Thursday, August 16, 2012

Installing SUP for SCCM 2007


**screenshots to come soon**

Introduction
This document shows the generic installation steps to set up a Software Update Point on a Central site server. It also gives some guidance on how to set up your initial deployment. All changes to the SCCM environment should be thoroughly tested in a Lab environment that closely resembles the production environment.

Assumptions
This document assumes that the Operating System is still at the same level as per the last completed CMRAP which was Windows Server 2008 SP2. It also assumes that all of the clients in the environment have the latest WSUS Prerequisites for Software Updates and that the site servers are already configured with the appropriate prerequisites.


Install WSUS 3.0 SP2

Start Server Manager
Start > Administrative Tools > Server Manager


Select Roles and Click Add Roles


Select Windows Server Update Services and Click Next

Click Next
 
Click Install


Click Next when the WSUS setup screen appears


Accept the license agreement and click Next


Select the Updates directory and click Next

Select the DB location and click Next


Click Next after it confirms the connection


Leave the default setting and click Next


Click Next to Install

Click Finish


Click Cancel as all the configuration will be done from the SCCM console


Click Close



Add the SUP Role on Central Primary Server
Start the ConfigMgr Console

Expand [Site] > Site Settings > Site Systems and Right Click [Site Server] then click on New Roles


Leave the defaults and click Next


Select Software Update Point and click Next

If you have a proxy put in the appropriate settings otherwise leave as default and click Next


Tick use this server as the active software update point and click Next


Leave the default settings and click Next (NOTE: If you create any downstream Child Primary server in future, this option will be greyed out and Synchronize from an upstream server will be selected automatically)

Tick Enable synchronization on a schedule and click on Custom Schedule then select Customize


I recommend selecting a Weekly schedule of Wednesday at 8:00pm local time, as this not only picks up patches from Patch Tuesday every month but also picks up any out-of-band patches, and it runs after standard work hours at most companies.
Click OK


Click Next


Select the updates that are applicable to your company and click Next. Remember the more you select the bigger the database size and the longer it will take to synchronise.


Select the products you want to synchronise. Note that as Software Updates recognises new products this selection will grow, so you will need to check it perhaps once a month to see if any new products of note are available. The list will also be much larger once the initial synchronisation is complete. The same caution about DB size and sync time applies to this selection.


Select all appropriate languages and click Next

Double check the Settings and click Next


When it's complete click Close


Check the %SMSDIR%\Logs\SUPSetup.Log and ensure Installation was successful


Synchronize the SUP Point
NOTE: The following method is a good way to force synchronisation manually; however, you should use the schedule to run an initial scan if possible.

Open the ConfigMgr Console

Expand [Site] > Computer Management > Software Updates and Right Click [Update Repository] then click on Run Synchronization


Click Yes


Watch the %SMSDIR%\Logs\wsyncmgr.log and you should see the sync begin.
See the line sync:Starting WSUS synchronization
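
A scripted version of the log check above, as an added example that is not part of the original post: it finds the last "sync: Starting WSUS synchronization" entry and lists any later lines containing "fail" or "error". The function name, the problem keywords and the sample lines are assumptions made for illustration.

```powershell
# Added example (not from the original post). Works on PowerShell 2.0 and later.
function Get-LastSyncSummary {
    param(
        # AllowEmptyString: real logs can contain blank lines.
        [Parameter(Mandatory = $true)][AllowEmptyString()][string[]]$Lines,
        # Marker line quoted in this guide; whitespace after "sync:" is optional.
        [string]$StartPattern = 'sync:\s*Starting WSUS synchronization',
        # Assumption: lines worth reviewing contain one of these words.
        [string]$ProblemPattern = 'fail|error'
    )

    # Find the LAST sync start so results from older attempts are ignored.
    $startIndex = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match $StartPattern) { $startIndex = $i }
    }

    # Collect suspicious lines written after that start marker.
    $problems = @()
    if ($startIndex -ge 0 -and $startIndex -lt ($Lines.Count - 1)) {
        $tail = $Lines[($startIndex + 1)..($Lines.Count - 1)]
        $problems = @($tail | Where-Object { $_ -match $ProblemPattern })
    }

    New-Object PSObject -Property @{
        SyncStarted = ($startIndex -ge 0)
        StartLine   = $(if ($startIndex -ge 0) { $startIndex + 1 } else { $null })
        LinesAfter  = $(if ($startIndex -ge 0) { $Lines.Count - $startIndex - 1 } else { 0 })
        Problems    = $problems
    }
}

# Constructed sample lines (simplified; real entries carry component,
# timestamp and thread fields). The first attempt fails, the second does not.
$sample = @(
    'sync: Starting WSUS synchronization',
    'constructed: sync failed, will retry',
    'sync: Starting WSUS synchronization',
    'constructed: sync finished'
)
Get-LastSyncSummary -Lines $sample | Format-List

# Against the real log, replace <SMSDIR> with the site's install directory:
# Get-LastSyncSummary -Lines (Get-Content '<SMSDIR>\Logs\wsyncmgr.log') | Format-List
```

An empty Problems list with SyncStarted set to True means nothing matching the keywords was logged after the most recent start; it does not by itself prove the sync has finished.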

The Sync may take quite a while depending on how many products you have selected.
Once it is complete you will see the following entries in the log.

Configure SUP Point

Open the ConfigMgr Console

Expand [Site] > Site Management > Site Settings > Component Configuration and on the right window pane Right Click [Software Update Point Component] then click on Properties


This is where you can change all of the SUP configuration items.


Select the Products Tab. You may notice quite a few extra products have been added. Select all of the appropriate products that you want to synchronise for SUP and click OK. Then follow the steps above and run synchronization again. (Preferably run the sync via the schedule.)


As stated before, if you have added products, and each time you add more, it can take quite a while to synchronize.
See logs below.


Once synchronisation is complete you will need to allow time for, or force, your workstations and servers to update policy (ensure Client agent settings are enabled, see section 4.1.1) and run the Software Updates Scan Cycle. Use the %WINDIR%\System32\CCM\Logs\WUAHandler.log file (on 64 bit systems %WINDIR%\SysWOW64\CCM\Logs\WUAHandler.log) on the client to look at the scan cycle. This will identify what patches are required. (You may want to build a new workstation and/or server and run the scan to ensure all patches required are recognised.)




Enable Software Updates Client Agent
Start the ConfigMgr Console

Expand [Site] > Site Settings > Client Agents and in the right window pane Right Click Software Updates Client Agent then click on Properties

Tick Enable software updates on clients and set a simple or customised schedule as per business requirements, then select the Update Installation tab


Select Enforce all mandatory deployments if you want any current separate deployments with future deadlines within the specified period to also apply. Select the Deployment Re-evaluation tab.


Set the deployment re-evaluation schedule here and then click OK
 
Setup a New Deployment
Create a new blank Collection that you will use to point deployments to initially. (This should not contain any clients).


Expand [Site] > Computer Management > Software Updates > Right click on Deployment Templates and select New Deployment Template


Type in the name of the template and click Next

Select the Collection we created above and untick Include members of subcollections and Click Next


Choose your specific preferences to either allow display notifications or suppress them and whether to use Client local or UTC time. Be careful when using UTC time as clients in different time zones may install updates during business hours. When finished click Next


Again choose your specific preferences. Decide whether to suppress reboots for workstations or servers and whether you will allow a system restart outside of maintenance windows. When finished click Next


Unless you have SCOM in place and wish to Alert on failure or disable Ops Manager during updates leave these blank and click Next

Determine whether to allow slow or unreliable networks to download and install updates then click Next


Unless you have SMS 2003 clients in your environment and want to deploy to them leave this blank and click Next


Review the summary and click Next


Click Close

If you ever want to change the template just right click on it and select properties


Create a Search Folder
Rather than sifting through hundreds of updates you can create a search folder under Update Repository to search for specific updates. For the purposes of this document I will create a search folder that will look for Windows 7 and Office 2010 Updates that are required and not downloaded.
Expand Update Repository and Right Click on Search Folders and select New Search Folder

There are multiple options to choose from when creating the search folder. We will select the following:
Product: Windows 7, Office 2010
Update Classification: Critical Updates, Security Updates, Service Packs, Update Rollups and Updates
Downloaded: No
Expired: No
Required: [^0]
Tick Search all folders under this feature, name the Search Folder, then click OK.
(You can obviously set up as many Search folders as you like)

You should now see any Windows 7 and Office 2010 updates that meet the above criteria in the right window pane.

Create a Deployment
Highlight all of the updates in the Search Folder and click the right mouse button and select Deploy Software Updates


If any updates require License agreements select Accept License Terms and click OK


Name your Deployment and click Next

Select the template we created before or and click Next


Either select a current package or create a new package.
Enter the Name, description and package source then click Next. NOTE the package source folder must already exist.

Add appropriate Distribution points and click Next

If you have the updates locally select the location otherwise leave the default settings to download from the Internet.


Select appropriate languages and click Next


Select the appropriate options for this deployment as to when it will be available and whether you will set a deadline. Then click Next

Check the Summary and click Next


The updates will now download; this may take a while.


Once the updates have finished downloading click Close.

Expand Deployment Management and you will see the newly created deployment.

To edit the properties right click on the deployment and click Properties. Then just select the tab you wish to edit.

Treat the deployment as you would an advertisement by pointing it to an appropriate collection of clients to deploy the updates.

To add the updates to a new build you will need to ensure the deployment is pointing to a collection that either has the imported client or is pointing to the unknown computer collection. Otherwise the newly built client will not receive any updates.
You will also need to add the Install Software Updates option to your build Task Sequence

Choose whether you want to install just the mandatory updates or all available updates that are pointing to that collection.

Optional SUP Downstream Installations
Child Primary SUP Downstream Installation
As per the Central primary, WSUS prereqs must be met and installed. See Section 2.
Start the ConfigMgr Console

Expand [Site] > Site Settings > Site Systems and Right Click [Site Server] then click on New Roles


Enter the Site FQDN and click Next

Select Software Update point and Click Next


If you have a proxy put in the appropriate settings otherwise leave as default and click Next


Tick Use this server as the active software update point and click Next


As this is a downstream server the sync option will be greyed out. Click Next


Select the languages you want and click Next

Check the summary and click Next


Click Close


Check the %SMSDIR%\Logs\SUPSetup.Log and ensure Installation was successful


Check %SMSDIR%\Logs\wsyncmgr.log to ensure synchronisation is successful. Note that the initial sync may take some time to complete.
 
5.0.2 Secondary SUP Downstream Installation
Start the ConfigMgr Console

Expand [Site] > Site Settings > Site Systems and Right Click [Site Server] then click on New Roles


Insert the FQDN of the secondary Site and Click Next


Select Software Update Point and click Next

If you have a proxy put in the appropriate settings otherwise leave as default and click Next


Double check the Settings and click Next


Click Close


Check the %SMSDIR%\Logs\SUPSetup.Log and ensure Installation was successful


Open the ConfigMgr Console

Expand [Site] > Site Management > Site Settings > Component Configuration and on the right window pane Right Click [Software Update Point Component] then click on Properties


Select Active software update point on site server and ensure the port settings for WSUS are correct then click OK

Check %SMSDIR%\Logs\wsyncmgr.log to ensure synchronisation is successful. Note that the initial sync may take some time to complete.


Recommendations
1. You should not create a deployment with more than 500 updates.
2. Keep an eye on the size of your packages as they can get quite large. Updates will be downloaded from whichever package they sit in so you can have multiple patches over multiple packages.
3. Ensure your builds do not go past the 30 minute time limit when patching. Keep builds as up to date as possible. http://support.microsoft.com/kb/2009754
4. Setting up a downstream SUP point on your secondary sites or child primary allows clients to scan for updates at that SUP point rather than going back to the central primary to scan for updates.
5. On a client use the following log files to troubleshoot software update issues:
   WUAHandler.log
   UpdatesDeployment.log
   UpdatesHandler.log
6. All changes to the SCCM environment should be thoroughly tested in a Lab environment that closely resembles the production environment.

Appendix
Prerequisites for Software Updates
Software Updates in Configuration Manager
Prerequisites for Installing Configuration Manager
ConfigMgr 2007: The Install Software Update task in an Configuration Manager 2007 OSD Task Sequence fails after exactly 30 minutes
