SCCM updates procedure for servers
SCCM update | patch procedure for Windows servers
Today I will describe how I do my monthly server updates with SCCM in my environment.
First, let's discuss the update process. An action like a server update is always related to a collection of devices, in our case some servers. Always keep in mind that you need to have ALWAYS two environments, testing and production. Many companies structure their infrastructure in more categories/collections: testing, prod A, prod B, prod C, etc. It's better to have members of the same cluster in different categories. If you have several servers for the same role, like Active Directory, cluster nodes, etc., split them across different collections. If something goes wrong, only a part of the servers will be affected and the services stay online. For more details about how to apply the updates, see the article Software Updates Strategy. See also Maintenance Windows concept explained.
1) Create a collection:
a) Go to SCCM console -> Overview -> Assets and Compliance -> Device Collections -> from the ribbon, Create Device Collection
i) In the General tab enter your collection name and select the limiting collection; in my case I use as limiting collection all servers with the SCCM client installed
ii) Membership rules. It's a static collection, so we will add the members manually later. Ignore the warning
iii) Next, Next and Finish :)
2) Add a server to this collection
a) Go to Assets and Compliance -> Overview -> Devices. In the Search field type the name of your server. Right click on it and select Add Selected Items to Existing Device Collection, then select your device collection. For software updates we can only use device collections; user collections are not allowed.
3) Create a maintenance window to apply the server updates with SCCM
a) Right click on the collection that contains the servers -> Properties -> Maintenance Windows tab, and select create new (gold star).
b) Set the name, time interval, recurrence interval, etc. In my case it is the second Friday of each month.
4) Select the desired updates and create a SUG (Software Update Group).
a) Go to Software Library -> Overview -> Software Updates -> All Software Updates. In Search you have a button Add Criteria. Once you have built a search it's recommended to save it and reuse it later. In my case I made a criteria for all Windows servers, security updates only, without .NET: these are dev servers and it's not allowed to modify the .NET version, Internet Explorer, etc.
b) Select the desired updates, right click and select Create Software Update Group. Name that group, for example Servers security update May.
c) Go to the SUGs, under All Software Update Groups, right click and select Download. Select a package. I like to have only one package for all PC updates, including Office, IE, etc., and one for servers for security, critical, etc. It's easier to maintain on the Distribution Point. Select the proper settings for your language, download settings, etc.
d) Once the download is finished you need to deploy this SUG to a specific collection, so right click on the SUG and select Deploy.
i) On General, enter a name and description and select the proper collection for the deployment
ii) For the type of deployment select Required. Required is mandatory, the user can't stop the process; with Available the user will see that these updates are available and can choose what to install and when. Most of the time I use Required. For PCs and servers that are in a development environment, where software versions are very restricted, I use Available and the developer chooses what to install.
iii) Select when to make it available. For servers you need a specific maintenance window with a very short restart countdown. The restart countdown is specified in the SCCM client settings applied to the server collection.
On this page we have 2 important details: Software available time and Installation deadline.
(1) Software available time. Usually I use As soon as possible. That means the updates are available immediately and users and servers will detect that new updates are available. With this setting, plus the installation deadline and the maintenance window, you can choose when the updates will be installed. So in my case I create a period of 7 days when the updates are available. In these 7 days all the servers will show to any admin connected that new updates are available. For some special servers you can choose to install these updates manually; if nobody installs them during this "available" week, at the end of the installation deadline the SCCM agent will go and install the updates. If in the next step we choose to install outside the maintenance window, the updates will be executed immediately; if you don't select install outside the maintenance window, the SCCM agent will wait for the maintenance window. If you don't have a maintenance window set up, the default one is from 22:00 to 05:00. Usually I set the deadline to finish a few hours before the maintenance window.
(2) Specific time. When the SCCM agent will go and execute this update. This setting is affected by the maintenance window, or by whether you chose in Deadline behaviour (User Experience) to execute outside the maintenance window.
iv) User Experience.
(1) Select Deadline behaviour: whether or not to run outside the maintenance window, and whether or not to start the restart process outside the maintenance window. Normally I don't force installation outside the maintenance window. I do that on my test machines when I don't want to wait and I want to install immediately. In that case I also choose Installation Deadline: immediately on the Scheduling page
(2) Device restart behaviour: whether to suppress the restart. Normally I don't use this option because I want the update process to complete with a restart.
(3) Alerts: most of the time I keep the defaults.
(4) Download settings: usually I use the default settings
(5) Summary: here you can save this deployment as a template
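The whole procedure above (collection, direct membership, maintenance window, SUG, download and Required deployment) can also be driven from the ConfigurationManager PowerShell module that ships with the SCCM console. The script below is an added example and is not from the original post; the site code `PS1`, the collection, package and server names are placeholders, and the deployment package is assumed to already exist.

```powershell
# Added example (not part of the original post): console steps 1-4 via the
# ConfigurationManager module. Site code, collection, package and server names
# are placeholders; the deployment package must already exist.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'   # placeholder: your site code followed by a colon

$collName = 'Servers - Patch Group B'                           # placeholder collection
$sugName  = "Servers security update $(Get-Date -Format 'MMMM')"   # e.g. "... May"
$pkgName  = 'Servers - Security Updates'                        # placeholder existing package

# 1) Static device collection, limited to systems that already have the SCCM client
$coll = Get-CMDeviceCollection -Name $collName
if (-not $coll) {
    $coll = New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems'
}

# 2) Direct membership rules; keep nodes of one cluster in different collections
foreach ($srv in @('SRV-DC01', 'SRV-APP01')) {                  # placeholder server names
    $dev = Get-CMDevice -Name $srv
    if ($dev) {
        Add-CMDeviceCollectionDirectMembershipRule -CollectionName $collName -ResourceId $dev.ResourceID
    } else {
        Write-Warning "$srv has no SCCM client record, skipping"
    }
}

# 3) Maintenance window: second Friday of each month, 02:00 for 3 hours, updates only
$mwStart = Get-Date -Hour 2 -Minute 0 -Second 0
$mwSched = New-CMSchedule -Start $mwStart -DayOfWeek Friday -WeekOrder Second `
           -DurationInterval Hours -DurationCount 3
New-CMMaintenanceWindow -CollectionName $collName -Name 'Monthly server patching' `
    -Schedule $mwSched -ApplyTo SoftwareUpdatesOnly

# 4a) Equivalent of the saved search: security updates for Windows Server,
#     not expired or superseded, excluding .NET
$updates = Get-CMSoftwareUpdate -Fast -CategoryName 'Security Updates' `
               -IsExpired $false -IsSuperseded $false -DatePostedMin (Get-Date).AddDays(-30) |
           Where-Object { $_.LocalizedDisplayName -like '*Windows Server*' -and
                          $_.LocalizedDisplayName -notlike '*.NET*' }

# 4b) Software Update Group from the CI_IDs of the selected updates
$sug = New-CMSoftwareUpdateGroup -Name $sugName -UpdateId $updates.CI_ID

# 4c) Download the content into the existing server package
Save-CMSoftwareUpdate -SoftwareUpdateGroupName $sugName -DeploymentPackageName $pkgName

# 4d) Required deployment: available now, deadline 7 days out at 01:00 (one hour
#     before the window), no install or restart outside the maintenance window,
#     restart not suppressed so the update cycle completes with a reboot
$deadline = (Get-Date).AddDays(7).Date.AddHours(1)
New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $sugName -CollectionName $collName `
    -DeploymentName "$sugName - $collName" -DeploymentType Required `
    -AvailableDateTime (Get-Date) -DeadlineDateTime $deadline -TimeBasedOn LocalTime `
    -UserNotification DisplayAll -SoftwareInstallation $false -AllowRestart $false `
    -RestartServer $false
```

Run it from a console host that has the SCCM admin console installed. `-SoftwareInstallation $false` and `-AllowRestart $false` correspond to leaving both Deadline behaviour boxes unchecked, and `-RestartServer $false` means the server restart is not suppressed; for a test collection where you want the install immediately, set `-SoftwareInstallation $true` and a deadline of `(Get-Date)`.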
· The server will check the policy every 60 minutes. It will discover the updates from SCCM and start to download them
· Once it has downloaded all the updates, it will schedule a task to install them at the installation deadline, in our case 01 AM
· In User Experience we don't force the install outside the maintenance window, so it will wait for the first maintenance window at 02 AM
· A human operator needs to check the servers, all or a random sample, to see if they are online and everything runs properly
How to check if everything is fine
· The collections have the right deployments and the deadline is set up correctly
· Check the maintenance windows for that collection
· Software updates are available
· Check if the updates are scheduled and visible
· Check if the updates are already downloaded in ccmcache (c:\WINDOWS\ccmcache)
· Check the SCCM update log UpdatesHandler.log, stored in C:\windows\ccm\logs
· Check the Windows Update log WindowsUpdate.log, stored in C:\Windows\
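The checklist above can be run as a script: the first part queries the site for the deployments and maintenance windows of the collection, the second part asks each server's SCCM client what it knows about the updates, its service windows, the ccmcache content and the logs. This is an added example, not from the original post; the site code, collection and server names are placeholders, and the evaluation-state and service-window-type codes are the client SDK values as I know them, used here only to print readable labels.

```powershell
# Added example (not part of the original post): the "how to check" list as a
# script. Site code, collection and server names are placeholders.
param(
    [string]   $SiteCode   = 'PS1',                        # placeholder site code
    [string]   $Collection = 'Servers - Patch Group B',    # placeholder collection
    [string[]] $Servers    = @('SRV-DC01', 'SRV-APP01')    # placeholder servers
)

# --- Site side: deployments, deadlines and maintenance windows of the collection ---
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$SiteCode`:"
"== Deployments targeted at '$Collection' =="
Get-CMSoftwareUpdateDeployment -CollectionName $Collection |
    Select-Object AssignmentName, StartTime, EnforcementDeadline, SuppressReboot |
    Format-Table -AutoSize
"== Maintenance windows on '$Collection' =="
Get-CMMaintenanceWindow -CollectionName $Collection |
    Select-Object Name, StartTime, Duration, IsEnabled | Format-Table -AutoSize
Pop-Location

# --- Client side: what each server's SCCM agent sees ---
$clientCheck = {
    # CCM_SoftwareUpdate.EvaluationState codes (client SDK values, labelled for readability)
    $state = @{ 0='None'; 1='Available'; 2='Submitted'; 3='Detecting'; 4='PreDownload';
                5='Downloading'; 6='WaitInstall'; 7='Installing'; 8='PendingSoftReboot';
                9='PendingHardReboot'; 10='WaitReboot'; 11='Verifying'; 12='InstallComplete';
                13='Error'; 14='WaitServiceWindow' }
    $r = [ordered]@{ Server = $env:COMPUTERNAME }

    # Updates the agent has received, with their state and deadline ("scheduled and visible")
    $upd = Get-CimInstance -Namespace root\ccm\ClientSDK -ClassName CCM_SoftwareUpdate
    $r.Updates = @($upd | ForEach-Object {
        '{0} [{1}] deadline {2}' -f $_.ArticleID, $state[[int]$_.EvaluationState], $_.Deadline
    }) -join '; '

    # Service windows as computed by the client (type 4 = software updates window)
    $r.ServiceWindows = @(Get-CimInstance -Namespace root\ccm\ClientSDK -ClassName CCM_ServiceWindow |
        ForEach-Object { '{0} -> {1} (type {2})' -f $_.StartTime, $_.EndTime, $_.Type }) -join '; '

    # Content already staged in ccmcache
    $cachePath = Join-Path $env:windir 'ccmcache'
    $files = Get-ChildItem $cachePath -Recurse -File -ErrorAction SilentlyContinue
    $r.CacheItems = @(Get-ChildItem $cachePath -Directory -ErrorAction SilentlyContinue).Count
    $r.CacheMB    = [math]::Round((($files | Measure-Object Length -Sum).Sum / 1MB), 1)

    # Tail of the client update handler log
    $r.UpdatesHandlerTail = (Get-Content (Join-Path $env:windir 'CCM\Logs\UpdatesHandler.log') `
        -Tail 5 -ErrorAction SilentlyContinue) -join "`n"

    # WindowsUpdate.log is a text file up to Server 2012 R2; on 2016+ it is ETW-based
    # and has to be rendered with Get-WindowsUpdateLog
    $wuLog = Join-Path $env:windir 'WindowsUpdate.log'
    $r.WindowsUpdateLog = if (Test-Path $wuLog) { (Get-Item $wuLog).LastWriteTime }
                          else { 'not a text log on this OS; run Get-WindowsUpdateLog' }
    [pscustomobject]$r
}

foreach ($s in $Servers) {
    "== $s =="
    Invoke-Command -ComputerName $s -ScriptBlock $clientCheck | Format-List
}
```

An update sitting in `WaitServiceWindow` with content already in ccmcache is the expected state between the deadline (01 AM in the post) and the maintenance window (02 AM); `Error` or an empty `ServiceWindows` list on a server that should have one is what the human operator is looking for.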