Post 16 – Deploying Software Updates

In the last post we deployed operating systems. In this post we will deploy Software updates to our servers.


Some prereqs include:

Having enough disk space on your virtual machines. I noticed before I started this post I am up to the limit on my Configuration Manager server, and I needed to resize the virtual machine. This involved copying my virtualmachine from the SSD datastore to the regular HD datastore and resizing the virtual machine.

Time, this section may take your home lab many hours, even days of leaving your systems on.



 Installation of WSUS

We will be using a different VM in order to deploy software updates. This will help balance the IOPS needed in our environment and place less of a load on our Configuration Manager Server.

DISTRO will be our wsus server. I have added a secondary harddrive to this virtual machine in order to simplify management of our updates, and in case we need to expand space in the future.

I used a 500GB thin provisioned hard drive.

Create a folder called sources on the E:\. Share this folder as sources and give everyone read access.

everyone read access

Give everyone Read accessfolder is shared

folder is shared

Select Done.

Go to server manager, and select add roles and features.

add role

Select Next at this page.

select next

Select Role-based or feature-based installation and select Next.

select install type

Make sure the server you are working on is selected and select Next.

distro selected

Scroll down to select Windows Server Update Services (WSUS). 

select WSUS

Once WSUS is selected you will see another dialog box. Select Add Features at this dialog box.

Select Add Features

Select Add Features

Now select Next to proceed.

wsus selected

wsus selected

You will be prompted with installing additional features for WSUS. Select Background Intelligent Transfer Services (BITS), at the additional dialog box select to Add Features. Select Next.

added features for wsus

On the overview page select Next.


On the role services page we want to install WSUS database on the ConfigManager server. So on role services select WSUS Services and Database. Select Next.

role services

Specify the updates in the path E:\Sources and select Next.

update path

source update path

Set the Database instance for Configmgr and select Check Connection. Select Next.

DB instance on Configmgr

DB instance on Configmgr

Select Next.

iis role 1

On IIS role select the defaults and select Next.

iis role 2

Select Restart the destination server automatically if required  and select Yes to the prompt after. Select Install.

ready to install

ready to install

WSUS and IIS has been installed. But there is additional configurations that need to be set. Select Launch Post-Installation Tasks. This may take awhile as the post configuration is prepared.

post install tasks


wsus installed to configmgr

Open Server Manager and Select WSUS  and right click to select Windows Server Update Services. 

select wsus for post install

select wsus for post install

This will launch the WSUS console.

wsus console installed

Get familiar with this console as it may be needed for troubleshooting later.

WSUS additional install settings

Launch the WSUS console on your configuration Manager server.





Installation of the Configuration Manager Software Update Point 

Go to the Configuration Manager server and launch the Configuration Manager console.

Go to Administration, Site Configuration, Servers and Site System Roles and select the configuration manager server. Right click and select Add Site System roles. Select Next.

site roles wizard

We are not using a proxy, so select Next.

no proxy

Select Software Update Point and select Next.

software update point selected

software update point selected

Select the second option, and select Next.

software update point settings

On specify account to connect to WSUS, select Use Credentials to connect to the WSUS server and set the account as BLUEPALACE\SMSAdmin. Select Next.

set credientals


Set Create all WSUS reporting events, and select Next.

set create all wsus events

Enable synchronization on a schedule and have it run every 1 days. Also set to Alert when synchronization fails on any site in the hierarchy so you will know if the sync has failed. This value can be changed later if needed. Select Next.

update schedule

update schedule

Superseded updates are updates that are no longer valid as they have been replaced or are included with current updates (such as service packs). Select Immediately expire a superseded software update. Select Next.

supersedence rules

supersedence rules

Select Critical updates, Security updates, and Update Rollups and select next. If more items are selected the database can grow to become very large. This value can be changed later if needed. Select Next.

what updates do we care about

Which products will be updated? I will be updating Server 2012, Server 2008 R2, Office 2007,  Windows 7, and Windows 8. We can always change this value later, but you have to be careful as you may download more updates than you may need. You can change this value later if needed. Select Next.


Products to update

On languages, eliminate all of the languages except for English. Additional languages will double the size of the amount of updates that will be downloaded from Microsoft.  Select Next.



On the summary, select Next. 


The role has been installed successfully.

role installed success

 Now install WSUS on the Configmgr server

Go to Server Manager and select Add role, Select Windows Server Update Services. On role services only select WSUS Services. On content location select \\distro\sources and select restart automatically if required. Having a local copy of the Windows Update Service will allow you to push updates. In addition you will need to give the user account SMSadmin rights to the SUS database.

Had to add roles DB Creator to the DB on Config Manager.

<Rewrite entire post> will use WSUS on the same server as Config Mgr.




Configuration of Client Settings for Updates

Select Client Settings, and default client settings. go to the Software Updates tab. Select the Software update scan schedule and select Custom. As we don’t want to leave our home lab machines on for weeks at a time, select hourly and set the clients to check for updates every hour. This will ensure clients that are turned on will provide information for our database to be able to push updates out.

custom schedule

A deadline, or a triggered software update time period is critical to ensuring your systems will receive their updates in the maintenance window specified. Although this policy will affect all of our systems we will set the option to ensure systems are patched within a deadline of 1 hour.

setting a deadline

setting a deadline

We will also change the software update re-evaluation to occur within an hour as well to ensure any missing or failed updates are re-evaluated within a 1 hour timeframe.

deadline enforcement

deadline enforcement

Force a Synchronization 

Although WSUS is now configured to check for updates every day, you may not want to leave your machines on for this long. To force a synchronization from Microsoft go to Software Library. At the top of the screen select Synchronize Software Updates.

software updates

Software updates

You will be presented with a warning. This warning basically informs you a site-wide synchronization will occur. This is critical as in an enterprise environment the additional overhead and network traffic may not be welcome during the day or during normal operating hours. Select Yes. This first synchronization may take several hours. 

warning site wide sync

warning site wide sync

To check on the status of the synchronization go to, Monitoring, and Software Update Point Synchronization Status.  


Note.. this can take several attempts in order to get it working correctly. It seems to just give it time and eventually it will output data, and properly sync. I have also had some error messages and I checked

C:\Program Files\Microsoft Configuration Manager\Logs\WCM.log in order to figure out if synchronization was going to work.


Synchronization took from 2:32 PM  to 6:06 PM,  almost 4 hours. The WSUS database grew to over 1 GB, despite not actually downloading any updates. 2105 updates are now known about.

However, I see some updates are for Itanium-based systems, 292 updates. I have moved these updates into a group called: Itanium systems.


The catalog version 0000 is the first update list that will be downloaded from Microsoft. A second update catalog version 1 will be what updates you want to download.

Now that the catalog has been built, client need to verify their status against the metadata that has been downloaded.

To sync with WSUS quickly, go to a client pc. Select Control Panel, and then select Configuration Manager. Run the following reports;

Machine Policy Retrieval & Evaluation Cycle

Software Updates Deployment Evaluation Cycle

Software Updates Scan Cycle

actions to run

Then Run Summarization in order to take the data that has been collected and to turn into a usable product. You may have to do this several times in order to find out exactly how up to date your systems are, and which patches they already have installed. It may take over night in order to process, as the executable that run in order to create these reports are set to run as a lowest priority and cannot be changed to run as a higher priority.


Create a Baseline group is critical to make sure that machines have the exact same updates. Again, this may take several hours or even a day before you have useable data in order to create an update group.

You can select all updates that are required for a certain operating system for example search for Windows XP and sort by Required. Now hold down shift to select all of the updates.


Select Create Software Update Group. Give the group the name Updates needed for Windows XP, and select Create.


Now select the Group and right click select Deploy. This will start the deploy software updates wizard. Note: It will autogenerate a timestamp of when the wizard was first initiated, which is very helpful in determining the status of the Deploy/Software update push.

On collection select Browse, and select the default collection All Systems. Select Next.

general settings deployment


On the deployment settings, you can either make these updates available to users, or make them required for users. We want to make these updates required, so select Required. Select Next.

deployment settings

deployment settings

Creating this deployment, works kind of like a package, in order to specifically deploy updates we have selected. This creates a deployment package.


Possibly make Deploying updates part 1

part 2: scenarios what to do
testing …

Windows 7 answer file
Server 2012/2008R2 answer file

Note: 8:46 pm wsus database is

db size before


Post changes to push out software updates. 


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s