

using System Center 2012 Configuration Manager - Part 9. Deploying Monthly Updates


Hey and thanks for a great guide.



Thanks!


What do the log files mentioned in the guide tell you?


It tells me that the sync is successful, but when I looked closer it doesn't seem to have created a new software update group. Should it do that immediately when running the ADR?


I am able to add updates to the deployment package by manually selecting updates in "all updates" and creating a software update group, and then downloading the updates to the deployment package. But the ADR should do this automatically, right?




Can you explain how you deal with the supersedence of patches, please? When patches get superseded it appears that it ruins the deployment compliance view and I am unable to see the actual compliance until I delete the expired patches and the clients eventually report back. Have I misconfigured something?




I followed this tutorial a while ago and everything is working great... or at least I thought so. Today I noticed none of my machines had Office 2013 SP1. Am I correct in thinking that this should just go out as a monthly update? If so, what could I have set wrong?


An IT consultant configured our SCCM for Windows updates last year and it has never worked... I have gone through the different configurations and am unable to find any clue as to where it needs fixing...



Please see attached images...


Not sure where to start and what I am looking for...



Second image: all these folders are empty...


Please help!!!!




Well, there are a few things to check: have any software updates been deployed to your clients? Are the Configuration Manager client agents working on your clients? Are the folders you showed above populated with updates? What do your logs tell you on your Configuration Manager server...


Well, there are a few things to check: have any software updates been deployed to your clients? Are the Configuration Manager client agents working on your clients? Are the folders you showed above populated with updates? What do your logs tell you on your Configuration Manager server...


Sorry for the late reply.

In fact I was waiting for an email to alert me regarding an update on this website... Never mind... I am here now and will be here every day...


Well, let's get to the topic now...


Our Configuration Manager clients are working perfectly as we deploy other software through it... so no problem regarding client installation...


All these folders for Windows updates are empty...


Which logs shall I check?


Thanks... Great help...


No, you are not looking in the right place. Look at my screenshot, and then yours. Hint: Assets and Compliance.




First let me thank you for all your work - it saved me a lot of time and helped me several times.


Unfortunately I got the same issue: running the script for the first time, everything works fine, but after accidentally deleting the folders and collections, we just re-ran the script and it does not recreate the folders and collections.


I'm looking at the right location: Assets and Compliance - Overview - Device Collections


Any idea?






And you refreshed your view in the console? When you run the script again, did it complain? (It does generate log files in the directory you run it from.)


Yes I did - refreshed the console view - no, it does not.

PS output:

PS D:\powershell scripts> .\CreateFoldersAndCollections.ps1 .\FolderAndCollection_Software_Updates.xml
Get and read XML file FolderAndCollection_Software_Updates.xml
Get folder id 16777277 from folder name Software Updates
Get folder id 16777279 from folder name Software Updates - Windows XP
Get folder id 16777240 from folder name Software Updates - Windows 7
Get folder id 16777241 from folder name Software Updates - Windows 8
Get folder id 16777272 from folder name Software Updates - Windows Server 2003
Get folder id 16777243 from folder name Software Updates - Windows Server 2008
Get folder id 16777244 from folder name Software Updates - Windows Server 2012
Get collection id xxx00107 from collection name Software Updates - Windows XP
Get collection id xxx000B5 from collection name Software Updates - Windows 7
Get collection id xxx000B6 from collection name Software Updates - Windows 8
Get collection id xxx00102 from collection name Software Updates - Windows Server 2003 Manual
Get collection id xxx00103 from collection name Software Updates - Windows Server 2003 Automatic
Get collection id xxx00104 from collection name Software Updates - Windows Server 2003 Maintenance Window [Fri 10-12 pm]

Get collection id xxx000BA from collection name Software Updates - Windows Server 2008 Manual
Get collection id xxx000BB from collection name Software Updates - Windows Server 2008 Automatic
Get collection id xxx000BC from collection name Software Updates - Windows Server 2008 Maintenance Window [Fri 10-12 pm]

Get collection id xxx000BD from collection name Software Updates - Windows Server 2012 Manual
Get collection id xxx000BE from collection name Software Updates - Windows Server 2012 Automatic
Get collection id xxx000BF from collection name Software Updates - Windows Server 2012 Maintenance Window [Fri 10-12 pm]


Also checked the logfile - it looks exactly the same. IMHO the folders still exist somehow and are just not visible in the console view.


May it be that the collections are still in the ADR mentioned, and that they were not really deleted?


Just tried to create a collection and a folder manually - and surprise - it works.

So I can create them manually but not with the script.


Show me a screenshot of what you see in Assets and Compliance, and then Device Collections. Do you see a Software Updates folder? Expand it... it should look something like mine below...


[screenshot: software updates.png]


Create the rule as you did before, so choose 'create new software update group'.


This will allow you to run compliance reports for that month's patches; otherwise all the patches would end up, month after month, in the same software update group and you'd have a problem trying to determine last month's compliance.


Hi Anyweb, or anyone that can help me.


I understand the part about creating a new SUG for each month.

But can you tell me why I should continue using the existing package to distribute my updates?


The reason I ask is that I don't want to keep adding updates to my existing package on my DP.


Over time this package will become huge, and some of the updates inside of it will become superseded, expired or not required.


Is my understanding of this correct?


Should I have a separate package for each month's updates?






You can create a new Deployment Package every month if you wish, or reuse the existing one. This guide is just one way of doing it, in an automated way; use whatever works best in your environment.


If you do create a new deployment package every month you'll need to edit the ADR every month to point to a new Deployment Package, as by default it will point to the previous one created when you last ran the ADR. So if you select 'new deployment package' and call it 'new package', then on the following run it will already be pointing at the existing package called 'new package', so you'll have to edit it to point to 'new package #2' and so on...


Followed the guide and it works great. Can I ask, when the rule runs every month, will the updates get added to the package which already contains updates from the previous month, and so on? Just wondering, as that's fine, but ideally I want to deploy to my testing group first and then deploy once I'm happy.


As with everyone who has visited this guide I want to thank you for the scope and detail you have included here. Even whilst using the R2 version of SCCM the guide has been invaluable.


I have run into an issue, though, with the PowerShell script, and I was wondering if you could possibly advise?


PS D:\Powershell scripts> .\CreateFoldersAndCollections.ps1 .\FolderAndCollection_Software_Updates.xml
Get-Variable : The term 'Get-Variable' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At D:\Powershell scripts\CreateFoldersAndCollections.ps1:29 char:29
+ $CurrentPath = Split-Path ((Get-Variable MyInvocation -Scope 0).Value).MyComman ...
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-Variable:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
You cannot call a method on a null-valued expression.



So I am having similar issues to those that statemachine, SiD867, and Apur32 have all reported. Basically it appears that the ADR is running correctly but my Deployment Packages for my Windows clients are empty. Interestingly enough the Endpoint Protection ADR is running without a hitch (at least I think). I also notice that in the Software Library > All Software Updates section I can see that packages are processing, but all but the Endpoint ones are listed as not downloaded and not deployed.


I feel like this is a simple "you missed checking box A" problem, but I have been through the tutorials more than just a few times now and everything looks good.


A direction to look in would be great.



I'm new here and have read the post, which has a wealth of information, thanks.


I'm trying to get up to speed quickly with Windows 7 updates post SP1.


1. Can I simply search for all updates after SP1 was released?

2. If I do choose some updates that, say, a client already has, will the client be smart enough to know that it already has the update and not install it?




1. yes

2. yes





In the download settings you indicate to select "Do not install software updates" Why is that? Don't we want the software updates to be installed to the systems?




I think creating a Software Update Group with a corresponding deployment would be more suitable for that scenario


In Part 1 of this series we created our new LAB, we got the System Center 2012 Configuration Manager ISO and extracted it, then copied it to our Active Directory server. We then created the System Management container in AD, delegated permissions to the container, extended the Schema for Configuration Manager. We then opened TCP ports 1433 and 4022 for SQL replication between sites, installed some prerequisites like .NET Framework 4.0, added some features and then downloaded and installed SQL Server 2008 R2 SP1 CU6. We then configured SQL Server using SQL Server Management Studio for security and memory configurations prior to running the Configuration Manager 2012 setup to assess server readiness. Finally we installed a central administration site (CAS).


In Part 2 we set up our Primary server with SQL Server 2008 R2 SP1 CU6. We then installed Configuration Manager 2012 on our primary server (P01) and verified that it was replicating to our central administration site (CAS) server. Then we configured Discovery methods for our Hierarchy and then configured Boundaries and Boundary Groups. In Part 3 we configured Discovery methods, configured boundaries and created a boundary group, then configured them for Automatic Site Assignment and Content Location.


In Part 4 we added the Application Catalog roles to our Hierarchy. We then configured Custom Client Device Settings and then deployed those settings to the All Systems collection on site P01. After that we created Custom Client User Settings and deployed them to the All Users collection in order to allow users to define their own User and Device affinity settings.


In Part 5 we installed the WSUS server role (it is required for the Software Update Point role). We then installed the Software Update Point role on our CAS and Primary servers and we configured the SUP to support ConfigMgr Client Agent deployment which is a recommended Best Practice method of deploying the Configuration Manager Client Agent. In Part 6 we prepared our server for the Endpoint Protection Point role, and installed that role before configuring custom client device settings and custom antimalware policies. We then deployed those custom client device settings and custom antimalware policies to our newly created Endpoint Protection collections.


In Part 7 we added operating system deployment ability to our hierarchy by adding Windows 7 X64. We used the Build and Capture process to capture a WIM image which we can later deploy to targeted computers using network boot (PXE). PXE boot requires specific settings on our distribution points and the boot images used to deliver the operating system WIM images were therefore also enabled for PXE support.


In Part 8 we added Applications to our Software Library and configured the requirements in the Deployment Type to add new abilities to the application delivery process. We monitored the approval process of our applications and saw how requirements can influence whether an application is installed or not and we noted the difference between deploying to Users versus Devices. Now we will take a look at how Automatic Deployment Rules can be used to automate the deployment of windows updates on Patch Tuesday using a recurring schedule to patch your infrastructure using Software Updates.


Recommended Reading

Planning for Software Updates in Configuration Manager - http://technet.micro...y/gg712696.aspx

Prerequisites for Software Updates in Configuration Manager - http://technet.micro...y/hh237372.aspx

Configuring Software Updates in Configuration Manager - http://technet.micro...y/gg712312.aspx


Step 1. Create some Folders and Collections.

Perform the following on the CAS server as SMSadmin


To make the management of Software Updates easier we will first create some Folders and populate them with Collections. You can do this manually in the Assets and Compliance workspace or you can do it in an automated way using PowerShell. The below script will create a nice Folder and Collection structure sorting the Client Operating Systems and 3 Windows Server Operating Systems, in addition, the server Operating Systems are further divided into Automatic patching, Manual patching and Maintenance Windows collections. Here's the script (kindly provided by a colleague of mine, Niklas Landqvist), I've customized the XML file to create the Folders and Collections we want for this part of the series.


[attachment: powershell scripts.zip]


Note: You may have to do the following for the downloaded powershell scripts.


1. Save the script file on your computer, locate the saved script file.

2. Extract the contents and then locate the powershell PS1 scripts, right-click each script file, and then click Properties.

3. Click Unblock.

To use the script open a Windows PowerShell session as administrator by right-clicking on the Windows PowerShell icon and choosing Run As Administrator as in the screenshot below.


[screenshot: Windows PowerShell Run As Administrator.png]


Change to the Directory where you've unzipped the script using CD (to change directory).


[screenshot: change directory.png]


Once done we need to Set the Execution Policy to allow this script (RemoteSigned) to run.


Set-ExecutionPolicy RemoteSigned

and answer Yes to the prompt.


[screenshot: Set-ExecutionPolicy RemoteSigned.png]


and then run the script as follows:


.\CreateFoldersAndCollections.ps1 .\FolderAndCollections_Software_Updates.xml

the screen will update once you press enter...


[screenshot: running the PowerShell Script.png]


and once the script is complete you can open the console in Assets and Compliance and refresh, you'll see the following Folders and Collections are already created.


[screenshot: Software Updates folders and collections.png]


Note: All of the collections have Membership queries to automatically populate the collections based on Operating System version. You may want to edit the queries further in order to exclude (or include) computers otherwise you will have overlap between those three Windows Server Collections where servers show up in all three of the respective collections.
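As an added example, not the CreateFoldersAndCollections.ps1 script from the zip (which this page does not reproduce), the following PowerShell creates the same kind of per-OS collections with the ConfigMgr cmdlets and checks for the overlap the note warns about. It assumes the ConfigurationManager module from a 2012 SP1 or later console, site code P01, and that the three server sub-collections are populated by the admin rather than by a query; the R2 releases get their own entries because they report a different OperatingSystemNameandVersion.

```powershell
# Added example, not the script attached to the guide. Requires the ConfigurationManager
# PowerShell module (ConfigMgr 2012 SP1 or later console); site code P01 is assumed.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'P01:'

# OperatingSystemNameandVersion is matched as a prefix rather than with "%6.1%": Windows 7 is
# "Microsoft Windows NT Workstation 6.1" and Windows Server 2008 R2 is
# "Microsoft Windows NT Server 6.1", so a bare version pattern would mix clients and servers.
# R2 releases carry their own version number, so each gets its own collection.
$osPrefix = @{
    'Software Updates - Windows XP'             = 'Microsoft Windows NT Workstation 5.1'
    'Software Updates - Windows 7'              = 'Microsoft Windows NT Workstation 6.1'
    'Software Updates - Windows 8'              = 'Microsoft Windows NT Workstation 6.2'
    'Software Updates - Windows 8.1'            = 'Microsoft Windows NT Workstation 6.3'
    'Software Updates - Windows Server 2003'    = 'Microsoft Windows NT Server 5.2'
    'Software Updates - Windows Server 2008'    = 'Microsoft Windows NT Server 6.0'
    'Software Updates - Windows Server 2008 R2' = 'Microsoft Windows NT Server 6.1'
    'Software Updates - Windows Server 2012'    = 'Microsoft Windows NT Server 6.2'
    'Software Updates - Windows Server 2012 R2' = 'Microsoft Windows NT Server 6.3'
}

function New-OsQueryCollection {
    param([string]$Name, [string]$Prefix)
    if (Get-CMDeviceCollection -Name $Name) {
        Write-Warning "$Name already exists; refresh the console view if you cannot see it"
        return
    }
    $wql = "select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, " +
           "SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client " +
           "from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like '$Prefix%'"
    New-CMDeviceCollection -Name $Name -LimitingCollectionName 'All Systems' | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName 'OS version' -QueryExpression $wql
}

# Server OS collections get the Manual / Automatic / Maintenance Window split from the guide,
# limited to the parent OS collection and left empty for the admin to populate (direct rules),
# instead of all three sharing the parent's query.
function New-ServerPatchingCollections {
    param([string]$ParentName)
    foreach ($suffix in 'Manual', 'Automatic', 'Maintenance Window [Fri 10-12 pm]') {
        $name = "$ParentName $suffix"
        if (-not (Get-CMDeviceCollection -Name $name)) {
            New-CMDeviceCollection -Name $name -LimitingCollectionName $ParentName | Out-Null
        }
    }
}

# Reports devices that are members of more than one of the given collections, which is the
# overlap the note above warns about when the membership queries are left unchanged.
function Get-CollectionOverlap {
    param([string[]]$CollectionNames)
    $members = foreach ($c in $CollectionNames) {
        Get-CMDevice -CollectionName $c | ForEach-Object {
            New-Object PSObject -Property @{ Device = $_.Name; Collection = $c }
        }
    }
    $members | Group-Object -Property Device | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        New-Object PSObject -Property @{
            Device      = $_.Name
            Collections = ($_.Group | ForEach-Object { $_.Collection }) -join ', '
        }
    }
}

foreach ($entry in $osPrefix.GetEnumerator()) { New-OsQueryCollection -Name $entry.Key -Prefix $entry.Value }
foreach ($server in ($osPrefix.Keys | Where-Object { $_ -like '*Server*' })) { New-ServerPatchingCollections -ParentName $server }

# Sanity check on one server OS: a device in two of these gets patched by two different policies
$serverSubs = 'Manual', 'Automatic', 'Maintenance Window [Fri 10-12 pm]' |
              ForEach-Object { "Software Updates - Windows Server 2008 $_" }
Get-CollectionOverlap -CollectionNames $serverSubs | Format-Table -AutoSize
```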



Step 2. Perform a SUP Sync.

Perform the following on the CAS server as SMSadmin


Before starting our activity we want to make sure that the updates that we are looking at are current and relevant therefore we'll synchronize our Software Update Point with Microsoft Windows Update.


Tip: There are two types of sync, Full or Delta. A Full sync is performed on schedule (as defined in the Software Update Point scheduled synchronization), whereas a Delta sync occurs when you initiate a sync in the console. If a sync fails for whatever reason then it will be retried every 60 minutes. A Delta sync will be forced to a Full sync if you make any change to the Categories (for example, add an additional Product, or add or remove a Classification).


Note: In a hierarchy, when you trigger a sync it will affect all sites in the hierarchy starting with the CAS.


To trigger a Full Sync in the Administration workspace, select Sites, select the CAS server, right click and choose Configure Site-Wide components, and select Software Update Point. Select the Schedule tab and click on Custom Schedule (in Part 5 we configured this to synchronize every 1 day, however setting a Custom schedule allows you to not only sync once a day but to decide what time that sync occurs at).



[screenshot: custom schedule.png]


Click on Customize and set the Custom Schedule to Every 1 day at 7:00 pm as in the screenshot below. This will force a full sync at 7:00pm (if you want it to happen now, then set the schedule time to approx two minutes after the current time.)


[screenshot: custom schedule set to every 1 day at 7 pm.png]


To monitor a sync's progress, open WsyncMgr.log. Before continuing, confirm that the sync has succeeded on your CAS server by looking for the following line in WsyncMgr.log:



[screenshot: Sync Succeeded.png]


Once the Sync has succeeded on the CAS it will trigger a signal on the primary site P01 to sync from its upstream server (the CAS). You can verify this by opening the WsyncMgr.log file on the Primary server and looking for the following lines:



[screenshot: sync signalled to start on Primary.png]


Once the Primary server has finished syncing from its parent server (the CAS) it will log the fact. Look for the following lines in WsyncMgr.log on the Primary server P01 for evidence of a successful sync.



[screenshot: sync succeeded on P01.png]


Tip: To watch the sync in real-time you can start the Windows Server Update Services Console, this will show you any error messages pertaining to the synchronization process (such as services that are not started when they should be) and will give you a percentage reading as the sync takes place.


[screenshot: sync status in Windows Server Update Services console.png]


At this point we are confident our SUPs are synched and we can go ahead and start deploying Updates.
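One way to check the sync outcome without scrolling through the log in CMTrace, as an added example that is not part of the guide: the following PowerShell parses CMTrace-format lines (the format WsyncMgr.log is written in) and reports the last recorded outcome, including when the next automatic retry of a failed sync is due. The sample lines are constructed for the demonstration and the log path at the end assumes a default install.

```powershell
# Added example, not part of the guide. Parses CMTrace-format lines and reports the most recent
# sync outcome. The $sample lines are constructed; on a real site feed it the actual WsyncMgr.log.
$severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function Get-CMTraceEntry {
    param([string[]]$Lines)
    # One entry per line: <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" ... type="N" ...>
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"[^>]*\btype="(?<type>\d)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $clock = ($matches['time'] -split '[+-]')[0]      # drop the UTC offset suffix
            $stamp = [datetime]::ParseExact("$($matches['date']) $clock", 'MM-dd-yyyy HH:mm:ss.fff',
                                            [Globalization.CultureInfo]::InvariantCulture)
            New-Object PSObject -Property @{
                Timestamp = $stamp
                Severity  = $severity[$matches['type']]
                Message   = $matches['msg']
            }
        }
    }
}

function Get-LastSyncResult {
    param([string[]]$Lines, [int]$RetryMinutes = 60)   # a failed sync is retried every 60 minutes
    $outcomes = @(Get-CMTraceEntry -Lines $Lines | Sort-Object Timestamp |
                  Where-Object { $_.Message -match '^Sync (succeeded|failed)' })
    if ($outcomes.Count -eq 0) {
        return New-Object PSObject -Property @{ Status = 'NoSyncRecorded'; When = $null; Detail = 'no sync outcome in the lines given' }
    }
    $last = $outcomes[-1]
    if ($last.Message -like 'Sync succeeded*') {
        $status = 'Succeeded'
        $detail = $last.Message
    } else {
        $status = 'Failed'
        $detail = "$($last.Message) (next automatic retry expected around $($last.Timestamp.AddMinutes($RetryMinutes)))"
    }
    New-Object PSObject -Property @{ Status = $status; When = $last.Timestamp; Detail = $detail }
}

# Constructed sample in WsyncMgr.log's format: one failed attempt followed by a successful one
$sample = @(
    '<![LOG[Starting Sync]LOG]!><time="19:00:01.000+000" date="03-12-2013" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="3012" file="wsyncmgr.cpp:100">',
    '<![LOG[Sync failed: WSUS update source not found on site CAS. Please refer to WCM.log for configuration error details.]LOG]!><time="19:00:07.512+000" date="03-12-2013" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="3012" file="wsyncmgr.cpp:200">',
    '<![LOG[Sync succeeded. Setting sync alert to canceled state on site CAS]LOG]!><time="20:01:44.093+000" date="03-12-2013" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="3012" file="wsyncmgr.cpp:300">'
)
Get-LastSyncResult -Lines $sample | Format-List Status, When, Detail

# Against the real log on the CAS (default install path assumed):
# Get-LastSyncResult -Lines (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\WsyncMgr.log')
```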


Step 3. Deploying Updates automatically using an ADR

Perform the following on the CAS server as SMSadmin


We've already created some ADRs previously for deploying Endpoint Protection definition updates in Part 6 of this series, but now we will create a new ADR to automatically deploy Windows 7 updates once a month on a recurring schedule (after Patch Tuesday: Microsoft releases new updates every month on the second Tuesday of the month). Once you understand how this works you can customize it to suit your needs to keep your systems patched in an automated way on a recurring schedule.


In the Software Updates section of the console, select Automatic Deployment Rules and in the ribbon click Create Automatic Deployment Rule.


[screenshot: Create Automatic Deployment Rule.png]


When the wizard appears, give the ADR a suitable name (I like to prepend 'ADR: Software Updates' so they are easy to see in Deployments/Monitoring), such as ADR: Software Updates - Windows 7 monthly Updates.


[screenshot: ADR software updates - windows 7.png]


For Collection, click on Browse and you'll notice our nice folder and collection structure makes it easy to select the right collection; select the Software Updates - Windows 7 collection.


[screenshot: Software Updates - Windows 7.png]


As this ADR is for Patch Tuesday and runs on a recurring schedule every month, we will choose to create a new software update group every time it runs; this means that we have a single software update group to measure compliance against for each run of the rule.


[screenshot: create a new software update group.png]


For Deployment Settings, set the verbosity level of state messages to Normal (the default is Minimal), as we want to be able to determine what went wrong if some computers are not compliant after the rule is run, and having all those state messages will help.


[screenshot: Detail Level Normal.png]


For the Software Updates screen select the following options:

  • Date released or revised: Last 1 day
  • Product: Windows 7

This means that when the rule runs it will find all Windows 7 updates released in the last 1 day; this will become clearer in the next step.


[screenshot: date release or revised Last 1 day.png]


On the Evaluation Schedule screen click on Customize and set the schedule accordingly: set it to start running on the second Tuesday of the current month, and to recur monthly on the second Tuesday of every month, at least two hours after the SUP has synced (which should give it time to sync). You can see that the SUP sync time is highlighted, which helps you to plan your ADR deployment.


[screenshot: evaluation schedule.png]


For the Deployment Schedule screen set the Software Available Time to be at least 4 hours after the rule has run in order for the actual software updates deployment packages to reach the destination distribution points.


[screenshot: Deployment Schedule.png]


On the User Experience screen, as we want our users to interact with the deployment of software updates on Patch Tuesday, for User Notification select Display in Software Center and show all notifications. If you wanted to hide these notifications you can select that here also. In this guide we are deploying Windows 7 updates, therefore we don't need to suppress any system restarts; however, if you were targeting server operating systems with automatic deployment rules then you'd probably want to suppress the system restart.


[screenshot: display in software center and show all notifications.png]


If you want to be alerted when the compliance threshold is below the desired compliance level then select the next option on the Alerts screen.




For Download Settings, leave the defaults.


[screenshot: download Settings.png]


The first time you run this ADR select to create a new deployment package (as none will exist that we want to use). Once it has run, you can retire that rule by disabling it (right click on the ADR, choose Disable) and then you should recreate an identical rule except in the replacement rule, for Deployment Package choose the previously created package (Windows 7 Monthly Updates) so that it re-uses the package every month.


The screenshot below is from the first run of the ADR.


[screenshot: create a new deployment package.png]


Continue through the rest of the wizard to the Summary screen; on that screen, click on Save as Template so that you can reuse the settings.


[screenshot: summary save as template.png]


Call the template Windows 7 Monthly Updates.


[screenshot: call the template Windows 7 Monthly Updates.png]


Right-click on the newly created ADR and choose Run Now; we do this to create the Deployment Package.


[screenshot: Run ADR Now.png]


After running the rule, verify that the Deployment Package has indeed been created, and when done, right-click on the ADR again and choose Disable.


[screenshot: Disable ADR.png]


Once done, recreate the rule (the ADR), but this time point to that package during the wizard in the Select Deployment Package option, like in the screenshot below.


[screenshot: Select Deployment Package.png]


Repeat the above for your Windows XP clients just as we've done for Windows 7, except obviously change the Product name from Windows 7 to Windows XP and point the collection to the Windows XP equivalent...


[screenshot: Windows XP Monthly Updates ADR.png]


At this point your ADRs are created and you are ready to sit back and watch as your Windows XP and Windows 7 clients get automatically patched on Patch Tuesday. Awesome.


[screenshot: ADRs created.png]
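To verify what a rule actually produced after Run Now (the deployment package, and the software update group it should have created), here is an added PowerShell check that is not part of the guide. It queries the SMS Provider over WMI and assumes site code P01 on the server you run it from, the rule and package names used in this step, and that rule-created groups are named after the rule followed by the run time.

```powershell
# Added example, not part of the guide: checks what an ADR produced after 'Run Now' by querying
# the SMS Provider over WMI. Assumes site code P01 on the local server (adjust $SiteCode and
# $Server) and the ADR / package names from Step 3. The SUG naming convention is assumed.
$SiteCode  = 'P01'
$Server    = $env:COMPUTERNAME
$Namespace = "root\sms\site_$SiteCode"

function Get-SmsObject {
    param([string]$Class, [string]$Filter)
    Get-WmiObject -ComputerName $Server -Namespace $Namespace -Class $Class -Filter $Filter
}
function ConvertFrom-WmiDate {
    param([string]$Value)
    if ($Value) { [Management.ManagementDateTimeConverter]::ToDateTime($Value) } else { $null }
}
function ConvertTo-WqlLiteral { param([string]$s) $s -replace "'", "''" }   # names may contain apostrophes

function Get-AdrRunStatus {
    param([string]$Name)
    $adr = Get-SmsObject -Class SMS_AutoDeployment -Filter "Name='$(ConvertTo-WqlLiteral $Name)'"
    if (-not $adr) { throw "ADR '$Name' not found on site $SiteCode" }
    New-Object PSObject -Property @{
        Rule      = $adr.Name
        Enabled   = [bool]$adr.AutoDeploymentEnabled
        LastRun   = ConvertFrom-WmiDate $adr.LastRunTime
        LastError = $adr.LastErrorCode      # 0 = last run completed; anything else: see ruleengine.log
    }
}

function Get-AdrSoftwareUpdateGroups {
    param([string]$Name)
    # groups created by the rule are assumed to be named after it, so match on the prefix
    Get-SmsObject -Class SMS_AuthorizationList -Filter "LocalizedDisplayName like '$(ConvertTo-WqlLiteral $Name)%'" |
        ForEach-Object {
            New-Object PSObject -Property @{
                Group   = $_.LocalizedDisplayName
                Created = ConvertFrom-WmiDate $_.DateCreated
                Updates = $_.NumberOfUpdates
            }
        }
}

function Get-UpdatePackageSummary {
    param([string]$PackageName)
    $pkg = Get-SmsObject -Class SMS_SoftwareUpdatesPackage -Filter "Name='$(ConvertTo-WqlLiteral $PackageName)'"
    if (-not $pkg) { return $null }
    New-Object PSObject -Property @{
        Package   = $pkg.Name
        PackageID = $pkg.PackageID
        Source    = $pkg.PkgSourcePath
        SizeMB    = [math]::Round($pkg.PackageSize / 1024, 1)   # PackageSize is reported in KB
    }
}

# Put it together: flag the things that usually explain "the ADR ran but nothing happened"
$adrName = 'ADR: Software Updates - Windows 7 monthly Updates'
$pkgName = 'Windows 7 Monthly Updates'
$status  = Get-AdrRunStatus -Name $adrName
$groups  = @(Get-AdrSoftwareUpdateGroups -Name $adrName)
$pkg     = Get-UpdatePackageSummary -PackageName $pkgName

$status | Format-List Rule, Enabled, LastRun, LastError
$groups | Format-Table Group, Created, Updates -AutoSize
if ($status.LastError -ne 0) { Write-Warning "last run ended with error $($status.LastError); check ruleengine.log" }
if ($groups.Count -eq 0)     { Write-Warning 'no software update group has been created by this rule yet' }
if ($groups | Where-Object { $_.Updates -eq 0 }) { Write-Warning 'a group exists but holds no updates (check the Product / date filters)' }
if (-not $pkg)               { Write-Warning "deployment package '$pkgName' does not exist yet" }
elseif ($pkg.SizeMB -eq 0)   { Write-Warning "package $($pkg.PackageID) is empty; check download settings and the source path" }
else                         { $pkg | Format-List Package, PackageID, Source, SizeMB }
```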


Later in this series (after Patch Tuesday) I'll show you what happens on the clients, and I'll explain how we can patch our servers using Maintenance windows.


Until then, adios,




Could use some help creating the query for Windows 8.1 machines. Copied the Windows 8 query, modified the 6.2 to 6.3, but it doesn't work.

Any ideas?


Hi Anyweb,


Set this up ages ago thanks to your great guide and all is working fine. But... I should probably have checked sooner, but I have only just noticed that...


Looks like the monthly deployment package is over 2 GB in size. It seems that each month's new updates are being added to the same deployment package. Is this correct behaviour? Wasn't sure if it would add or replace. I guess each month's SUG contains the references to that month's updates within the singular deployment package - is that correct? I guess my concern is really just the sheer size. Are only the required updates pulled down on the client PCs rather than the whole lot before being assessed for requirements? Is there a way to clean up the package/source folder? I guess, for a start, we can get rid of all expired updates from both the package and the source folders? Is there a neat way of doing this?






Thanks for this excellent topic.

Questions: do you separate

1) Windows Server 2008 (Microsoft Windows NT Server 6.0) and Windows Server 2008 R2 (Microsoft Windows NT Server 6.1)

Windows Server 2012 (Microsoft Windows NT Server 6.2) and Windows Server 2012 R2 (Microsoft Windows NT Server 6.3)

as they have different Version name in SMS_R_System.OperatingSystemNameandVersion?

2) as within the script I could not differentiate between:

- ISS - Software Updates - Windows Server 2003 Maintenance Windows (Friday)

- ISS - Software Updates - Windows Server 2003 Manual

- ISS - Software Updates - Windows Server 2003 Automatic

How do you split these within the Operating System collections?



