The SCCM Patching Software Update Deployment Process Guide is here for consumption. This guide is, again, a video tutorial to help IT Pros learn the patching (a.k.a. Software Update patching) process using the latest version of SCCM.
Software updates in SCCM provide tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise. Patching is one of the essential tasks of SCCM admin.
SCCM patching involves many components and can become very complex if you don’t pay proper attention to the details. Windows Update for Business (WUfB) patching is much easier to set up and manage. However, there is less control over picking and choosing in WUfB. Intune Patch management options are explained in the Software Update Patching Options With Intune Setup Guide.
Let’s look at how to install WSUS for the ConfigMgr Software Update Point (SUP) role and how to install the SUP role itself. You will also learn how to create and deploy new software update patch packages using SCCM (ConfigMgr).
Best SCCM Patching Software Update Deployment Process Guide
The following video guide is the high-level Patching Guide for SCCM beginners. There is little difference between SCCM 2012 patching and SCCM Current Branch Patching.
I have an old blog post discussing ConfigMgr Patch Management’s Pros and Cons. Some of the points in this post are still valid, so it’s worth reading to better grasp the SCCM patching process and setup scenarios.
In version SCCM 1806, software updates can be deployed to devices without downloading and distributing content to distribution points. This setting is beneficial when dealing with extensively updated content.
What is SCCM Patching?
All software applications and drivers must undergo the software release life cycle, which includes bug fixing and improvements. Each vendor releases a patch to fix bugs in software and drivers. Deploying/installing these patches to one or more systems or devices is called software patching.
Organizations must patch all existing applications. This process helps to keep the environment secure. Software vendors like Microsoft, Adobe, Android, iOS, macOS, Linux, and Unix OS release patches. These patches cover bug fixes for their software.
Why a Patching Guide? Patch Software Update Deployment Process
Recently, I saw someone looking for a video tutorial related to SCCM Software Updates in our Facebook group (which has about 11000 members now).
I thought, let me create a quick 25-minute video to cover the software update process in SCCM CB. I tried to briefly overview the end-to-end SCCM Software Update (patching) process.
SCCM Patching Infra Setup Videos – SCCM Patching Process is Explained
The free end-to-end SCCM training is below: Free SCCM Training Part 1 | 17 Hours Of Latest Technical Content | ConfigMgr Lab HTMD Blog (anoopcnair.com).
This section teaches you how to set up SCCM patching-related infrastructure components such as WSUS and Software Update Point. It also discusses the architecture of SCCM patching infrastructure in the video tutorial below.
- Install WSUS for ConfigMgr Software Update Point Role.
  Launch Server Manager, Select Destination Server, Select Server Roles, Select Features, Windows Server Update Services, Select Role Services to Install WSUS, Content-Location Selection for WSUS, Database Instance Selection, Web Server Role (IIS), Select Roles Services for IIS, Install & Confirm Installation Selection, Complete WSUS Installation, Cancel WSUS Configuration Wizard, Completion – Install WSUS for ConfigMgr SUP.
- Post Installation of WSUS Failed – WSUS service is disabled?
- WSUS Reinstallation steps explained
- WSUS post-installation was completed without any issues
- Install ConfigMgr Software Update Point (SUP) – Install New ConfigMgr Software Update Point Role.
  Add Site Systems Roles, Select a Server to Use as a Site System, Specify Internet Proxy Server, Specify Roles for this Server, Specify Software Update Point Settings, Specify Proxy & Account Settings for Software Update Point, Specify synchronization source settings, Synchronization Settings, Select Behavior for Software Updates are Superseded, Configure WSUS Maintenance Behavior, Configure Maximum Run Time, Specify Configuration for Software Update Content, Select the Software update classifications that you want to Synchronize, Select the Products that You Want to Synchronize, Specify the Language Settings that you want to Synchronize and Confirm the Settings.
- Do Not Set up SUP with Default WSUS Product Selection ConfigMgr SCCM.
- Log files to troubleshoot: SUPSetup.log, WsyncMgr.log, WCM.log, and WSUSCtrl.log.
- Initiate WSUS sync twice. The first sync updates the category/products list for the software update component.
- Initiate WSUS sync a second time to update the KB article metadata. The metadata update is completed only after the second sync.
The SCCM SUP Product List filtering options are helpful in a scenario where you want to add a new product to the SCCM patching. This SUP product filter option has been added to the 2203 version of SCCM.
Step 2: SCCM Software Update Patching WSUS and SUP Infrastructure Configuration
The process is explained in the video, which covers the following:
- WSUS
- SUP Installation log files
- Software Update Component Configuration – Classifications/Products
- Software Update Sync – Logfile WsyncMgr.log
- Selection of Patch/Software Update and Creation of Software Update Group
- Deployment of Software Update Group
- End-User Experience at Windows 10 1511 device
- What happened to WindowsUpdate.log??
- How to Speed up SCCM policy flow?
- Windows 10 SCCM Client-side logs – Is a reboot required? If yes, reboot the Windows 10 1511 device.
I recommend reading Third-Party Patching Best Practices for an Organization guide for the non-Microsoft app patching process.
STEP 3: SCCM Patch Package Creation Process
In this post, let’s check the SCCM patch package creation process. You must complete the following high-level steps in the SCCM patch package or Software Update package creation process.
- Prerequisites – New Software Update Patch Package Using SCCM
- Select Patches & Create a Software Update Group
- Create Software Update Group
- Create a New Software Update Patch Package using SCCM
- Specify the Distribution Points for this Software Update patch package
- Automatically download content when packages are assigned to distribution points
- Specify the updated language for products for the SCCM Patching Guide
- Download Updates from the Internet for the SCCM Patch Package
- Log – PatchDownloader.log to check the download
- Results – Software Update Package Creation
- Deploy SCCM Patch Package to Windows 11 or Windows 10 devices
- SCCM Patch Deployment Settings – Available | Required
- SCCM Patch Deployment Schedule Options
- SCCM Patching Guide – Alert Options for the Patch Deployment
- SCCM Patching Process – Download Options
- Results from the SCCM Patch Deployment Process
The blog post linked below explains the end-to-end SCCM software update patch package creation process in detail.
➡️How To Create Deploy New Software Update Patch Package Using SCCM | ConfigMgr
The following video explains How to Create an ADR Patching Client-Side Issues Application Creation Process Manual in SCCM.
SCCM patching troubleshooting can also be very complex if you don’t understand the setup of Software Update or SCCM patching. As a first step, you need to understand the entire patching process explained above.
Fix SCCM Patching-Related Issues
There could be server-side and client-side issues related to SCCM patching or software updates. You need to check the flows from the client side.
- UpdateStore.log – to know the status of the updates.
- UpdatesDeployment.log – % of download completed? Status = ciStateInstalling, PercentComplete = 16,
  - added to the targeted list of deployment
  - Progress: Status = ciStateDownloading, PercentComplete = 0, Result = 0x0
  - Progress: Status = ciStateWaitInstall, PercentComplete = 0, DownloadSize = 0, Result = 0x0
  - Progress: Status = ciStateInstalling, PercentComplete = 89, DownloadSize = 0, Result = 0x0
  - Progress: Status = ciStateInstalling, PercentComplete = 100, DownloadSize = 0, Result = 0x0
  - Progress: Status = ciStatePendingSoftReboot, PercentComplete = 0, DownloadSize = 0, Result = 0x0
  - Progress: Status = ciStateInstallComplete, PercentComplete = 0, DownloadSize = 0, Result = 0x0
  - Job completion received.
- CCMSDKProvider.log – Get client agent settings…Getting reboot setting whether to show dialog instead of notification

1. LocationServices.log – Check whether it can find WSUS Path= and Distribution Point with patches.
2. WUAHandler.log – Check whether the scan is completed or not.
3. UpdatesDeployment.log – Check for the assignment deadline and Software Updates client configuration policy, DetectJob completion received for assignment, and Added update (Site_, PercentComplete, etc…
4. Execmgr.log – Execution is complete for program Software Updates Program
5. RebootCoordinator.log – Reboot-related things
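The Progress entries listed above can be read mechanically to see where an update stopped. The following PowerShell is an added example, not code from the original post or from Microsoft; the function names `Get-UpdateProgress` and `Get-UpdateVerdict` are hypothetical, the sample lines are constructed from the fragments shown above and represent a single update, and the commented log path assumes the default client install location.

```powershell
# Constructed sample: progress fragments in the form shown above (not a real client log).
$sample = @'
Progress: Status = ciStateDownloading, PercentComplete = 0, Result = 0x0
Progress: Status = ciStateWaitInstall, PercentComplete = 0, DownloadSize = 0, Result = 0x0
Progress: Status = ciStateInstalling, PercentComplete = 89, DownloadSize = 0, Result = 0x0
Progress: Status = ciStateInstalling, PercentComplete = 100, DownloadSize = 0, Result = 0x0
Progress: Status = ciStatePendingSoftReboot, PercentComplete = 0, DownloadSize = 0, Result = 0x0
'@ -split "`r?`n"

function Get-UpdateProgress {
    # Extracts Status / PercentComplete / Result from each line that carries them.
    param([string[]]$Line)
    $pattern = 'Status = (?<Status>ciState\w+), PercentComplete = (?<Pct>\d+)' +
               '(?:, DownloadSize = \d+)?, Result = (?<Result>0x[0-9A-Fa-f]+)'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Status  = $Matches.Status
                Percent = [int]$Matches.Pct
                Result  = $Matches.Result
                # Any Result other than 0x0 is treated as a failure to investigate.
                Failed  = ([Convert]::ToInt64($Matches.Result, 16) -ne 0)
            }
        }
    }
}

function Get-UpdateVerdict {
    # Turns the ordered progress entries into a one-line triage verdict.
    param([object[]]$Progress)
    if (-not $Progress) { return 'No progress lines found: check WUAHandler.log for scan status' }
    $failed = @($Progress | Where-Object Failed)
    if ($failed) { return "Non-zero Result $($failed[-1].Result) at $($failed[-1].Status)" }
    switch ($Progress[-1].Status) {
        'ciStateInstallComplete'   { 'Installed' }
        'ciStatePendingSoftReboot' { 'Installed, reboot pending: check RebootCoordinator.log' }
        default                    { "Still in progress at $_ ($($Progress[-1].Percent)%)" }
    }
}

$progress = @(Get-UpdateProgress -Line $sample)
$progress | Format-Table -AutoSize
Get-UpdateVerdict -Progress $progress

# On a client, feed the real log instead (assumed default path):
# Get-UpdateProgress -Line (Get-Content "$env:windir\CCM\Logs\UpdatesDeployment.log")
```

A real log interleaves entries for several updates, so filter the lines to one update before asking for a verdict.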
- WSUS Cleanup option | SCCM WSUS Cleanup | Fix SCCM Scan Timeout Errors
- Fix SCCM Troubleshooting Scan Errors Patching Software Update Issues
- Fix SCCM Client-Side Patching Or Software Updates Issues, Troubleshooting
- Fix SCCM Patch Deployment Issue With Windows Cumulative Updates
Resources
- SCCM Video Tutorials For IT Pros – HTMD Blog #2 (howtomanagedevices.com).
- SCCM Related Posts Real World Experiences Of SCCM Admins (anoopcnair.com)
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Hi Anoop,
I was really amazed looking at your website and the detailed SCCM setup or configuration. I have multiple sites for SCCM Distribution point and I followed the same instructions as suggested. However, the deployment is failing. Do you give support as well?
Hi Anoop,
How to set patch level in SCCM? It means we need to install patches to one Windows 2012 R2 server only till July 2020.
It seems you will need to create a separate Software Update Group to cater to this special requirement. I can’t think of any better ways.
Hi Anoop,
I want complete information about patching nothing but Windows Server, Windows 2003 and Windows 2008 servers, OS patching. Can you provide me please.
Thank you,
prudhvi.
Hi, You can’t patch the 2003 and 2008 servers because it’s already out of support. This is possible if you purchase the extended support for servers in the similar way Ankit explained for Windows 7 https://www.anoopcnair.com/windows-7-extended-security-update-step-by-step/
Thanks for the article. Patching is a process to repair a vulnerability or a flaw that is identified after the release of an application or software.
Great article for a beginner learning the nuts and bolts of SCCM. I have an unusual issue where the patches are showing as required and you can see the installation status. However, once it has succeeded and rebooted, I don’t see the patch listed as installed in the installation status pane. Is this by design or is there a configuration that’s missing or not set that will show all the patches that have been installed?