anyweb

Using System Center 2012 Configuration Manager - Part 5. Adding WSUS, Adding the SUP role, deploying the Configuration Manager Client Agent

Hi All,

Thank you for these step by step guides, excellent. New to SCCM - Question with the WSUS integration?

 

Have only a primary. We had WSUS handling updates. After installing sccm we uninstalled\reinstalled wsus and followed the steps outlined. Set the automatic GPO policy to disabled for our workstations. Our servers we set the policy to not configured and not pointing to an automatic update site - we always updated servers manually and want to keep it that way.

 

Setting the server policy to not configured, seems that wsus is picking up all servers\but wsus is reporting this computer has not reported status yet - should I be concerned since we're not using wsus or sccm to deploy updates to servers?

 

SCCM is installed on server 2008 one of the servers wsus is picking up - Will there be any issues?

 

The local windows update on the SCCM server, should that be set to never check for updates, this setting causes SCCM software update sync fails according to the log, if I set it to the check updates but let me choose, sync goes through

 

When the sync is successful, I see mostly expired updates in all software updates in sccm, is the sync not going through?

 

Thanks experts in advance, for your answers.

Share this post


Link to post
Share on other sites

Thank you for these step by step guides, excellent.

 

thanks

 

Have only a primary. We had WSUS handling updates. After installing sccm we uninstalled\reinstalled wsus and followed the steps outlined. Set the automatic GPO policy to disabled for our workstations. Our servers we set the policy to not configured and not pointing to an automatic update site - we always updated servers manually and want to keep it that way.

 

you do realise you can use configmgr to patch workstations as well as servers, servers usually end up in collections that use maintenance windows to decide exactly when they get patched, it's up to you to decide what those patches are and what the maintenance windows should be.

 

 

should I be concerned since we're not using wsus or sccm to deploy updates to servers?

 

as long as you haven't configured wsus to deploy updates to those machines and as long as you haven't got a GPO pointing to WSUS as the source for updates then you should be ok.

 

 

The local windows update on the SCCM server, should that be set to never check for updates, this setting causes SCCM software update sync fails according to the log, if I set it to the check updates but let me choose, sync goes through

 

is the Configuration manager server managed by a configmgr client ?

 

 

When the sync is successful, I see mostly expired updates in all software updates in sccm, is the sync not going through?

 

please review what I've posted in part 9 (and 10) to get a better overview of the whole sync process and deploying updates..

Share this post


Link to post
Share on other sites

Hi I have been getting some issues when WSUS is deploying the client,

 


 

In the GP shown in the config it was listed as "SITE.Server.domain.local:port". I find that when the SITE is included and the client is forced to do a Windows update it just fails, but when SITE is removed the process seems to go through: it detects that there is an update to install, it reports to be downloading, and then fails.

 

The WSUS agent is seen to be installed, and the client has been seen to be downloaded and is present on the machine.

 

any ideas ????

 

keep up the good work with the site

 

Ade

 

ccmsetup.log

WindowsUpdate.log

Share this post


Link to post
Share on other sites

Hi Anyweb,

 

Do I need to set a GPO "Specify intranet Microsoft update service location", and set it to Enabled, if I have installed a standalone sccm server, and put http://mysccmserver.mydomainname.com:8530 or not? I have installed SUP and set it so:

 

 

 

What should I do in GPO? Should I set it too or not?

 

 

 

Thanks for help


Share this post


Link to post
Share on other sites

are you planning on deploying the Configuration Manager client via the SUP or not ? that is why we create the Group Policy

Share this post


Link to post
Share on other sites

It should be noted, as it caught me out, that WSUS 3.0 needs the SP2 update, as well as KB2720211 and KB2734608 to succeed. Until then, you keep getting "Supported WSUS version not found" errors.

Share this post


Link to post
Share on other sites

Hello,

 

I currently have three systems, one each dedicated to perform a service, WDS, WSUS, and Endpoint Definition File updates (SCCM 2012). With that said, I would like to consolidate all three into one, if not WDS, at least WSUS and Endpoint Updates in one.

 

I see that is possible, thanks to your tutorial, however, can I use the existing WSUS updates contents, and migrate that over to the new WSUS server? I rather not have to download all updates.

 

Consolidating an existing WSUS server and Endpoint Definitions (SCCM) into a new server, SCCM is this achievable with your tutorial? Also I do not want to implement a CAS, only a primary server.

Share this post


Link to post
Share on other sites

Do you mean I need that entry only for deploying the Configuration Manager client? Or do I need that for others too? If that entry is only for deploying the Configuration Manager client then I do not need to do that.

Share this post


Link to post
Share on other sites

I wanted to say thank you for these step-by-steps. I have used them exclusively to deploy SCCM12 throughout my environment, so thank you.

 

However I get a monthly report that runs on the Sunday following Patch Tuesday (See Captures Below). I have the workstations apply these updates between Wednesday and Friday of the same week and then the report runs that Sunday.

 

Why does it tell me that I have Critical and Security Patches that are needed on my workstations but not being deployed?


Share this post


Link to post
Share on other sites

if you drill down further into either of the reports what does it tell you ?

Share this post


Link to post
Share on other sites

It should be noted, as it caught me out, that WSUS 3.0 needs the SP2 update, as well as KB2720211 and KB2734608 to succeed. Until then, you keep getting "Supported WSUS version not found" errors.

 

Strictly speaking... only KB2734608 is required, as all of the content from KB2720211 was rolled up into KB2734608.

Share this post


Link to post
Share on other sites

Hello,

 

I currently have three systems, one each dedicated to perform a service, WDS, WSUS, and Endpoint Definition File updates (SCCM 2012). With that said, I would like to consolidate all three into one, if not WDS, at least WSUS and Endpoint Updates in one.

 

I see that is possible, thanks to your tutorial, however, can I use the existing WSUS updates contents, and migrate that over to the new WSUS server? I rather not have to download all updates.

 

Consolidating an existing WSUS server and Endpoint Definitions (SCCM) into a new server, SCCM is this achievable with your tutorial? Also I do not want to implement a CAS, only a primary server.

 

If you're using a Configuration Manager SUP for Endpoint Updates, but a standalone WSUS for Windows updates, you will not be able to roll them up into a single system, as they will have two completely different configurations for the WSUS environment.

 

WDS and WSUS will happily co-exist on the same system. I have WDS and WSUS running together. To migrate your existing WSUS environment to the current WDS server, the easiest methodology is simply to install a new WSUS role on the WDS server as a replica, and replicate from your existing WSUS server (which will transfer all updates, groups, approvals, and content). When the replication is completed, reconfigure the server as an upstream server, synchronize, verify normal operation, and point the clients to the new server. If the WSUS URL is configured via GPO, you should see all of the clients registered/reported to the new server within a couple hours of updating the GPO.

Share this post


Link to post
Share on other sites

I'm wanting some feedback on deploying the client through the SUP. I have that enabled and a GPO to enable Windows updates on clients. I have tested and the client gets deployed. I'm a little concerned going forward that the automatically approved WSUS updates will get picked up by clients and they will reboot outside of the control of ConfigMgr. This is how I currently have my ConfigMgr Client GPO configured. I've read a little and wonder if these two highlighted policy settings will get my clients installed faster and avoid any reboots caused by WSUS

 

If someone has feedback, that would be appreciated.

 


 

 

 

 

Share this post


Link to post
Share on other sites

can you clarify this

 

 

that the automatically approved WSUS updates

 

 

 

have you configured WSUS ? you shouldn't, you should let ConfigMGr do all the configuring of WSUS via the SUP

Share this post


Link to post
Share on other sites

At the moment I have an SCCM server, configured your recommended way and dishing out Endpoint Protection, and a separate WSUS server performing Windows updates (pointed to in Group Policy). What's the best way to rationalise this? Can I configure WSUS on the SCCM server to perform normal Windows update duties and decommission the other server?

Share this post


Link to post
Share on other sites

Hi,

 

I am planning to install SCCM 2012SP1.

 

Server1 - (SCCM2012SP1)

Server2 - (SQLServer2012SP1)

 

my question is about selecting WSUS database (SQL or WID). which one is recommended for production environment and why?

 

thanks in advance

Share this post


Link to post
Share on other sites

why are you separating SQL in the first place ? I would use SQL locally for the WSUS database for performance and scalability reasons.

Share this post


Link to post
Share on other sites

why are you separating SQL in the first place ? I would use SQL for the WSUS database for performance and scalability reasons.

thanks for prompt reply

because in future we like to use same SQL for SCOM server.

is there any other reasons for selecting SQL database for WSUS.

 

thanks

Share this post


Link to post
Share on other sites

Any opinions on whether I can rationalise to a single WSUS server? See post #90.

 

you can continue using the old wsus server until Configuration Manager's new WSUS server is set up and running, once done remove any gpo's pointing to the old WSUS infrastructure and retire it. Configuration Manager will set local gpo's pointing to the SUP (which is the software update point role hosting wsus...)

Share this post


Link to post
Share on other sites
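An added example, not code from any poster in this thread: a PowerShell check, run on a client, of which update server the Windows Update policy currently names. It applies both to the replica migration described earlier (confirming clients report to the new server) and to the advice above about removing GPOs that point to the old WSUS server. The function name and the expected URL are constructed placeholders.

```powershell
# Added example, not code from this thread. Run locally on a client.
function Get-WsusClientPolicy {
    [CmdletBinding()]
    param(
        # Constructed placeholder; replace with the URL of your SUP/WSUS server.
        [string]$ExpectedServer = 'http://sup.example.local:8530'
    )

    # Registry values set when the "Specify intranet Microsoft update
    # service location" policy is applied to the machine.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $server      = if ($wu) { $wu.WUServer } else { $null }
    $status      = if ($wu) { $wu.WUStatusServer } else { $null }
    $useWuServer = if ($au) { $au.UseWUServer } else { $null }

    # Classify the result so it can be filtered when collected from many clients.
    $state = if (-not $server -or $useWuServer -ne 1) {
        'NoIntranetServer'      # no policy applies; client is not pointed at WSUS
    } elseif ($server.TrimEnd('/') -eq $ExpectedServer.TrimEnd('/')) {
        'MatchesExpected'       # -eq on strings is case-insensitive
    } else {
        'PointsElsewhere'       # e.g. a GPO still names the old WSUS server
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WUServer       = $server
        WUStatusServer = $status
        UseWUServer    = $useWuServer
        UsesHttps      = [bool]($server -like 'https://*')
        State          = $state
    }
}

Get-WsusClientPolicy | Format-List
```

A `PointsElsewhere` result on a machine that should be managed by the SUP usually means a domain GPO naming another server is still in scope for that machine.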

...so, just to be clear, the WSUS configuration (which you said to cancel when setting up SCCM) is ok to now run so that the server becomes a fully fledged WSUS server, too?

Share this post


Link to post
Share on other sites

i don't recommend that you configure WSUS in any way on the Configmgr server, configuration manager's SUP role will take control of WSUS and that's all that needs to be done. Does that make sense ?

Share this post


Link to post
Share on other sites

Hi,
I'm new to SCCM and have plenty of time at the moment to train on this so I decided to use a Hyper-V platform I already did to validate DirectAccess and add an SCCM 2012 SP1 server to this.
My platform is composed of :

  • 2 x Windows Server 2012 with Active Directory role (W2K12DC-AD01 and W2K12DC-AD02)
  • Windows Server 2012 with File server role (W2K12STD-FILES)
  • Windows Server 2012 with WSUS and File server roles (W2K12STD-INSTALL)
  • Windows Server 2012 with Exchange 2013 (W2K12DC-EXCH01)
  • Windows Server 2012 with SCCM 2012 SP1 (W2K12DC-SCCM)
  • Windows Server 2012 used for Edge role (W2K12DC-EDGE01)
  • 2 x Windows 8 clients (WIN8FR-001 and WIN8US-001)
  • Windows XP client (just for fun)

My WSUS server is configured to synchronize all Windows Server 2012 and Windows 8 updates + Office 2013. It already has all patches and updates needed to handle these products.
It automatically approves every update and stores them locally.

I'm confused even though I read all the questions and replies... and I'm sorry if I'm asking something you've already answered.
What I cannot understand regarding my config is :

  • Do I need to reinstall a WSUS server on SCCM ?

Reading this seems to explain that it's a yes :

you can continue using the old wsus server until Configuration Manager's new WSUS server is set up and running, once done remove any gpo's pointing to the old WSUS infrastructure and retire it. Configuration Manager will set local gpo's pointing to the SUP (which is the software update point role hosting wsus...)

  • If no, how can I use SCCM to point at WSUS server (that has around 90 GB of updates) ? I have tried this but I cannot see Windows 8 / 2012 and Office 2013 in the list of products... So I imagine I have done something wrong.
  • If yes, I imagine I need to configure WSUS on SCCM to use my current WSUS as an upstream in order to avoid downloading 90 GB again... And here, I have a problem : configuring it as an upstream will replicate all approvals. When you say that we have to let SCCM handle the approvals

Reading this seems to explain that it's not the way it should be :

i don't recommend that you configure WSUS in any way on the Configmgr server, configuration manager's SUP role will take control of WSUS and that's all that needs to be done. Does that make sense ?


So what should I do in my case ?
I tend to think it's the same case as MartinL but I'm not really sure about it... So I prefer asking
Thanks

Share this post


Link to post
Share on other sites

Hi I have been getting some issues when WSUS is deploying the client,

 


 

In the GP shown in the config it was listed as "SITE.Server.domain.local:port". I find that when the SITE is included and the client is forced to do a Windows update it just fails, but when SITE is removed the process seems to go through: it detects that there is an update to install, it reports to be downloading, and then fails.

 

The WSUS agent is seen to be installed, and the client has been seen to be downloaded and is present on the machine.

 

any ideas ????

 

keep up the good work with the site

 

Ade

 

 

 

Did you ever get this resolved? I'm having the same issue and would appreciate any information that can assist me. Thanks.

Share this post


Link to post
Share on other sites
