Automatically create a Software Update Group and assign patches

Does someone have, e.g., a PowerShell/VBS script which does the following:
- step 1: verify which patches are added to Windows 7 image using SCCM 2012 Offline Servicing
- step 2: verify all downloaded and deployed patches in the SCCM 2012 environment
- step 3: get the multi-reboot patches
Then it creates a Software Update Group, adds all patches obtained in step 2 and excludes all patches obtained in step 1 and step 3.
Then I can assign that software update group to my Reference Image task sequence and I will not run into the currently available problems where lists are too big and software updates during the task sequence are failing :-)
Does someone like this and want to help me with it?
I think it is a nice solution for the patch deployment problem during the reference image task sequence phase.

1.  I've not written a script for that, but to be plain: why?  There's no reason you shouldn't have those patches downloaded and deployed anyway in case someone makes a computer "the old fashioned way" then joins it to the domain.
2.  This is what ADR is for.  I've got a few runbooks to help with things like cleaning up expired patches, but you shouldn't need any script for this step specifically.
3.  Getting multi-reboot patches someone already did for you :)  http://blogs.technet.com/b/deploymentguys/archive/2015/03/11/excluding-known-multi-reboot-updates-during-a-zti-deployment.aspx
Basically for #3, you just replace the update task with the MDT version and put this script right in front.  Bam, done :)  As for the extra scripting to exclude downloading patches you injected with DISM (#1)... I honestly don't see a point ... but I could probably write something if you wanted.
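
The selection the question asks for (updates from step 2, minus the KBs from steps 1 and 3), as an added example that is not from the thread or from Microsoft. It splits the result so that no group exceeds the limit a later reply on this page puts at 1,000 updates per group. The function names, KB numbers, CI_IDs and the group name prefix are assumptions made for illustration; `Get-CMSoftwareUpdate` and `New-CMSoftwareUpdateGroup` are the cmdlets used elsewhere on this page.

```powershell
# Added example; KB numbers, CI_IDs and the group name prefix are constructed placeholders.

function Select-SugCandidate {
    # Step 2 minus steps 1 and 3: keep deployed, downloaded, still-valid updates
    # whose KB article is not on the exclusion list.
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Update,
        [string[]] $ExcludeKb = @()
    )
    $skip = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($kb in $ExcludeKb) {
        # Accept "KB1234567" or "1234567"; ArticleID on the update object is the bare number
        [void]$skip.Add(($kb.Trim() -replace '^KB', ''))
    }
    $Update | Where-Object {
        $_.IsDeployed -and $_.IsContentProvisioned -and
        -not $_.IsExpired -and -not $_.IsSuperseded -and
        -not $skip.Contains([string]$_.ArticleID)
    }
}

function New-SugFromUpdate {
    # Create one Software Update Group per batch of at most $MaxPerGroup updates.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Update,
        [Parameter(Mandatory)] [string] $NamePrefix,
        [int] $MaxPerGroup = 1000
    )
    $part = 0
    for ($i = 0; $i -lt $Update.Count; $i += $MaxPerGroup) {
        $end   = [Math]::Min($i + $MaxPerGroup, $Update.Count) - 1
        $batch = @($Update[$i..$end])
        $part++
        $name  = '{0} part {1:d2}' -f $NamePrefix, $part
        if ($PSCmdlet.ShouldProcess($name, "create group with $($batch.Count) updates")) {
            New-CMSoftwareUpdateGroup -Name $name -UpdateId $batch.CI_ID
        }
    }
}

# Constructed stand-ins for Get-CMSoftwareUpdate output.
# On a live site, from the CMSite drive:  $all = Get-CMSoftwareUpdate
$all = @(
    [pscustomobject]@{ CI_ID = 101; ArticleID = '9000001'; IsDeployed = $true;  IsContentProvisioned = $true;  IsExpired = $false; IsSuperseded = $false }
    [pscustomobject]@{ CI_ID = 102; ArticleID = '9000002'; IsDeployed = $true;  IsContentProvisioned = $true;  IsExpired = $false; IsSuperseded = $false }
    [pscustomobject]@{ CI_ID = 103; ArticleID = '9000003'; IsDeployed = $true;  IsContentProvisioned = $true;  IsExpired = $false; IsSuperseded = $false }
    [pscustomobject]@{ CI_ID = 104; ArticleID = '9000004'; IsDeployed = $true;  IsContentProvisioned = $true;  IsExpired = $true;  IsSuperseded = $false }
    [pscustomobject]@{ CI_ID = 105; ArticleID = '9000005'; IsDeployed = $false; IsContentProvisioned = $false; IsExpired = $false; IsSuperseded = $false }
    [pscustomobject]@{ CI_ID = 106; ArticleID = '9000006'; IsDeployed = $true;  IsContentProvisioned = $true;  IsExpired = $false; IsSuperseded = $false }
    [pscustomobject]@{ CI_ID = 107; ArticleID = '9000007'; IsDeployed = $true;  IsContentProvisioned = $true;  IsExpired = $false; IsSuperseded = $false }
)
$offlineServiced = @('KB9000002')   # step 1: already injected into the image (placeholder)
$multiReboot     = @('9000003')     # step 3: known multi-reboot updates (placeholder)

$picked = @(Select-SugCandidate -Update $all -ExcludeKb ($offlineServiced + $multiReboot))

# -WhatIf lists the groups that would be created without touching the site.
# -MaxPerGroup 2 is used here only so the constructed data shows the split.
New-SugFromUpdate -Update $picked -NamePrefix 'Reference image' -MaxPerGroup 2 -WhatIf
```

With the constructed data, three updates survive the filter (CI_ID 101, 106 and 107) and are reported as two groups; drop `-WhatIf` and `-MaxPerGroup` to create real groups with the default batch size.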

Similar Messages

  • Create software update group that only contains post service pack hotfixes?

    I'm creating software update groups for server and workstation OS.  Is there a way to exclude pre-service pack updates from an update group (or even the search itself)?  Example: all of our machines already have Windows 7 SP1 installed, therefore
    I don't need to include any updates that were included in SP1.  I know only required updates will be installed, but I'd rather not waste disk space downloading ones I don't need.  Thx

    The console shows you how many devices in your hierarchy require a given update. If you don't want to see updates that are not required by any devices, select Add Criteria > Required > Greater or Equal to 1 > Search. This assumes that the Software
    Updates Evaluation cycle is run on the devices...
    If you apply SP1 to all devices, the individual updates (pre-SP1), should not be required by the devices (they may even become superseded by SP1 - depends)... The count of Required in the console should be 0...
    I know this is not the exact answer you're looking for, but it's easy...

  • Creating software update group for required updates ?

    Hello,
    I've been trying to find an easy way to create a software update group that contains required security updates for a specific device collection but no solution yet. It is easy to get which security updates are required for that collection via SQL query or
    by using the built-in report in SCCM 2012. The problem is, there is no way to easily create an update group to deploy from those lists. You have to add them one by one and that takes so much time. So I would be glad if someone has an answer for me.
    Best Regards,

    Thanks for your quick response. I have hundreds of required updates in the software update section. So you say deploy all of them to that collection even though most of them are not required for those devices. At this point it seems unreasonable to deploy so many
    unnecessary files, which will increase the burden on network and devices while it also increases the risk of failures. On the other hand it is also very time consuming to add approx. 50 updates one by one to an update group.

  • Automate the set of patches in the software update group

    Up until now, we have been creating new software update groups for each Patch we are doing with Config Manager 2012 sp1.   For instance every weekend we are pushing out patches to workstations.   These are Windows 7, 8 and 8.1 updates.
    After synchronizing the latest software updates in Config Manager, we pull up our saved search and highlight all the updates and add them to a software update group.   We then deploy this software update group to a device collection.
    Is there any way to avoid this step of updating the software update group with the list of patches to go out that week?   This seems to be a manual step each time.
    Thanks
    Lance
    Thanks Lance

    More info:
    Operations and Maintenance for Software Updates in Configuration Manager
    http://technet.microsoft.com/en-us/library/gg712304.aspx#BKMK_AutoDeploy
    System Center 2012 Configuration Manager Best Practices
    http://social.technet.microsoft.com/wiki/contents/articles/11215.system-center-2012-configuration-manager-best-practices.aspx#Best_Practices_for_Software_Updates

  • Software Update Group not created...?

    SCCM 2012 R2
    So I'm working on patching up our servers and am not sure how the Software Update Group gets created.
    I created an Automatic Deployment Rule for the group of machines I want to patch and chose to Add to an existing Software Update Group.  However, it never prompted me for what group to update.  I checked under Software Update Groups and only have
    ones from our workstations that have been in there for a while.
    Do I have to manually create the Software Update Group for the servers to use and if so, where do I do that in the Config Manager program?
    Also, on a side note, when I view my ADRs, a couple of them say: Auto Deployment Rule results exceeded maximum number of updates.  Not sure if that's when I need to somehow break them up into Monthly groups or something like that? 
    I know there's a hard limit of updates per something but this was all originally configured by an external consultant so no one here is fully up to speed on all the nuances yet.
    Thanks!

    OK, so my ADRs are set up so that they all run on a certain date and then they have a 0, 7, or 14 day delay on when the patches become available so certain groups patch each weekend.  Since they all failed with the Too many patches error, I need to redo
    them.  If I make the changes and then do a "Run Now" to force them to update, will it start the 7 day delay over from when I do the Run Now or will that still go from the original date?
    And if I have the patches set to Deadline immediately, but have maintenance windows set up as Saturday 1AM - 11PM, and do not have the checkboxes checked to allow them to go outside a maintenance window, I can still do the Run Now any time and all the patches
    will then install at 1 AM on Saturday, right?  Just don't want things to start installing in the middle of the day and mess everything up. :)
    Thanks!

  • Export and Import members of a Software Update Group

    Greetings,
    I am looking for a method I can use to Export a Software Update Group (or just its members) to a file that I can then use to Import into another 2012 hierarchy. I can't use the built-in Migration process as it is already connected to a different Hierarchy.
    I have scripts that will pull Approvals from WSUS and then import into Update groups, but I also need something that I can use to copy update groups from "DEV" to "PROD" and back again.
    Any thought or suggestions most welcome.
    Scott.

    Hi
    You cannot export Software Update Groups in ConfigMgr 2012.
    One way of doing what you want is to use PowerShell to "dump" all the settings of your Software Update Groups and then use that file as a basis for creating the Software Update Group in production. Or you could just create all Software Update Groups using
    a PowerShell script which runs in dev and production.
    To get you started, you could look at the snippet of code below, which I use for creating Software Update Group automatically.
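    # Load the ConfigMgr module from the admin console install path and switch to the site drive
    Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0,$Env:SMS_ADMIN_UI_PATH.Length-5) + '\ConfigurationManager.psd1')
    $PSD = Get-PSDrive -PSProvider CMSite
    CD "$($PSD):"
    # Parse the release date with an explicit format so it does not depend on the machine's culture
    $DPDate = [datetime]::ParseExact("22-02-2011 19:00:00", "dd-MM-yyyy HH:mm:ss", [cultureinfo]::InvariantCulture)
    $SUGName = "Workstations 2011 02 February"
    # Updates posted on that date that at least one client is missing
    $SUGMembers = Get-CMSoftwareUpdate | Where-Object {$_.DatePosted -eq $DPDate -and $_.NumMissing -ge 1} | select CI_ID
    New-CMSoftwareUpdateGroup -Name $SUGName -UpdateId $SUGMembers.CI_ID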

  • All Software update groups expired

     Hi,
    Please see http://social.technet.microsoft.com/Forums/en-US/39b60e34-f30a-4963-a08b-6a8e13e44b91/software-update-groups-grey-icon-with-x-?forum=configmanagersecurity
    for reference.
    We created update lists for Windows 7 with Office, automatic updates for SCEP, they all are expired (Expired icon of http://technet.microsoft.com/en-us/library/hh848254.aspx). I don’t want them to expire. I want to make sure every new
    OS will get the latest updates + antivirus updates.
    Not sure if this is by design, an error on SCCM (http://social.technet.microsoft.com/Forums/en-US/0c13c27d-55a9-4f56-8ac0-f9053301ab0c/all-updates-in-sccm-software-updates-are-set-to-expire?forum=configmgrsum =>
    my SCUP is there) or there is some misconfiguration.
    Please advise. J.
    Jan Hoedt

    Jan,
    > *Can you help me with this mechanism, I'm not familiar with it?
    While viewing the updates that are a member of the software updates group, either sort by the "Expired" column or filter by Expired = Yes.  Select all expired updates, right click, and select "Edit Membership".  Uncheck the checkbox for the software
    update groups you are trying to remove them from.
    > *I seem to remember there was somewhere an option that mentioned expired
    This option has to do with how long 'superseded' updates will remain available for deployment.  You can set under Administration > Site Configuration > Sites.  Right click on your site and select Configure Site Components > Software Update
    Point.  The setting is on the "Supersedence Rules" tab.
    However, Microsoft will also directly expire updates from time to time as well.  In general, this is normal and something you shouldn't worry about managing.  When the update has been expired by Microsoft, it is something you couldn't install even
    by going to Windows Update, so you shouldn't worry trying to deploy them.  Instead, deploy the current updates instead of superseded ones.
    >How can I automate this (not automatically apply but using manually which updates to use and deploy at times I choose)?
    For organizations with very simple Software Update processes, you could use an Automatic Deployment Rule to select updates based on a criteria, download the content to a deployment package, add the updates to a software update group, and create a deployment
    to a collection.  That deployment can be 'available' and not required if you plan to hand install them later.
    This documentation gives you an overview of how all the Software Update Management features work:
    http://technet.microsoft.com/en-us/library/gg682168.aspx#BKMK_DeploymentWorkflows
    And this blog post gives an example of using an ADR:
    http://blogs.technet.com/b/configmgrdogs/archive/2012/05/08/configmgr-2012-automatic-deployment-rules.aspx
    I hope that helps,
    Nash
    Nash Pherson, Senior Systems Consultant
    Now Micro

  • Add an Update to the Software Update Group - where it's been monitored?

    Hello all,
    I'm looking for a solution to get the Updates for adding to a Software Update Group in SCCM 2012 R2.
    Which components (Message type, Severity, Message ID,...) are concerned?
    Or which log files are concerned?
    I will use the "Status Filter Rules" to create a new rule that will send me an e-mail which lets me know all the updates that have been added to the Software Update Group.
    Many Thanks
    Andreas

    Just add an update to a software update group and see if a status message is being generated. Without having tested it: I think there will be one, but it will only tell that user xyz modified SUG abc, but you won't see which update was added. 
    Torsten Meringer | http://www.mssccmfaq.de

  • Software update group - Superseded updates

    Hi all,
    I need to understand something. I have a Software Update Group and it has a deployment configured. When a given update becomes superseded and I remove it from the software update group, how does this affect the configured deployment? I don't
    want to delete/recreate the deployment.  Will the deployment automatically update itself and remove the update that I removed from the Update Group, will it still try to deploy the update... will it give an error... etc.
    Thanks in advance,
    Jesmat.

    The deployment is for the updates in the software update group. For currently targeted devices it will need a machine policy update before they know about the change.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Downloaded additional language for software update group question

    Hi,
    We have some clients where the updates are stuck at downloading at 66% and I think it may be due to missing a language. So I went into the software update group and redownloaded it again with the additional language selected. Do I now need to do anything
    else? Do I need to re-deploy it to the collection again? Just not sure if more is required after downloading the additional language? TIA

    Correct. You can log in to any endpoint in that state and run machine policy evaluation cycle or use right click tools to do so and you should see that client download missing update.
    Additionally, you can check logs for more details on what is really going on:
    UpdatesDeployment.log UpdatesHandler.log - both in C:\Windows\CCM\Logs folder and C:\Windows\WindowsUpdate.log

  • SCCM 2012 R2 changing date and time for patching software update groups

    I receive this error when changing date and time for a software update group. It worked fine yesterday before patches to the server were applied last night. We removed the patches but still get the error below. Any help would be great.
    ConfigMgr Error Object:
    instance of SMS_ExtendedStatus
    Description = "Property array AssignedCIs exceeded the max allowed";
    ErrorCode = 1078462259;
    File = "e:\\nts_sccm_release\\sms\\siteserver\\sdk_provider\\smsprov\\sspupdatesassignment.cpp";
    Line = 94;
    Operation = "PutInstance";
    ParameterInfo = "";
    ProviderName = "ExtnProv";
    StatusCode = 2147749889;
    Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException
    The SMS Provider reported an error.
    Stack Trace:
    at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Put(ReportProgress progressReport)
    at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Put()
    at Microsoft.ConfigurationManagement.AdminConsole.SmsDialogData.Put(IResultObject resultObject, List`1 resultObjectsPut, Boolean retainLock)
    at Microsoft.ConfigurationManagement.AdminConsole.SmsDialogData.Put(Boolean retainLock)
    at Microsoft.ConfigurationManagement.AdminConsole.DialogFramework.Forms.SmsPropertySheet.Put(ActionTrigger trigger)
    System.Management.ManagementException
    Generic failure
    Stack Trace:
    at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Put(ReportProgress progressReport)
    at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Put()
    at Microsoft.ConfigurationManagement.AdminConsole.SmsDialogData.Put(IResultObject resultObject, List`1 resultObjectsPut, Boolean retainLock)
    at Microsoft.ConfigurationManagement.AdminConsole.SmsDialogData.Put(Boolean retainLock)
    at Microsoft.ConfigurationManagement.AdminConsole.DialogFramework.Forms.SmsPropertySheet.Put(ActionTrigger trigger

    no it is the final version... is working today after cleaning up database... is working now...thanks
    Hello Robert,
    would you please give some more information, as I have the same issue and don't get what you mean by "cleaning up databases".
    Regards
    ooGDoo

  • SCCM 2012 SP1 - PowerShell command to create a software update group deployment DISABLED by default

    Hello,
    I create deployment jobs using new Powershell cmdlet "Start-CMSoftwareUpdateDeployment". However it looks there is no way with this cmdlet to create a job which is disabled by default.
    Is it possible ? As an alternative, which cmdlet could I use to manage enable/disable job state ? I have not found anything so far.
    Regards.
    Sylvain

    hi, i tried the solution to create a deployment using  http://cm12sdk.net/?p=2014 link.
    it creates deployment but it is not downloaded so a red cross sign is shown in front of software update group. can you guide me on which command to use to download software update after which we can try the script mentioned in the link.
    thanks.
     

  • Automatic software update stuck and going nowhere

    Had 10.5 on a PPC Macmini, running smoothly, no problems. Ran Software update today and it's stuck on a progress bar now for over an hour installing 10.5. The progress seems stuck 'installing one item' at app 10%. I am tempted to shut down but thought I might get a quick answer here first.
    Peter

    peter stephen wrote:
    Had 10.5 on a PPC Macmini, running smoothly, no problems. Ran Software update today and it's stuck on a progress bar now for over an hour installing 10.5. The progress seems stuck 'installing one item' at app 10%. I am tempted to shut down but thought I might get a quick answer here first.
    Peter
    Was it just one update, or many? Which one is it stuck at?
    Since you are running 10.5.0 there are many updates available, and installing them all at once might be problematical. Nothing should take an hour to install, but if you are installing a dozen or so updates, it's possible to take a long time.
    You might run your activity monitor and see if anything is really happening.

  • Creating Software Update Packages - Best Practice?

    I am setting up our SCCM 2012 R2 environment to begin using it for Windows Updates, however I'm not sure 100% the best method of setting it up.
    Currently my plan is to break out the deployment packages by OS, but I read/was told that I should avoid creating too many dynamic deployment packages, as every time it changes all the computers will re-scan that package.  So what I want to do is create
    various packages for OS and years, so I would have a package that contains all updates for Windows 7, older than January 31, 2013 (assuming the package doesn't have 1000+ updates), and are not superseded/expired. Then I would create packages for the 2014
    monthly updates each month, then at the end of 2014, combine them all in 1 package, and restart the process for 2015.  Is this a sound plan or is there a better course of action?
    If this is the best practice method, is there any way to automatically create these packages?  I tried the Automatic Deployment Rules, but I cannot set a year of release, only a time frame of the release (older than 9 months), unless I am missing
    something.  The only way I can see doing this is going into All Software Updates, and filtering on my requirements, and then manually creating the package, but this would be less desirable, as after each year I would like to remove the superseded and expired
    without having to recreate the package.
    Mark.

    First, please learn what the different objects are -- not trying to be rude, just stating that if you don't do this, you will have fundamental issues. Packages are effectively meaningless when it comes to deploying updates. Packages are simply a way of grouping
    the binary files so they can be distributed to DPs and in-turn made available to clients. The package an update is in is irrelevant. Also, you do not "deploy" update packages and packages are not scanned by clients. (The terminology is very important because
    there are implications that go along with it.)
    What you are actually talking about above are software update groups. These are separate and distinct objects from update packages. Software Update groups group updates (not the update binaries) into logical groups that can be in-turn deployed or used for
    compliance reporting.
    Thus, you have two different containers that you need to be concerned about, update packages and update groups. As mentioned, the update package an update is in is pretty meaningless as long as the update is in a package that is also available to the clients
    that need it. Thus, the best way (IMO) to organize packages is by calendar period. Yearly or semi-annually usually works well. This is done more or less to avoid putting all the updates into a single package that could get corrupted or will be difficult to deploy
    to new DPs.
    As for update groups, IMO, the best way is to create a new group every month for each class of products. This typically equates to one for servers, one for workstations, and one for Office every month. Then at the end of every year (or some other timeframe),
    rolling these monthly updates into a larger update group. Keep in mind that a single update group can have no more than 1,000 updates in it though. (There is no explicit limit on packages at all except see my comments above about not wanting one huge package
    for all updates.)
    Initially populating packages (like 2009, 2010, 2011, etc) is a manual process as is populating the update groups. From then on, you can use an ADR (or really three: one for workstations, one for servers, and one for Office) that runs every month, scans
    for updates released in the past month, and creates a new update group.
    Depending upon your update process, you may have to go back and add additional deployments to each update group also, but that won't take too long. Also, always QC your update groups created by an ADR. You don't want IE11 slipping through if it will break
    your main LOB application.
    Jason | http://blog.configmgrftw.com

  • Software update group problem on Primary SUP

    Hi All
    I hope someone can help me with the following issue it is related to SUP
    We have an environment of a CAS and a Primary Site ( I know not an ideal situation ;-))
    We have the SCCM 2012 Sp1 version with no CU update.
    We have two separate SUPS installed at separate servers one connected to the CAS site and one connected to the Primary site.
    The one connected to the CAS site connects to the internet and the one connected to the primary syncs with the other one.
    Everything works perfectly, but after the implementation of the new updates from the month of April we have some problems.
    When I connect to the CAS site with the configuration manager console every update in the software update group has a green icon (some are superseded and have an orange icon) and the updates all have the status of downloaded Yes and deployed Yes.
    When I connect to our primary site with the configuration manager console some updates in the same update group (as mentioned above) have a red icon and have the status of deployed yes and downloaded NO.
    Strange !!!
    I created a new update group and new package downloaded all updates again and the same thing happens as above.
    The updates KB2837579, KB2553444, KB973688, KB2687567 are correct when I connect to the CAS but when I connect to the Primary they have status downloaded NO. All other 150 updates are correct on both sites.
    There is no problem with the Sync between the SUPs when I check Software Update Point Sync status and wsyncmgr.log.
    I am lost on this one. I hope someone can help me with this, or can tell me where to troubleshoot.
    regards
    Johan

    > When I connect to the CAS site with the configuration manager console every update in the software update group has a green icon (some are superseded and have an orange icon) and the updates all have the status of downloaded Yes and deployed Yes.
    > When I connect to our primary site with the configuration manager console some updates in the same update group (as mentioned above) have a red icon and have the status of deployed yes and downloaded NO.
    > Strange !!!
    Yes, even I've seen these kinds of issues several times even after the CM12 R2 upgrade. I had these issues normally (ONLY) with Windows XP and Windows Server 2003 server patches. It seems to me like when you DON'T have Win XP and Windows Server 2003 machines
    in the Primary server DB then we're facing this issue. But I'm not very sure. This is just a thought.
    Primary server CM12 console - When you look at the software update group or Package then in the “summary” there would be one or more patches shown as “not downloaded”.
    But when you take a look at the properties of the patch and look at “Content information”, it says downloaded = yes.
    Anoop C Nair
