Deploying Windows Updates using SCCM 2007

When deciding to use SCCM to deploy software updates some time should be taken to plan your release process and the strategy you want to take with regards to deploying updates. Microsoft has created a good document which can be downloaded from here. This will give you a good idea of the different deployment scenarios including the benefits and drawbacks for each. Before we start, this guide assumes that you have already installed and configured SCCM 2007 with SP2 or above and you are installing WSUS on the same server that SCCM is installed on. For the purpose of this guide we are just going to look at deploying updates to a Windows XP environment, please note that all steps in this guide are also relevant to Windows Vista, Windows 7 etc and should give you enough help to customise my scenario to your requirements. My deployment scenario As my environment is standerdised on one client Opearing System with a specific service pack level, I have created a single package to contain the authorised updates. When it comes to the deployment of the updates I have created two collections; one for my test clients and then one for all clients. I have then assigned deployment templates to these collections to handle the deployment process. This is quite a simple and easy to manage setup. It is also a good place to start when first starting to use SCCM to deploy software updates. The first thing you need to do is download WSUS 3.0 SP2 from here and the Microsoft Report Viewer Redistributable 2008 from here. Install Microsoft Report Viewer 1. 2. 3. 4. 5. Double click ReportViewer.exe Click Next Select I have read and Accept the license terms Click Install Click Finish

Install WSUS 3.0 SP2 1. 2. 3. 4. 5. 6. 7. 8. Double click WSUS30-KB972455-x86.exe Click Next Select Full server install Click Next Select I accept the terms. Click Next Select Store Updates Locally and specify a path for the data to be stored i.e. d:\WSUS Specify the name of the database server to use

9. Click Next 10. At the successfully connected screen, Click Next 11. When prompted to select what IIS website to use, select the one relevant to your setup, in my case I am installing on the same server as SCCM so have selected Create a Windows update services web site 12. Click Next 13. Click Next

14. Click Finish 15. Click Cancel on the WSUS configuration wizard screen as all configuration will be done via the SCCM console Configuring the Software Update Point 1. 2. 3. 4. 5. 6. 7. 8. 9. Open SCCM ConfigMgr console Expand Site Settings Expand Site Systems Right Click on your Server name Click New Roles Click Next Select the roles you would like to install, in our case Software Update Point Click Next. At this point you will be prompted to configure a proxy server. If your organisation uses a proxy server, configure the details here before proceeding. Otherwise click Next Click Next

10. Click Next 11. Click Next 12. Select the Software classifications that you want to be syncronised 13. Click Next 14. Select the products that you require updates for 15. Click Next 16. Deselect all languages except English 17. Click next 18. Click Next 19. Click Close At this point you should monitor the wsyncmgr.log file which can be found in the location that you install SCCM, to check the progress of the first WSUS syncronisation. Configuring the Software Updates Client Agent 1. 2. 3. 4. 5. 6. 7. 8. Open SCCM ConfigMgr console Expand Site Settings Click Client Agents Double Click Software Updates Client Agent Select Enable Software Updates on clients Click Update Installation Tab Select Enforce all mandatory deployments Click OK

At this point you should initiate the machine policy retrieval and a software updates scan cycle on a test client. Creating deployment templates Deployment templates are used to easily deploy software updates in a consitent manner based on the deployment settings you configure such as restart time, interation by users etc. A deployment template should be created for each software update collection that you create. As explained at the start of this guide I have created two collections, the first one is called Monthly Updates Test Clients, the second one is called Monthly updates All Clients. My deployment templates will also follow these naming conventions.

Before proceeding you need to create your required collections. 1. 2. 3. 4. 5. 6. 7. 8. Open SCCM ConfigMgr console Expand Computer Management Right Click Software Updates Click New Deployment Template Enter a name and description this should follow the names given to your collections Select the collection that this template should be assigned to Specify your required settings for time and display notifications Click Next

9. Specify your required settings for restart settings 10. Click Next 11. Specify your required settings for event generation 12. Click Next 13. Specify your required settings for download settings 14. Click Next 15. Click Next 16. Click Next 17. Click Close Repeat these steps for each required deployment template. Creating Search Folders Search folders are an easy way to retrieve a list of software updates based on a specific search criteria. For this guide we are going to create a search folder that displays all updates for Windows XP. We will then use this search folder in the next step of this guide. 1. 2. 3. 4. 5. 6. 7. 8. Open SCCM ConfigMgr console Expand Computer Management Expand Software Updates Expand Update Repository Right Click Search Folders Click New Folder In Step 1 select Product In Step 2 select Windows XP

9. In Step 3 select search all folders 10. In Step 4 Enter a name for the search folder 11. Click OK Creating an Update list and Deployment Package 1. 2. 3. 4. 5. 6. 7. Open SCCM ConfigMgr console Expand Computer Management Expand Software Updates Expand Update Repository Expand Search Folders Select Windows XP In the right hand window you should now have a list of updates, using CTRL + Select highlight all of the updates that you want to deploy. In my case I selected all those that were relevant from Service Pack 3.

8. 9.

Once you have selected the updates that you want to deploy, drag them onto the Update Lists folder, which will launch the Update List Wizard Select Create a new update list

10. Enter a name and if required a description 11. Select Download the files. 12. Click Next 13. Select Create a new deployment package 14. Enter a name and if required a description 15. Specify the Package Source. This is should be a subfolder of the folder specified in Step 7 of Install WSUS 3.0 SP2. This should be in unc form. 16. Click Next 17. Click Browse 18. Select the Distribution Points that the deployment package should be on 19. Click OK 20. Select Download software updates from the internet 21. Click Next 22. Deselect all Languages except those that you require 23. Click Next 24. Click Next 25. Click Next 26. Once all of the updates have downloaded Click Close. Depending on the number of updates and the speed of your internet connection this may take a while. Creating your Deployments Now that all of the ground work is done, we can look at linking each bit together in order to make the updates available to your clients. Depending on your deployment strategy you may need to complete these steps multiple times. 1. 2. 3. 4. 5. 6. 7. 8. Open SCCM ConfigMgr console Expand Computer Management Expand Software Updates Expand Update Lists Right click the update list previously created Click Deploy Software Updates Click Next Select Use and existing template and select the first template you want to create a deployment for. In my case I selected Monthly Updates Test Clients. I then repeated these steps to create the deployment for Monthly Updates All Clients Click Next

9.

10. Specifiy a date and time that you would like to make updates available to clients 11. Specify a deadline for the installation 12. Click Next 13. Click Next 14. Click Close Once finished you should now have a deployment listed under deployment management and if you expand the deployment it will show the updates that are being deployed as part of this deployment. You can now add clients to your relevant collections.

The clients that you add will start to install software updates according to the settings you have applied. Note they will need to run a Machine Policy Retrieval & Evaluation Cycle, Software Updates Deployment Evaluation Cycle and a Software Updates Scan Cycle before this will work.