Using ConfigMgr to deploy OpsMgr Server 2008 Hotfixes

There are two hotfixes that must be applied to all Windows Server 2008 systems that will have an OpsMgr agent installed on them. Fellow MVP Blake Mengotto did a really good job summarizing what we needed to know to determine the hotfixes required for Windows Server 2008 with OpsMgr agents.

The fixes are 952664 and 953290, with full details available at Blake’s blog,!A4408C121568CAA4!6047.entry.

Use a Software Update?

One thought on deploying the hotfixes was to provide them as a software update using Configuration Manager. The interesting thing, however, is that these two patches do not show up as available in the Update catalog. Working with a ConfigMgr SME, we tried to add these in using the CAB files, as these updates are actually MSU files, and an MSU can be converted into a CAB file. To do this, perform the following steps:

  • Extract the MSU files into the CAB files, for example: expand -f:* "<path>\Windows6.0-KB952664-v3-x64.msu" <destination>
  • discusses the Windows Update Stand-alone Installer
  • We extracted both of the fixes into their own directories. However, they failed on import into ConfigMgr when attempting to add the CAB files.

So that approach wasn’t going to be useful here.

Find Systems Missing the Patches?

Next, we thought about how to determine what systems do and do not have these hotfixes installed. To address this, we checked to see if ConfigMgr brings back this information. It was verified that ConfigMgr does bring back information from Add/Remove Programs, but does not bring back information about the updates installed on the system (which can be viewed in Add/Remove programs on the Windows Server 2008 systems). There appeared to be no easy way to find this in ConfigMgr. Kevin Holman has good information on how to find this out using an OpsMgr report, documented at

Add/remove programs will show this information, displayed below:


Using Software Deployment: Collections

Having determined that software updates were out, the next approach is a software deployment. To facilitate this, we created a custom collection that met the following criteria:

The top level collection includes Windows Server 2008 systems with the OpsMgr agent that are not OpsMgr management servers (excluding another collection). (This query will eventually have to be changed to disregard all Windows Server 2008 systems with SP1 installed because these hotfixes will be included, but this syntax works currently.)

Using Software Deployment: Top-Level collection

We created a top-level collection using the following syntax:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceID = SMS_R_System.ResourceId where SMS_R_System.Client = 1 and SMS_R_System.OperatingSystemNameandVersion like "%Server 6.0%" and SMS_G_System_SERVICE.DisplayName = "OpsMgr Health Service"  and SMS_R_System.ResourceId not in (Select ResourceID from SMS_FullCollectionMembership where CollectionID="ABC0003E")  

Using Software Deployment: Sub-collections

Next, we created sub-collections for I386, X86, and IA64 based upon the top level collection. Each of these collections was defined to exclude the members of a custom collection created for management servers, which has a collection ID of ABC0003E. The SystemType for each query will vary for the particular operating system.

The syntax for the sub-collection is:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.SystemType = "x64-based PC"

Using Software Deployment: The Packages & Programs

We ended up creating four different packages for these; two for each hotfix. The packages were 952644-x64, 952644-x86, 953290-x64 and 953290-x86 as shown below.


Each was created as a new package (without a definition because this is not an MSI, PDF, or SMS file), and each had a single program defined to install the hotfix. For the package, the customized settings included:


For the program, the syntax looks like:

Command line: wusa.exe \\<ServerFQDN>\952664-x86\Windows6.0-KB952664-v3-x64.msu /quiet /norestart


This was based on the KB article at

Each patch needed its own share defined for the hotfix to install. This share is referenced in the program command line above to specify where to run the hotfix from.

The program was configured to run for a maximum of 10 minutes (above), whether or not a user is logged on (below).

Using Software Deployment: The Advertisement

The advertisements were configured as mandatory assignments targeted at the appropriate collections (as an example, the 953290-x86 package was targeted to the I386 – OpsMgr Hotfixes collection). These advertisements were set to install regardless of maintenance windows but did not allow system restart outside of maintenance windows, shown below:

We next configured the distribution points so that the programs would run directly from them as shown below:

Software Deployment: Results

Some of the Server 2008 systems reported back an error of 1, but these appear to have been systems where the hotfix was previously deployed successfully. Those systems that did not have the hotfixes installed appeared to have deployed without issue, although they require a reboot to complete the hotfix installation.
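
The detection question and the install command line described above can be combined into one wrapper that checks for the hotfix before starting wusa.exe, so already-patched systems report success instead of an error. This is an added example, not part of the original post; the parameter names and the availability of PowerShell 2.0 on the targets are assumptions.

```powershell
# Added example (not from the original post). Parameter names and the use of
# PowerShell 2.0 cmdlets are assumptions; the KB numbers and the wusa.exe
# switches are the ones used in the post.
param(
    [Parameter(Mandatory = $true)][string]$HotfixId,   # e.g. KB952664
    [Parameter(Mandatory = $true)][string]$MsuPath     # UNC path to the .msu on the package share
)

function Test-HotfixInstalled {
    param([string]$Id)
    # Win32_QuickFixEngineering lists installed updates, the data that the
    # Add/Remove Programs inventory in ConfigMgr does not bring back.
    $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -Filter "HotFixID='$Id'"
    return ($null -ne $qfe)
}

if (Test-HotfixInstalled -Id $HotfixId) {
    Write-Output "$HotfixId is already installed; wusa.exe not started."
    exit 0
}

if (-not (Test-Path -LiteralPath $MsuPath)) {
    Write-Output "Package not reachable: $MsuPath"
    exit 2      # ERROR_FILE_NOT_FOUND
}

# Same switches as the program command line in the post.
$proc = Start-Process -FilePath 'wusa.exe' `
    -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output "$HotfixId installed." }
    3010    { Write-Output "$HotfixId installed; reboot required to complete." }
    2359302 { Write-Output "$HotfixId reported as already installed by wusa.exe." }
    default { Write-Output "wusa.exe failed with exit code $($proc.ExitCode)." }
}

# Treat "already installed" (0x00240006) as success; pass everything else through.
if ($proc.ExitCode -eq 2359302) { exit 0 }
exit $proc.ExitCode
```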


ConfigMgr 2007 can be used to automate the process of deploying the required hotfixes for Windows Server 2008 to machines with the OpsMgr client running on them. This was not exactly a simple process, though; hopefully there are better ways out there. If you know about them, please let us know!
