SCCM / WSUS Software Update Best Practices

Overview

A client was having issues with inconsistent software updating using WSUS in SCCM. After working with the client and determining their update issues, the following best practice procedures were provided for them.

Schedule

Weekly

All Software Update Cleanup of Supersedence and Expired

Software Update Groups Cleanup

Monthly

Set MaxExecutionTime on Specific SCCM Software Updates

Cleanup Packages from Branch DPs that are not Needed at Branch DPs

Remediate Updates that are required but not deployed

Network Team Network Segment Creation

Quarterly

Verify Packages and Applications are NOT Updated to DPs on a Schedule

Manage SCCM Deployment Threads

Manage SCCM Distribution Point Rate Limits (Time-Slice Based Throttling)

Manage SCCM Distribution Point Priority Schedules

Enable Binary Differential Replication on Deployment Packages

Project Based

Maximize Performance and Coverage of Automatic Deployment Rules

Allow Site Server and Microsoft to be used as Fallback Update Locations for Updates

Network Team Network Segment Creation

Overview

When a new network segment is created by Network Team, the segment is not always communicated.

Procedure

  1. Work with Network Team to be included in communication when new network segments are created.

Set MaxExecutionTime on Specific SCCM Software Updates

Overview

Every update in SCCM has a maximum amount of time that it is allowed to run. If the amount of time it takes to install the update exceeds the MaxExecutionTime variable set for the update, the update will fail to install. Increasing this execution time can allow a greater installation success rate.

Procedure

  1. Run from the AS1: PowerShell console (MaxExecutionTime is stored in seconds, so 1800 is 30 minutes):

    1. Get-CMSoftwareUpdate -Name "*Cumulative Update*" -Fast | Where-Object {$_.MaxExecutionTime -lt 1800} | Set-CMSoftwareUpdate -MaximumExecutionMins 30
    2. Get-CMSoftwareUpdate -Name "*Cumulative Security Update*" -Fast | Where-Object {$_.MaxExecutionTime -lt 1800} | Set-CMSoftwareUpdate -MaximumExecutionMins 30
    3. Get-CMSoftwareUpdate -Name "*Security Monthly Quality Rollup*" -Fast | Where-Object {$_.MaxExecutionTime -lt 1800} | Set-CMSoftwareUpdate -MaximumExecutionMins 60
    4. Get-CMSoftwareUpdate -Name "*Security and Quality Rollup*" -Fast | Where-Object {$_.MaxExecutionTime -lt 1800} | Set-CMSoftwareUpdate -MaximumExecutionMins 30

Examples

Figure 1 Maximum Run Time on a Software Update

Cleanup Packages from Branch DPs That are Not Needed

Overview

Over time, SCCM Distribution Points at the branches accumulate updates and applications that are no longer applicable to the branch. For example, if an older version of Adobe Reader was needed in 2015, leaving its installation files at the branch uses space unnecessarily.

Procedure

  1. View Active Deployments

    1. Within the SCCM Console, open Monitoring\Overview\Deployments
    2. Sort by Date Created
  2. Cross Reference Active Deployments with DP Content, And Remove Unneeded

    1. Administration\Overview\Distribution Point Groups -> Branch Distribution Groups [Right Click -> Properties]
    2. Content Tab -> Click Unneeded Updates -> Remove

Examples

Figure 2 Removing DP Content

Verify That Applications are NOT Updated to DPs on a Schedule

Overview

Within the SCCM Console there is an option to have content automatically redistribute itself to distribution points on a schedule. When this option is enabled on content, the process unnecessarily generates SCCM traffic.

Procedure

  1. Open a suspected offending application or package
  2. For example, open Software Library\Overview\Application Management\Packages\Workstations – Packages\WS – System Configurations\NathCorp\Branch-Apps\NCI Teller
  3. [Right Click] Properties -> Data Source -> Update Distribution points on a schedule
  4. Verify this is unchecked

Examples

Figure 3 Verifying content is not updated on schedule

Manage SCCM Deployment Threads

Overview

SCCM controls the number of packages it will attempt to distribute at one time, and the number of distribution points it will attempt to distribute the packages to. Adjusting these controls will allow maximum throughput of traffic while maintaining throttling constraints.

Figure 4 SCCM Content Threads

Procedure

  1. Within the SCCM Console go to Administration\Overview\Site Configuration\Sites\AS1
  2. [Right Click] Configure Site Components -> Software Distribution
  3. Adjust Maximum Threads

Monitoring Threads

  1. Download and Install the System Center 2012 R2 Configuration Manager Toolkit
  2. Open the DP Job Manager Tool at C:\Program Files (x86)\ConfigMgr 2012 Toolkit R2\ServerTools\DPJobMgr.exe
  3. Use the Manage Jobs tab to monitor


Figure 5 DP Job Manager Tool

Examples

Figure 6 Adjusting Content Threads

Manage DP Rate Limits (Time-Sliced Throttling)

Overview

Distribution Point rate limits are a form of throttling that applies to content distribution. Adjusting these throttles can help maximize performance while minimizing disruption during the DGM workweek.

Procedure

  1. Within the SCCM Console go to Administration\Overview\Distribution Points [Right Click DP] Properties
  2. Open the Rate Limits tab
  3. Adjust accordingly

Examples

Figure 7 Adjusting DP Rate Limits

Manage SCCM Distribution Point Priority Schedules

Overview

Distribution schedules allow low, medium and high priority deployments to adhere to certain schedules. Adjusting these schedules can help maximize performance while minimizing disruption during the DGM workweek.

Procedure

  1. Within the SCCM Console go to Administration\Overview\Distribution Points [Right Click DP] Properties
  2. Open the Schedule tab
  3. Adjust accordingly

Examples

Figure 8 Adjusting DP Priority Schedules

Maximize Performance and Coverage of Automatic Deployment Rules

Overview

When creating SCCM ADRs, it is important that no rule duplicates another, and that the combined rules do not miss any critical or security updates for an environment (such as Prod or Pilot).

Figure 9 Optimizing ADRs in SCCM

How Microsoft Deploys Software Updates

Security Only Quality Update (Released every month)

  • Includes Critical and Security for That Month

Security Monthly Quality Rollup (Released every month)

  • Includes Critical, Security and Updates*, Cumulative for Year

    * Feature patches (non-security)

Procedure

  1. Within the SCCM Console go to Software Library\Overview\Software Updates\Automatic Deployment Rules
  2. Ensure Deployment Packages are updated via an ADR no more frequently than necessary. For example, a Pilot ADR may update weekly, whereas a Production ADR may update monthly.

Enable Binary Differential Replication on Deployment Packages

Overview

Binary Differential Replication, sometimes known as “delta replication,” is used by SCCM to update package source files with a minimum of additional network traffic. This minimizes the network traffic between sites, especially when the package is large and the changes are relatively small.

Procedure

  1. Within the SCCM Console go to Software Library\Overview\Software Updates\Deployment Packages
  2. [Right Click Package] and check Enable binary differential replication

Examples

Figure 10 Enabling Binary Differential Replication

Allow Site Server and Microsoft to be used as Fallback Update Locations

Overview

If there is no distribution point assigned to a client, updates can fail to deploy. Allowing a fallback source increases the chances that all clients will receive their required updates.

Procedure

  1. Within the SCCM Console go to Software Library\Overview\Software Updates\Automatic Deployment Rules
  2. Click an ADR, and then go to the Deployment Settings tab at the bottom of the screen
  3. [Right Click] Properties
  4. Open the Download Settings tab and check If software updates are not available…

Examples

Figure 11 Configuring Fallback Sources for ADRs

Remediate Updates That Are required but not deployed

Overview

There is a prebuilt SCCM report that can help identify updates that are required, but have not been distributed.

Procedure

  1. Using Internet Explorer, browse to the Reports path at http://vconscm005prd/Reports
  2. Find the report Management 2 – Updates required but not deployed and run it
  3. Collection: ‘Production Workstation’ and ‘Production Server’ (one report for each)
  4. Vendor: Microsoft
  5. Update Class: Critical and Security (one report for each)
  6. Export each report as updates_nn.csv
  7. Connect to AS1: PowerShell console and use the report to update Software Update Groups accordingly:

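# Load the exported report (updates_nn.csv from the previous step)
$updates = Import-Csv -Path updates_nn.csv

# Look up each reported update and keep those still missing on at least one client
$undeployedupdates = $updates | ForEach-Object { Get-CMSoftwareUpdate -ArticleId $_.update -Fast | Where-Object { $_.NumMissing -ge 1 } }

$PilotSoftwareUpdategroup = Get-CMSoftwareUpdateGroup -Name "SVR – 2 – Production Servers Updates – All other Products* nnn"

# Add the missing updates to the Software Update Group
$undeployedupdates | ForEach-Object { Add-CMSoftwareUpdateToGroup -SoftwareUpdateId $_.CI_ID -SoftwareUpdateGroupName "SVR – 2 – Production Servers Updates – All other Products* nnn" }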

Examples

Figure 12 Checking Critical Updates

Figure 13 Checking Security Updates

Software Update Cleanup of Supersedence and Expired

Overview

Superseded and Expired updates need to periodically be cleaned up from Software Update Groups.

Superseded Updates Procedure

  1. Within the SCCM Console go to Software Library\Overview\Software Updates\All Software Updates
  2. Add Criteria -> Superseded + Deployed
  3. [Right Click] Edit Membership -> Uncheck from each Deployment Package

Expired Procedure

  1. Within the SCCM Console go to Software Library\Overview\Software Updates\All Software Updates
  2. Add Criteria -> Expired + Deployed
  3. [Right Click] Edit Membership -> Uncheck from each Deployment Package

Examples

Figure 14 Removing Expired Updates From SUG
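
The superseded and expired cleanup above can also be driven from the AS1: PowerShell console. The following is an added example, not part of the original procedure: it reports every superseded or expired update still in a Software Update Group and removes them only when $Remove is set. The CSV path is hypothetical, and holding back superseded updates that clients still report as required is a conservative choice made for this example.

```powershell
# Added example, not from the original article. Assumes the ConfigurationManager
# module is imported and the current location is the site drive (e.g. AS1:).
$Remove  = $false   # report only; set to $true after reviewing the CSV
$csvPath = Join-Path $env:TEMP 'stale_sug_members.csv'   # hypothetical output path

function Get-StaleSugMembership {
    # One row per (group, update) pair where the update is superseded or expired.
    foreach ($sug in Get-CMSoftwareUpdateGroup) {
        $groupName = $sug.LocalizedDisplayName
        Get-CMSoftwareUpdate -UpdateGroupName $groupName -Fast |
            Where-Object { $_.IsSuperseded -or $_.IsExpired } |
            ForEach-Object {
                [pscustomobject]@{
                    GroupName    = $groupName
                    CI_ID        = $_.CI_ID
                    ArticleID    = $_.ArticleID
                    Title        = $_.LocalizedDisplayName
                    IsSuperseded = $_.IsSuperseded
                    IsExpired    = $_.IsExpired
                    # Number of clients still reporting the update as required.
                    NumMissing   = $_.NumMissing
                }
            }
    }
}

$stale = @(Get-StaleSugMembership)
$stale | Sort-Object GroupName, Title | Format-Table -AutoSize
$stale | Export-Csv -Path $csvPath -NoTypeInformation

if ($Remove) {
    foreach ($row in $stale) {
        # Expired updates are always removed. Superseded updates are removed only
        # when no client still requires them (this example's conservative choice).
        if ($row.IsExpired -or $row.NumMissing -eq 0) {
            Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateId $row.CI_ID `
                -SoftwareUpdateGroupName $row.GroupName -Force
        }
    }
}
```

Rows left behind with NumMissing above zero point to a superseding update that has not reached those clients yet; check its deployment before removing the older one by hand.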

Software Update Groups Cleanup

Overview

Once an Update Group has been automatically created, used and replaced by a new Update Group of the same exact type, the old group can safely be deleted. This helps keep the environment clean and remove unnecessary Software Update Group deployments.

Procedure

  1. Within the SCCM Console go to Software Library\Overview\Software Updates\Software Update Groups
  2. Sort by Name
  3. Delete the older of identical Software Update Groups if no longer used

Examples

Figure 15 Deleting Old Software Update Groups
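
Sorting by name in the console can be reproduced as a report. The following is an added example, not part of the original procedure: it lists every Software Update Group that has a newer sibling of the same type. It assumes the groups were created by an ADR and end in a "yyyy-MM-dd HH:mm:ss" timestamp; adjust the pattern if the naming differs.

```powershell
# Added example, not from the original article. Run from the site drive (e.g. AS1:)
# with the ConfigurationManager module imported.
$Remove = $false   # report only; set to $true after reviewing the list

# Assumption: ADR-created groups are named "<rule name> yyyy-MM-dd HH:mm:ss".
$stampPattern = '\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}$'

function Get-OlderDuplicateSug {
    $groups = Get-CMSoftwareUpdateGroup | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.LocalizedDisplayName
            # Name without the timestamp identifies groups of the same type.
            Family     = $_.LocalizedDisplayName -replace $stampPattern, ''
            Created    = $_.DateCreated
            IsDeployed = $_.IsDeployed
        }
    }
    # Within each family keep the newest group and return the rest.
    $groups | Group-Object Family | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $_.Group | Sort-Object Created -Descending | Select-Object -Skip 1
    }
}

$older = @(Get-OlderDuplicateSug)
$older | Sort-Object Family, Created | Format-Table Family, Name, Created, IsDeployed -AutoSize

if ($Remove) {
    foreach ($g in $older) {
        # Deleting a group also deletes its deployments, so review IsDeployed first.
        Remove-CMSoftwareUpdateGroup -Name $g.Name -Force
    }
}
```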
