Part 15 of the guide describes the implementation of a software updates solution. This section is for Microsoft updates only. Non-Microsoft updates are discussed in Part 16.
The process is divided into the following sections:
1. WSUS Role
2. Config Mgr Software Update Point
3. Updates Infrastructure and deploying updates
4. Client view
1. Add WSUS Role
Choose Role-based or feature-based
Choose local server
Choose WSUS role. You are prompted to add features that are required for WSUS.
Select to Add Features. Click Next to continue
Click Next
Click Next
Select required role services. Note that we need WSUS services and Database. We will not be using Windows Internal Database (SQL Server Embedded).
Choose location for WSUS updates. Note that this folder will only contain WSUS metadata and will not grow massive in size. (ConfigMgr will manage the download of the actual updates files to deployment packages). Choose a folder. Note that it must exist already.
Enter the database server name and click "Check Connection"
Click Install to continue installing WSUS
When installation has succeeded click Close to finish
Launch Administrative Tools
Double-click WSUS to continue the installation
Enter WSUS content location. Catalog information and EULA are downloaded here during synchronisation with Microsoft Updates. Note that updates will not be downloaded to this location. Updates will be downloaded to ConfigMgr Deployment packages.
WSUS has been installed. We do not need to configure it. Config Mgr will do that for us. Click Cancel to finish.
Verify that the database has been created.
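A scripted equivalent of the wizard steps in section 1, added here as an example (it is not from the original guide). The server name SQLSERVER01 and the path D:\WSUS are placeholders, and "WSUS Administration" is assumed to be the default IIS site name created by the role.

```powershell
# Added example: WSUS role with a SQL Server database, followed by the same
# checks the guide performs by hand. Run from an elevated PowerShell session.
# Placeholders (assumptions, not values from the guide):
$SqlInstance = 'SQLSERVER01'   # database server name entered in the wizard
$ContentDir  = 'D:\WSUS'       # WSUS content location (metadata and EULAs only)

# The wizard insists that the content folder exists already, so create it first.
if (-not (Test-Path -Path $ContentDir -PathType Container)) {
    New-Item -Path $ContentDir -ItemType Directory | Out-Null
}

# WSUS services plus the SQL Server database role service. The Windows Internal
# Database role service (UpdateServices-WidDB) is deliberately left out.
$result = Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-DB -IncludeManagementTools
if (-not $result.Success) {
    throw 'WSUS role installation failed.'
}

# Post-installation tasks: the step the guide triggers by launching WSUS from
# Administrative Tools. Skipping it leaves the role installed but unconfigured.
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusUtil postinstall "SQL_INSTANCE_NAME=$SqlInstance" "CONTENT_DIR=$ContentDir"
if ($LASTEXITCODE -ne 0) {
    throw "wsusutil postinstall exited with code $LASTEXITCODE"
}

# Verify that the SUSDB database has been created on the SQL Server.
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlInstance;Database=master;Integrated Security=True"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT COUNT(*) FROM sys.databases WHERE name = 'SUSDB'"
    if ([int]$cmd.ExecuteScalar() -ne 1) {
        throw "SUSDB was not found on $SqlInstance"
    }
    Write-Output "SUSDB exists on $SqlInstance"
}
finally {
    $conn.Dispose()
}

# List the IIS bindings so they can be compared with the ports chosen later for
# the Software Update Point (8530 for HTTP, 8531 for HTTPS).
Import-Module WebAdministration
Get-WebBinding -Name 'WSUS Administration' | Select-Object protocol, bindingInformation
```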
2. Config Mgr Software Update Point
Right click Site Server and choose Add Site System Role
Verify server name and click Next
We do not need a proxy server this time. Click Next
Choose Software Update Point
Choose 8530 and 8531 for client communications
Click Next
Choose to Synchronize with Microsoft Updates
Choose to enable sync on a schedule. Every 7 days is sufficient
Choose default supersedence behaviour
Choose your required classifications
Choose English only (or not as the case may be)
Verify your choices and click Next to continue
Software Update Point has been added. Click Close to finish.
Navigate to Software Library. Right click on Software Updates and click Synchronize Software Updates. This manually starts the first sync with Microsoft Update catalog.
Click Yes to verify
Verify sync via WSYNCMGR.LOG
3. Updates Infrastructure and deploying updates
Create a test collection
Add test resources to the collection
Prepare folder structure for Windows 7 and Office 2010
Note that the Deployment process involves Software Update Groups and Deployment Packages. Software Update Groups should be created monthly and are deployed to collections of devices. They will contain all the updates released that month and are simply a filtered list of downloaded updates (note that a SUG can contain a maximum of 1000 updates). The same deployment package can be used each month. The deployment package contains all the downloaded updates binaries.
See here for a possible software update strategy for your organization.
For the sake of demonstration we will just consider Windows 7 updates in this example.
Open Software Updates. On top right hand side of screen click Add Criteria (this is merely for filtered searching of updates)
Choose Product, Bulletin ID, Expired and Superseded and click Add
Click Search
You are now presented with a filtered list of Windows 7 updates which are not expired or superseded.
Save Search Criteria for future use (Save Current Search)
This launches the Deploy Software Updates Wizard
Enter suitable names for the Deployment and the Software Group. Select Deploy (as this is our first time we have no deployment template. We can create one as part of this initial process).
Leave the default "Required". After all, updates should not be optional.
For the sake of testing we will choose Deadline to be "As soon as possible". You would not use this in production. Allow a week or so before forcing the installation. Users will be informed for a week that they should install the updates. When the deadline is reached the installation will commence.
Click Next to download the updates, add to the deployment package, distribute to the DP and deploy to the test collection
4. Client view
See installed software updates in the Software Center
As the deadline has already been reached the restart countdown commences.
Thanks, you save my day!
Hi Gerry,
I have 2 questions regarding this step.
I have a Windows 2012 WSUS server installed and configured in a separate VM that is currently deploying updates to all my VMs.
1) What is the interest in configuring the System Update Point role when you already have a WSUS server installed ?
2) Regarding this configuration (with an already installed server), I have only installed WSUS Console using this PowerShell command : Install-WindowsFeature -Name UpdateServices-Ui.
When I try to configure the SU Point Role, I'm unable to have the same Product list as the one I have in the WSUS server (missing Office 2013 / Windows 8... All new products).
Is it because I haven't installed WSUS on my SCCM server and therefore haven't been able to install the 2 patches WSUS-KB2720211-x64 and WSUS-KB2734608-x64 needed for WSUS 3.0 SP2 ?
I hope I'm clear enough..
Thanks
1. SCCM allows you to manage your estate from one console. You don't need to use the WSUS console. Also, you can take advantage of the following SCCM features
- maintenance windows
- bandwidth throttling
- reporting
2. Choose your products (without Office 2013 and Windows 8) and carry out your first sync. I believe the new products will then be available.
Thanks for your information
Is it necessary to share the folder where the updates are downloaded to so that all users have read access to the updates?
Thanks,
Ryan
Even though you have to create a folder when you are configuring WSUS, this is never used by SCCM. You create a folder structure for SCCM Update Deployment packages. This is where the updates are downloaded to. These packages are then distributed to your Distribution Points for deployment.
When the SCCM client on a device looks for updates from SCCM it is directed to the nearest DP for downloading. The computer System account does all this and should have access to the DP by default - nothing to do with users.
Hi Gerry, would you please give me some kind of advice on a current problem:
I've decided to start configuring SCCM from a "Software update point" role, instead of setting up others (maybe that's the problem). Everything worked fine until I tried to start "first manual update" - it didn't work at all.
I opened "WSUSCtrl.log" with a "Trace tool" and found out this:
Checking for supported version of WSUS (min WSUS 3.0 SP2+KB2720211+KB2734608)
Checking runtime v2.0.50727... SMS_WSUS_CONTROL_MANAGER 15412 (0x1524)
Did not find supported version of assembly
Microsoft.UpdateServices.Administration. SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
Checking runtime v4.0.30319... SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
Found supported assembly Microsoft.UpdateServices.Administration version 4.0.0.0, file version 6.2.9200.16384 SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
Found supported assembly Microsoft.UpdateServices.BaseApi version 4.0.0.0, file version 6.2.9200.16384 SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
Supported WSUS version found SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
***
Attempting connection to local WSUS server SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
System.Net.WebException: Сбой запроса с состоянием HTTP 503: Service Unavailable.~~ в Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ в Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~ в Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
Failed to set WSUS Local Configuration. Will retry configuration in 1 minutes SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
Attempting connection to local WSUS server SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
System.Net.WebException: Сбой запроса с состоянием HTTP 503: Service Unavailable.~~ в Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ в Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~ в Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
Failures reported during periodic health check by the WSUS Server SRVSCCM.rainvest.local. Will retry check in 1 minutes SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
Waiting for changes for 1 minutes SMS_WSUS_CONTROL_MANAGER 19.06.2013 10:34:01 5412 (0x1524)
It seems like SCCM is unable to connect WSUS through web, I've tried to do it manually and got same error. I've run IIS console - it shows that WSUS has been assigned ports 8530 and 8531, SCCM configs are made accordingly.
Are SCCM and WSUS on different servers? You have to add the SCCM Computer Account (SCCM_Server$) to the Local Administrators Group on the WSUS server.
No, I've got only one server. WSUS role was added to current server just according to your guide.
There is an issue with WSUS on Server 2012. When you add the WSUS role you have to launch WSUS from Administrative Tools. This carries out some post-installation configuration. You then cancel the WSUS Configuration Wizard when it starts. Did you do this - it's in the blog.
I've just had a similar problem on a site this morning. I had to do this twice and then restarted the server. Then I could see that the Software Update Point was added successfully.
Gerry, thanks a lot for your answers. And yes, it was done right that way. Suppose removing the "WSUS" role and cleaning administration web-site through IIS-console can help me to accomplish new installation ?
Gerry, my great thanks to you for paying attention to my small problem! I removed "WSUS" role and went through the installing process again(both in OS and SCCM) and now it works! Thanks again!
Hi Gerry,
Nice article(s). Other blogs refer to the creation of the standard GPOs to reference the WSUS server (points to the SCCM 2012 server) and manage update time and behaviour. Is this not necessary in SP1 as the only difference appears to be that their articles are pre SP1. The reason I ask is I'm having issues in getting the updates to deploy to the workstation and have GPO settings hitting my test machines as defined in another guide. Are you able to advise if the GPOS are needed please.
Cheers,
Matt
I don't use a GPO when configuring Software Updates via SCCM (even pre-SP1). I find that GPOs can interfere with the process.
Thanks Gerry, almost as soon as I'd finished writing, the test machine popped up with updates to deploy! I had thought that GPOs may muddy the water. Will remove and retest. Thanks for the reply. Cheers. Matt.
Hi Gerry,
If I go to deploy updates using an Update Group and proceed to creating an “Update Package”, it will obviously download all the updates I’ve chosen, distribute those to the DPs and deploy to my collection. What if I need to deploy these updates to a different collection at a later time? Do I need to go through the whole process again (downloading same updates, deploying, distributing, etc.)?
Also, what is the best way of purging the downloaded content from the DPs periodically?
Thanks,
Steve
No, you just have to deploy the update deployment package to the new collection. The updates have already been downloaded.
In ConfigMgr 2012, Microsoft have added the capability to automatically remove software update content from distribution points when that content is related to expired updates. See here
http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/software-update-content-cleanup-in-system-center-2012-configuration-manager.aspx
How do I go about reinstalling WSUS? I removed the Role and features and tried to reinstall WSUS but after going to my server /SUSDB I get this error, Error 26 Locating Server/Instance Specified servername/SUSDB is what I enter in the post WSUS installation it worked the first time I installed WSUS but misconfigured the ports and need to change back to port 80. Thanks
If you need to re-install the WSUS role you should remove the WSUS role and delete the database before you start again.
Hi Gerry,
I've created Software Update Groups for "2003-2009", 2010, 2011, 2012 and 2013 for "All Products". These are not deployed, but show me the level of compliance for machines. The 2012 group has 547 updates and is at 93% compliance (there are only 7 updates actually required by machines). If I deploy the 2012 group, will it download all 547 updates? Similarly, in the 2013 group, only 169 out of 751 are actually required, and I don't want to download all that extra content when it's not currently required.
Rory.
Hi Rory,
Once you have created the Software Update Group you have compiled a list of updates that WILL be downloaded into a Deployment Package (up to a maximum of 1000 updates - this is a hard limit).
They will be downloaded even if they are not required for current compliance (you should appreciate that they may be required later for compliance - if you introduce additional devices).
I know, for example, that only 169 out of 751 are actually required, but the disk space required is not much. Also there will be no attempt to install them on a device if they are already installed.
I would be more concerned with the extent of "Products & Classifications". I would not choose "All Products" just because I could. I would only choose the products I actually require, for example I would not deploy SQL or Exchange updates using this method.
Also, I usually don't deploy updates to XP and Windows 2003 as they are approaching end-of-life.
Gerry
Also Rory,
I would be very specific in targeting the updates. I tend to create Software Update Groups monthly for specific products (Windows 7 for example) and add the updates to Deployment Packages in 6 monthly cycles. These updates would be deployed to collections of Windows 7 computers only.
I treat server OS differently as maintenance windows requirements would be very different.
Thanks Gerry,
Like many, I've been hit by "bad" patches over the last six or so months, mainly on server platforms, and am re-evaluating how I roll them out. I used to push updates out on the Friday night after patch Tuesday, but now I have pushed it out to three weeks after release, to give more time for some patches to be withdrawn, and even then only to client machines.
I haven't auto-patched any servers for about 5 months now (Aidan Finn has also written about this recently), preferring to do them individually depending on a combination of business requirements and the level of patch-criticality.
So the only endpoints that get auto-patched are our W7 clients (we've no clients older than that, and only one W8).
When I said "All Products", I actually meant all products that we use here, e.g. W7, IE10, Lync 2013, TMG Client, SCEP definitions and Office, etc.
Thanks for the advice,
Rory.
I know where you're coming from Rory. It's been poor recently. I read Aidan's blog this week. He was very critical all right.
Also, I don't see any harm being up to 4 weeks behind - as long as you can quickly deploy a critical patch if necessary.
Hi Gerry,
Can I select multiple products in creating software update groups?
Thx
Yes, you can. I like to keep them separate though. If you use separate groups you should configure "Install All Required Updates When Deadline Occurs" in Software Updates client agent.
This setting indicates whether to enforce all mandatory software update deployments that have deadlines within a certain timeframe.
Hi Gerry,
Thanks for this great series, I've been using your blog to configure the system center here.
I just don't seem to be able to deploy Internet Explorer (9 & 10) because they are not visible in the SUP. I don't know if this has something to do with it but when I have a look in the WSUS console I can see that the files haven't been approved because the Microsoft Software Terms failed to download.
Kind regards
Jurgen
Hi Jurgen,
You need to solve that Microsoft Software Terms problem before you can continue successfully. I previously had it
http://www.gerryhampsoncm.blogspot.ie/2013/07/failed-to-sync-update-error-microsoft.html
Hi Gerry,
Just for the record, my SCCM is behind a required proxy with authentication. The solution was this hotfix: http://support.microsoft.com/kb/2838998
Kind regards
Jurgen
Very good Jurgen. Thanks for letting me know.
Hi Gerry,
I tried your steps but I can't get the clients updated. The updates (step 4) are not downloaded to the clients. I tried to force run the policy update, but still nothing happens.
Your help is highly appreciated.
There are so many reasons why this could happen. Look in Monitoring > Deployments and double click on the Updates deployment to see the status.
Great article, lot of help. Seems like a lot of maintenance compared to WSUS, I'll be making deployment packages all the time.
Thank you for the article. I have a question though. When I added the WSUS role to my site server I chose to install on the Windows Internal Database. When I download the updates in SCCM where exactly are the updates going to be stored?
Only the WSUS metadata is stored in the database (in your case the Windows Internal Database).
When ConfigMgr actually downloads the updates it will save the files in the deployment packages that you configure.
Gerry, I have a nightmare on WSUS using Server 2012 R2 Standard to work properly with SCCM 2012 R2 Standard using Server 2012 R2 Standard on separate box.
What is the proper way on setting it up? I have no problem on re-doing my test lab.
My environment:
- 2 Domain Controller (Server 2012 R2 Standard)
- 1 SCCM 2012 R2 Standard (site server, not CAS) (Server 2012 R2 Standard) with SQL 2012 SP1 CU3
- WSUS (Server 2012 R2 Standard) using SQL 2012 SP1 on different box.
I can't configure SCCM 2012 R2 to work with my WSUS (WSUS recognized all the computers and downloaded patches without any problem).
I really need your advice, please.
Thanks,
Reza
Sorry for the delay in responding Reza. I've been on vacation. Did you manage to resolve your issue? This is a supported configuration.
I got from this blog: http://prajwaldesai.com/installing-wsus-for-configuration-manager-2012-r2/?goback=%2Egmp_3752127%2Egde_3752127_member_5826543302941364226#%21
WSUS 3.0 Service Pack 2 is required for System Center 2012 R2 Configuration Manager. SCCM 2012 R2 supports only 64-bit site systems, you must use the 64-bit version of WSUS on one of the supported 64-bit editions of Windows Server. The WSUS 3.0 SP2 is available here:- http://www.microsoft.com/en-us/download/details.aspx?id=5216
But when I tried to install it on Windows Server 2012 R2 before adding WSUS role and before installing SCCM 2012 R2. I'm stuck... I wished I could upload my screen shot.
WSUS30-KB972455-x64.exe (double click to install it)
This program has compatibility issues, Windows Server Update Services Microsoft. Click button: Get help online
You do not need WSUS 3.0 SP2. This is only for Windows Server 2008R2. Server 2012 ships with a new version of WSUS - no Service Pack required.
You really should try following this guide step by step.
Consider your logic. You are trying to install a service pack for a role you have not added.
Hi Gerry,
I'm also having problems with the updates I'm able to create the Software Update Groups with the required content but after I deploy them to the collection the computers won't start the installation. Nothing is downloaded. I checked the locationservices.log on the clients machines and there is no mention of the WSUS or SUP paths. Could that be my problem?
Your help is appreciated.
Thanks
In the ConfigMgr console have a look at Monitoring / Deployments. Check the status of your deployment for errors.
Hi Gerry,
Thanks for the quick response. Turns out I forgot to clear out the System Management container in AD after I had previously reinstalled the server. After I did that and restarted the Site Component Manager service the updates started working.
Thanks
Hi Gerry,
I'm able to deploy updates (Microsoft and Adobe). When the install is finished on the client the software center notification appears saying software has been installed. But when I go to the software center it's empty. It doesn't give a list of the installed software. Is this because I'm only installing updates and not applications? Is this normal or is there a config I'm missing?
Thanks
This is by design. Once updates are installed they are no longer visible in the Software Center. It actually makes sense when you consider the number of updates that will be installed in the lifetime of a computer.
Gerry, we are running SCCM 2012 R2 on a Server 2012 R2 box as our primary stand alone site that manages about 500 computers. Currently, we have another box running WSUS (not a SUP to SCCM) and GPO is set for all machines to download their update from MS Updates. Question is, is there a way for the computers to still get their updates from MS Update if we were to set the WSUS box as the SUP?
Yes there is, although that doesn't make sense to me. Have a look at this.
http://social.technet.microsoft.com/Forums/en-US/527ba570-0921-4be6-85da-2d1fc95e4f35/question-regarding-download-settings-within-a-software-update-deployment?forum=configmanagersecurity
Gerry,
I finally got it working. I updated my post:
http://www.windows-noob.com/forums/index.php?/topic/9030-how-to-configure-wsus-on-sccm-2012-win-server-2012/?p=36633
FYI, someone responding to me directly from other source:
* If you are installing using Windows Server 2012 then no because WSUS is version 4 in Server 2012.
* If installing on Server 2008(R2) then yes, but you should always look to update everything to latest versions anyway.
That's good Reza. But I already told you that. See above
Gerry Hampson, 8 January 2014 13:39
You do not need WSUS 3.0 SP2. This is only for Windows Server 2008R2. Server 2012 ships with a new version of WSUS - no Service Pack required.
Gary, that's confusing lots of users out there because during the SCCM 2012 R2 setup, it said you must add WSUS 3.0 SP2. And one thing that Microsoft forgot to mention on that screen:
Microsoft should add here, if you are running Server 2012 plain or R2, you do NOT need to install WSUS 3.0 SP2!!! This is only for Windows Server 2008
http://www.windows-noob.com/forums/index.php?/topic/9030-how-to-configure-wsus-on-sccm-2012-win-server-2012/?p=36633
Hi. We have WSUS setup on server002 and the Windows 7 clients point to this. The SUP though is on the same server as most site system roles, server007
I understand that WSUS is supposed to feed into SCCM the updates and SCCM then deploys these as packages. Does this mean that in the GPO Intranet Microsoft Update location setting needs to be the SCCM server rather than the WSUS server ?
Someone mentioned switching off the WSUS GPO but then how will the Win 7 machines know where to look for updates or is the fact Configuration Manager installed enough for them just to receive updates pushed to collections from SCCM admin console ?
Thanks in advance, John
When you deploy a ConfigMgr software update solution the ConfigMgr client creates a local policy on the clients telling them where they will now get their updates.
Therefore in theory you no longer need the WSUS GPO. However, this is just in theory. What happens if the client, for some reason, loses its local policy? It will then revert back to its default setting, which is, automatic download via Internet and install at 3am. We don't want that. Therefore I retain a WSUS policy but configure it to disable automatic updates altogether.
It's good practice to do this John.
OK. Currently some clients show the WSUS server as update point in windowsupdate.log, I assume this is wrong and it should be showing the SCCM server with the SUP role ? Sounds like need to remove the old GPO then or as you say change it to disable automatic updates altogether
Don't just remove the GPO. Otherwise all your clients will default to Automatic Updates via Internet. I've seen it happen and it's not pretty. Edit the GPO to disable the updates.
Some clients show the WSUS server as update point in windowsupdate.log, I assume this is wrong and it should be showing the SCCM server in the log file ?
I still use GPO for our current environment SCCM 2007 SP2 R3. You could try using this command: wuauclt /detectnow
I have just built the SCCM 2012 on my environment in a single site and I was able to sync the updates and push the client install to the clients, but when I try to deploy the software update, updates are not getting pushed on the clients, can you please let me know what could be the issue
Thanks,
Sudhi
What troubleshooting have you done Sudhi - Monitoring > Deployments, logs etc?
So, that's all about WSUS updates.
And what about orphaned SCCM packages?
I reinstalled the Distribution Point. Its folder is 20gb, but currently deployed packages are 1gb only. Is there any auto-cleanup and how often is it done?
No, there is only an auto-clean for Windows Updates. Packages should be removed from the DP when you carry out the instruction in the console.
Gerry...a quick question. I have installed WSUS and the SUP role on the Primary server. They point to a SQL database on a remote SQL server. Everything is working nicely at the moment. The next step is that we need to install one additional SUP server. I have it ready to install WSUS, but where I get stuck is in the WSUS installation. I provide a local path for the updates. But for the database location, do I point it to the remote SQL database instance that we've already installed? We want to share the database rather than sync databases, as the servers will reside on the network. Once that's completed, then my plan is to simply push the SUP role to it from the Primary Server. But I just need to confirm that I have these steps correct regarding the installation/configuration of WSUS on the additional SUP that is separate from the Primary Server. Thank you for the great detailed information above!!
Sharing the database is the preferred method as it limits network traffic when clients failover to use the second SUP. You can read about it in the TechNet library
http://technet.microsoft.com/en-us/library/hh692394.aspx
When deploying updates, is it better to split them up along MS Product lines? Or have each months updates in a single ADR/Deployment?
I always split the updates by product.
Hi Gerry,
I have been trying to deploy windows updates...
My device settings were initially not set right.. Endpoint protection was being installed on all machines which I did not want to happen. I managed to sort this out for future machines.
But yea the problem I have is with the PC's I have uninstalled Endpoint from. All these PC's are stuck in non-compliant for some reason.. I have tried reinstalling the client but still no luck..
Is there anything I can do to sort this?!
That really depends on your client settings Matt. Look in Software Updates. What are your Software Update Scan & deployment re-evaluation schedules? By default they are 7 days. The compliance will not change until these scans run and report.
Manually run the scans on the client and see if this changes the compliance. Note that it will not be instant - nothing is with ConfigMgr.
The non-compliant PC's eventually go to a failed state: Failed to install updates error code: 0x800705B4
This only happens on PC's I have removed Endpoint from, before it had the chance to download the updates.
Any ideas?
Gerry,
I am terribly new to deploying updates through SCCM, have been doing it through WSUS stand-alone for a while now. Can you point me to any resources that will help in getting the logic of how to manage product updates from within SCCM , rather than WSUS stand-alone?
A few of my main questions/concerns:
1) What's the best way to organize / manage updates for the products my environment requires? (Windows 7, server 2012, server 2008, sql 2008, sql 2012/etc)
2) Do I have to have a device collection of all windows 7 computers, all server 2012 computers, all sql 2008/2012 computers / etc in order to deploy software to JUST those devices, or is there another non-time-consuming way of doing this?
3) I did a custom search for Product : windows 7, expired : no, Superseded : no and added those to a group called Windows 7 Updates...and i'm GUESSING I then must create a device collection of all windows 7 clients (I already had this) and deploy new "Windows 7 Updates" package to the "Windows 7 Clients" device collection? Is that logic correct, and if so do I have to do that for each and every other product? (seems a lot more work than WSUS stand-alone was, but just wanting to make sure my thought process on this was correct)
Your blog / replies on technet are greatly appreciated...thanks so much!
You're welcome Jon.
In answer to your questions:
1. I usually create separate Software Update Groups and deployment packages (and folder structures) for each product.
2. It really depends. I would have a Windows 7 collection. However I would not have an Office 2013 collection - I would use the Windows 7 collection for these updates.
You would need separate collection for other products.
Note - I would not use this method for SQL updates. SQL updating should be planned as a project in its own right.
3. Your logic is correct. It won't seem like a lot of work once you start using it and you get used to it.
Hi Gerry.
I managed to overcome a problem I was having with PC's going to Non-compliant mode. I had no boundary groups which meant PC's were not able to find the site!
Strangely I never thought this was the problem because some were working without the boundary group. But yea, as soon as I added the boundary group all PC's started working correctly!
Nice one Matt.
Hi Gerry,
Already close to a nervous breakdown:
Some time ago we had our WSUS / SUP working fine with SCCM 2012 SP1, installed on a (virtual) server 2008R2
Due to performance issues we were forced to move SCCM to a powerful hardware box.
there we installed server 2012R2 as OS, and we successfully did restore a SCCM Backup from the virtual Machine
We've been told to keep the same servername as the virtual - to succeed on SCCM backup restore
So far so good ... all does work fine, on top of, we did upgrade to CU3
However since that day - none of our clients did receive a single WSUS update anymore. On the server side all is fine to me.
updates are synchronised - automatic deployment rules do what they have to do, software update groups are created, updates downloaded, distributed and deployed.
update deployments are required with deadline and so on ...
the logs on the server do look fine ...except one thing in the WCM.log which came to my attention
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608) SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
Checking runtime v2.0.50727... SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
Did not find supported version of assembly Microsoft.UpdateServices.Administration. SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
Checking runtime v4.0.30319... SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
Found supported assembly Microsoft.UpdateServices.Administration version 4.0.0.0, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
Found supported assembly Microsoft.UpdateServices.BaseApi version 4.0.0.0, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
Supported WSUS version found SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
It states that it can't find a supported version of assembly - but 2 lines later it says that it has one of a higher release
Since server 2012R2 does come with a higher WSUS release. so I think no issue here ...
Even on the client side I do not find errors - see here entries of WUAhandler.log (here I changed servername & domain) but in real life the server's name = correct
Its a WSUS Update Source type ({FA626CBA-DA9C-4CBE-99E7-397DD7570854}), adding it. WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
Existing WUA Managed server was already set (HTTP://servername.dom.CORP.DIR:8530), skipping Group Policy registration. WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
Added Update Source ({FA626CBA-DA9C-4CBE-99E7-397DD7570854}) of content type: 2 WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
Scan results will include all superseded updates. WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
Search Criteria is (DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver') WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
Async searching of updates using WUAgent started. WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
Async searching completed. WUAHandler 10/04/2014 8:58:59 10176 (0x27C0)
Successfully completed scan. WUAHandler 10/04/2014 8:59:01 9488 (0x2510)
FYI - we are not using GPO's to set WSUS source .. boundaries are configured correct ....
on the SCCM server In the deployment status for a software updates deployment -> clients report - status unknown -> client check passed /active
To me the clients don't detect that there are new updates available.
Have you any idea where it can go wrong .. I so far can't find out Why
Thanks
G.
I think you went wrong by not keeping the same OS on the new hardware. WSUS version has changed from 2008R2 to 2012R2 and I believe that this is the problem. ConfigMgr is still looking for the previous installation.
I think that you will have to re-create your software update solution.
Gerry,
Could you be a little more specific on what you mean by re-create your software update solution? I have the exact same issue above for the exact same reason.
I mean start again Zachary. Remove the Software Update Point and WSUS and start again.
Dear,
I found out that when the sccm client gets installed -> a local policy has been set to point to the WSUS update service location / SCCM server - in our case http://servername.domain.corp.local:8530
Since most of our clients were installed from the former SCCM setup on the Virtual server installed with server 2008 R2 + wsus 3.0 + SP2 this local policy is still pointing to http://servername.domain.corp.local:80
We however did upgrade all clients to the CU3 level from the SCCM setup on the new server installed with 2012R2 operating system and corresponding WSUS 4... - the client upgrade did succeed - but the setting for the WSUS service location did remain on http://servername.domain.corp.local:80
I did try to get rid of that port 80 setting - but no chance ..the SCCM agent nicely did revert back to port 80 all the time.
Then I uninstalled the SCCM client by running CCMSetup.exe /uninstall - after the uninstall I've rebooted the client - and installed the SCCM client again (direct from the primary site server)
And yes - the windows update service location was set correct now!
http://servername.domain.corp.local:8530
Suddenly the client did start talking with the System center server - and did report back updates status - the client even did install updates - unfortunately only updates who were released / deployed before - we moved SCCM from the Virtual server to the 2012R2 hardware server.
So we're getting closer - now we need to find out why those fresh released updates / groups (April 2014) and corresponding deployments - are not detected by the client.
any suggestion would be highly appreciated
Thx
G.
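A way to check a client for the stale port 80 setting described in the comment above, as an added example that is not part of the original thread. It compares the Windows Update policy value WUServer and the last "WUA Managed server" line in WUAHandler.log with the software update point port (8530 in this guide); the function names, the default log folder and the fallback sample line are assumptions.

```powershell
# Added example, not from the original thread. Run on a ConfigMgr client.
# Assumptions: the software update point listens on 8530 (the port chosen in
# this guide) and the client logs are in the default %windir%\CCM\Logs folder.
param(
    [int]$ExpectedPort = 8530,
    [string]$LogPath = "$env:windir\CCM\Logs\WUAHandler.log"
)

function Get-UpdateServerInfo {
    # Split a WSUS URL into its port and compare it with the SUP port.
    param([string]$Source, [string]$Url, [int]$ExpectedPort)
    $uri = [System.Uri]$Url
    [pscustomobject]@{
        Source    = $Source
        Url       = $Url
        Port      = $uri.Port   # 80 when an http URL carries no explicit port
        PortMatch = ($uri.Port -eq $ExpectedPort)
    }
}

function Get-LastManagedServerUrl {
    # Return the URL from the most recent "WUA Managed server" line, if any.
    param([string[]]$Lines)
    $hit = $Lines |
        Select-String -Pattern 'WUA Managed server.*?(https?://[^\s\)\],]+)' |
        Select-Object -Last 1
    if ($hit) { $hit.Matches[0].Groups[1].Value }
}

$results = @()

# 1. Windows Update Agent policy value (set by the ConfigMgr client's local
#    policy or by a domain GPO).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.WUServer) {
    $results += Get-UpdateServerInfo -Source 'Policy WUServer' `
        -Url $policy.WUServer -ExpectedPort $ExpectedPort
}

# 2. The server the client last logged in WUAHandler.log.
# Constructed sample line, modelled on the excerpt quoted in the thread;
# it is used only when the log file is not present.
$sample = @('Existing WUA Managed server was already set (HTTP://servername.dom.CORP.DIR:8530), skipping Group Policy registration.')
if (Test-Path $LogPath) {
    $lines  = Get-Content -Path $LogPath
    $source = 'WUAHandler.log'
} else {
    $lines  = $sample
    $source = 'constructed sample'
}
$logUrl = Get-LastManagedServerUrl -Lines $lines
if ($logUrl) {
    $results += Get-UpdateServerInfo -Source $source -Url $logUrl -ExpectedPort $ExpectedPort
}

$results | Format-Table -AutoSize
$results | Where-Object { -not $_.PortMatch } | ForEach-Object {
    Write-Warning "$($_.Source) points at port $($_.Port), expected $ExpectedPort ($($_.Url))"
}
```

A warning for the policy row but not the log row (or the reverse) means the two sources disagree, which matches the situation where a setting keeps reverting to the old port.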
Question - why do you need yet another database? Why not use the one that is installed (SQL)?
Hi Gerry
I am having problem with updates at server and client. it says downloading (0% complete) on software center since 4 days but it's doing nothing. any idea?
thanks
Hananahujaja
hi gerry
hope you are well, I am having a problem with updates. in software center it says downloading ( 0% complete) but it's doing nothing. any idea?
thanks
Quite often this is caused by incorrectly configured boundaries and boundary groups.
Thanks for your reply gerry really appreciate.
But when I see the deployments status there are 57 computers has compliant and 19 computers has failed to install update (This operation returned because the timeout period expired) error code 0x800705B4.
Apart from this I have only 1 boundary do I still need to create boundary group?
You need a boundary group. Add your boundaries and associate with a DP.
Oh and also, in the Locationservices.log (if it matters) there is an entry - Calling back with empty distribution points group.
Chris
Sorry Gerry, I seem to have lost my first post (again on this site) I have the same issue as above but it has been working for a few weeks prior. Now I see the error Failed to download update(s) for all 160 clients...any ideas?
Regards,
Chris
Forget the complexity of software updates for the moment. Can you deploy a simple application to your clients?
To be fair I have not yet tried pushing applications as this is the last part of the project and least urgent. If I show the patches as visible in software centre then I can try and download them but they just sit at 0% complete. I have had the boundary groups set up since the first push and they have been rolling out fine (well 96% success rate) for a few weeks preceding.
I've seen this problem recently (clients stuck downloading updates at 0%) when the deployment package was not available on the DP. Check the Monitoring node and redistribute if necessary.
Thanks for your response Gerry, I only have 1 SCCM server running. I have an ADR for updates that creates the deployments. A new deployment for each set of updates. The odd thing is that I have it set to create a new Deployment each week on a Tuesday night and the past 2 weeks have been an issue but today I see patches are rolling as I am 14% compliant. I will let it lie until the weekend to see if, after the forced reboot deadline, my compliance jumps up.
I did check on the DP and all of the patches in the previous group show as 'Downloaded' 'yes'. I may change the policy to update once monthly rather than weekly...
In any case I will feed back to you whether it was a blip or if I still have issues.
Thanks
Chris
Gerry - I've tried following your guide and others and my SCCM 2012 SP1 keeps looking for WSUS 3.0 SP2 (+ 2 KB). I'm doing a fresh install with the following:
Windows 2012 R2 with SCCM 2012 SP1
Windows 2012 R2 with WSUS 4
Initially, when I installed SCCM 2012, I tried connecting to an existing WSUS on a 2008 Server, but this had all the software updates configured. This was another machine and does not share the same name with the 2012 WSUS server. Every time I've tried to add the SUP, it's looking for WSUS 3.0.
I've read that sometimes SCCM takes awhile to update, but I've done countless rebooting. I've ensured the SCCM computer is a local admin on the WSUS server and also a part of the WSUS Administrators. I've also added the domain service account we're using. The WCM.logs continue to indicate it's looking for WSUS 3.0. Do you know how to fix this?
Thanks for your work.
I would start again here. There must be a reference to the 2008 WSUS somewhere. Remove the SUP, remove WSUS, delete the database (SQL or Windows Internal). Then reinstall WSUS (do not configure) and add the SUP again.
Hello, great information, thanks for your good documentation!
I just wondered if any other SCCM user ran into the problem to be able to update the Windows servers (2012, 2008 R2) the "conventional way" via Windows Update, the SCCM server as the WSUS server and therefore being able to choose the time of installation of the already downloaded patches individually while still updating the other clients via SCCM push.
I searched this post but did not find any suggestions.
Anyone solved this yet?
Thanks in advance!
I'm not 100% clear what you are trying to achieve Markus, but it sounds very messy.
I have successfully deployed updates from the console but from the client no action happens. How can I trace where the problem could be? I had targeted to a single test collection PC. I need to know to trace if issue is related to ports, updates folder. Is there any given troubleshooting procedure for issues related to sccm site server and clients?
Secondly I inherited operation which previously had WSUS deploying updates directly to clients. Do I need to re-install WSUS Role?
Have a look at the Monitoring node -> Deployments. Find the updates deployment. Are there any errors?
Hi Gerry I have an issue where I have SCCM SP1 installed on a Server with SERVER 2012 DATACENTER.
I am having issues getting the WSUS to synchronize for the first time.
I keep getting a http error.
I am looking all over the internet for a solution but no help?
You've given no information. Where are you seeing this error and what is it? Analyze the WCM.log and WSYNCMGR.log files for errors.
Hi Gerry,
I have read your blog. Also I think you can help me in this matter. In my organization sccm 2012 was configured by another person, who has already left now. He configured wsus & also the SUP. Client machines are not getting any windows updates. Also I am totally new to the server side. It shows in the software library as updates are downloaded & deployed as "yes". But Required, Installed & Percent Compliant as "0". Last working day I changed the wsus ports to 8530 & 8531. After that in Wsyncmgr.log it shows some errors.
for the last six months none of the client computers are getting windows updates. same with the Endpoint protection. I pushed endpoint protection to all client computers but they are not getting the updates.
Please help me.
Regards,
Thomas
Hi
do you have any ideas why the classification "drivers" is not available in sccm software update point options? in native wsus it is..... so the 8.1 driver updates cannot be deployed...
regards mike
Sorry for the late response Mike. I've been on vacation. This option was deliberately removed as it was deemed a bad idea to manage drivers in this way. I actually agree.
Hi Guys,
I am configuring my first SCCM server. I am following the windows-noob.com CM12 Guides. It's a very good guide. I am facing some problem to configure system update server. Whenever I am trying to sync server I get this error
"Sync failed: WSUS update source not found on site xyz. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSource"
I tried to find out the solution over the internet but I couldn't find it. If you guys can help me regarding this I will really appreciate. Please reply
Regards
Sorry for the late response Shahid. I've been on vacation. As the error says you need to refer to the WCM.log file for details.
Hello Jerry,
thanks for your efforts of posting this and responding to everyone
I need your help
I am implementing SCCM with Endpoint protection for one of my customers
VM1:SCCM 2012 Primary Site OS 2012R2
VM2:SQL 2008R2
Issue
Software Update Point never works
Critical State and viewer shows error SMS_WSUS_Manager Site Component failed to install this component on this site system.
I followed your earlier advice to reinstall WSUS and SUP for three times now with no luck :(
I am stuck and need your help.
BR
Maher
You need to review the WCM.LOG file for errors
Hi, I ran into the same problem as one of the above, but could not find an answer.
Clients at one of the sites talking to DP are failing on windows updates. (about 25% good, 75% failed)
on the SCCM Monitoring I see :
Failed to install Update(s); Error Code : 0X800705B4; This operation returned because the timeout period expired.
Could not find much information from the logs on the client.
Clients are talking to the correct DP.
Boundaries look OK. Its based on AD site and added to a BG.
WUAHandler says Successfully completed scan.
UpdateHandler : Updates scan completion received, result = 0x0.
Not sure what's going wrong. Any help please?
Thanks.
Vin
Hello,
I have a WSUS infrastructure (One Autonomous Upstream - "AU", one Replica Downstream -"RD"). My SCCM 2012 R2 SUP syncs with the RD. The problem I have is that the SCCM console shows far less updates under "All Software Updates" than what I see in both the AU and RD consoles for "All Updates". The SUP is configured for All Products and All Classifications. Should I see the same updates in SCCM as I do in WSUS given my setup? That was my intent.
Why would you possibly want "All Products and All Classifications"?
We don't. The RD has the intended Products/Classifications defined and it is assumed that if we select All Products / All Classifications in SCCM SUP then its scope will narrow to the RD because it gets its catalog only from the RD. It would only be a problem for us if the SCCM SUP scope was smaller than the RD scope. Since I posted my original comment I have found the default Supersedence rules in SCCM to be 3 months for expiring an update that has been superseded (3 months from the date of supersedence). The maximum allowable value for this is 99 (months). The RD reports 12,041 total updates in its WSUS console. That is intended. SCCM configured at 3 months supersedence rule reports 5160 total updates. Configured at 99 months it reports 10,099 total updates. Clearly this value has some effect but with a limit on 99 months it sounds like either that limit is causing the gap between SCCM and WSUS or something else. Thoughts?
Hi Gerry, I have a question. There is a new IE Cumulative Update MS14-052 that I have deployed to 2 machines via SCCM 2012 Software updates and the reports come back as Compliant. However when I manually check the PC the update is not installed. The most recent Cumulative IE update on them is MS13-037. Is there a reason for Compliancy showing "Green" when the update is not installed ??
Thanks,
Hi Gerry / anyone that can help
First of all, I just found this site, this is an awesome resource that's been put together, kudos on that.
I have a question. I'm currently trying to use Automatic Deployment Rules for patch Tuesday on a lab I have setup, so I can try and understand how it works. The ADR works to a point, gathers some software updates, 6 in total last time around. However, when I look in the "All software updates" node I can see 108 updates listed from the last patch Tuesday are available. Any ideas why these 108 updates are not in my ADR group? I used the following criteria in my ADR settings.
DATE RELEASED OR REVISED: Last 1 week (7 days)
UPDATE CLASSIFICATION: Critical Updates Or Security Updates OR Update Rollups OR Updates
Any suggestions what to check out would be massively appreciated.
David
I've seen something similar before David - resolved by re-creating the ADR (no explanation unfortunately).
Hi Gerry,
You made my life easier!!!
Thanks for your SCCM guide as I manage to implement SCCM 2012 R2 and deploy apps in short possible time. I have configured Software Updates and I can verify that Windows 7 test clients are getting the MS updates(Oct 2014) from the SCCM 2012 server. My question about updates for Windows servers is that if I deploy updates for 2003/2008/2012 in one go (select ones for 2003/2008 R2/2012 R2), will the end server automatically download/install only appropriate updates for 2003 or 2008/2012? Do I need to deploy updates specific only to 2008 R2 or 2012 R2? So in my case, I will have three software groups for each server flavor.
There is a hard limit of 1000 updates per software group. Therefore when I am deploying past updates I create a new software update group per product (Windows 7 for example currently has over 900 updates). Into the future, on a monthly basis, there is no reason to separate them. I usually create one SUG for server updates and one for workstations.
Hello
I have an interesting question. I have setup a software update group for windows 7 for past updates and named it baseline windows 7 and also created a deployment package with same name.
I used criteria when searching for updates: expired: no superseded: no product: windows 7
i.e. I initially used bulletin: MS but this seemed to not give me as many updates.
Ok, here's my problem: the updates download and install on a virtual machine but on a dell optiplex they install, the pc reboots and goes thru 2 stages configuring and at the end it writes a bunch of reg entries but then displays something to the effect it can go any further and reverts back to the machine with no updates installed!
in event viewer it says updates failed... xxxx on and on
Now how the heck can I narrow down which update is really causing the problem?
thanks
It's hard to say. Your process seems sound. Is this a general problem or just a problem with a single device?
Hi there,
You can check C:\Windows\WindowsUpdate.log.
Also under ccm\logs\updatsdeployment on the client.
Everything is logged there.
Good luck!
Hi Garry
You said Updates are stored into the SCCM Database.
I deploy Software only to client PCs, not to Servers, because Server Licences for SCCM are too expensive.
Is there a possibility to store the Server Updates outside of the SCCM Database?
Or the better Question is:
Is it possible to run the Client Updates via SCCM and the Server Updates normally via WSUS?
Thanks for your help
I didn't say that the update binaries are stored in the database. They are downloaded into deployment packages. You can choose not to manage servers. In that case you cannot install the ConfigMgr client on them.
You could use WSUS to patch your servers but you would require a separate WSUS instance for this. Also you would need to configure a GPO for your servers.
Hi Gerry
We are currently looking at implementing SCCM in our organization mainly to allow laptops to be built from a DP at our remote offices across the country, this will save having to send them back to us here at head office.
We currently have a WSUS server that is in our main data center and it controls all of our updates for server, client OS and Office. Our server engineer asked the question if we can setup WSUS on the SCCM server and allow it to control all updates relating to the Windows 7 image, but leave our existing WSUS server in place to handle all the updates once the build is complete, ie once the build is complete the SCCM server is no longer required for anything.
I'm pretty sure you could do this. The updates would be installed via SCCM/WSUS when the laptops are being built. You could then configure your SCCM client policy to disable software updates and manage them with WSUS. I can't think of a good reason to do this though.
Hi Gerry,
I have just deployed Windows update from SCCM to client and it deployed successfully. I configured it to use 8530 but I did not enable 8530 on the firewall for SCCM. My question is, is it necessary to open 8530 on the firewall? or how do I know which port the client is communicating with WSUS?
In your case the client will be communicating with the Software Update Point on port 8530. If the server firewall is turned on then I would expect that you would need to allow this port. It is not necessary to configure the client firewall as all communication is initiated by the client.
Hi Gerry,
I have SCCM 2007 infrastructure installed in my environment. I am trying to install SCCM 2012 as a fresh (Not migrate). I have standalone primary site, with 5000 clients, spread across 3 locations. I have built SCCM 2012 R2 with SQL server 2012. I want to test various functions of SCCM 2012, before moving it into production. Now the question is, Can I install WSUS/SUP on SCCM 2012 and configure it for patching. If I do so, will it disturb my current SCCM 2007 patching, or is it fine. Kindly suggest.
- Vasu
The two environments can co-exist. After all that's the way migrations are done. You just have to be careful of overlapping boundaries for site assignment. However I'm not a big fan of deploying products like this in production for "testing" purposes. That's what labs are for.
Hi Gerry - I am setting up SCCM 2012 R2, the database will be co-located on the Site Server. The database will be setup with mixed mode authentication (both windows and SQL ). I am planning for WSUS to use same SQL instance as SCCM. I have seen it mentioned in many blogs that WSUS supports only Windows Authentication. Do you see any issues with WSUS database on SQL server setup with mixed authentication?
No, as far as I know that will be OK. However, why would you use Mixed Mode? You are only licensed to host System Center related technologies anyway, which will all use Windows Integrated. I never use Mixed Authentication in these cases.
Hi Gerry - I have to follow the DB standards in the organisation. Hence mixed mode.
That doesn't really make too much sense Sandeep. The standard isn't always correct. You are using a local SQL install which will not be used for anything else. You are actually making the solution less secure by introducing Mixed Mode.
Gerry, great stuff. Used your guides to get a fully functional environment. I have searched and searched but cannot find the answer. I wonder if you could help.
I am trying to figure out which workstation in a group is the most out of date in terms of Windows Updates. The idea is to patch this machine completely and get a baseline, so I can more accurately determine how long and how many reboots it would take to complete the rest of the computers in that group.
Thank you and keep up the good work.
-Matt
Have a look at these options Matt
http://smsug.ca/blogs/garth_jones/archive/2009/02/25/patch-compliance-progression-report.aspx
http://blogs.bamits.com.au/2011/04/sccm-report-which-shows-you-how-many.html
Hi Gerry,
I am facing the below issue while running the post configuration after reinstalling WSUS.
2015-02-04 02:03:21 Starting service W3SVC
2015-02-04 02:03:22 Configuring IIS...
2015-02-04 02:03:22 Start: ConfigureWebsite
2015-02-04 02:03:22 Configuring website on port 8530
2015-02-04 02:03:22 System.ComponentModel.Win32Exception (0x80004005): The system cannot find the file specified
at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
at Microsoft.UpdateServices.Administration.UseCustomWebSite.ExecuteIisCustomAction(String arguments)
at Microsoft.UpdateServices.Administration.UseCustomWebSite.Install(Int32 portNumber)
at Microsoft.UpdateServices.Administration.UseCustomWebSite.InstallAndConfigure(IisConfiguration& iisConfiguration, Int32 newPortNumber)
at Microsoft.UpdateServices.Administration.PostInstall.ConfigureWebsite(Int32 portNumber)
at Microsoft.UpdateServices.Administration.PostInstall.Run()
at Microsoft.UpdateServices.Administration.PostInstall.Execute(String[] arguments)
I tried to launch the Windows server update services from admin tools, it opens MMC console prompting to connect to the Server. The server URL along with WSUS default port is mentioned and when, tried to connect. it throws an error stated below.
Cannot connect to ""Server"". Please make sure the post-Installation task is completed successfully in that server. If it was , please verify is the server is using another port or different secure sockets layer (SSL) setting.
The WSUS specific Virtual directories are not created in IIS.
Any pointers to resolve this issue would be of great help.
Sounds a little messy. I would remove WSUS and re-add it.
Hello Gerry,
I have immensely benefited from your blog and it has gotten me very far considering that I had no prior knowledge on SCCM. I am however at a fix at this point. I have my AM policy and have SCEP installed on a few computers I'm testing with. I can see the definition updates downloaded under the software library on the sccm server and they appear as deployed, yet SCEP hasn't received any definition updates. Software center is empty too.
I examined execmgr.log and found repeated instances of "Auto Install is set to false. Do Nothing"
What am I missing out please?
Auto Install is set to false. Do Nothing. execmgr 2/14/2015 12:00:00 AM 528 (0x0210)
Service startup. execmgr 2/16/2015 7:24:42 PM 4376 (0x1118)
A user has logged on. execmgr 2/16/2015 7:25:02 PM 5652 (0x1614)
The logged on user is domain\username execmgr 2/16/2015 7:25:02 PM 5652 (0x1614)
CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : START Event execmgr 2/16/2015 10:00:00 PM 5048 (0x13B8)
CExecutionRequestManager::OnServiceWindowEvent for START execmgr 2/16/2015 10:00:01 PM 5048 (0x13B8)
Auto Install is set to false. Do Nothing. execmgr 2/16/2015 10:00:01 PM 5048 (0x13B8)
CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : END Event execmgr 2/17/2015 5:00:00 AM 7552 (0x1D80)
CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : START Event execmgr 2/17/2015 10:00:00 PM 10736 (0x29F0)
CExecutionRequestManager::OnServiceWindowEvent for START execmgr 2/17/2015 10:00:01 PM 10736 (0x29F0)
Auto Install is set to false. Do Nothing. execmgr 2/17/2015 10:00:01 PM 10736 (0x29F0)
CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : END Event execmgr 2/18/2015 5:00:00 AM 8692 (0x21F4)
CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : START Event execmgr 2/18/2015 10:00:00 PM 8508 (0x213C)
CExecutionRequestManager::OnServiceWindowEvent for START execmgr 2/18/2015 10:00:00 PM 8508 (0x213C)
Auto Install is set to false. Do Nothing. execmgr 2/18/2015 10:00:00 PM 8508 (0x213C)
CServiceWindowEventHandler::Execute - Received SERVICEWINDOWEVENT : END Event execmgr 2/19/2015 5:00:00 AM 6432 (0x1920)
That's good. I'm glad to help.
Have you created a Software Update Group with the definition files and deployed to your clients? Look at the Deployment Status for this SUG in the Monitoring node.
Yes, I have created a SUG with the definition files and deployed to my clients. I look under the Monitoring >> Deployments node for the deployment status of my SUG and nothing under the compliant tab, nothing under the in-progress tab, nothing under the error tab but I see the 3 devices I'm testing with under the unknown tab.
I'm actually very confused.
Did you solve this?
No. Not yet.
Hi Gerry,
I need your advice to resolve one issue
I have installed sccm2012 sp1 with CU4. I have created a test collection with only one machine into it. I downloaded and deployed the MS patches but not able to see these patches on client machine.
Agent on client machine is working fine, as I am able to take the remote control from sccm server
C:\windows\ccmcache folder is not showing MS patches.
On server side, patches has been downloaded to given location
In monitoring -> deployment -> win7 update status is unknown with "Client check passed/active"
In Soft library -> soft update gp -> deployed - yes and downloaded -yes
Windows updates is marked as "never look for update" using GPO on client machines
SCCM and WSUS are installed on same server
While installing WSUS, I picked WID Database and WSUS Services
Any suggestions?
What could be the name of log file to get more information
Not able to see option to run inventory etc from SCCM Console (I have seen these option in SCCM 2007). Do I need to install any other plug-ins
Thanks
Have a look at these log files
Server Logs:
SUPsetup.log - Installation of SUP Site Role.
WCM.log, WSUSCtrl.log - Configuration of WSUS Server/SUP.
WSyncMgr.log - SMS/WSUS Updates Synchronization Issues.
Objreplmgr.log - Policy Issues for Update Assignments/CI Version Info policies.
RuleEngine.log - Auto Deployment Rules.
Client Logs:
UpdatesDeployment.log - Deployments, SDK, UX.
UpdatesHandler.log - Updates, Download.
ScanAgent.log - Online/Offline scans, WSUS location requests.
WUAHandler.log - Update status (missing/installed - verbose logging), WU interaction.
UpdatesStore.log - Update status (missing/installed).
%windir%\WindowsUpdate.log - Scanning/Installation of updates.
Hi Gerry,
Trying to find info on a particular task in sccm and came across your blog. Will appreciate if you can point me in the correct direction.
We have a sccm 2012 r2 infrastructure and have a .wim file with Office 2013 already installed (thick image). I want to deploy Office 2013 SP1 to all the workstations using sccm. I have downloaded the SP1 package and it's in .exe format.
Thanks in advance,
Sailesh
You need to work out the command to install the SP silently. Then just deploy it to your workstations as a package/program.
Hi Gerry!
Thank you very much for this amazing blog!
May I ask you some questions, please?
When I'm in the ADR Wizard and choose "Existing Package" and "Create New Software Update Group", does the SUP clear the existing package every time the ADR has been started and fill it with the new content from the new software update group? Or does it expand the existing package with the new updates? In that case the package will grow every patchday...
Do the clients have to download the complete package every time the ADR has published the package? Or do they just download the needed updates like they do with WSUS? I don't want the clients to download more and more already installed updates over the months with the existing package.
Thanks in advance and best regards
Patrick
Hi Mr HAMPSON,
First of all, thank you for this blog, it really helps me to understand a lot of stuff.
Well, I have an issue and I'm pretty sure you have the answer.
I've got this error during post-installation of Wsus services :
Failure post-installation task. More informations below:
Log file in :"C:\....".
So I've checked :
"CreateDefaultSubscription failed. Exception: System.Net.WebException: La demande a échoué avec l'état HTTP 503 : Service Unavailable."
This is my configuration :
One SCCM server & One WSUS server.
On my WSUS server, I've just installed the role WSUS, I know that I may not finish the wizard of post-installation of WSUS services.
I've deleted on my SCCM the update softwares before doing anything.
And I'm waiting this part of post-installation to create my SUP on SCCM but I have this error.
What I've done this far:
On each server there is the admin account in Administrator.
My GPO's are ok I think.
Can you help me with this ?
Regards.
Michel
Hi Michel,
What OS is on each server?
Hi,
Sorry for the delay.
I have Win2012R2 for the WSUS server and Win2008R2 for the SCCM server.
I didn't install WSUS console on my SCCM server : Is that important ?
After stopping the wizard of post-installation of WSUS services, I've installed the SUP on my SCCM. There is no more notification on my WSUS server but on SCCM I don't have any updates, there is no synchronisation between them:
"Failed to synchronize".
I'm trying to search what is the WSUS console that I have to install on my SCCM server (I've found a thread on the web who said to install this console in SCCM).
Thanks in advance for giving us time to our questions.
Regards
Start PowerShell Console (as Administrator) and run : Install-WindowsFeature -Name UpdateServices-Ui
Hi Gerry Hampson,
I have installed the scom 2012 in Windows 2012 server and configured software update for client, installed client agent also. I deployed the updates to client as per your guide, still the client PCs are not updating? I have the WSUS server in the same network and the clients were updating patches through GPO configuration. I need to disable this GPO? Or I have to do any other configuration for client? I have checked the logs but I couldn't see anything wrong.
Please do reply.
In the ConfigMgr console check the deployment status for your software update group (Monitoring > Deployments). I'll bet it tells you that the deployment has failed due to an existing group policy. That GPO needs to be removed. It's best practice to create a GPO to disable automatic updates.
Dear Gerry,
I have checked in the monitoring deployments, the compliant, progress and error window saying "status information currently unavailable for this deployment". Unknown is showing client check passed and active. I will remove the GPO as per your suggestion and try. Is there any other configuration required? If you require, I will send you the screenshot through mail if you can send your email id to my mail.
Hi Gerry,
Thanks for your post. On a new installation of SCCM 2012 R2 SP1 I configured WSUS and SCCM exactly the way you described in this post. However, the updates do not appear in the console but they do in the WSUS console. Do you have any advice?
You need to review the WCM.LOG file for errors Fabian.
Hi Gerry,
I'm super new to SCCM. I was wondering if it is possible for SCCM to deploy windows updates without WSUS in the environment?
No Saul. That's not possible. You need WSUS.
Gerry,
I have a lab environment and have followed your how-2s for most everything SCCM 2012, great work by the way. I repeatedly run into a snag where sccm admin console shows 400+ updates in the update package, but when I deploy them the clients only receive about a dozen security updates. Everything appears to be normal except the fact that only a few updates come through. Under the SUP and products I've only selected Windows 7 updates and nothing else since this is a lab environment. Any ideas?
Thanks. Glad to be able to help. This behaviour could be normal. The Software Update Group may contain 400 updates. This doesn't mean that your test computer needs them all. Most could be installed already. Only the missing updates will be downloaded and installed.
Wouldn't I see a larger list of installed updates on the "Installed updates" on the control panel windows update screen?
Test the behaviour. Choose some updates that are in the SUG but not applied to the test computer. Try to install them manually.
Hi Gerry,
As a starter to SCCM. I have following lab environment.
SCCM 2012 Release Candidate installed on Server 2012 R2 with SQL 2008 R2. I was following some random articles - well I am facing issues with WSUS.
WSUS does not seem to be integrated with SUP (I also have followed RezaChan's article for correcting WSUS issues: http://www.windows-noob.com/forums/topic/9030-how-to-configure-wsus-on-sccm-2012-win-server-2012/)
but I keep getting errors like:
Wsync.log:
Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync
WCM.log:
The installed WSUS build (0.0.0.0) does not have the valid and supported WSUS Administration DLL assembly version. Please install WSUS 3.0 SP2(minimum 3.1.6001.65) or above
Eventviewer log: eventID: 6703
WSUS Synchronization failed.
Message: WSUS server not configured. Please refer to WCM.log for configuration error details..
Source: CWSyncMgr::DoSync.
The operating system reported error 2147500037: Unspecified error
Please suggest something. Thanks.
Why are you working with Configuration Manager 2012 RC? This is not a production version. R2 is the latest version and you should install that. Let me know if you have issues after that.
Ok Thanks. I'll recreate my Lab then I'll get back to you.
Gerry,
This is probably a silly question, but what permission levels should the shares be set at? Share permissions and NTFS.
Also, when deploying updates from the SCCM console which account is actually creating the update folders and files?
Thanks!
Which Shares are you referring to? When you actually deploy the updates using the console the process runs under the context of the logged on user. That's why the patchdownloader.log file is found buried deep in the users profile (C:\Users\AppData\Local\Temp). This log file is only visible when a deployment is running.
I'm referring to the server side file share for the approved updates. I'm guessing it's where SCCM and WSUS work together to store the approved updates on the server? When I first approved updates in the console they failed to download which I'm sure was because of share permissions. In order to test this out, I gave everyone full control and tried this again and it worked, but I'll state the obvious that I would like to lock the permissions down to the most restrictive that I can.
Gerry, I have been deploying updates and making them required the day they are deployed. I wanted to start letting them be available for a week or so before forcing them. I was wondering, if it is done that way, is there a way to pull back the updates, say 2 days into the deployment, just in case something goes wrong?
Gerry, I am beginning to roll out my deployments in the same fashion you are, i.e. giving the users a few days for installation prior to making it required. I was wondering if there was a way to cancel the deployment for users who have not installed the updates, say 2 days into the deployment, before the deadline has been reached?
I wouldn't rely on that strategy to get you out of trouble Kevin. That's why you should always test your updates on a pilot collection well in advance of deploying to production.
Hi Gerry,
When creating a new deployment folder for deploying windows update, what's the minimum permission required for all users and computers in order for the update to be successful?
Wonderfully written, All the best and Thanks a Ton
You're welcome. Thanks.
Hello Gerry,
Thanks a lot for your blog. Amazing job.
My configuration: SCCM 2012 R2 with SP1 in server A (Windows server 2012R2) and I would like to deploy MS update. I created server B (Windows server 2012R2 with 281 updates!). I installed SQL server 2012 (with your STEPbySTEP), and before installing WSUS roles, I'm wondering if I need to install the SP3 of SQL server 2012? I already updated SQL with SP1 and with kb3045318. SQL version is now: 11.0.3156.0
Hi Peter,
I'm a great believer in always installing the latest SP or CU. They have been created and published for good reason.
HELLO SIR,
My name is faraz I have deployed SCCM 2012 SP2 IN MY COMPANY ALL SCCM COMPONENTS WORKING FINE, EXCEPT SCEP Software Update Management - Endpoint Protection Definition Updates - Compliance showing as "Not Required" instead of "Installed" after installing
hi,
I have sccm 2012 sp2 server, all component working fine . but I have a problem in Software Update , software update are working fine, scan all updates required by clients except SCEP DEFINITION as required 0 but when I deploy that update to SCCM client its install on client computers and when I see in \Monitoring\Overview\Deployments\SCEP FOR HEAD OFFICE Status to All Head Office SCEP Clients IT SHOWS nothing installed in client computer but SCEP definition update installed, I have all log files in client computer and SITE SERVER all working fine . but still shows required 0 in all computers..
Hi
I'm new in SCCM. I'm trying to update my workstations in test collection with software updates for Windows 8.1 operating system.
One month ago it seemed everything OK. I had about 610 updates in my software update group and my test WS were updating. Then one day a lot of SU in my group became Expired and so I deleted them from my software update group. Later I realised that they were not Expired - I checked KB numbers on Microsoft page: https://catalog.update.microsoft.com/v7/site/Home.aspx
Now there are just 310 SU in my group and I can successfully distribute them on my test WS, but if I check upgraded WS with Microsoft Windows Update, it finds about 130 missing updates for Windows 8.1. When I check missing KB numbers in my SCCM catalog they are indeed missing in catalog and also in update group - even if I manually run "Synchronize software updates".
The big question is: what to do in SCCM to include all available software updates again in catalog.
Thanks for your answers - anyone.
Gerry, my WSUS keeps giving errors and won't allow me to continue the post installation. What are your suggestions on completely removing it and starting over. SCCM2012R2, Win2012R2. DB created and IIS site created. When I remove the SUP and WSUS I guess it still leaves behind files. Is there folders and/or regedit I should delete to start from scratch?
Not really. Just removing and reinstalling has often done the trick for me.
Hi Gerry, I have a problem with sccm 2012 client installation for a remote site; this site is configured as VPN network. The client installation is failing with this error: "Download Update: A recoverable error has occurred. A retry attempt will be made." We have sonicwall firewall in both sites but all ports are open and ipsec vpn is configured. I can see the user admin$ ccmsetup folder and logs, it's showing Bits related issue. Any idea about it?
Hi Gerry,
I hope you or anyone that reads this can help me.
I am running sccm 2012 r2 currently on a Windows 2012 R2 Server.
The SCCM has been updated to version 1606 with the hotfix.
I am just starting with SCCM so i am certainly not using it with full potential.
I have succesfully deployed Windows 7 and Windows 10.
What I want to accomplish is that while installing the OS, it also installs the Windows Updates so that the computer is up-to-date.
SCCM and WSUS have the updates for Windows 7.
But i have also added Windows 8.1 and Windows 10 to the products.
But for some strange reason those updates are never being downloaded to SCCM/WSUS.
Any idea why?
I can't seem to find any error messages in the log files for SCCM.
Did you synchronize the updates after choosing new products? Look at the WSYNCMGR.log file. You should see the synchronizations there.
Thanks for the reply. All I had to do was reboot the server.. All is working now thanks.
Hi Gary,
I haven't run WSUS post installation once as you have advised in the previous comments, I immediately canceled my installation after role been added, then I added the SUP role. What should be done in this situation?
I am having problem that my sccm reports are showing empty, i have checked sql reporting services configuration and all seems okay.. when i hit the ie reports page i bump into number of configmgr, configmgr.old etc... where do you think I am going wrong
Hi Gerry,
I have got a production environment. I patch monthly windows updates and schedule updates via SCCM 2012. Updates installed successfully at scheduled time. But some users attempted to manually uninstall some updates.
Can I force users to not uninstall any monthly updates without approval ?
Or can I force sccm to reinstall, when it finds any updates removed manually or by any users?
Thanks
Nomi
Users will only be able to uninstall updates if they are local administrators on their devices.
If you leave the required deployment in place the update will be forcibly installed again as the deadline has passed.
Hi Gerry, I installed SCCM 2012, SQL 2012 in CAS and PSS, I have FBS separately. Software updates deployment status unknown. Error in client is failed to initiate applicability scanning error 0x87d00600 in UpdatesHandler.?
Another query can we change server to client ports FM 8530 to 80?
A single error code doesn't really help. The fact that you're asking about firewall ports would suggest that maybe you have connectivity issues. 8530 is the default http port for IIS for Windows Server 2012 and later.
Hi Gerry, could you be kind enough to answer a few questions for me, please?
We currently have 4 WSUS Downstream servers in various offices, all of which sync with the main Upstream server. I now want SCCM to manage them.
1. Do I add the SUP role to the existing Upstream WSUS server and likewise the other 4 Downstream WSUS servers?
2. I'm assuming that when the SUP synchronizes with WSUS it doesn't require the same amount of storage space again for the update binaries. In essence it acts as an SCCM-controlled front-end to WSUS?
3. My existing WSUS server is in the same location as my SCCM primary site. Do I create a secondary site, or sites for the other 4 regional WSUS servers?
4. Does SCCM/SUP takeover WSUS upstream/downstream replication once configured correctly?
Thank you in anticipation,
Andy.
I wouldn't use the existing servers Andy. I would start again. When you use WSUS/SUP you shouldn't configure WSUS but let ConfigMgr do that for you.
Thanks Gerry, but it would take me a month to re-download all the WSUS content. I don't have that much time. I think I'll build a test WSUS server and attempt to integrate that first.
Hi Gerry, I added the WSUS role and it was installed successfully. I didn't configure it as you mentioned above but I can't see the SUSDB created in SQL.
You must have used the Windows Internal database (WID).
Hi Gerry,
I have WSUS on primary site which is working fine. I have another WSUS server on secondary which should sync from upstream primary server.
However when I deployed updates to clients, nothing happened. I noticed that WSUS GPO settings haven't been applied to secondary site server as well as the client.. All I did was install WSUS on secondary, install SUP role and push the updates to clients (same worked for primary site clients).
Can you please advise what could be the problem?
Hi Gerry,
Do you have to have Forefront/Endpoint running from the WSUS server? [it is currently set up this way on our systems]
We want to have Forefront/Endpoint running from our software distribution server, reducing the load from its current position. However during installation of Forefront/Endpoint we are getting synchronisation issues, actually no sync or updates at all!
One of my colleagues thinks we need to also transfer WSUS to the same server for everything to work correctly. Is this correct?
Apologies if I'm a little vague here.
Steve
EndPoint Protection definition files are delivered via WSUS and deployed via ConfigMgr, in the same manner as software updates. The files should then be available on a distribution point for clients to download. That is the process. The only real choice you have is whether or not to offload WSUS/Software Update Point role to another server. That can be a good idea for performance reasons.
Hello Gerry,
I have 2 questions,
1. When we installed WSUS on separate server then why we need to select option download updates from Microsoft while configuring SUP role in SCCM?
2. SCCM should sync update from WSUS right? If we are directly syncing MS updates using SCCM server then what is the use of separate WSUS server?
SCCM actually configures WSUS. When you configure SCCM to download content from MS Updates you are actually telling it to configure WSUS to download content from MS Updates.