Friday, 26 August 2016

System Center Updates Publisher

The System Center Updates Publisher was built on the custom updates framework that was introduced in Systems Management Server 2003 R2. Updates Publisher is a stand-alone tool that enables independent software vendors or line-of-business developers to import custom software update catalogs, create and modify software update definitions, export update definitions to catalogs, and publish software update information to a configured WSUS server. 

By using Updates Publisher to define software updates and publish them to the WSUS server, the Software Updates feature in Configuration Manager is able to synchronize the custom update from the WSUS server database to the site server database. Client computers can then scan for custom update compliance, and administrators can deploy the custom updates to client computers.

Automatic Deployment Rules

A new Software Updates feature in Configuration Manager 2012 is Automatic Deployment Rules. This feature lets you define rules for specific types of software updates that can be downloaded and added to a software update group automatically. If a software update group is enabled for deployment, the updates are automatically deployed to your workstations. The Automatic Deployment Rules feature can be used for two common scenarios, namely: 

◆ Automatically deploying Endpoint Protection definition and engine updates
◆ Patch Tuesday security patches

For both scenarios, two out-of-the-box templates are available to assist you in creating the automatic deployment rules. When you create an automatic deployment rule, you need to define whether you want to add the updates to an existing software update group or to automatically create a software update group.

When you deploy Endpoint Protection (System Center Endpoint Protection) definition and engine updates, you can add these updates to an existing software update group. The reason for this is that only four definition updates are available per agent for Endpoint Protection. Three of them are superseded, and only one is active. Every fifth definition update will be expired and fall out of the software update group. Configuration Manager 2012 R2 is able to run the automatic deployment rule up to three times a day, in line with the definition updates publishing frequency.

If you want to deploy the Tuesday patches automatically, it is recommended that you create a new software update group every Patch Tuesday. This keeps your software updates organized. You can automatically select software updates based on the following parameters:

◆ Article ID
◆ Bulletin ID
◆ Custom severity
◆ Date released or revised
◆ Description
◆ Language
◆ Product
◆ Required
◆ Severity
◆ Superseded
◆ Title
◆ Update classification
◆ Vendor

Running an automatic deployment rule for a longer time can result in a very large package size. You are able to change the deployment package in an automatic deployment rule to limit the size of the package.

Deployments

While it is deployment packages that host the update files, it is software update deployments that actually deliver software updates to clients. The Deploy Software Updates Wizard is used to create deployments and can be started using several methods, which we will detail later. The following table lists all the pages in this wizard and describes the settings that can be configured in each one to create a software update deployment.

| Page | Description |
| --- | --- |
| General | Provides the name of and comments about the deployment; the update or update group and collection also need to be supplied. |
| Deployment Settings | Defines if the deployment is required or optional and sets the verbosity level. Also configures whether to send wake-up packets. |
| Scheduling | Sets whether the user will be notified of pending updates and/or the installation progress for updates, if the client evaluates the deployment schedule in local or Coordinated Universal Time, and the timeframe between when an update is available and when it is mandatory on clients. |
| User Experience | Defines if users will receive notice of installations of software updates and what happens when an installation deadline is reached. Defines the system restart behavior when an update installs on a client and needs to restart to finish. Defines if the Windows Embedded write filter is enabled or bypassed for this deployment. |
| Alerts | Sets the in-console alert handling of Configuration Manager and sets if System Center Operations Manager (SCOM) alerts are disabled while updates install and whether to send an alert if the install fails. |
| Download Settings | Sets how clients will interact with the distribution points when they get a software update deployment. Defines whether clients should use Microsoft Updates for content download if the updates are not present on the preferred distribution point, or whether to download software updates content when on a metered Internet connection. |
| Deployment Package | Shows the deployment package that will host the software updates for the deployment. This setting won’t appear if the updates have already been downloaded to a package. |
| Deployment Package | Lets you choose to download the updates from the Internet or from a source on the local network. |
| Languages Selection | Lets you select the languages for which the software updates that will be in the deployment are downloaded. |

If an update in a deployment has Microsoft Software License Terms that have not been accepted yet, then a Review/Accept License Terms dialog box will appear before the Deploy Software Updates Wizard and give you a chance to review and accept the license terms. When you accept the terms, then you can deploy the updates. If you don’t accept the terms, the process is canceled.

Deployment Packages

A deployment package is the method used to download software updates (either one or several) to a network shared folder, which must be manually created before it is used, and copy the software updates source file to distribution points defined in the deployment. Software updates can be downloaded and added to deployment packages prior to deploying them by using the Download Software Updates Wizard. This wizard provides admins with the capability to provision software updates on distribution points and verify that this part of the deployment process works properly.

When downloaded software updates are deployed using the Deploy Software Updates Wizard, the deployment automatically uses the deployment package that contains each software update. When software updates are selected that haven’t been downloaded or deployed, a new or existing deployment package must be specified in the Deploy Software Updates Wizard, and the updates are downloaded to the package when the wizard is finished.

There is no hard link between a deployment and a specific deployment package. Clients will install software updates in a deployment by using any distribution point that has the software updates, regardless of the deployment package. Even if a deployment package is deleted for an active deployment, clients will still be able to install the software updates in the deployment—as long as each update has been defined in at least one other deployment package and is present on a distribution point that the client can get to. To help prevent software update deployment failures, you should make sure that deployment packages are sent to a group of distribution points that can be accessed by all the clients you are targeting.
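The coverage rule described above can be checked before a deployment package is deleted or redistributed. The following is an added example, not part of the original post or of Configuration Manager: it models the rule over a constructed inventory, and every package, update, distribution point and client name in it is hypothetical.

```python
# Constructed inventory; all names below are hypothetical sample data.
PACKAGE_UPDATES = {   # deployment package -> updates it contains
    "PKG-2016-08": {"KB-A", "KB-B"},
    "PKG-Baseline": {"KB-A"},
}
PACKAGE_DPS = {       # deployment package -> distribution points it was sent to
    "PKG-2016-08": {"DP-HQ"},
    "PKG-Baseline": {"DP-HQ", "DP-BRANCH"},
}
CLIENT_DPS = {        # client -> distribution points it can reach
    "WS-HQ-01": {"DP-HQ"},
    "WS-BR-01": {"DP-BRANCH"},
}


def updates_on_dps(package_updates, package_dps):
    """Map each distribution point to the updates present on it, from any package."""
    on_dp = {}
    for pkg, updates in package_updates.items():
        for dp in package_dps.get(pkg, ()):
            on_dp.setdefault(dp, set()).update(updates)
    return on_dp


def unreachable_updates(deployment, package_updates, package_dps, client_dps):
    """Return {client: sorted updates of the deployment with no reachable copy}."""
    on_dp = updates_on_dps(package_updates, package_dps)
    gaps = {}
    for client, dps in client_dps.items():
        # The package an update came from is irrelevant; only DP content counts.
        available = set().union(*(on_dp.get(dp, set()) for dp in dps))
        missing = sorted(set(deployment) - available)
        if missing:
            gaps[client] = missing
    return gaps


def without_package(package_updates, name):
    """Inventory as it would look after deleting one deployment package."""
    return {p: u for p, u in package_updates.items() if p != name}


if __name__ == "__main__":
    deployment = ["KB-A", "KB-B"]
    print(unreachable_updates(deployment, PACKAGE_UPDATES, PACKAGE_DPS, CLIENT_DPS))
    after = without_package(PACKAGE_UPDATES, "PKG-2016-08")
    print(unreachable_updates(deployment, after, PACKAGE_DPS, CLIENT_DPS))
```

Any client listed in the result would fail to install the named updates, which is the failure the distribution point guidance above is meant to prevent.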

Deployment package access accounts allow you to set permissions to specify users and user groups who can access a deployment package folder on distribution points. Configuration Manager makes these folders available to everyone by default, but you can modify this access if required for a specific security need.

Configuration Manager 2012 client computers also have the option of selective download: A deployment package might contain both updates that are required for a client and some that are not, but the client can determine which software updates are applicable and retrieve only those files. This allows admins to have multiple updates in a single deployment package and use it to target clients that might need only some of those updates.