Deploying Software Updates

© 2012 Microsoft Corporation. All rights reserved.
Microsoft Confidential
System Center 2012 Configuration Manager
Concepts & Administration
Lesson 7: Deploying Software Updates
Your Name
Premier Field Engineer
Conditions and Terms of Use
Microsoft Confidential
This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software
is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content
and/or software included in such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind,
whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and noninfringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft
must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no
association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should
be inferred.
Copyright and Trademarks
© 2012 Microsoft Corporation. All rights reserved.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Introduction to Software Updates Management
Features available
Reporting and troubleshooting
Microsoft Confidential
After completing this lesson, you will be able to:
Install and configure a Software Update Point
Understand the different features involved in patch
management and how to manage them
Create manual and automated update deployments
Use reports to check update compliance states and
deployment status
Microsoft Confidential
Introduction to Software Update Management
Patch Management process
Capacity planning
Microsoft Confidential
Software Updates End-to-End Workflow
Configure software
update components
Monitor deployment
using reports
Enable and configure
Software Updates Client
Enable and
configure Active SUP
Optional: Configure
multiple SUP using
Synchronize with
WSUS server
Optional: Create Software
Update Groups that contain
defined sets of updates.
Create a deployment using
Deployment Software Updates
Wizard or use Automatic
Deployment Rule (new)
Optional: Download software
updates and provision the
updates on DP using Download
Updates Wizard.
Analyze whether
software updates are
Software Update Point Prerequisites
Server prerequisites:
Windows Server Update Service (WSUS) 3.0 SP2
WSUS Administration Console if SUP is remote
Network Load Balancing (optional, see capacity planning)
SRS Reporting Point
Client prerequisites:
Latest version of Windows update agent
Microsoft Confidential
Capacity Planning
The number of supported clients is dependent on the
version of Windows Server Update Services (WSUS) that
runs on the Software Update Point and on whether the
Software Update Point site system role co-exists with other
site system roles.
SUP co-exists with another site
system role
Up to 25,000
SUP on a separate box (without
any other site server role)
Up to 100,000
Microsoft Confidential
Installed as site system role
SUP can be installed on:
CAS site
Primary Site
Secondary Site
The first SUP must be installed on the CAS.
If CAS does not have access to the internet then you can
use export/import functions of WSUSUtil tool to
synchronize software updates metadata.
(New in Sp1) - You can install multiple SUP* at a site to
support untrusted forest scenario as well as remove NLB**
requirements for fault tolerance.
Microsoft Confidential
New in Configuration Manger 2012 Sp1
You can specify existing WSUS server (which is not part of
the Configuration Manager hierarchy) as the upstream
Synchronization source for the top-level site.
New Deployment Templates
Definition Updates template
Patch Tuesday
New WSUS Server connection account for SUP
You can select multiple software updates from the Software
Center to install as a group.
Disable Software Update randomization option
Windows Embedded devices – Control the behavior of the
write filter when you deploy Software Updates using the
new feature “Commit changes at deadline or during a
maintenance windows (requires restarts)”.
Microsoft Confidential
Installing the SUP Role on a Secondary Site
Microsoft Confidential
Installation Recommendations
Ensure that clients managed by a site with an active SUP
are not targeted by a WSUS GPO. If you are using Software
Update-based client installation on a fresh image, you must
configure and assign a Group Policy Object (GPO) in AD to
specify the SUP server name from which the computer will
obtain software updates*.
Use GP Preferences** rather than GPO for setting the
WSUS server for initial client installation to make use of
failover SUP***.
Do not re-use an existing WSUS infrastructure
Do not configure the WSUS Server
Consider using a custom web site for SUP
Microsoft Confidential
Lab: Software Update Point Installation and
You are the administrator of the
Contoso Configuration Manager
hierarchy. You wish to install and
configure SUP into your
Ensure prerequisites are met
Install and configure a software
update point.
Configure client agent settings
Microsoft Confidential
Lesson Review
Why is the WSUS admin console required on the
site server when installing the SUP ?
What should I do if I plan to manage more than
25,000 clients when using a SUP ?
Microsoft Confidential
Lesson Summary
In this lesson, you learned:
How to plan for a SUP installation, including the
required components
How to complete a SUP installation
Microsoft Confidential
After completing this lesson you will learn:
How to manage updates
How to create update groups
How to create update deployments
Microsoft Confidential
Features Available
Superseded update support
SUM admin role (with RBA)
Client agent settings
Simplified update groups
Automated deployments
End user experience
Content library and cleanup
Migration from Configuration Manager 2007
Microsoft Confidential
Superseded Updates Support
Publisher can expire or supersede
software updates
Configuration Manager 2007
automatically expires superseded
System Center 2012 Configuration
Manager can:
Persist Configuration Manager 2007
Configure System Center 2012
Configuration Manager to not
automatically expire superseded
Microsoft Confidential
SUM Administration Role (with RBA)
SUM Admin can initiate
specific actions (role) . . .
. . . on a specific set of
objects (scope)
Example: SUM admin for
servers can manage all
software updates for just the
server collection
Microsoft Confidential
Client Agent Settings for SUM
New UI for client
agents settings
Settings can be
applied per Collection
so software updates
can be enabled or
disabled on select
Microsoft Confidential
Simplified Update Groups
Improved search to find updates
Update groups replace lists and deployments
New updates added to groups are automatically
Groups can be used for compliance or deployment
Microsoft Confidential
Automated Deployments (new)
Automatic approval of selected updates
Scheduled or manually run
Useful for Patch Tuesday and Endpoint Protection
Objects created by rules are interactive:
Deployments can be enabled/disabled
Deployment can be added/removed from groups
Updates can be added/removed from groups
Deployment templates
Microsoft Confidential
End User Experience
Uses the new Software
Center user interface
End user has better control
of their own experience:
Install/schedule updates
Use non-business hours
Admin can choose to hide
just pop-ups, or hide all end
user notifications
Microsoft Confidential
Content Library and cleanup
Software updates stored in the Content Library
Maintenance task deletes expired updates and content
Microsoft Confidential
Migration from Configuration Manager 2007
Migrate existing SUM objects:
Preserve existing update lists or
Persist use of update content on
Distribution Points (through
Distribution Point sharing or prestaging)
SUP configuration for
products and classifications
must be the same on both
SCUP updates cannot be
Microsoft Confidential
Features that have not Changed from Configuration
Manager 2007
Maintenance Windows
Update will not be installed until next available service window
Potential system restart time period is factored into evaluation
If client is member of multiple collections – all applicable
maintenance windows will be honored
One time maintenance windows can prevent future update
Can be overridden
Internet-based client support
Wake-On-LAN integration
Selective download of binaries
Microsoft Confidential
Lab: Software Update deployment
You are the administrator of the
Contoso Configuration Manager
hierarchy and you wish to deploy
an update group to your clients
Create an update group
Create a manual and an
automated deployment
Check deployment status
Microsoft Confidential
Lesson Review
What are the two types of update deployments?
Where does Configuration Manager store software updates?
How do you configure different software update policies for
servers and clients?
Microsoft Confidential
Lesson Summary
In this lesson, you learned:
How to manage updates
How to create update groups
How to create update deployments
Microsoft Confidential
In this lesson, you will learn:
How to use reports for software updates
How to troubleshoot software updates
Microsoft Confidential
Reporting and Troubleshooting
Key compliance and deployment views
Detailed state of all deployments and assets
Error codes are interpreted
Software update synchronization status
Alerts for software issues
Extensive update states available in out-of-box
Microsoft Confidential
Key Compliance Reports
Microsoft Confidential
Deployment Status and Asset Views
Microsoft Confidential
Using Reports for Troubleshooting
Microsoft Confidential
Software Update Point Synchronization Status
Microsoft Confidential
Alerts for software update issues
Microsoft Confidential
Server Logs
Types of issues
Installation of SUP Site Role
WCM.log, WSUSCtrl.log
Configuration of WSUS Server/SUP
ConfigMgr/WSUS Updates
Synchronization Issues
Policy Issues for Update
Assignments/CI Version Info policies
Auto Deployment Rules
Microsoft Confidential
Client logs
Types of issues
Deployments, SDK, UX
Updates, Download
Online/Offline scans, WSUS location
Update status (missing/installed –
verbose logging), WU interaction
Update status (missing/installed)
Scanning/Installation of updates
Microsoft Confidential
Lesson Review
What tools are available for troubleshooting
What log should I check to verify update
installation on a client?
Microsoft Confidential
Lesson Summary
In this lesson, you learned:
How to use reports for software updates
How to troubleshoot software updates
Microsoft Confidential
Related flashcards
Create Flashcards