The second meeting we had yesterday (why does every company have so many meetings?) involved scheduling the patches for the rest of the company.
At our company we actually send out 3 packages at once.
The first package is the patch notice.
It informs our customers (IT-world translation: end users) that their machine is part of the SMS patch program and is targeted to receive the latest patches.
It also gives instructions for calling the helpdesk (I'm sure the helpdesk is thrilled that we give that extension out every month to every customer).
The notice becomes available at 8:00am and the advertisement expires at 5:00pm.
Whether the customer clicks OK or the notice closes itself when the advertisement expires, the program is recorded as having run successfully.
At 11:00pm the Microsoft patch update program runs.
This is the same program that ITMU (the Inventory Tool for Microsoft Updates) creates and keeps updated.
We advertise it to run for 3 days, ending at 10:00am on the 3rd day.
This way we catch laptop users and people who take a short week.
The third program is advertised starting on the 2nd day.
This is a reboot notice.
We don't actually reboot machines; instead we let the customer do it.
The reboot notice checks the registry to see if the customer has a patch pending a reboot.
A patch that exits with code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) causes the Windows Update Agent to create a temporary registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired, holding a DWORD value named for each update ID that requires the reboot, set to 1. The key disappears once the machine has rebooted.
If we don't find a value set to 1, the reboot notice is suppressed.
If there is a valid reboot value, we display a notice that alerts the customer.
The customer may delay the reboot by clicking OK, but cannot kill the notice.
It pops up again later, until a reboot happens or the advertisement expires 8 hours later.
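What the reboot notice program has to decide, written out in PowerShell as an added example (this is not the post's own package and not the Microsoft script linked below). It assumes the key name "Auto Update" with a space, which is what the Windows Update Agent writes, and the notice text, 30-minute nag interval and 8-hour expiry are illustrative values rather than the original advertisement's settings:

```powershell
# Added example: reboot-notice logic in PowerShell. Not the post's package.
# Assumption: the WUA key is 'Auto Update' (with a space); a DWORD of 1 named
# for an update ID means that update is still waiting on a reboot. The key is
# created when an installer exits with 3010 (ERROR_SUCCESS_REBOOT_REQUIRED).
$RebootRequiredKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

function Get-PendingRebootUpdates {
    param([string]$Path = $RebootRequiredKey)
    # No key at all: nothing is waiting on a reboot, so the notice stays quiet.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $key = Get-Item -LiteralPath $Path
    $pending = @()
    foreach ($name in $key.GetValueNames()) {
        # Only values equal to DWORD 1 count; ignore anything else under the key.
        $value = $key.GetValue($name)
        if (($value -is [int]) -and ($value -eq 1)) { $pending += $name }
    }
    return $pending
}

function Show-RebootNotice {
    param(
        [string[]]$UpdateIds,
        [int]$NagMinutes = 30,   # illustrative
        [int]$ExpireHours = 8    # matches the 8-hour advertisement described above
    )
    Add-Type -AssemblyName System.Windows.Forms
    $deadline = (Get-Date).AddHours($ExpireHours)
    $message = "Updates have been installed and this computer must be restarted.`n" +
               "Please save your work and restart when convenient.`n" +
               "Pending: " + ($UpdateIds -join ', ')
    # OK is the only button: the customer can postpone by clicking, but cannot
    # dismiss the notice for good. It returns every $NagMinutes until the
    # machine reboots (the key is gone) or the advertisement window runs out.
    while ((Get-Date) -lt $deadline) {
        [void][System.Windows.Forms.MessageBox]::Show($message, 'Restart required',
            [System.Windows.Forms.MessageBoxButtons]::OK,
            [System.Windows.Forms.MessageBoxIcon]::Warning)
        Start-Sleep -Seconds ($NagMinutes * 60)
        if (-not (Get-PendingRebootUpdates)) { break }   # rebooted in the meantime
    }
}

$pending = @(Get-PendingRebootUpdates)
if ($pending.Count -eq 0) {
    Write-Host 'No update is waiting on a reboot; suppressing the notice.'
    exit 0
}
Show-RebootNotice -UpdateIds $pending
```

Two caveats a practitioner will want. First, on newer Windows versions the mere existence of the RebootRequired key signals a pending reboot even when it holds no values, so a check that insists on a value of 1 can stay silent when it should not; treating "key exists" as pending is the safer rule. Second, a program that puts up a message box has to run in the logged-on user's session, so the SMS program needs "Allow users to interact with this program" set, or the dialog is never seen and the advertisement just sits there until it expires.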
Get the script from Microsoft here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wua_sdk/wua/using_wua_to_scan_for_updates_offline.asp

We had 4 different collections to set up, with all 3 package advertisements for each.
The first one went out to the entire systems group.
It was one last chance to find a problem before hitting the rest of the company, so all of its packages are advertised one day earlier.
The second group was our normal internal LAN.
Known as the Business Network, it covers all our standard operational departments (marketing, accounting, contracts, etc.).
The third group was our developer network.
Our developers are currently given a choice about having SMS update their systems.
The ones who opt out must provide a valid reason, so we separated the entire network to make administration a little easier when dealing with the rest of the company.
The last network was our ROs (Regional Offices).
We'll probably roll them into the Business Network eventually, but for now they are separate.
We did hit an issue with the ROs: the old admin had built a 3-hour time difference into some parts of the patch schedule but not all of it. We spent an hour debating whether SMS uses the parent site time, the child site time, the DP time, or the client time. While we were certain that most machines on the LAN were joined to the domain and therefore had the right time, we couldn't be as sure about the ROs. (The setting that decides this is the Greenwich Mean Time checkbox on the advertisement schedule: unchecked, SMS interprets the schedule in each client's local time; checked, the schedule is in GMT. Pin that down before adjusting any start times.)

Also, if all the ROs are in one collection and we start something at 8:00am our time (Pacific), then it really starts at 11:00am Eastern. If we start it at 5:00am our time, how does that affect things that are expected to run until 5:00pm, since they would now be ending at 2:00pm? At one point Admin no. 2 thought that checking the Greenwich Mean Time checkbox would be a good idea. We eventually convinced him that it wasn't.

We finally settled on running the notices at the earlier adjusted time, but running the patch at our local 11:00pm, which is 8:00pm Eastern. Anybody still working at 8:00 and noticing a slowdown should just call it quits for the day.