The below post explains the end-to-end process of software updates management in SCCM 2012.

Pre-requisites:
1. WSUS Server (WSUS 3.0 SP2) should be installed on the SCCM site server. If you want to install WSUS on another server, it is important that you install the WSUS administration console, as the SCCM Server uses its API.
This link explains the step by step procedure to install WSUS 3.0 SP2.
2. Install SUP (Software Update Point) on the SCCM Server.
3. Reporting Services Point: Install the reporting services point role as described in this link.
4. Client agent: The software update client agent should be enabled (it is enabled by default) and the settings have to be specified as per the requirement.
On the SCCM console, go to Administration > Site Configuration > Client settings > right click on Default client settings > click on Properties.
If required, we can create custom client settings and then enable the client settings there.
Under the properties, select Yes from the drop-down menu to enable software updates on the clients, and also specify the other settings that are applicable to software update management as desired.
The server setup is now ready for synchronizing, deploying and managing updates from the SCCM Server.

This post covers the following aspects of patch deployment:
1. Software update synchronization.
2. Creating Automatic deployment rule
3. Deployment of software update package.
4. Monitoring Software Updates.

1. Software update synchronization:
Microsoft releases security updates on the 2nd Tuesday of every month. We have to sync the SCCM Server with the Microsoft update site. The synchronizing procedure is as follows:
On the SCCM console, go to Software Library > All Software Updates > right click on it and select "Synchronize software updates".
Click Yes on the prompt.
The synchronization process can be viewed in WSYNCMGR.LOG
Location: Configuration Manager installation directory / Logs folder
Search Status codes:
- 6702 for success
- 6703 for failure
- 6701 for starting of the sync process
- 6704 in process
New with SCCM 2012, we can check the status of the sync on the console itself.
In the SCCM 2012 console, go to Monitoring > Software Update Point Synchronization Status > see the results on the right pane.
Software update groups are similar to Update lists in SCCM 2007 but provide more features within SCCM 2012.

2. Creating Automatic Deployment rule
The best way to manage monthly security patches automatically through SCCM is by creating an automatic deployment rule (ADR), new with SCCM 2012.
This post explains the end to end process on creation of the ADR.
The deployment package, software update group and deployment template are created in the ADR.
Updates can be manually deployed as well from the All Software Updates node as shown below. This process is somewhat similar to what we do in CM 2007.
a] Go to the All Software Updates node > click on Add criteria and select the appropriate updates by filtering through the updates.
The criteria that I have used here are:
* Product : Windows 7
* Required : yes
* Superseded : No
* Expired : No
* Bulletin ID : MS13-040
Select the filtered updates, right click on them and click on Create Software Update Group to create a new software update group.
b] Provide the name and description.
c] The newly created software update group is now available under the Software Update Groups node.
d] The members can be viewed by clicking on Show Members.
To download the updates, right click on the software update group (here, "Manual Windows 7 updates") and select Download.
The Download Software Updates wizard pops up.
e] Download Software Updates wizard: this wizard is similar to the one in CM 2007.
* Deployment package: Select "Create a new deployment package". Provide a name and package source (the network share where we have to download the software updates).
* Distribution point: Add distribution points from here.
* Distribution settings: Select the distribution priority.
* Download location: Select the source location: the Internet, or any network location where the software updates are already downloaded.
* Language selection: Select the applicable languages, click Next, review the summary and click Close to complete the wizard.
Now the updates are downloaded with either of the methods (ADR or manual) and are ready to be deployed.

3. Deployment of software update package.
Open Software Update Groups, select the update group, right click and click on Deploy.
This opens the Deploy Software Updates wizard. Enter the below details:
* General tab
Name, description, and the collection that has to be targeted.
* Deployment settings
This is similar to mandatory or available deployments. Here "Required" means mandatory.
* Scheduling
We can configure options like
--- UTC or client local time: I am going with client local time
--- Software available time: ASAP
--- Installation deadline: 1 week
* User experience
Set the following options
--- user notifications: specify how the software update is displayed or hidden
--- deadline behavior: whether to install during maintenance window
--- device restart behavior: whether to suppress restart on servers and workstations.
* Alerts
We can configure alerts to be generated by Configuration Manager when the client compliance is below a certain percentage. There are SCOM alerts as well if required.
Here, I am going with Configuration Manager alerts with minimum 95% client compliance.
* Download settings
Configure
--- whether the client will download the updates when on a slower boundary
--- whether to fail over to another content source location
--- whether to fail over to the Microsoft update site.
* Summary
Review the summary.
There is an option to save the settings as a template.
Click Next to complete the wizard.

4. Monitoring:
Now that the updates have been deployed, we can monitor them by navigating through the Monitoring node, new with SCCM 2012.
Go to the Monitoring node > Deployments > select the update and click on View Status.
A temporary node with the update name will appear; we can check the deployment status from here. Apart from this, we can create customized reports as in SCCM 2007 to find out the software update deployment and compliance status.
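
The WSYNCMGR.LOG status codes listed under section 1 can also be checked from a script, so that a failed or stale synchronization is noticed without opening the log. The PowerShell below is an added example, not part of the original post; the function names, the 7-day staleness threshold and the assumed log line layout (a `STATMSG: ID=<code>` field followed by a `<MM-dd-yyyy HH:mm:ss` timestamp) are assumptions, and the sample lines are constructed.

```powershell
# Added example: report Software Update Point sync health from wsyncmgr.log.
# Code meanings are the ones listed in this post.
$StatusMeaning = @{ 6701 = 'sync started';  6702 = 'sync succeeded'
                    6703 = 'sync failed';   6704 = 'sync in progress' }

function Get-SyncStatusEvent {
    param([string[]]$LogLine)
    foreach ($line in $LogLine) {
        # Assumed layout: "STATMSG: ID=<code> ..." then a "<MM-dd-yyyy HH:mm:ss" stamp.
        if ($line -match 'STATMSG: ID=(670[1-4])\b.*<(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})') {
            $code = [int]$Matches[1]
            [pscustomobject]@{
                Code    = $code
                Meaning = $StatusMeaning[$code]
                Time    = [datetime]::ParseExact($Matches[2], 'MM-dd-yyyy HH:mm:ss',
                              [cultureinfo]::InvariantCulture)
            }
        }
    }
}

function Get-SyncHealth {
    # MaxAgeDays is a hypothetical threshold; pick one that matches your sync schedule.
    param([string[]]$LogLine, [int]$MaxAgeDays = 7, [datetime]$Now = (Get-Date))
    $events = @(Get-SyncStatusEvent -LogLine $LogLine)
    if ($events.Count -eq 0) { return 'UNKNOWN: no sync status messages found' }
    $last   = $events[-1]    # the log is appended in chronological order
    $lastOk = $events | Where-Object Code -eq 6702 | Select-Object -Last 1
    if ($last.Code -eq 6703) { return "ALERT: sync failed at $($last.Time)" }
    if (-not $lastOk)        { return "ALERT: no successful sync in this log" }
    if (($Now - $lastOk.Time).TotalDays -gt $MaxAgeDays) {
        return "STALE: last successful sync was $($lastOk.Time)"
    }
    "OK: last successful sync $($lastOk.Time); latest status: $($last.Meaning)"
}

# Constructed sample lines (not taken from a real server).
$tail = 'SEV=I LEV=M COMP="SMS_WSUS_SYNC_MANAGER"  $$<SMS_WSUS_SYNC_MANAGER>'
$sample = @(
    "STATMSG: ID=6701 $tail<05-14-2013 22:00:01.512+-330><thread=4012 (0xFAC)>"
    "STATMSG: ID=6704 $tail<05-14-2013 22:03:40.118+-330><thread=4012 (0xFAC)>"
    "STATMSG: ID=6702 $tail<05-14-2013 22:19:27.903+-330><thread=4012 (0xFAC)>"
    "STATMSG: ID=6701 $tail<05-21-2013 22:00:02.004+-330><thread=4012 (0xFAC)>"
    "STATMSG: ID=6703 $tail<05-21-2013 22:00:09.771+-330><thread=4012 (0xFAC)>"
)
Get-SyncHealth -LogLine $sample[0..2] -Now ([datetime]'2013-05-16')   # healthy week
Get-SyncHealth -LogLine $sample       -Now ([datetime]'2013-05-22')   # failed sync
# On a site server: Get-SyncHealth -LogLine (Get-Content '<ConfigMgr install dir>\Logs\wsyncmgr.log')
```

A sync that has not succeeded since the last Patch Tuesday means newly released security updates never reach the All Software Updates node, so the "STALE" and "ALERT" results are the ones worth wiring into monitoring.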
This information is very helpful. Thank you.
Perfect Sir Ji... :)
"deadline behavior: whether to install during maintenance window" is wrong. It should be deadline behavior: whether to install outside of the maintenance window.