Configuring Software Update Point within SCCM

[anyweb]

This guide assumes you have SCCM 2007 setup as described here. This guide was based upon a document entitled Patch Management directions for SCCM by Christopher Stauffer which you can find here.

 

Please note that this guide is designed to help you get a working SUP in SCCM in a LAB Environment as quickly as possible. This guide is provided as is, if you find any errors please report them in the forums.

 

In a production environment please consult Technet for best practise, see below links:

 

Superflow:

 

Software Update Deployment SuperFlow

 

 

About Software Update Point:

 

About Software Update Point

 

Planning:

 

Planning for Software Updates Client Settings

 

Configuration:

 

Configuring Software Updates

How to Configure the Software Updates Client Agent

How to Create and Configure an Active Internet-Based Software Update Point

 

Best Practices:

 

Configuring Configuration Manager Sites for Best Performance

Checklist for Security Best Practices

Best Practices for Central and Primary Site Hardware and Software Configuration

Best Practices for Operating System Deployment

 

Software Update Point process Flowcharts:

 

Software Updates Synchronization Process Flowchart

Software Update Deployment Process Flowchart

Deployment Package Process Flowchart

 

Related:

 

How to obtain the latest version of the Windows Update Agent

 

 

1. Install WSUS

 

Install WSUS but do not configure it. Once done, make sure the Software Update Point Role is installed on the SCCM Server.

 

 

Once you've added the Software Update Point role, verify that it is installed by checking the SUPSetup.log, it should have a line which reads Installation was successful

 

2. Create some Search Folders

 

In the Software Updates section, right click on Search Folders and choose New Folder,

 

 

give the new folder a name like Enterprise Searches (we willl store our yearly searches here)

 

 

Right click on our new folder and choose New Search Folder,

 

 

select the following options from step 1 (in the screenshot),

 

BulletinID, Expired and Superseded

 

 

in step 2, Set the BulleinID to MS plus the last two digits of the year eg: MS08

Set Expired to No

Set Superseded to No

 

Make sure that Search All folders under this feature is selected and give the search a name, eg: 2008 patches

 

 

Now that you know how to make a Search Folder, let's make one for Monthly searches, so right click on Enterprise Patches and choose New Search Folder

 

Fill it in as follows

 

 

and now make one for Windows Server 2008, we do this by adding Product as a search criteria and typing in the search phrase to look for, naturally you can customise it to suit your needs.

 

[anyweb]

Create a Deployment Template

 

In Computer Management, right click on Collections and choose New Collection, create a new collection called Blank For Staging with no membership rules or advertisements.

 

 

right click on Deployment Templates and choose New Deployment Template

 

 

give the template a name like All Microsoft Approved Patches

 

 

for Collection, point it to the Blank For Staging one we created above, and make sure sub collections are selected.

 

 

Set the Display/Time settings to suppress display notification on clients, client local time for deployment schedules and duration of 1 day

 

 

for Restart Setttings set them accordingly

 

 

leave Event Generation as it is unless you are using Operations Manager servers and want the reporting.,...

 

 

for download Settings, make sure to select download in both choices

 

 

leave SMS 2003 blank and next... and next to the summary and close.

 

your finished Deployment Template will appear

 

[anyweb]

Create a Windows Update Share

 

In Windows Explorer, create a share that Everyone can access called Windows Updates

 

Create a Deployment Management Task

 

select a Search Folder that contains the patches you want to apply eg: select Windows Server 2008 Patches

 

in the right you'll see the list of patches available (if not, you need to Synchronise WSUS with Microsoft) to do that click on Update Repository and choose Run Synchronisation.

 

 

Select all and right click and choose Deploy Software Updates

 

 

Enter a name for the new deployment, be descriptive eg: Windows Server 2008 Patches, the screenshot below is generic so refers to all updates..and click next ..

 

 

Select the Deployment Template you created earlier and click next..

 

 

choose to Create a Package, be descriptive eg: Windows Server 2008 Patches, the screenshot below is generic so refers to all updates (All Microsoft Approved patches), point it to the Windows Updates share you created and give it a description, select Binary Replication

 

 

for distribution points, click browse and selct your distribution point

 

 

Choose download software updates from the internet

 

 

select your language

 

 

choose As soon as possible and Do not set a deadline for software update installation (keeps the updates OPTIONAL)...

 

Note: You can change this later to force the deployment of the updates but this is fine for our LAB, in other words if you do NOT set a deadline then the updates will not be forcefully installed (they are Optional), if you want them to install (mandatory/forced) then SET A DEADLINE

 

 

clicking next will start the Provisioning update progress....... *can take time...*

 

 

once done you should see this

 

 

and you can browse the Windows Updates share and it should be full of packages

 

[anyweb]

Optional: Create an Update List

 

Note: Update lists are useful for us as they can be used (after the event) to Report on what patches are deployed to computers and to review their compliance using those reports. If you are not interested in reporting or the compliance status of your machines then Update Lists will probably not matter to you at all and you can deploy patches without using them. If you do decide to utilise SCCM's reporting capabilities in regards to patching, then it would be a good idea to create separate Update Lists on a monthly basis to see what patches go out, and to what computers. If you want to read a guide aimed at using Update Lists for Reporting purposes then please see here.

 

Select a search folder for example Windows Server 2008 Patches and highlight the first Windows update contained and press Shift, scroll down to the last one and press again until all patches are selected.

 

 

Right click within the selection and choose Update List

 

 

choose Create New Update List from the options in the wizard

 

 

When the Deployment Package window appears, click on Browse to select one, or choose to create a new one and give it a descriptive name like All Windows XP Updates or Windows Server 2008 Updates

 

 

as this is just a lab, we will pick the one we made earlier..

 

 

The Deployment Package is selected...

 

 

choose the Internet as the download location *even if the WSUS server is on another Site Server*

 

 

choose a language *english*

 

 

click next to Security and Summary,

 

the updates will be provisioned

 

 

review the Confirmation, if there are any errors at this point then verify that you have correctly specified the WSUS site server

 

 

Hit refresh in the Configmgr console to see your Update List.

 

[anyweb]

Create some Patch Deployment Collections

 

How you want to deploy your patches is up to you and your organisation, below is only a suggestion, use at your own risk !

 

Create some new Blank collections with no membership rules with each collection having a new sub-collection so they are like this

 

Deploy Patches/Phase 3/Phase 2/Phase 1/Test Group

 

 

When Microsoft Release's it's Patches you'll want to get them deployed quickly to a Test Group,

 

to do that do as follows

 

Add some computers to the Test Group collection (or create a link to a collection as described below)

 

If you want to link a collection , then pick a collection from the list *remember this howto is to show you HOW you can do this, you will obviously have to create your own test collections and add computers to them yourself before linking them here*

 

 

[anyweb]

Choose a Deployment Template

 

In the Deployment Management Node, Right click on the Deployment Template we created earlier (All Microsoft Approved Patches) and choose properties

 

 

Click on the Collections Tab and browse to Test Group

 

 

make sure Include Members of Sub Collections is selected and click apply

 

 

to start the Patch deployment to your Test Group click on the Schedule tab and select As Soon as Possible, include the Set a Deadline option and Ignore Maintenance options as below

 

Note: If you are using or have configured Maintenance Windows then do not select Ignore Maintenance Windows unless you really want to ignore those maintenance windows, this remember, is just a LAB.

 

 

sit back and wait, the Servers listed in your Test Group will now be targetted with the selected patches

[anyweb]

Verify

 

On a client, open up control panel and the Configuration Manager client agent, click on the actions tab and Initiate the Following actions to trigger a check for any changes in Client Policy.

 

Machine Policy Retrieval & Evaluation Cycle

Software Updates Deployment Evaluation Cycle

Software Updates Scan Cycle

 

More info about the above Actions on Technet > http://technet.microsoft.com/en-us/library/bb632393.aspx

 

 

 

Machine Policy Retrieval & Evaluation Cycle: Bypasses the automatic policy polling interval on clients to get the machine policy as soon as possible.

 

Software Updates Deployment Evaluation Cycle: Evaluates the state of new and existing deployments and their associated software updates. This includes scanning for software updates compliance, but may not always catch scan results for the latest updates. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

 

Software Updates Scan Cycle: Scans for software updates compliance for updates that are new since the last scan. This action does not evaluate deployment policies as the Software Updates Deployment Evaluation Cycle does. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

 

 

If you don't see any updates coming then read the WUAHandler log for details to see what is happening....

 

the log is located in C:\windows\system32\ccm\logs (x86) or c:\windows\syswow64\ccm\logs

 

you can also browse the c:\windows\syswow64\ccm\cache folder to see if any updates have started to download yet

 

be patient, even if you set the deadline for 10:10 it might take time to get them transferred over.

 

Tip: To troubleshoot scan errors, you can run the Troubleshooting 1 - Scan errors report which will return a count of computers for each error that occurred during the last scan for software update compliance on client computers. You can then drill down to the Troubleshooting 3 / Computers Failing with a specific scan error report to view a list of computers that returned that specific scan error.

 

here's what your desktop will look like when the software updates are being pushed out, you can click on the update icon to get details of the updates themselves

 

 

after they are applied the update icon will change colour

 

 

and here is my WUAhandler.log file (of a successful update) compare it to your own if you are experiencing problems to see what is different...

 

WUAHandler.log

[Kingskawn]

What to use as description if I want only windows xp updates? I put "Windows XP" for description instead of "Windows Server 2008" in your example.

 

EDIT: If the downloaded updates resides on the wsus server, there is no need to download it again or yes?

I'm referring to this print screen;

 

 

I've got a problem when I want to close my first advertisement. I made a search based on windows xp updates. I selected the ones I need in the list and chose 'Deploy update...' and gave me those errors in the end. This is the print screen;

 

[anyweb]

change Description to Product and then you'll get only Windows XP stuff..

 

for All Windows XP Updates choose the following search criteria

 

Product Windows XP

Expired No

Superseded No

 

for All Windows XP Security Updates

 

Product Windows XP

Bulletin MS

Expired No

Superseded No

 

cheers

anyweb

[Kingskawn]

change Description to Product and then you'll get only Windows XP stuff..

 

for All Windows XP Updates choose the following search criteria

 

Product Windows XP

Expired No

Superseded No

 

for All Windows XP Security Updates

 

Product Windows XP

Bulletin MS

Expired No

Superseded No

 

cheers

anyweb

 

Thanks for your answer

 

1. The thing is that I want to install a machine and that all the latest xp updates are installed on it.
   
2. Can I install IE7 and block the install of IE8?
   
3. Can I just leave IE6 and block the install of IE7?
   

[anyweb]

then you should choose All Windows XP updates and let the windows update process install all that it can during deployment,

 

i know you can block ie7 being installed, more info here

 

and here's one for blocking IE8, so if you enabled both i guess you'd be left with IE6

 

You can at any time select updates in your Search folders after doing a Run Synchronisation, right click on the ones you want and choose Deploy, doing so will allow you to create a New Deployment Management task, or to update an existing one, you can REMOVE any updates that you DON'T WANT to be advertised to your clients by selecting it from your Updates Deployment Package and deleting it

 

look at the screenshot below to understand how easy that is

 

 

 

over time you can sort your Enterprise searchs like I have here, obviously you should customise this to suit your environment..

 

 

the above search folder criteria are as follows

 

[Kingskawn]

which update is the installation of IE7? I can't find it under Software Updates on SCCM

[anyweb]

Bulletin ID:

Article ID: 940767

 

Date revised: Tuesday, April 29, 2008

 

 

That's it ^, i found it by searching for Internet Explorer 7 in my All Windows XP updates with the following Search Folder Criteria

 

 

Product Windows XP

Expired No

Superseded No

[Kingskawn]

Can tell me more about the update list?

When I have already made some update lists to a package like;

 

Update List - 12/01/2009 17:02:17

Update List - 25/02/2009 20:05:15

Update List - 04/03/2009 12:15:24

Update List - 11/04/2009 07:28:19

Update List - 07/05/2009 09:28:38

Update List - 16/06/2009 11:37:24

 

Can I say that I delete (right button) the older ones so anything before 16/06/2009 ?

 

Another thing, on which interval are you making an update list? Every wednesday, every week, every month,...?

 

Thanks anyweb!

[anyweb]

it's up to you

 

i just update my deployment packages and deployment management tasks and the change the schedule and thats it

 

do it monthly as thats when the patches come out (second tuesday of the month)

 

[nsilimela]

What to use as description if I want only windows xp updates? I put "Windows XP" for description instead of "Windows Server 2008" in your example.

 

EDIT: If the downloaded updates resides on the wsus server, there is no need to download it again or yes?

I'm referring to this print screen;

 

 

I've got a problem when I want to close my first advertisement. I made a search based on windows xp updates. I selected the ones I need in the list and chose 'Deploy update...' and gave me those errors in the end. This is the print screen;

 

 

 

Hi there Kingskawn,

 

Why are you choosing to download from the internet if you already have an in house WSUS server in your environment ? Shouldn't the updates be on the \WSUScontent folder ?

 

I'm just curious ..

[Kingskawn]

Hi there Kingskawn,

 

Why are you choosing to download from the internet if you already have an in house WSUS server in your environment ? Shouldn't the updates be on the \WSUScontent folder ?

 

I'm just curious ..

 

Yes you're right. Why am I downloading from the internet when I've got the sources on site?

 

I don't know. Maybe I'm gonna change that

[anyweb]

below is a screenshot of Offline Updates (via MDT integration in the Task Sequence)

 

[Kingskawn]

below is a screenshot of Offline Updates (via MDT integration in the Task Sequence)

 

 

Ok, I'll try that. Anyweb, can you tell me what's in your TS named 'Tatoo' and 'Copy logs' please?

[anyweb]

hi kingskawn sorry i just posted that screenshot for another post on technet, it wasnt directed at you.

 

are you software updates working ok or not ?

[Kenny456]

I was walking thru the steps, and I don't seem to have an option to type text for a product, I get check boxes. Server 2008 isn't available as an option? How do I add server 2008 as a product option?

 

[Kingskawn]

You have to do I synchronize first, after that the productlist will be updated.

[The Last Remnant]

can you tell me whats the use of blank for staging collection

why its empty ? and in case it has some machines then what it will affect ?

 

thanks

[Kingskawn]

you can use blank collenctions to link some other collections to this collection

[anyweb]

you must keep the blank for staging collection EMPTY at ALL TIMES

 

never put systems in it and never link to other collections in it, ever.

 

you do this because all of your Deployment Management Tasks will point to the 'blank for staging' collection by DEFAULT. That is the way you want it to be, the LAST thing you want to happen is for an untested patch or service pack to go out to all your servers or clients causing mayhem in your organisation

 

keep blank for staging empty Always, and use the phase 1,phase 2, phase 3 and test subcollections to test patches, working your way from

 

test > phase 1 > phase 2 > phase 3

 

by the time you've reached phase 3 ALL of your systems should be targetted and patched with your selected patches and you then point your Deployment Management tasks back to blank for staging

 

cheers