Deploy updates to Microsoft Endpoint Configuration Manager clients with Update Management

Customers who have invested in Microsoft Endpoint Configuration Manager to manage PCs, servers, and mobile devices also rely on its strength and maturity in managing software updates as part of their software update management (SUM) cycle.

You can report on and update managed Windows servers by creating and pre-staging software update deployments in Configuration Manager, and then use Update Management to get the detailed status of completed update deployments. If you use Configuration Manager for update compliance reporting on your Windows servers but not for managing update deployments, you can continue reporting to Configuration Manager while security updates are managed with Update Management.

Prerequisites

  • You must have Update Management added to your Automation account.
  • Windows servers currently managed by your Configuration Manager environment also need to report to the Log Analytics workspace that has Update Management enabled.
  • This feature is enabled in Configuration Manager current branch version 1606 and higher. To integrate your Configuration Manager central administration site or a stand-alone primary site with Azure Monitor logs and import collections, review Connect Configuration Manager to Azure Monitor logs.
  • Windows agents must either be configured to communicate with a Windows Server Update Services (WSUS) server or have access to Microsoft Update if they don't receive security updates from Configuration Manager.
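A read-only check of the per-server prerequisites above, added here as an example and not part of the original documentation. The function name `Get-UpdatePrereqStatus` is hypothetical, and the script assumes the Log Analytics agent for Windows, whose service is named `HealthService`; it reads local state only and does not test network reachability.

```powershell
# Added example: report whether this Windows server looks ready for
# Update Management alongside Configuration Manager. Read-only.
function Get-UpdatePrereqStatus {
    [CmdletBinding()]
    param()

    # CcmExec       = Configuration Manager client (SMS Agent Host)
    # HealthService = Log Analytics agent for Windows (assumption: MMA is used)
    $ccm = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue
    $mma = Get-Service -Name 'HealthService' -ErrorAction SilentlyContinue

    # Windows Update policy values. WUServer is only honored when
    # UseWUServer under the AU subkey is set to 1.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    $wsusUrl = if ($wu) { $wu.WUServer } else { $null }
    $useWsus = ($null -ne $au) -and ($au.UseWUServer -eq 1) -and
               (-not [string]::IsNullOrWhiteSpace($wsusUrl))

    # Without a WSUS policy the agent falls back to Microsoft Update, so the
    # server then needs outbound access (direct, proxy, or gateway).
    $source = if ($useWsus) { 'WSUS' } else { 'Microsoft Update' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ConfigMgrClient     = ($null -ne $ccm) -and ($ccm.Status -eq 'Running')
        LogAnalyticsAgent   = ($null -ne $mma) -and ($mma.Status -eq 'Running')
        UpdateSource        = $source
        WsusUrl             = if ($useWsus) { $wsusUrl } else { $null }
        NeedsInternetAccess = -not $useWsus
    }
}

Get-UpdatePrereqStatus | Format-List
```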

How you manage clients hosted in Azure IaaS with your existing Configuration Manager environment primarily depends on the connection you have between Azure datacenters and your infrastructure. This connection affects any design changes you may need to make to your Configuration Manager infrastructure and the related cost to support those changes. To understand what planning considerations you need to evaluate before proceeding, review Configuration Manager on Azure - Frequently Asked Questions.

Configuration

Manage software updates from Configuration Manager

Perform the following steps if you are going to continue managing update deployments from Configuration Manager. Azure Automation connects to Configuration Manager to apply updates to the client computers connected to your Log Analytics workspace. Update content is available from the client computer cache as if the deployment were managed by Configuration Manager.

  1. Create a software update deployment from the top-level site in your Configuration Manager hierarchy using the process described in Deploy software updates. The only setting that must be configured differently from a standard deployment is the option "Do not install software updates", which controls the download behavior of the deployment package. This behavior is managed in Update Management by creating a scheduled update deployment in the next step.

  2. In Azure Automation, select Update Management. Create a new deployment following the steps described in Creating an Update Deployment, and select Imported groups on the Type drop-down to select the appropriate Configuration Manager collection. Keep in mind the following important points:

     a. If a maintenance window is defined on the selected Configuration Manager device collection, members of the collection honor it instead of the Duration setting defined in the scheduled deployment.
     b. Members of the target collection must have a connection to the Internet (either direct, through a proxy server, or through the Log Analytics gateway).

After you complete the update deployment through Azure Automation, the target computers that are members of the selected computer group install updates at the scheduled time from their local client cache. You can view update deployment status to monitor the results of your deployment.

Manage software updates from Azure Automation

To manage updates for Windows Server VMs that are Configuration Manager clients, you need to configure client policy to disable the Software Update Management feature for all clients managed by Update Management. By default, client settings target all devices in the hierarchy. For more information about this policy setting and how to configure it, review How to configure client settings in Configuration Manager.

After performing this configuration change, create a new deployment following the steps described in Creating an Update Deployment, and select Imported groups on the Type drop-down to select the appropriate Configuration Manager collection.

Next steps

Create a new deployment following the steps described in Creating an Update Deployment.