MNSCUG 8/21/2008


Agenda
• Eat / Relax / Introductions
• Recap of last year of MNSCUG
• Officer Elections
• New meeting ideas
• SCCM / WSUS Patching Overview / Demonstration / Pitfalls
Yearly Recap
– One year term of President and V.P.
– Past Meetings
• SCCM Native Mode requirements (Jul)
• Operating System Deployment Deep Dive (Nov)
• Round Table / Misc topics in OM and CM (Jan)
• SCOM – Desktop Error Reporting (Feb)
• 1E Vendor presentation (Mar)
• SQL / Web Reporting MMS topic by Wells Fargo (Apr)
• Round Table – MMS recap (May)
• Summer Break (Jun/Jul)
• SCCM / WSUS (Aug)
– Formal presentations / Round Table / Vendor presentation – what makes the group work?
Elections
• 1 Year terms
• Nominations for President / V.P.
– Duties
• Plan future meetings
• Present topics / Moderate meetings
• Find other speakers
• Send out invites / manage email lists
• Coordinate room reservations / order food / beverages
– Other positions
• Web coordinator
• Meeting / Event planner
• Sergeant at Arms 
New “Team” based presentations
SCOM
• Management Packs
• How other companies are benefitting
• ACS
• AEM
• Reporting
SCCM
• R2 features
• SP1 features (OOB/vPro)
• Asset Intelligence
• SQL/Collections/Reports
• OSD / Task Sequences
• DCM
• NAP
• Software Updates/WSUS
More Team roles
• SoftGrid / AppVirt
• The Art of Packaging
• PowerShell / Scripting
• Forefront / Sterling
• Server 2008
• MCITP / Certification Study Help
- Try to work with people not from your company
- 3 people max per group
- Shoot for a 15 – 30 min demo / talk (or take more time)
- Plan 2 – 3 topics per month (Round Table afterwards)
Patching Overview
• What is everyone using today for patch management?
• SUS/WSUS
– Continues to improve with each version
– Simplified Administration / easy to deploy
– Lacks rollout control / fine grained reporting
• SMS 2003 and ITMU
– Much more power / scheduling
– Not easy to just step in and learn
• Shortcomings
– Patch packages
– Reporting / “Not applicable” is not an option
– Administrative overhead
– Relies on Hardware Inventory framework constraints
Clean slate with SCCM
• MSFT Goals with patching in SCCM
– Improve already powerful scheduling
• Maintenance windows / Reboot / User Experience
– Support large numbers of clients over a large area
• 100k clients behind a 4-way NLB at one site
• Utilize existing DPs for patch content
– Improve reporting
• State-based messages as well as patch compliance
• 34 new reports
– Ease the administrative burden
• New SCCM components – Update Lists, Deployment Templates, Search Folders
• Easier-to-use wizards, drag and drop
– Reuse existing infrastructure if already built – WSUS hierarchy
WSUS 3.0 SP1 Overview
• Why do I need to know how to use this console / troubleshoot WSUS?
– SCCM uses the WUA to deploy patches; you do not have to use the WSUS console, but it can be a good tool to troubleshoot
– C:\windows\windowsupdate.log – the WUA logs everything here, and CM uses this scan data to determine patch compliance – Hint: don’t use Trace32 to read it
– Group Policy for WSUS is essential for stand-alone WSUS but not needed for CM. You can run both WSUS and CM independently, even on the same box, but MSFT does not endorse this.
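Worked example, added here and not part of the MNSCUG deck: a small PowerShell parser for the pre-Windows-10 WindowsUpdate.log format the slide points at, run over constructed sample lines (not real output from any system). It pulls out the three things a ConfigMgr admin checks first when compliance looks wrong: who started the scan (CallerId = CcmExec means the ConfigMgr client kicked it off, AutomaticUpdates means the WSUS/AU schedule did), which WSUS host the agent actually talked to, and any HRESULT error codes. The field layout (date, time, PID, TID, component, message) is the WUA log format of that era; the log path in the last line and the sample lines themselves are assumptions.

```powershell
# Added example (not from the MNSCUG deck). Parses the Windows Update Agent
# log as written by WUA on XP/2003/Vista/2008 (Windows 10 moved it to ETW).
# Field layout: date  time  pid  tid  component  message, whitespace-separated.

# Constructed sample: a CcmExec-initiated scan that cannot resolve the WSUS
# name it was given. These lines are made up for this example.
$SampleWuaLog = @'
2008-08-20 09:15:02:321  964 a4c Agent *************
2008-08-20 09:15:02:321  964 a4c Agent ** START **  Agent: Finding updates [CallerId = CcmExec]
2008-08-20 09:15:02:321  964 a4c Agent   * Online = Yes; Ignore download priority = No
2008-08-20 09:15:02:321  964 a4c Agent   * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
2008-08-20 09:15:03:102  964 a4c PT +++++++++++  PT: Synchronizing server updates  +++++++++++
2008-08-20 09:15:03:102  964 a4c PT   + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://wsus1.company.com/ClientWebService/client.asmx
2008-08-20 09:15:24:418  964 a4c Misc WARNING: SendRequest failed with hr = 80072ee7. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2008-08-20 09:15:24:418  964 a4c PT WARNING: Sync of Updates: 0x80072ee7
2008-08-20 09:15:24:418  964 a4c Agent   * WARNING: Failed to synchronize, error = 0x80072EE7
2008-08-20 09:15:24:418  964 a4c Agent   * WARNING: Exit code = 0x80072EE7
2008-08-20 09:15:24:418  964 a4c Agent **  END  **  Agent: Finding updates [CallerId = CcmExec]
'@

function ConvertFrom-WuaLog {
    # Turn raw log lines into objects; lines that do not match the layout
    # (blank lines, wrapped continuations) are skipped.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $pattern = '^(?<date>\S+)\s+(?<time>\S+)\s+(?<pid>\d+)\s+(?<tid>[0-9a-fA-F]+)\s+(?<component>\S+)\s+(?<message>.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Timestamp = '{0} {1}' -f $matches['date'], $matches['time']
                ProcessId = [int]$matches['pid']
                ThreadId  = $matches['tid']
                Component = $matches['component']
                Message   = $matches['message'].Trim()
            }
        }
    }
}

function Get-WuaScanSummary {
    # Summarise a scan: who called it, which WSUS hosts were contacted,
    # and the distinct error codes seen (as 0x-prefixed HRESULTs).
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $callers = @(); $wsusHosts = @(); $codes = @()
    foreach ($entry in ConvertFrom-WuaLog -Lines $Lines) {
        $m = $entry.Message
        if ($m -match '\[CallerId = ([^\]]+)\]')       { $callers   += $matches[1] }
        if ($m -match 'Server URL = (\S+)')            { $wsusHosts += ([System.Uri]$matches[1]).Host }
        if ($m -match '\b0x([0-9A-Fa-f]{8})\b')        { $codes     += '0x' + $matches[1].ToUpper() }
        elseif ($m -match '\bhr = ([0-9A-Fa-f]{8})\b') { $codes     += '0x' + $matches[1].ToUpper() }
    }
    New-Object PSObject -Property @{
        Callers    = @($callers   | Select-Object -Unique)
        WsusHosts  = @($wsusHosts | Select-Object -Unique)
        ErrorCodes = @($codes     | Select-Object -Unique)
        ScanFailed = ($codes.Count -gt 0)
    }
}

# Run against the constructed sample ...
Get-WuaScanSummary -Lines ($SampleWuaLog -split "`r?`n")
# ... or against the real file on a client (path is the usual location, assumed here):
# Get-WuaScanSummary -Lines (Get-Content "$env:windir\WindowsUpdate.log")
```

For the sample the summary names CcmExec as the caller, wsus1.company.com as the host and 0x80072EE7 (name not resolved) as the only error, which is the shape of the wrong-FQDN GPO problem described later in this deck. Trace32 is not needed for this log; plain text tools and a regex are enough.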
Demo – WSUS
• Prerequisites – 2003 / 2008
• Console
• Settings – Synch / Proxy / Products / Downstream Servers (Replica)
• Automatic Approvals
• Updates
• Assigning clients
– Group Policy overview / setup
• Approving an update
• Reporting
• When would I use this if I have SCCM / SMS?
Questions on WSUS
• Downsides to using WSUS
– Targeting systems – all via machine GPO
– No remote DPs; need high bandwidth or extra servers
– Reporting is OK, not nearly as robust as SCCM
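The approval step of the WSUS demo can be scripted against the WSUS 3.0 Administration API instead of clicked through in the console. The PowerShell below is an added example, not the deck's own material: it reads the last synchronization result, then approves not-yet-approved Security Updates of the chosen MSRC severities to one computer target group, skipping declined and superseded updates and honouring -WhatIf so the list can be reviewed before anything is approved. The server name, port and target group name are placeholders, and it assumes the WSUS console (which installs the Microsoft.UpdateServices.Administration assembly) is present where it runs.

```powershell
# Added example (not from the MNSCUG deck): drive WSUS 3.0 SP1 approvals through
# the WSUS Administration API. Assumes the WSUS console/API is installed locally;
# the server, port and group names below are placeholders.

function Connect-Wsus {
    param([string]$Server = 'wsus1.ad.company.com', [int]$Port = 80, [bool]$UseSsl = $false)
    [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $UseSsl, $Port)
}

function Get-WsusLastSync {
    # Sync status is the first thing to check: no metadata means nothing to approve.
    param([Parameter(Mandatory=$true)]$Wsus)
    $info = $Wsus.GetSubscription().GetLastSynchronizationInfo()
    New-Object PSObject -Property @{
        Result  = $info.Result        # Succeeded / Failed / Canceled ...
        Started = $info.StartTime
        Ended   = $info.EndTime
    }
}

function Approve-WsusSecurityUpdates {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)]$Wsus,
        [Parameter(Mandatory=$true)][string]$TargetGroup,   # client-side targeting group fed by GPO
        [string[]]$Severity = @('Critical', 'Important')    # MSRC severities to approve
    )
    $group = $Wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroup }
    if (-not $group) { throw "Computer target group '$TargetGroup' not found on $($Wsus.Name)" }

    # Scope the query to unapproved updates in the Security Updates classification.
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
    $securityClass = $Wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq 'Security Updates' }
    [void]$scope.Classifications.Add($securityClass)

    foreach ($update in $Wsus.GetUpdates($scope)) {
        # Declined and superseded updates stay out: approving superseded content
        # only adds scan time and confusing "not applicable" rows in reports.
        if ($update.IsDeclined -or $update.IsSuperseded) { continue }
        if ($Severity -notcontains $update.MsrcSeverity) { continue }
        if ($PSCmdlet.ShouldProcess($update.Title, "Approve for Install to '$TargetGroup'")) {
            if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
            [void]$update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
            $update | Select-Object Title, MsrcSeverity, CreationDate
        }
    }
}

# Usage (review with -WhatIf first, then run for real):
# $wsus = Connect-Wsus -Server 'wsus1.ad.company.com' -Port 80
# Get-WsusLastSync -Wsus $wsus
# Approve-WsusSecurityUpdates -Wsus $wsus -TargetGroup 'Pilot' -WhatIf
```

This is the reviewable middle ground between the console's click-per-update approval and a blanket automatic approval rule: the severity and classification filter is explicit, and -WhatIf prints exactly what would be approved. The target group still has to be populated by client-side targeting through the machine GPO, which is the targeting limitation the slide above lists.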
Configuration Manager 2007 SUM Architecture
Figure: architecture diagram. Two flows: compliance assessment using update metadata, and download/deploy/install using CI policy and update binaries. Site side: Site Server (WSUS Control Manager, WSUS Sync Manager, WSUS Admin APIs, ConfigMgr WSUS Configuration Manager), Software Update Point (WSUS Server, WSUS Database), Reports, SUM Admin UI, Management Point, Distribution Point. Client side: Configuration Manager Client with WMI Repository, Client Content Cache, Windows Update Agent, ConfigMgr Agent and Client UI.
SUM End to End
Figure: end-to-end SUM flow between the SUM Admin UI and the Client UI, steps in order:
1. WSUS gets Update Metadata Catalog from MU
2. WSUS syncs Metadata Catalog with Site Server
3. WUA scans client for missing updates against WSUS server
4. Scan results are stored in WMI
5. Compliance State messages are sent to MP
6. Compliance State messages are sent to DB
7. Compliance reports show aggregated scan results
8. Admin UI is used to deploy updates
9. Binaries are downloaded from MU
10. Updates are placed in a Deployment Package on Distribution Point
11. Client gets policy for deployment
12. Client gets update binaries from deployment package and stores them in cache on client
13. Updates are automatically installed on schedule or directly by end user
14. Enforcement State messages are sent to MP
15. Enforcement State messages are sent to DB
16. Deployment reports show aggregated enforcement results
Configuration of Software Update Points
Software Update Point (SUP) Role
• SUP = WSUS + installed ConfigMgr component
• Uppermost SUP will sync with Microsoft Update
Supported configurations
• SUP co-located with Site Server – reduces the number of clients that can be managed
• SUP on a machine remote from the Site Server; can be co-located with MPs
• Can have a separate internet-facing SUP (requires Native Mode)
Each WSUS server supports 25,000 clients
• WSUS can be configured across NLB; supports failover, up to 100,000 clients
• SQL clusters are supported
Clients will always use their assigned site’s SUP
• Can also have a SUP on a secondary site
• Bandwidth consumed – 5MB for initial client deployment, 250K for a typical Patch Tuesday
Compliance and Enforcement States
Update Compliance States
• Update is installed (measured)
• Update is required (measured)
• Update is not required (by inference)
• Detection state unknown
Update Enforcement States
• Enforcement started
• Waiting for content
• Waiting for installation
• Waiting for maintenance window
• Restart required before installing
• General failure
• Pending installation
• Applying
• Pending restart
• Successfully installed
• Failed to install update
• Downloading update
• Downloaded update
• Failed to download
• Enforcement state unknown
Deployment Enforcement States
• Installing update(s)
• Waiting for restart
• Waiting for installation
• Waiting for maintenance window
• Successfully installed
• Pending restart
• Failed to install update
• Downloading update(s)
• Downloaded update(s)
• Failed to download
• Enforcement state unknown
SCCM and the new SUP role
• Pre-requirements
• Installing SUP role – let it bake! – 30k updates
• Decide on box or off box / WSUS database on same box as CM database?
• Differences from WSUS
– Synchronization settings
• Proxy settings are just for metadata – when downloading updates, CM uses the currently logged-on user’s credentials to add files to a Package
– No auto approvals
– Basically CM uses WSUS for metadata from MU and then pushes that to the CM Agents, which then run the WUA
– Every hour SCCM will “reset” the WSUS settings (this is where you need to be careful in a dual environment)
– No need to set the WU location in GPO; it is now set by the CM agent in local policy (must be very careful here). LSDOU precedence applies: a domain GPO that points WUServer somewhere else overrides the local policy CM wrote.
SCCM and WSUS running independently
• Forefront Client Security (FCS) – big problem currently for MSFT
– Anti-malware definition updates come out 3-5 times a day (CM has no auto approvals; WSUS auto approval works great for this)
– CM is not officially supported as the deployment server for FCS
– If CM is installed, WSUS is not officially supported in a dual environment.
• The problem lies in the GPO / Local Policy settings
• As long as the FQDN in your GPO matches what CM would try to set, you will be OK. If not, CM will not work as a SUP.
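A quick way to see the GPO-versus-local-policy fight the slide warns about, as an added PowerShell example that is not from the deck: compare the WUServer value the Windows Update Agent will actually honour with the SUP the ConfigMgr client was told to use. Assumptions: the CM client publishes its SUP as ContentLocation in the CCM_UpdateSource class under root\ccm\SoftwareUpdates\WUAHandler, and both the local policy CM writes and any domain GPO land in the same HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate key, where the domain GPO wins under LSDOU; the hostnames in the usage lines are placeholders.

```powershell
# Added example (not from the MNSCUG deck). Detects a domain GPO overriding the
# WSUS server that the ConfigMgr agent sets as local policy. Assumptions: the
# CM client exposes its SUP in CCM_UpdateSource.ContentLocation, and the setting
# the WUA honours is the WUServer value under the WindowsUpdate policy key.

function Compare-WuaServer {
    # Pure comparison, so it can be exercised without a live client.
    param(
        [Parameter(Mandatory=$true)][string]$PolicyWuServer,   # WUServer from the policy registry key
        [Parameter(Mandatory=$true)][string]$ConfigMgrServer   # CCM_UpdateSource.ContentLocation
    )
    $policy = [System.Uri]$PolicyWuServer
    $cm     = [System.Uri]$ConfigMgrServer
    # Host and port both matter: wsus1.company.com versus wsus1.ad.company.com
    # is a mismatch even when both names resolve to the same box.
    $hostOk = ($policy.Host -ieq $cm.Host)
    $portOk = ($policy.Port -eq $cm.Port)
    New-Object PSObject -Property @{
        PolicyServer    = $policy.AbsoluteUri.TrimEnd('/')
        ConfigMgrServer = $cm.AbsoluteUri.TrimEnd('/')
        HostMatches     = $hostOk
        PortMatches     = $portOk
        Conflict        = -not ($hostOk -and $portOk)
    }
}

function Test-WuaPolicyConflict {
    # Reads the live values on a ConfigMgr 2007 client.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wuServer = (Get-ItemProperty -Path $key -Name WUServer -ErrorAction SilentlyContinue).WUServer
    $useWu    = (Get-ItemProperty -Path "$key\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    $source = Get-WmiObject -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' -Class CCM_UpdateSource -ErrorAction SilentlyContinue |
              Select-Object -First 1
    if (-not $source)   { throw 'No CCM_UpdateSource: ConfigMgr client missing or no SUP assigned yet.' }
    if (-not $wuServer) { throw 'WUServer policy value absent: WUA would scan against Microsoft Update, not the SUP.' }
    $result = Compare-WuaServer -PolicyWuServer $wuServer -ConfigMgrServer $source.ContentLocation
    $result | Add-Member -MemberType NoteProperty -Name UseWUServer -Value $useWu -PassThru
}

# Offline check with the two names from the "Problems we've had" slide (placeholders):
Compare-WuaServer -PolicyWuServer 'http://wsus1.company.com' -ConfigMgrServer 'http://wsus1.ad.company.com'
# On a client:
# Test-WuaPolicyConflict
```

Conflict is reported for the offline pair because the hosts differ. On a live client a Conflict of true together with UseWUServer = 1 means the WUA is scanning against the GPO's server, not the SUP, which is exactly the case where CM stops working as a SUP; WUAHandler.log on that client will also carry the "Group policy settings were overwritten by a higher authority" line each time the agent re-applies its setting.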
Demo – CM Console SUP overview
• Patch Cycle walk through
– Update Repository
• Synchronize – delta versus full
– Update List
• New security for SMS upgrades!
• Used for Reporting (compliance for this month’s updates)
• Used to allow other groups to “pick” their own patches
– Security scoped to just one update list for the Office Team
– Deployment Templates
• Used to quickly pick how a deployment will reboot and look to the user
• Ensures you don’t miss one of these settings month to month
– Reboot / no reboot / display a prompt
– Collection or no Collection (beta template / prod template)
– Time (deadline) to make it mandatory
Demo continued 2
• Search Folders
– Right click – Add to Update List
• Don’t forget to download
– Create a new Package
• This differs from SMS in that you put all patches here, and it only downloads what you need (same engine as the driver database in OSD within SCCM)
• When you add or delete patches it will update the DP with a new version of that package
• Recommended to stay below 500 Updates per package
– Now just drag and drop the update list to your deployment template to create a deployment
Demo – cont 3
• Deployment Management
– Will you reuse existing deployments or delete old and create new?
• If reusing, make sure you change enforcement dates
• Monthly Update List and All Other Updates List / one deployment per month?
• Come up with a plan and modify as needed
– Enforcement of patches
• Mandatory
– Forces download of the patch immediately after machine policy refresh
– Ensures quick enforcement of security policy
– Have to choose whether to impact the user with a reboot, or not impact them and risk no updates
• Optional
– Download happens once the user kicks off the process
– Potentially slow compliance
– If we rely on the user, are we doing our jobs right?
• Combine the two
– Prompt the user and make it mandatory 1 week out; this combines the best of both
• Deploy patches during the OSD Task Sequence or during image build
Demo – cont 4
• Maintenance Windows
– Control when it runs and when you can reboot
– Relies on estimated run times
– Can control reboot behavior
– Must make all Advertisements mandatory if you want to be able to install software during standard working hours (the option to bypass is not available without it)
– These are cumulative – will combine together if multiple Collections have a M.W.
– Servers are a no-brainer for M.W., but what about end users’ Desktops and Laptops?
• Now I can deploy anything and not force a reboot unless I really want it to
• Only catch with patches is you must reboot, or else the Windows Update Agent is held in a locked (pending-restart) state after CM runs a successful patch process, and no further patching happens until you do
Demo – cont 5
• End User impact
– Prompt for Optional / Mandatory about to run
– Reboot held or not
– SCCM icon in system tray – color changing
– Don’t show anything – big risk of never rebooting and no more patching until you do
– 2 prompts in SCCM versus up to unlimited in WSUS – first warning and second, no easy way to stop it
Problems we’ve had
– Downloads happen using BITS from the server to MU
• Known issues with Sonic firewall – allowing partial downloads
– Using XP to download large files (XP SP3)
• Had to use either Vista or 2008 / sometimes 2003 works
– GPO’s not pointing to the correct location
• wsus1.company.com – should be – wsus1.ad.company.com, this is because of an empty root in our domain
– Turned off all access to WU/MU for both user and machine in a GPO to limit errors we would see in logs (Firewall was blocking access anyway)
Resources
• Migration from Systems Management Server 2003 Inventory Tool for Microsoft Updates document
• Integrating FCS with SCCM
• End user experience (GUI)
• Install WSUS on 2008
• SCCM Updates Publisher