SCCM Patch Management for Azure Virtual Machines

Patch Management for Azure: SCCM Implementation

  • In Azure, SCCM 2012 R2 can be deployed in two scenarios:
    1. The SCCM server and the client machines are in the same subscription.
    2. The SCCM server is in one subscription and the client machines are in different subscriptions.
  • The second scenario requires a PKI certificate infrastructure and an Internet-based management point.
  • In both scenarios the patching process is the same.


  • This assumes that you have a working SCCM environment with the Software Update Point role installed and configured to deploy Windows patches using SCCM.
  • Since this environment is in Azure, we are not going to configure boundaries and boundary groups for distribution points.
  • We will deploy this package to the DP. Since no boundaries are configured, clients will automatically download the updates directly from the Internet (this option better suits the second scenario).

Monthly Windows Update Process:

  • In SCCM 2012 R2, Microsoft introduced a feature called Automatic Deployment Rules (ADR), and we are going to use this functionality to deploy the monthly patches to the servers.

Create Automatic Deployment Rule (One time activity):

  • Open the SCCM console and go to Software Library, Software Updates, Automatic Deployment Rules.

[Screenshot: Patch Management for Azure 1]

  • Create an Automatic Deployment Rule with the following details:

[Screenshot: Patch Management for Azure 2]

In General

  • ADR Rule Name : HMA – Patch_Tuesday_Updates
  • Deploy this to the device collection where the servers are grouped. Here we deployed to “$$Empty Collection”.
  • This ADR will create a new Software Update Group every time it runs.

In Deployment Settings

  • Detail level : Only error messages
  • Enable “Automatically deploy all software updates found by this rule, and approve any license agreements”.

In Software Updates

[Screenshot: Patch Management for Azure 3]

  • Date Released or Revised : Last 1 Month
  • Product : Windows Server 2012 R2 (change the product depending on your requirement)
  • Update Classification : Critical Updates, Definition Updates, Security Updates, Update Rollups, Updates

In Evaluation Schedule

  • Select “Do not run this rule automatically”

In Deployment Schedule

[Screenshot: Patch Management for Azure 4]

  • Schedule Evaluation : Time based on “Client local time”
  • Software available time : As soon as possible
  • Installation deadline : 3 days

In User Experience

[Screenshot: Patch Management for Azure 5]

  • User notifications : Display in Software Center and show all notifications
  • Deadline behavior : Enable Software Installation
  • Device restart behavior : Suppress the system restart on the following devices
    • Enable both Servers and Workstations

In Download Settings

[Screenshot: Patch Management for Azure 6]

  • Slow or unreliable network : Download software updates from distribution point and install
  • When software updates are not available on any preferred distribution points, clients can download and install from a fallback source location:
    • Enable download and install from fallback source location or content
  • Also enable these settings:
    • Allow clients to share content with other clients on the same subnet
    • If software updates are not available on a preferred distribution point or remote distribution point, download content from Microsoft Update

In Language Settings

  • Select English

In Deployment Package

  • Select a deployment package : HMA_Patch_Tuesday

Once you have created this rule, the new rule appears in the console and you can choose Run Now from the ribbon.
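The same rule can be built with the ConfigurationManager PowerShell module instead of clicking through the wizard, which makes the settings above reviewable and repeatable. This is an added example, not code from the original post; it assumes a site code of P01 (placeholder), that the module ships with the installed console (the SMS_ADMIN_UI_PATH variable), that “$$Empty Collection” and the HMA_Patch_Tuesday package already exist, and that the parameter names match the module version on your site (check Get-Help New-CMSoftwareUpdateAutoDeploymentRule -Full before running it).

```powershell
# Added example: creates the ADR described above with the ConfigurationManager
# module. Not from the original post.
# Assumptions (not in the original): site code 'P01'; the module lives next to
# the console binaries; the collection and deployment package already exist.

$SiteCode = 'P01'   # placeholder: replace with your site code
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Single quotes matter: "$$Empty Collection" in double quotes would be expanded
# as a PowerShell variable and the collection lookup would fail.
$adrParams = @{
    Name                             = 'HMA – Patch_Tuesday_Updates'
    CollectionName                   = '$$Empty Collection'
    DeploymentPackageName            = 'HMA_Patch_Tuesday'

    # General: a new software update group on every run; the rule stays
    # disabled until the monthly activity enables it
    AddToExistingSoftwareUpdateGroup = $false
    EnabledAfterCreate               = $false

    # Deployment Settings
    VerboseLevel                     = 'OnlyErrorMessages'
    DeployWithoutLicense             = $true   # approve any license agreements

    # Software Updates criteria
    DateReleasedOrRevised            = 'Last1Month'
    Product                          = 'Windows Server 2012 R2'
    UpdateClassification             = 'Critical Updates', 'Definition Updates',
                                       'Security Updates', 'Update Rollups', 'Updates'

    # Evaluation Schedule
    RunType                          = 'DoNotRunThisRuleAutomatically'

    # Deployment Schedule: client local time, available ASAP, deadline 3 days
    UseUtc                           = $false
    AvailableImmediately             = $true
    DeadlineImmediately              = $false
    DeadlineTime                     = 3
    DeadlineTimeUnit                 = 'Days'

    # User Experience
    UserNotification                 = 'DisplayAll'
    AllowSoftwareInstallationOutsideMaintenanceWindow = $true   # deadline behavior
    SuppressRestartServer            = $true
    SuppressRestartWorkstation       = $true

    # Download Settings
    NoInstallOnRemote                = $false   # slow network: download from DP and install
    NoInstallOnUnprotected           = $false   # allow fallback source location
    UseBranchCache                   = $true    # share content with clients on the same subnet
    DownloadFromMicrosoftUpdate      = $true    # no boundaries, so clients fetch from Microsoft Update

    # Language Settings
    LanguageSelection                = 'English'
}

New-CMSoftwareUpdateAutoDeploymentRule @adrParams
```

Save the script as UTF-8 with a byte-order mark, because the en dash in the rule name is otherwise mangled by Windows PowerShell and the monthly step would then look for a rule that does not exist. The rule is created disabled, which matches the monthly flow below where it is enabled only when you are ready to run it.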

[Screenshot: Patch Management for Azure 7]

Monthly Activities for Patch deployment:

  • Open the SCCM console, go to Software Library, Software Updates, Automatic Deployment Rules and select the ADR “HMA – Patch_Tuesday_Updates”.
  • Right-click this rule and enable it; once it is enabled, click “Run now”.
  • This runs the rule and creates a new software update group named “HMA – Patch_Tuesday_Updates YYYY-MM-dd hh:mm:ss”.
  • You can also follow the status in “ruleengine.log”.
  • If the ADR runs successfully, the Last Error Status of the ADR shows Success; if it failed, the error is posted there.
  • All the newly released patches will be visible in this software update group and deployed to all clients.
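The monthly steps above (enable the rule, Run now, check the last error status, look at ruleengine.log, inspect the new software update group) as one script. This is an added example, not from the original post; it assumes a site code of P01 (placeholder), that it runs on the site server so that ruleengine.log is reachable under SMS_LOG_PATH, that the rule object returned by Get-CMSoftwareUpdateAutoDeploymentRule exposes LastRunTime and LastErrorCode, and that Get-CMSoftwareUpdateGroup -Name accepts a trailing wildcard.

```powershell
# Added example (not from the original post): the monthly "enable, Run now,
# verify" activity done with the ConfigurationManager module.
# Assumptions: site code 'P01' (placeholder); LastRunTime / LastErrorCode
# properties on the rule object; ruleengine.log under $env:SMS_LOG_PATH.

$SiteCode = 'P01'
$RuleName = 'HMA – Patch_Tuesday_Updates'
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Steps 1-2: enable the rule and trigger "Run now"
Enable-CMSoftwareUpdateAutoDeploymentRule -Name $RuleName
$previousRun = (Get-CMSoftwareUpdateAutoDeploymentRule -Name $RuleName).LastRunTime
Invoke-CMSoftwareUpdateAutoDeploymentRule -Name $RuleName

# Step 3: the run is asynchronous; poll until LastRunTime moves (15 minute cap)
$timeout = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $adr = Get-CMSoftwareUpdateAutoDeploymentRule -Name $RuleName
} until ($adr.LastRunTime -ne $previousRun -or (Get-Date) -gt $timeout)

if ($adr.LastRunTime -eq $previousRun) {
    Write-Warning "ADR '$RuleName' did not record a new run within 15 minutes"
}

# Step 4: the ruleengine.log view, reduced to the lines about this rule
$log = Join-Path $env:SMS_LOG_PATH 'ruleengine.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern ([regex]::Escape($RuleName)) |
        Select-Object -Last 10 | ForEach-Object Line
}

# Step 5: Last Error Status; 0 is Success, anything else is the posted error
if ($adr.LastErrorCode -ne 0) {
    Write-Warning ("ADR '{0}' reported error 0x{1:X8}; see {2}" -f $RuleName, $adr.LastErrorCode, $log)
    return
}

# Step 6: the newest software update group created by this rule and its contents
$sug = Get-CMSoftwareUpdateGroup -Name "$RuleName*" |
    Sort-Object DateCreated -Descending | Select-Object -First 1
"Newest software update group: $($sug.LocalizedDisplayName) ($($sug.NumberOfUpdates) updates)"
Get-CMSoftwareUpdate -UpdateGroupName $sug.LocalizedDisplayName -Fast |
    Select-Object ArticleID, LocalizedDisplayName, DatePosted |
    Sort-Object DatePosted -Descending | Format-Table -AutoSize
```

The update list at the end is the same information the post reads off the new software update group in the console; keeping it from each monthly run gives you a record of exactly which updates were pushed to the collection and when, which is what you will want when a server later shows as non-compliant.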
