Using Maintenance Windows While Patching

Posted on May 24th, 2008 by Anthony Clendenen.
Categories: Config Manager, ConfigMgr, How-To, Maintenance Windows, Patching, SCCM.

I got a really good question today on maintenance windows and patching and how they can or cannot work together.  Specifically: if you have a maintenance window defined, but tell the patches to install ignoring the maintenance window while suppressing the reboots until the maintenance window, will it install the updates and hold off on rebooting the clients until the maintenance window?

First let’s go over defining maintenance windows.

Assuming you already have a collection of computers built that you will apply the maintenance window to, right-click on that collection of computers (never users for maintenance windows).

Select Modify collection settings from the context menu.

ModifyCollectionSettingsMenu

On the Maintenance Windows tab click the starburst icon to create a new maintenance window.

MaintenanceWindowsDialog

Give it a name and set the recurrence pattern. I set mine to daily and left the default time from 1 - 4 AM.  Then click OK.

MaintenanceWindowsSchedule

You should now see the maintenance window defined. Click OK again, and now we have set the maintenance window for these clients from 1 - 4 AM each day, or however you defined yours.

MaintenanceWindowsAdded

OK now for software updates.

The machine I am going to test on is an XP box that is one of my test machines in my home lab. It has been off for quite some time, so it is not fully patched and makes an excellent client.

I have also created a search folder under software updates for critical XP patches in previous testing.  This makes deployment much easier, and if you don’t use search folders I highly recommend it.

SoftwareUpdatesSearchFolder

Let’s look at the different settings for this package of XP Critical updates I have defined. 

In the Deployment Management folder there is already the XP Critical Updates package. I am going to right-click on the package itself, select Properties, and then look at the Schedule tab.  I want to check the bottom box that tells it to ignore the maintenance windows and install as soon as the deadline comes.

UpdatePkgScheduleTab

UpdatePkgIgnoreMaintWindowForInstall

And then on the Restart Settings tab, make sure that the checkbox telling ConfigMgr to restart outside of the maintenance window is not checked.  I also have the box to suppress reboots on workstations unchecked.

UpdatePkgRestartSettingsTab

Now I am going to add the new patches to this package by going to my search folder, selecting my search for Critical XP Patches, selecting the new patches, and in the Actions pane clicking Download Software Update under the selected items section, which starts the Download Updates Wizard, and I tell it to add these patches to my XP Critical Patches package.

DLUpdatesSelectUpdates2DL

DLUpdatesActionTabOptions DLUpdatesWizSelectDeploymentPkg

I finish going through the wizard and wait for the patches to download, and about a minute later I get a success message telling me that the patches have been downloaded and added to my package.

DLUpdatesWizSuccess

Meanwhile, back at the ranch, or on our client: once the client notices that there are patches to be installed and the deadline for install has passed, the patches do get installed on the computer.  You can completely hide this from the user now, or you can give them a balloon notification and allow them to watch the progress.

SoftwareUpdatesDialog

If the user does watch the progress, assuming you allowed this through your configuration, they also have the option to reboot now or close the window.  If the user selects the close option, we see in the %System32%\CCM\logs\RebootCoordinator.log file that our maintenance window is preventing the client from being rebooted until the maintenance window.

RebootCoordinatorLog

I have adjusted the maintenance window settings for this client to put us inside a maintenance window to see if it will actually reboot the computer.  After I force the client to do a policy refresh, a couple of seconds later up comes the dialog box telling the user they have five minutes before their computer is restarted.

rebootDialog

To answer the original question: yes, you can use maintenance windows to only delay the reboots and have the patches install ASAP.
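The outcome of the test above, as a simplified scheduling model (an added example, not code from the original post or from ConfigMgr itself): it computes when updates install and when the reboot happens for each combination of the two checkboxes. The class and function names are hypothetical, installs are treated as instantaneous, and the window is assumed to recur daily.

```python
"""Simplified model of deadline vs. maintenance-window behaviour (illustrative only)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class DailyWindow:
    """A maintenance window that recurs every day; it may cross midnight."""
    start: time
    end: time

    def _bounds(self, day):
        opens = datetime.combine(day, self.start)
        closes = datetime.combine(day, self.end)
        if closes <= opens:                      # e.g. 22:00 - 02:00
            closes += timedelta(days=1)
        return opens, closes

    def contains(self, moment):
        # Check today's occurrence and yesterday's (it may still be open).
        for back in (0, 1):
            opens, closes = self._bounds(moment.date() - timedelta(days=back))
            if opens <= moment < closes:
                return True
        return False

    def next_open(self, moment):
        """Earliest time at or after `moment` that falls inside the window."""
        if self.contains(moment):
            return moment
        opens, _ = self._bounds(moment.date())
        return opens if opens > moment else opens + timedelta(days=1)


@dataclass(frozen=True)
class Deployment:
    deadline: datetime
    ignore_window_for_install: bool   # Schedule tab: install at deadline
    restart_outside_window: bool      # Restart Settings tab: reboot any time


def plan(dep, window, policy_received):
    """Return (install_at, reboot_at) for one client."""
    # A client cannot act before it has the policy or before the deadline.
    ready = max(dep.deadline, policy_received)
    install_at = (ready if dep.ignore_window_for_install
                  else window.next_open(ready))
    reboot_at = (install_at if dep.restart_outside_window
                 else window.next_open(install_at))
    return install_at, reboot_at


def pending_reboot(dep, window, policy_received):
    """How long the client sits with updates installed but not yet rebooted."""
    install_at, reboot_at = plan(dep, window, policy_received)
    return reboot_at - install_at


if __name__ == "__main__":
    # Constructed sample values: the post's 1 - 4 AM daily window and a
    # made-up 9 AM deadline on the day the post was published.
    window = DailyWindow(time(1, 0), time(4, 0))
    deadline = datetime(2008, 5, 24, 9, 0)
    received = datetime(2008, 5, 24, 8, 0)
    for ignore in (True, False):
        for outside in (True, False):
            dep = Deployment(deadline, ignore, outside)
            install_at, reboot_at = plan(dep, window, received)
            print(f"ignore_window={ignore!s:5} restart_outside={outside!s:5} "
                  f"install={install_at:%a %H:%M} reboot={reboot_at:%a %H:%M} "
                  f"pending={pending_reboot(dep, window, received)}")
```

The `pending` column is the figure to watch when choosing a window: an update that requires a restart is not fully applied until that restart happens.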

Regards,
Anthony

Anthony Clendenen | Solutions Engineer | 1E

Microsoft MVP System Center Configuration Manager


http://configmgr.com

© Anthony Clendenen


ConfigMgr SP1 Goes RTM

Posted on May 22nd, 2008 by Anthony Clendenen.
Categories: Config Manager, ConfigMgr, Downloads, News, SCCM, Server 2008, Vista.

Update: Download link

More Details.

Overview

Configuration Manager 2007 SP1 now offers full support for management with Windows Vista SP1 and Windows Server 2008, integrates customer feedback, features integration with Intel vPro Technology, and enhances Asset Intelligence features.

  • Full Windows Vista SP1 and Windows Server 2008 Support: Deploy and manage Windows Vista SP1 and Windows Server 2008—with full support for the latest Windows platforms, from planning through inventory, to deployment, and into operational scenarios such as software distribution, software update management, desired configuration management, and more.
  • AMT Integration: Configuration Manager 2007 SP1 integration with Intel Active Management Technology (AMT) enables hardware-based power control (on/off/restart) and delivers many new remote diagnostic and troubleshooting capabilities. Configuration Manager can now perform scheduled or on-demand power control operations on Intel vPro enabled systems in the enterprise, enabling higher levels of software update compliance as well as increasing application installation and operating system deployment success rates. The new out of band management console provides direct hardware interaction using Windows Remote Management (the Microsoft implementation of WS-MAN). This enables remote boot control, allows forced PXE boot for operating system deployments, remote network boot for customized remote tasks and diagnostics, and direct inspection of hardware inventory and power state—even if the system is powered off.
  • Asset Intelligence: Building on the original release within Configuration Manager, this enhancement to the inventory capabilities of Configuration Manager 2007 provides improvements for stronger inventory of hardware, software, and software licenses in use throughout the enterprise. The enhancements made enable administrators to more easily, and more accurately, inventory and manage hardware and software assets as well as view and manage purchased software license information. By providing this essential information, Asset Intelligence makes it easier for administrators and asset managers to more effectively plan for upgrades, migrations, and software license compliance reporting.
    Asset Intelligence in Configuration Manager 2007 SP1 adds the following additional functionality over that provided by the Asset Intelligence feature in Configuration Manager 2007:
    • The Asset Intelligence feature node has been added to the Configuration Manager console to allow easier Asset Intelligence–related administration tasks and rich reporting capabilities.
    • The Asset Intelligence Configuration Manager Console home page has been added to provide at-a-glance feature state status and information.
    • The Asset Intelligence catalog has been expanded to contain categorization and identification information of a large catalog of software titles—both Microsoft and 3rd party—as well as the hardware requirement information for many software titles found in today’s IT environments.
    • The ability to customize the Asset Intelligence catalog with additional software categorization information and hardware requirements information has been added.
    • New reports have been added that enable administrators to generate a total of 70 reports, based on inventoried information, that present data about hardware, software, and license usage.
      • General reports are linked to more specific reports and allow IT administrators to query general information or drill down to more detailed levels if required.
    • Hardware inventory enhancements have been added to gather information such as processor age, speed, and USB devices in use or when hardware has changed since the last inventory or during a specified period of time.
    • Installed software inventory enhancements have been added that gather information about installed software in use in the enterprise.
      • These enhancements allow IT organizations to identify and better categorize their software assets.
      • Robust reports provide information about types of software in use to help identify redundant software and optimize software support and purchasing.
    • Software license management capabilities have been added that allow purchased software license data (both Microsoft and non-Microsoft) to be imported into the Asset Intelligence catalog to enable better license management and reporting.
    • Improvements have been made to provide data about utilized Client Access Licenses (Windows Server, and Exchange Server) and computers acting as Key Management Servers for Windows Vista activation.
      • The report output format is congruent with Microsoft License Statements facilitating system-wide license tracking and compliance.

Just made public today, it will take a day or so to get the bits available for download.

Regards,
Anthony


IT Going Green and Making a Difference in More Ways


This is a 1E customer who not only uses our NightWatchman software to save electricity and subsequently reduce their own carbon footprint in doing so, but they also saw a return on investment of less than three months on a project that also included our user self-service product Shopping and services to design and implement SMS.  In the long run they are going to reduce the amount of carbon emitted into the environment by 1 metric tonne annually and their head count is only 4,500 employees.  Other benefits they will realize are faster and easier application delivery to the end users, and less IT staff costs by implementing SMS and Shopping, all alongside NightWatchman.

I was not involved in this project personally, but I can tell you that with all of my customers who use NightWatchman, they are not only saving millions of dollars on electricity each year and saving the planet at the same time, but when they add our other software solutions like 1E WakeUp with our custom Wake-on-LAN solution and the much imitated Client Health, patching of computers is much faster and reaching a patch level of 100% compliant is not only possible but now the expectation. Add in our branch distribution software Nomad Enterprise and the fear of sending a package over a link and hoping it doesn’t saturate the pipe is gone; no longer can the network admins point their fingers at the SMS or ConfigMgr if their traffic shaping doesn’t quite work. Nomad has dynamic true bandwidth throttling built in that handles any change in network traffic. Oh, the stories I could tell.  And then when you add Shopping in, you never have to worry again about getting those frantic phone calls from your manager or director telling you to stop what you were working on “…because the department head of X is leaving for the airport in 45 minutes and has to have the latest version of Visio and PowerPoint installed on their laptop before they go, and I mean right now!  Create the package and ad thing you do. No, I have no idea what their computer name is, why?  Oh, and make sure they have the right service pack and all the patches installed with those too!  We can’t have them getting infected.”  Because with Shopping that department head could sit in their chair, open up their browser, select Visio and PowerPoint from the list of applications on the Shopping portal, and in just a few minutes it would all be installed while they were checking online to make sure they had the best seat for their return flight next week, all without ever contacting IT!

My customers’ scale, as far as client numbers, is almost always in excess of 100k, so I get to design and test some very interesting solutions.  Hierarchies are very large and complicated, not to mention the sheer size of the IT operations and the risk associated with making changes to the computing environment and processes.  But when the design is complete, and we have checked every box indicating that all of the PoC tests are a success, and all requirements have been met, and I produce a report telling them how much they are going to reduce their carbon footprint and save on electricity, that they no longer have to worry about traffic shaping to make sure an SMS distribution doesn’t cause a network outage, that we meet and exceed application delivery to the end users where service level agreements are measured in seconds not days, and they are finally going to get the client fixed on all those computers where it hasn’t worked for no one knows how long, all they can do is smile in disbelief and ask me why they didn’t call sooner!

So I can attest to this case study being factual even though I didn’t work on the project because I have seen it all with my own customers using the 1E products and services.

PeterboroughCaseStudy.pdf

Regards,
Anthony


Ronni Pedersen’s Blog Visio 2007 Pro ConfigMgr & OpsMgr Connectors

Posted on May 17th, 2008 by Anthony Clendenen.
Categories: Blogroll, Config Manager, ConfigMgr, Cool Tools, Downloads, Office, SCCM.

Download the Visio add in and the web server component to connect and generate datasets to connect to your existing diagrams or auto generate your diagrams for your infrastructure monitoring needs. See your data from OpsManager and ConfigManager live in Visio diagrams.

http://www.microsoft.com/downloads/details.aspx?FamilyID=521B3884-1EDA-4B9D-8AD7-67D00FE9CE8A&displaylang=en

Ronni Pedersen’s Blog Site: Microsoft Office Visio 2007 Pro SCOM & SCCM Connectors

Regards,
Anthony


How Update Enforcement Works in NAP

Posted on April 24th, 2008 by Anthony Clendenen.
Categories: Article, Blog, ConfigMgr, NAP, SCCM, Server 2008.

There is a great article on the NAP team’s blog on just how update enforcement works in NAP. 

"The easiest way to discuss update enforcement is to step through each part of the “Security Update Protection” section of the WSHV user interface. This is the dialog that appears within the Network Policy Server (NPS) console on Windows Server 2008"

Regards,
Anthony


More MMS Goodness

This is from the 1E site, but down towards the bottom you can see the schedule for demos at the 1E stand.  I will be presenting at least a couple of times.  Brian Tucker and Neil Kimberly will also be presenting at the stand on other topics.  If you think I know SMS/ConfigMgr then you haven’t spent much time talking to Brian and Neil; these guys are AMAZING!

1E MMS Focus

1E will be exhibiting as a Gold Sponsor at the Microsoft Management Summit at the Venetian Hotel, Las Vegas from April 28 to May 2, 2008.

With a focus on System Center Success and ‘green’ IT, we will be highlighting:

  • Expertise in deploying System Center solutions
  • Automation solutions that dramatically reduce cost and complexity
  • PC power management
  • Self-service provisioning with licence control
  • Content distribution and OS migration/deployment for distributed environments
  • Actual customer experiences with proven ROI

SPEAKER SLOT: Real-world System Center success including PC power management: Significantly lower your PC and server management costs

Speaker: Sumir Karayi, CEO 1E
Date/Time: Tuesday 29, 11.45 – 13.00
Location: F-Veronese 2402-2503

Sumir Karayi, CEO 1E, will be speaking following Bill Anderson’s “ConfigMgr - State of the Nation” session. Sumir will talk about System Center and PC power management customer success stories.

1E has been providing robust integrated Windows systems management solutions for over 10 years. Come and listen to Sumir talk about real-world experiences of System Center success and PC power management implementations in large, complex, distributed environments. In this session you will learn how to address universal time and cost-saving initiatives such as:

  • PC power and patch management including client health and energy usage reporting
  • Automated self-service application provisioning with license management and control
  • Optimization of software and OS deployments to bandwidth-constrained complex branch environments

Visit the 1E Stand 311

MMS provides us with a great opportunity to see friends – old and new. Please drop by the 1E stand to say hello, collect ‘green’ giveaways, enter our competition to win a Nintendo Wii, and attend ‘live’ technical demo sessions.

‘Live’ Theatre Demonstrations and Presentations

Tuesday April 29

1:10 - 1:30 PM PC Power Management: Go Green Overview Presentation Simon Francis

2:00 - 2:20 PM Self-Service Provisioning and License Control Anthony Clendenen

3:30 - 3:50 PM Fully Automated OS Deployment/Migrations Neil Kimberley

Wednesday April 30

1:10 - 1:30 PM PC Power Management, WOL and Client Health Brian Tucker

2:00 - 2:20 PM Fully Automated OS Deployment/Migrations Neil Kimberley

3:00 - 3:20 PM Self-Service Provisioning and License Control Anthony Clendenen

3:30 - 3:50 PM Bandwidth Optimization for Complex/Branch Environments Brian Tucker

Thursday May 1

1:10 - 1:30 PM Bandwidth Optimization for Complex/Branch Environments Brian Tucker

2:00 - 2:20 PM PC Power Management & Energy Usage Reporting Brian Tucker


Regards,
Anthony


Auto Site Assignment and Multiple IP’s

Carol posted this over on the TechNet blogs site a couple of hours ago.  I commented that I didn’t think it was a huge SCCM background change because the odds are pretty low that this would really happen today.  Essentially, the rule that an SMS or ConfigMgr client will use the first bound NIC for auto assignment is no longer true.  If you think this is a significant technical change, leave a comment and let her know.

 

Auto-site assignment and multiple IP addresses

It happens to all of us. Just when you think you’ve comfortably nailed a certain aspect of the product – Kapow! – the rug is pulled from under your feet and you realize you’re not on the stable ground you thought you were. It’s all part and parcel of working with a complex product, but still disconcerting when it happens.

Well, I had one of those moments recently when a bug came in about multiple adapters and auto-site assignment. It has long been documented (way before I joined the team) that when a computer has multiple adapters (such as a wired adapter and a wireless adapter or modem), the adapter bound first will be used to determine the client’s boundary location during auto-site assignment.

This isn’t something that I’ve ever had to rely on myself – if a computer had multiple adapters I would always prefer to use a direct site assignment, and the docs say that in this scenario, auto-site assignment probably isn’t for you. But I’ve always trusted the “first bound adapter” information.

Now it turns out that this isn’t true. A customer reported that this didn’t seem to be the case with their SMS 2003 client – an adapter that was not bound first was being used for site assignment. The product team looked into it, and sure enough, this piece of information that I’ve always trusted was actually incorrect. When a computer has multiple adapters or multiple IP addresses, the ordering of the IP addresses was nondeterministic but consistent for a particular computer. The same number of adapters or IP addresses for another computer would usually result in a different but consistent ordering of the addresses.

Although the customer reported this with SMS 2003 and quoted the SMS 2003 Concepts, Planning and Deployment Guide as the source of their (mis)information, there are no plans to republish this documentation. However, I have corrected it for the Configuration Manager 2007 SP1 RC documentation, in the topic About Client Site Assignment in Configuration Manager.

Old text (incorrect)

Note:

If a Configuration Manager 2007 client has multiple network cards (possibly a LAN network card and a dial-up modem), and therefore has multiple IP addresses, the network card that is bound first is used for evaluating client site assignment.

New text (corrected)

Note:

If a Configuration Manager 2007 client has multiple network cards (possibly a LAN network card and a dial-up modem), and therefore has multiple IP addresses, the IP address used to evaluate client site assignment is nondeterministic.

This is undoubtedly a technical change to the topic, but it’s not noted in the What’s New in the Configuration Manager Documentation Library for March 2008 where we list new topics or significant technical changes. I deliberated whether this was a “significant technical change”, and taking into account that this has been incorrect in our documentation for nearly 5 years before anybody commented on it, I decided that it wasn’t. Then I remembered one of our product group’s mottos “Absence of evidence is not evidence of absence” and wondered if I had made the right decision.

Does anybody feel strongly that this constitutes a significant technical change? For example:

  • Would knowing the correct behavior change an administrator’s decision about whether to use auto-site assignment when a computer has multiple addresses?
  • Would this information provide the missing information about why auto-site assignment failed?

I suspect in practice that it’s one of those interesting pieces of information that you like to have clear in your mind, whether or not it’s actually of practical use. But if you think I made the wrong call and it qualifies as a significant technical change that should be called out in the change log topic, e-mail SMSDocs@Microsoft.com and I’ll see what I can do to retroactively list it.

And now, back to terra firma – until the next time!

- Carol Bailey

This posting is provided “AS IS” with no warranties and confers no rights.

Regards,
Anthony


The Deployment Guys : ConfigMgr 2007 and Microsoft Deployment Toolkit - Video Walkthrough

 

ConfigMgr 2007 and Microsoft Deployment Toolkit - Video Walkthrough

Are you struggling with setting up ConfigMgr 2007 Operating System Deployment and integrating MDT? - download and view the video walkthrough that shows you how to:

  • Setup the server environment for ConfigMgr 2007 OS deployment
  • Configure the ConfigMgr 2007 Site Settings
  • Configure the ConfigMgr 2007 Computer Management Settings
  • Configure the ConfigMgr 2007 Operating System Deployment Settings
  • Setup and use MDT integration with ConfigMgr 2007
  • Add a reference machine object to ConfigMgr 2007
  • Create a build and capture reference image for mass deployment using ConfigMgr 2007

Download from here (51.2Mb)

The download pack contains the following high resolution (1024 x 768) narrated video

  • ConfigMgr and Microsoft Deployment Toolkit Setup and Config.wmv

The Deployment Guys : SCCM 2007 and Microsoft Deployment Toolkit - Video Walkthrough

 

Regards,
Anthony


ConfigMgr SDK (final) Released

Microsoft released the ConfigMgr SDK yesterday.  You can get the download here.

It includes the DCM Digest Authoring guide, DCM digest schema, a SUM gadget that gives you current status messages on patches you have deployed, samples on creating admin console extensions, OSD custom task sequences and more.

 

ConfigMgr.com

Regards,
Anthony
