Configuring Software Update Point within SCCM

[anyweb]

This guide assumes you have SCCM 2007 setup as described here. This guide was based upon a document entitled Patch Management directions for SCCM by Christopher Stauffer which you can find here.

 

Please note that this guide is designed to help you get a working SUP in SCCM in a LAB Environment as quickly as possible. This guide is provided as is, if you find any errors please report them in the forums.

 

In a production environment please consult Technet for best practise, see below links:

 

Superflow:

 

Software Update Deployment SuperFlow

 

 

About Software Update Point:

 

About Software Update Point

 

Planning:

 

Planning for Software Updates Client Settings

 

Configuration:

 

Configuring Software Updates

How to Configure the Software Updates Client Agent

How to Create and Configure an Active Internet-Based Software Update Point

 

Best Practices:

 

Configuring Configuration Manager Sites for Best Performance

Checklist for Security Best Practices

Best Practices for Central and Primary Site Hardware and Software Configuration

Best Practices for Operating System Deployment

 

Software Update Point process Flowcharts:

 

Software Updates Synchronization Process Flowchart

Software Update Deployment Process Flowchart

Deployment Package Process Flowchart

 

Related:

 

How to obtain the latest version of the Windows Update Agent

 

 

1. Install WSUS

 

Install WSUS but do not configure it. Once done, make sure the Software Update Point Role is installed on the SCCM Server.

 

 

Once you've added the Software Update Point role, verify that it is installed by checking the SUPSetup.log, it should have a line which reads Installation was successful

 

2. Create some Search Folders

 

In the Software Updates section, right click on Search Folders and choose New Folder,

 

 

give the new folder a name like Enterprise Searches (we willl store our yearly searches here)

 

 

Right click on our new folder and choose New Search Folder,

 

 

select the following options from step 1 (in the screenshot),

 

BulletinID, Expired and Superseded

 

 

in step 2, Set the BulleinID to MS plus the last two digits of the year eg: MS08

Set Expired to No

Set Superseded to No

 

Make sure that Search All folders under this feature is selected and give the search a name, eg: 2008 patches

 

 

Now that you know how to make a Search Folder, let's make one for Monthly searches, so right click on Enterprise Patches and choose New Search Folder

 

Fill it in as follows

 

 

and now make one for Windows Server 2008, we do this by adding Product as a search criteria and typing in the search phrase to look for, naturally you can customise it to suit your needs.

 

[anyweb]

did you configure the software update component yet ?

 

[Lozloz]

Thanks for a great post. Just a couple of questions regarding updates via SCCM. Firstly I have a test PC which I am testing updates via SCCM. I have denied the Windows updates settings GPO to this PC and now the Sofware Updates client is showing new updates on the client PC. However automatic updates are still prompting to be configured in the system tray. I would have thought the Software update agent would have disabled this prompt. The software update settings have an install schedule configured. I am confused as to how this should work. I have checked all the logs and the PC is looking at the SCCM server for updates so everything seems to be configured correctly. Any ideas?

 

I also got a little confused with the section about downloading updates. How does this work? The WSUS server pulls down the updates to a folder that you configured when setting up the Software update point in a previous guide on Windows-Noob. In this guide you are pulling the updates to a folder call windows updates. Does this mean the updates are stored in multiple locations? Eventually will all updates get downloaded to this Windows Updates folder everytime I set up a new search folder and deployment package?

Any clarification would be appreciated.

 

Lozloz

[anyweb]

regarding your first point see this post > http://www.windows-noob.com/forums/index.php?/topic/788-updates-are-not-being-installed-automatically/

 

the windows updates folder will contain the updates, you can have sub-folders in there for the deployment packages eg:

 

xp updates

7 updates

server 2008 updates

 

and so on

[Jax]

Good to see the guide is still functional even after all the R2 versions (2008 and SCCM) and SP2 release.

 

Just one quick question about setting up software updates...

 

 

This says I have to redownload the updates from the internet when creating the update deployment, wouldn't it be wiser to just use the files downloaded by the initial synchronization of the server?

 

I can't find a clear answer to this question anywhere and I think variations of this question were asked in this thread at least 3 times.

[anyweb]

you need to understand that the initial sync (and all subsequent syncs) only downloads the METADATA of the updates, ie: the information pertaining to what the update is, where it is, what os it's for, etc.

 

therefore we need to download the updates into a deployment package to actually use them, also understand that if you have downloaded the updates already that they will not be re-downloaded unless they have changed,

 

does this answer your question ? if not, please tell me what is unclear

[birz]

you need to understand that the initial sync (and all subsequent syncs) only downloads the METADATA of the updates, ie: the information pertaining to what the update is, where it is, what os it's for, etc.

 

therefore we need to download the updates into a deployment package to actually use them, also understand that if you have downloaded the updates already that they will not be re-downloaded unless they have changed,

 

does this answer your question ? if not, please tell me what is unclear

 

Why the WSUS direcory is about 10 GB on my SCCM/WSUS server? I'm not reffering to the share created for for deployment package. The WSUS role has been installed using your guide. When installing I pointed to the "D" drive so the folder that is about 10GB large is this one: "D:\WSUS\WsusContent" isn't suppose to be only metadata? It's really confusing. It looks like the updates are downloaded twice. It's similar with the software distribution role as well, at one point it asks for the source files when creating the program, but it copies the sourcefile to the D:\SMSPKGD$ folder. Basically I'm confused as to where shiould I put the sources and how it works..

 

Thanks for everything.

[Peter van der Woude]

You probably selected Store updates locally during the installation of WSUS. This means that you are storing the updates on three different places, the WSUS folder, the Updates package and on the DP.

[birz]

You probably selected Store updates locally during the installation of WSUS. This means that you are storing the updates on three different places, the WSUS folder, the Updates package and on the DP.

 

That's terrific! How am I suppose to fix this? I only have 1 SCCM server that has all the roles installed on it, since I'm managing 500 computers or so, it's plenty enough + it's a VM so I can scale the hardware easily if needed. I love redundance, but having the updates at 3 places it's quite useless. Any help in setting this up properly would be appreciated.

 

Thanks again,

[rjatwork]

Hi,

I tried to do like you but it's doesn't work. On a client, in Configuration Manager Property(control panel), in Action, I haven't got (so i can't initiate the action i want)Machine Policy Retrieval & Evaluation Cycle, Software Updates Deployment Evaluation Cycle , Software Updates Scan Cycle.

[anyweb]

try temporarily disbaling the firewall on the client and do a Data Discovery, do you see the client in configmgr collections ? is it approved and client=yes ?