In the last post we deployed operating systems. In this post we will deploy software updates to our servers.
Some prereqs include:
Having enough disk space on your virtual machines. I noticed before I started this post that I was up to the limit on my Configuration Manager server, and I needed to resize the virtual machine. This involved copying my virtual machine from the SSD datastore to the regular HD datastore and resizing the virtual machine.
Time. This section may take your home lab many hours, even days, of leaving your systems on.
Installation of WSUS
We will be using a different VM in order to deploy software updates. This will help balance the IOPS needed in our environment and place less of a load on our Configuration Manager Server.
DISTRO will be our WSUS server. I have added a secondary hard drive to this virtual machine in order to simplify management of our updates, and in case we need to expand space in the future.
I used a 500GB thin provisioned hard drive.
Create a folder called sources on the E:\. Share this folder as sources and give everyone read access.
folder is shared
Go to server manager, and select add roles and features.
Select Next at this page.
Select Role-based or feature-based installation and select Next.
Make sure the server you are working on is selected and select Next.
Scroll down to select Windows Server Update Services (WSUS).
Once WSUS is selected you will see another dialog box. Select Add Features at this dialog box.
Now select Next to proceed.
You will be prompted with installing additional features for WSUS. Select Background Intelligent Transfer Services (BITS), at the additional dialog box select to Add Features. Select Next.
On the overview page select Next.
On the role services page we want to install WSUS database on the ConfigManager server. So on role services select WSUS Services and Database. Select Next.
Specify the updates in the path E:\Sources and select Next.
Set the Database instance for Configmgr and select Check Connection. Select Next.
On IIS role select the defaults and select Next.
Select Restart the destination server automatically if required and select Yes to the prompt after. Select Install.
WSUS and IIS have been installed, but there are additional configurations that need to be set. Select Launch Post-Installation Tasks. This may take a while as the post configuration is prepared.
Open Server Manager and Select WSUS and right click to select Windows Server Update Services.
This will launch the WSUS console.
Get familiar with this console as it may be needed for troubleshooting later.
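The wizard steps above can also be scripted. The following PowerShell is an added example, not part of the original post; it assumes Server 2012 on DISTRO, and the SQL host name is a placeholder you must replace with the Configuration Manager database server.

```powershell
# Added example, not from the original post. Run elevated on the WSUS server (DISTRO).
$contentDir  = 'E:\Sources'
$sqlInstance = '<ConfigMgr-SQL-host>'   # placeholder: the Configmgr database instance

# Folder and share from the first step: Everyone gets read access only.
New-Item -Path $contentDir -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name 'sources' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'sources' -Path $contentDir -ReadAccess 'Everyone' | Out-Null
}

# WSUS Services plus the SQL database option (instead of WID), and BITS.
$result = Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-DB, BITS `
    -IncludeManagementTools
if (-not $result.Success) { throw 'WSUS role installation failed.' }

# Scripted equivalent of "Launch Post-Installation Tasks".
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil postinstall "SQL_INSTANCE_NAME=$sqlInstance" "CONTENT_DIR=$contentDir"
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall exited with code $LASTEXITCODE" }

# Check 1: which WSUS components ended up installed.
Get-WindowsFeature -Name 'UpdateServices*' |
    Where-Object { $_.Installed } |
    Format-Table Name, InstallState -AutoSize

# Check 2: the share must not grant anything beyond Read.
$tooBroad = Get-SmbShareAccess -Name 'sources' |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' }
if ($tooBroad) {
    $tooBroad | Format-Table AccountName, AccessRight -AutoSize
    Write-Warning 'The sources share grants more than Read access.'
} else {
    'sources share: read-only access confirmed.'
}
```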
WSUS additional install settings
Launch the WSUS console on your Configuration Manager server.
Installation of the Configuration Manager Software Update Point
Go to the Configuration Manager server and launch the Configuration Manager console.
Go to Administration, Site Configuration, Servers and Site System Roles and select the configuration manager server. Right click and select Add Site System roles. Select Next.
We are not using a proxy, so select Next.
Select Software Update Point and select Next.
Select the second option, and select Next.
On specify account to connect to WSUS, select Use Credentials to connect to the WSUS server and set the account as BLUEPALACE\SMSAdmin. Select Next.
Set Create all WSUS reporting events, and select Next.
Enable synchronization on a schedule and have it run every 1 days. Also set to Alert when synchronization fails on any site in the hierarchy so you will know if the sync has failed. This value can be changed later if needed. Select Next.
Superseded updates are updates that are no longer valid as they have been replaced or are included with current updates (such as service packs). Select Immediately expire a superseded software update. Select Next.
Select Critical updates, Security updates, and Update Rollups. If more items are selected the database can grow to become very large. This value can be changed later if needed. Select Next.
Which products will be updated? I will be updating Server 2012, Server 2008 R2, Office 2007, Windows 7, and Windows 8. You have to be careful here, as you may download more updates than you need. This value can be changed later if needed. Select Next.
On languages, eliminate all of the languages except for English. Additional languages will double the amount of updates that will be downloaded from Microsoft. Select Next.
On the summary, select Next.
The role has been installed successfully.
Now install WSUS on the Configmgr server
Go to Server Manager and select Add role, Select Windows Server Update Services. On role services only select WSUS Services. On content location select \\distro\sources and select restart automatically if required. Having a local copy of the Windows Update Service will allow you to push updates. In addition you will need to give the user account SMSadmin rights to the SUS database.
I had to add the DB Creator role to the DB on Config Manager.
<Rewrite entire post> will use WSUS on the same server as Config Mgr.
Configuration of Client Settings for Updates
Select Client Settings, and default client settings. Go to the Software Updates tab. Select the Software update scan schedule and select Custom. As we don’t want to leave our home lab machines on for weeks at a time, select hourly and set the clients to check for updates every hour. This will ensure clients that are turned on will provide information for our database to be able to push updates out.
A deadline, or a triggered software update time period is critical to ensuring your systems will receive their updates in the maintenance window specified. Although this policy will affect all of our systems we will set the option to ensure systems are patched within a deadline of 1 hour.
We will also change the software update re-evaluation to occur within an hour as well to ensure any missing or failed updates are re-evaluated within a 1 hour timeframe.
Force a Synchronization
Although WSUS is now configured to check for updates every day, you may not want to leave your machines on for this long. To force a synchronization from Microsoft go to Software Library. At the top of the screen select Synchronize Software Updates.
You will be presented with a warning. This warning basically informs you a site-wide synchronization will occur. This is critical as in an enterprise environment the additional overhead and network traffic may not be welcome during the day or during normal operating hours. Select Yes. This first synchronization may take several hours.
To check on the status of the synchronization go to Monitoring, and Software Update Point Synchronization Status.
Note: this can take several attempts to get working correctly. It seems you just need to give it time, and eventually it will output data and sync properly. I have also had some error messages, and I checked C:\Program Files\Microsoft Configuration Manager\Logs\WCM.log in order to figure out if synchronization was going to work.
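Rather than reading WCM.log by eye, the entries that mention a failure can be pulled out with a short script. This is an added example, not part of the original post; it assumes the site-server log layout "message $$<component><date time><thread=...>", and the sample lines are constructed for illustration.

```powershell
# Added example, not from the original post. The log layout is an assumption;
# adjust the pattern if your WCM.log lines look different.
$logPath = 'C:\Program Files\Microsoft Configuration Manager\Logs\WCM.log'

# Constructed sample lines, used only when the real log is not present.
$sample = @(
    'Checking WSUS configuration.  $$<SMS_WSUS_CONFIGURATION_MANAGER><01-15-2013 14:32:05.101+300><thread=4012 (0xFAC)>',
    'Remote configuration failed on WSUS Server.~  $$<SMS_WSUS_CONFIGURATION_MANAGER><01-15-2013 14:32:09.412+300><thread=4012 (0xFAC)>',
    'Configuration successful.  $$<SMS_WSUS_CONFIGURATION_MANAGER><01-15-2013 14:47:30.006+300><thread=4012 (0xFAC)>'
)

function Get-WcmLogEntry {
    param([string[]]$Line)
    # message, then $$<component><timestamp><thread=N ...>
    $pattern = '^(?<msg>.*?)\s*\$\$<(?<component>[^>]*)><(?<stamp>[^>]*)><thread=(?<thread>\d+)'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            # Copy the captures first; the keyword test below overwrites $Matches.
            $msg       = $Matches['msg'].TrimEnd('~').Trim()
            $component = $Matches['component']
            $stamp     = $Matches['stamp']
            # This layout has no severity field, so flag entries by keyword.
            $suspect   = $msg -match '(?i)\b(fail\w*|error\w*|denied|unable|timed out)\b'
            New-Object PSObject -Property @{
                Time = $stamp; Component = $component; Message = $msg; Suspect = $suspect
            }
        }
    }
}

$lines   = if (Test-Path $logPath) { Get-Content $logPath } else { $sample }
$entries = @(Get-WcmLogEntry -Line $lines)

# Every entry that mentions a failure, oldest first.
$entries | Where-Object { $_.Suspect } | Format-Table Time, Message -AutoSize

# The newest entry shows whether the last attempt ended well or badly.
$last = $entries[-1]
if ($last -and $last.Suspect) {
    Write-Warning "Most recent entry reports a problem: $($last.Message)"
} elseif ($last) {
    "Most recent entry at $($last.Time): $($last.Message)"
}
```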
Synchronization took from 2:32 PM to 6:06 PM, almost 4 hours. The WSUS database grew to over 1 GB, despite not actually downloading any updates. 2105 updates are now known about.
However, I see some updates are for Itanium-based systems, 292 updates. I have moved these updates into a group called: Itanium systems.
The catalog version 0000 is the first update list that will be downloaded from Microsoft. A second update catalog version 1 will be what updates you want to download.
Now that the catalog has been built, clients need to verify their status against the metadata that has been downloaded.
To sync with WSUS quickly, go to a client PC. Select Control Panel, and then select Configuration Manager. Run the following reports:
Machine Policy Retrieval & Evaluation Cycle
Software Updates Deployment Evaluation Cycle
Software Updates Scan Cycle
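The same cycles can be triggered from PowerShell instead of the Control Panel applet, which helps when several lab clients need a push. This is an added example, not part of the original post; the schedule IDs are the commonly documented Configuration Manager client trigger IDs (an assumption to confirm against your client version), and the computer list is a placeholder.

```powershell
# Added example, not from the original post. Run elevated in Windows PowerShell.
# Uses Invoke-WmiMethod so it also works on PowerShell 2.0 clients.
$computers = @($env:COMPUTERNAME)   # placeholder: replace with your lab client names

# Assumption: commonly documented ConfigMgr client schedule IDs.
# Machine policy is split into retrieval and evaluation. The scan is placed
# before deployment evaluation so that evaluation sees fresh scan results.
$cycles = @(
    @{ Name = 'Machine Policy Retrieval';
       Id   = '{00000000-0000-0000-0000-000000000021}' },
    @{ Name = 'Machine Policy Evaluation';
       Id   = '{00000000-0000-0000-0000-000000000022}' },
    @{ Name = 'Software Updates Scan Cycle';
       Id   = '{00000000-0000-0000-0000-000000000113}' },
    @{ Name = 'Software Updates Deployment Evaluation Cycle';
       Id   = '{00000000-0000-0000-0000-000000000108}' }
)

$results = foreach ($computer in $computers) {
    foreach ($cycle in $cycles) {
        $status = 'Triggered'
        try {
            # SMS_Client.TriggerSchedule queues the cycle; it does not wait for completion.
            Invoke-WmiMethod -ComputerName $computer -Namespace 'root\ccm' `
                -Class 'SMS_Client' -Name 'TriggerSchedule' `
                -ArgumentList $cycle.Id -ErrorAction Stop | Out-Null
        } catch {
            # Typical causes: client not installed, WMI blocked, or no admin rights.
            $status = "Failed: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Computer = $computer; Cycle = $cycle.Name; Status = $status
        }
    }
}

$results | Format-Table Computer, Cycle, Status -AutoSize
```

The triggers are asynchronous, so "Triggered" only means the client accepted the request.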
Then run Summarization in order to take the data that has been collected and turn it into a usable product. You may have to do this several times in order to find out exactly how up to date your systems are, and which patches they already have installed. It may take overnight to process, as the executables that run in order to create these reports are set to run at the lowest priority and cannot be changed to run at a higher priority.
Creating a baseline group is critical to make sure that machines have the exact same updates. Again, this may take several hours or even a day before you have usable data in order to create an update group.
You can select all updates that are required for a certain operating system. For example, search for Windows XP and sort by Required. Now hold down Shift to select all of the updates.
Select Create Software Update Group. Give the group the name Updates needed for Windows XP, and select Create.
Now select the Group and right click select Deploy. This will start the deploy software updates wizard. Note: It will autogenerate a timestamp of when the wizard was first initiated, which is very helpful in determining the status of the Deploy/Software update push.
On collection select Browse, and select the default collection All Systems. Select Next.
On the deployment settings, you can either make these updates available to users, or make them required for users. We want to make these updates required, so select Required. Select Next.
Creating this deployment works kind of like a package, in order to specifically deploy the updates we have selected. This creates a deployment package.
Possibly make Deploying updates part 1
part 2: scenarios what to do
Windows 7 answer file
Server 2012/2008R2 answer file
Note: 8:46 pm wsus database is