Channel: Configuration Manager 2012 - Security, Updates and Compliance forum

How can I stop my clients from going to Windows Update Online when using SCCM to manage updates?


Hi, I've installed WSUS on my SCCM Server and created the SUP role.

On my clients it says that - You receive updates as Managed by your system administrator.

But below that there is the option to Check Online for updates from Windows Update.

I don't want my clients to be able to do this, because they could install anything that they want and I would have no control over the process.

What can I do?

Thanks


Automatic Deployment Rules - Australia


This is probably a silly question, but how would I go about setting up an ADR to run on "Patch Tuesday", which in my case, I'm GMT+10 so "Patch Tuesday" is actually "Patch Wednesday" here?

Currently in our legacy SCCM 2007 environment I do this all manually on the Thursday of patch week, but was hoping to leverage ADRs in our new 2012 environment to help simplify this.

I currently have a rule to fire every second Tuesday at 11:59:59 PM but unfortunately it doesn't seem to get all the updates (must be released later).

I also couldn't find any sort of method to set the Sync time to UTC (the client schedule yes, but not the actual sync schedule).

The ADR fires at 11:59PM (GMT+10) on the second Tuesday of every month (I'm using the Patch Tuesday template type). The issue is that most updates don't come into our system until 6AM the Wednesday morning. (Our update sync schedule is every two hours, so this is not the cause.)

Is there a way I can use this method to assist in creating update groups?

Windows Updates Reboot


I have SCCM 2012 SP1. I increased our restart on the client to 120 mins, 20 count down. I see there is no postpone option. My Workstation SUGs, under User Experience, I have "system restart (if necessary), & commit changes at deadline or during a maintenance window (requires restarts)"...

I am unclear how I configure it so users don't get a reboot during critical parts of the day, and not postpone the restart.

Thank you.

IE10 as a Software Update for Windows 7 SP1 - won't install - clients not requesting it


In 2012, most of my W7 SP1 clients are using IE9. I'm looking to push IE10 to some more of them via Software Updates. Software Updates is working fine for Security Updates, Critical Updates etc.

However, it does not seem to be installing on these W7 clients with IE9. Mainly I think because they are not requesting it for some reason. In the reports the clients are showing up as "Compliant". All the clients have the necessary prereqs installed via Software Updates (e.g. KB2758857, 2729094, 2758857, 2786081, 2760838).

In SCCM 2007, I had no problems deploying IE10 to a small number of clients who needed it. But all are now on 2012. Has something changed (e.g. the release of IE11) or am I just missing something obvious?


DP Cleanup when removing Updates from a SUG


I recently started using ADRs for generating monthly Software Update groups (with adding to an existing package). I choose to just target an empty collection so that I can verify the updates that have been included in the Software Update groups are ones I want to actually deploy. The vast majority of the time there are updates I do not want to deploy.

Example: SharePoint Server updates are added but I do not currently manage patches for servers with SCCM so this is just unnecessary bloat for my Update packages.

I then remove the updates from the SUG prior to moving the deployment to my Test collection, however at this point the updates have been downloaded and added to my DP's.

My question is if there is a good process for removing the updates I have removed from the SUG, from the DP's (i.e. delete from the source location and refresh the DP's).

To my knowledge, SCCM will not do this for me by simply removing the update from a SUG.

Thanks!

Is the Windows 8 software updates product category necessary if we have completely upgraded to 8.1?


Hey guys,

We had a few Windows 8/Server 2012 (Non-R2) systems in our environment last year. I was using our SCCM SUP to keep them patched. We just completed updates on all those systems and they are now *all* Windows 8.1/Server 2012 R2. I've also upgraded our SCCM Server to 2012 R2. After the upgrade I noticed that there were new software update categories specific to Windows 8.1/Server 2012 R2 so I added those to my ADRs. Since we no longer have any Windows 8/Server 2012 (Non-R2) systems in our environment is it still necessary to retain the software update product categories for those OSes in my ADRs? (i.e. Definition updates for Endpoint Protection definitions still fall under the product category "Forefront Endpoint Protection 2010", worried Windows 8/8.1 is similar and that I might miss something if I leave it out). 

Resultant Client Policy


I'm looking for the exact security rights needed to use the Right Click > Resultant Client Policy feature added in CM2012 R2 update.

I have a role that can view the Client settings if they open the properties of them, they can view which settings objects are applied to a device/collection in the preview pane, but they can NOT right-click > Resultant Client Settings.

I'm not sure what I'm missing. They obviously have read rights, and the R2 remote console is installed. Is there another specific setting I'm missing? Otherwise I'm destined to grant full rights and take away rights piece by piece until I find out what makes it disappear...and I really, really don't want to do that.

SCEP: How to exclude specific file regardless of location on the drive ?

I'm implementing SCEP;

I have a file (capscrn.ocx) which needs to be excluded, but this file does not have the same location on different workstations.
How can I exclude the file without knowing where it is located?

What I need is to do something like this: \**\ *\capsm.ocx


Note: I cannot exclude the extension only.

How to Retry Failed Software Updates


I’m fairly new to SCCM and I’m using SCCM 2012 SP1 CU1. I have about 1,000 clients and have a maintenance window of three hours. I need to have the clients patched, rebooted and have the report updated in that timeframe. I have two software update collections, one for “legacy” patches from 2007 – 1-1-2012 and a second collection for “Current” Patches 1-1-2013 – Present. I’m finding when I deploy these patches to clients most succeed but some patches fail. The client reboots and I’m left with several failed patches leaving the client non-compliant.

My question is how can I get these patches to retry the install? If I log onto the client and manually retry the install they usually are successful and even if one or two fail again, I usually rerun them and it installs.

To try to resolve this, I’ve set up a separate software deployment that has a deadline of one hour later than the first, but this does not seem to kick off. I’m looking to the community to see how others are dealing with this situation.  

Create a new Software Update Group question


Hi

I have a SCCM 2012 SP1 CU3 site server only, no CAS.

At the moment for server and workstation updates I have ADRs that run once a month after Patch Tuesday. A separate ADR is configured for each OS and it adds new updates to an existing Software Update Group. This obviously means if updates are not expired the number can get rather large (e.g. Windows Server 2008 939 items).

My question is what happens to the old software update groups if I configure the ADR to create a new SUG each time, are they still deployed? How are the updates in the old SUGs kept current so no expired or superseded updates are deployed? Put another way, if a new SUG is created by the ADR each time, what process keeps the old SUGs synced so the updates in them, if superseded, are eventually expired?

It's probably a dumb question but I need to know how the mechanism works. Can anyone help?

Thanks

Simon


Public CA Certificates for Internet-Based Client Management

SUP sync problem: Category products not found on WSUS


Hello,

Updates stopped working suddenly for clients, and the clients reported back with message: "Client check passed/Active".
I can't say much about it because I have to be honest, I didn't do much troubleshooting.

I went straight to re-configuration of SUP/WSUS.
So I removed the SUP CM role, and WSUS and re-installed everything again.
I did this several times now and followed similar procedures, but slightly different.

Basically:

Remove SUP
Remove WSUS
Restart
Install WSUS
Install the two famous updates
Restart
Add SUP role

Environment (one machine):
Server: 2008 R2
SCCM: 2012 SP1 - 5.0.7804.1000
WSUS 3.0 SP2 with both KB's

Syncing doesn't work.
From the wsyncmgr.log I'd say that SCCM is unable to communicate with WSUS.
From the wcm.log I'd think that Category Products are enabled on SCCM which cannot be found on WSUS, which I find a strange reason to block the whole Updating process but who am I to criticize. :-)
The problem is that I can't find these products in SCCM, let alone disable.

I really hope someone can help me out with this as this is starting to drive me crazy.
Also tried to run the WSUS configuration wizard partially until the products but that didn't help either.

Each time I restart the whole configuration, when I add the SUP role it seems to remember my settings. Is there a proper way to completely remove SUP?

WCM.log:

Category Product:70cfad70-6629-b54b-5819-c809a605515e (Adobe Flash Player) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 13/12/2013 15:32:12 5572 (0x15C4)
Category Product:e1d507be-497c-d8fd-61d7-b0d93ee399ca (Adobe Reader) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 13/12/2013 15:32:12 5572 (0x15C4)
Subscription contains categories unknown to WSUS. SMS_WSUS_CONFIGURATION_MANAGER 13/12/2013 15:32:12 5572 (0x15C4)
Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error SMS_WSUS_CONFIGURATION_MANAGER 13/12/2013 15:32:12 5572 (0x15C4)

WSYNCMGR.log

Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync SMS_WSUS_SYNC_MANAGER 13/12/2013 15:37:12 5660 (0x161C)
STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SVCMSS001.mobilebelgium.be SITE=PS1 PID=5216 TID=5660 GMTDATE=Fri Dec 13 14:37:12.547 2013 ISTR0="CWSyncMgr::DoSync" ISTR1="WSUS server not configured. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 13/12/2013 15:37:12 5660 (0x161C)
Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 13/12/2013 15:37:12 5660 (0x161C)

Security Update (KB2917500) fails to update on SCCM client


In this latest batch of December updates, I've run across about 4 updates that stubbornly refuse to update from the Software Center. They all return an error 0x87D00705 which in a CMTrace lookup says the error is "Pause State Required". The actual message in Software Center reads

The software change returned error code 0x87D00705(-2016409851).

The UpdatesDeployment.log shows the same error code. When I Retry the update, it logs this

InstallUpdates Initiated by user 
ApplyCIs - JobId = {4AD644BB-081B-4043-9674-A19FBA5C2EBB} 
Update (Site_D27959F3-68D0-45FE-8B2D-EA95DFA187FC/SUM_416de864-839a-4a61-907f-d18cabcc6dda) Progress: Status = ciStateDetecting, PercentComplete = 0, DownloadSize = 0, Result = 0x0
Raising client SDK event for class CCM_SoftwareUpdate, instance CCM_SoftwareUpdate.UpdateID="Site_D27959F3-68D0-45FE-8B2D-EA95DFA187FC/SUM_416de864-839a-4a61-907f-d18cabcc6dda", actionType 1l, value NULL, user NULL, session 4294967295l, level 0l, verbosity 30l 
Update (Site_D27959F3-68D0-45FE-8B2D-EA95DFA187FC/SUM_416de864-839a-4a61-907f-d18cabcc6dda) Progress: Status = ciStateDownloading, PercentComplete = 0, DownloadSize = 0, Result = 0x0 
Raising client SDK event for class CCM_SoftwareUpdate, instance CCM_SoftwareUpdate.UpdateID="Site_D27959F3-68D0-45FE-8B2D-EA95DFA187FC/SUM_416de864-839a-4a61-907f-d18cabcc6dda", actionType 1l, value NULL, user NULL, session 4294967295l, level 0l, verbosity 30l 
Update (Site_D27959F3-68D0-45FE-8B2D-EA95DFA187FC/SUM_416de864-839a-4a61-907f-d18cabcc6dda) Progress: Status = ciStateWaitInstall, PercentComplete = 0, DownloadSize = 0, Result = 0x0 
Raising client SDK event for class CCM_SoftwareUpdate, instance CCM_SoftwareUpdate.UpdateID="Site_D27959F3-68D0-45FE-8B2D-EA95DFA187FC/SUM_416de864-839a-4a61-907f-d18cabcc6dda", actionType 1l, value NULL, user NULL, session 4294967295l, level 0l, verbosity 30l 
CUpdatesJob({4AD644BB-081B-4043-9674-A19FBA5C2EBB}): CUpdatesJob::NotifyError - NotifyError received. Result = 0x87d00705 
Update (Site_D27959F3-68D0-45FE-8B2D-EA95DFA187FC/SUM_416de864-839a-4a61-907f-d18cabcc6dda) Progress: Status = ciStateError, PercentComplete = 0, DownloadSize = 0, Result =0x87d00705 
Raising client SDK event for class CCM_SoftwareUpdate, instance CCM_SoftwareUpdate.UpdateID="Site_D27959F3-68D0-45FE-8B2D-EA95DFA187FC/SUM_416de864-839a-4a61-907f-d18cabcc6dda", actionType 1l, value NULL, user NULL, session 4294967295l, level 0l, verbosity 30l 
Not refreshing update presence state as error CI Info status received
Raising client SDK event for class CCM_SoftwareUpdate, instance CCM_SoftwareUpdate.UpdateID="Site_D27959F3-68D0-45FE-8B2D-EA95DFA187FC/SUM_416de864-839a-4a61-907f-d18cabcc6dda", actionType 11l, value NULL, user NULL, session 4294967295l, level 0l, verbosity 30l 
CUpdatesJob({4AD644BB-081B-4043-9674-A19FBA5C2EBB}): Delete job from WMI UpdatesDeploymentAgent 12/13/2013 10:12:30 AM 4960 (0x1360)
No other installations in pipeline. No reboot required. 
EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 7 
EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 7 

Has anyone run into this error before?


Orange County District Attorney


Patch deployment and installation behavior question


I created a new Software Update Group to deploy a revised KB today that didn't require a reboot. The deployment was set to be available ASAP and install ASAP. I set a maintenance window of 1:30PM on the collections that received the deployment. When I ran a report, to verify the patch status, prior to the start of the maintenance window I saw that the patch had already installed.

Does this behavior change depending on the patch?  I have other collections that I do monthly updating to, this same way, and they don't install patches until the start of the maintenance window I believe.  Should I be using a specific time for my deadlines, or should I be using ASAP?  I don't want servers sitting in a 1/2 installed but yet to be rebooted state for any period of time.


SCCM 2012 SP1 Software Updates missing Office/Lync 2013 patches


SCCM 2012 SP1 with WSUS installed on same machine

Issue: When I go to Software Library/All Software Updates I don't have any listings for Office or Lync 2013.

At first I went into WSUS and checked Office 2013 under products and classifications but then I remembered SCCM overrides WSUS.  I'm seeing this because when I go back into WSUS the check box for Office 2013 is unchecked as is classification Updates that I also checked.

I have an automatic deployment rule that has Product ... and Office 2013

I noticed all this because I just installed Office 2013 on my workstation and after running the ADR against my workstation and then Windows Update I saw no Office 2013 patches being applied.  Went into All software updates and didn't find a single patch listing.

On my Primary site (don't have CAS) under role software update I have standard WSUS Configuration 80 and 443 and Allow Internet and intranet Client connections and no proxy account settings.

My software Update Point Synchronization Status shows updated today with catalog version 388 to my software update point.

What am I missing?


Some Systems Restarted Automatically after Updates Deployment with Restart Suppressed


I've searched the forum and multiple blogs - but, I'm still confused about what is causing some of our workstations to restart after applying a software updates deployment.

I deployed the Dec 2013 Patch Tuesday updates to a collection of workstations. The deployment was set to:

  1. Not allow restarts outside of a maintenance window (box is unchecked)
  2. Suppress restarts on workstations (box is checked).

There is no maintenance window defined for any of our workstations

On all the workstations, the HKEY_LOCAL_MACHINE\Software\...\WindowsUpdate\  values are:

  • WUServer: http address of our SCCM SUP server
  • WUStatusServer: http address of our SCCM SUP server

Also, the key in HKEY_LOCAL_MACHINE\...\WindowsUPDATE\AU is:

  • UseWUServer: 1  (which I understand disables the use of the automatic Windows update service)

Some set of workstations automatically restarted shortly after 3:00 am the next morning. Clearly that's the Windows Update Agent jumping in and restarting the systems. However, I don't understand why it would do that. I really don't understand why it would have occurred on only some of the workstations while others are still waiting for users to manually restart 36 hours later.

All of the workstations are in the same active directory OU - so the same set of GPOs applies to all.

Note: none of the registry keys were set directly in any GPOs - I assume the values were set by the SCCM client.

Any assistance would be appreciated.

Larry

How can I use a configuration baseline to force an application or package to be deployed to a collection


Is there a way to set up a software baseline configuration that will deploy packages or applications based on a collection?

I want to make sure that if required software is removed that we track when using a config baseline.

Targeting Collections with SUP in 2012


Hey newbie here to SCCM 2012 and SUP -- I've been using SMS since the 2.0 days.  I have a concept that I’m trying to wrap my head around and maybe someone can point me in the right direction.

The process that I have works great in SCCM 2007 R3 -- I need to port this same process over to 2012 R2.

Background

In my SCCM 2007 R3 environment my servers fall into two categories:

  1. Ones that have MW and can be scheduled rebooted automatically.
  2. All others that don't have any pre-defined MW and need manual intervention.

2007 Collections Setup

I have two collections for this

SUP - All Servers -- This is made up of direct membership of servers who get the patches advertised to them but the admin can install when they choose due to various reasons.

SUP -- MW All Servers -- This is an empty collection made up of 20-30 sub-collections that have the various different defined MWs based on the application and business requirements.

This works great in 2007 as I can target my distribution at the two collections.

SUP - All Servers & SUP - MW All Servers. When I target the top level SUP -- MW All Servers (which includes all the sub-collections with predefined MWs), they get the updates and install based on their individual MWs. It keeps it pretty simple and clean.

2012 Collection Setup

In working with my SCCM 2012 R2 deployment and SUPs I've discovered that the concept of sub-collections is gone; it seems to be replaced with folders. This is what’s caused me headaches on how I can get this to work as it did in SCCM 2007.

Once again in 2012 I have created two folders. For simplicity’s sake I’ve limited the collections in the MW folder only to 2.

SUP – Manual - All Servers (folder)

|--- SUP – Server Patching – Manual (collection)

SUP – MW - All Servers (folder)

|--- SUP – MW – 3rd Fri of Month 4-5am ET (collection)

|--- SUP – MW – 2nd Wed of Month 2-4am ET (collection)

 

I’ve set up two Software Deploy Groups in 2012

SUP – ALL MS13-XXX Approved Updates

SUP – All Non MS13-XXX Approved Updates

Each one of these update groups is deployed to the non MW collection with a type of available. This works great – as they are notified on the server that they have patches and need to be installed when they can schedule it.

Using the same set of two update groups I create new deployments with a type of required to be targeted at my MW collections. This works great – however I can only target this deployment at one collection – that is why the sub-collections worked so well in 2007. How can I accomplish this same thing without having to create 20-30 different deployments each specifically targeted at that specific MW collection?

There has to be a simpler way to target all my servers that have MW with one deployment.

Thanks in advance for any help.

~Mike





Deploy Java Updates using SCCM 2012 SP1 and SCUP 2011

What is the best way to deploy Java updates using SCCM 2012 SP1 and SCUP 2011?

How to exclude specific files, regardless of location on the drive?

I am implementing SCEP;

I have a file (capscrn.ocx) that must be excluded, but this file does not have the same location on different workstations.
How can I exclude the file without knowing where it is located?

What I need is to do something like this: \**\ *\capsm.ocx


Note: I cannot exclude only the extension.