
MNSCUG 8/21/2008


redell

Presentation Transcript


  1. Agenda
     • Eat / Relax / Introductions
     • Recap of last year of MNSCUG
     • Officer Elections
     • New meeting ideas
     • SCCM / WSUS Patching Overview / Demonstration / Pitfalls
     MNSCUG 8/21/2008

  2. Yearly Recap
     • One year term of President and V.P.
     • Past Meetings
     • SCCM Native Mode requirements (Jul)
     • Operating System Deployment Deep Dive (Nov)
     • Round Table / Misc topics in OM and CM (Jan)
     • SCOM – Desktop Error Reporting (Feb)
     • 1E Vendor presentation (Mar)
     • SQL / Web Reporting MMS topic by Wells Fargo (Apr)
     • Round Table – MMS recap (May)
     • Summer Break (Jun/Jul)
     • SCCM / WSUS (Aug)
     • Formal presentations / Round Table / Vendor presentation – what makes the group work?

  3. Elections
     • 1 Year terms
     • Nominations for President / V.P.
     • Duties
     • Plan future meetings
     • Present topics / Moderate meetings
     • Find other speakers
     • Send out invites / manage email lists
     • Coordinate room reservations / order food / beverages
     • Other positions
     • Web coordinator
     • Meeting / Event planner
     • Sergeant at Arms

  4. SCOM Management Packs How other companies are benefitting ACS AEM Reporting SCCM R2 features SP1 features (OOB/vPro) Asset Intelligence SQL/Collections/Reports OSD / Task Sequences DCM NAP Software Updates/WSUS New “Team” based presentations

  5. More Team roles
     • SoftGrid / AppVirt
     • The Art of Packaging
     • PowerShell / Scripting
     • Forefront / Sterling
     • Server 2008
     • MCITP / Certification Study Help
     • Try to work with people not from your company
     • 3 people max per group
     • Shoot for a 15 – 30 min demo / talk (or take more time)
     • Plan 2 – 3 topics per month (Round Table afterwards)

  6. Patching Overview
     • What is everyone using today for patch management?
     • SUS/WSUS
     • Continues to improve with each version
     • Simplified Administration / easy to deploy
     • Lacks rollout control / fine grained reporting
     • SMS 2003 and ITMU
     • Much more power / scheduling
     • Not easy to just step in and learn
     • Shortcomings
     • Patch packages
     • Reporting / “Not applicable” is not an option
     • Administrative overhead
     • Relies on Hardware Inventory framework constraints

  7. Clean slate with SCCM
     • MSFT Goals with patching in SCCM
     • Improve already powerful scheduling
     • Maintenance windows / Reboot / User Experience
     • Support large numbers / over a large area
     • 100 k behind 4 way NLB at one site
     • Utilize existing DP’s for patch content
     • Improve reporting
     • State based messages as well as patch compliance
     • 34 new reports
     • Ease the administrative burden
     • New SCCM components – Update Lists, Deployment Templates, Search Folders
     • More easy to use wizards, Drag and Drop
     • Reuse existing infrastructure if already built – WSUS hierarchy

  8. WSUS 3.0 SP1 Overview
     • Why do I need to know how to use this console / troubleshoot WSUS?
     • SCCM uses the WUA to deploy patches and you do not have to use the WSUS console but it can be a good tool to troubleshoot
     • C:\windows\windowsupdate.log – WUA logs everything here, CM uses this scan data to determine patch compliance – Hint: don’t use Trace32
     • Group Policy for WSUS is essential, but not needed for CM, but you can run both WSUS and CM independently even on the same box. MSFT does not endorse this.

  9. Demo – WSUS
     • Pre requirements – 2003 / 2008
     • Console
     • Settings – Synch / Proxy / Products / Downstream Servers (Replica)
     • Automatic Approvals
     • Updates
     • Assigning clients
     • Group Policy overview / setup
     • Approving an update
     • Reporting
     • When would I use this if I have SCCM / SMS?

  10. Questions on WSUS
      • ???
      • Downsides to using WSUS
      • Targeting systems – all via machine GPO
      • No remote DP’s need high bandwidth or extra servers
      • Reporting is ok, not near as robust as SCCM

  11. Configuration Manager 2007 SUM Architecture

  12. SUM End to End

  13. Configuration of Software Update Points

  14. Compliance and Enforcement States

  15. SCCM and the new SUP role
      • Pre-requirements
      • Installing SUP role – let it bake! – 30k updates
      • Decide on box or off box / WSUS database on same box as CM database?
      • Differences from WSUS
      • Synchronization settings
      • Proxy settings just for MetaData – When downloading updates uses currently logged on user credentials to add files to a Package
      • No auto approvals
      • Basically CM uses WSUS for Metadata from MU and then pushes that to the CM Agents to then run WUA
      • Every Hour SCCM will “reset” the WSUS settings (This is where you need to be careful in a dual environment)
      • No need to set WU location in GPO, it’s now set by CM agent in a local policy (Must be very careful here) LSDOU precedence

  16. SCCM and WSUS running independently
      • Forefront Client Security (FCS) – Big problem currently for MSFT
      • Anti-malware definition updates come out 3-5 times a day (no auto approvals – WSUS works great for this)
      • CM is not officially supported as the deployment server for FCS
      • If CM is installed, WSUS is not officially supported in a dual environment.
      • Problem lies in the GPO / Local Policy settings
      • As long as the FQDN of your GPO matches what CM would try to set you will be ok. If not, CM will not work as a SUP.

  17. Demo – CM Console SUP overview
      • Patch Cycle walk through
      • Update Repository
      • Synchronize – delta versus full
      • Update List
      • New security for SMS upgrades!
      • Used for Reporting (compliance for this months updates)
      • Used to allow other groups to “pick” their own patches
      • Security to just one update list for Office Team
      • Deployment Templates
      • Used to quickly pick how a deployment will reboot and look to user
      • Ensures you don’t miss one of these settings month to month
      • Reboot / no reboot / display a prompt
      • Collection or no Collection (beta template / prod template)
      • Time to make it mandatory

  18. Demo continued 2
      • Search Folders
      • Right click – Add to Update List
      • Don’t forget to download
      • Create a new Package
      • This differs from SMS in that you put all patches here, and it only downloads what you need (same engine as driver database in OSD within SCCM)
      • When you add or delete patches it will update the DP with a new version of that package
      • Recommended to stay below 500 Updates per package
      • Now just drag and drop the update list to your deployment template to create a deployment

  19. Demo – cont 3
      • Deployment Management
      • Will you reuse existing deployments or delete old and create new?
      • If reusing make sure you change enforcement dates
      • Monthly Update List and All other Updates List / One deployment per month?
      • Come up with a plan and modify as needed
      • Enforcement of patches
      • Mandatory
      • Force download of patch immediately once machine policy refresh
      • Ensures a quick enforcement of security policy
      • Have to choose how to impact the user with reboot or not impact and risk no updates
      • Optional
      • Download once user kicks off process
      • Slow compliance potentially
      • If we rely on the user are we doing our jobs right?
      • Combine the two
      • Prompt user and make Man. 1 week out, this will combine the best of both
      • Deploy Patches during OSD Task Sequence or during Image build

  20. Demo – cont 4
      • Maintenance Windows
      • Control when it runs and when you can reboot
      • Relies on estimated run times
      • Can control reboot behavior
      • Must make all Advertisements mandatory if you want to be able to Install Software during standard working hours (option to bypass is not available without it)
      • These are cumulative – Will combine together if multiple Collections have a M.W.
      • Servers is a no brainer for M.W., but what about end users Desktops and Laptops?
      • Now I can deploy anything and not force a reboot unless I really want it to
      • Only catch with patches is you must reboot or else the Windows Update Agent is held in a locked state after CM runs a successful patch process

  21. Demo – cont 5
      • End User impact
      • Prompt for Optional / Mandatory about to run
      • Reboot held or not
      • SCCM icon in system tray – color changing
      • Don’t show anything – big risk of never rebooting and no more patching until you do
      • 2 prompts in SCCM versus up to unlimited in WSUS – First warning and second, no easy way to stop it

  22. Problems we’ve had
      • Downloads happen using BITS from the server to MU
      • Known issues with Sonic firewall – allowing partial downloads
      • Using XP to download large files (XP SP3)
      • Had to use either Vista or 2008 / sometimes 2003 works
      • GPO’s not pointing to the correct location
      • wsus1.company.com – should be – wsus1.ad.company.com, this is because of an empty root in our domain
      • Turned off all access to WU/MU for both user and machine in a GPO to limit errors we would see in logs (Firewall was blocking access anyway)

  23. Resources
      • Migration from Systems Management Server 2003 Inventory Tool for Microsoft Updates Document – Download HERE
      • Integrating FCS with SCCM – Download HERE
      • End user experience (GUI) – Download HERE
      • Install WSUS on 2008 – Download HERE
      • Excellent overview – Here
      • SCCM Updates Publisher – HERE
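
The FQDN mismatch described on slides 16 and 22 can be checked on a client by comparing the Windows Update policy values with the software update point's FQDN. This is an added example, not part of the presentation; it assumes the standard Windows Update policy registry location, the function names are hypothetical, and the sample values are constructed from the host names on slide 22.

```powershell
# Added example (not from the slides): verify that the WSUS server named in
# Windows Update policy matches the FQDN the CM software update point uses.

function Get-WsusPolicy {
    # Reads the policy values written by domain GPO or by the CM agent's local policy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$key\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

function Test-WsusPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string] $ExpectedFqdn
    )
    $findings = @()
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = [string]$Policy.$name
        if ([string]::IsNullOrWhiteSpace($value)) {
            $findings += "$name is not set"
            continue
        }
        $uri = $null
        if (-not [uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)) {
            $findings += "$name is not a valid URL: $value"
            continue
        }
        # Compare host names only; -ne is case-insensitive for strings.
        if ($uri.Host -ne $ExpectedFqdn) {
            $findings += "$name points to $($uri.Host), expected $ExpectedFqdn"
        }
    }
    # The agent only honors WUServer when AU\UseWUServer is 1.
    if ($Policy.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1' }
    [pscustomobject]@{ Match = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample reproducing the slide 22 mismatch (short name in the GPO).
$sample = [pscustomobject]@{
    WUServer = 'http://wsus1.company.com'; WUStatusServer = 'http://wsus1.company.com'; UseWUServer = 1
}
Test-WsusPolicy -Policy $sample -ExpectedFqdn 'wsus1.ad.company.com' | Format-List
```

On a live client, pass `(Get-WsusPolicy)` as `-Policy`; any finding means the GPO and the CM local policy disagree about the update server.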
