using System Center 2012 Configuration Manager - Part 9. Deploying Monthly Updates

[anyweb]

In Part 1 of this series we created our new LAB, we got the System Center 2012 Configuration Manager ISO and extracted it, then copied it to our Active Directory server. We then created the System Management container in AD, delegated permissions to the container, extended the Schema for Configuration Manager. We then opened TCP ports 1433 and 4022 for SQL replication between sites, installed some prerequisites like .NET Framework 4.0, added some features and then downloaded and installed SQL Server 2008 R2 SP1 CU6. We then configured SQL Server using SQL Server Management Studio for security and memory configurations prior to running the Configuration Manager 2012 setup to assess server readiness. Finally we installed a central administration site (CAS).

In Part 2 we setup our Primary server with SQL Server 2008 R2 SP1 CU6. We then installed Configuration Manager 2012 on our primary server (P01) and verified that it was replicating to our central administration site (CAS) server. Then we configured Discovery methods for our Hierarchy and then configure Boundaries and Boundary Groups. In Part 3 we configured Discovery methods and configured boundaries and created a boundary group, we then configured them for Automatic Site Assignment and Content Location.

In Part 4 we added the Application Catalog roles to our Hierarchy. We then configured Custom Client Device Settings and then deployed those settings to the All Systems collection on site P01. After that we created Custom Client User Settings and deployed them to the All Users collection in order to allow users to define their own User and Device affinity settings.

In Part 5 we installed the WSUS server role (it is required for the Software Update Point role). We then installed the Software Update Point role on our CAS and Primary servers and we configured the SUP to support ConfigMgr Client Agent deployment which is a recommended Best Practice method of deploying the Configuration Manager Client Agent. In Part 6 we prepared our server for the Endpoint Protection Point role, and installed that role before configuring custom client device settings and custom antimalware policies. We then deployed those custom client device settings and custom antimalware policies to our newly created Endpoint Protection collections.

In Part 7 we added operating system deployment ability to our hierarchy by adding Windows 7 X64. We used the Build and Capture process to capture a WIM image which we can later deploy to targeted computers using network boot (PXE). PXE boot requires specific settings on our distribution points and the boot images used to deliver the operating system WIM images were therefore also enabled for PXE support.

In Part 8 we added Applications to our Software Library and configured the requirements in the Deployment Type to add new abilities to the application delivery process. We monitored the approval process of our applications and saw how requirements can influence whether an application is installed or not and we noted the difference between deploying to Users versus Devices. Now we will take a look at how Automatic Deployment Rules can be used to automate the deployment of windows updates on Patch Tuesday using a recurring schedule to patch your infrastructure using Software Updates.

Recommended Reading
Planning for Software Updates in Configuration Manager - https://technet.microsoft.com/en-us/library/gg712696.aspx
Prerequisites for Software Updates in Configuration Manager - https://technet.microsoft.com/en-us/library/hh237372.aspx
Configuring Software Updates in Configuration Manager - https://technet.microsoft.com/en-us/library/gg712312.aspx

Step 1. Create some Folders and Collections.
Perform the following on the CAS server as SMSadmin

To make the management of Software Updates easier we will first create some Folders and populate them with Collections. You can do this manually in the Assets and Compliance workspace or you can do it in an automated way using PowerShell. The below script will create a nice Folder and Collection structure sorting the Client Operating Systems and 3 Windows Server Operating Systems, in addition, the server Operating Systems are further divided into Automatic patching, Manual patching and Maintenance Windows collections. Here's the script (kindly provided by a colleague of mine, Niklas Landqvist), I've customized the XML file to create the Folders and Collections we want for this part of the series.

powershell scripts.zip

 

Note: You may have to do the following for the downloaded powershell scripts.

 

1. Save the script file on your computer, locate the saved script file.
2. Extract the contents and then locate the powershell PS1 scripts, right-click each script file, and then click Properties.
3. Click Unblock.

To use the script open a Windows PowerShell session as administrator by right-clicking on the Windows PowerShell icon and choosing Run As Administrator as in the screenshot below.



Change to the Directory where you've unzipped the script using CD (to change directory).



Once done we need to Set the Execution Policy to allow this script (RemoteSigned) to run.

Set-ExecutionPolicy RemoteSigned

and answer Yes to the prompt.



and then run the script as follows:-

.\CreateFoldersAndCollections.ps1 .\FolderAndCollections_Software_Updates.xml

the screen will update once you press enter...



and once the script is complete you can open the console in Assets and Compliance and refresh, you'll see the following Folders and Collections are already created.



Note: All of the collections have Membership queries to automatically populate the collections based on Operating System version. You may want to edit the queries further in order to exclude (or include) computers otherwise you will have overlap between those three Windows Server Collections where servers show up in all three of the respective collections.


Step 2. Perform a SUP Sync.
Perform the following on the CAS server as SMSadmin

Before starting our activity we want to make sure that the updates that we are looking at are current and relevant therefore we'll synchronize our Software Update Point with Microsoft Windows Update.

Tip: There are two types of sync, Full or Delta. A Full sync is performed on schedule (as defined in the Software Update Point scheduled synchronization), whereas a Delta sync occurs when you initiate a sync in the console. If a sync fails for whatever reason then it will be retried every 60 minutes. A Delta sync will be forced to a Full sync if you make any change to the Categories (for example, add an additional Product, or add or remove a Classification).

Note: In a hierarchy, when you trigger a sync it will affect all sites in the hierarchy starting with the CAS.

To trigger a Full Sync in the Administration workspace, select Sites, select the CAS server, right click and choose Configure Site-Wide components, and select Software Update Point. Select the Schedule tab and click on Custom Schedule (in Part 5 we configured this to synchronize every 1 day, however setting a Custom schedule allows you to not only sync once a day but to decide what time that sync occurs at).




Click on Customize and set the Custom Schedule to Every 1 day at 7:00 pm as in the screenshot below. This will force a full sync at 7:00pm (if you want it to happen now, then set the schedule time to approx two minutes after the current time.)



To monitor a syncs progress open the WsyncMgr.log. Before continuing, confirm that the sync has succeeded on your CAS server by looking for the following line in WsyncMgr.log

Sync Succeeded. Setting sync alert to cancelled state on site CAS.

Once the Sync has succeeded on CAS it will trigger a signal on the primary site P01 to Sync to it's upstream server (CAS). You can verify this by opening the WsyncMgr.log file on the Primary server and look for the following lines:

Found parent sync notification file CAS.SYN.
Performing sync on parent request.

Once the Primary server has finished syncing from it's parent server (CAS) it will log the fact. Look for the following lines in WsyncMgr.log on the Primary server P01 for evidence of a succesful sync.

Sync succeeded. Setting sync alert to canceled state on site P01
Successfully synced site with parent CAS, version 10.

Tip: To watch the sync in real-time you can start the Windows Server Update Services Console, this will show you any error messages pertaining to the synchronization process (such as services that are not started when they should be) and will give you a percentage reading as the sync takes place.



At this point we are confident our SUPs are synched and we can go ahead and start deploying Updates.

Step 3. Deploying Updates automatically using an ADR
Perform the following on the CAS server as SMSadmin

We've already created some ADR's previously for Deploying Endpoint Protection definition updates in Part 6 of this series, but now we will create a new ADR to automatically deploy Windows 7 Updates once a month on a recurring schedule (after patch Tuesday, Microsoft releases new updates every month on the second Tuesday of the month). Once you understand how this works you can customize it to suit your needs to keep your systems patched in an automated way on a recurring schedule.

In the Software Updates section of the console, select Automatic Deployment Rules and in the ribbon click Create Automatic Deployment Rule.



when the wizard appears give the ADR a suitable name (I like to Pre-pend ADR: Software Updates so they are easy to see in Deployments/Monitoring) such as ADR: Software Updates - Windows 7 monthly Updates.



for Collection click on browse and you'll notice our nice folder and collection structure makes it easy to select the right collection, select the Software Updates - Windows 7 collection.



As this ADR is for Patch Tuesday and occurs on a recurring schedule every month, we will choose to create a new software update group every time it runs, this means that we can have a single software update group to measure compliance against when the rule runs.



for Deployment Settings set the verbosity level of state messages to Normal (default is minimal) as we want to be able to determine what went wrong if some computers are not compliant after the rule is run and having all those state messages will help.



for the software Updates screen select the following options:-

• Date release or revised Last 1 day
• Product Windows 7

this means that when the rule runs it will find all Windows 7 updates released in the last 1 day, this wil become clearer in the next step



on the Evaluation Schedule screen click on Customize and set the schedule accordingly, set it to start running on the second Tuesday of the current month, and to recur monthly on the second Tuesday of every month at least two hours after the SUP has synched (which should give it time to sync). You can see that the SUP sync time is highlighted and that helps you to plan your ADR deployment.



For the Deployment Schedule screen set the Software Available Time to be at least 4 hours after the rule has run in order for the actual software updates deployment packages to reach the destination distribution points.



On the User Experience screen, as we want out users to interact with the Deployment of software updates on Patch Tuesday, for User Notification select display in software center and show all notifications. If you wanted to hide these notifications you can select that ability here also. In this guide we are deploying Windows 7 updates therefore we don't need to surpress any system restarts, however if you were targetting server operating systems with automatic deployment rules then you'd probably want to supress the system restart.



If you want to be alerted when the compliance threshold is below the desired compliance level then select the next option on the Alerts screen.



for Download Settings, leave it as default



The first time you run this ADR select to create a new deployment package (as none will exist that we want to use). Once it has run, you can retire that rule by disabling it (right click on the ADR, choose Disable) and then you should recreate an identical rule except in the replacement rule, for Deployment Package choose the previously created package (Windows 7 Monthly Updates) so that it re-uses the package every month.

So Below screenshot is from the first run of the ADR.



continue through the rest of the wizard through to the Summary screen, on that screen click on Save as Template so that you can reuse the settings.



call the template Windows 7 Monthly Updates



right-click on the newly created ADR and choose Run Now, we do this to create the Deployment Package.



After running the rule, verify that the Deployment Package is indeed created and when done, right click on the ADR again, and choose Disable.



Once done recreate the rule (the ADR) but this time point to that package during the wizard in the Select Deployment Package option like in the screenshot below.



Repeat the above for your Windows XP clients just as we've done for Windows 7, except obviously change the Product name from Windows 7 to Windows XP and point the collection to the Windows XP equivalent...



At this point your ADR's are created and you are ready to sit back and watch as your Windows XP and Windows 7 clients get automatically patched on Patch Tuesday. Awesome.



Later in this series (after Patch Tuesday) I'll show you what happens on the clients, and I'll explain how we can patch our servers using Maintenance windows.

Until then, adios,

cheers
niall.

[sergei.borisenko@ipers.org]

I just installed SCCM 2012 primary site on a brand new virtual W2008R2 server. I belive I've met all prereqs, installed SQL2008R2SP2 and WSUS on the same machine. I added the SUP role, but am confused about GPO settings. Some information I find online indicates I need to disabled all WSUS-related GPOs, yet some other sources indicate I need to fully configure all WSUS-related GPOs. Currently, only Allow signed content from intranet Microsoft update service location is enabled, while everything else is disabled. When I check my local group policy settings it shows the location of my MS update site correctly (my new SCCM server). Everything looks good, but for some reason all my client machines show that they need zero updates. When I check the Update Library I see over 3000 available updates, but all off them show zero as Required or Installed. What am I missing?

Thanks,

[anyweb]

I just installed SCCM 2012 primary site on a brand new virtual W2008R2 server. I belive I've met all prereqs, installed SQL2008R2SP2 and WSUS on the same machine. I added the SUP role, but am confused about GPO settings. Some information I find online indicates I need to disabled all WSUS-related GPOs, yet some other sources indicate I need to fully configure all WSUS-related GPOs. Currently, only Allow signed content from intranet Microsoft update service location is enabled, while everything else is disabled. When I check my local group policy settings it shows the location of my MS update site correctly (my new SCCM server). Everything looks good, but for some reason all my client machines show that they need zero updates. When I check the Update Library I see over 3000 available updates, but all off them show zero as Required or Installed. What am I missing?

Thanks,

 

did you review Part 5 yet ?

[Witcher]

Anyweb,

first thank you for this helpfull part!

 

I have still one question during recreating an identical ADR:

Do i have to add the identical rule to an existing Software Update Group or new SUG?

 

Kind Regards

 

Witcher

[anyweb]

 

Do i have to add the identical rule to an existing Software Update Group or new SUG?

 

 

create the rule as you did before, so choose 'create new software update group'

 

this will allow you to run compliance reports for that months patches otherwise all the patches would end up month after month in the same software update group and you'd have a problem trying to determine last months compliance

[Bobfrapple]

So this is good for Patch Tuesday. What about out of band or pervious months patches. Right now in sccm 2007 we have it broke out by month for the current year (ex 2012 - July) and then by year for anything else (2009 (Jan-Jun) all patches). Would I just create ADR for each month and year.

[anyweb]

Right now in sccm 2007 we have it broke out by month for the current year (ex 2012 - July) and then by year for anything else (2009 (Jan-Jun) all patches). Would I just create ADR for each month and year.

 

I think creating a Software Update Group with a corresponding deployment would be more suitable for that scenario

[Gormster]

In the file "FolderAndCollection_Software_Updates.xml", I would suggest some changes.

 

1.

As the "OperatingSystemNameandVersion" can differ from "Standard", "Datacenter" and so on and the version numbers can contain subversions, i also suggest the following changes for all the lines containing the text SMS_R_System.OperatingSystemNameandVersion

 

Using the following example

[...]SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Server 5.1"

 

I suggest changing the = to LIKE in order to place a % after [...]NT[..] and the version number.

 

The results will then change from:

[...]SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Server 5.1"

to

[...]SMS_R_System.OperatingSystemNameandVersion LIKE "Microsoft Windows NT% Server 5.1%"

 

 

2.

As the "Microsoft Windows NT Server 6.1" only refers to Windows Server 2008 R2 and not Windows Server 2008 (6.0), I suggest adding "OR" to the line, thereby changing the the end of the lines 32, 35 and 38 from

 

[....]where SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Server 6.0"</Rule>

to

[....]where SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Server 6.0" OR SMS_R_System where SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Server 6.1"</Rule>

[sccm2012noob]

Great tutorial but I have some questions I'm hoping you can answer:

 

1. Under step #3, the screenshot directly below "So Below screenshot is from the first run of the ADR." shows a package source (\\cas\sources . . . ). Did you create this manually? The "WindowsUpdates\Windows 7|" sub-directory is not in my sources folder so I couldn't choose it. Do I have to create it manually? Also, what does it do? There really isn't an explanation unless I missed it in one of the other tutorials.

 

2. You mention creating the ADR, running it, disabling it, and then recreate the rule (selecting the package the first rule created). When I try to recreate and name the rule and "Select Deployment Template", it says one with that name already exists. This makes sense but I see your screenshot shows two rules with the same name. Am I doing something wrong?

 

Thanks for any help you can give.

[Rocket Man]

Hi Anyweb

 

Quick query on the ADR(just want to make sure as I am currently in the process of a Primary with 30 remote DPs and am going to soon introduce ADRs)

In my enviornment I am constantly imaging machines on a weekly basis, so I am just wondering does this update package hold onto all previous months updates without expiring them?

As I need a newly built machine to get this months updates from the ADR but I also want them to get say the 2,3,4 previous monthly patches also.....does it do this?

 

I had been doing it different with my other sites....in the ADR configuration I currently have just product ID and also superseded NO component and evaluation of every 3rd thursday(just to give time if there are any problematic updates to remove them before they are deployed). IT seems to be working so far so good but I also just added these to an existing software update group(same as FEP ADR) without disabling the ADR and creating an identical one and pointing it to the initial SUG...

Could this cause problems other than not been able to see the compliance?

 

Thanks

 

Rocket Man