Software Updates Zen
Jason Sandys
Principal Consultant
Catapult Systems
UD-B405
Overview
• Infrastructure Requirements and Operations
• Update Deployment
• Client Functionality
• User Experience
• Dos and Don’ts
Software Update considerations
• Define service level agreement with the “business”
• Include test and pilot phases
• Understand the implications of rebooting and not rebooting
• Know system dependencies and design with them in mind
• Account for expectations
• Document the process
• Automate the process
Infrastructure Requirements and Operations
The Software Update Point
• Requires Windows Server Update Services (WSUS)
• Must be on the top-level site and all primary sites where you wish to manage updates on clients
• Only manages the software update catalog (and EULAs)
• Does not download or distribute update binaries to clients
The Windows Update Catalog
• Windows Update / Microsoft Update (WU/MU)
• Updated twice a month (normally)
• Does not contain every possible Microsoft Update
The update catalog in a hierarchy
[Diagram labels: Microsoft; Parent: WSUS, SUP, DB; Child: WSUS, SUP, DB; Clients]
Using an upstream WSUS server is new in 2012 SP1
Parent can be a CAS (no clients) or a primary site
Child can be a primary (if the parent is a CAS) or a secondary
Multiple SUPs
• New for 2012 SP1
• Replaces Network Load Balancing
• Is for availability and cross forest scenarios only
• SUP selection by client is random and not location aware
• Failover based on four unsuccessful scan attempts
• Clients do not failback
Multiple SUPs in a primary site
[Diagram labels: Microsoft; SUP 1: WSUS, SUP; SUP 2: WSUS, SUP; WSUS DB; Clients]
Update binaries
• Updates are downloaded by clients from DPs (like all content in ConfigMgr)
• Clients only download assigned and applicable updates
• Clients pre-cache binaries for required updates
Update binary flow
[Diagram labels: Site Server, Microsoft, Clients, DP, Console, Content Library, Update Package Source Folder, ADR, Manual]
Update Deployment
Update Objects
Software Update Groups
• Contain references to updates
• Organize updates
Update Deployments
• Assign updates to clients
• Define when, where, how, who
Update Packages
• Contain update binaries
• Are not deployed
Automated Deployment Rules (ADR)
• ADRs create or update
  • Software Update Groups
  • Update Deployments
  • Update Packages
• ADRs do not deploy/install/distribute updates
• ADRs run on a schedule (or manually)
• ADRs automate the grunt work
ADR Creation
ADR Limitations
• Cannot change an ADR’s update package (in the UI)
• ADR search criteria are not as rich as console searching
• ADRs create mandatory deployments only
• ADRs only create or update one deployment
ADRs do not deploy updates
Update scheduling
Available (no deadline)
• User initiated (typically)
• Best for systems with tight control
Required (deadline)
• System initiated (typically)
• Best with normal use systems
Required with maintenance windows
• System initiated
• Best with servers or always on systems that have business defined service hours
Update scheduling examples
[Diagram labels: Software Update Group(s); Deployments; Deployment; Master; Limited; No maintenance windows: Group A, Group B, Exceptions; Maintenance windows: Group A, Group B, Exceptions; Maintenance windows applied]
How many (general guidelines)?
Software Update Groups
• One for every update schedule
• Endpoint protection
• Monthly (one per-month)
• Out-of-band
Update Packages
• No specific technical separation needed
• More than one
• Recommended: at least one per calendar year
Collections
• One for every “class” and “phase” defined by your SLA
• Typical classes: Workstation, Server
• Typical phases: Test, Pilot, Production
There is no relationship between Software Update Groups and Update Packages; clients pull updates from any available Update Package.
Client Functionality
The Windows Update Agent (WUA)
• Downloads the update catalog
• Scans clients for compliance
  • At the configured scan time
  • Whenever new updates are available via a deployment
  • Before update installation
  • After update installation
  • After a reboot following update installation
• Compliance results stored in WMI by the ConfigMgr agent
• Installs Updates
• Can still install updates outside of ConfigMgr*
Client Processing
[Diagram labels: MP, Client, DP, WSUS, SUP, ConfigMgr Agent, Windows Update Agent; Update catalog; Update binaries (content download); Update deployments (machine policy); Compliance Scan; Compliance (state messages)]
* The ConfigMgr agent initiates all compliance scans
Group Policy and the client
• ConfigMgr client agent sets a local group policy
  • Specify Intranet Microsoft update service location
  • Can be overwritten by domain Group Policy
• Group Policy settings for Windows update are largely N/A
  • Reboot warnings from the WUA
  • Disable the Configure Automatic Updates Group Policy setting
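A client-side check for the two points on this slide, as an added example that is not from the original presentation: it reads the standard Windows Update policy registry values and reports when the intranet update service location differs from the expected SUP (for example after a domain GPO overwrote the local policy) or when Configure Automatic Updates is not disabled. The function name, the `-Policy` parameter and the sample URLs are hypothetical.

```powershell
# Added example (not from the presentation). Checks the Windows Update policy
# values that control where the WUA scans and whether Automatic Updates runs.
function Test-WuaPolicy {
    param(
        [Parameter(Mandatory = $true)] [string] $ExpectedSupUrl,  # hypothetical: your SUP's WSUS URL
        [hashtable] $Policy   # optional pre-collected values; omit to read the live registry
    )
    if (-not $Policy) {
        $Policy = @{}
        $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        foreach ($path in @($wuKey, "$wuKey\AU")) {
            $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if (-not $item) { continue }
            foreach ($name in 'WUServer', 'UseWUServer', 'NoAutoUpdate') {
                if ($null -ne $item.$name) { $Policy[$name] = $item.$name }
            }
        }
    }
    # Compare URLs without regard to case or a trailing slash.
    $normalize = { param($u) if ($u) { ([string]$u).TrimEnd('/').ToLowerInvariant() } }
    $expected = & $normalize $ExpectedSupUrl
    $actual   = & $normalize $Policy['WUServer']
    $findings = @()
    if (-not $actual) {
        $findings += 'WUServer is not set: no intranet update service location is configured'
    } elseif ($actual -ne $expected) {
        $findings += "WUServer is '$($Policy['WUServer'])' but the SUP is '$ExpectedSupUrl'; check for a domain GPO overriding the local policy"
    }
    if ($Policy['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1: the WUA ignores the intranet location'
    }
    if ($Policy['NoAutoUpdate'] -ne 1) {
        $findings += 'Configure Automatic Updates is not Disabled (NoAutoUpdate is not 1)'
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: a domain GPO points the client at another WSUS server
# and leaves Configure Automatic Updates enabled.
$sample = @{ WUServer = 'http://wsus-old.example.test:8530'; UseWUServer = 1; NoAutoUpdate = 0 }
Test-WuaPolicy -ExpectedSupUrl 'http://sup01.example.test:8530' -Policy $sample |
    Select-Object -ExpandProperty Findings
```

Run without `-Policy` on a managed client to evaluate the live registry values.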
Group Policy and Software Updates
Updating the WUA
• The WUA is periodically updated
• No stand-alone installer available for the latest versions
• Updated WUA must come from WSUS
User Experience
Let them eat cake
User initiated
• Increases compliance
• Increases user satisfaction
• Reboots enforced at deadline
Completely silent
• Two hour deadline randomization (controllable in SP1)
• No reboot postpone
• Maintenance window availability
Software Center
Dos and Don’ts
Simon Says
Do
• Review what an ADR created or updated
• Plan, document, and communicate
• Learn which reports are available
Don’t
• Use the WSUS admin console
• Treat Software Updates as WSUS
• Use the “Required” ADR search filter
Take it with you
• Software Updates uses WSUS but it isn’t WSUS
• Automated Deployment Rules aren’t a complete solution
• User involvement can be a good thing
• Plan your update deployment based on realistic business requirements
• Know your business requirements
• Communicate the process and expectations
Resources
http://channel9.msdn.com/Events
Access MMS Online to view session recordings after the event.
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.