Rube Goldberg & Patching the Enterprise with SCCM
by Dan Newton

You might not be familiar with a Rube Goldberg machine: a complex machine built out of chain reactions. Patching with SCCM works much the same way.
A server downloads all the updates from Microsoft; the clients scan against the server for new updates that they require; the server then builds a new list of updates to push; the updates are sent to Distribution Points; and a new Update Deployment is scheduled to run. Care and preparation are needed to ensure that software patches are deployed successfully to the desired targets at the desired time. To start, we must have a solid understanding of the overall process flow of how SCCM imports, prepares, deploys and monitors software updates (how all the dominoes are laid out).

The top of SCCM's patching infrastructure is the Software Update Point (the SUP). The SUP should be set to download only the patches that match the Classifications and Products that are supported in the given environment. The synchronization schedule should be the same as, or more frequent than, the client Software Updates scan schedule configured in the SCCM "Client Settings". The server sync and the client scan work together to produce the full picture of which updates are needed.

With the server/client schedule working like a well-timed clock, the next ball in our Rube Goldberg update machine is Automatic Deployment Rules (ADRs). New in SCCM 2012, ADRs are SCCM's answer to WSUS's "automatic approval". The trick with ADRs is to configure the schedule to run at the appropriate time. Take the requirement that all patches must be installed on all systems by the following Monday at 6am. With that requirement the ADR should look like:

- Evaluation Schedule – custom schedule, run Monthly, every 2nd Tuesday at 10pm (UTC)
- Software Updates filters – Required "> 0" and Superseded "No"
- Deployment Schedule – Software Available time = Specific Time: 2 Days, Installation Deadline = 5.
- Deployment Schedule – based on Client Local Time
- Create a new Software Update Group each time the ADR runs

Some explanation of the scheduling is required. The Evaluation Schedule is when the SUP will run the rule and download the updates that match the filters.
The above filter is set to download any update that has at least one client requiring it and that is NOT superseded. The deployment schedule's "Software Available Time" is relative to the time the Evaluation runs. In the above example the Evaluation runs on Patch Tuesday at 10pm; the Software Available time is added to that (Tuesday at 10pm plus 2 days = Thursday at 10pm). The Installation Deadline is in turn derived from the Software Available time, so Thursday at 10pm becomes Monday at 6am. So it becomes clear that the Rube Goldberg analogy is not too far off.

Before we leave the topic for today, I should mention a few "Best Practices" that we at iVision recommend:

- Classifications should be configured at the SUP level to only what is needed for the given environment – in general the following Classifications: "Critical Updates, Definition Updates (if SCEP is deployed), and Security Updates".
- Products should be configured at the SUP level to only what is needed – in general only the Operating Systems that are deployed and supported in the environment, and the products that are deployed.
- Automatic Updates/Deployment should only be done if a non-production "Pilot" deployment can go first to validate the given updates.
- Use a single Software Update Deployment for each year – this means that all the updates for workstations and servers are downloaded to the same deployment. Note the recommended limit is 1,000 updates per deployment.
- Leverage custom collections that are just for patching – this will be helpful when reporting on compliance.
- Use maintenance windows for servers to ensure the updates happen only when they should (more on this in a future blog).
- Only suppress reboots for those systems that require manual intervention for a reboot – if a system does not reboot when a patch requires a reboot, then the system is not really patched.

For more details on SCCM Software Updates Best Practices see: https://technet.

In the next post, I'll detail the how's and why's of Maintenance Windows.
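To make the chain of offsets concrete, here is an added example (my code, not from the post or from SCCM) that applies the ADR filter to a constructed set of update records and walks the deployment schedule forward from Patch Tuesday. The 10pm evaluation hour, the 2-day available offset and the 80-hour (3 days 8 hours) deadline offset are assumptions chosen so the deadline lands on the following Monday at 6am; the function names are mine.

```python
from datetime import datetime, timedelta

# Constructed sample of what the SUP scan results might look like:
# "required" = number of clients that need the update, "superseded" = SUP flag.
UPDATES = [
    {"title": "KB-A (constructed)", "required": 12, "superseded": False},
    {"title": "KB-B (constructed)", "required": 0, "superseded": False},
    {"title": "KB-C (constructed)", "required": 5, "superseded": True},
]


def adr_filter(updates):
    """Software Updates filter from the post: Required "> 0" and Superseded "No"."""
    return [u["title"] for u in updates if u["required"] > 0 and not u["superseded"]]


def patch_tuesday(year, month, hour=22):
    """Second Tuesday of the month at the ADR evaluation hour (22:00 is an assumption)."""
    first = datetime(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)  # Tuesday == 1
    return first_tuesday + timedelta(days=7, hours=hour)


def following_monday_6am(after):
    """The post's requirement: everything installed by the next Monday at 06:00."""
    monday = after + timedelta(days=(0 - after.weekday()) % 7)  # Monday == 0
    monday = monday.replace(hour=6, minute=0, second=0, microsecond=0)
    return monday if monday > after else monday + timedelta(days=7)


def adr_timeline(year, month, available_days=2, deadline_hours=80):
    """Chain the offsets the way the ADR does: available time is relative to the
    evaluation run, and the installation deadline is relative to the available time."""
    evaluation = patch_tuesday(year, month)
    available = evaluation + timedelta(days=available_days)
    deadline = available + timedelta(hours=deadline_hours)
    required_by = following_monday_6am(evaluation)
    return {
        "evaluation": evaluation,
        "available": available,
        "deadline": deadline,
        "required_by": required_by,
        "meets_requirement": deadline <= required_by,
    }


if __name__ == "__main__":
    for key, value in adr_timeline(2017, 1).items():
        print(f"{key:18} {value}")
    print("updates the ADR would download:", adr_filter(UPDATES))
```

Changing `deadline_hours` to anything past 80 with these assumptions flips `meets_requirement` to False, which is the check worth running before trusting a new ADR schedule.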
What You Need to Know About Microsoft Systems Management Server 2003

In late 2003, Microsoft delivered a long-awaited major update to its software deployment, inventory tracking, and remote-troubleshooting server product, Microsoft Systems Management Server (SMS) 2003. SMS is an excellent way to manage the deployment of security patches to users' desktops, and the company has updated this version to better support roaming and remote users. SMS 2003 forms the basis for Microsoft's Change and Configuration Management (CCM) strategy. Here's what you need to know about SMS 2003.

What's New in SMS 2003

SMS 2003 addresses several common CCM concerns, including managing computers and users who roam between different computers on a network or who work remotely, often over low- or poor-quality bandwidth connections. The product also tracks software deployment and use throughout your organization, helping you better plan software licensing and purchasing. To enhance computer security, SMS 2003. SMS 2003 adds support for roaming and mobile users through a new Advanced Client that provides all SMS features without requiring a local server. The Advanced Client uses an HTTP-based protocol called Background Intelligent Transfer Service (BITS) to provide connectivity over intermittent or low-quality connections, including RAS dial-up and remote VPN connections. Microsoft originally developed BITS for Windows Update, and the Automatic Updates service in Windows Server 2003, Windows XP, and Windows 2000. The original SMS client, now dubbed the Legacy Client, is still available for backward compatibility during migrations or for mixed environments. Microsoft has rewritten SMS's application tracking and usage functionality to scale better on Windows 2. This change means that SMS is now more adaptable for even the largest enterprises, providing an accurate picture of your software-licensing situation at any time.
The tracking feature can also give you a better idea of which users are using which software, helping you realistically determine your software-licensing requirements.

Security Features

Although Microsoft didn't originally design SMS as a platform for managing security patches, customer needs drove Microsoft to add this functionality to earlier versions through add-on packs. In SMS 2003, security patch management is an integrated feature that can help you ensure that your systems are as up-to-date as possible, meaning you won't have to scramble when a new critical security fix suddenly appears. SMS 2003 divides security patch management tasks into three phases. First, you perform a vulnerability assessment by installing the Security Update Inventory Tool and the Microsoft Office Inventory Tool for Updates, which are included with SMS 2003. These tools automatically create the packages, collections, and desktop-based software alerts needed to regularly run the software update scanning tools on all managed clients; SMS automatically downloads newer versions of these tools when available. After SMS generates a set of reports about the state of your network, you can use SMS to begin the second phase, patch-deployment planning, in which you prioritize patches according to various criteria, such as patch severity or the number of machines affected. In the third phase, patch deployment, you use the simple Patch Distribution Wizard, which walks you through the steps for creating an ongoing patch-deployment strategy.

Recommendations

Unless you've already settled on a third-party CCM tool, SMS 2003. SMS 2003's security features are another benefit, and given the current patch-management climate, moving to a system that helps automate this process is a plus. Given SMS 2003's ties to Active Directory (AD) and Microsoft's other management tools, this product is definitely one to evaluate.