New Microsoft Update Model & SCCM Automatic Deployment Rule Filters

When Microsoft introduced the new Windows servicing changes in 2016, everyone was confused. Why are we all being forced to change the way we have managed updates for years? Change is bad!

There are three types of monthly updates for the affected products in the new monthly update model:
  • Option 1 is the Security Only Quality Update, which contains only that month's security fixes and is not cumulative.
  • Option 2 is the Security Monthly Quality Rollup, which contains that month's security and non-security fixes plus everything from all previous months back to October 2016... think of this like a monthly service pack.
  • Option 3 is the Preview of Monthly Quality Rollup, released one week after Patch Tuesday (the third Tuesday of the month). It contains everything in Option 2 plus a preview of the non-security fixes slated for next month's Option 2. Think of this like a beta or early release.
Products impacted by these update models:
  • Windows 7 SP1 / Server 2008 R2 SP1, Server 2012, and Windows 8.1 / Server 2012 R2 (Windows 10 and Server 2016 were already on cumulative updates)
  • .NET Framework
  • Internet Explorer
    • Included in the Windows Security Monthly Quality Rollup, but not included in the Security Only Quality Update.
    • Updates minor revisions only; it won't do an upgrade from IE 10 to IE 11 for you, as that is a major revision.
How do you make an Automatic Deployment Rule that only includes the Security Monthly Quality Rollup? Create the rule and filter on the Title of the update to exclude Security Only, Preview, and the non-rollup .NET and Internet Explorer updates. Schedule the rule to run every second Tuesday (make sure it runs after your software update point has synchronized that month's catalog, or the rule has nothing new to pick up) and you're good to go! An example rule built this way for Windows Server 2012 R2 pulls the Security Monthly Quality Rollup for Windows & .NET along with the Windows Malicious Software Removal Tool and a few other pre-October 2016 updates; the Windows 7 version of the filter is listed below.
*The Title criterion's help says to use the syntax -"Preview" rather than -%Preview%, but the % form works far better when filtering out a particular keyword or phrase.

What happens if you deploy the Security Only Quality Update and the Security Monthly Quality Rollup at the same time? Each of them requires a reboot after installation, and if a reboot is pending, whichever one runs second has to wait until that reboot occurs. Once the first update installs, the SCCM client reports it back to the site as successful (the client shows as compliant for it), but the second update shows as either failed or still pending (the client shows as still requiring it, which throws off the compliance numbers for that deployment) until the reboot completes and the client re-evaluates and realizes it already has everything in both updates.
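To see whether a client is sitting in exactly that pending-reboot state, and which updates it still reports as required, here is an added PowerShell check (example code, not from the original post). It assumes it is run on the client with admin rights and that the SCCM client is installed, so the root\ccm\ClientSDK namespace exists; without the client the SDK part simply reports $null.

```powershell
# Added example (not from the original post): is this client stuck behind a
# pending reboot, and which updates does it still report as required?
# Assumes: run locally with admin rights on a machine with the SCCM client.

function Get-PendingRebootState {
    # The servicing stack and Windows Update each leave a marker when a reboot is owed
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    # The SCCM client's own verdict: the same check it makes before it starts the next install
    $ccm = $null
    try {
        $params = @{
            Namespace   = 'root\ccm\ClientSDK'
            ClassName   = 'CCM_ClientUtilities'
            MethodName  = 'DetermineIfRebootPending'
            ErrorAction = 'Stop'
        }
        $r   = Invoke-CimMethod @params
        $ccm = [bool]$r.RebootPending -or [bool]$r.IsHardRebootPending
    } catch {
        # No SCCM client, or not elevated: leave $ccm as $null so the caller can tell
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        CbsRebootPending       = $cbs
        WuRebootRequired       = $wu
        CcmClientRebootPending = $ccm
        RebootPending          = [bool]($cbs -or $wu -or $ccm)
    }
}

function Get-RequiredUpdateState {
    # EvaluationState 8/9 = pending soft/hard reboot, 13 = error. Those are the
    # updates that stay "required" in the deployment's compliance until the reboot.
    Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_SoftwareUpdate' -ErrorAction SilentlyContinue |
        Select-Object ArticleID, Name, EvaluationState
}

Get-PendingRebootState
Get-RequiredUpdateState | Format-Table -AutoSize
```

If RebootPending comes back $true and the second update sits at EvaluationState 8 or 9, the "required" count in the deployment report is the pending reboot, not a failed install; it clears on the next evaluation cycle after the machine restarts.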

Another great article on the new update methodology can be found on Microsoft's Enterprise Mobility & Security Blog.

Want to find some great custom reports for update compliance reporting by collections? Check out this great custom dashboard that shows update compliance over at


  1. ADR filter for Windows 7 Security Monthly Quality Rollup:

    Product: "Windows 7"
    Required: >=1
    Superseded: No
    Title: -%Security Only% OR -%Preview% OR -%Security Update For Microsoft .NET% OR -%Cumulative Security Update For Internet Explorer% OR -%Update for Windows 7%
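The procedure above and the Windows 7 filter it produces, as an added PowerShell example that is not from the original post: a dry run that applies the same exclusion terms to a constructed set of update titles so you can see what the rule keeps and drops before it runs, then, optionally, the same check against your own catalog. The live part assumes the ConfigurationManager module is loaded and the site drive is the current location (e.g. PS ABC:\>); the sample titles and their KB placeholders are constructed, not real updates.

```powershell
# Added example (not from the original post): dry run of the ADR's Title
# exclusions. Sample titles below are constructed; KBxxxxxxx is a placeholder.

# One entry per -%...% term in the ADR's Title criterion
$ExcludeTerms = @(
    'Security Only',
    'Preview',
    'Security Update For Microsoft .NET',
    'Cumulative Security Update For Internet Explorer',
    'Update for Windows 7'
)

function Test-RollupTitle {
    # Returns $true when a title survives every exclusion term, i.e. the ADR would
    # include the update. Case-insensitive substring match, like %term%.
    param(
        [Parameter(Mandatory)][string]$Title,
        [string[]]$Exclude = $ExcludeTerms
    )
    foreach ($term in $Exclude) {
        if ($Title -like "*$term*") { return $false }
    }
    return $true
}

# Constructed sample titles in the shape the catalog uses after October 2016
$SampleTitles = @(
    '2017-01 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KBxxxxxxx)',
    '2017-01 Security Only Quality Update for Windows 7 for x64-based Systems (KBxxxxxxx)',
    '2017-01 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KBxxxxxxx)',
    '2017-01 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Server 2008 R2 for x64 (KBxxxxxxx)',
    '2017-01 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Server 2008 R2 for x64 (KBxxxxxxx)',
    'Security Update for Microsoft .NET Framework 4.6.1 on Windows 7 and Windows Server 2008 R2 for x64 (KBxxxxxxx)',
    'Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KBxxxxxxx)',
    'Update for Windows 7 for x64-based Systems (KBxxxxxxx)',
    'Windows Malicious Software Removal Tool x64 - January 2017 (KBxxxxxxx)'
)

$SampleTitles | ForEach-Object {
    [pscustomobject]@{ Included = (Test-RollupTitle -Title $_); Title = $_ }
} | Format-Table -AutoSize

# Optional: the same check against the real catalog. Assumes the
# ConfigurationManager module is loaded and the site drive is the current
# location. The -Name wildcard stands in for the ADR's Product = "Windows 7"
# criterion, and the Where-Object mirrors Required >= 1 / Superseded = No.
if (Get-Command Get-CMSoftwareUpdate -ErrorAction SilentlyContinue) {
    Get-CMSoftwareUpdate -Fast -Name '*Windows 7*' |
        Where-Object { -not $_.IsSuperseded -and -not $_.IsExpired -and $_.NumMissing -ge 1 } |
        Where-Object { Test-RollupTitle -Title $_.LocalizedDisplayName } |
        Sort-Object LocalizedDisplayName |
        Select-Object LocalizedDisplayName, NumMissing |
        Format-Table -AutoSize
}
```

On the constructed set, three titles survive (the Windows rollup, the .NET Security and Quality Rollup, and the Malicious Software Removal Tool) and the other six are dropped. Note the last term: "Update for Windows 7" also matches older standalone "Security Update for Windows 7 ... (KB...)" titles from before October 2016, so if you still need any of those, deploy them through a separate rule rather than loosening this one.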

