Automatically Publishing Recommended Updates

Overview

This automated task will detect products that are contained on your client machines, and it will then publish updates that apply to those products. It does this using a Recommended Updates filter that is automatically generated for you each time the task is run. The task uses the filter to identify which updates to publish for the detected products. You can choose to apply an additional filter to narrow the list of updates that get published, and you can configure a number of options that allow you to perform additional tasks. This process is repeated on a recurring basis according to the schedule that you configure.

There are three important differences between this automated task and the manual process used to create a list of recommended updates:

The list of products that are detected on your endpoints is updated each time this task is run, so you are continually working with the most current information.

The Recommended updates filter is automatically created for you in the background.

The Recommended updates filter created here does not live beyond this process; the filter cannot be viewed or edited.

How to Use This Feature

1. Within the Configuration Manager Software Library workspace, expand the Software Updates > Ivanti Patch folder and then click Automation Scheduler.

A calendar is displayed that contains the scheduled tasks for all consoles that are using the same database. You can edit a scheduled task by double-clicking it or by selecting it and then clicking Edit. You can also delete a task by selecting it and then clicking Delete.

Tip: You can also manage the scheduled tasks using the Microsoft Task Scheduler.

2. On the Home tab, click Publish Recommendations.

The Publish Recommendations dialog is displayed.

Specify what action(s) should occur and when the task should run.

Task name: Specify a name that uniquely identifies the purpose of this task. This name will also be displayed in the Automation Scheduler calendar.

Match this filter: Enables you to narrow the list of updates beyond those identified by the Recommended Updates filter. You can choose either the predefined filter named *Latest not-published or one of your custom filters.

Example 1: To publish all recommended updates that have not been previously published and that are not superseded, select the *Latest not-published filter. This is an easy way to automatically publish new updates on a recurring basis.

Example 2: Assume you have previously created a custom filter that identifies all unpublished critical updates for the products you use in your organization. Simply select that filter here to publish just those updates on a recurring basis.

If an update contains different packages for different languages, only the language versions specified on the Languages tab will be published.

Run the scheduled task offline: If enabled, the task will be run in offline mode. This means the console will not attempt to download the selected update files. In order for the publication to be successful, the update(s) must already reside in the Local Source folder.

This check box is automatically enabled if Run disconnected is enabled on the Offline Options tab.

Accept all metadata updates in the catalog: If you want to automatically update WSUS with any metadata revisions that are available for updates that have been previously published, enable this check box.

Synchronize updates: If you want Configuration Manager to automatically synchronize itself with the WSUS database as part of this task, enable this check box. This will cause an incremental synchronization to be performed. If you do not enable this check box, the published updates will not be available for deployment until your regularly scheduled synchronization process occurs. Synchronization can also be started by going to the Ivanti Patch > Updates workspace and then clicking Synchronize Software Updates.

Publish metadata only: If enabled, this will publish detection logic for the update but not the actual software update binaries. You might do this if you want to detect if an update is needed by your clients but ensure that the update cannot be installed. This is useful only in very specific scenarios and server configurations.

If you edit an update that is published as metadata-only, the original update will be deleted and the edited update republished as metadata-only. This means the revision number for these updates will always be 1. An update that is published as metadata-only cannot be re-signed because there is no content to sign. An attempt to re-sign it will result in a warning message in the log file.

Software Update Group options: Configuration Manager provides software update groups to help you organize and deploy your software updates. Updates that are published using Patch for MEM can be automatically added to a new or existing software update group.

You can choose one of the following options:

Do not add updates to a Software Update Group: None of the updates in the scheduled task will be added to a software update group.

Add all updates to a Software Update Group: All updates specified in the scheduled task will be added to a software update group.

Add only newly published updates to a Software Update Group: Only newly published updates specified in the scheduled task will be added to a software update group.

The following options apply only if you choose to add updates to a software update group:

Name: If you want the published updates to be added to an existing software update group, select the group name from the drop-down list. You can also type the first few letters of the name until the correct group is displayed. If you want to specify a new group, select New from the drop-down list and provide a unique group name and a description.

Description: This field describes the purpose of the specified software update group. The description is defined when the group is created and cannot be modified here.

The updates will be added to the software update group after the publication process is complete and a synchronization has been performed.

Schedule: Specify the day and time when the task should run.

Logged on user: If enabled, specifies that you will use the credentials of the currently logged on user to add the publishing task to Microsoft Task Scheduler. The User box is automatically populated, so you only need to type the account password.

Different user: If enabled, specifies that you want to use a different user account when adding the publishing task to Microsoft Task Scheduler. For example, you might specify a service account whose password does not expire.

The account must:

Have Log on as a batch job rights

Be a member of the WSUS Administrators group on the WSUS server

Be a member of the local administrators group on the WSUS Server if the WSUS Server is remote
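
The following PowerShell script is an added example, not part of the product or its documentation, that checks the three account requirements listed above before you enter the account in the dialog. The account name CONTOSO\svc-patchpublish is a placeholder; run the script elevated on the machine where the task will run for the batch logon check, and on the WSUS server for the two group checks.

```powershell
# Added example. Run elevated. 'CONTOSO\svc-patchpublish' is a placeholder account.
param([string]$Account = 'CONTOSO\svc-patchpublish')

# Resolve to a SID so comparisons do not depend on how the name is written.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

function Test-DirectGroupMember {
    param([string]$Group, [string]$Sid)
    # Direct members only; membership through a nested domain group is not expanded.
    try {
        $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    } catch {
        return $null   # group not found or not readable on this machine
    }
    return [bool]($members | Where-Object { $_.SID.Value -eq $Sid })
}

function Test-BatchLogonRight {
    param([string]$Sid, [string]$Name)
    # Export local user-rights assignments and read the SeBatchLogonRight line.
    $tmp = Join-Path $env:TEMP ("rights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $hit = Select-String -Path $tmp -Pattern '^SeBatchLogonRight\s*=' |
            Select-Object -First 1
        if (-not $hit) { return $false }
        # Entries are comma-separated; SIDs carry a leading '*'.
        $entries = ($hit.Line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
        return ($entries -contains $Sid) -or ($entries -contains $Name)
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

[pscustomobject]@{
    Account             = $Account
    Computer            = $env:COMPUTERNAME
    # False can still be acceptable when the right is granted through a group.
    BatchLogonRight     = Test-BatchLogonRight -Sid $sid -Name $Account
    # Meaningful on the WSUS server; $null means the group could not be read.
    WsusAdministrators  = Test-DirectGroupMember -Group 'WSUS Administrators' -Sid $sid
    LocalAdministrators = Test-DirectGroupMember -Group 'Administrators' -Sid $sid
}
```

The group checks use the English group names and report direct membership only, so an account that gets its access through a nested domain group shows as False and needs a manual look.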

When specifying a different user, you must indicate if credentials are required to authenticate to a proxy server.

Proxy authentication is required – use these credentials: If enabled, indicates that proxy server credentials are required when using the user account. If you then choose Same as above, the user account credentials will be used as the proxy credentials. If you choose Credentials below, you can provide a separate set of proxy credentials.

User name: Type the user name for an account on the proxy server. It may be necessary to specify a domain as part of your user name (for example: mydomain\my.name).

Password: Type the password for the proxy server account.

3. Click Add task.

You can view the scheduled task within the Automation Scheduler calendar or using the Microsoft Task Scheduler.