In this article, I will explain how to deploy software updates using SCCM (ConfigMgr). Use this guide to deploy the software updates to enterprise computers and patch them with the latest updates.
This SCCM patch management step-by-step guide covers all the steps required to deploy the updates to production machines. To stay protected against cyber-attacks and malicious threats, you must keep the computers patched with latest software updates.
The software updates are released by major software vendors to address security vulnerabilities in their existing products. With Configuration Manager, you can also deploy third-party software updates, which is really an advantage.
Software Updates in SCCM
When it comes to deploying updates, SCCM is the best tool for the job. You must understand that deploying updates is a complex task. SCCM makes it easy not only to deploy updates but also to gather the deployment reports.
Software updates in SCCM provide a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise.
To deploy software updates, you can use any of the below methods.
- Automatic Deployment
- Manual Deployment
- Phased Deployment
Deploying third-party updates using SCCM
Starting with SCCM 1806, you can deploy third-party updates easily. You can add third-party Software Update Catalogs node in the Configuration Manager console.
You can subscribe to third-party catalogs, publish their updates to your software update point (SUP), and then deploy them to clients. For more info, read this post.
To summarize this post, we are going to perform the following.
- Install and configure Software Update point role
- Create a software update group.
- Add the updates to a software update group
- Distribute the update content to distribution points
- Deploy the update group to clients
Download Software Updates in Configuration Manager
There are several methods available to you for downloading software updates in Configuration Manager. The easiest method is to create an automatic deployment rule (ADR) which downloads the software updates to the content library on the site server.
Another way to download software updates is the manual method. In this method, you select only the essential software updates in the Configuration Manager console and download them to a location on the site server.
After the Software Updates are downloaded, they are copied to the content library on the distribution points that are associated with the configured deployment package. You can select multiple distribution points and send the updates to each DP.
If you want to download the software updates before you deploy them, you can use the Download Updates Wizard. Doing this will enable you to verify that the software updates are available on distribution points before you deploy the software updates to client computers.
Deploy Software Updates Using SCCM
There are three ways to deploy software updates using SCCM:
- Manual deployment: In Manual software updates deployment, a set of software updates is selected in the SCCM console and these updates are deployed to the target collection.
- Automatic deployment: Automatic software updates deployment is configured by using automatic deployment rules. This method is used for deploying monthly software updates and for managing definition updates.
- Phased deployment: In SCCM you can create phased deployments for software updates. Phased deployments allow you to orchestrate a coordinated, sequenced rollout of software based on customizable criteria and groups.
The best method for deploying software updates for enterprises is Automatic Deployment, which is listed among the methods above. ADR is the method of choice for the majority of organizations because it is simple and practical. When the ADR rule runs, the software updates that meet specified criteria are added to a software update group. The content files for the software updates are downloaded and copied to distribution points.
If you are looking to create an ADR and deploy software updates using SCCM, take a look at a detailed guide on how to create an Automatic Deployment Rule in SCCM.
Install Software Update Point Role using SCCM Console
To install software update point role:
- Launch the SCCM console.
- Click Administration > Site Configuration > Sites.
- At the top ribbon click on Add Site System Roles.
From the Add Site System Roles Wizard, select Software Update Point and click Next.
For WSUS Configuration, select WSUS is configured to use ports 8530 and 8531 for client communications and click Next.
Select an account that can connect to WSUS server. Click Next.
Select Synchronize from Microsoft Update and click Next.
Click Enable synchronization on a schedule. Select Simple schedule. You may also click Alert when sync fails on any site in hierarchy. Click Next.
For Supersedence behavior, select Immediately expire a superseded software update. Click Next.
When you want to deploy updates, selecting the classifications (types of updates) is an important step. According to what I have observed, the majority of organizations only deploy Critical and Security updates.
However, if your requirement is to deploy other updates in addition to critical and security updates, select them. Select Critical Updates, Definition Updates and Security Updates. Note that you can do this after installation of SUP as well. Click Next.
Choose the products that you want to synchronize. In this step I have selected Windows 7 and Forefront Endpoint Protection 2010. Click Next.
Choose the desired language, click Next.
The Software Update Point role has been installed. Click Close.
Synchronize Software Updates
After installing the software update point role, we must run an initial software updates synchronization.
- In the SCCM console, click Software Library > Overview > Software Updates.
- Now click All Software Updates. On the top ribbon click Synchronize Software Updates.
To monitor software updates sync, open wsyncmgr.log and WCM.log file.
Below is a screenshot of the wsyncmgr.log file, in which we can see that WSUS is synchronizing the categories and updates.
The synchronization is complete. The software updates can now be seen when you click All Software Updates option in CM Console.
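Rather than reading wsyncmgr.log by hand after every sync, the status can be pulled from the log programmatically. This is an added example, not code from the original post: the CMTrace-format log lines below are constructed samples, and the real file path is assumed to be the site server's Logs folder.

```powershell
# Constructed sample of wsyncmgr.log (CMTrace format): one failed sync
# followed by a successful one. On a real site server read the file with
# Get-Content "<ConfigMgr install dir>\Logs\wsyncmgr.log" instead.
$SampleLog = @'
<![LOG[Performing sync on local request]LOG]!><time="02:00:01.123+000" date="03-10-2020" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="wsyncmgr.cpp:1234">
<![LOG[Sync failed: WSUS server not configured. Source: CWSyncMgr::DoSync]LOG]!><time="02:00:05.456+000" date="03-10-2020" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4120" file="wsyncmgr.cpp:5678">
<![LOG[Performing sync on local request]LOG]!><time="03:00:01.123+000" date="03-10-2020" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="wsyncmgr.cpp:1234">
<![LOG[Sync succeeded. Setting alert to canceled state]LOG]!><time="03:14:22.789+000" date="03-10-2020" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="wsyncmgr.cpp:9012">
'@

function Get-WsusSyncStatus {
    param([string[]]$Lines)
    # A CMTrace line carries the message, then time/date/type attributes.
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)".*?type="(?<type>\d)"'
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                # Drop the UTC offset suffix ("+000") before parsing the time.
                Timestamp = [datetime]::ParseExact(
                    "$($Matches.date) $($Matches.time.Substring(0, 12))",
                    'MM-dd-yyyy HH:mm:ss.fff', $null)
                Type      = [int]$Matches.type   # 1 = info, 2 = warning, 3 = error
                Message   = $Matches.msg
            }
        }
    }
    # The most recent "Sync succeeded" / "Sync failed" line decides the state;
    # an older failure followed by a success is not an open problem.
    $last = $events |
        Where-Object { $_.Message -match '^Sync (succeeded|failed)' } |
        Sort-Object Timestamp | Select-Object -Last 1
    if (-not $last) { return 'No completed sync found in log' }
    if ($last.Message -like 'Sync failed*') {
        return "FAILED at $($last.Timestamp): $($last.Message)"
    }
    return "OK at $($last.Timestamp)"
}

# Evaluate the constructed sample (reports the later, successful sync).
Get-WsusSyncStatus -Lines ($SampleLog -split "`r?`n")
```

Schedule this against the real log to raise a ticket when the last completed sync is a failure, which is the same condition the SUP's "Alert when sync fails" option covers in the console.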
Create Software Update Group
In the console we now have several updates. Whether you deploy all of them is up to you; when you want to target updates to a specific product, you can do so.
Using the search criteria, we can filter the updates and deploy only the ones that are important. Above all, you can select all the updates that are applicable to a specific product.
Click Add criteria.
Select Expired, Product, Superseded, Bulletin ID. Click Add.
Choose the product as Windows 7, Bulletin ID as MS, Expired as NO, Superseded as NO.
When you specify the above criteria and click Search, the updates are shown based on your criteria.
Now select all the updates (hold Shift and press Page Down), right-click the selected updates and click Create Software Update Group.
Specify software update group name such as Windows 7 Update group. Click Create.
Deploy Software Updates Wizard
When you have the software update group ready, proceed to deploying the updates.
Select the Software Update Group that you created in the previous step. Right-click the Windows 7 Update Group and click Deploy.
On the Deploy Software Updates Wizard, provide a Deployment Name and description, and choose the collection to which this software update deployment must be targeted. Click Next.
Set the Type of deployment as Required and detail level can be set to Only success and error messages. Click Next.
If you select the deployment as Available, the software updates will be available in software center for installation.
In this step you can schedule the deployment. Configure the schedule for this deployment and set Time based on to Client local time.
Set Software available time to a specific time and set the Installation deadline to As soon as possible. Click Next.
On the User Experience page, you can choose to suppress the restart for Server or Workstations. Click Next.
For Deployment options, if a client is within a slow or unreliable network boundary then select Download software updates from distribution point and install.
If the updates are not available with preferred DPs then select Download and install software updates from the fallback content source location. Click Next.
Create a new deployment package by providing a name, location for the Package source and Sending priority. Click Next.
Add the Distribution Point and click Next.
Select Download software updates from the Internet. Click Next.
Choose the language and click Next. The wizard will now download the updates and deploy them to the collection as per the schedule defined. Click Close.
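The search criteria, update group and deployment wizard settings from the last two sections can also be driven from the ConfigMgr PowerShell module that ships with the console. This is an added example, not code from the original post: the site code PS1, the collection name, the package source path and the exact cmdlet parameter names are assumptions to check against your module version.

```powershell
# Assumed: the console is installed on this machine and the site code is PS1.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$GroupName      = 'Windows 7 Update group'
$CollectionName = 'Windows 7 Workstations'           # assumed collection name
$PackageName    = 'Windows 7 Updates'                # assumed deployment package
$PackageSource  = '\\SCCMSERVER\Sources\Updates\Win7' # assumed UNC source path

# Same filter as the console search: product Windows 7, bulletin ID starting
# with MS, not expired, not superseded. -Fast skips slow lazy properties.
$updates = Get-CMSoftwareUpdate -Fast -CategoryName 'Windows 7' -BulletinId 'MS*' `
    -IsExpired $false -IsSuperseded $false
if (-not $updates) { throw 'No updates matched; check that the SUP sync succeeded.' }

# Create the software update group from the filtered set.
New-CMSoftwareUpdateGroup -Name $GroupName -UpdateId $updates.CI_ID | Out-Null

# Download the content into a new deployment package and send it to the DP.
New-CMSoftwareUpdateDeploymentPackage -Name $PackageName -Path $PackageSource | Out-Null
Save-CMSoftwareUpdate -SoftwareUpdateGroupName $GroupName -DeploymentPackageName $PackageName
Start-CMContentDistribution -DeploymentPackageName $PackageName -DistributionPointName 'SCCMSERVER.corp.local'

# Required deployment, client local time, available now, deadline as soon as
# possible, restarts suppressed, slow-boundary and fallback downloads allowed.
New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $GroupName `
    -CollectionName $CollectionName `
    -DeploymentName "$GroupName - $(Get-Date -Format yyyy-MM-dd)" `
    -DeploymentType Required `
    -VerbosityLevel OnlySuccessAndErrorMessages `
    -TimeBasedOn LocalTime `
    -AvailableDateTime (Get-Date) `
    -DeadlineDateTime (Get-Date) `
    -UserNotification DisplayAll `
    -RestartServer $false -RestartWorkstation $false `
    -ProtectedType RemoteDistributionPoint `
    -UnprotectedType UnprotectedDistributionPoint `
    -DownloadFromMicrosoftUpdate $true
```

Review the deployment in Monitoring > Deployments afterwards, exactly as you would for a deployment created through the wizard.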
After a few minutes we see that the updates are installed on one of the client machines in the collection.
You can choose to restart the computer by clicking Restart now, or you can choose Snooze and remind me to be reminded again after the selected number of hours.