TechNET Event - myITforum.com
Software Update Management with
System Center Configuration Manager 2007
Joeie Oon
Senior Product Technology Specialist
Microsoft Singapore
TechNet Security Series II (13th Dec 2007)
Agenda
Key improvements for SCCM 2007
WSUS integration
How SUM works end-to-end
State-based reporting from clients
End-user experience
How SUM integrates with NAP
Custom updates in SCCM 2007
Key Improvements
WSUS Integration
• Only need one scan agent (WUA) and one update source (WSUS)
• Each client scans only for applicable updates
• Full Microsoft Update and 3rd-party content
Policy-based infrastructure
• Accurate, near real-time client state data
• New compliance and operational reports
• Selective download of update binaries
Administrative Improvements
• Deployment templates
• Update lists & search folders
Client improvements
• Maintenance Windows
• Internet-based Client Management
• Better performance
• Pre-deadline scheduled installation
Configuration Manager 2007 SUM Architecture
[Architecture diagram. Two flows: Compliance Assessment (Using Update Metadata) and Download, Deploy, & Install (Using CI Policy and Update Binaries).]
Configuration Manager Site
• Software Update Point
• Reports
• Site Server
• WSUS Control Mgr
• WSUS Sync Mgr
• WSUS Admin APIs
• ConfigMgr WSUS Config Mgr
• WSUS Server
• WSUS Database
• SUM Admin UI
• Management Point
• Distribution Point
Configuration Manager Client
• WMI Repository
• Client Content Cache
• Windows Update Agent
• ConfigMgr Agent
• Client UI
Configuration of Software Update Points
Software Update Point (SUP) Role
• SUP = WSUS + Installed ConfigMgr component
• Uppermost SUP will sync with Microsoft Update
Supported configurations
• SUP co-located with Site Server – reduces # of clients that can be managed
• SUP on a machine remote from the Site Server; can be co-located with MPs
• Can have separate internet-facing SUP (requires Native Mode)
Each WSUS server supports 25,000 clients
• WSUS can be configured across NLB, supports failover up to 100,000 clients
• SQL clusters are supported
Clients will always use assigned site SUP
• Can also have SUP on secondary site
• Bandwidth consumed - 5MB for initial client deployment, 250K for typical Patch Tuesday
Demo
Administrative Experience & Configuring SUP
SUM End to End
1. WSUS gets Update Metadata Catalog from MU
2. WSUS syncs Metadata Catalog with Site Server
3. WUA scans client for missing updates against WSUS server
4. Scan results are stored in WMI
5. Compliance State messages are sent to MP
6. Compliance State messages are sent to DB
7. Compliance reports show aggregated scan results
8. Admin UI is used to deploy updates
9. Binaries are downloaded from MU
10. Updates are placed in a Deployment Package on Distribution Point
11. Client gets policy for deployment
12. Client gets update binaries from deployment package and stores them in cache on client
13. Updates are automatically installed on schedule or directly by end user
14. Enforcement State messages are sent to MP
15. Enforcement State messages are sent to DB
16. Deployment reports show aggregated enforcement results
[Diagram labels: SUM Admin UI, Client UI]
SUM Reports in Configuration Manager 2007
34 New SUM Reports
• SUM categories make it easier to find reports you need
• Compliance, Deployment Management, Deployment States, Scan, Troubleshooting, Distribution to SMS 2003 Clients
Compliance
• Overall per-machine compliance, Per update compliance – update list, collection
• Update, Computer, Deployment,
Deployment
• States: enforcement state, evaluation state
• Requires action: Applicable updates not yet deployed
Troubleshooting
• Scan Errors; Deployment Errors – gives # of machines with particular error code, results in stack-ranked list of issues
Compliance and Enforcement States
Update Compliance States
• Update is installed (measured)
• Update is required (measured)
• Update is not required (by inference)
• Detection state unknown
Update Enforcement States
• Enforcement started
• Waiting for content
• Waiting for installation
• Waiting for maintenance window
• Restart required before installing
• General failure
• Pending installation
• Applying
• Pending restart
• Successfully installed
• Failed to install update
• Downloading update
• Downloaded update
• Failed to download
• Enforcement state unknown
Deployment Enforcement States
• Installing update(s)
• Waiting for restart
• Waiting for installation
• Waiting for maintenance window
• Successfully installed
• Pending restart
• Failed to install update
• Downloading update(s)
• Downloaded update(s)
• Failed to download
• Enforcement state unknown
Network Access Protection
[Diagram: NAP remediation flow.]
• Components: CSS, DP, MP, AD, Healthy Client, Health Registration Authority, System Health Validator
• Networks: Protected Network, Boundary Network, Quarantine Restricted Network
• Flow labels: Publish Health State in Active Directory; Install Required Updates; Download New Policy; Retrieve Health State Policy; Send Statement of Health for Evaluation
System Center Updates Publisher
Follow-on to Inventory Tool for Custom Updates
Install on workstation for content authoring and/or publishing to a Software Update Point (SUP)
Import updates from outside sources
Customers create their own update catalogs
Publish updates to the SUP
Manage update metadata, revising and editing catalog data
Client Requirements for Custom Updates
Windows Update Agent needs to be configured to accept third-party content (this is a GPO/registry setting)
Clients will need to have the WSUS signing certificate deployed to the trusted publisher store (AD, Certificate Services, etc.)
Customers can supply their own cert for this or the publishing tool can generate a self-signed cert that is private to the customer’s environment
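One way to audit a client for the two prerequisites above, as an added example that is not part of the original slides. It assumes the WUA setting is the AcceptTrustedPublisherCerts policy value (Group Policy "Allow signed updates from an intranet Microsoft update service location"); the function name and the thumbprint placeholder are hypothetical, and the Trusted Root check for a self-signed certificate goes beyond what the slide lists.

```powershell
param(
    # Placeholder: thumbprint of your own WSUS signing certificate.
    [string]$Thumbprint = '<WSUS-SIGNING-CERT-THUMBPRINT>'
)

# Hypothetical helper name; returns one object describing this client's readiness.
function Get-CustomUpdateReadiness {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Normalise the thumbprint (strip spaces and hidden characters from copy/paste).
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    # Prerequisite 1: WUA accepts signed non-Microsoft content from the intranet update service.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    # Prerequisite 2: signing certificate is in the machine's Trusted Publishers store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1

    # A self-signed certificate has no chain, so it must also be a trusted root.
    $selfSigned = [bool]($cert -and ($cert.Subject -eq $cert.Issuer))
    $inRoot = [bool](Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $thumb })
    $expired = [bool]($cert -and ($cert.NotAfter -lt (Get-Date)))

    $ready = ($val -eq 1) -and [bool]$cert -and (-not $expired) -and
             ((-not $selfSigned) -or $inRoot)

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        WuaAcceptsThirdParty   = ($val -eq 1)
        CertInTrustedPublisher = [bool]$cert
        CertExpired            = $expired
        SelfSigned             = $selfSigned
        CertInTrustedRoot      = $inRoot
        Ready                  = $ready
    }
}

$result = Get-CustomUpdateReadiness -Thumbprint $Thumbprint
$result
if (-not $result.Ready) {
    Write-Warning 'Client will reject custom updates published to the SUP.'
    exit 1
}
```

A client that fails either check will scan against the SUP but refuse to install locally published updates, so the result is worth collecting before the first custom catalog is published.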
Current Catalog Partners
1E
Adobe
Citrix
Hewlett-Packard
Dell
Sanbolic
Yosemite
Microsoft Enterprise Software Update Management
Advanced Software Update and Configuration Management
• Comprehensive management of both Microsoft and 3rd-party Software Updates with advanced administration, control, and reporting.
• Complete integrated configuration management offering including Application and OS Deployment, Desired Configuration Management, Asset Management, and Network Access Management.
Basic Software Update Management
• Free Windows Server download that provides simple administration, control and reporting of Microsoft updates.
• The platform for System Center Configuration Manager Software Update Management.
Summary
• We’ve listened to you
• WSUS integration and new policy-based update management infrastructure provide big gains in capability
• Significant improvements in administrative experience and client management functionality
• System Center Configuration Manager 2007 is the right choice for customers that need its advanced Software Updates Management functionality and integration with other features
Resources
System Center Product Family Homepage
http://www.microsoft.com/systemcenter
System Center Configuration Manager Homepage
http://www.microsoft.com/systemcenter/configmgr/default.mspx
Learn more from Configuration Manager Webcasts
http://www.microsoft.com/events/series/technetmms.aspx?tab=webcasts&id=42364