Operations and Maintenance for Software Updates in Configuration Manager 2012

Updated: March 15, 2011

Applies To: System Center Configuration Manager 2012

The software updates feature in Configuration Manager 2012 has three main operational phases. In the synchronization phase, the site synchronizes software updates metadata from Microsoft Update and inserts it into the site server database. In the compliance assessment phase, client devices scan for software update compliance and report a compliance state for each software update. In the software update deployment phase, software updates are deployed to client devices, either manually or automatically.

Important
Before software update compliance assessment data is displayed in the Configuration Manager console and before software updates can be deployed to client devices, you must carefully plan for software updates in the hierarchy and configure the software updates dependencies to meet the needs of the environment. For more information about planning for software updates, see Planning for Software Updates in Configuration Manager 2012. For more information about configuring software updates, see Configuring Software Updates in Configuration Manager 2012.

Use the following sections to help you with the operational phases for software updates in Configuration Manager 2012:

Software Updates Synchronization

Software updates synchronization in Configuration Manager 2012 is the process of retrieving the software updates metadata that meets the criteria that you configure. The software update point on the central administration site retrieves the metadata from Microsoft Update on a schedule, or you can manually initiate synchronization from the Configuration Manager console at the central administration site. After the software update point on the central administration site completes its synchronization, a synchronization request is sent to the child sites, where the software updates synchronization process is initiated. This process continues down through the Configuration Manager hierarchy. Child sites always perform a full synchronization.

You configure software updates synchronization to run on a schedule as part of the properties for the software update point on the central administration site. After you configure the synchronization schedule you will typically not change the schedule as part of normal operations. Software updates synchronization can be manually initiated on the central administration site. For information about configuring the software updates synchronization schedule, see .

Use the following procedure to manually initiate software updates synchronization.

To manually initiate software updates synchronization on the central administration site

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Software Updates, and click All Software Updates or Software Update Groups.

  3. On the Home tab, in the Create group, click Synchronize Software Updates. Click Yes in the dialog box to confirm that you want to initiate the synchronization process.

After you initiate the synchronization process, you can monitor the synchronization process from the Configuration Manager console for all software update points in your hierarchy. Use the following procedure to monitor the software updates synchronization process.

To monitor the software updates synchronization process

  1. In the Configuration Manager console, click Monitoring.

  2. In the Monitoring workspace, click Software Update Point Synchronization Status.

    The software update points in your Configuration Manager 2012 hierarchy are displayed in the results pane. From this view, you can monitor the synchronization status for all software update points. When you want more detailed information about the synchronization process, you can review the wsyncmgr.log file located in <ConfigMgrInstallationPath>\Logs on each site server.
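The following PowerShell script is an added example and is not code from the original page or from Microsoft. It reads wsyncmgr.log in its CMTrace line format and reports whether the most recent synchronization attempt completed or failed, and it queries the SMS Provider for the per-site status that the console's Software Update Point Synchronization Status node shows. The CMTrace line layout, the "Sync failed" and "Done synchronizing" message prefixes, the SMS_SUPSyncStatus class name and its property names, and the log path are assumptions to verify on your own site server; the sample log lines are constructed for illustration.

```powershell
# Added example, not code from the original page. Summarizes wsyncmgr.log
# (CMTrace format) and, optionally, SMS_SUPSyncStatus from the SMS Provider.
# Assumptions: CMTrace line layout, "Sync failed" / "Done synchronizing"
# message prefixes, SMS_SUPSyncStatus class and properties (verify on your site).
# Requires PowerShell 3.0 or later.

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string[]]$Line)
    # <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component="..." type="N" ...>
    # type 1 = informational, 2 = warning, 3 = error
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"+-]+)[^"]*"\s+date="(?<date>[^"]+)"[^>]*?\btype="(?<type>\d)"'
    $sev = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Timestamp = [datetime]::ParseExact("$($Matches.date) $($Matches.time)", 'MM-dd-yyyy HH:mm:ss.fff',
                                                   [Globalization.CultureInfo]::InvariantCulture)
                Severity  = $sev[$Matches.type]
                Message   = $Matches.msg
            }
        }
    }
}

function Get-CMSyncSummary {
    param([Parameter(Mandatory)][string[]]$Line)
    $entries = @(ConvertFrom-CMTraceLog -Line $Line)
    $done    = $entries | Where-Object { $_.Message -like 'Done synchronizing*' } | Select-Object -Last 1
    $failed  = $entries | Where-Object { $_.Message -like 'Sync failed*' }        | Select-Object -Last 1
    [pscustomobject]@{
        LastSuccessfulSync = $(if ($done)   { $done.Timestamp })
        LastFailedSync     = $(if ($failed) { $failed.Timestamp })
        ErrorCount         = @($entries | Where-Object { $_.Severity -eq 'Error' }).Count
        # healthy only when the most recent outcome is a completed synchronization
        Healthy            = [bool]$done -and (-not $failed -or $done.Timestamp -gt $failed.Timestamp)
    }
}

function Get-CMSupSyncStatus {
    param([Parameter(Mandatory)][string]$SiteCode, [string]$SiteServer = 'localhost')
    # Assumed provider class behind the console's Software Update Point Synchronization Status node.
    Get-WmiObject -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" -Class SMS_SUPSyncStatus |
        Select-Object SiteCode, WSUSServerName, LastSyncState, LastSuccessfulSyncTime, LastSyncErrorCode
}

# Constructed sample: one failed attempt followed by a completed synchronization.
$sample = @(
    '<![LOG[Sync failed: WSUS server not configured. Source: getSiteUpdateSource]LOG]!><time="02:00:09.456+000" date="03-15-2011" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4120" file="wsyncmgr.cpp:1234">',
    '<![LOG[Synchronizing SMS updates]LOG]!><time="03:30:00.001+000" date="03-15-2011" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="wsyncmgr.cpp:1234">',
    '<![LOG[Done synchronizing SMS with WSUS Server SUP01.CONTOSO.COM]LOG]!><time="03:41:17.889+000" date="03-15-2011" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="wsyncmgr.cpp:1234">'
)
Get-CMSyncSummary -Line $sample   # Healthy = True, ErrorCount = 1 for the sample above

# On a site server, read the real log (the <ConfigMgrInstallationPath>\Logs path on your server) instead:
# Get-CMSyncSummary -Line (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log')
# Get-CMSupSyncStatus -SiteCode 'CAS'
```

A failed sync that is later followed by a completed one is reported as healthy, which matches how the console view behaves; an error count above zero with Healthy still true is the cue to read the log itself, because the site can recover from transient failures without any change to the configuration.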

Software Updates Compliance Assessment

Before you deploy software updates to client computers in Configuration Manager 2012, a scan for software updates compliance should be initiated on client computers. For each software update, a state message is created that contains the compliance state for the update. The state messages are sent in bulk to the management point and then to the site server, where the compliance state is inserted into the site database. Compliance state for software updates is displayed in the Configuration Manager console, and software updates can be deployed and installed on client computers that require the updates. The following sections provide information about the compliance states and describe the process for scanning for software updates compliance.

Software Updates Compliance States

The following table lists and describes each compliance state that is displayed in the Configuration Manager console for software updates.


State Description

Required

Specifies that the software update is applicable and required on the client computer. Any of the following conditions could be true when the software update state is Required:

  • The software update has not been deployed to the client computer.

  • The software update has been installed on the client computer, but the most recent state message has not yet been inserted into the database on the site server. The client computer rescans for the update after the installation completes. There might be a delay of up to two minutes before it sends the updated state to the management point, which then forwards it to the site server.

  • The software update has been installed on the client computer, but the software update installation requires a computer restart before it completes.

  • The software update has been deployed to the client computer but not yet installed.

Not Required

Specifies that the software update is not applicable on the client computer, and therefore, the software update is not required.

Installed

Specifies that the software update is applicable on the client computer and that the client computer already has the software update installed.

Unknown

Specifies that the site server has not received a state message from the client computer, typically because:

  • The client computer did not successfully scan for software updates compliance.

  • The scan completed successfully on the client computer, but the state message has not yet been processed on the site server, possibly because of a state message backlog.

  • The scan completed successfully on the client computer, but the state message has not been received from the child site.

  • The scan completed successfully on the client computer, but the state message file was corrupted in some way and could not be processed.

Scan for Software Updates Compliance Process

When the active software update point is installed and synchronized, a site-wide machine policy is created that informs client devices that the Configuration Manager 2012 software updates feature has been enabled for the site. When a client receives the machine policy, a compliance assessment scan is scheduled to start randomly within the next two hours. When the scan is initiated, a software updates client agent process clears the scan history, submits a request to find the WSUS server that should be used for the scan, and updates the local Group Policy with the WSUS server location.

Note
Internet-based clients must connect to the WSUS server by using SSL.

A scan request is passed to the Windows Update Agent (WUA). The WUA then connects to the WSUS server location listed in the local policy, retrieves the software updates metadata that has been synchronized on the WSUS server, and scans the client computer for the updates. A software updates client agent process detects that the scan for compliance has completed, and it creates state messages for each software update that had a change in compliance state since the last scan. The state messages are sent to the management point in bulk every 15 minutes. The management point then forwards the state messages to the site server, where the state messages are inserted into the site server database.

After the initial scan for software updates compliance, the scan is initiated at the configured scan schedule. However, if the client has scanned for software updates compliance within the time frame indicated by the Time-to-Live (TTL) value, the client will use the software updates metadata that is stored locally. When the last scan is outside of the TTL, the client must connect to WSUS running on the active software update point and update the software updates metadata stored on the client.

Including the scan schedule, the scan for software updates compliance can initiate in the following ways:

  • Software updates scan schedule: The scan for software updates compliance initiates at the configured scan schedule, which is configured in the software updates client agent settings. For more information about how to configure the software updates client agent settings, see .

  • Configuration Manager Properties action: The user can initiate the Software Updates Scan Cycle or Software Updates Deployment Evaluation Cycle action from the Actions tab of the Configuration Manager Properties dialog box on the client computer.

  • Deployment reevaluation schedule: The deployment evaluation and scan for software updates compliance initiates at the configured deployment reevaluation schedule, which is configured in the software updates client agent settings. For more information about how to configure the software updates client agent settings, see .

  • Prior to downloading update files: When a client computer receives an assignment policy for a new mandatory deployment, the software update files are downloaded to the local cache. Prior to downloading the update files, a scan is initiated to verify that the update is still required.

  • Prior to software update installation: Just prior to software update installation, a scan is initiated to verify that the update is still required.

  • After software update installation: Just after a software update installation completes, a scan is initiated to verify that the update is no longer required and to create a new state message that indicates the update has been installed. When the installation has finished but a restart is necessary, the state will indicate that the client computer is pending a restart.

  • After system restart: When a client device was pending a system restart for the software update installation to complete, a scan is initiated after the restart to verify that the software update is no longer required and to create a state message that indicates the update has been installed.

Time to Live Value

The software updates metadata that is required for the scan for software updates compliance is stored on the local client computer and is relevant for up to 24 hours by default. This value is known as the Time to Live (TTL).

Scan for Software Updates Compliance Types

The client will scan for software updates compliance using an online or offline scan and a forced or non-forced scan, depending on the way the scan for software updates compliance is initiated. The following table describes which methods for initiating the scan are online or offline and whether the scan is forced or non-forced.

Scan Method / Scan Type / Description

Software updates scan schedule

Non-forced online scan

At the configured scan schedule, the client will connect to WSUS running on the active software update point to retrieve the software updates metadata only when the last scan was outside of the TTL.

Software Updates Scan Cycle

Software Updates Deployment Evaluation Cycle

Forced online scan

The client computer always connects to WSUS running on the active software update point to retrieve the software updates metadata prior to scanning for software updates compliance. After the scan completes, the TTL counter is reset. For example, if the TTL is 24 hours, after a user initiates a scan for software updates compliance, the TTL is reset to 24 hours.

Deployment reevaluation schedule

Non-forced online scan

At the configured deployment reevaluation schedule, the client will connect to WSUS running on the active software update point to retrieve the software updates metadata only when the last scan was outside of the TTL.

Prior to downloading update files

Non-forced online scan

Prior to downloading update files in mandatory deployments, the client will connect to WSUS running on the active software update point to retrieve the software updates metadata only when the last scan was outside of the TTL.

Prior to software update installation

Non-forced online scan

Prior to installing software updates in mandatory deployments, the client will connect to WSUS running on the active software update point to retrieve the software updates metadata only when the last scan was outside of the TTL.

After software update installation

Forced offline scan

After a software update has been installed, a scan is initiated using the local metadata. The client will never connect to WSUS running on the active software update point to retrieve software updates metadata.

After system restart

Forced offline scan

After a software update has been installed and the computer has been restarted, a scan is initiated using the local metadata. The client will never connect to WSUS running on the active software update point to retrieve software updates metadata.
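The following PowerShell script is an added example and is not code from the original page or from Microsoft. It covers the scan process described above (the client agent writing the WSUS server location into local policy, then handing the scan to the Windows Update Agent) and the forced online scan from the table (the Software Updates Scan Cycle): run on a client, it checks that the WSUS server in local policy is the expected software update point and, for an internet-based client, that the location uses SSL; it then triggers a forced scan and summarizes the result from the client's update store. The WindowsUpdate policy key, the client schedule IDs, the CCM_UpdateStatus class and its Status values, and the name sup01.contoso.com are assumptions labeled in the code.

```powershell
# Added example, not code from the original page. Run on a Configuration Manager
# 2012 client. Assumptions (not stated on the page): the WindowsUpdate policy key,
# the scan-cycle schedule IDs, and the CCM_UpdateStatus class in the client's
# UpdatesStore namespace; $ExpectedSup is your own SUP. Requires PowerShell 3.0+.

function Test-CMClientWsusLocation {
    param(
        [Parameter(Mandatory)][string]$ExpectedSup,   # FQDN of the active software update point
        [switch]$InternetClient                       # require SSL for internet-based clients
    )
    # The software updates client agent writes WUServer/WUStatusServer into local
    # policy here. A domain GPO that sets the same values overrides it and breaks
    # the scan, so a host that is not your SUP is worth investigating.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $wu -or -not $wu.WUServer) {
        return [pscustomobject]@{ Ok = $false; WUServer = $null
            Reason = 'No WUServer in local policy: the client has not received the software updates policy yet' }
    }
    $uri = [uri]$wu.WUServer
    $problems = @()
    if ($uri.Host -ne $ExpectedSup) { $problems += "WUServer host '$($uri.Host)' is not the expected SUP '$ExpectedSup'" }
    if ($InternetClient -and $uri.Scheme -ne 'https') { $problems += 'internet-based clients must reach the SUP over SSL' }
    if ($wu.WUServer -ne $wu.WUStatusServer) { $problems += 'WUServer and WUStatusServer differ' }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); WUServer = $wu.WUServer; Reason = ($problems -join '; ') }
}

function Start-CMClientUpdateScan {
    param([switch]$DeploymentEvaluation)
    # Client schedule IDs (assumed well-known values; verify against the client SDK):
    #   ...0113 = Software Updates Scan Cycle (forced online scan; resets the TTL)
    #   ...0108 = Software Updates Deployment Evaluation Cycle
    $id = if ($DeploymentEvaluation) { '{00000000-0000-0000-0000-000000000108}' } else { '{00000000-0000-0000-0000-000000000113}' }
    Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule -ArgumentList $id | Out-Null
    Get-Date   # return the trigger time so the caller can wait for a newer scan
}

function Get-CMClientUpdateCompliance {
    # CCM_UpdateStatus holds one row per update evaluated by the last scan;
    # Status is 'Missing' (the console's Required) or 'Installed' (assumed values).
    $store   = @(Get-WmiObject -Namespace 'root\ccm\SoftwareUpdates\UpdatesStore' -Class CCM_UpdateStatus)
    $missing = @($store | Where-Object { $_.Status -eq 'Missing' })
    $scans   = $store | ForEach-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.ScanTime) }
    [pscustomobject]@{
        Required        = $missing.Count
        Installed       = @($store | Where-Object { $_.Status -eq 'Installed' }).Count
        LastScan        = ($scans | Sort-Object | Select-Object -Last 1)
        MissingArticles = @($missing | ForEach-Object { "KB$($_.Article)" })
    }
}

function Wait-CMClientUpdateScan {
    param([Parameter(Mandatory)][datetime]$After, [int]$TimeoutSeconds = 600)
    # The scan runs asynchronously; poll until the store reports a scan newer
    # than the trigger time (assumes ScanTime is refreshed on every scan).
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $last = (Get-CMClientUpdateCompliance).LastScan
        if ($last -and $last -gt $After) { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    $false
}

# Usage (replace the SUP name with your own):
# Test-CMClientWsusLocation -ExpectedSup 'sup01.contoso.com' -InternetClient
# $t = Start-CMClientUpdateScan
# if (Wait-CMClientUpdateScan -After $t) { Get-CMClientUpdateCompliance } else { 'scan did not complete; check WUAHandler.log' }
```

Run the location check before forcing the scan: if WUServer points somewhere other than the active software update point, the scan will fail or, worse, report compliance against a catalog you do not control, and the site will show the client as Unknown. The client's WUAHandler.log records the WSUS location it used and any scan error, which is the first place to look when the forced scan does not update the store.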

Software Update Deployment

The software update deployment phase is the process of deploying the software updates. Typically the software updates are added to a software update group and then the software update group is deployed. When the deployment is created, the software updates policy is sent to client devices, and then the software update content files are downloaded to and installed on the client. Clients send state messages back to the site server that report whether the software update installation was successful. There are two main scenarios for deploying software updates in your environment: manual deployment and automatic deployment. Typically, you will manually deploy software updates to create a baseline for your client devices, and then you will manage software updates on devices by using automatic deployment.

The following sections provide information and procedures for manual and automatic deployment workflows for software updates.

Manually Deploy Software Updates

Manual deployment of software updates is the process of selecting software updates in the Configuration Manager 2012 console and manually initiating the deployment process. You will typically use this method of deployment to get your client devices up to date with required software updates before you create automatic deployment rules that manage ongoing monthly software update deployments, and to deploy out-of-band software updates. The following sections provide the general workflow for manual deployment of software updates.

Specify Search Criteria for Software Updates

There are potentially thousands of software updates displayed in the Configuration Manager console, and the first step in the workflow for manually deploying software updates is to find the software updates that you want to deploy. For example, you could provide criteria that retrieve all software updates that are required on more than 50 client devices and have a software update classification of security or critical.

To specify search criteria for software updates

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Software Updates, and click All Software Updates. The software updates that have been synchronized are displayed.

  3. In the search pane, filter the software updates that you need by using one or both of the following steps:

    • In the search text box, type a search string that will filter the software updates. For example, you could type the article ID or bulletin ID for a specific software update, or a string that would appear in the title for software updates.

    • Click Add Criteria, select the criteria that you want to use to filter software updates, click Add, and then provide the values for the criteria.

  4. Click Search to filter the software updates.

    Tip
    On the Search tab, in the Save group, you can save the filter criteria for reuse.

Create a Software Update Group that Contains the Software Updates

When you filter on the software updates that you need to manually deploy, you could deploy the software updates without adding them to a software update group, but it is recommended that you first add them to a software update group to easily monitor the deployment and assess compliance for the software updates.

To add software updates to a new software update group

  1. Select the software updates that you want to add to the new software update group.

  2. On the Home tab, in the Update group, click Create Software Update Group.

  3. Specify the name for the software update group and optionally provide a description, and then click Create. You should consider using a name and description that will provide enough information for you to know what software updates are in the software update group.

  4. Click the Software Update Groups node to display the new software update group.

  5. Click the software update group, and in the Home tab, in the Update group, click Show Members to display a list of the software updates in the group.

To add software updates to an existing software update group

  1. Select the software updates that you want to add to the existing software update group.

  2. On the Home tab, in the Update group, click Edit Membership.

  3. Select the software update group to which you want to add the software updates as members.

  4. Click the Software Update Groups node to display the software update group.

  5. Click the software update group, and in the Home tab, in the Update group, click Show Members to display a list of the software updates in the group.

Download the Content for the Software Update Group

Optionally, you can download the content for the software updates in the software update group before you deploy the software updates. You might choose to do this so you can verify that the content is available on the distribution points before you deploy the software updates to avoid any unexpected issues with the content delivery. You can skip this step and the content will be downloaded and copied to the distribution points as part of the deployment process. Use the following procedure to download the content for software updates in the software update group.

To download content for the software update group

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Software Updates, and click Software Update Groups.

  3. Select the software update group for which you want to download content.

  4. On the Home tab, in the Update Group group, click Download. The Download Software Updates Wizard opens.

  5. Configure the settings in the wizard. After you complete the wizard, the content files for the software updates in the software update group are downloaded, and then copied to the distribution points specified.

  6. To monitor the content status for the software updates, click Monitoring.

  7. In the Monitoring workspace, expand Distribution Status, and then click Content Status.

  8. Select the deployment package that you chose in the wizard for the software updates in the software update group.

  9. On the Home tab, click View Status.

Deploy the Software Update Group

After you determine what software updates you want to deploy and add the software updates to a software update group, you can manually deploy the software updates in the software update group. Use the following procedure to manually deploy the software updates in a software update group.

To manually deploy the software updates in a software update group

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Software Updates, and click Software Update Groups.

  3. Select the software update group that you want to deploy.

  4. On the Home tab, in the Deployment group, click Deploy. The Deploy Software Updates Wizard opens.

  5. Configure the settings in the wizard. After you complete the wizard, the software updates in the software update group are deployed to clients in the target collection.
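The following PowerShell script is an added example and is not code from the original page or from Microsoft. It runs the manual workflow above end to end (specify criteria, create the software update group, download the content, deploy the group) with the ConfigurationManager PowerShell module, which ships with the console from Configuration Manager 2012 SP1 onward; the release this page describes offers the console steps only. The site code PS1, server CM01, collection name, package name and source path are assumptions, and cmdlet parameters differ between versions, so check each cmdlet with Get-Command -Syntax before running it.

```powershell
# Added example, not code from the original page. Requires the ConfigurationManager
# module (console from 2012 SP1 or later). Assumed names: site code PS1, site
# server CM01, collection 'Pilot Workstations', deployment package and source path.
# Parameter names are those of the SP1-era cmdlets; verify with
# Get-Command <cmdlet> -Syntax on your console version.

Import-Module "$(Split-Path $env:SMS_ADMIN_UI_PATH -Parent)\ConfigurationManager.psd1"
Set-Location 'PS1:'   # the module exposes each site as a PSDrive named for its site code

# Step 1: search criteria. Filtering on the object properties makes the rule
# explicit: security or critical classification, required on more than 50
# clients, and neither expired nor superseded (expired content cannot be
# downloaded and superseded updates are replaced by the update that supersedes them).
$candidates = @(Get-CMSoftwareUpdate | Where-Object {
    -not $_.IsExpired -and -not $_.IsSuperseded -and
    $_.NumMissing -gt 50 -and
    ($_.LocalizedCategoryInstanceNames -contains 'Security Updates' -or
     $_.LocalizedCategoryInstanceNames -contains 'Critical Updates')
})
if ($candidates.Count -eq 0) { throw 'No software updates match the criteria; nothing to deploy.' }

# Step 2: create the software update group with a name that says what is in it.
$groupName = "Baseline security-critical, required >50 clients, $(Get-Date -Format yyyy-MM-dd)"
New-CMSoftwareUpdateGroup -Name $groupName `
    -Description 'Created by script from Get-CMSoftwareUpdate criteria' `
    -UpdateId ($candidates | ForEach-Object { $_.CI_ID }) | Out-Null

# Step 3: download the content into a deployment package before deploying,
# so content problems surface now rather than at the client.
$pkgName = 'Baseline 2011-03'
if (-not (Get-CMSoftwareUpdateDeploymentPackage -Name $pkgName)) {
    New-CMSoftwareUpdateDeploymentPackage -Name $pkgName -Path '\\CM01\Sources\Updates\Baseline-2011-03' | Out-Null
}
Save-CMSoftwareUpdate -SoftwareUpdateGroupName $groupName -DeploymentPackageName $pkgName

# Step 4: deploy the group as a required deployment to the pilot collection,
# with a one-week deadline and no forced restart (restarts are scheduled separately).
Start-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $groupName `
    -CollectionName 'Pilot Workstations' `
    -DeploymentName "$groupName - Pilot" `
    -DeploymentType Required `
    -AvailableDateTime (Get-Date) `
    -DeadlineDateTime (Get-Date).AddDays(7) `
    -UserNotification DisplayAll `
    -RestartServer $false -RestartWorkstation $false

# Confirm what was actually put into the group.
"$groupName contains $(@(Get-CMSoftwareUpdate -UpdateGroupName $groupName).Count) software updates"
```

Deploy to a pilot collection first and widen the collection only after the deployment status in Monitoring shows the pilot compliant; the script is written so that the collection name is the only thing that changes between the pilot and the production run.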

Automatically Deploy Software Updates

You can automatically deploy software updates by using automatic deployment rules. You will typically use this method of deployment for your monthly software updates (generally referred to as Patch Tuesday) and for managing definition updates. When the rule runs, the software updates that meet the specified criteria (for example, all security software updates released in the last week) are added to a software update group, the content files for the software updates are downloaded and copied to distribution points, and the software updates are deployed to client devices in the target collection.

Create an Automatic Deployment Rule

You can automatically approve and deploy software updates by using an automatic deployment rule. Use the following procedure to create an automatic deployment rule.

To create an automatic deployment of software updates

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Software Updates, and click Automatic Deployment Rules.

  3. On the Home tab, in the Create group, click Create Automatic Deployment Rule. The Create Automatic Deployment Rule Wizard opens.

  4. On the General page, configure the name and description for the rule, choose whether to select a deployment template to automatically populate many of the deployment settings, and select the target collection for the auto deployment rule.

  5. Decide whether to add software updates to a new or existing software update group. In most cases, you will probably choose to create a new software update group when the automatic deployment rule is run. The exception to this is if the rule runs on a more aggressive schedule. For example, if you are running the rule daily for definition updates then you should choose to add the software updates to an existing software update group.

  6. Decide whether to select Enable the deployment after the rule is run. Consider the following to help you to decide whether to select this setting:

    • When you enable the deployment, the software updates that meet the criteria defined in the rule are added to a software update group, the content is downloaded for the software updates (unless it is already downloaded), the content is copied to the distribution points that are specified, and the software updates are deployed to the clients in the target collection.

    • When you do not enable the deployment, the software updates that meet the criteria defined in the rule are added to a software update group. The software updates deployment policy is configured but the software updates are not downloaded or deployed to clients. This allows you to prepare to deploy the software updates, verify that the software updates that meet the criteria are adequate, and then at a later time enable the deployment.

  7. Configure the settings on the remaining pages in the wizard. After you complete the wizard, the automatic deployment rule will run, add the software updates that meet the specified criteria to a software update group, and the software update group is deployed to clients in the target collection (if you enable the deployment).

Monitor Software Update Group Deployment Status

After you deploy the software updates in a software update group, you can monitor the software update group for deployment status. Use the following procedure to monitor a software update group for deployment status.

To monitor software update group deployment status

  1. In the Configuration Manager console, click Monitoring.

  2. In the Monitoring workspace, click Deployments.

  3. Click the software update group for which you want to view deployment status.

  4. On the Home tab, in the Deployment group, click View Status.
