Managing Software Updates with SCCM 2007

Environment:

(Hostname)SCCM1: windows Server 2003 R2

(Hostname) DB1 : SQL 2008 Sp2

(Hostname) DC1 : Windows serve 2003 sp2

What all we need?

The SCCM Software updates Point (Role)

The Software Updates Client Agent

Steps involved in Managing Software Updates.

1) Create a deployment Template

2) Create an update List

3) Deploying Update

Scenario:

These days due to the Changing Technology, They are much software produced with have to be updates with Hot fixes, more Often we find that Software Updates released. IT becomes a difficult task to manage these software updates. This is where SCCM plays an Important Role in helping to manage a huge amount of Software updates.

What is the Relationship between SCCM & WSUS?

SCCM is just an extension to WSUS

Everything is handled through the SCCM console

SCCM does not need Group policy Modifications

WSUS does needs Group policy pushed to Clients to point them to WSUS to get the updates

What is the SCCM Software Update Point?

The Software Update Point is a role that is added via SCCM on of the Site Systems.

Microsoft Recommendation:

Install a new and independent WSUS for SCCM.

NO need to run the configuration Wizard after installing WSUS 3.0 SP1

What are the Requirements for Software Update Point ?

1) IIS 6.0 of Higher

2) WSUS 3.0 SP1 or Higher

3) Site System Membership in Local Admin Group

Eg : SCCM1 is a member of DB1 (local Admin Group)

Let’s start:

1) Install WSUS

Select create a WSUS 3.0 sp1 website

2) Install WSUS Software Update Point

Right Click one of the Site Systems (SCCM1)

Select New Roles.

Specify FQDN of the Site System (SCCM1)

Select Software Update Point

If you use a proxy server, mention the same

Select Use this Server as the Active Software Update point.

Specify the port Number

Port Number : 8530

SSL port Number: 8531

3) Synchronize from Microsoft Update, if you have another WSUS server, synchronize with WSUS.

Specify the Synchronization schedule.

Specify the update Classification. (Critical Update, Definition Updates, Service packs)

Specify Specific products Updates to be synchronized. (Office, windows, System Center products)

Specify what language you want the updates in (English)

This will take a long time, I ran all night for me.

Where do I check for Updates that get downloaded?

Under Software Updates.

Update Repository

Log file for WSUS synchronization

Wsyncmgr.log in c:\Program Files\Microsoft Configuration Manager\Logs (Synchronization of WSUS)

wcm.log (Managing the Software update point and association with WSUS.)

How often should a client machine check/Scans itself to check if it needs an update?

Site Managements

Site Settings

Client Agents

Software updates Client agents

Enable Software updates on clients

Specify the schedule

You can specify to enforce all mandatory Deployment.

You can also hide the notification for end users.

Specify the re-evaluation schedule

Whenever you make software changes on client. You would have to wait till those changes are active on the client. This depends on the Polling Schedule Specified in Computer Client Agent Properties (default 60 minutes)

What is a Deployment Template?

Object within SCCM which specified all the settings related to Updates to be pushed.

A deployment Template specifies to what Collection the Update will be applied.

Should users be notified that update are pending

Allow a system restart if necessary, Can a system restart or take place in maintenance window

Suppress SCOM Alerts.

Decide to push update via slow link

Recommended Templates

Workstation-Normal Priority

Workstation-Emergency Priority

Server-Normal Priority

Server-Emergency Priority

How to create Deployment Template

Under Computer Management>Software Updates>Deployment Template

Right click and select new deployment Template

Workstation-normal Priority

Specify the Collections to which it should be applied

Suppress Display for notification

Specify the Deployment Schedule

Specify the restart Settings (Workstation/ Server)

Do you want to create alerts with SCOM. If fails let it Alert

Slow or unreliable link-Download Update.

If you are running a Mixed environment, push updates to SMS 2003 Clients

(Note : Update would be ignored if they do not match the requirement, Eg : Xp update will not apply to vista)

Create an Update List

It Will specify which update would be included in the List

(Eg : out of 50 MS update, we selected only 20)

Now we would have to create a place for these update to reside before they get pushed to Software

Update Point and then we will associate our Deployment Template with the Update List.

Create a Package Source Folder

Create a Share Folder (\\SCCM1\Updates) Computer account Full Control.

Associate Update list with Workstation Normal Priority Deployment Template

Drag updates List to Deployment Template

This will start the Software Update deployment Wizard

Create a new Deployment Package

Specify the Source.

Binary Differential Helps with Minute changes in the package.

Specify the Distribution Point

Download Software updates from the internet

Set a Deadline and Select Wake on LAN if required.

Ignore Maintenance Window

(Note: This will download the Software update to the share we created and then push it to the Software update Point and install it on the Clients)

Has the Software Update Point been Updates?

Go to Computer Management> Software Updates.

Deployment Package Node

Workstation deployment Package.

Distribution Point>Verify the Distribution Point

Software Updates>check the list of software update

Package Status> check the state (should be Installed)

Some Reports For Software Updates

Computer Management >Reporting

Management 1: Updates required but not Deployed.

Management 1: Updates in a deployment

State 1: Enforcement State of a deployment

How does it appear on the Client Side.

You would see Software Update Installation Progress.

What’s on the SCCM Console Results

Go to Computer management> Software updates.

On the Right Pane check the Graph (For office)

It shows 50 % Required and 50% installed

You can check which machines have it installed.

(Note : we Targeted it to Workstation Collections and We also have office 2007 on Servers, so it shows as Required =50%)

Check on update List

Installed Column