By default, the task that synchronizes the Microsoft Update catalog runs in the context of the logged-on user. This means that a user with the appropriate permissions must be logged on when the synchronization program runs.

Important
If the synchronization host runs under the context of a user account, ensure that you lock the computer when it is not in use.

If you do not have a client computer that can remain logged on, you can configure the synchronization program to run in unattended mode. In unattended mode, the synchronization task runs as Local System.

To run the task as Local System instead of under a user account, you must grant several permissions to the synchronization host's computer account. If your firewall requires authentication, you must also configure credentials that the synchronization host can use to traverse the firewall.

To share the package source folder for unattended mode

  1. In the PkgSource Properties window, click the Sharing tab and click Permissions.

  2. In the Permissions for PackageSrc window, click Add. The Select Users, Computers, or Groups window appears.

  3. In the Select Users, Computers, or Groups window, click Object Types.

  4. In the Object Types window, click Computers and click OK.

  5. In the Select Users, Computers, or Groups window, under Enter the object names to select, type domain\synchostcomputer and click OK.

  6. In the Permissions for PackageSrc window, under Allow, click Full Control and click OK one time.

To set the NTFS security permissions on the package source folder for unattended mode

  1. In the PkgSource Properties window, click the Security tab and click Add. The Select Users, Computers, or Groups window appears.

  2. In the Select Users, Computers, or Groups window, click Object Types.

  3. In the Object Types window, click Computers and click OK.

  4. In the Select Users, Computers, or Groups window, under Enter the object names to select, type domain\synchostcomputer and click OK.

  5. In the PkgSource Properties window, under Allow, click Full Control and click OK.
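The two procedures above can also be done from PowerShell. The following script is an added example, not part of the original article: it grants the synchronization host's computer account Full Control on the share and on the NTFS folder, then reads both ACLs back so the result can be checked. The folder path D:\PkgSource, the share name PackageSrc and the account DOMAIN\synchostcomputer$ are placeholders; Grant-SmbShareAccess requires the SmbShare module (Windows Server 2012 / Windows 8 or later), so on older systems use the dialog-based steps.

```powershell
# Added example (not from the original article): grant the synchronization host's
# computer account Full Control on the package source share and folder, then verify.
# Placeholders (assumptions): folder D:\PkgSource, share PackageSrc,
# computer account DOMAIN\synchostcomputer$ (the trailing $ denotes a computer account).
param(
    [string]$FolderPath = 'D:\PkgSource',
    [string]$ShareName  = 'PackageSrc',
    [string]$Account    = 'DOMAIN\synchostcomputer$'
)

# Share-level permission (the "Sharing" tab in the article). Needs the SmbShare module.
Grant-SmbShareAccess -Name $ShareName -AccountName $Account -AccessRight Full -Force | Out-Null

# NTFS permission (the "Security" tab). The rule is inherited by sub-folders and files.
$acl  = Get-Acl -Path $FolderPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# Read back: both listings should show the computer account with Full Control.
Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq $Account
(Get-Acl -Path $FolderPath).Access | Where-Object IdentityReference -eq $Account |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The grant is made to the computer account rather than to a user because a task running as Local System authenticates to a remote share with the machine's own account; granting a user account here would not help the unattended task.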

To set WMI permissions for unattended mode

  1. On the SMS Provider computer, right-click the My Computer shortcut on the desktop and then click Manage. The Computer Management window appears.

    Note
    The SMS Provider computer is either the Configuration Manager site server or the Configuration Manager site database server. The SMS Provider computer was determined when Configuration Manager 2007 was installed. If the site server is not installed on the site database server, the computer with the SMS Admins local group is usually the SMS Provider.

  2. In the Computer Management window, under Services and Applications, right-click WMI Control and click Properties. The WMI Control Properties window appears.

  3. In the WMI Control Properties window, click the Security tab, expand Root, click the SMS node, and click the Security button. The Security for Root\SMS window appears.

  4. In the Security for Root\SMS window, click Add. The Select Users, Computers, or Groups window appears.

  5. In the Select Users, Computers, or Groups window, click Object Types.

  6. In the Object Types window, click Computers and click OK.

  7. In the Select Users, Computers, or Groups window, under Enter the object names to select, type domain\synchostcomputer and then click OK.

  8. In the Security for Root\SMS window, select domain\synchostcomputer.

  9. Under Permissions for domain\synchostcomputer, click to select the following permissions under Allow and click OK:

    • Execute Methods

    • Full Write

    • Partial Write

    • Provider Write

    • Enable Account

    • Remote Enable

  10. In the WMI Control Properties window, expand Root and click the SMS node.

  11. Expand the SMS node to select Site_sitecode.

  12. Click the Security button. The Security for Root\SMS\Site_sitecode window appears.

  13. In the Security for Root\SMS\Site_sitecode window, click Add. The Select Users, Computers, or Groups window appears.

  14. In the Select Users, Computers, or Groups window, click Object Types.

  15. In the Object Types window, click Computers and click OK.

  16. In the Select Users, Computers, or Groups window, under Enter the object names to select, type domain\synchostcomputer$ and click OK.

  17. In the Security for Root\SMS\Site_sitecode window, select domain\synchostcomputer$.

  18. Under Permissions for domain\synchostcomputer$, click to select the following permissions under Allow and click OK:

    • Execute Methods

    • Full Write

    • Partial Write

    • Provider Write

    • Enable Account

    • Remote Enable

  19. Click OK twice.
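The same WMI namespace permissions can be granted and verified with a script, which is useful when the SMS Provider is a remote computer or when several synchronization hosts need the same rights. The following is an added example and not part of the original article or of Configuration Manager: it adds an allow ACE carrying exactly the six rights listed above to Root\SMS and Root\SMS\Site_sitecode, then lists the ACEs for the account so the grant can be checked. The provider name SMSPROVIDER01, the site code ABC and the account DOMAIN\synchostcomputer$ are placeholders; the access-mask values are the WBEM_* constants from wbemcli.h.

```powershell
# Added example, not part of the original article: grant a computer account the six
# WMI namespace permissions listed above on root\SMS and root\SMS\site_<sitecode>,
# then list the resulting ACEs so the grant can be verified.
# Placeholders (assumptions): SMS Provider SMSPROVIDER01, site code ABC,
# computer account DOMAIN\synchostcomputer$.
param(
    [string]$ProviderComputer = 'SMSPROVIDER01',
    [string]$SiteCode         = 'ABC',
    [string]$Account          = 'DOMAIN\synchostcomputer$'
)

# WMI namespace access-mask bits (the WBEM_* constants in wbemcli.h).
$WmiRights = @{
    EnableAccount  = 0x00001   # WBEM_ENABLE
    ExecuteMethods = 0x00002   # WBEM_METHOD_EXECUTE
    FullWrite      = 0x00004   # WBEM_FULL_WRITE_REP
    PartialWrite   = 0x00008   # WBEM_PARTIAL_WRITE_REP
    ProviderWrite  = 0x00010   # WBEM_WRITE_PROVIDER
    RemoteEnable   = 0x00020   # WBEM_REMOTE_ACCESS
    ReadSecurity   = 0x20000   # READ_CONTROL (not granted by the article)
    EditSecurity   = 0x40000   # WRITE_DAC    (not granted by the article)
}

function Grant-WmiNamespaceAccess {
    param([string]$Computer, [string]$Namespace, [string]$Sid, [int]$AccessMask)

    $get = Invoke-WmiMethod -ComputerName $Computer -Namespace $Namespace `
               -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace failed: $($get.ReturnValue)" }
    $sd = $get.Descriptor

    $trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
    $trustee.SidString = $Sid

    $ace = (New-Object System.Management.ManagementClass('Win32_Ace')).CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = 0      # this namespace only; the article grants each namespace separately
    $ace.AceType    = 0      # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee

    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $set = Invoke-WmiMethod -ComputerName $Computer -Namespace $Namespace `
               -Path '__SystemSecurity=@' -Name SetSecurityDescriptor `
               -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor on $Namespace failed: $($set.ReturnValue)" }
}

function Get-WmiNamespaceAces {
    param([string]$Computer, [string]$Namespace)
    $sd = (Invoke-WmiMethod -ComputerName $Computer -Namespace $Namespace `
               -Path '__SystemSecurity=@' -Name GetSecurityDescriptor).Descriptor
    foreach ($ace in $sd.DACL) {
        # Translate the raw mask back into the names shown in the WMI Control dialog.
        $granted = $WmiRights.Keys | Where-Object { ($ace.AccessMask -band $WmiRights[$_]) -ne 0 }
        $type = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Type      = $type
            Rights    = ($granted | Sort-Object) -join ', '
        }
    }
}

# Resolve the computer account to a SID. The trailing $ is required for computer accounts.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Exactly the six rights the article lists, combined into one access mask (0x3F).
$mask = 0
foreach ($right in 'EnableAccount', 'ExecuteMethods', 'FullWrite',
                   'PartialWrite', 'ProviderWrite', 'RemoteEnable') {
    $mask = $mask -bor $WmiRights[$right]
}

foreach ($ns in 'root\SMS', "root\SMS\site_$SiteCode") {
    Grant-WmiNamespaceAccess -Computer $ProviderComputer -Namespace $ns -Sid $sid -AccessMask $mask
    Get-WmiNamespaceAces -Computer $ProviderComputer -Namespace $ns |
        Where-Object Trustee -eq $Account | Format-Table -AutoSize
}
```

The script sets AceFlags to 0 so that, like the dialog steps, each namespace is granted explicitly rather than through inheritance from Root\SMS; Read Security and Edit Security are deliberately left out because the article does not grant them. Run it as a member of Administrators on the SMS Provider (or with rights to call SetSecurityDescriptor remotely), and compare the verification output with the permission list above.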

To provide access to the SMS Provider for the synchronization host when the provider is on a system running Windows 2000

  • On the SMS Provider computer, at the command prompt, type:

    net localgroup "sms admins" domain\synchostcomputer$ /add

To provide access to the SMS Provider for the synchronization host when the provider is on a system running Windows Server 2003

  1. On the SMS Provider computer running Windows Server 2003 as a member server, right-click the My Computer shortcut on the desktop and click Manage. The Computer Management window appears. If the Windows Server 2003 computer is a domain controller, use Active Directory Users and Computers instead.

  2. On a member server, locate the SMS Admins group under Local Users and Groups. On a domain controller, locate the SMS Admins domain local group (by default under the Users container).

  3. On a member server, right-click SMS Admins, click Add to Group, and in the SMS Admins Properties window, click Add. On a domain controller, right-click SMS Admins, click Properties, click the Members tab, and then click Add.

  4. In the Select Users, Computers, or Groups window, click Object Types.

  5. In the Object Types window, click Computers and click OK.

  6. In the Select Users, Computers, or Groups window, under Enter the object names to select, type domain\synchostcomputer and click OK.

To grant permissions for the synchronization host computer to the Software Updates object

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Computer Management / Security Rights / Users.

  2. Right-click Users, and then click Manage ConfigMgr Users.

  3. Click Next.

  4. Type <domain>\<synchostcomputer> in the Add a new user text box, click Next, and then click Next.

  5. Select Configuration items for Class, and click Select All to configure all security rights. Click Next, click Next, click Next, and then click Close.

To update distribution points for the Microsoft Updates Tool package’s modified permissions

  1. In the Configuration Manager console, expand Packages, and then select the Microsoft Updates Tool package.

  2. Right-click the Microsoft Updates Tool package, click All Tasks, and click Update Distribution Points.

  3. Click Yes.

To re-run the Microsoft Updates Tool Sync advertisement

  1. In the Configuration Manager console, select Advertisements.

  2. In the right pane, select the Microsoft Updates Tool Sync advertisement.

  3. Right-click the Microsoft Updates Tool Sync advertisement, point to All Tasks, and click Re-run Advertisement.

  4. Click Yes.

Configuring Credentials for Firewalls That Do Not Allow Anonymous Access

The following procedure creates a registry key that specifies a user account and password to use for access through the firewall. The credentials are written to this registry key in encrypted form, and the key is also stored so that only local Windows administrators can access the data. When the synchronization task runs, the download component on the synchronization host (PatchDownloader.dll) uses the account you specify when it tries to access the Internet through the firewall.

To configure credentials for firewalls that do not allow anonymous access

  1. Locate the program named PatchDownloader.exe in the installation directory of the primary site server or Configuration Manager console, and run it on the computer that is running the synchronization component.

  2. Run the program with the /? switch to display its command-line syntax:

    <driveletter>:\sms\bin\i386\00000409\PatchDownloader.exe /?

  3. The following command-line help appears, where username is the account that has access permissions through the firewall:

    Usage: PatchDownloader /s:<server[:port]> [/u:<domain\username>] [/clean]

    If domain is not specified, the synchronization host domain is used by default. If port is not specified, port 80 is used by default. The program will prompt you for the password. To remove the configuration, use the /clean option.

    Example:

    PatchDownloader.exe /s:myserver:80 /u:myaccount

    Important
    For security reasons, make sure that the account you specify has no more rights than are necessary to connect through the firewall.
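The statement above that only local administrators can access the stored credentials is worth verifying on the synchronization host. The following script is an added example, not part of the original article: it reports every allow ACE on a registry key that belongs to a principal other than SYSTEM or the local Administrators group, including ACEs inherited from the parent key. The article does not name the key that PatchDownloader.exe writes, so the path in the script is a placeholder that has to be replaced with the real key.

```powershell
# Added example, not part of the original article: list every allow ACE on a
# registry key that belongs to anyone other than SYSTEM or the local Administrators
# group. The article does not name the key that PatchDownloader.exe writes, so the
# path below is a placeholder to be replaced with the real key.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\PLACEHOLDER-PatchDownloader-credential-key'
)

function Get-UnexpectedRegistryAccess {
    param(
        [string]$Path,
        # Principals that are expected to have access; everything else is reported.
        [System.Security.Principal.WellKnownSidType[]]$Expected = @(
            [System.Security.Principal.WellKnownSidType]::LocalSystemSid,
            [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid
        )
    )
    $expectedSids = $Expected | ForEach-Object {
        (New-Object System.Security.Principal.SecurityIdentifier($_, $null)).Value
    }
    $acl = Get-Acl -Path $Path
    # Include explicit and inherited rules, as SIDs so unresolvable accounts still compare.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }      # only grants matter here
        if ($expectedSids -contains $rule.IdentityReference.Value) { continue }
        # Show a friendly name where the SID resolves, the raw SID otherwise.
        $name = try { $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $rule.IdentityReference.Value }
        [pscustomobject]@{
            Key       = $Path
            Principal = $name
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
        }
    }
}

$unexpected = @(Get-UnexpectedRegistryAccess -Path $KeyPath)
if ($unexpected.Count -eq 0) {
    "OK: only SYSTEM and Administrators are granted access to $KeyPath"
} else {
    "WARNING: $($unexpected.Count) additional principal(s) have access to $KeyPath"
    $unexpected | Format-Table -AutoSize
}
```

Keys under HKLM\SOFTWARE inherit a Read ACE for BUILTIN\Users by default, so if the report lists Users with ReadKey and Inherited set to True, inheritance was not broken on the key and the data is readable by any local user, which is the condition the article's statement rules out. Encryption of the value limits what such a reader learns, but the ACL is the control the article relies on and the one to confirm.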