SCCM is capable of managing Software Updates, but it relies on WSUS for that. So you need to have that installed. If you’ve followed this guide, you have.
Whereas for WSUS you need to configure group policies, for SCCM everything runs through the SCCM client so you don’t need to worry about that.
Enable the Software Updates part in SCCM
- Expand (in order) site database, site management, <your site>, site settings, site systems, <your server> and rightclick your server, select New Roles, Next, select “software update point” + Next
- At the Active Settings window, check the “Use this server as the active software update point” + click next
- Enable a schedule (1 day for now) and click next
- Select classifications and click next
- Select the products and click next
- Select and deselect the appropriate languages and click next
- Next, Next, Close
If you want to change any settings later, expand site database, site management, <your site>, site settings, component configuration and rightclick “Software Update Point Component” and click properties.
Start initial synchronization
- Expand site database, computer management, software updates, Update Repository
- Rightclick Update Repository and click Run Synchronization
Download the System Center Configuration Manager 2007 Toolkit V2 and use Trace32 to tail the logfile “c:\program files (x86)\Microsoft Configuration Manager\Logs\wsyncmgr.log” to watch the progress of the synchronization.
Configure the Software Updates Client
- Expand (in order) site database, site management, <your site>, site settings, client agents
- Rightclick Software Updates Client Agent and click properties
- Adjust the schedule to 1 day
- On the tab Update Installation select “Enforce all mandatory deployments” and set it to 1 hour. Also enable the “Hide all deployments from end users”. Click on OK
Create templates
- Expand site database, computer management, software updates, deployment templates
- Rightclick deployment templates and select new deployment template.
- Name it “Windows 7 updates”, since we’ve created a collection of Windows 7 stations previously, and click next
- Browse for the “All Windows 7 Systems” that we’ve created in Part 4 of this SCCM series, click OK and next
- Select Suppress notification, since the end user doesn’t have to be bothered with this, and set the Duration to 1 hours, which means that updates will be deployed fast. Click next
- Select Workstations to suppress the reboot notifications for the end user and click next
- Select the “Generate Operation Manager alert when a software update installation fails” and click next
- Select “Download software updates from distribution point and install” on both scenarios and click next
- Click next on the “SMS 2003” window
- Next, Close
Now before you can continue, you have to make sure that the software updates are synchronized with Microsoft. Use the Trace32 mentioned above.
Create a search folder and an update list
- Expand site database, computer management, software updates, update repository, search folders
- Rightclick search folders and select “new search folder”.
- Name it “All Windows 7 updates” and press OK
- Step 1 = Product, Step 2 = Windows 7, Step 3 = enable all subfolders, step 4 = “All Windows 7 updates” and press OK
- Rightclick the “All Windows 7 updates” search folder and click on refresh
- In the right pane, select all updates and then rightclick and select Update List.
- In the window that opens select “Create a new update list” and name it “Windows 7 update list” and press next, finish, next, close
(with this method you can add extra updates to the list later too)
Deploy the Update list to the template
- First, we need to create a share on the SCCM computer to where the updates can be temporary downloaded to.
- Create something like “E:\tmp_downloads”
- Share this folder and add “domain admins” and the sccm computeraccount to the sharing and ntfs permissions with full control
- In the SCCM console, expand site database, computer management, software updates, update lists AND deployment templates so you see them both.
- Drag the “Windows 7 update list” on to the “Windows 7 workstations” deployment template
- If there are any license terms you need to accept, you’ll have an extra window in where you need to accept the license terms
- Next, at “create a new deployment package”, specify a name like “Windows 7 update package” and point the package source to the share you’ve created (”\\SCCM01\tmp_downloads”). Enable “Enable binary differential replication” and click Next
- Browse to select your distribution point, which is your sccm server, and click Next
- “Download the updates from the internet” and click Next
- Choose your languages but they should already match your template and click Next
- Choose a schedule or leave it to the defaults and click Next
- Next, Next (updates will be provisioned)
- Close
Now from time to time keep updating your list and drag it to the deployment template. Since you’ve enabled binary differential replication, clients that already have received most of the list, will only transfer the differential.
Best practice is to create a couple of deployment templates, based on the priorities, so for example you can deploy critical updates faster than other updates.