Overview

This article contains a recommended set of procedures and schedules you can follow in your environment to obtain great WSUS compliance within SCCM. I developed these best practices and helped a client implement them to improve their compliance.

Schedule

I recommend that you create a schedule in your environment to check/complete the following WSUS components/tasks.

Network Segment Creation

Overview

When a new network segment is created within your environment, be sure the new segment is communicated.

Procedure

1. Work with your Network engineers to be included in communication when new network segments are created.

Set MaxExecutionTime on Specific SCCM Software Updates

Overview

Every update in SCCM has a maximum amount of time that it is allowed to run. If the amount of time it takes to install the update exceeds the MaxExecutionTime variable set for the update, the update will fail to install. Increasing this execution time can allow a greater installation success rate.

Procedure

1. Run from NNN(Your SCCM Sever): Powershell:

   
   Get-CMSoftwareUpdate -name  "*Cumulative Update*" -Fast | ? {$_.MaxExecutionTime -lt '1800'} | Set-CMSoftwareUpdate -MaximumExecutionMins 30
   Get-CMSoftwareUpdate -name "*Cumulative Security Update*" -Fast | ? {$_.MaxExecutionTime -lt '1800'} | Set-CMSoftwareUpdate -MaximumExecutionMins 30
   Get-CMSoftwareUpdate -name "*Security Monthly Quality Rollup*" -Fast | ? {$_.MaxExecutionTime -lt '1800'} | Set-CMSoftwareUpdate -MaximumExecutionMins 60
   Get-CMSoftwareUpdate -name "*Security and Quality Rollup*" -Fast | ? {$_.MaxExecutionTime -lt '1800'} | Set-CMSoftwareUpdate -MaximumExecutionMins 30
   

   Examples

   

   Figure 1 Maximum Run Time on a Software Update

   Cleanup Packages from DPs That are Not Needed

   Overview

   Overtime, SCCM Distribution Points out will accumulate updates and applications that are no longer applicable to the particular DP. For example, if an older version of Adobe Reader were needed in 2015, leaving the installation files on the DP is using unnecessary space.

   Procedure

   1. View Active Deployments
      1. Within the SCCM Console, open Monitoring\Overview\Deployments
      2. Sort by Date Created
   2. Cross Reference Active Deployments with DP Content, And Remove Unneeded
      1. Administration\Overview\Distribution Point Groups -> Branch Distribution Groups [Right Click -> Properties]
      2. Content Tab -> Click Unneeded Updates -> Remove

   Examples

   

   Figure 2 Removing DP Content

   Verify That Applications are NOT Updated to DPs on a Schedule

   Overview

   Within the SCCM Console there is an option to have content automatically redistribute itself to distribution points on a schedule. When found to be enabled on content, the processes unnecessarily consumes SCCM traffic.

   Procedure

   1. Open a suspected offending application or package
   2. For example, open Software Library\Overview\Application Management\Packages\Workstations\
      System Configurations\NCI
   3. [Right Click] Properties -> Data Source -> Update Distribution points on a schedule
   4. Verify this is unchecked

   Examples

   

   Figure 3 Verifying content is not updated on schedule

   Manage SCCM Deployment Threads

   Overview

   SCCM controls the number of packages it will attempt to distribute at one time, and the number of distribution points it will attempt to distribute the packages to. Adjusting these controls will allow maximum throughput of traffic while maintaining throttling constraints.
   
   

   Figure 4 SCCM Content Threads

   Procedure

   1. Within the SCCM Console go to Administration\Overview\Site Configuration\Sites\XXX
   2. [Right Click] Configure Site Components -> Software Distribution
   3. Adjust Maximum Threads

   Monitoring Threads

   1. Download and Install the System Center 2012 R2 Configuration Manager Toolkit
   2. Open the DP Job Manager Tool at C:\Program Files (x86)\ConfigMgr 2012 Toolkit R2\ServerTools\DPJobMgr.exe
   3. Use the Manage Jobs tab to monitor

   
   

   Figure 5 DP Job Manager Tool

   Examples

   

   Figure 6 Adjusting Content Threads

   Manage DP Rate Limits (Time-Sliced Throttling)

   Overview

   Distribution Point Rate limits are a form throttling which applies to content distribution. Adjusting these throttles can help maximize performance while minimizing disruption during the workweek.

   Procedure

   1. Within the SCCM Console go to Administration\Overview\Distribution Points [Right Click DP] Properties
   2. Open the Rate Limits tab
   3. Adjust accordingly

   Examples

   

   Figure 7 Adjusting DP Rate Limits

   Manage SCCM Distribution Point Priority Schedules

   Overview

   Distribution schedules allow low, medium and high priority deployments to adhere to certain schedules. Adjusting these schedules can help maximize performance while minimizing disruption during the workweek.

   Procedure

   1. Within the SCCM Console go to Administration\Overview\Distribution Points [Right Click DP] Properties
   2. Open the Schedule tab
   3. Adjust accordingly

   Examples

   

   Figure 8 Adjusting DP Priority Schedules

   Maximize Performance and Coverage of Automatic Deployment Rules

   Overview

   When creating SCCM ADRs, it is important that no rule duplicates another, and also that combined rules do not miss any critical or security updates for an environment (such as Prod or Pilot)

   

   Figure 9 Optimizing ADRs in SCCM

   How Microsoft Deploys Software Updates

   Security Only Quality Update (Released every month)

   • Includes Critical and Security for That Month

   Security Monthly Quality Rollup (Released every month)

   • Includes Critical, Security and Updates*, Cumulative for Year
     
     * Feature patches (non-security)

   Procedure

   1. Within the SCCM Console go to Software Library\Overview\Software Updates\Automatic Deployment Rules
   2. A Deployment Packages are updated via an ADR no more frequently than necessary. For example, a pilot ADR may update weekly, whereas a Production ADR may update monthly.

   Enable Binary Differential Replication on Deployment Packages

   Overview

   Binary Differential Replication, sometimes known as “delta replication,” is used by SCCM to update package source files with a minimum of additional network traffic. This minimizes the network traffic between sites, especially when the package is large and the changes are relatively small.

   Procedure

   1. Within the SCCM Console go to Software Library\Overview\Software Updates\Deployment Packages
   2. [Right Click Package] and check Enable binary differential replication

   Examples

   

   Figure 10 Enabling Binary Differential Replication

   Allow Site Server and Microsoft to be used as Fallback Update Locations

   Overview

   If there is no distribution point assigned to a client, updates can fail to deploy. Allowing a fallback source to be used, which increases the chances your clients will receive their required updates.

   Procedure

   1. Within the SCCM Console go to Software Library\Overview\Software Updates\Automatic Deployment Rules
   2. Click an ADR, and then go to the Deployment Settings tab at the bottom of the screen
   3. [Right Click] Properties
   4. Open the Download Settings tab and check If software updates are not available…

   Examples

   

   Figure 11 Configuring Failback Sources for ADRs

   Remediate Updates That Are required but not deployed

   Overview

   There is a prebuilt SCCM report that can help identify updates that are required, but have not been distributed. I have further configured the ability automate this portion in a different project. Please see SCCM: Automate Deployment of Required Updates for more details.

   Procedure

   1. Using Internet Explorer, browse to the Reports path at http://vconscm005prd/Reports
   2. Find the report Management 2 – Updates required but not deployed and run it
   3. Collection: ‘Production Workstation’ and ‘Production Server’ (one report for each)
   4. Vendor: Microsoft
   5. Update Class: Critical and Security (one report for each)
   6. Export each report as updates_nn.csv
   7. Connect to NNN: PowerShell console and use the report to update Software Update Groups accordingly:
      

   
   $updates =import-csv -path updates_nn.csv
   
   $undeployedupdates=$updates | %{Get-CMSoftwareUpdate -ArticleId $_.update -Fast | ?{$_.nummissing -ge 1}} 
   $PilotSoftwareUpdategroup=Get-CMSoftwareUpdateGroup -Name "Production Servers Updates - All other Products* nnn"
   $undeployedupdates | %{Add-CMSoftwareUpdateToGroup -SoftwareUpdateId $_.CI_ID -SoftwareUpdateGroupName "Production Servers Updates - All other Products* nnn"}
   

   Examples

   

   Figure 12 Checking Critical Updates

   

   Figure 13 Checking Security Updates

   Software Update Cleanup of Superseded and Expired

   Overview

   Superseded and Expired updates need to periodically be cleaned up from Software Update Groups.

   Superseded Updates Procedure

   1. Within the SCCM Console go to Software Library\Overview\Software Updates\All Software Updates
   2. Add Criteria -> Superseded + Deployed
   3. [Right Click] Edit Membership -> Uncheck from each Deployment Package
      

   Expired Procedure

   1. Within the SCCM Console go to Software Library\Overview\Software Updates\All Software Updates
   2. Add Criteria -> Expired + Deployed
   3. [Right Click] Edit Membership -> Uncheck from each Deployment Package

   Examples

   

   Figure 14 Removing Expired Updates From SUG

   Software Update Groups Cleanup

   Overview

   Once an Update Group has been automatically created, used and replaced by a new Update Group of the same exact type, the old group can safely be deleted. This helps keep the environment clean and remove unnecessary Software Update Group deployments.

   Procuedure

   1. Within the SCCM Console go to Software Library\Overview\Software Updates\Software Update Groups
   2. Sort by Name
   3. Delete the older of identical Software Update Groups if no longer user

   Examples

   

   Figure 15 Deleting Old Software Update Groups