In this article we are going to learn how to deploy Windows 11 Updates with SCCM / Configuration Manager / MEMCM using ADR or SUG.
Once you’re managing Windows 11 devices using SCCM / ConfigMgr, you can deploy Windows 11 updates to be protected from the latest security flaws.
Before you can distribute security updates for Windows 11 in Configuration Manager, you need to make sure that you’re syncing Windows 11 security patches.
When Windows 11 updates appear in the SCCM console, you can manually create a Windows 11 Software Update Group or create an ADR for Windows 11 that automatically deploy Windows 11 updates every month (recommended).
TL;DR
Include Windows 11 in the Software Update Point as a Product to sync
- In the SCCM console, go to “Administration \ Overview \ Site Configuration \ Sites“.
- Select “Configure Site Components“.
- Select “Software Update Point“.
- In the “Products” tab, choose Windows 11 and apply changes.
Now that Windows 11 has been added to the Product list of your Software Update Point, the internal WSUS will sync Windows 11’s patches and appear in the SCCM console. You can force update synchronization in “Software Library \ Overview \ Software Updates \ All Software Updates \ Synchronize Software Updates“
In case the updates you want to include don’t appear, you can manually import updates into WSUS and SCCM.
Create a Windows 11 Software Update Group in SCCM / Configuration Manager
- In the SCCM console, go to “Software Library \ Overview \ Software Updates \ All Software Updates“.
- On the right side, click “Add Criteria” and check “Expired, Product and Superseded“.
- Fill in the fields as follows:
- Expired: No
- Product: Windows 11
- Superseded: No
- Select only the security patches you want to deploy and right-click “Create Software Update Group“.
- Follow the wizard to create the Software Update Group.
- Once finished, you can deploy updates from “Software Library \ Overview \ Software Updates \ Software Update Groups“.
Create Windows 11 Automatic Deployment Rule (ADR) in SCCM / Configuration Manager
- In the SCCM console, go to “Software Library \ Overview \ Software Updates \ Automatic Deployment Rules“.
- Click “Create Automatic Deployment Rule“.
- A wizard will open, in the “General” window choose the following options:
- Name: ADR Windows 11
- Template: Patch Tuesday
- Collection: Specify a collection that includes Windows 11 devices.*
- Note*: If you don’t have a collection created for Windows 11 devices, here’s a guide to create a device collection of Windows 11 devices in SCCM.
- Check the following options and click “Next“:
- “Create a new Software Update Group“.
- “Enable the deployment after this rule is run“
- In the “Deployment Settings” tab, choose the following options:
- Type of deployment: Available or Required. As security updates, it is recommended that they be Required.
- Detail level: All messages. So you get all the detail in case of error.
- Check “Automatically deploy all software updates found by this rule, and approve any license agreements“.
- Click “Next“:
- In the “Software Updates” tab, I recommend specifying the following search criteria:
- Date Released or Revised: Last 1 month.
- Product: Windows 11.
- Superseded: No.
- Update Classification: “Critical Updates” OR “Security Updates” OR “Updates”.
- If you only have one architecture, it is recommended to specify with “Architecture“.
- Click on “Preview” to check the security patches that this search would find:
- Check that the security patches are correct and click “Close” and “Next“:
- In the “Evaluation Schedule” tab, check “Run the rule on a schedule” and choose:
- Recurrence pattern: Monthly.
- Recur every: The Second Tuesday
- Offset (days): 1
- This will automatically run the ADR 1 day after the day the patches are released. In my case I specify that it runs at 10:30 AM so that the patches appear during the first hours of the first working day after their release.
- In the “Deployment Schedule” tab you must choose two factors:
- Software available time: When the patches will be available to this collection of computers, once the ADR is run. In this case, as soon as possible.
- Installation deadline: When the patches will be installed on a mandatory basis, once the “Software available time” is finished. In this case, 2 days after they are available.
- Click “Next“:
- In the “User Experience” tab, you can specify the user experience options you want for your computers. My recommendations:
- Deadline behavior: Software Update Installation. In case there are computers with a configured maintenance window.
- Device restart behavior: Servers. There should be no Windows 11 servers, but that’s how we double check.
- Commit changes at deadline or during a maintenance windows (requires restarts). For Windows Embedded computers if any.
- If any update in this deployment requires a system restart, run updates deployment evaluation cycle after restart. In this way, the Windows 11 device will upload inventory and report as updated after the mandatory restart of the security patch.
- In the “Alerts” tab, you can configure that SCCM notifies you when the ADR fails or when specific conditions are met. My recommendations are:
- Generate an alert when this Rule fails: To alert us if the ADR is not running correctly.
- Generate an alert when the following conditions are met. Client compliance is below the following percent: 90.
- Offset from the deadline: 7 Days.
- SCCM will notify you if the ADR does not run or if after 7 days 90% of Windows 11 computers have not been updated. Prompts appear when you open Configuration Manager.
- In the “Deployment Package” tab, you must create the package that will contain the Windows 11 updates to be deployed. My recommendations:
- Choose “Create a new deployment package” to make an exclusive package of Windows 11 updates in SCCM.
- Name: Windows 11 Updates
- Package source: path where the patches will be stored.
- Leave the rest of the default options and click on “Next“:
- Note: If you have Windows 11 devices in teleworking or direct access to the Internet, you can check “No deployment package“. In this way, Windows 11 computers will download the updates from Microsoft servers.
- In the “Distribution Points” tab, add with “Add” the Distribution Points of your SCCM and click “Next“:
- In case of having access to the Internet, in the “Download Location” tab choose “Download software updates from the Internet” and click on “Next“:
- In the “Language Selection” tab, you can add the additional languages that your Windows 11 computers have. In case you do not put all the necessary languages, the distribution of Windows 11 updates may fail on some computers due to lack of files (languages):
- In the “Download Settings” tab, choose how Windows 11 computers will behave when downloading. Recommendations:
- Download software updates from distribution point and install: This will download and install updates whenever there is a Distribution Point nearby.
- Download and install software updates from the distribution points in the site default boundary group: This will download and install updates from a Distribution Point even if it is not on its boundary.
- If software updates are not available on distribution point in current, neightbor or site boundary groups, download content from Microsoft Updates: If no Distribution Point is available, it will be downloaded from the Microsoft Updates servers.
- Additionally, you can check “Allow clients on a metered Internet connection to download content after the installation deadline, which might incur additional costs“. In this way, computers that are always with a mobile connection will also be updated.
- When finished, click on “Next“:
- Confirm in “Summary” that the Windows 11 ADR settings are correct and click “Next“:
After a few seconds, the Windows 11 ADR should be created in SCCM and you can click “Close“:
- In case you need to run the ADR already, you can right-click and choose “Run Now” to run the ADR and deploy the patches.
- It will automatically run as often as we have configured it and SCCM will notify us in case of error.
Troubleshooting ADR error Windows 11 in SCCM
In case the execution of the Windows 11 ADR fails, we can see what is happening in the log “ruleengine.log“. This log is located in the Configuration Manager installation folder, in the “Logs” folder. In my case the path is “D:\Program Files\Microsoft Configuration Manager\Logs\ruleengine.log”.
The log ruleengine.log records all the steps performed by the ADR: identification of patches, downloading content, creating the Software Update Group and creating the Deploy. Here’s a guide to troubleshooting Automatic Deployment Rule download failed errors.
Install Windows 11 Updates in Software Center
Whether we have deployed Windows 11 updates as an SUG or with ADR, the updates will appear in the Software Center whenever we have decided to show them.
If the deadline (indicated in “Status”) arrives or you install the updates by clicking Install, the Software Center will notify the user that must restart the computer:
Monitoring Windows updates in SCCM
Finally, in the Configuration Manager console, you can see what status Windows updates are in. See the deploy in “Monitoring \ Overview \ Deployments“:
You can also see how many computers in your SCCM require the patch or not in “Software Library \ Overview \ Software Updates \ Software Update Groups” by selecting the SUG you have created (either manually or using the ADR):
With this, you will already be updating your Windows 11 and safe against monthly security flaws. Any questions or suggestions can be left in the comments.