Automatically Publishing Recommended Updates

Overview

This automated task will detect products that are contained on your client machines, and it will then publish updates that apply to those products. It does this using a Recommended Updates filter that is automatically generated for you each time the task is run. The task uses the filter to identify which updates to publish for the detected products. You can choose to apply an additional filter to narrow the list of updates that get published, and you can configure a number of options that allow you to perform additional tasks. This process is repeated on a recurring basis according to the schedule that you configure.

There are three important differences between this automated task and the manual process used to create a list of recommended updates:

The list of products that are detected on your endpoints is updated each time this task is run, so you are continually working with the most current information.

The Recommended updates filter is automatically created for you in the background.

The Recommended updates filter created here does not live beyond this process; the filter cannot be viewed or edited.

How to Use This Feature

1.Within the Configuration Manager Software Library workspace, expand the Software Updates > Ivanti Patch folder and then click on Automation Scheduler.

A calendar is displayed that contains the scheduled tasks for all consoles. You can:

Edit a scheduled task by double-clicking it, using the right-click menu, or by selecting it and then clicking Edit

View the history of a task by using the right-click menu or by selecting it and then clicking History

Delete a task by using the right-click menu or by selecting it and then clicking Delete

Tip: You can also manage the scheduled tasks using the Microsoft Task Scheduler.

2.On the Home tab, click Publish Recommendations.

The Publish Recommendations dialog is displayed.

Specify when the task should run and what action(s) should occur.

Task name: Specify a name that uniquely identifies the purpose of this task. This name will also be displayed in the Automation Scheduler calendar.

Schedule: Specify the day and time when the task should run. One option is to schedule a task in conjunction with a regular monthly event, such as Microsoft's Patch Tuesday. For example, you might schedule a publication to occur the day after Patch Tuesday by specifying The Second Tuesday and then using the Add delay (days) option to delay the task by one day.

A task that is scheduled using the Add delay (days) option will run for 12 months before it must be rescheduled. When the task is down to its final three months, an alert will be generated and you will be prompted to enter your credentials to reschedule the task. If you enter your credentials, all tasks using the Add delay (days) option will be rescheduled for another 12 months.

Logged on user: If enabled, specifies that you will use the credentials of the currently logged on user to add the publishing task to Microsoft Scheduler. The User box is automatically populated so you only need to type the account password.

Different user: If enabled, specifies that you want to use a different user account when adding the publishing task to Microsoft Scheduler. For example, you might specify a service account whose password does not expire.

The account must:

Have Log on as a batch job rights

Be a member of the WSUS Administrators group on the WSUS server

Be a member of the local administrators group on the WSUS Server if the WSUS Server is remote

When specifying a different user, you must indicate if credentials are required to authenticate to a proxy server.

Proxy authentication is required – use these credentials: If enabled, indicates that proxy server credentials are required when using the user account. If you then choose Same as above, the user account credentials will be used as the proxy credentials. If you choose Credentials below, you can provide a separate set of proxy credentials.

User name: Type the user name for an account on the proxy server. It may be necessary to specify a domain as part of your user name (for example: mydomain\my.name).

Password: Type the password for the proxy server account.

Run the scheduled task offline: If enabled, the task will be run in offline mode. This means the console will not attempt to download the selected update files. In order for the publication to be successful, the update(s) must already reside in the Local Source folder.

This check box is automatically enabled if Run disconnected is enabled on the Offline Options tab.

Accept all metadata updates in the catalog: If you want to automatically update WSUS with any metadata revisions that are available for updates that have been previously published, enable this check box.

Synchronize updates: If you want Configuration Manager to automatically synchronize itself with the WSUS database as part of this task, enable this check box. This will cause an incremental synchronization to be performed. If you do not enable this check box, the published updates will not be available for deployment until your regularly scheduled synchronization process occurs. Synchronization can also be started by going to the Ivanti Patch > Updates workspace and then clicking Synchronize Software Updates.

Publish metadata only: If enabled, this will publish detection logic for the update but not the actual software update binaries. You might do this if you want to detect if an update is needed by your clients but ensure that the update cannot be installed. This is useful only in very specific scenarios and server configurations.

If you edit an update that is published as metadata-only, the original update will be deleted and the edited update republished as metadata-only. This means the revision number for these updates will always be 1. An update that is published as metadata-only cannot be re-signed because there is no content to sign. An attempt to re-sign it will result in a warning message in the log file.

Software Update Group options: Configuration Manager provides the use of software update groups to help you organize and deploy your software updates. Updates that are published using Patch for MEM can be automatically added to a new or existing software update group.

You can choose one of the following options:

Do not add updates to a Software Update Group: None of the updates in the scheduled task will be added to a software update group.

Add all updates to a Software Update Group: All updates specified in the scheduled task will be added to a software update group.

Add only newly published updates to a Software Update Group: Only newly published updates specified in the scheduled task will be added to a software update group.

The following options apply only if you choose to add updates to a software update group:

Name: If you want the published updates to be added to an existing software update group, select the group name from the drop-down list. You can also type the first few letters of the name until the correct group is displayed. If you want to specify a new group, select New from the drop-down list and provide a unique group name and a description.

Description: This field describes the purpose of the specified software update group. The description is defined when the group is created and cannot be modified here.

The updates will be added to the software update group after the publication process is complete and a synchronization has been performed.

Create a new Software Update Group each time this task publishes updates: A unique Software Update Group will be created for each publication. The group will be named based on the task name and the date and time that the publication occurs.

Deployment Options: This area provides the option to have Patch for MEM quickly deploy the published updates to your endpoints. Updates will be made available to your endpoints immediately upon deployment. For additional information on deployments, see Streamlined Deployment of Third-Party Updates.

Deploy updates after publication: If you want to specify deployment options, enable this check box. In order for this check box to be available for selection, in the Publications Options section you must enable the Synchronize updates option and you must choose to add updates to a software update group.

Deployment profile: The deployment profile that will be used when deploying the selected updates. See Automatically Publishing Recommended Updates.

Deployment package: Specifies where the deployments will be staged for distribution. Configuration Manager uses a deployment package to move the content into a distribution point, which is then pushed down to endpoints.

Deployment deadline after publication: Allows you to specify a specific date and time that the deployment process must begin.

Delay enforcement of deadline according to user preference: If enabled, this will honor any working hours that have been set by a user and the deployment process will not begin until the time period that is outside of those set hours.

Run updates deployment evaluation cycle after update requires system restart: If enabled, after deploying an update that requires a restart, the client will perform another evaluation for missing updates after the restart is complete.

Publish updates that supersede already deployed updates: Enables you to expand the list of updates beyond those identified by the Recommended Updates filter. Updates that supersede updates that have already been deployed will be included in the automated task.

Match this filter: Enables you to narrow the list of updates beyond those identified by the Recommended Updates filter. You can choose either the predefined filter named *Latest not-published or one of your custom filters.

Example 1: To publish all recommended updates that have not been previously published and that are not superseded, select the * Latest not-published filter. This is an easy way to automatically publish new updates on a recurring basis.

Example 2: Assume you have previously created a custom filter that identifies all unpublished critical updates for the products you use in your organization. Simply select that filter here to publish just those updates on a recurring basis.

If an update contains different packages for different languages, only the language versions specified on the Languages tab will be published.

3.Click Add task.

You can view the scheduled task within the Automation Scheduler calendar or using the Microsoft Task Scheduler.