In another post, I mentioned that one of the differences between Windows Server Update Services (WSUS) and System Center Configuration Manager (ConfigMgr) is that you have to build deployment packages in ConfigMgr before you can deploy the updates. One of the reasons for this is that ConfigMgr does not approve or disapprove updates the way WSUS does, so the Windows Update Agent doesn't know which updates to grab from the update server. In ConfigMgr environments, clients don't install updates until there is a deployment package for them.

In this post, I'd like to discuss patch management and a little-known feature of SolarWinds Patch Manager that allows you to deploy updates to ConfigMgr clients without having to build or test any deployment packages. This feature adds a level of flexibility to ConfigMgr environments by interacting directly with the update server and Windows Update Agent, essentially bypassing ConfigMgr altogether. With the right patch management software, patch management is never complex.

Getting Updates from the Update Server to ConfigMgr Clients

After you have published your third-party updates to the update server, you have to get them to the ConfigMgr clients. Normally, you would do this by creating a deployment package for one or more ConfigMgr collections. In this procedure, however, we're skipping this step.

To instruct the ConfigMgr clients to grab updates from the update server without building a deployment package, use the Update Management Wizard in Patch Manager. On the second screen, in the Approval Options section, there is an option to Include only approved updates. Clear it. This allows the Windows Update Agent on the selected clients to download the applicable updates even though they have never been approved on the update server. (Remember from my previous post that the ConfigMgr deployment packages take the place of standard WSUS approvals.)

After you select the updates you want to deploy and the system(s) to which you want to deploy them, Patch Manager instructs the clients to grab the updates and install them if applicable. The important point here is that, even though you haven't approved the updates or created a deployment package, the Windows Update Agent will still check the applicability and installed rules in the update package to determine whether or not it actually needs the update. That way, you can select a large number of updates and a large pool of clients in a single task, and each client will only download and install what it needs.

For a step-by-step procedure to do this in your own environment, see How to deploy third-party updates to ConfigMgr clients without building deployment packages on the SolarWinds knowledge base and identify the ideal patch management solution.