Managing Software Updates with System Center Configuration Manager R2
Jason Condo, Bennett Adelson, www.bennettadelson.com, jcondo@bennettadelson.com

Managing Updates with System Center Configuration Manager 2012


DESCRIPTION

From the Dogfood Conference 2014 in Columbus Ohio (www.dogfoodcon.com). Learn how the SUP role works in ConfigMgr 2012, how to implement a security risk process and how to manage updates in ConfigMgr 2012.


Page 1: Managing Updates with System Center Configuration Manager 2012

Managing Software Updates with System Center Configuration Manager R2
Jason Condo, Bennett Adelson
jcondo@bennettadelson.com

Page 2: Managing Updates with System Center Configuration Manager 2012

Agenda

• Why do we care about patching
• Common approaches to patching
• Example of controlled patch approval process
• Overview of the ConfigMgr SUP Role
• Ongoing Management of SUP
• Tips and Tricks
• Links

Page 3: Managing Updates with System Center Configuration Manager 2012

Common Approaches to Patch Management

• “What Updates?” Approach
• “Shotgun” Approach
• “Managed” Approach
• “Controlled” Approach

“Patches? We don’t need no stinking patches!”

Page 4: Managing Updates with System Center Configuration Manager 2012

Security Review/Approval Process

• At least three teams: Security, Systems, Application
• Vendors shouldn’t dictate patch installation
• You are inevitably responsible for accepting vulnerabilities
• “No process” is still a process

Enterprise Security Review Process – Example Cross-Functional Workflow – Bennett Adelson

Workflow diagram (reconstructed from the slide). Swimlanes: Security; Vendor; Systems - Technical; Business - Technical; Security Review Team; Documentation. Stages: Acquire, Assign, Assess, Apply, Assimilate.

• Acquire
  – Vendor releases update information
  – Security receives information from vendor or other source
  – System Admins receive information from vendor or other source
  – Developer, business analyst, or application owner receives information from vendor or other source
• Assign
  – Update reviewed and classified for security threat level (Security risk level assigned)
  – Technical review validates the risk exists in current systems and assigns level (Technical risk level assigned)
  – If determined to be applicable, submit to BA for impact of change
  – Application owner assesses impact and assigns level (Business impact assigned)
  – Security Review Board Meeting: assess team risk levels and assign deployment
  – Master risk/priority level assigned based on security risk, mitigation factors, and business impact (Vulnerability assigned Enterprise Risk level; SLA defined)
  – Matrix defines when update must be applied based on master level
  – Each update documented based on finding and mitigation factors
  – Update added to Enterprise Security Vulnerability database/spreadsheet
• Assess
  – Update applied and tested for functionality, stability
  – Issues encountered?
    • yes: Update reviewed for mitigation; change to assessment or mitigation requirements documented, Enterprise Risk level adjusted
    • no: Update documented as standard; report on anomalies
• Apply
  – Update is deployed. Up to 80% saturation
• Assimilate
  – Update integrated into source installations, images
  – Verify reporting and matrix deadline

Page 5: Managing Updates with System Center Configuration Manager 2012

The Five “A”s

• From the previous process diagram:
  – Acquire
    • Review the information for the Enterprise
    • Security, Technical, Application/Business
  – Assign
    • Team/Board review and assign to Enterprise Risk Level
  – Assess
    • Testing
  – Apply
    • Deploy
  – Assimilate
    • Prevent the vulnerability from occurring
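The Assign and Assess stages above as an added worked example (not from the deck): each team rates the update, the board derives the enterprise level, a matrix turns that level into an apply-by date, and issues found in testing feed back into the level. The level names, the combination rule, the SLA matrix and the update id are assumed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed values, not the deck's: four risk levels and a days-to-apply matrix.
LEVELS = ("low", "medium", "high", "critical")
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Assessment:
    update_id: str          # vendor/bulletin id collected during Acquire
    security_level: str     # classified by Security
    technical_level: str    # Systems: validates the risk exists in current systems
    business_impact: str    # application owner / business analyst
    mitigations: int = 0    # compensating controls noted by the review board

    def __post_init__(self):
        for lvl in (self.security_level, self.technical_level, self.business_impact):
            if lvl not in LEVELS:
                raise ValueError(f"unknown level {lvl!r}")


def master_level(a: Assessment) -> str:
    """Enterprise risk level: the highest team rating, lowered one step per
    documented mitigation factor (assumed rule), never below 'low'."""
    idx = max(LEVELS.index(l) for l in
              (a.security_level, a.technical_level, a.business_impact))
    return LEVELS[max(0, idx - a.mitigations)]


def apply_by(a: Assessment, decided_on: str) -> str:
    """Matrix lookup: ISO date by which the update must be applied."""
    start = date.fromisoformat(decided_on)
    return (start + timedelta(days=SLA_DAYS[master_level(a)])).isoformat()


def after_testing(a: Assessment, issues_encountered: bool) -> Assessment:
    """Assess loop: issues in testing send the update back for mitigation review
    and the enterprise level is adjusted; otherwise it is documented as standard."""
    if not issues_encountered:
        return a
    return Assessment(a.update_id, a.security_level, a.technical_level,
                      a.business_impact, a.mitigations + 1)


def saturation_met(installed: int, targeted: int, goal: float = 0.80) -> bool:
    """Apply stage check against the deck's 'up to 80% saturation' figure."""
    return targeted > 0 and installed / targeted >= goal
```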

Page 6: Managing Updates with System Center Configuration Manager 2012

ConfigMgr SUP Role – What is it?

• Built on WSUS; like WSUS, but not WSUS
• Functionally similar to the role in ConfigMgr 2007
  – 2012 new features
    • SUP fallback with 2012 SP1
    • Load balancing supported
    • Automatic Deployment Rules
    • Superseded updates not automatically expired
    • Single instance storage
  – 2007 functions kept
    • Maintenance Windows
      – Update will not be installed until the next available service window
      – Potential system restart time period is factored into the evaluation
      – If the client is a member of multiple collections, all applicable maintenance windows will be honored
      – One-time maintenance windows can prevent future update deployments
      – Can be overridden
    • Internet-based client support
    • Wake-On-LAN integration
    • Selective download of binaries
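The maintenance window rules listed above, as an added example that is not ConfigMgr's own evaluation code: it honors windows from every collection the client belongs to, requires the update's maximum run time plus the possible restart to fit, treats an expired one-time window as blocking, and lets a deployment override the windows. The window model (weekly or one-time, ISO timestamps) and the scheduling horizon are simplifications assumed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterator, List, Optional


@dataclass
class Window:
    start: str        # ISO timestamp of the first (or only) occurrence
    minutes: int      # window length
    weekly: bool      # False = one-time window; it never recurs


def _starts(w: Window, now: datetime, weeks: int = 8) -> Iterator[datetime]:
    """Yield window starts that have not fully elapsed at `now` (assumed horizon)."""
    start = datetime.fromisoformat(w.start)
    length = timedelta(minutes=w.minutes)
    if w.weekly:
        while start + length <= now:
            start += timedelta(days=7)
        for i in range(weeks):
            yield start + timedelta(days=7 * i)
    elif start + length > now:
        yield start
    # an expired one-time window yields nothing: if it is the only window the
    # client has, nothing is ever eligible, which is the blocking case on the slide


def next_install_time(windows: List[Window], now_iso: str, max_runtime_min: int,
                      restart_min: int, override: bool = False) -> Optional[str]:
    """Earliest ISO time the update may install; None if windows exist but none fits."""
    now = datetime.fromisoformat(now_iso)
    needed = timedelta(minutes=max_runtime_min + restart_min)
    if override or not windows:          # deployment ignores windows, or none defined
        return now.isoformat(timespec="minutes")
    candidates = []
    for w in windows:                    # every collection's windows are honored
        for start in _starts(w, now):
            begin = max(start, now)      # a window already open counts from now
            if start + timedelta(minutes=w.minutes) - begin >= needed:
                candidates.append(begin)
                break
    return min(candidates).isoformat(timespec="minutes") if candidates else None
```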

Page 7: Managing Updates with System Center Configuration Manager 2012

ConfigMgr SUP – How does it work

Page 8: Managing Updates with System Center Configuration Manager 2012

ConfigMgr Console - SUP

• The SUP sections in the console (demo):
  – All Software Updates
  – Software Update Groups
  – Deployment Packages
  – Automatic Deployment Rules
• Reporting
  – Search “Software Updates”

Page 9: Managing Updates with System Center Configuration Manager 2012

Managing Updates (demo)

• Acquire
  – List from vendors
    • Vendor blogs, RSS feeds, email newsletters
    • See hyperlinks at end of slide deck
  – List from ConfigMgr console
    • Only Microsoft
    • Depends on SUP settings
    • Patch Tuesday and based on your sync schedule
• Assign
  – Review with team (if one exists)
  – Your custom severity level
• Assess
  – Creation of update groups
• Apply
  – SUP collections
  – Maintenance windows
  – Reporting
• Assimilate
  – Deployment rollups
  – Image updates

Page 10: Managing Updates with System Center Configuration Manager 2012

User Experience

• Uses the new Software Center user interface
• End user has better control of their own experience:
  – Install/schedule updates
  – Use non-business hours
• Admin can choose to hide just pop-ups, or hide all end user notifications

Page 11: Managing Updates with System Center Configuration Manager 2012

Ongoing Updates Management

• General
  – Leverage Rollups
    • Single package
    • Operational deployment
    • Organize by products and year
  – Keep current SUG for 2-3 months
    • Depending on saturation and mobile workforce
    • Retire into rollup
• Monthly
  – Prune expired
  – Be careful about superseded
• Yearly
  – One old rollup, one current year rollup
  – Removing old updates from packages
    • Download from existing package source
    • Be aware of redistribution (package size)
    • What are you really saving?

Page 12: Managing Updates with System Center Configuration Manager 2012

Rollup Workflow – Configuration Manager 2012 - Software Updates Lifecycle Management

Diagram (reconstructed from the slide): swimlanes Operations, Deployed and Rollout; columns for January, February and March patching across the 2013 and 2014 cycles, with Patches Rollup 2013 and Patches Rollup 2014 as the yearly rollups and December 2012, December 2013 and January/February/March 2014 as the monthly groups shown.

Descriptions:
• Always deployed to all systems
• Catches any new systems that were not connected during deployment.
• Targeted to the OSD collections to ensure images are up to date.
• Previous update groups two cycles old are copied into here and the update group removed. (Patches stay deployed but cleans up the console)
• Updates always downloaded to the Rollup Package.
• Update Group membership edited when retiring monthly update lists.
• Keep up to three cycles of update groups for reporting
• Newly created update groups of the current deployment cycle
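The monthly and yearly lifecycle from the two slides above, as an added example that is not the deck's or ConfigMgr's own code: expired updates are pruned, superseded ones are flagged but left in place, and groups older than the retention threshold are folded into the year's "Patches Rollup" and removed. The retention threshold is a parameter (the slides mention both "two cycles old" and "up to three cycles"), and the KB ids are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Update:
    id: str
    expired: bool = False
    superseded: bool = False


@dataclass
class Catalog:
    monthly: Dict[str, List[Update]]                       # "YYYY-MM" -> SUG members
    rollups: Dict[str, Dict[str, Update]] = field(default_factory=dict)


def cycle_age(cycle: str, current: str) -> int:
    """Months between two "YYYY-MM" cycle labels."""
    y1, m1 = map(int, cycle.split("-"))
    y2, m2 = map(int, current.split("-"))
    return (y2 - y1) * 12 + (m2 - m1)


def monthly_maintenance(cat: Catalog, current: str, keep_cycles: int = 3) -> dict:
    """Prune expired updates, flag (but keep) superseded ones, and retire SUGs
    older than keep_cycles into "Patches Rollup <year>": the patches stay
    deployed through the rollup while the console is cleaned up."""
    report = {"removed_expired": [], "superseded_kept": [], "retired_groups": []}
    for cycle in sorted(cat.monthly):
        kept = []
        for u in cat.monthly[cycle]:
            if u.expired:
                report["removed_expired"].append(u.id)
                continue
            if u.superseded:               # "be careful about superseded": leave in place
                report["superseded_kept"].append(u.id)
            kept.append(u)
        cat.monthly[cycle] = kept
        if cycle_age(cycle, current) >= keep_cycles:
            rollup = cat.rollups.setdefault(f"Patches Rollup {cycle[:4]}", {})
            for u in kept:
                rollup[u.id] = u           # one copy even if several groups carried it
            del cat.monthly[cycle]
            report["retired_groups"].append(cycle)
    return report
```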

Page 13: Managing Updates with System Center Configuration Manager 2012

Tips and Tricks

• Patch Organization
  – Filter console (Demo)
  – Saved searches (Demo)
  – File deployed updates into folders (Demo)
• Deployment templates
  – General and specific
• Deployments and Collections
  – One-to-one relationship
    • but collections can include collections
    • Phased collections with a deployment collection (Demo)

Page 14: Managing Updates with System Center Configuration Manager 2012

Tips and Tricks

• Automatic Deployment Rules
  – Streamlining new patches
    • ADR to deploy to pilots
    • Validate
    • Roll out the SUG
  – Demo: creation of SCEP ADR
• Optimize Package Distribution
  – Ensure downloading only the languages you need
  – Configure patch distribution to occur in the evenings
  – Stagger patch distributions between tiered sites

Page 15: Managing Updates with System Center Configuration Manager 2012

Troubleshooting – Server Logs

Log                       Types of issues
SUPsetup.log              Installation of SUP Site Role
WCM.log, WSUSCtrl.log     Configuration of WSUS Server/SUP
WSyncMgr.log              ConfigMgr/WSUS Updates Synchronization Issues
Objreplmgr.log            Policy Issues for Update Assignments/CI Version Info policies
RuleEngine.log            Auto Deployment Rules

Page 16: Managing Updates with System Center Configuration Manager 2012

Troubleshooting – Client Logs

Log                          Types of issues
UpdatesDeployment.log        Deployments, SDK, UX
UpdatesHandler.log           Updates, Download
ScanAgent.log                Online/Offline scans, WSUS location requests
WUAHandler.log               Update status (missing/installed – verbose logging), WU interaction
UpdatesStore.log             Update status (missing/installed)
%windir%\WindowsUpdate.log   Scanning/Installation of updates
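An added example (not from the deck) of reading the ConfigMgr client logs listed above: the ConfigMgr agent writes them in the CMTrace line layout, and the reader below pulls out the non-informational entries and any HRESULT-style error codes, with a per-component line count so a scan problem (ScanAgent/WUAHandler) stands out from a deployment problem. The three log lines in SAMPLE are constructed for the example, not captured from a real client.

```python
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# CMTrace line layout: <![LOG[message]LOG]!><time=... date=... component=... type=...>
CMTRACE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" component="(?P<component>[^"]*)"'
    r' context="[^"]*" type="(?P<type>\d)" thread="\d+" file="[^"]*">',
    re.S,
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}
HRESULT = re.compile(r"0x[0-9A-Fa-f]{8}")


def parse(text: str) -> Iterator[Dict[str, object]]:
    """Yield one dict per CMTrace entry found in `text`."""
    for m in CMTRACE.finditer(text):
        yield {
            "when": f'{m["date"]} {m["time"]}',
            "component": m["component"],
            "severity": SEVERITY.get(m["type"], "unknown"),
            "codes": HRESULT.findall(m["msg"]),   # error codes worth looking up
            "msg": m["msg"],
        }


def triage(text: str) -> Tuple[List[Dict[str, object]], Counter]:
    """Return the warning/error entries and a line count per component."""
    entries = list(parse(text))
    issues = [e for e in entries if e["severity"] != "info"]
    return issues, Counter(e["component"] for e in entries)


# Constructed sample lines in the style of WUAHandler.log and ScanAgent.log.
SAMPLE = "\n".join([
    '<![LOG[Scan results will include all superseded updates.]LOG]!>'
    '<time="09:15:02.120+240" date="10-14-2014" component="WUAHandler" context="" '
    'type="1" thread="3280" file="sample.cpp:1">',
    '<![LOG[Scan failed with error = 0x80072ee2.]LOG]!>'
    '<time="09:15:41.010+240" date="10-14-2014" component="WUAHandler" context="" '
    'type="3" thread="3280" file="sample.cpp:2">',
    '<![LOG[WSUS location request timed out, will retry.]LOG]!>'
    '<time="09:15:41.250+240" date="10-14-2014" component="ScanAgent" context="" '
    'type="2" thread="3280" file="sample.cpp:3">',
])

if __name__ == "__main__":
    for issue in triage(SAMPLE)[0]:
        print(issue["when"], issue["component"], issue["severity"], issue["msg"])
```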

Page 17: Managing Updates with System Center Configuration Manager 2012

Links

• Information
  – BA Blog (slides, technical)
    • http://bennettadelson.wordpress.com
  – BA website
    • http://www.bennettadelson.com
• Vendor security RSS or newsletter
  – Adobe
    • http://helpx.adobe.com/security.html
  – Oracle
    • http://www.oracle.com/technetwork/topics/security/alerts-086861.html
  – Microsoft Security Bulletin Advance Notification
    • http://technet.microsoft.com/en-us/security/gg309152.aspx
  – Microsoft Technical Security Notifications
    • http://technet.microsoft.com/en-us/security/dd252948.aspx
    • Sign up for various topics delivered via email, RSS, or website.