Planning for Software Updates Client Settings
The software updates client settings in Configuration Manager 2007 are site wide and configured with default values. There are software updates client agent settings and general settings that affect when software updates are scanned for compliance, and how and when software updates are installed on client computers. The client settings specific to software updates are configured within the Software Updates Client Agent properties, the site-wide general settings that affect software updates are configured within the Computer Client Agent properties, and the software updates installation schedule can be configured from the Configuration Manager in the Control Panel on the client computer. There are also Group Policy settings on the client computer that might need to be configured depending on your environment.
重要
Before client computers can scan for software update compliance and before deployments can be created that target client computers, the software updates environment must be planned and configured. For more information, see Administrator Checklist: Planning and Preparing Software Updates.
On This Page
Software Updates Client Agent Settings
Computer Client Agent Settings
Configuration Manager Control Panel Settings
Group Policy Settings
Software Updates Client Agent Settings
The Software Updates Client Agent properties contain three tabs that provide configuration settings to enable software updates and configure the software updates settings on client computers. Use the following procedure to open the properties dialog box.
To open the Software Updates Client Agent properties
In the Configuration Manager console of the primary site server, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> - <site name> / Site Settings / Client Agents.
Right-click the Software Updates Client Agent, and then click Properties.
The following client settings are available in the Software Updates Client Agent properties:
General Tab
Enable Software Updates on Clients
This setting specifies whether the Software Updates Client Agent is enabled or disabled for the site. The Software Updates Client Agent is installed on Configuration Manager 2007 clients by default. If the client agent is disabled, the client agent components are put into a dormant state but not removed on clients. Existing deployment policies will be removed from client computers when the client agent is disabled. Re-enabling the Software Updates Client Agent initiates a policy to request that the components on clients be enabled and the deployment metadata be downloaded. The Software Updates Client Agent is configured on a site-by-site basis and affects only clients assigned to that site. Disabling the Software Updates Client Agent at a site prevents software update compliance assessment and software updates from being deployed.
Scan schedule
This setting specifies how often the client computer initiates a scan for software updates compliance. By default, a simple schedule is configured to run the scan for compliance every 7 days and the site database is updated with any changes since the last scan. The minimum value allowed for the scan schedule is 1 day and the maximum is 31 days. This setting is available to configure only after an active software update point site role has been installed on a site system server for the site.
注意
When a custom schedule is selected, the actual start time on client computers is the start time plus a random amount of time up to 2 hours. This prevents client computers from initiating the scan and connecting to Windows Server Update Services (WSUS) on the active software update point server at the same time.
Update Installation Tab
Enforce all mandatory deployments
This setting specifies whether to enforce all mandatory software update deployments that have deadlines within a specified period of time. When a deadline is reached for a mandatory software update deployment, installation is initiated on clients for the updates defined in the deployment. This setting determines whether to also initiate the installation for software updates defined in other mandatory deployments that have a configured deadline within the specified period of time.
The benefit of this setting is that it expedites software update installation for mandatory updates, might increase security, might decrease display notifications, and might decrease system restarts on client computers. By default, this setting is not enabled.
For deployment deadlines within
This setting specifies the timeframe for the Enforce all mandatory deployments setting. The minimum value allowed is 1 to 23 hours and 1 to 365 days. By default, this setting is configured for 7 days.
Hide all deployments from end users
This setting specifies that all deployments are hidden when they are received on client computers. Use this setting to deploy software updates to computers without any display notifications or notification area icons. Also, end users will not be able to open the Available Software Updates dialog box to manually install updates. By default, this setting is not enabled.
重要
When this setting is enabled, only software updates in mandatory deployments will be installed on client computers.
Deployment Re-Evaluation Tab
The setting on this tab configures how often the Software Updates Client Agent reevaluates software updates for installation status. When software updates that have been previously installed are no longer found on client computers and are still required, they are reinstalled. The deployment reevaluation schedule should be adjusted based on company policy for software update compliance, whether users have the ability to uninstall software updates, and so on, and with the consideration that every deployment reevaluation cycle results in some network and client computer CPU activity. The minimum value allowed for the deployment reevaluation schedule is 1 day and the maximum is 31 days. By default, a simple schedule is configured to run deployment reevaluation every 7 days.
注意
When a custom schedule is selected, the actual start time on client computers is the start time plus a random amount of time up to 2 hours. This prevents client computers from initiating the scan and connecting to Windows Server Update Services (WSUS) on the active software update point server at the same time.
Computer Client Agent Settings
The Computer Client Agent properties contain four tabs that provide configuration settings that affect the software updates reminders and the customization for software update deployments on client computers. Use the following procedure to open the properties dialog box.
To open the Computer Client Agent properties
In the Configuration Manager console of the primary site server, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> - <site name> / Site Settings / Client Agents.
Right-click the Computer Client Agent, and then click Properties.
The following settings are applicable to software updates in the Computer Client Agent properties:
General Tab
Interval
The Policy polling interval (minutes) setting specifies how often client computers retrieve machine policy. This setting is relevant to software updates in that when new deployments are created, the machine policy is updated with the deployment information. Clients can take up to the Policy polling interval (minutes) value to receive the deployment policy. The default value for this setting is 60 minutes.
State messages
The State message reporting cycle (minutes) specifies how often client computers sent state messages to the management point. The software updates client creates state messages for scan, software updates compliance, deployment evaluation, and deployment enforcement. The default value for this setting is 5 minutes.
Customization Tab
Organization name
This setting specifies the name of the organization authoring the software update installation. By default, the text box displays "IT Organization." The organization name displays in software updates display notifications, the Available Software Updates dialog box, and the restart countdown dialog box on clients that receive deployed software updates. It is recommended that this setting be customized with something more appropriate for your organization.
Software updates
This setting specifies an optional subheading used by software updates dialog boxes on client computers. By default, the text box displays "Protecting your computer." The software updates setting displays in the Available Software Updates and restart countdown dialog boxes on client computers that receive deployed software updates.
Reminders Tab
The settings on this tab specify how often display notifications are displayed on client computers when a deployment deadline is approaching for software updates. The reminder intervals can be configured for when the deadline is greater than 24 hours, when the deadline is less than 24 hours away, and when the deadline is less than an hour away. For more information about this tab, see Computer Client Agent: Reminders Tab.
BITS Tab
The settings on this tab specify whether bandwidth throttling is configured for the site. These settings apply to Configuration Manager client computers when they use BITS to download software update files from distribution points. For more information about the settings on this tab, see Computer Client Agent: BITS Tab.
Restart Tab
The settings on this tab configure the restart countdown timeframe and restart final notification when a software update is installed on client computers and a restart is required for it to complete. By default, the initial countdown is 5 minutes and a final notification is displayed when there is 1 minute before the restart will be initiated. For more information about this tab, see Computer Client Agent Properties: Restart Tab.
Configuration Manager Property Settings
The Configuration Manager Properties dialog box provides software updates actions and configuration settings. Use the following procedure to open the properties dialog box.
To open the Configuration Manager properties
On a client computer, open the Control Panel.
Double-click the Configuration Management icon.
The following actions and settings are applicable to software updates in the Configuration Manager properties:
Actions
The following actions are applicable to software updates:
Machine Policy Retrieval & Evaluation Cycle: Bypasses the automatic policy polling interval on clients to get the machine policy as soon as possible.
Software Updates Deployment Evaluation Cycle: Evaluates the state of new and existing deployments and their associated software updates. This includes scanning for software updates compliance, but may not always catch scan results for the latest updates. This is a forced online scan and requires that the WSUS server is available for this action to succeed.
Software Updates Scan Cycle: Scans for software updates compliance for updates that are new since the last scan. This action does not evaluate deployment policies as the Software Updates Deployment Evaluation Cycle does. This is a forced online scan and requires that the WSUS server is available for this action to succeed.
Updates Tab
The setting on this tab configures whether there is a schedule for installing mandatory software updates that are required on the client computer. When this setting is not enabled, mandatory software updates will be installed at the deadline date and time scheduled by the Configuration Manager administrator or manually installed prior to the deadline.
When this setting is enabled, it allows you to schedule software update installation at a time that is convenient, for example, every day at 2 AM. When multiple users are using a client computer and this setting is modified, the setting that was configured last is used.
Install required updates on a schedule
This setting specifies whether required software updates that have been deployed to this client computer will install on a specified schedule. When it is enabled, you can specify a recurrence pattern of every day or a specific day of the week, and a specific time. Local users and administrators can modify this setting.
Group Policy Settings
The following Group Policy settings are required for the Windows Update Agent (WUA) on client computers to connect to WSUS on the active software updates point and successfully scan for software update compliance.
注意
If users running the Windows Vista® operating system on Configuration Manager 2007 clients use Windows Update to check for new updates, they will see only updates that have been approved in WSUS instead of all applicable updates. To prevent confusion, you should consider preventing users from checking for updates using Group Policy. For more information about using Group Policy to control the Windows Update experience, see https://go.microsoft.com/fwlink/?LinkId=94680.
Specify intranet Microsoft update service location
When the active software update point is created for a site, client computers receive a machine policy that provides the active software update point server name and configures the Specify intranet Microsoft update service location local policy on the computer. The WUA retrieves the server name specified in the Set the intranet update service for detecting updates setting, and then connects to this server when it scans for software updates compliance. When a domain policy has been created for the Specify intranet Microsoft update service location setting, it overrides the local policy, and the WUA might connect to a server other than the active software update point. If this happens, the client computer might scan for software update compliance based on different products, classifications, and languages. It is recommended that this domain policy not be configured for Configuration Manager 2007 client computers.
Allow signed content from intranet Microsoft update service location
Before the WUA 3.0 on computers will scan for updates that were created and published with the System Center Updates Publisher, the Allow signed content from intranet Microsoft update service location Group Policy setting must be enabled. When the policy setting is enabled, WUA 3.0 will accept updates received through an intranet location if the updates are signed in the Trusted Publishers certificate store on the local computer. For more information about the Group Policy settings required for Updates Publisher, see the Updates Publisher help file. For more information about Updates Publisher, see About System Center Updates Publisher.
Automatic Updates Configuration
Automatic Updates allows security updates and other important downloads to be received on client computers. Automatic Updates is configured through the Configure Automatic Updates Group Policy setting or the Control Panel on the local computer. When Automatic Updates is enabled, client computers will receive update notifications and, depending on the configured settings, download and install required updates. When Automatic Updates coexists with software updates, each might display notification icons and popup display notifications for the same update. Also, when a restart is required, each might display a restart dialog box for the same update.
Self Update
When Automatic Updates is enabled on client computers, the WUA automatically does a self update when a newer version becomes available or when there are problems with a WUA component. When Automatic Updates is not configured or disabled and client computers have an earlier version of the WUA, the client computers must run the WUA installation file. For more information about installing the WUA on client computers, see How to Install the Windows Update Agent on Client Computers.
See Also
Tasks
How to Install the Windows Update Agent on Client Computers
Troubleshooting Software Updates Client Issues
Concepts
About the Software Updates Client Agent
About the Software Updates Process
Administrator Checklist: Planning and Preparing Software Updates
Planning for Software Updates Server Settings
Other Resources
Computer Client Agent Properties
Software Updates Client Agent Properties