Post 17 – Post changes to push out software updates

There are some post changes that need to be made in order to deploy software updates.

 

Group Policy Changes

Go to your domain controller and select Group Policy Management. Select the domain and right click to choose Create a GPO in this domain and link it here.

ad gpo creation

Call the new GPO Configuration Manager Client Installation. Select OK.

gpo name

Right click to select the new GPO and select Edit.

gpo selected

Expand Computer Configuration, Policies, Administrative Templates, Windows Components, and scroll down to Windows Update.

windows update options

Select Specify Intranet Microsoft Update service location. Set the checkbox to Enabled, then enter the fully qualified domain name and port of the Configuration Manager server that is running WSUS. In this case it is http://configmgr:8530. Select Apply and OK.

specify location

 

Set client side targeting settings to build a NEW computer group. Call this group New.  This will help show you which servers and clients have received the new domain policy and are following it.

new created

 

The update checking frequency GPO. This GPO is vital for troubleshooting. As I am having problems getting my clients to talk to SCCM/WSUS, I set the update detection frequency to every hour. This ensures I will be seeing something or having an attempt at communication within 1 hour.

update frequency check

If a non-admin is logged on, they should still see updates. I set this to enabled.

non admin updates

Enhanced software notifications, set to enabled. This will allow Win7, Server2008+ to receive better information about the software they may be receiving.

software notification

 

Configure Auto Update, set it to download and schedule the install. I am selecting the closest time.

auto update options

Configuration of Client Installation Settings

Go to your configuration manager server. Go to Administration, Site Configuration, and select Sites. Click on the Settings button in the ribbon and select Software Update-Based Client Installation.  

settings selected

Select Enable software update-based client installation. Select Apply and OK.

software update based client install

 

Monitoring your environment

Checking WSUS on your Configuration Manager server reveals some computers are now reporting back:

computers reporting

 

Now that the new GPO has been published and Software Update-Based Client Installation has been enabled, you have to manually check your clients. I am checking a Windows XP box:

xp sees auto software install

It sees 1 package to install. Select Install. This package is the Configuration Manager client. Also, this machine is already running Configuration Manager; a new install (with pointers to where updates can be pulled) will be installed.

To manually force your machines to use the new group policy, open CMD and type gpupdate /force. Wait about 5 minutes, and then run Windows Update. This will force your machines to begin the process of building the known state of Windows updates against the WSUS database. You can now check WSUS on your Configuration Manager server and see more machines reporting their status. In addition, on Windows XP and Windows 7 machines you can run wuauclt.exe /detectnow to check and report the status of updates needed for the machine.
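To confirm that a client really picked up the GPO after gpupdate /force, the policy values can be read back from the registry. The script below is an added example, not part of the original post; it assumes a client with PowerShell (Windows 7 or later), that the statistics server was set to the same URL as the update server, and the function name Test-WsusClientPolicy is made up for this illustration.

```powershell
# Added example: compare the Windows Update policy a client received with the
# GPO settings from this post. Run in PowerShell after gpupdate /force.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Expected values from the steps above. WUStatusServer matching WUServer is an
# assumption (the post gives one URL for the intranet update service).
$expected = @(
    @{ Key = $wuKey; Name = 'WUServer';                  Value = 'http://configmgr:8530' },
    @{ Key = $wuKey; Name = 'WUStatusServer';            Value = 'http://configmgr:8530' },
    @{ Key = $wuKey; Name = 'TargetGroupEnabled';        Value = 1 },
    @{ Key = $wuKey; Name = 'TargetGroup';               Value = 'New' },
    @{ Key = $auKey; Name = 'UseWUServer';               Value = 1 },
    @{ Key = $auKey; Name = 'DetectionFrequencyEnabled'; Value = 1 },
    @{ Key = $auKey; Name = 'DetectionFrequency';        Value = 1 },   # hours
    @{ Key = $auKey; Name = 'AUOptions';                 Value = 4 }    # download, schedule install
)

# Hypothetical helper: returns one object per setting with expected/actual values.
function Test-WsusClientPolicy {
    foreach ($e in $expected) {
        $item   = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($e.Name) } else { $null }
        New-Object PSObject -Property @{
            Setting  = $e.Name
            Expected = $e.Value
            Actual   = $actual
            Match    = (($null -ne $actual) -and ("$actual" -eq "$($e.Value)"))
        }
    }
}

$results = @(Test-WsusClientPolicy)
$results | Format-Table Setting, Expected, Actual, Match -AutoSize

$missing = @($results | Where-Object { -not $_.Match })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the GPO; the policy may not have applied yet." -f $missing.Count)
}

# WSUS on 8530 is plain HTTP; flag it so the move to SSL (default port 8531) is not forgotten.
$server = ($results | Where-Object { $_.Setting -eq 'WUServer' }).Actual
if ($server -like 'http://*') {
    Write-Warning "WUServer is $server (plain HTTP): update metadata to and from WSUS is not protected in transit."
}
```

A client that shows every row as a match but still does not appear in the WSUS group New has received the policy and simply has not completed a detection cycle yet.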

 

I am currently using:

Server 2012 STD

Server 2012 Datacenter

Server 2008

Windows XP Clients (3)

Windows 7 Clients (2)

Windows 8 Clients (not yet built)

 

Note: Manually checking updates will not work for several hours. The machines need to report to Configuration Manager their status of what has been installed, and their current patch level.

Note: All of my virtual machines have the firewall turned off. I am also running Kali Linux penetration testing software to see what I can from the existing environment. The default ports needed will be secured after doing this.

Now run: Software Updates Scan Cycle on each client pc (in order to speed up the creation process). I noticed although WSUS can now show which pc needs which updates, configuration manager can’t. The software updates scan cycle can take several hours.

 

 

Configmgr: /

Post Changes

 

You may not want users to have the ability to check for updates themselves. If so go to group policy manager and change the following setting:

 Installation of the Application Catalog Web Service Point and Application Catalog Website Point Roles

Needed?

 

Re-edit: I would recommend that you review the links below on Technet to get Best Practice configuration advice in relation to the Application Catalog roles we are about to install.

You will add the Application Catalog roles to your Primary server as the catalog provides new functionality for your clients as part of application deployment later on in this series. If you are wondering why are there two Application Catalog roles, well they perform different functions as outlined below:-

  • Application Catalog web service point: This site system role provides information about available software from the Software Library to the Application Catalog website.
  • Application Catalog website point: This site system role provides users with a list of available software.

Creation of an Application Catalog Web service point, catalog

 

Go to Administration, and select Sites. Select your primary site. Right click to select Add Site System Roles. Select Next.

add role wizard

 

We are not using a proxy. Select Next.

no proxy

Select Application Catalog web service point and Application Catalog website point and select Next.

roles selected

We are already using port 80 for default IIS services so we will continue to use port 80. Select Next.

use port 80

 

IIS specific settings, leave as defaults and select Next.

iis specific

 

Set the name of the organization, in this case it’s Blue Palace. Select Next.

blue palace

 

The summary screen will confirm the changes before applying them. Select Next.

summary

 

Success. Select Close.

Completed

 

Now we have to set up clients with the new Application Catalog.

Setup of clients with the application Catalog

Go to Administration, and client settings. Right click and select create custom client device settings. 

custom device settings

Select the following from the list  (we can always add/configure more later).

  • Client Policy
  • Computer Agent
  • Software Updates

custom settings

 

 

Give the policy a unique name. Select Client Policy. Set the client policy polling interval to 5 minutes. Select Computer Agent.

client policy

Computer Agent Settings. Set the default application catalog website point by clicking set website.

computer agent 1

 

Select the FQDN value of ConfigMgr.BluePalace.LAB (use intranet FQDN). Select OK after.

computer agent 2

 

Set "Add default Application Catalog website to Internet Explorer trusted sites zone" to True, and fill in the Organization Name you want displayed in Software Center, in this case Blue Palace. Select Software Updates.

computer agent 3

Change the schedule to check every 1 hour, and to redeploy every 1 hour. Select OK to set the settings.

deployment

Deployment of New Settings

 

Now deploy the new settings to the clients. Select the new device settings, and right click to select Deploy. Select All Systems and OK.

set collection

 

Testing before major changes:

few details

 

There is only 1 computer showing installed.

Removed software update role and restarted vm.

 

confusing whats this few details

 

Created groups for Server 2012, Server 2008, Windows 7 updates, Expired updates

software update groups

 

Icons have now changed to another type. Will try to deploy to Windows 7 PCs.

Windows 7 Security Updates selected and Download selected

download selected

ConfigMgr added as distribution point

configmgr distro point

Setting to auto-distro, setting priority to High.

distro priority

Setting to download from the internet

where updates

Language, selected English. Next.

languages

Confirmation of download:

confirm download

To download the following Win 7 security updates:

Package:
The software updates will be placed in a new package:
• Windows 7 Security
Content (1):
• CONFIGMGR.BLUEPALACE.LAB
Distribution Settings
• Priority: High
• Distribute the content for this package to preferred distribution points: Disabled
• Prestaged distribution point settings: Automatically download content when packages are assigned to distribution points

Software updates that will be downloaded from the internet
Language Selection:
English

After Next is selected, updates are provisioned:

provisioning

D:\sources is 106 MB at 10:09 PM

1009 pm

Updated:

downloads complete

 

Deployment:

Selected Deploy, will try to deploy the security updates. Set collection to security updates, win 7 computers.

set collection

Unsure on whether these are even needed, so setting to ‘Available’ instead of required.

availalbe

Setting time to as soon as possible.

when

User experience, set it so that the client (me in this case) will see that it actually does something.

user experience

Failure notification, yep.

alerts

download settings, kept at default. Clients should not have a slow network.

download settings

Confirmation,

confirmation


 
