What are 'Global Software Update Groups'?

Global Software Update Groups (SUGs) are groups of updates that are created for campus-use. These update groups are prefixed with 'ISU' and are available in ConfigMgr for all IT units to deploy to their environment

There are three sub-types of SUGs available:

• Monthly Windows Update SUGs - Contains the specified month's worth of Windows Updates for Endpoints.
• Annual Windows Update SUGs - Contains the specified year's worth of Windows Updates for Endpoints.
• Defender Definition Update SUGs - Contains Windows Defender updates and definitions on a daily basis.

Windows Updates Global SUGs

What products and OS versions are included?

Currently we are supporting the following OS versions:

• All supported Windows 10 and LTSC releases
• Windows 8.1

Additionally we deploy and include the following product updates:

• Office 365 Semi-Annual Channel (Latest)
• Office 2016
• Office 2019

We exclude the following kinds of updates:

• Updates that are known to cause issues with the environment

• ARM-processor updates

• Microsoft 'Preview' Monthly Updates

• Microsoft Security-only updates

• Language pack updates

• Server operating system updates

• Server program or application updates (i.e. SharePoint Updates)

When does the SUG get released for deployment?

Windows Update SUGs will be released on the first day of every month for the previous month. In the case of critical vulnerabilities, deployments outside our standard patch cycle are performed.

How do you know what updates are safe to deploy? Are problematic updates removed? How do I know which ones?

As a preventative method, we always deploy our updates one month after they have been released by Microsoft. Our team is also going through each update and checking MS docs and other community sites for known issues. Any update that was pulled will be noted in the description field of the SUG with the reason why.

Is this safe for my environment?

We always recommend that you create a test collection of low risk computers to user when deploying any Windows Update SUG regardless of whether it is global or not. Our best practice is to create a 'pilot' group of machines to patch and test with for a few days before pushing to the rest of your environment.

Defender Definition Updates Global SUGs

Whats the difference between the 12PM and 3AM update groups? Which one should I use?

We have two different update cycles available for deployment, at 12PM and 3AM each day. It does not matter which one is used as the Definition Updates install silently without user interference.

It is recommended however that you only choose one of these update SUGs to use and deploy only one to limit confusion and troubleshooting issues.