Table of Contents
Introduction
Upon creating an automatic Software Update strategy in your organization, you need to automate this process as much as possible.
If you are using SCCM, you should be creating Automatic Deployment Rules (ADRs).
ADRs require configuration with deployment deadlines for software update installation on the clients.
This blog post describes in short what ADRs are and how they deploy to clients in different phases.
What are Automatic Deployment Rules?
ADRs are used to accomplish the following tasks automatically:
- Filter out Software Updates according to a set amount of criteria from the database.
- Add the filtered out Software Updates to a Software Update Group
- Download the Software Updates to a Deployment Package
- Deploy the Software Update Group to a collection
I have previously created a blog post which describes how to add multiple deployments for one Automatic Deployment Rule.
Configure ADRs in SCCM
The Deployment Schedule page looks like this in the Create Automatic Deployment Rule Wizard:
The different options that you can configure are defined by Microsoft here: https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates
Above we can see that Available Time is two days. After two days, the software updates are available in the Software Center on the client.
Installation Deadline is configured for 7 days, which means that after 2+7 days, the software updates are forcefully installed on the clients.
Maintenance Windows and Deployment Deadlines
If you deploy software updates manually or using an Automatic Deployment Rule, any maintenance windows on a device will take precedence.
When looking into UpdatesDeployment.log, you can see the following line if a maintenance window is targeted to a machine.
no current service window available to run updates assignment with time required
If you want to see which maintenance windows are configured on a device, I recommend using Nickolaj Andersen’s Powershell script.
Conclusion
The key take away from this is that the software updates’ installation deadline is the sum of Available time + Deadline time.
I hope this short explanation can help someone! Did you know this? Please leave a comment below!
Related posts
- How to configure maintenance windows in SCCM with a Patch Tuesday offset
- How to configure update schedule for collections in SCCM using Powershell
Is the screen shot above, you have the “actual time” listed under available time and deadline time. I dont see that option on SCCM 1902. What version are you running?
Hi Ben,
Sorry for the extremely late reply… I am also seeing the same thing here without the box. I will investigate 🙂
Thanks!
/Daniel
Did this question ever get answered?
Hello Daniel,
Could you please help me on below point?
I have deployed software update on system, no user logged in that system (LAB system’s). System power is on.
Type of deployment is Required.
But patches not installed on that system from last 2 days.
I have pull log from system and observed.
Windows update scan run completed. system downloaded required patches. but still not installing.
Is it required to user login in that system for install patches,
or any other deployment setting is require for this scenario ?
Hello Daniel,
Please find Updatedeployment.log
Update (Site_4126B8CA-59A6-48B0-B3FF-69F92E5D04B5/SUM_54c61861-e5d2-4b07-82f3-54c0d167c0a6) Name (Security Update for Microsoft Word 2016 (KB4484268) 32-Bit Edition) ArticleID (4484268) added to the targeted list of deployment ({EF0CF867-76B4-48C6-BD9E-2C4E61276725}) UpdatesDeploymentAgent 4/2/2020 1:02:24 AM 964 (0x03C4)
Update (Site_4126B8CA-59A6-48B0-B3FF-69F92E5D04B5/SUM_876138e5-4624-4dd6-b4e6-b063bf57efef) added to the targeted list of deployment ({EF0CF867-76B4-48C6-BD9E-2C4E61276725}) UpdatesDeploymentAgent 4/2/2020 1:02:24 AM 964 (0x03C4)
Update (Site_4126B8CA-59A6-48B0-B3FF-69F92E5D04B5/SUM_8d642417-1aa0-4b95-b294-fc9b7159e62d) added to the targeted list of deployment ({EF0CF867-76B4-48C6-BD9E-2C4E61276725}) UpdatesDeploymentAgent 4/2/2020 1:02:24 AM 964 (0x03C4)
Update (Site_4126B8CA-59A6-48B0-B3FF-69F92E5D04B5/SUM_e85c7796-010e-4f92-a901-852563815598) added to the targeted list of deployment ({EF0CF867-76B4-48C6-BD9E-2C4E61276725}) UpdatesDeploymentAgent 4/2/2020 1:02:24 AM 964 (0x03C4)
Update (Site_4126B8CA-59A6-48B0-B3FF-69F92E5D04B5/SUM_b9f38079-d7b9-4519-8435-7a0fe43f511e) Name (2020-03 Cumulative Update for Windows 10 Version 1909 for x64-based Systems (KB4551762)) ArticleID (4551762) added to the targeted list of deployment ({EF0CF867-76B4-48C6-BD9E-2C4E61276725}) UpdatesDeploymentAgent 4/2/2020 1:02:24 AM 964 (0x03C4)
Evaluation completed for the assignment {EF0CF867-76B4-48C6-BD9E-2C4E61276725} UpdatesDeploymentAgent 4/2/2020 1:02:24 AM 964 (0x03C4)
CUpdateAssignmentsManager received a SERVICEWINDOWEVENT END Event UpdatesDeploymentAgent 4/2/2020 5:00:00 AM 1356 (0x054C)
No current service window available to run updates assignment with time required = 1 UpdatesDeploymentAgent 4/2/2020 5:00:00 AM 1356 (0x054C)
Hi Husen,
Sorry for the very late reply. Did you manage to solve this? Required patch deployments do not require the user to be logged on, so that shouldn’t be the problem…
/Daniel
How do maintenance windows factor in?
If a client has an assigned maintenance window, the updates will not install even if the deadline has been reached. However, you can override this behavior in the deployment settings. If you want to control when updates are installed, I would recommend controlling this through maintenance windows and not using deadlines. I will add this as a reference in the post. Thanks!
/Daniel
Following up to a question that was asked earlier – your screenshot shows the “actual time” listed under available time and deadline time. I am running 2103 but I don’t see that as an option anywhere. This would be an awesome addition to the interface if I can find out how to enable it.
Thanks,
Scott
Hi, I have ADR deployed to 2 collections with deadline of 10 days (a day before MW for reboot starts) – for this month it is 26th of February, however today I saw that on all servers in both collections updates had been installed with pending reboot info. This is very annoying and unwanted behavior – anyone with idea what might be causing this?