How to create Software update group and deploy to device collection

a. Go to Assets and Compliance.
b. Go to Device Collections, right-click and select Create Device Collection.
c. Name your device collection and assign a limiting collection.
d. Limiting collections can be per site, “All Systems”, or a custom group.
e. Create rules for the collection (based on the limiting collection).
   i. A Direct Rule explicitly defines systems.
   ii. A Query Rule creates an SQL query for systems.

Create Software Update group (note that you may have to make multiple groups for deploying updates for different OS patches, such as Desktop OS and Server OS; it is a good idea to split them up so that the SUGs are small).
a. Go to Software Library.
b. Go to Software Updates > All Software Updates.
c. Search for your criteria of updates.

Search criteria should contain the following:

  1. Required
  2. Expired
  3. Date released and revised
  4. Superseded
  5. Product

d. Select the updates you want to deploy and right-click to “Create update group”.
e. Name the group.
Download the updates after validating that the updates contained in the SUG have no issues. Test the updates against a pilot group of computers to ensure the updates do not break anything.
a. Create a new folder for your updates in \\sccm server\Packages\Updates\
b. Select all your updates > Right click > Download
c. “Create new deployment package”: name it and point it to the package directory \\sccm server\Packages\Updates\
d. Add all the distribution points you need to deploy to (except the primary server).


e. Download software from the internet. (This might take a while to complete.)

Monitor MS update group content
a. Go to the Monitoring tab and confirm the content has been distributed to all DPs prior to deploying the MS update group to a collection.

Deploy your software update
a. Right-click your update group > Deploy.
b. Name the deployment and select the collection to deploy to.
c. Select a time (deadline) to install the patches. (Patches can be available as soon as possible.)
d. Select User Experience options:
   i. Notifications (only for restarts)
   ii. Deadline behavior (software updates installation, and optional forced restart)
   iii. Suppress server reboots
e. Set up alerts if desired (80% is the suggested setting).
f. Set client download settings.
g. Next and finish.

Monitor patching deployments
a. Go to the Monitoring section and click Deployments.
b. Double-click the deployment task to open the deployment status dialog box with 4 tabs (Compliant, In Progress, Error, Unknown).
c. Unknown means that clients have not yet checked in to download and install MS updates, or have a corrupted SCCM agent installation.
d. For machines with errors, resolving them on a weekly basis is suggested.
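
The console steps above can also be scripted with the ConfigMgr PowerShell cmdlets. The following is an added example, not part of the original guide: the collection, SUG, package and distribution point names, the UNC path, the product, the 30-day release window and the 7-day deadline are all placeholder assumptions, and it targets a pilot collection first.

```powershell
# Added example. Run from a ConfigMgr PowerShell session whose location is the
# site drive (e.g. "XYZ:"). Every name, path and date below is a placeholder.
$Collection = 'Pilot - Desktop OS'                      # hypothetical pilot collection
$Limiting   = 'All Systems'                             # limiting collection
$SugName    = 'SUG - Desktop OS - Pilot'                # hypothetical SUG name
$PkgName    = 'Updates - Desktop OS'                    # hypothetical deployment package
$PkgPath    = '\\sccmserver\Packages\Updates\DesktopOS' # placeholder UNC path
$DPs        = @('dp01.example.test')                    # placeholder DP (not the primary)
$Product    = 'Windows 10'                              # placeholder product criterion

# Device collection with a query rule, scoped by the limiting collection.
New-CMDeviceCollection -Name $Collection -LimitingCollectionName $Limiting | Out-Null
$Wql = "select * from SMS_R_System where " +
       "SMS_R_System.OperatingSystemNameandVersion like '%Workstation%'"
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Collection `
    -RuleName 'Workstations' -QueryExpression $Wql

# Search criteria: not expired, not superseded, release date, product, required.
$Updates = Get-CMSoftwareUpdate -Fast -IsExpired $false -IsSuperseded $false `
        -DatePostedMin (Get-Date).AddDays(-30) -CategoryName $Product |
    Where-Object { $_.NumMissing -gt 0 }   # "Required" by at least one client
if (-not $Updates) { throw 'No updates matched the search criteria.' }

# Software update group built from the filtered updates.
New-CMSoftwareUpdateGroup -Name $SugName -UpdateId $Updates.CI_ID | Out-Null

# Deployment package: download the content, then send it to the DPs.
New-CMSoftwareUpdateDeploymentPackage -Name $PkgName -Path $PkgPath | Out-Null
Save-CMSoftwareUpdate -SoftwareUpdateGroupName $SugName -DeploymentPackageName $PkgName
Start-CMContentDistribution -DeploymentPackageName $PkgName -DistributionPointName $DPs

# Confirm distribution to all DPs under Monitoring before running this step.
$Deploy = @{
    SoftwareUpdateGroupName = $SugName
    CollectionName          = $Collection
    DeploymentName          = "$SugName - Deployment"
    DeploymentType          = 'Required'
    AvailableDateTime       = Get-Date               # available as soon as possible
    DeadlineDateTime        = (Get-Date).AddDays(7)  # install deadline (assumption)
    UserNotification        = 'DisplaySoftwareCenterOnly'  # restart notices only
    SoftwareInstallation    = $true                  # install at deadline
    RestartServer           = $true                  # suppress server reboots
    GenerateSuccessAlert    = $true
    PercentSuccess          = 80                     # alert below 80% compliance
    TimeValue               = 7
    TimeUnit                = 'Days'
}
New-CMSoftwareUpdateDeployment @Deploy
```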