[26929] in resnet
Re: SCCM, WSUS, and Patch Management
daemon@ATHENA.MIT.EDU (Isaac Holmes)
Mon Oct 24 14:57:19 2011
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_086960B2AF09CC458C0AE60BE5D19D48189ECD4B17ICEMBX6icende_"
MIME-Version: 1.0
Message-ID: <086960B2AF09CC458C0AE60BE5D19D48189ECD4B17@ICE-MBX-6.ice.nd.edu>
Date: Mon, 24 Oct 2011 14:55:14 -0400
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Isaac Holmes <iholmes@ND.EDU>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <CAEPWjztRmdwy0-nbbPwfNG842PrLNYJcccc1JtVxMbaNSprJDg@mail.gmail.com>
--_000_086960B2AF09CC458C0AE60BE5D19D48189ECD4B17ICEMBX6icende_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
We use both, as SCCM is an opt in service the OIT provides to campus.
We mirror our SCCM update list to what is being delivered via our WSUS serv=
er, everything is auto-approved except service packs which we manually appr=
ove.
From compliance reporting standpoint SCCM is definitely the way to go.
You can also do #2 via SCCM you just don't create the extra overhead of the=
tiers of users, you approve everything and put it in a deployment package =
and push it to everyone which is how our SCCM server is configured. The on=
ly 'tiers' we create are for each OS.
Administration takes no more than an hour once a month, and most of that is=
waiting for SCCM to create the packages.
Isaac Holmes
Client Engineering Specialist
OIT Distributed Engineering Support
University of Notre Dame
B036 IT Center
(574) 631-3254
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Doughty, =
Marc
Sent: Monday, October 24, 2011 2:11 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: SCCM, WSUS, and Patch Management
Greetings,
We're on the verge of switching clients over to our internal systems f=
or Windows Updates. We already have SCCM set up for deploying software to s=
everal departments, but we're debating how to do Windows Updates.
There are two 'philosophies' currently:
1. Use SCCM to choose, approve, and bundle each month's updates into 'packa=
ges' that are deployed to three 'tiers' of users ('testers', 'early adopter=
s', and 'everyone'). After each month, the 'old' updates would be moved to =
an 'archived updates' package that would be mandatory for everyone.
or
2. Use GPOs to point the tiers of users to a WSUS server that's set to 'aut=
o-approve' the entire Microsoft update catalog, but have the clients 'check=
' the server on schedules that allow us to un-approve problematic updates b=
efore they go to the second or third tiers.
Basically, option 1 is very admin-intensive, relying on staff to choos=
e updates from what's available for different products, then manage package=
s and push them. Only updates we 'approve' get pushed. Option 2 is a bit mo=
re 'cowboy', but it would guarantee that if the benevolent admins forget th=
at a certain user is using an oddball product, they'll still get updates fo=
r it. Option 2 would put us in a situation where by default, clients eventu=
ally get all the updates, unless we need to put the brakes on particular on=
es.
I'm all about doing less busywork, I'd like to hear from folks using W=
SUS in environments that also have SCCM. If you ask an SCCM tech 'how to pu=
sh updates', they invariably tell you how to accomplish Option 1, but I'm n=
ot sure that's the simplest, best, and most inclusive way to handle this. M=
aybe 'the best way to do Windows Updates with SCCM' isn't to use SCCM at al=
l, but to point clients right at WSUS, does that make sense?
- Marc Doughty
"If you aren't sure who is the give-way vessel, you are the give-way vessel=
."
___________________________________________________ You are subscribed to t=
he ResNet-L mailing list.
To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.=
EDU/archives/resnet-l.html ________________________________________________=
___
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
--_000_086960B2AF09CC458C0AE60BE5D19D48189ECD4B17ICEMBX6icende_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40"><head><meta http-equiv=3DContent-Type content=
=3D"text/html; charset=3Dus-ascii"><meta name=3DGenerator content=3D"Micros=
oft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue vli=
nk=3Dpurple><div class=3DWordSection1><p class=3DMsoNormal><span style=3D'f=
ont-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>We use bo=
th, as SCCM is an opt in service the OIT provides to campus. <o:p></o=
:p></span></p><p class=3DMsoNormal><span style=3D'font-size:11.0pt;font-fam=
ily:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p cl=
ass=3DMsoNormal><span style=3D'font-size:11.0pt;font-family:"Calibri","sans=
-serif";color:#1F497D'>We mirror our SCCM update list to what is being deli=
vered via our WSUS server, everything is auto-approved except service packs=
which we manually approve.<o:p></o:p></span></p><p class=3DMsoNormal><span=
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D=
'><o:p> </o:p></span></p><p class=3DMsoNormal><span style=3D'font-size=
:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>From compli=
ance reporting standpoint SCCM is definitely the way to go. <o:p></o:=
p></span></p><p class=3DMsoNormal><span style=3D'font-size:11.0pt;font-fami=
ly:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p cla=
ss=3DMsoNormal><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-=
serif";color:#1F497D'>You can also do #2 via SCCM you just don’t crea=
te the extra overhead of the tiers of users, you approve everything and put=
it in a deployment package and push it to everyone which is how our SCCM s=
erver is configured. The only ‘tiers’ we create are for e=
ach OS. <o:p></o:p></span></p><p class=3DMsoNormal><span style=3D'fon=
t-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> =
</o:p></span></p><p class=3DMsoNormal><span style=3D'font-size:11.0pt;font-=
family:"Calibri","sans-serif";color:#1F497D'>Administration takes no more t=
han an hour once a month, and most of that is waiting for SCCM to create th=
e packages.<o:p></o:p></span></p><p class=3DMsoNormal><span style=3D'font-s=
ize:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o=
:p></span></p><p class=3DMsoNormal><span style=3D'font-size:11.0pt;font-fam=
ily:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p cl=
ass=3DMsoNormal><span style=3D'font-size:11.0pt;font-family:"Calibri","sans=
-serif";color:#1F497D'>Isaac Holmes<o:p></o:p></span></p><p class=3DMsoNorm=
al><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color=
:#1F497D'>Client Engineering Specialist <o:p></o:p></span></p><p class=3DMs=
oNormal><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";=
color:#1F497D'><o:p> </o:p></span></p><p class=3DMsoNormal><span style=
=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>OIT =
Distributed Engineering Support<o:p></o:p></span></p><p class=3DMsoNormal><=
span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F=
497D'>University of Notre Dame<o:p></o:p></span></p><p class=3DMsoNormal><s=
pan style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F4=
97D'><o:p> </o:p></span></p><p class=3DMsoNormal><span style=3D'font-s=
ize:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>B036 IT Center=
<o:p></o:p></span></p><p class=3DMsoNormal><span style=3D'font-size:11.0pt;=
font-family:"Calibri","sans-serif";color:#1F497D'>(574) 631-3254<o:p></o:p>=
</span></p><p class=3DMsoNormal><span style=3D'font-size:11.0pt;font-family=
:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=
=3DMsoNormal><span style=3D'font-size:11.0pt;font-family:"Calibri","sans-se=
rif";color:#1F497D'><o:p> </o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'=
><o:p> </o:p></span></p><p class=3DMsoNormal><b><span style=3D'font-si=
ze:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style=3D=
'font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Resnet Forum [mailto:=
RESNET-L@LISTSERV.ND.EDU] <b>On Behalf Of </b>Doughty, Marc<br><b>Sent:</b>=
Monday, October 24, 2011 2:11 PM<br><b>To:</b> RESNET-L@LISTSERV.ND.EDU<br=
><b>Subject:</b> SCCM, WSUS, and Patch Management<o:p></o:p></span></p><p c=
lass=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>Greetings,<br>&n=
bsp; We're on the verge of switching clients over to our =
internal systems for Windows Updates. We already have SCCM set up for deplo=
ying software to several departments, but we're debating how to do Windows =
Updates.<br> There are two 'philosophies' currently=
:<br><br>1. Use SCCM to choose, approve, and bundle each month's updates in=
to 'packages' that are deployed to three 'tiers' of users ('testers', 'earl=
y adopters', and 'everyone'). After each month, the 'old' updates would be =
moved to an 'archived updates' package that would be mandatory for everyone=
.<br><br>or<br><br>2. Use GPOs to point the tiers of users to a WSUS server=
that's set to 'auto-approve' the entire Microsoft update catalog, but have=
the clients 'check' the server on schedules that allow us to un-approve pr=
oblematic updates before they go to the second or third tiers.<br><br> =
; Basically, option 1 is very admin-intensive, relying on=
staff to choose updates from what's available for different products, then=
manage packages and push them. Only updates we 'approve' get pushed. Optio=
n 2 is a bit more 'cowboy', but it would guarantee that if the benevolent a=
dmins forget that a certain user is using an oddball product, they'll still=
get updates for it. Option 2 would put us in a situation where by default,=
clients eventually get all the updates, unless we need to put the brakes o=
n particular ones.<br><br> I'm all about doing less=
busywork, I'd like to hear from folks using WSUS in environments that also=
have SCCM. If you ask an SCCM tech 'how to push updates', they invariably =
tell you how to accomplish Option 1, but I'm not sure that's the simplest, =
best, and most inclusive way to handle this. Maybe 'the best way to do Wind=
ows Updates with SCCM' isn't to use SCCM at all, but to point clients right=
at WSUS, does that make sense?<br clear=3Dall><br>- Marc Doughty<br>"=
If you aren't sure who is the give-way vessel, you are the give-way vessel.=
"<br>___________________________________________________ You are subsc=
ribed to the ResNet-L mailing list. <o:p></o:p></p><p>To subscribe, unsubsc=
ribe or search the archives, go to <a href=3D"http://LISTSERV.ND.EDU/archiv=
es/resnet-l.html">http://LISTSERV.ND.EDU/archives/resnet-l.html</a> _______=
____________________________________________ <o:p></o:p></p></div></body></=
html>=
___________________________________________________
You are subscribed to the ResNet-L mailing list.
<p>
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
--_000_086960B2AF09CC458C0AE60BE5D19D48189ECD4B17ICEMBX6icende_--
