© 2012 Microsoft Corporation. All rights reserved.

Microsoft Confidential
 System Center 2012 Configuration Manager
Concepts & Administration Workshop
Lesson 7: Deploying Software Updates

Your Name

Premier Field Engineer

Microsoft
Conditions and Terms of Use
Microsoft Confidential
This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software
is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content
and/or software included in such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether
express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-
infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft
must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks

© 2012 Microsoft Corporation. All rights reserved.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
http://www.microsoft.com/about/legal/permissions/
Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
 Overview
Introduction to Software Updates Management
Features available
Reporting and troubleshooting

4 Microsoft Confidential
 Objective
After completing this lesson, you will be able to:
Install and configure a Software Update Point
Understand the different features involved in patch
management and how to manage them
Create manual and automated update deployments
Use reports to check update compliance states and
deployment status

5 Microsoft Confidential
 Introduction to Software Update Management
Patch Management process
Prerequisites
Capacity planning
Installation

6 Microsoft Confidential
Software Updates End-to-End Workflow
Enable and configure
Configure software Enable and
Start update components
Software Updates Client
configure Active SUP
Agent

Optional: Configure
multiple SUP using
Monitor deployment NLB
using reports Synchronize with
WSUS server

Optional: Create Software

Update Groups that contain
defined sets of updates.

Create a deployment using Yes Are Analyze whether

software software updates
Deployment Software Updates
Updates are required
Wizard or use Automatic
required?
Deployment Rule (new)

Optional: Download software

updates and provision the
updates on DP using Download
No
Updates Wizard.
 Software Update Point Prerequisites
Server prerequisites:
Windows Server Update Service (WSUS) 3.0 SP2
WSUS Administration Console if SUP is remote
Network Load Balancing (optional, see capacity planning)
SRS Reporting Point

Client prerequisites:
Latest version of Windows update agent

8 Microsoft Confidential
 Capacity Planning
The number of supported clients is dependent on the
version of Windows Server Update Services (WSUS) that
runs on the Software Update Point and on whether the
Software Update Point site system role co-exists with other
site system roles.
Role Limit
SUP co-exists with another site Up to 25,000*
system role
SUP on a separate box (without Up to 100,000
any other site server role)

Note: *NLB can be used to manage more than 25,000 clients.

9 Microsoft Confidential
 Installation
Installed as site system role
SUP can be installed on:
CAS site
Primary Site
Secondary Site
The first SUP must be installed on the CAS and will require
access to the internet to sync with Microsoft Updates.
If CAS does not have access to the internet then you can
use export/import functions of WSUSUtil tool to
synchronize software updates metadata.

10 Microsoft Confidential
 Installing the SUP Role on a Secondary Site

11 Microsoft Confidential
 Installation Recommendations

Ensure that clients managed by a site with an active SUP

are not targeted by a WSUS GPO
Do not re-use an existing WSUS infrastructure
Do not configure the WSUS Server
Consider using a custom web site for SUP

12 Microsoft Confidential
 Lab: Software Update Point Installation and
Configuration
Scenario
You are the administrator of the
Contoso Configuration Manager
hierarchy. You wish to install and
configure SUP into your
hierarchy

Goals
Ensure prerequisites are met
Install and configure a software
update point.
Configure client agent settings

13 Microsoft Confidential
 Lesson Review
Why is the WSUS admin console required on the
site server when installing the SUP ?
What should I do if I plan to manage more than
25,000 clients when using a SUP ?

14 Microsoft Confidential
 Lesson Summary
In this lesson, you learned:
How to plan for a SUP installation, including the
required components
How to complete a SUP installation

15 Microsoft Confidential
 Objective
After completing this lesson you will learn:
How to manage updates
How to create update groups
How to create update deployments

16 Microsoft Confidential
 Features Available
Superseded update support
SUM admin role (with RBA)
Client agent settings
Simplified update groups
Automated deployments
End user experience
Content library and cleanup
Migration from Configuration Manager 2007

17 Microsoft Confidential
 Superseded Updates Support

Publisher can expire or supersede

software updates

Configuration Manager 2007

automatically expires superseded
updates

System Center 2012 Configuration

Manager can:
Persist Configuration Manager 2007
behavior
Configure System Center 2012
Configuration Manager to not
automatically expire superseded updates

18 Microsoft Confidential
 SUM Administration Role (with RBA)
SUM Admin can initiate
specific actions (role) . . .

. . . on a specific set of
objects (scope)

Example: SUM admin for

servers can manage all
software updates for just the
server collection

19 Microsoft Confidential
 Client Agent Settings for SUM
New UI for client
agents settings

Settings can be
applied per Collection
so software updates
can be enabled or
disabled on select
systems

20 Microsoft Confidential
 Simplified Update Groups

Improved search to find updates

Update groups replace lists and deployments
New updates added to groups are automatically
deployed
Groups can be used for compliance or deployment

21 Microsoft Confidential
 Automated Deployments (new)

Automatic approval of selected updates

Scheduled or manually run
Useful for Patch Tuesday and Endpoint Protection
Objects created by rules are interactive:
Deployments can be enabled/disabled
Deployment can be added/removed from groups
Updates can be added/removed from groups
Deployment templates

22 Microsoft Confidential
 End User Experience

Uses the new Software

Center user interface
End user has better control
of their own experience:
Install/schedule updates
Use non-business hours
Admin can choose to hide
just pop-ups, or hide all end
user notifications

23 Microsoft Confidential
 Content Library and cleanup
Software updates stored in the Content Library
Maintenance task deletes expired updates and content

24 Microsoft Confidential
 Migration from Configuration Manager 2007
Migrate existing SUM objects:
Preserve existing update lists or
deployments
Persist use of update content on
Distribution Points (through
Distribution Point sharing or pre-
staging)
SUP configuration for products
and classifications must be the
same on both infrastructures
SCUP updates cannot be
migrated

25 Microsoft Confidential
Features that have not Changed from Configuration
Manager 2007
Maintenance Windows
Update will not be installed until next available service window
Potential system restart time period is factored into evaluation
If client is member of multiple collections – all applicable
maintenance windows will be honored
One time maintenance windows can prevent future update
deployments
Can be overridden
Internet-based client support
Wake-On-LAN integration
Selective download of binaries

26 Microsoft Confidential
 Lab: Software Update deployment
Scenario
You are the administrator of the
Contoso Configuration Manager
hierarchy and you wish to deploy
an update group to your clients

Goals
Create an update group
Create a manual and an
automated deployment
Check deployment status

27 Microsoft Confidential
 Lesson Review
What are the two types of update deployments?
Where does Configuration Manager store software updates?
How do you configure different software update policies for
servers and clients?

28 Microsoft Confidential
 Lesson Summary
In this lesson, you learned:
How to manage updates
How to create update groups
How to create update deployments

29 Microsoft Confidential
 Objective
In this lesson, you will learn:
How to use reports for software updates
How to troubleshoot software updates

30 Microsoft Confidential
 Reporting and Troubleshooting

Key compliance and deployment views

Detailed state of all deployments and assets
Error codes are interpreted
Software update synchronization status
monitoring
Alerts for software issues
Extensive update states available in out-of-box
reports

31 Microsoft Confidential
 Key Compliance Reports

32 Microsoft Confidential
 Deployment Status and Asset Views

33 Microsoft Confidential
 Using Reports for Troubleshooting

34 Microsoft Confidential
 Software Update Point Synchronization Status

35 Microsoft Confidential
 Alerts for software update issues

36 Microsoft Confidential
 Server Logs

Log Types of issues

SUPsetup.log Installation of SUP Site Role

WCM.log, WSUSCtrl.log Configuration of WSUS Server/SUP

WSyncMgr.log SMS/WSUS Updates Synchronization

Issues
Objreplmgr.log Policy Issues for Update
Assignments/CI Version Info policies

RuleEngine.log Auto Deployment Rules

37 Microsoft Confidential
 Client logs

Log Types of issues

UpdatesDeployment.log Deployments, SDK, UX

UpdatesHandler.log Updates, Download

ScanAgent.log Online/Offline scans, WSUS location

requests
WUAHandler.log Update status (missing/installed –
verbose logging), WU interaction

UpdatesStore.log Update status (missing/installed)

%windir%\WindowsUpdate.log Scanning/Installation of updates

38 Microsoft Confidential
 Lesson Review
What tools are available for troubleshooting
updates?
What log should I check to verify update
installation on a client?

39 Microsoft Confidential
 Lesson Summary
In this lesson, you learned:
How to use reports for software updates
How to troubleshoot software updates

40 Microsoft Confidential