
  • 0
anyweb

Configuring Software Update Point within SCCM

Question

This guide assumes you have SCCM 2007 set up as described here. This guide was based upon a document entitled Patch Management directions for SCCM by Christopher Stauffer, which you can find here.

 

Please note that this guide is designed to help you get a working SUP in SCCM in a LAB Environment as quickly as possible. This guide is provided as is, if you find any errors please report them in the forums.

 

In a production environment please consult Technet for best practice; see the links below:

 

Superflow:

 

Software Update Deployment SuperFlow

 

 

About Software Update Point:

 

About Software Update Point

 

Planning:

 

Planning for Software Updates Client Settings

 

Configuration:

 

Configuring Software Updates

How to Configure the Software Updates Client Agent

How to Create and Configure an Active Internet-Based Software Update Point

 

Best Practices:

 

Configuring Configuration Manager Sites for Best Performance

Checklist for Security Best Practices

Best Practices for Central and Primary Site Hardware and Software Configuration

Best Practices for Operating System Deployment

 

Software Update Point process Flowcharts:

 

Software Updates Synchronization Process Flowchart

Software Update Deployment Process Flowchart

Deployment Package Process Flowchart

 

Related:

 

How to obtain the latest version of the Windows Update Agent

 

 

1. Install WSUS

 

Install WSUS but do not configure it. Once done, make sure the Software Update Point Role is installed on the SCCM Server.

 

sup_role.jpg

 

Once you've added the Software Update Point role, verify that it is installed by checking the SUPSetup.log; it should have a line which reads Installation was successful.

 

2. Create some Search Folders

 

In the Software Updates section, right click on Search Folders and choose New Folder,

 

enterprise_searches.jpg

 

give the new folder a name like Enterprise Searches (we will store our yearly searches here)

 

ent_searches.jpg

 

Right click on our new folder and choose New Search Folder,

 

new_search_folder.jpg

 

select the following options from step 1 (in the screenshot),

 

BulletinID, Expired and Superseded

 

choices.jpg

 

in step 2, set the BulletinID to MS plus the last two digits of the year, e.g. MS08

Set Expired to No

Set Superseded to No

 

Make sure that Search All folders under this feature is selected and give the search a name, eg: 2008 patches

 

search_folder_criteria.jpg

 

Now that you know how to make a Search Folder, let's make one for Monthly searches, so right click on Enterprise Patches and choose New Search Folder

 

Fill it in as follows

 

monthly_search.jpg

 

and now make one for Windows Server 2008. We do this by adding Product as a search criterion and typing in the search phrase to look for; naturally you can customise it to suit your needs.

 

server_2008_patches.jpg


  • 0

You probably selected Store updates locally during the installation of WSUS. This means that you are storing the updates on three different places, the WSUS folder, the Updates package and on the DP.

 

 

At least, is there any way to "unselect" the "store locally updates"? Do I have to reinstall? It's a 2008 R2 so by reinstalling I mean removing the WSUS role and re-enabling it. What's the easiest thing to do?

 

Thanks,


  • 0

Try temporarily disabling the firewall on the client and do a Data Discovery. Do you see the client in configmgr collections? Is it approved and client=yes?

 

How do I do a Data Discovery? I see the client in ConfigMgr Collections but it's not approved and client=no. How do I change these parameters?

 

Thanks for your help.


  • 0

At least, is there any way to "unselect" the "store locally updates"? Do I have to reinstall? It's a 2008 R2 so by reinstalling I mean removing the WSUS role and re-enabling it. What's the easiest thing to do?

 

Thanks,

 

Well... I was a bit too quick with saying that it is not needed at all, because it can be used to store license associated with the software updates...

You can also just clean up the WSUS directory by opening the WSUS Console > Options > WSUS Cleanup Wizard. This will clean up all unwanted, expired, superseded, etc. updates.


  • 0

Verify

 

On a client, open up control panel and the Configuration Manager client agent, click on the actions tab and Initiate the Following actions

 

Machine Policy Retrieval & Evaluation Cycle

Software Updates Deployment Evaluation Cycle

Software Updates Scan Cycle

 

post-1-1229634162_thumb.jpg

 

If you don't see any updates coming then read the WUAHandler log for details to see what is happening....

 

the log is located in C:\windows\system32\ccm\logs (x86) or c:\windows\syswow64\ccm\logs

 

you can also browse the c:\windows\syswow64\ccm\cache folder to see if any updates have started to download yet

 

be patient, even if you set the deadline for 10:10 it might take time to get them transferred over.

 

Tip: To troubleshoot scan errors, you can run the Troubleshooting 1 - Scan errors report which will return a count of computers for each error that occurred during the last scan for software update compliance on client computers. You can then drill down to the Troubleshooting 3 / Computers Failing with a specific scan error report to view a list of computers that returned that specific scan error.

 

here's what your desktop will look like when the software updates are being pushed out, you can click on the update icon to get details of the updates themselves

 

post-1-1229859160_thumb.jpg

 

after they are applied the update icon will change colour

 

post-1-1229859167_thumb.jpg

 

and here is my WUAhandler.log file (of a successful update) compare it to your own if you are experiencing problems to see what is different...

 

WUAHandler.log

 

 

Hi,

I tried to do it like you but it doesn't work. Can you help me please? I have a slightly different configuration because I do not use Active Directory. I add computers to SCCM like this (Computer association, Import Computer Information => Import single computer). Can you explain to me how to configure deploying updates with SCCM please?

When I tried it like you, I haven't got all the actions in Computer manager Properties, but I have all the components installed.

Configuration: Windows Server 2008 R2, SCCM 2007 SP2 R2, WSUS 3.0 SP2

post-5534-12710766334743_thumb.jpg

post-5534-12710766966212_thumb.jpg
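
The verification steps quoted in the post above (initiating the three client actions, then reading WUAHandler.log) can also be scripted. This is an added example, not part of the original thread: the helper names `Invoke-SupClientAction` and `Get-CcmLogProblem` are hypothetical, the sample log lines are constructed, and the schedule IDs are the standard ConfigMgr client trigger IDs.

```powershell
# Added example. Helper names are hypothetical; sample log lines are constructed.
$Actions = @(
    @('Machine Policy Retrieval & Evaluation Cycle',  '{00000000-0000-0000-0000-000000000021}'),
    @('Software Updates Deployment Evaluation Cycle', '{00000000-0000-0000-0000-000000000108}'),
    @('Software Updates Scan Cycle',                  '{00000000-0000-0000-0000-000000000113}')
)

function Invoke-SupClientAction {
    # Scripted equivalent of "Initiate Action" on the client's Actions tab.
    foreach ($a in $Actions) {
        Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' `
            -Name 'TriggerSchedule' -ArgumentList $a[1] | Out-Null
        Write-Host "Triggered: $($a[0])"
    }
}

function Get-CcmLogProblem {
    # Parses single-line CCM log records and keeps type 2 (warning) and 3 (error).
    # Records whose message spans several lines are skipped by this simple parser.
    param([string[]]$Line)
    $rx = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[\d:.]+)[^"]*" date="(?<date>[^"]+)" ' +
          'component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
    $names = @{ 2 = 'Warning'; 3 = 'Error' }
    foreach ($l in $Line) {
        if (($l -match $rx) -and ([int]$Matches['type'] -ge 2)) {
            New-Object PSObject -Property @{
                When     = "$($Matches['date']) $($Matches['time'])"
                Severity = $names[[int]$Matches['type']]
                Message  = $Matches['msg']
            }
        }
    }
}

# Constructed sample records in the CCM log layout (one informational, two errors).
$sample = @(
    '<![LOG[Async searching of updates using WUAgent started.]LOG]!><time="10:12:01.101+-60" date="12-18-2008" component="WUAHandler" context="" type="1" thread="2204" file="constructed">',
    '<![LOG[OnSearchComplete - Failed to end search job. Error = 0x80072ee2.]LOG]!><time="10:14:09.553+-60" date="12-18-2008" component="WUAHandler" context="" type="3" thread="2204" file="constructed">',
    '<![LOG[Scan failed with error = 0x80072ee2.]LOG]!><time="10:14:09.569+-60" date="12-18-2008" component="WUAHandler" context="" type="3" thread="2204" file="constructed">'
)
Get-CcmLogProblem -Line $sample | Format-List When, Severity, Message

# On a real client, check both log locations named in the guide.
foreach ($dir in 'C:\windows\system32\ccm\logs', 'C:\windows\syswow64\ccm\logs') {
    $log = Join-Path $dir 'WUAHandler.log'
    if (Test-Path $log) { Get-CcmLogProblem -Line (Get-Content $log) | Format-List }
}
```

Run `Invoke-SupClientAction` from an elevated prompt on the client, wait for the cycles to complete, then rerun the log check; an empty result means WUAHandler.log contains no warning or error records.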


  • 0

Hello,

Just one question: can you configure SCCM to deploy Windows updates to computers in a collection (adding computers to the collection using Computer Association => Import Computer Association => Import single computer) without setting up Active Directory on the same server? I want to deploy Windows updates without setting up Active Directory.


  • 0

This post is really separate from setting up a Software Update Point, but I'll give you a hint: you need the SLP role installed on your site server (SLP = server locator point); you'll then need to configure the configmgr clients with the info required to see the SLP.

 

if you have questions that are not specific to this topic then please raise them as separate posts to avoid any confusion

 

cheers

niall


  • 0

Assuming settings are part of configuring SUP, I'll post this question here.

 

When updates are configured to not require a client to reboot (For example: emergency dispatch systems) automatically, I get the package and red arrow in the system tray. Is there a way to force visible reminders to reboot? I'd like something flashier and more pesky than the little box and arrow.

 

I've been through all the settings and all I find is reminders that a reboot is going to happen, but when one is needed and not forced, can SCCM be configured to pester systems that are always on until they reboot?

 

Much thanks for any and all ideas.

 

-Kelly


  • 0

Hi all,

can you please help me?

I have a question to ask.

1. I have deployed a Software Update to a server collection containing 2 servers.

2. The deployment succeeded.

3. I have checked the status message queries from the SCCM console to reconfirm that the content downloaded successfully to the server.

4. Then I checked the cache folder on the server; all patches pushed from SCCM are there.

The problem is that until now the patches are not installed. They are supposed to install automatically, right?

Is it because of the deadline or not?

 

thanks in advance...


  • 0

Hi all,

can you please help me?

I have a question to ask.

1. I have deployed a Software Update to a server collection containing 2 servers.

2. The deployment succeeded.

3. I have checked the status message queries from the SCCM console to reconfirm that the content downloaded successfully to the server.

4. Then I checked the cache folder on the server; all patches pushed from SCCM are there.

The problem is that until now the patches are not installed. They are supposed to install automatically, right?

Is it because of the deadline or not?

 

thanks in advance...

 

If your update package has a deadline that's set in the future, it will indeed wait with the installation until after the deadline. You can choose to install the updates manually from the server or adjust the deadline of the update package.


  • 0

Hello. How can I change the products and classifications of the updates? I tried changing them through the software update component and issued a WSUS cleanup from that console, but I keep on seeing, for example, Office 2002 although I have removed it from the product list, and in the wsus.log I can still see the initial classifications that I selected. I also tried changing it through the WSUS console but no luck.

 

Any ideas?
