In this post I will go through the steps to deploy Windows 11 software updates using SCCM. Windows 11 was released on 5th Oct 2021, and Microsoft released the first-ever Cumulative Update for Windows 11 on Patch Tuesday for October 2021.

Getting ready with configuration of Software Update settings on SCCM

Configuration Manager should be configured before deploying any patches. This requires the WSUS feature to be installed on the server, along with the Software Update Point role.

WSUS is configured to download the metadata from Microsoft catalog and then it synchronizes with SCCM database to replicate the metadata.

Enabling Products and Classifications

If all of these configurations are already in place in your environment, we only need to select the Windows 11 product.

Before deploying the patches, we need to configure Products and classifications settings under Software Update Point.

Log in to the Configuration Manager server and launch the console, then navigate to \Administration\Overview\Site Configuration\Sites. With the site selected, click Configure Site Components > Software Update Point to open Software Update Point Component Properties, click the Classifications tab, and make sure the following are selected:


Critical Updates
Security Updates


As you can see, we may need to select more than these to deploy other kinds of updates, which include Definition Updates, Feature Packs, Service Packs, Tools, Update Rollups, Updates and Upgrades.

Click the Products tab and, under All Products > Microsoft > Windows, select Windows 11. Other options such as Windows 11 Dynamic Update & Windows 11 GDR-DU are also available; whether to select them depends on your organisation's strategy.


Synchronize Software Updates

With the selection made, we are ready to synchronize the patches with Microsoft. Navigate to \Software Library\Overview\Software Updates\All Software Updates and, from the ribbon, click Synchronize Software Updates.

Once selected, this process will go through:

  1. Synchronizing WSUS with Microsoft – WSUS contacts Microsoft to download the metadata, which is not the actual patch but only the information about patches ready to be downloaded and deployed. The metadata is downloaded to the WSUS database, which then initiates another sync.
  2. Synchronizing WSUS with SCCM – A second synchronization starts automatically and copies the metadata already synchronized in the WSUS database to the SCCM database. This is necessary because clients communicate with SCCM, so the metadata has to be available there. In short, Configuration Manager uses WSUS in the background, through the Software Update Point role, to download the metadata.
  3. Patches ready to be deployed – Once the sync is completed, patches are ready to be downloaded and deployed.

Check the progress of synchronization through wcm.log and wsyncmgr.log

As I selected Windows 11 as an additional product, I can see the following information in wcm.log:

Attempting connection to local WSUS server
Successfully connected to local WSUS server
Setting new configuration state to 4 (WSUS_CONFIG_SUBSCRIPTION_PENDING)
Attempting connection to local WSUS server
Successfully connected to local WSUS server
Configuration successful. Will wait for 1 minute for any subscription or proxy changes
Setting new configuration state to 2 (WSUS_CONFIG_SUCCESS)
Supported WSUS version found

Wsyncmgr.log will show Windows 11 Product now activated

Requested categories: Product=Windows 11, Product=Windows 10, Product=Windows 10, version 1903 and later, UpdateClassification=Security Updates, UpdateClassification=Update Rollups, UpdateClassification=Upgrades, UpdateClassification=Updates, UpdateClassification=Definition Updates, UpdateClassification=Critical Updates
Found local sync request file               SMS_WSUS_SYNC_MANAGER
Starting Sync               SMS_WSUS_SYNC_MANAGER
Performing sync on local request               SMS_WSUS_SYNC_MANAGER
Full sync required due to changes in main WSUS server location.               SMS_WSUS_SYNC_MANAGER
Read SUPs from SCF for SCCM01.MANBAN.COM               SMS_WSUS_SYNC_MANAGER
Found 1 SUPs               SMS_WSUS_SYNC_MANAGER
Found active SUP SCCM01.MANBAN.COM from SCF File.               SMS_WSUS_SYNC_MANAGER
STATMSG: ID=6701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SCCM01.MANBAN.COM SITE=MAN PID=3652 TID=9228 GMTDATE=Thu Oct 14 08:44:36.456 2021 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 LE=0X0               SMS_WSUS_SYNC_MANAGER
Sync Surface Drivers option is not set               SMS_WSUS_SYNC_MANAGER
Synchronizing WSUS, default server is SCCM01.MANBAN.COM               SMS_WSUS_SYNC_MANAGER
STATMSG: ID=6704 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SCCM01.MANBAN.COM SITE=MAN PID=3652 TID=9228 GMTDATE=Thu Oct 14 08:44:37.461 2021 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 LE=0X0               SMS_WSUS_SYNC_MANAGER
http://SCCM01.MANBAN.COM:8530               SMS_WSUS_SYNC_MANAGER
Synchronizing WSUS server SCCM01 ...               SMS_WSUS_SYNC_MANAGER
sync: Starting WSUS synchronization               SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing categories               SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing categories, processed 2 out of 2 items (100%)               SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing updates, processed 3 out of 72 items (4%), ETA in 42.02:25:42               SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing updates, processed 25 out of 72 items (34%), ETA in 3.10:37:46               SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing updates, processed 39 out of 72 items (54%), ETA in 1.13:12:16               SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing updates, processed 51 out of 72 items (70%), ETA in 18:06:45               SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing updates, processed 72 out of 72 items (100%)               SMS_WSUS_SYNC_MANAGER

Windows 11 Updates available now

Once synchronization is completed, we can see that the required updates for Windows 11 are available. For a filtered view showing Windows 11 updates only, navigate to \Software Library\Overview\Software Updates\All Software Updates. Select Add Criteria, select Product as "Windows 11" and click Search.

We can see 2 specific patches related to x64 based devices:

2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674)
2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537)

Right now, however, they show as not required on any device (Required = 0). We need to wait for the next Software Update Evaluation cycle on the workstations, or we can force it.

On one of the workstations, launch Configuration Manager from Control Panel (shortcut: Windows + R > control smscfgrc). First click Machine Policy Retrieval & Evaluation Cycle to get the latest policies, then click Software Updates Scan Cycle.

Scan process can be monitored through ScanAgent.log & UpdatesStore.log.

While looking into UpdatesStore.log (Location: c:\windows\ccm\logs), I can see a few updates such as:

Successfully raised state message for update (8e15b5ea-08c4-48dc-afbf-54d1da4241f3) with state (Missing).

This shows the update only as a GUID, which is not very informative. The following PowerShell command lists the missing updates with their titles:

Get-CimInstance -Namespace root\ccm\softwareupdates\updatesstore -ClassName CCM_UpdateStatus | Where-Object { $_.Status -eq 'Missing' } | Select-Object Status, Title

Hence, we can see the cumulative updates KB5006674 & KB5005537 showing as missing.

The workstation sends a status message back to the management point, and we can see the mentioned patches now show as required on 1 system, which confirms that the patch is required.

Download Cumulative Update – Windows 11

Once again navigate to All Software Updates, which now shows the update as required on a system. Let's select these 2 patches, right-click and select Download.

This will launch the Download Software Updates Wizard on the Specify a deployment package page. We will go with the option Create a new deployment package and provide:
Name : Windows 11 Patches
Package source: \\sccm01\source\Software Update\Windows 11 R001


On Distribution Points page add the Distribution Point and click Next.


On Distribution Settings page click Next.


On Download Location page, select Download software updates from the Internet and click Next.


On Specify the update languages for products page, click Next.


On Confirm the settings page, verify the following information and click Next.


Software updates that will be downloaded from the internet

 2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674)
 2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537)


This starts downloading the patches. Monitor the download through PatchDownloader.log (Location: %userprofile%\AppData\Local\Temp\PatchDownloader.log).

We can see the patch being downloaded from Microsoft URLs:

Download destination = \\sccm01\source\Software Update\Windows 11 R001\23880ebc-6fc3-4e62-af7f-9bf8224e2e7d.1\Windows10.0-KB5005537-x64-NDP48.cab .
Contentsource = http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab .              Software Updates Patch Downloader
Query to run: select f.FileName, c.ContentUniqueID from SMS_CIToContent c join SMS_CIContentFiles f on c.ContentID = f.ContentID where c.ContentID in (16783260) and f.FileHash = 'SHA1:C96F7425CBC6DC785DBE49C8540FF23B8B91B1F8'               Software Updates Patch Downloader
Query to run: select f.FileName, ct.ContentSource from SMS_CIToContent c join SMS_CIContentFiles f on c.ContentID = f.ContentID join SMS_Content ct on c.ContentID = ct.ContentID where c.ContentDownloaded = 1 and f.FileHash = 'SHA1:C96F7425CBC6DC785DBE49C8540FF23B8B91B1F8'               Software Updates Patch Downloader
Downloading content for ContentID = 16783270,  FileName = Windows10.0-KB5005537-x64-NDP48.cab.       Software Updates Patch Downloader
Proxy is enabled for download, using registry settings or defaults.        Software Updates Patch Downloader
Connecting - Adding file range by calling HttpAddRequestHeaders, range string = "Range: bytes=0-"           Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 10 percent complete               Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 20 percent complete               Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 30 percent complete
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 40 percent complete               Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 50 percent complete               Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 60 percent complete               Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 70 percent complete               Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 80 percent complete               Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 90 percent complete               Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab to C:\Users\ADMINI~1.MAN\AppData\Local\Temp\CAB80D0.tmp.cab returns 0             Software Updates Patch Downloader
Using machine settings for CRL checking.               Software Updates Patch Downloader       10/14/2021 9:41:45 PM               12948 (0x3294)
Cert revocation check is disabled so cert revocation list will not be checked.               Software Updates Patch Downloader       10/14/2021 9:41:45 PM               12948 (0x3294)
To enable cert revocation check use: UpdDwnldCfg.exe /checkrevocation               Software Updates Patch Downloader       10/14/2021 9:41:45 PM               12948 (0x3294)
Verifying file trust C:\Users\ADMINI~1.MAN\AppData\Local\Temp\CAB80D0.tmp.cab               Software Updates Patch Downloader       10/14/2021 9:41:45 PM               12948 (0x3294)
File trust C:\Users\ADMINI~1.MAN\AppData\Local\Temp\CAB80D0.tmp.cab verified:               Software Updates Patch Downloader       10/14/2021 9:41:45 PM               12948 (0x3294)
Verifying file hash C:\Users\ADMINI~1.MAN\AppData\Local\Temp\CAB80D0.tmp.cab               Software Updates Patch Downloader       10/14/2021 9:41:45 PM               12948 (0x3294)
File hash verified: C:\Users\ADMINI~1.MAN\AppData\Local\Temp\CAB80D0.tmp.cab               Software Updates Patch Downloader       10/14/2021 9:41:45 PM               12948 (0x3294)
Successfully moved C:\Users\ADMINI~1.MAN\AppData\Local\Temp\CAB80D0.tmp.cab to \\sccm01\source\Software Update\Windows 11 R001\23880ebc-6fc3-4e62-af7f-9bf8224e2e7d.1\Windows10.0-KB5005537-x64-NDP48.cab         Software Updates Patch Downloader               10/14/2021 9:41:45 PM 12948 (0x3294)
Attempting to delete 0 byte tmp files from previous downloads            Software Updates Patch Downloader               10/14/2021 9:41:45 PM 12948 (0x3294)
Renaming \\sccm01\source\Software Update\Windows 11 R001\23880ebc-6fc3-4e62-af7f-9bf8224e2e7d.1 to \\sccm01\source\Software Update\Windows 11 R001\23880ebc-6fc3-4e62-af7f-9bf8224e2e7d    Software Updates Patch Downloader               10/14/2021 9:41:45 PM 14704 (0x3970)
Successfully moved \\sccm01\source\Software Update\Windows 11 R001\23880ebc-6fc3-4e62-af7f-9bf8224e2e7d.1 to \\sccm01\source\Software Update\Windows 11 R001\23880ebc-6fc3-4e62-af7f-9bf8224e2e7d    Software Updates Patch Downloader               10/14/2021 9:41:45 PM 14704 (0x3970)
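
The log above shows the downloader reporting that certificate revocation checking is disabled, while still logging file trust and file hash verification for a file fetched over http://. The PowerShell below is an added example, not part of the original post or of Configuration Manager: it reads PatchDownloader.log lines and reports, per downloaded file, whether those verification entries were logged. The function name Test-PatchDownloaderLog, the shortened URLs and the temp paths in the sample are assumptions made for illustration.

```powershell
# Added example (not from the original post); function and variable names are hypothetical.
function Test-PatchDownloaderLog {
    param([Parameter(Mandatory)][string[]]$Line)

    $files = [ordered]@{}      # temp file path -> what the log says happened to it
    $crlDisabled = $false
    foreach ($l in $Line) {
        # Strip the trailing component / timestamp / thread columns.
        $msg = ($l -replace '\s{2,}Software Updates Patch Downloader.*$', '').Trim()
        switch -Regex ($msg) {
            '^Cert revocation check is disabled' { $crlDisabled = $true; break }
            '^(?:Download )?(?<url>https?://\S+) to (?<tmp>.+) returns (?<rc>\d+)$' {
                $files[$Matches.tmp] = [pscustomobject]@{
                    TempFile = $Matches.tmp; Url = $Matches.url; ReturnCode = [int]$Matches.rc
                    TrustVerified = $false; HashVerified = $false
                }
                break
            }
            '^File trust (?<tmp>.+) verified:?$' {
                if ($files.Contains($Matches.tmp)) { $files[$Matches.tmp].TrustVerified = $true }
                break
            }
            '^File hash verified: (?<tmp>.+)$' {
                if ($files.Contains($Matches.tmp)) { $files[$Matches.tmp].HashVerified = $true }
                break
            }
        }
    }
    foreach ($f in $files.Values) {
        $findings = @()
        if ($f.ReturnCode -ne 0)   { $findings += 'download returned a non-zero code' }
        if (-not $f.TrustVerified) { $findings += 'no "File trust ... verified" entry' }
        if (-not $f.HashVerified)  { $findings += 'no "File hash verified" entry' }
        if ($crlDisabled)          { $findings += 'certificate revocation check disabled' }
        if ($f.Url -like 'http://*' -and -not ($f.TrustVerified -and $f.HashVerified)) {
            $findings += 'plain-HTTP download without both integrity checks'
        }
        [pscustomobject]@{ TempFile = $f.TempFile; Url = $f.Url; Findings = $findings }
    }
}

# First file: shortened from the excerpt above. Second file: constructed, hash entry missing.
$sample = @'
Download http://download.windowsupdate.com/c/example-a.cab to C:\Temp\CAB80D0.tmp.cab returns 0      Software Updates Patch Downloader
Cert revocation check is disabled so cert revocation list will not be checked.      Software Updates Patch Downloader
File trust C:\Temp\CAB80D0.tmp.cab verified:      Software Updates Patch Downloader
File hash verified: C:\Temp\CAB80D0.tmp.cab      Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/example-b.cab to C:\Temp\CAB91F2.tmp.cab returns 0      Software Updates Patch Downloader
File trust C:\Temp\CAB91F2.tmp.cab verified:      Software Updates Patch Downloader
'@ -split '\r?\n'

Test-PatchDownloaderLog -Line $sample | Format-List
```

To run it against a real log, pass the output of Get-Content on the PatchDownloader.log path given above as -Line. The log itself names UpdDwnldCfg.exe /checkrevocation as the way to turn the revocation check on.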

Deploy Windows 11 Updates

Under All Software Updates we can see the patches now show as Downloaded, so let's deploy them. Right-click both patches and click Deploy.

Under Specify general information for this deployment, specify:
Deployment Name:
Software Update/Software Update Group:
Collection:


On Deployment Settings, select Type of deployment as Required and click Next.


On Scheduling page, specify Software available time and specify Installation deadline.

On the User Experience page, under Device restart behavior, select Suppress the system restart on the following devices and check Workstations.

Click Next through the remaining pages to complete the deployment process.

Check installation on Windows 11 Workstation

Log in to the Windows 11 workstation and initiate Machine Policy Retrieval & Evaluation Cycle followed by Software Updates Deployment Evaluation Cycle under Configuration Manager Properties.

Launch Software Center > Updates. The updates are listed with the status Past due – will be installed; installation then starts and can be monitored through UpdatesDeployment.log & WUAHandler.log.

UpdatesDeployment.log will show the downloading and installation progress in detail.

Update (Site_A01E8F68-CD81-4C08-80FA-477C0E10623B/SUM_7a127356-1465-4497-8765-1738d242e43d) Progress: Status = ciStateInstalling, PercentComplete = 100, DownloadSize = 0, Result = 0x0
Update (Site_A01E8F68-CD81-4C08-80FA-477C0E10623B/SUM_8cf5c03f-1b45-4d8f-a6d6-9fc9a927f92a) Progress: Status = ciStateInstalling, PercentComplete = 74, DownloadSize = 0, Result = 0x0
IsRebootNeeded: Update = Site_A01E8F68-CD81-4C08-80FA-477C0E10623B/SUM_7a127356-1465-4497-8765-1738d242e43d, UserUIExperience = True, RebootDeadline = 0, set NotifyUI = True for this update
No installations in pipeline, notify reboot. NotifyUI = True

WUAHandler.log, meanwhile, shows a summary of the installation status:

1. Update: 7a127356-1465-4497-8765-1738d242e43d, 203   BundledUpdates: 1
       Update: 23880ebc-6fc3-4e62-af7f-9bf8224e2e7d, 203   BundledUpdates: 0
2. Update: 8cf5c03f-1b45-4d8f-a6d6-9fc9a927f92a, 201   BundledUpdates: 1
       Update: a0a48bf7-4baf-498d-b55b-d34022290ced, 201   BundledUpdates: 0
1. Update (Missing): 2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537) (7a127356-1465-4497-8765-1738d242e43d, 203)
2. Update (Missing): 2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674) (8cf5c03f-1b45-4d8f-a6d6-9fc9a927f92a, 201)
Async installation of updates started.
Update 1 (7a127356-1465-4497-8765-1738d242e43d) finished installing (0x00000000), Reboot Required? Yes
Installation of updates completed.

A reboot notification will be generated, and the device will restart based on the Client Settings we have specified.