SCCM Windows Updates (configuration)

Eduards 791 Reputation points
2020-11-20T06:28:22.947+00:00

Hello,

We need to configure Windows Updates using SCCM.

I already installed the WSUS role and the SUP role.

Now I need to determine what kind of products I need to add to sync updates. Is there some kind of default set of products? Or what are the best practices?

Also we opened 8350 port from workstation network to SCCM server.

Things I need to do:

  1. Deliver Windows updates to workstations that are using VPN - is there a possibility to configure a boundary?
  2. Install the newest updates using a task sequence.
  3. Are there some other ports that need to be open so that clients connected using VPN can receive updates?

Also I have a problem after the updates are synced.

My Automatic Deployment Rules show nothing in the "Preview".

I ran hardware and inventory checks and nothing changed.

Microsoft Configuration Manager

Accepted answer
  1. Sherry Kissinger 4,646 Reputation points
    2020-11-25T13:56:36.407+00:00

    The client will need to run an Update Scan Cycle. If you have absolutely no changes at all; a client will scan weekly.

    It will also scan/rescan if the client receives just about any policy change related to updates. I've seen a scan trigger because of the client receiving a software update group deployment policy, a deadline for an already-received software update group deployment policy has passed, CM synchronized and received a policy change for the updates available.

    It will also scan more frequently than weekly-by-default if you modify the client agent setting for software update scanning. Personally; because a client scans frequently due to other policy triggers; you can likely leave it at weekly scanning-by-default; because if you update the scan rules by doing a sync for new rules--the clients will re-scan.

    Just start looking at some of the default reports for scan results; there are lots of built-in reports for software update scan results.


3 additional answers

  1. Sherry Kissinger 4,646 Reputation points
    2020-11-24T13:21:55.507+00:00

    My suggestion is to pick a client--any client--and look at local logs.

    Specifically, start with wuahandler.log
    Then you may need to look at the local Windows Update logs, which, if it is a later OS (Windows 10), are in a format you can't easily read without first running a PowerShell command to format them legibly.

    https://learn.microsoft.com/en-us/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps

    Those logs are a good place to start to see if a client is even trying to scan against your CM software update point server; and if it is at least attempting to do so, if it is failing to do so.

    1 person found this answer helpful.
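    The two answers above both come down to the same check: make the client scan, then read what WUAHandler.log says about the scan. The following script is an added example, not code from the thread or from Microsoft; it triggers the Software Updates Scan Cycle through the client's SMS_Client WMI class (the schedule ID ending in 113 is the well-known ID of that client action) and then parses the last lines of WUAHandler.log. The log message strings it filters on ("Enabling WUA Managed server policy", "Successfully completed scan", "Scan failed", "OnSearchComplete") are the ones commonly seen in that log; the 90-second wait is an assumption you may need to adjust.

```powershell
# Added example, not part of the thread: force a Software Updates Scan Cycle on a
# Configuration Manager client, then read WUAHandler.log to see whether the scan
# against the software update point succeeded. Run in an elevated session on the client.

# Well-known schedule ID of the client action "Software Updates Scan Cycle"
$ScanCycleId = '{00000000-0000-0000-0000-000000000113}'
$LogPath     = Join-Path $env:WinDir 'CCM\Logs\WUAHandler.log'

# Trigger the scan now rather than waiting for the weekly default or a policy change
Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
                 -Arguments @{ sScheduleID = $ScanCycleId } | Out-Null
Start-Sleep -Seconds 90   # assumption: a scan usually finishes within a minute or two

# CM client logs are one record per line in this shape:
#   <![LOG[message]LOG]!><time="hh:mm:ss.fff+zz" date="MM-dd-yyyy" component="..." ... type="1|2|3" ...>
# type 1 = info, 2 = warning, 3 = error
$pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)".*?type="(?<type>\d)"'
$entries = Get-Content -Path $LogPath -Tail 200 | ForEach-Object {
    if ($_ -match $pattern) {
        [pscustomobject]@{
            When    = "$($Matches.date) $($Matches.time.Split('.')[0])"
            Level   = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
            Message = $Matches.msg
        }
    }
}

# Which update source the client was told to scan against, and how the last scan ended
$entries |
    Where-Object Message -match 'Enabling WUA Managed server policy|Successfully completed scan|Scan failed|OnSearchComplete' |
    Select-Object -Last 5 | Format-Table -AutoSize

# Any error-level lines deserve a look before changing boundaries or ADRs
$scanErrors = $entries | Where-Object Level -eq 'Error'
if ($scanErrors) { $scanErrors | Format-Table -AutoSize }
else { 'No error entries in the last 200 lines of WUAHandler.log.' }
```

    If the "Enabling WUA Managed server policy" line names a server the VPN client cannot reach, the problem is network path or boundary assignment, not the ADR; if the scan completes successfully but the ADR preview stays empty, the scan results are arriving and the ADR's update criteria are the next thing to check, as the MSFT answer below suggests.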

  2. Amandayou-MSFT 11,136 Reputation points
    2020-11-23T02:49:20.163+00:00

    Hi @Eduards ,

    -->There might not be a default set of products to sync; we could sync only the updates that are needed.

    -->Between the client and the software update point, port 8530 should be open when using HTTP and port 8531 when using HTTPS.
    Between the site server and the software update point, port 445 should be open for Server Message Block.
    Here is the detailed information about port:
    https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/ports

    -->To manage the VPN client better, we could configure a boundary for them separately.

    -->Maybe we could follow this method to deploy the update:
    https://www.prajwaldesai.com/deploy-software-updates-using-sccm-2012-r2/
    Note: the above links are not from MS, and just for your reference.

    -->Could we check whether the software updates that meet the specified criteria are added to the associated software update group? If not, it will show nothing.
    Here is the article about ADR deployment:
    https://www.anoopcnair.com/create-sccm-automatic-deployment-rule-adr-configmgr/
    Note: the above links are not from MS, and just for your reference.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
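    To turn the port list above into a concrete check for a VPN-connected client, here is an added example (not from the thread or from Microsoft). It reads the update source the Configuration Manager client actually received in policy from the CCM_UpdateSource WMI class, compares it with the WUServer value the client writes into local Windows Update policy, checks the port against the 8530/8531 defaults named above, and then tests the TCP path and the WSUS client web service across the VPN. The example hostname in the comment is constructed; the endpoint path ClientWebService/client.asmx is WSUS's standard client web service.

```powershell
# Added example, not part of the thread: from a client on the VPN, confirm that the
# client knows its software update point and can reach it on the WSUS port.
# Run on the client; the SUP host and port come from the client's own policy.

# 1. Which update source did the Configuration Manager client receive in policy?
$source = Get-CimInstance -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' `
                          -ClassName 'CCM_UpdateSource' -ErrorAction Stop
$uri = [System.Uri]$source.ContentLocation   # e.g. http://sup.example.local:8530 (constructed)

# 2. The client writes the same value into local Windows Update policy; a mismatch
#    usually means a stale or conflicting GPO is overriding the CM-managed setting.
$wuServer = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
                              -Name WUServer -ErrorAction SilentlyContinue).WUServer
"CM update source : $($source.ContentLocation)"
"Local WUServer   : $wuServer"
if ($wuServer -and ($wuServer.TrimEnd('/') -ne $source.ContentLocation.TrimEnd('/'))) {
    Write-Warning 'WUServer differs from the CM update source; check for a conflicting GPO.'
}

# 3. Expected port by scheme: 8530 for HTTP, 8531 for HTTPS (the defaults cited above)
$expectedPort = if ($uri.Scheme -eq 'https') { 8531 } else { 8530 }
if ($uri.Port -ne $expectedPort) {
    Write-Warning "Update source uses port $($uri.Port); the default for $($uri.Scheme) is $expectedPort."
}

# 4. Can the client open a TCP connection across the VPN to that host and port?
$tnc = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if ($tnc.TcpTestSucceeded) {
    "TCP $($uri.Host):$($uri.Port) reachable via interface '$($tnc.InterfaceAlias)'"
} else {
    Write-Warning "TCP $($uri.Host):$($uri.Port) blocked; check the VPN firewall rule for this port."
}

# 5. The scan is an HTTP(S) request to WSUS. Any HTTP status proves the WSUS web service
#    answers; a timeout or connection failure points at the network path instead.
$endpoint = "$($uri.Scheme)://$($uri.Host):$($uri.Port)/ClientWebService/client.asmx"
try {
    $r = Invoke-WebRequest -Uri $endpoint -UseBasicParsing -TimeoutSec 15
    "WSUS client web service answered HTTP $($r.StatusCode)"
} catch {
    if ($_.Exception.Response) {
        "WSUS client web service answered HTTP $([int]$_.Exception.Response.StatusCode)"
    } else {
        Write-Warning "No HTTP response from $endpoint : $($_.Exception.Message)"
    }
}
```

    If step 4 fails only on the VPN, the port the thread discusses (8530 or 8531, depending on whether the SUP uses HTTP or HTTPS) is what needs to be opened between the VPN client pool and the SUP; if step 4 succeeds but step 5 gets no HTTP response, look at the WSUS IIS site rather than the network.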


  3. Eduards 791 Reputation points
    2020-11-26T07:11:17.493+00:00

    Thank you!

    Computers started to show up in the WSUS console on my SCCM server, and after some time in the SCCM console I started to see 'required' and 'installed' information about my workstations.

