Download and own this SCCM Installation Guide in a single PDF file.

The PDF file is a 162 pages document that contains all informations to install and configure SCCM Current Branch. Use our products page or use the button below to download it .

Download


Icon Info

This blog post has been updated. Please refer to the new SCCM Current Branch Installation Guide.

In this part of SCCM 2012 and SCCM 1511 blog series, we will describe how to install SCCM 2012 R2 or SCCM 1511 Software Update Point (SUP).

Role Description

The SUP integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients.

This is not a mandatory Site System but your need  to install a SUP if you’re planning to use SCCM as your patch management platform.

SCCM 2012 SP1 (and thus R2) integrates new features to the Software Update Point that are well documented in this Technet Article.

sccm 2012 software update point

Site System Role Placement in Hierarchy

This Site System is a site-wide option. It’s supported to install this role on a Central Administration Site, child Primary Site, stand-alone Primary Site and Secondary Site.

When your hierarchy contains a Central Administration Site, install a SUP and synchronizes with Windows Server Update Services (WSUS) before you install a SUP at any child Primary Site.

sccm 2012 software update point

When you install a SUP at a child Primary Site, configure it to synchronize with the SUP at the Central Administration Site.

sccm 2012 software update point

Consider installing a SUP in Secondary Site when data transfer across the network is slow.

Remote WSUS Warning

The WSUS Administration Console is required on the Configuration Manager site server when the software update point is on a remote site system server and WSUS is not already installed on the site server. The WSUS version on the site server must be the same as the WSUS version running on the software update points.

When using WSUS 3.0 (on server 2008, it was possible to install the console only). This has changed with 2012 and 2016. One way to do it is to add the Windows Software Update Services role and deselecting Database and WID Database. The problem is that will still cause some trouble with the post-install task.

The recommended way to do it :

  • Start PowerShell Console (as Administrator)
  • Run : Install-WindowsFeature -Name UpdateServices-Ui

This will install the console only and not run a post-install task.

WSUS Installation

Perform the following on the server that will host the SUP role.

  • Open Server Manager / Add Roles and Features
  • Select the Windows Server Update Services Role, click Next

sccm 2012 software update point

  • Select WSUS Services and Database, click Next

sccm 2012 software update point

  • Launch Windows Server Update Services from the Start Menu. You will be prompt with the following window :

sccm 2012 software update point

  • On the DB instance, enter your server name
  • On Content directory path, use a drive with enough drive space. This is where your WSUS will store updates

sccm 2012 software update point

  • When the WSUS Configuration Wizard starts, click Cancel

sccm 2012 software update point

  • Open SQL Management Studio
  • Under Databases, Right-click SUSDB, select Properties, and click Files
  • Change Owner to SA
  • Change the Autogrowth value to 512MB, click Ok and close SQL MS

4139-222

SUP Installation

  • Open the SCCM console
  • Navigate to Administration / Site Configuration / Servers and Site System Roles
  • Right click your Site System and click Add Site System Roles
  • On the General tab, click Next

sccm 2012 install fallback status point

  • On the Proxy tab, click Next

sccm 2012 install fallback status point

  • On the Site System Role tab, select Software Update Point, click Next

sccm 2012 software update point

  • On the Software Update Point tab, select WSUS is configured to use ports 8530 and 8531, click Next

sccm 2012 software update point

  • On the Proxy and Account Settings tab, specify your credentials if necessary, click Next

sccm 2012 software update point

  • On the Synchronization Source tab, specify if you want to synchronize from Microsoft Update or an upstream source. Refer to the Site System Placement section if you’re unsure. For a stand-alone Primary Site, select Synchronize from Microsoft Update, click Next

sccm 2012 software update point

  • On the Synchronization Schedule tab, check the Enable synchronization on a schedule check box and select your desired schedule. 1 day is usually enough but it can be lowered if you’re synchronizing Endpoint Protection definition files, click Next

sccm 2012 software update point

  • On the Supersedence Rules tab, select Immediately expire a superseded software update, click Next

sccm 2012 software update point

sccm 2012 software update point

  • On the Products tabs, select the products that you want to manage using SCCM, click Next

sccm 2012 software update point

  • On the Languages tab, select the desired Language, click Next

sccm 2012 software update point

  • On the Summary tab, review your settings, click Next, wait for the setup to complete and click Close

sccm 2012 software update pointsccm 2012 software update point

sccm 2012 software update point

Verification

  • ConfigMgrSetup\Logs\SUPSetup.log -Provides information about the software update point installation. When the software update point installation completes, Installation was successful is written to this log file
  • ConfigMgrSetup\Logs\WCM.log – Provides information about the software update point configuration and connecting to the WSUS server for subscribed update categories, classifications, and languages
  • ConfigMgrSetup\Logs\WSUSCtrl.log – Provides information about the configuration, database connectivity, and health of the WSUS server for the site
  • ConfigMgrSetup\Logs\Wsyncmgr.log – Provides information about the software updates synchronization process

Bonus link : I suggest that you read the excellent article written by Kent Agerlund on how to avoid what he calls the House of Cards

sccm 2012 software update point

Comments (24)

Emiliano

07.17.2019 AT 02:31 AM
Hi Prajwal, congratulations for your guide I want to ask you I have this architecture I have only one server sccm 2016 1902 and another windows server 2016 with wsus role installed and working. Since I want to use sccm as a software update point can I use it connecting it to the existing wsus without installing a second sccm? Thanks in advance Emiliano

Austin

09.15.2017 AT 10:18 AM
Hi, Thanks for this great series. Just wondering, why does the owner of the SUSDB need to be SA? What if you chose Windows Auth during the SQL install instead of mixed mode, and therefore SA is not an option? Thanks!

PREM

07.19.2017 AT 06:06 AM
HOW TO UPGRADE BUSY SOFTWARE 16 TO 17

Kross

04.04.2017 AT 01:55 PM
how would you test SUP on 100 computers and leave the rest intact with same settings WSUS settings?

Jonathan Lefebvre

04.04.2017 AT 02:05 PM
Hi Kross, I would set up a Custom Client setting with Software Update set to disabled, and applied to "the rest". Then I would leave the GPO for WSUS on for those computers. For the 100, I would remove the GPO for WSUS, and apply custom Client settings with Software Update set to Enabled. That should do the trick. But I would recommend moving on from WSUS and go 100% with SCCM . Jonathan

kross

04.05.2017 AT 07:19 AM
Hi Jonathan, The plan is move 100% with SCCM but need to test before continue with all the computers. i'm trying to find a way how to leave the key of the current machines because I notice as soon I disable the Software Update WUServer and WUStatusserver the key gets delete it. What would be the process? 1) leave settings as it is on Default Client Settings? (SCCM Default Profile) > on the software Update > Enable Software Update on clients" leave like it is "YES" 2) for the Custom Device Settings (I Already have custom one pushed to all machines) should I use this one and the Software Update Set it to "NO" (currently is YES) <> 3) Create "New Custom Device Settings" with all my custom settings and set "YES" to my 100 computers 4) add the SUP role Thanks for your fast response.

Gael

10.06.2016 AT 08:43 AM
Hello, I have a little issue. I got 2 boxes (2012R2 brand new). One is CMCB1511 and the other is WSUS. When installation of wsus done and configuration of SUP done too, I get this error in wcm.log : System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it IP:8530 !! But the IP is not the wsus server but cmcb its IP! In wsusctrl.log, I got this : Failures reported during periodic health check by the WSUS Server "NAME of the CMCB ServeR". Will retry check in 1 minutes I don't understand what went wrong. I followed your Installation guide. I did it on my DEV environment (all in one box) and worked perfectly. In Prod environment, I have to use to boxes, they are in the same vlan and firewall ports specified in IIS are opened (8530 and 8531). Please help !!

Jonathan Lefebvre

10.06.2016 AT 10:25 AM
HI Gael, From what I understand, it seems that you try to install the SUP on the CMCB1511 boxe, while WSUS is installed on another box. SUP must be installed on the same box as the WSUS is. This would result in having your primary server with Management Point, Distribution point,etc, and an another server with WSUS and SUP role only. Instead of doing this : Open the SCCM console Navigate to Administration / Site Configuration / Servers and Site System Roles Right click your Site System and click Add Site System Roles Do to following : Open the SCCM console Navigate to Administration / Site Configuration / Servers and Site System Roles Right click your Site System and click Create Site System Server. This will allow you to point to the WSUS server and select the SUP role. Jonathan

Gael

10.06.2016 AT 11:31 AM
Thank you so much !!! It did it .. And also set Primary site server object as Administrator of the WSUS !! Thank you again !! You saved my time !

Chris

09.14.2016 AT 01:12 PM
Hi guys. I've upgraded my SCCM 2012 R2 server to 1511, then 1602, then 1606 a few months back. All has been good. Now since 1602 supported an OS upgrade from Server 2008 R2 --> Server 2012 R2, I performed that today. On the Primary Site (SCCM01) **AND** SUP/DP/Reporting server (SCCM02), I did stop and disable SCCM services, removed WSUS and the WSUS console, and then upgraded them both to Server 2012 R2. I went back and added the WSUS role to SCCM02 and the WSUS Console to SCCM01. The main issue is that I'm not seeing all of the products listed (only XP, Vista, Server 2003) and no newer Win10, Win8, etc in the list. I have gone back and removed WSUS again, removed the SUP role from SCCM02, and tried it all again... no luck. I've made sure that my upstream is set as the default Microsoft update site but it's still not working. -------------------- WCM.LOG -------------------- Successfully connected to server: SRVSCCM02.corp.local, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Category Product:59f07fb7-a6a1-4444-a9a9-fb4b80138c6d (Forefront TMG) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Category Product:a0dd7e72-90ec-41e3-b370-c86a245cd44f (Visual Studio 2005) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Category Product:a38c835c-2950-4e87-86cc-6911a52c34a3 (Forefront Endpoint Protection 2010) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Category Product:abddd523-04f4-4f8e-b76f-a6c84286cc67 (Visual Studio 2012) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Category Product:b0247430-6f8d-4409-b39b-30de02286c71 (Microsoft Online Services Sign-In Assistant) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Category Product:c9834186-a976-472b-8384-6bb8f2aa43d9 (Visual Studio 2010) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Category Product:cbfd1e71-9d9e-457e-a8c5-500c47cfe9f3 (Visual Studio 2010 Tools for Office Runtime) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Category Product:cf4aa0fc-119d-4408-bcba-181abb69ed33 (Visual Studio 2013) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Subscription contains categories unknown to WSUS. SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Failed to set Subscriptions on the WSUS Server. Error🙁-2147467259)Unspecified error SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) STATMSG: ID=6603 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATION_MANAGER" SYS=SRVSCCM01.corp.local SITE=XYZ PID=2284 TID=3616 GMTDATE=Wed Sep 14 17:59:36.277 2016 ISTR0="SRVSCCM02.corp.local" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Setting new configuration state to 4 (WSUS_CONFIG_SUBSCRIPTION_PENDING) SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Waiting for changes for 39 minutes SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) Trigger event array index 0 ended. SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20) SCF change notification triggered. SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:41 PM 3616 (0x0E20) --------------------------------- WSYNCMGR.LOG --------------------------------- Read SUPs from SCF for SRVSCCM01.corp.local SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30) Found 1 SUPs SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30) Found active SUP SRVSCCM02.corp.local from SCF File. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30) DB Server not detected for SUP SRVSCCM02.corp.local from SCF File. skipping. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30) Sync failed: WSUS update source not found on site XYZ. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSource SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30) STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SRVSCCM01.corp.local SITE=XYZ PID=2284 TID=3632 GMTDATE=Wed Sep 14 17:33:23.363 2016 ISTR0="getSiteUpdateSource" ISTR1="WSUS update source not found on site XYZ. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30) Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30) Setting sync alert to active state on site XYZ SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30) Sync time: 0d00h00m00s SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30) Skipping Delete Expired Update relations since this is not a scheduled sync. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30) Next scheduled sync is a regular sync at 9/14/2016 2:00:00 PM SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30) Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:34:54 PM 3632 (0x0E30) Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:41:27 PM 3632 (0x0E30) Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:48:25 PM 3632 (0x0E30) Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:49:10 PM 3632 (0x0E30) Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:11 PM 3632 (0x0E30) Next scheduled sync is a regular sync at 9/14/2016 2:00:00 PM SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:16 PM 3632 (0x0E30) Skipping WSUS Cleanup because of the SCF setting. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:16 PM 3632 (0x0E30) Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:21 PM 3632 (0x0E30) Next scheduled sync is a regular sync at 9/14/2016 2:00:00 PM SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:26 PM 3632 (0x0E30) Skipping WSUS Cleanup because of the SCF setting. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:26 PM 3632 (0x0E30) Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:51 PM 3632 (0x0E30) Next scheduled sync is a regular sync at 9/14/2016 2:00:00 PM SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:56 PM 3632 (0x0E30) Skipping WSUS Cleanup because of the SCF setting. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:56 PM 3632 (0x0E30) Wakeup for scheduled regular sync SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30) Starting Sync SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30) Performing sync on regular schedule SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30) Read SUPs from SCF for SRVSCCM01.corp.local SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30) Found 1 SUPs SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30) Found active SUP SRVSCCM02.corp.local from SCF File. SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30) Sync failed: WSUS update source not found on site XYZ. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSource SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30) STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SRVSCCM01.corp.local SITE=XYZ PID=2284 TID=3632 GMTDATE=Wed Sep 14 18:00:00.465 2016 ISTR0="getSiteUpdateSource" ISTR1="WSUS update source not found on site XYZ. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30) Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30) Setting sync alert to active state on site XYZ SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30) Sync time: 0d00h00m00s SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30) SQL MESSAGE: sp_SUM_RemoveUpdateRelations - 14:00:00:547: sp_SUM_RemoveUpdateRelations : All updates are expired, skipping the delete of update relations till first sync. SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30) Skipping WSUS Cleanup because of the SCF setting. SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)

Jonathan Lefebvre

09.15.2016 AT 11:05 AM
Hi Chris, the first time you install a SUP, you will not see newer products. A first sync must be done before seeing all products. Be sure to use latest WSUS 4.0 with SCCM 1606 for Windows 10 servicing with latest KB also. https://support.microsoft.com/en-us/kb/3095113 Jonathan

Sam

08.22.2016 AT 05:22 AM
Hi can anyone advise the best approach to remove old WSUS 3.0 sp2 and SUP role on ConfigMgr 2012 R2 Sp1. To implement WSUS v4 which enables feature upgrades for windows 10. Running x2 WSUS servers on different versing is not supported so unable to do side by side. Many Thanks Sam ?

Jonathan Lefebvre

09.15.2016 AT 11:23 AM
Hi Sam, changing to WSUS 4.0 is not, in itself, a big deal. Removing SUP role that depend on WSUS won't remove your Software Update groups, packages, ADR, etc. So this basically affect the background process of WSUS/SUP. Biggest challenge comes by the fact that WSUS 4.0 needs Windows server 2012 or 2012 R2. So if you are using WSUS 3.0, you must be running Windows Server 2008 R2. If you use seperate boxes for your primary site and your WSUS servers, I would plan the following : - Install new server running Windows Server 2012R2 - Install WSUS 4.0 + KB https://support.microsoft.com/en-us/kb/3095113 - Remove SUP role from old WSUS servers - Install SUP role on new server If you use SUP on the primary site, you will need to upgrade to SCCM 1602 at least to be able to in-place upgrade Windows Server to 2012 R2 and then go ahead with WSUS 4.0 Hope this help! Jonathan

Shahid Nawaz

01.03.2018 AT 09:18 AM
Hi Johnathan, We removed the WSUS role from the SCCM server and installed it on the SQL server which contains the SCCM DB and the newly created WSUS DB instance. Now SCCM is not getting updates from WSUS and also pending updates in SCCM are not being pushed to the enterprise.Any help would be appreciated. Thanks

Dave

04.05.2016 AT 06:05 PM
Is KB3127032 no longer necessary?

Benoit Lecours

04.06.2016 AT 11:24 AM
Yes, it's still needed as this affect WSUS.

Lu

03.09.2016 AT 04:21 AM
Hi there, nice article. Quick question - Why change the SUSDB owner to SA?