myITforum.com Community Forum myITforum.com Community Forum

Home  Forums  Blogs  Live Support chat  Search Articles  Wiki  FAQ  Email Lists  Register  Login  My Profile  Inbox  Address Book  My Subscription  My Forums 

Photo Gallery  Member List  Search  Calendars  FAQ  Ticket List  Log Out

All Forums RSS Feed Subscription:


  


Software update user interaction

 
View related threads: (in this forum | in all forums)

Logged in as: Guest
  Printable Version
All Forums >> [Management Products] >> System Center Products >> System Center Configuration Manager >> Software update user interaction Page: [1]
Login
Message << Older Topic   Newer Topic >>
Software update user interaction - 6/2/2008 10:21:30 AM   
bhastings


Posts: 248
Score: 2
Joined: 5/22/2002
From: Natick, Massachusetts
Status: offline 		In the past using SMS 2003, we had our patch deployment set up such that the patches would install automatically and silently, prompt for a reboot if needed at the end of installation. If the user did not reboot, the machine would reboot at the end of the "postponement from time authorized".

What am I missing here in SCCM? I've played around with the many options however I'm not able to achieve the same output. There always seems to be some end user interaction in which we would rather suppress with the exception of the reboot prompt.

A balloon window would notify them that the IT group has installed software updates and a reboot is needed. If you do not reboot, a reboot will automatically occur in “x” amount of days.

Thanks in advance for your help.
-Bruce

_____________________________

Bruce Hastings
The MathWorks, Inc.
Post #: 1
RE: Software update user interaction - 6/2/2008 9:57:05 PM   
mhudson

 

Posts: 511
Score: 10
Joined: 4/1/2007
From: College Station, TX
Status: offline 		Yes it has changed.  You can make it install without user interaction by setting the time the patch is available to say 10am and then the manditory start time to be 10:01am.  They will get a prompt that time has exceeded and the install will begin.  Then if you have a maintenance window setup for restart you can postpone it for days or hours.  We have it set to 11pm so no matter what day the patch is installed a manditory restart will occur at 11pm.  You will need to adjust how patches are done.  We (IT) sat down and figured out the way we will need to do it and then sent several notices to our users to let them know the change.  Not much else you can do.

_____________________________

Matthew Hudson
http://sms-hints-tricks.blogspot.com/
http://www.sccm-tools.com

(in reply to bhastings)
Post #: 2
RE: Software update user interaction - 6/25/2008 4:11:21 PM   
sounddoc

 

Posts: 41
Score: 0
Joined: 11/15/2007
Status: offline 		Hi,

I'm having a similar situation since moving from SMS2003 to SCCM. In SMS/ITMU I was able to silently push updates with no notifications, balloons, pop-ups etc, as well as no scheduled rebooting or reminders of rebooting. We are mostly laptops that are out of the main office, so this worked quite well.

I would like to reproduce this, but so far in testing I've had machines automatically rebooting at 3am whether or not someone is logged into the machine or not, despite having reboots suppressed both in the template and in the deployment. I don't want to set maintenance windows because we have people working at all hours. Because of this, I need to make every update mandatory (not a huge problem) but I also need a way to manage accurately supressing reboots and reminders which doesn't seem to be the case. Does anyone know of a way to do this in SCCM? I enabled the reboot suppression policy through GP (wuau.adm) today, so we'll see, but i'm also interested in suppressing all notifications and user interaction.

Thanks guys

-Pete

_____________________________

-P

(in reply to mhudson)
Post #: 3
RE: Software update user interaction - 6/25/2008 4:14:51 PM   
mhudson

 

Posts: 511
Score: 10
Joined: 4/1/2007
From: College Station, TX
Status: offline 		In your Deployment Management do you have Restart suppressed for both servers and workstations?

This would suppress the patch restart.  It just means you rely on the user to restart.  Laptops are no big deal since the user shuts them down all the time.


_____________________________

Matthew Hudson
http://sms-hints-tricks.blogspot.com/
http://www.sccm-tools.com

(in reply to sounddoc)
Post #: 4
RE: Software update user interaction - 6/25/2008 4:19:36 PM   
sounddoc

 

Posts: 41
Score: 0
Joined: 11/15/2007
Status: offline 		Exactly what I thought! however, two machines that recieved the policy yesterday morning rebooted at 3am, another the night before with the same policy - reboots suppressed for both servers and WS. I have an inkling that either a non-SCCM local policy is fudging with things, as no group policy was set at the time. There's a chance that the user had seen the "!" icon, clicked on it and set it to install at 3am manually, but the updates according to the log files were installed in the afternoon at the deadline as expected. hopefully the GP suppressing reboots will take care of this though.

As a general question, despite the signed content GP that MS recommends setting, are there any other GPs that should be set? For instance, I'm interested if anybody has the "Configure Automatic Updates" policy set?

_____________________________

-P

(in reply to mhudson)
Post #: 5
RE: Software update user interaction - 6/25/2008 4:22:33 PM   
mhudson

 

Posts: 511
Score: 10
Joined: 4/1/2007
From: College Station, TX
Status: offline 		Oh it hit me...We have users that have admin rights.  Those machines will restart, or popup the hey do you wish to restart your machine.  It doesn't happen for the User only pcs.  Are these users Admins on their machines.  Or could another application have installed and waited till 3am to restart.



_____________________________

Matthew Hudson
http://sms-hints-tricks.blogspot.com/
http://www.sccm-tools.com

(in reply to sounddoc)
Post #: 6
RE: Software update user interaction - 6/25/2008 4:30:04 PM   
sounddoc

 

Posts: 41
Score: 0
Joined: 11/15/2007
Status: offline 		Our users are local admins on their machines (cringe) and no other apps were installed.

<edit>
On looking at windowsupdate.log, it seems the wuauclt is rebooting the machine, not SCCM. So now my original question, of how do you get SCCM to override all the local AU settings, or at least block them out?

2008-06-25 01:32:51:576 1456 790 Report REPORT EVENT: {D4CE9DD3-AF29-41F0-94BE-2CF5295F61AD} 2008-06-25 01:32:46:583-0400 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 Windows Defender Success Software Synchronization Windows Update Client successfully detected 0 updates.
2008-06-25 01:32:51:576 1456 790 Report REPORT EVENT: {6618D157-33B1-4F08-8ED5-2EFAEF678497} 2008-06-25 01:32:46:583-0400 1 156 101 {00000000-0000-0000-0000-000000000000} 0 0 Windows Defender Success Pre-Deployment Check Reporting client status.
2008-06-25 02:07:32:681 1456 adc AU AU received policy change subscription event
2008-06-25 03:01:50:210 1456 adc AU Forced install timer expired for scheduled install
2008-06-25 03:01:50:244 1456 adc AU UpdateDownloadProperties: 0 download(s) are still in progress.
2008-06-25 03:01:50:262 1456 adc AU Found a pending reboot, launching reboot UI
2008-06-25 03:01:50:262 1456 adc AU AU setting pending client directive to 'Reboot Warning'
2008-06-25 03:01:50:262 1456 adc AU Changing existing AU client directive from 'Reboot Pending' to 'Reboot Warning', session id = 0x0
2008-06-25 03:01:50:262 1456 adc AU Setting AU scheduled install time to 2008-06-26 07:00:00
2008-06-25 03:01:50:296 6004 c24 CltUI AU client got new directive = 'Reboot Warning', serviceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, return = 0x00000000
2008-06-25 03:01:50:331 6004 c24 CltUI AU client reboot notification: user clicked Restart Later
2008-06-25 03:06:51:096 1456 adc AU AU invoking RebootSystem (OnRebootNow)
2008-06-25 03:06:51:242 1456 adc Misc WARNING: SUS Client is rebooting system.
2008-06-25 03:06:51:242 1456 adc AU AU invoking RebootSystem (OnRebootRetry)
2008-06-25 03:07:01:645 1456 adc AU AU invoking RebootSystem (OnRebootRetry)
2008-06-25 03:07:10:389 1456 adc Misc WARNING: SUS Client is rebooting system.
2008-06-25 03:07:10:389 1456 adc AU AU received handle event
2008-06-25 03:07:20:564 1456 adc AU AU invoking RebootSystem (OnRebootRetry)
2008-06-25 03:07:20:564 1456 adc Misc WARNING: SUS Client is rebooting system.
2008-06-25 03:07:30:626 1456 adc AU AU invoking RebootSystem (OnRebootRetry)
2008-06-25 03:07:32:771 1456 adc Misc WARNING: SUS Client is rebooting system.
2008-06-25 03:07:42:667 1456 adc AU ###########  AU: Uninitializing Automatic Updates  ###########

<edit>



Here's an excerpt from updatesDeployment.log - best to copy and paste into a .log file and use trace32 to view:

<![LOG[Deadline received for assignment ({D6D4B740-D23B-4D64-A03D-7EEB26BEA72E})]LOG]!><time="14:22:37.709+240" date="06-24-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="4184" file="updatesassignment.cpp:806">
<![LOG[Detection job ({FF35B14C-7291-4453-9076-5BB5B1E9656B}) started for assignment ({D6D4B740-D23B-4D64-A03D-7EEB26BEA72E})]LOG]!><time="14:22:37.725+240" date="06-24-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="4184" file="updatesassignment.cpp:1085">
<![LOG[Message received: '<?xml version='1.0' ?>
<CIAssignmentMessage MessageType='Activation'>
   <AssignmentID>{D6D4B740-D23B-4D64-A03D-7EEB26BEA72E}</AssignmentID>
</CIAssignmentMessage>']LOG]!><time="14:22:37.740+240" date="06-24-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="1004" file="cdeploymentagent.cpp:190">
<![LOG[Assignment ({D6D4B740-D23B-4D64-A03D-7EEB26BEA72E}) received activation trigger]LOG]!><time="14:22:37.756+240" date="06-24-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="1004" file="updatesassignment.cpp:642">
<![LOG[Operation (TriggerEnforce) already in progress. No need to activate.]LOG]!><time="14:22:37.756+240" date="06-24-2008" component="UpdatesDeploymentAgent" context="" type="2" thread="1004" file="updatesassignment.cpp:648">
<![LOG[DetectJob completion received for assignment ({D6D4B740-D23B-4D64-A03D-7EEB26BEA72E})]LOG]!><time="14:22:37.803+240" date="06-24-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="1004" file="updatesassignment.cpp:1853">
<![LOG[Added update (Site_65FA2E5A-89B0-4E0E-94F8-C1827ECF632D/SUM_46a0b6f7-b283-45f8-9ccb-c8e3b4ec332c) to the targeted list]LOG]!><time="14:22:37.803+240" date="06-24-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="1004" file="updatesmanager.cpp:851">
<![LOG[Added update (Site_65FA2E5A-89B0-4E0E-94F8-C1827ECF632D/SUM_5d2787cb-bcb5-439d-b734-3e6f1b21b2dd) to the targeted list]LOG]!><time="14:22:37.818+240" date="06-24-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="1004" file="updatesmanager.cpp:851">
<![LOG[User logoff system task]LOG]!><time="03:07:19.232+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="5208" file="systemtasks.cpp:111">
<![LOG[Service shutdown system task]LOG]!><time="03:07:39.468+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="3856" file="systemtasks.cpp:57">
<![LOG[Service startup system task]LOG]!><time="03:11:36.034+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="200" file="systemtasks.cpp:30">
<![LOG[Software Updates feature is enabled]LOG]!><time="03:11:36.517+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="200" file="cdeploymentagent.cpp:55">
<![LOG[GetLoggedOnUserSIDString: No user is logged on.]LOG]!><time="03:11:39.276+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="0" thread="200" file="usertoken.cpp:1023">
<![LOG[No user is logged on]LOG]!><time="03:11:39.276+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="200" file="updatesdeployment.cpp:118">
<![LOG[GetLoggedOnUserSIDString: No user is logged on.]LOG]!><time="03:11:42.144+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="0" thread="200" file="usertoken.cpp:1023">
<![LOG[Total Pending reboot updates = 1]LOG]!><time="03:11:42.144+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="200" file="updatesmanager.cpp:651">
<![LOG[Initiated detect for pending reboot updates after system restart - JobId = {EAEE2A74-6EF8-45BC-8468-BFC9E88CA68C}]LOG]!><time="03:11:42.674+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="200" file="updatesmanager.cpp:710">
<![LOG[Assignment {5F295E35-E68E-4981-8164-C61DABF79187} has total CI = 17]LOG]!><time="03:11:43.235+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="200" file="updatesassignment.cpp:143">
<![LOG[Assignment ({5F295E35-E68E-4981-8164-C61DABF79187}) reconnected to the existing job ({0D2F942E-D05C-43E8-93F0-DBB7F4B19819}) successfully.]LOG]!><time="03:11:43.235+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="200" file="updatesassignment.cpp:452">
<![LOG[OnServiceWindowAvailable - No pending install assignment]LOG]!><time="03:11:43.250+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="200" file="assignmentsmanager.cpp:275">
<![LOG[Startup task completed]LOG]!><time="03:11:43.250+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="200" file="cdeploymentagent.cpp:105">
<![LOG[CTargetedUpdatesManager - Job completion received.]LOG]!><time="03:12:57.491+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="3408" file="updatesmanager.cpp:1658">
<![LOG[Job Id = {EAEE2A74-6EF8-45BC-8468-BFC9E88CA68C}]LOG]!><time="03:12:57.491+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="3408" file="updatesmanager.cpp:1666">
<![LOG[Detect after reboot job completed with result = 0x0]LOG]!><time="03:12:57.491+240" date="06-25-2008" component="UpdatesDeploymentAgent" context="" type="1" thread="3408" file="updatesmanager.cpp:1812">

< Message edited by sounddoc -- 6/25/2008 4:37:06 PM >

_____________________________

-P

(in reply to mhudson)
Post #: 7
RE: Software update user interaction - 6/25/2008 7:26:23 PM   
csummers311


Posts: 103
Score: 5
Joined: 2/20/2004
From: Tampa, FL
Status: offline 		Is it possible that you have a GPO setup to reboot at 3AM?

(in reply to sounddoc)
Post #: 8
RE: Software update user interaction - 6/25/2008 11:06:14 PM   
jsandys


Posts: 464
Score: 17
Joined: 3/24/2005
From: San Antonio, TX
Status: offline 		ConfigMgr Updates and Windows Updates use the same facility to deploy updates and to monitor their status. Thus if the machine's local policy (or a group policy) says to apply updates at 3AM (via the Windows Updates settings), the local Windows update will reboot if a reboot is pending. Because 3AM is the default time for Windows update to be configured to reboot when enabled, I think it highly likely that the local windows update on those system is configured to update and/or reboot at 3AM.

_____________________________

Jason
________________________________________
http://myitforum.com/cs2/blogs/jsandys/default.aspx

(in reply to csummers311)
Post #: 9
RE: Software update user interaction - 6/26/2008 10:32:08 AM   
sounddoc

 

Posts: 41
Score: 0
Joined: 11/15/2007
Status: offline 		There's no GPO in place to reboot at 3am, as stated earlier I now have one to suppress reboots through AU.

So there's still one more piece of the puzzle that I am confused by. As jsandys above has noted, the local policy, or more accurately the local user setup of windows updates doesn't seem to be controlled by SCCM anywhere. For example, you set up AU through GP, or locally to install updates at 3am daily, etc...this is all good, but wouldn't it override any SCCM deadline / installation settings, and therefore supressed reboot settings? I believe this is what my issue was - AU was set up by the user on the machine to install at 3am daily, and reboots were not suppressed through GP. The scan cycle picked up updates from SCCM, directed them to AU which said, ok, I'll install these at 3am as my local policy says to, it did, and then rebooted because there is no part of the /local/ policy that says not to reboot, or to suppress notifications - hence the two showing up in the log i posted.

Here's my delimna then: a brand new imaged machine is pestering for AU to be set up. SCCM agent is installed and has updates targeted towards it. There're no policies local, or Group assigned to the machine for AU, outside of the client agent policies...doesn't this mean the AU wizard setup exclamation point would be present indefinitely until it is either configured by the user or by GP?

thanks again for all the input as well!

_____________________________

-P

(in reply to jsandys)
Post #: 10
RE: Software update user interaction - 6/26/2008 11:10:21 AM   
sounddoc

 

Posts: 41
Score: 0
Joined: 11/15/2007
Status: offline 		Found my answer....looks like you DO have to configure AU through GP when using SCCM/WSUS...I suppose it is still WSUS afterall. Would be nice to have this configured through the client agent options as other things pertaining to updates are.

http://technet.microsoft.com/en-us/library/bb632393(TechNet.10).aspx#SUM_GPSettings

I'm going to assume then that deadlines and such set in the SCCM deployment will override the SCCM settings.

and now for some testing. thanks again, guys, appreciate all the help.


_____________________________

-P

(in reply to sounddoc)
Post #: 11
RE: Software update user interaction - 6/26/2008 12:54:50 PM   
lcpc78

 

Posts: 40
Score: 0
Joined: 10/4/2007
Status: offline 		I was able to successfully configure AU through GPO and set it to Disabled. I am still able to configure updates using SCCM. Just ensure you don't disable the Automatic Update service. If you configure the WSUS site via GPO make sure you configure it "servername.mydomain.com:80/443. Your better off not configuring this as the SCCM settings will configure it on it's on. So in theory the only thing you would have to set via GPO for AU would be to disable it and enable signed content.

(in reply to sounddoc)
Post #: 12
RE: Software update user interaction - 6/26/2008 1:32:41 PM   
sounddoc

 

Posts: 41
Score: 0
Joined: 11/15/2007
Status: offline 		I'm not setting a location, I let the client agent do that. The only thing I'm setting is what is prescribed by MS in the technet document above. In short, I suppress reboots for logged on users, and set to 4, auto download and schedule, install at 3am every day, and allow signed content. As a side note, though, I do set BITS (manual) and the AU (automatic) services in the policy as well as the AU service had been disabled in the past by spyware / viruses.

With these settings things seem to be working well now. I should have guessed that the "configure automatic updates" policy had to be set as it was when I was using WSUS 2 long ago, as SCCM's windows updates are after all WSUS driven.

Thanks again, all

_____________________________

-P

(in reply to lcpc78)
Post #: 13
RE: Software update user interaction - 6/26/2008 4:43:51 PM   
jsandys


Posts: 464
Score: 17
Joined: 3/24/2005
From: San Antonio, TX
Status: offline 		Based on the description in the Group Policy editor, disabling Automatic Updates via a GPO does disable the Automatic Updates service.  I'm not sure if that is accurate or not though, has anyone tested this?

_____________________________

Jason
________________________________________
http://myitforum.com/cs2/blogs/jsandys/default.aspx

(in reply to sounddoc)
Post #: 14
RE: Software update user interaction - 6/30/2008 11:49:28 PM   
lcpc78

 

Posts: 40
Score: 0
Joined: 10/4/2007
Status: offline 		When I configured AU through GPO I turned AU off, but I did not configure the actual service through GPO. I tested it and it does work.

(in reply to jsandys)
Post #: 15
Page:   [1]
All Forums >> [Management Products] >> System Center Products >> System Center Configuration Manager >> Software update user interaction Page: [1]
Jump to:





New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts



  
Forum Software © ASPPlayground.NET Advanced Edition 2.4.5 ANSI

0.320