Join Brien Posey for an in-depth discussion in this video, Configure automatic deployment rules in Configuration Manager, part of Windows 10: Plan and Implement Software Updates.
- [Instructor] System Center Configuration Manager allows you to set up automatic deployment rules for software updates. To do so, go to the software library workspace, and then click on Software Updates. From there, click on the automatic deployment rules container, and then click on the create automatic deployment rules icon, on the ribbon. This is going to launch the create automatic deployment rule wizard. So the first thing that we have to do is create a name for the rule that we're going to be generating.
So I'm going to call this one security and critical updates. And typically in a production environment you would also want to enter a description. Next we have the option of specifying a template, but you don't have to use a template. If you do choose to use a template, then click on manage templates, and there are a few pre-built templates that you can use. Patch Tuesday, Office 365 Client Updates, and SCEP and Windows Defender Updates.
I'm going to cancel out of this, and instead, what I'm going to do is I'm going to specify a collection. So I'm going to come down to the collection field, and click browse, and I'm going to choose all systems, and click OK. So then I come down to the next section, and it says, each time the rule runs, and finds new updates, and we have the option of adding it to an existing software update group, or creating a new software update group. I'm going to choose the option to create a new software update group, and then, we come down here and we see choose whether to enable the deployment after the rule runs for the associated software update group.
When this setting is not selected, you must manually deploy the software update group. So generally you're going to want to enable this setting. So click next. And so the next screen asks if you want to use Wake on LAN, it also asks about how much state detail you want clients to report back for deployments created by the rule. By default, the clients will only report error messages. And then, we come down to this section, and we have to tell System Center Configuration Manager how we want to handle licensing for updates.
So by default, the option that's selected is automatically deploy all software updates found by this rule, and approve any license agreements. Alternatively, we could choose this option, which will deploy software updates found by the rule, but only if they do not include a license agreement. So I'm going to choose the option to automatically deploy all software updates found by the rule, and to approve any license agreements, and I'll click next. And so now, we have to specify the criteria for the rule. In other words, what kind of updates do we want to download and deploy? Well, there are any number of criteria that we can base this rule around.
So, what I'm going to do is scroll down a little bit, and you can see that we can base the rule on things like products, on whether it's required, the severity, superseded, title. I'm going to go with update classifications. I'm going to choose the update classification checkbox, and then down here you can see update classification, and then in a blue hyperlink we have items to find, so I'm going to click on items to find, and for this rule, I'm going to include critical updates, and I'm going to include security updates, so I'm going to select both of those, and click OK.
And I'll click next. Now I'm asked for the rule schedule. So we can set this to not run automatically, we can run the rule after any software update point synchronization, that's the default behavior, or we can run the rule on a schedule. So I'm going to run the rule on a schedule, and we can see that this occurs every 30 days, but I'm going to click customize, and I'm going to set this to run once every hour. Now in a production environment that's probably a lot more frequently than what you would want, but for my purposes this gets the job done.
So I'm going to click OK, and click next. Now I'm asked to configure schedule details for the deployment. So, the first thing that we have to specify, is if the schedule for the deployment is based on universal coordinated time, or UTC time, or the local time on the client. So the default is client local time, that's going to be fine, and then we have to specify when the software is available. The default option is as soon as possible, that's good.
And then we can set an installation deadline. We can set the deadline to a specific time. I'm going to make this as soon as possible, and click next. So now we're taken to a screen that asks us to specify the user experience. So right now user notifications are hidden in the software center. That's fine. The deadline behavior. When the installation deadline is reached, allow the following activities to be performed outside of any defined maintenance windows. So, we can force a software update installation, and we can force a system restart if necessary.
Those activities can be a little bit disruptive, so I recommend avoiding forcing a system restart, unless you have no other choice. Then we come to device restart behavior. And if you look, we have the option of suppressing the system restart on the following devices. Well typically you're not going to want servers to automatically restart, unless you put some controls into place to keep critical workloads from dropping offline. Then we have write filter handling for Windows Embedded devices, and there's a checkbox that we can use to commit changes at deadline, or during a maintenance window, and that requires a restart.
And then it says, if this option is not selected, content will be applied on the overlay, and committed later. So I'm going to leave that unselected, and then we have the software update deployment reevaluation behavior upon restart. And there's a checkbox that if any update in this deployment requires a system restart, run update deployment evaluation cycle after restart. In other words, after the system reboots, check to see if any updates are required. I'm not going to worry about selecting that, I'm just going to click next, and now I'm taken to the alerts screen, and System Center Configuration Manager allows you to generate alerts if you want to, and here we can set up some criteria.
For example, by default there's a checkbox that's selected that will generate an alert when the rule fails. There's also an option to generate an alert when the following conditions are met. And what are those conditions? We can generate an alert if client compliance is below a certain percentage. Here it's set to 90 percent. We can generate an alert for offsets from the deadline. The default is seven days. I'm not going to worry about generating alerts here. There are also Operations Manager alerts. We have the option of disabling Operations Manager alerts while software updates run, and we have the option of generating Operations Manager alerts when a software update installation fails.
So, this is separate from System Center Configuration Manager. If you're running System Center Operations Manager, then maybe you want to enable this checkbox right here so that you're not getting an Operations Manager alert while software updates are running. That way, you're avoiding false positives that might indicate that you've got a problem because of system reboots. So I'm going to clear that, because I don't have an Operations Manager server, and I'll click next. And so now we're taken to the download settings. So, we have to select our download options.
So we can see select the deployment option to use when a client uses a distribution point from a neighbor boundary group, or the default site boundary group. And our options are do not install the software update, or download software update from a distribution point and install. So I'm going to choose the option to download the software updates from a distribution point. Then the next section, when software updates are not available on any distribution point in current or neighbor boundary groups, client can download and install software updates from distribution points in site default boundary groups.
And here we have the option, once again, to either not install the update, or to go ahead and download the update. The default is to download the update, and that's probably where you want to leave it in most cases. And we also have an option to allow clients to share content with other clients on the same subnet. So what we're doing here is peer to peer update sharing. And generally that's a good idea, because it helps to conserve bandwidth. And then we have a couple of options, if software updates are not available on a distribution point, and the current, neighbor, or site boundary group, download content from Microsoft update.
Well it's a good idea to select this one, because that can keep updates from failing. And then finally we have allow clients on a metered Internet connection to download content after the installation deadline, which might incur a cost. So metered connection is a connection for which you're being charged, based on the amount of bandwidth that you use. So this is saying that updates would be downloaded across a metered connection, once the deadline for that update expires. I recommend leaving this one deselected, so that you don't incur additional charges.
So I click next. The next screen that we encounter asks us to select the deployment package for this automatic deployment rule. So we have the option of reusing an existing deployment package, or creating a new deployment package. I'm just going to reuse one that I've already got. I'm going to click browse, and I'm going to choose this deployment package and click OK, and then click next, and now I'm prompted to choose a download location for this automatic update rule. So we can download software updates from the Internet, or we can download software updates from a location on my network.
I'm going to use Internet based downloads, and click next. And then we can choose the languages that we want to use, I'm going to go with English, and I'm going to make sure that none of the other languages are selected, and click next. And now I'm taken to a summary screen, and as you can see, there are a lot of different options listed on the summary screen. So it's a good idea to take a moment and read through this, and just make sure that it says everything that you expect it to say. Once you've done that click next, and the automatic deployment rule is going to be created.
So I'm going to go ahead and close out of this, and we can see the new automatic deployment rule listed right here, so that's how you create an automatic deployment rule in System Center Configuration Manager.
- Deploying updates manually
- Monitoring deployments
- Configuring automatic deployment rules
- Analyzing log files
- Approving and declining updates in Intune
- Deploying software from SCCM, WSUS, and Intune