The PDF file is a 162 pages document that contains all informations to install and configure SCCM Current Branch. Use our products page or use the button below to download it . |
 | This blog post has been updated. Please refer to the new SCCM Current Branch Installation Guide. |
In this part of SCCM 2012 and SCCM 1511 blog series, we will describe how to install SCCM 2012 R2 or SCCM 1511 Software Update Point (SUP).
Role Description
The SUP integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients.
This is not a mandatory Site System but your need to install a SUP if you’re planning to use SCCM as your patch management platform.
SCCM 2012 SP1 (and thus R2) integrates new features to the Software Update Point that are well documented in this Technet Article.
Site System Role Placement in Hierarchy
This Site System is a site-wide option. It’s supported to install this role on a Central Administration Site, child Primary Site, stand-alone Primary Site and Secondary Site.
When your hierarchy contains a Central Administration Site, install a SUP and synchronizes with Windows Server Update Services (WSUS) before you install a SUP at any child Primary Site.
When you install a SUP at a child Primary Site, configure it to synchronize with the SUP at the Central Administration Site.
Consider installing a SUP in Secondary Site when data transfer across the network is slow.
Remote WSUS Warning
The WSUS Administration Console is required on the Configuration Manager site server when the software update point is on a remote site system server and WSUS is not already installed on the site server. The WSUS version on the site server must be the same as the WSUS version running on the software update points.When using WSUS 3.0 (on server 2008, it was possible to install the console only). This has changed with 2012 and 2016. One way to do it is to add the Windows Software Update Services role and deselecting Database and WID Database. The problem is that will still cause some trouble with the post-install task.
The recommended way to do it :
- Start PowerShell Console (as Administrator)
- Run : Install-WindowsFeature -Name UpdateServices-Ui
This will install the console only and not run a post-install task.
WSUS Installation
Perform the following on the server that will host the SUP role.
- Open Server Manager / Add Roles and Features
- Select the Windows Server Update Services Role, click Next
- Select WSUS Services and Database, click Next
- Launch Windows Server Update Services from the Start Menu. You will be prompt with the following window :
- On the DB instance, enter your server name
- On Content directory path, use a drive with enough drive space. This is where your WSUS will store updates
- When the WSUS Configuration Wizard starts, click Cancel
- Open SQL Management Studio
- Under Databases, Right-click SUSDB, select Properties, and click Files
- Change Owner to SA
- Change the Autogrowth value to 512MB, click Ok and close SQL MS
SUP Installation
- Open the SCCM console
- Navigate to Administration / Site Configuration / Servers and Site System Roles
- Right click your Site System and click Add Site System Roles
- On the General tab, click Next
- On the Proxy tab, click Next
- On the Site System Role tab, select Software Update Point, click Next
- On the Software Update Point tab, select WSUS is configured to use ports 8530 and 8531, click Next
- On the Proxy and Account Settings tab, specify your credentials if necessary, click Next
- On the Synchronization Source tab, specify if you want to synchronize from Microsoft Update or an upstream source. Refer to the Site System Placement section if you’re unsure. For a stand-alone Primary Site, select Synchronize from Microsoft Update, click Next
- On the Synchronization Schedule tab, check the Enable synchronization on a schedule check box and select your desired schedule. 1 day is usually enough but it can be lowered if you’re synchronizing Endpoint Protection definition files, click Next
- On the Supersedence Rules tab, select Immediately expire a superseded software update, click Next
- On the Classifications tab, select your organisation needs, click Next
- Full description on this Microsoft Support Article
- On the Products tabs, select the products that you want to manage using SCCM, click Next
- On the Languages tab, select the desired Language, click Next
- On the Summary tab, review your settings, click Next, wait for the setup to complete and click Close
Verification
- ConfigMgrSetup\Logs\SUPSetup.log -Provides information about the software update point installation. When the software update point installation completes, Installation was successful is written to this log file
- ConfigMgrSetup\Logs\WCM.log – Provides information about the software update point configuration and connecting to the WSUS server for subscribed update categories, classifications, and languages
- ConfigMgrSetup\Logs\WSUSCtrl.log – Provides information about the configuration, database connectivity, and health of the WSUS server for the site
- ConfigMgrSetup\Logs\Wsyncmgr.log – Provides information about the software updates synchronization process
Bonus link : I suggest that you read the excellent article written by Kent Agerlund on how to avoid what he calls the House of Cards
24 Comments on “How to install Software Update Point in SCCM 2012 R2”
Pingback: Step by step download sync software update - Sync-Download
Pingback: Sccm Update Point - Install And Configure A Software Update Point - Configuration ...
Pingback: Complete SCCM Installation Guide and Configuration
Hi Prajwal,
congratulations for your guide I want to ask you I have this architecture I have only one server sccm 2016 1902 and another windows server 2016 with wsus role installed and working. Since I want to use sccm as a software update point can I use it connecting it to the existing wsus without installing a second sccm?
Thanks in advance
Emiliano
Hi,
Thanks for this great series.
Just wondering, why does the owner of the SUSDB need to be SA? What if you chose Windows Auth during the SQL install instead of mixed mode, and therefore SA is not an option?
Thanks!
HOW TO UPGRADE BUSY SOFTWARE 16 TO 17
Pingback: SCCM Endpoint Protection Management Guide |
how would you test SUP on 100 computers and leave the rest intact with same settings WSUS settings?
Hi Kross,
I would set up a Custom Client setting with Software Update set to disabled, and applied to “the rest”. Then I would leave the GPO for WSUS on for those computers.
For the 100, I would remove the GPO for WSUS, and apply custom Client settings with Software Update set to Enabled.
That should do the trick.
But I would recommend moving on from WSUS and go 100% with SCCM .
Jonathan
Hi Jonathan,
The plan is move 100% with SCCM but need to test before continue with all the computers.
i’m trying to find a way how to leave the key of the current machines because I notice as soon I disable the Software Update WUServer and WUStatusserver the key gets delete it.
What would be the process?
1) leave settings as it is on Default Client Settings? (SCCM Default Profile) > on the software Update > Enable Software Update on clients” leave like it is “YES”
2) for the Custom Device Settings (I Already have custom one pushed to all machines) should I use this one and the Software Update Set it to “NO” (currently is YES) <>
3) Create “New Custom Device Settings” with all my custom settings and set “YES” to my 100 computers
4) add the SUP role
Thanks for your fast response.
Pingback: Test Post – System Center Arts
Hello,
I have a little issue. I got 2 boxes (2012R2 brand new). One is CMCB1511 and the other is WSUS.
When installation of wsus done and configuration of SUP done too, I get this error in wcm.log :
System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it IP:8530 !!
But the IP is not the wsus server but cmcb its IP!
In wsusctrl.log, I got this : Failures reported during periodic health check by the WSUS Server “NAME of the CMCB ServeR”. Will retry check in 1 minutes
I don’t understand what went wrong. I followed your Installation guide.
I did it on my DEV environment (all in one box) and worked perfectly. In Prod environment, I have to use to boxes, they are in the same vlan and firewall ports specified in IIS are opened (8530 and 8531).
Please help !!
HI Gael,
From what I understand, it seems that you try to install the SUP on the CMCB1511 boxe, while WSUS is installed on another box.
SUP must be installed on the same box as the WSUS is.
This would result in having your primary server with Management Point, Distribution point,etc, and an another server with WSUS and SUP role only.
Instead of doing this :
Open the SCCM console
Navigate to Administration / Site Configuration / Servers and Site System Roles
Right click your Site System and click Add Site System Roles
Do to following :
Open the SCCM console
Navigate to Administration / Site Configuration / Servers and Site System Roles
Right click your Site System and click Create Site System Server.
This will allow you to point to the WSUS server and select the SUP role.
Jonathan
Thank you so much !!!
It did it .. And also set Primary site server object as Administrator of the WSUS !!
Thank you again !! You saved my time !
Hi guys. I’ve upgraded my SCCM 2012 R2 server to 1511, then 1602, then 1606 a few months back. All has been good.
Now since 1602 supported an OS upgrade from Server 2008 R2 –> Server 2012 R2, I performed that today. On the Primary Site (SCCM01) **AND** SUP/DP/Reporting server (SCCM02), I did stop and disable SCCM services, removed WSUS and the WSUS console, and then upgraded them both to Server 2012 R2. I went back and added the WSUS role to SCCM02 and the WSUS Console to SCCM01.
The main issue is that I’m not seeing all of the products listed (only XP, Vista, Server 2003) and no newer Win10, Win8, etc in the list. I have gone back and removed WSUS again, removed the SUP role from SCCM02, and tried it all again… no luck. I’ve made sure that my upstream is set as the default Microsoft update site but it’s still not working.
——————–
WCM.LOG
——————–
Successfully connected to server: SRVSCCM02.corp.local, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Category Product:59f07fb7-a6a1-4444-a9a9-fb4b80138c6d (Forefront TMG) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Category Product:a0dd7e72-90ec-41e3-b370-c86a245cd44f (Visual Studio 2005) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Category Product:a38c835c-2950-4e87-86cc-6911a52c34a3 (Forefront Endpoint Protection 2010) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Category Product:abddd523-04f4-4f8e-b76f-a6c84286cc67 (Visual Studio 2012) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Category Product:b0247430-6f8d-4409-b39b-30de02286c71 (Microsoft Online Services Sign-In Assistant) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Category Product:c9834186-a976-472b-8384-6bb8f2aa43d9 (Visual Studio 2010) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Category Product:cbfd1e71-9d9e-457e-a8c5-500c47cfe9f3 (Visual Studio 2010 Tools for Office Runtime) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Category Product:cf4aa0fc-119d-4408-bcba-181abb69ed33 (Visual Studio 2013) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Subscription contains categories unknown to WSUS. SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
STATMSG: ID=6603 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_CONFIGURATION_MANAGER” SYS=SRVSCCM01.corp.local SITE=XYZ PID=2284 TID=3616 GMTDATE=Wed Sep 14 17:59:36.277 2016 ISTR0=”SRVSCCM02.corp.local” ISTR1=”” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Setting new configuration state to 4 (WSUS_CONFIG_SUBSCRIPTION_PENDING) SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Waiting for changes for 39 minutes SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
Trigger event array index 0 ended. SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:36 PM 3616 (0x0E20)
SCF change notification triggered. SMS_WSUS_CONFIGURATION_MANAGER 9/14/2016 1:59:41 PM 3616 (0x0E20)
———————————
WSYNCMGR.LOG
———————————
Read SUPs from SCF for SRVSCCM01.corp.local SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
Found 1 SUPs SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
Found active SUP SRVSCCM02.corp.local from SCF File. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
DB Server not detected for SUP SRVSCCM02.corp.local from SCF File. skipping. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
Sync failed: WSUS update source not found on site XYZ. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSource SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
STATMSG: ID=6703 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=SRVSCCM01.corp.local SITE=XYZ PID=2284 TID=3632 GMTDATE=Wed Sep 14 17:33:23.363 2016 ISTR0=”getSiteUpdateSource” ISTR1=”WSUS update source not found on site XYZ. Please refer to WCM.log for configuration error details.” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
Setting sync alert to active state on site XYZ SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
Sync time: 0d00h00m00s SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
Skipping Delete Expired Update relations since this is not a scheduled sync. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
Next scheduled sync is a regular sync at 9/14/2016 2:00:00 PM SMS_WSUS_SYNC_MANAGER 9/14/2016 1:33:23 PM 3632 (0x0E30)
Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:34:54 PM 3632 (0x0E30)
Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:41:27 PM 3632 (0x0E30)
Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:48:25 PM 3632 (0x0E30)
Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:49:10 PM 3632 (0x0E30)
Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:11 PM 3632 (0x0E30)
Next scheduled sync is a regular sync at 9/14/2016 2:00:00 PM SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:16 PM 3632 (0x0E30)
Skipping WSUS Cleanup because of the SCF setting. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:16 PM 3632 (0x0E30)
Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:21 PM 3632 (0x0E30)
Next scheduled sync is a regular sync at 9/14/2016 2:00:00 PM SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:26 PM 3632 (0x0E30)
Skipping WSUS Cleanup because of the SCF setting. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:26 PM 3632 (0x0E30)
Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:51 PM 3632 (0x0E30)
Next scheduled sync is a regular sync at 9/14/2016 2:00:00 PM SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:56 PM 3632 (0x0E30)
Skipping WSUS Cleanup because of the SCF setting. SMS_WSUS_SYNC_MANAGER 9/14/2016 1:59:56 PM 3632 (0x0E30)
Wakeup for scheduled regular sync SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
Starting Sync SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
Performing sync on regular schedule SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
Read SUPs from SCF for SRVSCCM01.corp.local SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
Found 1 SUPs SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
Found active SUP SRVSCCM02.corp.local from SCF File. SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
Sync failed: WSUS update source not found on site XYZ. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSource SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
STATMSG: ID=6703 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=SRVSCCM01.corp.local SITE=XYZ PID=2284 TID=3632 GMTDATE=Wed Sep 14 18:00:00.465 2016 ISTR0=”getSiteUpdateSource” ISTR1=”WSUS update source not found on site XYZ. Please refer to WCM.log for configuration error details.” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
Setting sync alert to active state on site XYZ SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
Sync time: 0d00h00m00s SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
SQL MESSAGE: sp_SUM_RemoveUpdateRelations – 14:00:00:547: sp_SUM_RemoveUpdateRelations : All updates are expired, skipping the delete of update relations till first sync. SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
Skipping WSUS Cleanup because of the SCF setting. SMS_WSUS_SYNC_MANAGER 9/14/2016 2:00:00 PM 3632 (0x0E30)
Hi Chris,
the first time you install a SUP, you will not see newer products.
A first sync must be done before seeing all products.
Be sure to use latest WSUS 4.0 with SCCM 1606 for Windows 10 servicing with latest KB also.
https://support.microsoft.com/en-us/kb/3095113
Jonathan
Hi can anyone advise the best approach to remove old WSUS 3.0 sp2 and SUP role on ConfigMgr 2012 R2 Sp1. To implement WSUS v4 which enables feature upgrades for windows 10. Running x2 WSUS servers on different versing is not supported so unable to do side by side. Many Thanks Sam ?
Hi Sam,
changing to WSUS 4.0 is not, in itself, a big deal. Removing SUP role that depend on WSUS won’t remove your Software Update groups, packages, ADR, etc. So this basically affect the background process of WSUS/SUP.
Biggest challenge comes by the fact that WSUS 4.0 needs Windows server 2012 or 2012 R2. So if you are using WSUS 3.0, you must be running Windows Server 2008 R2.
If you use seperate boxes for your primary site and your WSUS servers, I would plan the following :
– Install new server running Windows Server 2012R2
– Install WSUS 4.0 + KB https://support.microsoft.com/en-us/kb/3095113
– Remove SUP role from old WSUS servers
– Install SUP role on new server
If you use SUP on the primary site, you will need to upgrade to SCCM 1602 at least to be able to in-place upgrade Windows Server to 2012 R2 and then go ahead with WSUS 4.0
Hope this help!
Jonathan
Hi Johnathan,
We removed the WSUS role from the SCCM server and installed it on the SQL server which contains the SCCM DB and the newly created WSUS DB instance. Now SCCM is not getting updates from WSUS and also pending updates in SCCM are not being pushed to the enterprise.Any help would be appreciated. Thanks
Is KB3127032 no longer necessary?
Yes, it’s still needed as this affect WSUS.
Hi there, nice article. Quick question – Why change the SUSDB owner to SA?
Pingback: SCCM Deploy – Post 1. Setting up VMware AD and SCCM 1511
Pingback: SCCM Deploy – Post 4. Setup SCCM 2012 1511