How to Configure Windows Server 2019 with SCCM Updates
System Center Configuration Manager (SCCM), now branded as Microsoft Endpoint Configuration Manager (MECM), is the enterprise-grade solution for software update management on Windows Server 2019 at scale. Unlike WSUS, SCCM adds orchestration capabilities including deployment rings, maintenance windows, phased deployments, and deep integration with the Configuration Manager client for inventory, compliance, and reporting. This guide covers configuring SCCM’s Software Update Point (SUP) and deploying updates to Windows Server 2019 targets.
Prerequisites and Architecture
SCCM update management requires a Software Update Point site system role installed on a site server or a remote server with WSUS installed. The SUP proxies update metadata from Microsoft Update through WSUS but adds SCCM’s orchestration layer. The Configuration Manager client must be installed on all Windows Server 2019 targets. A minimum of SCCM Current Branch version 1910 is recommended for full Windows Server 2019 feature support.
Installing and Configuring the Software Update Point
On the SCCM primary site server, open the Configuration Manager console and navigate to Administration > Site Configuration > Servers and Site System Roles. Add the Software Update Point role:
# WSUS must be installed first on the SUP server
Install-WindowsFeature -Name UpdateServices, UpdateServices-UI, UpdateServices-WidDB -IncludeManagementTools
# Run WSUS post-install to set the content directory
& "C:\Program Files\Update Services\Tools\WsusUtil.exe" postinstall CONTENT_DIR=E:\WSUS_Content
# Verify WSUS service is running
Get-Service -Name WsusService | Select-Object Name, Status, StartType
In the SCCM console, after adding the SUP role, configure the synchronization settings. Navigate to Software Library > Software Updates > Synchronization, then run the wizard to select products including “Windows Server 2019” and classifications: Critical Updates, Security Updates, Update Rollups, and Service Packs.
Configuring Synchronization Schedule
# Trigger manual synchronization via PowerShell (ConfigMgr module)
Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0,$Env:SMS_ADMIN_UI_PATH.Length-5) + '\ConfigurationManager.psd1')
$SiteCode = "PS1"
Set-Location "$($SiteCode):"
# Sync all software update points
Invoke-CMSoftwareUpdatePointSync
# Check sync status
Get-CMSoftwareUpdateSyncStatus | Select-Object LastSyncState, LastSyncTime, LastSyncResult
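The product, classification and schedule settings that the wizard above sets by hand can be applied from the ConfigMgr module and, more importantly, verified. This is an added example, not code from the original guide; it uses the page's site code PS1, and the three-month supersedence wait and the 30-minute sync timeout are assumed policy values.

```powershell
# Assumed site code (as on the page); run from a host that has the ConfigMgr console module.
$SiteCode = "PS1"
Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# 1. Scope the catalog to the product and classifications this guide deploys. A narrow
#    subscription keeps the WSUS catalog small and makes the monthly SUG filter reliable.
#    (The product list is only populated after the SUP's first sync has run.)
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode `
    -SynchronizeAction SynchronizeFromMicrosoftUpdate `
    -AddProduct "Windows Server 2019" `
    -AddUpdateClassification "Critical Updates", "Security Updates", "Update Rollups", "Service Packs"

# 2. Supersedence: expire superseded updates 3 months after a replacement ships
#    (assumed policy value) so deployments stop carrying stale content.
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode -ImmediatelyExpireSupersedence $false -WaitMonth 3

# 3. Recurring sync daily at 03:00, so Patch Tuesday metadata is in place before the monthly SUG is built.
$syncSchedule = New-CMSchedule -Start (Get-Date "2000-01-01 03:00") -RecurInterval Days -RecurCount 1
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode -EnableSynchronization $true -Schedule $syncSchedule

# 4. Verify the subscription actually registered before relying on it.
$products = Get-CMSoftwareUpdateCategory -TypeName Product |
    Where-Object { $_.IsSubscribed } | Select-Object -ExpandProperty LocalizedCategoryInstanceName
$classes = Get-CMSoftwareUpdateCategory -TypeName UpdateClassification |
    Where-Object { $_.IsSubscribed } | Select-Object -ExpandProperty LocalizedCategoryInstanceName
if ($products -notcontains "Windows Server 2019" -or $classes -notcontains "Security Updates") {
    throw "SUP subscription incomplete. Products: $($products -join ', '); Classifications: $($classes -join ', ')"
}

# 5. Run a sync now and wait for it to finish instead of assuming it did; a non-zero
#    LastSyncErrorCode means the run failed (details in wsyncmgr.log on the site server).
$before = (Get-CMSoftwareUpdateSyncStatus | Where-Object { $_.SiteCode -eq $SiteCode }).LastSuccessfulSyncTime
Invoke-CMSoftwareUpdatePointSync -SiteCode $SiteCode
$deadline = (Get-Date).AddMinutes(30)   # assumed upper bound for a delta sync
do {
    Start-Sleep -Seconds 60
    $status = Get-CMSoftwareUpdateSyncStatus | Where-Object { $_.SiteCode -eq $SiteCode }
} until ($status.LastSuccessfulSyncTime -gt $before -or $status.LastSyncErrorCode -ne 0 -or (Get-Date) -gt $deadline)
if ($status.LastSyncErrorCode -ne 0) { throw "SUP sync failed with error code $($status.LastSyncErrorCode)" }
if ($status.LastSuccessfulSyncTime -le $before) { throw "SUP sync did not complete within 30 minutes" }
```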
Creating Software Update Groups
Software Update Groups (SUGs) are collections of updates that are deployed together. Create monthly SUGs aligned to Patch Tuesday:
# Create a Software Update Group for current month's patches
$monthYear = Get-Date -Format "MMM-yyyy"
$sug = New-CMSoftwareUpdateGroup -Name "WS2019-Security-$monthYear" -Description "Windows Server 2019 security updates for $monthYear"
# Add updates to the group - search for Windows Server 2019 security updates published this month
$updates = Get-CMSoftwareUpdate -Fast | Where-Object {
    $_.LocalizedDisplayName -like "*Windows Server 2019*" -and
    $_.IsExpired -eq $false -and
    $_.IsSuperseded -eq $false -and
    $_.DateRevised -gt (Get-Date).AddDays(-35) -and
    ($_.UpdateClassification -eq "Security Updates" -or $_.UpdateClassification -eq "Critical Updates")
}
foreach ($update in $updates) {
    Add-CMSoftwareUpdateToGroup -SoftwareUpdateGroupId $sug.CI_ID -SoftwareUpdateId $update.CI_ID
}
Write-Output "Added $($updates.Count) updates to group $($sug.LocalizedDisplayName)"
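A group built this way drifts: updates in it expire or get superseded between creation and deployment, and content may never have been downloaded. The following pre-deployment check is an added example (not part of the original guide); it assumes the session is already on the site drive and that the group follows the page's naming scheme.

```powershell
# Assumes the ConfigMgr module is loaded and the current location is the site drive.
$groupName = "WS2019-Security-$(Get-Date -Format 'MMM-yyyy')"

function Test-SugReadyForDeployment {
    param([Parameter(Mandatory)][string]$GroupName)

    # Pull the members once; -Fast skips lazy properties this check does not need.
    $members = @(Get-CMSoftwareUpdate -UpdateGroupName $GroupName -Fast)
    if ($members.Count -eq 0) { throw "Group '$GroupName' is empty; check the sync and the filter." }

    $expired    = @($members | Where-Object { $_.IsExpired })
    $superseded = @($members | Where-Object { $_.IsSuperseded })
    # IsContentProvisioned stays false until the update has been downloaded into a deployment package.
    $noContent  = @($members | Where-Object { -not $_.IsContentProvisioned })

    # Expired updates are never installed by clients and the console flags deployments that
    # still contain them, so drop them before deploying.
    foreach ($u in $expired) {
        Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $GroupName -SoftwareUpdateId $u.CI_ID -Confirm:$false
    }
    # Superseded updates are redundant once the replacement is in the group; remove them too.
    foreach ($u in $superseded) {
        Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $GroupName -SoftwareUpdateId $u.CI_ID -Confirm:$false
    }

    [pscustomobject]@{
        Group             = $GroupName
        Total             = $members.Count
        RemovedExpired    = $expired.Count
        RemovedSuperseded = $superseded.Count
        MissingContent    = @($noContent | Select-Object -ExpandProperty ArticleID)
        Ready             = ($noContent.Count -eq 0)
    }
}

$check = Test-SugReadyForDeployment -GroupName $groupName
$check | Format-List
if (-not $check.Ready) {
    Write-Warning "Download content for KB(s) $($check.MissingContent -join ', ') before deploying $groupName"
}
```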
Deploying Updates to Windows Server 2019 Collections
Create device collections for update target rings and deploy the SUG:
# Create a collection for Windows Server 2019 servers
$collection = New-CMDeviceCollection -Name "WS2019-Prod-Servers" -LimitingCollectionName "All Systems"
# Add a query membership rule
Add-CMDeviceCollectionQueryMembershipRule `
    -CollectionName "WS2019-Prod-Servers" `
    -QueryExpression "select SMS_R_SYSTEM.ResourceID from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceID where SMS_G_System_OPERATING_SYSTEM.Caption like '%Windows Server 2019%'" `
    -RuleName "WS2019 Systems"
# Deploy the Software Update Group
New-CMSoftwareUpdateDeployment `
    -SoftwareUpdateGroupName "WS2019-Security-$monthYear" `
    -CollectionName "WS2019-Prod-Servers" `
    -DeploymentName "WS2019-Security-$monthYear-Deploy" `
    -DeploymentType Required `
    -TimeBasedOn LocalTime `
    -AvailableDateTime (Get-Date).AddDays(7) `
    -DeadlineDateTime (Get-Date).AddDays(14) `
    -UserNotification DisplaySoftwareCenterOnly `
    -AllowRestart $true `
    -RestartServer $true `
    -SoftDeadlineEnabled $true
Configuring Maintenance Windows
Maintenance windows restrict when SCCM can install updates or reboot servers. Configure a weekly maintenance window for production servers:
# Create a maintenance window: Saturdays 2 AM - 6 AM
$schedule = New-CMSchedule -DayOfWeek Saturday -Start "2000/01/01 02:00:00" -End "2000/01/01 06:00:00" -RecurCount 1
New-CMMaintenanceWindow `
    -CollectionId (Get-CMDeviceCollection -Name "WS2019-Prod-Servers").CollectionID `
    -Name "WS2019-Sat-Maintenance" `
    -Schedule $schedule `
    -ApplyTo SoftwareUpdatesOnly `
    -IsEnabled $true
Generating Software Update Compliance Reports
# View compliance summary for a deployment
$deployment = Get-CMDeployment | Where-Object { $_.ApplicationName -like "*WS2019-Security*" } | Select-Object -First 1
Get-CMDeploymentStatus -DeploymentId $deployment.DeploymentID -StatusType Any |
    Group-Object StatusType | Select-Object Name, Count
# Detailed per-machine compliance status (the details cmdlet takes the status objects from the pipeline)
Get-CMDeploymentStatus -DeploymentId $deployment.DeploymentID -StatusType Any |
    Get-CMDeploymentStatusDetails |
    Select-Object MachineName, StatusType, StatusDescription, LastStatusTime |
    Sort-Object StatusType | Format-Table -AutoSize
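Deployment status answers "did the deployment run"; the compliance counters on the update objects and the per-device SMS_UpdateComplianceStatus class answer "which server still lacks which KB, and which servers are not scanning at all". The report below is an added example, not code from the original guide; it assumes site code PS1 (as on the page), an SMS Provider on the local site server, the page's group naming scheme, and an assumed 5% threshold for Unknown results.

```powershell
# Assumed values: site code "PS1", local SMS Provider, group name from the page's naming scheme.
$SiteCode  = "PS1"
$Namespace = "root\sms\site_$SiteCode"
$groupName = "WS2019-Security-$(Get-Date -Format 'MMM-yyyy')"

function Get-SugComplianceReport {
    param([Parameter(Mandatory)][string]$GroupName, [int]$UnknownThresholdPct = 5)

    # Per-update roll-up carried on SMS_SoftwareUpdate: NumMissing = devices that still need it,
    # NumUnknown = devices whose last scan never reported a state for it.
    $members = @(Get-CMSoftwareUpdate -UpdateGroupName $GroupName -Fast)
    if ($members.Count -eq 0) { throw "Group '$GroupName' is empty." }
    $perUpdate = $members |
        Select-Object ArticleID, LocalizedDisplayName, NumMissing, NumInstalled, NumNotApplicable, NumUnknown, PercentCompliant |
        Sort-Object NumMissing -Descending

    # Per-device rows straight from the provider. Status 3 = required but not installed, 0 = unknown.
    $ciList = ($members | ForEach-Object { $_.CI_ID }) -join ','
    $rows = Get-CimInstance -Namespace $Namespace -Query @"
SELECT MachineID, CI_ID, Status, LastStatusCheckTime FROM SMS_UpdateComplianceStatus
WHERE CI_ID IN ($ciList) AND Status IN (0, 3)
"@
    $perDevice = $rows | Group-Object MachineID | ForEach-Object {
        [pscustomobject]@{
            Device   = (Get-CMDevice -ResourceId ([int]$_.Name) -Fast).Name
            Missing  = @($_.Group | Where-Object { $_.Status -eq 3 }).Count
            Unknown  = @($_.Group | Where-Object { $_.Status -eq 0 }).Count
            LastScan = ($_.Group.LastStatusCheckTime | Sort-Object -Descending | Select-Object -First 1)
        }
    } | Sort-Object Missing, Unknown -Descending

    # A large Unknown share means the scan itself is failing (WUA, proxy, SUP reachability),
    # which a NumMissing-only view hides behind a healthy-looking percentage.
    $total      = ($members | Measure-Object -Property NumTotal -Sum).Sum
    $unknown    = ($members | Measure-Object -Property NumUnknown -Sum).Sum
    $unknownPct = if ($total -gt 0) { [math]::Round(100 * $unknown / $total, 1) } else { 0 }

    [pscustomobject]@{
        PerUpdate      = $perUpdate
        PerDevice      = $perDevice
        UnknownPercent = $unknownPct
        ScanHealthOk   = ($unknownPct -le $UnknownThresholdPct)
    }
}

$report = Get-SugComplianceReport -GroupName $groupName
$report.PerUpdate | Format-Table -AutoSize
$report.PerDevice | Format-Table -AutoSize
if (-not $report.ScanHealthOk) { Write-Warning "$($report.UnknownPercent)% of results are Unknown; fix client scans before trusting the compliance figure" }
```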
Enabling Phased Deployments for Updates
# Create a phased deployment: Phase 1 (Lab) -> Phase 2 (Prod); Prod begins 7 days after Lab reaches 90% compliance
$lab  = New-CMSoftwareUpdatePhase -Name "Phase-Lab" -CollectionName "WS2019-Lab" -SoftwareUpdateGroupName "WS2019-Security-$monthYear" -CriteriaOption Compliance -CriteriaValue 90
$prod = New-CMSoftwareUpdatePhase -Name "Phase-Prod" -CollectionName "WS2019-Prod-Servers" -SoftwareUpdateGroupName "WS2019-Security-$monthYear" -BeginCondition AfterPeriod -DaysAfterPreviousPhaseSuccess 7
# Assemble both phases into one phased deployment of the SUG (phases alone deploy nothing)
New-CMSoftwareUpdateManualPhasedDeployment -SoftwareUpdateGroupName "WS2019-Security-$monthYear" -Name "WS2019-Security-$monthYear-Phased" -AddPhases $lab, $prod
SCCM’s phased deployment automatically advances to the next ring once the success criterion (90% compliance in the lab) is met, eliminating manual gate checks. Combine this with SCCM’s built-in reporting to generate executive summaries and technical drill-downs that satisfy internal audit and compliance requirements for patch SLAs.