Jump to content


anyweb

using SCCM 2012 in a LAB - Part 6. Deploying Software Updates

Recommended Posts

Thanks for these tutorials!

For creating a Windows x64 collection, does the query that you provided in Part 5 need to be altered to filter for x64?

select *  from  SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%"

Share this post


Link to post
Share on other sites

Hi,

 

Very interesting post with good advice.

 

I wanted to know if you had some tips or inputs for some offline sccm updates.

If you download the updates on the side, from a distant WSUS server and want to manually add the updates to the sccm SUP

 

Do you have anything related? or inputs on how to import those?

 

Thanks :)

Share this post


Link to post
Share on other sites

I'm curious - do we have to update the included update list manually, or does it automatically update the contained updates on it's own?

 

I'd have assumed to just set the domain computers to point to WSUS and be done with things, why do we configure all of these deployment groups and rules? Is it not just repeating what WSUS does on it's own?

Share this post


Link to post
Share on other sites

I know this question is old, but if it were to be answered, it would be of great help to me. I am in a lab environment, so I installed WSUS on a server, then added it to my primary site as the SUP. I created a SUG and deployed them to a device collection to no avail. In fact, it is just showing "Unknown" for the collection as though it doesn't even know if any of the PCs (1) in the collection needs the updates.

 

I only have a WSUS server and SCCM. No GPOs, no changes to the desktop (it was added to the domain and left alone). When I created a device collection containing said desktop and deployed the package, nothing.

 

 

Dear.

I might have a stupid question.

We have WSUS implemented in the organization and it’s managed through AD GPOs.

We installed SCCM 2012 (thanks to your blog, we solved a lot of issues). We uninstalled all existing WSUS servers. We deleted the WSUS GPOs.

On a new server, we installed WSUS, but did not configure it. On SCCM 2012, we deployed the SUP to this new server. We configured software updates as explained on your site.

The questions I have:

  • Do we need to do something in AD or GPO’s for WSUS/SCCM ??? Or will everything completely be managed by SCCM.
  • SCCM found all our clients, software metering is ok, clients ware approved too … but the compliancy status is still be unknown.
  • How can I force a compliance scan on my SCCM clients. The last compliance scan time report is empty, so I supose they never did a compliance scan.
  • When I create a report, all updates are marked as being not approved. Should I somewhere approve the patches before, such as in WSUS?

Thanks in advance,

 

Regards,

Peter

Share this post


Link to post
Share on other sites

I know this question is old, but if it were to be answered, it would be of great help to me. I am in a lab environment, so I installed WSUS on a server, then added it to my primary site as the SUP. I created a SUG and deployed them to a device collection to no avail. In fact, it is just showing "Unknown" for the collection as though it doesn't even know if any of the PCs (1) in the collection needs the updates.

 

I only have a WSUS server and SCCM. No GPOs, no changes to the desktop (it was added to the domain and left alone). When I created a device collection containing said desktop and deployed the package, nothing.

 

 

Do we need to do something in AD or GPO’s for WSUS/SCCM ??? Or will everything completely be managed by SCCM.

If you haven't set anything before, then you do not need to do anything. SCCM uses local policies to use SUP. If you have any GPO's with any update setting, they will override the local ones, and possibly create problems.

 

SCCM found all our clients, software metering is ok, clients ware approved too … but the compliancy status is still be unknown.

seems like they have a problem connecting to SUP. Check these logs:

 

UpdatesDeployment.log

Provides information about the deployment on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface.

UpdatesHandler.log

Provides information about software update compliance scanning and about the download and installation of software updates on the client.

UpdatesStore.log

Provides information about the compliance status for the software updates that were assessed during the compliance scan cycle.

 

How can I force a compliance scan on my SCCM clients. The last compliance scan time report is empty, so I supose they never did a compliance scan.

Control panel - Configuration Manager - Action [tab] - Software updates deployment evaluation cycle

ref.

  • Software Updates Deployment Evaluation Cycle: Evaluates the state of new and existing deployments and their associated software updates. This includes scanning for software updates compliance, but may not always catch scan results for the latest updates. This is a forced online scan and requires that the WSUS server is available for this action to succeed.
  • Software Updates Scan Cycle: Scans for software updates compliance for updates that are new since the last scan. This action does not evaluate deployment policies as the Software Updates Deployment Evaluation Cycle does. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

Source: http://technet.microsoft.com/en-us/library/bb632393.aspx

 

When I create a report, all updates are marked as being not approved. Should I somewhere approve the patches before, such as in WSUS?

you use update list as way to approve to updates. The ones that are on the list that you deploy will be evaluated and if required be installed.

Share this post


Link to post
Share on other sites

Thanks - I have checked these logs and this is what I've found. Does this tell you anything?

 

From UpdatesDeployment.log in no specific order

[No actionable updates for install task. No attempt required.]

[updates could not be installed at this time. Waiting for the next maintenance window.]

[Attempting to install 0 updates]

[Auto install during non-business hours is disabled or never set, selecting only scheduled updates]

[A user-defined service window (non-business hours) is avbailable. We will attempt to install any scheduled updates.]

 

 

From UpdatesStore.log

There were some errors, but now for the past few days it has said "Successfully refreshed Resync state message" and "Refresh status completed successfully".

Share this post


Link to post
Share on other sites

I'm curious - do we have to update the included update list manually, or does it automatically update the contained updates on it's own?

 

I'd have assumed to just set the domain computers to point to WSUS and be done with things, why do we configure all of these deployment groups and rules? Is it not just repeating what WSUS does on it's own?

 

Any thoughts people? I'm hoping it all happens automagically once setup, if not then would using WSUS not be a better option to reduce admin intervention?

Share this post


Link to post
Share on other sites

 

Any thoughts people? I'm hoping it all happens automagically once setup, if not then would using WSUS not be a better option to reduce admin intervention?

Interested in the responses you receive as I, too, am still awaiting seeing a compelling reason to move from patching with WSUS to patching with SCCM.

Share this post


Link to post
Share on other sites

Interested in the responses you receive as I, too, am still awaiting seeing a compelling reason to move from patching with WSUS to patching with SCCM.

 

Further reading does suggest you can have an automatic or manual software update deployment rule - the automatic one appears to automatically scan for new updates, then make them available to the relevant device group. Need to do a bit of playing to see how that works, as for critical/security/definition updates this would be my preferred method, I want my manual intervention requirements to be as low as possible!

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.