When the Update Management feature is enabled in VMM 2012, the admin starts by adding a pre-built WSUS server to VMM 2012. The following blog details how to use the VMM Sample baselines created when VMM 2012 adds an Update Server (WSUS Server). The following steps should help you understand the process flow that occurs when a sample baseline or any custom created baseline is assigned to fabric servers. Of particular focus, in this blog, is the outline of the communication flow between VMM 2012 , WSUS Server, and the managed computer’s WUA agent during baseline assignment and server scan and remediation.
The following detail assumes you are using a dedicated WSUS server, but if you are using a shared WSUS server please ensure the environment is set up properly before proceeding. (See http://technet.microsoft.com/en-us/library/hh341476.aspx.) This applies to situations where you are using a WSUS server that is managed by SCCM or using a straight WSUS server.
1. Two sample baselines get created when an update server (WSUS) is added to VMM. These baselines contain all hot fixes that are security or critical according to the products types selected in WSUS. In this example, when WSUS was set up, the products were selected according to the supported Operating Systems supported by the VMM 2012 for Fabric servers.
By default, this sample baseline has no assignments. This means it is simply a sample object performing no function until you start using it. To start using this baseline a user should provide a custom name, modify any updates (add/remove), and assign scope.
2. What happens when Baseline scope is assigned? In VMM the change properties of a baseline job kicks off:
Inside this running job, VMM is communicating with WSUS and the following occurs:
· VMM is adds the VMM managed computers scoped within the baseline to a target group in WSUS called SCVMM Managed Computers.
· VMM approves the updates in the baseline for this WSUS target group for scan and install.
3. When the job is complete, enter the Fabric space and switch to the Compliance View. In this view the servers that were scoped to the baseline are in an Unknown Compliance status and have an operational status of Pending Compliance Scan.
a. These two states occur when a computer is assigned a new baseline or an existing baseline assigned to a computer is modified. For example, each month I add a select set of patches to my Security Baseline. All computers assigned to this baseline will go into a compliance scan of Unknown and operational status of Pending Compliance Scan. This lets the administrator know something has changed and that action is required.
4. Determining Compliance – Right click on the object and select the Scan Action or select the object and use the Scan Action in the Ribbon.
What is happening during the Compliance scan job?
a. VMM contacts the VMM Agent on the managed computer.
b. The VMM agent triggers the WUA on the managed computer to scan.
c. WUA agent on the managed computer contacts WSUS.
d. The managed computer scans itself against approved updates within the target group.
e. The WUA on the managed computer delivers the scan results to the VMM agent.
f. The VMM agent filters the scan information based upon what is required in the baseline and delivers that back to the VMM Server.
g. The VMM server displays the compliance status of the managed computer.
5. To view the detailed Compliance status of a managed computer use the Compliance Properties action.
Compliance Properties dialog brings up a detailed list of the compliance according to each assigned baseline:
6. Remediation – In VMM the next step is to use Remediation to bring the managed computer into Compliance.
For the purpose of this blog we are patching a single computer so no orchestration is required. Simply select the managed computer for remediation, the remediation dialog appears. By default any non-compliance patches are automatically selected, but if desired that can be modified to be as granular as you need.
The remediation job starts and the steps below describe what is happening within the context of the running job.
a. VMM sends a list of required updates to the VMM agent on the managed computer.
b. The VMM agent instructs the WUA agent to installed the updates specified in the remediation job.
c. The WUA performs the installation and when it is complete delivers the results to the VMM agent.
d. The VMM agent delivers the results back to the VMM server and the compliance status is reflected in the Compliance view.
Hopefully, this will help everyone understand how to use a sample baseline and the process flow for when a baseline is assigned. From this you should also understand the communication flow between VMM, WSUS, and the WUA agent on each managed computer.
Carmen M. Summers – Senior Program Manager, VMM 2012