Thursday, November 7, 2013

SCCM 2012 - WSUS and Software Update Point

In Windows 2008R2 - WSUS Installation I covered how to install WSUS on a stand alone server which would then be utilized by SCCM. In this post I am going to cover how to install WSUS and the Software Update Point site role on our Primary server and have it function as both.

 WSUS Installation:
Before we install WSUS we need to setup a storage location to house the updates. This drive should be an NTFS drive with a minimum of 2GB of free space. On a drive other than the system drive create a folder called WSUSUpdates and share that folder with everyone as read only. 

Click Close

Note: You will need to repeat this step for all Primary and Secondary servers that will be hosting Software Update Point.

Next you need to download and install the Microsoft Report Viewer 2008 Redistributable. It is available from Microsoft.

Once we have our storage location and Report Viewer installed we can start the WSUS install. On our SCCM server open Server Manager and Select Add Role. In the Add Roles Wizard Check Windows Server Update Services.

You will be prompted to add additional roles for IIS, Click Add Required Role Services.

Click Next

We don't need to add any additional roles at this point so Click Next

Click Next

Click Install

The wizard will download all of the required WSUS install files.

Then you will get a new window for the WSUS 3.0 SP2 Setup

Accept the EULA and Click Next

Check Store updates locally and choose the folder you created earlier. Click Next

I am going to run the database locally so I put it in the same folder that the updates will go in.

Since we already have SCCM using IIS on this server we do not want to use the Default Web site. Select the Create a Windows Server Update Service site and Click Next

Click Next

You can monitor the progress of the install.

Click Finish when complete.

You will be prompted to setup WSUS after the install has finished Click Cancel, we will be configuring these settings through SCCM.

Click Close

Note: You will need to repeat these steps for all Primary and Secondary servers that will be hosting Software Update Point.

Configure Software Update Point

Now that WSUS is installed, open the SCCM Console. In the Administration Space go into Site Configuration > Sites. Right Click on your SCCM server and Add Site System Role. If not already selected browse your site server and Click Next.

Setup your Proxy Server if required for your environment, otherwise Click Next

Check Software update point and Click Next

Remember that we elected to create a new web site during the WSUS install using Port 8530, this requires us to choose the second option for WSUS configuration. Otherwise we will not be able to connect SCCM to WSUS. Click Next

Click Next

Since this will be our Primary WSUS server Select Synchronize from Microsoft Update.

Note: When configuring additional Primary and Secondary servers the only option available here will be Synchronize from an upstream data source location. This is OK, what it means is all of the other SUP servers will rely on this one for which updates to download and deploy.

I like to keep the synchronization schedule fairly short in case a critical update is release mid cycle, but you can configure it according to your patching plan. Click Next

Dealers Choice here. Click Next

You can select which ever classifications you require for your Patching Plan. Click Next

Note: If you plan to install Endpoint Protection in your enterprise you will need to select Definition Updates

You can select the products that are appropriate for your enterprise. Keep in mind that everyone you select will increase the time it will take to complete the first synchronization. It is better to not select anything here and add items after the first synchronization. Click Next

Select the appropriate languages and Click Next

Click Next

Click Close

Depending on the number of products you selected it may take several hours to complete the first Synchronization. There are several logs you can monitor to ensure that the sync is running normally.

C:\Program Files\SMS_CCM\Logs\WUAHandler.log - Provides information on the synchronization with Microsoft, WSUS and SCCM

C:\Program Files\SMS_CCM\Logs\UpdatesDeployment.log - Provides information about the deployment on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface.

C:\Program Files\SMS_CCM\Logs\UpdatesHandler.log - Provides information about software update compliance scanning and about the download and installation of software updates on the client.

C:\Program Files\SMS_CCM\Logs\UpdatesStore.log - Provides information about the compliance status for the software updates that were assessed during the compliance scan cycle.

Note: Depending on the version of WSUS installed and the Version of SCCM you may be required to install the following updates before the initial synchronization may occur:

KB2530678 - KB2720211 - KB2734608

Setup Group Policy
You can utilize the Software Update Point as a method of installing the SCCM agent. Software update-based client installation utilizes SUP to manage client installs in the same manner that updates are deployed.

Keep in mind that in order to use this feature, WSUS and SUP need to live on the same server and it must be an active software update point on a primary site.

Note: The following actions will need to be performed by someone with Domain Administrator level access in Group Policy Management.

On a Domain Controller open Group Policy Management. Expand out Forests and Domains. Right Click on Group Policy Objects and Select New. I generally like to keep policies as descriptive as possible, but you can call it what ever suits you. Click OK

Expand out Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Double Click on Specify intranet Microsoft Update service Location. Select Enabled. You can add a comment if you like. I generally do to help remind me later of what this setting was used for. In Options, enter the URL of the server including port 8530 in both fields. Click OK

Now Double Click on Configure Automatic Updates. Select #4 and define the schedule according to your patching plan. Click OK
Exit out of the Group Policy and apply it to the appropriate OU's where your computers and servers reside.

Back on your SCCM Server highlight the primary server you were just working on and Click Client Installation Settings the Software Update-Based Client Installation.

Check Enable software update-based installation. Click OK

More to come!

If you like this blog, give it a g+1

No comments:

Post a Comment