anyweb Posted May 8, 2008

This guide assumes you have SCCM 2007 set up as described here. It was based upon a document entitled Patch Management directions for SCCM by Christopher Stauffer, which you can find here.

Please note that this guide is designed to help you get a working SUP (Software Update Point) in SCCM in a LAB environment as quickly as possible. It is provided as is; if you find any errors please report them in the forums. In a production environment please consult Technet for best practice, see the links below:

Superflow: Software Update Deployment SuperFlow
About Software Update Point: About Software Update Point
Planning: Planning for Software Updates
Client Settings Configuration: Configuring Software Updates, How to Configure the Software Updates Client Agent, How to Create and Configure an Active Internet-Based Software Update Point
Best Practices: Configuring Configuration Manager Sites for Best Performance, Checklist for Security Best Practices, Best Practices for Central and Primary Site Hardware and Software Configuration, Best Practices for Operating System Deployment
Software Update Point process Flowcharts: Software Updates Synchronization Process Flowchart, Software Update Deployment Process Flowchart, Deployment Package Process Flowchart
Related: How to obtain the latest version of the Windows Update Agent

1. Install WSUS

Install WSUS but do not configure it. Once done, make sure the Software Update Point role is installed on the SCCM server. Once you've added the Software Update Point role, verify that it is installed by checking SUPSetup.log; it should have a line which reads "Installation was successful".

2. Create some Search Folders

In the Software Updates section, right click on Search Folders and choose New Folder. Give the new folder a name like Enterprise Searches (we will store our yearly searches here).

Right click on our new folder and choose New Search Folder. Select the following options from step 1 (in the screenshot): BulletinID, Expired and Superseded. In step 2:

Set the BulletinID to MS plus the last two digits of the year, eg: MS08
Set Expired to No
Set Superseded to No

Make sure that Search all folders under this feature is selected and give the search a name, eg: 2008 patches.

Now that you know how to make a Search Folder, let's make one for monthly searches, so right click on Enterprise Searches, choose New Search Folder and fill it in as follows.

Now make one for Windows Server 2008. We do this by adding Product as a search criterion and typing in the search phrase to look for; naturally you can customise it to suit your needs.
anyweb Posted May 8, 2008

Create a Deployment Template

In Computer Management, right click on Collections and choose New Collection. Create a new collection called Blank For Staging with no membership rules or advertisements.

Right click on Deployment Templates and choose New Deployment Template. Give the template a name like All Microsoft Approved Patches. For Collection, point it to the Blank For Staging collection we created above, and make sure Include members of sub collections is selected.

Set the Display/Time settings to suppress display notification on clients, use client local time for deployment schedules, and a duration of 1 day.

For Restart Settings, set them accordingly.

Leave Event Generation as it is unless you are using Operations Manager servers and want the reporting.

For Download Settings, make sure to select Download in both choices.

Leave SMS 2003 blank, click Next, then Next again to the summary, then Close. Your finished Deployment Template will appear.
anyweb Posted May 8, 2008

Create a Windows Update Share

In Windows Explorer, create a share called Windows Updates that Everyone can access. (That is fine for a lab. This folder is the package source the distribution points are populated from, so in production give write access only to the administrators who build packages and read access to the site server's computer account, which is what reads it; no client ever needs to reach this share.)

Create a Deployment Management Task

Select a Search Folder that contains the patches you want to apply, eg: Windows Server 2008 Patches. On the right you'll see the list of patches available (if not, you need to synchronise WSUS with Microsoft: click on Update Repository and choose Run Synchronisation).

Select all, right click and choose Deploy Software Updates.

Enter a name for the new deployment. Be descriptive, eg: Windows Server 2008 Patches (the screenshot below is generic so refers to all updates), and click Next.

Select the Deployment Template you created earlier and click Next.

Choose Create a Package. Be descriptive, eg: Windows Server 2008 Patches (the screenshot below is generic so refers to All Microsoft Approved Patches). Point it to the Windows Updates share you created and give it a description. Select Binary Replication for distribution points, click Browse and select your distribution point.

Choose Download software updates from the Internet and select your language.

Choose As soon as possible and Do not set a deadline for software update installation (this keeps the updates OPTIONAL).

Note: You can change this later to force the deployment of the updates, but this is fine for our LAB. In other words, if you do NOT set a deadline then the updates will not be forcefully installed (they are optional); if you want them to install (mandatory/forced) then SET A DEADLINE.

Clicking Next will start the Provisioning update progress (this can take time). Once done you should see this, and if you browse the Windows Updates share it should be full of packages.
anyweb Posted May 8, 2008

Optional: Create an Update List

Note: Update lists are useful for us as they can be used (after the event) to report on what patches are deployed to computers and to review their compliance using those reports. If you are not interested in reporting or the compliance status of your machines then Update Lists will probably not matter to you at all and you can deploy patches without using them. If you do decide to utilise SCCM's reporting capabilities in regard to patching, then it would be a good idea to create separate Update Lists on a monthly basis to see what patches go out, and to what computers. If you want to read a guide aimed at using Update Lists for reporting purposes then please see here.

Select a search folder, for example Windows Server 2008 Patches, highlight the first Windows update it contains, then hold Shift and click the last one so that all patches are selected. Right click within the selection and choose Update List.

Choose Create New Update List from the options in the wizard.

When the Deployment Package window appears, click on Browse to select one, or choose to create a new one and give it a descriptive name like All Windows XP Updates or Windows Server 2008 Updates. As this is just a lab, we will pick the one we made earlier. The Deployment Package is selected.

Choose the Internet as the download location, even if the WSUS server is on another site server.

Choose a language (English), then click Next through Security and Summary; the updates will be provisioned.

Review the Confirmation. If there are any errors at this point then verify that you have correctly specified the WSUS site server.

Hit Refresh in the ConfigMgr console to see your Update List.
anyweb Posted May 8, 2008

Create some Patch Deployment Collections

How you want to deploy your patches is up to you and your organisation; below is only a suggestion, use at your own risk!

Create some new blank collections with no membership rules, each collection having a new sub-collection, so they are like this:

Deploy Patches / Phase 3 / Phase 2 / Phase 1 / Test Group

When Microsoft releases its patches you'll want to get them deployed quickly to a Test Group. To do that, add some computers to the Test Group collection (or create a link to a collection as described below).

If you want to link a collection, then pick a collection from the list. Remember, this how-to is to show you HOW you can do this; you will obviously have to create your own test collections and add computers to them yourself before linking them here.
anyweb Posted May 8, 2008

Choose a Deployment Template

In the Deployment Management node, right click on the Deployment Template we created earlier (All Microsoft Approved Patches) and choose Properties.

Click on the Collections tab and browse to Test Group. Make sure Include Members of Sub Collections is selected and click Apply to start the patch deployment to your Test Group.

Click on the Schedule tab and select As Soon as Possible, include the Set a Deadline option and the Ignore Maintenance Windows option as below.

Note: If you are using or have configured Maintenance Windows then do not select Ignore Maintenance Windows unless you really want to ignore those maintenance windows. This, remember, is just a LAB.

Sit back and wait; the servers listed in your Test Group will now be targeted with the selected patches.
anyweb Posted December 18, 2008

Verify

On a client, open Control Panel and the Configuration Manager client agent, click on the Actions tab and initiate the following actions to trigger a check for any changes in client policy:

Machine Policy Retrieval & Evaluation Cycle
Software Updates Deployment Evaluation Cycle
Software Updates Scan Cycle

More info about the above actions on Technet: http://technet.microsoft.com/en-us/library/bb632393.aspx

Machine Policy Retrieval & Evaluation Cycle: Bypasses the automatic policy polling interval on clients to get the machine policy as soon as possible.

Software Updates Deployment Evaluation Cycle: Evaluates the state of new and existing deployments and their associated software updates. This includes scanning for software updates compliance, but may not always catch scan results for the latest updates. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

Software Updates Scan Cycle: Scans for software updates compliance for updates that are new since the last scan. This action does not evaluate deployment policies as the Software Updates Deployment Evaluation Cycle does. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

If you don't see any updates coming then read WUAHandler.log for details to see what is happening. The log is located in C:\windows\system32\ccm\logs (x86) or C:\windows\syswow64\ccm\logs (x64). You can also browse the C:\windows\syswow64\ccm\cache folder (C:\windows\system32\ccm\cache on x86) to see if any updates have started to download yet. Be patient: even if you set the deadline for 10:10 it might take time to get them transferred over.

Tip: To troubleshoot scan errors, you can run the Troubleshooting 1 - Scan errors report, which will return a count of computers for each error that occurred during the last scan for software update compliance on client computers. You can then drill down to the Troubleshooting 3 - Computers failing with a specific scan error report to view a list of computers that returned that specific scan error.

Here's what your desktop will look like when the software updates are being pushed out; you can click on the update icon to get details of the updates themselves. After they are applied the update icon will change colour.

And here is my WUAHandler.log file (of a successful update); compare it to your own if you are experiencing problems to see what is different. (Attachment: WUAHandler.log)
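The verification steps above can be driven from the client without clicking through the Actions tab, and the same WUAHandler.log the post tells you to read can be summarised rather than eyeballed. The script below is an added example and is not part of the original post or of anyweb's lab. It assumes a ConfigMgr 2007 client exposing root\ccm:SMS_Client, an elevated PowerShell session, and the standard client trigger IDs for the three actions (…021 machine policy, …108 deployment evaluation, …113 update scan). The sample log lines near the bottom are constructed for the example so that the parser can be tried on a machine with no client installed; they are not from a real client.

```powershell
# Added example, not from the original post: force the three client actions listed
# above via WMI, then summarise WUAHandler.log (CMTrace format, one entry per line).
$actions = @(
    @{ Name = 'Machine Policy Retrieval & Evaluation Cycle'; Id = '{00000000-0000-0000-0000-000000000021}' },
    @{ Name = 'Software Updates Deployment Evaluation Cycle'; Id = '{00000000-0000-0000-0000-000000000108}' },
    @{ Name = 'Software Updates Scan Cycle';                  Id = '{00000000-0000-0000-0000-000000000113}' }
)

function Invoke-CcmClientActions {
    # SMS_Client.TriggerSchedule is the same call the Actions tab makes.
    $client = [wmiclass]'root\ccm:SMS_Client'
    foreach ($a in $actions) {
        Write-Host ("Triggering {0}" -f $a.Name)
        [void]$client.TriggerSchedule($a.Id)
    }
}

function Get-WuaHandlerLogPath {
    # x86 clients log under system32\ccm\logs, x64 clients under syswow64\ccm\logs.
    foreach ($sub in 'system32\ccm\logs', 'syswow64\ccm\logs') {
        $p = Join-Path $env:windir (Join-Path $sub 'WUAHandler.log')
        if (Test-Path $p) { return $p }
    }
    return $null
}

# <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" ...>
# type 1 = info, 2 = warning, 3 = error.
$logPattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"[^>]*\btype="(?<type>\d)"'

function ConvertFrom-CcmLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $logPattern) {
            New-Object PSObject -Property @{
                Date    = $Matches.date
                Time    = $Matches.time
                Type    = [int]$Matches.type
                Message = $Matches.msg
            }
        }
    }
}

function Get-WuaScanSummary {
    param([string[]]$Lines)
    $entries = @(ConvertFrom-CcmLog -Lines $Lines)
    $errs    = @($entries | Where-Object { $_.Type -eq 3 })
    $ok      = @($entries | Where-Object { $_.Message -like 'Successfully completed scan*' })
    $lastError = $null
    if ($errs.Count -gt 0) { $lastError = $errs[-1].Message }
    New-Object PSObject -Property @{
        Entries       = $entries.Count
        Errors        = $errs.Count
        ScanSucceeded = ($ok.Count -gt 0)
        LastError     = $lastError
    }
}

# Constructed sample (not a real client's log); the 0x80072ee2 line shows how a
# failed scan against an unreachable WSUS server surfaces as a type="3" entry.
$sampleLog = @(
    '<![LOG[Enabling WUA Managed server policy to use server: http://sccm01:80]LOG]!><time="10:10:02.000+000" date="12-18-2008" component="WUAHandler" context="" type="1" thread="1234" file="cwuahandler.cpp:1001">',
    '<![LOG[OnSearchComplete - Failed to end search job. Error = 0x80072ee2.]LOG]!><time="10:15:02.000+000" date="12-18-2008" component="WUAHandler" context="" type="3" thread="1234" file="cwuahandler.cpp:1002">'
)

$path = Get-WuaHandlerLogPath
if ($path) {
    Invoke-CcmClientActions
    $summary = Get-WuaScanSummary -Lines (Get-Content $path)
} else {
    Write-Host 'No ConfigMgr client log found; parsing the constructed sample instead.'
    $summary = Get-WuaScanSummary -Lines $sampleLog
}
$summary | Format-List Entries, Errors, ScanSucceeded, LastError
```

Run it, wait a few minutes (the scan and deployment evaluation are asynchronous), then run it again: ScanSucceeded flips to true once a "Successfully completed scan" entry has been written, and LastError gives you the HRESULT to look up in the Troubleshooting reports mentioned above without scrolling the whole log.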
Kingskawn Posted April 1, 2009

What should I use as the description if I want only Windows XP updates? I put "Windows XP" for Description instead of "Windows Server 2008" as in your example.

EDIT: If the downloaded updates reside on the WSUS server, is there no need to download them again, or is there? I'm referring to this print screen.

I've got a problem when I want to close my first advertisement. I made a search based on Windows XP updates. I selected the ones I need in the list and chose 'Deploy update...' and it gave me those errors at the end. This is the print screen.
anyweb Posted April 1, 2009

Change Description to Product and then you'll get only Windows XP stuff.

For All Windows XP Updates choose the following search criteria:

Product: Windows XP
Expired: No
Superseded: No

For All Windows XP Security Updates:

Product: Windows XP
Bulletin: MS
Expired: No
Superseded: No

cheers
anyweb
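The search-folder criteria in the reply above (Product, Bulletin, Expired, Superseded) map onto properties and categories of the SMS_SoftwareUpdate configuration item in the SMS Provider, so the same list can be pulled from a script, which is handy for diffing what the console shows against what you expect to deploy. The following is an added example, not code from the thread or from ConfigMgr itself. It assumes the site server name and site code are placeholders you replace, that the account running it can read the root\SMS\site_<code> namespace, and that the SMS_SoftwareUpdate, SMS_CategoryInstance and SMS_CIAllCategories classes carry the property names used here (the ConfigMgr 2007 provider schema).

```powershell
# Added example, not part of the original thread: the "All Windows XP Security Updates"
# search folder expressed as WQL against the SMS Provider.
function Get-SearchFolderUpdates {
    param(
        [string]$SiteServer,                 # placeholder, e.g. your site server
        [string]$SiteCode,                   # placeholder, three-letter site code
        [string]$Product,                    # search phrase, matched as a substring like the console
        [string]$BulletinPrefix = ''         # '' = all updates, 'MS' = security bulletins, 'MS08' = 2008 only
    )
    $ns = "root\SMS\site_$SiteCode"
    # WQL uses single-quoted literals; double any quote in user input so it cannot alter the filter.
    $safeProduct = $Product.Replace("'", "''")
    $safePrefix  = $BulletinPrefix.Replace("'", "''")

    # "Product" is a category attached to the update CI, not a property, so resolve it first.
    $cats = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_CategoryInstance `
        -Filter "CategoryTypeName='Product' AND LocalizedCategoryInstanceName LIKE '%$safeProduct%'")
    if ($cats.Count -eq 0) {
        throw "No product matching '$Product' in the catalogue; run a synchronisation first."
    }

    # CI_IDs of every update tagged with one of those product categories.
    $productCiIds = @()
    foreach ($cat in $cats) {
        $productCiIds += @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_CIAllCategories `
            -Filter "CategoryInstanceID=$($cat.CategoryInstanceID)" | ForEach-Object { $_.CI_ID })
    }

    # Expired = No, Superseded = No, and (optionally) Bulletin ID starting with the prefix.
    $filter = 'IsExpired=0 AND IsSuperseded=0'
    if ($safePrefix) { $filter += " AND BulletinID LIKE '$safePrefix%'" }

    Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_SoftwareUpdate -Filter $filter |
        Where-Object { $productCiIds -contains $_.CI_ID } |
        Select-Object CI_ID, ArticleID, BulletinID, LocalizedDisplayName, DatePosted |
        Sort-Object DatePosted
}

# Same selection as the "All Windows XP Security Updates" search folder above.
Get-SearchFolderUpdates -SiteServer 'sccm01' -SiteCode 'LAB' -Product 'Windows XP' -BulletinPrefix 'MS' |
    Format-Table ArticleID, BulletinID, LocalizedDisplayName -AutoSize
```

Two things worth noting: IsSuperseded=0 hides updates that a newer one replaces exactly as the console's Superseded = No does, so an update you remember approving can legitimately vanish from this list after a synchronisation; and the product phrase is a substring match, so 'Windows XP' also picks up 'Windows XP x64 Edition' unless you tighten it.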
Kingskawn Posted April 2, 2009

(quoting anyweb's search criteria above)

Thanks for your answer. The thing is that I want to install a machine and have all the latest XP updates installed on it. Can I install IE7 and block the install of IE8? Can I just leave IE6 and block the install of IE7?
anyweb Posted April 2, 2009

Then you should choose All Windows XP updates and let the Windows Update process install all that it can during deployment. I know you can block IE7 being installed, more info here, and here's one for blocking IE8, so if you enabled both I guess you'd be left with IE6.

You can at any time select updates in your Search folders after doing a Run Synchronisation, right click on the ones you want and choose Deploy. Doing so will allow you to create a new Deployment Management task, or to update an existing one. You can REMOVE any updates that you DON'T WANT to be advertised to your clients by selecting them in your Updates Deployment Package and deleting them; look at the screenshot below to understand how easy that is.

Over time you can sort your Enterprise searches like I have here; obviously you should customise this to suit your environment. The above search folder criteria are as follows:
Kingskawn Posted June 4, 2009

Which update is the installation of IE7? I can't find it under Software Updates in SCCM.
anyweb Posted June 4, 2009

Bulletin ID:
Article ID: 940767
Date revised: Tuesday, April 29, 2008

That's it. I found it by searching for Internet Explorer 7 in my All Windows XP updates with the following Search Folder criteria:

Product: Windows XP
Expired: No
Superseded: No
Kingskawn Posted June 17, 2009

Can you tell me more about the update list? When I have already made some update lists for a package, like:

Update List - 12/01/2009 17:02:17
Update List - 25/02/2009 20:05:15
Update List - 04/03/2009 12:15:24
Update List - 11/04/2009 07:28:19
Update List - 07/05/2009 09:28:38
Update List - 16/06/2009 11:37:24

Can I delete (right button) the older ones, so anything before 16/06/2009?

Another thing, at which interval are you making an update list? Every Wednesday, every week, every month...? Thanks anyweb!
anyweb Posted June 17, 2009

It's up to you. I just update my deployment packages and deployment management tasks, then change the schedule, and that's it. Do it monthly, as that's when the patches come out (second Tuesday of the month).
nsilimela Posted June 30, 2009

(quoting Kingskawn's post of April 1, 2009 above)

Hi there Kingskawn, why are you choosing to download from the Internet if you already have an in-house WSUS server in your environment? Shouldn't the updates be in the \WSUScontent folder? I'm just curious.
Kingskawn Posted June 30, 2009

(quoting nsilimela above)

Yes, you're right. Why am I downloading from the Internet when I've got the sources on site? I don't know. Maybe I'm gonna change that.
anyweb Posted July 7, 2009

Below is a screenshot of Offline Updates (via MDT integration in the Task Sequence).
Kingskawn Posted July 7, 2009

(quoting anyweb above)

Ok, I'll try that. Anyweb, can you tell me what's in your TS steps named 'Tatoo' and 'Copy logs' please?
anyweb Posted July 7, 2009

Hi Kingskawn, sorry, I just posted that screenshot for another post on Technet; it wasn't directed at you. Are your software updates working ok or not?
Kenny456 Posted July 8, 2009

I was walking through the steps, and I don't seem to have an option to type text for a product; I get check boxes. Server 2008 isn't available as an option. How do I add Server 2008 as a product option?
Kingskawn Posted July 9, 2009

You have to do a synchronisation first; after that the product list will be updated.
The Last Remnant Posted August 13, 2009

Can you tell me what the use of the Blank For Staging collection is, and why it's empty? And in case it has some machines, what will it affect? Thanks
Kingskawn Posted August 13, 2009

You can use blank collections to link some other collections to this collection.
anyweb Posted August 13, 2009

You must keep the Blank For Staging collection EMPTY at ALL TIMES. Never put systems in it and never link other collections to it, ever.

You do this because all of your Deployment Management Tasks will point to the 'Blank For Staging' collection by DEFAULT. That is the way you want it to be; the LAST thing you want to happen is for an untested patch or service pack to go out to all your servers or clients, causing mayhem in your organisation.

Keep Blank For Staging empty always, and use the Phase 1, Phase 2, Phase 3 and Test sub-collections to test patches, working your way from Test > Phase 1 > Phase 2 > Phase 3. By the time you've reached Phase 3 ALL of your systems should be targeted and patched with your selected patches, and you then point your Deployment Management tasks back to Blank For Staging.

cheers
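The rule in the reply above (the staging collection is a parking spot for deployments and must never gain a member or a linked sub-collection) is easy to break by accident with a mis-click in the console, and nothing in the product warns you. The script below is an added example and is not code from the thread or from ConfigMgr; it checks the rule the way a practitioner would before re-pointing the monthly deployment. It assumes placeholder values for the site server, site code and collection name, read access to the root\SMS\site_<code> namespace, and the ConfigMgr 2007 provider classes SMS_Collection, SMS_FullCollectionMembership, SMS_CollectToSubCollect and SMS_UpdatesAssignment with the property names used here.

```powershell
# Added example, not from the original post: verify the staging collection is empty
# and unlinked, and show which update deployments are parked on it versus live.
function Test-StagingCollection {
    param(
        [string]$SiteServer,                          # placeholder
        [string]$SiteCode,                            # placeholder
        [string]$CollectionName = 'Blank For Staging'
    )
    $ns = "root\SMS\site_$SiteCode"
    $safeName = $CollectionName.Replace("'", "''")    # keep quotes out of the WQL filter
    $coll = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Collection -Filter "Name='$safeName'"
    if (-not $coll) { throw "Collection '$CollectionName' not found in $ns" }
    $id = $coll.CollectionID

    # Evaluated membership (direct + query rules); must be 0.
    $members = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_FullCollectionMembership `
        -Filter "CollectionID='$id'")

    # Sub-collection links made with the console's "link to a collection" option; must be none.
    $links = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_CollectToSubCollect `
        -Filter "parentCollectionID='$id'")

    # Every software update deployment on the site, split by target.
    $assignments = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_UpdatesAssignment)
    $parked = @($assignments | Where-Object { $_.TargetCollectionID -eq $id })
    $live   = @($assignments | Where-Object { $_.TargetCollectionID -ne $id })

    # Resolve live targets to names; EnforcementDeadline is empty for optional deployments.
    $liveDetail = foreach ($a in $live) {
        $target = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Collection `
            -Filter "CollectionID='$($a.TargetCollectionID)'"
        New-Object PSObject -Property @{
            Deployment = $a.AssignmentName
            Target     = $target.Name
            TargetID   = $a.TargetCollectionID
            Deadline   = $a.EnforcementDeadline
        }
    }

    New-Object PSObject -Property @{
        CollectionID       = $id
        MemberCount        = $members.Count
        SubCollectionLinks = $links.Count
        ParkedDeployments  = $parked.Count
        LiveDeployments    = @($liveDetail)
        Safe               = ($members.Count -eq 0 -and $links.Count -eq 0)
    }
}

$check = Test-StagingCollection -SiteServer 'sccm01' -SiteCode 'LAB'
$check | Format-List CollectionID, MemberCount, SubCollectionLinks, ParkedDeployments, Safe
$check.LiveDeployments | Format-Table Deployment, Target, Deadline -AutoSize
if (-not $check.Safe) {
    Write-Warning "Staging collection has members or links: every deployment parked on it is now live."
}
```

Run it before and after the wizard each patch cycle: Safe must stay true, and the live table should list only the phase you are currently rolling to (Test, then Phase 1, and so on). A deployment with a Deadline that targets anything other than the phase you expect is exactly the mayhem the reply warns about, caught before the clients pick up policy.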