

Guide to Software Updates Deployment in Configuration Manager 2007

Deploying Software Updates

Software updates are deployed to client computers using the Deploy Software Updates Wizard, much as they were in SMS 2003, but new objects have been introduced and the deployment process has changed. I have attempted to explain these changes with the help of screenshots.

Update Lists

Update lists provide the ability to initiate a deployment for a set of software updates contained in the list. Using the update list provides several benefits when deploying and monitoring software updates and is, therefore, part of the recommended software updates workflow. Update lists allow administrators to create a deployment from the update list instead of manually selecting the set of updates every time a new deployment is created. They allow administrators to use reports for specific update lists to monitor the compliance for the software updates and help troubleshoot updates contained in the list. Update lists also allow administrators to create update lists with approved updates, and then delegate the responsibility to deploy the update lists.


Deployment Packages

Deployment packages are used to host the files for the software updates in a deployment, much like software distribution packages. The main difference is that the deployment package is used to get the files to the Distribution Points, but once that process completes, client computers will access the software update files from any package shared folder on any Distribution Point regardless of whether the package was defined in the deployment that targeted the client. When the client computer receives a new deployment, it determines where the software update files are located, independent of the deployment, and installs from the preferred location.


Deployment Templates

Deployment templates provide the ability to save a set of deployment properties for use in future software update deployments. When a deployment template is used in creating a new deployment, it populates the deployment with the preconfigured properties. This provides consistency among deployments with similar requirements and saves a lot of administration time.


Deployment Deadline

When creating a software update deployment in the Deploy Software Updates Wizard, the Deployment Schedule page allows a deployment deadline date and time to be configured. Deployment deadlines can also be configured from the Deployment Schedule tab in the properties for the deployment.

Setting a deadline makes the deployment mandatory, and it enforces the software update installation on client computers by the configured date and time.

If the deadline is reached and the software update deployment has not yet run on the client computer, the installation starts automatically whether or not a user is logged on to the computer. A system restart can be enforced if it is necessary for the software update installation to complete.

On client computers, display notifications inform the user that one or more software updates are ready to install and show the date and time of the earliest deadline. For example, if there are two deployments with deadlines that are two days apart, the deployment deadline that comes first displays in the notifications to users. Once the software updates have been installed for the deployment with the earliest deadline, the client computer will continue to receive notifications, but they will now display the deadline for the second deployment.

In SMS 2003, deadlines were set to occur x days after the client received the policy to install the software updates. Deployment deadlines have been simplified in Configuration Manager 2007 and are now configured for an explicit date and time. SMS 2003 clients in the Configuration Manager hierarchy will also use the configured deadline date and time for deployments targeted to them.

When software updates that have a configured deadline become available on a client computer, the Available Software Updates icon appears in the notification area to inform the user of the pending deadline. Display notifications are presented on a periodic basis until all pending mandatory software update installations have completed. By default, they are displayed every three hours for deadlines more than 24 hours away, every hour for deadlines less than 24 hours away, and every 15 minutes for deadlines that are less than one hour away.

Required System Restart

By default, when software updates from a mandatory deployment have installed on a client computer but a system restart is required for the installation to complete, the system restart will be initiated. For software updates that have been installed prior to the deadline, the automatic system restart will be postponed until the deadline, unless the computer is restarted prior to that for some other reason. The system restart can be suppressed for servers and workstations. These settings are configured in the Restart Settings page of the Deploy Software Updates Wizard when creating a deployment and in the Restart Settings tab in the deployment properties. This setting can also be configured in a deployment template.


Planning for Maintenance Windows

Maintenance windows provide administrators with a way to define a period of time that limits when changes can be made on the systems that are members of a collection. Maintenance windows restrict when the software updates in deployments can be installed on client computers, as well as operating system advertisements and software distribution advertisements. Client computers determine whether there is enough time to start a software update installation by using the following three settings:

Restart countdown: Specifies the length of the client restart notification (in minutes) for computers in this site. The default setting is 5 minutes. This setting is available as a global setting in the Computer Client Agent Properties dialog box.

System restart turnaround time: Specifies the length of time given for computers to initiate the system restart and reload the operating system. This setting is stored in the site control file for the site and has a default value of 10 minutes.

Maximum run time: Specifies the amount of time that is estimated for a software update to install. The default setting is 20 minutes for updates and 60 minutes for service packs. This setting can be modified for individual software updates on the Maximum Run Time tab for the properties for the software update.

When these settings are used to determine the available maintenance window, each software update has a default of 35 minutes (75 minutes for service packs). When planning for maintenance windows, take these defaults into consideration.

When planning software update deployments to client computers, be aware of the configured maintenance window, how many software updates are in a deployment (so that you can forecast whether client computers will be able to install the updates within the maintenance window) and whether the update installation will span multiple maintenance windows. When software update installation has completed, but there is not enough time in the maintenance window for the computer to restart, the computer will wait until the next maintenance window and initiate the restart before installing the pending updates.

When there are multiple software updates to be installed on a client computer with a configured maintenance window, the update with the lowest maximum run time installs first, the update with the next lowest maximum run time installs next, and so on. Before installing each update, the client verifies that the available maintenance window is long enough to install the update. After an update starts installing, it will continue to install even if the installation goes beyond the end of the maintenance window.

When creating a software update deployment, there are two settings that allow maintenance windows to be ignored, as follows:

Allow system restart outside of maintenance windows: Specifies whether to allow system restarts for both workstations and servers outside of configured maintenance windows. By default, this setting is not enabled. This setting is beneficial when you want your software update installation to complete on client computers as soon as possible. When this setting is not specified, a system restart will not be initiated if the maintenance window ends in 10 minutes or less. This could prevent the installation from completing and leave the client computer in a vulnerable state until the next maintenance window. This setting is available on the Restart Settings page of the Deployment Template Wizard or Deploy Software Updates Wizard.

Ignore maintenance windows and install immediately at deadline: Specifies whether the software updates in the deployment are installed at the deadline regardless of a configured maintenance window. By default, this setting is not enabled and is available only when there is a deadline configured for the deployment. This setting is beneficial when there are software updates that must be installed on client computers as soon as possible, such as the updates in an expedited deployment. This setting is available on the Schedule page of the Deploy Software Updates Wizard.
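The maintenance-window check described above can be turned into a planning forecast. The following Python sketch is an added example, not part of the original post or of Configuration Manager: it assumes every update runs for its full maximum run time, that the restart countdown and turnaround are reserved for each update but not consumed between updates, and it uses constructed update names.

```python
from dataclasses import dataclass

# Defaults stated in the article, in minutes.
RESTART_COUNTDOWN = 5
RESTART_TURNAROUND = 10
UPDATE_RUN_TIME = 20
SERVICE_PACK_RUN_TIME = 60

@dataclass(frozen=True)
class Update:
    name: str  # constructed label, not a real update identifier
    max_run_time: int = UPDATE_RUN_TIME

def required_minutes(update):
    """Window the client needs to see before it starts this update."""
    return update.max_run_time + RESTART_COUNTDOWN + RESTART_TURNAROUND

def forecast(updates, window_minutes):
    """Return (installed, deferred) update names for one maintenance window.

    Planning assumption: each update consumes its full maximum run time.
    """
    remaining = window_minutes
    installed, deferred = [], []
    # The update with the lowest maximum run time installs first.
    for upd in sorted(updates, key=lambda u: u.max_run_time):
        if remaining >= required_minutes(upd):
            installed.append(upd.name)
            remaining -= upd.max_run_time
        else:
            deferred.append(upd.name)
    return installed, deferred

def windows_needed(updates, window_minutes):
    """Count the maintenance windows needed until nothing is left pending."""
    pending, count = list(updates), 0
    while pending:
        installed, deferred = forecast(pending, window_minutes)
        if not installed:
            # Nothing fits: these updates never install inside this window.
            raise ValueError("window too short for: " + ", ".join(deferred))
        pending = [u for u in pending if u.name not in set(installed)]
        count += 1
    return count

# Constructed sample deployment: five updates and one service pack.
SAMPLE = [Update(f"update-{i}") for i in range(1, 6)]
SAMPLE.append(Update("service-pack", SERVICE_PACK_RUN_TIME))

if __name__ == "__main__":
    print(forecast(SAMPLE, 120), windows_needed(SAMPLE, 120))
```

A `ValueError` from `windows_needed` marks a deployment that will never finish inside the configured window, which is the case where clients stay unpatched unless the window is lengthened or one of the two override settings is used.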


Deployments

Configuration Manager 2007 no longer uses advertisements for delivering software updates. Software update deployments are now used as the vehicle that delivers software updates to client computers. The deployment properties contain the relevant information about the software updates in the deployment, the target collection, the settings that affect client behavior when running the deployment, the deployment schedule settings, and so on. When a deployment is created, client computers receive it as part of the Configuration Manager policy.


Table 1 Software Update Settings

Setting: Description

General: Specifies the name and description of the deployment.

* Collection: Specifies the collection that will be targeted for the software update deployment.

* Display/Time Settings: Specifies whether the user will be notified of pending software updates, the installation progress for software updates, whether a client evaluates the deployment schedule based on local or Coordinated Universal Time (UTC), and the default duration between software update availability and mandatory installation on clients.

* Restart Settings: Specifies the system restart behavior when a software update installs on a client and requires a restart to complete.

* Event Generation: Specifies whether Microsoft Operations Manager alerts are disabled while the software updates install and whether an Operations Manager alert is created when a software update installation fails.

* Download Settings: Specifies how clients will interact with Distribution Points when they receive a software update deployment.

* SMS 2003 Settings: Specifies whether to deploy software updates to SMS 2003 clients that are in the target collection.

Deployment Package: Specifies the deployment package that will be used to host the software updates in the deployment. This setting is not available when all software updates in the deployment have already been downloaded to a package.

Download Location: Specifies whether the software updates in the deployment are downloaded from the Internet or from the local network.

Language Selection: Specifies the languages for which the software updates in the deployment are downloaded.

Deployment Schedule: Specifies the schedule for when a software update deployment becomes active, when software update installation is enforced on clients, whether to enable Wake On LAN, and whether to ignore maintenance windows when installing updates.

NAP Evaluation: Specifies whether the software updates in this deployment will be included in a Network Access Protection (NAP) evaluation.

After installation completes, you can check the reports for compliance.



Note: This information was originally contributed by Adnan Ezzi, Configuration Manager Support Engineer, on the Configuration Manager Support Team blog.