Before you deploy software updates to client computers in Configuration Manager 2007, a scan for software updates compliance should be initiated on client computers. For each software update, a state message is created that contains the compliance state for the update. The state messages are sent in bulk to the management point and then to the site server, where the compliance state is inserted into the site database. Compliance state for software updates is displayed in the Configuration Manager console, and software updates can be deployed and installed on client computers that require the updates. The following sections provide information about the compliance states and describe the process for scanning for software updates compliance.

Software Updates Compliance States

The following table lists and describes each compliance state that is displayed in the Configuration Manager console for software updates.

State Description

Required

Specifies that the software update is applicable and required on the client computer. Any of the following conditions could be true when the software update state is Required:

  • The software update has not been deployed to the client computer.

  • The software update has been installed on the client computer, but the most recent state message has not yet been inserted into the database on the site server. The client computer rescans for the update after the installation completes. There might be a delay of up to two minutes before it sends the updated state to the management point, which then forwards it to the site server.

  • The software update has been installed on the client computer, but the software update installation requires a computer restart before it completes.

  • The software update has been deployed to the client computer but not yet installed.

Not Required

Specifies that the software update is not applicable on the client computer, and therefore, the software update is not required.

Installed

Specifies that the software update is applicable on the client computer and that the client computer already has the software update installed.

Unknown

Specifies that the site server has not received a state message from the client computer, typically because:

  • The client computer did not successfully scan for software updates compliance.

  • The scan completed successfully on the client computer, but the state message has not been processed yet on the site server, possibly due to a state message backlog.

  • The scan completed successfully on the client computer, but the state message has not been received from the child site.

  • The scan completed successfully on the client computer, but the state message file was corrupted in some way and could not be processed.

Scan for Software Updates Compliance Process

When the active software update point is installed and synchronized, a site-wide machine policy is created that informs client computers that the Configuration Manager 2007 software updates feature has been enabled for the site. When a client computer receives the machine policy, a compliance assessment scan is scheduled to start randomly within the next two hours. When the scan is initiated, a component of the Software Updates Client Agent clears the scan history, submits a request to find the WSUS server that should be used for the scan, and updates the local Group Policy with the WSUS server location.

Note
Internet-based clients and clients attached to a site configured for native mode must connect to the WSUS server by using Secure Sockets Layer (SSL).

A scan request is passed to the Windows Update Agent (WUA). The WUA then connects to the WSUS server location listed in the local policy, retrieves the software updates metadata that has been synchronized on the WSUS server, and scans the client computer for the updates. A component of the Software Updates Client Agent detects that the scan for compliance has completed, and it creates state messages for each software update that had a change in compliance state since the last scan. The state messages are sent to the management point in bulk every 15 minutes. The management point then forwards the state messages to the site server, where the state messages are inserted into the site server database.

After the initial scan for software updates compliance, the scan is initiated at the scan schedule. However, if the client has scanned for software updates compliance within the time frame indicated by the Time-to-Live (TTL) value, the client will use the software updates metadata that is stored locally. When the last scan is outside of the TTL, the client must connect to WSUS running on the active software update point and update the software updates metadata stored on the client.

Including the scan schedule, the scan for software updates compliance can initiate in the following ways:

  • Scan schedule: The scan for software updates compliance initiates at the configured scan schedule, which is configured on the General tab in the Software Updates Client Agent properties.

  • Configuration Manager Properties action: The user can initiate the Software Updates Scan Cycle or Software Updates Deployment Evaluation Cycle action from the Configuration Manager Properties dialog box on the client computer.

  • Deployment reevaluation schedule: The deployment evaluation and scan for software updates compliance initiates at the configured deployment reevaluation schedule, which is configured on the Deployment Re-evaluation tab in the Software Updates Client Agent properties.

  • Prior to downloading update files: When a client computer receives an assignment policy for a new mandatory deployment, the software update files are downloaded to the local cache. Prior to downloading the update files, a scan is initiated to verify that the update is still required.

  • Prior to update installation: Just prior to software update installation, a scan is initiated to verify that the update is still required.

  • After update installation: Just after a software update installation completes, a scan is initiated to verify that the update is no longer required and to create a new state message that indicates the update has been installed. When the installation has finished but a restart is necessary, the state will indicate that the client computer is pending a restart.

  • After system restart: When a client computer was pending a system restart for the software update installation to complete, a scan is initiated after the restart to verify that the update is no longer required and to create a state message that indicates the update has been installed.

Time to Live Value

The software updates metadata that is required for the scan for software updates compliance is stored on the local client computer and is relevant for up to 24 hours by default. This value is known as the Time to Live (TTL).

Scan for Software Updates Compliance Types

The client will scan for software updates compliance using an online or offline scan and a forced or non-forced scan, depending on the way the scan for software updates compliance is initiated. The following table describes which methods for initiating the scan are online or offline and whether the scan is forced or non-forced.

| Scan Method | Scan Type | Description |
| --- | --- | --- |
| Scan schedule | Non-forced online scan | At the configured scan schedule, the client will connect to WSUS running on the active software update point to retrieve the software updates metadata only when the last scan was outside of the TTL. |
| Software Updates Scan Cycle; Software Updates Deployment Evaluation Cycle | Forced online scan | The client computer always connects to WSUS running on the active software update point to retrieve the software updates metadata prior to scanning for software updates compliance. After the scan completes, the TTL counter is reset. For example, if the TTL is 24 hours, after a user initiates a scan for software updates compliance, the TTL is reset to 24 hours. |
| Deployment reevaluation schedule | Non-forced online scan | At the configured deployment reevaluation schedule, the client will connect to WSUS running on the active software update point to retrieve the software updates metadata only when the last scan was outside of the TTL. |
| Prior to downloading update files | Non-forced online scan | Prior to downloading update files in mandatory deployments, the client will connect to WSUS running on the active software update point to retrieve the software updates metadata only when the last scan was outside of the TTL. |
| Prior to update installation | Non-forced online scan | Prior to installing software updates in mandatory deployments, the client will connect to WSUS running on the active software update point to retrieve the software updates metadata only when the last scan was outside of the TTL. |
| After update installation | Forced offline scan | After a software update has been installed, a scan is initiated using the local metadata. The client will never connect to WSUS running on the active software update point to retrieve software updates metadata. |
| After system restart | Forced offline scan | After a software update has been installed and the computer has been restarted, a scan is initiated using the local metadata. The client will never connect to WSUS running on the active software update point to retrieve software updates metadata. |
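
The TTL and forced/online rules described above, as an added example that is not part of the original documentation: a small Python model that replays a sequence of scan triggers and reports which ones contact WSUS. The trigger names, the class and the sample timeline are constructed for illustration, and the model assumes the TTL is measured from the last metadata retrieval and restarts on every retrieval (the page states the reset only for forced online scans).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Trigger -> (forced, online), transcribed from the scan types table.
# The key names are labels made up for this example.
SCAN_TYPES = {
    "scan_schedule": (False, True),
    "scan_cycle_action": (True, True),
    "deployment_evaluation_action": (True, True),
    "deployment_reevaluation_schedule": (False, True),
    "before_download": (False, True),
    "before_install": (False, True),
    "after_install": (True, False),
    "after_restart": (True, False),
}

@dataclass
class ClientScanModel:
    ttl: timedelta = timedelta(hours=24)       # default TTL stated on the page
    metadata_time: Optional[datetime] = None   # last metadata retrieval from WSUS

    def scan(self, trigger: str, now: datetime) -> bool:
        """Return True when this scan contacts WSUS for fresh metadata."""
        forced, online = SCAN_TYPES[trigger]
        if not online:
            return False  # forced offline scan: local metadata only
        expired = (self.metadata_time is None
                   or now - self.metadata_time > self.ttl)
        if forced or expired:
            # Assumption: every retrieval restarts the TTL window.
            self.metadata_time = now
            return True
        return False  # non-forced scan inside the TTL: local metadata

def replay(events, ttl_hours=24):
    """Replay (hour_offset, trigger) pairs; return (hour, trigger, contacted)."""
    start = datetime(2024, 1, 1)  # constructed start time
    client = ClientScanModel(ttl=timedelta(hours=ttl_hours))
    return [(h, t, client.scan(t, start + timedelta(hours=h))) for h, t in events]

# Constructed timeline: one mandatory deployment followed by a user-initiated scan.
SAMPLE_TIMELINE = [
    (0, "scan_schedule"), (6, "before_download"), (7, "before_install"),
    (8, "after_install"), (9, "after_restart"), (10, "scan_cycle_action"),
    (30, "scan_schedule"), (35, "deployment_reevaluation_schedule"),
]

if __name__ == "__main__":
    for hour, trigger, contacted in replay(SAMPLE_TIMELINE):
        print(f"t+{hour:>2}h {trigger:<34} WSUS contacted: {contacted}")
```

In the sample timeline only the first scan, the user-initiated scan cycle and the reevaluation 25 hours after it retrieve metadata; every other compliance result in that window is computed against the locally cached metadata.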
