How To Deploy Software Updates Using SCCM 2012 R2

In this post we will look at the steps to deploy software updates using SCCM 2012 R2. Deploying software updates to computers is essential: major software vendors release them to address security vulnerabilities in their existing products. To stay protected against cyber-attacks and malicious threats, it is very important to keep computers patched with the latest software updates. Software updates in System Center 2012 R2 Configuration Manager provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise.
Talking about software updates, SCCM 2012 R2 adds a few new features, including a new maintenance window dedicated to software updates installation. This lets you configure a general maintenance window and a different maintenance window for software updates.
When a general maintenance window and a software updates maintenance window are both configured, clients install software updates only during the software updates maintenance window. A new feature called Software updates preview lets you review the software updates before you create the deployment.

There are 2 ways to deploy software updates using SCCM 2012 R2: Manual and Automatic. In Manual software updates deployment, a set of software updates is selected in the Configuration Manager console and these updates are deployed to the target collection, whereas Automatic software updates deployment is configured by using automatic deployment rules. The automatic method is used for deploying monthly software updates and for managing definition updates. When the rule runs, the software updates that meet the specified criteria (for example, all security software updates released in the last week) are added to a software update group, the content files for the software updates are downloaded and copied to distribution points, and the software updates are deployed to client computers in the target collection.
In this post we will see the steps to deploy software updates manually; automatic software updates deployment will be covered in a separate post. To start with, install the Software Update Point role. Launch the Configuration Manager Console, click on Administration, expand Overview, click Site Configuration, click on Sites. At the top ribbon click on Add Site System Roles. From the Add Site System Roles Wizard, click on Software Update Point and click Next. For WSUS Configuration, select WSUS is configured to use ports 8530 and 8531 for client communications and click Next.
When you install WSUS, you can specify whether to use the default Internet Information Services (IIS) website or create a new custom WSUS website. As a best practice, select Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in a dedicated website instead of sharing the same website with other Configuration Manager site systems or other software applications. When you use a custom website for WSUS 3.0, WSUS configures port 8530 for HTTP and port 8531 for HTTPS.
You must specify these port settings when you create the software update point for the site. For WSUS Server Connection Account, click Use credentials to connect to the WSUS server, click on Set and choose the account. The account provides authenticated access from the site to WSUS server. Click Synchronize from Microsoft Update and click Next. Click Enable synchronization on a schedule and let the schedule be set to default (simple schedule). You may also click Alert when sync fails on any site in hierarchy.
For Supersedence behavior, select Immediately expire a superseded software update. Select Critical Updates, Definition Updates and Security Updates. Note that you can do this after installation of SUP. Choose the products that you want to synchronize; in this step I have selected Windows 7 and Forefront Endpoint Protection 2010. Choose the desired language, click Next. The Software Update Point role has been installed.
In the Configuration Manager console, click Software Library, expand Overview, click Software Updates, click All Software Updates and at the top ribbon click Synchronize Software Updates. To see what is happening in the background, keep 2 log files open: wsyncmgr.log and WCM.log. In the wsyncmgr.log file we can see that WSUS is synchronizing the categories and updates. Once the synchronization is completed, the software updates can be seen when you click the All Software Updates option in the CM Console.
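One way to check the two logs named above without reading them line by line, as an added example that is not part of the original post: it parses the CMTrace entry layout these logs use and returns warnings, errors and "Sync failed" entries. The function names, the constructed sample entries and the log path in the last comment are assumptions; it needs PowerShell 3.0 or later.

```powershell
# Added example: triage wsyncmgr.log / WCM.log text. Each entry has the layout
#   <![LOG[message]LOG]!><time=".." date=".." component=".." context="" type="N" thread=".." file="..">
# where type 1 = information, 2 = warning, 3 = error.

function ConvertFrom-CMLogText {
    param([Parameter(Mandatory)][string]$Text)

    # Singleline lets a message span several physical lines (stack traces do).
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"' +
               '\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'
    $options  = [System.Text.RegularExpressions.RegexOptions]::Singleline
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

    foreach ($m in [regex]::Matches($Text, $pattern, $options)) {
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = ($m.Groups['time'].Value -split '[+-]')[0]   # drop the UTC offset suffix
            Component = $m.Groups['comp'].Value
            Severity  = $severity[$m.Groups['type'].Value]
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

function Get-CMSyncProblem {
    param([Parameter(Mandatory)][string]$Text)

    # Keep anything logged above information level, plus any "Sync failed" message
    # in case it was written with an information type.
    ConvertFrom-CMLogText -Text $Text |
        Where-Object { $_.Severity -ne 'Info' -or $_.Message -like 'Sync failed*' }
}

# Constructed sample entries (messages taken from the failures quoted in the comments
# on this page; timestamps, thread ids and file attributes are made up).
$sample = @'
<![LOG[Successfully connected to server: server, port: 8530, useSSL: False]LOG]!><time="23:44:58.101+000" date="03-20-2014" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="1" thread="3976" file="sample:0">
<![LOG[Remote configuration failed on WSUS Server.]LOG]!><time="23:45:02.310+000" date="03-20-2014" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="3" thread="3976" file="sample:0">
<![LOG[Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.
Source: CWSyncMgr::DoSync]LOG]!><time="23:45:10.454+000" date="03-20-2014" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="3976" file="sample:0">
<![LOG[Sync failed. Will retry in 60 minutes]LOG]!><time="23:45:10.500+000" date="03-20-2014" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="3976" file="sample:0">
'@

Get-CMSyncProblem -Text $sample |
    Format-Table Date, Time, Component, Severity, Message -Wrap

# On a site server, feed in the real file instead. The path below is an assumption
# and depends on where Configuration Manager was installed:
# Get-CMSyncProblem -Text (Get-Content -Raw 'C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log')
```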
Note that the updates are yet to be downloaded. We will not deploy all of the updates; instead we will filter them by adding criteria. Click on Add criteria. Select Expired, Product, Superseded, Bulletin ID. Choose the product as Windows 7, Bulletin ID as MS, Expired as NO, Superseded as NO.
Now select all the updates (hold Shift+Page Down), right click on the updates and click Create Software Update Group. Name the software update group Windows 7 Update Group. Click Create. Click on Software Update Group and you will find the software update group that was created in the previous step. Right click on the Windows 7 Update Group and click Deploy. On the Deploy Software Updates Wizard, provide a Deployment Name and description, and choose the collection to which this software update deployment must be deployed.
Set the Type of deployment as Required; the detail level can be set to Only success and error messages. Click Next. Configure the schedule for this deployment and set the Time based on to Client local time. Set Software available time to a specific time and set the Installation deadline to as soon as possible. On the User Experience page, you can choose to suppress the restart for Servers or Workstations. For Deployment options, if a client is within a slow or unreliable network boundary then select Download software updates from distribution point and install. If the updates are not available on the preferred DPs then select Download and install software updates from the fallback content source location.
Create a new deployment package by providing a name, location for the Package source and Sending priority. Add the Distribution Point and click Next. For Download Location choose Download software updates from the Internet.
Choose the language and click Next. The wizard will now download the updates and deploy them to the collection as per the schedule defined. Click on Close to close the wizard. After a few minutes we see that the updates are installed on one of the client machines in the collection and there is a notification that the system needs to be restarted. You can choose to restart the computer by choosing Restart now or you can choose Snooze and remind me again in hours.

Actually even once you also sent me below link for all log files & WSUSsyncmgr.log mentioned here. Some details of log file of this link & might be sccm 2007 log file?

Hi Prajwal, I have started working on SCCM recently and found your posts are very helpful. Now I am trying to put those information which I found very helpful when someone would be trying to solve them. For example, if somebody is using Windows 2008 R2 + SCCM 2012 SP1 (as per my experience), he may find these errors on ccm.log – Looking for WSUS SP2 + KB2734608 + KB2720211. What happens here is that even if the WSUS SP2 console has already been installed, the other patches (KB2734608 & KB2720211) also need to be installed first. There are processes also some procedures for installing them.
The IIS and WSUS services need to be stopped before attempting to install them. Once they are installed, those services can be started. Details can be found in the Microsoft KB article – Hope this could be helpful for somebody.

I install sccm 2012 SP1 to have a primary site – I need to deploy remote branch distribution points to be working instead of adding a child SCCM in those remote sites. I need your step by step to do that? Also what other sccm roles recommended this Distribution point will have?? I have a compatibility issue between sccm 2012 sp1 and windows 8.1 client to deploying EP protection 2012 – do I need migration to sccm 2012 R2? If this is the solution please I need your full steps to migrate from sp1 to R2 – my OS is windows server enterprise 2008 R2. Thank you.

My English is a little low.
Please note that. Below is red line in log file. Repeat to error log.

Wsyncmgr.log
Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.
Source: CWSyncMgr::DoSync STATMSG: ID=6703 SEV=E LEV=M SOURCE=”SMS_WSUS_SYNC_MANAGER” SYS=CM-WSUS.sc2012.local SITE=SYS PID =768 TID=3976 GMTDATE=FRI 3 20 23:45:10.454 2014 ISTRO=”CWSyncMgr::DoSync” ISTR1=”WSUS server not configured. Please refer to WCM.log for configuration error details.”ISTR2=””ISTR3=””ISTR4=””ISTR5=””ISTR6=””ISTR7=””ISTR8=””ISTR9=”” NUMATTRS=0
Sync failed. Will retry in 60 minutes

WCM.log
System.Data.SqlClient.SqlException (0x80131904): Can’t connect SQL Server to Network or Instance error. Can’t search for Server or can’t Access. Done using SC2012 Administrator credentials.
Remote configuration failed on WSUS Server.

WUAHandler.log
ONSearchComplete – Failed to end search job Error = 0x8024401c.
Scan failed with error = 0x8024401c.

But I success ping test from SQL Server to SCCM Server. And disable public on SCCM Server after Partly successful Windows Update list display on client.
However, does not display all Windows Update list on client and server. In my opinion, I Deployment SCCM with private and public ethernet.
It results setting public on SQL Server TCP/IP and SCCM Server. After disable public and change SQL Server TCP/IP from private to public and disable to SCCM Server. May be It seems IP is twisted.

Hi Prajwal, As application deployment as we add DP, I deployed windows 7 updates, or server updates fine without add DP (Distribution group name). Is it recommended to add DP because I am not able to push WINDOWS 8.1 updates? Wuahandler.log: error=0x8024401c. (stand for GP error?) (2) some windows 7 client error status id (11423) & last error code (-) Error description: Network connection: windows update agent encountered Transient network connection-related error.
Client system need to update any windows update agent.? Or SCCM client agent issue.? My SCCM 2012 r2 agent are updated with R2 agent. Kindly give the inputs.
Regards, Arshad.

Hi Arshad, I read about the update KB2919355. “Microsoft plans to issue an update as soon as possible that will correct the issue and restore the proper behavior for Windows 8.1 Update KB 2919355 scanning against all supported WSUS configurations. Until that time, we are delaying the distribution of the Windows 8.1 Update KB 2919355 to WSUS servers. You may still obtain the Windows 8.1 Update (KB 2919355) from the Windows Update Catalog or MSDN. However, we recommend that you suspend deployment of this update in your organization until we release the update that resolves this issue.” Prajwal Desai

Wuahandler.log text details:(dated ), os windows 8.1 ![LOG[Async searching completed.]LOG]!> so this error stand for GP correct (Code= 0x8024410c).?
If yes after admin disable the GP from Domain Controller After changed the “Configure Automatic Update” from GPO to Not Configure we are lost the control of windows update now, many machine get the update (windows 8) from Internet. If required I will send the text of new current update log file tomorrow. Best Regards, Arshad.

Hi Prajwal, As My sccm 2012 R2 Server.
Now I checked your above comments on GPO. (sccm 2012 local policy) & AD GP policy. My case also all client not able reach the deploy updates, later discover the GPO issue according to the client Log & also sccm log files, sccm Reports (scan reports, deploy reports). Now I completely disable the GP of AD. So SCCM 2012 R2 having client local polices Exist, so I hope when I test as deploy updates for clients it will work fine.? (2) Sccm 2012 R2 all Kind of (exchange connector) Mobile devices it support.
My Exchange 2013 & Present I am able to see only 36 Mob Devices. If having any MS article for all type of Mob device support, please share the link or steps. (3) I would like to install Management pack for Exchange 2013 & Lync 2013 on SCOM 2012 R2. Please provide me download link & steps for installation guide.
(3) after upgrade sccm 2012 sp1 to sccm 2012 R2 some of my clients shows as inactive. If I try to manually install the Client SCCM R2 & refresh the service, configuration policy, it will be fine? (4) some of the clients I am not able to connect remotely (remote client option) from sccm 2012 R2, what could be the reason. (no firewall but Kaspers 10.2 issue.?) Thanking You in Advance.

I added WSUS role on SCCM server, installed SUP role, configured it and did synchronize software updates (security, critical and definition updates for Windows 7). I have chosen all non-expired and non-superseded and put them into new software update group, and, finally deployed it to target collection with one Windows 7 machine. However nothing happened on machine – I noticed in WU in CP info Windows is up to date and in installed updates list I saw many updates installed on November 10th, however not using SCCM but probably online from MS since I installed SUP yesterday. Also I can manually change update settings – they are not grayed-out as it was the case when “normal” WSUS server is deployed.
Logs are here.

Prajwal, I solved my problem – updates were successfully deployed to my test collection. However two things bother me. First why update settings in Control Panel – Windows Update on client machines are not grayed-out. Secondly in Software Center user can follow update progress but if user clicks on installed update that requires restart in lower-right corner there is a button RESTART – I did not try but it probably would have restarted machine regardless of installation process of other updates that was in progress. I did not find any settings in SCCM client related to this “weird” behaviour. I assume this is not normal situation on clients.
Answer to your question – I do not have dedicated WSUS server, WSUS is on SCCM server itself.

Hi Prajwal, I have always had the most problems with software updates and SCCM. I have followed each step of the guide without issue thus far. I’m not sure that updates are getting to my 2008 R2 servers. I have created a software update group for deployment of critical updates to my 2012 R2 servers, and it appears that these updates showed up on the 2012 servers in the software center. I had to reboot each of them individually to finish the updates because I misconfigured the restart option I believe, but minor inconvenience. I can not seem to see any updates being deployed to the 2008 R2 servers?
I didn’t have windows update setup on any of the servers, they have all never accessed windows update. Can you give some advice as to how to check that the updates are making it to the 2008 servers or are not making it there. Also, I saw the updates in the Software Center of the 2012 servers waiting for reboot, but once they rebooted and completed the installation of the updates, I didn’t see anything in Installed Software tab of the Software Center. I’d appreciate any help with the software updates as it’s always been the hardest thing to administer for me.

Hi Prajwal, I hope you can help me. I have configured SCCM 2012 R2 in my lab on a Windows Server 2008 R2 Operating system.
I have installed the “Software Update Point” service and have successfully downloaded and filtered the patch for a Windows 7 Client sitting in my lab, as per the instructions above. For some reason my Windows 7 Client when polling is not picking up the patches that have been created as a deployment Package. Any help would be much appreciated. Just to confirm if I click on “Configuration Manager” on the Windows 7 Client and go to “Sites” then find site this returns a message saying that configuration manager has found a site to manage this client. Many Thanks Jag.

SCCM is complaining that the WSUS server cannot be contacted. I check IIS and there is no WSUS server running.
I have reinstalled WSUS twice now, and there is no such step prompting me to “Create a Windows Server Update Services 3.0 Web site”. It’s not there. This is installing it from the add roles and features section of the Server Manager in server 2012 R2. The error I’m getting in the event log is this: “On 3/12/2015 12:21:25 PM, component SMS_WSUS_CONTROL_MANAGER on computer blah reported: WSUS Control Manager failed to configure proxy settings on WSUS Server “blah”. Possible cause: WSUS Server version 3.0 SP2 or above is not installed or cannot be contacted.
Solution: Verify that the WSUS Server version 3.0 SP2 or greater is installed. Verify that the IIS ports configured in the site are same as those configured on the WSUS IIS website.You can receive failure because proxy is set but proxy name is not specified or proxy server port is invalid.” Google is turning up no hints about how to resolve this issue.

Yes, the updates DID not get to the client computers. I followed all the step above and created a Software Update Group with few updates, deployed to a test collection (couple clients Windows 7).
Everything seemed no errors, but when I went to the client’s Software Center, there is nothing in there and nothing happened. What log in SCCM server and log in the clients should I log for errors. I’ve been struggling with this issues for days. Today, I tried to create ADRs (one for Windows 7, one for Windows Server 2008), and It’s still not working. I see no updates (patches) listed in the Software Update group.

Hello Prajwal, Thank you for your documentations – these are really handy. I am having lot of problems downloading Windows updates for patching process via SCCM 2012.
I select the product for which I want to download the updates for Patching. After that I create a software group – no issues so far. Then I go ahead and create a deployment package for the update where it fails saying – The Deploy Software Updates Wizard completed with Errors. The irony is that sometimes it will work fine, sometimes it will fail in the middle of downloading updates & sometimes it will fail completely. I have made sure that our SCCM server has access to the web as well.
I checked PatchDownloader.log file and it shows the following error:
HttpQueryInfo HTTP_QUERY_CONTENT_LENGTH failed 12150
Download to C:\Users\Test\AppData\Local\Temp\CAB75A1.tmp returns 12150
ERROR: DownloadContentFiles() failed with hr=0x80072f76
The above error sometimes will come up straight away or it will come up in the middle of downloading updates and the process will stop. I have also checked the directory where the update files will be stored has appropriate permission.
I am lost here.

Assuming all steps have been completed without errors and you still are not getting the updates to the client: If you have created the deployment packages and nothing is happening on your client you can run the Software Updates Deployment Evaluation cycle on the client machine from “Actions” in the Configuration Manager client app. Remember that the default client settings are to poll for updates every 7 days as of 1/2/1970. Praj, it may be worth adding this small step to your instructions. It seems a lot of people are just waiting expecting it to kick off in a few minutes like you have stated: “After few minutes we see that the updates are installed on one the client machines in the collection and there is a notification that system needs to be restarted.” Once I run this, updates start to appear in software center. SUCCESS Thanks.

Hello Prajwal, I am currently installing a newer version of SCCM 2012 in our dev environment before it goes to production. We originally had 2007 but I have not migrated anything with the old version, this is a fresh install.
I am trying to connect my WSUS server which is on a different box to my newly built 2012 sccm box. I have tried connecting using your guide and noob.com guide and to no avail, I have not succeeded. This is very baffling as the 2007 box connected with no problems. Do I need a fresh install of the WSUS server????

Hi Prajwal, I’ve done a deployment, and it’s saying deployed in the deployment package, however the client doesn’t appear to be receiving the updates (the updates have been downloaded to the “sources/updates/windows 7” folder on the SCCM server). I took a look at UpdatesDeployment.log on the client however nothing seems to be standing out (the only thing would be “No current service window available to run updates assignment with time required = 1”). Any help would be greatly appreciated. Thanks, Stephen.

When I create the collection, within a few days I receive an error on the distribution site that there is a file missing from the folder and then the deployments fail.
I created a patch distribution for Adobe Products and it worked this past Friday, but today when I came in, the deployment package that I created was displaying an error and it failed. It fails for the same reason in that there is a file missing from the folder.
I am not sure why this is happening as I am not doing anything to these folders once I create them. I am using SCCM 2012 R2 and following your steps. I have 3 update packages that are now failing on a regular basis. Am I causing the issue by adding additional selected patches from the “All Software Updates” section and “right click” and “Update Membership”? I am having to re-create these almost now on a weekly basis and am not sure what I may be doing wrong. If you would, let me know what further logs or information you may need to help point me in the right direction.

I am just starting to wade into the SCCM pool, and have a question about applying Monthly Windows updates. I believe that my problem lies with the Scan Agent and getting Updates to be detected as required etc. After the process runs everything comes back as Not Required. I have manually installed at least one of the problematic patches successfully, so they are needed.

Hi Prajwal – Thank you for sharing this post, I’ve found it very helpful 🙂 I think I’m clear on all the steps except for the package source. According to technet, I need to manually create the shared folder for the deployment package source files:

Deployment package source: Specifies the location of the software update source files. When the deployment is generated, the source files are compressed and copied to the distribution points that are associated with the deployment package.
The source location must be entered as a network path (for example, \\server\sharename\path), or the Browse button can be used to find the network location. The shared folder for the deployment package source files must be manually created before proceeding to the next page.

Do I just need to right click in the Updates directory and create the new folder then reference it in the Package Source location in SCCM?

My WSUS sync isn’t working after a restore.
Here are the following logs. I was able to remove Adobe by unchecking it and resyncing but I can’t get rid of the Java JRE Client. WCM Log Subscription contains categories unknown to WSUS.~ $$ Failed to set Subscriptions on the WSUS Server.
Error:(-)Unspecified error~ $$. Successfully connected to server: server, port: 8530, useSSL: False $$ Category Company:94d731de-22a6-4458-dc4d-b5267de026fc (Adobe Systems, Inc.) not found on WSUS $$ Category Product:b1d1a5ca-37c4-5805-b271-367467ef10f5 (Java JRE Client) not found on WSUS $$ Starting WSUS category sync from upstream $$Microsoft.SystemsManagementServer.WSUS.WSUSMSPException: WSUS sync failed with UssNotFound: ~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.IsSyncRunning() $$ Failed to set Subscriptions on the WSUS Server.
Error:(-)Unknown error 0x80131500~ $$. I was able to get that to work. Now when I synced SCCM to WSUS I only see Windows 7 updates. I looked in WSUS and have multiple categories and products as far as software updates.
I noticed that my WSUS content folder only contained a few folders. I’m not sure what else to do. This is all after a restore.
I think I failed to install SCCM on the correct drive during the restore. I also don’t see my servernamesorcefolder. Should I just start the restore over? Is it difficult to uninstall WSUS?

I have the same issue. Tried deploying updates and it says on the configuration that the deployment was successful, and on the “Title” list where the deployed update was listed under the “Downloaded” and “Deployed” tab there was a “YES” statement. My problem is that no notification from “System Center” on the client machine. I think I missed steps on how to install System Center on the client. How can I see System Center on my client and is there any way that I can do to verify and check if the updates are really deployed on my client machine? Thanks and more power!

• Machine Name
• Username
• Make
• Model
• Architecture
• RAM
• Publisher
• Program
• Version
• Install Date
• Product ID

You can add and remove any of these columns where you feel the need to customise them, but for this guide these are what we will use. Running our first query will bring back a huge amount of data (depending on your environment size of course) – it will basically show everything that is in the Add/Remove Programs list for every machine in your Configuration Manager database. To do this, run the following query.
DisplayName0 NOT LIKE '%Update%'

This will now remove any “Program” that is “NULL” or has KB in the title – this means removing all/most of the Windows Update information. If you run this query now, you should get a return which looks much tidier. But what if I want to run this report based on a collection?
ResourceID = COMP.ResourceID

Once you are happy with your SQL query, you can then use it in SSRS to produce a professional looking report.

HOW DO I CREATE THE SSRS REPORT?

We have now created a guide that will help you to create your SSRS reports based on the data that this guide will pull into the Configuration Manager database.