anyweb

using System Center 2012 Configuration Manager - Part 9. Deploying Monthly Updates




In Part 1 of this series we created our new LAB, we got the System Center 2012 Configuration Manager ISO and extracted it, then copied it to our Active Directory server. We then created the System Management container in AD, delegated permissions to the container, extended the Schema for Configuration Manager. We then opened TCP ports 1433 and 4022 for SQL replication between sites, installed some prerequisites like .NET Framework 4.0, added some features and then downloaded and installed SQL Server 2008 R2 SP1 CU6. We then configured SQL Server using SQL Server Management Studio for security and memory configurations prior to running the Configuration Manager 2012 setup to assess server readiness. Finally we installed a central administration site (CAS).

In Part 2 we setup our Primary server with SQL Server 2008 R2 SP1 CU6. We then installed Configuration Manager 2012 on our primary server (P01) and verified that it was replicating to our central administration site (CAS) server. Then we configured Discovery methods for our Hierarchy and then configure Boundaries and Boundary Groups. In Part 3 we configured Discovery methods and configured boundaries and created a boundary group, we then configured them for Automatic Site Assignment and Content Location.

In Part 4 we added the Application Catalog roles to our Hierarchy. We then configured Custom Client Device Settings and then deployed those settings to the All Systems collection on site P01. After that we created Custom Client User Settings and deployed them to the All Users collection in order to allow users to define their own User and Device affinity settings.

In Part 5 we installed the WSUS server role (it is required for the Software Update Point role). We then installed the Software Update Point role on our CAS and Primary servers and we configured the SUP to support ConfigMgr Client Agent deployment which is a recommended Best Practice method of deploying the Configuration Manager Client Agent. In Part 6 we prepared our server for the Endpoint Protection Point role, and installed that role before configuring custom client device settings and custom antimalware policies. We then deployed those custom client device settings and custom antimalware policies to our newly created Endpoint Protection collections.

In Part 7 we added operating system deployment ability to our hierarchy by adding Windows 7 X64. We used the Build and Capture process to capture a WIM image which we can later deploy to targeted computers using network boot (PXE). PXE boot requires specific settings on our distribution points and the boot images used to deliver the operating system WIM images were therefore also enabled for PXE support.

In Part 8 we added Applications to our Software Library and configured the requirements in the Deployment Type to add new abilities to the application delivery process. We monitored the approval process of our applications and saw how requirements can influence whether an application is installed or not and we noted the difference between deploying to Users versus Devices. Now we will take a look at how Automatic Deployment Rules can be used to automate the deployment of windows updates on Patch Tuesday using a recurring schedule to patch your infrastructure using Software Updates.

Recommended Reading
Planning for Software Updates in Configuration Manager - https://technet.microsoft.com/en-us/library/gg712696.aspx
Prerequisites for Software Updates in Configuration Manager - https://technet.microsoft.com/en-us/library/hh237372.aspx
Configuring Software Updates in Configuration Manager - https://technet.microsoft.com/en-us/library/gg712312.aspx

Step 1. Create some Folders and Collections.
Perform the following on the CAS server as SMSadmin

To make the management of Software Updates easier we will first create some Folders and populate them with Collections. You can do this manually in the Assets and Compliance workspace, or you can do it in an automated way using PowerShell. The script below creates a tidy Folder and Collection structure covering the client operating systems and three Windows Server operating systems; in addition, the server operating systems are further divided into Automatic patching, Manual patching and Maintenance Windows collections. Here's the script (kindly provided by a colleague of mine, Niklas Landqvist); I've customized the XML file to create the Folders and Collections we want for this part of the series.

powershell scripts.zip

 

Note: You may have to do the following for the downloaded powershell scripts.

 

1. Save the script file on your computer, locate the saved script file.
2. Extract the contents and then locate the powershell PS1 scripts, right-click each script file, and then click Properties.
3. Click Unblock.

To use the script open a Windows PowerShell session as administrator by right-clicking on the Windows PowerShell icon and choosing Run As Administrator as in the screenshot below.

Windows PowerShell Run As Administrator.png

Change to the Directory where you've unzipped the script using CD (to change directory).

change directory.png

Once that is done we need to set the Execution Policy to RemoteSigned so that this script is allowed to run:

Set-ExecutionPolicy RemoteSigned

and answer Yes to the prompt.

Set-ExecutionPolicy RemoteSigned.png

and then run the script as follows:

.\CreateFoldersAndCollections.ps1 .\FolderAndCollections_Software_Updates.xml

the screen will update once you press enter...

running the PowerShell Script.png

and once the script is complete you can open the console in Assets and Compliance and refresh, you'll see the following Folders and Collections are already created.

Software Updates folders and collections.png

Note: All of the collections have membership queries that automatically populate them based on Operating System version. You may want to edit the queries further to exclude (or include) computers; otherwise you will have overlap between the three Windows Server collections, with servers showing up in all three of them.


Step 2. Perform a SUP Sync.
Perform the following on the CAS server as SMSadmin

Before starting, we want to make sure that the updates we are looking at are current and relevant, so we'll synchronize our Software Update Point with Microsoft Windows Update.

Tip: There are two types of sync, Full or Delta. A Full sync is performed on schedule (as defined in the Software Update Point scheduled synchronization), whereas a Delta sync occurs when you initiate a sync in the console. If a sync fails for whatever reason then it will be retried every 60 minutes. A Delta sync will be forced to a Full sync if you make any change to the Categories (for example, add an additional Product, or add or remove a Classification).

Note: In a hierarchy, when you trigger a sync it will affect all sites in the hierarchy starting with the CAS.

To trigger a Full Sync, in the Administration workspace select Sites, select the CAS server, right-click and choose Configure Site-Wide components, and select Software Update Point. Select the Schedule tab and click on Custom Schedule (in Part 5 we configured this to synchronize every 1 day; setting a Custom schedule allows you not only to sync once a day but also to decide at what time that sync occurs).


custom schedule.png

Click on Customize and set the Custom Schedule to Every 1 day at 7:00 pm as in the screenshot below. This will force a full sync at 7:00pm (if you want it to happen now, then set the schedule time to approx two minutes after the current time.)

custom schedule set to every 1 day at 7 pm.png

To monitor a sync's progress open WsyncMgr.log. Before continuing, confirm that the sync has succeeded on your CAS server by looking for the following line in WsyncMgr.log:

Sync Succeeded. Setting sync alert to cancelled state on site CAS.


Sync Succeeded.png

Once the sync has succeeded on the CAS it will trigger a signal on the primary site P01 to sync with its upstream server (CAS). You can verify this by opening the WsyncMgr.log file on the Primary server and looking for the following lines:

Found parent sync notification file CAS.SYN.
Performing sync on parent request.


sync signalled to start on Primary.png

Once the Primary server has finished syncing from its parent server (CAS) it will log the fact. Look for the following lines in WsyncMgr.log on the Primary server P01 as evidence of a successful sync:

Sync succeeded. Setting sync alert to canceled state on site P01
Successfully synced site with parent CAS, version 10.


sync succeeded on P01.png

Tip: To watch the sync in real time you can start the Windows Server Update Services console; it will show you any error messages pertaining to the synchronization process (such as services that are not started when they should be) and will give you a percentage reading as the sync takes place.

sync status in Windows Server Update Services console.png

At this point we are confident our SUPs are synced and we can go ahead and start deploying updates.
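As an added example (not part of the guide), the following PowerShell reads a WsyncMgr.log in CMTrace format and summarises the last sync attempt by looking for the marker lines quoted above, so the check can be scripted instead of eyeballed. The sample log is constructed to reproduce the P01 sequence from this step, and the site codes (CAS / P01) and the default log location are assumptions to adjust for your own hierarchy.

```powershell
function Get-SupSyncStatus {
    param([Parameter(Mandatory=$true)][string]$LogPath)

    # One CMTrace entry per line, e.g.
    # <![LOG[message]LOG]!><time="19:40:33.500+060" date="10-09-2012" component="SMS_WSUS_SYNC_MANAGER" ...>
    $linePattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'

    $status = @{
        LogPath         = $LogPath
        LastResult      = 'Unknown'    # Succeeded, Failed, or Unknown when no result line was found
        LastResultAt    = $null
        Site            = $null
        ParentRequested = $false       # true on a child site that was signalled by its parent (CAS.SYN)
        ParentSite      = $null
        CatalogVersion  = $null        # "version N" from the child site's success line
        FailureReason   = $null
    }

    foreach ($line in Get-Content -Path $LogPath) {
        if ($line -notmatch $linePattern) { continue }
        $msg = $Matches['msg']
        # date is MM-dd-yyyy; time is HH:mm:ss.fff followed by a UTC offset in minutes, which we drop
        $when = '{0} {1}' -f $Matches['date'], $Matches['time'].Substring(0, 12)

        switch -Regex ($msg) {
            '^Found parent sync notification file' { $status.ParentRequested = $true }
            '^Sync succeeded\..*state on site (?<site>\w+)' {
                # later entries overwrite earlier ones, so the last result wins
                $status.LastResult    = 'Succeeded'
                $status.LastResultAt  = $when
                $status.Site          = $Matches['site']
                $status.FailureReason = $null
            }
            '^Sync failed:?\s*(?<reason>.*)' {
                $status.LastResult    = 'Failed'
                $status.LastResultAt  = $when
                $status.FailureReason = $Matches['reason']
            }
            '^Successfully synced site with parent (?<parent>\w+), version (?<ver>\d+)' {
                $status.ParentSite     = $Matches['parent']
                $status.CatalogVersion = [int]$Matches['ver']
            }
        }
    }
    New-Object PSObject -Property $status
}

# Constructed sample log (not a real capture) reproducing the P01 sequence shown in this step.
$sample = @'
<![LOG[Found parent sync notification file CAS.SYN.]LOG]!><time="19:12:01.100+060" date="10-09-2012" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="2468" file="wsyncmgr.cpp:0">
<![LOG[Performing sync on parent request.]LOG]!><time="19:12:01.200+060" date="10-09-2012" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="2468" file="wsyncmgr.cpp:0">
<![LOG[Sync succeeded. Setting sync alert to canceled state on site P01]LOG]!><time="19:40:33.500+060" date="10-09-2012" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="2468" file="wsyncmgr.cpp:0">
<![LOG[Successfully synced site with parent CAS, version 10.]LOG]!><time="19:40:33.600+060" date="10-09-2012" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="2468" file="wsyncmgr.cpp:0">
'@
$samplePath = Join-Path ([System.IO.Path]::GetTempPath()) 'WsyncMgr.sample.log'
Set-Content -Path $samplePath -Value $sample

Get-SupSyncStatus -LogPath $samplePath |
    Format-List LastResult, LastResultAt, Site, ParentRequested, ParentSite, CatalogVersion, FailureReason

# On a site server, point it at the real log instead (default install location assumed):
# Get-SupSyncStatus -LogPath 'C:\Program Files\Microsoft Configuration Manager\Logs\WsyncMgr.log'
```

Run it against the log on each site server in turn: a CAS shows no parent lines, while a primary should show ParentRequested and the parent's catalog version once it has followed the CAS.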

Step 3. Deploying Updates automatically using an ADR
Perform the following on the CAS server as SMSadmin

We've already created some ADRs previously for deploying Endpoint Protection definition updates in Part 6 of this series, but now we will create a new ADR to automatically deploy Windows 7 updates once a month on a recurring schedule after Patch Tuesday (Microsoft releases new updates every month on the second Tuesday of the month). Once you understand how this works you can customize it to suit your needs and keep your systems patched in an automated way on a recurring schedule.

In the Software Updates section of the console, select Automatic Deployment Rules and in the ribbon click Create Automatic Deployment Rule.

Create Automatic Deployment Rule.png

When the wizard appears give the ADR a suitable name (I like to prepend "ADR: Software Updates" so they are easy to spot in Deployments/Monitoring), such as ADR: Software Updates - Windows 7 monthly Updates.

ADR software updates - windows 7.png

For Collection click on Browse and you'll notice that our folder and collection structure makes it easy to select the right collection; select the Software Updates - Windows 7 collection.

Software Updates - Windows 7.png

As this ADR is for Patch Tuesday and runs on a recurring schedule every month, we will choose to create a new software update group every time it runs; this means that each time the rule runs we have a single software update group to measure compliance against.

create a new software update group.png

For Deployment Settings set the verbosity level of state messages to Normal (the default is Minimal); we want to be able to determine what went wrong if some computers are not compliant after the rule has run, and having all those state messages will help.

Detail Level Normal.png

For the Software Updates screen select the following options:

  • Date Released or Revised: Last 1 day
  • Product: Windows 7

This means that when the rule runs it will find all Windows 7 updates released in the last 1 day; this will become clearer in the next step.

date release or revised Last 1 day.png

On the Evaluation Schedule screen click on Customize and set the schedule accordingly: set it to start running on the second Tuesday of the current month and to recur monthly on the second Tuesday of every month, at least two hours after the SUP has synced (which should give the sync time to finish). You can see that the SUP sync time is highlighted, which helps you plan your ADR schedule.

evaluation schedule.png

On the Deployment Schedule screen set the Software Available Time to at least 4 hours after the rule has run, so that the software update deployment packages have time to reach the destination distribution points.

Deployment Schedule.png
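As an added example (not part of the guide), this PowerShell works out the Patch Tuesday timings the two schedule screens ask for, starting from the 7:00 pm SUP sync set in Step 2, and checks the spacing recommended above (ADR run at least 2 hours after the sync, software available at least 4 hours after the run). October 2012 is an assumed month for illustration; the function names are mine.

```powershell
function Get-SecondTuesday {
    param([int]$Year, [int]$Month)
    $first = New-Object DateTime $Year, $Month, 1
    # days from the 1st to the first Tuesday, then one more week
    $toFirstTuesday = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $first.AddDays($toFirstTuesday + 7)
}

function Get-AdrPatchSchedule {
    param(
        [int]$Year, [int]$Month,
        [string]$SupSyncTime = '19:00',     # the custom SUP schedule from Step 2 (every 1 day at 7:00 pm)
        [int]$HoursAfterSync = 2,           # ADR evaluation: at least two hours after the sync
        [int]$HoursUntilAvailable = 4,      # software available: at least four hours after the rule runs
        [int]$ReleasedWithinDays = 1        # the "Date Released or Revised: Last 1 day" filter
    )
    $patchTuesday = Get-SecondTuesday -Year $Year -Month $Month
    $sync  = $patchTuesday.Add([TimeSpan]::Parse($SupSyncTime))
    $adr   = $sync.AddHours($HoursAfterSync)
    $avail = $adr.AddHours($HoursUntilAvailable)
    New-Object PSObject -Property @{
        PatchTuesday      = $patchTuesday.ToString('yyyy-MM-dd')
        SupSync           = $sync
        AdrEvaluation     = $adr
        SoftwareAvailable = $avail
        # the window the ADR's date filter will search when it runs
        FilterWindowStart = $adr.AddDays(-$ReleasedWithinDays)
        # false when sync + 2 h crosses midnight: a "second Tuesday" recurrence would then fire before the sync
        SameDayEvaluation = ($adr.Date -eq $patchTuesday.Date)
    }
}

function Test-AdrSpacing {
    param($Schedule, [int]$MinHoursAfterSync = 2, [int]$MinHoursUntilAvailable = 4)
    $problems = @()
    if (($Schedule.AdrEvaluation - $Schedule.SupSync).TotalHours -lt $MinHoursAfterSync) {
        $problems += "ADR runs less than $MinHoursAfterSync h after the SUP sync"
    }
    if (($Schedule.SoftwareAvailable - $Schedule.AdrEvaluation).TotalHours -lt $MinHoursUntilAvailable) {
        $problems += "available time is less than $MinHoursUntilAvailable h after the ADR run"
    }
    if (-not $Schedule.SameDayEvaluation) {
        $problems += 'evaluation falls on the day after Patch Tuesday; schedule the ADR for the Wednesday or move the sync earlier'
    }
    $problems
}

# October 2012 with the 7:00 pm sync: ADR at 9:00 pm on the second Tuesday, available from 1:00 am Wednesday
$s = Get-AdrPatchSchedule -Year 2012 -Month 10
$s | Format-List PatchTuesday, SupSync, AdrEvaluation, SoftwareAvailable, FilterWindowStart
Test-AdrSpacing -Schedule $s

# A 11:00 pm sync pushes the evaluation past midnight, which the check flags
Test-AdrSpacing -Schedule (Get-AdrPatchSchedule -Year 2012 -Month 10 -SupSyncTime '23:00')
```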

On the User Experience screen, as we want our users to interact with the deployment of software updates on Patch Tuesday, for User Notification select Display in Software Center and show all notifications. If you want to hide these notifications you can select that here too. In this guide we are deploying Windows 7 updates, so we don't need to suppress any system restarts; however, if you were targeting server operating systems with automatic deployment rules then you'd probably want to suppress the system restart.

display in software center and show all notifications.png

If you want to be alerted when compliance falls below the desired compliance level, select the corresponding option on the Alerts screen.

alerts.png

For Download Settings, leave the defaults.

download Settings.png

The first time you run this ADR, select Create a new deployment package (as none exists yet that we want to use). Once it has run, retire that rule by disabling it (right-click on the ADR and choose Disable) and then recreate an identical rule, except that in the replacement rule, for Deployment Package, you choose the previously created package (Windows 7 Monthly Updates) so that it reuses the package every month.

So Below screenshot is from the first run of the ADR.

create a new deployment package.png

Continue through the rest of the wizard to the Summary screen; on that screen click Save as Template so that you can reuse the settings.

summary save as template.png

Call the template Windows 7 Monthly Updates.

call the template Windows 7 Monthly Updates.png

Right-click on the newly created ADR and choose Run Now; we do this to create the Deployment Package.

Run ADR Now.png

After running the rule, verify that the Deployment Package has indeed been created and, when done, right-click on the ADR again and choose Disable.

Disable ADR.png

Once done, recreate the rule (the ADR), but this time point to that package during the wizard in the Select Deployment Package option, as in the screenshot below.

Select Deployment Package.png

Repeat the above for your Windows XP clients just as we've done for Windows 7, except obviously change the Product from Windows 7 to Windows XP and point the collection to the Windows XP equivalent...

Windows XP Monthly Updates ADR.png

At this point your ADRs are created and you are ready to sit back and watch as your Windows XP and Windows 7 clients get automatically patched on Patch Tuesday. Awesome.

ADRs created.png

Later in this series (after Patch Tuesday) I'll show you what happens on the clients, and I'll explain how we can patch our servers using Maintenance windows.

Until then, adios,

cheers
niall.



I just installed SCCM 2012 primary site on a brand new virtual W2008R2 server. I believe I've met all prereqs, installed SQL2008R2SP2 and WSUS on the same machine. I added the SUP role, but am confused about GPO settings. Some information I find online indicates I need to disable all WSUS-related GPOs, yet some other sources indicate I need to fully configure all WSUS-related GPOs. Currently, only Allow signed content from intranet Microsoft update service location is enabled, while everything else is disabled. When I check my local group policy settings it shows the location of my MS update site correctly (my new SCCM server). Everything looks good, but for some reason all my client machines show that they need zero updates. When I check the Update Library I see over 3000 available updates, but all of them show zero as Required or Installed. What am I missing?

Thanks,


I just installed SCCM 2012 primary site on a brand new virtual W2008R2 server. I believe I've met all prereqs, installed SQL2008R2SP2 and WSUS on the same machine. I added the SUP role, but am confused about GPO settings. Some information I find online indicates I need to disable all WSUS-related GPOs, yet some other sources indicate I need to fully configure all WSUS-related GPOs. Currently, only Allow signed content from intranet Microsoft update service location is enabled, while everything else is disabled. When I check my local group policy settings it shows the location of my MS update site correctly (my new SCCM server). Everything looks good, but for some reason all my client machines show that they need zero updates. When I check the Update Library I see over 3000 available updates, but all of them show zero as Required or Installed. What am I missing?

Thanks,

 

did you review Part 5 yet ?


Anyweb,

first, thank you for this helpful part!

 

I have still one question during recreating an identical ADR:

Do I have to add the identical rule to an existing Software Update Group or a new SUG?

 

Kind Regards

 

Witcher


 

Do I have to add the identical rule to an existing Software Update Group or a new SUG?

 

 

create the rule as you did before, so choose 'create new software update group'

 

this will allow you to run compliance reports for that month's patches; otherwise all the patches would end up month after month in the same software update group and you'd have a problem trying to determine last month's compliance


So this is good for Patch Tuesday. What about out-of-band or previous months' patches? Right now in SCCM 2007 we have it broken out by month for the current year (e.g. 2012 - July) and then by year for anything else (2009 (Jan-Jun) all patches). Would I just create an ADR for each month and year?

Right now in SCCM 2007 we have it broken out by month for the current year (e.g. 2012 - July) and then by year for anything else (2009 (Jan-Jun) all patches). Would I just create an ADR for each month and year?

 

I think creating a Software Update Group with a corresponding deployment would be more suitable for that scenario


In the file "FolderAndCollection_Software_Updates.xml", I would suggest some changes.

 

1.

As the "OperatingSystemNameandVersion" can differ ("Standard", "Datacenter" and so on) and the version numbers can contain subversions, I also suggest the following changes for all the lines containing the text SMS_R_System.OperatingSystemNameandVersion

 

Using the following example

[...]SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Server 5.1"

 

I suggest changing the = to LIKE in order to place a % after [...]NT[..] and the version number.

 

The results will then change from:

[...]SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Server 5.1"

to

[...]SMS_R_System.OperatingSystemNameandVersion LIKE "Microsoft Windows NT% Server 5.1%"

 

 

2.

As "Microsoft Windows NT Server 6.1" only refers to Windows Server 2008 R2 and not Windows Server 2008 (6.0), I suggest adding "OR" to the line, thereby changing the end of lines 32, 35 and 38 from

 

[....]where SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Server 6.0"</Rule>

to

[....]where SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Server 6.0" OR SMS_R_System where SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Server 6.1"</Rule>

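As an added example (not part of the guide, its XML, or the comment above), the following PowerShell evaluates the original equality queries next to the LIKE-based variants proposed in that comment against a constructed set of OperatingSystemNameandVersion values, and lists the machines that would land in more than one server collection, which is the overlap the Step 1 note warns about. The collection names, the Windows Server 2003 value (NT Server 5.2) and the inventory are assumptions, and WQL LIKE is approximated with a regex rather than run against the SMS provider.

```powershell
# Approximate WQL LIKE with a regex: '%' matches any run of characters, '_' exactly one
function ConvertTo-WqlLikeRegex {
    param([string]$LikePattern)
    '^' + ([regex]::Escape($LikePattern) -replace '%', '.*' -replace '_', '.') + '$'
}

function Test-WqlLike {
    param([string]$Value, [string]$LikePattern)
    # -match is case-insensitive, as a WQL string comparison is
    [bool]($Value -match (ConvertTo-WqlLikeRegex -LikePattern $LikePattern))
}

# Constructed inventory (sample data, not from a real site). The "Advanced Server" values are
# the ones the comment's NT% wildcard is meant to catch.
$inventory = @(
    @{ Name = 'SRV01'; OS = 'Microsoft Windows NT Server 5.2' },
    @{ Name = 'SRV02'; OS = 'Microsoft Windows NT Advanced Server 5.2' },
    @{ Name = 'SRV03'; OS = 'Microsoft Windows NT Server 6.0' },
    @{ Name = 'SRV04'; OS = 'Microsoft Windows NT Server 6.1' },
    @{ Name = 'SRV05'; OS = 'Microsoft Windows NT Advanced Server 6.1' },
    @{ Name = 'WKS01'; OS = 'Microsoft Windows NT Workstation 6.1' }
)

# Assumed collection names; Original = the '=' queries, Like = the comment's LIKE / OR variants
$collections = @(
    @{ Name = 'Windows Server 2003';    Original = @('Microsoft Windows NT Server 5.2');
                                        Like = @('Microsoft Windows NT% Server 5.2%') },
    @{ Name = 'Windows Server 2008';    Original = @('Microsoft Windows NT Server 6.0');
                                        Like = @('Microsoft Windows NT% Server 6.0%', 'Microsoft Windows NT% Server 6.1%') },
    @{ Name = 'Windows Server 2008 R2'; Original = @('Microsoft Windows NT Server 6.1');
                                        Like = @('Microsoft Windows NT% Server 6.1%') }
)

function Get-CollectionMembership {
    param($Inventory, $Collections, [ValidateSet('Original', 'Like')][string]$Mode)
    foreach ($c in $Collections) {
        $members = @(foreach ($i in $Inventory) {
            $hit = $false
            foreach ($p in $c[$Mode]) {
                if ($Mode -eq 'Original') { if ($i.OS -eq $p) { $hit = $true } }   # WQL '=' is an exact string match
                elseif (Test-WqlLike -Value $i.OS -LikePattern $p) { $hit = $true }
            }
            if ($hit) { $i.Name }
        })
        New-Object PSObject -Property @{ Collection = $c.Name; Members = $members }
    }
}

function Get-CollectionOverlap {
    param($Membership)
    # machines that appear in more than one collection
    $pairs = foreach ($m in $Membership) {
        foreach ($name in $m.Members) { New-Object PSObject -Property @{ Machine = $name; Collection = $m.Collection } }
    }
    $pairs | Group-Object -Property Machine | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        New-Object PSObject -Property @{
            Machine     = $_.Name
            Collections = (($_.Group | ForEach-Object { $_.Collection }) -join ', ')
        }
    }
}

foreach ($mode in 'Original', 'Like') {
    Write-Output "== $mode queries =="
    $membership = Get-CollectionMembership -Inventory $inventory -Collections $collections -Mode $mode
    foreach ($m in $membership) { Write-Output ('{0,-24} {1}' -f $m.Collection, ($m.Members -join ', ')) }
    Write-Output '-- machines in more than one collection --'
    foreach ($o in Get-CollectionOverlap -Membership $membership) { Write-Output ('{0,-8} {1}' -f $o.Machine, $o.Collections) }
}
```

The equality queries miss the Advanced Server editions entirely, while the LIKE/OR variants pick them up but place the 6.1 servers in both the 2008 and 2008 R2 collections, so whichever form you adopt, edit the queries so each server falls into exactly one of the three.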

Great tutorial but I have some questions I'm hoping you can answer:

 

1. Under step #3, the screenshot directly below "So Below screenshot is from the first run of the ADR." shows a package source (\\cas\sources . . . ). Did you create this manually? The "WindowsUpdates\Windows 7|" sub-directory is not in my sources folder so I couldn't choose it. Do I have to create it manually? Also, what does it do? There really isn't an explanation unless I missed it in one of the other tutorials.

 

2. You mention creating the ADR, running it, disabling it, and then recreate the rule (selecting the package the first rule created). When I try to recreate and name the rule and "Select Deployment Template", it says one with that name already exists. This makes sense but I see your screenshot shows two rules with the same name. Am I doing something wrong?

 

Thanks for any help you can give.


Hi Anyweb

 

Quick query on the ADR(just want to make sure as I am currently in the process of a Primary with 30 remote DPs and am going to soon introduce ADRs)

In my environment I am constantly imaging machines on a weekly basis, so I am just wondering: does this update package hold onto all previous months' updates without expiring them?

As I need a newly built machine to get this months updates from the ADR but I also want them to get say the 2,3,4 previous monthly patches also.....does it do this?

 

I had been doing it differently with my other sites....in the ADR configuration I currently have just product ID and also superseded NO component and evaluation every 3rd Thursday (just to give time if there are any problematic updates to remove them before they are deployed). It seems to be working so far, so good, but I also just added these to an existing software update group (same as FEP ADR) without disabling the ADR and creating an identical one and pointing it to the initial SUG...

Could this cause problems other than not being able to see the compliance?

 

Thanks

 

Rocket Man


What's the point in disabling the ADR once you've created it? Don't you still want it to run every month?

 

you create the ADR to create the deployment package, once done you disable the ADR and recreate it as before, except this time you re-use the previously created deployment package, this is to avoid recreating the deployment package every time the ADR runs...


Great tutorial but I have some questions I'm hoping you can answer:

 

1. Under step #3, the screenshot directly below "So Below screenshot is from the first run of the ADR." shows a package source (\\cas\sources . . . ). Did you create this manually? The "WindowsUpdates\Windows 7|" sub-directory is not in my sources folder so I couldn't choose it. Do I have to create it manually? Also, what does it do? There really isn't an explanation unless I missed it in one of the other tutorials.

 

yes you have to create that folder manually, it's simply there to store the contents of the Windows 7 Updates for the windows 7 deployment package

 

2. You mention creating the ADR, running it, disabling it, and then recreate the rule (selecting the package the first rule created). When I try to recreate and name the rule and "Select Deployment Template", it says one with that name already exists. This makes sense but I see your screenshot shows two rules with the same name. Am I doing something wrong?

 

simply add a space or fullstop or rename the original ADR slightly to get the desired result, no you are not doing anything wrong, mine has an extra space (from memory..)

 

Thanks for any help you can give.

 

you are welcome :)


Would a "Best Practice" be to:

  • Date Released or Revised: Last 1 Month

This would allow the updates to catch any "out of cycle" patches that MS might push out, since the update ADR is only running once a month. As an alternative you could run this ADR daily and still keep it at Last 1 Day.

 

Do you have to keep the disabled ADRs or can I just delete them?


if you want to do it that way in production go ahead, but you'll have a hard time keeping track of what is going out to your systems and when,

by setting it to Last one day and scheduling it to occur just after patch tuesday once per month, you are deciding when and where your systems get patched.


Great scripts you're providing here!

You mention modifying the XML file. Is there any convenient way to convert exported collection MOFs into XML format?

 

I have a bunch of collections that I would like to export and import using this script.


Hi! Great tutorial. Just a question. Although we have a policy in which we configure a server as SUP, do the computers still download the updates package from the distribution point that I configured to use in the boundary related to that computer? Sorry, my English isn't quite good.


Yes, this is my question: the client first tries to copy the updates from the DP assigned via boundary group; does it in any case try to download from other locations? I don't have a failover DP configured.


When I tried to execute the script I got the following error:

 

File C:\temp\CreateFoldersAndCollections.ps1 cannot be loaded. The file C:\temp\CreateFoldersAndCollections.ps1 is not digitally signed. The script will not execute on the system. Please see "get-help about_signing" for more details..

 

Any suggestions?


When I tried to execute the script I got the following error:

 

File C:\temp\CreateFoldersAndCollections.ps1 cannot be loaded. The file C:\temp\CreateFoldersAndCollections.ps1 is not digitally signed. The script will not execute on the system. Please see "get-help about_signing" for more details..

 

Any suggestions?

 

did you read the guide ?

 

 

 

Once done we need to Set the Execution Policy to allow this script (RemoteSigned) to run.

 

Set-ExecutionPolicy RemoteSigned


Another query:

How do I send the same ADR to another collection? I have Office 2013 updates that at the moment are deployed via ADR to my Windows 7 collection; I also want to deploy this ADR to my Windows 8 collection.

 

Do I have to create another ADR and point it to the Office 2013 update source directory (that was created from my Windows 7 ADR) and then deploy this new ADR to the Windows 8 collection? Will this work, 2 ADRs using the same source directory??

 

Thanks


did you read the guide ?

Sorry, I didn't mean to be a pain but yes I did read the guide. Your guides are very appreciated and have greatly accelerated our deployment. Here is my PowerShell window.

 


If anyone should run into the problem I ran into, I followed these steps to get the scripts to run. You will have to do it for both CM12Functions.ps1 and CreateFoldersAndCollections.ps1.

 

1. Save the script file on your computer.
2. Click Start, click My Computer, and locate the saved script file.
3. Right-click the script file, and then click Properties.
4. Click Unblock.


thanks, I'll update my post to reflect that info.
