SCCM 2012 patching design – no subcollections

I'm still in the process of implementing SCCM 2012, but I've done some research on this topic to come up with a good plan for implementing software updates.

First, there is a finite limit for the number of patches you can include in a single deployment. I think with 2012 it was increased to 1000, so that's generally not going to be a concern. Though, I believe there are still some drawbacks to having a very large number of patches - every time you make a change to the deployment (adding new patches), there's a lot more processing that has to happen to re-evaluate compliance. Unless you have a TON of patches, or a lot of clients (50,000-100,000+), I think it will be negligible.

That said, this is my plan. It's somewhat specific to my environment, but I think it can apply to most environments.

1. Have one large deployment containing all patches for all products that are included on your standard image (if your image was fully patched as of Feb 2013, only include the patches that are actually necessary).
2. Every month, create two new update group deployments: one for all critical patches, and one for all non-critical patches. That way, our QA department can test them independently, and focus on releasing the critical patches first.
3. Every 6 months to a year, update the base image WIM source file to include all patches released in that time period.
   • Move the 6 months of patches into the 'base' patch deployment group.

One thing to note - if you weren't already aware, SCCM only downloads the updates that are applicable to each computer - even if you have one deployment with 150 patches, it will only copy down the files and install the patches that are needed. With this approach, we should be able to keep our systems fully patched, and keep the image up to date so it doesn't take an additional 45 minutes to image a machine.

Also note, we aren't patching servers, and we have a fairly standardized environment. If we had multiple images / operating systems to support, I might make a few changes to the above plan (multiple "baseline" patch groups, one per image).

Perhaps the REV site code was used for a temporary test installation of SCCM 2012? Perhaps not. Institutional knowledge doesn't have any record of the REV it and the migration we performed before I was hired.

This hunch was correct. I got a hold of my predecessor and apparently the first and unsuccessful attempt to migrate from SCCM 2007 to SCCM 2010 used the REV site code. How it managed to sit dormant in WMI all this time and why it got "activated" is a complete mystery to me.

I very carefully re-read the solution in this TechNet post which advised deleting the old namespaces and decided to try that. I kind of hesitate to mark this as an answer even though it did resolve this issue, it indicates that I implicitly approve of it, especially since I couldn't get anyone "official" at Microsoft to confirm whether or not this was a safe approach or what the consequences were for doing this. That being said, make sure you have complete backups of your SCCM server or at least a much more intimate knowledge of WMI before proceeding. You could very easily break everything doing this, especially if like me, you're not familiar with WMI and how deeply SCCM leverages it.

I used wbemtest to connect to the root\sms namespace on our SCCM server. From there I used the [Enum_Instances...] button and search for __NAMESPACE as the superclass. I deleted the entry for the REV site code. I then did the same Enum_Instances for the SMS_ProviderLocation as the superclass and deleted the old site code from that namespace. Re-running the Automatic Deployment Rules and reviewing the PatchDownloader.log showed the successful downloading of each Windows Update.

I would greatly appreciate more information about how these namespaces are used by SCCM and exactly how this fixed the issue if anyone has more detailed information.