anyweb

using System Center 2012 Configuration Manager - Part 9. Deploying Monthly Updates




a. the patch tuesday scenario is already covered in this part

b. use SCUP to deploy 3rd party updates



Can anyone please help me with this? I am having trouble running the script to create folders and collections.

 

 

 

PS E:\> dir SCCMTools\powershellscripts\createfoldersandcollections.ps1> Set-ExecutionPolicy RemoteSigned

Get-ChildItem : A positional parameter cannot be found that accepts argument 'RemoteSigned'.

At line:1 char:4

+ dir <<<< SCCMTools\powershellscripts\createfoldersandcollections.ps1> Set-ExecutionPolicy RemoteSigned

+ CategoryInfo : InvalidArgument: ( :) [Get-ChildItem], ParameterBindingException

+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

PS E:\>

 

----

I think the issue is with the .ps1, but I am not sure what the workaround will be.

When I run this without .ps1, it gives me the below error

 

 

PS E:\SCCMTools> dir powershellscripts\CreateFoldersAndCollections

Get-ChildItem : Cannot find path 'E:\SCCMTools\powershellscripts\CreateFoldersAndCollections' because it does not exist

.

At line:1 char:4

+ dir <<<< powershellscripts\CreateFoldersAndCollections

+ CategoryInfo : ObjectNotFound: (E:\SCCMTools\po...sAndCollections:String) [Get-ChildItem], ItemNotFound

Exception

+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand


First of all, great job, this is definitely the best SCCM blog I've found.

 

I am having trouble with deploying updates, the client's deployment status shows this:

 

Status: Failed to install update(s)

Error Code:0x80070005

Error Description:Access is denied.

 

Last Enforcement State: Failed to install update(s)

Last Enforcement Error Code:0x80070005

 

http://ioan.in/N2EG

 

I have a permission problem somewhere :(

 

On the clients I get:

 

Failed to download contents for update 1a571c03-31b3-440e-87ee-d4952f090d03.

 

Bundle update "20b340d0-2c5e-4600-8095-f7a5e403f1a2" failed to get content for update "cb2c36a8-437a-4be5-9780-571301b7e53f". Please check the enforcement status of update "cb2c36a8-437a-4be5-9780-571301b7e53f" to get further details.

 

Updates advance download job completed with failure for assignment {d1325882-d2d1-49c8-9e18-127f7cf51176}.

 

Any hints on this are greatly appreciated :D

 

 

Hi everyone, I've solved the problem and wanted to share; maybe it will help someone.

 

In the client's DataTransferService.log I got the error:

 

Successfully sent location services HTTP failure message.

Error sending DAV request. HTTP code 401, status 'Unauthorized'

GetDirectoryList_HTTP('http://DCM-SRV-SCCM-01.ulbsibiu.local:80/SMS_DP_SMSPKG$/e1dc20b6-5536-4bd0-9b3b-e26fc09287d0') failed with code 0x80070005.

 

The workaround is to check Allow clients to connect anonymously on the Distribution point Properties.

 

Thank you all, especially anyweb for his amazing blog, keep up the good work.

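The log messages quoted in the post above can be triaged with a short script that shows which distribution points reject content requests, which helps confirm the scope of the problem before and after changing the distribution point setting. This is an added example, not code from the thread or the blog; the function name `Get-DpAccessFailure`, the host names and the content IDs are hypothetical, and the sample lines are constructed from the message shapes shown in the post.

```powershell
# Added example. Sample lines are constructed; hosts and content IDs are placeholders.
$sampleLog = @'
Successfully sent location services HTTP failure message.
Error sending DAV request. HTTP code 401, status 'Unauthorized'
GetDirectoryList_HTTP('http://dp01.example.local:80/SMS_DP_SMSPKG$/00000000-0000-0000-0000-000000000001') failed with code 0x80070005.
Error sending DAV request. HTTP code 401, status 'Unauthorized'
GetDirectoryList_HTTP('http://dp01.example.local:80/SMS_DP_SMSPKG$/00000000-0000-0000-0000-000000000002') failed with code 0x80070005.
Error sending DAV request. HTTP code 404, status 'Not Found'
GetDirectoryList_HTTP('http://dp02.example.local:80/SMS_DP_SMSPKG$/00000000-0000-0000-0000-000000000003') failed with code 0x80070002.
'@ -split "`r?`n"

function Get-DpAccessFailure {
    # Pairs each failed GetDirectoryList_HTTP call with the HTTP status reported
    # on the preceding "Error sending DAV request" line (assumed ordering, as in
    # the post). Matches are unanchored, so raw log lines with extra wrapping
    # around the message text are accepted as well.
    param([string[]]$Line)

    $davRx = [regex]"Error sending DAV request\. HTTP code (\d{3}), status '([^']*)'"
    $dirRx = [regex]"GetDirectoryList_HTTP\('https?://([^:/']+)(?::\d+)?/([^/']+)/([^']+)'\) failed with code (0x[0-9A-Fa-f]{8})"
    $lastHttp = $null

    foreach ($l in $Line) {
        $m = $davRx.Match($l)
        if ($m.Success) { $lastHttp = $m.Groups[1].Value; continue }

        $m = $dirRx.Match($l)
        if ($m.Success) {
            New-Object PSObject -Property @{
                DistributionPoint = $m.Groups[1].Value
                VirtualDirectory  = $m.Groups[2].Value
                ContentId         = $m.Groups[3].Value
                HResult           = $m.Groups[4].Value
                HttpStatus        = $lastHttp
            }
            $lastHttp = $null
        }
    }
}

# Keep only the "401 + access denied" pattern from the post and summarise per DP.
Get-DpAccessFailure -Line $sampleLog |
    Where-Object { $_.HttpStatus -eq '401' -and $_.HResult -eq '0x80070005' } |
    Group-Object DistributionPoint |
    Select-Object @{ n = 'DistributionPoint'; e = { $_.Name } },
                  Count,
                  @{ n = 'ContentIds'; e = { ($_.Group | ForEach-Object { $_.ContentId }) -join ', ' } }
```

To run it against a real client, pass the output of `Get-Content` on that client's DataTransferService.log as `-Line` instead of `$sampleLog`.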

In Step 1 how do I get Vista and 2008 R2 in the OS list? In my current SCCM setup, those are the only machines I have.

 

just edit the XML files and include (or remove) the os's you want/don't want.


Niall,

 

First off great post. I hope you can help me out by expanding on it a bit. I’ve got three ADRs set up that are totally identical in terms of the updates they download and push out. The only thing that differentiates them is the week in which they push out updates (each is staggered out 1 week after the other) and (of course) the collections they point to. Here's what I have in the console:

 

post-8347-0-25041000-1361939723_thumb.png

 

Basically they work in this fashion:

 

Week 1 - Alpha Push

Week 2 - Beta Push

Week 3 - Production Push

 

Key point- Since the updates being pushed were identical I just created one deployment package with one package source folder and pointed all three at it.

 

So far all three have been running without any apparent issues. Now I'm hearing that pointing multiple ADRs to the same package is (in fact) a bad idea and I should separate them out. Further complicating matters, I have integrated Office 2007-2013 updates into these ADRs and I now understand that is a bad idea too (because of the 1000 update max) and I need to separate those out into their own ADR! Now I'm totally confused about how to proceed. What I need is the aforementioned three week update process with Windows Updates and Office Updates going out on the same day and time. If I have to use different software update groups for the Office Updates and Windows Updates, I'd like to somehow "tie" the two together so from my end user's perspective they just appear as single updates (with the same deadlines and restart window). Can that be done by just scheduling them to go out on the same date and time? I'd also really like to do this in the most "disk efficient" manner possible. It just seems like a waste to make three ADRs that download the same exact updates every month, only in different package folders. What's the problem with pointing these at the same package if all the updates are the same?

 

So far I have yet to find a guide that covers anything beyond "this is how you make an ADR for Windows 7 and Windows XP", but surely people are doing more than that. Can you please elaborate more on how you structure your Software Update ADRs, Packages, Groups and Source Folders when you start to add other products into the mix like Office, SQL Server, etc?


Hi Niall! And nice work as always!

 

When I create the rule I don't have the same options as you do when I create the Deployment rule, see screenshot. I would guess "All messages" represents "Normal" in your screenshot?

 

 

 

 

post-12125-0-58609600-1362126091_thumb.png


yup that's correct, certain things were re-worded from RTM to SP1, but it should all make sense, if not i can post additional screenshots.


Hello Gentlemen;

I'm a newbie and studying SCCM2012. I am a bit confused.

 

Without WSUS or SUP, when we trigger windows update, "windows update" updates windows itself and installed MS products. That's good.

...but in a system there are many servers and each server has a different bunch of MS products installed.

Server1 - Win2012 - Exch2013

Server2 - Win2003 - Exch2007

Server3 - Win2008, SQL Express 2005, capicom, silverlight

Server4 - Win2008, SQL Srv 2008R2, OpMgr2007

Server5 - Win2003, SharePoint2007, SQL Srv 2005

..etc.

Additionally, when someone else adds a new server which has MS products installed to the system, should I create a new software update group and deployment(s) in SCCM?

 

Should I create different deployment groups and deployment definitions for each MS product in SCCM 2012? If yes, is this automation? Just for SQL Server, there are many different releases; sql express 2005, sql express 2008, sql srv 2005, r2 , cd, cdi, diesel, hybrid ...

 

Thanks


Hi, thanks for the tutorial. i do have a few questions regarding scan cycle vs evaluation cycle vs re-evaluation cycle vs machine policy

 

so ive read the definition of each but am still confused as to what does what exactly and how it relates to manual (actions tab) vs client settings

 

so the software scan seems pretty straight forward, it seems to be only for inventory purposes and will not "install" anything.

the software Updates Deployment evaluation Cycle installs ALL updates (new or uninstalled)

 

what does the machine policy retrieval do in regards to software updates? i read it updates the policy but does that actually do anything for software updates? will it actually push a patch out?

 

in client settings is there a direct relation from Schedule Deployment Re-evaluation and software Updates Deployment evaluation Cycle (in Actions), if there is and this is set to every 7 days does it mean patches ONLY install every 7 days? or is patch "connects" occurring every 60 mins (default of client policy polling interval)

 

i really appreciate any help.. wrapping my head around when patches will be deployed and how often is driving me crazy! THANKS!


ADR works fine but there seems to be an issue with excluding updates. I don't wanna let the Internet Explorer 9 updates. I use the Title=-"Internet Explorer 9" or Title=-Internet Explorer 9 neither one of them work.

Some one has an idea on the syntax I should use?

 

 

I do a work around by setting the custom severity and set it to low for IE9 and on the ADR I ask only for those with custom severity set to NONE. Not really automatic... Works much better in WSUS...

Thanks a lot for your help


Stupid questions:

 

So if we create an automatic task to deploy the fat Tuesday updates every month, how will you catch the updates from previous months since the OSD image was created retroactively?

 

It seems to me it would only deploy the current month.

 

Also, you have it configured to deploy all of the updates for Windows 7 in your example, but does that cover all of the MS products that may be in your environment or do you have to create separate product tasks?

 

Thanks!

 

 

Products: Do I need to create another ADR for Bing Bar, and one for Forefront Client Security... Each Microsoft Product with its own ADR and its own collection?

 

I am tempted to find a way to schedule a daily rule to approve and download those updates that show as "Required."


ADR works fine but there seems to be an issue with excluding updates. I don't wanna let the Internet Explorer 9 updates. I use the Title=-"Internet Explorer 9" or Title=-Internet Explorer 9 neither one of them work.

 

Some one has an idea on the syntax I should use?

 

 

I do a work around by setting the custom severity and set it to low for IE9 and on the ADR I ask only for those with custom severity set to NONE. Not really automatic... Works much better in WSUS...

 

Thanks a lot for your help

 

 

I created a folder for "Delayed" updates and moved Internet Explorer 9 to the sub folder. The ADR rules do not apply to the sub folders.

 

This may not be the "right" answer, but it is working in my test environment.


I have a question on the Evaluation schedule and the Deployment Schedules and how they interact.

 

When you set your custom schedule to have the ADR run on Patch tuesday, there are 2 dates. The START date, which is when the rule goes into effect, and the Recurrence pattern, which tells it to run on the 2nd tuesday every month going forward. The deployment Schedule, which is when the updates are to be available for install, might have a delay of 10 days. But that 10 days is based on the START date, not the run date. So I might create my rule on April 1, schedule it to run on April 7, and deploy after 10 days. But that means my deployment date is April 10.

 

I had THOUGHT that the ADR runs again every month and pushes out a new deployment on that month. But if I'm understanding this right now, this means the ADR is really just updating an existing package/deployment and setting a 're-run' deployment flag on the clients to re-run that package again every month. So, the deployment schedule on ADR's is NOT a repeating schedule like the eval is. It's a one time only delay that applies only the first time the rule is run.

 

This means that if I want to wait 1 week to deploy packages from Patch Tuesday, the ONLY way I can manage this is to set maintenance windows every month for 1 week after patch tuesday. If I do not have maintenance windows in place, patches will install on workstations immediately after the rule runs and the updates become available to workstations next month.

 

Am I reading this right?


I set up the ADR per the instructions in this posting. All seemed to be going well... workstations started to download the updates at the end of the day. This morning, most of the PCs have downloaded the updates, but not a single one has installed them. I rebooted my PC to see if it would help. It did not. I ran an update check and it says I am up to date. (Wireshark confirms it's going to the SCCM server). I confirmed that SCCM thinks I have fully downloaded the updates. I then went out to Microsoft to check for my updates, and sure enough I still need the same updates that I downloaded from the SCCM.

 

Questions:

1. Where on the PC are the updates downloaded to? - They do not seem to be in the SCCM cache

2. Why are some still downloading updates after 8+ hours? - XP had a much smaller update total size, had fewer PCs to download to but none say downloaded. (I reran a summary and did a refresh several times)

3. What triggers the install of these updates? - An updates check thinks I am up to date (Wireshark confirms it's going to the SCCM server).

4. Once this is working, will I have to do anything else on each patch Tuesday?

 

Thank you,

 

C68

 

 

Edit: I am also seeing a weird, possible error, in Wireshark.

post-19819-0-97456200-1365688833_thumb.jpg

post-19819-0-90802100-1365688892_thumb.jpg

post-19819-0-38590700-1365695398_thumb.jpg


My windows 7 have downloaded the updates and will start to install them next week.

 

Windows XP says it is still downloading the updates, which were a lot fewer in size and count than 7, but not a single XP box has the updates in the ccmcache. There were 6 updates for about 33 megs that started to download two days ago over a GB connection. Still the folders in the ccmcache are empty for that day. (6 of them).

 

What gives?


Thanks for taking the time to write this guide, it was quite helpful and easy to grasp.

 

I have made some minor changes to suit my purpose by deploying the update to a master collection (prefix with ADR) which includes the second set of collections below. This allows me to distribute the updates to test systems automatically as well as production systems based on their maintenance windows.

 

ADR:Software Updates - Windows Server 2008 R2

 

_Preproduction ADR:Software Updates - Windows Server 2008 R2 Automatic

Software Updates - Windows Server 2008 R2 Automatic

Software Updates - Windows Server 2008 R2 Maintenance Window [Fri 10pm - 4am]

Software Updates - Windows Server 2008 R2 Maintenance Window [sat 10pm - 4am]

 

I do however have a question in regards to the best practice for systems that require manual interaction. Would I ...

 

1) Update the existing software update group and create a new deployment set the deployment to be available rather than required?

2) Create a new ADR with a deadline of 30 days and uncheck default behavior settings for software installation and check to suppress restarts?

3) ???

 

I am more inclined to use process 1 as that is the simplest to manage unless there is an easier way.

 

These updates would target the following collection: Software Updates - Windows Server 2008 R2 Manual


Silly question, and maybe I missed a post.. In SCCM 2007 we had our monthly patch collections structured in groups, ie.

 

Group 4

- Office 1

- Office 2

Group 3

- Office 3

- Office 4

Group 4

- Office 5

 

And we would push our monthly updates to group 4, group 3 etc.

 

In Sccm 2012 we are now unable to create sub collections. Does that now mean that if we want to accomplish the same task we need to break out each office into individual collections?

post-16629-0-78030600-1366404054_thumb.jpg


ADR works fine but there seems to be an issue with excluding updates. I don't wanna let the Internet Explorer 9 updates. I use the Title=-"Internet Explorer 9" or Title=-Internet Explorer 9 neither one of them work.

 

Some one has an idea on the syntax I should use?

 

 

I do a work around by setting the custom severity and set it to low for IE9 and on the ADR I ask only for those with custom severity set to NONE. Not really automatic... Works much better in WSUS...

 

Thanks a lot for your help

 

Does anyone have a solution? I am having the same problem. I have tried everything to exclude some items and it does not work.

 

I have set the search text for title to be:

 

-"Beta" and -"Malicious" and -"Internet Explorer 10"

 

However, I still get the same list of updates with or without the search text setting.


I'm making an assumption that when creating the ADR and I get to the Download Location settings that I would want to download software updates from the internet or is there a location that should already contain those updates from the WSUS setup? These guides have been extremely helpful. Thanks.


Silly question, and maybe I missed a post.. In SCCM 2007 we had our monthly patch collections structured in groups, ie.

 

Group 4

- Office 1

- Office 2

Group 3

- Office 3

- Office 4

Group 4

- Office 5

 

And we would push our monthly updates to group 4, group 3 etc.

 

In Sccm 2012 we are now unable to create sub collections. Does that now mean that if we want to accomplish the same task we need to break out each office into individual collections?

 

pretty much, you could create folders for the Groups above and then have collections for those corresponding groups contained within.


This tutorial seemed to skip right over the "Download Location" settings. While most of the topics that have come up in the many replies to this tutorial have referenced best practices, I think I have a more basic problem.

 

My SCCM servers do not have direct Internet access.

 

I have managed to configure the SUP to sync the updates catalog with an upstream WSUS server. However, when configuring deployments, I am requested to provide the location from which SCCM can actually download those updates. Without direct Internet access, I can't download those updates from Microsoft. I am left with specifying a network share. So where can I point the deployment? Is there a folder on the upstream WSUS server that contains the installable update files? (\WSUS\WSUSContent?) Can I just share that folder and point SCCM to it?

 

Thanks.


Hi anyweb,

 

First of all, great tutorial, many thanks for your hard work. I created the first one named ADR: Window 7 monthley update and followed your description until:

 

After running the rule, verify that the Deployment Package is indeed created and when done, right click on the ADR again, and choose Disable.( here I choose create a new deployment package)

 

After running the ADR:Window 7 monthley update I saw the deployment package is created. I disabled the ADR Window 7 monthley update and recreated again a new ADR named: ADR:windows 7 monthley updated and followed exactly the description, choosing this time the Select Deployment Package, and followed the wizard.

 

My question is:

 

Which ADR should I run for deploy my updates to the Windows client? The ADR:Window 7 monthley update still is disabled and ADR:windows 7 monthley updated is enabled.

 

For testing I did run (manually) The ADR:Window 7 monthley update (it is still disabled) and I open my Windows Explorer at this point and browse to the location of my Windows 7 Updates package source location and saw all updated files. If I go to the Software Library workspace, select Software Updates and expand Deployment Packages, select my Windows 7 Updates deployment Package and click on Content Status.

I can see that everything is OK. But my client computer does not receive any windows update. I cannot see any new software update in the Software center.

 

What am I doing wrong here?

 

Thanks for help.

 

Here you see my compliance information revealed at this point is listed as Unknown (71).

post-17658-0-72631300-1371032727_thumb.png


if you followed the guide exactly then you'll have two ADRs, the first one is disabled (so don't use it) and the second one is enabled (use it..)


Hi.

 

I’ve followed the tutorial from Niall to implement WSUS with SCCM 2012 SP1 with ADR’s that worked fine, but we have also an old WSUS environment and there are some differences between them with the updates.

I took the same setting from the old WSUS environment (download critical and security updates) and made sure that the ADR downloads the same, but clients with the old WSUS environment are getting many more updates installed than clients with SCCM 2012 SP1.

The updates are in the list but not downloaded and not deployed to the workstations with the SCCM 2012 client. I don’t know where it went wrong so maybe someone could give me a hint for this.

 

Thanks.

Harmen

