Patch management can be a logistical nightmare, and giving it the attention it deserves is difficult at times. With System Center Configuration Manager 2012, Software Update Groups and Automatic Deployment Rules help, but phasing updates across the estate still costs valuable time creating the additional deployments. SCCM can be made to work much harder for us, though…
I’ve had a version of this PowerShell script, which automates Software Updates, running live for some time now. It’s part of a bigger solution that my colleague Robert Ryan and I worked on using Azure SMA Runbooks. Rob’s currently looking at writing up the automation of the collection membership.
The script checks for a matching Software Update Group created by an Automatic Deployment Rule and creates 3 additional deployments based on parameters from a settings.xml file. It can also email a report showing the deployment dates for each phase, the updates included and the corresponding compliance reports.
Download the SetDeploymentPhases script and copy the folder to the primary SCCM server or to a computer with the SCCM PowerShell module installed. Before running the script, follow the prerequisite guide below.
1. Create the Device Collections phases and Automatic Deployment Rule
Before running the script, create 4 device collections in SCCM, one for each phase of the deployment. The Test Phase collection will be used by the Automatic Deployment Rule.
Under Automatic Deployment Rules, create a new ADR for the test phase called “ADR – <Site> – Workstation – Software Updates”. Point it at your Test Phase collection and select the option to put new updates into a new software update group.
IMPORTANT: The name must follow the pattern ADR – <Site> – <UpdateType> – Software Updates in order for the script to work.
Specify the deployment setting detail level and license agreement.
Specify the software update criteria. (Note: you can select just one product here; I selected two in this example.)
Specify evaluation schedule.
Specify the deployment schedule.
Specify the user experience.
Specify alert options if you want them, or select next.
Specify the download settings.
Create a new deployment package.
Specify the distribution group or distribution point, then click Next.
Then next, next, next finish.
(Optional) If you want to test the ADR, right-click it and run a sync now.
Go get a cuppa, then confirm the software update group was created.
2. Configuring the Settings.xml file
I’ve set up the script to use an XML file for its parameters, which saves having to go into the script and edit settings. You need to go into settings.xml and set the SCCMSettings and EmailSettings sections. If you don’t want to use the mail option, you can turn it off altogether in the XML via the MailEnabled option. There is an advanced section to amend the deployment settings too, if required. The script itself has an -XMLFile parameter which lets you point it at a different XML file instead of the default settings.xml.
<FooterDescription>Powered by RAF Infrastructure Automation</FooterDescription>
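As an added example (not the SetDeploymentPhases script itself), the block below shows how a settings.xml of the shape described above can be loaded and validated, with a -XMLFile parameter that overrides the default file. Only the SCCMSettings, EmailSettings, MailEnabled and FooterDescription names come from the post; every other element and attribute name, and the sample values, are assumptions constructed for the example.

```powershell
# Added example, not the SetDeploymentPhases script. Element names other than
# SCCMSettings, EmailSettings, MailEnabled and FooterDescription are assumptions.

# Constructed sample settings.xml, embedded so the example runs offline.
$sampleSettingsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Settings>
  <SCCMSettings>
    <SiteServer>cm01.corp.example</SiteServer>
    <SiteCode>P01</SiteCode>
    <Site>HQ</Site>
    <UpdateType>Workstation</UpdateType>
  </SCCMSettings>
  <EmailSettings>
    <MailEnabled>true</MailEnabled>
    <SMTPServer>smtp.corp.example</SMTPServer>
    <From>sccm-noreply@corp.example</From>
    <To>patching-team@corp.example</To>
    <LogoPath>.\logo.png</LogoPath>
    <FooterDescription>Powered by RAF Infrastructure Automation</FooterDescription>
  </EmailSettings>
  <Advanced>
    <Phase Name="Phase 1" Collection="SU - Phase 1" AvailableDays="1" DeadlineDays="3" />
    <Phase Name="Phase 2" Collection="SU - Phase 2" AvailableDays="4" DeadlineDays="7" />
    <Phase Name="Phase 3" Collection="SU - Phase 3" AvailableDays="8" DeadlineDays="14" />
  </Advanced>
</Settings>
'@

function Read-DeploymentSettings {
    # Loads settings.xml (or the file given by -XMLFile) and validates the sections
    # the script needs before any deployment is created.
    [CmdletBinding()]
    param(
        [string]$XMLFile = '.\settings.xml',
        # Lets the constructed sample above be parsed without touching disk.
        [string]$XmlContent
    )

    if ($XmlContent) {
        [xml]$doc = $XmlContent
    } else {
        if (-not (Test-Path -LiteralPath $XMLFile)) { throw "Settings file not found: $XMLFile" }
        [xml]$doc = Get-Content -LiteralPath $XMLFile -Raw
    }

    # Fail early on missing sections rather than creating deployments with blank names.
    foreach ($section in 'SCCMSettings', 'EmailSettings', 'Advanced') {
        if (-not $doc.Settings.$section) { throw "settings.xml is missing the <$section> section" }
    }
    foreach ($key in 'SiteServer', 'SiteCode', 'Site', 'UpdateType') {
        if ([string]::IsNullOrWhiteSpace($doc.Settings.SCCMSettings.$key)) { throw "SCCMSettings/$key must be set" }
    }

    # MailEnabled arrives as text; convert explicitly so the string 'false' is not treated as $true.
    $mailEnabled = [System.Convert]::ToBoolean($doc.Settings.EmailSettings.MailEnabled)
    if ($mailEnabled -and [string]::IsNullOrWhiteSpace($doc.Settings.EmailSettings.SMTPServer)) {
        throw 'MailEnabled is true but EmailSettings/SMTPServer is empty'
    }

    $phases = foreach ($p in $doc.Settings.Advanced.Phase) {
        [pscustomobject]@{
            Name          = $p.Name
            Collection    = $p.Collection
            AvailableDays = [int]$p.AvailableDays
            DeadlineDays  = [int]$p.DeadlineDays
        }
    }
    # A deadline before availability is a typo in the XML; catch it here, not in SCCM.
    foreach ($ph in $phases) {
        if ($ph.DeadlineDays -lt $ph.AvailableDays) { throw "Phase '$($ph.Name)': DeadlineDays must be >= AvailableDays" }
    }

    [pscustomobject]@{
        SiteServer  = $doc.Settings.SCCMSettings.SiteServer
        SiteCode    = $doc.Settings.SCCMSettings.SiteCode
        Site        = $doc.Settings.SCCMSettings.Site
        UpdateType  = $doc.Settings.SCCMSettings.UpdateType
        MailEnabled = $mailEnabled
        Email       = $doc.Settings.EmailSettings
        Phases      = $phases
    }
}

# Usage with the constructed sample (use -XMLFile .\mysettings.xml against a real file):
$settings = Read-DeploymentSettings -XmlContent $sampleSettingsXml
$settings.Phases | Format-Table Name, Collection, AvailableDays, DeadlineDays
```

Validating the file up front matters on a scheduled run: a blank SiteCode or a mistyped collection name is far cheaper to catch as a thrown error in the runbook log than as a half-created set of deployments in the console.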
3. Running the script
Once you’ve downloaded the script and followed steps one and two, you can run the script.
Open PowerShell on the primary server.
cd to the folder location.
Run Set-DeploymentPhases.ps1 (with -XMLFile if you’ve set up your own settings.xml file).
If the script doesn’t find a matching Software Update Group, it will look like the below.
If it does find a matching Software Update Group it should look like the below.
When email is enabled, it will send a report email too. The report contains the deployment details and the relevant links for each deployment. You can customise the logo and footer to your organisation’s through the settings.xml by pointing it to a different file.
4. Automation time…
Once setup is complete, you can automate the script to run on a schedule. We have our script running every day, purely in case we have to run an emergency ADR; you can, however, run it after the ADR schedule day. With SMA runbooks you can kick off multiple scripts, so you could have one each for workstations, servers, SQL, Exchange etc. If you don’t have SMA or Orchestrator, running it from a scheduled task should work too.
How you configure the collections is important, depending on your setup, you might want:
Test Phase – 1 or 2 workstations in test that always get the update straight away.
Phase 1 – Might have a few test users and non critical devices.
Phase 2 – A wider range with some critical devices.
Phase 3 – Rest of the estate.
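The added example below (not the SetDeploymentPhases script or the post’s own code) shows the core of what such a scheduled run does: build the ADR name from the convention in step 1, find the Software Update Group that ADR created, and create one deployment per phase collection with dates offset from the SUG’s creation date. The phase collection names and day offsets are constructed, the ADR-name separator is assumed to be " - ", and the assumption that an ADR-created SUG is named after the ADR with a timestamp suffix is marked in the code.

```powershell
# Added example, not the SetDeploymentPhases script. Collection names, day offsets,
# the ADR-name separator and the SUG naming assumption are all assumptions.

function New-PhasedUpdateDeployment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$Site,        # e.g. 'HQ'
        [Parameter(Mandatory)][string]$UpdateType,  # e.g. 'Workstation'
        # Phases in rollout order: Name, Collection, AvailableDays, DeadlineDays.
        [Parameter(Mandatory)][object[]]$Phases,
        # Assumed separator for "ADR – <Site> – <UpdateType> – Software Updates".
        [string]$Separator = ' - '
    )

    # Standard ConfigurationManager module load and switch to the site drive.
    Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1') -ErrorAction Stop
    Push-Location "$($SiteCode):"
    try {
        $adrName = 'ADR' + $Separator + $Site + $Separator + $UpdateType + $Separator + 'Software Updates'

        # The ADR must exist under the naming convention the script relies on.
        if (-not (Get-CMSoftwareUpdateAutoDeploymentRule -Name $adrName)) {
            throw "No ADR named '$adrName' found; check the naming convention."
        }

        # Assumption: an ADR set to create a new SUG names it after the ADR plus a timestamp,
        # so match by prefix and take the most recently created group.
        $sug = Get-CMSoftwareUpdateGroup |
               Where-Object { $_.LocalizedDisplayName -like "$adrName*" } |
               Sort-Object DateCreated -Descending | Select-Object -First 1
        if (-not $sug) {
            Write-Warning "No Software Update Group matching '$adrName*' found; nothing to do."
            return
        }
        Write-Verbose "Using SUG '$($sug.LocalizedDisplayName)' created $($sug.DateCreated)"

        $base = [datetime]$sug.DateCreated
        $created = foreach ($phase in $Phases) {
            $deployName = "$($sug.LocalizedDisplayName) - $($phase.Name)"

            # Idempotency: a daily scheduled run must not deploy the same SUG to a phase twice.
            $existing = Get-CMDeployment -CollectionName $phase.Collection -FeatureType SoftwareUpdate |
                        Where-Object { $_.SoftwareName -eq $sug.LocalizedDisplayName }
            if ($existing) {
                Write-Verbose "Deployment for '$($phase.Name)' already exists; skipping."
                continue
            }

            $available = $base.AddDays($phase.AvailableDays)
            $deadline  = $base.AddDays($phase.DeadlineDays)

            if ($PSCmdlet.ShouldProcess($phase.Collection, "Deploy '$($sug.LocalizedDisplayName)' available $available, deadline $deadline")) {
                New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $sug.LocalizedDisplayName `
                    -CollectionName $phase.Collection `
                    -DeploymentName $deployName `
                    -DeploymentType Required `
                    -AvailableDateTime $available `
                    -DeadlineDateTime $deadline `
                    -TimeBasedOn LocalTime `
                    -UserNotification DisplaySoftwareCenterOnly `
                    -Description "Created by phased deployment script on $(Get-Date -Format s)" | Out-Null
            }
            [pscustomobject]@{ Phase = $phase.Name; Collection = $phase.Collection; Available = $available; Deadline = $deadline }
        }
        # Returned so a report (dates per phase, as the post's email does) can be built from it.
        $created
    }
    finally {
        Pop-Location
    }
}

# Usage with a constructed phase table; run with -WhatIf first to see what would be created.
$phases = @(
    [pscustomobject]@{ Name = 'Phase 1'; Collection = 'SU - Phase 1'; AvailableDays = 1; DeadlineDays = 3 },
    [pscustomobject]@{ Name = 'Phase 2'; Collection = 'SU - Phase 2'; AvailableDays = 4; DeadlineDays = 7 },
    [pscustomobject]@{ Name = 'Phase 3'; Collection = 'SU - Phase 3'; AvailableDays = 8; DeadlineDays = 14 }
)
New-PhasedUpdateDeployment -SiteCode 'P01' -Site 'HQ' -UpdateType 'Workstation' -Phases $phases -Verbose -WhatIf
```

Two design points for the scheduled run: the existing-deployment check is what makes a daily schedule safe, since the script otherwise re-deploys every time it runs; and the account the runbook or scheduled task uses only needs the SCCM security role that covers software update deployments, not full administrator rights on the site.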