Managing monthly updates in SCCM

[anyweb]

Introduction

 

In this guide I will show you one way of updating your monthly updates released from Microsoft on the second Tuesday of every Month. Many different scenarios can be followed to deploy software updates. In this example, we will use a Software Updates Deployment Package called All Windows XP Updates to store the updates we want made available to our XP machines. We will create a new Deployment Management Task to deploy the new updates, and we will clean up our previous Deployment Management Tasks and remove any expired updates referenced in it by deleting them. As we are not using Update Lists in this guide we will not be concerned with reporting, but if you want to report on the status of your Updates, you should use Update Lists as Part of your Process.

 

 

 

This Deployment Package had been created earlier when setting up the Software Update Point, but you can create a new one if you need to.

 

We will use a Deployment Management task to start the deployment called All XP Updates.

 

 

and as you can see from the screenshot above it contains some updates which are expired and this is noticeable because of the Grey Icon.

 

 

We will also use our Windows XP All Updates search folder which is created with the following Search Folder Criteria

 

 

Step 1. Run a Synchronisation.

 

Expand your Software Updates node in configmgr, right click on Update Repository and choose Run Synchronisation. Answer Yes when prompted. You can verify that the synchronisation process has completed in the Site Status, Component Status, SMS_WSUS_SYNC_MANAGER log. Look for Message ID 6702 which is SMS WSUS Synchronization Done.

 

 

 

Step 2. Check our Deployment Package

 

To start off the monthly update process we need to first see what updates we currently have in our Deployment Package and remove any expired or superseded updates contained within.

 

Expand your Software Updates node in configmgr, expand the Deployment Packages node and highlight the All Windows XP Updates Deployment Package. Expand the Software Updates node within so that you can see what updates we have, click on the Bulletin ID heading to sort our updates.

 

 

Take note of the Expired or Superseded updates and highlight them and once done right click and choose Delete. You can press CTRL while selecting these updates and don't forget to scroll so you see all updates.

 

 

We only want Green updates in our Deployment Package.

 

Click ok when prompted about the Delete process

 

 

click ok if prompted about Deployment can fail process, this is ok as we will be updating the Deployment Management Task.

 

 

At this point we now have removed all the expired updates so only green 'good' updates are left, sort the updates by BulletinID again and take note of the most recent one, in our case that is MS09-026

 

[anyweb]

Step 3. Using the Search folder, select the new updates

 

Open our Windows XP All Updates search folder and sort by BulletinID

 

 

as you can see there are a few updates released since our Deployment Package was last updated a month ago, and we need to select those new updates since MS09-026 which was the last update listed in our Deploymet Package (From June 2009)

 

Right-click and choose Download Software Updates

 

 

on the select a deployment package screen click on browse and select our All Windows XP Updates Deployment Package

 

 

on the Download Location screen choose to download software updates from the internet

 

 

select your chosen language and click Finish

 

 

click next and close when prompted...

[anyweb]

Step 4. Deploy the selected updates

 

right click the selected updates again and this time choose Deploy software updates

 

 

give the Deployment Task a name

 

 

for Deployment Template, choose the one that suits your environment

 

 

select our Deployment Package

 

 

go with the Default Choice of Download Software updates from the Internet

 

 

select your language

 

 

set the Schedule as below

 

 

review the summary and close

[anyweb]

Step 5. Target the Deploy Task to the collection you want to receive the updates

 

Expand the Deployment Management Tasks node and right click, choose Refresh

 

 

you will see that the task is targetted to the Blank for Staging collection which is an Empty collection, right click it the Deployment Management task and choose properties

 

 

select your targetted XP collection

 

 

click ok and apply

 

 

Step 6. Monitor your XP machines and verify that they are receiving the Updates

 

just before the deadline occurs, your XP machines should start receiving the new Update Policy and inform you

 

 

finally, once the deadline has been reached the updates are installed automatically

 

[Dietmar]

Hi, this is great! I love your step-by-step guides! (I wrote on TechNet Forum to you).

One question: What do you realize with the "phase 1", "phase 2" and "phase 3" collections?

I do not understand the whole purpose for this hirachy. If the updates are successfully deployed to

the test group and you get positiv feedback, how do you deploy the updates to the rest of computers

in environment? Do you create an own deployment with All Windows XP Collection as target or do you change the

existing deployment target to another collection?

[anyweb]

you use phase 1/phase 2/phase 3 as stages for applying patches and updates to selected sets of computers

 

for example if you have 100 XP computers in your organisation, you will probably want to do a Test run of the patches on 5 computers in the first week, those computers are in the test collection which is a sub collection of phase 1

 

after all is ok, and a week has passed, you decide it's time to update 25 more machines, and you do so by targetting the phase 2 collection with the deployment Management task by editing it's Collection Tab value

 

remember a collection can contain sub collections, and those sub collections can be Links to other collections

 

so... you can create some XP collections like this

 

Phase 1/test (5 xp computers)

Phase 2/xp_phase2 (25 xp computers)

Phase 3/xp_phase3 (the remaining xp computers)

 

in my screenshots i have NOT implemented the above, because it's up to you to decide how to patch your systems, this is only one way of doing it..

 

 

by the time you have reached phase 1 all your XP computers are updated and you start the whole cycle again, and it takes a month from beginning to end...

[Dietmar]

Thanks for answer. I will do so.

[Kingskawn]

Do I have to delete all the greyed out updates in my update packages or is it automatic?

[Gorilla]

Great articles as always Anyweb.

 

So I was experimenting with what I like to call the "One Package"...One package to rule them all. Is it important that a package only contain updates applicable to the collection it is advertised to, or can it contain updates for other products too?

 

For example: Can a package have updates for Server 2003, 2008, XP, and Vista? I know it "can" but will it only apply those that the client needs? And if I'm deploying newer updates but use the same package again, will it matter if updates that were already installed are still in the package. ie. will it try to reinstall previously installed updates?

 

Last, can you talk a bit about managing the physical file / share level. I don't believe that if I delete a superseded update that it physically removes it. Should that be something we do manually each time we don't need the binary any longer? Or is there some way to clean that up automatically? What about re-using the share? Should all my downloads be in one folder via one share and if so, what parses it? The update list? The deployment package itself?

 

I think I've got most of it down now except for a bit of the philosophy and intent. I know it's flexible, but there are also limitations I'd like to understand better. I'll contribute more as I answer these things myself eventually. But any input and help with strategy is valued. Thanks!

[anyweb]

wow loads of questions and i'll try and answer some...

 

Is it important that a package only contain updates applicable to the collection it is advertised to, or can it contain updates for other products too?

 

I would keep os patches in separate packages that way if you someday have to troubleshoot patches back to the originating level it'll be easier to work with, and there are other reasons, but yes, you can keep all os patches together in one big package.

 

 

For example: Can a package have updates for Server 2003, 2008, XP, and Vista? I know it "can" but will it only apply those that the client needs?

 

yes it can and yes it will just like windows update

 

will it try to reinstall previously installed updates?

 

nope, unless you uninstall the update and its required..

 

 

Last, can you talk a bit about managing the physical file / share level. I don't believe that if I delete a superseded update that it physically removes it. Should that be something we do manually each time we don't need the binary any longer? Or is there some way to clean that up automatically?

 

you have to physically delete it, but you can automate it with scripts, if you find one that works for you please share it here, but for a starting point

look at this

[Eswar Koneti]

Hi,

I have deployed patches onto XP collection with a deadline and i dont see any updates that are installing automcatically in my environment but if i set an option like do not set a deadline,i can see a POPUP in the taskbar and need to click the patches to install manually.IS it something gone wrong in the settings?

 

Regards,

Eswar.