Share via

  • Article

Prerequisites for Software Updates in Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

This topic lists the prerequisites for software updates and Network Access Protection (NAP) in System Center 2012 Configuration Manager. For each of these, the external dependencies and internal dependencies are listed in separate tables.

Prerequisites for Software Updates in Configuration Manager

This section includes the internal and external prerequisites for software updates in Configuration Manager.

Software Update Dependencies External to Configuration Manager

The following table lists the external dependencies for software updates.

Requirement

More information

Internet Information Services (IIS) on the site system servers in order to run the software update point, the management point, and the distribution point

See the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

Windows Server Update Services (WSUS)

WSUS is necessary for software updates synchronization and for the software updates compliance assessment scan on clients. The WSUS server must be installed before you create the software update point site system role.

Important

For System Center 2012 Configuration Manager SP1 and later:

When you have multiple software update points at a site, ensure that they are all running the same version of WSUS.

WSUS Administration Console

The WSUS Administration Console is required on the Configuration Manager site server when the software update point is on a remote site system server and WSUS is not already installed on the site server.

Important

The WSUS version on the site server must be the same as the WSUS version running on the software update points.

Important

Do not use the WSUS Administration Console to configure WSUS settings. Configuration Manager connects to WSUS that is running on the software update point and configures the appropriate settings.

Windows Update Agent (WUA)

The WUA client is required on clients to enable them to connect to the WSUS server and retrieve the list of software updates that must be scanned for compliance.

When you install Configuration Manager, the latest version of the WUA is downloaded. Then, when the Configuration Manager client is installed, the WUA is upgraded if necessary. However, if the installation fails, you must use a different method to upgrade the WUA.

Software Update Dependencies Internal to Configuration Manager

The following table lists the dependencies for software updates in Configuration Manager.

Requirement

More information

Management point

Management points transfer information between client computers and the Configuration Manager site. They are required for software updates.

Software update point

You must install a software update point on the WSUS server to be able to deploy software updates in Configuration Manager.

For more information, see Configuring Software Updates in Configuration Manager

Distribution point

Distribution points are required to store the content for software updates.

For more information about how to install distribution points and manage content, see Configuring Content Management in Configuration Manager

Client settings for software updates

By default, software updates is enabled for clients. However there are other available settings that control how and when clients assess compliance for the software updates and control how the software updates are installed.

For more information, see the following:

Reporting services point

The reporting services point site system role can display reports for software updates. This role is optional, but recommended. For more information about how to create a reporting services point, see Configuring Reporting in Configuration Manager.

Prerequisites for Network Access Protection in Configuration Manager

This section includes the internal and external prerequisites for Network Access Protection (NAP) in System Center 2012 Configuration Manager.

NAP Dependencies External to Configuration Manager

The following table lists the external dependencies for when you use software updates and NAP.

Requirement

More information

NAP enforcement technology installed and configured appropriately for one or more of the following: DHCP, IPsec, VPN, or 802.1X.

Note

All Windows NAP enforcement solutions require a server that runs a version of the operating system that is at least Windows Server 2008.

Documentation is published on the Network Access Protection website.

One or more Network Policy Servers configured appropriately with remediation server groups, health policies, connection request policies, and network policies

Documentation is published in the Network Access Protection Design Guide

Perimeter devices configured to enable traffic between communicating servers

See Technical Reference for Ports Used in Configuration Manager.

NAP Dependencies Internal to Configuration Manager

The following table lists the Configuration Manager dependencies for when you use software updates and NAP.

Requirement

More information

Client settings for NAP

By default, clients are not enabled to support NAP in Configuration Manager. Optionally, you can set the client setting Enable Network Access Protection on clients to True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1).

For more information, see the following:

Note

You do not have to enable the software updates client settings to support NAP in Configuration Manager.

An Active Directory forest with the schema extended with the Configuration Manager schema extensions, and provisioned with a System Management container in at least one domain

The site server publishes Configuration Manager NAP health state references to Active Directory Domain Services. The System Health Validator point retrieves them. Publishing to Active Directory Domain Services requires that the schema is extended, but you can select which forest to use.

Configuration Manager sites that are enabled for NAP configured to publish site information to Active Directory Domain Services

See the Configure Active Directory Forest Discovery section in the Configuring Discovery in Configuration Manager topic.

The installation of at least one System Health Validator point on Windows Server 2008 with the server role of Network Policy Server

For more information about how to install a site system role, see Install and Configure Site System Roles for Configuration Manager.

Note

Although the System Health Validator can be installed in a different Active Directory forest than the site server's forest, it must be installed in a domain and is not supported in a workgroup.

Software updates configured, which includes software update deployment packages

Although the software updates client settings do not have to be enabled for clients, you must provide the software updates infrastructure, such as a software update point and synchronized software updates.

For more information, see Configuring Software Updates in Configuration Manager.

Reporting services point

The reporting services point site system role can display reports for software updates and NAP in Configuration Manager. This role is optional, but recommended. For more information about how to create a reporting services point, see Configuring Reporting in Configuration Manager.