Posts belonging to Category Software Updates
While being in the process of migrating Windows Software Update Services 3.x to Configuration Manager 2012 you have only one really supported solution, namely adding all approved software updates to Software Update Group manually. This is a lot of work when being in an environment that was operational for years and years with lots of products and approved updates. Just adding all updates isn’t an option either since all approved and declined updates are tested throughout the years. When looking on the Internet for a workaround I came across this workaround for Configuration Manager 2007.
Basically what is described is connecting to the WSUS SQL database (WID or SQL), export all ArticleIDs of the approved updates from the SUSDB database, match those exported ArticleID’s with the synced Software Updates in Configuration Manager and export the UpdateID’s and add the updates with the exported UpdateID’s to a Software Update List in Configuration Manager 2007 or in this case Update Group in Configuration Manager 2012. For the last step I wrote an import script that can be used to create Update Groups with the in WSUS approved updates, using the Native Configuration Manager 2012 SP1/R2 cmdlets.
Again, below is based on the workaround for Configuration Manager 2007, so many thanks to DT.
The first step is exporting all of the ArticleID’s of the approved updates from the WSUS database, this is done by executing a query against the database. If you installed the SUSDB on a full SQL version you should easily able to do this, if you are using the Windows Internal Database (WID) you need to use a commandline tool called OSQL.
Connecting to the WID can be done as follows:
osql -E -S \.pipeMSSQL$MICROSOFT##SSEEsqlquery -o d:export.txt
After being connected to the WID, we need to connect to the database, execute the following commands, the -o parameter will export all results to the defined file:
select distinct KnowledgebaseArticle from PUBLIC_VIEWS.vUpdate UPD
join PUBLIC_VIEWS.vUpdateApproval APP on upd.UpdateId = app.UpdateId
order by KnowledgebaseArticle
Now that we have a list of ArticleID’s we need to clean up all rubbish and lines with Null or six zeros. Next we need to create a CSV file of this list so that we are able to use the CSV format in a SQL query in the VBScript as explained here. Below you see the codesnipped you need to change in red, see for the complete script the blog explaining the process.
Query1 = "Select * from SMS_SoftwareUpdate where Articleid in ('940060','940357',’960123’)"
Paste the CSV formatted list of articleID’s in this query and execute the VB Script and be sure to save the output to a file that we need to use with the new PowerShell script. Running the VB script like shown below will result in a list of Software Update ID’s which we are able to use when we want to add updates to s Software Update Group with the native Configuration Manager 2012 R2 PowerShell cmdlets.
The PowerShell script can be downloaded here and works as follows:
- Be sure that the Software Updates of the enabled products and categories are synchronized and available in Configuration Manager
- Enable only the products that you still want to support with Configuration Manager 2012. Only updates that are available will be added to a Software Update Group.
- Export the ArticleID’s and match them with UpdateIDs like described above.
What does it?
Based on the approved WSUS updates in an updates.txt file, the script creates for every 999 approved updates a Software Update Group which you are able to deploy to your collections. You cannot have more than 1000 Software Updates in one deployment so that’s why I limited the script to not allow more than 999 updates in a Software Update Group. The script will only add updates to the Software Update Group that are available within Configuration Manager 2012, so if you leave out old operating systems like Windows XP or Windows Server 2003 those updates will not be imported. The script will save a logfile with the imported and not imported software updates.
After the Software Update Groups are created you are able to clean them up by removing the membeship of updates that you do not want to install anymore.
How to use it:
In the PowerShell Script you need to set a couple of parameters and you are good to go. Place the approved.txt file in the same folder as the script.
$sitecode = "PS1:"
$installdrive = "D:"
$loglocation = "D:Logfiles"
Tested in the following scenarios:
This script is tested in the following environments:
- WSUS 3.2 + WID with +2900 approvals
- Configuration Manager 2012 SP1 CU3
- Configuration Manager 2012 R2
Please let me know what you think!
###Update: Just released the blog and script and I find another solution in the Gallery from Saud Al-Mishari which you can find here:
The Offline Servicing for custom Windows images feature in Configuration Manager 2012 allows you to install Software Updates offline, like described in an earlier blog. From the Configuration Manager 2012 there is no option to remove installed the software update. But there is a way, let’s see if it the right way;)
If we go back to the future we always could use tools like DISM or Imagex to change captured WIM images. Now that imagex has been replaced by DISM, let’s have a look how this works and if it is the right way to do this. The Software Updates are installed via the Offline Servicing feature in Configuration Manager 2012, but under the hood Configuration Manager is using DISM to modify the image. When looking at a logfile at the Site Server after an offline servicing process is finished you see in the DISM.log what changes are made to the custom WIM image. You can find the log file at the following location; c:\windows\logs\dism\ .
So if the DISM tool is used, then we must be able to remove Software Updates from the WIM image without rebuilding the image. Let’s see how and if this works. For this blog I installed Security Update KB2705219 with the offline servicing feature like shown in the figure below.
The process to remove the software update from the WIM image will have the following steps:
- Mount the WIM image
- Gather the name of the software update (package)
- Remove the software update
- Un-mount and commit the WIM image.
Mounting the image is easy and done with a command like this;
dism.exe /mount-wim:d:\Packagesource\OSD\WIM\win7x64.wim /index:1 /mountdir:d:\wim-image
After mounting time image you can get a list with software updates installed in the image by executing the following command:
Dism.exe /image:d:\wim-image /get-package
In the figure above you see that the Software Update is listed as follows: Package_for_KB2705219~31bf3856ad364e35~amd64~~126.96.36.199
Looking at the figure you see that the update is marked as an Install Pending state. If you are installing a software update in an offline image with offline servicing, the package state is “install pending” because of pending online actions. In other words, the software update will normally be installed when the image is booted.
Next step would be to remove the Software Update package by executing the following command;
Dism.exe /image:d:\wim-image /remove-package /packagename:Package_for_KB2705219~31bf3856ad364e35~amd64~~188.8.131.52
After a while the update is removed and you can commit and unmounts the WIM image. Next you should update the distribution points and test the changed image.
When looking at the Configuration Manager 2012 console you will notice that the Software Update is still listed when looking at the installed updates on the object of the updated custom image. This is probably because this information is gathered from the database and not from the image itself. Adding another update to the image will rebuild the list, the installed or not required update is just added.
My conclusion is that is you want to be able to see the truly installed software updates you should be use the old, by the offline servicing feature, backuped WIM image or run a new Build and Capture task sequence to create a brand new image without the software update.
In a develop- and test environment you can use the DISM option to quickly test the image without the software update. In production environments I will use the build and capture option as long as you are not able to remove the Software Update from the WIM image.
So what do you think? Is an option to be able to remove an update from a custom WIM image a welcome future feature, or is rebuilding the image the best way?
This week I was triggered by a question on the support forum of the Configuration Manager 2012 CEP about a nice new feature in Configuration Manager 2012. With Configuration Manager 2012 you are able to service your OS Images by integrating the latest Software Updates from the Configuration Manager Console. Let’s see how this works.
When you want to update Windows 7 WIM files in an Configuration Manager 2007 environment, you need to use tools like DISM to update your images offline. In Configuration Manager 2012 a real cool new feature is there to update your WIM images in the Configuration Manager 2012 console with updates that are approved in Configuration Manager 2012. Be sure to configure the Software Update Point and Software Update Deployments.
- Start the Configuration Manager 2012 Console and browse to your WIM image that you want to update
- Select the image and click on Schedule Updates
- Select the software updates that you want to install into the WIM image and click on Next
- Select a schedule or choose As soon as possible and click on Next twice.
- After scheduling review the settings and click on Close
- You can monitor the update process by viewing selecting the Windows 7 Enterprise object, which shows above the “In process” status. After the process is finished you can view which software updates are installed by selecting the Update Status tab like shown below. You can also monitor the process by viewing the OfflineServicingMgr.log which is updated in the logs directory.
Another real nice feature that is implemented in Configuration Manager 2012 and makes the life of the Configuration Manager easier. This test is done with a standard Windows 7 WIM Image from the installation DVD and a custom Windows 7 image.
Till next time.
Today it was again time for the biweekly Community Evaluation Session again, this time the subject was Software Update Management in Configuration Manager 2012. Since the session was already held in January this year, most of the session of today covered foremost the changes since the last time the session was held. During the beginning of the session I noticed that the GUI was a little bit changed.
First see the little bit that was changed, a little recap.
Configuration related changes:
- In Configuration Manager 2007 publishers were able to expire or supersede software updates
- Configuration Manager 2007 automatically expires superseded updates
- In Configuration Manager 2012 you are able to control the supersedence behavior
Software Update Management administrator role with RBA:
- Limit the Software Update Management administrator to software update related actions
Client Agent settings:
- New UI for client agent settings
- Apply it to collections
- Customize settings for different systems on the same site, like servers and desktops
Migration from Configuration Manager 2007:
- Migrate packages, deployments, lists and templates
- Persist update content from Configuration Manager 2007 through Distribution Point sharing
- Important: SUP products and category settings must be the same
Simplified update groups:
- Improved search to find updates
- List and deployments combined into update groups
- Updates added to groups automatically deployed
- Groups can be deployed and/or used to aggregate compliance
Better end user experience
- Administrator can manage the user experience
- User can view what kind of software updates can be installed and the user can manage / schedule when this installation can tale place
In-console views and alerts
- Critical information new in-console
- Compliance and deployment views per update and update group
- Detailed state of all assets targeted with update deployment
- Hierarchy-wide Software Update Point synchronization status
- Alerts for synchronization failures and compliance not met
Content optimization and cleanup
- Updates optimized with new content model to reduce and storage
- Expired updates and content automatically cleaned up
- All deployments can be monitored from the console
- Deployment status of Software Updates are categorized in the following categories:
- In progress
- All categories have subcategories.
- Software Update Point synchronization status (displays for instance if all SUPs have the same catalog version)
Now let’s talk about the changes since Configuration Manager 2012 Beta 2 and some more information about the subjects above.
Automatic deployment rules:
There are two core scenarios where automatic deployment rules can apply:
- When deploying Forefront Endpoint Protection definition updates, these updates can be deployed to an existing update group. In software updates, there are never more than 4 definition updates. One active and three superseded definition updates) Every fifth definition update will be expired and fall out of the software update group.
- Patch Tuesday update deployment , these updates must be deployed to new update groups and deployments.
Creating criteria is being enhanced within the Automatic deployment rule, and the user notification options are enhanced with the following options:
- Display in Software Center and show all notifications
- Display in Software Center and only show notifications for computer restarts
- Hide all Software Center notifications
Removing expired updates
Removing expired updates can be done by searching for expired updates, selecting them and edit the membership of the updates. By deselecting the software update groups, the software updates will be removed from the distribution points during the next maintenance schedule. The source content will be still in place but automatic removal is still being developed.
Search filter expressions are much better in the pre RC release.
Changed software update or update group icons
Last but not least you are now able to see when a expired or superseded update is member of a software update group or when a software update is exired or superseded. An X will be presented in the icon like show below.
Wished I could write more about the pre RC release but unfortunately I don’t have the bits to play with.. Next CEP session is September the 7th, the subject will be Settings Management.