The deployment package is the vehicle used to download software updates to a network shared folder and copy the software update source file to distribution points defined in the deployment. Software updates can be downloaded and added to deployment packages prior to deploying them by using the Download Updates Wizard. This wizard provides administrators with the ability to provision software updates on distribution points and verify that this part of the deployment process was successful.

When downloaded software updates are deployed using the Deploy Software Updates Wizard, the deployment automatically uses the deployment package that contains each software update. When software updates that haven't been downloaded are deployed, a new or existing deployment package must be specified in the Deploy Software Updates Wizard and the updates are downloaded to the package when the wizard completes.

Important
The shared folder for the deployment package source files must be manually created prior to specifying it in the wizard. Each deployment package must use a different shared folder.
Important
The SMS Provider computer account and the user who will actually download the software updates both require write access to the package source. Restrict access to the package source to reduce the risk of attackers tampering with the software updates source files in the package source.
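
One way to check the restriction described above, as an added example that is not part of the original documentation or of Configuration Manager: the hypothetical function Get-UnexpectedWriteAccess lists every principal with modify-level NTFS rights on a package source folder that is not on an expected-writers list. The function name, account names and demo folder are constructed placeholders.

```powershell
# Added example: list principals, other than the expected ones, that can modify a
# deployment package source folder. All names and paths here are constructed.
function Get-UnexpectedWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedWriters
    )

    # Rights that allow changing or replacing update files, or loosening the ACL.
    $mask = [int]([System.Security.AccessControl.FileSystemRights]`
        'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
    # Inherit-only ACEs can carry raw generic bits: GENERIC_WRITE and GENERIC_ALL.
    $mask = $mask -bor 0x40000000 -bor 0x10000000

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Deny entries never grant access, so only Allow entries are examined.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $granted = [int]$ace.FileSystemRights -band $mask
        $who = $ace.IdentityReference.Value
        if ($granted -eq 0 -or $AllowedWriters -contains $who) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Constructed demo: a scratch folder stands in for the package source share, and
# the two allowed writers stand in for the SMS Provider computer account and the
# administrator who downloads updates.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'PkgSourceDemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Get-UnexpectedWriteAccess -Path $demo -AllowedWriters 'EXAMPLE\CMPROV01$', 'EXAMPLE\patchadmin' |
    Format-Table -AutoSize
```

Get-Acl reports NTFS permissions only, so the share-level permissions on the folder need a separate review. Built-in principals such as Administrators and SYSTEM appear in the output unless they are added to the allowed list.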

When a new deployment package is first created, the content version is set to 1 before any software updates are downloaded. When the software update files are downloaded to the package, the content version is incremented to 2. Because of this, all new deployment packages will start with a content version of 2. Each time the content changes in a deployment package, the content version is incremented by 1.

Deployment Packages Are Not Linked to Deployments

There is no hard link between a deployment and deployment package. Clients install software updates in a deployment by using any distribution point that has the software updates available, regardless of the deployment package. Even if a deployment package is deleted for an active deployment, clients are still able to install the software updates in the deployment as long as each update has been downloaded to at least one other deployment package and is available on a distribution point accessible from the client. When the last deployment package that contains a software update is deleted, client computers will not be able to retrieve the update until the software update is downloaded again to a deployment package.

Software updates display with a red arrow in the Configuration Manager console when the update files are not in any deployment packages. Deployments display with a double red arrow if they contain any updates in this condition. The Deployments Containing Deleted Software Updates section below provides more information.

Deployment Package Access Accounts

Deployment Package access accounts enable you to set permissions to specify users and user groups that can access a deployment package folder on distribution points. By default, Configuration Manager 2007 makes these folders available to all users. If deployment packages contain sensitive data or should otherwise have restricted access, you can configure deployment package access accounts to limit access to specific users and user groups.

For each account, you specify the permissions that users and user groups can have. The following table lists the permissions that can be specified.

Permission: Description

No Access: Prevents the account from reading, writing, or deleting files on the shared folder for the deployment package.

Read: Enables the account to view and copy files, run programs, change folders within the shared folder, and read extended attributes of files. By default, Configuration Manager grants the Users and Guests generic accounts Read permission to the shared folder for the deployment package on distribution points.

Change: Enables the account to change the contents and extended attributes of files and to delete files. Change permission is required for applications that need to write information back to the shared package folder on the distribution point.

Full Control: Enables the account to write the contents and extended attributes of files, and to delete files. By default, the Administrators generic account has Full Control permission so that the Configuration Manager 2007 components can access the deployment package data.

The generic deployment package access accounts (Users, Guests, and Administrators) are mapped to operating system-specific accounts, and the appropriate rights on each operating system are applied to the deployment package folder on the distribution point.

Important
If you remove the Administrators default account, Configuration Manager 2007 components cannot update and modify the deployment package data.
Important
In some cases, removing the Users group as a package access account might cause deployment to fail. If the distribution point is in a native mode site, you must add IUSR_<computername> as a package access account with the permissions required to access the package.

If a client computer does not have sufficient rights to the deployment package folder, the software update will fail to install.

Deployment Package Distribution Points

Configuration Manager 2007 uses distribution points to store the files needed to deploy software updates to client computers. To run a software update installation, client computers must have access to at least one distribution point that contains the update. Therefore, you should specify for each deployment package a group of distribution points that can be accessed by all targeted clients.

You can have multiple distribution points in each site. By default, the site server is the only site system used as a distribution point. To reduce the load on the site server, additional distribution points should be configured at each site. For more information, see About Distribution Points.

Selective Download

Configuration Manager 2007 client computers identify which targeted software updates are applicable and retrieve only the files for required updates from the deployment package contents, which might contain both required and not required software updates. This allows administrators to have multiple software updates in a single deployment package and use the package in deployments that target client computers that need only a subset of the deployment package contents. As a best practice, it is recommended that fewer than 500 software updates are added to a single deployment package.

Important
Selective download is not available on SMS 2003 clients. These clients download the entire deployment package contents regardless of how many software updates are applicable in the package. When creating SMS 2003 deployments, it is recommended that you use deployment packages containing only the applicable software updates for the client. Otherwise, unnecessary hard drive space is used on the clients. Alternatively, SMS 2003 clients can be configured to install software updates directly from the distribution point (run from network).

Removing Updates from a Deployment Package

Before removing software updates from a deployment package, you should verify that the update is not part of an active software update deployment or that the update has been downloaded to a different deployment package. When the last deployment package that contains a software update is deleted, client computers will no longer be able to retrieve the update until the software update is downloaded again to a deployment package.

When deleting a software update from a deployment package, the Delete Updates dialog box appears to allow you to cancel the process or confirm it and choose whether to remove the update file from the distribution points configured for the package. If the software update is in an active deployment and no other deployment packages contain the update, the Software Update Deployment Deletion Confirmation dialog box is displayed. When a NAP enabled software update is deleted from a deployment package and no other deployment packages contain the update, a warning dialog box is displayed. For the step-by-step procedure, see How to Delete a Software Update from a Deployment Package.

When software updates are removed from a deployment package, the software update no longer displays in the \Deployment Packages\<package name>\Software Updates console tree node, the Downloaded property for the software updates displays as "No" if the update is not downloaded to another package, and the update file is removed from the deployment package source.

Deployments Containing Deleted Software Updates

When a software update is being removed from a deployment package, the update is not in any other packages at the site, and the update is in an active deployment, client computers will not be able to install the software update. Also, the icon for the software update in the Configuration Manager console displays a red arrow and the icon for the deployment that contains a software update that is missing content displays a red double arrow. For a list of the icons used by software updates, see Icon Glossary for Software Updates.

Deleting a NAP Enabled Software Update from a Deployment Package

When a software update is being removed from a deployment package, the update is not in any other packages at the site, and NAP evaluation has been enabled for the software update, a warning appears asking for confirmation to delete the software update. If the deletion is accepted, the NAP policy is deleted from the NAP Policies console tree node and then tombstoned from the site server database.

Checking for Deployment Package Status

The Package Status console tree node in Configuration Manager 2007 displays summary information about each package for each site to which the package is targeted. The Package Status node displays under each deployment package, where it provides information about the specific package, or under the System Status console tree node, where it displays all packages and deployment packages together. This allows you to easily verify that a deployment package has been successfully provisioned on distribution points.
