How To Deploy Software Updates Using SCCM 2012 R2

In this post we will see how to deploy software updates using SCCM. Deploying the software updates for the computers is essential.

To stay protected against cyber-attacks and malicious threats, it is very important that you keep the computers patched with latest software updates.

The software updates are released by major software vendors to address security vulnerabilities in their existing products.

Software Updates in SCCM

When it comes to deploying updates, SCCM is the best tool to do it. You must understand that deploying updates is a complex task. SCCM make it easy not only to deploy updates but to gather the depoyment reports as well.

Software updates in SCCM provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise.

To deploy software updates, you can use any of the below methods.

  • Automatic Deployment
  • Manual Deployment
  • Phased Deployment

Deploying third-party updates using SCCM

Starting with SCCM 1806, you can deploy third-party updates easily. You can add third-party Software Update Catalogs node in the Configuration Manager console.

You can subscribe to third-party catalogs, publish their updates to your software update point (SUP), and then deploy them to clients. For more info read this post.

To summarize this post, we are going to perform the following.

  • Install and configure Software Update point role
  • Create a software update group.
  • Add the updates to a software update group
  • Distribute the update content to distribution points
  • Deploy the update group to clients

Deploy Software Updates Using SCCM

There are 2 ways to deploy software updates using SCCM, Manual and Automatic.

In Manual software updates deployment, a set of software updates is selected the SCCM console and these updates are deployed to the target collection.

Automatic software updates deployment is configured by using automatic deployment rules. This method is used for deploying monthly software updates and for managing definition updates.

When the rule runs, the software updates that meet a specified criteria are added to a software update group. The content files for the software updates are downloaded and copied to distribution points.

Finally the software updates are deployed to client computers in the target collection. In this post I will cover the steps to deploy the software updates manually.

For automatic deployment of software updates using SCCM, refer this post.

Install Software Update Point Role using SCCM Console

To install software update point role

  1. Launch the SCCM console.
  2. Click Administration > Site Configuration > Sites.
  3. At the top ribbon click on Add Site System Roles.

Deploy Software Updates Using SCCM 2012 R2 Snap1From the Add Site System Roles Wizard, select Software Update Point and click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap2For WSUS Configuration, select WSUS is configured to use ports 8530 and 8531 for client communications and click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap3

Select an account that can connect to WSUS server. Click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap4

Select Synchronize from Microsoft Update and click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap5

Click Enable synchronization on a schedule. Select Simple schedule. You may also click Alert when sync fails on any site in hierarchy. Click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap6

For Supersedence behavior, select Immediately expire a superseded software update. Click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap7Software Update Classifications

When you want to deploy updates, selecting the classifications (type of updates) is an important step. In my observation, I have seen most of organizations deploy Critical and Security updates only.

However if your requirement is to deploy other updates in addition to critical and security updates, select them.

Select Critical Updates, Definition Updates and Security Updates. Note that you can do this after installation of SUP as well. Click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap8

Choose the products that you want to synchronize, in this step I have selected Windows 7, Forefront Endpoint Protection 2010. Click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap9

Choose the desired language, click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap10

The Software Update Point role has been installed. Click Close.

Deploy Software Updates Using SCCM 2012 R2 Snap11

Synchronize Software Updates

After installing the software update point role, we must run a initial software updates synchronization.

  • In the SCCM console, click Software Library > Overview > Software Updates.
  • Now click All Software Updates. On the top ribbon click Synchronize Software Updates.

Deploy Software Updates Using SCCM 2012 R2 Snap12

To monitor software updates sync, open wsyncmgr.log and WCM.log file.

Below is the screenshot of the wsyncmgr.log file and we can see that the WSUS is synchronizing the categories and updates.

Deploy Software Updates Using SCCM 2012 R2 Snap13

The synchronization is complete. The software updates can now be seen when you click All Software Updates option in CM Console.

Deploy Software Updates Using SCCM 2012 R2 Snap14

Create Software Update Group

In the console we have got several updates. Deploying all the updates is up to your choice. When you want to target updates to specific product, you can do so.

Using the search criteria, we can filter the updates and deploy only the ones that are important. Most of all you can select all that are applicable for specific product.

Click Add criteria.

Select Expired, Product, Superseded, Bulletin ID. Click Add.

Choose the product as Windows 7, Bulletin ID as MS, Expired as NO, Superseded as NO.

When you specify the above criteria and click Search, the updates are shown based on your criteria.

Deploy Software Updates Using SCCM 2012 R2 Snap15

Now select all the updates (hold Shift+page Down), right click on the updates and click Create Software Update Group.

Deploy Software Updates Using SCCM 2012 R2 Snap16

Specify software update group name such as Windows 7 Update group. Click Create.

Deploy Software Updates Using SCCM 2012 R2 Snap17

Deploy Software Updates Wizard

When you have the software update group ready, proceed to deploying the updates.

Select the Software Update Group the you created in the previous step. Right click the Windows 7 Update Group and click Deploy.

Deploy Software Updates Using SCCM 2012 R2 Snap18

On the Deploy Software Updates Wizard, provide a Deployment Name, description and choose the collection for which this software update deployment must be deployed. Click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap19

Set the Type of deployment as Required and detail level can be set to Only success and error messages. Click Next.

If you select the deployment as Available, the software updates will be available in software center for installation.

Deploy Software Updates Using SCCM 2012 R2 Snap20

In this step you can schedule the deployment. Configure the schedule for this deployment, set the Time based on to Client local time.

Choose Software available time to specific time and set the Installation deadline to as soon as possible. Click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap21

On the User Experience page, you can choose to suppress the restart for Server or Workstations. Click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap22

For Deployment options, if a client is within a slow or unreliable network boundary then select Download software updates from distribution point and install.

If the updates are not available with preferred DPs then select Download and install software updates from the fallback content source location. Click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap23

Create a new deployment package by providing a name, location for the Package source and Sending priority. Click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap24

Add the Distribution Point and click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap25

Select Download software updates from the Internet. Click Next.

Deploy Software Updates Using SCCM 2012 R2 Snap26

Choose the language and click Next. The wizard will now download the updates and deploy them to the collection as per the schedule defined. Click Close.

Deploy Software Updates Using SCCM 2012 R2 Snap27

After few minutes we see that the updates are installed on one the client machines in the collection.

Deploy Software Updates Using SCCM 2012 R2 Snap28

You can choose to restart the computer by choosing Restart now or you can choose Snooze and remind me again in hours.

Deploy Software Updates Using SCCM 2012 R2 Snap29

Related Posts
Oldest Most Voted
Inline Feedbacks
View all comments

Hi Prajwal,

If I create multiple deployments from a SUG, will the deployments automatically run every time there are new patches in the SUG? Or do I need to create new deployments? For example, we deploy patches every month and I don’t want to create a new deployment each month. I just want the same deployment to push updates.

I already, created the ADR, which then creates the SUG. The ADR runs every day, but I have a maintenance window (one night a month) on the device collections I have updates pushed to.


Abhishek Kumar

Hi Prajwal,

Can we still manage patches from SCCM 2012. If yes, is it feasible to install SCCM 2012 client to server OS.


Hi Prajwal
I wanted to stop the update sync as I had selected all the windows updates starting from windows server 2003 unknowingly. Please reply regarding the steps to stop the update sync as its taking a lot of time for updates synchronization.


Hi Prajwal
I found out that to do this you need to the remove software update services site role installed in SCCM and select the WSUS cleanup ie, put a check mark for the option on the role removal window. And then later again add this role. This will delete the old updates after a span of couple of hours and when again the site role in added you can select only the required updates of Microsoft.
Anyways thanks for these very helpful blogs about SCCM. It has helped me gain in depth knowledge about SCCM.


In a patch deployment can we only download patches and not install the patches for a specific collection. Kindly let me know the way


Hi Prajawal,

Thank you for this tutorial, really insightful. I have followed the process and deployed windows server update to some servers. on the monitoring, it shows the deployment is successful but it is not installing and on the system, it say click to install. the compliance on SCCM is 0.0%. Please how do I make in install using SCCM.



Check if the server having maintenance windows, select the deployment, right click, in the deployment setting>user experience check the box system restart.
check logs if you are getting errors

Tamrat T Amanu

Hi Prajawal,
I followed this tutorial exactly as described but the updates aren’t showing in client machine. Do i need to update anything, let’s say in ” Specify intranet Microsoft update service location” in group policy?

Pavit J

No you need not Specify intranet Microsoft update service location in group policy. Ensure the updates are properly distributed to distribution points. Go to Monitoring node and check the status of deployment.


Also check the correct site server with correct SUP is assigned to the relevant boundary


Hi Prajwal,

I was trying to deploy updates in Available mode instead of Required mode, but it never got deployed, any suggestions to fix it.

While i had seen logs and had found that all the updates were getting synced, and were reaching to the MPs also.

Pavit J

Go to Monitoring and check the status of deployment.


Go to Administration -> Hierarchy Configuration -> Boundaries -> Locate your boundary and the Boundary Groups -> Locate the Boundary Group where your IP range sits, now here make sure under references you have your SUP Server listed as Site System Servers.


Suppose we have initiated a OS upgrade using Task sequence and with time window. let say 5 pm on Wed.
Can we change the installation time, will it affect to the initiated Task Sequence.

Pavit J

Yes you can always make the updates available at specific time and specify the installation deadline as well.



I am still a beginner and have a long way to go before I have somewhat mastered SCCM. I just wanted to say your guides are detailed and thorough and have been absolutely invaluable in my journey to learn it. Thank you!

Pavit J

That’s correct. I followed his guides and finished my updates deployment project. Got appreciation from my manager 🙂


Hi Prajwal,

congratulations for your guide I want to ask you I have this architecture I have only one server sccm 2016 1902 and another windows server 2016 with wsus role installed and working. Since I want to use sccm as a software update point can I use it connecting it to the existing wsus without installing a second sccm?

Thanks in advance

Jeremy Hauger

Unless your environment is very large I would suggest putting WSUS on the SCCM server and getting it configured, then decommissioning your standalone WSUS server. SCCM also may not like to play nicely with an already configured SCCM server.

Just my 2 cents worth.


Hi Prajwal,

We have been doing some server upgrades from Windows 2008>2012>2016. The Severs seem to run well after the upgrade to 2016, but are not showing as requiring any patches. We have new freshly installed 2016 Systems that the updates work fine on. I was wondering if anyone had seen issues with updating Windows 2016 systems that had been upgraded. Its like the systems are a little confused.

Thanks in advance.


Hi Prajwal,

I need to distribute the software updates for windows server 2016 using SCCM 2012 R2. It is possible?
Thanks in advance.


how to get complete status of scan cycle of all client machine

Rakesh Roshan

All i can say is love your work. You the best

Durga Pathak

Hi Prajwal, last week we started deploying Windows Server 2016 in our environment. I am able to see patches for Windows server 2016 in WSUS however they all do not show up in Configuration Manager Console except for KB4462917. I heard people saying this is known issue while others say, Windows Server 2016 all patches supercede previous ones. My environment is System Center Config Manager 2012 v1702 5.00.8498.1711. I would appreciate your kind suggestion. Thanks in advance.


Updates are superseded if they are the monthly cumulative ones. If you go to your SCCM console > Administration > Sites > Configure Site Components > Software Update Point, you can see if you are removing superseded updates immediately or after a specified time.


Hi What are the implications of removing and reinstalling existing SUP? The IIS is not showing sms or cms in application pools like the other SUP. We have 2 SUP. I’m getting wsus error messages from sccm 2012 console.


Do we actually need wsus to download the patch as well or will the SCCM take care of it as long as wsus service is on?

Hasan Ördek

I have a question about the “Install Software Updates” task in a Task Sequence. There are two options which you can select in the task, namely “Required for installation – Mandatory software updates only” and “Available for installation – All software updates”. What do these options mean? Does the first option mean that all the required updates for the concerning OS will be installed? And does the second option mean it will only install the updates deployed to a collection?

Vishal Shah

Hi Prajwal,

there is setting in SUP as below
“months to wait before a superseded software update is expired”. in my environment , currently its set to 1 months however client want to change it to 3 months. can you help us to know what can be the impact of this by changing this from 1 to 3 months?

Akhlaque Khan

Hi Prajwal,

I have configured software update as per your your blog but its not showing in system center on client computers and client is not getting updates from sccm. Please help on this
I am using SCCM2012 Build no.8325

Bojan Zivkovic

Hi Prajwal, I am using SCCM 1702. There are 2 ADRs – one for deploying Windows Defender Definition Updates and one for deploying Windows Server 2016 Updates. Both ADRs are deployed to the same collection containing 19 server members. Today I have noticed that during the weekend Windows Defender Definitions were updated only on one server while on other servers definitions are 3 days old. Having taken a look at updatesdeployment.log on “healthy” server and on other servers one line caught my eye: Evaluation initiated for (2) assignments – on “healthy” server Evaluation initiated for (1) assignments – on other… Read more »

Ahmed Gamal

Hi Prajwal , I Need Your Support Please Because After I Downloaded Windows Update And Deployed It Successfully One Of My Team Removed the Downloaded Updates from It’s Sources And when I tried To Install Windows Update Again It Fail Because I think Its already Downloaded and Took Content Id Number And Status is Downloaded so How I re download windows update again from Microsoft Updates again ??


Hi Prajwal..Could you please help me with any best trainer information or can you give any training for SCCM

thank you in advance

Roberto Sibilani

Hi Prajwal, I have just installed SCCM 2012R2 and upgraded to 1710 version. So, I installed WSUS and Update Point and I tested the deployment successfully. My two clients, Win 7 and Win 10, are compliant with 100%. I found, on the clients, all the required updates using Control Panel and History. The strange thing is that no updates are shown on client Software Center. All the tabs are empty. is this normal?

Christian Velazquez

Hi Prajwal,

I have followed your steps, but the clients dont recieve any updates. I dont even have a windowsupdate.log on the clients. I am syncing updates fine from wsus to sccm, but I cant get updates to move from sccm to clients. I am at a loss of what is my issue here. Any help would be greatly appreciated.


Hi Prajwal,

Question, do you have guide on how to package Dell Firmware/BIOS updates using SCCM


Hi Prajwal,

Great write up! I have a queation. When adding the updates role to the sccm server… Windows 10, Exchange 2013 and other more recent technologies are not listed in the options for updating… how do I get these to appear?


Prajwal… no I had not. I’ve done that now and we are in business!

Vahid can i do that?


Hi Everyone,
What is the best practices between the test environment and production environment for the update software push. I mean how many days waiting after my test to push in production?

Colleen Beach

The guidance you have posted has been great. Do you have anything for offline networks? I have a wsus server internet connected, did the export/import into the disconnected SCCM/WSUS. Synchronized the SCCM. When I try to setup the deployments I am having issues with the Deploy Software Updates Wizard – where should the download location point to? Should I point to the location of the WSUSContent (import) or the SCCMContentLib?

Zibonele Dlamini

I’d like echo Moe’s comments as well. Prajawal, you save a lot of us Noobies headaches with your blog. Very clear and simple to follow.
I’m also one of your biggest fans


I just want to thank you. Your Blog is my definitive GoTo when I want to understand how things work or need to be configured in SCCM. You explain things simply and have pictures as well.

You and all your effort is appreciated by me …Just a Humble SCCM N00b and a big FAN of yours!

Mark Louie

I have the same issue..tried deploying updates and it says on the configuration that the deployment was succesful, and on the “Title” list where the deployed update was listed under the “Downloaded” and “Deployed” tab there was a “YES” statement. My problem is that no notification from “System Center” on the client machine. I think I missed steps on how to install System Center on the client. How can I see System Center on my client and is there any way that I can do to verify and check if the updates are really deployed on my client machine? Thanks… Read more »

Ryan Odinoidz

Hi Prajwal,
Good Day, Thank you for the manual i did follow all steps. But i have a question, I don’t have an idea where to find the error logs after i run my software updates to my client. My creating and deploying of software update was successful but not showing on the software Center of the client. Hope you solve my problem. Thanks

kiran kumar

Every time I try to download any update from SCCM, I get the error. Failed to download content id 16839922. Please help.

Nasir Yilmaz

Attached SCCM client Image

Nasir Yilmaz

Hi ,

SCCM Keep waiting user approval “Install All” and it is deployed as a Required. How to deploy Updates automatically without enduser interruption


First I love your guides! The time you have put in for the community is beyond appreciated! I am trying to learn SCCM as I follow your guides step by step. Here is what I am getting, and any help is beyond appreciated.

After I click on “Synchronize Software Updates” I get this error in my wsyncmgr.logcomment image

Here is the WCM
comment image

and statesys
comment image


Please will like to know if you have come across this issue on security update deployment on windows server 2012 r2

i deployed security update via sccm and it recorded complaint for all the windows servers 2012 rs but when i log in to the servers the updates are not recorded on the add and remove programs.
why does SCCM behave that way for windows server 2012r2 because windows server 2012 and 2008 r2 shows the update deployed via sccm.

Brandy Reid

Hi Prajwal – Thank you for sharing this post, I’ve found it very helpful 🙂 I think I’m clear on all the steps except for the package source. According to technet, I need to manually create The shared folder for the deployment package source files Deployment package source: Specifies the location of the software update source files. When the deployment is generated, the source files are compressed and copied to the distribution points that are associated with the deployment package. The source location must be entered as a network path (for example, \serversharenamepath), or the Browse button can be used… Read more »

Rahul Srivastva

Hi Prajwal,

Can u define the term “Internet-Based Software Update Point” please, Thanks in advance

Rahul Srivastav

Greg Kunz

I am just starting to wade into the SCCM pool, and have a question about applying Monthly Windows updates. I believe that my problem lies with the Scan Agent and getting Updates to be detected as required etc. After the process runs I everything comes back as Not Required. I have manually installed at least one of the problematic patches successfully, so they are needed. Going through the ScanAgent.log on the clients I see a lot of: Did not find CategoryID for Update:786656d5-cf9b-443c-a1bc-744b4ff6d3e7 ScanAgent 7/28/2016 8:51:22 AM 4472 (0x1178) CScanAgent::ScanByUpdates – Did not find UpdateClassification for Update:786656d5-cf9b-443c-a1bc-744b4ff6d3e7 ScanAgent 7/28/2016 8:51:22… Read more »

Stephen King

Hi Prajwal,

I’ve done a deployment, and it’s saying deployed in the deployment package, however the client doesn’t appear to be receiving the updates (the updates have been downloaded to the “sources/updates/windows 7” folder on the SCCM server.).

I took a look at UpdatesDeployment.log on the client however nothing seems to be standing out (the only thing would be “No current service window available to run updates assignment with time required = 1”).

Any help would be greatly appreciated.



Patmanaban Narayanan Kutty

Hi Prajwal, I deployed windows 7 updates to pilot users. I Check report, Security Update for Windows 7 (KB3146963) is required and installed on my laptop. But 2 more Desktop PC shows the update not required. All machines are windows 7 32bit. Is it a problem? Please help thanks.


Hello Prajwal I am currently installing a newer version of SCCM 2012 in our dev enviroment before it goes to production we originally had 2007 but I have not migrated anything with the old version this is a fresh intall. I am trying to connect my WSUS server which is on a different box to my newly built 2012 sccm box, I have tried conneting using your guide and guide and to no avail I have not succeded. This is very baffling as the 2007 box connected with no problems. Do I need a fresh install of the WSUS… Read more »


Hi Phil,

Have you figured out how to connect your existing WSUS server? I’ve hit the same road block. It’s not clear if I use “Synchronize from and upstream data source…” or not.




hey Prajwal now updates appears but on the client machine nothing updating those software updates. what is the major reason why client machine dnt have acces for updating installation? System center installation showing empty after done those step can you solve this issue please


Dear Prajwal

i couldnt find out the solution of sync updates nothing showing i cheek its log file there showing error. i already attached snaps what error became during sync updates tell me what is its final solution? thnx



i have problem with the updates i tired many time as you described but no updates showing in the when i try you do updates sync nothing showing after performs all these steps im tired tell me what to do sir? what can be mistake ? what to do then it will work ?


Please help…
I have created a Windows Update Package for Windows 7. When I tried to run the deployment, everything look fine and completed with no errors. However, nothing is happening on the client hosts (i.e. Windows 7 hosts). I don’t know where to check for error, and what did I do wrong or need to perform?


Hi, I’m confused with he last few step od the Deploy Software Update Wizard: I’m stuck at the Deployment Package step. Which location should I pick? Can I pick local hard drive? Thank you in advance!


SCCM is complaining that the WSUS server cannot be contacted. I check IIS and there is no WSUS server running. I have reinstalled WSUS twice now, and there is no such step prompting me to “Create a Windows Server Update Services 3.0 Web site”. It’s not there. This is installing it from the add roles and features section of the Server Manager in server 2012 R2. The error I’m getting in the event log is this: “On 3/12/2015 12:21:25 PM, component SMS_WSUS_CONTROL_MANAGER on computer blah reported: WSUS Control Manager failed to configure proxy settings on WSUS Server “blah”. Possible cause:… Read more »

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More