SCCM Software updates Strategy

SCCM Software updates strategy


Today I will describe how I do make my SSCM software updates strategy.

First Software Updates Strategy is a collection of procedures and can be very different for different customers. I will describe my own Software Updates Strategy made after I analyse more “best practices” strategy.

In any strategy you need to consider more elements. In SCCM any actions like Software Updates installing are linked with collections. You can have same action linked to more collections.

·         When to apply Software Updates? Until now Microsoft release updates in every second Tuesday of each month.

o    Test environment. Usually I download the updates in same week Friday and install on my testing environment. NEVER install updates for the first time in a production environment. I made this operation Friday in case that some updates released Tuesday are dangerous and Microsoft retried them.

o    After one week if nothing it’s wrong I published the updates on my environment and make them Available for two weeks. So everybody can see the available updates, Department managers can download on a few less important workstations and see if they are casing issues or not.

o    After three weeks from release I made the updates Mandatory and deployed them with one week time deployment deadline. Usually the deployment time is Friday after 17:00 for workstations and Saturday at 02:00 for regular servers. So when the updates are applied the software updates has already one month age and it’s stable. One month I think it’s enough for community and Microsoft to discover if some software updates are dangerous. Some customers update the server at every three months, other at every 6 months, etc. The time is compliant with customer strategy

·         Collections. With collections you can group your servers and workstations in different category.

o    For servers for example I have more collections and I’ve tried to put servers with same roles in different collections with different installing schedules. So if something is wrong not all my servers are affected. Usually I have also collections not important, important, highly important and critical. Of course I start my process with less important and finish with critical

o    For workstations is not important to group them after OS. Always I put in same collection all type of OS (XP, W7, W8, etc.). When I make my SUG I put all security updates for all OS clients and all security updates for all OS servers. Each server/workstation chose what needs from entire SUG

·         Software Updates Groups. You need to make SUG’s in order to apply more updates to collections. It’s an entire strategy how to make Software Updates Groups. It’s important to know that SUG’s are limited to 1000 updates. I prefer to have less SUG’s, it’s more easy to manage them, you lose less time if you chose to update the images in deployment cahin,  First myself I group SUG’s with few keys in my mind

o    Updates age.

§  So usually I make SUG’s whit historical software updates. For example I have for workstations all security software updates until 2015. Always I comeback and clean for retired/expired updates

§  Monthly groups. After another year I make a consolidation and add all monthly updates in historical SUG. Easy noJ?

o    Product

§  Usually I create a SUG with security updates for all windows clients. For example in this moment all security updates for XP+W7 until 2015 are 630

§  A SUG for all servers until 2015 2003, 2008, 2012 are 771

§  A SUG for Office

A typical strategy:


o    SUG all historical security updates until 2015

o    January

o    February

o    March

o    …..

o    All Office


o    SUG all historical security updates until 2015

o    January

o    February

o    March

o    …..

·         Deadlines

Usually for workstations I make all software updates available after 3 weeks from released and the deadline is 7 days ending at Friday 17:00

For servers is same, after 3 weeks from released time after in the test environment are no problems, I push de updates with deadline 7 days ending at Saturday 02:00 (AM). I some admins need to update in different time then the deadline they have 7 days to do that.

·         Maintenance windows

I used maintenance windows on workstations and servers. First you can set the maintenance windows in collection properties. So be careful one server can be in multiple collections so is easy to have more maintenance windows. Usually I setup the maintenance window only where I group servers and workstations for update. I you want to know what maintenance winows has a computer or a server see article How to check maintenance windows for a client servers

o    For workstations. Usually I make the maintenance window from 17:00 to 07:00 daily. Default is from 22:00 to 07:00. But I’ve see many admins who deploy the updates out of maintenance windows for workstations. Depends also what is the customer policy.

o    For servers usually I make the maintenance window in a second Friday of each month. IN this time the update age is one month so if something was wrong I have time to know and suspend. For default servers maintenance window start from Saturday 02:00 to 04:00. Just be careful with servers schedules, be sure no other task is scheduled for this time (backup, copy, av scan, etc)      

·         Restart

Usually I have to policy:

o    For Servers I have configured 15 minutes to restart, 5 minutes user can’t close restart window. A small count down is safe to finish all updates scheduled for night maintenance window.

o    For workstations almost all customers insist to configure restart window to maximum (24 Hours). If you will ask a user when to restart the workstations the answer is NEVER. So always I configure the updates to restart the workstations, otherwise they will not restart the workstations forever.

Real life scenarios for software updates strategy:

·         Workstations with Wake on LAN, lovely. You can Setup maintenance windows in the night execute when you want, again lovely. You are master of the house ;).

·         Workstations without Wake on LAN (laptops). Usually nobody it’s in office at 17:00 it should but … is already weekendJ!!! So when deadline its reach and maintenance window is in the place computer is turned off. So nothing happens. User come to office Monday at 09:00, the deadline was reach but is not in maintenance window, so the setup it will wait until first maintenance window, in my case every day after 17:00. So you pray that the user don’t leave before 17:00 again. If the computer is on Monday at 17:00 his computer it will start to install the updates and the restart it will be countdown in my case 24 hours. So Tuesday probably at 17:10 his computer it will go to restart. It’s possible that he will start to scream that was involved in something very important and you are guilty for unfinished financial reports, week sales, etc.

So chose wised how to operate all this settings, be shore that company understand how the process works and make the best software update strategy to have a happy customer.


If you work in financial industry or you have a financial department NEVER schedule updates in the first week of the month otherwise you will be guilty for all financial problems. Usually in the first week are heavy works to close the last month.