Configuring Software Updates in Configuration Manager

Before the compliance assessment data of the software update displays in the System Center 2012 Configuration Manager console and before you can deploy software updates to client computers, you must complete the following steps: install and configure a software update point, synchronize the software updates metadata, and verify the configuration for settings that are associated with software updates.

When you have a Configuration Manager hierarchy, install and configure the software update point at the central administration site first, and then install and configure the software update points on other sites. Some settings are only available when you configure the software update point on the top-level site, which is the central administration site or the stand-alone primary site. There are different configuration options that you must consider depending on where the software update point is installed. Use the steps in the following table to install and configure the software update point, synchronize software updates, and configure the settings that are associated with software updates.

Configure Software Updates

Use the following steps and procedures in this topic to configure software updates in Configuration Manager.

Step	Details	More information
Step 1: Install and configure a software update point	The software update point is required on the central administration site and on the primary sites to enable the software updates compliance assessment and to deploy software updates to clients. The software update point is optional on secondary sites.	For more information, see the detailed Step 1: Install and Configure a Software Update Point in this topic.
Step 2: Synchronize software updates	Synchronize software updates on a connected software update point The synchronization of software updates is the process of retrieving software updates metadata from the Microsoft Update site and the replication of the metadata to all sites that are enabled for software updates in the Configuration Manager hierarchy. The software update point on the central administration site or on a stand-alone primary site retrieves software updates metadata from Microsoft Update. The child primary sites, secondary sites, and remote Internet-based software update points retrieve the software updates metadata from the software update point that is identified as the upstream update source. You must have access to the upstream update source to successfully synchronize software updates.	For more information, see the detailed Step 2: Synchronize Software Updates in this topic.
Step 2: Synchronize software updates	Synchronize software updates on a disconnected software update point. Automatic synchronization of software updates is not possible when the software update point at the central administration site or stand-alone primary site is disconnected from the Internet, or when an Internet-based software update point is disconnected from the active software update point for the site. To retrieve the latest software updates for a disconnected software update point, you must use the WSUSUtil tool to export the software updates metadata and the license terms files from a software update source, and then you must import the metadata and files to the disconnected software update point.	For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.
Step 3: Configure classifications and products to synchronize	Perform this configuration on the central administration site or stand-alone primary site. After you synchronize software updates without any classifications or products selected, you must configure the software updates classifications and products in the Software Update Point Component properties. After you configure the properties, repeat step 2 to initiate the software updates synchronization to retrieve the software updates that meet the configured criteria for classification and products.	For more information, see the detailed Step 3: Configure Classifications and Products to Synchronize in this topic.
Step 4: Verify software updates client settings and Group Policy configurations	There are Configuration Manager client settings and group policy configurations that are associated with software updates, and that you must verify before you deploy software updates.	For more information, see the detailed Step 4: Verify Software Updates Client Settings and Group Policy Configurations in this topic.

Step 1: Install and Configure a Software Update Point

Important
Before you install the software update point site system role, you must verify that the server meets the required dependencies and determines the software update point infrastructure on the site. For more information about how to plan for software updates and to determine your software update point infrastructure, see Planning for Software Updates in Configuration Manager.

The software update point is required on the central administration site and on the primary sites in order to enable software updates compliance assessment and to deploy software updates to clients. The software update point is optional on secondary sites. The software update point site system role must be created on a server that has WSUS installed. The software update point interacts with the WSUS services to configure the software update settings and to request synchronization of software updates metadata. When you have a Configuration Manager hierarchy, install and configure the software update point on the central administration site first, then on child primary sites, and then optionally, on secondary sites. When you have a stand-alone primary site, not a central administration site, install and configure the software update point on the primary site first, and then optionally, on secondary sites. Some settings are only available when you configure the software update point on a top-level site. There are different options that you must consider depending on where you installed the software update point.

Important
For Configuration Manager SP1 only: Starting with Configuration Manager SP1, you can install more than one software update points on a site. The first software update point that you install is configured as the synchronization source, which synchronizes the updates from Microsoft Update or from the upstream synchronization source. The other software update points on the site are configured as replicas of the first software update point. Therefore, some settings are not available after you install and configure the initial software update point.

Important

For Configuration Manager SP1 only: Starting with Configuration Manager SP1, you can install more than one software update points on a site. The first software update point that you install is configured as the synchronization source, which synchronizes the updates from Microsoft Update or from the upstream synchronization source. The other software update points on the site are configured as replicas of the first software update point. Therefore, some settings are not available after you install and configure the initial software update point.

You can add the software update point site system role to an existing site system server or you can create a new one. On the System Role Selection page of the Create Site System Server Wizard or Add Site System Roles Wizard , depending on whether you add the site system role to a new or existing site server, select Software update point, and then configure the software update point settings in the wizard. The settings are different depending on the version of Configuration Manager that you use. For more information about how to install site system roles, see the Install Site System Roles section in the Install and Configure Site System Roles for Configuration Manager topic.

Use the following sections for information about the software update point settings on a site.

Proxy Server Settings

You can configure the proxy server settings on different pages of the Create Site System Server Wizard or Add Site System Roles Wizard depending on the version of Configuration Manager that you use.

For Configuration Manager SP1 only:

You must configure the proxy server, and then specify when to use the proxy server for software updates. Configure the following settings:

Configure the proxy server settings on the Proxy page of the wizard or on the Proxy tab in Site system Properties. The proxy server settings are site system specific, which means that all site system roles use the proxy server settings that you specify.

Configure whether to use the proxy server when Configuration Manager synchronizes the software updates and when it downloads content by using an automatic deployment rule.

Note
The Use a proxy when downloading content by using automatic deployment rules setting is available but it is not used for a software update point on a secondary site. Only the software update point on the central administration site and primary site downloads content from the Microsoft Update page.

For Configuration Manager with no service pack only:

Configure the proxy server settings on the Active Software Update Point page of the wizard or on the General tab in Software Update Point Component Properties. The proxy server settings are associated only with the software update point at the site.

Important
By default, the Local System account for the server on which an automatic deployment rule was created is used to connect to the Internet and download software updates when the automatic deployment rules run. When this account does not have access to the Internet, software updates fail to download and the following entry is logged to ruleengine.log: Failed to download the update from internet. Error = 12007. Configure the credentials to connect to the proxy server when the Local System account does not have Internet access.

Important

By default, the Local System account for the server on which an automatic deployment rule was created is used to connect to the Internet and download software updates when the automatic deployment rules run. When this account does not have access to the Internet, software updates fail to download and the following entry is logged to ruleengine.log: Failed to download the update from internet. Error = 12007. Configure the credentials to connect to the proxy server when the Local System account does not have Internet access.

WSUS Settings

You must configure WSUS settings on different pages of the wizard, and in some cases, only in the properties for the software update point, also known as Software Update Point Component Properties. Use the information in the following sections to configure the WSUS settings.

WSUS Port Settings

You must configure the WSUS port settings on different pages of the wizard depending on the version of the Configuration Manager that you use.

For Configuration Manager SP1 only:

You must configure the WSUS port settings on the Software Update Point page of the wizard or in the properties of the software update point.

For Configuration Manager with no service pack only:

You can configure the WSUS port settings on the Active Settings page of the wizard or on the General tab in Software Update Point Component Properties.

Warning
You have the option to configure the WSUS port settings for the active Internet-based software update point. For more information, see the Active Internet-Based Software Update Point section in this topic.

To determine the website and port configurations in WSUS, see How to Determine the Port Settings Used by WSUS.

Configure SSL Communications to WSUS

You can use the SSL protocol to help secure the WSUS that runs on the software update point. You can configure SSL on different pages of the wizard depending on the version of Configuration Manager that you use.

For Configuration Manager SP1 only:

You can configure SSL communication on the General page of the wizard or on the General tab in the properties of the software update point.
For Configuration Manager with no service pack only:

You can configure SSL communication on the General tab in Software Update Point Component Properties. This setting is not available in the wizard.

For more information about how to use SSL, see the Deciding Whether to Configure WSUS to Use SSL section in the Planning for Software Updates in Configuration Manager topic.

WSUS Connection Account

You can configure an account to be used by the site server when it connects to WSUS that runs on the software update point. When you do not configure this account, the Configuration Manager uses the computer account for the site server to connect to WSUS. You can configure the account in different places of the wizard depending on the version of Configuration Manager that you use.

For Configuration Manager SP1 only:

You can configure the WSUS Server Connection Account on the General page of the wizard, or on the General tab in the software update point properties.
For Configuration Manager with no service pack only:

You can configure the Software Update Point Connection account on the General tab in Software Update Point Component Properties. This setting is not available in the wizard.

For more information about Configuration Manager accounts, see Technical Reference for Accounts Used in Configuration Manager.

Active Software Update Point

Important
This section is for Configuration Manager with no service pack only.

Specify the active software update point for the site on the Active Settings page of the wizard or on the General tab in Software Update Point Component Properties. In Software Update Point Component Properties, you can change the location for the active software update point or choose to configure the software update point to use NLB. When the active software update point is installed on a remote site system server, the Active software update point and Software Update Point Connection Account settings are available for you to configure.

In Active software update point you can only select the remote site system servers that have the software update point site system role installed. You can have only one active software update point for a site, but multiple site system servers can have the software update point site system role installed and they can be available to select as the active software update.

Important
When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

Active Internet-Based Software Update Point

Important
This section is for Configuration Manager with no service pack.

You can specify the active Internet-based software update point for the site on the Internet-based tab in Software Update Point Component Properties. You can configure the following settings:

Important
The settings on the Internet-based tab are configurable only when the active software update point is configured for intranet-only client connections, where the Allow intranet-only client connections setting is selected on the General tab, and when you have installed a non-active software update point on a remote site system computer.

Internet-based software update point: Specifies whether the Internet-based software update point is configured, and if so, whether it is installed on a remote site system server or configured to use NLB.

Note
When the active software update point only accepts communication from clients on the intranet and the Internet-based software update point is not configured, clients on the Internet will not scan for software updates compliance. When the active software update point is installed on a remote site system server, the Active server name and Software Update Point Connection Account settings are displayed on this page.

Note

When the active software update point only accepts communication from clients on the intranet and the Internet-based software update point is not configured, clients on the Internet will not scan for software updates compliance. When the active software update point is installed on a remote site system server, the Active server name and Software Update Point Connection Account settings are displayed on this page.

Important
When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

Port number: Specifies the HTTP port number that is configured on the WSUS server. The site server uses this port when it communicates with the WSUS server. This setting is configured when you install the software update point.

Tip

For information about how to find the port numbers that are used by WSUS, see How to Determine the Port Settings Used by WSUS.
SSL port number: Specifies the SSL (HTTPS) port number that is configured on the WSUS server. When the Enable SSL for this WSUS server setting is enabled, software updates uses this port when it synchronizes the software updates with the WSUS server. This setting is configured when you install the software update point.
Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or to an active software update point that is configured as an NLB cluster. When this account is not specified, the computer account for the site server is used to connect to the software update point.

Important

The account that is used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.

Tip
For information about how to find the port numbers that are used by WSUS, see How to Determine the Port Settings Used by WSUS.

Important
The account that is used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.

Do not synchronize from the software update point located on the intranet: Specifies that the Internet-based software update point does not synchronize with the active software update point. Select this option if the Internet-based software update point is disconnected from the active software update point. For more information about how to synchronize software updates on a disconnected software updates point, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.

Important
Even though the Internet-based software update point accepts client connections from the Internet only, the web server certificate must contain both the Internet FQDN and the intranet FQDN.

Synchronization Source

You can configure the upstream synchronization source for software updates synchronization on the Synchronization Source page of the wizard, or on the on the Sync Settings tab in Software Update Point Component Properties. Your options for the synchronization source vary depending on the site. For more information, see the Synchronization Source section in the Planning for Software Updates in Configuration Manager topic.

Use the following table for the available options when you configure the software update point at a site.

Site	Available synchronization source options
Central administration site Stand-alone primary site	Synchronize from the Microsoft Update website Synchronize from an upstream data source location¹ Do not synchronize from Microsoft Update or upstream data source
Additional software update points at a site² Child primary site Secondary site	Synchronize from an upstream data source location³

The following list provides more information about each option that you can use as the synchronization source:

Synchronize from Microsoft Update: Use this setting to synchronize software updates metadata from Microsoft Update. The central administration site must have Internet access; otherwise, synchronization will fail. This setting is available only when you configure the software update point on the top-level site.

Note
When there is a firewall between the active software update point and the Internet, the firewall might need to be configured to accept the HTTP and HTTPS ports that are used for the WSUS Web site. You can also choose to restrict access on the firewall to limited domains. For more information about how to plan for a firewall that supports software updates, see the Configuring Firewalls section in the Planning for Software Updates in Configuration Manager topic.

Note

When there is a firewall between the active software update point and the Internet, the firewall might need to be configured to accept the HTTP and HTTPS ports that are used for the WSUS Web site. You can also choose to restrict access on the firewall to limited domains. For more information about how to plan for a firewall that supports software updates, see the Configuring Firewalls section in the Planning for Software Updates in Configuration Manager topic.

Synchronize from an upstream data source location¹ ²: Use this setting to synchronize software updates metadata from the upstream synchronization source. The child primary sites and secondary sites are automatically configured to use the parent site URL for this setting. Starting with Configuration Manager SP1, you have the option to synchronize software updates from an existing WSUS server. Specify a URL, such as https://WSUSServer:8531, where 8531 is the port that is used to connect to the WSUS server.
Do not synchronize from Microsoft Update or upstream data source: Use this setting to manually synchronize software updates when the software update point at the top-level site is disconnected from the Internet. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.

¹Starting with Configuration Manager SP1, you have the option to synchronize software updates from a WSUS server that is not in your Configuration Manager hierarchy.

²Starting with Configuration Manager SP1, you have the option to add multiple software update points at a site.

³In Configuration Manager with no service pack this setting is Synchronize from an upstream update server.

Note
When there is a firewall between the active software update point and the Internet, the firewall might need to be configured to accept the HTTP and HTTPS ports that are used for the WSUS Web site. You can also choose to restrict access on the firewall to limited domains. For more information about how to plan for a firewall that supports software updates, see the Configuring Firewalls section in the Planning for Software Updates in Configuration Manager topic.

Note

You can also configure whether to create WSUS reporting events on the Synchronization Source page of the wizard or on the on the Sync Settings tab in Software Update Point Component Properties. Configuration Manager does not use these events; therefore, you will normally choose the default setting Do not create WSUS reporting events.

Synchronization Schedule

Configure the synchronization schedule on the Synchronization Schedule page of the wizard or in the Software Update Point Component Properties. This setting is configured only on the software update point at the top-level site.

If you enable the schedule, you can configure a recurring simple or custom synchronization schedule. When you configure a simple schedule, the start time is based on the local time for the computer that runs the Configuration Manager console at the time when you create the schedule. When you configure the start time for a custom schedule, it is based on the local time for the computer that runs the Configuration Manager console.

Tip
Schedule software updates synchronization to run by using a timeframe that is appropriate for your environment. One typical scenario is to set the software updates synchronization schedule to run shortly after the Microsoft regular security update release on the second Tuesday of each month, which is normally referred to as Patch Tuesday. Another typical scenario is to set the software updates synchronization schedule to run daily when you use software updates to deliver the Endpoint Protection definition and engine updates.

Tip

Schedule software updates synchronization to run by using a timeframe that is appropriate for your environment. One typical scenario is to set the software updates synchronization schedule to run shortly after the Microsoft regular security update release on the second Tuesday of each month, which is normally referred to as Patch Tuesday. Another typical scenario is to set the software updates synchronization schedule to run daily when you use software updates to deliver the Endpoint Protection definition and engine updates.

Note
When you choose not to enable software updates synchronization on a schedule, you can manually synchronize software updates from the All Software Updates or Software Update Groups node in the Software Library workspace. For more information, see the Step 2: Synchronize Software Updates section in this topic.

Supersedence Rules

Configure the supersedence settings on the Supersedence Rules page of the wizard or on the Supersedence Rules tab in Software Update Point Component Properties. You can configure the supersedence rules only on the top-level site.

On this page, you can specify that the superseded software updates are immediately expired, which prevents them from being included in new deployments and flags the existing deployments to indicate that the superseded software updates contain one or more expired software updates. Or, you can specify a period of time before the superseded software updates are expired, which allows you to continue to deploy them. For more information, see the Supersedence Rules section in the Planning for Software Updates in Configuration Manager topic.

Note
For Configuration Manager SP1 only: The Supersedence Rules page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points.

Classifications

Configure the classifications settings on the Classifications page of the wizard, or the on the Classifications tab in Software Update Point Component Properties. For more information about software update classifications, see the Update Classifications section in the Planning for Software Updates in Configuration Manager topic.

Note
For Configuration Manager SP1 only: The Classifications page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points.

Tip
When you first install the software update point on the top-level site, clear all of the software updates classifications. After the initial software updates synchronization, configure the classifications from an updated list, and then re-initiate synchronization. This setting is configured only on the software update point at the top-level site.

Products

Configure the product settings on the Products page of the wizard, or the on the Products tab in Software Update Point Component Properties.

Note
For Configuration Manager SP1 only: The Products page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points.

Tip
When you first install the software update point on the top-level site, clear all of the products. After the initial software updates synchronization, configure the products from an updated list, and then re-initiate synchronization. This setting is configured only on the software update point at the top-level site.

Languages

Configure the language settings on the Languages page of the wizard, or the on the Languages tab in Software Update Point Component Properties. Specify the languages for which you want to synchronize software update files and summary details. The Software Update File setting is configured at each software update point in the Configuration Manager hierarchy. The Summary Details settings are configured only on the top-level software update point. For more information, see the Languages section in the Planning for Software Updates in Configuration Manager topic.

Note
For Configuration Manager SP1 only: The Languages page of the wizard is available only when you install the software update point at the central administration site. You can configure the Software Update File languages at child sites from the Languages tab in Software Update Point Component Properties.

Step 2: Synchronize Software Updates

Software updates synchronization in Configuration Manager is the process of retrieving the software updates metadata that meets the criteria that you configure on the top-level site. The software update point on the top-level site retrieves the metadata from the Microsoft Update website or from an existing WSUS server on a schedule, or you can manually initiate synchronization from the Configuration Manager console. To successfully complete the synchronization, the software update point must have access to its upstream synchronization source. When the software update point is disconnected from the upstream synchronization source, you must use the WSUSUtil tool to export software updates metadata from a software updates source and import the metadata to the disconnected software update point. The following table lists the software update point types and the upstream synchronization source for which the software update point requires access.

Software update point	Upstream synchronization source
Central administration site	Microsoft Update (Internet)¹ Existing WSUS server²
Stand-alone primary site	Microsoft Update (Internet)¹ Existing WSUS server²
Child primary site	Central administration site
Secondary site	Parent primary site
Remote Internet-based software update point	Active software update point for the site¹

¹When the software update point is disconnected from the upstream update source, you can manually perform software updates synchronization. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.

²Starting with Configuration Manager SP1, you can specify an existing WSUS server that is not part of your Configuration Manager hierarchy as the upstream synchronization source.

Synchronize Software Updates from a Connected Software Update Point

Typically, the software update points in your Configuration Manager hierarchy will have access to the upstream update source. In this scenario, the software update point at the top-level site will connect to the Internet and synchronize software updates from the Microsoft Update site, and then the top-level site will send a synchronization request to other sites to initiate the synchronization process. When a site receives the synchronization request from the top-level site, the software update point for the site retrieves software updates metadata from its upstream synchronization source.

Note
The software update point on child primary sites and secondary sites must be connected to their upstream synchronization source to synchronize software updates. When a software update point is disconnected from its upstream synchronization source, you can use the export and import method to synchronize software updates. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.

Note

The software update point on child primary sites and secondary sites must be connected to their upstream synchronization source to synchronize software updates. When a software update point is disconnected from its upstream synchronization source, you can use the export and import method to synchronize software updates. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.

When software updates synchronization is initiated on a configured schedule, the top-level software update point initiates synchronization with Microsoft Update at the scheduled date and time. The custom schedule allows you to synchronize software updates on a date and time when the demands of the WSUS server, site server, and network are low, for example when it synchronizes every week at 2:00 AM. During the scheduled synchronization, all changes to the software updates metadata since the last scheduled synchronization are inserted into the site database. This includes new software updates metadata or metadata that has been modified, removed, or is now expired. After the synchronization with the upstream synchronization source is complete, a synchronization request is sent to software update points on child primary or secondary sites. You can also manually initiate software updates synchronization on the top-level site in the Configuration Manager console from the All Software Updates node in the Software Library workspace.

Use the following procedures on the top-level site to schedule or to manually initiate software updates synchronization.

To schedule software updates synchronization

In the Configuration Manager console, click Administration.
In the Administration workspace, expand Site Configuration, and then click Sites.
In the results pane, click the central administration site or stand-alone primary site.
On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point.
In the Software Update Point Component Properties dialog box, select Enable synchronization on a schedule, and then specify the synchronization schedule.

To manually initiate software updates synchronization

In the Configuration Manager console that is connected to the central administration site or stand-alone primary site, click Software Library.
In the Software Library workspace, expand Software Updates and click All Software Updates or Software Update Groups.
On the Home tab, in the Create group, click Synchronize Software Updates. Click Yes in the dialog box to confirm that you want to initiate the synchronization process.

After you initiate the synchronization process on the software update point, you can monitor the synchronization process from the Configuration Manager console for all software update points in your hierarchy. Use the following procedure to monitor the software updates synchronization process.

To monitor the software updates synchronization process

In the Configuration Manager console, click Monitoring.
In the Monitoring workspace, click Software Update Point Synchronization Status.

The software update points in your Configuration Manager hierarchy are displayed in the results pane. From this view, you can monitor the synchronization status for all software update points. When you want more detailed information about the synchronization process, you can review the wsyncmgr.log file that is located in <ConfigMgrInstallationPath>\Logs on each site server.

Top of page

Synchronize Software Updates from a Disconnected Software Update Point

When the software update point at the top-level site is disconnected from the Internet, you must use the export and import functions of the WSUSUtil tool to synchronize software updates metadata. Starting with Configuration Manager SP1, you can choose an existing WSUS that is not in your Configuration Manager hierarchy as the synchronization source. This section provides information about how to use the export and import functions of the WSUSUtil tool.

To export and import software updates metadata, you must export software updates metadata from the WSUS database on a specified export server, then copy the locally stored license terms files to the disconnected software update point, and then import the software updates metadata to the WSUS database on the disconnected software update point.

Warning
In Configuration Manager with no service pack, you have the option to synchronize an Internet-based software update point that is disconnected from the active software update point for the site.

Use the following table to identify the export server in which to export the software updates metadata.

Software update point	Upstream update source for connected software update points	Export server for a disconnected software update point
Central administration site	Microsoft Update (Internet) Existing WSUS server²	Choose a WSUS server that is synchronized with Microsoft Update by using the software update classifications, products, and languages that you need in your Configuration Manager environment.
Stand-alone primary site	Microsoft Update (Internet) Existing WSUS server²	Choose a WSUS server that is synchronized with Microsoft Update by using the software update classifications, products, and languages that you need in your Configuration Manager environment.
For Configuration Manager with no service pack only: Remote Internet-based software update point	Active software update point for the site	Choose the software update point for the central administration site or choose the active software update point for the same site, if possible. However, you can choose any other software update point in the Configuration Manager hierarchy as long as it contains the most recent software updates.

Software update point

Upstream update source for connected software update points

Export server for a disconnected software update point

Central administration site

Microsoft Update (Internet)

Existing WSUS server²

Choose a WSUS server that is synchronized with Microsoft Update by using the software update classifications, products, and languages that you need in your Configuration Manager environment.

Stand-alone primary site

Microsoft Update (Internet)

Existing WSUS server²

Choose a WSUS server that is synchronized with Microsoft Update by using the software update classifications, products, and languages that you need in your Configuration Manager environment.

For Configuration Manager with no service pack only:

Remote Internet-based software update point

Active software update point for the site

Choose the software update point for the central administration site or choose the active software update point for the same site, if possible.

However, you can choose any other software update point in the Configuration Manager hierarchy as long as it contains the most recent software updates.

²Starting with Configuration Manager SP1, you can specify an existing WSUS server that is not part of your Configuration Manager hierarchy as the upstream synchronization source.

Before you start the export process, verify that software updates synchronization is completed on the selected export server to ensure that the most recent software updates metadata is synchronized. To verify that software updates synchronization has completed successfully, use the following procedure.

To verify that software updates synchronization has completed successfully on the export server

Open the WSUS Administration console and connect to the WSUS database on the export server.
In the WSUS Administration console, click Synchronizations. A list of the software updates synchronization attempts are displayed in the results pane.
In the results pane, find the latest software updates synchronization attempt and verify that it completed successfully.

Important
The WSUSUtil tool must be run locally on the export server to export the software updates metadata, and it also must be run on the disconnected software update point server to import the software updates metadata. In addition, the user that runs the WSUSUtil tool must be a member of the local Administrators group on each server.

Export Process for Software Updates

The export process for software updates consists of two main steps: to copy the locally stored license terms files to the disconnected software update point, and to export software updates metadata from the WSUS database on the export server.

Use the following procedure to copy the local license terms metadata to the disconnected software update point.

To copy local files from the export server to the disconnected software update point server

On the export server, navigate to the folder where software updates and the license terms for software updates are stored. By default, the WSUS server stores the files at <WSUSInstallationDrive>\WSUS\WSUSContent\, where WSUSInstallationDrive is the drive on which WSUS is installed.
Copy all files and folders from this location to the WSUSContent folder on the disconnected software update point server.

Use the following procedure to export the software updates metadata from the WSUS database on the export server.

To export software updates metadata from the WSUS database on the export server

At the command prompt on the export server, navigate to the folder that contains WSUSutil.exe. By default, the tool is located at %ProgramFiles%\Update Services\Tools. For example, if the tool is located in the default location, type cd %ProgramFiles%\Update Services\Tools.
Type the following to export the software updates metadata to a package file:

wsusutil.exe export packagename logfile

For example:

wsusutil.exe export export.cab export.log

The format can be summarized as follows: WSUSutil.exe is followed by the export option, the name of the export .cab file that is created during the export operation, and the name of a log file. WSUSutil.exe exports the metadata from the export server and creates a log file of the operation.

Note

The package (.cab file) and the log file name must be unique in the current folder.

Note
The package (.cab file) and the log file name must be unique in the current folder.

Move the export package to the folder that contains WSUSutil.exe on the import WSUS server.

Note
If you move the package to this folder, the import experience can be easier. You can move the package to any location that is accessible to the import server, and then specify the location when you run WSUSutil.exe.

Import Software Updates Metadata

Use the following procedure to import software updates metadata from the export server to the disconnected software update point.

Important
Never import any exported data from a source that you do not trust. If you import content from a source that you do not trust, it might compromise the security of your WSUS server.

To import metadata to the database of the import server

At the command prompt on the import WSUS server, navigate to the folder that contains WSUSutil.exe. By default, the tool is located at %ProgramFiles%\Update Services\Tools.
Type the following:

wsusutil.exe import packagename logfile

For example:

wsusutil.exe import export.cab import.log

The format can be summarized as follows: WSUSutil.exe is followed by the import command, the name of package file (.cab) that is created during the export operation, the path to the package file if it is in a different folder, and the name of a log file. WSUSutil.exe imports the metadata from the export server and creates a log file of the operation.

Top of page

Classifications

Configure the classifications settings on the Classifications page of the wizard or the on the Classifications tab in Software Update Point Component Properties. For more information about software update classifications, see the Update Classifications section in the Planning for Software Updates in Configuration Manager topic.

Note
For Configuration Manager SP1 only: The Classifications page of the wizard is available only when you configure the first software update point that you configure on a stand-alone primary site. This page is not displayed when you install additional software update points.

Tip
When you first install the software update point on the top-level site, clear all of the software updates classifications. After the initial software updates synchronization, you must configure the classifications from an updated list, and then reinitiate synchronization. This setting is configured only on the software update point at the top-level site.

Products

Configure the product settings on the Products page of the wizard or the on the Products tab in Software Update Point Component Properties.

Note
For Configuration Manager SP1 only: The Products page of the wizard is available only when you configure the first software update point that you configure on a stand-alone primary site. This page is not displayed when you install additional software update points.

Tip
When you first install the software update point on the top-level site, clear all of the products. After the initial software updates synchronization, you must configure the products from an updated list, and then reinitiate synchronization. This setting is configured only on the software update point at the top-level site.

Step 3: Configure Classifications and Products to Synchronize

Note
Use the procedure from this section only on the top-level site.

In Step 1, you cleared the list classifications and products. In Step 2, you initiated software update synchronization to update the list of classifications and products in Configuration Manager and WSUS. In step 3, you must select the classifications and products to synchronize.

Use the following procedure to configure classifications and products to synchronize.

To configure classifications and products to synchronize

In the Configuration Manager console, click Administration.
In the Administration workspace, expand Site Configuration, click Sites, and then select the central administration site or stand-alone primary site.
On the Home tab, in the Settings group, click Configure Site Components, and then click Software Update Point.

On the Classifications tab, specify the software update classifications for which you want to synchronize software updates.

Note
Every software update is defined with an update classification that helps to organize the different types of updates. During the synchronization process, the software updates metadata for the specified classifications are synchronized. Configuration Manager provides the ability to synchronize software updates with the following update classifications: Critical Updates: Specifies a broadly released update for a specific problem that addresses a critical, non-security-related bug. Definition Updates: Specifies an update to virus or other definition files. Feature Packs: Specifies new product features that are distributed outside of a product release and that are typically included in the next full product release. Security Updates: Specifies a broadly released update for a product-specific, security-related issue. Service Packs: Specifies a cumulative set of hotfixes that are applied to an application. These hotfixes can include: security updates, critical updates, software updates, and so on. Tools: Specifies a utility or feature that helps to complete one or more tasks. Update Rollups: Specifies a cumulative set of hotfixes that are packaged together for easy deployment. These hotfixes can include security updates, critical updates, updates, and so on. An update rollup generally addresses a specific area, such as security or a product component. Updates: Specifies an update to an application or file that is currently installed.

Note

Every software update is defined with an update classification that helps to organize the different types of updates. During the synchronization process, the software updates metadata for the specified classifications are synchronized. Configuration Manager provides the ability to synchronize software updates with the following update classifications:

Critical Updates: Specifies a broadly released update for a specific problem that addresses a critical, non-security-related bug.
Definition Updates: Specifies an update to virus or other definition files.
Feature Packs: Specifies new product features that are distributed outside of a product release and that are typically included in the next full product release.
Security Updates: Specifies a broadly released update for a product-specific, security-related issue.
Service Packs: Specifies a cumulative set of hotfixes that are applied to an application. These hotfixes can include: security updates, critical updates, software updates, and so on.
Tools: Specifies a utility or feature that helps to complete one or more tasks.
Update Rollups: Specifies a cumulative set of hotfixes that are packaged together for easy deployment. These hotfixes can include security updates, critical updates, updates, and so on. An update rollup generally addresses a specific area, such as security or a product component.
Updates: Specifies an update to an application or file that is currently installed.

On the Products tab, specify the products for which you want to synchronize software updates, and then click Close.

Note

The metadata for each software update defines the products for which the update is applicable. A product is a specific edition of an operating system or application, such as Windows Server 2008. A product family is the base operating system or application from which the individual products are derived. An example of a product family is Windows, of which Windows Server 2008 is a member. You can specify a product family or individual products within a product family. The more products that you select, the longer it will take to synchronize software updates.When software updates are applicable to multiple products, and at least one of the products was selected for synchronization, all of the products will appear in the Configuration Manager console even if some products were not selected. For example, if Windows Server 2008 is the only operating system that you selected, and if a software update applies to Windows 7 and Windows Server 2008, both products will be displayed in the Configuration Manager console.

Important

Configuration Manager stores a list of products and product families from which you can choose when you first install the software update point. Products and product families that are released after Configuration Manager is released might not be available to select until you complete software updates synchronization, which updates the list of available products and product families from which you can choose.

Repeat Step 2: Synchronize Software Updates to manually initiate software updates synchronization.

Step 4: Verify Software Updates Client Settings and Group Policy Configurations

There are client settings and group policy configurations that you must verify before you deploy software updates.

Client Settings for Software Updates

Group Policy Settings for Software Updates

There are specific Group Policy settings that are used by Windows Update Agent (WUA) on client computers to connect to WSUS that runs on the software updates point. These Group Policy settings are also used to successfully scan for software update compliance, and to automatically update the software updates and the WUA.

Specify Intranet Microsoft Update Service Location Local Policy

When the software update point is created for a site, clients receive a machine policy that provides the software update point server name and configures the Specify intranet Microsoft update service location local policy on the computer. The WUA retrieves the server name that is specified in the Set the intranet update service for detecting updates setting, and then it connects to this server when it scans for software updates compliance. When a domain policy is created for the Specify intranet Microsoft update service location setting, it overrides the local policy, and the WUA might connect to a server other than the active software update point. If this happens, the client might scan for software update compliance based on different products, classifications, and languages. Therefore, you should not configure the Active Directory policy for client computers.

Allow Signed Content from Intranet Microsoft Update Service Location Group Policy

You must enable the Allow signed content from intranet Microsoft update service location Group Policy setting before the WUA on computers will scan for software updates that were created and published with System Center Updates Publisher. When the policy setting is enabled, WUA will accept software updates that are received through an intranet location if the software updates are signed in the Trusted Publishers certificate store on the local computer. For more information about the Group Policy settings that are required for Updates Publisher, see Updates Publisher 2011 Documentation Library.

Automatic Updates Configuration

Automatic Updates allows security updates and other important downloads to be received on client computers. Automatic Updates is configured through the Configure Automatic Updates Group Policy setting or through the Control Panel on the local computer. When Automatic Updates is enabled, client computers will receive update notifications and, depending on the configured settings, the client computers will download and install the required updates. When Automatic Updates coexists with software updates, each client computer might display notification icons and popup display notifications for the same update. Also, when a restart is required, each client computer might display a restart dialog box for the same update.

Self Update

When Automatic Updates is enabled on client computers, the WUA automatically performs a self-update when a newer version becomes available or when there are problems with a WUA component. When Automatic Updates is not configured or is disabled, and client computers have an earlier version of the WUA, the client computers must run the WUA installation file.

Remove the Software Update Point Site System Role

You can remove the software update point site system role at a site from the Configuration Manager console. The client policy is updated to remove the software update point from the list. When you remove the last software update point at the site, the software update point list will contain no software update points, and software updates is essentially disabled at the site. Starting with Configuration Manager SP1, when you have more than one software update point at a primary site and you remove the software update point that is configured as the synchronization source, you must choose another software update point at the site to be the new synchronization source.

Note
When you remove the software update point site role from a site system, wait at least 15 minutes before you reinstall the software update point site role.

Use the following procedure to remove a software update point.

Configure Software Updates

Step 1: Install and Configure a Software Update Point

Proxy Server Settings

WSUS Settings

WSUS Port Settings

Configure SSL Communications to WSUS

WSUS Connection Account

Active Software Update Point

Active Internet-Based Software Update Point

Synchronization Source

Synchronization Schedule

Supersedence Rules

Classifications

Products

Languages

Step 2: Synchronize Software Updates

Synchronize Software Updates from a Connected Software Update Point

To schedule software updates synchronization

To manually initiate software updates synchronization

To monitor the software updates synchronization process

Synchronize Software Updates from a Disconnected Software Update Point

To verify that software updates synchronization has completed successfully on the export server

Export Process for Software Updates

To copy local files from the export server to the disconnected software update point server

To export software updates metadata from the WSUS database on the export server

Import Software Updates Metadata

To import metadata to the database of the import server

Classifications

Products

Step 3: Configure Classifications and Products to Synchronize

To configure classifications and products to synchronize

Step 4: Verify Software Updates Client Settings and Group Policy Configurations

Client Settings for Software Updates

Group Policy Settings for Software Updates

Specify Intranet Microsoft Update Service Location Local Policy

Allow Signed Content from Intranet Microsoft Update Service Location Group Policy

Automatic Updates Configuration

Self Update

Remove the Software Update Point Site System Role

To remove the software update point

See Also

Concepts