SCCM 2012 SP1 Upgrade Checklist

Alright, everyone else has a checklist — time for mine :). Here’s how we’re installing SCCM 2012 SP1. Once again, this is based off of my internal documentation, so it’s not as polished as it really should be for the open web. I’ve been putting off blogging for so long — it’s time to just get something out there and see if it helps anyone.

Overview

  1. Configure Site Backups
  2. Spin Up a SQL Server Test VM
  3. Test the Database Upgrade
  4. Disable Site Maintenance Task
  5. Backup Boot Image Customizations
  6. Upgrade from WAIK to ADK
  7. Install WSUS Hotfix
  8. Run the Prereq Checker
  9. Run the SP1 Install

You can download an actual Excel checklist from the John Puskar GitHub Repo.

This is going to be a long post…

Step-By-Step

Configure Site Backups

  1. Administration -> Site Configuration -> Sites -> CAS -> Settings -> Site Maintenance
  2. Backup Site Server -> Edit
  3. Enable this task
  4. Set paths -> Local Drive -> F:\Backups
  5. Start time — 5mins from now. Latest start time -> 1hr after start time.
  6. OK to save.
  7. Wait and get the backup.

Spin Up a SQL Server Test VM

  • 80GB Free space
  • Install MS SQL — same version as the one which produced the database backup.
  • Install MS SQL Server 2012 Native Client. Download from here. You have to click ‘download’, then ignore the text file that gets downloaded and scroll to the middle of the download confirmation page. Microsoft® SQL Server® 2012 Feature Pack

Test the Database Upgrade

  1. Login to the test server using a domain account that has local administrator and SQL sysadmin privileges.
  2. Copy the SCCM Site Backup folder from SCCM server to test server.
  3. Open SQL Server Management Studio.
  4. Right-click the SQL Server and choose ‘attach’.
  5. Navigate to the backup folder and select the MDF file found in the site server backup folder.
  6. Click OK to attach the db.
  7. In SQL Server Management Studio, navigate to Security -> Logins.
  8. Right-click the account or group which represents your current login and choose ‘properties’.
  9. Choose ‘User Mapping’ from the left-pane, then select your attached site server database.
  10. Check the box next to the site database backup in the ‘map’ column.
  11. Check the ‘db_owner’ box in the bottom pane.
  12. Click OK to save changes.
  13. Open a command prompt as administrator and navigate to .\sccm2012sp1\smssetup\bin\x64.
  14. Run setup.exe /testdbupgrade <dbname> (ex: cm_cas)
  15. Prerequisite checker should pass.
  16. Click ‘next’ to attempt the upgrade.
  17. Watch task manager for the sqlservr.exe process’ CPU usage. It will spike for 20mins or more.
  18. When the sqlservr.exe process seems to be idle, open the file C:\configMgrSetup.log. It should read ‘Successfully upgraded the SCCM database’.

Disable Site Maintenance Task

  1. Open SCCM Console on the CAS and navigate to Administration -> Site Configuration -> Sites.
  2. Right-click the CAS site and choose ‘Site Maintenance’.
  3. Select the task ‘Delete Aged Client Operations’.
  4. Click the ‘disable’ button and confirm that the column labeled ‘Enabled’ reads ‘No’ next to the task.
  5. Click ‘OK’ to save changes.

Backup Boot Image Customizations

Run the following commands and confirm that the files are actually copied.

MKDIR C:\backups
MKDIR C:\backups\bootimages
MKDIR C:\backups\bootimages\Extra
IF EXIST "C:\Program Files\Microsoft Configuration Manager\OSD\Extra" XCOPY /e /y "C:\Program Files\Microsoft Configuration Manager\OSD\Extra" C:\backups\bootimages\extra\
XCOPY /y "C:\Program Files\Microsoft Configuration Manager\bin\x64\osdinjection.xml" C:\backups\bootimages\

Upgrade from WAIK to ADK

  1. Obtain the ADK Downloader, and download the full ADK installer. The downloader is available here: Windows Assessment and Deployment Kit (ADK) for Windows 8
  2. Uninstall WAIK from control panel.
  3. Run the ADK installer.
  4. Choose to install the following features
    • Deployment Tools
    • Windows Preinstallation Environment (Windows PE)
    • User State Migration Tool (USMT)

Install WSUS Hotfix

Download the following hotfix and install.

Run the Prereq Checker

  • Navigate to .\smssetup\bin\x64 and double-click ‘prereqchk.exe’.
  • You will probably see a SQL Server process memory allocation error, but that should be the only issue.

Run the SP1 Install

  1. WOOOOOOOO!
  2. Run the following command:
    cmd /c mkdir C:\SCCMDownloads-SP1
  3. Navigate to .\smssetup\bin\x64 and double-click ‘setup.exe’.
  4. On the ‘Getting Started’ screen, choose to ‘Upgrade this Configuration Manager site’
  5. On the ‘Product Key’ screen, enter the licensing information and click ‘next’.
  6. On the ‘Microsoft Software License Terms’ screen, choose ‘I accept’ and click ‘next’.
  7. On the ‘Prerequisite Licenses’ screen, accept all the license terms and click ‘next’.
  8. On the ‘Prerequisite Downloads’ screen, choose the download required files to C:\SCCMDownloads-SP1 and click ‘next’.
  9. On the ‘Server Language Selection’ screen, click ‘Next’.
  10. On the ‘Client Language Selection’ screen, click ‘Next’.
  11. On the ‘Settings Summary’ screen, confirm that the box reads ‘Setup Type – Upgrade’, then click ‘Next’.
  12. On the ‘Prerequisite Check’ screen, click ‘Begin Install’.
  13. Complete the wizard.

One thing I noticed is that database replication doesn’t work well until all the site servers are upgraded. Good luck!


SCCM 2012 – Installing the SUP Role

I posted previously about configuring software updates in SCCM. This post is about installing the SUP role on the CAS and site servers. A little backwards, I know.

This post is a slightly modified version of my internal documentation on the process. Sorry if it’s a little un-treated. These instructions assume that you’re not using a proxy server, and that you’re installing the SUP role on the same server as your CAS and site server management points.

Install WSUS and Hotfix on CAS

  • WSUS 3 SP1 Download
  • WSUS Install cmd line. The F:\WSUS line is where you want WSUS to store the license agreements for updates which require them.
    WSUS30-KB972455-x64.exe /q CONTENT_LOCAL=1 CONTENT_DIR=F:\WSUS SQLINSTANCE_NAME=%COMPUTERNAME% MU_ROLLUP=1 DEFAULT_WEBSITE=0 CREATE_DATABASE=1 CONSOLE_INSTALL=0
  • WSUS Hotfix Download
  • WSUS Hotfix Install cmd line:
    WSUS-KB2734608-x64.exe /q

Install SUP Role on CAS

  • Administration -> Site Configuration -> Servers and Site System Roles -> CAS Server.
  • Right-click -> Add Site System Role
  • Specify the server’s FQDN.
  • Check ‘Software Update Point’.
  • Do not use a proxy server unless actually needed.
  • Active Settings: Check ‘Use this server as the active software update point’, and ‘WSUS is configured to use a custom website’.
  • Synchronization Source: ‘Synchronize from Microsoft Update’ and ‘Do not create WSUS reporting events’
  • Synchronization Schedule: Check ‘Enable synchronization on a schedule’. Run every 1 days. Alert when synchronization fails on any site in the hierarchy.
  • Supersedence Rules: Choose ‘Immediately expire a superseded software update’.
  • Classifications: All
  • Products: DO NOT CHOOSE EVERYTHING, only what you need right now. You can always add more later. Choosing everything makes the console really slow.
  • Languages: Only select languages for which you actually install that specific language’s OS version of Windows. This is not about keyboard layouts, it’s about the whole OS language scheme.
  • Next, wait, close.

Run a Full WSUS Synchronization

  • Software Library -> Software Updates -> Right-click -> Run Synchronization

Enable SUP Internet Mode on CAS

  • Admin -> Sites -> Right-click Site -> Configure Site Components -> Software Update Point
  • Choose ‘Allow both intranet and internet clients’.

Install WSUS and Hotfix on Site Server

  • See the previous section regarding the WSUS and Hotfix install. It’s the same process for both the CAS and Site Server.

Install SUP Role on Site Server

  • Admin -> Site Config -> Servers and Site System Roles -> CAS Server.
  • Right-click -> Add Site System Role
  • Specify FQDN
  • Check Software Update Point
  • Do not use a proxy server
  • Active Settings: Check Use this server as the active software update point, and WSUS is configured to use a custom website.
  • Synchronization Source: Do not create WSUS reporting events.
  • Languages: Only select languages for which you actually install that specific language’s OS version of Windows. This is not about keyboard layouts, it’s about the whole OS language scheme.
  • Next, wait, close.

Run a Full WSUS Synchronization

  • Software Library -> Software Updates -> Right-click -> Run Synchronization

Now, you should be ready to actually configure the SUP to push out updates. Good luck!

Installing All Software Updates in an XP Build and Capture TS

I had a hell of a time getting software updates to work in an XP Build and Capture Task Sequence. Things would work okay if I used ZTIUpdates, but not the ‘Install Software Updates’ TS action. A lot of people online seem to have given up, but I think I found the keys to getting things going.

The Problem

When you run an XP Task Sequence with ‘Install Software Updates’, the updates don’t actually install.

The Cause

  1. SCCM can’t scan with the XP SP3 default WUAgent because it’s too old.
  2. SCCM can’t scan for updates with IE 6 installed, which is the XP SP3 default.
  3. SCCM can’t scan for updates without the WSUS patch KB898461 installed.
  4. SCCM can’t download updates with XP SP3 unless joined to the domain.
  5. SCCM can’t communicate with the client once joined to the domain unless the XP certificate hotfix is installed.
  6. Once a software scan action is completed with the ‘install Software Updates’ step, subsequent updates are not detected because it doesn’t re-scan for new updates after every set of updates is installed.

We’ll resolve these issues below.

The Fix

Packages and Prep

This post assumes that you have MDT Integrated and can use the ZTIWindowsUpdates script.

  1. Download the IE 7 installer here: Windows Internet Explorer 7 for Windows XP.
  2. Make a package for the IE7 installer using the following command-line action.
    IE7-WindowsXP-x86-enu.exe /NoRestart /NoBackup /UpDate-No /Quiet
  3. Download the WUAgent 7.4 Installer here: Windows Update Agent 7.4.7600.226. I found the link here: Forum Post – Windows Update Agent.
  4. Create a package for the WUAgent 7.4.7600.226 installer using the following command-line action.
    WindowsUpdateAgent30-x86.exe /quiet /norestart /wuforce
  5. Download the Windows XP Certificate Enrollment hotfix here: Windows Server 2003 and Windows XP clients cannot obtain certificates
  6. Create a package for the hotfix using the following command-line action.
    WindowsXP-KB968730-x86-ENU.exe /quiet

Task Sequence Changes

  1. Open the XP Build and Capture Task Sequence.
  2. On the ‘apply network settings’ action, join a workgroup instead of a domain.
  3. Directly after the ‘Setup Windows and ConfigMgr Step’, add ‘Install Package’ actions for IE 7, WUAgent 7.4, then the Certificate Hotfix.
  4. Next, right after the certificate hotfix install, add join domain and reboot actions.
  5. Next, add a ‘set task sequence variable’ action with the variable ‘WSUSServer’ set to your site server’s WSUS URL (ex: https://sccm.domain.local:8531).
  6. Next, add the ‘Use Toolkit Package’ and ‘ZTIUpdates’ steps. This will install the WSUS patch and update WUAgent to the latest version.
  7. Next, create an ‘Install Software Updates’ action.
  8. After that, create a new ‘Run Command-Line Action’ with the following command. This will re-scan for new updates.
    WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE
  9. Repeat the Install Software Updates and Re-Scan command line actions. This will ensure that all updates are installed, since each Install Software Updates action is hard-coded to time out after 30mins.

Here’s a screenshot of my final task sequence.

[Screenshot: XPBuildAndCapUpdates]

Enjoy!

SCCM 2012 Updates Deployment – Getting Started

For some reason it took me a long time to wrap my head around updates in SCCM 2012. First, I’ll cover a few basics. Then, we’ll start a multi-part series on how to get everything rolling.

Important Notes

  1. If you’re running a CAS then the Software Update Point on the CAS is the master WSUS server, and the site servers are downstream servers.
  2. The basic idea is that Software Updates go into Software Update Groups which are then Deployed.
  3. Software Update Groups (SUG’s) are just lists of software updates. An update by itself is not deploy-able.

The Overview

  • Install the prereq’s and SUP role.
  • Configure the SUP role and synchronize updates.
  • Configure Hardware and Software Inventory.
  • Create collections.
  • Create SUG’s.
  • Create deployments.

Installing the Prereq’s and Configuring the SUP Role

When configuring the SUP, only select the languages and products that you actually need. This simplifies things quite a bit down the road. See the following guide: System Center 2012 Configuration Manager – Part 5. Adding WSUS, Adding the SUP Role.

Configure Hardware and Software Inventory

We’re going to create some collections for deploying updates. Some of these collections depend on the hardware and software inventory reports. These can be configured as follows:

  1. Open your client settings package from Administration -> Client Settings.
  2. Make sure that Hardware Inventory is enabled.
  3. Make sure that Software Inventory is enabled.
  4. Configure Software Inventory to scan for “*.exe” in the following paths:
    %programfiles%
    %programfiles(x86)%
  5. Modify the following reg key on your Management Point site server, so that inventory reports greater than 5MB can be collected. You want to set the max file size to around 20,000,000 (without the commas).
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_SOFTWARE_INVENTORY_PROCESSOR\Max File Size.

Creating Your Collections

So, the end goal is to have a group of workstations which install updates first for testing, then have the rest of your workstations install updates a week or so later. Also, something that further complicates things is that you need to break up the initial update deployment by platform. If you try to deploy all initial updates since the beginning of time to all workstations, then your OSD will break with the error, “failed to start task sequence”. Every update deployed to a workstation consumes some of the 10MB policy download limit, so we need to hide some updates in order for that limit to not be reached.

The following collections will be needed:

  • Name: 0-Day Updates
    Contains all computers you want to deploy updates to first, as canaries.
  • Name: 14-Day Updates
    Contains all computers that you want to deploy updates to after the canaries have had the updates for two weeks.
    Excludes: 0-Day Updates
  • Name: 14-Day Windows XP x86 Updates
    Limiting Collection: 14-Day Updates
    Query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where (SMS_R_System.OperatingSystemNameandVersion like "%Workstation 5%" or SMS_R_System.OperatingSystemNameandVersion like "%Windows XP%") and SMS_G_System_COMPUTER_SYSTEM.SystemType = "x86-based PC"
  • Name: 14-Day Windows XP x64 Updates
    Query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where (SMS_R_System.OperatingSystemNameandVersion like "%Workstation 5%" or SMS_R_System.OperatingSystemNameandVersion like "%Windows XP%") and SMS_G_System_COMPUTER_SYSTEM.SystemType = "x64-based PC"
  • Name: 14-Day Windows 7 x86 Updates
    Query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where (SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%" or SMS_R_System.OperatingSystemNameandVersion like "%Windows 7%") and SMS_G_System_COMPUTER_SYSTEM.SystemType = "x86-based PC"
  • Name: 14-Day Windows 7 x64 Updates
    Query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where (SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%" or SMS_R_System.OperatingSystemNameandVersion like "%Windows 7%") and SMS_G_System_COMPUTER_SYSTEM.SystemType = "x64-based PC"
  • Name: 14-Day Internet Explorer 8 Updates
    Query:

    select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from  SMS_R_System inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName = "iexplore.exe" and SMS_G_System_SoftwareFile.FileVersion like "8.%"
  • Name: 14-Day Internet Explorer 9 Updates
    Query:

    select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from  SMS_R_System inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName = "iexplore.exe" and SMS_G_System_SoftwareFile.FileVersion like "9.%"
  • Name: 14-Day Office 2007 Updates
    Query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in (select SMS_R_System.ResourceID from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Microsoft Office%2007%") and SMS_R_System.Obsolete = 0 and SMS_R_System.Client = 1
  • Name: 14-Day Office 2010 Updates
    Query:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in (select SMS_R_System.ResourceID from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Microsoft Office%2010%") and SMS_R_System.Obsolete = 0 and SMS_R_System.Client = 1

Creating your Software Update Groups

Now that you have collections configured, you need to create matching Software Update Groups; one-per-platform. Here’s the procedure:

  1. Navigate to Software Library -> Software Updates -> All Software Updates.
  2. Create a search with the following settings:
    Title: Windows XP
    Superseded: No
    Expired: No
  3. Left-click a single update -> Ctrl-A to select them all -> Right-click the selected bunch -> “Create Software Update Group”.
  4. Name the new group “Initial Windows XP Updates”
  5. Navigate to your new update group.
  6. Create a search with the following criteria:
    Title: Itanium
    Or Title: IA64
  7. Select all -> Edit Membership -> Uncheck the current collection to remove all IA64 updates from the update group.
  8. Create a new search in your same newly created update group:
    Title: x64
  9. Select all -> Create Software Update Group -> “Initial Windows XP x64 Updates”.
  10. Navigate to this x64 group -> Select All -> Edit Membership -> Uncheck the original non-x64 group.

This will create 2 software update groups, one for XP x86, one for XP x64. Neither group will have IA64 or Itanium updates. Repeat this for every platform you need. Also, repeat this for IE 8, IE9, Office 2007, and Office 2010. However, you do -not- need to differentiate between x64 and x86 for IE or Office.

Download the Software Update Groups

Next, you need to download the SUG’s for deployment. Do this procedure for every update group.

  1. Right-click a Software Update Group, and click ‘download’.
  2. When prompted, choose ‘Create a new deployment package’.
  3. Name the new package the same name as the software update group.
  4. For the source location, choose \\sccm\source$\updates\<name of update group>.

When downloading you may get the error “Content cannot be located for the language chosen”. This is normal. The workaround is to remove that specific update from the software update group, then try downloading again. This sucks, and it’s a known issue.

Deploy the Initial Software Update Groups

Once downloaded, the software update groups can finally be deployed. To do this, right-click each Software Update Group and choose ‘deploy’. You pick the options here. Each group should be deployed to its respective collection.

OK, that will get you started! Stay tuned for a blog post on what the monthly update workflow looks like, as well as auto-approval and System Center Updates Publisher.

SCCM 2007 – Patch Client to R3 During OSD

I recently wanted to use SCCM 2007’s R3 Power Features, and needed to update a few clients to the latest agent version. Turns out, it’s easy to have the patch added during OSD.

The Process

First, we need to find the Package ID of the SCCM R3 client patch.

  1. Open SCCM, navigate to Packages, and search for “Configuration Manager”. Note the Package ID.
  2. Next, open a deploy task sequence and select the “Setup Windows and ConfigMgr” action. Insert the following code into the “Installation Properties” box. Replace <PackageID> with the ID noted from step 1:
    PATCH="C:\_SMSTaskSequence\OSD\<PackageID>\i386\hotfix\KB977384\sccm2007ac-sp2-kb977384-x86-enu.msp"

Now, your clients will be patched on deployment! Enjoy.

SCCM Task Sequence – Updating Dell BIOS versions

FUN ALERT! Here’s how to update the Dell BIOS in a task sequence.

Notes

BIOS update executables are x86-only. Since I primarily deploy x64 machines, the task sequence (or at least its actions) must run inside the guest OS, and not in WinPE. Also, the BIOS update will fail unless you know the BIOS password, or the password is not set. For this reason, I make multiple tries to set a BIOS password using different ‘current’ passwords before running the actual update action.

Downloads

The Process

Prep Work

  1. First, download all the BIOS versions you’ll need for your platform. Note that some systems require multiple intermediary upgrades.
  2. Next, make an SCCM package named “Dell BIOS Updates” containing all the executables for the platforms you’d like to update.  The following is an image of my package source folder.
  3. Next, download and install Dell’s CCTK utility.
  4. Make an SCCM package named “Dell CCTK 2.01 Portable x64”
  5. Copy the contents of the following folder to the package source directory.
    C:\Program Files (x86)\Dell\CCTK\X86_64
  6. Create a new task sequence, or open a task sequence that you’d like to add the BIOS updates to.
  7. Create a new folder in this task sequence named “Dell BIOS Updates”, and use the following WMI criteria to filter. Change “Optiplex” to the make of your PC if necessary (Latitude, Precision, PowerEdge, etc.).
    select * from win32_computersystem where Model like 'Optiplex%'

TS Actions – Passwords

  1. Create a new “Run Command Line” action named “Set a BIOS Password (attempt 1)” with the following settings. This will set a BIOS password if there is no password currently set.
    command line:  cctk.exe --setuppwd=<newBiosPassword>
    package: Dell CCTK 2.01 Portable x64
  2. Create a new “Run Command Line” action named “Set a BIOS Password (attempt 2)” with the following settings. This will set a BIOS password if there is a current password that is different.
    command line:  cctk.exe --setuppwd=<newBiosPassword> --valsetuppwd=<current\oldBiosPassword>
    package: Dell CCTK 2.01 Portable x64

TS Actions – Prepping for Multiple Update Steps

Skip this section if your particular model(s) don’t require intermediary update steps.

  1. Create a new group named “Update <modelname>”. Assign this group the following 2 WMI criteria. Change “A11” to the -latest- version of the BIOS available, so that the group is skipped if the system is already up to date. Also, change “Optiplex 990%” to the make\model number of your PC. The % represents a wildcard allowing anything after, such as a space or null character.
    If -all- the conditions are true
    select * from WIN32_BIOS where SMBIOSBIOSVersion < "A11"
    select * from win32_computersystem where Model like 'Optiplex 990%'
  2. Create a new group for each update step named “Update to A##”. The following filtering criteria should be used, and the BIOS version in the WMI criteria should be changed to the version you’re updating -to-.
    select * from WIN32_BIOS where SMBIOSBIOSVersion < "A10"

Examples

  • Group Name: Update to A03
    WMI: select * from WIN32_BIOS where SMBIOSBIOSVersion < "A03"
  • Group Name: Update to A07
    WMI: select * from WIN32_BIOS where SMBIOSBIOSVersion < "A07"
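
The WMI conditions above compare BIOS versions as strings, which orders Dell's zero-padded A03/A07/A11 names correctly but not unpadded or dotted version strings. The PowerShell below is an added example, not part of the original post; the function names are hypothetical, and it assumes the WQL `<` test on strings is a case-insensitive, character-by-character comparison.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Assumption: the WQL test  SMBIOSBIOSVersion < "<target>"  behaves as a
# case-insensitive, character-by-character string comparison.

function Test-WqlLessThan {
    param(
        [Parameter(Mandatory)][string]$Current,
        [Parameter(Mandatory)][string]$Target
    )
    # Ordinal comparison keeps the result independent of the system culture.
    return [string]::Compare($Current, $Target, [StringComparison]::OrdinalIgnoreCase) -lt 0
}

function Get-PendingBiosStep {
    param(
        [Parameter(Mandatory)][string]$Current,
        [Parameter(Mandatory)][string[]]$Steps
    )
    # Refuse any version that is not in the zero-padded Axx form, because a
    # string comparison only matches numeric order when the widths are equal.
    foreach ($version in @($Current) + $Steps) {
        if ($version -notmatch '^A\d{2}$') {
            throw "Version '$version' is not in the zero-padded Axx form; string comparison will not order it reliably."
        }
    }
    # Return, in order, every step whose group condition would evaluate true.
    $Steps | Sort-Object | Where-Object { Test-WqlLessThan -Current $Current -Target $_ }
}

# Constructed sample: a machine on A05 with update steps packaged for A03, A07 and A11.
Get-PendingBiosStep -Current 'A05' -Steps 'A03', 'A07', 'A11'

# Why the format guard exists: the same comparison applied to an unpadded
# version and to dotted version strings (constructed values).
Test-WqlLessThan -Current 'A9' -Target 'A11'
Test-WqlLessThan -Current '1.10.0' -Target '1.9.0'

# On a real client the current version would come from WMI:
# (Get-WmiObject Win32_BIOS).SMBIOSBIOSVersion
```

With these inputs the first call returns the A07 and A11 steps, while the last two calls show that A9 is not treated as older than A11 and that 1.10.0 is treated as older than 1.9.0, so models with such version names need a different condition.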

TS Actions – Updates to Newer systems

Onward to the actual update step! Woohoo! This action works for systems newer than the Optiplex 755.

For each update step required, use a “Run Command Line” action with the following criteria:

Name: Update <make\model> to <new BIOS version>
WMI:
If all are true:
select * from WIN32_BIOS where SMBIOSBIOSVersion < "<NewBiosVersion>"
select * from win32_computersystem where Model like '<make model>%'
Command: <Biosname>.exe /f /s /p=<currentBiosPassword>
Package: Dell BIOS Updates

Examples

Name: Update Opti990 to A11
WMI:
If all are true:
select * from WIN32_BIOS where SMBIOSBIOSVersion < "A11"
select * from win32_computersystem where Model like 'Optiplex 990%'
Command: <Biosname>.exe /f /s /p=MyPassword
Package: Dell BIOS Updates

TS Actions – Updates to Older systems

Systems older than the Optiplex 760 are a little tricky. I can’t get BIOS updates to work while the system has a BIOS password, so we first need to remove the password.

  1. Create a TS action with the following command to remove the BIOS password:
    cctk.exe --setuppwd= --valsetuppwd=<currentPassword>
  2. For each update step required, use a “Run Command Line” action with the following criteria:
    Name: Update <make\model> to <new BIOS version>
    WMI:
    If all are true:
    select * from WIN32_BIOS where SMBIOSBIOSVersion < "<NewBiosVersion>"
    select * from win32_computersystem where Model like '<make model>%'
    Command: <Biosname>.exe -NOREBOOT -NOPAUSE
    Package: Dell BIOS Updates
  3. Finally, set a new BIOS password with the following command in a TS action:
    cctk.exe --setuppwd=<new password>

Wrapping Up

Here’s an image of my task sequence; I hope it helps. Good luck!

Secunia – Patching Java

This post contains the steps necessary to patch Java with Secunia, since things don’t seem to work out of the gate. The main problem seems to be that Secunia didn’t provision for having both x64 and x86 Java on x64 systems. I was able to create 3 custom patches using Applicability Rules to get the right patch to the right place.

Overview:

  • Create an install script.
  • Extract the msi files.
  • Create a custom package for installing x64 Java on x64 machines.
  • Create a custom package for installing x86 Java on x64 machines.
  • Create a custom package for installing x86 Java on x86 machines.
  • Test the packages with an SPS.exe file.
  • Deploy the packages.

The Process

Create an Install Script

I received the following script from Secunia support. Save this script as ‘PatchJava.xml’ on a system with Secunia CSI Console installed.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
	<![CDATA[Update Sun Java JRE 1.6.x to 6u31 (x64 for 64-bit systems)]]>

	<![CDATA[var Title = "Custom Update Sun Java JRE 1.6.x - 4";
var GUID = "3c16e659-3c45-49ef-897e-4a8b8c22a0fd";
var userSpecficParams = "ADDLOCAL=ALL JAVAUPDATE=0 AUTOUPDATECHECK=0 JU=0 REBOOT=ReallySuppress /qn";

// NOTE - keep the GUID and title variables already set up in the default script.

// Note - this assumes that the file order of the included files, whether they be // local files or dynamically downloaded files, is as follows:

//Data1.cab
//jre1.6.0_31.msi

function main() {

	if ( !GUID ) {
		server.logMessage("No GUID supplied for package " + Title);
		return 1;
	}

	server.logMessage("Running package " + Title);
	server.logMessage("GUID : " + GUID);

	// There must be at least 3 embedded files (this script is the first one)
	var numFiles = server.numberOfFiles;
	if ( numFiles < 3 ) {
		server.logMessage("Incorrect number of embedded files. Aborting.");
		return 1;
	}

	var filename, shell, sys, temp, tempPath, outdir; // Declare variables we use below

	// Set up the directory the files will be extracted to and run from
	shell = new ActiveXObject( "WScript.Shell" );
	temp = shell.ExpandEnvironmentStrings( "%TEMP%" );
	sys = new ActiveXObject( "Scripting.FileSystemObject" );
	tempPath = temp + "\\\\" + GUID;
	try {
		if ( sys.FolderExists( tempPath ) ) {
			outdir = sys.GetFolder( tempPath );
		} else {
			outdir = sys.CreateFolder( tempPath );
		}
	} catch ( ex ) {
		server.logMessage( "Exception with get/create temporary directory " + ex.number + " : " + ex.message );
		return 1;
	}

	// First, extract all the files into the outdir created/found above and get the full path names into
	// an array that we can reference later
	var extractedFileNamesWithPath = [];
	for ( var i=1; i <= 2; i++ ) {
		filename = server.getFilename( i );
		if ( !filename ) {
			server.logMessage( "Cannot read filename: " + filename + "  from file. Corrupted file." );
			return 1;
		}

		tempFileWithPath = outdir.Path + "\\\\" + filename;

		// Check integrity of file
		sha1Sum = server.getSHA1Sum( i ); // file at index i
		if ( !sha1Sum ) {
			server.logMessage( "Cannot read SHA1SUM from file. Corrupted file." );
			return 1;
		}
		try {
			server.extractFile( i, tempFileWithPath ); // file at index i
		} catch ( ex ) {
			server.logMessage( "Error when extracting file " + ex.number + " : " + ex.message + "File may already exist." );
		}
		sha1SumCalc = server.getSHA1Sum( tempFileWithPath );
		if ( sha1SumCalc !== sha1Sum ) {
			server.logMessage( "Wrong SHA1SUM. Corrupted file." );
			return 1;
		}

		// File is ok - store the tempFileWithPath into our array
		extractedFileNamesWithPath[ extractedFileNamesWithPath.length ] = tempFileWithPath;
	}

	// Run the installer on the extracted files. The array holds them in the
	// file order noted above: Data1.cab at index 0, the MSI at index 1.

	var commandLine = "%WINDIR%\\SYSTEM32\\msiexec.exe /package " + extractedFileNamesWithPath[1] + " " + userSpecficParams;
	server.logMessage("Executing: " + commandLine);
	var exec = shell.Exec( commandLine );

	wait( exec, 3 * 3600 * 1000 ); // timeout in 3 hours

	if ( !exec.Status ) {
		server.logMessage("Executed " + commandLine + ", but failed to complete. Abandoning.");
		exec.Terminate();
		wait( exec, 300 * 1000 ); // timeout in 5 mins
		sys.DeleteFolder( outdir.Path );
		return 1;
	} else {
		server.logMessage("Executed " + commandLine + ", return status is " + exec.ExitCode);
		shell.RegWrite( "HKLM\\Software\\Secunia\\Updates\\Installed\\" + GUID + "\\", Title );
		sys.DeleteFolder( outdir.Path );
	}
}

// The function waits for the command to complete its execution or timeout
function wait( execObject, timeout ) {
    var start = ( new Date() ).valueOf();
    while ( 0 === execObject.Status && (new Date()).valueOf()-start < timeout ) {
        server.sleep(1000);
    }
}

main();]]>
	<source /><![CDATA[JScript]]>

		<![CDATA[C:\workingtemp\jre1.6.0_31_x64\Data1.cab]]>
		<![CDATA[C:\workingtemp\jre1.6.0_31_x64\jre1.6.0_31.msi]]>

		<![CDATA[C:\Program Files\Java\jre6\bin\java.exe]]>

		<![CDATA[false]]>

	<![CDATA[only64]]>
	<![CDATA[false]]>
	<![CDATA[false]]>
	<![CDATA[false]]>
	<![CDATA[false]]>

Extract the msi files.

To extract the msi files from the Java downloads, follow the instructions on Oracle’s site here: How do I deploy Java using Active Directory across a network?.

Custom Package – x64 Java on x64 machines

  1. Open Secunia CSI and Navigate to Patch -> Secure Package System (SPS)
  2. Click ‘New Custom Package’
  3. Click the button ‘Import Package’ and select the xml update package created for Java.
  4. On the ‘Import Package Content’ dialog box click “OK”.
  5. Click ‘Next’ once the package is imported.
  6. On the ‘Step 2 of 4: Package Contents’ screen, right-click to remove both files under the ‘Files to Include’ Frame.
  7. Click ‘Add local file’ and select “Data1.cab” from your java installation source. Note: it’s important that the files be deleted and re-imported even if the current paths seem correct. Also, it’s important that data1.cab be imported first and the msi file imported second.
  8. Click ‘Add local file’ and select “jre1.6.0_31.msi” from your java installation source.
  9. Click ‘Create SPS File’, and run the file on a target system. It should update your x64 java!
  10. Click ‘Next’.
  11. On the ‘Step 3 of 4: Applicability Criteria – Paths’ screen, un-check the ‘Mark Package as “Always Installable”’ checkbox.
  12. Click ‘Next’.
  13. On the ‘Step 4 of 4: Applicability Criteria – Rules’ screen, under the “System Applicability” frame select “64-Bit Systems Only”.
  14. Un-Check the “Do not include Step 3 applicability Paths in XML File” checkbox, then click “Export Package Content”. Save the package file as “Java Package – x64 for x64.xml”.
  15. Click “Publish” to publish your package.

Custom Package – x86 Java on x64 Machines

Use the same general process as the first package, but with the following modifications:

  • On the ‘Step 1 of 4: Package Configuration’ screen, rename the package according to the architecture.
  • On steps 7-8, import the x86 versions of data1.cab and jre1.6.0_31.msi.
  • On the ‘Step 3 of 4: Applicability Criteria’ screen, remove all the applicability paths, then add the following: “C:\Program Files (x86)\Java\jre6\bin\java.exe”.

Custom Package – x86 Java on x86 Machines

Use the same general process as the first package, but with the following modifications:

  • On the ‘Step 1 of 4: Package Configuration’ screen, rename the package according to the architecture.
  • On steps 7-8, import the x86 versions of data1.cab and jre1.6.0_31.msi.
  • On step 13, select “32-Bit Systems Only”.

Grats! You should now have a working Java update.