Deploy SCOM Agent Update Rollup on non-remotely managed agents

Microsoft periodically releases Update Rollups for SCOM.

[Kevin Holman wrote a step-by-step post on applying the update: https://blogs.technet.com/b/kevinholman/archive/2016/01/12/ur8-for-scom-2012-r2-step-by-step.aspx ]

After you finish running the updates on all server roles, every agent that was installed remotely (or has 'Remotely Manageable = true' in the database) enters Pending Management and waits for you to push the Update Rollup to it from the console.

Agents that were installed manually, because you could not open all the required ports, need the update .msp file copied to them and run locally.

In this post you learn how to push this update automatically, without distribution software such as SCCM, by using a SCOM rule and a file share that all servers can access.

1. Extract the .msp files from the Agent Update Rollup folder into a folder on the file share.

2. Create a new rule of type "execute a script": configure the schedule and write the VB script:

Uncheck 'Rule is enabled'

Configure your schedule

Write this script; where <file share path> appears, insert the path of the file share that all servers can access.

Script: ________________________________________________

Dim WshShell, WshProcEnv, Process_Architecture
Const Event_Success = 0
' <file share path> is the UNC path of the share that holds the extracted .msp files
Const SharePath = "<file share path>"

Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshProcEnv = WshShell.Environment("Process")
Process_Architecture = WshProcEnv("PROCESSOR_ARCHITECTURE")

If Process_Architecture = "x86" Then
    WshShell.LogEvent Event_Success, "Start UR for x86 Processor_Architecture"
    ' Quotes inside a VBScript string are doubled; /quiet /norestart keeps the
    ' non-interactive rule from blocking on installer UI. The final True waits for msiexec to finish.
    WshShell.Run "Msiexec.exe /update """ & SharePath & "\i386-Agent.msp"" /quiet /norestart", 0, True
Else
    WshShell.LogEvent Event_Success, "Start UR for 64 bit Processor_Architecture"
    WshShell.Run "Msiexec.exe /update """ & SharePath & "\AMD64-Agent.msp"" /quiet /norestart", 0, True
End If

_______________________________________________________

Then select Create.
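The rule script above runs an installer straight off a file share under the Run As account from step 5, so a hardened version should confirm that the package is what you put there before executing it, and should record the msiexec result so failures are visible in the Operations Manager log. The following PowerShell script is an added example, not code from the original post: it shows the same architecture selection with an Authenticode check and exit-code handling. The share path, the UR number, the event IDs and the script name are assumptions; it is written to run by hand on an agent, or from a PowerShell script rule if you author one with a management pack authoring tool.

```powershell
# Added example (not from the original post). Assumed values: $SharePath, $UrTag, event IDs.
$SharePath = '\\fileserver\scom-ur'   # assumed UNC path of the share from step 1
$UrTag     = 'UR<X>'                  # placeholder: number of this update rollup
$Script    = 'Install-ScomAgentUR.ps1' # assumed name, used only for event logging

# MOM.ScriptAPI is present on every SCOM agent; severity 0 = info, 1 = error, 2 = warning.
$api = New-Object -ComObject 'MOM.ScriptAPI'

# PROCESSOR_ARCHITEW6432 is set when a 32-bit host runs on 64-bit Windows, so checking it
# avoids applying the x86 package to an x64 agent.
$is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
$Msp  = Join-Path $SharePath $(if ($is64) { 'AMD64-Agent.msp' } else { 'i386-Agent.msp' })

if (-not (Test-Path -LiteralPath $Msp)) {
    $api.LogScriptEvent($Script, 9001, 1, "Package not found: $Msp")
    exit 1
}

# Only run a package from the share if its Authenticode signature is valid and from Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $Msp
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    $api.LogScriptEvent($Script, 9002, 1, "Refusing to install $Msp : signature status $($sig.Status)")
    exit 1
}

# Run the patch silently, wait for it, and keep a verbose log for troubleshooting.
$log = Join-Path $env:TEMP "scom-agent-$UrTag.log"
$args = @('/update', "`"$Msp`"", '/quiet', '/norestart', '/l*v', "`"$log`"")
$p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru

switch ($p.ExitCode) {
    0       { $api.LogScriptEvent($Script, 9003, 0, "$UrTag installed from $Msp") }
    3010    { $api.LogScriptEvent($Script, 9004, 2, "$UrTag installed from $Msp, reboot required") }
    default { $api.LogScriptEvent($Script, 9005, 1, "msiexec exited $($p.ExitCode) for $Msp, see $log") }
}
exit $p.ExitCode
```

Because the Run As account from step 5 can execute whatever sits on the share on every agent, grant that account read-only access to the share and allow writes only to the administrators who stage the rollup; the signature check above catches a swapped or corrupted package, not a correctly signed one that someone else placed there.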

3. Create a dynamic group to target the override. Select the Agent class, click 'Add', and set the condition to "Patch List - Does not match wildcard - *UR<X>*", where <X> is the number of this update rollup.

This group includes only the agents on which the latest update rollup is not installed.

The Patch List property is shown under the Operations Manager folder in the 'Agents by Version' view.

4. Find the rule you created in step 2 and override it (enable it) for this group.

5. Because the agent's service runs as Local System, which has no permissions to run an installation from the share, create a Run As profile with an account that does have those permissions and configure this rule to run with that profile.

On the next interval the script runs locally on every agent that is not yet updated; once the update is installed, the agent automatically leaves the group and the script does not run on it again.
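To confirm that the loop described above is actually closing, compare the agents whose Patch List still lacks the rollup with the current membership of the dynamic group from step 3. The following PowerShell, run on a management server, is an added example and not part of the original post; the group display name and the UR number are assumptions, and it relies on the PatchList property that the OperationsManager module exposes for each agent (the same property the group criterion filters on).

```powershell
# Added example (not from the original post). Assumed values: $UrTag and $GroupName.
Import-Module OperationsManager
$UrTag     = 'UR<X>'                          # placeholder: number of this update rollup
$GroupName = 'SCOM Agents missing <X>'   # assumed display name of the group from step 3

# Agents whose PatchList does not mention this rollup, i.e. the ones the rule still has to reach.
$missing = Get-SCOMAgent | Where-Object { $_.PatchList -notmatch $UrTag }

# Current members of the dynamic group (the override only applies to these).
$group   = Get-SCOMGroup -DisplayName $GroupName
$members = @()
if ($group) {
    $members = $group.GetRelatedMonitoringObjects() | Select-Object -ExpandProperty DisplayName
}

# An agent that is missing the rollup but is not in the group will never run the rule;
# in practice that means the group has not recalculated yet or the agent is unhealthy.
$missing | ForEach-Object {
    [pscustomobject]@{
        Agent     = $_.DisplayName
        Version   = $_.Version
        PatchList = $_.PatchList
        Health    = $_.HealthState
        InGroup   = ($members -contains $_.DisplayName)
    }
} | Sort-Object InGroup, Agent | Format-Table -AutoSize
```

Agents listed with InGroup = False and a healthy state deserve a look at the group criterion (a typo in the wildcard is the usual cause); agents that stay InGroup = True across several intervals point at the Run As profile or at the msiexec result on the agent itself.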