Controlling WSUS from SCCM and delivering updates to clients

Roberto 646 Reputation points
2021-03-22T14:14:29.897+00:00

Hello.

I'm having a hard time understanding the way SCCM configures and interacts with WSUS and how updates are then deployed to the clients.
I already read some docs on the Microsoft website, but I'm still confused.
I'd be grateful for an easy explanation and hopefully some easy steps to follow.

I understand that from SCCM
Administration>Sites>mysite>Configure Site Components>Software Update Point
I can partially define how WSUS behaves. Things like Sync Settings, Classifications, Products, etc.
Once I modified that, WSUS started to obtain updates for Windows 10 (before it was configured for Windows 8.1).

But I'm having trouble with understanding the deployment to the clients.

  1. What is the role of "Software Update Groups"?
  2. What is the role of "Deployment Packages"?
  3. How do the two above relate and interact with "Automatic Deployment Rules"?
  4. Why are all my clients getting the updates even though I associated my automatic deployment rule to deploy to a collection that includes only a handful of PCs?

After configuring WSUS from SCCM "Software Update Point component Properties", I went on and made an Automatic Deployment Rule called "Windows 10 - 1 - PC Test". This rule is associated with a Collection including only a small fraction of our clients. Here "Add to an existing Software Update Group" is selected. This rule is also associated with a deployment package (Select a deployment package is selected and I choose a package named "Windows 10").
The updates went anyway to a lot of PCs that were not in the selected collection.

Please see the attached images for more details.

Because of KB5000808 a lot of my clients got a blue screen and so, in an attempt to remediate:
1) I modified WSUS directly, changing Approval from Install to Removal
2) in my rule I selected "Do not install software updates" and deselected "Download and install software updates from the fallback content source location" (I guess that tells clients to download updates from WSUS when SCCM will not give any update?)
3) I deleted the Windows 10 Software Update Group

Are the above steps the right way to handle the problem? If not, what would it be?

Thank you and best regards.
Roberto


Microsoft Configuration Manager

Accepted answer
  1. AllenLiu-MSFT 40,316 Reputation points Microsoft Vendor
    2021-03-23T07:02:01.29+00:00

    Hi, @Roberto
    Thank you for posting in Microsoft Q&A forum.

    1) What is the role of "Software Update Groups" (SUG)?
    If we only deploy one update to clients, we do not need the SUG; if we deploy multiple updates to clients, we need to put the multiple updates into a SUG, then deploy the SUG to clients.

    2) What is the role of "Deployment Packages"?
    We need to download the update content and put it into deployment packages, then distribute them to the DP; clients then contact the DP for the content.

    3) How the two above relate and interact with "Automatic Deployment Rules"?
    An ADR is used to deploy multiple updates automatically to clients, so it will need the SUG and Deployment Packages.

    4) Why are all my clients getting the updates even though I associated my automatic deployment rule to deploy to a collection that includes only a handful of PCs?
    You may check the update in SCCM console "All Software Updates" to see how many deployments are assigned to the update.

    When we use SCCM to deploy updates to clients, we normally do not need to do any operations in WSUS; the settings in SUG component properties will sync to WSUS automatically.

    To uninstall Windows updates with SCCM, we may refer to this article:
    https://systemcenterdudes.com/sccm-uninstall-windows-update/


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
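
The check suggested in point 4 (which deployments carry a given update, and which collections they target), as an added example that is not part of the original answer or of Microsoft's tooling. It assumes the SMS Provider classes `SMS_SoftwareUpdate` and `SMS_UpdatesAssignment` with the properties named in the comments; the function name, site code `P01`, collection IDs, CI IDs and the second and third deployment names are constructed.

```powershell
# Added example. Property names are assumed to match the SMS Provider classes
# SMS_SoftwareUpdate (CI_ID, ArticleID) and SMS_UpdatesAssignment
# (AssignmentName, TargetCollectionID, AssignedCIs, Enabled).
function Find-UpdateDeployment {
    param(
        [Parameter(Mandatory)] [string]   $ArticleId,      # KB number without the "KB" prefix
        [Parameter(Mandatory)] [object[]] $Updates,        # SMS_SoftwareUpdate instances
        [Parameter(Mandatory)] [object[]] $Assignments,    # SMS_UpdatesAssignment instances
        [string[]] $ExpectedCollectionIds = @()            # collections the update is meant to reach
    )
    # One KB usually maps to several update entries (x64, x86, ARM64, per OS build).
    $ciIds = @($Updates | Where-Object { $_.ArticleID -eq $ArticleId } | ForEach-Object { $_.CI_ID })
    if ($ciIds.Count -eq 0) { Write-Warning "No update with ArticleID $ArticleId found"; return }

    foreach ($a in $Assignments) {
        # A deployment is relevant if any of its assigned CIs is one of the KB's entries.
        $matched = @($a.AssignedCIs | Where-Object { $ciIds -contains $_ })
        if ($matched.Count -eq 0) { continue }
        [pscustomobject]@{
            Deployment   = $a.AssignmentName
            CollectionId = $a.TargetCollectionID
            Enabled      = $a.Enabled
            MatchedCIs   = ($matched -join ',')
            # Flag deployments that target a collection outside the intended scope.
            Unexpected   = (($ExpectedCollectionIds.Count -gt 0) -and
                            ($ExpectedCollectionIds -notcontains $a.TargetCollectionID))
        }
    }
}

# Constructed sample data standing in for provider output.
$updates = @(
    [pscustomobject]@{ CI_ID = 16801; ArticleID = '5000808' }
    [pscustomobject]@{ CI_ID = 16802; ArticleID = '5000808' }
    [pscustomobject]@{ CI_ID = 16750; ArticleID = '0000001' }
)
$assignments = @(
    [pscustomobject]@{ AssignmentName = 'Windows 10 - 1 - PC Test'; TargetCollectionID = 'P0100021'; Enabled = $true; AssignedCIs = @(16750, 16801) }
    [pscustomobject]@{ AssignmentName = 'Workstations - Monthly';   TargetCollectionID = 'P0100014'; Enabled = $true; AssignedCIs = @(16801, 16802) }
    [pscustomobject]@{ AssignmentName = 'Servers - Monthly';        TargetCollectionID = 'P0100030'; Enabled = $true; AssignedCIs = @(16750) }
)
Find-UpdateDeployment -ArticleId '5000808' -Updates $updates -Assignments $assignments `
    -ExpectedCollectionIds 'P0100021' | Format-Table -AutoSize

# Against a live site (placeholder site code P01), feed it provider data instead:
#   $ns          = 'root\SMS\site_P01'
#   $updates     = Get-CimInstance -Namespace $ns -ClassName SMS_SoftwareUpdate -Filter "ArticleID = '5000808'"
#   $assignments = Get-CimInstance -Namespace $ns -ClassName SMS_UpdatesAssignment
```

With the constructed data, the test-ring deployment is listed with `Unexpected = False` and "Workstations - Monthly" with `Unexpected = True`, which is the pattern to look for when an update reaches machines outside the intended collection.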

