Deploy Microsoft Updates with SCCM – the User-Friendly Way


By Arjan Pater

05 December 2017

Sometimes, updating computer systems with the latest Microsoft Windows updates and patches is difficult. Users are disrupted during their work. Applications may fail to function properly. Last but not least, the look and feel of the Windows operating system is changed. However, installing the latest (security) updates on a regular basis is more important than ever. For an example, read this article: http://www.bbc.com/news/technology-39901382. If you're not up to date with your Microsoft (security) updates, you may want to take care of that now.

In this article, I write about an update strategy that I implemented at a customer who was worried about ransomware attacks and the impact these could have on his organization. Ransomware is software that blocks access to important data unless a ransom is paid. If all the company data is encrypted, it could have a lot of impact. For more information, please check the Wikipedia article about ransomware.

The customer already had a mechanism in place for updating the users' computer systems. However, it needed some improvement. Some users never shut down their computer systems at the end of a working day. Thus, they could postpone the system restarts forever, as these are usually executed when the computer is rebooted. In these cases, the installation of critical security updates is never completed. This is a bad situation, as Windows systems depend on a restart to finish the installation of Windows updates. As a result, the customer wanted to make sure that updates are installed, systems are rebooted when necessary, and the users are informed properly.

The Microsoft updates are downloaded with Windows Server Update Services (WSUS), which is integrated with System Center Configuration Manager (SCCM). Using these mechanisms, updates are distributed to laptops and client computer systems. The Configuration Manager Client, as well as the settings that are used, are essential for this mechanism.

The behavior of the Configuration Manager Client is controlled by the settings as shown in the screenshots below.

[Screenshot: System Center Client agent settings.]

These are the default System Center Client agent settings:

  • If the deployment deadline is greater than 24 hours, remind the user every 48 hours.
  • If the deployment deadline is less than 24 hours, remind the user every 4 hours.
  • If the deployment deadline is less than 1 hour, remind the user every 15 minutes.

Now go to the restart options.

[Screenshot: Configuration Manager Client restart options.]

Set these restart options as they fit you best. My customer decided that these settings suit his needs:

  • The users are presented with a temporary notification that indicates the interval before the user is logged off or before the computer restarts. In this case: 180 minutes.
  • Display a dialog box that the user cannot close which displays the countdown interval before the user is logged off or before the computer restarts. This is set to: 30 minutes.

Everything is set, so that when the Windows security updates are deployed, the settings as configured above will be applied. Let’s do a deployment and see what the user will experience:

Every second Tuesday of the month, Microsoft releases new updates. Security updates will be selected for distribution in these weeks. The updates are distributed to a pilot group of users before they are finally released to all company systems. In the screenshot below, the SCCM collections are shown.

[Screenshot: Collections.]

I leave it open how to collect the members for the computer collections. However, I suggest using WMI queries or maybe direct membership for pilot purposes. Just make sure the collections are filled with the computer systems that should receive the Windows updates. In the Software Update Groups, I made two groups for the two system collections. See the screenshot below.

[Screenshot: Update groups.]

Now it’s possible to deploy the Software Update Groups to the collections.

 

[Screenshot: Deploy button.]

  • Select the update group, press Deploy, and follow the wizard.

[Screenshot: Deployment Wizard: Set deadline.]

  • Set a deadline. In my case the customer decided that a three-day deadline is enough.

[Screenshot: Deployment Wizard: Set user notifications, deadline behavior and restart options.]

  • I choose the options as above when deploying updates. I am following the company guidelines as much as possible, but maybe other options are more suited for your company.

As soon as the deployment of the new Microsoft updates is running, the users have three days to install the updates themselves (we set this deadline in the wizard). The user is informed that there are updates available. See the screenshot below.

[Screenshot: Updates are available.]

Users can ignore these messages for three days. If they decide to click on it, the screen as shown below opens.

[Screenshot: User options.]

  1. If “view details” is clicked, the user sees what kind of Microsoft updates are available.
  2. Here, the user can decide when to install the Microsoft updates available.

From my experience, most users go for the option: “Snooze and remind me later.”

However, the deadline is reached after three days. The updates are downloaded to the SCCM cache and then installed on the system. Now the system needs to be restarted, and the user is presented with the popup shown below.

[Screenshot: Restart window. With hide option.]

The user can hide this popup window. Here you see the 180-minute countdown that we set in the System Center Agent Custom Device Settings.

[Screenshot: Restart window. No hide option.]

Users can’t hide this message anymore. This happens in the last 30 minutes of the 180-minute countdown. I configured this in the System Center Agent Custom Device Settings. All the programs that are open are in the background now, and there is no excuse for the users to say they have not been informed or lost work due to an unexpected restart. The users could even influence the installation and restart their own computer systems themselves. The only thing they can’t do anymore is postpone the installation of the Windows updates forever.

When the counter reaches 00:00:00, the computer is restarted and the installation of the Windows security updates is completed. With this behavior, the computer systems stay up to date with the latest Microsoft updates and the customer is better protected against ransomware.
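
To verify on a client that the restart described above has actually happened, the following added example (not part of the original article or the customer's setup) checks the standard Windows pending-restart registry keys and asks the Configuration Manager client through its `CCM_ClientUtilities` WMI class. The function name `Get-PendingRestartStatus` is hypothetical.

```powershell
# Added example, not from the original article: report whether this client
# still needs a restart to finish installing Windows updates.
function Get-PendingRestartStatus {
    [CmdletBinding()]
    param()

    # Windows creates these keys while a restart is outstanding and removes
    # them once the restart has completed.
    $wuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wuPending  = Test-Path -Path $wuKey
    $cbsPending = Test-Path -Path $cbsKey

    # Ask the Configuration Manager client as well. The namespace is missing
    # on machines without the client, so a failure is recorded as $null.
    $ccmPending = $null
    try {
        $result = Invoke-CimMethod -Namespace 'root\ccm\ClientSDK' `
            -ClassName 'CCM_ClientUtilities' `
            -MethodName 'DetermineIfRebootPending' -ErrorAction Stop
        $ccmPending = [bool]($result.RebootPending -or $result.IsHardRebootPending)
    }
    catch {
        Write-Verbose "Configuration Manager client not queried: $($_.Exception.Message)"
    }

    # Uptime shows how long the machine has gone without a restart.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $uptimeDays = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LastBoot             = $os.LastBootUpTime
        UptimeDays           = $uptimeDays
        WindowsUpdatePending = $wuPending
        ServicingPending     = $cbsPending
        ConfigMgrPending     = $ccmPending   # $null when the client is absent
        RestartPending       = ($wuPending -or $cbsPending -or ($ccmPending -eq $true))
    }
}

Get-PendingRestartStatus | Format-List
```

A machine that reports `RestartPending : True` together with a high `UptimeDays` value is one where update installation has not been completed.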
