Join Brien Posey for an in-depth discussion in this video Configure SCCM to act as a software update point, part of Windows 10: Plan and Implement Software Updates.
- [Instructor] System Center Configuration Manager can push updates to the workstations and servers on your network, but it can't do it by itself. There's an underlying dependency on Windows Server Update Services, or WSUS as it's often referred to. So right now I'm logged in to my domain controller, and I've got Server Manager open; and the first thing that we need to do in order to allow System Center Configuration Manager to push updates is to set up a service account. So I'm going to go to the Tools menu, and I'm going to go to Active Directory Users and Computers.
And I'm going to right-click on the Users container, and I'm going to go to New, User; and I'm going to call my service account WSUS_SRV. You can call the account anything that you want. And I'll click Next and enter a password for the service account, and I'm going to set this account to never expire and click Next and click Finish and now the account has been created. You can see it down here at the bottom of the screen.
So now I want to switch over to my Configuration Manager server. So here I am on my Configuration Manager server, and I've got Server Manager open; and you'll notice that WSUS is installed locally on this machine. So let's take a look. I'm going to go into Tools, and I'm going to choose Windows Server Update Services; and I've already gone ahead and configured Windows Server Update Services ahead of time, but there are a couple of things that I want to point out.
First of all, if I come up here to Approval and I set this to Approved and click Refresh, you can see that there are a few updates that I've already approved. If you want to approve additional updates, you can easily do that. All we need to do is go up to Approval and set this to Unapproved and click Refresh and then just choose the updates that you want to approve, right-click and choose Approve; and then we set this to Approve for Install and click OK and those updates are approved.
Now if we look at the list of approved updates, it should be a little bit longer than it was before. The other thing that I want to point out is that if you go to Options and go to Update Source and Proxy Server, Windows Server Update Services needs to be configured to Synchronize from Microsoft Update, which it is. So Windows Server Update Services is going to be our upstream source of updates. It's going to be responsible for initially downloading those updates and System Center Configuration Manager is going to pull the updates from the Windows Server Update Services server.
So I'm going to close this out, and let's open up the Configuration Manager console. So within the Configuration Manager console, we're going to go to the Administration workspace, and then from there I'm going to go to Overview, Site Configuration, Sites, and then at the top on the ribbon I'm going to click Add Site System Roles; and this is going to launch the Add Site System Roles Wizard. Now there's nothing that we have to do on the first two screens of the wizard, so I'm just going to click Next and then click Next again.
Now we're taken to a screen that asks us to choose the role that we want to install. So we're going to choose the Software Update Point Role. So I'll click Next, and now we have to specify how WSUS is configured. So WSUS is configured to use ports 8530 and 8531 for client communication. That's the default behavior for the version of WSUS that I'm using, so that's what I want to choose. We also have to specify the client connection type. The default behavior is to allow internet only client connections.
We could specify internet only or internet and intranet. We can use any of these options that we want. You just want to choose the option that's right for your own environment. I'll click Next, and now we're taken to the Proxy and Account Settings screen. We don't have to do anything with a proxy server because we don't have one, but we do need to specify the WSUS server connection account; and that's going to be the account that we set up earlier. So I'm going to select the Use Credentials to Connect to the WSUS Server checkbox, and I'm going to choose the New Account option.
Now we're not actually creating a new account here. We've already created a new account. We're basically just making System Center aware of the account. So the account is going to be poseylab, which is my domain name, slash WSUS_SVC. And then I'm going to enter the account's password and click OK and click Next. Now I have to specify my synchronization source. So by default, System Center is configured to synchronize from Microsoft Update.
Well, we don't want it to synchronize from Microsoft Update. We want it to synchronize from our WSUS server, so I'm going to choose the option to synchronize from an upstream data source location; and then we have to enter the URL for our WSUS server. So in this case the URL is going to be HTTP://localhost:8531 and I'm not going to worry about creating WSUS reporting events. I'm just going to click Next. Now we have to set a synchronization schedule.
So I'm going to enable synchronization on a schedule, and we could set a simple schedule or we could build a custom schedule. I'm going to go with a simple schedule, and I'm going to set this to synchronize every one hour. In a production environment, you probably wouldn't want to synchronize quite so frequently; but this is good for our purposes here. I'll click Next, and now we have to specify our supersedence behavior. We can immediately expire a superseded software update or we could choose to not expire a superseded update until the software update is superseded for a specific amount of time.
So by default, we're waiting three months to expire an update, and that's fine. I'm going to go ahead and go with that. I'll click Next, and now I get to the Update Files option; and we have two choices here. We can download full files for all approved updates, or we could download both full files for all approved updates and express installation files for Windows 10. I'm going to go with the default and download the full files for all approved updates and click Next, and now I get to the Classification screen.
This screen lets you choose what types of updates you want to download. So I want to make sure and download critical updates, and everything else looks good here. I'll click Next, and then I have to specify the products that I want to synchronize. So I'm going to expand this out, and I'm just going to choose a few different versions of Windows. So I'll choose Windows 7, Windows 8, Windows Server 2012, and I'll click Next; and now we have to specify the languages that we want to download updates in.
And I don't speak Chinese, so I'm going to clear that out and I'm going to set English to be the only update language and click Next; and now we see a summary of our configuration. Everything appears to be accurate here, so I will click Next; and it looks like the configuration was successful.
- Deploying updates manually
- Monitoring deployments
- Configuring automatic deployment rules
- Analyzing log files
- Approving and declining updates in Intune
- Deploying software from SCCM, WSUS, and Intune