
Table of Contents
Introduction
As part of a cleanup task for a customer, I had to create a script that would move Software Updates from the latest built Software Update Group (SUG) to a yearly, consolidated one.
In this blog post, I cover my recommendations for Software Update Groups and provide a script for moving Software Updates between different groups.
What are Software Update Groups in SCCM?
A Software Update Group in SCCM collects security updates that you wish to deploy to machines. These are crucial for software update deployment.
Once the security updates have been added to a Software Update Group, they are downloaded to a deployment package.
Software Update Groups can be created manually via the console, scripted via Powershell, or automatically created using an Automatic Deployment Rule.

My recommendation for Software Update Groups
Previously I have automatically created a new Software Update Group (SUG) following the Automatic Deployment Rule evaluation.
You would want to do this because there is a soft limit of 1000 patches per Software Update Group.
I can’t say what happens if you exceed this amount, but it is a general recommendation not to do so.
How to clean Software Update Groups
Cleaning up Software Update Groups (SUGs) is essential.
I have seen examples where a new Software Update Group has been created each time an Automatic Deployment Rule (ADR) has been evaluated.
Usually not an issue, but in this case, it only contained Windows Defender definition updates.
How to move Software Updates between Software Update Groups in SCCM using Powershell
Why should you use the script?
Suppose you have configured an Automatic Deployment Rule (ADR) to create a new Software Update Group upon every new evaluation. In that case, you end up with multiple Software Update Groups, which can turn into a lot after a year.
At the end of the year, I have previously consolidated all Software Updates for that given year into a yearly Software Update Group called All Windows Client Updates 2018 or similar.
When creating yearly Software Update Groups I use Nickolaj Andersen’s excellent tool to create Software Update Groups.
How does the Powershell script work?
If you want to move a Software Update between different Software Update Groups, you don’t move them, but rather change the membership.
The script that I have provided will take the latest created Software Update Group and add those members to a defined Software Update Group.
The Powershell script
Below is the script I have created for editing the membership of a Software Update Group.
<#
.SYNOPSIS
This script will add all updates from the latest Software Update Group to a defined Software Update Group.
.DESCRIPTION
This script will add all updates from the latest Software Update Group to a defined Software Update Group.
Author: Daniel Classon (www.danielclasson.com)
Version: 1.0
Date: 2018-12-18
.EXAMPLE
.\Add-SUGMembers -DestinationSUG SUG1
This will add all updates contained in the latest Software Updates Group to SUG1.
.DISCLAIMER
All scripts and other powershell references are offered AS IS with no warranty.
These script and functions are tested in my environment and it is recommended that you test these scripts in a test environment before using in your production environment.
#>
PARAM(
[string]$DestinationSUG
)
#Load SCCM Powershell module
Try {
Import-Module (Join-Path $(Split-Path $env:SMS_ADMIN_UI_PATH) ConfigurationManager.psd1) -ErrorAction Stop
}
Catch [System.UnauthorizedAccessException] {
Write-Warning -Message "Access denied" ; break
}
Catch [System.Exception] {
Write-Warning "Unable to load the Configuration Manager Powershell module from $env:SMS_ADMIN_UI_PATH" ; break
}
#Set current drive to SCCM drive
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location -Path "$($SiteCode.Name):\"
Function Write-Log
{
PARAM(
[String]$Message,
[int]$Severity,
[string]$Component
)
$LogPath = $PSScriptRoot
$TimeZoneBias = Get-WMIObject -Query "Select Bias from Win32_TimeZone"
$Date= Get-Date -Format "HH:mm:ss.fff"
$Date2= Get-Date -Format "MM-dd-yyyy"
$Type=1
"<![LOG[$Message]LOG]!><time=$([char]34)$Date$($TimeZoneBias.bias)$([char]34) date=$([char]34)$date2$([char]34) component=$([char]34)$Component$([char]34) context=$([char]34)$([char]34) type=$([char]34)$Severity$([char]34) thread=$([char]34)$([char]34) file=$([char]34)$([char]34)>"| Out-File -FilePath "$LogPath\Add-SUGMembers.log" -Append -NoClobber -Encoding default
}
#Change membership of Software Update to new Software Update Group
$LatestSUG = Get-CMSoftwareUpdateGroup | Select-Object LocalizedDisplayName,DateCreated | Sort-Object DateCreated | Select-Object -Last 1
$Updates = Get-CMSoftwareUpdate -UpdateGroupName $LatestSUG -Fast
$Count = 0
Foreach ($Update in $Updates) {
$Count++
Try {
Add-CMSoftwareUpdateToGroup -SoftwareUpdateId $($Update.CI_ID) -SoftwareUpdateGroupId $($DestinationSUG.CI_ID)
Write-Progress -Activity "Adding $($Update.LocalizedDisplayName) to $($DestinationSUG.LocalizedDisplayName)" -Status "Adding $Count of $($Updates.Count) updates to $($SourceSUG.LocalizedDisplayName)" -PercentComplete ($Count / $Updates.count * 100)
Write-Log -Message "Adding $($Update.LocalizedDisplayName) to $($DestinationSUG.LocalizedDisplayName)" -Severity 1 -Component "Add SU to SUG"
}
Catch {
Write Warning "$_.Exception.Message"
Write-Log -Message "$_.Exception.Message" -Severity 3 -Component "Add SU to SUG"
}
}
Set-Location $PSScriptRoot
Conclusion
Using the mentioned script helps you keep track of your Software Update Groups. Great!
How do you handle Software Update Groups in SCCM? Please leave a comment below!
References
Related posts
- Create SCCM ADR with multiple deployments
- Create SCCM Maintenance Windows based on Patch Tuesday
- SCCM Automatic Deployment Rules Deadline Configuration
- How to export Task Sequence references in SCCM using Powershell
Subscribe to newsletter:
If you want to receive the latest news for MEMCM, Windows 10, and Powershell, please subscribe to my monthly newsletter!
Hello Daniel, i understand that the link to Nikolaj Andersons Script to create the SUGs and then consolidate the updates to a yearly SUG but Im trying to visualise how your script it fits into the process, are you doing this task everytme a new SUG is created so that it consolidates ongoing instead of doing one massive SUG at the end of the year? which is how i see Nikolaj script being used.