In this post I will be going through the steps on how to deploy Windows 11 Software Update using SCCM. Windows 11 has recently released on 5th Oct 2021 and Microsoft has released the first every Cumulative Update for Windows 11 on Patch Tuesday for October’2021.
Getting ready with configuration of Software Update settings on SCCM
Configuration Manager should be configured before deploying any patches. This requires WSUS Feature installed on server along with Software Update Point Role installed.
WSUS is configured to download the metadata from Microsoft catalog and then it synchronizes with SCCM database to replicate the metadata.
Enabling Products and Classifications enabled
We need to select Windows 11 Product if all configurations are already in place in your environment.
Before deploying the patches, we need to configure Products and classifications settings under Software Update Point.
Login to Configuration Manager server and launch console, navigate to \Administration\Overview\Site Configuration\Sites. With site selected, click on Configure Site Components > Software Update Point to open Software Update Point Component Properties and click on Products tab, make sure following is selected:
Critical Updates
Security Updates
Though, you can see we may need more than this to deploy other kinds of update which includes Feature Packs, Definition Updates, Feature Packs, Service Packs, Tools, Update Rollups, updates, Upgrades.
Click on tab Products and under All Products > Microsoft > Windows, select Windows 11, other options like Windows 11 Dynamic Update & Windows 11 GDR-DU is also available depending upon the organisation strategy to decide you want to select it or not.
Synchronize Software Updates
We made the selection, hence now ready for synchronizing the patches with Microsoft. Navigate to \Software Library\Overview\Software Updates\All Software Updates, from the ribbon click on Synchronize Software Updates.
Once selected, this process will go through:
- Synchronizing WSUS with Microsoft – WSUS will contact Microsoft to download the metadata which is not the actual patch but just the information of patch ready to be downloaded and deployed. The metadata will be downloaded in WSUS Database and will initiate another sync.
- Synchronizing WSUS with SCCM – Another synchronization will be initiated automatically which now consists of already synchronized metadata on WSUS database to SCCM database which is necessary because clients will communicate to SCCM and to under its language it will contact SCCM. Hence WSUS is used in background by configuration manager by using Software Update Point role to download the metadata.
- Patches ready to get deployed– once sync is completed, patches are ready to be downloaded and deployed.
Check the progress of synchronization through wcm.log and wsyncmgr.log
As I selected Windows 11 as an additional Products, I can see the information in wcm.log:
Attempting connection to local WSUS server
Successfully connected to local WSUS server
Setting new configuration state to 4 (WSUS_CONFIG_SUBSCRIPTION_PENDING)
Attempting connection to local WSUS server
Successfully connected to local WSUS server
Configuration successful. Will wait for 1 minute for any subscription or proxy changes
Setting new configuration state to 2 (WSUS_CONFIG_SUCCESS)
Supported WSUS version found
Wsyncmgr.log will show Windows 11 Product now activated
Requested categories: Product=Windows 11, Product=Windows 10, Product=Windows 10, version 1903 and later, UpdateClassification=Security Updates, UpdateClassification=Update Rollups, UpdateClassification=Upgrades, UpdateClassification=Updates, UpdateClassification=Definition Updates, UpdateClassification=Critical Updates
Found local sync request file SMS_WSUS_SYNC_MANAGER
Starting Sync SMS_WSUS_SYNC_MANAGER
Performing sync on local request SMS_WSUS_SYNC_MANAGER
Full sync required due to changes in main WSUS server location. SMS_WSUS_SYNC_MANAGER
Read SUPs from SCF for SCCM01.MANBAN.COM SMS_WSUS_SYNC_MANAGER
Found 1 SUPs SMS_WSUS_SYNC_MANAGER
Found active SUP SCCM01.MANBAN.COM from SCF File. SMS_WSUS_SYNC_MANAGER
STATMSG: ID=6701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SCCM01.MANBAN.COM SITE=MAN PID=3652 TID=9228 GMTDATE=Thu Oct 14 08:44:36.456 2021 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 LE=0X0 SMS_WSUS_SYNC_MANAGER
Sync Surface Drivers option is not set SMS_WSUS_SYNC_MANAGER
Synchronizing WSUS, default server is SCCM01.MANBAN.COM SMS_WSUS_SYNC_MANAGER
STATMSG: ID=6704 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SCCM01.MANBAN.COM SITE=MAN PID=3652 TID=9228 GMTDATE=Thu Oct 14 08:44:37.461 2021 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 LE=0X0 SMS_WSUS_SYNC_MANAGER
http://SCCM01.MANBAN.COM:8530 SMS_WSUS_SYNC_MANAGER
Synchronizing WSUS server SCCM01 ... SMS_WSUS_SYNC_MANAGER
sync: Starting WSUS synchronization SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing categories SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing categories, processed 2 out of 2 items (100%) SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing updates, processed 3 out of 72 items (4%), ETA in 42.02:25:42 SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing updates, processed 25 out of 72 items (34%), ETA in 3.10:37:46 SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing updates, processed 39 out of 72 items (54%), ETA in 1.13:12:16 SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing updates, processed 51 out of 72 items (70%), ETA in 18:06:45 SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing updates, processed 72 out of 72 items (100%) SMS_WSUS_SYNC_MANAGER
Windows 11 Updates available now
Once synchronization is completed, we can see the required updates for Windows 11 is available. For a filtered view to see Windows 11 updates only navigate to \Software Library\Overview\Software Updates\All Software Updates. Select Add Criteria and select Product as “Windows 11” and click on Search.
We can see 2 specific patches related to x64 based devices:
2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674)
2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537)
But right now it is showing not required on any devices (Required = 0 showing). We need to wait on workstations for next Software Update Evaluation cycle or else we can force also.
Navigate to one of the workstation, launch Configuration Manager through control panel (Shortcut key: Windows + R > control smscfgrc). First click on Machine Policy Retrieval & Evaluation Cycle to get the latest policies and then click on Software Updates Scan Cycle
Scan process can be monitored through ScanAgent.log & UpdatesStore.log.
While looking into UpdatesStore.log (Location : c:\windows\ccm\logs), I can see few updates such as:
Successfully raised state message for update (8e15b5ea-08c4-48dc-afbf-54d1da4241f3) with state (Missing).
This only shows update in GUID which might not give you clarity. Use this PowerShell command which will help you showing the missing updates with exact details:
Get-CimInstance -Namespace root\ccm\softwareupdates\updatesstore -ClassName CCM_UpdateStatus | select status,title | where-object {$_.Status -like ‘missing’}
Hence, we can see Cumulative update showing missing for KB50006674 & KB5005537
Workstation will send status message back to management point and we can see the mentioned patches are showing required on 1 system, hence we can confirm and assure that the patch is required.
Download Cumulative Update – Windows 11
Once again navigate to All Software Updates which is now showing update is required on a system. Lets select these 2 patches, right click and select Download.
This will launch Download Software Updates Wizard with Specify a deployment package page. We will go with option Create a new deployment package and provide:
Name : Windows 11 Patches
Package source: \\sccm01\source\Software Update\Windows 11 R001
On Distribution Points page add the Distribution Point and click Next.
On Distribution Settings page click Next.
On Download Location page, select Download software updates from the Internet and click Next.
On Specify the update languages for products page, click Next.
On Confirm the settings page, verify the following information and click Next.
Software updates that will be downloaded from the internet
2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674)
2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537)
This will go through process of downloading the patch, monitor the patch downloading through PatchDownloader.log (Location: %userprofile%\AppData\Local\Temp\PatchDownloader.log)
We can see patch is getting downloaded through Microsoft URL’s:
Download destination = \\sccm01\source\Software Update\Windows 11 R001\23880ebc-6fc3-4e62-af7f-9bf8224e2e7d.1\Windows10.0-KB5005537-x64-NDP48.cab .
Contentsource = http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab . Software Updates Patch Downloader
Query to run: select f.FileName, c.ContentUniqueID from SMS_CIToContent c join SMS_CIContentFiles f on c.ContentID = f.ContentID where c.ContentID in (16783260) and f.FileHash = 'SHA1:C96F7425CBC6DC785DBE49C8540FF23B8B91B1F8' Software Updates Patch Downloader
Query to run: select f.FileName, ct.ContentSource from SMS_CIToContent c join SMS_CIContentFiles f on c.ContentID = f.ContentID join SMS_Content ct on c.ContentID = ct.ContentID where c.ContentDownloaded = 1 and f.FileHash = 'SHA1:C96F7425CBC6DC785DBE49C8540FF23B8B91B1F8' Software Updates Patch Downloader
Downloading content for ContentID = 16783270, FileName = Windows10.0-KB5005537-x64-NDP48.cab. Software Updates Patch Downloader
Proxy is enabled for download, using registry settings or defaults. Software Updates Patch Downloader
Connecting - Adding file range by calling HttpAddRequestHeaders, range string = "Range: bytes=0-" Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 10 percent complete Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 20 percent complete Software Updates Patch Downloader
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 30 percent complete
Download http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 40 percent complete Software Updates Patch Downloader
http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 50 percent complete Software Updates Patch Downloader
http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 60 percent complete Software Updates Patch Downloader
http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 70 percent complete Software Updates Patch Downloader
http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 80 percent complete Software Updates Patch Downloader
http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab in progress: 90 percent complete Software Updates Patch Downloader
http://download.windowsupdate.com/c/msdownload/update/software/updt/2021/08/windows10.0-kb5005537-x64-ndp48_c96f7425cbc6dc785dbe49c8540ff23b8b91b1f8.cab to C:\Users\ADMINI~1.MAN\AppData\Local\Temp\CAB80D0.tmp.cab returns 0 Software Updates Patch Downloader
Using machine settings for CRL checking. Software Updates Patch Downloader 10/14/2021 9:41:45 PM 12948 (0x3294)
Cert revocation check is disabled so cert revocation list will not be checked. Software Updates Patch Downloader 10/14/2021 9:41:45 PM 12948 (0x3294)
To enable cert revocation check use: UpdDwnldCfg.exe /checkrevocation Software Updates Patch Downloader 10/14/2021 9:41:45 PM 12948 (0x3294)
Verifying file trust C:\Users\ADMINI~1.MAN\AppData\Local\Temp\CAB80D0.tmp.cab Software Updates Patch Downloader 10/14/2021 9:41:45 PM 12948 (0x3294)
File trust C:\Users\ADMINI~1.MAN\AppData\Local\Temp\CAB80D0.tmp.cab verified: Software Updates Patch Downloader 10/14/2021 9:41:45 PM 12948 (0x3294)
Verifying file hash C:\Users\ADMINI~1.MAN\AppData\Local\Temp\CAB80D0.tmp.cab Software Updates Patch Downloader 10/14/2021 9:41:45 PM 12948 (0x3294)
File hash verified: C:\Users\ADMINI~1.MAN\AppData\Local\Temp\CAB80D0.tmp.cab Software Updates Patch Downloader 10/14/2021 9:41:45 PM 12948 (0x3294)
Successfully moved C:\Users\ADMINI~1.MAN\AppData\Local\Temp\CAB80D0.tmp.cab to \\sccm01\source\Software Update\Windows 11 R001\23880ebc-6fc3-4e62-af7f-9bf8224e2e7d.1\Windows10.0-KB5005537-x64-NDP48.cab Software Updates Patch Downloader 10/14/2021 9:41:45 PM 12948 (0x3294)
Attempting to delete 0 byte tmp files from previous downloads Software Updates Patch Downloader 10/14/2021 9:41:45 PM 12948 (0x3294)
Renaming \\sccm01\source\Software Update\Windows 11 R001\23880ebc-6fc3-4e62-af7f-9bf8224e2e7d.1 to \\sccm01\source\Software Update\Windows 11 R001\23880ebc-6fc3-4e62-af7f-9bf8224e2e7d Software Updates Patch Downloader 10/14/2021 9:41:45 PM 14704 (0x3970)
Successfully moved \\sccm01\source\Software Update\Windows 11 R001\23880ebc-6fc3-4e62-af7f-9bf8224e2e7d.1 to \\sccm01\source\Software Update\Windows 11 R001\23880ebc-6fc3-4e62-af7f-9bf8224e2e7d Software Updates Patch Downloader 10/14/2021 9:41:45 PM 14704 (0x3970)
Deploy Windows 11 Updates
Under All Software Updates we can see the patch is showing Downloaded , lets deploy now. Right both the patches and click Deploy
Under Specify general information for this deployment, specify:
Deployment Name:
Software Update/Software Update Group:
Collection:
On Deployment Settings, select Type of deployment as Required and click Next.
On Scheduling page, specify Software available time and specify Installation deadline.
On User Experience page, under Device restart behavior, specify Suppress the system restart on the following devices and check Worktations.
Click next pages to complete the deployment process.
Check installation on Windows 11 Workstation
Login to Windows 11 workstation and initiate Machine Policy Retrieval & Evaluation Cycle followed by Software Updates Deployment Evaluation Cycle under Configuration Manager Properties.
Launch Software Center > Updates and we can see the updates are available with Past due – will be installed status and installation will initiate and can be monitored through UpdatesDeployment.log & Wuahandler.log.
UpdatesDeployment.log will show the downloading and installation progress in detail.
Update (Site_A01E8F68-CD81-4C08-80FA-477C0E10623B/SUM_7a127356-1465-4497-8765-1738d242e43d) Progress: Status = ciStateInstalling, PercentComplete = 100, DownloadSize = 0, Result = 0x0
Update (Site_A01E8F68-CD81-4C08-80FA-477C0E10623B/SUM_8cf5c03f-1b45-4d8f-a6d6-9fc9a927f92a) Progress: Status = ciStateInstalling, PercentComplete = 74, DownloadSize = 0, Result = 0x0
IsRebootNeeded: Update = Site_A01E8F68-CD81-4C08-80FA-477C0E10623B/SUM_7a127356-1465-4497-8765-1738d242e43d, UserUIExperience = True, RebootDeadline = 0, set NotifyUI = True for this update
No installations in pipeline, notify reboot. NotifyUI = True
While wuahandler.log will show summary of installation status:
1. Update: 7a127356-1465-4497-8765-1738d242e43d, 203 BundledUpdates: 1
Update: 23880ebc-6fc3-4e62-af7f-9bf8224e2e7d, 203 BundledUpdates: 0
2. Update: 8cf5c03f-1b45-4d8f-a6d6-9fc9a927f92a, 201 BundledUpdates: 1
Update: a0a48bf7-4baf-498d-b55b-d34022290ced, 201 BundledUpdates: 0
1. Update (Missing): 2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537) (7a127356-1465-4497-8765-1738d242e43d, 203)
2. Update (Missing): 2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674) (8cf5c03f-1b45-4d8f-a6d6-9fc9a927f92a, 201)
Async installation of updates started.
Update 1 (7a127356-1465-4497-8765-1738d242e43d) finished installing (0x00000000), Reboot Required? Yes
Installation of updates completed.
Reboot notification will be generated and will restart based of Client Settings we have specified.
Discover more from SCCM | Intune | Azure | Enterprise Mobility & Security
Subscribe to get the latest posts to your email.