Solving the Patch Management Dilemma Using SCCM 2007




White Paper

Abstract

If you find it difficult to patch or update your enterprise computers, a Microsoft System Center family product, System Center Configuration Manager 2007, may be the solution you are looking for. This white paper presents a strategy for solving the software update management problem using SCCM.

Table of Contents

Introduction
Situation
Solution
  Introduction
  Solution Design
Normal Monthly Activities
About the Author
Resources and References

Author's Disclaimer and Copyright: This publication contains proprietary and confidential information of expit and is not to be copied in whole or part. Information furnished is believed to be accurate and reliable. However, expit assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties which may result from its use. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied.

Trademarks used in this text: expit logo, expit are registered trademarks of expit. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. expit disclaims any proprietary interest in trademarks and trade names other than its own.

© 2010 expit, Kuwait. All rights reserved.

Introduction

System Center Configuration Manager (SCCM), formerly Systems Management Server (SMS), is a systems management software product by Microsoft for managing large groups of Windows-based computer systems. Configuration Manager provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory.

Configuration Manager also takes the step to standardize software updates. With Configuration Manager, we now use WSUS Server for software updates. Configuration Manager extends WSUS software update management functionality with advanced capabilities for patching (reporting, targeting, control of content, maintenance windows, delegated administration, 3rd-party updates, etc.) while being integrated into a full configuration management offering. Now you can deploy more than just Windows updates: you can update BIOS and firmware for popular hardware vendors, download catalogs for popular third-party software vendors, write catalogs for updating your internal custom applications, and receive your Forefront client updates.

Situation

A company has a multi-DC enterprise infrastructure, with requirements for software update management for compliance assurance, security updates/vulnerability assessment, and application updates. The solution we present will address the software update/patch management problem and allow the customer to follow its compliance requirements with security policies.

Solution

Introduction

In SCCM 2007 Microsoft completely redesigned the software update/patch management operations. Patch management is inherently a risky activity: you are installing software that changes basic functions of the operating system and key applications on every computer and server in the company. In such environments, there are no small errors. Even slight differences from intended options can cause serious problems. SCCM adds features that greatly reduce the need to select deployment options once standards are developed and tested. Pre-selected sets of options can be used each month.

This solution takes into account that you already have SCCM with WSUS installed and the SUP working. If you need assistance with Patch Management, see the SCCM installation and setup documentation available from Microsoft.

Solution Design

Sync with Microsoft

First you have to synchronize the WSUS server and SCCM with Microsoft Update on the desired schedule.

- The top-most server in the hierarchy synchronizes with Microsoft Update. All others synch with that top-level server.
- Manual synchs only add new updates. Scheduled synchs also include changed and removed data.
- The first synch should be started in late afternoon. Monitor the wsyncmgr.log file until you see an entry saying "WSUS synchronizing categories, processed 0 of 820 items". The numbers may be different, of course. Allow the process to run overnight.
- Scheduled synchronization should run every evening, to detect any new or re-released updates.
- If multiple WSUS servers are running, update the lower-level ones from the top level after its synchronization has completed.

Scanning and Re-scanning

In this context, scanning refers to scanning for new updates. It checks the SUP and downloads any new update definitions. Rescanning is used to describe an activity totally within the client as it rescans for previous updates. This detects when older updates need to be applied or reapplied.

Scanning

- The scanning schedule is set globally, in the Software Updates Client Agent Properties, General tab
- You can choose a simple schedule of once every X days, or a custom schedule
- The custom schedule allows you to control time of day as well as the interval
- The scanning must be run on the client before new updates will be detected and can be deployed
- The easiest way to assure that such is the case is to set a schedule of running daily, during the middle of the night after the synch would be completed
- If that imposes a load on the environment, set it to daily just before Patch Tuesday and reset it to weekly after all machines have been scanned at least once

Re-scanning

- The schedule is set globally, in the Software Updates Client Agent Properties, Deployment Re-evaluation tab
- You can choose a simple schedule of once every X days, or a custom schedule
- The custom schedule allows you to control time of day as well as the interval
- This is not needed frequently; weekly is probably good for most environments
- The load on the systems should be minimal

Selecting Updates

There are three basic steps to selecting updates:

- First, make sure you are downloading all of the updates you care about
  - Changes in your environment may require adding products such as a new version of Windows or SQL, so you should review this every month
- Second, review the newly available updates
  - Review all categories you have selected, not just security updates or critical updates
  - Compare to reports of installed products or other material to decide which are relevant to your environment
- Third, decide how you will deploy the updates
  - Separate deployments for workstations and servers are normal, so separate Update Lists would make that easier
  - Separate deployments for selected groups of machines may be needed to reduce the impact on network and DPs
  - Some non-security updates may require separate deployments because of testing and change management requirements
  - The goal is to minimize the chance of mistakes
- All decisions are specific to your environment, deployment strategies, policies, organization, etc. - decide what's best for your environment, not someone else's

Deploying Updates

Creating Update List

Configuration Manager provides many ways to set up an update deployment. These sections reflect one way that I think should work well for many organizations. They will provide a good basis for understanding the process and make the alternative procedures clear. You should experiment in a lab setup to determine which is best for you.

The following steps create an Update List that is later used in one or more deployments. This procedure allows different individuals to select the updates to be applied, and also allows one Update List to be used in more than one deployment.

- Use Ctrl+click in a Search Folder to select the updates to be deployed, based on the previous analysis
- Right click and select Update List
- Select Create a new update list and enter the desired name, based on your naming standards
- Do not check the "Download the files..." box - that will be done as part of creating the deployment
- Update security permissions if needed, just as under SMS 2003
- A summary of the selected actions is displayed for your review - make sure it matches your intentions
- A final summary is displayed showing if the operation was successful - review any warnings or errors and correct as needed

Creating Deployments

Once the Update Lists are created, you need to set up the deployments. This is where you select the various deployment options and schedules. As explained in the Creating Update Lists section, Configuration Manager provides many ways to set up an update deployment. These sections reflect one way that I think should work well for many organizations. They will provide a good basis for understanding the process and make the alternative procedures clear. You should experiment in a lab setup to determine which is best for you.

- Expand the Update Lists section of the console, right click on the desired list, and choose Deploy Software Updates
- Select to create a new deployment package, and enter a name consistent with your standards
- If you have an existing Deployment Template that's appropriate, select it - otherwise select Create a new deployment definition
- The following steps assume you are creating a new definition, which can be saved as a template
  - Select the collection to receive this deployment
  - Select if users should be notified of the updates
  - Select whether to base schedule on client local time or GMT time (default is GMT)
  - Select the default postponement period, which can be overridden for any particular deployment
  - Specify if restarts are allowed or suppressed for servers and workstations, and whether to allow restarts outside of the maintenance windows
  - If you use MS Operations Manager, select actions you want taken - this is normally relevant only for updates to servers, and can enhance management reporting
  - Set client download settings, just as in an SMS 2003 advertisement. Note that the default is not to install over slow or unreliable networks
  - If desired, save these settings as a template using an appropriate name and description
- Use of templates allows the preceding steps to be skipped and guarantees use of consistent settings
- Create a Deployment Package or update an existing one
  - This is what's copied to your DPs and deployed to the clients
  - Normally you select Create a new deployment package
  - Select a package name consistent with your naming standards
  - For the package source, point to an existing share on any server where you want the downloaded files stored, with the name of the Deployment package appended as a sub-folder. Configuration Manager will create that sub-folder, but the share must already exist
  - Select enable binary differential replication if desired. This shouldn't hurt, but also is unlikely to normally be of use with updates
- Select distribution points if desired. For large packages you may want to select just the location where they will be tested, and distribute to other DPs later
- Select to download updates from the Internet if deploying from your central site server, otherwise point to the share location on the server containing the updates
- Select the desired languages for the updates
- Set the deployment schedule
  - Clients will begin downloading updates from their DPs at the Time Available
  - If a deadline is set, updates will be applied automatically at that time if not scheduled earlier. If no deadline is set, updates will never be applied without user action
  - Enable Wake On LAN if your organization uses it and if it's appropriate for this deployment under your standards
  - Choose to ignore maintenance window if you want to override the deployment template setting
- Review the summary to be sure all actions are correct
- Updates are downloaded
- When the wizard is complete it reports success, warning or errors. Review and correct any warnings or errors as needed
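The ordering of synch, client scan, Time Available and deadline, and the package-source rule from the steps above, can be checked on paper before a deployment is created. The following PowerShell function is an added example, not part of the original white paper or of Configuration Manager; the property names and the sample plan are hypothetical and constructed for illustration.

```powershell
# Added example: lint planned update deployments against the rules described above.
# Property names are hypothetical; the sample plan at the bottom is constructed.
function Test-UpdateDeploymentPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Plan,
        [switch] $CheckShare   # also verify that the source share is reachable
    )
    foreach ($d in $Plan) {
        $findings = @()
        # Clients detect new updates only on a scan that runs after the synch.
        if ($d.ClientScan -lt $d.SyncCompletes) {
            $findings += 'Client scan is scheduled before the synch completes'
        }
        if ($d.TimeAvailable -lt $d.ClientScan) {
            $findings += 'Time Available precedes the client scan'
        }

        # Without a deadline, updates are never applied without user action.
        if ($null -eq $d.Deadline) {
            $findings += 'No deadline: installation depends on user action'
        } elseif ($d.Deadline -lt $d.TimeAvailable) {
            $findings += 'Deadline is earlier than Time Available'
        }

        # Source must be <existing share>\<package name>; only the
        # sub-folder is created for you.
        $leaf = [regex]::Escape($d.PackageName)
        if ($d.PackageSource -notmatch "^\\\\[^\\]+\\[^\\]+(\\[^\\]+)*\\$leaf\\?$") {
            $findings += 'Package source is not \\server\share\<PackageName>'
        } elseif ($CheckShare) {
            $share = $d.PackageSource -replace '\\[^\\]+\\?$', ''
            if (-not (Test-Path -LiteralPath $share)) {
                $findings += "Share $share does not exist or is unreachable"
            }
        }

        # Overriding the template's maintenance-window setting deserves review.
        if ($d.IgnoreMaintenanceWindow -and $d.TargetsServers) {
            $findings += 'Maintenance window ignored on a server collection'
        }
        [pscustomobject]@{
            Deployment = $d.Name
            Pass       = ($findings.Count -eq 0)
            Findings   = $findings
        }
    }
}

# Constructed sample: one sound plan, one with three problems.
$t0 = [datetime]'2010-06-08T00:00:00'
$plan = @(
    [pscustomobject]@{ Name='Workstations-2010-06'; TargetsServers=$false
        SyncCompletes=$t0.AddHours(23); ClientScan=$t0.AddHours(26)
        TimeAvailable=$t0.AddDays(2);   Deadline=$t0.AddDays(7)
        PackageName='Workstations-2010-06'; IgnoreMaintenanceWindow=$false
        PackageSource='\\fs01\Updates\Workstations-2010-06' },
    [pscustomobject]@{ Name='Servers-2010-06'; TargetsServers=$true
        SyncCompletes=$t0.AddHours(23); ClientScan=$t0.AddHours(26)
        TimeAvailable=$t0.AddDays(2);   Deadline=$null
        PackageName='Servers-2010-06'; IgnoreMaintenanceWindow=$true
        PackageSource='D:\Updates\Servers-2010-06' }
)
Test-UpdateDeploymentPlan -Plan $plan | Format-List
```

Run with -CheckShare from a machine that can reach the file server to also confirm that the share itself exists.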

Deployment Template

Deployment Templates are among the best innovations in Configuration Manager, because they allow a group of deployment settings to be stored and reused, thus eliminating one common source of problems. Deployment templates can be created by themselves, or the settings used in a new deployment can be saved as a template. The steps involved are identical. These steps are documented in the Creating Deployments section above, and will not be repeated here.

The settings included in a deployment template are:

- Collection
- Allow or suppress notification on clients
- Base schedule on client local time or Greenwich Mean Time
- Default maximum postponement (can be overridden in a deployment)
- Restarts allowed or suppressed, separately for workstations and servers
- Allow restart outside of maintenance window (can be overridden in a deployment)
- Creation or suppression of MOM alerts
- Whether client should download and install updates on slow and unreliable networks, and from unprotected DPs

Separate templates are needed for any variations on settings that cannot be overridden in a deployment.

SCCM 2007 Software Update Standard Reports

Microsoft provides 34 standard reports, grouped in five categories.

- Software Updates - A. Compliance: These reports show the degree to which portions or your entire network is in compliance. Reports can be based on Collections, Update Lists, Updates, Deployments, Vendors, or specific computers. They can provide high-level summary data, and linked reports permit drilling down to details that can be used to increase the compliance rates.
- Software Updates - B. Deployment Management: These reports are designed to help manage update deployments.
- Software Updates - C. Deployment States: These reports help track the status and results of a Deployment.
- Software Updates - D. Scan: These reports help manage scanning.
- Software Updates - E. Troubleshooting: These reports help identify and troubleshoot problems.

Normal Monthly Activities

Preparation

Before beginning a monthly cycle, you'll usually have some cleanup to do from the previous month and activities to be sure you're ready for the next month. Details will always depend on how you manage updates at your company, but here are some possible activities.

Prior Month Cleanup

Check the compliance rate for the prior month's updates, and address any significant issues. If you roll each month's updates into a cumulative deployment package for baseline maintenance and reporting, you should do that after reaching an acceptable compliance rate. Ideally that's before starting the next month's cycle, but that won't always be true.

If you must continue monitoring last month's updates during the next cycle, identify the reports that will be appropriate to use. Identify the effect these ongoing activities might have on the reports you usually monitor for current month activities. Be certain you can produce the reports that may be needed for each separate month's activities or the combined total, based on your normal reporting.

Verify Pilot Test and Exception Lists

If you have lists of pilot testers and/or exception machines that get special handling, make sure your data is current and reflects all changes during the last month.

Check Client Health Status

Check the overall client health status, and assure that someone is following up on any issues. You may want to report the percentage to your management, as it establishes the maximum compliance rate possible.

Verify Server Data

If you are responsible for patching servers, you're likely to have them divided into collections to reflect different deployment schedules or reboot handling. Make certain all servers are in the proper collections, particularly ones created during the past month.

Company-specific Testing Schedule

Test the update deployments and updates per your company standards. After testing with VMs, it is common to test on computers belonging to the deployment team. You are most likely to recognize improper results. If pilot testers are used, create deployments specifying the appropriate collections, options and schedule. If templates do not exist they can be created while creating the deployments.

Follow Up

Use standard reports to monitor deployment progress, detect issues, and resolve any issues.

Provide periodic progress reports to appropriate management based on standard Compliance reports. Periodically review the Search Folder listing updates released during the latest month to see if any changes have been released. If so, decide what action is required.

Troubleshooting Software Updates: http://technet.microsoft.com/en-us/library/bb693492.aspx

About the Author

Numan Khan is an Infrastructure Services Consultant presently working with expit. His expertise includes System Center Suite and Unified Communication design and implementation.

Resources and References

Microsoft System Center Configuration Manager
http://www.microsoft.com/systemcenter/configmgr/default.mspx
http://myitforum.com

Expit
http://www.expit.com