Configuring WSUS with SCCM Current Branch (Server 2016) – Part I

Introduction

There have been some great guides through the years on configuring WSUS with SCCM from the ground up, but I felt it was time for me to add to the library with an updated version to cover Server 2016, and particularly my personal recommendations for a successful A-Z setup.

In Part I, I’ll take you through configuring the required Server Roles & Features, WSUS Installation and Configuration, IIS settings, Folder Permissions and linking it all up into SCCM.

In Part II, I’ll show you how to deploy updates and properly manage the future with ADRs, whilst catering for the past with Baselines.

Finally, in Part III, I’ll cover Client Settings, Maintenance Windows, Group Policy, Multiple SUP’s, HTTPS, ADR\Baseline Maintenance, and the big scary WSUS Maintenance

In this guide I’ll be configuring WSUS on the same local Server as the Primary Site & SQL Database.

Pre-Read Material

I’d advise you read the following Microsoft documentation prior to installation:

https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/site-and-site-system-prerequisites

https://docs.microsoft.com/en-us/sccm/sum/plan-design/plan-for-software-updates

 

Installation

Because this is already a Primary Server, certain roles are already installed.

Required roles:

Software update point

Windows Server roles and features:

• .NET Framework 3.5 SP1 (or later)
• .NET Framework 4.5.2

The default IIS configuration is required.

Windows Server Update Services:

• You must install the Windows server role Windows Server Update Services on a computer before installing a software update point.

Open Server Manager>Manage>Add Roles & Features

Tick Windows Server Update Services

Under Features, ensure the default .Net Framework 3.5 and 4.6 have been ticked.

We’re going to connect to the SQL Database.  Ensure you untick “WID Connectivity”, and select “WSUS Services” & “SQL Server Connectivity”.

Here we need to configure where WSUS will create its directory.

I’ll be storing it on a separate drive in a WSUS folder.

Enter the FQDN of your SQL Server and click Check Connection.

Wait until it confirms a Successful Connection prior to continuing.

Once you’ve confirmed your configuration, Select Install.

Wait for installation to take place..

Once the initial configuration has been complete you will be prompted to “Launch Post-Installation Tasks”.

Select this link..

Wait while configuration takes place.  I’d advise leaving this window open whilst it takes place..

Once Configuration has been successful, click Close.

WSUS Configuration

Opinions will differ here with how people will advise you set this up.  We’re going to go half way through the WSUS Setup Wizard and exit.  I’ve done this a few times now over the years, and this never fails..

Open Windows Server Update Services.

You will be prompted with the Setup Wizard.

Click Next

Click Next again.

Leave settings default.

Click Next.

Leave defaults again (Even if you need proxy configuration).

Click Next

Select Start Connecting

Wait whilst the connection to Microsoft is confirmed.

Click Next once complete

Again, leave default to Download Updates in All Languages.

Click Next.

Do not select any extra Products here.  Leave everything Default.

Click Next.

Now, at the Classifications screen, leave default and Cancel the wizard.

That’s all you should ever need to do in the WSUS console itself, outside of any maintenance tasks.

You should never go into the WSUS Console and change configurations in an SCCM environment.

 

Extra Configuration

A couple extra tweaks to the standard config ensure a successful WSUS distribution.

Folder Permissions

Navigate to the source directory you created earlier.

Mine is E:\WSUS

On the Permissions for E:\WSUS, add the following accounts with Full Control;

• SCCMAdministrators AD group
• Network Service

SCCM Administrators Group is an Active Directory group containing the SCCM Network Service Account, and the Machine Accounts for each Site Server.

A level down on the E:\WSUS\WSUSContent folder, ensure your permissions logically match the below.  Double check the SCCMAdmins and Network Service have inherited down.

Ensure the share permissions on E:\WSUS\WSUSContent has Everyone as Read.

Whilst we’re here, create a new Folder..

Named SCCMDeploymentPackages

Edit the Security and ensure the Network Service and SCCMAdmins Security groups have Full Control.

Share the folder..

Ensuring Permissions are correct again

IIS Configurations

I’d advise you research these settings if you are not aware of their effects prior to setting in any production environments.

However, setting these will mostly avoid common errors you may receive on clients.

Open Internet Information Services (IIS) Manager

Select Application Pools>WSUSPool>Advanced Settings

Change Queue Length to 2000 – This is a good starting point if you’re unsure

Change Private Memory Limit (KB) to 0  – (no limit)

Back in IIS, select your Server on the left, and hit Restart on the right.

Alternatively, now would be a good time to restart entirely.

SCCM Configuration

Finally, now all the groundwork is laid, lets setup SCCM.

If you have installed WSUS on a seperate server to your Primary, then you need to install the WSUS console on your Primary Site Server before moving on.  If you’ve installed WSUS on your Primary Site Server, then you can skip this part and join back up when I say hokey pokey.

Open an admin Powershell, and run the below:

Install-WindowsFeature -Name UpdateServices-Ui

 

Hokey Pokey!

Open System Center Configuration Manager

Navigate to Administration>Site Configuration>Server and Site System Roles

Right click the Site Server you wish to install the Software Update Role onto (this should be the server you’ve configured everything else onto so far), and select Add Site System Roles

Select Next at the first window

Next again

Tick Software Update Point, and click Next

Here you have two options.  Assuming you are installing onto a server of at least 2012 and up (if not, why not!?), select to use ports (8530 and 8531).

Here you can also select to use SSL, and or Internet/Intranet.

Unless you have specific requirements, leave default and click Next

Leave the default to Synchronise from Microsoft Update.

Your prerogative whether to create reporting events on clients.  Read the text to understand fully.

Now we need to specify a schedule to synchronise our Software Update point, with Microsoft Update.

I personally like to run my Production site’s a few weeks behind ‘Patch Tuesday’.  This gives me time to fully test all updates on Development machines to ensure they work as expected and don’t cause any unexpected upset.  It also gives time for the rare occasion that Microsoft need to re-release any updates for whatever the reason may be.

I’ll go into how I really do this in Part II, but for now if you’re following along, customise this schedule to run the First Tuesday of the month.

Since originally writing the above, the world has seen a vast uptake in Windows Updates being the answer to security problems.  For this reason, i’m revising this statement and advise you run your sync on Patch Tuesday, the Second Tuesday of the month.

Microsoft usually release updates at roughly 17:00-18:00 UTC time, so ensure your sync happens at least a few hours after this.

I’d advise you also select to Alert when synchronisation fails on any site in the hierarchy.

See above statement – Set it to Second Tuesday

Select to ‘Do not expire superseded software update until the software update is superseded for a specified period’ of, 1 month.

Tick the ‘Run WSUS Cleanup Wizard’.  – WSUS Cleanups are a good thing!!

Another tip here..

Untick All Classifications.

Trust me..

Under the Products section, leave this default.

Don’t be tempted to go through selecting everything you want to patch.  Now is not the time…

Even if you wanted to, your’ll notice the lack of certain Products..

Leave it default, move on..

Select the languages you require here. Select Next.

Review the brief summary, and click Next to begin the installation.

Finally, your’ll have lots of green ticks, click Close.

Now to review the installation.  Navigate to the log below on the Site Server.

C:\Program Files\Microsoft Configuration Manager\Logs\WCM.log

Here you can see the installation of our SUP (Software Update Point).  Wait for the last line ‘Configuration successful’, before continuing.. it doesn’t take long.

Back in Configuration Manager

Navigate to Software Library>Software Updates>All Software Updates

Select Synchronise Software Updates

Press Yes when prompted.

This first Sync should only take a couple minutes.

We can review its progress it two places;

In the GUI under Monitoring>Software Update Points Syncronization Status

Or for more detail, in the log file below;

C:\Program Files\Microsoft Configuration Manager\Logs\Wsyncmgr.log

Here you can see the sync only took just over a minute.  Nice a speedy.  But what about that highlighted line?

“Warning: Request filter does not contain any known classifications. Sync will do nothing.”

Remember I told you not to tick and Classifications?

So what have we just done?

Remember the lack of Products selectable, notably Windows 10 & Server 2016?

Enough Questions! Answers!

By default SCCM doesn’t have knowledge of Windows 10, Server 2016 etc in its product list and we’ve first got to successfully get SCCM and WSUS communicating so it can access the full list of available products.  If you would have ticked a bunch of Classifications in the initial setup then that first sync would have taken a good time longer then a minute to complete, and you wouldn’t even have the Products you want..

Now we’ve confirmed SCCM and WSUS are best buds and happy to communicate to each other, lets take another look at those Products;

Navigate to Administration>Sites

Right click your Site and select Configure Site Components>Software Update Point

Select the Products tab, and scroll down.

*tada* Windows 10 and Server 2016 elsewhere in the list are now available.

Select all Products you wish to be patching.

Select the Classifications tab and tick the ones you require.

Whilst writing this post, Current Branch 1702 has been released! You have a new option here once you’ve upgraded..

Select the Update Files tab

Select Download both full files for all approved updates and express installation files for Windows 10  Express updates are still going through some development problem, so for the moment, lets skip them

Select Download full files for all approved updates

This will allow a much smaller cumulative update package to be deployed to your clients.

Once you’re happy with your final configuration changes (although you can of course change them again later).. Click OK and close the open window.

Once you do this, a log will be made as per below which notes the changes you have made..

We now need to Sync our changes again..

Navigate to Software Library>Software Updates>All Software Updates

Select Synchronise Software Updates

Select Yes when prompted

And again, monitor its progress..

This time, expect it to take some time.. likely at least an hour.

17 thousand updates to process and evalute..

Successful sync of WSUS server:

Now to process and sync each individual update.

Once the Sync is complete, you can return to Configuration Manager.

Navigate to Software Library>Software Updates>All Software Updates

Lo and behold, all our synchronised updates..

Conclusion

You’ve now successfully configured WSUS with SCCM.

In Part II I’ll cover actually downloading and deploying the updates via ADR’s & Baselines, with notes on Client Settings, Maintenance Windows, Group Policy and more.

Rich Mawdsley