In our last article Part6: Software Updates (SUP), we’ve configure the Software Update point and ran the synchronization with Microsoft Updates server.

As a result of this process, we’ve got the Software Updates metadata synchronized and the result can be viewed from the Configuration Manager console

Throughout this article, we will select few updates and deploy them to a collection of Windows 7 machines. Before we do that, it would be nice to review the Software Update policy to make sure its properties satisfy our business needs.

From the Client Settings in the Administration tab, Click Software Update

If you are planning to use Software Update point to patch your environment, make sure you do not configure domain policy for client computers to receive updates from WSUS through Group Policy Settings. The group policy settings used by Windows Update Agent (WUA) on client computers will override any machine policy sent from Configuration Manager and hence the client agent will retrieve the updates specified by the “unmanaged” WSUS.

Deploying Software Updates to client machines is simply the process of adding software updates to a software update group and then deploy the software update group to clients. There are actually two methods to deploy updates. The first one is a manual process where we select updates from the console and deploy it to a collection of machines and the second method is automatic by using an automatic deployment rule or by adding software updates to an update group that has active an deployment.

At your initial install, you might need to use first the manual method to get your devices up-to-date with required software updates and then you create an automatic deployment rule to manage your ongoing monthly software update deployments.

As you’ve seen in our first screenshot, there are hundreds of updates in the console. The first step here would be to filter the updates by criteria.

To do so, from the Configuration Manager console, click Software Library.

Expand Software Updates and click All Software Updates.

In the search pane, click Add Criteria and select the criteria that you want to use to filter software updates and click Add

Click Search to filter the Software Updates

Select the updates you wish to deploy, right click on your selection and click Deploy

On the General page, specify the name of the deployment, the software update group name and the collection where the updates will be deployed

On the Deployment Settings page, make sure Required is selected as the Type of deployment to make sure the updates will be mandatory with an installation deadline and Minimal for Detail level.

On the Scheduling page, select Client local time, on the Software Available Time, select As soon as possible to make sure clients are notified for updates installation as soon as their next policy polling cycle and on the Installation deadline, specify a time where the software updates will get installed automatically

On the User Experience page, you can keep the default settings and click Next

On the Alerts page, configure how Configuration Manager and Operations Manager will generate Alerts

On the Download Settings page, when a client is connected to a slow network or is using a fallback content location, specify whether the client will download and install the software updates and when the content for the software updates is not available on a preferred distribution point, you can specify whether to have the client download and install the software updates from a fallback distribution point and on the Allow clients to share content with other clients on the same subnet: specify whether to enable the use of BranchCache for content downloads

On the Deployment Package page, select to create a new deployment package and specify its properties

On the Distribution point page, select the distribution point to host the software update files.

On the Download location page, select to Download software updates from the internet

On the Language selection page, select the languages for which the selected software updates are downloaded.

On the Summary page, review the settings and click Save As Template to save the settings for a future deployment

Click Next and on the Completion screen click Close.

At this stage, you would need to wait for the next policy polling cycle on the client machine or you can force the client machine to retrieve the machine policy by double clicking the Configuration Manager Client Agent found in Control Panel.

From the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and click Run Now

After few seconds, you will notice a notification message

From the Software Center, you can check the Software Updates deployment settings

Once the updates get installed, you will be able to view the installed updates with a description of each update

This comes to the end of this article where we’ve discussed the required steps to deploy Software Updates to devices. We will be discussing in a future article the automatic deployment rule when it comes to Endpoint Protection.

In my previous article Part5: Software Updates (WSUS), we’ve seen the necessary steps to install WSUS for Configuration Manager.

Throughout this article, we will install and configure Software update point.

From the Configuration Manager console, click Administration, expand Site Configuration and click Servers and Site System Roles.

Right click the primary server and click Add Site System Roles

On the General page, click Next and on the System Role Selection page, check Software update point

On the Software Update Point page, specify proxy settings if needed to connect to the internet to synchronize and download content.

On the Active Settings page, select to Use this server as the active software update point and choose to use the custom WSUS website

On the Synchronization source page, select to Synchronize from Microsoft Update. This option is only available for stand-alone primary servers and for CAS servers. Secondary servers and primary servers within a hierarchy are automatically configured to upstream through their parent site.

Under WSUS reporting events, keep the default selection since Configuration Manager doesn’t interpret WSUS reporting events.

On the Synchronization Schedule page, check to Enable synchronization on a schedule and check to Alert when synchronization fails on any site in the hierarchy

On the Supersedence Rules page, if you click to immediately expire a superseded software update, you will be able to see the expired updates in the Configuration Manager console for a period of 7 days. Following that, expired updates that are not associated with any deployment will be tomb-stoned.

You can select some time if you would need to wait before a superseded software update is expired

On the Classifications page, select the classification you want to synchronize

On the Products page, select the products you want to synchronize

On the Languages page, select the language you want to synchronize

On the Summary page, click Next

On the Completion page, click Finish

From the Configuration Manager console and from the Administration tab, click All Software Updates and click Synchronize Software Updates

Click Yes on the informational box

You can monitor the synchronization progress by checking wsyncmgr.log

This comes to the end of this article. In our next article we will deploy updates to desktop machines.

In my previous blog article Part4: Client Settings, we’ve discussed what have changed since Configuration Manager 2007 and how to create client settings for devices and users collection.

In this article, we will first install WSUS and later we will walk through the installation and configuration of the Software Update point.

From the Server Manager, right click Add Roles and click to add the WSUS role

On the Before you begin page click Next and on the Add Roles Wizard, select Windows Server Update Services

Click Next on the Windows Server Update Services page and click Install on the Confirm Installations Selections page

Click Next on the Setup Wizard page

Click the checkbox to accept the License Agreement and select the Store Update location

Select to use the existing database and click Next after successfully connecting to the SQL Server instance

On the Web Site selection, select to create a custom website

Click Next twice to start the installation

Click Finish on the completion page and click Cancel on the Windows Server Update Services Configuration Wizard since we will configure these settings from the Configuration Manager console.

This comes to the end of this article where we’ve install WSUS. In our next article we will go through the installation and configuration of Software Update point.

In my last blog article Part3: Boundaries and Boundary Groups, we’ve covered how to automatically discover and create boundaries and how to use these boundaries in boundary groups for site assignment and content location.

Throughout this article, we’ll cover Client Settings which was known as Client Agent Settings in Configuration Manager 2007.

One of the major changes in this area that Client Settings are now configured on the hierarchy level. With ConfigMgr 2007, Client Agent Settings are configured on a site level. Having that said, you didn’t have the option to configure different client agent settings for agents that exist within the same Configuration Manager site.

In System Center 2012 Configuration Manager, client settings are hierarchy based. The default client settings policy is applied to all agents within the hierarchy and additional client settings policies can be created and applied to collections. These collections could be a group of computers or a group of users.

The following client settings can be applied for devices (click on the policy to know more information):

• Client Policy
• Computer Agent
• Computer Restart
• Endpoint Protection
• Hardware Inventory
• Network Access Protection (NAP)
• Software Deployment
• Software Updates
• User and Device Affinity

The following client settings are for users:

• Mobile Devices
• User and Device Affinity

To create a new custom client settings for a user or a device, go the Administration tab in the console, right click Client Settings and select to create a new policy setting

Select a custom setting such as Remote Tools and click on Remote Tools from the upper left box to configure settings

Click Configure, check the box to Enable Remote Control on client computers and check the box of the Domain profile to automatically configure the Remote Control port and program exceptions for clients.

Set your other settings as desired and click on Set Viewers

Type the permitted viewers such as a user or a group and click OK

Once done you will notice the newly create device settings

If it happens to have two policies such as Remote Control settings and both being applied to the same collection, the policy with lower priority value will take over any other policy.

You can increase or decrease the client settings priority by right clicking the policy and selecting to increase the priority

To deploy the newly created policy to a device collection, right click the policy and click Deploy

Select the device collection and click OK

From the properties of the device collection, you will notice that the custom settings now appear as being applied to the collection

In my last blog article Part2: Discovery Methods, we’ve discussed the different discovery methods and how to configure these methods.

We’ve also seen the Forest Discovery Method which aim to automatically create boundaries based on the discovered IP subnets and Active Directory Sites.

To check the created boundaries. go to the Administration tab and click on Boundaries

Even though, the boundaries do exist, each boundary would need to to be a member of a boundary group before a device on that boundary can identify an assigned site or a distribution point.

On the other hand, boundaries are no longer site specific, instead defined for the hierarchy which make them available at all existing sites of that hierarchy. Boundaries are defined under the Hierarchy Configuration from the Administration tab.

From Boundary Groups, click Create Boundary Group

In the Name field, type the name for the boundary group and click on Add to add boundaries to the boundary group

On the References tab, check Use this boundary group for site assignment and click Apply

During automatic site assignment, the selected site will be used for client assignment that exists within the defined network location. If one particular boundary is added to many boundary groups where these groups are configured for client assignment, new installed clients will nondeterministically select one of the sites and we will have an overlap of boundary configuration. This scenario is not supported in Configuration Manager.

You might also have noticed from the References tab that we can add and associate one or many distribution points or state migration points to the boundary group

During a software distribution or an operating system deployment, the client request a location for deployment content or a location to send/receive state migration information (in OSD). The Configuration Manager send the client a list of distribution/state migration point that are associated with the boundary group of the client current network location. The client in this case will select the nearest server point.

The network connection speed is now defined for a distribution point and from within the boundary group

As a best practice, create boundary groups for site assignment and another set of boundary groups for content location. This will help you eliminate the chances for users getting assigned to wrong sites whenever they are roaming.

This comes to the end of this article where we’ve discussed boundaries and boundary groups.

Stay tuned  for our next one!!