Tuesday, June 9, 2009

SCCM Deployments With Maintenance Windows : Part III

As stated previously, Microsoft System Center Configuration Manager (SCCM) 2007, with the introduction of Maintenance Windows, has made recurring scheduled maintenance a much easier task. In Part I, I provided a basic overview of SCCM Maintenance Windows with some key points. In Part II, I provided several not-so-obvious pitfalls and how to avoid them. In this section, Part III, I will provide some strategies that I have found extremely useful.

Protecting Clients (and yourself...)

The very first thing that I would recommend is to set a Maintenance Window in the past, with "Recurrence pattern" set to None, on an All Client Systems Collection. I would use 12/25/2006, from 6:00PM to 6:01PM. This ensures that all clients participate in Maintenance Window-style deployment and that a client won't inadvertently execute a deployment. As I stated in Part I and Part II, if a client does not have a Maintenance Window defined, a 24x7 Maintenance Window is implied.

The Implementation

Once all clients are protected from a 24x7 Maintenance Window, a maintenance schedule and strategy must be defined. A very common strategy that I've seen for creating the Collections on which Maintenance Windows will be defined is to create a Query-based Collection leveraging Active Directory Security Group Membership. This provides a flexible way to group Clients. Workstations can be grouped by department, etc. Servers can be grouped by role or function and spread out across multiple windows for uptime.

The design will most likely be the most complex part of the process. The implementation is actually very simple. Once the Collections have been created and populated, simply right-click the Collection, select Modify Collection Settings, and define your Maintenance Window. Keep in mind that the Maintenance Window duration must be long enough to accommodate the desired deployment(s).

Now that everything has been set up, it's time to trust the application to do what it is supposed to. A Software Updates deployment containing all of Microsoft's Security Updates (those with MS numbers) is a great place to start. If one has not previously been created, create a Software Updates List and a Deployment containing all of the MS07 Security Updates (if desired, remember to change the 20 min Maximum Runtime) and deploy it against the All Client Systems Collection. The following settings should be in place on the Deployment:
  • Advertisement Start Time should be set for the current time
  • Mandatory Assignment Deadline should be set for the current time (allowing clients to download prior to their scheduled Maintenance Window)
  • Do NOT Ignore Maintenance Windows
  • Do NOT allow System Restarts outside of Maintenance Windows

Since all of our Clients are protected by the Maintenance Window defined for one minute on Christmas Day of 2006, only the Clients in our newly defined Collections will ever deploy, and only during their defined Maintenance Windows.
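
One way to audit which Collections carry which Maintenance Windows, so the protective 2006 window and the live windows can be told apart at a glance. This is an added example, not part of the original post; it assumes the SMS Provider classes SMS_CollectionSettings and SMS_ServiceWindow (with StartTime as a DMTF date string and Duration in minutes), and the site code is a placeholder.

```powershell
# Added example: run against the SMS Provider with read rights to Collections.
$SiteCode  = 'XXX'                        # placeholder: your three-character site code
$Namespace = "root\sms\site_$SiteCode"
$now       = Get-Date

foreach ($s in Get-WmiObject -Namespace $Namespace -Class SMS_CollectionSettings) {
    $s.Get()    # ServiceWindows is a lazy property; Get() loads the full instance

    foreach ($w in $s.ServiceWindows) {
        # Parse only the yyyyMMddHHmmss part of the DMTF timestamp.
        $start = [datetime]::ParseExact($w.StartTime.Substring(0, 14), 'yyyyMMddHHmmss', $null)
        $end   = $start.AddMinutes($w.Duration)

        # RecurrenceType 1 = None. A non-recurring window that has already ended
        # never opens again, which is what makes it a protective placeholder.
        if (-not $w.IsEnabled) {
            $state = 'Disabled'
        } elseif ($w.RecurrenceType -eq 1 -and $end -lt $now) {
            $state = 'Protective (non-recurring, already past)'
        } else {
            $state = 'Live'
        }

        '{0}  {1}  start={2:g}  duration={3} min  {4}' -f `
            $s.CollectionID, $w.Name, $start, $w.Duration, $state
    }
}
```

The All Client Systems Collection should show exactly one line, marked as protective; any Collection whose window duration is shorter than the Maximum Runtime of the deployment it is meant to receive is worth a second look.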

More Deployment Techniques Utilizing This Strategy

The Immediate Baseline Approach:
At times, say during a new Workstation or Server build, the deployment of a desired baseline must take place promptly. Utilizing the concepts discussed previously, if the desired baseline is advertised to the All Client Systems Collection, all that is required is to create a 24x7 Collection (I would personally label it as such to keep it obvious) with a 24-hour Maintenance Window defined with a Daily "Recurrence pattern". Now, in order to deploy the desired baseline immediately, simply add the client to the 24x7 Collection. The Client will pick up its baseline as soon as it becomes a part of the All Client Systems Collection and then pick up its Maintenance Window from the 24x7 Collection. This process can be expedited by initiating a Machine Policy Refresh and (if applicable) a Software Updates Evaluation Cycle on the Client system. Remember to remove the Client from the 24x7 Collection as soon as it reaches compliance.
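
The two client actions mentioned above, followed by a check of which Maintenance Windows the client actually holds in policy, as an added example that is not part of the original post. It assumes the ConfigMgr client WMI classes SMS_Client and CCM_ServiceWindow and the standard client-action schedule IDs; the wait time is an arbitrary choice.

```powershell
# Added example: run locally on the client in an elevated PowerShell session.

# Client actions, in the order they should fire (name, schedule ID).
$actions = @(
    @('Machine Policy Retrieval',               '{00000000-0000-0000-0000-000000000021}'),
    @('Software Updates Deployment Evaluation', '{00000000-0000-0000-0000-000000000108}')
)

$client = [wmiclass]'\\.\root\ccm:SMS_Client'
foreach ($a in $actions) {
    # TriggerSchedule only queues the action; the work happens asynchronously.
    $null = $client.TriggerSchedule($a[1])
    Write-Output "Triggered: $($a[0])"
}

# Give the policy agent time to download and evaluate policy (assumed value).
Start-Sleep -Seconds 120

# Maintenance Windows the client has received through policy.
$windows = @(Get-WmiObject -Namespace 'root\ccm\Policy\Machine\ActualConfig' -Class CCM_ServiceWindow -ErrorAction Stop)

if ($windows.Count -eq 0) {
    # No window in policy means the implied 24x7 window applies to this client.
    Write-Warning 'No Maintenance Window in client policy: deployments can run at any time.'
} else {
    $windows | Select-Object ServiceWindowID, ServiceWindowType, Schedules | Format-Table -AutoSize
}
```

Running the second half again after removing the Client from the 24x7 Collection (and refreshing policy) confirms that the daily 24-hour window is gone and only the protective window and the scheduled windows remain.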

Deploying To A Subset of Clients While Abiding By Their Respective Maintenance Windows:
Recently, I created a Task Sequence containing Adobe Reader and Acrobat Updates that was to be deployed during our normal, scheduled Maintenance Windows. The Task Sequence was set to reboot the Clients at the completion of the Update(s) installation, so I only wanted to advertise this to Clients that actually required the Updates. I created a Query-based Collection containing all of the clients I wanted to Advertise my package to and then Advertised my Task Sequence to that Collection. The Advertisement was not set to "Override Maintenance Windows", was set to "Always Re-run" (as it is now part of our desired baseline), and had no Expiration set. Now, this subset of Clients that require Adobe Updates will install them during their normal, scheduled Maintenance Windows.
