anyweb

Managing monthly updates in SCCM


Introduction

 

In this guide I will show you one way of updating your monthly updates released from Microsoft on the second Tuesday of every month. Many different scenarios can be followed to deploy software updates. In this example, we will use a Software Updates Deployment Package called All Windows XP Updates to store the updates we want made available to our XP machines. We will create a new Deployment Management Task to deploy the new updates, and we will clean up our previous Deployment Management Tasks and remove any expired updates referenced in them by deleting them. As we are not using Update Lists in this guide we will not be concerned with reporting, but if you want to report on the status of your updates, you should use Update Lists as part of your process.

 

 

all_windows_xp_updates_deployment_package.jpg

 

This Deployment Package had been created earlier when setting up the Software Update Point, but you can create a new one if you need to.

 

We will use a Deployment Management task to start the deployment called All XP Updates.

 

all_xp_updates_deployment_management_task.jpg

 

As you can see from the screenshot above, it contains some updates which are expired; this is noticeable because of the grey icon.

 

icon_meanings.jpg

 

We will also use our Windows XP All Updates search folder, which is created with the following Search Folder Criteria:

 

search_folders.jpg

 

Step 1. Run a Synchronisation.

 

Expand your Software Updates node in configmgr, right click on Update Repository and choose Run Synchronisation. Answer Yes when prompted. You can verify that the synchronisation process has completed in the Site Status, Component Status, SMS_WSUS_SYNC_MANAGER log. Look for Message ID 6702 which is SMS WSUS Synchronization Done.

 

sync done.jpg

 

 

Step 2. Check our Deployment Package

 

To start off the monthly update process we need to first see what updates we currently have in our Deployment Package and remove any expired or superseded updates contained within.

 

Expand your Software Updates node in configmgr, expand the Deployment Packages node and highlight the All Windows XP Updates Deployment Package. Expand the Software Updates node within so that you can see what updates we have, click on the Bulletin ID heading to sort our updates.

 

bulletin_id.jpg

 

Take note of the Expired or Superseded updates and highlight them; once done, right click and choose Delete. You can press CTRL while selecting these updates, and don't forget to scroll so you see all updates.

 

delete_grey.jpg

 

We only want Green updates in our Deployment Package.

 

Click OK when prompted about the Delete process.

 

the_selected_updates_will_be_removed_from_the_package.jpg

 

Click OK if prompted that the deployment can fail; this is OK as we will be updating the Deployment Management Task.

 

deployment_to_fail.jpg

 

At this point we have now removed all the expired updates, so only green 'good' updates are left. Sort the updates by Bulletin ID again and take note of the most recent one; in our case that is MS09-026.

 

all green.jpg
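The Step 2 check can also be done as a read-only query against the SMS Provider, which avoids missing a grey icon while scrolling. This is an added example, not part of the original post; the site server name and site code are placeholders, and the WMI class and property names (SMS_SoftwareUpdatesPackage, SMS_PackageToContent, SMS_CIToContent, SMS_SoftwareUpdate with IsExpired/IsSuperseded) are assumed to match your site's provider schema.

```powershell
# Added example (not from the original post): read-only audit of a deployment package.
# It lists expired or superseded updates whose content is still in the package.
# It deletes nothing; removal is still done in the console as described in Step 2.
$SiteServer  = 'SITESERVER'              # placeholder: your site server
$SiteCode    = 'XXX'                     # placeholder: your three-character site code
$PackageName = 'All Windows XP Updates'  # deployment package name used in the guide

$wmi = @{
    ComputerName = $SiteServer
    Namespace    = "root\SMS\site_$SiteCode"
    ErrorAction  = 'Stop'
}

# 1. Find the deployment package by name.
$pkg = Get-WmiObject @wmi -Class SMS_SoftwareUpdatesPackage -Filter "Name = '$PackageName'"
if (-not $pkg) { throw "Deployment package '$PackageName' not found in site $SiteCode" }

# 2. Collect the ContentIDs stored in that package.
$contentInPackage = @{}
Get-WmiObject @wmi -Class SMS_PackageToContent -Filter "PackageID = '$($pkg.PackageID)'" |
    ForEach-Object { $contentInPackage[[string]$_.ContentID] = $true }

# 3. Map that content back to the updates (CI_IDs) it belongs to.
$updatesInPackage = @{}
Get-WmiObject @wmi -Class SMS_CIToContent |
    Where-Object { $contentInPackage.ContainsKey([string]$_.ContentID) } |
    ForEach-Object { $updatesInPackage[[string]$_.CI_ID] = $true }

# 4. Keep only the updates the site marks as expired or superseded.
$stale = @(Get-WmiObject @wmi -Class SMS_SoftwareUpdate -Filter 'IsExpired = 1 OR IsSuperseded = 1' |
    Where-Object { $updatesInPackage.ContainsKey([string]$_.CI_ID) } |
    Sort-Object BulletinID)

$stale |
    Select-Object BulletinID, ArticleID, LocalizedDisplayName, IsExpired, IsSuperseded |
    Format-Table -AutoSize

'{0} expired or superseded update(s) still in "{1}"' -f $stale.Count, $PackageName
```

A count of zero corresponds to the "only green updates" state the guide aims for at the end of Step 2.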


  • 0

Sounds good. Appreciate the clarification. Makes sense.

 

You mentioned that as part of your process you update the deployment management task. However I'm now going with the idea that I will delete my old deployment management task since I'm creating a new one which includes all the previous updates (sans expired and superseded) from the old update list plus any new ones I just added.

 

Are you keeping the "superseded" deployment tasks around for some reason or deleting them when you approve the new one? If I first prune the update list of unneeded updates, why would I prune a deployment task I'm going to delete? That's the only part I'm confused about.

 

So here's a quick example:

 

UpdateList1 = 3 updates for XP clients. It is deployed successfully to all clients via Deployment (advertisement) Task "XP Clients".

Next month 2 new updates come out.

I add these updates to UpdateList1.

Then I add the new updates to the existing source package.

Now when I use the current UpdateList1 to create the new advertisement, "XP Clients", it will include the updates it's advertising + the 2 new ones I added.

I delete the old advertisement (no name conflicts).

I create the new one.

Voila!

 

It sounds like you might be keeping the previous task(s) around?? That's where I'm confused. If so, why?

 

Thanks for the quick and helpful response! You rock.


  • 0

I keep them around because I still use some of them, for example the Deploy updates used during a task sequence deployment management tasks,

 

you are free to keep them (the deployment management tasks) or to remove them and create new ones

 

 

hope that helps


  • 0

not quite, you still have to update the distribution points for that deployment package otherwise it won't know that you've made changes to the package

 

cheers

niall


  • 0

So it was bound to happen. Despite all the great information, I stumbled on to the button that threw my understanding into a tailspin. I'm going to play around today with it but wanted to ask both because I'm approaching a deadline and play time needs to be limited, but more for posterity. ;>)

 

If we don't re-use deployment management tasks, and if they are created from a package, what's the deal with the ADD button on the Software Updates tab of a Deployment Task's properties page? I *thought* this all made sense and that I added files to the package and deployed the package. Now there's a button that lets me ADD updates to a task.

 

Is anyone familiar with this button and why it exists? The Add Software Updates window it invokes looks like WSUS and not SCCM. There are no Search Folders.

 

I want to try identifying an update I was going to add to my package and try adding it to the deployment and see what happens. If that doesn't seem to do anything, I'll try updating the package with the same file and then re-advertise and see if it works. I'm just curious and if anyone wants to talk me off the ledge, I do have better things to do. lol


  • 0

taken from the help button right beside it ;)

 

Add Software Update Dialog Box


Use the Configuration Manager 2007 Add Software Updates dialog box to add downloaded software updates to a deployment. Only software updates that meet the following criteria appear in this dialog box:

 

The software update has not been expired.

 

 

The Microsoft Software License Terms has been accepted, if one is associated with the software update.

 

 

The software update file has been downloaded.

 

 

To select software updates that have not been previously downloaded, exit the deployment properties, follow the steps in How to Download Software Updates, and then open the dialog box. The software updates displayed in the results pane can be filtered by using the Look for text box or by navigating to the product name node of the catalog tree. The selected software updates are added to the deployment.

 

When a software update is added to a deployment that targets both Configuration Manager and SMS 2003 client computers the package source will be updated, the deployment package version will be incremented, and the distribution points configured for the package will be updated. Adding software updates to a deployment that does not deploy software updates to SMS 2003 clients will use the update source files from a deployment package that contains the software updates and the package is not refreshed.

 

The Add Software Updates dialog box contains the following elements:

 

Look for

 

Specifies the filter criteria for the software updates that are displayed. The downloaded updates display that are within the selected catalogs tree node and subnodes, and contain the Look for value for any of the following software update properties:

 

Name
Description
Category
Article ID
Bulletin ID
Vendor
Product
Update Classification
Unique Update ID

 

 

Click Find Now to display the software updates that have properties containing the text entered in the Look for control. Click Find Now without any text to display all downloaded software updates within the selected node and subnodes.

 

Results pane

 

Displays the downloaded software updates that are not currently in the deployment and that meet the Look for criteria. The software updates that are selected will be added to the deployment. Highlight the classification, vendor, or the product to display the available updates for the highlighted node and subnodes or use the Look for control to filter the software updates within the selected classifications tree node and subnodes. Select the updates to add to the deployment, and then click OK. There is no limit to the number of software updates that can be in a deployment.

 

Click the Selected Updates node to display the software updates that have been selected.

 

Note

You might need to refresh the Software Updates / Update Repository node before the latest updates are shown in the results pane.

 

 

 

OK

 

Saves the changes and exits the dialog box.

 

Cancel

 

Exits the dialog box without saving any changes.

 


 

Does that clarify a bit? Or not?

 

Try this: where it says 'Look for', type in Security then press Enter.

 

security.jpg


  • 0

taken from the help button right beside it ;)

 

Argh I'm a dunderhead! I'm still not completely accepting of how awesome MS has made the SCCM help files. I admit I was being lazy. Thanks! Makes perfect sense as usual.


  • 0

Hi, I'm new to this. Is it possible to cancel/remove only one update from the list when the icon has already appeared on the workstations but is mandatory scheduled 1 week later?

 

So users have the possibility to manually install the updates at this moment and mandatory in 1 week. But some have already installed it and there seems to be an issue with 1 update (rdp-client). I would like to remove it before the mandatory date arrives.


  • 0

Hi there,

 

What you can do is to go to your deployment management and find the deployment in question.

I don't remember the exact location but either on [right-click > properties] or by expanding it, you will be able to see all the updates that got deployed.

Then you can choose the update that you want to remove.

 

OPTIONAL:

To be safe, you can delete the actual, downloaded update directly within the update package itself (needs to be done AFTER you remove the update from the deployment management) so when the client tries to download it, it will give an error that the item can't be found (or something like that).

 

Regarding the client, that's a bit tricky since the ccm agent is the one that initiates the update scan, so there's not much you can do about it.

But as long as you don't change the default settings of the agent, it will by default do a scan every 2 days.

So as long as the client PC is turned on for at least 2 days, it should be able to get the updated list, which has that particular update removed.

 

Just curious ... what kind of problem are you having with that rdp-client?

 


  • 0

I've already done your OPTIONAL suggestion, which makes the first suggestion not possible anymore. Deleted the update from the package and from the global list. I expected it to reach the client within minutes, guess not. After a few hours it seems the clients have accepted the new list so I panicked too soon. A bit bizarre to be honest because the "Software Updates Client Agent Properties" is set to 7 days.

 

RDP problem:

We use laptops forced by policy to RDP to a terminal server so they act like mobile thin clients. If you have an rdp-client < version 6, the security gives some changes in the way they log on.

Like asking credentials before the real RDP is launched

Asking to trust the target PC

...

With 3000 users it would be a disaster if they all start calling the helpdesk to ask why their screens look different (and trust me they would have killed the support line)
