Managing production breaking updates in SCCM 2012

If you’re managing updates through SCCM 2012 with the help of Automatic Deployment Rules (ADR). Why wouldn’t you? I mean, what could possibly go wrong? There’s no need for pre-prod testing!

It’s a couple of days past patch tuesday, the new patches are deployed and installed. This is when you get the dreadful call about how a production application broke over night. Ooops?


Patch KB123456 has been installed into the production environment and it broke core functionality.


This is resovled by creating a package with an uninstall program which is deployed to the collection with the affected devices.

1. The Collection

Navigate into the Asset and Compliance workspace and create a new Device Collection.


Give the collection a proper name, ie. “Uninstall KB123456” and choose a limiting collection. All Desktops and Server Clients is usually a good choice.


Click on Add Rule and choose Query Rule.


Give the new Query Rule a name and click on Edit Query Statement…


Navigate into the Criteria tab and click on the sun to add a new criteria.


Click on Select… to choose an attribute class.


Choose the Installed Applications and Display Name. Click OK.


Change the Operator to is like and the Value to %KB123456%. Click OK.7

If you click on Show Query Language you can see the query in text. Click OK.


Check Use incremental updates for the collection to speed up the collection popluation process.


Click Next and Finish to complete the wizard.

2. The Package

Navigate into the Software Library and create a new Package. This  Package will be used as a container for all the Programs which will be used for uninstalling updates.


Give the Package a proper name, ie. “Microsoft KB Uninstall Package”. Click Next.


Choose Do not create a program. Click Next and Finish to complete the wizard.


3. The Program

Right-click on the newly created Package and choose Create Program.


Select Standard Program and click Next.


Give the Program a name, ie. “Uninstall KB123456” and enter the command line:

wusa.exe /uninstall /kb:123456 /quiet

On Program can run, choose Wheather or not a user is logged on. Click Next and Finish to complete the wizard.


4. The Deployment

Right-click on the Package created in the earlier steps and choose Deploy.


Click on Browse… next to the text box for Collection and choose the Collection you created in the earlier steps. Verify that correct Program is selected on the Software text box. If the Package only contains one Program it will automatically be selected. Click Next.


Since this Package does not contain any source files we do not need to specify any content locations. Click Next.


On Purpose, select Required. If needed, select Send wake-up packets. Click Next.


On Rerun behavior, select Rerun if failed previous attempt to avoid possible program execution behavior. Click on New… to open the Assignment Schedule dialog.


Select As soon as possible. Click OK and Next.


Select Software installation and System restart (if required to complete the installation) to ignore possible Maintenance Windows. Click Next.


On the second Deployment options select Download content from distribution point and run locally to avoid possible slow-linka and boundry issues. Click Next and Finish to complete the wizard.


5. Speed up the process

To speed up the process of clients polling for new computer policies you can right-click on the Collection, choose Client Notification and click Download Computer Policy.


Download Computer Policy is a SCCM 2012 SP1 feature. The same function could be achieved with the SCCM Right-Click Tools.


Patch deployments in SCCM could (and should) be considered as a regular software/package (not an application per definition since we don’t have detection rules and removal programs) deployment and with this in mind it should be quite obvious of how removal and enforcement should be managed with SCCM.

The wusa.exe command will only work on Windows Vista and Windows Server 2008 and later. For earlier versions of Windows other command lines would have to be used.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s