Things to Know About the Software Update Point (explaining WSUS Integration)

I thought I could put some thoughts down about the Software Update Point (SUP), which is a new site role within SCCM 2007.  The job of the SUP is to provide software update metadata to clients that are using the Windows Update Agent (WUA) to scan for missing updates.  The underlying component of the SUP is an installed WSUS 3.0 server with an additional SCCM component.  The additional component is called the WSUS Control Manager, which allows the SCCM site server to control the behavior of the SUP.

Installing the Software Update Point

In practice, the first thing you need to do to get started with Software Updates Management in SCCM is to install the SUP.  The basic steps to do this are:

1.  Download the latest WSUS 3.0 bits from the Microsoft website

2.  Install the WSUS server on the machine that is slated to be the SUP

3.  If the SUP is remote from the SCCM site server, then the WSUS admin console needs to be installed on the SCCM site server.

4.  Once WSUS is installed, go to the SCCM admin console and go to the site systems node, pick the server with WSUS and start the New Site Role wizard to install the SUP.

5.  Let synchronization happen between the WSUS server and SCCM site server - you can monitor progress of the sync by looking at the wsyncmgr.log file

6.  Once this sync has completed successfully, you are done!  You can now see updates in the updates repository subnode under the Software Updates main node.

These are only high-level steps - the detailed instructions can be found here

How does the Software Update Point work?

The top-level SUP gets its metadata catalog from Microsoft Update and stores that catalog in its database.  That catalog is also copied into the SCCM database via the sync process.  For software updates scanning, SCCM clients utilize the WUA to connect with a SUP and get the specific metadata that are relevant for the client.  The client is scanned for missing or installed updates and results from the scanning are stored in a WMI repository.  The SCCM agent collects the results and passes them through the State message system and those results are stored in the SCCM database for every client and every update.  Reports can then be generated from the scan data to produce accurate and detailed compliance reports.
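To see the WUA half of this flow on a single client, the following PowerShell sketch (an added example, not part of the original post) reads the update-server policy values that WUA uses and then runs a scan against that managed server through the WUA COM API. It talks to WUA directly and does not touch the SCCM agent's WMI results or state messages; the application ID string is a made-up label.

```powershell
# Added example: check which update server this client trusts, then run
# the same kind of WUA scan that is performed against a SUP.

# 1. Update-server policy values read by the Windows Update Agent.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $wuKey      -ErrorAction SilentlyContinue
$au     = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

if (-not $policy -or -not $policy.WUServer) {
    Write-Warning 'No WUServer value found: client is not configured for a managed update server.'
} else {
    "WUServer    : $($policy.WUServer)"
    "UseWUServer : $($au.UseWUServer)"
}

# 2. Ask WUA to scan against the managed (WSUS/SUP) server, not Microsoft Update.
$session = New-Object -ComObject Microsoft.Update.Session
$session.ClientApplicationID = 'SUP scan check (example)'   # hypothetical label
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1      # ssManagedServer
$searcher.Online = $true           # contact the server for current metadata

try {
    # Updates the metadata says apply to this machine but are not installed.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
} catch {
    Write-Warning "Scan failed: $($_.Exception.Message)"
    return
}

# OperationResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed.
"ResultCode  : $($result.ResultCode)"
"Missing     : $($result.Updates.Count)"

# 3. List what the scan considers missing, highest-signal fields first.
$result.Updates |
    Select-Object @{ n = 'Severity'; e = { $_.MsrcSeverity } },
                  @{ n = 'KB';       e = { ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',' } },
                  @{ n = 'UpdateID'; e = { $_.Identity.UpdateID } },
                  Title |
    Sort-Object Severity, Title |
    Format-Table -AutoSize
```

If the `WUServer` value does not name the expected SUP, the client is taking its update metadata from somewhere else, and its compliance results will not reflect the catalog synchronized into SCCM.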

A Few Practical Things about the Software Update Point

One hurdle that every SCCM installation or upgrade will need to get over is the successful SUP sync - it is an indication that you have covered all the important parts and now can begin deployments.  But there are some things that I think you should know about:

1.  The most common problems I have seen have been around the proxy settings for the SUP - be sure to put the right settings in there, or the SUP won't be able to get to the Microsoft Update site to get the catalog.

2.  You need a SUP at every primary site - unlike other WSUS-based implementations, SCCM requires one at every site to function.

3.  Don't get concerned if the sync does not succeed right away, especially if you installed the WSUS server after the SCCM site server.  The SUP first needs to successfully complete its initial sync with Microsoft Update to get the metadata catalog, which can take a while.  If this process is not completed, you will see failure to sync errors in the wsyncmgr.log, which is normal. 

4.  In a similar vein, it can take up to a few hours for the initial sync between SUP and SCCM site server to complete, which can be a CPU-intensive process.  I don't recommend trying to complete this while other CPU-intensive SCCM processes are happening.

5.  As the metadata catalog is revised with new or expired updates within the SUP database, the SCCM site server needs to re-sync.  This sync can be accomplished automatically on a schedule as well as through a manual initiation from the updates repository node.

6.  All legacy scan tools other than ITMU should be uninstalled prior to upgrade from SMS 2003 and should not be re-installed after upgrade.  They will not work anymore with SCCM and can cause serious problems that can break your site.