Sccm Software Update Point Configuration
The software update point interacts with the WSUS services to configure the software update settings and to request synchronization of software updates metadata. When you have a Configuration Manager hierarchy, install and configure the software update point on the central administration site first, then on child primary sites, and then optionally, on secondary sites. Software update management is not one of the simplest SCCM tasks. Over the years, we trained many SCCM administrators using a simple approach and deployment strategy. We finally decided to create this complete SCCM Software Update Management Guide. This guide is a best-practice guide on how to plan, configure, manage and deploy software updates with SCCM. 6. Specify whether to use the existing Internet Information Services (IIS) Default Web site or to create a custom WSUS 3.0 Web site. When using the WSUS server for a software update point, it is recommended that Create a Windows Server Update Services 3.0 Web site is selected.
Applies to: System Center Configuration Manager (Current Branch)
Before you use software updates in a Configuration Manager production environment, it's important that you go through the planning process. Having a good plan for the software update point infrastructure is key to a successful software updates implementation. For information about capacity planning for software updates, see Size and scale numbers.
Determine the software update point infrastructure
The central administration site and all child primary sites must have a software update point. As you plan for the software update point infrastructure, determine the following dependencies:
- Where to install the software update point for the site
- Which sites require a software update point that accepts communication from internet-based clients
- Whether you need a software update point at secondary sites
Important
For more information about the internal and external dependencies that are required for software updates, see Prerequisites for software updates.
Add multiple software update points at a Configuration Manager primary site to provide fault tolerance. The failover design of the software update point is different than the pure randomization model that's used in the design for management points. Unlike in the design of management points, there are client and network performance costs in the software update point design when clients switch to a new software update point. When the client switches to a new WSUS server to scan for software updates, the result is an increase in the catalog size and associated client-side and network performance demands. Therefore, the client preserves affinity with the last software update point from which it successfully scanned.
The first software update point that you install on a primary site is the synchronization source for all additional software update points that you add at the primary site. After you add software update points and start synchronization, view the status of the software update points and the synchronization source from the Software Update Point Synchronization Status node in the Monitoring workspace.
When there's a failure of the software update point configured as the synchronization source for the site, manually remove the failed role. Then select a new software update point to use as the synchronization source. For more information, see Remove the software update point site system role.
Software update point list
Configuration Manager provides the client with a software update point list in the following scenarios:
- A new client receives the policy to enable software updates
- A client can't contact its assigned software update point and needs to switch to another
The client randomly selects a software update point from the list. It prioritizes the software update points in the same forest. Configuration Manager provides clients with a different list depending on the type of client:
- Intranet-based clients: Receive a list of software update points that you can configure to allow connections only from the intranet, or a list of software update points that allow internet and intranet client connections.
- Internet-based clients: Receive a list of software update points that you configure to allow connections only from the internet, or a list of software update points that allow internet and intranet client connections.
Software update point switching
Note
Clients use boundary groups to find a new software update point. If their current software update point is no longer accessible, they also use boundary groups to fall back and find a new one. Add individual software update points to different boundary groups to control which servers a client can find. For more information, see Software update points.
If you have multiple software update points at a site, and one fails or becomes unavailable, clients will connect to a different software update point. With this new server, clients continue to scan for the latest software updates. When a client is first assigned a software update point, it stays assigned to that software update point unless it fails to scan.
The scan for software updates can fail with a number of different retry and non-retry error codes. When the scan fails with a retry error code, the client starts a retry process to scan for the software updates on the software update point. The high-level conditions that result in a retry error code are typically because the WSUS server is unavailable or because it is temporarily overloaded. When the client fails to scan for software updates, it uses the following process:
1. The client scans for software updates:
   - At its scheduled time
   - When it's manually run from the control panel on the client
   - When it's manually run from the Configuration Manager console via a client notification action
   - When it's run from a Configuration Manager SDK method
2. If the scan fails, the client waits 30 minutes to retry the scan. It uses the same software update point.
3. The client retries a minimum of four times every 30 minutes. After the fourth failure, and after it waits an additional two minutes, the client moves to the next software update point in its list.
4. The client repeats this process with the new software update point. After a successful scan, the client continues to connect to the new software update point.
The following list provides additional information to consider for software update point retry and switching scenarios:
- If a client is disconnected from the intranet and fails to scan for software updates, it doesn't switch to another software update point. This failure is expected, because the client can't reach the internal network or a software update point that allows connections from the intranet. The Configuration Manager client determines the availability of the intranet software update point.
- If you're managing clients on the internet, and have configured multiple software update points to accept communication from clients on the internet, the switching process follows the standard retry process previously described.
- If the scan process starts, but the client is turned off before the scan completes, it isn't considered a scan failure and it doesn't count as one of the four retries.
When Configuration Manager receives any of the following Windows Update Agent error codes, the client retries the connection:
2149842970, 2147954429, 2149859352, 2149859362, 2149859338, 2149859344, 2147954430, 2147747475, 2149842974, 2149859342, 2149859372, 2149859341, 2149904388, 2149859371, 2149859367, 2149859366, 2149859364, 2149859363, 2149859361, 2149859360, 2149859359, 2149859358, 2149859357, 2149859356, 2149859354, 2149859353, 2149859350, 2149859349, 2149859340, 2149859339, 2149859332, 2149859333, 2149859334, 2149859337, 2149859336, 2149859335
To look up the meaning of an error code, convert the decimal error code to hexadecimal, and then search for the hexadecimal value on a site such as the Windows Update Agent - Error Codes Wiki. For example, the decimal error code 2149842970 is hexadecimal 8024001A, which means WU_E_POLICY_NOT_SET: a policy value was not set.
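The conversion described above, extended into a small triage helper. This is an added example, not code from the original documentation: it normalises a code written as unsigned decimal, signed 32-bit decimal or 0x-prefixed hex, splits the HRESULT into its fields, and checks it against the retry list quoted on this page. The function names and the sample inputs are constructed for illustration.

```python
"""Triage Windows Update Agent scan error codes against this page's retry list."""
import re
from collections import Counter

# Retry error codes exactly as listed on this page (unsigned decimal).
RETRY_CODES = frozenset(int(c) for c in """
2149842970 2147954429 2149859352 2149859362 2149859338 2149859344
2147954430 2147747475 2149842974 2149859342 2149859372 2149859341
2149904388 2149859371 2149859367 2149859366 2149859364 2149859363
2149859361 2149859360 2149859359 2149859358 2149859357 2149859356
2149859354 2149859353 2149859350 2149859349 2149859340 2149859339
2149859332 2149859333 2149859334 2149859337 2149859336 2149859335
""".split())

# HRESULT facility numbers (winerror.h) that occur in the list above.
FACILITIES = {
    0x04: "FACILITY_ITF",
    0x07: "FACILITY_WIN32",
    0x24: "FACILITY_WINDOWSUPDATE",
}


def to_hresult(raw):
    """Normalise unsigned decimal, signed 32-bit decimal or 0x-hex to unsigned."""
    text = raw.strip()
    if re.fullmatch(r"0[xX][0-9A-Fa-f]{1,8}", text):
        value = int(text, 16)
    elif re.fullmatch(r"-?\d+", text):
        value = int(text)
    else:
        raise ValueError(f"not an error code: {raw!r}")
    if not -0x80000000 <= value <= 0xFFFFFFFF:
        raise ValueError(f"outside the 32-bit range: {raw!r}")
    # Two's complement wrap: -2145124326 and 2149842970 are the same HRESULT.
    return value & 0xFFFFFFFF


def decode(hresult):
    """Split an HRESULT into the fields you search for or filter on."""
    facility = (hresult >> 16) & 0x7FF          # bits 16-26
    return {
        "decimal": hresult,
        "hex": f"{hresult:08X}",                # the value to search for
        "failure": bool(hresult >> 31),         # severity bit
        "facility": FACILITIES.get(facility, f"facility 0x{facility:02X}"),
        "code": hresult & 0xFFFF,               # low 16 bits
        "retry": hresult in RETRY_CODES,        # listed on this page?
    }


def triage(raw_codes):
    """Decode every code in an iterable of strings."""
    return [decode(to_hresult(raw)) for raw in raw_codes]


def retry_list_by_facility():
    """Count how many of the page's retry codes fall in each facility."""
    return Counter(decode(code)["facility"] for code in RETRY_CODES)


if __name__ == "__main__":
    # Constructed sample input: the page's own example in two notations,
    # one other listed code in hex, and one code that is not in the list.
    samples = ["2149842970", "-2145124326", "0x80072EFD", "0x80240022"]
    for row in triage(samples):
        verdict = "retry" if row["retry"] else "not in retry list"
        print(f'{row["hex"]}  {row["facility"]:<24} code={row["code"]:<6} {verdict}')
    print(dict(retry_list_by_facility()))
```

The facility breakdown shows that three of the listed codes are not Windows Update facility codes; two are Win32 codes wrapped in an HRESULT, which is worth knowing before you search a Windows Update error table for them.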
Manually switch clients to a new software update point
Switch Configuration Manager clients to a new software update point when there are issues with the active software update point. This change only happens when a client receives multiple software update points from a management point.
Important
When you switch devices to use a new server, the devices use fallback to find that new server. Clients switch to the new software update point during their next software updates scan cycle.
Before you start this change, review your boundary group configurations to make sure that your software update points are in the correct boundary groups. For more information, see Software update points.
Switching to a new software update point generates additional network traffic. The amount of traffic depends on your WSUS configuration settings, for example, the synchronized classifications and products, or use of a shared WSUS database. If you plan to switch multiple devices, consider doing so during maintenance windows. This timing reduces the impact to your network when clients scan with the new software update point.
Process to switch software update points
Start this change on a device collection. Once triggered, the clients look for another software update point at the next scan.
1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the Device Collections node.
2. Select the target collection. On the Home tab of the ribbon, in the Collection group, click Client Notification, and then click Switch to next Software Update Point.
Software update points in an untrusted forest
Create one or more software update points at a site to support clients in an untrusted forest. To add a software update point in another forest, first install and configure a WSUS server in that forest. Then start the wizard to add a Configuration Manager site server with the software update point site system role. In the wizard, configure the following settings to successfully connect to WSUS in the untrusted forest:
- Specify a Site System Installation account that can access the WSUS server in the untrusted forest.
- Specify a WSUS Server Connection account to connect to the WSUS server.
For example, you have a primary site in forest A with two software update points (SUP01 and SUP02). For the same primary site, you also have two software update points (SUP03 and SUP04) in forest B. When switching to the next software update point, the clients prioritize the servers from the same forest.
Use an existing WSUS server as the synchronization source at the top-level site
Typically, the top-level site in your hierarchy is configured to synchronize software updates metadata with Microsoft Update. When your organizational security policy doesn't allow the top-level site to access the internet, configure the synchronization source for the top-level site to use an existing WSUS server. This WSUS server isn't in your Configuration Manager hierarchy. For example, you have a WSUS server in an internet-connected network (DMZ), but your top-level site is in an internal network without internet access. Configure the WSUS server in the DMZ as your synchronization source for software updates metadata. Configure the WSUS server in the DMZ to synchronize software updates with the same criteria that you need in Configuration Manager. Otherwise, the top-level site might not synchronize the software updates that you expect. When you install the software update point, configure a WSUS server connection account. This account needs access to the WSUS server in the DMZ. Also confirm that the firewall permits traffic for the appropriate ports. For more information, see the ports used by the software update point to the synchronization source.
Software update point on a secondary site
The software update point is optional on a secondary site. Install only one software update point at a secondary site. When a software update point isn't installed at the secondary site, devices within the boundaries of a secondary site use a software update point at their assigned primary site. You typically install a software update point at a secondary site when there's limited network bandwidth between the devices in the secondary site and the software update points at the parent primary site. You may also use this configuration when the software update point at the primary site approaches the capacity limit. After you successfully install and configure a software update point at the secondary site, a site-wide policy is updated for clients, and they start to use the new software update point.
Plan for internet-based clients
When you need to manage devices that roam off your network onto the internet, develop a plan for how to manage software updates on these devices. Configuration Manager supports several technologies for this scenario. Use one or a combination as necessary to meet the requirements of your organization.
Cloud management gateway
Create a cloud management gateway in Microsoft Azure and enable at least one on-premises software update point to allow traffic from internet-based clients. As clients roam onto the internet, they continue to scan against your software update points. All internet-based clients always get content from the Microsoft Update cloud service.
For more information, see Plan for the cloud management gateway.
Internet-based client management
Place a software update point in an internet-facing network and enable it to allow traffic from internet-based clients. As clients roam onto the internet, they switch to this software update point for scanning. All internet-based clients always get content from the Microsoft Update cloud service.
For more information on the advantages and disadvantages of internet-based client management, see Manage clients on the internet.
Windows Update for Business
Windows Update for Business allows you to keep Windows 10 devices always up-to-date with the latest quality and feature updates. These devices connect directly to the Windows Update cloud service. Configuration Manager can differentiate between Windows 10 computers that use WUfB and WSUS for getting software updates.
For more information, see Integration with Windows Update for Business.
Plan software update content
Clients need to download the content files for software updates in order to install them. Configuration Manager provides several technologies to support management and delivery of this content. Or configure software update deployments to allow or require clients to get content directly from the Microsoft Update cloud service.
Download and distribute content
By default, the software update management process in Configuration Manager uses the built-in content management features. These features include the centralized, single-instance store content library, and the distributed design of the distribution point site system role. You use these features when you download and distribute software update deployment packages.
For more information, see Download software updates.
Manage express installation files for Windows 10
Configuration Manager supports the use of express installation files for Windows 10 updates. Express update files and supporting technologies such as Delivery Optimization can help reduce the network impact of large content files downloading to clients.
For more information, see Optimize Windows 10 update delivery.
Clients download content from the internet
When you deploy software updates to clients, configure the deployment for clients to download content from the Microsoft Update cloud service. When clients aren't able to download content from another content source, they can still download the content from the internet.
Starting in version 1806, you don't have to create a deployment package when deploying software updates. When you select the No deployment package option, clients can still download content from local sources if available, but typically download from the Microsoft Update service.
Internet-based clients always download content from the Microsoft Update cloud service. Don't distribute software update deployment packages to a cloud distribution point. You're charged for storage with the cloud distribution point, but clients won't download these packages.
Plan for third-party updates
Configuration Manager integrates with WSUS, which natively supports software updates published by Microsoft. Most customers use other third-party applications that also need updates. There are several options to consider for keeping third-party applications up to date.
Supersede applications to update
Use a supersedence relationship with the application management feature in Configuration Manager to upgrade or replace existing applications. When you supersede an application, specify a new deployment type to replace the deployment type of the superseded application. Also decide whether to upgrade or uninstall the superseded application before the superseding application is installed.
For more information, see Revise and supersede applications.
Third-party software updates
Starting in version 1806, use the Third-Party Software Update Catalogs node in the Configuration Manager console to subscribe to third-party catalogs, publish their updates to your software update point, and then deploy them to clients.
For more information, see Third-party software updates.
System Center Updates Publisher
System Center Updates Publisher (SCUP) is a stand-alone tool that enables independent software vendors or line-of-business application developers to manage custom updates. These updates include those with dependencies, like drivers and update bundles.
For more information, see System Center Updates Publisher.
Plan for software update point installation
This section provides information about the steps to take to successfully plan and prepare for the software update point installation. Before you create a site system role for the software update point in Configuration Manager, there are several requirements to consider. The specific requirements depend on your Configuration Manager infrastructure. When you configure the software update point to communicate by using HTTPS, this section is especially important to review. HTTPS-enabled servers require additional steps to work properly.
Requirements for the software update point
Install the software update point role on a site system that meets the minimum requirements for WSUS and the supported configurations for Configuration Manager site systems.
For more information about the minimum requirements for the WSUS server role in Windows Server, see Review considerations and system requirements.
For more information about the supported configurations for Configuration Manager site systems, see Site and site system prerequisites.
Plan for WSUS installation
Install a supported version of WSUS on all site system servers that you configure for the software update point role. When you don't install the software update point on the site server, install the WSUS Administration Console on the site server. This component allows the site server to communicate with WSUS that runs on the software update point.
When you use WSUS on Windows Server 2012 or later, configure additional permissions to allow the WSUS Configuration Manager component in Configuration Manager to connect to WSUS. This component performs periodic health checks. Choose one of the following options to configure the required permission:
- Add the SYSTEM account to the WSUS Administrators group
- Add the NT AUTHORITY\SYSTEM account as a user for the WSUS database (SUSDB). Configure a minimum of the webService database role membership.
For more information about how to install WSUS on Windows Server, see Install the WSUS Server Role.
When you install more than one software update point at a primary site, use the same WSUS database for each software update point in the same Active Directory forest. Sharing the same database improves performance when clients switch to a new software update point. For more information, see Use a shared WSUS database for software update points.
Configuring the WSUS content directory path
When you install WSUS, you'll need to provide a content directory path. The WSUS content directory is primarily used for storing the Microsoft Software License Terms files needed by clients during scanning. The WSUS content directory should not overlap with your content source directory for Configuration Manager software deployment packages. Overlapping the WSUS content directory and the Configuration Manager package source will result in incorrect files being removed from the WSUS content directory.
Configure WSUS to use a custom website
When you install WSUS, you have the option to use the existing IIS Default website, or to create a custom WSUS website. Create a custom website for WSUS so that IIS hosts the WSUS services in a dedicated virtual website. Otherwise it shares the same website that's used by the other Configuration Manager site systems or applications. This configuration is especially necessary when you install the software update point role on the site server. When you run WSUS in Windows Server 2012 or later, WSUS is configured by default to use port 8530 for HTTP and port 8531 for HTTPS. Specify these ports when you create the software update point at a site.
Use an existing WSUS infrastructure
Select a WSUS server that was active in your environment before you installed Configuration Manager as a software update point. When the software update point is configured, specify the synchronization settings. Configuration Manager connects to the WSUS server that runs on the software update point server and configures WSUS with the same settings.
Before you configure the server as a software update point, compare its configuration for products and classifications with your Configuration Manager settings. If you synchronized the existing WSUS server before configuring it as a software update point, and the lists of products and classifications are different, it syncs all of the software updates metadata regardless of the configured settings. This behavior results in unexpected software updates metadata in the site database.
You experience the same behavior when you add products or classifications directly in the WSUS Administration console, and then immediately initiate a synchronization. By default, every hour Configuration Manager connects to WSUS and resets any settings that were modified outside of Configuration Manager. The software updates that don't meet the products and classifications that you specify in synchronization settings are set to expired. Then they are removed from the site database.
When a WSUS server is configured as a software update point, you're no longer able to use it as a standalone WSUS server. If you need a separate standalone WSUS server that isn't managed by Configuration Manager, configure it on a different server.
Configure WSUS as a replica server
When you add the software update point role on a primary site server, you can't use a WSUS server that's configured as a replica. When the WSUS server is configured as a replica, Configuration Manager fails to configure the WSUS server, and the WSUS synchronization fails. The first software update point that you install at a primary site is the default software update point. Additional software update points at the site are configured as replicas of the default software update point.
Decide whether to configure WSUS to use SSL
Use the SSL protocol to help secure the software update point. WSUS uses SSL to authenticate client computers and downstream WSUS servers to the WSUS server. WSUS also uses SSL to encrypt software update metadata. When you choose to secure WSUS with SSL, prepare the WSUS server before you install the software update point. For more information, see the Configure SSL on the WSUS server article in the documentation for WSUS.
When you install and configure the software update point, select the option to Enable SSL communications for the WSUS Server. Otherwise, Configuration Manager configures WSUS not to use SSL. When you enable SSL on a software update point, also configure any software update points at child sites to use SSL.
Configure firewalls
The software update point at a Configuration Manager central administration site communicates with WSUS on the software update point. WSUS communicates with the synchronization source to synchronize software updates metadata. Software update points at a child site communicate with the software update point at the parent site. When there's more than one software update point at a primary site, the additional software update points communicate with the default software update point. The default role is the first software update point that's installed at the site.
You might need to configure the firewall to allow the HTTP or HTTPS traffic that WSUS uses in the following scenarios:
- Between the software update point and the internet
- Between a software update point and its upstream synchronization source
- Between additional software update points
The connection to Microsoft Update is always configured to use port 80 for HTTP and port 443 for HTTPS. Use a custom port for the connection from WSUS on the software update point at a child site to WSUS on the software update point at the parent site. When your security policy doesn't allow the connection, use the export and import synchronization method. For more information, see the Synchronization source section in this article. For more information about the ports that WSUS uses, see How to determine the port settings used by WSUS in Configuration Manager.
Restrict access to specific domains
If your organization restricts network communication with the internet using a firewall or proxy device, you need to allow the active software update point to access internet endpoints. Then WSUS and Automatic Updates can communicate with the Microsoft Update cloud service.
For more information, see Internet access requirements.
Plan for synchronization settings
Software updates synchronization in Configuration Manager downloads the software updates metadata based on criteria that you configure. The top-level site in your hierarchy synchronizes software updates from Microsoft Update. You have the option to configure the software update point on the top-level site to synchronize with an existing WSUS server that isn't in the Configuration Manager hierarchy. The child primary sites synchronize software updates metadata from the software update point on the central administration site. Before you install and configure a software update point, use this section to plan for the synchronization settings.
Synchronization source
The synchronization source settings for the software update point specify the location from which the software update point retrieves software updates metadata. They also specify whether the synchronization process creates WSUS reporting events.
Synchronization source: By default, the software update point at the top-level site configures the synchronization source for Microsoft Update. You have the option to synchronize the top-level site with an existing WSUS server. The software update point on a child primary site configures the synchronization source as the software update point at the central administration site.
The first software update point that you install at a primary site, which is the default software update point, synchronizes with the central administration site. Additional software update points at the primary site synchronize with the default software update point at the primary site.
When a software update point is disconnected from Microsoft Update or from the upstream update server, configure the synchronization source not to synchronize with a configured synchronization source. Instead configure it to use the export and import function of the WSUSUtil tool to synchronize software updates. For more information, see Synchronize software updates from a disconnected software update point.
WSUS reporting events: The Windows Update Agent on client computers can create event messages for WSUS reporting. These events aren't used by Configuration Manager. Thus, the option, Do not create WSUS reporting events, is selected by default. When these events aren't created, the only time that the client should connect to the WSUS server is during software update evaluation and compliance scans. If these events are needed for reporting outside of Configuration Manager, modify this setting to create WSUS reporting events.
Synchronization schedule
Configure the synchronization schedule only at the software update point on the top-level site in the Configuration Manager hierarchy. When you configure the synchronization schedule, the software update point synchronizes with the synchronization source at the date and time that you specified. The custom schedule allows you to synchronize software updates to optimize for your environment. Consider the performance demands of the WSUS server, site server, and network; for example, schedule synchronization for 2:00 AM once a week. Alternatively, manually start synchronization on the top-level site by using the Synchronization Software Updates action from the All Software Updates or Software Update Groups nodes in the Configuration Manager console.
Tip
Schedule the software updates synchronization to run by using a time that's appropriate for your environment. One common scenario is to set the synchronization schedule to run shortly after Microsoft's regular software update release on the second Tuesday of each month. This day is typically referred to as Patch Tuesday. If you use Configuration Manager to deliver Endpoint Protection and Windows Defender definition and engine updates, consider setting the synchronization schedule to run daily.
After the software update point successfully synchronizes, it sends a synchronization request to child sites. If you have additional software update points at a primary site, it sends a synchronization request to each software update point. This process is repeated on every site in the hierarchy.
Update classifications
Every software update is defined with an update classification that helps to organize the different types of updates. During the synchronization process, the site synchronizes the metadata for the specified classifications.
Configuration Manager supports synchronization of the following update classifications:
- Critical Updates: A broadly released update for a specific problem that addresses a critical, non-security-related bug.
- Definition Updates: An update to virus or other definition files.
- Feature Packs: New product features that are distributed outside of a product release and are typically included in the next full product release.
- Security Updates: A broadly released update for a product-specific, security-related issue.
- Service Packs: A cumulative set of hotfixes that is applied to an OS or application. These hotfixes include security updates, critical updates, and software updates.
- Tools: A utility or feature that helps to complete one or more tasks.
- Update Rollups: A cumulative set of hotfixes that is packaged together for easy deployment. These hotfixes include security updates, critical updates, and software updates. An update rollup generally addresses a specific area, such as security or a product component.
- Updates: An update to an application or file that's currently installed.
- Upgrades: A feature update to a new version of Windows 10.
Configure the update classification settings only on the top-level site. The update classification settings aren't configured on the software update point on child sites, because the software updates metadata is replicated from the top-level site. When you select the update classifications, be aware that the more classifications you select, the longer it takes to synchronize the software updates metadata.
Warning
As a best practice, clear all classifications before you synchronize for the first time. After the initial synchronization, select the desired classifications, and then rerun synchronization.
Products
The metadata for each software update defines one or more products for which the update is applicable. A product is a specific edition of an OS or application. An example of a product is Microsoft Windows 10. A product family is the base OS or application from which the individual products are derived. An example of a product family is Microsoft Windows, of which Windows 10 and Windows Server 2016 are members. Select a product family or individual products within a product family.
When software updates are applicable to multiple products, and at least one of the products is selected for synchronization, all of the products appear in the Configuration Manager console even if some products weren't selected. For example, you only select the Windows Server 2012 product. If a software update applies to Windows Server 2012 and Windows Server 2012 Datacenter Edition, both products are in the site database.
Configure the product settings only on the top-level site. The product settings aren't configured on the software update point for child sites because the software updates metadata is replicated from the top-level site. The more products that you select, the longer it takes to synchronize the software updates metadata.
Important
Configuration Manager stores a list of products and product families that you choose from when you first install the software update point. Products and product families that are released after Configuration Manager is released might not be available to select until you complete synchronization. The synchronization process updates the list of available products and product families from which you can choose. Clear all products before you synchronize software updates for the first time. After the initial synchronization, select the desired products, and then rerun synchronization.
Supersedence rules
Typically, a software update that supersedes another software update does one or more of the following actions:
Enhances, improves, or updates the fix that was provided by one or more previously released updates.
Improves the efficiency of the superseded update file package, which is installed on clients if the update is approved for installation. For example, the superseded update might contain files that are no longer relevant to the fix or to the operating systems that are supported by the new update. Those files aren't included in the superseding file package of the update.
Updates newer versions of a product. In other words, it updates versions that are no longer applicable to older versions or configurations of a product. Updates can also supersede other updates if modifications were made to expand language support. For example, a later revision of a product update for Microsoft Office might remove the support for an older OS, but it might add additional support for new languages in the initial update release.
In the properties for the software update point, specify that the superseded software updates are immediately expired. This setting prevents them from being included in new deployments. It also flags the existing deployments to indicate that they contain one or more expired software updates. Or specify a period of time before the superseded software updates are expired. This action allows you to continue to deploy them.
Consider the following scenarios in which you might need to deploy a superseded software update:
A superseding software update supports only newer versions of an OS. Some of your client computers run earlier versions of the OS.
A superseding software update has more restricted applicability than the software update it supersedes. This behavior would make it inappropriate for some clients.
A superseding software update wasn't approved for deployment in your production environment.
Note
- Before Configuration Manager version 1806, when Configuration Manager sets a superseded software update to Expired, it doesn't set the update to Declined in WSUS. Clients continue to scan for an expired update until the update is declined manually or via a custom script. After Configuration Manager version 1806, Configuration Manager will also decline the superseded updates in WSUS. For more information about the WSUS cleanup task, see Software updates maintenance.
- Starting in Configuration Manager version 1810, you can specify the supersedence rules behavior for feature updates separately from non-feature updates.
Languages
The language settings for the software update point allow you to configure:
- The languages for which the summary details (software updates metadata) are synchronized for software updates
- The software update file languages that are downloaded for software updates
Software update file
Configure languages for the Software update file setting in the properties for the software update point. This setting provides the default languages that are available when you download software updates at a site. Modify the languages that are selected by default each time that the software updates are downloaded or deployed. During the download process, the software update files for the configured languages are downloaded to the deployment package source location, if the software update files are available in the selected language. Next, they're copied to the content library on the site server. Then they're distributed to the distribution points that are configured for the package.
Configure the software update file language settings with the languages that are most often used in your environment. For example, clients in your site use mostly English and Japanese for Windows or applications. There are few other languages that are used at the site. Select only English and Japanese in the Software Update File column when you download or deploy the software update. This action allows you to use the default settings on the Language Selection page of the deployment and download wizards. This action also prevents unneeded update files from being downloaded. Configure this setting at each software update point in the Configuration Manager hierarchy.
Summary details
During the synchronization process, the summary details information (software updates metadata) is updated for software updates in the languages that you specify. The metadata provides information about the software update, for example:
- Name
- Description
- Products that the update supports
- Update classification
- Article ID
- Download URL
- Applicability rules
Configure the summary details settings only on the top-level site. The summary details aren't configured on the software update point on child sites because the software updates metadata is replicated from the central administration site by using file-based replication. When you select the summary details languages, select only the languages that you need in your environment. The more languages that you select, the longer it takes to synchronize the software updates metadata. Configuration Manager displays the software updates metadata in the locale of the OS in which the Configuration Manager console runs. If the localized properties for the software updates aren't available in the locale of this OS, the software updates information displays in English.
Important
Select all of the summary details languages that you need. When the software update point at the top-level site synchronizes with the synchronization source, the selected summary details languages determine the software updates metadata that it retrieves. If you modify the summary details languages after synchronization ran at least one time, it retrieves the software updates metadata for the modified summary details languages only for new or updated software updates. The software updates that have already been synchronized aren't updated with new metadata for the modified languages unless there's a change to the software update on the synchronization source.
Maximum run time
(Introduced in version 1906)
Starting in version 1906, you can specify the maximum amount of time a software update installation has to complete. You can specify the maximum run time for the following:
- Maximum run time for Windows feature updates (minutes)
  - Feature updates - An update that is in one of these three classifications:
    - Upgrades
    - Update rollups
    - Service packs
- Maximum run time for Office 365 updates and non-feature updates for Windows (minutes)
  - Non-feature updates - An update that isn't a feature upgrade and whose product is listed as one of the following:
    - Windows 10 (all versions)
    - Windows Server 2012
    - Windows Server 2012 R2
    - Windows Server 2016
    - Windows Server 2019
    - Office 365
These settings only change the maximum run time for new updates that are synchronized from Microsoft Update. They don't change the run time on existing feature or non-feature updates.
All other products and classifications are not configurable with this setting. If you need to change the maximum run time of one of these updates, configure the software update settings.
Note
In version 1906, the maximum runtime isn't available when you install the top-level software update point. After installation, edit the maximum run time on your top-level software update point.
Plan for a software updates maintenance window
Add a maintenance window dedicated for software updates installation. This action lets you configure a general maintenance window and a different maintenance window for software updates. When you configure both a general maintenance window and software updates maintenance window, clients install software updates only during the software updates maintenance window.
Starting with Configuration Manager version 1810, you can change this behavior and allow software updates to install during a general maintenance window. For more information about this client setting, see Software updates client settings.
For more information about maintenance windows, see How to use maintenance windows.
Restart options for Windows 10 clients after software update installation
When a software update that requires a restart is deployed and installed using Configuration Manager, the client schedules a pending restart and displays a restart dialog box.
When there's a pending restart for a Configuration Manager software update, the options Update and Restart and Update and Shutdown are available on Windows 10 computers in the Windows power options. After using one of these options, the restart dialog doesn't display after the computer restarts.
Next steps
Once you plan for software updates, see Prepare for software updates management.
For more information about managing Windows as a service, see Fundamentals of Configuration Manager as a service and Windows as a service.
Applies to: System Center Configuration Manager (Current Branch)
Important
Before you install the software update point site system role (SUP), you must verify that the server meets the required dependencies and determine the software update point infrastructure on the site. For more information about how to plan for software updates and to determine your software update point infrastructure, see Plan for software updates.
The software update point is required on the central administration site and on the primary sites to enable software updates compliance assessment and to deploy software updates to clients. The software update point is optional on secondary sites. The software update point site system role must be created on a server that has WSUS installed. The software update point interacts with the WSUS services to configure the software update settings and to request synchronization of software updates metadata. When you have a Configuration Manager hierarchy, install and configure the software update point on the central administration site first, then on child primary sites, and then optionally, on secondary sites. When you have a stand-alone primary site, not a central administration site, install and configure the software update point on the primary site first, and then optionally, on secondary sites. Some settings are only available when you configure the software update point on a top-level site. There are different options that you must consider depending on where you installed the software update point.
Important
You can install more than one software update point on a site. The first software update point that you install is configured as the synchronization source, which synchronizes the updates from Microsoft Update or from the upstream synchronization source. The other software update points on the site are configured as replicas of the first software update point. Therefore, some settings are not available after you install and configure the initial software update point.
Important
It is not supported to install the software update point site system role on a server that has been configured and used as a standalone WSUS server or using a software update point to directly manage WSUS clients. Existing WSUS servers are only supported as upstream synchronization sources for the active software update point. See Synchronize from an upstream data source location.
You can add the software update point site system role to an existing site system server or you can create a new one. On the System Role Selection page of the Create Site System Server Wizard or Add Site System Roles Wizard, depending on whether you add the site system role to a new or existing site server, select Software update point, and then configure the software update point settings in the wizard. The settings are different depending on the version of Configuration Manager that you use. For more information about how to install site system roles, see Install site system roles.
Use the following sections for information about the software update point settings on a site.
Proxy server settings
You can configure the proxy server settings on different pages of the Create Site System Server Wizard or Add Site System Roles Wizard depending on the version of Configuration Manager that you use.
You must configure the proxy server, and then specify when to use the proxy server for software updates. Configure the following settings:
Configure the proxy server settings on the Proxy page of the wizard or on the Proxy tab in Site system Properties. The proxy server settings are site system specific, meaning that all site system roles use the proxy server settings that you specify.
Specify whether to use the proxy server when Configuration Manager synchronizes the software updates and when it downloads content by using an automatic deployment rule. Configure the software update point proxy server settings on the Proxy and Account Settings page of the wizard or on the Proxy and Account Settings tab in Software update point Properties.
Note
The Use a proxy when downloading content by using automatic deployment rules setting is available but it is not used for a software update point on a secondary site. Only the software update point on the central administration site and primary site downloads content from the Microsoft Update page.
Important
By default, the Local System account for the server on which an automatic deployment rule was created is used to connect to the Internet and download software updates when the automatic deployment rules run. When this account does not have access to the Internet, software updates fail to download and the following entry is logged to ruleengine.log: Failed to download the update from internet. Error = 12007. Configure the credentials to connect to the proxy server when the Local System account does not have Internet access.
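The ruleengine.log entry quoted above can be searched for across a log to see how often and how long downloads have been failing. This is an added example, not part of the original article or of Configuration Manager; the log lines are constructed in the CMTrace-style layout that Configuration Manager logs use, and the component name, thread number and timestamps are sample values.

```python
import re
from datetime import datetime

# One CMTrace-style entry: <![LOG[message]LOG]!><time=".." date=".." ... type="N" ...>
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>\d{2}:\d{2}:\d{2})[^"]*"\s+date="(?P<date>\d{1,2}-\d{1,2}-\d{4})"'
    r'[^>]*?\stype="(?P<type>\d)"',
    re.DOTALL,  # a message may span several physical lines
)
# The failure text quoted in the article, with the numeric code captured.
FAILURE_RE = re.compile(r'Failed to download the update from internet\. Error = (?P<code>\d+)')
SEVERITY = {"1": "info", "2": "warning", "3": "error"}
# 12007 is the WinINet/WinHTTP "server name could not be resolved" code.
HINTS = {
    12007: "name not resolved: the account running the rule has no working path "
           "to the Internet; configure proxy credentials on the software update point",
}


def parse_entries(text):
    """Yield one dict per log entry, including multi-line entries."""
    for m in ENTRY_RE.finditer(text):
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%Y %H:%M:%S")
        yield {
            "when": when,
            "severity": SEVERITY.get(m["type"], "unknown"),
            "message": m["msg"].strip(),
        }


def summarize_download_failures(text):
    """Group download failures by error code with count and first/last time seen."""
    summary = {}
    for entry in parse_entries(text):
        hit = FAILURE_RE.search(entry["message"])
        if hit is None:
            continue
        code = int(hit["code"])
        item = summary.setdefault(code, {
            "count": 0,
            "first": entry["when"],
            "last": entry["when"],
            "hint": HINTS.get(code, "unmapped code; look it up before acting"),
        })
        item["count"] += 1
        item["first"] = min(item["first"], entry["when"])
        item["last"] = max(item["last"], entry["when"])
    return summary


def _sample_entry(msg, date, time, sev):
    """Build one constructed log entry (sample data, not real output)."""
    return (f'<![LOG[{msg}]LOG]!><time="{time}.000+300" date="{date}" '
            f'component="SMS_RULE_ENGINE" context="" type="{sev}" thread="4716" file="">\n')


FAIL = "Failed to download the update from internet. Error = 12007"
SAMPLE_LOG = "".join([
    _sample_entry("constructed informational entry", "03-12-2019", "02:14:05", 1),
    _sample_entry(FAIL, "03-12-2019", "02:14:07", 3),
    _sample_entry(FAIL, "03-12-2019", "02:14:09", 3),
    _sample_entry("constructed entry that\nspans two lines", "03-13-2019", "02:14:01", 2),
    _sample_entry(FAIL, "03-13-2019", "02:14:06", 3),
])

if __name__ == "__main__":
    for code, item in summarize_download_failures(SAMPLE_LOG).items():
        print(f"Error {code}: {item['count']} failures, "
              f"{item['first']} to {item['last']} ({item['hint']})")
```

A failure count that keeps growing across synchronization cycles means automatic deployment rules are not delivering new updates, which is worth alerting on.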
WSUS settings
You must configure WSUS settings on different pages of the Create Site System Server Wizard or Add Site System Roles Wizard depending on the version of Configuration Manager that you use, and in some cases, only in the properties for the software update point, also known as Software Update Point Component Properties. Use the information in the following sections to configure the WSUS settings.
WSUS port settings
You must configure the WSUS port settings on the Software Update Point page of the wizard or in the properties of the software update point. Use the following procedure to determine the port settings used by WSUS.
To determine the port settings used in IIS
On the WSUS server, open Internet Information Services (IIS) Manager.
Expand Sites, right-click the Web site for the WSUS server, and then click Edit Bindings. In the Site Bindings dialog, the HTTP and HTTPS port values are displayed in the Port column.
Configure SSL communications to WSUS
You can configure SSL communication on the General page of the wizard or on the General tab in the properties of the software update point.
For more information about how to use SSL, see Decide whether to configure WSUS to use SSL.
WSUS Server Connection Account
You can configure an account to be used by the site server when it connects to WSUS that runs on the software update point. When you don't configure this account, Configuration Manager uses the computer account for the site server to connect to WSUS. Configure the WSUS Server Connection Account on the Proxy and Account Settings page of the wizard, or on the Proxy and Account Settings tab in Software update point Properties. You can configure the account in different places of the wizard depending on the version of Configuration Manager that you use.
For more information about Configuration Manager accounts, see Accounts used in System Center Configuration Manager.
Synchronization source
You can configure the upstream synchronization source for software updates synchronization on the Synchronization Source page of the wizard, or on the Sync Settings tab in Software Update Point Component Properties. Your options for the synchronization source vary depending on the site.
Use the following table for the available options when you configure the software update point at a site.
Site | Available synchronization source options |
---|---|
Central administration site; stand-alone primary site | Synchronize from the Microsoft Update website; Synchronize from an upstream data source location; Do not synchronize from Microsoft Update or upstream data source |
Additional software update points at a site; child primary site; secondary site | Synchronize from an upstream data source location |
The following list provides more information about each option that you can use as the synchronization source:
Synchronize from Microsoft Update: Use this setting to synchronize software updates metadata from Microsoft Update. The central administration site must have Internet access; otherwise, synchronization will fail. This setting is available only when you configure the software update point on the top-level site.
Note
When there is a firewall between the software update point and the Internet, the firewall might need to be configured to accept the HTTP and HTTPS ports that are used for the WSUS Web site. You can also choose to restrict access on the firewall to limited domains. For more information about how to plan for a firewall that supports software updates, see Configure firewalls.
Synchronize from an upstream data source location: Use this setting to synchronize software updates metadata from the upstream synchronization source. The child primary sites and secondary sites are automatically configured to use the parent site URL for this setting. You have the option to synchronize software updates from an existing WSUS server. Specify a URL, such as https://WSUSServer:8531, where 8531 is the port that is used to connect to the WSUS server.
Do not synchronize from Microsoft Update or upstream data source: Use this setting to manually synchronize software updates when the software update point at the top-level site is disconnected from the Internet. For more information, see Synchronize software updates from a disconnected software update point.
You can also configure whether to create WSUS reporting events on the Synchronization Source page of the wizard or on the Sync Settings tab in Software Update Point Component Properties. Configuration Manager doesn't use these events; therefore, you will normally choose the default setting Do not create WSUS reporting events.
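The port procedure under WSUS port settings and the upstream URL described above can be cross-checked offline. This added example (not from the original article) reads the site bindings from a copy of the IIS applicationHost.config file, where IIS stores what the Edit Bindings dialog shows, and checks a planned upstream URL against them. The configuration excerpt, the site name "WSUS Administration" and port 8530 are constructed sample values; the URL form follows the article's https://WSUSServer:8531 example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed excerpt in the layout of IIS's applicationHost.config (sample data).
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
          <binding protocol="net.tcp" bindingInformation="808:*" />
        </bindings>
      </site>
      <site name="WSUS Administration" id="2">
        <bindings>
          <binding protocol="http" bindingInformation="*:8530:" />
          <binding protocol="https" bindingInformation="[::]:8531:" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>"""

# HTTP(S) bindingInformation is "address:port:hostname"; the address may be
# "*", an IPv4 address, or a bracketed IPv6 address that itself contains colons.
BINDING_RE = re.compile(r'^(?:\*|\[[0-9A-Fa-f:.]+\]|[0-9.]*):(?P<port>\d+):(?P<host>.*)$')
DEFAULT_PORTS = {"http": 80, "https": 443}


def site_ports(config_xml, site_name):
    """Return {'http': [...], 'https': [...]} for the named IIS site."""
    root = ET.fromstring(config_xml)
    for site in root.iter("site"):
        if site.get("name") != site_name:
            continue
        ports = {"http": [], "https": []}
        for binding in site.iter("binding"):
            protocol = (binding.get("protocol") or "").lower()
            if protocol not in ports:
                continue  # skip non-web bindings such as net.tcp
            info = binding.get("bindingInformation", "")
            match = BINDING_RE.match(info)
            if match is None:
                raise ValueError(f"unrecognized bindingInformation: {info!r}")
            ports[protocol].append(int(match["port"]))
        return ports
    raise LookupError(f"no IIS site named {site_name!r}")


def check_upstream_url(url, ports):
    """List problems with a planned upstream URL given the site's bindings."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ports:
        return [f"unsupported scheme {scheme!r}"]
    problems = []
    if scheme == "http":
        problems.append("URL uses HTTP, so synchronization traffic to the "
                        "upstream server is not protected by TLS")
    port = parts.port or DEFAULT_PORTS[scheme]
    if port not in ports[scheme]:
        problems.append(f"port {port} has no {scheme.upper()} binding on the site")
    return problems


if __name__ == "__main__":
    wsus_ports = site_ports(SAMPLE_CONFIG, "WSUS Administration")
    print("bindings:", wsus_ports)
    for candidate in ("https://WSUSServer:8531", "http://WSUSServer:8531"):
        print(candidate, "->", check_upstream_url(candidate, wsus_ports) or "ok")
```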
Synchronization schedule
Configure the synchronization schedule on the Synchronization Schedule page of the wizard or in the Software Update Point Component Properties. This setting is configured only on the software update point at the top-level site.
If you enable the schedule, you can configure a recurring simple or custom synchronization schedule. When you configure a simple schedule, the start time is based on the local time for the computer that runs the Configuration Manager console at the time when you create the schedule. When you configure the start time for a custom schedule, it's based on the local time for the computer that runs the Configuration Manager console.
Tip
Schedule software updates synchronization to run by using a time-frame that is appropriate for your environment. One typical scenario is to set the software updates synchronization schedule to run shortly after the Microsoft regular security update release on the second Tuesday of each month, which is normally referred to as Patch Tuesday. Another typical scenario is to set the software updates synchronization schedule to run daily when you use software updates to deliver the Endpoint Protection definition and engine updates.
Note
When you choose not to enable software updates synchronization on a schedule, you can manually synchronize software updates from the All Software Updates or Software Update Groups node in the Software Library workspace. For more information, see synchronize software updates.
Supersedence rules
Configure the supersedence settings on the Supersedence Rules page of the wizard or on the Supersedence Rules tab in Software Update Point Component Properties. You can configure the supersedence rules only on the top-level site. Starting in Configuration Manager version 1810, you can specify the supersedence rules behavior for feature updates separately from non-feature updates.
On this page, you can specify that the superseded software updates are immediately expired, which prevents them from being included in new deployments and flags the existing deployments to indicate that the superseded software updates contain one or more expired software updates. Or, you can specify a period of time before the superseded software updates are expired, which allows you to continue to deploy them. For more information, see Supersedence rules.
Note
The Supersedence Rules page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points.
Classifications
Configure the classifications settings on the Classifications page of the wizard, or on the Classifications tab in Software Update Point Component Properties. For more information about software update classifications, see Update classifications.
Note
The Classifications page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points.
Tip
When you first install the software update point on the top-level site, clear all of the software updates classifications. After the initial software updates synchronization, configure the classifications from an updated list, and then re-initiate synchronization. This setting is configured only on the software update point at the top-level site.
Products
Configure the product settings on the Products page of the wizard, or on the Products tab in Software Update Point Component Properties.
Note
The Products page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points.
Tip
When you first install the software update point on the top-level site, clear all of the products. After the initial software updates synchronization, configure the products from an updated list, and then re-initiate synchronization. This setting is configured only on the software update point at the top-level site.
Languages
Configure the language settings on the Languages page of the wizard, or on the Languages tab in Software Update Point Component Properties. Specify the languages for which you want to synchronize software update files and summary details. The Software Update File setting is configured at each software update point in the Configuration Manager hierarchy. The Summary Details settings are configured only on the top-level software update point. For more information, see Languages.
Note
The Languages page of the wizard is available only when you install the software update point at the central administration site. You can configure the Software Update File languages at child sites from the Languages tab in Software Update Point Component Properties.
Third party updates
Beginning in Configuration Manager version 1802, you can enable third party updates for Configuration Manager clients. When you Enable third party software updates in the SUP component properties, the SUP will download the signing certificate used by WSUS for third party updates. This option is not available during install of the software update point, and should be configured after the SUP is installed. To enable the client settings for third party updates, see the About client settings article.
Next steps
You installed the software update point starting at the top-most site in your Configuration Manager hierarchy. Repeat the procedures in this article to install the software update point on child sites.
Once you have your software update points installed, go to synchronize software updates.