How can I setup Software Updates in System Center Configuration Manager (Current Branch)

Introduction

At the start of this series of step by step guides you installed System Center Configuration Manager (Current Branch), then you configured discovery methods. Next you configured boundaries to get an understanding of how automatic site assignment and content location works. After that you learned how to update ConfigMgr with new features and fixes using a new ability called Updates and Servicing and you learned how to configure ConfigMgr to use Updates and Servicing in one of these two modes:

In this post you will learn how to setup Software Updates which is a necessary step in preparing your environment  for Windows 10 servicing. You can setup the Software Update Point manually using the ConfigMgr console or fully automated using the supplied  PowerShell script in the Downloads section of this guide.

What’s new in Software Updates ?

The following points explain what’s new in Software Updates for System Center Configuration Manager Current Branch [source:Technet]

  • System Center Configuration Manager now has the ability to differentiate a Windows 10 computer that connects to Windows Update for Business (WUfB) for software update management versus the computers connected to WSUS for software update management. The UseWUServer attribute is new and specifies whether the computer is manage with WUfB. You can use this setting in a collection to remove these computers from software update management. For more information, see Integration with Windows Update for Business in Windows 10.
  • You can now schedule and run the WSUS clean up task from the Configuration Manager console. You can now manually run the WSUS cleanup task from in Software Update Point Component properties. When you select to run the WSUS cleanup task, it will run at the next software updates synchronization. The expired software updates will be set to a status of declined on the WSUS server and the Windows Update Agent on computers will no longer scan these software updates. For more information, see Schedule and run the WSUS clean up task.

Step 1. Install a hotfix (recommended)

If you are impacted by either of the issues below or if you installed ConfigMgr before the hotfix was released then you’ll need to install the hotfix. Microsoft released a hotfix (KB3127032) January 9th, 2016 to address the following issues:

  • The “Upgrades” entry is missing from the list of classifications in the Software Update Point Component Properties. This issue occurs even after the following Windows Server Update Services (WSUS) update is applied: 3095113 Update to enable WSUS support for Windows 10 feature upgrades
  • Windows 10 upgrades cannot be downloaded by using the Download Software Updates Wizard. Errors that resemble the following appear on the Completion page of the wizard

Before installing the hotfix though, restart the server via the following command in an administrative command prompt:

shutdown /r

you are about to be signed out.png

After downloading the hotfix, run it by double clicking on the CM1511RTM-QFE-KB3127032-X64-ENU.exe file. The wizard will appear.

execute hotfix.png

Click next and accept the License terms

hotfix license terms.png

Click next and the prerequisite checker will run.

hotfix prerequisite check.png

Click next and when prompted to upgrade the database answer yes.

upgrade database.png

if you’d like the Deployment Assistance options to create a package, leave the default settings and click next

default assistance.png

click next at the Update Package for Configuration Manager Servers screen

update package for configuration manager servers.png

and click Install at the summary screen

install hotfix.png

and review the progress before clicking Next

hotfix installed.png

at the Installation Complete screen click Finish.

hotfix finished installing.png

Even though it’s not a requirement, i’d suggest you reboot the server again as I’ve seen reports of it being necessary.

you are about to be signed out.png

Step 2. Add and configure the SUP role using ConfigMgr Console

Note: If you want to automate this instead using PowerShell, please skip to Step 4.

Using the ConfigMgr console, in the Administration workspace, expand Site Configuration and select Sites. On the ribbon, select Add Site System Roles, the Add Site System Roles Wizard appears, click next,

add site system roles wizard.png

On the Specify internet proxy server enteryour proxy details before clicking next

specify internet proxy server.png

on the Specify Roles for this server screen, select Software Update Point

software update point role.png

In the Specify Software Update Point properties, select the following options:

  •     WSUS Configuration: WSUS is configured to use ports 8530 and 8531
  •     Client Connection Type: Allow intranet-only client connections

specify software update point properties.png

on the Specify Proxy and Account settings for the software update point configure it as appropriate for your environment and click next

specify proxy and account settings for the sup.png

on the Specify Synchronization Sources page, as this is a standalone Primary, use the defaults. If you have a CAS in an hierarchy then point it to the upstream server as appropriate.

specify sychronization source settings.png

and on the Specify a synchronization schedule page place a check mark in Enable synchronization on  a schedule and leave it at the default of every 7 days.

sync every 7 days.png

Note: If you want to have precise control over the time, day and frequency when the SUP synchronizes with Microsoft Update, then you should select the Custom Schedule option and configure it as appropriate. If you also intend to update Endpoint Protection definition updates then you should configure the sync to run at least daily in order to get the latest definition updates and Endpoint Protection engine updates as soon as they are released.

On the Select behavior for software updates that are superseded page, select Do not expire…, leave the default of 3 months and then place a check mark in Run WSUS cleanup Wizard as shown below:

supersedence rules.png

 

Note: When you select to run the WSUS cleanup task, it will run at the next software updates synchronization. The expired software updates will be set to a status of declined on the WSUS server and the Windows Update Agent on computers will no longer scan these software updates.

 

On the Select the software update classifications that you want to synchronize screen select those that are shown below:

 

Note: If the Upgrades classification is not listed review Step 1.

select classifications.png

 

On the Select the products that you want to synchronize screen place a check mark in All Products and then remove it again, this will deselect everything before the first synchronization (recommended).

 

all products are NOT selected.png

On the Specify the language settings that you want to synchronize screen, deselect everything except English (don’t forget to scroll down as some languages are hidden from view)

sync languages.png

review the Summary

summary sup setup.png

Note: Using CMTrace, review the SUPSetup.log on the server hosting the Software Update Point (SUP) role in <ConfigMgr Installation Path>\Logs to confirm that the installation of the SUP role succeeded. Look for a line that states “Installation was successful” as shown below.

SUPSETUP was successful.png

At this point you can close the Add Site System Roles wizard.

 

The first sync from the SUP will take some time, and you should monitor the following logs to verify that the sync is in progress and working as expected.

 

  • <ConfigMgr Installation Path>\Logs\WCM.log – Provides information about the software update point configuration and connecting to the WSUS server for subscribed update categories, classifications, and languages
  • <ConfigMgr Installation Path>\Logs\WSUSCtrl.log – Provides information about the configuration, database connectivity, and health of the WSUS server for the site
  • <ConfigMgr Installation Path>\Logs\Wsyncmgr.log – Provides information about the software updates synchronization process

Here you can see the WCM.log file showing that WSUS was sucessfully configured

 

WCM log file.png

 

Here you can see the wsyncmgr.log file showing that the sync was successful

 

wsyncmgr log.png

 

Here you can see the WSUSctrl.log file showing information about the configuration

 

wsusctrl log.png

 

Step 3. Selecting Windows 10 as a product

After the first successful sync, the SUP should now have updated the list of Products available. Below you can see the Windows Products listed before (on the left) and after (on the right) the first SUP sync takes place.

 

before and after sync.png

 

You will not see the updated products until the WCM.log states the following “Successfully refreshed categories from WSUS server

 

As you want Windows 10 to be secure and up to date, you’ll need to re-configure the SUP role and specify Windows 10 from the list of  available products. Using the ConfigMgr console, in the Administration workspace, expand Site Configuration and select Sites. Select the P01 Primary site, right click and choose Configure Site Components and then select Software Update Point

 

configure software update point.png

 

In the Software Update Point Component Properties screen select the Products tab and scroll down to Windows 10, make selections appropriate to your organization, click Apply and OK when done to apply and close the Software Update Point Component Properties.

 

all windows 10 products selected.png

 

Now that you’ve made a change to the Products, perform a sync. To perform a sync do as follows. In the ConfigMgr console select the Software Library workspace, select Software Updates, right click on All Software Updates and choose Synchronize Software Updates. Answer Yes to the popup.

 

perform a sync.png

 

Using CMTrace, monitor the sync progress in <ConfigMgr Installation Path>\Logs\Wsyncmgr.log. This sync will take some time as you’ve changed the list of Products to sync and therefore a Full sync is required and noted in the log file.

 

wsyncmgr log showing sync starting.png

 

Look for the Sync succeeded. Setting sync alert to canceled state on site P01 text in the log file to notify you of a successful sync.

 

sync succeeded.png

 

Now that the sync is completed it’s time to refresh the All Software Updates view in the console. In the ConfigMgr console select the Software Library workspace, select Software Updates, select All Software Updates and press the Refresh All Software Updates button.

 

refresh all software updates.png

 

And you should see a whole bunch of updates (and upgrades) listed for Windows 10.

 

windows 10 updates listed.png

 

To see the Windows 10 Upgrade updates listed in the Windows 10 servicing section, in the ConfigMgr console select the Software Library workspace, select Windows 10 Servicing, select All Windows 10 Updates.

 

Note: I will cover servicing Windows 10 in a later post.

 

windows 10 servicing.png

 

Step 4. Add and configure the SUP role using PowerShell

The above steps show how you can configure the SUP role using the ConfigMgr console, however you could script it all using PowerShell. The ConfigMgr PowerShell cmdlets for Software Update Point can be listed with the below command once you’ve connected to PowerShell in ConfigMgr.

Get-Command -Module configurationmanager -Noun *SoftwareUpdatePoint*

software update point noun in PowerShell.png

 

To add the Software Update Point (SUP) role using PowerShell do as follows. Download the Add SUP Role.ps1 contained in a zip file in the Downloads section at the bottom of this guide and extract it to C:\Temp.

 

Start Windows PowerShell ISE as Administrator and open Add SUP Role.ps1 script. Edit any variables in the script to match your environment before proceeding, and then save your changes.

 

variables to be edited.png

 

When you are happy with the variables, consider changing which Products to sync. Check line number 192 and remove anything you are not interested in (for example, Windows 10 Language Packs). If you want to add Products to the script, do so here but make sure you specify it correctly or it will fail.

 

line 192.png

 

Save any changes, then run the script by pressing F5 or clicking on the Green arrow. Below you can see the script is running, don’t worry about that warning in Orange, it’s benign (safe to ignore). The script will perform two SUP syncs, the first is used to update the index (classifications, products etc) and the second sync actually syncs the Windows 10 updates which are appropriate to the  Windows 10 products selected.

 

Note: Depending on the number of products you select, you may want to adjust the sleep settings of the second sync to work with your environment.

 

script in action along with logs in the background.png

 

After the script is completed (it takes about 30 minutes for syncing All Windows 10 updates available, over 3240 items..) check the All Software Updates section of the ConfigMgr console. You might have to wait even longer for the console to display everything.

 

synched via PowerShell.png

 

Job done ! Isn’t PowerShell automation amazing.

 

Note: The observant amongst you will notice different languages listed even though we only specified English. This is a bug (either in SCCM or WSUS, not sure which yet) and Microsoft is working on it.

Summary

In this guide you learned about configuring the Software Update Point role in ConfigMgr to get it ready for deploying security updates and to perform Windows 10 servicing in your enterprise and you were shown how to do it manually and full automated using PowerShell. Thanks for reading my guides !

 

Related Reading

Downloads

You can download a Microsoft Word copy of this guide here dated 2016/01/16 Attached File  Setting up Software Updates with System Center Configuration Manager Current Branch.zip   2.44MB   5 downloads

 

You can download the PowerShell script used above here. Attached File  Add SUP role.zip   2.9KB   5 downloads

This entry was posted in System Center Configuration Manager (Current Branch). Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.