- SCCM Software Update PART 1 – Introduction to SCCM and WSUS
- SCCM Software Update PART 2 – Software Update Point configuration
- SCCM Software Update PART 3 – Automatic Deployment Rules
- SCCM Software Update PART 4 – Create deployment packages manually
- SCCM Software Update PART 5 – Best practices
Updating of computer equipment is an aspect often overlooked by companies because there are too many constraints. It is necessary to manage downtime, while patches provide sometime malfunctions. However, updates computer equipment is a necessity for security. In this article series I will introduce you how to update your computers limiting constraints with SCCM Software update.
WSUS (Windows Server Update Service) is a role that provides a central management point for Microsoft Update. Thanks to WSUS, all servers no longer need to connect to Microsoft Update to download patches and hotfix. WSUS is in charge of downloading updates and distribute them on different machines.
Because there are a lot of updates for several products, downloading updates is performed according to some rules such as classification, languages or products.
However WSUS can’t be used alone in a big IT infrastructure requiring automation. This product doesn’t have a granular scheduler to deploy update. This is why SCCM is used with WSUS.
SCCM and WSUS
SCCM has a system role called Software Update Point (SUP). This role has to be installed on WSUS server. When it is set, SCCM can manage updates catalog and binaries to make updates packages. Such as WSUS, packages can be created regarding to classification, products, languages of the update (this is not an exhaustive list). Once these updates packages is created, it can be deployed with SCCM and use its powerful scheduler:
- WSUS downloads updates catalog and update binaries when SCCM requests them.
- Primary site configures himself WSUS role. When it is done, Primary site synchronizes updates catalog and requests binaries when the update package is creating.
- Once an update package is created, it is deployed on Deployment Point
- Managed servers download this package and install it regarding to maintenance period and scheduling configured on Primary Site.
- Before installing updates, managed servers download update catalog from WSUS to validate them.
Below the network flow according to above schema:
Regarding the storage part, when WSUS is added to SCCM, it no longer stores the binary files on its own store. Binaries are on SCCM content store. However WSUS still needs a database to store update catalog.
On the next part, I will present the configuration of an SUP point. WSUS and SCCM are installed on the same machine. But it is the same process when WSUS is installed on another server. After integration of WSUS in SCCM hierarchy, I will deploy updates by two different methods:
- Create packages and deploy it manually
- Automatic Deployment rules
Once SUP is configured correctly, the catalog of updates appears in SCCM console. A filter can be created regarding some criteria (classification, updates id, products etc.). Then updates can be added to a package and can be deployed. The deployment scheduling is configured manually. Then managed servers install updates in their maintenance period. This method is very useful on complex environment such as Exchange or Hyper-V cluster where patching should be orchestrated (move Virtual Machines or databases before patching etc.). The package can be used with System Center Orchestrator to be deployed and orchestrate patching.
Moreover the Cluster-Aware Updating is not compatible with software update from SCCM. An Orchestrator runbook should be created for this task. This is why it is possible to create a package manually and then deploy this last.
Automatic Deployment rules feature provides automatic creation and deployment of updates packages. The package creation can be scheduled (such as every second Tuesday of each month) and the choice of updates is made in function of some criteria (classification, updates id, products etc.). Once the package is created, it is automatically deployed in function of scheduling configuration. Then managed servers install updates in their maintenance period. This method should be used on mockup or simple environment.