Update Lists
Update
lists are intermediate objects used to build static lists of updates.
Using update lists is optional but recommended. Update lists are
static, rather than dynamic like search folders; this capability allows
you to create a list to monitor the life cycle of a set of updates,
including download status, deployment status, and compliance reporting.
You can also use update lists as a delegation mechanism, allowing
separate lists for different administrative use. As an example, you can
create one set of lists for desktops and one set for servers,
delegating the proper rights on each.
You
can view the details of updates in an update list the same way you view
them though the update repository—by selecting the Update List in the
console tree. The result is similar to Figure 4. Additionally, you can customize the columns displayed in a list.
As
an example, you may only want to see the Bulletin ID and percent
compliance details for updates. To customize the columns, right-click
the list in the ConfigMgr console tree on
the left and select View -> Add/Remove columns... to launch the
Add/Remove Columns dialog box, where you can move columns between the
Available and Displayed lists.
To add updates to a list, select any number of updates in the update repository and do one of the following:
- Right-click and choose Update List.
- Drag the updates from the update repository to an existing list.
Both methods launch the Update List Wizard (displayed in Figure 5)
to guide you through the process. If you add updates using the
right-click method, the first page of the wizard allows you to choose
to add the updates to an existing list or create a new list. This is
the only method available to create a new list.
In
both cases, the first page of the wizard contains a check box to
initiate downloading the updates. The second page varies based on
whether or not you are creating a new package:
If
you choose to download the updates using the wizard, the next page
prompts you to select an existing update package or to create a new
package.
If you choose to create a new
package, you must name the package and specify a source location.
ConfigMgr will download the applicable files for the chosen updates to
the source location.
The
source location must be in Universal Naming Convention (UNC) format and
accessible by the current user of the ConfigMgr console. Additionally,
the wizard adds a Distribution Points page, where you can specify the
distribution points on which to install the package.
Update
lists are also particularly useful in a multisite ConfigMgr hierarchy.
Lists created at parent sites replicate to child sites; these
replicated lists are read-only at the child sites. Administrators of
the child sites can then use these replicated lists to expedite the
deployment of the updates in those lists—they no longer have to worry
about actually discovering applicable updates, just deploying them
using existing collections and templates. This replication process can
be used to approve updates at higher levels of the organization and
push them down as “approved” patches to the lower levels for use in a
delegated model of software update maintenance.
|
SCUP
is a separate tool that third parties use to publish software update
information to WSUS; this in effect expands the update catalog served
by that WSUS system to include non-Microsoft updates. The main
advantage of using WSUS to deploy updates over normal software
distribution is that updates deployed using WSUS are subject to a
compliance scan before installation. Therefore, you do not have to
build any logic into the package or a collection to ensure that updates
are applied only where they are needed.
An
additional use of SCUP is to publish expired or superseded Microsoft
updates into WSUS for use by ConfigMgr. ConfigMgr does not allow you to
download expired or superseded updates for use with Software Updates
because these are viewed as a security risk. If your organization has a
requirement to deploy an expired or superseded update you have not yet
downloaded, one workaround is to manually download the update and
publish it with SCUP. As noted, though, this is not necessarily
recommended because of the security risk it may pose, but it may be
required because of corporate politics or other requirements.
|
Deployment Templates
You
typically will create multiple deployments to manage distributing
updates, with the only difference being the collection or the deadline
for the updates. Deployment templates provide a group of common
settings used to create update deployments ; with templates, you can predefine the common settings for deployments, including the following:
Collection— The collection for the deployment.
User Notification— Suppress or allow user notification.
Deployment time interpretation— Determines how a client interprets the deployment time—either as client local time or Coordinated Universal Time (UTC).
Duration—
The amount of time until a deployment becomes mandatory. This setting
determines the actual deadline of a deployment when you use a template
to create a deployment by adding the duration to the current date and
time. Figure 6 shows the Deployment Template Wizard page to set this option.
Restart Suppression— You can choose to suppress restarts on servers, workstations, or both.
Ignore Maintenance Windows— Tells the deployment to ignore any configured maintenance windows . This is useful when deploying critical updates or zero-day updates that need immediate installation.
Operations Manager Integration—
Unexpected restarts and update installations may generate many warnings
and alerts in Operations Manager. The following are your options:
You
can instruct the ConfigMgr agent to put the Operations Manager (OpsMgr)
agent on that system into maintenance mode, thus preventing unnecessary
warnings and alerts.
Note: Maintenance Mode
Specifying
that ConfigMgr place the Operations Manager agent into maintenance mode
does not truly place the OpsMgr agent health service watcher into
maintenance mode; instead, it merely pauses the health service on the
managed system. This should change in a future Configuration Manager
service pack or maintenance release.
You can also configure the deployment to generate an Operations Manager alert if an update installation fails.
Both options assume an Operations Manager environment and an Operations Manager agent installed on the client system.
Download Settings—
These settings dictate whether to download updates if the client is
connected to a distribution point in a slow network, or if the client
is connected to an unprotected distribution point when a protected DP
is available but without the specified updates.
If
you only allow content to download from distribution points in a local
or fast boundary and no DPs are available to a client, the updates
cannot download and the deployment will fail. This may happen with
roaming clients, because they move from location to location. If you
have a population of systems that roam between sites with local
distribution points, be sure to define the slow boundaries and make the
deployments available to the slow boundaries.
Updates
in a mandatory deployment download to a client when they become
available, as configured on the Schedule tab of the deployment’s
properties page. This capability allows clients to pre-stage the
updates and ensures those updates are available when the deadline for
the deployment hits, regardless of the availability on a local
distribution point.
Pre-staging also
prevents a distribution point from overloading with requests for
updates once a deadline hits. Updates in nonmandatory deployments—those
without a deadline—are not downloaded to the client until the client
initiates installing updates in the deployment.
You
can create new update deployments with an update template using the New
Deployment Wizard. Utilizing a template makes creating deployments
quicker, and ensures you can create multiple deployments using
identical settings with a minimal effort. Deployment templates are
optional but recommended.
To create a
deployment template, launch the new Deployment Template wizard by
right-clicking on the Deployment Templates node and selecting New
Deployment Template. Alternatively, if you create a deployment using
the New Deployment Wizard without a deployment template, you are
prompted (as shown in Figure 7) to create a new template using the settings you just entered to create the deployment.
There
is no link between a template and deployments created using that
template. ConfigMgr copies the settings from the template to the
deployment but does not establish or maintain a relationship between
the two.
