A: System Center Configuration Manager (SCCM) 2012 adds a feature that enables certain software updates to be automatically approved and deployed to selected machines in your organization. A great use of this would be to automatically approve and deploy malware definition updates.

Related: System Center Configuration Manager for Windows 8 and Windows Server 2012

To create an Automatic Deployment Rule, perform the following:

  1. Start System Center 2012 Configuration Manager management tool.
  2. Select the Software Library workspace.
  3. Expand Software Updates and select Automatic Deployment Rules.
  4. From the Ribbon, select the Create Automatic Deployment Rule action.
  5. Give a name and description for the new rule. You must also specify the target collection that will be deployed to the updates selected in the automatic approval and choose whether to add the updates to an existing Software Update Group or create a new one. If you previously deployed updates and have a deployment template available with the settings defined, you can select it. You can also set whether the deployment of these updates should be enabled automatically. (See screen shot below.) Click Next.
    sccm2012asu1
  6. It’s possible to use Wake-on-LAN to wake machines when the updates are deployed. You can set the amount of detail returned during the update deployment, along with the option to deploy all updates that meet the criteria defined in the automatic deployment rule or only those that don't require a license to be accepted. Click Next.
  7. The search criteria and property filters must now be defined to control what updates will automatically be approved with the new rule. Select the properties you want to use in the Property filters area, then use those properties to define your search criteria: In the screen shot below, I am approving all moderate and above Windows Server 2008 R2 updates required by two or more computers.  Click Next.
    sccm2012asu2
  8. Next, select how often to run the rule to identify the patches that should be deployed. Remember that Microsoft releases patches on the second Tuesday of each month. You should run the rule after SCCM has synchronized with Microsoft. (See screen shot below.)  Click Next.
    sccm2012asu3
  9. In the next screen you configure when to make the updates available--immediately or at a specific time--and also set an installation deadline. Click Next.
  10. The next screen gives the option to deploy outside of maintenance windows (generally not advised, as controlling deployments is a key reason for maintenance windows); you can also suppress automatic restart of workstations and/or servers. Click Next.
  11. Here you have the option to generate alerts if compliance for the software updates drops below a certain level, and it’s also possible to control Operations Manager alerts during the deployment of updates. Click Next.
  12. You can configure how clients download the software updates, which includes setting options around behavior on slow links and the use of unprotected distribution points and peer-to-peer content distribution (BranchCache). Click Next.
  13. Select the deployment package to hold the updates or create a new one, then click Next.
  14. Select whether to download updates from the Internet or from an internal location, then click Next. Most people choose to download updates from the Internet, but if your SCCM server doesn’t have connectivity to the Internet to download patches, then you can manually download them and point SCCM to the saved updates.
  15. Select the languages to download. Click Next.
  16. A (very large) summary is displayed. (See screen shot below.)  Click Next.
    sccm2012asu4
  17. The rule is created. Click Close.

You should see the option to run the Automatic Deployment Rule with the Run Now action that’s available when the Automatic Deployment Rule is selected, which enables you to start deploying updates outside of the standard schedule.

Got technology issues? We've got answers. Check out John Savill's FAQs for Windows