Configure classifications and products to synchronize

Applies to: System Center Configuration Manager (Current Branch)

Software updates metadata is retrieved during the synchronization process in Configuration Manager based on the settings that you specify in the Software Update Point component properties. After you synchronize software updates for the first time, or when new products and classifications are released, you must go to the properties to select the new items. Use the following procedure to configure classifications and products to synchronize.

Note

Use the procedure from this section only on the top-level site.

To configure classifications and products to synchronize

  1. In the Configuration Manager console, navigate to Administration > Site Configuration > Sites.

  2. Select the central administration site or the stand-alone primary site.

  3. On the Home tab, in the Settings group, click Configure Site Components, and then click Software Update Point.

  4. On the Classifications tab, specify the software update classifications for which you want to synchronize software updates.

    Every software update is defined with an update classification that helps to organize the different types of updates. During the synchronization process, the software updates metadata for the specified classifications is synchronized. Configuration Manager provides the ability to synchronize software updates with the following update classifications:

    • Critical Updates: Specifies a widely released fix for a specific problem that addresses a critical, non-security-related bug.
    • Definition Updates: Specifies a widely released and frequent software update that contains additions to a product's definition database.
    • Feature Packs: Specifies new product functionality that is first distributed outside of a product release and that's typically included in the next full product release.
    • Security Updates: Specifies a widely released fix for a product-specific, security-related vulnerability.
    • Service Packs: Specifies a tested, cumulative set of all hotfixes, security updates, critical updates, and updates that are applied to a product. Additionally, service packs may contain additional fixes for problems that are found internally since the release of the product.
    • Tools: Specifies a utility or feature that helps to complete one or more tasks.
    • Update Rollups: Specifies a tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment. An update rollup generally addresses a specific area, such as a security or product component.
    • Updates: Specifies a widely released fix for a specific problem. An update addresses a non-critical, non-security-related bug.
    • Upgrade: Specifies an upgrade for Windows 10 features and functionality. Your software update points and sites must run a minimum of WSUS 6.2 with the hotfix 3095113 to get the Upgrade classification. For more information about installing this update and other updates for Upgrades, see Prerequisites for software updates.

    Note

    You can select the Include Microsoft Surface drivers and firmware updates checkbox to synchronize Microsoft Surface drivers. For more information, see the Include Microsoft Surface drivers and firmware updates section.

  5. On the Products tab, specify the products for which you want to synchronize software updates, and then click Close.

    • Configuration Manager stores a list of products and product families from which you can choose when you first install the software update point. Products and product families that are released after Configuration Manager is released might not be available to select until you complete software updates synchronization, which updates the list of available products and product families from which you can choose.

    • The metadata for each software update defines the products for which the update is applicable. A product is a specific edition of an operating system or application, such as Windows Server 2012. A product family is the base operating system or application from which the individual products are derived. An example of a product family is Windows, of which Windows Server 2012 is a member. You can specify a product family or individual products within a product family. The more products that you select, the longer it takes to synchronize software updates.

    • When software updates are applicable to multiple products, and at least one of the products was selected for synchronization, all of the products appear in the Configuration Manager console even if some products weren't selected. For example, if Windows Server 2012 is the only operating system that you selected, and if a software update applies to Windows 8 and Windows Server 2012, both products are displayed in the Configuration Manager console.

    Note

    Windows 10, version 1903 and later was added to Microsoft Update as its own product rather than being part of the Windows 10 product like earlier versions. This change required you to perform a number of manual steps to ensure that your clients see these updates. We've helped reduce the number of manual steps you have to take for the new product in Configuration Manager version 1906.

    When you update to Configuration Manager version 1906 and have the Windows 10 product selected for synchronization, the following actions occur automatically:

    • The Windows 10, version 1903 and later product is added for synchronization.
    • Automatic Deployment Rules containing the Windows 10 product will be updated to include Windows 10, version 1903 and later.
    • Servicing plans are updated to include the Windows 10, version 1903 and later product.

Include Microsoft Surface drivers and firmware updates

You can select the Include Microsoft Surface drivers and firmware updates checkbox to synchronize Microsoft Surface drivers. All software update points must run Windows Server 2016 with cumulative update KB4025339 or later installed to successfully synchronize Surface drivers. If you enable a software update point on a computer running Windows Server 2012 after you enable Surface drivers, the scan results for the driver updates are not accurate. This results in incorrect compliance data displayed in the Configuration Manager console and in Configuration Manager reports.

  • This feature was first introduced in version 1706 as a pre-release feature. Beginning with version 1710, this feature is no longer a pre-release feature.
  • Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.
  • Drivers for ARM devices aren't supported for synchronization.

Configuring products for versions of Windows 10

Windows 10, version 1909

Windows 10, version 1909 shares a common core operating system with Windows 10, version 1903. Both of these versions are serviced with the same cumulative updates. For more information about Windows 10, version 1909, see the Windows 10, version 1909 delivery options blog post.

To make sure both your Windows 10, version 1909 and Windows 10, version 1903 clients install updates from Configuration Manager:

  • Approve updates for both the 1909 and 1903 versions of Windows 10.
    • The updates have different titles and applicability rules for each OS version.
    • Approving each update per version and architecture of the OS maintains the normal approval process for admins.
  • The cumulative update installation files are the same for both the 1909 and 1903 versions of Windows 10.
    • Configuration Manager will only download the update source files once.

Feature Updates for Windows 10, version 1909

When you approve feature updates for Windows 10, version 1909, there are a few different options you'll see:

  • Windows 10, version 1903 clients are offered an Enablement Package, released November 12, 2019.

    • The enablement package is a small, quick to install file that activates the Windows 10, version 1909 features and restarts the device.

    • Prerequisites for the enablement package include:

      • A minimum cumulative update of KB4517389, released October 8, 2019.
      • A minimum servicing stack update of KB4520390, released September 24, 2019.
    • This update, like any other Feature Update, isn't available for import from https://catalog.update.microsoft.com.

    • The update will automatically synchronize with WSUS if you have the Windows 10, version 1903 and later product and Upgrades classification selected for synchronization.

    • In the Configuration Manager console, go to the Software Library workspace, expand Windows 10 Servicing, and select the All Windows 10 Updates node. Search for the terms "enablement" or "4517245".

      Tip

      Since these are feature updates, they aren't in the All Software Updates node.

  • Windows 10, version 1809 and earlier clients are upgraded with a single direct feature update.

    • This is just like all other previous installations for Feature Updates that you've done for Windows 10.

Note

Both the enablement package and the traditional feature update for Windows 10, version 1909 will show as "Installed" in reporting, regardless of which path was used to install it.

Windows 10, version 1903 and later

Windows 10, version 1903 and later was added to Microsoft Update as its own product rather than being part of the Windows 10 product like earlier versions. This change required you to perform a number of manual steps to ensure that your clients see these updates. We've helped reduce the number of manual steps you have to take for the new product in Configuration Manager version 1906.

Windows 10, version 1903 and later with Configuration Manager version 1906

When you update to Configuration Manager version 1906 and have the Windows 10 product selected for synchronization, the following actions occur automatically:

  • The Windows 10, version 1903 and later product is added for synchronization.
  • Automatic Deployment Rules containing the Windows 10 product will be updated to include Windows 10, version 1903 and later.
  • Servicing plans are updated to include the Windows 10, version 1903 and later product.

Windows 10, version 1903 and later with Configuration Manager version 1902

If you are using Configuration Manager 1902 with Windows 10, version 1903 clients, you'll need to:

  • Select the Windows 10, version 1903 and later product for synchronization.
  • Update any Automatic Deployment Rules for Windows 10, version 1903 clients.
  • Update Servicing plans for Windows 10, version 1903 clients.

Windows Insider Program

Starting in September 2019, you can service and update devices running Windows Insider Preview builds with Configuration Manager. This change means you can manage these devices without changing your normal processes or enabling Windows Update for Business. You can download Feature Updates and Cumulative Updates for Windows Insider Preview builds into Configuration Manager just like any other Windows 10 update or upgrade. For more information, see the Publishing pre-release Windows 10 Feature Updates to WSUS blog post.

For more information about support for Windows Insider in Configuration Manager, see Support for Windows 10.

Prerequisites

Enable Windows Insider upgrades and updates

You need to enable the products and classifications for Windows Insider upgrades and updates. Feature Updates, Cumulative updates, and other updates for Windows Insider are under the Windows Insider Pre-Release product category.

  1. In the Configuration Manager console, navigate to Administration > Site Configuration > Sites.
  2. Select the central administration site or the stand-alone primary site.
  3. On the Home tab, in the Settings group, click Configure Site Components, and then click Software Update Point.
  4. On the Products tab, make sure the following products are selected for synchronization:
    • Windows Insider Pre-Release
    • Windows 10, version 1903 and later
  5. On the Classifications tab, make sure the following classifications are selected for synchronization:
    • Upgrades
    • Security Updates
    • Updates (optional)
  6. Click OK to close the Software Update Point Component Properties.
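
The product and classification selections made in the procedures above can also be audited from PowerShell, which is useful for confirming that Security Updates and the required products are still selected after a site change. The following is an added example, not part of the original documentation: the function name `Test-SupSyncBaseline` and the sample objects are hypothetical, the `<SiteServer>` and `<SiteCode>` values are placeholders, and English category names are assumed. The objects mirror the SMS provider class `SMS_UpdateCategoryInstance`.

```powershell
# Added example: compare Software Update Point sync selections with a baseline.
function Test-SupSyncBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Category,                      # SMS_UpdateCategoryInstance-like objects
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline # category type -> required names
    )
    foreach ($type in $Baseline.Keys) {
        foreach ($name in $Baseline[$type]) {
            $match = $Category | Where-Object {
                $_.CategoryTypeName -eq $type -and $_.LocalizedCategoryInstanceName -eq $name
            } | Select-Object -First 1
            $state = if (-not $match) {
                'NotInCatalog'   # product list not yet refreshed by a synchronization
            } elseif ($match.IsSubscribed) {
                'Selected'
            } else {
                'NotSelected'
            }
            [pscustomobject]@{ Type = $type; Name = $name; State = $state }
        }
    }
}

# Baseline taken from the Windows Insider steps on this page (Updates is optional there).
$insiderBaseline = [ordered]@{
    Product              = @('Windows Insider Pre-Release', 'Windows 10, version 1903 and later')
    UpdateClassification = @('Upgrades', 'Security Updates')
}

# Constructed sample data so the example runs offline.
$sample = @(
    [pscustomobject]@{ CategoryTypeName = 'UpdateClassification'; LocalizedCategoryInstanceName = 'Security Updates'; IsSubscribed = $true }
    [pscustomobject]@{ CategoryTypeName = 'UpdateClassification'; LocalizedCategoryInstanceName = 'Upgrades'; IsSubscribed = $false }
    [pscustomobject]@{ CategoryTypeName = 'Product'; LocalizedCategoryInstanceName = 'Windows 10, version 1903 and later'; IsSubscribed = $true }
    [pscustomobject]@{ CategoryTypeName = 'Product'; LocalizedCategoryInstanceName = 'Windows 10'; IsSubscribed = $true }
)

# Live data from the top-level site (placeholders, replace before use):
# $sample = Get-CimInstance -ComputerName '<SiteServer>' -Namespace 'root\SMS\site_<SiteCode>' `
#               -ClassName SMS_UpdateCategoryInstance

# Report only the gaps: Upgrades is NotSelected, Windows Insider Pre-Release is NotInCatalog.
Test-SupSyncBaseline -Category $sample -Baseline $insiderBaseline |
    Where-Object State -ne 'Selected' |
    Format-Table -AutoSize
```

A `NotSelected` result is closed on the Classifications or Products tab (or with `Set-CMSoftwareUpdatePointComponent -AddUpdateClassification` / `-AddProduct`); a `NotInCatalog` result means a synchronization must complete before the item can be selected.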

Upgrading Windows Insider devices

Once the upgrades for Windows Insiders are synchronized, you can see them from Software Library > Windows 10 Servicing > All Windows 10 Updates.

Windows Insiders feature updates for Windows 10 servicing

Deploy Feature Updates for Windows Insider to your target collection just like any other upgrade. However, you'll want to keep the following items in mind when you're deploying these Feature Updates:

  • These upgrades will be applicable to all Windows 10 clients 1903 or earlier, with matching architecture, edition, and language.
  • There are license terms. Your deployment must accept the terms in order to install.
  • Consider using the thread priority in client settings.
  • Dynamic Update automatically installs critical updates, including the latest Cumulative Update, directly from Microsoft Update. This behavior started with Feature Updates for Windows 10 version 1903.

For more information on how to deploy upgrades, see Manage Windows as a service.

Keeping Insider devices up to date

Cumulative Updates for Windows Insider will be available for WSUS and by extension for Configuration Manager. These Cumulative Updates will be released at a frequency similar to Windows 10 version 1903 Cumulative Updates. The Windows Insider Cumulative updates are in the Windows Insider Pre-Release product category and classified as either Security Updates or Updates. You can deploy the Cumulative Updates for Windows Insider using your regular software update process like using automatic deployment rules or phased deployments.

Extended Security Updates and Configuration Manager

The Extended Security Updates (ESU) program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. It includes Critical and/or Important security updates (as defined by the Microsoft Security Response Center (MSRC)) for a maximum of three years after the product’s End of Extended Support date.

Products that are beyond their support lifecycle aren't supported for use with Configuration Manager. This includes any products that are covered under the ESU program. Security updates released under the ESU program will be published to Windows Server Update Services (WSUS). These updates will appear in the Configuration Manager console. While products that are covered under the ESU program are no longer supported for use with Configuration Manager, the latest released version of Configuration Manager current branch can be used to deploy and install Windows security updates released under the program. The latest released version can also be used to deploy supported OSes via operating system deployment (OSD).

Client management features not related to Windows software update management or OSD will no longer be tested on the operating systems covered under the ESU program and we don't guarantee that they'll continue to function. It's highly recommended to upgrade or migrate to a current version of the operating systems as soon as possible to receive client management support.

Next steps

Start software updates synchronization to retrieve software updates based on the new criteria. For more information, see Synchronize software updates.