Microsoft software upgrade rules

These features include the centralized, single-instance store content library, and the distributed design of the distribution point site system role.

You use these features when you download and distribute software update deployment packages. For more information, see Download software updates.

Configuration Manager supports the use of express installation files for Windows updates. Express update files and supporting technologies such as Delivery Optimization can help reduce the network impact of large content files downloading to clients. For more information, see Optimize Windows update delivery. When you deploy software updates to clients, configure the deployment for clients to download content from the Microsoft Update cloud service.

When clients aren't able to download content from another content source, they can still download the content from the internet. You don't have to create a deployment package when deploying software updates.

When you select the No deployment package option, clients can still download content from local sources if available, but typically download from the Microsoft Update service. Internet-based clients always download content from the Microsoft Update cloud service.

Don't distribute software update deployment packages to a content-enabled cloud management gateway (CMG).

Most customers use other third-party applications that also need updates. There are several options to consider for keeping third-party applications up to date. Use a supersedence relationship with the application management feature in Configuration Manager to upgrade or replace existing applications. When you supersede an application, specify a new deployment type to replace the deployment type of the superseded application.

Also decide whether to upgrade or uninstall the superseded application before the superseding application is installed. For more information, see Revise and supersede applications. You can use the Third-Party Software Update Catalogs node in the Configuration Manager console to subscribe to third-party catalogs, publish their updates to your software update point, and then deploy them to clients.

For more information, see Third-party software updates. System Center Updates Publisher (SCUP) is a stand-alone tool that enables independent software vendors or line-of-business application developers to manage custom updates.

These updates include those with dependencies, like drivers and update bundles. SCUP can also be used for third-party update catalogs that aren't available directly in the console. For more information, see System Center Updates Publisher. This section provides information about the steps to take to successfully plan and prepare for the software update point installation. Before you create a site system role for the software update point in Configuration Manager, there are several requirements to consider.

The specific requirements depend on your Configuration Manager infrastructure. When you configure the software update point to communicate by using HTTPS, this section is especially important to review. HTTPS-enabled servers require additional steps to work properly. Install the software update point role on a site system that meets the minimum requirements for WSUS and the supported configurations for Configuration Manager site systems.

For more information about the minimum requirements for the WSUS server role in Windows Server, see Review considerations and system requirements. For more information about the supported configurations for Configuration Manager site systems, see Site and site system prerequisites. Install a supported version of WSUS on all site system servers that you configure for the software update point role. When you don't install the software update point on the site server, install the WSUS Administration Console on the site server.

This component allows the site server to communicate with WSUS that runs on the software update point. This component performs periodic health checks. Choose one of the following options to configure the required permission; at a minimum, configure the webService database role membership. When you install more than one software update point at a primary site, use the same WSUS database for each software update point in the same Active Directory forest. Sharing the same database improves performance when clients switch to a new software update point.

When you install WSUS, you'll need to provide a content directory path. Otherwise it shares the same website that's used by the other Configuration Manager site systems or applications. This configuration is especially necessary when you install the software update point role on the site server.

Specify these ports when you create the software update point at a site. When you add the software update point role on a primary site server, you can't use a WSUS server that's configured as a replica. The first software update point that you install at a primary site is the default software update point. Additional software update points at the site are configured as replicas of the default software update point. Using the SSL protocol to help secure the software update point is highly recommended.

If you still require a user proxy despite the security trade-offs, a new software updates client setting is available to allow these connections.

The software update point at a Configuration Manager central administration site communicates with WSUS on the software update point. WSUS communicates with the synchronization source to synchronize software updates metadata. Software update points at a child site communicate with the software update point at the parent site. When there's more than one software update point at a primary site, the additional software update points communicate with the default software update point.

The default role is the first software update point that's installed at the site. When your security policy doesn't allow the connection, use the export and import synchronization method. For more information, see the Synchronization source section in this article. If your organization restricts network communication with the internet using a firewall or proxy device, you need to allow the active software update point to access internet endpoints.

For more information, see Internet access requirements. Software updates synchronization in Configuration Manager downloads the software updates metadata based on criteria that you configure. The top-level site in your hierarchy synchronizes software updates from Microsoft Update.

You have the option to configure the software update point on the top-level site to synchronize with an existing WSUS server, not in the Configuration Manager hierarchy.

The child primary sites synchronize software updates metadata from the software update point on the central administration site. Before you install and configure a software update point, use this section to plan for the synchronization settings. The synchronization source settings for the software update point specify the location for where the software update point retrieves software updates metadata.

It also specifies whether the synchronization process creates WSUS reporting events. Synchronization source: By default, the software update point at the top-level site configures the synchronization source for Microsoft Update. You have the option to synchronize the top-level site with an existing WSUS server. The software update point on a child primary site configures the synchronization source as the software update point at the central administration site.

The first software update point that you install at a primary site, which is the default software update point, synchronizes with the central administration site. Additional software update points at the primary site synchronize with the default software update point at the primary site.

When a software update point is disconnected from Microsoft Update or from the upstream update server, configure the software update point not to synchronize with a configured synchronization source. Instead, configure it to use the export and import function of the WSUSUtil tool to synchronize software updates. For more information, see Synchronize software updates from a disconnected software update point. WSUS reporting events aren't used by Configuration Manager. When these events aren't created, the only time that the client should connect to the WSUS server is during software update evaluation and compliance scans.

If these events are needed for reporting outside of Configuration Manager, modify this setting to create WSUS reporting events. Configure the synchronization schedule only at the software update point on the top-level site in the Configuration Manager hierarchy. When you configure the synchronization schedule, the software update point synchronizes with the synchronization source at the date and time that you specified.

The custom schedule allows you to synchronize software updates to optimize for your environment. Choose to automatically deploy all software updates regardless of an associated license term, or only deploy updates that don't have associated license terms. To review the license terms for a software update, select the software update in the All Software Updates node of the Software Library workspace. In the ribbon, click Review License.

To find software updates with associated license terms, add the License Terms column to the results pane in the All Software Updates node.

Click the heading for the column to sort by the software updates with license terms. On the Software Updates page, configure the criteria for the software updates that the ADR retrieves and adds to the software update group. If needed, filter on the content size for software updates in automatic deployment rules.

For more information, see Configuration Manager and simplified Windows servicing on down level operating systems. Starting in version , the following options were added in the Date Released or Revised search criteria: You can use Deployed as an update filter for your automatic deployment rules. This filter helps identify new updates that may need to be deployed to your pilot or test collections. The software update filter can also help avoid redeploying older updates. A property filter for Architecture is now available.

Use this filter to exclude architectures like Itanium and ARM64 that are less common. Remember that there are 32-bit x86 applications and components running on 64-bit x64 systems. Unless you're certain that you don't need x86, enable it as well when you choose x64.

When enabled, click Customize to set the recurring schedule.

The start time configuration for the schedule is based on the local time of the computer that runs the Configuration Manager console. Never set the evaluation schedule with a frequency that exceeds the software updates synchronization schedule. This page displays the software update point sync schedule to help you determine evaluation schedule frequency.

ADRs can be scheduled to evaluate offset from a base day. For example, if Patch Tuesday actually falls on Wednesday for you, set the evaluation schedule for the second Tuesday of the month offset by one day. Schedule evaluation: Specify the time that Configuration Manager evaluates the available time and installation deadline times.

Software available time: Select one of the following settings to specify when the software updates are available to clients. As soon as possible: Makes the software updates in the deployment available to clients as soon as possible. When you create the deployment with this setting selected, Configuration Manager updates the client policy.

At the next client policy polling cycle, clients become aware of the deployment and the software updates are available for installation. Specific time: Makes software updates included in the deployment available to clients at a specific date and time.

When you create the deployment with this setting enabled, Configuration Manager updates the client policy. At the next client policy polling cycle, clients become aware of the deployment. However, the software updates in the deployment aren't available for installation until after the configured date and time. Installation deadline: These options are only available for Required deployments. Select one of the following settings to specify the installation deadline for the software updates in the deployment.

As soon as possible: Select this setting to automatically install the software updates in the deployment as soon as possible. Specific time: Select this setting to automatically install the software updates in the deployment at a specific date and time.

Configuration Manager determines the deadline to install software updates by adding the configured Specific time interval to the Software available time. The actual installation deadline time is the displayed deadline time plus a random amount of time up to two hours. The randomization reduces the potential impact of clients in the collection installing updates in the deployment at the same time.

The Disable deadline randomization setting in the Computer Agent group doesn't override the randomization behavior. For more information, see Computer Agent client settings. Delay enforcement of this deployment according to user preferences, up to the grace period defined in client settings: Enable this setting to give users more time to install required software updates beyond the deadline.

This behavior is typically required when a computer is turned off for a long time and then needs to install many software updates or applications. For example, when a user returns from vacation, they have to wait for a long time as the client installs overdue deployments. Configure this grace period with the property Grace period for enforcement after deployment deadline (hours) in client settings.

For more information, see the Computer agent section. The enforcement grace period applies to all deployments with this option enabled and targeted to devices to which you also deployed the client setting. After the deadline, the client installs the software updates in the first non-business window, which the user configured, up to this grace period. However, the user can still open Software Center and install the software updates at any time.

Once the grace period expires, enforcement reverts to normal behavior for overdue deployments. User notifications: Specify whether to display a notification in Software Center at the configured Software available time. This setting also controls whether to notify users on the clients.

Deadline behavior: This setting is only configurable for Required deployments. Specify the behaviors when the software update deployment reaches the deadline outside of any defined maintenance windows. The options include whether to install the software updates, and whether to perform a system restart after installation. For more information about maintenance windows, see How to use maintenance windows.

This applies only when a maintenance window is configured for the client device. If no maintenance window is defined on the device, the update installation and restart always happen after the deadline.
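The following PowerShell function is an added example, not part of the Microsoft documentation, that models the enforcement window the deadline settings above describe: the displayed deadline is the Software available time plus the configured Specific time interval, actual enforcement on a client lands up to two hours later because of randomization, and the enforcement grace period extends how long a user can defer. The function and parameter names are assumptions made for illustration, and the sample times are constructed.

```powershell
# Added example (not from the Microsoft documentation). Function and parameter
# names are assumptions made for illustration.
function Get-UpdateEnforcementWindow {
    [CmdletBinding()]
    param(
        # "Software available time" of the deployment
        [Parameter(Mandatory)][datetime]$AvailableTime,
        # "Specific time" interval that Configuration Manager adds to the available time
        [Parameter(Mandatory)][timespan]$DeadlineInterval,
        # Client setting "Grace period for enforcement after deployment deadline (hours)";
        # 0 models a deployment without "Delay enforcement ..." enabled
        [int]$GracePeriodHours = 0,
        # Randomization added to the displayed deadline (up to two hours per the documentation)
        [timespan]$MaxRandomization = (New-TimeSpan -Hours 2)
    )

    $displayedDeadline = $AvailableTime + $DeadlineInterval

    [pscustomobject]@{
        AvailableTime       = $AvailableTime
        DisplayedDeadline   = $displayedDeadline
        # Enforcement on any given client begins somewhere in this range
        EarliestEnforcement = $displayedDeadline
        LatestEnforcement   = $displayedDeadline + $MaxRandomization
        # Assumption: the grace period is counted from the displayed deadline; after
        # this point normal overdue enforcement resumes
        GraceExpires        = $displayedDeadline.AddHours($GracePeriodHours)
    }
}

# Constructed sample: available on a Tuesday at 18:00, required seven days later,
# with a 24-hour enforcement grace period set in client settings.
$window = Get-UpdateEnforcementWindow -AvailableTime (Get-Date '2024-01-09 18:00') `
                                      -DeadlineInterval (New-TimeSpan -Days 7) `
                                      -GracePeriodHours 24
$window | Format-List
```

Use the EarliestEnforcement and LatestEnforcement values when you check a planned deadline against change freezes or business hours; because Disable deadline randomization in the Computer Agent group doesn't change this behavior, the two-hour spread has to be part of the plan rather than configured away. If maintenance windows are in use, the installation and restart occur in the next window after the deadline instead of at the deadline itself.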

Definition update publishers typically set definition updates to expire when they're superseded by four newer updates. Therefore, the software update group that's created by the ADR never contains more than four definition updates for the publisher: one active, and three superseded.

If you want other people to use a hash rule so that a virus cannot run, calculate the hash of the virus by using software restriction policies, and then e-mail the hash value to the other people.

Never e-mail the virus itself. If a virus has been sent through e-mail, you can also create a path rule to prevent execution of e-mail attachments. A file that is renamed or moved to another folder results in the same hash. Any change to the file itself results in a different hash. The only file types that are affected by hash rules are those that are listed in Designated File Types in the details pane for Software Restriction Policies.

Internet zone rules apply only to Windows Installer packages. A zone rule can identify software from a zone that is specified through Internet Explorer. An Internet Zone rule is designed to prevent users from downloading and installing software. Zone rules only apply to files with an. A path rule identifies software by its file path. For example, if you have a computer that has a default security level of Disallowed, you can still grant unrestricted access to a specific folder for each user.

You can create a path rule by using the file path and setting the security level of the path rule to Unrestricted. You can also create registry path rules that use the registry key of the software as its path.

Because these rules are specified by the path, if a software program is moved, the path rule no longer applies. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule. In Path, type a path, or click Browse to find a file or folder. On certain folders, such as the Windows folder, setting the security level to Disallowed can adversely affect the operation of your operating system.

Make sure that you do not disallow a crucial component of the operating system or one of its dependent programs. It may be necessary to create new software restriction policies for the Group Policy Object (GPO) if you have not already done so.
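The following PowerShell script is an added example, not part of the Microsoft documentation, that shows the difference the text above describes between a hash rule and a path rule: a renamed or moved file keeps its hash (so a hash rule still matches) but leaves the folder a path rule covers, while any change to the file's content changes the hash. The helper functions, the SHA256 algorithm chosen for Get-FileHash, and the sample file are assumptions made for illustration; software restriction policies compute their own hash when you create a rule in the console, and real path rules also accept environment variables and wildcards that this simplified check doesn't model.

```powershell
# Added example (not from the Microsoft documentation). Helper names, the hash
# algorithm and the sample file are assumptions made for illustration only.

function Test-HashRule {
    # Models a hash rule: the rule matches when the file's current hash equals the stored one
    param([string]$RuleHash, [string]$Path)
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash -eq $RuleHash
}

function Test-PathRule {
    # Models a folder path rule: the rule matches files inside the rule's folder
    param([string]$RulePath, [string]$Path)
    $full = [IO.Path]::GetFullPath($Path)
    $root = [IO.Path]::GetFullPath($RulePath).TrimEnd('\') + '\'
    $full.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
}

# Constructed working area with one folder the path rule covers and one it doesn't
$work = Join-Path $env:TEMP 'srp-rule-demo'
Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path (Join-Path $work 'allowed')   -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $work 'elsewhere') -Force | Out-Null

# Constructed placeholder file, not a real program
$file = Join-Path $work 'allowed\sample.txt'
Set-Content -Path $file -Value 'constructed sample content'

# The hash value is what you would share with others instead of the file itself
$ruleHash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
$rulePath = Join-Path $work 'allowed'

$results = @()
$results += [pscustomobject]@{
    Step = 'original'
    HashRuleMatches = Test-HashRule -RuleHash $ruleHash -Path $file
    PathRuleMatches = Test-PathRule -RulePath $rulePath -Path $file
}

# Rename and move: the hash is unchanged, but the file left the path rule's folder
$moved = Join-Path $work 'elsewhere\renamed.txt'
Move-Item -Path $file -Destination $moved
$results += [pscustomobject]@{
    Step = 'moved and renamed'
    HashRuleMatches = Test-HashRule -RuleHash $ruleHash -Path $moved
    PathRuleMatches = Test-PathRule -RulePath $rulePath -Path $moved
}

# Modify the content: the hash changes, so the hash rule no longer matches
Add-Content -Path $moved -Value 'one more line'
$results += [pscustomobject]@{
    Step = 'modified'
    HashRuleMatches = Test-HashRule -RuleHash $ruleHash -Path $moved
    PathRuleMatches = Test-PathRule -RulePath $rulePath -Path $moved
}

$results | Format-Table -AutoSize
```

The first row shows both rules matching, the second shows only the hash rule matching after the move, and the third shows neither matching after the edit. This is why a hash rule is the right choice for blocking one specific known file, and why a path rule set to Disallowed on a broad folder such as the Windows folder needs care: it applies to everything that lives there regardless of content.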