
Deploy Windows 11 Updates using SCCM / Configuration Manager


In this article we are going to learn how to deploy Windows 11 updates with SCCM / Configuration Manager / MEMCM, using either an Automatic Deployment Rule (ADR) or a Software Update Group (SUG).

Once you’re managing Windows 11 devices using SCCM / ConfigMgr, you can deploy Windows 11 updates to protect them against the latest security flaws.

Before you can distribute security updates for Windows 11 in Configuration Manager, you need to make sure that you’re syncing Windows 11 security patches.

When Windows 11 updates appear in the SCCM console, you can manually create a Windows 11 Software Update Group or create an ADR for Windows 11 that automatically deploys Windows 11 updates every month (recommended).

Include Windows 11 in the Software Update Point as a Product to sync

  • In the SCCM console, go to “Administration \ Overview \ Site Configuration \ Sites“.
  • Select “Configure Site Components“.
  • Select “Software Update Point“.
  • In the “Products” tab, choose Windows 11 and apply changes.
Configuration Manager – Software Update Point Component Properties – Products – Windows 11

Now that Windows 11 has been added to the Product list of your Software Update Point, the internal WSUS will sync Windows 11 patches and they will appear in the SCCM console. You can force update synchronization in “Software Library \ Overview \ Software Updates \ All Software Updates \ Synchronize Software Updates”.

Force Update Synchronization in SCCM / Configuration Manager

In case the updates you want to include don’t appear, you can manually import updates into WSUS and SCCM.

Create a Windows 11 Software Update Group in SCCM / Configuration Manager

  • In the SCCM console, go to “Software Library \ Overview \ Software Updates \ All Software Updates“.
  • On the right side, click “Add Criteria” and check “Expired, Product and Superseded“.
  • Fill in the fields as follows:
    • Expired: No
    • Product: Windows 11
    • Superseded: No
  • Select only the security patches you want to deploy and right-click “Create Software Update Group“.
  • Follow the wizard to create the Software Update Group.
  • Once finished, you can deploy updates from “Software Library \ Overview \ Software Updates \ Software Update Groups“.
Windows 11 – Create Software Update Group – Criteria

Create Windows 11 Automatic Deployment Rule (ADR) in SCCM / Configuration Manager

  • In the SCCM console, go to “Software Library \ Overview \ Software Updates \ Automatic Deployment Rules“.
  • Click “Create Automatic Deployment Rule“.
  • A wizard will open, in the “General” window choose the following options:
    • Name: ADR Windows 11
    • Template: Patch Tuesday
    • Collection: Specify a collection that includes Windows 11 devices.*
  • Check the following options and click “Next“:
    • Create a new Software Update Group
    • Enable the deployment after this rule is run
SCCM ADR – Windows 11 – General
  • In the “Deployment Settings” tab, choose the following options:
    • Type of deployment: Available or Required. Because these are security updates, Required is recommended.
    • Detail level: All messages. So you get all the detail in case of error.
    • Check “Automatically deploy all software updates found by this rule, and approve any license agreements“.
  • Click “Next“:
SCCM ADR – Windows 11 – Deployment Settings
  • In the “Software Updates” tab, I recommend specifying the following search criteria:
    • Date Released or Revised: Last 1 month.
    • Product: Windows 11.
    • Superseded: No.
    • Update Classification: “Critical Updates” OR “Security Updates” OR “Updates”.
    • If you only have one architecture, it is recommended to specify it with “Architecture”.
  • Click on “Preview” to check the security patches that this search would find:
SCCM ADR – Windows 11 – Search criteria
  • Check that the security patches are correct and click “Close” and “Next“:
SCCM ADR – Windows 11 – Preview Updates
  • In the “Evaluation Schedule” tab, check “Run the rule on a schedule” and choose:
    • Recurrence pattern: Monthly.
    • Recur every: The Second Tuesday
    • Offset (days): 1
  • This will automatically run the ADR 1 day after the day the patches are released. In my case I specify that it runs at 10:30 AM so that the patches appear during the first hours of the first working day after their release.
SCCM ADR – Windows 11 – Evaluation Schedule – Custom Schedule
  • In the “Deployment Schedule” tab you must choose two factors:
    • Software available time: When the patches will be available to this collection of computers, once the ADR is run. In this case, as soon as possible.
    • Installation deadline: When the patches will be installed on a mandatory basis, once the “Software available time” is finished. In this case, 2 days after they are available.
  • Click “Next“:
SCCM ADR – Windows 11 – Deployment Schedule
  • In the “User Experience” tab, you can specify the user experience options you want for your computers. My recommendations:
    • Deadline behavior: Software Update Installation. In case there are computers with a configured maintenance window.
    • Device restart behavior: Servers. There should be no Windows 11 servers, but that’s how we double check.
    • Commit changes at deadline or during a maintenance window (requires restarts). For Windows Embedded computers, if any.
    • If any update in this deployment requires a system restart, run updates deployment evaluation cycle after restart. In this way, the Windows 11 device will upload inventory and report as updated after the mandatory restart of the security patch.
SCCM ADR – Windows 11 – User Experience
  • In the “Alerts” tab, you can configure that SCCM notifies you when the ADR fails or when specific conditions are met. My recommendations are:
    • Generate an alert when this Rule fails: To alert us if the ADR is not running correctly.
    • Generate an alert when the following conditions are met. Client compliance is below the following percent: 90.
    • Offset from the deadline: 7 Days.
  • SCCM will notify you if the ADR does not run or if after 7 days 90% of Windows 11 computers have not been updated. Prompts appear when you open Configuration Manager.
SCCM ADR – Windows 11 – Alerts
  • In the “Deployment Package” tab, you must create the package that will contain the Windows 11 updates to be deployed. My recommendations:
    • Choose “Create a new deployment package” to make an exclusive package of Windows 11 updates in SCCM.
    • Name: Windows 11 Updates
    • Package source: path where the patches will be stored.
  • Leave the rest of the default options and click on “Next“:
SCCM ADR – Windows 11 – Create Deployment Package
  • Note: If you have Windows 11 devices that are used for teleworking or have direct access to the Internet, you can check “No deployment package”. In this way, Windows 11 computers will download the updates from Microsoft servers.
  • In the “Distribution Points” tab, add with “Add” the Distribution Points of your SCCM and click “Next“:
SCCM ADR – Windows 11 – Distribution Points
  • If you have access to the Internet, in the “Download Location” tab choose “Download software updates from the Internet” and click on “Next”:
SCCM ADR – Windows 11 – Download Location
  • In the “Language Selection” tab, you can add the additional languages that your Windows 11 computers have. In case you do not put all the necessary languages, the distribution of Windows 11 updates may fail on some computers due to lack of files (languages):
SCCM ADR – Windows 11 – Language Selection
  • In the “Download Settings” tab, choose how Windows 11 computers will behave when downloading. Recommendations:
    • Download software updates from distribution point and install: This will download and install updates whenever there is a Distribution Point nearby.
    • Download and install software updates from the distribution points in the site default boundary group: This will download and install updates from a Distribution Point even if it is not on its boundary.
    • If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates: If no Distribution Point is available, the content will be downloaded from the Microsoft Updates servers.
    • Additionally, you can check “Allow clients on a metered Internet connection to download content after the installation deadline, which might incur additional costs”. In this way, computers that are always on a mobile connection will also be updated.
  • When finished, click on “Next“:
SCCM ADR – Windows 11 – Download Settings
  • Confirm in “Summary” that the Windows 11 ADR settings are correct and click “Next“:
SCCM ADR – Windows 11 – Summary

After a few seconds, the Windows 11 ADR should be created in SCCM and you can click “Close“:

SCCM ADR – Windows 11 – Completion
  • If you need to run the ADR right away, you can right-click it and choose “Run Now” to run the ADR and deploy the patches.
SCCM ADR – Windows 11 – Run Now
  • It will automatically run as often as we have configured it and SCCM will notify us in case of error.
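
The settings chosen in the “Evaluation Schedule”, “Deployment Schedule” and “Alerts” tabs above add up to a fixed timeline each month. The following PowerShell is an added example (not part of the original article and not Configuration Manager's own code) that computes that timeline; the function names are hypothetical, and it assumes “as soon as possible” availability coincides with the ADR run time.

```powershell
# Added example: timeline produced by the ADR settings described in the article
# (second Tuesday, offset 1 day, 10:30 run, 2-day deadline, alert 7 days after deadline).
function Get-NthWeekday {
    param([int]$Year, [int]$Month, [DayOfWeek]$Day, [int]$Nth)
    $first = [datetime]::new($Year, $Month, 1)
    # Days from the 1st of the month to the first occurrence of $Day (0..6)
    $shift = (([int]$Day - [int]$first.DayOfWeek) + 7) % 7
    $first.AddDays($shift + 7 * ($Nth - 1))
}

function Get-AdrTimeline {
    param(
        [int]$Year,
        [int]$Month,
        [int]$OffsetDays      = 1,        # "Offset (days): 1"
        [timespan]$RunTime    = '10:30',  # run time chosen in the article
        [int]$DeadlineDays    = 2,        # deadline 2 days after availability
        [int]$AlertOffsetDays = 7         # "Offset from the deadline: 7 Days"
    )
    $release  = Get-NthWeekday -Year $Year -Month $Month -Day Tuesday -Nth 2
    $run      = $release.AddDays($OffsetDays).Add($RunTime)
    # Assumption: updates become available at the moment the ADR runs
    $deadline = $run.AddDays($DeadlineDays)
    $fmt      = 'ddd yyyy-MM-dd HH:mm'
    [pscustomobject]@{
        PatchTuesday    = $release.ToString($fmt)
        AdrRun          = $run.ToString($fmt)
        Deadline        = $deadline.ToString($fmt)
        ComplianceAlert = $deadline.AddDays($AlertOffsetDays).ToString($fmt)
        # Time a device can stay unpatched between release and enforced install
        ExposureDays    = [math]::Round(($deadline - $release).TotalDays, 1)
        SecondWednesday = (Get-NthWeekday -Year $Year -Month $Month -Day Wednesday -Nth 2).ToString($fmt)
    }
}

# November 2023 starts on a Wednesday, so its second Wednesday (the 8th) falls
# before Patch Tuesday (the 14th). "Second Tuesday + 1 day" still gives the 15th.
Get-AdrTimeline -Year 2023 -Month 11
Get-AdrTimeline -Year 2023 -Month 12
```

The `SecondWednesday` column shows why the rule uses “The Second Tuesday” with an offset of 1 rather than “The Second Wednesday”: in months that begin on a Wednesday, the second Wednesday comes before the patches are released.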

Troubleshooting Windows 11 ADR errors in SCCM

In case the execution of the Windows 11 ADR fails, we can see what is happening in the log “ruleengine.log“. This log is located in the Configuration Manager installation folder, in the “Logs” folder. In my case the path is “D:\Program Files\Microsoft Configuration Manager\Logs\ruleengine.log”.


The log ruleengine.log records all the steps performed by the ADR: identification of patches, downloading content, creating the Software Update Group and creating the deployment. Here’s a guide to troubleshooting Automatic Deployment Rule download failed errors.
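
To pull only the failing steps out of ruleengine.log, the following PowerShell can be used. It is an added example, not part of the original article; the function names are hypothetical, the log line layout is an assumption stated in the comments, and the sample lines are constructed.

```powershell
# Added example. Assumption: ruleengine.log uses the site-server text layout
#   <message>  $$<COMPONENT><MM-dd-yyyy HH:mm:ss.fff+bias><thread=N (0xHEX)>
# The three lines below are constructed samples, not output from a real site.
$sampleLog = @'
Evaluating rule ADR Windows 11 (constructed sample)  $$<SMS_RULE_ENGINE><11-15-2023 10:30:02.114+000><thread=4312 (0x10D8)>
Failed to download content for the rule (constructed sample)  $$<SMS_RULE_ENGINE><11-15-2023 10:31:47.902+000><thread=4312 (0x10D8)>
Rule evaluation finished with errors (constructed sample)  $$<SMS_RULE_ENGINE><11-15-2023 10:31:48.005+000><thread=4312 (0x10D8)>
'@ -split "`r?`n"

$pattern = '^(?<Message>.*?)\s*\$\$<(?<Component>[^>]+)>' +
           '<(?<Stamp>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})[^>]*>' +
           '<thread=(?<Thread>\d+)'

function ConvertFrom-SiteServerLog {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Time      = [datetime]::ParseExact($Matches.Stamp, 'MM-dd-yyyy HH:mm:ss.fff',
                                [cultureinfo]::InvariantCulture)
                Component = $Matches.Component
                Thread    = [int]$Matches.Thread
                Message   = $Matches.Message
            }
        }
        elseif ($Line.Trim()) {
            # Continuation line or unknown layout: keep it so nothing is silently dropped
            [pscustomobject]@{ Time = $null; Component = $null; Thread = $null; Message = $Line }
        }
    }
}

function Get-AdrFailure {
    param([string[]]$Line, [string]$Keyword = 'fail|error|denied|timed out')
    # -match is case-insensitive, so "Failed" and "errors" are both caught
    $Line | ConvertFrom-SiteServerLog | Where-Object { $_.Message -match $Keyword }
}

# Returns the second and third constructed lines
Get-AdrFailure -Line $sampleLog | Format-Table Time, Thread, Message -AutoSize

# On the site server, with the path given in the article:
# Get-AdrFailure -Line (Get-Content 'D:\Program Files\Microsoft Configuration Manager\Logs\ruleengine.log')
```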

Install Windows 11 Updates in Software Center

Whether we have deployed Windows 11 updates as an SUG or with ADR, the updates will appear in the Software Center whenever we have decided to show them.

SCCM – Software Center – Windows 11 Updates

If the deadline (indicated in “Status”) arrives or you install the updates by clicking Install, the Software Center will notify the user that they must restart the computer:

SCCM – Software Center – Restart

Monitoring Windows updates in SCCM

Finally, in the Configuration Manager console, you can see what status Windows updates are in. See the deployment in “Monitoring \ Overview \ Deployments”:

SCCM - Deployments Monitoring

You can also see how many computers in your SCCM require the patch or not in “Software Library \ Overview \ Software Updates \ Software Update Groups” by selecting the SUG you have created (either manually or using the ADR):

SCCM - Software Update Groups

With this, your Windows 11 devices will be updated every month and protected against the latest security flaws. Any questions or suggestions can be left in the comments.

Nando Corzo

Passionate about IT and Microsoft technologies with more than 5 years of experience in complex environments (Banking, Congresses and Public Services). Exploring and learning about Modern Workplace every day. I write about SCCM, Windows, Microsoft Intune, Hyper-V, etc...

One Comment

  1. windows 11 23h2 monthly security cumulative update patch size is big and content information shows multiple patches (streaming files) . how to get only monthly security cumulative update patch
