This blog is owned and operated by the ANZ ConfigMgr Premier Field Engineer team.
Ian BartlettMatt ShadboltGeorge Smpyrakis
In CM12 we have a number of changes in Software Updates. One of the most anticipated one’s is Auto Deployment Rules.
Yes finally I hear you say….
Well Lets run through creating an Auto Deployment and one little gotcha to keep your eye on.
Software Library > Software Updates > Automatic Deployment Rules
Choose Create Automatic Deployment Rule from the Ribbon or Right click on the mouse.
In the first screen we can choose a Template
(Templates are no longer a node in the console they are now created when creating an Auto Deployment Rule or manually Deploying Updates and are saved at the Summary screen.Ill point this out later in the post)
You can Select to Add to an Existing Software Update Group or Create a new Software Update Group.
If you select Add to an Existing Software Update Group a brand new group will be created the first time the Auto Deployment Rule is run and every time the rule runs after that the new updates are added to that group.
(NOTE You cannot create a software Update group manually and then create an Auto Deployment rule to add new updates to that group. Even if you give it the same name and description the Auto Deployment Rule will still create a new group. See Figure below.The group created at 6:02 pm was done manually. I then ran the Auto Deployment rule at 6:07 pm and you can see that it creates a group with a duplicate name and description.)
If you select Create a new Software Update Group every time the rule is run a new Software Update Group is created.
You can also choose to Enable the deployment after the rule is run.
Here you can choose to use Wake on lan and also decide whether to automatically deploy all updates and approve any license agreements or deploy only updates that do not include license agreements.
This is where you select the requirements to select the updates to auto approve.
Here you can set a Schedule for the Rule to run. Potentially every Patch Tuesday or Daily for Forefront updates.
Or you can run the rule manually.
Similar to CM07 we can set the deployment schedule and whether the Deployment will be Mandatory.
Set the User Experience, deadline behaviour and reboot suppression.
We can now Generate Alerts if the compliance falls below a certain after a certain period of time. As before we can select to disable alerts for Operations Manager.
Set your Deployment options
Either select an existing package or create a new one for the new updates
Select a DP or DP Group
Where to download the updates from
Choose a language
On the Summary screen you can Choose to Save your settings as a Template for future use
We now see the new Rule in the console and we can choose to Run Now from the ribbon.
The log file for troubleshooting is Ruleengine.log
We can see the Auto Deployment Rule is kicked off
Evaluating and downloading updates
Here we see it looking for an existing update group and not finding one therefore creating a new Software Update Group then adding the updates to that Group.
Back to the console.If we select Software Update Groups we now see the newly created Windows 7 Automatic Deployment and the Deployment (Yet to be enabled) on the tab below.
When we select Show Members we can see the updates applied.
and there you have it.
I do not seem to be able to get the rule to create the Software Update Group (SUG). I have selected "Add an existing" and "Create a new" but when I manually run the ADR it does not create the SUG.
Hi Paul, I would just check your log file Ruleengine.log. That will point to what the issue is. It's likely to be either that it didn't find any patches from the rules that you set to add to a SUG or it failed to download the patches for a specific reason. either way the log file should definately tell you what has gone wrong.
Will it keep downloading and adding the old updates to the update group since you didn't do Date <30 days?
If I have Add to an existing Software Update Group(SUG)selected then no it shouldn't as the rule is looking for any patches that fit my requirements that are not part of that existing SUG. If I have create a new SUG selected (Which we would use for something like Endpoint protection updates) then it will add the same updates again to a brand new SUG but wouldn't download them again as they have already been downloaded and distributed.
Thanks for this very useful this part in particular:
Gents, Trying to make the ADR work but I have a unique situation.
I have my SCCM as a Standalone, it is syncing from an Upstream WSUS that I have no control over and is not connected to the internet. It gets its updates sneaker-netted over from a machine connected to the internet.
How can I download updates to my Software Update Groups in this scenario? Is there some way I can download the updates and point at them from SCCM to download them to be used by Software Updates group?
is there any way at all that you can get your primary site access to the Internet or at the very least to Microsoft Update so it can download the updates for ADR ? To the best of my knowledge now in 2012 your primary needs access to the Internet to download the updates(Very happy to be corrected if anyone else has found a way around). In 2007 you use to be able to specify a local location for the updates but I cant see any reference to it in 2012.
I have a question about the Download Location. My SCCM server does not have Internet access. I have configured the Software Update Point role to download the update catalog from an upstream WSUS server. This is configured with a URL. On the Download Location configuration page, I can only provide a UNC path. I'm assuming the WSUS server is already configured to download the actual updates (from another upstream WSUS server). Do these get stored somewhere? Can I pull from that location (assuming I share the folder)?
You need to point the download location to the WSUS source folder called WsusContent. In my lab it's located on my WSUS server at F:\WSUS\WsusContent, however by default it's shared as \\Server\WsusContent so use the share as the download location.
One thing to be aware of though - ensure the updates that will be processed via the ADR have been downloaded on the upstream server BEFORE the ADR Rule runs. If the update is not available in the WsusContent share, the ADR will fail.
Very Nice Explanation.
I have not created my rule, but This is exactly what I was looking for. Thanks for the clear article.