We just released a whitepaper around servicing offline VMs using SCVMM and SCCM.

Download details are here:

https://www.microsoft.com/downloads/details.aspx?FamilyID=c5abb19e-15b1-4692-b465-393584c592a0&displaylang=en

Direct Download file from here:

http://download.microsoft.com/download/d/1/0/d10ecad6-3de9-4bb2-bbc4-4f8d5c487b66/VMMLibraryPatching.zip

There will be more to come on this subject from us in the future, but this is a great start for realizing the combined value of System Center products.

I just moved over to the System Center Service Manager team, so will likely not be posting too much about SCCM 2007 Software Updates Management any more.

In the Service Manager product group, I will working as a Senior Program Manager on SCCM Integration, Configuration Management, Asset Management, Software Delivery, and Self-Service Software Provisioning.

The Microsoft Update Catalog site can be used with System Center Configuration Manager 2007 to deploy updates that are not automatically synchronized with WSUS.   For example drivers, QFEs, or other optional updates can be downloaded from the site (more info here).   This is a great additional capability, but how exactly can you make it work with SCCM?

Step 1:  Within the System Center Updates Publisher tool, click on the "Microsoft Catalog" link under "Online Resources"

Step 2: Install the ActiveX control and then search for the update you want to deploy.

Step 3:  Add to the basket and then import into the Software Update Point (WSUS server):

Step 4: Sync the update into SCCM and you are good to go.  (Note that you can initiate an immediate sync using the "Run Synchronization" action from the Updates Repository node under Software Updates)

Additional Note: You may find that some updates are not getting synced into SCCM even though they are in the WSUS Admin console.  This is because SCCM will not sync updates that may require user input or updates that have been superseded.  Fortunately, the Microsoft Update Catalog site gives you that information.

This one will not sync into SCCM:

This one will work:

I am pleased to announce that we have just published a whitepaper that provides guidance for customers transitioning from SMS 2003 Patch Management to System Center Configuration Manager 2007 Software Updates Management.

You can download the paper from here:

http://download.microsoft.com/download/d/8/6/d861e149-76f7-4348-89aa-7f3d9777f5ae/Configuration Manager Software Updates Management Guidance - Migration from ITMU.doc

Here is a description:

While the release of System Center Configuration Manager 2007 has been accompanied by robust functional and procedural product documentation, the integration of WSUS introduced two additional challenges:

¾ Successful migration of SMS 2003 environments to Configuration Manager while maintaining the existing software update levels of service.

¾ Clarifying a dramatic shift in a fundamental process in the minds of experienced SMS 2003 administrators.

This whitepaper provides guidance on how to migrate software update management from SMS 2003 to Configuration Manager, how to operate in the transition period while maintaining ongoing software update deployments for both SMS 2003 and Configuration Manager clients, and best practices for managing software updates using Configuration Manager.

This document assumes that the reader has experience with both SMS 2003 and the Inventory Tool for Microsoft Updates (ITMU).  Additionally, it is beneficial for the reader to be familiar with the operational processes associated with enterprise software update management. 

In SCCM 2007, we added a neat feature similar to one provided by Automatic Updates that gives managed clients the ability to install updates prior to deadline.  End users can configure this by clicking the "Schedule Installation" as shown below or by going to directly to the Configuration Manager control panel applet under the "Updates" tab.

This is a very fundamental question for Admins trying to raise the level of software update compliance at their company.

Traditionally using SMS 2003, the normal practice was to look at a sample of client logs and use that as a basis for guessing what the top problems were for non-compliance.

In SCCM 2007, we have added a couple of new reports that can help solve this problem for Scan and Deployment, "Troubleshooting 1 - Scan Errors" & "Troubleshooting 2 - Deployment Errors" which displays groupings of the last error received from clients.  You can sort by the "count" column to get a stack-ranked list of these errors, which can greatly increase the accuracy in determining the exact top non-compliance issues and dramatically reduce the time & effort required to make the assessment. 

No more scrubbing through client logs! 

In real-life deployments within MSIT and TAP customers, we used these reports constantly to quickly identify problem areas such as Group Policy conflicts, low WUA version, networking issues, and SUP configuration issues.  By addressing the top problems, customers were able to eliminate major sources of failures and achieve much greater compliance numbers.

It's been a while since I added a post.  Let's start up again with a quick one.

I was recently asked when do SCCM clients download updates and when would they show the notification balloon in the system tray - here is the answer:

1.  SCCM clients download updates according to a deployment-specific setting in the Deploy Software Updates Wizard (DSUW).  They begin downloading at the time specified in the "Make Software Updates Available" setting on the Deployment Schedule page.  If you select "As soon as possible" then the updates will start being downloaded as soon as the deployment policy hits the client.

2.   The notification balloon is displayed immediately for deployments without a deadline and only after updates have completed download for deployments with a deadline.

Late on Friday, we declared SCCM 2007 RC1 ready for release to the web!  It is now available on connect.

For the Software Updates Management feature, RC1 brings a number of improvements, including new reports for overall per-machine compliance, scan errors, deployment errors; reorganized categorization of reports; ability for end users to schedule installations prior to deadline ("install updates every day at 3am"); capability to hide icons and balloon notifications from end users (silent mode); many many performance and scalability improvements; and a lot more.  I'll follow-up in future posts to talk more about all of this.  

Let's talk about maintenance windows in SCCM, a new feature for software distribution and software updates.  Maintenance windows usually make sense in a server-based scenario where servers have defined service windows where they can be taken down for changes, including software updates.  You can define a maintenance window for a collection by choosing "Modify Collection Settings" and then going to the Maintenance Windows tab.

The window uses an estimated time to execute the entire install.  This time is comprised of the following settings:

1. Restart countdown time (Restart countdown time has a default of 5 min and is available to change on each collection in the Admin UI). 

2. System restart turnaround time (Site Control File-only setting, which has a default of 10 min).

3. Maximum Run Time, which is the per-update installation time and has a Site Control File-only default setting of 20 min for Updates and 60 min for Service Packs.  However, the difference from below is that this setting can be changed in the Admin UI for each update.  This setting for each update can be found in a list view when looking at updates in the update repository node, update list node, or in a search folder

If more than 1 update is needed to be installed, say Update 1 with Max Run Time (MRT) of 20 min, Update 2 with MRT of 5 min, and Update 3 with MRT of 30 min, we will start by installing the update with the smallest MRT, in this case Update 2.  We watch the installation & if Update 2 finishes, we look for the next shortest MRT and see if that will fit in the window, and so on, until we run out of available time.

In the the situation when the only thing left to do is a pending reboot when waiting for a Maintenance Window, we will only use the restart countdown time and the system restart turnaround time and not use the MRT.

One of the most useful new objects in System Center Configuration Manager 2007 is the Update List.   An update list is, well, a list of software updates - that is, it is a fixed list of updates that can be created through a wizard (which also allows downloading of updates).  Security rights can be assigned to update lists to enable delegation scenarios.  We also have a couple of key compliance reports that use update lists as inputs.  The first new compliance report is the "Overall Compliance" report, which gives per-machine compliance for a given update list on a collection.  This report assesses whether any of the updates in the list are out of compliance and reports the totals for all machines in the collection.  The other new report gives per-update compliance for an update list on a collection, giving the results across the collection for a single update. 

Also new to SCCM, search folders are the best way to identify exactly which updates should be put in an update list.  To create a search folder, simply navigate to the search folders subnode under the Updates Repository node & select the "new search folder" action.  It is easy to create a list of updates, for example, that have the following criteria: critical, security, applicable to Windows, released within the last month, not superseded. 

Update lists can be used by the Deploy Software Updates Wizard, Deployment Templates, and the Download Wizard, either through right-click/action pane or by drag and drop.

I thought I could put some thoughts down about the Software Update Point (SUP), which is a new site role within SCCM 2007.  The job of the SUP is provide software update metadata to clients that are using the Windows Update Agent (WUA) to scan for missing updates.  The underlying component of the SUP is an installed WSUS 3.0 server with an additional SCCM component.  The additional component is called the WSUS Control Manager, which allows the SCCM site server to control the behavior of the SUP.

Installing the Software Update Point

In practice, the first thing you need to do to get started with Software Updates Management in SCCM is to install the SUP.  The basic steps to do this are:

1.  Download the latest WSUS 3.0 bits from their website. 

2.  Install the WSUS server on the machine that is slated to be the SUP

3.  If the SUP is remote from the SCCM site server, then the WSUS admin console needs to installed on the SCCM site server.

4.  Once WSUS is installed, go to the SCCM admin console and go to the site systems node, pick the server with WSUS and start the New Site Role wizard to install the SUP.

5.  Let synchronization happen between the WSUS server and SCCM site server - you can monitor progress of the sync by looking at the wsyncmgr.log file

6.  Once this sync has completed successfully, you are done!  You can now see updates in the updates repository subnode under the Software Updates main node.

These are only high-level steps - the detailed instructions can be found here. 

How does the Software Update Point work?

The top level SUP gets its metadata catalog from Microsoft Update and stores that catalog in its database.  That database is also put into the SCCM database via the sync process.  For software updates scanning, SCCM clients utilize the WUA to connect with a SUP and get the specific metadata that are relevant for the client.  The client is scanned for missing or installed updates and results from the scanning are stored in a WMI repository.  The SCCM agent collects the results and passes them through the State message system and those results are stored in the SCCM database for every client and every update.  Reports can then be generated from the scan data to produce accurate and detailed compliance reports.

A Few Practical Things about the Software Update Point

One hurdle that every SCCM installation or upgrade will need to get over is the successful SUP sync - it is an indication that you have covered all the important parts and now can begin deployments.  But there are some things that I think you should know about:

1. The most common problems I have seen have been around the proxy settings for the SUP - be sure to put the right settings in there, or the SUP won't be able get to the Microsoft Update site to get the catalog

2.  You need a SUP at every primary site - unlike other WSUS-based implementations, SCCM requires one at every site to function.

3.  Don't get concerned if the sync does not succeed right away, especially if you installed the WSUS server after the SCCM site server.  The SUP first needs to successfully complete its initial sync with Microsoft Update to get the metadata catalog, which can take a while.  If this process is not completed, you will see failure to sync errors in the wsyncmgr.log, which is normal. 

4.  In a similar vein, it can take up to a few hours for the initial sync between SUP and SCCM site server to complete, which can be a CPU-intensive process.  I don't recommend trying to complete this while other CPU-intensive SCCM processes are happening.

5.  As the metadata catalog is revised with new or expired updates within the SUP database, the SCCM site server needs to re-sync.  This sync can be accomplished automatically on a schedule as well as through a manual initiation from the updates repository node.

6.  All legacy scan tools other than ITMU should be uninstalled prior to upgrade from SMS 2003 and should not be re-installed after upgrade.  They will not work anymore with SCCM and can cause serious problems that can break your site.

This being the first post on my new blog, I would like to start out by stating some goals:

1. Discuss some of the interesting or practical things about the Software Update Management (SUM) feature within the System Center Configuration Manager 2007 product (SCCM), which my team is helping to produce.

2.  Highlight interesting things in the other parts of SCCM 2007, other System Center products or general neat things related to Microsoft.

3. Perhaps hear from folks outside my personal sphere on how we are doing with SMS and SCCM. 

4. Write down some personal thoughts on IT management, technology, innovation, or any other interesting bits that come to mind.

Now, it's time to get going on some posts!