Guide to Software Updates Deployment in Configuration Manager 2007


I get a lot of requests for information about how to do software update deployments in System Center Configuration Manager 2007 so I thought I would put together a quick guide explaining the process.  It turned out to be quite large so I broke it into two parts: Part 1 is below and covers Update Lists, Deployment Packages and Deployment Templates, and then Part 2 will cover the deployments themselves.

Deploying Software Updates

Software updates are deployed to client computers using the Deploy Software Updates Wizard, much like it is in SMS 2003, but new objects have been introduced and there have been changes to the deployment process. I have made an attempt to explain these changes with help of screenshots.

Update Lists

Update lists provide the ability to initiate a deployment for a set of software updates contained in the list. Using the update list provides several benefits when deploying and monitoring software updates and is, therefore, part of the recommended software updates workflow. Update lists allow administrators to create a deployment from the update list instead of manually selecting the set of updates every time a new deployment is created. They allow administrators to use reports for specific update lists to monitor the compliance for the software updates and help to troubleshooting updates contained in the list. Update lists also allow administrators to create update lists with approved updates, and then delegate the responsibility to deploy the update lists.

clip_image002

clip_image004

clip_image006

clip_image008

Deployment Packages

Deployment packages are used to host the files for the software updates in a deployment, much like that of software distribution packages. The main difference is that the deployment package is used to get the files to the Distribution Points, but once that process completes, client computers will access the software update files from any package shared folder on any Distribution Point regardless of whether the package was defined in the deployment that targeted the client. When the client computer receives a new deployment, it determines where the software update files are located, independent of the deployment, and install from the preferred location.

clip_image010

Deployment Templates

Deployment templates provide the ability to save a set of deployment properties for use in future software update deployments. When a deployment template is used in creating a new deployment, it populates the deployment with the preconfigured properties. This provides consistency among deployments with similar requirements and saves a lot of administration time.

clip_image012

clip_image014

clip_image016

Deployment Deadline

When creating a software update deployment in the Deploy Software Updates Wizard, the Deployment Schedule page allows a deployment deadline date and time to be configured. Deployment deadlines can also be configured from the Deployment Schedule tab in the properties for the deployment.

Setting a deadline makes the deployment mandatory, and it enforces the software update installation on client computers by the configured date and time.

If the deadline is reached and the software update deployment has not yet run on the client computer, the installation starts automatically whether or not a user is logged on to the computer. A system restart can be enforced if it is necessary for the software update installation to complete.

On client computers, display notifications will appear that inform the user that one or more software updates are ready to install and the date for the earliest deadline time displays. For example, if there are two deployments with deadlines that are two days apart, the deployment deadline that comes first displays in the notifications to users. Once the software updates have been installed for the deployment with the earliest deadline, the client computer will continue to receive notifications, but the deadline will now display the deadline for the second deployment.

In SMS 2003, deadlines were set to occur x days after the client received the policy to install the software updates. Deployment deadlines have been simplified in Configuration Manager 2007 and are now configured for an explicit date and time. SMS 2003 clients in the Configuration Manager hierarchy will also use the configured deadline date and time for deployments targeted to them.

When software updates that have a configured deadline become available on a client computer, the Available Software Updates icon appears in the notification area that informs the user of the pending deadline. Display notifications are presented on a periodic basis until all pending mandatory software update installations have completed. By default, they are displayed every three hours for deadlines more than 24 hours away, every hour for deadlines less than 24 hours away, and every 15 minutes for deadlines that are less than one hour away.

Required System Restart

By default, when software updates from a mandatory deployment have installed on a client computer but a system restart is required for the installation to complete, the system restart will be initiated. For software updates that have been installed prior to the deadline, the automatic system restart will be postponed until the deadline, unless the computer is restarted prior to that for some other reason. The system restart can be suppressed for servers and workstations. These settings are configured in the Restart Settings page of the Deploy Software Updates Wizard when creating a deployment and in the Restart Settings tab in the deployment properties. This setting can also be configured in a deployment template.

clip_image018

Planning for Maintenance Windows

Maintenance windows provide administrators with a way to define a period of time that limits when changes can be made on the systems that are members of a collection. Maintenance windows restrict when the software updates in deployments can be installed on client computers, as well as operating system advertisements and software distribution advertisements. Client computers determine whether there is enough time to start a software update installation by using the following three settings:

Restart countdown: Specifies the length of the client restart notification (in minutes) for computers in this site. The default setting is 5 minutes. This setting is available as a global setting in the Computer Client Agent Properties dialog box.

System restart turnaround Time: Specifies the length of time given for computers to initiate the system restart and reload the operating system. This setting is stored in the site control file for the site and has a default value of 10 minutes.

Maximum run time: Specifies the amount of time that is estimated for a software update to install. The default setting is 20 minutes for updates and 60 minutes for service packs. This setting can be modified for individual software updates on the Maximum Run Time tab for the properties for the software update.

When these settings are used to determine the available maintenance window, each software update has a default of 35 minutes (75 minutes for service packs). When planning for maintenance windows, take these defaults into consideration. When planning software update deployments to client computers, be aware of the configured maintenance window, how many software updates are in a deployment (so that you can forecast whether client computers will be able to install the updates within the maintenance window) and whether the update installation will span multiple maintenance windows. When software update installation has completed, but there is not enough time in the maintenance window for the computer to restart, the computer will wait until the next maintenance window and initiate the restart before installing pending update installations. When there are multiple software updates to be installed on a client computer with a configured maintenance window, the update with the lowest maximum run time installs first, the update with the next lowest maximum run time installs next, and so on. Before installing each update, the client verifies that the available maintenance window is long enough to install the update. After an update starts installing, it will continue to install even if the installation goes beyond the end of the maintenance window. When creating a software update deployment, there are two settings that allow maintenance windows to be ignored as follows:

Allow system restart outside of maintenance windows: Specifies whether to allow system restarts for both workstations and servers outside of configured maintenance windows. By default, this setting is not enabled. This setting is beneficial when you want your software update installation to complete on client computers as soon as possible. When this setting is not specified, a system restart will not be initiated if the maintenance window ends in 10 minutes or less. This could prevent the installation from completing and leave the client computer in a vulnerable state until the next maintenance window. This setting is available on the Restart Settings page of the Deployment Template Wizard or Deploy Software Updates Wizard.

Ignore maintenance windows and install immediately at deadline: Specifies whether the software updates in the deployment are installed at the deadline regardless of a configured maintenance window. By default, this setting is not enabled and is available only when there is a deadline configured for the deployment. This setting is beneficial when there are software updates that must be installed on client computers as soon as possible, such as the updates in an expedited deployment. This setting is available on the Schedule page of the Deploy Software Updates Wizard.

clip_image020

clip_image022

clip_image024

That’s it for Part 1, so be sure to check out Part 2 where I discuss putting all this together and doing the actual deployment.  Part 2 can be found here:

Guide to Software Updates Deployment in Configuration Manager 2007 – Part 2

Adnan Ezzi | Configuration Manager Support Engineer

Comments (23)
  1. Adnan Ezzi says:

    You an also download the content in .doc if the pictures are blurry from the following link

    blogs.technet.com/…/deploying-software-updates-with-sccm-2007.aspx

  2. Anonymous says:

    SCCM Update in russian: http://itband.ru/tag/update/

  3. Anonymous says:

    Yes, link to part 2 please.  Also agree about the screen shots and this is a great article.  Thanks.

  4. Great Articles….but I have one question regarding Reimder Notification.

    Can I configure customize reminder notification as per customer requirement like as (4 hours and every 15 minutes got users pop-up for reboot reminder). Please sugest the same.

  5. Adnan Ezzi says:

    You can download the content in doc from the following link if the pictures are blurry

    blogs.technet.com/…/deploying-software-updates-with-sccm-2007.aspx

    Thank you all for the feedback

  6. Anonymous says:

    A couple good resources for you (community generated):

    The SCCM 2007 Software Updates Wiki:

    http://www.myitforum.com/myITwiki/SCCMSU.ashx

    Patch Management directions for SCCM:

    http://myitforum.com/cs2/blogs/cstauffer/archive/2008/11/13/patch-management-directions-for-sccm.aspx

  7. Adnan Ezzi says:

    You can download the content in doc from the following link if the pictures are blurry

    blogs.technet.com/…/deploying-software-updates-with-sccm-2007.aspx

    Thank you all for the feedback

  8. Kukulkan says:

    Thanks for the article, the only suggestion I would give is to use better screen shots.  They're so blurry they're nearly useless.

  9. Nalin says:

    Hi

    Very good post. That's all I can say .

    Thank you for your effort.

  10. Olufis says:

    This is fantastic, please any link to part 2?

  11. APJ says:

    How to Identify (From Which Log) who has configured the Patching. Thanks in advance.

  12. Jarrod Mitchell says:

    I noticed that in the section for Display Notifications you mention the Default Times for display notification. Can you advise if these notification times and be customized?

    Great article by the way.

  13. Midhun.ps says:

    Please let me how to check the patch compliance report and how to configure that

  14. Halfmad says:

    Great guide, 2 years after my training I've been asked to deploy SCCM/WSUS and this has been a great refresh!

  15. Raul Samayoa says:

    this is good, but what to do if I'm missing updates that are showing only in WSUS console but not in SCCM console

  16. Bhasker says:

    This is very good document but the images are blurr …adjusted. Where si the next part?

    How do you monitor the reboot jobs once scheduled in maintenance window…can we generate/configure this in SCCM 2007.

  17. jim says:

    Soooooo, there really isn't a part two then???

  18. Thanks but no thanks says:

    Thanks for skipping the Deployment Package screen. That was the only useful thing i was looking for.

  19. Dave says:

    Is there any way to configure software updates that require a restart, to remind the user to restart but not force an automatic reboot?

  20. Bob Morris says:

    We're trying to work backwards in deploying older updates to catch-up.  We have a master Update List, that we are adding older updates to in ~50 update lots to deploy.  When selecting older updates from a Search Folder, if I select and drag to the Update List that has some of the selected updates, you get a warning of this asking if you want to proceed.  Will this cause a problem, or is SCCM smart enough to ignore the duplication. I'm trying to avoid having to manually verify and exclude duplicate updates in the in the Search Folders.  

  21. sccm says:

    looking for troubleshooting document for e.g error code 11752, 11756,  & 11751, 11759,

  22. MSB says:

    Hi,

    While creating update list, the deployment package option is not comming as per your first screenshot, the options shown only Update List, Security, Summary, Progress and Confirmation. Deployment Package, Download Location and Language Selection option is not shown. Due to this, I am unable to create Deployment Package, now I have been created Update List, Deployment Template, Deployment Management, but I'm unable to proceed to next stage.

    Kindly help on this…

    Regards,

    MSB

  23. SS says:

    The screenshots are unreadable, and saved in jpeg for extra unreadability.  I am amazed how extraordinarily complicated it is possible to make an ugrade proicess.  Congratulations Microsoft!  I come from a world where all opgrades are a simple matter of apt-get update; apt-get upgrade, and I am flabbergasted by the level of clicketyclickery needed to do something similar in Windows.  And then only the operating system is upgraded.  Not installed software.  I can't even make this work, and can't see what you are doing here either because the screenshots are unreadable. 🙁

Comments are closed.

Skip to main content