다음을 통해 공유


Things to Know About the Software Update Point (explaining WSUS Integration)

I thought I could put some thoughts down about the Software Update Point (SUP), which is a new site role within SCCM 2007.  The job of the SUP is provide software update metadata to clients that are using the Windows Update Agent (WUA) to scan for missing updates.  The underlying component of the SUP is an installed WSUS 3.0 server with an additional SCCM component.  The additional component is called the WSUS Control Manager, which allows the SCCM site server to control the behavior of the SUP.

Installing the Software Update Point

In practice, the first thing you need to do to get started with Software Updates Management in SCCM is to install the SUP.  The basic steps to do this are:

1.  Download the latest WSUS 3.0 bits from their website

2.  Install the WSUS server on the machine that is slated to be the SUP

3.  If the SUP is remote from the SCCM site server, then the WSUS admin console needs to installed on the SCCM site server.

4.  Once WSUS is installed, go to the SCCM admin console and go to the site systems node, pick the server with WSUS and start the New Site Role wizard to install the SUP.

5.  Let synchronization happen between the WSUS server and SCCM site server - you can monitor progress of the sync by looking at the wsyncmgr.log file

6.  Once this sync has completed successfully, you are done!  You can now see updates in the updates repository subnode under the Software Updates main node.

These are only high-level steps - the detailed instructions can be found here

How does the Software Update Point work?

The top level SUP gets its metadata catalog from Microsoft Update and stores that catalog in its database.  That database is also put into the SCCM database via the sync process.  For software updates scanning, SCCM clients utilize the WUA to connect with a SUP and get the specific metadata that are relevant for the client.  The client is scanned for missing or installed updates and results from the scanning are stored in a WMI repository.  The SCCM agent collects the results and passes them through the State message system and those results are stored in the SCCM database for every client and every update.  Reports can then be generated from the scan data to produce accurate and detailed compliance reports.

A Few Practical Things about the Software Update Point

One hurdle that every SCCM installation or upgrade will need to get over is the successful SUP sync - it is an indication that you have covered all the important parts and now can begin deployments.  But there are some things that I think you should know about:

1. The most common problems I have seen have been around the proxy settings for the SUP - be sure to put the right settings in there, or the SUP won't be able get to the Microsoft Update site to get the catalog

2.  You need a SUP at every primary site - unlike other WSUS-based implementations, SCCM requires one at every site to function.

3.  Don't get concerned if the sync does not succeed right away, especially if you installed the WSUS server after the SCCM site server.  The SUP first needs to successfully complete its initial sync with Microsoft Update to get the metadata catalog, which can take a while.  If this process is not completed, you will see failure to sync errors in the wsyncmgr.log, which is normal. 

4.  In a similar vein, it can take up to a few hours for the initial sync between SUP and SCCM site server to complete, which can be a CPU-intensive process.  I don't recommend trying to complete this while other CPU-intensive SCCM processes are happening.

5.  As the metadata catalog is revised with new or expired updates within the SUP database, the SCCM site server needs to re-sync.  This sync can be accomplished automatically on a schedule as well as through a manual initiation from the updates repository node.

6.  All legacy scan tools other than ITMU should be uninstalled prior to upgrade from SMS 2003 and should not be re-installed after upgrade.  They will not work anymore with SCCM and can cause serious problems that can break your site.

Comments

  • Anonymous
    January 01, 2003
    Hi Marc, This is a great post! Just a note here about the updates scanning from the SCCM Clients, despite that WUA is utilized for the microsoft updates scanning there is also extra functionality in order to get updates published in WSUS via "System Center Updates Publisher". The latter is not feasible from a client machine that doesn't have the SCCM client installed. Cheers

  • Anonymous
    January 01, 2003
    If we have two seperate domains with NO trustrelationship and seperate sccm2012 are installed in bothe the domains. Can we get SUP patchet synced from one sccm to another without having domain trust relationship?

  • Anonymous
    January 29, 2013
    Hi Marc, I have an important question to ask. I would like to know that in which case the clients will bypass the secondary servers having SUP installed and will go to the Central site. We had 1200 revised patches recently and caused the clients under secondary sites to go to Central site to download metadata. The sync schedule at central was at 12:45 PM and on secondary it was 7 PM. At 2 PM clients under the secondary sites started to download metadata from Central. So needed to cross check that will the clients download Metadata if its not found on local WSUS server (SUP)?

  • Anonymous
    January 29, 2013
    Correction:  So needed to cross check that will the clients download Metadata from CENTRAL server if metadata is not found on local WSUS server (SUP)?

  • Anonymous
    May 01, 2013
    It’s really a nice post. And the explanation about how SUP works is excellent!!!

  • Anonymous
    January 22, 2014
    Howdy, I was checking out your website and while your product and solution is amazing, as a consumer it can get pretty confusing.Have you ever thought about a promotional video to help simplify your message?Check us out at www.promovideo.us for discounted rates on animated promotional videos or email promovid@promovideo.us

  • Anonymous
    February 09, 2014
    I was checking out your website and while your product and solution is amazing, as a consumer it can get pretty confusing. Have you ever thought about a promotional video to help simplify your message? Check us out at www.promovideo.us for discounted rates on animated promotional videos or email promovid@promovideo.us

  • Anonymous
    May 01, 2014
    Why would I use SCCM instead of WSUS? Installed it but the workstations stiil say: 'You receive updates For Windows from Microsoft Update'...
    Also, WSUS is much easier to manage. I don't see any advantage to use SCCM...

  • Anonymous
    May 01, 2014
    now the policy 'Specify intranet Microsoft update service location' is set to the SCCM server. On the PC's it's now correct: 'You receive updates=Managed by your system administrator'. But still no updates....

  • Anonymous
    September 11, 2014
    HI Mark- Very nice post.

  • Anonymous
    September 20, 2014
    The comment has been removed