Today I’m going to talk a bit aobut software updates. As you may be aware, softwre update is a “simple” task however, the process behind the software update can be a bit complex. And the reason is simple, what happen if I do this?
Well…i don’t want this post to be dealt as “best practices” but a guidance on how to do software update and the reason is simple, many people know how to do, but always want a bit more guidance on what would be better….and remember…not best practices. I always refuse to talk about best practices because it always depends. Let’s imagine the scenario where you have a remote site with 3k users. Should you put a local DP there? maybe a secondary site? Let’s assume that as best practices, you would add a distribution point, but on this scenario, every single server should only be located on the datacenters only. As you can see, the best practices changed for this environment. this is the same for the software updates. This is the base where I always start and I make changes when needed.
Well…let’s stop talking about something else and let’s start with software updates.
1st step is to create “baselines”. Baselines are basic, a sw update group where every single update that has been already approved or is on your base image (yes, sw update is tight with OS Deployment). You’ll also, split the baselines per product to be easy to manage. It means you’ll have 1 baseline for Windows 7, 1 for windows 8/8.1, 1 for windows server 2012, 2012 r2, etc…
The easiest way to see which update to add to each baseline is adding the column product to the list of software update
Let’s assume in this example that every single update released by december/2013 has been already approved. It means you’ll create a baseline for it as well as update your WIM file. Now, you may be asking, why do I need the “baseline” if all updates are already on my WIM file and every single machine will get it by default?!?!!? It is simple, reporting. I say that because you should not need to deploy any update on this baseline as the user should not have rihts to remove updates (yes, utopia world)
The 1sst step is done, now, we need to create the monthly patches, this would be simple, add every single update to the month. Yes, there are only few updates every month, you don’t need to create many per product etc…
In this case, you’ll need to create updates for 2014-January, 2014-February, etc…
As you can see, you can easily have 12 update group per year. But when do I clean them up? Simple, the next time you re-create your WIM file, you’ll move all updates to the baselines.
Let’s understand the process. June, you update your WIM file adding to it every single update released by june. What you do next? Easy, move the updates released until last month (may) to the baselines and delete the update group for the month. Easy isn’t it?
But why do I move on the updates released by may and not june. It is simple, you’re still deploying the june updates and the june updates will be safely migrated to the baselines once it has 100% of compliance. But it may take few months..
Interesting, but what about the expired updates? Once the update is marked as expired, you cannot deploy it anymore, and in this situation, you should remove it from the update group. This is a process you need to look at every time there is a windows update sync.
And what about superseeded updates? Well, this is a bit different, reason is simple, are you deploying the new update?!?!? If yes, you can easily remove the old update once the new update reach 100% of compliance 🙂
Ok, but I did not see you deploying these updates, how do you do? I normally deploy it to at least 2 collections
1- All unknown systems (yes, you need this to “just in case”)
2- A collection that contains all machines with that sw installed. The world has changed a bit since windows xp where deploying to “All active machines” could cause performance issues. I’m not going to start talking about this, what I would recommend to be easy to manage would create a collection for all actice systems and deploy it to this colleciton Wow, it seems a good “guidance” but do you actually know what you need to do?
The list bellow list steps you need to take
When you start
1- Create baselines update group
2- Download files to a deployment group with same name as update group
3- Create deployment to collections
1- Create monthly update group
2- Download files to a deployment group with same name as the update group
3- Create deployment to collections
4- Remove any expired updates from any other update group, including baselines
Every few months (when you update your WIM File)
1- Backup your WIM file and re-create it…test, test and test
2- Move the monthly updates (until last month) to the baselines
3- Re-download the updates to the baseline deployment group
4- Delete the monthly update group
5- Delete the monthly deployment group
Do you have any comments? Would you like to share the way you do? Contact me firstname.lastname@example.org