Friday, 5 April 2013

ConfigMgr 2012 / SCCM 2012 SP1 Step by Step Guide Part 15: Software Updates (Microsoft)


Part 15 of the guide describes the implementation of a software updates solution. This section is for Microsoft updates only. Non-Microsoft updates are discussed in Part 16.

The process is divided into the following sections:

1. WSUS Role
2. Config Mgr Software Update Point
3. Updates Infrastructure and deploying updates
4. Client view

1. Add WSUS Role


Launch the Add Roles and Features Wizard




Choose Role-based or feature-based



Choose local server


Choose WSUS role. You are prompted to add features that are required for WSUS.


Select to Add Features. Click Next to continue


Click Next



Click Next




Select the required role services. Note that we need WSUS Services and Database (SQL Server). We will not be using the Windows Internal Database (SQL Server Embedded).


Choose the location for WSUS updates. Note that this folder will only contain WSUS metadata and will not grow large (ConfigMgr manages the download of the actual update files into deployment packages). Choose a folder; note that it must already exist.


Enter the database server name and click "Check Connection"


Click Install to continue installing WSUS




When installation has succeeded click Close to finish

Launch Administrative Tools


Double-click WSUS to continue the installation


Enter the WSUS content location. Catalog information and EULAs are downloaded here during synchronisation with Microsoft Update. Note that updates will not be downloaded to this location; they are downloaded into ConfigMgr deployment packages.


WSUS has been installed. We do not need to configure it. Config Mgr will do that for us. Click Cancel to finish.


Verify that the database has been created.
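The same section 1 steps, as an added unattended equivalent (this is not the guide's own script). It installs the WSUS role services with the SQL Server database option, runs the post-installation task that launching WSUS from Administrative Tools triggers, and then checks that SUSDB exists. The folder path and SQL instance name are placeholders; the SQL check assumes the account running the script can log in to the instance.

```powershell
# Added example, not part of the original guide: an unattended equivalent of the
# Server Manager and post-installation steps in section 1.
# Placeholders (replace for your site): $WsusContentDir, $SqlInstance.
$WsusContentDir = 'D:\WSUS'   # WSUS metadata/EULA folder; must exist before postinstall
$SqlInstance    = 'SQL01'     # SQL Server hosting SUSDB ('SERVER\INSTANCE' for a named instance)

# 1. Role services: WSUS Services plus the SQL Server "Database" option.
#    UpdateServices-WidDB is the Windows Internal Database option the guide avoids,
#    so it is deliberately not listed. -IncludeManagementTools adds the console.
Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-DB -IncludeManagementTools

# 2. The wizard does not create the content folder, so make sure it exists.
if (-not (Test-Path -LiteralPath $WsusContentDir)) {
    New-Item -ItemType Directory -Path $WsusContentDir | Out-Null
}

# 3. Post-installation task: creates SUSDB on the SQL instance and the WSUS IIS site.
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil postinstall "CONTENT_DIR=$WsusContentDir" "SQL_INSTANCE_NAME=$SqlInstance"
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall failed with exit code $LASTEXITCODE" }

# 4. Verify that the database was created (the last step of section 1), using the
#    Windows identity running this script.
function Test-SusDbExists {
    param([string]$Instance)
    $conn = New-Object -TypeName System.Data.SqlClient.SqlConnection `
        -ArgumentList "Server=$Instance;Database=master;Integrated Security=True"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT COUNT(*) FROM sys.databases WHERE name = N'SUSDB'"
        return ([int]$cmd.ExecuteScalar()) -eq 1
    } finally {
        $conn.Dispose()
    }
}

if (Test-SusDbExists -Instance $SqlInstance) {
    "SUSDB exists on $SqlInstance"
} else {
    throw "SUSDB not found on $SqlInstance; check the wsusutil postinstall output and SQL permissions"
}
```

Run this once on the server that will hold the WSUS role, with an account that is a local administrator and has rights to create databases on the SQL instance; the wizard later cancelled in the guide is never needed because postinstall has already done its work.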


2. Config Mgr Software Update Point




Right click Site Server and choose Add Site System Role


Verify server name and click Next


We do not need a proxy server this time. Click Next



Choose Software Update Point


Choose 8530 and 8531 for client communications


Click Next


Choose to Synchronize with Microsoft Updates





Choose to enable sync on a schedule. Every 7 days is sufficient



Choose default supersedence behaviour


Choose your required classifications




Choose the required products. I chose Windows 7 and Office 2010.



Choose English only (or not as the case may be)


Verify your choices and click Next to continue


Software Update Point has been added. Click Close to finish.





Navigate to Software Library. Right click on Software Updates and click Synchronize Software Updates. This manually starts the first sync with Microsoft Update catalog.


Click Yes to verify


Verify sync via WSYNCMGR.LOG



Updates start to appear in the console. Note that these entries only show details of the updates available in the catalog. We will download the updates in the next phase.
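A pre-flight check for the Software Update Point just added, as an added example (not code from the guide). It confirms that the WSUS site in IIS is bound to the ports chosen in the wizard (8530 and 8531), that those ports accept connections, and that the WSUS application pool is running. The server name is a placeholder; the site name 'WSUS Administration' and the pool name 'WsusPool' are the ones the WSUS role creates.

```powershell
# Added example, not part of the original guide: checks that the WSUS
# prerequisites for the Software Update Point are in place.
Import-Module WebAdministration

$WsusServer    = 'SCCM01'     # placeholder: server hosting WSUS and the SUP
$ExpectedPorts = 8530, 8531   # values entered in the Software Update Point wizard

function Get-WsusBinding {
    # WSUS installs an IIS site named 'WSUS Administration'.
    # bindingInformation looks like '*:8530:' (ip:port:hostheader).
    Get-WebBinding -Name 'WSUS Administration' | ForEach-Object {
        [pscustomobject]@{
            Protocol = $_.protocol
            Port     = [int]($_.bindingInformation.Split(':')[1])
        }
    }
}

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on Server 2012 without Test-NetConnection.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$bindings = Get-WsusBinding
foreach ($port in $ExpectedPorts) {
    $bound = $bindings | Where-Object { $_.Port -eq $port }
    $open  = Test-TcpPort -ComputerName $WsusServer -Port $port
    '{0,-5} bound in IIS: {1,-5} accepting connections: {2}' -f $port, [bool]$bound, $open
}

# A stopped application pool is what produces the "HTTP 503: Service Unavailable"
# connection failures recorded in WSUSCtrl.log.
$pool = Get-WebAppPoolState -Name 'WsusPool'
"WsusPool state: $($pool.Value)"
```

Expect 8531 to show as not bound until you have configured SSL on the WSUS site; the wizard only records the port number, it does not create the HTTPS binding for you.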


3. Updates Infrastructure and deploying updates

Create a test collection




Add test resources to the collection




Prepare folder structure for Windows 7 and Office 2010

Note that the deployment process involves Software Update Groups and Deployment Packages. Software Update Groups should be created monthly and are deployed to collections of devices. They contain all the updates released that month and are simply a filtered list of downloaded updates (note that a SUG can contain a maximum of 1000 updates). The same deployment package can be used each month. The deployment package contains all the downloaded update binaries.

See here for a possible software update strategy for your organization.

For the sake of demonstration we will just consider Windows 7 updates in this example.

Open Software Updates. On the top right hand side of the screen click Add Criteria (this is merely for filtered searching of updates)





Choose Product, Bulletin ID, Expired and Superseded and click Add




Now filter the criteria as above




Click Search

You are now presented with a filtered list of Windows 7 updates which are not expired or superseded.

Save Search Criteria for future use (Save Current Search)



This is now accessible under Saved Searches

If you scroll down through the list you will notice that none of the updates have been downloaded. The next time we do this (next month) we will select only those updates that haven't been downloaded.

Highlight the updates and right click to deploy



This launches the Deploy Software Updates Wizard



Enter suitable names for the Deployment and the Software Update Group. Select Deploy (as this is our first time we have no deployment template; we can create one as part of this initial process).

Choose to deploy to the test collection



Leave the default "Required". After all, updates should not be optional.



For the sake of testing we will choose Deadline to be "As soon as possible". You would not use this in production. Allow a week or so before forcing the installation. Users will be informed for a week that they should install the updates. When the deadline is reached the installation will commence.


  

Click Next


Click Next


Click Next


Choose Create a new deployment package, then enter a name and a location for the updates to be downloaded to. We created these folders earlier.


Select the DPs which will host this deployment package


Click Next



Click Next to download the updates, add them to the deployment package, distribute it to the DP and deploy to the test collection



Watch the folder populate. Monitor progress via PATCHDOWNLOADER.LOG


On successful completion, click Close to finish
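Both log checks in this guide (WSYNCMGR.LOG in section 2 and PATCHDOWNLOADER.LOG here) read the same CMTrace-format lines, so one parser serves both. This is an added example, not a script from the guide: it turns each `<![LOG[...]LOG]!>` line into an object and filters out the informational entries so that only warnings and errors remain. The sample lines are constructed for the example, and the log directory at the bottom is the default install path, which you should adjust for your site.

```powershell
# Added example, not part of the original guide: a parser for the ConfigMgr
# (CMTrace-format) log lines inspected in WSYNCMGR.LOG and PATCHDOWNLOADER.LOG.
# The sample lines below are constructed for the example, not copied from a real log.
$SampleLog = @'
<![LOG[Sync time: 0d00h12m07s]LOG]!><time="10:34:01.123+000" date="04-05-2013" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="5412" file="wsyncmgr.cpp:100">
<![LOG[Failed to download content id 123456. Error: The remote server returned an error: (404) Not Found.]LOG]!><time="11:02:15.456+000" date="04-05-2013" component="PatchDownloader" context="" type="3" thread="2200" file="patchdownloader.cpp:200">
<![LOG[Download destination = D:\Updates\Win7\sample.cab]LOG]!><time="11:02:16.000+000" date="04-05-2013" component="PatchDownloader" context="" type="1" thread="2200" file="patchdownloader.cpp:210">
'@

function ConvertFrom-CMLog {
    # Accepts raw log lines (pipeline or array) and emits objects with
    # Date, Time, Component, Severity and Message. type 1=Info, 2=Warning, 3=Error.
    param([Parameter(ValueFromPipeline = $true)][string[]]$Line)
    begin {
        $pattern  = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)".*?type="(?<type>\d)"'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $pattern) {
                [pscustomobject]@{
                    Date      = $Matches['date']
                    Time      = $Matches['time']
                    Component = $Matches['comp']
                    Severity  = $severity[$Matches['type']]
                    Message   = $Matches['msg']
                }
            }
        }
    }
}

function Get-CMLogProblems {
    # Everything that is not plain Info: the lines worth reading after a sync or download.
    param([string[]]$Lines)
    $Lines | ConvertFrom-CMLog | Where-Object { $_.Severity -ne 'Info' }
}

# Run against the constructed sample (only the type="3" line is returned):
Get-CMLogProblems -Lines ($SampleLog -split "`r?`n")

# Against the real logs (default site server install path; adjust for your site):
# $logDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'
# Get-CMLogProblems -Lines (Get-Content (Join-Path $logDir 'wsyncmgr.log'))
# Get-CMLogProblems -Lines (Get-Content (Join-Path $logDir 'PatchDownloader.log'))
```

PatchDownloader.log is written on the computer running the console that started the download, so look for it there rather than on the site server if you ran the wizard remotely.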


4. Client view

When policy retrieval is initiated at the client, the updates start to download and install.




See installed software updates in the Software Center


As the deadline has already been reached the restart countdown commences.








184 comments:

  1. Hi Gerry,
    I have 2 questions regarding this step.
    I have a Windows 2012 WSUS server installed and configured in a separate VM that is currently deploying updates to all my VMs.
    1) What is the interest in configuring the System Update Point role when you already have a WSUS server installed ?
    2) Regarding this configuration (with an already installed server), I have only installed WSUS Console using this PowerShell command : Install-WindowsFeature -Name UpdateServices-Ui.
    When I try to configure the SU Point Role, I'm unable to have the same Product list as the one I have in the WSUS server (missing Office 2013 / Windows 8... All new products).
    Is it because I haven't installed WSUS on my SCCM server and therefore haven't been able to install the 2 patches WSUS-KB2720211-x64 and WSUS-KB2734608-x64 needed for WSUS 3.0 SP2 ?
    I hope I'm clear enough..
    Thanks

2. 1. SCCM allows you to manage your estate from one console. You don't need to use the WSUS console. Also, you can take advantage of the following SCCM features
    - maintenance windows
    - bandwidth throttling
    - reporting

2. Choose your products (without Office 2013 and Windows 8) and carry out your first sync. I believe the new products will then be available.

  3. Is it necessary to share the folder where the updates are downloaded to so that all users have read access to the updates?

    Thanks,
    Ryan

  4. Even though you have to create a folder when you are configuring WSUS, this is never used by SCCM. You create a folder structure for SCCM Update Deployment packages. This is where the updates are downloaded to. These packages are then distributed to your Distribution Points for deployment.
    When the SCCM client on a device looks for updates from SCCM it is directed to the nearest DP for downloading. The computer System account does all this and should have access to the DP by default - nothing to do with users.

  5. Hi Gerry, would you please give me some kind of advice on a current problem:

I've decided to start configuring SCCM from a "Software update point" role, instead of setting up others (maybe that's the problem). Everything worked fine until I tried to start the "first manual update" - it didn't work at all.

    I opened "WSUSCtrl.log" with a "Trace tool" and found out this:
    Checking for supported version of WSUS (min WSUS 3.0 SP2+KB2720211+KB2734608)
    Checking runtime v2.0.50727... SMS_WSUS_CONTROL_MANAGER 15412 (0x1524)
    Did not find supported version of assembly

    Microsoft.UpdateServices.Administration. SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
    Checking runtime v4.0.30319... SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)

    Found supported assembly Microsoft.UpdateServices.Administration version 4.0.0.0, file version 6.2.9200.16384 SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)

    Found supported assembly Microsoft.UpdateServices.BaseApi version 4.0.0.0, file version 6.2.9200.16384 SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)

    Supported WSUS version found SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)

    ***
    Attempting connection to local WSUS server SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
    System.Net.WebException: Сбой запроса с состоянием HTTP 503: Service Unavailable.~~ в Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ в Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~ в Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
    Failed to set WSUS Local Configuration. Will retry configuration in 1 minutes SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
    Attempting connection to local WSUS server SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
    System.Net.WebException: Сбой запроса с состоянием HTTP 503: Service Unavailable.~~ в Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ в Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~ в Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
    Failures reported during periodic health check by the WSUS Server SRVSCCM.rainvest.local. Will retry check in 1 minutes SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
    Waiting for changes for 1 minutes SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)

It seems like SCCM is unable to connect to WSUS through the web; I've tried to do it manually and got the same error. I've run the IIS console - it shows that WSUS has been assigned ports 8530 and 8531, and the SCCM configs are made accordingly.

  6. Are SCCM and WSUS on different servers? You have to add the SCCM Computer Account (SCCM_Server$) to the Local Administrators Group on the WSUS server.

    Replies
    1. No, I've got only one server. WSUS role was added to current server just according to your guide.

  7. There is an issue with WSUS on Server 2012. When you add the WSUS role you have to launch WSUS from Administrative Tools. This carries out some post-installation configuration. You then cancel the WSUS Configuration Wizard when it starts. Did you do this - it's in the blog.

    I've just had a similar problem on a site this morning. I had to do this twice and then restarted the server. Then I could see that the Software Update Point was added successfully.

    Replies
1. Gerry, thanks a lot for your answers. And yes, it was done right that way. Do you suppose removing the "WSUS" role and cleaning the administration web site through the IIS console can help me to accomplish a new installation?

2. Gerry, my great thanks to you for paying attention to my small problem! I removed the "WSUS" role and went through the installation process again (both in the OS and SCCM) and now it works! Thanks again!

  8. Hi Gerry,

Nice article(s). Other blogs refer to the creation of the standard GPOs to reference the WSUS server (pointing to the SCCM 2012 server) and manage update time and behaviour. Is this not necessary in SP1, as the only difference appears to be that their articles are pre SP1? The reason I ask is I'm having issues in getting the updates to deploy to the workstation and have GPO settings hitting my test machines as defined in another guide. Are you able to advise if the GPOs are needed please?

    Cheers,

    Matt

  9. I don't use a GPO when configuring Software Updates via SCCM (even pre-SP1). I find that GPOs can interfere with the process.

    Replies
    1. Thanks Gerry, almost as soon as I'd finished writing, the test machine popped up with updates to deploy! I had thought that GPOs may muddy the water. Will remove and retest. Thanks for the reply. Cheers. Matt.

  10. Hi Gerry,

If I go to deploy updates using an Update Group and proceed to creating an "Update Package", it will obviously download all the updates I've chosen, distribute those to the DPs and deploy to my collection. What if I need to deploy these updates to a different collection at a later time? Do I need to go through the whole process again (downloading the same updates, deploying, distributing, etc.)?

    Also, what is the best way of purging the downloaded content from the DPs periodically?

    Thanks,
    Steve

  11. No, you just have to deploy the update deployment package to the new collection. The updates have already been downloaded.

    In ConfigMgr 2012, Microsoft have added the capability to automatically remove software update content from distribution points when that content is related to expired updates. See here

    http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/software-update-content-cleanup-in-system-center-2012-configuration-manager.aspx

12. How do I go about reinstalling WSUS? I removed the Role and features and tried to reinstall WSUS, but after going to my server /SUSDB I get this error: Error 26 Locating Server/Instance Specified. servername/SUSDB is what I enter in the post WSUS installation. It worked the first time I installed WSUS, but I misconfigured the ports and need to change back to port 80. Thanks

  13. If you need to re-install the WSUS role you should remove the WSUS role and delete the database before you start again.

  14. Hi Gerry,

    I've created Software Update Groups for "2003-2009", 2010, 2011, 2012 and 2013 for "All Products". These are not deployed, but show me the level of compliance for machines. The 2012 group has 547 updates and is at 93% compliance (there are only 7 updates actually required by machines). If I deploy the 2012 group, will it download all 547 updates? Similarly, in the 2013 group, only 169 out of 751 are actually required, and I don't want to download all that extra content when it's not currently required.

    Rory.

  15. Hi Rory,

    Once you have created the Software Update Group you have compiled a list of updates that WILL be downloaded into a Deployment Package (up to a maximum of 1000 updates - this is a hard limit).
    They will be downloaded even if they are not required for current compliance (you should appreciate that they may be required later for compliance - if you introduce additional devices).
    I know, for example, that only 169 out of 751 are actually required, but the disk space required is not much. Also there will be no attempt to install them on a device if they are already installed.

    I would be more concerned with the extent of "Products & Classifications". I would not choose "All Products" just because I could. I would only choose the products I actually require, for example I would not deploy SQL or Exchange updates using this method.

    Also, I usually don't deploy updates to XP and Windows 2003 as they are approaching end-of-life.

    Gerry

  16. Also Rory,

    I would be very specific in targeting the updates. I tend to create Software Update Groups monthly for specific products (Windows 7 for example) and add the updates to Deployment Packages in 6 monthly cycles. These updates would be deployed to collections of Windows 7 computers only.

    I treat server OS differently as maintenance windows requirements would be very different.

  17. Thanks Gerry,

    Like many, I've been hit by "bad" patches over the last six or so months, mainly on server platforms, and am re-evaluating how I roll them out. I used to push updates out on the Friday night after patch Tuesday, but now I have pushed it out to three weeks after release, to give more time for some patches to be withdrawn, and even then only to client machines.

    I haven't auto-patched any servers for about 5 months now (Aidan Finn has also written about this recently), preferring to do them individually depending on a combination of business requirements and the level of patch-criticality.

    So the only endpoints that get auto-patched are our W7 clients (we've no clients older than that, and only one W8).

    When I said "All Products", I actually meant all products that we use here, e.g. W7, IE10, Lync 2013, TMG Client, SCEP definitions and Office, etc.

    Thanks for the advice,

    Rory.

  18. I know where you're coming from Rory. It's been poor recently. I read Aidan's blog this week. He was very critical all right.


    Also, I don't see any harm being up to 4 weeks behind - as long as you can quickly deploy a critical patch if necessary.

  19. Hi Gerry,

Can I select multiple products when creating software update groups?

    Thx

  20. Yes, you can. I like to keep them separate though. If you use separate groups you should configure "Install All Required Updates When Deadline Occurs" in Software Updates client agent.

    This setting indicates whether to enforce all mandatory software update deployments that have deadlines within a certain timeframe.

  21. Hi Gerry,

Thanks for this great series, I've been using your blog to configure System Center here.
    I just don't seem to be able to deploy Internet Explorer (9 & 10) because they are not visible in the SUP. I don't know if this has something to do with it but when I have a look in the WSUS console I can see that the files haven't been approved because the Microsoft Software Terms failed to download.

    Kind regards
    Jurgen

  22. Hi Jurgen,

    You need to solve that Microsoft Software Terms problem before you can continue successfully. I previously had it

    http://www.gerryhampsoncm.blogspot.ie/2013/07/failed-to-sync-update-error-microsoft.html

    Replies
    1. Hi Gerry,

      Just for the record, my SCCM is behind a required proxy with authentication. The solution was this hotfix: http://support.microsoft.com/kb/2838998

      Kind regards
      Jurgen

  23. Very good Jurgen. Thanks for letting me know.

  24. Hi Gerry,

    I tried your steps but I can't get the clients updated. The updates (step 4) are not downloaded to the clients. I tried to force run the policy update, but still nothing happens.

    Your help is highly appreciated.

  25. There are so many reasons why this could happen. Look in Monitoring > Deployments and double click on the Updates deployment to see the status.

    Replies
    1. Great article, lot of help. Seems like a lot of maintenance compared to WSUS, I'll be making deployment packages all the time.

  26. Thank you for the article. I have a question though. When I added the WSUS role to my site server I chose to install on the Windows Internal Database. When I download the updates in SCCM where exactly are the updates going to be stored?

  27. Only the WSUS metadata is stored in the database (in your case the Windows Internal Database).
    When ConfigMgr actually downloads the updates it will save the files in the deployment packages that you configure.

28. Gerry, I'm having a nightmare getting WSUS on Server 2012 R2 Standard to work properly with SCCM 2012 R2 Standard running on Server 2012 R2 Standard on a separate box.

    What is the proper way on setting it up? I have no problem on re-doing my test lab.

    My environment:

    - 2 Domain Controller (Server 2012 R2 Standard)
    - 1 SCCM 2012 R2 Standard (site server, not CAS) (Server 2012 R2 Standard) with SQL 2012 SP1 CU3
    - WSUS (Server 2012 R2 Standard) using SQL 2012 SP1 on different box.

    I can't configure SCCM 2012 R2 to work with my WSUS (WSUS recognized all the computers and downloaded patches without any problem).

    I really need your advice, please.

    Thanks,
    Reza

    Replies
    1. Sorry for the delay in responding Reza. I've been on vacation. Did you manage to resolve your issue? This is a supported configuration.

    2. I got from this blog: http://prajwaldesai.com/installing-wsus-for-configuration-manager-2012-r2/?goback=%2Egmp_3752127%2Egde_3752127_member_5826543302941364226#%21

      WSUS 3.0 Service Pack 2 is required for System Center 2012 R2 Configuration Manager. SCCM 2012 R2 supports only 64-bit site systems, you must use the 64-bit version of WSUS on one of the supported 64-bit editions of Windows Server. The WSUS 3.0 SP2 is available here:- http://www.microsoft.com/en-us/download/details.aspx?id=5216

But when I tried to install it on Windows Server 2012 R2, before adding the WSUS role and before installing SCCM 2012 R2, I got stuck... I wish I could upload my screenshot.

      WSUS30-KB972455-x64.exe (double click to install it)

      This program has compatibility issues, Windows Server Update Services Microsoft. Click button: Get help online

    3. You do not need WSUS 3.0 SP2. This is only for Windows Server 2008R2. Server 2012 ships with a new version of WSUS - no Service Pack required.

      You really should try following this guide step by step.

      Consider your logic. You are trying to install a service pack for a role you have not added.

  29. Hi Gerry,

I'm also having problems with the updates. I'm able to create the Software Update Groups with the required content, but after I deploy them to the collection the computers won't start the installation. Nothing is downloaded. I checked the locationservices.log on the client machines and there is no mention of the WSUS or SUP paths. Could that be my problem?

    Your help is appreciated.

    Thanks

    Replies
    1. In the ConfigMgr console have a look at Monitoring / Deployments. Check the status of your deployment for errors.

  30. Hi Gerry,

Thanks for the quick response. Turns out I forgot to clear out the System Management container in AD after I had previously reinstalled the server. After I did that and restarted the Site Component Manager service the updates started working.

    Thanks

  31. Hi Gerry,

I'm able to deploy updates (Microsoft and Adobe). When the install is finished on the client the Software Center notification appears saying software has been installed. But when I go to the Software Center it's empty. It doesn't give a list of the installed software. Is this because I'm only installing updates and not applications? Is this normal or is there a config I'm missing?

    Thanks

    Replies
    1. This is by design. Once updates are installed they are no longer visible in the Software Center. It actually makes sense when you consider the number of updates that will be installed in the lifetime of a computer.

32. Gerry, we are running SCCM 2012 R2 on a Server 2012 R2 box as our primary stand alone site that manages about 500 computers. Currently, we have another box running WSUS (not a SUP to SCCM) and a GPO is set for all machines to download their updates from MS Updates. Question is, is there a way for the computers to still get their updates from MS Update if we were to set the WSUS box as the SUP?

    Replies
    1. Yes there is, although that doesn't make sense to me. Have a look at this.

      http://social.technet.microsoft.com/Forums/en-US/527ba570-0921-4be6-85da-2d1fc95e4f35/question-regarding-download-settings-within-a-software-update-deployment?forum=configmanagersecurity

  33. Gerry,

    I finally got it working. I updated my post:
    http://www.windows-noob.com/forums/index.php?/topic/9030-how-to-configure-wsus-on-sccm-2012-win-server-2012/?p=36633

    FYI, someone responding to me directly from other source:

    * If you are installing using Windows Server 2012 then no because WSUS is version 4 in Server 2012.

    * If installing on Server 2008(R2) then yes, but you should always look to update everything to latest versions anyway.

    Replies
    1. That's good Reza. But I already told you that. See above

Gerry Hampson, 8 January 2014 13:39

      You do not need WSUS 3.0 SP2. This is only for Windows Server 2008R2. Server 2012 ships with a new version of WSUS - no Service Pack required.

34. Gerry, that's confusing lots of users out there because during the SCCM 2012 R2 setup it said you must add WSUS 3.0 SP2. And one thing that Microsoft forgot to mention on that screen:

    Microsoft should add here, if you are running Server 2012 plain or R2, you do NOT need to install WSUS 3.0 SP2!!! This is only for Windows Server 2008

    http://www.windows-noob.com/forums/index.php?/topic/9030-how-to-configure-wsus-on-sccm-2012-win-server-2012/?p=36633

35. Hi. We have WSUS set up on server002 and the Windows 7 clients point to this. The SUP though is on the same server as most site system roles, server007.

I understand that WSUS is supposed to feed the updates into SCCM and SCCM then deploys these as packages. Does this mean that the GPO Intranet Microsoft Update location setting needs to be the SCCM server rather than the WSUS server?

Someone mentioned switching off the WSUS GPO, but then how will the Win 7 machines know where to look for updates, or is the fact that Configuration Manager is installed enough for them just to receive updates pushed to collections from the SCCM admin console?

    Thanks in advance, John

    Replies
    1. When you deploy a ConfigMgr software update solution the ConfigMgr client creates a local policy on the clients telling them where they will now get their updates.

Therefore in theory you no longer need the WSUS GPO. However, this is just in theory. What happens if the client, for some reason, loses its local policy? It will then revert back to its default setting, which is automatic download via the Internet and install at 3am. We don't want that. Therefore I retain a WSUS policy but configure it to disable automatic updates altogether.

      It's good practice to do this John.

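A client-side check for what the reply above describes, added here as an example (not Gerry's code or part of the guide). Run on a Windows 7 client, it reads the Windows Update policy keys, reports whether the ConfigMgr client's local policy points the machine at the SUP, and whether a domain GPO has disabled Automatic Updates so that nothing falls back to Microsoft Update at 3am if that local policy is lost. The expected SUP URL is a placeholder; the registry value names (WUServer, WUStatusServer, UseWUServer, NoAutoUpdate) are the standard Windows Update policy values.

```powershell
# Added example, not part of the original guide: inspect the Windows Update
# policy on a client to confirm it points at the Software Update Point and that
# Automatic Updates are disabled by policy. $ExpectedSup is a placeholder.
$ExpectedSup = 'http://SCCM01.contoso.local:8530'   # placeholder SUP URL (port chosen in the SUP wizard)

function Get-WuClientPolicy {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    $wuProps = if (Test-Path $wu) { Get-ItemProperty -Path $wu } else { $null }
    $auProps = if (Test-Path $au) { Get-ItemProperty -Path $au } else { $null }
    [pscustomobject]@{
        WUServer       = $wuProps.WUServer        # intranet update server URL (set by the ConfigMgr client or a GPO)
        WUStatusServer = $wuProps.WUStatusServer
        UseWUServer    = $auProps.UseWUServer     # 1 = use the intranet server above
        NoAutoUpdate   = $auProps.NoAutoUpdate    # 1 = Automatic Updates disabled (the GPO setting recommended above)
    }
}

function Test-WuClientPolicy {
    # Returns 'OK' text when everything lines up, otherwise one line per finding.
    param([string]$ExpectedServer)
    $p = Get-WuClientPolicy
    $findings = @()
    if (-not $p.WUServer) {
        $findings += 'No WUServer policy: the client will fall back to Microsoft Update defaults'
    } elseif ($p.WUServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
        $findings += "WUServer is '$($p.WUServer)', expected '$ExpectedServer'"
    }
    if ($p.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the intranet server is not in use'
    }
    if ($p.NoAutoUpdate -ne 1) {
        $findings += 'NoAutoUpdate is not 1: Automatic Updates will run if the local policy is lost'
    }
    if ($findings.Count -eq 0) {
        'OK: client points at the SUP and Automatic Updates are disabled by policy'
    } else {
        $findings
    }
}

Test-WuClientPolicy -ExpectedServer $ExpectedSup
```

The same three values are what windowsupdate.log reports when it names its update server, so this check answers the "which server should the log show" question that follows in the thread: it should be the SUP, not the old stand-alone WSUS box.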
36. OK. Currently some clients show the WSUS server as the update point in windowsupdate.log. I assume this is wrong and it should be showing the SCCM server with the SUP role? Sounds like I need to remove the old GPO then, or as you say change it to disable automatic updates altogether.

    Replies
    1. Don't just remove the GPO. Otherwise all your clients will default to Automatic Updates via Internet. I've seen it happen and it's not pretty. Edit the GPO to disable the updates.

  37. Some clients show the WSUS server as update point in windowsupdate.log, I assume this is wrong and it should be showing the SCCM server in the log file ?

  38. I still use GPO for our current environment SCCM 2007 SP2 R3. You could try using this command: wuauclt /detectnow

39. I have just built SCCM 2012 in my environment in a single site and I was able to sync the updates and push the client install to the clients, but when I try to deploy the software updates, the updates are not getting pushed to the clients. Can you please let me know what could be the issue?

    Thanks ,

    Sudhi

    Replies
    1. What troubleshooting have you done Sudhi - Monitoring > Deployments, logs etc?

  40. So, that's all about WSUS updates.

    And what about orphaned SCCM packages?
I reinstalled the Distribution Point. Its folder is 20 GB, but the currently deployed packages are 1 GB only. Is there any auto-cleanup and how often is it done?

    Replies
    1. No, there is only an auto-clean for Windows Updates. Packages should be removed from the DP when you carry out the instruction in the console.

  41. Gerry...a quick question. I have installed WSUS and the SUP role on the Primary server. They point to a SQL database on a remote SQL server. Everything is working nicely at the moment. The next step is that we need to install one additional SUP server. I have it ready to install WSUS, but where I get stuck is in the WSUS installation. I provide a local path for the updates. But for the database location, do I point it to the remote SQL database instance that we've already installed? We want to share the database rather than sync databases, as the servers will reside on the network. Once that's completed, then my plan is to simply push the SUP role to it from the Primary Server. But I just need to confirm that I have these steps correct regarding the installation/configuration of WSUS on the additional SUP that is separate from the Primary Server. Thank you for the great detailed information above!!

  42. Sharing the database is the preferred method as it limits network traffic when clients failover to use the second SUP. You can read about it in the TechNet library

    http://technet.microsoft.com/en-us/library/hh692394.aspx

  43. When deploying updates, is it better to split them up along MS Product lines? Or have each months updates in a single ADR/Deployment?

    Replies
    1. I always split the updates by product.

  44. Hi Gerry,

    I have been trying to deploy windows updates...

My device settings were initially not set right. Endpoint Protection was being installed on all machines, which I did not want to happen. I managed to sort this out for future machines.

But yeah, the problem I have is with the PCs I have uninstalled Endpoint from. All these PCs are stuck in non-compliant for some reason. I have tried reinstalling the client but still no luck.

    Is there anything I can do to sort this?!

45. That really depends on your client settings Matt. Look in Software Updates. What are your Software Update Scan and deployment re-evaluation schedules? By default they are 7 days. The compliance will not change until these scans run and report.

    Replies
    1. Manually run the scans on the client and see if this changes the compliance. Note that it will not be instant - nothing is with ConfigMgr.

2. The non-compliant PCs eventually go to a failed state: Failed to install updates, error code: 0x800705B4

This only happens on PCs I have removed Endpoint from before it had the chance to download the updates.

      Any ideas?

  46. Gerry,

    I am terribly new to deploying updates through SCCM, have been doing it through WSUS stand-alone for a while now. Can you point me to any resources that will help in getting the logic of how to manage product updates from within SCCM , rather than WSUS stand-alone?

    A few of my main questions/concerns:
    1) What's the best way to organize / manage updates for the products my environment requires? (Windows 7, server 2012, server 2008, sql 2008, sql 2012/etc)

    2) Do I have to have a device collection of all windows 7 computers, all server 2012 computers, all sql 2008/2012 computers / etc in order to deploy software to JUST those devices, or is there another non-time-consuming way of doing this?

    3) I did a custom search for Product: Windows 7, Expired: No, Superseded: No and added those to a group called "Windows 7 Updates"... and I'm GUESSING I then must create a device collection of all Windows 7 clients (I already had this) and deploy the new "Windows 7 Updates" package to the "Windows 7 Clients" device collection? Is that logic correct, and if so do I have to do that for each and every other product? (It seems a lot more work than WSUS stand-alone was, but I just want to make sure my thought process on this was correct.)

    Your blog / replies on technet are greatly appreciated...thanks so much!

  47. You're welcome Jon.

    In answer to your questions:

    1. I usually create separate Software Update Groups and deployment packages (and folder structures) for each product.
    2. It really depends. I would have a Windows 7 collection. However, I would not have an Office 2013 collection - I would use the Windows 7 collection for these updates.
    You would need separate collections for other products.
    Note - I would not use this method for SQL updates. SQL updating should be planned as a project in its own right.
    3. Your logic is correct. It won't seem like a lot of work once you start using it and get used to it.

  48. Hi Gerry.

    I managed to overcome a problem I was having with PCs going to non-compliant mode. I had no boundary groups, which meant PCs were not able to find the site!

    Strangely, I never thought this was the problem because some were working without the boundary group. But yeah, as soon as I added the boundary group all PCs started working correctly!

  49. Hi Gerry,

    Already close to a nervous breakdown:


    Some time ago we had our WSUS / SUP working fine with SCCM 2012 SP1, installed on a (virtual) Server 2008 R2.
    Due to performance issues we were forced to move SCCM to a powerful hardware box.

    There we installed Server 2012 R2 as the OS, and we successfully restored an SCCM backup from the virtual machine.
    We were told to keep the same server name as the virtual one to succeed with the SCCM backup restore.

    So far so good ... all does work fine; on top of that, we upgraded to CU3.

    However, since that day none of our clients has received a single WSUS update. On the server side all looks fine to me.
    Updates are synchronised, automatic deployment rules do what they have to do, software update groups are created, updates downloaded, distributed and deployed.
    Update deployments are required with a deadline and so on ...

    The logs on the server look fine ... except one thing in the WCM.log which came to my attention:

    Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608) SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
    Checking runtime v2.0.50727... SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
    Did not find supported version of assembly Microsoft.UpdateServices.Administration. SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
    Checking runtime v4.0.30319... SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
    Found supported assembly Microsoft.UpdateServices.Administration version 4.0.0.0, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
    Found supported assembly Microsoft.UpdateServices.BaseApi version 4.0.0.0, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
    Supported WSUS version found SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)

    It states that it can't find a supported version of the assembly - but 2 lines later it says that it has one of a higher release.
    Since Server 2012 R2 does come with a higher WSUS release, I think there is no issue here ...

    Even on the client side I do not find errors - see here entries from WUAHandler.log (here I changed the server name and domain, but in real life the server's name is correct):

    Its a WSUS Update Source type ({FA626CBA-DA9C-4CBE-99E7-397DD7570854}), adding it. WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
    Existing WUA Managed server was already set (HTTP://servername.dom.CORP.DIR:8530), skipping Group Policy registration. WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
    Added Update Source ({FA626CBA-DA9C-4CBE-99E7-397DD7570854}) of content type: 2 WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
    Scan results will include all superseded updates. WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
    Search Criteria is (DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver') WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
    Async searching of updates using WUAgent started. WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
    Async searching completed. WUAHandler 10/04/2014 8:58:59 10176 (0x27C0)
    Successfully completed scan. WUAHandler 10/04/2014 8:59:01 9488 (0x2510)

    FYI - we are not using GPOs to set the WSUS source ... boundaries are configured correctly ....

    On the SCCM server, in the deployment status for a software updates deployment, clients report: status unknown -> client check passed / active.

    To me the clients don't detect that there are new updates available.

    Have you any idea where it can go wrong? So far I can't find out why.

    Thanks

    G.

    Replies
    1. I think you went wrong by not keeping the same OS on the new hardware. The WSUS version has changed from 2008 R2 to 2012 R2 and I believe that this is the problem. ConfigMgr is still looking for the previous installation.

      I think that you will have to re-create your software update solution.

    2. Gerry,
      Could you be a little more specific on what you mean by re-create your software update solution? I have the exact same issue above for the exact same reason.

    3. I mean start again Zachary. Remove the Software Update Point and WSUS and start again.

  50. Dear,

    I found out that when the SCCM client gets installed, a local policy is set to point to the WSUS update service location / SCCM server - in our case http://servername.domain.corp.local:8530

    Since most of our clients were installed from the former SCCM setup on the virtual server installed with Server 2008 R2 + WSUS 3.0 SP2, this local policy is still pointing to http://servername.domain.corp.local:80

    We did, however, upgrade all clients to the CU3 level from the SCCM setup on the new server installed with the 2012 R2 operating system and the corresponding WSUS 4... The client upgrade did succeed - but the setting for the WSUS service location did remain on http://servername.domain.corp.local:80

    I did try to get rid of that port 80 setting - but no chance ... the SCCM agent nicely reverted back to port 80 all the time.

    Then I uninstalled the SCCM client by running CCMSetup.exe /uninstall - after the uninstall I rebooted the client - and installed the SCCM client again (directly from the primary site server).

    And yes - the Windows Update service location was set correctly now!

    http://servername.domain.corp.local:8530

    Suddenly the client did start talking with the System Center server - and did report back update status - the client even did install updates - unfortunately only updates that were released / deployed before we moved SCCM from the virtual server to the 2012 R2 hardware server.

    So we're getting closer - now we need to find out why those freshly released updates / groups (April 2014) and the corresponding deployments are not detected by the client.

    Any suggestion would be highly appreciated.

    Thx

    G.

  52. Question - why do you need yet another database? Why not use the one that is installed (SQL)?

  53. Hi Gerry

    I am having a problem with updates at server and client. It says downloading (0% complete) in Software Center for 4 days but it's doing nothing. Any idea?

    thanks
    Hananahujaja

  54. Hi Gerry,
    hope you are well. I am having a problem with updates. In Software Center it says downloading (0% complete) but it's doing nothing. Any idea?

    thanks

    Replies
    1. Quite often this is caused by incorrectly configured boundaries and boundary groups.

    2. Thanks for your reply Gerry, really appreciate it.
      But when I see the deployment status there are 57 computers that are compliant and 19 computers that have failed to install the update (This operation returned because the timeout period expired) error code 0x800705B4.
      Apart from this, I have only 1 boundary. Do I still need to create a boundary group?

    3. You need a boundary group. Add your boundaries and associate with a DP.

    4. Oh and also, in the Locationservices.log (if it matters) there is an entry - Calling back with empty distribution points group.

      Chris

    5. Sorry Gerry, I seem to have lost my first post (again on this site) I have the same issue as above but it has been working for a few weeks prior. Now I see the error Failed to download update(s) for all 160 clients...any ideas?

      Regards,
      Chris

    6. Forget the complexity of software updates for the moment. Can you deploy a simple application to your clients?

    7. To be fair I have not yet tried pushing applications as this is the last part of the project and least urgent. If I show the patches as visible in software centre then I can try and download them but they just sit at 0% complete. I have had the boundary groups set up since the first push and they have been rolling out fine (well 96% success rate) for a few weeks preceding.

    8. I've seen this problem recently (clients stuck downloading updates at 0%) when the deployment package was not available on the DP. Check the Monitoring node and redistribute if necessary.

    9. Thanks for your response Gerry, I only have 1 SCCM server running. I have an ADR for updates that creates the deployments. A new deployment for each set of updates. The odd thing is that I have it set to create a new Deployment each week on a Tuesday night and the past 2 weeks have been an issue but today I see patches are rolling as I am 14% compliant. I will let it lie until the weekend to see if, after the forced reboot deadline, my compliance jumps up.

      I did check on the DP and all of the patches in the previous group show as 'Downloaded' 'yes'. I may change the policy to update once monthly rather than weekly...

      In any case I will feed back to you whether it was a blip or if I still have issues.

      Thanks
      Chris

  55. Gerry - I've tried following your guide and others and my SCCM 2012 SP1 keeps looking for WSUS 3.0 SP2 (+ 2 KB). I'm doing a fresh install with the following:

    Windows 2012 R2 with SCCM 2012 SP1
    Windows 2012 R2 with WSUS 4

    Initially, when I installed SCCM 2012, I tried connecting to an existing WSUS on a 2008 Server, but this had all the software updates configured. This was another machine and does not share the same name with the 2012 WSUS server. Every time I've tried to add the SUP, it's looking for WSUS 3.0.

    I've read that sometimes SCCM takes a while to update, but I've done countless reboots. I've ensured the SCCM computer is a local admin on the WSUS server and also a part of the WSUS Administrators. I've also added the domain service account we're using. The WCM.log continues to indicate it's looking for WSUS 3.0. Do you know how to fix this?

    Thanks for your work.

    Replies
    1. I would start again here. There must be a reference to the 2008 WSUS somewhere. Remove the SUP, remove WSUS, delete the database (SQL or Windows Internal). Then reinstall WSUS (do not configure) and add the SUP again.

    2. Hello, great information, thanks for your good documentation!
      I just wondered if any other SCCM user ran into the problem to be able to update the Windows servers (2012, 2008 R2) the "conventional way" via Windows Update, the SCCM server as the WSUS server and therefore being able to choose the time of installation of the already downloaded patches individually while still updating the other clients via SCCM push.
      I searched this post but did not find any suggestions.
      Anyone solved this yet?
      Thanks in advance!

    3. I'm not 100% clear what you are trying to achieve Markus, but it sounds very messy.

  56. I have successfully deployed updates from the console, but from the client no action happens. How can I trace where the problem could be? I had targeted a single test collection PC. I need to know how to trace whether the issue is related to ports or the updates folder. Is there any given troubleshooting procedure for issues related to the SCCM site server and clients?
    Secondly, I inherited an operation which previously had WSUS deploying updates directly to clients. Do I need to re-install the WSUS role?

    Replies
    1. Have a look at the Monitoring node -> Deployments. Find the updates deployment. Are there any errors?

  57. Hi Gerry, I have an issue where I have SCCM SP1 installed on a server with Server 2012 Datacenter.

    I am having issues getting WSUS to synchronize for the first time.
    I keep getting an HTTP error.

    I am looking all over the internet for a solution but no help?

    Replies
    1. You've given no information. Where are you seeing this error and what is it? Analyze the WCM.log and WSYNCMGR.log files for errors.

  58. Hi Gerry,

    I have read your blog. Also I think you can help me in this matter. In my organization SCCM 2012 was configured by another person, who has already left now. He configured WSUS and also the SUP. Client machines are not getting any Windows updates. Also I am totally new to the server side. It shows in the Software Library that updates are downloaded and deployed as "yes", but Required, Installed and Percent Compliant as "0". Last working day I changed the WSUS ports to 8530 and 8531. After that, Wsyncmgr.log shows some errors.
    For the last six months none of the client computers have been getting Windows updates. Same with Endpoint Protection. I pushed Endpoint Protection to all client computers but they are not getting the updates.

    Please help me.

    Regards,

    Thomas

  59. Hi,
    do you have any ideas why the classification "Drivers" is not available in the SCCM Software Update Point options? In native WSUS it is..... so the 8.1 driver updates cannot be deployed...
    Regards, Mike

    Replies
    1. Sorry for the late response Mike. I've been on vacation. This option was deliberately removed as it was deemed a bad idea to manage drivers in this way. I actually agree.

  60. Hi Guys,
    I am configuring my first SCCM server. I am following the windows-noob.com CM12 guides. It's a very good guide. I am facing some problems configuring the software update server. Whenever I try to sync the server I get this error:
    "Sync failed: WSUS update source not found on site xyz. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSource"
    I tried to find the solution over the internet but I couldn't find it. If you guys can help me regarding this I would really appreciate it. Please reply.
    Regards

    Replies
    1. Sorry for the late response Shahid. I've been on vacation. As the error says you need to refer to the WCM.log file for details.

  61. Hello Jerry,
    Thanks for your efforts in posting this and responding to everyone.

    I need your help
    I am implementing SCCM with Endpoint protection for one of my customers
    VM1:SCCM 2012 Primary Site OS 2012R2
    VM2:SQL 2008R2

    Issue
    Software Update Point never works
    Critical State and viewer shows error SMS_WSUS_Manager Site Component failed to install this component on this site system.

    I followed your earlier advice to reinstall WSUS and the SUP three times now with no luck :(

    I am stuck and need your help.

    BR
    Maher

    Replies
    1. You need to review the WCM.LOG file for errors

  62. Hi, I ran into the same problem as one of the above, but could not find an answer.
    Clients at one of the sites talking to the DP are failing on Windows updates (about 25% good, 75% failed).
    On the SCCM Monitoring node I see:
    Failed to install Update(s); Error Code : 0X800705B4; This operation returned because the timeout period expired.
    Could not find much information in the logs on the client.
    Clients are talking to the correct DP.
    Boundaries look OK. It's based on AD site and added to a BG.
    WUAHandler says Successfully completed scan.
    UpdateHandler : Updates scan completion received, result = 0x0.

    Not sure what's going wrong. Any help please?

    Thanks.
    Vin

  63. Hello,

    I have a WSUS infrastructure (One Autonomous Upstream - "AU", one Replica Downstream -"RD"). My SCCM 2012 R2 SUP syncs with the RD. The problem I have is that the SCCM console shows far less updates under "All Software Updates" than what I see in both the AU and RD consoles for "All Updates". The SUP is configured for All Products and All Classifications. Should I see the same updates in SCCM as I do in WSUS given my setup? That was my intent.

    Replies
    1. Why would you possibly want "All Products and All Classifications"?

    2. We don't. The RD has the intended Products/Classifications defined and it is assumed that if we select All Products / All Classifications in the SCCM SUP then its scope will narrow to the RD, because it gets its catalog only from the RD. It would only be a problem for us if the SCCM SUP scope was smaller than the RD scope. Since I posted my original comment I have found the default supersedence rule in SCCM to be 3 months for expiring an update that has been superseded (3 months from the date of supersedence). The maximum allowable value for this is 99 (months). The RD reports 12,041 total updates in its WSUS console. That is intended. SCCM configured with a 3-month supersedence rule reports 5160 total updates. Configured at 99 months it reports 10,099 total updates. Clearly this value has some effect, but with a limit of 99 months it sounds like either that limit is causing the gap between SCCM and WSUS or something else. Thoughts?

  64. Hi Gerry, I have a question. There is a new IE Cumulative Update MS14-052 that I have deployed to 2 machines via SCCM 2012 Software Updates and the reports come back as Compliant. However, when I manually check the PC the update is not installed. The most recent Cumulative IE update on them is MS13-037. Is there a reason for compliance showing "Green" when the update is not installed?

    Thanks,

  65. Hi Gerry / anyone that can help

    First of all, I just found this site, this is an awesome resource that's been put together, kudos on that.

    I have a question. I'm currently trying to use Automatic Deployment Rules for patch Tuesday on a lab I have set up, so I can try and understand how it works. The ADR works to a point, gathers some software updates, 6 in total last time around. However, when I look in the "All software updates" node I can see 108 updates listed from the last patch Tuesday are available. Any ideas why these 108 updates are not in my ADR group? I used the following criteria in my ADR settings.

    DATE RELEASED OR REVISED: Last 1 week (7 days)

    UPDATE CLASSIFICATION: Critical Updates Or Security Updates OR Update Rollups OR Updates

    Any suggestions what to check out would be massively appreciated.

    David

    Replies
    1. I've seen something similar before David - resolved by re-creating the ADR (no explanation unfortunately).

  66. Hi Gerry,

    You made my life easier!!!

    Thanks for your SCCM guide, as I managed to implement SCCM 2012 R2 and deploy apps in the shortest possible time. I have configured Software Updates and I can verify that Windows 7 test clients are getting the MS updates (Oct 2014) from the SCCM 2012 server. My question about updates for Windows servers is: if I deploy updates for 2003/2008/2012 in one go (select ones for 2003/2008 R2/2012 R2), will the end server automatically download/install only the appropriate updates for 2003 or 2008/2012? Do I need to deploy updates specific only to 2008 R2 or 2012 R2? So in my case, I will have three software groups, one for each server flavour.

  67. There is a hard limit of 1000 updates per software group. Therefore when I am deploying past updates I create a new software update group per product (Windows 7 for example currently has over 900 updates). Into the future, on a monthly basis, there is no reason to separate them. I usually create one SUG for server updates and one for workstations.

  68. Hello
    I have an interesting question. I have set up a software update group for Windows 7 for past updates and named it "baseline windows 7", and also created a deployment package with the same name.

    I used these criteria when searching for updates: expired: no, superseded: no, product: windows 7
    i.e. I initially used bulletin: MS but this seemed to not give me as many updates.

    OK, here's my problem: the updates download and install on a virtual machine, but on a Dell OptiPlex they install, the PC reboots and goes through 2 stages of configuring, and at the end it writes a bunch of reg entries but then displays something to the effect that it can't go any further and reverts back to the machine with no updates installed!

    In Event Viewer it says updates failed... xxxx on and on.

    Now how the heck can I narrow down which update is really causing the problem?

    thanks

    Replies
    1. It's hard to say. Your process seems sound. Is this a general problem or just a problem with a single device?

    2. Hi there,

      You can check C:\Windows\WindowsUpdate.log.
      Also under ccm\logs\UpdatesDeployment on the client.

      Everything is logged there.

      Good luck!

  69. Hi Garry

    You said updates are stored in the SCCM database.
    I deploy software only to client PCs, not to servers, because server licences for SCCM are too expensive.
    Is there a possibility to store the server updates outside of the SCCM database?

    Or the better Question is:
    Is it possible to run the Client Updates via SCCM and the Server Updates normally via WSUS?

    Thanks for your help

    Replies
    1. I didn't say that the update binaries are stored in the database. They are downloaded into deployment packages. You can choose not to manage servers. In that case you cannot install the ConfigMgr client on them.

      You could use WSUS to patch your servers but you would require a separate WSUS instance for this. Also you would need to configure a GPO for your servers.

  70. Hi Gerry

    We are currently looking at implementing SCCM in our organization mainly to allow laptops to be built from a DP at our remote offices across the country, this will save having to send them back to us here at head office.

    We currently have a WSUS server that is in our main data center and it controls all of our updates for server, client OS and Office. Our server engineer asked whether we can set up WSUS on the SCCM server and allow it to control all updates relating to the Windows 7 image, but leave our existing WSUS server in place to handle all the updates once the build is complete, i.e. once the build is complete the SCCM server is no longer required for anything.

    Replies
    1. I'm pretty sure you could do this. The updates would be installed via SCCM/WSUS when the laptops are being built. You could then configure your SCCM client policy to disable software updates and manage them with WSUS. I can't think of a good reason to do this though.

  71. Hi Gerry,
    I have just deployed a Windows update from SCCM to a client and it deployed successfully. I configured it to use 8530 but I did not enable 8530 on the firewall for SCCM. My question is, is it necessary to open 8530 on the firewall? Or how do I know which port the client is communicating with WSUS on?

    Replies
    1. In your case the client will be communicating with the Software Update Point on port 8530. If the server firewall is turned on then I would expect that you would need to allow this port. It is not necessary to configure the client firewall as all communication is initiated by the client.

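The port 80 versus port 8530 mix-up described in comment 50 and the firewall question in comment 71 can both be checked from the client itself. The script below is an added example, not code from the blog or its comments; it reads the WSUS location the ConfigMgr client wrote into local policy, compares it with the last server recorded in WUAHandler.log, and tests that the port is reachable. It assumes the default client log path and uses a placeholder for the expected SUP URL.

```powershell
# Added example (not from the blog post or its comments): verify which
# WSUS / Software Update Point a ConfigMgr client is really using.
# Assumptions: $ExpectedSup is a placeholder you replace with your own SUP URL;
# WUAHandler.log lives in the default ConfigMgr client log folder.
param(
    [string]$ExpectedSup    = 'http://servername.domain.corp.local:8530',   # placeholder
    [string]$WuaHandlerLog  = "$env:windir\CCM\Logs\WUAHandler.log"
)

function Get-LocalWsusPolicy {
    # The ConfigMgr client writes the SUP location into these local-policy values.
    # Comment 50 above found stale values here still pointing at port 80.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au  = Join-Path $key 'AU'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $a = Get-ItemProperty -Path $au  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
        UseWUServer    = $a.UseWUServer
    }
}

function Get-WuaHandlerServer {
    param([string]$Path)
    # WUAHandler.log records the server the agent actually registered, e.g.
    # "Existing WUA Managed server was already set (HTTP://host:8530), skipping ..."
    if (-not (Test-Path $Path)) { return $null }
    $pattern = 'WUA Managed server was already set \((?<url>[^)]+)\)'
    $hit = Select-String -Path $Path -Pattern $pattern | Select-Object -Last 1
    if ($hit) { return $hit.Matches[0].Groups['url'].Value }
    return $null
}

function Test-SupPort {
    param([string]$Url)
    # Client-initiated TCP connect to host:port from the URL, with a 3 s timeout.
    # Only the server-side firewall needs to allow this; the client side does not.
    $uri    = [System.Uri]$Url
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($uri.Host, $uri.Port)
        if (-not $task.Wait(3000)) { return $false }   # timed out
        return $client.Connected
    } catch {
        return $false                                  # refused / unreachable
    } finally {
        $client.Close()
    }
}

$policy = Get-LocalWsusPolicy
$logUrl = Get-WuaHandlerServer -Path $WuaHandlerLog

"Expected SUP          : $ExpectedSup"
"Policy WUServer       : $($policy.WUServer)"
"Policy WUStatusServer : $($policy.WUStatusServer)"
"Policy UseWUServer    : $($policy.UseWUServer)"
"WUAHandler.log server : $logUrl"

# Compare host and port only; the log may upper-case the scheme and host,
# and PowerShell string comparison is case-insensitive anyway.
$expected = [System.Uri]$ExpectedSup
foreach ($candidate in @($policy.WUServer, $logUrl)) {
    if (-not $candidate) { continue }
    $u = [System.Uri]$candidate
    if ($u.Host -ne $expected.Host -or $u.Port -ne $expected.Port) {
        Write-Warning "Client points at $candidate but the expected SUP is $ExpectedSup"
    }
}

if ($policy.WUServer) {
    $ok = Test-SupPort -Url $policy.WUServer
    "TCP to $($policy.WUServer): $(if ($ok) { 'reachable' } else { 'blocked or not listening' })"
}
```

A mismatch between the policy value and the expected SUP is the symptom comment 50 fixed by reinstalling the client; a reachable port confirms the server-side firewall allows 8530 as the reply to comment 71 expects.
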
  72. Hi Gerry,
    I have SCCM 2007 infrastructure installed in my environment. I am trying to install SCCM 2012 as a fresh (Not migrate). I have standalone primary site, with 5000 clients, spread across 3 locations. I have built SCCM 2012 R2 with SQL server 2012. I want to test various functions of SCCM 2012, before moving it into production. Now the question is, Can I install WSUS/SUP on SCCM 2012 and configure it for patching. If I do so, will it disturb my current SCCM 2007 patching, or is it fine. Kindly suggest.
    - Vasu

    Replies
    1. The two environments can co-exist. After all that's the way migrations are done. You just have to be careful of overlapping boundaries for site assignment. However I'm not a big fan of deploying products like this in production for "testing" purposes. That's what labs are for.

  73. Hi Gerry - I am setting up SCCM 2012 R2; the database will be co-located on the site server. The database will be set up with mixed mode authentication (both Windows and SQL). I am planning for WSUS to use the same SQL instance as SCCM. I have seen it mentioned in many blogs that WSUS supports only Windows Authentication. Do you see any issues with the WSUS database on a SQL server set up with mixed authentication?

    Replies
    1. No, as far as I know that will be OK. However, why would you use Mixed Mode? You are only licensed to host System Center related technologies anyway, which will all use Windows Integrated. I never use Mixed Authentication in these cases.

  74. Hi Gerry - I have to follow the DB standards in the organisation. Hence mixed mode.

    Replies
    1. That doesn't really make too much sense Sandeep. The standard isn't always correct. You are using a local SQL install which will not be used for anything else. You are actually making the solution less secure by introducing Mixed Mode.

  75. Gerry, great stuff. Used your guides to get a fully functional environment. I have searched and searched but cannot find the answer. I wonder if you could help.
    I am trying to figure out which workstation in a group is the most out of date in terms of Windows Updates. The idea is to patch this machine completely and get a baseline, so I can more accurately determine how long and how many reboots it would take to complete the rest of the computers in that group.
    Thank you and keep up the good work.

    -Matt

    Replies
    1. Have a look at these options, Matt:

      http://smsug.ca/blogs/garth_jones/archive/2009/02/25/patch-compliance-progression-report.aspx

      http://blogs.bamits.com.au/2011/04/sccm-report-which-shows-you-how-many.html

  76. Hi Gerry,

    I am facing the below issue while running the post configuration after reinstalling WSUS.

    2015-02-04 02:03:21 Starting service W3SVC
    2015-02-04 02:03:22 Configuring IIS...
    2015-02-04 02:03:22 Start: ConfigureWebsite
    2015-02-04 02:03:22 Configuring website on port 8530
    2015-02-04 02:03:22 System.ComponentModel.Win32Exception (0x80004005): The system cannot find the file specified
    at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
    at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
    at Microsoft.UpdateServices.Administration.UseCustomWebSite.ExecuteIisCustomAction(String arguments)
    at Microsoft.UpdateServices.Administration.UseCustomWebSite.Install(Int32 portNumber)
    at Microsoft.UpdateServices.Administration.UseCustomWebSite.InstallAndConfigure(IisConfiguration& iisConfiguration, Int32 newPortNumber)
    at Microsoft.UpdateServices.Administration.PostInstall.ConfigureWebsite(Int32 portNumber)
    at Microsoft.UpdateServices.Administration.PostInstall.Run()
    at Microsoft.UpdateServices.Administration.PostInstall.Execute(String[] arguments)
    I tried to launch Windows Server Update Services from Admin Tools; it opens an MMC console prompting to connect to the server. The server URL along with the WSUS default port is mentioned and, when I tried to connect, it throws the error stated below.

    Cannot connect to "Server". Please make sure the post-installation task is completed successfully on that server. If it was, please verify if the server is using another port or different secure sockets layer (SSL) setting.

    The WSUS specific Virtual directories are not created in IIS.

    Any pointers to resolve this issue would be of great help.

    Replies
    1. Sounds a little messy. I would remove WSUS and re-add it.

  77. Hello Gerry,
    I have immensely benefited from your blog and it has gotten me very far, considering that I had no prior knowledge of SCCM. I am however at a fix at this point. I have my AM policy and have SCEP installed on a few computers I'm testing with. I can see the definition updates downloaded under the Software Library on the SCCM server and they appear as deployed, yet SCEP hasn't received any definition updates. Software Center is empty too.

    I examined execmgr.log and found repeated instances of "Auto Install is set to false. Do Nothing"

    What am I missing out please?

    Auto Install is set to false. Do Nothing. execmgr 2/14/2015 12:00:00 AM 528 (0x0210)
    Service startup. execmgr 2/16/2015 7:24:42 PM 4376 (0x1118)
    A user has logged on. execmgr 2/16/2015 7:25:02 PM 5652 (0x1614)
    The logged on user is domain\username execmgr 2/16/2015 7:25:02 PM 5652 (0x1614)
    CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : START Event execmgr 2/16/2015 10:00:00 PM 5048 (0x13B8)
    CExecutionRequestManager::OnServiceWindowEvent for START execmgr 2/16/2015 10:00:01 PM 5048 (0x13B8)
    Auto Install is set to false. Do Nothing. execmgr 2/16/2015 10:00:01 PM 5048 (0x13B8)
    CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : END Event execmgr 2/17/2015 5:00:00 AM 7552 (0x1D80)
    CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : START Event execmgr 2/17/2015 10:00:00 PM 10736 (0x29F0)
    CExecutionRequestManager::OnServiceWindowEvent for START execmgr 2/17/2015 10:00:01 PM 10736 (0x29F0)
    Auto Install is set to false. Do Nothing. execmgr 2/17/2015 10:00:01 PM 10736 (0x29F0)
    CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : END Event execmgr 2/18/2015 5:00:00 AM 8692 (0x21F4)
    CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : START Event execmgr 2/18/2015 10:00:00 PM 8508 (0x213C)
    CExecutionRequestManager::OnServiceWindowEvent for START execmgr 2/18/2015 10:00:00 PM 8508 (0x213C)
    Auto Install is set to false. Do Nothing. execmgr 2/18/2015 10:00:00 PM 8508 (0x213C)
    CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : END Event execmgr 2/19/2015 5:00:00 AM 6432 (0x1920)

    Replies
    1. That's good. I'm glad to help.

      Have you created a Software Update Group with the definition files and deployed to your clients? Look at the Deployment Status for this SUG in the Monitoring node.

  78. Yes, I have created a SUG with the definition files and deployed to my clients. I look under the Monitoring >> Deployments node for the deployment status of my SUG and nothing under the compliant tab, nothing under the in-progress tab, nothing under the error tab but I see the 3 devices I'm testing with under the unknown tab.
    I'm actually very confused.

  79. Hi Gerry,
    I need your advice to resolve one issue.
    I have installed SCCM 2012 SP1 with CU4. I have created a test collection with only one machine in it. I downloaded and deployed the MS patches but am not able to see these patches on the client machine.
    The agent on the client machine is working fine, as I am able to take remote control from the SCCM server.
    The C:\windows\ccmcache folder is not showing MS patches.
    On the server side, patches have been downloaded to the given location.
    In Monitoring -> Deployments -> Win7, the update status is unknown with "Client check passed/active".
    In Software Library -> Software Update Group -> deployed: yes and downloaded: yes.
    Windows Update is marked as "never look for update" using GPO on the client machines.
    SCCM and WSUS are installed on the same server.
    While installing WSUS, I picked WID Database and WSUS Services.
    Any suggestions?
    What could be the name of the log file to get more information?
    I am not able to see the option to run inventory etc. from the SCCM console (I have seen these options in SCCM 2007). Do I need to install any other plug-ins?
    Thanks

    Replies
    1. Have a look at these log files

      Server Logs:
      SUPsetup.log - Installation of SUP Site Role.
      WCM.log, WSUSCtrl.log - Configuration of WSUS Server/SUP.
      WSyncMgr.log - SMS/WSUS Updates Synchronization Issues.
      Objreplmgr.log - Policy Issues for Update Assignments/CI Version Info policies.
      RuleEngine.log - Auto Deployment Rules.


      Client Logs:
      UpdatesDeployment.log - Deployments, SDK, UX.
      UpdatesHandler.log - Updates, Download.
      ScanAgent.log - Online/Offline scans, WSUS location requests.
      WUAHandler.log - Update status (missing/installed - verbose logging), WU interaction.
      UpdatesStore.log - Update status (missing/installed).
      %windir%\WindowsUpdate.log - Scanning/Installation of updates.

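The execmgr.log excerpt quoted in comment 77 above and the list of server and client log files in this reply come down to the same routine task: reading a ConfigMgr log quickly enough to see what repeats and when. The following Python script is an added example, not code from this blog or from Microsoft. It parses the flattened line form shown in comment 77 (message, component, date, time, thread id), uses those quoted execmgr lines as its embedded sample input, tallies repeated messages, pairs the maintenance-window START/END events and filters entries by keyword; the regular expression for that display format and the field names are my assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Flattened (CMTrace display) form of a ConfigMgr client log line, as pasted in
# comment 77: "<message> <component> <M/D/YYYY> <h:mm:ss AM|PM> <thread> (0xHEX)".
# Assumption: this pattern describes that display form; it is not a documented spec.
ENTRY_RE = re.compile(
    r"^(?P<message>.+?)\s+"
    r"(?P<component>\S+)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<thread>\d+) \(0x[0-9A-Fa-f]+\)$"
)

# Sample input: the execmgr.log lines quoted in comment 77 (raw string keeps "domain\username").
SAMPLE_LOG = r"""
Auto Install is set to false. Do Nothing. execmgr 2/14/2015 12:00:00 AM 528 (0x0210)
Service startup. execmgr 2/16/2015 7:24:42 PM 4376 (0x1118)
A user has logged on. execmgr 2/16/2015 7:25:02 PM 5652 (0x1614)
The logged on user is domain\username execmgr 2/16/2015 7:25:02 PM 5652 (0x1614)
CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : START Event execmgr 2/16/2015 10:00:00 PM 5048 (0x13B8)
CExecutionRequestManager::OnServiceWindowEvent for START execmgr 2/16/2015 10:00:01 PM 5048 (0x13B8)
Auto Install is set to false. Do Nothing. execmgr 2/16/2015 10:00:01 PM 5048 (0x13B8)
CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : END Event execmgr 2/17/2015 5:00:00 AM 7552 (0x1D80)
CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : START Event execmgr 2/17/2015 10:00:00 PM 10736 (0x29F0)
CExecutionRequestManager::OnServiceWindowEvent for START execmgr 2/17/2015 10:00:01 PM 10736 (0x29F0)
Auto Install is set to false. Do Nothing. execmgr 2/17/2015 10:00:01 PM 10736 (0x29F0)
CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : END Event execmgr 2/18/2015 5:00:00 AM 8692 (0x21F4)
CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : START Event execmgr 2/18/2015 10:00:00 PM 8508 (0x213C)
CExecutionRequestManager::OnServiceWindowEvent for START execmgr 2/18/2015 10:00:00 PM 8508 (0x213C)
Auto Install is set to false. Do Nothing. execmgr 2/18/2015 10:00:00 PM 8508 (0x213C)
CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : END Event execmgr 2/19/2015 5:00:00 AM 6432 (0x1920)
"""


def parse_entry(line):
    """Return a dict for one log line, or None when the line is not in the expected form."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    return {
        "message": m["message"],
        "component": m["component"],
        "time": when,
        "thread": int(m["thread"]),
    }


def parse_log(text):
    """Parse every recognisable line; lines in another shape are skipped, not fatal."""
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def message_counts(entries):
    """How often each distinct message occurs, so a line repeated every window stands out."""
    return Counter(e["message"] for e in entries)


def service_windows(entries):
    """Pair SERVICEWINDOWEVENT START/END events into (start, end) tuples in log order."""
    windows, start = [], None
    for e in entries:
        if "SERVICEWINDOWEVENT : START" in e["message"]:
            start = e["time"]
        elif "SERVICEWINDOWEVENT : END" in e["message"] and start is not None:
            windows.append((start, e["time"]))
            start = None
    return windows


def grep(entries, *keywords):
    """Entries whose message contains any keyword, case-insensitively (e.g. 'fail', 'error')."""
    lowered = [k.lower() for k in keywords]
    return [e for e in entries if any(k in e["message"].lower() for k in lowered)]


SAMPLE_ENTRIES = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for msg, n in message_counts(SAMPLE_ENTRIES).most_common(3):
        print(f"{n:3d}x {msg}")
    for start, end in service_windows(SAMPLE_ENTRIES):
        print(f"maintenance window {start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M}")
    for e in grep(SAMPLE_ENTRIES, "auto install"):
        print(f"{e['time']:%Y-%m-%d %H:%M:%S} {e['component']}: {e['message']}")
```

On the quoted excerpt the script reports three 22:00 to 05:00 maintenance windows and shows that "Auto Install is set to false. Do Nothing." is logged once at the start of each of them, which is exactly the repetition the commenter noticed. Point `parse_log` at the text of any of the logs listed above (read with the `ignore` error handler, since some of these files are UTF-16) and `grep(entries, "fail", "error")` gives a first pass over them.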
  80. Hi Gerry,

    Trying to find info on a particular task in SCCM and came across your blog. Would appreciate it if you can point me in the correct direction.

    We have an SCCM 2012 R2 infrastructure and have a .wim file with Office 2013 already installed (thick image). I want to deploy Office 2013 SP1 to all the workstations using SCCM. I have downloaded the SP1 package and it's in .exe format.

    Thanks in advance,

    Sailesh

    Replies
    1. You need to work out the command to install the SP silently. Then just deploy it to your workstations as a package/program.

  81. Hi Gerry!

    Thank you very much for this amazing blog!

    May I ask you some questions, please?

    When I'm in the ADR Wizard and choose "Existing Package" and "Create New Software Update Group", does the SUP clear the existing package every time the ADR has been started and fill it with the new content from the new software update group? Or does it expand the existing package with the new updates? In that case the package will grow every patch day...

    Do the clients have to download the complete package every time the ADR has published the package? Or do they just download the needed updates like they do with WSUS? I don't want the clients to download more and more already installed updates over the months with the existing package.

    Thanks in advance and best regards
    Patrick

  82. Hi Mr HAMPSON,

    First of all, thank you for this blog, it really helps me to understand a lot of stuff.

    Well, I have an issue and I'm pretty sure you have the answer.

    I've got this error during post-installation of WSUS services:
    Failure post-installation task. More informations below:
    Log file in :"C:\....".
    So I've checked:
    "CreateDefaultSubscription failed. Exception: System.Net.WebException: La demande a échoué avec l'état HTTP 503 : Service Unavailable."

    This is my configuration:
    One SCCM server & one WSUS server.
    On my WSUS server, I've just installed the WSUS role; I know that I may not finish the post-installation wizard of WSUS services.

    I've deleted the software updates on my SCCM before doing anything.
    And I'm waiting for this part of the post-installation to create my SUP on SCCM, but I have this error.

    What I've done so far:
    On each server the admin account is in Administrators.
    My GPOs are OK, I think.

    Can you help me with this ?
    Regards.

    Michel

    Replies
    1. Hi Michel,

      What OS is on each server?

    2. Hi,

      Sorry for the delay.

      I have Win2012R2 for the WSUS server and Win2008R2 for the SCCM server.

      I didn't install the WSUS console on my SCCM server: is that important?

      After stopping the post-installation wizard of WSUS services, I've installed the SUP on my SCCM. There is no more notification on my WSUS server, but on SCCM I don't have any updates; there is no synchronisation between them:
      "Failed to synchronize".

      I'm trying to find out which WSUS console I have to install on my SCCM server (I've found a thread on the web which said to install this console on SCCM).

      Thanks in advance for giving your time to our questions.

      Regards

    3. Start PowerShell Console (as Administrator) and run: Install-WindowsFeature -Name UpdateServices-Ui

  83. Hi Gerry Hampson,

    I have installed SCOM 2012 on a Windows 2012 server and configured software updates for clients, and installed the client agent also. I deployed the updates to the clients as per your guide, but still the client PCs are not updating. I have the WSUS server in the same network and the clients were updating patches through GPO configuration. Do I need to disable this GPO? Or do I have to do any other configuration for the client? I have checked the logs but I couldn't see anything wrong.
    Please do reply.

    Replies
    1. In the ConfigMgr console check the deployment status for your software update group (Monitoring > Deployments). I'll bet it tells you that the deployment has failed due to an existing group policy. That GPO needs to be removed. It's best practice to create a GPO to disable automatic updates.

  84. Dear Gerry,

    I have checked in Monitoring > Deployments; the compliant, in-progress and error windows say "status information currently unavailable for this deployment". Unknown is showing client check passed and active. I will remove the GPO as per your suggestion and try. Is there any other configuration required? If you require it, I will send you the screenshots by mail if you can send your email ID to my mail.

  85. Hi Gerry,

    Thanks for your post. On a new installation of SCCM 2012 R2 SP1 I configured WSUS and SCCM exactly the way you described in this post. However, the updates do not appear in the console but they do in the WSUS console. Do you have any advice?

    Replies
    1. You need to review the WCM.LOG file for errors Fabian.

  86. Hi Gerry,
    I'm super new to SCCM. I was wondering if it is possible for SCCM to deploy windows updates without WSUS in the environment?

    Replies
    1. No Saul. That's not possible. You need WSUS.

  87. Gerry,

    I have a lab environment and have followed your how-tos for most everything SCCM 2012; great work by the way. I repeatedly run into a snag where the SCCM admin console shows 400+ updates in the update package, but when I deploy them the clients only receive about a dozen security updates. Everything appears to be normal except the fact that only a few updates come through. Under the SUP and products I've only selected Windows 7 updates and nothing else since this is a lab environment. Any ideas?

    Replies
    1. Thanks. Glad to be able to help. This behaviour could be normal. The Software Update Group may contain 400 updates. This doesn't mean that your test computer needs them all. Most could be installed already. Only the missing updates will be downloaded and installed.

    2. Wouldn't I see a larger list of installed updates on the "Installed updates" on the control panel windows update screen?

    3. Test the behaviour. Choose some updates that are in the SUG but not applied to the test computer. Try to install them manually.

  88. Hi Gerry,

    As a starter to SCCM, I have the following lab environment.

    SCCM 2012 Release Candidate installed on Server 2012 R2 with SQL 2008 R2. I was following some random articles; well, I am facing issues with WSUS.

    WSUS does not seem to be integrated with SUP (I also have followed RezaChan's article for correcting WSUS issues: http://www.windows-noob.com/forums/topic/9030-how-to-configure-wsus-on-sccm-2012-win-server-2012/)

    but I keep getting errors like:

    Wsync.log:

    Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync

    WCM.log:

    The installed WSUS build (0.0.0.0) does not have the valid and supported WSUS Administration DLL assembly version. Please install WSUS 3.0 SP2(minimum 3.1.6001.65) or above

    Eventviewer log: eventID: 6703

    WSUS Synchronization failed.
    Message: WSUS server not configured. Please refer to WCM.log for configuration error details..
    Source: CWSyncMgr::DoSync.
    The operating system reported error 2147500037: Unspecified error

    Please suggest something. Thanks.

    Replies
    1. Why are you working with Configuration Manager 2012 RC? This is not a production version. R2 is the latest version and you should install that. Let me know if you have issues after that.

  89. OK, thanks. I'll recreate my lab, then I'll get back to you.

  90. Gerry,

    This is probably a silly question, but what permission levels should the shares be set at? Share permissions and NTFS.

    Also, when deploying updates from the SCCM console which account is actually creating the update folders and files?

    Thanks!

    Replies
    1. Which shares are you referring to? When you actually deploy the updates using the console the process runs under the context of the logged-on user. That's why the patchdownloader.log file is found buried deep in the user's profile (C:\Users\AppData\Local\Temp). This log file is only visible when a deployment is running.

    2. I'm referring to the server side file share for the approved updates. I'm guessing it's where SCCM and WSUS work together to store the approved updates on the server? When I first approved updates in the console they failed to download which I'm sure was because of share permissions. In order to test this out, I gave everyone full control and tried this again and it worked, but I'll state the obvious that I would like to lock the permissions down to the most restrictive that I can.

  91. Gerry, I have been deploying updates and making them required the day they are deployed. I wanted to start letting them be available for a week or so before forcing them. I was wondering, if it is done that way, is there a way to pull back the updates, say 2 days into the deployment, just in case something goes wrong?

  92. Gerry, I am beginning to roll out my deployments in the same fashion you are, i.e. giving the users a few days for installation prior to making it required. I was wondering if there was a way to cancel the deployment for users who have not installed the updates, say 2 days into the deployment, before the deadline has been reached?

    Replies
    1. I wouldn't rely on that strategy to get you out of trouble Kevin. That's why you should always test your updates on a pilot collection well in advance of deploying to production.

  93. Hi Gerry,
    When creating a new deployment folder for deploying Windows updates, what's the minimum permission required for all users and computers in order for the update to be successful?

  94. Wonderfully written, All the best and Thanks a Ton

  95. Hello Gerry,

    Thanks a lot for your blog. Amazing job.

    My configuration: SCCM 2012 R2 with SP1 on server A (Windows Server 2012 R2) and I would like to deploy MS updates. I created server B (Windows Server 2012 R2 with 281 updates!). I installed SQL Server 2012 (with your step-by-step), and before installing the WSUS role, I'm wondering if I need to install SP3 of SQL Server 2012? I already updated SQL with SP1 and with KB3045318. The SQL version is now: 11.0.3156.0


    Replies
    1. Hi Peter,

      I'm a great believer in always installing the latest SP or CU. They have been created and published for good reason.

  96. Hello Sir,

    My name is Faraz. I have deployed SCCM 2012 SP2 in my company and all SCCM components are working fine, except SCEP: Software Update Management - Endpoint Protection Definition Updates - Compliance is showing as "Not Required" instead of "Installed" after installing.

  97. Hi,

    I have an SCCM 2012 SP2 server and all components are working fine, but I have a problem in Software Updates. Software updates are working fine and scan all updates required by clients, except the SCEP definition shows as required 0. But when I deploy that update to SCCM clients it installs on the client computers, and when I look in \Monitoring\Overview\Deployments\SCEP FOR HEAD OFFICE Status to All Head Office SCEP Clients it shows nothing installed on the client computers, yet the SCEP definition update is installed. I have all the log files on the client computer and site server, all working fine, but it still shows required 0 on all computers.

  98. Hi,
    I'm new to SCCM. I'm trying to update my workstations in a test collection with software updates for the Windows 8.1 operating system.
    One month ago everything seemed OK. I had about 610 updates in my software update group and my test workstations were updating. Then one day a lot of SUs in my group became Expired and so I deleted them from my software update group. Later I realised that they were not Expired; I checked the KB numbers on the Microsoft page: https://catalog.update.microsoft.com/v7/site/Home.aspx
    Now there are just 310 SUs in my group and I can successfully distribute them to my test workstations, but if I check an upgraded workstation with Microsoft Windows Update, it finds about 130 missing updates for Windows 8.1. When I check the missing KB numbers in my SCCM catalog they are indeed missing from the catalog and also from the update group, even if I manually run "Synchronize software updates".
    The big question is: what to do in SCCM to include all available software updates in the catalog again?

    Thanks for your answers - anyone.

  99. Gerry, my WSUS keeps giving errors and won't allow me to continue the post-installation. What are your suggestions on completely removing it and starting over? SCCM 2012 R2, Win 2012 R2. DB created and IIS site created. When I remove the SUP and WSUS I guess it still leaves behind files. Are there folders and/or regedit entries I should delete to start from scratch?

  100. Not really. Just removing and reinstalling has often done the trick for me.

  101. Hi Gerry, I have a problem with SCCM 2012 client installation for a remote site; this site is configured as a VPN network. The client installation is failing with this error: "Download Update: A recoverable error has occurred. A retry attempt will be made." We have a SonicWall firewall at both sites but all ports are open and IPsec VPN is configured. I can see the user admin$ ccmsetup folder and the logs show a BITS related issue. Any idea about it?

  102. Hi Gerry,

    I hope you or anyone that reads this can help me.

    I am running SCCM 2012 R2 currently on a Windows 2012 R2 server.
    The SCCM has been updated to version 1606 with the hotfix.

    I am just starting with SCCM so I am certainly not using it to its full potential.

    I have successfully deployed Windows 7 and Windows 10.
    What I want to accomplish is that while installing the OS, it also installs the Windows updates so that the computer is up to date.

    SCCM and WSUS have the updates for Windows 7.
    But I have also added Windows 8.1 and Windows 10 to the products.
    But for some strange reason those updates are never being downloaded to SCCM/WSUS.
    Any idea why?

    I can't seem to find any error messages in the log files for SCCM.


    Replies
    1. Did you synchronize the updates after choosing new products? Look at the WSYNCMGR.log file. You should see the synchronizations there.

    2. Thanks for the reply. All I had to do was reboot the server. All is working now, thanks.

  103. Hi Gerry,

    I haven't run the WSUS post-installation once, as you have advised in the previous comments; I immediately cancelled my installation after the role had been added, then I added the SUP role. What should be done in this situation?

  104. I am having a problem that my SCCM reports are showing empty. I have checked the SQL Reporting Services configuration and all seems okay. When I hit the IE reports page I bump into a number of ConfigMgr, ConfigMgr.old etc. Where do you think I am going wrong?

  105. Hi Gerry,

    I have a production environment. I patch monthly Windows updates and schedule updates via SCCM 2012. Updates install successfully at the scheduled time. But some users attempted to manually uninstall some updates.

    Can I force users not to uninstall any monthly updates without approval?

    Or can I force SCCM to reinstall when it finds any updates removed manually or by any users?

    Thanks

    Nomi

    Replies
    1. Users will only be able to uninstall updates if they are local administrators on their devices.
      If you leave the required deployment in place the update will be forcibly installed again as the deadline has passed.
