using System Center 2012 Configuration Manager – Part 5. Adding WSUS, Adding the SUP role, deploying the Configuration Manager Client Agent

In Part 1 of this series we created our new LAB, we got the System Center 2012 Configuration Manager ISO and extracted it, then copied it to our Active Directory server. We then created the System Management container in AD, delegated permissions to the container, extended the Schema for Configuration Manager. We then opened TCP ports 1433 and 4022 for SQL replication between sites, installed some prerequisites like .NET Framework 4.0, added some features and then downloaded and installed SQL Server 2008 R2 SP1 CU6. We then configured SQL Server using SQL Server Management Studio for security and memory configurations prior to running the Configuration Manager 2012 setup to assess server readiness. Finally we installed a central administration site (CAS).

In Part 2 we setup our Primary server  with SQL Server 2008 R2 SP1 CU6. We then installed Configuration Manager 2012 on our primary server (P01) and verified that it was replicating to our central administration site (CAS) server. Then we configured Discovery methods for our Hierarchy and then configure Boundaries and Boundary Groups.

In Part 3 we configured Discovery methods and configured boundaries and created a boundary group, we then configured them for Automatic Site Assignment and Content Location.In Part 4 we added the Application Catalog roles to our Hierarchy. We then configured Custom Client Device Settings and then deployed those settings to the All Systems collection on site P01. After that we created Custom Client User Settings and deployed them to the All Users collection in order to allow users to define their own User and Device affinity settings.

Now we will install the WSUS server role (it is required for the Software Update Point role). We will then install the Software Update Point role on our CAS and Primary servers and we will configure the SUP to support ConfigMgr Client Agent deployment which is a recommended Best Practice method of deploying the Configuration Manager Client Agent.

Recommended Reading
Planning for Software Updates in Configuration Manager – http://technet.micro…y/gg712696.aspx
Prerequisites for Software Updates in Configuration Manager – http://technet.micro…y/hh237372.aspx
Configuring Software Updates in Configuration Manager – http://technet.micro…y/gg712312.aspx

Planning for Client Deployment in Configuration Manager – http://technet.micro…y/gg682136.aspx
Prerequisites for Client Deployment in Configuration Manager – http://technet.micro…y/gg682042.aspx
Best Practices for Client Deployment in Configuration Manager –

Step 1. Add the WSUS Update Services 3.0 SP2 role
Note: Perform the following on the CAS server as SMSadmin

Before starting this step create a folder on D:\ called sources and share it as sources, give Everyone Read access.

sources share.png

The share is created, click done when ready.

cas sources share.png

Note: Repeat the above on the Primary server P01.

p01 sources.png

Start Server Manager and click on Roles. Click on Add Roles to Add the WSUS Server Role.

add roles.png

the Select Server Roles wizard appears, place a checkmark in Windows Server Update Services (WSUS)

Select Server roles.png

when prompted to add role services required for Windows Server Update Services click on Add Required Role Services to continue

add role services required for Windows Server Update Services.png

now you can see WSUS is selected, click next..

wsus selected.png

click next at the introduction to Web Server (IIS)

introduction to Web Server (IIS).png

the IIS Role services will already be  selected, click next

role services already selected.png

click next through the wizard and click Install to start installing the WSUS role, the role will be downloaded from the Internet so make sure you are connected to the internet before doing this step.

install wsus.png

after downloading the role, the Welcome to the Windows Server Update Services 3.0 SP2 Setup Wizard appears
Welcome to the Windows Server Update Services 3.0 SP2 Setup Wizard.png

click next to start install the role, accept the EULA to continue

i accept the license agreement.png

when prompted to Select Update Source, change the path to D:\Sources\WSUS, also make sure the Store Updates Locally option is selected.

Tip: In Production, as a best practice, select Store updates locally so that license terms that are associated with software updates are downloaded during the synchronization process and stored on the local hard drive for the WSUS server. When this setting is not selected, client computers might fail to scan for software updates compliance for software updates that have license terms. When you install the active software update point, WSUS Synchronization Manager verifies that this setting is enabled every 60 minutes, by default.

d sources wsus.png

change the database option to Use and Existing Database on this computer and click next

use an existing database on this server.png

click next and watch it connecting to SQL Server Instance

Tip: In Production, as a best practice consider using a different SQL Server instance for the Configuration Manager database  and WSUS database. This will make It easier to troubleshoot and diagnose resource usage issues that might occur for each application.

connecting to SQL Server Instance.png

In web site selection select Create a Windows Server Update Services 3.0 SP2 Web Site

Tip: In Production, as a best practice, select Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in a dedicated website instead of sharing the same website with other Configuration Manager site systems or other software applications. When you use a custom website for WSUS 3.0, WSUS configures port 8530 for HTTP and port 8531 for HTTP  and you must configure your Active Software Update Point accordingly.

web site preference.png

click next at the ready to install screen

ready to install wsus.png

Click Finish when done.

finish WSUS installation.png

The Windows Server Update Services Configuration Wizard will appear after a few moments, Cancel it.


and then you can finally close the add roles wizard

close wsus wizard.png

Note: Repeat the above (installation of the WSUS server role) on your Primary server P01.

Step 2. Add the Software Update Point role
Note: Perform the following on the CAS server as SMSadmin

In a Configuration Manager hierarchy, install and configure the software update point on the central administration site before you install it on any other site. The software update point at the central administration site is typically configured to synchronize with Microsoft Update, retrieving the software updates metadata based on the criteria that you specify in the software update point properties. Before you install the software update point site system role, you must verify that the server meets required dependencies and determine the software update point infrastructure on the site. For more information about planning for software updates and to determine your software update point infrastructure, see Planning for Software Updates in Configuration Manager.

In the Administration workspace, select Site Configuration and select our CAS site server, right click and choose Add Site System roles.

add site system roles.png

The Add Site System Roles Wizard appears, if you want to change accounts do so now otherwise click next

add site role wizard.png

on the Specify Roles for this server screen, select Software Update Point

software update point.png

on the specify software update point settings screen you can specify a proxy and connection account if you are using one.

specify software update point settings.png

select Use this server as the Active Software Update Point and then select WSUS is configured to use a custom website as per the screenshot below

wsus is configured to use a custom website.png

select Synchronize from Microsoft Update

synchronize from microsoft update.png

set the Synchronization Schedule to Run every 1 days as you want to synchronize daily for Endpoint Protection definition updates, and select the Alert checkbox as per the screenshot below.

synchroization schedule.png

set your Supersedence Rules as you wish

Supersedence Rules.png

choose your Classifications, if you want to use Endpoint Protection then select Definition Updates otherwise none will appear when you synchronize


select the Products you wish to support, don’t worry about making any choices here at this point as some products won’t appear in this list until after you’ve completed your first successful sync


select your Languages


and click through to completion of the wizard.

Add Site System  Roles Wizard completed successfully.png

Note: Repeat the above on the Primary Site server P01

p01 site role added.png

Tip: the difference you’ll note when adding the SUP role on the Primary is that you cannot select to synchronize from Microsoft Update as it will automatically select to synchronize from an upstream server. This is expected as it will synchronize from the CAS server.

synchronize from an upstream server.png

Step 3. Configure Active Directory GPO
Note: Perform the following on the Active directory server AD1  as a Domain Admininstrator

Software update-based client installation publishes the System Center 2012 Configuration Manager client to a software update point as an additional software update. This method of client installation can be used to install the System Center 2012 Configuration Manager client on computers that do not already have the client installed or to upgrade existing System Center 2012 Configuration Manager clients.

Note: To use software update-based installation, you must use the same Windows Server Update Services (WSUS) server for client installation and software updates. This server must be the active software update point in a primary site (in other words, our Primary site P01). For more information, see Configuring Software Updates in Configuration Manager.

Open Group Policy Managment, right click and choose create a GPO in this domain and link it here

create a GPO in this domain and link it here.png

give it a suitable name like Configuration Manager Client Installation

Configuration Manager Client Installation.png

Right click your newly created GPO, select Edit, select and expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click on Windows Update

windows update.png

select Specify intranet Microsoft update service location, and set it to Enabled, and enter the name and port of our primary server  SUP as per the screenshot below:

specify intranet microsoft update service location.png

Note: If the Configuration Manager site system is not configured to use a fully qualified domain name (FQDN), specify the server name by using a short name format.

Step 4. Configure Client Installation Settings on P01
Note: Perform the following on the Primary server P01  as SMSAdmin

Navigate to the Administration workspace, select Site Configuration, Sites, and select the P01 site, click on Settings in the ribbon.

P01 selected.png

Select Client Installation Settings and then select Software Update-Based Client Installation

Software Update-Based Client Installation.png

place a checkmark in Enable software update based client installation and click apply

Enable Software-update based client installation.png

Step 5. Monitor Client installation on your computers
Note: Perform the following on your LAB computers  as SMSAdmin

Now everything is in place for receiving the ConfigMgr client installation via the Software Update Point, except that your computerss will probably have Windows Update disabled if they are servers. How you enable that is up to you (GPO etc). Below is a sample setting for configuring Automatic Updates via a GPO.

configure automatic updates.png

Once you have enabled Windows Update you’ll see the following appear on your clients, 1 important update is available:-

1 important update is available.png

if you wait it will get installed via the schedule set in your GPO or if you are impatient you can click on Install Updates and you’ll see what the locally published packages actually is, it’s the  Configuration Manager Client.

locally published packages.png

if you check task manager you’ll see CCMSETUP.EXE is running,

ccmsetup is running.png

you can also monitor the C:\Windows\CCMSetup\ccmsetup.log file to see how the installation is progressing..

c windows ccmsetup log.png

Tip: The Ccmsetup command line used to install is revealed in the ccmsetup.log file at the beginning of the LOG, and should reveal that the ccmsetup.exe file was started from C:\Windows\SoftwareDistribution\Download\Install\ccmsetup.exe,  and this is because it was a Critical Windows Update.

and after a while you should see that CCMSetup installation succeeded

installation succeeded.png

and that means you can open Software Center via the start menu and it’ll appear like this

software center.png

click on the Application Catalog link in Software Center and you’ll see the Application Catalog appear !

application catalog.png

job done !

The original post is here on

This entry was posted in ConfigMgr 2012, Software Update Point. Bookmark the permalink.

One Response to using System Center 2012 Configuration Manager – Part 5. Adding WSUS, Adding the SUP role, deploying the Configuration Manager Client Agent

  1. mhakeem says:

    Dear Sir,
    I am very thank full to for posting such an easy and graphic based guide. I still have some issues which I couldn’t figure out how to solve it.
    1-Can not download updates Microsoft update and even fro WSUS server .
    2- I have about 3 thousand updates in which most of them are expired. How can I clear that?
    could you please help?


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.