SCCM 2007 – Getting Started with Windows Updates

So, you have a Software Update Point configured and you’re ready to start pushing MS Updates. Great! Here’s how I got started.

The Overview

  1. Create Phase 1\2 AD groups and collections.
  2. Enable AD System and Security Group Discovery for your site.
  3. Create update lists for 2003-2007 then by year until the present.
  4. Create deployment templates.
  5. Deploy old updates to your update collections (requires about 75GB disk space).

The Process

Create the AD Groups and Collections

I use Active Directory security groups to manage membership to the phased update collections.

  1. Create 3 new Active Directory security groups: COMP_UpdateCycle_Phase1, COMP_UpdateCycle_Phase2 and COMP_UpdateCycle_Exempt.
  2. Add computers from your first deployment cycle to COMP_UpdateCycle_Phase1.
  3. Add computers from your second deployment cycle (installed later) to COMP_UpdateCycle_Phase2.
  4. Add computers that you want to update manually and carefully to COMP_UpdateCycle_Exempt.
  5. In SCCM Console, navigate to Site Database -> Computer Management -> Collections
  6. Right-click ‘Collections’ and choose, “New Collection”.
  7. On the ‘General’ screen enter “Update Collections” for the name and click “Next”.
  8. On the ‘Membership Rules’ screen check, “Dynamically add new resources” then click “Next”.
  9. If a pop-up box appears warning you that the collection has no rules, click “OK”.
  10. Click through the advertise and security screens without making edits, then click “Finish”.
  11. Next, right-click your new collection named “Update Collections” and choose New -> Collection.
  12. On the ‘General’ screen enter, “Update Cycle – Phase 2” for the name and click “Next”.
  13. On the ‘Membership Rules’ screen click the orange rectangle to add a dynamic rule.
  14. For ‘Name’ enter “Group Membership – COMP_UpdateCycle_Phase2” then click “Edit Query Statement”.
  15. Click the “Show Query Language” button.
  16. Edit the following query to replace DOMAIN with your domain name, then copy\paste it into the text box, then click “OK”.
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "DOMAIN\\COMP_UpdateCycle_Phase2"

  17. Press OK until you’re back to the ‘Membership Rules’ screen and click “Next”.
  18. Press “Next” through the ‘Advertisement’ and ‘Security’ screens.
  19. Once back to the Collection screen, right-click the Collection named “Update Cycle – Phase 2”, and choose, “New -> Collection”.
  20.  Repeat steps 7-12, making a new collection named “Update Cycle – Phase 1”. Modify the query to use COMP_UpdateCycle_Phase1 instead of Phase 2.
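
A coverage check for the group-driven collections above, as an added example that is not part of the original post: the phase collections only pick up machines by group membership, so it lists enabled computer accounts that are in none of the three groups, in both phase groups, or in COMP_UpdateCycle_Exempt and a phase group at once. It assumes the ActiveDirectory PowerShell module (RSAT) and PowerShell 3.0 or later, run in the domain that holds the groups.

```powershell
# Added example (not from the original post): audit update-cycle coverage.
# Assumes the ActiveDirectory module (RSAT) and the three groups from this guide.
Import-Module ActiveDirectory

$groups = 'COMP_UpdateCycle_Phase1', 'COMP_UpdateCycle_Phase2', 'COMP_UpdateCycle_Exempt'

# Map each computer's distinguished name to the update-cycle groups it is in.
$membership = @{}
foreach ($g in $groups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object {
            $dn = $_.DistinguishedName
            if (-not $membership.ContainsKey($dn)) { $membership[$dn] = @() }
            $membership[$dn] += $g
        }
}

# Classify every enabled computer account in the domain.
$report = foreach ($c in Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem) {
    $in = @()
    if ($membership.ContainsKey($c.DistinguishedName)) { $in = @($membership[$c.DistinguishedName]) }

    $phases = @($in | Where-Object { $_ -like '*_Phase*' })
    $exempt = $in -contains 'COMP_UpdateCycle_Exempt'

    if ($in.Count -eq 0) {
        $status = 'NoGroup'            # lands in no update collection at all
    } elseif ($exempt -and $phases.Count -gt 0) {
        $status = 'ExemptButPhased'    # still matched by a phase collection query
    } elseif ($phases.Count -gt 1) {
        $status = 'BothPhases'         # would be patched in the first cycle anyway
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Name            = $c.Name
        OperatingSystem = $c.OperatingSystem
        Groups          = $in -join ', '
        Status          = $status
    }
}

# Show only the machines that need a decision.
$report | Where-Object { $_.Status -ne 'OK' } | Sort-Object Status, Name | Format-Table -AutoSize
```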

Enable Active Directory Discovery

The first step towards update freedom is to enable the appropriate Active Directory Discoveries. This populates the SCCM database with Active Directory systems and security groups.

  1. Navigate to Site Database -> Site Management -> Site -> Site Settings -> Discovery Methods.
  2. Right-click the “Active Directory System Group Discovery” method and click “Properties”.
  3. Check the “Enable” box, then click the yellow star to add a new rule.
  4. Leave ‘Local Domain’ selected, and press OK.
  5. On the ‘Polling Schedule’ tab, check “Enable delta discovery” and “Run full discovery as soon as possible”.
  6. Click “OK” again if satisfied with the settings.
  7. Now, right-click the “Active Directory System Discovery” method and click “Properties”.
  8. Check the “Enable” box, then click the yellow star to add a new rule.
  9. Leave ‘Local Domain’ selected, and press OK.
  10. On the ‘Polling Schedule’ tab, choose “Enable delta discovery”.
  11. Click “OK” again if satisfied with the settings.
  12. Now, right-click “Active Directory Security Group Discovery” method and click “Properties”.
  13. Check the “Enable” box, then click the yellow star to add a new rule.
  14. Leave ‘Local Domain’ selected, and press OK.
  15. On the ‘Polling Schedule’ tab, check “Enable delta discovery”.
  16. Click “OK” again if satisfied with the settings.
  17. Your final collections should look like this:
    Update Collections -> Phase 2 -> Phase 1

Creating Update Lists

  1. To create an update list, we need a search folder. Open SCCM Console and navigate to Site Database -> Computer Management -> Software Updates -> Update Repository -> Search Folders.
  2. Right-click “Search Folders” and choose “New Search Folder”.
  3. Use the following name and criteria then press “OK”.
    Search Folder Name: All Active MS Updates
    Vendor: Microsoft
    Expired: No
    Superseded: No
  4. Click on the new search folder and wait for the updates to load completely.
  5. Sort by “Date Released”, and select all updates released from the oldest shown to the end of 2007.
  6. Right-click the selected list and choose “Update List”.
  7. On the ‘Update List’ screen, choose “Create a new update list” and name it, “2003-2007 Updates”, then press “Next”.
  8. On the ‘Security’ screen click “Next”.
  9. On the ‘Summary’ screen click “Next”.
  10. On the ‘Confirmation Screen’ click “Finish”.
  11. Repeat steps 5 through 10 to create a new update list for every year since 2007 to the present.
  12. (Optional) To save disk space, it’s possible to delete Itanium updates that you might not need. For every update list created, click on the list and search for “ia64”. Right-click and delete any updates which indicate that they’re for the Itanium platform only. Repeat the process searching for “Itanium” also.

Creating Deployment Templates

  1. Create a share on your SCCM server to store the downloaded Microsoft updates. This guide will assume \\sccm\updates$ exists for this purpose and has around 80GB free.
  2. Navigate to Software Updates -> Deployment Templates. Right-click “Deployment Templates” and choose “New Deployment Template”.
  3. On the ‘Template Name’ screen, enter “Deploy to All Update Collections” for name, then click “Next”.
  4. On the ‘Collection’ screen, choose the “Update Collections” collection, check the “Include members of subcollections” box, then click “Next”.
  5.  On the ‘Display/Time Settings’ screen, click “Client Local Time”, then click “Next”.
  6.  On the ‘Restart Settings’ screen, check the “Servers” box to suppress automatic server reboots. Also check the “Allow system restart outside of maintenance windows” box. Since we have no maintenance windows enabled, systems will otherwise never reboot for updates. When finished click “Next”.
  7. On the ‘Event Generation’ screen, check both boxes and click “Next”.
  8. On the ‘Download Settings’ screen, leave the defaults and click “Next”.
  9. On the ‘SMS 2003 Settings’ screen, click “Next”.
  10. On the ‘Summary’ screen, click “Next”.
  11. On the ‘Confirmation’ screen, click “Finish”.
  12. Repeat these steps to create 2 additional deployment templates:
    Phase 1 Deployments
    Phase 2 Deployments

Deploying the Updates

  1. Right-click the ‘2003-2007’ Update List and choose “Deploy Software Updates”.
  2. On the ‘General’ screen, name the deployment “Deploy Microsoft 2003-2007 Updates” then click “Next”.
  3.  On the ‘Deployment Template’ screen, use the template named “Deploy to All Update Collections”.
  4. On the ‘Deployment Package’ screen, choose “Create a new deployment package”, use the following information, then click “Next”.
    Name: Legacy Microsoft Updates
    Description: Microsoft Updates Pre-2012
    Package Source: \\sccm\updates$\ms_legacy
    Check “Enable binary differential replication”
  5. On the ‘Distribution Points’ screen, click “Browse” and select  your main distribution point, then click “Next”.
  6. On the ‘Download Location’ screen, choose “Download software updates from the Internet” then click “Next”.
  7.  On the ‘Language Selection’ screen, choose the language editions of Windows that you support. Most USA organizations will only need to choose ‘English’. This isn’t related to which keyboard layouts are installed. This screen refers to the actual edition of Windows the patches are being applied to.
  8. On the ‘Schedule’ screen, check “Enable Wake On LAN” and “Ignore maintenance windows”, then click “Finish”.
  9. Repeat these steps until you have deployments created for all of your update lists. However, on the ‘Deployment Package’ screen of subsequent deployments make sure to choose the existing package created during the first deployment. SCCM will automatically add the new updates from each update list to this existing deployment package.

Congrats! You’re now all caught-up on updates…woo!
