About Update Management in Essentials

  • Article

Applies To: System Center Essentials 2010

System Center Essentials 2010 provides Update Management features that enable administrators to view, download, and deploy software updates that operating systems and other software require on managed computers.

To manage updates in Essentials 2010, you must access the Updates Overview pane. In the Essentials console, click Updates. In the Overview pane, you can view updates, determine what updates managed computers need, centrally deploy updates to those computers, and then view deployment and other related reports.

Note

If you did not run the Computer and Device Management Wizard to discover computers or did not run the Updates Management Configuration Wizard to configure Update Management, you cannot manage updates. In those cases, the Updates Overview pane displays a message stating that the Essentials configuration is incomplete. You must complete the listed tasks before you can manage updates.

Before you start to manage updates, you should become familiar with the following terms.

  • Update
    A software package that fixes an issue with a specific operating system or application.
  • Security updates
    Updates that help protect the operating system or applications from product or administrative vulnerabilities.
  • Essentials 2010 required updates
    Updates published by Microsoft that are related to Essentials 2010.

Update Management Process on the Management Server

Microsoft publishes security updates and other updates on the Microsoft Update Web site. Essentials 2010 accesses that Web site to download information about available updates and to download the updates that are needed in your organization.

Deploying updates to managed computers consists of the following phases:

  1. Synchronize Essentials 2010 information about available updates with the information at the Microsoft Update Web site.

  2. If you configured Update Management to store updates locally on the Management Server (by default, in the %SYSTEMDRIVE%\SCE\WSUSContent folder, or in a folder you specify), Essentials 2010 downloads the updates and stores them locally.

  3. View available updates, and identify any updates that must be deployed.

  4. Identify the computers that require the respective update. If necessary, create a new computer group that contains those computers.

  5. Approve the update for deployment to the specified computer group.

  6. Run reports to track the progress of the deployment and to identify any potential problems.

Using Computer Groups for Update Deployment

To deploy an update to a managed computer, the computer must be a member of a computer group. You can either use Essentials 2010 predefined computer groups or create a new group. In a single update deployment, you can deploy multiple updates to multiple computer groups.

Initial Synchronization

To start to deploy updates to managed computers, Essentials 2010 must complete an initial synchronization with Microsoft Update. During this initial synchronization, Essentials 2010 downloads information about updates and then downloads the updates according to the criteria that you specified. This process might require extensive resources, depending on your settings.

Subsequent synchronization runs on a regular schedule; however, it is faster than the initial synchronization because Essentials 2010 downloads only those updates that were published since the previous synchronization. When you configure update management for the first time after you install Essentials 2010, you can select to perform the initial synchronization.

Automatic Approval

You can configure update management with automatic approval for selected types of updates and for selected computer groups. After you configure automatic approval, the selected updates are automatically approved for the specified groups when Essentials 2010 downloads updates of the specified type. Deployment of those updates starts immediately without additional administrative intervention.

Update Management Process on Managed Computers

The agent on managed computers checks for new updates every 22 hours. After the administrator approves updates for deployment, in its next cycle, the agent on an approved computer detects that a new update is available. The agent then determines when the update must be installed and displays a notification icon in the computer's notification area.

If an update requires a restart, the agent complies with the current domain restart policies that are in effect on the computer.

Important

Automatic Updates must be enabled on the managed computer to enable Essentials 2010 to deploy updates to that managed computer. To view the status of Automatic Updates, in Control Panel, select Automatic Updates.

Installation Schedule

The installation schedule of an approved update depends on whether you set an installation deadline for the update and on the Automatic Updates settings:

  • If you set a deadline, the update is automatically installed during the next check-in from the client computer.

  • If you did not set a deadline, the installation time depends on how Automatic Updates is configured on the computer:

    • If Automatic Updates is configured to automatically download and install at a certain time, the update is installed automatically at that time unless the user manually installs it before that time.

    • If Automatic Updates is configured for automatic download and manual installation, the user can install the update at any time.

Keeping a Computer Up-to-Date When Disconnected from the Corporate Network

Computers managed by Essentials 2010 check that the Essentials management server is available by using the PING command (Internet Control Message Protocol or ICMP). If the management server is available to the managed computer, then the managed computer receives any updates that are approved for installation. If the management server does not have PING enabled, or if the managed computer is a laptop or portable computer and is disconnected from the corporate network for more than six hours, the managed computer is reconfigured to obtain updates from Microsoft Update. The computer receives all important updates, regardless of whether the updates were approved. When the managed computer is reconnected to the corporate network, it reconfigures itself to be managed by the Essentials management server and only installs approved updates.

To prevent this behavior, ensure that PING is enabled on the management computer and, in the Essentials console, in the Authoring workspace, configure an override to disable the Microsoft.SystemCenter.Essentials.WindowsUpdateRoaming rule. For more information, see Targeting in Essentials and Overrides in Essentials.

See Also

Tasks

How to Approve or Decline an Update for Deployment in Essentials
How to Configure Essentials to Automatically Select and Approve Updates
How to Configure Automatic Approvals to Support Deadlines in Essentials
How to Manually Synchronize Updates with Microsoft Update in Essentials
How to View Synchronization Status in Essentials

Concepts

Targeting in Essentials
Overrides in Essentials

Other Resources

Update Management in Essentials