Jaa


Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

This topic provides an example scenario of how you can use software updates in Microsoft System Center 2012 Configuration Manager to deploy and monitor the security software updates that Microsoft releases monthly.

In this scenario, John is the Configuration Manager administrator at Woodgrove Bank. John needs to create a software update deployment strategy with the following conditions and requirements:

  • Active software update deployment occurs one week after Microsoft releases the security software updates on the second Tuesday of each month. This event is typically referred to as Patch Tuesday.

  • Software updates are downloaded and staged on distribution points. Then a deployment is tested to a subset of clients before John fully deploys the software updates in his production environment.

  • John must be able to monitor the software updates' compliance by month or by year.

This scenario assumes that the software update point infrastructure has already been implemented. Use the information in the following table to plan for and configure software updates in System Center 2012 Configuration Manager.

Process

Reference

Review the key concepts for software updates.

Introduction to Software Updates in Configuration Manager

Plan for software updates. This information helps you to plan for capacity considerations, determine the software update point infrastructure, software update point installation, synchronization settings, and client settings for software updates.

Planning for Software Updates in Configuration Manager

Configure software updates. This information helps you to install and configure software update points in your hierarchy and helps to configure and synchronize software updates.

Important

John configures the software updates synchronization schedule to occur on the second Wednesday of each month to ensure that he retrieves the latest security software updates from Microsoft.

Configuring Software Updates in Configuration Manager

 

The following sections in this topic provide example procedural steps to help you to deploy and monitor System Center 2012 Configuration Manager security software updates in your organization:

  • Step 1: Create a Software Update Group for Yearly Compliance

  • Step 2: Create an Automatic Deployment Rule for the Current Month

  • Step 3: Verify That Software Updates Are Ready to Deploy

  • Step 4: Deploy the Software Update Group

  • Step 5: Monitor Compliance for Deployed Software Updates

  • Step 6: Add Monthly Software Updates to the Yearly Update Group

Step 1: Create a Software Update Group for Yearly Compliance

John creates a software update group that he can use to monitor compliance for all of the security software updates that he releases in 2012. He performs the steps in the following table.

Process

Reference

From the All Software Updates node in the Configuration Manager console, John adds criteria to display only security software updates that are released or revised in year 2012 that meet the following criteria:

  • Criteria: Date Released or Revised

    Condition: is greater than or equal to specific date

    Value: 1/1/2012

  • Criteria: Update Classification

    Value: Security Updates

  • Criteria: Expired

    Value: No

No additional information

John adds all of the filtered software updates to a new software update group with the following requirements:

  • Name: Compliance Group - Microsoft Security Updates 2012

  • Description: Software updates

For the steps to add software updates to an update group, see the Add Software Updates to an Update Group section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Step 2: Create an Automatic Deployment Rule for the Current Month

John creates an automatic deployment rule for the security software updates that are released by Microsoft for the current month. He performs the steps in the following table.

Process

Reference

John creates an automatic deployment rule with the following requirements:

  1. On the General tab, John configures the following:

    • He specifies Monthly Security Updates for the name.

    • He selects a test collection with limited clients.

    • He selects Create a new Software Update Group.

    • He verifies that Enable the deployment after this rule is run is not selected.

  2. On the Deployment Settings tab, John selects the default settings.

  3. On the Software Updates page, John configures the following property filters and search criteria:

    • Date Released or Revised Last 1 month.

    • Update Classification Security Updates.

  4. On the Evaluation page, John enables the rule to run on a schedule for the second Thursday of every month. John also verifies that his synchronization schedule is set to run on the second Wednesday of every month.

  5. John uses the default settings on the Deployment Schedule, User Experience, Alerts, and Download Settings pages.

  6. On the Deployment Package page, John specifies a new deployment package.

  7. John uses the default settings on the Download Location and Language Selection pages.

For more information about creating an automatic deployment rule, see the Automatically Deploy Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Step 3: Verify That Software Updates Are Ready to Deploy

On the second Thursday of every month, John verifies that the software updates are ready to deploy. He performs the step in the following table.

Process

Reference

John verifies that software updates synchronization completed successfully.

For more information about creating an automatic deployment rule, see the Automatically Deploy Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Step 4: Deploy the Software Update Group

After John verifies that the software updates are ready to deploy, he deploys the software updates. He performs the steps in the following table.

Process

Reference

John creates two test deployments for the new software update group. He considers the following environments for each deployment:

 

Workstation test deployment: John considers the following for the workstation test deployment:

  • He specifies a deployment collection that contains a subset of workstation clients to verify the deployment.

  • He configures the deployment settings that are appropriate for the workstation clients in his environment.

Server test deployment: John considers the following for the server test deployment:

  • He specifies a deployment collection that contains a subset of server clients to verify the deployment.

  • He configures the deployment settings that are appropriate for the server clients in his environment.

For more information about how to deploy software updates, see the Deploy Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

John verifies that the test deployments have successfully deployed.

For more information about how to monitor a software update deployment, see the Monitor software updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

John updates the two deployments with new collections that include his production workstations and servers.

No additional information

Step 5: Monitor Compliance for Deployed Software Updates

John monitors compliance of his software update deployments. He performs the step in the following table.

Process

Reference

John monitors the software updates deployment status in the Configuration Manager console and checks the software update deployment reports available from the console.

For the steps to monitor a software update deployment, see the Monitor software updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Step 6: Add Monthly Software Updates to the Yearly Update Group

John adds the software updates from the monthly software update group to the yearly software update group. He performs the step in the following table.

Process

Reference

John selects the software updates from the monthly software update group and adds the software updates to the software updates group that he created for yearly compliance. He tracks the software update compliance and creates various reports for his management.

For the steps to add software updates to an update group, see the Add Software Updates to an Update Group section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

John has successfully completed his monthly deployment for security software updates. He continues to monitor and report on software update compliance to ensure that the clients in his environment are within acceptable compliance levels.

Recurring Monthly Process to Deploy Software Updates

After the first month that John deploys software updates, he performs steps three through six to deploy the monthly security software updates released by Microsoft.