Software Updates deployment is another popular Configuration Manager feature. A robust process is essential to maintain network security and compliance. This is a complicated process consisting of many moving parts. The Software Update Point (SUP) is a Site System role that leverages Windows Server Update Services (WSUS) to make Microsoft updates available in the Configuration Manager console. The updates are then arranged in Software Update Groups and deployed using Deployment Packages. Other components used in the process include the following:
- Configuration Manager Client Agent
- Windows Update Agent (WUA)
- Device Collections
- Deadlines
- Maintenance Windows
- Automatic Deployment Rules (ADR)
- SQL Server Reporting Services
It's not possible for us to describe every possible issue that you will encounter when deploying a Software Updates solution with Configuration Manager. There are too many components that can be configured in many different ways. We've concentrated on the main components in the following and have added troubleshooting guidance in each case. More detail for some of the steps is provided later in this chapter.
|
Component |
Troubleshooting step |
|---|---|
|
Configuration Manager client |
Verify that the client is healthy. The previous Healthy Configuration Manager client section details how a healthy client should look. |
|
Verify that the client falls under a boundary defined in Configuration Manager. This boundary should be added to a boundary group that is configured with one or more DPs ("Waiting for content" and "0% downloaded" are typical messages when this is misconfigured). | |
|
Force policy retrieval using the Configuration Manager applet in Control Panel:
| |
|
Examine log files for errors relating to location or site assignment:
| |
|
Software Update Point |
Examine the |
|
WSUS integration |
Verify the health of WSUS using |
|
| |
|
Remember that you should not configure WSUS in any way. If you have, it is recommended that you uninstall and start again. Configuration Manager will configure WSUS for you. | |
|
SUP synchronization |
Examine the |
|
Verify that you have configured the SUP with the correct proxy credentials. In some cases, it may be necessary to whitelist the SUP on the proxy to be able to access the Microsoft Updates sites with no filtering or authentication. | |
|
Microsoft provides an online guided walkthrough to assist in troubleshooting software update synchronization issues. It provides detailed information on known issues and difficulties which is available at https://support.microsoft.com/en-ie/kb/2995743. | |
|
Software Updates Group |
Remember that there is a hard limit of 1,000 updates per Software Update Groups. Bear this in mind when creating your SUG structure. |
|
Verify that you have chosen the required products and classifications in the SUP properties. | |
|
Deployment Package |
Examine the |
|
Verify that the deployment package has been distributed to the DP. Check the Distribution Status node of the Monitoring workspace | Content Status. Examine the | |
|
Automatic Deployment Rules |
Examine the |
|
Client side issues |
Verify that the WUA initiates a compliance scan on the client. This compares the updates on the client to updates in the WSUS catalog. Details of this activity can be seen in |
|
Update the WUA to the latest version. | |
|
Examine the following log files for issues: | |
|
Windows 7 update scan fails resulting in client performance issues and incorrect compliance status. This is resolved with | |
|
Deadlines |
You should understand deadline behavior. When a deadline is reached, all required updates will start to install. However, a period of randomization of up to two hours is built into the process. Therefore, do not be alarmed if clients do not start installing updates when the deadline is reached. |
|
Maintenance Windows |
Use Maintenance Windows correctly. They are very powerful when used in conjunction with deadlines. After a deadline passes, updates will be installed as soon as the next Maintenance Windows is reached. Examine the |
|
Software Updates Cleanup |
Clean up superseded and expired updates (see the Software Updates Cleanup section). |
|
Offline servicing |
Offline servicing allows you to inject updates into an OSD image file. Servicing activity is recorded in the |
Unfortunately, there is no straightforward way to manage superseded and expired updates (even in Configuration Manager 2012 R2). You still have to remove these updates manually from Software Update Groups. There is no technical reason for removing these updates. They don't interfere with the patching process. However, you can save disk space on all your servers by carrying out a regular Software Updates cleanup.
You can do this manually by using the Configuration Manager console.
- Use the Expired and Superseded criteria search for these updates.
- Choose Edit Membership to find the Software Update Groups to which they belong.
- Uncheck the boxes and select OK to remove the expired and superseded updates from the selected SUGs.
- The updates are then marked for subsequent deletion.
This process is a little tedious. PowerShell scripts are available from the Configuration Manager community, which will help you to fine-tune this process.