The software updates feature in Microsoft System Center Configuration Manager 2012 provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise. An effective software update management process is necessary to maintain operational efficiency, overcome security issues, and maintain the stability of the network infrastructure. However, because of the changing nature of technology and the continual appearance of new security threats, the task of effective software update management can be challenging.
Migrating Software Updates from Configuration Manager 2007
If you have an existing Configuration Manager 2007 hierarchy and are actively deploying software updates, you will need to decide whether to migrate software updates objects. Configuration Manager 2012 provides you with the ability to migrate update lists, deployments, deployment packages, and deployment templates from Configuration Manager 2007. You can continue to use software updates content on distribution points located in the Configuration Manager 2007 hierarchy during the migration process by using distribution point sharing. As part of migration, you can choose to upgrade your distribution points to Configuration Manager 2012, which adds the distribution point to a site and removes the distribution point from the Configuration Manager 2007 hierarchy. Your decision to migrate software updates objects will depend primarily on whether you have a lot of active deployments and whether you have specific deployment templates that you want to reuse in Configuration Manager 2012. For more information about migrating Configuration Manager 2007 objects to Configuration Manager 2012, see the online book (http://go.microsoft.com/fwlink/?LinkId=210645).
What’s New in Configuration Manager 2012
Though the general concept for deploying software updates is the same in Configuration Manager 2012, new or updated options are available that provide improvements to the software update deployment process, including automatic approval and deployment for software updates, improved search with expanded criteria, enhancements to software updates monitoring, greater user control for scheduling software update installation, and so on. The following table contains the changes to software updates in Configuration Manager 2012.
Feature | Description |
---|---|
Software update groups | Software update groups are new in Configuration Manager 2012 and replace update lists and deployments that are used in Configuration Manager 2007. Software update groups provide a more effective method for you to organize software updates in your environment. You can manually add software updates to a software updates group or software updates can be automatically added to a new or existing software update group by using an automatic deployment rule. You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group and they will automatically be deployed. |
Automatic deployment rules | Automatic deployment rules provide the ability to automatically approve and deploy software updates. You specify the criteria for software updates (for example, all Windows 7 software updates released in the last 1 week), the software updates are added to a software update group, you configure deployment and monitoring settings, and choose whether to deploy the software updates in the software update group. You can deploy the software updates in the software update group or retrieve compliance information from devices for the software updates in the software update group without deploying them. |
Software updates filtering | New search and the ability to provide expanded criteria are available when software updates are listed in the Configuration Manager console. You can add a set of criteria that make it very easy to find the software updates that you need. You can then save the search criteria to use at a later time. For example, you can set criteria for all critical software updates for Windows 7 that were released in the last year. After you filter for the updates that you need, you can select the software updates and review compliance information per software update, create a software update group that contains the software updates, manually deploy the software updates, and so on. |
Software updates monitoring | The Configuration Manager console provides the following to help you to monitor software updates objects and processes: Software updates reports are also available that provide detailed state information for software updates, software update groups, and software update deployments. |
Manage superseded software updates | Software updates in Configuration Manager 2007 were automatically expired during the full software updates synchronization process for a site. This prevented you from deploying superseded software updates because they were expired and Configuration Manager does not allow you to deploy expired software updates. In Configuration Manager 2012, you can choose whether to manage superseded software updates as they are managed in Configuration Manager 2007, or you can configure a specified period of time during which the software update is not automatically expired after it is superseded. That allows you to deploy superseded software updates when necessary. |
Increased user control over software update installation | Configuration Manager 2012 provides users more control over when software updates are installed on their device. Configuration Manager Software Center is an application that installs when the Configuration Manager 2012 client is installed. Users run this application from the Start menu to request software and manage the software that is deployed to them, including software updates. Software Center allows users to schedule software update installation at a convenient time before the deadline and install optional software updates. For example, you can configure your business hours and have software updates run outside of those hours to minimize lost productivity. When the deadline is reached for a software update, the installation for the software update is initiated. |
Software update files are stored in the content library | The content library in Configuration Manager 2012 is the location where all content files are stored for software updates, applications, operating system deployment, and so on. The content library is located on the site server and each distribution point. The content library provides advantages over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007 you might deploy the same content files multiple times using different deployments and deployment packages. The result was that the same content files were stored on the site server and distribution points multiple times. The content library in Configuration Manager 2012 provides a single instance store for content files. This means that before content files are downloaded and copied to distribution points, Configuration Manager 2012 checks to see if the content file is already in the content library, and if so, the existing content file is used. |
Software update deployment template | There is no longer a Deployment Templates node in the Configuration Manager console to manage your templates. Deployment templates can be created only in the Automatic Deployment Rules Wizard or Deploy Software Updates Wizard. Deployment templates store many of the deployment properties that might not change from deployment to deployment, and they can save a lot of time for administrators when deploying software updates. Deployment templates can be created for different deployment scenarios in your environment. For example, you can create a template for expedited software update deployments and planned deployments. The template for the expedited deployment can suppress display notifications on client computers, set the deadline for 0 days from the deployment schedule, and allow system restarts outside of maintenance windows. The template for a planned deployment can allow display notifications on client computers and set the deadline for 14 days from the deployment schedule. |
The following software updates features have been deprecated in Configuration Manager 2012.
Feature | Description |
---|---|
Update lists | Update lists have been replaced by software update groups. |
Deployments | Though you can still deploy software updates in Configuration Manager 2012, there is no longer a visible software update deployment object. The deployment object is now nested in a software update group. |
The following software updates objects remain in Configuration Manager 2012 much like they were in Configuration Manager 2007.
Feature | Description |
---|---|
Software update point | The software update point is required for software updates on the central administration site and primary sites, is optional on secondary sites, and is installed as a site system role in the Configuration Manager console. The software update point site system role must be created on a server running Windows Server Update Services (WSUS). The software update point interacts with the WSUS services to configure software update settings and to synchronize software updates. At a secondary site, you have the option of installing an active software update point for the site. Having a software update point at a secondary site provides local access to client computers when scanning for software updates compliance. When the secondary site does not have a configured software update point, client computers will connect to the active software update point on the parent site. You will need to determine whether client computers at the remote site have sufficient connectivity to WSUS running on the parent site or whether WSUS running on a local software update point is required. |
Software Updates Workflows
There are two main scenarios for deploying software updates in your environment – manual deployment and automatic deployment. Typically, you will manually deploy software updates to create a baseline for your device clients, and then you will manage software updates on devices using automatic deployment. The following sections provide a summary for the workflow for manual and automatic deployment for software updates.
Manual Deployment of Software Updates
Manual deployment of software updates is the process of selecting software updates from the Configuration Manager 2012 console and manually initiating the deployment process. You will typically use this method of deployment to get your client devices up to date with required software updates before creating automatic deployment rules that will manage ongoing monthly software update deployments, and to deploy out-of-band software update requirements. The following list provides the general workflow for manual deployment of software updates:
- Filter for software updates using specific requirements. For example, you could provide criteria that retrieves all software updates that are required on greater than 50 device clients and are security or critical software updates.
- Create a software update group that contains the software updates.
- Download the content for the software updates in the software update group.
- Manually deploy the software update group.
Automatic Deployment of Software Updates
Automatic software update deployment is configured by using automatic deployment rules. You will typically use this method of deployment for your monthly software updates (generally referred to as Patch Tuesday) and for managing definition updates. When the rule runs, the software updates that meet specified criteria (for example, all security software updates released in the last 1 week) are added to a software update group, the content files for the software updates are downloaded and copied to distribution points, and the software updates are deployed to client devices in the target collection. The following list provides the general workflow for automatic deployment of software updates:
- Create an automatic deployment rule that specifies deployment settings such as the following:
  - Target collection
  - Whether to enable the deployment or report on software updates compliance for the client devices in the target collection
  - Software updates criteria
  - Evaluation and deployment schedules
  - User experience
  - Download properties
- The software updates are added to a software updates group.
- The software updates group is deployed to the client devices in the target collection, if specified.
You will need to determine what deployment strategy to use in your environment. For example, you might create the automatic deployment rule and target a collection of test client devices. After you verify that the software updates install on the test group, you can change the collection in the automatic deployment rule to a target collection that includes a larger set of clients. The software update objects that are created by the automatic deployment rules are interactive.
- Software updates that have been deployed by using an automatic deployment rule are automatically deployed to new clients added to the target collection.
- New software updates added to a software update group are automatically deployed to the clients in the target collection.
- Deployments can be enabled or disabled at any time for the automatic deployment rule.
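The automatic deployment workflow and the three behaviours listed above, modelled as an added Python example; it is not Configuration Manager code and not part of the original article. The names `Update`, `AutoDeploymentRule` and `staged_rollout`, and all sample data, are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass(frozen=True)
class Update:
    article: str          # constructed identifier, not a real KB number
    classification: str
    released: date
    expired: bool = False

@dataclass
class AutoDeploymentRule:                     # hypothetical model, not a ConfigMgr API
    classifications: frozenset                # software updates criteria
    released_within: timedelta                # e.g. "released in the last 1 week"
    collection: set                           # devices in the target collection
    enabled: bool = True                      # False: the deployment is disabled
    group: set = field(default_factory=set)   # the software update group

    def evaluate(self, catalog, today):
        """One rule run: add matching, non-expired updates to the group."""
        cutoff = today - self.released_within
        self.group |= {u for u in catalog
                       if u.classification in self.classifications
                       and cutoff <= u.released <= today and not u.expired}
        return sorted(u.article for u in self.group)

    def pending(self, required):
        """Device -> articles to install, from the group and collection as they are now."""
        if not self.enabled:
            return {}
        wanted = {u.article for u in self.group}
        return {d: sorted(wanted & required.get(d, set())) for d in sorted(self.collection)}

TODAY = date(2012, 3, 16)                     # constructed sample data from here on
CATALOG = [
    Update("UPD-001", "Security Updates", date(2012, 3, 13)),
    Update("UPD-002", "Security Updates", date(2012, 2, 14)),        # older than 1 week
    Update("UPD-003", "Critical Updates", date(2012, 3, 13)),        # not in the criteria
    Update("UPD-004", "Security Updates", date(2012, 3, 13), True),  # expired
]
REQUIRED = {"TEST-01": {"UPD-001", "UPD-002"}, "PC-100": {"UPD-001", "UPD-005"}}
def staged_rollout():
    rule = AutoDeploymentRule(frozenset({"Security Updates"}), timedelta(weeks=1), {"TEST-01"})
    rule.evaluate(CATALOG, TODAY)
    pilot = rule.pending(REQUIRED)            # only the test collection is targeted
    rule.collection.add("PC-100")             # widen the target after the pilot is verified
    rule.group.add(Update("UPD-005", "Security Updates", TODAY))  # update added to the group later
    wide = rule.pending(REQUIRED)             # new client and new update are both picked up
    rule.enabled = False
    return pilot, wide, rule.pending(REQUIRED)
```

Because `pending` is computed from the current group and collection, a device added to the collection or an update added to the group is covered without creating a new deployment, which is the practical meaning of the rule's objects being interactive.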