How to install Software Update Point in SCCM 2012 R2

Benoit LecoursSCCM18 Comments

Download and own part 1 to 21 of the SCCM Installation Guide in a single PDF file.

The PDF file is a 162 pages document that contains all informations to install and configure SCCM 2012 R2 or SCCM 1511 and later (Current Branch). Use our products page or use the button below to download it .

Icon Info

This blog post applies to both SCCM 2012 R2 , SCCM 1511 and later.

In this part of SCCM 2012 and SCCM 1511 blog series, we will describe how to install SCCM 2012 R2 or SCCM 1511 Software Update Point (SUP).

Role Description

The SUP integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients.

This is not a mandatory Site System but your need  to install a SUP if you’re planning to use SCCM as your patch management platform.

SCCM 2012 SP1 (and thus R2) integrates new features to the Software Update Point that are well documented in this Technet Article.

sccm 2012 software update point

Site System Role Placement in Hierarchy

This Site System is a site-wide option. It’s supported to install this role on a Central Administration Site, child Primary Site, stand-alone Primary Site and Secondary Site.

When your hierarchy contains a Central Administration Site, install a SUP and synchronizes with Windows Server Update Services (WSUS) before you install a SUP at any child Primary Site.

sccm 2012 software update point

When you install a SUP at a child Primary Site, configure it to synchronize with the SUP at the Central Administration Site.

sccm 2012 software update point

Consider installing a SUP in Seconday Site when data transfer across the network is slow.

WSUS Installation

Perform the following on the server that will host the SUP role.

  • Open Server Manager / Add Roles and Features
  • Select the Windows Server Update Services Role, click Next

sccm 2012 software update point

  • Select WSUS Services and Database, click Next

sccm 2012 software update point

  • Launch Windows Server Update Services from the Start Menu. You will be prompt with the following window :

sccm 2012 software update point

  • On the DB instance, enter your server name
  • On Content directory path, use a drive with enough drive space. This is where your WSUS will store updates

sccm 2012 software update point

  • When the WSUS Configuration Wizard starts, click Cancel

sccm 2012 software update point

  • Open SQL Management Studio
  • Under Databases, Right-click SUSDB, select Properties, and click Files
  • Change Owner to SA
  • Change the Autogrowth value to 512MB, click Ok and close SQL MS

4139-222

SUP Installation

  • Open the SCCM console
  • Navigate to Administration / Site Configuration / Servers and Site System Roles
  • Right click your Site System and click Add Site System Roles
  • On the General tab, click Next

sccm 2012 install fallback status point

  • On the Proxy tab, click Next

sccm 2012 install fallback status point

  • On the Site System Role tab, select Software Update Point, click Next

sccm 2012 software update point

  • On the Software Update Point tab, select WSUS is configured to use ports 8530 and 8531, click Next

sccm 2012 software update point

  • On the Proxy and Account Settings tab, specify your credentials if necessary, click Next

sccm 2012 software update point

  • On the Synchronization Source tab, specify if you want to synchronize from Microsoft Update or an upstream source. Refer to the Site System Placement section if you’re unsure. For a stand-alone Primary Site, select Synchronize from Microsoft Update, click Next

sccm 2012 software update point

  • On the Synchronization Schedule tab, check the Enable synchronization on a schedule check box and select your desired schedule. 1 day is usually enough but it can be lowered if you’re synchronizing Endpoint Protection definition files, click Next

sccm 2012 software update point

  • On the Supersedence Rules tab, select Immediately expire a superseded software update, click Next

sccm 2012 software update point

sccm 2012 software update point

  • On the Products tabs, select the products that you want to manage using SCCM, click Next

sccm 2012 software update point

  • On the Languages tab, select the desired Language, click Next

sccm 2012 software update point

  • On the Summary tab, review your settings, click Next, wait for the setup to complete and click Close

sccm 2012 software update pointsccm 2012 software update point

sccm 2012 software update point

Verification

  • ConfigMgrSetup\Logs\SUPSetup.log -Provides information about the software update point installation. When the software update point installation completes, Installation was successful is written to this log file
  • ConfigMgrSetup\Logs\WCM.log – Provides information about the software update point configuration and connecting to the WSUS server for subscribed update categories, classifications, and languages
  • ConfigMgrSetup\Logs\WSUSCtrl.log – Provides information about the configuration, database connectivity, and health of the WSUS server for the site
  • ConfigMgrSetup\Logs\Wsyncmgr.log – Provides information about the software updates synchronization process

Bonus link : I suggest that you read the excellent article written by Kent Agerlund on how to avoid what he calls the House of Cards

sccm 2012 software update point

Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 4 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intunes deployments.
How to install Software Update Point in SCCM 2012 R2
5 - 4 votes

18 Comments on “How to install Software Update Point in SCCM 2012 R2”

  1. Pingback: SCCM Endpoint Protection Management Guide |

    1. Hi Kross,
      I would set up a Custom Client setting with Software Update set to disabled, and applied to “the rest”. Then I would leave the GPO for WSUS on for those computers.

      For the 100, I would remove the GPO for WSUS, and apply custom Client settings with Software Update set to Enabled.
      That should do the trick.

      But I would recommend moving on from WSUS and go 100% with SCCM .
      Jonathan

      1. Hi Jonathan,

        The plan is move 100% with SCCM but need to test before continue with all the computers.
        i’m trying to find a way how to leave the key of the current machines because I notice as soon I disable the Software Update WUServer and WUStatusserver the key gets delete it.

        What would be the process?
        1) leave settings as it is on Default Client Settings? (SCCM Default Profile) > on the software Update > Enable Software Update on clients” leave like it is “YES”

        2) for the Custom Device Settings (I Already have custom one pushed to all machines) should I use this one and the Software Update Set it to “NO” (currently is YES) <>

        3) Create “New Custom Device Settings” with all my custom settings and set “YES” to my 100 computers

        4) add the SUP role

        Thanks for your fast response.

  2. Pingback: Test Post – System Center Arts

  3. Hello,
    I have a little issue. I got 2 boxes (2012R2 brand new). One is CMCB1511 and the other is WSUS.
    When installation of wsus done and configuration of SUP done too, I get this error in wcm.log :

    System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it IP:8530 !!
    But the IP is not the wsus server but cmcb its IP!
    In wsusctrl.log, I got this : Failures reported during periodic health check by the WSUS Server “NAME of the CMCB ServeR”. Will retry check in 1 minutes

    I don’t understand what went wrong. I followed your Installation guide.
    I did it on my DEV environment (all in one box) and worked perfectly. In Prod environment, I have to use to boxes, they are in the same vlan and firewall ports specified in IIS are opened (8530 and 8531).

    Please help !!

    1. HI Gael,
      From what I understand, it seems that you try to install the SUP on the CMCB1511 boxe, while WSUS is installed on another box.

      SUP must be installed on the same box as the WSUS is.

      This would result in having your primary server with Management Point, Distribution point,etc, and an another server with WSUS and SUP role only.

      Instead of doing this :
      Open the SCCM console
      Navigate to Administration / Site Configuration / Servers and Site System Roles
      Right click your Site System and click Add Site System Roles

      Do to following :
      Open the SCCM console
      Navigate to Administration / Site Configuration / Servers and Site System Roles
      Right click your Site System and click Create Site System Server.

      This will allow you to point to the WSUS server and select the SUP role.
      Jonathan

      1. Thank you so much !!!
        It did it .. And also set Primary site server object as Administrator of the WSUS !!

        Thank you again !! You saved my time !

  4. Hi guys. I’ve upgraded my SCCM 2012 R2 server to 1511, then 1602, then 1606 a few months back. All has been good.

    Now since 1602 supported an OS upgrade from Server 2008 R2 –> Server 2012 R2, I performed that today. On the Primary Site (SCCM01) **AND** SUP/DP/Reporting server (SCCM02), I did stop and disable SCCM services, removed WSUS and the WSUS console, and then upgraded them both to Server 2012 R2. I went back and added the WSUS role to SCCM02 and the WSUS Console to SCCM01.

    The main issue is that I’m not seeing all of the products listed (only XP, Vista, Server 2003) and no newer Win10, Win8, etc in the list. I have gone back and removed WSUS again, removed the SUP role from SCCM02, and tried it all again… no luck. I’ve made sure that my upstream is set as the default Microsoft update site but it’s still not working.

    ——————–
    WCM.LOG
    ——————–
    Successfully connected to server: SRVSCCM02.corp.local, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Category Product:59f07fb7-a6a1-4444-a9a9-fb4b80138c6d (Forefront TMG) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Category Product:a0dd7e72-90ec-41e3-b370-c86a245cd44f (Visual Studio 2005) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Category Product:a38c835c-2950-4e87-86cc-6911a52c34a3 (Forefront Endpoint Protection 2010) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Category Product:abddd523-04f4-4f8e-b76f-a6c84286cc67 (Visual Studio 2012) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Category Product:b0247430-6f8d-4409-b39b-30de02286c71 (Microsoft Online Services Sign-In Assistant) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Category Product:c9834186-a976-472b-8384-6bb8f2aa43d9 (Visual Studio 2010) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Category Product:cbfd1e71-9d9e-457e-a8c5-500c47cfe9f3 (Visual Studio 2010 Tools for Office Runtime) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Category Product:cf4aa0fc-119d-4408-bcba-181abb69ed33 (Visual Studio 2013) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Subscription contains categories unknown to WSUS. SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    STATMSG: ID=6603 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_CONFIGURATION_MANAGER” SYS=SRVSCCM01.corp.local SITE=XYZ PID=2284 TID=3616 GMTDATE=Wed Sep 14 17:59:36.277 2016 ISTR0=”SRVSCCM02.corp.local” ISTR1=”” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Setting new configuration state to 4 (WSUS_CONFIG_SUBSCRIPTION_PENDING) SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Waiting for changes for 39 minutes SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    Trigger event array index 0 ended. SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
    SCF change notification triggered. SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:41 PM 3616 (0x0E20)

    ———————————
    WSYNCMGR.LOG
    ———————————
    Read SUPs from SCF for SRVSCCM01.corp.local SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
    Found 1 SUPs SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
    Found active SUP SRVSCCM02.corp.local from SCF File. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
    DB Server not detected for SUP SRVSCCM02.corp.local from SCF File. skipping. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
    Sync failed: WSUS update source not found on site XYZ. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSource SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
    STATMSG: ID=6703 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=SRVSCCM01.corp.local SITE=XYZ PID=2284 TID=3632 GMTDATE=Wed Sep 14 17:33:23.363 2016 ISTR0=”getSiteUpdateSource” ISTR1=”WSUS update source not found on site XYZ. Please refer to WCM.log for configuration error details.” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
    Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
    Setting sync alert to active state on site XYZ SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
    Sync time: 0d00h00m00s SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
    Skipping Delete Expired Update relations since this is not a scheduled sync. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
    Next scheduled sync is a regular sync at 9/14/2016 2:00:00 PM SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
    Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:34:54 PM 3632 (0x0E30)
    Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:41:27 PM 3632 (0x0E30)
    Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:48:25 PM 3632 (0x0E30)
    Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:49:10 PM 3632 (0x0E30)
    Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:11 PM 3632 (0x0E30)
    Next scheduled sync is a regular sync at 9/14/2016 2:00:00 PM SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:16 PM 3632 (0x0E30)
    Skipping WSUS Cleanup because of the SCF setting. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:16 PM 3632 (0x0E30)
    Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:21 PM 3632 (0x0E30)
    Next scheduled sync is a regular sync at 9/14/2016 2:00:00 PM SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:26 PM 3632 (0x0E30)
    Skipping WSUS Cleanup because of the SCF setting. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:26 PM 3632 (0x0E30)
    Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:51 PM 3632 (0x0E30)
    Next scheduled sync is a regular sync at 9/14/2016 2:00:00 PM SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:56 PM 3632 (0x0E30)
    Skipping WSUS Cleanup because of the SCF setting. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:56 PM 3632 (0x0E30)
    Wakeup for scheduled regular sync SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
    Starting Sync SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
    Performing sync on regular schedule SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
    Read SUPs from SCF for SRVSCCM01.corp.local SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
    Found 1 SUPs SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
    Found active SUP SRVSCCM02.corp.local from SCF File. SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
    Sync failed: WSUS update source not found on site XYZ. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSource SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
    STATMSG: ID=6703 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=SRVSCCM01.corp.local SITE=XYZ PID=2284 TID=3632 GMTDATE=Wed Sep 14 18:00:00.465 2016 ISTR0=”getSiteUpdateSource” ISTR1=”WSUS update source not found on site XYZ. Please refer to WCM.log for configuration error details.” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
    Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
    Setting sync alert to active state on site XYZ SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
    Sync time: 0d00h00m00s SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
    SQL MESSAGE: sp_SUM_RemoveUpdateRelations – 14:00:00:547: sp_SUM_RemoveUpdateRelations : All updates are expired, skipping the delete of update relations till first sync. SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
    Skipping WSUS Cleanup because of the SCF setting. SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)

  5. Hi can anyone advise the best approach to remove old WSUS 3.0 sp2 and SUP role on ConfigMgr 2012 R2 Sp1. To implement WSUS v4 which enables feature upgrades for windows 10. Running x2 WSUS servers on different versing is not supported so unable to do side by side. Many Thanks Sam ?

    1. Hi Sam,

      changing to WSUS 4.0 is not, in itself, a big deal. Removing SUP role that depend on WSUS won’t remove your Software Update groups, packages, ADR, etc. So this basically affect the background process of WSUS/SUP.

      Biggest challenge comes by the fact that WSUS 4.0 needs Windows server 2012 or 2012 R2. So if you are using WSUS 3.0, you must be running Windows Server 2008 R2.

      If you use seperate boxes for your primary site and your WSUS servers, I would plan the following :
      – Install new server running Windows Server 2012R2
      – Install WSUS 4.0 + KB https://support.microsoft.com/en-us/kb/3095113
      – Remove SUP role from old WSUS servers
      – Install SUP role on new server

      If you use SUP on the primary site, you will need to upgrade to SCCM 1602 at least to be able to in-place upgrade Windows Server to 2012 R2 and then go ahead with WSUS 4.0

      Hope this help!
      Jonathan

  6. Pingback: SCCM Deploy – Post 1. Setting up VMware AD and SCCM 1511

  7. Pingback: SCCM Deploy – Post 4. Setup SCCM 2012 1511

Leave a Reply

Your email address will not be published. Required fields are marked *