Using Microsoft System Center 2012 Configuration Manager for Updates

One of the many features supported by Microsoft System Center 2012 Configuration Manager (SCCM 2012) is software updates. For any business, being and staying compliant is of the utmost importance. When setting up a software update solution, it's really important that you start with first things first, and the first thing is planning. Part of that planning is deciding the compliance criteria you expect devices to meet, and by when. Without that information, it'll be difficult for you to know when you have to spend additional time tracking noncompliant devices. Table 1 shows sample compliance criteria for workstations. Table 2 shows sample compliance criteria for servers.

Table 1: Example of Compliance Criteria for Workstations

Update Severity Level                   Success Criterion for Week 1   Success Criterion for Week 3   Success Criterion for Week 5
Extremely critical (zero-day exploit)   9.
Critical                                5.
Security                                5.

Table 2: Example of Compliance Criteria for Servers

Update Severity Level                   Success Criterion for Week 1   Success Criterion for Week 3   Success Criterion for Week 5
Extremely critical (zero-day exploit)   9.
Critical                                5.
Security                                5.

Your planning must also include what to do when the criteria aren't met. Another important part of the planning process is determining what updates you want to apply and how often. Most organizations create unique deployments for each Patch Tuesday. First, though, you need to be familiar with the components in a software update solution. Most of them only need to be created once, and the creation of the other components can be automated.
After the components are created, approving and deploying monthly updates can take less than 1. The components, and the recommended strategy for how often they should be created, are as follows.

Software update point. A software update point is a Windows Server Update Services (WSUS) server controlled by SCCM. Unlike a standalone WSUS solution, clients don't download or install updates directly from a software update point; the only data a client downloads from it is the update metadata. In SCCM 2012, only one software update point is supported, but multiple software update points are supported in SCCM 2012 SP1. You only need to install this component once.

Deployment package. A deployment package is like any other package in SCCM, except that it contains only the software update binary files. The client downloads only the updates it requires, so deployment packages can contain a mix of updates for multiple OSs. In SCCM 2012 SP1, a client can fall back to Windows Update if the requested update isn't available in a deployment package. You should create a new deployment package twice a year.

Software update groups. A software update group is a group of updates that can be deployed to devices. Groups can also be used to track update compliance. A software update group can be created automatically using the Automatic Deployment Rule feature or manually by selecting the updates. You should create a new software update group every month for a Patch Tuesday deployment.

Deployments. The deployment is a child object of a software update group. Like any other deployment, it contains information about the installation purpose, schedule, and user experience. The Automatic Deployment Rule will create the first deployment; all other deployments in the software update group will need to be created manually. You'll have to create a number of deployments each month.

Software update templates. Software update deployments can be controlled by the use of templates. You should create one template for each unique deployment scenario. Here are some sample templates you might consider creating: Pilot 1: all computers that participate in the first test deployment.

Collections. A collection is a group of targets for a deployment. Each collection is created only once. You'll have at least one collection per template. Figure 1 shows some sample collections. Collections whose names contain the letters MW all have a configured maintenance window. The Referenced Collections column specifies the number of referenced collections; a referenced collection is one that's either included in or excluded from another collection. The SUM Excluded collection contains devices that won't be part of the update process.

Maintenance windows. A maintenance window is a collection attribute that defines when software can be installed and when computers are restarted. A device applies the maintenance windows from all the collections of which it is a member. You create a maintenance window once.

Automatic Deployment Rule. The Automatic Deployment Rule is a very powerful feature that lets you fully automate the software update deployment process. The rule contains information about the run time, what updates to download, where to store the updates, and whether the deployment will be automatically enabled. It's common to have a rule for Patch Tuesday and a rule for System Center Endpoint Protection updates. For each application, you need to create an Automatic Deployment Rule once.
Specifically, I'll show you how to create a collection (including a maintenance window), create an Automatic Deployment Rule, work with software update groups, and deploy the updates to production machines. I don't describe how to create the software update point. For information about its creation, see the Configuring Software Updates in Configuration Manager web page.

You can add members to a new collection three ways. You can use a direct rule to explicitly add members to a new collection. You can also use a query rule; with this method, you need to specify a WMI Query Language (WQL) query. For example, to create the SUM WRK Pilot I collection with the Active Directory (AD) group SUM. For more information about creating collections using these wizards, see the How to Create Collections in Configuration Manager web page.

Although the SUM WRK Pilot I collection you just created doesn't need a maintenance window, here are the steps you'd follow if you wanted to create one for another collection: open the properties of the collection.

To create the Automatic Deployment Rule, here are the steps: In the SCCM 2012 console, go to the Software Library workspace. Click the Create Automatic Deployment Rule option on the ribbon to launch the Create Automatic Deployment Rule Wizard. In the Collection field, enter or browse to the SUM WRK Pilot I collection you created. For the Each time the rule runs and finds new updates option, select Create a new Software Update Group. Although adding updates to an existing software update group is useful when creating an Automatic Deployment Rule for Endpoint Protection definition updates, it's not useful for regular software updates; here you'll create a new group every month, otherwise you'll end up having too many updates in the group. Note that the Title filter will prevent updates containing the word Itanium from being downloaded. Confirm that your page looks like the one in Figure 3, then click Next. Configure the rule to run the second Tuesday of every month at a time of your choosing. Click OK, then click Next.

In the Time based on drop-down list, select Client local time. In the Software available time and Installation deadline sections, select As soon as possible. You don't have to worry about this deadline being too aggressive, because this setting is being applied only to the devices in your pilot group. For the production workstations, I recommend making the updates available two days prior to the company-decided deadline. Updates will start downloading in the background when they become available and will install when the deadline is reached. In addition, suppress the system restart on both servers and workstations, as shown in Figure 4.

Next, configure the compliance alert. Select the Generate an alert when the following conditions are met check box. Then, in the Client compliance is below the following percent drop-down list, select 9. Finally, set the Offset from the deadline option to 3. This means that SCCM will generate an alert if the compliance level isn't at 9.

Select Download software updates from distribution point and install as the deployment option for the preferred distribution point. Select Download and install software updates from the fallback content source location as the deployment option to use when updates aren't available on any preferred distribution point. Select the Allow clients to share content with other clients on the same subnet check box. Select the If software updates are not available on preferred distribution point or remote distribution point, download content from Microsoft Updates check box. This is a new SP1 feature that allows clients to fall back to Windows Update to download the content; the client will only download content for the updates you have approved. After making sure that your settings look like those in Figure 5, click Next.

For the deployment package, in this example, create a new one, specifying a name and description for it. In the Package Source field, enter or browse to the folder containing the software update binary files. Leave the sending priority at the default of medium. In the Save As Template dialog box that appears, type Pilot Deployment I in the Name field and click Save. When the wizard completes, click Close.

Manually run the rule by selecting it and clicking the Run Now option on the ribbon, as shown in Figure 6. Click Yes to start the process. What you need to do every month is rename the update group, remove any unwanted updates, and enable the pilot deployment. Navigate to Software Update Groups and verify that you have a new Patch Tuesday update group. Naming standards are as important in SCCM as in any other management system: you'll be using the names when running reports and tracking update compliance.
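The steps above (a pilot collection fed by an AD group through a WQL query rule, an exclusion for the SUM Excluded collection, a maintenance window on a production collection, running the Patch Tuesday rule, and renaming and trimming the month's update group) can be scripted with the ConfigurationManager PowerShell module that ships with the SCCM 2012 SP1 console. The script below is an added example, not code from the original article. It assumes a site code of PS1, an AD domain named CONTOSO, a production collection named SUM WRK Prod MW, a naming standard of "SUM yyyy-MM Patch Tuesday", and that the Set-CMSoftwareUpdateGroup -NewName parameter and the Remove-CMSoftwareUpdateFromGroup parameters shown are available in your console version; the unwanted update title is a placeholder.

```powershell
# Added example (not from the original article): automate the collection,
# maintenance window and monthly Patch Tuesday tasks described above with the
# ConfigurationManager module that ships with the SCCM 2012 SP1 console.
# Assumed values: site code PS1, AD domain CONTOSO, and the collection and
# rule names used in the article.
$SiteCode = 'PS1'

# Load the console module and switch to the site drive.
$consoleDir = Split-Path -Parent $env:SMS_ADMIN_UI_PATH
Import-Module (Join-Path $consoleDir 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):\"

# 1. Pilot collection: a query rule that follows membership of an AD group.
#    SystemGroupName lists the domain\group names a discovered device belongs to.
$pilotName = 'SUM WRK Pilot I'
$wql = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORName, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.SystemGroupName = "CONTOSO\\SUM WRK Pilot I"
"@

if (-not (Get-CMDeviceCollection -Name $pilotName)) {
    # Re-evaluate membership hourly so AD group changes flow into the collection.
    $refresh = New-CMSchedule -RecurInterval Hours -RecurCount 1 -Start (Get-Date)
    New-CMDeviceCollection -Name $pilotName -LimitingCollectionName 'All Systems' `
        -RefreshType Periodic -RefreshSchedule $refresh | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $pilotName `
        -RuleName 'AD group SUM WRK Pilot I' -QueryExpression $wql
    # Devices in SUM Excluded must never be patched through this process,
    # so reference that collection with an exclude rule.
    Add-CMDeviceCollectionExcludeMembershipRule -CollectionName $pilotName `
        -ExcludeCollectionName 'SUM Excluded'
}

# 2. Maintenance window on a production collection (one of the MW collections):
#    Saturdays from 22:00, four hours long, repeating weekly. A device that is a
#    member of several collections gets the windows from all of them.
$prodName   = 'SUM WRK Prod MW'   # assumed collection name
$prodCollId = (Get-CMDeviceCollection -Name $prodName).CollectionID
$mwStart    = Get-Date -Hour 22 -Minute 0 -Second 0
$mwSchedule = New-CMSchedule -DayOfWeek Saturday -RecurCount 1 -Start $mwStart `
    -DurationInterval Hours -DurationCount 4
New-CMMaintenanceWindow -CollectionId $prodCollId -Name 'Saturday 22:00 (4h)' -Schedule $mwSchedule

# 3. Monthly run: start the Patch Tuesday rule, wait for the group it creates,
#    then rename the group to the reporting naming standard (assumed format).
$started = Get-Date
Invoke-CMSoftwareUpdateAutoDeploymentRule -Name 'Patch Tuesday'
$tries = 0
do {
    Start-Sleep -Seconds 60   # the rule runs asynchronously; progress is in ruleengine.log
    $tries++
    $newGroup = Get-CMSoftwareUpdateGroup |
        Where-Object { $_.DateCreated -gt $started } |
        Select-Object -First 1
} until ($newGroup -or $tries -ge 30)
if (-not $newGroup) { throw 'No new software update group appeared within 30 minutes; check ruleengine.log.' }

$standardName = 'SUM {0:yyyy-MM} Patch Tuesday' -f (Get-Date)
# Assumes the -NewName parameter is present in your console version.
Set-CMSoftwareUpdateGroup -Name $newGroup.LocalizedDisplayName -NewName $standardName

# 4. Drop an update you do not want in this month's group (title is a placeholder).
#    Assumes Remove-CMSoftwareUpdateFromGroup accepts these parameters in your version.
Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $standardName `
    -SoftwareUpdateName 'PLACEHOLDER-UNWANTED-UPDATE-TITLE'
```

The script stops where the article's monthly routine does: enabling the pilot deployment, and later the production deployments, is still done in the console against the renamed group, so nothing reaches production machines until you review the group's contents.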