Windows 11 Patch Deployment using SCCM

Windows 11 patch deployment using SCCM is today’s topic. You can use either Intune or SCCM to deploy patches to Windows 11 PCs. Both of the methods are fully supported. Configuration Manager uses WSUS and Windows Update to deploy patches.

Microsoft released the first Windows 11 patch on 12th Oct 2021 after the production release of Windows 11 on 4th of Oct 2021. To patch Windows 11 devices, you will need to install WSUS and SUP (Software Update Point) as the first step. If you are already using SCCM for patching Windows 10 devices, WSUS and SUP are already in place.

You will have to enable Windows 11 products from the SCCM software update point component properties product category. SCCM allows you to patch third-party applications as well using the SCCM Third-Party Software Updates Setup. In this post, I will cover only Microsoft patches for Windows 11 devices.


SCCM Patch Management Infrastructure Setup

If you are not familiar with the SCCM patch management process, the following video guide helps you set up the SCCM patch management infrastructure end to end. I have covered WSUS installation, SUP setup and configuration, and troubleshooting of WSUS and SUP in this video.

You can check out end-to-end SCCM server infra setup and configuration in the HTMD free training videos from the below post.


How to Initiate a Manual WSUS Sync

You will need to initiate a manual WSUS sync or schedule a regular weekly WSUS sync. The sync runs between WSUS and Microsoft’s update service and pulls down the latest released patches.


Once the latest Windows 11 patches are available in WSUS after the sync, they are automatically reflected in the SCCM console through the SUP integration with WSUS.

Let’s see how to initiate the WSUS sync from \Software Library\Overview\Software Updates\All Software Updates. Right-click on the All Software Updates node and select Synchronize Software Updates to initiate the sync. Click OK to start the sync.


Understanding WSUS Update Sync Process for Windows 11

Let’s now understand the WSUS update sync process. Check the SCCM server-side log WSyncMgr.log to troubleshoot any issues related to the WSUS sync. The following log entries show the sequence: the process first checks connectivity between SCCM and WSUS, then starts the WSUS synchronization of categories and updates.

Synchronizing WSUS server CMMEMCM ..
sync: Starting WSUS synchronization
sync: WSUS synchronizing categories
sync: WSUS synchronizing categories, processed 3 out of 3 items (100%)
sync: WSUS synchronizing updates
sync: WSUS synchronizing updates, processed 140 out of 140 items (100%)
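The two steps above (starting the sync from the console and reading WSyncMgr.log) can both be done from PowerShell. The script below is an added example, not code from the original post: it triggers the same SUP sync with the ConfigurationManager module and then summarises a WSyncMgr.log so the "processed N out of N items" progress lines and any failure lines are easy to spot. The site code 'MEM' and the server name CMMEMCM.MEMCM.COM are hypothetical, and the sample log at the bottom is constructed from the entries quoted above, wrapped in the CMTrace line format the real log uses.

```powershell
# Added example (not from the original post). Site code 'MEM', server name and
# the sample log are constructed/hypothetical; the message text is from the post.

function Start-CMFullSupSync {
    param([Parameter(Mandatory)][string]$SiteCode)
    # The ConfigurationManager module ships with the console; SMS_ADMIN_UI_PATH points at its bin folder.
    Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
    Push-Location "$($SiteCode):"
    try     { Sync-CMSoftwareUpdate -FullSync $true }   # same as right-click All Software Updates > Synchronize Software Updates
    finally { Pop-Location }
}

function Get-WSyncMgrSummary {
    param([Parameter(Mandatory)][string]$LogPath)
    # CMTrace entries look like: <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="mm-dd-yyyy" component="..." ...>
    $entryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'
    $entries = @(foreach ($line in Get-Content -Path $LogPath) {
        if ($line -match $entryPattern) {
            [pscustomobject]@{ Date = $Matches.date; Time = $Matches.time; Message = $Matches.msg }
        }
    })
    $started  = @($entries | Where-Object { $_.Message -like 'sync: Starting WSUS synchronization*' })
    $progress = @($entries | Where-Object { $_.Message -match 'processed \d+ out of \d+ items' })
    $failures = @($entries | Where-Object { $_.Message -match 'Sync failed|Failed to sync' })
    $done     = @($entries | Where-Object { $_.Message -match 'Done synchronizing SMS with WSUS Server' })
    [pscustomobject]@{
        SyncStarted  = if ($started)  { $started[-1].Date + ' ' + $started[-1].Time } else { $null }
        LastProgress = if ($progress) { $progress[-1].Message } else { $null }
        Completed    = $done.Count -gt 0
        FailureCount = $failures.Count
        Failures     = @($failures | ForEach-Object Message)
    }
}

# Constructed sample log: the post's WSyncMgr.log lines plus a completion line, in CMTrace format.
$i = 0
$sampleLog = @(
    'Synchronizing WSUS server CMMEMCM ..',
    'sync: Starting WSUS synchronization',
    'sync: WSUS synchronizing categories',
    'sync: WSUS synchronizing categories, processed 3 out of 3 items (100%)',
    'sync: WSUS synchronizing updates',
    'sync: WSUS synchronizing updates, processed 140 out of 140 items (100%)',
    'sync: SMS synchronizing updates, processed 69 out of 69 items (100%)',
    'Done synchronizing SMS with WSUS Server CMMEMCM.MEMCM.COM'
) | ForEach-Object {
    $i++
    '<![LOG[{0}]LOG]!><time="05:0{1}:00.000+000" date="10-13-2021" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="1234" file="">' -f $_, $i
}
$samplePath = Join-Path $env:TEMP 'WSyncMgr.sample.log'
Set-Content -Path $samplePath -Value $sampleLog
Get-WSyncMgrSummary -LogPath $samplePath

# Against a live site: Start-CMFullSupSync -SiteCode 'MEM', wait a few minutes, then point
# Get-WSyncMgrSummary at <ConfigMgr install dir>\Logs\WSyncMgr.log on the site server.
```

On the constructed sample the summary reports the last progress line ("sync: SMS synchronizing updates, processed 69 out of 69 items (100%)"), Completed = True and no failures; on a real log, a non-zero FailureCount with the matching messages is the first thing to look at before checking WSUS connectivity.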


Windows 11 Cumulative Update Patching using SCCM

You will need to wait for the WSUS sync to complete before the Windows 11 Cumulative Updates (patches) show up in the SCCM console. Once the sync is completed, you can see the two patches (KB5006674 and KB5005537) released by Microsoft. These are the first patches released for the Windows 11 production release.

Synchronizing update c4b10d7c-a71a-45ed-9158-8039b974246c – 2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for ARM64 (KB5005537)
Synchronizing update 7a127356-1465-4497-8765-1738d242e43d – 2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537)
Synchronizing update 676e5d2e-62fb-43ee-bd50-64e53a04c59a – 2021-10 Cumulative Update for Windows 11 for ARM64-based Systems (KB5006674)
Synchronizing update 8cf5c03f-1b45-4d8f-a6d6-9fc9a927f92a – 2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674)
sync: SMS synchronizing updates, processed 69 out of 69 items (100%)

The following are the details of Windows 11 patches released this week.

• Name: Windows 11 (original release) Pro
• Version: 22000.258.211007-1642
• KB: Cumulative KB 5006674; .NET KB 5004342; Setup Dynamic Update KB 5006587; SSU KB: within the LCU; SafeOS KB 5005662
• Arch.: x64
• Language: EN-US
• Edition: Pro
• .NET version: 4.7.2
• Size: 127 GB
• Custom: N/A


Once the Windows 11 patches are available in the SCCM console, you can start creating patch packages using different options. The easiest option is to create an Automatic Deployment Rule to create and deploy patches to Windows 11 devices (Create SCCM Automatic Deployment Rule | ADR).

The following are the 4 patches released for Windows 11 on the Oct 2021 Patch Tuesday. You can click on Add Criteria and add Windows 11 as a product to show only Windows 11 patches in the All Software Updates node.

NOTE! Windows 11 Dynamic Updates are released under the wrong product category, Windows 10 Dynamic Updates, so they do not appear under a Product = Windows 11 filter.


Windows 11 Patch Package Creation and Deployment

You can now create a Windows 11 patch package and deploy it to Windows 11 PCs. I’m going to show you the easiest manual method to create a Windows 11 patch package.

You will need to right-click on all the patches that you want to deploy. In my scenario, I’m going to select the following patches for x64-based systems: KB5006674 and KB5005537. The Windows 11 SSU is included in the Latest Cumulative Update (LCU) patch (Windows 11 servicing stack update 22000.190).

  • Navigate to \Software Library\Overview\Software Updates\All Software Updates.
  • Click on Add Criteria and Add Windows 11 as product as shown in the above screenshot.
  • Right click on those patches and select Create Software Update Group (SUG).
  • Enter the name of Software Update Group – Windows 11 Patches for Oct 2021.
  • Click on the Create button.

Now it’s time to download the patches, create the patch package, and deploy the patches to Windows 11 devices. Navigate to \Software Library\Overview\Software Updates\Software Update Groups and select the SUG created above, Windows 11 Patches for Oct 2021.

  • Right-click on the Software Update Group and select Deploy to continue.

Enter the Deployment Name and select a Deployment Template if you already have one for deploying patches. You can follow the process in the following blog post to complete the end-to-end patch package creation process for Windows 11: How To Create Deploy New Software Update Patch Package Using SCCM.

You can deploy this Windows 11 patch package to the All Windows 11 Devices collection. You will have to create a Windows 11 dynamic device collection if you have not created one already. More details: Create Windows 11 SCCM Device Collection Process.


You can also create a Windows 11 patch deployment template from the Software Update Group deployment wizard. Click on the Save As Template button to create the Windows 11 template.

Updates Targeted:
• 2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537) 5005537(Article ID)
• 2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674) 5006674(Article ID)
General:
• Deployment Name: Windows 11 OCT 2021 Patches
• Collection: All Windows 11 Devices
Deployment Settings:
• Send wake-up packets: No
• Verbosity Level: Only success and error messages
Scheduling:
• Deployment schedules will be based on: Client local time
• Available to target computers: 10/13/2021 5:00:00 AM
• Deadline for software update installation: 10/20/2021 4:52:00 AM
• Delayed enforcement on deployment: No
User Experience:
• User Notifications: Display in Software Center, and only show notifications for computer restarts
• Install software updates outside the maintenance window when deadline is reached: No
• Restart system outside the maintenance window when deadline is reached: Suppressed
• If a restart is required it will be: Allowed
• Commit changes at deadline or during a maintenance window (requires restarts): Yes
• If any update in this deployment requires a system restart, run updates deployment evaluation cycle after restart: No
Alerts:
• On software update installation error generate a Window Event: No
• Disable Window Event while software updates install: No
Package:
The software updates will be placed in a new package:
• Windows 11 OCT 2021
Content (1):
• CMMEMCM.MEMCM.COM
Software updates that will be downloaded from the internet
2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537)
2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674)
Windows Update Language Selection:
English
Office 365 Client Update Language Selection:
English (United States)
Download Settings:
• Computers can retrieve content from remote distribution points: No
• Download and install software updates from the fallback content source location: No
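The same Software Update Group, deployment package and required deployment can be created without the wizard. The script below is an added example, not code from the original post: it uses the ConfigurationManager PowerShell module to select the two x64 KBs named above, create the SUG, download the content into a new package, distribute it, and deploy with the settings from the summary. The site code 'MEM', the distribution point CMMEMCM.MEMCM.COM and the package source UNC path are hypothetical placeholders; KB numbers, names, dates and deployment settings are taken from the post.

```powershell
# Added example (not from the original post). Site code, DP name and package
# source path are placeholders; everything else mirrors the deployment summary.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location 'MEM:'

$KbList        = '5006674', '5005537'                 # Windows 11 LCU and .NET CU
$SugName       = 'Windows 11 Patches for Oct 2021'
$PackageName   = 'Windows 11 OCT 2021'
$PackageSource = '\\CMMEMCM.MEMCM.COM\Sources\Updates\Win11-2021-10'   # placeholder: must exist and be empty
$Collection    = 'All Windows 11 Devices'
$DpName        = 'CMMEMCM.MEMCM.COM'                  # placeholder distribution point

# 1. Find the x64 revisions of the two KBs; skip superseded and expired ones.
$updates = @(foreach ($kb in $KbList) {
    Get-CMSoftwareUpdate -Fast -ArticleId $kb -IsSuperseded $false -IsExpired $false |
        Where-Object { $_.LocalizedDisplayName -like '*Windows 11*x64*' }
})
if ($updates.Count -ne $KbList.Count) {
    throw "Expected $($KbList.Count) updates but found $($updates.Count). Has the SUP synced and is Windows 11 enabled as a product?"
}

# 2. Create the Software Update Group (console: right-click the patches > Create Software Update Group).
$null = New-CMSoftwareUpdateGroup -Name $SugName -UpdateId $updates.CI_ID

# 3. Create the deployment package, download the SUG's content into it and distribute it to the DP.
$null = New-CMSoftwareUpdateDeploymentPackage -Name $PackageName -Path $PackageSource
Save-CMSoftwareUpdate -SoftwareUpdateGroupName $SugName -DeploymentPackageName $PackageName -SoftwareUpdateLanguage 'English'
Start-CMContentDistribution -DeploymentPackageName $PackageName -DistributionPointName $DpName

# 4. Deploy with the settings from the summary: required, available 10/13, deadline 10/20, client
#    local time, Software Center notifications only, no installs or restarts outside the maintenance window.
$deployment = @{
    SoftwareUpdateGroupName     = $SugName
    CollectionName              = $Collection
    DeploymentName              = 'Windows 11 OCT 2021 Patches'
    DeploymentType              = 'Required'
    AvailableDateTime           = (Get-Date '2021-10-13 05:00')
    DeadlineDateTime            = (Get-Date '2021-10-20 04:52')
    TimeBasedOn                 = 'LocalTime'
    SendWakeupPacket            = $false
    VerbosityLevel              = 'OnlySuccessAndErrorMessages'
    UserNotification            = 'DisplaySoftwareCenterOnly'
    SoftwareInstallation        = $false        # install outside maintenance window at deadline: No
    RestartServer               = $false        # restart outside maintenance window: Suppressed
    RestartWorkstation          = $false
    PersistOnWriteFilterDevice  = $true         # commit changes at deadline / during maintenance window: Yes
    RequirePostRebootFullScan   = $false
    ProtectedType               = 'NoInstall'   # no content from remote distribution points
    UnprotectedType             = 'NoInstall'   # no fallback content source
    DownloadFromMicrosoftUpdate = $false
}
New-CMSoftwareUpdateDeployment @deployment
```

The name filter `*Windows 11*x64*` is what keeps the ARM64 revisions of the same KBs out of the SUG, and the count check before creating anything is the scripted equivalent of looking at the console after the sync: if Windows 11 is not enabled as a product on the SUP, the search simply returns nothing.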

Windows 11 Automatic Deployment Rule

To make Windows 11 patching easy, you will need to create a Windows 11 ADR rule with the following search criteria. I have not added Dynamic Updates to the search criteria.

You just need to change the search criteria from the above ADR guide to match Windows 11 products.

• Architecture: "x64"
• Date Released or Revised: Last 2 months
• Is Deployed: No
• Product: "Windows 11"
• Superseded: No
• Update Classification: "Security Updates"

You can also add additional settings like the ones below to filter Windows 11 updates. There are various options to select the Windows updates that you want to include in the ADR rule.

  • Date Released or Revised: Last 2 Months
  • Is Deployed: No (optional)
  • Product: Windows 11 (only required if you are creating different Software Update Group for different OS products)
  • Superseded: No
  • Required: Greater than or equal to 1
  • Update Classification: “Critical Updates” OR “Security Updates”

The following is the summary of the Windows 11 ADR. You will need to complete the ADR wizard so that Windows 11 patches are automatically deployed to all Windows 11 devices on a monthly basis.

General:
• Automatic Deployment Rule: Windows 11 ADR
• Collection: All Windows 11 Devices
• Action that rule should create: Create New Update Group
• Enable Deployment on successful execution of rule: Yes
Deployment Settings:
• Send wake-up packets: No
• Verbosity Level: Only success and error messages
• Only deploy software updates that do not require a license agreement: No
Software Updates:
• Date Released or Revised: Last 1 month
• Is Deployed: No
• Product: "Windows 11"
• Superseded: No
• Update Classification: "Security Updates"
Evaluation Schedule:
• Use a custom schedule to evaluate this rule: Occurs every 30 days effective 10/13/2021 6:32 AM
Deployment Schedule:
• Deployment schedules will be based on: Client local time
• Time between rule run and deployment available: 4 Hours
• Time between deployment available and deadline: 7 Days
• Delayed enforcement on deployment: No
User Experience:
• User Notifications: Display in Software Center and show all notifications
• Install software updates outside the maintenance window when deadline is reached: No
• Restart system outside the maintenance window when deadline is reached: Suppressed
• Commit changes at deadline or during a maintenance window (requires restarts): Allowed
• If any update in this deployment requires a system restart, run updates deployment evaluation cycle after restart: No
• If a restart is required it will be: Allowed
Alerts:
• Enable ADR alerts on failure: Yes
• On update installation error generate a Window Event: No
• Disable Window Event while updates install: No
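The ADR summarised above can also be created from PowerShell. The script below is an added example, not code from the original post: it builds the rule with New-CMSoftwareUpdateAutoDeploymentRule from the ConfigurationManager module, using the search criteria, evaluation schedule and deployment settings listed in the summary. The site code 'MEM' and the package name are hypothetical; the parameter names are those of the module's cmdlet as I know them and should be checked against Get-Help on your console version. The x64 architecture criterion from the post is not set here and is left to be added in the console.

```powershell
# Added example (not from the original post). Site code and package name are
# placeholders; criteria and settings mirror the ADR summary in the post.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location 'MEM:'

# Evaluation schedule from the summary: every 30 days, effective 10/13/2021 6:32 AM
$schedule = New-CMSchedule -Start (Get-Date '2021-10-13 06:32') -RecurInterval Days -RecurCount 30

$adr = @{
    Name                             = 'Windows 11 ADR'
    CollectionName                   = 'All Windows 11 Devices'
    AddToExistingSoftwareUpdateGroup = $false                    # Action: Create New Update Group
    EnabledAfterCreate               = $true                     # Enable deployment on successful execution
    RunType                          = 'RunTheRuleOnSchedule'
    Schedule                         = $schedule
    # Software Updates search criteria
    DateReleasedOrRevised            = 'Last1Month'
    Product                          = 'Windows 11'
    Superseded                       = $false
    UpdateClassification             = 'Security Updates'
    # Deployment settings
    SendWakeupPacket                 = $false
    VerboseLevel                     = 'OnlySuccessAndErrorMessages'
    DeployWithoutLicense             = $false
    # Deployment schedule: client local time, available after 4 hours, deadline after 7 days
    UseUtc                           = $false
    AvailableTime                    = 4
    AvailableTimeUnit                = 'Hours'
    DeadlineTime                     = 7
    DeadlineTimeUnit                 = 'Days'
    # User experience
    UserNotification                 = 'DisplayAll'
    AllowSoftwareInstallationOutsideMaintenanceWindow = $false
    SuppressRestartServer            = $true                     # restart outside maintenance window: Suppressed
    SuppressRestartWorkstation       = $true
    AllowRestart                     = $true                     # if a restart is required it will be: Allowed
    WriteFilterHandling              = $true                     # commit changes at deadline / maintenance window
    RequirePostRebootFullScan        = $false
    # Alerts
    GenerateFailureAlert             = $true                     # Enable ADR alerts on failure: Yes
    DisableOperationManager          = $false
    GenerateOperationManagerAlert    = $false
    # Package and download settings
    DeploymentPackageName            = 'Windows 11 OCT 2021'     # placeholder: existing deployment package
    DownloadFromInternet             = $true
    LanguageSelection                = 'English'
    NoInstallOnRemote                = $true
    NoInstallOnUnprotected           = $true
    DownloadFromMicrosoftUpdate      = $false
}
$rule = New-CMSoftwareUpdateAutoDeploymentRule @adr

# Confirm the rule exists and, optionally, run it now instead of waiting for the schedule.
Get-CMSoftwareUpdateAutoDeploymentRule -Name $rule.Name | Select-Object Name, AutoDeploymentEnabled, LastRunTime
Invoke-CMSoftwareUpdateAutoDeploymentRule -Name $rule.Name
```

After the first run, RuleEngine.log on the site server shows which updates the criteria matched and which Software Update Group and deployment the rule created, which is the quickest way to confirm the Product = Windows 11 filter is picking up the cumulative updates you expect.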

Author

About Author -> Anoop is a Microsoft Most Valuable Professional award winner from 2015 on the technologies! He is a Solution Architect on enterprise device management solutions with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and local user group community leader. His main focus is on device management technologies like Configuration Manager, Windows 365 Cloud PC, Intune, Azure Virtual Desktop, Windows 10, and Windows 11.
