anyweb

Using SCCM 2012 in a LAB - Part 2. Add SUP and WDS

In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. Now we will configure the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality: Software Update Point (SUP) and Operating System Deployment.

Recommended Reading:-

Planning for Software Updates in Configuration Manager - http://technet.micro...y/gg712696.aspx
Prerequisites for Software Updates in Configuration Manager - http://technet.micro...y/hh237372.aspx
Configuring Software Updates in Configuration Manager - http://technet.micro...y/gg712312.aspx

Step 1. Add the WSUS Update Services 3.0 SP2 role

Perform the following on the SCCM server as SMSadmin

Before starting this step create a folder on D:\ called sources and share it as sources, give Everyone Read access.

sources share.png

We'll need the WSUS role installed as part of the Software Update Point role installation in the next step, so start Server Manager and click on Roles, Add Roles. Select Windows Server Update Services and a window will pop up asking to add role services required for Windows Server Update Services (IIS Dynamic Content compression), click Add Required Role Services

add wsus role.png

Click next through the wizard. You'll see the Select Role Services window appear; click next again, and at the confirmation click Install. The WSUS role will be downloaded (so you'll need a network connection to the Internet).

wsus role services.png

After a while you'll see the Welcome to Windows Server Update Services 3.0 SP2 setup wizard appear (it is probably hidden behind the active window, so find it in your system tray and click on it to show the wizard, otherwise you'll be twiddling your thumbs for a long time wondering what's going on). Click next.

wsus setup.png

Accept the Eula and click next

eula.png

for Select Update Source, choose where to store the updates locally, select D:\sources\WSUS

d wsus.png

for database options choose Use an existing database server on this computer, click next

existing db on server.png

it will connect to your SCCM SQL server instance, click next

sql db.png

accept the web site preference, Use an existing Default website

iis website.png

at the ready to install WSUS, click next

read to install.png

click Finish when done.

finish.png

followed by cancelling the WSUS configuration Wizard.

cancel.png

and close the Roles Wizard

wsus done.png


Step 2. Add Windows Deployment Services.

Perform the following on the SCCM server as SMSadmin

Update:- You no longer need to install the Windows Deployment Services Role because when you enable PXE support on the Distribution Point, the WDS Service will get installed (and configured) by ConfigMgr, so please skip this step unless you specifically want the RemoteInstall folder on a different drive. You can review this via the Distrmgr.log.

In Server Manager, click Add roles select Windows Deployment Services and click next

windows deployment services role.png

click Next, Next, and Install and click Close when done. Close Server Manager.


Step 3. Add the SUP role

Perform the following on the SCCM server as SMSadmin

Note: In a Multi Hierarchy setup (CAS+Primaries+...) you must install a Top Level SUP on your CAS, and on your Primaries, and optionally on your Secondary site servers. In a standalone setup (such as we have here) we need to install the SUP on our Standalone Primary. In a multi Hierarchy the CAS SUP is the only SUP to sync directly with Microsoft Update to get the update catalog; all the SUPs on the Primaries sync with the CAS SUP. The Primary site's SUP is the only SUP which clients use to scan for Updates Compliance.

Start up the ConfigMgr console, click on Administration in the Wunderbar, click on Site Configuration, and select Servers and Site System Roles, Right click on your server and choose Add Site System Role

add site role.png

click next at the Add Site System Roles Wizard

add site systems role wizard.png

Select Software Update Point and click Next

software update point role selected.png

if you need to input proxy information, do it here

proxy info.png

next select Use this server as the Active Software Update Point and the wizard screen will expand as a result, leave the ports as they are (we didn't change them from the Default when we installed WSUS)

use this server as the active software update point.png

to Specify Synchronization Settings, select Synchronize from Microsoft Update

synchronise from microsoft update.png

next we configure the Schedule and Alert settings, please enable both.

enable sync on a schedule and alert when sync fails on any site in the heirarchy.png

leave the supersedence rules as they are, note the note about Service packs and Endpoint Protection updates.

Supersedence rules.png

As we will be configuring System Center Endpoint Protection (SCEP) later in this series, let's add Definition Updates in the Classifications choice

definition updates.png

Remove the checkmarks from Office and Windows in the Products list, we will revisit this list after our first Sync.

remove office and windows products.png

On the Languages screen, remove all checkmarks in all languages except English (well if you want other languages add them, but for me it's just English)

english selected.png

click next at the summary and progress, review the completion message and click Close.

sup done.png

  • Like 2

Share this post


Link to post
Share on other sites

Where do I get Endpoint Protection 2012 definition updates? I don't see anything under products in WSUS. And the explanation from TechNet doesn't say anything about it as well.


  1. On the Software Updates page of the wizard, select Date Released or Revised from the Property filters list.

  2. In the Search criteria list, click <value to find>, and then, in the Search Criteria dialog box, select Last 1 day from the Specify the value to search for drop-down list. Click OK to close the Search Criteria dialog box and then click Next.

  3. On the Evaluation Schedule page of the wizard, select Enable rule to run on a schedule and then configure the schedule at which definition updates will be downloaded. At a minimum, set the rule to run 2 hours after each software update point synchronization. Click Next.

  • Like 1

Share this post


Link to post
Share on other sites

Hello, and thanks for your helpful posts about sccm2012.

 

i have two questions:

1) during wsus install, i am unsure about the flag "Store Updates Locally". other guides have this checkmark removed. as far as i understand, wsus only downloads the metadata catalog. sccm downloads the updates itself. would you still recommend to leave this checkmark ticked? are updates then downloaded twice (once for wsus, once for sccm)?

 

2) cleanup. our wsus and all secondary wsus instances are scripted to run a monthly cleanup task which removes no longer needed updates - this saves a great amount of disc space, especially on smaller secondary site servers.

is it possible in a sccm2012 environment, with automatic deployment rules in place, to clean up no longer needed updates from the packages? or will the distribution points just grow as new updates arrive?

 

thanks!

Share this post


Link to post
Share on other sites

1. I select this option as license files can be downloaded and stored in the WSUS local store.

2. yes you can run a WSUS cleanup monthly, I haven't tested the exact scenario you are asking about but if you beat me to it then please share your experiences :)

Share this post


Link to post
Share on other sites
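
The "Store Updates Locally" setting and the monthly WSUS cleanup discussed in the two posts above can both be checked from PowerShell through the WSUS administration API. This is an added example, not code from the thread; the `-Apply` switch is a hypothetical name chosen here, and the selection of cleanup options (reclaim space only, decline nothing) is an assumption to review for your own site.

```powershell
# Added example (not from the thread). Run elevated on the WSUS/SUP server.
param(
    [switch]$Apply   # hypothetical switch: without it nothing is changed
)

# The WSUS 3.0 SP2 administration API is installed with the WSUS role/console.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# With no arguments, GetUpdateServer() connects to the local WSUS instance.
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()

# "Store updates locally" in setup means binaries are NOT hosted on Microsoft Update.
$contentPath = $config.LocalContentCachePath
$contentSize = 0
if ($contentPath -and (Test-Path $contentPath)) {
    $contentSize = (Get-ChildItem $contentPath -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Measure-Object -Property Length -Sum).Sum
}

New-Object PSObject -Property @{
    Server                  = $wsus.Name
    Port                    = $wsus.PortNumber
    StoresUpdatesLocally    = -not $config.HostBinariesOnMicrosoftUpdate
    LocalContentPath        = $contentPath
    LocalContentSizeMB      = [math]::Round($contentSize / 1MB, 1)
    SyncFromMicrosoftUpdate = $config.SyncFromMicrosoftUpdate
} | Format-List

# Cleanup scope. Assumption: only reclaim space; decline and delete nothing else.
$scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$scope.CleanupObsoleteUpdates      = $true   # unused updates and old revisions
$scope.CleanupUnneededContentFiles = $true   # files no longer referenced
$scope.CompressUpdates             = $true
$scope.DeclineExpiredUpdates       = $false
$scope.DeclineSupersededUpdates    = $false
$scope.CleanupObsoleteComputers    = $false

if ($Apply) {
    # PerformCleanup can run for a long time on a server that was never cleaned.
    $result = $wsus.GetCleanupManager().PerformCleanup($scope)
    $result | Select-Object ObsoleteUpdatesDeleted, UpdatesCompressed, DiskSpaceFreed
} else {
    Write-Output 'Report only. Re-run with -Apply to perform the cleanup.'
}
```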

about 2), i will share my experiences.

what i have done is: create automatic deployment rules, for each "product" one. e.g. an automatic deployment rule for windows7, one for xp, one for server2008, one for office, etc.

for each automatic deployment rule i have selected "Add to an existing Software Update Group". this makes sure that all windows 7 updates stay in the same windows 7 update group, and so on. in "software updates", i have selected the following:

- product windows 7

- superseded "NO"

- title (remove beta updates, or things you don't need, e.g. -"Internet Explorer 8" removes all IE8 updates, as we use IE9 already)

- update classification "Critical Updates", "Security Updates", "Update Rollups", "Updates"

and here comes the key part:

- required >= 1

 

this last setting makes sure that only updates end up in the group that are actually required by our systems. note that i did not make any limitation to the release date of the updates, so the basic idea is to "include all updates that are required by systems to the software update group". this behaviour is exactly what we had with our old WSUS infrastructure.

 

in my tests so far i can see that initially, the software update group contains a lot of updates. after two or three iterations of updating the clients and having them report back their state to the SCCM server, the number of updates with "required > 0" goes down, until at some point the update group is empty (as no client requires any more updates).

 

i did not yet find out if the actual update files are also removed from the hard disks of our sccm servers. at the moment it doesn't seem so, but i will investigate.

any input on this is appreciated.

Share this post


Link to post
Share on other sites
