WSUS

Configuring WSUS with SCCM Current Branch (Server 2016) – Part I

Introduction

There have been some great guides through the years on configuring WSUS with SCCM from the ground up, but I felt it was time for me to add to the library with an updated version to cover Server 2016, and particularly my personal recommendations for a successful A-Z setup.

In Part I, I’ll take you through configuring the required Server Roles & Features, WSUS Installation and Configuration, IIS settings, Folder Permissions and linking it all up into SCCM.

In Part II, I’ll show you how to deploy updates and properly manage the future with ADRs, whilst catering for the past with Baselines.

Finally, in Part III, I’ll cover Client Settings, Maintenance Windows, Group Policy, Multiple SUP’s, HTTPS, ADR\Baseline Maintenance, and the big scary WSUS Maintenance

In this guide I’ll be configuring WSUS on the same local Server as the Primary Site & SQL Database.

Pre-Read Material

I’d advise you read the following Microsoft documentation prior to installation:

https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/site-and-site-system-prerequisites

https://docs.microsoft.com/en-us/sccm/sum/plan-design/plan-for-software-updates

 

Installation

Because this is already a Primary Server, certain roles are already installed.

Required roles:

Software update point

Windows Server roles and features:

  • .NET Framework 3.5 SP1 (or later)
  • .NET Framework 4.5.2

The default IIS configuration is required.

Windows Server Update Services:

  • You must install the Windows server role Windows Server Update Services on a computer before installing a software update point.

Open Server Manager>Manage>Add Roles & Features

Tick Windows Server Update Services

VpxClient_2017-03-23_21-52-38

Under Features, ensure the default .Net Framework 3.5 and 4.6 have been ticked.

VpxClient_2017-03-23_21-55-43

We’re going to connect to the SQL Database.  Ensure you untick “WID Connectivity”, and select “WSUS Services” & “SQL Server Connectivity”.

VpxClient_2017-03-23_21-56-53

Here we need to configure where WSUS will create its directory.

I’ll be storing it on a separate drive in a WSUS folder.

VpxClient_2017-03-23_21-59-41

Enter the FQDN of your SQL Server and click Check Connection.

VpxClient_2017-03-23_22-00-10

Wait until it confirms a Successful Connection prior to continuing.

VpxClient_2017-03-23_22-00-50

Once you’ve confirmed your configuration, Select Install.

VpxClient_2017-03-23_22-01-09

Wait for installation to take place..

VpxClient_2017-03-23_22-01-49

Once the initial configuration has been complete you will be prompted to “Launch Post-Installation Tasks”.

Select this link..

VpxClient_2017-03-23_22-03-13

Wait while configuration takes place.  I’d advise leaving this window open whilst it takes place..

VpxClient_2017-03-23_22-03-42

Once Configuration has been successful, click Close.

VpxClient_2017-03-23_22-04-38

WSUS Configuration

Opinions will differ here with how people will advise you set this up.  We’re going to go half way through the WSUS Setup Wizard and exit.  I’ve done this a few times now over the years, and this never fails..

Open Windows Server Update Services.

VpxClient_2017-03-23_22-05-56

You will be prompted with the Setup Wizard.

Click Next

VpxClient_2017-03-23_22-06-11

Click Next again.

VpxClient_2017-03-23_22-06-24

Leave settings default.

Click Next.

VpxClient_2017-03-23_22-06-34

Leave defaults again (Even if you need proxy configuration).

Click Next

VpxClient_2017-03-23_22-06-42

Select Start Connecting

VpxClient_2017-03-23_22-07-10

Wait whilst the connection to Microsoft is confirmed.

Click Next once complete

VpxClient_2017-03-23_22-43-56

Again, leave default to Download Updates in All Languages.

Click Next.

VpxClient_2017-03-23_22-44-05

Do not select any extra Products here.  Leave everything Default.

Click Next.

VpxClient_2017-03-23_22-44-17

Now, at the Classifications screen, leave default and Cancel the wizard.

VpxClient_2017-03-23_22-44-51

That’s all you should ever need to do in the WSUS console itself, outside of any maintenance tasks.

You should never go into the WSUS Console and change configurations in an SCCM environment.

 

Extra Configuration

A couple extra tweaks to the standard config ensure a successful WSUS distribution.

Folder Permissions

Navigate to the source directory you created earlier.

Mine is E:\WSUS

VpxClient_2017-03-23_22-51-57

On the Permissions for E:\WSUS, add the following accounts with Full Control;

  • SCCMAdministrators AD group
  • Network Service

SCCM Administrators Group is an Active Directory group containing the SCCM Network Service Account, and the Machine Accounts for each Site Server.

VpxClient_2017-03-23_22-48-35

A level down on the E:\WSUS\WSUSContent folder, ensure your permissions logically match the below.  Double check the SCCMAdmins and Network Service have inherited down.

VpxClient_2017-03-23_22-51-27

Ensure the share permissions on E:\WSUS\WSUSContent has Everyone as Read.

VpxClient_2017-03-23_22-52-33

Whilst we’re here, create a new Folder..

VpxClient_2017-03-30_21-46-27

Named SCCMDeploymentPackages

Edit the Security and ensure the Network Service and SCCMAdmins Security groups have Full Control.

VpxClient_2017-03-30_21-47-39

Share the folder..

VpxClient_2017-03-30_21-50-57

Ensuring Permissions are correct again

VpxClient_2017-03-30_21-51-40

IIS Configurations

I’d advise you research these settings if you are not aware of their effects prior to setting in any production environments.

However, setting these will mostly avoid common errors you may receive on clients.

Open Internet Information Services (IIS) Manager

VpxClient_2017-03-23_22-53-02

Select Application Pools>WSUSPool>Advanced Settings

VpxClient_2017-03-23_22-53-52

Change Queue Length to 2000 – This is a good starting point if you’re unsure

VpxClient_2017-03-23_22-54-30

Change Private Memory Limit (KB) to 0  – (no limit)

VpxClient_2017-03-23_22-55-01

Back in IIS, select your Server on the left, and hit Restart on the right.

VpxClient_2017-03-23_22-55-38

Alternatively, now would be a good time to restart entirely.

VpxClient_2017-03-23_22-56-41

SCCM Configuration

Finally, now all the ground work is laid, lets setup SCCM.

Open System Center Configuration Manager

Navigate to Administration>Site Configuration>Server and Site System Roles

Right click the Site Server you wish to install the Software Update Role onto (this should be the server you’ve configured everything else onto so far), and select Add Site System Roles

VpxClient_2017-03-23_22-59-20

Select Next at the first window

VpxClient_2017-03-23_23-00-20

Next again

VpxClient_2017-03-23_23-01-04

Tick Software Update Point, and click Next

VpxClient_2017-03-23_23-01-24

Here you have two options.  Assuming you are installing onto a server of at least 2012 and up (if not, why not!?), select to use ports (8530 and 8531).

Here you can also select to use SSL, and or Internet/Intranet.

VpxClient_2017-03-23_23-03-12

Unless you have specific requirements, leave default and click Next

VpxClient_2017-03-23_23-04-00

Leave the default to Synchronise from Microsoft Update.

Your prerogative whether to create reporting events on clients.  Read the text to understand fully.

VpxClient_2017-03-23_23-04-32

Now we need to specify a schedule to synchronise our Software Update point, with Microsoft Update.

I personally like to run my Production site’s a few weeks behind ‘Patch Tuesday’.  This gives me time to fully test all updates on Development machines to ensure they work as expected and don’t cause any unexpected upset.  It also gives time for the rare occasion that Microsoft need to re-release any updates for whatever the reason may be.

I’ll go into how I really do this in Part II, but for now if you’re following along, customise this schedule to run the First Tuesday of the month.

Since originally writing the above, the world has seen a vast uptake in Windows Updates being the answer to security problems.  For this reason, i’m revising this statement and advise you run your sync on Patch Tuesday, the Second Tuesday of the month.

Microsoft usually release updates at roughly 17:00-18:00 UTC time, so ensure your sync happens at least a few hours after this.

I’d advise you also select to Alert when synchronisation fails on any site in the hierarchy.

VpxClient_2017-03-23_23-05-44
See above statement – Set it to Second Tuesday

Select to ‘Do not expire superseded software update until the software update is superseded for a specified period’ of, 1 month.

Tick the ‘Run WSUS Cleanup Wizard’.  – WSUS Cleanups are a good thing!!

VpxClient_2017-03-23_23-07-22

Another tip here..

Untick All Classifications.

Trust me..

VpxClient_2017-03-23_23-10-38

Under the Products section, leave this default.

Don’t be tempted to go through selecting everything you want to patch.  Now is not the time…

VpxClient_2017-03-23_23-11-50

Even if you wanted to, your’ll notice the lack of certain Products..

Leave it default, move on..

VpxClient_2017-03-23_23-12-05

Select the languages you require here. Select Next.

VpxClient_2017-03-23_23-12-40

Review the brief summary, and click Next to begin the installation.

VpxClient_2017-03-23_23-12-55

Finally, your’ll have lots of green ticks, click Close.

VpxClient_2017-03-23_23-13-12

Now to review the installation.  Navigate to the log below on the Site Server.

C:\Program Files\Microsoft Configuration Manager\Logs\WCM.log

Here you can see the installation of our SUP (Software Update Point).  Wait for the last line ‘Configuration successful’, before continuing.. it doesn’t take long.

VpxClient_2017-03-23_23-14-20

Back in Configuration Manager

Navigate to Software Library>Software Updates>All Software Updates

Select Synchronise Software Updates

VpxClient_2017-03-23_23-15-47

Press Yes when prompted.

VpxClient_2017-03-23_23-16-06

This first Sync should only take a couple minutes.

We can review its progress it two places;

In the GUI under Monitoring>Software Update Points Syncronization Status

VpxClient_2017-03-23_23-20-21

Or for more detail, in the log file below;

C:\Program Files\Microsoft Configuration Manager\Logs\Wsyncmgr.log

VpxClient_2017-03-27_22-11-15

Here you can see the sync only took just over a minute.  Nice a speedy.  But what about that highlighted line?

“Warning: Request filter does not contain any known classifications. Sync will do nothing.”

Remember I told you not to tick and Classifications?

So what have we just done?

Remember the lack of Products selectable, notably Windows 10 & Server 2016?

Enough Questions! Answers!

By default SCCM doesn’t have knowledge of Windows 10, Server 2016 etc in its product list and we’ve first got to successfully get SCCM and WSUS communicating so it can access the full list of available products.  If you would have ticked a bunch of Classifications in the initial setup then that first sync would have taken a good time longer then a minute to complete, and you wouldn’t even have the Products you want..

Now we’ve confirmed SCCM and WSUS are best buds and happy to communicate to each other, lets take another look at those Products;

Navigate to Administration>Sites

Right click your Site and select Configure Site Components>Software Update Point

VpxClient_2017-03-23_23-22-05

Select the Products tab, and scroll down.

*tada* Windows 10 and Server 2016 elsewhere in the list are now available.

Select all Products you wish to be patching.

VpxClient_2017-03-23_23-26-00

Select the Classifications tab and tick the ones you require.

VpxClient_2017-03-23_23-25-13

Whilst writing this post, Current Branch 1702 has been released! You have a new option here once you’ve upgraded..

Select the Update Files tab

Select Download both full files for all approved updates and express installation files for Windows 10  Express updates are still going through some development problem, so for the moment, lets skip them

Select Download full files for all approved updates

This will allow a much smaller cumulative update package to be deployed to your clients.

Once you’re happy with your final configuration changes (although you can of course change them again later).. Click OK and close the open window.

Once you do this, a log will be made as per below which notes the changes you have made..

VpxClient_2017-03-23_23-27-22

We now need to Sync our changes again..

Navigate to Software Library>Software Updates>All Software Updates

Select Synchronise Software Updates

Select Yes when prompted

VpxClient_2017-03-23_23-28-47

And again, monitor its progress..

This time, expect it to take some time.. likely at least an hour.

VpxClient_2017-03-23_23-32-01

17 thousand updates to process and evalute..

VpxClient_2017-03-23_23-35-22

Successful sync of WSUS server:

VpxClient_2017-03-24_00-24-42

Now to process and sync each individual update.

VpxClient_2017-03-24_16-55-14

Once the Sync is complete, you can return to Configuration Manager.

Navigate to Software Library>Software Updates>All Software Updates

Lo and behold, all our synchronised updates..

VpxClient_2017-03-24_16-59-17

Conclusion

You’ve now successfully configured WSUS with SCCM.

In Part II I’ll cover actually downloading and deploying the updates via ADR’s & Baselines, with notes on Client Settings, Maintenance Windows, Group Policy and more.

Rich Mawdsley

33 thoughts on “Configuring WSUS with SCCM Current Branch (Server 2016) – Part I

  1. Hi rich, great article.
    When trying to enable Windows 10 upgrades on a SUP on a 2016 SCCM server, I see the following pop up after selecting “Upgrades” on the Classification tab under Software Update Point component Properties…

    “Before you enable the Upgrades classification, you must install WSUS hotfix 3095113 on all software update points in your hierarchy.

    If you do not install this update, the Windows 10 Servicing feature will not properly function. See http://support.microsoft.com/kb/3095113 for more information.

    Only Windows Server 2012 and later versions running WSUS support the Upgrade classification of updates.

    Additionally, to service Windows 10 Version 1607 and later, you must install and configure KB3159706 using the guidance at https://support.microsoft.com/en-us/kb/3159706.”

    I understand this is RTM functionality in Server 2016 – but note that if I select the upgrades option on the SUP, wsus breaks in that no syncs occur in wsus if they are kicked off from SCCM – removing the upgrade option (and leaving the update option) kicks it back into life…any thoughts?

    Like

    1. Hi Jim,

      Correct, those updates are not required for Server 2016. And Upgrades should work fine.

      Have you got the WCM.log and WSyncmgr.log to hand?

      Rich

      Liked by 2 people

  2. Really great guide! I restarted from scratch. Got WSUS running before, but didn’t work as expected. Processing 17184 updates now 😉 Going to do part II tomorrow or the day after tomorrow I think. When will part III be online?

    Thanks!

    Like

  3. THE best guide I’ve found. I have not found any documentation as complete (and straight forward) as this. I even have the latest SCCM book and they don’t mention the details of setting up WSUS. That was the critical piece for me.

    Thank you!

    Liked by 1 person

  4. This is really a great step by step guide.
    Question… what if all this was set up to the tee then some one goes in and starts mucking around in WSUS and breaks that friendship between WSUS and SCCM, would we need to remove the WSUS role then re-add it?

    Like

    1. Well, firstly that person would have their permission removed!

      You wouldn’t nessesarily ‘need’ to remove/readd.. As there is always a non hammer method.. However, often the quickest way is to blow away the wsus db and start again.

      Like

      1. Awesome, yeah don’t think it was intentional, just some good learning moments were observed for sure…haha.
        So just I’m clear in my head, that would be to delete the SUSDB correct?
        I’m not to new to SCCM, but a bit new to the WSUS side of the fence, just trying to help these folks get their SCCM back talking and able to push updates =^).

        Thanks Rich

        Like

  5. Hi Rich,
    thank you very much for this article, but still areas of shade and I know that you will all be able to respond quickly !!
    1) Must the WSUS role be installed on the SCCM server itself or can I use my current server?
    2) what actions should be carried out on my secondary sites?
    create the collections, deploy the ADR base line or on the secondary DP? or should I do other actions on its sites?
    Thank you for your help.
    B & D

    Like

    1. You’re welcome!

      1) No, the Wsus role does not need installing on the primary server when it isn’t hosting it.. However, it does require the console to be installed, which can be done via:

      Install-WindowsFeature -Name UpdateServices-Ui

      2) Complelety dependant on your setup/boundaries etc. You may need multiple SUP etc.

      Rich Mawdsley

      Like

  6. Hi Rich, thanks for a great guide! I have a couple of areas where I’m still confused though… Hoping you can elaborate. I am looking to migrate from standalone WSUS to using SCCM for updates.

    I have an existing WSUS server that was set up before our install of SCCM. Then we have replica WSUS servers pointing to that. So for each of these servers, WSUS updates were stored in G:\WSUS. Now that we have installed SCCM, each server also has a distribution point pointing to drive H. So drive H has the various SMS* related folders etc.

    1) My understanding is SCCM manages WSUS itself. So do each of these servers still need separate volumes for SCCM and WSUS? If I understand correctly, the software updates generated by SCCM are SCCM packages and these are distributed the way they always are in SCCM. Point being the WSUS packages one would see in G:\WSUS are no longer needed. Could I remove that WSUS volume and just expand the drive H being used for distribution point storage?

    Thanks!

    Like

    1. In this scenario, assuming that this is within a single AD Forest, then you’re best off using a single WSUS DB between all the SUP, and using a share to store what is now the “G:\WSUS” data that all SUP point to.

      Check out the below links for more detail that should help you.

      https://blogs.technet.microsoft.com/wsus/2014/03/22/considerations-for-multiple-wsus-instances-sharing-a-content-database-when-using-system-center-configuration-manager-but-without-network-load-balancing-nlb/

      https://blogs.msdn.microsoft.com/steverac/2013/02/06/configuring-multiple-software-update-points-in-a-configmgr-2012-primary-site-what-to-expect/

      Rich Mawdsley

      Like

  7. Dear Rich,

    Thank you very much for this guide, it was very useful, I had to reinstall my WSUS server thrice before it all came right. Thankfully, the installation itself was an adapted hydration kit, so once I kicked it off, I just had to wait until the post-deployment tasks.

    The biggest issue I had was with synchronising the categories, I was only getting 28 when after following your guide, it is showing 311. I also made the mistake one time of seeing the WSUS Console through to the end, it meant SMS could see WSUS, but WSUS was always terminating every connection SMS made to manage the environment.

    Thank you again.

    Liked by 1 person

  8. Great guide, easy to understand and to the point. (Microsoft guides drive me crazy – hyper-link after hyper-link – you end up reading all the internet.)

    Thanks for taking the time and sharing!

    Like

  9. I’m not understanding something. You said install WSUS on “a” computer. Then in the SUP setup you said, “Sync from Microsoft Update”. How does SCCM connect up with WSUS? can WSUS be on a standalone server or does WSUS have to be fully installed on SCCM server?

    Like

    1. Hi Vince,

      Let me help clear this up.. The WSUS roll can be installed on anything you want, preferably for numerous reasons, on a separate server to your Primary Server. Then when you install the SUP roll, you simply point to whichever server you’ve placed the WSUS roll, and it becomes its own Site Server.

      Rich

      Like

  10. Rich, Thanks for the help.

    I re-worded my Google search question after several hours of failing. What I found was that, if you have a WSUS installation on a separate server, from SCCM you have to push the SUP role to the separate WSUS installation.

    Don’t know why this concept was so difficult for me. Everything I read and saw referred to SCCM and WSUS being on the same server. Read in one place, that at a minimum, WSUS console needed to be on SCCM server. I probably misunderstood.

    The logs kept saying cant connect/sync with (IP of) SCCM server. What? That’s what prompted a new search.

    Just glad it’s over!

    Thanks,

    Vince

    Like

    1. Glad you got it sorted Vince!

      To help clear up a tad more, in the case you have WSUS/SUP on a different server to your Primary, then you must also install only the WSUS console on the primary.

      So to confirm, the Primary just need the WSUS management tools and not the server rolls.

      Rich Mawdsley

      Like

  11. Hi,
    I am getting Client Web Services not working error after successful setup of WSUS 4.0 on Server OS 2012 R2, SCCM upgrade from 1606 to 1710. I hope someone could help me with this. The SUP sync is always successful and I am able to download and create update package too. The only issue is my clients are not getting any updates pushed out to them, which is when I found Client Web Services not working error. Please help.

    Thanks.

    Like

  12. Thanks for the link, but that didn’t help. Event ID 12022 “The Client Web Service is not working” still exist on site server event viewer where wsus role is installed. any other suggestions are much appreciated.

    Like

  13. First of all, thanks for the guide, very helpful!
    My second sync (After choosing all the products) is still at the stage ‘Synchronizing SCCM Database’ and it has been for the past 2 days. I know its still doing things in the background as I checked the wsyncmgr log file and I can see all the info it has synced, but I know in the guide you mentioned it may take around an hour. Just a bit worried as to how long it’s taking, is this usual?

    Like

    1. Hi Tom,

      No, unless the server(s) are heavily under resourced which would be shown by cpu/ram maxed.. Then it shouldn’t take anywhere near that long. Restart, try again.

      Like

      1. Thanks for the quick reply! SCCM server (which is where the WSUS role is installed also) has 16gb RAM and SQL Server (Which serves both SCCM and WSUS) has 10gb RAM. I’ll give the SCCM server a reboot and see if it speeds up. Fingers crossed!

        Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.