Jump to content


  • 0
anyweb

Configuring Software Update Point within SCCM

Question

This guide assumes you have SCCM 2007 setup as described here. This guide was based upon a document entitled Patch Management directions for SCCM by Christopher Stauffer which you can find here.

 

Please note that this guide is designed to help you get a working SUP in SCCM in a LAB Environment as quickly as possible. This guide is provided as is, if you find any errors please report them in the forums.

 

In a production environment please consult Technet for best practise, see below links:

 

Superflow:

 

Software Update Deployment SuperFlow

 

 

About Software Update Point:

 

About Software Update Point

 

Planning:

 

Planning for Software Updates Client Settings

 

Configuration:

 

Configuring Software Updates

How to Configure the Software Updates Client Agent

How to Create and Configure an Active Internet-Based Software Update Point

 

Best Practices:

 

Configuring Configuration Manager Sites for Best Performance

Checklist for Security Best Practices

Best Practices for Central and Primary Site Hardware and Software Configuration

Best Practices for Operating System Deployment

 

Software Update Point process Flowcharts:

 

Software Updates Synchronization Process Flowchart

Software Update Deployment Process Flowchart

Deployment Package Process Flowchart

 

Related:

 

How to obtain the latest version of the Windows Update Agent

 

 

1. Install WSUS

 

Install WSUS but do not configure it. Once done, make sure the Software Update Point Role is installed on the SCCM Server.

 

sup_role.jpg

 

Once you've added the Software Update Point role, verify that it is installed by checking the SUPSetup.log, it should have a line which reads Installation was successful

 

2. Create some Search Folders

 

In the Software Updates section, right click on Search Folders and choose New Folder,

 

enterprise_searches.jpg

 

give the new folder a name like Enterprise Searches (we willl store our yearly searches here)

 

ent_searches.jpg

 

Right click on our new folder and choose New Search Folder,

 

new_search_folder.jpg

 

select the following options from step 1 (in the screenshot),

 

BulletinID, Expired and Superseded

 

choices.jpg

 

in step 2, Set the BulleinID to MS plus the last two digits of the year eg: MS08

Set Expired to No

Set Superseded to No

 

Make sure that Search All folders under this feature is selected and give the search a name, eg: 2008 patches

 

search_folder_criteria.jpg

 

Now that you know how to make a Search Folder, let's make one for Monthly searches, so right click on Enterprise Patches and choose New Search Folder

 

Fill it in as follows

 

monthly_search.jpg

 

and now make one for Windows Server 2008, we do this by adding Product as a search criteria and typing in the search phrase to look for, naturally you can customise it to suit your needs.

 

server_2008_patches.jpg

Share this post


Link to post
Share on other sites

Recommended Posts

  • 0

Hi,

I have a problem with Windows Update Agent and SCCM Update Agent.

I have supress reboots in the Deployment Management in SCCM then, as expected, when a reboot is required a red icon appear. But at the next day the WUA window is showed and it allow a delayed restart in 10 minutes, 1 hour or 4 hours. I don't want that the WUA window appear and allow the users to reboot whenever they want. Anyone know a solution?. Thanks in advance

.

Share this post


Link to post
Share on other sites

  • 0

Hi Anyweb,

 

Thanks for a great article. I have used this and SCCM unleashed book to understand most of how this part of SCCM works.

 

What I still don't understand are four bits ( or need clarification ) if you would please.

 

1. Deployment Management node-- Are these similar to advertisements in the software distribution part ?

 

2. If I want to apply (eg: win 7 sp1) to a classroom and see it happen say within an hour how would I go about doing it ? ( assuming I have all the engine working wsus , sup etc) what logs at either end should I use to check the progress or lack of it ?

 

3. How do i set the time in the update tab in the sccm client ? it's set to 3:00 am and most of our classrooms are shutdown at that time. i have tried to find anything that says how to change this on the internet and have come up with a blank.

 

4. Is it possible to deploy MS hotfixes using this method ( am i right in thinking that this is only possible if the hotfix is in a MS catalog ?). If not do I have to use Software distribution to do this ?

 

I would be really grateful if you could have even a brief answer at your earliest please .

 

Many thanks again for maintaiing this wonderful resource.

 

Nalin.

Share this post


Link to post
Share on other sites

  • 0

Hi,

 

I have an issue with getting the updates to start deploying immediately.

Once I have downloaded the required updates and deployed them, I have attempted to initiate the following

 

1. Machines policy retrieval and evaluation Cycle

2. Software Updates Scan Cycle

3. Software Updates deployment evaluation cycle

 

The schedule for the deployment is set as follows

 

updates to be made available: As soon as possible

Deadline for udpates installation: current time

 

I was expecting this to start installing the update on the test machines immediately but it did not install till after 20 mins

 

Windows Updates log shows the following

 

2012-09-17 15:13:11:087 1488 db0 Agent * Added update {70D41FF9-0796-4EB6-A699-61C04CB395FE}.100 to search result

2012-09-17 15:13:11:087 1488 db0 Agent * Added update {87E3E2FA-70E5-4B90-83EE-A16F41569A11}.106 to search result

2012-09-17 15:13:11:118 1488 db0 Agent * Found 192 updates and 61 categories in search; evaluated appl. rules of 1072 out of 2146 deployed entities

 

2012-09-17 15:13:11:431 1488 db0 Agent *********

2012-09-17 15:13:11:431 1488 db0 Agent ** END ** Agent: Finding updates [CallerId = CcmExec]

2012-09-17 15:13:11:431 1488 db0 Agent *************

2012-09-17 15:13:11:462 2252 e60 COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = CcmExec]

2012-09-17 15:13:13:321 2252 e60 COMAPI - Updates found = 192

2012-09-17 15:13:13:321 2252 e60 COMAPI ---------

2012-09-17 15:13:13:321 2252 e60 COMAPI -- END -- COMAPI: Search [ClientId = CcmExec]

2012-09-17 15:13:13:321 2252 e60 COMAPI -------------

 

WUAHandler.log contains the following entries

 

Successfully completed scan. WUAHandler 17/09/2012 14:45:23 1852 (0x073C)

Going to search using WSUS update source. WUAHandler 17/09/2012 15:18:43 5700 (0x1644)

Synchronous searching started using filter: 'UpdateID = 'bdf4d8e9-c1a2-4b0e-8703-0d00a09bf57e' AND DeploymentAction = *'... WUAHandler 17/09/2012 15:18:43 5700 (0x1644)

Successfully completed synchronous searching of updates. WUAHandler 17/09/2012 15:19:01 5700 (0x1644)

1. Update: bdf4d8e9-c1a2-4b0e-8703-0d00a09bf57e, 103 BundledUpdates: 1 WUAHandler 17/09/2012 15:19:01 5700 (0x1644)

Update: c5547a35-e639-4352-94f8-ddeda5fa2080, 102 BundledUpdates: 0 WUAHandler 17/09/2012 15:19:01 5700 (0x1644)

1. Update (Missing): Security Update for Windows XP (KB2564958) (bdf4d8e9-c1a2-4b0e-8703-0d00a09bf57e, 103) WUAHandler 17/09/2012 15:19:01 5700 (0x1644)

Async installation of updates started. WUAHandler 17/09/2012 15:19:02 5700 (0x1644)

Update 1 (bdf4d8e9-c1a2-4b0e-8703-0d00a09bf57e) finished installing (0x00000000), Reboot Required? Yes WUAHandler 17/09/2012 15:19:13 4528 (0x11B0)

Async install completed. WUAHandler 17/09/2012 15:19:13 4164 (0x1044)

Installation of updates completed. WUAHandler 17/09/2012 15:19:13 620 (0x026C)

Update (bdf4d8e9-c1a2-4b0e-8703-0d00a09bf57e) has finished the post reboot operation. HResult: 0x00000000. WUAHandler 17/09/2012 15:28:58 4380 (0x111C)

Async searching of updates using WUAgent started. WUAHandler 17/09/2012 15:28:58 4380 (0x111C)

 

 

what do i have to do to get it to start installing the updates immediately?

Share this post


Link to post
Share on other sites

  • 0

So, I have looked and looked, but I can't seem to find the answer to how to disable users from checking the internet for updates. This seems like it would be the simplest of questions since one of the big ideas behind WSUS is to keep computers from applying updates you don't want them to get, but maybe I'm blind or my noobnish is shining through.

 

As a fall back I guess the easiest way is to use the GPO to point to the SCCM server. Am I to assume that I should point it here:

 

http://<server.domain.com:8530/ClientWebService/client.asmx as shown in the updates log on clients?

Share this post


Link to post
Share on other sites

  • 0

The tutorials you provide are great. I have two questions

 

1. In the sotware Update Deployment template / display/Time Settings should I change the Duration from 0 to 1 and what are the effects.

 

 

 

2. On the primary site server in site settings / Client Agents / Software Update Client Agent Update Installation /

 

To get better results should I enforce all mandatory.

I have about have about 7, 000 machines in total.

Does this mean the update will Install after a certain amount of days no matter what.

Share this post


Link to post
Share on other sites

  • 0

Hello,

 

I'm fairly new to sccm, and i'm trying to get wsus and sccm to work properly, my problem is however that i dont have a spare 2TB to store all the updates it wants to download, now i've seen the option in wsus to auto approve the updates, but have clients download them from the MS update site, problem is, sccm keeps reseeting it back to storing the files locally, which continuously fills up the available hdd space (60gb).

Is there any way to have it use the above mentioned wsus setting? Or will i need to buy a bunch of large drives to put in the server? I'm mainly using this to be able to use MS FEP, which actually works fine, and updates from MS.

post-17818-0-64050200-1350047697_thumb.jpg

Share this post


Link to post
Share on other sites

  • 0

I want to install the updates automatically for the user. Do I need to choose the 'set a deadline...' or can I just do it without? When I choose the deadline option all clients will come and download the updates which result in network overload. When I set a deadline in let's say 3 weeks, will it download in the background everything it needs or not?

 

EDIT: And also, can I use WOL on a secondary site that is in another domain than primary site over WAN or are the magic packets send from the primary site only?

Share this post


Link to post
Share on other sites

  • 0

great post anyweb !

 

i have a question for you, but i dont think it's same topic :)

i have SCCM2012 SP1 & Wsus 3.0 installed on windows 2012 server, everything run smoothly.

but a few month ago, i had change my proxy server. and all serer run without proxy.

the problem is, when i change proxy settings on sccm server (i change the settings through internet option in control panel) i found that wsus proxy still use the old configuration.

i change proxy on wsus, then synchronise succeeded.

but few hour later, the proxy change again (back to old proxy setting). i change it manualy every 3 hour, and synchronise manualy.

 

===================

 

fixed anyway,

i had change the Proxy And Account Settings on server & sites system roles -> software update point and uncheck all proxy settings for update point.

 

thanks

:D

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.