In this blog I will demonstrate you how to deploy Software Update / patches using SCCM. Usually Microsoft releases patches on 2nd Tuesday every month, however they may release patches on other day or week depending upon current threat or vulnerability resolving issue for the system.

Making SCCM Infra ready before deploying Software Update

Before deploying software updates to the systems, we need to make sure making the SCCM infra ready for this. This consists of several components.

Installation of WSUS Feature & SCCM’s Software Update Point Role

We need to install WSUS Feature on one of the server which will be later used as Software Update Point Role installation. You may use following link to install and configure Software update Point Role. Once installed, this role is responsible to connect on-premises WSUS with Microsoft update and downloads Windows Update catalog required for scanning to software update.


Configure Site Components

Login to SCCM Server, launch Configuration Manager console. Navigate to Administration > Overview > Site Configuration > Sites. Select your site and click on Configure Site Components from Ribbon and select Software Update Point from drop down menu.

Click on Classifications tab and select following Software update classifications:

Critical Updates
Security Updates
Upgrades

Critical Updates & Security Updates are the most important one we are interested for deploying patches, I have gone with Upgrades for deploying this feature as well. Select other classifications based upon your need.

Click on Products tab, scroll down to see Windows category and select the OS versions you wanted to get patches for. You need to select:

Windows 10 – For Windows 10 version prior to 1903 version
Windows 10, version 1903 and later – For 1903 and above version

Select any other products which wanted to control for patches.

Synchronize Software Updates

Navigate to Software Library > Overview > Software Updates > All Software Updates. From the Ribbon click Syncrhonize Software Updates to initiate downloading of Metadata from Microsoft’s Catalog.

This process consists of following: Metadata from Microsoft’s Catalog will be downloaded to WSUS database, there on WSUS database synchronization with SCCM database to inject Software Update metadata in SCCM. Hence this whole process has a dependency upon WSUS Server to download the metadata, however WSUS itself is not playing any role in any configuration setting for Products and Classifications. Hence, no deployment from WSUS will be done. Everything will be taken control by SCCM for downloading the patches and deploying. Downloading metadata should not be confused with download the update as metadata is just the information of patch not the actual patch download.

Verify the synchronization process through wcm.log & wsyncmgr.log. You might see similar entries in wsyncmgr.log the number might be different.

sync: SMS synchronizing categories, processed 365 out of 365 items (100%)
Synchronizing update 65c53f07-c84f-42e9-8ff9-65d75aa347dd - Microsoft 365 Apps Update - Current Channel (Preview) Version 2009 for x64 based Edition (Build 13231.20200)
sync: SMS synchronizing updates, processed 4 out of 4 items (100%)
STATMSG: ID=6702 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SCCM01.MANBAN.COM SITE=MAN PID=4444 TID=10764 GMTDATE=Wed Sep 23 12:07:45.101 2020 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0

Configuration Client Settings

Navigate to Administration > Overview > Client Settings. Select Default Client Settings and click on Properties from Ribbon. Navigate to Software Updates.

Under Device Settings, make sure Enable software updates on clients is set to Yes.

Software Update scan schedule & Schedule deployment re-evaluation is set to 7 days which will revaluate the patches every 7 days if missing. This can be changed as per organization requirement, but I believe 7 days is a decent option as more aggressive setting such as 1 or 2 days will create lot of traffic to be sent from clients to SCCM server quite frequently.

Select Computer Restart setting under Default Settings. Though is not mandatory option, but it’s a very good option to come here and specify the settings of your choice. These settings controls the restart behavior when the patches are installed on the system. Under Specify behavior on client computers, select:

Configuration Manager can force a device to restart: Yes
Specify the amount of time after the deadline before a device gets restarted (minutes): 90
Specify the amount of time that a user is presented a final countdown notification before a device gets restarted (minutes): 15
After the deadline, specify the frequency of restart reminder notifications to the user (minutes): 240

There will be 4 hours (equivalent to 240 mins) of notification window giving users a time before forceful restart happens. You may increase this time to allow extra time between deadline and restart.

Allow couple of hours so that clients can get the new policy about of Software Update is enabled. Each client (System) will run Software Update Deployment Evaluation cycle and send the information of what patches are required and what not and that information will be saved in SCCM database.

Deploy Software Update

Deploying Software update patches consists of downloading and deploying it to a specific collection. Navigate to \Software Library\Overview\Software Updates\All Software Updates, under Right Pane you will be able to see all patches synched with Microsoft Catalog with showing status about on how many systems it is required, installed etc. We need to Add Criteria to see only those patches which we require for our Windows 10, version 1909 system. Click on Add Criteria.

Under Add Criteria, add following:
Required is greater than or equal to : 1
Product Windows 10, version 1903 and Later: 1
Expired : No
Superseded : No

Click on search and it will show only required patches for Windows 10, version 1903 which is required on atleast 1 system and filtering out expired and superseded updates as we don’t require that.

I would highly recommend to save the current search by clicking on Ribbon and providing a name, as you might be coming here again and again every month to deploy the software updates / patches.

I will be going with installing 3 patches, KB4576751, KB4574727 and KB4576484, select the 3 patches right click and click on Deploy.

Selecting Deploy will go through Downloading and deploying phase as we haven’t downloaded these patches before.

This will open Deploy Software Updates Wizard, under General specify the name, I am going with default one. Browse for collection to target this deployment.

Under Deployment Settings, select type of deployment as Required, we have options available for Required (forceful deploying a patch with deadline) and Available (software update available under Software Center to install, this does not force the user / system to install).

Under Scheduling page, select Software available time, this will be used to provide software update policy to user and to download the software updates at that specific time. Under Installation deadline, specify the time when you want to deploy the software updates.

Under User Experience, I will be going with default options, click Next.

Under Alerts page, click Next.

Under Deployment Package, select Create a new deployment package. Provide Name and Package source to download software update. We also have option with No deployment package which provides option Clients download content from peers or the Microsoft cloud, this could be a good option for slow link boundaries where connection to DP is quite slow to download the content and would prefer to download updates from Microsoft.

Under Distribution Points page, specify the distribution points or distribution point groups to host the content, click Next.

Under Download Location page, select Download software updates from the internet.

Under Language Selection page, click Next.

Under Download Settings page, click Next.

Under Summary page, verify the details and click Next.

This will progress through downloading the patches, allow some time to download it.

Once completed, you will get message The Deploy Software Updates Wizard completed successfully.

For troubleshooting purpose, verify the download of software update through PatchDownloader.log located under appdata > Local > temp and some random folder. For my system this was the location:

C:\Users\svc-sccmadmin\AppData\Local\Temp\2\PatchDownloader.log

Important information from PatchDownloader.log which I found:

Download destination = \\sccm01\d$\Source\Updates\Workstation 1909\9a23b790-6cb5-409f-abed-96b79a45fa2b.1\windows10.0-kb4576484-x64-ndp48.cab
Download http://download.windowsupdate.com/d/msdownload/update/software/secu/2020/08/windows10.0-kb4576484-x64-ndp48_d91f96082d4a8db9f1bdccaeb06a29cb6c1341b7.cab in progress: 90 percent complete
Successfully moved C:\Users\SVC-SC~1\AppData\Local\Temp\2\CABF3CC.tmp to \\sccm01\d$\Source\Updates\Workstation 1909\9a23b790-6cb5-409f-abed-96b79a45fa2b.1\windows10.0-kb4576484-x64-ndp48.cab
Successfully moved \\sccm01\d$\Source\Updates\Workstation 1909\9a23b790-6cb5-409f-abed-96b79a45fa2b.1 to \\sccm01\d$\Source\Updates\Workstation 1909\9a23b790-6cb5-409f-abed-96b79a45fa2b

Verify installation of software update on client system

Login to the system on which we deployed the software update. Wait for 1 hour to get the Machine Policy or initiate Machine Policy Retrieval & Evaluation Cycle under Configuration manager properties > Actions.

Launch Software Center > Updates. We will be able to see 3 patches which we targeted to this system. The status will change to Past due – will be installed once the deadline is reached, and it’s a matter of time only to see the installation progress.

Once installation starts, we can see the status changing to Waiting to Install, Installing, Pending Verification.

Once installation is done, we can see Software Center notification showing restart window along with countdown timer for a forced restart to happen. As per the window it will restart the system after 1 hour 20 mins you can only snooze upto this time only and there after system will restart to apply the patches.