microsoft confidential © 2014 microsoft corporation. all rights reserved

Microsoft Confidential

© 2014 Microsoft Corporation. All rights reserved.

System Center 2012 Configuration ManagerConcepts & Administration

Lesson 7: Deploying Software Updates

Premier Field Engineer

Microsoft

Your Name

Conditions and Terms of Use

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.

The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

For more information, see Use of Microsoft Copyrighted Content athttp://www.microsoft.com/about/legal/permissions/

Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Copyright and Trademarks © 2014 Microsoft Corporation. All rights reserved.

Microsoft Confidential

http://www.microsoft.com/about/legal/permissions/

http://www.microsoft.com/about/legal/permissions/

OverviewIntroduction to Software Updates ManagementFeatures available Reporting and troubleshooting

Microsoft Confidential4

Objective

After completing this lesson, you will be able to:Install and configure a Software Update PointUnderstand the different features involved in patch management and how to manage themCreate manual and automated update deploymentsUse reports to check update compliance states and deployment status


Introduction to Software Update Management

Patch Management processPrerequisitesCapacity planningInstallation


Software Updates End-to-End Workflow

StartConfigure

software update components

Enable and configure Software Updates

Client Agent

Enable and configure Active

SUP

Synchronize with WSUS server

Analyze whether software updates

are required

Create a deployment using Deployment Software Updates

Wizard or use Automatic Deployment Rule (new)

Monitor deployment using

reports

Are softwar

e Updates required

?

No

Yes

Optional: Configure

multiple SUP using NLB

Optional: Create Software Update Groups that

contain defined sets of updates.

Optional: Download software updates and

provision the updates on DP using Download Updates

Wizard.

Software Update Point Prerequisites

Server prerequisites:Windows Server Update Service (WSUS) 3.0 SP2WSUS Administration Console if SUP is remoteNetwork Load Balancing (optional, see capacity planning)

Note : This is Pre-SP1 Requirement. With SP1 you can have 4 SUPs per site.

SRS Reporting Point

Client prerequisites:Latest version of Windows update agent


Capacity Planning

The number of supported clients is dependent on the version of Windows Server Update Services (WSUS) that runs on the Software Update Point and on whether the Software Update Point site system role co-exists with other site system roles.


Role Limit

SUP co-exists with another site system role

Up to 25,000

SUP on a separate box (without any other site server role)

Up to 100,000

Installation

Installed as site system roleSUP can be installed on:

CAS sitePrimary SiteSecondary Site

The first SUP must be installed on the CAS.If CAS does not have access to the internet then you can use export/import functions of WSUSUtil tool to synchronize software updates metadata.(New in Sp1) - You can install multiple SUP* at a site to support untrusted forest scenario as well as remove NLB** requirements for fault tolerance.


New in Configuration Manger 2012 Sp1You can specify existing WSUS server (which is not part of the Configuration Manager hierarchy) as the upstream Synchronization source for the top-level site.New Deployment Templates

Definition Updates templatePatch Tuesday

New WSUS Server connection account for SUP You can select multiple software updates from the Software Center to install as a group. Disable Software Update randomization optionWindows Embedded devices – Control the behavior of the write filter when you deploy Software Updates using the new feature “Commit changes at deadline or during a maintenance windows (requires restarts)”.


New Maintenance Windows for Software Updates only.

Ability to control Software update Installation separately from Software Distribution and Operating System Deployment.

Modify Deployment package for Existing Automatic Deployment Rules.

Ability to modify the deployment package ADR downloads to allow for better control before a deployment package becomes too large.

Preview Software Updates in the Automatic Deployment Rule while building the property filters.

Allows a preview of Software updates found while building filters for the ADR. Gives the ability to validate the filter rules were built correctly.

New in Configuration Manger 2012 R2


Installing the SUP Role on a Secondary Site


Installation Recommendations

Ensure that clients managed by a site with an active SUP are not targeted by a WSUS GPO.

If you are using Software Update-based client installation on a fresh image, you must configure and assign a Group Policy Object (GPO) in AD to specify the SUP server name from which the computer will obtain software updates*.

Use GP Preferences** rather than GPO for setting the WSUS server for initial client installation to make use of failover SUP***. Do not re-use an existing WSUS infrastructureDo not configure the WSUS ServerConsider using a custom web site for SUP


PowerShell Cmdlets for Software updates

Multiple PowerShell Cmdlets are available for Software updates.

Example to Perform a full Sync for Software updatesSync-CMSoftwareUpdate

Sync-CMSoftwareUpdate -FullSync <Boolean> [ <CommonParameters>]

This command retrieves metadata for all software updates.

PS C:\> Sync-CMSoftwareUpdate -FullSync $True


Lab: Software Update Point Installation and Configuration

GoalsGoals

ScenarioScenario

Ensure prerequisites are met

Install and configure a software update point.

Configure client agent settings

Ensure prerequisites are met

Install and configure a software update point.

Configure client agent settings

You are the administrator of the Contoso Configuration Manager hierarchy. You wish to install and configure SUP into your hierarchy

You are the administrator of the Contoso Configuration Manager hierarchy. You wish to install and configure SUP into your hierarchy


Lesson Review

Why is the WSUS admin console required on the site server when installing the SUP ?What should I do if I plan to manage more than 25,000 clients when using a SUP ?

Version RTM?Version SP1?


Lesson Summary

In this lesson, you learned:How to plan for a SUP installation, including the required componentsHow to complete a SUP installation


Objective

After completing this lesson you will learn:How to manage updatesHow to create update groupsHow to create update deployments


Features Available

Superseded update supportSUM admin role (with RBA)Client agent settingsSimplified update groupsAutomated deploymentsEnd user experienceContent library and cleanupMigration from Configuration Manager 2007


Superseded Updates Support

Publisher can expire or supersede software updates

Configuration Manager 2007 automatically expires superseded updates

System Center 2012 Configuration Manager can:

Persist Configuration Manager 2007 behaviorConfigure System Center 2012 Configuration Manager to not automatically expire superseded updates


SUM Administration Role (with RBA)

SUM Admin can initiate specific actions (role) . . .

. . . on a specific set of objects (scope)

Example: SUM admin for servers can manage all software updates for just the server collection


Client Agent Settings for SUM

New UI for client agents settings

Settings can be applied per Collection so software updates can be enabled or disabled on select systems


Simplified Update Groups

Improved search to find updatesUpdate groups replace lists and deploymentsNew updates added to groups are automatically deployedGroups can be used for compliance or deployment


Automated Deployments (new)

Automatic approval of selected updatesScheduled or manually runUseful for Patch Tuesday and Endpoint ProtectionObjects created by rules are interactive:

Deployments Rules can be enabled/disabledDeployment can be added/removed from groupsUpdates can be added/removed from groups

Deployment templates


End User Experience

Uses the new Software Center user interfaceEnd user has better control of their own experience:

Install/schedule updatesUse non-business hours

Admin can choose to hide just pop-ups, or hide all end user notifications


Content Library and cleanup

Software updates stored in the Content LibraryMaintenance task deletes expired updates and content


Migration from Configuration Manager 2007

Migrate existing SUM objects:

Preserve existing update lists or deploymentsPersist use of update content on Distribution Points (through Distribution Point sharing or pre-staging)

SUP configuration for products and classifications must be the same on both infrastructuresSCUP updates cannot be migrated


Features that have not Changed from Configuration Manager 2007

Maintenance WindowsUpdate will not be installed until next available service windowPotential system restart time period is factored into evaluationIf client is member of multiple collections – all applicable maintenance windows will be honoredOne time maintenance windows can prevent future update deploymentsCan be overridden

Internet-based client supportWake-On-LAN integrationSelective download of binaries


Lab: Software Update deployment

GoalsGoals

ScenarioScenario

Create an update group

Create a manual and an automated deployment

Check deployment status

Create an update group

Create a manual and an automated deployment

Check deployment status

You are the administrator of the Contoso Configuration Manager hierarchy and you wish to deploy an update group to your clients

You are the administrator of the Contoso Configuration Manager hierarchy and you wish to deploy an update group to your clients


Lesson Review

What are the two types of update deployments? Where does Configuration Manager store software updates?How do you configure different software update policies for servers and clients?


Lesson Summary

In this lesson, you learned: How to manage updates How to create update groups How to create update deployments


Objective

In this lesson, you will learn: How to use reports for software updates How to troubleshoot software updates


Reporting and Troubleshooting

Key compliance and deployment views Detailed state of all deployments and assets Error codes are interpreted Software update synchronization status monitoring Alerts for software issues Extensive update states available in out-of-box reports


Key Compliance Reports


Deployment Status and Asset Views


Using Reports for Troubleshooting


Software Update Point Synchronization Status


Alerts for software update issues


Server Logs


Log Types of issues

SUPsetup.log Installation of SUP Site Role

WCM.log, WSUSCtrl.log Configuration of WSUS Server/SUP

WSyncMgr.log ConfigMgr/WSUS Updates Synchronization Issues

Objreplmgr.log Policy Issues for Update Assignments/CI Version Info policies

RuleEngine.log Auto Deployment Rules

Client logs


Log Types of issues

UpdatesDeployment.log Deployments, SDK, UX

UpdatesHandler.log Updates, Download

ScanAgent.log Online/Offline scans, WSUS location requests

WUAHandler.log Update status (missing/installed – verbose logging), WU interaction

UpdatesStore.log Update status (missing/installed)

%windir%\WindowsUpdate.log Scanning/Installation of updates

Lesson Review

What tools are available for troubleshooting updates?What log should I check to verify update installation on a client?


Lesson Summary

In this lesson, you learned:How to use reports for software updatesHow to troubleshoot software updates


microsoft confidential © 2014 microsoft corporation. all rights reserved

Documents

microsoft products

microsoft confidential

registered trademarks

content andor software

training package content

intellectual property

training purposes

training materials