Apr 22 2020 08:17 AM
We are currently using SCCM using Windows 10 upgrade task sequences to manage our Microsoft Windows 10 feature updates. With 300 staff going remote, SCCM upgrade task sequences are not an option. What free ways does Microsoft recommend for managing these updates?
Apr 22 2020 08:27 AM
@zaclaramay there are a few different ways that you can manage updates for your remote workers.
1. You can deploy feature updates as a software update from Configuration Manager and allow clients to acquire the content for those directly from Windows Updates rather than from on premise DPs while still maintaining management of the updates from Configuration Manager so long as you configure correctly (see these blogs 1, 2).
2. To further reduce VPN traffic, you can utilize Windows Update for Business which is free whether through Group Policy or through moving your Windows update workload to co-management with Intune. Please see the docs on how to set this up here.
Please let me know if you want any more information on either of these approaches. :)
Apr 22 2020 08:28 AM
@zaclaramay We use the upgrade task sequence remotely on computers connected to the VPN and to the CMG. It is only OS deployments that cannot go over the CMG. For upgrades, you used to have to select to pre-download all the content first, but I think in 1806, that requirement was removed.
Apr 22 2020 08:31 AM
@Aria Carley thank you for your reply. I will look into managing the updates via Windows Updates rather than from on premise DP. We will just have to do some testing as we deploy several scripts in our Upgrade Task Sequence to resolve bugs in the Windows feature upgrade process.
Apr 22 2020 08:34 AM
For the scripts you run in your IPU process currently via a Task Sequence, you might be able to leverage the Custom Action Scripts that run at various times during the Windows 10 Setup Engine process:
You might also be able to leverage scheduled tasks, and have the scripts look for specific conditions to know when to run.
Apr 22 2020 08:36 AM
Yeah, if you don't have VPN back to connect to your internal CM infrastructure, TS's become very difficult.
If you do have VPN, then it's completely possible, even with slow links thanks to LEDBAT++ and BranchCache Technology.
Apr 22 2020 08:45 AM
I hear you on that, we too had a handful of users who rarely would connect to VPN. At that point it became a management issue. They were instructed to turn on their computer at 6PM, connect to VPN and leave it on overnight so it could upgrade over VPN. Failure to comply was failing to complete job duties.
Apr 22 2020 08:55 AM
@gwblok @zaclaramay I had IBCM configured for my ConfigMgr but soon after the sudden WFH mandate, I discovered IBCM was not working properly. After getting it fixed, it required the clients to VPN at least once for a duration of time to pick up new policies and changes. Catch-22 is that some remote systems don't have the VPN client installed and they are unable to install due to lack of local admin creds for UAC elevation. Sigh!
Apr 22 2020 09:01 AM
@zaclaramay We have been upgrading these users with the CMG. We set the content location to download all content prior to start.
We also mark the task sequence as allowed to run on the Internet. The only issue we see is the status messages for the deployment status are not returned after the new OS is deployed.
Here is a snippet from the documentation:
Allow task sequence to run for client on the Internet: Specify whether the task sequence is allowed to run on an internet-based client. Operations that require a boot media, such as the installation of an OS, aren't supported with this setting. Use this option only for generic software installations or script-based task sequences that perform operations in the standard OS.