Before software update compliance assessment data appears in the System Center 2012 Configuration Manager console, and before you can deploy software updates to client computers, you must complete the following steps: install and configure a software update point, synchronize the software updates metadata, and verify the configuration for settings that are associated with software updates.

When you have a Configuration Manager hierarchy, install and configure the software update point at the central administration site first, and then install and configure the software update points on other sites. Some settings are only available when you configure the software update point on the top-level site, which is the central administration site or the stand-alone primary site. There are different configuration options that you must consider depending on where the software update point is installed. Use the steps in the following table to install and configure the software update point, synchronize software updates, and configure the settings that are associated with software updates.

Configure Software Updates

Use the following steps and procedures in this topic to configure software updates in Configuration Manager.

Step Details More information

Step 1: Install and configure a software update point

The software update point is required on the central administration site and on the primary sites to enable the software updates compliance assessment and to deploy software updates to clients. The software update point is optional on secondary sites.

For more information, see the detailed Step 1: Install and Configure a Software Update Point in this topic.

Step 2: Synchronize software updates

Synchronize software updates on a connected software update point

The synchronization of software updates is the process of retrieving software updates metadata from the Microsoft Update site and the replication of the metadata to all sites that are enabled for software updates in the Configuration Manager hierarchy. The software update point on the central administration site or on a stand-alone primary site retrieves software updates metadata from Microsoft Update. The child primary sites, secondary sites, and remote Internet-based software update points retrieve the software updates metadata from the software update point that is identified as the upstream update source. You must have access to the upstream update source to successfully synchronize software updates.

For more information, see the detailed Step 2: Synchronize Software Updates in this topic.

Synchronize software updates on a disconnected software update point.

Automatic synchronization of software updates is not possible when the software update point at the central administration site or stand-alone primary site is disconnected from the Internet, or when an Internet-based software update point is disconnected from the active software update point for the site. To retrieve the latest software updates for a disconnected software update point, you must use the WSUSUtil tool to export the software updates metadata and the license terms files from a software update source, and then you must import the metadata and files to the disconnected software update point.

For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.

Step 3: Configure classifications and products to synchronize

Perform this configuration on the central administration site or stand-alone primary site.

After you synchronize software updates without any classifications or products selected, you must configure the software updates classifications and products in the Software Update Point Component properties. After you configure the properties, repeat step 2 to initiate the software updates synchronization to retrieve the software updates that meet the configured criteria for classification and products.

For more information, see the detailed Step 3: Configure Classifications and Products to Synchronize in this topic.

Step 4: Verify software updates client settings and Group Policy configurations

There are Configuration Manager client settings and group policy configurations that are associated with software updates, and that you must verify before you deploy software updates.

For more information, see the detailed Step 4: Verify Software Updates Client Settings and Group Policy Configurations in this topic.

Step 1: Install and Configure a Software Update Point

Important
Before you install the software update point site system role, you must verify that the server meets the required dependencies and determine the software update point infrastructure on the site. For more information about how to plan for software updates and to determine your software update point infrastructure, see Planning for Software Updates in Configuration Manager.

The software update point is required on the central administration site and on the primary sites in order to enable software updates compliance assessment and to deploy software updates to clients. The software update point is optional on secondary sites. The software update point site system role must be created on a server that has WSUS installed. The software update point interacts with the WSUS services to configure the software update settings and to request synchronization of software updates metadata. When you have a Configuration Manager hierarchy, install and configure the software update point on the central administration site first, then on child primary sites, and then optionally, on secondary sites. When you have a stand-alone primary site, not a central administration site, install and configure the software update point on the primary site first, and then optionally, on secondary sites. Some settings are only available when you configure the software update point on a top-level site. There are different options that you must consider depending on where you installed the software update point.

Important
For Configuration Manager SP1 only: Starting with Configuration Manager SP1, you can install more than one software update point on a site. The first software update point that you install is configured as the synchronization source, which synchronizes the updates from Microsoft Update or from the upstream synchronization source. The other software update points on the site are configured as replicas of the first software update point. Therefore, some settings are not available after you install and configure the initial software update point.

You can add the software update point site system role to an existing site system server or you can create a new one. On the System Role Selection page of the Create Site System Server Wizard or Add Site System Roles Wizard, depending on whether you add the site system role to a new or existing site server, select Software update point, and then configure the software update point settings in the wizard. The settings are different depending on the version of Configuration Manager that you use. For more information about how to install site system roles, see the Install Site System Roles section in the Install and Configure Site System Roles for Configuration Manager topic.

Use the following sections for information about the software update point settings on a site.

Proxy Server Settings

You can configure the proxy server settings on different pages of the Create Site System Server Wizard or Add Site System Roles Wizard depending on the version of Configuration Manager that you use.

  • For Configuration Manager SP1 only:

    You must configure the proxy server, and then specify when to use the proxy server for software updates. Configure the following settings:

    • Configure the proxy server settings on the Proxy page of the wizard or on the Proxy tab in Site system Properties. The proxy server settings are site system specific, which means that all site system roles use the proxy server settings that you specify.

    • Configure whether to use the proxy server when Configuration Manager synchronizes the software updates and when it downloads content by using an automatic deployment rule.

      Note
      The Use a proxy when downloading content by using automatic deployment rules setting is available but it is not used for a software update point on a secondary site. Only the software update point on the central administration site and primary site downloads content from the Microsoft Update page.
  • For Configuration Manager with no service pack only:

    Configure the proxy server settings on the Active Software Update Point page of the wizard or on the General tab in Software Update Point Component Properties. The proxy server settings are associated only with the software update point at the site.

Important
By default, the Local System account for the server on which an automatic deployment rule was created is used to connect to the Internet and download software updates when the automatic deployment rules run. When this account does not have access to the Internet, software updates fail to download and the following entry is logged to ruleengine.log: Failed to download the update from internet. Error = 12007. Configure the credentials to connect to the proxy server when the Local System account does not have Internet access.
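An added example (not part of the original topic): a PowerShell check that scans ruleengine.log text for the download failure quoted above and tallies the failures by error code. The sample lines are constructed, the function name is hypothetical, and the descriptions for codes other than 12007 go beyond what this topic lists.

```powershell
# Added example: find automatic deployment rule download failures in ruleengine.log.
# Only the message "Failed to download the update from internet. Error = <n>"
# comes from the topic; the other sample lines are constructed.

# WinHTTP error codes that typically point at a missing proxy or Internet path.
$WinHttpErrors = @{
    12002 = 'ERROR_WINHTTP_TIMEOUT: the request timed out'
    12007 = 'ERROR_WINHTTP_NAME_NOT_RESOLVED: the server name could not be resolved'
    12029 = 'ERROR_WINHTTP_CANNOT_CONNECT: the connection to the server failed'
}

function Get-AdrDownloadFailure {
    # Hypothetical helper: accepts log lines from the pipeline and returns one
    # object per distinct error code with the number of times it was logged.
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        $pattern = 'Failed to download the update from internet\. Error = (\d+)'
        $counts = @{}
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $pattern) {
                $code = [int]$Matches[1]
                $counts[$code] = 1 + [int]$counts[$code]
            }
        }
    }
    end {
        foreach ($code in ($counts.Keys | Sort-Object)) {
            $meaning = $WinHttpErrors[$code]
            if (-not $meaning) { $meaning = 'not in the lookup table' }
            New-Object PSObject -Property @{
                ErrorCode = $code
                Count     = $counts[$code]
                Meaning   = $meaning
            }
        }
    }
}

# Constructed sample lines (not taken from a real site server).
$sample = @(
    'Evaluating constructed automatic deployment rule 1',
    'Failed to download the update from internet. Error = 12007',
    'Failed to download the update from internet. Error = 12007',
    'Failed to download the update from internet. Error = 12029',
    'Rule processing finished'
)
$sample | Get-AdrDownloadFailure | Format-Table ErrorCode, Count, Meaning -AutoSize

# Against a real log (path is a placeholder):
# Get-Content '<path to ruleengine.log>' | Get-AdrDownloadFailure
```

Repeated 12007 entries mean name resolution failed for the account that ran the rule, which is the case the proxy credentials setting addresses.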

WSUS Settings

You must configure WSUS settings on different pages of the wizard, and in some cases, only in the properties for the software update point, also known as Software Update Point Component Properties. Use the information in the following sections to configure the WSUS settings.

WSUS Port Settings

You must configure the WSUS port settings on different pages of the wizard depending on the version of Configuration Manager that you use.

  • For Configuration Manager SP1 only:

    You must configure the WSUS port settings on the Software Update Point page of the wizard or in the properties of the software update point.

  • For Configuration Manager with no service pack only:

    You can configure the WSUS port settings on the Active Settings page of the wizard or on the General tab in Software Update Point Component Properties.

    Warning
    You have the option to configure the WSUS port settings for the active Internet-based software update point. For more information, see the Active Internet-Based Software Update Point section in this topic.

To determine the website and port configurations in WSUS, see How to Determine the Port Settings Used by WSUS.

Configure SSL Communications to WSUS

You can use the SSL protocol to help secure the WSUS that runs on the software update point. You can configure SSL on different pages of the wizard depending on the version of Configuration Manager that you use.

  • For Configuration Manager SP1 only:

    You can configure SSL communication on the General page of the wizard or on the General tab in the properties of the software update point.

  • For Configuration Manager with no service pack only:

    You can configure SSL communication on the General tab in Software Update Point Component Properties. This setting is not available in the wizard.

For more information about how to use SSL, see the Deciding Whether to Configure WSUS to Use SSL section in the Planning for Software Updates in Configuration Manager topic.

WSUS Connection Account

You can configure an account to be used by the site server when it connects to WSUS that runs on the software update point. When you do not configure this account, Configuration Manager uses the computer account for the site server to connect to WSUS. You can configure the account in different places of the wizard depending on the version of Configuration Manager that you use.

  • For Configuration Manager SP1 only:

    You can configure the WSUS Server Connection Account on the General page of the wizard, or on the General tab in the software update point properties.

  • For Configuration Manager with no service pack only:

    You can configure the Software Update Point Connection account on the General tab in Software Update Point Component Properties. This setting is not available in the wizard.

For more information about Configuration Manager accounts, see Technical Reference for Accounts Used in Configuration Manager.

Active Software Update Point

Important
This section is for Configuration Manager with no service pack only.

Specify the active software update point for the site on the Active Settings page of the wizard or on the General tab in Software Update Point Component Properties. In Software Update Point Component Properties, you can change the location for the active software update point or choose to configure the software update point to use NLB. When the active software update point is installed on a remote site system server, the Active software update point and Software Update Point Connection Account settings are available for you to configure.

In Active software update point, you can only select the remote site system servers that have the software update point site system role installed. You can have only one active software update point for a site, but multiple site system servers can have the software update point site system role installed and they can be available to select as the active software update point.

Important
When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

Active Internet-Based Software Update Point

Synchronization Source

You can configure the upstream synchronization source for software updates synchronization on the Synchronization Source page of the wizard, or on the Sync Settings tab in Software Update Point Component Properties. Your options for the synchronization source vary depending on the site. For more information, see the Synchronization Source section in the Planning for Software Updates in Configuration Manager topic.

Use the following table for the available options when you configure the software update point at a site.

| Site | Available synchronization source options |
|---|---|
| Central administration site; Stand-alone primary site | Synchronize from the Microsoft Update website; Synchronize from an upstream data source location¹; Do not synchronize from Microsoft Update or upstream data source |
| Additional software update points at a site²; Child primary site; Secondary site | Synchronize from an upstream data source location³ |

The following list provides more information about each option that you can use as the synchronization source:

  • Synchronize from Microsoft Update: Use this setting to synchronize software updates metadata from Microsoft Update. The central administration site must have Internet access; otherwise, synchronization will fail. This setting is available only when you configure the software update point on the top-level site.

    Note
    When there is a firewall between the active software update point and the Internet, the firewall might need to be configured to accept the HTTP and HTTPS ports that are used for the WSUS Web site. You can also choose to restrict access on the firewall to limited domains. For more information about how to plan for a firewall that supports software updates, see the Configuring Firewalls section in the Planning for Software Updates in Configuration Manager topic.
  • Synchronize from an upstream data source location¹ ²: Use this setting to synchronize software updates metadata from the upstream synchronization source. The child primary sites and secondary sites are automatically configured to use the parent site URL for this setting. Starting with Configuration Manager SP1, you have the option to synchronize software updates from an existing WSUS server. Specify a URL, such as https://WSUSServer:8531, where 8531 is the port that is used to connect to the WSUS server.

  • Do not synchronize from Microsoft Update or upstream data source: Use this setting to manually synchronize software updates when the software update point at the top-level site is disconnected from the Internet. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.

¹ Starting with Configuration Manager SP1, you have the option to synchronize software updates from a WSUS server that is not in your Configuration Manager hierarchy.

² Starting with Configuration Manager SP1, you have the option to add multiple software update points at a site.

³ In Configuration Manager with no service pack, this setting is Synchronize from an upstream update server.

You can also configure whether to create WSUS reporting events on the Synchronization Source page of the wizard or on the Sync Settings tab in Software Update Point Component Properties. Configuration Manager does not use these events; therefore, you will normally choose the default setting Do not create WSUS reporting events.

Synchronization Schedule

Configure the synchronization schedule on the Synchronization Schedule page of the wizard or in the Software Update Point Component Properties. This setting is configured only on the software update point at the top-level site.

If you enable the schedule, you can configure a recurring simple or custom synchronization schedule. When you configure a simple schedule, the start time is based on the local time for the computer that runs the Configuration Manager console at the time when you create the schedule. When you configure the start time for a custom schedule, it is based on the local time for the computer that runs the Configuration Manager console.

Tip
Schedule software updates synchronization to run by using a timeframe that is appropriate for your environment. One typical scenario is to set the software updates synchronization schedule to run shortly after the Microsoft regular security update release on the second Tuesday of each month, which is normally referred to as Patch Tuesday. Another typical scenario is to set the software updates synchronization schedule to run daily when you use software updates to deliver the Endpoint Protection definition and engine updates.
Note
When you choose not to enable software updates synchronization on a schedule, you can manually synchronize software updates from the All Software Updates or Software Update Groups node in the Software Library workspace. For more information, see the Step 2: Synchronize Software Updates section in this topic.

Supersedence Rules

Configure the supersedence settings on the Supersedence Rules page of the wizard or on the Supersedence Rules tab in Software Update Point Component Properties. You can configure the supersedence rules only on the top-level site.

On this page, you can specify that the superseded software updates are immediately expired, which prevents them from being included in new deployments and flags the existing deployments to indicate that the superseded software updates contain one or more expired software updates. Or, you can specify a period of time before the superseded software updates are expired, which allows you to continue to deploy them. For more information, see the Supersedence Rules section in the Planning for Software Updates in Configuration Manager topic.

Note
For Configuration Manager SP1 only: The Supersedence Rules page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points.

Classifications

Configure the classifications settings on the Classifications page of the wizard, or on the Classifications tab in Software Update Point Component Properties. For more information about software update classifications, see the Update Classifications section in the Planning for Software Updates in Configuration Manager topic.

Note
For Configuration Manager SP1 only: The Classifications page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points.
Tip
When you first install the software update point on the top-level site, clear all of the software updates classifications. After the initial software updates synchronization, configure the classifications from an updated list, and then re-initiate synchronization. This setting is configured only on the software update point at the top-level site.

Products

Configure the product settings on the Products page of the wizard, or on the Products tab in Software Update Point Component Properties.

Note
For Configuration Manager SP1 only: The Products page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points.
Tip
When you first install the software update point on the top-level site, clear all of the products. After the initial software updates synchronization, configure the products from an updated list, and then re-initiate synchronization. This setting is configured only on the software update point at the top-level site.

Languages

Configure the language settings on the Languages page of the wizard, or on the Languages tab in Software Update Point Component Properties. Specify the languages for which you want to synchronize software update files and summary details. The Software Update File setting is configured at each software update point in the Configuration Manager hierarchy. The Summary Details settings are configured only on the top-level software update point. For more information, see the Languages section in the Planning for Software Updates in Configuration Manager topic.

Note
For Configuration Manager SP1 only: The Languages page of the wizard is available only when you install the software update point at the central administration site. You can configure the Software Update File languages at child sites from the Languages tab in Software Update Point Component Properties.

Step 2: Synchronize Software Updates

Software updates synchronization in Configuration Manager is the process of retrieving the software updates metadata that meets the criteria that you configure on the top-level site. The software update point on the top-level site retrieves the metadata from the Microsoft Update website or from an existing WSUS server on a schedule, or you can manually initiate synchronization from the Configuration Manager console. To successfully complete the synchronization, the software update point must have access to its upstream synchronization source. When the software update point is disconnected from the upstream synchronization source, you must use the WSUSUtil tool to export software updates metadata from a software updates source and import the metadata to the disconnected software update point. The following table lists the software update point types and the upstream synchronization source for which the software update point requires access.

| Software update point | Upstream synchronization source |
|---|---|
| Central administration site | Microsoft Update (Internet)¹; Existing WSUS server² |
| Stand-alone primary site | Microsoft Update (Internet)¹; Existing WSUS server² |
| Child primary site | Central administration site |
| Secondary site | Parent primary site |
| Remote Internet-based software update point | Active software update point for the site¹ |

¹ When the software update point is disconnected from the upstream update source, you can manually perform software updates synchronization. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.

² Starting with Configuration Manager SP1, you can specify an existing WSUS server that is not part of your Configuration Manager hierarchy as the upstream synchronization source.
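The WSUSUtil export and import described above for a disconnected software update point, as an added PowerShell example (not from the original topic) that also hashes the transfer set so that it can be checked before import. The wsusutil.exe location, the export.cab file name, the function names, and the separate manifest file are assumptions.

```powershell
# Added example, not the topic's own procedure. Assumptions: default WSUS tools
# path, the file name export.cab, and a manifest kept outside the transfer folder.
$WsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close(); $sha.Clear() }
}

function New-TransferManifest {
    # Writes one "<sha256>  <relative path>" line per file in the transfer folder.
    param([string]$TransferDir, [string]$ManifestPath)
    $root = (Resolve-Path $TransferDir).Path.TrimEnd('\')
    Get-ChildItem $root -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        '{0}  {1}' -f (Get-Sha256 $_.FullName), $_.FullName.Substring($root.Length + 1)
    } | Set-Content -Path $ManifestPath -Encoding UTF8
}

function Test-TransferManifest {
    # Returns $true only if every listed file exists and matches its recorded hash.
    param([string]$TransferDir, [string]$ManifestPath)
    $root = (Resolve-Path $TransferDir).Path
    $entries = @(Get-Content $ManifestPath)
    if ($entries.Count -eq 0) { return $false }
    $ok = $true
    foreach ($entry in $entries) {
        $expected, $relative = $entry -split '  ', 2
        $file = Join-Path $root $relative
        if (-not (Test-Path $file) -or (Get-Sha256 $file) -ne $expected) {
            Write-Warning "Missing file or hash mismatch: $relative"
            $ok = $false
        }
    }
    $ok
}

function Export-WsusMetadata {
    # Run on the connected export server. Files already in the transfer folder
    # (for example, copied license terms files) are covered by the manifest too.
    param([string]$TransferDir, [string]$ManifestPath)
    $package = Join-Path $TransferDir 'export.cab'
    & $WsusUtil export $package (Join-Path $TransferDir 'export.log')
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $package)) { throw 'wsusutil export failed' }
    New-TransferManifest -TransferDir $TransferDir -ManifestPath $ManifestPath
}

function Import-WsusMetadata {
    # Run on the disconnected software update point; refuses to import a
    # transfer set that does not match the manifest.
    param([string]$TransferDir, [string]$ManifestPath)
    if (-not (Test-TransferManifest $TransferDir $ManifestPath)) {
        throw 'Transfer set failed verification; not importing.'
    }
    & $WsusUtil import (Join-Path $TransferDir 'export.cab') (Join-Path $TransferDir 'import.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed with exit code $LASTEXITCODE" }
}

# Offline demonstration of the verification step on a constructed file (no WSUS needed).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('wsus-transfer-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'export.cab') -Value 'constructed stand-in for an export package'
$manifest = "$demo.sha256"
New-TransferManifest -TransferDir $demo -ManifestPath $manifest
"Verified before change: $(Test-TransferManifest $demo $manifest)"
Add-Content -Path (Join-Path $demo 'export.cab') -Value 'altered in transit'
"Verified after change:  $(Test-TransferManifest $demo $manifest)"
Remove-Item $demo, $manifest -Recurse -Force
```

Carry the manifest by a separate path from the media that holds the export, so that a change to the files cannot be hidden by regenerating the hashes alongside them.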

Synchronize Software Updates from a Connected Software Update Point

Synchronize Software Updates from a Disconnected Software Update Point

Classifications

Configure the classifications settings on the Classifications page of the wizard or on the Classifications tab in Software Update Point Component Properties. For more information about software update classifications, see the Update Classifications section in the Planning for Software Updates in Configuration Manager topic.

Note
For Configuration Manager SP1 only: The Classifications page of the wizard is available only when you configure the first software update point on a stand-alone primary site. This page is not displayed when you install additional software update points.
Tip
When you first install the software update point on the top-level site, clear all of the software updates classifications. After the initial software updates synchronization, you must configure the classifications from an updated list, and then reinitiate synchronization. This setting is configured only on the software update point at the top-level site.

Products

Configure the product settings on the Products page of the wizard or on the Products tab in Software Update Point Component Properties.

Note
For Configuration Manager SP1 only: The Products page of the wizard is available only when you configure the first software update point on a stand-alone primary site. This page is not displayed when you install additional software update points.
Tip
When you first install the software update point on the top-level site, clear all of the products. After the initial software updates synchronization, you must configure the products from an updated list, and then reinitiate synchronization. This setting is configured only on the software update point at the top-level site.

Step 3: Configure Classifications and Products to Synchronize

Note
Use the procedure from this section only on the top-level site.

In Step 1, you cleared the list of classifications and products. In Step 2, you initiated software update synchronization to update the list of classifications and products in Configuration Manager and WSUS. In Step 3, you must select the classifications and products to synchronize.

Use the following procedure to configure classifications and products to synchronize.

To configure classifications and products to synchronize

Step 4: Verify Software Updates Client Settings and Group Policy Configurations

There are client settings and group policy configurations that you must verify before you deploy software updates.

Client Settings for Software Updates

Group Policy Settings for Software Updates

Remove the Software Update Point Site System Role

You can remove the software update point site system role at a site from the Configuration Manager console. The client policy is updated to remove the software update point from the list. When you remove the last software update point at the site, the software update point list will contain no software update points, and software updates is essentially disabled at the site. Starting with Configuration Manager SP1, when you have more than one software update point at a primary site and you remove the software update point that is configured as the synchronization source, you must choose another software update point at the site to be the new synchronization source.

Note
When you remove the software update point site role from a site system, wait at least 15 minutes before you reinstall the software update point site role.

Use the following procedure to remove a software update point.

To remove the software update point
