Back in the days when ConfigMgr was called SMS and the version was 2.0, one of its strongest selling points was its ability to deploy Windows Updates to clients, as no automatic solution existed apart from a utility called qchain.
Even today, while ConfigMgr's features have evolved to offer a much broader set of functions, OS and application update deployment is still a fundamental building block of every SCCM deployment I have worked with.
SCCM Updates Deployment Requisites
While the Software Update Point (SUP) is a standalone component, it relies on WSUS services for the synchronization of updates. Don't be mistaken, though: ConfigMgr will take complete control of the WSUS server, so if you want to use WSUS to update a set of clients not managed by ConfigMgr you will need to deploy a dedicated WSUS server.
Microsoft recommends installing WSUS on a dedicated system, which allows the management of up to 100.000 clients, while if WSUS is on the same system as the ConfigMgr server this number goes down to 25.000.
If you are going to host the WSUS server on a separate system, you will need to install the WSUS SDK (read: console) on the server.
SUP Role and SCCM Updates Deployment
Once all the required components are in place, to deploy the SUP role simply open the ConfigMgr Administration console and navigate to Administration → Site Configuration → Servers and Site System Roles.
To deploy the SUP role on an already defined Site System, like the ConfigMgr server in the above example, right-click on it and select Add Site System Roles.
In the General page most of the settings will already be populated, so simply click Next; the same holds true for the Proxy page.
In the Specify Roles for this Server page, select the SUP role.
Add SUP Role to external WSUS Server
If you have deployed WSUS on a separate machine, go to Servers and Site System Roles, right-click on the right pane and select Create Site System Server.
In the Create Site System Server Wizard, specify the WSUS server's name and the authentication mechanism that will be used to access the new site system.
The rest of the process is identical in both deployment scenarios and is described below.
In the Software Update Point page you need to specify the port used by WSUS (80/443 for Windows 2008 and 8530/8531 for Windows 2012), whether SSL is required for communications with the WSUS server, and finally whether only Internet clients, only Intranet clients, or both will be allowed.
If no proxy is being used, simply leave the following page at its default values.
In the Synchronization Source page you can specify synchronization settings for the SUP; in my lab I have left all values at their defaults.
Note: In a multisite hierarchy, SUPs will always synchronize from their parent site.
In the Synchronization Schedule page you can specify how often the SUP will try to synchronize the updates catalog from the configured source. As you know, Microsoft releases updates the second Tuesday of each month, so a schedule of 7 days is usually fine for most environments.
In the Supersedence Rules page you can specify whether a superseded update expires immediately or only after a set number of months. This is generally a design choice and will be discussed in another article, so for now I will leave the default settings.
In the Classifications page you need to select which types of updates will be synchronized and downloaded by the SUP.
In the Products page you can select the products for which updates will be downloaded; I usually uncheck all options and configure this in a second stage.
Finally, in the Languages page check all necessary languages for the updates that will be downloaded. It goes without saying that the more languages are checked, the more data will be downloaded.
Note: You can monitor the SUP installation process through the SUPSetup.log log file.
To check that the SUP is able to communicate with the WSUS database, look in the WSUSCtrl.log log file, which should report the following line:
Successfully checked database connection on WSUS server SZHV-CM01.mcse.lab
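The WSUSCtrl.log check above can be scripted so that a failed database connection on the patching infrastructure does not go unnoticed. The following PowerShell is an added example, not part of the original article; it assumes the log uses the standard ConfigMgr (CMTrace) line layout, and the function name Get-WsusCtrlStatus, the sample timestamps and the sample error line are constructed for illustration.

```powershell
# Added example: report the last successful WSUS database check found in
# WSUSCtrl.log and any error entries (type="3") logged after it.
function Get-WsusCtrlStatus {
    param(
        [Parameter(Mandatory)][string[]]$Line   # raw log lines
    )
    # CMTrace layout: <![LOG[message]LOG]!><time=".." date=".." .. type="N" ..>
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[\d:.]+)[^"]*"\s+' +
               'date="(?<date>[\d-]+)".*?type="(?<type>\d)"'
    $entries = foreach ($l in $Line) {
        if ($l -match $pattern) {               # non-matching lines are skipped
            [pscustomobject]@{
                When    = [datetime]::ParseExact(
                              "$($Matches.date) $($Matches.time)",
                              'MM-dd-yyyy HH:mm:ss.fff',
                              [cultureinfo]::InvariantCulture)
                Type    = [int]$Matches.type    # 1 = info, 2 = warning, 3 = error
                Message = $Matches.msg
            }
        }
    }
    # Most recent occurrence of the success line quoted in the article
    $ok = $entries |
        Where-Object { $_.Message -like 'Successfully checked database connection on WSUS server*' } |
        Select-Object -Last 1
    # Errors count if there was never a success, or if they are newer than it
    $errors = @($entries | Where-Object {
        $_.Type -eq 3 -and (-not $ok -or $_.When -gt $ok.When)
    })
    [pscustomobject]@{
        LastDbCheck = $ok.When
        Server      = if ($ok) { ($ok.Message -split ' ')[-1] } else { $null }
        ErrorsSince = $errors
        Healthy     = [bool]$ok -and $errors.Count -eq 0
    }
}

# Constructed sample input (timestamps and the error entry are made up)
$sample = @'
<![LOG[Successfully checked database connection on WSUS server SZHV-CM01.mcse.lab]LOG]!><time="09:15:02.101+000" date="01-13-2015" component="SMS_WSUS_CONTROL_MANAGER" context="" type="1" thread="4242" file="sample.cpp:1">
<![LOG[Constructed sample error, not a real WSUSCtrl.log message]LOG]!><time="09:20:40.552+000" date="01-13-2015" component="SMS_WSUS_CONTROL_MANAGER" context="" type="3" thread="4242" file="sample.cpp:2">
'@ -split "`r?`n"

Get-WsusCtrlStatus -Line $sample | Format-List
```

Against a live site server, pass the real file instead, for example `Get-WsusCtrlStatus -Line (Get-Content <path to WSUSCtrl.log>)`, where the path depends on your ConfigMgr installation directory.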
Of course, you can also monitor the status of the SUP server under Monitoring → System Status → Component Status.
Once the installation and the synchronization with the update source are complete, you will be able to create Update Groups for deployment or define automatic deployment rules to keep clients up-to-date and secure. All these scenarios will be described in separate articles.