Deploying Software Updates
Overview
This document describes the client-side and infrastructure behavior of software update deployments in Configuration Manager (ConfigMgr).
It applies to:
Manual deployments
Automatic Deployment Rules (ADR)
All deployments are policy-driven and continuously re-evaluated to maintain compliance.
Deployment Workflow
Content Distribution
After a deployment is created:
Updates are downloaded to the package source
Content is copied to:
Site server content library
Distribution points (DPs)
EPM Guidance
Confirm content is successfully distributed before enforcement deadlines
Validate DP availability for all boundary groups
Client Policy Processing
Deployment creates a deployment assignment policy
Clients in the target collection receive machine policy
The Software Updates Client Agent performs an evaluation scan
Key Dependency
Policy retrieval and successful scan are required for all update activity
Content Download Behavior
Required Deployments
Updates download automatically at Software Available time
Content is staged in the local client cache
Available Deployments
Content downloads only after user initiates installation
Important
Updates are always downloaded to the client cache regardless of configured cache size
Deadline and Installation
At deployment deadline:
Client re-scans to verify updates are still required
Validates content exists in cache
Installs updates
If content is missing:
Client automatically re-downloads content from the DP
Post-Install Compliance
After installation:
Client verifies updates are no longer required
Sends state messages to the Management Point
Compliance status is updated in reporting
Restart Behavior
Required deployments trigger restart if needed
If updates install before deadline → restart delayed until deadline
Manual restart before deadline satisfies restart requirement
EPM Guidance
Align restart behavior with maintenance windows and service requirements
Deployment Re-evaluation Cycle
Runs once per day
Re-scans previously deployed updates
Reinstalls missing updates from cache
Purpose
Maintains compliance over time
Automatically remediates drift
Log File Reference
| Phase | Log File | Description |
|---|---|---|
| Policy Retrieval | PolicyAgent.log | Deployment policy receipt |
| Scan / Detection | ScanAgent.log | Update scan activity |
| Compliance State | UpdatesStore.log | Update state tracking |
| Content Transfer | ContentTransferManager.log | Download job control |
| Data Download | DataTransferService.log | Content download activity |
| Installation | UpdatesHandler.log | Update installation execution |
| WUA Integration | WUAHandler.log | Windows Update Agent communication |
| Enforcement | UpdatesDeployment.log | Deadline and enforcement tracking |
Troubleshooting
Updates Not Showing as Required
Check
PolicyAgent.log
ScanAgent.log
WUAHandler.log
Common Causes
Scan failure
SUP issues
Incorrect collection targeting
Updates Not Downloading
Check
ContentTransferManager.log
DataTransferService.log
Common Causes
Distribution Point unavailable
Boundary group misconfiguration
Updates Fail to Install
Check
UpdatesHandler.log
WUAHandler.log
Common Causes
Pending reboot
Missing prerequisites
Installation failure
Deployment Stuck (Downloading / Installing)
Check
UpdatesDeployment.log
ContentTransferManager.log
Common Causes
Missing or corrupt content
Client cache issues
Compliance Not Updating
Check
UpdatesStore.log
State message flow to Management Point
Common Causes
Client not sending state messages
Management Point communication issues
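The symptom-to-log mapping above can be scripted for first-pass triage on a client. The following PowerShell is an added example, not part of the original document or of Configuration Manager: the function names, symptom keys, and sample entries are hypothetical, and it assumes the default client log folder (%windir%\CCM\Logs) and the CMTrace-style entry layout in which type 2 marks a warning and type 3 an error.

```powershell
# Symptom-to-log map taken from the Troubleshooting section (symptom keys are hypothetical names).
$SymptomLogs = @{
    NotRequired    = 'PolicyAgent.log', 'ScanAgent.log', 'WUAHandler.log'
    NotDownloading = 'ContentTransferManager.log', 'DataTransferService.log'
    InstallFailed  = 'UpdatesHandler.log', 'WUAHandler.log'
    Stuck          = 'UpdatesDeployment.log', 'ContentTransferManager.log'
    NoCompliance   = 'UpdatesStore.log'
}
$SeverityNames = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
# CMTrace-style entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
$EntryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)".*?type="(?<type>\d)"'

function ConvertFrom-CcmLog {
    # Parses raw log text (entries may span lines) into one object per entry.
    param([Parameter(Mandatory)][string]$Text, [string]$Source = 'inline')
    $opts = [Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($Text, $EntryPattern, $opts)) {
        [pscustomobject]@{
            Log       = $Source
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $SeverityNames[$m.Groups['type'].Value]
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

function Get-UpdateTriage {
    # Returns only warnings and errors from the logs listed for the given symptom.
    param(
        [Parameter(Mandatory)][ValidateSet('NotRequired','NotDownloading','InstallFailed','Stuck','NoCompliance')]
        [string]$Symptom,
        [string]$LogRoot = "$env:windir\CCM\Logs"   # assumed default client log folder
    )
    foreach ($name in $SymptomLogs[$Symptom]) {
        $path = Join-Path $LogRoot $name
        if (-not (Test-Path $path)) { Write-Warning "Missing log: $path"; continue }
        ConvertFrom-CcmLog -Text (Get-Content $path -Raw) -Source $name |
            Where-Object Severity -ne 'Info'
    }
}

# Constructed sample entries (not real client output) to exercise the parser offline.
$sample = @'
<![LOG[Sample informational entry]LOG]!><time="09:15:02.123+300" date="01-01-2024" component="ScanAgent" context="" type="1" thread="1234" file="sample.cpp:1">
<![LOG[Sample error entry]LOG]!><time="09:15:04.456+300" date="01-01-2024" component="ScanAgent" context="" type="3" thread="1234" file="sample.cpp:2">
'@
ConvertFrom-CcmLog -Text $sample | Where-Object Severity -ne 'Info' | Format-Table -AutoSize
```

On a client, Get-UpdateTriage -Symptom NotDownloading returns the warning and error entries from the two content logs in time order per file; state message flow to the Management Point still has to be checked separately.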
Operational Notes
Policy is the control plane — no policy = no deployment activity
Content availability must be validated before deadlines
Client cache is required for installation
Deadlines enforce compliance regardless of user interaction
Re-evaluation ensures continuous enforcement
Update Notifications
To stop clients from receiving notifications when monthly patches are released, do the following:
In the Configuration Manager console, select Monitoring, then Deployments. Find the deployment whose notifications you want to change. Sort by purpose to view all required deployments.
For example, right-click "Windows 10 All - Required" with a purpose of required and click Properties. Click the User Experience tab. From the drop-down list, select Hide in Software Center and all notifications. Then click OK.
Repeat the process for each deployment whose notifications you want to hide. For example, you might want to repeat this process with "Microsoft 365 Apps and Office LTSC - Required".