Archive for: February, 2009

ITMU to SCCM Patch management –> A process approach

Feb 25 2009 Published by admin under Tech Tips

Introduction

Having worked extensively with ITMU in SMS 2003 for datacenter patch management of servers, I welcomed the new architecture promised for SCCM.

If you are using ITMU now and are new to SCCM, here is a high-level summary of the patch management components:

  • SCCM clients are scanned using the client's Windows Update Agent (WUA).
  • WSUS is used as the scan catalog and is known as a Software Update Point (SUP): essentially a WSUS instance dedicated to SCCM, with no more 5 MB local catalog downloads to every client.
  • The download-and-execute option now runs a scan first and downloads only the updates that are required.
  • Security updates are categorized as in native WSUS, and you now also have the ability to deploy non-security updates, including service packs.
  • Patch deployment status is reported in near real time (well, every 15 minutes by default) by state messages; it no longer relies on advertisement reports and hardware inventory. I have an earlier blog post that shows how you can collect basic status information using hardware inventory.

Below is a link to a very good whitepaper providing extensive details.

Configuration Manager Software Updates Management Guidance – Migration from ITMU.doc

My aim in this article (blog) is to give you a field view of what it means to translate these changes into existing processes. In a nutshell: going from reading about it to using it.

SCCM SUM Reduces Wizard Screens?

A statement I have read many times about SCCM is that it reduces the old ITMU wizard screens from 18 to about 7. I disagree, and will qualify it with: only if you use the power and flexibility of the templates under Deployment Management.

If you are like me, the first thing you do with a new version of a product is to make it work like the old one (how many people turned the W2K3 interface into W2K?).

My attempt at an ITMU to SCCM translator below should hopefully ease some of your pain.

ITMU to SCCM translator

SMS 2003 ITMU -> SCCM Software Updates Management (SUM)

  • ITMU Scan Tool -> Software updates scan agent
  • Recurring ITMU Scan Tool Advertisement -> Software updates scan agent schedule (WUA scan using the SUP, SCCM's dedicated WSUS)
  • Advertisements -> Deployments
  • Packages (one-to-one relationship with the selected patches) -> Deployment Packages (selected patches are not linked to one package; the client searches all packages on the DP and downloads from any package that has the update)
  • Advertisement Start Time -> Deployment Deadline
  • Expiring Advertisements -> Use a maintenance window on the targeted collection with Recurrence set to None. TIP: Advertisement Start Time = Deployment Deadline = Maintenance Window start; Expiry time = Maintenance Window end.

Useful and New to SCCM

Now let's take a closer look at the SUM components and a sample patch management process.

Summary of the steps for a sample process:

  1. Create a search folder to group security updates
  2. Create an empty collection with no members (to be used by the deployment templates)
  3. Create a deployment template (I create two: one for Patch Only and one for Patch with Reboot)
  4. Create a folder for storing the source files for packages
  5. Create an update list (i.e. select the required patches for your deployment) and specify Download updates to create the package
  6. Drag the update list onto the deployment template to create the deployment (the deployment type is determined by the template in this case)
  7. Create a maintenance window for the collection to be targeted
  8. Modify the deployment by changing the collection specified (inherited from the template) and also the deadline date and time

Detailed steps:

Update Repository: this is where the software updates are displayed and categorized. It shows all software updates that match the products and classifications you have selected in the SUP (WSUS) configuration.

  • Search Folders: allow you to group software updates logically for ease of selection when creating deployment packages. In my example I have a master search folder for all security patches and one folder for every year from 2003 to 2009. Use search criteria on Bulletin ID with the % wildcard; for 2009 the criteria would be MS09%.

  • Create an empty collection: I am a great fan of placeholder collections. I use them as a safety check before targeting the real collections. In this case I created a collection (named as shown in the screenshot) with no members (it is safe to ignore the warning).
  • Create deployment templates: this is where the wizard page reduction takes place. Right-click the Deployment Templates node and select New Deployment Template. Once created, using the template significantly reduces the number of wizard screens. I created two, one with suppressed reboots and the other without.

  • Create a package source folder: I typically create a top-level folder for all packages and then sub-folders for each category of package. In this example process we will use a sub-folder called “Security_Updates”.

  • Create an update list: using the “All Security updates” search folder as an example, select the security updates required for the SUM package. Selection is now much better, as you can use the Shift key and the Ctrl key to block-select security updates.

Select Download updates during the creation of the update list. You can create a new package or select an existing package. NB: be sure to specify a new sub-directory as part of the UNC path to the package directory. If you do not specify a sub-directory, all updates are placed in the root folder (which is near impossible to tidy up when you delete a package).

  • Create a deployment (replaces advertisements in the ITMU deployment process): drag and drop the update list onto a deployment template. In this example we use the Patch Only template. Notice that the collection used is the placeholder we created and selected for our template. In addition, suppress restart and the other general properties are inherited from the template. This is the magic of the wizard reduction I mentioned. Modify the settings to the required deployment deadline and target collection.

Monitor the deployment using the new Software Updates category reports.

Security Updates rollup to a central site without a Software Update Point (SUP) Part II

Feb 24 2009 Published by admin under Tech Tips

Creating a view for your Reports

The SMS_DEF.MOF update creates the tables Software_Updates_V4_DATA and Software_Updates_V4_HIST. The following SQL script creates a custom SQL view for reports. I have included the computer name from v_R_System and the site code from v_RA_System_SMSInstalledSites.

Make sure you change the database name to your Configuration Manager database name before using it. The name of the view can also be edited to suit your own naming convention.

USE [SMS_XXX]
GO
/****** Object:  View [dbo].[V_Custom_Update_Status]    Script Date: 10/20/2007 17:06:38 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE VIEW [dbo].[V_Custom_Update_Status]
AS
SELECT DISTINCT TOP (100) PERCENT
    dbo.v_R_System.ResourceID,
    dbo.v_R_System.Netbios_Name0 AS ClientName,
    dbo.v_RA_System_SMSInstalledSites.SMS_Installed_Sites0 AS Site_Code,
    dbo.Software_Updates_v4_DATA.Article00 AS KB_Number,
    dbo.Software_Updates_v4_DATA.Bulletin00 AS Bulletin_ID,
    dbo.Software_Updates_v4_DATA.ScanTime00 AS Scan_Date_Time,
    dbo.Software_Updates_v4_DATA.Status00 AS Update_Status,
    dbo.v_R_System.Operating_System_Name_and0 AS OS,
    dbo.Software_Updates_v4_DATA.Title00 AS Update_Title
FROM dbo.v_R_System
    INNER JOIN dbo.Software_Updates_v4_DATA
        ON dbo.v_R_System.ResourceID = dbo.Software_Updates_v4_DATA.MachineID
    INNER JOIN dbo.v_RA_System_SMSInstalledSites
        ON dbo.Software_Updates_v4_DATA.MachineID = dbo.v_RA_System_SMSInstalledSites.ResourceID
ORDER BY Bulletin_ID DESC

Granting Select Permissions on the custom View

The roles smsschm_users and webreport_approle need to be granted SELECT permission on any custom views you create. Without this permissions step, the reports will only work in SQL Server Management Studio, not from the Configuration Manager reporting point.
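The permission step above as T-SQL, added here as an example that is not part of the original post. It assumes the view name V_Custom_Update_Status used in this post and that the two roles already exist in the site database (they are created by the Configuration Manager installation); it grants SELECT on the view only, not on the underlying tables, and then reads back the recorded grants so you can confirm them without opening the Management Studio dialog.

```sql
-- Added example, not from the original post: grant the two reporting roles
-- SELECT on the custom view, then confirm the grants were recorded.
-- Run in the site database (replace SMS_XXX with your site database name).
USE [SMS_XXX]
GO

GRANT SELECT ON [dbo].[V_Custom_Update_Status] TO [smsschm_users];
GRANT SELECT ON [dbo].[V_Custom_Update_Status] TO [webreport_approle];
GO

-- Verification: expect one row per role with permission_name = 'SELECT'
-- and state_desc = 'GRANT'. Anything else on this view (or a missing row)
-- means the reporting point will still fail to read it.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
     INNER JOIN sys.database_principals AS pr
         ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND pe.major_id   = OBJECT_ID('dbo.V_Custom_Update_Status')
ORDER BY pr.name;
```

Keeping the grant at view level is deliberate: the reporting roles then see only the columns the view exposes and never need rights on Software_Updates_V4_DATA or v_R_System directly.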

Sample Report Query

The following is a sample query to create a summary report from the new view (make sure you edit the view name if you did not use the suggested name). Modify it to suit your needs.

SELECT Bulletin_ID, KB_Number, OS,
       -- NULLIF guards against a divide-by-zero error for a group with no rows in either status
       (100 * Installed / NULLIF(Installed + Applicable, 0)) AS '%Compliant',
       Installed + Applicable AS Total
FROM (SELECT Bulletin_ID, KB_Number, OS, Update_Title AS BulletinInfo,
             SUM(CASE WHEN Update_Status = 'Installed' THEN 1 ELSE 0 END) AS 'Installed',
             SUM(CASE WHEN Update_Status = 'Missing'   THEN 1 ELSE 0 END) AS 'Applicable'
      FROM v_Custom_Update_Status
      WHERE Bulletin_ID LIKE 'MS08-%' AND OS LIKE '%Server%'
      GROUP BY Bulletin_ID, KB_Number, OS, Update_Title) AS ps
ORDER BY Bulletin_ID DESC, OS

The report is filtered to all security updates for the year 2008 and to server operating systems only. Edit the filters to change the year and the operating system as needed.
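As an added example that is not part of the original post, the following query goes a step beyond the sample above: it breaks the summary down by site code as well, guards the percentage against division by zero, and counts machines whose most recent scan is older than a configurable number of days, since a stale scan makes a "compliant" figure meaningless. It assumes the V_Custom_Update_Status view from this post, the 'Installed' and 'Missing' status values it exposes, and that the view holds at most one row per machine for a given bulletin and OS (the DISTINCT in the view gives that for the column set it selects).

```sql
-- Added example, not from the original post. Assumes the V_Custom_Update_Status
-- view defined above and the Installed/Missing status values it exposes.
DECLARE @BulletinPrefix varchar(8)
DECLARE @StaleDays      int
SET @BulletinPrefix = 'MS08-'   -- year of bulletins to report on
SET @StaleDays      = 14        -- scans older than this are flagged as stale

;WITH LastScan AS (
    -- most recent scan per machine, used to spot clients whose data is out of date
    SELECT ResourceID, MAX(Scan_Date_Time) AS LastScanTime
    FROM dbo.V_Custom_Update_Status
    GROUP BY ResourceID
),
PerBulletin AS (
    SELECT s.Site_Code, s.OS, s.Bulletin_ID, s.KB_Number,
           SUM(CASE WHEN s.Update_Status = 'Installed' THEN 1 ELSE 0 END) AS Installed,
           SUM(CASE WHEN s.Update_Status = 'Missing'   THEN 1 ELSE 0 END) AS Missing,
           -- one row per machine per bulletin, so this counts machines with a stale scan
           SUM(CASE WHEN DATEDIFF(day, l.LastScanTime, GETDATE()) > @StaleDays
                    THEN 1 ELSE 0 END)                                    AS Stale_Scans
    FROM dbo.V_Custom_Update_Status AS s
         INNER JOIN LastScan AS l ON l.ResourceID = s.ResourceID
    WHERE s.Bulletin_ID LIKE @BulletinPrefix + '%'
      AND s.OS LIKE '%Server%'
    GROUP BY s.Site_Code, s.OS, s.Bulletin_ID, s.KB_Number
)
SELECT Site_Code, OS, Bulletin_ID, KB_Number,
       Installed, Missing, Installed + Missing AS Total,
       -- 100.0 forces decimal arithmetic; NULLIF avoids a divide-by-zero error
       CAST(100.0 * Installed / NULLIF(Installed + Missing, 0) AS decimal(5,1)) AS Pct_Compliant,
       Stale_Scans
FROM PerBulletin
ORDER BY Site_Code, Bulletin_ID DESC, OS
```

Read Stale_Scans alongside Pct_Compliant: a bulletin that shows 100% compliant but with most of its machines stale has simply not been scanned since the update was released, which is a different problem from a genuinely patched estate.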

Security Updates rollup to a central site without a Software Update Point (SUP)

Feb 23 2009 Published by admin under Tech Tips

The release of System Center Configuration Manager has seen a vast improvement in security update management. The improvements have introduced new ways of doing familiar tasks.

No Security updates compliance at the parent site without a SUP:

Prior to Config Mgr 2007, software update compliance information propagated up the SMS hierarchy along the parent-child connection. No additional configuration was required once the parent-child relationship was established, and each child site could manage software updates with no dependency on components at the parent site. The new version has removed this behaviour: in order for a parent site to receive software update compliance information, a new site system role has to be enabled (the Software Update Point, SUP). The SUP role forms its own hierarchy in which only the highest SUP synchronises directly with the Internet for new software update availability; child site SUPs are not updated until the parent site SUP has been.

Using a central site for consolidated reporting is therefore no longer possible without adding this additional layer to your Config Mgr design. Another challenge is the ease of creating summary reports on security update compliance. The new state-message-based reports, though excellent, will present challenges for seasoned SMS administrators tasked with creating management summary reports.

How to get compliance information at a parent reporting site without a SUP:

This is how to get summary security update status to your parent sites without creating a SUP hierarchy. The solution uses the hardware inventory process to collect summary security update information. This is basic security update information and is ideal for creating your management reports. It does not remove the requirement for a SUP at the client's assigned site. The status of an update is either Installed or Missing, and the information is subject to the usual time lag in receiving hardware inventory from clients.

Steps are as follows:

  1. Edit the SMS_DEF.MOF file and append the reporting class shown at the end of this article.
  2. Stop sms_executive on the parent site.
  3. Change the sms_def.mof file in %ConfigMgrInstallDir%\inboxes\clifiles.scr\hinv (append the class CCM_UpdateStatus at the end of the file).
  4. Start sms_executive on the parent site.
  5. Repeat steps 2-4 on the child site where the SUP is installed.
  6. Make sure policy is updated on clients assigned to the child site.
  7. Run the scan/install updates on the clients.
  8. Run the HINV cycle on the client (or wait for the cycle to run per schedule).
  9. Check dataldr.log on the child site; once HINV is received, the Software_Updates_V4_DATA table is created in the database with all the information defined by the class below.
  10. The same table gets created in the parent site's database as well.

NB: There is no need to compile the SMS_DEF.MOF, as this is now done by the site server and clients are updated through policy changes. Test this on a lab instance before applying it to production sites. This has been tested on Config Mgr 2007 SP1. Append this to the SMS_DEF.MOF:
//-------------------------------------
// SMS - Software Update Status
//-------------------------------------
[SMS_Report(TRUE),
 SMS_Group_Name("Software Updates v4"),
 SMS_Class_ID("MICROSOFT|UPDATESTATUS|1.0"),
 Namespace("\\\\\\\\.\\\\root\\\\ccm\\\\SoftwareUpdates\\\\UpdatesStore")]
class CCM_UpdateStatus : SMS_Class_Template
{
    [SMS_Report(TRUE), Key]
    string UniqueId;

    [SMS_Report(TRUE)]
    string Title;

    [SMS_Report(TRUE)]
    string Bulletin;

    [SMS_Report(TRUE)]
    string Article;

    [SMS_Report(TRUE)]
    string Language;

    [SMS_Report(TRUE)]
    string SourceUniqueId;

    [SMS_Report(TRUE)]
    DateTime ScanTime;

    [SMS_Report(TRUE)]
    uint32 SourceVersion;

    [SMS_Report(TRUE)]
    uint32 RevisionNumber;

    [SMS_Report(TRUE)]
    string Status;

    [SMS_Report(FALSE)]
    CCM_SourceStatus Sources[];
};
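To confirm the last two steps (the table appearing on the child site and then on the parent site) without relying on dataldr.log alone, here is an added T-SQL check that is not part of the original post. Run it against the child site database first and then the parent site database; it assumes the table and column names that the class above produces (Software_Updates_V4_DATA with MachineID, Status00 and ScanTime00) and the v_RA_System_SMSInstalledSites view for the site code.

```sql
-- Added example, not from the original post: confirm the hardware inventory class
-- has been processed and see how many machines per site have reported so far.
-- Run against the child site database first, then the parent site database.
IF OBJECT_ID('dbo.Software_Updates_V4_DATA', 'U') IS NULL
BEGIN
    -- dataldr.log has not created the table yet: check it for MOF processing errors
    PRINT 'Software_Updates_V4_DATA does not exist yet in this database'
END
ELSE
BEGIN
    SELECT s.SMS_Installed_Sites0                                   AS Site_Code,
           COUNT(DISTINCT d.MachineID)                               AS Machines_Reporting,
           SUM(CASE WHEN d.Status00 = 'Installed' THEN 1 ELSE 0 END) AS Installed_Rows,
           SUM(CASE WHEN d.Status00 = 'Missing'   THEN 1 ELSE 0 END) AS Missing_Rows,
           -- anything other than Installed/Missing would be silently dropped by
           -- a report that only counts those two values, so surface it here
           SUM(CASE WHEN d.Status00 NOT IN ('Installed', 'Missing')
                    THEN 1 ELSE 0 END)                               AS Other_Status_Rows,
           MAX(d.ScanTime00)                                         AS Latest_Scan_Time
    FROM dbo.Software_Updates_V4_DATA AS d
         INNER JOIN dbo.v_RA_System_SMSInstalledSites AS s
             ON s.ResourceID = d.MachineID
    GROUP BY s.SMS_Installed_Sites0
    ORDER BY s.SMS_Installed_Sites0
END
```

If the child site shows rows but the parent shows none after the replication interval, the parent's sms_def.mof was not updated or sms_executive was not restarted there; if Other_Status_Rows is non-zero, extend the status handling in your reports before trusting a compliance percentage.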

In my next article I will provide details of reports which can be created using data from this class, including an SQL view.