{"id":14020,"date":"2013-01-10T09:39:40","date_gmt":"2013-01-10T09:39:40","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=14020"},"modified":"2013-01-10T09:39:40","modified_gmt":"2013-01-10T09:39:40","slug":"strike-up-another-reason-for-using-system-center-configuration-manager-in-your-cloud","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=14020","title":{"rendered":"Strike Up Another Reason For Using System Center Configuration Manager In Your Cloud"},"content":{"rendered":"

It is rare that Microsoft releases a bad update through Windows Updates, but one appeared this week, as Hans Vredevoort posted<\/a>.  How do you avoid the problem of automatically pushing out \u201cbad\u201d updates straight after they are released?<\/p>\n

Well, here\u2019s the \u201csolution\u201d I often encounter when I talk to consultants and administrators:<\/p>\n

\n

We approve patches manually<\/p>\n<\/blockquote>\n

Ah!  My response to this usually goes along the lines of:<\/p>\n

    \n
  1. I grimace<\/li>\n
  2. and respond with:<\/li>\n<\/ol>\n
    \n

    When you approve patches manually then you don\u2019t patch at all!<\/p>\n<\/blockquote>\n

    One such company hadn\u2019t deployed a Windows update since Windows XP SP2 \u2013 and I suspect that the media they used came with SP2 slipstreamed.  It was no doubt that Conficker ate them up.  And it\u2019s no doubt that Conficker still is in the top 10 of malware in domain-joined (i.e. administrator controlled) PCs.  Meanwhile, PCs that are managed by users (workgroup members) are not seeing Conficker in the top 10.  By the way, Microsoft released a hotfix to prevent Conficker 1 month before the malware was first detected, and that was around the time of Windows 7\u2019s GA launch.<\/p>\n

    The fact is that manual patch testing<\/em> and approval do not happen.  There might be a process, but that doesn\u2019t mean that it\u2019s used.  I bet if you surveyed 1000 companies with this process then you\u2019d find the majority of them don\u2019t do it, and are probably woefully unprotected.  Queue the moronic comments that\u2019ll try to excuse behaviour \u2026 I know they\u2019re coming and they only show guilt.<\/p>\n

    What you need is automation.  But doesn\u2019t automated patch approval mean that patches are approved and deployed immediately, bugs and all?  Not necessarily.<\/p>\n

    When I started working with ConfigMgr 2012, I read the guides<\/a> by Irish (in Sweden) MVP, Niall Brady.  I liked his approach to dealing with updates:<\/p>\n

      \n
    1. Check for new catalog updates every hour (my preference)<\/li>\n
    2. Allow already approved updates to be superseded automatically<\/li>\n
    3. Delay approval of updates by 7-14 days<\/li>\n
    4. Set a deadline of 7 days<\/li>\n<\/ol>\n

      With this approach, updates are approved automatically, but<\/em> they aren\u2019t made available for 7-14 days.  And updates won\u2019t be mandatory for another 7 days beyond that. That means updates don\u2019t get forced onto machines for 14-21.<\/p>\n

      For server updates, I\u2019d set a maintenance window on the collection(s) of servers, so that updates can only happen during those time windows (and not impact SLA).<\/p>\n

      With this approach, you get the best of both worlds:<\/p>\n