Software Update Management Documentation

This document provides an overview of software update management in Configuration Manager. It describes the process for synchronizing software updates from Microsoft Update and distributing them to client computers through software update points. It explains how Configuration Manager assesses software update compliance on clients to determine which updates are required before deploying updates. It also describes the different compliance states for software updates and the process by which clients scan for updates and report compliance information.

Contents

Software update management documentation


Understand and explore
Introduction to software updates
Icons used for software updates
Plan and design
Plan for software updates
Prerequisites for software updates
Best practices for software updates
Security and privacy for software updates
Get started
Prepare for software updates management
Install a software update point
Synchronize software updates
Configure classifications and products
Manage settings for software updates
Configure a software update point to use SSL
Synchronize software updates in disconnected environments
Synchronize software updates from a disconnected software update point
Synchronize Microsoft 365 Apps updates from a disconnected software update point
Deploy and use
Download software updates
Add software updates to an update group
Deploy software updates
Manually deploy software updates
Automatically deploy software updates
Create a phased deployment
Monitor software updates
Manage and monitor phased deployments
Software updates maintenance
Orchestration groups
Service a server group
Office 365 client management dashboard
Manage Microsoft 365 Apps updates
Optimize Windows 10 update delivery
Manage Express installation files for Windows 10 updates
Manage Surface drivers
Integration with Windows Update for Business in Windows 10
Third-party software updates
Third-party update catalogs
Example scenario to deploy security updates
System Center Updates Publisher
Install
Configure options
Manage catalogs
Manage updates
Manage publications
Create new updates
Applicability rules
Certificates and security
Introduction to software updates in Configuration Manager
9/17/2021 • 21 minutes to read

Applies to: Configuration Manager (current branch)


Software updates in Configuration Manager provide a set of tools and resources that can help manage the
complex task of tracking and applying software updates to client computers in the enterprise. An effective
software update management process is necessary to maintain operational efficiency, overcome security issues,
and maintain the stability of the network infrastructure. However, because of the changing nature of technology
and the continual appearance of new security threats, effective software update management requires
consistent and continual attention.
For an example scenario that shows how you might deploy software updates in your environment, see Example
scenario to deploy security software updates.

Software updates synchronization


Software updates synchronization in Configuration Manager connects to Microsoft Update to retrieve software
updates metadata. The top-level site (central administration site or stand-alone primary site) synchronizes with
Microsoft Update on a schedule or when you manually start synchronization from the Configuration Manager
console. When Configuration Manager finishes software updates synchronization at the top-level site, software
updates synchronization starts at child sites, if they exist. When synchronization is complete at each primary site
or secondary site, a site-wide policy is created that provides to client computers the location of the software
update points.

NOTE
Software updates are enabled by default in client settings. However, if you set the Enable software updates on clients
client setting to No to disable software updates on a collection or in the default settings, the location of the software
update points is not sent to the associated clients. For details, see software updates client settings.

After the client receives the policy, the client starts a scan for software updates compliance and writes the
information to Windows Management Instrumentation (WMI). The compliance information is then sent to the
management point that then sends the information to the site server. For more information about compliance
assessment, see the Software updates compliance assessment section in this topic.
You can install multiple software update points at a primary site. The first software update point that you install
is configured as the synchronization source. This synchronizes from Microsoft Update or a WSUS server not in
your Configuration Manager hierarchy. The other software update points at the site use the first software update
point as the synchronization source.

NOTE
When the software updates synchronization process is complete at the top-level site, the software updates metadata is
replicated to child sites by using database replication. When you connect a Configuration Manager console to the child
site, Configuration Manager displays the software updates metadata. However, until you install and configure a software
update point at the site, clients will not scan for software updates compliance, clients will not report compliance
information to Configuration Manager, and you cannot successfully deploy software updates.
Synchronization on the top-level site
The software updates synchronization process at the top-level site retrieves from Microsoft Update the software
updates metadata that meets the criteria that you specify in Software Update Point Component properties. You
configure the criteria only at the top-level site.

NOTE
You can specify an existing WSUS server that is not in the Configuration Manager hierarchy instead of Microsoft Update
as the synchronization source.

The following list describes the basic steps for the synchronization process on the top-level site:
1. Software updates synchronization starts.
2. WSUS Synchronization Manager sends a request to WSUS running on the software update point to start
synchronization with Microsoft Update.
3. The software updates metadata is synchronized from Microsoft Update, and any changes are inserted or
updated in the WSUS database.
4. When WSUS has finished synchronization, WSUS Synchronization Manager synchronizes the software
updates metadata from the WSUS database to the Configuration Manager database, and any changes
after the last synchronization are inserted or updated in the site database. The software updates metadata
is stored in the site database as a configuration item.
5. The software updates configuration items are sent to child sites by using database replication.
6. When synchronization has finished successfully, WSUS Synchronization Manager creates status message 6702.
7. WSUS Synchronization Manager sends a synchronization request to all child sites.
8. WSUS Synchronization Manager sends a request one at a time to WSUS running on other software
update points at the site. The WSUS servers on the other software update points are configured to be
replicas of WSUS running on the default software update point at the site.
Synchronization on child primary and secondary sites
During the software updates synchronization process on the top-level site, the software updates configuration
items are replicated to child sites by using database replication. At the end of the process, the top-level site
sends a synchronization request to the child site, and the child site starts the WSUS synchronization. The
following list provides the basic steps for the synchronization process on a child primary site or secondary site:
1. WSUS Synchronization Manager receives a synchronization request from the top-level site.
2. Software updates synchronization starts.
3. WSUS Synchronization Manager makes a request to WSUS running on the software update point to start
synchronization.
4. WSUS running on the software update point on the child site synchronizes software updates metadata
from WSUS running on the software update point on the parent site.
5. When synchronization has finished successfully, WSUS Synchronization Manager creates status message 6702.
6. From a primary site, WSUS Synchronization Manager sends a synchronization request to any child
secondary sites. The secondary site starts the software updates synchronization with the parent primary
site. The secondary site is configured as a replica of WSUS running on the parent site.
7. WSUS Synchronization Manager sends a request one at a time to WSUS running on other software
update points at the site. The WSUS servers on the other software update points are configured to be
replicas of WSUS running on the default software update point at the site.

Software updates compliance assessment


Before you deploy software updates to client computers in Configuration Manager, start a scan for software
updates compliance on client computers. For each software update, a state message is created that contains the
compliance state for the update. The state messages are sent in bulk to the management point and then to the
site server, where the compliance state is inserted into the site database. The compliance state for software
updates is displayed in the Configuration Manager console. You can deploy and install software updates on
computers that require the updates. The following sections provide information about the compliance states and
describe the process for scanning for software updates compliance.
Software updates compliance states
The following lists and describes each compliance state that is displayed in the Configuration Manager console
for software updates.
Required
Specifies that the software update is applicable and required on the client computer. Any of the following
conditions could be true when the software update state is Required :
The software update was not deployed to the client computer.
The software update was installed on the client computer. However, the most recent state message
has not yet been inserted into the database on the site server. The client computer rescans for the
update after the installation has finished. There might be a delay of up to two minutes before the
client sends the updated state to the management point that then forwards the updated state to
the site server.
The software update was installed on the client computer. However, the software update
installation requires a computer restart before the update is completed.
The software update was deployed to the client computer but has not yet been installed.
Not Required
Specifies that the software update is not applicable on the client computer. Therefore, the software update
is not required.
Installed
Specifies that the software update is applicable on the client computer and that the client computer
already has the software update installed.
Unknown
Specifies that the site server has not received a state message from the client computer, typically because
one of the following:
The client computer did not successfully scan for software updates compliance.
The scan finished successfully on the client computer. However, the state message has not yet been
processed on the site server, possibly because of a state message backlog.
The scan finished successfully on the client computer, but the state message has not been received
from the child site.
The scan finished successfully on the client computer, but the state message file was corrupted in
some way and could not be processed.
Scan for software updates compliance process
When the software update point is installed and synchronized, a site-wide machine policy is created that informs
client computers that Configuration Manager software updates is enabled for the site. When a client receives
the machine policy, a compliance assessment scan is scheduled to start randomly within the next two hours.
When the scan is started, a Software Updates Client Agent process clears the scan history, submits a request to
find the WSUS server that should be used for the scan, and updates the local Group Policy with the WSUS
server location.

NOTE
Internet-based clients must connect to the WSUS server by using SSL.

A scan request is passed to the Windows Update Agent (WUA). The WUA then connects to the WSUS server
location that is listed in the local policy, retrieves the software updates metadata that has been synchronized on
the WSUS server, and scans the client computer for the updates. A Software Updates Client Agent process
detects that the scan for compliance has finished, and it creates state messages for each software update that
changed in compliance state after the last scan. The state messages are sent to the management point in bulk
every 15 minutes. The management point then forwards the state messages to the site server, where the state
messages are inserted into the site server database.
After the initial scan for software updates compliance, the scan is started at the configured scan schedule.
However, if the client has scanned for software updates compliance in the time frame indicated by the Time to
Live (TTL) value, the client uses the software updates metadata that is stored locally. When the last scan is
outside the TTL, the client must connect to WSUS running on the software update point and update the software
updates metadata stored on the client.
Including the scan schedule, the scan for software updates compliance can start in the following ways:
Software updates scan schedule : The scan for software updates compliance starts at the configured
scan schedule that is configured in the Software Updates Client Agent settings. For more information
about how to configure the Software Updates client settings, see software updates client settings.
Configuration Manager Properties action : The user can start the Software Updates Scan Cycle
or Software Updates Deployment Evaluation Cycle action on the Action tab in the Configuration
Manager Properties dialog box on the client computer.
Deployment reevaluation schedule : The deployment evaluation and scan for software updates
compliance starts at the configured deployment reevaluation schedule, which is configured in the
Software Updates Client Agent settings. For more information about the Software Updates client settings,
see software updates client settings.
Prior to downloading update files : When a client computer receives an assignment policy for a new
required deployment, the Software Updates Client Agent downloads the software update files to the local
client cache. Before downloading the software update files, the client agent starts a scan to verify that the
software update is still required.
Prior to software update installation : Just before the software update installation, the Software
Updates Client Agent starts a scan to verify that the software updates are still required.
After software update installation : Just after a software update installation is complete, the Software
Updates Client Agent starts a scan to verify that the software updates are no longer required and creates
a new state message that states that the software update is installed. When the installation has finished,
but a restart is necessary, the state message indicates that the client computer is pending a restart.
After system restart : When a client computer is pending a system restart for the software update
installation to finish, the Software Updates Client Agent starts a scan after the restart to verify that the
software update is no longer required and creates a state message that states that the software update is
installed.
Time to live value
The software updates metadata that is required for the scan for software updates compliance is stored on the
local client computer, and by default, is relevant for up to 24 hours. This value is known as the Time to Live (TTL).
Scan for software updates compliance types
The client scans for software updates compliance by using an online or offline scan and a forced or non-forced
scan, depending on the way the scan for software updates compliance is started. The following describes which
methods for starting the scan are online or offline and whether the scan is forced or non-forced.
Software updates scan schedule (non-forced online scan)
At the configured scan schedule, the client connects to WSUS running on the software update point to
retrieve the software updates metadata only when the last scan was outside the TTL.
Software Updates Scan Cycle or Software Updates Deployment Evaluation Cycle (forced online
scan)
The client computer always connects to WSUS running on the software update point to retrieve the
software updates metadata before the client computer scans for software updates compliance. After the
scan is complete, the TTL counter is reset. For example, if the TTL is 24 hours, after a user starts a scan for
software updates compliance, the TTL is reset to 24 hours.
Deployment reevaluation schedule (non-forced online scan)
At the configured deployment reevaluation schedule, the client connects to WSUS running on the
software update point to retrieve the software updates metadata only when the last scan was outside the
TTL.
Prior to downloading update files (non-forced online scan)
Before the client can download update files in required deployments, the client connects to WSUS
running on the software update point to retrieve the software updates metadata only when the last scan
was outside the TTL.
Prior to software update installation (non-forced online scan)
Before the client installs software updates in required deployments, the client connects to WSUS running
on the software update point to retrieve the software updates metadata only when the last scan was
outside the TTL.
After software update installation (forced offline scan)
After a software update is installed, the Software Updates Client Agent starts a scan by using the local
metadata. The client never connects to WSUS running on the software update point to retrieve software
updates metadata.
After system restart (forced offline scan)
After a software update is installed and the computer is restarted, the Software Updates Client Agent
starts a scan by using the local metadata. The client never connects to WSUS running on the software
update point to retrieve software updates metadata.
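The following script is an added example, not code from the Configuration Manager documentation or product. It reads the compliance information the client wrote to WMI after its last scan (the Required/Installed states described above), lists deployed updates that are installed but still waiting for a restart, and starts the forced online Software Updates Scan Cycle when the local metadata is older than the 24-hour TTL. The WMI class and property names, the 113/114 schedule IDs and the EvaluationState values are the well-known client identifiers; the script is assumed to run in an elevated session on a client.

```powershell
# Added example (not code from the Configuration Manager documentation or product).
# Reads the compliance state the client wrote to WMI after its last scan, lists
# deployed updates that are installed but still waiting for a restart, and starts a
# forced online scan when the local metadata is older than the 24-hour TTL.
# Run in an elevated PowerShell session on a Configuration Manager client.

# Schedule IDs behind the two client actions this page names (well-known client
# action identifiers, not values from this page).
$ScanCycleId       = '{00000000-0000-0000-0000-000000000113}'   # Software Updates Scan Cycle
$DeployEvalCycleId = '{00000000-0000-0000-0000-000000000114}'   # Software Updates Deployment Evaluation Cycle
$TtlHours          = 24                                          # default Time to Live for local metadata

function Get-ClientUpdateCompliance {
    # One CCM_UpdateStatus row per update the last scan evaluated.
    # Status is 'Missing' (maps to the console state Required) or 'Installed'.
    Get-CimInstance -Namespace 'root\ccm\SoftwareUpdates\UpdatesStore' -ClassName CCM_UpdateStatus |
        Select-Object Article, Title, Status, ScanTime
}

function Get-PendingRestartUpdates {
    # Deployed updates whose files are installed but that still report Required
    # because the restart has not happened yet (see the Required state above).
    # EvaluationState 8, 9 and 10 are PendingSoftReboot, PendingHardReboot and WaitReboot.
    Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName CCM_SoftwareUpdate |
        Where-Object { $_.EvaluationState -in 8, 9, 10 } |
        Select-Object ArticleID, Name, EvaluationState, Deadline
}

function Invoke-ClientAction {
    param([Parameter(Mandatory)][string]$ScheduleId)
    # TriggerSchedule on SMS_Client is the same call the Actions tab of the
    # Configuration Manager Properties dialog makes for these actions.
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = $ScheduleId } | Out-Null
}

# 1. What did the last scan find?
$compliance = @(Get-ClientUpdateCompliance)
$missing    = @($compliance | Where-Object Status -eq 'Missing')
"{0} updates evaluated, {1} required (Missing)" -f $compliance.Count, $missing.Count
$missing | Sort-Object Article | Format-Table Article, Title -AutoSize

# 2. Anything installed but pending a restart?
$pending = @(Get-PendingRestartUpdates)
if ($pending.Count -gt 0) {
    "Installed but pending restart (still reported as Required):"
    $pending | Format-Table ArticleID, Name, EvaluationState -AutoSize
}

# 3. Is the local metadata still within the TTL? A scheduled (non-forced) scan would
#    reuse it; a forced Software Updates Scan Cycle always refreshes from WSUS.
$lastScan = ($compliance | Sort-Object ScanTime -Descending | Select-Object -First 1).ScanTime
if (($null -eq $lastScan) -or ($lastScan -lt (Get-Date).AddHours(-$TtlHours))) {
    "Last scan {0} is outside the {1}-hour TTL; triggering a forced online scan." -f $lastScan, $TtlHours
    Invoke-ClientAction -ScheduleId $ScanCycleId
    # Re-evaluate deployments against the fresh scan results as well.
    Invoke-ClientAction -ScheduleId $DeployEvalCycleId
} else {
    "Last scan {0} is within the TTL; no forced scan needed." -f $lastScan
}
```

A client whose UpdatesStore is empty or whose scan time is stale while the console shows Unknown points at the scan or state-message path described above (failed scan, backlog on the site server, or a state message that never arrived) rather than at the deployment itself.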

Software update deployment packages


A software update deployment package is the vehicle used to download software updates to a network shared
folder, and copy the software update source files to the content library on site servers and on distribution points
that are defined in the deployment. By using the Download Updates Wizard, you can download software
updates and add them to deployment packages before you deploy them. This wizard lets you provision software
updates on distribution points and verify that this part of the deployment process is successful before you
deploy the software updates to clients.
When you deploy downloaded software updates by using the Deploy Software Updates Wizard, the deployment
automatically uses the deployment package that contains the software updates. When software updates that
have not been downloaded are deployed, you must specify a new or existing deployment package in the Deploy
Software Updates Wizard, and the software updates are downloaded when the wizard is finished.

IMPORTANT
You must manually create the shared network folder for the deployment package source files before you specify it in the
wizard. Each deployment package must use a different shared network folder.

IMPORTANT
The SMS Provider computer account and the administrative user who actually downloads the software updates both
require Write permissions to the package source. Restrict access to the package source to reduce the risk of an attacker
tampering with the software updates source files in the package source.
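As an added example of the check this note calls for (not code from the Configuration Manager documentation or product), the following script audits the NTFS permissions on a package source folder and reports every principal that can modify files there but is not one of the accounts that need write access. The UNC path and the account names are placeholders for your environment.

```powershell
# Added example (not code from the Configuration Manager documentation or product).
# Audits the NTFS permissions on a deployment package source folder and reports every
# principal that can write, delete or re-permission files there but is not on the
# expected list (the SMS Provider computer account and the administrator who downloads
# the updates). The path and account names are placeholders for your environment.

$PackageSource  = '\\FILESERVER\PkgSource\Updates2021-09'            # placeholder UNC path
$AllowedWriters = @('CONTOSO\SMSPROVIDER01$', 'CONTOSO\patchadmin')    # placeholder accounts

function Get-UnexpectedWriters {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Allowed
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Rights that let a principal alter the update source files or the ACL itself.
    $dangerous = $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                 $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor
                 $fsr::TakeOwnership
    # Inherited ACEs can carry generic rights that do not map to the enum names;
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) both allow writes.
    $genericWrite = 0x50000000

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $bits     = [int]$ace.FileSystemRights
        $canWrite = (($bits -band $dangerous) -ne 0) -or (($bits -band $genericWrite) -ne 0)
        if (-not $canWrite) { continue }
        $identity = $ace.IdentityReference.Value
        if ($Allowed -contains $identity) { continue }   # -contains compares case-insensitively
        [pscustomobject]@{
            Identity  = $identity
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$unexpected = @(Get-UnexpectedWriters -Path $PackageSource -Allowed $AllowedWriters)
if ($unexpected.Count -eq 0) {
    "OK: only the expected accounts can modify $PackageSource"
} else {
    "WARNING: {0} unexpected principal(s) can modify {1}:" -f $unexpected.Count, $PackageSource
    $unexpected | Format-Table -AutoSize
}
```

Share-level permissions on the file server are a separate layer that this NTFS check does not cover; review them on the server with Get-SmbShareAccess, since a broad group such as Everyone or Authenticated Users at either layer defeats the restriction.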

When a new deployment package is created, the content version is set to 1 before any software updates are
downloaded. When the software update files are downloaded by using the package, the content version is
incremented to 2. Therefore, all new deployment packages start with a content version of 2. Every time that the
content changes in a deployment package, the content version is incremented by 1. For more information, see
Fundamental concepts for content management.
Clients install software updates in a deployment by using any distribution point that has the software updates
available, regardless of the deployment package. Even if a deployment package is deleted for an active
deployment, clients still can install the software updates in the deployment as long as each update was
downloaded to at least one other deployment package and is available on a distribution point that can be
accessed from the client. When the last deployment package that contains a software update is deleted, client
computers cannot retrieve the software update until the update is downloaded again to a deployment package.
Software updates appear with a red arrow in the Configuration Manager console when the update files are not
in any deployment packages. Deployments appear with a double red arrow if they contain any updates in this
condition.

Software update deployment workflows


There are two main scenarios for deploying software updates in your environment, manual deployment and
automatic deployment. Typically, you deploy software updates manually to create a baseline for client
computers, and then you manage software updates on clients by using automatic deployment. The following
sections provide a summary for the workflow for manual and automatic deployment for software updates.
Manual deployment of software updates
Manual deployment of software updates is the process of selecting software updates in the Configuration
Manager console and manually starting the deployment process. You typically use this method of deployment
to get the client computers up-to-date with required software updates before you create automatic deployment
rules that manage ongoing monthly software update deployments, and to deploy out of band software update
requirements. The following list provides the general workflow for manual deployment of software updates:
1. Filter for software updates that use specific requirements. For example, you could provide criteria that
retrieves all security or critical software updates that are required on more than 50 client computers.
2. Create a software update group that contains the software updates.
3. Download the content for the software updates in the software update group.
4. Manually deploy the software update group.
Automatic deployment of software updates
Automatic software updates deployment is configured by using an automatic deployment rule (ADR). You
typically use this method of deployment for your monthly software updates (generally known as Patch Tuesday)
and for managing definition updates. When the rule runs, software updates are removed from the software
update group (if using an existing group), the software updates that meet the specified criteria (for example, all
security software updates released in the last week) are added to a software update group, the content files for
the software updates are downloaded and copied to distribution points, and the software updates are deployed
to client computers in the target collection. The following list provides the general workflow for automatic
deployment of software updates:
1. Create an ADR that specifies deployment settings such as the following:
Target collection
Decide whether to enable the deployment or report on software updates compliance for the client
computers in the target collection
Software updates criteria
Evaluation and deployment schedules
User experience
Download properties
2. The software updates are added to a software update group.
3. The software update group is deployed to the client computers in the target collection, if it is specified.
You must determine what deployment strategy to use in your environment. For example, you might
create the ADR and target a collection of test clients. After you verify that the software updates are
installed on the test group, you can add a new deployment to the rule or change the collection in the
existing deployment to a target collection that includes a larger set of clients. The software update objects
that are created by the ADRs are interactive.
Software updates that were deployed by using an ADR are automatically deployed to new clients added
to the target collection.
New software updates added to a software update group are automatically deployed to the clients in the
target collection.
You can enable or disable deployments at any time for the ADR.
After you create an ADR, you can add additional deployments to the rule. This can help you manage the
complexity of deploying different updates to different collections. Each new deployment has the full
range of functionality and deployment monitoring experience, and each new deployment that you add:
Uses the same update group and package which is created when the ADR first runs
Can specify a different collection
Supports unique deployment properties including:
Activation time
Deadline
Show or hide end user experience
Separate alerts for this deployment

Software update deployment process


After you deploy software updates or when an automatic deployment rule runs and deploys software updates, a
deployment assignment policy is added to the machine policy for the site. The software updates are downloaded
from the download location, the Internet, or network shared folder, to the package source. The software updates
are copied from the package source to the content library on the site server, and then copied to the content
library on the distribution point.
When a client computer in the target collection for the deployment receives the machine policy, the Software
Update Client Agent starts an evaluation scan. The client agent downloads the content for required software
updates from a distribution point to the local client cache at the Software available time setting for the
deployment and then the software updates are available to install. The software updates in optional
deployments (deployments that do not have an installation deadline) are not downloaded until a user manually
starts the installation.
When the configured deadline passes, the Software Updates Client Agent performs a scan to verify that the
software updates are still required. Then it checks the local cache on the client computer to verify that the
software update source files are still available. Finally, the client installs the software updates. If the content was
deleted from the client cache to make room for another deployment, the client re-downloads the software
updates from the distribution point to the client cache. Software updates are always downloaded to the client
cache regardless of the configured maximum client cache size. When the installation is complete, the client
agent verifies that the software updates are no longer required, and then sends a state message to the
management point to indicate that the software updates are now installed on the client.
Required system restart
By default, when software updates from a required deployment are installed on a client computer and a system
restart is required for the installation to finish, the system restart is started. For software updates that were
installed before the deadline, the automatic system restart is postponed until the deadline, unless the computer
is restarted before that for some other reason. The system restart can be suppressed for servers and
workstations. These settings are configured in the User Experience page of the Deploy Software Updates
Wizard or Create Automatic Updates Rule Wizard.
Deployment reevaluation cycle
By default, client computers start a deployment reevaluation cycle every 7 days. During this evaluation cycle, the
client computer scans for software updates that were previously deployed and installed. If any software updates
are missing, the software updates are reinstalled from the local cache. If a software update is no longer available
in the local cache, it is downloaded from a distribution point and then installed. You can configure the
reevaluation schedule on the Software Updates page in client settings for the site.

Support for Windows embedded devices that use write filters


When you deploy software updates to Windows Embedded devices that are write filter-enabled, you can specify
whether to disable the write filter on the device during the deployment and then restart the device after the
deployment. If the write filter is not disabled, the software is deployed to a temporary overlay and the software
will no longer be installed when the device restarts unless another deployment forces changes to be persisted.
NOTE
When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a
collection that has a configured maintenance window. This lets you manage when the write filter is disabled and enabled,
and when the device restarts.

The user experience setting that controls the write filter behavior is a check box named Commit changes at
deadline or during a maintenance window (requires restarts).
For more information about how Configuration Manager manages embedded devices that use write filters, see
Planning for client deployment to Windows Embedded devices.

Extend software updates in Configuration Manager


Use System Center Updates Publisher to manage software updates that are not available from Microsoft
Update. After you publish the software updates to the update server and synchronize the software updates in
Configuration Manager, you can deploy the software updates to Configuration Manager clients. For more
information about Updates Publisher, see Updates Publisher 2011.

Next steps
Plan for software updates
Icons used for software updates in Configuration Manager
9/17/2021 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Synchronized software updates are displayed in the Configuration Manager console, and the first column for
each software update contains an icon that indicates a specific state. Software update groups are also
represented with an icon that provides information about the state of the software updates contained in the
group. This section provides information about the software update icons and what each icon represents.

Icons for Software Updates


Synchronized software updates are represented by one of the following icons.
Normal Icon

The icon with the green arrow represents a normal software update.
Description:
Normal software updates have been synchronized and are available for software deployment.
Operational Concerns:
There are no operational concerns.
Expired Icon

The icon with the black X represents an expired software update. You can also identify expired software
updates by viewing the Expired column for the software update when it displays in the Configuration Manager
console.
Description:
Expired software updates were previously deployable to client computers, but once a software update is expired,
new deployments can no longer be created for the software updates. Expired software updates are removed
from active deployments and will no longer be made available to clients.
Operational Concerns:
There are no operational concerns.
Superseded Icon

The icon with the yellow star represents a superseded software update. You can also identify superseded
software updates by viewing the Superseded column for the software update when it displays in the
Configuration Manager console.
Description:
Superseded software updates have been replaced with newer versions of the software update. Typically, a
software update that supersedes another software update does one or more of the following things:
Enhances, improves, or adds to the fix provided by one or more previously released software updates.
Improves the efficiency of its software update file package, which clients install if the software update is
approved for installation. For example, the superseded software update might contain files that are no
longer relevant to the fix or to the operating systems now supported by the new software update, so
those files aren't included in the superseding software update's file package.
Updates newer versions of a product, or in other words, is no longer applicable to older versions or
configurations of a product. Software updates can also supersede other software updates if modifications
have been made to expand language support. For example, a later revision of a product update for
Microsoft 365 Apps might remove support for an older operating system, but add additional support for
new languages in the initial software update release.
On the Supersedence Rules tab in the Software Update Point Component properties, you can specify how
to manage superseded software updates. For more information, see Supersedence rules.
Operational Concerns:
Configuration Manager can automatically expire superseded updates based on a schedule you choose.
The default setting is to wait 3 months before expiring a superseded update. The 3 month default is to
give you time to verify the update is no longer needed by any of your client computers. It's recommended
that you don't assume that superseded updates should be immediately expired in favor of the new,
superseding update. You can display a list of the software updates that supersede the software update on
the Supersedence Information tab in the software update properties.
Invalid Icon

The icon with the red X represents an invalid software update.


Description:
Invalid software updates are in an active deployment, but for some reason the content (software update files)
isn't available. The following are scenarios in which this state can occur:
You successfully deploy the software update, but the software update file is removed from the
deployment package and is no longer available.
You create a software update deployment at a site and the deployment object is successfully replicated to
a child site, but the deployment package hasn't successfully replicated to the child site.
Operational Concerns:
When the content is missing for a software update, clients are unable to install the software update until
the content becomes available on a distribution point. You can redistribute the content to distribution
points by using the Redistribute action. When content is missing for a software update in a deployment
created at a parent site, the software update must be replicated or redistributed to the child site. For more
information about content redistribution, see Manage the content you've distributed.
Metadata-Only Icon
The icon with the blue arrow represents a metadata-only software update.
Description:
Metadata-only software updates are available in the Configuration Manager console for reporting. You can't
deploy or download metadata-only software updates because a software update file isn't associated with the
software updates metadata.
Operational Concerns:
Metadata-only software updates are available for reporting purposes and aren't intended for software update
deployment.
Icons for Software Update Groups
Software update groups are represented by one of the following icons.
Normal Icon

The icon with the green arrow represents a software update group that contains only normal software
updates.
Operational Concerns:
There are no operational concerns.
Expired Icon

The icon with the black X represents a software update group that contains one or more expired software
updates.
Operational Concerns:
Remove or replace expired software updates in the software update group when possible.
Superseded Icon

The icon with the yellow star represents a software update group that contains one or more superseded
software updates.
Operational Concerns:
Replace the superseded software update in the software update group with the superseding software update
when possible.
Invalid Icon

The icon with the red X represents a software update group that contains one or more invalid software
updates.
Operational Concerns:
When the content is missing for a software update, clients are unable to install the software update until the
content becomes available on a distribution point. You can redistribute the content to distribution points by
using the Redistribute action. When content is missing for a software update in a deployment created at a
parent site, the software update needs to be replicated or redistributed to the child site. For more information
about content redistribution, see Manage the content you've distributed.

Next steps
Plan for software updates
Plan for software updates in Configuration Manager
9/17/2021 • 33 minutes to read

Applies to: Configuration Manager (current branch)


Before you use software updates in a Configuration Manager production environment, it's important that you
go through the planning process. Having a good plan for the software update point infrastructure is key to a
successful software updates implementation. For information about capacity planning for software updates, see
Size and scale numbers.

Determine the software update point infrastructure


This section includes the following subtopics:
Software update point list
Software update point switching
Manually switch clients to a new software update point
Software update points in an untrusted forest
Use an existing WSUS server as the synchronization source at the top-level site
Software update point on a secondary site
Plan for internet-based clients
Plan software update content
Plan for third-party updates
The central administration site and all child primary sites must have a software update point. As you plan for the
software update point infrastructure, determine the following dependencies:
Where to install the software update point for the site
Which sites require a software update point that accepts communication from internet-based clients
Whether you need a software update point at secondary sites

IMPORTANT
For more information about the internal and external dependencies that are required for software updates, see
Prerequisites for software updates.

Add multiple software update points at a Configuration Manager primary site to provide fault tolerance. The
failover design of the software update point is different from the pure randomization model that's used in the
design for management points. Unlike in the design of management points, there are client and network
performance costs in the software update point design when clients switch to a new software update point.
When the client switches to a new WSUS server to scan for software updates, the result is an increase in the
catalog size and associated client-side and network performance demands. Therefore, the client preserves
affinity with the last software update point from which it successfully scanned.
The first software update point that you install on a primary site is the synchronization source for all additional
software update points that you add at the primary site. After you add software update points and start
synchronization, view the status of the software update points and the synchronization source from the
Software Update Point Synchronization Status node in the Monitoring workspace.
When there's a failure of the software update point configured as the synchronization source for the site,
manually remove the failed role. Then select a new software update point to use as the synchronization source.
For more information, see Remove a site system role.
Software update point list
Configuration Manager provides the client with a software update point list in the following scenarios:
A new client receives the policy to enable software updates
A client can't contact its assigned software update point and needs to switch to another
The client randomly selects a software update point from the list. It prioritizes the software update points in the
same forest. Configuration Manager provides clients with a different list depending on the type of client:
Intranet-based clients: Receive a list of software update points that you can configure to allow
connections only from the intranet, or a list of software update points that allow internet and intranet
client connections.
Internet-based clients: Receive a list of software update points that you configure to allow connections
only from the internet, or a list of software update points that allow internet and intranet client
connections.
Software update point switching

NOTE
Clients use boundary groups to find a new software update point. If their current software update point is no longer
accessible, they also use boundary groups to fallback and find a new one. Add individual software update points to
different boundary groups to control which servers a client can find. For more information, see Software update points.

If you have multiple software update points at a site, and one fails or becomes unavailable, clients will connect to
a different software update point. With this new server, clients continue to scan for the latest software updates.
When a client is first assigned a software update point, it stays assigned to that software update point unless it
fails to scan.
The scan for software updates can fail with a number of different retry and non-retry error codes. When the
scan fails with a retry error code, the client starts a retry process to scan for the software updates on the
software update point. The high-level conditions that result in a retry error code are typically because the WSUS
server is unavailable or because it is temporarily overloaded. When the client fails to scan for software updates,
it uses the following process:
1. The client scans for software updates:
At its scheduled time
When it's manually run from the control panel on the client
When it's manually run from the Configuration Manager console via a client notification action
When it's run from a Configuration Manager SDK method
2. If the scan fails, the client waits 30 minutes to retry the scan. It uses the same software update point.
3. The client retries a minimum of four times every 30 minutes. After the fourth failure, and after it waits an
additional two minutes, the client moves to the next software update point in its list.
4. The client repeats this process with the new software update point. After a successful scan, the client
continues to connect to the new software update point.
The following list provides additional information to consider for software update point retry and switching
scenarios:
If a client is disconnected from the intranet and fails to scan for software updates, it doesn't switch to
another software update point. This failure is expected, because the client can't reach the internal network
or a software update point that allows connections from the intranet. The Configuration Manager client
determines the availability of the intranet software update point.
If you're managing clients on the internet, and have configured multiple software update points to accept
communication from clients on the internet, the switching process follows the standard retry process
previously described.
If the scan process starts, but the client is turned off before the scan completes, it isn't considered a scan
failure and it doesn't count as one of the four retries.
When Configuration Manager receives any of the following Windows Update Agent error codes, the client
retries the connection:
2149842970, 2147954429, 2149859352, 2149859362, 2149859338, 2149859344, 2147954430, 2147747475,
2149842974, 2149859342, 2149859372, 2149859341, 2149904388, 2149859371, 2149859367, 2149859366,
2149859364, 2149859363, 2149859361, 2149859360, 2149859359, 2149859358, 2149859357, 2149859356,
2149859354, 2149859353, 2149859350, 2149859349, 2149859340, 2149859339, 2149859332, 2149859333,
2149859334, 2149859337, 2149859336, 2149859335
To look up the meaning of an error code, convert the decimal error code to hexadecimal, and then search for the
hexadecimal value on a site such as the Windows Update Agent - Error Codes Wiki. For example, the decimal
error code 2149842970 is hexadecimal 0x8024001A, which is WU_E_POLICY_NOT_SET (a policy value was
not set).
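The conversion described above is easy to get wrong by hand because the same 32-bit value shows up in three spellings: unsigned decimal (as in the list above), signed decimal (as some client logs and reports print it), and hexadecimal (as WindowsUpdate.log and most references print it). The following PowerShell is an added example, not code from the Configuration Manager documentation or product. It normalizes any of the three forms, returns the canonical hex value, and reports whether the code is in the retry list above. The retry list is copied from this article; the symbolic names are a partial addition taken from the public Windows Update Agent error list, and you can extend them.

```powershell
# Added example; not code from the Configuration Manager documentation.
# Normalizes a Windows Update Agent (WUA) result code as found in client logs
# (unsigned decimal, signed decimal, or 0x-prefixed hex), returns the canonical hex
# form, and reports whether Configuration Manager retries on it before switching
# software update points. The retry list is copied from the documentation; the
# symbolic names are a partial addition from the public WUA error list.

$script:SupRetryCodes = @(
    2149842970, 2147954429, 2149859352, 2149859362, 2149859338, 2149859344, 2147954430, 2147747475,
    2149842974, 2149859342, 2149859372, 2149859341, 2149904388, 2149859371, 2149859367, 2149859366,
    2149859364, 2149859363, 2149859361, 2149859360, 2149859359, 2149859358, 2149859357, 2149859356,
    2149859354, 2149859353, 2149859350, 2149859349, 2149859340, 2149859339, 2149859332, 2149859333,
    2149859334, 2149859337, 2149859336, 2149859335
) | ForEach-Object { [uint32]$_ }

# Upper-case hex without prefix -> name. Partial; extend from the public WUA error documentation.
$script:KnownNames = @{
    '8024001A' = 'WU_E_POLICY_NOT_SET'                 # A policy value was not set
    '80240022' = 'WU_E_ALL_UPDATES_FAILED'             # not in the retry list
    '80244010' = 'WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS'
    '80244022' = 'WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL' # HTTP 503 from WSUS
    '80072EFD' = 'WININET_E_CANNOT_CONNECT'
}

function ConvertTo-WuaResultCode {
    param([Parameter(Mandatory)][string]$Code)

    $text = $Code.Trim()
    if ($text -match '^0[xX]([0-9A-Fa-f]{1,8})$') {
        # Hex, as written in WindowsUpdate.log and most references.
        $unsigned = [Convert]::ToUInt32($Matches[1], 16)
    }
    elseif ($text -match '^-?\d+$') {
        # Decimal: the documentation uses unsigned values (2149842970); some client logs
        # and reports print the signed form of the same 32-bit value (-2145124326).
        $value = [int64]$text
        if ($value -lt 0) { $value += 4294967296 }
        if ($value -lt 0 -or $value -gt 4294967295) { throw "Not a 32-bit result code: '$Code'" }
        $unsigned = [uint32]$value
    }
    else {
        throw "Unrecognized result code format: '$Code'"
    }

    $hex  = '{0:X8}' -f $unsigned
    $name = 'unknown (search for the hex value)'
    if ($script:KnownNames.ContainsKey($hex)) { $name = $script:KnownNames[$hex] }

    [pscustomobject]@{
        Input     = $Code
        Hex       = "0x$hex"
        Unsigned  = $unsigned
        Signed    = [BitConverter]::ToInt32([BitConverter]::GetBytes($unsigned), 0)
        IsWuaCode = $hex.StartsWith('8024')   # FACILITY_WINDOWSUPDATE; 0x8007xxxx is Win32/WinINet
        Name      = $name
        SupRetry  = $script:SupRetryCodes -contains $unsigned
    }
}

# Usage: one code in three spellings, one retry code from WSUS, one code the client does not retry on.
'2149842970', '-2145124326', '0x8024001A', '0x80244022', '0x80240022' |
    ForEach-Object { ConvertTo-WuaResultCode -Code $_ } |
    Format-Table Input, Hex, Signed, IsWuaCode, SupRetry, Name -AutoSize
```

The first three inputs resolve to the same row (0x8024001A, retry), 0x80244022 is a retry code that means WSUS returned HTTP 503, and 0x80240022 is not a retry code, so a client reporting it will not switch software update points no matter how often the scan runs.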
Manually switch clients to a new software update point
Switch Configuration Manager clients to a new software update point when there are issues with the active
software update point. This change only happens when a client receives multiple software update points from a
management point.

IMPORTANT
When you switch devices to use a new server, the devices use fallback to find that new server. Clients switch to the new
software update point during their next software updates scan cycle.
Before you start this change, review your boundary group configurations to make sure that your software update points
are in the correct boundary groups. For more information, see Software update points.
Switching to a new software update point generates additional network traffic. The amount of traffic depends on your
WSUS configuration settings, for example, the synchronized classifications and products, or use of a shared WSUS
database. If you plan to switch multiple devices, consider doing so during maintenance windows. This timing reduces the
impact to your network when clients scan with the new software update point.

Process to switch software update points


Start this change on a device collection. Once triggered, the clients look for another software update point at the
next scan.
1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the
Device Collections node.
2. Select the target collection. On the Home tab of the ribbon, in the Collection group, click Client
Notification, and then click Switch to next Software Update Point.
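Because the switch only takes effect at the client's next scan cycle, it helps to confirm from the client side which server it is bound to before and after. The following PowerShell is an added example, not code from the Configuration Manager documentation or product. It is run elevated on a client after the console action above, reads the WSUS server the client has written into the Windows Update policy key and the WUA handler's recorded update source, triggers a software updates scan cycle, and reports whether the server changed. The WMI namespaces and class names are the standard client ones; the wait time is an assumption and should be adjusted to how long scans take in your environment.

```powershell
# Added example; not code from the Configuration Manager documentation.
# Run elevated on a Configuration Manager client. Shows which software update point
# the client is bound to, triggers a software updates scan cycle, and reports whether
# the client moved to a different WSUS server after the scan.

function Get-CurrentSoftwareUpdatePoint {
    # The client writes the active WSUS server into the Windows Update policy key for the WUA.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction Stop
    # CCM_UpdateSource records the update source the WUA handler last used and its catalog version.
    $source = Get-CimInstance -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' `
        -ClassName CCM_UpdateSource -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer        = $policy.WUServer
        UsesTls         = ([string]$policy.WUServer) -like 'https://*'
        ContentLocation = $source.ContentLocation
        ContentVersion  = $source.ContentVersion
    }
}

function Invoke-SoftwareUpdateScanCycle {
    # {...113} is the Software Updates Scan Cycle schedule, the same action as the Control Panel button.
    $null = Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000113}' }
}

function Test-SoftwareUpdatePointSwitch {
    param([int]$WaitSeconds = 180)   # assumption: scans usually finish within this; check WUAHandler.log
    $before = Get-CurrentSoftwareUpdatePoint
    Invoke-SoftwareUpdateScanCycle
    Start-Sleep -Seconds $WaitSeconds
    $after = Get-CurrentSoftwareUpdatePoint
    [pscustomobject]@{
        Before   = $before.WUServer
        After    = $after.WUServer
        Switched = $before.WUServer -ne $after.WUServer
        UsesTls  = $after.UsesTls
        Catalog  = $after.ContentVersion
    }
}

if (-not (Get-CurrentSoftwareUpdatePoint).UsesTls) {
    Write-Warning 'This client scans WSUS over plain HTTP; see the TLS/SSL guidance in this article.'
}
Test-SoftwareUpdatePointSwitch
```

If Switched stays false after the wait, either the scan has not completed yet, the client only received one software update point from its management point (in which case the console action has nothing to switch to), or the scan failed with a non-retry error code.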
Software update points in an untrusted forest
Create one or more software update points at a site to support clients in an untrusted forest. To add a software
update point in another forest, first install and configure a WSUS server in that forest. Then start the wizard to
add a Configuration Manager site server with the software update point site system role. In the wizard,
configure the following settings to successfully connect to WSUS in the untrusted forest:
Specify a Site System Installation account that can access the WSUS server in the untrusted forest.
Specify a WSUS Server Connection account to connect to the WSUS server.
For example, you have a primary site in forest A with two software update points (SUP01 and SUP02). For the
same primary site, you also have two software update points (SUP03 and SUP04) in forest B. When switching to
the next software update point, the clients prioritize the servers from the same forest.
Use an existing WSUS server as the synchronization source at the top-level site
Typically, the top-level site in your hierarchy is configured to synchronize software updates metadata with
Microsoft Update. When your organizational security policy doesn't allow the top-level site to access to the
internet, configure the synchronization source for the top-level site to use an existing WSUS server. This WSUS
server isn't in your Configuration Manager hierarchy. For example, you have a WSUS server in an internet-
connected network (DMZ), but your top-level site is in an internal network without internet access. Configure the
WSUS server in the DMZ as your synchronization source for software updates metadata. Configure the WSUS
server in the DMZ to synchronize software updates with the same criteria that you need in Configuration
Manager. Otherwise, the top-level site might not synchronize the software updates that you expect. When you
install the software update point, configure a WSUS server connection account. This account needs access to the
WSUS server in the DMZ. Also confirm that the firewall permits traffic for the appropriate ports. For more
information, see the ports used by the software update point to the synchronization source.
Software update point on a secondary site
The software update point is optional on a secondary site. Install only one software update point at a secondary
site. When a software update point isn't installed at the secondary site, devices within the boundaries of a
secondary site use a software update point at their assigned primary site. You typically install a software update
point at a secondary site when there's limited network bandwidth between the devices in the secondary site and
the software update points at the parent primary site. You may also use this configuration when the software
update point at the primary site approaches the capacity limit. After you successfully install and configure a
software update point at the secondary site, a site-wide policy is updated for clients, and they start to use the
new software update point.
Plan for internet-based clients
When you need to manage devices that roam off your network onto the internet, develop a plan for how to
manage software updates on these devices. Configuration Manager supports several technologies for this
scenario. Use one or a combination as necessary to meet the requirements of your organization.
Cloud management gateway
Create a cloud management gateway in Microsoft Azure and enable at least one on-premises software update
point to allow traffic from internet-based clients. As clients roam onto the internet, they continue to scan against
your software update points. All internet-based clients always get content from the Microsoft Update cloud
service.
For more information, see Overview of cloud management gateway and Configure boundary groups.
Internet-based client management
Place a software update point in an internet-facing network and enable it to allow traffic from internet-based
clients. As clients roam onto the internet, they switch to this software update point for scanning. All internet-
based clients always get content from the Microsoft Update cloud service.
For more information on the advantages and disadvantages of internet-based client management, see Manage
clients on the internet.
Windows Update for Business
Windows Update for Business allows you to keep Windows 10 devices always up-to-date with the latest quality
and feature updates. These devices connect directly to the Windows Update cloud service. Configuration
Manager can differentiate between Windows 10 computers that use WUfB and WSUS for getting software
updates.
For more information, see Integration with Windows Update for Business.
Plan software update content
Clients need to download the content files for software updates in order to install them. Configuration Manager
provides several technologies to support management and delivery of this content. Or configure software
update deployments to allow or require clients to get content directly from the Microsoft Update cloud service.
Download and distribute content
By default, the software update management process in Configuration Manager uses the built-in content
management features. These features include the centralized, single-instance store content library, and the
distributed design of the distribution point site system role. You use these features when you download and
distribute software update deployment packages.
For more information, see Download software updates.
Manage express installation files for Windows 10
Configuration Manager supports the use of express installation files for Windows 10 updates. Express update
files and supporting technologies such as Delivery Optimization can help reduce the network impact of large
content files downloading to clients.
For more information, see Optimize Windows 10 update delivery.
Clients download content from the internet
When you deploy software updates to clients, configure the deployment for clients to download content from
the Microsoft Update cloud service. When clients aren't able to download content from another content source,
they can still download the content from the internet.
You don't have to create a deployment package when deploying software updates. When you select the No
deployment package option, clients can still download content from local sources if available, but typically
download from the Microsoft Update service.
Internet-based clients always download content from the Microsoft Update cloud service. Don't distribute
software update deployment packages to a content-enabled cloud management gateway (CMG).
Plan for third-party updates
Configuration Manager integrates with WSUS, which natively supports software updates published by
Microsoft. Most customers use other third-party applications that also need updates. There are several options
to consider for keeping third-party applications up to date.
Supersede applications to update
Use a supersedence relationship with the application management feature in Configuration Manager to upgrade
or replace existing applications. When you supersede an application, specify a new deployment type to replace
the deployment type of the superseded application. Also decide whether to upgrade or uninstall the superseded
application before the superseding application is installed.
For more information, see Revise and supersede applications.
Third-party software updates
You can use the Third-Party Software Update Catalogs node in the Configuration Manager console to
subscribe to third-party catalogs, publish their updates to your software update point, and then deploy them to
clients.
For more information, see Third-party software updates.
System Center Updates Publisher
System Center Updates Publisher (SCUP) is a stand-alone tool that enables independent software vendors or
line-of-business application developers to manage custom updates. These updates include those with
dependencies, like drivers and update bundles. SCUP can also be used for third-party update catalogs that aren't
available directly in the console.
For more information, see System Center Updates Publisher.

Plan for software update point installation


This section includes the following subtopics:
Requirements for the software update point
Plan for WSUS installation
Configure firewalls
This section provides information about the steps to take to successfully plan and prepare for the software
update point installation. Before you create a site system role for the software update point in Configuration
Manager, there are several requirements to consider. The specific requirements depend on your Configuration
Manager infrastructure. When you configure the software update point to communicate by using HTTPS, this
section is especially important to review. HTTPS-enabled servers require additional steps to work properly.
Requirements for the software update point
Install the software update point role on a site system that meets the minimum requirements for WSUS and the
supported configurations for Configuration Manager site systems.
For more information about the minimum requirements for the WSUS server role in Windows Server,
see Review considerations and system requirements.
For more information about the supported configurations for Configuration Manager site systems, see
Site and site system prerequisites.
Plan for WSUS installation
Install a supported version of WSUS on all site system servers that you configure for the software update point
role. When you don't install the software update point on the site server, install the WSUS Administration
Console on the site server. This component allows the site server to communicate with WSUS that runs on the
software update point.
When you use WSUS on Windows Server 2012 or later, configure additional permissions to allow the WSUS
Configuration Manager component in Configuration Manager to connect to WSUS. This component
performs periodic health checks. Choose one of the following options to configure the required permission:
Add the SYSTEM account to the WSUS Administrators group
Add the NT AUTHORITY\SYSTEM account as a user for the WSUS database (SUSDB). Configure a
minimum of the webService database role membership.
For more information about how to install WSUS on Windows Server, see Install the WSUS Server Role.
When you install more than one software update point at a primary site, use the same WSUS database for each
software update point in the same Active Directory forest. Sharing the same database improves performance
when clients switch to a new software update point. For more information, see Use a shared WSUS database for
software update points.
Configuring the WSUS content directory path
When you install WSUS, you'll need to provide a content directory path. The WSUS content directory is
primarily used for storing the Microsoft Software License Terms files needed by clients during scanning. The
WSUS content directory should not overlap with your content source directory for Configuration Manager
software deployment packages. Overlapping the WSUS content directory and the Configuration Manager
package source will result in files being removed incorrectly from the WSUS content directory.
Configure WSUS to use a custom website
When you install WSUS, you have the option to use the existing IIS Default website, or to create a custom WSUS
website. Create a custom website for WSUS so that IIS hosts the WSUS services in a dedicated virtual website.
Otherwise it shares the same website that's used by the other Configuration Manager site systems or
applications. This configuration is especially necessary when you install the software update point role on the
site server. When you run WSUS in Windows Server 2012 or later, WSUS is configured by default to use port
8530 for HTTP and port 8531 for HTTPS. Specify these ports when you create the software update point at a
site.
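The WSUS preparation steps above (role and database choice, content directory, the SYSTEM permission for the health check, a dedicated IIS site on 8530/8531) are the ones a software update point installation most often fails on. The following PowerShell is an added example, not code from the Configuration Manager documentation or product, that performs them on a server that will host the role. The SQL instance name, drive letters and package source path are placeholder assumptions; run it elevated on Windows Server 2012 or later.

```powershell
# Added example; not code from the Configuration Manager documentation.
# Prepares a server to host WSUS for a software update point. Run elevated on
# Windows Server 2012 or later. Every value below is a placeholder assumption.

$SqlInstance  = 'SQL01\WSUS'    # assumption: SQL Server instance that will hold SUSDB
$ContentDir   = 'D:\WSUS'       # assumption: dedicated WSUS content directory
$CmSourceRoot = 'D:\Sources'    # assumption: local root of the ConfigMgr package source

# 1. Guard against the overlap the article warns about: WSUS maintains its content
#    directory and would remove deployment package files stored under the same path.
$content = [System.IO.Path]::GetFullPath($ContentDir).TrimEnd('\') + '\'
$sources = [System.IO.Path]::GetFullPath($CmSourceRoot).TrimEnd('\') + '\'
if ($content.StartsWith($sources, 'OrdinalIgnoreCase') -or $sources.StartsWith($content, 'OrdinalIgnoreCase')) {
    throw "WSUS content directory '$ContentDir' overlaps the package source '$CmSourceRoot'."
}

# 2. WSUS role with the SQL Server database option (UpdateServices-WidDB would select the
#    Windows Internal Database instead) plus the management tools (console and WsusUtil).
Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-DB -IncludeManagementTools

# 3. Post-install configuration: content directory and database instance.
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'
& $wsusUtil postinstall "CONTENT_DIR=$ContentDir" "SQL_INSTANCE_NAME=$SqlInstance"
if ($LASTEXITCODE -ne 0) { throw "WsusUtil postinstall failed with exit code $LASTEXITCODE" }

# 4. Let the WSUS Configuration Manager component, which runs as SYSTEM, perform its
#    health checks. (On servers without the LocalAccounts module use:
#    net localgroup "WSUS Administrators" "NT AUTHORITY\SYSTEM" /add)
Add-LocalGroupMember -Group 'WSUS Administrators' -Member 'NT AUTHORITY\SYSTEM' -ErrorAction SilentlyContinue

# 5. Confirm WSUS runs in its own IIS site on the ports the software update point expects:
#    *:8530: for http and, once TLS is configured, *:8531: for https.
Import-Module WebAdministration
Get-WebBinding -Name 'WSUS Administration' | Select-Object protocol, bindingInformation
```

On a site server that does not host the software update point, only the console is needed; the corresponding feature is UpdateServices-UI. Keep the overlap check even if it looks redundant: the WSUS content path cannot be changed afterwards without re-running postinstall.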
Configure WSUS as a replica server
When you add the software update point role on a primary site server, you can't use a WSUS server that's
configured as a replica. When the WSUS server is configured as a replica, Configuration Manager fails to
configure the WSUS server, and the WSUS synchronization fails. The first software update point that you install
at a primary site is the default software update point. Additional software update points at the site are
configured as replicas of the default software update point.
Decide whether to configure WSUS to use SSL
Using the SSL protocol to help secure the software update point is highly recommended. WSUS uses SSL to
authenticate client computers and downstream WSUS servers to the WSUS server. WSUS also uses SSL to
encrypt software update metadata. When you choose to secure WSUS with SSL, prepare the WSUS server
before you install the software update point.
When you install and configure the software update point, select the option to Enable SSL communications
for the WSUS Server. Otherwise, Configuration Manager configures WSUS not to use SSL. When you enable
SSL on a software update point, also configure any software update points at child sites to use SSL. For more
information, see the Configure a software update point to use TLS/SSL with a PKI certificate tutorial.

NOTE
To ensure that the best security protocols are in place, we highly recommend that you use the TLS/SSL protocol to help
secure your software update infrastructure. Beginning with the September 2020 cumulative update, HTTP-based WSUS
servers will be secure by default. A client scanning for updates against an HTTP-based WSUS will no longer be allowed to
leverage a user proxy by default. If you still require a user proxy despite the security trade-offs, a new software updates
client setting is available to allow these connections. For more information about the changes for scanning WSUS, see
September 2020 changes to improve security for Windows devices scanning WSUS.

Configure firewalls
The software update point at a Configuration Manager central administration site communicates with WSUS on
the software update point. WSUS communicates with the synchronization source to synchronize software
updates metadata. Software update points at a child site communicate with the software update point at the
parent site. When there's more than one software update point at a primary site, the additional software update
points communicate with the default software update point. The default role is the first software update point
that's installed at the site.
You might need to configure the firewall to allow the HTTP or HTTPS traffic that WSUS uses in the following
scenarios:
Between the software update point and the internet
Between a software update point and its upstream synchronization source
Between additional software update points
The connection to Microsoft Update is always configured to use port 80 for HTTP and port 443 for HTTPS. Use a
custom port for the connection from WSUS on the software update point at a child site to WSUS on the
software update point at the parent site. When your security policy doesn't allow the connection, use the export
and import synchronization method. For more information, see the Synchronization source section in this
article. For more information about the ports that WSUS uses, see How to determine the port settings used by
WSUS in Configuration Manager.
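A synchronization failure between a child site's software update point and its parent, or between a software update point and a DMZ WSUS synchronization source, is usually either a blocked port or a certificate the downstream side does not trust. The following PowerShell is an added example, not code from the Configuration Manager documentation or product. Run from the downstream server, it checks that the upstream WSUS answers on the expected port, that its TLS certificate validates against the local trust store and matches the name used, and that the client web service responds. The server names are placeholder assumptions.

```powershell
# Added example; not code from the Configuration Manager documentation.
# From a downstream software update point (or any client), check that WSUS on an
# upstream server answers on the expected port and, for TLS, that its certificate
# is trusted locally and matches the name the clients and child sites are given.

function Test-WsusEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 8531,
        [switch]$PlainHttp
    )
    $result = [ordered]@{
        Server = $Server; Port = $Port; TcpOpen = $false; TlsOk = $null
        Subject = $null; NotAfter = $null; HttpStatus = $null; Error = $null
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $result.TcpOpen = $true
        if (-not $PlainHttp) {
            # Default validation callback: an untrusted chain or a name mismatch makes
            # AuthenticateAsClient throw, which is exactly what WSUS sync would hit.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($Server)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.TlsOk    = $true
            $result.Subject  = $cert.Subject
            $result.NotAfter = $cert.NotAfter
            $ssl.Dispose()
        }
    }
    catch {
        if ($result.TcpOpen) { $result.TlsOk = $false }
        $result.Error = $_.Exception.Message
    }
    finally { $client.Dispose() }

    # The client web service is what scanning clients and downstream WSUS servers call;
    # a plain GET is expected to return 200 with the service description page.
    if ($result.TcpOpen -and ($PlainHttp -or $result.TlsOk)) {
        $scheme = if ($PlainHttp) { 'http' } else { 'https' }
        try {
            $resp = Invoke-WebRequest -Uri "${scheme}://${Server}:${Port}/ClientWebService/client.asmx" `
                -UseBasicParsing -TimeoutSec 15
            $result.HttpStatus = $resp.StatusCode
        }
        catch { $result.HttpStatus = $_.Exception.Message }
    }
    [pscustomobject]$result
}

# Usage (assumed names): the parent site's software update point over TLS, and a DMZ WSUS
# synchronization source that is still on HTTP.
Test-WsusEndpoint -Server 'sup01.corp.example.com'
Test-WsusEndpoint -Server 'wsus-dmz.example.com' -Port 8530 -PlainHttp
```

TcpOpen false with TlsOk null points at the firewall; TcpOpen true with TlsOk false and a chain or name error in Error points at the certificate (wrong FQDN, or an issuing CA the downstream server does not trust), which the firewall team cannot fix.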
Restrict access to specific domains
If your organization restricts network communication with the internet using a firewall or proxy device, you
need to allow the active software update point to access internet endpoints. Then WSUS and Automatic Updates
can communicate with the Microsoft Update cloud service.
For more information, see Internet access requirements.

Plan for synchronization settings


This section includes the following subtopics:
Synchronization source
Synchronization schedule
Update classifications
Products
Supersedence rules
Languages
Maximum run time
Software updates synchronization in Configuration Manager downloads the software updates metadata based
on criteria that you configure. The top-level site in your hierarchy synchronizes software updates from Microsoft
Update. You have the option to configure the software update point on the top-level site to synchronize with an
existing WSUS server, not in the Configuration Manager hierarchy. The child primary sites synchronize software
updates metadata from the software update point on the central administration site. Before you install and
configure a software update point, use this section to plan for the synchronization settings.
Synchronization source
The synchronization source settings for the software update point specify the location for where the software
update point retrieves software updates metadata. It also specifies whether the synchronization process creates
WSUS reporting events.
Synchronization source : By default, the software update point at the top-level site configures the
synchronization source for Microsoft Update. You have the option to synchronize the top-level site with
an existing WSUS server. The software update point on a child primary site configures the
synchronization source as the software update point at the central administration site.
The first software update point that you install at a primary site, which is the default software
update point, synchronizes with the central administration site. Additional software update points
at the primary site synchronize with the default software update point at the primary site.
When a software update point is disconnected from Microsoft Update or from the upstream
update server, configure the synchronization source not to synchronize with a configured
synchronization source. Instead configure it to use the export and import function of the
WSUSUtil tool to synchronize software updates. For more information, see Synchronize software
updates from a disconnected software update point.
WSUS reporting events: The Windows Update Agent on client computers can create event messages
for WSUS reporting. These events aren't used by Configuration Manager. Thus, the option, Do not
create WSUS reporting events, is selected by default. When these events aren't created, the only time
that the client should connect to the WSUS server is during software update evaluation and compliance
scans. If these events are needed for reporting outside of Configuration Manager, modify this setting to
create WSUS reporting events.

IMPORTANT
If you're sharing the WSUS database (SUSDB) across multiple software update points for the top-level site, make sure that
each of those WSUS servers meets the internet access requirements for software updates. When the database is shared at
the top-level site, Configuration Manager can select any one of those WSUS servers to sync with Microsoft Update.

Synchronization schedule
Configure the synchronization schedule only at the software update point on the top-level site in the
Configuration Manager hierarchy. When you configure the synchronization schedule, the software update point
synchronizes with the synchronization source at the date and time that you specified. The custom schedule
allows you to synchronize software updates to optimize for your environment. Consider the performance
demands of the WSUS server, site server, and network. For example, 2:00 AM once a week. Alternatively,
manually start synchronization on the top-level site by using the Synchronization Software Updates action
from the All Software Updates or Software Update Groups nodes in the Configuration Manager console.

TIP
Schedule the software updates synchronization to run by using a time that's appropriate for your environment. One
common scenario is to set the synchronization schedule to run shortly after Microsoft's regular software update release
on the second Tuesday of each month. This day is typically referred to as Patch Tuesday. If you use Configuration Manager
to deliver Endpoint Protection and Windows Defender definition and engine updates, consider setting the synchronization
schedule to run daily.

After the software update point successfully synchronizes, it sends a synchronization request to child sites. If you
have additional software update points at a primary site, it sends a synchronization request to each software
update point. This process is repeated on every site in the hierarchy.
Update classifications
Every software update is defined with an update classification that helps to organize the different types of
updates. During the synchronization process, the site synchronizes the metadata for the specified classifications.
Configuration Manager supports synchronization of the following update classifications:
Critical Updates : A broadly released update for a specific problem that addresses a critical, non-
security-related bug.
Definition Updates : An update to virus or other definition files.
Feature Packs : New product features that are distributed outside of a product release and are typically
included in the next full product release.
Security Updates : A broadly released update for a product-specific, security-related issue.
Service Packs : A cumulative set of hotfixes that is applied to an OS or application. These hotfixes include
security updates, critical updates, and software updates.
Tools : A utility or feature that helps to complete one or more tasks.
Update Rollups : A cumulative set of hotfixes that is packaged together for easy deployment. These
hotfixes include security updates, critical updates, and software updates. An update rollup generally
addresses a specific area, such as security or a product component.
Updates : An update to an application or file that's currently installed.
Upgrades : A feature update to a new version of Windows 10.
Configure the update classification settings only on the top-level site. The update classification settings aren't
configured on the software update point on child sites, because the software updates metadata is replicated
from the top-level site. When you select the update classifications, be aware the more classifications that you
select, the longer it takes to synchronize the software updates metadata.

WARNING
As a best practice, clear all classifications before you synchronize for the first time. After the initial synchronization, select
the desired classifications, and then rerun synchronization.

Products
The metadata for each software update defines one or more products for which the update is applicable. A
product is a specific edition of an OS or application. An example of a product is Microsoft Windows 10. A
product family is the base OS or application from which the individual products are derived. An example of a
product family is Microsoft Windows, of which Windows 10 and Windows Server 2016 are members. Select a
product family or individual products within a product family.
When software updates are applicable to multiple products, and at least one of the products is selected for
synchronization, all of the products appear in the Configuration Manager console even if some products weren't
selected. For example, you only select the Windows Server 2012 product. If a software update applies to
Windows Server 2012 and Windows Server 2012 Datacenter Edition, both products are in the site database.
Configure the product settings only on the top-level site. The product settings aren't configured on the software
update point for child sites because the software updates metadata is replicated from the top-level site. The
more products that you select, the longer it takes to synchronize the software updates metadata.

IMPORTANT
Configuration Manager stores a list of products and product families that you choose from when you first install the
software update point. Products and product families that are released after Configuration Manager is released might not
be available to select until you complete synchronization. The synchronization process updates the list of available
products and product families from which you can choose. Clear all products before you synchronize software updates for
the first time. After the initial synchronization, select the desired products, and then rerun synchronization.

Supersedence rules
Typically, a software update that supersedes another software update does one or more of the following actions:
Enhances, improves, or updates the fix that was provided by one or more previously released updates.
Improves the efficiency of the superseded update file package, which is installed on clients if the update is
approved for installation. For example, the superseded update might contain files that are no longer
relevant to the fix or to the operating systems that are supported by the new update. Those files aren't
included in the superseding file package of the update.
Updates newer versions of a product. In other words, it updates versions that are no longer applicable to
older versions or configurations of a product. Updates can also supersede other updates if modifications
were made to expand language support. For example, a later revision of a product update for Microsoft
365 Apps might remove the support for an older OS, but it might add additional support for new
languages in the initial update release.
In the properties for the software update point, specify that the superseded software updates are immediately
expired. This setting prevents them from being included in new deployments. It also flags the existing
deployments to indicate that they contain one or more expired software updates. Or specify a period of time
before the superseded software updates are expired. This action allows you to continue to deploy them.
Consider the following scenarios in which you might need to deploy a superseded software update:
A superseding software update supports only newer versions of an OS. Some of your client computers
run earlier versions of the OS.
A superseding software update has more restricted applicability than the software update it supersedes.
This behavior would make it inappropriate for some clients.
If a superseding software update wasn't approved for deployment in your production environment.
Configuration Manager can automatically expire superseded updates based on a schedule you choose. You can
specify the supersedence rules behavior for feature updates separately from non-feature updates. The
default setting is to wait 3 months before expiring a superseded update. The 3-month default gives you time
to verify that the update is no longer needed by any of your client computers. It's recommended that you don't
assume that superseded updates should be immediately expired in favor of the new, superseding update. You
can display a list of the software updates that supersede the software update on the Supersedence
Information tab in the software update properties.
Languages
The language settings for the software update point allow you to configure:
The languages for which the summary details (software updates metadata) are synchronized for software
updates
The software update file languages that are downloaded for software updates
Software update file
Configure languages for the Software update file setting in the properties for the software update point. This
setting provides the default languages that are available when you download software updates at a site. Modify
the languages that are selected by default each time that the software updates are downloaded or deployed.
During the download process, the software update files for the configured languages are downloaded to the
deployment package source location, if the software update files are available in the selected language. Next,
they're copied to the content library on the site server. Then they're distributed to the distribution points that are
configured for the package.
Configure the software update file language settings with the languages that are most often used in your
environment. For example, clients in your site use mostly English and Japanese for Windows or applications.
There are few other languages that are used at the site. Select only English and Japanese in the Software
Update File column when you download or deploy the software update. This action allows you to use the
default settings on the Language Selection page of the deployment and download wizards. This action also
prevents unneeded update files from being downloaded. Configure this setting at each software update point in
the Configuration Manager hierarchy.
Summary details
During the synchronization process, the summary details information (software updates metadata) is updated
for software updates in the languages that you specify. The metadata provides information about the software
update, for example:
Name
Description
Products that the update supports
Update classification
Article ID
Download URL
Applicability rules
Configure the summary details settings only on the top-level site. The summary details aren't configured on the
software update point on child sites because the software updates metadata is replicated from the central
administration site by using file-based replication. When you select the summary details languages, select only
the languages that you need in your environment. The more languages that you select, the longer it takes to
synchronize the software updates metadata. Configuration Manager displays the software updates metadata in
the locale of the OS in which the Configuration Manager console runs. If the localized properties for the
software updates aren't available in the locale of this OS, the software updates information displays in English.

IMPORTANT
Select all of the summary details languages that you need. When the software update point at the top-level site
synchronizes with the synchronization source, the selected summary details languages determine the software updates
metadata that it retrieves. If you modify the summary details languages after synchronization ran at least one time, it
retrieves the software updates metadata for the modified summary details languages only for new or updated software
updates. The software updates that have already been synchronized aren't updated with new metadata for the modified
languages unless there's a change to the software update on the synchronization source.

Maximum run time
(Introduced in version 1906)
You can specify the maximum amount of time a software update installation has to complete. You can specify
the maximum run time for the following:
Maximum run time for Windows feature updates (minutes)
Feature updates - An update that is in one of these three classifications:
Upgrades
Update rollups
Service packs
Maximum run time for Office 365 updates and non-feature updates for Windows (minutes)
Non-feature updates - An update that isn't a feature upgrade and whose product is listed as one of
the following:
Windows 10 (all versions)
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Office 365
All other updates outside of these categories, such as third-party updates, are given a default maximum
run time of 10 minutes. These settings only change the maximum runtime for new updates that are
synchronized from Microsoft Update. It doesn't change the run time on existing feature or non-feature
updates.
NOTE
Starting in Configuration Manager 2103, the default maximum run time for all other updates outside of these
categories, such as third-party updates, is 60 minutes rather than 10 minutes. The new maximum run time will
only apply to new updates that are synchronized from Microsoft Update. It doesn't change the run time on
existing updates.

If you need to change the maximum run time of an update, you can configure the software update
settings for it.
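The synchronization source, schedule, classifications, products and languages described in this section are pushed by Configuration Manager into the WSUS instance on each software update point, so they can be read back from WSUS to confirm the result. The following script is an added example, not from the Configuration Manager documentation; it assumes the UpdateServices PowerShell module (installed with the WSUS role or console) is available and that the default server name and port are placeholders to adjust.

```powershell
# Added example (not from the Configuration Manager documentation). Reads back, from the
# WSUS instance on a software update point, the synchronization settings that this section
# describes, so an administrator can confirm what Configuration Manager pushed into WSUS.
# Assumptions: the UpdateServices PowerShell module is available and the account has rights
# on the WSUS server. The local computer name and port 8530 are assumed defaults, not page values.
[CmdletBinding()]
param(
    [string]$Server = $env:COMPUTERNAME,
    [int]$Port = 8530,
    [switch]$UseSsl
)

Import-Module UpdateServices -ErrorAction Stop
$wsus   = Get-WsusServer -Name $Server -PortNumber $Port -UseSsl:$UseSsl
$config = $wsus.GetConfiguration()      # IUpdateServerConfiguration
$sub    = $wsus.GetSubscription()       # ISubscription

# Synchronization source: Microsoft Update for the top-level site's SUP, or an upstream WSUS
# (the CAS SUP for a child primary site, the default SUP for an additional SUP at a site).
if ($config.SyncFromMicrosoftUpdate) {
    $source = 'Microsoft Update (HTTP 80 / HTTPS 443)'
} else {
    $scheme = if ($config.UpstreamWsusServerUseSsl) { 'https' } else { 'http' }
    $source = '{0}://{1}:{2}' -f $scheme, $config.UpstreamWsusServerName, $config.UpstreamWsusServerPortNumber
}

# Schedule: Configuration Manager drives synchronization from the top-level site, so WSUS's own
# automatic schedule is normally off on a SUP; report it so a stray setting stands out.
if ($sub.SynchronizeAutomatically) {
    $schedule = '{0} per day, first at {1}' -f $sub.NumberOfSynchronizationsPerDay, $sub.SynchronizeAutomaticallyTimeOfDay
} else {
    $schedule = 'manual (driven by Configuration Manager)'
}

$classifications = @($sub.GetUpdateClassifications() | Select-Object -ExpandProperty Title)
$products        = @($sub.GetUpdateCategories()      | Select-Object -ExpandProperty Title)
$languages       = @($config.GetEnabledUpdateLanguages())
$lastSync        = $sub.GetLastSynchronizationInfo()
$lastSyncText    = if ($lastSync) { '{0} at {1:u}' -f $lastSync.Result, $lastSync.EndTime } else { 'never' }

[pscustomobject]@{
    Server              = $Server
    SyncSource          = $source
    IsReplica           = $config.IsReplicaServer
    WsusOwnSchedule     = $schedule
    LastSync            = $lastSyncText
    Classifications     = ($classifications -join ', ')
    UpgradesEnabled     = ($classifications -contains 'Upgrades')
    ProductCount        = $products.Count
    UpdateFileLanguages = ($languages -join ', ')
} | Format-List

# Warnings that follow the planning guidance in this section.
if (-not $config.SyncFromMicrosoftUpdate -and -not $config.UpstreamWsusServerUseSsl) {
    Write-Warning 'Upstream synchronization uses plain HTTP; consider TLS/SSL between software update points.'
}
if ($classifications.Count -eq 0) {
    Write-Warning 'No classifications enabled: expected only before the first synchronization.'
}
if ($languages.Count -gt 2) {
    Write-Warning ('{0} update-file languages enabled; each extra language adds download volume.' -f $languages.Count)
}
```

Run it once per software update point; on a child site the SyncSource line should name the parent site's SUP (or the site's default SUP for an additional SUP), never Microsoft Update.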

Plan for a software updates maintenance window
Add a maintenance window dedicated for software updates installation. This action lets you configure a general
maintenance window and a different maintenance window for software updates. When you configure both a
general maintenance window and software updates maintenance window, clients install software updates only
during the software updates maintenance window.
You can change this behavior and allow software updates to install during a general maintenance window. For
more information about this client setting, see Software updates client settings.
For more information about maintenance windows, see How to use maintenance windows.

Restart options for Windows 10 clients after software update installation
When a software update that requires a restart is deployed and installed using Configuration Manager, the client
schedules a pending restart and displays a restart dialog box.
When there's a pending restart for a Configuration Manager software update, the options Update and
Restart and Update and Shutdown are available on Windows 10 computers in the Windows power options.
After using one of these options, the restart dialog doesn't display after the computer restarts. In certain
circumstances, the operating system may remove the pending restart options. This can happen if the Fast
Startup feature in Windows 10 is enabled. For more information, see Updates may not be installed with Fast
Startup in Windows 10.

Evaluate software updates after a servicing stack update
Starting in version 2002, Configuration Manager detects if a servicing stack update (SSU) is part of an
installation for multiple updates. When an SSU is detected, it's installed first. After install of the SSU, a software
update evaluation cycle runs to install the remaining updates. This change allows a dependent cumulative
update to be installed after the servicing stack update. The device doesn't need to restart between installs, and
you don't need to create an additional maintenance window. SSUs are installed first only for non-user initiated
installs. For instance, if a user initiates an installation for multiple updates from Software Center, the SSU might
not be installed first. Installation of SSUs first isn't available for Windows Server operating systems when using
Configuration Manager version 2002. This functionality was added in Configuration Manager version 2006 for
Windows Server operating systems.

Next steps
Once you plan for software updates, see Prepare for software updates management.
For more information about managing Windows as a service, see Fundamentals of Configuration Manager as a
service and Windows as a service.
Prerequisites for software updates in Configuration Manager
9/17/2021 • 9 minutes to read

Applies to: Configuration Manager (current branch)


This article lists the prerequisites for software updates in Configuration Manager. For each of the prerequisites,
the external dependencies and internal dependencies are listed in separate tables.

Software update dependencies that are external to Configuration Manager
The following sections list the external dependencies for software updates.
Internet Information Services
Internet Information Services (IIS) must be installed on the site system servers to run the software update point,
the management point, and the distribution point. For more information, see Prerequisites for site system roles.
Windows Server Update Services
Windows Server Update Services (WSUS) is needed for software updates synchronization and for the software
updates applicability scan on clients. The WSUS server must be installed before you create the software update
point role. The following versions of WSUS are supported for a software update point:
WSUS 10.0.14393 (role in Windows Server 2016)
WSUS 10.0.17763 (role in Windows Server 2019) (Requires Configuration Manager 1810 or later)
WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2)
KB 3095113 and KB 3159706 (or an equivalent update) are needed for WSUS 6.2 and 6.3 if you
deploy Windows 10 upgrades.

NOTE
When you have multiple software update points at a site, ensure that they're all running the same version of WSUS.

WSUS Administration Console
The WSUS Administration Console is required on the Configuration Manager site server when the software
update point is on a remote site system server and WSUS isn't already installed on the site server.

IMPORTANT
The WSUS version on the site server must be the same as the WSUS version that's running on the software update
points.
Don't use WSUS Administration Console to configure WSUS settings. Configuration Manager connects to the instance
of WSUS that is running on the software update point and configures the appropriate settings.

Windows Update Agent
The Windows Update Agent (WUA) client is required on clients so that they can connect to the WSUS server.
WUA retrieves the list of software updates that must be scanned for compliance.
When you install Configuration Manager, the latest version of WUA is downloaded. Then, when you install the
Configuration Manager client, WUA is upgraded if necessary. If the installation fails, you must use a different
method to upgrade WUA.

Software update dependencies that are internal to Configuration Manager
The following sections list the internal dependencies for software updates in Configuration Manager.
Management points
Management points transfer information between client computers and the Configuration Manager site. The
management points are required for software updates.
Software update points
You must install a software update point on the WSUS server to deploy software updates in Configuration
Manager. For more information, see Install and configure a software update point.
Distribution points
Distribution points are required to store the content for software updates. For more information about how to
install distribution points and manage content, see Manage content and content infrastructure.
Client settings for software updates
Software updates are enabled for clients by default. There are other available settings that control how and
when clients assess compliance for the software updates and control how the software updates are installed.
For more information, see the following articles:
Client settings for software updates
Software updates client settings

IMPORTANT
Beginning with the September 2020 cumulative update, HTTP-based WSUS servers will be secure by default. A client
scanning for updates against an HTTP-based WSUS will no longer be allowed to leverage a user proxy by default. If you
still require a user proxy despite the security trade-offs, a new software updates client setting is available to allow these
connections. For more information about the changes for scanning WSUS, see September 2020 changes to improve
security for Windows devices scanning WSUS. To ensure that the best security protocols are in place, we highly
recommend that you use the TLS/SSL protocol to help secure your software update infrastructure.

Reporting services points
The reporting services point site system role can display reports for software updates. This role is optional but
recommended. For more information about how to create a reporting services point, see Configuring reporting.

Which updates are required on WSUS 6.2 and 6.3?
Two updates are required for syncing Upgrades classification in WSUS 6.2 and 6.3. Occasionally, you might see
an error downloading or deploying upgrades if they synchronized before KB3095113 and KB3159706 were
installed. Information about possible issues is in the next section.
You must install KB 3095113, released in October 2015, on your software update points and site servers
before you synchronize the Upgrades classification.
This update enables the Upgrades classification.
To service Windows 10 version 1607 and later, you must install and configure KB 3159706. KB 3159706 was
released in May 2016.
This update enables WSUS to natively decrypt the files used for upgrading Windows 10 version 1607
and later.

IMPORTANT
Both KB 3095113 and KB 3159706 are included in the Security Monthly Quality Rollup starting in July 2017. This
means you may not see KB 3095113 and KB 3159706 as installed updates since they may have been installed with a
rollup. However, if you need either of these updates, we recommend installing a Security Monthly Quality Rollup
released after October 2017 since they contain an additional WSUS update to decrease memory utilization on WSUS's
clientwebservice.

Download of Windows 10 upgrades fails with "Error: Invalid certificate signature" or 0xc1800118
The updates and issue described in this section only apply to WSUS running on Windows Server 2012 or
Windows Server 2012 R2 machines (WSUS 6.2 and 6.3). Typically, you'll only see the issues described in this
section if you installed WSUS before July 2017 and you've recently enabled the Upgrades classification.
However, it's possible to see these issues in other situations too.
Historical information about KB 3095113
KB 3095113 was released as a hotfix in October 2015 to add support for Windows 10 upgrades to WSUS. The
update enables WSUS to synchronize and distribute updates in the Upgrades classification for Windows 10.
If you synchronize any upgrades without having first installed KB 3095113, you populate the WSUS database
(SUSDB) with unusable data. That data must be cleared before the upgrades can be properly deployed. Windows
10 upgrades in this state can't be downloaded by using the Download Software Updates Wizard.
Errors that resemble the following appear on the Completion page of the Download Software Updates Wizard:

Error: Upgrade to Windows 10 Pro, version 1511, 10586
Failed to download content id {content_id}. Error: Invalid certificate signature

Additionally, errors resembling the following are logged in the PatchDownloader.log file:

Download http://wsus.ds.b1.download.windowsupdate.com/d/upgr/2015/12/10586.0.151029-1700.th2_release_...esd...
Authentication of file C:\Users\{username}\AppData\Local\Temp\2\{temporary_filename}.tmp failed, error 0x800b0004
ERROR: DownloadContentFiles() failed with hr=0x80073633
# This log is truncated for readability.

Historically, when these errors occurred, they would be resolved by doing a modified version of the resolution
steps for WSUS. Because these steps are similar to the resolution for not doing the manual steps required after
KB 3159706 installation, we've combined both sets of steps into a single resolution in the section below:
To recover from synchronizing the upgrades before you install KB 3095113 or KB 3159706.
Historical information about KB 3159706
KB 3148812 was initially released in April 2016 to enable WSUS to natively decrypt the .esd files used for
upgrading Windows 10 packages. KB 3148812 caused problems for some customers and was replaced with KB
3159706. KB 3159706 needs to be installed on all your software update points and site servers before you can
service Windows 10 Version 1607 and later devices. However, problems can arise if you don't realize the KB
requires the following manual steps after installation:
1. From an elevated command prompt run
"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing.
2. Restart the WSUS service on all of the WSUS servers.
If you don't realize that KB 3159706 had manual steps after installation, or you synchronized in the upgrade for
Windows 10 1607 before installing KB 3159706, you would run into issues connecting to the WSUS console
and deploying the upgrade respectively. When a client downloaded the upgrade file, it would get a
0xC1800118 error code.
Because the resolution steps are similar to the resolution for synchronizing upgrades before KB 3095113
installation, we've combined both sets of steps into a single resolution in the next section.
To recover from synchronizing the upgrades before you install KB 3095113 or KB 3159706
Follow the steps below to resolve both the 0xc1800118 error and "Error: Invalid certificate signature":
1. Disable the Upgrades classification in both WSUS and Configuration Manager. You don't want a
synchronization to occur until you're directed to by these instructions.
Uncheck the Upgrades classification in the software update point component properties on the top-
level site.
For more information, see Configure classifications and products.
Uncheck the Upgrades classification from WSUS under Products and Classifications on the
Options page, or use the PowerShell ISE running as administrator.

Get-WsusClassification | Where-Object -FilterScript {$_.Classification.Title -Eq "Upgrades"} | Set-WsusClassification -Disable

If you share the WSUS database between multiple WSUS servers, you only need to uncheck
Upgrades once for each database.
2. On each WSUS server, from an elevated command prompt run:
"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing. Then, restart the WSUS
service on all of the WSUS servers.
WSUS places the database into single user mode before it checks to see if servicing is needed. The
servicing either runs or doesn't run based on the results of the check. Then, the database is put back
into multi-user mode.
If you share the WSUS database between multiple WSUS servers, you only need to do this servicing
once for each database.
3. Delete all of the Windows 10 upgrades from each WSUS database using the PowerShell ISE running as
administrator.

# Load the WSUS administration API and connect to the local WSUS server.
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
# Delete every update in the Upgrades classification whose title mentions Windows 10.
$wsus.GetUpdates() | Where {$_.UpdateClassificationTitle -eq 'Upgrades' -and $_.Title -match 'Windows 10'} `
| ForEach-Object {$wsus.DeleteUpdate($_.Id.UpdateId.ToString()); Write-Host $_.Title removed}

4. Delete files from the tbFile table from each of the WSUS databases used by your software update points. On
the WSUS database, run the following commands from SQL Server Management Studio:

-- Collect the digests of .esd files that no longer belong to any update revision.
declare @NotNeededFiles table (FileDigest binary(20) UNIQUE)
insert into @NotNeededFiles(FileDigest) (select FileDigest from tbFile where FileName like '%.esd%'
except select FileDigest from tbFileForRevision)
-- Remove the orphaned file rows from both file tables.
delete from tbFileOnServer where FileDigest in (select FileDigest from @NotNeededFiles)
delete from tbFile where FileDigest in (select FileDigest from @NotNeededFiles)
5. Start the software updates synchronization on your top-level site in Configuration Manager and wait for it to
complete. A full synchronization occurs because we made a change to the classifications in Configuration
Manager when we removed Upgrades. For more information, see Synchronize software updates.
6. Select the Upgrades classification in the software update point component properties. Then, start another
software updates synchronization to bring the Upgrades back into WSUS and Configuration Manager. You
don't have to enable the Upgrades classification in WSUS since Configuration Manager will do it for you.
7. If your clients received the 0xC1800118 error code when downloading an upgrade, you'll need to delete the
data store used by the Windows Update Agent. You may also have to delete the hidden ~BT folder on the
device. The next time the client scans, it will be a full scan against the WSUS server rather than a delta. You
can use a PowerShell script that's similar to the following sample script:

stop-service wuauserv
remove-item -path c:\windows\softwaredistribution\datastore -recurse -force
# If the device has a hidden ~BT folder on the c drive, delete it too by uncommenting the next line.
# remove-item -path c:\~BT -recurse -force
start-service wuauserv
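To check the state that the prerequisites section and the recovery procedure above depend on, the following script (an added example, not from the Configuration Manager documentation) reports the WSUS version, whether the two hotfixes named on this page are visible, whether the Upgrades classification is subscribed in WSUS, how many Windows 10 upgrades remain in SUSDB, and whether the WSUS service is running. It assumes it runs elevated on the WSUS server with the UpdateServices module available; the port default is an assumption.

```powershell
# Added example (not from the Configuration Manager documentation). Checks, on a WSUS 6.2/6.3
# software update point, the state the prerequisites section and the recovery procedure depend on.
# Zero Windows 10 upgrades is the expected state between recovery step 3 and the re-sync in step 6.
# Assumptions: run elevated on the WSUS server with the UpdateServices module available;
# the port default is an assumption for the example.
[CmdletBinding()]
param(
    [int]$Port = 8530,
    [switch]$UseSsl
)

Import-Module UpdateServices -ErrorAction Stop
$wsus = Get-WsusServer -Name $env:COMPUTERNAME -PortNumber $Port -UseSsl:$UseSsl
$ver  = $wsus.Version
Write-Host ('WSUS version {0} on {1}' -f $ver, $env:COMPUTERNAME)

# Only WSUS 6.x (Windows Server 2012 / 2012 R2) needs the two hotfixes; WSUS 10.x has them built in.
$isWsus6   = ($ver.Major -eq 6)
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
foreach ($kb in 'KB3095113', 'KB3159706') {
    if ($installed -contains $kb) {
        Write-Host "  $kb is listed by Get-HotFix"
    } elseif ($isWsus6) {
        # From July 2017 both fixes ship inside the Security Monthly Quality Rollup, so a missing
        # entry here is not conclusive; check the rollup level before installing the hotfix itself.
        Write-Warning "$kb not listed by Get-HotFix; confirm a Security Monthly Quality Rollup from July 2017 or later is installed, otherwise install $kb before enabling Upgrades."
    }
}

# Upgrades classification in the WSUS subscription (Configuration Manager sets this when you
# select Upgrades in the software update point component properties).
$subscribed = $wsus.GetSubscription().GetUpdateClassifications() | Where-Object { $_.Title -eq 'Upgrades' }
Write-Host ('  Upgrades classification subscribed in WSUS: {0}' -f [bool]$subscribed)

# Windows 10 upgrades currently in SUSDB (same filter the recovery procedure deletes with).
$win10Upgrades = @($wsus.GetUpdates() | Where-Object {
    $_.UpdateClassificationTitle -eq 'Upgrades' -and $_.Title -match 'Windows 10'
})
Write-Host ('  Windows 10 upgrades in SUSDB: {0}' -f $win10Upgrades.Count)
$win10Upgrades | Select-Object Title, CreationDate, IsDeclined | Format-Table -AutoSize

# Recovery step 2 ends with a WSUS service restart; make sure it actually came back.
$svc = Get-Service -Name WsusService
if ($svc.Status -ne 'Running') {
    Write-Warning ('WsusService is {0}; start it before clients scan or the site synchronizes.' -f $svc.Status)
} else {
    Write-Host '  WsusService is running'
}
```

GetUpdates() enumerates the whole catalog, so on a large SUSDB the upgrade count can take a while; run the script once per WSUS server, or once per shared database.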

Next steps
Prepare for software updates management
Best practices for software updates in Configuration Manager
9/17/2021 • 3 minutes to read

Applies to: Configuration Manager (current branch)


This article includes best practices for software updates in Configuration Manager. The information is sorted into
best practices for initial installation and for ongoing operations.

Installation best practices
Use the following best practices when you install software updates in Configuration Manager.
Use a shared WSUS database for software update points
When you install more than one software update point at a primary site, use the same WSUS database for each
software update point in the same Active Directory forest. If you share the same database, it significantly
mitigates, but doesn't completely eliminate, the client and the network performance impact that you might
experience when clients switch to a new software update point. A delta scan still occurs when a client switches to
a new software update point that shares a database with the old software update point, but the scan is much
smaller than it would be if each WSUS server had its own database. For more information about software update
point switching, see Software update point switching.

IMPORTANT
Also share the local WSUS content folders when you use a shared WSUS database for software update points.

For more information on sharing the WSUS database, see the following blog posts:
How to implement a shared SUSDB for Configuration Manager software update points
Considerations for multiple WSUS instances sharing a content database when using Configuration Manager.
When Configuration Manager and WSUS use the same SQL Server, configure one to use a named instance and the other to use the default instance
When the Configuration Manager and WSUS databases share the same instance of SQL Server, you can't easily
determine the resource usage between the two applications. Use different SQL Server instances for
Configuration Manager and WSUS. This configuration makes it easier to troubleshoot and diagnose resource
usage issues that might occur for each application.
Specify the "Store updates locally" setting
When you install WSUS, select the setting to Store updates locally . This setting causes WSUS to download the
license terms that are associated with software updates. It downloads the terms during the synchronization
process and stores them on the local hard drive for the WSUS server. If you don't select this setting, client
computers might fail compliance scans for software updates that have license terms. The WSUS
Synchronization Manager component of the software update point verifies that this setting is enabled every
60 minutes, by default.
Configure your software update points to use TLS/SSL
Configuring Windows Server Update Services (WSUS) servers and their corresponding software update points
to use TLS/SSL may reduce the ability of a potential attacker to remotely compromise a client and elevate
privileges. To ensure that the best security protocols are in place, we highly recommend that you use the
TLS/SSL protocol to help secure your software update infrastructure. For more information, see the Configure a
software update point to use TLS/SSL with a PKI certificate tutorial.

Operational Best Practices


Use the following best practices when you use software updates:
Limit software updates to 1000 in a single software update deployment
Limit the number of software updates to 1000 in each software update deployment. When you create an
automatic deployment rule, verify that the specified criteria doesn't result in more than 1000 software updates.
If you manually deploy software updates, don't select more than 1000 updates.
Create a new software update group each time an ADR runs for "Patch Tuesday" and for general deployments
There's a limit of 1000 software updates in a deployment. When you create an automatic deployment rule
(ADR), you specify whether to use an existing update group or create a new update group each time the rule
runs. If you specify criteria in an ADR that results in multiple software updates, and the rule runs on a recurring
schedule, create a new software update group each time the rule runs. This behavior prevents the deployment
from surpassing the limit of 1000 software updates per deployment.
Use an existing software update group for ADRs for Endpoint Protection definition updates
When you use an ADR to deploy Endpoint Protection definition updates on a frequent basis, always use an
existing software update group. Otherwise, the ADR potentially creates hundreds of software update groups
over time. Definition update publishers typically set definition updates to expire when they're superseded by
four newer updates. Therefore, the software update group that's created by the ADR never contains more than
four definition updates for the publisher: one active, and three superseded.
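The two rules above (no more than 1000 updates per deployment, and reuse one group for definition-update ADRs) are easy to violate quietly as ADRs run month after month. The following script is an added example and is not code from the Configuration Manager documentation. It uses the real ConfigurationManager module cmdlets Get-CMSoftwareUpdateGroup and Get-CMSoftwareUpdate and assumes the module is loaded and the site drive (for example PS1:) is the current location; the $Limit threshold and the output columns are this example's own.

```powershell
# Added example (not from the Configuration Manager docs): audit every software update
# group against the 1000-updates-per-deployment limit and show how much of each group is
# dead weight (expired or superseded), which is what happens when an ADR keeps appending
# to one group instead of creating a new one per run.
# Assumes: ConfigurationManager module imported, current location is the site drive (PS1:).

function Get-SugSizeReport {
    param(
        [int] $Limit = 1000   # documented maximum number of updates in one deployment
    )

    foreach ($group in Get-CMSoftwareUpdateGroup) {
        # Count members directly rather than trusting a cached counter on the group object.
        # -Fast skips lazy WMI properties, which matters with hundreds of updates per group.
        $updates    = @(Get-CMSoftwareUpdate -UpdateGroupName $group.LocalizedDisplayName -Fast)
        $expired    = @($updates | Where-Object { $_.IsExpired }).Count
        $superseded = @($updates | Where-Object { $_.IsSuperseded }).Count

        [pscustomobject]@{
            Group      = $group.LocalizedDisplayName
            Updates    = $updates.Count
            Expired    = $expired
            Superseded = $superseded
            OverLimit  = $updates.Count -gt $Limit
            Headroom   = $Limit - $updates.Count
        }
    }
}

# Largest groups first; anything with OverLimit = True will fail as a single deployment.
Get-SugSizeReport | Sort-Object Updates -Descending | Format-Table -AutoSize
```

Run it on a console machine after each ADR cycle. A group that is under the limit but mostly Expired or Superseded is the signal that the ADR should be switched to "create a new software update group" on each run, or that the group needs cleaning before the next deployment.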

See Also
Plan for software updates
Security and privacy for software updates in Configuration Manager
9/17/2021 • 3 minutes to read

Applies to: Configuration Manager (current branch)


This topic contains security and privacy information for software updates in Configuration Manager.

Security best practices for software updates


Use the following security best practices when you deploy software updates to clients:
Do not change the default permissions on software update packages.
By default, software update packages are set to allow administrators Full Control and users to have
Read access. If you change these permissions, it might allow an attacker to add, remove, or delete
software updates.
Control access to the download location for software updates.
The computer accounts for the SMS Provider, the site server, and the administrative user who will actually
download the software updates to the download location require Write access to the download location.
Restrict access to the download location to reduce the risk of attackers tampering with the software
updates source files in the download location.
In addition, if you use a UNC share for the download location, secure the network channel by using IPsec
or SMB signing to prevent tampering of the software updates source files when they are transferred over
the network.
Use UTC for evaluating deployment times.
If you use local time instead of UTC, users could potentially delay installation of software updates by
changing the time zone on their computers.
Enable SSL on WSUS and follow the best practices for securing Windows Server Update Services
(WSUS).
Identify and follow the security best practices for the version of WSUS that you use with Configuration
Manager.
For more information on enabling SSL, see the Configure a software update point to use TLS/SSL with a
PKI certificate tutorial.

IMPORTANT
If you configure the software update point to enable SSL communications for the WSUS server, you must
configure virtual roots for SSL on the WSUS server.

Enable CRL checking.


By default, Configuration Manager does not check the certificate revocation list (CRL) to verify the
signature on software updates before they are deployed to computers. Checking the CRL each time a
certificate is used offers more security against using a certificate that has been revoked, but it introduces
a connection delay and incurs additional processing on the computer performing the CRL check.
For more information about how to enable CRL checking for software updates, see How to enable CRL
checking for software updates.
Configure WSUS to use a custom website.
When you install WSUS on the software update point, you have the option to use the existing IIS Default
Web site or to create a custom WSUS website. Create a custom website for WSUS so that IIS hosts the
WSUS services in a dedicated virtual website instead of sharing the same web site that is used by the
other Configuration Manager site systems or other applications.
For more information, see Configure WSUS to use a custom web site.
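The download-location guidance above (only the site server, the SMS Provider and the downloading administrator need Write access; protect a UNC share with IPsec or SMB signing) is something you can verify rather than assume. The following script is an added example and is not code from the Configuration Manager documentation. It audits the ACL on the download location for any principal that holds write-capable rights outside an allow-list, then checks that the file server requires SMB signing. The share path, the account names in the allow-list and the server you run it on are assumptions; substitute your own.

```powershell
# Added example, not part of the Configuration Manager docs. Audits the software update
# download location: lists every identity with write-capable NTFS rights that is not on an
# allow-list, then checks that SMB signing is required on the file server hosting the share.
# $DownloadShare and $AllowedWriters are assumptions for this example; replace them with
# your site server, SMS Provider and patch-admin accounts.

$DownloadShare  = '\\FS01\SUPSource$'                                             # assumed UNC download location
$AllowedWriters = @('CONTOSO\CM01$', 'CONTOSO\SMSProv01$', 'CONTOSO\cm-patch-admin')  # assumed principals

# Any of these rights lets a principal add, replace or remove update source files.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Get-UnexpectedWriters {
    param([string] $Path, [string[]] $Allowed)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Read-only ACEs are fine: clients only need to read the source files.
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($Allowed -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited write rights usually mean the parent folder is too open
        }
    }
}

$unexpected = @(Get-UnexpectedWriters -Path $DownloadShare -Allowed $AllowedWriters)
if ($unexpected.Count -gt 0) {
    Write-Warning "Write access on $DownloadShare held by identities outside the allow-list:"
    $unexpected | Format-Table -AutoSize
}
else {
    "Download location ACL OK: only allow-listed identities can write to $DownloadShare"
}

# SMB signing: RequireSecuritySignature must be true on the server that hosts the share.
# Run this part on the file server (or add -CimSession to target it remotely). Signing
# stops an on-path attacker from altering update files in transit; IPsec is the alternative.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) {
    Write-Warning 'SMB signing is not required on this server. Fix: Set-SmbServerConfiguration -RequireSecuritySignature $true'
}
else {
    'SMB signing is required on this server'
}
```

Generic access masks (for example GENERIC_ALL on some inherited ACEs) show up as large numeric values rather than named flags; treat any unexpected numeric right as something to inspect by hand rather than as safe.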

Privacy information for software updates


Software updates scan your client computers to determine which software updates are required, and then send
that information back to the site database. During the software updates process, Configuration Manager might
transmit information between clients and servers that identifies the computer and logon accounts.
Configuration Manager maintains state information about the software deployment process. State information
is not encrypted during transmission or storage. State information is stored in the Configuration Manager
database and it is deleted by the database maintenance tasks. No state information is sent to Microsoft.
The use of Configuration Manager software updates to install software updates on client computers might be
subject to software license terms for those updates, which is separate from the Software License Terms for
Configuration Manager. Always review and agree to the Software Licensing Terms prior to installing the
software updates by using Configuration Manager.
Configuration Manager does not implement software updates by default and requires several configuration
steps before information is collected.
Before you configure software updates, consider your privacy requirements.
Prepare for software updates management
9/17/2021 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Before the compliance assessment data of the software update displays in the Configuration Manager console
and before you can deploy software updates to client computers, you must complete the steps in the following
sections.

Step 1: Install a software update point


The software update point is required on the central administration site, or stand-alone primary site, and on
primary sites to enable the software updates compliance assessment and to deploy software updates to clients.
The software update point is optional on secondary sites. For details, see Install a software update point.

Step 2: Synchronize Software Updates


Software updates synchronization is the process of retrieving the software updates metadata that meets the
criteria that you configure. Software updates are not displayed in the Configuration Manager console until you
synchronize software updates. For details, see Synchronize software updates.

Step 3: Configure classifications and products to synchronize


Perform this configuration on the central administration site or stand-alone primary site. After you synchronize
software updates the first time, Configuration Manager retrieves an updated list of classifications and products.
Now, you can select from the new options in the Software Update Point Component properties. After you
configure the new classifications and products, repeat step 2 to start software updates synchronization to
retrieve software updates metadata for the new criteria. For details, see Configure classifications and products to
synchronize.

Step 4: Manage settings for software updates


After you synchronize software updates, verify Configuration Manager client settings, group policy
configurations, and software updates settings before you deploy software updates. For details, see Manage
settings for software updates.
Install and configure a software update point
9/17/2021 • 13 minutes to read

Applies to: Configuration Manager (current branch)

IMPORTANT
Before you install the software update point site system role (SUP), you must verify that the server meets the required
dependencies and determine the software update point infrastructure on the site. For more information about how to
plan for software updates and to determine your software update point infrastructure, see Plan for software updates.

The software update point is required on the central administration site and on the primary sites to enable
software updates compliance assessment and to deploy software updates to clients. The software update point
is optional on secondary sites. The software update point site system role must be created on a server that has
WSUS installed. The software update point interacts with the WSUS services to configure the software update
settings and to request synchronization of software updates metadata. When you have a Configuration Manager
hierarchy, install and configure the software update point on the central administration site first, then on child
primary sites, and then optionally, on secondary sites. When you have a stand-alone primary site, not a central
administration site, install and configure the software update point on the primary site first, and then optionally,
on secondary sites. Some settings are only available when you configure the software update point on a top-
level site. There are different options that you must consider depending on where you installed the software
update point.

IMPORTANT
You can install more than one software update point on a site. The first software update point that you install is
configured as the synchronization source, which synchronizes the updates from Microsoft Update or from the
upstream synchronization source. The other software update points on the site are configured as replicas of the first
software update point. Therefore, some settings are not available after you install and configure the initial software
update point.
It is not supported to install the software update point site system role on a server that has been configured and used
as a standalone WSUS server, or to use a software update point to directly manage WSUS clients. Existing WSUS servers
are only supported as upstream synchronization sources for the active software update point. See Synchronize from
an upstream data source location.

You can add the software update point site system role to an existing site system server or you can create a new
one. On the System Role Selection page of the Create Site System Server Wizard or Add Site System
Roles Wizard, depending on whether you add the site system role to a new or existing site server, select
Software update point, and then configure the software update point settings in the wizard. The settings are
different depending on the version of Configuration Manager that you use. For more information about how to
install site system roles, see Install site system roles.
Use the following sections for information about the software update point settings on a site.

Proxy server settings


You can configure the proxy server settings on different pages of the Create Site System Server Wizard or
Add Site System Roles Wizard depending on the version of Configuration Manager that you use.
You must configure the proxy server, and then specify when to use the proxy server for software updates.
Configure the following settings:
Configure the proxy server settings on the Proxy page of the wizard or on the Proxy tab in Site
system Properties. The proxy server settings are site system specific, meaning that all site system
roles use the proxy server settings that you specify.
Specify whether to use the proxy server when Configuration Manager synchronizes the software
updates and when it downloads content by using an automatic deployment rule. Configure the
software update point proxy server settings on the Proxy and Account Settings page of the
wizard or on the Proxy and Account Settings tab in Software update point Properties.
The Use a proxy when downloading content by using automatic deployment rules
setting is available but it is not used for a software update point on a secondary site. Only the
software update point on the central administration site and primary site downloads content from
the Microsoft Update page.
By default, the Local System account for the server on which an automatic deployment rule was
created is used to connect to the Internet and download software updates when the automatic
deployment rules run. When this account does not have access to the Internet, software updates
fail to download and the following entry is logged to ruleengine.log: Failed to download the
update from internet. Error = 12007 . Configure the credentials to connect to the proxy server
when the Local System account does not have Internet access.

WSUS settings
You must configure WSUS settings on different pages of the Create Site System Server Wizard or Add Site
System Roles Wizard depending on the version of Configuration Manager that you use, and in some cases,
only in the properties for the software update point, also known as Software Update Point Component
Properties. Use the information in the following sections to configure the WSUS settings.

IMPORTANT
To ensure that the best security protocols are in place, we highly recommend that you use the TLS/SSL protocol to help
secure your software update infrastructure. Beginning with the September 2020 cumulative update, HTTP-based WSUS
servers will be secure by default. A client scanning for updates against an HTTP-based WSUS will no longer be allowed to
leverage a user proxy by default. If you still require a user proxy despite the security trade-offs, a new software updates
client setting is available to allow these connections. For more information about the changes for scanning WSUS, see
September 2020 changes to improve security for Windows devices scanning WSUS.

WSUS port settings


You must configure the WSUS port settings on the Software Update Point page of the wizard or in the
properties of the software update point. Use the following procedure to determine the port settings used by
WSUS.
To determine the port settings used in IIS
1. On the WSUS server, open Internet Information Services (IIS) Manager.
2. Expand Sites, right-click the Web site for the WSUS server, and then click Edit Bindings. In the Site
Bindings dialog, the HTTP and HTTPS port values are displayed in the Port column.
Configure SSL communications to WSUS
To ensure that the best security protocols are in place, we highly recommend that you use the TLS/SSL protocol
to help secure your software update infrastructure. You can configure SSL communication on the General page
of the wizard or on the General tab in the properties of the software update point.
For more information about how to use SSL, see Decide whether to configure WSUS to use SSL and Configure a
software update point to use TLS/SSL with a PKI certificate.
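The port lookup above and the decision to enable SSL go together: the SUP must be told the same ports that IIS actually binds, and enabling SSL on the SUP only helps if WSUS itself has been configured for SSL and the HTTPS endpoint answers. The following script is an added example and is not code from the Configuration Manager documentation. It reads the WSUS site bindings from IIS, compares them with what WSUS setup recorded in the registry, and probes the client-facing web service over TLS. It runs on the WSUS server; the WSUS FQDN, the site name and the registry value names it reads are assumptions for this example.

```powershell
# Added example, not from the Configuration Manager docs. Shows, from PowerShell, the same
# port values the docs tell you to read in IIS Manager (Edit Bindings), checks them against
# WSUS's own SSL state, and verifies the HTTPS endpoint answers before you tick
# "Require SSL communication to the WSUS server" on the software update point.
# Run on the WSUS server. Assumptions: $WsusServerName, $SiteName, and the registry value
# names PortNumber / UsingSSL under the WSUS Setup key.

Import-Module WebAdministration

$WsusServerName = 'wsus01.contoso.com'    # assumed FQDN; must match the certificate subject/SAN
$SiteName       = 'WSUS Administration'   # custom WSUS website; use 'Default Web Site' if WSUS shares it

# 1. Port values straight from the IIS bindings.
$bindings = Get-WebBinding -Name $SiteName | ForEach-Object {
    $parts = $_.bindingInformation.Split(':')   # format is "IP:port:hostheader"
    [pscustomobject]@{ Protocol = $_.protocol; Port = [int]$parts[1]; HostHeader = $parts[2] }
}
"IIS bindings for '$SiteName':"
$bindings | Format-Table -AutoSize

# 2. What WSUS itself recorded (written by setup and by 'wsusutil configuressl').
$setup    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
$usingSsl = [bool]$setup.UsingSSL
"WSUS setup: PortNumber={0} UsingSSL={1}" -f $setup.PortNumber, $usingSsl

$https = $bindings | Where-Object Protocol -eq 'https'
if (-not $https) {
    Write-Warning "No HTTPS binding on '$SiteName'. Add one (8531 by convention) before enabling SSL on the SUP."
}
elseif (-not $usingSsl) {
    Write-Warning 'HTTPS binding exists but WSUS is not SSL-configured. Run: wsusutil.exe configuressl <FQDN>'
}

# 3. Probe the client web service over TLS. A trust or name-mismatch error here is the same
#    error the SUP sync and client scans will hit once SSL is required.
if ($https) {
    $url = "https://{0}:{1}/ClientWebService/client.asmx" -f $WsusServerName, $https[0].Port
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "TLS endpoint OK: $url (HTTP {0})" -f $resp.StatusCode
    }
    catch {
        Write-Warning "TLS probe of $url failed: $($_.Exception.Message)"
    }
}
```

When the probe fails with a certificate error, fix the certificate (trusted issuer, FQDN in the subject or SAN) before changing the SUP setting; enabling SSL on the SUP while the endpoint is broken takes every client's scan down with it.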
Allow cloud management gateway traffic
You can enable a software update point to accept communication from clients on the internet via a cloud
management gateway (CMG). For more information about this setting, see Configure client-facing roles for
CMG traffic.
WSUS Server Connection Account
You can configure an account to be used by the site server when it connects to WSUS that runs on the software
update point. When you don't configure this account, Configuration Manager uses the computer account for
the site server to connect to WSUS. Configure the WSUS Server Connection Account on the Proxy and
Account Settings page of the wizard, or on the Proxy and Account Settings tab in Software update point
Properties. You can configure the account in different places of the wizard depending on the version of
Configuration Manager that you use.
For more information about Configuration Manager accounts, see Accounts used.

Synchronization source
You can configure the upstream synchronization source for software updates synchronization on the
Synchronization Source page of the wizard, or on the Sync Settings tab in Software Update Point
Component Properties. Your options for the synchronization source vary depending on the site.
Use the following table for the available options when you configure the software update point at a site.

Site                                           Available synchronization source options
---------------------------------------------  ----------------------------------------------------------------
Central administration site                    - Synchronize from the Microsoft Update website
Stand-alone primary site                       - Synchronize from an upstream data source location
                                               - Do not synchronize from Microsoft Update or upstream data source

Additional software update points at a site    - Synchronize from an upstream data source location
Child primary site
Secondary site

The following list provides more information about each option that you can use as the synchronization source:
Synchronize from Microsoft Update : Use this setting to synchronize software updates metadata from
Microsoft Update. The central administration site must have Internet access; otherwise, synchronization
will fail. This setting is available only when you configure the software update point on the top-level site.
When there's a firewall between the software update point and the Internet, the firewall might
need to be configured to accept the HTTP and HTTPS ports that are used for the WSUS Web site.
You can also choose to restrict access on the firewall to limited domains. For more information
about how to plan for a firewall that supports software updates, see Configure firewalls.
If you're sharing the WSUS database, be aware that Configuration Manager randomly chooses the
software update point between the front-end WSUS servers. Ensure that the internet access
requirements are met for each of the WSUS servers. If internet access requirements aren't met,
then sync failures can occur. You may see different software update points at the top-level site
syncing with Microsoft.
Synchronize from an upstream data source location : Use this setting to synchronize software
updates metadata from the upstream synchronization source. The child primary sites and secondary sites
are automatically configured to use the parent site URL for this setting. You have the option to
synchronize software updates from an existing WSUS server. Specify a URL, such as
https://WSUSServer:8531, where 8531 is the port that is used to connect to the WSUS server.
Do not synchronize from Microsoft Update or upstream data source : Use this setting to
manually synchronize software updates when the software update point at the top-level site is
disconnected from the Internet. For more information, see Synchronize software updates from a
disconnected software update point.
You can also configure whether to create WSUS reporting events on the Synchronization Source page of the
wizard or on the Sync Settings tab in Software Update Point Component Properties. Configuration Manager
doesn't use these events; therefore, you will normally choose the default setting Do not create WSUS
reporting events.

Synchronization schedule
Configure the synchronization schedule on the Synchronization Schedule page of the wizard or in the
Software Update Point Component Properties. This setting is configured only on the software update point at
the top-level site.
If you enable the schedule, you can configure a recurring simple or custom synchronization schedule. When you
configure a simple schedule, the start time is based on the local time for the computer that runs the
Configuration Manager console at the time when you create the schedule. When you configure the start time for
a custom schedule, it's based on the local time for the computer that runs the Configuration Manager console.

TIP
Schedule software updates synchronization to run by using a time-frame that is appropriate for your environment. One
typical scenario is to set the software updates synchronization schedule to run shortly after the Microsoft regular security
update release on the second Tuesday of each month, which is normally referred to as Patch Tuesday. Another typical
scenario is to set the software updates synchronization schedule to run daily when you use software updates to deliver
the Endpoint Protection definition and engine updates.

NOTE
When you choose not to enable software updates synchronization on a schedule, you can manually synchronize software
updates from the All Software Updates or Software Update Groups node in the Software Library workspace. For
more information, see synchronize software updates.

Supersedence rules
Configure the supersedence settings on the Supersedence Rules page of the wizard or on the Supersedence
Rules tab in Software Update Point Component Properties. You can configure the supersedence rules only on
the top-level site. You can also specify the supersedence rules behavior for feature updates separately from
non-feature updates.
On this page, you can specify when superseded software updates are expired in Configuration Manager, which
prevents them from being included in new deployments and flags the existing deployments to indicate that the
superseded software updates contain one or more expired software updates. You can specify a period of time
before the superseded software updates are expired, which allows you to continue to deploy them. For more
information, see Supersedence rules.
The default setting is to wait 3 months before expiring a superseded update. The 3 month default is to give you
time to verify the update is no longer needed by any of your client computers. It's recommended that you don't
assume that superseded updates should be immediately expired in favor of the new, superseding update. You
can display a list of the software updates that supersede the software update on the Supersedence
Information tab in the software update properties.

NOTE
The Supersedence Rules page of the wizard is available only when you configure the first software update point at the
site. This page is not displayed when you install additional software update points.

Classifications
Configure the classifications settings on the Classifications page of the wizard, or on the Classifications tab
in Software Update Point Component Properties. For more information about software update classifications,
see Update classifications.

NOTE
The Classifications page of the wizard is available only when you configure the first software update point at the site.
This page is not displayed when you install additional software update points.

TIP
When you first install the software update point on the top-level site, clear all of the software updates classifications. After
the initial software updates synchronization, configure the classifications from an updated list, and then re-initiate
synchronization. This setting is configured only on the software update point at the top-level site.

Products
Configure the product settings on the Products page of the wizard, or on the Products tab in Software Update
Point Component Properties.

NOTE
The Products page of the wizard is available only when you configure the first software update point at the site. This
page is not displayed when you install additional software update points.

TIP
When you first install the software update point on the top-level site, clear all of the products. After the initial software
updates synchronization, configure the products from an updated list, and then re-initiate synchronization. This setting is
configured only on the software update point at the top-level site.

Languages
Configure the language settings on the Languages page of the wizard, or on the Languages tab in Software
Update Point Component Properties. Specify the languages for which you want to synchronize software update
files and summary details. The Software Update File setting is configured at each software update point in the
Configuration Manager hierarchy. The Summary Details settings are configured only on the top-level software
update point. For more information, see Languages.
NOTE
The Languages page of the wizard is available only when you install the software update point at the central
administration site. You can configure the Software Update File languages at child sites from the Languages tab in
Software Update Point Component Properties.

Third party updates


Beginning in Configuration Manager version 1802, you can enable third party updates for Configuration
Manager clients. When you Enable third party software updates in the SUP component properties, the SUP will
download the signing certificate used by WSUS for third party updates. This option is not available during install
of the software update point, and should be configured after the SUP is installed. To enable the client settings for
third party updates, see the About client settings article.

Next steps
You installed the software update point starting at the top-most site in your Configuration Manager hierarchy.
Repeat the procedures in this article to install the software update point on child sites.
Once you have your software update points installed, go to synchronize software updates.
Synchronize software updates
9/17/2021 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Software update synchronization in Configuration Manager is the process of retrieving the software update
metadata that meets the criteria that you configure. This includes specific products, classifications, and
languages. Typically, the software update point on the central administration site, or on a stand-alone primary
site, retrieves the metadata from Microsoft Update. Then, the top-level site will send a synchronization request
to other sites. When a site receives the synchronization request from the parent site, the software update point
for the site retrieves software updates metadata from its upstream synchronization source. For more
information about software update synchronization process, see Software updates synchronization.
You configure software update synchronization to run on a schedule in the properties for the software update
point at the top-level site. Once you configure the synchronization schedule, you'll typically not change the
schedule as part of normal operations. However, you can manually initiate software update synchronization
when it's necessary.

NOTE
Software update points must be connected to their upstream synchronization source to synchronize software updates.
When a software update point is disconnected from its upstream synchronization source, you can use the export and
import method to synchronize software updates. For more information, see Synchronize software updates from a
disconnected software update point.

Schedule software updates synchronization


When you configure a schedule for software updates synchronization, the top-level software update point starts
synchronization with Microsoft Update at the scheduled date and time. The custom schedule allows you to
synchronize software updates on a date and time when the demands of the Windows Server Update Services
(WSUS) server, site server, and network are low. For example, you can set the schedule so that software updates
are synchronized every week at 2:00 AM. During the scheduled synchronization, all changes to the software
updates metadata since the last scheduled synchronization are inserted into the site database. This includes new
software updates metadata or metadata that has been modified, removed, or is now expired.
Use the following procedures on the top-level site to schedule software updates synchronization.
To schedule software updates synchronization
1. In the Configuration Manager console, click Administration .
2. In the Administration workspace, expand Site Configuration , and then click Sites .
3. In the results pane, click the central administration site or stand-alone primary site.
4. On the Home tab, in the Settings group, expand Configure Site Components , and then click
Software Update Point .
5. In the Software Update Point Component Properties dialog box, select Enable synchronization on a
schedule , and then specify the synchronization schedule.

Manually start software updates synchronization


You can manually initiate software updates synchronization on the top-level site in the Configuration Manager
console from the All Software Updates node in the Software Library workspace.
Use the following procedures on the top-level site to manually initiate software updates synchronization.
To manually start software updates synchronization
1. In the Configuration Manager console that is connected to the central administration site or stand-alone
primary site, click Software Library.
2. In the Software Library workspace, expand Software Updates and click All Software Updates or
Software Update Groups .
3. On the Home tab, in the All Software Updates group, click Synchronize Software Updates . Click
Yes in the dialog box to confirm that you want to initiate the synchronization process.
After you initiate the synchronization process on the software update point, you can monitor the
synchronization process from the Configuration Manager console for all software update points in your
hierarchy. Use the following procedure to monitor the software updates synchronization process.

Monitor software updates synchronization


After you initiate the synchronization process, you can use the Configuration Manager console to monitor the
process for all software update points in your hierarchy. Use the following procedure to monitor the software
update synchronization process. For more information about monitoring software updates, including the
synchronization process, see Monitor software updates.
To monitor the software updates synchronization process
1. In the Configuration Manager console, click Monitoring .
2. In the Monitoring workspace, click Software Update Point Synchronization Status .
The software update points in your Configuration Manager hierarchy are displayed in the results pane.
From this view, you can monitor the synchronization status for all software update points. When you
want more detailed information about the synchronization process, you can review the wsyncmgr.log file
that is located in <ConfigMgrInstallationPath>\Logs on each site server.
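The three console procedures above (start a synchronization, watch the Software Update Point Synchronization Status node, then read wsyncmgr.log) can be scripted. The following is an added example, not code from the Configuration Manager documentation or product. It assumes the ConfigurationManager PowerShell module installed with the console is present (SMS_ADMIN_UI_PATH is set), that the site code is 'PS1', and that the default installation path is used; the log lines embedded in it are constructed in CMTrace format to stand in for wsyncmgr.log, not real output.

```powershell
# Added example, not code from the Configuration Manager documentation or product.
# Assumptions: the ConfigurationManager module installed with the console is present,
# the site code is 'PS1', and the sample log lines below are constructed (CMTrace format).

function Start-SupSynchronization {
    # Console equivalent of "Synchronize Software Updates", followed by the
    # "Software Update Point Synchronization Status" view for every SUP in the hierarchy.
    param(
        [Parameter(Mandatory)] [string] $SiteCode,
        [bool] $FullSync = $false
    )
    Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
    Push-Location "${SiteCode}:"
    try {
        Sync-CMSoftwareUpdate -FullSync $FullSync
        Get-CMSoftwareUpdateSyncStatus |
            Select-Object WSUSServerName, LastSyncState, LastSyncStateTime, LastSyncErrorCode
    } finally {
        Pop-Location
    }
}

function Get-WsyncMgrProblems {
    # Returns warnings (type 2) and errors (type 3) from CMTrace-formatted lines:
    # <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">
    param([Parameter(Mandatory)] [string[]] $LogLines)
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"[^>]*\btype="(?<type>\d)"'
    foreach ($line in $LogLines) {
        if ($line -match $pattern -and [int]$Matches.type -ge 2) {
            [pscustomobject]@{
                Date     = $Matches.date
                Time     = $Matches.time
                Severity = if ($Matches.type -eq '3') { 'Error' } else { 'Warning' }
                Message  = $Matches.msg
            }
        }
    }
}

# Constructed sample lines (not real wsyncmgr.log output): one normal entry, one warning, one error.
$sampleLog = @(
    '<![LOG[Sync time: 0d00h03m12s]LOG]!><time="02:03:12.001+000" date="09-17-2021" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="wsyncmgr.cpp:100">',
    '<![LOG[Skipped update 00000000-0000-0000-0000-000000000001 (constructed): expired]LOG]!><time="02:03:14.002+000" date="09-17-2021" component="SMS_WSUS_SYNC_MANAGER" context="" type="2" thread="4120" file="wsyncmgr.cpp:200">',
    '<![LOG[Sync failed (constructed message). Will retry in 60 minutes]LOG]!><time="02:05:00.003+000" date="09-17-2021" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4120" file="wsyncmgr.cpp:300">'
)
Get-WsyncMgrProblems -LogLines $sampleLog | Format-Table -AutoSize

# On a site server, read the real log from the path named above (default install location assumed):
# Get-WsyncMgrProblems -LogLines (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log' -Tail 500)
# Start-SupSynchronization -SiteCode 'PS1'
```

Running the parser over the constructed lines returns the warning and the error rows only; the informational entry is filtered out. The same function works on the live log because CMTrace lines carry the severity in the type attribute, so an operator can alert on repeated type 3 entries instead of opening the file by hand.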

Import updates from the Microsoft Update Catalog


The top-level software update point uses WSUS to get information about software updates from Microsoft into
Configuration Manager. Occasionally, you might need an update that doesn't automatically synchronize into
WSUS for your selected products and classifications but is available in the Microsoft Update Catalog. Updates
that don't automatically synchronize into WSUS are typically meant to resolve highly specific issues. Usually, if
an update is available in the catalog, you can import it into WSUS. You can then synchronize it into
Configuration Manager and deploy it like any other update.
To import an update from the Microsoft Update Catalog
1. Open the WSUS administration console and connect it to the top-level WSUS server in your hierarchy.
If Internet Explorer isn't the computer's default web browser, temporarily set it as the default.
2. Click Updates or click your WSUS server's name.
3. In the Actions pane, select Import Updates..., which opens a browser window to the Microsoft Update
Catalog.
4. If prompted, install the Microsoft Update Catalog ActiveX control. The control must be installed to import
updates into WSUS.
5. In the browser window, search for the update that you want. Click the Add button to add it to the basket.
6. Click view basket. Make sure that the option to Import directly into Windows Server Update
Services is selected. Then, click Import.
7. Once the import is complete, click Close on the browser window. Reset your default browser if needed.
8. Synchronize your Configuration Manager software update point.

Next steps
After you synchronize software updates for the first time, or after there are new classifications or products
available, you must configure the new classifications and products to synchronize software updates with the
new criteria.
After you synchronize software updates with the criteria that you need, manage settings for software updates.
Configure classifications and products to synchronize
9/17/2021 • 11 minutes to read

Applies to: Configuration Manager (current branch)


Software updates metadata is retrieved during the synchronization process in Configuration Manager based on
the settings that you specify in the Software Update Point component properties. After you synchronize
software updates for the first time, or when new products and classifications are released, you must go to the
properties to select the new items. Use the following procedure to configure classifications and products to
synchronize.

NOTE
Use the procedure from this section only on the top-level site.

To configure classifications and products to synchronize


1. In the Configuration Manager console, navigate to Administration > Site Configuration > Sites.
2. Select the central administration site or the stand-alone primary site.
3. On the Home tab, in the Settings group, click Configure Site Components, and then click Software
Update Point.
4. On the Classifications tab, specify the software update classifications for which you want to synchronize
software updates.
Every software update is defined with an update classification that helps to organize the different types of
updates. During the synchronization process, the software updates metadata for the specified
classifications is synchronized. Configuration Manager provides the ability to synchronize software
updates with the following update classifications:
Critical Updates: Specifies a widely released fix for a specific problem that addresses a critical,
non-security-related bug.
Definition Updates: Specifies a widely released and frequent software update that contains
additions to a product's definition database.
Feature Packs: Specifies new product functionality that is first distributed outside of a product
release and that's typically included in the next full product release.
Security Updates: Specifies a widely released fix for a product-specific, security-related vulnerability.
Service Packs: Specifies a tested, cumulative set of all hotfixes, security updates, critical updates, and
updates that are applied to a product. Additionally, service packs may contain additional fixes for
problems that are found internally since the release of the product.
Tools: Specifies a utility or feature that helps to complete one or more tasks.
Update Rollups: Specifies a tested, cumulative set of hotfixes, security updates, critical updates, and
updates that are packaged together for easy deployment. An update rollup generally addresses a
specific area, such as a security or product component.
Updates: Specifies a widely released fix for a specific problem. An update addresses a non-critical,
non-security-related bug.
Upgrade: Specifies an upgrade for Windows 10 features and functionality. These updates are also
known as feature updates for Windows 10 operating systems. Your software update points and sites
must run a minimum of WSUS 6.2 with the hotfix 3095113 to get the Upgrade classification. For
more information about installing this update and other updates for Upgrades, see Prerequisites for
software updates.

NOTE
You can select the Include Microsoft Surface drivers and firmware updates checkbox to synchronize
Microsoft Surface drivers. All software update points must run Windows Server 2016 or later to successfully
synchronize Surface drivers. If you enable a software update point on a computer running Windows Server 2012
after you enable Surface drivers, the scan results for the driver updates are not accurate. This results in incorrect
compliance data displayed in the Configuration Manager console and in Configuration Manager reports. For more
information, see Manage Surface drivers with Configuration Manager.

5. On the Products tab, specify the products for which you want to synchronize software updates, and then
click Close.
Configuration Manager stores a list of products and product families from which you can choose
when you first install the software update point. Products and product families that are released
after Configuration Manager is released might not be available to select until you complete
software updates synchronization, which updates the list of available products and product
families from which you can choose.
The metadata for each software update defines the products for which the update is applicable. A
product is a specific edition of an operating system or application, such as Windows Server 2012.
A product family is the base operating system or application from which the individual products
are derived. An example of a product family is Windows, of which Windows Server 2012 is a
member. You can specify a product family or individual products within a product family. The more
products that you select, the longer it takes to synchronize software updates.
When software updates are applicable to multiple products, and at least one of the products was
selected for synchronization, all of the products appear in the Configuration Manager console even
if some products weren't selected. For example, if Windows Server 2012 is the only operating
system that you selected, and if a software update applies to Windows 8 and Windows Server
2012, both products are displayed in the Configuration Manager console.

NOTE
Windows 10, version 1903 and later was added to Microsoft Update as its own product rather than being
part of the Windows 10 product like earlier versions. This change required a number of manual steps to
ensure that your clients see these updates. We've helped reduce the number of manual steps you have to take for
the new product in Configuration Manager version 1906.
When you update to Configuration Manager version 1906 and have the Windows 10 product selected for
synchronization, the following actions occur automatically:
The Windows 10, version 1903 and later product is added for synchronization.
Automatic Deployment Rules containing the Windows 10 product will be updated to include Windows 10,
version 1903 and later.
Servicing plans are updated to include the Windows 10, version 1903 and later product.

Configuring products for versions of Windows 10


Windows 10, version 1909
Windows 10, version 1909 shares a common core operating system with Windows 10, version 1903. Both of
these versions are serviced with the same cumulative updates. For more information about Windows 10,
version 1909, see the Windows 10, version 1909 delivery options blog post.
To make sure both your Windows 10, version 1909 and Windows 10, version 1903 clients install updates from
Configuration Manager:
Approve updates for both the 1909 and 1903 versions of Windows 10.
The updates have different titles and applicability rules for each OS version.
Approving each update per version and architecture of the OS maintains the normal approval process
for admins.
The cumulative update installation files are the same for both the 1909 and 1903 versions of Windows 10.
Configuration Manager will only download the update source files once.
Feature Updates for Windows 10, version 1909
When you approve feature updates for Windows 10, version 1909, there are a few different options you'll see:
Windows 10, version 1903 clients are offered an Enablement Package, released November 12, 2019.
The enablement package is a small, quick-to-install file that activates the Windows 10, version
1909 features and restarts the device.
Prerequisites for the enablement package include:
A minimum cumulative update of KB4517389, released October 8, 2019.
A minimum servicing stack update of KB4520390, released September 24, 2019.
This update, like any other Feature Update, isn't available for import from
https://catalog.update.microsoft.com.
The update will automatically synchronize with WSUS if you have the Windows 10, version
1903 and later product and Upgrades classification selected for synchronization.
In the Configuration Manager console, go to the Software Library workspace, expand Windows
10 Servicing, and select the All Windows 10 Updates node. Search for the terms
"enablement" or "4517245".

TIP
Since these are feature updates, they aren't in the All Software Updates node.

Windows 10, version 1809 and earlier clients are upgraded with a single direct feature update.
This is just like all other previous installations for Feature Updates that you've done for Windows 10.

NOTE
Both the enablement package and the traditional feature update for Windows 10, version 1909 will show as "Installed" in
reporting, regardless of which path was used to install it.
Windows 10, version 1903 and later


Windows 10, version 1903 and later was added to Microsoft Update as its own product rather than being
part of the Windows 10 product like earlier versions. This change required a number of manual steps
to ensure that your clients see these updates. We've helped reduce the number of manual steps you have to take
for the new product in Configuration Manager version 1906.
Windows 10, version 1903 and later with Configuration Manager version 1906
When you update to Configuration Manager version 1906 and have the Windows 10 product selected for
synchronization, the following actions occur automatically:
The Windows 10, version 1903 and later product is added for synchronization.
Automatic Deployment Rules containing the Windows 10 product will be updated to include Windows 10,
version 1903 and later.
Servicing plans are updated to include the Windows 10, version 1903 and later product.
Windows 10, version 1903 and later with Configuration Manager version 1902
If you are using Configuration Manager 1902 with Windows 10, version 1903 clients, you'll need to:
Select the Windows 10, version 1903 and later product for synchronization.
Update any Automatic Deployment Rules for Windows 10, version 1903 clients.
Update Servicing plans for Windows 10, version 1903 clients.

Windows Insider Program


Starting in September 2019, you can service and update devices running Windows Insider Preview builds with
Configuration Manager. This change means you can manage these devices without changing your normal
processes or enabling Windows Update for Business. You can download Feature Updates and Cumulative
Updates for Windows Insider Preview builds into Configuration Manager just like any other Windows 10 update
or upgrade. For more information, see the Publishing pre-release Windows 10 Feature Updates to WSUS blog
post.
For more information about support for Windows Insider in Configuration Manager, see Support for Windows
10.
Prerequisites
Configuration Manager version 1906 or higher, configured for software update management.
Windows 10 devices running Windows Insider Preview build.
A collection containing the Windows Insider devices.
Enable Windows Insider upgrades and updates
You need to enable the products and classifications for Windows Insider upgrades and updates. Feature
Updates, Cumulative updates, and other updates for Windows Insider are under the Windows Insider Pre-
Release product category.
1. In the Configuration Manager console, navigate to Administration > Site Configuration > Sites .
2. Select the central administration site or the stand-alone primary site.
3. On the Home tab, in the Settings group, click Configure Site Components , and then click Software
Update Point .
4. On the Products tab, make sure the following products are selected for synchronization:
Windows Insider Pre-Release
Windows 10, version 1903 and later
5. On the Classifications tab, make sure the following classifications are selected for synchronization:
Upgrades
Security Updates
Updates (optional)
6. Click OK to close the Software Update Point Component Properties.
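The Software Update Point Component Properties dialog used here, in the classifications and products procedure earlier in this article, and in the synchronization schedule procedure at the start of this page, is the same site component, so one script can set all three. The following is an added example, not code from the Configuration Manager documentation or product. It assumes the ConfigurationManager module installed with the console is present, that 'PS1' is the site code of the central administration site or stand-alone primary site, that the product and classification strings match the names shown in the Products and Classifications tabs (the names used are the ones this article lists), and that Get-CMSoftwareUpdateCategory returns the subscribed categories with an IsSubscribed property for read-back.

```powershell
# Added example, not code from the Configuration Manager documentation or product.
# Assumptions: site code 'PS1' is the CAS or stand-alone primary site; the
# ConfigurationManager module installed with the console is present; product and
# classification names match the Products and Classifications tabs.

function Set-SupSynchronizationSettings {
    param(
        [Parameter(Mandatory)] [string]   $SiteCode,
        [Parameter(Mandatory)] [string[]] $Classifications,
        [Parameter(Mandatory)] [string[]] $Products,
        [int] $SyncHour = 2
    )
    Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
    Push-Location "${SiteCode}:"
    try {
        # "Enable synchronization on a schedule": once a day at $SyncHour (procedure at the top of this page).
        $schedule = New-CMSchedule -Start (Get-Date -Hour $SyncHour -Minute 0 -Second 0) `
                                   -RecurInterval Days -RecurCount 1

        # Sync Schedule, Classifications and Products tabs of the component properties, set together.
        Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode `
            -EnableSynchronization $true -Schedule $schedule `
            -AddUpdateClassification $Classifications `
            -AddProduct $Products

        # Read back what is now subscribed so the change can be verified without the console
        # (assumed: category objects expose IsSubscribed and LocalizedCategoryInstanceName).
        $requested = $Classifications + $Products
        @('UpdateClassification', 'Product') |
            ForEach-Object { Get-CMSoftwareUpdateCategory -TypeName $_ } |
            Where-Object { $_.IsSubscribed -and $_.LocalizedCategoryInstanceName -in $requested } |
            Select-Object CategoryTypeName, LocalizedCategoryInstanceName, IsSubscribed
    } finally {
        Pop-Location
    }
}

# Windows Insider procedure above: Upgrades, Security Updates and (optionally) Updates,
# plus the two products it requires.
Set-SupSynchronizationSettings -SiteCode 'PS1' `
    -Classifications 'Upgrades', 'Security Updates', 'Updates' `
    -Products 'Windows 10, version 1903 and later', 'Windows Insider Pre-Release'
```

Run it only against the top-level site, as the NOTE above says; child primary sites inherit the selection. The read-back at the end is what you would compare against change tickets: a product or classification that appears subscribed but was never requested is worth investigating, because it widens what clients will scan for and what the site will download.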
Upgrading Windows Insider devices
Once the upgrades for Windows Insiders are synchronized, you can see them from Software Library >
Windows 10 Servicing > All Windows 10 Updates.
Deploy Feature Updates for Windows Insider to your target collection just like any other upgrade. However,
you'll want to keep the following items in mind when you're deploying these Feature Updates:
These upgrades will be applicable to all Windows 10 clients 1903 or earlier, with matching architecture,
edition, and language.
There are license terms; your deployment must accept the terms in order to install.
Consider using the thread priority in client settings.
Dynamic Update automatically installs critical updates, including the latest Cumulative Update, directly from
Microsoft Update. This behavior started with Feature Updates for Windows 10 version 1903.
You can explicitly disable Dynamic Update in client settings or with a setupconfig.ini file.
For more information, see the Windows 10 Dynamic Update blog post.
For more information on how to deploy upgrades, see Manage Windows as a service.
Keeping Insider devices up to date
Cumulative Updates for Windows Insider will be available for WSUS and by extension for Configuration
Manager. These Cumulative Updates will be released at a frequency similar to Windows 10 version 1903
Cumulative Updates. The Windows Insider Cumulative Updates are in the Windows Insider Pre-Release
product category and classified as either Security Updates or Updates. You can deploy the Cumulative
Updates for Windows Insider using your regular software update process, such as automatic deployment rules
or phased deployments.

Extended Security Updates and Configuration Manager


The Extended Security Updates (ESU) program is a last resort option for customers who need to run certain
legacy Microsoft products past the end of support. It includes Critical and/or Important security updates (as
defined by the Microsoft Security Response Center (MSRC)) for a maximum of three years after the product's
End of Extended Support date.
Products that are beyond their support lifecycle aren't supported for use with Configuration Manager. This
includes any products that are covered under the ESU program, for example, Windows 7. Security updates
released under the ESU program will be published to Windows Server Update Services (WSUS). These updates
will appear in the Configuration Manager console. While products that are covered under the ESU program are
no longer supported for use with Configuration Manager, the latest released version of Configuration Manager
current branch can be used to deploy and install Windows security updates released under the program. The
latest released version can also be used to deploy Windows 10 to devices running Windows 7.
Client management features not related to Windows software update management or OS deployment will no
longer be tested on the operating systems covered under the ESU program and we don't guarantee that they'll
continue to function. It's highly recommended to upgrade or migrate to a current version of the operating
systems as soon as possible to receive client management support.

TIP
Starting in Configuration Manager 2010, you'll be notified in-console about devices with operating systems that are past
the end of support date and that are no longer eligible to receive security updates. For more information, see Console
notifications. This information is provided for your convenience and only for use internally within your company. You
should not solely rely on this information to confirm update or license compliance. Be sure to verify the accuracy of the
information provided to you.
Next steps
Start software updates synchronization to retrieve software updates based on the new criteria. For more
information, see Synchronize software updates.
Manage settings for software updates
9/17/2021 • 10 minutes to read

Applies to: Configuration Manager (current branch)


After you synchronize software updates in Configuration Manager, configure and verify the settings in the
following sections.

Client settings for software updates


After you install the software update point, the software updates feature is enabled on clients by default, and the settings on
the Software Updates page in client settings have default values. The client settings are used site-wide and
affect when software updates are scanned for compliance, and how and when software updates are installed on
client computers. Before you deploy software updates, verify that the client settings are appropriate for software
updates at your site.

IMPORTANT
The Enable software updates on clients setting is enabled by default. If you clear this setting, Configuration
Manager removes the existing deployment policies from the client.
Beginning with the September 2020 cumulative update, HTTP-based WSUS servers will be secure by default. A
client scanning for updates against an HTTP-based WSUS will no longer be allowed to leverage a user proxy by
default. If you still require a user proxy despite the security trade-offs, a new software updates client setting is
available to allow these connections. For more information about the changes for scanning WSUS, see September
2020 changes to improve security for Windows devices scanning WSUS. To ensure that the best security protocols
are in place, we highly recommend that you use the TLS/SSL protocol to help secure your software update
infrastructure.

For information about how to configure client settings, see How to configure client settings.
For more information about the client settings, see About client settings.

Group policy settings for software updates


There are specific group policy settings that are used by the Windows Update Agent (WUA) on client computers to
connect to WSUS that runs on the software update point. These group policy settings are also used to
successfully scan for software update compliance, and to automatically update the software updates and the
WUA.
Specify Intranet Microsoft Update Service Location local policy
When the software update point is created for a site, clients receive a machine policy that provides the software
update point server name and configures the Specify intranet Microsoft update service location local
policy on the computer. The WUA retrieves the server name that is specified in the Set the intranet update
service for detecting updates setting, and then it connects to this server when it scans for software updates
compliance. When a domain policy is created for the Specify intranet Microsoft update service location
setting, it overrides the local policy, and the WUA might connect to a server other than the software update
point. If this happens, the client might scan for software update compliance based on different products,
classifications, and languages. Therefore, you should not configure the Active Directory policy for client
computers.
Allow Signed Content from Intranet Microsoft Update Service Location group policy
You must enable the Allow signed content from intranet Microsoft update service location Group
Policy setting before the WUA on computers will scan for software updates that were created and published
with System Center Updates Publisher. When the policy setting is enabled, WUA will accept software updates
that are received through an intranet location if the software updates are signed by a certificate in the Trusted
Publishers certificate store on the local computer. For more information about the Group Policy settings that are
required for Updates Publisher, see Updates Publisher 2011 Documentation Library.
Automatic updates configuration
Automatic Updates allows security updates and other important downloads to be received on client computers.
Automatic Updates is configured through the Configure Automatic Updates Group Policy setting or through
the Control Panel on the local computer. When Automatic Updates is enabled, client computers will receive
update notifications and, depending on the configured settings, the client computers will download and install
the required updates. When Automatic Updates coexists with software updates, each client computer might
display notification icons and pop-up notifications for the same update. Also, when a restart is required,
each client computer might display a restart dialog box for the same update.
Self Update
When Automatic Updates is enabled on client computers, the WUA automatically performs a self-update when a
newer version becomes available or when there are problems with a WUA component. When Automatic
Updates is not configured or is disabled, and client computers have an earlier version of the WUA, the client
computers must run the WUA installation file.
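The failure mode this section warns about, a domain policy for the intranet update service location silently overriding the local policy the Configuration Manager client wrote, is visible on the client in the effective Windows Update policy values. The following is an added example, not code from the Configuration Manager documentation or product, that reads those values (the WindowsUpdate policy key's WUServer, WUStatusServer and AcceptTrustedPublisherCerts values and the AU subkey's UseWUServer value) and reports anything that disagrees with the expected software update point. The server names 'sup01.contoso.com' and 'legacy-wsus.contoso.com' and the ports are placeholder assumptions; the second input is a constructed policy so the check runs offline.

```powershell
# Added example, not code from the Configuration Manager documentation or product.
# Assumptions: the expected software update point URL is a placeholder
# ('https://sup01.contoso.com:8531'); the constructed policy below stands in for a
# client where a domain GPO has overridden the local policy.

function Get-WuaPolicy {
    # Effective Windows Update Agent policy, whether it came from the local policy the
    # Configuration Manager client set or from a domain GPO that overrode it.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $props = Get-ItemProperty -Path $wu       -ErrorAction SilentlyContinue
    $au    = Get-ItemProperty -Path "$wu\AU"  -ErrorAction SilentlyContinue
    @{
        WUServer                    = $props.WUServer
        WUStatusServer              = $props.WUStatusServer
        AcceptTrustedPublisherCerts = $props.AcceptTrustedPublisherCerts
        UseWUServer                 = $au.UseWUServer
    }
}

function Test-WuaPolicy {
    param(
        [Parameter(Mandatory)] [string] $ExpectedSupUrl,
        # Hashtable of policy values; defaults to the live registry on this client.
        [hashtable] $Policy = (Get-WuaPolicy)
    )
    $findings = @()

    if (-not $Policy.WUServer) {
        $findings += 'No intranet update service location is set; the WUA will scan against Microsoft Update.'
    } elseif ($Policy.WUServer.TrimEnd('/') -ne $ExpectedSupUrl.TrimEnd('/')) {
        # The case described in the text: a domain policy pointing at a different server,
        # so compliance is assessed against another server's products, classifications and languages.
        $findings += "WUServer is '$($Policy.WUServer)' but the software update point is '$ExpectedSupUrl'; a domain policy is probably overriding the local policy."
    }
    if ($Policy.WUServer -and $Policy.WUServer -notmatch '^https://') {
        $findings += 'WUServer uses HTTP; scan traffic is not protected by TLS/SSL.'
    }
    if ($Policy.WUStatusServer -and $Policy.WUStatusServer -ne $Policy.WUServer) {
        $findings += 'WUStatusServer differs from WUServer; scan results are reported somewhere else.'
    }
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1; the WUA ignores WUServer entirely.'
    }
    if ($Policy.AcceptTrustedPublisherCerts -ne 1) {
        $findings += 'AcceptTrustedPublisherCerts is not 1; updates published with Updates Publisher will not be scanned for.'
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed policy (not read from a real client): a domain GPO sends the agent to an
# HTTP-only server and the signed-content policy is off.
$constructedPolicy = @{
    WUServer                    = 'http://legacy-wsus.contoso.com:8530'
    WUStatusServer              = 'http://legacy-wsus.contoso.com:8530'
    UseWUServer                 = 1
    AcceptTrustedPublisherCerts = 0
}
Test-WuaPolicy -ExpectedSupUrl 'https://sup01.contoso.com:8531' -Policy $constructedPolicy

# Live check on this client (run elevated so the policy key is readable):
# Test-WuaPolicy -ExpectedSupUrl 'https://sup01.contoso.com:8531'
```

With the constructed input the result is not compliant and lists three findings: the server mismatch, the HTTP scheme, and the disabled signed-content policy. Because the same registry values are written by either source, the check cannot say which policy wrote them; a mismatch against the site's known software update point is the signal that a domain GPO is in play, which is exactly why the text tells you not to configure that Active Directory policy for clients.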

Software updates properties


The software update properties provide information about software updates and associated content. You can
also use these properties to configure settings for software updates. When you open the properties for multiple
software updates, only the Maximum Run Time and Custom Severity tabs are displayed.
Use the following procedure to open software update properties.
To open software update properties
1. In the Configuration Manager console, click Software Library.
2. In the Software Library workspace, expand Software Updates, and click All Software Updates.
3. Select one or more software updates, and then, on the Home tab, click Properties in the Properties
group.

NOTE
On the All Software Updates node, Configuration Manager displays only the software updates that have a
Critical and Security classification and that have been released in the last 30 days.

Review software updates information


In software update properties, you can review detailed information about a software update. The detailed
information is not displayed when you select more than one software update. The following sections describe
the information that is available for a selected software update.
Software update details
In the Update Details tab, you can view the following summary information about the selected software
update:
Bulletin ID: Specifies the bulletin ID that is associated with security software updates. You can find security
bulletin details by searching on the bulletin ID on the Microsoft Security Response Center webpage.

NOTE
The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and
included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation,
including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the
new guide pivots on vulnerability ID numbers and KB Article ID numbers. For more information, see the Security Update
Guide FAQs.

Article ID: Specifies the article ID for the software update. The referenced article provides more detailed
information about the software update and the issue that the software update fixes or improves.
Date revised : Specifies the date that the software update was last modified.
Maximum severity rating : Specifies the vendor-defined severity rating for the software update.
Description : Provides an overview of what condition the software update fixes or improves.
Applicable languages : Lists the languages for which the software update is applicable.
Affected products : Lists the products for which the software update is applicable.
Content information
In the Content Information tab, review the following information about the content that is associated with the
selected software update:
Content ID : Specifies the content ID for the software update.
Downloaded : Indicates whether Configuration Manager has downloaded the software update files.
Language : Specifies the languages for the software update.
Source Path : Specifies the path to the software update source files.
Size (MB) : Specifies the size of the software update source files.
Custom bundle information
In the Custom Bundle Information tab, review the custom bundle information for the software update. When
the selected software update contains bundled software updates that are contained in the software update file,
they are displayed in the Bundle information section. This tab does not display bundled software updates that
are displayed in the Content Information tab, such as update files for different languages.
Supersedence information
On the Supersedence Information tab, you can view the following information about the supersedence of the
software update:
This update has been superseded by the following updates : Specifies the software updates that
supersede this update, which means that the updates listed are newer. In most cases, you will deploy one
of the software updates that supersedes the software update. The software updates that are displayed in
the list contain hyperlinks to webpages that provide more information about the software updates. When
this update is not superseded, None is displayed.
This update supersedes the following updates : Specifies the software updates that are superseded
by this software update, which means this software update is newer. In most cases, you will deploy this
software update to replace the superseded software updates. The software updates that are displayed in
the list contain hyperlinks to web pages that provide more information about the software updates.
When this update does not supersede any other update, None is displayed.
Configure software updates settings
In the properties, you can configure software update settings for one or more software updates. You can
configure most software update settings only at the central administration site or stand-alone primary site. The
following sections will help you to configure settings for software updates.
Set maximum run time
In the Maximum Run Time tab, set the maximum amount of time a software update is allotted to complete on
client computers. If the update takes longer than the maximum run-time value, Configuration Manager creates a
status message and stops the software updates installation. You can configure this setting only on the central
administration site or a stand-alone primary site.
Configuration Manager also uses this setting to determine whether to initiate the software update installation
within a configured maintenance window. If the maximum run-time value is greater than the available
remaining time in the maintenance window, the software updates installation is postponed until the start of the
next maintenance window. When there are multiple software updates to be installed on a client computer with a
configured maintenance window (timeframe), the software update with the lowest maximum run time installs
first, then the software update with the next lowest maximum run time installs next, and so on. Before it installs
each software update, the client verifies that the available maintenance window will provide enough time to
install the software update. After a software update starts installing, it will continue to install even if the
installation goes beyond the end of the maintenance window. For more information about maintenance
windows, see How to use maintenance windows.
On the Maximum Run Time tab, you can view and configure the following settings:
Maximum run time : Specifies the maximum number of minutes allotted for a software update installation
to complete before the installation is stopped by Configuration Manager. This setting is also used to
determine whether there is enough available time remaining to install the update before the end of a
maintenance window. The default setting is 60 minutes for service packs. For other software update types,
the default is 10 minutes if you did a fresh install of Configuration Manager version 1511 or higher and 5
minutes when you upgraded from a previous version. Values can range from 5 to 9999 minutes.

IMPORTANT
Be sure to set the maximum run time value smaller than the configured maintenance window time or increase the
maintenance window time to a value greater than the maximum run time. Otherwise, the software update installation will
never initiate.
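The ordering rule described above (lowest maximum run time first, check remaining window time before each update, let a started update run past the window end, and never start an update whose maximum run time exceeds the window) is easy to get wrong when sizing windows, so here it is as a small simulation. This is an added example, not code from the Configuration Manager documentation or product; the update names and minute values are constructed, and it assumes the worst case that each update consumes its full maximum run time when deciding how much of the window is left.

```powershell
# Added example, not code from the Configuration Manager documentation or product.
# Simulates the maintenance-window rule described in the text. Assumption: each update
# is budgeted at its full Maximum run time when computing remaining window time.

function Get-MaintenanceWindowPlan {
    param(
        [Parameter(Mandatory)] [int]      $WindowMinutes,
        # Objects with Name and MaxRunTime (minutes), as shown on the Maximum Run Time tab.
        [Parameter(Mandatory)] [object[]] $Updates
    )
    $installed = @(); $postponed = @(); $neverRuns = @()
    $elapsed = 0

    # The update with the lowest maximum run time installs first, then the next lowest, and so on.
    foreach ($u in ($Updates | Sort-Object MaxRunTime)) {
        if ($u.MaxRunTime -gt $WindowMinutes) {
            # Longer than the whole window: the IMPORTANT note's case, it never initiates.
            $neverRuns += $u.Name
            continue
        }
        $remaining = $WindowMinutes - $elapsed
        if ($u.MaxRunTime -le $remaining) {
            # Enough time is left before the window ends, so the installation starts; once
            # started it may run past the end, which is why the budget is the full run time.
            $installed += $u.Name
            $elapsed   += $u.MaxRunTime
        } else {
            # Not enough time left: postponed until the start of the next maintenance window.
            $postponed += $u.Name
        }
    }

    [pscustomobject]@{
        WindowMinutes         = $WindowMinutes
        Installed             = $installed
        PostponedToNextWindow = $postponed
        NeverInitiates        = $neverRuns
    }
}

# Constructed updates: two ordinary updates, one service pack at the 60-minute default,
# and one whose run time exceeds the window.
$updates = @(
    [pscustomobject]@{ Name = 'Update A (constructed)';        MaxRunTime = 10 },
    [pscustomobject]@{ Name = 'Update B (constructed)';        MaxRunTime = 5 },
    [pscustomobject]@{ Name = 'Service pack (constructed)';    MaxRunTime = 60 },
    [pscustomobject]@{ Name = 'Oversized update (constructed)'; MaxRunTime = 120 }
)
Get-MaintenanceWindowPlan -WindowMinutes 60 -Updates $updates | Format-List
```

For the constructed input and a 60-minute window, B and A start (15 minutes budgeted), the service pack is postponed because 60 minutes no longer fit in the remaining 45, and the 120-minute update is reported as never initiating. Rerunning with a 120-minute window shows the service pack starting in the same window, which is the practical argument for sizing the window from the largest maximum run time you deploy rather than from the average.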

Set custom severity


In the properties for a software update, you can use the Custom Severity tab to configure custom severity
values for the software updates. This may be necessary if the predefined severity values do not meet your
needs. The custom values are listed in the Custom Severity column in the Configuration Manager console. You
can sort the software updates by the defined custom severity values and can also create queries and reports
that can filter on these values. You can configure this setting only on the central administration site or stand-
alone primary site.
You can configure the following settings on the Custom Severity tab.
Custom severity: Sets a custom severity value for the software updates. Select Critical, Important,
Moderate, or Low from the list. By default, the custom severity value is empty.

CRL checking for software updates


By default, the certificate revocation list (CRL) is not checked when verifying the signature on Configuration
Manager software updates. Checking the CRL each time a certificate is used offers more security against using a
certificate that has been revoked, but it introduces a connection delay and incurs additional processing on the
computer performing the CRL check.
If used, CRL checking must be enabled on the Configuration Manager consoles that process software updates.
To enable CRL checking
On the computer performing the CRL check, from the product DVD, run the following from a command prompt:
\SMSSETUP\BIN\X64\<language>\UpdDwnldCfg.exe /checkrevocation
For example, for English (US) run \SMSSETUP\BIN\X64\00000409\UpdDwnldCfg.exe /checkrevocation
Tutorial: Configure a software update point to use TLS/SSL with a PKI certificate
9/17/2021 • 11 minutes to read

Applies to: Configuration Manager (current branch)


Configuring Windows Server Update Services (WSUS) servers and their corresponding software update points
(SUP) to use TLS/SSL may reduce the ability of a potential attacker to remotely compromise a client and elevate
privileges. To ensure that the best security protocols are in place, we highly recommend that you use the
TLS/SSL protocol to help secure your software update infrastructure. This article walks you through the steps
required to configure each of your WSUS servers and the software update point to use HTTPS. For more
information about securing WSUS, see the Secure WSUS with the Secure Sockets Layer Protocol article in the
WSUS documentation.
In this tutorial, you will:
Obtain a PKI certificate, if needed
Bind the certificate to the WSUS Administration website
Configure the WSUS web services to require SSL
Configure the WSUS application to use SSL
Verify the WSUS console connection can use SSL
Configure the software update point to require SSL communication to the WSUS server
Verify functionality with Configuration Manager

Considerations and limitations


WSUS uses TLS/SSL to authenticate client computers and downstream WSUS servers to the upstream WSUS
server. WSUS also uses TLS/SSL to encrypt update metadata. WSUS doesn't use TLS/SSL for an update's content
files. The content files are signed and the hash of the file is included in the update's metadata. Before the files are
downloaded and installed by the client, both the digital signature and hash are checked. If either check fails, the
update won't be installed.
Consider the following limitations when you use TLS/SSL to secure a WSUS deployment:
Using TLS/SSL increases the server workload. You should expect a small performance loss from encrypting
all the metadata that is sent over the network.
If you use WSUS with a remote SQL Server database, the connection between the WSUS server and the
database server isn't secured by TLS/SSL. If the database connection must be secured, consider the following
recommendations:
Move the WSUS database to the WSUS server.
Move the remote database server and the WSUS server to a private network.
Deploy Internet Protocol security (IPsec) to help secure network traffic.
When configuring WSUS servers and their software update points to use TLS/SSL, you may want to phase in the
changes for large Configuration Manager hierarchies. If you choose to phase in these changes, start at the
bottom of the hierarchy and move upwards ending with the central administration site.

Prerequisites
This tutorial covers the most common method to obtain a certificate for use with Internet Information Services
(IIS). Whichever method your organization uses, ensure that the certificate meets the PKI certificate
requirements for a Configuration Manager software update point. As with any certificate, the certificate
authority must be trusted by devices communicating with the WSUS server.
A WSUS server with the software update point role installed
Verify you've followed best practices on disabling recycling and configuring memory limits for WSUS before
enabling TLS/SSL.
One of the two following options:
An appropriate PKI certificate already in the WSUS server's Personal certificate store.
The ability to request and obtain an appropriate PKI certificate for the WSUS server from your
Enterprise root certificate authority (CA).
By default, most certificate templates including the WebServer certificate template will only
issue to Domain Admins. If the logged in user isn't a domain admin, their user account will
need to be granted the Enroll permission on the certificate template.

Obtain the certificate from the CA if needed


If you already have an appropriate certificate in the WSUS server's Personal certificate store, skip this section
and start with the Bind the certificate section. To send a certificate request to your internal CA to install a new
certificate, follow the instructions in this section.
1. From the WSUS server, open an administrative command prompt and run certlm.msc . Your user account
needs to be a local administrator to manage certificates for the local computer.
The Certificate Manager tool for the local device appears.
2. Expand Personal, then right-click on Certificates.
3. Select All Tasks then Request New Certificate.
4. Choose Next to begin certificate enrollment.
5. Choose the type of certificate to enroll. The certificate purpose is Server Authentication and the
Microsoft certificate template to use is Web Server or a custom template that has Server
Authentication specified as Enhanced Key Usage. You may be prompted for additional information to
enroll the certificate. Typically, you'll specify the following information at minimum:
Common name: Found on the Subject tab, set the value to the WSUS server's FQDN.
Friendly name: Found on the General tab, set the value to a descriptive name to help you identify
the certificate later.
6. Select Enroll then Finish to complete the enrollment.
7. Open the certificate if you want to see details about it such as the certificate's thumbprint.

TIP
If your WSUS server is internet facing, you'll need the external FQDN in the Subject or Subject Alternative Name (SAN) in
your certificate.

Bind the certificate to the WSUS Administration site


Once you have the certificate in the WSUS server's personal certificate store, bind it to the WSUS Administration
site in IIS.
1. On the WSUS server, open Internet Information Services (IIS) Manager.
2. Go to Sites > WSUS Administration .
3. Select Bindings from either the action menu or by right-clicking on the site.
4. In the Site Bindings window, select the line for https, then select Edit....
Don't remove the HTTP site binding. WSUS uses HTTP for the update content files.
5. Under the SSL certificate option, choose the certificate to bind to the WSUS Administration site. The
certificate's friendly name is shown in the drop-down menu. If a friendly name wasn't specified, then the
certificate's IssuedTo field is shown. If you're not sure which certificate to use, select View and verify the
thumbprint matches the one you obtained.
6. Select OK when you're done, then Close to exit the site bindings. Keep Internet Information Services (IIS)
Manager open for the next steps.

Configure the WSUS web services to require SSL


1. In IIS Manager on the WSUS server, go to Sites > WSUS Administration .
2. Expand the WSUS Administration site so you see the list of web services and virtual directories for WSUS.
3. For each of the below WSUS web services:
ApiRemoting30
ClientWebService
DSSAuthWebService
ServerSyncWebService
SimpleAuthWebService
Make the following changes:
a. Select SSL Settings.
b. Enable the Require SSL option.
c. Verify the Client certificates option is set to Ignore.
d. Select Apply.
Don't set the SSL settings at the top-level WSUS Administration site since certain functions, such as content,
need to use HTTP.

Configure the WSUS application to use SSL


Once the web services are set to require SSL, the WSUS application needs to be notified so it can do some
additional configuration to support the change.
1. Open an admin command prompt on the WSUS server. The user account running this command must be
a member of either the WSUS Administrators group or the local Administrators group.
2. Change directory to the tools folder for WSUS:
cd "c:\Program Files\Update Services\Tools"

3. Configure WSUS to use SSL with the following command:
WsusUtil.exe configuressl server.contoso.com
Where server.contoso.com is the FQDN of the WSUS server.
4. WsusUtil returns the URL of the WSUS server with the port number specified at the end. The port will be
either 8531 (default) or 443. Verify the URL returned is what you expected. If something was mistyped,
you can run the command again.

TIP
If your WSUS server is internet facing, specify the external FQDN when running WsusUtil.exe configuressl .

Verify the WSUS console can connect using SSL


The WSUS console uses the ApiRemoting30 web service for connection. The Configuration Manager software
update point (SUP) also uses this same web service to direct WSUS to take certain actions such as:
Initiating a software update synchronization
Setting the proper upstream server for WSUS, which is dependent on where the SUP's site resides in your
Configuration Manager hierarchy
Adding or removing products and classifications for synchronization from the hierarchy's top-level WSUS
server.
Removing expired updates
Open the WSUS console to verify you can use an SSL connection to the WSUS server's ApiRemoting30 web
service. We'll test some of the other web services later.
1. Open the WSUS console and select Action > Connect to Server.
2. Enter the FQDN of the WSUS server for the Server name option.
3. Choose the Port number returned in the URL from WSUSutil.
4. The Use Secure Sockets Layer (SSL) to connect to this server option automatically enables when
either 8531 (default) or 443 are chosen.

5. If your Configuration Manager site server is remote from the software update point, launch the WSUS
console from the site server and verify the WSUS console can connect over SSL.
If the remote WSUS console can't connect, it likely indicates a problem with either trusting the
certificate, name resolution, or the port being blocked.
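The binding, Require SSL and top-level-site rules from the preceding steps can be audited from PowerShell. The following script is an added example and is not part of the Microsoft documentation; it assumes the IIS WebAdministration module, the default site name WSUS Administration, the default port 8531, and an elevated session on the WSUS server. The function names are this example's own.

```powershell
# Added example (not from the Microsoft documentation): audit the IIS side of the
# WSUS TLS/SSL setup described in the steps above. Assumes the WebAdministration
# module that ships with IIS and an elevated session on the WSUS server.
Import-Module WebAdministration

$SiteName    = 'WSUS Administration'
$WebServices = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
               'ServerSyncWebService', 'SimpleAuthWebService'

# Read the sslFlags attribute of a site or application. IIS stores "Require SSL" as
# the Ssl flag and the client-certificate mode as SslNegotiateCert / SslRequireCert;
# "Ignore" means neither of those two flags is present.
function Get-SslFlags {
    param([string]$PSPath)
    $raw = Get-WebConfigurationProperty -PSPath $PSPath `
        -Filter 'system.webServer/security/access' -Name sslFlags
    $text = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
    return @($text -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' })
}

# Check the https binding and the certificate it points at against the PKI
# certificate requirements for a software update point.
function Test-WsusSslBinding {
    param([string]$ExpectedFqdn, [int]$Port = 8531)
    $findings = @()

    $https = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -like "*:${Port}:*" }
    if (-not $https) { return @("No https binding on port $Port for '$SiteName'") }

    # The HTTP binding must stay: WSUS serves the update content files over HTTP.
    if (-not (Get-WebBinding -Name $SiteName -Protocol http)) {
        $findings += 'HTTP binding is missing; content downloads will fail'
    }

    $thumb = $https.certificateHash
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $cert) { return $findings + "Bound certificate $thumb is not in LocalMachine\My" }

    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is what the Web Server template provides.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1') {
        $findings += "Certificate $thumb lacks the Server Authentication EKU"
    }
    # Subject or SAN must carry the name clients use (the external FQDN if internet facing).
    if ($cert.DnsNameList.Unicode -notcontains $ExpectedFqdn) {
        $findings += "Certificate $thumb does not name $ExpectedFqdn in Subject/SAN"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Certificate $thumb expires on $($cert.NotAfter)"
    }
    return $findings
}

# Each WSUS web service must require SSL and ignore client certificates, while the
# top-level site must not require SSL because the Content directory stays on HTTP.
function Test-WsusSslFlags {
    $findings = @()
    foreach ($svc in $WebServices) {
        $flags = Get-SslFlags -PSPath "IIS:\Sites\$SiteName\$svc"
        if ($flags -notcontains 'Ssl') { $findings += "$svc does not require SSL" }
        if ($flags -match 'SslNegotiateCert|SslRequireCert') {
            $findings += "$svc client certificate setting is not Ignore"
        }
    }
    $top = Get-SslFlags -PSPath "IIS:\Sites\$SiteName"
    if ($top -contains 'Ssl') {
        $findings += 'Top-level WSUS Administration site requires SSL; content over HTTP will break'
    }
    return $findings
}

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$all  = @(Test-WsusSslBinding -ExpectedFqdn $fqdn) + @(Test-WsusSslFlags)
if ($all.Count -eq 0) { 'WSUS IIS TLS/SSL configuration looks correct' } else { $all }
```

Pass -ExpectedFqdn explicitly when the certificate carries an external name that differs from the host's own FQDN.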

Configure the software update point to require SSL communication to the WSUS server
Once WSUS is set up to use TLS/SSL, you'll need to update the corresponding Configuration Manager software
update point to require SSL too. When you make this change, Configuration Manager will:
Verify it can configure the WSUS server for the software update point
Direct clients to use the SSL port when they're told to scan against this WSUS server.
To configure the software update point to require SSL communication to the WSUS server, do the following
steps:
1. Open the Configuration Manager console and connect to either your central administration site or the
primary site server for the software update point you need to edit.
2. Go to Administration > Overview > Site Configuration > Servers and Site System Roles.
3. Select the site system server where WSUS is installed, then select the software update point site system
role.
4. From the ribbon, choose Properties.
5. Enable the Require SSL communication to the WSUS server option.

6. In the WCM.log for the site, you'll see the following entries when you apply the change:
SCF change notification triggered.
Populating config from SCF
Setting new configuration state to 1 (WSUS_CONFIG_PENDING)
...
Attempting connection to local WSUS server
Successfully connected to local WSUS server
...
Setting new configuration state to 2 (WSUS_CONFIG_SUCCESS)

Log file examples have been edited to remove unneeded information for this scenario.

Verify functionality with Configuration Manager


Verify the site server can sync updates
1. Connect the Configuration Manager console to the top-level site.
2. Go to Software Library > Overview > Software Updates > All Software Updates.
3. From the ribbon, select Synchronize Software Updates .
4. Select Yes to the notification asking if you want to initiate a site-wide synchronization for software
updates.
Since the WSUS configuration changed, a full software updates synchronization will occur rather than
a delta synchronization.
5. Open the wsyncmgr.log for the site. If you're monitoring a child site, you'll need to wait for the parent
site to finish synchronization first. Verify that the server syncs successfully by reviewing the log for
entries similar to the following:

Starting Sync
...
Full sync required due to changes in main WSUS server location.
...
Found active SUP SERVER.CONTOSO.COM from SCF File.
...
https://SERVER.CONTOSO.COM:8531
...
Done synchronizing WSUS Server SERVER.CONTOSO.COM
...
sync: Starting SMS database synchronization
...
Done synchronizing SMS with WSUS Server SERVER.CONTOSO.COM

Verify a client can scan for updates


When you change the software update point to require SSL, Configuration Manager clients receive the updated
WSUS URL when they make a location request for a software update point. By testing a client, we can determine:
Whether the client trusts the WSUS server's certificate.
Whether the SimpleAuthWebService and the ClientWebService for WSUS are functional.
Whether the WSUS content virtual directory is functional, if the client happened to receive an EULA during the scan.
1. Identify a client that scans against the software update point recently changed to use TLS/SSL. Use Run
scripts with the below PowerShell script if you need help with identifying a client:
$Last = (Get-CIMInstance -Namespace "root\CCM\Scanagent" -Class "CCM_SUPLocationList").LastSuccessScanPath
$Current = (Get-CIMInstance -Namespace "root\CCM\Scanagent" -Class "CCM_SUPLocationList").CurrentScanPath
Write-Host "LastGoodSUP- $Last"
Write-Host "CurrentSUP- $Current"

TIP
Open this script in community hub. For more information, see Direct links to community hub items.

2. Run a software update scan cycle on your test client. You can force a scan with the following PowerShell
script:

Invoke-WMIMethod -Namespace root\ccm -Class SMS_CLIENT -Name TriggerSchedule "{00000000-0000-0000-0000-000000000113}"

TIP
Open this script in community hub. For more information, see Direct links to community hub items.

3. Review the client's ScanAgent.log to verify the message to scan against the software update point was
received.

Message received: '<?xml version='1.0' ?>
<UpdateSourceMessage MessageType='ScanByUpdateSource'>
<ForceScan>TRUE</ForceScan>
<UpdateSourceIDs>
<ID>{A1B2C3D4-1234-1234-A1B2-A1B2C3D41234}</ID>
</UpdateSourceIDs>
</UpdateSourceMessage>'

4. Review the LocationServices.log to verify that the client sees the correct WSUS URL.

WSUSLocationReply : <WSUSLocationReply SchemaVersion="1
...
<LocationRecord WSUSURL="https://SERVER.CONTOSO.COM:8531" ServerName="SERVER.CONTOSO.COM"
...
</WSUSLocationReply>

5. Review the WUAHandler.log to verify that the client can successfully scan.

Enabling WUA Managed server policy to use server: https://SERVER.CONTOSO.COM:8531
...
Successfully completed scan.

TLS certificate pinning for devices scanning HTTPS-configured WSUS servers
(Introduced in 2103)
Starting in Configuration Manager 2103, you can further increase the security of HTTPS scans against WSUS by
enforcing certificate pinning. To fully enable this behavior, add certificates for your WSUS servers to the new
WindowsServerUpdateServices certificate store on your clients and ensure certificate pinning is enabled through
Client Settings . For more information about the changes to the Windows Update Agent, see Scan changes and
certificates add security for Windows devices using WSUS for updates - Microsoft Tech Community.
Prerequisites for enforcing TLS certificate pinning for Windows Update client
Configuration Manager version 2103
Ensure your WSUS servers and software update points are configured to use TLS/SSL
Add the certificates for your WSUS servers to the new WindowsServerUpdateServices certificate store on your
clients

NOTE
Software update scans for devices will continue to run successfully using the default value of Yes for the Enforce TLS
certificate pinning for Windows Update client for detecting updates client setting. This includes scans over both
HTTP and HTTPS. The certificate pinning doesn't take effect until a certificate is in the client's
WindowsServerUpdateServices store and the WSUS server is configured to use TLS/SSL.

Enable or disable TLS certificate pinning for devices scanning HTTPS-configured WSUS servers
1. From the Configuration Manager console, go to Administration > Client Settings.
2. Choose the Default Client Settings or a custom set of client settings, then select Properties from the
ribbon.
3. Select the Software Updates tab in the Client settings.
4. Choose one of the following options for the Enforce TLS certificate pinning for Windows Update
client for detecting updates setting:
No: Don't enable enforcement of TLS certificate pinning for WSUS scanning
Yes: Enables enforcement of TLS certificate pinning for devices during WSUS scanning (default)
5. Verify clients can scan for updates.
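The client-side checks in the two sections above (scan source, certificate trust, and the pinning store) can be combined into one script. This is an added example, not part of the Microsoft documentation or the Configuration Manager client; it assumes it runs on a Configuration Manager client, that the WSUS URL is present in the Windows Update policy key that WUAHandler.log reports, and that the pinning store appears as Cert:\LocalMachine\WindowsServerUpdateServices. The function names are this example's own.

```powershell
# Added example (not from the Microsoft documentation): run on a Configuration Manager
# client to confirm the scan source is HTTPS, that the WSUS certificate chains to a
# trusted CA under the expected name, and whether the served chain is present in the
# WindowsServerUpdateServices pinning store used by Configuration Manager 2103 and later.

# The WSUS URL the client uses: the WUA policy that WUAHandler.log reports as
# "Enabling WUA Managed server policy", plus the SUP paths the scan agent cached.
function Get-ClientWsusSource {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $sup = Get-CimInstance -Namespace 'root\CCM\ScanAgent' -ClassName CCM_SUPLocationList `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyUrl           = (Get-ItemProperty -Path $policy -Name WUServer -ErrorAction SilentlyContinue).WUServer
        CurrentScanPath     = $sup.CurrentScanPath
        LastSuccessScanPath = $sup.LastSuccessScanPath
    }
}

# Open a TLS session to the WSUS URL and return the certificate the server presents.
# The validation callback accepts everything so that an untrusted certificate can still
# be inspected; trust is evaluated separately with X509Chain in Test-WsusClientTrust.
function Get-WsusServerCertificate {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [Uri]$Url
    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($uri.Host)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-WsusClientTrust {
    param([string]$Url = (Get-ClientWsusSource).PolicyUrl)
    $findings = @()
    if (-not $Url) { return @('No WSUS server policy is set; the client is not scanning against a SUP') }
    $uri = [Uri]$Url
    if ($uri.Scheme -ne 'https') { return @("Scan source $Url is not HTTPS") }

    # Name resolution, a blocked port or a TLS failure surfaces here as an exception.
    $cert  = Get-WsusServerCertificate -Url $Url
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $findings += "Certificate $($cert.Thumbprint) is not trusted: " +
            (($chain.ChainStatus | ForEach-Object Status) -join ', ')
    }
    if ($cert.DnsNameList.Unicode -notcontains $uri.Host) {
        $findings += "Certificate does not name $($uri.Host) in Subject/SAN"
    }

    # Pinning: a certificate from the served chain must be present in the store
    # before the Enforce TLS certificate pinning client setting has any effect.
    $pinStore = 'Cert:\LocalMachine\WindowsServerUpdateServices'
    $pinned   = @(Get-ChildItem $pinStore -ErrorAction SilentlyContinue | ForEach-Object Thumbprint)
    $served   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
    if ($pinned.Count -eq 0) {
        $findings += 'Pinning store is empty; scans still work but pinning is not enforced'
    } elseif (-not ($served | Where-Object { $pinned -contains $_ })) {
        $findings += 'No certificate in the served chain matches the pinning store'
    }
    return $findings
}

Get-ClientWsusSource
Test-WsusClientTrust
```

An empty result from Test-WsusClientTrust means the client trusts the WSUS certificate under the name it scans against and a pin is in place.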

Next steps
Deploy software updates
Synchronize software updates from a disconnected software update point
9/17/2021 • 4 minutes to read

Applies to: Configuration Manager (current branch)


When the software update point at the top-level site is disconnected from the Internet, you must use the export
and import functions of the WSUSUtil tool to synchronize software updates metadata. You can choose an
existing WSUS server not in your Configuration Manager hierarchy as the synchronization source. This article
provides information about how to use the export and import functions of the WSUSUtil tool.
To export and import software updates metadata, you must export software updates metadata from the WSUS
database on a specified export server, then copy the locally stored license terms files to the disconnected
software update point, and then import the software updates metadata to the WSUS database on the
disconnected software update point.
Use the following table to identify the export server in which to export the software updates metadata.

| Connected software update point | Upstream update source for software update points | Export server for a disconnected software update point |
|---|---|---|
| Central administration site | Microsoft Update (Internet), or an existing WSUS server | Choose a WSUS server that is synchronized with Microsoft Update by using the software update classifications, products, and languages that you need in your Configuration Manager environment. |
| Stand-alone primary site | Microsoft Update (Internet), or an existing WSUS server | Choose a WSUS server that is synchronized with Microsoft Update by using the software update classifications, products, and languages that you need in your Configuration Manager environment. |

Before you start the export process, verify that software updates synchronization is completed on the selected
export server to ensure that the most recent software updates metadata is synchronized. To verify that software
updates synchronization has completed successfully, use the following procedure.
To verify that software updates synchronization has completed successfully on the export server
1. Open the WSUS Administration console and connect to the WSUS database on the export server.
2. In the WSUS Administration console, click Synchronizations . A list of the software updates
synchronization attempts are displayed in the results pane.
3. In the results pane, find the latest software updates synchronization attempt and verify that it completed
successfully.
IMPORTANT
The WSUSUtil tool must be run locally on the export server to export the software updates metadata, and it also must
be run on the disconnected software update point server to import the software updates metadata. In addition, the
user that runs the WSUSUtil tool must be a member of the local Administrators group on each server.
If you are using Windows Server 2012, ensure KB2819484 is installed on the WSUS servers.

Export process for software updates


The export process for software updates consists of two main steps: to copy the locally stored license terms files
to the disconnected software update point, and to export software updates metadata from the WSUS database
on the export server.
Use the following procedure to copy the local license terms metadata to the disconnected software update point.
To copy local files from the export server to the disconnected software update point server
1. On the export server, navigate to the folder where software updates and the license terms for software
updates are stored. By default, the WSUS server stores the files at
<WSUSInstallationDrive>\WSUS\WSUSContent\, where WSUSInstallationDrive is the drive on which
WSUS is installed.
2. Copy all files and folders from this location to the WSUSContent folder on the disconnected software
update point server.
Use the following procedure to export the software updates metadata from the WSUS database on the
export server.
To export software updates metadata from the WSUS database on the export server
1. At the command prompt on the export server, navigate to the folder that contains WSUSutil.exe. By
default, the tool is located at %ProgramFiles%\Update Services\Tools. For example, if the tool is located in
the default location, type cd %ProgramFiles%\Update Services\Tools.
2. Type the following to export the software updates metadata to a package file:
wsusutil.exe export packagename logfile
For example:
wsusutil.exe export export.xml.gz export.log
The format can be summarized as follows: WSUSutil.exe is followed by the export option, the name of the
export .xml.gz file that is created during the export operation, and the name of a log file. WSUSutil.exe
exports the metadata from the export server and creates a log file of the operation.

NOTE
The package (.xml.gz file) and the log file name must be unique in the current folder.

3. Move the export package to the folder that contains WSUSutil.exe on the import WSUS server.

NOTE
If you move the package to this folder, the import experience can be easier. You can move the package to any
location that is accessible to the import server, and then specify the location when you run WSUSutil.exe.
Import software updates metadata
Use the following procedure to import software updates metadata from the export server to the disconnected
software update point.

IMPORTANT
Never import any exported data from a source that you do not trust. If you import content from a source that you do
not trust, it might compromise the security of your WSUS server.

To import metadata to the database of the import server


1. At the command prompt on the import WSUS server, navigate to the folder that contains WSUSutil.exe.
By default, the tool is located at %ProgramFiles%\Update Services\Tools.
2. Type the following:
wsusutil.exe import packagename logfile
For example:
wsusutil.exe import export.xml.gz import.log
The format can be summarized as follows: WSUSutil.exe is followed by the import command, the name
of package file (.xml.gz) that is created during the export operation, the path to the package file if it is in a
different folder, and the name of a log file. WSUSutil.exe imports the metadata from the export server
and creates a log file of the operation.
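The export and import commands above can be wrapped so that the package is hashed on the export server and the hash is verified on the disconnected server before anything is imported, which is one way to act on the warning above about untrusted sources. This is an added example and not part of the Microsoft documentation or WSUS; the function names, the .sha256 manifest file and the usage values are this example's own.

```powershell
# Added example (not from the Microsoft documentation): gate wsusutil.exe import on a
# SHA-256 check of the package produced by wsusutil.exe export.
$WsusTools = Join-Path $env:ProgramFiles 'Update Services\Tools'

# Export server: run in the Tools folder so the package and log land beside wsusutil.exe
# (package and log names must be unique there), then record the package hash. Carry the
# hash to the import side out of band, not only on the same media as the package.
function Export-WsusPackage {
    param(
        [Parameter(Mandatory)][string]$PackageName,   # e.g. export.xml.gz
        [Parameter(Mandatory)][string]$LogFile        # e.g. export.log
    )
    Push-Location $WsusTools
    try {
        & .\wsusutil.exe export $PackageName $LogFile
        if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed (exit code $LASTEXITCODE)" }
        $hash = (Get-FileHash -Path $PackageName -Algorithm SHA256).Hash
        Set-Content -Path "$PackageName.sha256" -Value $hash
        return $hash
    } finally { Pop-Location }
}

# Disconnected software update point: refuse to import unless the package on disk
# matches the hash the operator supplies.
function Import-WsusPackage {
    param(
        [Parameter(Mandatory)][string]$PackageName,
        [Parameter(Mandatory)][string]$LogFile,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    Push-Location $WsusTools
    try {
        if (-not (Test-Path $PackageName)) { throw "Package $PackageName not found in $WsusTools" }
        $actual = (Get-FileHash -Path $PackageName -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.Trim().ToUpperInvariant()) {
            throw "Refusing to import $PackageName`: SHA-256 $actual does not match expected $ExpectedSha256"
        }
        & .\wsusutil.exe import $PackageName $LogFile
        if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed (exit code $LASTEXITCODE)" }
        return $actual
    } finally { Pop-Location }
}

# Usage with constructed values:
# On the export server:     $h = Export-WsusPackage -PackageName export.xml.gz -LogFile export.log
# On the disconnected SUP:  Import-WsusPackage -PackageName export.xml.gz -LogFile import.log -ExpectedSha256 $h
```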

Next steps
After you synchronize software updates for the first time, or after there are new classifications or products
available, you must configure the new classifications and products to synchronize software updates with the
new criteria.
After you synchronize software updates with the criteria that you need, manage settings for software updates.
Synchronize Microsoft 365 Apps updates from a disconnected software update point
9/17/2021 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Starting in Configuration Manager version 2002, you can use a tool to import Microsoft 365 Apps updates from
an internet connected WSUS server into a disconnected Configuration Manager environment. Previously, when
you exported and imported metadata for software updates in disconnected environments, you were unable to
deploy Microsoft 365 Apps updates. Microsoft 365 Apps updates require additional metadata downloaded from
an Office API and the Office CDN, which isn't possible for disconnected environments.

NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration
Manager console and supporting documentation while the console is being updated.

Prerequisites
An internet connected WSUS server running a minimum of Windows Server 2012.
The WSUS server needs connectivity to these two internet endpoints:
officecdn.microsoft.com
config.office.com
Copy the OfflineUpdateExporter tool and its dependencies to the internet connected WSUS server.
The tool and its dependencies are in the <ConfigMgrInstallDir>/tools/OfflineUpdateExporter
directory.
The user running the tool must be part of the WSUS Administrators group.
The directory created to store the Microsoft 365 Apps update metadata and content should have appropriate
access control lists (ACLs) to secure the files.
This directory must also be empty.
Data being moved from the online WSUS server to the disconnected environment should be moved securely.

IMPORTANT
Content will be downloaded for all Microsoft 365 Apps languages. Each update can have approximately 10 GB of content.

Synchronize then decline unneeded Microsoft 365 Apps updates


1. On your internet connected WSUS, open the WSUS console.
2. Select Options then Products and Classifications .
3. In the Products tab, select Office 365 Client and select Updates in the Classifications tab.
4. Go to Synchronizations and select Synchronize Now to get the Microsoft 365 Apps updates into WSUS.
5. When the synchronization completes, decline any Microsoft 365 Apps updates that you don't want to deploy
with Configuration Manager. You don't need to approve Microsoft 365 Apps updates in order for them to be
downloaded.
Declining unwanted Microsoft 365 Apps updates in WSUS doesn't stop them from being exported
during a WsusUtil.exe export, but it does stop the OfflineUpdateExporter tool from downloading the
content for them.
The OfflineUpdateExporter tool does the download of Microsoft 365 Apps updates for you. Other
products will still need to be approved for download if you're exporting updates for them.
Create a new update view in WSUS to easily see and decline unneeded Microsoft 365 Apps updates in
WSUS.
6. If you're approving other product updates for download and export, wait for the content download to
complete before running WsusUtil.exe export and copying the contents of the WSUSContent folder. For more
information, see Synchronize software updates from a disconnected software update point

Exporting the Microsoft 365 Apps updates


1. Copy the OfflineUpdateExporter folder from Configuration Manager to the internet connected WSUS
server.
The tool and its dependencies are in the <ConfigMgrInstallDir>/tools/OfflineUpdateExporter
directory.
2. From a command prompt on the internet connected WSUS server, run the tool with the following usage:
OfflineUpdateExporter.exe -O -D <destination path>

| OfflineUpdateExporter parameter | Description |
|---|---|
| -O | -Office. Specifies that the product for the updates export is Office 365 or Microsoft 365 Apps. |
| -D | -Destination. Destination is a required parameter and the entire path to the destination folder is needed. |

The OfflineUpdateExporter tool does the following:
Connects to WSUS
Reads the Microsoft 365 Apps update metadata in WSUS
Downloads the content and any additional metadata needed by the Microsoft 365 Apps
updates to the destination folder
3. At the command prompt on the internet connected WSUS server, navigate to the folder that contains
WsusUtil.exe. By default, the tool is located in %ProgramFiles%\Update Services\Tools. For example, if the
tool is located in the default location, type cd %ProgramFiles%\Update Services\Tools.
If you're using Windows Server 2012, ensure KB2819484 is installed on the WSUS servers.
The user that runs the WsusUtil tool must be a member of the local Administrators group on the
server.
4. Type the following to export the software updates metadata to a GZIP file:
WsusUtil.exe export packagename logfile
For example:
WsusUtil.exe export export.xml.gz export.log
5. Copy the export.xml.gz file to the top-level WSUS server on the disconnected network.
6. If you approved updates for other products, copy the contents of the WSUSContent folder to the top-level
disconnected WSUS server's WSUSContent folder.
7. Copy the destination folder used for the OfflineUpdateExporter to the top-level Configuration
Manager site server on the disconnected network.

Import the Microsoft 365 Apps updates


1. On the disconnected top-level WSUS server, import the update metadata from the export.xml.gz you
generated on the internet connected WSUS server.
For example:
WsusUtil.exe import export.xml.gz import.log
By default, the WsusUtil.exe tool is located in %ProgramFiles%\Update Services\Tools.
2. Once the import is complete, you'll need to configure a site control property on the disconnected top-
level Configuration Manager site server. This configuration change points Configuration Manager to the
content for Microsoft 365 Apps. To change the property's configuration:
a. Copy the O365OflBaseUrlConfigured PowerShell script to the top-level disconnected Configuration
Manager site server.
b. Change "D:\Office365updates\content" to the full path of the copied directory containing the
Microsoft 365 Apps content and metadata generated by OfflineUpdateExporter.

IMPORTANT
Only local paths work for the O365OflBaseUrlConfigured property.

c. Save the script as O365OflBaseUrlConfigured.ps1
d. From an elevated PowerShell window on the disconnected top-level Configuration Manager site
server, run .\O365OflBaseUrlConfigured.ps1.
e. Restart the SMS_Executive service on the site server.
3. In the Configuration Manager console, navigate to Administration > Site Configuration > Sites .
4. Right-click on your top-level site, then select Configure Site Components > Software Update Point .
5. In the Classifications tab, select Updates. In the Products tab, select Office 365 Client.
6. Synchronize software updates for Configuration Manager
7. When the synchronization completes, use your normal process to deploy Microsoft 365 Apps updates.

Proxy configuration
Proxy configuration isn't natively built into the tool. If proxy is set in the Internet Options on the server where
the tool is running, in theory it will be used and should function properly.
From a command prompt, run netsh winhttp show proxy to see the configured proxy.

Modify O365OflBaseUrlConfigured property

# Name: O365OflBaseUrlConfigured.ps1
#
# Description: This sample sets the O365OflBaseUrlConfigured property for the SMS_WSUS_CONFIGURATION_MANAGER
# component on the top-level site.
# This script must be run on the disconnected top-level Configuration Manager site server
#
# Replace "D:\Office365updates\content" with the full path to the copied directory containing all the Office
# metadata and content generated by the OfflineUpdateExporter tool.
# Only local paths work for the O365OflBaseUrlConfigured property.

$PropertyValue = "D:\Office365updates\content"

# Don't change any of the lines below
$PropertyName = "O365OflBaseUrlConfigured"

# Get provider instance
$providerMachine = Get-WmiObject -namespace "root\sms" -class "SMS_ProviderLocation"

if($providerMachine -is [system.array])
{
    $providerMachine=$providerMachine[0]
}

$SiteCode = $providerMachine.SiteCode

# Select the SMS_WSUS_CONFIGURATION_MANAGER component of the top-level site (the site with no parent site code)
$component = gwmi -ComputerName $providerMachine.Machine -namespace root\sms\site_$SiteCode -query 'select comp.* from sms_sci_component comp join SMS_SCI_SiteDefinition sdef on sdef.SiteCode=comp.SiteCode where sdef.ParentSiteCode="" and comp.componentname="SMS_WSUS_CONFIGURATION_MANAGER"'
$properties = $component.props

Write-host "Updating $PropertyName property for site " $SiteCode

foreach ($property in $properties)
{
    if ($property.propertyname -eq $PropertyName)
    {
        Write-host "Current value for $PropertyName is $($property.value2)"
        $property.value2 = $PropertyValue
        Write-host "Updating value for $PropertyName to $($property.value2)"
        break
    }
}

# Write the modified property array back and commit the change to the site
$component.props = $properties
$component.put()
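The sample above writes the property but does not confirm the result. The following is an added verification script, not part of the Microsoft sample or of the tool: it reads O365OflBaseUrlConfigured back from the top-level site and checks it against the rules stated above (the value must be a local path, not a UNC path, and the directory must exist on the site server). Like the sample, it assumes it runs on the top-level site server; the default path is a constructed placeholder matching the sample's value.

```powershell
# Added verification example (not part of the Microsoft sample script).
# Reads O365OflBaseUrlConfigured back and checks the "local path only" rule.

function Test-O365OflBaseUrlConfigured {
    param(
        [string]$ExpectedPath = "D:\Office365updates\content"   # placeholder, same as the sample
    )

    # Locate the SMS Provider and derive the site code, the same way the sample script does
    $provider = Get-WmiObject -Namespace "root\sms" -Class "SMS_ProviderLocation"
    if ($provider -is [System.Array]) { $provider = $provider[0] }
    $siteCode = $provider.SiteCode

    # Select the WSUS Configuration Manager component of the top-level site (empty ParentSiteCode)
    $query = 'select comp.* from sms_sci_component comp ' +
             'join SMS_SCI_SiteDefinition sdef on sdef.SiteCode=comp.SiteCode ' +
             'where sdef.ParentSiteCode="" and comp.componentname="SMS_WSUS_CONFIGURATION_MANAGER"'
    $component = Get-WmiObject -ComputerName $provider.Machine -Namespace "root\sms\site_$siteCode" -Query $query

    # Props is an array of embedded property instances; the string value is in Value2
    $prop    = $component.Props | Where-Object { $_.PropertyName -eq "O365OflBaseUrlConfigured" }
    $current = if ($prop) { [string]$prop.Value2 } else { "" }

    # A UNC path (\\server\share) is not supported for this property; only a local drive path is valid
    $isLocal = ($current -ne "") -and ($current -notlike "\\*")

    [pscustomobject]@{
        SiteCode        = $siteCode
        CurrentValue    = $current
        MatchesExpected = ($current -eq $ExpectedPath)
        IsLocalPath     = $isLocal
        PathExists      = $isLocal -and (Test-Path -LiteralPath $current -PathType Container)
    }
}

Test-O365OflBaseUrlConfigured | Format-List
```

If MatchesExpected is false immediately after running the sample, the put() call did not commit (check that the script ran on the top-level site server with an account that can write to the SMS Provider); if IsLocalPath is false, the value was set to a UNC path and the property will not work as configured.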

Next steps
Add software updates to an update group
Download software updates
9/17/2021 • 5 minutes to read

Applies to: Configuration Manager (current branch)


There are several methods available to you for downloading software updates in Configuration Manager. When
you create an automatic deployment rule (ADR) or manually deploy software updates, the software updates are
downloaded to the content library on the site server. Then, the software updates are copied to the content
library on the distribution points that are associated with the configured deployment package. If you want to
download the software updates before you deploy them, you can use the Download Updates Wizard. Doing this
will enable you to verify that the software updates are available on distribution points before you deploy the
software updates to client computers.

NOTE
For information about monitoring content status, see Content status monitoring.

Use the following procedure to download software updates by using the Download Software Updates Wizard.
To download software updates
1. In the Configuration Manager console, go to the Software Library workspace, and select the Software
Updates node.
2. Choose the software update to download by using one of the following methods:
Select one or more software update groups from the Software Update Groups node. Then click
Download in the ribbon.
Select one or more software updates from All Software Updates node. Then click Download in
the ribbon.

NOTE
In the All Software Updates node, Configuration Manager displays only software updates with a
Critical and Security classification that have been released in the last 30 days.

TIP
Click Add Criteria to filter the software updates that are displayed in the All Software Updates node.
Save search criteria that you often use, and then manage saved searches on the Search tab.

3. On the Deployment Package page of the Download Software Updates Wizard, configure the following
settings:
Select deployment package : Choose this setting to select an existing deployment package for
the software updates that are in the deployment.
NOTE
Software updates that the site has already downloaded to the selected deployment package won't be
downloaded again.

Create a new deployment package : Select this setting to create a new deployment package for
the software updates in the deployment. Configure the following settings:
Name : Specifies the name of the deployment package. The package must have a unique
name that briefly describes the package content. It's limited to 50 characters.
Description : Specify a description that provides information about the deployment
package. The optional description is limited to 127 characters.
Package source : Specifies the location of the software update source files. Type a network
path for the source location, for example, \\server\sharename\path , or click Browse to find
the network location. Create the shared folder for the deployment package source files
before you proceed to the next page.
You can't use the specified location as the source of another software deployment
package.
You can change the package source location in the deployment package properties
after Configuration Manager creates the deployment package. If you do, first copy
the content from the original package source to the new package source location.
The computer account of the SMS Provider and the user that's running the wizard to
download the software updates must both have Write permissions to the download
location. Restrict access to the download location. This restriction reduces the risk of
attackers tampering with the software update source files.
Enable binary differential replication : Enable this setting to minimize network traffic
between sites. Binary differential replication (BDR) only updates the content that has
changed in the package, instead of updating the entire package contents. For more
information, see Binary differential replication.
4. On the Distribution Points page, specify the distribution points or distribution point groups to host the
software update files. For more information about distribution points, see Distribution point
configurations. This page is available only when you create a new software update deployment package.
5. The Distribution Settings page is available only when you create a new software update deployment
package. Specify the following settings:
Distribution priority : Use this setting to specify the distribution priority for the deployment
package. The distribution priority applies when the deployment package is sent to distribution
points at child sites. Deployment packages are sent in priority order: high, medium, or low.
Packages with identical priorities are sent in the order in which they were created. If there's no
backlog, the package processes immediately regardless of its priority. By default, the site sends
packages with Medium priority.
Enable for on-demand distribution : Use this setting to enable on-demand content distribution
to distribution points configured for this feature and in the client's current boundary group. When
you enable this setting, the management point creates a trigger for the distribution manager to
distribute the content to all such distribution points when a client requests the content for the
package and the content isn't available. For more information, see On-demand content
distribution.
Prestaged distribution point settings : Use this setting to specify how you want to distribute
content to prestaged distribution points. Choose one of the following options:
Automatically download content when packages are assigned to distribution
points : Use this setting to ignore the prestage settings and distribute content to the
distribution point.
Download only content changes to the distribution point : Use this setting to
prestage the initial content to the distribution point, and then distribute content changes to
the distribution point.
Manually copy the content in this package to the distribution point : Use this
setting to always prestage content on the distribution point. This option is the default.
For more information about prestaging content to distribution points, see Use Prestaged content.
6. On the Download Location page, specify the location that Configuration Manager uses to download
the software update source files. Use one of the following options:
Download software updates from the Internet : Select this setting to download the software
updates from the location on the internet. This option is the default.
Download software updates from a location on my network : Select this setting to
download the software updates from a local directory or shared folder. This setting is useful when
the computer that runs the wizard doesn't have internet access. Any computer with internet access
can preliminarily download the software updates. Then store them in a location on the local
network that's accessible from the computer that runs the wizard.
7. On the Language Selection page, select the languages for which the site downloads the selected
software updates. The site only downloads these updates if they're available in the selected languages.
Software updates that aren't language-specific are always downloaded. By default, the wizard selects the
languages that you've configured in the software update point properties. At least one language must be
selected before proceeding to the next page. When you select only languages that a software update
doesn't support, the download fails for the update.
8. On the Summary page, verify the settings that you selected in the wizard, and then click Next to
download the software updates.
9. On the Completion page, verify that the software updates were successfully downloaded, and then click
Close .
Add software updates to an update group
9/17/2021 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Software update groups provide you with an effective method to organize software updates in your
environment. You can manually add software updates to a software update group or automatically add software
updates to a software update group by using an ADR. You can also deploy a software update group manually or
deploy the group automatically by using an ADR. After you deploy a software update group, you can add new
software updates to the group and Configuration Manager will automatically deploy them. Use the following
procedures to add software updates to a new or existing software update group.

Add software updates to a new software update group


1. In the Configuration Manager console, select Software Library .
2. In the Software Library workspace, expand Software Updates , and then select All Software Updates .
3. Select the software updates to be added to the new software update group.
4. On the Home tab, in the Update group, select Create Software Update Group .
5. Specify the name for the software update group and optionally provide a description. Use a name and
description that provide enough information for you to determine what type of software updates are in
the software update group. To proceed, select Create .
6. Select Software Update Groups to display the new software update group.
7. Select the software update group, and in the Home tab, in the Update group, select Show Members to
display a list of the software updates that are included in the group.

NOTE
Feature updates can't be added to a software update group. Use the following options to manage feature updates:
Windows servicing
Phased deployments
Upgrade OS task sequences.

Add software updates to an existing software update group


1. In the Configuration Manager console, select Software Library .
2. In the Software Library workspace, expand Software Updates , and then select All Software Updates .
3. Select the software updates that you want to add to the existing software update group.
On the All Software Updates node, Configuration Manager displays all updates except those in the
Upgrades classification and Office 365 Client product classification.
4. On the Home tab, in the Update group, select Edit Membership .
5. Select the software update group into which you want to add the software updates.
6. Select the Software Update Groups node to display the software update group.
7. Select the software update group, and in the Home tab, in the Update group, select Show Members to
display a list of the software updates that are included in the software update group.

Remove software updates from an existing software update group


1. In the Configuration Manager console, select Software Library .
2. In the Software Library workspace, expand Software Updates , and then select Software Update Groups .
3. Select the software update group from which you want to remove updates, then select Show Members .
4. Right-click on the update to remove and select Edit Membership .
Select multiple updates by using either the Shift or Ctrl keys.
From the All Software Updates node, you can also use Edit Membership from the ribbon after
selecting an update.
5. Uncheck the box for the software update group from which you'd like to remove the update, then select Ok .

Next steps
Deploy software updates
Deploy software updates
9/17/2021 • 4 minutes to read

Applies to: Configuration Manager (current branch)


The software update deployment phase is the process of deploying software updates. No matter how you
deploy software updates, the site:
Adds the updates to a software update group
Distributes the update content to distribution points
Deploys the update group to clients
After you create the deployment, the site sends an associated software update policy to targeted clients. The
clients download the software update content files from a content source to their local cache. Clients on the
internet always download content from the Microsoft Update cloud service. The software updates are then
available for installation by the client.

TIP
If a distribution point isn't available, clients on the intranet can also download software updates from Microsoft Update.

NOTE
Unlike other deployment types, software updates are all downloaded to the client cache. This is regardless of the
maximum cache size setting on the client. For more information about the client cache setting, see Configure the client
cache.

If you configure a required software update deployment, the software updates are automatically installed at the
scheduled deadline. Alternatively, the user on the client computer can schedule or initiate the software update
installation prior to the deadline. After the attempted installation, client computers send state messages back to
the site server to report whether the software update installation was successful. For more information about
software update deployments, see Software update deployment workflows.
There are three main scenarios for deploying software updates:
Manual deployment
Automatic deployment
Phased deployment
Typically, you start by manually deploying software updates to create a baseline for your clients, and then you
manage software updates on clients by using an automatic or phased deployment.

NOTE
You can't use an automatic deployment rule with a phased deployment.

Manually deploy software updates


Select software updates in the Configuration Manager console and manually start the deployment process. You
typically use this method of deployment to:
Get clients up-to-date with required software updates before you create automatic deployment rules that
manage monthly deployments
Deploy out-of-band software updates
The following list provides the general workflow for manual deployment of software updates:
1. Filter for software updates that use specific requirements. For example, provide criteria that retrieves all
security or critical software updates that are required on more than 50 clients.
2. Create a software update group that contains the software updates.
3. Download the content for the software updates in the software update group.
4. Manually deploy the software update group.
For more information and detailed steps, see Manually deploy software updates.
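The four-step manual workflow above, scripted end to end with the ConfigurationManager PowerShell module, as an added example that is not part of this page. It filters for Security and Critical updates required on more than 50 clients, enforces the 1000-update limit on a single deployment, creates the update group, downloads and distributes the content before deploying, and then creates a Required deployment to a pilot collection with times evaluated in UTC. Cmdlet and parameter names are used as documented for the module (verify against your module version); the site code, package source share, distribution point group and collection names are constructed placeholders.

```powershell
# Added example (not from the page): manual software update deployment workflow, steps 1 to 4.
# Placeholders: site code, package source share, DP group and collection names.

param(
    [string]$SiteCode        = "PS1",                        # placeholder site code
    [string]$PackageSource   = "\\cm01\SUPSource$\Baseline", # placeholder; share must exist and be access-restricted
    [string]$DpGroupName     = "All Distribution Points",    # placeholder DP group
    [string]$PilotCollection = "SU Pilot - Workstations",    # placeholder pilot collection
    [int]   $MinRequired     = 50                            # "required on more than 50 clients"
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

$stamp = Get-Date -Format "yyyy-MM-dd"

# Step 1: filter. Security or Critical classification, neither superseded nor expired,
# and required (NumMissing) on more than $MinRequired clients.
$updates = @(Get-CMSoftwareUpdate -CategoryName "Security Updates", "Critical Updates" `
                -IsSuperseded $false -IsExpired $false |
            Where-Object { $_.NumMissing -gt $MinRequired })

if ($updates.Count -eq 0)    { throw "No updates matched the filter; nothing to deploy." }
if ($updates.Count -gt 1000) { throw "A single deployment is limited to 1000 updates; found $($updates.Count). Split the group." }

# Step 2: create the software update group (name limit 50 characters, description 127).
$groupName = "Baseline Sec+Crit $stamp"
New-CMSoftwareUpdateGroup -Name $groupName `
    -Description "Security/Critical updates required on >$MinRequired clients" `
    -UpdateId ($updates | ForEach-Object { $_.CI_ID }) | Out-Null

# Step 3: download content into a new deployment package and send it to the DP group.
# Doing this before deploying lets content status be checked under Monitoring > Content Status.
$pkgName = "SU Baseline $stamp"
New-CMSoftwareUpdateDeploymentPackage -Name $pkgName -Path $PackageSource | Out-Null
Save-CMSoftwareUpdate -SoftwareUpdateGroupName $groupName -DeploymentPackageName $pkgName `
    -SoftwareUpdateLanguage "English"
Start-CMContentDistribution -DeploymentPackageName $pkgName -DistributionPointGroupName $DpGroupName

# Step 4: deploy the group as Required to the pilot collection, evaluating times in UTC.
# Available immediately, deadline one week out; clients may fall back to Microsoft Update
# when no distribution point is reachable.
$now = (Get-Date).ToUniversalTime()
New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $groupName -CollectionName $PilotCollection `
    -DeploymentName "Microsoft Software Updates - $stamp pilot" `
    -Description "Manual baseline, pilot ring" `
    -DeploymentType Required -TimeBasedOn UTC `
    -AvailableDateTime $now -DeadlineDateTime $now.AddDays(7) `
    -SendWakeupPacket $false -VerbosityLevel OnlySuccessAndErrorMessages `
    -UserNotification DisplaySoftwareCenterOnly -DownloadFromMicrosoftUpdate $true
```

The pilot collection is deliberately the only target here; once the pilot reports success, add a second deployment of the same group to a broader collection rather than editing the pilot deployment, which keeps the two rings separately monitorable.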

NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see references to the old name in the
Configuration Manager console and supporting documentation while the console is being updated.
When manually deploying Microsoft 365 Apps client updates, find them in the Office 365 Updates node under
Office 365 Client Management of the Software Library workspace.

Automatically deploy software updates


Configure automatic software updates deployment by using an automatic deployment rule (ADR). This method
of deployment is common for monthly software updates (typically known as "Patch Tuesday") and for managing
definition updates. You define the criteria for an ADR to automate the deployment process. The following list
provides the general workflow to automatically deploy software updates:
1. Create an ADR that specifies deployment settings.
2. The site adds the software updates to a software update group.
3. The site deploys the software update group to the clients in the target collection.
First, determine your automatic software update deployment strategy. For example, create the ADR to initially
target a collection of test clients. After you verify the test group successfully installed the software updates, add a
new deployment to the rule. You could also change the targeted collection in the existing deployment to one that
includes a larger set of clients. Consider the following behaviors when deciding upon the strategy to use:
You're able to modify the properties of the software update objects that the ADR creates.
The ADR automatically deploys software updates to clients when you add them to the target collection.
When you or the ADR adds new software updates to the software update group, the site automatically
deploys them to the clients in the target collection.
Enable or disable deployments at any time for the ADR.
After you create an ADR, add additional deployments to the rule. This action helps you manage the complexity
of deploying different updates to different collections. Each new deployment has the full range of functionality
and deployment monitoring experience.
Each new deployment that you add:
Uses the same update group and package, which the ADR creates when it first runs
Can target a different collection
Supports unique deployment properties including:
Activation time
Deadline
User experience
Separate alerts for each deployment
For more information and detailed steps, see Automatically deploy software updates

Deploy software updates in phases


Starting in version 1810, create phased deployments for software updates. Phased deployments allow you to
orchestrate a coordinated, sequenced rollout of software based on customizable criteria and groups.
For more information, see Create phased deployments.
Manually deploy software updates
9/17/2021 • 22 minutes to read

Applies to: Configuration Manager (current branch)


A manual software update deployment is the process of selecting software updates from the Configuration
Manager console and manually starting the deployment process. Or add selected software updates to an update
group, and then manually deploy the update group. You typically use manual deployments to get your clients
up-to-date with required software updates. You then use automatic deployment rules (ADR) to manage ongoing
monthly software update deployments. Also use this manual method to deploy out-of-band software updates.
For more information on which deployment method is right for you, see Deploy software updates.

Step 1: Specify search criteria for software updates


Depending upon the combinations of products and classifications that your site synchronizes, there are
potentially thousands of software updates displayed in the Configuration Manager console. The first step in the
workflow for manually deploying software updates is to identify the software updates that you want to deploy.
For example, show all software updates required on more than 50 client devices with a Security or Critical
classification.

IMPORTANT
A single software update deployment has a limit of 1000 software updates.

Process to specify search criteria for software updates


1. In the Configuration Manager console, go to the Software Library workspace, expand Software
Updates , and click All Software Updates . This node displays all synchronized software updates.

NOTE
The All Software Updates node only displays software updates with a Critical and Security classification that
have been released in the last 30 days.

2. In the search pane, filter to identify the software updates that you need. Use one or both of the following
options:
In the search text box, type a search string that filters the software updates. For example, type the
article or bulletin ID for a specific software update. Or enter a string that appears in the title of
several software updates.
Click Add Criteria , and select the criteria to filter software updates. Click Add , and then provide
the values for the criteria.
3. Click Search to filter the software updates.

TIP
Save frequently used filter criteria. On the ribbon, click the option to Save Current Search . Retrieve previous
searches by clicking on Saved Searches .

Step 2: Create a software update group that contains the software updates


Software update groups let you organize software updates in preparation for deployment. Use the following
procedure to manually add software updates to a new software update group.
Process to manually add software updates to a new software update group
1. In the Configuration Manager console, go to the Software Library workspace, and select Software
Updates . Select the desired software updates.
2. Click Create Software Update Group in the ribbon.
3. Specify the name for the software update group and optionally provide a description. Use a name and
description that provide enough information for you to determine what type of updates are in the
software update group. Click Create .
4. Select the Software Update Groups node, and select the new software update group. To display the list
of updates in the group, click Show Members in the ribbon.

Step 3: Download the content for the software update group


Before you deploy the software updates, download the content for the software updates in the software update
group. This step lets you verify that the content is available on distribution points before you deploy the
software updates. It also helps you avoid any unexpected issues with content distribution. If you skip this step, as
part of the deployment process the site downloads the content and distributes to the distribution points. Use the
following procedure to download the content for software updates in the software update group.
Process to download content for the software update group
1. In the Configuration Manager console, go to the Software Library workspace, and select the Software
Updates node.
2. Choose the software update to download by using one of the following methods:
Select one or more software update groups from the Software Update Groups node. Then click
Download in the ribbon.
Select one or more software updates from All Software Updates node. Then click Download in
the ribbon.

NOTE
In the All Software Updates node, Configuration Manager displays only software updates with a
Critical and Security classification that have been released in the last 30 days.

TIP
Click Add Criteria to filter the software updates that are displayed in the All Software Updates node.
Save search criteria that you often use, and then manage saved searches on the Search tab.

3. On the Deployment Package page of the Download Software Updates Wizard, configure the following
settings:
Select deployment package : Choose this setting to select an existing deployment package for
the software updates that are in the deployment.
NOTE
Software updates that the site has already downloaded to the selected deployment package won't be
downloaded again.

Create a new deployment package : Select this setting to create a new deployment package for
the software updates in the deployment. Configure the following settings:
Name : Specifies the name of the deployment package. The package must have a unique
name that briefly describes the package content. It's limited to 50 characters.
Description : Specify a description that provides information about the deployment
package. The optional description is limited to 127 characters.
Package source : Specifies the location of the software update source files. Type a network
path for the source location, for example, \\server\sharename\path , or click Browse to find
the network location. Create the shared folder for the deployment package source files
before you proceed to the next page.
You can't use the specified location as the source of another software deployment
package.
You can change the package source location in the deployment package properties
after Configuration Manager creates the deployment package. If you do, first copy
the content from the original package source to the new package source location.
The computer account of the SMS Provider and the user that's running the wizard to
download the software updates must both have Write permissions to the download
location. Restrict access to the download location. This restriction reduces the risk of
attackers tampering with the software update source files.
Enable binary differential replication : Enable this setting to minimize network traffic
between sites. Binary differential replication (BDR) only updates the content that has
changed in the package, instead of updating the entire package contents. For more
information, see Binary differential replication.
4. On the Distribution Points page, specify the distribution points or distribution point groups to host the
software update files. For more information about distribution points, see Distribution point
configurations. This page is available only when you create a new software update deployment package.
5. The Distribution Settings page is available only when you create a new software update deployment
package. Specify the following settings:
Distribution priority : Use this setting to specify the distribution priority for the deployment
package. The distribution priority applies when the deployment package is sent to distribution
points at child sites. Deployment packages are sent in priority order: high, medium, or low.
Packages with identical priorities are sent in the order in which they were created. If there's no
backlog, the package processes immediately regardless of its priority. By default, the site sends
packages with Medium priority.
Enable for on-demand distribution : Use this setting to enable on-demand content distribution
to distribution points configured for this feature and in the client's current boundary group. When
you enable this setting, the management point creates a trigger for the distribution manager to
distribute the content to all such distribution points when a client requests the content for the
package and the content isn't available. For more information, see On-demand content
distribution.
Prestaged distribution point settings : Use this setting to specify how you want to distribute
content to prestaged distribution points. Choose one of the following options:
Automatically download content when packages are assigned to distribution
points : Use this setting to ignore the prestage settings and distribute content to the
distribution point.
Download only content changes to the distribution point : Use this setting to
prestage the initial content to the distribution point, and then distribute content changes to
the distribution point.
Manually copy the content in this package to the distribution point : Use this
setting to always prestage content on the distribution point. This option is the default.
For more information about prestaging content to distribution points, see Use Prestaged content.
6. On the Download Location page, specify the location that Configuration Manager uses to download
the software update source files. Use one of the following options:
Download software updates from the Internet : Select this setting to download the software
updates from the location on the internet. This option is the default.
Download software updates from a location on my network : Select this setting to
download the software updates from a local directory or shared folder. This setting is useful when
the computer that runs the wizard doesn't have internet access. Any computer with internet access
can preliminarily download the software updates. Then store them in a location on the local
network that's accessible from the computer that runs the wizard.
7. On the Language Selection page, select the languages for which the site downloads the selected
software updates. The site only downloads these updates if they're available in the selected languages.
Software updates that aren't language-specific are always downloaded. By default, the wizard selects the
languages that you've configured in the software update point properties. At least one language must be
selected before proceeding to the next page. When you select only languages that a software update
doesn't support, the download fails for the update.
8. On the Summary page, verify the settings that you selected in the wizard, and then click Next to
download the software updates.
9. On the Completion page, verify that the software updates were successfully downloaded, and then click
Close .
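The Package source setting in step 3 above (and the identical setting in the Download software updates article) requires Write access for the SMS Provider computer account and for the user running the wizard, and says to restrict access to that location so the source files cannot be tampered with. The following is an added example, not part of the page, of creating the folder and share with exactly that access: NTFS inheritance is cut so the default Users and Authenticated Users entries do not apply, only the two required principals get Modify, and the share carries no Everyone entry. It runs on the file server that hosts the share; all account, path and share names are constructed placeholders, and the optional read-only list is for any other account that must read the source (for example a site server that is not the SMS Provider host).

```powershell
# Added hardening example (not from the page): package source folder and share
# limited to the SMS Provider computer account and the wizard user.

function New-RestrictedPackageSource {
    param(
        [Parameter(Mandatory)] [string]   $LocalPath,          # e.g. D:\SUPSource\Baseline (placeholder)
        [Parameter(Mandatory)] [string]   $ShareName,          # e.g. SUPSource$ (hidden share, placeholder)
        [Parameter(Mandatory)] [string]   $ProviderComputer,   # e.g. CONTOSO\CM01$ (placeholder)
        [Parameter(Mandatory)] [string]   $WizardUser,         # e.g. CONTOSO\su-admin (placeholder)
        [string[]] $ReadOnlyPrincipals = @()                   # optional extra read-only accounts
    )

    New-Item -Path $LocalPath -ItemType Directory -Force | Out-Null

    # Disable NTFS inheritance without copying the inherited ACEs, then clear any explicit
    # ACEs that were already present, so the resulting DACL holds only the grants below.
    $acl = Get-Acl -LiteralPath $LocalPath
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleAll($existing)
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    $grants  = @(
        @{ Id = "NT AUTHORITY\SYSTEM";    Rights = "FullControl" },
        @{ Id = "BUILTIN\Administrators"; Rights = "FullControl" },
        @{ Id = $ProviderComputer;        Rights = "Modify" },   # SMS Provider writes the downloaded files
        @{ Id = $WizardUser;              Rights = "Modify" }    # account that runs the download wizard
    )
    foreach ($p in $ReadOnlyPrincipals) { $grants += @{ Id = $p; Rights = "ReadAndExecute" } }

    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g.Id, $g.Rights, $inherit, $noProp, "Allow")
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $LocalPath -AclObject $acl

    # Share permissions mirror the NTFS grants; Everyone is deliberately absent.
    $share = @{
        Name         = $ShareName
        Path         = $LocalPath
        FullAccess   = "BUILTIN\Administrators"
        ChangeAccess = @($ProviderComputer, $WizardUser)
    }
    if ($ReadOnlyPrincipals.Count -gt 0) { $share.ReadAccess = $ReadOnlyPrincipals }
    New-SmbShare @share | Out-Null

    # UNC path to enter as the Package source in the wizard
    return "\\$env:COMPUTERNAME\$ShareName"
}

# Usage with placeholder values
New-RestrictedPackageSource -LocalPath "D:\SUPSource\Baseline" -ShareName 'SUPSource$' `
    -ProviderComputer 'CONTOSO\CM01$' -WizardUser "CONTOSO\su-admin"
```

After the wizard has populated the share, Get-Acl on the folder and Get-SmbShareAccess on the share should list only the principals passed in; any additional entry means inheritance was re-enabled or someone widened the share, which is the condition the page's restriction is meant to prevent.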
Process to monitor content status
1. To monitor the content status for the software updates, go to the Monitoring workspace in the
Configuration Manager console. Expand Distribution Status , and then select the Content Status node.
2. Select the software update package that you previously identified to download the software updates in
the software update group.
3. Click View Status in the ribbon.

Step 4: Deploy the software update group


After you determine the updates you want to deploy, and add them to a software update group, manually
deploy the software update group.
Process to manually deploy the software updates in a software update group
1. In the Configuration Manager console, go to the Software Library workspace, expand Software
Updates , and select the Software Update Groups node.
2. Select the software update group that you want to deploy. Click Deploy in the ribbon.
3. On the General page of the Deploy Software Updates Wizard, configure the following settings:
Name : Specify the name for the deployment. The deployment must have a unique name that
describes its purpose, and differentiates it from other deployments in the site. This name field has
a limit of 256 characters. By default, Configuration Manager automatically provides a name for the
deployment in the following format: Microsoft Software Updates - YYYY-MM-DD <time>
Description : Specify a description for the deployment. The description is optional, but provides an
overview of the deployment. Include any other relevant information that helps to identify and
differentiate it among others in the site. The description field has a limit of 256 characters, and has
a blank value by default.
Software Update/Software Update Group : Verify that the displayed software update group or
software update is correct.
Select Deployment Template : Specify whether to apply a previously saved deployment
template. Configure a deployment template to save common software update deployment
properties. Then apply the template when you deploy software updates in the future. These
templates save time and help to ensure consistency across similar deployments.
Collection : Specify the collection for the deployment. Devices in the collection receive the
software updates in this deployment.
4. On the Deployment Settings page, configure the following settings:
Type of deployment : Specify the deployment type for the software update deployment.

IMPORTANT
After you create the software update deployment, you can't change the type of deployment.

Select Required to create a mandatory software update deployment. The software updates
are automatically installed on clients before the installation deadline you configure.
Select Available to create an optional software update deployment. This deployment is
available for users to install from Software Center.

NOTE
When you deploy a software update group as Required , clients download the content in background and
honor BITS settings, if configured.
For software update groups deployed as Available , clients download the content in the foreground and
ignore BITS settings.

Use Wake-on-LAN to wake up clients for required deployments : Specifies whether to
enable Wake On LAN at the deadline. Wake On LAN sends wake-up packets to computers that
require one or more software updates in the deployment. The site wakes up any computers that
are in sleep mode at the installation deadline time so the installation can initiate. Clients that are in
sleep mode that don't require any software updates in the deployment aren't started. By default,
this setting isn't enabled. It's only available for Required deployments. Before using this option,
configure computers and networks for Wake On LAN. For more information, see How to configure
Wake On LAN.
Detail level : Specify the level of detail for the state messages that clients report to the site.
5. On the Scheduling page, configure the following settings:
Schedule evaluation : Specify the time that Configuration Manager evaluates the available time
and installation deadline times. Choose to use Coordinated Universal Time (UTC) or the local time
of the computer that runs the Configuration Manager console.
When you select Client local time here, and then select As soon as possible for the
Software available time , the current time on the computer running the Configuration
Manager console is used to evaluate when updates are available. This behavior is the same with
the Installation deadline and the time when updates are installed on a client. If the client is in
a different time zone, these actions occur when the client's time reaches the evaluation time.
Software available time : Select one of the following settings to specify when the software
updates are available to clients:
As soon as possible : Makes the software updates in the deployment available to clients
as soon as possible. When you create the deployment with this setting selected,
Configuration Manager updates the client policy. At the next client policy polling cycle,
clients become aware of the deployment and the software updates are available for
installation.
Specific time : Makes software updates included in the deployment available to clients at a
specific date and time. When you create the deployment with this setting enabled,
Configuration Manager updates the client policy. At the next client policy polling cycle,
clients become aware of the deployment. However, the software updates in the deployment
aren't available for installation until after the configured date and time.
Installation deadline : These options are only available for Required deployments. Select one of
the following settings to specify the installation deadline for the software updates in the
deployment:
As soon as possible : Select this setting to automatically install the software updates in the
deployment as soon as possible.
Specific time : Select this setting to automatically install the software updates in the
deployment at a specific date and time.
The actual installation deadline time is the displayed deadline time plus a random
amount of time up to two hours. The randomization reduces the potential impact of
clients in the collection installing updates in the deployment at the same time.
To disable the installation randomization delay for required software updates,
configure the client setting to Disable deadline randomization in the Computer
Agent group. For more information, see Computer Agent client settings.
Delay enforcement of this deployment according to user preferences, up to the grace
period defined in client settings : Enable this setting to give users more time to install required
software updates beyond the deadline.
This behavior is typically required when a computer is turned off for a long time, and needs
to install many software updates or applications. For example, when a user returns from
vacation, they have to wait for a long time as the client installs overdue deployments.
Configure this grace period with the property Grace period for enforcement after
deployment deadline (hours) in client settings. For more information, see the Computer
agent section. The enforcement grace period applies to all deployments with this option
enabled and targeted to devices to which you also deployed the client setting.
After the deadline, the client installs the software updates in the first non-business window,
which the user configured, up to this grace period. However, the user can still open Software
Center and install the software updates at any time. Once the grace period expires,
enforcement reverts to normal behavior for overdue deployments.
6. On the User Experience page, configure the following settings:
User notifications : Specify whether to display notifications in Software Center at the configured
Software available time . This setting also controls whether to notify users on the client
computers. For Available deployments, you can't select the option to Hide in Software Center
and all notifications .
Deadline behavior : This setting is only configurable for Required deployments. Specify the
behaviors when the software update deployment reaches the deadline outside of any defined
maintenance windows. The options include whether to install the software updates, and whether
to perform a system restart after installation. For more information about maintenance windows,
see How to use maintenance windows.

NOTE
This applies only when a maintenance window is configured for the client device. If no maintenance
window is defined on the device, the update installation and restart always happen after the
deadline.

Device restart behavior : This setting is only configurable for Required deployments. Specify
whether to suppress a system restart on servers and workstations if a restart is required to
complete update installation.

WARNING
Suppressing system restarts can be useful in server environments, or when you don't want the target
computers to restart by default. However, doing so can leave computers in an insecure state. Allowing a
forced restart helps to ensure immediate completion of the software update installation.

Write filter handling for Windows Embedded devices : This setting controls the installation
behavior on Windows Embedded devices that are enabled with a write filter. Choose the option to
commit changes at the installation deadline or during a maintenance window. When you select
this option, a restart is required and the changes persist on the device. Otherwise, the update is
installed, applied to the temporary overlay, and committed later.
When you deploy a software update to a Windows Embedded device, make sure the device is a
member of a collection that has a configured maintenance window.
Software updates deployment re-evaluation behavior upon restart : Select this setting to
configure software updates deployments to have clients run a software updates compliance scan
immediately after a client installs software updates and restarts. This setting enables the client to
check for additional updates that become applicable after the client restarts, then installs them
during the same maintenance window.
7. On the Alerts page, configure how Configuration Manager generates alerts for this deployment. Review
recent software updates alerts from Configuration Manager in the Software Updates node of the
Software Library workspace. If you're also using System Center Operations Manager, configure its
alerts as well. Only configure alerts for Required deployments.
8. On the Download Settings page, configure the following settings:

NOTE
Clients request the content location from a management point for the software updates in a deployment. The
download behavior depends upon how you've configured the distribution point, the deployment package, and the
settings on this page.

Specify if clients should download and install the updates when they use a distribution point from
a neighbor or the default site boundary groups.
Specify if clients should download and install the updates from a distribution point in the site
default boundary group, when the content for the software updates isn't available from a
distribution point in the current or neighbor boundary groups.
Allow clients to share content with other clients on the same subnet : Specify whether to
enable the use of BranchCache for content downloads. For more information, see BranchCache.
Starting in version 1802, BranchCache is always enabled on clients. This setting is removed, as
clients use BranchCache if the distribution point supports it.
If software updates are not available on distribution point in current, neighbor or site
boundary groups, download content from Microsoft Updates : Select this setting to have
intranet-connected clients download software updates from Microsoft Update if updates aren't
available on distribution points. Internet-based clients always go to Microsoft Update for software
updates content.
Specify whether to allow clients to download after an installation deadline when they use metered
internet connections. Internet providers sometimes charge by the amount of data that you send
and receive when you're on a metered connection.
9. On the Deployment Package page, select one of the following options:

NOTE
If you already performed Step 3: Download the content for the software update group, then the wizard doesn't
display the Deployment Package , Distribution Points , and Language Selection pages. Skip to the
Summary page of the wizard.
Software updates that have been previously downloaded to the content library on the site server aren't
downloaded again. This behavior is true even when you create a new deployment package for the software
updates. If all software updates have already been downloaded, the wizard skips to the Summary page.

Select a deployment package : Add these updates to an existing deployment package.
Create a new deployment package : Add these updates to a new deployment package.
Configure the following additional settings:
Name : Specify the name of the deployment package. Use a unique name that describes the
package content. It's limited to 50 characters.
Description : Specify a description that provides information about the deployment
package. The optional description is limited to 127 characters.
Package source : Specify the location of the software update source files. Type a network
path for the source location, for example, \\server\sharename\path , or click Browse to find
the network location. Create the shared folder for the deployment package source files
before you continue to the next page.
You can't use the specified location as the source of another software deployment
package.
You can change the package source location in the deployment package properties
after Configuration Manager creates the deployment package. If you do, first copy
the content from the original package source to the new package source location.
The computer account of the SMS Provider and the user that's running the wizard to
download the software updates must both have Write permissions to the download
location. Restrict access to the download location. This restriction reduces the risk of
attackers tampering with the software update source files.
Sending priority : Specify the sending priority for the deployment package. Configuration
Manager uses this priority when it sends the package to distribution points. Deployment
packages are sent in priority order: high, medium, or low. Packages with identical priorities
are sent in the order in which they were created. If there's no backlog, the package
processes immediately regardless of its priority.
Enable binary differential replication : Enable this setting to minimize network traffic
between sites. Binary differential replication (BDR) only updates the content that has
changed in the package, instead of updating the entire package contents. For more
information, see Binary differential replication.
No deployment package : Starting in version 1806, deploy software updates to devices without
first downloading and distributing content to distribution points. This setting is beneficial when
dealing with extremely large update content. Also use it when you always want clients to get
content from the Microsoft Update cloud service. Clients in this scenario can also download
content from peers that already have the necessary content. The Configuration Manager client
continues to manage the content download, thus can utilize the Configuration Manager peer cache
feature, or other technologies such as Delivery Optimization. This feature supports any update
type supported by Configuration Manager software updates management, including Windows
and Office updates.
10. On the Distribution Points page, specify the distribution points or distribution point groups to host the
software update files. For more information about distribution points, see Distribution point
configurations.

NOTE
If you already performed Step 3: Download the content for the software update group, then the wizard doesn't
display the Deployment Package , Distribution Points , and Language Selection pages. Skip to the
Summary page of the wizard.

11. On the Download Location page, specify whether to download the software update files from the
internet or from your local network. Configure the following settings:
Download software updates from the internet : Select this setting to download the software
updates from a specified location on the internet. This setting is enabled by default.
Download software updates from a location on the local network : Select this setting to
download the software updates from a local directory or shared folder. This setting is useful when
the computer that runs the wizard doesn't have internet access. Any computer with internet access
can preliminarily download the software updates. Then store them in a location on the local
network that's accessible from the computer that runs the wizard.
12. On the Language Selection page, select the languages for which the site downloads the selected
software updates. The site only downloads these updates if they're available in the selected languages.
Software updates that aren't language-specific are always downloaded. By default, the wizard selects the
languages that you've configured in the software update point properties. At least one language must be
selected before proceeding to the next page. When you select only languages that a software update
doesn't support, the download fails for the update.

NOTE
If you already performed Step 3: Download the content for the software update group, then the wizard doesn't
display the Deployment Package , Distribution Points , and Language Selection pages. Skip to the
Summary page of the wizard.

13. On the Summary page, review the settings. To save the settings to a deployment template, click Save As
Template . Enter a name and select the settings you want to include in the template, then click Save . To
change a configured setting, click the associated wizard page and change the setting.
The template name can consist of alphanumeric ASCII characters as well as \ (backslash) or '
(single quotation mark).
14. Click Next to deploy the software update.
After you complete the wizard, Configuration Manager downloads the software updates to the content
library on the site server. It then distributes the content to the configured distribution points, and deploys
the software update group to clients in the target collection. For more information about the deployment
process, see Software update deployment process.
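As an added example that is not part of the original page, the same deployment wizard choices (steps 4 through 8 above) scripted with the ConfigurationManager PowerShell module's New-CMSoftwareUpdateDeployment cmdlet. The site code, software update group, collection and deployment names are placeholder assumptions, and the sense of the two restart booleans is an assumption to confirm with Get-Help for your module version.

```powershell
# Added example: script the deployment wizard settings described above with the
# ConfigurationManager PowerShell module. The site code, group, collection and
# deployment names are placeholders (assumptions), not values from the page.
$SiteCode       = 'PS1'                                   # placeholder site code
$UpdateGroup    = 'SUG - 2021-09 Security Updates'        # placeholder software update group
$Collection     = 'Pilot - Servers'                       # placeholder target collection
$DeploymentName = "$UpdateGroup - $Collection"

# Load the module that ships with the console and switch to the site drive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

# Step 3 of the wizard: verify the group and the collection exist before deploying.
if (-not (Get-CMSoftwareUpdateGroup -Name $UpdateGroup)) { throw "Software update group '$UpdateGroup' not found" }
if (-not (Get-CMCollection -Name $Collection))          { throw "Collection '$Collection' not found" }

# Steps 4-8: Deployment Settings, Scheduling, User Experience, Alerts, Download Settings.
# Times are evaluated in UTC so every client in the collection reaches the deadline at the
# same moment regardless of time zone; the client still adds up to two hours of randomization.
$available = (Get-Date).ToUniversalTime()
$deadline  = $available.AddDays(7)

$params = @{
    SoftwareUpdateGroupName     = $UpdateGroup
    CollectionName              = $Collection
    DeploymentName              = $DeploymentName
    DeploymentType              = 'Required'                    # mandatory; cannot be changed after creation
    SendWakeupPacket            = $true                         # Wake-on-LAN at the deadline (Required only)
    VerbosityLevel              = 'OnlySuccessAndErrorMessages' # Detail level
    TimeBasedOn                 = 'Utc'                         # Schedule evaluation
    AvailableDateTime           = $available                    # Software available time
    DeadlineDateTime            = $deadline                     # Installation deadline
    UserNotification            = 'DisplaySoftwareCenterOnly'
    SoftwareInstallation        = $true                         # install at the deadline even outside a maintenance window
    AllowRestart                = $true                         # allow the restart outside a maintenance window as well
    # Device restart behavior: do not suppress restarts, because a suppressed restart leaves the
    # update only partially applied. Assumption: $false here means "do not suppress"; confirm with
    # Get-Help New-CMSoftwareUpdateDeployment -Parameter RestartServer in your module version.
    RestartServer               = $false
    RestartWorkstation          = $false
    PersistOnWriteFilterDevice  = $true                         # commit changes on Windows Embedded write-filter devices
    RequirePostRebootFullScan   = $true                         # re-scan after restart to catch newly applicable updates
    GenerateSuccessAlert        = $true                         # Alerts page
    ProtectedType               = 'RemoteDistributionPoint'     # allow a DP from a neighbor boundary group
    UnprotectedType             = 'UnprotectedDistributionPoint' # fall back to a DP in the site default boundary group
    DownloadFromMicrosoftUpdate = $true                         # last resort: Microsoft Update over the internet
    AllowUseMeteredNetwork      = $false                        # no downloads on metered connections
    AcceptEula                  = $true
}
New-CMSoftwareUpdateDeployment @params | Out-Null

# Confirm what the site actually recorded before handing the deployment to operations.
Get-CMSoftwareUpdateDeployment -Name $DeploymentName |
    Select-Object AssignmentName, CollectionName, StartTime, EnforcementDeadline,
                  SuppressReboot, UseUTCForAssignmentSchedule
```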

Next steps
Monitor software updates
Automatically deploy software updates
9/17/2021 • 21 minutes to read

Applies to: Configuration Manager (current branch)

Use an automatic deployment rule (ADR) rather than adding new updates to an existing software update group.
Typically, you use ADRs to deploy monthly software updates (also known as "Patch Tuesday" updates) and for
managing Endpoint Protection definition updates. If you need help to determine which deployment method is
right for you, see Deploy software updates.

Create an automatic deployment rule (ADR)

Automatically approve and deploy software updates by using an ADR. The rule can add software updates to a
new software update group each time the rule runs, or add software updates to an existing group. When a rule
runs and adds software updates to an existing group, the rule removes all updates from the group. It then adds
to the group the updates that meet the criteria you define.

WARNING
Before you create an ADR for the first time, verify that the site has completed software updates synchronization. This step
is important when you run Configuration Manager with a non-English language. Software update classifications are
displayed in English before the first synchronization, and then displayed in the localized languages after software update
synchronization completes. Rules that you create before you sync software updates might not work properly after
synchronization because the text string might not match.

Process to create an ADR

1. In the Configuration Manager console, go to the Software Library workspace, expand Software
Updates , and select the Automatic Deployment Rules node.
2. In the ribbon, click Create Automatic Deployment Rule .
3. On the General page of the Create Automatic Deployment Rule Wizard, configure the following settings:
Name : Specify the name for the ADR. The name must be unique, help to describe the purpose of
the rule, and identify it from others in the Configuration Manager site.
Description : Specify a description for the ADR. The description should provide an overview of the
deployment rule and other relevant information that helps to differentiate the rule from others.
The description field is optional, has a limit of 256 characters, and has a blank value by default.
Template : Select a deployment template to specify whether to apply previously saved ADR
configurations. Configure a deployment template containing multiple common update
deployment properties that you can use when creating additional ADRs. These templates save
time and help to ensure consistency across similar deployments. Select from one of the following
built-in software update deployment templates:
The Patch Tuesday template provides common settings to use when you deploy software
updates on a monthly cycle.
The Office 365 Client Updates template provides common settings to use when you
deploy updates for Microsoft 365 Apps clients.
NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for
enterprise . If your ADRs rely on the "Title" property, you'll need to edit it starting June 9, 2020.
Microsoft 365 Apps Update - Semi-annual Channel Version 1908 for x64 based Edition (Build 11929.50000)
is an example of the new title. For more information on modifying your ADRs for the title change,
see Update channels for Microsoft 365 Apps. For more information about the name change, see
Name change for Office 365 ProPlus.

The SCEP and Windows Defender Antivirus Updates template provides common
settings to use when you deploy Endpoint Protection definition updates.
Collection : Specifies the target collection to be used for the deployment. Members of the
collection receive the software updates that are defined in the deployment.
Decide whether to add software updates to a new or existing software update group. In most
cases, choose to create a new software update group when the ADR runs. If the rule runs on a
more aggressive schedule, you might choose to use an existing group. For example, if you run the
rule daily for definition updates, then you could add the software updates to an existing software
update group.
Enable the deployment after this rule is run : Specify whether to enable the software update
deployment after the ADR runs. Consider the following options for this setting:
When you enable the deployment, the updates that meet the rule's defined criteria are
added to a software update group. The software update content is downloaded as
necessary. The content is copied to the specified distribution points, and the updates are
deployed to the clients in the target collection.
When you don't enable the deployment, the updates that meet the rule's defined criteria are
added to a software update group. The software update deployment content is downloaded,
as necessary, and distributed to the specified distribution points. The site creates a disabled
deployment on the software update group to prevent the updates from being deployed to
clients. This option provides time to prepare to deploy the updates, verify the updates that
meet the criteria are adequate, and then enable the deployment.
4. On the Deployment Settings page, configure the following settings:
Type of deployment : Starting in version 2107, you can specify the deployment type for the
software update deployment. Prior to version 2107, all deployments created by an automatic
deployment rule are required.
Select Required to create a mandatory software update deployment. The software updates
are automatically installed on clients before the installation deadline you configure.
Select Available to create an optional software update deployment. This deployment is
available for users to install from Software Center.
Use Wake on LAN to wake up clients for required deployments : Specifies whether to
enable Wake On LAN at the deadline. Wake On LAN sends wake-up packets to computers that
require one or more software updates in the deployment. The site wakes up any computers that
are in sleep mode at the installation deadline time so the installation can initiate. Clients that are in
sleep mode that don't require any software updates in the deployment aren't started. By default,
this setting isn't enabled. Before using this option, configure computers and networks for Wake On
LAN. For more information, see How to configure Wake On LAN.
Detail level : Specify the level of detail for the update enforcement state messages that are
reported by clients.

IMPORTANT
When you deploy definition updates, set the detail level to Error only to have the client report a state
message only when a definition update fails. Otherwise, the client reports a large number of state
messages that might impact site server performance.

NOTE
The Error only detail level does not send the enforcement status messages required for tracking pending
reboots.

License terms setting : Specify whether to automatically deploy software updates with
associated license terms. Some software updates include license terms. When you automatically
deploy software updates, the license terms aren't displayed, and there isn't an option to accept the
license terms. Choose to automatically deploy all software updates regardless of an associated
license term, or only deploy updates that don't have associated license terms.
To review the license terms for a software update, select the software update in the All
Software Updates node of the Software Library workspace. In the ribbon, click Review
License .
To find software updates with associated license terms, add the License Terms column to
the results pane in the All Software Updates node. Click the heading for the column to
sort by the software updates with license terms.
5. On the Software Updates page, configure the criteria for the software updates that the ADR retrieves
and adds to the software update group.
The limit for software updates in the ADR is 1000 software updates.
If needed, filter on the content size for software updates in automatic deployment rules. For more
information, see Configuration Manager and simplified Windows servicing on down level
operating systems.
Starting in version 1910, you can use Deployed as an update filter for your automatic
deployment rules. This filter helps identify new updates that may need to be deployed to your pilot
or test collections. The software update filter can also help avoid redeploying older updates.
When using Deployed as a filter, be mindful that you may have already deployed the update to
another collection, such as a pilot or test collection.
Starting in version 1806, a property filter for Architecture is now available. Use this filter to
exclude architectures like Itanium and ARM64 that are less common. Remember that there are 32-bit (x86) applications and components running on 64-bit (x64) systems. Unless you're certain that
you don't need x86, enable it as well when you choose x64.

NOTE
Windows 10, version 1903 and later was added to Microsoft Update as its own product, rather than being
part of the Windows 10 product like earlier versions. This change required a number of manual steps to
ensure that your clients see these updates. Configuration Manager version 1906 reduces the number of manual
steps you have to take for the new product. For more information, see Configuring products for
versions of Windows 10.

6. On the Evaluation Schedule page, specify whether to enable the ADR to run on a schedule. When
enabled, click Customize to set the recurring schedule.
The start time configuration for the schedule is based on the local time of the computer that runs
the Configuration Manager console.
The ADR evaluation can run as often as three times per day.
Never set the evaluation schedule with a frequency that exceeds the software updates
synchronization schedule. This page displays the software update point sync schedule to help you
determine evaluation schedule frequency.
To manually run the ADR, select the rule in the Automatic Deployment Rule node of the
console, and then click Run Now in the ribbon.
Starting in version 1802, ADRs can be scheduled to evaluate offset from a base day. For example, if
Patch Tuesday actually falls on Wednesday for you, set the evaluation schedule for the second
Tuesday of the month offset by one day.
When scheduling evaluation with an offset during the last week of the month, if you choose an
offset that continues into the next month, the site schedules evaluation for the last day of the
month.

7. On the Deployment Schedule page, configure the following settings:

Schedule evaluation : Specify the time that Configuration Manager evaluates the available time
and installation deadline times. Choose to use Coordinated Universal Time (UTC) or the local time
of the computer that runs the Configuration Manager console.
When you select Client local time here, and then select As soon as possible for the
Software available time , the current time on the computer running the Configuration
Manager console is used to evaluate when updates are available. This behavior is the same with
the Installation deadline and the time when updates are installed on a client. If the client is in
a different time zone, these actions occur when the client's time reaches the evaluation time.
Software available time : Select one of the following settings to specify when the software
updates are available to clients:
As soon as possible : Makes the software updates in the deployment available to clients
as soon as possible. When you create the deployment with this setting selected,
Configuration Manager updates the client policy. At the next client policy polling cycle,
clients become aware of the deployment and the software updates are available for
installation.
Specific time : Makes software updates included in the deployment available to clients at a
specific date and time. When you create the deployment with this setting enabled,
Configuration Manager updates the client policy. At the next client policy polling cycle,
clients become aware of the deployment. However, the software updates in the deployment
aren't available for installation until after the configured date and time.
Installation deadline : These options are only available for Required deployments. Select one of
the following settings to specify the installation deadline for the software updates in the
deployment:
As soon as possible : Select this setting to automatically install the software updates in the
deployment as soon as possible.
Specific time : Select this setting to automatically install the software updates in the
deployment at a specific date and time. Configuration Manager determines the deadline to
install software updates by adding the configured Specific time interval to the Software
available time .
The actual installation deadline time is the displayed deadline time plus a random
amount of time up to two hours. The randomization reduces the potential impact of
clients in the collection installing updates in the deployment at the same time.
The Disable deadline randomization setting in the Computer Agent group doesn't
override this randomization behavior. For more information, see Computer Agent
client settings.
Delay enforcement of this deployment according to user preferences, up to the grace
period defined in client settings : Enable this setting to give users more time to install required
software updates beyond the deadline.
This behavior is typically required when a computer is turned off for a long time, and needs
to install many software updates or applications. For example, when a user returns from
vacation, they have to wait for a long time as the client installs overdue deployments.
Configure this grace period with the property Grace period for enforcement after
deployment deadline (hours) in client settings. For more information, see the Computer
agent section. The enforcement grace period applies to all deployments with this option
enabled and targeted to devices to which you also deployed the client setting.
After the deadline, the client installs the software updates in the first non-business window,
which the user configured, up to this grace period. However, the user can still open Software
Center and install the software updates at any time. Once the grace period expires,
enforcement reverts to normal behavior for overdue deployments.
8. On the User Experience page, configure the following settings:
User notifications : Specify whether to display notifications in Software Center at the configured
Software available time . This setting also controls whether to notify users on the clients.
Deadline behavior : This setting is only configurable for Required deployments. Specify the
behaviors when the software update deployment reaches the deadline outside of any defined
maintenance windows. The options include whether to install the software updates, and whether
to perform a system restart after installation. For more information about maintenance windows,
see How to use maintenance windows.

NOTE
This applies only when a maintenance window is configured for the client device. If no maintenance
window is defined on the device, the update installation and restart always happen after the
deadline.

Device restart behavior : This setting is only configurable for Required deployments. Specify
whether to suppress a system restart on servers and workstations if a restart is required to
complete update installation.

WARNING
Suppressing system restarts can be useful in server environments, or when you don't want the target
computers to restart by default. However, doing so can leave computers in an insecure state. Allowing a
forced restart helps to ensure immediate completion of the software update installation.

Write filter handling for Windows Embedded devices : This setting controls the installation
behavior on Windows Embedded devices that are enabled with a write filter. Choose the option to
commit changes at the installation deadline or during a maintenance window. When you select
this option, a restart is required and the changes persist on the device. Otherwise, the update is
installed, applied to the temporary overlay, and committed later.
When you deploy a software update to a Windows Embedded device, make sure the device is a
member of a collection that has a configured maintenance window.
Software updates deployment re-evaluation behavior upon restart : Select this setting to
configure software updates deployments to have clients run a software updates compliance scan
immediately after a client installs software updates and restarts. This setting enables the client to
check for additional updates that become applicable after the client restarts, then installs them
during the same maintenance window.
9. On the Alerts page, configure how Configuration Manager generates alerts for this deployment. Review
recent software updates alerts from Configuration Manager in the Software Updates node of the
Software Library workspace. If you're also using System Center Operations Manager, configure its
alerts as well.
10. On the Download Settings page, configure the following settings:
Specify if clients should download and install the updates when they use a distribution point from
a neighbor or the default site boundary groups.
Specify if clients should download and install the updates from a distribution point in the site
default boundary group, when the content for the software updates isn't available from a
distribution point in the current or neighbor boundary groups.
Allow clients to share content with other clients on the same subnet : Specify whether to
enable the use of BranchCache for content downloads. For more information, see BranchCache.
Starting in version 1802, BranchCache is always enabled on clients. This setting is removed, as
clients use BranchCache if the distribution point supports it.
If software updates are not available on distribution point in current, neighbor or site
boundary groups, download content from Microsoft Updates: Select this setting to have
intranet-connected clients download software updates from Microsoft Update if updates aren't
available on distribution points. Internet-based clients always go to Microsoft Update for software
updates content.
Specify whether to allow clients to download after an installation deadline when they use metered
internet connections. Internet providers sometimes charge by the amount of data that you send
and receive when you're on a metered connection.

NOTE
Clients request the content location from a management point for the software updates in a deployment. The
download behavior depends upon how you've configured the distribution point, deployment package, and the
settings on this page.

11. On the Deployment Package page, select one of the following options:
Select a deployment package : Add these updates to an existing deployment package.
Create a new deployment package : Add these updates to a new deployment package.
Configure the following additional settings:
Name : Specify the name of the deployment package. Use a unique name that describes the
package content. It's limited to 50 characters.
Description : Specify a description that provides information about the deployment
package. The optional description is limited to 127 characters.
Package source : Specifies the location of the software update source files. Type a network
path for the source location, for example, \\server\sharename\path , or click Browse to find
the network location. Create the shared folder for the deployment package source files
before you proceed to the next page.
You can't use the specified location as the source of another software deployment
package.
You can change the package source location in the deployment package properties
after Configuration Manager creates the deployment package. If you do, first copy
the content from the original package source to the new package source location.
The computer account of the SMS Provider and the user that's running the wizard to
download the software updates must both have Write permissions to the download
location. Restrict access to the download location. This restriction reduces the risk of
attackers tampering with the software update source files.
Sending priority : Specify the sending priority for the deployment package. Configuration
Manager uses this priority when it sends the package to distribution points. Deployment
packages are sent in priority order: high, medium, or low. Packages with identical priorities
are sent in the order in which they were created. If there's no backlog, the package
processes immediately regardless of its priority.
Enable binary differential replication: Enable this setting to use binary differential
replication for the deployment package. For more information, see Binary differential
replication.
No deployment package : Starting in version 1806, deploy software updates to devices without
first downloading and distributing content to distribution points. This setting is beneficial when
dealing with extremely large update content. Also use it when you always want clients to get
content from the Microsoft Update cloud service. Clients in this scenario can also download
content from peers that already have the necessary content. The Configuration Manager client
continues to manage the content download, thus can utilize the Configuration Manager peer cache
feature, or other technologies such as Delivery Optimization. This feature supports any update
type supported by Configuration Manager software updates management, including Windows
and Microsoft 365 Apps updates.

NOTE
Once you select this option and apply the settings, it can no longer be changed. The other options are
greyed out.

12. On the Distribution Points page, specify the distribution points or distribution point groups to host the
software update files. For more information about distribution points, see Distribution point
configurations. This page is available only when you create a new software update deployment package.
13. On the Download Location page, specify whether to download the software update files from the
internet or from your local network. Configure the following settings:
Download software updates from the internet : Select this setting to download the software
updates from a specified location on the internet. This setting is enabled by default.
Download software updates from a location on the local network : Select this setting to
download the software updates from a local directory or shared folder. This setting is useful when
the computer that runs the wizard doesn't have internet access. Any computer with internet access
can download the software updates in advance and store them in a location on the local
network that's accessible from the computer that runs the wizard. Another scenario could be when
downloading content that is published through System Center Updates Publisher or a third-party
patching solution. The WSUS content share on the top-level software update point can be entered
as the network location to download from, such as \\server\WsusContent .
14. On the Language Selection page, select the languages for which the site downloads the selected
software updates. The site only downloads these updates if they're available in the selected languages.
Software updates that aren't language-specific are always downloaded. By default, the wizard selects the
languages that you've configured in the software update point properties. At least one language must be
selected before proceeding to the next page. When you select only languages that a software update
doesn't support, the download fails for the update.
15. On the Summary page, review the settings. To save the settings to a deployment template, click Save As
Template . Enter a name and select the settings you want to include in the template, then click Save . To
change a configured setting, click the associated wizard page and change the setting.
The template name can consist of alphanumeric ASCII characters as well as \ (backslash) or ' (single quotation mark).
16. Click Next to create the ADR.
After you complete the wizard, the ADR runs. It adds the software updates that meet the specified criteria to a
software update group. Then the ADR downloads the updates to the content library on the site server and
distributes them to the configured distribution points. The ADR then deploys the software update group to
clients in the target collection.
Add a new deployment to an existing ADR
After you create an ADR, add additional deployments to the rule. This action helps you manage the complexity
of deploying different updates to different collections. Each new deployment has the full range of functionality
and deployment monitoring experience.
Process to add a new deployment to an existing ADR
1. In the Configuration Manager console, go to the Software Library workspace, expand Software
Updates , select the Automatic Deployment Rules node, and then select the desired rule.
2. In the ribbon, click Add Deployment .
3. On the Collection page of the Add Deployment Wizard, configure the available settings similarly as the
General page of the Create Automatic Deployment Rule Wizard. For more information, see the previous
section on the Process to create an ADR. The rest of the Add Deployment Wizard includes the following
pages, which also match detailed descriptions above:
Deployment Settings
Deployment Schedule
User Experience
Alerts
Download Settings
Deployments can also be added programmatically using Windows PowerShell cmdlets. For a complete
description of using this method, see New-CMSoftwareUpdateDeployment.
For more information about the deployment process, see Software update deployment process.
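One way to add such a deployment from PowerShell, as an added example that is not part of the original documentation: it assumes the ConfigurationManager module is available on the console computer, uses constructed placeholder names for the software update group and collection, and takes the parameter names and enumeration values from the New-CMSoftwareUpdateDeployment parameter set as assumed here (verify them with Get-Help New-CMSoftwareUpdateDeployment -Full in your version).

```powershell
# Added example (not from the original documentation): create a Required
# deployment for an existing software update group, choosing the settings this
# article discusses (deadline, restart behavior, post-restart re-scan, download
# fallback, metered networks, alert threshold). Names are constructed placeholders.
# Parameter names and enum values are assumed from the cmdlet's parameter set;
# check them with: Get-Help New-CMSoftwareUpdateDeployment -Full

Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$((Get-PSDrive -PSProvider CMSite).Name):"

$updateGroupName = 'Constructed-2021-09 Security Updates'   # placeholder SUG name
$collectionName  = 'Constructed-Pilot Servers'              # placeholder collection

# Fail early if either object is missing rather than creating a dangling deployment.
if (-not (Get-CMSoftwareUpdateGroup -Name $updateGroupName)) {
    throw "Software update group '$updateGroupName' was not found."
}
if (-not (Get-CMCollection -Name $collectionName)) {
    throw "Collection '$collectionName' was not found."
}

# Available immediately; installation required 7 days later, in client local time.
$available = Get-Date
$deadline  = $available.AddDays(7)

$deploymentParams = @{
    SoftwareUpdateGroupName     = $updateGroupName
    CollectionName              = $collectionName
    DeploymentName              = "$updateGroupName - $collectionName"
    DeploymentType              = 'Required'
    AvailableDateTime           = $available
    DeadlineDateTime            = $deadline
    TimeBasedOn                 = 'LocalTime'
    UserNotification            = 'DisplaySoftwareCenterOnly'

    # Device restart behavior: the warning above notes that suppressing restarts
    # can leave computers in an insecure state, so restarts are allowed here on
    # both servers and workstations ($true = allow a restart; confirm the meaning
    # for your version with Get-Help).
    RestartServer               = $true
    RestartWorkstation          = $true

    # Re-evaluation upon restart: run a compliance scan after install and restart so
    # updates that only become applicable afterwards install in the same window.
    RequirePostRebootFullScan   = $true

    # Allow installation outside a maintenance window once the deadline passes.
    SoftwareInstallation        = $true

    # Download Settings page: use neighbor/site boundary group DPs, fall back to
    # Microsoft Update when content is missing, and stay off metered connections.
    ProtectedType               = 'RemoteDistributionPoint'
    UnprotectedType             = 'UnprotectedDistributionPoint'
    DownloadFromMicrosoftUpdate = $true
    AllowUseMeteredNetwork      = $false

    # Alerts page: raise an alert if fewer than 95% of clients succeed after the deadline.
    PercentSuccess              = 95
    VerbosityLevel              = 'OnlySuccessAndErrorMessages'
    AcceptEula                  = $true
}

$deployment = New-CMSoftwareUpdateDeployment @deploymentParams

# Show the key properties of the SMS_UpdatesAssignment that was created.
$deployment | Format-List AssignmentName, CollectionName, EnforcementDeadline
```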

Known issues
Error code 0x87D20417
Scenario: When running Configuration Manager version 2010, you may notice that an automatic deployment
rule fails and returns Last Error Code of 0x87D20417. In the PatchDownloader.log , you see
Failed to create temp file with GetTempFileName() at temp location C:\Windows\TEMP\, error 80 and 0-byte files
in the %temp% directory.
Workaround: Remove all the files from the temp directory specified in the PatchDownloader.log and rerun
the ADR.
Resolution: Install KB 4600089, Update Rollup for Microsoft Endpoint Configuration Manager current branch,
version 2010.
Script to apply deployment package settings for automatic deployment rule
If you create an ADR with the No deployment package option, you're unable to go back and add one later. To
help you resolve this issue, we've uploaded the following script into Community hub:

TIP
Open this script directly in Community hub. For more information, see Direct links to Community hub items.
<# Apply-ADRDeploymentPackageSettings #>

#=============================================
# START SCRIPT
#=============================================
param
(
    [parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [ValidateLength(1,256)]
    [string]$sourceADRName,

    [parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [ValidateLength(1,256)]
    [string]$targetADRName
)

Try {
    # Source ADR that already has the needed deployment package. You may need to create one if it doesn't exist.
    $sourceADR = Get-CMSoftwareUpdateAutoDeploymentRule -Name $sourceADRName

    # Target ADR that will be updated to use the source ADR's deployment package.
    # Typically, this is the ADR that used the "No deployment package" option.
    $targetADR = Get-CMSoftwareUpdateAutoDeploymentRule -Name $targetADRName

    # Apply the deployment package settings
    $targetADR.ContentTemplate = $sourceADR.ContentTemplate

    # Update the WMI object
    $targetADR.Put()
}
Catch {
    $exceptionDetails = "Exception: " + $_.Exception.Message + " HResult: " + $_.Exception.HResult
    Write-Error "Failed to apply ADR deployment package settings: $exceptionDetails"
}
#=============================================
# END SCRIPT
#=============================================

Next steps
Monitor software updates
Create phased deployments with Configuration Manager
9/17/2021 • 8 minutes to read

Applies to: Configuration Manager (current branch)


Phased deployments automate a coordinated, sequenced rollout of software across multiple collections. For
example, deploy software to a pilot collection, and then automatically continue the rollout based on success
criteria. Create phased deployments with the default of two phases, or manually configure multiple phases.
Create phased deployments for the following objects:
Task sequence
The phased deployment of task sequences doesn't support PXE or media installation
Application
Software update
You can't use an automatic deployment rule (ADR) with a phased deployment

Prerequisites
Security scope
Deployments created by phased deployments aren't visible to any administrative user that doesn't have the
All security scope. For more information, see Security scopes.
Distribute content
Before creating a phased deployment, distribute the associated content to a distribution point.
Application : Select the target application in the console and use the Distribute Content action in the
ribbon. For more information, see Deploy and manage content.
Task sequence : You have to create referenced objects like the OS upgrade package before creating the
task sequence. Distribute these objects before creating a deployment. Use the Distribute Content action
on each object, or the task sequence. To view status of all referenced content, select the task sequence,
and switch to the References tab in the details pane. For more information, see the specific object type in
Prepare for OS deployment.
Software update: Create the deployment package and distribute it. Use the Download Software Updates
Wizard. For more information, see Download software updates.

Phase settings
These settings are unique to phased deployments. Configure these settings when creating or editing the phases
to control the scheduling and behavior of the phased deployment process.
Starting in version 2002, use the following Windows PowerShell cmdlets to manually configure phases for
software update and task sequence phased deployments:
New-CMSoftwareUpdatePhase
New-CMTaskSequencePhase
Criteria for success of the first phase
Deployment success percentage : Specify the percent of devices that need to successfully complete
the deployment for the first phase to succeed. By default, this value is 95%. In other words, the site
considers the first phase successful when the compliance state for 95% of the devices is Success for this
deployment. The site then continues to the second phase, and creates a deployment of the software to the
next collection.
Number of devices successfully deployed : Specify the number of devices that need to successfully
complete the deployment for the first phase to succeed. This option is useful when the size of the
collection is variable, and you have a specific number of devices to show success before moving to the
next phase.
Conditions for beginning second phase of deployment after success of the first phase
Automatically begin this phase after a deferral period (in days) : Choose the number of days to
wait before beginning the second phase after the success of the first. By default, this value is one day.
Manually begin the second phase of deployment : The site doesn't automatically begin the second
phase after the first phase succeeds. This option requires that you manually start the second phase. For
more information, see Move to the next phase.

NOTE
This option isn't available for phased deployments of applications.

Gradually make this software available over this period of time (in days)
Configure this setting for the rollout in each phase to happen gradually. This behavior helps mitigate the risk of
deployment issues, and decreases the load on the network that is caused by the distribution of content to clients.
The site gradually makes the software available depending on the configuration for each phase. Every client in a
phase has a deadline relative to the time the software is made available. The time window between the available
time and deadline is the same for all clients in a phase. The default value of this setting is zero, so by default the
deployment isn't throttled. Don't set the value higher than 30.
Configure the deadline behavior relative to when the software is made available
Installation is required as soon as possible : Set the deadline for installation on the device as soon
as the device is targeted.
Installation is required after this period of time : Set a deadline for installation a certain number of
days after device is targeted. By default, this value is seven days.

Automatically create a default two-phase deployment


1. Start the Create Phased Deployment wizard in the Configuration Manager console. This action varies
based on the type of software you're deploying:
Application: Go to the Software Library, expand Application Management, and select
Applications . Select an existing application, and then choose Create Phased Deployment in
the ribbon.
Software update: Go to the Software Library, expand Software Updates, and select All
Software Updates . Select one or more updates, and then choose Create Phased Deployment
in the ribbon.
This action is available for software updates from the following nodes:
Software Updates
All Software Updates
Software Update Groups
Windows 10 Servicing, All Windows 10 Updates
Office 365 Client Management, Office 365 Updates
Task sequence: Go to the Software Library workspace, expand Operating Systems, and
select Task Sequences . Select an existing task sequence, and then choose Create Phased
Deployment in the ribbon.
2. On the General page, give the phased deployment a Name , Description (optional), and select
Automatically create a default two phase deployment .
3. Select Browse and choose a target collection for both the First Collection and Second Collection
fields. For a task sequence and software updates, select from device collections. For an application, select
from user or device collections. Select Next .

IMPORTANT
The Create Phased Deployment wizard doesn't notify you if a deployment is potentially high-risk. For more
information, see Settings to manage high-risk deployments and the note when you Deploy a task sequence.

4. On the Settings page, choose one option for each of the scheduling settings. For more information, see
Phase settings. Select Next when complete.
5. On the Phases page, see the two phases that the wizard creates for the specified collections. Select Next .
These instructions cover the procedure to automatically create a default two-phase deployment. The
wizard lets you add, remove, reorder, edit, or view phases for a phased deployment. For more information
on these additional actions, see Create a phased deployment with manually configured phases.
6. Confirm your selections on the Summary tab, and then select Next to complete the wizard.

NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see the old name in the Configuration Manager
product and documentation while the console is being updated.

Starting in version 2002, use the following Windows PowerShell cmdlets for this task:
New-CMApplicationAutoPhasedDeployment
New-CMSoftwareUpdateAutoPhasedDeployment
New-CMTaskSequenceAutoPhasedDeployment

Create a phased deployment with manually configured phases


Create a phased deployment with manually configured phases for a task sequence. Add up to 10 additional
phases from the Phases tab of the Create Phased Deployment wizard.

NOTE
You can't currently manually create phases for an application. The wizard automatically creates two phases for application
deployments.

1. Start the Create Phased Deployment wizard for either a task sequence or software updates.
2. On the General page of the Create Phased Deployment wizard, give the phased deployment a Name ,
Description (optional), and select Manually configure all phases .
3. From the Phases page of the Create Phased Deployment wizard, the following actions are available:
Filter the list of deployment phases. Enter a string of characters for a case-insensitive match of the
Order, Name, or Collection columns.
Add a new phase:
a. On the General page of the Add Phase Wizard, specify a Name for the phase, and then
browse to the target Phase Collection . The additional settings on this page are the same
as when normally deploying a task sequence or software updates.
b. On the Phase Settings page of the Add Phase Wizard, configure the scheduling settings,
and select Next when complete. For more information, see Settings.

NOTE
You can't edit the phase settings, Deployment success percentage or Number of devices
successfully deployed , on the first phase. These settings only apply to phases that have a
previous phase.

c. The settings on the User Experience and Distribution Points pages of the Add Phase
Wizard are the same as when normally deploying a task sequence or software updates.
d. Review the settings on the Summary page, and then complete the Add Phase Wizard.
Edit : This action opens the selected phase's Properties window, which has tabs the same as the
pages of the Add Phase Wizard.
Remove : This action deletes the selected phase.

WARNING
There is no confirmation, and no way to undo this action.

Move Up or Move Down : The wizard orders the phases by how you add them. The most recently
added phase is last in the list. To change the order, select a phase, and then use these buttons to
move the phase's location in the list.

IMPORTANT
Review the phase settings after changing the order. Make sure the following settings are still consistent
with your requirements for this phased deployment:
Criteria for success of the previous phase
Conditions for beginning this phase of deployment after success of the previous phase

4. Select Next. Review the settings on the Summary page, and then complete the Create Phased
Deployment wizard.
Starting in version 2002, use the following Windows PowerShell cmdlets for this task:
New-CMSoftwareUpdateManualPhasedDeployment
New-CMTaskSequenceManualPhasedDeployment
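The manually configured phases described above, built with these cmdlets as an added example that is not part of the original documentation: it assumes the ConfigurationManager module is available, uses constructed placeholder names for the software update group and collections, and takes parameter names and enumeration values from the New-CMSoftwareUpdatePhase and New-CMSoftwareUpdateManualPhasedDeployment parameter sets as assumed here (verify with Get-Help in your version). It goes beyond the two-phase default to show a third, manually started phase.

```powershell
# Added example (not from the original documentation): a three-phase software
# update rollout that maps each phase setting from this article to a parameter:
# success criteria, begin condition, gradual availability, and deadline.
# Names are constructed placeholders; parameter names and enum values are assumed
# from the cmdlet parameter sets. Check with: Get-Help New-CMSoftwareUpdatePhase -Full

Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$((Get-PSDrive -PSProvider CMSite).Name):"

$sug = 'Constructed-2021-09 Security Updates'   # placeholder software update group

# Phase 1: pilot. Success criteria can't be set on the first phase (see the note
# above); only the collection, throttling and deadline are configured.
$pilotParams = @{
    SoftwareUpdateGroupName = $sug
    PhaseName               = 'Phase 1 - Pilot'
    CollectionName          = 'Constructed-Pilot Workstations'   # placeholder
    ThrottlingDays          = 0            # available to every pilot device at once
    InstallationChoice      = 'AfterPeriod'
    DeadlineUnit            = 'Days'
    DeadlineValue           = 3            # required 3 days after a device is targeted
}
$pilot = New-CMSoftwareUpdatePhase @pilotParams

# Phase 2: broad rollout. Begins automatically 2 days after 95% of pilot devices
# report Success, is made available gradually over 5 days, deadline 7 days later.
$broadParams = @{
    SoftwareUpdateGroupName      = $sug
    PhaseName                    = 'Phase 2 - Broad'
    CollectionName               = 'Constructed-All Workstations'   # placeholder
    CriteriaOption               = 'Compliance'
    CriteriaValue                = 95
    BeginCondition               = 'AfterPeriod'
    DaysAfterPreviousPhaseSuccess = 2
    ThrottlingDays               = 5       # keep within the documented maximum of 30
    InstallationChoice           = 'AfterPeriod'
    DeadlineUnit                 = 'Days'
    DeadlineValue                = 7
}
$broad = New-CMSoftwareUpdatePhase @broadParams

# Phase 3: servers. Requires a fixed number of successes from phase 2 and a manual
# start, so someone reviews the broad results before production servers are targeted.
$serverParams = @{
    SoftwareUpdateGroupName = $sug
    PhaseName               = 'Phase 3 - Servers'
    CollectionName          = 'Constructed-Production Servers'   # placeholder
    CriteriaOption          = 'Number'
    CriteriaValue           = 200
    BeginCondition          = 'Manually'
    ThrottlingDays          = 3
    InstallationChoice      = 'AfterPeriod'
    DeadlineUnit            = 'Days'
    DeadlineValue           = 14
}
$servers = New-CMSoftwareUpdatePhase @serverParams

# Assemble the phased deployment; phase order follows the order in -AddPhases.
$pd = New-CMSoftwareUpdateManualPhasedDeployment -Name 'Constructed-Monthly rollout' `
    -Description 'Pilot, then broad, then servers' `
    -SoftwareUpdateGroupName $sug `
    -AddPhases $pilot, $broad, $servers

# Confirm the object was created; phases appear in its properties in the console.
Get-CMPhasedDeployment -Name 'Constructed-Monthly rollout' | Format-List Name, Description
```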
After you create a phased deployment, open its properties to make changes:
Add additional phases to an existing phased deployment.
If a phase isn't active, you can Edit , Remove , or Move it up or down. You can't move it before an active
phase.
When a phase is active, it's read-only. You can't edit it, remove it, or move its location in the list. The only
option is to View the properties of the phase.
An application phased deployment is always read-only.

Next steps
Manage and monitor phased deployments:
Application
Software update
Task sequence
Monitor software updates in Configuration Manager
9/17/2021 • 6 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager provides many ways to help you to monitor software updates objects, processes, and
compliance information. Use the following sections to monitor software updates.

Software updates dashboard


(Introduced in version 1610)
Starting in Configuration Manager version 1610, you can use the Software Updates Dashboard to view the
current compliance status of devices in your organization and quickly analyze the data to see which devices are
at risk. To view the dashboard, navigate to Monitoring > Overview > Security > Software Updates
Dashboard .

Drill through required updates


(Introduced in version 1906)
You can drill through compliance statistics to see which devices require a specific Microsoft 365 Apps software
update. To view the device list, you need permission to view updates and the collections the devices belong to. To
drill down into the device list:
1. Go to Software Library > Software Updates > All Software Updates.
2. Select any update that is required by at least one device.
3. Look at the Summary tab and find the pie chart under Statistics.
4. Select the View Required hyperlink next to the pie chart to drill down into the device list.
5. This action takes you to a temporary node under Devices where you can see the devices requiring the
update. You can also take actions for the node such as creating a new collection from the list.

Alerts for software updates


You can configure alerts for software updates to notify administrative users when compliance levels for software
update deployments are below the configured percentage. You can configure alerts for software update
deployments in the following locations:
ADR setting: You can configure the alerts settings in the Automatic Deployment Rule Wizard and in the
properties for the ADR.
Deployment setting: You can configure the alerts settings in the Deploy Software Updates Wizard and in
deployment properties.
After you configure the alert settings, if the specified conditions occur, Configuration Manager generates an
alert. You can review software update alerts at the following locations:
1. Review recent alerts in the Software Updates node in the Software Library workspace.
2. Manage the configured alerts in the Alerts node in the Monitoring workspace.
Software updates synchronization status
After you start the synchronization process, you can monitor the synchronization process from the
Configuration Manager console for all software update points in your hierarchy. Use the following procedure to
monitor the software update synchronization process.
To monitor the software updates synchronization process
In the Configuration Manager console, navigate to Monitoring > Overview > Software Update Point
Synchronization Status .
The software update points in your Configuration Manager hierarchy are displayed in the results pane.
From this view, you can monitor the synchronization status for all software update points. To see more
detailed information about the synchronization process, you can review the wsyncmgr.log file, which is
located in <ConfigMgrInstallationPath>\Logs on each site server.

Software update deployment status


After you deploy the software updates in a software update group or deploy an individual software update, you
can monitor the deployment status. Use the following procedure to monitor the deployment status for a
software update group or software update.
To monitor deployment status
1. In the Configuration Manager console, navigate to Monitoring > Overview > Deployments.
2. Click the software update group or software update for which you want to monitor the deployment
status.
3. On the Home tab, in the Deployment group, click View Status .

TIP
Starting in version 2107, you can right-click the status of a deployment and select Evaluate Software Update
Deployments to send a notification to the selected devices to run a software update deployment evaluation cycle.

Software updates reports


The state messages for software updates provide information about the compliance of software updates and
about the evaluation and enforcement state of software update deployments. You can run software update
reports to display these state messages. There are more than 30 predefined software update reports available.
They're organized in several categories and can be used to report on specific information about software
updates and deployments. In addition to using the preconfigured reports, you can also create custom software
update reports according to the needs of your enterprise. For more information, see Operations and
maintenance for reporting.
Recommended software updates reports
The following are some of the reports that are useful in identifying potential issues:
Compliance 9 - Overall health and compliance (starting in version 1806)
The report includes the following parts:
Healthy Clients vs Total Clients : This bar chart compares the "healthy" clients that have communicated
with the site in the specified time period against the total number of clients in the specified collection.
Compliance Overview: This pie chart shows overall compliance state for the specific software update
group on active clients in the specified collection.
Top 5 Non-Compliant by Article ID: This bar chart displays the top five software updates in the specified
group that are non-compliant on active clients in the specified collection.
The bottom of the report is a table with further details, which lists the software updates in the specified
group.
Management 2 - Updates required but not deployed
This report displays vendor-specific software updates in a specific updates classification that have been detected
as required on clients but that have not been deployed to a specific collection.
Troubleshooting 2 - Deployment errors
This report returns the deployment errors at the site and a count of computers that are experiencing each error.

Monitor content
You can monitor content in the Configuration Manager console to review the status for all package types in
relation to the associated distribution points. This can include the content validation status for the content in the
package, the status of content assigned to a specific distribution point group, the state of content assigned to a
distribution point, and the status of optional features for each distribution point (content validation, PXE, and
multicast).
Content status monitoring
The Content Status node in the Monitoring workspace provides information about content packages. You can
review general information about the package, distribution status for the package, and detailed status
information about the package. Use the following procedure to view content status.
To monitor content status
1. In the Configuration Manager console, navigate to Monitoring > Overview > Distribution Status >
Content Status . The packages are displayed.
2. Select the package for which to view detailed status information.
3. On the Home tab, click View Status . Detailed status information for the package is displayed.
Distribution point group status
The Distribution Point Group Status node in the Monitoring workspace provides information about
distribution point groups. You can review general information about the distribution point group, such as
distribution point group status and compliance rate, as well as detailed status information for the distribution
point group. Use the following procedure to view distribution point group status.
To monitor distribution point group status
1. In the Configuration Manager console, navigate to Monitoring > Overview > Distribution Status >
Distribution Point Group Status . The distribution point groups are displayed.
2. Select the distribution point group for which to view detailed status information.
3. On the Home tab, click View Status . Detailed status information for the distribution point group is
displayed.
Distribution point configuration status
The Distribution Point Configuration Status node in the Monitoring workspace provides information
about the distribution point. You can review which attributes are enabled for the distribution point, such as the
PXE, Multicast, and content validation. You can also view detailed status information for the distribution point.
Use the following procedure to view distribution point configuration status.
To monitor distribution point configuration status
1. In the Configuration Manager console, navigate to Monitoring > Overview > Distribution Status >
Distribution Point Configuration Status . The distribution points are displayed.
2. Select the distribution point for which to view distribution point status information.
3. In the results pane, click the Details tab. Status information for the distribution point is displayed.

Next steps
Log files for Software Updates
Software Updates management whitepaper
Manage and monitor phased deployments
9/17/2021 • 4 minutes to read

This article describes how to manage and monitor phased deployments. Management tasks include manually
beginning the next phase, and suspend or resume a phase.
First, you need to create a phased deployment:
Application
Software update
Task sequence

Move to the next phase


When you select the setting, Manually begin the second phase of deployment , the site doesn't
automatically start the next phase based on success criteria. You need to move the phased deployment to the
next phase.
1. How to start this action varies based on the type of deployed software:
Application: Go to the Software Library workspace, expand Application Management, and
select Applications .
Software update: Go to the Software Library workspace, and then select one of the following
nodes:
Software Updates
All Software Updates
Software Update Groups
Windows 10 Servicing, All Windows 10 Updates
Office 365 Client Management, Office 365 Updates
Task sequence: Go to the Software Library workspace, expand Operating Systems, and
select Task Sequences .
2. Select the software with the phased deployment.
3. In the details pane, switch to the Phased Deployments tab.
4. Select the phased deployment, and click Move to next phase in the ribbon.

Starting in version 2002, use the following Windows PowerShell cmdlet for this task:
Move-CMPhasedDeploymentToNext
Suspend and resume phases
You can manually suspend or resume a phased deployment. For example, you create a phased deployment for a
task sequence. While monitoring the phase to your pilot group, you notice a large number of failures. You
suspend the phased deployment to stop further devices from running the task sequence. After resolving the
issue, you resume the phased deployment to continue the rollout.
1. How to start this action varies based on the type of deployed software:
Application : Go to the Software Library workspace, expand Application Management , and
select Applications .
Software update : Go to the Software Library workspace, and then select one of the following
nodes:
Software Updates
All Software Updates
Software Update Groups
Windows 10 Servicing, All Windows 10 Updates
Office 365 Client Management, Office 365 Updates
Task sequence : Go to the Software Library workspace, expand Operating Systems , and
select Task Sequences . Select an existing task sequence, and then click Create Phased
Deployment in the ribbon.
2. Select the software with the phased deployment.
3. In the details pane, switch to the Phased Deployments tab.
4. Select the phased deployment, and click Suspend or Resume in the ribbon.

NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see the old name in the Configuration Manager
product and documentation while the console is being updated.

Starting in version 2002, use the following Windows PowerShell cmdlets for this task:
Suspend-CMPhasedDeployment
Resume-CMPhasedDeployment

Monitor
Phased deployments have their own dedicated monitoring node, making it easier to identify phased
deployments you have created and navigate to the phased deployment monitoring view. From the Monitoring
workspace, select Phased Deployments , then double-click one of the phased deployments to see the status.
This dashboard shows the following information for each phase in the deployment:
Total devices or Total resources : How many devices are targeted by this phase.
Status : The current status of this phase. Each phase can be in one of the following states:
Deployment created : The phased deployment created a deployment of the software to the
collection for this phase. Clients are actively targeted with this software.
Waiting : The previous phase hasn't yet reached the success criteria for the deployment to
continue to this phase.
Suspended : An administrator suspended the deployment.
Progress : The color-coded deployment states from clients. For example: Success, In Progress, Error,
Requirements Not Met, and Unknown.
Success criteria tile
Use the Select Phase drop-down list to change the display of the Success Criteria tile. This tile compares the
Phase Goal against the current compliance of the deployment. With the default settings, the phase goal is 95%.
This value means that the deployment needs a 95% compliance to move to the next phase.
In the example, the phase goal is 65%, and the current compliance is 66.7%. The phased deployment
automatically moved to the second phase, because the first phase met the success criteria.
The phase goal is the same as the Deployment success percentage on the Phase Settings for the next phase.
For the phased deployment to start the next phase, that second phase defines the criteria for success of the first
phase. To view this setting:
1. Go to the phased deployment object on the software, and open the Phased Deployment Properties.
2. Switch to the Phases tab. Select Phase 2 and click View .
3. In the phase Properties window, switch to the Phase Settings tab.
4. View the value for Deployment success percentage in the Criteria for success of the previous phase
group.
For example, the following properties are for the same phase as the success criteria tile shown above where the
criteria is 65%:
PowerShell
Use the following Windows PowerShell cmdlets to manage phased deployments:
Automatically create phased deployments
New-CMApplicationAutoPhasedDeployment
New-CMSoftwareUpdateAutoPhasedDeployment
New-CMTaskSequenceAutoPhasedDeployment
Manually create phased deployments
New-CMSoftwareUpdatePhase
New-CMSoftwareUpdateManualPhasedDeployment
New-CMTaskSequencePhase
New-CMTaskSequenceManualPhasedDeployment
Get existing phased deployment objects
Get-CMApplicationPhasedDeployment
Get-CMSoftwareUpdatePhasedDeployment
Get-CMTaskSequencePhasedDeployment
Get-CMPhase
Monitor phased deployment status
Get-CMPhasedDeploymentStatus
Manage existing phased deployments
Move-CMPhasedDeploymentToNext
Resume-CMPhasedDeployment
Suspend-CMPhasedDeployment
Modify existing phased deployments
Set-CMApplicationPhasedDeployment
Set-CMSoftwareUpdatePhase
Set-CMSoftwareUpdatePhasedDeployment
Set-CMTaskSequencePhase
Set-CMTaskSequencePhasedDeployment
Remove-CMApplicationPhasedDeployment
Remove-CMSoftwareUpdatePhasedDeployment
Remove-CMTaskSequencePhasedDeployment
Software updates maintenance
9/17/2021 • 9 minutes to read

Applies to: Configuration Manager (current branch)


You can schedule and run WSUS cleanup tasks from the Configuration Manager console from the Software
Update Point Component properties. When you first select to run the WSUS cleanup task, it will run after the
next software updates synchronization.

To schedule and run the WSUS cleanup job


Schedule the WSUS cleanup job by running the following steps:
1. In the Configuration Manager console, navigate to Administration > Overview > Site Configuration
> Sites .
2. Select the site at the top of your Configuration Manager hierarchy.
3. Click Configure Site Components in the Settings group, and then click Software Update Point to
open Software Update Point Component Properties.
4. Review the Supersedence behavior . Modify the behavior if needed.

5. Click the Supersedence Rules tab, select Run WSUS cleanup wizard . In version 1806, the option is
renamed to Run WSUS cleanup after synchronization .
6. Click OK (Click Close if you're running version 1806).

WSUS cleanup behavior in version 1802 and earlier


Before Configuration Manager version 1806, the WSUS cleanup option runs the following item:
The Expired updates option from the WSUS cleanup wizard on the top-level site's WSUS server only.
A cleanup for software update configuration items in the Configuration Manager database occurs every
seven days and removes unneeded updates from the console.
This cleanup won't remove expired updates from the Configuration Manager console if they're
currently deployed.
Additional maintenance is still needed on the top-level WSUS database and all other WSUS databases in the
environment. For more information and instructions, see The complete guide to Microsoft WSUS and
Configuration Manager SUP maintenance blog post.

WSUS cleanup behavior starting in version 1806


Starting in version 1806, the WSUS cleanup option runs after every sync and does the following cleanup items:
The Expired updates option for WSUS servers on CAS and primary sites.
WSUS servers for secondary sites don't run the WSUS cleanup for expired updates.
Configuration Manager builds a list of superseded updates from its database. The list is based on the
supersedence behavior in the Software Update Point component properties.
The update configuration items meeting the supersedence behavior criteria are expired in the
Configuration Manager console.
The updates are declined in WSUS for CAS and primary sites but not for secondary sites.
A cleanup for software update configuration items in the Configuration Manager database occurs every
seven days and removes unneeded updates from the console.
This cleanup won't remove expired updates from the Configuration Manager console if they're
currently deployed.
NOTE
The "Months to wait before a superseded update is expired" is based on the creation date of the superseding update. For
example, if you use 2 months for this setting, then updates that have been superseded will be declined in WSUS and
expired in Configuration Manager when the superseding update is 2 months old.

All WSUS maintenance needs to be run manually on secondary site WSUS databases. The following WSUS
Server Cleanup Wizard options aren't run on the CAS and primary sites:
Unused updates and update revisions
Computers not contacting the server
Unneeded update files
For more information and instructions, see The complete guide to Microsoft WSUS and Configuration
Manager SUP maintenance blog post.

WSUS cleanup behavior starting in version 1810


Starting in version 1810, you can specify supersedence rules for feature updates separately from non-feature
updates in the Software Update Point component properties. The WSUS cleanup option occurs after every sync
and does the following cleanup items:
The Expired updates option for WSUS servers on CAS, primary, and secondary sites.
Configuration Manager builds a list of superseded updates from its database. The list is based on the
supersedence behavior in the Software Update Point component properties.
The update configuration items meeting the supersedence behavior criteria are expired in the
Configuration Manager console.
The updates are declined in WSUS for CAS, primary, and secondary sites.
A cleanup for software update configuration items in the Configuration Manager database occurs every
seven days and removes unneeded updates from the console.
This cleanup won't remove expired updates from the Configuration Manager console if they're
currently deployed.

NOTE
The "Months to wait before a superseded update is expired" is based on the creation date of the superseding update. For
example, if you use 2 months for this setting, then updates that have been superseded will be declined in WSUS and
expired in Configuration Manager when the superseding update is 2 months old.

The following WSUS Server Cleanup Wizard options aren't run on the CAS, primary, and secondary sites:
Unused updates and update revisions
Computers not contacting the server
Unneeded update files
For more information and instructions, see The complete guide to Microsoft WSUS and Configuration
Manager SUP maintenance blog post.

WSUS cleanup starting in version 1906


You have additional WSUS maintenance tasks that Configuration Manager can run to maintain healthy software
update points. In addition to declining expired updates in WSUS, Configuration Manager can add non-clustered
indexes to the WSUS databases and remove obsolete updates from the WSUS databases. The WSUS
maintenance occurs after every synchronization.
Decline expired updates in WSUS according to supersedence rules
Declining updates in WSUS improves performance by removing those updates from the catalogs sent to clients.
Declining updates that Configuration Manager marks as superseded further minimizes the catalogs and
improves performance.
1. In the Configuration Manager console, navigate to Administration > Overview > Site Configuration >
Sites .
2. Select the site at the top of your Configuration Manager hierarchy.
3. Click Configure Site Components in the Settings group, and then click Software Update Point to open
Software Update Point Component Properties.
4. In the WSUS Maintenance tab, select Decline expired updates in WSUS according to supersedence
rules .
Add non-clustered indexes to the WSUS database to improve WSUS cleanup performance
The addition of non-clustered indexes improves the WSUS cleanup performance that Configuration Manager
does.
1. In the Configuration Manager console, navigate to Administration > Overview > Site Configuration >
Sites .
2. Select the site at the top of your Configuration Manager hierarchy.
3. Click Configure Site Components in the Settings group, and then click Software Update Point to open
Software Update Point Component Properties.
4. In the WSUS Maintenance tab, select Add non-clustered indexes to the WSUS database .
5. On each SUSDB used by Configuration Manager, indexes are added to the following tables:
tbLocalizedPropertyForRevision
tbRevisionSupersedesUpdate
SQL Server permissions for creating indexes
When the WSUS database is on a remote SQL Server, you might need to add permissions in SQL Server to
create indexes. The account used to connect to the WSUS database and create the indexes can vary. If you
specify a WSUS Server Connection Account in the software update point properties, then ensure the connection
account has the SQL Server permissions. If you don't specify a WSUS Server Connection Account, then the site
server's computer account needs the SQL Server permissions.
Creating an index requires ALTER permission on the table or view. The account must be a member of the
sysadmin fixed server role or the db_ddladmin and db_owner fixed database roles. For more information
about creating an index and the required permissions, see CREATE INDEX (Transact-SQL).
The CONNECT SQL server permission must be granted to the account. For more information, see GRANT
Server Permissions (Transact-SQL).

NOTE
If the WSUS database is on a remote SQL Server using a non-default port, then indexes might not be added. You can
create a server alias using SQL Server Configuration Manager for this scenario. Once the alias is added and
Configuration Manager can make a connection to the WSUS database, indexes will be added.
If the Software Update Point is remote to the site server and is using a Windows Internal Database, then the indexes
will not be added.

Remove obsolete updates from the WSUS database


Obsolete updates are unused updates and update revisions in the WSUS database. Generally speaking, an
update is considered obsolete once it's no longer in the Microsoft Update Catalog and it isn't needed by other
updates as a prerequisite or dependency.
1. In the Configuration Manager console, navigate to Administration > Overview > Site Configuration >
Sites .
2. Select the site at the top of your Configuration Manager hierarchy.
3. Click Configure Site Components in the Settings group, and then click Software Update Point to open
Software Update Point Component Properties.
4. In the WSUS Maintenance tab, select Remove obsolete updates from the WSUS database .
The obsolete update removal will be allowed to run for a maximum of 30 minutes before being
stopped. It will start up again after the next synchronization occurs.
SQL Server permissions for removing obsolete updates
When the WSUS database is on a remote SQL Server, the site server's computer account needs the following
SQL Server permissions:
The db_datareader and db_datawriter fixed database roles. For more information, see Database-Level Roles.
The CONNECT SQL server permission must be granted to the site server's computer account. For more
information, see GRANT Server Permissions (Transact-SQL).

NOTE
If the Software Update Point is remote to the site server and is using a Windows Internal Database, then obsolete
updates will not be removed.

WSUS cleanup wizard


Starting in version 1906, the following WSUS Server Cleanup Wizard options aren't run on the CAS,
primary, and secondary sites:
Computers not contacting the server
Unneeded update files
For more information and instructions, see The complete guide to Microsoft WSUS and Configuration
Manager SUP maintenance blog post.

Known issue
Consider the following scenario:
You are using Configuration Manager version 1906 or later
You have remote software update points using a Windows Internal Database
In the Software Update Point Component Properties , you have any of the following selected options
under the WSUS Maintenance tab:
Add non-clustered indexes to the WSUS database
Remove obsolete updates from the WSUS database
In this scenario, Configuration Manager is unable to perform the above WSUS Maintenance tasks for the remote
Software Updates Points using a Windows Internal Database. This issue occurs because Windows Internal
Database doesn't allow remote connections. You'll see the following errors in the WSyncMgr.log on the site
server:
Indexing Failed. Could not connect to SUSDB.
SqlException thrown while connect to SUSDB in Server: <SUP.CONTOSO.COM>. Error Message: A network-related or
instance-specific error occurred while establishing a connection to SQL Server. The server was not found or
was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow
remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
...
Could not Delete Obselete Updates because ConfigManager could not connect to SUSDB: A network-related or
instance-specific error occurred while establishing a connection to SQL Server. The server was not found or
was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow
remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
UpdateServer: <SUP.CONTOSO.COM>

To work around the issue, you can automate the WSUS maintenance for the remote software update points
using a Windows Internal Database. For more information and detailed steps, see The complete guide to
Microsoft WSUS and Configuration Manager SUP maintenance.

Updates cleanup log entries


You can verify this cleanup by reviewing the wsyncmgr.log for the following entries:
The decline of superseded updates in WSUS is complete when you see this log entry:
Cleanup processed <number> total updates and declined <number>
The WSUS cleanup is starting when you see this entry: Calling WSUS Cleanup.
The WSUS cleanup for expired updates is complete when you see this entry:
Successfully completed WSUS Cleanup.
The Configuration Manager expired updates configuration items cleanup is starting when you see this entry:
Deleting old expired updates...
The Configuration Manager expired updates configuration items cleanup is complete when you see this
entry: Deleted <number> expired updates total
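The following function, added here as an example and not part of the Configuration Manager documentation, scans wsyncmgr.log lines for the cleanup entries listed above and for the Windows Internal Database connection failures from the known issue, so the outcome of a sync-time cleanup can be checked without reading the whole log. The function name and the sample log lines are constructed for this example; the message texts it matches are the ones quoted in this article.

```powershell
# Added example (not from the Configuration Manager documentation): summarize the WSUS cleanup
# entries and the SUSDB connection failures described in this article from wsyncmgr.log lines.

function Get-WsyncMgrCleanupSummary {
    param(
        [Parameter(Mandatory)]
        [string[]]$LogLines
    )

    # Message texts quoted in this article. The log wraps each message as <![LOG[...]LOG]!>,
    # so match on the message text rather than on whole lines.
    $patterns = @{
        DeclineComplete = 'Cleanup processed (?<total>\d+) total updates and declined (?<declined>\d+)'
        CleanupStarted  = 'Calling WSUS Cleanup'
        CleanupComplete = 'Successfully completed WSUS Cleanup'
        ExpiredStarted  = 'Deleting old expired updates'
        ExpiredComplete = 'Deleted (?<deleted>\d+) expired updates total'
        IndexingFailed  = 'Indexing Failed\. Could not connect to SUSDB'
        ObsoleteFailed  = 'Could not Delete Obselete Updates'   # spelled as the log writes it
    }

    $summary = [ordered]@{
        UpdatesProcessed        = 0
        UpdatesDeclined         = 0
        ExpiredUpdatesDeleted   = 0
        WsusCleanupStarted      = $false
        WsusCleanupCompleted    = $false
        ExpiredCleanupStarted   = $false
        ExpiredCleanupCompleted = $false
        IndexingFailures        = 0
        ObsoleteRemovalFailures = 0
        FailedUpdateServers     = @()
        NeedsAttention          = $false
    }

    foreach ($line in $LogLines) {
        if ($line -match $patterns.DeclineComplete) {
            $summary.UpdatesProcessed = [int]$Matches.total
            $summary.UpdatesDeclined  = [int]$Matches.declined
        }
        elseif ($line -match $patterns.CleanupStarted)  { $summary.WsusCleanupStarted = $true }
        elseif ($line -match $patterns.CleanupComplete) { $summary.WsusCleanupCompleted = $true }
        elseif ($line -match $patterns.ExpiredStarted)  { $summary.ExpiredCleanupStarted = $true }
        elseif ($line -match $patterns.ExpiredComplete) {
            $summary.ExpiredCleanupCompleted = $true
            $summary.ExpiredUpdatesDeleted   = [int]$Matches.deleted
        }
        elseif ($line -match $patterns.IndexingFailed) { $summary.IndexingFailures++ }
        elseif ($line -match $patterns.ObsoleteFailed) { $summary.ObsoleteRemovalFailures++ }

        # The known-issue entries name the affected software update point as UpdateServer: <fqdn>.
        if ($line -match 'UpdateServer: <(?<server>[^>]+)>') {
            if ($summary.FailedUpdateServers -notcontains $Matches.server) {
                $summary.FailedUpdateServers += $Matches.server
            }
        }
    }

    # A cleanup that started but never completed, or any SUSDB connection failure, needs a look.
    $summary.NeedsAttention = ($summary.WsusCleanupStarted -and -not $summary.WsusCleanupCompleted) -or
                              ($summary.IndexingFailures -gt 0) -or
                              ($summary.ObsoleteRemovalFailures -gt 0)

    [pscustomobject]$summary
}

# Constructed sample lines in the Configuration Manager log format, not captured from a real site.
$sampleLog = @(
    '<![LOG[Cleanup processed 1500 total updates and declined 42]LOG]!><time="02:10:11.000+000" date="09-17-2021" component="SMS_WSUS_SYNC_MANAGER" type="1">'
    '<![LOG[Calling WSUS Cleanup.]LOG]!><time="02:10:12.000+000" date="09-17-2021" component="SMS_WSUS_SYNC_MANAGER" type="1">'
    '<![LOG[Successfully completed WSUS Cleanup.]LOG]!><time="02:11:30.000+000" date="09-17-2021" component="SMS_WSUS_SYNC_MANAGER" type="1">'
    '<![LOG[Indexing Failed. Could not connect to SUSDB.]LOG]!><time="02:11:31.000+000" date="09-17-2021" component="SMS_WSUS_SYNC_MANAGER" type="3">'
    '<![LOG[UpdateServer: <SUP.CONTOSO.COM>]LOG]!><time="02:11:31.000+000" date="09-17-2021" component="SMS_WSUS_SYNC_MANAGER" type="3">'
    '<![LOG[Deleting old expired updates...]LOG]!><time="02:12:00.000+000" date="09-17-2021" component="SMS_WSUS_SYNC_MANAGER" type="1">'
    '<![LOG[Deleted 17 expired updates total]LOG]!><time="02:12:05.000+000" date="09-17-2021" component="SMS_WSUS_SYNC_MANAGER" type="1">'
)

Get-WsyncMgrCleanupSummary -LogLines $sampleLog | Format-List
```

Against a live site, pass the contents of wsyncmgr.log from the site server's log folder to `-LogLines` with `Get-Content`; the sample above yields one indexing failure for SUP.CONTOSO.COM and sets `NeedsAttention` to `$true`.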
Orchestration groups in Configuration Manager
9/17/2021 • 12 minutes to read

Applies to: Configuration Manager (current branch)


Create an orchestration group to better control the deployment of software updates to devices. Many server
administrators need to carefully manage updates for specific workloads, and automate behaviors in between.
An orchestration group gives you the flexibility to update devices based on a percentage, a specific number, or
an explicit order. You can also run a PowerShell script before and after the devices run the update deployment.
Members of an orchestration group can be any Configuration Manager client, not just servers. The orchestration
group rules apply to the devices for all software update deployments to any collection that contains an
orchestration group member. Other deployment behaviors still apply. For example, maintenance windows and
deployment schedules.

NOTE
In this version of Configuration Manager, orchestration groups is a pre-release feature. To enable it, see Pre-release
features.
The Orchestration Groups feature is the evolution of the Server Groups feature. An orchestration group is an object in
Configuration Manager.

Orchestration group usage example


As the software updates administrator, you manage all updates for your organization.
You have one large collection for all servers and one large collection for all clients. You deploy all updates to
these collections.
The SQL Server administrators want to control all the software installed on the SQL Servers. They want to
patch five servers in a specific order. Their current process is to manually stop specific services before
installing updates, and then restart the services afterwards.
You create an orchestration group and add all five SQL Servers. You also add pre- and post-scripts, using the
PowerShell scripts provided by the SQL Server administrators.
During the next update cycle, you create and deploy the software updates as normal to the large collection of
servers. The SQL Server administrators run the deployment, and the orchestration group automates the
order and services.

Prerequisites
Site server and permission prerequisites
To see all of the orchestration groups and updates for those groups, your account needs to be a Full
Administrator .
Role-based administration for orchestration groups currently isn't available.
Enable the Orchestration Groups feature. For more information, see Enable optional features.
When you enable Orchestration Groups , the site disables the Server Groups feature. This
behavior avoids any conflicts between the two features.
Client prerequisites
Upgrade the target devices to the latest version of the Configuration Manager client.
Members of an orchestration group should be assigned to the same site.
Devices can't be in more than one orchestration group.
Devices already in an orchestration group won't be available to select when adding new members.

Limitations
You can have up to 1000 orchestration group members.
Orchestration groups don't work in interoperability mode. For more information, see Interoperability
between different versions of Configuration Manager.
If updates are initiated by users from Software Center, orchestration will be bypassed.
Starting in Configuration Manager version 2103, updates in the Definition classification don't require
orchestration and will always bypass orchestration group rules.
Scripts that have parameters aren't supported.

Server groups are automatically updated to orchestration groups


The Orchestration Groups feature is the evolution of the Server Groups feature. When you install
Configuration Manager version 2002 or later and you have Server Groups enabled, your server groups are
automatically moved to orchestration groups.

Create an orchestration group


1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the
Orchestration Group node.
2. In the ribbon, select Create Orchestration Group to open the Create Orchestration Group Wizard .
3. On the General page, give your orchestration group a Name and optionally a Description . Specify your
values for the following items:
Orchestration Group timeout (in minutes) : Time limit for all group members to complete update
installation.
Orchestration Group member timeout (in minutes) : Time limit for a single device in the group
to complete the update installation.
4. On the Member Selection page, first specify the Site code . Then select Add to add device resources as
members of this orchestration group. Search for devices by name, and then Add them. You can also
filter your search to a single collection by using Search in Collection . Select OK when you finish adding
devices to the selected resources list.
When selecting resources for the group, only valid clients are shown. Checks are made for verifying
the site code, that the client is installed, and that resources aren't duplicated.
5. On the Rule Selection page, select one of the following options:
Allow a percentage of the machines to be updated at the same time , then select or enter
a number for this percentage. Use this setting to allow for future flexibility of the size of the
orchestration group. For example, your orchestration group contains 50 devices, and you set this
value to 10. During a software update deployment, Configuration Manager allows five devices to
simultaneously run the deployment. If you later increase the size of the orchestration group to 100
devices, then 10 devices update at once.
Allow a number of the machines to be updated at the same time , then select or enter a
number for this specific count. Use this setting to always limit to a specific number of devices,
whatever the overall size of the orchestration group.
Specify the maintenance sequence , then sort the selected resources in the proper order. Use
this setting to explicitly define the order in which devices run the software update deployment.
6. Choose a Pre-installation script and Post-installation script for your orchestration group as needed.
The script should return a value of 0 for success. Any non-zero value is considered a script failure.
Scripts with parameters can't be used.
a. For Configuration Manager 2103 and later, choose a Pre-installation script and Post-installation
script on the Script Picker page. Choose from the following options when adding or modifying a
script:
Add : Allows you to choose a script to add. Type or paste a PowerShell script into the pane or
use one of the following options:
Open : Open a specific .ps1 file
Browse : Choose a script that's already approved from the Scripts list. Scripts with
parameters will be hidden from the list.
Clear : Clears the current script in the script pane
Edit : Edit the currently selected script
Delete : Removes the current script
Script timeout (in seconds) : The allowed time in seconds for the script to run before it times
out
b. For Configuration Manager 2010 and earlier, add scripts to your orchestration groups on the Pre-
Script and Post-Script pages.
a. On the Pre-Script page, enter a PowerShell script to run on each device before the
deployment runs.
b. On the Post-Script page, enter a PowerShell script to run on each device after the deployment
runs and a restart, if required, occurs. The behavior is otherwise the same as the PreScript.

NOTE
In version 2103 and later, the maximum script length is 50,000 characters. In version 2010 and earlier, the
maximum script length is 5,000 characters.

7. Complete the wizard.

WARNING
Ensure pre-scripts and post-scripts are tested before using them for orchestration groups. The pre-scripts and post-
scripts don't timeout and will run until the orchestration group member timeout has been reached.
Scripts that have parameters aren't supported.
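As an added example (not a script from the Configuration Manager documentation), here is a pre-installation script for the SQL Server scenario described earlier in this article: it stops the SQL Server services on each orchestration group member before the update deployment runs and uses the exit code contract the wizard requires (0 for success, any non-zero value for failure). Because orchestration scripts can't take parameters, the settings are fixed in the script body; the service names and the wait time are assumptions for this example.

```powershell
# Added example (not from the Configuration Manager documentation): orchestration group
# pre-installation script that stops SQL Server services before updates install.
# Exit code 0 = success, non-zero = failure, as the orchestration group expects.
# Orchestration scripts can't take parameters, so the settings live in the script body.

$ServicesToStop = @('SQLSERVERAGENT', 'MSSQLSERVER')   # assumed names: stop the Agent before the engine
$StopTimeout    = [TimeSpan]::FromSeconds(120)           # assumed per-service wait before giving up

foreach ($serviceName in $ServicesToStop) {
    $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if (-not $service) {
        # A missing service means this member isn't the host the script was written for;
        # fail the script so the group doesn't continue with the update on an unexpected device.
        Write-Output "Service '$serviceName' not found on $env:COMPUTERNAME"
        exit 1
    }

    if ($service.Status -eq 'Stopped') {
        Write-Output "Service '$serviceName' is already stopped"
        continue
    }

    try {
        # -Force also stops services that depend on this one.
        Stop-Service -Name $serviceName -Force -ErrorAction Stop
        # Block until the Service Control Manager reports Stopped, or the wait expires
        # (WaitForStatus throws System.ServiceProcess.TimeoutException in that case).
        $service.WaitForStatus('Stopped', $StopTimeout)
        Write-Output "Service '$serviceName' stopped"
    }
    catch {
        Write-Output "Failed to stop '$serviceName': $($_.Exception.Message)"
        exit 1
    }
}

# All listed services are stopped; a zero exit code lets the orchestration group proceed.
exit 0
```

The matching post-installation script starts the same services in the reverse order with `Start-Service`, waits for `Running` with the same `WaitForStatus` pattern, and exits with 0 only when every service is back up.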

View orchestration groups and members


From the Assets and Compliance workspace, select the Orchestration Group node. To view members,
select an orchestration group and select Show Members in the ribbon. For more information about the
available columns for the nodes, see Monitor orchestration groups and members.

Edit or delete an orchestration group


To delete the orchestration group, select it then select Delete in the ribbon or from the right-click menu. To edit
an orchestration group, select it then select Properties in the ribbon or from the right-click menu. Change the
settings from the following tabs:
General :
Name : The name of your orchestration group
Description : Orchestration group description (optional)
Orchestration Group timeout (in minutes) : Time limit for all group members to complete update
installation.
Orchestration Group member timeout (in minutes) : Time limit for a single device in the group
to complete the update installation.
Member Selection :
Site Code : Site code for the orchestration group.
Members : Select Add to select more devices for the orchestration group. Choose Remove to remove
the selected device.
Rules Selection :
Allow a percentage of the machines to be updated at the same time , then select or enter a
number for this percentage. Use this setting to allow for future flexibility of the size of the
orchestration group. For example, your orchestration group contains 50 devices, and you set this
value to 10. During a software update deployment, Configuration Manager allows five devices to
simultaneously run the deployment. If you later increase the size of the orchestration group to 100
devices, then 10 devices update at once.
Allow a number of the machines to be updated at the same time , then select or enter a
number for this specific count. Use this setting to always limit to a specific number of devices,
whatever the overall size of the orchestration group.
Specify the maintenance sequence : Sort the selected resources to the proper order. Use this
setting to explicitly define the order in which devices run the software update deployment.
Choose a Pre-installation script and Post-installation script for your orchestration group as needed.
The script should return a value of 0 for success. Any non-zero value is considered a script failure.
Scripts with parameters can't be used.
For Configuration Manager version 2103 and later, choose a Pre-installation script and Post-
installation script on the Script Picker page. Choose from the following options when adding
or modifying a script:
Add : Allows you to choose a script to add. Type or paste a PowerShell script into the pane or
use one of the following options:
Open : Open a specific .ps1 file
Browse : Choose a script that's already approved from the Scripts list. Scripts with
parameters will be hidden from the list.
Clear : Clears the current script in the script pane
Edit : Edit the currently selected script
Delete : Removes the current script
Script timeout (in seconds) : The allowed time in seconds for the script to run before it times
out
For Configuration Manager version 2010 and earlier, add scripts to your orchestration groups on
the Pre-Script and Post-Script tabs.
On the Pre-Script tab, enter a PowerShell script to run on each device before the deployment
runs.
On the Post-Script tab, enter a PowerShell script to run on each device after the deployment
runs and a restart, if required, occurs. The behavior is otherwise the same as the PreScript.
WARNING
For Configuration Manager version 2010 and earlier, ensure pre-scripts and post-scripts are tested
before using them for orchestration groups. The pre-scripts and post-scripts don't timeout and will run
until the orchestration group member timeout has been reached.
Scripts that have parameters aren't supported.

Start orchestration
1. Deploy software updates to a collection that contains the members of the orchestration group.
2. Orchestration starts when any client in the group tries to install any software update at deadline or
during a maintenance window. It starts for the entire group, and makes sure that the devices update by
following the orchestration group rules.
3. You can manually start orchestration by selecting it from the Orchestration Group node, then choosing
Start Orchestration from the ribbon or right-click menu.
4. If needed, select Ignore all applicable windows for the members to start the installation
immediately and bypass maintenance windows.
This option was introduced in Configuration Manager version 2103.
5. If an orchestration group is in a Failed state:
a. Determine why the orchestration failed and resolve any issues.
b. Reset the orchestration state for group members.
c. From the Orchestration Group node, choose the Start Orchestration button to restart
orchestration.

TIP
Orchestration groups only apply to software update deployments. They don't apply to other deployments.
You can right-click on an Orchestration Group member and select Reset Orchestration Group Member . This
allows you to rerun orchestration.

Monitor orchestration groups


From the Assets and Compliance workspace, select the Orchestration Group node. Add any of the
following columns to get information about the groups:
Orchestration Name : The name of your orchestration group.
Site Code : Site code for the group.
Orchestration Type : One of the following types:
Number
Percentage
Sequence
Orchestration Value : How many members or the percentage of members that can get a lock
simultaneously. Orchestration Value is only populated when Orchestration Type is either Number or
Percentage.
Orchestration State : In progress during orchestration. Idle when not in progress.
Orchestration Start Time : Date and time that the orchestration started.
Current Sequence Number : Indicates for which member of the group orchestration is active. This
number corresponds with the Sequence Number for the member.
Orchestration Timeout (in minutes) : Value of The Orchestration Group timeout (in minutes)
set on the General page when creating the group, or the General tab when editing the group.
Orchestration Group Member Timeout (in minutes) : Value of Orchestration Group member
timeout (in minutes) set on the General page when creating the group, or the General tab when
editing the group.
Orchestration Group ID : ID of the group. The ID is used in logs and the database.
Orchestration Group Unique ID : Unique ID of the group. The Unique ID is used in logs and the
database.

Monitor orchestration group members

In the Orchestration Group node, select an orchestration group. In the ribbon, select Show Members . You
can see the members of the group, and their orchestration status. Add any of the following columns to get
information about the members:
Name : Device name of the orchestration group member.
Current State : Gives you the state of the member device.
In progress : Orchestration is running on the member.
Waiting : Indicates the client is waiting on the lock for its turn to install updates.
Idle : Orchestration is complete or not running.
State Code : You can right-click on the Orchestration Group member and select Reset Orchestration
Group Member . This reset allows you to rerun orchestration. States include:
Idle
Waiting, the device is waiting its turn
In progress, installing an update
Failed
Reboot pending
Lock Acquired Time : Locks are requested by the client based on its policy. Once the client acquires a lock,
orchestration is triggered on it.
Last State Reported Time : Time the member last reported a state.
Sequence Number : The client's location in the queue for installing updates.
Site Code : The site code for the member.
Client Activity : Tells you if the client is active or inactive.
Primary User(s) : Which users are primary for the device.
Client Type : What type of device the client is.
Currently Logged on User : Which user is currently logged on to the device.
OG ID : ID of the orchestration group the member belongs to.
OG Unique ID : Unique ID of the orchestration group the member belongs to.
Resource ID : Resource ID of the device.

Reset the orchestration state for a group member

If you want to rerun orchestration on a group member, you can clear its state such as Complete or Failed. To
clear the state, right-click on the Orchestration Group member and select Reset Orchestration Group
Member . You can also select Reset Orchestration Group Member from the ribbon. Before resetting the
state, you should check the client to see why it failed and correct any issues found.
Log files
Use the following log files on the site server to help monitor and troubleshoot:
Site server
Policypv.log : shows that the site targets the orchestration group to the clients.
SMS_OrchestrationGroup.log : shows the behaviors of the orchestration group.
Client
MaintenanceCoordinator.log : Shows the lock acquisition, update installation, pre and post-scripts, and
lock release process.
UpdateDeployment.log : Shows the update installation process.
PolicyAgent.log : Checks if the client is in an orchestration group.
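The entries in these log files use the CMTrace format (one `<![LOG[...]LOG]!><time=... date=... component=... type=...>` record per line). As an added example, not part of this documentation or of Configuration Manager, the following Python script parses that format, lists error entries, and reports how long each orchestration lock was held against the member timeout; the message wording, timestamps and group ids in the sample are constructed.

```python
"""Parse Configuration Manager log entries (the CMTrace format used by
MaintenanceCoordinator.log, UpdatesDeployment.log and the site server logs) and
summarise orchestration lock activity and errors.

Added example, not part of the documentation or of Configuration Manager. The
entry layout is the standard CMTrace format; the message texts, timestamps and
group ids in SAMPLE_LOG are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# One CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)"\s+date="(?P<date>[^"]+)"\s+component="(?P<component>[^"]*)"'
    r'\s+context="[^"]*"\s+type="(?P<type>\d)"\s+thread="\d+"\s+file="[^"]*">',
    re.DOTALL,
)
SEVERITY = {"1": "Info", "2": "Warning", "3": "Error"}

# Constructed message shape for lock events; the real message wording may differ.
LOCK_RE = re.compile(r"^(?P<action>Acquired|Released) orchestration lock for group (?P<group>\S+)")


@dataclass
class LogEntry:
    timestamp: datetime
    component: str
    severity: str
    message: str


def parse_timestamp(date: str, time: str) -> datetime:
    """CMTrace writes HH:MM:SS.mmm followed by a UTC offset in minutes, e.g. 14:02:11.123+000."""
    clock = re.split(r"[+-]", time)[0]
    return datetime.strptime(f"{date} {clock}", "%m-%d-%Y %H:%M:%S.%f")


def parse_log(text: str) -> List[LogEntry]:
    return [
        LogEntry(parse_timestamp(m["date"], m["time"]), m["component"],
                 SEVERITY.get(m["type"], "Unknown"), m["message"].strip())
        for m in ENTRY_RE.finditer(text)
    ]


def errors(entries: List[LogEntry]) -> List[LogEntry]:
    """Entries written with type 3, which CMTrace highlights as errors."""
    return [e for e in entries if e.severity == "Error"]


def lock_report(entries: List[LogEntry], member_timeout_minutes: int) -> Dict[str, dict]:
    """Per group: minutes the lock was held (None if never released) and whether it
    needs attention because it was held past the member timeout or never released."""
    acquired: Dict[str, datetime] = {}
    report: Dict[str, dict] = {}
    for e in entries:
        m = LOCK_RE.match(e.message)
        if not m:
            continue
        if m["action"] == "Acquired":
            acquired[m["group"]] = e.timestamp
        elif m["group"] in acquired:
            held = (e.timestamp - acquired.pop(m["group"])).total_seconds() / 60
            report[m["group"]] = {"held_minutes": held, "needs_attention": held > member_timeout_minutes}
    for group in acquired:  # acquired but never released within this log
        report[group] = {"held_minutes": None, "needs_attention": True}
    return report


# Constructed sample log (four entries, two lock cycles, one error)
SAMPLE_LOG = (
    '<![LOG[Acquired orchestration lock for group OG-01]LOG]!><time="10:00:00.000+000" '
    'date="09-17-2021" component="MaintenanceCoordinator" context="" type="1" thread="4242" file="">\n'
    '<![LOG[Post-deployment script exited with code 1]LOG]!><time="10:11:30.500+000" '
    'date="09-17-2021" component="MaintenanceCoordinator" context="" type="3" thread="4242" file="">\n'
    '<![LOG[Released orchestration lock for group OG-01]LOG]!><time="10:12:00.000+000" '
    'date="09-17-2021" component="MaintenanceCoordinator" context="" type="1" thread="4242" file="">\n'
    '<![LOG[Acquired orchestration lock for group OG-02]LOG]!><time="11:00:00.000+000" '
    'date="09-17-2021" component="MaintenanceCoordinator" context="" type="1" thread="4242" file="">\n'
)

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in errors(entries):
        print(f"{e.timestamp} {e.component} ERROR: {e.message}")
    print(lock_report(entries, member_timeout_minutes=120))
```

Run it against a real MaintenanceCoordinator.log by reading the file into `parse_log` and adjusting `LOCK_RE` to the message text your client version writes.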

Next steps
Deploy software updates
Service a server group
9/17/2021 • 4 minutes to read

Applies to: Configuration Manager (current branch)

IMPORTANT
Starting in Configuration Manager version 2002, server groups have been replaced by orchestration groups. For more
information, see Orchestration groups.
Pre-release features are features that are in the Current Branch for early testing in a production environment. These
features are fully supported but are still in active development and might receive changes until they move out of the
pre-release category. You must turn on this feature for it to be available. For more information, see Use pre-release
features from updates.
Starting in Configuration Manager version 1606, you can configure server group settings for a collection to
define how many, what percentage, or in what order computers in the collection will install software updates.
You can also configure pre-deployment and post-deployment PowerShell scripts to run custom actions.
When you deploy software updates to a collection that has server group settings configured, Configuration
Manager determines how many computers in the collection can install the software updates at any given time
and makes the same number of deployment locks available. Only computers that get a deployment lock will
start software update installation. When a deployment lock is available, a computer gets the deployment lock,
installs the software updates, and then releases the deployment lock when software updates installation
successfully completes. Then, the deployment lock becomes available for other computers. If a computer is
unable to release a deployment lock, you can manually release all server group deployment locks for the
collection.

IMPORTANT
All of the computers in the collection must be assigned to the same site.

To create a collection for a server group

The server group settings are configured in the properties for a device collection. To service a server group, all
members in the collection must be assigned to the same site. Use the following steps to create a collection and
configure the server group settings:
1. Create a device collection that contains the computers in the server group.
2. In the Assets and Compliance workspace, click Device Collections , right-click the collection that
contains the computers in the server group, and then click Properties .
3. On the General tab, select All devices are part of the same server group , and then click Settings .
4. On the Server Group Settings page, specify one of the following settings:
Allow a percentage of machines to be updated at the same time : Specifies that only a
certain percentage of clients are updated at any one time. If, for example, the collection has 10
clients, and the collection is configured to update 30% of clients at the same time, then only 3
clients will install software updates at any given time.
Allow a number of machines to be updated at the same time : Specifies that only a certain
number of clients are updated at any one time.
Specify the maintenance sequence : Specifies that the clients in the collection will be updated
one at a time in the sequence that you configure. A client will only install software updates after
the client that is ahead of it in the list has finished installing its software updates.
5. Specify whether to use a pre-deployment (node drain) script or post-deployment (node resume) script.
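The lock model behind these settings (and behind orchestration groups, which replaced them) is simple enough to simulate. As an added example that is not code from the documentation or from Configuration Manager, the following Python model hands out deployment locks by Number, Percentage or Sequence and marks a member Failed when it holds its lock past the member timeout; the rule that a percentage rounds down but never below one device is an assumption.

```python
"""Model of how Configuration Manager hands out deployment locks to an
orchestration group (or a server group collection).

Added example, not Configuration Manager's own code: it reproduces the documented
rules (Number, Percentage and Sequence types, member timeout) so you can reason
about how many devices update at once and what a stuck member does to the rest.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Member:
    name: str
    sequence: int               # the member's Sequence Number in the console
    install_minutes: int        # how long the update installation takes on this device
    releases_lock: bool = True  # False models a client that never releases its lock


@dataclass
class Result:
    lock_acquired: Optional[int] = None  # minute at which the lock was acquired
    lock_released: Optional[int] = None  # minute at which the lock was released
    state: str = "Waiting"               # Waiting -> In progress -> Idle or Failed


def concurrent_locks(orchestration_type: str, value: int, member_count: int) -> int:
    """Number of locks made available at the same time (the Orchestration Value).

    Assumption (not stated on the page): a percentage is rounded down but never
    below one device, so 30% of 10 members gives 3 locks and 25% of 10 gives 2.
    """
    if orchestration_type == "Sequence":
        return 1  # members update one at a time
    if orchestration_type == "Number":
        return max(1, min(value, member_count))
    if orchestration_type == "Percentage":
        return max(1, math.floor(member_count * value / 100))
    raise ValueError(f"unknown orchestration type: {orchestration_type}")


def simulate(orchestration_type: str, value: int, members: List[Member],
             member_timeout_minutes: int) -> Tuple[Dict[str, Result], int]:
    """Run the group minute by minute; returns per-member results and the peak
    number of members holding a lock at the same time."""
    if orchestration_type == "Sequence":
        members = sorted(members, key=lambda m: m.sequence)
    locks = concurrent_locks(orchestration_type, value, len(members))
    results = {m.name: Result() for m in members}
    waiting = list(members)
    holding: List[Member] = []
    peak = 0
    minute = 0
    while waiting or holding:
        # Release locks of members that finished, or that hit the member timeout.
        still_holding = []
        for m in holding:
            r = results[m.name]
            elapsed = minute - r.lock_acquired
            if m.releases_lock and elapsed >= m.install_minutes:
                r.lock_released, r.state = minute, "Idle"
            elif elapsed >= member_timeout_minutes:
                r.lock_released, r.state = minute, "Failed"  # lock freed, member marked Failed
            else:
                still_holding.append(m)
        holding = still_holding
        # Hand free locks to the next members in line. With Sequence there is only
        # one lock, so each member waits for its predecessor to finish or time out.
        while waiting and len(holding) < locks:
            m = waiting.pop(0)
            results[m.name].lock_acquired = minute
            results[m.name].state = "In progress"
            holding.append(m)
        peak = max(peak, len(holding))
        minute += 1
        if minute > 100000:
            raise RuntimeError("simulation did not converge")
    return results, peak


if __name__ == "__main__":
    # Constructed group: 10 servers, each needing 10 minutes, 30% at a time
    group = [Member(f"SRV{i:02d}", i, 10) for i in range(1, 11)]
    res, peak = simulate("Percentage", 30, group, member_timeout_minutes=120)
    print(f"peak concurrent installs: {peak}")
    for name, r in res.items():
        print(f"{name}: lock {r.lock_acquired}-{r.lock_released} min, {r.state}")
```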

WARNING
Custom scripts are not signed by Microsoft. It is your responsibility to maintain the integrity of these scripts.

TIP
The following are examples that you can use in testing for pre-deployment and post-deployment scripts that write
the current time to a text file:
Pre-deployment
#Start
# Record the UTC time at which the node drain (pre-deployment) script ran
$a = Get-Date
Write-Output ("Universal Time: " + $a.ToUniversalTime()) | Out-File C:\Windows\Temp\start.txt

Post-deployment
#End
# Record the UTC time at which the node resume (post-deployment) script ran
$a = Get-Date
Write-Output ("Universal Time: " + $a.ToUniversalTime()) | Out-File C:\Windows\Temp\end.txt

Deploy software updates to the server group and monitor status

You deploy software updates to the server group collection by using the typical deployment process. After you
deploy the software updates, you can monitor the software update deployment in the Configuration Manager
console.
1. Deploy software updates to the server group collection.
2. Monitor the software update deployment. In addition to the standard monitoring views for software
updates deployment, the Waiting for lock state is displayed when a client is waiting for its turn to install
the software updates. You can review the UpdatesDeployment.log file for more information.

Clear the deployment locks for computers in a server group

When a computer fails to release a deployment lock, you can manually release all server group deployment
locks for the collection. Clear locks only when a deployment is stuck updating computers in the collection and
there are computers that are still not compliant.
1. In the Assets and Compliance workspace, click Device Collections , and click the collection to clear
deployment locks.
2. On the Home tab, in the Deployment group, click Clear Server Group Deployment Locks . When
clients have failed to install the software updates and are preventing other clients from installing their
software updates, the deployment locks can be manually cleared.
Office 365 Client Management dashboard
9/17/2021 • 11 minutes to read

Applies to: Configuration Manager (current branch)

NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration
Manager console and supporting documentation while the console is being updated.
Beginning in Configuration Manager version 1802, you can review Microsoft 365 Apps client information from
the Office 365 Client Management dashboard. The Office 365 client management dashboard displays a list of
relevant devices when graph sections are selected.
Prerequisites
Enable hardware inventory
The data that is displayed in the Office 365 Client Management dashboard comes from hardware inventory.
Enable hardware inventory and select the Office 365 Configurations hardware inventory class for data to
display in the dashboard.
1. Enable hardware inventory, if it isn't yet enabled. For details, see Configure hardware inventory.
2. In the Configuration Manager console, navigate to Administration > Client Settings > Default Client
Settings .
3. On the Home tab, in the Properties group, click Properties .
4. In the Default Client Settings dialog box, click Hardware Inventory .
5. In the Device Settings list, click Set Classes .
6. In the Hardware Inventory Classes dialog box, select Office 365 Configurations .
7. Click OK to save your changes and close the Hardware Inventory Classes dialog box.
The Office 365 Client Management dashboard starts displaying data as hardware inventory is reported.
Connectivity for the top-level site server
(Introduced in version 1906 as a prerequisite)
Your top-level site server needs access to the following endpoint to download the Microsoft 365 Apps readiness
file:
Starting March 2, 2021: https://omex.cdn.office.net/mirrored/sccmreadiness/SOT_SCCM_AddinReadiness.CAB
Location prior to March 2, 2021:
https://contentstorage.osi.office.net/sccmreadinessppe/sot_sccm_addinreadiness.cab

NOTE
The location of this file is changing March 2, 2021 . For more information, see Download location change for Microsoft
365 Apps readiness file.
Internet connectivity isn't required for the client devices for any of these scenarios.
Enable data collection for Microsoft 365 Apps
(Introduced in version 1910 as a prerequisite)
Starting in version 1910, you'll need to enable data collection for Microsoft 365 Apps to populate information in
the Office 365 Pilot and Health Dashboard . The data is stored in the Configuration Manager site database
and not sent to Microsoft.
This data is different from the diagnostic data, which is described in Diagnostic data sent from Microsoft 365
Apps to Microsoft.
You can enable data collection either by using Group Policy or by editing the registry.
Enable data collection from Group Policy
1. Download the latest Administrative Template files from the Microsoft Download Center.
2. Enable the Turn on telemetry data collection policy setting under
User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Telemetry Dashboard .
Alternatively, apply the policy setting with the Office cloud policy service.
The policy setting is also used by the Office Telemetry Dashboard, which you don't need to deploy for
this data collection.
Enable data collection from the registry
The command below is an example of how to enable the data collection from the registry:

reg add HKCU\Software\Policies\Microsoft\office\16.0\OSM /v EnableLogging /t REG_DWORD /d 1

Viewing the Office 365 Client Management dashboard

To view the Office 365 Client Management dashboard in the Configuration Manager console, go to Software
Library > Overview > Office 365 Client Management . At the top of the dashboard, use the Collection
drop-down setting to filter the dashboard data by members of a specific collection. Beginning in Configuration
Manager version 1802, the dashboard displays a list of relevant devices when graph sections are selected.
The Office 365 Client Management dashboard provides charts for the following information:
Number of Microsoft 365 Apps clients
Microsoft 365 Apps client versions
Microsoft 365 Apps client languages
Microsoft 365 Apps client channels. For more information, see Overview of update channels for Microsoft
365 Apps.

Integration for Microsoft 365 Apps readiness

Starting in Configuration Manager version 1902, you can use the dashboard to identify devices with high
confidence that are ready to upgrade to Microsoft 365 Apps. This integration provides insights into potential
compatibility issues with add-ins and macros in your environment. Then use Configuration Manager to deploy
Microsoft 365 Apps to ready devices.
The Office 365 client management dashboard includes a tile, Office 365 Apps Upgrade Readiness . This tile
is a bar chart of devices in the following states:
Not assessed
Ready to upgrade
Needs review
Select a state to drill-through to a device list. This readiness report shows more detail about devices. It includes
columns for the compatibility state of both add-ins and macros.
Prerequisites for Microsoft 365 Apps readiness integration
Enable hardware inventory in client settings. For more information, see the Prerequisites section.
The device needs connectivity to the Office content delivery network (CDN) to download an add-in
readiness file. For more information, see Content delivery networks. If the device can't download this file,
the add-ins state is Needs review .

NOTE
No data is sent to Microsoft for this feature.

Detailed macro readiness

By default, the scanning agent looks at the most recently used (MRU) files list on each device. It counts the files
in this list that support macros. These files include the following types:
Macro-enabled Office file formats, such as Excel macro-enabled workbooks (.xlsm) or Word macro-enabled
document (.docm)
Older Office formats that don't indicate whether there's macro content. For example, an Excel 97-2003
workbook (.xls).
If you need more detailed information about macro compatibility, deploy the Readiness Toolkit for Office to
analyze the code within the macro files. It checks if there are any potential compatibility concerns. For example,
the file uses a function that changed in a more recent version of Office. After you run the Readiness Toolkit for
Office and select the option for Most recently used Office documents and installed add-ins on this
computer , or use the -mru flag in the command line, the results can be picked up by Configuration Manager's
hardware inventory agent. This additional data enhances the device readiness calculation. For more information,
see Use the Readiness Toolkit for Office to assess application compatibility for Microsoft 365 Apps.
Note that the Readiness Toolkit does not need to be installed on every target device in order to carry out the
scan. You can use the sample command line option below to scan each desired device. The output flag is
required, but the files will not be used to generate the results in the dashboard, so any valid location can be
selected.

ReadinessReportCreator.exe -mru -output c:\temp -silent

For more information, see Getting readiness information for multiple users in an enterprise.

Microsoft 365 Apps readiness dashboard

(Introduced in version 1906)
To help you determine which devices are ready to upgrade to Microsoft 365 Apps, there's a readiness dashboard
starting in version 1906. It includes the Office 365 Apps Upgrade Readiness tile that released in
Configuration Manager current branch version 1902. The following new tiles on this dashboard help you
evaluate add-in and macro readiness:
Deployment
Device readiness
Add-in readiness
Add-in support statements
Top add-ins by count of version
Number of devices that have macros
Macro readiness
Macro advisories
The following video is a session from Ignite 2019, which includes more information:
Best practices for compatibility assessment and Microsoft Office 365 upgrades using Office Readiness in
Configuration Manager
Using the Microsoft 365 Apps upgrade readiness dashboard
After verifying you have the prerequisites, use the following instructions to use the dashboard:
1. In the Configuration Manager console, go to the Software Library workspace, expand Office 365 Client
Management .
2. Select the Microsoft 365 Apps Upgrade Readiness node.
3. Change the Collection and Target Office Architecture to change the information relayed in the
dashboard.
Device Readiness information
Once the add-in and macro inventory on each device is evaluated, the devices are then grouped according to
the information. Devices whose status is listed as Ready to upgrade aren't likely to have any compatibility
issues.
Selecting the Ready to upgrade category on the graph shows more details about the devices in the limiting
collection. You can review the device list, make selections according to your business requirements, and create a
new device collection from your selection. Use your new collection to deploy Microsoft 365 Apps with
Configuration Manager.
Devices that might be at risk for compatibility issues are marked as Needs review . These devices may need
action to be taken before upgrading them to Microsoft 365 Apps. For example, you might update critical add-ins
to a more recent version.
Add-in information
On each device, an inventory of all installed add-ins is collected. The inventory is then compared with the
information Microsoft has about the add-in performance on Microsoft 365 Apps. If an add-in is found which is
likely to cause issues after upgrading, then all devices with the add-in are flagged for review.
Macro information
Configuration Manager looks at the most recently used files on each device. It counts the files in this list that
support macros, including the following types:
Macro-enabled Office file formats.
Older Office formats, which don't indicate if there's macro content.
This report can be used to identify which devices have recently used files which may contain macros. The
Readiness Toolkit for Office can then be deployed using Configuration Manager to scan any devices where
more detailed information is needed, and check if there are any potential compatibility concerns. For example, if
the file uses a function that changed in a more recent version of Microsoft 365 Apps.
For more information about how to carry out the scan, see Detailed macro readiness.

TIP
Macro inventory is populated by default based on the document extensions in the MRU. Macro compatibility and macro
status are populated once the Readiness Toolkit for Office scan runs on the device.

Office 365 Pilot and Health dashboard

(Introduced in version 1910)
Starting in version 1910, the Office 365 Pilot and Health Dashboard helps you plan, pilot, and perform
your Microsoft 365 Apps deployment. The dashboard provides health insights for devices with Microsoft 365
Apps to help identify possible issues that may affect your deployment plans. The Office 365 Pilot and Health
Dashboard provides a recommendation for pilot devices based on add-in inventory. The following tiles are in
the dashboard:
Generate pilot
Recommended pilot devices
Deploy pilot
Devices sending health data
Devices not meeting health goals
Add-ins not meeting health goals
Macros not meeting health goals
Using the Office 365 Pilot and Health dashboard
After verifying you have the prerequisites, use the following instructions to use the dashboard:
1. In the Configuration Manager console, go to the Software Library workspace, expand Office 365 Client
Management .
2. Select the Office 365 Pilot and Health node.
Generate pilot
Generate a pilot recommendation from a limiting collection at the click of a button. As soon as the action is
launched, a background task starts calculating your pilot collection. Your limiting collection must contain at least
one device with an Office version that isn't Office 365 Apps.
Recommended pilot devices
Recommended pilot devices are a minimal set of devices representing all installed add-ins across the
limiting collection you used when generating the pilot. Drill down to get a list of these devices. Then use the
details to exclude any devices from the pilot if needed. If all of your add-ins are already on Microsoft 365 Apps
devices, then devices with those add-ins won't be included in the calculation. This also means it's possible that
you won't get any results in your pilot collection since all of your add-ins have been seen on devices where
Microsoft 365 Apps is installed.
Deploy pilot
Once you accept your pilot devices, deploy Microsoft 365 Apps to the pilot collection using the phased
deployment wizard. Admins can define the pilot and limiting collection in the wizard to manage deployments.
Health data
Once Microsoft 365 Apps is installed, enable health data on your pilot devices. The health data gives you insight
into which add-ins and macros don't meet health goals. The Devices ready to deploy chart identifies non-
pilot devices that are ready for deployment by using the health insights. Get a count of devices that are sending
health data from the Devices sending health data chart.
Devices not meeting health goals
This tile summarizes devices that have issues with add-ins, macros, or both.
Add-ins not meeting health goals
Load failures: The add-in failed to start.
Crashes: The add-in failed while it was running.
Error: The add-in reported an error.
Multiple issues: The add-in has more than one of the above issues.
Macros not meeting health goals
Load failures: The document failed to load.
Runtime errors: An error happened while the macro was running. These errors can be dependent on the
inputs so may not always occur.
Compile errors: The macro didn't compile correctly so it won't attempt to run.
Multiple issues: The macro has more than one of the above issues.

NOTE
Macro inventory is populated by data from the Readiness Toolkit for Office and recently used data files. Macro health is
populated by health data. Due to the different data sources, it's possible for the macro health status to be Needs review
when the macro inventory is Not scanned .

Known issues
There is a known issue with the Deploy Pilot tile. At this time it can't be used to deploy to a pilot. The
workaround is the existing workflow for deploying an application using the Phased Deployment Wizard.

Next steps
Manage Microsoft 365 Apps updates with Configuration Manager
Manage Microsoft 365 Apps with Configuration Manager
9/17/2021 • 13 minutes to read

Applies to: Configuration Manager (current branch)

NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration
Manager console and supporting documentation while the console is being updated.
Configuration Manager lets you manage Microsoft 365 Apps in the following ways:
Deploy Microsoft 365 Apps: You can start the Microsoft 365 Apps Installer from the Office 365 Client
Management dashboard to make the initial Microsoft 365 Apps installation experience easier. The wizard
lets you configure Microsoft 365 Apps installation settings, download files from Office Content Delivery
Networks (CDNs), and create and deploy a script application with the content.
Deploy Microsoft 365 Apps updates: You can manage Microsoft 365 Apps client updates by using the
software update management workflow. When Microsoft publishes a new Microsoft 365 Apps update to
the Office Content Delivery Network (CDN), Microsoft also publishes an update package to Windows
Server Update Services (WSUS). After Configuration Manager synchronizes the Microsoft 365 Apps
updates from the WSUS catalog to the site server, the update is available to deploy to clients.
Starting in Configuration Manager version 2002, you can import Microsoft 365 Apps updates into
disconnected environments. For more information, see Synchronize Microsoft 365 Apps updates from
a disconnected software update point.
Add languages for Microsoft 365 Apps update downloads: You can add support for Configuration
Manager to download updates for any languages supported by Microsoft 365 Apps. Meaning
Configuration Manager doesn't have to support the language as long as Microsoft 365 Apps does. Prior
to Configuration Manager version 1610 you must download and deploy updates in the same languages
configured on Microsoft 365 Apps clients.
Change the update channel: You can use group policy to distribute a registry key value change to
Microsoft 365 Apps clients to change the update channel.
To review Microsoft 365 Apps client information and start some of these Microsoft 365 Apps management
actions, use the Office 365 Client Management dashboard.

Deploy Microsoft 365 Apps

Start the Microsoft 365 Apps Installer from the Office 365 Client Management dashboard for the initial
Microsoft 365 Apps installation. The wizard lets you configure Microsoft 365 Apps installation settings,
download files from the Office Content Delivery Networks (CDNs), and create and deploy a script application for
the files. Until Microsoft 365 Apps is installed on clients and the Microsoft 365 Apps automatic updates task
runs, Microsoft 365 Apps updates aren't applicable. For testing purposes, you can run the update task manually.
For previous Configuration Manager versions, you must take the following steps to install Microsoft 365 Apps
for the first time on clients:
Download Office Deployment Tool (ODT)
Download the Microsoft 365 Apps installation source files, including all of the language packs that you need.
Generate the Configuration.xml that specifies the correct Microsoft 365 Apps version and channel.
Create and deploy either a legacy package or a script application for clients to install Microsoft 365 Apps.
Requirements
The computer that runs the installer must have Internet access.
The user that runs the installer must have Read and Write access to the content location share provided in
the wizard.
If you receive a 404 download error, copy the following files to the user %temp% folder:
releasehistory.xml
o365client_32bit.xml
Limitations
Content-enabled cloud management gateways don't support content for Microsoft 365 Apps updates.
Deploy Microsoft 365 Apps using Configuration Manager version 1806 or higher:
Starting in Configuration Manager 1806, the Office Customization Tool is integrated with the installer in the
Configuration Manager console. When creating a deployment for Microsoft 365 Apps, you can dynamically
configure the latest manageability settings.
1. In the Configuration Manager console, navigate to Software Library > Overview > Office 365 Client
Management .
2. Select Office 365 Installer in the upper-right pane. The installation wizard opens.
3. On the Application Settings page, provide a name and description for the app, enter the download
location for the files, and then choose Next . The location must be specified as \\server\share.
4. On the Office Settings page, select Go to the Office Customization Tool . This will open the Office
Customization Tool for Click-to-Run.
5. Configure the desired settings for your Microsoft 365 Apps installation. Select Submit in the upper right of
the page when you complete the configuration.
6. On the Deployment page, determine if you would like to deploy now or at a later time. If you choose to
deploy later, you can find the application in Software Library > Application Management >
Applications .
7. Confirm the settings on the Summary page.
8. Select Next then Close once the wizard completes.
After you create and deploy Microsoft 365 Apps using the installer, Configuration Manager may not manage the
Microsoft 365 Apps updates by default. To enable Microsoft 365 Apps clients to receive updates from
Configuration Manager, see Deploy Microsoft 365 Apps updates with Configuration Manager.
After you deploy Microsoft 365 Apps, you can create automatic deployment rules to maintain the apps. To create
an automatic deployment rule for Microsoft 365 Apps, select Create an ADR from the Office 365 Client
Management dashboard. Select Office 365 Client when you choose the product. For more information, see
Automatically deploy software updates.

Drill through required Microsoft 365 Apps updates

(Introduced in version 1906)
You can drill through compliance statistics to see which devices require a specific Microsoft 365 Apps software
update. To view the device list, you need permission to view updates and the collections the devices belong to. To
drill down into the device list:
1. Go to Software Library > Office 365 Client Management > Office 365 Updates .
2. Select any update that is required by at least one device.
3. Look at the Summary tab and find the pie chart under Statistics .
4. Select the View Required hyperlink next to the pie chart to drill down into the device list.
5. This action takes you to a temporary node under Devices where you can see the devices requiring the
update. You can also take actions for the node such as creating a new collection from the list.

Deploy Microsoft 365 Apps updates

Use the following steps to deploy Microsoft 365 Apps updates with Configuration Manager:
1. Verify the requirements for using Configuration Manager to manage Microsoft 365 Apps client updates
in the Requirements for using Configuration Manager to manage Microsoft 365 Apps client
updates section of the article.
2. Configure software update points to synchronize the Microsoft 365 Apps client updates. Set Updates for
the classification and select Office 365 Client for the product. Synchronize software updates after you
configure the software update points to use the Updates classification.
3. Enable Microsoft 365 Apps clients to receive updates from Configuration Manager. Use Configuration
Manager client settings or group policy to enable the client.
Method 1 : Beginning in Configuration Manager version 1606, you can use the Configuration Manager
client setting to manage the Microsoft 365 Apps client agent. After you configure this setting and deploy
Microsoft 365 Apps updates, the Configuration Manager client agent communicates with the Microsoft
365 Apps client agent to download the updates from a distribution point and install them. Configuration
Manager takes inventory of Microsoft 365 Apps client settings.
a. In the Configuration Manager console, select Administration > Overview > Client Settings .
b. Open the appropriate device settings to enable the client agent. For more information about
default and custom client settings, see How to configure client settings.
c. Select Software Updates and choose Yes for the Enable management of the Office 365
Client Agent setting.
Method 2 : Enable Microsoft 365 Apps clients to receive updates from Configuration Manager by using
the Office Deployment Tool or Group Policy.
4. Deploy the Microsoft 365 Apps updates to clients.
If Microsoft 365 Apps was installed recently, then depending on how it was installed, the update channel might not be set yet. In that case, deployed updates are detected as not applicable. Microsoft 365 Apps setup creates a scheduled Office Automatic Updates task; that task needs to run at least once for the update channel to be set and for updates to be detected as applicable.
If Microsoft 365 Apps was installed recently and deployed updates aren't detected, for testing purposes you can start the Office Automatic Updates task manually and then start the Software Updates Deployment Evaluation Cycle on the client. For instructions on how to do this in a task sequence, see Updating Microsoft 365 Apps in a task sequence.

Restart behavior and client notifications for Microsoft 365 Apps updates

The client receives pop-up and in-app notifications, and a countdown dialog, before the update installs. If any Microsoft 365 Apps are running when the update is enforced, they aren't forced to close. Instead, the update install returns as requiring a system restart. For more information about notifications from Microsoft 365 Apps, see End-user update notifications for Microsoft 365 Apps.

Add languages for Microsoft 365 Apps update downloads


You can add support for Configuration Manager to download updates for any languages that are supported by
Microsoft 365 Apps.
Download updates for additional languages in version 1902, or later
Starting in Configuration Manager version 1902, the update workflow separates the 38 languages for Windows Update from the numerous additional languages for Office 365 Client Update.
To select the necessary languages, use the Language Selection page in the following locations:
Create Automatic Deployment Rule Wizard
Deploy Software Updates Wizard
Download Software Updates Wizard
Automatic Deployment Rule Properties
In the Language Selection page, select Office 365 Client Update, then select Edit. Add the needed languages for Microsoft 365 Apps, then choose OK.

To add support to download updates for additional languages in version 1902 and later
When new languages are added to Microsoft 365 Apps, they don't automatically appear in the content download languages; you can add them if needed. Use the following procedure on the software update point at the central administration site or stand-alone primary site:
1. From a command prompt, run wbemtest as an administrative user to open the Windows Management Instrumentation Tester.
2. Select Connect, and then type root\sms\site_<siteCode>.
3. Choose Query, and then run the following query: select * from SMS_SCI_Component where componentname ="SMS_WSUS_CONFIGURATION_MANAGER"
4. In the results pane, double-click the object with the site code for the central administration site or stand-alone primary site.
5. Select the Props property, select Edit Property, and then View Embedded.
6. Starting at the first query result, open each object until you find the one with AvailableUpdateLanguagesForO365 for the PropertyName property.
7. Select Value2 and choose Edit Property.
8. Add additional languages to the Value2 property and select Save Property. Languages are identified by their decimal locale ID (LCID). For example, to add en-gb (2057), es-mx (2058), and fr-ca (3084), you would type 2057, 2058, 3084.
9. Select Close, select Close, select Save Property, and then choose Save Object. If you select Close at this point instead, the values are discarded. Select Close, and then Exit to exit the Windows Management Instrumentation Tester.
10. In the Configuration Manager console, go to Software Library > Overview > Office 365 Client Management > Office 365 Updates.
11. When you download Microsoft 365 Apps updates, the updates are downloaded in the languages that you select in the wizard and configured in this procedure. To verify that the updates download in the correct languages, go to the package source for the update and find files with the new language code in the filename.
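The same change made from PowerShell, as an added example that isn't part of this article: the script reads the SMS_WSUS_CONFIGURATION_MANAGER component through the SMS Provider, merges the new locale IDs into the AvailableUpdateLanguagesForO365 property without duplicating IDs that are already there, writes the object back, and reads it again to confirm the write. The site code PS1 and the three locale IDs are assumptions to replace with your own. It needs Windows PowerShell 5.1 (Get-WmiObject) and rights to the SMS Provider on the site server of the central administration site or stand-alone primary site.

```powershell
# Added example: append Microsoft 365 Apps download languages to
# AvailableUpdateLanguagesForO365 on the SMS_WSUS_CONFIGURATION_MANAGER component
# through WMI, instead of editing the embedded property by hand in wbemtest.
# Requires Windows PowerShell 5.1 (Get-WmiObject) on the site server.
$SiteCode = 'PS1'                   # assumption: replace with your CAS or stand-alone primary site code
$AddLcids = @(2057, 2058, 3084)     # en-gb, es-mx, fr-ca (decimal LCIDs, as in the article's example)

$ns = "root\sms\site_$SiteCode"

# One SMS_SCI_Component row exists per site; filter on SiteCode as well as ComponentName
# so a provider connected to the CAS doesn't hand back the child sites' components too.
$filter = "ComponentName='SMS_WSUS_CONFIGURATION_MANAGER' AND SiteCode='$SiteCode'"
$component = Get-WmiObject -Namespace $ns -Class SMS_SCI_Component -Filter $filter
if (-not $component) { throw "SMS_WSUS_CONFIGURATION_MANAGER not found for site $SiteCode in $ns" }

# Props is an array of embedded SMS_EmbeddedProperty objects. Take a copy, edit the
# one property, and write the whole array back.
$props = $component.Props
$langProp = $props | Where-Object { $_.PropertyName -eq 'AvailableUpdateLanguagesForO365' }
if (-not $langProp) { throw 'AvailableUpdateLanguagesForO365 not present; synchronize the software update point first' }

# Value2 holds a comma-separated list of decimal LCIDs. Merge, de-duplicate and sort so the
# script is safe to re-run and never writes the same language twice.
$existing = @()
if ($langProp.Value2) {
    $existing = $langProp.Value2 -split '\s*,\s*' |
        Where-Object { $_ -match '^\d+$' } |
        ForEach-Object { [int]$_ }
}
$merged   = @($existing + $AddLcids | Sort-Object -Unique)
$newValue = ($merged | ForEach-Object { $_.ToString() }) -join ', '

Write-Host "Before: $($langProp.Value2)"
Write-Host "After : $newValue"

# Assign the edited embedded object back into the array and Put() the parent object.
# Editing $langProp without Put() on $component is the same mistake as choosing Close
# instead of Save Object in wbemtest: the change is discarded.
$langProp.Value2 = $newValue
$component.Props = $props
$null = $component.Put()

# Read back to confirm the write stuck.
$check = (Get-WmiObject -Namespace $ns -Class SMS_SCI_Component -Filter $filter).Props |
    Where-Object { $_.PropertyName -eq 'AvailableUpdateLanguagesForO365' }
Write-Host "Stored: $($check.Value2)"
if ($check.Value2 -ne $newValue) { throw 'Read-back differs from the value written' }
```

After it runs, continue from step 10 of the procedure above: download the Microsoft 365 Apps updates and check the package source for files carrying the new language codes.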

Updating Microsoft 365 Apps in a task sequence


When you use the Install Software Updates task sequence step to install Microsoft 365 Apps updates, it's possible that deployed updates are detected as not applicable. This might happen if the scheduled Office Automatic Updates task hasn't run at least once (see the note in Deploy Microsoft 365 Apps updates). For example, this might happen if Microsoft 365 Apps was installed immediately before this step runs.
To ensure that the update channel is set so that deployed updates are properly detected, use one of the following methods:
Method 1:
1. On a machine with the same version of Microsoft 365 Apps, open Task Scheduler (taskschd.msc) and identify the Microsoft 365 Apps automatic updates task. Typically, it's located under Task Scheduler Library > Microsoft > Office.
2. Right-click the automatic updates task and select Properties.
3. Go to the Actions tab and choose Edit. Copy the command and any arguments.
4. In the Configuration Manager console, edit your task sequence.
5. Add a new Run Command Line step before the Install Software Updates step in the task sequence. If Microsoft 365 Apps is installed as part of the same task sequence, make sure this step runs after Office is installed.
6. Paste in the command and arguments that you gathered from the Office automatic updates scheduled task.
7. Select OK.
Method 2:
1. On a machine with the same version of Microsoft 365 Apps, open Task Scheduler (taskschd.msc) and identify the Microsoft 365 Apps automatic updates task. Typically, it's located under Task Scheduler Library > Microsoft > Office.
2. In the Configuration Manager console, edit your task sequence.
3. Add a new Run Command Line step before the Install Software Updates step in the task sequence. If Microsoft 365 Apps is installed as part of the same task sequence, make sure this step runs after Office is installed.
4. In the command line field, enter the command line that runs the scheduled task. See the example below, making sure that the string in quotes matches the path and name of the task you identified in step 1.
Example: schtasks /run /tn "\Microsoft\Office\Office Automatic Updates 2.0"
Note that schtasks /run starts the task and returns immediately; it doesn't wait for the task to finish.
5. Select OK.
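An added example, not from this article or from the Office product team, that combines the manual test described in Deploy Microsoft 365 Apps updates with Method 2 above in one script: it finds the Office automatic updates task under \Microsoft\Office\ by name prefix, starts it, waits for it to finish (schtasks /run alone doesn't wait), and optionally triggers the client's Software Updates Deployment Evaluation Cycle. The task path, the "Office Automatic Updates*" name pattern, the five-minute wait bound and the use of client schedule ID {00000000-0000-0000-0000-000000000108} for the evaluation cycle are assumptions made for the example.

```powershell
# Added example: prime the Microsoft 365 Apps update channel before Install Software Updates.
# Save as a .ps1 and call it from a Run Command Line step, or run it by hand for testing.
param(
    [switch]$TriggerEvaluation,        # also kick off the client's Software Updates Deployment Evaluation Cycle
    [int]$WaitMinutes = 5              # assumption: upper bound so a hung task can't stall the task sequence
)

$taskPath = '\Microsoft\Office\'       # assumption: default location of the Office scheduled tasks
$task = Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'Office Automatic Updates*' } |   # e.g. "Office Automatic Updates 2.0"
    Select-Object -First 1
if (-not $task) {
    Write-Error "No 'Office Automatic Updates*' task under $taskPath. Is Microsoft 365 Apps installed yet?"
    exit 1
}

Write-Host "Starting scheduled task '$($task.TaskName)'"
Start-ScheduledTask -TaskName $task.TaskName -TaskPath $taskPath

# Poll until the task leaves the Running state or the wait bound expires.
$deadline = (Get-Date).AddMinutes($WaitMinutes)
do {
    Start-Sleep -Seconds 5
    $state = (Get-ScheduledTask -TaskName $task.TaskName -TaskPath $taskPath).State
} while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

$info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $taskPath
Write-Host ('Task state: {0}; last run: {1}; last result: 0x{2:X}' -f $state, $info.LastRunTime, $info.LastTaskResult)
if ($state -eq 'Running') {
    Write-Error "Task still running after $WaitMinutes minutes; not continuing"
    exit 1
}

if ($TriggerEvaluation) {
    # Schedule ID 108 is the Software Updates Deployment Evaluation Cycle on the ConfigMgr client.
    $scheduleId = '{00000000-0000-0000-0000-000000000108}'
    Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule -ArgumentList $scheduleId | Out-Null
    Write-Host "Triggered Software Updates Deployment Evaluation Cycle ($scheduleId)"
}
exit 0
```

For the Run Command Line step, use a command line such as powershell.exe -ExecutionPolicy Bypass -File <path to the script>, placed before Install Software Updates and after the step that installs Office. Pass -TriggerEvaluation only when testing by hand; in a task sequence the Install Software Updates step that follows evaluates the deployed updates itself.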

Update channels for Microsoft 365 Apps


When Office 365 ProPlus was renamed to Microsoft 365 Apps for enterprise, the update channels were also renamed. If you use an automatic deployment rule (ADR) to deploy updates, you need to change your ADRs if they rely on the Title property, because the names of the update packages in the Microsoft Update Catalog changed.
Before the change, the title of an update package for Office 365 ProPlus begins with "Office 365 Client Update", as in the following example:
Office 365 Client Update - Semi-annual Channel Version 1908 for x64 based Edition (Build 11929.20648)
For update packages released on and after June 9, 2020, the title begins with "Microsoft 365 Apps Update", as in the following example:
Microsoft 365 Apps Update - Semi-annual Channel Version 1908 for x64 based Edition (Build 11929.50000)
New channel name                           Previous channel name
Semi-Annual Enterprise Channel             Semi-Annual Channel
Semi-Annual Enterprise Channel (Preview)   Semi-Annual Channel (Targeted)
Monthly Enterprise Channel                 NA
Current Channel                            Monthly Channel
Current Channel (Preview)                  Monthly Channel (Targeted)
Beta Channel                               Insider
Note on Beta Channel: Beta Channel needs to be updated from the Office CDN on the internet instead of having Configuration Manager manage the update process. For more information, see Use Configuration Manager to install Office Insider builds.
For more information about how to modify your ADRs, see Automatically deploy software updates. For more information about the name change, see Name change for Office 365 ProPlus.
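An added example (not from this article) of handling both title conventions: a parser that splits an update title into product prefix, channel, version, architecture and build, and maps the previous channel names from the table above to the new names. The regular expression is built only from the two example titles on this page, and the third sample title (a Current Channel x86 package) is constructed for the example on the assumption that it follows the same shape; check real titles in Software Library before relying on the pattern.

```powershell
# Added example: parse Office 365 Client Update / Microsoft 365 Apps Update titles and
# normalize the channel to its post-rename name.

# Previous channel name -> new channel name, from the table above. PowerShell hashtable
# keys are case-insensitive, which matters because titles use "Semi-annual", not "Semi-Annual".
$channelMap = @{
    'Semi-Annual Channel'            = 'Semi-Annual Enterprise Channel'
    'Semi-Annual Channel (Targeted)' = 'Semi-Annual Enterprise Channel (Preview)'
    'Monthly Channel'                = 'Current Channel'
    'Monthly Channel (Targeted)'     = 'Current Channel (Preview)'
    'Insider'                        = 'Beta Channel'
}

function ConvertFrom-M365UpdateTitle {
    param([Parameter(Mandatory)][string]$Title)
    # Either product prefix, then " - <channel> Version <yymm> for <arch> based Edition (Build <n.n>)"
    $pattern = '^(?<product>Office 365 Client Update|Microsoft 365 Apps Update) - ' +
               '(?<channel>.+?) Version (?<version>\d{4}) for (?<arch>x64|x86) based Edition ' +
               '\(Build (?<build>\d+\.\d+)\)$'
    if ($Title -notmatch $pattern) { return $null }   # not a Microsoft 365 Apps update title
    $raw = $Matches.channel
    [pscustomobject]@{
        Product    = $Matches.product
        OldNaming  = ($Matches.product -eq 'Office 365 Client Update')
        RawChannel = $raw
        Channel    = if ($channelMap.ContainsKey($raw)) { $channelMap[$raw] } else { $raw }
        Version    = $Matches.version
        Arch       = $Matches.arch
        Build      = [version]$Matches.build
    }
}

# Constructed sample titles: the two from this article, plus an assumed post-rename
# Current Channel title shaped the same way.
$samples = @(
    'Office 365 Client Update - Semi-annual Channel Version 1908 for x64 based Edition (Build 11929.20648)',
    'Microsoft 365 Apps Update - Semi-annual Channel Version 1908 for x64 based Edition (Build 11929.50000)',
    'Microsoft 365 Apps Update - Current Channel Version 2008 for x86 based Edition (Build 13127.20408)'
)
$parsed = $samples | ForEach-Object { ConvertFrom-M365UpdateTitle $_ }
$parsed | Format-Table Product, OldNaming, RawChannel, Channel, Version, Arch, Build -AutoSize

# The portion of the title that survives the rename is everything after the product prefix.
# A Title criterion built on that portion (here: channel plus architecture) selects the same
# packages under both namings; one built on "Office 365 Client Update" stops matching after June 9, 2020.
$survivingFragment = 'Semi-annual Channel Version'
$bothNamings = $samples | Where-Object { $_ -like "*$survivingFragment*x64*" }
Write-Host "Titles matched across both namings: $($bothNamings.Count)"
```

Whether a given ADR keeps matching depends on how its Title criterion is written; the last lines show the approach of anchoring on the channel and architecture text rather than on the product prefix.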

Change the update channel after you enable Microsoft 365 Apps
clients to receive updates from Configuration Manager
After deploying Microsoft 365 Apps, you can change the update channel with Group Policy or the Office
Deployment Tool (ODT). For example, you can move a device from Semi-Annual Channel to Semi-Annual
Channel (Targeted). When changing the channel, Office is updated automatically without having to reinstall or
download the full version. For more information, see Change the Microsoft 365 Apps update channel for devices
in your organization.

Next steps
Use the Office 365 Client Management dashboard in Configuration Manager to review Microsoft 365 Apps
client information and deploy Microsoft 365 Apps. For more information, see Office 365 Client Management
dashboard.
Optimize Windows 10 update delivery with Configuration Manager
9/17/2021 • 13 minutes to read

Applies to: Configuration Manager (current branch)

For many customers, a successful path to getting and staying current with Windows 10 monthly updates starts
with a good content distribution strategy using Configuration Manager. The size of the monthly quality updates
can be a cause of concern for large organizations. There are a few technologies available that are intended to
help reduce bandwidth and network load to optimize update delivery. This article explains these technologies,
compares them, and provides recommendations to help you make decisions on which one to use.
Windows 10 provides several types of updates. For more information, see Update types in Windows Update for
Business. This article focuses on Windows 10 quality updates with Configuration Manager.

Express update delivery


Windows 10 quality update downloads can be large. Every package contains all previously released fixes to
ensure consistency and simplicity. Microsoft has been able to reduce the size of Windows 10 update content that
each client downloads with a feature called express. Express is used today by millions of devices that pull
updates directly from the Windows Update service and significantly reduces the download size. This benefit is
also available to customers whose clients don't directly download from the Windows Update service.
Configuration Manager added support for express installation files of Windows 10 quality updates in version
1702. However, for the best experience it's recommended that you use Configuration Manager version 1802 or
later. For the best performance in download speeds, it's also recommended that you use Windows 10, version
1703 or later.

NOTE
The express version content is considerably larger than the full-file version. An express installation file contains all of the
possible variations for each file it's meant to update. As a result, the required amount of disk space increases for updates
in the update package source and on distribution points when you enable express support in Configuration Manager.
Even though the disk space requirement on the distribution points increases, the content size that clients download from
these distribution points decreases. Clients only download the bits they require (deltas) but not the whole update.

Peer-to-peer content distribution


Even when clients download only the parts of the content that they require, you can further expedite Windows updates in your environment by using peer-to-peer content distribution. Using peers as a download source for quality updates is beneficial in environments where local distribution points aren't present in remote offices, because it avoids every client downloading content from a remote distribution point across a slow WAN link. Using peers is also beneficial when clients fall back to the Windows Update service: only one peer needs to download the update content from the cloud before making it available to other devices.
Configuration Manager supports many peer-to-peer technologies, including the following:
Windows Delivery Optimization
Configuration Manager peer cache
Windows BranchCache
The next sections provide further information on these technologies.
Windows Delivery Optimization
Delivery Optimization is the main download technology and peer-to-peer distribution method built into
Windows 10. Windows 10 clients can get content from other devices on their local network that download the
same updates. Using the Windows options available for Delivery Optimization, you can configure clients into
groups. This grouping allows your organization to identify devices that are possibly the best candidates to fulfill
peer-to-peer requests. Delivery Optimization significantly reduces the overall bandwidth that's used to keep
devices up-to-date while speeding up the download time.

NOTE
Delivery Optimization is a cloud-managed solution. Internet access to the Delivery Optimization cloud service is a
requirement to utilize its peer-to-peer functionality. For information about the needed internet endpoints, see Frequently
asked questions for Delivery Optimization.

For the best results, you may need to set the Delivery Optimization download mode to Group (2) and define
Group IDs. In group mode, peering can cross internal subnets between devices that belong to the same group
including devices in remote offices. Use the Group ID option to create your own custom group independently of
domains and AD DS sites. Group download mode is the recommended option for most organizations looking to
achieve the best bandwidth optimization with Delivery Optimization.
Manually configuring these Group IDs is challenging when clients roam across different networks. Configuration
Manager version 1802 added a new feature to simplify management of this process by integrating boundary
groups with Delivery Optimization. When a client wakes up, it talks to its management point to get policies, and
provides its network and boundary group information. Configuration Manager creates a unique ID for every
boundary group. The site uses the client's location information to automatically configure the client's Delivery
Optimization Group ID with the Configuration Manager boundary ID. When the client roams to another
boundary group, it talks to its management point, and is automatically reconfigured with a new boundary group
ID. With this integration, Delivery Optimization can utilize the Configuration Manager boundary group
information to find a peer from which to download updates.
Delivery Optimization starting in version 1910
Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all
Windows update content for clients running Windows 10 version 1709 or later, not just express installation files.
To use Delivery Optimization for all Windows update installation files, enable the following software updates
client settings:
Allow clients to download delta content when available set to Yes.
Port that clients use to receive requests for delta content set to 8005 (default) or a custom port number.

IMPORTANT
Delivery Optimization must be enabled (default) and not bypassed. For more information, see Windows Delivery
Optimization reference.
Verify your Delivery Optimization client settings when changing your software updates client settings for delta
content.

Limitations
Delivery Optimization can't be used for Microsoft 365 Apps client updates if Office COM is enabled.
Office COM is used by Configuration Manager to manage updates for Microsoft 365 Apps clients. You
can deregister Office COM to allow the use of Delivery Optimization for Microsoft 365 Apps updates.
When Office COM is disabled, software updates for Microsoft 365 Apps are managed by the default
Office Automatic Updates 2.0 scheduled task. This means that Configuration Manager doesn't dictate or
monitor the installation process for Microsoft 365 Apps updates. Configuration Manager will continue to
collect information from hardware inventory to populate Office 365 Client Management Dashboard in
the console. For information about how to deregister Office COM, see Enable Office 365 clients to receive
updates from the Office CDN instead of Configuration Manager.
When using a CMG for content storage, the content for third-party updates won't download to clients if
the Download delta content when available client setting is enabled.
Download of feature updates for Windows 10 can take a long time, depending on the network and on whether additional content is determined to be needed for installation. This additional download time can also cause the installation to fail because it exceeds the maximum run time.
Configuration recommendations for clients downloading delta content
When the Allow clients to download delta content when available client setting is enabled on clients for
software update content, there are limitations in the distribution point fallback behavior. To ensure these clients
can properly download software update content, we recommend the following configurations:
Ensure that clients are in a boundary group and that there's a reliable distribution point that has the needed
content associated with that boundary group.
Deploy software updates with fallback to Microsoft Update enabled for clients that are able to download
directly from the internet.
The deployment setting for this fallback behavior is If software updates are not available on
distribution point in current, neighbor or site boundar y groups, download content from
Microsoft Updates and it's found on the Download Settings page. For more information, see
Deploy software updates.
If neither of the above options is viable, you can disable Allow clients to download delta content when available in the client settings to restore the normal fallback behavior. Delivery Optimization peering isn't used in this case, because the client doesn't use the delta channel.

TIP
Starting in Configuration Manager version 2010, if delta content is unavailable from distribution points in the current boundary group, clients can immediately fall back to a neighbor boundary group or the site default. For more information, see Client settings for software updates.

Configuration Manager peer cache


Peer cache is a feature of Configuration Manager that enables clients to share content with other clients directly from their local Configuration Manager cache. Peer cache doesn't replace other peer caching solutions like Windows BranchCache. It works together with them to provide more options for extending traditional content deployment solutions such as distribution points. Peer cache doesn't rely upon BranchCache; if you don't enable or use BranchCache, peer cache still works.

NOTE
Clients can only download content from peer cache clients that are in their current boundary group.

Windows BranchCache
BranchCache is a bandwidth optimization technology in Windows. Each client has a cache, and acts as an
alternate source for content. Devices on the same network can request this content. Configuration Manager can
use BranchCache to allow peers to source content from each other versus always having to contact a
distribution point. Using BranchCache, files are cached on each individual client, and other clients can retrieve
them as needed. This approach distributes the cache rather than having a single point of retrieval. This behavior
saves a significant amount of bandwidth, while reducing the time for clients to receive the requested content.

Selecting the right peer caching technology


Selecting the right peer caching technology for express installation files depends upon your environment and
requirements. Even though Configuration Manager supports all of the above peer-to-peer technologies, you
should use those that make the most sense for your environment. For most customers, assuming clients can
meet the internet requirements for Delivery Optimization, the Windows 10 built-in peer caching with Delivery
Optimization should be sufficient. If your clients can't meet these internet requirements, consider using the
Configuration Manager peer cache feature. If you're currently using BranchCache with Configuration Manager
and it meets all your needs, then express files with BranchCache may be the right option for you.
Peer cache comparison chart
The following list compares the three technologies by function.
Supported across subnets. Delivery Optimization: Yes. Peer cache: Yes. BranchCache: No.
Bandwidth throttling. Delivery Optimization: Yes (native). Peer cache: Yes (via BITS). BranchCache: Yes (via BITS).
Partial content support. Delivery Optimization: Yes, for all of its supported content types listed below. Peer cache: Only for Microsoft 365 Apps and express updates. BranchCache: Yes, for all of its supported content types listed below.
Supported content types. Delivery Optimization, through ConfigMgr: express updates, and all Windows updates starting in version 1910 (this doesn't include Microsoft 365 Apps updates); through the Microsoft cloud: Windows and security updates, drivers, Windows Store apps, and Windows Store for Business apps. Peer cache: All ConfigMgr content types, including images. BranchCache: All ConfigMgr content types, except images downloaded in Windows PE.
Cache size on disk control. Delivery Optimization: Yes. Peer cache: Yes. BranchCache: Yes.
Discovery of a peer source. Delivery Optimization: Automatic. Peer cache: Manual (client agent setting). BranchCache: Automatic.
Peer discovery. Delivery Optimization: Via the Delivery Optimization cloud service (requires internet access). Peer cache: Via the management point (based on client boundary groups). BranchCache: Multicast.
Reporting. Delivery Optimization: Update Compliance. Peer cache: ConfigMgr client data sources dashboard. BranchCache: ConfigMgr client data sources dashboard.
WAN usage control. Delivery Optimization: Yes (native, can be controlled via group policy settings). Peer cache: Boundary groups. BranchCache: Subnet support only.
Management through ConfigMgr. Delivery Optimization: Partial (client agent setting). Peer cache: Yes (client agent setting). BranchCache: Yes (client agent setting).

Conclusion
Microsoft recommends that you optimize Windows 10 quality update delivery using Configuration Manager
with express installation files and a peer caching technology, as needed. This approach should alleviate the
challenges associated with Windows 10 devices downloading large content for installing quality updates.
Keeping Windows 10 devices current by deploying quality updates each month is also recommended. This
practice reduces the delta of quality update content needed by devices each month. Reducing this content delta
causes smaller size downloads from distribution points or peer sources.
Due to the nature of express installation files, their content size is considerably larger than traditional self-
contained files. This size results in longer update download times from the Windows Update service to the
Configuration Manager site server. The amount of disk space required for both the site server and distribution
points also increases. The total time required to download and distribute quality updates could be longer.
However, the device-side benefits should be noticeable during the download and installation of quality updates
by the Windows 10 devices. For more information, see Using Express Installation Files.
If the server-side tradeoffs of larger-size updates are blockers for the adoption of express support, but the
device-side benefits are critical to your business and environment, Microsoft recommends that you use
Windows Update for Business with Configuration Manager. Windows Update for Business provides all of the
benefits of express without the need to download, store, and distribute express installation files throughout your
environment. Clients download content directly from the Windows Update service, thus can still use Delivery
Optimization.

Frequently asked questions


How do Windows express downloads work with Configuration Manager?
The Windows update agent (WUA) requests express content first. If it fails to install the express update, it can fall
back to the full-file update.
1. The Configuration Manager client tells WUA to download the update content. When WUA initiates an
express download, it first downloads a stub (for example, Windows10.0-KB1234567-<platform>-express.cab ),
which is part of the express package.
2. WUA passes this stub to the Windows update installer, component-based servicing (CBS). CBS uses the
stub to do a local inventory, comparing the deltas of the file on the device with what is needed to get to
the latest version of the file being offered.
3. CBS then asks WUA to download the required ranges from one or more express .psf files.
4. If Delivery Optimization is enabled and peers are discovered to have the needed ranges, the client will
download from peers independently of the ConfigMgr client. If Delivery Optimization is disabled or no
peers have the needed ranges, the ConfigMgr client will download these ranges from a local distribution
point (or a peer or Microsoft Update). The ranges are passed to the Windows Update Agent which makes
them available to CBS to apply the ranges.
Why are the express files (.psf ) so large when stored on Configuration Manager peer sources in the ccmcache folder?
The express files (.psf) are sparse files. To determine the actual space being used on disk by the file, check the
Size on disk property of the file. The Size on disk property should be considerably smaller than the Size value.
Does Configuration Manager support express installation files with Windows 10 feature updates?
No, Configuration Manager currently only supports express installation files with Windows 10 quality updates.
How much disk space is needed per quality update on the site server and distribution points?
It depends. For each quality update, both the full-file and express version of the update are stored on servers.
Windows 10 quality updates are cumulative, so the size of these files increases each month. Plan for a minimum
of 5 GB per update per language.
Do Configuration Manager clients still benefit from express installation files when falling back to the Windows Update service?
Yes. If you use the following software update deployment option, then clients still use express updates and
Delivery Optimization when they fall back to the cloud service:
If software updates are not available on distribution point in current, neighbor or site groups,
download content from Microsoft Updates
Why is express file content not downloaded for existing updates after I enable express file support?
The changes only take effect for any new updates synchronized and deployed after enabling support.
Is there any way to see how much content is downloaded from peers using Delivery Optimization?
Windows 10, version 1703 (and later) includes two PowerShell cmdlets, Get-DeliveryOptimizationPerfSnap and Get-DeliveryOptimizationStatus. These cmdlets provide more insight into Delivery Optimization and cache usage. For more information, see Delivery Optimization for Windows 10 updates.
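An added example, not part of this article, that ties the two cmdlets to the settings discussed earlier (the Group download mode and Group ID, the requirement that Delivery Optimization isn't bypassed, and the local delta-content listener): run on a Windows 10 client, it reports the Delivery Optimization download mode and Group ID set by policy, checks whether anything is listening on the delta-content port, and summarizes how many bytes of tracked downloads came from peers versus HTTP. It assumes the policy values live under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization (DODownloadMode and DOGroupId), that the delta port is the default 8005, and that Get-DeliveryOptimizationStatus exposes TotalBytesDownloaded, BytesFromPeers and BytesFromHttp per file.

```powershell
# Added example: client-side check of Delivery Optimization configuration and peer usage.
param([int]$DeltaPort = 8005)     # the client setting's default delta-content port

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
# Download mode values: 0 HTTP only, 1 LAN, 2 Group, 3 Internet, 99 Simple, 100 Bypass
$modeNames = @{ 0 = 'HTTP only'; 1 = 'LAN'; 2 = 'Group'; 3 = 'Internet'; 99 = 'Simple'; 100 = 'Bypass' }

# 1. Download mode and Group ID as set by policy (absent means DO is using its own default)
$mode    = (Get-ItemProperty -Path $policyKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
$groupId = (Get-ItemProperty -Path $policyKey -Name DOGroupId      -ErrorAction SilentlyContinue).DOGroupId
if ($null -eq $mode) {
    $modeText = 'not set by policy'
} else {
    $name = if ($modeNames.ContainsKey([int]$mode)) { $modeNames[[int]$mode] } else { 'unknown value' }
    $modeText = "$mode ($name)"
}
Write-Host "DODownloadMode : $modeText"
Write-Host "DOGroupId      : $(if ($groupId) { $groupId } else { 'not set by policy' })"
if ($mode -eq 100) {
    Write-Warning 'Download mode 100 (Bypass) disables Delivery Optimization; delta content from ConfigMgr will not use it.'
}
if ($mode -eq 2 -and -not $groupId) {
    Write-Warning 'Group mode with no DOGroupId from policy. Expected if Configuration Manager 1802 or later supplies the boundary group ID; otherwise define one.'
}

# 2. Is anything listening locally on the delta-content port? (loopback-only traffic, no firewall rule needed)
$listener = Get-NetTCPConnection -LocalPort $DeltaPort -State Listen -ErrorAction SilentlyContinue
$listenerText = if ($listener) { 'present' } else { 'absent' }
Write-Host ("Delta listener on TCP {0}: {1}" -f $DeltaPort, $listenerText)

# 3. Peer share of the downloads Delivery Optimization has tracked
$status = Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue
if ($status) {
    $status | Select-Object FileId, Status, DownloadMode,
        @{ n = 'MB_Total'; e = { [math]::Round($_.TotalBytesDownloaded / 1MB, 1) } },
        @{ n = 'MB_Peers'; e = { [math]::Round($_.BytesFromPeers / 1MB, 1) } },
        @{ n = 'MB_HTTP';  e = { [math]::Round($_.BytesFromHttp / 1MB, 1) } } |
        Format-Table -AutoSize
    $total = ($status | Measure-Object TotalBytesDownloaded -Sum).Sum
    $peers = ($status | Measure-Object BytesFromPeers -Sum).Sum
    if ($total -gt 0) {
        Write-Host ('Peer share of tracked downloads: {0:P1}' -f ($peers / $total))
    }
} else {
    Write-Host 'No Delivery Optimization download records on this device.'
}

# 4. Overall performance snapshot, including the reason for the effective download mode
Get-DeliveryOptimizationPerfSnap | Format-List
```

A peer share near zero on a device whose neighbors have already installed the same update usually points at one of the three conditions checked first: a bypassed download mode, no usable Group ID, or the delta listener not running because the delta client settings haven't reached the device.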
How do clients communicate with Delivery Optimization over the network?
For more information about the network ports, proxy requirements, and hostnames for firewalls, see FAQs for
Delivery Optimization.

Log files
Use the following log files to monitor delta downloads:
WUAHandler.log
DeltaDownload.log

Next steps
Deploy software updates
Automatically deploy software updates
Manage express installation files for Windows 10 updates
9/17/2021 • 3 minutes to read

Configuration Manager supports express installation files for Windows 10 updates. Configure the client to
download only the changes between the current month's Windows 10 cumulative quality update and the
previous month's update. Without express installation files, Configuration Manager clients download the full
Windows 10 cumulative update each month, including all updates from previous months. Using express
installation files provides for smaller downloads and faster installation times on clients.
To learn how to use Configuration Manager to manage update content to stay current with Windows 10, see
Optimize Windows 10 update delivery.

IMPORTANT
The OS client support is available in Windows 10, version 1607, with an update to the Windows Update Agent. This
update is included with the updates released on April 11, 2017. For more information about these updates, see support
article 4015217. Future updates leverage express for smaller downloads. Prior versions of Windows 10, and Windows 10
version 1607 without this update don't support express installation files.

Enable the site to download express installation files for Windows 10 updates

To start synchronizing the metadata for Windows 10 express installation files, enable it in the properties of the
software update point.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
2. Select the central administration site or the stand-alone primary site.
3. In the ribbon, click Configure Site Components , and then click Software Update Point . Switch to the
Update Files tab, and select Download both full files for all approved updates and express
installation files for Windows 10 .

NOTE
You can't configure the software update point component to only download express updates. The site downloads the
express installation files in addition to the full files. This increases the amount of content stored in the content library, and
distributed to and stored on your distribution points.

TIP
To determine the actual space being used on disk by the file, check the Size on disk property of the file. The Size on disk
property should be considerably smaller than the Size value. For more information, see FAQs to optimize Windows 10
update delivery.

Enable clients to download and install express installation files


To enable express installation files support on clients, enable express installation files in the Software Updates
group of client settings. This setting creates a new HTTP listener that listens for requests to download express
installation files on the port that you specify.

NOTE
This is a local port that clients use to listen for requests from Delivery Optimization or Background Intelligent Transfer
Service (BITS) to download express content from the distribution point. You don't need to open this port on firewalls
because all traffic is on the local computer.

Once you deploy client settings to enable this functionality on the client, it attempts to download the delta
between the current month's Windows 10 cumulative update and the previous month's update. Clients must run
a version of Windows 10 that supports express installation files.
1. Enable support for express installation files in the properties of the software update point component
(previous procedure).
2. In the Configuration Manager console, go to the Administration workspace, and select Client Settings .
3. Select the appropriate client settings, and click Properties on the ribbon.
4. Select the Software Updates group. Set Enable installation of Express Updates on clients to Yes. Configure Port used to download content for Express Updates with the port used by the HTTP listener on the client.
In version 1902, Enable installation of Express Updates on clients was renamed Allow clients to download delta content when available.
In version 1902, Port used to download content for Express Updates was renamed Port that clients use to receive requests for delta content.

Next steps
Deploy software updates
Manage Surface drivers with Configuration Manager
9/17/2021 • 9 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager allows you to synchronize drivers for Surface devices and deploy them like a software
update. This functionality allows you to ensure that your Surface devices are running the latest available drivers.
This synchronization was first introduced in version 1706 as a pre-release feature and it became a feature in
1710.

Prerequisites for synchronizing Surface drivers


An internet connected top-level software update point.
All software update points must run Windows Server 2016 with cumulative update KB4025339 or later
installed.
In version 2006 and earlier, Configuration Manager doesn't enable this optional feature by default. Enable
this feature before using it. For more information, see Enable optional features from updates.

Enable sync for Surface drivers


To enable synchronization of Surface drivers, do following steps:
1. Connect the Configuration Manger console to the top-level site server.
2. Go to Administration > Site Configuration > Sites , then click on your top-level site.
3. In the ribbon, select Settings > Configure Site Components > Software Update Point .
4. Click on the Classifications tab, then click the checkbox for Include Microsoft Surface drivers and
firmware updates and click Apply .
5. In the Software Update Point Component Properties, click the Products tab. For more information, see
the Products for Surface drivers and Surface Models sections.
6. Select the products for each version of Windows 10 for which you would like to support Surface drivers.
You'll notice that there are two different versions of each of the products for drivers:
Windows 10 version Update and later Servicing Drivers
Windows 10 version Update and later Upgrade & Servicing Drivers.
7. When you have finished selecting the products, click OK .
8. Synchronize your software update point to bring the Surface drivers into Configuration Manager.
9. Once the Surface drivers are synchronized, deploy them in the same manner as you deploy other
updates.
Products for Surface drivers
Most drivers belong to the following product groups:
Windows 10 and later version drivers
Windows 10 and later Upgrade & Servicing Drivers
Windows 10 Anniversary Update and Later Servicing Drivers
Windows 10 Anniversary Update and Later Upgrade & Servicing Drivers
Windows 10 Creators Update and Later Servicing Drivers
Windows 10 Creators Update and Later Upgrade & Servicing Drivers
Windows 10 Fall Creators Update and Later Servicing Drivers
Windows 10 Fall Creators Update and Later Upgrade & Servicing Drivers
Windows 10 S and Later Servicing Drivers
Windows 10 S Version 1709 and Later Servicing Drivers for testing
Windows 10 S Version 1709 and Later Upgrade & Servicing Drivers for testing
Windows 10 S Version 1803 and Later Servicing Drivers
Windows 10 S Version 1803 and Later Upgrade & Servicing Drivers
Windows 10 S version 1809 and later, Servicing Drivers
Windows 10 S version 1809 and later, Upgrade & Servicing Drivers
Windows 10 S version 1903 and later, Servicing Drivers
Windows 10 S version 1903 and later, Upgrade & Servicing Drivers
Windows 10 Version 1803 and Later Servicing Drivers
Windows 10 Version 1803 and Later Upgrade & Servicing Drivers
Windows 10 version 1809 and later, Servicing Drivers
Windows 10 Version 1809 and later, Upgrade & Servicing Drivers
Windows 10 version 1903 and later, Servicing Drivers
Windows 10 Version 1903 and later, Upgrade & Servicing Drivers
NOTE
Most Surface drivers belong to multiple Windows 10 product groups. You may not have to select all the products that are
listed here. To help reduce the number of products that populate your Update Catalog, we recommend that you select
only the products that are required by your environment for synchronization.
Surface models
The following table contains the Surface models and versions of Windows 10 on which Configuration Manager
can install drivers. Surface driver updates aren't available in Configuration Manager the same day they're
published to the Microsoft Update catalog. Configuration Manager maintains its own list of which Surface
drivers it will import. Devices needing Windows 10 S products are noted. Microsoft aims to get the Surface
drivers added to the allow list on the second Tuesday each month to make them available for synchronization to
Configuration Manager. For more information, see Frequently asked questions.
| Surface model | Windows 10 1709 | Windows 10 1803 | Windows 10 1809 | Windows 10 1903 | Windows 10 1909 | Windows 10 2004 | Windows 10 20H2 |
|---|---|---|---|---|---|---|---|
| Surface Pro 3 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Surface Pro 4 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Surface Pro 6 | N/A | Yes | Yes | Yes | Yes | Yes | Yes |
| Surface Pro 7 | N/A | N/A | N/A | Yes | Yes | Yes | Yes |
| Surface Pro 7+ | N/A | N/A | N/A | N/A | N/A | N/A | Yes |
| Surface Pro X | N/A | N/A | N/A | Yes | Yes | Yes | Yes |
| Surface Pro X with SQ2 chip | N/A | N/A | N/A | N/A | N/A | Yes | Yes |
| Surface Book | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Surface Book 2 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Surface Book 3 | N/A | N/A | N/A | Yes | Yes | Yes | Yes |
| Surface Laptop | Yes, with the product "Windows 10 S version 1709 and later Servicing drivers" selected | Yes, with the product "Windows 10 S version 1803 and later Servicing drivers" selected | Yes, with the product "Windows 10 S version 1809 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected |
| Surface Laptop 2 | N/A | Yes | Yes | Yes | Yes | Yes | Yes |
| Surface Laptop 3 | N/A | N/A | N/A | Yes | Yes | Yes | Yes |
| Surface Go | N/A | Yes, with the product "Windows 10 S version 1803 and later Servicing drivers" selected | Yes, with the product "Windows 10 S version 1809 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected |
| Surface Go 2 | N/A | N/A | Yes | Yes | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected | Yes, with the product "Windows 10 S version 1903 and later Upgrade & Servicing drivers" selected |
| Surface Laptop Go | N/A | N/A | N/A | N/A | N/A | Yes | Yes |
| Surface Studio | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Surface Studio 2 | N/A | Yes | Yes | Yes | Yes | Yes | Yes |

Verify the configuration
To verify the software update point is configured correctly, use the WsyncMgr.log and the WCM.log .
1. Open WsyncMgr.log and check for the following log entries:

Surface Drivers can be supported in this hierarchy since all software update points are on Windows Server 2016, WCM SCF property Sync Catalog Drivers is set.
Sync Catalog Drivers SCF value is set to : 1

2. If either of the following entries are logged in WsyncMgr.log , double check that you selected the
Include Microsoft Surface drivers and firmware updates option in the properties of your software
update point:
Sync Surface Drivers option is not set
Sync Catalog Drivers SCF value is set to : 0
3. Open WCM.log and look for items resembling the following entries:

<Categories>
<Category Id="Product:05eebf61-148b-43cf-80da-1c99ab0b8699"><![CDATA[Windows 10 and later drivers]]></Category>
<Category Id="Product:06da2f0c-7937-4e28-b46c-a37317eade73"><![CDATA[Windows 10 Creators Update and Later Upgrade & Servicing Drivers]]></Category>
<Category Id="Product:c1006636-eab4-4b0b-b1b0-d50282c0377e"><![CDATA[Windows 10 S and Later Servicing Drivers]]></Category>
… …
</Categories>

This entry is an XML element that lists every product group and classification that's currently
synchronized by your software update point server. If you can't find the products that you've selected,
double-check the products for the software update point are saved.
4. You can also wait until the next synchronization finishes, then check whether the Surface driver and
firmware updates are listed under Software Updates in the Configuration Manager console.
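The log checks in steps 1 through 3 can be scripted. The following PowerShell function is an added example, not part of this documentation or of Configuration Manager itself: it reads the text of WsyncMgr.log and WCM.log, looks for the "Sync Catalog Drivers" value and the subscribed Product categories, and reports whether the products you selected are actually being synchronized. The two log excerpts embedded below are constructed from the entries quoted above so that the function runs offline; the default installation path in the trailing comment and the product name used as the default expected value are assumptions.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Sample log text constructed from the entries quoted in this article.
$wsyncMgrSample = @'
Surface Drivers can be supported in this hierarchy since all software update points are on Windows Server 2016, WCM SCF property Sync Catalog Drivers is set.
Sync Catalog Drivers SCF value is set to : 1
'@

$wcmSample = @'
<Categories>
<Category Id="Product:05eebf61-148b-43cf-80da-1c99ab0b8699"><![CDATA[Windows 10 and later drivers]]></Category>
<Category Id="Product:06da2f0c-7937-4e28-b46c-a37317eade73"><![CDATA[Windows 10 Creators Update and Later Upgrade & Servicing Drivers]]></Category>
<Category Id="Product:c1006636-eab4-4b0b-b1b0-d50282c0377e"><![CDATA[Windows 10 S and Later Servicing Drivers]]></Category>
</Categories>
'@

function Test-SurfaceDriverSyncConfig {
    param(
        [Parameter(Mandatory)][string]$WsyncMgrLog,   # text of WsyncMgr.log
        [Parameter(Mandatory)][string]$WcmLog,        # text of WCM.log
        # Products you selected on the Products tab; the default is only an illustration.
        [string[]]$ExpectedProducts = @('Windows 10 S and Later Servicing Drivers')
    )

    # Steps 1 and 2: the SCF property must read 1. A value of 0 or the
    # "option is not set" message means the Classifications checkbox was not saved.
    $scfSet   = $WsyncMgrLog -match 'Sync Catalog Drivers SCF value is set to : 1'
    $scfUnset = $WsyncMgrLog -match 'Sync Surface Drivers option is not set|Sync Catalog Drivers SCF value is set to : 0'

    # Step 3: pull every <Category Id="Product:GUID"><![CDATA[Name]]> entry out of WCM.log.
    $pattern = '<Category Id="Product:(?<id>[0-9a-fA-F-]{36})"><!\[CDATA\[(?<name>[^\]]+)\]\]>'
    $subscribed = foreach ($m in [regex]::Matches($WcmLog, $pattern)) {
        [pscustomobject]@{ Id = $m.Groups['id'].Value; Name = $m.Groups['name'].Value }
    }
    $subscribedNames = @($subscribed | ForEach-Object Name)
    $missing = @($ExpectedProducts | Where-Object { $_ -notin $subscribedNames })

    [pscustomobject]@{
        DriverSyncEnabled  = ($scfSet -and -not $scfUnset)
        SubscribedProducts = $subscribedNames
        MissingProducts    = $missing
        Ready              = ($scfSet -and -not $scfUnset -and $missing.Count -eq 0)
    }
}

# Run against the constructed samples. On the site server, read the real logs instead, e.g.
# Get-Content -Raw 'C:\Program Files\Microsoft Configuration Manager\Logs\WsyncMgr.log'
# (default installation path, adjust to yours).
Test-SurfaceDriverSyncConfig -WsyncMgrLog $wsyncMgrSample -WcmLog $wcmSample | Format-List
```

With the samples above, DriverSyncEnabled and Ready are both True and MissingProducts is empty. Pass the names of every product you selected in step 6 as ExpectedProducts; a non-empty MissingProducts list means the Products tab was not saved or the synchronization that writes the category list has not run yet.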
Frequently asked questions (FAQ)
After I follow the steps in this article, my Surface drivers are still not synchronized. Why?
If you synchronize from an upstream Windows Server Update Services (WSUS) server, instead of Microsoft
Update, make sure that the upstream WSUS server is configured to support and synchronize Surface driver
updates. All downstream servers are limited to updates that are present in the upstream WSUS server database.
There are more than 68,000 updates that are classified as drivers in WSUS. To prevent non-Surface related
drivers from synchronizing to Configuration Manager, Microsoft filters driver synchronization against an allow
list. After the new allow list is published and incorporated into Configuration Manager, the new drivers are
added to the console following the next synchronization. Microsoft aims to get the Surface drivers added to the
allow list on the second Tuesday each month to make them available for synchronization to Configuration
Manager.
If your Configuration Manager environment is offline, a new allow list is imported every time you import
servicing updates to Configuration Manager. You will also have to import a new WSUS catalog that contains the
drivers before the updates are displayed in the Configuration Manager console. Because a stand-alone WSUS
environment contains more drivers than a Configuration Manager SUP, we recommend that you establish a
Configuration Manager environment that has online capabilities, and that you configure it to synchronize
Surface drivers. This provides a smaller WSUS export that closely resembles the offline environment.
If your Configuration Manager environment is online and able to detect new updates, you will receive updates
to the list automatically. If you don’t see the expected drivers, please review the WCM.log and WsyncMgr.log for
any synchronization failures.
My Configuration Manager environment is offline, can I manually import Surface drivers into WSUS?
No. Even if the update is imported into WSUS, the update won't be imported into the Configuration Manager
console for deployment if it isn't listed in the allow list. You must use the Service Connection Tool to import
servicing updates to Configuration Manager to update the allow list.
What alternative methods do I have to deploy Surface driver and firmware updates?
For information about how to deploy Surface driver and firmware updates through alternative channels, see
Manage Surface driver and firmware updates. If you want to download the .msi or .exe file, and then deploy
through traditional software deployment channels, see Keeping Surface Firmware Updated with Configuration
Manager.
My Surface drivers are expired or no longer visible after removing my CAS. What should I do?
If you recently removed a central administration site from your hierarchy, you may notice that the option to
Include Microsoft Surface drivers and firmware updates is no longer enabled. You may also see that the
driver updates are expired in your Configuration Manager console. When you remove a CAS, you'll need to
re-enable synchronization of Surface drivers and reconfigure this feature. For more information about post-setup
tasks for CAS removal, see Removing the central administration site (CAS).
Next steps
For more information about Surface drivers, see the following articles:
Considerations for Surface and Configuration Manager
Surface Update History
Download the latest firmware and drivers for Surface devices
Integrate with Windows Update for Business
9/17/2021 • 6 minutes to read

Applies to: Configuration Manager (current branch)
Windows Update for Business (WUfB) allows you to keep Windows 10-based devices in your organization
always up-to-date with the latest security defenses and Windows features when these devices connect directly
to the Windows Update (WU) service. Configuration Manager can differentiate between Windows 10 computers
that use WUfB and WSUS for getting software updates.
WARNING
If you are using co-management for your devices and you have moved the Windows Update policies to Intune, then your
devices will get their Windows Update for Business policies from Intune.
If the Configuration Manager client is still installed on the co-managed device then settings for Cumulative Updates
and Feature Updates are managed by Intune. However, third-party patching, if enabled in Client Settings , is still
managed by Configuration Manager.
Some Configuration Manager features are no longer available when Configuration Manager clients are
configured to receive updates from WU, which includes WUfB or Windows Insiders:
Windows Update compliance reporting:
Configuration Manager will be unaware of the updates that are published to WU. Configuration
Manager clients configured to receive updates from WU will display unknown for these updates in
the Configuration Manager console.
Troubleshooting overall compliance status is difficult because unknown status was only for the
clients that hadn't reported scan status back from WSUS. Now it also includes Configuration
Manager clients that receive updates from WU.
Definition Updates compliance is part of overall update compliance reporting and won't work as
expected either.
Overall Endpoint Protection reporting for Defender based on update compliance status won't return
accurate results because of the missing scan data.
Configuration Manager won't be able to deploy Microsoft updates, such as Microsoft 365 Apps, IE, and
Visual Studio to clients that are connected to WUfB to receive updates.
Configuration Manager can still deploy 3rd party updates that are published to WSUS and managed
through Configuration Manager to clients that are connected to WUfB to receive updates. If you don't
want any 3rd party updates to be installed on clients connecting to WUfB, then disable the client setting
named Enable software updates on clients.
Configuration Manager full client deployment that uses the software updates infrastructure won't work
for clients that are connected to WUfB to receive updates.
Identify clients that use WUfB for Windows 10 updates
Use the following procedure to identify clients that use WUfB to get Windows 10 updates and upgrades. Then
configure these clients to stop using WSUS to get updates, and deploy a client agent setting to disable the
software updates workflow for these clients.
Prerequisites for WUfB
Clients that run Windows 10 Desktop Pro or Windows 10 Enterprise Edition version 1511 or later
Windows Update for Business is deployed and clients use WUfB to get Windows 10 updates and
upgrades.
To identify clients that use WUfB
1. Ensure the Windows Update Agent isn't scanning against WSUS, if it was previously enabled. The
following registry key can be used to indicate whether the computer is scanning against WSUS or
Windows Update. If the registry key doesn't exist, it's not scanning against WSUS.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer
2. There's a new attribute, UseWUServer, under the Windows Update node in Configuration Manager
Resource Explorer.
3. Create a collection based on the UseWUServer attribute for all the computers that are connected via
WUfB for updates and upgrades. You can create a collection based on a query similar to the one below:

select sr.* from SMS_R_System as sr join SMS_G_System_WINDOWSUPDATE as su on sr.ResourceID = su.ResourceID where su.UseWUServer is null

4. Create a client agent setting to disable the software update workflow. Deploy the setting to the collection
of computers that are connected directly to WUfB.
5. The computers that are managed via WUfB will display Unknown in the compliance status and won't be
counted as part of the overall compliance percentage.
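The five steps above can be carried out from PowerShell. The following is an added example, not part of this documentation or of Configuration Manager: part (a) runs on a client and reports which update source the Windows Update agent is configured for, based on the UseWUServer policy value named in step 1; part (b) runs in a Configuration Manager PowerShell session and creates the collection from the WQL query quoted in step 3 using the console's cmdlets. The collection name, limiting collection and rule name are assumptions; the site code must be supplied.

```powershell
# Added example, not part of the Configuration Manager documentation.

# (a) Run on a client: which update source does the Windows Update agent use?
function Get-WindowsUpdateSource {
    # UseWUServer = 1 means the agent scans the WSUS server set by policy.
    # Any other value, or no value at all, means it scans Windows Update directly,
    # which is the Windows Update for Business case described above.
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $value = (Get-ItemProperty -Path $auKey -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        UseWUServer  = $value                                   # $null when the value is absent
        Source       = $(if ($value -eq 1) { 'WSUS' } else { 'WindowsUpdate' })
    }
}

# (b) Run in a Configuration Manager PowerShell session (console module loaded):
#     create the collection from the WQL query quoted in step 3.
function New-WufbDeviceCollection {
    param(
        [Parameter(Mandatory)][string]$SiteCode,                        # e.g. 'PS1' (assumption)
        [string]$Name = 'Clients using Windows Update for Business',    # assumed collection name
        [string]$LimitingCollectionName = 'All Systems'
    )
    # The CM cmdlets require the site drive to be the current location.
    Set-Location "$($SiteCode):"

    $wql = @'
select sr.* from SMS_R_System as sr
join SMS_G_System_WINDOWSUPDATE as su on sr.ResourceID = su.ResourceID
where su.UseWUServer is null
'@

    $collection = Get-CMDeviceCollection -Name $Name
    if (-not $collection) {
        $collection = New-CMDeviceCollection -Name $Name -LimitingCollectionName $LimitingCollectionName
    }
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName 'UseWUServer is null' -QueryExpression $wql
    Get-CMDeviceCollection -Name $Name
}

Get-WindowsUpdateSource | Format-List
```

Two caveats when you compare the two halves. The collection is populated from hardware inventory (SMS_G_System_WINDOWSUPDATE), so a device appears only after its next inventory cycle reports, not as soon as the policy changes. And the query matches devices where the attribute is null; a device that has UseWUServer explicitly set to 0 also scans Windows Update directly (Get-WindowsUpdateSource reports it as WindowsUpdate) but is not returned by the query as written. Deploy the client setting from step 4 to the resulting collection.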
Configure Windows Update for Business deferral policies
Beginning in Configuration Manager version 1706, you can configure deferral policies for Windows 10 Feature
Updates or Quality Updates for Windows 10 devices managed directly by Windows Update for Business. You
can manage the deferral policies in the new Windows Update for Business Policies node under Software
Library > Windows 10 Servicing.
NOTE
Beginning in Configuration Manager version 1802, you can set deferral policies for Windows Insider.
For more information about the Windows Insider program, see Getting started with Windows Insider program for
Business.
Prerequisites for deferral policies
Windows 10 version 1703 or later
Windows 10 devices managed by Windows Update for Business must have Internet connectivity
To create a Windows Update for Business deferral policy
1. Go to Software Library > Windows 10 Servicing > Windows Update for Business Policies.
2. On the Home tab, in the Create group, select Create Windows Update for Business Policy to open the
Create Windows Update for Business Policy Wizard.
3. On the General page, provide a name and description for the policy.
4. On the Deferral Policies page, configure whether to defer or pause Feature Updates. Feature Updates are
generally new features for Windows. After you configure the Branch readiness level setting, you can then
define if, and for how long, you would like to defer receiving Feature Updates following their availability from
Microsoft.
Branch readiness level : Set the branch for which the device will receive Windows updates.
Choose either Semi-Annual Channel (Targeted), Semi-Annual Channel, or a Windows Insider build.
NOTE
Deploy policies for Semi-Annual Channel to Windows 10, version 1903 or later. Deploy policies for
Semi-Annual Channel (Targeted) to Windows 10, version 1809 or earlier.
If you deploy a policy for Semi-Annual Channel (Targeted) to Windows 10, version 1903 or later, the
deployment fails with the error 0x8004100c.
Deferral period (days) : Specify the number of days for which Feature Updates will be deferred.
You can defer receiving these Feature Updates for up to 365 days from their release.
Pause Feature Updates starting: Select whether to pause devices from receiving Feature
Updates for up to 35 days from the time you pause the updates. After the maximum days have
passed, pause functionality will automatically expire and the device will scan Windows Updates for
applicable updates. Following this scan, you can pause the updates again. You can unpause Feature
Updates by clearing the checkbox.
5. Choose whether to defer or pause Quality Updates. Quality Updates are generally fixes and improvements to
existing Windows functionality and are typically published the second Tuesday of every month, though can
be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving
Quality Updates following their availability.
Deferral period (days) : Specify the number of days for which Quality Updates will be deferred. You
can defer receiving these Quality Updates for up to 30 days from their release.
Pause Quality Updates starting: Select whether to pause devices from receiving Quality Updates
for up to 35 days from the time you pause the updates. After the maximum days have passed, pause
functionality will automatically expire and the device will scan Windows Updates for applicable
updates. Following this scan, you can pause the updates again. You can unpause Quality Updates by
clearing the checkbox.
6. Select Install updates from other Microsoft Products to enable the group policy setting that makes the
deferral settings apply to Microsoft Update as well as to Windows Update.
7. Select Include drivers with Windows Update to automatically update drivers from Windows Updates. If
you clear this setting, driver updates aren't downloaded from Windows Updates.
8. Complete the wizard to create the new deferral policy.
To deploy a Windows Update for Business deferral policy
1. Go to Software Library > Windows 10 Servicing > Windows Update for Business Policies.
2. On the Home tab, in the Deployment group, select Deploy Windows Update for Business Policy .
3. Configure the following settings:
Configuration policy to deploy : Select the Windows Update for Business policy that you would like
to deploy.
Collection : Click Browse to select the collection where you want to deploy the policy.
Allow remediation outside the maintenance window : If a maintenance window has been
configured for the collection to which you're deploying the policy, enable this option to let policy
settings remediate the value outside of the maintenance window. For more information about
maintenance windows, see How to use maintenance windows.
Schedule : Specify the compliance evaluation schedule by which the deployed policy is evaluated on
client computers. The schedule can be either a simple or a custom schedule.
4. Complete the wizard to deploy the policy.
Enable third-party updates
9/17/2021 • 16 minutes to read

Applies to: Configuration Manager (current branch)
The Third-Party Software Update Catalogs node in the Configuration Manager console allows you to
subscribe to third-party catalogs, publish their updates to your software update point (SUP), and then deploy
them to clients.
NOTE
In version 2006 and earlier, Configuration Manager doesn't enable this feature by default. Before using it, enable the
optional feature Enable third party update support on clients. For more information, see Enable optional features
from updates.
Prerequisites
Sufficient disk space on the top-level software update point's WSUSContent directory to store the source
binary content for third-party software updates.
The amount of required storage varies based on the vendor, types of updates, and specific updates
that you publish for deployment.
If you need to move the WSUSContent directory to another drive with more free space, see the How to
change the location where WSUS stores updates locally blog post.
The third-party software update synchronization service requires internet access.
For the partner catalogs list, download.microsoft.com over HTTPS port 443 is needed.
Internet access to any third-party catalogs and update content files. Additional ports other than 443
may be needed.
Third-party updates use the same proxy settings as the SUP.
Additional requirements when the SUP is remote from the top-level site server
1. SSL should be enabled on the SUP when it's remote. This requires a server authentication certificate
generated from an internal certificate authority or via a public provider.
Configure SSL on WSUS
When you configure SSL on WSUS, note some of the web services and the virtual directories
are always HTTP and not HTTPS.
Configuration Manager downloads third-party content for software update packages from
your WSUS content directory over HTTP.
Configure SSL on the SUP
2. When setting the third-party updates WSUS signing certificate configuration to Configuration
Manager manages the certificate in the Software Update Point Component Properties, the following
configurations are required to allow the creation of the self-signed WSUS signing certificate:
Remote registry should be enabled on the SUP server.
The WSUS server connection account should have remote registry permissions on the
SUP/WSUS server.
3. Create the following registry key on the Configuration Manager site server:
HKLM\Software\Microsoft\Update Services\Server\Setup , create a new DWORD named
EnableSelfSignedCertificates with a value of 1.
4. To enable installing the self-signed WSUS signing certificate to the Trusted Publishers and Trusted Root
stores on the remote SUP server:
The WSUS server connection account should have remote administration permissions on the
SUP server.
If this item isn't possible, export the certificate from the local computer's WSUS store into the
Trusted Publisher and Trusted Root stores.
NOTE
The WSUS server connection account can be identified by viewing the Proxy and Account Settings tab on the
Site System role properties of the SUP. If an account is not specified, the site server's computer account is used.
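Steps 3 and 4 above can be done from PowerShell. The following is an added example, not part of this documentation or of Configuration Manager: the first function creates the EnableSelfSignedCertificates registry value from step 3 on the site server; the second implements the fallback in step 4 on the remote SUP/WSUS server, exporting the signing certificate from the local computer's WSUS store and importing it into the Trusted Publishers and Trusted Root stores. The certificate store paths are the standard certificate provider paths; the subject filter used to find the signing certificate and the scratch export path are assumptions.

```powershell
# Added example, not part of the Configuration Manager documentation.

function Enable-WsusSelfSignedCertificates {
    # Step 3, on the Configuration Manager site server:
    # HKLM\Software\Microsoft\Update Services\Server\Setup, DWORD EnableSelfSignedCertificates = 1
    $key = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EnableSelfSignedCertificates -PropertyType DWord -Value 1 -Force | Out-Null
    # Return the stored value so the caller can confirm it reads 1.
    (Get-ItemProperty -Path $key -Name EnableSelfSignedCertificates).EnableSelfSignedCertificates
}

function Copy-WsusSigningCertToTrustStores {
    param(
        # Subject filter for the signing certificate in the WSUS store (assumption:
        # the self-signed certificate carries "WSUS" in its subject). Narrow it if needed.
        [string]$SubjectFilter = '*WSUS*',
        [string]$ExportPath = "$env:TEMP\wsus-signing.cer"   # assumed scratch path
    )
    # Step 4 fallback, on the remote SUP/WSUS server: the WSUS store holds the signing cert.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\WSUS |
        Where-Object { $_.Subject -like $SubjectFilter } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate matching '$SubjectFilter' in Cert:\LocalMachine\WSUS" }

    # Export the public certificate only (no private key), then import it into both stores.
    Export-Certificate -Cert $cert -FilePath $ExportPath -Force | Out-Null
    foreach ($store in 'TrustedPublisher', 'Root') {
        Import-Certificate -FilePath $ExportPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
    }

    # Verify by thumbprint, not subject, so an older certificate with the same name is not mistaken for it.
    foreach ($store in 'TrustedPublisher', 'Root') {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $cert.Thumbprint
            Present    = Test-Path "Cert:\LocalMachine\$store\$($cert.Thumbprint)"
        }
    }
}

Enable-WsusSelfSignedCertificates
Copy-WsusSigningCertToTrustStores | Format-Table -AutoSize
```

Run Enable-WsusSelfSignedCertificates on the site server and Copy-WsusSigningCertToTrustStores on the SUP, both from an elevated session. Remember what this certificate is for: every client that receives it through the client setting described later will trust updates signed with it, so treat the private key in the WSUS store with the same care as a code-signing key.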
Enable third-party updates on the SUP
If you enable this option, you can subscribe to third-party update catalogs in the Configuration Manager
console. You can then publish those updates to WSUS and deploy them to clients. The following steps should be
run once per hierarchy to enable and set up the feature for use. The steps may need to be rerun if you ever
replace the top-level SUP's WSUS server.
1. In the Configuration Manager console, go to the Administration workspace. Expand Site
Configuration , and select the Sites node.
2. Select the top-level site in the hierarchy. In the ribbon, select Configure Site Components , and select
Software Update Point .
3. Switch to the Third-Party Updates tab. Select the option Enable third-party software updates.
Configure the WSUS signing certificate
You'll need to decide if you want Configuration Manager to automatically manage the third-party WSUS signing
certificate using a self-signed certificate, or if you need to manually configure the certificate.
Automatically manage the WSUS signing certificate
If you don't have a requirement to use PKI certificates, you can choose to automatically manage the signing
certificates for third-party updates. The WSUS certificate management is done as part of the sync cycle and gets
logged in the wsyncmgr.log .
1. In the Configuration Manager console, go to the Administration workspace. Expand Site Configuration ,
and select the Sites node.
2. Select the top-level site in the hierarchy. In the ribbon, select Configure Site Components , and select
Software Update Point .
3. Switch to the Third-Party Updates tab. Select the option Configuration Manager manages the certificate.
4. A new certificate of type Third-party WSUS Signing is created in the Certificates node under Security
in the Administration workspace.
Manually manage the WSUS signing certificate
If you need to manually configure the certificate, such as needing to use a PKI certificate, you'll need to use
either System Center Updates Publisher or another tool to do so.
1. Configure the signing certificate using System Center Updates Publisher.
2. In the Configuration Manager console, go to the Administration workspace. Expand Site Configuration ,
and select the Sites node.
3. Select the top-level site in the hierarchy. In the ribbon, select Configure Site Components , and select
Software Update Point .
4. Switch to the Third-Party Updates tab. Select the option for Manually manage the certificate.
Enable third-party updates on the clients
Enable third-party updates on the clients in the client settings. The setting sets the Windows Update agent policy
for Allow signed updates for an intranet Microsoft update service location. This client setting also installs the
WSUS signing certificate to the Trusted Publisher store on the client. The certificate management logging is seen
in updatesdeployment.log on the clients. Run these steps for each custom client setting you want to use for
third-party updates. For more information, see the About client settings article.
1. In the Configuration Manager console, go to the Administration workspace and select the Client Settings
node.
2. Select an existing custom client setting or create a new one.
3. Select the Software Updates tab on the left-hand side. If you don't have this tab, make sure that the
Software Updates box is enabled.
4. Set Enable third-party software updates to Yes.
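After the client setting has applied, you can confirm its two effects on a client. The following PowerShell function is an added example, not part of this documentation or of Configuration Manager: it reads the Windows Update agent policy the setting controls (Allow signed updates for an intranet Microsoft update service location, stored as AcceptTrustedPublisherCerts under the WindowsUpdate policy key), checks whether a WSUS signing certificate is present in the Trusted Publishers store, and pulls the most recent certificate-related lines from updatesdeployment.log. The subject filter is an assumption, and the log path is the default client log location.

```powershell
# Added example, not part of the Configuration Manager documentation.
function Test-ThirdPartyUpdateClientReadiness {
    param(
        # Assumption: the WSUS signing certificate carries "WSUS" in its subject.
        [string]$SubjectFilter = '*WSUS*'
    )

    # Policy behind "Allow signed updates for an intranet Microsoft update service location".
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $accept = (Get-ItemProperty -Path $wuPolicy -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    # The client setting installs the WSUS signing certificate into Trusted Publishers.
    $signingCert = @(Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Subject -like $SubjectFilter })

    # Certificate management on the client is logged in updatesdeployment.log
    # (default client log folder, adjust if your client logs elsewhere).
    $log = "$env:windir\CCM\Logs\UpdatesDeployment.log"
    $logLines = @()
    if (Test-Path $log) {
        $logLines = @(Select-String -Path $log -Pattern 'certificate' -SimpleMatch |
            Select-Object -Last 5 -ExpandProperty Line)
    }

    [pscustomobject]@{
        AcceptTrustedPublisherCerts   = $accept                     # expect 1
        SigningCertInTrustedPublisher = ($signingCert.Count -gt 0)
        SigningCertThumbprints        = @($signingCert | ForEach-Object Thumbprint)
        Ready                         = ($accept -eq 1 -and $signingCert.Count -gt 0)
        RecentCertLogLines            = $logLines
    }
}

Test-ThirdPartyUpdateClientReadiness | Format-List
```

Ready is True only when both the policy value and the certificate are in place; if the policy is set but the certificate is missing, the client will refuse locally published updates and RecentCertLogLines usually shows why. When you manage the certificate manually with a PKI certificate, replace the subject filter with the subject or thumbprint of that certificate.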
Add a custom catalog
Partner catalogs are software vendor catalogs that have their information already registered with Microsoft.
With partner catalogs, you can subscribe to them without having to specify any additional information. Catalogs
that you add are called custom catalogs. You can add a custom catalog from a third-party update vendor to
Configuration Manager. Custom catalogs must use https and the updates must be digitally signed.
1. Go to the Software Library workspace, expand Software Updates, and select the Third-Party Software
Update Catalogs node.
2. Select Add Custom Catalog in the ribbon.
3. On the General page, specify the following items:
Download URL : A valid HTTPS address of the custom catalog.
Publisher : The name of the organization that publishes the catalog.
Name : The name of the catalog to display in the Configuration Manager Console.
Description : A description of the catalog.
Support URL (optional): A valid HTTPS address of a website to get help with the catalog.
Support Contact (optional): Contact information to get help with the catalog.
4. Select Next to review the catalog summary and to continue with completing the Third-party Software
Updates Custom Catalog Wizard.
Subscribe to a third-party catalog and sync updates
When you subscribe to a third-party catalog in the Configuration Manager console, the metadata for every
update in the catalog are synced into the WSUS servers for your SUPs. The sync of the metadata allows the
clients to determine if any of the updates are applicable. Perform the following steps for each third-party catalog
to which you want to subscribe:
1. In the Configuration Manager console, go to the Software Library workspace. Expand Software Updates
and select the Third-Party Software Update Catalogs node.
2. Select the catalog to subscribe and then select Subscribe to Catalog in the ribbon.
3. Review and approve the catalog certificate on the Review and approve page of the wizard.
NOTE
When you subscribe to a third-party software update catalog, the certificate that you review and approve in the
wizard is added to the site. This certificate is of type Third-party Software Updates Catalog. You can manage
it from the Certificates node under Security in the Administration workspace.
4. If the third-party catalog is v3, you'll be offered pages to Select Categories and Stage Content . For more
information about configuring these options, see the Third-party v3 catalog options section.
5. Choose your options on the Schedule page:
Simple schedule : Choose the hour, day, or month interval. The default is a simple schedule that
synchronizes every 7 days.
Custom schedule : Set a complex schedule.
6. Review your settings on the Summary page and complete the wizard.
7. After the catalog is downloaded, the product metadata needs to be synchronized from the WSUS database
into the Configuration Manager database. Manually start the software updates synchronization to
synchronize the product information.
8. Once the product information is synchronized, Configure the SUP to synchronize the desired product into
Configuration Manager.
9. Manually start the software updates synchronization to synchronize the new product's updates into
Configuration Manager.
10. When the synchronization completes, you can see the third-party updates in the All Updates node. These
updates are published as metadata-only updates until you choose to publish them.
The icon with the blue arrow represents a metadata-only software update.
Publish and deploy third-party software updates
Once the third-party updates are in the All Updates node, you can choose which updates should be published
for deployment. When you publish an update, the binary files are downloaded from the vendor and placed into
the WSUSContent directory on the top-level SUP.
1. In the Configuration Manager console, go to the Software Library workspace. Expand Software
Updates and select the All Software Updates node.
2. Select Add Criteria to filter the list of updates. For example, add Vendor with the value HP to view all
updates from HP.
3. Select the updates that are required by your organization. Select Publish Third-Party Software
Update Content.
This action downloads the update binaries from the vendor then stores them in the WSUSContent
directory on the top-level software update point.
4. Manually start the software updates synchronization to change the state of the published updates from
metadata-only to deployable updates with content.
NOTE
When you publish third-party software update content, any certificates used to sign the content are added to the
site. These certificates are of type Third-party Software Updates Content. You can manage them from the
Certificates node under Security in the Administration workspace.
5. Review the progress in the SMS_ISVUPDATES_SYNCAGENT.log. The log is located on the top-level
software update point in the site system Logs folder.
6. Deploy the updates using the Deploy software updates process.
7. On the Download Locations page of the Deploy Software Updates Wizard, select the default option
to Download software updates from the internet . In this scenario, the content is already published
to the software update point, which is used to download the content for the deployment package.
8. Clients will need to run a scan and evaluate updates before you can see compliance results. You can
manually trigger this cycle from the Configuration Manager control panel on a client by running the
Software Updates Scan Cycle action.

Third-party v3 catalog options


V3 catalogs allow for categorized updates. When using catalogs that include categorized updates, you can
configure synchronization to include only specific categories of updates to avoid synchronizing the entire
catalog. With categorized catalogs, when you're confident you'll deploy a category, you can configure it to
automatically download and publish to WSUS.

IMPORTANT
This option is only available for v3 third-party update catalogs, which support categories for updates. These options are
disabled for catalogs that aren't published in the v3 format.

1. In the Configuration Manager console, go to the Software Library workspace. Expand Software
Updates and select the Third-Party Software Update Catalogs node.
2. Select the catalog to subscribe and select Subscribe to Catalog in the ribbon.
3. Choose your options on the Select Categories page:
Synchronize all update categories (default)
Synchronizes all updates in the third-party update catalog into Configuration Manager.
Select categories for synchronization
Choose which categories and child categories to synchronize into Configuration Manager.

4. Choose whether to Stage update content for the catalog. When you stage the content, all updates in
the selected categories are automatically downloaded to your top-level software update point, so you
don't need to ensure they're already downloaded before deploying. Only stage content automatically for
updates you are likely to deploy, to avoid excessive bandwidth and storage requirements.
Do not stage content, synchronize for scanning only (recommended)
Don't download any content for updates in the third-party catalog.
Stage the content for selected categories automatically
Choose the update categories that will automatically download content.
The content for updates in selected categories will be downloaded to the top-level software
update point's WSUS content directory.
5. Set your Schedule for catalog synchronization, then complete the wizard.

Edit an existing subscription


You can edit an existing subscription by selecting Properties from the ribbon or the right-click menu.

IMPORTANT
Some options are only available for v3 third-party update catalogs, which support categories for updates. These options
are disabled for catalogs that aren't published in the v3 format.

1. In the Third-Party Software Update Catalogs node, right-click on the catalog and select Properties or
select Properties from the ribbon.
2. You can update the following information from the General tab:
Download URL (not editable): The HTTPS address of the custom catalog.
Publisher: The name of the organization that publishes the catalog.
Name: The name of the catalog to display in the Configuration Manager console.
Description: A description of the catalog.
Support URL (optional): A valid HTTPS address of a website to get help with the catalog.
Support Contact (optional): Contact information to get help with the catalog.
3. Choose your options on the Select Categories tab.
Synchronize all update categories (default)
Synchronizes all updates in the third-party update catalog into Configuration Manager.
Select categories for synchronization
Choose which categories and child categories to synchronize into Configuration Manager.
4. Choose your options for the Stage update content tab.
Do not stage content, synchronize for scanning only (recommended)
Don't download any content for updates in the third-party catalog.
Stage the content for selected categories automatically
Choose the update categories that will automatically download content.
The content for updates in selected categories will be downloaded to the top-level software
update point's WSUS content directory.
5. Select how often to synchronize the catalog on the Schedule tab.
Simple schedule: Choose the hour, day, or month interval.
Custom schedule: Set a complex schedule.

Unsubscribe from catalog and delete custom catalogs


In the Third-Party Software Update Catalogs node, right-click on the catalog and select Unsubscribe to
stop synchronizing the catalog. You can also use the Unsubscribe option from the ribbon. When you
unsubscribe from a catalog, the approvals for the catalog signing and update content certificates are removed.
Existing updates aren't removed, but you may not be able to deploy them. With custom catalogs, you also have
the option of deleting the catalog after you've unsubscribed. Select Delete Custom Catalog from either the ribbon
or the right-click menu for the catalog. Deleting the custom catalog removes it from view in the Third-Party
Software Update Catalogs node.

Monitoring progress of third-party software updates


Synchronization of third-party software updates is handled by the SMS_ISVUPDATES_SYNCAGENT component
on the top-level default software update point. You can view status messages from this component, or see more
detailed status in the SMS_ISVUPDATES_SYNCAGENT.log. This log is on the top-level software update point in
the site system Logs folder. By default, this path is C:\Program Files\Microsoft Configuration Manager\Logs. For
more information on monitoring the general software update management process, see Monitor software
updates.

List additional third-party updates catalogs


To help you find custom catalogs that you can import for third-party software updates, there's a documentation
page with links to catalog providers. Starting in Configuration Manager 2107, you can also choose More
Catalogs from the ribbon in the Third-Party Software Update Catalogs node. Right-clicking on the Third-
Party Software Update Catalogs node displays a More Catalogs menu item. Selecting More Catalogs
opens a link to a documentation page containing a list of additional third-party software update catalog
providers.
Known issues
The machine where the console is running is used to download the updates from WSUS and add them to the
updates package. The WSUS signing certificate must be trusted on the console machine. If it isn't, you may
see issues with the signature check during the download of third-party updates.
The third-party software update synchronization service can't publish content to metadata-only updates that
were added to WSUS by another application, tool, or script, such as SCUP. The Publish third-party
software update content action fails on these updates. If you need to deploy third-party updates that this
feature doesn't yet support, use your existing process in full for deploying those updates.
Configuration Manager has a new version of the catalog cab file format. The new version includes the
certificates for the vendor's binary files. These certificates are added to the Certificates node under
Security in the Administration workspace once you approve and trust the catalog.
You can still use the older catalog cab file version as long as the download URL is HTTPS and the
updates are signed. However, the content will fail to publish, because the certificates for the binaries aren't in
the cab file and therefore aren't already approved. You can work around this issue by finding the certificate in
the Certificates node, unblocking it, and then publishing the update again. If you're publishing multiple
updates signed with different certificates, you'll need to unblock each certificate that is used.
For more information, see status messages 11523 and 11524 in the status message table below.
When the third-party software update synchronization service on the top-level software update point
requires a proxy server for internet access, digital signature checks may fail. To mitigate this issue, configure
the WinHTTP proxy settings on the site system. For more information, see Netsh commands for WinHTTP.
When using a CMG for content storage, the content for third-party updates won't download to clients if the
Download delta content when available client setting is enabled.
If the catalog provider has changed the catalog's signing certificate since you last approved it or subscribed,
the catalog sync will fail until the certificate is approved in the Certificates node. For more information,
see MessageID 11508 in the status messages table.
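The signature-related known issues above (WSUS signing certificate not trusted on the console machine, unsigned content, one certificate to unblock per signer) can be checked before you publish. The following PowerShell is an added example, not part of the Configuration Manager documentation; the signing-certificate thumbprint and the content directory are values you supply, and the default content path is an assumption.

```powershell
<#
  Added example; not part of the Configuration Manager documentation.
  Pre-flight checks for the signature-related known issues listed above:
    1. Is the WSUS signing certificate trusted on this (console) machine?
    2. Are the staged third-party binaries Authenticode-signed, and which signer
       certificates do they carry (each one must be unblocked in the Certificates node)?
  The thumbprint and the content path are values you supply (placeholders below).
#>
param(
    # Thumbprint of the WSUS signing certificate (placeholder; copy it from the
    # console's Certificates node or the WSUS server's certificate store).
    [Parameter(Mandatory)][string]$SigningCertThumbprint,
    # Directory holding the downloaded binaries: the page names the WSUSContent
    # directory on the top-level SUP; this default path is an assumption.
    [string]$ContentPath = 'C:\WSUS\WsusContent'
)

function Test-WsusSigningCertTrust {
    # Self-signed WSUS certificates must be in Trusted Publishers AND Trusted Root;
    # PKI-issued ones need Trusted Publishers plus a chain that builds.
    param([string]$Thumbprint)
    $thumb = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()   # tolerate pasted spacing
    $pub  = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $thumb
    $root = Get-ChildItem Cert:\LocalMachine\Root             | Where-Object Thumbprint -eq $thumb
    $result = [ordered]@{
        Thumbprint         = $thumb
        InTrustedPublisher = [bool]$pub
        InTrustedRoot      = [bool]$root
        ChainBuilds        = $false
        ChainStatus        = @()
    }
    $cert = @($pub) + @($root) | Where-Object { $_ } | Select-Object -First 1
    if ($cert) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # No online revocation lookup: a proxy-restricted site system (see the WinHTTP
        # known issue) would otherwise report a spurious failure here.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $result.ChainBuilds = $chain.Build($cert)
        $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }
    [pscustomobject]$result
}

function Get-StagedContentSignatureReport {
    # One row per binary: Authenticode status plus the signer certificate.
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "Content path '$Path' not found." }
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.msi, *.msp, *.cab, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File             = $_.FullName
                Status           = $sig.Status        # Valid, NotSigned, UnknownError (chain not trusted), ...
                Signer           = $sig.SignerCertificate.Subject
                SignerThumbprint = $sig.SignerCertificate.Thumbprint
            }
        }
}

$trust = Test-WsusSigningCertTrust -Thumbprint $SigningCertThumbprint
$trust | Format-List
if (-not ($trust.InTrustedPublisher -and $trust.ChainBuilds)) {
    Write-Warning 'WSUS signing certificate is not trusted on this machine; third-party downloads will fail the signature check.'
}

$report = Get-StagedContentSignatureReport -Path $ContentPath
# Unsigned or untrusted binaries: compare with status message 11516 (unsigned content is never published).
$report | Where-Object Status -ne 'Valid' | Format-Table Status, File -AutoSize
# Distinct signer certificates: each must be approved/unblocked in the Certificates node (status message 11523).
$report | Where-Object Status -eq 'Valid' | Group-Object SignerThumbprint |
    Select-Object Count, @{ n = 'Thumbprint'; e = { $_.Name } }, @{ n = 'Signer'; e = { $_.Group[0].Signer } } |
    Format-Table -AutoSize
```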

Status messages

Message ID: 11508
Severity: Error
Description: Failure when checking signature for catalog <catalog name> to WSUS. Make sure the catalog is
subscribed and the catalog certificate <certificate> is not blocked. See SMS_ISVUPDATES_SYNCAGENT.log for
further details.
Possible cause: The signing certificate on the catalog may have changed since it was originally subscribed or
last approved.
Possible solution: Make sure to review and approve the certificate in the Certificates node to allow the catalog
to synchronize.

Message ID: 11516
Severity: Error
Description: Failed to publish content for update "Update ID" because the content is unsigned. Only content
with valid signatures can be published.
Possible cause: Configuration Manager doesn't allow unsigned updates to be published.
Possible solution: Publish the update in an alternate way. See if a signed update is available from the vendor.

Message ID: 11523
Severity: Warning
Description: Catalog "X" does not include content signing certificates; attempts to publish update content for
updates from this catalog may be unsuccessful until content signing certificates are added and approved.
Possible cause: This message can occur when you import a catalog that is using an older version of the cab file
format. The certificates for the binaries aren't included in the cab file, so the content will fail to publish.
Possible solution: Contact the catalog provider to obtain an updated catalog that includes the content signing
certificates. You can work around this issue by finding the certificate in the Certificates node, unblocking it,
and then publishing the update again. If you're publishing multiple updates signed with different certificates,
you'll need to unblock each certificate that is used.

Message ID: 11524
Severity: Error
Description: Failed to publish update "ID" due to missing update metadata.
Possible cause: The update may have been synchronized to WSUS outside of Configuration Manager.
Possible solution: Synchronize the update with Configuration Manager before attempting to publish its content.
If an external tool was used to publish the update as Metadata only, then use the same tool to publish the
update content.
Working with third-party updates video


https://www.youtube.com/embed/ai8rLCLtuTI?rel=0

PowerShell
You can use the following PowerShell cmdlets to automate the management of third-party updates in
Configuration Manager:
Get-CMThirdPartyUpdateCatalog
New-CMThirdPartyUpdateCatalog
Remove-CMThirdPartyUpdateCatalog
Set-CMThirdPartyUpdateCatalog
Publish-CMThirdPartySoftwareUpdateContent
Get-CMThirdPartyUpdateCategory
Set-CMThirdPartyUpdateCategory
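As an added example (not Microsoft's code), the script below strings these cmdlets together to run the publish workflow from the sections above without the console: subscribe a catalog, synchronize for scanning only, publish content for one vendor's metadata-only updates, and resynchronize. It assumes the console is installed where it runs; the site code, catalog and vendor names are placeholders, and the object property names marked "assumed" in the comments should be confirmed against Get-Help on your module version.

```powershell
<#
  Added example; not from the Configuration Manager documentation. Runs the
  in-console third-party update workflow from the sections above with the cmdlets
  listed: subscribe, sync for scanning only, publish content for one vendor's
  metadata-only updates, resync, review. Assumes the console is installed here
  (SMS_ADMIN_UI_PATH) and the catalog is already added and approved. Site code,
  catalog and vendor names are placeholders; property names marked "assumed"
  should be confirmed against Get-Help on your module version.
#>
param(
    [string]$SiteCode    = 'PS1',              # placeholder site code
    [string]$CatalogName = 'Contoso Catalog',  # placeholder catalog name
    [string]$Vendor      = 'Contoso'           # placeholder value from the Vendor column
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Set-Location "$($SiteCode):"

function Wait-CMSyncCompletion {
    # Sync-CMSoftwareUpdate only requests a sync; poll the top-level SUP until a
    # success newer than $After is reported (LastSuccessfulSyncTime: assumed property).
    param([datetime]$After, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 60
        $status = Get-CMSoftwareUpdateSyncStatus |
                  Sort-Object LastSuccessfulSyncTime -Descending | Select-Object -First 1
        if ($status.LastSuccessfulSyncTime -gt $After) { return }
    } while ((Get-Date) -lt $deadline)
    throw "Software update synchronization did not finish within $TimeoutMinutes minutes; check Synchronization Status."
}

# 1. Find the catalog and insist on HTTPS (the page requires an HTTPS download URL).
$catalog = Get-CMThirdPartyUpdateCatalog -Name $CatalogName
if (-not $catalog) { throw "Catalog '$CatalogName' is not in the Third-Party Software Update Catalogs node." }
if ($catalog.DownloadUrl -notmatch '^https://') {           # DownloadUrl: assumed property name
    throw "Refusing catalog with non-HTTPS download URL: $($catalog.DownloadUrl)"
}

# 2. Subscribe and request an immediate catalog sync. No content is staged: this is
#    the recommended "synchronize for scanning only" choice, so updates arrive as
#    metadata-only and content is published per update in step 4.
Set-CMThirdPartyUpdateCatalog -InputObject $catalog -Subscribe -Force
Set-CMThirdPartyUpdateCatalog -InputObject $catalog -SyncNow -Force

# v3 catalogs only: list the categories you could restrict synchronization to.
Get-CMThirdPartyUpdateCategory -CatalogName $CatalogName | Format-Table -AutoSize

# 3. Pull the catalog's metadata into the site database (the manual
#    "Synchronize Software Updates" action in the console).
$t0 = Get-Date
Sync-CMSoftwareUpdate -FullSync $true
Wait-CMSyncCompletion -After $t0

# 4. Publish binaries for the vendor's metadata-only (not content-provisioned) updates.
#    Each publish downloads from the vendor into the top-level SUP's WSUSContent directory;
#    certificates used to sign the content are added to the Certificates node.
$pending = Get-CMSoftwareUpdate -Fast -Vendor $Vendor -IsExpired $false -IsContentProvisioned $false
foreach ($u in $pending) {
    Write-Host "Publishing content for: $($u.LocalizedDisplayName)"
    Publish-CMThirdPartySoftwareUpdateContent -InputObject $u -Force
}

# 5. A second sync turns the published updates from metadata-only into deployable
#    updates with content; SMS_ISVUPDATES_SYNCAGENT.log on the top-level SUP has the detail.
$t1 = Get-Date
Sync-CMSoftwareUpdate -FullSync $true
Wait-CMSyncCompletion -After $t1

# Review: which of the vendor's updates now carry content and can be deployed.
Get-CMSoftwareUpdate -Fast -Vendor $Vendor -IsExpired $false |
    Select-Object LocalizedDisplayName, IsContentProvisioned | Format-Table -AutoSize
```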
Next step
Deploy software updates
Available third-party software update catalogs
9/17/2021 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The Third-Party Software Update Catalogs node in the Configuration Manager console allows you to
subscribe to third-party catalogs, publish their updates to your software update point (SUP), and then deploy
them to clients. You can add custom catalogs from third-party vendors.

Third-party update catalogs available for import


To make it easier to find custom catalogs, we're providing a list of links as a convenience. Some catalogs are
freely available and some catalogs have an additional cost associated with them. This list includes catalogs that
may only work with System Center Updates Publisher and not the Third-Party Software Update Catalogs
node in the Configuration Manager console. Check with the catalog provider for details including pricing,
support, and whether the catalog supports in-console third-party updates.

Custom catalog providers and URLs:

Adobe
  Multiple catalogs are available from Adobe.
  https://www.adobe.com/devnet-docs/acrobatetk/tools/DesktopDeployment/sccm.html

Centero Software Manager
  https://software-manager.com/csm-for-sccm-patch-management-solution

Dell
  Partner catalog available in the Third-Party Software Update Catalogs node
  https://www.dell.com/support/article/sln311138/
  https://downloads.dell.com/Catalog/DellSDPCatalogPC.cab
  ftp://ftp.dell.com/catalog/DellSDPCatalog.cab

Fujitsu
  https://support.ts.fujitsu.com/GFSMS/globalflash/FJSVUMCatalogForSCCM.cab

HP
  Partner catalog available in the Third-Party Software Update Catalogs node
  https://hpia.hpcloud.hp.com/downloads/sccmcatalog/HpCatalogForSms.latest.cab
  http://ftp.hp.com/pub/softlib/software/sms_catalog/HpCatalogForSms.latest.cab

Ivanti Patch for MEM
  https://www.ivanti.com.au/products/patch-management-for-mem

Lenovo
  Partner catalog available in the Third-Party Software Update Catalogs node
  https://download.lenovo.com/luc/v2/LenovoUpdatesCatalog2v2.cab
  Lenovo updates catalog V3 information: https://thinkdeploy.blogspot.com/2020/06/lenovo-updates-catalog-v3-for-sccm.html
  Lenovo Patch: https://www.lenovo.com/us/en/software/lenovo-patch-sccm

ManageEngine Patch Connect Plus
  https://www.manageengine.com/sccm-third-party-patch-management

Patch My PC
  Full catalog: https://patchmypc.com/third-party-patch-management-for-sccm-and-intune
  Limited catalog: https://patchmypc.com/frequently-asked-questions#trial-catalog

SolarWinds Patch Manager
  https://www.solarwinds.com/patch-manager/use-cases/third-party-patch-management-sccm

Open this article from the Configuration Manager console


Starting in Configuration Manager 2107, you can choose More Catalogs from the ribbon in the Third-Party
Software Update Catalogs node to get to this article. Right-clicking on the Third-Party Software Update
Catalogs node displays a More Catalogs menu item. Selecting More Catalogs opens a link to this page.

Next steps
Add custom catalogs for third party software updates
Configure the SUP to synchronize the product into Configuration Manager
Example scenario to deploy and monitor monthly
software updates
9/17/2021 • 5 minutes to read

Applies to: Configuration Manager (current branch)


This topic provides an example scenario of how you can use software updates in Configuration Manager to
deploy and monitor the security software updates that Microsoft releases monthly.
In this scenario, we follow the actions of the Configuration Manager administrator at Woodgrove Bank. The
administrator needs to create a software update deployment strategy with the following conditions and
requirements:
Active software update deployment occurs one week after Microsoft releases the security software
updates on the second Tuesday of each month. This event is typically referred to as Patch Tuesday.
Software updates are downloaded and staged on distribution points. Then a deployment is tested to a
subset of clients before the ConfigMgr Admin fully deploys the software updates in his production
environment.
The administrator must be able to monitor the software updates' compliance by month or by year.
This scenario assumes that the software update point infrastructure has already been implemented. Use
the following information to plan for and configure software updates in Configuration Manager.

Process: Review the key concepts for software updates.
Reference: Introduction to software updates

Process: Plan for software updates. This information helps you to plan for capacity considerations, determine
the software update point infrastructure, software update point installation, synchronization settings, and
client settings for software updates.
Reference: Plan for software updates

Process: Configure software updates. This information helps you to install and configure software update
points in your hierarchy and helps to configure and synchronize software updates.
In this scenario, our ConfigMgr Admin configures the software updates synchronization schedule to occur on
the second Wednesday of each month to ensure that they retrieve the latest security software updates from
Microsoft.
Reference: Synchronize software updates

The following sections in this topic provide example steps to help you to deploy and monitor Configuration
Manager security software updates in your organization.

Step 1: Create a software update group for yearly compliance


The Configuration Manager administrator creates a software update group that can be used to monitor
compliance for all of the security software updates that they release in 2016. The admin performs the steps in
the following table.
Process: From the All Software Updates node in the Configuration Manager console, the Configuration
Manager administrator adds criteria to display only security software updates that are released or revised in
year 2015 that meet the following criteria:
Criteria: Date Released or Revised
Condition: is greater than or equal to specific date
Value: 1/1/2015
Criteria: Update Classification
Value: Security Updates
Criteria: Expired
Value: No
Reference: No additional information

Process: ConfigMgr Administrator adds all of the filtered software updates to a new software update group
with the following requirements:
Name: Compliance Group - Microsoft Security Updates 2015
Description: Software updates
Reference: Add software updates to an update group

Step 2: Create an automatic deployment rule for the current month


The Configuration Manager administrator creates an automatic deployment rule for the security software
updates that are released by Microsoft for the current month. The admin performs the steps in the following
table.
Process: ConfigMgr Admin creates an automatic deployment rule with the following requirements:
1. On the General tab, the ConfigMgr Admin configures the following:
Specifies Monthly Security Updates for the name.
Selects a test collection with limited clients.
Selects Create a new Software Update Group.
Verifies that Enable the deployment after this rule is run is not selected.
2. On the Deployment Settings tab, the ConfigMgr Admin selects the default settings.
3. On the Software Updates page, the ConfigMgr Admin configures the following property filters and
search criteria:
Date Released or Revised: Last 1 month.
Update Classification: Security Updates.
4. On the Evaluation page, the ConfigMgr Admin enables the rule to run on a schedule for the second
Thursday of every month. The ConfigMgr Admin also verifies that his synchronization schedule is set to
run on the second Wednesday of every month.
5. The ConfigMgr Admin uses the default settings on the Deployment Schedule, User Experience, Alerts,
and Download Settings pages.
6. On the Deployment Package page, the ConfigMgr Admin specifies a new deployment package.
7. The ConfigMgr Admin uses the default settings on the Download Location and Language Selection
pages.
Reference: Automatically deploy software updates

Step 3: Verify that software updates are ready to deploy


On the second Thursday of every month, the ConfigMgr Admin verifies that the software updates are ready to
deploy. The admin performs the following step.

Process: The ConfigMgr Admin verifies that software updates synchronization completed successfully.
Reference: Software updates synchronization status

Step 4: Deploy the software update group


After the ConfigMgr Admin verifies that the software updates are ready to deploy, they deploy the software
updates. The admin performs the steps in the following table.
Process: The ConfigMgr Admin creates two test deployments for the new software update group. The admin
considers the following environments for each deployment:
Workstation test deployment: the ConfigMgr Admin considers the following for the workstation test
deployment:
Specifies a deployment collection that contains a subset of workstation clients to verify the deployment.
Configures the deployment settings that are appropriate for the workstation clients in his environment.
Server test deployment: the ConfigMgr Admin considers the following for the server test deployment:
Specifies a deployment collection that contains a subset of server clients to verify the deployment.
Configures the deployment settings that are appropriate for the server clients in his environment.
Reference: Deploy software updates

Process: The ConfigMgr Admin verifies that the test deployments have successfully deployed.
Reference: Software updates deployment status

Process: The ConfigMgr Admin updates the two deployments with new collections that include his production
workstations and servers.
Reference: No additional information

Step 5: Monitor compliance for deployed software updates


The ConfigMgr Admin monitors compliance of his software update deployments. The admin performs the step
in the following table.

Process: The ConfigMgr Admin monitors the software updates deployment status in the Configuration Manager
console and checks the software update deployment reports available from the console.
Reference: Monitor software updates

Step 6: Add monthly software updates to the yearly update group


The ConfigMgr Admin adds the software updates from the monthly software update group to the yearly
software update group. The admin performs the step in the following table.

Process: The ConfigMgr Admin selects the software updates from the monthly software update group and adds
the software updates to the software update group that was created for yearly compliance. The admin tracks
the software update compliance and creates various reports for his management.
Reference: Add software updates to a deployed update group
The ConfigMgr Admin has successfully completed his monthly deployment for security software updates. The
admin continues to monitor and report on software update compliance to ensure that the clients in his
environment are within acceptable compliance levels.

Recurring monthly process to deploy software updates


After the first month that our ConfigMgr Admin deploys software updates, the admin performs steps three
through six to deploy the monthly security software updates released by Microsoft.
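The following PowerShell is an added example, not part of the Woodgrove Bank scenario, that scripts what the administrator does by hand in steps 1, 2 and 6: the yearly compliance group, the SUP synchronization schedule on the second Wednesday, the ADR on the second Thursday against a limited test collection, and rolling a month's updates into the yearly group. Site code, collection, package name and package path are placeholders; cmdlet parameter names are taken from the module's documented syntax, so confirm them with Get-Help on your module version before running.

```powershell
<#
  Added example; not part of the Woodgrove Bank scenario. Scripts what the
  administrator does by hand in steps 1, 2 and 6: yearly compliance group,
  SUP synchronization on the second Wednesday, ADR on the second Thursday
  against a test collection, and rolling a month's updates into the yearly group.
  Site code, collection, package name and package path are placeholders;
  parameter names follow the module's documented syntax; confirm with Get-Help.
#>
param(
    [string]$SiteCode       = 'PS1',                          # placeholder
    [string]$TestCollection = 'Patch Test Workstations',      # placeholder: limited test collection
    [string]$PackageName    = 'Monthly Security Updates Pkg', # placeholder: new deployment package
    [string]$PackagePath    = '\\server\share\MonthlySU',     # placeholder: package source UNC path
    [int]   $ComplianceYear = 2015                            # year used in step 1 of the scenario
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Set-Location "$($SiteCode):"

# Step 1: the same three console filters (Date Released or Revised >= 1/1/<year>,
# Update Classification = Security Updates, Expired = No) as a query, then a group.
$yearlyGroupName = "Compliance Group - Microsoft Security Updates $ComplianceYear"
$since  = Get-Date -Year $ComplianceYear -Month 1 -Day 1 -Hour 0 -Minute 0 -Second 0
$yearly = Get-CMSoftwareUpdate -Fast -CategoryName 'Security Updates' -IsExpired $false -DateRevisedMin $since
if (-not (Get-CMSoftwareUpdateGroup -Name $yearlyGroupName)) {
    New-CMSoftwareUpdateGroup -Name $yearlyGroupName -Description 'Software updates' -UpdateId $yearly.CI_ID | Out-Null
}

# Synchronization must precede rule evaluation: sync on the second Wednesday of the
# month (the day after Patch Tuesday), evaluate the ADR on the second Thursday.
$syncSchedule = New-CMSchedule -Start (Get-Date) -DayOfWeek Wednesday -WeekOrder Second
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode -Schedule $syncSchedule
$adrSchedule  = New-CMSchedule -Start (Get-Date) -DayOfWeek Thursday  -WeekOrder Second

# Step 2: ADR targeting the test collection, creating a new software update group each
# run and left disabled after creation so the deployment is reviewed before it goes live.
if (-not (Get-CMSoftwareUpdateDeploymentPackage -Name $PackageName)) {
    New-CMSoftwareUpdateDeploymentPackage -Name $PackageName -Path $PackagePath | Out-Null
}
if (-not (Get-CMSoftwareUpdateAutoDeploymentRule -Name 'Monthly Security Updates')) {
    New-CMSoftwareUpdateAutoDeploymentRule -Name 'Monthly Security Updates' `
        -CollectionName $TestCollection `
        -AddToExistingSoftwareUpdateGroup $false `
        -EnabledAfterCreate $false `
        -DateReleasedOrRevised Last1Month `
        -UpdateClassification 'Security Updates' `
        -RunType RunTheRuleOnSchedule -Schedule $adrSchedule `
        -DeploymentPackageName $PackageName | Out-Null
}

# Step 6: once the month's deployment is verified, add that month's updates to the
# yearly group (skipping any already present). Pass the name of the group the ADR created.
function Add-MonthlyUpdatesToYearlyGroup {
    param([string]$MonthlyGroupName, [string]$YearlyGroupName)
    $already = @(Get-CMSoftwareUpdate -Fast -UpdateGroupName $YearlyGroupName | ForEach-Object CI_ID)
    $new = @(Get-CMSoftwareUpdate -Fast -UpdateGroupName $MonthlyGroupName | Where-Object { $_.CI_ID -notin $already })
    if ($new.Count -gt 0) {
        Add-CMSoftwareUpdateToGroup -SoftwareUpdateGroupName $YearlyGroupName -SoftwareUpdateId $new.CI_ID
    }
    "$($new.Count) update(s) added to '$YearlyGroupName'"
}
# Example call after the first month's ADR run (group name as shown under Software Update Groups):
# Add-MonthlyUpdatesToYearlyGroup -MonthlyGroupName 'Monthly Security Updates <date>' -YearlyGroupName $yearlyGroupName
```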
System Center Updates Publisher
9/17/2021 • 3 minutes to read

Applies to: System Center Updates Publisher


System Center Updates Publisher (Updates Publisher) is a stand-alone tool that enables independent software
vendors or line-of-business application developers to manage custom updates. This custom updates
management includes updates that have dependencies, like drivers and update bundles.
Using Updates Publisher, you can:
Import updates from external catalogs (non-Microsoft update catalogs).
Modify update definitions including applicability, and deployment metadata.
Export updates to external catalogs.
Publish updates to an update server.
After you publish updates to an update server, you can then use Configuration Manager to detect and deploy
those updates to your managed devices.

Workspaces
When you open Updates Publisher, it defaults to the Overview node of the Updates Workspace.

Updates Publisher has four workspaces to help organize it.


Updates Workspace: Use this workspace to create and manage software updates and update bundles. This
workspace includes assigning updates and bundles to a publication, publishing, and exporting to another
Updates Publisher repository.
Publications Workspace: This workspace is where you manage publications. A publication is a group of
updates you create to simplify the export and publishing of the updates.
Managing publications includes publishing updates to a server so your clients can find and install them,
exporting updates and bundles for use by other Updates Publisher installations, or modifying the contents of or
details of a publication.
Rules Workspace: Here is where you manage applicability rules that can be saved and then used with updates
you deploy. There are two types of rules:
Installable rules – These rules help determine if a client should install an update.
Installed rules – These rules verify if an update is already installed.
Catalogs Workspace: Use this workspace to add and manage software update catalogs. This workspace
includes the import of software updates from those catalogs to the Updates Publisher repository.

What's new in System Center Updates Publisher


NOTE
The latest version of System Center Updates Publisher was released on November 6, 2019. For more information, see the
Release history section.

There's a new authoring mode in System Center Updates Publisher to help you author your updates. When you
enable authoring mode, a Categories Workspace is added to the start screen. A new Detectoid button is also
added to the Updates Workspace when authoring mode is enabled.
To enable authoring mode
1. In the upper left corner of the console, click on the Updates Publisher Properties tab, and then choose
Options.
2. Go to the Authoring options.
3. Check the box for Enable authoring mode .
About the categories workspace
The categories workspace enables update authors to organize updates that belong together. For instance, if
you're an OEM, you might wish to organize your updates based on models or product lines. You can define
multiple categories and child categories but not grandchild categories, as you're limited to two levels.

Assign an update to a category


Once you've authored your update, you can assign it to a category by selecting the update then clicking the
Categorize button. You can also right-click the update and select Categorize .
About detectoids
Once authoring mode is enabled, you can create detectoids for updates. Detectoids are useful when you have
multiple updates that use the same rule (or a set of rules) to determine applicability. In those instances, you
would create a detectoid and assign it as a prerequisite for an update. You can assign multiple detectoids to an
authored update.
Create a detectoid
1. Open the Updates Workspace .
2. In the ribbon, click the Detectoid button.
3. Follow the prompts in the wizard to create your detectoid.

Release history
2019 RTW version 6.0.394.0. Released November 6, 2019.
Update rollup version 6.0.283.0 from KB4462765. Released September 7, 2018.
2017 RTW version 6.0.276.0. Released March 26, 2018.

Next steps
To get started, first install, and then configure options for Updates Publisher.
Install Updates Publisher
9/17/2021 • 3 minutes to read

Applies to: System Center Updates Publisher


The information in these articles can help you download, install, and set up Updates Publisher for use with your
Configuration Manager environment.

Prerequisites and limitations


System Center Updates Publisher can only be used with Configuration Manager. It isn't intended for use with
stand-alone WSUS hierarchies.
The following sections detail requirements to install and use Updates Publisher, and limitations or known issues
for its use.
Operating systems
Install and run Updates Publisher on 64-bit editions of the following operating systems. There are no
minimum cumulative update or service pack requirements.
Windows Server 2016 (Standard, Datacenter)
Windows Server 2012 R2 (Standard, Datacenter)
Windows 10 (Pro, Education, Pro Education, Enterprise)
Windows 8.1 (Professional, Enterprise)
Prerequisites
The following are required on the computer that runs Updates Publisher.
64-bit operating system : The computer where you install Updates Publisher must run a 64-bit operating
system.
WSUS 6.2 or later :
On Windows Server, install the default Administration Console to meet this requirement.
For Windows 10 and Windows 8.1, install the Remote Server Administration Tools (RSAT) for
Windows operating systems. This installs the necessary support to use Updates Publisher (API and
PowerShell cmdlets, and User Interface Management Console).
Permissions :
Installation: Local admin
Most operations: local user
Publishing, or operations that involve WSUS: Member of WSUS Administrators group on the WSUS
Server.
Supported languages
Updates Publisher is available only in English but can manage updates for other languages. The language
support depends on the task, such as publishing, creating, or editing updates.
When exporting or publishing updates, Updates Publisher displays the title and description of the software
update based on the locale of the computer where Updates Publisher is installed.
For example, you create a software update that has an English and Spanish title.
If you create the update on a computer whose locale is English, by default, you would see the title and
description in English.
If you then export or publish that update to a computer whose locale is Spanish, on that computer you would
see the title and description in Spanish.
Publishing
When you publish software updates, you can specify the language of the software update binary file. You can
also specify that the binary is language neutral. The following languages are supported:
Arabic
Chinese (Hong Kong S.A.R.)
Chinese (Traditional)
Chinese (Simplified)
Czech
Danish
Dutch
English
Finnish
French
German
Greek
Hebrew
Hungarian
Italian
Japanese
Korean
Norwegian
Polish
Portuguese
Portuguese (Brazil)
Russian
Spanish
Swedish
Turkish
Software update titles and descriptions
The following languages are supported for software update titles and descriptions.
Chinese (Traditional)
Chinese (Simplified)
English
French
German
Italian
Japanese
Korean
Portuguese (Brazil)
Russian
Spanish
Install Updates Publisher
Get the UpdatesPublisher.msi for installing System Center Updates Publisher from
https://aka.ms/SCUPDownload.
To install Updates Publisher, run UpdatesPublisher.msi on a computer that meets the prerequisites. The
installer creates the following folder to contain the files necessary to run Updates Publisher:
%PROGRAMFILES%\Microsoft\UpdatesPublisher.
Because this folder contains all the files necessary to use Updates Publisher, you can copy the folder and its
contents to a new location or computer and then use Updates Publisher from that location. However, the new
location or computer must meet the prerequisites to run Updates Publisher.
After installation completes, run UpdatesPublisher.exe from the UpdatesPublisher folder to start Updates
Publisher.

Next steps
After you install Updates Publisher, we recommend configuring the options for Updates Publisher. You must
configure some options before you can use some features of Updates Publisher.
However, if you want to use the defaults and don't plan to deploy updates to an update server or to managed
devices, you can jump right to managing software update catalogs, or create software updates and create
update catalogs of your own.
Configure options for Updates Publisher
9/17/2021 • 6 minutes to read

Applies to: System Center Updates Publisher


Review and configure the options and related settings that affect the operation of Updates Publisher.
To access the Updates Publisher options, in the upper left corner of the console, click on the Updates Publisher
Properties tab, and then choose Options.

Options are divided into the following:


Update Server
ConfigMgr Server
Proxy Settings
Trusted Publishers
Advanced
Updates
Logging

Update Server
You must configure Updates Publisher to work with an update server like Windows Server Update Services
(WSUS) before you can publish updates. This includes specifying the server, the method used to connect to that
server when it is remote from the console, and a certificate to use to digitally sign the updates you publish.
Configure an update server. When you configure an update server, select the top-level WSUS server
(update server) in your Configuration Manager hierarchy so that all child sites have access to the updates
that you publish.
If your update server is remote from your Updates Publisher server, specify the fully qualified domain
name (FQDN) of the server, and whether you will connect by SSL. When you connect by SSL, the default port
changes from 8530 to 8531. Ensure the port you set matches what is in use by your update server.

TIP
If you do not configure an update server, you can still use Updates Publisher to author software updates.

Configure the signing certificate. You must configure and successfully connect to an update server
before you can configure the signing certificate.
Updates Publisher uses the signing certificate to sign the software updates that are published to the
update server. Publishing fails if the digital certificate is not available in the certificate store of the update
server or the computer that runs Updates Publisher.
For more information about adding the certificate to the certificate store, see Certificates and security for
Updates Publisher.
If a digital certificate is not automatically detected for the update server, choose one of the following:
Browse: Browse is only available when the update server is installed on the server where you run
the console. After you select a certificate you must choose Create to add that certificate to the
WSUS certificate store on the update server. You must enter the .pfx file password for certificates
that you select by this method.
Create: Use this option to create a new certificate. This also adds the certificate to the WSUS
certificate store on the update server.
If you create your own signing certificate, configure the following:
Enable the Allow private key to be exported option.
Set Key Usage to digital signature.
Set Minimum key size to a value of 2048 bits or greater.
Use the Remove option to remove a certificate from the WSUS certificate store. This option is available
when the update server is local to the Updates Publisher console you use, or when you used SSL to
connect to a remote update server.

ConfigMgr Server
Use these options when you use Configuration Manager with Updates Publisher.
Specify the Configuration Manager server: After you enable support for Configuration Manager,
specify the location of the top-tier site server from your Configuration Manager hierarchy. If that server is
remote from the Updates Publisher install, specify the FQDN of the site server. Choose Test Connection
to ensure you can connect to the site server.
Configure thresholds: Thresholds are used when you publish updates with a publication type of
Automatic. The threshold values help determine when the full content for an update is published instead
of only the metadata. To learn more about publication types, see Assign updates to a publication.
You can use one or both of the following thresholds:
Requested client count threshold: This defines how many clients must request an update
before Updates Publisher can automatically publish the full set of content for that update. Until the
specified number of clients request the update, only the update's metadata is published.
Package source size threshold (MB): This prevents automatic publishing of updates that
exceed the size you specify. If the update's size exceeds this value, only the metadata is published.
Updates that are smaller than the specified size can have their full content published.

Proxy Settings
Updates Publisher uses the proxy settings when you import software catalogs from the Internet or publish
updates to the Internet.
Specify the FQDN or IP address of a proxy server. IPv4 and IPv6 are supported.
If the proxy server authenticates users for Internet access, you must specify the Windows user name. A
user principal name (UPN) is not supported.

Trusted Publishers
When you import an update catalog, the source of that catalog (based on its certificate) is added as a trusted
publisher. Similarly, when you publish an update, the source of the update's certificate is added as a trusted
publisher.
You can view certificate details for each publisher and remove a publisher from the list of trusted publishers.
Content from publishers that are not trusted can potentially harm client computers when the client scans for
updates. You should accept content only from publishers that you trust.

Advanced
Advanced options include the following:
Repository location: View and modify the location of the database file, scupdb.sdf. This file is the
repository for Updates Publisher.
Timestamp: When enabled, a timestamp that identifies when the update was signed is added to updates you sign.
An update that was signed while a certificate was valid can be used after that signing certificate expires.
By default, software updates cannot be deployed after their signing certificate expires.
Check for updates to subscribed catalogs: Each time Updates Publisher starts, it can automatically
check for updates to catalogs that you have subscribed to. When a catalog update is found, details are
provided as Recent Alerts in the Overview window of the Updates Workspace.
Certificate revocation: Choose this option to enable certificate revocation checks.
Local source publishing: Updates Publisher can use a local copy of an update you are publishing
before downloading that update from the Internet. The location must be a folder on the computer that
runs Updates Publisher. By default, this location is My Documents\LocalSourcePublishing. Use this
when you have previously downloaded one or more updates, or have made modifications to an update
you want to deploy.
Software Updates Cleanup Wizard: Start the updates cleanup wizard. The wizard expires updates that
are on the update server but not in the Updates Publisher repository. See Expire unreferenced updates
for more details.

Updates
Updates Publisher can automatically check for new updates each time it opens. You can also opt into receiving
preview builds of Updates Publisher.

To manually check for updates, in the Updates Publisher console open the Updates Publisher Properties, and
then choose Check for update.
After Updates Publisher finds a new update, it displays the Update Available window and you can then choose
to install it. If you choose to not install the update, it is offered the next time you open the console.

Logging
Updates Publisher logs basic information about Updates Publisher to
%WINDIR%\Temp\UpdatesPublisher.log.
Use notepad or CMTrace to view the log. CMTrace is the Configuration Manager log file tool and can be found
in the \SMSSetup\Tools folder of the Configuration Manager source media.
You can change the size of the log and its level of detail.
When you enable database logging, information about the queries that are run against the Updates Publisher
database are included. Use of database logging can lead to reduced performance of the Updates Publisher
computer.

To view the log file, in the console open the Updates Publisher Properties, and then choose View log file.

Expire unreferenced software updates


You can run the Software Update Cleanup Wizard to expire updates that are on your update server but not
in the Updates Publisher repository. This notifies Configuration Manager which then removes those updates
from any future deployments.
The act of expiring an update cannot be reversed. Only perform this task when you are sure that the software
updates you select are no longer required by your organization.
To remove expired software updates
1. In the Updates Publisher console, open the Updates Publisher Properties, and then choose Options.
2. Choose Advanced, and then under Software Updates Cleanup Wizard, choose Start.
3. Select the software updates you want to expire, and then choose Next.
4. After reviewing your selections, choose Next to accept the selections and expire those updates.
5. After the wizard finishes, choose Close to complete the wizard.
Manage software update catalogs in Updates
Publisher
9/17/2021 • 4 minutes to read

Applies to: System Center Updates Publisher


Use the Catalogs Workspace to manage software update catalogs. This includes adding new catalogs,
managing existing catalog subscriptions, and importing information about the updates from a catalog to the
Updates Publisher repository.
Software update catalogs contain information about related updates that are created by organizations other
than Microsoft. Other organizations include your own organization and third-party software vendors that have
registered their catalogs with Microsoft. Registered catalogs from software vendors are called partner catalogs.
Catalogs that you create, and that are not registered with Microsoft, are called user catalogs.

Add software update catalogs


You must add an update catalog to Updates Publisher before you can manage the updates that it contains. When
you add a catalog, Updates Publisher:
Creates a subscription to that catalog, so it can check for updates to that catalog.
Adds the catalog to a list in the My Software Update Catalogs window of the Catalogs Workspace .
Information about each subscribed catalog is available in the console. Information includes the download URL
or location, the name of the company or organization who created the catalog, and when it was last imported or
modified.
Updates Publisher can automatically check your subscriptions for changes each time it starts. This is configured
as an Advanced option. When configured, Updates Publisher references the download URL or location
information for the subscription and alerts you when there are changes to the catalog that were made since the
last time you imported it to the repository.
To manually check for a catalog update, select the catalog from the My Software Update Catalogs list and
then choose Refresh from the ribbon.
In addition to adding catalogs, and viewing information about subscribed catalogs, you can:
Edit information for user catalogs.
Delete (remove) a catalog from Updates Publisher.
Import updates from a catalog into the Updates Publisher repository. When you import updates, you import
all updates contained in that catalog. You can then view the updates in the Updates workspace where you can
then select and publish updates to your update server.

NOTE
Deleting a catalog from Updates Publisher results in the updates in that catalog being removed from your repository. This
does not affect the updates you have published to your update server. To remove updates from your update server that
are no longer in your repository, see Expire unreferenced software updates.

Manage update catalogs


You can view the list of catalogs you have imported in the My Software Update Catalogs window of the
Catalogs Workspace . From this workspace you can:
Add a partner catalog: Use one of the following to find new partner catalogs:
In the console, go to Updates Workspace > Overview. In the Getting Started window, choose
Add Partner Software Updates Catalogs.
In the console, go to Catalogs Workspace > My Catalogs . Then, from the ribbon, choose Add
Catalogs .
Add a user catalog: In the console, go to Catalogs Workspace > My Catalogs . Then, from the
ribbon, choose Add Catalogs . In addition to the location of the .cab file, you must specify a Publisher,
Name, and Description to identify the catalog.
Check for updates to catalogs: Select one or more catalogs and then choose Refresh from the
ribbon.
Edit a user catalog: Select a user catalog and then choose Edit from the ribbon. You can then modify
the user defined properties.
Delete catalogs: Select one or more catalogs and then choose Remove from the ribbon. This removes
the catalog, your subscription, and the updates from those catalogs from your Updates Publisher
repository.
Add updates from a catalog to your repository: Choose Import from the ribbon to start the
Import Catalog wizard. For more information, see Import updates.

Import updates
When you import a catalog, Updates Publisher adds the updates from that catalog to the Updates Publisher
repository. After updates are imported, you can publish them to your update server to make them available to
managed devices.
To import updates
1. To start the Import Catalog wizard, choose Import from the ribbon in one of the following
workspaces:
Catalogs Workspace
Updates Workspace
2. On the Import Type page, select one or more catalogs you've added to Updates Publisher, or specify a
path to a catalog you have not yet added as a subscription. Choose Next to view the summary screen, and
when ready, choose Next to start the import.
3. On the Security Warning – Catalog Validation window, review the catalog certificate, and when
ready, choose Accept to import the updates.
Caution
Accept updates only from publishers that you trust. Software updates from publishers who are not
trusted can potentially harm client computers when scanning for updates.
If you no longer trust a publisher, remove that publisher from the trusted publishers list. To find more
information about accepting catalogs, click Tell Me More in the Security Warning – Catalog
Validation dialog box.
If you choose to always accept catalogs from a publisher, that publisher is added to the trusted publishers
list. You can review and edit this list as an Updates Publisher option.
4. Import skips import of an update when the update is already in the repository and one of the following is
true:
The update is unchanged from the last time it was imported.
The update has been edited and has a new digital hash. Editing an update prevents a new update
from overwriting the original as doing so would overwrite changes you might have deployed.
5. On the Confirmation page review the import results.
6. Click Close to complete the wizard. You can now view the updates for this catalog in the Updates
Workspace.
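An added example, not part of the original documentation, of the check a practitioner can run on a downloaded catalog .cab before accepting it on the Security Warning – Catalog Validation page: it verifies the Authenticode signature and compares the signer against an allowlist of publishers you have already decided to trust. The catalog path, the thumbprint allowlist and the function name are placeholders you supply.

```powershell
# Added example: pre-import check of a catalog .cab. Verifies the Authenticode
# signature and decides Accept / Review / Reject from a publisher allowlist.
# The path, the thumbprints and the function name are placeholders.
function Test-CatalogPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CatalogPath,
        # Thumbprints of publisher certificates you have decided to trust.
        # The default value is a placeholder, not a real publisher thumbprint.
        [string[]]$TrustedThumbprints = @('REPLACE-WITH-PUBLISHER-THUMBPRINT')
    )

    if (-not (Test-Path -LiteralPath $CatalogPath)) {
        throw "Catalog not found: $CatalogPath"
    }

    # Get-AuthenticodeSignature validates the signature and its chain for .cab files.
    $sig    = Get-AuthenticodeSignature -FilePath $CatalogPath
    $signer = $sig.SignerCertificate

    $verdict = 'Reject'
    $reason  = ''
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, NotTrusted, ...: the file was altered or
        # cannot be attributed to any publisher, so it must not be imported.
        $reason = "Signature status is $($sig.Status)"
    } elseif ($signer.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
        # Defensive: an expired signer without a timestamp counter-signature.
        $reason = 'Signer certificate expired and the signature is not timestamped'
    } elseif ($TrustedThumbprints -contains $signer.Thumbprint) {
        $verdict = 'Accept'
        $reason  = 'Signer is on the trusted publisher allowlist'
    } else {
        # A valid signature from a publisher you have not decided about yet:
        # review the certificate in the dialog and extend the allowlist deliberately.
        $verdict = 'Review'
        $reason  = 'Valid signature from a publisher not on the allowlist'
    }

    [pscustomobject]@{
        Catalog    = $CatalogPath
        Status     = $sig.Status
        Signer     = if ($signer) { $signer.Subject } else { $null }
        Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        Verdict    = $verdict
        Reason     = $reason
    }
}

# Example run; the catalog path is a placeholder.
Test-CatalogPublisher -CatalogPath 'C:\Catalogs\vendor-catalog.cab' | Format-List
```

Keep the allowlist in step with the Trusted Publishers list in the Updates Publisher options so that removing a publisher there also removes it here.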

Next steps
After you import updates, common actions include:
Manage updates to bundle, assign, and deploy them to your update server.
Create applicability rules to help determine when updates deploy to your update server.
Manage software updates in Updates Publisher
9/17/2021 • 7 minutes to read

Applies to: System Center Updates Publisher


In System Center Updates Publisher, you use the Updates Workspace to manage software updates and
bundles that you have imported to the repository.
Management tasks include duplicating, editing, and expiring or reactivating updates and bundles, and assigning
updates and bundles to publications. You can also export custom catalogs for use with other Updates Publisher
installations.
To get updates that you can manage:
Add an update catalog to your installation of Updates Publisher
Import the updates from that catalog to your repository.
You can also create your own updates.

Create a duplicate of an update


You can create duplicates, or copies, of updates that are in your repository. Then you can modify the copy
instead of modifying the original update. You cannot create copies of update bundles.
To create a copy, select an update in the Updates Workspace , and then choose Duplicate . The copy of the
update appears in the same location in the Updates Workspace with Copy of added to its name.
A new copy you create has a status of Unexpired , but otherwise retains the settings of the original.

Edit updates and bundles


You can select updates and bundles that are in your repository to modify them.
In the Updates Workspace select an update or bundle, and then select Edit from the Home tab to open the
edit wizard. Updates and bundles each have separate but closely related wizards that present the same options
as the Create Update or Create Bundle wizards.
When editing, you can change any available detail about the update or bundle so that it can be used in your
environment. For example, you can edit the applicability or precedence rules, or change the language. You can
also change the product and vendor to move the update or bundle to a custom folder to group updates for your
own use.

Assign updates and bundles to a publication


You can select updates and bundles in the Updates Workspace and then choose Assign from the Home tab
of the ribbon to add them to a publication. This starts the Assign Software Updates wizard.
See Publish updates and bundles for information on how to select and publish updates and bundles as a
single task.
See Manage publications for information on how to manage groups of updates and bundles as a single
object. After you assign updates to a publication, you can manage that publication, which in turn includes all
its assigned updates.
When you assign updates to a publication:
You can include expired and non-expired updates and bundles in the same publication.
Specify the publication type:
Full Content – This publishes the full content of the update to your WSUS Server. This includes
metadata and the update binaries.
Metadata only – This publishes only the metadata; update binaries are not published. You might
choose this option when you want to gather compliance data.
Automatic – This mode is only available when you have connected Updates Publisher to
Configuration Manager (See the ConfigMgr Server option.)
With this type, Updates Publisher queries Configuration Manager to determine if the updates or bundles
should be published with full content or only metadata. Full content for an update is published only when
that update meets the Requested client count threshold and Package source size threshold,
which are specified on the ConfigMgr Ser ver page of Updates Publisher options.
Select a publication:
Use Assign software update to existing publications when you have already created a
publication that you want to use. This option is not available until at least one publication exists.
Use Assign software update to a new publication when you do not have a suitable
publication. This will create a new publication with the name that you specify.
After you assign updates to a publication, you can use the Publication Workspace to publish or export the
publication as a group.

Publish updates and bundles from the Updates Workspace


When you publish updates and bundles, Updates Publisher adds information about those updates and bundles
(metadata) and possibly the binaries for the updates (full content), to an update server for deployment to
devices.
Before you have the option to publish, you must configure the Update Server option for Updates Publisher. To
open this configuration option, go to Updates Workspace > Overview and select Configure WSUS and
Signing Certificate. You can also go to the Update Server page in the Updates Publisher options.
There are two ways to publish updates and bundles:
Directly from the Updates Workspace. (See the following procedure, To publish updates and bundles.)
As a publication from the Publications Workspace.

NOTE
Updates Publisher can only publish updates that are 375 megabytes (MB) or less in size.

To publish updates and bundles


1. Go to Updates Workspace and select one or more updates and bundles that you want to publish. Then
choose Publish from the Home tab of the ribbon.
2. On the Select page of the Publish wizard, select how you want to publish the updates. The options are
the same as for assigning updates: Full Content , Metadata only , or Automatic .
You can also choose to sign all updates with a new publishing certificate.
3. Complete the wizard.
If publishing fails, you are presented with a link to the UpdatesPublisher.log file that can provide more
information.

Export updates
You can export updates and bundles from your Updates Publisher repository to create a custom update catalog.
Then, you can add and then import that catalog to another instance of Updates Publisher. (You can also export
updates as a publication.)
To export directly, go to Updates Workspace > All Software Updates and select one or more updates and
bundles. You cannot export a vendor or product folder, but you can select a folder and then select the updates in
that folder for export.
With one or more updates selected, choose Export from the Home tab of the ribbon, and then provide a path
and filename for the catalog export.
You will have the option to export (include) dependent software updates.

Delete updates and bundles


You can delete updates and bundles of updates to remove them from the Updates Publisher repository.
Go to Updates Workspace > All Software Updates and select one or more individual updates. Then choose
Delete from the Home tab of the ribbon.
If your selection contains only updates or bundles that have not been published or that are expired, you
are asked to confirm deletion before they are removed.
If your selection includes an update or bundle that has been published and is not yet expired, you are
given a warning. You should expire those updates and then publish that change before you delete them
from the repository.
If you delete an update or bundle from a vendor and then import that catalog again, that update is restored to
your repository.

Manage vendor and product folders


To view a list of vendors, and products for each vendor for which you have imported or created updates, go to
Updates Workspace > Overview > All Software Updates.
Folders for vendors and products are automatically created by Updates Publisher when you use a wizard to
import or create a software update or bundle. You can also create these folders manually.
To create a vendor folder, in the navigation pane of the Updates Workspace , right-click on All
Software Updates , and then choose Create Vendor .
To create a product folder under a vendor folder, right-click on the vendor folder and choose Create
Product .
In addition to creating folders, you can rename or delete any vendor or product folder in your repository. To do
so, right-click on the folder and choose the option you want, Rename or Delete . Deleting a folder removes all
the updates and bundles in that folder and its product folders from the Updates Publisher repository.
You can move updates between vendor and product folders, including to folders you create. To move an update
or bundle to a new folder, you must select and then Edit the update or bundle. Then, on the Information page
of the Edit Update wizard you can reassign the vendor and product. When the Edit Update wizard completes,
the change applies and the update moves to the new folder.

View the XML of an update or bundle


You can select a single update or bundle in the Updates Workspace and then choose View XML to display the
XML structure of that update. There are no options to edit the XML structure directly.
Manage publications in Updates Publisher
9/17/2021 • 4 minutes to read

Applies to: System Center Updates Publisher


You can use publications to manage groups of updates and bundles as a single object. This includes publishing
the updates to a management server and exporting the publication as a group for use with another installation of
Updates Publisher.

Create publications
Publications are created two ways:
When you manage updates and bundles in the Updates Workspace , you can assign them to a new
publication that is created at that time.
In the Publications Workspace, you can use the Create button on the Publication tab of the ribbon.
This method lets you create a publication for future use. Later, when you assign updates, you can use this
publication.

Rename a publication
To rename a publication, select the publication from within the Publications Workspace , and then on the
Publication tab of the ribbon, choose Edit .

Change the publication type of updates in a publication


From the Publication Workspace , you can modify the publication type of updates and bundles that are
assigned to a publication.
1. Select the publication that contains the updates you want to modify, and then select one or more update
or bundles from the All <publication name> member updates list.
2. Next, on the Home tab, choose one of the following options. The options that are available depend on the
publication type of the updates you have selected.
Automatic
Full Content
Metadata only
After making a change, you might need to refresh the publication view to see the new values.
For information about the different publication types, see Assign updates and bundles to a publication.

TIP
When you set the publication type of a bundle, all the software updates in that bundle are published with the publication
type of that bundle.

Remove updates from a publication


To remove updates or bundles from a publication, in the Publications Workspace select the publication you
want to modify, and then select the updates and bundles you want to remove. Next, on the Home tab of the
ribbon, choose Remove .
After updates are removed from a publication, they remain available in the Updates Publisher repository.

Publish publications
When you publish updates and bundles, Updates Publisher adds information about those updates and bundles
(metadata) and possibly the binaries for the updates (full content), to an update server for deployment to
devices.
Before you have the option to publish, you must configure the Update Server option for Updates Publisher. To
open this configuration option, go to Updates Workspace > Overview and select Configure WSUS and
Signing Certificate. You can also go to the Update Server page in the Updates Publisher options.

NOTE
Updates Publisher can only publish updates that are 375 megabytes (MB) or less in size.

To publish a publication
1. Go to the Publications Workspace , and then select a publication that contains the group of updates
and bundles that you want to publish or export. Then choose Publish from the Home tab of the ribbon.
2. On the Select page of the Publish wizard you can choose to sign all updates with a new publishing
certificate, but you cannot change the publication type.
3. Complete the wizard.
If publishing fails, you are presented with a link to the UpdatesPublisher.log file that can provide more
information.

Export a publication
You can export a publication from your Updates Publisher repository. Doing so exports the updates and bundles
that are assigned to that publication and creates an update catalog. You can then add and then import that
catalog to another instance of Updates Publisher. You can also export updates that are not part of a publication.
To export a publication, go to the Publications Workspace and select the publication that contains updates
that you want to export. You can only select one publication at a time.
With the publication selected, choose Export from the Home tab of the ribbon, and then provide a path and
filename for the catalog export.
You also have the option to export (include) dependent software updates as part of the export.

Delete a publication
To delete a publication, select the publication in the Publications Workspace, and then choose Delete from the
Publication tab of the ribbon.
After the publication is removed from Updates Publisher, the updates that were in the publication remain
available in the Updates Publisher repository.

Expire or reactivate updates and bundles


You can use the Updates Workspace to select and then expire or reactivate updates and bundles. You can
expire and reactivate updates and bundles as many times as you choose.
To expire updates or bundles , in the Updates Workspace select one or more updates or bundles that
are not expired, and then choose Expire from the Home tab. Until you publish the update or bundle as
expired to Configuration Manager, you can reactivate it.
Before you can remove (delete) a custom update or bundle from Configuration Manager, you must expire
it and then publish that expired status to Configuration Manager. After updates or bundles are expired in
Configuration Manager, you can no longer deploy or reactivate the update or bundle.
To reactivate updates or bundles , in the Updates Workspace select one or more updates that are
expired, and then choose Reactivate from the Home tab of the ribbon. If the expired update was
previously published as expired to Configuration Manager, you cannot reactivate it.
Create software updates and update bundles with
Updates Publisher
9/17/2021 • 10 minutes to read

Applies to: System Center Updates Publisher


With Updates Publisher you can use the Create Update wizard to create your own updates and the Create
Bundle wizard to create bundles of updates.
Because these two wizards have a similar workflow, the procedure to create an update bundle refers to the
procedure for creating updates, with only the relevant differences detailed.

Use the Create Update wizard


1. In the console go to Updates Workspace, and then in the Getting Started pane, choose Update from
the Home tab of the ribbon. This opens the Create Update wizard.
2. On the Package page, use the following information to help you configure the update:
Choose Browse to locate the software update package you will use as a package source. Valid
sources include .MSI, .MSP, or .EXE files. Updates Publisher requires access to the file to create a file
hash. The hash and file name are then used in the update metadata for the update that you are
creating.
Specify the source location of the content for this update. Normally this is the location where the
update binary will be downloaded from during publishing to a WSUS server. If the Use a local
source to publish software update content option is selected, then the path is not required.
Later, when the update is published to a WSUS server, Updates Publisher downloads the binaries
for the update from the indicated source location. If no path is provided, then Updates Publisher will
search the local source publishing path for the update binary.
Specify the Binary language of the software update.
Specify Success return codes , and Success pending reboot codes for the update. Separate
multiple return codes by using a comma. You can use return codes to determine when update
install was successful, and when reboots were required.
Windows installer files and patches (.MSI and .MSP files) automatically set these values, and
they cannot be modified.
For .EXE updates, the default codes defined by the .EXE file are used if no return codes are
specified.
Specify any command-line arguments that are required to install the software update.
Windows installer files and patches (.MSI and .MSP files) automatically set these values. For
these file types the arguments must be specified as [name]=[value] . In addition, all
options that start with a / (like /qn ) are not supported for .MSI or .MSP software updates.
For .EXE updates, all arguments are valid.
NOTE
You can use Updates Publisher to create only packages that are smaller than 2 GB. Import options are disabled if
the software update package is too large.

3. On the Information page, specify details about the update that are included when the update is
published or exported. Details include localized properties like the update's name (title) and description.
Then, you specify more general details such as the classification, vendor, product, and where to learn
more about the update.
Localized properties:
Language: Select a language and then specify a title and description. You can then select
additional languages, one at a time, with each language supporting its own title and description.
Title : Enter the name of the update. This name displays in the Updates Workspace of the Updates
Publisher console.
Description : A friendly description of the update. You might include what the update installs, and
why or when it should be used.
Classification: The following are common descriptions for the different classifications.
Update : An update to an application or file that is currently installed.
Critical : A broadly released update for a specific problem that addresses a critical bug that is not
related to security.
Feature Pack : New product features that are distributed outside of a product release and are
typically included in the next full product release.
Security : A broadly released update for a product-specific issue that is related to security.
Update Rollup : A cumulative set of hotfixes that are packaged together for easy deployment.
These hotfixes can include security updates, critical updates, updates, and so on. An update rollup
generally addresses a specific area, such as security or a product feature.
Service Pack : A cumulative set of hotfixes that are applied to an application. These hotfixes can
include security updates, critical updates, software updates, and so on.
Tool : Specifies a tool or feature that helps complete one or more tasks.
Driver : An update for driver software.
Vendor : Specify a vendor for the update. You can use the dropdown list to use values from updates that
are in the repository. When you specify a vendor, the wizard creates a folder with that vendor name under
All Software Updates in the Updates Workspace if that folder does not already exist. The following
are Windows Server Update Services (WSUS) reserved names that cannot be entered for updates you
create:
Microsoft Corporation
Microsoft
Update
Software Update
Tools
Tool
Critical
Critical Updates
Security
Security Updates
Feature Pack
Update Rollup
Service Pack
Driver
Driver Update
Bundle
Bundle Update
Product : Specify the type of product that the update is for. You can use the dropdown list to use values
from updates that are in the repository. The same list of WSUS reserved names that cannot be used for
Vendor , cannot be used for Product .
More info URL : Specify the URL where you can find more information about this update. You must use
lowercase letters for https or http when you enter this URL.
4. On the Optional Info page, you can configure details that provide additional information about the
update.
Bulletin ID : Bulletin IDs are usually, but not always, provided by update vendors.
Article ID : If a software update article is available, the Article ID can be useful to individuals
seeking additional information about the update.
CVE IDs: List one or more Common Vulnerabilities and Exposures (CVE) identifiers that provide
security information about the update or update bundle. When listing more than one, use a
semicolon to separate the CVEs as in this example: CVE1;CVE2.
Support URL: List the URL that contains support information for this update, if available. You
must use lowercase letters for https or http when you enter this URL.
Severity: Set the severity level for this update.
Impact: The following options can be used to specify impact:
Normal – Use this to indicate the update requires typical installation procedures.
Minor – Use this to indicate the update requires minimal installation procedures.
Requires exclusive handling – Use this to indicate the update must be installed by itself,
exclusive from any other updates.
Restart Behavior : Use this to provide information about the update's restart behavior. This
setting does not affect the actual behavior of the update install.
Never reboots : The computer never performs a system restart after installing the software
update.
Always requires reboot : The computer always performs a system restart after installing the
software update.
Can request reboot : After installing the software update, the computer requests a system
restart only if a restart is necessary. The user has the option to postpone the restart. This is the
default value.
5. On the Prerequisite page, specify the prerequisites that must be installed on a computer before this
update can install. Prerequisites can be detectoids or other updates. Detectoids are high-level rules like
one that requires the computer's CPU to be a 64-bit processor. Detectoids can also specify specific
updates that must be installed before this update can install.
For better performance, use detectoids instead of creating installable and installed rules that perform
the same check or action.
Use the search option for Available software updates and detectoids to help you find specific
updates or detectoids. For example, search on CPU to find the detectoids that let you limit installation
based on specific CPU architecture.
You can select one or more items at a time to add as a prerequisite. When adding prerequisites, the
selected detectoids are added as one or more groups. To qualify for installation, a computer must meet
the requirement of at least one member of each group that you configure:
When you click Add Prerequisite, all items you have selected are added to separate, individual,
groups. To qualify for this update, a computer must meet the prerequisite in this group and pass
requirements for any additional groups that are configured.
When you click Add Group, all items you have selected are added to a single group. To qualify for
this update, a computer must meet at least one of the prerequisites in this group and pass
requirements for any additional groups that are configured.
6. On the Supersedence page, specify the updates that are replaced (superseded) by this update. When
this update is published, Configuration Manager will mark each update that is superseded as Expired .
Clients will then install this update instead of the superseded updates.
7. On the Applicability page use the Rule Editor to define a set of rules that determine whether a device
needs this update. (This page is similar to the Installed page, that follows it.)
To add a new rule, click on . This opens the Applicability Rule page where you can configure rules.
Types of rules you can create include:
File – Use this rule to require that a device have a file with properties that meet one or more
criteria you specify before this update can be applied.
Registry – Use this type to specify registry details that must be present before a device qualifies
to install this update.
System – This rule uses system details to determine applicability. You can choose between
defining a Windows version, a Windows language, processor architecture, or specify a WMI query
to identify the device's operating system.
Windows Installer – Use this rule type to determine applicability based on an installed .MSI or
Windows Installer patch (.MSP). You can also determine if specific components or features are
installed as part of the requirement.
IMPORTANT
On managed devices, the Windows Update Agent cannot detect Windows Installer packages that are
installed per-user. When you use this rule type, configure additional applicability rules, like file versions or
registry key values, so that the Windows Installer package can be properly detected regardless of a per-
user or per-system basis.
Saved rule – This option lets you find and use rules you created in the Rules Workspace.
After you create a rule, you can use the other icons to modify the rule, and if there are multiple
rules, to define relationships between those rules.
When you are done creating and adding rules, click OK in the Create Rule Set dialog box to save that
set. You can then create a New rule and add that to the set as well.
When you have multiple rules or rule sets to add to an update, you can use the logical operators in the
Rule Editor to determine conditions between the rules, and in which order they process.
8. On the Installed page use the Rule Editor to define a set of rules that determine whether a device has
already installed the update you are configuring. (This page is similar to the Applicability page, that
precedes this page.)
This page of the wizard supports configuring rules with the same options and criteria as the
Applicability page.
When the wizard completes, the new update is added to a node in the Updates Workspace that is
identified by the Vendor and Product name you used for that update.
Use the Create Bundle wizard
Because this wizard uses the same workflow as the Create Update wizard, use that workflow, but note the
following difference for bundles:
1. To start the wizard, in the console go to Updates Workspace , and then select Bundle from the Home
tab of the ribbon.
2. Unlike the Create Update wizard, there is no Package page when creating a bundle.
3. On the Information page, specify details about the update bundle that are included when the update is
published, or exported.
4. On the Optional Info page, you can configure details that provide additional information about the
update bundle. The available options are the same as for creating an update. However, options for Impact
and Restart Behavior are not available as they do not apply to bundles.
5. On the Prerequisite page, specify the prerequisites that must be installed on a computer before this
bundle can install. These rules are the same as seen for individual updates.
6. On the Supersedence page, specify the updates that are replaced (superseded) by this update bundle.
These rules are the same as seen for individual updates.
7. On the Members page, you select updates to add to the update bundle. Only updates you have created
or imported to Updates Publisher are available.
When the wizard completes, the new update bundle is added to a node in the Updates Workspace that is
identified by the Vendor name you used for the update bundle.
Manage Applicability rules in Updates Publisher
9/17/2021

Applies to: System Center Updates Publisher
With Updates Publisher, applicability rules define requirements that must be met before a device can install an
update. The rules are also used to determine if the computer has an update installed. An applicability rule that is
complex with multiple parts is referred to as a rule set.
Update bundles do not use applicability rules.
Overview of applicability rules
You manage applicability rules from the Rules Workspace . When you create a rule, you are specifying one or
more conditions. When multiple conditions are specified, you can configure relationships between the
conditions so they are evaluated sequentially or combined into logical And or Or statements.
For example, the following is a rule set that contains three rules. The first rule verifies that the MyFile file exists,
and the second and third rules verify that the language of the Windows operating system is either English or
Japanese.
And
    File '[PROGRAM_FILES]\Microsoft\MyFile' exists
    Or
        Windows Language is English
        Windows Language is Japanese

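To see how the And/Or grouping in that rule set resolves on a real device, it helps to reproduce the same logic as a script and run it on a reference machine before publishing. The following is an added example, not code from the page or from Updates Publisher. It resolves [PROGRAM_FILES] to the Program Files folder and uses Get-WinSystemLocale as a stand-in for the Windows Language rule (the page does not say which locale source the Windows Update Agent consults, so that mapping is an assumption); 'Microsoft\MyFile' and the English/Japanese list are the page's sample values.

```powershell
# Added example, not part of Updates Publisher: evaluate the page's three-rule set locally.
# Rule 1 AND (Rule 2 OR Rule 3); values are the page's samples, not real update data.
function Test-SampleApplicability {
    param(
        [string]   $RelativePath     = 'Microsoft\MyFile',
        [string[]] $AllowedLanguages = @('en', 'ja')   # English or Japanese, ISO 639-1 codes
    )
    # Rule 1: File '[PROGRAM_FILES]\Microsoft\MyFile' exists
    $programFiles = [Environment]::GetFolderPath('ProgramFiles')
    $fileExists   = Test-Path -LiteralPath (Join-Path $programFiles $RelativePath) -PathType Leaf

    # Rules 2 and 3, grouped by Or: Windows Language is English / Windows Language is Japanese.
    # Assumption: the OS system locale approximates what the Windows Language rule checks.
    $osLanguage = (Get-WinSystemLocale).TwoLetterISOLanguageName
    $languageOk = $osLanguage -in $AllowedLanguages

    # Top-level And: the file rule and the Or group must both hold for the update to apply.
    [pscustomobject]@{
        FileExists = $fileExists
        OsLanguage = $osLanguage
        LanguageOk = $languageOk
        Applicable = ($fileExists -and $languageOk)
    }
}

Test-SampleApplicability
```

A device where the file exists but the language check fails, or vice versa, reports Applicable = False; if that is not the outcome you intended, the grouping in the rule set (not the individual conditions) is usually what needs changing.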
All updates require at least one applicability rule. Updates you import already have applicability rules applied,
and when you create your own updates, you must add one or more rules to them. You can modify and expand
on the rules for any update in Updates Publisher.
To view rules you have created, in the Rules Workspace , select a rule from the My saved rules list. The
individual conditions and logical operations for that rule display in the Applicability Rules pane of the console.
Rules for updates that you import can only be viewed and modified when you edit that update.
You can create rules in two locations in Updates Publisher:
In the Rules Workspace, you create and save rule sets that you can then use later. When editing or
creating an update you can select Saved rule as the Rule type , and then select from a list of your
pre-created rule sets.
You can also create new rules at the time that you create or edit an update. Rules you create in this way
are not saved for future use.
Create applicability rule
The following information is similar to how you create rules from within the Create Update wizard. But unlike
the wizard, you have the option to save your rule sets for future use.
1. In the Rules Workspace , choose Create to open the Create Rule wizard.
2. Specify a name for the rule, and then click . This opens the Applicability Rule page where you can
configure rules.
3. For Rule type, select one of the following. The options you must configure vary for each type:
File – Use this rule to require that a device have a file with properties that meet one or more
criteria you specify before this update can be applied.
Registry – Use this type to specify registry details that must be present before a device qualifies
to install this update.
System – This rule uses system details to determine applicability. You can choose between
defining a Windows version, a Windows language, processor architecture, or specify a WMI query
to identify the device's operating system.
Windows Installer – Use this rule type to determine applicability based on an installed .MSI or
Windows Installer patch (.MSP). You can also determine if specific components or features are
installed as part of the requirement.
IMPORTANT
On managed devices, the Windows Update Agent cannot detect Windows Installer packages that are
installed per-user. When you use this rule type, configure additional applicability rules, like file versions or
registry key values, so that the Windows Installer package can be properly detected regardless of a per-
user or per-system basis.
Saved rule – This option lets you find and use rules that you previously configured and saved.
4. Continue to add and configure additional rules as desired.
5. Use the logical operation buttons to order and group different rules to create more complex prerequisite
checks.
6. When the rule set is complete, click OK to save it. The rule set now appears in the My saved rules list.
Edit applicability rule sets
To edit an applicability rule, in the Rules Workspace select any rule that is saved in the My saved rules list,
and then choose Edit from the ribbon. This opens the Edit Rule wizard.
The Edit Rule wizard displays the current rules for the rule set. You edit rules in the same way as you use the
Create Rule wizard to create new rules. You can use this wizard to rename the rule set, delete rules, re-order
rules and relationships, or add new rules.
After you make changes, choose OK to save the changes and close the wizard.
For more details about using the rule wizard, see Step 7 , the applicability page, of the Create Update wizard.
Delete applicability rules
To delete a saved applicability rule, in the Rules Workspace select the rule or rule set from the My saved
rules list, and then choose Delete from the ribbon. This removes the saved rule or rule set from Updates
Publisher.
To delete a rule from a specific update, you must edit the update.
Manage certificates and security for Updates Publisher
9/17/2021

Applies to: Configuration Manager (current branch)
The following procedures can help you to configure the certificate store on the update server, configure a self-
signing certificate on the client computer, and to configure the Group Policy to allow the Windows Update
Agent on computers to scan for published updates.
Configure the certificate store on the update server
Updates Publisher uses a digital certificate to sign the updates in the catalogs it publishes. Before a catalog can
be published to the update server, that certificate must be in the certificate store on the update server, and in the
certificate store of the Updates Publisher computer if that computer is remote from the update server.
The following procedure is one of several possible methods to add the certificate to the certificate store on the
update server.
To configure the certificate store
1. On a computer that can access both the Updates Publisher computer and the update server, click Start ,
click Run , type MMC in the text box, and then click OK to open the Microsoft Management Console
(MMC).
2. Click File , click Add/Remove Snap-in , click Add , click Certificates , click Add , select Computer
account , and then click Next .
3. Select Another computer , type the name of the update server or click Browse to find the update server
computer, click Finish , click Close , and then click OK .
4. Expand Certificates ( update server name ) , expand WSUS , and then click Certificates .
5. In the results pane, right-click the desired certificate, click All Tasks , and then click Export .
6. In the Certificate Export Wizard, use the default settings to create an export file with the name and
location specified in the wizard. This file must be available to the update server before proceeding to the
next step.
7. Right-click Trusted Publishers , click All Tasks , and then click Import . Complete the Certificate Import
Wizard using the exported file from step 6.
8. If a self-signed certificate is used, such as WSUS Publishers Self-signed , right-click Trusted Root
Certification Authorities , click All Tasks , and then click Import . Complete the Certificate Import
Wizard using the exported file from step 6.
9. Right-click Certificates ( update server name ) , click Connect to another computer , enter the
computer name for the Updates Publisher computer, and click OK .
10. If Updates Publisher is remote from the update server, repeat steps 7 through 9 to import the certificate
to the certificate store on the Updates Publisher computer.
Configure a self-signing certificate on client computers
On client computers, the Windows Update Agent (WUA) will scan for the updates from the catalog. This process
will fail to install updates when the agent cannot locate that digital certificate in the Trusted Publishers store on
the local computer. If a self-signed certificate was used to publish the updates catalog, such as WSUS
Publishers Self-signed , the certificate must also be in the Trusted Root Certification Authorities certificate
store on the local computer so that the agent can verify the validity of the certificate.
You can use one of several methods for configuring certificates on client computers, like using Group Policy and
the Certificate Import Wizard or by using the Certutil tool and software distribution.
The following is provided as one example of how to configure the signing certificate on client computers.
To configure a self-signing certificate on client computers
1. On a computer with access to the update server, click Start , click Run , type MMC in the text box, and
then click OK to open the Microsoft Management Console (MMC).
2. Click File , click Add/Remove Snap-in , click Add , click Certificates , click Add , select Computer
account , and then click Next .
3. Select Another computer , type the name of the update server or click Browse to find the update server
computer, click Finish , click Close , and then click OK .
4. Expand Certificates ( update server name ) , expand WSUS , and then click Certificates .
5. Right-click the certificate in the results pane, click All Tasks , and then click Export . Complete the
Certificate Export Wizard using the default settings to create an export certificate file with the name
and location specified in the wizard.
6. Use one of the following methods to add the certificate used to sign the updates catalog to each client
computer that will use WUA to scan for the updates in the catalog. Add the certificate on the client
computer as follows:
For self-signed certificates: Add the certificate to the Trusted Root Certification Authorities
and Trusted Publishers certificate stores.
For certification authority (CA) issued certificates: Add the certificate to the Trusted Publishers
certificate store.
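Both MMC procedures above (exporting the signing certificate from the update server's WSUS store, then importing it into the Trusted Publishers and, for self-signed certificates, Trusted Root Certification Authorities stores on clients) can be scripted with the PKI module cmdlets. The following is an added example, not code from the page or from Updates Publisher. It assumes the Cert: drive exposes the WSUS store as Cert:\LocalMachine\WSUS on the update server; 'WSUS Publishers Self-signed' is the page's sample certificate name and the file paths are placeholders.

```powershell
# Added example, not from the page: scripted equivalent of the export/import procedures.
# Run Export-PublishingCertificate on the update server and Import-PublishingCertificate on clients.

function Export-PublishingCertificate {
    param(
        [string] $SubjectPattern = '*WSUS Publishers Self-signed*',   # page's sample cert name
        [string] $OutFile        = 'C:\Temp\ScupSigning.cer'          # placeholder path
    )
    # Assumption: the signing certificate is in the machine WSUS store on the update server.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\WSUS |
            Where-Object { $_.Subject -like $SubjectPattern } |
            Select-Object -First 1
    if (-not $cert) { throw "No certificate matching '$SubjectPattern' in Cert:\LocalMachine\WSUS" }
    # Export the public certificate only (DER); the private key never leaves the server.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    $OutFile
}

function Import-PublishingCertificate {
    param([Parameter(Mandatory)] [string] $CerFile)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    # Every client needs the certificate in Trusted Publishers so WUA accepts content it signed.
    Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
    # A self-signed certificate (issuer equals subject) has no chain to a trusted CA, so it must
    # also be placed in Trusted Root Certification Authorities; a CA-issued one must not be.
    if ($cert.Subject -eq $cert.Issuer) {
        Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    }
    $cert.Thumbprint
}

# Usage (placeholder paths):
#   On the update server:  $file = Export-PublishingCertificate
#   On each client:        Import-PublishingCertificate -CerFile 'C:\Temp\ScupSigning.cer'
#   Verify on the client:  Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
#                              Where-Object Subject -like '*WSUS Publishers*'
# The certutil tool the page mentions does the same import:
#   certutil -addstore TrustedPublisher C:\Temp\ScupSigning.cer
#   certutil -addstore Root C:\Temp\ScupSigning.cer      (self-signed certificates only)
```

Keep the .cer file (public key only) separate from any .pfx export of the signing certificate; only the update server and the Updates Publisher computer need the private key, and clients should never receive it.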
NOTE
The WUA also checks whether the Allow signed content from intranet Microsoft update service
location Group Policy setting is enabled on the local computer. This policy setting must be enabled for WUA to
scan for the updates that were created and published with Updates Publisher. For more information about
enabling this Group Policy setting, see How to Configure the Group Policy on Client Computers.
Configuring Group Policy to allow WUA on computers to scan for published updates
Before the Windows Update Agent (WUA) on computers will scan for updates that were created and published
with Updates Publisher, a policy setting must be enabled to allow signed content from an intranet Microsoft
update service location. When the policy setting is enabled, WUA will accept updates received through an
intranet location if the updates are signed with a certificate that is in the Trusted Publishers certificate store on
the local computer.
There are several methods for configuring Group Policy on computers in the environment.
For computers that are not on the domain, a registry key setting can be configured that allows signed content
from an intranet Microsoft Update service location.
The following procedures provide the basic steps that can be used to configure Group Policy for computers on
the domain and a registry key value on computers that are not on the domain.
To configure Group Policy to allow WUA to scan for published updates
1. Open the Group Policy Object Editor Microsoft Management Console (MMC) snap-in with a user that has
the appropriate security rights to configure Group Policy.
2. Click Browse and select the domain, OU, or GPOs linked to the site where the configured Group Policy
will propagate to the desired client computers. Click OK , click Finish , click Close , and then click OK .
3. Expand the selected policy setting in the console tree, expand Computer Configuration , expand
Administrative Templates , expand Windows Components , and then click Windows Update .
4. In the results pane, right-click Allow signed content from intranet Microsoft update service
location , click Properties , click Enabled , and then click OK .
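For computers that are not on the domain, the page says a registry key setting can be configured instead of the policy. The following added example (not code from the page or from Updates Publisher) writes that value and then checks the two prerequisites WUA needs on a client: the policy value and the publishing certificate in Trusted Publishers. The value name and path, AcceptTrustedPublisherCerts under the WindowsUpdate policy key, come from the Windows Update policy documentation rather than from this page; the thumbprint argument is a placeholder for your own publishing certificate.

```powershell
# Added example, not from the page: registry equivalent of the "Allow signed content from intranet
# Microsoft update service location" policy for workgroup computers, plus a readiness check.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Enable-SignedIntranetContent {
    # The policy key does not exist until some Windows Update policy has been applied.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # DWORD 1 corresponds to the policy setting being Enabled (value name from Windows Update
    # policy documentation, not from this page).
    Set-ItemProperty -Path $PolicyKey -Name AcceptTrustedPublisherCerts -Value 1 -Type DWord
}

function Test-PublishedUpdateReadiness {
    param([Parameter(Mandatory)] [string] $SigningThumbprint)   # placeholder: your publishing cert
    $policy = (Get-ItemProperty -Path $PolicyKey -Name AcceptTrustedPublisherCerts `
               -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    # The Cert: drive addresses a certificate by thumbprint, so this is a direct existence test.
    $trusted = Test-Path "Cert:\LocalMachine\TrustedPublisher\$SigningThumbprint"
    [pscustomobject]@{
        PolicyEnabled    = ($policy -eq 1)
        PublisherTrusted = $trusted
        Ready            = (($policy -eq 1) -and $trusted)
    }
}

Enable-SignedIntranetContent
Test-PublishedUpdateReadiness -SigningThumbprint 'PLACEHOLDER_THUMBPRINT'
```

On domain-joined computers the Group Policy procedure above writes the same value; setting it directly there is overwritten at the next policy refresh, so use the GPO for those machines and reserve the registry write for workgroup computers.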