Monday, May 18, 2020

Perform Monthly ConfigMgr Patch Cycle Work

So I recently updated a document for someone on how to perform their monthly Microsoft patch cycle within ConfigMgr and thought I would share it. Some info has been changed to protect the innocent. 

How does yours compare?

NOTE: Microsoft releases patches around 11:15 AM MT on the second Tuesday of each month. They also release other changes throughout the month, such as the C and D cumulative updates. ConfigMgr is configured to query for updates daily at 1:15 AM MT. If doing a monthly cycle, the process below should be performed after about 12:00 PM MT on the second Tuesday of the month; if you start before the daily sync has run, perform a manual sync first. It is preferable to do this on the second Wednesday, to let the overnight sync take place and to give Microsoft time to resolve any release issues.

Perform a Manual Sync

  1. Start ‘Configuration Manager Console’.
  2. Select ‘Software Library’ Node and navigate to ‘Software Updates’ | ‘All Software Updates’.
  3. Right-click ‘All Software Updates’ and select ‘Synchronize Software Updates’. Select YES to the confirmation. This will cause ConfigMgr to go to Microsoft Updates and check for updates.  
  4. Status can be watched via the ‘Monitoring’ Node | ‘Software Update Point Synchronization Status’. The ‘Synchronization Status’ column will show ‘Completed’. This can take upwards of an hour depending on network load, Microsoft Updates load, and how many updates are being synchronized.

Create Monthly Software Update Group

NOTE: Patches need to be organized into a Software Update Group (SUG) to advertise them to endpoints. This procedure follows the yearly/monthly methodology: the current year is grouped by month, and previous years are grouped by year. A SUG CANNOT contain more than 1000 patches, so some years may be split into two or more SUGs, or multiple years combined into one. As the years progress, these split years can be consolidated as patches are superseded and the count falls under 1000.
  1. Select the ‘Software Library’ node and navigate to ‘Software Update Groups’.
  2. Note the previous month’s ‘Date Created’.
  3. Select ‘All Software Updates’.
  4. Click the search bar at the top.
  5. Right-click any column header to enable the ‘Date Released or Revised’ column. Change ‘is on or before’ to ‘is between’.
  6. Set the first date to the day AFTER the previous month’s date noted above, set the second date to the current month’s release date, and click ‘Search’.
  7. Select all updates returned, then right-click and select ‘Create Software Update Group’.
  8. Create the group using the syntax ‘YYYY – MM – Monthname – All MS Updates’ and select ‘Create’ (Example: ‘2020 – 03 March – All MS Updates’). Then remove titles that do not apply to the environment:
     1. Select ‘Software Update Groups’ on the left.
     2. Double-click the newly created SUG.
     3. Click the search bar at the top.
     4. Right-click, select ‘Add Criteria’ and select ‘Title’.
     5. In the Title field, enter the first search term to remove. An example list at the time of writing:

     • ARM64-Based
     • X86-based
     • Preview
     • Itanium
     • Extended Security Updates
     • Microsoft Edge-Dev
     • Microsoft Edge-Preview
     • Cumulative Update for Windows Server, version 1909
     • Cumulative Update for Windows Server, version 1903
     • Windows 10 Version Next

     The following require criteria beyond a simple title match:

     • (Title does not contain) x64
     • (Post Jan 14 2020 release) Monthly Quality Rollup for Windows 7
     • (Post Jan 14 2020 release) Security Only Quality Update for Windows 7
     • (Post Jan 14 2020 release) Monthly Quality Rollup for Windows Server 2008 R2
     • (Post Jan 14 2020 release) Security Only Quality Update for Windows Server 2008 R2
     • (Post Jan 14 2020 release) Monthly Quality Rollup for Windows Server 2008
     • (Post Jan 14 2020 release) Security Only Quality Update for Windows Server 2008

     NOTE: While Microsoft only supports Windows 10 builds for 18 months (30 for Enterprise for the fall release), they can still release updates for older builds for things like Intel microcode updates. Include them if your environment has that version; otherwise, remove them.
  9. Select all returned results, then right-click and select ‘Edit Membership’.
  10. Uncheck the newly created SUG and click ‘OK’.
  11. Repeat for all relevant titles not in the environment.
  12. Click the search bar at the top.
  13. Right-click, select ‘Add Criteria’ and select ‘Superseded’.
  14. Verify ‘Superseded’ is set to ‘Yes’.
  15. Click the search bar at the top.
  16. Select all returned results, then right-click and select ‘Edit Membership’.
  17. Uncheck the newly created SUG and click ‘OK’.
  18. Click ‘Software Update Groups’ on the right.
  19. Right-click the newly created SUG and select ‘Download’.
  20. Select ‘Create a new deployment package’.
  21. Use the syntax ‘SUP – YYYY MM Month Updates’ (Example: ‘SUP – 2015 02 February Updates’).
  22. Enter the package source and create a folder if needed. The source for Software Updates is housed under ‘\\sccmpkgs.mycompany.com\Packages\Software Updates’. There are folders for each year; the current year has subfolders for each month, whereas previous years have a folder called ‘All Updates’. The syntax for monthly folders is ‘MM – Month’ (Example: ‘02 – Feb’).
  23. On the Distribution Points dialog, click ‘Add’ and select ‘Distribution Point Group’.
  24. Check ‘All Distribution Points’, select ‘OK’ and then ‘Next’.
     NOTE: You can instead select ‘Add Distribution Point’, choose ‘MAINSITEDP’, and add ‘All Distribution Points’ to the package later so the other sites get the files after hours.
  25. On the Distribution Settings page, leave ‘Distribution priority’ at ‘Medium’. Check ‘Distribute the content for this package to preferred distribution points’ and ‘Download only content changes to the distribution point’, then click ‘Next’.
  26. Click ‘Next’ on the Download Location dialog.
  27. Click ‘Next’ on the Language Selection dialog.
  28. Click ‘Next’ on the Summary dialog.
  29. After the updates have downloaded, select ‘Close’.

    NOTE: If you want to watch the progress or if there are problems downloading, you can look at %TEMP%\PatchDownloader.log.

Deploy Patches

  30. Select ‘Software Update Groups’.
  31. Right-click the newly created SUG and select ‘Deploy’.
  32. Click ‘Choose Template’.
  33. Select ‘All Workstations’ and click ‘OK’.
  34. Change the deployment name using the syntax ‘YYYY MM MS Patches to All Workstations’ (Example: ‘2015 02 MS Patches to All Workstations’).
  35. Click ‘Next’.
  36. Click ‘Next’ on the Deployment Settings dialog.
  37. On the Scheduling dialog, change ‘Software available time’ to 10 PM on the third Sunday of the month.
  38. Change ‘Installation deadline’ to 10 PM on the third Wednesday of the month.
  39. Click ‘Next’.
  40. On the User Experience dialog, verify ‘Software update deployment re-evaluation behavior upon restart’ is checked, then click ‘Next’.
  41. Click ‘Next’ on the Alerts dialog.
  42. Click ‘Next’ on the Download Settings dialog.
  43. Click ‘Next’ on the Summary dialog.
  44. After processing, click ‘Close’ on the Completion dialog.
  45. For server patching, repeat steps 31 through 44 with the following changes:
     1. Step 33 – Use the ‘All Servers’ template.
     2. Step 34 – Use the syntax ‘YYYY MM MS Patches to Servers’.
  46. For OSD imaging, repeat steps 31 through 44 with the following changes:
     1. Step 33 – Use the ‘OSD Imaging’ template.
     2. Step 34 – Use the syntax ‘YYYY MM MS Patches to Imaging’.
     3. Step 37 – Select ‘As soon as possible’ for Software available time.
     4. Step 38 – Select ‘As soon as possible’ for Installation deadline.
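As an added example (not from the original post, and not Microsoft's own sample), the script below drives the ‘Create Monthly Software Update Group’ and ‘Deploy Patches’ sections above with the cmdlets from the ConfigMgr console's PowerShell module instead of the console UI. The site code, the two release dates, the package path layout and the ‘All Workstations’ collection name are assumptions; the title exclusion list and the naming syntax are the post's.

```powershell
# Added example, not from the post: the monthly cycle via the ConfigMgr console's
# PowerShell module. Site code, dates, package path and collection name are assumptions.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'XYZ:'                               # XYZ = placeholder site code
$prevRelease = Get-Date '2020-04-14'              # last month's Patch Tuesday (constructed)
$thisRelease = Get-Date '2020-05-12'              # this month's Patch Tuesday (constructed)
$sugName = '2020 – 05 May – All MS Updates'
$pkgName = 'SUP – 2020 05 May Updates'
$pkgPath = '\\sccmpkgs.mycompany.com\Packages\Software Updates\2020\05 – May'

# Create Monthly Software Update Group: everything released or revised in the window,
# dropping expired and superseded updates up front instead of in a second pass.
$updates = @(Get-CMSoftwareUpdate -Fast -DateRevisedMin $prevRelease.AddDays(1) `
    -DateRevisedMax $thisRelease -IsExpired $false -IsSuperseded $false)

# Title exclusions from the post; 'Windows Server 2008' also matches the R2 titles.
$dropAlways = 'ARM64-Based', 'X86-based', 'Preview', 'Itanium', 'Extended Security Updates',
    'Microsoft Edge-Dev', 'Microsoft Edge-Preview', 'Windows 10 Version Next',
    'Cumulative Update for Windows Server, version 1909',
    'Cumulative Update for Windows Server, version 1903'
$dropAfter = 'Monthly Quality Rollup for Windows 7', 'Security Only Quality Update for Windows 7',
    'Monthly Quality Rollup for Windows Server 2008', 'Security Only Quality Update for Windows Server 2008'
$esuCutoff = Get-Date '2020-01-14'                # Win7/2008 releases after this date are dropped

$keep = $updates | Where-Object {
    $t = $_.LocalizedDisplayName
    if ($t -notmatch 'x64') { return $false }      # the post's "Title does not contain x64" rule
    foreach ($p in $dropAlways) { if ($t -like "*$p*") { return $false } }
    foreach ($p in $dropAfter) { if ($t -like "*$p*" -and $_.DatePosted -gt $esuCutoff) { return $false } }
    $true
}
$ids = @($keep | Select-Object -ExpandProperty CI_ID)
if ($ids.Count -eq 0) { throw "No updates left for $sugName; check the date window." }
Write-Host "$sugName`: keeping $($ids.Count) of $($updates.Count) updates"

# Create the SUG, download it into a new deployment package, and push it to all DPs.
New-CMSoftwareUpdateGroup -Name $sugName -SoftwareUpdateId $ids | Out-Null
New-CMSoftwareUpdateDeploymentPackage -Name $pkgName -Path $pkgPath | Out-Null
Save-CMSoftwareUpdate -SoftwareUpdateGroupName $sugName -DeploymentPackageName $pkgName
Start-CMContentDistribution -DeploymentPackageName $pkgName -DistributionPointGroupName 'All Distribution Points'

# Deploy Patches: required deployment, available 10 PM third Sunday, deadline 10 PM third Wednesday.
function Get-NthWeekday([datetime]$Month, [DayOfWeek]$Day, [int]$N) {
    $first = [datetime]::new($Month.Year, $Month.Month, 1)
    $first.AddDays((([int]$Day - [int]$first.DayOfWeek + 7) % 7) + 7 * ($N - 1))
}
New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $sugName -CollectionName 'All Workstations' `
    -DeploymentName '2020 05 MS Patches to All Workstations' -DeploymentType Required `
    -AvailableDateTime (Get-NthWeekday $thisRelease Sunday 3).AddHours(22) `
    -DeadlineDateTime (Get-NthWeekday $thisRelease Wednesday 3).AddHours(22) -TimeBasedOn LocalTime | Out-Null
```

Run it from an elevated console on a machine with the ConfigMgr console installed, after the day's sync has completed; the server and imaging deployments from steps 45 and 46 are the same cmdlet call with the other collection and deployment names.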

Clean Up Expired and Superseded Updates

NOTE: Expired and superseded updates should be removed from Software Update Groups (SUGs); however, they will still be available in ConfigMgr in case a specific patch is needed in a particular case. This is configured for three months as of this writing.

NOTE: The previous month should not be cleaned up until the current month has passed its advertisement deadline. This way you have an overlap of advertised patches in case a system is turned off or otherwise unable to patch by the deadline.
  1. Select the ‘Software Library’ node and navigate to ‘Software Update Groups’. Note groups that are NOT green. A reference guide to their meaning is located here.
  2. Select ‘Software Update Groups’ on the left.
  3. Double-click the relevant SUG.
  4. Click the search bar at the top.
  5. Right-click, select ‘Add Criteria’ and select ‘Expired’.
  6. Select ‘Search’.
  7. Select all updates returned, then right-click and select ‘Edit Membership’.
  8. Uncheck all boxes and click ‘OK’.
     NOTE: This will cause a replication of these packages, so make this change at an appropriate time and/or when it will not affect other content distribution.
  9. After a short while, all Software Update Groups will show green.
  10. Repeat steps 5 through 9 with ‘Superseded’ in place of ‘Expired’.

Package Cleanup

ConfigMgr will automatically remove content for patches that are not in a SUG. This is configured for three months as of this writing. If space is a concern, you can clean them out manually: follow the section ‘Clean Up Expired and Superseded Updates’, except in step 1 choose ‘Deployment Packages’ in place of ‘Software Update Groups’.

NOTE: The previous month should not be cleaned up until the current month has passed its advertisement deadline.