Having worked extensively with ITMU in SMS 2003 for datacenter patch management of servers, I welcomed the new architecture promised for SCCM.
If you are using ITMU now and are new to SCCM here is a high level summary of the patch management components:
- SCCM Clients are scanned using the clients Windows Update Agent (WUA)
- WSUS used as the scan catalog known as a SUP (basically WSUS dedicated to SCCM and no more 5MB local catalog downloads to all clients)
- Download and execute option now does a scan before and, only downloads required updates
- Security updates are categorized as in native WSUS and now have the ability to deploy non security updates including service packs.
- Status of patch deployment is provided near real-time (well every 15 minutes by default) by state messages; no longer uses advertisement reports and hardware inventory . I have an earlier blog that shows you how you can get basic information collected using hardware inventory.
Below is a link to a very good whitepaper providing extensive details.
My aim in this article (blog) is to give you a field view of what it means to translate these changes into existing processes. In a nutshell going from reading about it to using it.
SCCM SUM Reduces Wizard Screens?
A statement I have read many times about SCCM is, it reduces the old ITMU wizard screens from 18 to about 7. I disagree and will quantify it with, only if you use the power and flexibility of the templates under deployment management.
If you are like me, the first thing you do with a new version of a product is to make it work like the old one (how many people turned the WK3 interface into W2K?).
My attempt at an ITMU to SCCM translator below should hopefully ease some of your pain.
ITMU to SCCM translator
|SMS 2003 ITMU||SCCM Software Updates Management (SUM)|
|ITMU Scan Tool||Software updates scan agent|
|Recurring ITMU Scan Tool Advertisement||Software updates scan agent schedule – WUA scan using SUP (SCCM dedicated WSUS)|
|Packages (one to one relationship with selected patches)||Deployment Packages (selected patches not linked to one package; will search all packages on the DP and download from any package)|
|Advertisement Start time||Deployment Deadline|
|Expiring Advertisements||Use maintenance window on targeted collection with Recurrence set to None. TIP:
Advertisement Start Time = Deployment Deadline = Maintenance Windows start.
Expiry time = Maintenance Window End
Useful and New to SCCM
Now lets take a closer look at the SUM components and sample patch management process.
Summary of the steps for a sample process:
- Create a search folder to group security updates
- Create an empty collection with no members (to be used for the deployment templates)
- Create a deployment template (I create two; 1 for Patch Only and 1 for Patch with Reboot)
- Create a folder for storing the source files for packages
- Create an update list (e.g. Select required patches for your deployment), specify download updates to create the package.
- Drag the update list onto the deployment template to create the deployment (Deployment type will be determined by the template in this case)
- Create a maintenance window for the collection to be targeted
- Modify the Deployment by changing the collection specified (inherited from the template) and also the deadline date and time.
Update Repository: this is where the software updates are displayed and categorized. Shows all software updates depending on what you have selected under the SUP (WSUS) configuration.
- Search Folders: allow you to group software updates logically for ease of selection when creating deployment packages. In my example I have a master search folder for all Security patches and one folder for every year from 2003 – 2009. Use a search criteria on Bulletin ID using % so for 2009 would be MS09%
- Create an empty collection: I am a great fun of place holder collections. I use them as a safety check before targeting the real collections. In this case I created a collection called with no members (safe to ignore the warning).
- Create deployment templates: Now this is where the wizard pages reduction takes place. Right click the deployment templates node and select new deployment template. Once created, using the template significantly reduces the number of wizard screens. I created two, one with suppressed reboots and, the other without.
- Create a package source folder: I typically create top level folder for all packages and then sub-folders for categories of packages. In this example process we will use a subfolder called “Security_Updates”
- Create an update list: Using the “All Security updates” search folder as an example select the security updates required for the SUM package. Selection is now much better as you can use the shift key, and the control key, to block select security updates.
Select download updates during the creation of the update list. You can create a new package or select an existing page. NB be sure to specify a new subdirectory as part of the UNC to the package directory. If you do not specify a subdirectory all updates are placed in the root folder (near impossible to tidy up when you delete a package)
- Create a deployment (replaces advertisements in the ITMU deployment process):Drag and drop the update list onto a deployment template. In this example we use the patch only template. Notice that the collection used is the place holder we created and selected for our template. In addition the suppress restart and any other general properties are inherited from the template. This is the magic of the wizard reduction I mentioned. Modify the settings to required deployment deadline and target collection
Monitor the deployment using the new Software Updates category reports.