Managing monthly updates in SCCM

[anyweb]

Introduction

 

In this guide I will show you one way of updating your monthly updates released from Microsoft on the second Tuesday of every Month. Many different scenarios can be followed to deploy software updates. In this example, we will use a Software Updates Deployment Package called All Windows XP Updates to store the updates we want made available to our XP machines. We will create a new Deployment Management Task to deploy the new updates, and we will clean up our previous Deployment Management Tasks and remove any expired updates referenced in it by deleting them. As we are not using Update Lists in this guide we will not be concerned with reporting, but if you want to report on the status of your Updates, you should use Update Lists as Part of your Process.

 

 

 

This Deployment Package had been created earlier when setting up the Software Update Point, but you can create a new one if you need to.

 

We will use a Deployment Management task to start the deployment called All XP Updates.

 

 

and as you can see from the screenshot above it contains some updates which are expired and this is noticeable because of the Grey Icon.

 

 

We will also use our Windows XP All Updates search folder which is created with the following Search Folder Criteria

 

 

Step 1. Run a Synchronisation.

 

Expand your Software Updates node in configmgr, right click on Update Repository and choose Run Synchronisation. Answer Yes when prompted. You can verify that the synchronisation process has completed in the Site Status, Component Status, SMS_WSUS_SYNC_MANAGER log. Look for Message ID 6702 which is SMS WSUS Synchronization Done.

 

 

 

Step 2. Check our Deployment Package

 

To start off the monthly update process we need to first see what updates we currently have in our Deployment Package and remove any expired or superseded updates contained within.

 

Expand your Software Updates node in configmgr, expand the Deployment Packages node and highlight the All Windows XP Updates Deployment Package. Expand the Software Updates node within so that you can see what updates we have, click on the Bulletin ID heading to sort our updates.

 

 

Take note of the Expired or Superseded updates and highlight them and once done right click and choose Delete. You can press CTRL while selecting these updates and don't forget to scroll so you see all updates.

 

 

We only want Green updates in our Deployment Package.

 

Click ok when prompted about the Delete process

 

 

click ok if prompted about Deployment can fail process, this is ok as we will be updating the Deployment Management Task.

 

 

At this point we now have removed all the expired updates so only green 'good' updates are left, sort the updates by BulletinID again and take note of the most recent one, in our case that is MS09-026

 

[anyweb]

Step 3. Using the Search folder, select the new updates

 

Open our Windows XP All Updates search folder and sort by BulletinID

 

 

as you can see there are a few updates released since our Deployment Package was last updated a month ago, and we need to select those new updates since MS09-026 which was the last update listed in our Deploymet Package (From June 2009)

 

Right-click and choose Download Software Updates

 

 

on the select a deployment package screen click on browse and select our All Windows XP Updates Deployment Package

 

 

on the Download Location screen choose to download software updates from the internet

 

 

select your chosen language and click Finish

 

 

click next and close when prompted...

[anyweb]

Step 4. Deploy the selected updates

 

right click the selected updates again and this time choose Deploy software updates

 

 

give the Deployment Task a name

 

 

for Deployment Template, choose the one that suits your environment

 

 

select our Deployment Package

 

 

go with the Default Choice of Download Software updates from the Internet

 

 

select your language

 

 

set the Schedule as below

 

 

review the summary and close

[anyweb]

Step 5. Target the Deploy Task to the collection you want to receive the updates

 

Expand the Deployment Management Tasks node and right click, choose Refresh

 

 

you will see that the task is targetted to the Blank for Staging collection which is an Empty collection, right click it the Deployment Management task and choose properties

 

 

select your targetted XP collection

 

 

click ok and apply

 

 

Step 6. Monitor your XP machines and verify that they are receiving the Updates

 

just before the deadline occurs, your XP machines should start receiving the new Update Policy and inform you

 

 

finally, once the deadline has been reached the updates are installed automatically

 

[Dietmar]

Hi, this is great! I love your step-by-step guides! (I wrote on TechNet Forum to you).

One question: What do you realize with the "phase 1", "phase 2" and "phase 3" collections?

I do not understand the whole purpose for this hirachy. If the updates are successfully deployed to

the test group and you get positiv feedback, how do you deploy the updates to the rest of computers

in environment? Do you create an own deployment with All Windows XP Collection as target or do you change the

existing deployment target to another collection?

[anyweb]

you use phase 1/phase 2/phase 3 as stages for applying patches and updates to selected sets of computers

 

for example if you have 100 XP computers in your organisation, you will probably want to do a Test run of the patches on 5 computers in the first week, those computers are in the test collection which is a sub collection of phase 1

 

after all is ok, and a week has passed, you decide it's time to update 25 more machines, and you do so by targetting the phase 2 collection with the deployment Management task by editing it's Collection Tab value

 

remember a collection can contain sub collections, and those sub collections can be Links to other collections

 

so... you can create some XP collections like this

 

Phase 1/test (5 xp computers)

Phase 2/xp_phase2 (25 xp computers)

Phase 3/xp_phase3 (the remaining xp computers)

 

in my screenshots i have NOT implemented the above, because it's up to you to decide how to patch your systems, this is only one way of doing it..

 

 

by the time you have reached phase 1 all your XP computers are updated and you start the whole cycle again, and it takes a month from beginning to end...

[Dietmar]

Thanks for answer. I will do so.

[Kingskawn]

Do I have to delete all the greyed out updates in my update packages or is it automatic?

[Gorilla]

Great articles as always Anyweb.

 

So I was experimenting with what I like to call the "One Package"...One package to rule them all. Is it important that a package only contain updates applicable to the collection it is advertised to, or can it contain updates for other products too?

 

For example: Can a package have updates for Server 2003, 2008, XP, and Vista? I know it "can" but will it only apply those that the client needs? And if I'm deploying newer updates but use the same package again, will it matter if updates that were already installed are still in the package. ie. will it try to reinstall previously installed updates?

 

Last, can you talk a bit about managing the physical file / share level. I don't believe that if I delete a superseded update that it physically removes it. Should that be something we do manually each time we don't need the binary any longer? Or is there some way to clean that up automatically? What about re-using the share? Should all my downloads be in one folder via one share and if so, what parses it? The update list? The deployment package itself?

 

I think I've got most of it down now except for a bit of the philosophy and intent. I know it's flexible, but there are also limitations I'd like to understand better. I'll contribute more as I answer these things myself eventually. But any input and help with strategy is valued. Thanks!

[anyweb]

wow loads of questions and i'll try and answer some...

 

Is it important that a package only contain updates applicable to the collection it is advertised to, or can it contain updates for other products too?

 

I would keep os patches in separate packages that way if you someday have to troubleshoot patches back to the originating level it'll be easier to work with, and there are other reasons, but yes, you can keep all os patches together in one big package.

 

 

For example: Can a package have updates for Server 2003, 2008, XP, and Vista? I know it "can" but will it only apply those that the client needs?

 

yes it can and yes it will just like windows update

 

will it try to reinstall previously installed updates?

 

nope, unless you uninstall the update and its required..

 

 

Last, can you talk a bit about managing the physical file / share level. I don't believe that if I delete a superseded update that it physically removes it. Should that be something we do manually each time we don't need the binary any longer? Or is there some way to clean that up automatically?

 

you have to physically delete it, but you can automate it with scripts, if you find one that works for you please share it here, but for a starting point

look at this

[Eswar Koneti]

Hi,

I have deployed patches onto XP collection with a deadline and i dont see any updates that are installing automcatically in my environment but if i set an option like do not set a deadline,i can see a POPUP in the taskbar and need to click the patches to install manually.IS it something gone wrong in the settings?

 

Regards,

Eswar.

[Eswar Koneti]

I have one more on this:

 

I have SCCM R2 with server 2008.I created a standard template for Windows XP machines with some custom settings.

I have few updates that are required by clients.I started deploying these to my client PCs.when i do this,i have come acroos an option to downlaod software updated either from internet or from network location.I have placed all the updated in a shared location(\\PRODSCM\Updates\November).When i select this folder to get these updates,I do see only the folders for these patches(which are inside the november folder) not the content inside( ilke .exe files).But if i select the any patch folder ,i can see only that patch gets updated to DP but not all the patches.Can some tell me is there any option to get all the patches one at a time ?

[Eswar Koneti]

I have 20 patches and a standard template with some custom settings.Now i created a package (Test package) for these 20 patches and advsetised on to XP machines.SO it install succuessfully without any issues(of course again in this case,user invention is required to click on the taskbar icon)

 

Now my question:is it possible for me to create a another package that should has only 6 patches(from above 20) so i can distrbute only these patches to another collection with standard template.

 

I have tried to do this but i can see only new deplyment management that consists of 6 patches .

 

It assumes that,if a patch is already downloaded onto DP and member of Any packages,it wont comes under newly created package ?

 

I am not sure if this information makes you to understand my quiry but if anything requires i can post some more information .

 

Regards,

Eswar.

[Peter van der Woude]

You do not need multiple packages when you need to use updates that already excist in a package. Just create a new deployment in which you select the needed updates, ONLY the selected updates in the deployment will be advertised

[Eswar Koneti]

You do not need multiple packages when you need to use updates that already excist in a package. Just create a new deployment in which you select the needed updates, ONLY the selected updates in the deployment will be advertised

 

 

Yes i aggree but if i have package called "October" and deplyment called "october" with 20 patches in the package.i have created new deplyment called "November" and advertised on to some collection.If i want to delete unwanted packages which already deplyed,how can i do it if i am not sure bcz the deplyment called is "november" and pcakage exits is "October" ?

Am i thinking wrong here?

 

Regards,

Eswar.

[p.andrew]

Hi all,

 

I'm still reading this update deployment stuff so forgive me if I misunderstood something.

 

First of all, this is a great post!

 

Second ... question:

Let's say I have been managing the updates for several months now.

Based on your guide, to deploy the latest updates we need to:

- select which update(s)

- download it

- select it(them) again

- deploy it

 

Now, how do we know which update already been downloaded?

Can it be just "automatic"?

I mean, it would be easier when we choose to deploy an update(s) it will just auto-download if it's not exist in the source package.

 

 

Ap

[Eswar Koneti]

this can be found from software updates node.If u look at the patches information under the node ,you can see if it is already downloaded or not .Here is the screen shot that gives u more information.

[gojensen]

One thing... I see you filter out packages that don't have a "Bulletin ID"... in my repository there are a lot of current updates without a "Bulletin ID"... Wouldn't it be better to "sort" by published/updated date?

[anyweb]

depends on what your criteria are,

 

Microsoft releases updates every month, some are security related (bulletin ID) some not...

 

as you want your machines to be secure, using the Bulletin ID is a good idea (and best practise).

 

if you want your XP or Vista or 7 machines to get access to the other updates then make them available as a separate Deployment Management task and package, at least thats the way I do it.

 

here's one SAMPLE suggested layout of a SUP using search folders categorised to find updates quickly sorted by client/server and further broken down into year, security udpates and all updates... etc.

 

 

 

 

cheers

niall

[Kingskawn]

And what about all updates that don't have a bulletin ID? Like "Windows Malicious Software Removal Tool - November 2009 (KB890830)", it's from november, so it's relatively new , but it isn't taken into the updated list

[MRaybone]

Yes I have a similar issue. How do you include updates which don't have an "MS0X" Bulletin ID in a month based set of search folders? I can see the names of some of your search folders listed and I can't think how to achieve them.

 

I'm trying to devise a nice system for covering monthly bulletins and also everything else that MS release each month and am having trouble coming up with a decent structure.

[anyweb]

easy, just create two packages for XP,

 

one called Windows XP Security Updates (which includes the BulletID) and another called Windows XP All Updates, which does not include BulletinID and therefore shows all XP updates

 

like in this screenshot

 

 

or are you trying to do something else ?

 

cheers

niall

[MRaybone]

Looking at it some more, I think peopleu usually initially want to categorize everything on a month by month basis. Possible for any updates with MS0X bulletin IDs because you can specify "MS09" and "Date Released within 1 month", for example, but not possible for updates without Bulletin IDs. However I guess what you should just do is look at a larger collection of updates in a search folder, just arrange by Date Released and create Update Lists based on your results.

 

Those screenshots intrigue me though - what do you have under the Hotfixes and Applications subfolders...?

 

Cheers,

Mark.

[anyweb]

its my home lab which i don't have access to from work, but if i remember correctly applications is sccm 2007/sms 2003/sql server 2005 and sql server 2008/office 2003/office xp and office 2007, and the hotfixes search folder probably links to some hotfixes..., i'll take a look this evening and if anything cool in there i'll post it here

[anyweb]

here's a closer look