Best Practices for Software Updates
Updated: April 1, 2011
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
This section provides best practices for software updates in Configuration Manager 2007. Review and consider the following recommendations when planning and using software updates in your environment.
Installation/Upgrade Best Practices
The following are best practices for the installation of or upgrade to Configuration Manager 2007:
the Windows Update Agent on client computers in a phased software distribution before upgrading the WSUS server on the software update point.
When Windows Server Update Services (WSUS) on the software update point is upgraded, there are scenarios, such as the self-update process, where every client computer assigned to the site will connect to the WSUS server at the same time to upgrade the Windows Update Agent (WUA). This could potentially result in high network bandwidth and performance issues on the WSUS server.
Configuration Manager and WSUS use the same SQL Server, one should use a named instance and one should use the default instance of SQL Server.
When the Configuration Manager 2007 and WSUS databases use the same SQL Server and share the same instance of SQL, it is difficult to determine the resource usage between the two applications. Using a different SQL instance for Configuration Manager 2007 and WSUS provides the ability to better troubleshoot and diagnose resource usage issues that might occur for each application.
Use a custom Web site during WSUS 3.0 installation.
During the WSUS 3.0 installation, you can specify whether to use the default Internet Information Services (IIS) Web site or create a WSUS 3.0 Web site. It is recommended that you select Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in a dedicated Web site instead of sharing the same Web site used by the other Configuration Manager 2007 site systems or other applications. When using a custom Web site for WSUS 3.0, the default port numbers are port 8530 for HTTP protocol and port 8531 for HTTPS protocol (Secure Sockets Layer, or SSL). These port settings will need to be specified when creating the active software update point for the site. For the step-by-step procedures for installing WSUS 3.0 for software updates, see How to Install Windows Server Update Services 3.0
Store updates locally
setting during WSUS 3.0 installation.
During the WSUS 3.0 installation, you should select Store updates locally so that any license terms associated with software updates are downloaded and stored on the local hard drive for the WSUS server during the synchronization process. When this setting is not selected, client computers might fail to scan for software updates compliance for updates that have a license terms. When the active software update point is installed, the Store updates locally setting in WSUS is automatically configured, and WSUS Synchronization Manager will verify that the setting is enabled every 60 minutes by default.
Operations Best Practices
The following are best practices for performing Configuration Manager 2007 operations:
Software update limits per software update deployment or deployment package
To avoid possible performance issues, we recommend that you do not add more than 500 software updates to a single software update deployment or deployment package.
Suppress display notifications for deployments that contain optional updates.
When optional software updates are deployed to and available on a Configuration Manager 2007 client computer and the Install required updates on a schedule setting is enabled on the client computer, a display notification might appear every 3 hours that incorrectly indicates that the software update will automatically install at a specific time. Because the software update is optional, the notification is incorrect and the software update will not be automatically installed on the client computer. This issue does not occur on client computers that do not have the Install required updates on a schedule setting enabled. Specify the Suppress display notifications on clients setting on the Display/Time Settings page of the Deploy Software Updates Wizard when deploying optional software updates to client computers that have the Install required updates on a schedule setting enabled.
When creating test deployments, select one local distribution point and add additional distribution points when the deployment is ready.
When a software update is added to a deployment that is configured with the Deploy software updates to SMS 2003 clients setting or when the start time setting in the deployment is modified, the package source will be updated, the deployment package version will be incremented, and the distribution points configured for the package will be updated.When creating a deployment for testing, it is recommended that you configure the deployment package with a local distribution point so that the package refresh does not copy the update files from the deployment to all distribution points every time a new update is added or when a new start time is configured. This is especially true when the update files are large, such as service packs, when there are a large number of distribution points in your environment, or when the network bandwidth to your distribution points is limited.
Note A package refresh does not occur when a software update is added to a deployment that targets only Configuration Manager 2007 client computers.
Interop Best Practices
The following are best practices for the interoperability of Configuration Manager 2007 and SMS 2003:
Run update installation from distribution point
when deploying software updates to SMS 2003 clients in the Deploy Software Updates Wizard.
When creating a software update deployment that targets SMS 2003 clients, select Run update installation from distribution point on the SMS 2003 Settings page of the Deploy Software Updates Wizard. When this setting is selected, SMS 2003 clients will run the update installation from the distribution point only for required software updates. Following this practice is especially important when the deployment contains a large number of software updates, because unlike Configuration Manager 2007 client computers, which download only required software updates from a deployment, SMS 2003 clients download all software updates in the deployment regardless of whether they are required on the client.
removing the Inventory Tool for Microsoft Updates from the hierarchy, clear the
Deploy software updates
setting in all active deployments.
After the Inventory Tool for Microsoft Updates is removed from the hierarchy, the software updates metadata specific to the tool will be set to an expired state. When there are active deployments that deploy software updates to SMS 2003 clients, the software updates in the deployment will display as expired but cannot be removed. The deployment will continue to work for the valid software updates, but the deployment will be displayed with a gray icon indicating that there are expired updates in the deployment.
To prevent this issue, clear the Deploy software updates to SMS 2003 clients setting in the properties for all active deployments before removing the Inventory Tool for Microsoft Updates.
Download software updates before deploying software updates to SMS 2003 clients when some updates in the deployment are already downloaded.
When creating a software update deployment that will target SMS 2003 clients and at least one software update has not yet been downloaded, all of the software updates not in the package configured for the deployment will be downloaded even when they were previously downloaded to another package. When all software updates have been downloaded prior to creating the deployment, when the downloaded updates were previously downloaded to the package selected in the deployment, or when the Deploy software updates to SMS 2003 clients setting is not selected in the deployment, the wizard downloads only the software updates that have not been previously downloaded.
To prevent this behavior, download the software updates that have not yet been downloaded prior to creating the deployment to SMS 2003 clients by using the Download Updates Wizard or the Update List Wizard.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.