ConfigMgr 2012 – How to automatically make updates available to computers without forcing them to be installed

Tags: configuration-management, sccm, sccm-2012, system-center, windows-update

I'm using System Center Configuration Manager 2012 with the Software Update Point feature; however, in this environment patching has to be strictly manual, because server reboots need to be approved and scheduled by different people; thus, I need to use ConfigMgr's SUP like I would use a plain WSUS server with auto-approval but with manual installation.

I created some Automatic Deployment Rules to automatically download and deploy critical updates, and to have an installation deadline of "as soon as possible"; but then, I've also configured those rules to not do anything when the deadline is reached, and to not perform system restarts even if needed:

Screenshot with nice red circle

Also, I've configured the device collections to which those rules deploy updates to not have any valid maintenance window.

However, I'm experiencing quite the opposite of what I was expecting: as soon as the new updates are processed by the ADRs, they get automatically installed on all systems by the Software Center, and the computers are subsequently restarted.

Why is this happening? Am I getting something wrong or is just ConfigMgr 2012 not behaving like it should?

Best Answer

I know this question is a bit old, but there are some untruths being posted here. There is nothing wrong with how SCCM 2012 functions; the problem is a misunderstanding of how it deploys software and updates. It is not fair to quote Microsoft when they say it was behaving "by design" and that you cannot do anything but set a deadline far into the future. This actually IS by design, but based on YOUR design. You didn't set maintenance windows, so of course the updates will apply as soon as the deadline hits. That's what it does by default. In that type of design, you must set your deadline far into the future to avoid the installation starting. However, that's NOT the only way to do what you want, nor is it the simplest.

Did you know you can reverse SCCM's default behavior of "anything goes unless told otherwise"?

To do this, create a new collection (named anything that makes sense, like "Deploy Manually") and include the "All Systems" collection in its membership. Then get Properties on it, and set a Maintenance Window using any effective date in the past, like 01/01/2013 from 12:00am to 12:05am, and set the recurrence schedule to None. You will get a warning about recurrence not being set, but click OK anyway. From that point forward, every device in your SCCM environment will automatically have an expired Maintenance Window set on it, and can no longer install anything without a new Maintenance Window, or by checking the override maintenance window box when making a deployment. This is the opposite of its previous behavior, because it will now run no installs or updates until explicitly told.

This is very powerful, but the caveat is that you now have full manual control over when installs can run and when reboots can take place -- just like you wanted. Now those checkboxes have a meaning. For example, if you have auto deployment rules, like Endpoint Protection Definitions, you need to make sure they can install outside of maintenance windows unless you enjoy logging into servers every day to apply them. You have the option to suppress reboots even if an install is allowed to run outside maintenance windows. One benefit is that you can easily deploy anything and simply use "As soon as possible" when choosing assignments and deadlines for manual installs, and if you're clever about maintenance window setups, you can deploy patches once, but schedule the actual install and reboot by using other collections with new maintenance windows. Remember, maintenance windows are cumulative across all collections, so design your environment accordingly.
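The "expired maintenance window on everything" setup from the answer above, scripted with the ConfigMgr PowerShell module as an added example (not the answer author's code). It assumes the console is installed on the machine running it, that the site code is `PS1`, and that the collection name `Deploy Manually` is free; the final ADR step uses parameter names from newer module versions and is an assumption to verify against your installed cmdlets.

```powershell
# Load the ConfigurationManager module shipped with the admin console and
# switch to the site's PSDrive (assumption: site code PS1).
$siteCode = 'PS1'
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($siteCode):"

$collName = 'Deploy Manually'

# 1. Collection that contains every device via an include rule on All Systems.
if (-not (Get-CMDeviceCollection -Name $collName)) {
    New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems' | Out-Null
    Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $collName `
        -IncludeCollectionName 'All Systems'
}

# 2. A non-recurring, five-minute window in the past (01/01/2013 00:00-00:05),
#    exactly as described in the answer. Because it is already expired and never
#    recurs, every member ends up with a maintenance window that is never open.
$schedule = New-CMSchedule -Start (Get-Date '2013-01-01 00:00') `
                           -End   (Get-Date '2013-01-01 00:05') -Nonrecurring

New-CMMaintenanceWindow -CollectionName $collName -Schedule $schedule `
    -Name 'Expired window - blocks installs unless a deployment overrides it' | Out-Null

# 3. Verify: the window should show the 2013 start date and no recurrence.
Get-CMMaintenanceWindow -CollectionName $collName |
    Select-Object Name, StartTime, Duration, IsEnabled | Format-Table -AutoSize

# 4. Deployments that must still flow (e.g. antimalware definitions) need the
#    "install outside maintenance window" flag set, with restarts suppressed.
#    Assumption: these parameter names exist on your module version; confirm with
#    (Get-Command Set-CMSoftwareUpdateAutoDeploymentRule).Parameters.Keys
Set-CMSoftwareUpdateAutoDeploymentRule -Name 'Endpoint Protection Definitions' `
    -AllowSoftwareInstallationOutsideMaintenanceWindow $true `
    -AllowRestart $false
```

After this runs, a deployment with an "as soon as possible" deadline no longer installs anywhere until you either add a real maintenance window on another collection or tick the override box on that specific deployment.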