In this post we will see how to deploy software updates using SCCM. Deploying the software updates for the computers is essential.
To stay protected against cyber-attacks and malicious threats, it is very important that you keep the computers patched with latest software updates.
The software updates are released by major software vendors to address security vulnerabilities in their existing products.
Software Updates in SCCM
When it comes to deploying updates, SCCM is the best tool to do it. You must understand that deploying updates is a complex task. SCCM make it easy not only to deploy updates but to gather the depoyment reports as well.
Software updates in SCCM provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise.
To deploy software updates, you can use any of the below methods.
- Automatic Deployment
- Manual Deployment
- Phased Deployment
Deploying third-party updates using SCCM
Starting with SCCM 1806, you can deploy third-party updates easily. You can add third-party Software Update Catalogs node in the Configuration Manager console.
You can subscribe to third-party catalogs, publish their updates to your software update point (SUP), and then deploy them to clients. For more info read this post.
To summarize this post, we are going to perform the following.
- Install and configure Software Update point role
- Create a software update group.
- Add the updates to a software update group
- Distribute the update content to distribution points
- Deploy the update group to clients
Deploy Software Updates Using SCCM
There are 2 ways to deploy software updates using SCCM, Manual and Automatic.
In Manual software updates deployment, a set of software updates is selected the SCCM console and these updates are deployed to the target collection.
Automatic software updates deployment is configured by using automatic deployment rules. This method is used for deploying monthly software updates and for managing definition updates.
When the rule runs, the software updates that meet a specified criteria are added to a software update group. The content files for the software updates are downloaded and copied to distribution points.
Finally the software updates are deployed to client computers in the target collection. In this post I will cover the steps to deploy the software updates manually.
For automatic deployment of software updates using SCCM, refer this post.
Install Software Update Point Role using SCCM Console
To install software update point role
- Launch the SCCM console.
- Click Administration > Site Configuration > Sites.
- At the top ribbon click on Add Site System Roles.
Select an account that can connect to WSUS server. Click Next.
Select Synchronize from Microsoft Update and click Next.
Click Enable synchronization on a schedule. Select Simple schedule. You may also click Alert when sync fails on any site in hierarchy. Click Next.
For Supersedence behavior, select Immediately expire a superseded software update. Click Next.
When you want to deploy updates, selecting the classifications (type of updates) is an important step. In my observation, I have seen most of organizations deploy Critical and Security updates only.
However if your requirement is to deploy other updates in addition to critical and security updates, select them.
Select Critical Updates, Definition Updates and Security Updates. Note that you can do this after installation of SUP as well. Click Next.
Choose the products that you want to synchronize, in this step I have selected Windows 7, Forefront Endpoint Protection 2010. Click Next.
Choose the desired language, click Next.
The Software Update Point role has been installed. Click Close.
Synchronize Software Updates
After installing the software update point role, we must run a initial software updates synchronization.
- In the SCCM console, click Software Library > Overview > Software Updates.
- Now click All Software Updates. On the top ribbon click Synchronize Software Updates.
To monitor software updates sync, open wsyncmgr.log and WCM.log file.
Below is the screenshot of the wsyncmgr.log file and we can see that the WSUS is synchronizing the categories and updates.
The synchronization is complete. The software updates can now be seen when you click All Software Updates option in CM Console.
Create Software Update Group
In the console we have got several updates. Deploying all the updates is up to your choice. When you want to target updates to specific product, you can do so.
Using the search criteria, we can filter the updates and deploy only the ones that are important. Most of all you can select all that are applicable for specific product.
Click Add criteria.
Select Expired, Product, Superseded, Bulletin ID. Click Add.
Choose the product as Windows 7, Bulletin ID as MS, Expired as NO, Superseded as NO.
When you specify the above criteria and click Search, the updates are shown based on your criteria.
Now select all the updates (hold Shift+page Down), right click on the updates and click Create Software Update Group.
Specify software update group name such as Windows 7 Update group. Click Create.
Deploy Software Updates Wizard
When you have the software update group ready, proceed to deploying the updates.
Select the Software Update Group the you created in the previous step. Right click the Windows 7 Update Group and click Deploy.
On the Deploy Software Updates Wizard, provide a Deployment Name, description and choose the collection for which this software update deployment must be deployed. Click Next.
Set the Type of deployment as Required and detail level can be set to Only success and error messages. Click Next.
If you select the deployment as Available, the software updates will be available in software center for installation.
In this step you can schedule the deployment. Configure the schedule for this deployment, set the Time based on to Client local time.
Choose Software available time to specific time and set the Installation deadline to as soon as possible. Click Next.
On the User Experience page, you can choose to suppress the restart for Server or Workstations. Click Next.
For Deployment options, if a client is within a slow or unreliable network boundary then select Download software updates from distribution point and install.
If the updates are not available with preferred DPs then select Download and install software updates from the fallback content source location. Click Next.
Create a new deployment package by providing a name, location for the Package source and Sending priority. Click Next.
Add the Distribution Point and click Next.
Select Download software updates from the Internet. Click Next.
Choose the language and click Next. The wizard will now download the updates and deploy them to the collection as per the schedule defined. Click Close.
After few minutes we see that the updates are installed on one the client machines in the collection.
You can choose to restart the computer by choosing Restart now or you can choose Snooze and remind me again in hours.