using SCCM 2012 in a LAB - Part 6. Deploying Software Updates

[anyweb]

In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality, Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by Enabling Discovery methods and creating Boundary's and Boundary Groups. In Part 4 we configured Client Settings, Added roles and Distributed the Configmgr Client to our Computers within the LAB, then in Part 5 we enabled the Endpoint Protection Role and configured Endpoint Protection settings and targeted a collection called All Windows 7 Computers with these settings and policies.

Now we will configure our SUP further to Deploy software updates to our All Windows 7 Computers and Build Windows 7 X64 collections.

Recommended Reading:-

Planning for Software Updates in Configuration Manager - http://technet.micro...y/gg712696.aspx
Prerequisites for Software Updates in Configuration Manager - http://technet.micro...y/hh237372.aspx
Configuring Software Updates in Configuration Manager - http://technet.micro...y/gg712312.aspx

Step 1. Configure the SUP Products to Sync and Perform a Sync

Perform the following on the SCCM server as SMSadmin

Click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Software Update Point.



In the Products tab ensure that the product Windows 7 check box is selected.



Click on Software Library, Software Updates, right click on All Software Updates and choose Synchronize Software Updates, answer Yes when prompted.



Monitor the Sync process using the Wsyncmgr.log file in CMTrace.

As we started the sync manually you should search for the following string "Performing Sync on local request", followed by the status of the sync and you know it's complete when you can see the following line "Sync Succeeded. Setting Sync alert to cancelled on Site P01."





Step 2. Specify Search Criteria for Software Updates

Perform the following on the SCCM server as SMSadmin

In the console, click Software Library, expand it and select All Software Updates then click on Add Criteria in the top right of the search field. In the scrollable Add Criteria menu, select the following options

• Bulletin ID
• Expired
• Superseded
• Product

then define the criteria using the drop down menus beside each option



so that they look as follows:-

• Product = Windows 7
• Bulletin ID =MS
• Expired = No
• Superseded = No

then click on Search, you'll get a list of results like so







let's save our Search criteria and call it Windows 7 Updates search criteria, you can return to this search later by clicking on saved searches and selecting your search from the list.




Step 3. Create a Software Update Group that Contains the Software Updates

Perform the following on the SCCM server as SMSadmin


Note: Normally you'd want to look through all these updates and filter out (delete) the ones that are not applicable to you, such as Beta or Service Packs, Delete these from your list before continuing.

After we've trimmed down out updates we'll select the remaining updates by selecting all the updates found in our search criteria above by clicking on one update and then pressing CTRL + A, it should say 153 (or similar) items selected in the bottom left corner, make sure you are still in the Search Criteria as in the picture below



In the ribbon, click on Home and then in the Update click on Create Software Update Group, call it Windows 7 Updates and click on Create



Now you can click on Software Update Groups in the console and you'll see your newly created Software Update Group, right click on it and choose Show Members to see the updates in this group.



this lists the Sotware Updates contained in the Software Update Group





Step 4. Deploy the Software Update Group


Perform the following on the SCCM server as SMSadmin


We could download the Content for the Software Update Group to verify that it's available before distributing it to our Distribution Points, but we'll skip that step and go ahead and deploy our Updates to our previously created All Windows 7 Computers collection. Select the Windows 7 Updates Software Update Group and in the Ribbon click on Deploy.



give it a name and point it to our All Windows 7 Computers collection.



Note: if you click on Select deployment Template, it will appear empty as you have no created any templates yet.

for Deployment Settings set the type of deployment to Required (mandatory) and State message level to Minimal (to reduce Configuration Manager server load via state messages)



For scheduling set the Time Based on to UTC



for User Experience we want the user to see they are being updated,



set Alerts client compliance is below the following to 80%,

Set the Download Settings to download if a slow or unreliable connection detected, click next



when you get to Deployment Package, choose create a new deployment package,

Note: Make sure that \\sccm\sources\updates\windows7 (or whatever path you choose) exists otherwise the wizard will fail below when it tries to Download as the Network Path won't exist



select your Distribution Point and click next, then for Download Location select Download Software Updates from the Internet, select the English language and at the summary screen click on Save As Template, call the template Windows 7 updates Template



TIP: To review the progress of this task, while you are waiting for the wizard to complete you can browse the UNC on your server of your Deployment Package to see that it's actually filling up with updates, you should see something like this



And that's it, after you complete the wizard the software updates in the software update group are deployed to computers in the target collection



Finally, create a new collection called Build and Capture Windows 7 X64 and repeat the above Deployment for our Windows 7 Updates and target it to the Build and Capture Windows 7 X64 Collection as follows



In the next two parts we will start adding clients to these collections and we will verify that the above is really working.

[n00blar]

Here's a message I've received as I was attempting to create a Software Update Group:

 

The number of updates in the selected group exceeds the maximum allowed per deployment. The maximum number of updates for any single deployment is 500. Reduce the number of updates in this group to create a deployment.

 

Interesting to know this...

[tmewin]

Hi

 

I followed all the steps that were listed above and it all works fine but i'm getting this error from the Wsyncmgr.log and i can't seem to find the fix for it.

 

I keep getting errors Failed to sync update 482d29fe-7a9b-46cc-a77e-0af94f146ce3. Error: The Microsoft Software License Terms have not been completely downloaded and cannot be accepted. Source: Microsoft.UpdateServices.Internal.BaseApi.SoapExceptionProcessor.DeserializeAndThrow for certain updates.

 

Any help with this would be appreciated.

 

Thanks

 

[Mathieu.desjardins]

You have to accept terms for some updates. You can see which updates require the approval by doing a right clic on the title bar and select License Terms to show that column in the window.

You then have to accept the Terms on updates before downloading them.

[t0meck]

Hello everyone.

 

I'm following this tutorial and I must say it's pretty good. But during this part I got some problems. When you say that in a few minutes there should be some updates downloaded and/or deployed, in my test lab there's no downloaded updates and there should be and since I've setup network so my workstations are cut off of internet (second nic is disabled) they only have connection with dc and sccm. Since you imply to set update point only from sccm I did like you said but my workstations (one to be precise) can't update Endpoint Protection client definitions and also my sccm isn't downloading any (but it can since only my sccm has internet connection) updates from Microsoft so please help me with this. I don't want to skip anything if I don't have to.

BTW. my sccm lab is running in native mode. I've setup the environment like for sccm 2007 native and uptill now everything worked ok.

 

EDIT:

Oh. Now I found there's an option to force download right away but the outcome of this operations is a failure since I get "Access Denied" error.

[anyweb]

can you clarify, does your SCCM server have access to the internet ? what happens when you trigger a sync does that work ?

[t0meck]

can you clarify, does your SCCM server have access to the internet ? what happens when you trigger a sync does that work ?

 

DC - no internet access

SCCM - has access to the internet

Workstations - no internet access

 

When I trigger sync, WSUS downloads the list of updates but only the list not the updates itself and when I try to force download right away i get Access Denied error.

In logs there is a line which says: Failed to download contentID 16791605 for UpdateID 16792808. Error code = 5

[anyweb]

ok then, if you are sure you followed the guide exactly as i explained it then check your component status logs, is there anything obvious wrong in there ?

[t0meck]

ok then, if you are sure you followed the guide exactly as i explained it then check your component status logs, is there anything obvious wrong in there ?

 

I tried to follow as much as I could. The only difference is the fact that I do everything as "The Administrator" user and I run SCCM 2012 in native mode.

BTW. How do I check the component status logs? Which files should I check?

\\sccm\sms_xyz\Logs\*.log ? or only some of them?

 

Also sorry for delay. I'm not everyday at my workplace where I have my SCCM 2012 lab setup.

[techguyben]

I keep getting "Access is denied" error when attempting to download software packages to the UNC path.

 

I have been using a domain admin account for everything, shouldn't that allow me to have full control over the server which includes downloading and saving files on the server?