

anyweb

using System Center 2012 Configuration Manager - Part 5. Adding WSUS, Adding the SUP role, deploying the Configuration Manager Client Agent


Getting the same error as previously mentioned, install failing with windows update throwing error code 1. According to the ccmsetup log, "No valid source or MP locations could be identified to download content from." I am also getting an "Unexpected row count (0) retrieved from AD" when the installer queries AD for assigned site.

 

I'm assuming there's a configuration error somewhere, but unfortunately most of the configuration was done by external consultants, who didn't document their work. A possible solution would be much appreciated, as it means I won't have to set up the whole setup from the start.

 

(On the other hand, considering that I have no idea what the guys who set this up did, that might be for the best anyway)


Update:
This question was too stupid to answer. Of course all updates need to be downloaded by my server B before server A can grab the files and package them.
All good now. :)

 

 

Thanks for the lovely guide.

I am getting quite confused with these WSUS/SUP roles and hope someone can point me in the right direction.

 

=========================================================================

I have two servers, A and B.
A : Standalone Primary Site, Installed with SCCM 2012 SP1 CU1 + SQL 2008 R2 SP2 + WSUS 3.0 SP2 console only and all necessary updates
B: Site system server, installed with WSUS 3.0 SP2 and all necessary updates.
B server is configured with the "Software update Point" role. A isn't.
B server is configured through SCCM to sync with Microsoft Update and store it locally.
B server had synchronized successfully with Microsoft and all updates appeared on Server A under "Software Library"
Step 1 from this guide suggested to also install SUP on the primary server. "Note: Repeat the above on the Primary server P01."
I am planning to manage all Microsoft Updates through SCCM.
Do I need to install SUP on my SCCM server (Server A), in order to deploy Microsoft Updates to all clients?
If not, will they (server A and B) sync automatically?
When I try to create software deployment package, it's asking me about the "Package Source", "source location for software updates"
Should I point the source to \\WSUS\WSUSContent instead of downloading it again from the Internet? or?
I will continue to read other posts, perhaps there are answers somewhere out there.
Thanks in advance.
Update: From Microsoft Site: Configuring Software Updates in Configuration Manager
- The software update point is required on the central administration site and on the primary sites in order to enable software updates compliance assessment and to deploy software updates to clients. The software update point is optional on secondary sites. The software update point site system role must be created on a server that has WSUS installed.
- Starting with Configuration Manager SP1, you have the option to synchronize software updates from a WSUS server that is not in your Configuration Manager hierarchy.
- Starting with Configuration Manager SP1, you have the option to add multiple software update points at a site.


Hello,

 

I have a question. If everything is setup to use SSL and https, should I change the connection for my client to https://server:8530 or it's not needed?

 

edit: I just checked my local GPO and it seems my SCCM client configured my local GPO to https://server:8531/. Is that normal? My GPO pushes http://server:8530/.

 

I do have HTTPS only activated on all of my installation. Should I change the GPO?

 

Thanks


For step 1 a sub-task was missing:

 

As per http://technet.microsoft.com/en-us/library/gg712304.aspx#BKMK_SUMSync you must also give Change permissions to the SMS Provider computer account (in this example it's the server called CAS) on \\cas\Source folder

 

"The SMS Provider computer account and the user that is running the wizard to download the software updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location in order to reduce the risk of attackers tampering with the software update source files."

 

If you don't, whenever you download packages to that share, it will fail with

"Failed to download the update from internet. Error = 5"

as described in http://www.thelazysysadmin.net/2012/04/automatic-deployment-rules-download-failed-system-center-2012-configuration-manager/

This error can be observed in %programfiles%\Microsoft Configuration Manager\Logs\ruleengine.log

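The quoted Microsoft guidance above asks for two things at once: the SMS Provider computer account must be able to write to the download location, and nobody else should be able to tamper with it. The following PowerShell check is an added example, not part of the original post or of Configuration Manager; the account names are placeholders, and it reads NTFS ACEs only (share permissions and access granted through group membership are not resolved).

```powershell
# Added example: list who can write to the software update download location.
# Reads NTFS ACEs only; share permissions and group membership are not resolved.
function Get-DownloadLocationWriters {
    param(
        [Parameter(Mandatory)][string]   $Path,
        [Parameter(Mandatory)][string[]] $AllowedWriters
    )
    $write   = [int][System.Security.AccessControl.FileSystemRights]::Write
    $generic = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object {
            # Keep ACEs that include the full Write right (Modify and FullControl do too)
            $bits = [int]$_.FileSystemRights
            (($bits -band $write) -eq $write) -or (($bits -band $generic) -ne 0)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
                Expected  = $AllowedWriters -contains $_.IdentityReference.Value
            }
        }
}

# Assumed values: replace with your own.
$path     = '\\cas\Source'          # download location named in the post above
$provider = 'EXAMPLE\CAS$'          # placeholder: SMS Provider computer account
$allowed  = @($provider, 'EXAMPLE\sccm-admin', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

$report = @(Get-DownloadLocationWriters -Path $path -AllowedWriters $allowed)

# Without write access for the provider account, downloads fail with "Error = 5".
if ($report.Identity -notcontains $provider) {
    Write-Warning "$provider has no direct Write ACE on $path"
}

# Any writer outside the allow-list can tamper with the update source files.
$report | Where-Object { -not $_.Expected } |
    Format-Table Identity, Rights, Inherited -AutoSize
```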

I have a question about using the Software Update Point to push out the Configuration Manager client.

 

I've enabled this option in SCCM, and I've set up a GPO so that all domain machines point to the WSUS/SUP site.

"Specify intranet Microsoft update service location" is Enabled with both fields set to http://machine.domain:8530 .

 

But I want all domain-joined machines to automatically install the configuration manager client. What I've done to achieve this is set "Configure Automatic Updates" to Enabled, with the options "4 - Auto download and schedule the install", "0 - Every day", and "12:00".

 

The current behavior we're seeing is that while the client is automatically installed as expected, updates cause a restart prompt from Windows Update (once with a countdown timer) in addition to the "Recently installed software requires a computer restart" tray icon from Software Center. I suspect "Configure Automatic Updates" being Enabled is the cause of this. I've read elsewhere that I should set this option to "Not Configured" so SCCM's SUP can control updating.

 

Is there a way for me to have Windows Update (via the GPO) automatically install the Configuration Manager client without messing with SCCM's SUP control of it afterward?

 

If not, should I just set Configure Automatic Updates to "Not Configured" in the GPO, and manually check updates once for machines joining the domain? I would likely manually check anyway since any machines manually joined to the domain would have to wait to 12:00 (or whatever time I specify) to automatically get the client. If I'm manually joining a machine to the domain I may as well manually click on Windows Update once. And of course, most machines will be deployed via SCCMs OSD stuff via PXE booting.

 

Thanks


Well I've decided to just grab the client via manual check of Windows Update (for any random things we don't do via PXE OSD).

 

So my Windows Update Group Policy now just has the update server specified, and nothing else configured, as per this image:

post-1-0-84780400-1344768392.png

 

 

But it looks like this results in machines getting the default Windows Update settings applied. A 22 hour detection frequency, a daily install at 3 AM, and automatic reboots (even with logged on users). What is the proper way to disable the Windows Update stuff and let SCCM's SUP role handle everything?

 

We currently have a Patch Tuesday ADR that is set to evaluate on 2 PM of the 2nd Tuesday in each month (the SUP syncs at noon and midnight, daily). Deployment is as soon as possible, and deadline is 4 hours after. This way users get notified around 2 PM, and the deadline is 6 PM.

The User Experience tab is set to allow installation outside of maintenance windows, but not restarts. Restart behavior is NOT suppressed.

We have a maintenance window of 2 AM to 5 AM every Saturday.

 

We expect:

Users to be notified of updates a little after 2 PM on Patch Tuesday.

Installation to start a little after 6 PM on Patch Tuesday (or earlier, if the user triggers it).

Restarts to happen on the Saturday after Patch Tuesday, between 2 AM and 5 AM (or earlier, if the user triggers it).

 

Should we configure additional items to the Windows Update GPO (disable scheduled installation, disable automatic restart with logged on users, or just disable automatic updates)?

 

Or would this break SCCM SUP / WSUS pushing out updates / scheduling installations at the deadline / scheduling restarts during the maintenance window?

 

This came up because a machine rebooted this morning at 3:15 AM, and I checked windowsupdate.log and Windows Update was the culprit. We didn't expect this machine to reboot until Saturday morning. The other machines were manually restarted during the day - we're still testing so we only have a few machines. The servers of course have the default option set to not schedule installation.

 

Thanks


Hi,

 

Thanks for this really great guide - it often helped me!

 

I have a question about the inventory mechanism: is it possible to get a hardware and software inventory of clients and servers without installing the Configuration Manager client on each single machine?

 

Thanks - Andy
