Software Update Groups Update Deployments Assign updates to clients Define when, where, how, who Update Packages

Software Updates Zen

Jason Sandys
Principal Consultant
Catapult Systems

UD-B405

Overview
• Infrastructure Requirements and Operations
• Update Deployment
• Client Functionality
• User Experience
• Dos and Don’ts

Software Update considerations
• Define service level agreement with the “business”
• Include test and pilot phases
• Understand the implications of rebooting and not rebooting
• Know system dependencies and design with them in mind
• Account for expectations
• Document the process
• Automate the process

Infrastructure Requirements and Operations

The Software Update Point
• Requires Windows Server Update Services (WSUS)
• Must be on the top-level site and all primary sites where you wish to manage updates on clients
• Only manages the software update catalog (and EULAs)
• Does not download or distribute update binaries to clients

The Windows Update Catalog
• Windows Update / Microsoft Update (WU/MU)
• Updated twice a month (normally)
• Does not contain every possible Microsoft Update

The update catalog in a hierarchy

[Diagram labels: Microsoft, Parent, Child, SUP, WSUS, DB, Clients]

• Using an upstream WSUS server is new in 2012 SP1
• Parent can be a CAS (no clients) or a primary site
• Child can be a primary (if the parent is a CAS) or a secondary

Multiple SUPs
• New for 2012 SP1
• Replaces Network Load Balancing
• Is for availability and cross forest scenarios only
• SUP selection by client is random and not location aware
• Failover based on four unsuccessful scan attempts
• Clients do not failback

Multiple SUPs in a primary site

[Diagram labels: Microsoft, WSUS, SUP 1, SUP 2, WSUS DB, Clients]

Update binaries
• Updates are downloaded by clients from DPs (like all content in ConfigMgr)
• Clients only download assigned and applicable updates
• Clients pre-cache binaries for required updates

Update binary flow

[Diagram labels: Microsoft, Site Server, Console, ADR, Manual, Update Package Source Folder, Content Library, DP, Clients]

Update Deployment

Update Objects

Software Update Groups
• Contain references to updates
• Organize updates

Update Deployments
• Assign updates to clients
• Define when, where, how, who

Update Packages
• Contain update binaries
• Are not deployed

Automated Deployment Rules (ADR)
• ADRs create or update
  • Software Update Groups
  • Update Deployments
  • Update Packages
• ADRs do not deploy/install/distribute updates
• ADRs run on a schedule (or manually)
• ADRs automate the grunt work

ADR Creation

ADR Limitations
• Cannot change an ADR’s update package (in the UI)
• ADR search criteria are not as rich as console searching
• ADRs create mandatory deployments only
• ADRs only create or update one deployment

ADRs do not deploy updates

Update scheduling

Available (no deadline)
• User initiated (typically)
• Best for systems with tight control

Required (deadline)
• System initiated (typically)
• Best with normal use systems

Required with maintenance windows
• System initiated
• Best with servers or always-on systems that have business defined service hours

Update scheduling examples

[Diagram labels: Software Update Group(s), Deployments, Deployment, Group A, Group B, Exceptions, Master, Limited, No maintenance windows, Maintenance windows, Maintenance windows applied]

How many (general guidelines)?

Software Update Groups
• One for every update schedule
• Endpoint protection
• Monthly (one per-month)
• Out-of-band

Update Packages
• No specific technical separation needed
• More than one
• Recommended: at least one per calendar year

Collections
• One for every “class” and “phase” defined by your SLA
• Typical classes: Workstation, Server
• Typical phases: Test, Pilot, Production

There is no relationship between Software Update Groups and Update Packages; clients pull updates from any available Update Package.

Client Functionality

The Windows Update Agent (WUA)
• Downloads the update catalog
• Scans clients for compliance
  • At the configured scan time
  • Whenever new updates are available via a deployment
  • Before update installation
  • After update installation
  • After a reboot following update installation
• Compliance results stored in WMI by the ConfigMgr agent
• Installs Updates
• Can still install updates outside of ConfigMgr*

Client Processing

[Diagram labels: MP, DP, SUP, WSUS, Client, ConfigMgr Agent, Windows Update Agent, Update catalog, Update binaries (content download), Update deployments (machine policy), Compliance Scan*, Compliance, Compliance (state messages)]

* The ConfigMgr agent initiates all compliance scans

Group Policy and the client
• ConfigMgr client agent sets a local group policy
  • Specify Intranet Microsoft update service location
  • Can be overwritten by domain Group Policy
• Group Policy settings for Windows update are largely N/A
  • Reboot warnings from the WUA
  • Disable the Configure Automatic Updates Group Policy setting
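
Because domain Group Policy can overwrite the local policy the ConfigMgr client sets, it helps to check the effective values on a client. The PowerShell below is an added example, not part of the original deck; it reads the standard Windows Update policy registry values, and the `$ExpectedSup` URL and the `Get-PolicyValue` helper are assumptions made for illustration.

```powershell
# Added example: report the effective Windows Update policy on one client.
param(
    # Placeholder (assumption): replace with the URL of your site's SUP.
    [string]$ExpectedSup = 'http://sup.example.internal:8530'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$wuServer     = Get-PolicyValue $wuKey 'WUServer'      # intranet update service location
$useWuServer  = Get-PolicyValue $auKey 'UseWUServer'   # 1 = WUA uses WUServer
$noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'  # 1 = Configure Automatic Updates disabled

$findings = @()
if (-not $wuServer) {
    $findings += 'WUServer is not set: the WUA has no intranet update service location.'
} elseif ($wuServer.TrimEnd('/') -ne $ExpectedSup.TrimEnd('/')) {
    $findings += "WUServer is '$wuServer', expected '$ExpectedSup'; look for an overriding domain GPO."
}
if ($useWuServer -ne 1) {
    $findings += 'UseWUServer is not 1: the WUA is not directed to the intranet server.'
}
if ($noAutoUpdate -ne 1) {
    $findings += 'NoAutoUpdate is not 1: Configure Automatic Updates is not disabled.'
}

[pscustomobject]@{
    WUServer     = $wuServer
    UseWUServer  = $useWuServer
    NoAutoUpdate = $noAutoUpdate
    Findings     = $findings
}
```

An empty `Findings` list means the client points at the expected SUP and automatic updates are disabled, as the slide recommends.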

Group Policy and Software Updates

Updating the WUA
• The WUA is periodically updated
• No stand-alone installer available for the latest versions
• Updated WUA must come from WSUS

User Experience

Let them eat cake

User initiated
• Increases compliance
• Increases user satisfaction
• Reboots enforced at deadline

Completely silent
• Two hour deadline randomization (controllable in SP1)
• No reboot postpone
• Maintenance window availability

Software Center

Dos and Don’ts

Simon Says

Do
• Review what an ADR created or updated
• Plan, document, and communicate
• Learn which reports are available

Don’t
• Use the WSUS admin console
• Treat Software Updates as WSUS
• Use the “Required” ADR search filter

Take it with you
• Software Updates uses WSUS but it isn’t WSUS
• Automated Deployment Rules aren’t a complete solution
• User involvement can be a good thing
• Plan your update deployment based on realistic business requirements
• Know your business requirements
• Communicate the process and expectations

Evaluation

Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com. Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.

We want to hear from you!

Resources

http://channel9.msdn.com/Events

Access MMS Online to view session recordings after the event.

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.