How To Deploy Software Updates Using SCCM 2012 R2

In this post we will see how to deploy software updates using SCCM. Deploying the software updates for the computers is essential.

To stay protected against cyber-attacks and malicious threats, it is very important that you keep the computers patched with the latest software updates.

The software updates are released by major software vendors to address security vulnerabilities in their existing products.

Software Updates in SCCM

When it comes to deploying updates, SCCM is the best tool to do it. You must understand that deploying updates is a complex task. SCCM makes it easy not only to deploy updates but to gather the deployment reports as well.

Software updates in SCCM provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise.

To deploy software updates, you can use any of the below methods.

  • Automatic Deployment
  • Manual Deployment
  • Phased Deployment

Deploying third-party updates using SCCM

Starting with SCCM 1806, you can deploy third-party updates easily. A Third-Party Software Update Catalogs node is available in the Configuration Manager console.

You can subscribe to third-party catalogs, publish their updates to your software update point (SUP), and then deploy them to clients. For more info read this post.

To summarize this post, we are going to perform the following.

  • Install and configure Software Update point role
  • Create a software update group.
  • Add the updates to a software update group
  • Distribute the update content to distribution points
  • Deploy the update group to clients

Deploy Software Updates Using SCCM

There are 2 ways to deploy software updates using SCCM, Manual and Automatic.

In manual software updates deployment, a set of software updates is selected in the SCCM console and these updates are deployed to the target collection.

Automatic software updates deployment is configured by using automatic deployment rules. This method is used for deploying monthly software updates and for managing definition updates.

When the rule runs, the software updates that meet the specified criteria are added to a software update group. The content files for the software updates are downloaded and copied to distribution points.

Finally the software updates are deployed to client computers in the target collection. In this post I will cover the steps to deploy the software updates manually.

For automatic deployment of software updates using SCCM, refer to this post.

Install Software Update Point Role using SCCM Console

To install software update point role

  1. Launch the SCCM console.
  2. Click Administration > Site Configuration > Sites.
  3. At the top ribbon click on Add Site System Roles.

From the Add Site System Roles Wizard, select Software Update Point and click Next.

For WSUS Configuration, select WSUS is configured to use ports 8530 and 8531 for client communications and click Next.

Select an account that can connect to WSUS server. Click Next.

Select Synchronize from Microsoft Update and click Next.

Click Enable synchronization on a schedule. Select Simple schedule. You may also click Alert when sync fails on any site in hierarchy. Click Next.

For Supersedence behavior, select Immediately expire a superseded software update. Click Next.

Software Update Classifications

When you want to deploy updates, selecting the classifications (type of updates) is an important step. In my observation, I have seen most organizations deploy Critical and Security updates only.

However if your requirement is to deploy other updates in addition to critical and security updates, select them.

Select Critical Updates, Definition Updates and Security Updates. Note that you can do this after installation of SUP as well. Click Next.

Choose the products that you want to synchronize. In this step I have selected Windows 7 and Forefront Endpoint Protection 2010. Click Next.

Choose the desired language, click Next.

The Software Update Point role has been installed. Click Close.

Synchronize Software Updates

After installing the software update point role, we must run an initial software updates synchronization.

  • In the SCCM console, click Software Library > Overview > Software Updates.
  • Now click All Software Updates. On the top ribbon click Synchronize Software Updates.

To monitor software updates sync, open wsyncmgr.log and WCM.log file.

In the wsyncmgr.log file we can see that WSUS is synchronizing the categories and updates.

The synchronization is complete. The software updates can now be seen when you click All Software Updates option in CM Console.
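
The log check described above can be scripted instead of read by eye. The following PowerShell is an added example, not part of the original post: it parses site-server log lines and flags missing WSUS categories, failed syncs, and SUP connections made without SSL. It assumes the `message  $$<component><date time><thread=...>` line layout, the function names are hypothetical, and the sample lines are constructed from the WCM.log excerpt quoted in the comments on this page.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Sample lines are CONSTRUCTED, modelled on the WCM.log excerpt quoted in the
# comments on this page; server name, GUID and timestamps are placeholders.
$sampleLog = @'
Successfully connected to server: SUP01.example.test, port: 8530, useSSL: False  $$<SMS_WSUS_CONFIGURATION_MANAGER><01-15-2024 09:00:01.120+000><thread=4472 (0x1178)>
Category Product:00000000-0000-0000-0000-000000000001 (Example Product) not found on WSUS  $$<SMS_WSUS_CONFIGURATION_MANAGER><01-15-2024 09:00:02.340+000><thread=4472 (0x1178)>
Subscription contains categories unknown to WSUS.~  $$<SMS_WSUS_CONFIGURATION_MANAGER><01-15-2024 09:00:02.350+000><thread=4472 (0x1178)>
Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error~  $$<SMS_WSUS_CONFIGURATION_MANAGER><01-15-2024 09:00:02.360+000><thread=4472 (0x1178)>
Starting WSUS category sync from upstream...  $$<SMS_WSUS_SYNC_MANAGER><01-15-2024 09:05:00.000+000><thread=5120 (0x1400)>
WSUS sync failed with UssNotFound  $$<SMS_WSUS_SYNC_MANAGER><01-15-2024 09:05:03.500+000><thread=5120 (0x1400)>
'@ -split '\r?\n'

function ConvertFrom-SiteServerLog {
    # Splits "message  $$<component><date time><thread=...>" into fields.
    # Assumption: that trailer layout; lines that do not match are skipped.
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        $pattern = '^(?<msg>.*?)~*\s*\$\$<(?<comp>[^>]+)><(?<time>[^>]+)><thread=(?<thread>[^>]+)>\s*$'
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Time      = $Matches['time']
                Component = $Matches['comp']
                Message   = $Matches['msg'].Trim()
            }
        }
    }
}

function Get-SupLogFinding {
    # Emits one finding per log entry that indicates a sync or transport problem.
    param([Parameter(ValueFromPipeline = $true)]$Entry)
    process {
        $severity = $null
        $note = $null
        switch -Regex ($Entry.Message) {
            'port: (?<port>\d+), useSSL: (?<ssl>True|False)' {
                # Only connections reported as useSSL: False are flagged.
                if ($Matches['ssl'] -eq 'False') {
                    $severity = 'Warning'
                    $note = "SUP connection on port $($Matches['port']) is not using SSL"
                }
                break
            }
            'Category (?<kind>\w+):(?<id>[0-9a-fA-F-]{36}) \((?<name>.+)\) not found on WSUS' {
                $severity = 'Error'
                $note = "Subscribed $($Matches['kind']) '$($Matches['name'])' is missing on WSUS"
                break
            }
            'Failed to set Subscriptions|categories unknown to WSUS|sync failed' {
                $severity = 'Error'
                $note = 'Synchronization did not complete'
                break
            }
        }
        if ($severity) {
            [pscustomobject]@{
                Time      = $Entry.Time
                Component = $Entry.Component
                Severity  = $severity
                Note      = $note
                Message   = $Entry.Message
            }
        }
    }
}

# Run against the constructed sample. For a live check, replace $sampleLog with
# Get-Content on the WCM.log or wsyncmgr.log path of your own site server.
$findings = $sampleLog | ConvertFrom-SiteServerLog | Get-SupLogFinding
$findings | Format-Table Time, Component, Severity, Note -AutoSize
```

On the constructed sample this reports one warning (the connection on port 8530 without SSL) and four errors; the "Starting WSUS category sync" line is informational and is not flagged.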

Create Software Update Group

The console now lists several updates. Whether to deploy all of them is your choice; you can also target updates at a specific product.

Using the search criteria, we can filter the updates and deploy only the ones that are important. You can also select all the updates that are applicable to a specific product.

Click Add criteria.

Select Expired, Product, Superseded, Bulletin ID. Click Add.

Choose the product as Windows 7, Bulletin ID as MS, Expired as NO, Superseded as NO.

When you specify the above criteria and click Search, the updates are shown based on your criteria.

Now select all the updates (hold Shift+Page Down), right-click the updates and click Create Software Update Group.

Specify software update group name such as Windows 7 Update group. Click Create.

Deploy Software Updates Wizard

When you have the software update group ready, proceed to deploying the updates.

Select the Software Update Group that you created in the previous step. Right-click the Windows 7 Update Group and click Deploy.

On the Deploy Software Updates Wizard, provide a Deployment Name, description and choose the collection for which this software update deployment must be deployed. Click Next.

Set the Type of deployment to Required; the detail level can be set to Only success and error messages. Click Next.

If you select the deployment as Available, the software updates will be available in software center for installation.

In this step you can schedule the deployment. Configure the schedule for this deployment, set the Time based on to Client local time.

Set Software available time to a specific time and set the Installation deadline to As soon as possible. Click Next.

On the User Experience page, you can choose to suppress the restart for Server or Workstations. Click Next.

For Deployment options, if a client is within a slow or unreliable network boundary then select Download software updates from distribution point and install.

If the updates are not available on the preferred DPs, select Download and install software updates from the fallback content source location. Click Next.

Create a new deployment package by providing a name, location for the Package source and Sending priority. Click Next.

Add the Distribution Point and click Next.

Select Download software updates from the Internet. Click Next.

Choose the language and click Next. The wizard will now download the updates and deploy them to the collection as per the schedule defined. Click Close.

After a few minutes we see that the updates are installed on one of the client machines in the collection.

You can choose to restart the computer by choosing Restart now or you can choose Snooze and remind me again in hours.

Paul

Hi Prajwal,

We have been doing some server upgrades from Windows 2008>2012>2016. The Servers seem to run well after the upgrade to 2016, but are not showing as requiring any patches. We have new freshly installed 2016 Systems that the updates work fine on. I was wondering if anyone had seen issues with updating Windows 2016 systems that had been upgraded. It's like the systems are a little confused.

Thanks in advance.
Paul

Adriano

Hi Prajwal,

I need to distribute the software updates for Windows Server 2016 using SCCM 2012 R2. Is it possible?
Thanks in advance.

ashwini

how to get complete status of scan cycle of all client machine

Rakesh Roshan

All i can say is love your work. You the best

Durga Pathak

Hi Prajwal, last week we started deploying Windows Server 2016 in our environment. I am able to see patches for Windows Server 2016 in WSUS however they all do not show up in Configuration Manager Console except for KB4462917. I heard people saying this is known issue while others say, Windows Server 2016 all patches supersede previous ones. My environment is System Center Config Manager 2012 v1702 5.00.8498.1711. I would appreciate your kind suggestion. Thanks in advance.

Fexscm

Updates are superseded if they are the monthly cumulative ones. If you go to your SCCM console > Administration > Sites > Configure Site Components > Software Update Point, you can see if you are removing superseded updates immediately or after a specified time.

Rizvi

Hi What are the implications of removing and reinstalling existing SUP? The IIS is not showing sms or cms in application pools like the other SUP. We have 2 SUP. I’m getting wsus error messages from sccm 2012 console.

tony

Do we actually need wsus to download the patch as well or will the SCCM take care of it as long as wsus service is on?

Hasan Ördek

I have a question about the “Install Software Updates” task in a Task Sequence. There are two options which you can select in the task, namely “Required for installation – Mandatory software updates only” and “Available for installation – All software updates”. What do these options mean? Does the first option mean that all the required updates for the concerning OS will be installed? And does the second option mean it will only install the updates deployed to a collection?

Vishal Shah

Hi Prajwal,

there is setting in SUP as below
“months to wait before a superseded software update is expired”. in my environment , currently its set to 1 months however client want to change it to 3 months. can you help us to know what can be the impact of this by changing this from 1 to 3 months?

Akhlaque Khan

Hi Prajwal,

I have configured software update as per your blog but it's not showing in system center on client computers and client is not getting updates from sccm. Please help on this
I am using SCCM2012 Build no.8325

Bojan Zivkovic

Hi Prajwal, I am using SCCM 1702. There are 2 ADRs – one for deploying Windows Defender Definition Updates and one for deploying Windows Server 2016 Updates. Both ADRs are deployed to the same collection containing 19 server members. Today I have noticed that during the weekend Windows Defender Definitions were updated only on one server while on other servers definitions are 3 days old. Having taken a look at updatesdeployment.log on “healthy” server and on other servers one line caught my eye: Evaluation initiated for (2) assignments – on “healthy” server Evaluation initiated for (1) assignments – on other…

Ahmed Gamal

Hi Prajwal , I Need Your Support Please Because After I Downloaded Windows Update And Deployed It Successfully One Of My Team Removed the Downloaded Updates from It’s Sources And when I tried To Install Windows Update Again It Fail Because I think Its already Downloaded and Took Content Id Number And Status is Downloaded so How I re download windows update again from Microsoft Updates again ??

Naveen

Hi Prajwal..Could you please help me with any best trainer information or can you give any training for SCCM

thank you in advance

Roberto Sibilani

Hi Prajwal, I have just installed SCCM 2012R2 and upgraded to 1710 version. So, I installed WSUS and Update Point and I tested the deployment successfully. My two clients, Win 7 and Win 10, are compliant with 100%. I found, on the clients, all the required updates using Control Panel and History. The strange thing is that no updates are shown on client Software Center. All the tabs are empty. is this normal?

Christian Velazquez

Hi Prajwal,

I have followed your steps, but the clients don't receive any updates. I don't even have a windowsupdate.log on the clients. I am syncing updates fine from wsus to sccm, but I can't get updates to move from sccm to clients. I am at a loss of what is my issue here. Any help would be greatly appreciated.

Peejay

Hi Prajwal,

Question, do you have guide on how to package Dell Firmware/BIOS updates using SCCM

Karl

Hi Prajwal,

Great write up! I have a question. When adding the updates role to the sccm server… Windows 10, Exchange 2013 and other more recent technologies are not listed in the options for updating… how do I get these to appear?

Bouhdila

Hi Everyone,
What is the best practices between the test environment and production environment for the update software push. I mean how many days waiting after my test to push in production?

Colleen Beach

The guidance you have posted has been great. Do you have anything for offline networks? I have a wsus server internet connected, did the export/import into the disconnected SCCM/WSUS. Synchronized the SCCM. When I try to setup the deployments I am having issues with the Deploy Software Updates Wizard – where should the download location point to? Should I point to the location of the WSUSContent (import) or the SCCMContentLib?

Zibonele Dlamini

I’d like to echo Moe’s comments as well. Prajwal, you save a lot of us Noobies headaches with your blog. Very clear and simple to follow.
I’m also one of your biggest fans

Moe

Sir,
I just want to thank you. Your Blog is my definitive GoTo when I want to understand how things work or need to be configured in SCCM. You explain things simply and have pictures as well.

You and all your effort is appreciated by me …Just a Humble SCCM N00b and a big FAN of yours!

Mark Louie

I have the same issue..tried deploying updates and it says on the configuration that the deployment was successful, and on the “Title” list where the deployed update was listed under the “Downloaded” and “Deployed” tab there was a “YES” statement. My problem is that no notification from “System Center” on the client machine. I think I missed steps on how to install System Center on the client. How can I see System Center on my client and is there any way that I can do to verify and check if the updates are really deployed on my client machine? Thanks…

Ryan Odinoidz

Hi Prajwal,
Good Day, Thank you for the manual i did follow all steps. But i have a question, I don’t have an idea where to find the error logs after i run my software updates to my client. My creating and deploying of software update was successful but not showing on the software Center of the client. Hope you solve my problem. Thanks

Cesar Lecca

I am deploying updates to Windows 7 and Windows 10 machines. In the SCCM monitor the machines show as completed/compliant, but when I go to the client machine there is no activity from the deployment that was run. Does anyone know what it could be? And the deployment monitoring tool indicates successful results.

jeff

Check the folder and share permissions on the location where you selected to download the patches to. Both the share and the folder need to be open to write access by SCCM.

kiran kumar

Every time I try to download any update from SCCM, I get the error. Failed to download content id 16839922. Please help.

Nasir Yilmaz

Attached SCCM client Image

Nasir Yilmaz

Hi ,

SCCM Keep waiting user approval “Install All” and it is deployed as a Required. How to deploy Updates automatically without enduser interruption
Thanks

MiT

How can we know if client updated or not after deploying software updates

Sparkdudimus

First I love your guides! The time you have put in for the community is beyond appreciated! I am trying to learn SCCM as I follow your guides step by step. Here is what I am getting, and any help is beyond appreciated.

After I click on “Synchronize Software Updates” I get this error in my wsyncmgr.log

Here is the WCM

and statesys

SCCM2K13

How is it possible to make the package install before on some deployment group to validate there is no regression ?
Also, we are starting on this, and we are afraid there are a lot of updates needed on our client systems, that will annoy users with 12348 reboots until all KB have been installed??

Charles

My WSUS sync isn’t working after a restore. Here are the following logs. I was able to remove Adobe by unchecking it and resyncing but I can’t get rid of the Java JRE Client. Please help. WCM Log Subscription contains categories unknown to WSUS.~ $$ Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error~ $$ .. Successfully connected to server: server, port: 8530, useSSL: False $$ Category Company:94d731de-22a6-4458-dc4d-b5267de026fc (Adobe Systems, Inc.) not found on WSUS $$ Category Product:b1d1a5ca-37c4-5805-b271-367467ef10f5 (Java JRE Client) not found on WSUS $$ Starting WSUS category sync from upstream… $$Microsoft.SystemsManagementServer.WSUS.WSUSMSPException: WSUS sync failed with UssNotFound: ~~…

AaronSmith86

Hey Prajwal,
I never get prompted to create a deployment package? What am I missing?

Sunil Kaushik

Hi Prajwal,

I want to change the maximum run time (minutes) for software updates by default is 10 min and want to change it for 30 min.

I know I can do it for every update manually. But how can I change it so that i don’t have to do it every month for the update. By default it should be set for 30 min.

Regards,
Sunil Kaushik.

peculiar

Please will like to know if you have come across this issue on security update deployment on windows server 2012 r2

I deployed security update via sccm and it recorded compliant for all the windows servers 2012 rs but when I log in to the servers the updates are not recorded on the add and remove programs.
why does SCCM behave that way for windows server 2012r2 because windows server 2012 and 2008 r2 shows the update deployed via sccm.

boris boris

Dear Prajwal,

Sorry to bother you, I have a critical issue in my SCCM 2012 R2, I try to troubleshoot and find the root cause but no luck, could you mind check my attachment file and take a look. Please advise me how can fix this issue, thx.

Regards

Boris

Dave

Thank you for your great how to steps Prajwal!! Is WSUS required for SCCM to manage updates? Since you can point SCCM directly to the Microsoft update servers couldn’t you do this without WSUS running? I have an environment with 100 systems I need to manage so I’m trying to do this as simple as I can. I have no need for secondary sites since everyone can hit my primary site. Thanks again!!

Brandy Reid

Hi Prajwal – Thank you for sharing this post, I’ve found it very helpful 🙂 I think I’m clear on all the steps except for the package source. According to technet, I need to manually create The shared folder for the deployment package source files Deployment package source: Specifies the location of the software update source files. When the deployment is generated, the source files are compressed and copied to the distribution points that are associated with the deployment package. The source location must be entered as a network path (for example, \\server\sharename\path), or the Browse button can be used…

Rahul Srivastva

Hi Prajwal,

Can u define the term “Internet-Based Software Update Point” please, Thanks in advance

Rahul Srivastav

Syed Suleman Gilani

Hi Prajwal
I have configured SCCM for updates but got errors.
Attachment has the scenario.. WCM and wsyncmgr log files..
Any Solution please ??

Syed Suleman Gilani

The above issue is solved.
My Internet Traffic was passing through a firewall and by allowing the ports 8530 and 8531 on my firewall, the updates started downloading.

Thanks

Greg Kunz

I am just starting to wade into the SCCM pool, and have a question about applying Monthly Windows updates. I believe that my problem lies with the Scan Agent and getting Updates to be detected as required etc. After the process runs everything comes back as Not Required. I have manually installed at least one of the problematic patches successfully, so they are needed. Going through the ScanAgent.log on the clients I see a lot of: Did not find CategoryID for Update:786656d5-cf9b-443c-a1bc-744b4ff6d3e7 ScanAgent 7/28/2016 8:51:22 AM 4472 (0x1178) CScanAgent::ScanByUpdates – Did not find UpdateClassification for Update:786656d5-cf9b-443c-a1bc-744b4ff6d3e7 ScanAgent 7/28/2016 8:51:22…

Higgs

Hi,

I have 2 separate servers, one for WSUS and one for SCCM. I will like to use SCCM to get the updates from this WSUS server.
Do i add site system role or create site system server? or both?

Thanks

chris davis

Hi Prajwal,

I am new to sccm, and learning how to deploy updates. After creating the software update group and then going to deploy, during following the steps i am not prompted to create the deployment package. Am I doing something wrong or missed a step?

Ed B.

Did you get any info on this? I have same issue. The ‘deployment package’ process is not even in the wizard.

mark reny

Prajwal. When I create the collection, within a few days I receive an error on the distribution site that there is a file missing from the folder and then the deployments fail. I created a patch distribution for Adobe Products and it worked this past Friday, but today when I came in, the deployment package that I created was displaying an error and it failed. It fails for the same reason in that there is a file missing from the folder. I am not sure why this is happening as I am not doing anything to these folders once I…

Stephen King

Hi Prajwal,

I’ve done a deployment, and it’s saying deployed in the deployment package, however the client doesn’t appear to be receiving the updates (the updates have been downloaded to the “sources/updates/windows 7” folder on the SCCM server.).

I took a look at UpdatesDeployment.log on the client however nothing seems to be standing out (the only thing would be “No current service window available to run updates assignment with time required = 1”).

Any help would be greatly appreciated.

Thanks,

Stephen
