You're reading from Troubleshooting System Center Configuration Manager

Product type Paperback

Published in Mar 2016

Publisher

ISBN-13 9781782174844

Length 248 pages

Edition 1st Edition

Tools

Microsoft System Center Configuration Manager

Concepts

Cloud Computing

Authors (2):

Gerry Hampson

Peter Egerton

View More author details

Table of Contents (11) Chapters

Preface

1. The Configuration Manager Troubleshooting Toolkit

2. Configuration Manager Monitoring Workspace and Log Files FREE CHAPTER

3. Troubleshooting Configuration Manager Clients

4. Troubleshooting Hierarchies and Site Servers

5. Troubleshooting Management Points and Distribution Points

6. Troubleshooting Other Roles

7. Troubleshooting Common Tasks

8. Disaster Recovery

9. Avoiding Trouble

Index

Troubleshoot software update deployment

Software Updates deployment is another popular Configuration Manager feature. A robust process is essential to maintain network security and compliance. This is a complicated process consisting of many moving parts. The Software Update Point (SUP) is a Site System role that leverages Windows Server Update Services (WSUS) to make Microsoft updates available in the Configuration Manager console. The updates are then arranged in Software Update Groups and deployed using Deployment Packages. Other components used in the process include the following:

Configuration Manager Client Agent
Windows Update Agent (WUA)
Device Collections
Deadlines
Maintenance Windows
Automatic Deployment Rules (ADR)
SQL Server Reporting Services

Troubleshooting steps

It's not possible for us to describe every possible issue that you will encounter when deploying a Software Updates solution with Configuration Manager. There are too many components that can be configured in many different ways. We've concentrated on the main components in the following and have added troubleshooting guidance in each case. More detail for some of the steps is provided later in this chapter.

Component	Troubleshooting step
Configuration Manager client	Verify that the client is healthy. The previous Healthy Configuration Manager client section details how a healthy client should look.
	Verify that the client falls under a boundary defined in Configuration Manager. This boundary should be added to a boundary group that is configured with one or more DPs ("Waiting for content" and "0% downloaded" are typical messages when this is misconfigured).
	Force policy retrieval using the Configuration Manager applet in Control Panel: Machine Policy Retrieval and Evaluation Cycle Software Update Deployment Evaluation Cycle Software Updates Scan Cycle
	Examine log files for errors relating to location or site assignment: `ClientLocation.log` `LocationServices.log` `ClientIDManagerStartup.log`
Software Update Point	Examine the `SupSetup.log` file and verify that the SUP role has been added successfully.
WSUS integration	Verify the health of WSUS using `WSUSCtrl.log`.
	`WCM.log` provides information on the SUP connection to the WSUS. Remember that WSUS could be installed on a remote server. Verify that the relevant firewall ports are open. You will find this information in the official documentation in the TechNet Library.
	Remember that you should not configure WSUS in any way. If you have, it is recommended that you uninstall and start again. Configuration Manager will configure WSUS for you.
SUP synchronization	Examine the `Wsyncmgr.log` to verify that the SUP can synchronize with the Microsoft update catalog site. When the SUP successfully synchronizes, you should see update information in the Configuration Manager console (All Software Updates).
	Verify that you have configured the SUP with the correct proxy credentials. In some cases, it may be necessary to whitelist the SUP on the proxy to be able to access the Microsoft Updates sites with no filtering or authentication.
	Microsoft provides an online guided walkthrough to assist in troubleshooting software update synchronization issues. It provides detailed information on known issues and difficulties which is available at https://support.microsoft.com/en-ie/kb/2995743.
Software Updates Group	Remember that there is a hard limit of 1,000 updates per Software Update Groups. Bear this in mind when creating your SUG structure.
	Verify that you have chosen the required products and classifications in the SUP properties.
Deployment Package	Examine the `PatchDownloader.log` file for issues in downloading updates. If you manually run the Deploy Software Updates Wizard, this log file will be found under your user profile in the `%localappdata%\temp` folder. This log file will only be available when updates are actually downloading.
	Verify that the deployment package has been distributed to the DP. Check the Distribution Status node of the Monitoring workspace \| Content Status. Examine the `distmgr.log` file for errors.
Automatic Deployment Rules	Examine the `ruleengine.log` file for issues with ADRs. It is not uncommon to have to recreate an ADR if it is not running successfully.
Client side issues	Verify that the WUA initiates a compliance scan on the client. This compares the updates on the client to updates in the WSUS catalog. Details of this activity can be seen in `WUAHAndler.log` file.
	Update the WUA to the latest version.
	Examine the following log files for issues: `UpdatesDeployment.log`, `UpdatesHandler.log`, `UpdatesStore.log`, `Wuahandler.log`, and `WindowsUpdate.log`.
	Windows 7 update scan fails resulting in client performance issues and incorrect compliance status. This is resolved with `KB 3050265`. It is vital that this `KB` is deployed
Deadlines	You should understand deadline behavior. When a deadline is reached, all required updates will start to install. However, a period of randomization of up to two hours is built into the process. Therefore, do not be alarmed if clients do not start installing updates when the deadline is reached.
Maintenance Windows	Use Maintenance Windows correctly. They are very powerful when used in conjunction with deadlines. After a deadline passes, updates will be installed as soon as the next Maintenance Windows is reached. Examine the `ServiceWindow.log` file for issues with this process.
Software Updates Cleanup	Clean up superseded and expired updates (see the Software Updates Cleanup section).
Offline servicing	Offline servicing allows you to inject updates into an OSD image file. Servicing activity is recorded in the `OfflineServicingMgr.log` file.

Software Updates Cleanup

Unfortunately, there is no straightforward way to manage superseded and expired updates (even in Configuration Manager 2012 R2). You still have to remove these updates manually from Software Update Groups. There is no technical reason for removing these updates. They don't interfere with the patching process. However, you can save disk space on all your servers by carrying out a regular Software Updates cleanup.

You can do this manually by using the Configuration Manager console.

Use the Expired and Superseded criteria search for these updates.
Choose Edit Membership to find the Software Update Groups to which they belong.
Uncheck the boxes and select OK to remove the expired and superseded updates from the selected SUGs.
The updates are then marked for subsequent deletion.

This process is a little tedious. PowerShell scripts are available from the Configuration Manager community, which will help you to fine-tune this process.