Exam Ref 70-696 Managing Enterprise Devices and Apps (MCSE): Plan and Implement Software Updates
- By Orin Thomas
- Objective 3.1: Plan and deploy third-party updates
- Objective 3.2: Deploy software updates by using Configuration Manager and WSUS
- Objective 3.3: Deploy software updates by using Microsoft Intune
The timely and regular deployment of software updates is a task that almost all IT professionals have to manage. Microsoft provides the Windows Server Update Services (WSUS) role as a freely available add-on to enable organizations to manage the deployment of updates to computers in their environment. Although WSUS is functional, it has its limitations. That’s when products such as System Center Updates Publisher and System Center 2012 R2 Configuration Manager are useful. In this chapter, you learn about deploying third-party updates by using System Center Updates Publisher, deploying updates by using Configuration Manager, and deploying and managing updates by using Microsoft Intune.
Objective 3.1: Plan and deploy third-party updates
In this section, you learn about System Center Updates Publisher and how you can use this application to publish updates from third-party vendors to a WSUS server and Configuration Manager.
System Center Updates Publisher
System Center Updates Publisher (SCUP) 2011 is an application you can use with Configuration Manager to manage software updates that third-party vendors and your own organization produce. By using SCUP, you can import software updates from catalogs third-party vendors publish so that these updates can be deployed through Configuration Manager. You can also use SCUP to import software updates your own organization creates. For example, if your organization has created software that is deployed to a large number of client computers, and that software requires software updates to be deployed, you can use SCUP to import those updates so that you can use Configuration Manager to deploy them.
Operating system and software requirements
You can deploy SCUP 2011 on the following operating systems:
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
- Windows 8.1
- Windows 8
- Windows 7
- Windows Vista
The dependencies for SCUP are governed by the operating system platform you use to host it. If you use Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2012 R2 clients in your environment, you must deploy SCUP on a computer running either Windows Server 2012 or Windows Server 2012 R2.
- When installing System Center Updates Publisher on Windows Server 2012 and Windows Server 2012 R2, ensure that you have installed the remote server administration tools and the WSUS role.
- When installing System Center Updates Publisher on Windows Server 2008 and Windows Server 2008 R2, you should install WSUS 3.0 SP2 and install .NET Framework 4 as well as hotfix KB2530678.
SCUP requires a signing certificate to digitally sign the updates that it publishes. This digital signature enables clients to verify the integrity of the updates. You can obtain a certificate from a trusted certificate authority (CA) or have SCUP create a self-signed certificate. The certificate must be trusted both by the clients of the update server and by the update server itself. This requirement is not a problem if you have obtained the certificate from a CA that client computers already trust, but it requires special configuration of clients if you use the self-signed certificate.
When you obtain a signing certificate for Updates Publisher 2011 from a CA, ensure that it has the following properties:
- Enable The Allow Private Key To Be Exported Option
- Set Key Usage To Digital Signature
- Set Minimum Key Size To A Value Equal To Or Greater Than 2048 Bit
If you use a self-signed certificate, export the self-signed certificate from the server that hosts SCUP by using the Certificates snap-in of the Microsoft Management Console. You then import the certificate into the Trusted Root Certification Authorities certificate store. You can do this manually on each client, or you can use Active Directory to publish the self-signed certificate to the Trusted Root Certification Authorities certificate store on computers that are members of the domain.
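The following PowerShell is an added example, not code from the book or from SCUP: it checks a candidate signing certificate against the three properties listed above, exports its public part, and shows the client-side import into Trusted Root Certification Authorities. The thumbprint, the export path and the Group Policy path are assumptions you replace or confirm for your environment.

```powershell
# Added example: validate a SCUP signing certificate, export it, and trust it on a client.
# Assumptions: $Thumbprint and $ExportPath are placeholders; run the server part on the
# SCUP host and the client part on a client (or distribute the .cer through Group Policy).
$Thumbprint = 'REPLACE_WITH_SIGNING_CERT_THUMBPRINT'
$ExportPath = 'C:\Temp\SCUPSigning.cer'

function Test-ScupSigningCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # Requirement: Key Usage must include Digital Signature
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku -or -not $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
        $problems += 'Key Usage does not include Digital Signature'
    }

    # Requirement: RSA key size of at least 2048 bits
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if (-not $rsa -or $rsa.KeySize -lt 2048) { $problems += 'Key size is below 2048 bits' }

    # Requirement: private key present and exportable (a PFX export throws if it is not)
    if (-not $Cert.HasPrivateKey) {
        $problems += 'No private key is associated with this certificate'
    } else {
        try   { [void]$Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe') }
        catch { $problems += 'Private key is not exportable' }
    }
    return $problems   # an empty array means all three requirements are met
}

# --- On the SCUP server ---
$cert   = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$issues = Test-ScupSigningCertificate -Cert $cert
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; return }

# Export only the public certificate (no private key) for distribution to clients
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null

# --- On each client ---
# The same .cer can be published domain-wide under Computer Configuration > Policies >
# Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
Import-Certificate -FilePath $ExportPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Confirm the client now has the certificate in its Trusted Root store
$trusted = Get-Item "Cert:\LocalMachine\Root\$Thumbprint" -ErrorAction SilentlyContinue
if ($trusted) { "Trusted root present: $($trusted.Subject)" } else { Write-Warning 'Certificate is not trusted' }
```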
Depending on the details of your SCUP deployment, you can choose to publish updates to a WSUS server or to a WSUS server integrated with Configuration Manager. Update Server options, shown in Figure 3-1, enable you to configure whether Updates Publisher 2011 publishes software updates to a WSUS update server, whether that update server is local or remote, and which certificate Updates Publisher 2011 uses to sign the software updates it publishes. All software updates must be digitally signed when they are published. Use this option when clients update using only WSUS.
FIGURE 3-1 System Center Updates Publisher Options
ConfigMgr Server options, shown in Figure 3-2, enable you to configure how Updates Publisher 2011 interacts with System Center 2012 R2 Configuration Manager to publish software updates. You should always publish to the top-level WSUS server in your Configuration Manager environment because this ensures that all child sites have access to SCUP published updates. Use this option if Configuration Manager manages software updates in your organization’s environment.
FIGURE 3-2 Configuration Manager integration
Trusted Publishers options, shown in Figure 3-3, enable you to configure which publishers SCUP trusts. This includes adding and removing trusted publishers. You can also view the certificate of trusted publishers. You automatically add a publisher to the list of trusted publishers when you import a catalog into SCUP and when you publish a software update.
FIGURE 3-3 Trusted Publishers
Proxy Settings options, shown in Figure 3-4, enable you to configure proxy settings when you use SCUP to import software update catalogs from the Internet or when you publish software update catalogs to the Internet.
FIGURE 3-4 Proxy Settings
Advanced options, shown in Figure 3-5, enable you to configure the following:
- Add Timestamp When Signing Updates
- Check For New Catalog Alerts On Startup
- Enable Certificate Revocation Checking For Digitally Signed Catalog Files
- Local Source Publishing
FIGURE 3-5 Advanced options
After you have integrated SCUP into your organization’s updates infrastructure, you need to start importing and publishing updates. You can add an update directly from a standalone update file, or you can subscribe to a vendor’s catalog file. You use the four workspaces of the SCUP console to accomplish these tasks.
Use the Updates workspace to create software updates and software update bundles, publish a software update, duplicate an update, delete a software update or bundle, export an update or bundle, and assign a software update or bundle to a publication. Figure 3-6 shows the Updates workspace. A bundle is a collection of updates.
FIGURE 3-6 Updates workspace
To create a software update, perform the following steps:
1. In the Updates workspace of the System Center Updates Publisher 2011 console, click Create on the ribbon and then click Software Update.
2. In the Package Information section, provide the following information:
   - Package Source: Provide the location of an MSI file that contains the software update package.
   - Use A Local Source To Publish Software Update Content: Use this option to specify a local UNC path or URL that hosts the content.
   - Binary Language: Use this option to specify the language of the update.
   - Success Return Codes: This option displays any codes returned during installation that indicate that the update has installed correctly.
   - Success Pending Reboot Codes: This option displays any codes returned during installation that indicate that the update will complete installation correctly pending a reboot.
   - Command Line: Specify the command line used to install the update.
3. In the Required Information section, provide the following information:
   - Language: Specify the language of the title and description.
   - Title: Specify the name of the software update.
   - Description: Describe the software update.
   - Classification: Choose from among Critical Update, Feature Pack, Update, Security Update, Service Pack, Tool, Driver, and Update Rollup.
   - Vendor: Select the vendor for the software update.
   - Product: Specify which product is updated by the update.
   - More Info: Specify a URL that provides more information about the update.
4. In the Optional Information section, provide the following information if necessary:
   - Bulletin ID: If a bulletin exists to describe the update, provide the identifier here.
   - Article ID: If an article exists to describe the update, provide the article ID here.
   - CVE ID: Provide the CVE (Common Vulnerabilities and Exposures) ID number.
   - Support URL: Provide a URL for more information about the update.
   - Severity: Choose the severity of the update for security updates. Choose from among None, Critical, Important, Moderate, and Low.
   - Impact: Specify the update impact. Choose from among Normal, Minor, and Requires Exclusive Handling. If an update requires exclusive handling, it must be installed separately from other updates.
   - Restart Behavior: This option provides information about what happens after the update installs. Choose from among Never Reboots, Always Requires Reboot, and Can Request Reboot.
5. In the Prerequisite dialog box, provide information about any software updates that must be present on the target computer for this update to install.
6. In the Superseded Updates dialog box, provide information about any existing updates that this update supersedes. When you publish this update, Configuration Manager marks all software updates that you specify on this page as expired.
7. In the Installable Rules dialog box, provide information that enables the software update client to determine whether the update should be installed.
The Catalogs workspace enables you to add catalogs to SCUP. Catalogs are collections of updates, usually from third-party vendors. Use the Catalogs workspace to subscribe to software updates catalogs (including partner catalogs), to edit catalog subscriptions, and to import software updates from catalogs into the Updates Publisher 2011 repository. After the software updates are imported into the repository, you can publish or export them to an external catalog. Figure 3-7 shows the Catalogs workspace.
FIGURE 3-7 Catalogs workspace
When you publish a software update to WSUS or Configuration Manager by using SCUP, you can choose to publish all content associated with the software update or to publish only the metadata associated with the update. You define publications in the Updates workspace. You use the Publications workspace to publish a publication to an update server, export a publication, and remove software updates from a publication.
Applicability rules enable you to determine whether the computer that is the target of the update meets the prerequisites for installing the update. For example, Figure 3-8 shows an applicability rule related to the Notepad.exe file.
FIGURE 3-8 Applicability rule
You can use the Rules workspace to create, edit, and delete rules and rule sets. You can create two types of applicability rules:
- Installable rules: This rule type determines whether a target computer requires a software update.
- Installed rules: This rule type determines whether an update is already present on a computer.
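To make the difference between the two rule types concrete, here is an added PowerShell illustration (not code from the book or from SCUP, which evaluates its rules on the client itself) that mirrors a file-version rule like the Notepad.exe rule in Figure 3-8 as an installable check and an installed check. The target path and the version the hypothetical update delivers are constructed placeholders.

```powershell
# Added example: the two applicability rule types expressed as PowerShell checks.
# Assumptions: $TargetFile and $FixedVersion are constructed placeholders, not real update data.
$TargetFile   = "$env:SystemRoot\System32\notepad.exe"   # file inspected by the rule (see Figure 3-8)
$FixedVersion = [version]'99.0.0.0'                       # constructed: version the update would ship

function Get-InstalledFileVersion {
    param([string]$Path)
    # $null means the file (and so the product) is not present, which makes neither rule true
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    return [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

# Installable rule: true means the target computer requires this update
function Test-InstallableRule {
    param([string]$Path, [version]$Fixed)
    $current = Get-InstalledFileVersion $Path
    return ($null -ne $current) -and ($current -lt $Fixed)
}

# Installed rule: true means the update is already present on the computer
function Test-InstalledRule {
    param([string]$Path, [version]$Fixed)
    $current = Get-InstalledFileVersion $Path
    return ($null -ne $current) -and ($current -ge $Fixed)
}

# Evaluate the rules in the order the update client would reason about them
$state = switch ($true) {
    { Test-InstalledRule   $TargetFile $FixedVersion } { 'Installed: update already present'; break }
    { Test-InstallableRule $TargetFile $FixedVersion } { 'Required: client would be offered the update'; break }
    default                                           { 'Not applicable: target file not found' }
}
$state
```

With the placeholder version of 99.0.0.0, a computer that has Notepad.exe reports "Required", which is the installable rule firing; lower $FixedVersion below the installed file version to see the installed rule fire instead.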
Objective summary
- System Center Updates Publisher enables you to deploy third-party software updates to WSUS or Configuration Manager servers so that these updates can be deployed to clients of these servers.
- You can subscribe to update catalogs that third-party vendors publish. From these catalogs, you can import updates.
- You can publish updates or update bundles to WSUS or Configuration Manager servers.
- Rules enable you to perform checks on clients to determine update applicability.
Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.
1. Which type of applicability rule should you configure to determine whether an update is already present on a computer?
   - Installable rule
   - Installed rule
   - Automatic approval rule
   - Automatic deployment rule
2. Which SCUP workspace do you use to remove a software update from publication?
   - Updates workspace
   - Catalogs workspace
   - Publications workspace
   - Rules workspace
3. You are adding an update from a third-party vendor in preparation for publishing that update to your organization’s Configuration Manager deployment. The update requires a computer restart to complete installation. Which of the following sections in the Optional Information window enables you to provide this information?
   - Restart Behavior
   - CVE ID