Windows and Application Patching
- Katelyn Russell
- Daniel Vega
Supported Operating Systems
Windows Patching
Windows patching is configured by default for endpoints when they are onboarded into Configuration Manager.  This is accomplished by automatic membership into three collections:
- A global EPM managed Maintenance Window collection that applies a governance approved global maintenance window for all devices.
- An ITSO controlled 'include' maintenance window collection whose membership is included in the global collection.
- An ITSO Software Update collection to which updates are deployed.
Servers
While Windows servers use the same collection structure, servers are opt-in. A server device collection will need to be added to the corresponding software update collection. The same is true for a maintenance window. Add your server collection(s) to a maintenance window.
Maintenance Window collections
The global Maintenance Window collection is controlled by EPM, but ITSOs can exclude clients from it. Its Maintenance Schedule is "Every Day 0000-0600".

| Collection Name | Schedule |
|---|---|
| EPM - MW - Every Day 0000-0600 | Every Day 12:00 AM - 06:00 AM |
Department-specific collections can be found under Assets and Compliance \ Device Collections \ your DEPT collection \ Software and Update Maintenance \ Maintenance Windows.
- Include: Devices in this collection use the defined maintenance window
- Exclude: Devices in this collection are removed from the "global maintenance window" (include collection) to allow an ITSO to define their own.

| Collection Name | Schedule | Membership |
|---|---|---|
| <DEPT> - MW - Every Day 0000-0600 - Include | Every Day 12:00 AM - 06:00 AM | is defined by including "All <DEPT> Clients" |
| <DEPT> - MW - Every Day 0000-0600 - Exclude | Every Day 12:00 AM - 06:00 AM | is determined by the ITSO |
If devices are "excluded" then an ITSO must define a maintenance window for them, otherwise devices in the exclude collection will install updates and possibly restart as soon as those updates are available. Adding devices to the exclude collection does not exclude them from getting updates.
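The two ITSO tasks described above (opting a server collection in, and giving excluded devices their own maintenance window) can be scripted with the ConfigurationManager PowerShell module. This is an added example, not a script from this page or from EPM; the site drive is discovered at run time and all collection names are placeholders you would replace with your own.

```powershell
# Added example: assumes the ConfigurationManager module that ships with the console.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$((Get-PSDrive -PSProvider CMSite).Name):"   # switch to the site drive

# Placeholder collection names; substitute your department's collections.
$ServerCollection    = "DEPT - Servers"
$UpdateCollection    = "DEPT - SU - Windows Server - Required"
$MwIncludeCollection = "DEPT - MW - Every Day 0000-0600 - Include"
$MwExcludeCollection = "DEPT - MW - Every Day 0000-0600 - Exclude"

# 1. Servers are opt-in: include the server collection in the software update
#    collection and in the ITSO maintenance window 'include' collection.
foreach ($target in @($UpdateCollection, $MwIncludeCollection)) {
    Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $target `
        -IncludeCollectionName $ServerCollection
}

# 2. Excluded devices still receive updates, so the exclude collection needs its
#    own window or updates install (and may restart the device) as soon as they
#    are available. Here: every day 02:00-05:00, applied to software updates only.
$schedule = New-CMSchedule -Start (Get-Date "02:00") -End (Get-Date "05:00") `
    -RecurInterval Days -RecurCount 1
New-CMMaintenanceWindow -CollectionName $MwExcludeCollection `
    -Name "ITSO - Every Day 0200-0500" -Schedule $schedule -ApplyTo SoftwareUpdatesOnly

# 3. Check: the exclude collection should now list at least one enabled window.
Get-CMMaintenanceWindow -CollectionName $MwExcludeCollection |
    Select-Object Name, Description, IsEnabled
```

If step 3 returns nothing, the devices in the exclude collection have no maintenance window and will patch and restart outside any controlled period.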
Inventory collections
A range of "inventory collections" have been created to limit and scope the application of updates and other software. These are located in the "Operating Systems" and "Software Installations" collections.
Software Updates collections
Software Update deployment collections exist in the ITSO Subscription per Operating System major version and for each Office major architecture type, and membership of those is limited to the inventory collections above. Software Update deployments are applied to the collections in the Software Update folder in the ITSO Subscription. Refer to Configuration Manager #1 Glossary of Key Terms and Concepts for definitions of Available vs Required deployments.
Office and Windows updates
By default (Subscriptions setup from 2022 onward), all Windows 10 clients, all Windows 11 clients, all Office MSI clients, and all Office 365 and LTSC clients are included in the "Required" update collections for each of the groups of clients listed.
This infrastructure creates the necessary framework to automatically patch a client with appropriate OS and Office Updates every day at midnight.
Feature updates (Enablement Package)
Patching as described at the onset of this page will not upgrade Windows to a new build. Deploy a new build when you are ready; builds that have reached end of support no longer receive patches. The process of deploying an enablement package is similar to deploying a Software Update.
From the Configuration Manager console:
- Go to Software Library \ Windows Servicing \ All Windows Feature Updates
- Use search to filter, for example type in "22H2" and click Search to see just those builds
- Right click and select Deploy
  - Step through the wizard to deploy this to the Device Collection you want to target along with your desired settings such as making the deployment required and perhaps hiding user notifications.
You can monitor the deployment in Monitoring \ Deployments.
Servicing Plan
You can alternatively create your own deployment rings to keep Windows up to date when new builds are released.
See:
- Overview of Windows as a service - Windows Deployment | Microsoft Learn
- Manage Windows as a Service - Configuration Manager | Microsoft Learn
3rd Party Updates (Patch My PC)
The update mechanism is the same as is used for Windows patching.
Visit the page CM Deploying 3rd Party Updates to Collections (Patch My PC) for information about custom software update groups.
EPM is available to IT Support Organizations (ITSOs) with any endpoint management questions. If you have a question about a specific endpoint client, please reach out to your local endpoint client support organization.