How To Deploy Software Updates Using SCCM 2012 R2

In this post we will see how to deploy software updates using SCCM. Deploying the software updates for the computers is essential.

To stay protected against cyber-attacks and malicious threats, it is very important that you keep the computers patched with the latest software updates.

The software updates are released by major software vendors to address security vulnerabilities in their existing products.

Software Updates in SCCM

When it comes to deploying updates, SCCM is the best tool to do it. You must understand that deploying updates is a complex task. SCCM makes it easy not only to deploy updates but to gather the deployment reports as well.

Software updates in SCCM provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise.

To deploy software updates, you can use any of the below methods.

  • Automatic Deployment
  • Manual Deployment
  • Phased Deployment

Deploying third-party updates using SCCM

Starting with SCCM 1806, you can deploy third-party updates easily. The Configuration Manager console includes a Third-Party Software Update Catalogs node.

You can subscribe to third-party catalogs, publish their updates to your software update point (SUP), and then deploy them to clients. For more info read this post.

To summarize this post, we are going to perform the following.

  • Install and configure Software Update point role
  • Create a software update group
  • Add the updates to a software update group
  • Distribute the update content to distribution points
  • Deploy the update group to clients

Deploy Software Updates Using SCCM

There are 2 ways to deploy software updates using SCCM, Manual and Automatic.

In manual software updates deployment, a set of software updates is selected in the SCCM console and these updates are deployed to the target collection.

Automatic software updates deployment is configured by using automatic deployment rules. This method is used for deploying monthly software updates and for managing definition updates.

When the rule runs, the software updates that meet the specified criteria are added to a software update group. The content files for the software updates are downloaded and copied to distribution points.

Finally the software updates are deployed to client computers in the target collection. In this post I will cover the steps to deploy the software updates manually.

For automatic deployment of software updates using SCCM, refer to this post.

Install Software Update Point Role using SCCM Console

To install software update point role

  1. Launch the SCCM console.
  2. Click Administration > Site Configuration > Sites.
  3. At the top ribbon click on Add Site System Roles.

From the Add Site System Roles Wizard, select Software Update Point and click Next.

For WSUS Configuration, select WSUS is configured to use ports 8530 and 8531 for client communications and click Next.

Select an account that can connect to WSUS server. Click Next.

Select Synchronize from Microsoft Update and click Next.

Click Enable synchronization on a schedule. Select Simple schedule. You may also click Alert when sync fails on any site in hierarchy. Click Next.

For Supersedence behavior, select Immediately expire a superseded software update. Click Next.

Software Update Classifications

When you want to deploy updates, selecting the classifications (type of updates) is an important step. In my observation, most organizations deploy Critical and Security updates only.

However, if your requirement is to deploy other updates in addition to critical and security updates, select them.

Select Critical Updates, Definition Updates and Security Updates. Note that you can do this after installation of SUP as well. Click Next.

Choose the products that you want to synchronize. In this step I have selected Windows 7 and Forefront Endpoint Protection 2010. Click Next.

Choose the desired language, click Next.

The Software Update Point role has been installed. Click Close.

Synchronize Software Updates

After installing the software update point role, we must run an initial software updates synchronization.

  • In the SCCM console, click Software Library > Overview > Software Updates.
  • Now click All Software Updates. On the top ribbon click Synchronize Software Updates.

To monitor software updates sync, open the wsyncmgr.log and WCM.log files.

Below is the screenshot of the wsyncmgr.log file and we can see that the WSUS is synchronizing the categories and updates.

The synchronization is complete. The software updates can now be seen when you click All Software Updates option in CM Console.
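The log check described above can be scripted, so that a failed synchronization (and the missing security updates that follow from it) is noticed without opening the logs by hand. The following PowerShell is an added example, not part of the original post; the function names, the `$$<component><date time><thread>` entry layout, the keyword-based severity and the sample lines (messages from the WCM.log excerpt quoted in the comments, trailers constructed) are assumptions.

```powershell
# Added example (not from the original post): parse site-server logs such as
# wsyncmgr.log and WCM.log and summarise entries that point to a broken sync.
# Assumptions: one entry per line, laid out as
#   message $$<component><MM-dd-yyyy HH:mm:ss.fff+bias><thread=N (0xHEX)>
# with "~" marking an embedded line break. The layout has no severity field,
# so severity here is a keyword heuristic.

function ConvertFrom-CMServerLog {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        $pattern = '^(?<msg>.*?)\s*\$\$<(?<comp>[^>]+)>' +
                   '<(?<stamp>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})[+-]\d+>' +
                   '<thread=(?<tid>\d+)'
        $culture = [System.Globalization.CultureInfo]::InvariantCulture
    }
    process {
        $m = [regex]::Match($Line, $pattern)
        if (-not $m.Success) { return }          # blank or unrecognised line
        $msg = $m.Groups['msg'].Value.Replace('~', ' ').Trim()

        $severity = 'Info'
        if ($msg -match 'fail|error|exception') { $severity = 'Error' }
        elseif ($msg -match 'warn|unknown|not found') { $severity = 'Warning' }

        [pscustomobject]@{
            Time      = [datetime]::ParseExact($m.Groups['stamp'].Value,
                            'MM-dd-yyyy HH:mm:ss.fff', $culture)
            Component = $m.Groups['comp'].Value
            Thread    = [int]$m.Groups['tid'].Value
            Severity  = $severity
            Message   = $msg
        }
    }
}

function Get-CMSyncProblem {         # hypothetical helper name
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Entry)
    # One row per component: Error/Warning counts and the newest problem entry.
    $Entry | Where-Object { $_.Severity -ne 'Info' } |
        Group-Object -Property Component |
        ForEach-Object {
            $last = $_.Group | Sort-Object -Property Time | Select-Object -Last 1
            [pscustomobject]@{
                Component   = $_.Name
                Errors      = @($_.Group | Where-Object { $_.Severity -eq 'Error' }).Count
                Warnings    = @($_.Group | Where-Object { $_.Severity -eq 'Warning' }).Count
                LastSeen    = $last.Time
                LastMessage = $last.Message
            }
        }
}

# Constructed sample: messages as quoted in the comments, trailers made up.
$sample = @'
Successfully connected to server: server, port: 8530, useSSL: False  $$<SMS_WSUS_CONFIGURATION_MANAGER><03-12-2019 10:15:30.101+300><thread=4321 (0x10E1)>
Subscription contains categories unknown to WSUS.~  $$<SMS_WSUS_CONFIGURATION_MANAGER><03-12-2019 10:15:31.245+300><thread=4321 (0x10E1)>
Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error~  $$<SMS_WSUS_CONFIGURATION_MANAGER><03-12-2019 10:15:31.260+300><thread=4321 (0x10E1)>
Constructed line: sync started  $$<SMS_WSUS_SYNC_MANAGER><03-12-2019 10:20:00.000+300><thread=5120 (0x1400)>
'@ -split '\r?\n'

$entries = @($sample | ConvertFrom-CMServerLog)
Get-CMSyncProblem -Entry $entries | Format-List

# On a site server, feed the real files instead (path is a placeholder):
# Get-Content '<ConfigMgr install dir>\Logs\wsyncmgr.log' | ConvertFrom-CMServerLog
```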

Create Software Update Group

The console now lists several updates. Whether to deploy all of them is your choice. You can also target updates to a specific product.

Using the search criteria, we can filter the updates and deploy only the ones that are important. You can also select all updates that are applicable to a specific product.

Click Add criteria.

Select Expired, Product, Superseded, Bulletin ID. Click Add.

Choose the product as Windows 7, Bulletin ID as MS, Expired as NO, Superseded as NO.

When you specify the above criteria and click Search, the updates are shown based on your criteria.

Now select all the updates (hold Shift+Page Down), right-click on the updates and click Create Software Update Group.

Specify a software update group name such as Windows 7 Update group. Click Create.

Deploy Software Updates Wizard

When you have the software update group ready, proceed to deploying the updates.

Select the Software Update Group that you created in the previous step. Right-click the Windows 7 Update Group and click Deploy.

On the Deploy Software Updates Wizard, provide a Deployment Name, description and choose the collection for which this software update deployment must be deployed. Click Next.

Set the Type of deployment as Required and detail level can be set to Only success and error messages. Click Next.

If you select the deployment as Available, the software updates will be available in Software Center for installation.

In this step you can schedule the deployment. Configure the schedule for this deployment, set the Time based on to Client local time.

Set Software available time to a specific time and set the Installation deadline to As soon as possible. Click Next.

On the User Experience page, you can choose to suppress the restart for Server or Workstations. Click Next.

For Deployment options, if a client is within a slow or unreliable network boundary then select Download software updates from distribution point and install.

If the updates are not available with preferred DPs then select Download and install software updates from the fallback content source location. Click Next.

Create a new deployment package by providing a name, location for the Package source and Sending priority. Click Next.

Add the Distribution Point and click Next.

Select Download software updates from the Internet. Click Next.

Choose the language and click Next. The wizard will now download the updates and deploy them to the collection as per the schedule defined. Click Close.

After a few minutes we see that the updates are installed on one of the client machines in the collection.

You can choose to restart the computer by choosing Restart now or you can choose Snooze and remind me again in hours.

125 Comment threads
84 Thread replies
 
Chris

Hi Prajawal,

Thank you for this tutorial, really insightful. I have followed the process and deployed Windows Server update to some servers. On the monitoring, it shows the deployment is successful but it is not installing, and on the system it says click to install. The compliance on SCCM is 0.0%. Please, how do I make it install using SCCM?

Thanks.

Rohit

Check if the server has maintenance windows. Select the deployment, right-click, and in the deployment settings > User Experience check the box System restart.
Check the logs if you are getting errors.

Tamrat T Amanu

Hi Prajawal,
I followed this tutorial exactly as described but the updates aren’t showing on the client machine. Do I need to update anything, let’s say in “Specify intranet Microsoft update service location” in Group Policy?

Pavit J

No you need not Specify intranet Microsoft update service location in group policy. Ensure the updates are properly distributed to distribution points. Go to Monitoring node and check the status of deployment.

nadeem

Hi Prajwal,

I was trying to deploy updates in Available mode instead of Required mode, but it never got deployed. Any suggestions to fix it?

While I had seen logs and had found that all the updates were getting synced, and were reaching the MPs also.

Pavit J

Go to Monitoring and check the status of deployment.

Puru

Suppose we have initiated an OS upgrade using a Task Sequence with a time window, let's say 5 pm on Wed.
Can we change the installation time, and will it affect the initiated Task Sequence?

Pavit J

Yes you can always make the updates available at specific time and specify the installation deadline as well.

Amisha

Prajwal

I am still a beginner and have a long way to go before I have somewhat mastered SCCM. I just wanted to say your guides are detailed and thorough and have been absolutely invaluable in my journey to learn it. Thank you!

Pavit J

That’s correct. I followed his guides and finished my updates deployment project. Got appreciation from my manager 🙂

Emiliano

Hi Prajwal,

Congratulations on your guide. I want to ask you: I have this architecture. I have only one server, SCCM 2016 1902, and another Windows Server 2016 with the WSUS role installed and working. Since I want to use SCCM as a software update point, can I use it by connecting it to the existing WSUS without installing a second SCCM?

Thanks in advance
Emiliano

Jeremy Hauger

Unless your environment is very large I would suggest putting WSUS on the SCCM server and getting it configured, then decommissioning your standalone WSUS server. SCCM also may not like to play nicely with an already configured SCCM server.

Just my 2 cents worth.

Paul

Hi Prajwal,

We have been doing some server upgrades from Windows 2008>2012>2016. The servers seem to run well after the upgrade to 2016, but are not showing as requiring any patches. We have new freshly installed 2016 systems that the updates work fine on. I was wondering if anyone had seen issues with updating Windows 2016 systems that had been upgraded. It's like the systems are a little confused.

Thanks in advance.
Paul

Adriano

Hi Prajwal,

I need to distribute the software updates for Windows Server 2016 using SCCM 2012 R2. Is it possible?
Thanks in advance.

ashwini

How to get the complete status of the scan cycle of all client machines?

Rakesh Roshan

All I can say is I love your work. You're the best.

Durga Pathak

Hi Prajwal, last week we started deploying Windows Server 2016 in our environment. I am able to see patches for Windows Server 2016 in WSUS, however they do not all show up in the Configuration Manager Console except for KB4462917. I heard people saying this is a known issue while others say that, for Windows Server 2016, all patches supersede previous ones. My environment is System Center Config Manager 2012 v1702 5.00.8498.1711. I would appreciate your kind suggestion. Thanks in advance.

Fexscm

Updates are superseded if they are the monthly cumulative ones. If you go to your SCCM console > Administration > Sites > Configure Site Components > Software Update Point, you can see if you are removing superseded updates immediately or after a specified time.

Rizvi

Hi, what are the implications of removing and reinstalling an existing SUP? IIS is not showing sms or cms in application pools like the other SUP. We have 2 SUPs. I’m getting WSUS error messages from the SCCM 2012 console.

tony

Do we actually need wsus to download the patch as well or will the SCCM take care of it as long as wsus service is on?

Hasan Ördek

I have a question about the “Install Software Updates” task in a Task Sequence. There are two options which you can select in the task, namely “Required for installation – Mandatory software updates only” and “Available for installation – All software updates”. What do these options mean? Does the first option mean that all the required updates for the concerning OS will be installed? And does the second option mean it will only install the updates deployed to a collection?

Vishal Shah

Hi Prajwal,

There is a setting in SUP as below:
“Months to wait before a superseded software update is expired”. In my environment it is currently set to 1 month, however the client wants to change it to 3 months. Can you help us understand what the impact of changing this from 1 to 3 months would be?

Akhlaque Khan

Hi Prajwal,

I have configured software updates as per your blog but it's not showing in System Center on client computers and the client is not getting updates from SCCM. Please help with this.
I am using SCCM2012 Build no.8325

Bojan Zivkovic

Hi Prajwal, I am using SCCM 1702. There are 2 ADRs – one for deploying Windows Defender Definition Updates and one for deploying Windows Server 2016 Updates. Both ADRs are deployed to the same collection containing 19 server members. Today I have noticed that during the weekend Windows Defender Definitions were updated only on one server while on other servers definitions are 3 days old. Having taken a look at updatesdeployment.log on “healthy” server and on other servers one line caught my eye: Evaluation initiated for (2) assignments – on “healthy” server Evaluation initiated for (1) assignments – on other…

Ahmed Gamal

Hi Prajwal, I need your support please, because after I downloaded Windows Update and deployed it successfully, one of my team removed the downloaded updates from its sources, and when I tried to install Windows Update again it failed, because I think it's already downloaded and took a content ID number and the status is Downloaded. So how do I re-download Windows Update again from Microsoft Updates?

Naveen

Hi Prajwal..Could you please help me with any best trainer information or can you give any training for SCCM

thank you in advance

Roberto Sibilani

Hi Prajwal, I have just installed SCCM 2012R2 and upgraded to 1710 version. So, I installed WSUS and Update Point and I tested the deployment successfully. My two clients, Win 7 and Win 10, are compliant with 100%. I found, on the clients, all the required updates using Control Panel and History. The strange thing is that no updates are shown on client Software Center. All the tabs are empty. Is this normal?

Christian Velazquez

Hi Prajwal,

I have followed your steps, but the clients don't receive any updates. I don't even have a windowsupdate.log on the clients. I am syncing updates fine from WSUS to SCCM, but I can't get updates to move from SCCM to clients. I am at a loss as to what my issue is here. Any help would be greatly appreciated.

Peejay

Hi Prajwal,

Question: do you have a guide on how to package Dell Firmware/BIOS updates using SCCM?

Karl

Hi Prajwal,

Great write up! I have a question. When adding the updates role to the SCCM server… Windows 10, Exchange 2013 and other more recent technologies are not listed in the options for updating… how do I get these to appear?

Bouhdila

Hi Everyone,
What are the best practices between the test environment and production environment for the software update push? I mean, how many days should I wait after my test before pushing to production?

Colleen Beach

The guidance you have posted has been great. Do you have anything for offline networks? I have a wsus server internet connected, did the export/import into the disconnected SCCM/WSUS. Synchronized the SCCM. When I try to setup the deployments I am having issues with the Deploy Software Updates Wizard – where should the download location point to? Should I point to the location of the WSUSContent (import) or the SCCMContentLib?

Zibonele Dlamini

I’d like to echo Moe’s comments as well. Prajawal, you save a lot of us Noobies headaches with your blog. Very clear and simple to follow.
I’m also one of your biggest fans.

Moe

Sir,
I just want to thank you. Your Blog is my definitive GoTo when I want to understand how things work or need to be configured in SCCM. You explain things simply and have pictures as well.

You and all your effort is appreciated by me …Just a Humble SCCM N00b and a big FAN of yours!

Mark Louie

I have the same issue. I tried deploying updates and it says on the configuration that the deployment was successful, and on the “Title” list where the deployed update was listed, under the “Downloaded” and “Deployed” tab there was a “YES” statement. My problem is that there is no notification from “System Center” on the client machine. I think I missed steps on how to install System Center on the client. How can I see System Center on my client and is there any way that I can verify and check if the updates are really deployed on my client machine? Thanks…

Ryan Odinoidz

Hi Prajwal,
Good day. Thank you for the manual; I did follow all steps. But I have a question: I don’t have an idea where to find the error logs after I run my software updates on my client. My creation and deployment of the software update was successful but it is not showing in the Software Center of the client. Hope you solve my problem. Thanks

Cesar Lecca

I am deploying updates to Windows 7 and Windows 10 machines. In the SCCM monitor the machines show as completed and compliant, but when I go to the client machine there is no activity from the deployment that was run. Does anyone know what it could be? And the monitoring deployment tool shows successful results.

jeff

Check the folder and share permissions on the location where you selected to download the patches to. Both the share and the folder need to be open to write access by SCCM.

kiran kumar

Every time I try to download any update from SCCM, I get the error. Failed to download content id 16839922. Please help.

Nasir Yilmaz

Hi,

SCCM keeps waiting for user approval (“Install All”) and it is deployed as Required. How do I deploy updates automatically without end-user interruption?
Thanks

Nasir Yilmaz

Attached SCCM client Image

MiT

How can we know if the client updated or not after deploying software updates?

Sparkdudimus

First I love your guides! The time you have put in for the community is beyond appreciated! I am trying to learn SCCM as I follow your guides step by step. Here is what I am getting, and any help is beyond appreciated.

After I click on “Synchronize Software Updates” I get this error in my wsyncmgr.log

Here is the WCM

and statesys

SCCM2K13

How is it possible to make the package install first on some deployment group to validate there is no regression?
Also, we are starting on this, and we are afraid there are a lot of updates needed on our client systems, that will annoy users with 12348 reboots until all KBs have been installed??

Charles

My WSUS sync isn’t working after a restore. Here are the following logs. I was able to remove Adobe by unchecking it and resyncing but I can’t get rid of the Java JRE Client. Please help. WCM Log Subscription contains categories unknown to WSUS.~ $$ Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error~ $$ .. Successfully connected to server: server, port: 8530, useSSL: False $$ Category Company:94d731de-22a6-4458-dc4d-b5267de026fc (Adobe Systems, Inc.) not found on WSUS $$ Category Product:b1d1a5ca-37c4-5805-b271-367467ef10f5 (Java JRE Client) not found on WSUS $$ Starting WSUS category sync from upstream… $$Microsoft.SystemsManagementServer.WSUS.WSUSMSPException: WSUS sync failed with UssNotFound: ~~…

AaronSmith86

Hey Prajwal,
I never get prompted to create a deployment package? What am I missing?

Sunil Kaushik

Hi Prajwal,

I want to change the maximum run time (minutes) for software updates; by default it is 10 min and I want to change it to 30 min.

I know I can do it for every update manually. But how can I change it so that I don’t have to do it every month for the updates? By default it should be set to 30 min.

Regards,
Sunil Kaushik.

peculiar

Please, I would like to know if you have come across this issue with security update deployment on Windows Server 2012 R2.

I deployed a security update via SCCM and it recorded compliant for all the Windows Server 2012 R2 servers, but when I log in to the servers the updates are not recorded in Add and Remove Programs.
Why does SCCM behave that way for Windows Server 2012 R2, because Windows Server 2012 and 2008 R2 show the update deployed via SCCM.

boris boris

Dear Prajwal,

Sorry to bother you, I have a critical issue in my SCCM 2012 R2, I try to troubleshoot and find the root cause but no luck, could you mind check my attachment file and take a look. Please advise me how can fix this issue, thx.

Regards

Boris

Dave

Thank you for your great how to steps Prajwal!! Is WSUS required for SCCM to manage updates? Since you can point SCCM directly to the Microsoft update servers couldn’t you do this without WSUS running? I have an environment with 100 systems I need to manage so I’m trying to do this as simple as I can. I have no need for secondary sites since everyone can hit my primary site. Thanks again!!

Brandy Reid

Hi Prajwal – Thank you for sharing this post, I’ve found it very helpful 🙂 I think I’m clear on all the steps except for the package source. According to technet, I need to manually create The shared folder for the deployment package source files Deployment package source: Specifies the location of the software update source files. When the deployment is generated, the source files are compressed and copied to the distribution points that are associated with the deployment package. The source location must be entered as a network path (for example, \\server\sharename\path), or the Browse button can be used…

Rahul Srivastva

Hi Prajwal,

Can u define the term “Internet-Based Software Update Point” please, Thanks in advance

Rahul Srivastav
