Thursday, April 25, 2013

Utilizing Fallback for Software Updates in 2012 SP1

"Starting in Configuration Manager SP1, you can configure a client on the intranet to download software updates from Microsoft Update if a distribution point is not available." http://technet.microsoft.com/en-us/library/gg712304.aspx

So SP1 gives clients a way to download updates from the Internet when the content is not found on a distribution point. It is a useful feature, but it comes with a catch: the updates still have to be downloaded into a deployment package and distributed to at least one DP. Updates that exist only as metadata in the catalog never fall back to Microsoft Update.

Here is how that feature can be turned around to shortcut content distribution for a small, scattered population of clients:

Scenario: A company with 15,000 machines has 300 left on Windows Vista and 400 on Windows XP. Network bandwidth to the distribution points is limited and no site has more than 10 of these machines. What makes this company different is a proxy link to the Internet: all non-business traffic is sent straight out to the Internet rather than over the WAN. The legacy machines must still be patched.

Solution: Pick a single DP to hold the Vista and XP patches. Create your Software Update Groups as usual, but distribute the deployment package to that one DP only, and deploy the update group to the XP/Vista collection. In the deployment's download settings, set both deployment options (slow or unreliable boundary, and fallback source location) to "Download and install", and enable the option to download content from Microsoft Update when it is not available on a preferred or remote DP. Why? The XP/Vista clients will look at their local and remote DPs for the content, fail to find it, and fall back to the Internet. Because the number of machines is small the company will not notice the Internet download traffic, and the admins do not have to distribute Vista and XP patches to DPs all over the world.
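The same steps scripted with the ConfigurationManager PowerShell module, as an added example that is not part of the original post. The site code, site server, DP, deployment package, update group and collection names are assumptions; the parameter names are those of the current module's New-CMSoftwareUpdateDeployment (the SP1-era module exposed the same download settings through Start-CMSoftwareUpdateDeployment, so adjust the cmdlet name if you are on that version):

```powershell
# Added example, not from the original post. All names below are assumptions.
$SiteCode    = 'PS1'                                # assumed site code
$SiteServer  = 'cm01.corp.example.com'              # assumed site server
$FallbackDP  = 'cm01.corp.example.com'              # the ONE DP that holds legacy content (assumed)
$PackageName = 'Legacy OS Updates - XP and Vista'   # assumed deployment package name
$SugName     = '2013-04 Legacy OS Updates'          # assumed software update group name
$Collection  = 'All Windows XP and Vista Clients'   # assumed target collection

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"

# 1. The content must sit in a deployment package on at least one DP, or the
#    Microsoft Update fallback never triggers. Distribute to the single DP only.
Start-CMContentDistribution -DeploymentPackageName $PackageName `
                            -DistributionPointName $FallbackDP

# 2. Deploy the update group. Both deployment options are "download and install"
#    (slow/unreliable boundary AND fallback source), and the Microsoft Update
#    fallback is on. With the content absent from every DP the client can see,
#    the fallback is what actually serves the bits.
New-CMSoftwareUpdateDeployment `
    -SoftwareUpdateGroupName     $SugName `
    -CollectionName              $Collection `
    -DeploymentName              "$SugName - legacy clients via MU fallback" `
    -DeploymentType              Required `
    -AvailableDateTime           (Get-Date) `
    -DeadlineDateTime            (Get-Date).AddDays(7) `
    -TimeBasedOn                 LocalTime `
    -UserNotification            DisplaySoftwareCenterOnly `
    -ProtectedType               RemoteDistributionPoint `
    -UnprotectedType             UnprotectedDistributionPoint `
    -DownloadFromMicrosoftUpdate $true `
    -RestartWorkstation          $false `
    -RestartServer               $false

# 3. Sanity check: the package should be on exactly the one DP. If it shows up
#    on more, clients at those sites will pull from the DP instead of the Internet.
$pkg = Get-CMSoftwareUpdateDeploymentPackage -Name $PackageName
Get-WmiObject -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" `
              -Class SMS_DistributionDPStatus -Filter "PackageID='$($pkg.PackageID)'" |
    Select-Object Name, MessageState
```

To confirm a client is really taking the fallback path, watch UpdatesDeployment.log and ContentTransferManager.log on an XP or Vista machine: the content location lookup should come back with no DP, and the download source should be a Microsoft Update URL rather than a DP. The proxy must allow those clients outbound to Microsoft Update; the client still checks the downloaded content against the hash in the update metadata before installing, so routing the download through the Internet proxy does not change what gets installed.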

This was not meant for the way I am pushing it, but it does work.

What it solves:
1. No network traffic to random DPs for Vista and XP patches
2. The DP queue stays open for other distributions
3. Clients still patch, and compliance numbers continue to rise
4. The legacy OS patches only need to be on one DP


Note: CU1 is required if your clients are running over alternate ports. It corrects an issue where the client tried to use the alternate ports to contact Microsoft Update.