microsoft confidential © 2014 microsoft corporation. all rights reserved
Post on 17-Dec-2015
223 Views
Preview:
TRANSCRIPT
Microsoft Confidential
© 2014 Microsoft Corporation. All rights reserved.
System Center 2012 Configuration ManagerConcepts & Administration
Lesson 7: Deploying Software Updates
Premier Field Engineer
Microsoft
Your Name
Conditions and Terms of Use
This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content athttp://www.microsoft.com/about/legal/permissions/
Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Copyright and Trademarks © 2014 Microsoft Corporation. All rights reserved.
Microsoft Confidential
OverviewIntroduction to Software Updates ManagementFeatures available Reporting and troubleshooting
Microsoft Confidential4
Objective
After completing this lesson, you will be able to:Install and configure a Software Update PointUnderstand the different features involved in patch management and how to manage themCreate manual and automated update deploymentsUse reports to check update compliance states and deployment status
Microsoft Confidential5
Introduction to Software Update Management
Patch Management processPrerequisitesCapacity planningInstallation
Microsoft Confidential6
Software Updates End-to-End Workflow
StartConfigure
software update components
Enable and configure Software Updates
Client Agent
Enable and configure Active
SUP
Synchronize with WSUS server
Analyze whether software updates
are required
Create a deployment using Deployment Software Updates
Wizard or use Automatic Deployment Rule (new)
Monitor deployment using
reports
Are softwar
e Updates required
?
No
Yes
Optional: Configure
multiple SUP using NLB
Optional: Create Software Update Groups that
contain defined sets of updates.
Optional: Download software updates and
provision the updates on DP using Download Updates
Wizard.
Software Update Point Prerequisites
Server prerequisites:Windows Server Update Service (WSUS) 3.0 SP2WSUS Administration Console if SUP is remoteNetwork Load Balancing (optional, see capacity planning)
Note : This is Pre-SP1 Requirement. With SP1 you can have 4 SUPs per site.
SRS Reporting Point
Client prerequisites:Latest version of Windows update agent
Microsoft Confidential8
Capacity Planning
The number of supported clients is dependent on the version of Windows Server Update Services (WSUS) that runs on the Software Update Point and on whether the Software Update Point site system role co-exists with other site system roles.
Microsoft Confidential9
Role Limit
SUP co-exists with another site system role
Up to 25,000
SUP on a separate box (without any other site server role)
Up to 100,000
Installation
Installed as site system roleSUP can be installed on:
CAS sitePrimary SiteSecondary Site
The first SUP must be installed on the CAS.If CAS does not have access to the internet then you can use export/import functions of WSUSUtil tool to synchronize software updates metadata.(New in Sp1) - You can install multiple SUP* at a site to support untrusted forest scenario as well as remove NLB** requirements for fault tolerance.
Microsoft Confidential10
New in Configuration Manger 2012 Sp1You can specify existing WSUS server (which is not part of the Configuration Manager hierarchy) as the upstream Synchronization source for the top-level site.New Deployment Templates
Definition Updates templatePatch Tuesday
New WSUS Server connection account for SUP You can select multiple software updates from the Software Center to install as a group. Disable Software Update randomization optionWindows Embedded devices – Control the behavior of the write filter when you deploy Software Updates using the new feature “Commit changes at deadline or during a maintenance windows (requires restarts)”.
Microsoft Confidential11
New Maintenance Windows for Software Updates only.
Ability to control Software update Installation separately from Software Distribution and Operating System Deployment.
Modify Deployment package for Existing Automatic Deployment Rules.
Ability to modify the deployment package ADR downloads to allow for better control before a deployment package becomes too large.
Preview Software Updates in the Automatic Deployment Rule while building the property filters.
Allows a preview of Software updates found while building filters for the ADR. Gives the ability to validate the filter rules were built correctly.
New in Configuration Manger 2012 R2
Microsoft Confidential12
Installing the SUP Role on a Secondary Site
Microsoft Confidential13
Installation Recommendations
Ensure that clients managed by a site with an active SUP are not targeted by a WSUS GPO.
If you are using Software Update-based client installation on a fresh image, you must configure and assign a Group Policy Object (GPO) in AD to specify the SUP server name from which the computer will obtain software updates*.
Use GP Preferences** rather than GPO for setting the WSUS server for initial client installation to make use of failover SUP***. Do not re-use an existing WSUS infrastructureDo not configure the WSUS ServerConsider using a custom web site for SUP
Microsoft Confidential14
PowerShell Cmdlets for Software updates
Multiple PowerShell Cmdlets are available for Software updates.
Example to Perform a full Sync for Software updatesSync-CMSoftwareUpdate
Sync-CMSoftwareUpdate -FullSync <Boolean> [ <CommonParameters>]
This command retrieves metadata for all software updates.
PS C:\> Sync-CMSoftwareUpdate -FullSync $True
Microsoft Confidential16
Lab: Software Update Point Installation and Configuration
GoalsGoals
ScenarioScenario
Ensure prerequisites are met
Install and configure a software update point.
Configure client agent settings
Ensure prerequisites are met
Install and configure a software update point.
Configure client agent settings
You are the administrator of the Contoso Configuration Manager hierarchy. You wish to install and configure SUP into your hierarchy
You are the administrator of the Contoso Configuration Manager hierarchy. You wish to install and configure SUP into your hierarchy
Microsoft Confidential17
Lesson Review
Why is the WSUS admin console required on the site server when installing the SUP ?What should I do if I plan to manage more than 25,000 clients when using a SUP ?
Version RTM?Version SP1?
Microsoft Confidential18
Lesson Summary
In this lesson, you learned:How to plan for a SUP installation, including the required componentsHow to complete a SUP installation
Microsoft Confidential19
Objective
After completing this lesson you will learn:How to manage updatesHow to create update groupsHow to create update deployments
Microsoft Confidential20
Features Available
Superseded update supportSUM admin role (with RBA)Client agent settingsSimplified update groupsAutomated deploymentsEnd user experienceContent library and cleanupMigration from Configuration Manager 2007
Microsoft Confidential21
Superseded Updates Support
Publisher can expire or supersede software updates
Configuration Manager 2007 automatically expires superseded updates
System Center 2012 Configuration Manager can:
Persist Configuration Manager 2007 behaviorConfigure System Center 2012 Configuration Manager to not automatically expire superseded updates
Microsoft Confidential22
SUM Administration Role (with RBA)
SUM Admin can initiate specific actions (role) . . .
. . . on a specific set of objects (scope)
Example: SUM admin for servers can manage all software updates for just the server collection
Microsoft Confidential23
Client Agent Settings for SUM
New UI for client agents settings
Settings can be applied per Collection so software updates can be enabled or disabled on select systems
Microsoft Confidential24
Simplified Update Groups
Improved search to find updatesUpdate groups replace lists and deploymentsNew updates added to groups are automatically deployedGroups can be used for compliance or deployment
Microsoft Confidential25
Automated Deployments (new)
Automatic approval of selected updatesScheduled or manually runUseful for Patch Tuesday and Endpoint ProtectionObjects created by rules are interactive:
Deployments Rules can be enabled/disabledDeployment can be added/removed from groupsUpdates can be added/removed from groups
Deployment templates
Microsoft Confidential26
End User Experience
Uses the new Software Center user interfaceEnd user has better control of their own experience:
Install/schedule updatesUse non-business hours
Admin can choose to hide just pop-ups, or hide all end user notifications
Microsoft Confidential27
Content Library and cleanup
Software updates stored in the Content LibraryMaintenance task deletes expired updates and content
Microsoft Confidential28
Migration from Configuration Manager 2007
Migrate existing SUM objects:
Preserve existing update lists or deploymentsPersist use of update content on Distribution Points (through Distribution Point sharing or pre-staging)
SUP configuration for products and classifications must be the same on both infrastructuresSCUP updates cannot be migrated
Microsoft Confidential29
Features that have not Changed from Configuration Manager 2007
Maintenance WindowsUpdate will not be installed until next available service windowPotential system restart time period is factored into evaluationIf client is member of multiple collections – all applicable maintenance windows will be honoredOne time maintenance windows can prevent future update deploymentsCan be overridden
Internet-based client supportWake-On-LAN integrationSelective download of binaries
Microsoft Confidential30
Lab: Software Update deployment
GoalsGoals
ScenarioScenario
Create an update group
Create a manual and an automated deployment
Check deployment status
Create an update group
Create a manual and an automated deployment
Check deployment status
You are the administrator of the Contoso Configuration Manager hierarchy and you wish to deploy an update group to your clients
You are the administrator of the Contoso Configuration Manager hierarchy and you wish to deploy an update group to your clients
Microsoft Confidential31
Lesson Review
What are the two types of update deployments? Where does Configuration Manager store software updates?How do you configure different software update policies for servers and clients?
Microsoft Confidential32
Lesson Summary
In this lesson, you learned: How to manage updates How to create update groups How to create update deployments
Microsoft Confidential33
Objective
In this lesson, you will learn: How to use reports for software updates How to troubleshoot software updates
Microsoft Confidential34
Reporting and Troubleshooting
Key compliance and deployment views Detailed state of all deployments and assets Error codes are interpreted Software update synchronization status monitoring Alerts for software issues Extensive update states available in out-of-box reports
Microsoft Confidential35
Key Compliance Reports
Microsoft Confidential36
Deployment Status and Asset Views
Microsoft Confidential37
Using Reports for Troubleshooting
Microsoft Confidential38
Software Update Point Synchronization Status
Microsoft Confidential39
Alerts for software update issues
Microsoft Confidential40
Server Logs
Microsoft Confidential41
Log Types of issues
SUPsetup.log Installation of SUP Site Role
WCM.log, WSUSCtrl.log Configuration of WSUS Server/SUP
WSyncMgr.log ConfigMgr/WSUS Updates Synchronization Issues
Objreplmgr.log Policy Issues for Update Assignments/CI Version Info policies
RuleEngine.log Auto Deployment Rules
Client logs
Microsoft Confidential42
Log Types of issues
UpdatesDeployment.log Deployments, SDK, UX
UpdatesHandler.log Updates, Download
ScanAgent.log Online/Offline scans, WSUS location requests
WUAHandler.log Update status (missing/installed – verbose logging), WU interaction
UpdatesStore.log Update status (missing/installed)
%windir%\WindowsUpdate.log Scanning/Installation of updates
Lesson Review
What tools are available for troubleshooting updates?What log should I check to verify update installation on a client?
Microsoft Confidential43
Lesson Summary
In this lesson, you learned:How to use reports for software updatesHow to troubleshoot software updates
Microsoft Confidential44
top related