System Center Configuration Manager 2012 SP1 and the new way of handling software updates explained

Click to edit Master title style

TechNet goes virtual© Microsoft Corporation. All Rights Reserved.

TechNet goes virtual

LiveMeeting:

System Center Configuration Manager 2012 SP1 and the new way handling of Software Updates explained

Kenny BuntinxConfiguration Manager MVP



Agenda

• Introduction

• Infrastructure Changes

• Operational “Best Practices”

• Q&A



About me

Kenny Buntinx

Inovativ : Principal [email protected]

http://www.inovativ.be

@KennyBuntinx

http://be.linkedin.com/pub/kenny-buntinx/3/639/107

http://scug.be/blogs/sccm

http://www.inovativ.be/

http://www.inovativ.be/

http://twitter.com/

http://twitter.com/

http://be.linkedin.com/pub/kenny-buntinx/3/639/107



SUM Top 5 Improvements wanted

SUM Top 5 "Needs Improvement"0%

50%

100%

76%

64%

46% 44%37%

Update CleanupInfrastructure Im-provementsAuto ApprovalSupersedenceUser Experience



Infrastructure Changes since SP1

Multiple SUPs per Site with cross-forest SUP supportThe active software update point concept is deprecated in

Configuration Manager SP1

Source top level SUP off of internal WSUS servers

Optional client content download from Windows Update

Windows Embedded support

3X delivery of definitions through software updates



Infrastructure needs

• WSUS 3.0 SP2 - WSUS-KB2720211

- WSUS-KB2734608

• You are allowed to put your WSUS db on the same SQL box as where your CM db lives.

• Use a custom Web site during WSUS 3.0 installation

• Installing SP1 will reset custom ports to 80/433• Store Updates locally = License agreement



Multiple Software Update Points per site

• Add multiple SUP’s per site (8 per Site)• You can add SUP’s cross-forest• NLB no longer required (but still supported

through the SDK or Powershell)• Clients will automatically fail over to additional

SUPs in the same forest if scan fails (same mechanism as MP)





WSUS SOURCE FOR TOP LEVEL SUP

• No longer required to source top-level SUP from Windows Update / Microsoft Update

• Can specify an internal, independent WSUS server as an update catalog source

• The active software update point concept is deprecated.

• You no longer have the option to configure a software update point as an NLB in the Configuration Manager console (thru PowerShell with Set-CMSoftwareUpdatePoint)

http://go.microsoft.com/fwlink/?LinkId=276834





OPTIONAL CLIENT CONTENT FROM WU/MU

• Support for using Windows Update / Microsoft Update as an update content source for clients

• Local content sources (distribution points) are still prioritized



3X PER DAY DEFINITIONS THROUGH SUM

• Architectural changes to improve SUP synch and client scans to support delivering Endpoint Protection definition updates 3X per day (delta synchs and category scans)

• Simplified out of box templates for :

• Endpoint Protection Auto Deployment • Patch Tuesday



Operational Changes since SP1

• Not only related to SP1 !• Stop using the SMS 2003 -

ConfigMgr 2007 Methods !



Configure: Superseded Updates

Publisher can expire or supersede

software updates

ConfigMgr 2007 did automatically expires superseded updates

In CM12, you control supersedence

behavior



Deploy: Simplified update groups

Updates added to groups automatically deployed

Groups can be deployed and/or used for aggregate compliance

Lists and deployments combined into Update Groups

Improved search to find updates



Deploy: Automated deployments

Automated deployment of desired updates

Schedule or run rules manually

Daily (Forefront) and monthly (Patch Tuesday) scenarios

Rules create update groups that can be further edited or used manually



Maintain: Content optimization and cleanup

Updates optimized with new content model to reduce replication and

storage

Expired updates and content

automatically cleaned up

Expired updates

deleted by maintenanc

e task

Content for expired updates removed

from Distribution

Points

SUP Synchs with

Windows Update

Expired updates marked

“expired” in CM db



Operational Best Practices

Keep your SUG’s Limited Keep them under 1000 Updates

Don’t split up products

Keep your SDP’s tightEnable delta replication

High priority for SDP’s

Multiple deployments of the same SUGDetail view thru reporting



Software Update Group Best Practices

• Don’t split up SUG into products.• Split up per year and then per month

!• Stay under 1000 updates per SUG



Software Update Icons

The icon with the red X represents an invalid software update.

The icon with the blue arrow represents a metadata-only software update.

The icon with the green arrow represents a software update group that contains only normal software updates.

The icon with the black X represents a software update group that contains one or more expired software updates.

The icon with the yellow star represents a software update group that contains one or more superseded software updates.





Software Update Deployment Packages Best Practices

• Don’t split up all SDP per month.• Split up per year and save all updates in

that SDP !• Enable “delta updates” for DP• Do the work once, also for yearly

maintenance.





Deployment Best Practices

• Pre-Production / Production• Create Templates • Required for workstations• Set your Alerting Target not too high !• Available for servers• No Reboot = Not patched in most cases.





Reporting Best Practices

• Split up per year and then per month !• Split up deployments per collection as you

want to know compliance per Month/Collection

• What you see isn’t always what you get ! Look at your deployment rates.

• Reporting is quite powerfull.



Troubleshooting Server Side

Log Types of issuesSUPsetup.log Installation of SUP Site Role

WCM.log, WSUSCtrl.log Configuration of WSUS Server/SUP

WSyncMgr.log SMS/WSUS Updates Synchronization Issues

Objreplmgr.log Policy Issues for Update Assignments/CI Version Info policies

RuleEngine.log Auto Deployment Rules



Troubleshooting Client Side

Log Types of issues

UpdatesDeployment.log Deployments, SDK, UX

UpdatesHandler.log Updates, Download

ScanAgent.log Online/Offline scans, WSUS location requests

WUAHandler.log Update status(missing/installed – verbose logging), WU interaction

UpdatesStore.log Update status(missing/installed)

%windir%\WindowsUpdate.log Scanning/Installation of updates



Next Steps

Microsoft System Center 2012 SP1:http://www.microsoft.com/en-us/server-cloud/system-center/default.aspx

• Virtual Machine Manager

• Operations Manager

• Orchestrator

• Service Manager

• Data Protection Manager

• Configuration Manager

System Center Marketplace: http://systemcenter.pinpoint.microsoft.com

Blogs: http://blogs.technet.com/systemcenter


Download and Evaluate More Resources

http://www.microsoft.com/en-us/server-cloud/system-center/default.aspx





http://systemcenter.pinpoint.microsoft.com/



http://blogs.technet.com/systemcenter






Technology

System Center Configuration Manager 2012 SP1 and the new way of handling software updates explained