Security Updates & Update Deployment Rules

May 2, 2011 at 7:12 pm in Uncategorized by nsienaert



Software Updates Management changed slightly compared with ConfigMgr 07. Update Lists and Deployment Management no longer exist; they are replaced by Software Update Groups.

New features such as the automatic removal of expired updates from the distribution points and "Automatic Deployment Rules" are very welcome. Let's talk about these Automatic Deployment Rules.

View of the new Software Updates node:


With these rules, updates that match the criteria you define are approved and deployed automatically. Once a rule has run, the corresponding Software Update Group and deployment package are created for you.
Let's look at this a little more closely.

I create an Automatic Deployment Rule; the wizard is quite straightforward, so I only show screenshots of the most important pages.

I select the criteria an update must match before the rule approves it. Here I choose that the custom severity must be "Important" and the architecture x64. Keep in mind that custom severity is metadata you set yourself in the console, so whoever can edit it effectively decides what this rule pushes out.


On the Deployment Schedule page two time intervals can be set.

"Time between rule run and deployment available" => the delay before the deployment becomes visible to clients. It gives ConfigMgr time to distribute the package to the DPs, and gives you time to cancel the deployment of a patch you did not want out [:)]

"Time between update available and deadline" => the grace period after the deployment becomes available; once it expires the installation becomes mandatory.

Next, I go to the "All Software Updates" node, select a few patches and change their custom severity to "Important".

With the excellent new search capabilities I list the updates for the sake of the demo.

By default the rule is evaluated every 7 days. This schedule can be customized, or you can run the rule on demand by right-clicking it and selecting "Run Now".

You can follow the status of the download and the creation of the package and group in ruleengine.log, located in the site server's Logs directory.

Beta 2 gotcha:

You may find that you can download updates "manually" (right-click an update, then Download) while the same downloads fail when triggered by the rule, with the following error in the log file.

By default, when automatic deployment rules run, the site server connects to the Internet and downloads software updates as Local System. When that account has no Internet access (for example because the proxy requires an authenticated account), the downloads fail and the following entry is logged in ruleengine.log: Failed to download the update from internet. Error = 12007. (12007 is the WinHTTP "name not resolved" error, which is what you get when the request never reaches a proxy that could resolve the download host.)

WORKAROUND: use the UpdDwnldCfg.exe tool to specify a different account (and proxy) for downloading the software updates from the Internet. The tool is located in <ConfigMgr Source Path>\SMSSETUP\BIN\x640000409 and has the following syntax:

UpdDwnldCfg.exe /s:<proxyserver:port> /u:<accountname> /allusers

Before using this tool you need to install the required hotfix (2538394), which is available for download on the Connect site.
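To catch this failure without scrolling through the log by hand, here is an added example of my own (not code from the original post or from the ConfigMgr product): a PowerShell script that parses ruleengine.log in the CMTrace line format and lists every download failure together with a hint for the WinHTTP error code. It runs on constructed log lines; the rule name, thread ids and source offsets in them are made up for the demo, and the function and column names are my own.

```powershell
# Added example (mine, not from the original post): read ruleengine.log in the
# ConfigMgr/CMTrace line format and report update download failures with a hint
# for the common WinHTTP error codes. The log lines at the bottom are constructed
# for the demo; point Get-AdrDownloadFailure at the real log on the site server.

# WinHTTP error codes that usually show up when the site server cannot reach
# the Internet (the "Error = NNNNN" part of the download failure entry).
$WinHttpErrors = @{
    12002 = 'ERROR_WINHTTP_TIMEOUT: the request timed out'
    12007 = 'ERROR_WINHTTP_NAME_NOT_RESOLVED: DNS lookup of the download host failed'
    12029 = 'ERROR_WINHTTP_CANNOT_CONNECT: TCP connection to the host or proxy refused'
    12175 = 'ERROR_WINHTTP_SECURE_FAILURE: TLS handshake or certificate validation failed'
}

# CMTrace entry type attribute: 1 = Info, 2 = Warning, 3 = Error
$LogType = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMTraceLog {
    # Turn raw CMTrace lines into objects. Each line looks like:
    # <![LOG[message]LOG]!><time="hh:mm:ss.fff+000" date="MM-dd-yyyy" component="..." context="" type="N" ...>
    param([Parameter(Mandatory = $true)][string[]]$Line)

    $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)".*?type="(?<type>\d)"'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Timestamp = '{0} {1}' -f $Matches['date'], ($Matches['time'] -replace '\+.*$', '')
                Component = $Matches['comp']
                Level     = $LogType[$Matches['type']]
                Message   = $Matches['msg']
            }
        }
    }
}

function Get-AdrDownloadFailure {
    # Return one object per "Failed to download ... Error = N" entry in the log.
    param([Parameter(Mandatory = $true)][string]$Path)

    foreach ($entry in (ConvertFrom-CMTraceLog -Line (Get-Content -Path $Path))) {
        if ($entry.Message -match 'Failed to download .*Error = (?<code>\d+)') {
            $code = [int]$Matches['code']
            $hint = if ($WinHttpErrors.ContainsKey($code)) { $WinHttpErrors[$code] } else { 'unknown code, look it up in the WinHTTP error list' }
            [pscustomobject]@{
                Timestamp = $entry.Timestamp
                Component = $entry.Component
                ErrorCode = $code
                Hint      = $hint
                Message   = $entry.Message
            }
        }
    }
}

# --- demo on constructed log lines (rule name, thread ids and file offsets are made up) ---
$sampleLog = @(
    '<![LOG[Starting rule "x64 Important updates"]LOG]!><time="19:05:01.101+000" date="05-02-2011" component="SMS_RULE_ENGINE" context="" type="1" thread="4120" file="ruleengine.cpp:100">',
    '<![LOG[Failed to download the update from internet. Error = 12007]LOG]!><time="19:05:14.877+000" date="05-02-2011" component="SMS_RULE_ENGINE" context="" type="3" thread="4120" file="ruleengine.cpp:412">',
    '<![LOG[Failed to download the update from internet. Error = 12029]LOG]!><time="19:05:31.210+000" date="05-02-2011" component="SMS_RULE_ENGINE" context="" type="3" thread="4120" file="ruleengine.cpp:412">',
    '<![LOG[Rule evaluation finished]LOG]!><time="19:05:32.005+000" date="05-02-2011" component="SMS_RULE_ENGINE" context="" type="1" thread="4120" file="ruleengine.cpp:150">'
)
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'ruleengine-sample.log'
Set-Content -Path $tmp -Value $sampleLog

# Only entries whose message carries a download error are returned; the Info lines are skipped.
Get-AdrDownloadFailure -Path $tmp | Format-Table Timestamp, ErrorCode, Hint -AutoSize
```

A 12007 or 12029 here, while a manual download from the console works, is the signature of the Local System account having no usable proxy path, which is exactly the case the UpdDwnldCfg.exe workaround above addresses; a 12175 points at certificate inspection on the proxy instead and needs a different fix.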

