Wednesday, April 13, 2011

Patch Management in ConfigMgr 2012 Beta 2

Now ConfigMgr 2012 Beta 2 is configured right (see my other blogs about ConfigMgr 2012 for that), the server must be get ready for Patch Management. On this server WSUS is installed, and the database is hosted on the SQL server. Default I change the rights on the WSUS root folder to Network Service - Full control. Otherwise error messages can be shown when synchronizing Software Updates. (For example: License agreement not ready)

Install the Software Update point role on the Site System server, and configure the role beneath Sites > Configure Site Components > Software Update Management Point. After that choose the "Software Library" tab, and click on "All Software Updates". This will still be empty then. In the Ribbon choose "Synchronize Software Updates" for starting a catalog sync. New Microsoft products in Site Components will become available now.


In ConfigMgr 2007 it was needed to create Search Folders, Update Lists, Deployment Templates, Deployment Management (advertisements) and Deployment Packages. This was a lot of work to create and maintain Software Updates. Because of that, most of time ConfigMgr 2007 and WSUS were keep separate. In ConfigMgr 2012 Beta 2 things are complete different (read: better)!

Now only the following items are available: All Software Updates (with the possibility to create Search Criteria), Software Update Groups, Deployment Packages and Automatic Deployment Rules.


The last one is immediately the most interesting. This because in "Automatic Deployment Rules", all functionality to automatically download Software Updates and deploy them to devices will be configured. That way it's not needed anymore to download Software Updates on a monthly base, and put them in an Update List. Just create an "Automatic Deployment Rules", and see it happen!


The "Automatic Deployment Rules" has the following functionality in it:
  • The choice for creating a new Software Update Group (formely known as Update Lists in ConfigMgr 2007) or use an existing one
  • Selecting the updates from product groups which must be used
  • Configure the Deployment Schedule and User Experience (hide notifications, suppress reboots, and so on)
  • The possibility for creating Alerts and download settings..

It's also needed to create a Deployment Package, for putting in the Software Updates. One package is enough put putting in all Software Updates, or choose to create a package for different products.


Create a Deployment Template now, for the Software Upgrade Group created before. Choose Deploy in the Ribbon, to create a new Deployment Template. There is also still the choice to set a Maintenance Window on the collections, to decide when updates must be installed.

Last reminder: look at the Group Policies if they are configured right. The following must be configured to get it working:
  • Configure Automatic Updates > Disabled
    (so that other people cannot change this setting)
  • Specify intranet microsoft update service location > Enable
    (put in here the SCCM server FQDN and Port Number)

Now all is configured for having Patch Management available!

Update: There were some questions about Patch Management in ConfigMgr 2012 from Daniel. I will answer them in this blog also, because they're handy to know:

1. I didn't find a way to define Search Folders. I only saw the possibility to save Custom Searches. Any ideas?


The idea of Search Folders is not existing anymore in ConfigMgr 2012. You are right about that. Now you can create multiple search criteria, with the possibility to save them. From the Ribbon - Search tab, it is possible to select the saved search criteria then. In my opinion a different approach, with the same result.

2. Where can I create and manage Deployment Templates? 


As it seems for now, Deployment Templates are created automatically. The information needed is taken from the "Automatic Deployment Rules". Within the Software Update Groups, look down in the screen, and choose "Deployment" (next to Summary). Then the Deployment Template for that specific Software Update Group will be displayed. There can be multiple Deployment Templates created per Software Update Group.

3. I created a Deployment Rule and I choosed "new Software Update Group". But never asked for the name and after finished the wizard I didn't see any Software Groups.


I think the Patch Management functionality is not completed in this Beta release. This because there cannot be any existing Software Updates Group selected when creating or editing a "Automatic Deployment Rule". The choice is between Add to an existing, or Create a new one, but both without a choice. The best thing here, is wait till ConfigMgr 2012 is creating the Software Updates Group automatically. Even when selecting "Add to an existing", there will be a new Software Updates Group created, which is not what I want.

4. I also choosed to create a new Deployment Package and after finished the wizard I see the package. But where can I now start the download for the defined updates?


The Download for the defined updates can be started from the Ribbon also. Go to Software Update Groups for that, and start Download from the Ribbon there. Then the Download Wizard will be displayed, with the possibility to create or use a deployment package. Then this package will be displayed in the Console @ Deployment Packages.

----------------------------------------------------------------------
Hope I make things clear with Patch Management functionality in ConfigMgr 2012 this way. In my environment Software Updates are successfully deployed last weekend with ConfigMgr 2012, within the Maintenance Window!

5 comments:

  1. Hi Henk,

    Thanks for your blog. I am concerned just with Beta 2 and Software Updates and I have read your blog. Now I have a few questions:
    1. I didn't find a way to define Search Folders. I only saw the possibility to save Custom Searches. Any ideas?
    2. Where can I create and manage Deployment Templates?
    3. I created a Deployment Rule and I choosed "new Software Update Group". But never asked for the name and after finished the wizard I didn't see any Software Groups.
    4. I also choosed to create a new Deployment Package and after finished the wizard I see the package. But where can I now start the download for the defined updates?

    Thank you for your support,
    Daniel

    ReplyDelete
  2. Hi Henk

    I test SCCM 2012 RC and have a question about "internal patch maintenance".
    I made multiple Software Update Groups (patches from each month) and included the updates in the same deployment package.
    So each month I will get one group more and more patches in the deployment package consuming disk space.
    What about superseded patches?
    Is there an automatic way in SCCM to do some "internal maintenance"?
    I want SCCM to remove superseded patches from groups, deployment packages and file system if I deployed the replacement patches.

    Thanks for your answer.
    Stefan

    ReplyDelete
  3. In ConfigMgr 2012 it's possible to configure Supersedence Rules.

    You can configure a software update to expire as soon as it is superseded by a more recent software update or to expire after a specified period of time when it is superseded by a more recent software update.

    Supersedence settings do not apply to Microsoft Forefront definition updates or to software updates that are superseded by Service Packs. There software updates never expire when they are superseded.

    ReplyDelete
  4. May I know the advantage of ConfigMgr 2012 Beta 2 update.

    ReplyDelete
  5. ConfigMgr 2012 is RTM by now! ConfigMgr 2012 SP1 will be released in Q1 2013. More functionality to come!

    ReplyDelete