SCCM Automatic Deployment Rule
Automatic Deployment Rule Overview
In this blog post, I will show you how to create a SCCM Automatic Deployment Rule. ADRs (short for Automatic Deployment Rules) are a great feature that Microsoft released with SCCM 2012. They allow an Administrator to control update downloads and deployments like no previous version of SCCM. With ADRs, the Administrator can automate which products and severities to get updates for, download and approve the updates, and schedule when deployment should occur to desktops, tablets, laptops and server client machines. Best practice is often to schedule the rule to download the last month's updates after Microsoft performs its monthly patch release, on what is affectionately known as Patch Tuesday (Patch Tuesday occurs the second Tuesday of every month. You can monitor this blog around this time as we post what the latest patch releases and vulnerabilities are).
- There are 2 ways to deploy software updates using SCCM 2012 R2, Manual and Automatic. In Manual software. For Download Location choose Download software updates.
- The download happens immediately during publication of the patch. Do the patch files get transferred into the WSUS updates location when they are published? Yes, once the patch is downloaded to the WsusContent location SCCM/WSUS will distribute it out to the WSUS server and then to other sites if configured to do so.
When the ADR runs according to the schedule you have set, it downloads the latest updates as per your requirements, distributes them to the distribution points and then finally deploys the updates to your target collection during the maintenance and deployment windows you have set. As always, with Patch Deployments, it is good to follow some guidelines. Click the link for further information on how to create a Patch Management Process.
How to create a SCCM Automatic Deployment Rule
Creating the ADR is a fairly easy process. Open your SCCM console and navigate to SOFTWARE LIBRARY, then expand SOFTWARE UPDATES. Now right click AUTOMATIC DEPLOYMENT RULES and choose CREATE AUTOMATIC DEPLOYMENT RULE.
ADR General TAB
Now give the rule a descriptive NAME that will easily identify what this ADR is for (e.g. Monthly Update deployment to Desktops), a DESCRIPTION, choose a TEMPLATE (I choose Patch Tuesday) and then the TARGET COLLECTION. Now you will need to choose between CREATE A NEW SOFTWARE UPDATE GROUP and ADD TO AN EXISTING SOFTWARE UPDATE GROUP. The difference between these two settings is this: Add to an existing Software Update Group creates a new Software Update Group the first time the ADR runs and then reuses that group on every subsequent run, whereas Create a new Software Update Group creates a new update group each time the ADR runs. Choose one of the options and then click on NEXT.
(Make sure you have the ENABLE THE DEPLOYMENT AFTER THIS RULE IS RUN checkbox enabled.)
ADR Deployment Settings TAB
We are now presented with the Deployment Settings page. You can choose to use Wake On LAN (if you have that enabled in your environment) and what level of detail you want regarding the Patch Deployment. You can also specify to Automatically deploy all software updates found by this rule and approve any license agreements. Obviously this will automatically approve any license agreements that may be required to deploy the updates, a very handy feature. Once you are happy to proceed, click on NEXT.
ADR Software Updates TAB
Next we get to choose the products and the severity, among other things, for the ADR. Choose the products you want (in this example I'm choosing Windows 10), the patch severity (Critical, Important, Low, Moderate or None) and the date the patches were released (following on from my previous comments, I want the last month's patch releases). Click on NEXT when you have chosen the products you wish to deploy patches to.
ADR Evaluation Schedule TAB
This tab allows you to configure the settings for when you would like the SCCM Automatic Deployment Rule to evaluate available software updates. You need to configure this schedule to run less frequently than your SUP synchronisation will run (highlighted in the example picture below). You can choose not to run this rule automatically (ie you will have to run this manually if required), after the SUP synchronisation happens (which is the default) or according to a schedule you specify.
ADR Deployment Schedule TAB
On the ADR deployment schedule TAB, we choose when we would like our updates to be deployed to our client machines. You can choose Universal Coordinated Time or Client machine local time, when you would like the updates to be available to clients, and the software installation deadline. Choose the last two settings carefully, as the wrong choice will have a major impact on your environment and users.
ADR User Experience TAB
One of the most important TABS is the User Experience TAB. Do you wish to notify the users that updates are available and have them install them prior to the deadline you have set? Would you like the machines to automatically install and restart at the deadline? Do you want to suppress a restart on Desktops or Servers, or even both? Choose the required settings and then click NEXT.
ADR Alerts TAB
The SCCM Automatic Deployment Rule alerts TAB is next. Various settings are available for how you would like to be alerted, from when the rule fails to compliance settings that alert you to the percentage of machines that are compliant. Additionally, you can generate alerts to System Center Operations Manager (or SCOM) if you have this in your environment. Again, choose your required settings and click on NEXT.
ADR Download Settings TAB
The ADR download settings tab will allow you to specify what and where the client machine downloads the updates from. Obviously, if they are connected to your corporate LAN, the nearest SCCM distribution point is the ideal location. Should the updates not be available on a preferred distribution point, you can choose either not to install the updates or to download them from a fallback location. Allowing the client machines to share the update content with other clients on the same subnet is a great thing to have, especially if they do not have a local SCCM distribution point, or are on a slow WAN link. Additionally, you can allow those clients to download from Microsoft Update.
Click on NEXT when ready to proceed.
ADR Deployment Package TAB
We can now create a new deployment package, or select an existing one. I will create a new deployment package in this example to show you how that is done.
Choose CREATE A NEW DEPLOYMENT PACKAGE.
Give the deployment package a descriptive name and a description that is easy to identify, and specify where you would like the source files to live (remember this should be a UNC path, so make sure you have shared out the folder and given SCCM the correct permissions to save the updates there).
Click on NEXT when completed.
ADR Distribution Points TAB
Select the distribution points you wish the updates to be available from and for your client machines to download from. You can choose individual SCCM Distribution Points, or a Distribution Point Group. Click on NEXT when you have entered these details.
ADR Download Location TAB
Choose where to download the updates from. If you have a location where updates are already downloaded, you can specify that; or, if you are using a Microsoft WSUS Server, you can choose to download them directly from the internet. Click on NEXT when done.
ADR Language Selection TAB
Now choose the appropriate languages you want the patches to download in and then click NEXT.
ADR Summary TAB
We are almost there. Almost finished. At the SCCM Automatic Deployment Rule Summary TAB, review the choices you have made and make sure they are correct. When you are happy with the settings, click on NEXT to continue.
ADR Completion TAB
We made it. We finally got there. The Automatic Deployment Rule is now set up and will run with the settings you have specified. You can now close the wizard.
If you followed this post and were careful with the settings you have chosen for your SCCM Automatic Deployment Rule, then the updates you have selected will now deploy to your client machines, when and how you have requested.
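The same rule can be created from the Configuration Manager PowerShell module, which keeps the wizard choices in a reviewable script. This is an added example, not the blog's own script; the collection, package name, UNC path, distribution point group and the values chosen for each tab are placeholder assumptions.

```powershell
# Added example. Run from the site drive (PS ABC:\>) with the
# ConfigurationManager module loaded. Names and paths are placeholders.
$pkgName   = 'Monthly Desktop Updates'            # placeholder deployment package
$pkgSource = '\\fileserver\SCCMUpdates\Desktops'  # placeholder UNC source share
$dpGroup   = 'All Distribution Points'            # placeholder DP group

# Deployment Package tab: the source must be a reachable UNC path.
# The FileSystem:: prefix is needed because the current drive is the site drive.
if (-not ([uri]$pkgSource).IsUnc) { throw "'$pkgSource' is not a UNC path." }
if (-not (Test-Path -LiteralPath "FileSystem::$pkgSource")) {
    throw "'$pkgSource' is not reachable; check the share and its permissions."
}
New-CMSoftwareUpdateDeploymentPackage -Name $pkgName -Path $pkgSource

# Distribution Points tab
Start-CMContentDistribution -DeploymentPackageName $pkgName -DistributionPointGroupName $dpGroup

$adr = @{
    Name                             = 'Monthly Update deployment to Desktops'
    CollectionName                   = 'All Desktops'  # placeholder target collection
    AddToExistingSoftwareUpdateGroup = $false   # General: new update group each run
    EnabledAfterCreate               = $true    # General: enable deployment after the rule runs
    SendWakeupPacket                 = $false   # Deployment Settings: Wake On LAN
    VerboseLevel                     = 'OnlyErrorMessages'
    DeployWithoutLicense             = $true    # approve license agreements automatically
    Product                          = 'Windows 10'
    Severity                         = 'Critical', 'Important'
    DateReleasedOrRevised            = 'Last1Month'
    RunType                          = 'RunTheRuleAfterAnySoftwareUpdatePointSynchronization'
    UseUtc                           = $false   # Deployment Schedule: client local time
    AvailableImmediately             = $true
    DeadlineImmediately              = $false
    DeadlineTime                     = 7
    DeadlineTimeUnit                 = 'Days'
    UserNotification                 = 'DisplaySoftwareCenterOnly'
    SuppressRestartServer            = $true    # User Experience: no forced server restart
    SuppressRestartWorkstation       = $false
    DeploymentPackageName            = $pkgName
    DownloadFromInternet             = $true    # Download Location tab
    LanguageSelection                = 'English'
}
New-CMSoftwareUpdateAutoDeploymentRule @adr
```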
As part of monthly security patching, we faced an interesting issue. WSUS sync was completed successfully and we were able to download some of the patches from Windows Update service; however, the .NET patches were not getting downloaded. I’ve seen these kinds of issues during SCCM/ConfigMgr software update monthly patch package creation. However, most of the time a “couple of retries” solved these kinds of patch download issues. This time around, retries, server restart etc. didn’t really help us. It was giving us Error 403 (HttpSendRequest failed HTTP_STATUS_FORBIDDEN or HTTP_STATUS_DENIED).
As a next step, we analysed PatchDownloader.log. As expected, we found some clue about the issue. In the PatchDownloader.log located on the SCCM site server, we could see that the patch file with the “.CAB” extension was getting downloaded without any issue. However, we were getting the download error “403 HTTP STATUS FORBIDDEN” for the patch files with the “.EXE” extension. The issue turned out to be with the proxy and firewall box configuration. There are a bunch of networks NATed behind the source SCCM server, hence the network and proxy team also struggled to get to the root of the issue. The network team was able to find the “TCP_DENIED/403” log entry and make the necessary settings to get “TCP_CLIENT_REFRESH_MISS/200”! So the network and proxy team helped to resolve the issue. More details and log file samples at the bottom of the post.
Following are the log file entries which I found in PatchDownloader.log
Download destination = ACNCMCASSUPackagesNov979d1441-d8f7-4844-9a4f-a68abd66a68f.1MSIPatchRegFix-AMD64.exe .
Contentsource = http://wsus.ds.download.windowsupdate.com/msdownload/update/software/secu/2012/10/msipatchregfix-amd64_5011cb29b096fb674a4795ee8fc2f7fdad33863a.exe .
Try username configmgrServiceAccount from the registry.
Proxy enabled proxy server 10.10.10.12
HttpSendRequest failed HTTP_STATUS_FORBIDDEN or HTTP_STATUS_DENIED
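The triage described in this post (.CAB files download, .EXE files are refused) can be read straight out of PatchDownloader.log by grouping download attempts by file extension. This is an added example, not part of the original post; the function name is hypothetical and the sample lines are constructed from the entry shapes quoted above.

```powershell
# Added example: count PatchDownloader.log download attempts and 403 denials
# per file extension. Get-PatchDownloadSummary is a hypothetical helper name.
function Get-PatchDownloadSummary {
    param([Parameter(Mandatory)][string[]]$Line)
    $attempts = [System.Collections.Generic.List[object]]::new()
    foreach ($l in $Line) {
        if ($l -match 'Contentsource\s*=\s*(\S+)') {
            # A new download attempt starts at each Contentsource entry.
            $url = $Matches[1]
            $attempts.Add([pscustomobject]@{
                Url       = $url
                Extension = [IO.Path]::GetExtension(([uri]$url).AbsolutePath).ToLower()
                Denied    = $false
            })
        }
        elseif ($attempts.Count -and $l -match 'HTTP_STATUS_(FORBIDDEN|DENIED)') {
            # The failure entry belongs to the most recent Contentsource.
            $attempts[$attempts.Count - 1].Denied = $true
        }
    }
    $attempts | Group-Object Extension | ForEach-Object {
        [pscustomobject]@{
            Extension = $_.Name
            Attempts  = $_.Count
            Denied    = @($_.Group | Where-Object Denied).Count
        }
    }
}

# Constructed sample lines (file names are made up for the example).
$sample = @'
Contentsource = http://wsus.ds.download.windowsupdate.com/msdownload/update/software/secu/2012/10/example-update_0000.cab .
Proxy enabled proxy server 10.10.10.12
Contentsource = http://wsus.ds.download.windowsupdate.com/msdownload/update/software/secu/2012/10/example-fix-amd64_0000.exe .
Proxy enabled proxy server 10.10.10.12
HttpSendRequest failed HTTP_STATUS_FORBIDDEN or HTTP_STATUS_DENIED
'@ -split "`r?`n"

Get-PatchDownloadSummary -Line $sample | Format-Table -AutoSize
# Against a real log: Get-PatchDownloadSummary -Line (Get-Content .\PatchDownloader.log)
```

Denials concentrated on a single extension while others succeed through the same proxy point to content filtering on the proxy or firewall rather than a connectivity or credential problem.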
I hope you found the solution a long time ago, but for those who are still stuck with this problem and arrived on this page while seeking a solution :
DISABLE UAC !