Sccm software update strategy
Nothing is updated "dynamically". For endpoint protection I would recommend that you use the same update group every time, as they release three times a day. Thus, your ADR will add updates to a Software Update Group (new or existing) and either update or create a new deployment on the Software Update Group to deploy the updates to the client.
The ADR will also download any necessary content to the update package specified when you created the ADR, and the package will be replicated to all DPs it is distributed to. If the package doesn't exist when the ADR runs, you will get an error.
Clients use boundary groups to find a new software update point. If their current software update point is no longer accessible, they also use boundary groups to fall back and find a new one. Add individual software update points to different boundary groups to control which servers a client can find. For more information, see Software update points.
If you have multiple software update points at a site, and one fails or becomes unavailable, clients will connect to a different software update point. With this new server, clients continue to scan for the latest software updates. When a client is first assigned a software update point, it stays assigned to that software update point unless it fails to scan. The scan for software updates can fail with a number of different retry and non-retry error codes.
When the scan fails with a retry error code, the client starts a retry process to scan for the software updates on the software update point.
The high-level conditions that result in a retry error code are typically that the WSUS server is unavailable or temporarily overloaded. When the client fails to scan for software updates, it uses the following process: if the scan fails, the client waits 30 minutes and retries the scan against the same software update point. The client retries a minimum of four times at 30-minute intervals. After the fourth failure, and after an additional two-minute wait, the client moves to the next software update point in its list.
The client repeats this process with the new software update point. After a successful scan, the client continues to connect to the new software update point. The following points are additional considerations for software update point retry and switching scenarios: if a client is disconnected from the intranet and fails to scan for software updates, it doesn't switch to another software update point.
This failure is expected, because the client can't reach the internal network or a software update point that allows connections from the intranet.
The Configuration Manager client determines the availability of the intranet software update point. If you're managing clients on the internet, and have configured multiple software update points to accept communication from clients on the internet, the switching process follows the standard retry process previously described.
If the scan process starts but the client is turned off before the scan completes, it isn't considered a scan failure and doesn't count as one of the four retries. When Configuration Manager receives one of the Windows Update Agent error codes on its retry list, the client retries the connection. To look up the meaning of an error code, convert the decimal error code to hexadecimal, and then search for the hexadecimal value on a site such as the Windows Update Agent - Error Codes Wiki.
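The retry and switching behaviour described above, together with the decimal-to-hexadecimal conversion of Windows Update Agent error codes, as an added PowerShell example that is not part of the original page or of Microsoft's documentation. It assumes a constructed sequence of scan results and an illustrative subset of retry error codes; the full retry list used by the Configuration Manager client is not reproduced here.

```powershell
# Added example, not from the original page: model the retry and switching
# behaviour described above and decode the decimal error codes that reports
# show. Assumptions: the scan results below are constructed for this example,
# and the retry-code table is a small illustrative subset, not the complete
# list the Configuration Manager client uses.

$RetryIntervalMinutes = 30   # wait between retries against the same server
$MaxRetries           = 4    # failures before the client gives up on a server
$SwitchDelayMinutes   = 2    # extra wait before moving to the next server

# Illustrative subset of Windows Update Agent codes that trigger a retry.
$RetryErrorCodes = @{
    '0x8024402C' = 'WU_E_PT_WINHTTP_NAME_NOT_RESOLVED'   # WSUS name did not resolve
    '0x80244022' = 'WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL'  # WSUS answered HTTP 503
    '0x80072EE2' = 'WININET_E_TIMEOUT'                    # request timed out
}

function ConvertTo-WuaHexCode {
    # Reports show the code as a signed 32-bit decimal (e.g. -2145107924);
    # formatting it with X8 gives the 0x8024xxxx form used by the error wiki.
    param([Parameter(Mandatory)][int32]$DecimalCode)
    return '0x{0:X8}' -f $DecimalCode
}

function Test-IsRetryCode {
    param([Parameter(Mandatory)][int32]$DecimalCode)
    return $RetryErrorCodes.ContainsKey((ConvertTo-WuaHexCode $DecimalCode))
}

function Get-ScanRetryTimeline {
    # Walk one scan result per attempt (0 = success, otherwise a WUA code) and
    # report when the client exhausts its retries and moves to the next
    # software update point in the list it received from the management point.
    param(
        [Parameter(Mandatory)][int32[]]$ScanResults,
        [Parameter(Mandatory)][string[]]$SupList
    )
    $supIndex = 0; $failures = 0; $minute = 0
    $timeline = New-Object System.Collections.Generic.List[string]
    foreach ($code in $ScanResults) {
        $sup = $SupList[$supIndex]
        if ($code -eq 0) {
            $failures = 0
            $timeline.Add("t+${minute}m scan succeeded against $sup; client stays assigned to it")
            continue
        }
        $hex = ConvertTo-WuaHexCode $code
        if (-not (Test-IsRetryCode $code)) {
            $timeline.Add("t+${minute}m non-retry error $hex on $sup; no retry cycle started")
            continue
        }
        $failures++
        $timeline.Add("t+${minute}m retry error $hex ($($RetryErrorCodes[$hex])) on $sup, failure $failures of $MaxRetries")
        if ($failures -ge $MaxRetries) {
            $minute  += $SwitchDelayMinutes
            $supIndex = ($supIndex + 1) % $SupList.Count
            $failures = 0
            $timeline.Add("t+${minute}m switching to $($SupList[$supIndex])")
        } else {
            $minute += $RetryIntervalMinutes
        }
    }
    return $timeline
}

# Constructed input: four name-resolution failures, then success on the next server.
$sample = [int32[]](-2145107924, -2145107924, -2145107924, -2145107924, 0)
Get-ScanRetryTimeline -ScanResults $sample -SupList @('sup01.corp.example', 'sup02.corp.example')
```

With the constructed input, the timeline shows failures at t+0, t+30, t+60 and t+90 minutes against the first server, the switch at t+92, and a successful scan against the second server, after which the client stays with it. Feed the function real decimal codes from a report to see which ones would start a retry cycle and which would not.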
Switch Configuration Manager clients to a new software update point when there are issues with the active software update point. This change only happens when a client receives multiple software update points from a management point.
When you switch devices to use a new server, the devices use fallback to find that new server. Clients switch to the new software update point during their next software updates scan cycle. Before you start this change, review your boundary group configurations to make sure that your software update points are in the correct boundary groups. Switching to a new software update point generates additional network traffic.
The amount of traffic depends on your WSUS configuration settings, for example, the synchronized classifications and products, or use of a shared WSUS database.
If you plan to switch multiple devices, consider doing so during maintenance windows. This timing reduces the impact to your network when clients scan with the new software update point. Start this change on a device collection. Once triggered, the clients look for another software update point at the next scan. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the Device Collections node.
Select the target collection. Create one or more software update points at a site to support clients in an untrusted forest. To add a software update point in another forest, first install and configure a WSUS server in that forest. Then start the wizard to add a Configuration Manager site system server with the software update point site system role. In the wizard, configure the following settings to successfully connect to WSUS in the untrusted forest:
When switching to the next software update point, the clients prioritize the servers from the same forest. Typically, the top-level site in your hierarchy is configured to synchronize software updates metadata with Microsoft Update. When your organizational security policy doesn't allow the top-level site to access to the internet, configure the synchronization source for the top-level site to use an existing WSUS server.
For example, you have a WSUS server in an internet-connected network (DMZ), but your top-level site is in an internal network without internet access. Configure the software update point at the top-level site to synchronize from the WSUS server in the DMZ, and make sure that WSUS server synchronizes the products and classifications you need. Otherwise, the top-level site might not synchronize the software updates that you expect. When you install the software update point, configure a WSUS server connection account. Also confirm that the firewall permits traffic on the appropriate ports.
For more information, see the ports used by the software update point to connect to the synchronization source. The software update point is optional on a secondary site. Install only one software update point at a secondary site.
When a software update point isn't installed at the secondary site, devices within the boundaries of a secondary site use a software update point at their assigned primary site. You typically install a software update point at a secondary site when there's limited network bandwidth between the devices in the secondary site and the software update points at the parent primary site.
You may also use this configuration when the software update point at the primary site approaches the capacity limit. After you successfully install and configure a software update point at the secondary site, a site-wide policy is updated for clients, and they start to use the new software update point.
When you need to manage devices that roam off your network onto the internet, develop a plan for how to manage software updates on these devices. Configuration Manager supports several technologies for this scenario. Use one or a combination as necessary to meet the requirements of your organization.
Create a cloud management gateway in Microsoft Azure and enable at least one on-premises software update point to allow traffic from internet-based clients.
As clients roam onto the internet, they continue to scan against your software update points. All internet-based clients always get content from the Microsoft Update cloud service. For more information, see Overview of cloud management gateway and Configure boundary groups.
Place a software update point in an internet-facing network and enable it to allow traffic from internet-based clients. As clients roam onto the internet, they switch to this software update point for scanning. For more information on the advantages and disadvantages of internet-based client management, see Manage clients on the internet. Windows Update for Business allows you to keep Windows 10 or later devices always up-to-date with the latest quality and feature updates.
These devices connect directly to the Windows Update cloud service. For more information, see Integration with Windows Update for Business. Clients need to download the content files for software updates in order to install them. Configuration Manager provides several technologies to support management and delivery of this content.
You can also configure software update deployments to allow or require clients to get content directly from the Microsoft Update cloud service. By default, the software update management process in Configuration Manager uses the built-in content management features. These features include the centralized, single-instance store content library, and the distributed design of the distribution point site system role.
You use these features when you download and distribute software update deployment packages. For more information, see Download software updates. Configuration Manager supports the use of express installation files for Windows updates. Express update files and supporting technologies such as Delivery Optimization can help reduce the network impact of large content files downloading to clients. For more information, see Optimize Windows update delivery.
When you deploy software updates to clients, you can configure the deployment so that clients download content from the Microsoft Update cloud service. When clients aren't able to download content from another content source, such as a distribution point, they can still download the content from the internet. You don't have to create a deployment package when deploying software updates. When you select the No deployment package option, clients can still download content from local sources if available, but typically download from the Microsoft Update service.
Internet-based clients always download content from the Microsoft Update cloud service. Don't distribute software update deployment packages to a content-enabled cloud management gateway (CMG). Most customers use other third-party applications that also need updates.
There are several options to consider for keeping third-party applications up to date. Use a supersedence relationship with the application management feature in Configuration Manager to upgrade or replace existing applications.
When you supersede an application, specify a new deployment type to replace the deployment type of the superseded application. Also decide whether to upgrade or uninstall the superseded application before the superseding application is installed. For more information, see Revise and supersede applications. You can use the Third-Party Software Update Catalogs node in the Configuration Manager console to subscribe to third-party catalogs, publish their updates to your software update point, and then deploy them to clients.
For more information, see Third-party software updates. System Center Updates Publisher (SCUP) is a stand-alone tool that enables independent software vendors or line-of-business application developers to manage custom updates. These updates include those with dependencies, like drivers and update bundles. SCUP can also be used for third-party update catalogs that aren't available directly in the console. For more information, see System Center Updates Publisher. This section provides information about the steps to take to successfully plan and prepare for the software update point installation.
Before you create a site system role for the software update point in Configuration Manager, there are several requirements to consider. The specific requirements depend on your Configuration Manager infrastructure. When you configure the software update point to communicate by using HTTPS, this section is especially important to review.
HTTPS-enabled servers require additional steps to work properly. Install the software update point role on a site system that meets the minimum requirements for WSUS and the supported configurations for Configuration Manager site systems. For more information about the minimum requirements for the WSUS server role in Windows Server, see Review considerations and system requirements. For more information about the supported configurations for Configuration Manager site systems, see Site and site system prerequisites.
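Two checks that follow from the firewall-port requirement for the synchronization source above and from the HTTPS caveat here, as an added PowerShell example that is not part of the original page or of Microsoft's documentation. It assumes placeholder host names and that WSUS listens on its default ports (8530 for HTTP, 8531 for HTTPS); the TLS check reports the certificate the server presents and whether the local trust store validates its chain, which is what a client needs before it will scan against an HTTPS-enabled software update point.

```powershell
# Added example, not from the original page: pre-flight checks for a software
# update point or synchronization source. Assumptions: the host names are
# placeholders; WSUS listens on its default ports (8530 HTTP, 8531 HTTPS).

function Test-WsusPortReachability {
    # TCP reachability on the WSUS ports, one object per port, so a blocked
    # firewall shows up before the first failed sync or client scan.
    param(
        [Parameter(Mandatory)][string]$Server,
        [int[]]$Ports = @(8530, 8531)
    )
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $Server; Port = $port; TcpOpen = $r.TcpTestSucceeded }
    }
}

function Get-WsusTlsCertificate {
    # For an HTTPS-enabled WSUS, fetch the certificate it presents and record
    # whether this machine's trust store validates the chain. Clients reject
    # the software update point when this validation fails.
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 8531)
    $state = @{ PolicyErrors = $null }
    # Accept any certificate at the TLS layer but remember the policy errors,
    # so the handshake completes and the chain problem can still be reported.
    $verify = { param($sender, $cert, $chain, $errors)
        $state.PolicyErrors = $errors; $true }.GetNewClosure()
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $verify)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            Server       = $Server
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Expired      = ($cert.NotAfter -lt (Get-Date))
            ChainValid   = ($state.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
            PolicyErrors = [string]$state.PolicyErrors
            Protocol     = $ssl.SslProtocol
        }
    } finally {
        $tcp.Dispose()
    }
}

# Usage (host names are placeholders): run from the site server toward its
# synchronization source, and from a client toward its software update point.
Test-WsusPortReachability -Server 'wsus-dmz.example.com'
Get-WsusTlsCertificate    -Server 'sup01.corp.example'
```

A `ChainValid` of `$false` with `RemoteCertificateChainErrors` in `PolicyErrors` means the issuing CA is not trusted on the machine running the check; `RemoteCertificateNameMismatch` means the name clients use for the software update point is not in the certificate. Both must be resolved on the clients, not only on the server, before switching the software update point to HTTPS.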
This guide does not explain how to set up your software update point. There are other ways of doing software update management in SCCM; this document describes a typical case that can be used in any organization as a good starting point.
Good luck with your googling, readers of this.
Thank you for your feedback; based on your comment, we included this information in version 2 of this guide.
If I had known this guide had not been updated in over four years, I would not have purchased it.