Software Update Management Documentation
NOTE
Software updates are enabled by default in client settings. However, if you set the Enable software updates on clients
client setting to No to disable software updates on a collection or in the default settings, the location of the software update
points is not sent to the associated clients. For details, see software updates client settings.
After the client receives the policy, the client starts a scan for software updates compliance and writes the
information to Windows Management Instrumentation (WMI). The compliance information is then sent to the
management point that then sends the information to the site server. For more information about compliance
assessment, see the Software updates compliance assessment section in this topic.
You can install multiple software update points at a primary site. The first software update point that you install
is configured as the synchronization source. This synchronizes from Microsoft Update or a WSUS server not in
your Configuration Manager hierarchy. The other software update points at the site use the first software update
point as the synchronization source.
NOTE
When the software updates synchronization process is complete at the top-level site, the software updates metadata is
replicated to child sites by using database replication. When you connect a Configuration Manager console to the child
site, Configuration Manager displays the software updates metadata. However, until you install and configure a software
update point at the site, clients will not scan for software updates compliance, clients will not report compliance
information to Configuration Manager, and you cannot successfully deploy software updates.
Synchronization on the top-level site
The software updates synchronization process at the top-level site retrieves from Microsoft Update the software
updates metadata that meet the criteria that you specify in Software Update Point Component properties. You
configure the criteria only at the top-level site.
NOTE
You can specify an existing WSUS server that is not in the Configuration Manager hierarchy instead of Microsoft Updates
as the synchronization source.
The following list describes the basic steps for the synchronization process on the top-level site:
1. Software updates synchronization starts.
2. WSUS Synchronization Manager sends a request to WSUS running on the software update point to start
synchronization with Microsoft Update.
3. The software updates metadata is synchronized from Microsoft Update, and any changes are inserted or
updated in the WSUS database.
4. When WSUS has finished synchronization, WSUS Synchronization Manager synchronizes the software
updates metadata from the WSUS database to the Configuration Manager database, and any changes
after the last synchronization are inserted or updated in the site database. The software updates metadata
is stored in the site database as a configuration item.
5. The software updates configuration items are sent to child sites by using database replication.
6. When synchronization has finished successfully, WSUS Synchronization Manager creates status message
6702.
7. WSUS Synchronization Manager sends a synchronization request to all child sites.
8. WSUS Synchronization Manager sends a request one at a time to WSUS running on other software
update points at the site. The WSUS servers on the other software update points are configured to be
replicas of WSUS running on the default software update point at the site.
Synchronization on child primary and secondary sites
During the software updates synchronization process on the top-level site, the software updates configuration
items are replicated to child sites by using database replication. At the end of the process, the top-level site
sends a synchronization request to the child site, and the child site starts the WSUS synchronization. The
following list provides the basic steps for the synchronization process on a child primary site or secondary site:
1. WSUS Synchronization Manager receives a synchronization request from the top-level site.
2. Software updates synchronization starts.
3. WSUS Synchronization Manager makes a request to WSUS running on the software update point to start
synchronization.
4. WSUS running on the software update point on the child site synchronizes software updates metadata
from WSUS running on the software update point on the parent site.
5. When synchronization has finished successfully, WSUS Synchronization Manager creates status message
6702.
6. From a primary site, WSUS Synchronization Manager sends a synchronization request to any child
secondary sites. The secondary site starts the software updates synchronization with the parent primary
site. The secondary site is configured as a replica of WSUS running on the parent site.
7. WSUS Synchronization Manager sends a request one at a time to WSUS running on other software
update points at the site. The WSUS servers on the other software update points are configured to be
replicas of WSUS running on the default software update point at the site.
NOTE
Internet-based clients must connect to the WSUS server by using SSL.
A scan request is passed to the Windows Update Agent (WUA). The WUA then connects to the WSUS server
location that is listed in the local policy, retrieves the software updates metadata that has been synchronized on
the WSUS server, and scans the client computer for the updates. A Software Updates Client Agent process
detects that the scan for compliance has finished, and it creates state messages for each software update that
changed in compliance state after the last scan. The state messages are sent to the management point in bulk
every 15 minutes. The management point then forwards the state messages to the site server, where the state
messages are inserted into the site server database.
After the initial scan for software updates compliance, the scan is started at the configured scan schedule.
However, if the client has scanned for software updates compliance in the time frame indicated by the Time to
Live (TTL) value, the client uses the software updates metadata that is stored locally. When the last scan is
outside the TTL, the client must connect to WSUS running on the software update point and update the software
updates metadata stored on the client.
Including the scan schedule, the scan for software updates compliance can start in the following ways:
Software updates scan schedule : The scan for software updates compliance starts at the configured
scan schedule that is configured in the Software Updates Client Agent settings. For more information
about how to configure the Software Updates client settings, see software updates client settings.
Configuration Manager Properties action : The user can start the Software Updates Scan Cycle
or Software Updates Deployment Evaluation Cycle action on the Action tab in the Configuration
Manager Properties dialog box on the client computer.
Deployment reevaluation schedule : The deployment evaluation and scan for software updates
compliance starts at the configured deployment reevaluation schedule, which is configured in the
Software Updates Client Agent settings. For more information about the Software Updates client settings,
see software updates client settings.
Prior to downloading update files : When a client computer receives an assignment policy for a new
required deployment, the Software Updates Client Agent downloads the software update files to the local
client cache. Before downloading the software update files, the client agent starts a scan to verify that the
software update is still required.
Prior to software update installation : Just before the software update installation, the Software
Updates Client Agent starts a scan to verify that the software updates are still required.
After software update installation : Just after a software update installation is complete, the Software
Updates Client Agent starts a scan to verify that the software updates are no longer required and creates
a new state message that states that the software update is installed. When the installation has finished,
but a restart is necessary, the state message indicates that the client computer is pending a restart.
After system restart : When a client computer is pending a system restart for the software update
installation to finish, the Software Updates Client Agent starts a scan after the restart to verify that the
software update is no longer required and creates a state message that states that the software update is
installed.
Time to live value
The software updates metadata that is required for the scan for software updates compliance is stored on the
local client computer, and by default, is relevant for up to 24 hours. This value is known as the Time to Live (TTL).
Scan for software updates compliance types
The client scans for software updates compliance by using an online or offline scan and a forced or non-forced
scan, depending on the way the scan for software updates compliance is started. The following describes which
methods for starting the scan are online or offline and whether the scan is forced or non-forced.
Software updates scan schedule (non-forced online scan)
At the configured scan schedule, the client connects to WSUS running on the software update point to
retrieve the software updates metadata only when the last scan was outside the TTL.
Software Updates Scan Cycle or Software Updates Deployment Evaluation Cycle (forced online
scan)
The client computer always connects to WSUS running on the software update point to retrieve the
software updates metadata before the client computer scans for software updates compliance. After the
scan is complete, the TTL counter is reset. For example, if the TTL is 24 hours, after a user starts a scan for
software updates compliance, the TTL is reset to 24 hours.
Deployment reevaluation schedule (non-forced online scan)
At the configured deployment reevaluation schedule, the client connects to WSUS running on the
software update point to retrieve the software updates metadata only when the last scan was outside the
TTL.
Prior to downloading update files (non-forced online scan)
Before the client can download update files in required deployments, the client connects to WSUS
running on the software update point to retrieve the software updates metadata only when the last scan
was outside the TTL.
Prior to software update installation (non-forced online scan)
Before the client installs software updates in required deployments, the client connects to WSUS running
on the software update point to retrieve the software updates metadata only when the last scan was
outside the TTL.
After software update installation (forced offline scan)
After a software update is installed, the Software Updates Client Agent starts a scan by using the local
metadata. The client never connects to WSUS running on the software update point to retrieve software
updates metadata.
After system restart (forced offline scan)
After a software update is installed and the computer is restarted, the Software Updates Client Agent
starts a scan by using the local metadata. The client never connects to WSUS running on the software
update point to retrieve software updates metadata.
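The TTL rules above decide, per trigger, whether a client refreshes its metadata from WSUS or scans against the local copy. The following is an added example written for this page, not code from Configuration Manager or its documentation; it models the decision table in the "Scan for software updates compliance types" section. The trigger names, the ScanClient class and the assumption that any scan which contacts WSUS (forced or TTL-expired) becomes the new reference point for the TTL are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Scan triggers from the page, classified as (online/offline, forced/non-forced).
# The trigger keys are names chosen for this example.
SCAN_TRIGGERS = {
    "scan_schedule": ("online", "non-forced"),
    "scan_cycle_action": ("online", "forced"),          # Software Updates Scan Cycle
    "deployment_eval_action": ("online", "forced"),     # Software Updates Deployment Evaluation Cycle
    "deployment_reevaluation": ("online", "non-forced"),
    "before_download": ("online", "non-forced"),
    "before_install": ("online", "non-forced"),
    "after_install": ("offline", "forced"),
    "after_restart": ("offline", "forced"),
}

DEFAULT_TTL = timedelta(hours=24)  # default TTL stated on the page


@dataclass
class ScanDecision:
    trigger: str
    mode: str            # "online" or "offline"
    forced: bool
    contacts_wsus: bool  # True when the client must pull metadata from WSUS
    ttl_reset: bool      # True when this scan becomes the new TTL reference point


class ScanClient:
    """Tracks when the client last refreshed metadata from WSUS (assumed model)."""

    def __init__(self, ttl: timedelta = DEFAULT_TTL) -> None:
        self.ttl = ttl
        self.last_refresh: Optional[datetime] = None

    def metadata_is_stale(self, now: datetime) -> bool:
        # No metadata yet, or the last refresh is older than the TTL.
        return self.last_refresh is None or (now - self.last_refresh) > self.ttl

    def run_scan(self, trigger: str, now: datetime) -> ScanDecision:
        mode, forced_label = SCAN_TRIGGERS[trigger]
        forced = forced_label == "forced"

        if mode == "offline":
            # After-install and after-restart scans only use local metadata.
            return ScanDecision(trigger, mode, forced, False, False)

        if forced:
            # Forced online scans always contact WSUS and reset the TTL counter.
            self.last_refresh = now
            return ScanDecision(trigger, mode, forced, True, True)

        # Non-forced online scans contact WSUS only when the last scan is outside the TTL.
        stale = self.metadata_is_stale(now)
        if stale:
            self.last_refresh = now  # assumption: a TTL-driven refresh restarts the TTL
        return ScanDecision(trigger, mode, forced, stale, stale)


def walk_through_day() -> list:
    """Constructed timeline showing which scans touch WSUS over one day."""
    client = ScanClient()
    t0 = datetime(2021, 9, 17, 2, 0)
    events = [
        ("scan_schedule", t0),                         # first scan: no metadata, contacts WSUS
        ("before_download", t0 + timedelta(hours=1)),  # inside TTL: local metadata
        ("scan_cycle_action", t0 + timedelta(hours=2)),  # user-forced: contacts WSUS, resets TTL
        ("after_install", t0 + timedelta(hours=3)),    # offline scan
        ("scan_schedule", t0 + timedelta(hours=25)),   # 23h since reset: still inside TTL
        ("scan_schedule", t0 + timedelta(hours=27)),   # 25h since reset: outside TTL
    ]
    return [client.run_scan(trigger, when) for trigger, when in events]


if __name__ == "__main__":
    for d in walk_through_day():
        print(f"{d.trigger:24} {d.mode:8} forced={d.forced!s:5} wsus={d.contacts_wsus}")
```

Running the module prints one line per trigger; the two forced offline scans never show `wsus=True`, and the scheduled scan at hour 25 stays local because the user-initiated cycle at hour 2 restarted the 24-hour window.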
IMPORTANT
You must manually create the shared network folder for the deployment package source files before you specify it in the
wizard. Each deployment package must use a different shared network folder.
IMPORTANT
The SMS Provider computer account and the administrative user who actually downloads the software updates both
require Write permissions to the package source. Restrict access to the package source to reduce the risk of an attacker
tampering with the software updates source files in the package source.
When a new deployment package is created, the content version is set to 1 before any software updates are
downloaded. When the software update files are downloaded by using the package, the content version is
incremented to 2. Therefore, all new deployment packages start with a content version of 2. Every time that the
content changes in a deployment package, the content version is incremented by 1. For more information, see
Fundamental concepts for content management.
Clients install software updates in a deployment by using any distribution point that has the software updates
available, regardless of the deployment package. Even if a deployment package is deleted for an active
deployment, clients still can install the software updates in the deployment as long as each update was
downloaded to at least one other deployment package and is available on a distribution point that can be
accessed from the client. When the last deployment package that contains a software update is deleted, client
computers cannot retrieve the software update until the update is downloaded again to a deployment package.
Software updates appear with a red arrow in the Configuration Manager console when the update files are not
in any deployment packages. Deployments appear with a double red arrow if they contain any updates in this
condition.
The user experience setting that controls the write filter behavior is a check box named Commit changes at
deadline or during a maintenance windows (requires restarts) .
For more information about how Configuration Manager manages embedded devices that use write filters, see
Planning for client deployment to Windows Embedded devices.
Next steps
Plan for software updates
Icons used for software updates in Configuration Manager
9/17/2021
The icon with the green arrow represents a normal software update.
Description:
Normal software updates have been synchronized and are available for software deployment.
Operational Concerns:
There are no operational concerns.
Expired Icon
The icon with the black X represents an expired software update. You can also identify expired software
updates by viewing the Expired column for the software update when it displays in the Configuration Manager
console.
Description:
Expired software updates were previously deployable to client computers, but once a software update is expired,
new deployments can no longer be created for the software updates. Expired software updates are removed
from active deployments and will no longer be made available to clients.
Operational Concerns:
There are no operational concerns.
Superseded Icon
The icon with the yellow star represents a superseded software update. You can also identify superseded
software updates by viewing the Superseded column for the software update when it displays in the
Configuration Manager console.
Description:
Superseded software updates have been replaced with newer versions of the software update. Typically, a
software update that supersedes another software update does one or more of the following things:
Enhances, improves, or adds to the fix provided by one or more previously released software updates.
Improves the efficiency of its software update file package, which clients install if the software update is
approved for installation. For example, the superseded software update might contain files that are no
longer relevant to the fix or to the operating systems now supported by the new software update, so
those files aren't included in the superseding software update's file package.
Updates newer versions of a product, or in other words, is no longer applicable to older versions or
configurations of a product. Software updates can also supersede other software updates if modifications
have been made to expand language support. For example, a later revision of a product update for
Microsoft 365 Apps might remove support for an older operating system, but add additional support for
new languages in the initial software update release.
On the Supersedence Rules tab in the Software Update Point Component properties, you can specify how
to manage superseded software updates. For more information, see Supersedence rules.
Operational Concerns:
Configuration Manager can automatically expire superseded updates based on a schedule you choose.
The default setting is to wait 3 months before expiring a superseded update. The 3 month default is to
give you time to verify the update is no longer needed by any of your client computers. It's recommended
that you don't assume that superseded updates should be immediately expired in favor of the new,
superseding update. You can display a list of the software updates that supersede the software update on
the Supersedence Information tab in the software update properties.
Invalid Icon
The icon with the green arrow represents a software update group that contains only normal software
updates.
Operational Concerns:
There are no operational concerns.
Expired Icon
The icon with the black X represents a software update group that contains one or more expired software
updates.
Operational Concerns:
Remove or replace expired software updates in the software update group when possible.
Superseded Icon
The icon with the yellow star represents a software update group that contains one or more superseded
software updates.
Operational Concerns:
Replace the superseded software update in the software update group with the superseding software update
when possible.
Invalid Icon
The icon with the red X represents a software update group that contains one or more invalid software
updates.
Operational Concerns:
When the content is missing for a software update, clients are unable to install the software update until the
content becomes available on a distribution point. You can redistribute the content to distribution points by
using the Redistribute action. When content is missing for a software update in a deployment created at a
parent site, the software update needs to be replicated or redistributed to the child site. For more information
about content redistribution, see Manage the content you've distributed.
Next steps
Plan for software updates
Plan for software updates in Configuration Manager
9/17/2021
IMPORTANT
For more information about the internal and external dependencies that are required for software updates, see
Prerequisites for software updates.
Add multiple software update points at a Configuration Manager primary site to provide fault tolerance. The
failover design of the software update point is different than the pure randomization model that's used in the
design for management points. Unlike in the design of management points, there are client and network
performance costs in the software update point design when clients switch to a new software update point.
When the client switches to a new WSUS server to scan for software updates, the result is an increase in the
catalog size and associated client-side and network performance demands. Therefore, the client preserves
affinity with the last software update point from which it successfully scanned.
The first software update point that you install on a primary site is the synchronization source for all additional
software update points that you add at the primary site. After you add software update points and start
synchronization, view the status of the software update points and the synchronization source from the
Software Update Point Synchronization Status node in the Monitoring workspace.
When there's a failure of the software update point configured as the synchronization source for the site,
manually remove the failed role. Then select a new software update point to use as the synchronization source.
For more information, see Remove a site system role.
Software update point list
Configuration Manager provides the client with a software update point list in the following scenarios:
A new client receives the policy to enable software updates
A client can't contact its assigned software update point and needs to switch to another
The client randomly selects a software update point from the list. It prioritizes the software update points in the
same forest. Configuration Manager provides clients with a different list depending on the type of client:
Intranet-based clients : Receive a list of software update points that you can configure to allow
connections only from the intranet, or a list of software update points that allow internet and intranet
client connections.
Internet-based clients : Receive a list of software update points that you configure to allow connections
only from the internet, or a list of software update points that allow internet and intranet client
connections.
Software update point switching
NOTE
Clients use boundary groups to find a new software update point. If their current software update point is no longer
accessible, they also use boundary groups to fallback and find a new one. Add individual software update points to
different boundary groups to control which servers a client can find. For more information, see Software update points.
If you have multiple software update points at a site, and one fails or becomes unavailable, clients will connect to
a different software update point. With this new server, clients continue to scan for the latest software updates.
When a client is first assigned a software update point, it stays assigned to that software update point unless it
fails to scan.
The scan for software updates can fail with a number of different retry and non-retry error codes. When the
scan fails with a retry error code, the client starts a retry process to scan for the software updates on the
software update point. The high-level conditions that result in a retry error code are typically because the WSUS
server is unavailable or because it is temporarily overloaded. When the client fails to scan for software updates,
it uses the following process:
1. The client scans for software updates:
At its scheduled time
When it's manually run from the control panel on the client
When it's manually run from the Configuration Manager console via a client notification action
When it's run from a Configuration Manager SDK method
2. If the scan fails, the client waits 30 minutes to retry the scan. It uses the same software update point.
3. The client retries a minimum of four times every 30 minutes. After the fourth failure, and after it waits an
additional two minutes, the client moves to the next software update point in its list.
4. The client repeats this process with the new software update point. After a successful scan, the client
continues to connect to the new software update point.
The following list provides additional information to consider for software update point retry and switching
scenarios:
If a client is disconnected from the intranet and fails to scan for software updates, it doesn't switch to
another software update point. This failure is expected, because the client can't reach the internal network
or a software update point that allows connections from the intranet. The Configuration Manager client
determines the availability of the intranet software update point.
If you're managing clients on the internet, and have configured multiple software update points to accept
communication from clients on the internet, the switching process follows the standard retry process
previously described.
If the scan process starts, but the client is turned off before the scan completes, it isn't considered a scan
failure and it doesn't count as one of the four retries.
When Configuration Manager receives any of the following Windows Update Agent error codes, the client
retries the connection:
2149842970, 2147954429, 2149859352, 2149859362, 2149859338, 2149859344, 2147954430, 2147747475,
2149842974, 2149859342, 2149859372, 2149859341, 2149904388, 2149859371, 2149859367, 2149859366,
2149859364, 2149859363, 2149859361, 2149859360, 2149859359, 2149859358, 2149859357, 2149859356,
2149859354, 2149859353, 2149859350, 2149859349, 2149859340, 2149859339, 2149859332, 2149859333,
2149859334, 2149859337, 2149859336, 2149859335
To look up the meaning of an error code, convert the decimal error code to hexadecimal, and then search for the
hexadecimal value on a site such as the Windows Update Agent - Error Codes Wiki. For example, the decimal
error code 2149842970 is hexadecimal 8024001A, which means WU_E_POLICY_NOT_SET: a policy value was
not set.
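The retry and switching process above, together with the software update point list selection (random choice, same-forest servers first) and the retry error code list, can be modelled as a small state machine. This is an added example written for this page and is not Configuration Manager code. The reading of the schedule as four attempts 30 minutes apart followed by a two-minute wait before switching, and the choice to stop without switching on a non-retry error code (the page does not say what happens there), are assumptions of this example; the `SUP-A`/`SUP-B` names and forests are constructed.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Decimal Windows Update Agent error codes listed on the page as retry codes.
RETRY_ERROR_CODES = {
    2149842970, 2147954429, 2149859352, 2149859362, 2149859338, 2149859344, 2147954430, 2147747475,
    2149842974, 2149859342, 2149859372, 2149859341, 2149904388, 2149859371, 2149859367, 2149859366,
    2149859364, 2149859363, 2149859361, 2149859360, 2149859359, 2149859358, 2149859357, 2149859356,
    2149859354, 2149859353, 2149859350, 2149859349, 2149859340, 2149859339, 2149859332, 2149859333,
    2149859334, 2149859337, 2149859336, 2149859335,
}

RETRY_INTERVAL_MIN = 30   # wait between retries on the same software update point
RETRY_ATTEMPTS = 4        # failures tolerated before switching
SWITCH_DELAY_MIN = 2      # extra wait after the fourth failure (assumed reading)


def wua_hex(code: int) -> str:
    """Format a decimal WUA error code as the hexadecimal value used in lookups."""
    return f"0x{code:08X}"


def is_retry_error(code: int) -> bool:
    return code in RETRY_ERROR_CODES


@dataclass(frozen=True)
class SoftwareUpdatePoint:
    name: str
    forest: str


def order_sup_list(sups: List[SoftwareUpdatePoint], client_forest: str,
                   rng: Optional[random.Random] = None) -> List[SoftwareUpdatePoint]:
    """Random order, but software update points in the client's own forest come first."""
    rng = rng or random.Random()
    same = [s for s in sups if s.forest == client_forest]
    other = [s for s in sups if s.forest != client_forest]
    rng.shuffle(same)
    rng.shuffle(other)
    return same + other


@dataclass
class ScanAttempt:
    minute: int
    sup: str
    code: int  # 0 means the scan succeeded


def simulate_scan_retries(sup_names: List[str], outcomes: Dict[str, List[int]],
                          retry_interval: int = RETRY_INTERVAL_MIN,
                          max_failures: int = RETRY_ATTEMPTS,
                          switch_delay: int = SWITCH_DELAY_MIN) -> Tuple[Optional[str], List[ScanAttempt]]:
    """Walk the retry/switch process. `outcomes` maps a SUP name to the error code
    returned on each successive attempt (the last entry repeats). Returns the SUP
    that finally served a successful scan (or None) and the attempt timeline."""
    timeline: List[ScanAttempt] = []
    minute = 0
    for sup in sup_names:
        codes = outcomes.get(sup, [0])
        for failures in range(max_failures):
            code = codes[min(failures, len(codes) - 1)]
            timeline.append(ScanAttempt(minute, sup, code))
            if code == 0:
                return sup, timeline          # affinity stays with this SUP from now on
            if not is_retry_error(code):
                return None, timeline         # assumption: non-retry errors end the cycle
            if failures + 1 < max_failures:
                minute += retry_interval      # same SUP, 30 minutes later
        minute += switch_delay                # fourth failure: short wait, then next SUP
    return None, timeline


if __name__ == "__main__":
    # Constructed scenario: SUP-A keeps returning WU_E_POLICY_NOT_SET, SUP-B is healthy.
    sups = [SoftwareUpdatePoint("SUP-B", "contoso.local"), SoftwareUpdatePoint("SUP-A", "contoso.local"),
            SoftwareUpdatePoint("SUP-C", "partner.local")]
    ordered = [s.name for s in order_sup_list(sups, "contoso.local", random.Random(1))]
    used, log = simulate_scan_retries(ordered, {"SUP-A": [2149842970], "SUP-B": [0]})
    for a in log:
        print(f"t+{a.minute:3}min {a.sup}: {'ok' if a.code == 0 else wua_hex(a.code)}")
    print("scanning against:", used)
```

The printed timeline makes the cost of a failing server visible: a client spends at least 92 minutes on a dead software update point before it moves on, which is why the page recommends checking boundary groups before deliberately switching clients.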
Manually switch clients to a new software update point
Switch Configuration Manager clients to a new software update point when there are issues with the active
software update point. This change only happens when a client receives multiple software update points from a
management point.
IMPORTANT
When you switch devices to use a new server, the devices use fallback to find that new server. Clients switch to the new
software update point during their next software updates scan cycle.
Before you start this change, review your boundary group configurations to make sure that your software update points
are in the correct boundary groups. For more information, see Software update points.
Switching to a new software update point generates additional network traffic. The amount of traffic depends on your
WSUS configuration settings, for example, the synchronized classifications and products, or use of a shared WSUS
database. If you plan to switch multiple devices, consider doing so during maintenance windows. This timing reduces the
impact to your network when clients scan with the new software update point.
NOTE
To ensure that the best security protocols are in place, we highly recommend that you use the TLS/SSL protocol to help
secure your software update infrastructure. Beginning with the September 2020 cumulative update, HTTP-based WSUS
servers will be secure by default. A client scanning for updates against an HTTP-based WSUS will no longer be allowed to
leverage a user proxy by default. If you still require a user proxy despite the security trade-offs, a new software updates
client setting is available to allow these connections. For more information about the changes for scanning WSUS, see
September 2020 changes to improve security for Windows devices scanning WSUS.
Configure firewalls
The software update point at a Configuration Manager central administration site communicates with WSUS on
the software update point. WSUS communicates with the synchronization source to synchronize software
updates metadata. Software update points at a child site communicate with the software update point at the
parent site. When there's more than one software update point at a primary site, the additional software update
points communicate with the default software update point. The default role is the first software update point
that's installed at the site.
You might need to configure the firewall to allow the HTTP or HTTPS traffic that WSUS uses in following
scenarios:
Between the software update point and the internet
Between a software update point and its upstream synchronization source
Between additional software update points
The connection to Microsoft Update is always configured to use port 80 for HTTP and port 443 for HTTPS. Use a
custom port for the connection from WSUS on the software update point at a child site to WSUS on the
software update point at the parent site. When your security policy doesn't allow the connection, use the export
and import synchronization method. For more information, see the Synchronization source section in this
article. For more information about the ports that WSUS uses, see How to determine the port settings used by
WSUS in Configuration Manager.
Restrict access to specific domains
If your organization restricts network communication with the internet using a firewall or proxy device, you
need to allow the active software update point to access internet endpoints. Then WSUS and Automatic Updates
can communicate with the Microsoft Update cloud service.
For more information, see Internet access requirements.
IMPORTANT
If you're sharing the WSUS database (SUSDB) across multiple software update points for the top-level site, make sure that
each of those WSUS servers meets the internet access requirements for software updates. When the database is shared at
the top-level site, Configuration Manager can select any one of those WSUS servers to sync with Microsoft Update.
Synchronization schedule
Configure the synchronization schedule only at the software update point on the top-level site in the
Configuration Manager hierarchy. When you configure the synchronization schedule, the software update point
synchronizes with the synchronization source at the date and time that you specified. The custom schedule
allows you to synchronize software updates to optimize for your environment. Consider the performance
demands of the WSUS server, site server, and network. For example, 2:00 AM once a week. Alternatively,
manually start synchronization on the top-level site by using the Synchronization Software Updates action
from the All Software Updates or Software Update Groups nodes in the Configuration Manager console.
TIP
Schedule the software updates synchronization to run by using a time that's appropriate for your environment. One
common scenario is to set the synchronization schedule to run shortly after Microsoft's regular software update release
on the second Tuesday of each month. This day is typically referred to as Patch Tuesday. If you use Configuration Manager
to deliver Endpoint Protection and Windows Defender definition and engine updates, consider setting the synchronization
schedule to run daily.
After the software update point successfully synchronizes, it sends a synchronization request to child sites. If you
have additional software update points at a primary site, it sends a synchronization request to each software
update point. This process is repeated on every site in the hierarchy.
Update classifications
Every software update is defined with an update classification that helps to organize the different types of
updates. During the synchronization process, the site synchronizes the metadata for the specified classifications.
Configuration Manager supports synchronization of the following update classifications:
Critical Updates : A broadly released update for a specific problem that addresses a critical, non-security-related bug.
Definition Updates : An update to virus or other definition files.
Feature Packs : New product features that are distributed outside of a product release and are typically
included in the next full product release.
Security Updates : A broadly released update for a product-specific, security-related issue.
Service Packs : A cumulative set of hotfixes that is applied to an OS or application. These hotfixes include
security updates, critical updates, and software updates.
Tools : A utility or feature that helps to complete one or more tasks.
Update Rollups : A cumulative set of hotfixes that is packaged together for easy deployment. These
hotfixes include security updates, critical updates, and software updates. An update rollup generally
addresses a specific area, such as security or a product component.
Updates : An update to an application or file that's currently installed.
Upgrades : A feature update to a new version of Windows 10.
Configure the update classification settings only on the top-level site. The update classification settings aren't
configured on the software update point on child sites, because the software updates metadata is replicated
from the top-level site. When you select the update classifications, be aware the more classifications that you
select, the longer it takes to synchronize the software updates metadata.
WARNING
As a best practice, clear all classifications before you synchronize for the first time. After the initial synchronization, select
the desired classifications, and then rerun synchronization.
Products
The metadata for each software update defines one or more products for which the update is applicable. A
product is a specific edition of an OS or application. An example of a product is Microsoft Windows 10. A
product family is the base OS or application from which the individual products are derived. An example of a
product family is Microsoft Windows, of which Windows 10 and Windows Server 2016 are members. Select a
product family or individual products within a product family.
When software updates are applicable to multiple products, and at least one of the products is selected for
synchronization, all of the products appear in the Configuration Manager console even if some products weren't
selected. For example, you only select the Windows Server 2012 product. If a software update applies to
Windows Server 2012 and Windows Server 2012 Datacenter Edition, both products are in the site database.
Configure the product settings only on the top-level site. The product settings aren't configured on the software
update point for child sites because the software updates metadata is replicated from the top-level site. The
more products that you select, the longer it takes to synchronize the software updates metadata.
IMPORTANT
Configuration Manager stores a list of products and product families that you choose from when you first install the
software update point. Products and product families that are released after Configuration Manager is released might not
be available to select until you complete synchronization. The synchronization process updates the list of available
products and product families from which you can choose. Clear all products before you synchronize software updates for
the first time. After the initial synchronization, select the desired products, and then rerun synchronization.
Supersedence rules
Typically, a software update that supersedes another software update does one or more of the following actions:
Enhances, improves, or updates the fix that was provided by one or more previously released updates.
Improves the efficiency of the superseded update file package, which is installed on clients if the update is
approved for installation. For example, the superseded update might contain files that are no longer
relevant to the fix or to the operating systems that are supported by the new update. Those files aren't
included in the superseding file package of the update.
Updates newer versions of a product. In other words, the superseding update applies to newer versions or
configurations of the product and no longer to the older ones that the superseded update covered. Updates
can also supersede other updates when language support is expanded. For example, a later revision of a
product update for Microsoft 365 Apps might remove support for an older OS, but add support for
languages that the initial release of the update lacked.
In the properties for the software update point, specify that the superseded software updates are immediately
expired. This setting prevents them from being included in new deployments. It also flags the existing
deployments to indicate that they contain one or more expired software updates. Or specify a period of time
before the superseded software updates are expired. This action allows you to continue to deploy them.
Consider the following scenarios in which you might need to deploy a superseded software update:
A superseding software update supports only newer versions of an OS. Some of your client computers
run earlier versions of the OS.
A superseding software update has more restricted applicability than the software update it supersedes.
This behavior would make it inappropriate for some clients.
A superseding software update wasn't approved for deployment in your production environment.
Configuration Manager can automatically expire superseded updates based on a schedule you choose. You can
specify the supersedence rules behavior for feature updates separately from non-feature updates . The
default setting is to wait 3 months before expiring a superseded update. The 3 month default is to give you time
to verify the update is no longer needed by any of your client computers. It's recommended that you don't
assume that superseded updates should be immediately expired in favor of the new, superseding update. You
can display a list of the software updates that supersede the software update on the Supersedence
Information tab in the software update properties.
Languages
The language settings for the software update point allow you to configure:
The languages for which the summary details (software updates metadata) are synchronized for software
updates
The software update file languages that are downloaded for software updates
Software update file
Configure languages for the Software update file setting in the properties for the software update point. This
setting provides the default languages that are available when you download software updates at a site. Modify
the languages that are selected by default each time that the software updates are downloaded or deployed.
During the download process, the software update files for the configured languages are downloaded to the
deployment package source location, if the software update files are available in the selected language. Next,
they're copied to the content library on the site server. Then they're distributed to the distribution points that are
configured for the package.
Configure the software update file language settings with the languages that are most often used in your
environment. For example, clients in your site use mostly English and Japanese for Windows or applications.
There are few other languages that are used at the site. Select only English and Japanese in the Software
Update File column when you download or deploy the software update. This action allows you to use the
default settings on the Language Selection page of the deployment and download wizards. This action also
prevents unneeded update files from being downloaded. Configure this setting at each software update point in
the Configuration Manager hierarchy.
Summary details
During the synchronization process, the summary details information (software updates metadata) is updated
for software updates in the languages that you specify. The metadata provides information about the software
update, for example:
Name
Description
Products that the update supports
Update classification
Article ID
Download URL
Applicability rules
Configure the summary details settings only on the top-level site. The summary details aren't configured on the
software update point on child sites because the software updates metadata is replicated from the top-level
site. When you select the summary details languages, select only
the languages that you need in your environment. The more languages that you select, the longer it takes to
synchronize the software updates metadata. Configuration Manager displays the software updates metadata in
the locale of the OS in which the Configuration Manager console runs. If the localized properties for the
software updates aren't available in the locale of this OS, the software updates information displays in English.
IMPORTANT
Select all of the summary details languages that you need. When the software update point at the top-level site
synchronizes with the synchronization source, the selected summary details languages determine the software updates
metadata that it retrieves. If you modify the summary details languages after synchronization ran at least one time, it
retrieves the software updates metadata for the modified summary details languages only for new or updated software
updates. The software updates that have already been synchronized aren't updated with new metadata for the modified
languages unless there's a change to the software update on the synchronization source.
If you need to change the maximum run time of an update, you can configure the software update
settings for it.
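The criteria described in the Update classifications, Products, Supersedence rules and Languages sections above can be set from PowerShell instead of the console. The following is an added example, not code from the original page or from Microsoft: it configures the top-level software update point component with Set-CMSoftwareUpdatePointComponent, forces a synchronization, and then lists the superseded updates that the supersedence wait period still keeps deployable. Assumptions: the Configuration Manager console (which ships the PowerShell module) is installed on the machine, the site code ABC is a placeholder for your top-level site, and the classification, product and language names are the display names shown in the console after the first synchronization. Check the parameter names against Get-Help Set-CMSoftwareUpdatePointComponent for the version of the module you run.

```powershell
# Added example (not from the original page or from Microsoft).
# Configures the synchronization criteria on the top-level site and reviews superseded updates.
# Assumptions: console installed locally; 'ABC' is a placeholder site code; names below are
# the display names that appear in the console after the first synchronization.

$SiteCode = 'ABC'   # assumption: replace with your top-level site code
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Push-Location "$($SiteCode):"   # the module creates a PSDrive named after the site code

# Keep the criteria narrow: every extra classification, product and summary language
# lengthens the synchronization run, so select only what clients in this hierarchy need.
$criteria = @{
    SiteCode                 = $SiteCode
    AddUpdateClassification  = @('Critical Updates', 'Security Updates', 'Definition Updates', 'Update Rollups')
    AddProduct               = @('Windows 10, version 1903 and later', 'Windows Server 2019')
    AddLanguageSummaryDetail = @('English')               # metadata language, top-level site only
    AddLanguageUpdateFile    = @('English', 'Japanese')   # update binaries, configured per software update point
    # Supersedence: keep superseded updates deployable for the 3-month default instead of
    # expiring them at once, for both non-feature and feature updates.
    ImmediatelyExpireSupersedence           = $false
    WaitMonth                               = 3
    ImmediatelyExpireSupersedenceForFeature = $false
    WaitMonthForFeature                     = 3
}
Set-CMSoftwareUpdatePointComponent @criteria

# Changed criteria only take effect after a synchronization, so force a full one now.
Sync-CMSoftwareUpdate -FullSync $true

# Superseded-but-not-expired updates are the ones the 3-month window keeps deployable.
# Review them before they expire; DateRevised helps estimate when the window closes.
Get-CMSoftwareUpdate -IsSuperseded $true -IsExpired $false -Fast |
    Sort-Object DateRevised |
    Select-Object ArticleID, LocalizedDisplayName, DateRevised |
    Format-Table -AutoSize

Pop-Location
```

The synchronization itself runs asynchronously in the WSUS Sync Manager component, so the last query reflects the previous synchronization until wsyncmgr.log on the site server reports that the new one has finished.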
Next steps
Once you plan for software updates, see Prepare for software updates management.
For more information about managing Windows as a service, see Fundamentals of Configuration Manager as a
service and Windows as a service.
Prerequisites for software updates in Configuration Manager
9/17/2021 • 9 minutes to read
NOTE
When you have multiple software update points at a site, ensure that they're all running the same version of WSUS.
IMPORTANT
The WSUS version on the site server must be the same as the WSUS version that's running on the software update
points.
Don't use WSUS Administration Console to configure WSUS settings. Configuration Manager connects to the instance
of WSUS that is running on the software update point and configures the appropriate settings.
IMPORTANT
Beginning with the September 2020 cumulative update, HTTP-based WSUS servers will be secure by default. A client
scanning for updates against an HTTP-based WSUS will no longer be allowed to leverage a user proxy by default. If you
still require a user proxy despite the security trade-offs, a new software updates client setting is available to allow these
connections. For more information about the changes for scanning WSUS, see September 2020 changes to improve
security for Windows devices scanning WSUS. To ensure that the best security protocols are in place, we highly
recommend that you use the TLS/SSL protocol to help secure your software update infrastructure.
IMPORTANT
Both KB 3095113 and KB 3159706 are included in the Security Monthly Quality Rollup starting in July 2017. This
means you may not see KB 3095113 and KB 3159706 as installed updates since they may have been installed with a
rollup. However, if you need either of these updates, we recommend installing a Security Monthly Quality Rollup
released after October 2017 since they contain an additional WSUS update to decrease memory utilization on WSUS's
clientwebservice.
Additionally, errors resembling the following are logged in the PatchDownloader.log file:
Download http://wsus.ds.b1.download.windowsupdate.com/d/upgr/2015/12/10586.0.151029-
1700.th2_release_...esd...
Authentication of file C:\Users\{username}\AppData\Local\Temp\2\{temporary_filename}.tmp failed, error
0x800b0004
ERROR: DownloadContentFiles() failed with hr=0x80073633
# This log is truncated for readability.
Historically, when these errors occurred, they would be resolved by doing a modified version of the resolution
steps for WSUS. Because these steps are similar to the resolution for not doing the manual steps required after
KB 3159706 installation, we've combined both sets of steps into a single resolution in the section below:
To recover from synchronizing the upgrades before you install KB 3095113 or KB 3159706.
Historical information about KB 3159706
KB 3148812 was initially released in April 2016 to enable WSUS to natively decrypt the .esd files used for
upgrading Windows 10 packages. KB 3148812 caused problems for some customers and was replaced with KB
3159706. KB 3159706 needs to be installed on all your software update points and site servers before you can
service Windows 10 Version 1607 and later devices. However, problems can arise if you don't realize the KB
requires the following manual steps after installation:
1. From an elevated command prompt run
"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing .
2. Restart the WSUS service on all of the WSUS servers.
If you don't realize that KB 3159706 had manual steps after installation, or you synchronized in the upgrade for
Windows 10 1607 before installing KB 3159706, you would run into issues connecting to the WSUS console
and deploying the upgrade respectively. When a client downloaded the upgrade file, it would get a
0xC1800118 error code.
Because the resolution steps are similar to the resolution for synchronizing upgrades before KB 3095113
installation, we've combined both sets of steps into a single resolution in the next section.
To recover from synchronizing the upgrades before you install KB 3095113 or KB 3159706
Follow the steps below to resolve both the 0xc1800118 error and "Error: Invalid certificate signature":
1. Disable the Upgrades classification in both WSUS and Configuration Manager. You don't want a
synchronization to occur until you're directed to by these instructions.
Uncheck the Upgrades classification in the software update point component properties on the top-
level site.
For more information, see Configure classifications and products.
Uncheck the Upgrades classification from WSUS under Products and Classifications on the
Options page, or use the PowerShell ISE running as administrator.
If you share the WSUS database between multiple WSUS servers, you only need to uncheck
Upgrades once for each database.
2. On each WSUS server, from an elevated command prompt run:
"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing . Then, restart the WSUS
service on all of the WSUS servers.
WSUS places the database into single user mode before it checks to see if servicing is needed. The
servicing either runs or doesn't run based on the results of the check. Then, the database is put back
into multi-user mode.
If you share the WSUS database between multiple WSUS servers, you only need to do this servicing
once for each database.
3. Delete all of the Windows 10 upgrades from each WSUS database using the PowerShell ISE running as
administrator.
# Load the WSUS administration API and connect to the local WSUS server.
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
# Delete every update in the Upgrades classification whose title mentions Windows 10.
$wsus.GetUpdates() | Where {$_.UpdateClassificationTitle -eq 'Upgrades' -and $_.Title -match 'Windows 10'} |
ForEach-Object {$wsus.DeleteUpdate($_.Id.UpdateId.ToString()); Write-Host $_.Title removed}
4. Delete files from the tbFile table from each of the WSUS databases used by your software update points. On
the WSUS database, run the following commands from SQL Server Management Studio:
# On an affected client, in an elevated PowerShell session: stop the Windows Update agent,
# clear its datastore so it discards the stale upgrade metadata, and start it again.
Stop-Service wuauserv
Remove-Item -Path c:\windows\softwaredistribution\datastore -Recurse -Force
# If the device has a hidden ~BT folder on the c drive, delete it too by uncommenting the next line.
# Remove-Item -Path c:\~BT -Recurse -Force
Start-Service wuauserv
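Steps 1 and 2 of the recovery above are done by hand on every WSUS server. The following is an added example, not code from the original page or from Microsoft, that automates the WSUS-side part of step 1 (disable the Upgrades classification in the subscription), runs the servicing of step 2 with a failure check, and then verifies that no Upgrades remain enabled or present before you re-enable the classification in Configuration Manager. Assumptions: it runs elevated on the WSUS server, the UpdateServices PowerShell module installed with the WSUS role is available, wsusutil.exe is in its default folder, and you have already cleared Upgrades in the software update point component properties on the top-level site.

```powershell
# Added example (not from the original page or from Microsoft).
# Run elevated on each WSUS server used by your software update points.
# Assumptions: UpdateServices module present (ships with the WSUS role), wsusutil.exe in its
# default folder, Upgrades already cleared in the Configuration Manager console.

Import-Module UpdateServices
$wsus = Get-WsusServer   # local WSUS instance; add -Name/-PortNumber for a remote one

# Step 1 (WSUS side): disable the Upgrades classification in the subscription so the next
# sync cannot pull the upgrade metadata back in. The setting lives in SUSDB, so with a
# shared database this only needs to happen once per database.
$upgrades = Get-WsusClassification | Where-Object { $_.Classification.Title -eq 'Upgrades' }
if ($upgrades) { $upgrades | Set-WsusClassification -Disable }

# Step 2: WSUS servicing. wsusutil puts SUSDB into single-user mode while it checks whether
# servicing is needed, so run it once per database and not while another front-end WSUS
# server is using that database.
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil postinstall /servicing
if ($LASTEXITCODE -ne 0) {
    throw "wsusutil postinstall /servicing returned exit code $LASTEXITCODE"
}
Restart-Service -Name WsusService -Force

# Verification: the subscription must no longer include Upgrades, and after step 3 above
# no update in the Upgrades classification should remain in this database.
$subscription = $wsus.GetSubscription()
$stillEnabled = $subscription.GetUpdateClassifications() | Where-Object { $_.Title -eq 'Upgrades' }
$remaining    = @($wsus.GetUpdates() | Where-Object { $_.UpdateClassificationTitle -eq 'Upgrades' })

[pscustomobject]@{
    Server                        = $wsus.Name
    UpgradesClassificationEnabled = [bool]$stillEnabled
    UpgradeUpdatesRemaining       = $remaining.Count
}
```

Only re-enable the Upgrades classification in the software update point component properties once both values reported at the end are false and 0 on every WSUS server; otherwise the next synchronization re-imports the upgrades before the servicing fix has taken effect.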
Next steps
Prepare for software updates management
Best practices for software updates in Configuration Manager
9/17/2021 • 3 minutes to read
IMPORTANT
Also share the local WSUS content folders when you use a shared WSUS database for software update points.
For more information on sharing the WSUS database, see the following blog posts:
How to implement a shared SUSDB for Configuration Manager software update points
Considerations for multiple WSUS instances sharing a content database when using Configuration
Manager.
When Configuration Manager and WSUS use the same SQL Server, configure one to use a named instance
and the other to use the default instance
When the Configuration Manager and WSUS databases share the same instance of SQL Server, you can't easily
determine the resource usage between the two applications. Use different SQL Server instances for
Configuration Manager and WSUS. This configuration makes it easier to troubleshoot and diagnose resource
usage issues that might occur for each application.
Specify the "Store updates locally" setting
When you install WSUS, select the setting to Store updates locally . This setting causes WSUS to download the
license terms that are associated with software updates. It downloads the terms during the synchronization
process and stores them on the local hard drive for the WSUS server. If you don't select this setting, client
computers might fail compliance scans for software updates that have license terms. The WSUS
Synchronization Manager component of the software update point verifies that this setting is enabled every
60 minutes, by default.
Configure your software update points to use TLS/SSL
Configuring Windows Server Update Services (WSUS) servers and their corresponding software update points
to use TLS/SSL may reduce the ability of a potential attacker to remotely compromise a client and elevate
privileges. To ensure that the best security protocols are in place, we highly recommend that you use the
TLS/SSL protocol to help secure your software update infrastructure. For more information, see the Configure a
software update point to use TLS/SSL with a PKI certificate tutorial.
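The two recommendations above, store updates locally and serve WSUS over TLS/SSL, can be checked on each WSUS server from PowerShell. The following is an added example, not code from the original page or from Microsoft: it reads the WSUS configuration through the UpdateServices module and checks that the WSUS Administration site in IIS has an HTTPS binding on the port the software update point uses. Assumptions: it runs elevated on the WSUS server with the UpdateServices and WebAdministration modules available, the IIS site keeps its default name WSUS Administration, and 8531 is the conventional WSUS TLS port (pass another port if you changed it).

```powershell
# Added example (not from the original page or from Microsoft).
# Checks 'Store updates locally' and the HTTPS binding on a WSUS server.
# Assumptions: run elevated on the WSUS server; UpdateServices and WebAdministration modules
# available; IIS site name 'WSUS Administration' (the default); TLS port 8531 unless overridden.

Import-Module UpdateServices
Import-Module WebAdministration

function Test-WsusBestPractice {
    param([int]$SslPort = 8531)

    $wsus   = Get-WsusServer
    $config = $wsus.GetConfiguration()

    # 'Store updates locally' is the inverse of HostBinariesOnMicrosoftUpdate: when that flag
    # is true, WSUS leaves binaries (and the license terms clients need for compliance scans)
    # on Microsoft Update instead of its local content folder.
    $storesLocally = -not $config.HostBinariesOnMicrosoftUpdate

    # WSUS over TLS needs an https binding on its IIS site on the port clients are given.
    $httpsBinding = Get-WebBinding -Name 'WSUS Administration' -Protocol https -Port $SslPort

    [pscustomobject]@{
        Server               = $wsus.Name
        StoresUpdatesLocally = $storesLocally
        ContentPath          = $config.LocalContentCachePath
        HttpsBindingOnPort   = [bool]$httpsBinding
        SslPort              = $SslPort
    }
}

Test-WsusBestPractice
```

A missing HTTPS binding means clients configured for TLS/SSL cannot scan against this software update point at all, while a present binding is only the first half of the work: the certificate on it must chain to a root the clients trust, as covered in the TLS/SSL tutorial referenced above.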
See Also
Plan for software updates
Security and privacy for software updates in Configuration Manager
9/17/2021 • 3 minutes to read
IMPORTANT
If you configure the software update point to enable SSL communications for the WSUS server, you must
configure virtual roots for SSL on the WSUS server.
IMPORTANT
Before you install the software update point site system role (SUP), you must verify that the server meets the required
dependencies and determine the software update point infrastructure for the site. For more information about how to
plan for software updates and to determine your software update point infrastructure, see Plan for software updates.
The software update point is required on the central administration site and on the primary sites to enable
software updates compliance assessment and to deploy software updates to clients. The software update point
is optional on secondary sites. The software update point site system role must be created on a server that has
WSUS installed. The software update point interacts with the WSUS services to configure the software update
settings and to request synchronization of software updates metadata. When you have a Configuration Manager
hierarchy, install and configure the software update point on the central administration site first, then on child
primary sites, and then optionally, on secondary sites. When you have a stand-alone primary site, not a central
administration site, install and configure the software update point on the primary site first, and then optionally,
on secondary sites. Some settings are only available when you configure the software update point on a top-
level site. There are different options that you must consider depending on where you installed the software
update point.
IMPORTANT
You can install more than one software update point on a site. The first software update point that you install is
configured as the synchronization source, which synchronizes the updates from Microsoft Update or from the
upstream synchronization source. The other software update points on the site are configured as replicas of the first
software update point. Therefore, some settings are not available after you install and configure the initial software
update point.
It is not supported to install the software update point site system role on a server that has been configured and used
as a standalone WSUS server or using a software update point to directly manage WSUS clients. Existing WSUS servers
are only supported as upstream synchronization sources for the active software update point. See Synchronize from
an upstream data source location
You can add the software update point site system role to an existing site system server or you can create a new
one. On the System Role Selection page of the Create Site System Server Wizard or Add Site System
Roles Wizard , depending on whether you add the site system role to a new or existing site server, select
Software update point , and then configure the software update point settings in the wizard. The settings are
different depending on the version of Configuration Manager that you use. For more information about how to
install site system roles, see Install site system roles.
Use the following sections for information about the software update point settings on a site.
WSUS settings
You must configure WSUS settings on different pages of the Create Site System Server Wizard or Add Site
System Roles Wizard depending on the version of Configuration Manager that you use, and in some cases,
only in the properties for the software update point, also known as Software Update Point Component
Properties. Use the information in the following sections to configure the WSUS settings.
IMPORTANT
To ensure that the best security protocols are in place, we highly recommend that you use the TLS/SSL protocol to help
secure your software update infrastructure. Beginning with the September 2020 cumulative update, HTTP-based WSUS
servers will be secure by default. A client scanning for updates against an HTTP-based WSUS will no longer be allowed to
leverage a user proxy by default. If you still require a user proxy despite the security trade-offs, a new software updates
client setting is available to allow these connections. For more information about the changes for scanning WSUS, see
September 2020 changes to improve security for Windows devices scanning WSUS.
Synchronization source
You can configure the upstream synchronization source for software updates synchronization on the
Synchronization Source page of the wizard, or on the Sync Settings tab in Software Update Point
Component Properties. Your options for the synchronization source vary depending on the site.
Use the following table for the available options when you configure the software update point at a site.
Site                                                       Synchronization source options
Central administration site or stand-alone primary site    Synchronize from Microsoft Update; Synchronize from an upstream data source location; Do not synchronize from Microsoft Update or upstream data source
Additional software update points at a site                Synchronize from an upstream data source location
Child primary site                                         Synchronize from an upstream data source location
Secondary site                                             Synchronize from an upstream data source location
The following list provides more information about each option that you can use as the synchronization source:
Synchronize from Microsoft Update : Use this setting to synchronize software updates metadata from
Microsoft Update. The central administration site must have Internet access; otherwise, synchronization
will fail. This setting is available only when you configure the software update point on the top-level site.
When there's a firewall between the software update point and the Internet, the firewall might
need to be configured to accept the HTTP and HTTPS ports that are used for the WSUS Web site.
You can also choose to restrict access on the firewall to limited domains. For more information
about how to plan for a firewall that supports software updates, see Configure firewalls.
If you're sharing the WSUS database, be aware that Configuration Manager randomly chooses the
software update point between the front-end WSUS servers. Ensure that the internet access
requirements are met for each of the WSUS servers. If internet access requirements aren't met,
then sync failures can occur. You may see different software update points at the top-level site
syncing with Microsoft.
Synchronize from an upstream data source location : Use this setting to synchronize software
updates metadata from the upstream synchronization source. The child primary sites and secondary sites
are automatically configured to use the parent site URL for this setting. You have the option to
synchronize software updates from an existing WSUS server. Specify a URL, such as
https://WSUSServer:8531 , where 8531 is the port that is used to connect to the WSUS server.
Do not synchronize from Microsoft Update or upstream data source : Use this setting to
manually synchronize software updates when the software update point at the top-level site is
disconnected from the Internet. For more information, see Synchronize software updates from a
disconnected software update point.
You can also configure whether to create WSUS reporting events on the Synchronization Source page of the
wizard or on the Sync Settings tab in Software Update Point Component Properties. Configuration Manager
doesn't use these events; therefore, you will normally choose the default setting Do not create WSUS
reporting events .
Synchronization schedule
Configure the synchronization schedule on the Synchronization Schedule page of the wizard or in the
Software Update Point Component Properties. This setting is configured only on the software update point at
the top-level site.
If you enable the schedule, you can configure a recurring simple or custom synchronization schedule. When you
configure a simple schedule, the start time is based on the local time for the computer that runs the
Configuration Manager console at the time when you create the schedule. When you configure the start time for
a custom schedule, it's based on the local time for the computer that runs the Configuration Manager console.
TIP
Schedule software updates synchronization to run by using a time-frame that is appropriate for your environment. One
typical scenario is to set the software updates synchronization schedule to run shortly after the Microsoft regular security
update release on the second Tuesday of each month, which is normally referred to as Patch Tuesday. Another typical
scenario is to set the software updates synchronization schedule to run daily when you use software updates to deliver
the Endpoint Protection definition and engine updates.
NOTE
When you choose not to enable software updates synchronization on a schedule, you can manually synchronize software
updates from the All Software Updates or Software Update Groups node in the Software Library workspace. For
more information, see synchronize software updates.
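The synchronization source, reporting events option and schedule described in the two sections above can be set together from PowerShell. The following is an added example, not code from the original page or from Microsoft: it sets a Patch Tuesday schedule (second Tuesday of every month) on the top-level site, keeps WSUS reporting events disabled as the text recommends, shows the upstream-WSUS alternative for a site without Internet access, and triggers a manual synchronization. Assumptions: the Configuration Manager console is installed on the machine, ABC is a placeholder site code, https://wsus01.corp.example:8531 is a placeholder upstream WSUS URL, and the log path is the default site server install location. Check the parameter and enumeration names against Get-Help for the module version you run.

```powershell
# Added example (not from the original page or from Microsoft).
# Sets synchronization source, reporting events and schedule on the top-level site.
# Assumptions: console installed locally; 'ABC' is a placeholder site code;
# 'https://wsus01.corp.example:8531' is a placeholder upstream WSUS; default log path.

$SiteCode = 'ABC'
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Push-Location "$($SiteCode):"

# Second Tuesday of every month at 20:00 local time, a few hours after the Microsoft
# security release. Start time is interpreted in the local time of the console computer.
$patchTuesday = New-CMSchedule -Start (Get-Date '2021-09-14 20:00') -DayOfWeek Tuesday -WeekOrder Second -RecurCount 1

# Alternative for sites that deliver Endpoint Protection definitions: once a day.
# $daily = New-CMSchedule -Start (Get-Date '2021-09-14 02:00') -RecurInterval Days -RecurCount 1

Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode `
    -SynchronizeAction SynchronizeFromMicrosoftUpdate `
    -ReportingEvent DoNotCreateWsusReportingEvents `
    -EnableSynchronization $true `
    -Schedule $patchTuesday

# Site whose software update point has no Internet access but can reach an existing WSUS
# server: synchronize from that server instead (8531 is the WSUS port for TLS).
# Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode `
#     -SynchronizeAction SynchronizeFromAnUpstreamDataSourceLocation `
#     -UpstreamSourceLocation 'https://wsus01.corp.example:8531'

# Start a synchronization now rather than waiting for the schedule, then follow the WSUS
# Sync Manager log (this part only works when run on the site server itself).
Sync-CMSoftwareUpdate -FullSync $true
Get-Content -Path 'C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log' -Tail 30 -Wait

Pop-Location
```

The -Wait on Get-Content keeps following the log until you interrupt it; a successful run ends with the sync-succeeded status message in wsyncmgr.log, after which the new classifications and products appear in the console.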
Supersedence rules
Configure the supersedence settings on the Supersedence Rules page of the wizard or on the Supersedence
Rules tab in Software Update Point Component Properties. You can configure the supersedence rules only on
the top-level site. You can also specify the supersedence rules behavior for feature updates separately from
non-feature updates .
On this page, you can specify when superseded software updates are expired in Configuration Manager, which
prevents them from being included in new deployments and flags the existing deployments to indicate that the
superseded software updates contain one or more expired software updates. You can specify a period of time
before the superseded software updates are expired, which allows you to continue to deploy them. For more
information, see Supersedence rules.
The default setting is to wait 3 months before expiring a superseded update. The 3 month default is to give you
time to verify the update is no longer needed by any of your client computers. It's recommended that you don't
assume that superseded updates should be immediately expired in favor of the new, superseding update. You
can display a list of the software updates that supersede the software update on the Supersedence
Information tab in the software update properties.
NOTE
The Supersedence Rules page of the wizard is available only when you configure the first software update point at the
site. This page is not displayed when you install additional software update points.
Classifications
Configure the classifications settings on the Classifications page of the wizard, or on the Classifications tab
in Software Update Point Component Properties. For more information about software update classifications,
see Update classifications.
NOTE
The Classifications page of the wizard is available only when you configure the first software update point at the site.
This page is not displayed when you install additional software update points.
TIP
When you first install the software update point on the top-level site, clear all of the software updates classifications. After
the initial software updates synchronization, configure the classifications from an updated list, and then re-initiate
synchronization. This setting is configured only on the software update point at the top-level site.
Products
Configure the product settings on the Products page of the wizard, or on the Products tab in Software Update
Point Component Properties.
NOTE
The Products page of the wizard is available only when you configure the first software update point at the site. This
page is not displayed when you install additional software update points.
TIP
When you first install the software update point on the top-level site, clear all of the products. After the initial software
updates synchronization, configure the products from an updated list, and then re-initiate synchronization. This setting is
configured only on the software update point at the top-level site.
Languages
Configure the language settings on the Languages page of the wizard, or on the Languages tab in Software
Update Point Component Properties. Specify the languages for which you want to synchronize software update
files and summary details. The Software Update File setting is configured at each software update point in the
Configuration Manager hierarchy. The Summary Details settings are configured only on the top-level software
update point. For more information, see Languages.
NOTE
The Languages page of the wizard is available only when you install the software update point at the central
administration site. You can configure the Software Update File languages at child sites from the Languages tab in
Software Update Point Component Properties.
Next steps
You installed the software update point starting at the top-most site in your Configuration Manager hierarchy.
Repeat the procedures in this article to install the software update point on child sites.
Once you have your software update points installed, go to synchronize software updates.
Synchronize software updates
9/17/2021 • 5 minutes to read
NOTE
Software update points must be connected to their upstream synchronization source to synchronize software updates.
When a software update point is disconnected from its upstream synchronization source, you can use the export and
import method to synchronize software updates. For more information, see Synchronize software updates from a
disconnected software update point.
Next steps
After you synchronize software updates for the first time, or after there are new classifications or products
available, you must configure the new classifications and products to synchronize software updates with the
new criteria.
After you synchronize software updates with the criteria that you need, manage settings for software updates.
Configure classifications and products to synchronize
9/17/2021 • 11 minutes to read
NOTE
Use the procedure from this section only on the top-level site.
NOTE
You can select the Include Microsoft Surface drivers and firmware updates checkbox to synchronize
Microsoft Surface drivers. All software update points must run Windows Server 2016 or later to successfully
synchronize Surface drivers. If you enable a software update point on a computer running Windows Server 2012
after you enable Surface drivers, the scan results for the driver updates are not accurate. This results in incorrect
compliance data displayed in the Configuration Manager console and in Configuration Manager reports. For more
information, see Manage Surface drivers with Configuration Manager.
5. On the Products tab, specify the products for which you want to synchronize software updates, and then
click Close .
Configuration Manager stores a list of products and product families from which you can choose
when you first install the software update point. Products and product families that are released
after Configuration Manager is released might not be available to select until you complete
software updates synchronization, which updates the list of available products and product
families from which you can choose.
The metadata for each software update defines the products for which the update is applicable. A
product is a specific edition of an operating system or application, such as Windows Server 2012.
A product family is the base operating system or application from which the individual products
are derived. An example of a product family is Windows, of which Windows Server 2012 is a
member. You can specify a product family or individual products within a product family. The more
products that you select, the longer it takes to synchronize software updates.
When software updates are applicable to multiple products, and at least one of the products was
selected for synchronization, all of the products appear in the Configuration Manager console even
if some products weren't selected. For example, if Windows Server 2012 is the only operating
system that you selected, and if a software update applies to Windows 8 and Windows Server
2012, both products are displayed in the Configuration Manager console.
NOTE
Windows 10, version 1903 and later was added to Microsoft Update as its own product rather than being
part of the Windows 10 product like earlier versions. This change caused you to do a number of manual steps to
ensure that your clients see these updates. We've helped reduce the number of manual steps you have to take for
the new product in Configuration Manager version 1906.
When you update to Configuration Manager version 1906 and have the Windows 10 product selected for
synchronization, the following actions occur automatically:
The Windows 10, version 1903 and later product is added for synchronization.
Automatic Deployment Rules containing the Windows 10 product will be updated to include Windows 10,
version 1903 and later.
Servicing plans are updated to include the Windows 10, version 1903 and later product.
The update will automatically synchronize with WSUS if you have the Windows 10, version
1903 and later product and Upgrades classification selected for synchronization.
In the Configuration Manager console, go to the Software Library workspace, expand Windows
10 Servicing, and select the All Windows 10 Updates node. Search for the terms
"enablement" or "4517245".
TIP
Since these are feature updates, they aren't in the All Software Updates node.
Windows 10, version 1809 and earlier clients are upgraded with a single direct feature update.
This is just like all other previous installations for Feature Updates that you've done for Windows 10.
NOTE
Both the enablement package and the traditional feature update for Windows 10, version 1909 will show as "Installed" in
reporting, regardless of which path was used to install it.
TIP
Starting in Configuration Manager 2010, you'll be notified in-console about devices with operating systems that are past
the end of support date and that are no longer eligible to receive security updates. For more information, see Console
notifications. This information is provided for your convenience and only for use internally within your company. You
should not solely rely on this information to confirm update or license compliance. Be sure to verify the accuracy of the
information provided to you.
Next steps
Start software updates synchronization to retrieve software updates based on the new criteria. For more
information, see Synchronize software updates.
Manage settings for software updates
IMPORTANT
The Enable software updates on clients setting is enabled by default. If you clear this setting, Configuration
Manager removes the existing deployment policies from the client.
Beginning with the September 2020 cumulative update, HTTP-based WSUS servers will be secure by default. A
client scanning for updates against an HTTP-based WSUS will no longer be allowed to leverage a user proxy by
default. If you still require a user proxy despite the security trade-offs, a new software updates client setting is
available to allow these connections. For more information about the changes for scanning WSUS, see September
2020 changes to improve security for Windows devices scanning WSUS. To ensure that the best security protocols
are in place, we highly recommend that you use the TLS/SSL protocol to help secure your software update
infrastructure.
For information about how to configure client settings, see How to configure client settings.
For more information about the client settings, see About client settings.
NOTE
On the All Software Updates node, Configuration Manager displays only the software updates that have a
Critical and Security classification and that have been released in the last 30 days.
Article ID : Specifies the article ID for the software update. The referenced article provides more detailed
information about the software update and the issue that the software update fixes or improves.
Date revised : Specifies the date that the software update was last modified.
Maximum severity rating : Specifies the vendor-defined severity rating for the software update.
Description : Provides an overview of what condition the software update fixes or improves.
Applicable languages : Lists the languages for which the software update is applicable.
Affected products : Lists the products for which the software update is applicable.
Content information
In the Content Information tab, review the following information about the content that is associated with the
selected software update:
Content ID : Specifies the content ID for the software update.
Downloaded : Indicates whether Configuration Manager has downloaded the software update files.
Language : Specifies the languages for the software update.
Source Path : Specifies the path to the software update source files.
Size (MB) : Specifies the size of the software update source files.
Custom bundle information
In the Custom Bundle Information tab, review the custom bundle information for the software update. When
the selected software update contains bundled software updates that are contained in the software update file,
they are displayed in the Bundle information section. This tab does not display bundled software updates that
are displayed in the Content Information tab, such as update files for different languages.
Supersedence information
On the Supersedence Information tab, you can view the following information about the supersedence of the
software update:
This update has been superseded by the following updates : Specifies the software updates that
supersede this update, which means that the updates listed are newer. In most cases, you will deploy one
of the software updates that supersedes the software update. The software updates that are displayed in
the list contain hyperlinks to webpages that provide more information about the software updates. When
this update is not superseded, None is displayed.
This update supersedes the following updates : Specifies the software updates that are superseded
by this software update, which means this software update is newer. In most cases, you will deploy this
software update to replace the superseded software updates. The software updates that are displayed in
the list contain hyperlinks to web pages that provide more information about the software updates.
When this update does not supersede any other update, None is displayed.
Configure software updates settings
In the properties, you can configure software update settings for one or more software updates. You can
configure most software update settings only at the central administration site or stand-alone primary site. The
following sections will help you to configure settings for software updates.
Set maximum run time
In the Maximum Run Time tab, set the maximum amount of time a software update is allotted to complete on
client computers. If the update takes longer than the maximum run-time value, Configuration Manager creates a
status message and stops the software updates installation. You can configure this setting only on the central
administration site or a stand-alone primary site.
Configuration Manager also uses this setting to determine whether to initiate the software update installation
within a configured maintenance window. If the maximum run-time value is greater than the available
remaining time in the maintenance window, the software updates installation is postponed until the start of the
next maintenance window. When there are multiple software updates to be installed on a client computer with a
configured maintenance window (timeframe), the software update with the lowest maximum run time installs
first, then the software update with the next lowest maximum run time installs next, and so on. Before it installs
each software update, the client verifies that the available maintenance window will provide enough time to
install the software update. After a software update starts installing, it will continue to install even if the
installation goes beyond the end of the maintenance window. For more information about maintenance
windows, see How to use maintenance windows.
On the Maximum Run Time tab, you can view and configure the following settings:
Maximum run time : Specifies the maximum number of minutes allotted for a software update installation
to complete before the installation is stopped by Configuration Manager. This setting is also used to
determine whether there is enough available time remaining to install the update before the end of a
maintenance window. The default setting is 60 minutes for service packs. For other software update types,
the default is 10 minutes if you did a fresh install of Configuration Manager version 1511 or higher and 5
minutes when you upgraded from a previous version. Values can range from 5 to 9999 minutes.
IMPORTANT
Be sure to set the maximum run time value smaller than the configured maintenance window time or increase the
maintenance window time to a value greater than the maximum run time. Otherwise, the software update installation will
never initiate.
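The ordering and time checks described above, as an added simulation that is not part of the Configuration Manager documentation. The function name, the hashtable layout (Name, MaxRunTime, ActualMinutes) and the sample updates are all constructed for this illustration; ActualMinutes stands in for how long an install really took, which the client only knows after the fact.

```powershell
# Added example, not from the Configuration Manager documentation: a small simulation of how
# updates are ordered and admitted inside one maintenance window. Inputs are constructed sample data.

function Get-MaintenanceWindowPlan {
    param(
        # Length of the maintenance window in minutes.
        [Parameter(Mandatory)] [int] $WindowMinutes,
        # Each update: @{ Name; MaxRunTime (minutes); ActualMinutes (constructed, simulation only) }
        [Parameter(Mandatory)] [hashtable[]] $Updates
    )

    $remaining = $WindowMinutes
    $plan = @()

    # The update with the lowest maximum run time installs first, then the next lowest, and so on.
    foreach ($u in ($Updates | Sort-Object { $_.MaxRunTime })) {
        if ($u.MaxRunTime -gt $WindowMinutes) {
            # Larger than the whole window: this update can never start in it (see the IMPORTANT note).
            $plan += [pscustomobject]@{ Update = $u.Name; MaxRunTime = $u.MaxRunTime; Remaining = $remaining; Action = 'NeverInstalls' }
            continue
        }
        if ($u.MaxRunTime -gt $remaining) {
            # Not enough time left in this window: postponed to the start of the next window.
            $plan += [pscustomobject]@{ Update = $u.Name; MaxRunTime = $u.MaxRunTime; Remaining = $remaining; Action = 'Postponed' }
            continue
        }
        # Enough time for the worst case, so the install starts. Once started it runs to completion
        # even past the end of the window, so only the actual duration is deducted from the window.
        $plan += [pscustomobject]@{ Update = $u.Name; MaxRunTime = $u.MaxRunTime; Remaining = $remaining; Action = 'Installs' }
        $remaining -= $u.ActualMinutes
    }
    $plan
}

# Constructed sample: a 60-minute window and three updates using the default maximum run times.
$sampleUpdates = @(
    @{ Name = 'Update A (sample)'; MaxRunTime = 10; ActualMinutes = 8 },
    @{ Name = 'Update B (sample)'; MaxRunTime = 60; ActualMinutes = 45 },
    @{ Name = 'Update C (sample)'; MaxRunTime = 5;  ActualMinutes = 3 }
)
Get-MaintenanceWindowPlan -WindowMinutes 60 -Updates $sampleUpdates | Format-Table -AutoSize
```

With the sample data, Update C (5 minutes) is admitted first, then Update A (10 minutes), and Update B is postponed because its 60-minute maximum no longer fits in the 49 minutes that remain. Raising Update B's maximum run time above the 60-minute window would move it to NeverInstalls, which is the misconfiguration the IMPORTANT note warns about.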
Prerequisites
This tutorial covers the most common method to obtain a certificate for use with Internet Information Services
(IIS). Whichever method your organization uses, ensure that the certificate meets the PKI certificate
requirements for a Configuration Manager software update point. As with any certificate, the certificate
authority must be trusted by devices communicating with the WSUS server.
A WSUS server with the software update point role installed
Verify you've followed best practices on disabling recycling and configuring memory limits for WSUS before
enabling TLS/SSL.
One of the two following options:
An appropriate PKI certificate already in the WSUS server's Personal certificate store.
The ability to request and obtain an appropriate PKI certificate for the WSUS server from your
Enterprise root certificate authority (CA).
By default, most certificate templates including the WebServer certificate template will only
issue to Domain Admins. If the logged in user isn't a domain admin, their user account will
need to be granted the Enroll permission on the certificate template.
TIP
If your WSUS server is internet facing, you'll need the external FQDN in the Subject or Subject Alternative Name (SAN) in
your certificate.
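A check of the certificate prerequisites listed above, added here as an example; it is not part of the Configuration Manager documentation. The function name, the thumbprint placeholder and the name wsus.contoso.com are assumptions to replace with your own values. It relies on the DnsNameList property that PowerShell adds to certificates read from the Cert: drive.

```powershell
# Added example, not from the Configuration Manager documentation: checks a certificate in the
# WSUS server's Personal store against the prerequisites above (private key, validity, Server
# Authentication usage, FQDN in Subject or SAN, trusted chain). Run it on the WSUS server.

function Test-WsusServerCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        # The name clients use to reach WSUS (the external FQDN if the server is internet facing).
        [Parameter(Mandatory)] [string] $Fqdn
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage
    $now = Get-Date

    # Names the certificate is valid for: the Subject CN plus every DNS entry in the SAN.
    $names = @()
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    foreach ($dns in $Certificate.DnsNameList) { $names += $dns.Unicode }

    # Collect the OIDs from the Enhanced Key Usage extension, if one exists.
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    [pscustomobject]@{
        Subject         = $Certificate.Subject
        HasPrivateKey   = $Certificate.HasPrivateKey                 # IIS needs the key to terminate TLS
        WithinValidity  = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        ServerAuthEku   = ($ekuOids -contains $serverAuthOid)
        NameMatchesFqdn = ($names -contains $Fqdn)                   # exact match only; wildcard names are not handled (assumption)
        ChainTrusted    = $Certificate.Verify()                      # chain builds to a CA trusted on this machine
    }
}

# Usage: select the certificate you intend to bind in IIS (thumbprint placeholder) and test it.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq 'REPLACE-WITH-THUMBPRINT' }
if ($cert) { Test-WsusServerCertificate -Certificate $cert -Fqdn 'wsus.contoso.com' }
```

ChainTrusted reflects the trust store of the machine running the check; the prerequisite is that the clients and the site server trust the issuing CA, so a True here on the WSUS server is necessary but not sufficient, and a False is a definite problem.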
TIP
If your WSUS server is internet facing, specify the external FQDN when running WsusUtil.exe configuressl.
5. If your Configuration Manager site server is remote from the software update point, launch the WSUS
console from the site server and verify the WSUS console can connect over SSL.
If the remote WSUS console can't connect, it likely indicates a problem with either trusting the
certificate, name resolution, or the port being blocked.
6. In the WCM.log for the site, you'll see the following entries when you apply the change:
SCF change notification triggered.
Populating config from SCF
Setting new configuration state to 1 (WSUS_CONFIG_PENDING)
...
Attempting connection to local WSUS server
Successfully connected to local WSUS server
...
Setting new configuration state to 2 (WSUS_CONFIG_SUCCESS)
Log file examples have been edited to remove unneeded information for this scenario.
Starting Sync
...
Full sync required due to changes in main WSUS server location.
...
Found active SUP SERVER.CONTOSO.COM from SCF File.
...
https://SERVER.CONTOSO.COM:8531
...
Done synchronizing WSUS Server SERVER.CONTOSO.COM
...
sync: Starting SMS database synchronization
...
Done synchronizing SMS with WSUS Server SERVER.CONTOSO.COM
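A log check for the WCM.log entries shown above, added as an example and not part of the Configuration Manager documentation. The function name is an assumption; the sample lines are constructed to mirror the excerpt, including the CMTrace wrapper (<![LOG[...]LOG]!><time=... >) that the excerpt strips, and the component, time and date values in them are placeholders.

```powershell
# Added example, not from the Configuration Manager documentation: parses WCM.log lines and reports
# whether the software update point configuration reached WSUS_CONFIG_SUCCESS over an HTTPS URL.
# Accepts the CMTrace line format (<![LOG[message]LOG]!><time=...>) as well as plain text lines.

function Get-WsusConfigStatus {
    param([Parameter(Mandatory)] [string[]] $LogLines)

    $state = $null
    $url = $null
    $connected = $false

    foreach ($line in $LogLines) {
        # Unwrap the CMTrace format if present; otherwise treat the whole line as the message.
        $msg = if ($line -match '<!\[LOG\[(.*?)\]LOG\]!>') { $Matches[1] } else { $line }

        if ($msg -match 'Setting new configuration state to \d+ \((\w+)\)') {
            $state = $Matches[1]            # the last state written wins
        }
        elseif ($msg -match 'Successfully connected to local WSUS server') {
            $connected = $true
        }
        elseif ($msg -match '(https?://\S+)') {
            $url = $Matches[1]              # the WSUS URL the site is using
        }
    }

    [pscustomobject]@{
        FinalState = $state
        Connected  = $connected
        WsusUrl    = $url
        UsesTls    = ($null -ne $url -and $url -like 'https://*')
        Healthy    = ($state -eq 'WSUS_CONFIG_SUCCESS' -and $connected -and $null -ne $url -and $url -like 'https://*')
    }
}

# Constructed sample lines modelled on the excerpt above (time, date and component values are placeholders).
$sampleLog = @(
    '<![LOG[SCF change notification triggered.]LOG]!><time="10:00:00.000+000" date="09-17-2021" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="1" thread="1" file="">',
    '<![LOG[Setting new configuration state to 1 (WSUS_CONFIG_PENDING)]LOG]!><time="10:00:01.000+000" date="09-17-2021" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="1" thread="1" file="">',
    '<![LOG[Successfully connected to local WSUS server]LOG]!><time="10:00:02.000+000" date="09-17-2021" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="1" thread="1" file="">',
    'https://SERVER.CONTOSO.COM:8531',
    '<![LOG[Setting new configuration state to 2 (WSUS_CONFIG_SUCCESS)]LOG]!><time="10:00:03.000+000" date="09-17-2021" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="1" thread="1" file="">'
)
Get-WsusConfigStatus -LogLines $sampleLog

# Against the real log on the site server (path placeholder):
# Get-WsusConfigStatus -LogLines (Get-Content '<ConfigMgrInstallDir>\Logs\WCM.log')
```

On the sample, FinalState is WSUS_CONFIG_SUCCESS, UsesTls is True and Healthy is True. A site still pointing at an http:// URL after the SSL change, or one stuck at WSUS_CONFIG_PENDING, shows up as Healthy = False, which is the case step 5 above tells you to chase (certificate trust, name resolution or a blocked port).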
TIP
Open this script in community hub. For more information, see Direct links to community hub items.
2. Run a software update scan cycle on your test client. You can force a scan with the following PowerShell
script:
TIP
Open this script in community hub. For more information, see Direct links to community hub items.
3. Review the client's ScanAgent.log to verify the message to scan against the software update point was
received.
4. Review the LocationServices.log to verify that the client sees the correct WSUS URL.
5. Review the WUAHandler.log to verify that the client can successfully scan.
NOTE
Software update scans for devices will continue to run successfully using the default value of Yes for the Enforce TLS
certificate pinning for Windows Update client for detecting updates client setting. This includes scans over both
HTTP and HTTPS. The certificate pinning doesn't take effect until a certificate is in the client's
WindowsServerUpdateServices store and the WSUS server is configured to use TLS/SSL.
Enable or disable TLS certificate pinning for devices scanning HTTPS-configured WSUS servers
1. From the Configuration Manager console, go to Administration > Client Settings.
2. Choose the Default Client Settings or a custom set of client settings, then select Properties from the
ribbon.
3. Select the Software Updates tab in the Client settings.
4. Choose one of the following options for the Enforce TLS certificate pinning for Windows Update
client for detecting updates setting:
No : Don't enable enforcement of TLS certificate pinning for WSUS scanning
Yes : Enables enforcement of TLS certificate pinning for devices during WSUS scanning (default)
5. Verify clients can scan for updates.
Next steps
Deploy software updates
Synchronize software updates from a disconnected software update point
Site type | Synchronization source | Export server
Central administration site | Microsoft Update (Internet); existing WSUS server | Choose a WSUS server that is synchronized with Microsoft Update by using the software update classifications, products, and languages that you need in your Configuration Manager environment.
Stand-alone primary site | Microsoft Update (Internet); existing WSUS server | Choose a WSUS server that is synchronized with Microsoft Update by using the software update classifications, products, and languages that you need in your Configuration Manager environment.
Before you start the export process, verify that software updates synchronization is completed on the selected
export server to ensure that the most recent software updates metadata is synchronized. To verify that software
updates synchronization has completed successfully, use the following procedure.
To verify that software updates synchronization has completed successfully on the export server
1. Open the WSUS Administration console and connect to the WSUS database on the export server.
2. In the WSUS Administration console, click Synchronizations. A list of the software updates
synchronization attempts is displayed in the results pane.
3. In the results pane, find the latest software updates synchronization attempt and verify that it completed
successfully.
IMPORTANT
The WSUSUtil tool must be run locally on the export server to export the software updates metadata, and it also must
be run on the disconnected software update point server to import the software updates metadata. In addition, the
user that runs the WSUSUtil tool must be a member of the local Administrators group on each server.
If you are using Windows Server 2012, ensure KB2819484 is installed on the WSUS servers.
NOTE
The package (.xml.gz file) and the log file name must be unique in the current folder.
3. Move the export package to the folder that contains WSUSutil.exe on the import WSUS server.
NOTE
If you move the package to this folder, the import experience can be easier. You can move the package to any
location that is accessible to the import server, and then specify the location when you run WSUSutil.exe.
Import software updates metadata
Use the following procedure to import software updates metadata from the export server to the disconnected
software update point.
IMPORTANT
Never import any exported data from a source that you do not trust. If you import content from a source that you do
not trust, it might compromise the security of your WSUS server.
Next steps
After you synchronize software updates for the first time, or after there are new classifications or products
available, you must configure the new classifications and products to synchronize software updates with the
new criteria.
After you synchronize software updates with the criteria that you need, manage settings for software updates.
Synchronize Microsoft 365 Apps updates from a disconnected software update point
NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more
information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration
Manager console and supporting documentation while the console is being updated.
Prerequisites
An internet-connected WSUS server running a minimum of Windows Server 2012.
The WSUS server needs connectivity to these two internet endpoints:
officecdn.microsoft.com
config.office.com
Copy the OfflineUpdateExporter tool and its dependencies to the internet connected WSUS server.
The tool and its dependencies are in the <ConfigMgrInstallDir>/tools/OfflineUpdateExporter
directory.
The user running the tool must be part of the WSUS Administrators group.
The directory created to store the Microsoft 365 Apps update metadata and content should have appropriate
access control lists (ACLs) to secure the files.
This directory must also be empty.
Data being moved from the online WSUS server to the disconnected environment should be moved securely.
IMPORTANT
Content will be downloaded for all Microsoft 365 Apps languages. Each update can have approximately 10 GB of content.
IMPORTANT
Only local paths work for the O365OflBaseUrlConfigured property.
Proxy configuration
Proxy configuration isn't natively built into the tool. If a proxy is set in the Internet Options on the server where
the tool is running, in theory it will be used and should function properly.
From a command prompt, run netsh winhttp show proxy to see the configured proxy.
# Replace this with the local directory that holds the Microsoft 365 Apps update metadata and content (only local paths work for O365OflBaseUrlConfigured).
$PropertyValue = "D:\Office365updates\content"
# $providerMachine (the SMS Provider location, obtained earlier in the full script) supplies the site code.
$SiteCode = $providerMachine.SiteCode
# Write the modified property list back to the site component object ($component, obtained earlier in the full script) and commit it to WMI.
$component.props = $properties
$component.put()
Next steps
Add software updates to an update group
Download software updates
NOTE
For information about monitoring content status, see Content status monitoring.
Use the following procedure to download software updates by using the Download Software Updates Wizard.
To download software updates
1. In the Configuration Manager console, go to the Software Library workspace, and select the Software
Updates node.
2. Choose the software update to download by using one of the following methods:
Select one or more software update groups from the Software Update Groups node. Then click
Download in the ribbon.
Select one or more software updates from All Software Updates node. Then click Download in
the ribbon.
NOTE
In the All Software Updates node, Configuration Manager displays only software updates with a
Critical and Security classification that have been released in the last 30 days.
TIP
Click Add Criteria to filter the software updates that are displayed in the All Software Updates node.
Save search criteria that you often use, and then manage saved searches on the Search tab.
3. On the Deployment Package page of the Download Software Updates Wizard, configure the following
settings:
Select deployment package : Choose this setting to select an existing deployment package for
the software updates that are in the deployment.
NOTE
Software updates that the site has already downloaded to the selected deployment package won't be
downloaded again.
Create a new deployment package : Select this setting to create a new deployment package for
the software updates in the deployment. Configure the following settings:
Name : Specifies the name of the deployment package. The package must have a unique
name that briefly describes the package content. It's limited to 50 characters.
Description : Specify a description that provides information about the deployment
package. The optional description is limited to 127 characters.
Package source : Specifies the location of the software update source files. Type a network
path for the source location, for example, \\server\sharename\path, or click Browse to find
the network location. Create the shared folder for the deployment package source files
before you proceed to the next page.
You can't use the specified location as the source of another software deployment
package.
You can change the package source location in the deployment package properties
after Configuration Manager creates the deployment package. If you do, first copy
the content from the original package source to the new package source location.
The computer account of the SMS Provider and the user that's running the wizard to
download the software updates must both have Write permissions to the download
location. Restrict access to the download location. This restriction reduces the risk of
attackers tampering with the software update source files.
Enable binary differential replication : Enable this setting to minimize network traffic
between sites. Binary differential replication (BDR) only updates the content that has
changed in the package, instead of updating the entire package contents. For more
information, see Binary differential replication.
4. On the Distribution Points page, specify the distribution points or distribution point groups to host the
software update files. For more information about distribution points, see Distribution point
configurations. This page is available only when you create a new software update deployment package.
5. The Distribution Settings page is available only when you create a new software update deployment
package. Specify the following settings:
Distribution priority : Use this setting to specify the distribution priority for the deployment
package. The distribution priority applies when the deployment package is sent to distribution
points at child sites. Deployment packages are sent in priority order: high, medium, or low.
Packages with identical priorities are sent in the order in which they were created. If there's no
backlog, the package processes immediately regardless of its priority. By default, the site sends
packages with Medium priority.
Enable for on-demand distribution : Use this setting to enable on-demand content distribution
to distribution points configured for this feature and in the client's current boundary group. When
you enable this setting, the management point creates a trigger for the distribution manager to
distribute the content to all such distribution points when a client requests the content for the
package and the content isn't available. For more information, see On-demand content
distribution.
Prestaged distribution point settings : Use this setting to specify how you want to distribute
content to prestaged distribution points. Choose one of the following options:
Automatically download content when packages are assigned to distribution
points : Use this setting to ignore the prestage settings and distribute content to the
distribution point.
Download only content changes to the distribution point : Use this setting to
prestage the initial content to the distribution point, and then distribute content changes to
the distribution point.
Manually copy the content in this package to the distribution point : Use this
setting to always prestage content on the distribution point. This option is the default.
For more information about prestaging content to distribution points, see Use Prestaged content.
6. On the Download Location page, specify the location that Configuration Manager uses to download
the software update source files. Use one of the following options:
Download software updates from the Internet : Select this setting to download the software
updates from the location on the internet. This option is the default.
Download software updates from a location on my network : Select this setting to
download the software updates from a local directory or shared folder. This setting is useful when
the computer that runs the wizard doesn't have internet access. Any computer with internet access
can preliminarily download the software updates. Then store them in a location on the local
network that's accessible from the computer that runs the wizard.
7. On the Language Selection page, select the languages for which the site downloads the selected
software updates. The site only downloads these updates if they're available in the selected languages.
Software updates that aren't language-specific are always downloaded. By default, the wizard selects the
languages that you've configured in the software update point properties. At least one language must be
selected before proceeding to the next page. When you select only languages that a software update
doesn't support, the download fails for the update.
8. On the Summary page, verify the settings that you selected in the wizard, and then click Next to
download the software updates.
9. On the Completion page, verify that the software updates were successfully downloaded, and then click
Close.
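Step 3 above says to restrict access to the package source location because the SMS Provider's computer account and the wizard user need write access there, and anyone else with write access could tamper with the update source files. The following check, added here as an example that is not part of the Configuration Manager documentation, lists NTFS entries on that folder that grant write-type rights to broad groups. The function name, the list of broad principals and the path are assumptions; the path reuses the \\server\sharename\path placeholder from the wizard text.

```powershell
# Added example, not from the Configuration Manager documentation: lists NTFS access control entries
# on a deployment package source folder that give write-type rights to broad groups.

function Get-BroadWriteAccess {
    param([Parameter(Mandatory)] [string] $Path)

    # Well-known broad principals (assumption: extend with your own, e.g. 'CONTOSO\Domain Users').
    $broadIdentities = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )
    # Any of these rights lets a principal alter or replace the update source files.
    $writeRights = [System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'
    # Some inherited entries carry generic rights instead of specific flags: GENERIC_ALL and GENERIC_WRITE.
    $genericWrite = 0x10000000 -bor 0x40000000

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $identity = $ace.IdentityReference.Value
        $mask = ([int]$writeRights) -bor $genericWrite
        $grantsWrite = (([int]$ace.FileSystemRights -band $mask) -ne 0)
        if ($broadIdentities -contains $identity -and $grantsWrite) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: check the package source share from the wizard (placeholder path).
# No output means no broad write-type entries were found on the NTFS ACL.
Get-BroadWriteAccess -Path '\\server\sharename\path' | Format-Table -AutoSize
```

This only inspects the NTFS ACL; the share-level permissions on the file share apply as well and are reviewed separately (for example with Get-SmbShareAccess on the file server). Inherited entries reported here usually mean the parent folder, not the package folder itself, is where the permission needs tightening.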
Add software updates to an update group
NOTE
Feature updates can't be added to a software update group. Use the following options to manage feature updates:
Windows servicing
Phased deployments
Upgrade OS task sequences.
Next steps
Deploy software updates
Deploy software updates
TIP
If a distribution point isn't available, clients on the intranet can also download software updates from Microsoft Update.
NOTE
Unlike other deployment types, software updates are all downloaded to the client cache. This is regardless of the
maximum cache size setting on the client. For more information about the client cache setting, see Configure the client
cache.
If you configure a required software update deployment, the software updates are automatically installed at the
scheduled deadline. Alternatively, the user on the client computer can schedule or initiate the software update
installation prior to the deadline. After the attempted installation, client computers send state messages back to
the site server to report whether the software update installation was successful. For more information about
software update deployments, see Software update deployment workflows.
There are three main scenarios for deploying software updates:
Manual deployment
Automatic deployment
Phased deployment
Typically, you start by manually deploying software updates to create a baseline for your clients, and then you
manage software updates on clients by using an automatic or phased deployment.
NOTE
You can't use an automatic deployment rule with a phased deployment.
NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more
information, see Name change for Office 365 ProPlus. You may still see references to the old name in the
Configuration Manager console and supporting documentation while the console is being updated.
When manually deploying Microsoft 365 Apps client updates, find them in the Office 365 Updates node under
Office 365 Client Management of the Software Library workspace.
IMPORTANT
A single software update deployment has a limit of 1000 software updates.
NOTE
The All Software Updates node only displays software updates with a Critical and Security classification that
have been released in the last 30 days.
2. In the search pane, filter to identify the software updates that you need. Use one or both of the following
options:
In the search text box, type a search string that filters the software updates. For example, type the
article or bulletin ID for a specific software update. Or enter a string that appears in the title of
several software updates.
Click Add Criteria, and select the criteria to filter software updates. Click Add, and then provide
the values for the criteria.
3. Click Search to filter the software updates.
TIP
Save frequently used filter criteria. On the ribbon, click the option to Save Current Search. Retrieve previous
searches by clicking on Saved Searches.
Step 2: Create a software update group that contains the software updates
Software update groups let you organize software updates in preparation for deployment. Use the following
procedure to manually add software updates to a new software update group.
Process to manually add software updates to a new software update group
1. In the Configuration Manager console, go to the Software Library workspace, and select Software
Updates. Select the desired software updates.
2. Click Create Software Update Group in the ribbon.
3. Specify the name for the software update group and optionally provide a description. Use a name and
description that provide enough information for you to determine what type of updates are in the
software update group. Click Create.
4. Select the Software Update Groups node, and select the new software update group. To display the list
of updates in the group, click Show Members in the ribbon.
NOTE
In the All Software Updates node, Configuration Manager displays only software updates with a
Critical and Security classification that have been released in the last 30 days.
TIP
Click Add Criteria to filter the software updates that are displayed in the All Software Updates node.
Save search criteria that you often use, and then manage saved searches on the Search tab.
3. On the Deployment Package page of the Download Software Updates Wizard, configure the following
settings:
Select deployment package : Choose this setting to select an existing deployment package for
the software updates that are in the deployment.
NOTE
Software updates that the site has already downloaded to the selected deployment package won't be
downloaded again.
Create a new deployment package : Select this setting to create a new deployment package for
the software updates in the deployment. Configure the following settings:
Name : Specifies the name of the deployment package. The package must have a unique
name that briefly describes the package content. It's limited to 50 characters.
Description : Specify a description that provides information about the deployment
package. The optional description is limited to 127 characters.
Package source : Specifies the location of the software update source files. Type a network
path for the source location, for example, \\server\sharename\path, or click Browse to find
the network location. Create the shared folder for the deployment package source files
before you proceed to the next page.
You can't use the specified location as the source of another software deployment
package.
You can change the package source location in the deployment package properties
after Configuration Manager creates the deployment package. If you do, first copy
the content from the original package source to the new package source location.
The computer account of the SMS Provider and the user that's running the wizard to
download the software updates must both have Write permissions to the download
location. Restrict access to the download location. This restriction reduces the risk of
attackers tampering with the software update source files.
Enable binary differential replication : Enable this setting to minimize network traffic
between sites. Binary differential replication (BDR) only updates the content that has
changed in the package, instead of updating the entire package contents. For more
information, see Binary differential replication.
4. On the Distribution Points page, specify the distribution points or distribution point groups to host the
software update files. For more information about distribution points, see Distribution point
configurations. This page is available only when you create a new software update deployment package.
5. The Distribution Settings page is available only when you create a new software update deployment
package. Specify the following settings:
Distribution priority : Use this setting to specify the distribution priority for the deployment
package. The distribution priority applies when the deployment package is sent to distribution
points at child sites. Deployment packages are sent in priority order: high, medium, or low.
Packages with identical priorities are sent in the order in which they were created. If there's no
backlog, the package processes immediately regardless of its priority. By default, the site sends
packages with Medium priority.
Enable for on-demand distribution : Use this setting to enable on-demand content distribution
to distribution points configured for this feature and in the client's current boundary group. When
you enable this setting, the management point creates a trigger for the distribution manager to
distribute the content to all such distribution points when a client requests the content for the
package and the content isn't available. For more information, see On-demand content
distribution.
Prestaged distribution point settings : Use this setting to specify how you want to distribute
content to prestaged distribution points. Choose one of the following options:
Automatically download content when packages are assigned to distribution
points : Use this setting to ignore the prestage settings and distribute content to the
distribution point.
Download only content changes to the distribution point : Use this setting to
prestage the initial content to the distribution point, and then distribute content changes to
the distribution point.
Manually copy the content in this package to the distribution point : Use this
setting to always prestage content on the distribution point. This option is the default.
For more information about prestaging content to distribution points, see Use Prestaged content.
6. On the Download Location page, specify the location that Configuration Manager uses to download
the software update source files. Use one of the following options:
Download software updates from the Internet : Select this setting to download the software
updates from the location on the internet. This option is the default.
Download software updates from a location on my network : Select this setting to
download the software updates from a local directory or shared folder. This setting is useful when
the computer that runs the wizard doesn't have internet access. Any computer with internet access
can preliminarily download the software updates. Then store them in a location on the local
network that's accessible from the computer that runs the wizard.
7. On the Language Selection page, select the languages for which the site downloads the selected
software updates. The site only downloads these updates if they're available in the selected languages.
Software updates that aren't language-specific are always downloaded. By default, the wizard selects the
languages that you've configured in the software update point properties. At least one language must be
selected before proceeding to the next page. When you select only languages that a software update
doesn't support, the download fails for the update.
8. On the Summary page, verify the settings that you selected in the wizard, and then click Next to
download the software updates.
9. On the Completion page, verify that the software updates were successfully downloaded, and then click
Close .
Process to monitor content status
1. To monitor the content status for the software updates, go to the Monitoring workspace in the
Configuration Manager console. Expand Distribution Status , and then select the Content Status node.
2. Select the software update package that you previously identified to download the software updates in
the software update group.
3. Click View Status in the ribbon.
IMPORTANT
After you create the software update deployment, you can't change the type of deployment.
Select Required to create a mandatory software update deployment. The software updates
are automatically installed on clients before the installation deadline you configure.
Select Available to create an optional software update deployment. This deployment is
available for users to install from Software Center.
NOTE
When you deploy a software update group as Required , clients download the content in the background and
honor BITS settings, if configured.
For software update groups deployed as Available , clients download the content in the foreground and
ignore BITS settings.
NOTE
This applies only when a maintenance window is configured for the client device. If no maintenance
window is defined on the device, the update installation and restart always happen after the
deadline.
Device restart behavior : This setting is only configurable for Required deployments. Specify
whether to suppress a system restart on servers and workstations if a restart is required to
complete update installation.
WARNING
Suppressing system restarts can be useful in server environments, or when you don't want the target
computers to restart by default. However, doing so can leave computers in an insecure state. Allowing a
forced restart helps to ensure immediate completion of the software update installation.
Write filter handling for Windows Embedded devices : This setting controls the installation
behavior on Windows Embedded devices that are enabled with a write filter. Choose the option to
commit changes at the installation deadline or during a maintenance window. When you select
this option, a restart is required and the changes persist on the device. Otherwise, the update is
installed, applied to the temporary overlay, and committed later.
When you deploy a software update to a Windows Embedded device, make sure the device is a
member of a collection that has a configured maintenance window.
Software updates deployment re-evaluation behavior upon restart : Select this setting to
configure software updates deployments to have clients run a software updates compliance scan
immediately after a client installs software updates and restarts. This setting enables the client to
check for additional updates that become applicable after the client restarts, then installs them
during the same maintenance window.
7. On the Alerts page, configure how Configuration Manager generates alerts for this deployment. Review
recent software updates alerts from Configuration Manager in the Software Updates node of the
Software Library workspace. If you're also using System Center Operations Manager, configure its
alerts as well. Only configure alerts for Required deployments.
8. On the Download Settings page, configure the following settings:
NOTE
Clients request the content location from a management point for the software updates in a deployment. The
download behavior depends upon how you've configured the distribution point, the deployment package, and the
settings on this page.
Specify if clients should download and install the updates when they use a distribution point from
a neighbor or the default site boundary groups.
Specify if clients should download and install the updates from a distribution point in the site
default boundary group, when the content for the software updates isn't available from a
distribution point in the current or neighbor boundary groups.
Allow clients to share content with other clients on the same subnet : Specify whether to
enable the use of BranchCache for content downloads. For more information, see BranchCache.
Starting in version 1802, BranchCache is always enabled on clients. This setting is removed, as
clients use BranchCache if the distribution point supports it.
If software updates are not available on distribution point in current, neighbor or site
boundary groups, download content from Microsoft Updates : Select this setting to have
intranet-connected clients download software updates from Microsoft Update if updates aren't
available on distribution points. Internet-based clients always go to Microsoft Update for software
updates content.
Specify whether to allow clients to download after an installation deadline when they use metered
internet connections. Internet providers sometimes charge by the amount of data that you send
and receive when you're on a metered connection.
9. On the Deployment Package page, select one of the following options:
NOTE
If you already performed Step 3: Download the content for the software update group, then the wizard doesn't
display the Deployment Package , Distribution Points , and Language Selection pages. Skip to the
Summary page of the wizard.
Software updates that have been previously downloaded to the content library on the site server aren't
downloaded again. This behavior is true even when you create a new deployment package for the software
updates. If all software updates have already been downloaded, the wizard skips to the Summary page.
11. On the Download Location page, specify whether to download the software update files from the
internet or from your local network. Configure the following settings:
Download software updates from the internet : Select this setting to download the software
updates from a specified location on the internet. This setting is enabled by default.
Download software updates from a location on the local network : Select this setting to
download the software updates from a local directory or shared folder. This setting is useful when
the computer that runs the wizard doesn't have internet access. Any computer with internet access
can preliminarily download the software updates. Then store them in a location on the local
network that's accessible from the computer that runs the wizard.
12. On the Language Selection page, select the languages for which the site downloads the selected
software updates. The site only downloads these updates if they're available in the selected languages.
Software updates that aren't language-specific are always downloaded. By default, the wizard selects the
languages that you've configured in the software update point properties. At least one language must be
selected before proceeding to the next page. When you select only languages that a software update
doesn't support, the download fails for the update.
13. On the Summary page, review the settings. To save the settings to a deployment template, click Save As
Template . Enter a name and select the settings you want to include in the template, then click Save . To
change a configured setting, click the associated wizard page and change the setting.
The template name can consist of alphanumeric ASCII characters as well as \ (backslash) or '
(single quotation mark).
14. Click Next to deploy the software update.
After you complete the wizard, Configuration Manager downloads the software updates to the content
library on the site server. It then distributes the content to the configured distribution points, and deploys
the software update group to clients in the target collection. For more information about the deployment
process, see Software update deployment process.
Next steps
Monitor software updates
Automatically deploy software updates
9/17/2021 • 21 minutes to read
WARNING
Before you create an ADR for the first time, verify that the site has completed software updates synchronization. This step
is important when you run Configuration Manager with a non-English language. Software update classifications are
displayed in English before the first synchronization, and then displayed in the localized languages after software update
synchronization completes. Rules that you create before you sync software updates might not work properly after
synchronization because the text string might not match.
The SCEP and Windows Defender Antivirus Updates template provides common
settings to use when you deploy Endpoint Protection definition updates.
Collection : Specifies the target collection to be used for the deployment. Members of the
collection receive the software updates that are defined in the deployment.
Decide whether to add software updates to a new or existing software update group. In most
cases, choose to create a new software update group when the ADR runs. If the rule runs on a
more aggressive schedule, you might choose to use an existing group. For example, if you run the
rule daily for definition updates, then you could add the software updates to an existing software
update group.
Enable the deployment after this rule is run : Specify whether to enable the software update
deployment after the ADR runs. Consider the following options for this setting:
When you enable the deployment, the updates that meet the rule's defined criteria are
added to a software update group. The software update content is downloaded as
necessary. The content is copied to the specified distribution points, and the updates are
deployed to the clients in the target collection.
When you don't enable the deployment, the updates that meet the rule's defined criteria are
added to a software update group. The software update deployment content is downloaded,
as necessary, and distributed to the specified distribution points. The site creates a disabled
deployment on the software update group to prevent the updates from being deployed to
clients. This option provides time to prepare to deploy the updates, verify the updates that
meet the criteria are adequate, and then enable the deployment.
4. On the Deployment Settings page, configure the following settings:
Type of deployment : Starting in version 2107, you can specify the deployment type for the
software update deployment. Prior to version 2107, all deployments created by an automatic
deployment rule are required.
Select Required to create a mandatory software update deployment. The software updates
are automatically installed on clients before the installation deadline you configure.
Select Available to create an optional software update deployment. This deployment is
available for users to install from Software Center.
Use Wake on LAN to wake up clients for required deployments : Specifies whether to
enable Wake On LAN at the deadline. Wake On LAN sends wake-up packets to computers that
require one or more software updates in the deployment. The site wakes up any computers that
are in sleep mode at the installation deadline time so the installation can initiate. Clients that are in
sleep mode that don't require any software updates in the deployment aren't started. By default,
this setting isn't enabled. Before using this option, configure computers and networks for Wake On
LAN. For more information, see How to configure Wake On LAN.
Detail level : Specify the level of detail for the update enforcement state messages that are
reported by clients.
IMPORTANT
When you deploy definition updates, set the detail level to Error only to have the client report a state
message only when a definition update fails. Otherwise, the client reports a large number of state
messages that might impact site server performance.
NOTE
The Error only detail level does not send the enforcement status messages required for tracking pending
reboots.
License terms setting : Specify whether to automatically deploy software updates with
associated license terms. Some software updates include license terms. When you automatically
deploy software updates, the license terms aren't displayed, and there isn't an option to accept the
license terms. Choose to automatically deploy all software updates regardless of an associated
license term, or only deploy updates that don't have associated license terms.
To review the license terms for a software update, select the software update in the All
Software Updates node of the Software Library workspace. In the ribbon, click Review
License .
To find software updates with associated license terms, add the License Terms column to
the results pane in the All Software Updates node. Click the heading for the column to
sort by the software updates with license terms.
5. On the Software Updates page, configure the criteria for the software updates that the ADR retrieves
and adds to the software update group.
The limit for software updates in the ADR is 1000 software updates.
If needed, filter on the content size for software updates in automatic deployment rules. For more
information, see Configuration Manager and simplified Windows servicing on down level
operating systems.
Starting in version 1910, you can use Deployed as an update filter for your automatic
deployment rules. This filter helps identify new updates that may need to be deployed to your pilot
or test collections. The software update filter can also help avoid redeploying older updates.
When using Deployed as a filter, be mindful that you may have already deployed the update to
another collection, such as a pilot or test collection.
Starting in version 1806, a property filter for Architecture is now available. Use this filter to
exclude architectures like Itanium and ARM64 that are less common. Remember that there are 32-
bit (x86) applications and components running on 64-bit (x64) systems. Unless you're certain that
you don't need x86, enable it as well when you choose x64.
NOTE
Windows 10, version 1903 and later was added to Microsoft Update as its own product rather than being
part of the Windows 10 product like earlier versions. This change required a number of manual steps to
ensure that your clients see these updates. Configuration Manager version 1906 reduces the number of manual
steps you have to take for the new product. For more information, see Configuring products for
versions of Windows 10.
6. On the Evaluation Schedule page, specify whether to enable the ADR to run on a schedule. When
enabled, click Customize to set the recurring schedule.
The start time configuration for the schedule is based on the local time of the computer that runs
the Configuration Manager console.
The ADR evaluation can run as often as three times per day.
Never set the evaluation schedule with a frequency that exceeds the software updates
synchronization schedule. This page displays the software update point sync schedule to help you
determine evaluation schedule frequency.
To manually run the ADR, select the rule in the Automatic Deployment Rule node of the
console, and then click Run Now in the ribbon.
Starting in version 1802, ADRs can be scheduled to evaluate offset from a base day. For example, if
Patch Tuesday actually falls on Wednesday for you, set the evaluation schedule for the second
Tuesday of the month offset by one day.
When scheduling evaluation with an offset during the last week of the month, if you choose an
offset that continues into the next month, the site schedules evaluation for the last day of the
month.
NOTE
This applies only when a maintenance window is configured for the client device. If no maintenance
window is defined on the device, the update installation and restart always happen after the
deadline.
Device restart behavior : This setting is only configurable for Required deployments. Specify
whether to suppress a system restart on servers and workstations if a restart is required to
complete update installation.
WARNING
Suppressing system restarts can be useful in server environments, or when you don't want the target
computers to restart by default. However, doing so can leave computers in an insecure state. Allowing a
forced restart helps to ensure immediate completion of the software update installation.
Write filter handling for Windows Embedded devices : This setting controls the installation
behavior on Windows Embedded devices that are enabled with a write filter. Choose the option to
commit changes at the installation deadline or during a maintenance window. When you select
this option, a restart is required and the changes persist on the device. Otherwise, the update is
installed, applied to the temporary overlay, and committed later.
When you deploy a software update to a Windows Embedded device, make sure the device is a
member of a collection that has a configured maintenance window.
Software updates deployment re-evaluation behavior upon restart : Select this setting to
configure software updates deployments to have clients run a software updates compliance scan
immediately after a client installs software updates and restarts. This setting enables the client to
check for additional updates that become applicable after the client restarts, then installs them
during the same maintenance window.
9. On the Alerts page, configure how Configuration Manager generates alerts for this deployment. Review
recent software updates alerts from Configuration Manager in the Software Updates node of the
Software Library workspace. If you're also using System Center Operations Manager, configure its
alerts as well.
10. On the Download Settings page, configure the following settings:
Specify if clients should download and install the updates when they use a distribution point from
a neighbor or the default site boundary groups.
Specify if clients should download and install the updates from a distribution point in the site
default boundary group, when the content for the software updates isn't available from a
distribution point in the current or neighbor boundary groups.
Allow clients to share content with other clients on the same subnet : Specify whether to
enable the use of BranchCache for content downloads. For more information, see BranchCache.
Starting in version 1802, BranchCache is always enabled on clients. This setting is removed, as
clients use BranchCache if the distribution point supports it.
If software updates are not available on distribution point in current, neighbor or site
boundary groups, download content from Microsoft Updates : Select this setting to have
intranet-connected clients download software updates from Microsoft Update if updates aren't
available on distribution points. Internet-based clients always go to Microsoft Update for software
updates content.
Specify whether to allow clients to download after an installation deadline when they use metered
internet connections. Internet providers sometimes charge by the amount of data that you send
and receive when you're on a metered connection.
NOTE
Clients request the content location from a management point for the software updates in a deployment. The
download behavior depends upon how you've configured the distribution point, deployment package, and the
settings on this page.
11. On the Deployment Package page, select one of the following options:
Select a deployment package : Add these updates to an existing deployment package.
Create a new deployment package : Add these updates to a new deployment package.
Configure the following additional settings:
Name : Specify the name of the deployment package. Use a unique name that describes the
package content. It's limited to 50 characters.
Description : Specify a description that provides information about the deployment
package. The optional description is limited to 127 characters.
Package source : Specifies the location of the software update source files. Type a network
path for the source location, for example, \\server\sharename\path , or click Browse to find
the network location. Create the shared folder for the deployment package source files
before you proceed to the next page.
You can't use the specified location as the source of another software deployment
package.
You can change the package source location in the deployment package properties
after Configuration Manager creates the deployment package. If you do, first copy
the content from the original package source to the new package source location.
The computer account of the SMS Provider and the user that's running the wizard to
download the software updates must both have Write permissions to the download
location. Restrict access to the download location. This restriction reduces the risk of
attackers tampering with the software update source files.
Sending priority : Specify the sending priority for the deployment package. Configuration
Manager uses this priority when it sends the package to distribution points. Deployment
packages are sent in priority order: high, medium, or low. Packages with identical priorities
are sent in the order in which they were created. If there's no backlog, the package
processes immediately regardless of its priority.
Enable binary differential replication : Enable this setting to use binary differential
replication for the deployment package. For more information, see Binary differential
replication.
No deployment package : Starting in version 1806, deploy software updates to devices without
first downloading and distributing content to distribution points. This setting is beneficial when
dealing with extremely large update content. Also use it when you always want clients to get
content from the Microsoft Update cloud service. Clients in this scenario can also download
content from peers that already have the necessary content. The Configuration Manager client
still manages the content download, so it can use the Configuration Manager peer cache
feature or other technologies such as Delivery Optimization. This feature supports any update
type supported by Configuration Manager software updates management, including Windows
and Microsoft 365 Apps updates.
NOTE
Once you select this option and apply the settings, it can no longer be changed. The other options are
greyed out.
12. On the Distribution Points page, specify the distribution points or distribution point groups to host the
software update files. For more information about distribution points, see Distribution point
configurations. This page is available only when you create a new software update deployment package.
13. On the Download Location page, specify whether to download the software update files from the
internet or from your local network. Configure the following settings:
Download software updates from the internet : Select this setting to download the software
updates from a specified location on the internet. This setting is enabled by default.
Download software updates from a location on the local network : Select this setting to
download the software updates from a local directory or shared folder. This setting is useful when
the computer that runs the wizard doesn't have internet access. Any computer with internet access
can preliminarily download the software updates. Then store them in a location on the local
network that's accessible from the computer that runs the wizard. Another scenario could be when
downloading content that is published through System Center Updates Publisher or a third-party
patching solution. The WSUS content share on the top-level software update point can be entered
as the network location to download from, such as \\server\WsusContent .
14. On the Language Selection page, select the languages for which the site downloads the selected
software updates. The site only downloads these updates if they're available in the selected languages.
Software updates that aren't language-specific are always downloaded. By default, the wizard selects the
languages that you've configured in the software update point properties. At least one language must be
selected before proceeding to the next page. When you select only languages that a software update
doesn't support, the download fails for the update.
15. On the Summary page, review the settings. To save the settings to a deployment template, click Save As
Template . Enter a name and select the settings you want to include in the template, then click Save . To
change a configured setting, click the associated wizard page and change the setting.
The template name can consist of alphanumeric ASCII characters as well as \ (backslash) or '
(single quotation mark).
16. Click Next to create the ADR.
After you complete the wizard, the ADR runs. It adds the software updates that meet the specified criteria to a
software update group. Then the ADR downloads the updates to the content library on the site server and
distributes them to the configured distribution points. The ADR then deploys the software update group to
clients in the target collection.
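The Package source settings in step 3 of the Download Software Updates Wizard and step 11 of the Create Automatic Deployment Rule Wizard both tell you to restrict write access to the download location so the source files can't be tampered with. The following script, an added example that is not part of the Configuration Manager documentation or of any Microsoft script, audits the NTFS ACL of a package source folder and reports every principal with write-capable rights that is not on your expected list; the path and the account names are placeholders for your environment.

```powershell
<#
  Added example (not from the Configuration Manager documentation).
  Reports principals that can modify files in a deployment package source folder beyond the
  ones you expect: the SMS Provider computer account and the operators who run the wizard.
  $PackageSource and the $AllowedWriters entries are placeholders for your environment.
#>
param
(
    [Parameter(Mandatory = $true)]
    [string]$PackageSource,                          # e.g. \\server\sharename\path (placeholder)

    [string[]]$AllowedWriters = @(
        'CONTOSO\CM01$',                             # placeholder: SMS Provider computer account
        'CONTOSO\CM Software Update Admins',         # placeholder: group that runs the wizard
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators'
    )
)

# Any of these rights lets a principal add, replace, delete or re-permission files in the folder.
$writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$acl = Get-Acl -Path $PackageSource

$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries grant access; Deny entries are fine.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Skip read-only entries.
    if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
    $who = $ace.IdentityReference.Value
    if ($AllowedWriters -contains $who) { continue }
    [pscustomobject]@{
        Principal = $who
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

# The folder owner can always re-grant access, so report it too if it isn't an expected principal.
if ($AllowedWriters -notcontains $acl.Owner) {
    Write-Warning "Owner of $PackageSource is '$($acl.Owner)', which is not in the expected list."
}

if ($findings) {
    Write-Warning "Unexpected write access on $PackageSource :"
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "No unexpected write access on $PackageSource (NTFS ACL only)."
```

This checks only the NTFS ACL; the SMB share permissions apply on top of it and have to be reviewed on the file server itself (for example with Get-SmbShareAccess).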
Add a new deployment to an existing ADR
After you create an ADR, add additional deployments to the rule. This action helps you manage the complexity
of deploying different updates to different collections. Each new deployment has the full range of functionality
and deployment monitoring experience.
Process to add a new deployment to an existing ADR
1. In the Configuration Manager console, go to the Software Library workspace, expand Software
Updates , select the Automatic Deployment Rules node, and then select the desired rule.
2. In the ribbon, click Add Deployment .
3. On the Collection page of the Add Deployment Wizard, configure the available settings similarly as the
General page of the Create Automatic Deployment Rule Wizard. For more information, see the previous
section on the Process to create an ADR. The rest of the Add Deployment Wizard includes the following
pages, which also match detailed descriptions above:
Deployment Settings
Deployment Schedule
User Experience
Alerts
Download Settings
Deployments can also be added programmatically using Windows PowerShell cmdlets. For a complete
description of using this method, see New-CMSoftwareUpdateDeployment .
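The wizard pages above map onto parameters of New-CMSoftwareUpdateDeployment. The following is an added example, not from the documentation or from Microsoft: it creates a Required deployment of a definition update group with the choices the page recommends (Error only detail level, no restart suppression, re-evaluation after restart, alerts only because the deployment is Required). The site code, update group and collection names are placeholders, and the parameter names are those of the cmdlet as the author recalls them from the Configuration Manager cmdlet reference, so confirm them with Get-Help New-CMSoftwareUpdateDeployment -Full before running.

```powershell
# Added example, not part of the Configuration Manager documentation or of any Microsoft script.
# Creates a Required software update deployment with the settings described on the wizard pages.

$SiteCode    = 'PS1'                                # placeholder site code
$UpdateGroup = 'Definition Updates - Monthly'       # placeholder software update group
$Collection  = 'Pilot Workstations'                 # placeholder target collection

# Load the console module and switch to the site drive (the standard module-loading pattern;
# SMS_ADMIN_UI_PATH points at ...\bin\i386 and the module lives in the parent bin folder).
$consoleBin = Split-Path -Parent $Env:SMS_ADMIN_UI_PATH
Import-Module (Join-Path $consoleBin 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Deadline one week out at 20:00 local time.
$deadline = (Get-Date).Date.AddDays(7).AddHours(20)

$deploymentParams = @{
    SoftwareUpdateGroupName     = $UpdateGroup
    CollectionName              = $Collection
    DeploymentName              = "$UpdateGroup - $Collection"
    DeploymentType              = 'Required'                  # the type can't be changed afterwards
    SendWakeupPacket            = $false                      # Wake On LAN not configured in this example
    VerbosityLevel              = 'OnlyErrorMessages'         # Error only: recommended for definition updates
    TimeBasedOn                 = 'LocalTime'
    AvailableDateTime           = (Get-Date)
    DeadlineDateTime            = $deadline
    UserNotification            = 'DisplaySoftwareCenterOnly'
    SoftwareInstallation        = $true                       # install at the deadline even outside a maintenance window
    AllowRestart                = $true                       # allow the restart outside a maintenance window
    # Assumption: $false here means "do not suppress restarts" on that device class; the page warns
    # that suppression leaves computers in an insecure state. Verify the polarity with Get-Help.
    RestartServer               = $false
    RestartWorkstation          = $false
    RequirePostRebootFullScan   = $true                       # re-evaluate compliance after the restart
    GenerateSuccessAlert        = $true                       # alerts are only meaningful for Required deployments
    PercentSuccess              = 95
    TimeValue                   = 7
    TimeUnit                    = 'Days'
    ProtectedType               = 'RemoteDistributionPoint'   # may use a neighbor/default boundary group DP
    UnprotectedType             = 'UnprotectedDistributionPoint'
    DownloadFromMicrosoftUpdate = $false                      # keep intranet clients on your own DPs
    AllowUseMeteredNetwork      = $false
}

$deployment = New-CMSoftwareUpdateDeployment @deploymentParams
$deployment | Select-Object AssignmentName, CollectionName, StartTime, EnforcementDeadline
```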
For more information about the deployment process, see Software update deployment process.
Known issues
Error code 0x87D20417
Scenario: When running Configuration Manager version 2010, you may notice that an automatic deployment
rule fails and returns Last Error Code of 0x87D20417. In the PatchDownloader.log , you see
Failed to create temp file with GetTempFileName() at temp location C:\Windows\TEMP\, error 80 and 0-byte files
in the %temp% directory.
Workaround: Remove all the files from the temp directory specified in the PatchDownloader.log and rerun
the ADR.
Resolution: Install KB 4600089, Update Rollup for Microsoft Endpoint Configuration Manager current branch,
version 2010.
Script to apply deployment package settings for automatic deployment rule
If you create an ADR with the No deployment package option, you're unable to go back and add one later. To
help you resolve this issue, we've uploaded the following script into Community hub:
TIP
Open this script directly in Community hub. For more information, see Direct links to Community hub items.
<# Apply-ADRDeploymentPackageSettings #>
#=============================================
# START SCRIPT
#=============================================
param
(
    [parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [ValidateLength(1,256)]
    [string]$sourceADRName,
    [parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [ValidateLength(1,256)]
    [string]$targetADRName
)
Try {
    # Source ADR that already has the needed deployment package. You may need to create one if it doesn't exist.
    $sourceADR = Get-CMSoftwareUpdateAutoDeploymentRule -Name $sourceADRName
    # Target ADR that will be updated to use the source ADR's deployment package. Typically, this is the ADR that used the "No deployment package" option.
    $targetADR = Get-CMSoftwareUpdateAutoDeploymentRule -Name $targetADRName
Next steps
Monitor software updates
Create phased deployments with Configuration Manager
9/17/2021
Prerequisites
Security scope
Deployments created by phased deployments aren't viewable to any administrative user that doesn't have the
All security scope. For more information, see Security scopes.
Distribute content
Before creating a phased deployment, distribute the associated content to a distribution point.
Application : Select the target application in the console and use the Distribute Content action in the
ribbon. For more information, see Deploy and manage content.
Task sequence : You have to create referenced objects like the OS upgrade package before creating the
task sequence. Distribute these objects before creating a deployment. Use the Distribute Content action
on each object, or the task sequence. To view status of all referenced content, select the task sequence,
and switch to the References tab in the details pane. For more information, see the specific object type in
Prepare for OS deployment.
Software update : create the deployment package and distribute it. Use the Download Software Updates
Wizard. For more information, see Download software updates.
Phase settings
These settings are unique to phased deployments. Configure these settings when creating or editing the phases
to control the scheduling and behavior of the phased deployment process.
Starting in version 2002, use the following Windows PowerShell cmdlets to manually configure phases for
software update and task sequence phased deployments:
New-CMSoftwareUpdatePhase
New-CMTaskSequencePhase
Criteria for success of the first phase
Deployment success percentage : Specify the percent of devices that need to successfully complete
the deployment for the first phase to succeed. By default, this value is 95%. In other words, the site
considers the first phase successful when the compliance state for 95% of the devices is Success for this
deployment. The site then continues to the second phase, and creates a deployment of the software to the
next collection.
Number of devices successfully deployed : Specify the number of devices that need to successfully
complete the deployment for the first phase to succeed. This option is useful when the size of the
collection is variable, and you have a specific number of devices to show success before moving to the
next phase.
Conditions for beginning second phase of deployment after success of the first phase
Automatically begin this phase after a deferral period (in days) : Choose the number of days to
wait before beginning the second phase after the success of the first. By default, this value is one day.
Manually begin the second phase of deployment : The site doesn't automatically begin the second
phase after the first phase succeeds. This option requires that you manually start the second phase. For
more information, see Move to the next phase.
NOTE
This option isn't available for phased deployments of applications.
Gradually make this software available over this period of time (in days)
Configure this setting for the rollout in each phase to happen gradually. This behavior helps mitigate the risk of
deployment issues, and decreases the load on the network that is caused by the distribution of content to clients.
The site gradually makes the software available depending on the configuration for each phase. Every client in a
phase has a deadline relative to the time the software is made available. The time window between the available
time and deadline is the same for all clients in a phase. The default value of this setting is zero, so by default the
deployment isn't throttled. Don't set the value higher than 30.
Configure the deadline behavior relative to when the software is made available
Installation is required as soon as possible : Set the deadline for installation on the device as soon
as the device is targeted.
Installation is required after this period of time : Set a deadline for installation a certain number of
days after device is targeted. By default, this value is seven days.
IMPORTANT
The Create Phased Deployment wizard doesn't notify you if a deployment is potentially high-risk. For more
information, see Settings to manage high-risk deployments and the note when you Deploy a task sequence.
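The following is an added example, not part of the Configuration Manager documentation, that models the phase settings described above so a planned phase can be checked before it is configured in the wizard. It covers both success criteria (percentage, default 95%, or device count), the throttled availability window (0 to 30 days), the deadline behaviors and the deferral before the next phase. The even spread of clients across the throttling period is an assumption made for planning; the site decides each client's actual availability time.

```powershell
function Test-PhaseSuccess {
    <#
      Decide whether a phase has met its success criteria. Exactly one criterion applies, as in the
      wizard: a percentage of targeted devices (default 95) or an absolute number of devices.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$TargetedDevices,
        [Parameter(Mandatory)][int]$SucceededDevices,
        [ValidateRange(1, 100)][int]$SuccessPercentage = 95,
        [int]$SuccessCount
    )
    if ($PSBoundParameters.ContainsKey('SuccessCount')) {
        return $SucceededDevices -ge $SuccessCount
    }
    if ($TargetedDevices -le 0) { return $false }
    return ((100.0 * $SucceededDevices) / $TargetedDevices) -ge $SuccessPercentage
}

function Get-PhaseRolloutPlan {
    <#
      Model when each client in a phase becomes targeted and when its deadline falls.
      Assumption (planning only): clients are spread evenly across the throttling period.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$PhaseStart,
        [Parameter(Mandatory)][ValidateRange(1, 2147483647)][int]$DeviceCount,
        # "Gradually make this software available over this period of time": 0 = not throttled, never above 30.
        [ValidateRange(0, 30)][int]$ThrottlingDays = 0,
        [ValidateSet('AsSoonAsPossible', 'AfterPeriod')][string]$DeadlineBehavior = 'AfterPeriod',
        # "Installation is required after this period of time": default seven days.
        [ValidateRange(0, 365)][int]$DeadlineDays = 7,
        # "Automatically begin this phase after a deferral period": default one day.
        [ValidateRange(0, 365)][int]$NextPhaseDeferralDays = 1
    )
    $clients = for ($i = 0; $i -lt $DeviceCount; $i++) {
        $offsetDays = if ($ThrottlingDays -eq 0) { 0 } else { ($i * $ThrottlingDays) / $DeviceCount }
        $available  = $PhaseStart.AddDays($offsetDays)
        # The window between available time and deadline is the same for every client in the phase.
        $deadline   = if ($DeadlineBehavior -eq 'AsSoonAsPossible') { $available } else { $available.AddDays($DeadlineDays) }
        [pscustomobject]@{ DeviceIndex = $i; AvailableTime = $available; Deadline = $deadline }
    }
    $lastDeadline = ($clients | Select-Object -Last 1).Deadline
    [pscustomobject]@{
        Clients                = $clients
        LastClientDeadline     = $lastDeadline
        # Worst case: the phase only reaches its success criteria when the last client hits its deadline.
        EarliestNextPhaseStart = $lastDeadline.AddDays($NextPhaseDeferralDays)
    }
}

# Pilot phase of 200 devices spread over 4 days, each with a 7-day window before its deadline.
$plan = Get-PhaseRolloutPlan -PhaseStart (Get-Date '2021-09-20 08:00') -DeviceCount 200 -ThrottlingDays 4
$plan.Clients | Select-Object -First 3 | Format-Table
$plan.LastClientDeadline
$plan.EarliestNextPhaseStart

# The same phase evaluated under each success criterion.
Test-PhaseSuccess -TargetedDevices 200 -SucceededDevices 190
Test-PhaseSuccess -TargetedDevices 200 -SucceededDevices 40 -SuccessCount 50
```

The worst-case EarliestNextPhaseStart is what a change window should be sized against: with throttling, the last client in a phase is targeted near the end of the period and still gets the full deadline window, so the phase can take ThrottlingDays plus DeadlineDays before the deferral even begins.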
4. On the Settings page, choose one option for each of the scheduling settings. For more information, see
Phase settings. Select Next when complete.
5. On the Phases page, see the two phases that the wizard creates for the specified collections. Select Next .
These instructions cover the procedure to automatically create a default two-phase deployment. The
wizard lets you add, remove, reorder, edit, or view phases for a phased deployment. For more information
on these additional actions, see Create a phased deployment with manually configured phases.
6. Confirm your selections on the Summary tab, and then select Next to complete the wizard.
NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see the old name in the Configuration Manager
product and documentation while the console is being updated.
Starting in version 2002, use the following Windows PowerShell cmdlets for this task:
New-CMApplicationAutoPhasedDeployment
New-CMSoftwareUpdateAutoPhasedDeployment
New-CMTaskSequenceAutoPhasedDeployment
NOTE
You can't currently manually create phases for an application. The wizard automatically creates two phases for application
deployments.
1. Start the Create Phased Deployment wizard for either a task sequence or software updates.
2. On the General page of the Create Phased Deployment wizard, give the phased deployment a Name ,
Description (optional), and select Manually configure all phases .
3. From the Phases page of the Create Phased Deployment wizard, the following actions are available:
Filter the list of deployment phases. Enter a string of characters for a case-insensitive match of the
Order, Name, or Collection columns.
Add a new phase:
a. On the General page of the Add Phase Wizard, specify a Name for the phase, and then
browse to the target Phase Collection . The additional settings on this page are the same
as when normally deploying a task sequence or software updates.
b. On the Phase Settings page of the Add Phase Wizard, configure the scheduling settings,
and select Next when complete. For more information, see Settings.
NOTE
You can't edit the phase settings, Deployment success percentage or Number of devices
successfully deployed , on the first phase. These settings only apply to phases that have a
previous phase.
c. The settings on the User Experience and Distribution Points pages of the Add Phase
Wizard are the same as when normally deploying a task sequence or software updates.
d. Review the settings on the Summary page, and then complete the Add Phase Wizard.
Edit : This action opens the selected phase's Properties window, which has tabs the same as the
pages of the Add Phase Wizard.
Remove : This action deletes the selected phase.
WARNING
There is no confirmation, and no way to undo this action.
Move Up or Move Down : The wizard orders the phases by how you add them. The most recently
added phase is last in the list. To change the order, select a phase, and then use these buttons to
move the phase's location in the list.
IMPORTANT
Review the phase settings after changing the order. Make sure the following settings are still consistent
with your requirements for this phased deployment:
Criteria for success of the previous phase
Conditions for beginning this phase of deployment after success of the previous phase
4. Select Next . Review the settings on the Summary page, and then complete the Create Phased
Deployment wizard.
Starting in version 2002, use the following Windows PowerShell cmdlets for this task:
New-CMSoftwareUpdateManualPhasedDeployment
New-CMTaskSequenceManualPhasedDeployment
After you create a phased deployment, open its properties to make changes:
Add additional phases to an existing phased deployment.
If a phase isn't active, you can Edit , Remove , or Move it up or down. You can't move it before an active
phase.
When a phase is active, it's read-only. You can't edit it, remove it, or move its location in the list. The only
option is to View the properties of the phase.
An application phased deployment is always read-only.
Next steps
Manage and monitor phased deployments:
Application
Software update
Task sequence
Monitor software updates in Configuration Manager
9/17/2021
TIP
Starting in version 2107, you can right-click the status of a deployment and select Evaluate Software Update
Deployments to send a notification to the selected devices to run a software update deployment evaluation cycle.
Monitor content
You can monitor content in the Configuration Manager console to review the status for all package types in
relation to the associated distribution points. This can include the content validation status for the content in the
package, the status of content assigned to a specific distribution point group, the state of content assigned to a
distribution point, and the status of optional features for each distribution point (content validation, PXE, and
multicast).
Content status monitoring
The Content Status node in the Monitoring workspace provides information about content packages. You can
review general information about the package, distribution status for the package, and detailed status
information about the package. Use the following procedure to view content status.
To monitor content status
1. In the Configuration Manager console, navigate to Monitoring > Overview > Distribution Status >
Content Status . The packages are displayed.
2. Select the package for which to view detailed status information.
3. On the Home tab, click View Status . Detailed status information for the package is displayed.
Distribution point group status
The Distribution Point Group Status node in the Monitoring workspace provides information about
distribution point groups. You can review general information about the distribution point group, such as
distribution point group status and compliance rate, as well as detailed status information for the distribution
point group. Use the following procedure to view distribution point group status.
To monitor distribution point group status
1. In the Configuration Manager console, navigate to Monitoring > Overview > Distribution Status >
Distribution Point Group Status . The distribution point groups are displayed.
2. Select the distribution point group for which to view detailed status information.
3. On the Home tab, click View Status . Detailed status information for the distribution point group is
displayed.
Distribution point configuration status
The Distribution Point Configuration Status node in the Monitoring workspace provides information
about the distribution point. You can review which attributes are enabled for the distribution point, such as the
PXE, Multicast, and content validation. You can also view detailed status information for the distribution point.
Use the following procedure to view distribution point configuration status.
To monitor distribution point configuration status
1. In the Configuration Manager console, navigate to Monitoring > Overview > Distribution Status >
Distribution Point Configuration Status . The distribution points are displayed.
2. Select the distribution point for which to view distribution point status information.
3. In the results pane, click the Details tab. Status information for the distribution point is displayed.
Next steps
Log files for Software Updates
Software Updates management whitepaper
Manage and monitor phased deployments
9/17/2021
This article describes how to manage and monitor phased deployments. Management tasks include manually
beginning the next phase, and suspending or resuming a phase.
First, you need to create a phased deployment:
Application
Software update
Task sequence
Starting in version 2002, use the following Windows PowerShell cmdlet for this task:
Move-CMPhasedDeploymentToNext.
Suspend and resume phases
You can manually suspend or resume a phased deployment. For example, you create a phased deployment for a
task sequence. While monitoring the phase to your pilot group, you notice a large number of failures. You
suspend the phased deployment to stop further devices from running the task sequence. After resolving the
issue, you resume the phased deployment to continue the rollout.
1. How to start this action varies based on the type of deployed software:
Application : Go to the Software Library workspace, expand Application Management , and
select Applications .
Software update : Go to the Software Library workspace, and then select one of the following
nodes:
Software Updates
All Software Updates
Software Update Groups
Windows 10 Servicing, All Windows 10 Updates
Office 365 Client Management, Office 365 Updates
Task sequence : Go to the Software Library workspace, expand Operating Systems , and
select Task Sequences . Select an existing task sequence, and then click Create Phased
Deployment in the ribbon.
2. Select the software with the phased deployment.
3. In the details pane, switch to the Phased Deployments tab.
4. Select the phased deployment, and click Suspend or Resume in the ribbon.
NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see the old name in the Configuration Manager
product and documentation while the console is being updated.
Starting in version 2002, use the following Windows PowerShell cmdlets for this task:
Suspend-CMPhasedDeployment
Resume-CMPhasedDeployment
Monitor
Phased deployments have their own dedicated monitoring node, making it easier to identify phased
deployments you have created and navigate to the phased deployment monitoring view. From the Monitoring
workspace, select Phased Deployments , then double-click one of the phased deployments to see the status.
This dashboard shows the following information for each phase in the deployment:
Total devices or Total resources : How many devices are targeted by this phase.
Status : The current status of this phase. Each phase can be in one of the following states:
Deployment created : The phased deployment created a deployment of the software to the
collection for this phase. Clients are actively targeted with this software.
Waiting : The previous phase hasn't yet reached the success criteria for the deployment to
continue to this phase.
Suspended : An administrator suspended the deployment.
Progress : The color-coded deployment states from clients. For example: Success, In Progress, Error,
Requirements Not Met, and Unknown.
Success criteria tile
Use the Select Phase drop-down list to change the display of the Success Criteria tile. This tile compares the
Phase Goal against the current compliance of the deployment. With the default settings, the phase goal is 95%.
This value means that the deployment needs a 95% compliance to move to the next phase.
In the example, the phase goal is 65%, and the current compliance is 66.7%. The phased deployment
automatically moved to the second phase, because the first phase met the success criteria.
The phase goal is the same as the Deployment success percentage on the Phase Settings for the next phase.
For the phased deployment to start the next phase, that second phase defines the criteria for success of the first
phase. To view this setting:
1. Go to the phased deployment object on the software, and open the Phased Deployment Properties.
2. Switch to the Phases tab. Select Phase 2 and click View .
3. In the phase Properties window, switch to the Phase Settings tab.
4. View the value for Deployment success percentage in the Criteria for success of the previous phase
group.
For example, the following properties are for the same phase as the success criteria tile shown above where the
criteria is 65%:
PowerShell
Use the following Windows PowerShell cmdlets to manage phased deployments:
Automatically create phased deployments
New-CMApplicationAutoPhasedDeployment
New-CMSoftwareUpdateAutoPhasedDeployment
New-CMTaskSequenceAutoPhasedDeployment
Manually create phased deployments
New-CMSoftwareUpdatePhase
New-CMSoftwareUpdateManualPhasedDeployment
New-CMTaskSequencePhase
New-CMTaskSequenceManualPhasedDeployment
Get existing phased deployment objects
Get-CMApplicationPhasedDeployment
Get-CMSoftwareUpdatePhasedDeployment
Get-CMTaskSequencePhasedDeployment
Get-CMPhase
Monitor phased deployment status
Get-CMPhasedDeploymentStatus
Manage existing phased deployments
Move-CMPhasedDeploymentToNext
Resume-CMPhasedDeployment
Suspend-CMPhasedDeployment
Modify existing phased deployments
Set-CMApplicationPhasedDeployment
Set-CMSoftwareUpdatePhase
Set-CMSoftwareUpdatePhasedDeployment
Set-CMTaskSequencePhase
Set-CMTaskSequencePhasedDeployment
Remove-CMApplicationPhasedDeployment
Remove-CMSoftwareUpdatePhasedDeployment
Remove-CMTaskSequencePhasedDeployment
Software updates maintenance
9/17/2021
5. Click the Supersedence Rules tab, select Run WSUS cleanup wizard . In version 1806, the option is
renamed to Run WSUS cleanup after synchronization .
6. Click OK (Click Close if you're running version 1806).
All WSUS maintenance needs to be run manually on secondary site WSUS databases. The following WSUS
Server Cleanup Wizard options aren't run on the CAS and primary sites:
Unused updates and update revisions
Computers not contacting the server
Unneeded update files
For more information and instructions, see The complete guide to Microsoft WSUS and Configuration
Manager SUP maintenance blog post.
NOTE
The "Months to wait before a superseded update is expired" is based on the creation date of the superseding update. For
example, if you use 2 months for this setting, then updates that have been superseded will be declined in WSUS and
expired in Configuration Manager when the superseding update is 2 months old.
The following WSUS Server Cleanup Wizard options aren't run on the CAS, primary, and secondary sites:
Unused updates and update revisions
Computers not contacting the server
Unneeded update files
For more information and instructions, see The complete guide to Microsoft WSUS and Configuration
Manager SUP maintenance blog post.
NOTE
If the WSUS database is on a remote SQL Server using a non-default port, then indexes might not be added. You can
create a server alias using SQL Server Configuration Manager for this scenario. Once the alias is added and
Configuration Manager can make a connection to the WSUS database, indexes will be added.
If the Software Update Point is remote to the site server and is using a Windows Internal Database, then the indexes
will not be added.
NOTE
If the Software Update Point is remote to the site server and is using a Windows Internal Database, then obsolete
updates will not be removed.
Known issue
Consider the following scenario:
You are using Configuration Manager version 1906 or later
You have remote software update points using a Windows Internal Database
In the Software Update Point Component Properties , you have any of the following selected options
under the WSUS Maintenance tab:
Add non-clustered indexes to the WSUS database
Remove obsolete updates from the WSUS database
In this scenario, Configuration Manager is unable to perform the above WSUS Maintenance tasks for the remote
Software Updates Points using a Windows Internal Database. This issue occurs because Windows Internal
Database doesn't allow remote connections. You'll see the following errors in the WSyncMgr.log on the site
server:
Indexing Failed. Could not connect to SUSDB.
SqlException thrown while connect to SUSDB in Server: <SUP.CONTOSO.COM>. Error Message: A network-related or
instance-specific error occurred while establishing a connection to SQL Server. The server was not found or
was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow
remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
...
Could not Delete Obselete Updates because ConfigManager could not connect to SUSDB: A network-related or
instance-specific error occurred while establishing a connection to SQL Server. The server was not found or
was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow
remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
UpdateServer: <SUP.CONTOSO.COM>
To work around the issue, you can automate the WSUS maintenance for the remote software update points
using a Windows Internal Database. For more information and detailed steps, see The complete guide to
Microsoft WSUS and Configuration Manager SUP maintenance.
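The following is an added example, not part of the Configuration Manager documentation, that scans WSyncMgr.log for the two SUSDB connection failures quoted above and lists which software update points are silently skipping index creation and obsolete-update cleanup. The sample lines are constructed from the quoted text (each message on one line, as in the real log); for live use, point the function at the WSyncMgr.log under the site server's Logs folder.

```powershell
function Get-WsusMaintenanceConnectionFailure {
    <#
      Return one record per WSUS maintenance task that failed because WSyncMgr could not reach SUSDB,
      with the software update point it was trying to reach. Matches the two messages quoted in the
      Known issue section; the misspelling "Obselete" is reproduced exactly as the log writes it.
    #>
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$LogLines)

    $indexPattern    = 'SqlException thrown while connect to SUSDB in Server: <(?<Server>[^>]+)>'
    $obsoletePattern = 'Could not Delete Obselete Updates because ConfigManager could not connect to SUSDB'
    $serverPattern   = 'UpdateServer: <(?<Server>[^>]+)>'

    $results = [System.Collections.Generic.List[object]]::new()
    for ($i = 0; $i -lt $LogLines.Count; $i++) {
        $line = $LogLines[$i]
        if ($line -match $indexPattern) {
            $results.Add([pscustomobject]@{ Task = 'AddIndexes'; Server = $Matches.Server; LogLine = $i + 1 })
        }
        elseif ($line -match $obsoletePattern) {
            # For this message the server name is on a later "UpdateServer:" line, so look ahead for it.
            $server = $null
            for ($j = $i + 1; $j -lt $LogLines.Count; $j++) {
                if ($LogLines[$j] -match $serverPattern) { $server = $Matches.Server; break }
            }
            $results.Add([pscustomobject]@{ Task = 'RemoveObsoleteUpdates'; Server = $server; LogLine = $i + 1 })
        }
    }
    return $results
}

# Constructed sample, assembled from the log excerpt in this section.
$sampleLog = @(
    'Indexing Failed. Could not connect to SUSDB.',
    'SqlException thrown while connect to SUSDB in Server: <SUP.CONTOSO.COM>. Error Message: A network-related or instance-specific error occurred while establishing a connection to SQL Server. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)',
    'Could not Delete Obselete Updates because ConfigManager could not connect to SUSDB: A network-related or instance-specific error occurred while establishing a connection to SQL Server. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)',
    'UpdateServer: <SUP.CONTOSO.COM>'
)

$failures = Get-WsusMaintenanceConnectionFailure -LogLines $sampleLog
$failures | Format-Table Task, Server, LogLine

# One line per affected software update point, with the maintenance tasks it is missing.
$failures | Group-Object Server | ForEach-Object {
    [pscustomobject]@{ Server = $_.Name; MissingTasks = ($_.Group.Task | Sort-Object -Unique) -join ', ' }
}

# Live use (path placeholder; WSyncMgr.log is on the site server):
# Get-WsusMaintenanceConnectionFailure -LogLines (Get-Content -LiteralPath '<ConfigMgr install dir>\Logs\WSyncMgr.log')
```

A SUP that appears in this list keeps synchronizing normally, so the gap only shows up as WSUS performance degrading over time; scheduling this check alongside synchronization gives an explicit signal that the WID-backed SUP needs its maintenance run locally as the workaround describes.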
NOTE
In this version of Configuration Manager, orchestration groups is a pre-release feature. To enable it, see Pre-release
features.
The Orchestration Groups feature is the evolution of the Server Groups feature. An orchestration group is an object in
Configuration Manager.
Prerequisites
Site server and permission prerequisites
To see all of the orchestration groups and updates for those groups, your account needs to be a Full
Administrator .
Role-based administration for orchestration groups currently isn't available.
Enable the Orchestration Groups feature. For more information, see Enable optional features.
When you enable Orchestration Groups , the site disables the Server Groups feature. This
behavior avoids any conflicts between the two features.
Client prerequisites
Upgrade the target devices to the latest version of the Configuration Manager client.
Members of an orchestration group should be assigned to the same site.
Devices can't be in more than one orchestration group.
Devices already in an orchestration group won't be available to select when adding new members.
Limitations
You can have up to 1000 orchestration group members.
Orchestration groups don't work in interoperability mode. For more information, see Interoperability
between different versions of Configuration Manager.
If updates are initiated by users from Software Center, orchestration will be bypassed.
Starting in Configuration Manager version 2103, updates in the Definition classification don't require
orchestration and will always bypass orchestration group rules.
Scripts that have parameters aren't supported
NOTE
In version 2103 and later, the maximum script length is 50,000 characters. In version 2010 and earlier, the
maximum script length is 5,000 characters.
WARNING
Ensure pre-scripts and post-scripts are tested before using them for orchestration groups. The pre-scripts and post-
scripts don't timeout and will run until the orchestration group member timeout has been reached.
Scripts that have parameters aren't supported.
Start orchestration
1. Deploy software updates to a collection that contains the members of the orchestration group.
2. Orchestration starts when any client in the group tries to install any software update at deadline or
during a maintenance window. It starts for the entire group, and makes sure that the devices update by
following the orchestration group rules.
3. You can manually start orchestration by selecting it from the Orchestration Group node, then choosing
Start Orchestration from the ribbon or right-click menu.
4. If needed, select Ignore all applicable windows for the members to start the installation
immediately and bypass maintenance windows.
This option was introduced in Configuration Manager version 2103.
5. If an orchestration group is in a Failed state:
a. Determine why the orchestration failed and resolve any issues.
b. Reset the orchestration state for group members.
c. From the Orchestration Group node, choose the Start Orchestration button to restart
orchestration.
TIP
Orchestration groups only apply to software update deployments. They don't apply to other deployments.
You can right-click on an Orchestration Group member and select Reset Orchestration Group Member . This
allows you to rerun orchestration.
Log files
Use the following log files on the site server to help monitor and troubleshoot:
Site server
Policypv.log : shows that the site targets the orchestration group to the clients.
SMS_OrchestrationGroup.log : shows the behaviors of the orchestration group.
Client
MaintenanceCoordinator.log : Shows the lock acquisition, update installation, pre and post-scripts, and
lock release process.
UpdateDeployment.log : Shows the update installation process.
PolicyAgent.log : Checks if the client is in an orchestration group.
Next steps
Deploy software updates
Service a server group
9/17/2021
IMPORTANT
Starting in Configuration Manager version 2002, server groups have been replaced by orchestration groups. For more
information, see Orchestration groups.
Pre-release features are features that are in the Current Branch for early testing in a production environment. These
features are fully supported but are still in active development and might receive changes until they move out of the
pre-release category. You must turn on this feature for it to be available. For more information, see Use pre-release
features from updates.
Starting in Configuration Manager version 1606, you can configure server group settings for a collection to
define how many, what percentage, or in what order computers in the collection will install software updates.
You can also configure pre-deployment and post-deployment PowerShell scripts to run custom actions.
When you deploy software updates to a collection that has server group settings configured, Configuration
Manager determines how many computers in the collection can install the software updates at any given time
and makes the same number of deployment locks available. Only computers that get a deployment lock will
start software update installation. When a deployment lock is available, a computer gets the deployment lock,
installs the software updates, and then releases the deployment lock when software updates installation
successfully completes. Then, the deployment lock becomes available for other computers. If a computer is
unable to release a deployment lock, you can manually release all server group deployment locks for the
collection.
IMPORTANT
All of the computers in the collection must be assigned to the same site.
WARNING
Custom scripts are not signed by Microsoft. It is your responsibility to maintain the integrity of these scripts.
TIP
The following are examples that you can use in testing for pre-deployment and post-deployment scripts that write
the current time to a text file:
Pre-deployment
#Start
# Capture the current time and write it to the file (piping is required; Out-File alone writes an empty file).
$a = Get-Date
$a | Out-File C:\Windows\Temp\start.txt
Post-deployment
#End
# Same as above, after the software updates have installed.
$a = Get-Date
$a | Out-File C:\Windows\Temp\end.txt
NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration
Manager console and supporting documentation while the console is being updated.
Beginning in Configuration Manager version 1802, you can review Microsoft 365 Apps client information from
the Office 365 Client Management dashboard. The Office 365 client management dashboard displays a list of
relevant devices when graph sections are selected.
Prerequisites
Enable hardware inventory
The data that is displayed in the Office 365 Client Management dashboard comes from hardware inventory.
Enable hardware inventory and select the Office 365 Configurations hardware inventory class for data to
display in the dashboard.
1. Enable hardware inventory, if it isn't yet enabled. For details, see Configure hardware inventory.
2. In the Configuration Manager console, navigate to Administration > Client Settings > Default Client
Settings .
3. On the Home tab, in the Properties group, click Properties .
4. In the Default Client Settings dialog box, click Hardware Inventory .
5. In the Device Settings list, click Set Classes .
6. In the Hardware Inventory Classes dialog box, select Office 365 Configurations .
7. Click OK to save your changes and close the Hardware Inventory Classes dialog box.
The Office 365 Client Management dashboard starts displaying data as hardware inventory is reported.
Connectivity for the top-level site server
(Introduced in version 1906 as a prerequisite)
Your top-level site server needs access to the following endpoint to download the Microsoft 365 Apps readiness
file:
Starting March 2, 2021: https://omex.cdn.office.net/mirrored/sccmreadiness/SOT_SCCM_AddinReadiness.CAB
Location prior to March 2, 2021:
https://contentstorage.osi.office.net/sccmreadinessppe/sot_sccm_addinreadiness.cab
NOTE
The location of this file is changing March 2, 2021 . For more information, see Download location change for Microsoft
365 Apps readiness file.
Internet connectivity isn't required for the client devices for any of these scenarios.
Enable data collection for Microsoft 365 Apps
(Introduced in version 1910 as a prerequisite)
Starting in version 1910, you'll need to enable data collection for Microsoft 365 Apps to populate information in
the Office 365 Pilot and Health Dashboard . The data is stored in the Configuration Manager site database
and not sent to Microsoft.
This data is different from the diagnostic data, which is described in Diagnostic data sent from Microsoft 365
Apps to Microsoft.
You can enable data collection either by using Group Policy or by editing the registry.
Enable data collection from Group Policy
1. Download the latest Administrative Template files from the Microsoft Download Center.
2. Enable the Turn on telemetry data collection policy setting under
User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Telemetry Dashboard .
Alternatively, apply the policy setting with the Office cloud policy service.
The policy setting is also used by the Office Telemetry Dashboard, which you don't need to deploy for
this data collection.
Enable data collection from the registry
The command below is an example of how to enable the data collection from the registry:
NOTE
No data is sent to Microsoft for this feature.
For more information, see Getting readiness information for multiple users in an enterprise.
Best practices for compatibility assessment and Microsoft Office 365 upgrades using Office Readiness in
Configuration Manager
Using the Microsoft 365 Apps upgrade readiness dashboard
After verifying you have the prerequisites, use the following instructions to use the dashboard:
1. In the Configuration Manager console, go to the Software Library workspace, expand Office 365 Client
Management .
2. Select the Microsoft 365 Apps Upgrade Readiness node.
3. Change the Collection and Target Office Architecture to change the information relayed in the
dashboard.
Device Readiness information
Once the add-in and macro inventory on each device is evaluated, the devices are grouped according to
that information. Devices whose status is listed as Ready to upgrade aren't likely to have any compatibility
issues.
Selecting the Ready to upgrade category on the graph shows more details about the devices in the limiting
collection. You can review the device list, make selections according to your business requirements, and create a
new device collection from your selection. Use your new collection to deploy Microsoft 365 Apps with
Configuration Manager.
Devices that might be at risk for compatibility issues are marked as Needs review. These devices may need
action to be taken before you upgrade them to Microsoft 365 Apps. For example, you might update critical add-ins
to a more recent version.
Add-in information
On each device, an inventory of all installed add-ins is collected. The inventory is then compared with the
information Microsoft has about the add-in performance on Microsoft 365 Apps. If an add-in is found which is
likely to cause issues after upgrading, then all devices with the add-in are flagged for review.
Macro information
Configuration Manager looks at the most recently used files on each device. It counts the files in this list that
support macros, including the following types:
Macro-enabled Office file formats.
Older Office formats, which don't indicate if there's macro content.
This report can be used to identify which devices have recently used files which may contain macros. The
Readiness Toolkit for Office can then be deployed using Configuration Manager to scan any devices where
more detailed information is needed, and check if there are any potential compatibility concerns. For example, if
the file uses a function that changed in a more recent version of Microsoft 365 Apps.
For more information about how to carry out the scan, see Detailed macro readiness.
TIP
Macro inventory is populated by default based on the document extensions in the MRU. Macro compatibility and macro
status are populated once the Readiness Toolkit for Office scan runs on the device.
NOTE
Macro inventory is populated by data from the Readiness Toolkit for Office and recently used data files. Macro health is
populated by health data. Due to the different data sources, it's possible for the macro health status to be Needs review
when the macro inventory is Not scanned.
Known issues
There is a known issue with the Deploy Pilot tile. At this time it can't be used to deploy to a pilot. The
workaround is the existing workflow for deploying an application using the Phased Deployment Wizard.
Next steps
Manage Microsoft 365 Apps updates with Configuration Manager
Manage Microsoft 365 Apps with Configuration Manager
9/17/2021 • 13 minutes to read
NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more
information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration
Manager console and supporting documentation while the console is being updated.
Configuration Manager lets you manage Microsoft 365 Apps in the following ways:
Deploy Microsoft 365 Apps: You can start the Microsoft 365 Apps Installer from the Office 365 Client
Management dashboard to make the initial Microsoft 365 Apps installation experience easier. The wizard
lets you configure Microsoft 365 Apps installation settings, download files from Office Content Delivery
Networks (CDNs), and create and deploy a script application with the content.
Deploy Microsoft 365 Apps updates: You can manage Microsoft 365 Apps client updates by using the
software update management workflow. When Microsoft publishes a new Microsoft 365 Apps update to
the Office Content Delivery Network (CDN), Microsoft also publishes an update package to Windows
Server Update Services (WSUS). After Configuration Manager synchronizes the Microsoft 365 Apps
updates from the WSUS catalog to the site server, the update is available to deploy to clients.
Starting in Configuration Manager version 2002, you can import Microsoft 365 Apps updates into
disconnected environments. For more information, see Synchronize Microsoft 365 Apps updates from
a disconnected software update point.
Add languages for Microsoft 365 Apps update downloads: You can add support for Configuration
Manager to download updates for any language supported by Microsoft 365 Apps. This means
Configuration Manager doesn't have to support the language itself, as long as Microsoft 365 Apps does. Prior
to Configuration Manager version 1610, you had to download and deploy updates in the same languages
configured on the Microsoft 365 Apps clients.
Change the update channel: You can use group policy to distribute a registry key value change to
Microsoft 365 Apps clients to change the update channel.
To review Microsoft 365 Apps client information and start some of these Microsoft 365 Apps management
actions, use the Office 365 Client Management dashboard.
To add support to download updates for additional languages in version 1902 and later
When new languages are added to Microsoft 365 Apps, they don't automatically appear in the content download
languages; you can add them if needed. Use the following procedure on the software update point at the central
administration site or stand-alone primary site:
1. From a command prompt, type wbemtest as an administrative user to open the Windows Management
Instrumentation Tester.
2. Select Connect, and then type root\sms\site_<siteCode>.
3. Choose Query, and then run the following query: select * from SMS_SCI_Component where
componentname ="SMS_WSUS_CONFIGURATION_MANAGER"
4. In the results pane, double-click the object with the site code for the central administration site or stand-
alone primary site.
5. Select the Props property, select Edit Property, and then View Embedded.
6. Starting at the first query result, open each object until you find the one with
AvailableUpdateLanguagesForO365 for the PropertyName property.
7. Select Value2 and choose Edit Property.
8. Add the additional languages to the Value2 property and select Save Property.
For example, to add 2057 (en-gb), 2058 (es-mx), and 3084 (fr-ca), you would type 2057, 2058, 3084.
9. Select Close, select Close, select Save Property, and choose Save Object (if you select Close here the
values are discarded). Select Close, and then Exit to exit the Windows Management Instrumentation
Tester.
10. In the Configuration Manager console, go to Software Library > Overview > Office 365 Client
Management > Office 365 Updates.
11. When you download Microsoft 365 Apps updates, the updates are downloaded in the languages that you
select in the wizard and configured in this procedure. To verify that the updates download in the correct
languages, go to the package source for the update and find files with the new language code in the
filename.
5. Select OK .
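The same edit as the wbemtest procedure above, scripted. This is an added example, not code from the Configuration Manager documentation: it reads the SMS_WSUS_CONFIGURATION_MANAGER component from the site's WMI provider, merges new LCIDs into the Value2 string of the AvailableUpdateLanguagesForO365 embedded property, and writes the object back. The site code 'PS1' and the function name Add-O365UpdateLanguage are assumptions, and the script assumes Value2 is a comma-separated LCID list, as the procedure's example implies.

```powershell
# Added example (not from the original documentation). Run as a Configuration Manager
# administrator on the central administration site or stand-alone primary site server.
function Add-O365UpdateLanguage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed site code; use the code of the top-level site you are connected to.
        [Parameter(Mandatory)] [string] $SiteCode,
        # LCIDs to add; defaults to the procedure's example (en-gb, es-mx, fr-ca).
        [int[]] $LcidsToAdd = @(2057, 2058, 3084),
        # Server hosting the SMS Provider; defaults to the local machine.
        [string] $ProviderServer = $env:COMPUTERNAME
    )

    $namespace = "root\sms\site_$SiteCode"

    # Step 3 of the procedure: find the WSUS Configuration Manager component object(s)
    # for this site code (one object exists per software update point).
    $components = Get-WmiObject -ComputerName $ProviderServer -Namespace $namespace `
        -Class SMS_SCI_Component `
        -Filter "ComponentName='SMS_WSUS_CONFIGURATION_MANAGER' AND SiteCode='$SiteCode'"

    if (-not $components) {
        throw "No SMS_WSUS_CONFIGURATION_MANAGER component found for site $SiteCode in $namespace"
    }

    foreach ($component in $components) {
        # Steps 5-6: Props is an array of embedded property objects; locate the language list.
        $props    = $component.Props
        $langProp = $props | Where-Object { $_.PropertyName -eq 'AvailableUpdateLanguagesForO365' }
        if (-not $langProp) {
            Write-Warning "AvailableUpdateLanguagesForO365 not found on $($component.ItemName)"
            continue
        }

        # Assumption: Value2 is a comma-separated LCID list. Merge, trim, and de-duplicate
        # while preserving the existing order, so re-running the script is harmless.
        $existing = @($langProp.Value2 -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $merged   = @($existing + ($LcidsToAdd | ForEach-Object { [string]$_ })) | Select-Object -Unique
        $newValue = $merged -join ','

        Write-Verbose "$($component.ItemName): '$($langProp.Value2)' -> '$newValue'"

        # Steps 8-9: Save Property followed by Save Object. Assigning the modified embedded
        # array back to Props before Put() is what persists the change.
        if ($PSCmdlet.ShouldProcess($component.ItemName, "Set AvailableUpdateLanguagesForO365 to '$newValue'")) {
            $langProp.Value2 = $newValue
            $component.Props = $props
            $component.Put() | Out-Null
        }
    }
}

# Preview the change first, then apply it.
Add-O365UpdateLanguage -SiteCode 'PS1' -LcidsToAdd 2057, 2058, 3084 -WhatIf -Verbose
# Add-O365UpdateLanguage -SiteCode 'PS1' -LcidsToAdd 2057, 2058, 3084
```

After the object is saved, step 10 onward of the procedure still applies: the new LCIDs only take effect for updates you download afterwards, so verify the package source for files carrying the new language code.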
For more information about how to modify your ADRs, see Automatically deploy software updates. For more
information about the name change, see Name change for Office 365 ProPlus.
Change the update channel after you enable Microsoft 365 Apps
clients to receive updates from Configuration Manager
After deploying Microsoft 365 Apps, you can change the update channel with Group Policy or the Office
Deployment Tool (ODT). For example, you can move a device from Semi-Annual Channel to Semi-Annual
Channel (Targeted). When changing the channel, Office is updated automatically without having to reinstall or
download the full version. For more information, see Change the Microsoft 365 Apps update channel for devices
in your organization.
Next steps
Use the Office 365 Client Management dashboard in Configuration Manager to review Microsoft 365 Apps
client information and deploy Microsoft 365 Apps. For more information, see Office 365 Client Management
dashboard.
Optimize Windows 10 update delivery with Configuration Manager
9/17/2021 • 13 minutes to read
NOTE
The express version content is considerably larger than the full-file version. An express installation file contains all of the
possible variations for each file it's meant to update. As a result, the required amount of disk space increases for updates
in the update package source and on distribution points when you enable express support in Configuration Manager.
Even though the disk space requirement on the distribution points increases, the content size that clients download from
these distribution points decreases. Clients only download the bits they require (deltas) but not the whole update.
NOTE
Delivery Optimization is a cloud-managed solution. Internet access to the Delivery Optimization cloud service is a
requirement to utilize its peer-to-peer functionality. For information about the needed internet endpoints, see Frequently
asked questions for Delivery Optimization.
For the best results, you may need to set the Delivery Optimization download mode to Group (2) and define
Group IDs. In group mode, peering can cross internal subnets between devices that belong to the same group
including devices in remote offices. Use the Group ID option to create your own custom group independently of
domains and AD DS sites. Group download mode is the recommended option for most organizations looking to
achieve the best bandwidth optimization with Delivery Optimization.
Manually configuring these Group IDs is challenging when clients roam across different networks. Configuration
Manager version 1802 added a new feature to simplify management of this process by integrating boundary
groups with Delivery Optimization. When a client wakes up, it talks to its management point to get policies, and
provides its network and boundary group information. Configuration Manager creates a unique ID for every
boundary group. The site uses the client's location information to automatically configure the client's Delivery
Optimization Group ID with the Configuration Manager boundary ID. When the client roams to another
boundary group, it talks to its management point, and is automatically reconfigured with a new boundary group
ID. With this integration, Delivery Optimization can utilize the Configuration Manager boundary group
information to find a peer from which to download updates.
Delivery Optimization starting in version 1910
Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all
Windows update content for clients running Windows 10 version 1709 or later, not just express installation files.
To use Delivery Optimization for all Windows update installation files, enable the following software updates
client settings:
Allow clients to download delta content when available set to Yes.
Port that clients use to receive requests for delta content set to 8005 (default) or a custom port
number.
IMPORTANT
Delivery Optimization must be enabled (default) and not bypassed. For more information, see Windows Delivery
Optimization reference.
Verify your Delivery Optimization client settings when changing your software updates client settings for delta
content.
Limitations
Delivery Optimization can't be used for Microsoft 365 Apps client updates if Office COM is enabled.
Office COM is used by Configuration Manager to manage updates for Microsoft 365 Apps clients. You
can deregister Office COM to allow the use of Delivery Optimization for Microsoft 365 Apps updates.
When Office COM is disabled, software updates for Microsoft 365 Apps are managed by the default
Office Automatic Updates 2.0 scheduled task. This means that Configuration Manager doesn't dictate or
monitor the installation process for Microsoft 365 Apps updates. Configuration Manager will continue to
collect information from hardware inventory to populate Office 365 Client Management Dashboard in
the console. For information about how to deregister Office COM, see Enable Office 365 clients to receive
updates from the Office CDN instead of Configuration Manager.
When using a CMG for content storage, the content for third-party updates won't download to clients if
the Download delta content when available client setting is enabled.
Download of feature updates for Windows 10 may take a long time, depending on the network and on whether
additional content is determined to be needed for installation. This additional download time may also
cause the installation to fail because it exceeds the maximum runtime.
Configuration recommendations for clients downloading delta content
When the Allow clients to download delta content when available client setting is enabled on clients for
software update content, there are limitations in the distribution point fallback behavior. To ensure these clients
can properly download software update content, we recommend the following configurations:
Ensure that clients are in a boundary group and that there's a reliable distribution point that has the needed
content associated with that boundary group.
Deploy software updates with fallback to Microsoft Update enabled for clients that are able to download
directly from the internet.
The deployment setting for this fallback behavior is If software updates are not available on
distribution point in current, neighbor or site boundary groups, download content from
Microsoft Updates and it's found on the Download Settings page. For more information, see
Deploy software updates.
If neither of the above options is viable, Allow clients to download delta content when available can
be disabled in the client settings to restore the normal fallback functionality. Delivery Optimization peering won't be
used in this case, since the client won't use the delta channel.
TIP
Starting in Configuration Manager version 2010, if delta content is unavailable from distribution points in the current
boundary group, you can immediately fallback to a neighbor or the site default. For more information, see Client settings
for software updates.
NOTE
Clients can only download content from peer cache clients that are in their current boundary group.
Windows BranchCache
BranchCache is a bandwidth optimization technology in Windows. Each client has a cache, and acts as an
alternate source for content. Devices on the same network can request this content. Configuration Manager can
use BranchCache to allow peers to source content from each other versus always having to contact a
distribution point. Using BranchCache, files are cached on each individual client, and other clients can retrieve
them as needed. This approach distributes the cache rather than having a single point of retrieval. This behavior
saves a significant amount of bandwidth, while reducing the time for clients to receive the requested content.
Functionality | Delivery Optimization | Peer Cache | BranchCache
--- | --- | --- | ---
Bandwidth throttling | Yes (Native) | Yes (via BITS) | Yes (via BITS)
Partial content support | Yes, for all supported content types listed in this column's next row. | Only for Microsoft 365 Apps and Express Updates | Yes, for all supported content types listed in this column's next row.
Supported content types | Through ConfigMgr: Express updates; All Windows updates (starting version 1910). This doesn't include Microsoft 365 Apps updates. Through Microsoft cloud: Windows and security updates; Drivers; Windows Store apps; Windows Store for Business apps | All ConfigMgr content types, including images | All ConfigMgr content types, except images downloaded in Windows PE
WAN usage control | Yes (native, can be controlled via group policy settings) | Boundary groups | Subnet support only
Management through ConfigMgr | Partial (client agent setting) | Yes (client agent setting) | Yes (client agent setting)
Conclusion
Microsoft recommends that you optimize Windows 10 quality update delivery using Configuration Manager
with express installation files and a peer caching technology, as needed. This approach should alleviate the
challenges associated with Windows 10 devices downloading large content for installing quality updates.
Keeping Windows 10 devices current by deploying quality updates each month is also recommended. This
practice reduces the delta of quality update content needed by devices each month. Reducing this content delta
causes smaller size downloads from distribution points or peer sources.
Due to the nature of express installation files, their content size is considerably larger than traditional self-
contained files. This size results in longer update download times from the Windows Update service to the
Configuration Manager site server. The amount of disk space required for both the site server and distribution
points also increases. The total time required to download and distribute quality updates could be longer.
However, the device-side benefits should be noticeable during the download and installation of quality updates
by the Windows 10 devices. For more information, see Using Express Installation Files.
If the server-side tradeoffs of larger-size updates are blockers for the adoption of express support, but the
device-side benefits are critical to your business and environment, Microsoft recommends that you use
Windows Update for Business with Configuration Manager. Windows Update for Business provides all of the
benefits of express without the need to download, store, and distribute express installation files throughout your
environment. Clients download content directly from the Windows Update service, thus can still use Delivery
Optimization.
Log files
Use the following log files to monitor delta downloads:
WUAHandler.log
DeltaDownload.log
Next steps
Deploy software updates
Automatically deploy software updates
Manage express installation files for Windows 10 updates
9/17/2021 • 3 minutes to read
Configuration Manager supports express installation files for Windows 10 updates. Configure the client to
download only the changes between the current month's Windows 10 cumulative quality update and the
previous month's update. Without express installation files, Configuration Manager clients download the full
Windows 10 cumulative update each month, including all updates from previous months. Using express
installation files provides for smaller downloads and faster installation times on clients.
To learn how to use Configuration Manager to manage update content to stay current with Windows 10, see
Optimize Windows 10 update delivery.
IMPORTANT
The OS client support is available in Windows 10, version 1607, with an update to the Windows Update Agent. This
update is included with the updates released on April 11, 2017. For more information about these updates, see support
article 4015217. Future updates leverage express for smaller downloads. Prior versions of Windows 10, and Windows 10
version 1607 without this update don't support express installation files.
NOTE
You can't configure the software update point component to only download express updates. The site downloads the
express installation files in addition to the full files. This increases the amount of content stored in the content library, and
distributed to and stored on your distribution points.
TIP
To determine the actual space being used on disk by the file, check the Size on disk property of the file. The Size on disk
property should be considerably smaller than the Size value. For more information, see FAQs to optimize Windows 10
update delivery.
NOTE
This is a local port that clients use to listen for requests from Delivery Optimization or Background Intelligent Transfer
Service (BITS) to download express content from the distribution point. You don't need to open this port on firewalls
because all traffic is on the local computer.
Once you deploy client settings to enable this functionality on the client, it attempts to download the delta
between the current month's Windows 10 cumulative update and the previous month's update. Clients must run
a version of Windows 10 that supports express installation files.
1. Enable support for express installation files in the properties of the software update point component
(previous procedure).
2. In the Configuration Manager console, go to the Administration workspace, and select Client Settings .
3. Select the appropriate client settings, and click Properties on the ribbon.
4. Select the Software Updates group. Configure to Yes the setting to Enable installation of Express
Updates on clients. Configure the Port used to download content for Express Updates with the
port used by the HTTP listener on the client.
In version 1902, Enable installation of Express Updates on clients was changed to Allow
clients to download delta content when available.
In version 1902, Port used to download content for Express Updates was changed to Port that
clients use to receive requests for delta content.
Next steps
Deploy software updates
Manage Surface drivers with Configuration Manager
9/17/2021 • 9 minutes to read
NOTE
Most Surface drivers belong to multiple Windows 10 product groups. You may not have to select all the products that are
listed here. To help reduce the number of products that populate your Update Catalog, we recommend that you select
only the products that are required by your environment for synchronization.
Surface models
The following table contains the Surface models and versions of Windows 10 on which Configuration Manager
can install drivers. Surface driver updates aren't available in Configuration Manager the same day they're
published to the Microsoft Update catalog. Configuration Manager maintains its own list of which Surface
drivers it will import. Devices needing Windows 10 S products are noted. Microsoft aims to get the Surface
drivers added to the allow list on the second Tuesday each month to make them available for synchronization to
Configuration Manager. For more information, see Frequently asked questions.
Surface model | Windows 10 1709 | Windows 10 1803 | Windows 10 1809 | Windows 10 1903 | Windows 10 1909 | Windows 10 2004 | Windows 10 20H2
--- | --- | --- | --- | --- | --- | --- | ---
Surface Laptop | Yes, with the product "Windows 10 S version 1709 and later Servicing drivers" selected | Yes, with the product "Windows 10 S version 1803 and later Servicing drivers" selected | Yes, with the product "Windows 10 S version 1809 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected
Surface Go | N/A | Yes, with the product "Windows 10 S version 1803 and later Servicing drivers" selected | Yes, with the product "Windows 10 S version 1809 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected
Surface Go 2 | N/A | N/A | Yes | Yes | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected
Surface Drivers can be supported in this hierarchy since all software update points are on Windows
Server 2016, WCM SCF property Sync Catalog Drivers is set.
…
Sync Catalog Drivers SCF value is set to : 1
2. If either of the following entries is logged in WsyncMgr.log, double-check that you selected the
Include Microsoft Surface drivers and firmware updates option in the properties of your software
update point:
Sync Surface Drivers option is not set
Sync Catalog Drivers SCF value is set to : 0
3. Open WCM.log and look for items resembling the following entries:
<Categories>
<Category Id="Product:05eebf61-148b-43cf-80da-1c99ab0b8699"><![CDATA[Windows 10 and later drivers]]>
</Category>
<Category Id="Product:06da2f0c-7937-4e28-b46c-a37317eade73"><![CDATA[Windows 10 Creators Update and
Later Upgrade & Servicing Drivers]]></Category>
<Category Id="Product:c1006636-eab4-4b0b-b1b0-d50282c0377e"><![CDATA[Windows 10 S and Later Servicing
Drivers]]></Category>
… …
</Categories>
This entry is an XML element that lists every product group and classification that's currently
synchronized by your software update point server. If you can't find the products that you've selected,
double-check the products for the software update point are saved.
4. You can also wait until the next synchronization finishes. Then, check whether the Surface driver and
firmware updates are listed in Software Updates in the Configuration Manager console. For example, the
console might display the following information:
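The checks in steps 2 and 3 above, automated so they can be run against the two logs instead of read by eye. This is an added example, not code from the Surface driver documentation: it looks for the Sync Catalog Drivers SCF value (or the "option is not set" message) in WsyncMgr.log, pulls the Categories element out of WCM.log, and reports which required product groups are missing. The sample log lines are constructed from the entries quoted on this page; the function name Test-SurfaceDriverSync and the default required product are assumptions.

```powershell
# Added example (not from the original documentation). On a real site server, read the two
# files from the Configuration Manager Logs directory and pass their contents in.
function Test-SurfaceDriverSync {
    param(
        [string[]] $WsyncMgrLines,   # lines from WsyncMgr.log
        [string]   $WcmLogText,      # full text of WCM.log (the Categories XML may span lines)
        # Product group(s) that must be synchronized; default is the Windows 10 S entry
        # shown in the WCM.log excerpt above. Assumed default, adjust for your Surface models.
        [string[]] $RequiredProducts = @('Windows 10 S and Later Servicing Drivers')
    )

    $result = [ordered]@{
        SurfaceDriverSyncEnabled = $null   # $null means no SCF entry was found in the log
        SyncedProducts           = @()
        MissingProducts          = @()
    }

    # Step 2: the SCF (site control file) value tells you whether the SUP option is on.
    foreach ($line in $WsyncMgrLines) {
        if ($line -match 'Sync Catalog Drivers SCF value is set to\s*:\s*(\d)') {
            $result.SurfaceDriverSyncEnabled = ($Matches[1] -eq '1')
        }
        elseif ($line -match 'Sync Surface Drivers option is not set') {
            $result.SurfaceDriverSyncEnabled = $false
        }
    }

    # Step 3: extract the <Categories> element and list the Product:* category names.
    # (?s) lets '.' cross line breaks, since CMTrace-style logs wrap long XML.
    if ($WcmLogText -match '(?s)<Categories>.*?</Categories>') {
        $xml = [xml]$Matches[0]
        $result.SyncedProducts = @(
            $xml.Categories.Category |
                Where-Object { $_.Id -like 'Product:*' } |
                ForEach-Object { $_.InnerText.Trim() }
        )
    }

    $result.MissingProducts = @($RequiredProducts | Where-Object { $_ -notin $result.SyncedProducts })
    [pscustomobject]$result
}

# Constructed sample input, built from the log entries quoted on this page.
$sampleWsyncMgr = @(
    'Sync Surface Drivers option is not set',
    'Sync Catalog Drivers SCF value is set to : 0'
)
$sampleWcm = @'
<Categories>
<Category Id="Product:05eebf61-148b-43cf-80da-1c99ab0b8699"><![CDATA[Windows 10 and later drivers]]></Category>
<Category Id="Product:06da2f0c-7937-4e28-b46c-a37317eade73"><![CDATA[Windows 10 Creators Update and Later Upgrade & Servicing Drivers]]></Category>
</Categories>
'@

$check = Test-SurfaceDriverSync -WsyncMgrLines $sampleWsyncMgr -WcmLogText $sampleWcm
$check | Format-List
# With this sample: SurfaceDriverSyncEnabled is False and MissingProducts contains
# 'Windows 10 S and Later Servicing Drivers', so both SUP settings need attention.
```

On a live site, pass `Get-Content "$env:SMS_LOG_PATH\WsyncMgr.log"` and `Get-Content -Raw "$env:SMS_LOG_PATH\WCM.log"` (path variable assumed); a False or $null SurfaceDriverSyncEnabled, or a non-empty MissingProducts, points to the software update point properties rather than to a synchronization delay.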
Next steps
For more information about Surface drivers, see the following articles:
Considerations for Surface and Configuration Manager
Surface Update History
Download the latest firmware and drivers for Surface devices
Integrate with Windows Update for Business
9/17/2021 • 6 minutes to read
WARNING
If you are using co-management for your devices and you have moved the Windows Update policies to Intune, then your
devices will get their Windows Update for Business policies from Intune.
If the Configuration Manager client is still installed on the co-managed device then settings for Cumulative Updates
and Feature Updates are managed by Intune. However, third-party patching, if enabled in Client Settings , is still
managed by Configuration Manager.
Some Configuration Manager features are no longer available when Configuration Manager clients are
configured to receive updates from WU, which includes WUfB or Windows Insiders:
Windows Update compliance reporting:
Configuration Manager will be unaware of the updates that are published to WU. The
Configuration Manager clients configured to receive updates from WU will display unknown for
these updates in the Configuration Manager console.
Troubleshooting overall compliance status is difficult because, previously, an unknown status applied only to
clients that hadn't reported scan status back from WSUS. Now it also includes Configuration
Manager clients that receive updates from WU.
Definition Updates compliance is part of overall update compliance reporting and won't work as
expected either.
Overall Endpoint Protection reporting for Defender based on update compliance status won't return
accurate results because of the missing scan data.
Configuration Manager won't be able to deploy Microsoft updates, such as Microsoft 365 Apps, IE, and
Visual Studio to clients that are connected to WUfB to receive updates.
Configuration Manager can still deploy 3rd party updates that are published to WSUS and managed
through Configuration Manager to clients that are connected to WUfB to receive updates. If you don't
want any 3rd party updates to be installed on clients connecting to WUfB, then disable the client setting
named Enable software updates on clients.
Configuration Manager full client deployment that uses the software updates infrastructure won't work
for clients that are connected to WUfB to receive updates.
4. Create a client agent setting to disable the software update workflow. Deploy the setting to the collection
of computers that are connected directly to WUfB.
5. The computers that are managed via WUfB will display Unknown in the compliance status and won't be
counted as part of the overall compliance percentage.
NOTE
Beginning in Configuration Manager version 1802, you can set deferral policies for Windows Insider.
For more information about the Windows Insider program, see Getting started with Windows Insider program for
Business.
NOTE
Deploy policies for Semi-Annual Channel to Windows 10, version 1903 or later. Deploy policies for
Semi-Annual Channel (Targeted) to Windows 10, version 1809 or earlier.
If you deploy a policy for Semi-Annual Channel (Targeted) to Windows 10, version 1903 or later, the
deployment fails with the error 0x8004100c.
Deferral period (days) : Specify the number of days for which Feature Updates will be deferred.
You can defer receiving these Feature Updates for up to 365 days from their release.
Pause Feature Updates starting: Select whether to pause devices from receiving Feature
Updates for up to 35 days from the time you pause the updates. After the maximum days have
passed, pause functionality will automatically expire and the device will scan Windows Updates for
applicable updates. Following this scan, you can pause the updates again. You can unpause Feature
Updates by clearing the checkbox.
5. Choose whether to defer or pause Quality Updates. Quality Updates are generally fixes and improvements to
existing Windows functionality and are typically published the second Tuesday of every month, though can
be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving
Quality Updates following their availability.
Deferral period (days) : Specify the number of days for which Quality Updates will be deferred. You
can defer receiving these Quality Updates for up to 30 days from their release.
Pause Quality Updates starting: Select whether to pause devices from receiving Quality Updates
for up to 35 days from the time you pause the updates. After the maximum days have passed, pause
functionality will automatically expire and the device will scan Windows Updates for applicable
updates. Following this scan, you can pause the updates again. You can unpause Quality Updates by
clearing the checkbox.
6. Select Install updates from other Microsoft Products to enable the group policy setting that makes the
deferral settings applicable to Microsoft Update as well as Windows Update.
7. Select Include drivers with Windows Update to automatically update drivers from Windows Updates. If
you clear this setting, driver updates aren't downloaded from Windows Updates.
8. Complete the wizard to create the new deferral policy.
To deploy a Windows Update for Business deferral policy
1. Go to Software Library > Windows 10 Servicing > Windows Update for Business Policies.
2. On the Home tab, in the Deployment group, select Deploy Windows Update for Business Policy .
3. Configure the following settings:
Configuration policy to deploy : Select the Windows Update for Business policy that you would like
to deploy.
Collection : Click Browse to select the collection where you want to deploy the policy.
Allow remediation outside the maintenance window : If a maintenance window has been
configured for the collection to which you're deploying the policy, enable this option to let policy
settings remediate the value outside of the maintenance window. For more information about
maintenance windows, see How to use maintenance windows.
Schedule : Specify the compliance evaluation schedule by which the deployed policy is evaluated on
client computers. The schedule can be either a simple or a custom schedule.
4. Complete the wizard to deploy the policy.
Enable third-party updates
9/17/2021 • 16 minutes to read
NOTE
In version 2006 and earlier, Configuration Manager doesn't enable this feature by default. Before using it, enable the
optional feature Enable third party update support on clients. For more information, see Enable optional features
from updates.
Prerequisites
Sufficient disk space on the top-level software update point's WSUSContent directory to store the source
binary content for third-party software updates.
The amount of required storage varies based on the vendor, types of updates, and specific updates
that you publish for deployment.
If you need to move the WSUSContent directory to another drive with more free space, see the How to
change the location where WSUS stores updates locally blog post.
The third-party software update synchronization service requires internet access.
For the partner catalogs list, download.microsoft.com over HTTPS port 443 is needed.
Internet access to any third-party catalogs and update content files. Additional ports other than 443
may be needed.
Third-party updates use the same proxy settings as the SUP.
NOTE
The WSUS server connection account can be identified by viewing the Proxy and Account Settings tab on the
Site System role properties of the SUP. If an account is not specified, the site server's computer account is used.
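The following PowerShell check is an added example, not part of the Configuration Manager documentation. Run on the top-level software update point, it verifies the prerequisites listed above: free space on the WSUSContent volume and TCP 443 reachability to download.microsoft.com. It assumes WSUS records its content root in the registry value ContentDir under HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup (the standard WSUS location), that the path uses a local drive letter, and that the 20 GB threshold is one you adjust to the catalogs you plan to stage.

```powershell
# Added example; not from the Configuration Manager documentation.
# Run on the top-level software update point (the WSUS server).
$MinimumFreeGB = 20   # assumption: adjust to the catalogs you intend to stage

# 1. Find the WSUSContent directory from WSUS's own registry value. ContentDir is
#    the content root WSUS was installed with; WSUSContent sits directly under it.
$setupKey    = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
$contentRoot = (Get-ItemProperty -Path $setupKey -Name ContentDir).ContentDir
$wsusContent = Join-Path $contentRoot 'WSUSContent'
if (-not (Test-Path $wsusContent)) { throw "WSUSContent not found at $wsusContent" }

# 2. Free space on that volume (assumes a local drive-letter path such as D:\WSUS).
$drive  = Get-PSDrive -Name $wsusContent.Substring(0, 1)
$freeGB = [math]::Round($drive.Free / 1GB, 1)
if ($freeGB -lt $MinimumFreeGB) {
    Write-Warning "$wsusContent has $freeGB GB free, below the $MinimumFreeGB GB you set."
} else {
    Write-Host "$wsusContent has $freeGB GB free."
}

# 3. The partner catalog list is fetched from download.microsoft.com over TCP 443.
#    A direct TCP probe fails when outbound traffic must go through the SUP proxy,
#    so treat a failure here as "check the proxy", not as proof the site cannot sync.
$probe = Test-NetConnection -ComputerName 'download.microsoft.com' -Port 443 -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    Write-Host 'download.microsoft.com:443 is reachable directly.'
} else {
    Write-Warning 'No direct TCP 443 to download.microsoft.com; confirm the SUP proxy settings and the WSUS server connection account.'
}
```

Vendor catalogs and their content files are fetched from the vendors' own hosts, so repeat the TCP probe for each catalog download URL you subscribe to, including any port other than 443 the vendor uses.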
3. Review and approve the catalog certificate on the Review and approve page of the wizard.
NOTE
When you subscribe to a third-party software update catalog, the certificate that you review and approve in the
wizard is added to the site. This certificate is of type Third-party Software Updates Catalog . You can manage
it from the Certificates node under Security in the Administration workspace.
4. If the third-party catalog is v3, you'll be offered pages to Select Categories and Stage Content . For more
information about configuring these options, see the Third-party v3 catalog options section.
5. Choose your options on the Schedule page:
Simple schedule : Choose the hour, day, or month interval. The default is a simple schedule that
synchronizes every 7 days.
Custom schedule : Set a complex schedule.
6. Review your settings on the Summary page and complete the wizard.
7. After the catalog is downloaded, the product metadata needs to be synchronized from the WSUS database
into the Configuration Manager database. Manually start the software updates synchronization to
synchronize the product information.
8. Once the product information is synchronized, configure the SUP to synchronize the desired product into
Configuration Manager.
9. Manually start the software updates synchronization to synchronize the new product's updates into
Configuration Manager.
10. When the synchronization completes, you can see the third-party updates in the All Updates node. These
updates are published as metadata-only updates until you choose to publish them.
The icon with the blue arrow represents a metadata-only software update.
NOTE
When you publish third-party software update content, any certificates used to sign the content are added to the
site. These certificates are of type Third-party Software Updates Content . You can manage them from the
Certificates node under Security in the Administration workspace.
5. Review the progress in the SMS_ISVUPDATES_SYNCAGENT.log. The log is located on the top-level
software update point in the site system Logs folder.
6. Deploy the updates using the Deploy software updates process.
7. On the Download Locations page of the Deploy Software Updates Wizard , select the default option
to Download software updates from the internet . In this scenario, the content is already published
to the software update point, which is used to download the content for the deployment package.
8. Clients will need to run a scan and evaluate updates before you can see compliance results. You can
manually trigger this cycle from the Configuration Manager control panel on a client by running the
Software Updates Scan Cycle action.
IMPORTANT
This option is only available for v3 third-party update catalogs, which support categories for updates. These options are
disabled for catalogs that aren't published in the v3 format.
1. In the Configuration Manager console, go to the Software Library workspace. Expand Software
Updates and select the Third-Party Software Update Catalogs node.
2. Select the catalog to subscribe and select Subscribe to Catalog in the ribbon.
3. Choose your options on the Select Categories page:
Synchronize all update categories (default)
Synchronizes all updates in the third-party update catalog into Configuration Manager.
Select categories for synchronization
Choose which categories and child categories to synchronize into Configuration Manager.
4. Choose if you want to Stage update content for the catalog. When you stage the content, all updates in
the selected categories are automatically downloaded to your top-level software update point, so you
don't need to ensure they're already downloaded before deploying. Only stage content automatically for
updates you are likely to deploy, to avoid excessive bandwidth and storage requirements.
Do not stage content, synchronize for scanning only (recommended)
Don't download any content for updates in the third-party catalog
Stage the content for selected categories automatically
Choose the update categories that will automatically download content.
The content for updates in selected categories will be downloaded to the top-level software
update point's WSUS content directory.
5. Set your Schedule for catalog synchronization, then complete the wizard.
IMPORTANT
Some options are only available for v3 third-party update catalogs, which support categories for updates. These options
are disabled for catalogs that aren't published in the v3 format.
1. In the Third-Party Software Update Catalogs node, right-click on the catalog and select Properties or
select Properties from the ribbon.
2. You can update the following information from the General tab :
Download URL (not editable): The HTTPS address of the custom catalog.
Publisher : The name of the organization that publishes the catalog.
Name : The name of the catalog to display in the Configuration Manager Console.
Description : A description of the catalog.
Support URL (optional): A valid HTTPS address of a website to get help with the catalog.
Support Contact (optional): Contact information to get help with the catalog.
3. Choose your options on the Select Categories tab.
Synchronize all update categories (default)
Synchronizes all updates in the third-party update catalog into Configuration Manager.
Select categories for synchronization
Choose which categories and child categories to synchronize into Configuration Manager.
4. Choose your options for the Stage update content tab.
Do not stage content, synchronize for scanning only (recommended)
Don't download any content for updates in the third-party catalog
Stage the content for selected categories automatically
Choose the update categories that will automatically download content.
The content for updates in selected categories will be downloaded to the top-level software
update point's WSUS content directory.
5. Select how often to synchronize the catalog on the Schedule tab.
Simple schedule : Choose the hour, day, or month interval.
Custom schedule : Set a complex schedule.
Status messages
Message ID: 11523
Severity: Warning
Description: Catalog "X" does not include content signing certificates, attempts to publish update content for updates from this catalog may be unsuccessful until content signing certificates are added and approved.
Possible cause: This message can occur when you import a catalog that is using an older version of the cab file format. The certificates for the binaries aren't included in the cab file, so the content will fail to publish.
Possible solution: Contact the catalog provider to obtain an updated catalog that includes the content signing certificates. You can work around this issue by finding the certificate in the Certificates node, unblocking it, then publishing the update again. If you're publishing multiple updates signed with different certificates, you'll need to unblock each certificate that is used.

Message ID: 11524
Severity: Error
Description: Failed to publish update "ID" due to missing update metadata.
Possible cause: The update may have been synchronized to WSUS outside of Configuration Manager.
Possible solution: Synchronize the update with Configuration Manager before attempting to publish its content. If an external tool was used to publish the update as Metadata only , then use the same tool to publish the update content.
PowerShell
You can use the following PowerShell cmdlets to automate the management of third-party updates in
Configuration Manager:
Get-CMThirdPartyUpdateCatalog
New-CMThirdPartyUpdateCatalog
Remove-CMThirdPartyUpdateCatalog
Set-CMThirdPartyUpdateCatalog
Publish-CMThirdPartySoftwareUpdateContent
Get-CMThirdPartyUpdateCategory
Set-CMThirdPartyUpdateCategory
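The script below strings these cmdlets together for the subscribe, synchronize, publish cycle described in this topic. It is an added example, not code from the Configuration Manager documentation or product team. It assumes site code PS1, a catalog already listed under Third-Party Software Update Catalogs with the name Contoso Catalog, and update titles that contain Contoso; the parameter names are the ones I know from the cmdlet reference, but verify them with Get-Help for your console version, since this cmdlet set has changed between releases.

```powershell
# Added example; not from the Configuration Manager documentation.
# Assumptions: site code PS1, catalog name 'Contoso Catalog', update titles containing 'Contoso'.
$SiteCode    = 'PS1'
$CatalogName = 'Contoso Catalog'

# Load the ConfigMgr module from the console installation and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$SiteCode`:"

# Subscribe to the catalog on a simple 7-day schedule (the console default).
$catalog  = Get-CMThirdPartyUpdateCatalog -Name $CatalogName
$schedule = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 7
Set-CMThirdPartyUpdateCatalog -InputObject $catalog -Subscribe -Schedule $schedule

# Subscribing does not remove the trust decision: the catalog certificate is added to
# the site as type "Third-party Software Updates Catalog". Review it under
# Administration > Security > Certificates before relying on the first sync.

# For a v3 catalog, list the categories you could restrict synchronization to.
Get-CMThirdPartyUpdateCategory -Catalog $catalog | Format-Table -AutoSize

# Steps 7-9 above: pull the catalog's products into the site database. The SUP product
# list then has to be updated before the updates themselves synchronize.
Sync-CMSoftwareUpdate -FullSync

# Once the sync has finished (see the usage note), publish content only for the
# metadata-only updates you intend to deploy, then sync again so the published
# content is reflected.
$pending = Get-CMSoftwareUpdate -Fast -Name "*Contoso*" |
           Where-Object { $_.IsMetadataOnlyUpdate -and -not $_.IsSuperseded }
foreach ($update in $pending) {
    Write-Host "Publishing content for $($update.LocalizedDisplayName)"
    Publish-CMThirdPartySoftwareUpdateContent -SoftwareUpdate $update
}
Sync-CMSoftwareUpdate -FullSync
```

Sync-CMSoftwareUpdate returns immediately, so wait for the synchronization to complete (wsyncmgr.log on the site server, or the Software Update Point Synchronization Status node) before running the publish loop, and follow the publishing itself in SMS_ISVUPDATES_SYNCAGENT.log as described above. Publishing adds the vendor's content-signing certificates to the site as type Third-party Software Updates Content and clients are told to trust them, so review that list afterwards: anything signed with one of those certificates will now install on your clients.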
Next step
Deploy software updates
Available third-party software update catalogs
Dell: https://downloads.dell.com/Catalog/DellSDPCatalogPC.cab
Dell: ftp://ftp.dell.com/catalog/DellSDPCatalog.cab
Fujitsu: https://support.ts.fujitsu.com/GFSMS/globalflash/FJSVUMCatalogForSCCM.cab
HP: http://ftp.hp.com/pub/softlib/software/sms_catalog/HpCatalogForSms.latest.cab
Patch My PC (limited catalog): https://patchmypc.com/frequently-asked-questions#trial-catalog
The HP catalog and the second Dell catalog are served over plain HTTP and FTP; the integrity of those catalogs rests on the certificate you review and approve when subscribing, not on the transport.
Next steps
Add custom catalogs for third party software updates
Configure the SUP to synchronize the product into Configuration Manager
Example scenario to deploy and monitor monthly
software updates
Process: Review the key concepts for software updates.
Reference: Introduction to software updates

Process: Plan for software updates. This information helps you to plan for capacity considerations, determine the software update point infrastructure, software update point installation, synchronization settings, and client settings for software updates.
Reference: Plan for software updates

Process: Configure software updates. This information helps you to install and configure software update points in your hierarchy and helps to configure and synchronize software updates.
Reference: Synchronize software updates
The following sections in this topic provide example steps to help you to deploy and monitor Configuration
Manager security software updates in your organization.
Process: From the All Software Updates node in the Configuration Manager console, the Configuration Manager administrator adds criteria to display only security software updates that are released or revised in year 2015 that meet the following criteria:
Reference: No additional information

Process: The ConfigMgr Administrator adds all of the filtered software updates to a new software update group with the following requirements:
Reference: Add software updates to an update group

Process: The ConfigMgr Admin creates an automatic deployment rule with the following requirements:
Reference: Automatically deploy software updates

Process: The ConfigMgr Admin verifies that software updates synchronization completed successfully.
Reference: Software updates synchronization status

Process: The ConfigMgr Admin creates two test deployments for the new software update group. The admin considers the following environments for each deployment:
Reference: Deploy software updates

Process: The ConfigMgr Admin verifies that the test deployments have successfully deployed.
Reference: Software updates deployment status

Process: The ConfigMgr Admin updates the two deployments with new collections that include the production workstations and servers.
Reference: No additional information

Process: The ConfigMgr Admin monitors the software updates deployment status in the Configuration Manager console and checks the software update deployment reports available from the console.
Reference: Monitor software updates

Process: The ConfigMgr Admin selects the software updates from the monthly software update group and adds them to the software update group that was created for yearly compliance. The admin tracks software update compliance and creates various reports for management.
Reference: Add software updates to a deployed update group

The ConfigMgr Admin has successfully completed the monthly deployment for security software updates. The admin continues to monitor and report on software update compliance to ensure that the clients in the environment are within acceptable compliance levels.
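The first half of the monthly procedure above, scripted as an added example that is not part of the documentation: it filters the month's security updates the way the console filter does, puts them in a new software update group, and creates the first test deployment against a pilot collection. It assumes site code PS1 and an existing collection named Pilot Workstations; the group and deployment names are arbitrary.

```powershell
# Added example; not from the Configuration Manager documentation.
# Assumptions: site code PS1, an existing pilot collection 'Pilot Workstations'.
$SiteCode   = 'PS1'
$Pilot      = 'Pilot Workstations'
$MonthStart = (Get-Date -Day 1).Date
$MonthEnd   = $MonthStart.AddMonths(1).AddSeconds(-1)
$GroupName  = 'Security Updates ' + $MonthStart.ToString('yyyy-MM')

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$SiteCode`:"

# Mirror the console filter: classification Security Updates, released or revised this
# month, not expired, not superseded. -Fast skips lazy properties, which keeps the
# query quick against a large update catalog.
$updates = Get-CMSoftwareUpdate -Fast -UpdateClassification 'Security Updates' `
               -DateRevisedMin $MonthStart -DateRevisedMax $MonthEnd `
               -IsExpired $false -IsSuperseded $false

if (-not $updates) {
    throw "No security updates match $($MonthStart.ToString('yyyy-MM')); check the SUP synchronization status first."
}

# Create the monthly software update group from the filtered set.
New-CMSoftwareUpdateGroup -Name $GroupName -SoftwareUpdateId $updates.CI_ID | Out-Null

# First test deployment: required, available now, deadline in 7 days, pilot collection only.
New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $GroupName -CollectionName $Pilot `
    -DeploymentName "$GroupName - Pilot" -DeploymentType Required `
    -AvailableDateTime (Get-Date) -DeadlineDateTime (Get-Date).AddDays(7) | Out-Null

# Review what went into the group before widening the deployment to production collections.
Get-CMSoftwareUpdate -Fast -UpdateGroupName $GroupName |
    Select-Object ArticleID, LocalizedDisplayName, SeverityName, DateRevised |
    Sort-Object DateRevised -Descending
```

Run the group creation only after the synchronization status check in the procedure has passed; otherwise the filter silently misses anything Microsoft released or revised after the last successful sync.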
Workspaces
When you open Updates Publisher, it defaults to the Overview node of the Updates Workspace.
System Center Updates Publisher has an authoring mode to help you author your updates. When you
enable authoring mode, a Categories Workspace is added to the start screen, and a Detectoid button is
added to the Updates Workspace.
To enable authoring mode
1. In the upper left corner of the console, click on the Updates Publisher Properties tab, and then choose
Options .
2. Go to the Authoring options.
3. Check the box for Enable authoring mode .
About the categories workspace
The categories workspace enables update authors to organize updates that belong together. For instance, if
you're an OEM, you might wish to organize your updates based on models or product lines. You can define
multiple categories and child categories but not grandchild categories, as you're limited to two levels.
Release history
2019 RTW version 6.0.394.0. Released November 6, 2019.
Update rollup version 6.0.283.0 from KB4462765. Released September 7, 2018.
2017 RTW version 6.0.276.0. Released March 26, 2018.
Next steps
To get started, first install, and then configure options for Updates Publisher.
Install Updates Publisher
Next steps
After you install Updates Publisher, we recommend configuring the options for Updates Publisher. You must
configure some options before you can use some features of Updates Publisher.
However, if you want to use the defaults and don't plan to deploy updates to an update server or to managed
devices, you can jump right to managing software update catalogs, or create software updates and create
update catalogs of your own.
Configure options for Updates Publisher
Update Server
You must configure Updates Publisher to work with an update server like Windows Server Update Services
(WSUS) before you can publish updates. This includes specifying the server, the method used to connect to that
server when it is remote from the console, and a certificate to use to digitally sign the updates you publish.
Configure an update server . When you configure an update server, select the top-level WSUS server
(update server) in your Configuration Manager hierarchy so that all child sites have access to the updates
that you publish.
If your update server is remote from your Updates Publisher server, specify the fully qualified domain
name (FQDN) of the server, and if you will connect by SSL. When you connect by SSL, the default port
changes from 8530 to 8531. Ensure the port you set matches what is in use by your update server.
TIP
If you do not configure an update server, you can still use Updates Publisher to author software updates.
Configure the signing certificate . You must configure and successfully connect to an update server
before you can configure the signing certificate.
Updates Publisher uses the signing certificate to sign the software updates that are published to the
update server. Publishing fails if the digital certificate is not available in the certificate store of the update
server or the computer that runs Updates Publisher.
For more information about adding the certificate to the certificate store, see Certificates and security for
Updates Publisher.
If a digital certificate is not automatically detected for the update server, choose one of the following:
Browse : Browse is only available when the update server is installed on the server where you run
the console. After you select a certificate you must choose Create to add that certificate to the
WSUS certificate store on the update server. You must enter the .pfx file password for certificates
that you select by this method.
Create: Use this option to create a new certificate. This also adds the certificate to the WSUS
certificate store on the update server.
If you create your own signing certificate , configure the following:
Enable the Allow private key to be exported option.
Set Key Usage to digital signature.
Set Minimum key size to a value equal to or greater than 2048 bit.
Use the Remove option to remove a certificate from the WSUS certificate store. This option is available
when the update server is local to the Updates Publisher console you use, or when you used SSL to
connect to a remote update server.
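The following PowerShell is an added example, not the product's own procedure. It produces a signing certificate that meets the three requirements above (exportable private key, Digital Signature key usage, 2048-bit key) and exports the public half for the client trust stores. The subject name, file paths and validity period are assumptions, and in production you would normally request an equivalent code-signing certificate from your enterprise CA rather than self-sign.

```powershell
# Added example; not from the Updates Publisher documentation.
# Assumptions: subject name, output paths and a 3-year validity are placeholders.
$Subject = 'CN=Contoso Updates Publisher Signing'
$PfxPath = 'C:\Certs\SCUPSigning.pfx'
$CerPath = 'C:\Certs\SCUPSigning.cer'
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# The three settings the page requires: exportable key, DigitalSignature key usage,
# and a key of at least 2048 bits. CodeSigningCert adds the Code Signing EKU.
$cert = New-SelfSignedCertificate -Subject $Subject -Type CodeSigningCert `
            -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
            -KeyExportPolicy Exportable -CertStoreLocation 'Cert:\LocalMachine\My' `
            -NotAfter (Get-Date).AddYears(3)

# The .pfx (private key) goes only to the update server / Updates Publisher computer;
# it is the file you select with Browse in the signing certificate wizard.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPass | Out-Null

# The .cer (public key only) is what managed clients have to trust.
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null

# On each client (normally via Group Policy rather than this loop), the certificate must
# be in Trusted Root Certification Authorities (a self-signed cert is its own root) and in
# Trusted Publishers; otherwise the Windows Update Agent rejects locally published updates.
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# Verify, and look for anything unexpected: every subject listed here can sign updates
# that your clients will install.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Select-Object Subject, Thumbprint, NotAfter
```

Clients also need the Windows Update Agent policy Allow signed updates from an intranet Microsoft update service location (registry value AcceptTrustedPublisherCerts = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate); without it, locally published updates are rejected even when the certificate itself is trusted. Remove the .pfx from any location other than the update server once it has been imported.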
ConfigMgr Server
Use these options when you use Configuration Manager with Updates Publisher.
Specify the Configuration Manager server : After you enable support for Configuration Manager,
specify the location of the top-tier site server from your Configuration Manager hierarchy. If that server is
remote from the Updates Publisher install, specify the FQDN of the site server. Choose Test Connection
to ensure you can connect to the site server.
Configure thresholds: Thresholds are used when you publish updates with a publication type of
Automatic. The threshold values help determine when the full content for an update is published instead
of only the metadata. To learn more about publication types, see Assign updates to a publication.
You can configure one or both of the following thresholds:
Requested client count threshold: This defines how many clients must request an update
before Updates Publisher can automatically publish the full set of content for that update. Until the
specified number of clients request the update, only the updates metadata is published.
Package source size threshold (MB): This prevents automatic publishing of updates that
exceed the size you specify. If the updates size exceeds this value, only the metadata is published.
Updates that are smaller than the specified size can have their full content published.
Proxy Settings
Updates Publisher uses the proxy settings when you import software catalogs from the Internet or publish
updates to the Internet.
Specify the FQDN or IP address of a proxy server. IPv4 and IPv6 are supported.
If the proxy server authenticates users for Internet access, you must specify the Windows account name. A
user principal name (UPN) is not supported.
Trusted Publishers
When you import an update catalog, the source of that catalog (based on its certificate), is added as a trusted
publisher. Similarly, when you publish an update, the source of the updates certificate is added as a trusted
publisher.
You can view certificate details for each publisher and remove a publisher from the list of trusted publishers.
Content from publishers that are not trusted can potentially harm client computers when the client scans for
updates. You should accept content only from publishers that you trust.
Advanced
Advanced options include the following:
Repository location: View and modify the location of the database file, scupdb.sdf . This file is the
repository for Updates Publisher.
Timestamp: When enabled, a timestamp is added to updates you sign that identifies when it was signed.
An update that was signed while a certificate was valid can be used after that signing certificate expires.
By default, software updates cannot be deployed after their signing certificate expires.
Check for updates to subscribed catalogs: Each time Updates Publisher starts, it can automatically
check for updates to catalogs that you have subscribed to. When a catalog update is found, details are
provided as Recent Alerts in the Overview window of the Updates Workspace .
Certificate revocation: Choose this option to enable certificate revocation checks.
Local source publishing: Updates Publisher can use a local copy of an update you are publishing
before downloading that update from the Internet. The location must be a folder on the computer that
runs Updates Publisher. By default, this location is My Documents\LocalSourcePublishing. Use this
when you have previously downloaded one or more updates, or have made modifications to an update
you want to deploy.
Software Updates Cleanup Wizard: Start the updates cleanup wizard. The wizard expires updates that
are on the update server but not in the Updates Publisher repository. See Expire unreferenced updates
for more details.
Updates
Updates Publisher can automatically check for new updates each time it opens. You can also opt into receiving
preview builds of Updates Publisher.
Logging
Updates Publisher logs basic information about Updates Publisher to
%WINDIR%\Temp\UpdatesPublisher.log .
Use notepad or CMTrace to view the log. CMTrace is the Configuration Manager log file tool and can be found
in the \SMSSetup\Tools folder of the Configuration Manager source media.
You can change the size of the log and its level of detail.
When you enable database logging, information about the queries that are run against the Updates Publisher
database are included. Use of database logging can lead to reduced performance of the Updates Publisher
computer.
To view the log file, in the console open Updates Publisher Properties , and then choose View log file .
NOTE
Deleting a catalog from Updates Publisher results in the updates in that catalog being removed from your repository. This
does not affect the updates you have published to your update server. To remove updates from your update server that
are no longer in your repository, see Expire unreferenced software updates.
Import updates
When you import a catalog, Updates Publisher adds the updates from that catalog to the Updates Publisher
repository. After updates are imported, you can publish them to your update server to make them available to
managed devices.
To import updates
1. To start the Import Catalog wizard, choose Import from the Ribbon in one of the following
workspaces:
Catalogs Workspace
Updates Workspace
2. On the Import Type page, select one or more catalogs you've added to Updates Publisher, or specify a
path to a catalog you have not yet added as a subscription. Choose Next to view the summary screen, and
when ready, choose Next to start the import.
3. On the Security Warning – Catalog Validation window, review the catalog certificate, and when
ready, choose Accept to import the updates.
Caution
Accept updates only from publishers that you trust. Software updates from publishers who are not
trusted can potentially harm client computers when scanning for updates.
If you no longer trust a publisher, remove that publisher from the trusted publishers list. To find more
information about accepting catalogs, click Tell Me More in the Security Warning – Catalog
Validation dialog box.
If you choose to always accept catalogs from a publisher, that publisher is added to the trusted publishers
list. You can review and edit this list as an Updates Publisher option.
4. Import skips import of an update when the update is already in the repository and one of the following is
true:
The update is unchanged from the last time it was imported.
The update has been edited and has a new digital hash. Editing an update prevents a new update
from overwriting the original as doing so would overwrite changes you might have deployed.
5. On the Confirmation page review the import results.
6. Click Close to complete the wizard. You can now view the updates for this catalog in the Updates
Workspace.
Next steps
After you import updates, common actions include:
Manage updates to bundle, assign, and deploy them your update server.
Create applicability rules to help determine when updates deploy to your update server.
Manage software updates in Updates Publisher
NOTE
Updates Publisher can only publish updates that are 375 megabytes (MB) or less in size.
Export updates
You can export updates and bundles from your Updates Publisher repository to create a custom update catalog.
Then, you can add and then import that catalog to another instance of Updates Publisher. (You can also export
updates as a publication.)
To export directly, go to Updates Workspace > All Software Updates and select one or more updates and
bundles. You cannot export a vendor or product folder, but you can select a folder and then select the updates in
that folder for export.
With one or more updates selected, choose Export from the Home tab of the ribbon, and then provide a path
and filename for the catalog export.
You will have the option to export (include) dependent software updates.
Create publications
Publications are created two ways:
When you manage updates and bundles in the Updates Workspace , you can assign them to a new
publication that is created at that time.
In the Publications Workspace, you can use the Create button on the Publication tab of the ribbon.
This method lets you create a publication for future use. Later, when you assign updates, you can use this
publication.
Rename a publication
To rename a publication, select the publication from within the Publications Workspace , and then on the
Publication tab of the ribbon, choose Edit .
TIP
When you set the publication type of a bundle, all the software updates in that bundle are published with the publication
type of that bundle.
Publish publications
When you publish updates and bundles, Updates Publisher adds information about those updates and bundles
(metadata) and possibly the binaries for the updates (full content), to an update server for deployment to
devices.
Before you have the option to publish, you must configure the Update Server option for Updates Publisher. To
open this configuration option, go to Updates Workspace > Overview and select Configure WSUS and
Signing Certificate. You can also go to the Update Server page in the Updates Publisher options.
NOTE
Updates Publisher can only publish updates that are 375 megabytes (MB) or less in size.
To publish a publication
1. Go to the Publications Workspace , and then select a publication that contains the group of updates
and bundles that you want to publish or export. Then choose Publish from Home tab of the ribbon.
2. On the Select page of the Publish wizard you can choose to sign all updates with a new publishing
certificate, but you cannot change the publication type.
3. Complete the wizard.
If publishing fails, you are presented with a link to the UpdatesPublisher.log file that can provide more
information.
Export a publication
You can export a publication from your Updates Publisher repository. Doing so exports the updates and bundles
that are assigned to that publication and creates an update catalog. You can then add and then import that
catalog to another instance of Updates Publisher. You can also export updates that are not part of a publication.
To export a publication, go to the Publications Workspace and select the publication that contains updates
that you want to export. You can only select one publication at a time.
With the publication selected, choose Export from the Home tab of the ribbon, and then provide a path and
filename for the catalog export.
You also have the option to export (include) dependent software updates as part of the export.
Delete a publication
To delete a publication, select the publication the Publications Workspace , and then choose Delete from the
Publication tab of the ribbon.
After the publication is removed from Updates Publisher, the updates that were in the publication remain
available in the Updates Publisher repository.
3. On the Information page, specify details about the update that are included when the update is
published or exported. Details include localized properties like the update's name (title) and description.
Then, you specify more general details such as the classification, vendor, product, and where to learn
more about the update.
Localized properties:
Language : Select a language and then specify a title and description. You can then select
additional languages, one at a time, with each language supporting its own title and description.
Title : Enter the name of the update. This name displays in the Updates Workspace of the Updates
Publisher console.
Description : A friendly description of the update. You might include what the update installs, and
why or when it should be used.
Classification: The following are common descriptions for the different classifications.
Update : An update to an application or file that is currently installed.
Critical : A broadly released update for a specific problem that addresses a critical bug that is not
related to security.
Feature Pack : New product features that are distributed outside of a product release and are
typically included in the next full product release.
Security : A broadly released update for a product-specific issue that is related to security.
Update Rollup : A cumulative set of hotfixes that are packaged together for easy deployment.
These hotfixes can include security updates, critical updates, updates, and so on. An update rollup
generally addresses a specific area, such as security or a product feature.
Service Pack : A cumulative set of hotfixes that are applied to an application. These hotfixes can
include security updates, critical updates, software updates, and so on.
Tool : Specifies a tool or feature that helps complete one or more tasks.
Driver : An update for driver software.
Vendor : Specify a vendor for the update. You can use the dropdown list to use values from updates that
are in the repository. When you specify a vendor, the wizard creates a folder with that vendor name under
All Software Updates in the Updates Workspace if that folder does not already exist. The following
are Windows Server Update Services (WSUS) reserved names that cannot be entered for updates you
create:
Microsoft Corporation
Microsoft
Update
Software Update
Tools
Tool
Critical
Critical Updates
Security
Security Updates
Feature Pack
Update Rollup
Service Pack
Driver
Driver Update
Bundle
Bundle Update
Product : Specify the type of product that the update is for. You can use the dropdown list to use values
from updates that are in the repository. The same list of WSUS reserved names that cannot be used for
Vendor , cannot be used for Product .
More info URL : Specify the URL where you can find more information about this update. You must use
lowercase letters for https or http when you enter this URL.
4. On the Optional Info page, you can configure details that provide additional information about the
update.
Bulletin ID : Bulletin IDs are usually, but not always, provided by update vendors.
Article ID : If a software update article is available, the Article ID can be useful to individuals
seeking additional information about the update.
CVE IDs: List one or more Common Vulnerabilities and Exposures (CVE) identifiers that provide
security information about the update or update bundle. When listing more than one, use a
semicolon to separate the CVEs as in this example: CVE1;CVE2.
Support URL: List the URL that contains support information for this update, if available. You
must use lowercase letters for https or http when you enter this URL.
Severity: Set the severity level for this update.
Impact: The following options can be used to specify impact:
Normal – Use this to indicate the update requires typical installation procedures.
Minor – Use this to indicate the update requires minimal installation procedures.
Requires exclusive handling – Use this to indicate the update must be installed by itself,
exclusive from any other updates.
Restart Behavior : Use this to provide information about the update's restart behavior. This
setting does not affect the actual behavior of the update install.
Never reboots : The computer never performs a system restart after installing the software
update.
Always requires reboot : The computer always performs a system restart after installing the
software update.
Can request reboot : After installing the software update, the computer requests a system
restart only if a restart is necessary. The user has the option to postpone the restart. This is the
default value.
5. On the Prerequisite page, specify the prerequisites that must be installed on a computer before this
update can install. Prerequisites can be detectoids or other updates. Detectoids are high-level rules like
one that requires the computer's CPU to be a 64-bit processor. Detectoids can also specify specific
updates that must be installed before this update can install.
For better performance, use detectoids instead of creating installable and installed rules that perform
the same check or action.
Use the search option for Available software updates and detectoids to help you find specific
updates or detectoids. For example, search on CPU to find the detectoids that let you limit installation
based on specific CPU architecture.
You can select one or more items at a time to add as a prerequisite. When adding prerequisites, the
selected detectoids are added as one or more groups. To qualify for installation, a computer must meet
the requirement of at least one member of each group that you configure:
When you click Add Prerequisite, all items you have selected are added to separate, individual,
groups. To qualify for this update, a computer must meet the prerequisite in this group and pass
requirements for any additional groups that are configured.
When you click Add Group, all items you have selected are added to a single group. To qualify for
this update, a computer must meet at least one of the prerequisites in this group and pass
requirements for any additional groups that are configured.
6. On the Supersedence page, specify the updates that are replaced (superseded) by this update. When
this update is published, Configuration Manager will mark each update that is superseded as Expired .
Clients will then install this update instead of the superseded updates.
7. On the Applicability page, use the Rule Editor to define a set of rules that determine whether a device
needs this update. (This page is similar to the Installed page that follows it.)
To add a new rule, click on . This opens the Applicability Rule page where you can configure rules.
Types of rules you can create include:
File – Use this rule to require that a device have a file with properties that meet one or more
criteria you specify before this update can be applied.
Registry – Use this type to specify registry details that must be present before a device qualifies
to install this update.
System – This rule uses system details to determine applicability. You can choose between
defining a Windows version, a Windows language, or a processor architecture, or specify a WMI query
to identify the device's operating system.
Windows Installer – Use this rule type to determine applicability based on an installed .MSI or
Windows Installer patch (.MSP). You can also determine whether specific components or features are
installed as part of the requirement.
IMPORTANT
On managed devices, the Windows Update Agent cannot detect Windows Installer packages that are
installed per-user. When you use this rule type, configure additional applicability rules, like file versions or
registry key values, so that the Windows Installer package can be properly detected whether it was installed
per-user or per-system.
Saved rule – This option lets you find and use rules you created in the Rules Workspace.
After you create a rule, you can use the other icons to modify the rule, and if there are multiple
rules, to define relationships between those rules.
When you are done creating and adding rules, click OK in the Create Rule Set dialog box to save that
set. You can then create a New rule and add that to the set as well.
When you have multiple rules or rule sets to add to an update, you can use the logical operators in the
Rule Editor to determine conditions between the rules, and in which order they process.
8. On the Installed page, use the Rule Editor to define a set of rules that determine whether a device has
already installed the update you are configuring. (This page is similar to the Applicability page that
precedes it.)
This page of the wizard supports configuring rules with the same options and criteria as the
Applicability page.
When the wizard completes, the new update is added to a node in the Updates Workspace that is
identified by the Vendor and Product name you used for that update.
For example, the Rule Editor displays a rule set that requires a file to exist and the Windows language to be either English or Japanese as:
And
    File '[PROGRAM_FILES]\Microsoft\MyFile' exists
    Or
        Windows Language is English
        Windows Language is Japanese
All updates require at least one applicability rule. Updates you import already have applicability rules applied,
and when you create your own updates, you must add one or more rules to them. You can modify and expand
on the rules for any update in Updates Publisher.
To view rules you have created, in the Rules Workspace, select a rule from the My saved rules list. The
individual conditions and logical operations for that rule display in the Applicability Rules pane of the console.
Rules for updates that you import can only be viewed and modified when you edit that update.
You can create rules in two locations in Updates Publisher:
In the Rules Workspace, you create and save rule sets that you can then use later. When editing or
creating an update you can select Saved rule as the Rule type, and then select from a list of your
pre-created rule sets.
You can also create new rules at the time that you create or edit an update. Rules you create in this way
are not saved for future use.
2. Specify a name for the rule, and then click . This opens the Applicability Rule page where you can
configure rules.
3. For Rule type, select one of the following. The options you must configure vary for each type:
File – Use this rule to require that a device have a file with properties that meet one or more
criteria you specify before this update can be applied.
Registry – Use this type to specify registry details that must be present before a device qualifies
to install this update.
System – This rule uses system details to determine applicability. You can choose between
defining a Windows version, a Windows language, or a processor architecture, or specify a WMI query
to identify the device's operating system.
Windows Installer – Use this rule type to determine applicability based on an installed .MSI or
Windows Installer patch (.MSP). You can also determine whether specific components or features are
installed as part of the requirement.
IMPORTANT
On managed devices, the Windows Update Agent cannot detect Windows Installer packages that are
installed per-user. When you use this rule type, configure additional applicability rules, like file versions or
registry key values, so that the Windows Installer package can be properly detected whether it was installed
per-user or per-system.
Saved rule – This option lets you find and use rules that you previously configured and saved.
4. Continue to add and configure additional rules as desired.
5. Use the logical operation buttons to order and group different rules to create more complex prerequisite
checks.
6. When the rule set is complete, click OK to save it. The rule set now appears in the My saved rules list.
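The prerequisite grouping (Add Prerequisite versus Add Group) and the And/Or applicability rule sets described above, modelled as an added Python example; this is not Updates Publisher or Configuration Manager code. It assumes a constructed in-memory device description in place of a live Windows host, so only file presence, a registry value, the Windows language and the processor architecture are checked (the real File rule also matches version, size and date). The class names, the functions qualifies, add_prerequisite, add_group, prerequisite_rule and describe, and the sample prerequisite path are this example's own.

```python
"""Model of Updates Publisher-style applicability and prerequisite logic.

Added example, not product code. A rule set is a tree of And/Or nodes over
leaf checks; the Prerequisite page yields an And of Or-groups, because a
device must meet at least one member of every group.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple, Union

# Constructed device description (an assumption of this example): file paths
# present, a registry value map keyed by (key, value name), and System facts.
Device = Dict[str, object]


@dataclass(frozen=True)
class FileExists:
    """File rule: a file at this path must be present. [PROGRAM_FILES] is kept
    as the literal token the page shows rather than expanded."""
    path: str

    def evaluate(self, device: Device) -> bool:
        return self.path in device["files"]


@dataclass(frozen=True)
class RegistryValueEquals:
    """Registry rule: the named value under the key must equal the data."""
    key: str
    name: str
    expected: object

    def evaluate(self, device: Device) -> bool:
        return device["registry"].get((self.key, self.name)) == self.expected


@dataclass(frozen=True)
class WindowsLanguage:
    """System rule: the installed Windows language must match."""
    language: str

    def evaluate(self, device: Device) -> bool:
        return device["language"] == self.language


@dataclass(frozen=True)
class ProcessorArchitecture:
    """System rule (the kind of check a CPU detectoid performs)."""
    architecture: str

    def evaluate(self, device: Device) -> bool:
        return device["architecture"] == self.architecture


@dataclass(frozen=True)
class And:
    """Logical operator: every child rule must hold."""
    rules: Tuple[Rule, ...]

    def evaluate(self, device: Device) -> bool:
        return all(r.evaluate(device) for r in self.rules)


@dataclass(frozen=True)
class Or:
    """Logical operator: at least one child rule must hold."""
    rules: Tuple[Rule, ...]

    def evaluate(self, device: Device) -> bool:
        return any(r.evaluate(device) for r in self.rules)


Rule = Union[FileExists, RegistryValueEquals, WindowsLanguage,
             ProcessorArchitecture, And, Or]


def qualifies(rule: Rule, device: Device) -> bool:
    """True when the device meets the whole rule set."""
    return rule.evaluate(device)


def add_prerequisite(selected: Sequence[Rule]) -> List[Tuple[Rule, ...]]:
    """Add Prerequisite: each selected item becomes its own group (all required)."""
    return [(item,) for item in selected]


def add_group(selected: Sequence[Rule]) -> List[Tuple[Rule, ...]]:
    """Add Group: all selected items form one group (any one suffices)."""
    return [tuple(selected)]


def prerequisite_rule(groups: Sequence[Tuple[Rule, ...]]) -> Rule:
    """At least one member of every group must be met: an And of Ors."""
    return And(tuple(Or(group) for group in groups))


def describe(rule: Rule, depth: int = 0) -> str:
    """Render a rule tree in the indented And/Or layout the Rule Editor shows."""
    pad = "    " * depth
    if isinstance(rule, (And, Or)):
        return "\n".join([pad + type(rule).__name__]
                         + [describe(c, depth + 1) for c in rule.rules])
    if isinstance(rule, FileExists):
        return f"{pad}File '{rule.path}' exists"
    if isinstance(rule, WindowsLanguage):
        return f"{pad}Windows Language is {rule.language}"
    if isinstance(rule, ProcessorArchitecture):
        return f"{pad}Processor architecture is {rule.architecture}"
    return f"{pad}Registry value {rule.key}\\{rule.name} equals {rule.expected!r}"


# The applicability rule set shown on the page: file present AND (English OR Japanese).
PAGE_RULE: Rule = And((
    FileExists(r"[PROGRAM_FILES]\Microsoft\MyFile"),
    Or((WindowsLanguage("English"), WindowsLanguage("Japanese"))),
))


def sample_device(language: str, has_file: bool, arch: str = "x64") -> Device:
    """Constructed device description used for the demonstration."""
    files: Set[str] = {r"[PROGRAM_FILES]\Microsoft\MyFile"} if has_file else set()
    return {"files": files, "registry": {}, "language": language, "architecture": arch}


if __name__ == "__main__":
    print(describe(PAGE_RULE))
    for lang, present in (("English", True), ("Japanese", False), ("German", True)):
        print(lang, present, "->", qualifies(PAGE_RULE, sample_device(lang, present)))
```

The point the two wizard buttons hide is visible in prerequisite_rule: selecting a 64-bit detectoid and a prerequisite update and clicking Add Prerequisite requires both, while selecting the same two items and clicking Add Group accepts either one, which is rarely what you want for a security update that depends on a specific prior fix.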
NOTE
The WUA also checks whether the Allow signed content from intranet Microsoft update service
location Group Policy setting is enabled on the local computer. This policy setting must be enabled for WUA to
scan for the updates that were created and published with Updates Publisher. For more information about
enabling this Group Policy setting, see How to Configure the Group Policy on Client Computers.