anyweb Posted July 29, 2009

Introduction

In this guide I will show you one way of updating your monthly updates released by Microsoft on the second Tuesday of every month.

Many different scenarios can be followed to deploy software updates. In this example, we will use a Software Updates Deployment Package called All Windows XP Updates to store the updates we want made available to our XP machines. We will create a new Deployment Management Task to deploy the new updates, and we will clean up our previous Deployment Management Tasks and remove any expired updates referenced in it by deleting them. As we are not using Update Lists in this guide we will not be concerned with reporting, but if you want to report on the status of your updates, you should use Update Lists as part of your process.

This Deployment Package had been created earlier when setting up the Software Update Point, but you can create a new one if you need to.

We will use a Deployment Management task to start the deployment called All XP Updates, and as you can see from the screenshot above it contains some updates which are expired and this is noticeable because of the grey icon.

We will also use our Windows XP All Updates search folder which is created with the following Search Folder Criteria

Step 1. Run a Synchronisation.

Expand your Software Updates node in configmgr, right click on Update Repository and choose Run Synchronisation. Answer Yes when prompted.

You can verify that the synchronisation process has completed in the Site Status, Component Status, SMS_WSUS_SYNC_MANAGER log. Look for Message ID 6702 which is SMS WSUS Synchronization Done.

Step 2. Check our Deployment Package

To start off the monthly update process we need to first see what updates we currently have in our Deployment Package and remove any expired or superseded updates contained within.

Expand your Software Updates node in configmgr, expand the Deployment Packages node and highlight the All Windows XP Updates Deployment Package. Expand the Software Updates node within so that you can see what updates we have, and click on the Bulletin ID heading to sort our updates.

Take note of the Expired or Superseded updates and highlight them, and once done right click and choose Delete. You can press CTRL while selecting these updates, and don't forget to scroll so you see all updates. We only want Green updates in our Deployment Package.

Click ok when prompted about the Delete process.

Click ok if prompted about the Deployment can fail process; this is ok as we will be updating the Deployment Management Task.

At this point we have now removed all the expired updates so only green 'good' updates are left. Sort the updates by BulletinID again and take note of the most recent one; in our case that is MS09-026.
anyweb Posted July 30, 2009

Step 3. Using the Search folder, select the new updates

Open our Windows XP All Updates search folder and sort by BulletinID.

As you can see there are a few updates released since our Deployment Package was last updated a month ago, and we need to select those new updates since MS09-026, which was the last update listed in our Deployment Package (from June 2009).

Right-click and choose Download Software Updates.

On the select a deployment package screen, click on browse and select our All Windows XP Updates Deployment Package.

On the Download Location screen, choose to download software updates from the internet.

Select your chosen language and click Finish.

Click next and close when prompted...
anyweb Posted July 30, 2009

Step 4. Deploy the selected updates

Right click the selected updates again and this time choose Deploy software updates.

Give the Deployment Task a name.

For Deployment Template, choose the one that suits your environment.

Select our Deployment Package.

Go with the Default Choice of Download Software updates from the Internet.

Select your language.

Set the Schedule as below.

Review the summary and close.
anyweb Posted July 30, 2009

Step 5. Target the Deploy Task to the collection you want to receive the updates

Expand the Deployment Management Tasks node and right click, choose Refresh.

You will see that the task is targeted to the Blank for Staging collection, which is an empty collection. Right click the Deployment Management task and choose properties.

Select your targeted XP collection.

Click ok and apply.

Step 6. Monitor your XP machines and verify that they are receiving the Updates

Just before the deadline occurs, your XP machines should start receiving the new Update Policy and inform you.

Finally, once the deadline has been reached the updates are installed automatically.
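Steps 2 and 3 of the guide above (remove expired or superseded updates from the package, then pick everything newer than the last packaged bulletin, MS09-026) as an added PowerShell example that is not part of the original thread or of ConfigMgr. It runs on constructed sample rows; the column names and the KB0000xx article IDs are assumptions and placeholders. It also reports updates with no Bulletin ID and current older bulletins missing from the package, which sorting by Bulletin ID alone does not surface.

```powershell
# Constructed sample rows (not real catalogue data). Column names are
# assumptions that mirror the console columns; KB0000xx IDs are placeholders.
$updates = @'
BulletinID,ArticleID,IsExpired,IsSuperseded,InPackage
MS09-019,KB000001,True,False,True
MS09-022,KB000002,False,True,True
MS09-026,KB000003,False,False,True
MS09-028,KB000004,True,False,False
MS09-029,KB000005,False,False,False
MS09-032,KB000006,False,False,False
MS09-012,KB000007,False,False,False
,KB890830,False,False,False
'@ | ConvertFrom-Csv

function ConvertTo-BulletinKey {
    param([string]$BulletinID)
    # MSyy-nnn -> sortable integer; $null when the ID is absent or malformed.
    if ($BulletinID -match '^MS(\d{2})-(\d{3})$') {
        $year = [int]$Matches[1]
        if ($year -ge 90) { $year += 1900 } else { $year += 2000 }
        return $year * 1000 + [int]$Matches[2]
    }
    return $null
}

function Get-MonthlyUpdatePlan {
    param([object[]]$Updates, [string]$LastBulletin)
    $lastKey = ConvertTo-BulletinKey $LastBulletin
    if ($null -eq $lastKey) { throw "'$LastBulletin' is not in MSyy-nnn form" }
    $plan = [ordered]@{ RemoveFromPackage = @(); Download = @()
                        OlderNotInPackage = @(); NoBulletinID = @() }
    foreach ($u in $Updates) {
        $stale = ($u.IsExpired -eq 'True') -or ($u.IsSuperseded -eq 'True')
        $inPackage = $u.InPackage -eq 'True'
        $key = ConvertTo-BulletinKey $u.BulletinID
        if ($stale) {
            # Step 2: stale updates leave the package and are never downloaded.
            if ($inPackage) { $plan.RemoveFromPackage += $u.ArticleID }
        }
        elseif ($inPackage)        { continue }   # current and already packaged
        elseif ($null -eq $key)    { $plan.NoBulletinID += $u.ArticleID }
        elseif ($key -gt $lastKey) { $plan.Download += $u.ArticleID }   # Step 3
        else                       { $plan.OlderNotInPackage += $u.ArticleID }
    }
    [pscustomobject]$plan
}

Get-MonthlyUpdatePlan -Updates $updates -LastBulletin 'MS09-026' | Format-List
```

The OlderNotInPackage and NoBulletinID buckets are the ones to review by hand, since neither is reached by selecting "everything after the last bulletin".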
Dietmar Posted August 4, 2009

Hi, this is great! I love your step-by-step guides! (I wrote on TechNet Forum to you).

One question: What do you realize with the "phase 1", "phase 2" and "phase 3" collections? I do not understand the whole purpose for this hierarchy. If the updates are successfully deployed to the test group and you get positive feedback, how do you deploy the updates to the rest of computers in environment? Do you create an own deployment with All Windows XP Collection as target or do you change the existing deployment target to another collection?
anyweb Posted August 4, 2009

you use phase 1/phase 2/phase 3 as stages for applying patches and updates to selected sets of computers

for example if you have 100 XP computers in your organisation, you will probably want to do a Test run of the patches on 5 computers in the first week, those computers are in the test collection which is a sub collection of phase 1

after all is ok, and a week has passed, you decide it's time to update 25 more machines, and you do so by targeting the phase 2 collection with the deployment Management task by editing its Collection Tab value

remember a collection can contain sub collections, and those sub collections can be Links to other collections so... you can create some XP collections like this

Phase 1/test (5 xp computers)
Phase 2/xp_phase2 (25 xp computers)
Phase 3/xp_phase3 (the remaining xp computers)

in my screenshots i have NOT implemented the above, because it's up to you to decide how to patch your systems, this is only one way of doing it..

by the time you have reached phase 1 all your XP computers are updated and you start the whole cycle again, and it takes a month from beginning to end...
Dietmar Posted August 4, 2009

Thanks for answer. I will do so.
Kingskawn Posted October 21, 2009

Do I have to delete all the greyed out updates in my update packages or is it automatic?
Gorilla Posted October 22, 2009

Great articles as always Anyweb.

So I was experimenting with what I like to call the "One Package"...One package to rule them all.

Is it important that a package only contain updates applicable to the collection it is advertised to, or can it contain updates for other products too? For example: Can a package have updates for Server 2003, 2008, XP, and Vista? I know it "can" but will it only apply those that the client needs?

And if I'm deploying newer updates but use the same package again, will it matter if updates that were already installed are still in the package, i.e. will it try to reinstall previously installed updates?

Last, can you talk a bit about managing the physical file / share level. I don't believe that if I delete a superseded update that it physically removes it. Should that be something we do manually each time we don't need the binary any longer? Or is there some way to clean that up automatically? What about re-using the share? Should all my downloads be in one folder via one share and if so, what parses it? The update list? The deployment package itself?

I think I've got most of it down now except for a bit of the philosophy and intent. I know it's flexible, but there are also limitations I'd like to understand better. I'll contribute more as I answer these things myself eventually. But any input and help with strategy is valued.

Thanks!
anyweb Posted October 22, 2009

wow loads of questions and i'll try and answer some...

Is it important that a package only contain updates applicable to the collection it is advertised to, or can it contain updates for other products too?

I would keep os patches in separate packages that way if you someday have to troubleshoot patches back to the originating level it'll be easier to work with, and there are other reasons, but yes, you can keep all os patches together in one big package.

For example: Can a package have updates for Server 2003, 2008, XP, and Vista? I know it "can" but will it only apply those that the client needs?

yes it can and yes it will just like windows update

will it try to reinstall previously installed updates?

nope, unless you uninstall the update and it's required..

Last, can you talk a bit about managing the physical file / share level. I don't believe that if I delete a superseded update that it physically removes it. Should that be something we do manually each time we don't need the binary any longer? Or is there some way to clean that up automatically?

you have to physically delete it, but you can automate it with scripts, if you find one that works for you please share it here, but for a starting point look at this
Eswar Koneti Posted November 12, 2009

Hi,

I have deployed patches onto XP collection with a deadline and I don't see any updates that are installing automatically in my environment, but if I set an option like do not set a deadline, I can see a POPUP in the taskbar and need to click the patches to install manually. Is it something gone wrong in the settings?

Regards,
Eswar.
Eswar Koneti Posted November 12, 2009

I have one more on this:

I have SCCM R2 with server 2008. I created a standard template for Windows XP machines with some custom settings. I have few updates that are required by clients. I started deploying these to my client PCs. When I do this, I have come across an option to download software updates either from internet or from network location. I have placed all the updates in a shared location (\\PRODSCM\Updates\November). When I select this folder to get these updates, I do see only the folders for these patches (which are inside the November folder), not the content inside (like .exe files). But if I select any patch folder, I can see only that patch gets updated to DP but not all the patches. Can someone tell me is there any option to get all the patches at one time?
Eswar Koneti Posted November 12, 2009

I have 20 patches and a standard template with some custom settings. Now I created a package (Test package) for these 20 patches and advertised on to XP machines. So it installs successfully without any issues (of course again in this case, user intervention is required to click on the taskbar icon).

Now my question: is it possible for me to create another package that should have only 6 patches (from above 20) so I can distribute only these patches to another collection with standard template? I have tried to do this but I can see only new deployment management that consists of 6 patches. It assumes that, if a patch is already downloaded onto DP and member of any packages, it won't come under newly created package?

I am not sure if this information makes you understand my query, but if anything requires I can post some more information.

Regards,
Eswar.
Peter van der Woude Posted November 12, 2009

You do not need multiple packages when you need to use updates that already exist in a package. Just create a new deployment in which you select the needed updates, ONLY the selected updates in the deployment will be advertised
Eswar Koneti Posted November 13, 2009

You do not need multiple packages when you need to use updates that already exist in a package. Just create a new deployment in which you select the needed updates, ONLY the selected updates in the deployment will be advertised

Yes I agree, but if I have package called "October" and deployment called "october" with 20 patches in the package, I have created new deployment called "November" and advertised on to some collection. If I want to delete unwanted packages which already deployed, how can I do it if I am not sure, because the deployment called is "november" and package exists is "October"? Am I thinking wrong here?

Regards,
Eswar.
p.andrew Posted November 23, 2009

Hi all,

I'm still reading this update deployment stuff so forgive me if I misunderstood something.

First of all, this is a great post!

Second ... question: Let's say I have been managing the updates for several months now. Based on your guide, to deploy the latest updates we need to:

- select which update(s)
- download it
- select it (them) again
- deploy it

Now, how do we know which update already been downloaded? Can it be just "automatic"? I mean, it would be easier when we choose to deploy an update(s) it will just auto-download if it's not exist in the source package.

Ap
Eswar Koneti Posted November 23, 2009

This can be found from software updates node. If you look at the patches information under the node, you can see if it is already downloaded or not. Here is the screen shot that gives you more information.
gojensen Posted December 2, 2009

One thing... I see you filter out packages that don't have a "Bulletin ID"... in my repository there are a lot of current updates without a "Bulletin ID"... Wouldn't it be better to "sort" by published/updated date?
anyweb Posted December 2, 2009

depends on what your criteria are, Microsoft releases updates every month, some are security related (bulletin ID) some not...

as you want your machines to be secure, using the Bulletin ID is a good idea (and best practise). if you want your XP or Vista or 7 machines to get access to the other updates then make them available as a separate Deployment Management task and package, at least that's the way I do it.

here's one SAMPLE suggested layout of a SUP using search folders categorised to find updates quickly, sorted by client/server and further broken down into year, security updates and all updates... etc.

cheers
niall
Kingskawn Posted December 4, 2009

And what about all updates that don't have a bulletin ID? Like "Windows Malicious Software Removal Tool - November 2009 (KB890830)", it's from November, so it's relatively new, but it isn't taken into the updated list
MRaybone Posted December 8, 2009

Yes I have a similar issue. How do you include updates which don't have an "MS0X" Bulletin ID in a month based set of search folders? I can see the names of some of your search folders listed and I can't think how to achieve them. I'm trying to devise a nice system for covering monthly bulletins and also everything else that MS release each month and am having trouble coming up with a decent structure.
anyweb Posted December 9, 2009

easy, just create two packages for XP, one called Windows XP Security Updates (which includes the BulletinID) and another called Windows XP All Updates, which does not include BulletinID and therefore shows all XP updates like in this screenshot

or are you trying to do something else ?

cheers
niall
MRaybone Posted December 9, 2009

Looking at it some more, I think people usually initially want to categorize everything on a month by month basis. Possible for any updates with MS0X bulletin IDs because you can specify "MS09" and "Date Released within 1 month", for example, but not possible for updates without Bulletin IDs. However I guess what you should just do is look at a larger collection of updates in a search folder, just arrange by Date Released and create Update Lists based on your results.

Those screenshots intrigue me though - what do you have under the Hotfixes and Applications subfolders...?

Cheers,
Mark.
anyweb Posted December 9, 2009

it's my home lab which i don't have access to from work, but if i remember correctly applications is sccm 2007/sms 2003/sql server 2005 and sql server 2008/office 2003/office xp and office 2007, and the hotfixes search folder probably links to some hotfixes..., i'll take a look this evening and if anything cool in there i'll post it here
anyweb Posted December 10, 2009

here's a closer look