ConfigMgr 2012 - How to automatically make updates available to computers without forcing them to be installed?

Solution 1:

I know this question is a bit old, but there are some untruths being posted here. There is nothing wrong with how SCCM 2012 functions, the problem is a misunderstanding of how it deploys software and updates. It is not fair to quote Microsoft when they say it was behaving "by design" and that you cannot do anything but set a deadline far into the future. This actually IS by design, but based on YOUR design. You didn't set maintenance windows, so of course the updates will apply as soon as the deadline hits. That's what it does by default. In that type of design, you must set your deadline far into the future to avoid the installation starting. However, that's NOT the only way to do what you want, nor is it the simplest.

Did you know you can reverse SCCM's default behavior of "anything goes unless told otherwise"?

To do this, create a new collection (named anything that makes sense, like "Deploy Manually") and include the "All Systems" collection in its membership. Then get Properties on it, and set a Maintenance Window using any effective date in the past, like 01/01/2013 from 12:00am to 12:05am, and set the recurrence schedule to None. You will get a warning about recurrence not being set, but click OK anyway. From that point forward, every device in your SCCM environment will automatically have an expired Maintenance Window set on it, and can no longer install anything without a new Maintenance Window, or by checking the override maintenance window box when making a deployment. This is the opposite of its previous behavior, because it will now run no installs or updates until explicitly told.

This is very powerful, but the caveat is that you now have full manual control over when installs can run and when reboots can take place -- just like you wanted. Now those checkboxes have a meaning. For example, if you have auto deployment rules, like Endpoint Protection Definitions, you need to make sure they can install outside of maintenance windows unless you enjoy logging into servers every day to apply them. You have the option to suppress reboots even if an install is allowed to run outside maintenance windows. One benefit is that you can easily deploy anything and simply use "As soon as possible" when choosing assignments and deadlines for manual installs, and if you're clever about maintenance window setups, you can deploy patches once, but schedule the actual install and reboot by using other collections with new maintenance windows. Remember, maintenance windows are cumulative across all collections, so design your environment accordingly.
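The "expired maintenance window" procedure above, scripted with the ConfigMgr console PowerShell module as an added example (this is not code from the original answer). The site code "ABC", the collection name, and the assumption that the installed module version provides these cmdlets (ConfigMgr 2012 SP1 or later) are mine.

```powershell
# Added example: apply an already-expired, non-recurring maintenance window to
# every device so that nothing installs until a deployment or another collection
# explicitly allows it. Assumes the console is installed locally and site code "ABC".
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "ABC:"   # site drive created by the module; replace with your site code

$collName = "Deploy Manually"

# 1. Collection whose membership includes the built-in All Systems collection.
if (-not (Get-CMDeviceCollection -Name $collName)) {
    New-CMDeviceCollection -Name $collName -LimitingCollectionName "All Systems" | Out-Null
    Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $collName `
        -IncludeCollectionName "All Systems"
}

# 2. Five-minute window on 01/01/2013 (00:00 to 00:05) with no recurrence.
#    The console warns about the missing recurrence; the cmdlet does not.
$start    = Get-Date "2013-01-01 00:00"
$schedule = New-CMSchedule -Start $start -End $start.AddMinutes(5) -Nonrecurring

New-CMMaintenanceWindow -CollectionName $collName `
    -Name "Expired window - blocks all installs" -Schedule $schedule | Out-Null

# 3. Check the result. Every client that is a member of All Systems now carries this
#    expired window; remember windows are cumulative, so any other collection that
#    grants a live window re-enables installs for its members during that window.
Get-CMMaintenanceWindow -CollectionName $collName |
    Format-List Name, StartTime, Duration, IsEnabled
```

After running this, deployments that must still run unattended (for example an automatic deployment rule for Endpoint Protection definitions) need the "allow outside maintenance window" option ticked, as the answer notes.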

Solution 2:

Have you tried setting the deadline to ridiculously long into the future?

That's how I handle advertisements to my servers in SCCM 2008. I set the deadline for 1 year from the date I roll out the advertisements to the servers. Nice and convenient, since when the patching window rolls around, all the updates are there, waiting to be installed, but won't kick off without manual intervention. Also requires less effort on my part than mucking around in those settings you're trying to get to work as expected.

Solution 3:

Why not just make your deployment "available" rather than "required"? That way the updates will appear in Software Center but not automatically install.

Also, maintenance windows apply to the Client, not to the Collection.

"An additional gotcha is that if a machine is a member of more than one collection that have Deployments targeted to them, and one of those collections does not have a maintenance window defined, the maintenance windows of the other collections are effectively ignored."

Actually the maintenance window of the CLIENT will be the sum of whatever maintenance windows are applied to it. So if you have a one-hour maintenance window applied through membership in one collection, and the client is also a member of a collection with NO maintenance window defined, your effective maintenance window is one hour.

Solution 4:

Assuming that SCCM 2012 behaves like SCCM 2007, the absence of a maintenance window means that the machines in that collection will install updates whenever they feel like it (at or after the deadline), as you have found.

Personally what I do is to have collections based on AD security group membership. Servers that are members of the Tuesday Maintenance group, for example, become members of the Tuesday Maintenance collection and (surprise) are updated on a Tuesday evening.

Servers that cannot be rebooted on a weekly basis are kept in a collection that has no Update Deployments targeted at it, and so they never download or apply any updates except for Definition Updates.

On the occasions when I am able to update these critical servers, I just temporarily add them to an AD security group that is targeted by a collection that has a suitable maintenance window - or just create a new one in advance.

Not sure if this approach will be what you're looking for, but perhaps might give you some ideas.