How to Configure Windows Server 2016 with SCCM Updates

Microsoft System Center Configuration Manager (SCCM), now known as Microsoft Endpoint Configuration Manager (MECM), is the enterprise-grade solution for managing software updates, application deployment, operating system deployment, and compliance across large Windows environments. While WSUS handles basic patch management, SCCM provides a far more powerful and flexible platform for organizations with hundreds or thousands of servers and workstations. This guide covers how to configure the Software Update Point (SUP) in SCCM, set up update deployment, and manage Windows Server 2016 patches at enterprise scale.

Prerequisites

Before configuring SCCM for update management, ensure your environment meets the following requirements. SCCM must be installed and operational with at least one primary site server. A Software Update Point site system role must be configured, which requires WSUS to be installed on the SUP server. The SCCM client must be deployed to all Windows Server 2016 machines you want to manage. A database server running SQL Server is required for the SCCM site database, and sufficient disk space must be available for the WSUS content store.

Install the WSUS role on the server designated as the Software Update Point and run the post-installation task to set the content directory. Do not run the WSUS configuration wizard afterwards; SCCM will configure WSUS automatically:

Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR="E:\WSUS"

Adding the Software Update Point Role in SCCM

In the SCCM console, navigate to Administration > Site Configuration > Servers and Site System Roles. Right-click the server where WSUS is installed and select “Add Site System Roles.” In the Add Site System Roles Wizard, select “Software Update Point” from the available roles list.

Configure the SUP settings. Specify the WSUS port (8530 for HTTP or 8531 for HTTPS). If you are using SSL for WSUS communication, check the option to require SSL. Choose whether this SUP will synchronize from Microsoft Update or from an upstream SCCM site, then complete the wizard.

Wait for SCCM to complete the SUP installation and initial synchronization. Monitor the SUPSetup.log and WCM.log files in the SCCM logs directory to track progress and identify any configuration issues:

Get-Content "C:\Program Files\Microsoft Configuration Manager\Logs\SUPSetup.log" -Tail 50
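
Tailing the log shows everything, including routine informational entries. The function below is an added example, not part of the original guide or of the SCCM tooling: it parses the CMTrace-style entry layout used by Configuration Manager logs and returns only warnings and errors. The function name Get-CMLogIssue is hypothetical, and the sample log entries, including their component names, are constructed for illustration.

```powershell
# Added example: extract warnings (type 2) and errors (type 3) from
# CMTrace-format log text such as SUPSetup.log or WCM.log.
function Get-CMLogIssue {
    param(
        [Parameter(Mandatory)]
        [string]$Text
    )
    # Entry layout assumed here:
    # <![LOG[message]LOG]!><time="HH:mm:ss.fff+off" date="MM-dd-yyyy" component="..." context="" type="N" ...>
    # (?s) lets the message span several lines, which real entries sometimes do.
    $pattern = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[\d:.]+)[^"]*" ' +
               'date="(?<date>[\d-]+)" component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'
    $severity = @{ '2' = 'Warning'; '3' = 'Error' }

    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $type = $m.Groups['type'].Value
        if (-not $severity.ContainsKey($type)) { continue }   # skip informational entries (type 1)
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Severity  = $severity[$type]
            Component = $m.Groups['comp'].Value
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Constructed sample entries (not taken from a real server).
$sample = @'
<![LOG[Constructed sample: role installation started]LOG]!><time="02:10:05.101+000" date="05-01-2026" component="SMSWSUS" context="" type="1" thread="4120" file="constructed.cpp:1">
<![LOG[Constructed sample: WSUS not reachable on port 8531, will retry]LOG]!><time="02:10:09.417+000" date="05-01-2026" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="2" thread="4120" file="constructed.cpp:2">
<![LOG[Constructed sample: remote configuration failed
on the WSUS server]LOG]!><time="02:11:30.002+000" date="05-01-2026" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="3" thread="4120" file="constructed.cpp:3">
'@

# Returns two objects: one Warning and one Error; the type 1 entry is dropped.
Get-CMLogIssue -Text $sample | Format-Table -AutoSize -Wrap
```

Against a real log, pass the whole file as one string so multi-line entries stay intact: Get-CMLogIssue -Text (Get-Content "C:\Program Files\Microsoft Configuration Manager\Logs\WCM.log" -Raw).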

Configuring Software Update Point Properties

After the SUP role is added, configure its synchronization properties. In the SCCM console, go to Software Library > Software Updates > All Software Updates. Right-click “All Software Updates” and choose “Synchronize Software Updates” to trigger an initial sync. To configure ongoing sync settings, go to Administration > Site Configuration > Sites, select your site, click “Configure Site Components” on the ribbon, and choose “Software Update Point.”

In the Software Update Point Component Properties dialog, configure the following settings. On the Products tab, select Windows Server 2016 and any other products you manage. On the Classifications tab, select Critical Updates, Security Updates, Update Rollups, and Definition Updates. On the Sync Schedule tab, configure automatic daily synchronization during off-peak hours. These settings determine what updates SCCM downloads and makes available for deployment.

Creating Software Update Groups

Software Update Groups (SUGs) in SCCM are collections of updates that are deployed together. Create update groups organized by month, patch category, or server role. Navigate to Software Library > Software Updates > Software Update Groups. Right-click and select “Create Software Update Group,” then name it descriptively such as “WS2016-Security-2026-05.”

Add updates to the group by searching the All Software Updates node for updates relevant to Windows Server 2016, selecting them, and right-clicking to add them to the software update group. You can also use automatic deployment rules (ADRs) to automatically populate update groups.

Creating Automatic Deployment Rules

Automatic Deployment Rules automate the process of downloading and deploying newly released updates, making them ideal for maintaining Windows Server 2016 patch currency. Navigate to Software Library > Software Updates > Automatic Deployment Rules and create a new ADR.

Configure the ADR with criteria such as product (Windows Server 2016), classification (Security Updates, Critical Updates), and date released (last 30 days). Configure the deployment schedule to deploy updates to a test collection first, with production deployment occurring one to two weeks later. This staged deployment approach mirrors the best practice workflow from WSUS.

Set the deadline behavior to control when updates are installed. Configure the maintenance window for your servers so SCCM only installs updates and reboots systems during approved maintenance windows:

# SMS00001 is the built-in "All Systems" collection; substitute the ID of your server collection.
New-CMMaintenanceWindow -CollectionID "SMS00001" -Name "Weekend Maintenance" `
    -Schedule (New-CMSchedule -DayOfWeek Saturday -Start "2026-05-01 02:00:00" -DurationCount 4 -DurationInterval Hours)

Deploying Updates to Collections

To deploy a software update group to a device collection, right-click the update group and select “Deploy.” In the Deploy Software Updates Wizard, select the target collection (such as “All Windows Server 2016 – Test”), configure the deployment purpose as Required for forced installation, and set the deadline for when updates must be installed.

Configure user notifications and restart behavior appropriate for servers. For servers, suppress notifications and configure the system to restart automatically after the deadline, within the defined maintenance window.

Monitoring Update Compliance

SCCM provides detailed update compliance reporting. Navigate to Monitoring > Deployments to see real-time status of update deployments. Select a deployment to see per-device status showing which servers have installed the updates, which are pending, and which have errors.

Use the built-in Software Updates reports in SCCM for broader compliance visibility. Navigate to Monitoring > Reporting > Reports > Software Updates to access reports such as “Compliance 1 – Overall compliance” and “Compliance 5 – Specific computers.” These reports give management-friendly summaries of your patching posture.

To query update compliance via PowerShell using the SCCM PowerShell module:

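# Load the Configuration Manager module from the console installation directory
Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
# Switch to the site drive; "PS1" is the site code, replace it with your own
Set-Location "PS1:"
Get-CMSoftwareUpdateDeploymentStatus -Name "WS2016-Security-2026-05" | Select-Object DeviceName, LastComplianceMessageTime, ComplianceState | Format-Table -AutoSize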

SCCM provides a comprehensive platform for enterprise patch management that goes far beyond what WSUS alone can offer. By leveraging automatic deployment rules, maintenance windows, and detailed compliance reporting, you can maintain a strong security posture for your entire Windows Server 2016 fleet with minimal manual effort.