I get a lot of requests for information about how to do software update deployments in System Center Configuration Manager 2007 so I thought I would put together a quick guide explaining the process. It turned out to be quite large so I broke it into two parts: Part 1 is below and covers Update Lists, Deployment Packages and Deployment Templates, and then Part 2 will cover the deployments themselves.
Deploying Software Updates
Software updates are deployed to client computers using the Deploy Software Updates Wizard, much as they were in SMS 2003, but new objects have been introduced and there have been changes to the deployment process. I have made an attempt to explain these changes with the help of screenshots.
Update lists provide the ability to initiate a deployment for a set of software updates contained in the list. Using the update list provides several benefits when deploying and monitoring software updates and is, therefore, part of the recommended software updates workflow. Update lists allow administrators to create a deployment from the update list instead of manually selecting the set of updates every time a new deployment is created. They allow administrators to use reports for specific update lists to monitor the compliance for the software updates and help troubleshoot updates contained in the list. Update lists also allow administrators to create update lists with approved updates, and then delegate the responsibility to deploy the update lists.
Deployment packages are used to host the files for the software updates in a deployment, much like software distribution packages. The main difference is that the deployment package is used to get the files to the Distribution Points, but once that process completes, client computers will access the software update files from any package shared folder on any Distribution Point regardless of whether the package was defined in the deployment that targeted the client. When the client computer receives a new deployment, it determines where the software update files are located, independent of the deployment, and installs from the preferred location.
Deployment templates provide the ability to save a set of deployment properties for use in future software update deployments. When a deployment template is used in creating a new deployment, it populates the deployment with the preconfigured properties. This provides consistency among deployments with similar requirements and saves a lot of administration time.
When creating a software update deployment in the Deploy Software Updates Wizard, the Deployment Schedule page allows a deployment deadline date and time to be configured. Deployment deadlines can also be configured from the Deployment Schedule tab in the properties for the deployment.
Setting a deadline makes the deployment mandatory, and it enforces the software update installation on client computers by the configured date and time.
If the deadline is reached and the software update deployment has not yet run on the client computer, the installation starts automatically whether or not a user is logged on to the computer. A system restart can be enforced if it is necessary for the software update installation to complete.
On client computers, display notifications inform the user that one or more software updates are ready to install and show the date and time of the earliest deadline. For example, if there are two deployments with deadlines that are two days apart, the deployment deadline that comes first displays in the notifications to users. Once the software updates have been installed for the deployment with the earliest deadline, the client computer will continue to receive notifications, but they will now display the deadline for the second deployment.
In SMS 2003, deadlines were set to occur x days after the client received the policy to install the software updates. Deployment deadlines have been simplified in Configuration Manager 2007 and are now configured for an explicit date and time. SMS 2003 clients in the Configuration Manager hierarchy will also use the configured deadline date and time for deployments targeted to them.
When software updates that have a configured deadline become available on a client computer, the Available Software Updates icon appears in the notification area that informs the user of the pending deadline. Display notifications are presented on a periodic basis until all pending mandatory software update installations have completed. By default, they are displayed every three hours for deadlines more than 24 hours away, every hour for deadlines less than 24 hours away, and every 15 minutes for deadlines that are less than one hour away.
Required System Restart
By default, when software updates from a mandatory deployment have installed on a client computer but a system restart is required for the installation to complete, the system restart will be initiated. For software updates that have been installed prior to the deadline, the automatic system restart will be postponed until the deadline, unless the computer is restarted prior to that for some other reason. The system restart can be suppressed for servers and workstations. These settings are configured in the Restart Settings page of the Deploy Software Updates Wizard when creating a deployment and in the Restart Settings tab in the deployment properties. This setting can also be configured in a deployment template.
Planning for Maintenance Windows
Maintenance windows provide administrators with a way to define a period of time that limits when changes can be made on the systems that are members of a collection. Maintenance windows restrict when the software updates in deployments can be installed on client computers, as well as operating system advertisements and software distribution advertisements. Client computers determine whether there is enough time to start a software update installation by using the following three settings:
■ Restart countdown: Specifies the length of the client restart notification (in minutes) for computers in this site. The default setting is 5 minutes. This setting is available as a global setting in the Computer Client Agent Properties dialog box.
■ System restart turnaround time: Specifies the length of time given for computers to initiate the system restart and reload the operating system. This setting is stored in the site control file for the site and has a default value of 10 minutes.
■ Maximum run time: Specifies the amount of time that is estimated for a software update to install. The default setting is 20 minutes for updates and 60 minutes for service packs. This setting can be modified for individual software updates on the Maximum Run Time tab for the properties for the software update.
When these settings are used to determine the available maintenance window, each software update has a default of 35 minutes (5 + 10 + 20), or 75 minutes for service packs (5 + 10 + 60). When planning for maintenance windows, take these defaults into consideration. When planning software update deployments to client computers, be aware of the configured maintenance window, how many software updates are in a deployment (so that you can forecast whether client computers will be able to install the updates within the maintenance window) and whether the update installation will span multiple maintenance windows.
When software update installation has completed, but there is not enough time in the maintenance window for the computer to restart, the computer will wait until the next maintenance window and initiate the restart before installing pending update installations. When there are multiple software updates to be installed on a client computer with a configured maintenance window, the update with the lowest maximum run time installs first, the update with the next lowest maximum run time installs next, and so on. Before installing each update, the client verifies that the available maintenance window is long enough to install the update. After an update starts installing, it will continue to install even if the installation goes beyond the end of the maintenance window.
When creating a software update deployment, there are two settings that allow maintenance windows to be ignored, as follows:
■ Allow system restart outside of maintenance windows: Specifies whether to allow system restarts for both workstations and servers outside of configured maintenance windows. By default, this setting is not enabled. This setting is beneficial when you want your software update installation to complete on client computers as soon as possible. When this setting is not specified, a system restart will not be initiated if the maintenance window ends in 10 minutes or less. This could prevent the installation from completing and leave the client computer in a vulnerable state until the next maintenance window. This setting is available on the Restart Settings page of the Deployment Template Wizard or Deploy Software Updates Wizard.
■ Ignore maintenance windows and install immediately at deadline: Specifies whether the software updates in the deployment are installed at the deadline regardless of a configured maintenance window. By default, this setting is not enabled and is available only when there is a deadline configured for the deployment. This setting is beneficial when there are software updates that must be installed on client computers as soon as possible, such as the updates in an expedited deployment. This setting is available on the Schedule page of the Deploy Software Updates Wizard.
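The maintenance-window arithmetic described above, written as a planning model in Python (an added example, not part of the original guide or of Configuration Manager itself). The function names and KB labels are constructed for illustration, and the model assumes every install consumes its full maximum run time.

```python
"""Forecast which software updates fit in a maintenance window (planning model)."""

RESTART_COUNTDOWN_MIN = 5     # default restart countdown from the article
RESTART_TURNAROUND_MIN = 10   # default system restart turnaround time

# Constructed sample deployment: (name, maximum run time in minutes).
SAMPLE_UPDATES = [("KB-A", 20), ("KB-B", 20), ("KB-C", 20), ("SP-1", 60)]


def required_minutes(max_run_time):
    """Window time that must remain before the client starts an update."""
    return max_run_time + RESTART_COUNTDOWN_MIN + RESTART_TURNAROUND_MIN


def forecast(window_minutes, updates):
    """Return (installed, deferred) name lists for one maintenance window."""
    remaining = window_minutes
    installed, deferred = [], []
    # The update with the lowest maximum run time installs first.
    for name, max_run in sorted(updates, key=lambda u: u[1]):
        if remaining >= required_minutes(max_run):
            installed.append(name)
            remaining -= max_run  # assumption: worst case, full run time used
        else:
            deferred.append(name)  # waits for a later maintenance window
    return installed, deferred


def windows_needed(window_minutes, updates):
    """Windows needed to install everything; None if an update never fits."""
    count, pending = 0, list(updates)
    while pending:
        installed, deferred = forecast(window_minutes, pending)
        if not installed:
            return None  # window is shorter than the smallest requirement
        count += 1
        pending = [u for u in pending if u[0] in deferred]
    return count


if __name__ == "__main__":
    for minutes in (90, 60):
        print(minutes, forecast(minutes, SAMPLE_UPDATES),
              windows_needed(minutes, SAMPLE_UPDATES))
```

A result of None flags a deployment that will stay uninstalled on that collection unless the window is lengthened or the deployment is set to ignore maintenance windows at the deadline.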
That’s it for Part 1, so be sure to check out Part 2 where I discuss putting all this together and doing the actual deployment. Part 2 can be found here:
Guide to Software Updates Deployment in Configuration Manager 2007 – Part 2
Adnan Ezzi | Configuration Manager Support Engineer
A couple good resources for you (community generated):
The SCCM 2007 Software Updates Wiki:
Patch Management directions for SCCM:
SCCM Update in Russian: http://itband.ru/tag/update/
Thanks for the article, the only suggestion I would give is to use better screen shots. They're so blurry they're nearly useless.
Very good post. That's all I can say.
Thank you for your effort.
This is fantastic, please any link to part 2?
Yes, link to part 2 please. Also agree about the screen shots and this is a great article. Thanks.
How to Identify (From Which Log) who has configured the Patching. Thanks in advance.
You can download the content in doc from the following link if the pictures are blurry
Thank you all for the feedback
You can also download the content in .doc if the pictures are blurry from the following link
I noticed that in the section for Display Notifications you mention the Default Times for display notification. Can you advise if these notification times can be customized?
Great article by the way.
Please let me know how to check the patch compliance report and how to configure that
Great guide, 2 years after my training I've been asked to deploy SCCM/WSUS and this has been a great refresh!
This is good, but what to do if I'm missing updates that are showing only in WSUS console but not in SCCM console
This is a very good document but the images are blurr ...adjusted. Where is the next part?
How do you monitor the reboot jobs once scheduled in maintenance window...can we generate/configure this in SCCM 2007.