Powershell, Deployment Packages and Software Updates OH MY!

Ok, so I snooped around and was not able to find an answer to my question so here goes.
I'm building an automated process where Orchestrator runbooks will automate the entire process of downloading updates, deploying to test groups, waiting for an approved RFC then deploying the updates. That's the 10k foot level view.
My question revolves around the process of downloading software updates and placing them into a package. It has been suggested that the Save-CMSoftwareUpdate does this, but reviewing the doc I am less inclined to believe this statement. Was hoping to get lucky and have someone reply that they have done this and here are the interesting parts.
This will all be performed via powershell commands with no direct user interaction at all.  So some powershell script that pops up the download software updates wizard will not work for me.
Thanks in advance for any pearls of wisdom around this,
Jim

Ok, I know that we are playing 20 questions here, but I needed the first part to scope the next set of questions.
You say that the approvals are coming from an external source...are you wanting to automate the parsing of the external source or are you planning on putting the approvals into a WSUS group for it to download the update content? Keep in mind here that the UpdateID that I am referring to is a GUID and not something that someone is likely to give you in a human readable document. The problem with Bulletin IDs is that they will likely apply to a number of operating systems and architectures. It would be nice if you could get them to populate the approvals into the computer group directly to alleviate the ambiguity. Of course you have to remember that someone has to keep it cleaned up.
You can query WSUS for all of the UpdateIDs for a given computer group.
Beyond this, you will now need to use the WSUS APIs and may want to take a look at the IUpdate interface (http://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration.iupdate_members(v=vs.85).aspx) and call the GetInstallableItems method, which will return a list of InstallableItem (http://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration.installableitem_members(v=vs.85).aspx). Each item will have an ID, which is the ID that you will need to publish into your update package; it also has a Files property, which is a list of files for the installable item, and is of type UpdateFile (http://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration.updatefile_members(v=vs.85).aspx). These are the files that will get published into the update package. Each update file will have a FileUri property, which will provide you with a web link to download the file. If you are a bit more enterprising, you can mangle the FileUri into a UNC path, so that you can just copy the file directly.
You should now create the update list.  In the process of creating the update list, you will want to create a table of UpdateID to CI...you will need this when you create your advertisement.
Once you have gathered all of the update content, and their associated InstallableItem identifiers, you are ready to tell configuration manager to populate the update package with the installable items. Interesting here is that you are dealing with the installable items and not directly with the updates. Configuration manager will associate the InstallableItems with the appropriate updates to be shown in the interface.
Once you get the package populated, you will need to create the advertisements to the appropriate collection. By the way, this is done on an individual update basis. Remember that update lists, update packages and update advertisements have no direct relationship to one another, although a stronger bond was created in 2012.
Simple stuff huh?!?
Remember that Configuration Manager will not pull metadata across for updates that are already superseded, so you may not always have a one to one reference.
Keeping your packages cleaned up, removing extraneous update content that is no longer needed, is a completely different subject.
It would be greatly appreciated if you would mark any helpful entries as helpful and if the entry answers your question, please mark it with the Answer link.
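
The WSUS part of the walk-through above (group, approved updates, GetInstallableItems, Files, FileUri), sketched as an unattended script. This is an added example, not code from the thread: the server name, port, group name, staging path and CSV name are placeholders. It goes one step beyond the post by checking each downloaded file against the UpdateFile `Hash` property, which is assumed here to be a SHA-1 digest.

```powershell
# Added example. Server, port, group and paths are placeholders, not values from the thread.
param(
    [string]$WsusServer  = 'wsus01.example.test',
    [bool]  $UseSsl      = $true,
    [int]   $Port        = 8531,
    [string]$TargetGroup = 'Patch-Test',
    [string]$StagingPath = 'C:\UpdateStaging'
)
$ErrorActionPreference = 'Stop'

# The WSUS administration API ships with the WSUS console.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSsl, $Port)

# Find the computer target group that holds the approvals.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroup }
if (-not $group) { throw "Computer target group '$TargetGroup' not found on $WsusServer" }

# Limit the query to updates approved for that group.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
[void]$scope.ApprovedComputerTargetGroups.Add($group)

# One row per file: UpdateID (GUID) -> InstallableItem ID -> file name, URI and expected hash.
$map = foreach ($update in $wsus.GetUpdates($scope)) {
    foreach ($item in $update.GetInstallableItems()) {
        foreach ($file in $item.Files) {
            [pscustomobject]@{
                UpdateId          = $update.Id.UpdateId
                Title             = $update.Title
                InstallableItemId = $item.Id
                FileName          = $file.Name
                FileUri           = $file.FileUri
                # Assumption: Hash is the SHA-1 digest of the file, as a byte array.
                ExpectedSha1      = if ($file.Hash) { [BitConverter]::ToString($file.Hash) -replace '-' } else { $null }
                Verified          = $false
            }
        }
    }
}

# Download each file into a per-update folder and keep it only if the digest matches.
foreach ($row in $map) {
    $dir  = Join-Path $StagingPath $row.UpdateId.ToString()
    $dest = Join-Path $dir $row.FileName
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Invoke-WebRequest -Uri $row.FileUri -OutFile $dest -UseBasicParsing

    if (-not $row.ExpectedSha1) {
        Write-Warning "No hash published for $($row.FileName); leaving it unverified"
        continue
    }
    $actual = (Get-FileHash -Path $dest -Algorithm SHA1).Hash
    if ($actual -eq $row.ExpectedSha1) {
        $row.Verified = $true
    } else {
        Remove-Item -Path $dest -Force
        Write-Warning "Hash mismatch, file discarded: $($row.FileName)"
    }
}

# Keep the UpdateID-to-InstallableItem table for the later package and deployment steps.
$map | Export-Csv -Path (Join-Path $StagingPath 'update-map.csv') -NoTypeInformation
```

Only rows with `Verified` set to true should be handed to the package population step; a runbook can fail the activity if any row remains unverified.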

Similar Messages

  • Change deployment package for software updates

    Hi there
    Currently we have different deployment packages and software update groups based on year, product, etc.
    In the near future I'd like to rearrange our software deployment process in configuration manager 2012:
    1x Deployment Package for all updates
    1x "Full" Software Update Groups with all updates in it. Additional to that we'll create a "Diff" Software Update Group at the Patchday and merge the updates later via edit membership in the "Full" Software Update Group.
    Are the following steps which I would perform correct?
    1. Select all updates which are deployed and not expired and not superseded
    2. Create a new Software Update Group "Full"
    3. Select the new Software Update Group --> Download --> Create my new deployment package
    4. Deploy the new software update group to my collections
    5. Delete the obsolete software update groups / deployment package
    6. Delete the old updates source folders on our filer.
    I currently don't know if the redownload process lets the updates "forget" the old deployment package. With the above described steps I should get rid of all expired and superseded updates.
    Thanks for any advice :-)
    Regards,
    Simon

    That is correct, they only receive and install the updates they require, but don't confuse the metadata and deployments with the updates themselves. They will still receive the metadata and the policies for every update you deploy to them and that's where the problem lies. Each and every update assigned to a client (using a deployment) has its own policy which of course must be downloaded by the client and stored in WMI causing the bloat. Note that I haven't experienced this first-hand but am relying on the accounts of others here in the forums but to me, if there is any chance of this being an issue, I would avoid it.
    For Update Groups, just a few categories is sufficient to break things up and I typically do three: workstations, server, office. These are often on different patching schedules anyway so it makes sense to have three separate ADRs for them anyway.
    For packages, I typically organize based on the calendar creating a new package every 3-6 months with the package containing all updates. There's really no need to divide the package up by product unless you have DPs dedicated to a specific product. Note that pre-R2, to change the package an ADR referenced you had to use PowerShell -- it's been added into the GUI in R2 though.
    Jason | http://blog.configmgrftw.com

  • Deployment Package vs Right-Click, Deploy directly from Software Update Groups?

    I'm not sure I understand the difference between collecting updates into a group and then just using right-click to create a deployment from within Software Update Groups?
    One thing I did notice this morning, is that if I want to distribute that content to other DPS, I have to create deployment package first? Are there other reasons for not simply deploying from within Software Update Groups?
    Thank-you

    Update Groups *group* updates together. That's it, they have no additional functionality.
    Updates can be deployed individually or as groups (in the form of Update Groups) -- it would be pretty painful to manually deploy every update individually so that's why there are update groups.
    Update Packages (I don't like calling them deployment packages even though that's what they're labeled as in the console because they have nothing to do with deployments) make update binaries available to the clients.
    Update Groups have nothing to do with Update Packages. Update Groups contain references to updates, update packages contain binaries. Deploying an update or update group assigns those updates to the client within the collection specified. Clients that have an update assigned that is also applicable will download the binary for the update from any available update package and install it.
    You create an update package by right-clicking on an update or update group and choosing download. The wizard offers you a choice between using an existing package or creating a new one. You cannot directly create one.
    Secondary sites have nothing to do with this process whatsoever. Clients are clients are clients regardless of where they are located. As long as they are within the collection targeted by the deployment and they have access to the assigned update binaries in an update package, they will download and install the updates properly.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Deleting a deployment without a Software Update Group

    I deleted a Software Update group prior to removing the deployment attached. I am not unable to remove the deployment nor recreate the deployment with the same name through the Config Manager.
    Is there a way to remove the deployment package?
    Thanks.

    I deleted a Software Update group prior to removing the deployment attached. I am not unable to remove the deployment nor recreate the deployment with the same name through the Config Manager.
    That should also have removed the deployment of the software update group then.
    Torsten Meringer | http://www.mssccmfaq.de

  • Some issue with appstore and software update

    Hi all,
    I have some issues with app store and software update.
    Sometime App Store report that it was available software update for Mac OS X ML. When I enter in App Store to upgrade something goes wrong and I cannot do anything.
    If I close and open again App Store, it starts to look for update and after 5-10 seconds App Store reports that there aren't update available.
    I take a look in /var/log/install.log and I found this:
    Jun  4 01:40:54 XXX.local Software Update[6741]: Can't load distribution from https://swdist.apple.com/content/downloads/03/60/041-5259/K4G5rj8jSCBBxxxLM2XHpjPJdGspgBHzFX/041-5259.English.dist.gz: Host cert invalid or otherwise insecure download
    Jun  4 01:40:54 XXX.local Software Update[6741]: Failed Software Update - trust evaluation failed in SecTrustEvaluate with result: 5
    Jun  4 01:40:54 XXX.local Software Update[6741]: Can't load distribution from https://swdist.apple.com/content/downloads/32/52/041-5688/9zts9cfPJssQJdHBjQ2TFM5yxSgqwrT6rM/041-5688.English.dist.gz: Host cert invalid or otherwise insecure downlo
    Jun  4 01:40:54 XXX.local Software Update[6741]: Failed Software Update - trust evaluation failed in SecTrustEvaluate with result: 5
    Jun  4 01:40:54 XXX.local Software Update[6741]: Can't load distribution from https://swdist.apple.com/content/downloads/21/24/041-5260/876hzpgDST2NBNK2LKmjpPBhDwrL94sJ9x/041-5260.English.dist.gz: Host cert invalid or otherwise insecure download
    Jun  4 01:40:54 XXX.local Software Update[6741]: Removing package source SUContentLocatorPackageSource from manager
    Any ideas?
    Thanks
    Regards

    Back up all data.
    Launch the Keychain Access application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
    In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.
    In the Keychains list, there should be an item named System. If not, select
    File ▹ Add Keychain
    from the menu bar and add the following item:
    /Library/Keychains/System.keychain
    From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu at the top, select
    When using this certificate: Use System Defaults
    Close the inspection window. You'll be prompted for your administrator password to update the settings. Revert all the certificates with non-default trust settings.
    From the menu bar, select
    Keychain Access ▹ Preferences ▹ Certificates
    There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to CRL.
    Log out, log back in, and test.

  • Safari, Mail, and Software Update won't launch

    I've tried downloading Safari 3 but my iMac needed to be 10.4+. As a result my Safari, Mail, and Software Update will not launch. When I click either one it will just do 1 or 2 bounces and will not open. No error message pops up. My Firefox browser does work so it can't be an internet problem.
    This is what comes up on Console when I try to open Safari.
    Safari can't open library: /System/Library/PrivateFrameworks/SyndicationUI.framework/Versions/A/SyndicationUI (No such file or directory, errno = 2)
    Does anyone know a solution?
    Thank you.

    That's probably because Safari 3.1 introduced a webkit that your Panther applications can't use.
    Go to HD/Library/Packages, and delete the package for Safari 3.
    Then go to HD/Library/Receipts and delete any reference to Safari 3.
    Then go to Home/Library/Preferences and delete
    com.apple.Safari.plist
    Now re-install your previous version of Safari from your install disk (the one that came with your Mac).
    Repair permissions and reboot.

  • Major Sync and software update issue with windows 7 and iphone

    Loved my iPhone 3g and love my 4.0! My only concern is syncing and software updates are sporadic.
    When I first purchased and sync'd my 3g on my laptop, that I had since 2005 w/XP home 64bit, it would constantly (1 out of 5 times) show phone was disconnected and could not sync. Purchased a desktop, 2009 w/Vista 64bit (same issue mentioned continued) then upgraded to windows 7 64bit (same issue mentioned continued).
    Both pc's are authorized and contain the same apps and software. I went through all trouble shooting steps (authorize/deauthorize, phone hard boot, sync w/airplane mode on and/or off, uninstall and or reinstall iTunes, etc...) when both phones would brick after software updates on both pc's.
    The last software update 4.0 and most recent 4.2.1 went well on laptop with XP and no longer shows sync issue. The problem continues on the windows 7 and backup has completed successfully 3 times.
    Long story short, I have to pray the laptop never dies because iTunes, syncing and software updates on XP works now! The problem with software update, backups and syncing persists on windows 7.
    * I was able to apply 4.2.1 software update on XP and then connect to windows 7 to sync and backup successfully. I then disconnected/reconnected iphone to windows 7 and problem happened again, unable to sync phone was disconnected error message.

    I've had my new pc for over a year, never had any probs syncing my iphone (then a 3G but now the big 4!)
    I went to sync updates to Apps and a couple of tunes I had downloaded straight to my phone only to get an error message 'iTunes has stopped working - windows is checking the problem' followed by another message telling me there was a problem causing the program not to work correctly. Windows will close the program and notify me if a solution is found'
    Well..... I have NO music on my iPhone and every time I try to sync, the same error messages come up and the bloody program shuts down....

  • Lion disables system info and software update in about this mac

    hey guys I have problem with lion when I reboot lion,
    it disables system info and software update in "about this mac"
    actually it says "this button is disabled because there is no system profiler application" or  "this button is disabled because there is no software update application"
    and also every time when I reboot my computer it always changes default applications. for example
    it changes from VLC player to quicktime,  from Archive utility to textEdit and so on.
    each time i got to reinstall "Afloat application" if i want to use it.
    for making them ok I just need to open software updater from system pref. and the button becomes visible again.
    it is same with the system info. I got to search system profiler via spotlight search and I run, button becomes visible again.
    for the archive utility i got to go to coreservices and open Archive utility then automatically it becomes default app for .zip files again.
    http://imageshack.us/photo/my-images/689/screenshot20111225at659.png/

    Did you just install Lion? If so, you might need to try to reinstall as something got messed up.
    Afloat uses SIMBL which will break at just about every update. The reason you may have to keep installing Afloat is because the Resume feature of Lion is not compatible with SIMBL. See here: http://roaringapps.com/app:383
    SIMBL is a low-level system hack and may be causing your problems.

  • Unable to connect to network with Safari and Software Update

    A user I support has encountered a problem with networking. He is unable to connect to the network with Safari and Software Update, but IS able to connect and surf with Firefox and some other programs. Another unusual symptom is that he actually can connect to one web site (which is in his Bookmarks Bar) with Safari, but can't connect to anything else. He's also unable to navigate off of that one site he connects to. When he runs Network Diagnostics, he gets all green lights (no problems). He has fixed permissions, deleted Safari Cache and .plist, rebooted - not fixed yet. He's using 10.4.8 on a PowerPC G4. Any ideas appreciated (this is the weirdest I've seen in a while!).

    Here's what he did. After reading your post, he created another location in his network preferences, entering EXACTLY the same info that was in his old location (he even used the old DNS addresses), except using a new location name. Then he chose the new location and "everything worked". It's one of life's great mysteries. Thanks for your help - it is appreciated.

  • IChat won't connect and Software Update will not run.

    Hi, all,
    Sorry if something like this has already come up, and I apologise if this is the incorrect forum to post this in. I searched and didn't see anything identical to my issue (I didn't search very hard, but I did search), so I figured posting a topic might be the best way to go. I know this is two problems, but I decided to post it in the iChat forum in case the two were related.
    I bought this computer and received it yesterday. It's a 15 inch MacBook Pro, i5, 10.6.4. It worked fine this morning, software update ran, ichat worked fine.
    Now, when I try to connect to iChat, it takes a good ten minutes to try to connect, and then it sends me an error that says "You have been disconnected from iChat services. An internal error occurred that disconnected you from all iChat services. To resume using iChat, log in again to your instant messaging account." So, I quit iChat, and restarted it, but now it won't even show me my buddy list saying "connecting....". It just starts and sits there, and all the options are greyed out. I tried going into the security settings and changing the port to 443, but that's greyed out, too.
    So I thought I would try to run software update, and software update opens, but it doesn't ... go. It shows the little blue bar, and it's not frozen, but it doesn't advance at all, and it never gives me the option to go to the "install updates" screen because it doesn't check. I went into my network settings to check my connection, and I'm definitely connected to the internet (I mean, I'm typing this ON the MacBook Pro right now), but the panel says I'm not. I can hit "cancel" and quit software update.
    I already reinstalled the OS and the update to 10.6.4, and it's still the same issue.
    Help, anyone? This computer is brand new and I really don't want to have to erase and reinstall.
    Thanks

    Hi,
    Welcome to the Discussions
    On the changing the port front stop off on the Account Info tab on the way and deselect "Use this Account" to take it Off Line. (you can get half way states)
    You should then find the port 5190 is dark text so it can be edited.
    You should press the Enter key to "Set" the port change (this is different to earlier versions of iChat)
    Also try it with the SSL option disabled.
    If this is an AIM Login (AIM or Apple Name) their SSL server is more prone to "Falling over". iChat should default to using a Non SSL Login on a reconnection front it can be subject to a time frame issue.
    Next check the Mac Firewall (System Preferences > Security > Firewall tab)
    If this is On in Snow Leopard you have to go to the Advanced Button and Allow Signed Apps and Add iChat to the list.
    I favour the last suggestion as this may also block Software Update (Although I am not sure how you got to 10.6.4 although it is a separate Download you can get).
    I would also check you have DNS servers listed in System Preferences > Network > Advanced Button > DNS tab
    9:14 PM Saturday; September 25, 2010
    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

  • Where can I manually download itunes and software updates

    I am having problems downloading itunes and software updates. I understand that I need to do these manually but from where?
    The problem as explained to me is that auto updates will not work and are showing as no connection available due to the latency with my satellite connection.
    Apple auto updates are configured for US high speed internet and show no connection due to latency with sat connection.
    Drives me crazy but have no other option available to me.
    Any help would be greatly appreciated.

    Standalone updates can be found at http://support.apple.com/downloads.

  • Safari, iTunes and Software update can't connect, firefox can

    Hi all!
    Since upgrading to Leopard I've been unable to get my macbook to connect using Safari, Software Update or iTunes. I get unknown error messages from iTunes and Software Update and a message that the server can't be found or times out from safari.
    Strangely Firefox works perfectly and the other Macs on my network (some 10.4, some 10.5) are fine.
    I have tried checking the proxy settings and creating an new user account but both times the problem persists.
    The only thing I can think it could be is that someone configured proxy settings through firefox a while ago (pre 10.5) when they used it at their office. could that affect safari etc?
    All help gratefully received.
    Adam

    Hi. Sorry this will not help, more of an observation. I posted a while back that I was having much the same problem at work when connecting through a proxy. Any Apple app that needs an internet connection did not work, ie Safari, Widgets, Software Update etc. But iChat works, as does Mail although not the RSS function. Firefox on the other hand works fine. I am absolutely certain my settings are correct and when I revert to using my 10.4.10 boot disk that all works fine. I think Apple has somehow changed the way user info and password is sent when making a net connection through a proxy and now with 10.5 it does not work.
    I also spoke with a mate yesterday he has just upgraded to 10.4.11 which means he now has Safari 3. He now is also experiencing the same problems I have with 10.5 and proxy connections.

  • My iwork suite of apps wont update.  pages is still 4.1 and software update doesnt catch it.  I also cant buy it from app store because it says its already installed on this system...any ideas?

    my iwork suite of apps wont update.  pages is still 4.1 and software update doesnt catch it.  I also cant buy it from app store because it says its already installed on this system...any ideas?  thank you

    I'd be posting in the iWork forums.

  • Snow leopard server for net boot and software updates only what needs to be running to use it?

    Snow leopard server for net boot and software updates only what needs to be running to have it work right?

    Netboot and Software Update, at its simplest.  Mac OS X Server also expects to have functional IP networking and DNS services (somewhere) on the LAN (and if you're behind a NAT gateway, then the DNS server(s) are on your LAN and not out at your ISP), or things get weird.  SUS (usually) works out of the box, outside of cases where there's an outbound firewall.  Netboot can be more effort to setup, in terms of what you're loading into the clients.

  • Safari and software update won't connect with 10.6.5 and 10.6.6

    Downloaded 10.6.5 and 10.6.6 to my 4 month old Macbookpro but safari and software update wouldn't connect. Camino worked fine. I'm back on 10.6.3. It works fine but I would like to update. Suggestion?

    In response to how did I update if safari and update didn't work with 10.5 and 10.6. Your question is silly. I updated from 10.6.4 and as I said Camino works fine and always has.
