Configuring WSUS with SCCM Current Branch (Server 2016) – Part I

Introduction

There have been some great guides through the years on configuring WSUS with SCCM from the ground up, but I felt it was time for me to add to the library with an updated version to cover Server 2016, and particularly my personal recommendations for a successful A-Z setup.

In Part I, I’ll take you through configuring the required Server Roles & Features, WSUS Installation and Configuration, IIS settings, Folder Permissions and linking it all up into SCCM.

In Part II, I’ll cover actually deploying the updates via ADRs & Baselines.

In Part III, I’ll cover Client Settings, Maintenance Windows, Group Policy configuration and HTTPS.

In this guide I’ll be configuring WSUS on the same local Server as the Primary Site & SQL Database.

Pre-Read Material

I’d advise you read the following Microsoft documentation prior to installation:

https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/site-and-site-system-prerequisites

https://docs.microsoft.com/en-us/sccm/sum/plan-design/plan-for-software-updates

 

Installation

Because this is already a Primary Server, certain roles are already installed.

Required roles:

Software update point

Windows Server roles and features:

  • .NET Framework 3.5 SP1 (or later)
  • .NET Framework 4.5.2

The default IIS configuration is required.

Windows Server Update Services:

  • You must install the Windows server role Windows Server Update Services on a computer before installing a software update point.

Open Server Manager>Manage>Add Roles & Features

Tick Windows Server Update Services

Under Features, ensure the default .Net Framework 3.5 and 4.6 have been ticked.

We’re going to connect to the SQL Database.  Ensure you untick “WID Connectivity”, and select “WSUS Services” & “SQL Server Connectivity”.

Here we need to configure where WSUS will create its directory.

I’ll be storing it on a separate drive in a WSUS folder.

Enter the FQDN of your SQL Server and click Check Connection.

Wait until it confirms a Successful Connection prior to continuing.

Once you’ve confirmed your configuration, Select Install.

Wait for installation to take place..

Once the initial configuration has completed, you will be prompted to “Launch Post-Installation Tasks”.

Select this link..

Wait while configuration takes place.  I’d advise leaving this window open whilst it takes place..

Once Configuration has been successful, click Close.
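
The wizard steps above can also be scripted. This is an added example, not part of the original guide; $SqlInstance is a placeholder value, and E:\WSUS is the content folder used in this guide.

```powershell
# Added example: scripted equivalent of the Add Roles wizard and the post-installation task.
# Assumed values: adjust both variables to your environment.
$SqlInstance = 'sql01.example.local'   # placeholder FQDN; append \INSTANCE for a named instance
$ContentDir  = 'E:\WSUS'               # content folder used in this guide

# "WSUS Services" + "SQL Server Connectivity"; UpdateServices-WidDB (WID) is left out on purpose.
$result = Install-WindowsFeature -Name UpdateServices-Services, UpdateServices-DB -IncludeManagementTools
if (-not $result.Success) {
    throw "WSUS role installation failed (exit code $($result.ExitCode))"
}

# This guide connects WSUS to SQL Server, so stop if WID Connectivity is present.
if ((Get-WindowsFeature -Name UpdateServices-WidDB).Installed) {
    throw 'UpdateServices-WidDB is installed; this guide uses SQL Server Connectivity instead.'
}

# Create the content folder if it does not exist yet.
if (-not (Test-Path -Path $ContentDir)) {
    New-Item -Path $ContentDir -ItemType Directory | Out-Null
}

# Equivalent of "Launch Post-Installation Tasks".
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil postinstall "SQL_INSTANCE_NAME=$SqlInstance" "CONTENT_DIR=$ContentDir"
if ($LASTEXITCODE -ne 0) {
    throw "wsusutil postinstall failed with exit code $LASTEXITCODE"
}
```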

WSUS Configuration

Opinions will differ here with how people will advise you set this up.  We’re going to go half way through the WSUS Setup Wizard and exit.  I’ve done this a few times now over the years, and this never fails..

Open Windows Server Update Services.

You will be prompted with the Setup Wizard.

Click Next

Click Next again.

Leave settings default.

Click Next.

Leave defaults again (Even if you need proxy configuration).

Click Next

Select Start Connecting

Wait whilst the connection to Microsoft is confirmed.

Click Next once complete

Again, leave default to Download Updates in All Languages.

Click Next.

Do not select any extra Products here.  Leave everything Default.

Click Next.

Now, at the Classifications screen, leave default and Cancel the wizard.

That’s all you should ever need to do in the WSUS console itself, outside of any maintenance tasks.

You should never go into the WSUS Console and change configurations in an SCCM environment.

Extra Configuration

A couple extra tweaks to the standard config ensure a successful WSUS distribution.

Folder Permissions

Navigate to the source directory you created earlier.

Mine is E:\WSUS

On the Permissions for E:\WSUS, add the following accounts with Full Control;

  • SCCMAdministrators AD group
  • Network Service

SCCM Administrators Group is an Active Directory group containing the SCCM Network Service Account, and the Machine Accounts for each Site Server.

A level down on the E:\WSUS\WSUSContent folder, ensure your permissions logically match the below.  Double check the SCCMAdmins and Network Service have inherited down.

Ensure the share permissions on E:\WSUS\WSUSContent have Everyone as Read.

Whilst we’re here, create a new folder named SCCMDeploymentPackages.

Edit the Security and ensure the Network Service and SCCMAdmins Security groups have Full Control.

Share the folder..

Ensuring Permissions are correct again
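
Full Control grants on a shared content folder are worth checking after you set them. The audit below is an added example, not part of the original guide; the expected-identity list and the EXAMPLE domain name are assumptions to adjust for your environment.

```powershell
# Added example: list who can modify the WSUS folders and what the matching shares grant.
$Paths = 'E:\WSUS', 'E:\WSUS\WSUSContent'   # add the SCCMDeploymentPackages path you created
# Assumption: identities expected to hold write access; EXAMPLE is a placeholder domain.
$Expected = 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'CREATOR OWNER', 'EXAMPLE\SCCMAdministrators'

function Get-WriteAccess {
    param([string[]]$Path, [string[]]$Expected)
    # WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions,
    # TakeOwnership, plus GENERIC_ALL and GENERIC_WRITE, which Get-Acl can return unmapped.
    $mask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
            0x10000000 -bor 0x40000000
    foreach ($p in $Path) {
        foreach ($ace in (Get-Acl -Path $p).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            [pscustomobject]@{
                Path       = $p
                Identity   = $ace.IdentityReference.Value
                Rights     = $ace.FileSystemRights
                Inherited  = $ace.IsInherited
                Unexpected = $ace.IdentityReference.Value -notin $Expected
            }
        }
    }
}

function Get-ShareAccess {
    param([string[]]$Path)
    # Find shares by folder path so no share name has to be assumed.
    Get-SmbShare | Where-Object { $_.Path -in $Path } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name |
            Select-Object Name, AccountName, AccessControlType, AccessRight
    }
}

# NTFS: anything with Unexpected = True holds write access but is not on the list above.
Get-WriteAccess -Path $Paths -Expected $Expected |
    Sort-Object Unexpected -Descending | Format-Table -AutoSize

# Share level: the guide expects Everyone to be Read on the WSUSContent share.
Get-ShareAccess -Path $Paths | Format-Table -AutoSize
```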

IIS Configurations

If you are not aware of what these settings do, I’d advise you research them before applying them in any production environment.

However, setting these will mostly avoid common errors you may receive on clients.

Open Internet Information Services (IIS) Manager

Select Application Pools>WSUSPool>Advanced Settings

Change Queue Length to 2000 – This is a good starting point if you’re unsure

Change Private Memory Limit (KB) to 0  – (no limit)

Back in IIS, select your Server on the left, and hit Restart on the right.

Alternatively, now would be a good time to restart entirely.
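
The same two application pool settings can be applied and verified from PowerShell. This is an added example, not part of the original guide; it uses the WebAdministration module that ships with IIS and the values given above.

```powershell
# Added example: apply and verify the two WsusPool settings from this section.
Import-Module WebAdministration

$pool   = 'IIS:\AppPools\WsusPool'
$wanted = [ordered]@{
    'queueLength'                             = 2000   # Queue Length
    'recycling.periodicRestart.privateMemory' = 0      # Private Memory Limit (KB); 0 = no limit
}

if (-not (Test-Path -Path $pool)) {
    throw 'WsusPool not found; is the WSUS role installed on this server?'
}

foreach ($name in $wanted.Keys) {
    # Record the current value so the change is visible in the output.
    $before = (Get-ItemProperty -Path $pool -Name $name).Value
    if ($before -ne $wanted[$name]) {
        Set-ItemProperty -Path $pool -Name $name -Value $wanted[$name]
    }
    $after = (Get-ItemProperty -Path $pool -Name $name).Value
    [pscustomobject]@{
        Setting = $name
        Before  = $before
        After   = $after
        Ok      = ($after -eq $wanted[$name])
    }
}

# Restart IIS so the pool picks up the new values, as the guide does from IIS Manager.
iisreset /restart
```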

SCCM Configuration

Finally, now that all the groundwork is laid, let’s set up SCCM.

Open System Center Configuration Manager

Navigate to Administration>Site Configuration>Server and Site System Roles

Right click the Site Server you wish to install the Software Update Role onto (this should be the server you’ve configured everything else onto so far), and select Add Site System Roles

Select Next at the first window

Next again

Tick Software Update Point, and click Next

Here you have two options.  Assuming you are installing onto a server of at least 2012 and up (if not, why not!?), select to use ports (8530 and 8531).

Here you can also select to use SSL, and/or Internet/Intranet.

Unless you have specific requirements, leave default and click Next

Leave the default to Synchronise from Microsoft Update.

It’s your prerogative whether to create reporting events on clients.  Read the text to understand fully.

Now we need to specify a schedule to synchronise our Software Update point, with Microsoft Update.

I personally like to run my Production sites a few weeks behind ‘Patch Tuesday’.  This gives me time to fully test all updates on Development machines to ensure they work as expected and don’t cause any unexpected upset.  It also allows for the rare occasion when Microsoft needs to re-release an update, for whatever reason.

I’ll go into how I really do this in Part II, but for now if you’re following along, customise this schedule to run the First Tuesday of the month.

Since originally writing the above, the world has seen a vast uptake in Windows Updates being the answer to security problems.  For this reason, I’m revising this statement and now advise you to run your sync on Patch Tuesday, the second Tuesday of the month.

Microsoft usually releases updates at roughly 17:00-18:00 UTC, so ensure your sync happens at least a few hours after this.

I’d advise you also select to Alert when synchronisation fails on any site in the hierarchy.

See the statement above: set it to the second Tuesday.

Select ‘Do not expire superseded software update until the software update is superseded for a specified period’ and set the period to 1 month.

Tick the ‘Run WSUS Cleanup Wizard’.  – WSUS Cleanups are a good thing!!

Another tip here..

Untick All Classifications.

Trust me..

Under the Products section, leave this default.

Don’t be tempted to go through selecting everything you want to patch.  Now is not the time…

Even if you wanted to, you’ll notice the lack of certain Products..

Leave it default, move on..

Select the languages you require here. Select Next.

Review the brief summary, and click Next to begin the installation.

Finally, you’ll have lots of green ticks; click Close.

Now to review the installation.  Navigate to the log below on the Site Server.

C:\Program Files\Microsoft Configuration Manager\Logs\WCM.log

Here you can see the installation of our SUP (Software Update Point).  Wait for the last line ‘Configuration successful’, before continuing.. it doesn’t take long.

Back in Configuration Manager

Navigate to Software Library>Software Updates>All Software Updates

Select Synchronise Software Updates

Press Yes when prompted.

This first Sync should only take a couple minutes.

We can review its progress in two places:

In the GUI under Monitoring>Software Update Points Synchronization Status

Or for more detail, in the log file below;

C:\Program Files\Microsoft Configuration Manager\Logs\Wsyncmgr.log

Here you can see the sync only took just over a minute.  Nice and speedy.  But what about that highlighted line?

“Warning: Request filter does not contain any known classifications. Sync will do nothing.”

Remember I told you not to tick any Classifications?

So what have we just done?

Remember the lack of Products selectable, notably Windows 10 & Server 2016?

Enough Questions! Answers!

By default, SCCM has no knowledge of Windows 10, Server 2016 etc. in its product list, so we first have to get SCCM and WSUS communicating successfully so that it can access the full list of available products.  If you had ticked a bunch of Classifications in the initial setup, that first sync would have taken a good deal longer than a minute to complete, and you still wouldn’t have the Products you want.
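
A small parser that pulls these milestones out of WCM.log and Wsyncmgr.log without opening a log viewer. This is an added example, not part of the original guide; it assumes the $$<component><timestamp><thread=...> line layout, and the sample lines are constructed around the two messages quoted above.

```powershell
# Added example: classify the SUP messages this guide tells you to look for.
function Get-SupLogFinding {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin {
        # Assumed layout: message, optional ~ markers, then $$<component><timestamp><thread=N (0xN)>
        $rx = [regex]'^(?<msg>.*?)~*\s*\$\$<(?<comp>[^>]+)><(?<stamp>[^>]+)><thread=(?<tid>\d+)'
    }
    process {
        $m = $rx.Match($Line)
        if (-not $m.Success) { return }      # continuation lines and blanks are skipped
        $msg  = $m.Groups['msg'].Value.Trim()
        $kind = switch -Regex ($msg) {
            'Request filter does not contain any known classifications' { 'ExpectedOnFirstSync'; break }
            '^Configuration successful'                                 { 'SupConfigured'; break }
            '^(Warning|Error)|failed'                                   { 'Investigate'; break }
            default                                                     { $null }
        }
        if ($kind) {
            [pscustomobject]@{
                Kind      = $kind
                Component = $m.Groups['comp'].Value
                Timestamp = $m.Groups['stamp'].Value
                Message   = $msg
            }
        }
    }
}

# Constructed sample lines (not taken from a real log).
$sample = @(
    'Configuration successful  $$<SMS_WSUS_CONFIGURATION_MANAGER><03-23-2017 23:14:20.000+00><thread=2000 (0x7D0)>'
    'Sync started (constructed sample line)~  $$<SMS_WSUS_SYNC_MANAGER><03-23-2017 23:16:10.000+00><thread=1000 (0x3E8)>'
    'Warning: Request filter does not contain any known classifications. Sync will do nothing.  $$<SMS_WSUS_SYNC_MANAGER><03-23-2017 23:16:40.000+00><thread=1000 (0x3E8)>'
)
$sample | Get-SupLogFinding | Format-Table -AutoSize

# Against the real files from this guide:
# Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\Wsyncmgr.log' | Get-SupLogFinding
```

The classification warning is labelled ExpectedOnFirstSync because the guide deliberately runs the first sync with no Classifications ticked; seeing it after you have selected Classifications means the sync is doing nothing and needs attention.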

Now we’ve confirmed SCCM and WSUS are best buds and happy to communicate with each other, let’s take another look at those Products:

Navigate to Administration>Sites

Right click your Site and select Configure Site Components>Software Update Point

Select the Products tab, and scroll down.

*tada* Windows 10 and Server 2016 elsewhere in the list are now available.

Select all Products you wish to be patching.

Select the Classifications tab and tick the ones you require.

Whilst writing this post, Current Branch 1702 has been released! You have a new option here once you’ve upgraded..

Select the Update Files tab

Select Download both full files for all approved updates and express installation files for Windows 10

This will allow a much smaller cumulative update package to be deployed to your clients.

Once you’re happy with your final configuration changes (although you can of course change them again later).. Click OK and close the open window.

Once you do this, a log will be made as per below which notes the changes you have made..

We now need to Sync our changes again..

Navigate to Software Library>Software Updates>All Software Updates

Select Synchronise Software Updates

Select Yes when prompted

And again, monitor its progress..

This time, expect it to take some time.. likely at least an hour.

17 thousand updates to process and evaluate..

Successful sync of WSUS server:

Now to process and sync each individual update.

Once the Sync is complete, you can return to Configuration Manager.

Navigate to Software Library>Software Updates>All Software Updates

Lo and behold, all our synchronised updates..

Conclusion

You’ve now successfully configured WSUS with SCCM.

In Part II, I’ll cover actually downloading and deploying the updates via ADRs & Baselines, with notes on Client Settings, Maintenance Windows, Group Policy and more.

Rich Mawdsley

12 thoughts on “Configuring WSUS with SCCM Current Branch (Server 2016) – Part I”

  1. Hi rich, great article.
    When trying to enable Windows 10 upgrades on a SUP on a 2016 SCCM server, I see the following pop up after selecting “Upgrades” on the Classification tab under Software Update Point component Properties…

    “Before you enable the Upgrades classification, you must install WSUS hotfix 3095113 on all software update points in your hierarchy.

    If you do not install this update, the Windows 10 Servicing feature will not properly function. See http://support.microsoft.com/kb/3095113 for more information.

    Only Windows Server 2012 and later versions running WSUS support the Upgrade classification of updates.

    Additionally, to service Windows 10 Version 1607 and later, you must install and configure KB3159706 using the guidance at https://support.microsoft.com/en-us/kb/3159706.”

    I understand this is RTM functionality in Server 2016 – but note that if I select the upgrades option on the SUP, wsus breaks in that no syncs occur in wsus if they are kicked off from SCCM – removing the upgrade option (and leaving the update option) kicks it back into life…any thoughts?

    1. Hi Jim,

      Correct, those updates are not required for Server 2016. And Upgrades should work fine.

      Have you got the WCM.log and WSyncmgr.log to hand?

      Rich

  2. Really great guide! I restarted from scratch. Got WSUS running before, but didn’t work as expected. Processing 17184 updates now 😉 Going to do part II tomorrow or the day after tomorrow I think. When will part III be online?

    Thanks!

  3. THE best guide I’ve found. I have not found any documentation as complete (and straight forward) as this. I even have the latest SCCM book and they don’t mention the details of setting up WSUS. That was the critical piece for me.

    Thank you!

  4. This is really a great step by step guide.
    Question… what if all this was set up to the tee then someone goes in and starts mucking around in WSUS and breaks that friendship between WSUS and SCCM, would we need to remove the WSUS role then re-add it?

    1. Well, firstly that person would have their permission removed!

      You wouldn’t necessarily ‘need’ to remove/readd.. As there is always a non hammer method.. However, often the quickest way is to blow away the wsus db and start again.

      1. Awesome, yeah don’t think it was intentional, just some good learning moments were observed for sure…haha.
        So just I’m clear in my head, that would be to delete the SUSDB correct?
        I’m not too new to SCCM, but a bit new to the WSUS side of the fence, just trying to help these folks get their SCCM back talking and able to push updates =^).

        Thanks Rich
