Using a Shared WSUS Database for Multiple SUPs in SCCM
Overview
- In this video guide, we cover how to use a shared WSUS database for multiple software update points (SUPs) in SCCM. Using a shared WSUS database is generally considered a best practice in well-connected scenarios, since it offloads the vast majority of the network impact if a client switches SUPs in SCCM.
Topics in Video
- Review the SCCM docs and why a WSUS shared DB is usually a good idea - https://youtu.be/y7w7hBSHShc?t=42
- Review why wsyncmgr syncs are faster when using shared WSUS database - https://youtu.be/y7w7hBSHShc?t=93
- Review the current lab's primary SUP with SQL DB, and secondary SUP using WID - https://youtu.be/y7w7hBSHShc?t=175
- Enable Debug and Verbose logging to wsyncmgr.log and wcm.log - https://youtu.be/y7w7hBSHShc?t=293
- Review how the WSUS_Configuration_Manager thread reads all available SUPs at startup and how it determines if it's using a shared WSUS database - https://youtu.be/y7w7hBSHShc?t=419
- Review wsyncmgr.log for multiple SUPs in a non-shared WSUS database - https://youtu.be/y7w7hBSHShc?t=508
- Remove WID WSUS role service and add SQL WSUS role service - https://youtu.be/y7w7hBSHShc?t=686
- Configure SUP-2 to use SUP-1's WSUSContent library folder for EULA/3rd-Party Update Content - https://youtu.be/y7w7hBSHShc?t=843
- Run WSUSUTIL.exe postinstall to change WSUS to use the shared SQL Database and Shared WSUSContent folder - https://youtu.be/y7w7hBSHShc?t=1005
- Resolve IIS misconfigurations after postinstall - https://youtu.be/y7w7hBSHShc?t=1215
  - Add "\\" to the beginning of the Physical path in the IIS Content virtual directory
  - Change Anonymous Authentication to use the WSUS Application Pool Identity instead of the local IUSR account
- Start WSUS_Configuration_Manager and validate it updates SUP-2 configuration in the active SUP list to be a shared WSUS database - https://youtu.be/y7w7hBSHShc?t=1505
- Publish a third-party update to get a WSUS catalog change and run a SUP sync to review how the sync is now treated as a single SUP sync - https://youtu.be/y7w7hBSHShc?t=1637
- Set up a shared WSUS database in a new clean WSUS installation on a new SUP rather than converting an existing SUP to a shared WSUS database - https://youtu.be/y7w7hBSHShc?t=1744
Commands and Notes:
- PowerShell command to see WSUS installed role services: Get-WindowsFeature -Name UpdateServices*
- PowerShell command to remove WSUS WidDB: Remove-WindowsFeature -Name UpdateServices-WidDB
- PowerShell command to install WSUS SQL Database Connectivity: Install-WindowsFeature -Name UpdateServices-DB
- WsusUtil command: WsusUtil.exe postinstall SQL_INSTANCE_NAME="SCUP.CONTOSO.LOCAL" CONTENT_DIR="\\SCCM3-DPMPSUP-1.CONTOSO.LOCAL\WSUS"
  - Change SQL_INSTANCE_NAME and CONTENT_DIR to match your environment
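The script below is an added example, not code from the video or from Microsoft. It checks, on the converted SUP, the three things the steps above change: the WSUS role services, the Content virtual directory path, and the Anonymous Authentication identity. It assumes the default IIS site name "WSUS Administration"; $Fix is a hypothetical opt-in flag, and the leading-backslash repair is an assumption based on the note above.

```powershell
# Added example: post-postinstall checks for SUP-2. Run elevated on the WSUS server.
# Assumptions: default IIS site name 'WSUS Administration'; $Fix is a hypothetical opt-in flag.
Import-Module WebAdministration

$Fix  = $false                  # set to $true to apply the two IIS corrections
$site = 'WSUS Administration'
$vdir = 'Content'

# 1. Role services: UpdateServices-DB installed, UpdateServices-WidDB removed.
$features = Get-WindowsFeature -Name UpdateServices*
$features | Format-Table Name, InstallState -AutoSize
if (($features | Where-Object Name -eq 'UpdateServices-WidDB').Installed) {
    Write-Warning 'UpdateServices-WidDB is still installed.'
}
if (-not ($features | Where-Object Name -eq 'UpdateServices-DB').Installed) {
    Write-Warning 'UpdateServices-DB is not installed.'
}

# 2. Content virtual directory: physical path must begin with "\\" (UNC).
$physical = (Get-WebVirtualDirectory -Site $site -Name $vdir).physicalPath
if ($physical.StartsWith('\\')) {
    Write-Host "Content path OK: $physical"
} else {
    $corrected = '\\' + $physical.TrimStart('\')
    Write-Warning "Content path '$physical' is not a UNC path; expected '$corrected'."
    if ($Fix) {
        Set-ItemProperty -Path "IIS:\Sites\$site\$vdir" -Name physicalPath -Value $corrected
    }
}

# 3. Anonymous Authentication on Content: an empty userName means the request
#    runs as the application pool identity; 'IUSR' is the local built-in account.
$cfg = @{
    PSPath   = 'MACHINE/WEBROOT/APPHOST'
    Location = "$site/$vdir"
    Filter   = 'system.webServer/security/authentication/anonymousAuthentication'
    Name     = 'userName'
}
$raw  = Get-WebConfigurationProperty @cfg
$user = if ($raw -is [string]) { $raw } else { $raw.Value }
if ([string]::IsNullOrEmpty($user)) {
    Write-Host 'Anonymous Authentication uses the application pool identity.'
} else {
    Write-Warning "Anonymous Authentication runs as '$user' instead of the application pool identity."
    if ($Fix) { Set-WebConfigurationProperty @cfg -Value '' }
}
```

Once Anonymous Authentication uses the pool identity, requests for the shared WSUSContent folder are made as the WSUS application pool's account, so that account needs read access to the share.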
Helpful Resources:
- Great blog post version of using a shared WSUS Database - https://blogs.technet.microsoft.com/configurationmgr/2016/10/12/how-to-implement-a-shared-susdb-for-configuration-manager-software-update-points/
- Manually switch clients to a new software update point - /en-us/sccm/sum/plan-design/plan-for-software-updates#BKMK_ManuallySwitchSUPs
- Use a shared WSUS database for software update points (Installation Best Practices) - /en-us/sccm/sum/plan-design/software-updates-best-practices#bkmk_shared-susdb
- Managing WSUS from the Command Line - /de-de/security-updates/windowsupdateservices/18127395