How To Deploy Software Updates Using SCCM

Jason Barrett | Software Updates

In this article I will show you step by step how to deploy software updates using SCCM.

Over the years I have taken on many SCCM environments where the setup of software updates was a complete mess.

Because of this I have experienced lots of different issues, and I have a specific process I use to set up software update deployments which I will teach you today.

In this article you will learn

  • Setup Device Collections For Software Updates
  • Configure Client Settings
  • Create Automatic Deployment Rule
  • Enable Peer Caching
  • Reporting On Software Update Installs

Prerequisites

Before we can begin there are some prerequisites we need to make sure have been done. They are

  • Installed WSUS on the primary site server : This is to get information about the software updates available. If you need help with this check out this guide I wrote on how to install WSUS
  • Installed the Software Update Point role on the primary site server : SCCM will use this role to communicate with WSUS to get software update information as well as some base settings for software updates. I have also written an article on how to install the software update point

When the prerequisites are met we can begin.

How To Deploy Software Updates Using SCCM

Below I am going to show you the exact process I use when I setup software update deployments for my clients when I am contracted with them as a consultant.

My clients pay me for the information I am about to share below.

To set up software update deployments in SCCM follow these steps.

1 : Create Software Updates Folder

First thing we are going to do is create a folder for software updates in the device collections section. This is to make it easier in the future if you need to find any device collection related to software updates.

To create a software updates folder follow these steps

  1. Open the SCCM Console
  2. Go to \Assets and Compliance\Overview\Device Collections
  3. Right click on Device Collections
  4. Click Folder > Create Folder
    [Screenshot: create software update device collection folder]
  5. Enter the name “Software Updates” and click ok
    [Screenshot: name the Software Updates folder]
  6. Confirm the folder was created
    [Screenshot: software updates folder created]

2 : Create Device Collections

We are going to start by creating the device collections for the software update process. These device collections will be used to do the following

  • Disable Software Updates : Devices put in to this device collection will not get any software updates
  • Download Patches : This collection will be used to deploy the software updates to
  • Set Maintenance Window : Set maintenance window for when the software updates can install
  • All Machines Not Being Patched : So we can know about the machines not currently setup for receiving updates

I will create the device collections one by one and will explain exactly what each one does.

1.1 : Disable Software Updates

Here we will create a device collection so that any SCCM client that is in this device collection will not get any software updates.

This can then be used for any machines that you do not want to receive patches.

To create the disable software updates device collection follow these steps

  1. Open PowerShell ISE via the start menu
    [Screenshot: open PowerShell ISE from the start menu]
  2. Enter the below code in to PowerShell

    # Load the ConfigurationManager module that ships with the console and connect to the site drive
    Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
    $SiteCode = Get-PSDrive -PSProvider CMSITE
    Set-Location "$($SiteCode.Name):"

    # Create Schedule: refresh collection membership every Sunday at 23:00
    $UpdateSchedule = New-CMSchedule -Start "01/01/2017 23:00" -DayOfWeek Sunday -RecurCount 1

    # Create Software Update Device Collection
    $NewCollection01 = New-CMDeviceCollection -Name "SU | Disable Software Updates" -LimitingCollectionName "All Systems" -RefreshType Both -RefreshSchedule $UpdateSchedule

  3. Replace the device collection name “SU | Disable Software Updates” if you want to use another name
  4. Click run in PowerShell, the script usually fails the first time so run it twice
    [Screenshot: run PowerShell to create the disable patching device collection]
  5. In the SCCM console go to \Assets and Compliance\Overview\Device Collections
  6. Confirm the device collection was created
    [Screenshot: created device collection]

1.2 : Create Patch Groups

Below we are going to create three patch groups

  • SU | Test Machines : These machines will receive software updates first
  • SU | Test Machines Extended : These will receive software updates a week later
  • SU | All Patched Machines : These will receive software updates two weeks later

To create these groups follow these steps

  1. Enter the below code in to PowerShell

    # Load the ConfigurationManager module that ships with the console and connect to the site drive
    Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
    $SiteCode = Get-PSDrive -PSProvider CMSITE
    Set-Location "$($SiteCode.Name):"

    # Create Schedule: refresh collection membership every Sunday at 23:00
    $UpdateSchedule = New-CMSchedule -Start "01/01/2017 23:00" -DayOfWeek Sunday -RecurCount 1

    # Create Software Update Device Collections (the three patch rings)
    $NewCollection01 = New-CMDeviceCollection -Name "SU | Test Machines" -LimitingCollectionName "All Systems" -RefreshType Both -RefreshSchedule $UpdateSchedule
    $NewCollection02 = New-CMDeviceCollection -Name "SU | Test Machines Extended" -LimitingCollectionName "All Systems" -RefreshType Both -RefreshSchedule $UpdateSchedule
    $NewCollection03 = New-CMDeviceCollection -Name "SU | All Patched Machines" -LimitingCollectionName "All Systems" -RefreshType Both -RefreshSchedule $UpdateSchedule

    # Add Exclude Collections: machines in the disable collection never land in a patch ring
    Add-CMDeviceCollectionExcludeMembershipRule -CollectionName "SU | Test Machines" -ExcludeCollectionName "SU | Disable Software Updates"
    Add-CMDeviceCollectionExcludeMembershipRule -CollectionName "SU | Test Machines Extended" -ExcludeCollectionName "SU | Disable Software Updates"
    Add-CMDeviceCollectionExcludeMembershipRule -CollectionName "SU | All Patched Machines" -ExcludeCollectionName "SU | Disable Software Updates"

    # A machine can only be in one ring, so each later ring excludes the earlier ones
    Add-CMDeviceCollectionExcludeMembershipRule -CollectionName "SU | All Patched Machines" -ExcludeCollectionName "SU | Test Machines"
    Add-CMDeviceCollectionExcludeMembershipRule -CollectionName "SU | All Patched Machines" -ExcludeCollectionName "SU | Test Machines Extended"
    Add-CMDeviceCollectionExcludeMembershipRule -CollectionName "SU | Test Machines Extended" -ExcludeCollectionName "SU | Test Machines"

  2. Replace the device collection names if you want to use another name
  3. Click run in PowerShell, the script usually fails the first time so run it twice
  4. In the SCCM console go to \Assets and Compliance\Overview\Device Collections
  5. Confirm the device collections were created
  6. Then right click on one, click the Membership Rules tab, confirm you can see the “SU | Disable Software Updates” collection
  7. Click ok to close the properties box
    [Screenshot: confirm patching groups created]

1.3 : Create Maintenance Windows

A maintenance window is a set time when machines can do things such as install software and software updates. We are now going to configure the maintenance windows for the device collections we just created.

We will configure the “SU | Test Machines” maintenance window first. We will configure it to be able to install patches every day between 01:00 and 08:00. We will use “Wake On LAN” to wake the machines up so they can install software updates out of hours.

To add maintenance windows on to the device collections we just created follow these steps

  1. In the SCCM console go to \Assets and Compliance\Overview\Device Collections
  2. Right click on “SU | Test Machines” and click properties
  3. Click the maintenance windows tab
  4. Click the sun icon
    [Screenshot: set maintenance window on test device collection]
  5. Give the maintenance window a descriptive name
  6. Set the start time to 01:00 (or whatever time you require)
  7. Set the end time to 08:00 (or whatever time you require)
  8. Click Daily
  9. Make sure 1 day is selected
    [Screenshot: create new maintenance window]
  10. Click ok
  11. Confirm the maintenance window has been set
  12. Click ok to save the changes
    [Screenshot: confirm maintenance window is set]

Next we will set the maintenance window for the “SU | Test Machines Extended” group. This group will install the software updates one week after Patch Tuesday.

To configure the maintenance window for the “SU | Test Machines Extended” group follow these steps

  1. In the SCCM console go to \Assets and Compliance\Overview\Device Collections
  2. Right click on “SU | Test Machines Extended” and click properties
  3. Click the maintenance windows tab
  4. Click the sun icon
  5. Fill out the details same as before
  6. This time select monthly, recur the third Tuesday of the month
    [Screenshot: test machines extended maintenance window]
  7. Click ok
  8. Confirm the maintenance window has been set
  9. Click ok to save the changes

Now we will configure the “SU | All Patched Machines” maintenance window. Repeat the steps above but select the fourth Tuesday of the month. I also recommend adding more maintenance windows for the fourth Wednesday, Thursday and Friday of the month.

[Screenshot: all patched machines maintenance windows]
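The same three sets of maintenance windows, created with the ConfigurationManager PowerShell module instead of the console. This is an added example, not the article's own script; it assumes the module installed with the console, the collections from section 1.2, and window names of my own choosing.

```powershell
# Added example: maintenance windows for the three patch rings (section 1.3) via PowerShell.
# Assumes the console's ConfigurationManager module and the "SU | ..." collections already exist.
Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):"

# Window boundaries 01:00 to 08:00 as in the article; the date part only fixes the first occurrence.
# -ApplyTo SoftwareUpdatesOnly keeps the window from also opening up application or task sequence installs.
$Start = Get-Date '01/01/2017 01:00'
$End   = Get-Date '01/01/2017 08:00'

# Ring 1, "SU | Test Machines": every day
$Daily = New-CMSchedule -Start $Start -End $End -RecurInterval Days -RecurCount 1
New-CMMaintenanceWindow -CollectionName 'SU | Test Machines' -Name 'SU Daily 01:00-08:00' `
    -Schedule $Daily -ApplyTo SoftwareUpdatesOnly

# Ring 2, "SU | Test Machines Extended": third Tuesday of each month
$ThirdTuesday = New-CMSchedule -Start $Start -End $End -DayOfWeek Tuesday -WeekOrder Third -RecurCount 1
New-CMMaintenanceWindow -CollectionName 'SU | Test Machines Extended' -Name 'SU 3rd Tuesday 01:00-08:00' `
    -Schedule $ThirdTuesday -ApplyTo SoftwareUpdatesOnly

# Ring 3, "SU | All Patched Machines": fourth Tuesday through Friday, one window per day
foreach ($Day in 'Tuesday', 'Wednesday', 'Thursday', 'Friday') {
    $Monthly = New-CMSchedule -Start $Start -End $End -DayOfWeek $Day -WeekOrder Fourth -RecurCount 1
    New-CMMaintenanceWindow -CollectionName 'SU | All Patched Machines' -Name "SU 4th $Day 01:00-08:00" `
        -Schedule $Monthly -ApplyTo SoftwareUpdatesOnly
}

# Review what was created
Get-CMMaintenanceWindow -CollectionName 'SU | All Patched Machines' | Select-Object Name, Description
```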

If you need help with any of these settings please post a question in one of the below communities and I will help you out.

Next we need to move the device collections

1.4 : Move Device Collections

The last thing we need to do is move the device collections we created in to the “Software Updates” folder we created.

  1. In the SCCM console go to \Assets and Compliance\Overview\Device Collections
  2. Highlight the device collections we just created
  3. Right click and select move
    [Screenshot: move created device collections]
  4. Select Software Updates and click ok
  5. Go to \Assets and Compliance\Overview\Device Collections\Software Updates
  6. Confirm the device collections moved correctly
    [Screenshot: confirm moved to software updates]

3 : Configure Client Settings

There are many settings we need to set in the SCCM Client Settings section which will increase the success rate of software updates getting installed.

In my experience over the years I have found that changing the client settings as per below will reduce the amount of failures you will get.

To edit the client settings do the following.

  1. Open the SCCM console
  2. Go to \Administration\Overview\Client Settings
  3. Right click on Default Client Settings and select properties
    [Screenshot: edit SCCM default client settings]
  4. Click “Client Cache Settings” on the left
  5. Make sure “Configure Client Cache Size” is set to YES
  6. Enter 10240 for the “Maximum Cache Size (MB)”. This will increase the default amount of SCCM cache a client can store
    [Screenshot: client cache settings]
  7. Click on “Computer Agent”
  8. Enter an organization name
  9. Make sure “Use New Software Center” is set to yes
    [Screenshot: computer agent]
  10. Click on “Computer Restart”
  11. In this guide I will configure the software updates to install out of hours, so I am going to configure a short notification time for reboots. If you plan to push out software updates in hours I recommend to increase the time the user gets to reboot the system
  12. Set “Specify the amount of time after the deadline before a device gets restarted” to 15 minutes, or 120 if pushing software updates when users are logged on to the machine. The user will get a message that the system needs to reboot and they have 120 minutes before a reboot is forced.
  13. Set “Specify the amount of time that a user is presented a final countdown”. This is a prompt to reboot that a user can not suppress, I recommend to set this to 5, or 30 if pushing software updates when users are logged on to the machine.
  14. Set the last two options to yes
    [Screenshot: computer restart]
  15. Click on “Power Management”
  16. Set “Allow power management of devices” to yes
  17. Set “Allow network wake-up” to Enable, this will enable the client machines to be woken up when software updates are pushed out of hours
    [Screenshot: power management]
  18. Click on “Software Updates”
  19. Make sure “Enable software updates on clients” is set to yes
  20. Confirm all other settings are as per below
    [Screenshot: software updates]

4 : Create Automatic Deployment Rule

We are now going to create an automatic deployment rule, also known as an ADR.

An automatic deployment rule can be configured to run automatically at a certain time. The rule will add the latest software updates to a software update group and then deploy that group to the device collections.

To create an automatic deployment rule do the following

  1. Log in to the SCCM console
  2. Go to \Software Library\Overview\Software Updates\Automatic Deployment Rules
  3. Right click on “Automatic Deployment Rules” then select “Create Automatic Deployment Rule”
    [Screenshot: create automatic deployment rule]
  4. IMPORTANT : If you are deploying software updates to more than 1 product I highly recommend you create a separate ADR for each product.
  5. Below I am creating an ADR to deploy updates to Windows 2016 machines, if you want to deploy to Windows 10 machines create a separate ADR for Windows 10 updates.
  6. Give the ADR a descriptive name. Below I used “SU – Windows 2016”
  7. Click browse and select the “SU | Test Machines” collection
  8. Select “Create a new Software Update Group”
  9. Click next
    [Screenshot: specify the settings for this automatic deployment rule]
  10. On the deployment settings screen make sure required is selected (Required means the software updates install automatically, Available means they need to be manually installed on the client in Software Center)
  11. Tick the box “Use Wake-on-LAN to wake up clients”, this will wake up the clients when we push out the updates at 1am
  12. In my experience it is best to select “All messages” as this will give you the most detail on the software updates install status
  13. Click next
    [Screenshot: deployment settings]
  14. Here we need to specify the filters for the software updates we want to deploy. We only want to download the updates we need, so in my experience I have found the below filter the best to use.
  15. Product = Select only 1 product, below I have selected Windows Server 2016
    Custom Severity = Set to none, we will use this to exclude single software updates from being installed if we need to in the future.
    Required = Set >=1, this will only download an update if there is a machine that requires it to be installed
    Superseded = No, we don't want to download superseded updates as they will never install
    Update Classification : Select Critical Updates, Security Updates and Update Rollups
  16. Click Preview
    [Screenshot: specify the product filters and search criteria]
  17. This will now show all the updates that are available to deploy for your ADR
  18. Click close
    [Screenshot: preview updates]
  19. Click next
  20. Select “Run the rule on a schedule” and click customize
  21. If you want to manually run the ADR then select “Do not run this rule automatically”
    [Screenshot: recurring schedule for this rule]
  22. There are a few things that need to happen before the SCCM ADR can find new patches, which are
    2nd Tuesday of the month at 23:30 : WSUS needs to run and complete a sync
    SCCM Software Update Synchronize every day at 01:00 : Should take 30 minutes to complete
  23. In the custom schedule I like to set the time to run at 03:00 as this gives plenty of time for the WSUS and SCCM syncs to complete
  24. Then run on the second Tuesday with 1 offset day. An offset day is +1 day, so it will run on a Wednesday at 03:00
  25. Do not set the recurrence to the second Wednesday of the month because sometimes the 2nd Wednesday comes before the 2nd Tuesday
  26. Click ok
    [Screenshot: update check schedule]
  27. Confirm the schedule
  28. Click next
    [Screenshot: confirm schedule]
  29. Select as soon as possible for both settings
  30. Click Next
    [Screenshot: deployment schedule]
  31. Under user notifications I recommend to select “Display in software center and only show notifications for computer restarts”
  32. Leave all other options as default / not selected
  33. Click next
    [Screenshot: user experience]
  34. Click next on the alerts page
  35. Select “Create a new deployment package”
  36. I recommend to enter the same name you gave the ADR
  37. Enter a UNC path where the software updates will be downloaded to
  38. Tick “Enable binary differential replication”
  39. Click next
    [Screenshot: create deployment package]
  40. Click add and add the distribution groups you want to copy the software updates to
  41. Click next
    [Screenshot: add distribution groups]
  42. Click next on the download location page
  43. Click next on the language selection page
  44. On the download settings page keep the defaults and click next
    [Screenshot: download settings]
  45. On the summary page click next
  46. Click close
  47. Repeat steps 3 – 46 to create ADRs for other required products such as Windows 11
  48. Below we can now see the ADR we created and the deployment we configured at the bottom
    [Screenshot: ADR created]
  49. We now need to set up the deployment for the other two device collections
  50. Right click on the ADR we created and select add deployment
    [Screenshot: add deployment to ADR]
  51. Click the browse button and select the “SU | Test Machines Extended” collection
  52. Make sure “Enable the deployment after this rule is run” is selected
  53. Click next
    [Screenshot: specify additional device collection for deployment]
  54. Make sure required is selected for deployment type
  55. Tick the box “Use Wake-on-LAN”
  56. For detail level select all messages
  57. Click next
    [Screenshot: extended test deployment settings]
  58. Under “Software available time” set the specific time to 2 days. This will schedule the software updates to be pushed out 2 days after the ADR has run
  59. Make sure “Install deadline” is set to as soon as possible
  60. Click next
  61. Note : The updates will not install on “SU | Test Machines Extended” until 6 days after the ADR has run because we configured the maintenance window for this time.
    [Screenshot: extended test schedule]
  62. I recommend to set the user notifications to “Display in software center and only show notifications for computer restarts”
  63. Click next
    [Screenshot: extended test user experience]
  64. On the alerts page click next
  65. On the download settings page leave the defaults
  66. Click next
    [Screenshot: software updates download options]
  67. On the summary page click next
  68. Click close
  69. Repeat steps 50 – 68 for the device collection “SU | All Patched Machines”. On step 58 make sure to set 7 days for the software available time
  70. We have now finished setting up the automatic deployment rule, it should now look like below
    [Screenshot: finished automatic deployment rule]

Just to summarise we did the below in this step

  • Created an automatic deployment rule to download only required software updates
  • Created a deployment rule to push software updates to the test machines as soon as the ADR was run
  • Software updates will then get deployed to the Test Machine Extended group 2 days after the ADR was run
  • Software updates will then get deployed to all machines 7 days after the ADR was run
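An added example, not from the article, that shows why steps 24 and 25 schedule the ADR on the 2nd Tuesday with an offset day rather than on the 2nd Wednesday: plain date arithmetic lists, for every month of a year, the 2nd Tuesday + 1 day next to the 2nd Wednesday and flags the months where the Wednesday would run before Patch Tuesday. The function names are mine, and the `-OffsetDay` parameter of `New-CMSchedule` is assumed to be available in your console version.

```powershell
# Added example: 2nd Tuesday + 1 offset day versus 2nd Wednesday. Runs without SCCM.

function Get-NthWeekdayOfMonth {
    # Date of the N-th occurrence of $Weekday in the given month (N = 1..5)
    param([int]$Year, [int]$Month, [System.DayOfWeek]$Weekday, [int]$N)
    $First = [datetime]::new($Year, $Month, 1)
    $DaysToFirst = ([int]$Weekday - [int]$First.DayOfWeek + 7) % 7
    return $First.AddDays($DaysToFirst + 7 * ($N - 1))
}

function Compare-AdrScheduleDates {
    # One row per month: when "2nd Tuesday + 1" and "2nd Wednesday" would fire, and whether they differ.
    # The Wednesday rule runs too early in every month that starts on a Wednesday
    # (for 2023 that is February, March and November).
    param([int]$Year = (Get-Date).Year)
    foreach ($Month in 1..12) {
        $PatchTuesday    = Get-NthWeekdayOfMonth -Year $Year -Month $Month -Weekday Tuesday   -N 2
        $SecondWednesday = Get-NthWeekdayOfMonth -Year $Year -Month $Month -Weekday Wednesday -N 2
        [pscustomobject]@{
            Month                 = $PatchTuesday.ToString('yyyy-MM')
            PatchTuesday          = $PatchTuesday.ToString('ddd dd')
            TuesdayPlusOffsetDay  = $PatchTuesday.AddDays(1).ToString('ddd dd')
            SecondWednesday       = $SecondWednesday.ToString('ddd dd')
            WednesdayRunsTooEarly = ($SecondWednesday -lt $PatchTuesday)
        }
    }
}

function New-AdrOffsetSchedule {
    # The ADR schedule from steps 23-24, for use after Import-Module ConfigurationManager and
    # Set-Location to the site drive. -OffsetDay is assumed to exist in your console's module version.
    param([datetime]$RunTime = (Get-Date '01/01/2017 03:00'))
    New-CMSchedule -Start $RunTime -DayOfWeek Tuesday -WeekOrder Second -OffsetDay 1 -RecurCount 1
}

Compare-AdrScheduleDates -Year 2023 | Format-Table -AutoSize
```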

5 : Enable Peer Cache (Optional)

This step is optional but I highly recommend that you enable peer cache on your clients.

When an SCCM client downloads a package, software update or application it will download it from an SCCM distribution point. If you enable peer caching the SCCM client can also download the content from any other SCCM client on the same network.

Advantages of peer caching include

  • Adds multiple locations to download content from
  • Can replace the need for SCCM distribution points
  • Content can be downloaded from the LAN and not across the WAN (if the SCCM DP is located on the WAN)

I recommend enabling peer caching on the device collections “SU | Test Machines” and “SU | Test Machines Extended”. To do this follow these steps

  1. Open the SCCM console
  2. Go to \Administration\Overview\Client Settings
  3. Right click on client settings, select Create custom client device settings
    [Screenshot: enable peer cache]
  4. Give the custom device settings a name such as “Enable Peer Cache”
  5. Tick the box “Client Cache Settings”
    [Screenshot: create custom client device settings]
  6. Select “Client Cache Settings” in the left column
  7. Select yes for “Enable as peer cache source”
  8. Click ok
    [Screenshot: client cache settings]
  9. Right click on the policy we just created, select deploy
    [Screenshot: deploy peer cache settings]
  10. Select the “SU | Test Machines” collection and click ok
  11. Repeat steps 9 and 10 for the collection “SU | Test Machines Extended”
    [Screenshot: select collection for peer cache]
  12. In the SCCM console go to \Administration\Overview\Hierarchy Configuration\Boundary Groups
    [Screenshot: enable peer cache boundary group]
  13. Right click on each boundary group you want to enable peer caching for and select properties
  14. Click the options tab
  15. Tick the boxes “Allow peer download in this boundary group” and “During peer downloads only use peers within the same network”
  16. Click ok
    [Screenshot: boundary group peer caching options]

6 : Populate Device Collection Groups

Now we have completed all the above steps we can start to add devices into the device collections.

To do this follow these steps

  1. Open the SCCM console
  2. Go to \Assets and Compliance\Overview\Device Collections\Software Updates
  3. Right click on “SU | Test Machines” and click add resources, top right of the screenshot below
  4. In “Name String Contains” enter the name of the machines you want to add
  5. Click search
  6. Highlight the machines you want to add and click add
  7. Click ok
    [Screenshot: add devices to device collection]
  8. Repeat steps 3-7 for the device collection “SU | Test Machines Extended”
  9. I recommend waiting at least a few hours for the machines to register that they are in a new device collection and to apply the client settings / policies we created
  10. Repeat steps 3-7 for the device collection “SU | All Patched Machines”. I recommend adding an include device collection such as “All Windows 2016 Machines”

7 : Run The Automatic Deployment Rule

I highly recommend letting the automatic deployment rule run at the scheduled time rather than running it manually.

Wait until the day the ADR is due to run and then follow the below steps to check that it ran correctly.

  1. Log in to the SCCM console
  2. Go to \Software Library\Overview\Software Updates\Automatic Deployment Rules
  3. Confirm the last error description is 0x00000000, which means no error
  4. And that the last evaluation time ran at the expected time
    [Screenshot: confirm automatic deployment rule ran successfully]
  5. Go to \Software Library\Overview\Software Updates\Software Update Groups
  6. Confirm the software update group was created like below
    [Screenshot: confirm software update group created]
  7. Go to \Monitoring\Overview\Deployments
  8. Confirm 3 deployments have been created
  9. Click on the tool bar to bring up the options shown below and select “Deployment Start Time”
  10. Now confirm the start times are set as expected
  11. You can also check the compliance here
    [Screenshot: confirm ADR created deployments]
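The checks in steps 3, 4 and 8 as a script, so they can be run the morning after the ADR fires instead of clicking through the console. This is an added example, not the article's own; it assumes the console's ConfigurationManager module, that `LastRunTime` comes back as a WMI date string (it is converted where it does), and that `Get-CMSoftwareUpdateAutoDeploymentRuleDeployment -Name` takes the ADR name.

```powershell
# Added example: did every ADR run cleanly and recently, and does it carry its deployments?
Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):"

function ConvertFrom-CMDate {
    # Rule objects usually expose LastRunTime as a WMI date string (yyyyMMddHHmmss.ffffff+zzz);
    # some module versions already hand back a [datetime]. Accept both.
    param($Value)
    if ($Value -is [datetime]) { return $Value }
    if ([string]::IsNullOrEmpty([string]$Value)) { return $null }
    try { return [System.Management.ManagementDateTimeConverter]::ToDateTime([string]$Value) }
    catch { return $null }
}

function Test-AdrLastRun {
    # One row per ADR. Healthy = error code 0, ran within the last $MaxAgeHours, and the expected
    # number of deployments (3 in this article: test, test extended, all patched machines).
    param([int]$MaxAgeHours = 24, [int]$ExpectedDeployments = 3)
    Get-CMSoftwareUpdateAutoDeploymentRule | ForEach-Object {
        $LastRun   = ConvertFrom-CMDate $_.LastRunTime
        $ErrorCode = [uint32]$_.LastErrorCode
        # Assumption: -Name accepts the ADR name and returns one object per configured deployment
        $Deployments = @(Get-CMSoftwareUpdateAutoDeploymentRuleDeployment -Name $_.Name).Count
        [pscustomobject]@{
            Name        = $_.Name
            Enabled     = [bool]$_.AutoDeploymentEnabled
            LastRun     = $LastRun
            LastError   = ('0x{0:X8}' -f $ErrorCode)      # 0x00000000 is what step 3 looks for
            Deployments = $Deployments
            Healthy     = ($ErrorCode -eq 0) -and
                          ($null -ne $LastRun) -and ($LastRun -gt (Get-Date).AddHours(-$MaxAgeHours)) -and
                          ($Deployments -eq $ExpectedDeployments)
        }
    }
}

Test-AdrLastRun | Format-Table -AutoSize
```

Anything with `Healthy` false is worth opening in the console; a non-zero `LastError` with a recent `LastRun` usually points at the WSUS or SCCM sync not having completed before 03:00.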

Check Updates Have Been Downloaded On a Client

Now we have setup everything on the SCCM server it is time to log on to a client to make sure they have downloaded the patches.

I recommend to wait at least two hours after the ADR ran before checking the clients.

To check if a client has downloaded the patches do the following

  1. Log on to the client
  2. In the start menu type “C:\Windows\CCM\ClientUX\SCClient.exe” and hit enter
  3. Click updates in the left column
  4. Here you should see all the software updates that have been downloaded to the client
  5. Below they are in the available status, this is because the software update has been downloaded and is awaiting the maintenance window to install the update
  6. You can install the updates now by clicking on install all
    [Screenshot: check software updates downloaded on client]
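The same information Software Center shows in steps 4 and 5, read directly from the client's CCM SDK WMI classes so it can be collected remotely or from many clients at once. This is an added example, not part of the article's procedure; the function names are mine, and the state table is the documented `EvaluationState` enumeration of `CCM_SoftwareUpdate`. An update that is downloaded and waiting for the maintenance window shows as `WaitServiceWindow`.

```powershell
# Added example: list the software updates the SCCM client has been handed and decode their state.
# Run on the client in an elevated PowerShell session.

# Documented EvaluationState values of root\ccm\ClientSDK:CCM_SoftwareUpdate
$EvaluationStateName = @{
    0 = 'None';              1 = 'Available';          2 = 'Submitted';        3 = 'Detecting'
    4 = 'PreDownload';       5 = 'Downloading';        6 = 'WaitInstall';      7 = 'Installing'
    8 = 'PendingSoftReboot'; 9 = 'PendingHardReboot'; 10 = 'WaitReboot';      11 = 'Verifying'
   12 = 'InstallComplete';  13 = 'Error';             14 = 'WaitServiceWindow'; 15 = 'WaitUserLogon'
   16 = 'WaitUserLogoff';   17 = 'WaitJobUserLogon';  18 = 'WaitUserReconnect'; 19 = 'PendingUserLogoff'
   20 = 'PendingUpdate';    21 = 'WaitingRetry';      22 = 'WaitPresModeOff';   23 = 'WaitForOrchestration'
}

function Get-CcmSoftwareUpdateState {
    # One row per update the client knows about, with the numeric state decoded
    Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_SoftwareUpdate' |
        Select-Object ArticleID, Name,
            @{ Name = 'State';       Expression = { $EvaluationStateName[[int]$_.EvaluationState] } },
            @{ Name = 'PercentDone'; Expression = { $_.PercentComplete } },
            Deadline
}

function Install-CcmPendingSoftwareUpdate {
    # Equivalent of the "Install all" button in step 6: hand every update that is not already
    # installing, installed or waiting for a reboot to the client agent for immediate install.
    $Pending = Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_SoftwareUpdate' |
        Where-Object { @(7, 8, 9, 12) -notcontains [int]$_.EvaluationState }
    if (-not $Pending) { return 'No updates pending on this client' }
    Invoke-CimMethod -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_SoftwareUpdatesManager' `
        -MethodName 'InstallUpdates' -Arguments @{ CCMUpdates = [ciminstance[]]$Pending }
}

Get-CcmSoftwareUpdateState | Format-Table -AutoSize
```

A client that shows nothing at all two hours after the ADR ran has usually not yet evaluated the new deployment policy; a client stuck in `Error` (13) is the one to look at in `C:\Windows\CCM\Logs`.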

Conclusion

Setting up software updates is quite a long and complicated process. Hopefully this guide has helped you in this task.

I have included many things I have learned over the years to get the most successful patching rate within SCCM, I hope these tips serve you well.

I would be very interested in your experiences with configuring and deploying software updates, let me know in a comment below or by posting in one of our communities.