[26928] in resnet
SCCM, WSUS, and Patch Management
daemon@ATHENA.MIT.EDU (Doughty, Marc)
Mon Oct 24 14:14:25 2011
Message-ID: <CAEPWjztRmdwy0-nbbPwfNG842PrLNYJcccc1JtVxMbaNSprJDg@mail.gmail.com>
Date: Mon, 24 Oct 2011 14:11:25 -0400
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Doughty, Marc" <marc_doughty@BROWN.EDU>
To: RESNET-L@listserv.nd.edu
Greetings,
We're on the verge of switching clients over to our internal systems
for Windows Updates. We already have SCCM set up for deploying software to
several departments, but we're debating how to do Windows Updates.
There are two 'philosophies' currently:
1. Use SCCM to choose, approve, and bundle each month's updates into
'packages' that are deployed to three 'tiers' of users ('testers', 'early
adopters', and 'everyone'). After each month, the 'old' updates would be
moved to an 'archived updates' package that would be mandatory for everyone.
or
2. Use GPOs to point the tiers of users to a WSUS server that's set to
'auto-approve' the entire Microsoft update catalog, but have the clients
'check' the server on schedules that allow us to un-approve problematic
updates before they go to the second or third tiers.
Basically, option 1 is very admin-intensive, relying on staff to choose
updates from what's available for different products, then manage packages
and push them. Only updates we 'approve' get pushed. Option 2 is a bit more
'cowboy', but it would guarantee that if the benevolent admins forget that a
certain user is using an oddball product, they'll still get updates for it.
Option 2 would put us in a situation where by default, clients eventually
get all the updates, unless we need to put the brakes on particular ones.
I'm all about doing less busywork; I'd like to hear from folks using
WSUS in environments that also have SCCM. If you ask an SCCM tech 'how to
push updates', they invariably tell you how to accomplish Option 1, but I'm
not sure that's the simplest, best, and most inclusive way to handle this.
Maybe 'the best way to do Windows Updates with SCCM' isn't to use SCCM at
all, but to point clients right at WSUS. Does that make sense?
- Marc Doughty
"If you aren't sure who is the give-way vessel, you are the give-way
vessel."
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
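
Added example, not part of the original message: the client-side Windows Update policy values that a per-tier GPO as described in option 2 would set, written here as a local registry script. The WSUS URL, the 'EarlyAdopters' group spelling, and the install days and hours are assumptions chosen for illustration.

```powershell
# Run elevated. Applies the Windows Update policy for one tier of option 2.
# Assumptions (not from the post): server URL, group names, days and hours.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Testers', 'EarlyAdopters', 'Everyone')]
    [string]$Tier,
    [string]$WsusUrl = 'http://wsus.example.edu:8530'   # placeholder server
)

# ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday.
# Each later tier installs some days after the previous one; that gap is the
# window in which a problematic update can be un-approved on the server.
$tiers = @{
    Testers       = @{ Day = 0; Hour = 3 }   # every day at 03:00
    EarlyAdopters = @{ Day = 7; Hour = 3 }   # Saturday at 03:00
    Everyone      = @{ Day = 2; Hour = 3 }   # Monday of the following week
}

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
# Create the keys only if missing, so existing policy values are not wiped.
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }

function Set-Policy($Path, $Name, $Value, $Type) {
    New-ItemProperty -Path $Path -Name $Name -Value $Value `
        -PropertyType $Type -Force | Out-Null
}

# Point the client at the internal WSUS server instead of Microsoft Update.
Set-Policy $wu 'WUServer'       $WsusUrl String
Set-Policy $wu 'WUStatusServer' $WsusUrl String
Set-Policy $au 'UseWUServer'    1        DWord

# Client-side targeting: the client reports itself into the tier's group.
Set-Policy $wu 'TargetGroupEnabled' 1     DWord
Set-Policy $wu 'TargetGroup'        $Tier String

# Download automatically and install on the tier's schedule.
Set-Policy $au 'NoAutoUpdate'         0                  DWord
Set-Policy $au 'AUOptions'            4                  DWord
Set-Policy $au 'ScheduledInstallDay'  $tiers[$Tier].Day  DWord
Set-Policy $au 'ScheduledInstallTime' $tiers[$Tier].Hour DWord

# Show what is now in effect for review.
Get-ItemProperty -Path $wu, $au | Format-List WUServer, TargetGroup, Scheduled*
```

Client-side targeting only takes effect when the WSUS server is configured to assign computers to groups by Group Policy or registry settings, and the group names must already exist on the server.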