Patching with SCCM and WSUS

An essential function of SCCM is deploying patches and providing compliance reporting around that patching.

The Overview

  1. Prepare our environment for WSUS
  2. Install WSUS
  3. Configure SCCM
  4. Optimize updates
  5. Set up an automatic deployment rule
  6. Examine update compliance reports

The Sources

  1. Rich Mawdsley’s three-part series for configuring WSUS is my de facto guide for initial setup. This post is honestly just going to be 99% shamelessly stealing Part 1 with minor customizations.
  2. Justin Chalfant’s WSUS maintenance guide has a terrific step-by-step video and the definitive list of WSUS maintenance resource links.
  3. Bryan Dam’s “Software Update Maintenance” script is necessary for maintaining an efficient set of updates. It can be automated to remove/expire update metadata that our environment will never need, but otherwise clogs up and drastically slows down the patch scanning process.

Prepare the environment

Expand the Server

DISCLAIMER: It is not considered best practice to install SCCM or keep any content on the C: drive. However, that is how the 365 Powered Device Lab is set up by default, so we need to increase the amount of disk space to make room for WSUS.
  1. Launch Hyper-V. Right-click HYD-CM1 and select Settings.
  2. Select Hard Drive. Copy the path to the Virtual hard disk. Click Cancel.


  3. Click Edit Disk. At the Before you Begin screen click Next. Paste the path to the HYD-CM1 disk. Click Next.


  4. Choose Expand and click Next.
  5. Set New size to 300 or so and click Next. Click Finish.


  6. Connect to HYD-CM1. Launch the Create and format hard disk partitions control panel.
  7. Click Action and choose Rescan disks.
  8. Right-click Windows (C:) and choose Extend Volume. Click Next.


  9. The wizard should already have the amount at its maximum. Click Next then click Finish.


Update Group Policy

We need to inform our systems that they will check for updates from WSUS/SCCM. Since it’s a lab we’ll just use the built-in Default Domain Policy.
  1. Log into the domain controller HYD-DC1.
  2. Launch Group Policy Management.
  3. Expand Domains ->
  4. Right-click Default Domain Policy and select Edit.


  5. Expand Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.


  6. Double-click Specify intranet Microsoft update service location and set it to Enabled. For Set the intranet update service for detecting updates and Set the intranet statistics server enter and click OK.


  7. Double-click Allow signed updates from an intranet Microsoft update service location and set it to Enabled. This will allow us to deploy third party updates later if we want. Click OK.


  8. Close the Group Policy Management Editor.
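As an added example (not part of the original post), the following PowerShell reads the policy values that the GPO above writes on a domain client and flags the settings a defender should care about: whether clients actually point at WSUS, whether the server URL is protected in transit, and whether signed third-party updates will be trusted. It assumes the standard Windows Update policy registry path and an elevated session on a lab client after gpupdate /force; the post does not spell out the WSUS URL, so the check only reports what it finds.

```powershell
# Added example (not from the original post): verify the Windows Update policy
# that the Default Domain Policy above writes to a client, and flag risky settings.
# Assumes the standard policy registry path; run as administrator on a lab client
# after 'gpupdate /force' so the GPO has been applied.

function Test-WsusClientPolicy {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $wu -or -not $wu.WUServer) {
        $findings += 'WUServer is not set: clients will scan against Microsoft Update, not WSUS/SCCM.'
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: an intranet server may be defined but is ignored.'
    }
    if ($wu.WUServer -and $wu.WUServer -notmatch '^https://') {
        $findings += "WUServer '$($wu.WUServer)' is plain HTTP: update metadata is not protected in transit."
    }
    if ($wu.WUServer -and $wu.WUStatusServer -ne $wu.WUServer) {
        $findings += 'WUStatusServer differs from WUServer: client status reports go to a different server.'
    }
    if ($wu.AcceptTrustedPublisherCerts -eq 1) {
        $findings += 'AcceptTrustedPublisherCerts=1: signed third-party updates are accepted, so control who can publish to WSUS.'
    }

    # Return the effective values together with the findings so the result can be logged or compared
    [pscustomobject]@{
        WUServer                    = $wu.WUServer
        WUStatusServer              = $wu.WUStatusServer
        UseWUServer                 = $au.UseWUServer
        AcceptTrustedPublisherCerts = $wu.AcceptTrustedPublisherCerts
        Findings                    = $findings
    }
}

Test-WsusClientPolicy | Format-List
```

An empty Findings list means the client is configured the way the two policies above intend. The AcceptTrustedPublisherCerts line is informational rather than an error: the post enables it on purpose for third-party updates, which is exactly why write access to the WSUS server and its publishing certificate needs to be limited to patch administrators.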

Install WSUS

The default WSUS configuration in the 365 Powered Device Lab needs to be redone.

Remove Roles and Features

  1. Connect to HYD-CM1 and launch Server Manager. Click Manage and select Remove Roles and Features.


  2. If the Before you begin screen comes up first, click Next.
  3. Server Selection - Leave selected and click Next.


  4. Remove server roles - Uncheck Windows Server Update Services. When the Remove Roles and Features Wizard pops up, click Remove Features. Click Next.


  5. Remove features - Don’t make any changes. Click Next. Click Remove.


  6. Wait for removal to succeed and click Close.


  7. Reboot HYD-CM1.

Add Roles and Features

  1. Log into HYD-CM1 and launch Server Manager. Click Add roles and features. If the Before you begin screen comes up first, click Next.


  2. Installation Type - Select Role-based or feature-based installation and click Next.
  3. Server Selection - Leave selected and click Next.


  4. Select server roles - Check Windows Server Update Services. When the Add Roles and Features Wizard pops up, click Add Features. Click Next.


  5. Select features - Expand .NET Framework 4.6 Features, expand WCF Services, and check all features. For any wizards that pop up, click Add Features. Click Next, and click Next again.


  6. Select role services - Uncheck WID Connectivity and check SQL Server Connectivity. Click Next.


  7. Content location selection - Leave Store updates in the following location checked, and paste C:\PackageSource\WSUS. Click Next.


  8. Database instance selection - Type CM1.CORP.CONTOSO.COM and click Check connection. Click Next.


  9. At the confirmation screen, check Restart the destination server automatically if required and click Install.


  10. Wait for the installation to succeed and click Launch Post-Installation tasks.


  11. Wait for configuration to successfully complete and click Close.


  12. Reboot HYD-CM1.

Configure WSUS

Rich’s guide will do a partial setup and then cancel setup. The goal is to speed up the SCCM sync and reduce metadata.
  1. Connect to HYD-CM1 and launch Windows Server Update Services.
  2. When the Windows Server Update Services Configuration Wizard launches, click Next until you reach Connect to Upstream Server.
  3. Connect to Upstream Server - Click Start Connecting. When it completes, click Next.


  4. Choose Languages - Select Download updates in all languages, including new languages and click Next.


  5. Choose Products - Leave the defaults and click Next.
  6. Choose Classifications - Click Cancel to abort setup. We’ll finish configuration from within SCCM. Close the Update Services console.


Folder and Share permissions

The script we used from Odd-Magne in the OSD guide sets the permissions on our WSUS folder. If you’ve performed that setup you can skip this step.
  1. If the network access account and NETWORK SERVICE account do not yet have permission to C:\PackageSource\WSUS, continue with the rest of the steps.
  2. Log into HYD-CM1 and launch Windows PowerShell ISE as administrator. Paste the following code into the top script pane. It’s a truncated and modified version of Odd-Magne’s package source script.
     #Set the following parameters
     $Source = 'C:\PackageSource'
     $ShareName = 'PackageSource'   #Kept from the full script; not used in this truncated version
     $NetworkAccount = 'CORP\CM_NetAcc'
     #Create the SCCMDeploymentPackages directory (-Force: no error if it already exists)
     New-Item -ItemType Directory -Path "$Source\WSUS\SCCMDeploymentPackages" -Force
     #Create the share and the share permissions for the network access account and NETWORK SERVICE
     New-SmbShare -Name "SCCMDeploymentPackages" -Path "$Source\WSUS\SCCMDeploymentPackages" -CachingMode None -FullAccess $NetworkAccount,"NETWORK SERVICE"
     #Set NTFS security permissions: Full Control for the network access account, inherited by subfolders and files
     $Acl = Get-Acl "$Source\WSUS"
     $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("$NetworkAccount","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
     $Acl.SetAccessRule($Ar)   #The rule must be added to the ACL object before Set-Acl, or nothing changes
     Set-Acl "$Source\WSUS" $Acl
     #Same rights for NETWORK SERVICE, which the WSUS application pool runs as
     $Acl = Get-Acl "$Source\WSUS"
     $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("NETWORK SERVICE","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
     $Acl.SetAccessRule($Ar)
     Set-Acl "$Source\WSUS" $Acl


Configure IIS

Microsoft recommends modifying the IIS application pool for WSUS when used with a Software Update Point.
  1. Connect to HYD-CM1 and launch the Internet Information Services (IIS) Manager.
  2. Expand CM1 and select Application Pools.


  3. Right-click WsusPool and select Advanced Settings.


  4. Set Queue Length to 2000 and set Private Memory Limit (KB) to 0.


  5. Click OK and reboot HYD-CM1.
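The same two WsusPool changes can be applied and verified from PowerShell instead of the IIS Manager GUI. This is an added example, not part of the original post; it assumes the WebAdministration module that ships with the IIS role on HYD-CM1 and an elevated session.

```powershell
# Added example (not from the original post): apply and verify the WsusPool
# settings from the steps above with the WebAdministration module rather than
# the IIS Manager GUI. Run in an elevated PowerShell session on HYD-CM1.
Import-Module WebAdministration

$poolPath = 'IIS:\AppPools\WsusPool'

function Get-WsusPoolSettings {
    # Read the pool as a configuration element; nested settings are reachable as properties
    $pool = Get-Item -Path $poolPath
    [pscustomobject]@{
        QueueLength     = $pool.queueLength
        PrivateMemoryKB = $pool.recycling.periodicRestart.privateMemory
        State           = $pool.state
    }
}

Write-Host 'Before:'; Get-WsusPoolSettings | Format-Table -AutoSize

# Queue Length 2000: client scans arrive in bursts after a sync, and a short queue
# turns the overflow into HTTP 503 errors on the clients
Set-ItemProperty -Path $poolPath -Name queueLength -Value 2000
# Private Memory Limit (KB) 0 = no limit: with a limit, the pool recycles in the
# middle of large scans, which surfaces as scan failures on the clients
Set-ItemProperty -Path $poolPath -Name recycling.periodicRestart.privateMemory -Value 0

# The post reboots the server; the new values also take effect when the pool is recycled
Restart-WebAppPool -Name WsusPool

Write-Host 'After:'; Get-WsusPoolSettings | Format-Table -AutoSize
```

With no private memory limit the WSUS worker process is free to grow, so keep an eye on w3wp.exe memory on the site server after the first few syncs.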

Configure SCCM

The Software Update Point

The 365 Powered Device Lab already has the Software Update Point role installed, so we just need to configure it.
  1. Connect to HYD-CM1 and launch the Configuration Manager Console.
  2. Expand Administration -> Site Configuration, and select the Sites node.
  3. Select CHQ - Contoso Headquarters and click the Configure Site Components dropdown from the ribbon. Select Software Update Point.


  4. Classifications tab - Select everything except Feature Updates, Tools, and Upgrades.


  5. Products tab - Uncheck everything, then check Windows 10.


  6. Sync Schedule tab - Check Enable synchronization on a schedule and select Custom schedule. Click Customize.
  7. On the Custom Schedule page, select: Monthly, Recur every 1 months on, and The Second Tuesday. Set the Start time to something after noon, say 2:00 PM. Remember this for later when we schedule the cleanup script. Click OK.


  8. Check Alert when synchronization fails on any site in the hierarchy.
  9. Supersedence Rules tab - Set Months to wait before a superseded software update is expired to 1. Check Run WSUS cleanup wizard.


  10. Languages tab - Uncheck everything except English for both columns. Click OK.


Synchronize Software Updates

  1. In the SCCM console, expand the Software Library -> Software Updates node.
  2. Select All Software Updates and click the Synchronize Software Updates button in the ribbon. Click Yes.


  3. Navigate to the Monitoring -> Software Update Points Synchronization Status node. Look at the fields in the bottom pane, and wait for the Synchronization Status to change to Completed.


  4. Alternatively, you can open “C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log” in CMTrace and monitor progress.
  5. Once complete, navigate to the Software Library -> Software Updates -> All Software Updates node. It should now be full of patches.


Optimize WSUS

Justin did a great write-up on optimizing WSUS, including the setup for Bryan’s cleanup script. We’re JUST going to focus on configuring and scheduling the cleanup.

Configure the script

  1. On HYD-CM1, download Bryan Dam’s Software Update Maintenance Script.
  2. Create a folder in C:\PackageSource\Script called SAM. Extract the script and plugins folder to C:\PackageSource\Script\SAM.


  3. Navigate to C:\PackageSource\Script\SAM\Plugins\Disabled. Right-click Decline-Windows10Versions.ps1 and choose Edit so it opens in PowerShell ISE.
  4. Un-comment (remove the #) the line $UnsupportedVersions = @("1511").
  5. Add all versions we do NOT want to support. Since I’m deploying 1703 in the lab with the plans to upgrade to 1803 (or later), mine would look like $UnsupportedVersions = @("1507","1511","1607","1709"). Save the script and close PowerShell ISE.


  6. Move the Decline-Windows10Versions.ps1 and Decline-Windows10Languages.ps1 scripts out of the Disabled folder and into the root Plugins folder.


Schedule the script

  1. On HYD-CM1, launch Task Scheduler.
  2. Click Create Basic Task.


  3. Name it WSUS Maintenance and click Next.


  4. Trigger wizard - Select Monthly and click Next.


  5. Monthly wizard - Click the Months dropdown and check Select all months. Select On and set it to Second Tuesday. Set the Start time to two hours after the WSUS sync we set above. In this example, we’ll set the task to run at 4:00 PM. Click Next.


  6. Action wizard - Select Start a program and click Next.


  7. Start a Program wizard - Set Program/Script to powershell.exe. Set Add arguments to -NoLogo -NoProfile -NonInteractive -ExecutionPolicy ByPass -command C:\PackageSource\Script\SAM\Invoke-DGASoftwareUpdateMaintenance.ps1 -DeclineSuperseded -UpdateListOutputFile C:\PackageSource\Logs\DeclinedUpdates.csv -DeclineByTitle @('Itanium','ia64','Beta') -DeclineByPlugins -CleanSUGs -RemoveEmptySUGs -RunCleanUpWizard -Force and click Next.


  8. Finish - Check Open the Properties dialog for this task when I click Finish and click Finish. The WSUS Maintenance Properties screen will open.


  9. General tab - Click Change User or Group. Type SYSTEM and click OK. Check Run with highest privileges and click OK.


  10. Right-click the WSUS Maintenance task we created and select Run.


  11. Open C:\PackageSource\Script\SAM\updatemaint.log in CMTrace.exe and watch as the unnecessary updates are declined.
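The eleven Task Scheduler steps above can be done in one PowerShell script, which also makes it easy to verify what was registered. This is an added example, not part of the original post or Bryan Dam’s project: it uses the ScheduledTasks module, the script path and argument string from step 7, and the SYSTEM principal from step 9. Because the task runs as SYSTEM, the block ends with a check that ordinary users cannot modify the script folder, since a world-writable script executed by a SYSTEM task would let anyone who can write to it run code as SYSTEM; the list of "broad" principals it looks for is an assumption you may want to extend.

```powershell
# Added example (not from the original post): register the "WSUS Maintenance"
# task from the Task Scheduler steps above with the ScheduledTasks module, then
# check that it runs as SYSTEM with the expected command line and that only
# privileged principals can modify the script it executes.
# Paths and arguments are the ones used in the post; run elevated on HYD-CM1.

$taskName  = 'WSUS Maintenance'
$samFolder = 'C:\PackageSource\Script\SAM'
$logFolder = 'C:\PackageSource\Logs'
New-Item -ItemType Directory -Path $logFolder -Force | Out-Null

# Step 7: same executable and argument string as the Start a Program wizard
$arguments = "-NoLogo -NoProfile -NonInteractive -ExecutionPolicy ByPass -command $samFolder\Invoke-DGASoftwareUpdateMaintenance.ps1 " +
             "-DeclineSuperseded -UpdateListOutputFile $logFolder\DeclinedUpdates.csv -DeclineByTitle @('Itanium','ia64','Beta') " +
             "-DeclineByPlugins -CleanSUGs -RemoveEmptySUGs -RunCleanUpWizard -Force"
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments

# Steps 4-5: monthly, all months, second Tuesday, 4:00 PM. New-ScheduledTaskTrigger has no
# "second Tuesday" option, so the trigger is built from the Task Scheduler CIM class directly.
$triggerClass = Get-CimClass -ClassName MSFT_TaskMonthlyDOWTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.DaysOfWeek    = 4      # bit mask: Sunday=1, Monday=2, Tuesday=4, ...
$trigger.WeeksOfMonth  = 2      # bit mask: first=1, second=2, third=4, fourth=8
$trigger.MonthsOfYear  = 0xFFF  # all twelve months
$trigger.StartBoundary = (Get-Date -Hour 16 -Minute 0 -Second 0).ToString('yyyy-MM-ddTHH:mm:ss')
$trigger.Enabled       = $true

# Step 9: run as SYSTEM with highest privileges; cap the run time so a hung cleanup cannot linger for days
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Check 1: what was actually registered (identity, run level, command line)
$task = Get-ScheduledTask -TaskName $taskName
$task.Principal | Select-Object UserId, RunLevel
$task.Actions   | Select-Object Execute, Arguments

# Check 2: a script that SYSTEM runs on a schedule must not be writable by ordinary users.
# Flags Allow entries that give broad principals write rights on the script folder.
# (Inherited entries shown as numeric generic rights are not decoded by this simple check.)
function Test-ScriptFolderAcl {
    param([string]$Path)
    $broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'  # assumed list
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broad -contains $_.IdentityReference.Value -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}
$weak = Test-ScriptFolderAcl -Path $samFolder
if ($weak) { Write-Warning "Non-admin principals can modify ${samFolder}:"; $weak | Format-Table -AutoSize }
else       { Write-Host "OK: only privileged principals can modify $samFolder" }

# Step 10: run it now, then follow $samFolder\updatemaint.log in CMTrace
Start-ScheduledTask -TaskName $taskName
```

If the ACL check warns, fix the folder permissions before the task’s first scheduled run rather than after; the same reasoning applies to the plugins folder and to any log path the script writes.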


Automatic Deployment Rules

ADRs are the method by which we schedule the creation of a Software Update Group, define the updates for the SUG, and select the collection to which we deploy.

Create the collection

To avoid ever deploying anything to the built-in All Systems collection, we’ll create one for workstations. Anders Rodland has a great list of collection query examples.
  1. Connect to HYD-CM1 and launch the Configuration Manager Console.
  2. Navigate to the Assets and Compliance -> Device Collections node.
  3. Click Create and select Create Device Collection.


  4. In the Create Device Collection Wizard, name the collection All Workstations. Set the limiting collection to All Systems and click Next.


  5. Membership Rules wizard - click the Add Rule dropdown and select Query Rule.


  6. At the Query Rules Properties screen, set the name to All Workstations and click Edit Query Statement.
  7. Criteria tab - On the Criteria tab click the star to add criterion.
  8. At the Criterion Properties screen, leave Criterion Type as Simple value. Click the Select button.
  9. Set the Attribute class to System Resource and set the Attribute to Operating System Name and Version. Click OK.


  10. Set the Operator to is like. Click the Value button.
  11. Set the Values to Microsoft Windows NT Workstation% and click OK.


  12. Click OK to close the Criterion Properties screen. Click OK again to close the Query Statement Properties screen. Click OK yet again to close the Query Rule Properties screen.


  13. Check Schedule a full update on this collection and click Schedule.
  14. Select Custom interval and set it to recur every 1 days. Change the Start time to 11:59 PM. Click OK.


  15. Click Next. At the Summary screen, click Next. At the Completion screen, click Close.
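The same collection can be created from the ConfigurationManager PowerShell module, which also shows the WQL that the Criterion, Operator and Value dialogs above generate. This is an added example, not part of the original post or the lab’s own scripts; it assumes the console is installed on HYD-CM1 (so SMS_ADMIN_UI_PATH is set), that the site code is CHQ as in the 365 Powered Device Lab, and that the select list in the query matches what the console produces.

```powershell
# Added example (not from the original post): build the All Workstations collection
# from the wizard steps above with the ConfigurationManager module, then verify it.
# Assumes the console is installed (SMS_ADMIN_UI_PATH set) and site code CHQ.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'CHQ:'

$name = 'All Workstations'

# Steps 6-12: the WQL behind "Operating System Name and Version is like Microsoft Windows NT Workstation%".
# Servers report "Microsoft Windows NT Server ..." / "Advanced Server", so they never match.
$query = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation%"
"@

# Steps 13-14: full membership update every 1 day, starting at 11:59 PM
$schedule = New-CMSchedule -Start (Get-Date -Hour 23 -Minute 59 -Second 0) -RecurInterval Days -RecurCount 1

if (-not (Get-CMDeviceCollection -Name $name)) {
    # Step 4: limited to All Systems, so the collection can never contain a device the limiting collection lacks
    New-CMDeviceCollection -Name $name -LimitingCollectionName 'All Systems' `
        -RefreshType Periodic -RefreshSchedule $schedule | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -RuleName $name -QueryExpression $query
}

# Evaluate membership now instead of waiting for 11:59 PM, then verify
Invoke-CMCollectionUpdate -Name $name
Start-Sleep -Seconds 30

Get-CMDeviceCollection -Name $name | Select-Object Name, LimitToCollectionName, MemberCount
# Every member should report a workstation OS; a server here means the query needs another look
Get-CMCollectionMember -CollectionName $name | Select-Object Name, DeviceOS
```

The membership verification is the part worth keeping: the ADR in the next section deploys to whatever this collection contains, so confirming that no server ever matches the query is a cheaper check than discovering it after a deadline has passed.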

Create the ADR

  1. In the Configuration Manager Console, expand the Software Library -> Software Updates node.
  2. Right-click Automatic Deployment Rules and select Create Automatic Deployment Rule to launch the Create Automatic Deployment Rule Wizard.


  3. General - Set the name to Workstation Patching. For Collection, click Browse, select All Workstations, and click OK. Leave the rest of the settings default and click Next.


  4. Deployment Settings - Leave defaults and click Next.
  5. Software Updates - Check Product, Required, Superseded, and Update Classification.


  6. For Product, click items to find. Check Windows 10 and click OK.
  7. For Required, click text to find. Type >0 and click Add. Click OK.
  8. For Superseded, click value to find. Select No and click OK.
  9. For Update Classification, click items to find. Check Critical Updates, Security Updates, Update Rollups, and Updates. Click OK. Click Next.


  10. Evaluation Schedule - Select Run the rule on a schedule. We want to provide time between the SUP sync, the optimization script scheduled task, and the ADR evaluation. Click Customize.
  11. On the Custom Schedule page, select: Monthly, Recur every 1 months on, and The Second Tuesday. We’ve set the WSUS sync to 2:00pm, the script is scheduled for 4:00pm, so we’ll set the Start time to 6:00 PM. Click OK and click Next.


  12. Set Installation deadline to As soon as possible so our patches start deploying immediately. Click Next.


  13. User Experience - For Suppress the system restart on the following devices check Servers and Workstations. Check If any update in this deployment requires a system restart, run updates deployment evaluation cycle after restart. Click Next until you reach the Deployment Package wizard.


  14. Deployment Package - Set the deployment package Name to WorkstationPatches. For Package source click Browse. In the address bar paste \\CM1.CORP.CONTOSO.COM\PackageSource\WSUS\SCCMDeploymentPackages and click Select Folder. Check Enable binary differential replication and click Next.


  15. Distribution Points - Click Add and select Distribution Point. Check CM1.CORP.CONTOSO.COM and click OK. Click Next.


  16. Click Next until you reach the Completion screen. Click Close.
  17. At this point we’ve already synced WSUS and performed a cleanup using Bryan’s script. Right-click the newly created Workstation Patching ADR and select Run Now.