Systems Center and WSUS - Deploying updates

Hi
I'm having a bit of a nightmare trying to get a client to update from Systems Center when using WSUS.
I've installed and downloaded on Systems Center the necessary updates etc but the test PC had difficulty downloading the updates. 
Upon research I had put in the group policy the name and port of the server in the "Specify intranet Microsoft Update service location" but apparently this was wrong as it uses the configuration manager and software update point, so the group policy intranet entry is now disabled.
The PC then updated and I thought that it was working. However upon looking further, I believe that all that is happening is the PC is going direct out to the internet for the updates instead! There is no status change in the configuration management console (in Deployments it is saying Unknown) and there were far more updates being applied than I'd configured in the Software Update Group.
My sanity is close to breaking as this seems far more complex than it should be.
What should I have in the Group Policy? What logs are most useful in helping me figure out what I'm doing wrong?
Thanks for any help.

The only thing that is essential is that you should not have a GPO pointing to a previous WSUS server. If this is in place then ConfigMgr will ignore all updates deployments. It is best practice to implement a GPO to actually disable automatic updates (although this is not mandatory).
The following logs will give you a complete understanding of what is happening on a client:
UpdatesDeployment.log
UpdatesHandler.log
WUAHandler.log
Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson
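
A quick way to check the two points from the reply above on the test client, as an added example that is not part of the original thread: it reads the Windows Update policy values the client is actually using and pulls recent error lines from the three logs. `$ExpectedSup` is a placeholder for your own software update point URL, and the log folder assumes a default ConfigMgr 2012 client install.

```powershell
# Added example, not from the original thread. Run elevated on the test client.
# ASSUMPTION: $ExpectedSup is a placeholder; replace it with your software update point URL.
$ExpectedSup = 'http://sup.example.local:8530'

# Registry locations where Windows Update policy (domain GPO or local policy) lands
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (policy not configured)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.PSObject.Properties.Name -contains $Name) {
        return $item.$Name
    }
    return $null
}

$state = [pscustomobject]@{
    WUServer       = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer = Get-PolicyValue $wuKey 'WUStatusServer'
    UseWUServer    = Get-PolicyValue $auKey 'UseWUServer'
    NoAutoUpdate   = Get-PolicyValue $auKey 'NoAutoUpdate'
}
$state | Format-List

if (-not $state.WUServer) {
    Write-Warning 'No WUServer policy value is present; the client is not pointed at any intranet update server.'
}
elseif ($state.WUServer.TrimEnd('/') -ne $ExpectedSup.TrimEnd('/')) {
    # A leftover GPO naming an old WSUS server is the case the reply warns about
    Write-Warning "WUServer is $($state.WUServer), expected $ExpectedSup. Run 'gpresult /h report.html' to find the GPO that sets it."
}
if ($state.WUServer -and $state.UseWUServer -ne 1) {
    Write-Warning 'WUServer is set but UseWUServer is not 1, so the Windows Update Agent will not use the intranet server.'
}
if ($state.NoAutoUpdate -ne 1) {
    Write-Warning 'Automatic Updates is not disabled by policy (NoAutoUpdate is not 1).'
}

# Recent error lines from the three client logs named in the reply
$logDir = Join-Path $env:windir 'CCM\Logs'   # default client log folder (assumption)
foreach ($log in 'UpdatesDeployment.log', 'UpdatesHandler.log', 'WUAHandler.log') {
    $path = Join-Path $logDir $log
    if (-not (Test-Path $path)) {
        Write-Warning "$log not found under $logDir"
        continue
    }
    "--- $log ---"
    Select-String -Path $path -Pattern 'error|fail|0x8[0-9a-f]{7}' |
        Select-Object -Last 10 |
        ForEach-Object { $_.Line }
}
```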

Similar Messages

  • System Center Endpoint Protection Definition Updates

    Hi can anyone advise deploying definitions via SCCM 2012 and selecting the source as being "Updates distributed from Configuration Manager" does that mean each client will go to the Primary Site to get updates? Or by using ADR will it ensure that definitions come via distribution points?
    Also another question, as sccm 2012 is not rolled out to all sites yet, and will be deploying unmanaged clients, when I deploy the SCEP client offline un-managed with a policy file, is there a way then later to change policy on the client by command line?

    You could configure updating SCEP in many ways, including:
    Updates distributed from Configuration Manager – This method uses Configuration Manager software updates to deliver definition and engine updates to computers in your hierarchy.
    Updates distributed from Windows Server Update Services (WSUS) – This method uses your WSUS infrastructure to deliver definition and engine updates to computers.
    Updates distributed from Microsoft Update – This method allows computers to connect directly to Microsoft Update in order to download definition and engine updates. This method can be useful for computers that are not often connected to the business network.
    Updates distributed from Microsoft Malware Protection Center – This method will download definition updates from the Microsoft Malware Protection Center.
    Updates from UNC file shares – With this method, you can save the latest definition and engine updates to a share on the network. Clients can then access the network to install the updates.
    For more details, please refer to:
    http://technet.microsoft.com/en-us/library/jj822983.aspx

  • System Center keeps changing Microsoft Updates to previous upstream server

    1. Previously we configured the SCCM2012 R2 to talk to an upstream server which has now been decommissioned.
    2. We did the following to tell the SCCM2012R2 to go to Microsoft Update for updates by
    a. Clicking on Administration Workspace > Site Configuration > Servers and Site System Roles > Select the Primary Site Server > Clicked on the Home Ribbon > Configure Site Components > it shows that the SCCM2012 is configured to Synchronize from Microsoft Update.
    b. On the Windows Server Update Services, > Options > Update source, it is set to
    wsus.instance.com
    c. I changed it to Synchronize from Windows Update
    About 1 hour later, in the WCM.log
    This keeps appearing
    Attempting connection to WSUS server: wsus.instance.com, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 4/8/2014 11:11:47 AM 3392 (0x0D40)
    Successfully connected to server: wsus.instance.com, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 4/8/2014 11:11:48 AM 3392 (0x0D40)
    Verify Upstream Server settings on the Active WSUS Server SMS_WSUS_CONFIGURATION_MANAGER 4/8/2014 11:11:48 AM 3392 (0x0D40)
    Successfully configured WSUS Server settings and Upstream Server to wsus.instance.com SMS_WSUS_CONFIGURATION_MANAGER 4/8/2014 11:11:50 AM 3392 (0x0D40)
    e. Having checked on the Windows Server Update Services, > Options > Update source, it is set to
    wsus.instance.com again
    ============================================================
    Is there any problem with the following
    Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)
    SMS_WSUS_CONFIGURATION_MANAGER 4/8/2014 8:11:47 AM 3392 (0x0D40)
    Checking runtime v2.0.50727... SMS_WSUS_CONFIGURATION_MANAGER 4/8/2014 8:11:47 AM 3392 (0x0D40)
    Did not find supported version of assembly Microsoft.UpdateServices.Administration. SMS_WSUS_CONFIGURATION_MANAGER 4/8/2014 8:11:47 AM 3392 (0x0D40)
    Checking runtime v4.0.30319... SMS_WSUS_CONFIGURATION_MANAGER 4/8/2014 8:11:47 AM 3392 (0x0D40)
    Found supported assembly Microsoft.UpdateServices.Administration version 4.0.0.0, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 4/8/2014 8:11:47 AM 3392 (0x0D40)
    Found supported assembly Microsoft.UpdateServices.BaseApi version 4.0.0.0, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 4/8/2014 8:11:47 AM 3392 (0x0D40)
    Supported WSUS version found SMS_WSUS_CONFIGURATION_MANAGER 4/8/2014 8:11:47 AM 3392 (0x0D40)
    ============================================================
    We have uninstalled and reinstalled the SUP but the problem still persists: SCCM2012 keeps configuring the WSUS to talk to the upstream server, and as a result we are unable to get the latest Endpoint definition updates to distribute to client computers.
    Please advise, thank you

    It sounds like you've been in the WSUS console before and configured it that way, but I'm only guessing here. In your case I'd uninstall the SUP and then remove the WSUS role from the server. Re-add the WSUS role and only perform the initial configuration.
    Then install the SUP again and configure it from the ConfigMgr console only.
    Regards,
    Nickolaj Andersen | www.scconfigmgr.com | @Nickolaja

  • Help Powershell and Wsus Approve Updates By Computer Group

    I've found this script to ApproveUpdatesByComputerGroup and it works, my problem is now, I only need to approve Classification Critical, because I will not approve service packs for OS / SQL, etc.
    I'm using SCCM, but Failover Cluster should I use WSUS, and my support team is already running a script, to set maintenance mode. 
    But no matter what I've tried, I can not really get it to work, so .. 
    Help Help
    # ApproveUpdatesByComputerGroup.ps1
    # Approves every NotInstalled / NotApproved update needed by the computers in one WSUS computer group.
    # Load the WSUS administration API and connect to the local WSUS server
    [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer()
    $ComputerTargetGroups = $wsus.GetComputerTargetGroups()
    Write-Host "Warning: This will approve all NotApproved updates for a Computer Group" -ForegroundColor Red
    Write-Host "Computer Groups"
    # List the groups with an index the operator can choose from
    $Count = 0
    foreach ($ComputerTargetGroup in $ComputerTargetGroups) {
        Write-Host $Count - $ComputerTargetGroup.Name
        $Count++
    }
    # Cast the answer to an integer so it can be used as a collection index
    $ComputerGroupToUpdate = [int](Read-Host "Select Computer Group to update. [0 - $($Count-1)]")
    Write-Host "Finding all updates needing approval and approving them"
    $ComputerGroupName = $ComputerTargetGroups[$ComputerGroupToUpdate].Name
    $ComputerGroupId = $ComputerTargetGroups[$ComputerGroupToUpdate].Id
    $ComputersToScan = $wsus.GetComputerTargetGroup($ComputerGroupId).GetComputerTargets()
    foreach ($ComputerToScan in $ComputersToScan) {
        $ComputerTargetToUpdate = $wsus.GetComputerTargetByName($ComputerToScan.FullDomainName)
        # Get all Not Installed updates available to the computer
        $NeededAndNotInstalled = $ComputerTargetToUpdate.GetUpdateInstallationInfoPerUpdate() | where {
                              ($_.UpdateInstallationState -eq "NotInstalled") `
                              -and ($_.UpdateApprovalAction -eq "NotApproved")}
        # Approve each of those updates for install on the selected group
        foreach ($UpdateToApprove in $NeededAndNotInstalled) {
            Approve-WsusUpdate -Action Install -TargetGroupName $ComputerGroupName -Update $(Get-WsusUpdate -UpdateId $UpdateToApprove.UpdateId) -Verbose
        }
    }
    Write-Host "Done approving updates"
    sleep -Seconds 5

    This is what you are looking for:
    http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/22/use-the-free-poshwsus-powershell-module-for-wsus-administrative-work.aspx
    ¯\_(ツ)_/¯

  • How to pass system date and time with tabular from in Update only Mode.

    Dear Friends,
    I have created a tabular form with UPDATE Only. Here I am assigning work to multiple other users. I want to insert the system date and time when I assign work to multiple users.
    How can I insert the system date and time into the table using a tabular form in Update Only Mode?
    Because I have passed in the default system date, it's working only with the add row button.
    How can I pass the system date and time in update mode in a tabular form?
    Thanks

    Hi,
    You just create a trigger on the table on which you build your tabular form:
    e.g:
    CREATE OR REPLACE TRIGGER  "AUDITING"
    before insert or update on "MYTABLE"
    for each row
    begin
        if inserting then
            :new.created_on := localtimestamp;
            :new.created_by := nvl(v('APP_USER'),user);
        elsif updating then
            :new.updated_on := localtimestamp;
            :new.updated_by := nvl(v('APP_USER'),user);
        end if;
    end;
    Regards,
    Fateh

  • ISE 1.2 Posture assessment (AV) system center endpoint

    The Cisco NAC web agent can't detect that the AV (System Center Endpoint Protection) is updated, although it is updated.
    From troubleshooting, it seems to be related to Windows 8.1, as I tested the same AV on another machine with Windows 7 and it is working.
    Has anybody faced this issue?

    Support for Windows 8.1
    Cisco NAC Appliance Release 4.9(3) along with Cisco NAC Windows Agent 4.9.3.9 and Cisco NAC Web Agent Version 4.9.3.7 supports Microsoft Windows 8.1. See Also Patch Supporting Windows 8.1 and Mac OS X 10.9.
    In a Windows 8.1 client, in the metro mode, the NAC Agent shortcuts are available in the Apps screen instead of the Start screen.
    For a Windows 8.1 client machine, while configuring the user pages in CAM web console, if you have selected the web client as 'Java Applet Only' and enabled the 'Use web client to detect client MAC address and Operating System' option, then the client Operating System might be detected as Windows 8. While using Applet for Windows 8.1, configure the user page with WINDOWS_ALL. See Also CSCuj59700.

  • System Center Ops Mgr Access

    Hi 
    I am investigating System Center Ops Mgr deployment and its access within an AD environment.
    We are considering outsourcing the service but i am concerned about the level of access that will be given to the 3rd party that will manage this. 
    Is this a valid concern? we are trying to avoid domain admin access and will possibly have to look at local admin on the specific servers that will be monitored. Is this viable? What is the best way to approach this?
    Regards,
    VeeCT

    SCOM uses role-based security in assigning user rights for accessing monitored groups, tasks, views and administrative functions. You can delegate a user account with low domain privilege for accessing SCOM.
    Besides, several service accounts are required in SCOM monitoring, and they use a low privilege domain account or the local system account.
    | Account name | Requested when | Used for | Low maintenance | High security |
    |---|---|---|---|---|
    | Management server Action Account | management server setup | Collecting data from providers, running responses | Local system | Low privilege domain account |
    | Data Access Service and Configuration Service Account | management server setup | Writing to operational database, running services | Local system | Low privilege domain account |
    | Local Administrator Account for target devices | Discovery and push agent install | Installing agents | Domain or local administrator account | Domain or local administrator account |
    | Agent Action Account | Discovery and push agent install | Gathering information and running responses on managed computers | Local system | Low privilege domain account |
    | Data Warehouse Write Action Account | Reporting Server setup | Writing to the Reporting Data Warehouse database | Low privilege domain account | Low privilege domain account |
    | Data Reader Account | Reporting Server setup | Querying SQL Reporting Services database | Low privilege domain account | Low privilege domain account |
    For detail, pls refer to
    http://technet.microsoft.com/en-us/library/hh487288.aspx
    Roger

  • Implement tool that get support from system center

    Hi All,
    I want to create an application that gets support from System Center and provides similar features to System Center, but in a way that is simple for any user to understand. I want to know whether it is better to give the product to the client to install and use, or to install it in our cloud environment and only provide the service.
    Thanks

    Hi Yan Li,
    Thank you for the reply. I am going to implement an application (in C#) that communicates with System Center and gets the health and performance information and details about the services running on devices that have been connected to System Center.
    Also I am going to get the information of databases that are connected to System Center. This is the basic idea of my application. What is the best way to deploy this kind of application? Also, if you could, please tell me the way to access those details.
    Thanks

  • I am trying to use system center to manage my Azure enviorment

    I am freaking lost!!!!
    I have a Windows Azure environment that I'm trying to manage using System Center (apparently this is the bee's knees cause every post is about it)
    So I attempt to install Microsoft System Center and I got something now on a 2012 server called Virtual Machine Manager... I am assuming this is not the product I need to manage my Windows Azure solution so now I'm back to square one. Can someone please help me with this???
    What download do I need to install System Center on a Windows machine to get this working?!?!
    Please help!!

    hi,
    It seems like the issue is not related to PAAS. I suggest you could refer to those tutorials: 2012 configuration manager sp1 lab in the cloud and how to monitor your windows azure application with system center 2012, and this blog (https://blogs.technet.com/b/keithmayer/archive/2013/04/01/build-your-private-cloud-in-a-month-new-article-series.aspx#.Ux1QJHnxsic). You could download System Center files from this page.
    By the way, I suggest you could post this issue on the Azure VM forum for more details and better support.
    Regards,

  • System Center 2012 - 180 days expired

    Hi, I have the following question.
    I've installed System Center 2012 evaluation version and it will expire in 90 days.
    If I would like to restart again the 180 days, can I uninstall System Center and install again the evaluation version on the server so that the 180 days count starts again?
    Thanks
    Anna

    Hi
    For SCOM it would not work, because the licensing data is stored in the database. If you would reinstall the Management Servers it would just pull the data out of the database and therefore it would be expired again.
    As far as I know the only way to get a version longer than the eval period is adding a license key: http://support.microsoft.com/kb/2699998/en-us .
    Using the pre-configured VHD might be another option: http://www.microsoft.com/en-us/download/details.aspx?id=40844 .
    Cheers,
    Stefan
    Blog: http://blog.scomfaq.ch

  • MDT: deploy a WSUS-server/SCCM and include Windows updates?

    Hi,
    I'd like to deploy an sccm-server which will contain a WSUS-server. However, this SCCM-server itself should go to Internet and download all updates available. How can I achieve this in a tasksequence step?
    Pls advise.
    J.
    Jan Hoedt

    Is this an MDT question or an SCCM question?
    The SCCM server would need the Software Update Point role installed but that doesn't make it a WSUS server, per se. SCCM uses the metadata from WSUS to download updates to packages. It does not function like a standalone, traditional WSUS server.
    -Nick O.

  • Does System Center Update Rollup 4 also contain Update Rollup 3 and Update Rollup 2, etc

    Hi,
    Does System Center SP1 Update Rollup 4 also contain Update Rollup 3 and Update Rollup 2, etc?
    Can I go from Update rollup 2 and apply update rollup 4 and get the updates in 3 as well?
    Thanks Lance

    Hello!
    Yes, the previous updates are included in UR4, so there is no need to install UR3 if you are going from UR2 to UR4.
    By the way, the latest update rollup for System Center SP1 is UR5: http://support.microsoft.com/kb/2904730/en-us
    Markus Bölske, Lumagate. www.lumagate.se Blog: www.opsmanager.se | www.scdpm.se

  • Systems Center Update publisher

    I have Systems Center 2012 R2 setup and running on a Windows Server 2012 R2 box. I installed update publisher on this same box so I can get the Adobe catalogs and include the adobe updates with my other updates. Update publisher installed just fine, but I'm running into issues when trying to set it up. Under Options > Update Server > Connect to local update server when I enable it I get the following message when I test the connection:
    When I click the "Create" button under Signing Certificate to create a certificate I just keep getting that same pop-up every time I click it. I read somewhere that 2012 no longer will create self signed certs, but I'm not sure how to get around this issue. Anyone have any help? Thanks in advance.

    Here's the info on re-enabling WSUS self-signed cert generation:
    http://blogs.technet.com/b/wsus/archive/2013/08/15/wsus-no-longer-issues-self-signed-certificates.aspx
    I suggest you don't re-enable this though -- they disabled it for a reason. Go the extra mile, get a PKI smart resource and deploy a PKI.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • ISE and Microsoft System Center Endpoint Protection AV Posture Issues

    We are deploying an Enterprise ISE Infrastructure. The Customer has adopted Microsoft System Center Endpoint Protection ver 4.x as its approved AV. NAC Agent detects the AV. It however has issues detecting the Definition Files.
    See Log File below:
    7721: XXXX-JOSE-W54: Aug 22 2014 11:03:00.624 UTC: %NACAGENT-6-OPSWAT_PROD_ENG: %[sev=info][prodtype=AV/AS][func=OpswatChecks::GetAllAVInfo]: ID: MicrosoftAS - Product Engine Version, Result: rcInternalError
    7722: XXXX-JOSE-W54: Aug 22 2014 11:03:00.624 UTC: %NACAGENT-6-OPSWAT_DAT_FILE_VER: %[sev=info][prodtype=AV/AS][func=OpswatChecks::GetAllAVInfo]: ID: MicrosoftAS - Product File Version, Result: rcInternalError
    7723: XXXX-JOSE-W54: Aug 22 2014 11:03:00.624 UTC: %NACAGENT-6-OPSWAT_DAT_FILE_SIG: %[sev=info][prodtype=AV/AS][func=OpswatChecks::GetAllAVInfo]: ID: MicrosoftAS - Product Data File Sig, Result: rcNotSupported
    7724: XXXX-JOSE-W54: Aug 22 2014 11:03:00.624 UTC: %NACAGENT-6-OPSWAT_DAT_FILE_TIME: %[sev=info][prodtype=AV/AS][func=OpswatChecks::GetAllAVInfo]: ID: MicrosoftAS - Product Data File Time, Result: rcInternalError
    7725: XXX-JOSE-W54: Aug 22 2014 11:03:00.624 UTC: %NACAGENT-6-OPSWAT_DEBUG: %[sev=info][prodtype=AV/AS][func=OpswatChecks::GetAllAVInfo]: OPSWAT AV/AS Retrieval Time(sec) Info for MicrosoftAS: total=0.0000, pid=0.0000, vendor=0.0000, desc=0.0000, vsn=0.0000, type=0.0000, engineVsn=0.0000, dataFileVsn=0.0000, sig=0.0000, dataFileTime=0.0000
    7726: XXXX-JOSE-W54: Aug 22 2014 11:03:00.640 UTC: %NACAGENT-6-OPSWAT_DAT_FILE_SIG: %[sev=info][prodtype=AV/AS][func=OpswatChecks::GetAllAVInfo]: ID: MicrosoftAV - Product Data File Sig, Result: rcNotImplemented"
    NAC Agent version is 4.9.4.3 and CM version 3.6.9186.2

    Hi,
    Yes you can install the Endpoint Protection Client in the image, the process for doing this is described here:
    http://technet.microsoft.com/en-us/library/dn236350.aspx
    You can configure it manually to use Windows Update as the source for definition updates before the imaging as well then you should be good to go.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Control Windows 8.1 and WS2012 R2 "Update 1" and followings through WSUS?

    Hello all,
    Is there a way of identifying and stop through WSUS the new Updates (Update 1, Update 2 and followings) released for Windows 8.1 and WS 2012 R2?: http://blogs.windows.com/bloggingwindows/2014/04/02/windows-8-1-update-important-refinements-to-the-windows-experience/
    As far as I know, they are identified as: "Update for Windows", so it's impossible to know these are a set of updates similar to a "small" service pack if you don't check the KB number associated.
    Due to my environment specs, I only make available Critical and Security updates through WSUS, so clients do not install set of updates such as service packs, which will jeopardize the environment.
    These kind of updates are not classified within Updates, Update rollups or anything else, so is there a way of stopping them or at least make them more visible on WSUS (if this makes sense)?
    Thanks in advance.

    Interesting question.... and I'm seeing a whole litany of problems with the above.
    First the answer: You simply don't approve the updates. As for identifying the updates, yeah, it's done by KB number. It will take a nominal amount of effort on your part. It's also identified by a uniquely formatted title:
    Windows 8.1 Update (KB2919355)
    BUT.. since the update was originally released into the Security Updates classification six months ago, if you're automatically approving Security Updates, then it's already long gone and already installed.
    Second.... not installing "Update 1" is not a choice. It's a mandatory update. If you've not installed this update (hard to see how that could have happened), then you've not actually deployed any to those systems since June if you've blocked this update ... the cutoff date for deploying "Update 1".
    "Update 2" is not a mandatory update, and being as the cited blog is dated April, 2014, it doesn't cover that update at all. This update was released in August 2014, and is identified only as KB2975719 and has the title Update for Windows 8.1 (KB2975719). It was published into Critical Updates a month ago, so again, if you're automatically approving Critical Updates.. it's long gone and already installed.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.
