Endpoint Services, SCCM, SCCM Software Updates Information and Set Up

How to use SCCM to manage Windows Updates on your endpoints.

Systems

System Center Configuration Manager (SCCM) Current Branch

Affected Customers

University of Illinois IT Pros leveraging Technology Services Endpoint Service SCCM Current Branch

General Information

SCCM can be used to deploy Windows Updates to endpoints as an alternative to Campus WSUS. IT Pros can request which updates get deployed to which device collections, the schedule on which they run, and their installation behavior. 

Some considerations:

  • As deployments will be configured according to provided criteria, IT Pros will be responsible for monitoring compliance and notifying EPS of any issues. As such, it is recommended that additional deployments to test collections with their own configurations also be requested.
  • While deployed updates can be canceled, they cannot be uninstalled via this feature. When requesting a deployment schedule, consider offsetting update availability/deadlines from the release date. 
  • Any changes to active deployments need to be requested through EPS. You may still view the deployment configurations in your console.

In order to leverage this service the following steps must be taken:

  • The SCCM client must be installed on targeted endpoints.
  • Maintenance windows must be configured on the targeted endpoints.
  • Client Policy must be configured to allow SCCM to manage updates. Under "\Administration\Overview\Client Settings", either create or modify an existing policy and ensure that "Enable software updates on clients" under "Software Updates" is set to "Yes". Configure other settings as desired, then deploy this policy to the target collection/s. 
  • Targeted endpoints must not be receiving any Group Policy that governs Windows Updates, such as Campus WSUS, as Group Policy supersedes SCCM policy. Please ensure that any conflicting Group Policy is removed or disinherited prior to using this feature.
    • This includes Windows Update GPO settings that are "Disabled." Relevant GPOs must be set to "Not configured"
  • Local Group Policy must be enabled for SCCM Software Updates to work
The following updates are currently available as ADRs

Windows 10 Cumulative Update
Windows 7 Monthly Quality Rollup
Windows 7 Security-Only Quality Update
Windows Malicious Software Removal Tool
Windows Server 2008 Monthly Quality Rollup
Windows Server 2008 R2 Monthly Quality Rollup
Windows Server 2012 Monthly Quality Rollup
Windows Server 2012 R2 Monthly Quality Rollup
Windows Server 2012 R2 Security-Only Quality Update
Windows Server 2012 Security-Only Quality Update
Windows Server 2016 Cumulative Update
Windows Server 2019 Cumulative Update
Flash Player ActiveX Windows 10 Updates

Windows 10 Feature Updates (e.g. 1903) can be delivered via ADRs but require additional considerations. Please contact EPS using the EPS Support Request Form.

Setting up Deployments

Once ready, please fill out a SCCM support request for Microsoft/Windows Updates and EPS will work with you on the final steps.

Reporting

Reporting ("\Monitoring\Overview\Reporting\Reports\Useful Reports") and Monitoring ("\Monitoring\Overview\Deployments") are available for update deployments.

Certain updates that are not applicable to any endpoints in your targeted collections, such as non-English feature updates, will show as 100% compliant in the Software Updates Status for Specific Update report. Upon clicking on the article, an additional state of "Update is not required" will be displayed.


Contact the EPS team




Keywords:EPS, SCCM, Updates, WSUS, SUP, ADR, automatic deployment rule   Doc ID:91859
Owner:EPS Distribution List .Group:University of Illinois Technology Services
Created:2019-05-20 11:25 CSTUpdated:2019-12-04 08:21 CST
Sites:University of Illinois Technology Services
Feedback:  0   0