Automate the set of patches in the software update group

Similar Messages

• Add an Update to the Software Update Group - where it's been monitored?

  Hello all,
  I'm looking for a solution to get the Updates for adding to a Software Update Group in SCCM 2012 R2.
  Which components (Message type, Severity, Message ID,...) are concerned?
  Or which log files are concerned?
  I will use the "Status Filer Rules" to create an new rule that will send me an E-Mail which let me know all the Updates what have been added to the Software Update Group.
  Many Thanks
  Andreas

  Just add an update to a software update group and see if a status message is being generated. Without having tested it: I think there will be one, but it will only tell that user xyz modified SUG abc, but you won't see which update was added. 
  Torsten Meringer | http://www.mssccmfaq.de

• Update showing up in "Compliance 5 - Specific Computer" Report even after removing the update from the Software Update before creating Group and Package

  So I've created a Software Update Group and I did NOT want anything in there dealing with Internet Explorer 11 since the organization is currently stuck at using 10 as the highest. So I made sure that Internet Explorer was NOT in the list and then I deployed
  the package. 
  After running my Overall Compliance report it shows that the systems are compliant, but when I view the "Compliance 5 - Specific Computer" I see that "Internet Explorer 11 for Windows 7 for x64-based Systems" is listed in the report. 
  This is just a testing phase right now and I have not created a WSUS like Domain level GPO. I understand that the SCCM client creates a local policy on the clients for the location of the Software Update Point (Specify
  Intranet Microsoft update service location), but the "Configure Automatic Updates" policy is set to Not Configured, which it looks like when this
  is set, the "Install updates automatically (recommended)" at 3AM is the default. 
  Is the reason why the "Internet Explorer 11 for Windows 7 for x64-based Systems" update is showing up in the list due to the fact that the "Configure
  Automatic Updates" policy is set to Not Configured
  and therefore it is still reaching out to check Windows Update online? 
  So, if I do create a Domain level GPO to Disable the "Configure
  Automatic Updates" policy, then the "Internet Explorer 11 for Windows 7 for x64-based Systems" update would not show up in the "Compliance 5 - Specific Computer" report?
  By the way, I have a Software Update Maintenance Window configured for the hours of 1AM-4AM so the 3AM default time falls within this time frame, therefore, I am assuming the SCCM 2012 client will not allow the Windows Update Agent to install the "Internet
  Explorer 11 for Windows 7 for x64-based Systems" update, even though it has detected it is "Required". 
  Thanks

  But, don't you need a Deployment Package in order to deploy the Software Update Group? The Software Update Group uses the downloaded updates contained in the Deployment Package located in, wherever the Package Source is, right?
  One more quick question that you will know right off hand, because, well, you just will I'm sure.
  No. The software update group really has nothing to do with any update packages. The update group assigns updates to clients and in turn clients use update packages to download assign and applicable updates from. There is no connection between the two though
  as the client can download an update from any available update package. Thus, it's more than possible to updates in an update package that are not in any update groups and it is also possible for an update to be in an update group without being in any update
  package.
  If the "Configure Automatic Updates" policy is set to "Not Configured" and since this keeps the 3AM Automatic Updates default, if I was to remove the Software Update Maintenance Window from being between 1AM-4AM, will the WUA agent install updates
  at 3AM, or no because the SCCM 2012 client still manages and oversees it and basically blocks that from occurring?
  No, ConfigMgr does not in any way block the WUA; however, the WUA can only autonomously install updates it downloads directly from WSUS. Thus, since there are no updates approved or downloaded in your WSUS instance, there's nothing for it to download and
  install. If you happen to actually be going into WSUS and approving updates (which you should not be doing as its unsupported), then yes, it actually would install updates -- this is outside of ConfigMgr's control though. Generally, disabling the WUA via a
  GPO is the recommended to prevent any accidental installations or reboots (as the WUA wil also check for initiate pending reboots outside of ConfigMgr).
  Lots more info in these two blog posts:
  - http://blog.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
  - http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/
  Jason | http://blog.configmgrftw.com

• How does the software updates actually get installed?

  Hello,
  Yesterday I followed the steps to perform "To manually deploy the software updates in a software update group" or
  https://technet.microsoft.com/en-us/library/gg712304.aspx.  or pages 12-15.  In a nutshell, I created a Critical Update item with a collection of 3 servers.  When I look
  at the Software Update Group area that lists the members that I created, I do see under the tabs that Deployed=Yes and Download=Yes for the items that I created.    However, this was not installed on any of the servers.   How does
  this actually get installed on the collection servers?  Did I miss a step?   Do the client settings play a role here?  Please advise.
  Thanks for all the help!
  Reez

  Kind of. Yes a software update scan cycle must run (a deployment eval doesn't), but it doesn't wait until the 7 day interval. Simply creating a new deployment in the console will trigger a software update scan cycle on targeted clients:
  http://blog.configmgrftw.com/notes-software-update-scan-cycle/
  For your deployment, did you create a "Required" deployment?
  Have you reviewed software center on the targeted clients?
  Have you check wuahandler.log on the clients.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Software Update Group not created...?

  SCCM 2012 R2
  So I'm working on patching up our servers and am not sure how the Software Update Group gets created.
  I created an Automatic Deployment Rule for the group of machines I want to patch and chose to Add to an existing Software Update Group.  However, it never prompted me for what group to update.  I checked under Software Update Groups and only have
  ones from our workstations that have been in there for a while.
  Do I have to manually create the Software Update Group for the servers to use and if so, where do I do that in the Confir Manager program?
  Also, on a side note, when I view my ADRs, a couple of them say: Auto Deployment Rule results exceeded maximum number of updates.  Not sure if that's when I need to somehow break them up into Monthly groups or something like that? 
  I know there's a hard limit of updates per something but this was all originalyl configured by an external consultant so no one here is fully up to speed on all the nuances yet.
  Thanks!

  OK, so my ADRs are setup so that they all run on a certain date and then the have a 0, 7, or 14 day delay on when the patches become available so certain groups patch each weekend.  Since they all failed with the Too many patches error, I need to redo
  them.  If I make the changes and then do a "Run Now" to force them to update, will it start the 7 day delay over from when I do the Run Now or will that still go from the original date?
  And if I have the patches set to Deadline immediately, but have maintenance windows setup as Saturday 1AM - 11PM, and do not have the checkboxes checked to allow them to go outside a maintenance window, I can still do the Run Now any time and all the patches
  will then install at 1 AM on Saturday.  right?  Just don't want things to start installing in the middle of the day and mess everything up. :)
  Thanks!

• All Software update groups expired

   Hi,
  Please see http://social.technet.microsoft.com/Forums/en-US/39b60e34-f30a-4963-a08b-6a8e13e44b91/software-update-groups-grey-icon-with-x-?forum=configmanagersecurity
  for reference.
  We created update lists for Windows 7 with Office, automatic updates for SCEP, they all are expired (Expired icon of “http://technet.microsoft.com/en-us/library/hh848254.aspx). I don’t want them to expire. I want to make sure every new
  OS will get the latest updates + antivirus updates.
  Not sure if this is by design, an error on SCCM (http://social.technet.microsoft.com/Forums/en-US/0c13c27d-55a9-4f56-8ac0-f9053301ab0c/all-updates-in-sccm-software-updates-are-set-to-expire?forum=configmgrsum=>
  my SCUP is there) or there is some misconfiguration.
  Please advise. J.
  Jan Hoedt

  Jan,
  > *Can you help me with this mechanism, I'm not familiar with it?
  While viewing the updates that are a member of the software updates group, either sort by the "Expired" column or filter by Expired = Yex.  Select all expired updates, right click, and select 'Edit Membership".  Uncheck the checkbox for the software
  update groups you are trying to remove them from.
  > *I seem to remember there was somewhere an option that mentioned expired
  This option has to do with how long 'superseded' updates will remain available for deployment.  You can set under Administration > Site Configuration > Sites.  Right click on your site and select Configure Site Components > Software Update
  Point.  The setting is on the "Supersedence Rules" tab.
  However, Microsoft will also directly expire updates from time to time as well.  In general, this is normal and something you shouldn't worry about managing.  When the update has been expired by Microsoft, it is something you couldn't install even
  by going to Windows Update, so you shouldn't worry trying to deploy them.  Instead, deploy the current updates instead of superseded ones.
  >How can I automate this (not automatically apply but using manually which updates to use and deploy at times I choose)?
  For organizations with very simple Software Update processes, you could use an Automatic Deployment Rule to select updates based on a criteria, download the content to a deployment package, add the updates to a software update group, and create a deployment
  to a collection.  That deployment can be 'available' and not required if you plan to hand install them later.
  This documentation gives you an overview of how all the Software Update Management features work:
  http://technet.microsoft.com/en-us/library/gg682168.aspx#BKMK_DeploymentWorkflows
  And this blog post gives an example of using an ADR:
  http://blogs.technet.com/b/configmgrdogs/archive/2012/05/08/configmgr-2012-automatic-deployment-rules.aspx
  I hope that helps,
  Nash
  Nash Pherson, Senior Systems Consultant
  Now Micro -
  My Blog Posts
  If you've found a bug or want the product worked differently,
  share your feedback.
  <-- If this post was helpful, please click "Vote as Helpful".

• Export and Import members of a Software Update Group

  Greetings,
  I am looking for a method I can use to Export a Software Update Group (or just it's members) to a file that I can then use to Import into another 2012 hierarchy. I can't use the built-in Migration process as it is already connected to a different Hierarchy.
  I have scripts that will pull Approvals from WSUS and then import into Update groups, but I also need something that I can use to copy update groups from "DEV" to "PROD" and back again.
  Any thought or suggestions most welcome.
  Scott.

  Hi
  You cannot export Software Update Groups in ConfigMgr 2012.
  One way of doing what you what is to use Powershell to "dump" all the settings of your Software Update Groups and then use that file as a basis for creating the Software Update Group in production. Or you could just create all Software Update Groups using
  a Powerscript which runs in dev and production.
  To get you started, you could look at the snippet of code below, which I use for creating Software Update Group automatically.
  import-module ($Env:SMS_ADMIN_UI_PATH.Substring(0,$Env:SMS_ADMIN_UI_PATH.Length-5) + '\ConfigurationManager.psd1')
  $PSD = Get-PSDrive -PSProvider CMSite
  CD "$($PSD):"
  $DPDate = get-date "22-02-2011 19:00:00"
  $SUGName = "Workstaitions 2011 02 February"
  $SUGMembers = Get-CMSoftwareUpdate | Where-Object {$_.DatePosted -eq $DPDate -and $_.NumMissing -ge 1} | select CI_ID
  New-CMSoftwareUpdateGroup -Name $SUGName -UpdateId $SUGMembers.CI_ID

• Software update group problem on Primary SUP

  Hi All
  I hope someone can help me with the following issue it is related to SUP
  We have an environment of a CAS and a Primary Site ( I know not an ideal situation ;-))
  We have the SCCM 2012 Sp1 version with no CU update.
  We have two separate SUPS installed at separate servers one connected to the CAS site and one connected to the Primary site.
  The one connected to the CAS site connects to the internet and the one connected to primary sync’s with the other one.
  Everything works perfect but after the implementation of the new updates from the month April we have some problems.
  When I connect to the CAS site with the configuration manager console every update in the software update group have a green icon ( some are superseded and have an orange icon) and the updates all have the status of downloaded Yes and deployed Yes.
  When I connect to our primary site with the configuration manager console some updates in the same update group (as mentioned above) have a red icon and have the status of deployed yes and downloaded NO.
  Strange !!!
  I created a new update group and new package downloaded all updates again and the same thing happens as above.
  The updates KB2837579 , KB2553444 , KB973688 , KB2687567 are correct when I connect to the CAS but when I connect to the Primary they have status downloaded NO. Al other updates 150 are correct on both sites.
  There is no problem with the Sync between the SUPs when I check Software Update Point Sync status and wsyncmgr.log.
  I am lost in this one I hope someone can help me with this .or can help me where to troubleshoot
  regards
  Johan

  When I connect to the CAS site with the configuration manager console every update in the software update group have a green icon ( some are superseded and have an orange icon) and the updates all have the status of downloaded Yes and deployed Yes.
  When I connect to our primary site with the configuration manager console some updates in the same update group (as mentioned above) have a red icon and have the status of deployed yes and downloaded NO.
  Strange !!!
  Yes, even I've seen these kind of issues several times even after CM12 R2 upgrade. I had these issues normally (ONLY) with Windows XP and Windows Server 2003 server patches. It seems to me like when you DON'T have Win XP and Windows Server 2003 machines
  in Primary server DB then we're facing this issue. But I'm not very sure. This is just a thought.
  Primary server CM12 console - When you look at software update group or Package then in the “summary” there would one or more  patches show as “not downloaded” 
  But when you take a look at the properties of the patch and look at  “Content information”, it says downloaded = yes
  Anoop C Nair -
  @anoopmannur :: MY Site:
   www.AnoopCNair.com ::
  FaceBook:
   ConfigMgr(SCCM) Page ::
  Linkedin:
   Linkedin<

• Software update group question

  I did my June updates in June seems to pushing updates fine but now I look at the JUNE update group and the icon looks like this and I know it is not finished  updating all workstations.  Is there a setting to keep it active longer?
  MSB

  Also, the icon simply indicates that the group itself contains at least one expired update. This does not in any way affect the deployment of the software update group as a whole or the other updates within the group -- they will still be deployed normally.
  Only the actual update(s) that are expired will not be deployed.
  Jason | http://blog.configmgrftw.com

• Software update group - Superseded updates

  Hi all,
  I need to understand something. I have Software Update Group and it has a deployment configured . When a given update becomes superseded and I remove it from the software update group, how does this affect the configured deployment? I don't
  want to delete/recreate the deployment.  Will the deployment automatically update itself and remove the update that I removed from the Update Group, will it still try to deploy the upddate...wil it give an error...etc.
  Thanks in advance,
  Jesmat.

  The deployment is for the updates in the software update group. For currently targeted devices it will need a machine policy update before they know about the change.
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• How can I tell what Software Update Groups are members of Deployment Packages?

  I have a single SCCM 2012 SP1 CU4 server running on Windows Server 2012.
  I am trying to clean things up a little bit and I am curious:
  How can I tell which Software Update Groups use
  which Deployment Packages?  I don't see it on the Properties of either one.
  Thanks!

  Funny thing is that you can't see from the software update (in the software update group) in which deployment package(s) it exists. Your only options are manually comparing every single update (not really an option), or use PowerShell and do something
  like this:
  http://myitforum.com/myitforumwp/2014/05/12/matching-configmgr-software-updates-to-a-deployment-package-with-powershell/
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• Dots in Software Update Groups names

  Hello,
  Do you know any reason why is it impossible to put a dot (".") in a name of Software Update Group? I can use dots in SUG's name created via ADR but not when I create one manually, I receive an error: "Must specify a valid name for the software
  update group".
  How can I put dots in a names for manually created SUGs?
  SCCM 5.00.7958.1000
  http://about.me/exchange12rocks

  While you might be able to create it with an ADR or with PowerShell, if the User Interface specifically prevents it from being created, its a strong bet that it isn't tested and supported by the product team.
  You're best bet is to put in feedback on Microsoft Connect asking them to allow and support it. 
  http://myitforum.com/myitforumwp/2013/12/02/giving-feedback-on-microsoft-connect-for-configmgr-2012-help-yourself-help-the-community/
  I hope that helps,
  Nash
  Nash Pherson, Senior Systems Consultant
  Now Micro -
  My Blog Posts
  If you found a bug or want the product to work differently,
  share your feedback.
  <-- If this post was helpful, please click the up arrow or propose as answer.

• Deleting a deployment without a Software Update Group

  I deleted a Software Update group prior to removing the deployment attached. I am not unable to remove the deployment nor recreate the deployment with the same name through the Config Manager.
  Is there a was to remove the deployment package?
  Thanks.

  I deleted a Software Update group prior to removing the deployment attached. I am not unable to remove the deployment nor recreate the deployment with the same name through the Config Manager.
  That should also have removed the deployment of the software update group then.
  Torsten Meringer | http://www.mssccmfaq.de

• Downloaded additional language for software update group question

  Hi,
  We have some clients where the updates are stuck at downloading at 66% and I think it may be due to missing a language. So I went into the software update group and redownloaded it again with the additional language selected. Do I now need to do anything
  else? Do I need to re-deploy it to the collection again? Just not sure if more is required after downloading the additional language? TIA

  Correct. You can log in to any endpoint in that state and run machine policy evaluation cycle or use right click tools to do so and you should see that client download missing update.
  Additionally, you can check logs for more details on what is really going on:
  UpdatesDeployment.log UpdatesHandler.log - both in C:\Windows\CCM\Logs folder and C:\Windows\WindowsUpdate.log

• Added additional update to software update group, do I need to deploy it?

  Hi,
  I am fairly new to SCCM and I am not sure about this. Couple days ago I downloaded some windows updates and placed them into a software update group 2015Clients and created the required deployments. So today I found an additional update that needed
  to be added to this update group 2015clients. So I downloaded the additional update and it was placed into the 2015Clients deployment package. My first question is why is it in the deployment package 2015Clients and not in the software update group 2015Clients
  as well? Second question, the new update that is now in the deployment package group says that it is not deployed like the other updates do. Do I need to deploy this new update? I was confused because when I tried to deploy it using the same deployment name
  as the other updates it wants me to use a different name. TIA

  Downloading an additional update doesn't directly add an update to an update group. Those are two separate things and by that two separate actions. There is no direct link between an update group and a deployment package.
  The deployed update group tells the client which updates it should install and the deployment package is the method to make the content of the update available.
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude