Windows 11 patch deployment using SCCM is today’s topic. You can use either Intune or SCCM to deploy patches to Windows 11 PCs. Both of the methods are fully supported.
Configuration Manager uses WSUS and Windows Update to deploy patches. Microsoft released the first Windows 11 patch on 12th Oct 2021 after the production release of Windows 11 on 4th of Oct 2021.
To patch Windows 11 devices, you will need to install WSUS and SUP (Software Update Point) as the first step. If you are already using SCCM for patching Windows 10 devices, WSUS and SUP are already in place.
You will have to enable Windows 11 products from the SCCM software update point component properties product category.
SCCM allows you to patch third-party applications as well using the SCCM Third-Party Software Updates Setup. In this post, I will cover only Microsoft patches for Windows 11 devices.
- Fix: Windows Update Issues For Windows 11 Errors Troubleshooting Tips
- Fixed – SCCM WSUS Sync Failed With UssInternalError SoapException Error 0x80131500
- SCCM WSUS Office Updates Sync Failed with Error 400
- Monthly Patching process using Intune
SCCM Patch Management Infrastructure Setup
If you are not familiar with the SCCM patch management process, the following video guide helps you to set up the SCCM patch management infrastructure end to end. I have covered WSUS installation, SUP setup, configuration, and troubleshooting of WSUS and SUP, etc., in this video.
You can check out end-to-end SCCM server infra setup and configuration in the HTMD free training videos from the below post.
- Free SCCM Training Part 1 | 17 Hours of Latest Technical Content
- Free ConfigMgr Training Part 2 | 20 Hours of Technical | SCCM
Enable Windows 11 Patching using SCCM WSUS
This is the first step that you need to complete to enable Windows 11 patching using SCCM. Windows 11 Patch Deployment using SCCM is not going to work if you have not enabled the product Windows 11 as explained below.
- Launch the Configuration Manager console.
- Navigate to \Administration\Overview\Site Configuration\Sites.
- Select the primary server and click on Configure Site Component.
- Select Software Update Point from the drop-down menu.
The Software Update Point Component Properties window is now open. You will have to go to the Products tab, which lists all the Microsoft products that the latest version of SCCM can patch. Selecting the product and running a sync is the first test towards Windows 11 Patch Deployment using SCCM.
- From Software Update point component properties – select Products tab.
- Scroll down to the Windows product listing.
- Select Windows 11 product category.
- Click OK to continue.
NOTE! – I have explained this process in more detail in another post Enable Windows 11 Patching Using SCCM WSUS.
How to Initiate a Manual WSUS Sync
You will need to initiate a manual WSUS sync or schedule a regular weekly WSUS sync. This initiates a sync between WSUS and Microsoft's update service to get the latest patches released.
Once the latest Windows 11 patches are available in WSUS after the sync, they are automatically reflected in the SCCM console through the SUP integration with WSUS.
Let’s see how to initiate the WSUS sync from Software Updates – All Software Updates – Synchronize Software Updates. You can right-click on the All Software Updates node and select Synchronize Software Updates to initiate the sync. Click OK to start the sync.
Understanding WSUS Update Sync Process for Windows 11 – Windows 11 Patch Deployment using SCCM
Let’s now understand the WSUS updates sync process. You can check and confirm the SCCM server-side log called WSyncMgr.log to troubleshoot any issues related to WSUS sync.
The following log file entries show the WSUS sync process. The process first checks the connectivity between SCCM and WSUS, and then starts the WSUS synchronization for categories and updates.
Synchronizing WSUS server CMMEMCM ..
sync: Starting WSUS synchronization
sync: WSUS synchronizing categories
sync: WSUS synchronizing categories, processed 3 out of 3 items (100%)
sync: WSUS synchronizing updates
sync: WSUS synchronizing updates, processed 140 out of 140 items (100%)
Windows 11 Cumulative Update Patching using SCCM
You will need to wait for the WSUS sync to complete before the Windows 11 Cumulative Updates (patches) show up in the SCCM console. Once the sync is completed, you can see the two patches (KB5006674 and KB5005537) released by Microsoft. These are the first patches released for the Windows 11 production release.
Synchronizing update c4b10d7c-a71a-45ed-9158-8039b974246c – 2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for ARM64 (KB5005537)
Synchronizing update 7a127356-1465-4497-8765-1738d242e43d – 2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537)
Synchronizing update 676e5d2e-62fb-43ee-bd50-64e53a04c59a – 2021-10 Cumulative Update for Windows 11 for ARM64-based Systems (KB5006674)
Synchronizing update 8cf5c03f-1b45-4d8f-a6d6-9fc9a927f92a – 2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674)
sync: SMS synchronizing updates, processed 69 out of 69 items (100%)
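The three steps described so far (enable the Windows 11 product on the software update point, start the WSUS sync, and confirm the result in WSyncMgr.log) as an added PowerShell example using the ConfigurationManager module; this is not code from the original post. The site code, the log file path, the install path and the fallback sample log lines are assumptions, and the "Sync failed" string that the log check looks for is also an assumption, since the post only shows the progress and "Synchronizing update" lines.

```powershell
# Added example, not from the original post: enable the Windows 11 product on the
# software update point, start a WSUS sync, and summarise what WSyncMgr.log reports.
# Run in a PowerShell session on the site server. Site code and log path are assumptions.

$SiteCode = 'P01'   # assumption: replace with your primary site code
$LogPath  = 'C:\Program Files\Microsoft Configuration Manager\Logs\WSyncMgr.log'   # assumption: default install path

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

# Step 1: the same as ticking "Windows 11" on the Products tab of the SUP component properties
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode -AddProduct 'Windows 11'

# Step 2: the same as right-click "All Software Updates" > Synchronize Software Updates.
# The sync runs asynchronously; step 3 is meant to be run after it has finished.
Sync-CMSoftwareUpdate -FullSync $false

# Step 3: pull the Windows 11 entries and the progress/failure lines out of WSyncMgr.log
function Get-Win11SyncSummary {
    param([string[]]$LogLines)

    $updates = foreach ($line in $LogLines) {
        # Matches "Synchronizing update <guid> - <title> (KBnnnnnnn)" entries whose title names Windows 11
        if ($line -match 'Synchronizing update (?<id>[0-9a-f-]{36}).*?(?<title>\d{4}-\d{2} .*?Windows 11.*?)\((?<kb>KB\d+)\)') {
            [pscustomobject]@{ UpdateId = $Matches.id; KB = $Matches.kb; Title = $Matches.title.Trim() }
        }
    }
    [pscustomobject]@{
        Windows11Updates = @($updates)
        # Progress lines such as "sync: WSUS synchronizing updates, processed 140 out of 140 items (100%)"
        ProgressLines    = @($LogLines | Where-Object { $_ -match 'processed (\d+) out of (\d+) items' })
        # Assumption: "Sync failed" is the marker the log writes on a failed sync (the post does not show one)
        FailureLines     = @($LogLines | Where-Object { $_ -match 'Sync failed' })
    }
}

if (Test-Path $LogPath) {
    $lines = Get-Content $LogPath
} else {
    # Constructed fallback so the function can be tried offline: the lines quoted in the post
    $lines = @(
        'sync: WSUS synchronizing updates, processed 140 out of 140 items (100%)',
        'Synchronizing update 8cf5c03f-1b45-4d8f-a6d6-9fc9a927f92a - 2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674)',
        'Synchronizing update 7a127356-1465-4497-8765-1738d242e43d - 2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537)'
    )
}

$summary = Get-Win11SyncSummary -LogLines $lines
$summary.Windows11Updates | Format-Table KB, Title -AutoSize
$summary.ProgressLines
if ($summary.FailureLines.Count -gt 0) {
    Write-Warning "WSUS sync reported failures:`n$($summary.FailureLines -join "`n")"
}
```

The regex is not anchored, so it works on the raw CMTrace-formatted lines of WSyncMgr.log as well as on the plain lines quoted above; an empty Windows11Updates list after a completed sync is the quickest sign that the Windows 11 product was not selected on the SUP.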
The following are the details of Windows 11 patches released this week.
- Windows 11 (original release) Pro | 22000.258.211007-1642 | Cumulative KB 5006674 | x64 | EN-US | Pro | 4.7.2 | 127 GB | N/A
- .NET KB 5004342
- Setup Dynamic Update KB 5006587
- SSU KB – within the LCU
Windows 11 Patch Deployment using SCCM – sync progress in the log file called WSyncMgr.log.
Windows 11 Patch Deployment using SCCM
Once the Windows 11 patches are available in the SCCM console, you can start creating patch packages using different options.
The easiest option is to create an Automatic Deployment Rule to create and deploy patches to Windows 11 devices (Create SCCM Automatic Deployment Rule | ADR).
The following are the 4 patches released for Windows 11 on the October 2021 Patch Tuesday. You can click on Add Criteria and add Windows 11 as a product to show only Windows 11 patches in the All Software Updates node.
NOTE! – Windows 11 Dynamic Updates are released with a wrong product category called Windows 10 Dynamic Updates.
Windows 11 Patch Package Creation and Deployment
You can now create a Windows 11 patch package and deploy it to Windows 11 PCs. I'm going to show you the easiest manual method to create a Windows 11 patch package.
You will need to select all the patches that you want to deploy and right-click on them. In my scenario, I'm going to select the following patches for x64-based systems: KB5006674 and KB5005537.
Windows 11 SSU is included in Latest Cumulative Update (LCU) patch – Windows 11 servicing stack update – 22000.190.
- Navigate to \Software Library\Overview\Software Updates\All Software Updates.
- Click on Add Criteria and Add Windows 11 as product as shown in the above screenshot.
- Right click on those patches and select Create Software Update Group (SUG).
- Enter the name of Software Update Group – Windows 11 Patches for Oct 2021.
- Click on the Create button.
Now, it’s time to download, create patch packages, and deploy the patches to Windows 11 devices. Navigate to \Software Library\Overview\Software Updates\Software Update Groups and Select SUG created above called Windows 11 Patches for Oct 2021.
- Right-click on the Software Update Group and select Deploy to continue.
Enter the Deployment Name and select the Deployment template if you already have one for deploying patches. You can follow the process mentioned in the following blog post to complete the end-to-end patch package creation process for Windows 11 – How To Create Deploy New Software Update Patch Package Using SCCM.
You can deploy this patch package for Windows 11 to the All Windows 11 Devices collection. You will have to create a Windows 11 dynamic device collection if you have not created this already. More details: Create Windows 11 SCCM Device Collection Process.
You can also create a Windows 11 patch deployment template from the Software Update Group deployment wizard. Click on the Save As Template button to create the Windows 11 template.
• 2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537) 5005537(Article ID)
• 2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674) 5006674(Article ID)
• Deployment Name: Windows 11 OCT 2021 Patches
• Collection: All Windows 11 Devices
• Send wake-up packets: No
• Verbosity Level: Only success and error messages
• Deployment schedules will be based on: Client local time
• Available to target computers: 10/13/2021 5:00:00 AM
• Deadline for software update installation: 10/20/2021 4:52:00 AM
• Delayed enforcement on deployment: No
• User Notifications: Display in Software Center, and only show notifications for computer restarts
• Install software updates outside the maintenance window when deadline is reached: No
• Restart system outside the maintenance window when deadline is reached: Suppressed
• If a restart is required it will be: Allowed
• Commit changes at deadline or during a maintenance window (requires restarts): Yes
• If any update in this deployment requires a system restart, run updates deployment evaluation cycle after restart: No
• On software update installation error generate a Window Event: No
• Disable Window Event while software updates install: No
The software updates will be placed in a new package:
• Windows 11 OCT 2021
Software updates that will be downloaded from the internet:
• 2021-10 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 11 for x64 (KB5005537)
• 2021-10 Cumulative Update for Windows 11 for x64-based Systems (KB5006674)
Windows Update Language Selection:
Office 365 Client Update Language Selection:
English (United States)
• Computers can retrieve content from remote distribution points: No
• Download and install software updates from the fallback content source location: No
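The manual SUG creation and deployment walked through above, as an added PowerShell example using the ConfigurationManager module; this is not code from the original post. The SUG name, package name, deployment name, collection name, KB numbers and schedule values come from the wizard summary above; the site code, package source share and distribution point group name are assumptions.

```powershell
# Added example, not from the original post: the manual SUG + deployment steps as
# ConfigurationManager module cmdlets. Site code, package source path and DP group
# name are assumptions; the other values come from the deployment summary.

$SiteCode       = 'P01'                                                   # assumption
$PackagePath    = '\\cm01.contoso.local\Sources\Updates\Win11-2021-10'    # assumption: empty UNC share for the package
$DpGroupName    = 'All Distribution Points'                               # assumption: your DP group name
$SugName        = 'Windows 11 Patches for Oct 2021'
$PackageName    = 'Windows 11 OCT 2021'
$CollectionName = 'All Windows 11 Devices'
$ArticleIds     = '5006674', '5005537'                                    # the two x64 Windows 11 patches from the post

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

# 1. Find the x64 Windows 11 updates for those KBs, skipping superseded or expired revisions
$updates = foreach ($id in $ArticleIds) {
    Get-CMSoftwareUpdate -Fast -ArticleId $id -IsSuperseded $false -IsExpired $false |
        Where-Object { $_.LocalizedDisplayName -like '*Windows 11*x64*' }
}
if (-not $updates) { throw 'No Windows 11 x64 updates found; has the WSUS sync completed?' }

# 2. Create the Software Update Group (same as right-click > Create Software Update Group)
$null = New-CMSoftwareUpdateGroup -Name $SugName -UpdateId $updates.CI_ID

# 3. Create the deployment package, download the update content into it and distribute it
$null = New-CMSoftwareUpdateDeploymentPackage -Name $PackageName -Path $PackagePath
Save-CMSoftwareUpdate -SoftwareUpdateGroupName $SugName -DeploymentPackageName $PackageName -SoftwareUpdateLanguage 'English'
Start-CMContentDistribution -DeploymentPackageName $PackageName -DistributionPointGroupName $DpGroupName

# 4. Deploy the SUG to the collection with the settings shown in the wizard summary
$deployment = @{
    SoftwareUpdateGroupName     = $SugName
    CollectionName              = $CollectionName
    DeploymentName              = 'Windows 11 OCT 2021 Patches'
    DeploymentType              = 'Required'
    SendWakeupPacket            = $false
    VerbosityLevel              = 'OnlySuccessAndErrorMessages'
    TimeBasedOn                 = 'LocalTime'
    AvailableDateTime           = Get-Date '2021-10-13 05:00'
    DeadlineDateTime            = Get-Date '2021-10-20 04:52'
    UserNotification            = 'DisplaySoftwareCenterOnly'   # Software Center, restart notifications only
    SoftwareInstallation        = $false   # do not install outside the maintenance window at deadline
    AllowRestart                = $false   # do not restart outside the maintenance window
    PersistOnWriteFilterDevice  = $true    # commit changes at deadline or during a maintenance window
    RequirePostRebootFullScan   = $false   # no evaluation cycle after restart
    DownloadFromMicrosoftUpdate = $false   # no fallback to Microsoft Update
}
New-CMSoftwareUpdateDeployment @deployment
```

The filter in step 1 uses the update title, so the ARM64 revisions of the same KBs that the sync log also listed are left out of the SUG, matching the x64-only selection made in the console.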
Windows 11 Automatic Deployment Rule | Windows 11 Patch Deployment using SCCM
To make Windows 11 patching easy, you will need to create a Windows 11 ADR rule with the following search criteria. The following are the search criteria used for the Windows 11 ADR rule. I have not added Dynamic Updates to the search criteria.
- Step by Step guide to Create SCCM Automatic Deployment Rule | ADR | ConfigMgr
You will just need to change the search criteria from the above guide to adjust it for Windows 11 products.
• Architecture: "x64"
• Date Released or Revised: Last 2 months
• Is Deployed: No
• Product: "Windows 11"
• Superseded: No
• Update Classification: "Security Updates"
You can also add additional settings as mentioned below to filter the Windows 11 updates. There are various options to select the Windows updates that you want to include in the ADR rules.
- Date Released or Revised: Last 2 Months
- Is Deployed: No (optional)
- Product: Windows 11 (only required if you are creating different Software Update Group for different OS products)
- Superseded: No
- Required: Greater than or equal to 1
- Update Classification: “Critical Updates” OR “Security Updates”
The following is the summary of the Windows 11 ADR. You will need to complete the ADR wizard so that Windows 11 patches get automatically deployed to all Windows 11 devices on a monthly basis.
General:
• Automatic Deployment Rule: Windows 11 ADR
• Collection: All Windows 11 Devices
• Action that rule should create: Create New Update Group
• Enable Deployment on successful execution of rule: Yes
Deployment Settings:
• Send wake-up packets: No
• Verbosity Level: Only success and error messages
• Only deploy software updates that do not require a license agreement: No
Software Updates:
• Date Released or Revised: Last 1 month
• Is Deployed: No
• Product: "Windows 11"
• Superseded: No
• Update Classification: "Security Updates"
Evaluation Schedule:
• Use a custom schedule to evaluate this rule: Occurs every 30 days effective 10/13/2021 6:32 AM
Deployment Schedule:
• Deployment schedules will be based on: Client local time
• Time between rule run and deployment available: 4 Hours
• Time between deployment available and deadline: 7 Days
• Delayed enforcement on deployment: No
User Experience:
• User Notifications: Display in Software Center and show all notifications
• Install software updates outside the maintenance window when deadline is reached: No
• Restart system outside the maintenance window when deadline is reached: Suppressed
• Commit changes at deadline or during a maintenance window (requires restarts): Allowed
• If any update in this deployment requires a system restart, run updates deployment evaluation cycle after restart: No
• If a restart is required it will be: Allowed
Alerts:
• Enable ADR alerts on failure: Yes
• On update installation error generate a Window Event: No
• Disable Window Event while updates install: No
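The Windows 11 ADR from the summary above, as an added PowerShell example using the ConfigurationManager module; this is not code from the original post. The rule name, collection, search criteria, evaluation schedule and deployment timings are taken from the summary; the site code, the deployment package name (reusing the package from the manual deployment) and the LanguageSelection parameter are assumptions.

```powershell
# Added example, not from the original post: create the Windows 11 ADR described in the
# summary with the ConfigurationManager module. Site code and package are assumptions.

$SiteCode    = 'P01'                    # assumption: replace with your primary site code
$PackageName = 'Windows 11 OCT 2021'    # assumption: an existing deployment package to download into

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

# Evaluation schedule from the summary: every 30 days, effective 10/13/2021 6:32 AM
$schedule = New-CMSchedule -Start (Get-Date '2021-10-13 06:32') -RecurInterval Days -RecurCount 30

$adr = @{
    # General
    Name                             = 'Windows 11 ADR'
    CollectionName                   = 'All Windows 11 Devices'
    AddToExistingSoftwareUpdateGroup = $false   # Action: Create New Update Group
    EnabledAfterCreate               = $true    # Enable deployment on successful execution of rule
    # Deployment settings
    SendWakeUpPacket                 = $false
    VerboseLevel                     = 'OnlySuccessAndErrorMessages'
    DeployWithoutLicense             = $false   # Only deploy updates that do not require a license agreement: No
    # Software updates (search criteria); Is Deployed = No is applied by the rule itself
    Architecture                     = 'x64'
    DateReleasedOrRevised            = 'Last1Month'
    Product                          = 'Windows 11'
    Superseded                       = $false
    UpdateClassification             = 'Security Updates'
    # Evaluation schedule and deployment schedule
    RunType                          = 'RunTheRuleOnSchedule'
    Schedule                         = $schedule
    UseUtc                           = $false   # Client local time
    AvailableTime                    = 4
    AvailableTimeUnit                = 'Hours'
    DeadlineTime                     = 7
    DeadlineTimeUnit                 = 'Days'
    # User experience
    UserNotification                 = 'DisplayAll'   # Display in Software Center and show all notifications
    AllowSoftwareInstallationOutsideMaintenanceWindow = $false
    AllowRestart                     = $false   # Restart outside the maintenance window: Suppressed
    # Download settings
    DeploymentPackageName            = $PackageName
    LanguageSelection                = 'English'   # assumption: parameter name and value
    DownloadFromMicrosoftUpdate      = $false
}
$rule = New-CMSoftwareUpdateAutoDeploymentRule @adr
$rule | Select-Object Name, AutoDeploymentEnabled
```

Because the Product criterion is "Windows 11" and the Dynamic Updates are published under the Windows 10 Dynamic Updates product (see the note above), this rule will not pick them up, which matches the criteria the post uses.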
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.