Create software update group that only contains post service pack hotfixes?

Similar Messages

• Creating software update group for required updates ?

  Hello,
  I've been trying to find an easy way to create a software update group that contains required security updates for a specific device collection but no solution yet. It is easy to get which security updates are required for that collection via SQL query or
  by using built-in report in sccm2012. The problem is, there is no way to easily create a update group to deploy from those lists. You have to add them one by one and that takes so much time. So i would be glad if someone have an answer for me?
  Best Regards,

  Thanks for your quick response. I have hundreds of required updates in the software update section. So you say deploy all of them to that collection even most of are not required for those devices. At this point it seems unreasonable to deploy so much
  unnecessary file which will increase the burden on network and devices while it also increases the risk of failures. On the other hand it is also very time consuming to add approx. 50 update one by one to update group.

• Automatic create Software Update Group and assign patches

  Does someone has a e.g. powershell/vbs script which does the following:
  - step 1: verify which patches are added to Windows 7 image using SCCM 2012 Offline Servicing
  - step 2: verify all downloaded and deployed patches in the SCCM 2012 environment
  - step 3: get the multi-reboot patches
  Then creates a Software Update Group and add all patches obtained in step 2 and exclude all patches obtained in step 1 and step 3..
  Then I can assign that software update group to my Reference Image task sequence and I will not ran in the currently available problems where lists are to big and software updates during the task sequence are failing :-)
  Does some likes this and want to help me with it ?
  I think it is a nice solution for the patch deployment problem during the reference image task sequence phase.

  1.  I've not written a script for that but to be plain:  why?  There's no reason you shouldnt have those patches downloaded and deployed anyway in case someone makes a computer "the old fashioned way" then joins it to the domain.
  2.  This is what ADR is for.  I've got a few runbooks to help with things like cleaning up expired patches, but you shouldn't need any script for this step specifically.
  3.  Getting multi-reboot patches someone already did for you :)  http://blogs.technet.com/b/deploymentguys/archive/2015/03/11/excluding-known-multi-reboot-updates-during-a-zti-deployment.aspx
  Basically for #3, you just replace the update task with the MDT version and put this script right in front.  Bam, done :)  As for the extra scripting to exclude downloading patches you injected with DISM (#1)... I honestly don't see a point ...
  but I could probably write something if you wanted.

• Software Update Group not created...?

  SCCM 2012 R2
  So I'm working on patching up our servers and am not sure how the Software Update Group gets created.
  I created an Automatic Deployment Rule for the group of machines I want to patch and chose to Add to an existing Software Update Group.  However, it never prompted me for what group to update.  I checked under Software Update Groups and only have
  ones from our workstations that have been in there for a while.
  Do I have to manually create the Software Update Group for the servers to use and if so, where do I do that in the Confir Manager program?
  Also, on a side note, when I view my ADRs, a couple of them say: Auto Deployment Rule results exceeded maximum number of updates.  Not sure if that's when I need to somehow break them up into Monthly groups or something like that? 
  I know there's a hard limit of updates per something but this was all originalyl configured by an external consultant so no one here is fully up to speed on all the nuances yet.
  Thanks!

  OK, so my ADRs are setup so that they all run on a certain date and then the have a 0, 7, or 14 day delay on when the patches become available so certain groups patch each weekend.  Since they all failed with the Too many patches error, I need to redo
  them.  If I make the changes and then do a "Run Now" to force them to update, will it start the 7 day delay over from when I do the Run Now or will that still go from the original date?
  And if I have the patches set to Deadline immediately, but have maintenance windows setup as Saturday 1AM - 11PM, and do not have the checkboxes checked to allow them to go outside a maintenance window, I can still do the Run Now any time and all the patches
  will then install at 1 AM on Saturday.  right?  Just don't want things to start installing in the middle of the day and mess everything up. :)
  Thanks!

• Export and Import members of a Software Update Group

  Greetings,
  I am looking for a method I can use to Export a Software Update Group (or just it's members) to a file that I can then use to Import into another 2012 hierarchy. I can't use the built-in Migration process as it is already connected to a different Hierarchy.
  I have scripts that will pull Approvals from WSUS and then import into Update groups, but I also need something that I can use to copy update groups from "DEV" to "PROD" and back again.
  Any thought or suggestions most welcome.
  Scott.

  Hi
  You cannot export Software Update Groups in ConfigMgr 2012.
  One way of doing what you what is to use Powershell to "dump" all the settings of your Software Update Groups and then use that file as a basis for creating the Software Update Group in production. Or you could just create all Software Update Groups using
  a Powerscript which runs in dev and production.
  To get you started, you could look at the snippet of code below, which I use for creating Software Update Group automatically.
  import-module ($Env:SMS_ADMIN_UI_PATH.Substring(0,$Env:SMS_ADMIN_UI_PATH.Length-5) + '\ConfigurationManager.psd1')
  $PSD = Get-PSDrive -PSProvider CMSite
  CD "$($PSD):"
  $DPDate = get-date "22-02-2011 19:00:00"
  $SUGName = "Workstaitions 2011 02 February"
  $SUGMembers = Get-CMSoftwareUpdate | Where-Object {$_.DatePosted -eq $DPDate -and $_.NumMissing -ge 1} | select CI_ID
  New-CMSoftwareUpdateGroup -Name $SUGName -UpdateId $SUGMembers.CI_ID

• What Changes to Software Update Group Causes Clients to Re-check Compliance

  Hello,
  I have a number of software update groups that have been deployed over the past couple of years. When Microsoft release new updates etc. some of the updates already deployed change their status e.g. an update might get marked as expired. As a result of this
  I can go from having clients reporting as being compliant to a situation where they are in an unknown state until they report back again.
  Does anyone know what changes to an update already deployed would cause clients to have to check their compliance status for that software update group?
  Thank you.
  Stephen

  If you are referring to the enforcement state, this is indeed specific to the deployment, not the group itself.
  With regards to your question - Upon a change to your deployment, your clients will receive updated policy.  On a successful evaluation of the deployment, it will re-send a state message if necessary.  Unfortunately I do not know if there are certain
  things that do not trigger a policy update (i.e. change in the name or description vs. update membership or deadline change)

• I receive a Software Update notice that fails. How do I find out who/what is trying to update? How do I stop its attempt to update? The only response allowed is "OK". When OK is selected the window goes away and nothing else happens.

  About once a month I receive the Software update notice that has failed. How do I find out who/what is trying to update? If I decided I want this update how do I allow it to continue? If I decided I do not want this update how do I stop it and its attempt to update? The only response allowed is "OK". When OK is selected the window goes away and nothing else happens.

  Hi sharkbiscuit79,
  Yes your cabinet 10 on the Crediton exchange has already been installed and linked with a FTTC DSLAM cabinet (making it able to provide FTTC fibre broadband) and has been Accepting FTTC orders since December 2013.  PCP10 (with it's DSLAM cabinet within 100meters of it) is locate on the junction of Commercial Road and the A3072.
  However by the looks of things your are just too far away to obtain a FTTC (VDSL2) connection, meaning FTTC fibre broadband is not available to you.
  Have a look at the Connecting Devon and Somerset Considerations (particularly the last paragraph) - http://www.connectingdevonandsomerset.co.uk/where-when-map-conditions/
  Your best bet is to talk to Connecting Devon and Somerset to see if there are any further plans to get a fibre based service to your area via https://www.connectingdevonandsomerset.co.uk/contact-us/ (as your area may not be inscope of any further deployment). Best give them your full address and landline number too as they can check if you are within a NGA area.
  jac_95 | BT.com Help Site | BT Service Status
  Someone Solved Your Question?
  Please let other members know by clicking on ’Mark as Accepted Solution’
  Try a Search
  See if someone in the community had the same problem and how they got it resolved.

• I recently start using Firefox panorama. If I create a tab group that contains, for example, my favorite stack exchange websites, can I save ("bookmark") this tab group for easy access if I start a new session?

  <blockquote>Locking duplicate thread.<br>
  Please continue here: [/questions/813855]</blockquote><br>
  I recently start using Firefox panorama. If I create a tab group that contains, for example, my favorite stack exchange websites, can I save ("bookmark") this tab group for easy access if I start a new session?

  You can bookmark all those tabs and place them in a folder.
  * "Bookmark This Page" and "Bookmark All Tabs" no longer show in the Bookmarks menu unless you open the Bookmarks menu via the keyboard (Alt + B).
  * "Bookmark All Tabs" can be accessed via the right-click context menu of a tab on the tab bar.

• SCCM 2012 SP1 - PowerShell command to create a software update group deployment DISABLED by default

  Hello,
  I create deployment jobs using new Powershell cmdlet "Start-CMSoftwareUpdateDeployment". However it looks there is no way with this cmdlet to create a job which is disabled by default.
  Is it possible ? As an alternative, which cmdlet could I use to manage enable/disable job state ? I have not found anything so far.
  Regards.
  Sylvain

  hi, i tried the solution to create a deployment using  http://cm12sdk.net/?p=2014 link.
  it creates deployment but it is not downloaded so a red cross sign is shown in front of software update group. can you guide me on which command to use to download software update after which we can try the script mentioned in the link.
  thanks.
   

• I can not update a Windows Server 2008 R2 with Software Update Group in SCCM2012

  Hi all,
  I got some problems with update deployments these days.
  I try to configure SCCM2012 to update 1 Windows Server 2008 R2 (with Hyper-V / This server is in a cluster)
  Actually i've 4 other Hyper-V servers and i would like to add one more in the cluster called Hyper-V5. To do that i need that all Hyper-V servers use the same Windows Updates.
  I created a collection for my Hyper-V servers and then a Software Update Group with all needed updates (checked the list of another HV-Server).
  I did a deployment on this collection using this new Software Update Group.
  I checked the Sofwtare Center's logs on the Hyper-V5 server and i saw that synchronization has a successfull state.
  But there is no updates installed or displayed in Sofwtare Center.
  Here is some screenshots : Oh no i can't post image because ... "Body text cannot contain images or links until we are able to verify your account." waiting to be verified since months.
  Thanks for your help.

  Hi,
  Have you try to run Software Updates Scan Cycle and Software Updates Deployment Evaluation Cycle Actions on the client? Please check ScanAgent.log and PolicyAgent.log to see whether the client received the updates deployment policy.
  Best Regards,
  Joyce Li
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Creating Software Update Packages - Best Practice?

  I am setting up our SCCM 2012 R2 environment to begin using it for Windows Updates, however I'm not sure 100% the best method of setting it up.
  Currently my plan is to break out the deployment packages by OS, but I read\told that I should avoid creating to many dynamic deployment packages, as every time it changes all the computers will re-scan that package.  So What I want to do is create
  various packages for OS and years, so I would have a package that contains all updates for Windows 7, older then January 31, 2013 (assuming the package doesn't have 1000+ updates), and are not superseded\Expired. Then I would create Packages for the 2014
  monthly updates each month, then at the end 2014, combine them all in 1 package, and restart the process for 2015.  Is this a sound plan or is there a better course of action?
  If this the best practice method, is there any way to automatically create these packages?  I tried the Automatic Deployment Rules, but I can not set a Year of release, only the a time frame of the release,(older then 9 Months), unless I am missing
  something.  The only way I can see doing this is going into All Software Updates, and filtering on my requirements, and then manually creating the package, but this would less desirable, as after each year I would like to remove the superseded and expired
  without having to recreate the package.
  Mark.

  First, please learn what the different objects are -- not trying to be rude, just stating that if you don't do this, you will have fundamental issues. Packages are effectively meaningless when it comes to deploying updates. Packages are simply a way of grouping
  the binary files so they can be distributed to DPs and in-turn made available to clients. The package an update is in is irrelevant. Also, you do not "deploy" update packages and packages are not scanned by clients. The terminology is very important because
  there are implications that go along with it).
  What you are actually talking about above are software update groups. These are separate and distinct objects from update packages. Software Update groups group updates (not the update binaries) into logical groups that can be in-turn deployed or used for
  compliance reporting.
  Thus, you have two different containers that you need to be concerned about, update packages and update groups. As mentioned, the update package an update is in is pretty meaningless as long as the update is in a package that is also available to the clients
  that need it. Thus, the best way (IMO) to organize packages is by calendar period. Yearly or semi-annually usually works well. This is done more less to avoid putting all the updates into a single package that could get corrupted or will be difficult to deploy
  to new DPs.
  As for update groups, IMO, the best way is to create a new group every month for each class of products. This typically equates to one for servers, one for workstations, and one for Office every month. Then at the end of every year (or some other timeframe),
  rolling these monthly updates into a larger update group. Keep in mind that a single update group can have no more than 1,000 updates in it though. (There is no explicit limit on packages at all except see my comments above about not wanting one huge package
  for all updates.)
  Initially populating packages (like 2009, 2010, 2011, etc) is a manual process as is populating the update groups. From then on, you can use an ADR (or really three: one for workstations, one for servers, and one for Office) that runs every month, scans
  for updates released in the past month, and creates a new update group.
  Depending upon your update process, you may have to go back and add additional deployments to each update group also, but that won't take too long. Also, always QC your update groups created by an ADR. You don't want IE11 slipping through if it will break
  your main LOB application.
  Jason | http://blog.configmgrftw.com

• Dots in Software Update Groups names

  Hello,
  Do you know any reason why is it impossible to put a dot (".") in a name of Software Update Group? I can use dots in SUG's name created via ADR but not when I create one manually, I receive an error: "Must specify a valid name for the software
  update group".
  How can I put dots in a names for manually created SUGs?
  SCCM 5.00.7958.1000
  http://about.me/exchange12rocks

  While you might be able to create it with an ADR or with PowerShell, if the User Interface specifically prevents it from being created, its a strong bet that it isn't tested and supported by the product team.
  You're best bet is to put in feedback on Microsoft Connect asking them to allow and support it. 
  http://myitforum.com/myitforumwp/2013/12/02/giving-feedback-on-microsoft-connect-for-configmgr-2012-help-yourself-help-the-community/
  I hope that helps,
  Nash
  Nash Pherson, Senior Systems Consultant
  Now Micro -
  My Blog Posts
  If you found a bug or want the product to work differently,
  share your feedback.
  <-- If this post was helpful, please click the up arrow or propose as answer.

• All Software update groups expired

   Hi,
  Please see http://social.technet.microsoft.com/Forums/en-US/39b60e34-f30a-4963-a08b-6a8e13e44b91/software-update-groups-grey-icon-with-x-?forum=configmanagersecurity
  for reference.
  We created update lists for Windows 7 with Office, automatic updates for SCEP, they all are expired (Expired icon of “http://technet.microsoft.com/en-us/library/hh848254.aspx). I don’t want them to expire. I want to make sure every new
  OS will get the latest updates + antivirus updates.
  Not sure if this is by design, an error on SCCM (http://social.technet.microsoft.com/Forums/en-US/0c13c27d-55a9-4f56-8ac0-f9053301ab0c/all-updates-in-sccm-software-updates-are-set-to-expire?forum=configmgrsum=>
  my SCUP is there) or there is some misconfiguration.
  Please advise. J.
  Jan Hoedt

  Jan,
  > *Can you help me with this mechanism, I'm not familiar with it?
  While viewing the updates that are a member of the software updates group, either sort by the "Expired" column or filter by Expired = Yex.  Select all expired updates, right click, and select 'Edit Membership".  Uncheck the checkbox for the software
  update groups you are trying to remove them from.
  > *I seem to remember there was somewhere an option that mentioned expired
  This option has to do with how long 'superseded' updates will remain available for deployment.  You can set under Administration > Site Configuration > Sites.  Right click on your site and select Configure Site Components > Software Update
  Point.  The setting is on the "Supersedence Rules" tab.
  However, Microsoft will also directly expire updates from time to time as well.  In general, this is normal and something you shouldn't worry about managing.  When the update has been expired by Microsoft, it is something you couldn't install even
  by going to Windows Update, so you shouldn't worry trying to deploy them.  Instead, deploy the current updates instead of superseded ones.
  >How can I automate this (not automatically apply but using manually which updates to use and deploy at times I choose)?
  For organizations with very simple Software Update processes, you could use an Automatic Deployment Rule to select updates based on a criteria, download the content to a deployment package, add the updates to a software update group, and create a deployment
  to a collection.  That deployment can be 'available' and not required if you plan to hand install them later.
  This documentation gives you an overview of how all the Software Update Management features work:
  http://technet.microsoft.com/en-us/library/gg682168.aspx#BKMK_DeploymentWorkflows
  And this blog post gives an example of using an ADR:
  http://blogs.technet.com/b/configmgrdogs/archive/2012/05/08/configmgr-2012-automatic-deployment-rules.aspx
  I hope that helps,
  Nash
  Nash Pherson, Senior Systems Consultant
  Now Micro -
  My Blog Posts
  If you've found a bug or want the product worked differently,
  share your feedback.
  <-- If this post was helpful, please click "Vote as Helpful".

• Add an Update to the Software Update Group - where it's been monitored?

  Hello all,
  I'm looking for a solution to get the Updates for adding to a Software Update Group in SCCM 2012 R2.
  Which components (Message type, Severity, Message ID,...) are concerned?
  Or which log files are concerned?
  I will use the "Status Filer Rules" to create an new rule that will send me an E-Mail which let me know all the Updates what have been added to the Software Update Group.
  Many Thanks
  Andreas

  Just add an update to a software update group and see if a status message is being generated. Without having tested it: I think there will be one, but it will only tell that user xyz modified SUG abc, but you won't see which update was added. 
  Torsten Meringer | http://www.mssccmfaq.de

• Software update group question

  I did my June updates in June seems to pushing updates fine but now I look at the JUNE update group and the icon looks like this and I know it is not finished  updating all workstations.  Is there a setting to keep it active longer?
  MSB

  Also, the icon simply indicates that the group itself contains at least one expired update. This does not in any way affect the deployment of the software update group as a whole or the other updates within the group -- they will still be deployed normally.
  Only the actual update(s) that are expired will not be deployed.
  Jason | http://blog.configmgrftw.com