Best SCCM Patching Software Update Deployment Process Guide

The SCCM Patching Software Update Deployment Process Guide is here. This guide is again a video tutorial to help IT Pros learn the patching (a.k.a. Software Update patching) process with the latest version of SCCM.

Software updates in SCCM provide a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise. Patching is one of the important tasks of SCCM admin.

SCCM patching involves a lot of components, and it can become very complex if you don’t pay proper attention to the details. Windows Update for Business (WUfB) patching is much easier to set up and manage. However, WUfB gives you much less control to pick and choose. Intune patch management options are explained in Software Update Patching Options With Intune Setup Guide.

Let’s understand how to install WSUS for ConfigMgr Software Update Point Role | SUP | SCCM and install SUP role. Also, learn how to Create Deploy New Software Update Patch Package Using SCCM | ConfigMgr.

NOTE! Third-Party Patching Best Practices for an Organization guide

The following video guide is the high-level Patching Guide for SCCM beginners. There is not much difference between SCCM 2012 patching and SCCM Current Branch Patching.

I have an old blog post where I discussed ConfigMgr Patch Management Pros Cons. Some of the points in this blog post are still valid. So it’s worth going through to get more grasp of the SCCM patching process and setup scenarios as well.

Starting in SCCM version 1806, you can deploy software updates to devices without first downloading and distributing content to distribution points. This setting is beneficial when dealing with extremely large update content.

What is SCCM Patching?

All software applications/drivers need to go through the software release life cycle. This Software release life cycle includes bug fixing and improvements.

To fix the bugs in software and drivers, each vendor releases a patch. The process of deploying/installing these patches to one or more systems or devices is called software patching.

Patching all existing applications is mandatory for organizations. The patching process helps to keep the environment secure.

The software vendors like Microsoft, Adobe, Android, iOS, macOS, Linux, Unix OSes, etc. release patches. These patches cover bug fixes for their software.


Why a Patching Guide?

Recently, I saw someone looking for a video tutorial related to SCCM Software Updates in our Facebook group (which has about 11000 members now).

I thought ok, let me create a quick 25-minute video to cover the software update process in SCCM CB. I tried to give a quick overview of the end-to-end SCCM Software Update (patching) process.

SCCM Patching Infra Setup Videos: SCCM Patching Process is Explained

The end-to-end SCCM free training is shared in the below post – Free SCCM Training Part 1 | 17 Hours Of Latest Technical Content | ConfigMgr Lab HTMD Blog (anoopcnair.com).

In this section, you learn how to set up SCCM patching-related infrastructure components such as WSUS, and Software Update point. The architecture of SCCM patching infrastructure is also discussed in this section and the video tutorial below.

WSUS installation steps:

  1. Launch Server Manager
  2. Select Destination Server
  3. Select Server Roles
  4. Select Features
  5. Windows Server Update Services
  6. Select Role Services to Install WSUS
  7. Content-Location Selection for WSUS
  8. Database Instance Selection
  9. Web Server Role (IIS)
  10. Select Roles Services for IIS
  11. Install & Confirm Installation Selection
  12. Complete WSUS Installation
  13. Cancel WSUS Configuration Wizard
  14. Completion – Install WSUS for ConfigMgr SUP

  • Post Installation of WSUS Failed – WSUS service is disabled?
  • WSUS Reinstallation steps explained
  • WSUS post-installation completed without any issues
  • Install ConfigMgr Software Update Point (SUP) – Install New ConfigMgr Software Update Point Role.

SUP role installation steps:

  1. Add Site Systems Roles
  2. Select a Server to Use as a Site System
  3. Specify Internet Proxy Server
  4. Specify Roles for this Server
  5. Specify Software Update Point Settings
  6. Specify Proxy & Account Settings for Software Update Point
  7. Specify synchronization source settings
  8. Synchronization Settings
  9. Select Behavior for Software Updates that are Superseded
  10. Configure WSUS Maintenance Behavior
  11. Configure Maximum Run Time
  12. Specify Configuration for Software Update Content
  13. Select the Software update classifications that you want to Synchronize
  14. Select the Products that You Want to Synchronize
  15. Specify the Language Settings that you want to Synchronize and Confirm the Settings

  • Do Not Set Up SUP with Default WSUS Product Selection ConfigMgr SCCM.
  • Log files to troubleshoot: SUPSetup.log, WsyncMgr.log, WCM.log, and WSUSCtrl.log.
  • Initiate WSUS Sync twice – the first sync updates the category and products list for Software Update components.
  • Initiate the second WSUS Sync to update the KB articles metadata. This is completed only after the second sync.

The SCCM SUP Product List filtering options are useful in a scenario where you want to add a new product to the SCCM patching. This SUP product filter option is added starting from the 2203 version of SCCM.


Step 2: SCCM Software Update Patching WSUS and SUP Infrastructure Configuration

The process is explained in the video. It covers the following:

  1. WSUS
  2. SUP Installation log files
  3. Software Update Component Configuration – Classifications/Products
  4. Software Update Sync – Logfile WsyncMgr.log
  5. Selection of Patch/Software Update and Creation of Software Update Group
  6. Deployment of Software Update Group
  7. End-User Experience at Windows 10 1511 device
  8. What happened to WindowsUpdate.log??
  9. How to Speed up SCCM policy flow?
  10. Windows 10 SCCM Client-side logs – Reboot required? If yes reboot the Windows 10 1511 device

I would recommend reading Third-Party Patching Best Practices for an Organization guide for the non-Microsoft app patching process.


STEP 3: SCCM Patch Package Creation process

Let’s check the SCCM patch package creation process in this section of the post. The following are the high-level steps that you need to complete as part of the SCCM patch package or Software Update package creation process.

  • Prerequisites – New Software Update Patch Package Using SCCM
  • Select Patches & Create a Software Update Group
  • Create Software Update Group
  • Create a New Software Update Patch Package using SCCM
  • Specify the Distribution Points for this Software Update patch package
  • Automatically download content when packages are assigned to distribution points
  • Specify the updated language for products for SCCM Patching Guide
  • Download Updates from the Internet for the SCCM Patch Package
  • Logs PatchDownloader.Log to check the Download
  • Results – Software Update Package Creation
  • Deploy SCCM Patch Package to Windows 11 or Windows 10 devices
  • SCCM Patch Deployment Settings – Available | Required
  • SCCM Patch Deployment Schedule Options
  • SCCM Patching Guide – Alert Options for the Patch Deployment
  • SCCM Patching Process – Download Options
  • Results from SCCM Patch Deployment Process

I have explained the end-to-end process of SCCM software update patch package creation in the blog post linked below.

➡️How To Create Deploy New Software Update Patch Package Using SCCM | ConfigMgr

The following video explains the process – How to Create ADR Patching Client-Side Issues Application Creation Process Manual in SCCM.


Fix SCCM Patching Related Issues

The SCCM patching troubleshooting can also be very complex if you don’t understand the setup of Software Update or SCCM patching. You need to understand the entire patching process explained above as a first step.

There could be server-side and client-side issues that are related to SCCM patching or software updates. The following is the flow of things you need to check from the client side.

  1. UpdateStore.log to know the status of the updates?
  2. Updatedeployment.log – % of Download completed? Status = ciStateInstalling, PercentComplete = 16,
    1. added to the targeted list of deployment
    2. Progress: Status = ciStateDownloading, PercentComplete = 0, Result = 0x0
    3. Progress: Status = ciStateWaitInstall, PercentComplete = 0, DownloadSize = 0, Result = 0x0
    4. Progress: Status = ciStateInstalling, PercentComplete = 89, DownloadSize = 0, Result = 0x0
    5. Progress: Status = ciStateInstalling, PercentComplete = 100, DownloadSize = 0, Result = 0x0
    6. Progress: Status = ciStatePendingSoftReboot, PercentComplete = 0, DownloadSize = 0, Result = 0x0
    7. Progress: Status = ciStateInstallComplete, PercentComplete = 0, DownloadSize = 0, Result = 0x0
    8.  Job completion received.
  3. CCMSDKProvider.log – Get client agent settings…Getting reboot setting whether to show dialog instead of notification

1. Locationservices.log – Check whether it’s able to find WSUS Path= and Distribution Point with patches

2. WUAHandler.log to check whether the scan is completed or not

3. Updatedeployment.log – Check for the deadline of the assignment and Software Updates client configuration policy, DetectJob completion received for assignment, Added update (Site_, PercentComplete, etc…

4. Execmgr.log – Execution is complete for program Software Updates Program

5. RebootCoordinator.log – Reboot related things
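
The Progress lines quoted above from the update deployment log can be turned into a state timeline so that a non-zero Result stands out during troubleshooting. This is an added example, not part of the original guide: the function names, the sample array and the failing 0x80070005 line are constructed for illustration, and the input is treated as one stream even though a real log interleaves several updates.

```powershell
# Added example. Sample input is constructed: the first six lines are the
# Progress messages quoted in this guide; the last line (non-zero Result)
# is made up to show how a failure is surfaced.
$sample = @(
    'Progress: Status = ciStateDownloading, PercentComplete = 0, Result = 0x0'
    'Progress: Status = ciStateWaitInstall, PercentComplete = 0, DownloadSize = 0, Result = 0x0'
    'Progress: Status = ciStateInstalling, PercentComplete = 89, DownloadSize = 0, Result = 0x0'
    'Progress: Status = ciStateInstalling, PercentComplete = 100, DownloadSize = 0, Result = 0x0'
    'Progress: Status = ciStatePendingSoftReboot, PercentComplete = 0, DownloadSize = 0, Result = 0x0'
    'Progress: Status = ciStateInstallComplete, PercentComplete = 0, DownloadSize = 0, Result = 0x0'
    'Progress: Status = ciStateDownloading, PercentComplete = 40, Result = 0x80070005'
)

function Get-UpdateProgress {
    # Hypothetical helper: extracts Status / PercentComplete / Result from
    # each Progress message. The pattern is unanchored, so it also matches
    # when the message is embedded in a longer log line.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        $pattern = 'Progress:\s*Status\s*=\s*(?<Status>ciState\w+),' +
                   '\s*PercentComplete\s*=\s*(?<Pct>\d+)' +
                   '(?:,\s*DownloadSize\s*=\s*(?<Size>\d+))?' +
                   ',\s*Result\s*=\s*(?<Result>0x[0-9A-Fa-f]+)'
        $seq = 0
    }
    process {
        foreach ($l in $Line) {
            $m = [regex]::Match($l, $pattern)
            if (-not $m.Success) { continue }   # not a Progress message
            $seq++
            $result = $m.Groups['Result'].Value
            [pscustomobject]@{
                Seq             = $seq
                Status          = $m.Groups['Status'].Value
                PercentComplete = [int]$m.Groups['Pct'].Value
                Result          = $result
                # Any result other than 0x0 is treated as a failure to review.
                Failed          = ([Convert]::ToInt64($result, 16) -ne 0)
            }
        }
    }
}

function Get-UpdateProgressSummary {
    # Hypothetical helper: collapses repeated states into a transition chain
    # and collects the entries whose Result was not 0x0.
    param(
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [object[]]$Progress
    )
    if ($Progress.Count -eq 0) { return }
    $transitions = New-Object 'System.Collections.Generic.List[string]'
    foreach ($p in $Progress) {
        $last = $transitions.Count - 1
        if ($last -lt 0 -or $transitions[$last] -ne $p.Status) {
            $transitions.Add($p.Status)
        }
    }
    [pscustomobject]@{
        Transitions      = $transitions -join ' -> '
        LastStatus       = $Progress[$Progress.Count - 1].Status
        RebootWasPending = ($transitions -contains 'ciStatePendingSoftReboot')
        Failures         = @($Progress | Where-Object { $_.Failed })
    }
}

$progress = @($sample | Get-UpdateProgress)
Get-UpdateProgressSummary -Progress $progress | Format-List

# On a client, feed the real log instead. The path below is an assumption
# (default client log folder); adjust it for your environment:
# Get-Content 'C:\Windows\CCM\Logs\UpdatesDeployment.log' | Get-UpdateProgress
```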


Author

Anoop C Nair is a Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Video Tutorial How to Install SCCM CB Update Rollup via New Updates and Servicing channel ConfigMgr

This is a video tutorial that helps to understand the process of SCCM/ConfigMgr CB Update and Servicing. Learn how to install SCCM CB 1602 Update Rollup KB 3155482 via the new Updates and Servicing channel.

Today, Microsoft released a new Update Rollup KB 3155482 for SCCM CB 1602, which is already available in my LAB setup, as you can see in the video.

This is available under “\Administration\Overview\Cloud Services\Updates and Servicing”. There are no features in this update rollup for SCCM 1602!

How to Install SCCM CB 1602 Update Rollup via New Updates and Servicing channel

How to install the rollup? Right-click on the available update and complete the wizard. The update is already downloaded to C:\Program Files\Microsoft Configuration Manager\EasySetupPayload\59bca34e-df87-4041-b9b7-f53395849e81.

Following are the 3 logs you have to keep watching while updating the hotfix. 1) dmpdownloader.log 2) CMUpdate.log, and 3) hman.log.  

You can also check the status via the SCCM CB console “\Monitoring\Overview\Site Servicing Status”. In this video, you can see there was an error in the HMAN.log because it was not able to contact local AD, and that is very specific to my lab, so you can safely ignore that 😉

Install SCCM CB Update Rollup

I disabled my internet connection, and that resolved the issue of AD connectivity.

As you can see in the video, the update rollup has been installed successfully. Thank you for watching!

Resources

SCCM Video Tutorials For IT Pros – HTMD Blog #2 (howtomanagedevices.com)

SCCM Related Posts Real World Experiences Of SCCM Admins (anoopcnair.com)

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Create Deploy Custom Policies using OMA URI Configuration Manager SCCM ConfigMgr

I have created a video tutorial to help SCCM admins create custom policies in SCCM/ConfigMgr Current Branch using OMA DM/OMA URI.

Following are the topics covered in the video “How to Create and Deploy Custom Policies using OMA URI and SCCM CB Hybrid”.

1. How to create SCCM CB Configuration Items

2. How to create custom policies within  Configuration Items

3. How to create SCCM Configuration Baselines

4. How to Deploy Configuration Baselines to a user collection via MDM channel to Windows 10 device

5. How to troubleshoot on Windows 10 machine any issues related to MDM management

6. End user experience of Windows 10 after deploying the custom policies


SCCM Video Tutorial How to Create and Deploy Custom Policies using OMA URI and SCCM CB Hybrid

A few months ago, I created a blog post on this topic, and you can read that post here.


How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB

To manage iOS and Mac OS devices via Intune and Hybrid SCCM CB, we need an APNs cert.

In this video tutorial, we can see how to get the certs from Apple and how to upload them to SCCM CB for a hybrid solution.

You must have an Apple ID/user name and password to upload and download the certs for SCCM CB hybrid. More detailed videos are coming up on my YouTube channel. Subscribe here.

Following is the location and file where I saved the downloaded cert from the SCCM CB hybrid environment: C:\Users\anoop\Documents\Apple Cert\Apple_Cert_4_How_2_Manage.CSR


Go to the following Apple website:

https://identity.apple.com/pushcert/  

At the end of this process, you will be able to manage iOS and Mac OS devices via Microsoft Intune and/or an SCCM CB hybrid environment!


How to Sync On-Prem AD Users with Azure AD Intune ConfigMgr

Using Azure AD Connect, you can sync on-prem AD users’ identities/attributes and passwords to Azure AD. Azure AD Connect installation and configuration is very straightforward if we use express settings 🙂.

I have a video tutorial here that helps you understand the AAD connect configuration, How to enable MFA for Azure AD to join Windows 10 devices and Twitter app integration with Azure AD.

In this post, I will cover two other topics related to Azure AD (AAD) Sync.

  1. Where is the scheduled task that used to get created for Azure AD?
  2. How to Create a service connection point in on-premises Active Directory?
  3. Video Tutorial – How to Sync On-Prem AD User accounts With Azure AD

Windows 10 MDM devices can write back to on-prem AD; more details are available here. AAD Connect is mandatory for the write-back feature of Windows 10 devices.

Earlier versions of Azure AD Connect used the Windows Task Scheduler to schedule the Azure AD sync of on-prem objects and attributes. The latest version of Azure AD Connect has a sync engine built in. Hence we won’t find a scheduled task for AAD Connect.

The new default synchronization frequency is 30 minutes. We can view the AD Sync schedule using the PowerShell command “Get-ADSyncScheduler”; the parameters for changing it are documented here.


PS C:\Users\anoop\Desktop> Get-ADSyncScheduler

AllowedSyncCycleInterval            : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval         :
NextSyncCyclePolicyType             : Delta
NextSyncCycleStartTimeInUTC         : 26-05-2016 02:06:23
PurgeRunHistoryInterval             : 7.00:00:00
SyncCycleEnabled                    : True
MaintenanceEnabled                  : True
StagingModeEnabled                  : False

I was having trouble creating a service connection point in on-premises Active Directory. This service connection point is used to “Connect domain-joined devices to Azure AD for Windows 10 experiences”. I followed the documentation to configure the service connection points in on-prem AD but was getting stuck with the PowerShell commands. I ran the PowerShell commands as per the above documentation. However, no luck.

After that, I installed the appropriate version of the Windows Azure Active Directory Module for Windows PowerShell. Then I tried to run the following PowerShell commands, which worked like a champ!

PS C:\Users\anoop\Desktop> Connect-MsolService

PS C:\Users\anoop\Desktop> Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"

PS C:\Users\anoop\Desktop> Initialize-ADSyncDomainJoinedComputerSync

cmdlet Initialize-ADSyncDomainJoinedComputerSync at command pipeline position 1
Supply values for the following parameters:
AdConnectorAccount: nair\Anoop
AzureADCredentials
Initializing your Active Directory forest to sync Windows 10 domain joined computers to Azure AD.
Configuration Complete

How to Sync On-Prem AD Users accounts With Azure AD


How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments

We are going to look at 3 topics in this post.

1. How to create Compliance policies using Intune and SCCM CB Hybrid environment.

2. How to deploy Compliance policies and

3. Differences between the compliance policy settings !!

I have created a quick and dirty video tutorial to explain all these steps, and the video is embedded in this post as well 🙂 First and foremost, the compliance policies work along with Conditional Access policies.

To have permission to access corporate resources like Mails, SharePoint online, etc… the device must be compliant with the policies we set!  SCCM CB and Intune Compliance policies can be deployed only to users, not device collections or groups.

How to Create SCCM CB Hybrid Compliance Policy?

As you can see in the following picture, in SCCM CB we can specify the type of compliance policy that we want to create. There are two options: 1. Compliance rules for devices managed with SCCM clients 2. Compliance rules for devices managed without SCCM clients (MDM clients etc.).

Moreover, it gives the granularity to select the different device platforms like Windows 8.1, Windows 10 mobile, iOS, Android and KNOX, etc. This is a very useful option in SCCM CB Hybrid compliance settings! The steps to create an SCCM CB compliance policy are explained in the video tutorial above.


How to create a Compliance Policy using Intune?

As you must have noticed, there is one general compliance policy for all the platforms. There is no option to create different compliance policies for different device platforms like iOS, Android, and Windows.

Yes, in Intune compliance policies, we don’t have the option to select a specific OS platform.

The three common segregations available are:

1. System Security

2. Device Health and

3. Device Properties.

All the steps to create an Intune compliance policy are explained in the video tutorial above.


How to Deploy Compliance Policies using SCCM CB Hybrid?

Yes, compliance policies can be deployed only to User Collections, not to device collections in SCCM. There are no DEVICE Collections in the drop-down menu! Yes, this makes sense because compliance policies are associated with conditional access policies in BYOD and CYOD scenarios.

And another point is the granularity that SCCM CB provides in terms of Compliance rules/policy evaluation schedule. You can change the Compliance policies evaluation schedule !!! By default SCCM CB compliance policy evaluation schedule is 23 hours. You can change and customize it according to your needs. The steps to deploy the SCCM compliance policy are explained in the video tutorial above.


How to deploy compliance policy using Intune?

Yes, compliance policies can be deployed only to User Groups in Intune, not device groups. Moreover, there is no granularity given in the scheduling of the compliance policies if you compare it with SCCM CB. Rather, Intune provides global settings for all the compliance policies we create for that tenant.

Check out the Intune compliance policy settings… what is that? It’s the compliance status validity period… Nice! It’s a global setting – we can’t specify 31 days for one compliance setting and 20 days for another compliance setting! All the steps to deploy an Intune compliance policy are explained in the video tutorial above.


Difference Between Intune vs SCCM CB Hybrid Compliance Policies

Following are the differences that I have noticed in Intune vs SCCM CB Hybrid Compliance Policies:

– There is no option to select a specific supported platform in Intune. However, with SCCM CB, we can create platform-specific compliance policies.


– There is no Granularity in Deploy Scheduling options with Intune. However, many more scheduling options are available for SCCM CB compliance policies.


Outcome/Result of Compliance policies – Windows 10 device

Following is an example of a Windows 10 machine that is AAD and MDM joined, but it’s not in compliance. The device encryption is not enabled on the Windows 10 machine.


Following is an example of a Windows 10 device that is compliant with the policies which an organization set. Once Windows 10 is compliant, the user can access corporate mail and other resources.
