Sccm Patch Deployment Best Practices
Best Practices Before Installation

SQL Collation must be set to SQL_Latin1_General_CP1_CI_AS. Why is this important? Firstly because it is a setting most people never change (it is hidden from view during setup), and secondly because its default is derived from the regional settings of the server. When you install SQL Server (which ConfigMgr needs to host its database), the collation is set in stone during setup, so knowing what your collation is, and what it should be, matters before you run ConfigMgr setup. For how to identify the collation of a running SQL Server instance, and how to set the collation during SQL Server setup, see the linked guidance.
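As an added example (not part of the original article), the following PowerShell checks the instance-level collation and the collation of any existing ConfigMgr site database (CM_<sitecode>) against the required value, so the check can be run both before ConfigMgr setup and on a site that is already installed. It assumes Windows-integrated authentication to the instance and the placeholder instance name '.'; the setup.exe /SQLCOLLATION parameter named in the warning is the standard unattended-setup switch for fixing the value on a fresh SQL Server install.

```powershell
# Added example, not from the original article. Assumes Windows-integrated
# authentication and enough rights to read sys.databases on the instance.
# The instance name used at the bottom ('.') is a placeholder.
$RequiredCollation = 'SQL_Latin1_General_CP1_CI_AS'

function Invoke-SqlRowQuery {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [Parameter(Mandatory)] [string] $Query
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Database=master;Integrated Security=True"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $row = [ordered]@{}
            for ($i = 0; $i -lt $reader.FieldCount; $i++) {
                $row[$reader.GetName($i)] = $reader.GetValue($i)
            }
            [pscustomobject] $row
        }
    }
    finally { $conn.Dispose() }
}

function Test-ConfigMgrCollation {
    param([Parameter(Mandatory)] [string] $ServerInstance)

    # Instance-level collation: fixed when SQL Server setup ran, cannot be altered later.
    $server = @(Invoke-SqlRowQuery -ServerInstance $ServerInstance -Query @"
SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS collation_name
"@)

    # Per-database collation: ConfigMgr site databases are named CM_<sitecode>.
    # '[_]' escapes the LIKE wildcard so only a literal underscore matches.
    $dbs = @(Invoke-SqlRowQuery -ServerInstance $ServerInstance -Query @"
SELECT name, collation_name FROM sys.databases WHERE name LIKE 'CM[_]%' OR name = 'master'
"@)

    [pscustomobject]@{
        ServerInstance    = $ServerInstance
        ServerCollation   = $server[0].collation_name
        ServerIsSupported = ($server[0].collation_name -ceq $RequiredCollation)
        DatabasesOffSpec  = @($dbs | Where-Object { $_.collation_name -cne $RequiredCollation } |
                              ForEach-Object { "$($_.name)=$($_.collation_name)" })
    }
}

# Usage: run before ConfigMgr setup (and again after any SQL Server rebuild).
$check = Test-ConfigMgrCollation -ServerInstance '.'
$check | Format-List
if (-not $check.ServerIsSupported) {
    Write-Warning ("Collation is '{0}'; ConfigMgr requires '{1}'. Fixing this means reinstalling " +
                   "SQL Server, e.g. setup.exe /SQLCOLLATION={1}") -f $check.ServerCollation, $RequiredCollation
}
```

The comparison uses -ceq so that a case-sensitive variant of the collation name is never mistaken for the required one. A non-empty DatabasesOffSpec on an already-installed site means the site database itself was created under the wrong collation, which is the case the next paragraph warns about.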
Having the wrong SQL Server collation will require you to reinstall SQL Server from scratch, which takes time and effort.

Best Practices for SQL Server Installation

Many early adopters of System Center 2012 Configuration Manager have had trouble getting SQL Server installed correctly. Many of the problems come from running an unsupported version or cumulative update. For supported versions, see Supported Configurations for Configuration Manager. SQL Server problems can also be caused by applying the wrong certificate or by misconfiguring the port. For SQL Server installation and configuration tips, see the support blog.

Best Practices for Client Deployment

Extend the Active Directory schema and publish the site so that you can run CCMSetup without command-line options. When you extend the Active Directory schema for Configuration Manager and publish the site to Active Directory Domain Services, many client installation properties are published there. If a computer can locate these client installation properties, it uses them during Configuration Manager client deployment.
Because this information is generated automatically, the risk of human error from manually entering installation properties is eliminated. For more information, see the linked topic.
When you have many clients to deploy, plan a phased rollout outside business hours. A phased rollout over a period of time minimizes the CPU load on the site server.
Deploy clients outside business hours so that critical business services have more bandwidth during the day and users are not disrupted when their computer slows down or needs a restart to complete the installation.

Enable automatic upgrade after your main client deployment has finished. Automatic client upgrades are useful for upgrading the small number of client computers that your main client installation method missed. For example, you have completed an initial client upgrade, but some clients were offline during the upgrade deployment. Automatic upgrade then upgrades the client on those computers when they are next active.
For more information, see the section How to Automatically Upgrade the Configuration Manager Client for the Hierarchy in the client deployment topic.

Use SMSMP and FSP if you install the client with client.msi properties. The SMSMP property specifies the initial management point the client communicates with and removes the dependency on service location mechanisms such as Active Directory Domain Services, DNS and WINS. Use the FSP property, and install a fallback status point, so that you can monitor client installation and site assignment and identify communication problems. For details of these options, see the linked topic. If you want to use client languages other than English, install the client language packs before you install the clients.
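The SMSMP and FSP installation just described, as an added example that is not part of the original article: the script runs ccmsetup.exe with both properties and then reads the real outcome from ccmsetup.log, because the launcher process hands off to the ccmsetup service and its own exit code says nothing about whether the client installed. The server names, share path and site code are placeholders; the return-code meanings are the ones Microsoft documents for ccmsetup.

```powershell
# Added example, not from the original article. Installs the ConfigMgr client with
# explicit SMSMP and FSP properties and reports the result from ccmsetup.log.
# Server names, the client share and the site code are placeholders.
function Install-ConfigMgrClient {
    param(
        [string] $Source   = '\\cm01.corp.example\SMS_P01\Client',
        [string] $MP       = 'cm01.corp.example',
        [string] $FSP      = 'cm01.corp.example',
        [string] $SiteCode = 'P01'
    )
    $arguments = @(
        "/mp:$MP"                 # ccmsetup downloads the client source from this MP
        "SMSMP=$MP"               # initial MP: no AD DS / DNS / WINS lookup required
        "FSP=$FSP"                # fallback status point receives install/assignment state
        "SMSSITECODE=$SiteCode"
    )
    # The launched ccmsetup.exe registers the ccmsetup service and exits almost at once,
    # so wait until the service has finished and gone away before reading the log.
    Start-Process -FilePath (Join-Path $Source 'ccmsetup.exe') -ArgumentList $arguments -Wait
    Start-Sleep -Seconds 10   # give the service a moment to register
    while (Get-Service -Name ccmsetup -ErrorAction SilentlyContinue) {
        Start-Sleep -Seconds 15
    }
    Get-CcmSetupResult
}

function Get-CcmSetupResult {
    param([string] $LogPath = "$env:windir\ccmsetup\Logs\ccmsetup.log")
    # ccmsetup.log is CMTrace-formatted; the completion line is still plain text inside it.
    $line = Select-String -Path $LogPath -Pattern 'CcmSetup is exiting with return code (\d+)' |
            Select-Object -Last 1
    if (-not $line) { throw "No completion line found in $LogPath" }
    $code = [int] $line.Matches[0].Groups[1].Value
    # Return codes as documented by Microsoft for ccmsetup
    $meaning = switch ($code) {
        0       { 'Success' }
        7       { 'Success, restart required' }
        8       { 'Setup already running' }
        9       { 'Prerequisite evaluation failure' }
        10      { 'Setup manifest hash validation failure' }
        default { "Unknown ($code)" }
    }
    [pscustomobject]@{ ReturnCode = $code; Meaning = $meaning; Log = $LogPath }
}

# Usage (elevated, on the target computer):
# Install-ConfigMgrClient -Source '\\cm01.corp.example\SMS_P01\Client' -SiteCode 'P01'
```

A return code of 7 is still a success: it is the "restart required" case the rollout advice above tells you to keep out of business hours. If the schema is extended and the site is published, SMSMP and FSP are unnecessary; the example covers the case where they are not.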
Best Practices for Collections

Enabling the Use incremental updates for this collection option on many collections can cause evaluation delays. The threshold is about 200 collections, but the exact number depends on the following factors:
The total number of collections.
The frequency with which new resources are added and changed in the hierarchy.
The number of clients in your hierarchy.
The complexity of collection membership rules in your hierarchy.

Do not modify the built-in collections; instead copy them and modify the copy. If a default collection (such as All Desktop and Server Clients) does not meet your business requirements, do not modify it. Copy and paste the collection, then modify the new collection. This practice makes collection queries easier to troubleshoot and protects against future upgrades overwriting and changing the built-in collections.
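Both collection practices above, as an added example that is not part of the original article: the script counts collections that have incremental updates enabled against the 200-collection guidance, and copies a built-in collection instead of editing it. It assumes the ConfigMgr console's PowerShell module is available on the machine and uses the placeholder site code P01; the RefreshType bit values are those of the SMS_Collection WMI class (4 = incremental/CONSTANT_UPDATE, 2 = scheduled full refresh, 6 = both).

```powershell
# Added example, not from the original article. Requires the ConfigMgr console
# PowerShell module; 'P01' is a placeholder site code.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location 'P01:'

# RefreshType bit 4 is "Use incremental updates for this collection".
function Get-IncrementalCollection {
    Get-CMCollection | Where-Object { ($_.RefreshType -band 4) -ne 0 }
}

function Test-IncrementalCollectionCount {
    param([int] $Threshold = 200)   # guidance figure from the text above
    $incremental = @(Get-IncrementalCollection)
    [pscustomobject]@{
        IncrementalCollections = $incremental.Count
        Threshold              = $Threshold
        OverThreshold          = ($incremental.Count -gt $Threshold)
        # candidates to switch back to a scheduled full refresh
        Candidates             = @($incremental | Sort-Object MemberCount |
                                   Select-Object -First 10 -ExpandProperty Name)
    }
}

function Copy-BuiltInCollection {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $NewName
    )
    $source = Get-CMCollection -Name $Name
    if (-not $source) { throw "Collection '$Name' not found" }
    # Built-in collections carry SMS-prefixed IDs (SMS00001 and similar);
    # anything else is already a custom collection and can be edited directly.
    if ($source.CollectionID -notmatch '^SMS') {
        Write-Warning "'$Name' is not a built-in collection; copying it anyway."
    }
    Copy-CMCollection -InputObject $source -NewName $NewName
}

# Usage
Test-IncrementalCollectionCount | Format-List
$copy = Copy-BuiltInCollection -Name 'All Desktop and Server Clients' -NewName 'Patching - All Clients'
# Edit the copy's membership rules, never the built-in original:
# Set-CMCollection -InputObject $copy -RefreshType Periodic
```

Turning incremental updates off on collections that rarely change (the Candidates list) is usually the cheapest way back under the threshold; the remaining incremental collections keep their fast membership updates.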
Best Practices for Endpoint Protection

Configure custom client settings for Endpoint Protection. When you configure client settings for Endpoint Protection, do not use the default client settings, because they apply to every computer in your hierarchy. Instead, configure custom client settings and assign them to collections of computers in your hierarchy, so that you control which computers receive which Endpoint Protection configuration.

Best Practices for Power Management

After you have created a collection of computers to which you want to apply power management settings, split it into two sub-collections. One sub-collection should contain the majority of the computers to which you want to apply power settings; the other (the control collection) should contain the remaining computers. Apply the required power management plan to the sub-collection containing the majority of the computers.
You can then run reports to compare the power cost, power usage and environmental impact of the computers with the power settings applied against the control collection without them. Run the Power Settings report before you apply a power management plan. Always test the effect of a power management plan on a test collection before you apply it to a larger collection of computers. Power settings applied to computers running Windows XP or Windows Server 2003 are not reverted to their original values even if you exclude the computer from power management. On later versions of Windows, excluding a computer from power management reverts all of its power settings to their original values; you cannot revert individual power settings.
Apply power plan settings so that each computer falls under a single plan. Power management includes a report that lists computers with more than one power plan applied. If a computer is a member of multiple collections that apply different power plans, the following rules apply:
Power plan: if multiple values for a power setting are applied to a computer, the least restrictive value is used.
Wakeup time: if multiple wakeup times are applied to a desktop computer, the time closest to midnight is used.

Save or export power management information during the monitoring and planning phase. Power management information used by daily reports is retained in the Configuration Manager site database for 31 days.
Power management information used by monthly reports is retained in the site database for 13 months. When you run reports during the monitoring and planning and compliance phases, save or export the results of any report whose data you want to keep for later comparison, because Configuration Manager removes the underlying data after those retention periods.

Best Practices for Reporting

For best performance, install the reporting services point on a remote site system server. Whenever possible, schedule report subscription processing to run outside normal office hours to minimize CPU load on the Configuration Manager site database server. This also improves availability for unscheduled report requests.
Best Practices for Software Updates

When Configuration Manager and WSUS use the same SQL Server, configure one of them to use a named instance and the other the default instance. When the Configuration Manager and WSUS databases share the same SQL Server instance, you cannot easily tell the resource usage of the two applications apart. With separate instances it is easier to troubleshoot and diagnose resource usage issues for each application.

Use a custom website for the WSUS installation.
When you install WSUS 3.0, you can specify whether to use the default Internet Information Services (IIS) website or create a dedicated WSUS 3.0 website. As a best practice, select Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in their own website instead of sharing one with other Configuration Manager site systems or other applications. When you use a custom website for WSUS 3.0, WSUS configures port 8530 for HTTP and port 8531 for HTTPS; you must specify these ports when you create the active software update point for the site.

Specify the Store updates locally setting for the WSUS installation. When you install WSUS 3.0, select Store updates locally so that the license terms associated with software updates are downloaded during synchronization and stored on the local hard drive of the WSUS server. When this setting is not selected, client computers might fail the compliance scan for updates that have license terms.
When you install the active software update point, WSUS Synchronization Manager verifies that this setting is enabled every 60 minutes by default.

Create a new software update group each time an automatic deployment rule runs for "Patch Tuesday" and for general deployment. There is a limit of 1000 software updates per software update deployment. When you create an automatic deployment rule, you specify whether to use an existing update group or to create a new one each time the rule runs. When the rule's criteria match many updates and the rule runs on a recurring schedule, choose to create a new software update group each time, so that the deployment does not exceed the 1000-update limit.

Use an existing software update group for automatic deployment rules for Endpoint Protection definition updates. Always use an existing software update group when an automatic deployment rule deploys Endpoint Protection definition updates on a frequent schedule; otherwise hundreds of software update groups accumulate over time. Definition update publishers typically set a definition update to expire once it has been superseded by four newer updates.
Therefore the software update group created by the automatic deployment rule never contains more than four definition updates per publisher (one active and three superseded).

Do not deploy software updates that require multiple reboots via a task sequence. Exclude updates that require multiple reboots from your operating system deployment collection if you use the software update step in task sequences. Deploy these updates separately or add them to your images. If an update that requires multiple reboots is installed via a task sequence, the installation will fail. See Microsoft's documentation for the current list of software updates that require multiple reboots.
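The 1000-update limit and the definition-update group behaviour described above, as an added example that is not part of the original article: the script reports, for every software update group, how many updates it holds, how close it is to the limit, and how many of its members are expired or superseded (a group fed by a definition-update rule should stay at a handful of updates, as the text explains). It assumes the ConfigMgr console PowerShell module and the placeholder site code P01.

```powershell
# Added example, not from the original article. Requires the ConfigMgr console
# PowerShell module; 'P01' is a placeholder site code.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location 'P01:'

function Get-UpdateGroupReport {
    param(
        [int] $Limit = 1000,      # updates per deployment, from the text above
        [double] $WarnAt = 0.9    # flag groups at 90% of the limit
    )
    foreach ($group in Get-CMSoftwareUpdateGroup) {
        # -Fast skips lazy WMI properties; IsExpired/IsSuperseded are still populated
        $updates = @(Get-CMSoftwareUpdate -UpdateGroupName $group.LocalizedDisplayName -Fast)
        [pscustomobject]@{
            Group      = $group.LocalizedDisplayName
            Updates    = $updates.Count
            Expired    = @($updates | Where-Object { $_.IsExpired }).Count
            Superseded = @($updates | Where-Object { $_.IsSuperseded }).Count
            OverLimit  = ($updates.Count -gt $Limit)
            NearLimit  = ($updates.Count -gt [int]($Limit * $WarnAt))
        }
    }
}

function Get-UpdateGroupProblem {
    # Groups that will break a deployment, or that an ADR keeps growing instead of replacing
    Get-UpdateGroupReport | Where-Object { $_.OverLimit -or $_.NearLimit -or $_.Expired -gt 0 }
}

# Usage
Get-UpdateGroupReport | Sort-Object Updates -Descending | Format-Table -AutoSize
Get-UpdateGroupProblem | Format-Table -AutoSize
```

A "Patch Tuesday" group that keeps creeping towards the limit month after month is the signature of an automatic deployment rule set to reuse its group; switch that rule to create a new group per run. Expired members in any group are dead weight and should be removed before the next deployment.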
To conclude the SCCM software update subject, I will present some SCCM software update best practices for managing Microsoft updates in production environments.

Subscribe to news sites about updates and security. It is important to know about the latest updates (usually released on the second Tuesday of the month) but also about the latest security issues. Sometimes Microsoft releases an emergency update to fix a vulnerability, so it is necessary to patch quickly to reduce the risk of being attacked. There are many ways to keep a technology watch: RSS feeds, or Twitter (@msftsecresponse, #security #updates).
A good source for security purposes is the linked site (sorry, it is in French).

Create standard baselines. All your systems should be configured the same way, to ease management and troubleshooting. That means systems should be built from the same installation image, the same operating system (as far as possible), the same application versions, and so on. Systems on the same baseline should be gathered in the same SCCM collection to ease software updates.

Create a pre-production environment to validate updates. Updates should be tested before installation in the production environment. Make sure the pre-production environment reflects production.
That means the pre-production environment contains every operating system and application you have in production. So when the Patch Tuesday updates are released, first update the pre-production environment and verify for one or two weeks that everything is OK.

Create packages with pre-determined criteria. To ease the management of update packages, create them with pre-determined criteria such as product, language, classification and release date.
This avoids reconfiguring update packages every month.

Create collections for each operating system version. Organizing collections by operating system eases update package management: make an update package containing every update for the related operating system and deploy it to that collection. Then every month, update that package with the new updates (see the next point).

Reuse update packages when possible. To limit the number of update packages, and so ease management, reuse deployment packages most of the time.
So in a perfect world you have one update package per operating system version (including service pack) and one per application (for example SQL Server, System Center DPM, and so on).

Create an emergency procedure. Sometimes Microsoft releases a security update outside the Patch Tuesday cycle, for example because a 0-day vulnerability has been discovered. That happens once or twice a year. A process for emergency patching should exist for this case. Usually the emergency update should be rolled out within a short window, such as 10 to 15 days to patch both the pre-production and production environments.
Enforce a deadline to install updates. I recommend enforcing update installation when the deadline is reached. However, I do not suggest forcing servers to restart.
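The per-operating-system collection, the emergency window and the enforced deadline without forced server restarts from the points above, as an added example that is not part of the original post: the script builds a query-based collection for one OS version and creates a required deployment of an update group to it with a deadline, installation allowed past the deadline, and restarts suppressed on servers. It assumes the ConfigMgr console PowerShell module, the placeholder site code P01, and the New-CMSoftwareUpdateDeployment parameter semantics that $true on -RestartServer suppresses the restart (confirm with Get-Help on your console version before relying on it); collection, group and server names are placeholders.

```powershell
# Added example, not from the original post. Requires the ConfigMgr console
# PowerShell module; 'P01' and all names below are placeholders.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location 'P01:'

function New-OsCollection {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $CaptionLike   # e.g. '%Windows Server 2012 R2%'
    )
    $collection = New-CMDeviceCollection -Name $Name -LimitingCollectionName 'All Systems' -RefreshType Periodic
    # WQL against hardware inventory: one collection per OS version, as the post recommends
    $wql = @"
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM
    on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_OPERATING_SYSTEM.Caption like '$CaptionLike'
"@
    Add-CMDeviceCollectionQueryMembershipRule -CollectionId $collection.CollectionID `
        -RuleName "OS caption like $CaptionLike" -QueryExpression $wql
    $collection
}

function Start-DeadlineDeployment {
    param(
        [Parameter(Mandatory)] [string] $UpdateGroupName,
        [Parameter(Mandatory)] [string] $CollectionName,
        [datetime] $Available   = (Get-Date),
        [int]      $DeadlineDays = 14     # inside the 10-15 day emergency window above
    )
    $deployment = @{
        SoftwareUpdateGroupName = $UpdateGroupName
        CollectionName          = $CollectionName
        DeploymentName          = "$UpdateGroupName to $CollectionName"
        DeploymentType          = 'Required'                 # enforced, not optional
        AvailableDateTime       = $Available
        DeadlineDateTime        = $Available.AddDays($DeadlineDays)
        TimeBasedOn             = 'LocalTime'
        UserNotification        = 'DisplaySoftwareCenterOnly'
        SoftwareInstallation    = $true    # install past the deadline even outside maintenance windows
        AllowRestart            = $false   # but never restart outside maintenance windows
        RestartServer           = $true    # $true = suppress the forced restart on servers
        RestartWorkstation      = $false   # workstations may restart to finish installing
    }
    New-CMSoftwareUpdateDeployment @deployment
}

# Usage: emergency out-of-band update for the 2012 R2 servers
$servers = New-OsCollection -Name 'Patching - Windows Server 2012 R2' -CaptionLike '%Windows Server 2012 R2%'
Start-DeadlineDeployment -UpdateGroupName 'Emergency 0-day fix' -CollectionName $servers.Name -DeadlineDays 10
```

Splatting the deployment settings into a hashtable keeps every enforcement decision (deadline, installation outside maintenance windows, restart suppression) visible in one place, which is what you want reviewed before an emergency deployment goes out to production.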
The reason to enforce the deadline is that everyone knows a colleague who never installs updates because he does not give a damn! With installation enforced at the deadline, that administrator has to be aware of updates.

Hi Romain Serre, suppose we have global clients using different-language OS as well as software, and I want to update these client machines' OS as well as software (MS Office). Does the WSUS (SCCM with SUP) server download the updates based on the client machines (the client machines' OS) in the organization, or will it simply download from Microsoft whatever is available? In the organization we have Win7, Win8, Win8.1 and Win10 as well as server operating systems. If the WSUS server does not download based on the client machines, how can we differentiate which updates need to be installed on which client machine?