Thursday, September 27, 2007

Installing SCCM 2007 Clients using Software Update Point

After installing System Center Configuration Manager 2007, we need to deploy the SCCM client. There are a lot of ways to deploy the SCCM client but I will be focusing more on using the Software Update Point as I have been using Windows Server Update Services (WSUS) for patch management. The first thing you need is to make sure that you already have a WSUS 3.0 in your infrastructure as you will be using this as your Software Update Point. The nice thing about this approach is that you already have your infrastructure set for software update management.

  1. Install Software Update Point.
    You need to install the Configuration Manager Software Update Point Site Role on top of your WSUS 3.0. This could also be on another machine which points to a remote WSUS 3.0. If you are going to install this on a server separate from your WSUS 3.0 server, you need to have the WSUS 3.0 admin console prior to installing the software update point. If you want to use your primary site server as your software update point as well, you just need to add a new role and define it as a Software Update Point. The typical configurations for WSUS 3.0 will be used for this configuration, such as if you are using a proxy server to connect to Microsoft Updates, whether you are using an upstream WSUS 3.0 server, etc. You can also enable a synchronization schedule. A recommended schedule for this is on a weekly basis and after patch Tuesday (Tuesday afternoon my time). In my case, I do manual synchronization and run once after patch Tuesday or anytme I get an email alert from Microsoft for Critical Security updates. You also define the classification - critical updates, service packs, etc. - the same way you do in WSUS. Then you specify the products which you need to configure the updates for. Since you have Microsoft as the vendor by default, you can select which products are installed within your enterprise - Office 2003, SQL Server, Windows, etc. Then, you specify the different languages you need for those updates.
    Note that the steps are similar to that of the WSUS 3.0 configuration. If you have configured yor WSUS 3.0 prior to deploying your software update point, those will be overwritten by your new configuration.
  2. Validate your configuration in the Software Update Point Component
    Any configuration you've made in setting up your software update point can be validated in the Software Update Point Component under the Component Configuration. So, if you need to do some modifications in the long run, this is the right place to do it.
  3. Configure the Software Update Point Client Installation
    At this point, we still have to deploy the SCCM client in order to use our software update point for patch management. Under the Client Installation Methods, make sure that Software Update Point Client Installation is enabled. This is to publish the SCCM client to WSUS 3.0 as a mandatory update. Together with this, the appropriate BITS component will be downloaded by the client as well.
  4. Configure the Software Update Client Agents
    Although we haven't really installed the SCCM clients at this point, we can already configure how our clients will behave like enforcing all mandatory deployments and deployment re-evaluation
  5. Configure a Group Policy for Windows Update
    Similar to how we configure a group policy to point clients to download updates from a WSUS server, we need to do the same. If you already have this in place, you can skip this portion. For a more detailed description on how to do this, check out this Microsoft TechNet documentation. Make sure that you treat servers and workstations differently so you definitely need separate GPOs for these.
  6. Import the SCCM 2007 ADM Template
    I got this from Kim Oppalfen's (Microsoft MVP for Software Distribution) blog so all credit goes to him on the ADM template and the process on how to do this. Just make sure you specify the parameters needed for this. In my case, I just used the SMSSITECODE=value parameter.
    Now, we're ready to deploy the SCCM client and our Software Update Point has been configured as well. It's like hitting two birds with one stone. The best way to test whether our configuration is to log in to one of the machines in your domain and run a group policy update (gpupdate /force for Windows XP and Windows Server 2003 or secedit /refreshpolicy machine_policy /enforce for Windows 2000) and manually run a force detect of the Windows Update client (wuauclt /detectnow) If you open your Task Manager, you will see ccmsetup.exe in the Image name under the Processes tab. Another way to find out if the SCCM client is being deployed thru WSUS 3.0 is to look at the WindowsUpdate.log file which contains information regarding the installation of Configuration Manager Client

No comments: