The software updates feature was introduced with Systems Management Server (SMS) 2003 and provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise. The same basic objectives are achieved, but software updates in Microsoft System Center Configuration Manager 2007 provides more advanced configuration options and utilizes new components and improved technology to achieve these objectives.

Comparing SMS 2003 and Configuration Manager Software Updates

To better illustrate the changes in the software update process in Configuration Manager, the following table outlines a typical scenario for deploying new software updates to a standard set of client computers:

| Feature | SMS 2003 ITMU | Configuration Manager 2007 |
|---|---|---|
| Compliance Assessment | Multiple scan tools. Offline CAB file for scanning. | Configuration Manager client agent uses the Windows Update Agent (WUA) on client computers to connect to Windows Server Update Services (WSUS) on the Configuration Manager software updates point. |
| Update Categories | Security updates, update rollups, service packs, and non-Microsoft updates. | All Microsoft update categories and non-Microsoft updates. |
| Scan Results | Results reported using hardware inventory. | Results reported using state messages. State messages are more timely and more accurate. Does not require hardware inventory. |
| Deployments | Uses software distribution packages, programs, and advertisements. | Uses deployments instead of advertisements and does not use regular software distribution packages. Deployments do not require a 1:1 relationship with deployment packages. Allows multiple deployments and better reporting. |
| Admin Experience | Admin has to run a 17-step wizard every time an update is added or changed. Every language version of every update is listed. | Templates save common settings. Search folders group updates according to administrator criteria. Update lists facilitate reporting and deployment. Homepage provides a status summary. Language versions are bundled under a single update. |
| Update Binaries | Either had to download the entire package or run from the distribution point. | Client selectively downloads only missing applicable updates. |

Software Update Point Site System Role

The software update point is installed as a site system role in the Configuration Manager console. Each site must have an active software update point before the software updates feature is enabled. A second software update point can be installed to handle the communications from Internet-based client computers. The software update point site system role must be created on a server that has Windows Server Update Services (WSUS) 3.0 already installed and configured. The software update point provides the communication with WSUS and synchronizes with the WSUS database to retrieve the latest software update metadata from Microsoft Update, as well as locally published software updates. For more information, see About the Software Update Point.

Software Updates Client Agent

The Software Updates Client Agent in Configuration Manager 2007 is enabled by default, and client agent components are installed on client computers with the other Configuration Manager client components. The Software Updates Client Agent handles scan requests for software updates compliance, software update evaluation requests, deployment policies for the client, and content download requests. Configuration Manager 2007 clients do not use the Automatic Updates client to retrieve or install updates. For more information, see About the Software Updates Client Agent.

Software Updates Compliance Data on Clients

Configuration Manager 2007 no longer uses hardware inventory to report the compliance for software updates on Configuration Manager 2007 client computers. Client computers now create state messages that contain the compliance assessment data and send these messages to the management point, which in turn sends the data to the site server. The compliance assessment data is displayed in the Configuration Manager console and in Software Updates compliance reports.

Inventory Scan Tools

Configuration Manager client computers no longer use a variety of inventory scan tools to scan for software update compliance; instead, they use the Windows Update Agent (WUA). There are several inventory scan tools in SMS 2003 that scan client computers for software update compliance. When a site is upgraded to Configuration Manager 2007 and the Inventory Tool for Microsoft Updates is found on the site server, most likely the central site, the tool is automatically upgraded. After the upgrade, the Inventory Tool for Microsoft Updates is fully operational for SMS 2003 client computers at the site; the Inventory Tool for Custom Updates is supported, but with conditions; and the other scan tools have very limited support. Using the scan tools on Configuration Manager 2007 client computers is not supported. For more information, see Planning the SMS 2003 Software Updates Upgrade.

Software Update Bundles

SMS 2003 displayed the same software update multiple times in the SMS Administrator console for each language and product for the update. Configuration Manager 2007 has introduced the concept of software update bundles, where a software update is displayed only once in the Configuration Manager console. Software update deployments are initiated by selecting the bundle update, and when creating the deployment the administrator can define which language specific update files will be downloaded and made available to client computers.

Note
After upgrading from SMS 2003, software updates that existed for each language and product are still displayed in the Configuration Manager 2007 console and to the client if they are available to install, but they have the word Legacy appended to them.

Software Updates Supersedence

Supersedence is when a new software update contains the same fixes that were in a previously released software update. In the past, new and previously released software updates, which contained the same fix, might have both been marked as required when the only one that was necessary was the newer software update.

In Configuration Manager 2007, software updates uses the Windows Update Agent, which partially addresses the issue of supersedence. When new software updates are released that contain fixes for previously released updates, Microsoft Update is refreshed with information relating to the new software update and any software updates that it supersedes. As client computers scan for software update compliance, any required software updates that supersede previous updates are returned with a compliance state, but the previously released software updates are not returned. The exception to this is when a service pack contains a required software update. The Windows Update Agent returns both the software update and the service pack with a required compliance state. This provides administrators with the flexibility to deploy individual software updates or full service packs.
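
The supersedence rule described above can be modeled in a few lines. This is an added example, not Microsoft or Windows Update Agent code: the Update class, both function names, and the catalog IDs are constructed for illustration, and a service pack "containing" an update is modeled as the service pack superseding it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    update_id: str                # constructed ID, not a real KB or bulletin number
    missing_on_client: bool       # the fix is applicable and not yet installed
    supersedes: tuple = ()        # IDs of earlier updates whose fixes this one contains
    is_service_pack: bool = False


def required_without_supersedence(catalog):
    """Earlier behaviour: every missing update is flagged as required."""
    return {u.update_id for u in catalog if u.missing_on_client}


def required_with_supersedence(catalog):
    """Model of the scan result described in this section.

    A missing update is dropped from the result when a missing,
    non-service-pack update supersedes it. A service pack never hides
    the updates it contains, so both are reported as required.
    """
    missing = [u for u in catalog if u.missing_on_client]
    hidden = {
        old_id
        for u in missing
        if not u.is_service_pack
        for old_id in u.supersedes
    }
    return {u.update_id for u in missing if u.update_id not in hidden}


# Constructed catalog for a single client computer.
CATALOG = [
    Update("UPD-001", True),
    Update("UPD-002", True, supersedes=("UPD-001",)),   # newer fix replaces UPD-001
    Update("UPD-003", True),
    Update("SP-1", True, supersedes=("UPD-003",), is_service_pack=True),
    Update("UPD-004", False),                           # already installed
]

if __name__ == "__main__":
    print("without supersedence:", sorted(required_without_supersedence(CATALOG)))
    print("with supersedence:   ", sorted(required_with_supersedence(CATALOG)))
```

When auditing compliance counts, the difference between the two results is the set of updates that drop out of the required state without ever being installed individually.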

Deploying Software Updates

Software updates are deployed to client computers using the Deploy Software Updates Wizard, much as they are in SMS 2003, but new objects have been introduced and there have been changes to the deployment process. The following sections briefly describe these changes.

Deployments

Configuration Manager 2007 no longer uses advertisements for delivering software updates. Software update deployments are now used as the vehicle that delivers software updates to client computers. The deployment properties contain the relevant information about the software updates in the deployment, the target collection, the settings that impact client behavior when running the deployment, the deployment schedule settings, and so on. When a deployment is created, client computers receive it as part of the Configuration Manager policy. For more information, see About Software Update Deployments.

Deployment Packages

Deployment packages are used to host the files for the software updates in a deployment, much like software distribution packages. The main difference is that the deployment package is used to get the files to the distribution points, but once that process completes, client computers will access the software update files from any package shared folder on any distribution point regardless of whether the package was defined in the deployment that targeted the client. When the client computer receives a new deployment, it determines where the software update files are located, independent of the deployment, and installs from the preferred location. For more information, see About Software Update Deployment Packages.

Selective Download

Configuration Manager 2007 provides selective download technology. This technology allows a deployment package to contain a large number of files, but client computers will retrieve only the files that are required. For example, if a client receives a deployment that contains ten software updates but only two of them are required on the client computer, the client will connect to the distribution point and download only the files that it needs.

Deployment Templates

Deployment templates provide the ability to save a set of deployment properties for use in future software update deployments. When a deployment template is used in creating a new deployment, it populates the deployment with the preconfigured properties. This provides consistency among deployments with similar requirements and saves a lot of administration time. For more information, see About Deployment Templates in Software Updates.

Update Lists

Update lists provide the ability to initiate a deployment for a set of software updates contained in the list. Using the update list provides several benefits when deploying and monitoring software updates and is, therefore, part of the recommended software updates workflow. Update lists allow administrators to create a deployment from the update list instead of manually selecting the set of updates every time a new deployment is created. They allow administrators to use reports for specific update lists to monitor the compliance for the software updates and help troubleshoot updates contained in the list. Update lists also allow administrators to create update lists with approved updates, and then delegate the responsibility to deploy the update lists. For more information, see About Update Lists in Software Updates.

Network Access Protection

Network Access Protection (NAP) is a policy enforcement platform built into the Windows Vista and Windows Server 2008 operating systems that allows you to better protect network assets by enforcing compliance with system health requirements.

Configuration Manager 2007 provides Network Access Protection as a new feature, which lets you include software updates in your system health requirements. Configuration Manager NAP policies define which software updates to include, and a Configuration Manager System Health Validator point passes the client's compliant or non-compliant health state to the Network Policy Server. The Network Policy Server then determines whether the client has full or restricted network access, and whether non-compliant clients will be brought into compliance through remediation.

For more information, see Network Access Protection in Configuration Manager.

Upgraded Administrators Do Not Have Access to New Software Updates Objects

After upgrading, the user who ran the upgrade has access to all of the objects in the Configuration Manager 2007 console, but existing administrators have access only to objects that existed prior to the upgrade. This is true even for software updates objects. Users who had full rights to all SMS 2003 software updates objects will have full rights to the same objects in Configuration Manager 2007 but will not have any rights to new software updates object types, such as update lists and deployment templates.

Software Updates Reporting

The predefined software updates reports and underlying software updates SQL Server views have been modified in Configuration Manager 2007 to work with the new software updates infrastructure. During a site upgrade, the Systems Management Server 2003 reports are migrated, but they might fail to run or retrieve the expected data. Most of the software updates reports use state messages sent from client computers, not hardware inventory results, to report on the state for compliance or for a process. Several new reports have been created to support software updates in Configuration Manager and are grouped in the following categories:

  • Software Updates - A. Compliance

  • Software Updates - B. Deployment Management

  • Software Updates - C. Deployment States

  • Software Updates - D. Scan

  • Software Updates - E. Troubleshooting

  • Software Updates - F. Distribution Status

For a complete list of the software updates reports, see About Software Updates Reports.
