With the recent unveiling of Windows 11, I thought it was time to write about how to manage Windows updates with ConfigMgr. It’s generally agreed that keeping Windows updated with patches from Microsoft is one of the easiest and best ways to improve the security posture of your servers and desktops. Unfortunately, no matter the size of the environment you manage, it can be difficult to determine which computers have been updated and which have not.
How to Easily Manage Windows Updates with ConfigMgr
The Software Updates Deployment Status dashboard, which is included in the Enterprise version of Right Click Tools, will quickly show your environment’s device compliance status. Not only does the dashboard give you a comprehensive overview of what’s going on, but it also allows you to take action to ensure all computers are updated.
After you select the Software Updates Deployment Status dashboard, it will look something like the screenshot below. All it needs is your input.
Choose Your Collection(s) and Software Update Group(s)
The items you need to specify are the collection of computers that you would like to check compliance on and the software update groups that you would like to verify compliance against.
So, for example, in our demo environment, we have a collection of “Recast Workstations.” We also have an Automatic Deployment Rule (ADR) running that creates a new software update group for each month’s updates. When we compare the Recast Workstations collection with the most recently deployed software update group, we find that we have two devices in the collection that are compliant, and nine devices that are not compliant.
Customize the Results
There are a few things you can do to personalize the results so that they work with your environment. For example, you can limit the pie charts to only show information about updates that have been deployed in your environment. You can also deselect certain types of updates on the far left. And, you can set the slider to only show updates that are older than a specific number of days.
The date slider can be a very useful tool if your organization waits a certain number of days before patches become mandatory in your environment. For example, if you wait 30 days to install updates anyway, it makes sense to care only about patches that are older than 30 days when trying to determine your compliance numbers. This simple adjustment should help with that horrible dip that always seems to happen in compliance numbers when computers first detect the new updates but haven’t yet reached their required install dates.
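The effect of the age filter described above, as an added example (not part of the original post and not Right Click Tools code): the PowerShell below computes device compliance over constructed sample rows, first counting every update and then only updates at least 30 days old. The function name `Get-ComplianceSummary`, the row shape, and all of the data are assumptions made for illustration.

```powershell
# Constructed sample data: one row per (device, update) pair.
# Released = publish date of the update; Installed = $true once the device has it.
$asOf = [datetime]'2021-07-20'
$june = [datetime]'2021-06-08'
$july = [datetime]'2021-07-13'
$rows = @(
    [pscustomobject]@{ Device = 'WS01'; Update = 'June rollup'; Released = $june; Installed = $true  }
    [pscustomobject]@{ Device = 'WS01'; Update = 'July rollup'; Released = $july; Installed = $true  }
    [pscustomobject]@{ Device = 'WS02'; Update = 'June rollup'; Released = $june; Installed = $true  }
    [pscustomobject]@{ Device = 'WS02'; Update = 'July rollup'; Released = $july; Installed = $false }
    [pscustomobject]@{ Device = 'WS03'; Update = 'June rollup'; Released = $june; Installed = $false }
    [pscustomobject]@{ Device = 'WS03'; Update = 'July rollup'; Released = $july; Installed = $false }
)

function Get-ComplianceSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [datetime] $AsOf,
        [int] $MinAgeDays = 0   # 0 = count every update, like leaving the slider at zero
    )
    # Only updates released on or before the cutoff count toward compliance.
    $cutoff  = $AsOf.AddDays(-$MinAgeDays)
    $inScope = @($Rows | Where-Object { $_.Released -le $cutoff })
    $devices = @($Rows | Select-Object -ExpandProperty Device -Unique)

    # A device is non-compliant if any in-scope update is still missing on it.
    $nonCompliant = @($inScope | Where-Object { -not $_.Installed } |
        Select-Object -ExpandProperty Device -Unique)
    $compliant = $devices.Count - $nonCompliant.Count

    # Avoid dividing by zero when the input contains no devices.
    $percent = $null
    if ($devices.Count -gt 0) {
        $percent = [math]::Round(100 * $compliant / $devices.Count, 1)
    }

    [pscustomobject]@{
        MinAgeDays       = $MinAgeDays
        UpdatesInScope   = @($inScope | Select-Object -ExpandProperty Update -Unique).Count
        Devices          = $devices.Count
        Compliant        = $compliant
        NonCompliant     = $nonCompliant.Count
        CompliantPercent = $percent
    }
}

# Same devices, same day: all updates versus only updates at least 30 days old.
Get-ComplianceSummary -Rows $rows -AsOf $asOf -MinAgeDays 0
Get-ComplianceSummary -Rows $rows -AsOf $asOf -MinAgeDays 30
```

In the constructed data, WS02 is missing only the week-old July update, so it counts against compliance in the first summary and drops out of the non-compliant set once the 30-day filter is applied; WS03 is missing the older update too and stays non-compliant either way.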
Now that you’ve discovered which devices need to install updates, it’s time to take some action. When you click on any of the wedges in the pie chart (see above), the computers that make up those pie pieces will show in the bottom section of the dashboard. For example, in the screenshot below I’m showing you the 9 computers that need updates in our environment. As you can see, we can run Right Click Tools actions against them right inside the dashboard!
You can run actions against one device, or multi-select devices and run actions against all selected devices. In this example, I’m going to look at “Client Tools.”
How to Install Updates from the ConfigMgr Console
Now that you know which computers need updates, it’s time to talk about getting those devices updated. One of the tools that you can use is called “Install Missing Software Updates.” It’s located under the “Client Tools” section. Once selected, a window opens that looks like the one below.
From here you can choose the update you’d like to install, as well as the computer you want to install it on. Warning: If you decide to use this method, please remember that it will be just like clicking on “Install” from Software Center on the local computer. The update will start installing immediately, and it will adhere to any reboot policies that are set in your environment. Make sure you don’t happen to restart the CEO’s computer in the middle of his Board of Directors meeting. You have been warned.
Troubleshooting Updates that Are Failing to Install
Another feature of the Install Missing Software Updates tool is that it will show the status of an update. You’ll see when updates are in progress and you’ll see error codes if an update has failed. When this happens you can start researching what might have gone wrong for that computer when it was trying to install updates.
All the Updates Are Gone!
Once the updates are installed, they will disappear from the Install Missing Software Updates tool. You may, however, still see the devices as out of compliance in the Software Updates Deployment Status dashboard. The reason is that the two tools read from different data sources. The dashboard is getting its information from the ConfigMgr database, whereas the Install Missing Software Updates tool is getting its information directly from the device. These may be out of sync until the computer checks back into ConfigMgr and lets it know that the updates have been installed.
Manage Windows Updates
Hopefully, this tour of the Software Updates Deployment Status dashboard and the Install Missing Software Updates tool gives you a good idea of what can be done in the Enterprise Edition of Right Click Tools. Now you know an easier way to manage Windows updates with ConfigMgr.
As always, if you have questions, please feel free to reach out to https://recastsoftware.com/support.