**screenshots to come soon**
Introduction
This document shows the generic installation steps to set up a Software
Update Point on a Central site server. It also gives some guidance on how
to set up your initial deployment. All changes to the SCCM environment
should be thoroughly tested in a Lab environment that closely resembles
the production environment.
Assumptions
This document assumes that the Operating System is still at
the same level as per the last completed CMRAP which was Windows Server 2008
SP2. It also assumes that all of the clients in the environment have the latest
WSUS Prerequisites for Software Updates and that the site servers are already
configured with the appropriate prerequisites.
Install WSUS 3.0 SP2
Start Server Manager
Start > Administrative Tools > Server Manager
Select Roles and Click Add Roles
Select Windows Server Update Services and Click Next
Click Next
Click Install
Click Next when the WSUS setup screen appears
Accept the license agreement and click Next
Select the Updates directory and click Next
Select the DB location and click Next
Click Next after it confirms the connection
Leave the default setting and click Next
Click Next to Install
Click Finish
Click Cancel as all the configuration will be done from the
SCCM console
Click Close
Add the SUP Role on Central Primary Server
Start the ConfigMgr Console
Expand [Site] > Site Settings > Site Systems and Right
Click [Site Server] then click on New Roles
Leave the defaults and click Next
Select Software Update Point and click Next
If you have a proxy put in the appropriate settings
otherwise leave as default and click Next
Tick use this server as the active software update point and
click Next
Leave the default settings and click Next (NOTE: If you create any
downstream Child Primary server in future, this option will be greyed out
and the Synchronize from an upstream server option will be selected
automatically)
Tick Enable synchronization on a schedule and click on
Custom Schedule then select Customize
I recommend selecting a Weekly schedule of Wednesday at 8:00pm local time,
as this allows you to pick up not only the patches from Patch Tuesday every
month but also any out-of-band patches, and it will run after standard work
hours at most companies.
Click OK
Click Next
Select the updates that are applicable to your company and
click Next. Remember the more you select the bigger the database size and the
longer it will take to synchronise.
Select the products you want to synchronise. Note that as Software Updates
recognises new products this selection will grow, so you will need to check
this perhaps once a month to see if any new products of note are available.
Also the list will be much larger once the initial synchronisation is
complete. DB size and sync time considerations apply to this selection as
well.
Select all appropriate languages and click Next
Double check the Settings and click Next
When it's complete click Close
Check the %SMSDIR%\Logs\SUPSetup.Log and ensure Installation
was successful
Synchronize the SUP Point
NOTE: The following method is a good way to force synchronisation manually;
however, you should use the schedule to run an initial scan if possible.
Open the ConfigMgr Console
Expand [Site] > Computer Management > Software Updates and Right Click
[Update Repository] then click on Run Synchronization
Click Yes
Watch the %SMSDIR%\Logs\wsyncmgr.log and you should see the
sync begin.
See the line sync:Starting WSUS synchronization
The Sync may take quite a while depending on how many
products you have selected.
Once it is complete you will see the following entries in
the log.
Configure SUP Point
Open the ConfigMgr Console
Expand [Site] > Site Management > Site Settings >
Component Configuration and on the right window pane Right Click [Software
Update Point Component] then click on Properties
This is where you can change all of the SUP configuration
items.
Select the Products Tab. You may notice quite a few extra
products have been added. Select all of the appropriate products that you want
to synchronise for SUP and click OK. Then follow the steps above and run
synchronization again. (Preferably run synch via schedule.)
As stated before, each time you add more products it can take quite a
while to synchronize.
See logs below.
Once synchronisation is complete you will need to allow time for, or force,
your workstations and servers to update policy (ensure Client agent
settings are enabled, see section 4.1.1) and run the Software Updates Scan
Cycle. Use the %WINDIR%\System32\CCM\Logs\WUAHandler.log (on 64 bit systems
%WINDIR%\SysWOW64\CCM\Logs\WUAHandler.log) file on the client to look at the
scan cycle. This will identify what patches are required. (You may want to
build a new workstation and/or server and run the scan to ensure all
patches required are recognised.)
Enable Software Updates Client Agent
Start the ConfigMgr Console
Expand [Site] > Site Settings > Client Agents and in
the right window pane Right Click Software Updates Client Agent then click on
Properties
Tick Enable software updates on clients and set a simple or customised
schedule as per business requirements then select the Update Installation
tab
Select Enforce all mandatory deployments if you want any
current separate deployments with future deadlines within the specified period
to also apply. Select the Deployment Re-evaluation tab.
Set the deployment re-evaluation schedule here and then
click OK
Setup a New Deployment
Create a new blank Collection that you will use to point
deployments to initially. (This should not contain any clients).
Expand [Site] > Computer Management > Software Updates
> Right click on Deployment Templates and select New Deployment Template
Type in the name of the template and click Next
Select the Collection we created above and untick Include
members of subcollections and Click Next
Choose your specific preferences to either allow display notifications or
suppress them and whether to use Client local or UTC time. Be careful when
using UTC time as clients in different time zones may install updates
during business hours. When finished click Next
Again choose your specific preferences. Decide whether to suppress reboots
for workstations or servers and whether you will allow a system restart
outside of maintenance windows. When finished click Next
Unless you have SCOM in place and wish to Alert on failure
or disable Ops Manager during updates leave these blank and click Next
Determine whether to allow slow or unreliable networks to
download and install updates then click Next
Unless you have SMS 2003 clients in your environment and
want to deploy to them leave this blank and click Next
Review the summary and click Next
Click Close
If you ever want to change the template just right click on
it and select properties
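The UTC caution in the template steps above can be checked before a deadline is set. The following PowerShell is an added example, not part of the original post: it converts one UTC deadline into the local time of each site's time zone and flags the sites where it lands inside working hours. The function name `Get-LocalDeadline`, the sample deadline, the zone list and the 08:00 to 18:00 working day are all assumptions chosen for illustration.

```powershell
# Added example: where does one UTC deadline land on clients in other time zones?
# All values in the sample call (deadline, zones, business hours) are constructed.

function Get-LocalDeadline {
    param(
        [Parameter(Mandatory = $true)] [datetime] $DeadlineUtc,
        [Parameter(Mandatory = $true)] [string[]] $TimeZoneId,
        [int] $BusinessStartHour = 8,    # assumed start of the working day
        [int] $BusinessEndHour   = 18    # assumed end of the working day
    )

    # Treat the supplied value as UTC regardless of how it was parsed.
    $utc = [datetime]::SpecifyKind($DeadlineUtc, [System.DateTimeKind]::Utc)

    foreach ($id in $TimeZoneId) {
        # Windows time zone IDs; the conversion applies each zone's DST rules.
        $zone  = [System.TimeZoneInfo]::FindSystemTimeZoneById($id)
        $local = [System.TimeZoneInfo]::ConvertTimeFromUtc($utc, $zone)

        $weekend   = @([System.DayOfWeek]::Saturday, [System.DayOfWeek]::Sunday)
        $isWeekday = $weekend -notcontains $local.DayOfWeek
        $inHours   = ($local.Hour -ge $BusinessStartHour) -and
                     ($local.Hour -lt $BusinessEndHour)

        [pscustomobject]@{
            TimeZone        = $id
            LocalDeadline   = $local.ToString('ddd yyyy-MM-dd HH:mm')
            InBusinessHours = ($isWeekday -and $inHours)
        }
    }
}

# Constructed sample: a deadline that is late evening in London.
$sites = 'GMT Standard Time', 'AUS Eastern Standard Time', 'Pacific Standard Time'

Get-LocalDeadline -DeadlineUtc '2010-03-10T22:00:00' -TimeZoneId $sites |
    Format-Table -AutoSize
```

Any row with InBusinessHours set to True is a site where a UTC-based deadline would install updates, and possibly restart machines, during the working day; use Client local time for a template that covers those sites.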
Create a Search Folder
Rather than sifting through hundreds of updates you can
create a search folder under Update Repository to search for specific updates.
For the purposes of this document I will create a search folder that will look
for Windows 7 and Office 2010 Updates that are required and not downloaded.
Expand Update Repository and Right Click on Search Folders
and select New Search Folder
There are multiple options to choose from when creating the search folder;
we will select the following:
Product: Windows 7, Office 2010
Update Classification: Critical Updates, Security Updates, Service Packs, Update Rollups and Updates
Downloaded: No
Expired: No
Required: [^0]
Tick Search all folders under this feature
And name the Search Folder then click OK
(You can obviously set up as many Search folders as you like)
You should now see any Windows 7 and Office 2010 updates
that meet the above criteria in the right window pane.
Create a Deployment
Highlight all of the updates in the Search Folder and click
the right mouse button and select Deploy Software Updates
If any updates require License agreements select Accept
License Terms and click OK
Name your Deployment and click Next
Select the template we created before and click Next
Either select a current package or create a new package.
Enter the Name, description and package source then click
Next. NOTE the package source folder must already exist.
Add appropriate Distribution points and click Next
If you have the updates locally select the location
otherwise leave the default settings to download from the Internet.
Select appropriate languages and click Next
Select the appropriate options for this deployment as to
when it will be available and whether you will set a deadline. Then click Next
Check the Summary and click Next
The updates will now download; this may take a while.
Once the updates have finished downloading click Close.
Expand Deployment Management and you will see the newly
created deployment.
To edit the properties right click on the deployment and
click Properties. Then just select the tab you wish to edit.
Treat the deployment as you would an advertisement by
pointing it to an appropriate collection of clients to deploy the updates.
To add the updates to a new build you will need to ensure
the deployment is pointing to a collection that either has the imported client
or is pointing to the unknown computer collection. Otherwise the newly built
client will not receive any updates.
You will also need to add the Install Software Updates
option to your build Task Sequence
Choose whether you want to install just mandatory or all available updates
which are pointing to that collection.
Optional SUP Downstream Installations
Child Primary SUP Downstream Installation
As per the Central primary, WSUS prereqs must be met and installed. See
Section 2
Start the ConfigMgr Console
Expand [Site] > Site Settings > Site Systems and Right
Click [Site Server] then click on New Roles
Enter the Site FQDN and click Next
Select Software Update point and Click Next
If you have a proxy put in the appropriate settings
otherwise leave as default and click Next
Tick Use this server as the active software update point and
click Next
As this is a downstream server the synch option will be greyed out; click
Next
Select the languages you want and click Next
Check the summary and click Next
Click Close
Check the %SMSDIR%\Logs\SUPSetup.Log and ensure Installation
was successful
Check %SMSDIR%\Logs\wsyncmgr.log to ensure synchronisation is successful.
Note this may take some time to complete the initial synch.
5.0.2 Secondary SUP Downstream Installation
Start the ConfigMgr Console
Expand [Site] > Site Settings > Site Systems and Right
Click [Site Server] then click on New Roles
Insert the FQDN of the secondary Site and Click Next
Select Software Update Point and click Next
If you have a proxy put in the appropriate settings
otherwise leave as default and click Next
Double check the Settings and click Next
Click Close
Check the %SMSDIR%\Logs\SUPSetup.Log and ensure Installation
was successful
Open the ConfigMgr Console
Expand [Site] > Site Management > Site Settings >
Component Configuration and on the right window pane Right Click [Software
Update Point Component] then click on Properties
Select Active software update point on site server and
ensure the port settings for WSUS are correct then click OK
Check %SMSDIR%\Logs\wsyncmgr.log to ensure synchronisation is successful.
Note this may take some time to complete the initial synch.
Recommendations
Identifier Notes
1. You should not create a deployment with more than 500 updates.
2. Keep an eye on the size of your packages as they can get quite large.
Updates will be downloaded from whichever package they sit in so you can
have multiple patches over multiple packages.
3. Ensure your builds do not go past the 30 minute time limit when
patching. Keep builds as up to date as possible.
http://support.microsoft.com/kb/2009754
4. Setting up a downstream SUP point on your secondary sites or child
primary allows clients to scan for updates at that SUP point rather than
going back to the central primary to scan for updates.
5. On a client use the following log files to troubleshoot software update
issues:
WUAHandler.log
UpdatesDeployment.log
UpdatesHandler.log
6. All changes to the SCCM environment should be thoroughly tested in a Lab
environment that closely resembles the production environment.
Appendix
Prerequisites for Software Updates
Software Updates in Configuration Manager
Prerequisites for Installing Configuration Manager
ConfigMgr 2007: The Install Software Update task in an Configuration Manager 2007 OSD Task Sequence fails after exactly 30 minutes
Thanks! Very detailed and informative