A client recently requested a preliminary design for moving security updates from WSUS to CM 2012. There were several requirements for the move as well: 1) SUP would need to be tested on a small group of clients initially; 2) WSUS would need to remain in parallel during the process in order to keep current desktop/laptop clients and servers patched; 3) WSUS would need to remain in place after the move, as the server team would continue to use it until their conversion to CM 2012.
I’m only going to focus on how custom client settings were used to segment out the test group from the main body of desktops and laptops. (There were Group Policy and other adjustments which had to be made as well, but they are not part of this discussion.)
First, I created a test collection to house the initial software updates test group.
Current Default Client settings have Software Updates turned off.
I created a custom client device setting specifically targeted at software updates. You can do this by navigating to Administration > [expand] Overview > [expand] Site Configuration > [select] Client Settings, then either right-click on Client Settings and select “Create Custom Client Device Settings” or click the same-named icon in the top ribbon.
On the General tab of the resulting screen, I named the Custom Device Settings “Software Updates – Enabled” and checked the Software Updates box. Checking this box reveals the Software Updates tab in the left panel.
On the Software Updates tab, I enabled software updates on clients (1 in the picture below) and set the client so that, when any update reaches its deadline, updates with deadlines within 1 day are bundled with it (2 and 3 in the picture below). Save the custom client setting by clicking OK and then deploy it to the test collection. I set the priority of the setting to 1; if this is your first custom setting, it will default to a priority of 1. You can change the priority of any custom setting by right-clicking on the setting and using the Increase or Decrease Priority selections from the drop-down menu. Remember that the lower the priority number, the higher the precedence when settings are applied on the client machine.
The newly deployed setting shows up under the Deployments tab of the custom settings.
Force a Machine Policy Retrieval & Evaluation Cycle on the machines located in the test collection and the new custom settings will be applied. You can check this by looking at the Components tab of the Configuration Manager control panel applet.
Initiate a Software Updates Scan Cycle on the machines located in the test collection and then spot-check the WUAHandler.log file on those machines to validate that the clients are pointing to the correct SUP server and that the scan is not encountering any errors which need addressing. You should see something similar to the below entries in the log file.
Enabling WUA Managed server policy to use server: [YOUR SERVER HERE]
Async searching of updates using WUAgent started.
Async searching completed.
Successfully completed scan.
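To repeat the log spot-check above across several test clients, it can be scripted. The PowerShell below is an added example, not part of the original post: the SUP host name sup01.example.test and the sample log entries are constructed, and the log path assumes a default CM 2012 client install.

```powershell
# Added example, not from the original post. Run on a client in the test collection.
param(
    [string]$ExpectedSup = 'sup01.example.test',                # hypothetical SUP host name
    [string]$LogPath = "$env:windir\CCM\Logs\WUAHandler.log"    # assumed default CM 2012 client log path
)

function Test-WuaHandlerLog {
    param([string[]]$Lines, [string]$ExpectedSup)
    # Client log entries look like: <![LOG[message]LOG]!><time="..." ... type="1|2|3" ...>
    $entries = @(foreach ($line in $Lines) {
        if ($line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!><.*?type="(?<type>\d)"') {
            [pscustomobject]@{ Message = $Matches['msg']; Type = [int]$Matches['type'] }
        }
    })
    # Judge only the most recent scan: start at the last "Enabling WUA Managed server" entry.
    $start = -1
    for ($i = 0; $i -lt $entries.Count; $i++) {
        if ($entries[$i].Message -like 'Enabling WUA Managed server policy to use server:*') { $start = $i }
    }
    if ($start -lt 0) {
        return [pscustomobject]@{ Server = $null; ServerOk = $false; Completed = $false; Problems = @() }
    }
    $scan = @($entries[$start..($entries.Count - 1)])
    $server = ($scan[0].Message -replace '^.*?to use server:\s*', '').Trim()
    [pscustomobject]@{
        Server    = $server
        # Match on host name only, so http/https and any port are accepted.
        ServerOk  = $server -match ('^https?://' + [regex]::Escape($ExpectedSup) + '(:\d+)?(/|$)')
        Completed = [bool]($scan | Where-Object { $_.Message -eq 'Successfully completed scan.' })
        # type 2 = warning, type 3 = error
        Problems  = @($scan | Where-Object { $_.Type -ge 2 } | ForEach-Object { $_.Message })
    }
}

# Constructed sample entries, used only when the real log is absent (for example, off-client).
$meta = '<time="09:15:02.000+300" date="01-15-2013" component="WUAHandler" context="" type="{0}" thread="3120" file="sample">'
$sample = @(
    ('<![LOG[Enabling WUA Managed server policy to use server: http://sup01.example.test:8530]LOG]!>' + ($meta -f 1)),
    ('<![LOG[Async searching of updates using WUAgent started.]LOG]!>' + ($meta -f 1)),
    ('<![LOG[Async searching completed.]LOG]!>' + ($meta -f 1)),
    ('<![LOG[Successfully completed scan.]LOG]!>' + ($meta -f 1))
)
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
Test-WuaHandlerLog -Lines $lines -ExpectedSup $ExpectedSup
```

A client that still reports the WSUS server here, or shows entries under Problems, has not picked up the custom client setting or is hitting a scan error that needs addressing.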
If you feel so inclined, use a tool such as Roger Zander's Client Center to check things out. (http://sccmclictr.codeplex.com/ - don’t forget to donate!)