When building software update packages in SCCM we run into having to build a deployment package to see what size the updates are. The issue we are having is managing the size of these packages which are frequently getting into the multiple GB range. One we ran recently hit almost 6 GB.

This information is on the Windows Update Catalog site, but it doesn't appear to be in SCCM or WSUS. I'm guessing that it isn't in the data that is available to WSUS and as a result SCCM doesn't get it either. It would be very useful if we could see the update size in the All Updates view, in Update Groups and in the Update Packages views as well.

I'd like to have the option, when pushing out software updates to have deadlines for maintenance windows. For example, you set the deadline for automatic install and reboot for sunday at 10pm and set the deadline behaviour to not do anything outside of the maintenance window. This means the patches will only automatically install during the maintenance window and wont interrupt the users during the day. However, I'd like a secondary deadline, so that say on Wednesday night I can set the patches to install outside of the maintenance window from say 6pm onward (i.e the users have had enough time to install the patches out of hours and are now getting them regardless during the business day), as this is how I initially thought the deadline behaviour worked (but obviously doesn't), as at present I have to go into all my deployments after a week and change the behaviour to install patches and reboot outside of maintenance windows (to catch all the people who turn their machines off or take laptops home etc)

We create "year packages" for several products so older updates are in a "static software upgrade". But we still have to maintain these SUG periodically to remove superseeded updates.
An example:
I'd like to have an ADR which selects all updates from 2015 for all my server OS'es and checks this every month or quarter so expired updates are automatically removed and reinstated updates are added again.

In addition, I want my current ADR to select all updates from 1st of Januar till now. This is not possible at the moment because all moments are relative.

Why(?) this seems strange since the option "add to existing Software update group" the SUG cleans before adding the selected updates. This makes the "adding" variant obsolete, isn't it?

On our Primary site server, under Admin > Site System properties, we have set the proxy settings with username and password.

In our company, Domain Admins are blocked at the proxy server from accessing the internet. My colleague, who is an SCCM admin, but not a Domain Admin, can download Software Updates and add them to a Deployment Package. I am a Domain Admin, and when I try this, it fails with: "Error: Failed to download content ID 16902216. Error %1 is not a valid Win32 application."

So, that proxy setting is used by some functions of ConfigMgr, but not all.

According to Scott Breen [MSFT]:

Configuration Manager needs to connect to the Internet to download the source files for Software Updates. This process is initiated via:
- The Configuration Manager server during the execution of an Automated Deployment Rules (ADR);
- The Configuration Manager console (in the user context on the computer where the console is running) during creation of a Software Update package.

The download process requires the computer or user account where the download originates to have access direct to the internet or through a proxy server.

The proxy server configured within Configuration Manager settings is for the server initiated downloads only - NOT the console initiated downloads.

What I would like is for the admin console to have a proxy settings section, so that for software downloads, it can used a specific user account to do the downloads. In my case, using Internet Options proxy settings is not feasible, as that account doesn't have rights to logon to the server.

Desired behaviour: Either use the proxy settings set in the Site Server properties to do the downloads, OR, allow us to specify the settings in the console (including specifying user/password there).

We use a bios password (requirement from our Security admin) which means that Third Party Updates for Dell fail because it can't access the Bios to update. The ability to save a Bios Password somewhere in SCCM TPU's area to be supplied to the TPU process when required. Not sure how complicated this is or how it could be done, but currently the bios update option doesn't seem possible using TPU if you have a Bios password. Yes, I realize I can use CCTK to create a manual deployment but obviously TPU is much simpler. I have verified that once the Pwd is removed the bios update works fine. NOTE- the logs were no help identifying this was the issue, maybe something could be done with that also - "Can't run update because password set on BIOS" or something like that :) (rather than 0x87d00705)

Hi There,

I am wondering if we can have an option in SCCM to force restart desktop endpoints after patch installation when no user logged in. This option certainly not useful for server endpoints but for desktop endpoints, it could be a blessing for work station admins those have to chase users to restart the VDI/desktop endpoints periodically to get patches installed in an environment where admins can't define any specific restart time due to nature of the job. Possible options/ features I see:
1. Define setting in machine collection/ deployment group that if no user logged in install the patches and force restart the endpoint.
2. If the user is logged in and restart is required, the SCCM client waits for the time when the machine has no user logged in to trigger force restart.
3. Option to configure this feature only for client OS to avoid human error to force the setting in server environment.

It would be great to have a menu item to view the specific update reports in the All Software Updates view and within the Software Updates Groups view. Currently we can ascertain the updates' status details, required count, install count etc... from the Software Update list view but this information is not interactive. To actually identify the specific list of systems these updates are needed by or installed on we have to manually run a compliance report for the software update. It would be nice to have that functionality built into the Software Library module where highlighting an update will enable a selection menu to run off reports for that update.

When deploying Software Updates to your server farm, it would be great to have a centralized Dashboard or Web Interface that provides you real time statistics of the patch installation process. This would give you the ability to immediately see if a patch failed to install or a client failed to install a patch or, in the case of a few updates, that a reboot is required to the remaining patches can be installed. I know its kind of getting greedy but if this dashboard existed, and you could right click on a server and launch a remote version of Software Center and siimply initiate a retry from this Dashboard (rather then having to RDP into the server and do it manually), patching servers and workstations would be so much easier.

Sometimes (one time per week) we have a failed automatic deployment rule (ADR).

Error Code:
SMSRULEENGINE
Message ID: 8706
Decription:
Content download failed.
Message: Failed to download one or more content files.
Source: SMS Rule Engine.

Most of the time it is the one of the Windows Defender Definition updates. If I Re-run (Run Now) the ADR it works perfectly. Maybe there is not enough time between sync sup and run ADR. I don't know. After I click "Run Now" it's always success.

It would be great if you can add an option "Re-run failed ADR, after X minutes, try it X times" something like that.

This could be a config thing and if it is I'm sorry, I cannot find where.

Last month I grabbed all updates that have a required > 1 and deployed them (to test first of course). Now, several days (and more accurately, several maintenance windows) after they were deployed I have some updates that in the console show in monitoring\deployments\my deployment\error tab and on the client show as "past due - will be installed". The only way I know to fix these is to manually log into each server, possibly reboot them, then manually click on the retry button for the updates.

Many of my servers must be patched after Midnight. I work 9-5. They have maintenance windows from Midnight to 0500 every day. It would be great if they would retry installing the updates each maintenance window instead of me having to pull all-nighters.

When required updates are delivered, popup the "Required software changes..." dialog window. The current 5 second toast notification and small taskbar icon don't do much to alert the user. This would greatly increase the # users that install and reboot before the deadline. Currently a vast majority get installed automatically at the deadline. It's a likely reason companies have a difficult time requiring a reboot. The "Required software changes..." dialog window provides the date and time it will automatically install and allows them to install now. You can only communicate out so much to the users, so these dialog windows become very important. Thanks.