How To Deploy Software Updates Using SCCM 2012 R2

In this post we will look at the steps to deploy software updates using SCCM 2012 R2. Deploying software updates to computers is essential: major software vendors release them to address security vulnerabilities in their existing products. To stay protected against cyber-attacks and malicious threats, it is very important to keep computers patched with the latest software updates.

Software updates in System Center 2012 R2 Configuration Manager provides a set of tools and resources that help manage the complex task of tracking and applying software updates to client computers in the enterprise. SCCM 2012 R2 adds a few new features, including a new maintenance window dedicated to software updates installation. This lets you configure a general maintenance window and a different maintenance window for software updates.

When a general maintenance window and software updates maintenance window are both configured, clients install software updates only during the software updates maintenance window. A new feature called Software updates preview lets you review the software updates before you create the deployment.


There are two ways to deploy software updates using SCCM 2012 R2: manual and automatic. In manual software updates deployment, a set of software updates is selected in the Configuration Manager console and these updates are deployed to the target collection, whereas automatic software updates deployment is configured by using automatic deployment rules. The automatic method is used for deploying monthly software updates and for managing definition updates.

When the rule runs, the software updates that meet the specified criteria (for example, all security software updates released in the last week) are added to a software update group, the content files for the software updates are downloaded and copied to distribution points, and the software updates are deployed to client computers in the target collection. In this post we will see the steps to deploy the software updates manually; automatic software updates deployment will be covered in a separate post.

To start with, install the Software Update Point role. Launch the Configuration Manager console, click Administration, expand Overview, click Site Configuration, then click Sites. On the top ribbon click Add Site System Roles.

From the Add Site System Roles Wizard, click on Software Update Point and click Next.

For WSUS Configuration, select WSUS is configured to use ports 8530 and 8531 for client communications and click Next.

When you install WSUS, you can specify whether to use the default Internet Information Services (IIS) website or create a new custom WSUS website. As a best practice, select Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in a dedicated website instead of sharing the same website with other Configuration Manager site systems or other software applications. When you use a custom website for WSUS 3.0, WSUS configures port 8530 for HTTP and port 8531 for HTTPS. You must specify these port settings when you create the software update point for the site.

For WSUS Server Connection Account, click Use credentials to connect to the WSUS server, click on Set and choose the account. The account provides authenticated access from the site to the WSUS server. Click Next.

Click Synchronize from Microsoft Update and click Next.

Click Enable synchronization on a schedule and let the schedule be set to default (simple schedule). You may also click Alert when sync fails on any site in hierarchy. Click Next.

For Supersedence behavior, select Immediately expire a superseded software update. Click Next.

Select Critical Updates, Definition Updates and Security Updates. Note that you can do this after installation of the SUP. Click Next.

Choose the products that you want to synchronize; in this step I have selected Windows 7 and Forefront Endpoint Protection 2010. Click Next.

Choose the desired language, click Next.

The Software Update Point role has been installed. Click Close.

In the Configuration Manager console, click Software Library, expand Overview, click Software Updates, click All Software Updates and on the top ribbon click Synchronize Software Updates.

To see what is happening in the background, open two log files: wsyncmgr.log and WCM.log. Below is the screenshot of the wsyncmgr.log file, and we can see that WSUS is synchronizing the categories and updates.

The synchronization is completed. The software updates can now be seen when you click the All Software Updates option in the CM console. Note that the updates are yet to be downloaded.
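To check wsyncmgr.log and WCM.log without reading them line by line, the following PowerShell (an added example, not part of the original post or of Configuration Manager) parses the `message $$<component><timestamp><thread=...>` layout of these site server logs and reports failed operations and WSUS connections made without SSL. The function names, the host name cm01.example.test and the sample lines are constructed for illustration.

```powershell
# Added example (not from the original post). The sample lines are constructed:
# host name, times and thread ids are made up.
$sampleLog = @'
Successfully connected to server: cm01.example.test, port: 8530, useSSL: False  $$<SMS_WSUS_CONFIGURATION_MANAGER><03-10-2014 09:15:02.114+300><thread=4120 (0x1018)>
Starting WSUS category sync from upstream...  $$<SMS_WSUS_SYNC_MANAGER><03-10-2014 09:15:40.530+300><thread=5236 (0x1474)>
Subscription contains categories unknown to WSUS.~  $$<SMS_WSUS_CONFIGURATION_MANAGER><03-10-2014 09:17:11.870+300><thread=4120 (0x1018)>
Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error~  $$<SMS_WSUS_CONFIGURATION_MANAGER><03-10-2014 09:17:11.902+300><thread=4120 (0x1018)>
'@ -split "`r?`n"

# Parse one line of the server-side log layout:
#   message  $$<component><MM-dd-yyyy HH:mm:ss.fff+bias><thread=id (0xhex)>
# The time zone bias after the milliseconds is ignored; times stay local to the server.
function ConvertFrom-CMServerLogLine {
    param([Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line)
    process {
        $pattern = '^(?<msg>.*?)\s*\$\$<(?<component>[^>]+)>' +
                   '<(?<stamp>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})[^>]*><thread=(?<thread>\d+)'
        if ($Line -notmatch $pattern) { return }   # blank or continuation line: skip it
        [pscustomobject]@{
            Time      = [datetime]::ParseExact($Matches.stamp, 'MM-dd-yyyy HH:mm:ss.fff',
                            [cultureinfo]::InvariantCulture)
            Component = $Matches.component
            Message   = $Matches.msg.TrimEnd('~', ' ')   # '~' marks a line break in the log
        }
    }
}

# Turn parsed entries into findings a patching admin should look at.
function Get-CMSyncFinding {
    param([Parameter(Mandatory, ValueFromPipeline)]$Entry)
    process {
        # WSUS reached without SSL (the post pairs port 8530 with HTTP, 8531 with HTTPS)
        if ($Entry.Message -match 'port: (?<port>\d+), useSSL: False') {
            [pscustomobject]@{
                Time   = $Entry.Time
                Kind   = 'NoSSL'
                Detail = "$($Entry.Component): WSUS connection on port $($Matches.port) without SSL"
            }
        }
        # Failed operations; a decimal error code is also shown as the usual 0x HRESULT
        if ($Entry.Message -match '\bfailed\b') {
            $detail = $Entry.Message
            if ($detail -match 'Error:\((?<code>-?\d+)\)') {
                $detail += ' [' + ('0x{0:X8}' -f [int]$Matches.code) + ']'
            }
            [pscustomobject]@{ Time = $Entry.Time; Kind = 'Failure'; Detail = $detail }
        }
    }
}

$sampleLog | ConvertFrom-CMServerLogLine | Get-CMSyncFinding | Format-List
```

On a site server, pipe `Get-Content` of the real WCM.log or wsyncmgr.log into `ConvertFrom-CMServerLogLine` instead of `$sampleLog`.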

We will not deploy all of these updates; instead we will filter them by adding criteria. Click on Add criteria. Select Expired, Product, Superseded and Bulletin ID. Click Add. Choose the product as Windows 7, Bulletin ID as MS, Expired as No, Superseded as No.

Now select all the updates (hold Shift+Page Down), right click on the updates and click Create Software Update Group.

Provide the name for the software update group as Windows 7 Update group. Click Create.

Click on Software Update Group and you will find the software update group that was created in the previous step. Right click on the Windows 7 Update Group and click Deploy.

On the Deploy Software Updates Wizard, provide a Deployment Name and description, and choose the collection to which this software update deployment must be deployed. Click Next.

Set the Type of deployment as Required; the detail level can be set to Only success and error messages. Click Next.

Configure the schedule for this deployment: set Time based on to Client local time, set Software available time to a specific time and set the Installation deadline to as soon as possible. Click Next.

On the User Experience page, you can choose to suppress the restart for Servers or Workstations. Click Next.

For Deployment options, if a client is within a slow or unreliable network boundary then select Download software updates from distribution point and install. If the updates are not available on the preferred DPs then select Download and install software updates from the fallback content source location. Click Next.

Create a new deployment package by providing a name, a location for the Package source and a Sending priority. Click Next.

Add the Distribution Point and click Next.

For Download Location choose Download software updates from the Internet. Click Next.

Choose the language and click Next. The wizard will now download the updates and deploy them to the collection as per the schedule defined. Click on Close to close the wizard.

After a few minutes we see that the updates are installed on one of the client machines in the collection and there is a notification that the system needs to be restarted.

You can choose to restart the computer by choosing Restart now or you can choose Snooze and remind me again in hours.

ashwini

How to get the complete status of the scan cycle of all client machines?

Rakesh Roshan

All I can say is I love your work. You're the best.

Durga Pathak

Hi Prajwal, last week we started deploying Windows Server 2016 in our environment. I am able to see patches for Windows Server 2016 in WSUS; however, they do not all show up in the Configuration Manager console, except for KB4462917. I heard people saying this is a known issue, while others say all Windows Server 2016 patches supersede previous ones. My environment is System Center Config Manager 2012 v1702 5.00.8498.1711. I would appreciate your kind suggestion. Thanks in advance.

Fexscm

Updates are superseded if they are the monthly cumulative ones. If you go to your SCCM console > Administration > Sites > Configure Site Components > Software Update Point, you can see if you are removing superseded updates immediately or after a specified time.

Rizvi

Hi, what are the implications of removing and reinstalling an existing SUP? IIS is not showing sms or cms in the application pools like the other SUP. We have 2 SUPs. I’m getting WSUS error messages from the SCCM 2012 console.

tony

Do we actually need wsus to download the patch as well or will the SCCM take care of it as long as wsus service is on?

Hasan Ördek

I have a question about the “Install Software Updates” task in a Task Sequence. There are two options which you can select in the task, namely “Required for installation – Mandatory software updates only” and “Available for installation – All software updates”. What do these options mean? Does the first option mean that all the required updates for the concerning OS will be installed? And does the second option mean it will only install the updates deployed to a collection?

Vishal Shah

Hi Prajwal,

There is a setting in SUP as below:
“months to wait before a superseded software update is expired”. In my environment it is currently set to 1 month; however, the client wants to change it to 3 months. Can you help us understand what the impact of changing this from 1 to 3 months would be?

Akhlaque Khan

Hi Prajwal,

I have configured software updates as per your blog, but they are not showing in System Center on the client computers and the client is not getting updates from SCCM. Please help with this.
I am using SCCM 2012 build no. 8325.

Bojan Zivkovic

Hi Prajwal, I am using SCCM 1702. There are 2 ADRs – one for deploying Windows Defender Definition Updates and one for deploying Windows Server 2016 Updates. Both ADRs are deployed to the same collection containing 19 server members. Today I have noticed that during the weekend Windows Defender Definitions were updated only on one server while on other servers definitions are 3 days old. Having taken a look at updatesdeployment.log on “healthy” server and on other servers one line caught my eye: Evaluation initiated for (2) assignments – on “healthy” server Evaluation initiated for (1) assignments – on other…

Ahmed Gamal

Hi Prajwal, I need your support please, because after I downloaded Windows updates and deployed them successfully, one of my team removed the downloaded updates from their sources, and when I tried to install the Windows updates again it failed, because I think they are already downloaded and took a content ID number and the status is Downloaded. So how do I re-download the Windows updates from Microsoft Update again?

Naveen

Hi Prajwal, could you please help me with any information on the best trainers, or can you give any training for SCCM?

Thank you in advance.

Roberto Sibilani

Hi Prajwal, I have just installed SCCM 2012 R2 and upgraded to version 1710. So, I installed WSUS and the Software Update Point and I tested the deployment successfully. My two clients, Win 7 and Win 10, are 100% compliant. I found, on the clients, all the required updates using Control Panel and History. The strange thing is that no updates are shown in the client Software Center. All the tabs are empty. Is this normal?

Christian Velazquez

Hi Prajwal,

I have followed your steps, but the clients don't receive any updates. I don't even have a windowsupdate.log on the clients. I am syncing updates fine from WSUS to SCCM, but I can't get updates to move from SCCM to clients. I am at a loss as to what my issue is here. Any help would be greatly appreciated.

Peejay

Hi Prajwal,

Question: do you have a guide on how to package Dell firmware/BIOS updates using SCCM?

Karl

Hi Prajwal,

Great write up! I have a question. When adding the updates role to the SCCM server… Windows 10, Exchange 2013 and other more recent technologies are not listed in the options for updating… how do I get these to appear?

Bouhdila

Hi Everyone,
What are the best practices between the test environment and the production environment for the software update push? I mean, how many days should I wait after my test before pushing to production?

Colleen Beach

The guidance you have posted has been great. Do you have anything for offline networks? I have a wsus server internet connected, did the export/import into the disconnected SCCM/WSUS. Synchronized the SCCM. When I try to setup the deployments I am having issues with the Deploy Software Updates Wizard – where should the download location point to? Should I point to the location of the WSUSContent (import) or the SCCMContentLib?

Zibonele Dlamini

I’d like to echo Moe’s comments as well. Prajwal, you save a lot of us noobies headaches with your blog. Very clear and simple to follow.
I’m also one of your biggest fans.

Moe

Sir,
I just want to thank you. Your Blog is my definitive GoTo when I want to understand how things work or need to be configured in SCCM. You explain things simply and have pictures as well.

You and all your effort is appreciated by me …Just a Humble SCCM N00b and a big FAN of yours!

Mark Louie

I have the same issue. I tried deploying updates and the configuration says that the deployment was successful, and in the “Title” list where the deployed update was listed, under the “Downloaded” and “Deployed” tabs there was a “YES” statement. My problem is that there is no notification from “System Center” on the client machine. I think I missed steps on how to install System Center on the client. How can I see System Center on my client, and is there any way that I can verify and check if the updates are really deployed on my client machine? Thanks…

Ryan Odinoidz

Hi Prajwal,
Good day, thank you for the manual. I did follow all the steps, but I have a question: I don’t have an idea where to find the error logs after I run my software updates on my client. Creating and deploying my software update was successful, but it is not showing in the Software Center of the client. Hope you can solve my problem. Thanks.

Cesar Lecca

I am deploying updates to Windows 7 and Windows 10 machines. In the SCCM monitor the machines show as completed and compliant, but when I go to the client machine there is no activity from the deployment that was run. Do you know what it could be? The deployment monitoring tool also reports successful results.

jeff

Check the folder and share permissions on the location where you selected to download the patches to. Both the share and the folder need to be open to write access by SCCM.

kiran kumar

Every time I try to download any update from SCCM, I get the error. Failed to download content id 16839922. Please help.

Nasir Yilmaz

Hi ,

SCCM keeps waiting for user approval (“Install All”) even though it is deployed as Required. How can I deploy updates automatically without end-user interruption?
Thanks

Nasir Yilmaz

Attached SCCM client Image

MiT

How can we know if a client updated or not after deploying software updates?

Sparkdudimus

First I love your guides! The time you have put in for the community is beyond appreciated! I am trying to learn SCCM as I follow your guides step by step. Here is what I am getting, and any help is beyond appreciated.

After I click on “Synchronize Software Updates” I get this error in my wsyncmgr.log

Here is the WCM

and statesys

SCCM2K13

How is it possible to make the package install first on some deployment group, to validate that there is no regression?
Also, we are starting on this, and we are afraid there are a lot of updates needed on our client systems, which will annoy users with 12348 reboots until all KBs have been installed?

Charles

My WSUS sync isn’t working after a restore. Here are the following logs. I was able to remove Adobe by unchecking it and resyncing but I can’t get rid of the Java JRE Client. Please help. WCM Log Subscription contains categories unknown to WSUS.~ $$ Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error~ $$ .. Successfully connected to server: server, port: 8530, useSSL: False $$ Category Company:94d731de-22a6-4458-dc4d-b5267de026fc (Adobe Systems, Inc.) not found on WSUS $$ Category Product:b1d1a5ca-37c4-5805-b271-367467ef10f5 (Java JRE Client) not found on WSUS $$ Starting WSUS category sync from upstream… $$Microsoft.SystemsManagementServer.WSUS.WSUSMSPException: WSUS sync failed with UssNotFound: ~~…

AaronSmith86

Hey Prajwal,
I never get prompted to create a deployment package? What am I missing?

Sunil Kaushik

Hi Prajwal,

I want to change the maximum run time (minutes) for software updates. By default it is 10 min and I want to change it to 30 min.

I know I can do it for every update manually. But how can I change it so that I don’t have to do it every month for the updates? By default it should be set to 30 min.

Regards,
Sunil Kaushik.

peculiar

Please, I would like to know if you have come across this issue with security update deployment on Windows Server 2012 R2.

I deployed a security update via SCCM and it recorded compliant for all the Windows Server 2012 R2 servers, but when I log in to the servers the updates are not recorded in Add and Remove Programs.
Why does SCCM behave that way for Windows Server 2012 R2, when Windows Server 2012 and 2008 R2 show the update deployed via SCCM?

boris boris

Dear Prajwal,

Sorry to bother you. I have a critical issue in my SCCM 2012 R2. I tried to troubleshoot and find the root cause but had no luck. Would you mind checking my attached file and taking a look? Please advise me how I can fix this issue, thx.

Regards

Boris

Dave

Thank you for your great how to steps Prajwal!! Is WSUS required for SCCM to manage updates? Since you can point SCCM directly to the Microsoft update servers couldn’t you do this without WSUS running? I have an environment with 100 systems I need to manage so I’m trying to do this as simple as I can. I have no need for secondary sites since everyone can hit my primary site. Thanks again!!

Brandy Reid

Hi Prajwal – Thank you for sharing this post, I’ve found it very helpful 🙂 I think I’m clear on all the steps except for the package source. According to TechNet, I need to manually create the shared folder for the deployment package source files. Deployment package source: Specifies the location of the software update source files. When the deployment is generated, the source files are compressed and copied to the distribution points that are associated with the deployment package. The source location must be entered as a network path (for example, \\server\sharename\path), or the Browse button can be used…

Rahul Srivastva

Hi Prajwal,

Can you define the term “Internet-Based Software Update Point” please? Thanks in advance.

Rahul Srivastav

Syed Suleman Gilani

Hi Prajwal
I have configured SCCM for updates but got errors.
The attachment has the scenario: WCM and wsyncmgr log files.
Any solution, please?

Syed Suleman Gilani

The above issue is solved.
My Internet Traffic was passing through a firewall and by allowing the ports 8530 and 8531 on my firewall, the updates started downloading.

Thanks

Greg Kunz

I am just starting to wade into the SCCM pool, and have a question about applying monthly Windows updates. I believe that my problem lies with the Scan Agent and getting updates to be detected as required etc. After the process runs everything comes back as Not Required. I have manually installed at least one of the problematic patches successfully, so they are needed. Going through the ScanAgent.log on the clients I see a lot of: Did not find CategoryID for Update:786656d5-cf9b-443c-a1bc-744b4ff6d3e7 ScanAgent 7/28/2016 8:51:22 AM 4472 (0x1178) CScanAgent::ScanByUpdates – Did not find UpdateClassification for Update:786656d5-cf9b-443c-a1bc-744b4ff6d3e7 ScanAgent 7/28/2016 8:51:22…

Higgs

Hi,

I have 2 separate servers, one for WSUS and one for SCCM. I would like to use SCCM to get the updates from this WSUS server.
Do I add a site system role or create a site system server? Or both?

Thanks

chris davis

Hi Prajwal,

I am new to SCCM, and learning how to deploy updates. After creating the software update group and then going to deploy, while following the steps I am not prompted to create the deployment package. Am I doing something wrong, or have I missed a step?

Ed B.

Did you get any info on this? I have the same issue. The ‘deployment package’ process is not even in the wizard.

mark reny

Prajwal. When I create the collection, within a few days I receive an error on the distribution site that there is a file missing from the folder and then the deployments fail. I created a patch distribution for Adobe Products and it worked this past Friday, but today when I came in, the deployment package that I created was displaying an error and it failed. It fails for the same reason in that there is a file missing from the folder. I am not sure why this is happening as I am not doing anything to these folders once I…

Stephen King

Hi Prajwal,

I’ve done a deployment, and it’s saying deployed in the deployment package, however the client doesn’t appear to be receiving the updates (the updates have been downloaded to the “sources/updates/windows 7” folder on the SCCM server.).

I took a look at UpdatesDeployment.log on the client however nothing seems to be standing out (the only thing would be “No current service window available to run updates assignment with time required = 1”).

Any help would be greatly appreciated.

Thanks,

Stephen

Nick

Hi Prajwal, can you configure where the site server should store all these updates? I’ve got a separate hard drive for it but I don’t see an option.

Tadeas

Can you please explain to me how the software update deployment process will work, if I install a new machine in the environment? I installed it via MDT task sequence, added it to the domain, it has SCCM client installed, I even added the machine to the Device collection for which I have set automatic updates. Will the Automatic Deployment Rule apply to the newly added server as well? Or are there some updates that have to be installed manually?

Can someone make this clear to me? Thanks
