Benoit Lecours, Author at System Center Dudes

For the past few months, the monthly Windows Updates proved to be a bit more difficult to handle, thanks to Microsoft’s Servicing Stack updates. Servicing Stack updates are basically updating the components that process Windows Update among other management components. This means that pretty much each time a servicing stack update is released, it must be applied prior to being able to install the various cumulative updates required. In this post, we will demonstrate how to manage servicing stack updates with SCCM using Automatic deployment rules (ADR)

Those updates are not necessarily being released each month, and if they are, it may be for only a few OS version or builds. For most environments, it will mean that some OS will require Servicing Stack updates pretty much each month as Microsoft been releasing updates each month for the past few months

This great write up by DamGoodAdmin gives more details on how the servicing stack updates affect monthly updates.

As described by DamGoodAdmin, the Servicing stack updates create a catch 22 situation :

The CU isn’t applicable until the SSU is installed and a full scan is ran.
A full scan won’t run outside of its normal schedule unless you reboot.
The SSU doesn’t trigger a reboot.

Servicing stack update SCCM’s ADR

We usually recommend keeping servers and workstations in separate ADR to prevent accidental patching of servers. The process remains the same as we demonstrate here.

Browse to Software Library/Software Updates/Automatic Deployment Rules and create a new ADR

Give a significant Name, target a test collection and select Create a new Software Update Group

Leave default

The Search Criteria is the most important part.
- Products: select either workstation or server-side of OS.
  - SSU are available for all supported OS version, including LTSB/LTSC builds of Windows 10
- Title: add Servicing Stack
  - In this case, we don’t have x86 or Itanium servers, so we excluded those.
- Hit Preview to see the search criteria result

Search criteria result

For the Recurring schedule for this rule, we use the same as usual. SSU are released along with other cumulative updates, usually on Patch Tuesday

Plan the test phase deployment.

Planning SSU deployment schedule

Much like planning your global patching schedule for various phases(test, pilot, production), SSU should be delt the same way. The most important part is the timing!!!

In order for the cumulative update to be applied on a due date based on your deployment strategy, the servicing stack update must be installed on the computer AND a software update Scan must run after the SSU installation and before the deployment date of the cumulative updates.

To do so, we deploy the SSU at least 24 hours prior to the cumulative updates. To match this, the Software Update scan schedule is set to 1 day.

Careful planning based on your configuration is required to respect those requirements.

The Servicing stack update doesn’t require a reboot. But just in case, check the Suppress system restart. We also hide every notification as no user impact is expected. Be mindful of your maintenance windows in case you need an exemption from it.

Set alerts if desired

The deployment package can be your usual ones. No need for a separate package.

Download update from the internet

Leave the default for languages

We usually check If software updates are not available on DP, download from Microsoft Update as a backup solution

Summary

That’s it. The same can be done for workstations. Adding additional deployment to fit your need is key also. Remember, SSU must be applied and an update scan must have run before the cumulative updates deployment to succeed.

Will it always be required to applied SSU prior to the cumulative updates? So far it seems like it. Will Microsoft change the “rules” again in the future? Probably…

Happy updating!

[ratings]