Microsoft completely redesigned the Software Update/Patch Management operations in SCCM 2007. Although many of the familiar concepts and procedures are changed, the final process is very similar to what was used in SMS 2003. Only one rarely-used capability was removed, and common deployment designs were made far simpler to administer.

Patch Management is inherently a risky activity. You are installing software that changes basic functions of the operating system and key applications on every computer and server in the company. In that environment, there are no small errors. Even slight differences from intended options can cause serious problems. SCCM adds features that greatly reduce the need to select deployment options, once standards are developed and tested. Pre-selected sets of options can be used each month.

It is vital to understand the changes in design and operations from SMS 2003 before upgrading your production environment from SMS 2003 to SCCM 2007. Failure to do so, including failure to test planned strategies in a test lab, is likely to result in incomplete patching, increased disruption to users, or both.

The biggest change is replacing the individual scanners, such as ITMU, with the same mechanism used by the public Microsoft Update feature. You must install at least one WSUS 3.0 server to support Software Updates. You will not need ITMU or ESUIT after all clients have been upgraded. Basing this feature on WSUS also means that all updates that are distributed through Microsoft Update are available for deployment with SCCM Software Updates. It is not limited to security updates.

SCCM supports an enhanced version of Inventory Tool for Custom Updates (ITCU). This allows updates to non-Microsoft products to be deployed and managed just like Microsoft updates. Definitions for some updates can be downloaded from some vendors such as Adobe. An editor supplied with this feature allows the administrator to create rules for applying any updates from any vendor, including internally-created applications. ITCU must be downloaded and installed separately after SCCM 2007 is installed.

Software Update Components
  • Scanning schedules are set for a site or the entire environment. You cannot run the scanner for selected collections.
  • Rescanning updates that were previously applied, to see if they are needed again, is a separate activity from scanning for new updates. Each type of scan is scheduled separately. Only the scan for new updates downloads and uses the latest definitions.
  • SCCM uses collections to limit selected update activities to particular lists of machines, just as with SMS 2003.
  • The updates to be included in a deployment are selected in a separate activity. The selection can be saved as an Update List for later use or used to immediately create a Deployment Package.
  • A Deployment Package is the logical equivalent of an SMS 2003 update package created with the Distribute Software Updates Wizard. It creates a folder of installation files which are copied to the selected DPs.
  • An Update Deployment is the logical equivalent of the SMS 2003 advertisement plus options previously set in the DSUW wizard. Templates can be created that save the collection, deployment options and postponement time period for later reuse. The deployment specifies when it is available, if it is mandatory, and when it expires.
  • The patching deadline, or maximum postponement, is based on the time the deployment is available plus any postponement period specified in the deployment. That makes it very easy to set up staged deployments of a set of updates to different collections with different schedules.

Reporting
Reporting is changed from SMS 2003. Monitoring the status of an advertisement is replaced by monitoring the results of a deployment. This will take getting used to, but should result in simpler reporting in most cases.
