Microsoft Professional Advisory Services is a support option that provides short-term, proactive, consultative support beyond break-fix product maintenance needs. This includes working with the same technician for assistance with issues like product migration, code review, or new program development and is a remote, phone-based support option. This service is typically used for shorter engagements, and is designed for developers and IT professionals who do not require the traditional onsite consulting or sustained account management services that are available from other Microsoft support options.

For additional information on Microsoft Advisory Services, including on how to engage, refer to this Microsoft web page:

http://support.microsoft.com/gp/AdvisoryService (http://support.microsoft.com/gp/AdvisoryService)

This scenario will assist customers with the configuration of Software Updates in Configuration Manager 2007, including installing WSUS 3.0 and the latest Service Pack, creating and using Update Lists, creating and deploying Deployment Packages, and the use of Deployment Templates so that specified clients can properly receive approved software updates.    An effective software update management process is necessary to maintain operational efficiency, overcome security issues, and maintain the stability of the systems infrastructure. However, because of the changing nature of technology and the continual appearance of new security threats, the task of effective software update management can be time consuming and challenging. With Configuration Manager, IT administrators can deliver updates of Microsoft products, third-party applications, custom in-house line-of-business applications, hardware drivers, and system BIOS to a variety of devices—including desktops, laptops, servers, and mobile devices. Software Update Management in Configuration Manager is built on Microsoft Windows Software Update Services (WSUS), a time-tested update infrastructure familiar to IT administrators worldwide. This integration improves speed and efficiency of update management and helps limit vulnerabilities by enabling IT administrators to deploy the latest Microsoft product updates.

Scoping questions

SCOPING QUESTIONS: SCENARIO #1 – SINGLE SITE IN MIXED MODE

1. Do we have a SCCM setup installed, configured and working, where clients and reporting getting the configurations from SCCM servers?
   
   Yes. Continue with the scoping and go to question number 2
   No. Stop the scoping with the customer, Customer has to complete the installation and configuration of SCCM server as per Microsoft recommendation. Microsoft System Center Configuration 2007 planning and Deployment Guide (http://technet.microsoft.com/en-us/library/bb680397.aspx)
   
2. Does the machine which is used as Software update point have internet connectivity?
   
   Yes. Continue with the scoping and go to question 3
   No. Customer has to get internet connectivity on the site server or the remote machine, which is used as SUP as it is required for syncing the windows update catalogue.
   
3. Do we have SCCM Reporting Point Site System already installed for this SCCM server.
   
   Yes. Continue with the scoping and go to question 4
   No. Customer has to install SCCM Reporting Point Site System.  The reporting point site system role must be installed before software updates Web reports can be displayed. For more information about creating a reporting point, see How to Create a Reporting Point (http://technet.microsoft.com/en-us/library/bb694033.aspx)
   
4. Do all the managed SCCM clients are having Windows Update Agent (WUA) 3.0 or higher installed on them.
   
   Yes. Continue with the scoping and go to question 5.
   No or Not sure. Customer has to verify that the clients are windows update agent version three oOr higher.  If required install them on machine they are missing it.
   
   The WUA 3.0 client is required on clients to connect to the WSUS 3.0 server and retrieve the list of software updates that need to be scanned for compliance. When running the Configuration Manager installation, the latest version of the Windows Update Agent is downloaded, and then when the Configuration Manager client is installed the Windows Update Agent is upgraded if necessary. When the installation fails, the Windows Update Agent will need to be upgraded using another method. For more information about how to verify the Windows Update Agent on clients, see How to Check the Windows Update Agent Version on Clients (http://technet.microsoft.com/en-us/library/bb680319.aspx)
   
   For more information about how to install the Windows Update Agent, see How to Install the Windows Update Agent on Client Computers (http://technet.microsoft.com/en-us/library/bb932139.aspx)
   
5. Does customer have multiple sites, are they in Native mode, whether they have IBCM client?
   
   Yes, and then go to scenario #2

Scoping Questions: Scenario #2 – MULTI SITE HIEARACHY AND also ADVANCED SETUP

1. Does this SCCM site is in native mode? Make sure that the SCCM site is functional in native mode with certificate based communication.
   
   Yes, continue with the scoping and go to question 8.
   No. Customer has to make sure the native mode is configured properly with necessary certificates and also the clients to server communication is working fine, before proceeding with SUP installation.
   
2. Do they have internet based client for which the SUP will be serving software updates. If so make sure that IBCM clients and functional and communicating with the management.
   
   Yes. Continue with the scoping and go to question 9.
   No. Customer has to do the necessary configuration and make sure that IBCM of SCCM is working fine outside software updates.
   
3. If there any firewall between the Configuration Manager 2007 active software update point and the Internet, an active software update point and its upstream server, or an active Internet-based software update point and the active software update point for the site, Then make sure that the firewall he firewall might need to be configured to accept the HTTP and HTTPS ports used for the WSUS Web site.
   
   Yes. Continue with the scoping and go to question 10.
   No. configure firewall as per How to Configure a Firewall for Software Updates (http://technet.microsoft.com/en-us/library/bb693717.aspx)
   
4. Collect the complete information about hierarchy and servers and setup and proceed with this support offering.

INCLUDED WITH SCOPE

Installation and configuration of the Software update management component.

Creating necessary SUM objects and testing it against a test collection.

ASSUMPTION

This SCCM  Pro Advisory Support Offerings make the following assumptions:

• System Center Configuration Manager 2007 is installed and configured per the recommendations of Microsoft System Center Configuration 2007 planning and Deployment Guide. http://technet.microsoft.com/en-us/library/bb680397.aspx (http://technet.microsoft.com/en-us/library/bb680397.aspx)
• The reporting point site system role must be installed before software updates Web reports can be displayed. For more information about creating a reporting point, see How to Create a Reporting Point. http://technet.microsoft.com/en-us/library/bb694033.aspx (http://technet.microsoft.com/en-us/library/bb694033.aspx)  
• SCCM central site server is having the internet connection as we will be using that server to sync the catalogue also might use for downloading software update binaries if we have a centralized administration.
• As the SCCM is released long back and already having SCCM Sp1, SP2 and R2 released later, we are not considering the SMS 2003 site and SMS clients in the scope of this document.
• Upon completion of the installation and configuration of software update deployment in SCCM, this advisory will be considered complete. When we deploy the patches to multiple clients, there might be different issues that can come and all those need to be taken care either by customer or need to have separate break fix cases.

COMPLEXITY: MEDIUM

Complexity of this project is based on how complex is your SCCM hierarchy. If you have a simple setup with a single SCCM site even the SUM installation and configuration is pretty straight forward as we need only one WSUS server and software update point.  But if we have a complex environment we need to do the installation configuration on multiple sites in the hierarchy.

Below is a list of self-help resources or this scenario. These resources may also be used by Microsoft Support Engineers during an Advisory Services engagement.

1. Install WSUS 3.0 and latest service pack on the SUP machine. If SUP is on a remote machine install WSUS admin console on site server. It is recommended to use a custom website for WSUS rather than using default website
   
   How to Install Windows Server Update Services 3.0 (http://technet.microsoft.com/en-us/library/bb693980.aspx)
   
   How to Install the Windows Server Update Services 3.0 Administration Console (http://technet.microsoft.com/en-us/library/bb632901.aspx)
   
2. Determine the port used for WSUS and any firewall in-between the SUP and internet and configure accordingly and then add the software update point site system role and the create and configure an active SUP
   
   How to Determine the Port Settings Used by WSUS (http://technet.microsoft.com/en-us/library/bb632477.aspx)
   
   How to Configure a Firewall for Software Updates (http://technet.microsoft.com/en-us/library/bb693717.aspx)
   
   How to Add the Software Update Point Site Role to a Site System (http://technet.microsoft.com/en-us/library/bb680313.aspx)
   [This is required only if SUP is remote]
   
   How to Create and Configure an Active Software Update Point (http://technet.microsoft.com/en-us/library/bb633236.aspx)
   
3. Configure the Software update point settings and initiate catalogue synchronization with Microsoft update site.
   
   Planning for the Software Update Point Settings (http://technet.microsoft.com/en-us/library/bb694108.aspx)
   
   How to Configure Software Updates Synchronization (http://technet.microsoft.com/en-us/library/bb632893.aspx)
   
   
4. Configure the Software Update Client agent and Server side Global settings for the client side scan and deployment and user interface experience and reboot settings.
   
   Planning for Software Updates Server Settings (http://technet.microsoft.com/en-us/library/bb693485.aspx)
   
   Planning for Software Updates Client Settings (http://technet.microsoft.com/en-us/library/bb632393.aspx)
   
   How to Configure the Software Updates Client Agent (http://technet.microsoft.com/en-us/library/bb694223.aspx)
   
   
   In below steps we will download the software updates creates necessary software updates related objects and then will do testing of patche4s against a test collection.
   
   
5. Go through the below link understand the methods of creating deployment packages, downloading software update files, adding software updates to deployment and updating distribution points etc. Also create a Deployment package and download few update files so that we can use it for testing.
   
   How to Manage Software Update Files (http://technet.microsoft.com/en-us/library/bb632328.aspx)
   
   Go through the below link to understand how to find software updates, configuring search folder, creating Update list etc. Create a Test search folder and update list that we can use while testing the deployment.  
   
   How to Manage Software Updates Metadata (http://technet.microsoft.com/en-us/library/bb633132.aspx)
   
   Understand about the deployment template About Deployment Templates in Software Updates (http://technet.microsoft.com/en-us/library/bb632940.aspx)   and then create a deployment template with necessary settings as per blow link:
   
   How to Create a Deployment Template (http://technet.microsoft.com/en-us/library/bb633176.aspx)

Understand about the deploy software update wizard  Deploy Software Updates Wizard (http://technet.microsoft.com/en-us/library/bb693791.aspx) and then Deploy the test update list created above to a test collection as per How to Deploy Software Updates Using an Update List (http://technet.microsoft.com/en-us/library/bb693779.aspx)

Monitor the deployment as per How to Monitor Software Update Deployments (http://technet.microsoft.com/en-us/library/bb633270.aspx) . Also we can look at the Troubleshooting Software Updates (http://technet.microsoft.com/en-us/library/bb693492.aspx)  to look more on this and to get an idea of different log files related to software updates.

Additional settings and requirements for native mode and internet based client management.

How to Add the Web Server Certificate to the Custom WSUS Web Site (http://technet.microsoft.com/en-us/library/bb680861.aspx)

How to Configure the WSUS Web Site to Use SSL (http://technet.microsoft.com/en-us/library/bb633246.aspx)

How to Configure a Software Update Point for Internet-Based Client Connections (http://technet.microsoft.com/en-us/library/bb694265.aspx)

Administrator Checklist: Configuring the Software Update Point in a Native Mode Site (http://technet.microsoft.com/en-us/library/bb632381.aspx)

How to Create and Configure an Active Internet-Based Software Update Point (http://technet.microsoft.com/en-us/library/bb694182.aspx)

All primary sites in the Configuration Manager hierarchy must have an active software update point. The child site synchronizes with the active software update point configured for the parent site. Secondary site servers can be configured with an active software update point, or client computers at the secondary site can connect directly to the active software update point on the parent primary site.

Creating the SUP on child primary is same as that of central. Only difference is that the sync settings won’t be available at the child primary.

Administrator Checklist: Configuring the Software Update Point in a Mixed Mode Site (http://technet.microsoft.com/en-us/library/bb680512.aspx)


When there is limited network bandwidth to the software update point at the parent site or when Windows Server Update Services (WSUS) is approaching the maximum number of client computers, it is recommended that a software update point be installed at the secondary site

How to Create and Configure an Active Software Update Point on a Secondary Site (http://technet.microsoft.com/en-us/library/bb932153.aspx)


This steps is required only if customer want o have a NLB cluster for SUP for scalability and high availability

How to Configure the Active Software Update Point Component to Use an NLB Cluster (http://technet.microsoft.com/en-us/library/bb633165.aspx)

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.