Windows as a Service (3)--Manage WINDOWS10 updates with SCCM

Hello Little Friends, this is the third article in this series, I have shared with you about the Windows 10 Service branch and the way to manage updates with WSUS, interested partners can refer to the following links:

Windows as a service (1)--windows 10 Services Branch

Windows as a Service (2)--using WSUS to manage WINDOWS10 updates

We're on the strike. Methods for managing Windows 10 updates using SCCM. System Center Configuration Manager (SCCM) provides a simple mechanism for managing and updating Windows 10 clients in our environment, giving us maximum control over the management of Windows 10 updates. To manage Windows 10 feature updates, System Center Configuration Manager 1511 and later contains an additional service feature called a service plan. How do you do that? This document will be shared in the following steps:

1. Create a GPO and target client 2

2. Create a collection and its corresponding service plan

3. Enable Client-side targeting

4. Create and deploy a task sequence

---------------------------------Gorgeous split-line-------------------------------------------

1. Create a GPO and target client 2

In the group Policy Management Console, expand Forest \ Domains \ contoso.com, right-click the domain name, and then click Create a GPO in this domain, and Link it to her E, in the New GPO dialog box, name the new GPO.

Navigate to Windows Update and select Defer Windows Updates.

Right-click Select when Feature Updates is received, click Edit to enable this feature. Under Options, select the branch readiness level for the future updates, so you want to receive, choose the appropriate service branch and click OK.

Add the GPO that you just created in security filtering.

At this point, we have successfully created and deployed a GPO that specifies which machines should be located in the CBB service branch.

2.Create a collection and its corresponding service plan

Open SCCM, click Assets and Compliance, click Device Collection, and create a new collection.

TIPS:SCCM reads the client's service branch (0 (CB), 1 (CBB), and 2 (LTSB)) and stores the value in the Osbranch property, which we will use to create a collection based on the service branch.

Click Next, click Query rule in Add rule, name it, and click Edit Query statement for rule editing.

On the Criteria tab, click the new icon . In the Select Properties dialog box, select System resources from the list of attribute classes, because we are creating a collection of CB, so value writes 0.

On the Criteria tab, continue to click the new icon to create additional conditions.

After you've created all the criteria, you'll see the following pages:

Click Summary to view the site information, click Next to complete the creation. We have successfully created a collection that contains all of the managed Windows 10 clients in the CB service branch. Since the feature update time available for CB and CBB is different, we can set up the service plan based on the service branch where the customer is located.

In SCCM, click Software Library, follow the path, enter servicing plan, and create a new service plan.

Select the target collection that corresponds to the service plan.

The configuration of the service update time.

On the Deployment Plan page, click Next to leave the default settings (update immediately and require installation within a 7-day period).

Tip: In such a configuration, the effect is that when the configured due date arrives, the software update and the system restart are forced, and the restarted device must be a workstation device.

Create a deployment package that specifies the source path of the deployment package.

On the Distribution node page, click Add-> Distribution point, select the appropriate domain name as the distribution point, and then click OK.

Click Summary to view the configuration.

We have now created a service plan for the WIN10 Ring 2 Pilot Business User deployment ring. By default, this rule is followed every time the software updates, and we can modify the schedule by editing evaluation schedule.

3.Enable Client-side targeting

In general, Group Policy settings are widely deployed on multiple computers. Unlike these settings, Client-side targeting allows administrators to automatically add computers from specific security groups to a particular computer group in the WSUS administration console.

Create a new GPO in the same way as the 5th step.

Select Computer configuration->policies->administrative templates->windows components->windows Update.

Right-click Edit Enable Client-side targeting, enabling this feature. Enter the associated GPO name in target group name for this computer. This is the name of the deployment ring in WSUS where these computers will be added.

In group Policy management, select Wsus–client targeting-win10 Ring 1 Pilot IT, click on Security Filtering, remove authenticated USERS, add Add WIN10 Ring 1 Pilot IT group.

4.Create and deploy a task sequence

Task sequences are a series of steps that are performed in a sequential order. They are structured and able to determine whether a step is executed based on a specific condition logic. Therefore, the task sequence provides some unique service plans: Perform some additional steps before or after the feature update. When a new feature update is available for Windows 10 o'clock, the published ISO is also updated. With the task sequence, we can use the updated ISO to apply feature updates to clients, which is the same as the traditional in-place upgrade process. This is the only way to feature updates to devices running Windows Enterprise LTSB.

In the Create Task sequence interface, select the upgrade an operating system from the upgrade package.

Select the upgrade package.

Select the criteria for the software update deployment.

All the way next.

After the task sequence is created, we must deploy it to the collection.

This step used to paralyse the organization's environment because they accidentally forced the entire organization to install the operating system task sequence. Therefore, in System Center Configuration Manager 1511 and later, if any task sequences or other high-risk deployments are pressed to the site system, a warning box appears. This warning is intended to minimize the error in deploying task sequences to incorrect devices.

We take 14 days as an example, before automatic installation, we tell the user 14 days to run the task sequence on its own.

Do more configuration for the user experience.

Conclusion

System Center Configuration Manager gives us maximum control over the management of Windows 10 updates. We create and deploy the necessary GPOs, designate some machines as CBB, create the appropriate collections to manage Windows 10 updates for the deployment ring, we create service plans, automatically deploy the WINDOWS10 feature update to the appropriate collection when the deployment ring receives the update, and finally, We create and deploy upgrade packages and task sequences to deploy Windows 10 feature updates to managed clients.

Windows as a Service (3)--Manage WINDOWS10 updates with SCCM