Hello,
I manually deployed software updates in a software update group" or https://technet.microsoft.com/en-us/library/gg712304.aspx. or pages 12-15. In a nutshell, I created a Critical Update item with a collection of 3 servers. When I look at the Software Update Group area that lists the members that I created, I do see under the tabs that Deployed=Yes and Download=Yes for the items that I created. However, this was not installed on any of the servers last night. A few people gave me some feedback yesterday and I did a few things based on what they offered. Here is what I did yesterday:
1. I was told the Software Update Scan cycle and Software Update Deployment Evaluation cycle need to run. So I modified the client setting on the Software Update Scan Schedule to last night so it would get scanned. Also, on the Configuration Manager client on the servers under Actions for (a) Machine Policy Retrieval and (b) Software Updates Scan Cycle, I did a Run Now to force a Scan.
2. I also noticed under Software Center that "Suspend Software Center activities when my computer is in presentation mode", I unchecked the box. I noticed a bunch of entries in the c:\windows\ccm\logs\wuahandler.log
Today I checked and none of the updates got installed.
So I checked the c:\windows\ccm\logs\wuahandler.log on all 3 servers and no longer see the presentation mode entries. I do see "Successfully completed scan" in the logs which is good. I did not really see anything else but I did see one thing but not sure if this is an issue or not.
<![LOG[Existing WUA Managed server was already set <I removed this information> (http://servername FQDN:port number), skipping Group Policy registration.]LOG]!><time="11:45:08.741+300" date="03-03-2015" component="WUAHandler" context="" type="1" thread="8480" file="sourcemanager.cpp:936">.
See the skipping Group policy registration? Is this a potential issue? Please advise.
Thanks,
Reez
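The WUAHandler.log entry quoted in the post above uses the ConfigMgr client log layout (message, time with a UTC offset in minutes, date, component, type, thread, source file). As an added example, not part of the thread, this parser reads such entries and reports the things the poster was checking by eye. The sample entries are constructed: the server URL is a placeholder and the third entry is invented. The code assumes type 1/2/3 means info/warning/error and that UTC is local time plus the offset.

```python
import re
from datetime import datetime, timedelta

# One log entry: <![LOG[message]LOG]!><time=... date=... component=... type=... file=...>
ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>\d{2}:\d{2}:\d{2})\.(?P<ms>\d+)(?P<bias>[+-]\d+)" '
    r'date="(?P<date>\d{2}-\d{2}-\d{4})" component="(?P<component>[^"]*)" '
    r'context="[^"]*" type="(?P<type>\d)" thread="(?P<thread>\d+)" '
    r'file="(?P<file>[^"]*)">',
    re.DOTALL,
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}  # assumed type mapping

# Constructed sample input (placeholder server name, invented third entry).
_T = ('<![LOG[{}]LOG]!><time="{}+300" date="03-03-2015" component="WUAHandler" '
      'context="" type="{}" thread="8480" file="{}">')
SAMPLE = "\n".join([
    _T.format("Successfully completed scan.", "11:45:02.100", 1, "constructed.cpp:1"),
    _T.format("Existing WUA Managed server was already set "
              "(http://wsus.example.invalid:8530), skipping Group Policy registration.",
              "11:45:08.741", 1, "sourcemanager.cpp:936"),
    _T.format("Constructed error entry for illustration", "11:46:00.000", 3,
              "constructed.cpp:2"),
])

def parse_ccm_log(text):
    """Return one dict per entry; text that does not match the layout is skipped."""
    entries = []
    for m in ENTRY.finditer(text):
        local = datetime.strptime(m["date"] + " " + m["time"], "%m-%d-%Y %H:%M:%S")
        entries.append({
            "utc": local + timedelta(minutes=int(m["bias"])),  # milliseconds dropped
            "component": m["component"],
            "severity": SEVERITY.get(m["type"], "unknown"),
            "message": m["msg"],
            "source": m["file"],
        })
    return entries

def triage(entries):
    """Summarise the WUAHandler entries: scan result, WSUS source, non-info entries."""
    wua = [e for e in entries if e["component"] == "WUAHandler"]
    return {
        "scan_completed": any("Successfully completed scan" in e["message"] for e in wua),
        "wsus_already_set": any("skipping Group Policy registration" in e["message"]
                                for e in wua),
        "problems": [e for e in wua if e["severity"] != "info"],
    }
```

Converting to UTC makes it easier to line these entries up with WindowsUpdate.log, which records its own offset.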
When you deployed the software update group, what deadline did you set?
Jeff
- Edited by Jeff Poling Wednesday, March 04, 2015 2:05 PM
Hi Jeff,
The deadline date/time that I had originally set was for 3/3/2015 at 1AM so the deadline had passed. This morning I edited the software update group items to change the deadline date/time to be 3/7/2015 at 5:46AM.
Do you think this is the issue? If so, do I need to do anything else?
Thanks,
Reezie
My deadline for the deployment had passed, per my post below:
The deadline date/time that I had originally set was for 3/3/2015 at 1AM so the deadline had passed. This morning I edited the software update group items to change the deadline date/time to be 3/7/2015 at 5:46AM.
The deadline is when the updates will be installed, if the deployment is required and not optional. The available time is when they are available for installation. Check out this explanation of the process: https://technet.microsoft.com/en-us/library/gg682168.aspx#BKMK_DeploymentProcess
Also check out the other related client logs referenced here: https://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_SU_NAPLog
Torsten,
What does the monitoring node tell for the deployment of the software update group?
The Compliant tab is green. In the properties tab, "status information is currently unavailable for this deployment"; error tab has the same status.
Total Assets=3
Status=Compliant
Last Status Time=3/3/2015 6:02AM
If the machines to which you deployed the software update group are listed with a status of Compliant, then they have the update installed.
Jeff
Jeff,
<sorry I am a newbie so let me break this down a bit>
So if I navigate to Monitoring>Overview>Deployments, I see the Software Update Group items I created. This is what I see: Total asset count=3 for the 3 servers in the collection; compliant:3
Compliance %=100
Action=Install
However, I do not see any visual evidence that these updates were in fact installed on the 3 servers. I looked under "View Installed Updates" on the servers and I do not see these KBs listed there -- shouldn't they be listed there or is that not how it is done now with SCCM? Please advise. I just need to be able to prove to management that these have been installed, is there a report I can run to prove that? Thanks for your help.
Jeff,
In view installed updates I do not see KB3000483 installed.
So, I started digging through the logs and this is what I found and so it looks like while the update got downloaded it did not get installed:
<from c:\windows\windowsupdate.log>
AutomaticUpdates Success Content Download Download succeeded.
2015-02-24 17:05:45:986 956 d88 Report REPORT EVENT: {3DE7CB40-B064-4ABD-8F74-968195DB9DB3} 2015-02-24 17:05:41:038-0500 1 189 [AU_UNSCHEDULED_INSTALL_READY] 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions:Security Update for Windows Server 2012 R2 (KB3000483) - Update for Windows Server 2012 R2.
So I logged onto the server with my domain admin account and Windows did not prompt me for any further instructions as stated above. I looked at Software Center on the server and there is nothing at all there. So I looked at Windows Update on the server and it has "Last Update" dated today at 9am but the update has not been installed. I see under "You receive updates: Managed by your systems administrator". It seems like something is blocking this security update from being installed.
Does anyone have any thoughts on what could be blocking this? Windows policy maybe? Will check that out next. I am getting closer ..
Thanks for your time!
Reez
Can you post a screenshot of your deployment deadline settings?
Jeff
Ok, based on that, the update will not install until tomorrow at 5:46 AM.
Do you see the update listed in Software Center?
Jeff
Whether it shows in Software Center depends on the user experience settings also. Are those set so that updates appear in Software Center? If you can, post a screenshot of the user experience tab.
Jeff
Maybe I missed a step -- I did not execute this step. Is this necessary?
https://technet.microsoft.com/en-us/library/hh489603.aspx
BTW: I do not expect to utilize the application catalog for our environment. But maybe it is necessary to configure the Software Center areas? I will read up.
Thanks for the continued help -- really appreciate it.
Reez
- Edited by Reezie Reez 12 hours 25 minutes ago
Maybe I missed a step -- I did not execute this step. Is this necessary?
Couple of questions here:
Do you by chance have Maintenance Windows configured? The collection that you are pointing the deployment to may have a maintenance window that will prohibit the updates from deploying to your computer.
Did you disable Automatic Updates on the computers? You need to disable automatic updates on your system to make this work.
Do you have, or have you ever had, a WSUS server configured in the environment? You may have conflicting configurations if you do.
I am not aware of any Maintenance Windows Configured -- where would I look for that? Do you mean the Options area in Software Center or somewhere else? Can you please clarify this --
On the servers the settings for the Windows Update is set to "Never check for updates". Is there something else needed here?
I am told that there has never been a WSUS server configured in the environment. As part of the SCCM configuration, WSUS got installed and configured but no other WSUS server exists in the environment.
Thanks for the help!
Maintenance windows are created on collections. Check the collection to which you deployed the software update group.
Jeff
No, the application catalog is not required, that's for deploying applications to users only and has nothing to do with updates.
Also, this statement is incorrect: "You need to disable automatic updates on your system to make this work." Disabling Automatic Updates can be advantageous but is certainly not required.
I am not aware of any Maintenance Windows Configured -- where would I look for that? Do you mean the Options area in Software Center or somewhere else? Can you please clarify this --
Go to Software Library > Expand Overview > Expand Software Updates > Select your Software Update Group > At the bottom of the page, go to the "Deployment" tab > Take note of the "Target Collection Names"
Go to Assets and Compliance > Expand Overview > Expand Device or User Collections > Find the Device or User Collection > Right-click the collection > Select Properties > Select the Maintenance Window tab > Take note of any maintenance windows.
Partly correct. Yes, the WUA references a WSUS server (or Microsoft Update if none is specified); however, it will only download updates from WSUS if they are approved in WSUS.
With ConfigMgr in the picture, the ConfigMgr agent uses a local group policy to set the WUA to use the WSUS instance corresponding to the installation of the SUP. The WUA *must* use this WSUS instance to retrieve the update catalog. As long as you don't approve updates directly in WSUS, which is generally bad and totally unsupported when integrated with ConfigMgr, then there are no updates for it to download or install (except a handful of very old infrastructure updates and an updated WUA version).
Disabling Auto-updates does not change any of the above. The reason disabling auto-updates is often a good thing with ConfigMgr in the picture is to prevent the WUA from rebooting systems and to prevent it from installing those infrastructure updates like newer WUA in an uncontrolled fashion.
Now, if you set the WUA to use some other WSUS instance using a domain group policy, then the ConfigMgr agent will see this and effectively disable local software update capabilities.
Lots of info on this at the following two posts I did a while back:
http://blog.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/
Jeff,
I checked the collection and the Maintenance Window tab is empty -- I did not set that up.
Reez
Jason,
Thank you for answering my question about the application catalog.
Reezie
Brenton,
I did not set up any maintenance windows on the collection.
Thanks,
Reez
Jason,
I am not approving any updates in WSUS.
We are not setting the WUA to use another WSUS instance using a domain group policy.
I will take a look at your blogs.
Thanks for the continued help.
Reezie
Thanks to Jason for the blogs -- they are great and I was able to verify the local and group policies and how they are set and everything is good there.
But it does bring me to my next question: is there a document somewhere that references what services should be running and/or stopped? For example, I did notice today that the windows update service keeps stopping on the servers (site server/SCCM server and the servers that I am trying to install the updates on). Does this need to be running or not? Questions: what services need to be running on the SCCM/site server? Also, the WSUS service is running on the SCCM/site server and I believe it should be or should it? I wonder if it is something stupid like that that disallows the software update to not install -- it still did not install it.
Please let me know if the windows update service needs to be running.
Thanks,
Reez