
How to Identify Which Products to Select in the MECM/SCCM Software Update Point (SUP) Products tab

Created by Scott Fairchild on Apr 06, 2022

Have you ever wanted to know which Configuration Manager Software Update Point (SUP)/WSUS products you should enable so your devices receive all available patches?

An easy way, but definitely not recommended, would be to enable all products. This is a bad idea as workstations would have to download a large amount of metadata and that would impact the scanning process.

Before today, there was no easy way to identify which products to select. You could go through all of the software titles in your environment, and then try and figure out which products they match to. Or you could just know your environment well enough to know which ones to select.

As an Architect for a global MSP, I routinely go into environments I have no knowledge of. Verifying they have all the required products selected is a task I cannot do without extensive data gathering. I searched the internet looking for an easy way to identify which products should be selected, but found none. I even posted in online forums, but no one was able to provide an answer.

After doing some more research, I devised a PowerShell script that can identify which products each device needs updates for.

Using the Microsoft.Update.Searcher COM object, the PowerShell script goes online and scans directly against Microsoft Update. The results of the scan are then parsed, and the products related to the updates Microsoft identified are captured. The results are then loaded into a custom WMI class so they can be inventoried by MECM/SCCM. By default, the WMI class is called Update_Product_List and it is found under the ROOT\ITLocal namespace.

Once the Hardware Inventory classes are extended to inventory this information (not detailed here), you can report against those metrics. I created a report that compares the products devices have installed, with what is selected on the Products tab of the SUP. I've included the report, along with the script, in the download at the end of this post.

In my lab environment, there were a couple of products that I needed to enable. You may also notice that some products are listed twice. This is because they are listed twice in the Products tab of the SUP. For example, Windows Server 2019 is listed under 'Developer Tools, Runtimes, and Redistributables' and also under 'Windows'.

You may also see Windows versions and Products that are not in your environment. For example, in my lab, it is showing 'Windows 10 LTSB' as a product found on a device, but in reality, I do not have LTSB installed anywhere. What is happening here is that some updates, like the monthly CU, apply to multiple products, and all of those products will be included by the scan.

At this point, it is important to point out what must be enabled for the script to work.

The devices MUST be able to communicate with Windows Update (download.windowsupdate.com) to get metadata. If your company blocks access, then the script won't work.

You can check if you can communicate with Windows Update by going into Settings and clicking on Update and Security. If you see the link 'Check online for updates from Microsoft Update.' you should be good to go.

If you do not see the link, more than likely it is being blocked by the following GPO setting:

Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings
Turn off access to all Windows Update features = Enabled

The script also requires that 'Give me updates for other Microsoft products when I update Windows' under Advanced Options is enabled.

No worries if that option is not enabled. The script will turn it on if it is not enabled, and then turn it back off when done scanning. If it is already enabled, the script will not touch the setting.

NOTE: The script DOES NOT install any updates it detects, it just scans for them.

The script creates the following three files in C:\Windows\CCM\Logs.

  • Get-UpdateProductList.log - The log file for the script itself
  • UpdateProductListScanResults.csv - A list of all the updates Microsoft identified that were applicable to your device. It includes whether they are installed or not and what product categories they belong to.
  • UpdateProductListProductsFound.txt - Contains a distinct list of products that were found. This is the information that is loaded into WMI.
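The following PowerShell is an added example written for this post, not the downloadable script. It walks the same procedure described above: check that the 'Turn off access to all Windows Update features' policy is not blocking the scan, enable the 'Give me updates for other Microsoft products' opt-in only if it is off (and revert it afterwards), scan Microsoft Update with the Windows Update Agent COM objects, collect the 'Product' categories of every applicable update, write the CSV and TXT outputs, and publish the distinct product list to ROOT\ITLocal:Update_Product_List. The function names, the CSV column layout, and the use of ServerSelection=3 with the well-known Microsoft Update service ID are this example's own choices; the DisableWindowsUpdateAccess registry value is the one the named GPO writes.

```powershell
#Requires -RunAsAdministrator
# Added example (not the script from the post). Scans Microsoft Update, maps each
# applicable update to its 'Product' categories, and publishes the distinct list to WMI.
# It only scans; it never downloads or installs anything.

$LogDir      = 'C:\Windows\CCM\Logs'
$Namespace   = 'ROOT\ITLocal'                            # namespace named in the post
$ClassName   = 'Update_Product_List'                     # class name named in the post
$MuServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'    # well-known Microsoft Update service ID

function Test-WindowsUpdateAccessBlocked {
    # The GPO 'Turn off access to all Windows Update features' sets this policy value to 1.
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
                          -Name DisableWindowsUpdateAccess -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableWindowsUpdateAccess -eq 1)
}

function Enable-MicrosoftUpdateOptIn {
    # Returns $true only if this call turned the opt-in on, so the caller knows to revert it.
    $sm  = New-Object -ComObject Microsoft.Update.ServiceManager
    $svc = $sm.Services | Where-Object { $_.ServiceID -eq $MuServiceId }
    if ($svc -and $svc.IsRegisteredWithAU) { return $false }   # already on: leave it alone
    # 7 = asfAllowPendingRegistration + asfAllowOnlineRegistration + asfRegisterServiceWithAU
    [void]$sm.AddService2($MuServiceId, 7, '')
    return $true
}

function Disable-MicrosoftUpdateOptIn {
    # Assumed sufficient to restore the previous state on a device where WU/WSUS is the default service.
    $sm = New-Object -ComObject Microsoft.Update.ServiceManager
    $sm.RemoveService($MuServiceId)
}

function Get-ApplicableUpdateProducts {
    # One row per update Microsoft considers applicable (installed or not), with its product categories.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.Online          = $true
    $searcher.ServerSelection = 3              # ssOthers: use the service named on the next line
    $searcher.ServiceID       = $MuServiceId   # scan Microsoft Update directly, not the SUP/WSUS
    $result = $searcher.Search('IsInstalled=0 or IsInstalled=1')
    foreach ($u in $result.Updates) {
        # A single update (e.g. a monthly CU) can carry several Product categories,
        # which is why products such as 'Windows 10 LTSB' show up on devices that do not run them.
        $products = @($u.Categories | Where-Object { $_.Type -eq 'Product' } | ForEach-Object { $_.Name })
        [pscustomobject]@{
            Title       = $u.Title
            IsInstalled = $u.IsInstalled
            Products    = ($products -join '; ')
        }
    }
}

function Publish-ProductsToWmi([string[]]$Products) {
    # Create ROOT\ITLocal if it does not exist yet.
    $nsExists = Get-CimInstance -Namespace ROOT -ClassName __Namespace -Filter "Name='ITLocal'" -ErrorAction SilentlyContinue
    if (-not $nsExists) {
        $ns = ([wmiclass]'ROOT:__Namespace').CreateInstance()
        $ns.Name = 'ITLocal'
        [void]$ns.Put()
    }
    # Recreate the class on every run so stale products from the previous scan disappear.
    if (Get-CimClass -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue) {
        ([wmiclass]"${Namespace}:${ClassName}").Delete()
    }
    $class = New-Object System.Management.ManagementClass($Namespace, [string]::Empty, $null)
    $class['__CLASS'] = $ClassName
    $class.Properties.Add('Product', [System.Management.CimType]::String, $false)
    $class.Properties['Product'].Qualifiers.Add('Key', $true)   # one instance per product name
    [void]$class.Put()
    foreach ($p in $Products) {
        $inst = ([wmiclass]"${Namespace}:${ClassName}").CreateInstance()
        $inst.Product = $p
        [void]$inst.Put()
    }
}

# ---- main flow ----
if (Test-WindowsUpdateAccessBlocked) {
    throw 'Access to Windows Update is disabled by policy (DisableWindowsUpdateAccess=1); the scan cannot run.'
}
$turnedOn = Enable-MicrosoftUpdateOptIn
try {
    $rows = @(Get-ApplicableUpdateProducts)
} finally {
    if ($turnedOn) { Disable-MicrosoftUpdateOptIn }   # put the setting back the way we found it
}
$rows | Export-Csv -Path (Join-Path $LogDir 'UpdateProductListScanResults.csv') -NoTypeInformation
$distinct = @($rows.Products -split '; ' | Where-Object { $_ } | Sort-Object -Unique)
$distinct | Set-Content -Path (Join-Path $LogDir 'UpdateProductListProductsFound.txt')
Publish-ProductsToWmi -Products $distinct
"Found $($distinct.Count) product(s): $($distinct -join ', ')"
```

Run it elevated on a test device first; an online scan against Microsoft Update can take several minutes. After it completes, `Get-CimInstance -Namespace ROOT\ITLocal -ClassName Update_Product_List` shows the rows that a hardware inventory extension of that class would collect, and the TXT file holds the same distinct list for a quick comparison against the SUP Products tab.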

During my testing I noticed that 'Microsoft Edge' was not reported by any device. I'm assuming this is because Microsoft Update doesn't scan for that since Edge updates itself.

As always, test, test, test before putting into production.


Download: GetUpdateProductList.zip


THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

