

System Center Configuration Manager tool regulates server updates to stop attacks

Early security updates diminish online threats. See how IT admins use System Center Configuration Manager to roll out patches promptly while minimizing downtime for users.

Business workers face a persistent wave of online threats -- from malicious hacking techniques to ransomware -- and it's up to the administrator to lock down Microsoft systems and protect the company.

Administrators who apply Microsoft's security updates in a timely fashion thwart many attacks. IT departments use both System Center Configuration Manager and Windows Server Update Services to roll out patches, but the Configuration Manager tool's scheduling and deployment options make it the preferred utility for this task. With the Configuration Manager tool, admins gain control over and automation of software updates to all managed systems, along with compliance monitoring and reporting.

Why we wait to update

An organization bases its security update deployment timeline on several factors, including internal policies, strategies, staff and skill sets. Some businesses roll patches out to production servers as soon as Microsoft makes them available on Patch Tuesday, the second Tuesday of each month. Other companies wait a week or even a couple of months to do the same, due to stringent testing procedures.

Patch deployment timeline
This example of a five-week patch deployment schedule leaves many systems in danger for a significant length of time.

The five-week deployment scenario depicted in the graphic leaves many endpoints unpatched and vulnerable to security risks for several weeks. Microsoft has a cumulative update model for all supported Windows OSes; the company packages each month's patches and supersedes the previous month's release. In some cases, systems won't be fully patched -- or will remain unpatched -- if a business fails to deploy the previous month's security fixes before Microsoft releases the new updates. To avoid this situation, IT organizations should roll out the current month's updates before the next Patch Tuesday arrives just a few weeks later.

Automatic deployment rule organizes the patch process

An automatic deployment rule (ADR) in the System Center Configuration Manager tool coordinates the patch rollout process. An ADR provides settings to download updates, package them into software update groups, create deployments of the updates for a collection of devices and roll out the updates when it's most appropriate.

Find the ADR feature in the Configuration Manager tool under the Software Updates menu within the Software Library module. Figure 1 shows its options.

Create a software update group
Figure 1. The automatic deployment rule feature in the System Center Configuration Manager tool builds a deployment package to automate the update procedure.

Settings to configure specific update criteria

The admin sets the ADR options to download and package software updates with the following criteria, which is also shown in Figure 2:

  • released or revised within the last month;
  • only updates that are required by systems evaluated at the last scan;
  • updates that are not superseded; and
  • updates classified as Critical Updates, Security Updates, Feature Packs, Service Packs, Update Rollups or Updates.

Build an automatic deployment rule
Figure 2. The administrator builds the criteria for a software update group in the ADR component.

The property filter -- also seen in Figure 2 -- packages software updates on a granular scale to best suit the organization's needs. In the example shown, the admin uses the property filter to only deploy updates released in the last month.

In the evaluation schedule shown in Figure 3, the admin configures an ADR to assess and package software updates at 11 p.m. on the second Tuesday of each month.

ADR custom schedule
Figure 3. The admin builds a schedule to evaluate and package software updates every month at a certain time in the ADR feature of the System Center Configuration Manager tool.
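The following PowerShell is an added example, not code from the article or from Microsoft. It ties together three points above: the Patch Tuesday arithmetic behind the warning that a slow rollout collides with the next cumulative update, the ADR criteria from Figure 2 and the second-Tuesday, 11 p.m. evaluation schedule from Figure 3. The cmdlets come from the ConfigurationManager module that ships with the console; the exact parameter names and values (in particular `-Required`, `-DateReleasedOrRevised` and the classification names), the site code `PS1`, and the collection and package names are assumptions to verify with `Get-Help` on your own site.

```powershell
# Added example (not from the article). Part 1 is plain PowerShell date arithmetic;
# part 2 calls ConfigurationManager module cmdlets with assumed parameter names.

function Get-PatchTuesday {
    param(
        [int]$Year  = (Get-Date).Year,
        [int]$Month = (Get-Date).Month
    )
    # Walk forward from the 1st of the month until the second Tuesday is found.
    $day = Get-Date -Year $Year -Month $Month -Day 1 -Hour 0 -Minute 0 -Second 0
    $tuesdaysSeen = 0
    while ($true) {
        if ($day.DayOfWeek -eq [DayOfWeek]::Tuesday) {
            $tuesdaysSeen++
            if ($tuesdaysSeen -eq 2) { return $day }
        }
        $day = $day.AddDays(1)
    }
}

function Test-DeploymentLag {
    param([int]$DeploymentWeeks)
    # The article's point: if this month's cumulative update is still rolling out when the
    # next Patch Tuesday arrives, the new release supersedes it and endpoints stay exposed.
    $thisPT = Get-PatchTuesday
    $next   = $thisPT.AddMonths(1)
    $nextPT = Get-PatchTuesday -Year $next.Year -Month $next.Month
    $finish = $thisPT.AddDays(7 * $DeploymentWeeks)
    [pscustomobject]@{
        PatchTuesday     = $thisPT.ToString('yyyy-MM-dd')
        NextPatchTuesday = $nextPT.ToString('yyyy-MM-dd')
        RolloutFinishes  = $finish.ToString('yyyy-MM-dd')
        # Consecutive Patch Tuesdays are 28 or 35 days apart, so 5 weeks always collides.
        MissesCycle      = ($finish -ge $nextPT)
    }
}

Test-DeploymentLag -DeploymentWeeks 5
Test-DeploymentLag -DeploymentWeeks 3

# --- Part 2: build the ADR from Figures 2 and 3 ---------------------------------
# Assumed: console installed, site code PS1. The module path below is the standard one.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# Figure 3: evaluate and package updates at 11 p.m. on the second Tuesday of each month.
$adrSchedule = New-CMSchedule -Start (Get-Date -Hour 23 -Minute 0 -Second 0) `
                              -DayOfWeek Tuesday -WeekOrder Second

# Figure 2 criteria, expressed as a splatted parameter set (names assumed from the module docs).
$adrParams = @{
    Name                             = 'ADR-Monthly-Security'        # assumed name
    CollectionName                   = 'Servers-Updates-GroupA'     # assumed target collection
    DeploymentPackageName            = 'Monthly-Updates'            # assumed existing package
    RunType                          = 'RunTheRuleOnSchedule'
    Schedule                         = $adrSchedule
    DateReleasedOrRevised            = 'Last1Month'                 # released or revised in the last month
    Superseded                       = $false                       # exclude superseded updates
    Required                         = '>=1'                        # required by at least one client at last scan (assumed syntax)
    UpdateClassification             = @('Critical', 'Security', 'FeaturePack', 'ServicePack', 'UpdateRollup', 'Updates')
    AddToExistingSoftwareUpdateGroup = $false                       # new software update group each month
}
New-CMSoftwareUpdateAutoDeploymentRule @adrParams
```

Part 1 runs anywhere PowerShell runs; part 2 needs a Configuration Manager console and a user with rights to create ADRs. Splatting is used deliberately so each criterion can carry its own comment, which is not possible with backtick continuations.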

Set a maintenance window to assist users

To patch servers, use maintenance windows, which control the deployment of software updates to clients in a collection at a specific time. This meets the preferences of server owners, who cannot take certain machines down at particular times for a software update and the consequent reboot. In most cases, admins set maintenance windows to run updates overnight to minimize disruption and effects on end users.


When a collection has a maintenance window, admins can set the deployment schedule to As soon as possible, because the maintenance window controls the actual rollout time. For example, assume the IT staff configured the following maintenance windows for a collection of servers:

  1. Servers-Updates-GroupA: maintenance window from 12 a.m. to 2 a.m.
  2. Servers-Updates-GroupB: maintenance window from 2 a.m. to 4 a.m.
  3. Servers-Updates-GroupC: maintenance window from 4 a.m. to 6 a.m.

Without maintenance windows, deploying with the As soon as possible flag would have the servers download and apply the Microsoft updates the moment they become available, which could be right in the middle of a busy workday. With the windows above in place, the update process instead waits until 12 a.m. for Servers-Updates-GroupA, 2 a.m. for the next group and so on. Without any deployment schedule or maintenance window, collections install the software updates as soon as possible and reboot if necessary, based on the client settings in the Configuration Manager tool.

To create a maintenance window for a collection, click on the starburst icon under the Maintenance Windows tab in the collection properties. Figure 4 shows a maintenance window that runs daily from 2 a.m. to 4 a.m.
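The following is an added example, not the article's or Microsoft's code. It creates the three staggered two-hour windows listed above for the GroupA/B/C collections (the same daily recurring pattern Figure 4 shows for 2 a.m. to 4 a.m.), deploys an update group to them with an As soon as possible deadline, and includes a small helper that shows when each group would actually install if the deployment lands at 2 p.m. on a workday. It assumes the ConfigurationManager module is already loaded with the site drive selected, and that the collections and a software update group named `Monthly-Updates` already exist; the cmdlet parameter names are taken from the module as I understand it and should be checked with `Get-Help`.

```powershell
# Added example (not from the article). Assumes Import-Module ConfigurationManager and
# Set-Location '<SiteCode>:' have already run, and that the collections exist.

$windows = @(
    @{ Collection = 'Servers-Updates-GroupA'; StartHour = 0 }   # 12 a.m. to 2 a.m.
    @{ Collection = 'Servers-Updates-GroupB'; StartHour = 2 }   # 2 a.m. to 4 a.m.
    @{ Collection = 'Servers-Updates-GroupC'; StartHour = 4 }   # 4 a.m. to 6 a.m.
)
$windowHours = 2

foreach ($w in $windows) {
    # Daily recurring schedule with a fixed two-hour duration.
    $start    = Get-Date -Hour $w.StartHour -Minute 0 -Second 0
    $schedule = New-CMSchedule -Start $start -RecurInterval Days -RecurCount 1 `
                               -DurationInterval Hours -DurationCount $windowHours

    # Restrict the window to software updates so task sequences do not borrow it.
    New-CMMaintenanceWindow -CollectionName $w.Collection `
                            -Name ("Nightly updates {0:00}:00" -f $w.StartHour) `
                            -Schedule $schedule `
                            -ApplyTo SoftwareUpdatesOnly

    # Required deployment, deadline "as soon as possible": the window, not the deadline,
    # decides when the install runs. (Cmdlet and parameter names assumed; verify locally.)
    New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName 'Monthly-Updates' `
                                   -CollectionName $w.Collection `
                                   -DeploymentName "Monthly-Updates to $($w.Collection)" `
                                   -DeploymentType Required `
                                   -AvailableDateTime (Get-Date) `
                                   -DeadlineDateTime (Get-Date)
}

function Get-NextInstallTime {
    # Pure PowerShell helper: given the current time and a window start hour, return the
    # moment the client may install. Mirrors the article's "waits until 12 a.m." description.
    param([datetime]$Now, [int]$StartHour, [int]$DurationHours = 2)
    $todayStart = $Now.Date.AddHours($StartHour)
    $todayEnd   = $todayStart.AddHours($DurationHours)
    if ($Now -ge $todayStart -and $Now -lt $todayEnd) { return $Now }      # window open now
    if ($Now -lt $todayStart)                         { return $todayStart } # later today
    return $todayStart.AddDays(1)                                           # tomorrow's window
}

# What happens if the deployment is created at 2 p.m. on a Tuesday: nothing until the windows open.
$deployedAt = Get-Date -Hour 14 -Minute 0 -Second 0
foreach ($w in $windows) {
    $next = Get-NextInstallTime -Now $deployedAt -StartHour $w.StartHour -DurationHours $windowHours
    '{0,-24} installs no earlier than {1:yyyy-MM-dd HH:mm}' -f $w.Collection, $next
}
```

The `-ApplyTo SoftwareUpdatesOnly` choice keeps the window from also gating operating system task sequences, which usually need their own, longer window.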

Maintenance window schedule
Figure 4. Configure a maintenance window for a collection with a recurring schedule.

For devices that users control, admins should instead configure an ADR to deploy updates with the Available flag at a specific date and time, but not make the installation mandatory until later. Users then apply the patches and reboot the system at their convenience. Always impress upon users why they should implement the updates quickly.

Microsoft refines features to maximize uptime

Microsoft added more flexibility to coordinate maintenance and control server uptime in version 1606 of the System Center Configuration Manager tool. The server group settings feature the following controls:

  • the percentage of machines that update at the same time;
  • the number of the machines that update at the same time;
  • the maintenance sequence; and
  • PowerShell scripts that run before and after deployments.


A server group uses a lock mechanism to ensure that only the current set of machines in the collection installs and completes the update before the process moves on to the next set of servers. An admin can release the deployment lock manually if a patch gets stuck before it completes. Microsoft provides more information on updates to server groups.

To develop server group settings, select the All devices are part of the same server group option in the collection properties, and then click on Settings, as seen in Figure 5.

Set server group configuration
Figure 5. Select the All devices are part of the same server group option to configure a collection's server group settings.

Select the preferred option for the group. In Figure 6, the admin sets the maintenance sequence. Finally, click OK, and the server group is ready.

Maintenance sequence
Figure 6. The administrator uses the server group settings to maintain control over uptime and coordinate the maintenance schedule.
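As an added example (not from the article or from Microsoft), the server group settings shown in Figures 5 and 6 can also be applied to a collection from PowerShell. The parameter names on `Set-CMCollection` below (`-UseCluster`, `-ClusterPercentage`, `-ClusterCount`, `-ClusterTimeout`, `-PreAction`, `-PostAction`) are my understanding of the module and must be verified with `Get-Help Set-CMCollection` on your site version; the collection name and the pre/post script bodies are assumed placeholders.

```powershell
# Added example (not from the article). Assumes the ConfigurationManager module is loaded
# and the site drive is selected. Parameter names are assumed; check Get-Help locally.

$collectionName = 'Servers-Updates-GroupA'   # assumed collection

# Option 1 from the article's list: only a percentage of the group updates at the same time.
Set-CMCollection -Name $collectionName `
                 -UseCluster $true `
                 -ClusterPercentage 25 `
                 -ClusterTimeout 120        # minutes a node may hold the deployment lock (assumed unit)

# Option 2 (alternative, not combined with the above): a fixed number of machines at a time.
# Set-CMCollection -Name $collectionName -UseCluster $true -ClusterCount 2

# Option 4: PowerShell scripts that run before and after the deployment on each node.
# These are placeholder bodies; replace them with your own drain/verify logic.
$preAction  = 'Write-EventLog -LogName Application -Source "Application" -EventId 1000 -Message "Patch window start"'
$postAction = 'Get-Service -Name W3SVC | Where-Object Status -ne Running | Start-Service'
Set-CMCollection -Name $collectionName -PreAction $preAction -PostAction $postAction
```

Keep the pre and post scripts short and idempotent: the post-action is where a node is checked back into service, so a failure there should be visible in the deployment status rather than silently release the lock.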

For additional guidance on software update best practices, Microsoft offers pointers for the deployment process.
