This article walks you through the update process in Microsoft System Center Configuration Manager current branch, and demonstrates how things work from the client side.
Overview
When a client computer in the target collection for a deployment receives machine policy, the Software Update Client Agent starts an evaluation scan. The client agent downloads the content for required update installations from a distribution point to the local client cache at the Software available time setting for the deployment.
This process differs for software updates in optional deployments (deployments that do not have an installation deadline). This is because these updates are not downloaded until a user manually starts the installation. When the configured deadline passes, the Software Updates client agent runs a scan to verify that the software updates are still required. If they are, the agent then checks the local cache on the client computer to verify that the software update source files are still available, and then installs them.
If the content was deleted from the client cache to make room for another deployment, the client redownloads the software updates from the distribution point to the client cache. Software updates are always downloaded to the client cache regardless of the configured maximum client cache size.
After the installation is finished, the client agent verifies that the software updates are no longer required, and then sends a state message to the management point to indicate that the software updates are now installed on the client.
Taking a Closer Look
To get a better understanding of this process, let’s take a look at the client log files and track the progress as we deploy KB 3176493. The client and site server components record process information in individual log files. By default, client and server component logging is enabled in Configuration Manager. You can use the information in these log files to help you troubleshoot issues that might occur in your Configuration Manager environment. For more information about these log files, see Configuration Manager client logs.
This is what the KB 3176493 entry looks like at the start:
Software Update Scanning and Evaluation
When the Evaluation cycle is requested (manual or on schedule), entries that resemble the following are logged in the ScanAgent.log file:
Message received: '<?xml version='1.0' ?> <UpdateSourceMessage MessageType='ScanByUpdateSource'>
<ForceScan>TRUE</ForceScan>
<UpdateSourceIDs>
<ID>{39B24983-D827-4C7C-8782-029410E9C146}</ID>
</UpdateSourceIDs>
</UpdateSourceMessage>'
On the server that is running Microsoft SQL Server, SQL profiler shows that Configuration Manager is running the stored procedure MP_GetWSUSServerLocations:
RPC:Completed exec MP_GetWSUSServerLocations N'{39B24983-D827-4C7C-8782-029410E9C146}',N'167',N'FCH',N'FCH',N'0',N'server.contoso.local' System Center 2012 Configuration Manager SYSTEM NT AUTHORITY\SYSTEM 16 131 0 38 1816 72 8/10/2016 1:24:05 AM
0X000000000700000032004D0050005F0047006500740057005300550053005300650072007600650072004C006F0063006100740069006F006E007300720000
This value is then returned to LocationService.log:
Calling back with the following WSUS locations
8/10/2016 1:24:05 AM 7956 (0x1F14) WSUS Path='http://server.contoso.local:8530', Server='server.contoso.local', Version='167'
ScanAgent.log also shows the following:
*****Policy Change notification received for ToolUniqueID={39B24983-D827-4C7C-8782-029410E9C146}
*****ScanByUpdates request received with ForceReScan=0, ScanOptions=0x00000008, WSUSLocationTimeout = 604800
ScanAgent then checks the update source and Time-To-Live (TTL) settings for the last scan results, and submits a request for WSUS server location. Then, LocationService retrieves the WSUS location from the Management Point, and returns the URL and the server name. This is shown in the following example entry from ScanAgent.log:
ScanJob({DCB47C9A-3D45-4495-8116-5EE9E0F3B4D2}): - - - - - -Locations requested for ScanJobID={DCB47C9A-3D45-4495-8116-5EE9E0F3B4D2} (LocationRequestID={6CBEFDD4-7390-4A41-AA4D-4D3F8B72111F}), will process the scan request once locations are available.
*****WSUSLocationUpdate received for location request guid={6CBEFDD4-7390-4A41-AA4D-4D3F8B72111F}
Next, the Windows Update scan is initiated, and an entry that resembles the following is logged in ScanAgent.log:
*****ScanByUpdates request received with ForceReScan=0, ScanOptions=0x00000008, WSUSLocationTimeout = 604800
- - -Evaluating Update Status...
Found CategoryID of :0fa1201d-4330-4fa8-8ae9-b877473b6441 for Update:4d52d21e-e4a1-4043-bcda-69a696b2b257
CScanAgent::ScanByUpdates - Found UpdateClassification 0fa1201d-4330-4fa8-8ae9-b877473b6441 for Update:4d52d21e-e4a1-4043-bcda-69a696b2b257
Found CategoryID of :0fa1201d-4330-4fa8-8ae9-b877473b6441 for Update:a12fff7b-aefc-4815-ab2e-0048ada4ea9e
CScanAgent::ScanByUpdates - Found UpdateClassification 0fa1201d-4330-4fa8-8ae9-b877473b6441 for Update:a12fff7b-aefc-4815-ab2e-0048ada4ea9e
Found CategoryID of :0fa1201d-4330-4fa8-8ae9-b877473b6441 for Update:c071152f-3697-44f4-b77c-bf07519dd63e
CScanAgent::ScanByUpdates - Found UpdateClassification 0fa1201d-4330-4fa8-8ae9-b877473b6441 for Update:c071152f-3697-44f4-b77c-bf07519dd63e
Found CategoryID of :0fa1201d-4330-4fa8-8ae9-b877473b6441 for Update:e6561a3e-2ee6-48e4-8770-78068771cfcb
CScanAgent::ScanByUpdates - Found UpdateClassification 0fa1201d-4330-4fa8-8ae9-b877473b6441 for Update:e6561a3e-2ee6-48e4-8770-78068771cfcb
State messages are created for each software update that changed in compliance state. Then, state messages are sent to the Management Point, as shown in StateMessage.log:
Adding message with TopicType 500 and TopicId 4d52d21e-e4a1-4043-bcda-69a696b2b257 to WMI
State message(State ID : 2) with TopicType 500 and TopicId 4d52d21e-e4a1-4043-bcda-69a696b2b257 has been recorded for SYSTEM
Successfully forwarded State Messages to the MP
We also see entries that resemble the following in WUAHandler.log:
Its a WSUS Update Source type ({39B24983-D827-4C7C-8782-029410E9C146}), adding it.
Existing WUA Managed server was already set (http://FC-CM01.fourthcoffee.local:8530), skipping Group Policy registration.
Added Update Source ({39B24983-D827-4C7C-8782-029410E9C146}) of content type: 2
Scan results will include superseded updates only when they are superseded by service packs and definition updates.
Search Criteria is (DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver')
Async searching of updates using WUAgent started.
Async searching completed.
Successfully completed scan.
Installation
When a client computer in the target collection for the deployment receives the machine policy, machine policy (including new or changed deployment assignment policy) is downloaded. UpdatesDeployment.log receives a modification event, and then triggers the evaluation and installation process, as shown:
Assignment {b8cf0a9f-3b46-4ce7-9712-b281aa88b953} has total CI = 16
OnPolicyModify for assignment ({b8cf0a9f-3b46-4ce7-9712-b281aa88b953})...
Update (Site_39B24983-D827-4C7C-8782-029410E9C146/SUM_4d52d21e-e4a1-4043-bcda-69a696b2b257) Name (Cumulative Update for Windows 10 Version 1511 (KB3176493)) ArticleID (3176493) added to the targeted list of deployment ({b8cf0a9f-3b46-4ce7-9712-b281aa88b953})
Raising client SDK event for class CCM_SoftwareUpdate, instance CCM_SoftwareUpdate.UpdateID="Site_39B24983-D827-4C7C-8782-029410E9C146/SUM_4d52d21e-e4a1-4043-bcda-69a696b2b257", actionType 11l, value NULL, user NULL, session 4294967295l, level 0l, verbosity 30l
UpdatesStore checks the status of each update, and looks for the source. Then, CIDownloader determines the applicability for each update. This is shown in UpdateStore.log:
Queried Update (4d52d21e-e4a1-4043-bcda-69a696b2b257): Status=Missing, Title=Cumulative Update for Windows 10 Version 1511 (KB3176493), BulletinID=MS16-095, QNumbers=3176493, LocaleID=, ProductID=0fa1201d-4330-4fa8-8ae9-b877473b6441, UpdateClassification = 0fa1201d-4330-4fa8-8ae9-b877473b6441, ExcludeForStateReporting=FALSE.
Querying update status of 2 updates.
Queried Update (4d52d21e-e4a1-4043-bcda-69a696b2b257): Status=Missing, Title=Cumulative Update for Windows 10 Version 1511 (KB3176493), BulletinID=MS16-095, QNumbers=3176493, LocaleID=, ProductID=0fa1201d-4330-4fa8-8ae9-b877473b6441, UpdateClassification = 0fa1201d-4330-4fa8-8ae9-b877473b6441, ExcludeForStateReporting=FALSE.
Queried Update (4d52d21e-e4a1-4043-bcda-69a696b2b257): Status=Installed, Title=Cumulative Update for Windows 10 Version 1511 (KB3176493), BulletinID=MS16-095, QNumbers=3176493, LocaleID=, ProductID=0fa1201d-4330-4fa8-8ae9-b877473b6441, UpdateClassification = 0fa1201d-4330-4fa8-8ae9-b877473b6441, ExcludeForStateReporting=FALSE.
UpdatesHandler retrieves download settings and software update relationships, and then calls to download content.
Entries that resemble the following appear in UpdatesHanlder.log:
Bundle update (4d52d21e-e4a1-4043-bcda-69a696b2b257) is requesting download from child updates for action (INSTALL)
StateCore - bundle update (4d52d21e-e4a1-4043-bcda-69a696b2b257) state changed from (WAIT_CONTENTS) to (EXECUTE_READY) as child update state changed
Bundle update (4d52d21e-e4a1-4043-bcda-69a696b2b257) is requesting download from child updates for action (INSTALL)
Entries that resemble the following appear in WUAHandler.log:
Going to search using WSUS update source.
Synchronous searching of all updates started...
Successfully completed synchronous searching of updates.
1. Update: 4d52d21e-e4a1-4043-bcda-69a696b2b257, 205 BundledUpdates: 1
Update: a12fff7b-aefc-4815-ab2e-0048ada4ea9e, 200 BundledUpdates: 0
1. Update (Missing): Cumulative Update for Windows 10 Version 1511 (KB3176493) (4d52d21e-e4a1-4043-bcda-69a696b2b257, 205)
Async installation of updates started.
Update 1 (4d52d21e-e4a1-4043-bcda-69a696b2b257) finished installing (0x00000000), Reboot Required? Yes
Async install completed.
Installation of updates completed.
Then, you receive the content location, and the following entry is logged in LocationService.log:
Calling back with the following distribution points
Distribution Point=' http://FC-CM01.fourthcoffee.local/SMS_DP_SMSPKG $/a12fff7b-aefc-4815-ab2e-0048ada4ea9e', Locality='LOCAL', DPType='SERVER', Version='8325', Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>', Signature=' http://FC-CM01.fourthcoffee.local/SMS_DP_SMSSIG $/a12fff7b-aefc-4815-ab2e-0048ada4ea9e.1.tar', ForestTrust='TRUE',
Filtering locations for request {E68DF60D-00D0-4330-9ECE-8742B48CB801}.
Then software update content is downloaded to the cache, and the following entry is logged in DataTransferService.log:
UpdateURLWithTransportSettings(): OLD URL - http://FC-CM01.fourthcoffee.local/SMS_DP_SMSPKG $/a12fff7b-aefc-4815-ab2e-0048ada4ea9e
UpdateURLWithTransportSettings(): NEW URL - http://FC-CM01.fourthcoffee.local:80/SMS_DP_SMSPKG $/a12fff7b-aefc-4815-ab2e-0048ada4ea9e
DTSJob {252AF5CA-A261-49FA-82DB-50556214AEAC} created to download from ' http://FC-CM01.fourthcoffee.local:80/SMS_DP_SMSPKG $/a12fff7b-aefc-4815-ab2e-0048ada4ea9e' to 'C:\Windows\ccmcache\1b'.
DTSJob {252AF5CA-A261-49FA-82DB-50556214AEAC} in state 'DownloadingManifest'.
GET: Host=FC-CM01.fourthcoffee.local, Path=/SMS_DP_SMSPKG$/a12fff7b-aefc-4815-ab2e-0048ada4ea9e, Port=80, Protocol=http, Flags=133, Options=224
UpdatesDeploymentAgent then raises a state message (download complete), and calls WUAHandler to handle the software update installation through WUA. You can see this in the following entries in UpdatesDeployment.log:
ApplyCIs - JobId = {301925A8-283F-42AE-95F0-272A10359929}
…...
Update (Site_39B24983-D827-4C7C-8782-029410E9C146/SUM_4d52d21e-e4a1-4043-bcda-69a696b2b257) Progress: Status = ciStateInstalling, PercentComplete = 10, DownloadSize = 0, Result = 0x0
Update (Site_39B24983-D827-4C7C-8782-029410E9C146/SUM_4d52d21e-e4a1-4043-bcda-69a696b2b257) Progress: Status = ciStateInstalling, PercentComplete = 100, DownloadSize = 0, Result = 0x0
CUpdatesJob({301925A8-283F-42AE-95F0-272A10359929}): Job completion received.
CUpdatesJob({301925A8-283F-42AE-95F0-272A10359929}): Delete job from WMI
WUA then installs the updates, and you see the following in the CBS.log file:
Info CBS Opened cabinet package, package directory: \\?\C:\WINDOWS\SoftwareDistribution\Download\b0e4281cd82e8b66165a25b8a4ae6648\, sandbox location: \\?\C:\WINDOWS\SoftwareDistribution\Download\b0e4281cd82e8b66165a25b8a4ae6648\inst\, cabinet location: \\?\C:\WINDOWS\SoftwareDistribution\Download\b0e4281cd82e8b66165a25b8a4ae6648\Windows10.0-KB3176493-x86.cab, manifest location: \\?\C:\WINDOWS\SoftwareDistribution\Download\b0e4281cd82e8b66165a25b8a4ae6648\inst\update.mum
Info CBS Extracting all files from cabinet \\?\C:\WINDOWS\SoftwareDistribution\Download\b0e4281cd82e8b66165a25b8a4ae6648\inst\Cab_1_for_KB3176493.cab
Next, state messages are created for each software update that changed in the compliance state, and these state messages are sent to the management point, as shown in StateMessage.log:
State message(State ID : 3) with TopicType 500 and TopicId 4d52d21e-e4a1-4043-bcda-69a696b2b257 has been recorded for SYSTEM
At this point, the updates are installed, and the hierarchy is updated.
