

anyweb

using SCCM 2012 in a LAB - Part 6. Deploying Software Updates


I know this question is old, but if it were to be answered, it would be of great help to me. I am in a lab environment, so I installed WSUS on a server, then added it to my primary site as the SUP. I created a SUG and deployed them to a device collection to no avail. In fact, it is just showing "Unknown" for the collection as though it doesn't even know if any of the PCs (1) in the collection needs the updates.

 

I only have a WSUS server and SCCM. No GPOs, no changes to the desktop (it was added to the domain and left alone). When I created a device collection containing said desktop and deployed the package, nothing.

 

 

Do we need to do something in AD or GPO’s for WSUS/SCCM ??? Or will everything completely be managed by SCCM.

If you haven't set anything before, then you do not need to do anything. SCCM uses local policies to use SUP. If you have any GPO's with any update setting, they will override the local ones, and possibly create problems.

 

SCCM found all our clients, software metering is ok, clients were approved too … but the compliancy status is still unknown.

Seems like they have a problem connecting to SUP. Check these logs:

 

UpdatesDeployment.log

Provides information about the deployment on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface.

UpdatesHandler.log

Provides information about software update compliance scanning and about the download and installation of software updates on the client.

UpdatesStore.log

Provides information about the compliance status for the software updates that were assessed during the compliance scan cycle.

 

How can I force a compliance scan on my SCCM clients? The last compliance scan time report is empty, so I suppose they never did a compliance scan.

Control panel - Configuration Manager - Action [tab] - Software updates deployment evaluation cycle

ref.

  • Software Updates Deployment Evaluation Cycle: Evaluates the state of new and existing deployments and their associated software updates. This includes scanning for software updates compliance, but may not always catch scan results for the latest updates. This is a forced online scan and requires that the WSUS server is available for this action to succeed.
  • Software Updates Scan Cycle: Scans for software updates compliance for updates that are new since the last scan. This action does not evaluate deployment policies as the Software Updates Deployment Evaluation Cycle does. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

Source: http://technet.microsoft.com/en-us/library/bb632393.aspx

 

When I create a report, all updates are marked as being not approved. Should I somewhere approve the patches before, such as in WSUS?

You use an update list as a way to approve updates. The ones that are on the list that you deploy will be evaluated and, if required, be installed.



Thanks - I have checked these logs and this is what I've found. Does this tell you anything?

 

From UpdatesDeployment.log in no specific order

[No actionable updates for install task. No attempt required.]

[updates could not be installed at this time. Waiting for the next maintenance window.]

[Attempting to install 0 updates]

[Auto install during non-business hours is disabled or never set, selecting only scheduled updates]

[A user-defined service window (non-business hours) is available. We will attempt to install any scheduled updates.]

 

 

From UpdatesStore.log

There were some errors, but now for the past few days it has said "Successfully refreshed Resync state message" and "Refresh status completed successfully".


I'm curious - do we have to update the included update list manually, or does it automatically update the contained updates on its own?

 

I'd have assumed to just set the domain computers to point to WSUS and be done with things, why do we configure all of these deployment groups and rules? Is it not just repeating what WSUS does on its own?

 

Any thoughts people? I'm hoping it all happens automagically once setup, if not then would using WSUS not be a better option to reduce admin intervention?


 

Any thoughts people? I'm hoping it all happens automagically once setup, if not then would using WSUS not be a better option to reduce admin intervention?

Interested in the responses you receive as I, too, am still awaiting seeing a compelling reason to move from patching with WSUS to patching with SCCM.


Interested in the responses you receive as I, too, am still awaiting seeing a compelling reason to move from patching with WSUS to patching with SCCM.

 

Further reading does suggest you can have an automatic or manual software update deployment rule - the automatic one appears to automatically scan for new updates, then make them available to the relevant device group. Need to do a bit of playing to see how that works, as for critical/security/definition updates this would be my preferred method, I want my manual intervention requirements to be as low as possible!


when you say "Create new Build and Capture Windows 7 X64 collection"

 

I think I am missing something. I can create "Device" and "User" collections. Where do I have to create "Build and Capture Collection"?

 

Thank you.


when you say "Create new Build and Capture Windows 7 X64 collection"

 

I think I am missing something. I can create "Device" and "User" collections. Where do I have to create "Build and Capture Collection"?

 

Thank you.

 

Hey,

 

Click on Assets and Compliance --> Right click Device Collections --> Click Create Device Collection.

  • Like 1


I can't seem to get any updates deployed. The synchronization is working between my WSUS server on the CA and the WSUS server on the primary, but when I try to deploy an update I get 0x80244022 errors everywhere, especially in the WindowsUpdate.log on the client and in the WUHandler.log on the servers. In addition I am seeing a 503 error on the server logs. Below is some content of the WindowsUpdate.log on the client.

 

012-05-07 09:20:34:711 2860 11a8 COMAPI -------------

2012-05-07 09:20:34:712 2860 11a8 COMAPI WARNING: Operation failed due to earlier error, hr=80244022

2012-05-07 09:20:34:712 2860 11a8 COMAPI FATAL: Unable to complete asynchronous search. (hr=80244022)

2012-05-07 09:20:39:037 2860 11a8 COMAPI -------------

2012-05-07 09:20:39:037 2860 11a8 COMAPI -- START -- COMAPI: Search [ClientId = CcmExec]

2012-05-07 09:20:39:037 2860 11a8 COMAPI ---------

2012-05-07 09:20:39:039 2860 11a8 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]

2012-05-07 09:20:39:039 924 1abc Agent *************

2012-05-07 09:20:39:039 924 1abc Agent ** START ** Agent: Finding updates [CallerId = CcmExec]

2012-05-07 09:20:39:039 924 1abc Agent *********

2012-05-07 09:20:39:039 924 1abc Agent * Include potentially superseded updates

2012-05-07 09:20:39:039 924 1abc Agent * Online = Yes; Ignore download priority = Yes

2012-05-07 09:20:39:039 924 1abc Agent * Criteria = "(DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver')"

2012-05-07 09:20:39:039 924 1abc Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed

2012-05-07 09:20:39:039 924 1abc Agent * Search Scope = {Machine}

2012-05-07 09:20:39:278 924 1abc PT +++++++++++ PT: Synchronizing server updates +++++++++++

2012-05-07 09:20:39:278 924 1abc PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://HQSCCM01.MicroTechllc.com:8530/ClientWebService/client.asmx

2012-05-07 09:20:39:285 924 1abc PT WARNING: Cached cookie has expired or new PID is available

2012-05-07 09:20:39:286 924 1abc PT Initializing simple targeting cookie, clientId = 688b5ad1-7986-4e6c-a97a-ae0c0a10a391, target group = Windows 7, DNS name = matkinson-lpt.microtechllc.com

2012-05-07 09:20:39:286 924 1abc PT Server URL = http://HQSCCM01.MicroTechllc.com:8530/SimpleAuthWebService/SimpleAuth.asmx

2012-05-07 09:20:39:289 924 1abc PT WARNING: GetAuthorizationCookie failure, error = 0x80244022, soap client error = 10, soap error code = 0, HTTP status code = 503

2012-05-07 09:20:39:290 924 1abc PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80244022

2012-05-07 09:20:39:290 924 1abc PT WARNING: PopulateAuthCookies failed: 0x80244022

2012-05-07 09:20:39:290 924 1abc PT WARNING: RefreshCookie failed: 0x80244022

2012-05-07 09:20:39:290 924 1abc PT WARNING: RefreshPTState failed: 0x80244022

2012-05-07 09:20:39:290 924 1abc PT WARNING: Sync of Updates: 0x80244022

2012-05-07 09:20:39:290 924 1abc PT WARNING: SyncServerUpdatesInternal failed: 0x80244022

2012-05-07 09:20:39:290 924 1abc Agent * WARNING: Failed to synchronize, error = 0x80244022

2012-05-07 09:20:39:290 924 1abc Agent * WARNING: Exit code = 0x80244022

2012-05-07 09:20:39:290 924 1abc Agent *********

2012-05-07 09:20:39:290 924 1abc Agent ** END ** Agent: Finding updates [CallerId = CcmExec]

2012-05-07 09:20:39:291 924 1abc Agent *************

2012-05-07 09:20:39:291 924 1abc Agent WARNING: WU client failed Searching for update with error 0x80244022

2012-05-07 09:20:39:297 924 1abc Report REPORT EVENT: {15955890-C614-4895-8491-E07C4EA1B365} 2012-05-07 09:20:34:704-0400 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80244022 CcmExec Failure Software Synchronization Windows Update Client failed to detect with error 0x80244022.

2012-05-07 09:20:39:297 924 1abc Report REPORT EVENT: {7E5220B4-84D3-4762-9655-703B43E2E072} 2012-05-07 09:20:39:290-0400 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80244022 CcmExec Failure Software Synchronization Windows Update Client failed to detect with error 0x80244022.

2012-05-07 09:20:39:303 2860 1fa8 COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = CcmExec]

2012-05-07 09:20:39:303 2860 1fa8 COMAPI - Updates found = 0

2012-05-07 09:20:39:303 2860 1fa8 COMAPI - WARNING: Exit code = 0x00000000, Result code = 0x80244022

2012-05-07 09:20:39:303 2860 1fa8 COMAPI ---------

2012-05-07 09:20:39:303 2860 1fa8 COMAPI -- END -- COMAPI: Search [ClientId = CcmExec]

2012-05-07 09:20:39:303 2860 1fa8 COMAPI -------------

2012-05-07 09:20:39:304 2860 1fa8 COMAPI WARNING: Operation failed due to earlier error, hr=80244022

2012-05-07 09:20:39:304 2860 1fa8 COMAPI FATAL: Unable to complete asynchronous search. (hr=80244022)

2012-05-07 09:20:39:305 924 1abc Report CWERReporter::HandleEvents - WER report upload completed with status 0x8

2012-05-07 09:20:39:305 924 1abc Report WER Report sent: 7.5.7601.17514 0x80244022 00000000-0000-0000-0000-000000000000 Scan 101 Managed

2012-05-07 09:20:39:312 924 1abc Report CWERReporter::HandleEvents - WER report upload completed with status 0x8

2012-05-07 09:20:39:312 924 1abc Report WER Report sent: 7.5.7601.17514 0x80244022 00000000-0000-0000-0000-000000000000 Scan 101 Managed

2012-05-07 09:20:39:312 924 1abc Report CWERReporter finishing event handling. (00000000)

2012-05-07 09:23:45:391 2860 19ec COMAPI -------------

2012-05-07 09:23:45:391 2860 19ec COMAPI -- START -- COMAPI: Search [ClientId = CcmExec]

2012-05-07 09:23:45:391 2860 19ec COMAPI ---------

2012-05-07 09:23:45:393 2860 19ec COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]

2012-05-07 09:23:45:393 924 1abc Agent *************

2012-05-07 09:23:45:393 924 1abc Agent ** START ** Agent: Finding updates [CallerId = CcmExec]

2012-05-07 09:23:45:393 924 1abc Agent *********

2012-05-07 09:23:45:393 924 1abc Agent * Include potentially superseded updates

2012-05-07 09:23:45:393 924 1abc Agent * Online = Yes; Ignore download priority = Yes

2012-05-07 09:23:45:393 924 1abc Agent * Criteria = "(DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver')"

2012-05-07 09:23:45:393 924 1abc Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed

2012-05-07 09:23:45:393 924 1abc Agent * Search Scope = {Machine}

2012-05-07 09:23:45:651 924 1abc PT +++++++++++ PT: Synchronizing server updates +++++++++++

2012-05-07 09:23:45:651 924 1abc PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://HQSCCM01.MicroTechllc.com:8530/ClientWebService/client.asmx

2012-05-07 09:23:45:662 924 1abc PT WARNING: Cached cookie has expired or new PID is available

2012-05-07 09:23:45:662 924 1abc PT Initializing simple targeting cookie, clientId = 688b5ad1-7986-4e6c-a97a-ae0c0a10a391, target group = Windows 7, DNS name = matkinson-lpt.microtechllc.com

2012-05-07 09:23:45:662 924 1abc PT Server URL = http://HQSCCM01.MicroTechllc.com:8530/SimpleAuthWebService/SimpleAuth.asmx

2012-05-07 09:23:45:667 924 1abc PT WARNING: GetAuthorizationCookie failure, error = 0x80244022, soap client error = 10, soap error code = 0, HTTP status code = 503

2012-05-07 09:23:45:668 924 1abc PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80244022

2012-05-07 09:23:45:668 924 1abc PT WARNING: PopulateAuthCookies failed: 0x80244022

2012-05-07 09:23:45:668 924 1abc PT WARNING: RefreshCookie failed: 0x80244022

2012-05-07 09:23:45:668 924 1abc PT WARNING: RefreshPTState failed: 0x80244022

2012-05-07 09:23:45:668 924 1abc PT WARNING: Sync of Updates: 0x80244022

2012-05-07 09:23:45:668 924 1abc PT WARNING: SyncServerUpdatesInternal failed: 0x80244022

2012-05-07 09:23:45:668 924 1abc Agent * WARNING: Failed to synchronize, error = 0x80244022

2012-05-07 09:23:45:670 924 1abc Agent * WARNING: Exit code = 0x80244022

2012-05-07 09:23:45:670 924 1abc Agent *********

2012-05-07 09:23:45:670 924 1abc Agent ** END ** Agent: Finding updates [CallerId = CcmExec]

2012-05-07 09:23:45:670 924 1abc Agent *************

2012-05-07 09:23:45:670 924 1abc Agent WARNING: WU client failed Searching for update with error 0x80244022

2012-05-07 09:23:45:683 2860 19ec COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = CcmExec]

2012-05-07 09:23:45:683 2860 19ec COMAPI - Updates found = 0

2012-05-07 09:23:45:683 2860 19ec COMAPI - WARNING: Exit code = 0x00000000, Result code = 0x80244022

2012-05-07 09:23:45:683 2860 19ec COMAPI ---------

2012-05-07 09:23:45:683 2860 19ec COMAPI -- END -- COMAPI: Search [ClientId = CcmExec]

2012-05-07 09:23:45:683 2860 19ec COMAPI -------------

2012-05-07 09:23:45:684 2860 19ec COMAPI WARNING: Operation failed due to earlier error, hr=80244022

2012-05-07 09:23:45:684 2860 19ec COMAPI FATAL: Unable to complete asynchronous search. (hr=80244022)

2012-05-07 09:23:50:670 924 1abc Report REPORT EVENT: {DA55621E-39D6-4790-882A-DB78699F50D0} 2012-05-07 09:23:45:669-0400 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80244022 CcmExec Failure Software Synchronization Windows Update Client failed to detect with error 0x80244022.

2012-05-07 09:23:50:677 924 1abc Report CWERReporter::HandleEvents - WER report upload completed with status 0x8

2012-05-07 09:23:50:677 924 1abc Report WER Report sent: 7.5.7601.17514 0x80244022 00000000-0000-0000-0000-000000000000 Scan 101 Managed

2012-05-07 09:23:50:677 924 1abc Report CWERReporter finishing event handling. (00000000)

2012-05-07 09:24:47:300 924 1abc PT WARNING: Cached cookie has expired or new PID is available

2012-05-07 09:24:47:301 924 1abc PT Initializing simple targeting cookie, clientId = 688b5ad1-7986-4e6c-a97a-ae0c0a10a391, target group = Windows 7, DNS name = matkinson-lpt.microtechllc.com

2012-05-07 09:24:47:301 924 1abc PT Server URL = http://HQSCCM01.MicroTechllc.com:8530/SimpleAuthWebService/SimpleAuth.asmx

2012-05-07 09:24:47:308 924 1abc PT WARNING: GetAuthorizationCookie failure, error = 0x80244022, soap client error = 10, soap error code = 0, HTTP status code = 503

2012-05-07 09:24:47:309 924 1abc PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80244022

2012-05-07 09:24:47:309 924 1abc PT WARNING: PopulateAuthCookies failed: 0x80244022

2012-05-07 09:24:47:309 924 1abc PT WARNING: RefreshCookie failed: 0x80244022

2012-05-07 09:24:47:309 924 1abc PT WARNING: RefreshPTState failed: 0x80244022

2012-05-07 09:24:47:309 924 1abc PT WARNING: PTError: 0x80244022

2012-05-07 09:24:47:309 924 1abc Report WARNING: Reporter failed to upload events with hr = 80244022.

2012-05-07 09:27:01:584 924 1398 AU AU received policy change subscription event

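Added example, not part of the original post or thread: a Python triage script that groups a WindowsUpdate.log excerpt like the one above into scan attempts and reports, for each, the first failing call, its HTTP status and the endpoint logged just before it. The sample lines are constructed in the layout shown in the post; the host name `wsus01.example.test` and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the WindowsUpdate.log excerpt quoted above.
# The host name wsus01.example.test is a placeholder, not a value from the thread.
SAMPLE_LOG = """\
012-05-07 09:20:34:711 2860 11a8 COMAPI -------------
2012-05-07 09:20:39:039 924 1abc Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
2012-05-07 09:20:39:278 924 1abc PT + ServiceId = {00000000-0000-0000-0000-000000000000}, Server URL = http://wsus01.example.test:8530/ClientWebService/client.asmx
2012-05-07 09:20:39:286 924 1abc PT Server URL = http://wsus01.example.test:8530/SimpleAuthWebService/SimpleAuth.asmx
2012-05-07 09:20:39:289 924 1abc PT WARNING: GetAuthorizationCookie failure, error = 0x80244022, soap client error = 10, soap error code = 0, HTTP status code = 503
2012-05-07 09:20:39:290 924 1abc Agent * WARNING: Exit code = 0x80244022
2012-05-07 09:20:39:290 924 1abc Agent ** END ** Agent: Finding updates [CallerId = CcmExec]
2012-05-07 09:20:39:303 2860 1fa8 COMAPI - WARNING: Exit code = 0x00000000, Result code = 0x80244022
2012-05-07 09:23:45:393 924 1abc Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
2012-05-07 09:23:45:662 924 1abc PT Server URL = http://wsus01.example.test:8530/SimpleAuthWebService/SimpleAuth.asmx
2012-05-07 09:23:45:667 924 1abc PT WARNING: GetAuthorizationCookie failure, error = 0x80244022, soap client error = 10, soap error code = 0, HTTP status code = 503
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3})\s+(?P<pid>\d+)\s+"
                     r"(?P<tid>[0-9a-fA-F]+)\s+(?P<component>\S+)\s+(?P<msg>.*)$")
URL_RE = re.compile(r"Server URL = (\S+)")
ROOT_RE = re.compile(r"WARNING: (\w+) failure, error = (0x[0-9A-Fa-f]{8}).*"
                     r"HTTP status code = (\d+)")
EXIT_RE = re.compile(r"Exit code = (0x[0-9A-Fa-f]{8})")


def decode_hresult(hr):
    """Split a 32-bit HRESULT string into severity bit, facility and code."""
    value = int(hr, 16)
    return {"failure": bool(value >> 31), "facility": (value >> 16) & 0x7FF, "code": value & 0xFFFF}


def scan_attempts(text):
    """Group lines into 'Agent: Finding updates' attempts and keep the first
    failing call of each one, with the endpoint logged just before it."""
    attempts, current, last_url = [], None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # blank, wrapped or truncated lines (e.g. a clipped timestamp)
        component, msg = m["component"], m["msg"]
        url = URL_RE.search(msg)
        if url:
            last_url = url.group(1)
        if component == "Agent" and "** START **" in msg:
            current = {"start": m["ts"], "end": None, "exit_code": None, "root_cause": None}
            attempts.append(current)
            last_url = None
        if current is None:
            continue  # activity outside a scan attempt is not attributed to one
        root = ROOT_RE.search(msg)
        if root and current["root_cause"] is None:
            current["root_cause"] = {"call": root.group(1), "hresult": root.group(2),
                                     "http_status": int(root.group(3)), "url": last_url}
        if component == "Agent":
            code = EXIT_RE.search(msg)
            if code:
                current["exit_code"] = code.group(1)
            if "** END **" in msg:
                current["end"] = m["ts"]  # an attempt with end None was cut off
                current = None
    return attempts


def failing_endpoints(attempts):
    """Count (endpoint, HTTP status) pairs across attempts that recorded a root cause."""
    return Counter((a["root_cause"]["url"], a["root_cause"]["http_status"])
                   for a in attempts if a["root_cause"])


if __name__ == "__main__":
    for a in scan_attempts(SAMPLE_LOG):
        print(a["start"], a["exit_code"], a["root_cause"])
```

HRESULT 0x80244022 decodes to facility 0x24 (Windows Update), and the client logs it alongside HTTP status 503, so the side to inspect is the web service on the host in the logged URL rather than the client.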

When creating a collection for the Windows 7 Image - What membership rule do you specify so that the collection will find it?


I've been racking my brain as to why our Windows 7 Updates weren't being installed and I think I have just sorted it - I followed the above a good few times, but only now did I notice that one of your pictures appears to be of the wrong thing - I was trying to deploy the 'Windows 7 Updates' beneath the 'All Software Updates' folder, but this did nothing on clients, nothing ever got installed.

 

I ran through again this afternoon and this time I checked your written explanation - I deployed the 'Windows 7 Updates' beneath 'Software Update Groups' and it prompted me to accept or decline any software requiring me to accept a licence agreement which I don't recall from before. Alongside this, the 'Software Update Group' was previously always listed as the name of an actual update (ActiveX Killbits for me), whereas doing it now showed it correctly as 'Windows 7 Updates'.

 

Fingers crossed it will now deploy the updates correctly, it was beginning to bug me why it wasn't working! It is still downloading the updates but I will report back once things work (or not!)! This is quite possibly why no updates appeared to be installed during the PXE deployment and why none were listed in Add/Remove Programs > Show Windows Updates.


Potentially stupid question. How do you see what updates are needed for a specific computer?


Computers that need updates which you make available to your organization are not compliant; computers that have all available updates installed are compliant.

Speaking of compliance, if you want to see what updates a computer needs then you could drill through the software update compliance reports and work out what it needs, but be prepared to take your time.


I currently use WSUS to deploy updates and have the servers and settings set with group policy. I'm starting to test the method with SCCM. What do I need to change in my group policy so that it uses my SCCM servers for updates instead of WSUS? I don't want to undo all the settings since I don't want my clients going to Microsoft for updates, nor do I want them being notified of them before I approve the updates.

 

How do I do this?


Computers that need updates which you make available to your organization are not compliant; computers that have all available updates installed are compliant.

Speaking of compliance, if you want to see what updates a computer needs then you could drill through the software update compliance reports and work out what it needs, but be prepared to take your time.

 

Thanks. Is there a report that I can run that shows how many approved updates each computer needs? I.E. List each computer and the number of needed updates next to it.


OK, my Win7 client has downloaded all the Windows Updates at last, I can see the folders and content in the C:\Windows\CCMCACHE folder.

 

It has not, however, installed them at present. The UpdatesStore.log lists them all and has 'Status=Missing' which I believe indicates they are required. I have no time window set for these to install, just ASAP. Should I expect them to install straight away, or is there some other process the client is waiting for before these updates all get installed?


Well tickle me with a feather and call me Susan, it is actually working - at last Control panel has some new updates listed, and it is still running msiexec so I am assuming the other updates are all being processed. Win :)

  • Like 1


Great step by step setup/documentation!

 

I have a question, for Forefront Endpoint protection, do you have to download the definition files via WSUS and/or SCCM12?

 

Can you set it up such that the client/user's machine will download it itself?

 

My problem is, SCCM12 is seeing the definition files, however I am unable to deploy them, as I get an access denied response. Please see below:

 

[Image: SCCM12_Deployment_Error.png]

 

The server that SCCM12 resides on has full access to the "WSUS/content" files...


I currently use WSUS to deploy updates and have the servers and settings set with group policy. I'm starting to test the method with SCCM. What do I need to change in my group policy so that it uses my SCCM servers for updates instead of WSUS? I don't want to undo all the settings since I don't want my clients going to Microsoft for updates, nor do I want them being notified of them before I approve the updates.

 

How do I do this?

 

Anyone?


Hello,

I’m having problems with Software Update inside CM2012… I’ve set it up to only get Win7 updates… all the updates were retrieved correctly under Software Library->Software Updates->All Software… the thing is, though, that there is no compliance status… all the updates have status Unknown for some reason… and I’m wondering if it is supposed to be like that. Even if I deploy a package, the update is under the Unknown category (no errors or anything) with status “client check passed/Active” for each machine and never installs any update… even after I left it to run for more than 10 days.

 

My setup is following:

 

WSUS on windows server 2008 R2 installed on ports 8530/8531

Configuration Manager 2012 installed on port 80/443

No group policy applied

All relevant logs not showing any errors or something to indicate that there is a problem.

When I open WSUS console all the settings from Configuration Manager were applied correctly…all the “Installed, Not Applicable”, “Needed” etc status are displayed also correctly.

On client machines the logs also look okay, no errors or anything weird (UpdatesStore.log even receives the list of deployed updates)

 

Any ideas as to where to look or where the problem might be…

 

Thanks


Hello:

 

I have a lab where we are making a migration process from SMS and WSUS to SCCM 2012. I have a problem with WSUS migration. In the SCCM 2012 primary site I have installed and configured WSUS and the SUP role. I did the following proc: export the WSUS metadata on the actual WSUS server, move the WsusContent directory and then import the WSUS metadata on the WSUS server in the lab. After these steps I'm able to view the updates through the WSUS console on the SCCM 2012 server, but I can't see this information in the SCCM console. As we are in a lab environment we don't have an internet connection, so we can't connect to Windows Update. Which is the way to see the updates I have in the SCCM 2012 console?

Any help would be appreciated.

 

Ivan


I am using SCCM 2012 as Software Update point and cannot find the proxy settings for downloading updates. This is not the RC version, but the full release. Not sure where it has disappeared?


In the Administration workspace, Servers and Site System Roles, select your server hosting the SUP role, click on software update point, done.


Is this Software Update Group that we created updated automatically? Or must we re-create a group like this on a monthly basis to deploy updates to the clients?


Use ADR (automatic deployment rules) to do your Patch Tuesday monthly updates. I'll do a new post on that sooner or later.

