Using Microsoft System Center 2012 Configuration Manager for Updates
One of the many features supported by Microsoft System Center 2012 Configuration Manager (SCCM 2012) is software updates. For any business, being and staying compliant is of the utmost importance. When setting up a software update solution, it’s really important that you start with first things first—and the first thing is planning.
Planning for Software Updates
An important part of the planning process for SCCM 2012 is developing criteria that you can use to determine when you have reached an acceptable compliance level for updates. Without that information, it’ll be difficult for you to know when you have to spend additional time tracking noncompliant devices. Table 1 shows sample compliance criteria for workstations. Table 2 shows sample compliance criteria for servers.
Update Severity Level | Success Criterion for Week 1 | Success Criterion for Week 3 | Success Criterion for Week 5 |
---|---|---|---|
Extremely critical (zero day exploit) | 90% | 95% | 99.5% |
Critical | 50% | 80% | 95% |
Security | 50% | 75% | 90% |
Update Severity Level | Success Criterion for Week 1 | Success Criterion for Week 3 | Success Criterion for Week 5 |
---|---|---|---|
Extremely critical (zero day exploit) | 99% | 99% | 100% |
Critical | 50% | 80% | 100% |
Security | 50% | 75% | 100% |
Your planning must also include what to do when the criteria aren’t met.Another important part of the planning process is determining what updates you want to apply and how often. Most organizations create unique deployments for each Patch Tuesday. (Microsoft releases security patches the second Tuesday of each month, which is often referred to as Patch Tuesday.) So, I’ll walk you through how to set up a Patch Tuesday deployment. First, though, you need to be familiar with the components in a software update solution.
Understanding the Software Update Components
The software update feature in SCCM consists of eight components. Most of them only need to be created once, and the creation of the other components can be automated. After the components are created, approving and deploying monthly updates can take less than 10 minutes. The components and the recommended strategy for how often they should be created are as follows.
Software update point. A software update point is a Windows Server Update Services (WSUS) server controlled by SCCM. Unlike a standalone WSUS solution, clients don’t download or install updates directly from a software update point. The only data downloaded by the client from a software update point is the update metadata. In SCCM 2012, only one software update point is supported, but multiple software update points are supported in SCCM 2012 SP1. You only need to install this component once.
Deployment package. A deployment package is like any other package in SCCM, except that it contains only the software update binary files. The client downloads only the required updates. As a result, deployment packages can contain a mix of updates from multiple OSs. In SCCM 2012 SP1, a client can fall back to Windows Update if the requested update isn’t available in a deployment package. You should create a new deployment package twice a year.
Software update groups. A software update group is a group of updates that can be deployed to devices. They can also be used to track update compliance. A software update group can be created automatically using the Automatic Update Rule feature or manually by selecting the updates. You should create a new software update group every month for a Patch Tuesday deployment.
Deployments. The deployment is a child object of a software update group. Like any other deployment, it contains information about the installation purpose, schedule, and user experience (e.g., whether to restart the computer after an update if needed). The Automatic Deployment Rule will create the first deployment. All other deployments in the software update group will need to be created manually. You’ll have to create a number of deployments each month.
Software update templates. Software update deployments can be controlled by the use of templates. You should create one template for each unique deployment scenario. Here are some sample templates you might consider creating:
- Pilot 1: All computers that participate in the first test deployment.
- Pilot 2: All computers that participate in the second test deployment.
- Workstation Production: All workstations that aren’t excluded from patch management.
- Server Automatic: All servers in which the installation and restart will be performed automatically but controlled through maintenance windows.
- Server Manual: All servers in which the installation and restart will be performed manually.
Each template needs to be created only once.
Collections. A collection is a group of targets for a deployment. Each collection is created only once. You’ll have at least one collection per template. Figure 1 shows some sample collections. Collections containing the letters MW all have a configured maintenance window. The Referenced Collections column specifies the number of referenced collections. A referenced collection is a collection that’s either included or excluded in another collection. The SUM Excluded collection contains devices that won’t be part of the update process.
Maintenance windows. A maintenance window is a collection attribute that defines when software can be installed and when computers are restarted. A device will apply maintenance windows from all the collections of which it is a member. You create a maintenance window once.
Automatic Deployment Rule. The Automatic Deployment Rule is a very powerful feature that lets you fully automate the software update deployment process. The rule contains information about the run time, what updates to download, where to store the updates, and whether the deployment will be automatically enabled. It’s common to have a rule for Patch Tuesday and a rule for System Center Endpoint Protection updates. For each application, you need to create an Automatic Deployment Rule once.
Setting Up a Software Update Deployment
Now that you know about the software update components, I’ll guide you through the steps needed to set up a software update deployment for Patch Tuesday. Specifically, I’ll show you how to create a collection (including a maintenance window), create an Automatic Deployment Rule, work with software update groups, and deploy the updates to production machines. I don’t describe how to create the software update point. For information about its creation, see the Configuring Software Updates in Configuration Manager web page.
Creating a Collection
You always deploy software updates to a collection, so creating collections is an important part in setting up a software update solution. You can add members to a new collection three ways:
- You can use a direct rule to explicitly add members to a new collection.
- You can use an include collection rule to include members of another collection in the new collection.
- You can use a query rule to dynamically add members to the new collection. With this method, you need to specify a WMI Query Language (WQL) query.
You can use Windows PowerShell, a new feature in SCCM 2012 SP1, to create a collection and directly add members to it. For example, to create the SUM WRK Pilot I collection with the Active Directory (AD) group SUM_WRK_Pilot1 as a member, you’d follow these steps:
- Click the Home tab in the SCCM 2012 administrator console and select Connect via Windows PowerShell.
- In the PowerShell console, type
New-CMDeviceCollection -Name “SUM WRK Pilot1” -LimitingCollectionName “All Systems”
and press Enter.
- While still in PowerShell, run the command to add the AD group SUM_WRK_Pilot1 as a member, such as:
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "SUM Workstation Pilot 1" -RuleName "SUM Pilot 1" -QueryExpression "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = 'Domain\\SUM_WRK_Pilot1'"
(Although this command wraps here, you’d enter it all on one line in the PowerShell console.)
You can also create collections using either the Create Device Collection Wizard or the Create User Collection Wizard. For more information about creating collections using these wizards, see the How to Create Collections in Configuration Manager web page.
After you create a collection and add members to it, you have the option to create a maintenance window for it. Although the SUM WRK Pilot I collection you just created doesn’t need a maintenance window, here are the steps you’d follow if you wanted to create one for another collection:
- Open the properties of the collection.
- Select the Maintenance Windows tab.
- Click the Yellow starburst icon and fill in the details specifying the schedule for the maintenance window.
- Click OK to save the changes, and close the collection properties.
Creating the Automatic Deployment Rule
With the collection created, you can use the Create Automatic Deployment Rule Wizard to create the Automatic Deployment Rule for your Patch Tuesday updates. Here are the steps:
- In the SCCM 2012 administrator console, navigate to the Software Library workspace.
- Select Software Updates, and choose Automatic Deployment Rules. Click the Create Automatic Deployment Rule option on the ribbon to launch the Create Automatic Deployment Rule Wizard.
- On the General page, which Figure 2 shows, specify Patch Tuesday in the Name field and a description in the Description field. In the Collection field, enter or browse to the SUM WRK Pilot I collection you created. For the Each time the rule runs and finds new updates option, select Create a new Software Update Group. Although adding updates to an existing software update group is useful when creating an Automatic Deployment Rule for Endpoint Protection definition updates, it’s not useful for regular software updates. Here you’ll create a new group every month. Otherwise, you’ll end up having too many updates in the group. (A software update group has a limit of 1,000 updates.) Clear the Enable the deployment after this rule is run check box. Click Next.
- On the Deployment Settings page, click Next.
- On the Software Updates page, select the following filters and add the specified search criteria: Date Released or Revised: Last 1 month; Update Classification: “Critical Updates” OR “Security Updates”; Title: -Itanium. Note that the Title filter will prevent updates containing the word Itanium from being downloaded. Confirm that your page looks like the one in Figure 3, then click Next.
- On the Evaluation Schedule page, select Enable rule to run on a schedule and click the Customize button. Configure the rule to run the second Tuesday of every month at a time of your choosing. Click OK, then click Next.
- On the Deployment Schedule page, configure the following settings. In the Time based on drop-down list, select Client local time. In the Software available time and Installation deadline sections, select As soon as possible. You don’t have to worry about this deadline being too aggressive because this setting is being applied only to the devices in your pilot group. For the production workstations, I recommend making the updates available two days prior to the company-decided deadline. Updates will start downloading in the background when they become available and will install when the deadline is reached. Click Next.
- On the User Experience page, select Display in Software Center and show all notifications in the User notifications drop-down list. In addition, suppress the system restart on both servers and workstations, as shown in Figure 4. Click Next.
- On the Alerts page, you can configure SCCM to send an alert when the compliance level drops below a certain percentage. To do this, select the Generate an alert when the following conditions are met check box. Then, in the Client compliance is below the following percent drop-down list, select 95. Finally, set the Offset from the deadlineoption to 35 days. This means that SCCM will generate an alert if the compliance level isn’t at 95 percent 35 days after the specified deadline. Click Next.
- On the Download Settings page, configure the following settings. Select Download software updates from distribution point and install as the deployment option for the preferred distribution point. Select Download and install software updates from the fallback content source location as the deployment option to use when updates aren’t available on any preferred distribution point. Select the Allow clients to share content with other clients on the same subnet check box. Select the If software updates are not available on preferred distribution point or remote distribution point, download content from Microsoft Updates check box. This is a new SP1 feature that allows clients to fall back and use Windows Update to download the content. The client will only download content for the updates you have approved. After making sure that your settings look like those in Figure 5, click Next.
- On the Deployment Package page, you can either select an existing deployment package or create a new one. For this example, create a new one, specifying a name and description for it. In the Package Source field, enter or browse to the folder containing the software update binary files. Leave the sending priority at the default of medium. Click Next.
- On the Distribution Points page, specify the distribution points or distribution point groups to which you want to distribute the package and click Next.
- On the Download Location page, select Download software updates from the Internetand click Next.
- On the Language Selection page, select the languages supported in your organization and click Next.
- On the Summary page, click Save As Template. In the Save As Template dialog box that appears, type Pilot Deployment I in the Name field and click Save.
- Click Next to have the wizard create the Automatic Deployment Rule. When it completes, click Close.
You’ll now see the Patch Tuesday rule in the list of Automatic Deployment Rules. Manually run that rule by selecting it and clicking the Run Now option on the ribbon, as shown in Figure 6. Click Yes to start the process.
Working with Software Update Groups
The Patch Tuesday rule will now automatically create a new software update group every Patch Tuesday. What you need to do every month is rename the update group, remove any unwanted updates, and enable the pilot deployment.
To rename the update group and remove any unwanted updates, follow these steps:
- In the SCCM 2012 administrator console, go to the Software Library workspace. Navigate to Software Update Groups and verify that you have a new Patch Tuesday update group.
- Rename that update group by right-clicking it, selecting Properties, and entering the new name. Naming standards are as important in SCCM as in any other management system. You’ll be using the names when running reports and tracking update compliance. I recommend that you use a naming convention such as Year + Number of Month + Name of Month (e.g., 2013 04 April).
- Right-click the update group and select Show Members. When you navigate down the different updates in the group, notice that the compliance statistics are updated.
- Remove any unwanted updates from the update group by right-clicking the update, selecting Edit Membership, and choosing Remove the update(s) from the shown update groups.
At this point, it’s time to enable the deployment of the Patch Tuesday updates to the workstation pilot group. Follow these steps:
- Go back to the Software Update Groups workspace, select the renamed update group, and click the Deployment tab at the bottom of the window. Notice that you have a disabled deployment.
- Right-click the deployment, select Properties, and change the name to something more descriptive by including the details about the collection and whether it’s a pilot deployment (e.g., WRK 2013 04 April Pilot I).
- Right-click the deployment and click Enable, as Figure 7 shows.
Deploying the Updates to Production Machines
After a successful deployment to your pilot group, you’re ready to create the deployment for the production workstations. To do this, you use the Deploy Software Updates Wizard. Follow these steps:
- Make sure the software update group is selected and click Deploy on the ribbon to launch the Deploy Software Updates Wizard.
- In the Deployment Name field on the General tab, type the name of the deployment.
- In the Collection field, enter or browse to your collection containing your production workstations. Click Next.
- On the Deployment settings page, click Next.
- On the Scheduling page, specify an installation deadline. The deadline determines when updates will be installed automatically. Click Next.
- On the User Experience page, configure the following settings. In the User notificationsdrop-down list, select Display in Software Center, and only show notifications for computer restarts. In the Device restart behavior section, select the Workstations check box. Confirm that your page looks like the one in Figure 8, then click Next.
- On the Alerts page, select Generate an alert when the following conditions are met and click Next.
- On the Download Settings page, select the option If software updates are not available on preferred distribution point or remote distribution point, download content Microsoft Updates. Click Next.
- On the Summary page, click Save As Template, type Workstation Production, and click Save. By saving the settings as a template, you don’t have to go through these same steps every month.
- Click Next.
- Click Summary and Next to deploy the updates.
You might want to create additional Patch Tuesday deployments, such as a deployment for the servers that can restart automatically and a deployment for the servers that require a manual restart. Assuming that you already added some servers to a pilot collection and tested the Patch Tuesday updates against it, you can use the Deploy Software Updates Wizard to deploy those updates to the production servers.
For example, the following steps show how to deploy the Patch Tuesday updates to servers that can restart automatically using a predefined template:
- Make sure the software update group is selected and click Deploy on the ribbon to launch the Deploy Software Updates Wizard.
- In Deployment Name field on the General tab, type the name of the deployment, as shown in Figure 9.
- Click the Select Deployment Template button and select a predefined template.
- If needed, click any of the page links (e.g., Scheduling, Alerts) if you want to change elements of the deployment.
- Click Summary and Next to deploy the updates.
Keep It Simple
For many administrators, handling software updates is a complex process, but it doesn’t have to be. By keeping it simple, as shown here, you’ll likely get the job done quicker and gain a better understanding of the software update process. You should always start by defining how many deployments you need and defining a service level agreement (SLA) that’s approved by management and is achievable by you. Once you have the deployments and SLA defined, SCCM 2012 is a great tool to ensure high compliance with a minimum of effort.