SCCM Updates Management

NT Windows Update

In previous articles we’ve gone through the process of Deploying WSUS and the deployment of the SUP SCCM Role and in this article I will describe how SCCM Updates Management works describing the process of synchronizing the SUP Server with Microsoft Update, select products for which updates will be made available and finally how to deploy updates to client machines.

SCCM Updates Management – Synchronizing the SUP

When you first deploy the SUP the list of Products available is rather thin and missing last products, Windows 10 comes to mind, this is easily solved performing the initial full Synchronization  navigating to Software Library → Software Updates → All Software Updates right-click on All Software Updates and finally select synchronize Software Updates 

Synchronizw Software Updates

If you want you can achieve the same result via PowerShell with the following command

# Perform WSUS Full Synchronization

Sync-CMSoftwareUpdate –FullSync $true

[su_note note_color=”#ffff96″ text_color=”#000000″ radius=”5″]Note: Please note that when launching the Synchronization process from the console SCCM will always perform a delta sync, if you want to perform a full synch you have to use the above PowerShell command.[/su_note]

Be patient as the synchronization will take some time depending on your internet connection speed you can live follow the process monitoring the wsyncmgr.log log file.

[su_note note_color=”#ffff96″ text_color=”#000000″ radius=”5″]Note: If you’re running ConfigMgr 2012 R2 SP1 be sure to read this article about possible error messages related to the SUP role.[/su_note]

Once the synchronization is complete you need to define Classifications and Products for which updates will be deployed, in the article where I have described the process of deploying the SUP Role I did not specify any setting on purpose so to not waste resources updating an older version of the WSUS Database (lacking most of the products) to do so in the ConfigMgr console navigate to Administration → Site Configuration → Sites right-click on the Site you are configuring the SUP for and select Configure Site Components → Software Update Point 

Configure SUPIn the Software Update Point Component Properties page under the Classifications tab you can specify classifications for the updates to download

WSUS ClassificationsIn the Products tab select all Products that you will be deploying updates for, in this example I will just select Windows 10 and Windows 7

WSUS Products DownloadOnce you have applied the changes initiate another Synchronization which will download updates metadata to make it available to ConfigMgr again you can follow the whole process through ConfigMgr log files which will contain much more information this time.

WSUS SynchSCCM Updates Management – Download Updates

Once the Synchronization and Import process is complete (be patient it will take some time) go to Software Library → Software Updates → All Software Updates where you will be able to see all available updates that have been synchronized from the Microsoft Update site together with summary deployment status

SCCM All Software UpdatesIt is important to note that at this point no actual update is downloaded on the ConfigMgr server for the purpose I’ve created a filter to show only valid updates for Windows 7 machines which have not been superseded by other updates or are expired

SCCM updates filterSelect some or all the required updates right-click on the them and select Create Software Update Group which will create a group updates that can be deployed to clients as single entity making it easy to manage the deployment of multiple updates as a single package

Software Update GroupCreate Software Update Group

Before proceeding with the actual download of the update files it is necessary create the physical repository where the files will be stored for ease of implementation I will use PowerShell

# Create the folder where to Download update files
New-Item -Path Z: -Name Updates -ItemType Directory

# Share the Updates directorey and set permissions for the ConfigMgr-Admins group
New-SmbShare -Path Z:Updates -Name Updates -CachingMode None –ChangeAccess ConfigMgr-Admins

# Creates a subfolder for Windows 7 Updates
New-Item -Path Z:Updates -Name Windows7Updates -ItemType Directory

Once the necessary folders and permissions are in place navigate to Software Library → Software Update Groups right-click on the Windows 7 Security Updates group and select Download which will start a Wizard to either create a new deployment package or add updates to an existing one

SCCM updates Download

Select the option to create a new Updates deployment package and specify the folder where update files will be downloaded

Updates Deployment Package

Select the Distribution Point or group of DP to which the update package will be copied to

Distribution Point Updates

Select the Download Software Updates from the Internet 

Updates Download Location

If necessary you can specify additional update languages in the following page otherwise skip to the Summary page to start the download process

SUP Updates Download

SCCM Updates Management – Deployment

Finally we are ready to deploy Updates to managed clients, to do so simply right-click on the update package and select Deploy which will launch a wizard to configure the updates deployment, for the purpose of writing this article I have created a collection containing all Windows 7 Systems in my lab to which I will be deploying Updates

Updates Deployment

In the first page of the wizard simply select the collection to which you will be deploying and a descriptive name for the deployment in this example I’ve left it to the default auto-generated value

Update Package Deployment to CollectionIn the next window chose the deployment type Required or Available and the type of logging you want to have here I have chosen a required deployment type and left all the rest to default values

Required Update DeploymentIn the next window specify Update Package availability and dead line, to speed up the whole process I’ve select As soon as possible for both options

Update Installation DeadlineNext we can configure the User Experience options which control aspects like visibility of the updates in Software Center what to do when deadline is reached an system is outside of the maintenance Window and finally if System Restart should be suppressed (useful for servers) in the pictures you can see options I’ve used for this deployment which, just to reiterate, will affect only Windows 7 clients

Deployment Options for Updates

In the Alerts and Download Settings pages I have left all default settings as you can see in the picture below

Update AlertsUpdate Download Settings

Once the package has been configured on the client you can force a Software Updates Deployment Evaluation Cycle which will force the client to check with the ConfigMgr server for the availability of updates, the screenshot below comes from the Windows 7 client that was deployed in a previous article in Windows 8 or 10 the screen will be slightly different

Available UpdatesAs soon as the machine checked needed updates against the available ones defined by the SCCM administrator installation will begin, if updates deployment have been configured as Available and not required they will be available in Software Center for the user to choose when to install them

Software Center Updates


One thought on “SCCM Updates Management

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s