Can you apply rules to WSUS used by SCCM?

The client I'm working at deploy patches via a WSUS server. They have set rules to deploy all critical patches to workstations. I have set up new WSUS server with SCCM controlling etc.. All works great
 
However, client sees this as a "backward" step because somebody must "manually" do work each patch Tuesday to update the Software Update list with the latest critical/important patches etc. and set up new deployments. I have explained that this is a very straightforward task and that SCCM provides a far superior patch mechanism in terms of granularity, selecting which clients to deploy to + compliance reporting and DCM etc. etc.
 
...but their attitude is we don't care - we don't bother doing any sort of QA checking each month - just assume that the MS patches are ok and just deploy then to all clients !!. On that basis I've had to agree if they feel that way they might as well scrap the new SCCM/WSUS server and just use their existing method
 
I have said that the two WSUS servers are mutually exclusive i.e. you don't screw around with the SCCM/WSUS server - let SCCM do all the work and never go into the WSUS console, but I will thow this one out there. Could you use the new SCCM/WSUS database AND apply a rule within WSUS console to deploy all Critical patches. Then you could still use SCCM for build and any other patches but they would get their fully automatic wish for the critical patches

Ian Burnell
London UK

I'm not aware of any out-of-the-box automated way to create the update lists, download every associated patch file, auto-approve any license agreements you might have to do, and auto-add every update in an update list to a deployment.

That's not to say that it can't be done.  I could see someone perhaps leveraging the SDK scripts and scripting all of that.  Then someone on their team could just run the script.

But if they like how WSUS is working for them, I'd just go with the flow and let them manage WSUS separately from ConfigMgr.  Perhaps point out that by doing so they will lose some functionality they might like in the future--like patching integration when doing OSD, or leverage SCUP to deploy non-Microsoft updates.  They might decide that a couple hours of work a month to go through the update lists/etc. is worth having the extra capability.

mofmaster@myitforum.com
My Blog
Microsoft MVP - ConfigMgr

Thanks Sherry.
 
What I was meaning was to set rules and download patches on the WSUS server/console i.e. like they do at present AND still use the same WSUS database for SCCM. I suspect this can't be done
 
.. as it happens I have pursuaded them to set aside a resource to authorise the monthly patches so it won't be needed but still interested to know if this is possible from a personal view

Ian Burnell
London UK

After using WSUS for quite a few years before moving to ConfigMgr to deploy updates, that was my gripe too (and still is).
However, the next version ( I know its still in beta) is supposed to allow automatic approvals.

I've had a wee look at the vhd and i think thats what the "Automatic Grouping Rule" is under software updates.

It allows you create a deployment but select the update classification i.e. security updates/ critical etc to deploy. Therefore i'm assuming it allows you to automatically deploy these updates to that collection with all the template settings we have in 2007.


If this is so, then that would be fab!
:-)

Jane