Tuesday, December 17, 2013

SCCM 2012 - Deploying Updates

In WSUS & Software Update Point we installed WSUS and SUP, then we went on and did additional configuration in Changing SUP Settings. Now that we SUP configured and have update definitions downloaded we are ready to deploy updates out to our clients.

Expired & Superseded Updates:
First thing we need to do is get rid of any of the updates that are no longer valid. Before we do this I wanted to take a moment to explain the Update icons, what they are and what they mean.

The Normal Icon
 The icon with the green arrow represents a normal software update.
Normal software updates have been synchronized and are available for software deployment.
Operational Concerns:
There are no operational concerns.

The Expired Icon
The icon with the black X represents an expired software update. You can also identify expired software updates by viewing the Expired column for the software update when it displays in the Configuration Manager console.
Expired software updates were previously deployable to client computers, but once a software update is expired, new deployments can no longer be created for the software updates. Expired software updates contained in active deployments continue to be available to clients.
Operational Concerns:
Replace expired software updates when possible. When software updates become expired, Configuration Manager does not remove the software updates contained within active software update deployments. Configuration Manager continues to assess software update compliance on expired software updates in deployments, but they are considered “not required” for reporting purposes.

The Superseded Icon
The icon with the yellow star represents a superseded software update. You can also identify superseded software updates by viewing the Superseded column for the software update when it displays in the Configuration Manager console.
Superseded software updates have been replaced with newer versions of the software update. Typically, a software update that supersedes another software update does one or more of the following:
  • Enhances, improves, or adds to the fix provided by one or more previously released software updates.
  • Improves the efficiency of its software update file package, which clients install if the software update is approved for installation. For example, the superseded software update might contain files that are no longer relevant to the fix or to the operating systems now supported by the new software update, so those files are not included in the superseding software update's file package.
  • Updates newer versions of a product, or in other words, is no longer applicable to older versions or configurations of a product. Software updates can also supersede other software updates if modifications have been made to expand language support. For example, a later revision of a product update for Microsoft Office might remove support for an older operating system, but add additional support for new languages in the initial software update release.
Operational Concerns:
When possible, deploy the superseding software update to client computers instead of the superseded software update. You can display a list of the software updates that supersede the software update on the Supersedence Information tab in the software update properties.

The Invalid Icon
The icon with the red X represents an invalid software update.
Invalid software updates are in an active deployment, but for some reason the content (software update files) is not available. The following are scenarios in which this state can occur:
  • You successfully deploy the software update, but the software update file is removed from the deployment package and is no longer available.
  • You create a software update deployment at a site and the deployment object is successfully replicated to a child site, but the deployment package has not successfully replicated to the child site.
Operational Concerns:
When the content is missing for a software update, clients are unable to install the software update until the content becomes available on a distribution point. You can redistribute the content to distribution points by using the Redistribute action. When content is missing for a software update in a deployment created at a parent site, the software update must be replicated or redistributed to the child site.

Folders & Filtering:
So now we understand a little more about what we are dealing with. Lets isolate all of the Expired and Superseded updates so they won't interfere with the deployments. In the Software Library expand Software Updates and Right Click on All Software Updates. Select Folder then Create Folder. Call the folder Superseded & Expired

Now we have a place to put the outdated updates lets go ahead and do that. In the upper right corner of the viewing pane you will see Add Criteria. Click on it to expand the selection window. Scroll down and Check Superseded then Click Add

You will now see below the Search Bar that we have scoped for Superseded = Yes. Hit Search to Filter out the items.

Note: This is a search that you will use regularly so it is a good chance for you to save this search for easy reference later. Once you have your search results In the Navigation Bar on the Search Tab Click Save Current Search As. Call it Superseded = Yes. You will then be able to refer back to this search quickly by clicking on Saved Searches and then Selecting Manage Searches for Current Node

So now we have our filter in place and we have run it so all we should see are the updates that have been superseded. You can confirm that by checking the icons for each update on the left.

In the Display Window do a Ctrl+A to select all displayed updates. Right Click on the updates and Select Move.

The Move Selected Items window will open, Select the Superseded & Expired folder and Click OK

This will move all the updates to the sub folder so you wont have to sift through them again.

Repeat these same steps for the the Expired items so all you are left with are active current updates.

Software Update Groups:
So now we understand the updates a little better and know how to remove inactive updates, the next thing we need to do is create a Software Update Group. This is a grouping of like updates which we will use to deploy to our Test Device Collection.

Lets go back into All Software Updates and create a new filter. For the purposes of this segment we will be working with updates for Server 2008 R2. So in Add Criteria select Product. You will notice that the default search for Product is Active Directory Rights Management  Services Client 2.0 (its alphabetical).

Click on it and find Windows Server 2008 R2 and Click Search

What you should be left with are all of the current Windows Server 2008 R2 updates. In the viewing pane select all of the updates (Ctrl + A), Right Click and Select Create Software Update Group.

Give it a descriptive name like Windows Server 2008 R2. You can optionally give it a more detailed description. Click Create

Now we are ready to do the deployment. In the navigation window go to Software Update Groups. Find your newly created group for Server 2008 R2. Right Click on it and Select Deploy

Deploying Updates:
The Deploy Software Wizard will start and you can begin providing information for the deployment. The Software Update/Software Update Group should already be selected. If this is your first deployment you wont have a Deployment Template available so you can skip that (don't worry we will make one shortly). Now you will remember in SCCM 2012 - Creating Device Collections from an Organizational Unit we discussed creating device collections. You should have a few already made. If not, stop now and go back and make some. You will need to have a collection of devices to deploy to. If you have them Click Browse and select your Server 2008 R2 group. Click Next

For Type of deployment you can choose between Available and Required. Since this is for updates we want this to be Required. If your network is configured for Wake-on-LAN you can check that box, otherwise skip it. For Detail level select Only Success and error messages. Click Next

For Time based on, you can set it either way but I generally prefer UTC. For Software available time you can choose As soon as possible or Specific time. If you use ASAP it content for the client will become available individually as soon as the Distribution Point has it to deploy if you set a specific time it will come as a group of updates. Installation deadline dictates the install behavior. You can choose As soon as possible which means that as soon as the DP has distributed content the client will install (and reboot if necessary). If you use Specific time it will download update content but wait to install and reboot until the deadline. Click Next

User visual experience indicates what the end user will see in Software Center. Since these are Required updates (set previously) we don't really need to let the users know what is available as they won't have the authority to be selective anyway, so I set Hide in Software Center and all notifications. Deadline behavior indicates what happens when the client hits the deadline. You want to check both boxes. Device restart behavior is pretty clear. If there is an update that requires the client to reboot, it will. You also want to check Commit changes at deadline.

On Configuration Manager alerts, this can be determined by your update policy so adjust it as required. If you have SCOM configured in your install you can automatically suppress alerts during the update run and send notifications for failed alerts. You should probably check both boxes. Click Next

You can determine what SCCM does with the actual updates in a slow site or boundary, whether to download or not. You can also dictate what the client does if content is not available from its primary server. It can either pull from a FSP or from other clients on the same subnet. If all else fails you can tell the client to pull directly from Microsoft. Click Next

If this is the first time you have deployed updates you will be required to create a Deployment package. This just determines where the updates are placed when you download them. Give the package a name and source location (this should be the WSUSContent folder created during the SUP install). Click Next
Gotcha - At the time of this writing there is a bug in SCCM 2012 SP1 related to downloading updates. If after you run through the downloads you experience an Access Denied error when trying to write to your WSUSContent folder this is part of that bug. To my knowledge Microsoft has not fixed this issue and it persists through CU3. The workaround is to close the console and re-open it running as administrator.

You can also determine what distribution points to send content to. Add the DP's as needed and Click Next

To reduce WAN traffic you can pull content straight from Microsoft as opposed to a site server. If you have a decent pipe between sites and boundaries this may not matter. Click Next

Choose the languages required by your environment. Click Next

On the summary page you have the option to save the update template as an answer file for later use. Click Save As Template.

Give it a good descriptive name and Click Save. This will give you the ability to skip steps next time you run updates. Click Next

SCCM will process the request and download the required updates. Depending on how many are in the group this could take a few hours to kick off but in the end you should have something like below.

I will cover how to monitor the deployment status in an upcoming segment.

More to come!

If you like this blog give it a g+1

Tuesday, November 19, 2013

SCCM 2012 - Enable Asset Intelligence

In this segment I am going to go over Asset Intelligence. AI is quite useful for keeping track of the assets within your environment including hardware and software inventory as well as licensing. When it comes time for true-up this can be quite beneficial. This information can be utilized via console and in reporting. There are a number of configuration steps before you can use Asset Intelligence in SCCM 2012.

Enable Asset Intelligence Hardware Inventory Reporting Classes:
First we need to enable AI hardware inventory classes. In the Administration Space Click on Client Settings then highlight Default Client Settings. Right Click on it and Select Properties. In the Default Settings dialogue box Click Hardware Inventory. Set Enable hardware inventory on classes to Yes. You can adjust the inventory schedule as required or leave it set as the default.

Note: It is recommend to run the scans off hours or on the weekends when system resource utilization is lower as the scans can consume quite a bit of processor.

Click Set Classes

In the Hardware Inventory Classes you can adjust what items you wish to collect data on from any number of possible items. For additional information regarding the classes refer to the Technet article on them. Click OK then Click OK again.

Now we need to enable Inventory Reporting Classes. In the Asset and Compliance space Select Asset Intelligence. On the Home Tab Click Edit Inventory Classes. When the Edit Inventory Classes opens Select Enable all Asset Intelligence reporting classes or you can select individual classes.
Note: If you intend to enable the Hardware Inventory Client Agent to inventory the information required to support these reports, SMS_SystemConsoleUser must be checked

If you chose to enable all classes you will get a prompt warning you to about client system resources during the scan. Click Yes

Install Asset Intelligence Synchronization Point:
Next we need to install AI. In the Administration Space expand Site Configuration then highlight Sites. Select the site server you want to install AI on and Right Click and select Add Site System Roles. By now you should be all to familiar with the Add Site System Roles Wizard. Add the server name if not already present then select the Site code. Click Next

Add proxy information if required. Click Next

Select Asset Intelligence synchronization point. Click Next

By default, the Use this Asset Intelligence Synchronization Point setting is selected and cannot be configured on this page. System Center Online accepts network traffic only over TCP port 443, therefore the SSL port number setting cannot be configured on this page of the wizard. Click Next

You can modify the synchronization schedule as required. Keep in mind to run scans in off hours if at all possible. Click Next

Verify your settings and Click Next

You should get a success page. Click Close

Enable Auditing of Success Logon Events:
In order for AI to display information gathered from Windows Security event logs on client computers in reporting you need to enable audit logging. If it is not enabled these reports would contain no data even if the appropriate hardware inventory reporting class is enabled.

Note: The following actions will need to be performed by someone with Domain Administrator level access in Active Directory.

On your domain controller open Group Policy Management Editor. Find the SCCM policy that you created before you did the SCCM installation, Right Click and Edit (you can create a new policy if you prefer but I like to keep all my related policies together like this). Expand out Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. Double Click on Audit Logon Events. Check Define these policy settings and then Check Success. Click Apply

Import Software License Information:
The Import Software License Wizard is used to import Microsoft Volume Licensing (MVLS) information and general license statements into the Asset Intelligence catalog. The MVLS license statement contains information about the license entitlements, or number of purchased licenses, for Microsoft products. A general license statement contains information about the purchased licenses for any publisher.

Note: The site server computer account needs Full Control permissions for the NTFS file system to the file share that is used to import software license information. 

One thing to keep in mind when importing license information. Existing software license information is overwritten so ensure that the information file that you use when you do the import contains a complete listing of all necessary data. This will only update information in the license file, not any other data.

In the Assets and Compliance space Click Asset Intelligence. On the home tab Click Import Software Licenses. The Import Software License Wizard will start up. Click Next

There are two possibilities to chose from here. Microsoft Volume License Statement and General License Statement.

Microsoft Volume License Statement
The first is for importing Microsoft related product volume licenses (duh). The easiest way to gather this data is to pull it directly from the Microsoft partner website.

Open up Excel (any version), rename Sheet 1 to License Data then delete sheets 2 & 3. In the Ribbon Select Data then Click From Web. Navigate to https://licensing.microsoft.com/ and enter in your Windows Live ID. Once you are logged in Click View your license summary, click the box to Select License Data then Click Import. Click OK. You will need to remove the first column then save the file as a normal .xlsx file for future reference. Then save the file as an .xml file to the NTFS share discussed previously.

General License Statement
A General License Statement is used for all non Microsoft related products you have in AI and will need to be saved as a .csv file only.

Open up Excel (any version), rename Sheet 1 to License Data then delete sheets 2 & 3. In Row 1 Column A enter the following (each in a new column). Green items are required for all software on the list, the rest are not, but I leave them in there so I can remember the place holders and its nice to input the data if it is available.

  • Name
  • Publisher
  • Version
  • Language
  • EffectiveQuantity
  • PONumber
  • ResellerName
  • DateOfPurchase
  • SupportPurchased
  • SupportExpirationDate
  • Comments
Now that we have our 11 columns labeled we can add in the software information in row 2 down (as needed). The software names need to match up exactly to what you see in Inventoried Software, otherwise you will get an error when inputting data. Save the file as .cvs to the NTFS share discussed previously.

Now that we have our license file created select Microsoft or General depending on your need and browse to the file. Click Next

You will get a summary, Click Next

Once you have success Click Close

Configure Asset Intelligence Maintenance Tasks:
There are two types of Maintenance tasks available in AI. Check Application Title With Inventory Information and Summarize Installed Software Data

Check Application Title With Inventory Information
This maintenance task checks that the software title that is reported in software inventory is reconciled with the software title in the Asset Intelligence catalog. By default, this task is enabled and scheduled to run on Saturday after 12:00 A.M. and before 5:00 A.M. This maintenance task is only available at the top-level site in your Configuration Manager hierarchy.

Summarize Installed Software Data (Available only on Primary Sites)
This maintenance task provides the information that is displayed in the Assets and Compliance workspace, in the Inventoried Software node, under the Asset Intelligence node. When the task runs, Configuration Manager gathers a count for all inventoried software titles at the primary site. By default, this task is enabled and scheduled to run every day after 12:00 A.M. and before 5:00 A.M. This maintenance task is available only on primary sites.

Go to the Administration Space, Expand Site Configuration then Click Sites. Highlight the server that has AI installed on it and and on the Home tab Click Site Maintenance

Locate Check Application Title With Inventory Information and Click Edit

Check Enable this task and set the schedule appropriate for your environment. Click OK

Summarize Installed Software Data (Available only on Primary Sites)Click Edit

Check Enable this task and set the schedule appropriate for your environment. Click OK

Congratulations Asset Intelligence is now up and running

More to come!

Like this blog, give it a g+1