Configuring WSUS/SUP with SCCM Current Branch

Introduction

So, to update you on my progress, I have the following in place within my test environment:

  • DC
  • AD DS
  • DHCP
  • SCCM Primary Site
  • IIS Installed on my Primary Site
  • SQL Installed and Configured with an Instance specified on my Primary Site

I now want SCCM to serve Windows updates to my servers and client machines. You do this through Windows Server Update Services (WSUS); most people are moving to Windows Update for Business (WUfB) now, but this is still a tried and tested method. WSUS enables IT administrators to deploy the latest Microsoft product updates, and you can use it to fully manage the distribution of updates released through Microsoft Update (usually on Patch Tuesday) to computers on your network. This post provides an overview of the server role and of how to deploy and configure WSUS as the back end for an SCCM Software Update Point.

Instructions

  • Open Server Manager > Add Roles and Features
  • Tick the box for Windows Server Update Services, click Add Features, then Next
  • Ensure you already have .NET Framework 3.5 and 4.6 installed; if not, install them now and click Next
  • Observe and click Next (the database instance page only appears if you chose SQL Server Connectivity rather than WID Database under the WSUS role services)
  • Specify your database instance in the form server\instance (edit: I had to go back and enter mine as London\SCCM, as my instance name is SCCM), click Check Connection, then click Next
  • Click Install
  • You can close at this point, but I would advise you select Launch Post-Installation Tasks; you can also do this later from the WSUS blade in the Server Manager window
  • If you are asked where to store the updates, use a secondary drive or a secondary partition in a live environment; for test purposes the local system drive will suffice
  • Click Run
  • You will now see an option in Server Manager to start Windows Server Update Services; this opens the configuration wizard
  • Click Next
  • Tick the box (the Microsoft Update Improvement Program opt-in) as shown and select Next
  • Leave Synchronize from Microsoft Update selected, as shown below; if you have another (upstream) WSUS server that you can synchronise from, then go ahead and select that instead, then click Next
  • Click Next unless you need to specify a proxy server
  • Click Start Connecting
  • Click Next once complete
  • You can choose your language(s) at this point
  • Click Next
  • Specify the products you have in your environment; I would advise you run a report via SCCM or other means to see which OS versions you have in place, then click Next
  • At this point you can Cancel and come back to this later. I got this advice from another blogger, as you can carry out the rest within the SCCM console (once the Software Update Point is added, SCCM owns the WSUS settings and you should not change them from the WSUS console)
  • I would also recommend you grant your SCCM administrators and the NETWORK SERVICE account Full Control on the folder where you store your Windows updates, to avoid errors later on
  • Now we want to add a Software Update Point (SUP)
  • Open your Configuration Manager console
  • Go to Administration > Site Configuration > Servers and Site System Roles
  • Right-click your primary site server and click Add Site System Roles
  • Ensure your settings on the General page look similar to mine below (with your own AD forest/domain, of course)
  • Click Next
  • Click Next again (the proxy page)
  • Select Software Update Point and click Next
  • You have two options for the WSUS ports at this point; as you are probably using Server 2012 or later (I'm using 2016), select WSUS is configured to use ports 8530 and 8531, the default on those versions, as shown below
  • I don't require SSL communication to the WSUS server, so I am ignoring this
  • Select your client connection type; I picked Allow intranet-only client connections, but you may have remote sites you wish to manage, in which case select intranet and internet
  • Click Next
  • Click Next
  • Leave the default as Synchronize from Microsoft Update
  • It's entirely up to you whether to create WSUS reporting events on clients; read the description of each option to understand it fully
  • Click Next
  • This is an important part of the process. I'm sure most of you know about "Patch Tuesday", the second Tuesday of each month on which Microsoft releases its updates, formalised back in 2003
  • edit: Note I set mine to a Wednesday at 13:23 to allow time for the release in North America at around 5-6pm, but you can set it to reflect Patch Tuesday
  • I would advise you tick the box to alert when synchronisation fails on any site in the hierarchy
  • Click Next
  • Ensure you select Do not expire a superseded software update until the software update is superseded for a specified period, and set the period to 1 month
  • Tick the box to Run WSUS cleanup wizard; I'm all for good housekeeping
  • Click Next
  • Untick all the Classifications (this will save you a lot of time during your first sync, trust me)
  • Click Next
  • Leave this as default
  • You may notice that Windows 10 and Server 2016 are not listed under Products; add them later, after the first sync, once the SUP has been added
  • Click Next
  • Tick the boxes for your preferred language(s)
  • Click Next
  • Observe and click Next
  • Hopefully you see this window; almost there now, so hang tight
  • If you wish to observe the installation log, navigate to C:\Program Files\Microsoft Configuration Manager\Logs\WCM.log, which records the WSUS configuration SCCM pushes to the server (SUPSetup.log in the same folder records the role installation itself)
  • Click Close
  • Within the Configuration Manager console navigate to Software Library > Software Updates > All Software Updates
  • Select Synchronize Software Updates
  • Read the prompt and click Yes
  • As this is a first sync with no classifications selected, it should not take more than 5 minutes (if it does, check the logs)
  • You can monitor the sync status at Monitoring > Software Update Point Synchronization Status
  • You can also observe the log file at C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log
  • As you can see below, I have a large number of updates waiting to be downloaded/deployed
  • At this point I would navigate back to Administration > Sites and right-click your site
  • Select Configure Site Components > Software Update Point
  • On the Products tab, tick the products you wish to patch (Windows 10 and Server 2016 appear here now that the first sync has run)
  • Now this is optional, of course, but if you want to download updates for your Configuration Manager infrastructure itself you need to add the service connection point
  • The service connection point is a site system role that serves several important functions for the hierarchy, such as managing mobile devices with Intune and downloading updates for Configuration Manager; you can find out more here
  • Navigate back to Administration > Sites and right-click your site
  • Select Add Site System Roles
  • Click Next on the General window and the Proxy window
  • Select Service Connection Point
  • Click Next
  • Select Online (unless you want the manual overhead of the offline mode)
  • Click Next
  • Click Next
  • Click Close once completed
  • Now go to Administration > Updates and Servicing
  • Right-click and select Check for Updates
  • You should see any hotfixes or Current Branch version updates available to install
  • I am covering an upgrade from 1606 to 1706 in my next post (I used 1606 rather than 1806 so I could carry out multiple upgrades: 1606 > 1706, 1706 > 1806, etc.)
  • One last thing to add: you should change some settings in the IIS configuration on your primary SCCM site server
  • Open IIS Manager from Server Manager or from Windows Administrative Tools on your Start menu
  • Go to Application Pools > WsusPool and click Advanced Settings in the right-hand pane
  • Change the Queue Length to 2000 (the default of 1000 may not suffice once many clients scan at once)
  • Also change the Private Memory Limit (KB) to 0 (no limit). The WSUS default is 1843200 KB, roughly 1.8 GB, which causes the pool to recycle under load and client scans to fail; 0 removes that ceiling entirely, so keep an eye on memory on a server that also hosts SQL, as mine does
  • Click OK
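The same server-side steps as a single script, added here as an example and not part of the original post. It strings together the WSUS role install and post-install, the content-folder ACL, the WsusPool settings, the SUP and service connection point roles and the first sync. Every value is an assumption for illustration: SQL instance London\SCCM, site code P01, site server London.corp.contoso.com, group CORP\SCCM Admins and content folder D:\WSUS. The Configuration Manager cmdlet and parameter names are those of the console's PowerShell module as I know them; confirm them with Get-Help on your Current Branch version before running, as the module changes between releases.

```powershell
# Added example, not from the original post. Run elevated on the primary site
# server. Every value below is an assumption; change it for your environment.
$SqlInstance = 'London\SCCM'               # server\instance (assumed)
$ContentDir  = 'D:\WSUS'                   # secondary drive, not the system drive (assumed)
$SiteCode    = 'P01'                       # ConfigMgr site code (assumed)
$SiteServer  = 'London.corp.contoso.com'   # FQDN of the primary site server (assumed)
$AdminGroup  = 'CORP\SCCM Admins'          # SCCM administrators group (assumed)

# --- 1. WSUS role with the SQL Server database option (not WID) ---
Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-DB -IncludeManagementTools

# --- 2. Post-installation tasks (what "Launch Post-Installation Tasks" runs) ---
New-Item -ItemType Directory -Path $ContentDir -Force | Out-Null
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'
& $wsusutil postinstall SQL_INSTANCE_NAME="$SqlInstance" CONTENT_DIR="$ContentDir"
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall failed with exit code $LASTEXITCODE" }

# --- 3. Full Control on the content folder for SCCM admins and NETWORK SERVICE ---
$acl = Get-Acl -Path $ContentDir
foreach ($identity in @($AdminGroup, 'NT AUTHORITY\NETWORK SERVICE')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ContentDir -AclObject $acl

# --- 4. WsusPool: queue length 2000, no private memory limit, then recycle ---
Import-Module WebAdministration
Set-ItemProperty -Path 'IIS:\AppPools\WsusPool' -Name queueLength -Value 2000
Set-ItemProperty -Path 'IIS:\AppPools\WsusPool' -Name recycling.periodicRestart.privateMemory -Value 0
Restart-WebAppPool -Name 'WsusPool'

# --- 5. ConfigMgr: SUP on 8530/8531, intranet only, no SSL; schedule; SCP online ---
# The console sets SMS_ADMIN_UI_PATH to ...\AdminConsole\bin\i386; the module lives one level up.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"
try {
    Add-CMSoftwareUpdatePoint -SiteCode $SiteCode -SiteSystemServerName $SiteServer `
        -WsusIisPort 8530 -WsusIisSslPort 8531 -ClientConnectionType Intranet

    # Weekly on Wednesday at 13:23, as in the post; alert on sync failure; run the cleanup wizard.
    $schedule = New-CMSchedule -DayOfWeek Wednesday -RecurCount 1 -Start (Get-Date '13:23')
    Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode `
        -SynchronizeAction SynchronizeFromMicrosoftUpdate -EnableSynchronization $true `
        -Schedule $schedule -EnableSyncFailureAlert $true -WsusCleanupWizard $true

    Add-CMServiceConnectionPoint -SiteCode $SiteCode -SiteSystemServerName $SiteServer -Mode Online

    # First full sync; products and classifications are chosen afterwards, as the post does.
    Sync-CMSoftwareUpdate -FullSync $true
}
finally { Pop-Location }

# --- 6. Watch the WSUS configuration and the sync from the site server logs ---
$logDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'
Get-Content -Path (Join-Path $logDir 'WCM.log') -Tail 20
Get-Content -Path (Join-Path $logDir 'wsyncmgr.log') -Tail 20
```

Two design choices worth noting. The ACL step uses ContainerInherit and ObjectInherit so files WSUS creates under the content folder pick up the same rights rather than needing a later fix-up, and the script leaves products and classifications unset on purpose: selecting them before the first sync is exactly what makes that sync slow, and the wizard steps above add them afterwards from the Software Update Point component properties.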

So that is it for now. Of course you can expand on all of this, carry out some patching and upgrade your SCCM version, but I would suggest researching each feature before deploying it, and always sandbox your updates on a single machine, where possible, for testing before you deploy en masse.

As always, please let me know if I have made any errors or if I could have carried out this process better.