anyweb

Using SCCM 2012 in a LAB - Part 6. Deploying Software Updates



In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality: Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by enabling Discovery methods and creating Boundaries and Boundary Groups. In Part 4 we configured Client Settings, added roles and distributed the Configmgr Client to our computers within the LAB. Then in Part 5 we enabled the Endpoint Protection Role, configured Endpoint Protection settings and targeted a collection called All Windows 7 Computers with these settings and policies.

Now we will configure our SUP further to Deploy software updates to our All Windows 7 Computers and Build Windows 7 X64 collections.

Recommended Reading:-

Planning for Software Updates in Configuration Manager - http://technet.micro...y/gg712696.aspx
Prerequisites for Software Updates in Configuration Manager - http://technet.micro...y/hh237372.aspx
Configuring Software Updates in Configuration Manager - http://technet.micro...y/gg712312.aspx

Step 1. Configure the SUP Products to Sync and Perform a Sync

Perform the following on the SCCM server as SMSadmin

Click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Software Update Point.

In the Products tab ensure that the product Windows 7 check box is selected.

Click on Software Library, Software Updates, right click on All Software Updates and choose Synchronize Software Updates, answer Yes when prompted.

Monitor the Sync process using the Wsyncmgr.log file in CMTrace.

As we started the sync manually you should search for the following string "Performing Sync on local request", followed by the status of the sync and you know it's complete when you can see the following line "Sync Succeeded. Setting Sync alert to cancelled on Site P01."

Step 2. Specify Search Criteria for Software Updates

Perform the following on the SCCM server as SMSadmin

In the console, click Software Library, expand it and select All Software Updates then click on Add Criteria in the top right of the search field. In the scrollable Add Criteria menu, select the following options

  • Bulletin ID
  • Expired
  • Superseded
  • Product

then define the criteria using the drop down menus beside each option

so that they look as follows:-

  • Product = Windows 7
  • Bulletin ID = MS
  • Expired = No
  • Superseded = No

then click on Search, you'll get a list of results like so





let's save our Search criteria and call it Windows 7 Updates search criteria, you can return to this search later by clicking on saved searches and selecting your search from the list.

Step 3. Create a Software Update Group that Contains the Software Updates

Perform the following on the SCCM server as SMSadmin


Note: Normally you'd want to look through all these updates and filter out (delete) the ones that are not applicable to you, such as Beta or Service Packs. Delete these from your list before continuing.

After we've trimmed down our updates we'll select the remaining updates by selecting all the updates found in our search criteria above by clicking on one update and then pressing CTRL + A. It should say 153 (or similar) items selected in the bottom left corner. Make sure you are still in the Search Criteria as in the picture below.

In the ribbon, click on Home and then in the Update click on Create Software Update Group, call it Windows 7 Updates and click on Create

Now you can click on Software Update Groups in the console and you'll see your newly created Software Update Group, right click on it and choose Show Members to see the updates in this group.

This lists the Software Updates contained in the Software Update Group.

Step 4. Deploy the Software Update Group


Perform the following on the SCCM server as SMSadmin


We could download the Content for the Software Update Group to verify that it's available before distributing it to our Distribution Points, but we'll skip that step and go ahead and deploy our Updates to our previously created All Windows 7 Computers collection. Select the Windows 7 Updates Software Update Group and in the Ribbon click on Deploy.

give it a name and point it to our All Windows 7 Computers collection.

Note: if you click on Select deployment Template, it will appear empty as you have not created any templates yet.

for Deployment Settings set the type of deployment to Required (mandatory) and State message level to Minimal (to reduce Configuration Manager server load via state messages)

For scheduling set the Time Based on to UTC

for User Experience we want the user to see they are being updated,

set Alerts client compliance is below the following to 80%,

Set the Download Settings to download if a slow or unreliable connection detected, click next

when you get to Deployment Package, choose create a new deployment package,

Note: Make sure that \\sccm\sources\updates\windows7 (or whatever path you choose) exists otherwise the wizard will fail below when it tries to Download as the Network Path won't exist

select your Distribution Point and click next, then for Download Location select Download Software Updates from the Internet, select the English language and at the summary screen click on Save As Template, call the template Windows 7 updates Template

TIP: To review the progress of this task, while you are waiting for the wizard to complete you can browse the UNC on your server of your Deployment Package to see that it's actually filling up with updates, you should see something like this

And that's it, after you complete the wizard the software updates in the software update group are deployed to computers in the target collection

Finally, create a new collection called Build and Capture Windows 7 X64 and repeat the above Deployment for our Windows 7 Updates and target it to the Build and Capture Windows 7 X64 Collection as follows

In the next two parts we will start adding clients to these collections and we will verify that the above is really working.

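The Wsyncmgr.log check from Step 1, as an added example that is not part of the original post: a PowerShell function that pulls the sync markers quoted in this thread out of CMTrace-format log lines. The function name Get-WsusSyncSummary is hypothetical, and the sample lines (timestamps, thread and file values, and the all-zero update ID) are constructed.

```powershell
# Added example, not from the original post. The sample lines are constructed;
# the message texts are the ones quoted in this thread.
$sample = @'
<![LOG[Performing Sync on local request]LOG]!><time="10:02:11.120+000" date="11-18-2011" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4012" file="sample:0">
<![LOG[Failed to sync update 482d29fe-7a9b-46cc-a77e-0af94f146ce3. Error: The Microsoft Software License Terms have not been completely downloaded and cannot be accepted. Source: Microsoft.UpdateServices.Internal.BaseApi.SoapExceptionProcessor.DeserializeAndThrow]LOG]!><time="10:05:40.002+000" date="11-18-2011" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4012" file="sample:0">
<![LOG[Failed to sync update 00000000-0000-0000-0000-000000000000. Error: constructed failure unrelated to licensing]LOG]!><time="10:05:41.310+000" date="11-18-2011" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4012" file="sample:0">
<![LOG[Sync Succeeded. Setting Sync alert to cancelled on Site P01.]LOG]!><time="10:09:03.455+000" date="11-18-2011" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4012" file="sample:0">
'@

function Get-WsusSyncSummary {
    param([string[]]$Line)

    # One CMTrace-style record per line: the message, then time and date attributes.
    # Records whose message wraps over several lines are skipped by this pattern.
    $record = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'

    $requested = $null
    $succeeded = $null
    $licenseBlocked = New-Object 'System.Collections.Generic.List[string]'
    $otherFailed    = New-Object 'System.Collections.Generic.List[string]'

    foreach ($l in $Line) {
        if ($l -notmatch $record) { continue }      # blank or malformed line
        $msg  = $Matches['msg']
        $when = '{0} {1}' -f $Matches['date'], $Matches['time']

        switch -Regex ($msg) {                      # case-insensitive by default
            '^Performing sync on local request' {
                # A new manual sync starts: drop results from any earlier run.
                $requested = $when
                $succeeded = $null
                $licenseBlocked.Clear()
                $otherFailed.Clear()
                break
            }
            '^Failed to sync update (?<id>[0-9a-f-]{36})\. Error: (?<err>.*)$' {
                # Separate updates waiting on license terms from other failures.
                if ($Matches['err'] -like '*License Terms*') { $licenseBlocked.Add($Matches['id']) }
                else { $otherFailed.Add($Matches['id']) }
                break
            }
            '^Sync succeeded' { $succeeded = $when; break }
        }
    }

    New-Object psobject -Property @{
        SyncRequested  = $requested                 # $null if no manual sync was logged
        SyncSucceeded  = $succeeded                 # $null while the sync is still running
        LicenseBlocked = $licenseBlocked.ToArray()  # update IDs waiting on license terms
        OtherFailures  = $otherFailed.ToArray()
    }
}

Get-WsusSyncSummary -Line ($sample -split '\r?\n') | Format-List
```

To run it against a site server, pass the output of `Get-Content` on your own Wsyncmgr.log as `-Line`.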


Here's a message I've received as I was attempting to create a Software Update Group:

 

The number of updates in the selected group exceeds the maximum allowed per deployment. The maximum number of updates for any single deployment is 500. Reduce the number of updates in this group to create a deployment.

 

Interesting to know this...


Hi

 

I followed all the steps that were listed above and it all works fine but I'm getting this error from the Wsyncmgr.log and I can't seem to find the fix for it.

 

I keep getting errors Failed to sync update 482d29fe-7a9b-46cc-a77e-0af94f146ce3. Error: The Microsoft Software License Terms have not been completely downloaded and cannot be accepted. Source: Microsoft.UpdateServices.Internal.BaseApi.SoapExceptionProcessor.DeserializeAndThrow for certain updates.

 

Any help with this would be appreciated.

 

Thanks

 


You have to accept terms for some updates. You can see which updates require the approval by doing a right click on the title bar and selecting License Terms to show that column in the window.

You then have to accept the Terms on updates before downloading them.


Hello everyone.

 

I'm following this tutorial and I must say it's pretty good. But during this part I got some problems. When you say that in a few minutes there should be some updates downloaded and/or deployed, in my test lab there's no downloaded updates and there should be and since I've setup network so my workstations are cut off of internet (second nic is disabled) they only have connection with dc and sccm. Since you imply to set update point only from sccm I did like you said but my workstations (one to be precise) can't update Endpoint Protection client definitions and also my sccm isn't downloading any (but it can since only my sccm has internet connection) updates from Microsoft so please help me with this. I don't want to skip anything if I don't have to.

BTW. My sccm lab is running in native mode. I've set up the environment like for sccm 2007 native and up till now everything worked ok.

 

EDIT:

Oh. Now I found there's an option to force download right away but the outcome of this operations is a failure since I get "Access Denied" error.


Can you clarify, does your SCCM server have access to the internet? What happens when you trigger a sync, does that work?

DC - no internet access

SCCM - has access to the internet

Workstations - no internet access

 

When I trigger sync, WSUS downloads the list of updates, but only the list, not the updates themselves, and when I try to force download right away I get Access Denied error.

In logs there is a line which says: Failed to download contentID 16791605 for UpdateID 16792808. Error code = 5


OK then, if you are sure you followed the guide exactly as I explained it then check your component status logs. Is there anything obviously wrong in there?

I tried to follow as much as I could. The only difference is the fact that I do everything as "The Administrator" user and I run SCCM 2012 in native mode.

BTW. How do I check the component status logs? Which files should I check?

\\sccm\sms_xyz\Logs\*.log ? or only some of them?

 

Also sorry for delay. I'm not everyday at my workplace where I have my SCCM 2012 lab setup.


I keep getting "Access is denied" error when attempting to download software packages to the UNC path.

 

I have been using a domain admin account for everything, shouldn't that allow me to have full control over the server which includes downloading and saving files on the server?


I am trying to get this set up in a lab for a client and I have a problem when the Updates attempt to download from the internet. They use a proxy server and there is no practical way to bypass the proxy server. I know the proxy is the problem. Is there some way to configure SCCM to use the proxy address to download the patches? Windows Updater is set to use the proxy. Any help would be appreciated.


Choose servers and site system roles, software update point; you can configure the proxy settings in there.

I found out why I'm getting Access Denied error while downloading updates from internet.

That was because \\sccm\sources is a share READ-ONLY for everyone.

So I added user SMSadmin with Full-Control permission and that solved the problem.


Dear.

I might have a stupid question.

We have WSUS implemented in the organization and it’s managed through AD GPOs.

We installed SCCM 2012 (thanks to your blog, we solved a lot of issues). We uninstalled all existing WSUS servers. We deleted the WSUS GPOs.

On a new server, we installed WSUS, but did not configure it. On SCCM 2012, we deployed the SUP to this new server. We configured software updates as explained on your site.

The questions I have:

  • Do we need to do something in AD or GPO’s for WSUS/SCCM ??? Or will everything completely be managed by SCCM.
  • SCCM found all our clients, software metering is ok, clients were approved too … but the compliance status is still unknown.
  • How can I force a compliance scan on my SCCM clients? The last compliance scan time report is empty, so I suppose they never did a compliance scan.
  • When I create a report, all updates are marked as being not approved. Should I somewhere approve the patches before, such as in WSUS?

Thanks in advance,

Regards,

Peter

I found out why I'm getting Access Denied error while downloading updates from internet. That was because \\sccm\sources is a share READ-ONLY for everyone. So I added user SMSadmin with Full-Control permission and that solved the problem.

 

Changing the Share settings is what worked for me.

 

Thanks!


Thanks for the great step by step guide.

Is there any way to customize the client pop up restart window message after updates are installed?

Thanks in advance.


Right click on a Software Update Group and choose Show Members. From there, you can select updates and right click to Edit Membership; that will remove the update(s) from the software update groups.


Thanks for these tutorials!

For creating a Windows x64 collection, does the query that you provided in Part 5 need to be altered to filter for x64?

select *  from  SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%"


Hi,

 

Very interesting post with good advice.

 

I wanted to know if you had some tips or inputs for some offline sccm updates.

If you download the updates on the side, from a distant WSUS server and want to manually add the updates to the sccm SUP

 

Do you have anything related? or inputs on how to import those?

 

Thanks :)


I'm curious - do we have to update the included update list manually, or does it automatically update the contained updates on its own?

 

I'd have assumed to just set the domain computers to point to WSUS and be done with things, why do we configure all of these deployment groups and rules? Is it not just repeating what WSUS does on its own?


I know this question is old, but if it were to be answered, it would be of great help to me. I am in a lab environment, so I installed WSUS on a server, then added it to my primary site as the SUP. I created a SUG and deployed them to a device collection to no avail. In fact, it is just showing "Unknown" for the collection as though it doesn't even know if any of the PCs (1) in the collection needs the updates.

 

I only have a WSUS server and SCCM. No GPOs, no changes to the desktop (it was added to the domain and left alone). When I created a device collection containing said desktop and deployed the package, nothing.

 

 
