Configuring WSUS with SCCM Current Branch (Server 2016) – Part I


There have been some great guides through the years on configuring WSUS with SCCM from the ground up, but I felt it was time for me to add to the library with an updated version to cover Server 2016, and particularly my personal recommendations for a successful A-Z setup.

In Part I, I’ll take you through configuring the required Server Roles & Features, WSUS Installation and Configuration, IIS settings, Folder Permissions and linking it all up into SCCM.

In Part II, I’ll cover actually deploying the updates via ADRs & Baselines.

In Part III, I’ll cover Client Settings, Maintenance Windows, Group Policy configuration and HTTPS.

In this guide I’ll be configuring WSUS on the same local Server as the Primary Site & SQL Database.

Pre-Read Material

I’d advise you read the following Microsoft documentation prior to installation:



Because this is already a Primary Server, certain roles are already installed.

Required roles:

Software update point

Windows Server roles and features:

  • .NET Framework 3.5 SP1 (or later)
  • .NET Framework 4.5.2

The default IIS configuration is required.

Windows Server Update Services:

  • You must install the Windows server role Windows Server Update Services on a computer before installing a software update point.

Open Server Manager>Manage>Add Roles & Features

Tick Windows Server Update Services


Under Features, ensure the default .Net Framework 3.5 and 4.6 have been ticked.


We’re going to connect to the SQL Database.  Ensure you untick “WID Connectivity”, and select “WSUS Services” & “SQL Server Connectivity”.


Here we need to configure where WSUS will create its directory.

I’ll be storing it on a separate drive in a WSUS folder.


Enter the FQDN of your SQL Server and click Check Connection.


Wait until it confirms a Successful Connection prior to continuing.


Once you’ve confirmed your configuration, Select Install.


Wait for installation to take place..


Once the initial configuration is complete, you will be prompted to “Launch Post-Installation Tasks”.

Select this link..


Wait while configuration takes place.  I’d advise leaving this window open whilst it takes place..


Once Configuration has been successful, click Close.
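The role installation and post-installation task above can also be scripted. This is an added example, not from the original guide; the SQL Server FQDN is a placeholder and TCP 1433 (a default SQL instance) is an assumption.

```powershell
# Added example: scripted equivalent of the wizard steps above.
$SqlInstance = 'sql01.contoso.example'   # placeholder: FQDN of your SQL Server
$ContentDir  = 'E:\WSUS'                 # content directory used in this guide

# Install "WSUS Services" and "SQL Server Connectivity" only (no WID Connectivity).
$result = Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-DB -IncludeManagementTools
if (-not $result.Success) { throw 'WSUS role installation failed.' }

# WID and SQL connectivity should not both be present; stop if WID was installed.
if ((Get-WindowsFeature -Name UpdateServices-WidDB).Installed) {
    throw 'UpdateServices-WidDB is installed; remove it before running post-install.'
}

# Equivalent of "Check Connection": fail early if SQL is unreachable.
# Port 1433 is an assumption; a named instance may listen elsewhere.
if (-not (Test-NetConnection -ComputerName $SqlInstance -Port 1433 -InformationLevel Quiet)) {
    throw "Cannot reach $SqlInstance on TCP 1433."
}

# Equivalent of "Launch Post-Installation Tasks".
New-Item -Path $ContentDir -ItemType Directory -Force | Out-Null
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'
& $wsusUtil postinstall "SQL_INSTANCE_NAME=$SqlInstance" "CONTENT_DIR=$ContentDir"
if ($LASTEXITCODE -ne 0) { throw "WsusUtil postinstall exited with code $LASTEXITCODE." }
```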


WSUS Configuration

Opinions will differ here with how people will advise you set this up.  We’re going to go half way through the WSUS Setup Wizard and exit.  I’ve done this a few times now over the years, and this never fails..

Open Windows Server Update Services.


You will be prompted with the Setup Wizard.

Click Next


Click Next again.


Leave settings default.

Click Next.


Leave defaults again (Even if you need proxy configuration).

Click Next


Select Start Connecting


Wait whilst the connection to Microsoft is confirmed.

Click Next once complete


Again, leave default to Download Updates in All Languages.

Click Next.


Do not select any extra Products here.  Leave everything Default.

Click Next.


Now, at the Classifications screen, leave default and Cancel the wizard.


That’s all you should ever need to do in the WSUS console itself, outside of any maintenance tasks.

You should never go into the WSUS Console and change configurations in an SCCM environment.


Extra Configuration

A couple extra tweaks to the standard config ensure a successful WSUS distribution.

Folder Permissions

Navigate to the source directory you created earlier.

Mine is E:\WSUS


On the Permissions for E:\WSUS, add the following accounts with Full Control;

  • SCCMAdministrators AD group
  • Network Service

SCCM Administrators Group is an Active Directory group containing the SCCM Network Service Account, and the Machine Accounts for each Site Server.


A level down on the E:\WSUS\WSUSContent folder, ensure your permissions logically match the below.  Double check the SCCMAdmins and Network Service have inherited down.


Ensure the share permissions on E:\WSUS\WSUSContent have Everyone as Read.


Whilst we’re here, create a new Folder..


Named SCCMDeploymentPackages

Edit the Security and ensure the Network Service and SCCMAdmins Security groups have Full Control.


Share the folder..


Ensuring Permissions are correct again
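Full Control on the content folders means those principals can replace what clients download, so it is worth confirming that nobody else can write there. The following audit is an added example, not part of the original guide; the domain name and the default administrative principals in the allow list are assumptions.

```powershell
# Added example. Principals other than those named in the guide are assumptions.
$expectedWriters = 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM',
                   'BUILTIN\Administrators', 'CREATOR OWNER',
                   'CONTOSO\SCCMAdministrators'   # placeholder domain\group
# Add the SCCMDeploymentPackages folder at whatever path you created it.
$paths = 'E:\WSUS', 'E:\WSUS\WSUSContent'

# Rights that let a principal alter or replace content (specific and generic bits).
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

$findings = foreach ($path in $paths) {
    # NTFS: any Allow ACE with write-type rights for an unexpected principal.
    foreach ($ace in (Get-Acl -Path $path).Access) {
        $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $ace.IdentityReference.Value -notin $expectedWriters) {
            [pscustomobject]@{ Path = $path; Layer = 'NTFS'
                Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
    # Share: the guide grants Everyone Read on WSUSContent; list anything broader for review.
    foreach ($share in (Get-SmbShare | Where-Object Path -eq $path)) {
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' } |
            ForEach-Object {
                [pscustomobject]@{ Path = "\\$env:COMPUTERNAME\$($share.Name)"; Layer = 'Share'
                    Principal = $_.AccountName; Rights = $_.AccessRight }
            }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected write access found.' }
```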


IIS Configurations

I’d advise you research these settings if you are not aware of their effects prior to setting in any production environments.

However, setting these will mostly avoid common errors you may receive on clients.

Open Internet Information Services (IIS) Manager


Select Application Pools>WSUSPool>Advanced Settings


Change Queue Length to 2000 – This is a good starting point if you’re unsure


Change Private Memory Limit (KB) to 0  – (no limit)


Back in IIS, select your Server on the left, and hit Restart on the right.


Alternatively, now would be a good time to restart entirely.
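The two WSUSPool changes above, applied and verified from PowerShell. This is an added example, not from the original guide; it assumes the WebAdministration module that ships with the IIS management tools.

```powershell
# Added example: apply and verify the two WsusPool values from the steps above.
Import-Module WebAdministration
$poolPath = 'IIS:\AppPools\WsusPool'

function Get-WsusPoolSetting {
    $pool = Get-Item -Path $poolPath
    [pscustomobject]@{
        QueueLength     = $pool.queueLength
        PrivateMemoryKB = $pool.recycling.periodicRestart.privateMemory
    }
}

$before = Get-WsusPoolSetting   # keep these so the change can be reverted

Set-ItemProperty -Path $poolPath -Name queueLength -Value 2000
Set-ItemProperty -Path $poolPath -Name recycling.periodicRestart.privateMemory -Value 0   # 0 = no limit

$after = Get-WsusPoolSetting
[pscustomobject]@{ Setting = 'Queue Length'; Before = $before.QueueLength; After = $after.QueueLength },
[pscustomobject]@{ Setting = 'Private Memory Limit (KB)'; Before = $before.PrivateMemoryKB; After = $after.PrivateMemoryKB } |
    Format-Table -AutoSize

if ($after.QueueLength -ne 2000 -or $after.PrivateMemoryKB -ne 0) {
    throw 'WsusPool settings were not applied as expected.'
}

# Restart IIS, as the guide does from IIS Manager.
& iisreset.exe /restart
```

With the limit at 0 the pool is never recycled for memory use, so on a server that also hosts SQL and the site roles, keep an eye on the w3wp.exe working set.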


SCCM Configuration

Finally, now that all the groundwork is laid, let’s set up SCCM.

Open System Center Configuration Manager

Navigate to Administration>Site Configuration>Server and Site System Roles

Right click the Site Server you wish to install the Software Update Role onto (this should be the server you’ve configured everything else onto so far), and select Add Site System Roles


Select Next at the first window


Next again


Tick Software Update Point, and click Next


Here you have two options.  Assuming you are installing onto a server of at least 2012 and up (if not, why not!?), select to use ports (8530 and 8531).

Here you can also select to use SSL, and/or Internet/Intranet.


Unless you have specific requirements, leave default and click Next


Leave the default to Synchronise from Microsoft Update.

Your prerogative whether to create reporting events on clients.  Read the text to understand fully.


Now we need to specify a schedule to synchronise our Software Update point, with Microsoft Update.

I personally like to run my Production sites a few weeks behind ‘Patch Tuesday’.  This gives me time to fully test all updates on Development machines to ensure they work as expected and don’t cause any unexpected upset.  It also gives time for the rare occasion that Microsoft need to re-release any updates for whatever the reason may be.

I’ll go into how I really do this in Part II, but for now if you’re following along, customise this schedule to run the First Tuesday of the month.

Since originally writing the above, the world has seen a vast uptake in Windows Updates being the answer to security problems.  For this reason, I’m revising this statement and advise you run your sync on Patch Tuesday, the Second Tuesday of the month.

Microsoft usually release updates at roughly 17:00-18:00 UTC time, so ensure your sync happens at least a few hours after this.

I’d advise you also select to Alert when synchronisation fails on any site in the hierarchy.

See above statement – Set it to Second Tuesday

Select to ‘Do not expire superseded software update until the software update is superseded for a specified period’ of, 1 month.

Tick the ‘Run WSUS Cleanup Wizard’.  – WSUS Cleanups are a good thing!!


Another tip here..

Untick All Classifications.

Trust me..


Under the Products section, leave this default.

Don’t be tempted to go through selecting everything you want to patch.  Now is not the time…


Even if you wanted to, you’ll notice the lack of certain Products..

Leave it default, move on..


Select the languages you require here. Select Next.


Review the brief summary, and click Next to begin the installation.


Finally, you’ll have lots of green ticks, click Close.


Now to review the installation.  Navigate to the log below on the Site Server.

C:\Program Files\Microsoft Configuration Manager\Logs\WCM.log

Here you can see the installation of our SUP (Software Update Point).  Wait for the last line ‘Configuration successful’, before continuing.. it doesn’t take long.


Back in Configuration Manager

Navigate to Software Library>Software Updates>All Software Updates

Select Synchronise Software Updates


Press Yes when prompted.


This first Sync should only take a couple minutes.

We can review its progress in two places;

In the GUI under Monitoring>Software Update Points Synchronization Status



Or for more detail, in the log file below;

C:\Program Files\Microsoft Configuration Manager\Logs\Wsyncmgr.log


Here you can see the sync only took just over a minute.  Nice and speedy.  But what about that highlighted line?

“Warning: Request filter does not contain any known classifications. Sync will do nothing.”

Remember I told you not to tick any Classifications?

So what have we just done?

Remember the lack of Products selectable, notably Windows 10 & Server 2016?

Enough Questions! Answers!

By default SCCM doesn’t have knowledge of Windows 10, Server 2016 etc in its product list and we’ve first got to successfully get SCCM and WSUS communicating so it can access the full list of available products.  If you had ticked a bunch of Classifications in the initial setup then that first sync would have taken a good deal longer than a minute to complete, and you wouldn’t even have the Products you want..
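Both log checks described above (the ‘Configuration successful’ line in WCM.log and the classification warning in Wsyncmgr.log) can be scripted rather than read by eye. This is an added example, not from the original guide: the function name is hypothetical, the message texts are the ones quoted in this guide, and the sample lines and their metadata layout are constructed for illustration.

```powershell
# Added example. Message texts come from this guide; the sample lines are constructed.
$logDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'

function Get-SupLogFinding {
    param([string[]]$Line, [string]$Source)
    $checks = [ordered]@{
        'Configuration successful' = 'SUP configuration completed'
        'Request filter does not contain any known classifications' = 'Sync ran with no classifications (expected on first sync)'
        '\b(error|failed)\b' = 'Possible failure, review in context'
    }
    foreach ($l in $Line) {
        foreach ($pattern in $checks.Keys) {
            if ($l -match $pattern) {
                [pscustomobject]@{
                    Source  = $Source
                    Finding = $checks[$pattern]
                    Message = ($l -replace '\s*\$\$<.*$', '').Trim()   # drop trailing metadata
                }
            }
        }
    }
}

# Constructed sample lines (assumed layout: text  $$<component><timestamp><thread>).
$sample = @(
    'Configuration successful  $$<SMS_WSUS_CONFIGURATION_MANAGER><03-28-2017 10:02:11.000+00><thread=4120 (0x1018)>'
    'Warning: Request filter does not contain any known classifications. Sync will do nothing.  $$<SMS_WSUS_SYNC_MANAGER><03-28-2017 10:15:42.000+00><thread=5236 (0x1474)>'
)
Get-SupLogFinding -Line $sample -Source 'sample' | Format-List

# On the site server, run the same checks against the tail of the real logs.
foreach ($name in 'WCM.log', 'wsyncmgr.log') {
    $file = Join-Path $logDir $name
    if (Test-Path $file) {
        Get-SupLogFinding -Line (Get-Content $file -Tail 500) -Source $name | Format-List
    }
}
```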

Now we’ve confirmed SCCM and WSUS are best buds and happy to communicate with each other, let’s take another look at those Products;

Navigate to Administration>Sites

Right click your Site and select Configure Site Components>Software Update Point


Select the Products tab, and scroll down.

*tada* Windows 10 and Server 2016 elsewhere in the list are now available.

Select all Products you wish to be patching.


Select the Classifications tab and tick the ones you require.


Whilst writing this post, Current Branch 1702 has been released! You have a new option here once you’ve upgraded..

Select the Update Files tab

Select Download both full files for all approved updates and express installation files for Windows 10

Express updates are still going through some development problems, so for the moment, let’s skip them

Select Download full files for all approved updates

This will allow a much smaller cumulative update package to be deployed to your clients.

Once you’re happy with your final configuration changes (although you can of course change them again later).. Click OK and close the open window.

Once you do this, a log will be made as per below which notes the changes you have made..


We now need to Sync our changes again..

Navigate to Software Library>Software Updates>All Software Updates

Select Synchronise Software Updates

Select Yes when prompted


And again, monitor its progress..

This time, expect it to take some time.. likely at least an hour.


17 thousand updates to process and evaluate..


Successful sync of WSUS server:


Now to process and sync each individual update.


Once the Sync is complete, you can return to Configuration Manager.

Navigate to Software Library>Software Updates>All Software Updates

Lo and behold, all our synchronised updates..



You’ve now successfully configured WSUS with SCCM.

In Part II I’ll cover actually downloading and deploying the updates via ADRs & Baselines, with notes on Client Settings, Maintenance Windows, Group Policy and more.

Rich Mawdsley

19 thoughts on “Configuring WSUS with SCCM Current Branch (Server 2016) – Part I”

  1. Hi rich, great article.
    When trying to enable Windows 10 upgrades on a SUP on a 2016 SCCM server, I see the following pop up after selecting “Upgrades” on the Classification tab under Software Update Point component Properties…

    “Before you enable the Upgrades classification, you must install WSUS hotfix 3095113 on all software update points in your hierarchy.

    If you do not install this update, the Windows 10 Servicing feature will not properly function. See for more information.

    Only Windows Server 2012 and later versions running WSUS support the Upgrade classification of updates.

    Additionally, to service Windows 10 Version 1607 and later, you must install and configure KB3159706 using the guidance at”

    I understand this is RTM functionality in Server 2016 – but note that if I select the upgrades option on the SUP, wsus breaks in that no syncs occur in wsus if they are kicked off from SCCM – removing the upgrade option (and leaving the update option) kicks it back into life…any thoughts?


    1. Hi Jim,

      Correct, those updates are not required for Server 2016. And Upgrades should work fine.

      Have you got the WCM.log and WSyncmgr.log to hand?


      Liked by 2 people

  2. Really great guide! I restarted from scratch. Got WSUS running before, but didn’t work as expected. Processing 17184 updates now 😉 Going to do part II tomorrow or the day after tomorrow I think. When will part III be online?



  3. THE best guide I’ve found. I have not found any documentation as complete (and straight forward) as this. I even have the latest SCCM book and they don’t mention the details of setting up WSUS. That was the critical piece for me.

    Thank you!

    Liked by 1 person

  4. This is really a great step by step guide.
    Question… what if all this was set up to the tee then some one goes in and starts mucking around in WSUS and breaks that friendship between WSUS and SCCM, would we need to remove the WSUS role then re-add it?


    1. Well, firstly that person would have their permission removed!

      You wouldn’t necessarily ‘need’ to remove/readd.. As there is always a non hammer method.. However, often the quickest way is to blow away the wsus db and start again.


      1. Awesome, yeah don’t think it was intentional, just some good learning moments were observed for sure…haha.
        So just I’m clear in my head, that would be to delete the SUSDB correct?
        I’m not too new to SCCM, but a bit new to the WSUS side of the fence, just trying to help these folks get their SCCM back talking and able to push updates =^).

        Thanks Rich


  5. Hi Rich,
    thank you very much for this article, but still areas of shade and I know that you will all be able to respond quickly !!
    1) Must the WSUS role be installed on the SCCM server itself or can I use my current server?
    2) what actions should be carried out on my secondary sites?
    create the collections, deploy the ADR base line or on the secondary DP? or should I do other actions on its sites?
    Thank you for your help.
    B & D


    1. You’re welcome!

      1) No, the Wsus role does not need installing on the primary server when it isn’t hosting it.. However, it does require the console to be installed, which can be done via:

      Install-WindowsFeature -Name UpdateServices-Ui

      2) Completely dependent on your setup/boundaries etc. You may need multiple SUP etc.

      Rich Mawdsley


  6. Hi Rich, thanks for a great guide! I have a couple of areas where I’m still confused though… Hoping you can elaborate. I am looking to migrate from standalone WSUS to using SCCM for updates.

    I have an existing WSUS server that was set up before our install of SCCM. Then we have replica WSUS servers pointing to that. So for each of these servers, WSUS updates were stored in G:\WSUS. Now that we have installed SCCM, each server also has a distribution point pointing to drive H. So drive H has the various SMS* related folders etc.

    1) My understanding is SCCM manages WSUS itself. So do each of these servers still need separate volumes for SCCM and WSUS? If I understand correctly, the software updates generated by SCCM are SCCM packages and these are distributed the way they always are in SCCM. Point being the WSUS packages one would see in G:\WSUS are no longer needed. Could I remove that WSUS volume and just expand the drive H being used for distribution point storage?



    1. In this scenario, assuming that this is within a single AD Forest, then you’re best off using a single WSUS DB between all the SUP, and using a share to store what is now the “G:\WSUS” data that all SUP point to.

      Check out the below links for more detail that should help you.

      Rich Mawdsley


  7. Dear Rich,

    Thank you very much for this guide, it was very useful, I had to reinstall my WSUS server thrice before it all came right. Thankfully, the installation itself was an adapted hydration kit, so once I kicked it off, I just had to wait until the post-deployment tasks.

    The biggest issue I had was with synchronising the categories, I was only getting 28 when after following your guide, it is showing 311. I also made the mistake one time of seeing the WSUS Console through to the end, it meant SMS could see WSUS, but WSUS was always terminating every connection SMS made to manage the environment.

    Thank you again.

    Liked by 1 person

  8. Great guide, easy to understand and to the point. (Microsoft guides drive me crazy – hyper-link after hyper-link – you end up reading all the internet.)

    Thanks for taking the time and sharing!

