
  • 0
anyweb

Configuring Software Update Point within SCCM

Question

This guide assumes you have SCCM 2007 setup as described here. This guide was based upon a document entitled Patch Management directions for SCCM by Christopher Stauffer which you can find here.

 

Please note that this guide is designed to help you get a working SUP in SCCM in a LAB Environment as quickly as possible. This guide is provided as is, if you find any errors please report them in the forums.

 

In a production environment please consult Technet for best practice, see below links:

 

Superflow:

 

Software Update Deployment SuperFlow

 

 

About Software Update Point:

 

About Software Update Point

 

Planning:

 

Planning for Software Updates Client Settings

 

Configuration:

 

Configuring Software Updates

How to Configure the Software Updates Client Agent

How to Create and Configure an Active Internet-Based Software Update Point

 

Best Practices:

 

Configuring Configuration Manager Sites for Best Performance

Checklist for Security Best Practices

Best Practices for Central and Primary Site Hardware and Software Configuration

Best Practices for Operating System Deployment

 

Software Update Point process Flowcharts:

 

Software Updates Synchronization Process Flowchart

Software Update Deployment Process Flowchart

Deployment Package Process Flowchart

 

Related:

 

How to obtain the latest version of the Windows Update Agent

 

 

1. Install WSUS

 

Install WSUS but do not configure it. Once done, make sure the Software Update Point Role is installed on the SCCM Server.

 

sup_role.jpg

 

Once you've added the Software Update Point role, verify that it is installed by checking SUPSetup.log; it should have a line which reads Installation was successful

 

2. Create some Search Folders

 

In the Software Updates section, right click on Search Folders and choose New Folder,

 

enterprise_searches.jpg

 

give the new folder a name like Enterprise Searches (we will store our yearly searches here)

 

ent_searches.jpg

 

Right click on our new folder and choose New Search Folder,

 

new_search_folder.jpg

 

select the following options from step 1 (in the screenshot),

 

BulletinID, Expired and Superseded

 

choices.jpg

 

in step 2, Set the BulletinID to MS plus the last two digits of the year eg: MS08

Set Expired to No

Set Superseded to No

 

Make sure that Search All folders under this feature is selected and give the search a name, eg: 2008 patches

 

search_folder_criteria.jpg

 

Now that you know how to make a Search Folder, let's make one for Monthly searches, so right click on Enterprise Patches and choose New Search Folder

 

Fill it in as follows

 

monthly_search.jpg

 

and now make one for Windows Server 2008, we do this by adding Product as a search criteria and typing in the search phrase to look for, naturally you can customise it to suit your needs.

 

server_2008_patches.jpg


  • 0

You can use a GPO to configure the 'Specify intranet Microsoft update service location' to point to the SCCM update point. This would prevent users from changing the setting.

 

This would however override the SCCM client setting, so when changing the SCCM update point you will need to manually adjust the GPO to point to the new update point.

 

 

I basically had to go to GPO policy manager<<user settings<<<administrative templates<<start menu and taskbar and enable "remove links and access to windows update"

 

Another question I had though is I was pushing out a handful of updates just as a test. Both of my computers didn't download these updates from sccm. Does this mean they already have the updates and don't need them? Or a better question is if they don't need the update will they still download and "try" to install them or will they ignore them altogether?


  • 0

The SCCM client will start a scan for updates and compare the ones installed to the ones needed/available just like with a regular WSUS. After the scan it will only download the updates when needed by the client. The download will not start until the deadline for the updates has been reached and even then it depends on the different settings in the update deployment package.

 

You can check the UpdatesHandler and UpdatesStore log files of the SCCM clients to see if there was an update scan and if there were any updates available.


  • 0

updatestore.log says

 

<![LOG[successfully done with SetStatus() operation.]LOG]!><time="14:10:03.401+300" date="05-11-2011" component="UpdatesStore" context="" type="1" thread="2584" file="cupdatesstore.cpp:376">

<![LOG[Querying update status of 2 updates.]LOG]!><time="14:10:06.214+300" date="05-11-2011" component="UpdatesStore" context="" type="1" thread="2584" file="cupdatesstore.cpp:1146">

<![LOG[Queried Update (47ad79ce-554a-4cd3-89b5-882ee5285578): Status=Missing, Title=Security Update for .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB2446704), BulletinID=MS11-028, QNumbers=2446704, LocaleID=.]LOG]!><time="14:10:06.214+300" date="05-11-2011" component="UpdatesStore" context="" type="1" thread="2584" file="cupdatesstore.cpp:1189">

<![LOG[Queried Update (9c3076be-890e-4a52-a74f-af7ece21eb59): Status=Missing, Title=Security Update for .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB2446704), BulletinID=MS11-028, QNumbers=2446704, LocaleID=.]LOG]!><time="14:10:06.214+300" date="05-11-2011" component="UpdatesStore" context="" type="1" thread="2584" file="cupdatesstore.cpp:1189">

<![LOG[Querying update status completed successfully.]LOG]!><time="14:10:06.214+300" date="05-11-2011" component="UpdatesStore" context="" type="1" thread="2584" file="cupdatesstore.cpp:1170">

<![LOG[Querying update status of 7 updates.]LOG]!><time="14:11:48.215+300" date="05-11-2011" component="UpdatesStore" context="" type="1" thread="2340" file="cupdatesstore.cpp:1146">

<![LOG[Querying update status completed successfully.]LOG]!><time="14:11:48.215+300" date="05-11-2011" component="UpdatesStore" context="" type="1" thread="2340" file="cupdatesstore.cpp:1170">

 

updateshandler says

 

<![LOG[updates scan completion received, result = 0x0.]LOG]!><time="14:08:00.494+300" date="05-11-2011" component="UpdatesHandler" context="" type="1" thread="1724" file="capplicabilityhandler.cpp:100">

<![LOG[initiating updates scan for checking applicability.]LOG]!><time="14:09:56.839+300" date="05-11-2011" component="UpdatesHandler" context="" type="1" thread="2340" file="capplicabilityhandler.cpp:414">

<![LOG[successfully initiated scan.]LOG]!><time="14:09:57.089+300" date="05-11-2011" component="UpdatesHandler" context="" type="1" thread="2340" file="capplicabilityhandler.cpp:485">

<![LOG[initiating updates scan for checking applicability.]LOG]!><time="14:09:57.089+300" date="05-11-2011" component="UpdatesHandler" context="" type="1" thread="3028" file="capplicabilityhandler.cpp:414">

<![LOG[successfully initiated scan.]LOG]!><time="14:09:57.198+300" date="05-11-2011" component="UpdatesHandler" context="" type="1" thread="3028" file="capplicabilityhandler.cpp:485">

<![LOG[updates scan completion received, result = 0x0.]LOG]!><time="14:10:00.683+300" date="05-11-2011" component="UpdatesHandler" context="" type="1" thread="1724" file="capplicabilityhandler.cpp:100">

<![LOG[updates scan completion received, result = 0x0.]LOG]!><time="14:10:00.761+300" date="05-11-2011" component="UpdatesHandler" context="" type="1" thread="2340" file="capplicabilityhandler.cpp:100">

<![LOG[initiating updates scan for checking applicability.]LOG]!><time="14:11:48.090+300" date="05-11-2011" component="UpdatesHandler" context="" type="1" thread="2248" file="capplicabilityhandler.cpp:414">

<![LOG[successfully initiated scan.]LOG]!><time="14:11:48.136+300" date="05-11-2011" component="UpdatesHandler" context="" type="1" thread="2248" file="capplicabilityhandler.cpp:485">

<![LOG[updates scan completion received, result = 0x0.]LOG]!><time="14:11:48.215+300" date="05-11-2011" component="UpdatesHandler" context="" type="1" thread="2340" file="capplicabilityhandler.cpp:100">

 

 

I don't see any errors. But the sourcefiles apparently did not make it to the cache like it did the first time I ran other updates. Am I missing something?

 

 

 

30 minutes later I discovered it had downloaded a new package which I setup just now. But only one of the updates out of the 2. So I guess it just selects what it needs?

It still has not installed it. I have run a manual update scan (by going to ms update site) it needs like 100+ updates but the updates available to me are like 30 from the search folder I created. What gives?


  • 0

Yes, it only gets the updates it needs.

 

Updates will not be downloaded until the installation of the updates is started. The installation can be started manually or you can use a deadline in the deployment settings of the update package. Do you get the popup of the SCCM agent which says there are updates available?

 

Also check your deployment settings (Computer Management > Software Updates > Deployment Management) when the updates will be made available to the client.

 

Attached is a screenshot of the settings for a deployment package from my environment (which works perfectly).

 

post-3196-0-52583300-1305172641_thumb.png


  • 0

Yes, it only gets the updates it needs.

 

Updates will not be downloaded until the installation of the updates is started. The installation can be started manually or you can use a deadline in the deployment settings of the update package. Do you get the popup of the SCCM agent which says there are updates available?

 

Also check your deployment settings (Computer Management > Software Updates > Deployment Management) when the updates will be made available to the client.

 

Attached is a screenshot of the settings for a deployment package from my environment (which works perfectly).

 

post-3196-0-52583300-1305172641_thumb.png

 

Thanks for the reply.

I checked my settings and had the advertisement to run "as soon as possible" and had a time about 5 minutes ahead on the bottom selection.

Weird, it appeared to download one of the updates but I didn't see it installed.

And yes, I will get the advert window popup just as test when it did run successfully which was the first time I set it up. It's only when I apply changes to the updates that nothing happens.


  • 0

I am having a weird issue with a client computer. It is simply not pulling updates. I have done everything in the tutorial but still can't get the updates to download to cache and checked the wuahandler log too

 

<![LOG[Existing WUA Managed server was already set (http://company.HEADQUARTERS.company.COM:80), skipping Group Policy registration.]LOG]!><time="11:52:13.423+300" date="07-12-2011" component="WUAHandler" context="" type="1" thread="2304" file="sourcemanager.cpp:1041">

<![LOG[Added Update Source ({8D938AAF-AD85-43F4-A235-D614AD410191}) of content type: 2]LOG]!><time="11:52:13.439+300" date="07-12-2011" component="WUAHandler" context="" type="1" thread="2304" file="sourcemanager.cpp:1381">

<![LOG[Async searching of updates using WUAgent started.]LOG]!><time="11:52:13.439+300" date="07-12-2011" component="WUAHandler" context="" type="1" thread="2304" file="cwuahandler.cpp:587">

<![LOG[Async searching completed.]LOG]!><time="11:52:49.439+300" date="07-12-2011" component="WUAHandler" context="" type="1" thread="2976" file="cwuahandler.cpp:2099">

<![LOG[successfully completed scan.]LOG]!><time="11:52:49.673+300" date="07-12-2011" component="WUAHandler" context="" type="1" thread="824" file="cwuahandler.cpp:3261">

 

There is nothing in here to go on except for the fact that it's missing the scan details...

Also, I have uninstalled and reinstalled the client and removed and readded to domain...one thing of interest is this is an imaged pc

I have reset the SID and tried to reset the GUID also but don't know where to do that..

The firewall and antivirus are also turned off...nothing also in the event viewer to track

I am out of ideas...


  • 0

The console on my sccm server has the option to Deploy Software Updates when creating a deployment management task. However, the console on my workstation does not. Any ideas? Thanks

 

Nevermind, posted too soon. Restarted the workstation console and it was there. Sorry...


  • 0

Hi, all!!

I need help.

I have configured the SCCM server as described in this guide, but nothing happens on my test computer.

In WUAHandler.log:

<![LOG[its a WSUS Update Source type ({E606BEC7-5452-4A9D-99E8-FF3E85B30E02}), adding it.]LOG]!><time="10:12:52.891+-660" date="09-03-2011" component="WUAHandler" context="" type="1" thread="3772" file="sourcemanager.cpp:1348">

<![LOG[Enabling WUA Managed server policy to use server: https://MNV-SRV-SCCM.MNV.RU:8531]LOG]!><time="10:12:52.891+-660" date="09-03-2011" component="WUAHandler" context="" type="1" thread="3772" file="sourcemanager.cpp:1054">

<![LOG[Waiting for 2 mins for Group Policy to notify of WUA policy change...]LOG]!><time="10:12:53.000+-660" date="09-03-2011" component="WUAHandler" context="" type="1" thread="3772" file="sourcemanager.cpp:1060">

<![LOG[Waiting for 30 secs for policy to take effect on WU Agent.]LOG]!><time="10:13:01.282+-660" date="09-03-2011" component="WUAHandler" context="" type="1" thread="3772" file="sourcemanager.cpp:1124">

<![LOG[Added Update Source ({E606BEC7-5452-4A9D-99E8-FF3E85B30E02}) of content type: 2]LOG]!><time="10:13:31.298+-660" date="09-03-2011" component="WUAHandler" context="" type="1" thread="3772" file="sourcemanager.cpp:1381">

<![LOG[Async searching of updates using WUAgent started.]LOG]!><time="10:13:31.313+-660" date="09-03-2011" component="WUAHandler" context="" type="1" thread="3772" file="cwuahandler.cpp:587">

<![LOG[Async searching completed.]LOG]!><time="10:13:56.001+-660" date="09-03-2011" component="WUAHandler" context="" type="1" thread="3176" file="cwuahandler.cpp:2099">

<![LOG[successfully completed scan.]LOG]!><time="10:13:56.392+-660" date="09-03-2011" component="WUAHandler" context="" type="1" thread="3772" file="cwuahandler.cpp:3261">

According to the last record in the log, we have no problems, but I still see no changes on the test computer.

Can you help me to find out what's wrong?

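The log checks discussed in the posts above (UpdatesStore, UpdatesHandler and WUAHandler), as an added example that is not code from the thread or from Microsoft: a Python parser for the record layout shown in the pasted logs. It groups queried updates by status and KB, lists scans that returned a non-zero result, and flags an update server reached over plain HTTP. The host names, update GUIDs and the failing result code in the sample are constructed.

```python
import re
from collections import defaultdict

# One record: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
# The leading "<" is optional because pasted logs often lose it.
RECORD = re.compile(r'<?!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
ATTR = re.compile(r'(\w+)="([^"]*)"')
QUERIED = re.compile(r'Queried Update \((?P<id>[0-9a-fA-F-]{36})\): Status=(?P<status>\w+), '
                     r'Title=(?P<title>.*), BulletinID=(?P<bulletin>[^,]*), QNumbers=(?P<kb>[^,]*),')
SCAN = re.compile(r'updates scan completion received, result = (0x[0-9a-fA-F]+)')
SERVER = re.compile(r'WUA Managed server.*?(https?://[^\s),]+)')

def parse_records(text):
    """Yield (message, attributes) for each record found in text."""
    for m in RECORD.finditer(text):
        yield m.group('msg'), dict(ATTR.findall(m.group('attrs')))

def summarize(text):
    """Collect update status, failed scan codes and the update server URLs in use."""
    out = {'status': defaultdict(set), 'failed_scans': [], 'servers': set()}
    for msg, attrs in parse_records(text):
        if (q := QUERIED.search(msg)):
            # Several update IDs can share one KB, so group by (KB, bulletin).
            out['status'][q['status']].add((q['kb'], q['bulletin']))
        elif (s := SCAN.search(msg)) and int(s.group(1), 16) != 0:
            out['failed_scans'].append((attrs.get('date'), attrs.get('time'), s.group(1)))
        elif (u := SERVER.search(msg)):
            out['servers'].add(u.group(1))
    # Plain HTTP gives the client-to-update-server channel no transport protection.
    out['http_servers'] = sorted(u for u in out['servers'] if u.lower().startswith('http://'))
    return out

# Constructed sample in the same layout as the excerpts in this thread (values are made up).
SAMPLE = '''
<![LOG[Existing WUA Managed server was already set (http://sup.example.test:80), skipping Group Policy registration.]LOG]!><time="11:52:13.423+300" date="07-12-2011" component="WUAHandler" context="" type="1" thread="2304" file="sourcemanager.cpp:1041">
<![LOG[Enabling WUA Managed server policy to use server: https://sup.example.test:8531]LOG]!><time="10:12:52.891+300" date="09-03-2011" component="WUAHandler" context="" type="1" thread="3772" file="sourcemanager.cpp:1054">
<![LOG[Queried Update (00000000-0000-0000-0000-000000000001): Status=Missing, Title=Security Update for .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB2446704), BulletinID=MS11-028, QNumbers=2446704, LocaleID=.]LOG]!><time="14:10:06.214+300" date="05-11-2011" component="UpdatesStore" context="" type="1" thread="2584" file="cupdatesstore.cpp:1189">
<![LOG[Queried Update (00000000-0000-0000-0000-000000000002): Status=Missing, Title=Security Update for .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB2446704), BulletinID=MS11-028, QNumbers=2446704, LocaleID=.]LOG]!><time="14:10:06.214+300" date="05-11-2011" component="UpdatesStore" context="" type="1" thread="2584" file="cupdatesstore.cpp:1189">
![LOG[updates scan completion received, result = 0x0.]LOG]!><time="14:10:00.683+300" date="05-11-2011" component="UpdatesHandler" context="" type="1" thread="1724" file="capplicabilityhandler.cpp:100">
<![LOG[updates scan completion received, result = 0x80072ee2.]LOG]!><time="14:12:00.000+300" date="05-11-2011" component="UpdatesHandler" context="" type="1" thread="1724" file="capplicabilityhandler.cpp:100">
'''

if __name__ == '__main__':
    print(summarize(SAMPLE))
```

Feed `summarize()` the text of the client log files to see at a glance which KBs the client still reports as Missing and which server it scans against.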

  • 0

We do need some more information then (like what did you configure, packages, deployments, etc.)

Thanks for your post.

I am trying to configure SCCM 2007 R3 to deploy security updates to my domain computers.

I tried to do this exactly as in this article. I put one test computer (Win XP SP3) in a test collection.

Anything else? Your advice is very important for me, because it is a very important task
