Software Updates Management with System Center Configuration Manager 2007 (July 12, 2007)

Chat Topic: Software Updates Management with System Center Configuration Manager 2007
Date: Thursday, July 12, 2007

**Please note:** Portions of this transcript have been edited for clarity.

Experts:
Samoil Samak, Marc Umeno, Shafqat Khan, Brent Dunsire, Raman Saka, Nikhil Manchanda, Eric Mattoon, Rick Duong, Dan Conley

Newsgroup:
https://connect.microsoft.com/messageboards/community.aspx?SiteID=16?
https://www.microsoft.com/technet/sms/2007/evaluate/default.mspx

Start of Chat

Samoil Samak[MSFT] (Expert):
Q:
Will we still support ITMU in SCCM 2007 along with SUM?
A: Yes, we still support ITMU for management of v3 clients but not for management of v4 clients.

Marc Umeno [MSFT] (Expert):
Q:
How does the wizard differ from SMS 2003 when doing updates?
A: There are a number of differences from SMS 2003 - one of the main differences is that you have the ability to use a deployment template for deployments where you will use the same settings over & over (collection, schedule, restarts, etc.).

Shafqat Khan [MSFT] (Expert):
Q:
How do I integrate SCOM alerting with the Software Updates (I know it had its own tab in 2003)?
A: There is a deployment property to raise events for update failures. These events are trapped by SCOM.

Marc Umeno [MSFT] (Expert):
Q:
How does the wizard differ from SMS 2003 when doing updates?
A: BTW, there are a number of wizards now associated with Software Updates, including Update List, Download Updates, Add Updates to Existing Deployment, as well as the Deploy Software Updates Wizard. Since there are a number of different settings for SCCM, those are also reflected in the new wizards.

Samoil Samak[MSFT] (Expert):
Q:
How will the scanning processing be handled in SUM? Do we still have client side scanning? [That is causing a lot of perf issues with ITMU scan]
A: There have been numerous perf improvements in v4 scanning, and now using WSUS server scanning is much faster than using ITMU. There is also no issue with Anti-Virus trying to scan the catalog anymore either.

Raman Saka [MSFT] (Expert):
Q:
What security rights are required now for a Software Update Manager administration role responsible for defining, downloading and deploying software updates?
A: There are new provider classes for Templates, Software Updates and deployments. When upgrading from SMS 2003, most of the permissions are retained. So your delegated deployment scenarios will continue to function.

Marc Umeno [MSFT] (Expert):
Q:
How many software update points will be required per hierarchy? Do I need one per site and, if so, do they all have to be installed on WSUS servers?
A: SCCM SUM requires a software update point (new WSUS-based server role) for every primary site server that is managing software updates. They can be co-located on the same site server or remote on a different machine (where the role can be co-located with other roles, such as an MP). Installation of SUPs on secondary sites is also supported.

Raman Saka [MSFT] (Expert):
Q:
Will SCCM still be supporting multiple scan engines as SMS 2003 does currently?
A: The general approach is to NOT support multiple scanners. Vendors should be able to publish updates into WSUS and from that point onwards all updates are treated alike.

Shafqat Khan [MSFT] (Expert):
Q:
Do all software update points sync with Microsoft Update?
A: Only the top level site's WSUS server syncs from WU/MU. All lower level sites' WSUS servers will sync from the parent.

Dan Conley [MSFT] (Moderator):
Q:
Have any vendors already started working on updates to plug into Software Updates? How soon after release should we expect to see 3rd party ones available?
A: The 3rd party integration to SCCM SUM is similar to the SMS 2003 R2 ITCU feature. Today, you can import catalogs created by 3rd party vendors into SMS 2003 R2 via ITCU. Those same catalogs will import into SCCM via the next generation publishing tool called System Center Updates Publisher (SCUP). SCUP will ship on the SCCM CD, and is available for download via MSDN Subscription.

Marc Umeno [MSFT] (Expert):
Q:
I'm pretty green when it comes to SMS/SCCM and our company is thinking about deploying it to manage our software components. What mechanisms are in place for delivering a patch to a server using SCCM?
A:
1. State & Policy-based infrastructure and reports - we can get near real-time state of scan and enforcement/installation for each & every client.
2. Maintenance windows - must-have functionality for server patching - we can set these for each collection, and they apply to both installation and restarts.
3. Update lists - new object in SCCM, makes it easier to do role-based delegation, also can get non-SCCM folks to approve updates & then create update list (through SDK).
4. State messages are sent up every 5 min for compliance and enforcement. Policy polling interval can be set to 5 min to pick up any new deployments - you can probably kick off an emergency install within 10 min or so. This gives low-latency & great accuracy.
5. There are a number of reports (& DB views) that leverage the new infrastructure, such as overall per-machine compliance for any update list, enforcement state and evaluation state per deployment, and troubleshooting for scan and enforcement. The overall per-machine compliance report can be used as the all-up compliance status to senior management.
6. However the reports that are the most impressive are the brand-new-to-RC0 troubleshooting reports. SCCM can now produce a stack-ranked list of problems for each & every client that has produced a failure. This means that you can know what is wrong with each client centrally without having to hit the logs for each one of them, and can decide how much effort you want to spend to fix the problems.

Shafqat Khan [MSFT] (Expert):
Q:
Is there a way to remotely change the client's cache size?
A: A client side SDK method is exposed to change the cache size. The admin can just send a script through softdist to call this method.

Raman Saka [MSFT] (Expert):
Q:
Do I need any rights on the Configuration Items and Advertisement classes to manage software updates?
A: Software Updates are a type of Configuration Items, so yes. For SMS 2003 Clients you will need SMS Advertisements in case you have interop (some v3 child sites to v4 Site) or some v3 clients. So yes, for interop, Admins will need class rights on SMS advertisements.

Samoil Samak[MSFT] (Expert):
Q:
My company would like to run WSUS and SCCM at the same time. At an earlier webcast, it was mentioned how we needed to be careful with our WSUS GP overwriting changes made by the SCCM client to local policies. Is there one GP we can force to all systems?
A: The SCCM agent will try to change local GP settings, and if it fails - such as when a domain GP is set - then it will fail to scan. We recommend that you allow the SCCM agent to set the GP settings. Otherwise, if you have a domain GP set, then for any changes you make on the Software Update Point, such as address changes etc., you will have to go and change the domain GP to match exactly what the SCCM agent will write to the local GP on the client machine.

Nikhil [MSFT] (Expert):
Q:
REPORT EVENT: {31EA971E-0E2A-4626-BE24-80533CAF3876} 2007-07-11 13:28:52:473-0700 1 148 101 {00000000-0000-0000-0000-000000000000} 0 8024400a CcmExec Failure Software Synchronization Windows Update Client failed to detect with error 0x8024400a.
A: You may need to install an update on your SUP/WSUS Server. For more details look at:
https://support.microsoft.com/default.aspx/kb/898708
https://support.microsoft.com/kb/905422/
https://support.microsoft.com/kb/923507/

Samoil Samak[MSFT] (Expert):
Q:
Are there any additional requirements for software update points when a site is configured for native mode versus mixed mode?
A: This is Eric Mattoon here, I am sharing a laptop with Samoil. The simple answer is yes. The SUP in Native Mode will need a Server Signing certificate. Additionally, five of the Virtual Directories installed with WSUS will need to have SSL enabled (APIRemoting30, ClientAuth, DSSAuth, ServerSync, SimpleAuth). If you are going to use an NLB of SUP's in NM, then there are additional considerations beyond that. These will be in our final documentation (WebDocs, not DVD docs).

Raman Saka [MSFT] (Expert):
Q:
Follow up question to #12 - Will settings created for the SCCM agent allow WSUS and SCCM to work (we have a WSUS server with two child WSUS servers, splitting the load across all systems and the SCCM structure would point to the central server only)?
A: With SCCM, you can use the existing WSUS hierarchy. The only limitation is that one SMS Site can have only 1 WSUS Server. If you need to load balance then you will need to create an NLB of WSUS Servers.

Shafqat Khan [MSFT] (Expert):
Q:
Could you provide details (or point to some documentation to read) on how the Wake-On-LAN functionality will work with pushing out security updates?
A: You can enable WOL on updates deployment (a property to check in Updates Distribute Wizard). The SMS server will try to wake up the client at the enforcement time of the deployment if WOL is supported by the client machine.

Samoil Samak[MSFT] (Expert):
Q:
Are there any issues with a workstation receiving a portion of their updates while connected to the local LAN and then reconnecting later that day using Internet Based Client Management and receiving the rest of their updates?
A: No, there shouldn't be, as long as you have an internet facing Software Update Point, Management Point and Distribution Point that has the content, and the client can contact them (there are client side proxy settings that might need to be set by the user, depending on their internet environment).

Marc Umeno [MSFT] (Expert):
Q:
What is the difference between using stand alone WSUS 3.0 server and also WSUS 3.0 with SCCM integration?
A: WSUS Standalone: Standalone management of Microsoft Updates with simple administration, control, and reporting.

WSUS & SCCM: Comprehensive management of both Microsoft and 3rd-party Software Updates with advanced administration, control, and reporting. Complete configuration management offering, including Application and OS Deployment, Desired Configuration Management, Asset Management, and Network Access Management.

Samoil Samak[MSFT] (Expert):
Q:
We have a WSUS 2.0 server in our environment already, but no SMS presence. We have a domain policy with no set enforcement applied. We are planning to put WSUS 3 and SMS v4 into play at the same time. Is there a preferred order of deployment?
A: You will need WSUS 3 installed first, since SCCM setup will warn you that it is a required component. You will also need to remove any domain GP settings that set the location of WSUS to be used, since the SCCM agent will set the location locally on the client. After installing WSUS, then SCCM, you will need to set up a Software Update Point for each primary site server and configure it to your environment needs.

Shafqat Khan [MSFT] (Expert):
Q:
Will the Wake-On-LAN functionality work on systems that are asleep and on systems that are powered off? Or will it only work on systems that are powered off? And if woken up and patched will there be the ability to shut them down again afterward?
A: I think it should work for both cases. We keep the machine busy during the enforcement only. After enforcement the machine becomes idle. So if the machine is set to shut down after, for example, 15 minutes of idle time, it will power off following that OS policy.

Marc Umeno [MSFT] (Expert):
Q:
Any questions about upgrade/migration from SMS 2003 or interoperability with SMS 2003 clients?

Rick Duong [MSFT] (Expert):
Q:
I am new to Windows XP and I am trying to install XP Service Pack 2 via the Microsoft Update website but the checking for latest updates just runs continuously for at least 40 minutes. Can you recommend a way to get this Service Pack 2 installed?
A: You can also download the SP2 from Microsoft and install it locally. In addition, you can also order the CD as well if you are having network issues. https://www.microsoft.com/windowsxp/sp2/default.mspx

Dan Conley [MSFT] (Moderator):
Ok everyone, thanks for attending today's TechNet chat. Don't forget to sign up for the next chats on SCCM next week, found on the TechNet chat calendar! https://www.microsoft.com/communities/chats/default.mspx