anyweb

How can I setup Software Updates in System Center Configuration Manager (Current Branch)




Introduction

At the start of this series of step by step guides you installed System Center Configuration Manager (Current Branch), then you configured discovery methods. Next you configured boundaries to get an understanding of how automatic site assignment and content location works. After that you learned how to update ConfigMgr with new features and fixes using a new ability called Updates and Servicing and you learned how to configure ConfigMgr to use Updates and Servicing in one of these two modes:

In this post you will learn how to set up Software Updates, which is a necessary step in preparing your environment for Windows 10 servicing. You can set up the Software Update Point manually using the ConfigMgr console or fully automated using the supplied PowerShell script in the Downloads section of this guide.

 

What's new in Software Updates ?

The following points explain what's new in Software Updates for System Center Configuration Manager Current Branch [source:Technet]

  • System Center Configuration Manager now has the ability to differentiate a Windows 10 computer that connects to Windows Update for Business (WUfB) for software update management versus the computers connected to WSUS for software update management. The UseWUServer attribute is new and specifies whether the computer is managed with WUfB. You can use this setting in a collection to remove these computers from software update management. For more information, see Integration with Windows Update for Business in Windows 10.

  • You can now schedule and run the WSUS clean up task from the Configuration Manager console. You can now manually run the WSUS cleanup task from the Software Update Point Component properties. When you select to run the WSUS cleanup task, it will run at the next software updates synchronization. The expired software updates will be set to a status of declined on the WSUS server and the Windows Update Agent on computers will no longer scan these software updates. For more information, see Schedule and run the WSUS clean up task.

Step 1. Install a hotfix (recommended)

If you are impacted by either of the issues below or if you installed ConfigMgr before the hotfix was released then you'll need to install the hotfix. Microsoft released a hotfix (KB3127032) January 9th, 2016 to address the following issues:

  • The "Upgrades" entry is missing from the list of classifications in the Software Update Point Component Properties. This issue occurs even after the following Windows Server Update Services (WSUS) update is applied: 3095113 Update to enable WSUS support for Windows 10 feature upgrades
  • Windows 10 upgrades cannot be downloaded by using the Download Software Updates Wizard. Errors that resemble the following appear on the Completion page of the wizard

Before installing the hotfix though, restart the server via the following command in an administrative command prompt:

shutdown /r

you are about to be signed out.png

After downloading the hotfix, run it by double clicking on the CM1511RTM-QFE-KB3127032-X64-ENU.exe file. The wizard will appear.

execute hotfix.png

Click next and accept the License terms

hotfix license terms.png

Click next and the prerequisite checker will run.

hotfix prerequisite check.png

Click next and when prompted to upgrade the database answer yes.

upgrade database.png

if you'd like the Deployment Assistance options to create a package, leave the default settings and click next

default assistance.png

click next at the Update Package for Configuration Manager Servers screen

update package for configuration manager servers.png

and click Install at the summary screen

install hotfix.png

and review the progress before clicking Next

hotfix installed.png

at the Installation Complete screen click Finish.

hotfix finished installing.png

Even though it's not a requirement, I'd suggest you reboot the server again as I've seen reports of it being necessary.

you are about to be signed out.png

Step 2. Add and configure the SUP role using ConfigMgr Console
Note: If you want to automate this instead using PowerShell, please skip to Step 4.

Using the ConfigMgr console, in the Administration workspace, expand Site Configuration and select Sites. On the ribbon, select Add Site System Roles, the Add Site System Roles Wizard appears, click next,

add site system roles wizard.png

On the Specify internet proxy server screen, enter your proxy details before clicking next

specify internet proxy server.png

on the Specify Roles for this server screen, select Software Update Point

software update point role.png

In the Specify Software Update Point properties, select the following options:

  • WSUS Configuration: WSUS is configured to use ports 8530 and 8531
  • Client Connection Type: Allow intranet-only client connections

specify software update point properties.png

on the Specify Proxy and Account settings for the software update point configure it as appropriate for your environment and click next

specify proxy and account settings for the sup.png

on the Specify Synchronization Sources page, as this is a standalone Primary, use the defaults. If you have a CAS in a hierarchy then point it to the upstream server as appropriate.

specify sychronization source settings.png

and on the Specify a synchronization schedule page place a check mark in Enable synchronization on a schedule and leave it at the default of every 7 days.

sync every 7 days.png

Note: If you want to have precise control over the time, day and frequency when the SUP synchronizes with Microsoft Update, then you should select the Custom Schedule option and configure it as appropriate. If you also intend to update Endpoint Protection definition updates then you should configure the sync to run at least daily in order to get the latest definition updates and Endpoint Protection engine updates as soon as they are released.

On the Select behavior for software updates that are superseded page, select Do not expire..., leave the default of 3 months and then place a check mark in Run WSUS cleanup Wizard as shown below:

supersedence rules.png

 

Note: When you select to run the WSUS cleanup task, it will run at the next software updates synchronization. The expired software updates will be set to a status of declined on the WSUS server and the Windows Update Agent on computers will no longer scan these software updates. This task does not replace normal WSUS cleanup activities, to do them you should review this post.

 

On the Select the software update classifications that you want to synchronize screen select those that are shown below, you'll see the following popup when you select the Upgrades Classification

 

upgrades classification.png

 

Note: If the Upgrades classification is not listed review Step 1.

select classifications.png

 

On the Select the products that you want to synchronize screen place a check mark in All Products and then remove it again, this will deselect everything before the first synchronization (recommended).

 

all products are NOT selected.png

On the Specify the language settings that you want to synchronize screen, deselect everything except English (don't forget to scroll down as some languages are hidden from view)

sync languages.png

review the Summary

summary sup setup.png

Note: Using CMTrace, review the SUPSetup.log on the server hosting the Software Update Point (SUP) role in <ConfigMgr Installation Path>\Logs to confirm that the installation of the SUP role succeeded. Look for a line that states "Installation was successful" as shown below.

SUPSETUP was successful.png

At this point you can close the Add Site System Roles wizard.

 

The first sync from the SUP will take some time, and you should monitor the following logs to verify that the sync is in progress and working as expected.

 

  • <ConfigMgr Installation Path>\Logs\WCM.log - Provides information about the software update point configuration and connecting to the WSUS server for subscribed update categories, classifications, and languages
  • <ConfigMgr Installation Path>\Logs\WSUSCtrl.log - Provides information about the configuration, database connectivity, and health of the WSUS server for the site
  • <ConfigMgr Installation Path>\Logs\Wsyncmgr.log - Provides information about the software updates synchronization process

Here you can see the WCM.log file showing that WSUS was successfully configured

 

WCM log file.png

 

Here you can see the wsyncmgr.log file showing that the sync was successful

 

wsyncmgr log.png

 

Here you can see the WSUSctrl.log file showing information about the configuration

 

wsusctrl log.png

 

Step 3. Selecting Windows 10 as a product

After the first successful sync, the SUP should now have updated the list of Products available. Below you can see the Windows Products listed before (on the left) and after (on the right) the first SUP sync takes place.

 

before and after sync.png

 

You will not see the updated products until the WCM.log states the following "Successfully refreshed categories from WSUS server"

 

As you want Windows 10 to be secure and up to date, you'll need to re-configure the SUP role and specify Windows 10 from the list of available products. Using the ConfigMgr console, in the Administration workspace, expand Site Configuration and select Sites. Select the P01 Primary site, right click and choose Configure Site Components and then select Software Update Point

 

configure software update point.png

 

In the Software Update Point Component Properties screen select the Products tab and scroll down to Windows 10, make selections appropriate to your organization, click Apply and OK when done to apply and close the Software Update Point Component Properties.

 

all windows 10 products selected.png

 

Now that you've made a change to the Products, perform a sync. To perform a sync do as follows. In the ConfigMgr console select the Software Library workspace, select Software Updates, right click on All Software Updates and choose Synchronize Software Updates. Answer Yes to the popup.

 

perform a sync.png

 

Using CMTrace, monitor the sync progress in <ConfigMgr Installation Path>\Logs\Wsyncmgr.log. This sync will take some time as you've changed the list of Products to sync and therefore a Full sync is required and noted in the log file.

 

wsyncmgr log showing sync starting.png

 

Look for the Sync succeeded. Setting sync alert to canceled state on site P01 text in the log file to notify you of a successful sync.

 

sync succeeded.png

 

Now that the sync is completed it's time to refresh the All Software Updates view in the console. In the ConfigMgr console select the Software Library workspace, select Software Updates, select All Software Updates and press the Refresh All Software Updates button.

 

refresh all software updates.png

 

And you should see a whole bunch of updates (and upgrades) listed for Windows 10.

 

windows 10 updates listed.png

 

To see the Windows 10 Upgrade updates listed in the Windows 10 servicing section, in the ConfigMgr console select the Software Library workspace, select Windows 10 Servicing, select All Windows 10 Updates.

 

Note: I will cover servicing Windows 10 in a later post.

 

windows 10 servicing.png

 

Step 4. Add and configure the SUP role using PowerShell

The above steps show how you can configure the SUP role using the ConfigMgr console, however you could script it all using PowerShell. The ConfigMgr PowerShell cmdlets for Software Update Point can be listed with the below command once you've connected to PowerShell in ConfigMgr.

Get-Command -Module configurationmanager -Noun *SoftwareUpdatePoint*

software update point noun in PowerShell.png

 

To add the Software Update Point (SUP) role using PowerShell do as follows. Download the Add SUP Role.ps1 contained in a zip file in the Downloads section at the bottom of this guide and extract it to C:\Temp.

 

Start Windows PowerShell ISE as Administrator and open Add SUP Role.ps1 script. Edit any variables in the script to match your environment before proceeding, and then save your changes.

 

variables to be edited.png

 

When you are happy with the variables, consider changing which Products to sync. Check line number 192 and remove anything you are not interested in (for example, Windows 10 Language Packs). If you want to add Products to the script, do so here but make sure you specify it correctly or it will fail.

 

line 192.png

 

Save any changes, then run the script by pressing F5 or clicking on the Green arrow. Below you can see the script is running, don't worry about that warning in Orange, it's benign (safe to ignore). The script will perform two SUP syncs, the first is used to update the index (classifications, products etc) and the second sync actually syncs the Windows 10 updates which are appropriate to the Windows 10 products selected.

 

Note: Depending on the number of products you select, you may want to adjust the sleep settings of the second sync to work with your environment.

 

script in action along with logs in the background.png

 

After the script is completed (it takes about 30 minutes for syncing All Windows 10 updates available, over 3240 items..) check the All Software Updates section of the ConfigMgr console. You might have to wait even longer for the console to display everything.

 

synched via PowerShell.png

 

Job done ! Isn't PowerShell automation amazing.

 

Note: The observant amongst you will notice different languages listed even though we only specified English. This is a bug (either in SCCM or WSUS, not sure which yet) and Microsoft is working on it.

Summary

In this guide you learned about configuring the Software Update Point role in ConfigMgr to get it ready for deploying security updates and to perform Windows 10 servicing in your enterprise, and you were shown how to do it manually and fully automated using PowerShell. Thanks for reading my guides !

 

Related Reading

Downloads

You can download a Microsoft Word copy of this guide here dated 2016/01/16 Setting up Software Updates with System Center Configuration Manager Current Branch.zip

 

You can download the PowerShell script used above here. Add SUP role.zip

 

Next Post > Installing the Client Agent
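
The log checks from Steps 2 and 3, gathered into one PowerShell function as an added example (not part of the original post and not the downloadable Add SUP Role.ps1 script). The function name Get-SupLogStatus and the sample log lines are assumptions made for illustration; the marker strings are the ones quoted in the guide.

```powershell
# Added example, not the guide's script. Marker strings are the ones quoted in the
# guide; the function name and the sample log lines below are constructed.
function Get-SupLogStatus {
    param([Parameter(Mandatory)][string]$LogPath)

    # Log file -> the text the guide says to look for in it.
    $checks = @(
        @{ Log = 'SUPSetup.log'; Marker = 'Installation was successful' }
        @{ Log = 'WCM.log';      Marker = 'Successfully refreshed categories from WSUS server' }
    )
    foreach ($c in $checks) {
        $file = Join-Path $LogPath $c.Log
        $hit  = $null
        if (Test-Path $file) {
            $hit = Select-String -Path $file -Pattern $c.Marker -SimpleMatch |
                Select-Object -Last 1
        }
        $status = if ($hit) { 'OK' } elseif (Test-Path $file) { 'MarkerNotFound' } else { 'LogMissing' }
        [pscustomobject]@{ Log = $c.Log; Status = $status; Evidence = $hit.Line }
    }

    # wsyncmgr.log accumulates every attempt, so only the most recent outcome counts.
    $sync = Join-Path $LogPath 'wsyncmgr.log'
    $last = $null
    if (Test-Path $sync) {
        $last = Select-String -Path $sync -Pattern 'Sync succeeded', 'Sync failed' -SimpleMatch |
            Select-Object -Last 1
    }
    $status = if (-not $last) { 'NoSyncOutcomeYet' } elseif ($last.Line -like '*Sync succeeded*') { 'OK' } else { 'SyncFailed' }
    [pscustomobject]@{ Log = 'wsyncmgr.log'; Status = $status; Evidence = $last.Line }
}

# Constructed sample logs: SUP installed, categories not refreshed yet,
# and an earlier failed sync followed by a successful one.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'sup-log-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content (Join-Path $demo 'SUPSetup.log') 'Installation was successful.'
Set-Content (Join-Path $demo 'WCM.log') 'Checking WSUS configuration (constructed line)'
Set-Content (Join-Path $demo 'wsyncmgr.log') @(
    'Sync failed. Will retry in 60 minutes'
    'Sync succeeded. Setting sync alert to canceled state on site P01'
)
Get-SupLogStatus -LogPath $demo | Format-Table -AutoSize
```

On a real site server, pass <ConfigMgr Installation Path>\Logs as -LogPath instead of the demo folder.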



My LAB is based on Server 2016, and SCCM is 1606? Version 5.00.8412.1000 and Build Number 8412

I got stuck at the end of the step 2, can someone please try to help?

 

This is what in my wsyncmgr.log:

Found 1 SUPs SMS_WSUS_SYNC_MANAGER 11/9/2016 4:11:04 PM 5832 (0x16C8)
Found active SUP CM01.sccmlab.com from SCF File. SMS_WSUS_SYNC_MANAGER 11/9/2016 4:11:04 PM 5832 (0x16C8)
DB Server not detected for SUP CM01.sccmlab.com from SCF File. skipping. SMS_WSUS_SYNC_MANAGER 11/9/2016 4:11:05 PM 5832 (0x16C8)
Sync failed: WSUS update source not found on site P01. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSource SMS_WSUS_SYNC_MANAGER 11/9/2016 4:11:05 PM 5832 (0x16C8)
STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=CM01.sccmlab.com SITE=P01 PID=2492 TID=5832 GMTDATE=Thu Nov 10 00:11:05.594 2016 ISTR0="getSiteUpdateSource" ISTR1="WSUS update source not found on site P01. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 11/9/2016 4:11:05 PM 5832 (0x16C8)
Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 11/9/2016 4:11:06 PM 5832 (0x16C8)
Setting sync alert to active state on site P01 SMS_WSUS_SYNC_MANAGER 11/9/2016 4:11:06 PM 5832 (0x16C8)

This is the WSUSCtrl:

Successfully connected to local WSUS server SMS_WSUS_CONTROL_MANAGER 11/9/2016 4:11:34 PM 6836 (0x1AB4)
Errors were reported in these WSUS Server components WSUSService, on WSUS Server CM01.sccmlab.com SMS_WSUS_CONTROL_MANAGER 11/9/2016 4:11:34 PM 6836 (0x1AB4)
STATMSG: ID=7001 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONTROL_MANAGER" SYS=CM01.sccmlab.com SITE=P01 PID=2492 TID=6836 GMTDATE=Thu Nov 10 00:11:34.243 2016 ISTR0="CM01.sccmlab.com" ISTR1="WSUSService," ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_WSUS_CONTROL_MANAGER 11/9/2016 4:11:34 PM 6836 (0x1AB4)

Why am I getting "DB Server not detected for SUP CM01.sccmlab.com from SCF File. skipping. SMS_WSUS_SYNC_MANAGER 11/9/2016 4:11:05 PM 5832 (0x16C8)"
My SQL is up and running, console is up and no issues as well?


What can you actually do with those upgrades?

Because as I understand it, you must use a servicing plan or task sequence (and task sequence uses an ISO?)

I mean, you can't do as you would with other updates, right click and deploy?


sure you can right click and deploy, and follow the wizard, it's just a software update after all, the ADR created by Servicing Plans is just a way to automate that...

deploy update.png


So I have removed my WSUS role, deleted the SUSDB and removed the SUP on SCCM. Upon re-configuring WSUS, then the SUP, when I get to classifications, upgrade is not listed. I found this windows noob how to, downloaded the hotfix above, but when I run the hotfix, I get the error below, I assume this has been fixed in my version of SCCM 1606? However I am still not seeing upgrades? Any idea why?

Error.jpg


so you are setting this up in Server 2016 or ? where are the upgrades missing exactly, in WSUS or in the SUP ?
