SCCM 2012 Updates Deployment – Getting Started

For some reason it took me a long time to wrap my head around updates in SCCM 2012. First, I’ll cover a few basics. Then, we’ll start a multi-part series on how to get everything rolling.

Important Notes

  1. If you’re running a CAS then the Software Update Point on the CAS is the master WSUS server, and the site site servers are downstream servers.
  2. The basic idea is that Software Updates go into Software Update Groups which are then Deployed.
  3. Software Update Groups (SUG’s) are just lists of software updates. An update by itself is not deploy-able.

The Overview

  • Install the prereq’s and SUP role.
  • Configure the SUP role and synchronize updates.
  • Configure Hardware and Software Inventory.
  • Create collections.
  • Create SUG’s.
  • Create deployments.

Installing the Prereq’s and Configuring the SUP Role

When configuring the SUP, only select the languages and products that you actually need. This simplifies things quite a bit down the road. See the following guide: System Center 2012 Configuration Manager – Part 5. Adding WSUS, Adding the SUP Role.

Configure Hardware and Software Inventory

We’re going to create some collections for deploying updates. Some of these collections depend on the hardware and software inventory reports. These can be configured as follows:

  1. Open your client settings package from Administration -> Client Settings.
  2. Make sure that Hardware Inventory is enabled.
  3. Make sure that Software Inventory is enabled.
  4. Configure Software Inventory to scan for “*.exe” in the following paths:
    %programfiles%
    %programfiles(x86)%
  5. Modify the following reg key on your Management Point site server, so that inventory reports greater than 5MB can be collected. You want to set the max file size to around 20,000,000 (without the comma’s).
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_SOFTWARE_INVENTORY_PROCESSOR\Max File Size.

Creating Your Collections

So, the end goal is to have group of workstations which install updates first for testing, then have the rest of your workstations install updates a week or so later. Also, something that further complicates things is that you need to break up the initial update deployment by platform. If you try to deploy all initial updates since the beginning of time to all workstations, then your OSD will break with the error, “failed to start task sequence”. Every update deployed to a workstation consumes some of the 10MB policy download limit, so we need to hide some updates in order for that limit to not be reached.

The following collections will be needed:

  • Name: 0-Day Updates
    Contains all computers you want to deploy updates to first, as canaries.
  • Name:14-Day Updates
    Contains all computers that you want to deploy updates to after the canaries have had the updates for two weeks.
    Excludes: 0-Day Updates
  • Name: 14-Day Windows XP x86 Updates
    Limiting Collection: 14-Day Updates
    Query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where (SMS_R_System.OperatingSystemNameandVersion like "%Workstation 5%" or SMS_R_System.OperatingSystemNameandVersion like "%Windows XP%") and SMS_G_System_COMPUTER_SYSTEM.SystemType = "x86-based PC"
  • Name:14-Day Windows XP x64 Updates
    Query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where (SMS_R_System.OperatingSystemNameandVersion like "%Workstation 5%" or SMS_R_System.OperatingSystemNameandVersion like "%Windows XP%") and SMS_G_System_COMPUTER_SYSTEM.SystemType = "x64-based PC"
  • Name:14-Day Windows 7 x86 Updates
    Query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where (SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%" or SMS_R_System.OperatingSystemNameandVersion like "%Windows 7%") and SMS_G_System_COMPUTER_SYSTEM.SystemType = "x86-based PC"
  • Name: 14-Day Windows 7 x64 Updates
    Query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where (SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%" or SMS_R_System.OperatingSystemNameandVersion like "%Windows 7%") and SMS_G_System_COMPUTER_SYSTEM.SystemType = "x64-based PC"
  • Name: 14-Day Internet Explorer 8 Updates
    Query:

    select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from  SMS_R_System inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName = "iexplore.exe" and SMS_G_System_SoftwareFile.FileVersion like "8.%"
  • Name: 14-Day Internet Explorer 9 Updates
    Query:

    select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from  SMS_R_System inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName = "iexplore.exe" and SMS_G_System_SoftwareFile.FileVersion like "9.%"
  • Name: 14-Day Office 2007 Updates
    Query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in (select SMS_R_System.ResourceID from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Microsoft Office%2007%") and SMS_R_System.Obsolete = 0 and SMS_R_System.Client = 1
  • Name: 14-Day Office 2010 Updates
    Query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in (select SMS_R_System.ResourceID from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Microsoft Office%2010%") and SMS_R_System.Obsolete = 0 and SMS_R_System.Client = 1

Creating your Software Update Groups

Now that you have collections configured, you need to create matching Software Update Groups; one-per-platform. Here’s the procedure:

  1. Navigate to Software Library -> Software Updates -> All Software Updates.
  2. Create a search with the following settings:
    Title: Windows XP
    Superseded: No
    Expired: No
  3. Left-click a single update -> Ctrl-A to select them all -> Right-click the selected bunch -> “Create Software Update Group”.
  4. Name the new group “Initial Windows XP Updates”
  5. Navigate to your new update group.
  6. Create a search with the following criteria:
    Title: Itanium
    Or Title: IA64
  7. Select all -> Edit Membership -> Uncheck the current collection to remote all IA64 updates from the update group.
  8. Create a new search in your same newly created update group:
    Title: x64
  9. Select all -> Create Software Update Group -> “Initial Windows XP x64  Updates”.
  10. Navigate to this x64 group -> Select All -> Edit Membership -> Uncheck the original non-x64 group.

This will create 2 software update groups, one for XP x86, one for XP x64. Neither group will have IA64 or Itanium updates. Repeat this for every platform you need. Also, repeat this for IE 8, IE9, Office 2007, and Office 2010. However, you do -not- need to differentiate between x64 and x86 for IE or Office.

Download the Software Update Groups

Next, you need to download the SUG’s for deployment. Do this procedure for every update group.

  1. Right-click a Software Update Group, and click ‘download’.
  2. When prompted, choose ‘Create a new deployment package’.
  3. Name the new package the same name as the software update group.
  4. For the source location, choose \\sccm\source$\updates\<name of update group>.

When downloading you may get the error “Content cannot be located for the language chosen”. This is normal. The workaround is to remove that specific update from the software update group, then try downloading again. This sucks, and it’s a known issue.

Deploy the Initial Software Update Groups

Once downloaded, the software update groups can finally be deployed. To do this, right-click each Software Update Group and choose ‘deploy’. You pick the options here. Each group should be deployed to its respective collection.

OK, that will get you started! Stay tuned for a blog post on what the monthly update workflow looks like, as well as auto-approval and System Center Updates Publisher.

Advertisements

5 thoughts on “SCCM 2012 Updates Deployment – Getting Started

  1. Pingback: » Distributing computers into Maintenance Groups Some IT Blog

  2. Pingback: SCCM 2012 – Installing the SUP Role | windowsmasher

  3. Pingback: Table of Contents | windowsmasher

  4. Anyone know of any particular way of filtering out IA64 based software update from being listed? I’d like to filter them out somehow, similar to filtering out other software components, etc. It’s just kind of annoying having to filter them out manually with the SUG’s.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s