How To Deploy Software Updates Using SCCM 2012 R2

In this post we will look at the steps to deploy software updates using SCCM 2012 R2. Deploying software updates to computers is essential: major software vendors release updates to address security vulnerabilities in their existing products. To stay protected against cyber-attacks and malicious threats, it is very important to keep computers patched with the latest software updates. Software updates in System Center 2012 R2 Configuration Manager provides a set of tools and resources that help manage the complex task of tracking and applying software updates to client computers in the enterprise.

SCCM 2012 R2 adds a few new software update features, including a new maintenance window dedicated to software updates installation. This lets you configure a general maintenance window and a different maintenance window for software updates. When a general maintenance window and a software updates maintenance window are both configured, clients install software updates only during the software updates maintenance window. A new feature called Software updates preview lets you review the software updates before you create the deployment.

There are 2 ways to deploy software updates using SCCM 2012 R2: Manual and Automatic. In Manual software updates deployment, a set of software updates is selected in the Configuration Manager console and these updates are deployed to the target collection. Automatic software updates deployment is configured by using automatic deployment rules; this method is used for deploying monthly software updates and for managing definition updates. When the rule runs, the software updates that meet specified criteria (for example, all security software updates released in the last week) are added to a software update group, the content files for the software updates are downloaded and copied to distribution points, and the software updates are deployed to client computers in the target collection. In this post we will see the steps to deploy the software updates manually; automatic software updates deployment will be covered in a separate post.

To start with, install the Software Update Point role first. Launch the Configuration Manager Console, click on Administration, expand Overview, click Site Configuration, click on Sites. At the top ribbon click on Add Site System Roles.

From the Add Site System Roles Wizard, click on Software Update Point and click Next.

For WSUS Configuration, select WSUS is configured to use ports 8530 and 8531 for client communications and click Next.

When you install WSUS, you can specify whether to use the default Internet Information Services (IIS) website or create a new custom WSUS website. As a best practice, select Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in a dedicated website instead of sharing the same website with other Configuration Manager site systems or other software applications. When you use a custom website for WSUS 3.0, WSUS configures port 8530 for HTTP and port 8531 for HTTPS. You must specify these port settings when you create the software update point for the site.

For WSUS Server Connection Account, click Use credentials to connect to the WSUS server, click on Set and choose the account. The account provides authenticated access from the site to the WSUS server. Click Next.

Click Synchronize from Microsoft Update and click Next.

Click Enable synchronization on a schedule and let the schedule be set to default (simple schedule). You may also click Alert when sync fails on any site in hierarchy. Click Next.

For Supersedence behavior, select Immediately expire a superseded software update. Click Next.

Select Critical Updates, Definition Updates and Security Updates. Note that you can do this after installation of SUP. Click Next.

Choose the products that you want to synchronize; in this step I have selected Windows 7 and Forefront Endpoint Protection 2010. Click Next.

Choose the desired language, click Next.

The Software Update Point role has been installed. Click Close.

In the Configuration Manager console, click Software Library, expand Overview, click Software Updates, click All Software Updates and at the top ribbon click Synchronize Software Updates.

To see what’s happening in the background, open 2 log files: wsyncmgr.log and WCM.log. In wsyncmgr.log we can see that WSUS is synchronizing the categories and updates.
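One way to triage wsyncmgr.log from PowerShell instead of reading it by eye, as an added example that is not part of the original post. It assumes the site server log layout `message $$<component><date time><thread=N (0xHEX)>`; the function names are hypothetical, and the sample lines are constructed from message texts quoted on this page.

```powershell
# Added example (not from the original post): summarise failed syncs in wsyncmgr.log.
# Assumption: entries use the site server layout
#   message  $$<COMPONENT><MM-dd-yyyy HH:mm:ss.fff+bias><thread=N (0xHEX)>
# The sample below is constructed; its message texts are the ones quoted on this page.
$SampleLog = @'
sync: Starting WSUS synchronization  $$<SMS_WSUS_SYNC_MANAGER><03-20-2014 00:02:16.101+000><thread=5220 (0x1464)>
sync: WSUS synchronizing categories  $$<SMS_WSUS_SYNC_MANAGER><03-20-2014 00:02:44.870+000><thread=5220 (0x1464)>
Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync  $$<SMS_WSUS_SYNC_MANAGER><03-20-2014 23:45:10.454+000><thread=3976 (0xF88)>
STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER"
SYS=CM-WSUS.sc2012.local SITE=SYS PID=768 TID=3976 NUMATTRS=0  $$<SMS_WSUS_SYNC_MANAGER><03-20-2014 23:45:10.460+000><thread=3976 (0xF88)>
Sync failed. Will retry in 60 minutes  $$<SMS_WSUS_SYNC_MANAGER><03-20-2014 23:45:10.471+000><thread=3976 (0xF88)>
'@

function ConvertFrom-SiteServerLog {
    # Split raw log text into entries. Singleline mode lets one message span
    # several physical lines, as the STATMSG entry in the sample does.
    param([Parameter(Mandatory)][string]$Text)

    $pattern = '(?<msg>.*?)\s*\$\$<(?<comp>[^>]+)><(?<date>\d{1,2}-\d{1,2}-\d{4}) ' +
               '(?<time>\d{1,2}:\d{2}:\d{2})[^>]*><thread=(?<thread>\d+)[^>]*>'
    $options = [System.Text.RegularExpressions.RegexOptions]::Singleline

    foreach ($m in [regex]::Matches($Text, $pattern, $options)) {
        # The UTC bias after the seconds is ignored; times are kept as logged.
        $stamp = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
        [pscustomobject]@{
            Time      = [datetime]::ParseExact($stamp, 'M-d-yyyy H:m:s',
                            [cultureinfo]::InvariantCulture)
            Component = $m.Groups['comp'].Value
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value.Trim().TrimEnd('~').Trim()
        }
    }
}

function Get-WsusSyncSummary {
    # Report whether the most recent sync attempt ended in a "Sync failed" entry.
    param([object[]]$Entry)

    $failures = @($Entry | Where-Object { $_.Message -like 'Sync failed*' })
    $starts   = @($Entry | Where-Object { $_.Message -eq 'sync: Starting WSUS synchronization' })

    # Status messages logged with error severity (SEV=E), for example ID=6703.
    $errorIds = @($Entry | ForEach-Object {
        if ($_.Message -match '^STATMSG: ID=(\d+) SEV=E') { [int]$Matches[1] }
    })

    $lastFail  = $failures | Sort-Object Time | Select-Object -Last 1
    $lastStart = $starts   | Sort-Object Time | Select-Object -Last 1

    [pscustomobject]@{
        Entries           = @($Entry).Count
        FailureCount      = $failures.Count
        ErrorStatusIds    = $errorIds
        LastFailure       = if ($lastFail) { $lastFail.Time } else { $null }
        # True when a failure is newer than the last "Starting WSUS synchronization".
        LastAttemptFailed = ($null -ne $lastFail) -and
                            (($null -eq $lastStart) -or ($lastFail.Time -gt $lastStart.Time))
        # The failure text itself says when WCM.log holds the configuration error.
        ReferToWcmLog     = [bool]($failures | Where-Object { $_.Message -match 'WCM\.log' })
    }
}

$entries = @(ConvertFrom-SiteServerLog -Text $SampleLog)
Get-WsusSyncSummary -Entry $entries | Format-List
$entries | Where-Object { $_.Message -like 'Sync failed*' } |
    Format-Table Time, Message -Wrap

# On a site server, feed the real file instead of the sample:
# $entries = @(ConvertFrom-SiteServerLog -Text (Get-Content -Raw -Path '<path to wsyncmgr.log>'))
```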

The synchronization is completed. The software updates can now be seen when you click the All Software Updates option in the CM console. Note that the updates are yet to be downloaded.

We will not deploy all of these updates; instead we will filter them by adding criteria. Click on Add criteria. Select Expired, Product, Superseded, Bulletin ID. Click Add. Choose the product as Windows 7, Bulletin ID as MS, Expired as NO, Superseded as NO.

Now select all the updates (hold Shift+Page Down), right click on the updates and click Create Software Update Group.

Provide the name for the software update group as Windows 7 Update group. Click Create.

Click on Software Update Group and you will find the software update group that was created in the previous step. Right click on the Windows 7 Update Group and click Deploy.

On the Deploy Software Updates Wizard, provide a Deployment Name and description, and choose the collection to which this software update deployment must be deployed. Click Next.

Set the Type of deployment as Required; the detail level can be set to Only success and error messages. Click Next.

Configure the schedule for this deployment: set Time based on to Client local time. Set Software available time to a specific time and set the Installation deadline to as soon as possible. Click Next.

On the User Experience page, you can choose to suppress the restart for Servers or Workstations. Click Next.

For Deployment options, if a client is within a slow or unreliable network boundary then select Download software updates from distribution point and install. If the updates are not available on preferred DPs then select Download and install software updates from the fallback content source location. Click Next.

Create a new deployment package by providing a name, location for the Package source and Sending priority. Click Next.

Add the Distribution Point and click Next.

For Download Location choose Download software updates from the Internet. Click Next.

Choose the language and click Next. The wizard will now download the updates and deploy them to the collection as per the schedule defined. Click on Close to close the wizard.

After a few minutes we see that the updates are installed on one of the client machines in the collection and there is a notification that the system needs to be restarted.

You can choose to restart the computer by choosing Restart now or you can choose Snooze and remind me again in hours.

  • Hardik Shah

    I have been working in the IT field for the last 10 years as a desktop support engineer. I want to be a system engineer; what do I have to do next to become a system engineer? Please guide me on the same. I had taken academic training on Windows Server 2008 R2 but nothing happened in knowledge.

  • Marcelo

    Hi, your manual is very good, but I have a question: how do you configure the package source? Could you explain in more detail? Maybe I missed a step or link, because I don't see how to create the repository (in your example, package source \\server\sources\update\windows 7) snap24.jpg
    Thanks for your help.

    • The folder windows 7 is created for storing the updates. The Package source is the folder where the updates are downloaded to and deployed from. You can create a shared folder and provide that folder as package source. It is recommended to create folders for different products.

  • Marcelo

    Hi Prajwal
    Thanks for your answer. I am a little confused: is the task of downloading the updates done by WSUS or not? This step was configured (only the steps to activate the role, not the full configuration) when the WSUS role was installed, before installing and configuring SCCM, and this folder was, in my case, e:\wsus.
    WSUS creates its own shared folders; are these folders different from the SCCM folders? I am talking about the same update downloads.

    If you don't create any package and only make deployments from the all update software view, then where are the updates located or downloaded? Maybe the software (SCCM) always asks for the destination folder where the software updates will be downloaded.

    Thanks again. I am new to SCCM and I am trying to learn how this software works, and English is not my native language; it is Spanish.
    =)

    • The task to download the updates is or is not made by WSUS? – WSUS works in the background while SCCM takes charge of downloading the updates and deploying them. If you are using SCCM to deploy the updates then you should not open the WSUS administration console.
      When you create a software update group you basically group the updates for a product and download the updates to a folder; this folder is the package source location. This is not one of the folders inside the WSUS.

      If you don't create any package and only make deployments from the all update software view, then where are the updates located or downloaded?
      – This cannot be done, because when you choose to deploy the updates they must be downloaded to a folder and then deployed. You can see the screenshot in my post wherein I have defined the package source.

  • Ilya

    Hi, Prajwal!
    Your SCCM blog post series is very informative for me! Thanks a lot!
    What do you think about updating Windows 2008 R2 Itanium-based servers by SCCM? There are no SCCM agents. What should I do to include these servers in the SCCM updating process?
    Please let me know if you have some tips & tricks about Itanium servers.
    With best regards, Ilya.

  • arshad

    Hi Prajwal,

    I would like to know: on SCCM 2012 SP1, for update logs (SUP) I can see only wsyncmgr.log.

    But I am unable to find the log file mentioned in some forums, WSUSsyncmgr.log (will it be available after the client Windows updates with the SCCM 2012 SP1 server…?). Kindly let me know.

    Best Regards,
    Arshad

  • arshad

    Fine. Actually, you also once sent me the below link for all log files, and WSUSsyncmgr.log is mentioned here.

    Some details of the log file from this link; might it be an SCCM 2007 log file…?

    WSUSsyncmgr.log

    Performing sync on local request SMS_WSUS_SYNC_MANAGER 4/27/2010 11:59:54 PM 6112 (0x17E0)

    STATMSG: ID=6701 SEV=I LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=SCCM SITE=LAB PID=3040 TID=6112 GMTDATE=Tue Apr 27 18:29:54.530 2010 ISTR0=”” ISTR1=”” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 4/27/2010 11:59:54 PM 6112 (0x17E0)

    STATMSG: ID=6704 SEV=I LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=SCCM SITE=LAB PID=3040 TID=6112 GMTDATE=Tue Apr 27 18:30:18.547 2010 ISTR0=”” ISTR1=”” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 4/28/2010 12:00:18 AM 6112 (0x17E0)

    Synchronizing WSUS server SCCM SMS_WSUS_SYNC_MANAGER 4/28/2010 12:00:18 AM 6112 (0x17E0)

    Synchronizing WSUS server sccm.mylab.in … SMS_WSUS_SYNC_MANAGER 4/28/2010 12:02:16 AM 5220 (0x1464)

    sync: Starting WSUS synchronization SMS_WSUS_SYNC_MANAGER 4/28/2010 12:02:16 AM 5220 (0x1464)

    sync: WSUS synchronizing categories SMS_WSUS_SYNC_MANAGER 4/28/2010 12:02:44 AM 5220 (0x1464)

    http://blogs.technet.com/b/sudheesn/archive/2010/11/10/troubleshooting-sccm-part-iii-software-updates.aspx

    Best Regards,
    Arshad

  • Sayeed

    Hi Prajwal,

    I have started working on SCCM recently and found your posts are very helpful.
    Now I am trying to put those information which I found very helpful when someone would be trying to solve them.

    For example, if somebody is using Windows 2008 R2 + SCCM 2012 SP1 (as per my experience), he may find these errors in ccm.log –

    Looking for WSUS SP2 + KB2734608 + KB2720211

    What happens here is that even if the WSUS SP2 console has already been installed, the other patches (KB2734608 & KB2720211) also need to be installed first. There are also some procedures for installing them. The IIS and WSUS services need to be stopped before attempting to install them. Once they are installed, those services can be started. Details can be found in the Microsoft KB article

    http://support.microsoft.com/kb/2734608

    Hope this could be helpful for somebody..

    Thanks

  • Umesh

    Hi Prajwal,
    Thanks for the nice posts. After deploying software updates (followed the above steps), I was unable to see updates on client machines. I checked the WUAHandler.log files on client machines and am getting “Error – 87d00692”. I hope it is related to group policy.
    What could be the reason for the above error?
    Regards
    Umesh

    • Have you configured the GPO for WSUS pointing to the SCCM server?

  • Karemo

    I installed SCCM 2012 SP1 to have a primary site. I need to deploy remote branch distribution points instead of adding a child SCCM in those remote sites; I need your step-by-step guide to do that. Also, what other SCCM roles are recommended for this distribution point to have?

    I have a compatibility issue between SCCM 2012 SP1 and the Windows 8.1 client when deploying EP protection 2012. Do I need to migrate to SCCM 2012 R2? If this is the solution, please, I need your full steps to migrate from SP1 to R2. My OS is Windows Server Enterprise 2008 R2.
    Thank you

  • Kwan

    Hi Prajwal, thanks for your post. It’s very good.
    I have a question.
    I deployed the SUS feature with reference to this guide.
    It successfully distributed the Windows Update group to the collection.
    But I don’t see the Windows Update list in the client Software Center.
    And the distribution result is unknown collection.
    Telnet to port 8530 succeeds from client to server, and the firewall is disabled on all servers and clients.
    Where can I look for this issue?

    • You mean to say that updates are not getting installed on client machines?

      • Kwan

        Thank you for the quick reply.
        Yes. Same issue on server. Not getting anymore.
        I test on CM 2012. Consisting of private Internet environment.
        When Windows Update while connected to the public Internet.
        When the update is complete, disabled the public Internet.

        • Hi, can you tell me more about what exactly the issue is? You are trying to deploy using SCCM to client computers and as per you the client systems are not getting updates from SCCM. Is that true? You need to check the WCM.log file and WSyncmgr.log file on the SCCM server and the WUAHandler.log file on the client machine to troubleshoot the updates-related issues.

  • Kwan

    My English is a little low. Please note that.
    Below is the red line in the log file.
    Repeat to error log.

    wsyncmgr.log
    Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync
    STATMSG: ID=6703 SEV=E LEV=M SOURCE=”SMS_WSUS_SYNC_MANAGER” SYS=CM-WSUS.sc2012.local SITE=SYS PID =768 TID=3976 GMTDATE=FRI 3 20 23:45:10.454 2014 ISTRO=”CWSyncMgr::DoSync” ISTR1=”WSUS server not configured. Please refer to WCM.log for configuration error details.”ISTR2=””ISTR3=””ISTR4=””ISTR5=””ISTR6=””ISTR7=””ISTR8=””ISTR9=”” NUMATTRS=0
    Sync failed. Will retry in 60 minutes

    WCM.log
    System.Data.SqlClient.SqlException (0x80131904): Can’t connect SQL Server to Network or Instance error. Can’t search for Server or can’t Access.
    Done using SC2012\Administrator credentials.
    Remote configuration failed on WSUS Server.

    WUAHandler.log
    ONSearchComplete – Failed to end search job Error = 0x8024401c.
    Scan failed with error = 0x8024401c.

    But the ping test from SQL Server to SCCM Server succeeds.
    And disable public on SCCM Server after Partly successful Windows Update list display on client.
    However, does not display all Windows Update list on client and server.

    In my opinion, I deployed SCCM with private and public Ethernet.
    It results setting public on SQL Server TCP/IP and SCCM Server.
    After disable public and change SQL Server TCP/IP from private to public and disable to SCCM Server.
    Maybe it seems the IP is twisted.

  • Earthcooder

    Hello. Testing this out, but I get a scan report saying Group Policy Conflict.
    Is there a way of doing updates on machines without Group Policy? We already have a WSUS server deploying Windows updates, but want to test using SCCM instead; we don't want to turn off the current WSUS at the moment.

    • If you are using SCCM 2012 to deploy updates then there is no need of group policy; you can turn it off. But if you keep the WSUS group policy, it won’t work properly.

  • Earthcooder

    So if our current Group Policy setup is for our current WSUS server (WsusServer1.xxx.local) then we can't use SCCM (SCCM2012.xxx.local) to deploy Windows updates until we remove the current server and remove it from group policy?

    • @EarthCoder – Good question. When SCCM is installed it creates a local policy, and local policies are always overwritten by GPO. I mean to say that GPO will take precedence over SCCM local policies. So you have to disable or delete the WSUS GPO settings if you are going to use SCCM 2012 to deploy Windows updates. You must also set Configure Automatic Updates = Disabled and let SCCM take complete control over updates deployment.
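A client-side check for the conflict described in the reply above, as an added example that is not part of the original thread: it reads the Windows Update policy values from the registry and compares them with the software update point URL. The host names and port are the placeholders used in this thread, the function names are hypothetical, and the sample values are constructed.

```powershell
# Added example, not from the original thread. Host names follow the placeholders
# used in the comments above; the sample policy values are constructed.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WindowsUpdatePolicy {
    # Read the Windows Update policy values in effect on this client. A domain GPO
    # and the Configuration Manager client's local policy both land in this key,
    # and the domain GPO wins when both are present.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
    @{
        WUServer     = $wu.WUServer
        UseWUServer  = $au.UseWUServer
        NoAutoUpdate = $au.NoAutoUpdate
    }
}

function Test-WindowsUpdatePolicy {
    # Emit one finding per setting that would stop the client from scanning
    # against the software update point. No output means no conflict was found.
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [Parameter(Mandatory)][string]$ExpectedSupUrl
    )

    if (-not $Policy.WUServer) {
        'WUServer is not set: no intranet update server is configured by policy.'
    }
    elseif ($Policy.WUServer.TrimEnd('/') -ne $ExpectedSupUrl.TrimEnd('/')) {
        "WUServer is '$($Policy.WUServer)' but the software update point is " +
        "'$ExpectedSupUrl': a WSUS GPO is overriding the SCCM local policy."
    }

    if ($Policy.WUServer -and $Policy.UseWUServer -ne 1) {
        'UseWUServer is not 1: the Windows Update Agent ignores the WUServer value.'
    }

    # "Configure Automatic Updates = Disabled" is stored as NoAutoUpdate = 1.
    if ($Policy.NoAutoUpdate -ne 1) {
        'NoAutoUpdate is not 1: Automatic Updates is not disabled, so the agent ' +
        'can still install updates outside SCCM deployments.'
    }
}

# Constructed sample: a client still governed by the old WSUS GPO.
$sample = @{
    WUServer     = 'http://WsusServer1.xxx.local:8530'
    UseWUServer  = 1
    NoAutoUpdate = 0
}
$findings = @(Test-WindowsUpdatePolicy -Policy $sample `
                -ExpectedSupUrl 'http://SCCM2012.xxx.local:8530')
$findings

# On a real client, check the live registry instead of the sample:
# Test-WindowsUpdatePolicy -Policy (Get-WindowsUpdatePolicy) -ExpectedSupUrl '<your SUP URL>'
```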

      • Arshad Husain

        @ Prajwal
        Thanks. After disabling the GP of AD, I am able to deploy the Windows 7 client updates. But on the other end, Windows 8 & Windows 8.1 updates I am not able to deploy so far… on SCCM 2012 R2. Any inputs…

        • @Arshad – What is the problem? Why are you not able to deploy Windows 8 updates?

          • Arshad Husain

            Thanks for your reply & support as always.
            I hope I found the solution.
            As some of the M/s WINDOWS 7 Stand for detection state unknown means log file (wuahandler.log) stand for GP Error.
            Then I disabled & enabled my system, gpupdate.exe /force; now Win7 updates are working fine.

            Same issue with some Windows 8 (only 10) clients, also detection state unknown with the same error; we need to try GP enable & disable,
            so I will try the same & I will get back to you.
            Best Regards
            Arshad

          • Arshad Husain

            Hi Prajwal,
            As application deployment as we add DP,
            I deployed Windows 7 updates, or server updates, fine without adding a DP (distribution group name).
            Is it recommended to add a DP, because I am not able to push Windows 8.1 updates…?

            wuahandler.log: error=0x8024401c.. (stands for GP error..?)
            (2) Some Windows 7 clients: error status ID (11423) & last error code (-2147012894)
            Error description: Network connection: Windows Update Agent encountered transient network connection-related error.
            Does the client system need any Windows Update Agent update…? Or is it an SCCM client agent issue…?
            My SCCM 2012 R2 agents are updated with the R2 agent.
            Kindly give your inputs.
            Regards,
            Arshad

            • Arshad Husain

              Hi Prajwal,
              For Windows 8.1 updates (for WSUS 3.0 SP2 or WSUS 3.2), is the KB2919355 update needed on the client side…?
              Regards,
              Arshad

              • Hi Arshad, I read about the update KB2919355. “Microsoft plans to issue an update as soon as possible that will correct the issue and restore the proper behavior for Windows 8.1 Update KB 2919355 scanning against all supported WSUS configurations. Until that time, we are delaying the distribution of the Windows 8.1 Update KB 2919355 to WSUS servers. You may still obtain the Windows 8.1 Update (KB 2919355) from the Windows Update Catalog or MSDN. However, we recommend that you suspend deployment of this update in your organization until we release the update that resolves this issue.”

                • Arshad Husain

                  @prajwaldesai:disqus
                  Thanks for your Valuable Support.
                  Fine. Apart from this update, I am unable to deploy any Windows 8 or Windows 8.1 updates from SCCM R2.
                  (But Windows 7, no issue.) Shall I send the log file text of a Windows 8 system? Even after disabling the GP of the domain.
                  Best Regards,
                  Arshad

                • Yes Arshad, log files will be helpful to understand where exactly the issue is.

                • Arshad Husain

                  Prajwal Desai

                  Wuahandler.log text details:(dated 10-04-2014) , os windows 8.1

                  ![LOG[Async searching completed.]LOG]!>

                  So this error stands for GP, correct (Code= 0x8024410c)….? If yes

                  after the admin disabled the GP from the Domain Controller ……

                  After changing “Configure Automatic Update” in the GPO to Not Configured, we have lost control of Windows Update; now many machines get the updates (Windows 8) from the Internet.

                  If required, I will send the text of the new current update log file tomorrow.
                  Best Regards,
                  Arshad

                • @Arshad – If the client machines are downloading the updates from internet then you can block it with the help of WSUS GPO setting. Check this link http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx and check for the last section. I will reply to your ticket soon in the ticketing tool.

                • Arshad Husain

                  Fine. Thank You for your Support.

                • Arshad Husain

                  @prajwaldesai:disqus
                  open My ticket…..
                  Regards,
                  Arshad

    • Arshad Husain

      @Earthcooder

      Thanks. After disabling the GP of AD, I am able to deploy the Windows 7 client updates. But on the other end, Windows 8 & Windows 8.1 updates I am not able to deploy so far… on SCCM 2012 R2. Any inputs

  • ARSHAD

    Hi Prajwal,

    On my SCCM 2012 R2 server, I have now checked your above comments on GPO (SCCM 2012 local policy) & AD GP policy. In my case also, no client was able to reach the deployed updates; I later discovered the GPO issue from the client log, the SCCM log files, and the SCCM reports (scan reports, deploy reports).

    Now I have completely disabled the GP of AD, so the SCCM 2012 R2 client local policies exist; so I hope when I test deploying updates for clients it will work fine….?

    (2) Does SCCM 2012 R2 (Exchange connector) support all kinds of mobile devices…? My Exchange is 2013 & at present I am able to see only 36 mobile devices. If there is any MS article on support for all types of mobile devices, please share the link or steps.

    (3) I would like to install the Management Pack for Exchange 2013 & Lync 2013 on SCOM 2012 R2. Please provide me the download link & steps for the installation guide.

    (3) After upgrading SCCM 2012 SP1 to SCCM 2012 R2, some of my clients show as inactive. If I try to manually install the SCCM R2 client & refresh the service and configuration policy, will it be fine…?

    (4) Some of the clients I am not able to connect to remotely (remote client option) from SCCM 2012 R2… what could be the reason
    ..(no firewall, but a Kaspers 10.2 issue..?

    Thanking You in Advance.

    Arshad

  • Arshad

    Hi,

    Prajwal,

    Option (3), Management Pack installation, is done & there is no issue (Exchange & Lync 2013). For my other queries above, kindly let me know.

    Best Regards,
    Arshad

  • Dinesh Jadavh

    Hello this is a nice post .. Thanks Prajwal..

  • Shawn

    Hi Prajwal,

    Been using the site for a few weeks now, great tools. Thank you.

    I want to setup an automatic deployment rule for the updates. In your post here you say it is covered in a separate article. Can you tell me where or is it still in the works? Any help is greatly appreciated.

    Kindly,
    Shawn

    • Hi Shawn, I am yet to create a post on that. This would take sometime..

      Thanks,

      Prajwal Desai

  • Curt

    Hello Prajwal

    Software Updates are not installing for me. I am using SCCM 2012 R2 but I see different steps in the wizard than what you show here. I have no place to create a deployment package or specify a distribution point. Have you seen this before?

    • @Curt – This looks strange.. Can you give me little info about your SCCM setup ..

      Thanks,

      Prajwal Desai

      • Curt

        I’m using 2012 R2 with everything except the database on one server.

        It looks like they have separated the missing steps into a second wizard. Now you have to right click on the SUG and choose “Download”. Then you get this wizard:

  • Naveen Punj

    Want to know about Automatic deployment rules in SCCM 2012 and best practices related to it

    Next – What is your opinion on having Win 7, 8 and XP machines put in one collection and applying patches?
    What are the drawbacks and advantages?

    Patches will be packaged and then will be deployed .

    Your quick response will be appreciated.

  • Sandeep Suda

    Hi Prajwal,

    In this example you have shown the synchronized updates, i.e., security updates for Windows 7. How can we determine whether the selected updates will be suitable for the Windows machines in the environment? Please provide me the details of how this can be done.

  • You need to deploy the updates first to one of the test machines before you deploy them to systems in your organization. You should not directly deploy them to production systems. The same applies even if you are using WSUS, because if an update causes an issue, rolling back is a big task.

  • It is recommended to create separate collections for each of the OS and then deploy the updates.

    • Naveen Punj

      Any advantage of this? Because clients will download only those patches which are required by them, and this information is stored in the client’s WMI itself during WSUS sync.
      So an XP machine will not try to download and install any patch which is related to Win 7 only.

  • Sandeep Suda

    I am trying it in the virtual labs as per the steps given by you.

    I have chosen Synchronize from Microsoft Update. After the process selection and language, I clicked on Close. But when I go to Monitoring and Component Status and click on WSUS_SYNC_MANAGER, it was started and showing the message that WSUS sync has failed.

    Please suggest me regarding to the issue.

    • Check wsyncmgr.log and WCM.log files. In the component status window, right click on WSUS_SYNC_Manager component and check for errors/warnings.

  • Rahman

    Hi Prajwal,

    I am having a problem with updates: it says downloading (0% Complete) but it has been doing nothing for 4 days. Any idea?

    • This indicates that the client is not able to find a DP to download content from. Is the content distributed to the DP ? Check the status and also check if the DP is correctly assigned to the boundary group where the boundary belongs to?

      • Rahman

        Hi Prajwal, there is no boundary group as I have only 1 boundary. Do I need to create a boundary group even if I have 1 boundary?
        And the content is already distributed to the DP. The error I am getting on status is 0x800705B4, and there are only 28 machines which failed to download this update.

      • Rahman

        Hi Prajwal,

        The error I am getting is: the operation returned because the timeout period has expired, 0x800705B4. Content is already distributed to the DP & I have only 1 boundary so I haven’t created a boundary group. Is it compulsory to create a boundary group as I have only 1 boundary? Please let me know.
        Note: the status says compliant 57 and error 19 computers.

        Thanks,
        Rahman

  • @Rahman – You must create a boundary group. Each boundary must be a member of a boundary group before a device on that boundary can identify an assigned site, or a content server such as a distribution point.

  • Yes you must create a boundary group. Each boundary must be a member of a boundary group before a device on that boundary can identify an assigned site, or a content server such as a distribution point.

  • Bahram maleki

    Hello Prajwal,
    I created a software group with 75 patches for Windows 8.1,
    but clients only receive 11 patches and the SCCM console shows 100% compliance.
    Please help me.
    Thanks in advance

  • Bojan Zivkovic

    I added WSUS role on SCCM server, installed SUP role, configured it and did synchronize software updates (security, critical and definition updates for Windows 7). I have chosen all non-expired and no-superseded and put them into new software update group, and, finally deployed it to target collection with one Windows 7 machine. However nothing happened on machine – I noticed in WU in CP info Windows is up to date and in installed updates list I saw many updates installed on November 10th, however not using SCCM but probably online from MS since I installed SUP yesterday. Also I can manually change update settings – they are not grayed-out as it was the case when “normal” WSUS server is deployed. Logs are here: https://onedrive.live.com/redir?resid=670BDDFCE8F2477A!466&authkey=!AMJeRV46bRz7ilk&ithint=folder%2clog

  • Bojan Zivkovic

    Prajwal, I solved my problem – updates were successfully deployed to my test collection. However two things bother me. First why update settings in Control Panel – Windows Update on client machines are not grayed-out. Secondly in Software Center user can follow update progress but if user clicks on installed update that requires restart in lower-right corner there is a button RESTART – I did not try but it probably would have restarted machine regardless of installation process of other updates that was in progress. I did not find any settings in SCCM client related to this “weird” behaviour. I assume this is not normal situation on clients.

    Answer to your question – I do not have dedicated WSUS server, WSUS is on SCCM server itself.

  • Slevin_Kelevra

    Hi Prajwal, I have always had the most problems with software updates and SCCM. I have followed each step of the guide without issue thus far. I’m not sure that updates are getting to my 2008 R2 servers. I have created a software update group for deployment of critical updates to my 2012 R2 servers, and it appears that these updates showed up on the 2012 servers in the software center. I had to reboot each of them individually to finish the updates because I misconfigured the restart option I believe, but minor inconvenience. I can not seem to see any updates being deployed to the 2008 R2 servers? I didn’t have windows update setup on any of the servers, they have all never accessed windows update.

    Can you give some advice as to how to check that the updates are making it to the 2008 servers or are not making it there. Also, I saw the updates in the Software Center of the 2012 servers waiting for reboot, but once they rebooted and completed the installation of the updates, I didn’t see anything in Installed Software tab of the Software Center.

    I’d appreciate any help with the software updates as it’s always been the hardest thing to administer for me. Thanks.

    -SK

    • There are a lot of things that we need to check here. I am sure you would have filtered the expired updates using the search criteria from the list of updates. Log in to any of the clients which has the 2008 R2 OS and check the Windows Update group policy. Can you tell me what the intranet update server info is there?

      • Slevin_Kelevra

        Hi Prajwal,
        I did filter the expired updates using the search criteria. The update group I created for the 2008 R2 servers contained just critical, not expired, and not superseded updates. I didn’t make a specific GPO for the update server to point to my SCCM server. Is this necessary for the 2008 servers? If so I can create one and link it to the 2008 Servers OU. Thanks.

  • Jagjeet Sangha

    Hi Prajwal,

    I hope you can help me. I have configured SCCM 2012 R2 in my lab on a Windows Server 2008 R2 Operating system. I have installed the “Software Update Point” service and have successfully downloaded and filtered the patch for a Windows 7 Client sitting in my lab, as per the instructions above.

    For some reason my Windows 7 Client when polling is not picking up the patches that have been created as a deployment Package.

    Any help would be much appreciated.

    Just to confirm if I click on “Configuration Manager” on the Windows 7 Client and go to “Sites” then find site this returns a message saying that configuration manager has found a site to manage this client.

    Many Thanks

    Jag

    • Okay, is it only the one Win7 client that is not pulling the updates or is it the whole collection? Can you try making the update package “AVAILABLE” to the client machine so that you see at least that it is being distributed by the DP?

  • Thanks for the comment Carlton. I shall surely check it.

  • Hi Pradeep, I am not sure about the lab that you are talking about. I would recommend building your own lab for SCCM and trying out the testing. I understand that the labs are easy to learn but I feel a real lab is good for learning.

  • Have you got a proxy server in your setup? To me this looks like you have not specified the correct proxy server info.

  • Deven Chouhan

    Dear Prajwal,

    I want to create Standalone Media TS with Application & Package (Office 2010, Adobe Reader, 7Zip, PDF creator etc.) for workgroup machines. Could you tell me how to create the TS? I tried a lot of times but without success.

    Please help me.

    Regards,
    D.Chouhan
    devendchouhan@gmail.com

  • John Bellomo

    Hi Prajwal, what we are interested in is the client side (servers and Workstations). Can the SCCM client only pull down what it needs from a scheduled software update deployment or must you first have the all the updates available/downloaded on the machine? From what we’ve seen it seems that the whole package gets downloaded first if we do a scheduled software deployment and then compliance of the updates are checked.

  • Pradeep

    Hello Prajwal

    I am facing a problem related to software update. I have already installed SUP and WSUS, but when I click on Synchronize Software Updates no software updates are showing there. Can you please provide me any help related to this? As I am a fresher in SCCM, please help me in a proper way.
    Thanks a lot

  • @Shahzad – Could you post your question here along with a screenshot? – http://prajwaldesai.com/community

  • Which step are you talking about? Post the screenshot.

    • Hanson

      Do I have to create it in different server? Also, I don’t see anything happens on the clients; even though, the wizard completed successfully. What log (on the client machine) should I look for? I went to Software Center on the client box, and nothing is in there.

      • If you are creating new deployment package then you need to specify the location where the updates will be downloaded. Once you complete the wizard, at the end updates will be downloaded and stored in the location that you specified. Are you saying that you are not able to deploy the updates to client computers ?

        • Hanson

          Yes, the updates DID not get to the client computers. I followed all the step above and created a Software Update Group with few updates, deployed to a test collection (couple clients Windows 7). Everything seemed no errors, but when I went to the client’s Software Center, there is nothing in there and nothing happened. What log in SCCM server and log in the clients should I log for errors. I’ve been struggling with this issues for days. Today, I tried to create ADRs (one for Windows 7, one for Windows Server 2008), and It’s still not working. I see no updates (patches) listed in the Software Update group. Please help!

  • Gautam Goswami

    Hello Prajwal,

    Thank you for your documentations – these are really handy. I am having lot of problems downloading Windows updates for patching process via SCCM 2012. I select the product for which I want to download the updates for Patching. After that I create a software group – no issues so far. Then I go ahead and create a deployment package for the update where it fails saying – The Deploy Software Updates Wizard completed with Errors.

    The irony is that sometimes it will work fine, sometimes it will fail in the middle of downloading updates & sometimes it will fail completely. I have made sure that our SCCM server has access to the web as well.

    I checked PatchDownloader.log file and it shows the following error:

    HttpQueryInfo HTTP_QUERY_CONTENT_LENGTH failed 12150

    Download http://wsus.ds.download.windowsupdate.com/c/msdownload/update/software/secu/2015/01/windows6.1-kb3004375-v3-x64_106d506f0b146279985ca204a0abf70423e00c68.cab to C:\Users\Test\AppData\Local\Temp\CAB75A1.tmp returns 12150

    ERROR: DownloadContentFiles() failed with hr=0x80072f76

    The above error sometimes will come up straight away or it will come up in the middle of downloading updates and the process will stop. I have also checked that the directory where the update files will be stored has appropriate permissions.

    I am lost here. Please help.

    • Did I answer your question in the technet ?

      • Gautam Goswami

        Hello Prajwal,
        Yes, you did answer my question and it worked. Thank you kindly.
        My apologies for the late reply.

  • PercyJ

    This is great, thanks for sharing

  • Markus Kugler

    Hello Prajwal,

    Thanks very much for your great tutorials.

    I have a problem with my SUP. It’s installed with your step-by-step guide.

    My issue is that I miss several updates although the product and the category is selected in SUP configuration settings.

    For example KB 2889923 (it’s the Lync/Skype for Business April 2015 update).

    How can I manually add a patch to the updates repository, or otherwise how can I reset the update point content and resync from scratch?

  • PercyJ

    Thanks for sharing

  • Robin Pei

    Thanks for sharing

  • Ben Denham

    Great doco.

    Assuming all steps have been completed without errors and you still are not getting the updates to the client:

    If you have created the deployment packages and nothing is happening on your client you can run the Software Updates Deployment Evaluation cycle on the client machine from “Actions” in the Configuration Manager client app.

    Remember that the default client settings are to poll for updates every 7 days as of 1/2/1970.

    Praj, it may be worth adding this small step to your instructions. It seems a lot of people are just waiting expecting it to kick off in a few minutes like you have stated:

    “After few minutes we see that the updates are installed on one the
    client machines in the collection and there is a notification that
    system needs to be restarted.”

    Once I run this, updates start to appear in Software Center.

    SUCCESS

    Thanks

    • Thanks for the information Ben. I will add it soon.
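The manual trigger described in the comment above can also be run from PowerShell on the client, which helps when checking several machines. This is an added example, not part of the original post or its comments; the schedule IDs and the `CCM_SoftwareUpdate` client SDK class are standard for the Configuration Manager client, while the default log path and the sleep intervals are assumptions.

```powershell
# Added example. Run on the SCCM client in an elevated PowerShell session.
# WMI cmdlets are used so it also runs on PowerShell 2.0 (Windows 7 / 2008 R2).

# Configuration Manager client schedule IDs for the two update-related actions.
$ScanCycle = '{00000000-0000-0000-0000-000000000113}'   # Software Updates Scan Cycle
$EvalCycle = '{00000000-0000-0000-0000-000000000108}'   # Software Updates Deployment Evaluation Cycle

# Assumption: the client writes its logs to the default location.
$LogPath = Join-Path $env:WINDIR 'CCM\Logs\UpdatesDeployment.log'

# Subset of the documented CCM_SoftwareUpdate.EvaluationState values.
$StateName = @{
    0 = 'None'; 1 = 'Available'; 5 = 'Downloading'; 6 = 'WaitInstall'
    7 = 'Installing'; 8 = 'PendingSoftReboot'; 9 = 'PendingHardReboot'; 13 = 'Error'
}

function Invoke-ClientSchedule {
    param([string]$ScheduleId, [string]$Label)
    try {
        Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' `
            -Name 'TriggerSchedule' -ArgumentList $ScheduleId -ErrorAction Stop | Out-Null
        Write-Output "Triggered: $Label"
    } catch {
        Write-Warning "Could not trigger ${Label}: $($_.Exception.Message)"
    }
}

function Get-DeployedUpdate {
    # Updates from deployments targeted at this client, as Software Center sees them.
    Get-WmiObject -Namespace 'root\ccm\ClientSDK' -Class 'CCM_SoftwareUpdate' -ErrorAction Stop |
        ForEach-Object {
            $state = [int]$_.EvaluationState
            New-Object PSObject -Property @{
                ArticleID = $_.ArticleID
                Name      = $_.Name
                State     = $(if ($StateName.ContainsKey($state)) { $StateName[$state] } else { [string]$state })
            }
        }
}

# Scan first so compliance data is fresh, then evaluate the deployments.
Invoke-ClientSchedule $ScanCycle 'Software Updates Scan Cycle'
Start-Sleep -Seconds 120    # assumption: enough time for the scan to finish
Invoke-ClientSchedule $EvalCycle 'Software Updates Deployment Evaluation Cycle'
Start-Sleep -Seconds 60     # assumption: enough time for the evaluation to finish

try {
    $updates = @(Get-DeployedUpdate)
    if ($updates.Count -eq 0) {
        Write-Output 'No deployed updates are visible to this client yet.'
    } else {
        $updates | Sort-Object State, ArticleID | Format-Table ArticleID, State, Name -AutoSize
    }
} catch {
    Write-Warning "Could not query the client SDK: $($_.Exception.Message)"
}

# Show the most recent log lines that mention actionable updates.
if (Test-Path $LogPath) {
    Select-String -Path $LogPath -Pattern 'actionable updates' |
        Select-Object -Last 5 | ForEach-Object { $_.Line }
}
```

An empty list together with "actionable updates = 0" in the log means the client evaluated the deployment and found nothing applicable, which is a different condition from the client never receiving the policy.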

  • Andrea Rochira

    Hi Praj,
    thank you so much for your step-by-step guide, really clear and helpful.
    Just a question to be sure, you wrote: “When a general maintenance window and software updates maintenance window are both configured, clients install software updates only during the software updates maintenance window”. Does it mean that the software updates maintenance window wins over the Default Client Settings?
    I know, it’s a basic question but I’m a beginner and I learn faster from masters.
    Thanks!

    Andrea

  • Yaser Hussaini

    Hello Prajwal,

    I’ve completed the following steps as mentioned. I’m getting the following msg after deployment in my
    updatedeployment.log. “Optional assignment, no advance download needed”. This pc has not been updated in over a year. And
    the other msg is ” EnumerateUpdates for action (UpdateActionInstall) – Total actionable updates = 0″.

    Pls Help.

  • Yaser Hussaini

    Dear Prajwal,
    I’ve followed all your steps. I don’t get any errors but I get this msg every time I deploy software updates in my updatesdeployment.log.
    No actionable updates for install task. No attempt required.

    All my updates are current from 2016, no expired or superseded
    Computers that i’m deploying to, have not been updated in almost a year

    I have no clue why the updates are not going through.

    Pls help.

  • Alex Raddle

    Dear Prajwal,

    Have you tried using other specialized software products for deployment? Is there anything decent on the market today? SCCM is very powerful, but I had a few products that I wasn’t able to deploy due to an unsupported file format. I’ve met several other products like Lansweeper, Manage Engine and Total Software Deployment across the web, but I haven’t tried them yet.

  • Matt Austin

    Greetings Prajwal,

    I wanted to start off by saying how helpful your guides have been. I have a question about creating the deployment package step where you have the Package Source set to “\SourcesUpdatesWindows 7.” Am I missing where that UNC was defined/established? Is that something that needs to be created before starting the process, so that the files have somewhere to go?

    • Thank you Matt. The package source path (windows 7 folder) is a folder where all the updates would be downloaded and the updates will be installed from the same folder. Yes you have to create a folder before you download the updates.

      • Matt Austin

        Thanks for the quick reply… So my next question is, where do you configure the system to download all Win 7 (or Win 8, Win 10, etc) updates to the desired location?

        • Yes, you could create a folder called updates under the sources folder. Under the updates folder, you can create folders like Windows 7, Windows 8.1 etc. to download the updates. If you wish to place all the updates in one folder you could do that as well.

  • Vishnu

    I am facing the same. can anyone provide a solution to overcome above?

    • Ed

      Hi, I have the same issue. Try to uncheck all of the products, and then run sync. Check the logs to see if it’s successful, and then check the products you need and run the sync again.

      It worked on my end. Hope this helps.

  • Troy Kelly

    What I don’t understand is why you would download the software from the internet? What is the point of even using the WSUS if when creating the “Deploy Software Updates” via the wizard the updates are downloaded from the internet. I choose all the appropriate groups (by the way I am using 1511) when I set the SCCM console up as a Software Distribution Point (updates)…

    • Darkhorse Fkn

      That setting is for the server to download the updates in the first instance. It can get them from microsoft via the internet OR an upstream WSUS server. The clients will download the updates from the distribution point.

  • LemRom

    Hi Prajwal, I encountered this error in SCCM software updates. Can you help me how to fix for days. Thanks

  • Tadeas

    Can you please explain to me how the software update deployment process will work, if I install a new machine in the environment? I installed it via MDT task sequence, added it to the domain, it has SCCM client installed, I even added the machine to the Device collection for which I have set automatic updates. Will the Automatic Deployment Rule apply to the newly added server as well? Or are there some updates that have to be installed manually?

    Can someone make this clear to me? Thanks

  • Nick

    Hi Prajwal, can you configure where the site server should store all these updates? I’ve got a separate hard drive for it but I don’t see an option.

    • Share a folder on that drive and you can store the updates.

  • mark reny

    Prajwal.
    When I create the collection, within a few days I receive an error on the distribution site that there is a file missing from the folder and then the deployments fail. I created a patch distribution for Adobe Products and it worked this past Friday, but today when I came in, the deployment package that I created was displaying an error and it failed. It fails for the same reason in that there is a file missing from the folder. I am not sure why this is happening as I am not doing anything to these folders once I create them. I am using SCCM 2012 R2 and following your steps. I have 3 update packages that are now failing on a regular basis. Am I causing the issue by adding additional selected patches from the “All Software Updates” section and “right click” and “Update Membership”? I am having to re-create these almost now on a weekly basis and am not sure what I may be doing wrong. If you would, let me know what further logs or information you may need to help point me in the right direction.
    Mark
    mreny@dynamicaviation.com

  • chris davis

    Hi Prajwal,

    I am new to SCCM, and learning how to deploy updates. After creating the software update group and then going to deploy, while following the steps I am not prompted to create the deployment package. Am I doing something wrong or missed a step?

  • Higgs

    Hi,

    I have 2 separate servers, one for WSUS and one for SCCM. I would like to use SCCM to get the updates from this WSUS server.
    Do I add a site system role or create a site system server? Or both?

    Thanks

  • Syed Suleman Gilani

    Hi Prajwal
    I have configured SCCM for updates but got errors.
    Attachment has the scenario.. WCM and wsyncmgr log files..
    Any Solution please ??

  • Software Update Point for Internet-Based Client Connections – This basically allows you to manage Configuration Manager clients when they are not connected to your company network but have a standard Internet connection.

  • Dave

    Thank you for your great how to steps Prajwal!! Is WSUS required for SCCM to manage updates? Since you can point SCCM directly to the Microsoft update servers couldn’t you do this without WSUS running? I have an environment with 100 systems I need to manage so I’m trying to do this as simple as I can. I have no need for secondary sites since everyone can hit my primary site. Thanks again!!

  • boris boris

    Dear Prajwal,

    Sorry to bother you. I have a critical issue in my SCCM 2012 R2. I tried to troubleshoot and find the root cause but no luck. Could you check my attachment file and take a look? Please advise me how I can fix this issue, thx.

    Regards

    Boris

  • Sunil Kaushik

    Hi Prajwal,

    I want to change the maximum run time (minutes) for software updates by default is 10 min and want to change it for 30 min.

    I know I can do it for every update manually. But how can I change it so that I don’t have to do it every month for the update? By default it should be set for 30 min.

    Regards,
    Sunil Kaushik.

  • AaronSmith86

    Hey Prajwal,
    I never get prompted to create a deployment package? What am I missing?