Finally, there is a set of FAQs at the bottom of the page that provides answers to questions that may arise about the interpretation of the definition, the phased approach, and other related topics.
EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
The definition applies to software of all forms e. Other use cases, such as software solely used for research or testing that is not deployed in production systems, are outside of the scope of this definition. NIST recommends that the initial EO implementation phase focus on standalone, on-premises software that has security-critical functions or poses similar significant potential for harm if compromised.
Subsequent phases may address other categories of software such as:
The table below provides a preliminary list of software categories considered to be EO-critical. This table is provided to illustrate the application of the definition of EO-critical software to the scope of the recommended initial implementation phase described above. As noted previously, CISA will provide the authoritative list of software categories at a later date.
Software that centrally identifies, authenticates, manages access rights for, or enforces access decisions for organizational users, systems, and devices. Software that processes content delivered by web servers over a network, and is often used as the user interface to device and service configuration functions.
Ketone98, posted October 30: I have attached the errors of Software Update Point. Under Components I have one critical error. Can somebody please point me in the right direction as I honestly haven't a clue.
The client computer always connects to WSUS running on the software update point to retrieve the software updates metadata before the client computer scans for software updates compliance. After the scan is complete, the TTL counter is reset. For example, if the TTL is 24 hours, after a user starts a scan for software updates compliance, the TTL is reset to 24 hours.
At the configured deployment reevaluation schedule, the client connects to WSUS running on the software update point to retrieve the software updates metadata only when the last scan was outside the TTL. Before the client can download update files in required deployments, the client connects to WSUS running on the software update point to retrieve the software updates metadata only when the last scan was outside the TTL.
Before the client installs software updates in required deployments, the client connects to WSUS running on the software update point to retrieve the software updates metadata only when the last scan was outside the TTL.
After a software update is installed, the Software Updates Client Agent starts a scan by using the local metadata. The client never connects to WSUS running on the software update point to retrieve software updates metadata. After a software update is installed and the computer is restarted, the Software Updates Client Agent starts a scan by using the local metadata.
A software update deployment package is the vehicle used to download software updates to a network shared folder, and copy the software update source files to the content library on site servers and on distribution points that are defined in the deployment. By using the Download Updates Wizard, you can download software updates and add them to deployment packages before you deploy them. This wizard lets you provision software updates on distribution points and verify that this part of the deployment process is successful before you deploy the software updates to clients.
When you deploy downloaded software updates by using the Deploy Software Updates Wizard, the deployment automatically uses the deployment package that contains the software updates. When software updates that have not been downloaded are deployed, you must specify a new or existing deployment package in the Deploy Software Updates Wizard, and the software updates are downloaded when the wizard is finished.
You must manually create the shared network folder for the deployment package source files before you specify it in the wizard. Each deployment package must use a different shared network folder. The SMS Provider computer account and the administrative user who actually downloads the software updates both require Write permissions to the package source.
Restrict access to the package source to reduce the risk of an attacker tampering with the software updates source files in the package source. When a new deployment package is created, the content version is set to 1 before any software updates are downloaded. When the software update files are downloaded by using the package, the content version is incremented to 2.
Therefore, all new deployment packages start with a content version of 2. Every time that the content changes in a deployment package, the content version is incremented by 1.
For more information, see Fundamental concepts for content management. Clients install software updates in a deployment by using any distribution point that has the software updates available, regardless of the deployment package. Even if a deployment package is deleted for an active deployment, clients still can install the software updates in the deployment as long as each update was downloaded to at least one other deployment package and is available on a distribution point that can be accessed from the client.
When the last deployment package that contains a software update is deleted, client computers cannot retrieve the software update until the update is downloaded again to a deployment package. Software updates appear with a red arrow in the Configuration Manager console when the update files are not in any deployment packages. Deployments appear with a double red arrow if they contain any updates in this condition.
There are two main scenarios for deploying software updates in your environment, manual deployment and automatic deployment. Typically, you deploy software updates manually to create a baseline for client computers, and then you manage software updates on clients by using automatic deployment.
The following sections provide a summary of the workflow for manual and automatic deployment of software updates. Manual deployment of software updates is the process of selecting software updates in the Configuration Manager console and manually starting the deployment process. You typically use this method of deployment to get the client computers up-to-date with required software updates before you create automatic deployment rules that manage ongoing monthly software update deployments, and to deploy out-of-band software update requirements.
The following list provides the general workflow for manual deployment of software updates: Filter for software updates that use specific requirements. For example, you could provide criteria that retrieve all security or critical software updates that are required on more than 50 client computers. Automatic software updates deployment is configured by using an automatic deployment rule (ADR).
You typically use this method of deployment for your monthly software updates (generally known as Patch Tuesday) and for managing definition updates. When the rule runs, software updates are removed from the software update group (if using an existing group), the software updates that meet specified criteria (for example, all security software updates released in the last week) are added to a software update group, the content files for the software updates are downloaded and copied to distribution points, and the software updates are deployed to client computers in the target collection.
The following list provides the general workflow for automatic deployment of software updates: Decide whether to enable the deployment or report on software updates compliance for the client computers in the target collection. The software update group is deployed to the client computers in the target collection, if it is specified.
You must determine what deployment strategy to use in your environment. Maximum severity rating: Specifies the vendor-defined severity rating for the software update. Description: Provides an overview of what condition the software update fixes or improves. Applicable languages: Lists the languages for which the software update is applicable. Affected products: Lists the products for which the software update is applicable.
In the Content Information tab, review the following information about the content that is associated with the selected software update: Downloaded: Indicates whether Configuration Manager has downloaded the software update files. In the Custom Bundle Information tab, review the custom bundle information for the software update. When the selected software update contains bundled software updates that are contained in the software update file, they are displayed in the Bundle information section.
This tab does not display bundled software updates that are displayed in the Content Information tab, such as update files for different languages. On the Supersedence Information tab, you can view the following information about the supersedence of the software update:.
This update has been superseded by the following updates: Specifies the software updates that supersede this update, which means that the updates listed are newer.
In most cases, you will deploy one of the software updates that supersedes the software update. The software updates that are displayed in the list contain hyperlinks to webpages that provide more information about the software updates.
When this update is not superseded, None is displayed. This update supersedes the following updates: Specifies the software updates that are superseded by this software update, which means this software update is newer. In most cases, you will deploy this software update to replace the superseded software updates. The software updates that are displayed in the list contain hyperlinks to web pages that provide more information about the software updates.
When this update does not supersede any other update, None is displayed. In the properties, you can configure software update settings for one or more software updates. You can configure most software update settings only at the central administration site or stand-alone primary site.
The following sections will help you to configure settings for software updates. In the Maximum Run Time tab, set the maximum amount of time a software update is allotted to complete on client computers.
If the update takes longer than the maximum run-time value, Configuration Manager creates a status message and stops the software updates installation.