Overview
- In this video guide, we will be covering how you can deploy software updates in Microsoft SCCM. This covers important aspects of deploying updates such as collection structure, maintenance windows, automatic deployment rules (ADRs), deadlines, and much more. This is a natural follow-up to my last blog, Deep Dive in Microsoft SCCM Software Updates Client and Server Components.
Topics in Video
- Review Software Update Point Settings (Classifications, Products, Sync) – https://youtu.be/6JHJes1u8Pg?t=62
- Collection Structure for Software Updates – https://youtu.be/6JHJes1u8Pg?t=174
- Maintenance Window for Broad Deployment Collection – https://youtu.be/6JHJes1u8Pg?t=324
- Review Client Policies for Software Updates and Restarts – https://youtu.be/6JHJes1u8Pg?t=496
- Review Software Update Metadata – https://youtu.be/6JHJes1u8Pg?t=754
- Create Software Update Groups for Previous Years – https://youtu.be/6JHJes1u8Pg?t=813
- Creating Software Update Group for the Current Year by Month – https://youtu.be/6JHJes1u8Pg?t=1229
- Create ADR for Windows Defender Definitions – https://youtu.be/6JHJes1u8Pg?t=1430
- Review the ADR log RuleEngine.log – https://youtu.be/6JHJes1u8Pg?t=1749
- Deploy the yearly Software Update Groups to the Broad Collection – https://youtu.be/6JHJes1u8Pg?t=1905
- Create ADR to Create Monthly Software Update Groups Going Forward – https://youtu.be/6JHJes1u8Pg?t=2124
- Review Multiple ADR Deployments for Testing Stages and Production – https://youtu.be/6JHJes1u8Pg?t=3023
Notes From Justin
- Cleaning Up Expired and Superseded Updates from Software Update Groups
- Since we are creating a new SUG each time the ADR runs, you will want to periodically go into your console and remove expired and superseded updates from your SUGs
- This process can be automated using Bryan Dam’s script – https://damgoodadmin.com/2018/04/17/software-update-maintenance-script-updated-all-the-wsusness/
- Another option is to search from “All Software Updates” for Deployed = Yes and Expired = Yes. Right-click all the updates found, choose “Edit Membership”, and un-check all checked SUGs.
- Consolidating Previous Years Monthly SUGs
- Forgot to mention in the video: when moving to the next year, I consolidate the previous year’s monthly software update groups into a yearly group. This helps to keep the number of software update groups low.
- Content Distribution
- Don’t forget to distribute your software update packages to a distribution point. I forgot to mention this in the video.
- Software Update Point Installation
- YouTube Video Guide – https://youtu.be/vZpuBrs0LwM?t=248
- Keep WSUS Clean!
- Maintaining the WSUS Catalog by Declining Updates for Better Update Scanning – https://setupconfigmgr.com/maintaining-the-wsus-catalog-by-declining-updates-for-better-sccm-scanning
- Third-Party Software Updates in SCCM
- Patch My PC Third-Party Update Catalog – https://patchmypc.net/third-party-patch-management-sccm-scup-catalog
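The cleanup note above (removing expired and superseded updates from every SUG that still contains them) can be scripted with the ConfigurationManager PowerShell module that ships with the console. The script below is an added example written for this page; it is not Justin’s code, not Bryan Dam’s maintenance script, and not part of the video. It assumes a placeholder site code of PS1, a host with the console installed, and the `Get-CMSoftwareUpdateGroup`, `Get-CMSoftwareUpdate` and `Remove-CMSoftwareUpdateFromGroup` cmdlets with the parameter names documented for the module. It runs report-only by default and only edits SUG membership when called with `-Remove`, so you can review the list first exactly as you would in the console.

```powershell
# Added example (not from the original page): report, and optionally remove,
# expired and superseded updates from every Software Update Group.
# Assumptions: site code PS1 is a placeholder; the ConfigMgr console (and its
# PowerShell module) is installed on the machine running this script.
param(
    [string]$SiteCode = 'PS1',   # placeholder site code, change to yours
    [switch]$Remove              # without this switch nothing is changed
)

# Load the module that ships with the console and switch to the site drive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Set-Location "$($SiteCode):"

function Get-StaleSugMembership {
    # One record per (SUG, update) pair where the update is expired or superseded.
    # -Fast skips lazy WMI properties; IsExpired/IsSuperseded are regular properties.
    foreach ($sug in Get-CMSoftwareUpdateGroup) {
        Get-CMSoftwareUpdate -UpdateGroupName $sug.LocalizedDisplayName -Fast |
            Where-Object { $_.IsExpired -or $_.IsSuperseded } |
            ForEach-Object {
                [pscustomobject]@{
                    SugName    = $sug.LocalizedDisplayName
                    UpdateId   = $_.CI_ID
                    ArticleId  = $_.ArticleID
                    Title      = $_.LocalizedDisplayName
                    Expired    = [bool]$_.IsExpired
                    Superseded = [bool]$_.IsSuperseded
                }
            }
    }
}

$stale = @(Get-StaleSugMembership)
$stale | Sort-Object SugName, Title |
    Format-Table SugName, ArticleId, Expired, Superseded, Title -AutoSize

if (-not $Remove) {
    Write-Host "$($stale.Count) stale SUG memberships found. Re-run with -Remove to clean them up."
    return
}

# Remove each stale update from the SUG it was found in; the update itself stays
# in the catalog, only the group membership changes (same as un-checking it in
# Edit Membership).
foreach ($entry in $stale) {
    Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $entry.SugName `
        -SoftwareUpdateId $entry.UpdateId -Force
    Write-Host "Removed $($entry.ArticleId) ($($entry.Title)) from $($entry.SugName)"
}
```

Run it once without `-Remove` to get the same list you would see in the console, then again with `-Remove` after the monthly ADR has run. Because it walks the SUGs rather than the whole catalog, it also catches superseded updates that the console search for Expired = Yes alone would miss.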
Helpful Resources:
- Introduction to software updates in System Center Configuration Manager – https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction
- Scan for software updates compliance process – https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction#scan-for-software-updates-compliance-process
- Software update deployment packages – https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction#BKMK_DeploymentPackages
- Software update deployment workflows (ADRs Vs. Manual) – https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction#BKMK_DeploymentWorkflows
- Required system restart – https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction#required-system-restart
- Deployment reevaluation cycle – https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction#deployment-reevaluation-cycle
- Extend software updates in Configuration Manager – https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction#BKMK_ExtendSoftwareUpdates
- Deploy software updates – https://docs.microsoft.com/en-us/sccm/sum/deploy-use/deploy-software-updates
- Manually deploy software updates – https://docs.microsoft.com/en-us/sccm/sum/deploy-use/deploy-software-updates#BKMK_ManualDeployment
- Automatically deploy software updates – https://docs.microsoft.com/en-us/sccm/sum/deploy-use/deploy-software-updates#automatically-deploy-software-updates
- Monitor software updates in System Center Configuration Manager – https://docs.microsoft.com/en-us/sccm/sum/deploy-use/monitor-software-updates
- Alerts for software updates – https://docs.microsoft.com/en-us/sccm/sum/deploy-use/monitor-software-updates#BKMK_SUAlerts
- Software updates synchronization status – https://docs.microsoft.com/en-us/sccm/sum/deploy-use/monitor-software-updates#BKMK_SUSyncStatus
- Software update deployment status – https://docs.microsoft.com/en-us/sccm/sum/deploy-use/monitor-software-updates#BKMK_SUDeployStatus
- Software updates reports – https://docs.microsoft.com/en-us/sccm/sum/deploy-use/monitor-software-updates#BKMK_SUReports
Hi Justin, while creating the ADR you have selected Security Only and Cumulative Updates together. Don't you think that is not a great idea and it confuses the WSUS agent? What I have observed is that if the Cumulative Update is installed in the first place, then Security Only updates take time to be marked as Already Compliant or Not Required. If the Security Only update is installed first, then the agent also installs the Cumulative Updates.
Things get worse if a new machine comes in place and it has 2 months of pending updates (SUG comprises of CU and Security Only updates) targeted. What are your views on it?
My Twitter id :@kmohdnawaz
I don’t see any issue with having multiple update classifications enabled in the same ADR. Applicability will still be determined based on the scan data from the WUAgent. Reporting update state back to the site can take some time based on scan intervals, state messages, and summarization settings, but that won’t affect the client scanning for applicability that happens before each update install. More on this in the deep dive guide.
Thanks Justin for all your videos. What is your advice on deploying software updates to unknown computers during bare-metal and in-place upgrade task sequence deployments?
The easiest method would probably be to add the two unknown computer objects into a collection you already use to target software updates to. That would make sure they have the SUG deployment policies in a task sequence.
Hi Justin,
Is it normal for the deployment status for a deployment to differ from the report for the same deployment? My report shows 1 non compliant while the deployment shows 11 non compliant?
The deployment status is based on the last summarization where the reports are more real-time. I believe default summarization is 1 hour so it could be a little different.
Fantastic stuff Justin. What I was wondering was – If the collection has a maintenance window of 6pm to 6am but the user dutifully shuts down at 5pm every day and powers up at 9am every day, will the updates ever apply?
Not unless you choose the option to apply updates outside the maintenance windows. I have worked with some customers who would enable the option to install and reboot outside the maintenance windows like a week after the deadline for these types of scenarios.
Hi Justin, how would you do the Server updates? Would you put Server Updates into the same Development package as Workstation, or would you create a new Development package for Servers?
It’s up to you. In my lab, I do put them all in one. Many times, customers prefer to split server update groups differently though for various reasons.
Hi Justin,
I really appreciate what you are doing here. I find your videos comprehensive and demystifying. One question regarding this video. You never mention what to do if you need to pull a patch. You said when setting up the ADR and the deployment is created the collections get their marching orders, they should be able to carry out their orders even off network. If we find a problem with the pilots, what is the procedure or what are the scenarios where we can pull these back or augment the deployments (especially if the devices go off network).
You could manage the clients over the internet with CMG (https://setupconfigmgr.com/how-to-setup-cloud-management-gateway-cmg-in-microsoft-sccm) to make sure they are always getting the latest policies when on the internet. This would probably be the best route.
Hello Justin,
I just want a clarification on Windows updates. We have 4 sites across the globe and the primary SCCM site is in Auckland. If I configure WSUS here, will pushing updates to remote sites impact my WAN link between the primary and remote sites, or should I have local WSUS at all locations?
Thanks
How many clients are in the remote sites?
Thanks Justin for coming back on this. We have roughly 40-50 clients at all the remote sites.
For that small of a number, as long as you have an okay connection between the sites, you could probably run with one software update point.
Thank you Justin. And the remote clients receive updates through the local DP here? If yes, do I need to create packages etc.? Sorry, just got into this and not quite sure on having this set up/configured.
Yes, the clients will download content from the deployment package. This is covered in the video guide.
Hello Justin,
Thank you so much for this video, but I have a question: before doing these steps, do we need to create a GPO correlated to SCCM regarding Windows Updates?
If yes, what are the settings that you suggest to set?
Best Regards
The SCCM agent can set any GPOs needed for software updates locally.
Hi Justin,
Can you do a video on SCCM Maintenance, such as Daily, Monthly. etc.
Good topic. I have one for WSUS cleanup; could probably do something for SCCM.
Hi Justin,
Great video! Thank you for doing these.
Wondering if you could explain the different Products under the SUP properties. I see some in there for Windows 10 GDR, GDR-DU, update drivers, upgrade and servicing drivers, etc.
Sorry if this was explained somewhere else.
Thanks!
I had a question on the maintenance windows. I just want to make sure I understand…you create a separate device collection for the maintenance window, then add the collections you want that window applied to into the membership rules? So if I have
MaintenanceWindow
Collection A
Collection B
Collection C
and I add A and C to the MaintenanceWindow collection, then do a deployment to Collection A, will it automatically use the maintenance window?
Correct, the deployment doesn’t need to be deployed directly to the collection the maintenance window is set on. It will abide by any maintenance window the device is in for any other collection.
Hi Justin,
What a fantastic tutorial and thank you for posting it.
What is the best approach if the server fleet were last updated
for example
Server 2008- 2008R2 fleet have their last updated time with various dates from Jan 2014-June 2016
Server 2012- 2012R2 fleet was updated with various dates from Jan 2015-December 2016
Hundreds of servers with various last updates.
What happens if I do a search for, say, Critical Updates, Security Updates, Service Packs, Update Rollups and Updates for Jan-December 2014 and push them out to the 2008-2008R2 fleet? What happens if an update is not required on the server (as in it is already patched with it)?
Or is there another better approach?
Best regards
Rob
Sorry for the delay. Did you figure this out?
Fascinating and thorough procedures for a relative beginner like me. However, in this video your creation of Software Deployment Packages showed you using a share called Sources. Given the extensive partitioning of hard disks in Vid 01 and the Post Install tasks in Vid 02, where did Sources come from? I admit I skimmed the Deep Dive video as without the initial understanding of the process of deploying software updates through SCCM, the range of checks and log analysis is beyond me. The other folders on Sources look like they relate to OS deployment which I will get to in due course.
Thanks
It was pre-created; you can use whatever share name you want.
So is it correct to assume that your UNC path (\\sccm\Sources) is a share of the I:\ disk named “SCCM_Application_Sources” from the “01 – How to Install…” video?
Correct
Hi Justin,
I’ve been using your guides to build a new environment but have found that in our environment the ADR for Software Updates doesn’t work as expected. For the Early Adopters and Broad Deployment collections, if I set Software available time to As soon as possible, the updates install immediately, but Software Center shows the reboot time is the setting in the Installation deadline. I assume that if I don’t want updates to install then I need to set the Software available time to a later date, or have I missed something?
When they install would be based on the deadline time, not the available time.
Hi Justin,
I just created a new SCCM server (SCCM 1910) to replace a really old SCCM server that we have. I followed all your videos for the setup but I hit a roadblock. Every time that I try to deploy Windows updates that are required, all the clients get stuck with status Downloading (0% completed) and the SCCM server monitoring status reports error code 0X80D02002 (Unknown Error (-2133843966)).
I reset Windows Update on the clients but nothing. Could it be a firewall issue, boundary issue…?
I previously was able to deploy third-party updates (Adobe Reader) and I also was able to deploy a feature update (1903) for a Windows 10 machine.
Any info will be appreciated. Thanks
It could be a boundary issue or maybe GPO conflict for WSUS.
Hi Eduardo,
Did you get to the bottom of this? Our environment is doing similar; all updates used to work perfectly. We did switch over to co-management for the devices with Intune integration though. Aside from that, not much else has changed.
Thanks.
Our business is just about to implement Microsoft updates using SCCM, where previously we have just deployed these with WSUS, and critical and security updates have been automatically approved and pushed out straight away.
How would you, or do you, manage the situation of these updates being released after Patch Tuesday, or would you wait to pick these up the following month?
Thanks in advance
It depends on the severity of the update. Usually, I stay up to date about any out-of-band updates on places like Twitter for example.