Hi Gang!

So I provided this information to one of my customers recently, and Georgy said it would be quite helpful for you dedicated ConfigMgrDogs readers too, so here it is.

This is a high-level view of the Windows Update process from a ConfigMgr clients view utilizing a SUP (Software Update Point).

The Software Update process from the ConfigMgr client

image

Following the flow

After refreshing machine policy, kick off the Software Update Scan. We can then see the Software Update Scan Cycle has started via the WUAHandler.log (C:\Windows\CCM\Logs\WUAHandler.log)

image

The Windows Update Handler initiates the Windows Update service against the ConfigMgr SUP. (C:\Windows\WindowsUpdate.log)

image

After the scan is completed, we then run the Software Update Deployment Evaluation Cycle. Use the UpdatesDeployment.log to view this process (C:\Windows\CCM\Logs\UpdatesDeployment.log)

image

The Content Access Service finds the content on the CMPRI-MATTSLABS Distribution Point and downloads it

image

Update Deployment attempts to install updates, Service Window Manager blocks the installation (C:\Windows\CCM\Logs\UpdatesDeployment.log)

SNAGHTMLad0f073

Service Window Manager blocking the installation (C:\Windows\CCM\Logs\ServiceWindowManager.log)

clip_image002

And when the window opens, the updates should install. Check the UpdatesDeployment.log

image

Also, the WindowsUpdate.log success

image

And reboot if required (and scheduled)

image

image

Update: An ex-colleague reached out to me to add some extra info around the process for the SCEP update trigger. As my SCEP knowledge isn't the greatest, it's something I'll be sure to remember and very helpful for the community.

The key difference that I can see is that the SCEP definition update initiates from the AntiMalware Policy configuration, not from the EndPoint client settings where I expected to see it, or the from Software Updates Schedule client setting.  As opposed of course to Software Update scanning and installation as per your post.  Also triggering a manual SCEP definition update is only done from the SCEP client and not the SCCM client actions from what I've seen so far.


Thanks David!