There are software updates settings and general site settings that have an impact on software updates in Configuration Manager 2007. These settings configure the active software update point and determine what updates are synchronized, whether there are maintenance windows for installing updates, how much time software updates have to complete, whether software updates are included in a Network Access Protection (NAP) evaluation, and so on.
|Before client computers can scan for software update compliance and before deployments can be created that target client computers, the software updates environment must be planned and configured. For more information, see Administrator Checklist: Planning and Preparing Software Updates.
Software Update Point Settings
The software update point site system role is required before software updates can be synchronized, assessed for compliance on clients, and deployed. Multiple site system servers can have the software update point site system role, but only one site system server can be configured as the active software update point. When the site is in Native mode, an additional active Internet-based software update point can be assigned to a remote site system server that allows communication from only Internet-based client computers. Additionally, if the active software update point is configured as a Network Load Balancing (NLB) cluster, a site system server with the software update point site role should be created for each server in the NLB cluster. For information about planning for the software update point in your environment, see Planning for the Software Update Point Settings.
Planning for Maintenance Windows
Maintenance windows provide administrators with a way to define a period of time that limits when changes can be made on the systems that are members of a collection. Maintenance windows restrict when the software updates in deployments can be installed on client computers, as well as operating system advertisements and software distribution advertisements. For more information about how to configure maintenance windows, see How to Set a Maintenance Window.
Client computers determine whether there is enough time to start a software update installation by using the following three settings:
- Restart countdown: Specifies the
length of the client restart notification (in minutes) for
computers in this site. The default setting is 5 minutes. This
setting is available as a global setting in the Computer Client
Agent Properties dialog box.
- System restart turnaround Time:
Specifies the length of time given for computers to initiate the
system restart and reload the operating system. This setting is
stored in the site control file for the site and has a default
value of 10 minutes.
- Maximum run time: Specifies the amount
of time that is estimated for a software update to install. The
default setting is 20 minutes for updates and 60 minutes for
service packs. This setting can be modified for individual software
updates on the Maximum Run Time tab for the properties for
the software update.
When these settings are used to determine the available maintenance window, each software update has a default of 35 minutes (75 minutes for service packs). When planning for maintenance windows, take these defaults into consideration. When planning software update deployments to client computers, be aware of the configured maintenance window, how many software updates are in a deployment (so that you can forecast whether client computers will be able to install the updates within the maintenance window) and whether the update installation will span multiple maintenance windows. When software update installation has completed, but there is not enough time in the maintenance window for the computer to restart, the computer will wait until the next maintenance window and initiate the restart before installing pending update installations.
When there are multiple software updates to be installed on a client computer with a configured maintenance window, the update with the lowest maximum run time installs first, the update with the next lowest maximum run time installs next, and so on. Before installing each update, the client verifies that the available maintenance window is long enough to install the update. After an update starts installing, it will continue to install even if the installation goes beyond the end of the maintenance window.
When creating a software update deployment, there are two settings that allow maintenance windows to be ignored as follows:
- Allow system restart outside of
maintenance windows: Specifies whether to allow system restarts
for both workstations and servers outside of configured maintenance
windows. By default, this setting is not enabled. This setting is
beneficial when you want your software update installation to
complete on client computers as soon as possible. When this setting
is not specified, a system restart will not be initiated if the
maintenance window ends in 10 minutes or less. This could prevent
the installation from completing and leave the client computer in a
vulnerable state until the next maintenance window. This setting is
available on the Restart Settings page of the Deployment
Template Wizard or Deploy Software Updates Wizard.
- Ignore maintenance windows and install
immediately at deadline: Specifies whether the software updates
in the deployment are installed at the deadline regardless of a
configured maintenance window. By default, this setting is not
enabled and is available only when there is a deadline configured
for the deployment. This setting is beneficial when there are
software updates that must be installed on client computers as soon
as possible, such as the updates in an expedited deployment. This
setting is available on the Schedule page of the Deploy
Software Updates Wizard.
Planning for Settings on Software Updates
The Software Updates Client Agent properties dialog box contains three tabs that provide configuration settings to enable software updates and configure the software updates settings on client computers. Use the following procedure to open the properties dialog box.
To open the properties dialog box for a software update
In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Computer Management / Software Updates / Update Repository. For information about where software updates can be displayed, see How to Find Software Updates in Configuration Manager.
Right-click the software update, and then click Properties.
The following client settings can be configured in the properties for the software update.
Maximum Run Time Tab
The Maximum Run Time tab in the properties dialog box for a software update allows you to set the maximum amount of time a software update has to complete installation on client computers. If the maximum run-time value has been reached, a status message is created and the deployment is no longer monitored for software update installation. This setting is also used to determine whether the software update installation should be initiated within a configured maintenance window. If the maximum run-time value is greater than the time left in the maintenance window, software update installation is not initiated until the start of the next maintenance window. This setting can be configured only on the site that synchronizes with Microsoft Update, most likely the central site.
|Ensure that the maximum run-time value is not set for more time than the configured maintenance window or the software update installation will never initiate.
Some software updates might take more time to install than the default setting allows. Increasing the Maximum run time (minutes) setting to accommodate larger software updates is recommended.
The Maximum run time (minutes) setting specifies the maximum number of minutes that a software update installation has to complete before the installation is no longer monitored by Configuration Manager. This setting is also used to determine whether there is enough time to install the update before the end of a maintenance window. The default setting is 60 minutes for service packs and 20 minutes for all other software update types. Values can range from 5 to 9999 minutes.
NAP Evaluation Tab
The NAP Evaluation tab is used to specify whether the software update is required for compliance when using Network Access Protection (NAP). Enable NAP evaluation to include the software update in a NAP policy that will become effective on NAP-capable clients based on the configured schedule. When the policy becomes effective, NAP-capable clients might have restricted access until they comply with the selected software update. Network restriction and remediation is dependent on how the policies are configured on the Windows Network Policy Server. This setting can be configured only on the site that synchronizes with Microsoft Update, most likely the central site.
Custom Severity Tab
The Custom Severity tab can be used to configure custom severity values for software updates if predefined severity values do not meet your needs. The custom values are listed in the Custom Severity column in the Configuration Manager console. The software updates can be sorted by the defined custom severity values, the search folder can be created based on these values, queries and reports can be created that can filter on these values, and so on. This setting can be configured only on the site that synchronizes with Microsoft Update, most likely the central site.
TasksHow to Find Software Updates in Configuration Manager
How to Set a Maintenance Window
ConceptsAdministrator Checklist: Planning and Preparing Software Updates
Planning for Software Updates Client Settings
Planning for the Software Update Point Settings
Other ResourcesComputer Client Agent Properties
Deploy Software Updates Wizard
Deployment Template Wizard
Planning for Software Updates
Software Update Name Properties