Patch Distribution
This article shows how all critical and security updates are distributed, including specific instructions in case the SUP shall download the patches from an upstream WSUS Server, rather than retrieving them from the Internet (minimum requirement SCCM 2012 SP1 / 2012 R2).
A filter is generated under "All Software Updates". Please add the fields "Expired", „"Superseded" and, twice, the field "Update Classification"…
… and configure the filter as follows:
Now you must select all filtered patches (Ctrl+A) and launch the "Create Software Update Group" option in the context menu.
You can assign any name to the software update group. Additional information can be found here.
If you use a SUP that downloads all updates directly from the Internet (as described in this article), you can now go to the context menu of the software update group to initiate the download of the patches included in this group.
Additional information on the download process can be found here
Even if the SUP is used as downstream server (which is possible, starting with SCCM 2012 SP1 or 2012 R2), SCCM will load the mass data of the patches directly from the Internet during download.
If you want that patches are loaded directly from the SUP, the WSUS Server accessed by the SUP must be configured manually. To do so, open the WSUS administrator console and launch the "Update Files and Languages" dialog in the options.
(please note that this is a one-off exception, since it is recommended that you configure the WSUS Server via the SCCM SUP settings, which does, however, not include the subsequent option).
Disable the option "Download update files to this Server only when updates are approved" to ensure that the WSUS Server synchronizes all updates available through the upstream server.
Now the wizard for downloading the mass data is started, as shown above. The next dialog is used to create a deployment package that contains all updates to be distributed. Alternatively, you can add new updates to an existing deployment package.
Now do not select the option for downloading the mass data from the Internet, but specify the content directory of the WSUS Server.
The final step is to select the languages to be made available and then finish the wizard.
If the download fails, see '%Temp%/PatchDownloader.log'.
If error message 404 is displayed (not found), the content location may be incorrect. In such case, you must review the failed updates, perform an incremental synchronization and try again. This log may also provide support for other problems such as blocked download of patches by the proxy.
Synchronizing a WSUS slave server with an upstream server means that all patches are stored at four different locations in the infrastructure (upstream server, downstream server, package directory and DP). You can modify such scenario to define that the mass data are loaded directly from the upstream server, if it has approved the patches, or loads all patches, as shown for the downstream server. The exact configuration depends on the requirements of the respective infrastructure.
On the client machine:
- Open the control panel and select the Configuration Manager.
- Go to Actions to perform the following actions; after each action, you must wait a little.
Go to C:/Windows/WindowsUpdate.log to check whether all actions have been performed successfully.
3. Open the Software Center on the client and view available software.
4. Log files and other distribution files for verification purposes can be found under:
- C:/Windows/CCM/Logs/"WUAHandler" and "UpdatesHandler"
- %programdata%\Matrix42\Installation\InstallationSandbox#<date-time>
- %windir%\SoftwareDistribution\Download\Install