SCCM Updates Deployment for Windows clients

Back in the days when ConfigMgr was called SMS and the version was 2.0, one of its strongest selling points was its ability to deploy Windows Updates to clients, as no automatic solution existed apart from a utility called qchain.

Even today, while ConfigMgr's features have evolved to offer a much broader set of functions, OS and application update deployment is still a fundamental building block of every SCCM deployment I have worked with.

SCCM Updates Deployment Requisites

While the Software Update Point (SUP) is a standalone component, it relies on WSUS for the synchronization of updates. Don't be mistaken, though: ConfigMgr will take complete control of the WSUS Server, so if you want to use WSUS to update a set of clients not managed by ConfigMgr you will need to deploy a dedicated WSUS Server.

Microsoft recommends installing WSUS on a dedicated system, which allows the management of up to 100,000 clients; if WSUS is on the same system as the ConfigMgr server, this number goes down to 25,000.

If you are going to host the WSUS Server on a separate system, you will need to install the WSUS SDK (read console) on the server.

SUP Role and SCCM Updates Deployment

Once all the required components are in place, to deploy the SUP role simply open the ConfigMgr Administration console and navigate to Administration → Site Configuration → Servers and Site System Roles.

[Screenshot: SCCM Site System Roles]

To deploy the SUP role on an already defined Site System, like the ConfigMgr server in the above example, right-click on it and select Add Site System Roles.

[Screenshot: Add Site System Role]

In the General page most of the settings will already be populated, so simply click Next; the same holds true for the Proxy page.

[Screenshot: Add Site System Role Wizard]

[Screenshot: Add Site System Role Wizard Proxy]

In Specify Roles for this Server, select the SUP role.

[Screenshot: Software Update Point]

Add SUP Role to external WSUS Server

If you have deployed WSUS on a separate machine, in Servers and Site System Roles right-click in the right pane and select Create Site System Server.

[Screenshot: Create Site System Server]

In the Create Site System Server Wizard, specify the WSUS Server's name and the authentication mechanism that will be used to access the new site system.

[Screenshot: Add Site System Role SUP]

The rest of the process is identical in both deployment scenarios and is described below.


In the Software Update Point page you need to specify the port used by WSUS (80/443 for Windows 2008 and 8530/8531 for Windows 2012), whether SSL is required for communications with the WSUS server and, finally, whether only Internet clients, only intranet clients, or both will be allowed.


If no proxy is being used, simply leave the following page at its default values.

[Screenshot: WSUS Proxy]

In the Synchronization Source page you can specify synchronization settings for the SUP; in my lab I have left all values at their defaults.

[Screenshot: SUP Synchronization Source]

Note: In a multisite hierarchy, SUPs will always synchronize from their parent site.

In the Synchronization Schedule page you can specify how often the SUP will try to synchronize the updates catalog from the configured source. As you know, Microsoft releases updates on the second Tuesday of each month, so a schedule of 7 days is usually fine for most environments.

[Screenshot: WSUS Sync Schedule]

In the Supersedence Rules page you can specify whether a superseded update expires immediately or only after a set number of months. This is generally a design choice and will be discussed in another article; for now I will leave the default settings.

[Screenshot: WSUS Update Supersedence]

In the Classifications page you need to select which types of updates will be synchronized and downloaded from the SUP.

[Screenshot: Updates Classifications]

In the Products page you can select the products for which updates will be downloaded; I usually uncheck all options and configure this in a second stage.

[Screenshot: WSUS Products]

Finally, in the Languages page check all the languages needed for the updates that will be downloaded. It goes without saying that the more languages are checked, the more data will be downloaded.

[Screenshot: WSUS Updates Languages]

Note: You can monitor the SUP installation process through the SUPSetup.log log file.

To check that the SUP is able to communicate with the WSUS database, check the WSUSCtrl.log log file, which should report the following line:

Successfully checked database connection on WSUS server SZHV-CM01.mcse.lab
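
The same check can be scripted. The following PowerShell is an added example, not part of the original article: it reports the most recent successful database connection check found in WSUSCtrl.log. The log path and the `$$<component><date time>` entry layout are assumptions to adjust for your site server, and the sample entries are constructed so the parsing can be tried without a log file.

```powershell
# Added example (not from the original article): report the latest successful
# WSUS database connection check recorded in WSUSCtrl.log.
param(
    # Assumption: default ConfigMgr install path; change it to match your site server.
    [string]$LogPath = 'C:\Program Files\Microsoft Configuration Manager\Logs\WSUSCtrl.log'
)

# Constructed sample entries, used only when the log file is not present,
# so the parsing logic can be tried offline.
$sample = @(
    'Constructed entry that should be ignored  $$<SMS_WSUS_CONTROL_MANAGER><03-10-2014 08:00:00.000-60><thread=2100 (0x834)>'
    'Successfully checked database connection on WSUS server SZHV-CM01.mcse.lab  $$<SMS_WSUS_CONTROL_MANAGER><03-10-2014 09:00:02.250-60><thread=2100 (0x834)>'
    'Successfully checked database connection on WSUS server SZHV-CM01.mcse.lab  $$<SMS_WSUS_CONTROL_MANAGER><03-10-2014 10:00:03.410-60><thread=2100 (0x834)>'
)

$lines = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath } else { $sample }

# Assumed entry layout: message text, then $$<component><MM-dd-yyyy HH:mm:ss.fff+bias><thread=...>
$pattern = '^Successfully checked database connection on WSUS server (?<server>[^\s~]+)[\s~]*' +
           '\$\$<[^>]*><(?<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})'

$hits = foreach ($line in $lines) {
    if ($line -match $pattern) {
        [pscustomobject]@{
            WsusServer = $Matches['server']
            Time       = [datetime]::ParseExact($Matches['ts'], 'MM-dd-yyyy HH:mm:ss',
                             [cultureinfo]::InvariantCulture)
        }
    }
}

if (-not $hits) {
    Write-Warning "No successful WSUS database connection check found in $LogPath"
    return
}

# Summarize: which WSUS server, when it last answered, and how long ago that was.
$last = $hits | Sort-Object Time | Select-Object -Last 1
[pscustomobject]@{
    WsusServer  = $last.WsusServer
    LastSuccess = $last.Time
    AgeHours    = [math]::Round(((Get-Date) - $last.Time).TotalHours, 1)
    Successes   = @($hits).Count
}
```

A large AgeHours value means the last successful check is old, which is a cue to read the surrounding entries in WSUSCtrl.log for errors.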

Of course, you can also monitor the status of the SUP Server under Monitoring → System Status → Component Status.

[Screenshot: SCCM Component Status]

Once the installation and the synchronization with the update source are complete, you will be able to create Update Groups for deployment or define automatic deployment rules to keep clients up to date and secure. All these scenarios will be described in separate articles.

