Before you implement software updates in System Center 2012 Configuration Manager in a production environment, you must first plan for this implementation. Use the following sections in this topic to plan for software updates in your Configuration Manager hierarchy:

Capacity Planning Recommendations for Software Updates

You can use the following recommendations as a baseline that can help you determine the information for the software updates capacity planning that is appropriate to your organization. The actual capacity requirements might vary from the recommendations that are listed in this topic depending on the following criteria: your specific networking environment, the hardware that you use to host the software update point site system, the number of clients that are installed, and the site system roles that are installed on the server.

Capacity Planning for the Software Update Point

The number of supported clients depends on the version of Windows Server Update Services (WSUS) that runs on the software update point, and it also depends on whether the software update point site system role co-exists with another site system role.

  • The software update point can support up to 25,000 clients¹ when WSUS 3.0 Service Pack 2 (SP2) runs on the software update point computer and the software update point co-exists with another site system role.

  • The software update point can support up to 100,000 clients² when WSUS 3.0 SP2 runs on the software update point computer and the software update point does not co-exist with another site system role.

¹ To support more than 25,000 clients, the software update point can be configured to use Network Load Balancing (NLB).

² To support up to 100,000 clients, the software update point must meet the WSUS requirements. For more information, see Determine WSUS Capacity Requirements.

Capacity Planning for Software Updates Objects

Use the following capacity information to plan for software updates objects.

  • Limit of 1000 software updates in a deployment

    You must limit the number of software updates to 1000 for each software update deployment. When you create an automatic deployment rule, specify criteria that limit the number of software updates that are returned. The automatic deployment rule fails when the criteria that you specify return more than 1000 software updates. You can check the status of the automatic deployment rule from the Automatic Deployment Rules node in the Configuration Manager console. When you manually deploy software updates, do not select more than 1000 updates to deploy.

Determine the Software Update Point Infrastructure

The central administration site and all child primary sites must have a software update point where you will deploy software updates. As you plan for the software update point infrastructure, you need to determine the following dependencies: where to install the software update point for the site; which sites require a software update point that accepts communication from Internet-based clients; whether you will configure the software update point as an NLB cluster; and whether you need a software update point at a secondary site.

Important
For information about the internal and external dependencies that are required for software updates, see Prerequisites for Software Updates in Configuration Manager.

Software Update Points in Configuration Manager SP1

Important
The information in this section applies only to Configuration Manager SP1.

Use the following sections to determine the software update point infrastructure in Configuration Manager SP1.

Starting with Configuration Manager SP1, you can add multiple software update points at a Configuration Manager primary site. Multiple software update points at a site provide fault tolerance without the complexity of NLB. However, the failover that multiple software update points provide is designed for fault tolerance rather than for load balancing, and it is not as robust as NLB for pure load balancing. The failover design for software update points also differs from the pure randomization model that is used for management points. Unlike management points, switching to a new software update point carries client and network performance costs: when a client switches to a new WSUS server to scan for software updates, the result is an increase in the catalog size and in the associated client-side and network performance demands. Therefore, the client preserves affinity with the last software update point on which it successfully scanned.

The first software update point that you install on a primary site is the synchronization source for all additional software update points that you add at the primary site. After you have added your software update points and initiated software updates synchronization, you can view the status of the software update points and the synchronization source from the Software Update Point Synchronization Status node in the Monitoring workspace.

When a software update point fails, and that software update point is configured as the synchronization source for the other software update points at the site, you must manually remove the failed software update point and select a new software update point to use as the synchronization source. For more information about how to remove a software update point, see the Remove the Software Update Point Site System Role section in the Configuring Software Updates in Configuration Manager topic.

Upgrade from Configuration Manager with No Service Pack to Configuration Manager SP1

When you upgrade an existing Configuration Manager with no service pack site to Configuration Manager SP1, consider the following:

  • Before you upgrade from Configuration Manager with no service pack to Configuration Manager SP1, you must remove the NLB for your active software update point. After the upgrade is complete, you have the option to reconfigure the NLB by using Windows PowerShell. For more information about how to switch a software update point, see the Software Update Point Switching section in this topic.

  • When you have an active Internet-based software update point in a Configuration Manager with no service pack site, and then you upgrade the site to Configuration Manager SP1, the active Internet-based software update point is upgraded to a software update point in the software update point list that allows connections only from clients on the Internet.

  • If you have an active software update point (SUP01) in a Configuration Manager with no service pack site, upgrade the site to Configuration Manager SP1, and then add a second software update point (SUP02), the existing clients are automatically assigned to SUP01 and switch to SUP02 only after a failed scan. New clients that are installed after the upgrade are randomly assigned to SUP01 or SUP02. For more information about the software update point list, see the Software Update Point List section in this topic.

Software Update Point List

Configuration Manager provides the client with a software update point list in the following scenarios: when a new client receives the policy to enable software updates, or when a client cannot contact its software update point and needs to switch to another software update point. The client randomly selects a software update point from the list, and it prioritizes the software update points that are in the same forest. Configuration Manager provides clients with a different list depending on the type of client.

  • Intranet-based clients: Receive a list of software update points that you can configure to allow connections only from the intranet, or a list of software update points that allow Internet and intranet client connections.

  • Internet-based clients: Receive a list of software update points that you configure to allow connections only from the Internet, or a list of software update points that allow Internet and intranet client connections.

Software Update Point Switching

If you have multiple software update points at a site, and then one fails or becomes unavailable, clients will connect to a different software update point and continue to scan for the latest software updates. When a client is first assigned a software update point, it will stay assigned to that software update point unless it fails to scan for software updates on that software update point.

Note
If you have an active software update point (SUP01) in a Configuration Manager with no service pack site, upgrade the site to Configuration Manager SP1, and then add a second software update point (SUP02), the existing clients switch to SUP02 only after a failed scan. New clients that are installed after the upgrade to Configuration Manager SP1 are randomly assigned to SUP01 or SUP02.

The scan for software updates can fail with a number of different retry and non-retry error codes. When the scan fails with a retry error code, the client starts a retry process to scan for the software updates on the software update point. The high-level conditions that result in a retry error code are typically because the WSUS server is unavailable or because it is temporarily overloaded. The client uses the following process when it fails to scan for software updates:

  1. The client scans for software updates at its scheduled time, or when it is initiated through the control panel on the client, or by using the SDK. If the scan fails, the client waits 30 minutes to retry the scan, and it uses the same software update point.

  2. The client retries a minimum of four times at 30-minute intervals. After the fourth failure, and after it waits an additional two minutes, the client will move to the next software update point in the software update point list.

  3. After a successful scan, the client will continue to connect to the software update point.

The following list provides additional information that you can consider for software update point retry and switching scenarios:

  • If a client is disconnected from the corporate intranet and fails to scan for software updates, it will not switch to another software update point. This is an expected failure, because the client cannot reach the corporate network or the software update point that allows connection from the intranet. The Configuration Manager client determines the availability of the intranet software update point.

  • If Internet-based client management is enabled, and there are multiple software update points that are configured to accept communication from clients on the Internet, the switching process will follow the standard retry process that is described in the previous scenario.

  • If the scan process started, but the client was powered down before the scan completed, it is not considered a scan failure and it does not count as one of the four retries.

Software Update Points in an Untrusted Forest

You can create one or more software update points at a site to support clients in an untrusted forest. To add a software update point in another forest, you must first install and configure a WSUS server in the forest. Then start the wizard to add a Configuration Manager site server with the software update point site system role. In the wizard, configure the following settings to successfully connect to WSUS in the untrusted forest:

  • Specify a Site System Installation account that can access the WSUS server in the forest.

  • Specify the WSUS Server Connection account to use to connect to the WSUS server.

For example, you have a primary site in forest A with two software update points (SUP01 and SUP02). Also, for the same primary site you have two software update points (SUP03 and SUP04) in forest B. When the switching occurs in this example, the software update points from the same forest as the client are prioritized first.

Use an Existing WSUS Server as the Synchronization Source at the Top-Level Site

Typically, the top-level site in your hierarchy is configured to synchronize software updates metadata with Microsoft Update. When your corporate security policy does not allow access to the Internet from the top-level site, you can configure the synchronization source for the top-level site to use an existing WSUS server that is not in your Configuration Manager hierarchy. For example, you might have a WSUS server installed in your DMZ that has Internet access, but your top-level site does not. You can configure the WSUS server in the DMZ as your synchronization source for software updates metadata. You must ensure that the WSUS server in the DMZ synchronizes software updates that meet the criteria that you need in your Configuration Manager hierarchy. Otherwise, the top-level site might not synchronize the software updates that you expect. When you install the software update point, configure a WSUS connection account that has access to the WSUS server in the DMZ and confirm that the firewall permits traffic for the appropriate ports. For more information about the ports that are used by the software update point to the synchronization source, see the Software Update Point --> Upstream WSUS Server section in the Technical Reference for Ports Used in Configuration Manager topic.

Software Update Point Configured to Use an NLB

Starting with Configuration Manager SP1, software update point switching will likely address the fault tolerance needs that you have. However, NLB is more robust than software update point failover for pure load balancing, and NLB can increase the reliability and performance of a network. Though there is no option in the Configuration Manager console to configure the software update point to use NLB, you have the option to configure NLB by using the Set-CMSoftwareUpdatePoint PowerShell cmdlet. For more information about the Set-CMSoftwareUpdatePoint PowerShell cmdlet, see the Set-CMSoftwareUpdatePoint topic in the System Center 2012 Configuration Manager SP1 Cmdlet Reference guide.

Note
Before you upgrade from Configuration Manager with no service pack to Configuration Manager SP1, you must remove the NLB from your active software update point. After the upgrade is complete, you have the option to reconfigure the NLB by using Windows PowerShell.

Software Update Point on a Secondary Site

The software update point is optional on a secondary site. When you install a software update point on a secondary site, the WSUS database is configured as a replica of the default software update point at the parent primary site. You can install only one software update point at a secondary site. The devices that are assigned to a secondary site are configured to use a software update point at the parent site when a software update point is not installed at the secondary site. Typically, you will install a software update point at a secondary site when there is limited network bandwidth between the devices that are assigned to the secondary site and the software update points at the parent primary site, or when the software update point approaches the capacity limit. After a software update point is successfully installed and configured at the secondary site, a site-wide policy is updated for client computers that are assigned to the site, and they will start to use the new software update point.

Software Update Points in Configuration Manager with No Service Pack

Important
The information in this topic applies only to Configuration Manager with no service pack.

Use the following sections to determine the software update point infrastructure in Configuration Manager with no service pack.

Note
For more information about how to install a software update point in an untrusted forest, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic.

Active Software Update Point

The central administration site and all child primary sites in the Configuration Manager hierarchy must have an active software update point to support software update deployments to client computers. The active software update point on a primary site uses the central administration site as the synchronization source. The software update point communicates with WSUS to configure settings and to synchronize software updates. You can configure the active software update point to accept communication only from clients on the intranet or to accept communication from clients on the intranet and Internet. When the active software update point is not configured to accept communication from clients on the Internet, you have the option to create an Internet-based software update point on a remote site system. You can add the software update site role to a secondary site, or client computers at the secondary site can connect directly to the active software update point on the parent primary site.

Internet-Based Software Update Point

The Internet-based software update point accepts communication from client computers on the Internet. You can create the Internet-based software update point only when the active software update point is not configured to accept communication from client computers on the Internet. You must install the Internet-based software update point on a site system that is remote from the site server, located in a perimeter network, and accessible to Internet-based client computers. The Internet-based software update point synchronizes with the active software update point at the same site by default. When the Internet-based software update point is disconnected from the active software update point, you can manually synchronize software updates by using the export and import process. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.

Active Software Update Point Configured to Use an NLB

NLB can increase the reliability and performance of a network. You can set up multiple WSUS servers that share a single SQL Server failover cluster, and then configure a software update point to use NLB. If you configure the active software update point site system in an NLB cluster, it does not necessarily increase client capacity, but it might provide higher availability for the software update point. Before you configure the software update point to use an NLB cluster, you must complete several configuration steps. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

Software Update Point on a Secondary Site

The software update point is optional on a secondary site. When you install a software update point on a secondary site, the WSUS database is configured as a replica instead of an autonomous WSUS instance that is used when you install the software update point on a primary site or central administration site.

The devices that are assigned to a secondary site are configured to use the active software update point at the parent site when a software update point is not configured at the secondary site. Typically, you will install a software update point at a secondary site when there is limited network bandwidth between devices that are assigned to the secondary site and the software update points at the parent primary site, or when the software update point approaches the capacity limit. After a software update point is successfully installed and configured at the secondary site, a site-wide policy is updated for client computers that are assigned to the site, and they will start to use the new software update point.

Planning for Software Update Point Installation

Before you create a software update point site system role in Configuration Manager, there are several requirements that you must consider, depending on your Configuration Manager infrastructure. When you configure the software update point to communicate by using SSL, this section is especially important to review, because you must take additional steps so that the software update points in your hierarchy work properly. This section provides information about the steps that you must take to successfully plan and prepare for the software update point installation.

Requirements for the Software Update Point

The software update point site system role must be installed on a site system that meets the minimum requirements for WSUS and the supported configurations for Configuration Manager site systems.

  1. For more information about the minimum requirements for WSUS 3.0 SP2, see Confirm WSUS 3.0 SP2 installation requirements in the Windows Server Update Services 3.0 SP2 documentation library.

  2. For more information about the minimum requirements for the WSUS server role in Windows Server 2012, see Step 1: Prepare for Your WSUS Deployment in the Windows Server 2012 documentation library.

  3. For more information about the supported configurations for Configuration Manager site systems, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic.

Plan for WSUS Installation

The software updates feature requires that a supported version of WSUS is installed on all site system servers that you configure for the software update point site system role. Additionally, when you do not install the software update point on the site server, you must install the WSUS Administration Console on the site server computer, if it is not already installed. This allows the site server to communicate with the WSUS that runs on the software update point.

When you use WSUS on Windows Server 2012, you must configure additional permissions to allow the WSUS Configuration Manager component of Configuration Manager to connect to WSUS so that it can perform periodic health checks. Choose one of the following options to configure the permissions:

  • Add the SYSTEM account to the WSUS Administrators group

  • Add the NT AUTHORITY\SYSTEM account as a user for the WSUS database (SUSDB) and configure a minimum of the webService database role membership
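The following Windows PowerShell function is an added example, not part of the original topic, that implements the second option: it grants NT AUTHORITY\SYSTEM only the webService database role in SUSDB, which is the lower-privilege choice compared with making SYSTEM a member of the WSUS Administrators group. It assumes SUSDB is hosted in the Windows Internal Database (WID) on Windows Server 2012, reachable through the named pipe \\.\pipe\MICROSOFT##WID\tsql\query; pass -ServerInstance to target a full SQL Server instance instead. The function name, parameters and the verification query are this example's own, not Configuration Manager or WSUS tooling.

```powershell
# Added example: grant NT AUTHORITY\SYSTEM the webService role in SUSDB so the
# WSUS Configuration Manager component can run its health checks without the
# SYSTEM account becoming a full WSUS administrator.
# Assumption: SUSDB is in the Windows Internal Database on Windows Server 2012.
# Override -ServerInstance (for example 'SQL01\WSUS') for a SQL Server instance.
function Grant-SusdbWebServiceRole {
    [CmdletBinding()]
    param(
        [string]$ServerInstance = 'np:\\.\pipe\MICROSOFT##WID\tsql\query',
        [string]$Database       = 'SUSDB',
        [string]$Principal      = 'NT AUTHORITY\SYSTEM',
        [string]$Role           = 'webService'
    )

    # Idempotent T-SQL: create the login and database user only if they are
    # missing, then add the user to the role only if it is not already a member.
    $grantSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Principal')
    CREATE LOGIN [$Principal] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Principal')
    CREATE USER [$Principal] FOR LOGIN [$Principal];
IF NOT EXISTS (
    SELECT 1 FROM sys.database_role_members rm
      JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
      JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
     WHERE r.name = N'$Role' AND m.name = N'$Principal')
    EXEC sp_addrolemember N'$Role', N'$Principal';
"@

    # Verification: 1 when the principal is a member of the role, otherwise 0.
    $verifySql = @"
SELECT COUNT(*) FROM sys.database_role_members rm
  JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
  JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
 WHERE r.name = N'$Role' AND m.name = N'$Principal';
"@

    $connectionString = "Server=$ServerInstance;Database=$Database;Integrated Security=True"
    $connection = New-Object System.Data.SqlClient.SqlConnection $connectionString
    try {
        $connection.Open()

        $cmd = $connection.CreateCommand()
        $cmd.CommandText = $grantSql
        [void]$cmd.ExecuteNonQuery()

        $cmd.CommandText = $verifySql
        $memberCount = [int]$cmd.ExecuteScalar()

        [pscustomobject]@{
            ServerInstance = $ServerInstance
            Database       = $Database
            Principal      = $Principal
            Role           = $Role
            IsMember       = ($memberCount -eq 1)
        }
    }
    finally {
        $connection.Dispose()
    }
}

# Usage (run from an elevated PowerShell session on the WSUS server):
# Grant-SusdbWebServiceRole                               # WID on Windows Server 2012
# Grant-SusdbWebServiceRole -ServerInstance 'SQL01\WSUS'  # SUSDB on a SQL Server instance
```

The returned IsMember value is what you would record as evidence that the permission is in place; rerunning the function is safe because every statement checks for the object before creating it.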

For more information about how to install WSUS 3.0 SP2, see Install WSUS Server or Administration Console in the Windows Server Update Services 3.0 SP2 documentation library.

For more information about how to install WSUS on Windows Server 2012, see Install the WSUS Server Role in the Windows Server 2012 documentation library.

For Configuration Manager SP1 only:

When you install more than one software update point at a primary site, use the same WSUS database for each software update point in the same Active Directory forest. Sharing the same database significantly mitigates, but does not completely eliminate, the client and network performance impact that you might experience when clients switch to a new software update point. A delta scan still occurs when a client switches to a new software update point that shares a database with the old software update point, but the scan is much smaller than it would be if the WSUS server had its own database.

Configure WSUS to Use a Custom Web Site

When you install WSUS, you have the option to use the existing IIS Default website, or to create a custom WSUS website. Create a custom website for WSUS so that IIS hosts the WSUS services in a dedicated virtual website, instead of sharing the same website that is used by the other Configuration Manager site systems or other applications. This recommendation is especially important when you install the software update point site system role on the site server. When you run WSUS in Windows Server 2012 or you configure a custom website for WSUS 3.0 SP2, WSUS is configured by default to use port 8530 for HTTP and port 8531 for HTTPS. You must specify these port settings when you create the software update point at a site.

Use an Existing WSUS Infrastructure

You can use a WSUS server that was active in your environment before you installed Configuration Manager. When the software update point is configured, you must specify the synchronization settings. Configuration Manager connects to the WSUS that runs on the software update point and configures the WSUS server with the same settings. If the WSUS server was previously synchronized with products or classifications that you did not configure as part of the software update point synchronization settings, the metadata for those products and classifications is synchronized as well, because Configuration Manager synchronizes all of the software updates metadata in the WSUS database regardless of the synchronization settings for the software update point. This might result in unexpected software updates metadata in the site database. You will experience the same behavior when you add products or classifications directly in the WSUS Administration console, and then immediately initiate synchronization. Every hour, by default, Configuration Manager connects to the WSUS that runs on the software update point and resets any settings that were modified outside of Configuration Manager.

Starting with Configuration Manager SP1, the software updates that do not meet the products and classifications that you specify in synchronization settings are set to expired, and then they are removed from the site database.

Configure WSUS as a Replica Server

When you create a software update point site system role on a primary site server, you cannot use a WSUS server that is configured as a replica. When the WSUS server is configured as a replica, Configuration Manager fails to configure the WSUS server, and the WSUS synchronization fails as well. When a software update point is created on a secondary site, Configuration Manager configures WSUS to be a replica server of the WSUS that runs on the software update point at the parent primary site. Starting with Configuration Manager SP1, the first software update point that you install at a primary site is the default software update point. Additional software update points at the site are configured as replicas of the default software update point.

Decide Whether to Configure WSUS to Use SSL

You can use the SSL protocol to help secure the WSUS that runs on the software update point. WSUS uses SSL to authenticate client computers and downstream WSUS servers to the WSUS server. WSUS also uses SSL to encrypt software update metadata. When you choose to secure WSUS with SSL, you must prepare the WSUS server before you install the software update point. For more information about how to configure WSUS for SSL, see Secure WSUS with the Secure Sockets Layer Protocol in the WSUS 3.0 SP2 documentation library.

When you install and configure the software update point, you must select the Enable SSL communications for the WSUS Server setting. Otherwise, Configuration Manager will configure WSUS not to use SSL. When you enable SSL for WSUS that runs on a software update point, WSUS that runs on the software update point at any child sites must also be configured to use SSL.

Configure Firewalls

Software updates on a Configuration Manager central administration site communicate with the WSUS that runs on the software update point, which in turn communicates with the synchronization source to synchronize software updates metadata. Software update points on a child site communicate with the software update point at the parent site. When there is a remote active Internet-based software update point at a Configuration Manager with no service pack site, the site server must communicate with the active Internet-based software update point, and the Internet-based software update point must communicate with the active software update point of the site, so that the synchronization completes successfully. Starting with Configuration Manager SP1, when there is more than one software update point at a primary site, the additional software update points must communicate with the first software update point that is installed at the site, which is the default software update point.

The firewall might need to be configured to accept the HTTP or HTTPS ports that are used by WSUS in the following scenarios: when you have a corporate firewall between the Configuration Manager software update point and the Internet; between a software update point and its upstream synchronization source; between an active Internet-based software update point and the active software update point for a Configuration Manager with no service pack site; or between the additional software update points and the default software update point at a Configuration Manager SP1 site. The connection to Microsoft Update is always configured to use port 80 for HTTP and port 443 for HTTPS. You can use a custom port for the connection from WSUS that runs on the software update point at a child site to WSUS that runs on the software update point at the parent site. During software updates synchronization, WSUS that runs on the Internet-based software update point always connects to WSUS that runs on the active software update point by using HTTPS. When your security policy does not allow an HTTPS connection, you must use the export and import synchronization method. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic. For more information about the ports that are used by WSUS, see How to Determine the Port Settings Used by WSUS.
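The following Windows PowerShell function is an added example, not part of the original topic, that checks the two things this section and the preceding Decide Whether to Configure WSUS to Use SSL section ask you to verify before installing a software update point: that the WSUS port (8530/8531 for a custom website, 80/443 toward Microsoft Update) is reachable through the firewall from the machine you run it on, and, when SSL is in use, whether the certificate the upstream WSUS server presents would pass the chain and host-name checks that WSUS-over-SSL relies on. The function name, its parameters and all host names in the usage lines are this example's own placeholders, not Configuration Manager or WSUS tooling.

```powershell
# Added example: from a (downstream) software update point, test reachability of
# its upstream synchronization source on the WSUS port and, for HTTPS, inspect the
# certificate. Results are reported as properties rather than thrown, so a
# failing chain or name mismatch is visible at a glance.
# Host names and ports in the usage lines are placeholders for your environment.
function Test-WsusEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string]$ComputerName,
        [int]$Port = 8530,          # WSUS custom website default; 8531 for HTTPS
        [switch]$UseSsl,
        [int]$TimeoutMs = 5000
    )

    $result = [ordered]@{
        ComputerName = $ComputerName
        Port         = $Port
        TcpReachable = $false
        Handshake    = $null        # $true/$false once an SSL handshake is attempted
        ChainValid   = $null
        ChainStatus  = $null
        NameMatches  = $null
        CertSubject  = $null
        CertExpires  = $null
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with an explicit timeout: a firewall that silently drops the
        # packets would otherwise stall the check for the OS default timeout.
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]$result
        }
        $client.EndConnect($pending)
        $result.TcpReachable = $true
        if (-not $UseSsl) { return [pscustomobject]$result }

        # Accept any certificate during the handshake so it can be inspected;
        # the validation that matters is performed explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $result.Handshake = $ssl.IsAuthenticated

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertSubject = $cert.Subject
        $result.CertExpires = $cert.NotAfter

        # Chain check against this machine's trusted roots, which is the store
        # the downstream WSUS server (and WUA on this machine) also consults.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $result.ChainValid  = $chain.Build($cert)
        $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

        # Host-name check: WSUS and WUA connect by the name in the configured URL,
        # so that exact name must appear in the certificate (SAN DNS entries or CN).
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Best-effort SAN parsing: the Format() text is locale dependent.
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                      ForEach-Object { $_.Groups[1].Value }
        }
        $result.NameMatches = [bool]($names | Where-Object { $_ -ieq $ComputerName })
    }
    catch {
        # Typical causes: plain HTTP answering on the HTTPS port, or a TLS reset.
        if ($result.TcpReachable) { $result.Handshake = $false }
        $result.ChainStatus = $_.Exception.Message
    }
    finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Usage (placeholder names): an additional SUP checking the default SUP at the
# site, and the top-level site checking its upstream source on the HTTPS port.
# Test-WsusEndpoint -ComputerName 'sup01.contoso.com' -Port 8530
# Test-WsusEndpoint -ComputerName 'sup01.contoso.com' -Port 8531 -UseSsl
# Test-WsusEndpoint -ComputerName '<upstream-wsus-or-microsoft-update-host>' -Port 443 -UseSsl
```

A result with TcpReachable true but Handshake false usually means the port is open but not serving TLS (for example the custom website was created without the HTTPS binding); ChainValid false with NameMatches true points at a trust problem on the connecting machine rather than at the certificate's subject.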

Restrict Access to Specific Domains

Plan for Synchronization Settings

The software updates synchronization in Configuration Manager is the process of retrieving the software updates metadata based on criteria that you configure. The top-level site in your hierarchy (the central administration site or a stand-alone primary site) synchronizes software updates from Microsoft Update. Starting with Configuration Manager SP1, you have the option to configure the software update point on the top-level site to synchronize with an existing WSUS server that is not in the Configuration Manager hierarchy. The child primary sites synchronize software updates metadata from the software update point on the central administration site. Before you install and configure a software update point, use this section to plan for the synchronization settings.

Synchronization Source

Synchronization Schedule

Update Classifications

Products

Supersedence Rules

Languages

Plan for Settings Associated with Software Updates

The software updates client settings in Configuration Manager are site-wide and are configured with default values. There are software updates and network access protection (NAP) client settings that affect when software updates are scanned for compliance, and how and when software updates are installed on client computers. There are also Group Policy settings on the client computer that might need to be configured depending on your environment. For more information about how to configure settings that are associated with software updates, see the Configure the Settings Associated with Software Updates section in the Configuring Software Updates in Configuration Manager topic.

Client Settings for Software Updates

After you install the software update point, the software updates client agent is enabled by default and you are not required to configure specific client settings, but you should review the settings to ensure that the default values meet your needs. You configure software updates and NAP client settings in Client Settings in the Administration workspace. For more information about how to configure the settings that are associated with software updates, see the Configure Client Settings for Software Updates section in the Configuring Software Updates in Configuration Manager topic.

Important
The Enable software updates on clients setting is enabled by default. If you clear this setting, Configuration Manager removes the existing deployment policies from the client. Also, NAP and compliance settings policies that rely on the software updates device setting will no longer function.

Group Policy Settings for Software Updates

There are specific Group Policy settings that are used by the Windows Update Agent (WUA) on client computers to connect to the WSUS that runs on the active software update point, successfully scan for software update compliance, and automatically update the software updates and the WUA.

Warning
If you have an Active Directory Group Policy object assigned to clients that specify a WSUS server that is not a Configuration Manager software update point, it will override the local Group Policy setting that is configured by Configuration Manager. Before you can assess software updates compliance and manage software update deployments on these clients, you must reconfigure the Active Directory Group Policy setting, or move client computers to an organizational unit (OU) that does not have this Group Policy setting applied.

For more information about how to configure the settings that are associated with software updates, see the Group Policy Settings for Software Updates section in the Configuring Software Updates in Configuration Manager topic.
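The following Windows PowerShell function is an added example, not part of the original topic, for detecting the condition the warning above describes. Configuration Manager writes the WSUS location for the WUA as local policy under the WindowsUpdate policy key in the registry; a domain Group Policy object that sets the same policy overwrites that value, so reading the effective WUServer value and comparing it with the URLs of your software update points tells you which clients are being sent elsewhere. The function name and the software update point URLs in the usage lines are this example's own placeholders.

```powershell
# Added example: report whether the Windows Update Agent on this computer is being
# directed at one of your software update points or at some other WSUS server.
# The WUServer/WUStatusServer values live under the WindowsUpdate policy key and
# UseWUServer under its AU subkey; Configuration Manager sets them as local policy,
# and a domain GPO that sets the same policy replaces them.
function Test-WuaPolicyMatchesSup {
    [CmdletBinding()]
    param(
        # Every URL a client may legitimately be given: each SUP, in the scheme and
        # port you configured (for example http://sup01.contoso.com:8530).
        [Parameter(Mandatory = $true)] [string[]]$SoftwareUpdatePointUrl,
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    $policy   = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    $auPolicy = Get-ItemProperty -Path (Join-Path $PolicyPath 'AU') -ErrorAction SilentlyContinue

    # Compare case-insensitively and ignore a trailing slash; scheme and port must
    # match exactly because WUA uses the URL as written.
    $normalize = { param($u) if ($u) { ([string]$u).TrimEnd('/').ToLowerInvariant() } }
    $expected  = @($SoftwareUpdatePointUrl | ForEach-Object { & $normalize $_ })
    $actual    = & $normalize $policy.WUServer

    $status = if (-not $actual) {
        'NoPolicy'       # WUA not configured by Configuration Manager yet, or the value was removed
    } elseif ($expected -contains $actual) {
        'MatchesSup'
    } else {
        'ForeignWsus'    # pointed at a WSUS server that is not one of your software update points
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WUServer       = $policy.WUServer
        WUStatusServer = $policy.WUStatusServer
        UseWUServer    = $auPolicy.UseWUServer
        Status         = $status
    }
}

# Usage (placeholder URLs). On one client:
# Test-WuaPolicyMatchesSup -SoftwareUpdatePointUrl 'http://sup01.contoso.com:8530', 'https://sup01.contoso.com:8531'
#
# Across many clients, keeping only those that need attention so the results can be
# tied back to the OU and GPO that apply to them:
# $supUrls = 'http://sup01.contoso.com:8530', 'http://sup02.contoso.com:8530'
# Invoke-Command -ComputerName (Get-Content .\clients.txt) `
#     -ScriptBlock ${function:Test-WuaPolicyMatchesSup} -ArgumentList (,$supUrls) |
#     Where-Object Status -ne 'MatchesSup'
```

On a client reported as ForeignWsus, WUAHandler.log on that client also records that the group policy settings were overwritten by a higher authority (domain controller), which confirms the source is a domain GPO rather than a local change; the remediation is the one the warning gives, reconfiguring that GPO or moving the computer to an OU where it does not apply.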

Client Cache Setting

The Configuration Manager client downloads the content for required software updates to the local client cache soon after it receives the deployment. However, the client waits to download the content until after the Software available time setting for the deployment. The client does not download software updates in optional deployments (deployments that do not have a scheduled installation deadline) until the user manually initiates the installation. When the configured deadline passes, the software updates client agent performs a scan to verify that the software update is still required, then the software updates client agent checks the local cache on the client computer to verify that the software update source file is still available, and then installs the software update. If the content was deleted from the client cache to make room for another deployment, the client downloads the software updates to the cache again. Software updates are always downloaded to the client cache regardless of the configured maximum client cache size. For other deployments, such as applications or packages, the client only downloads content that is within the maximum cache size that you configure for the client. Cached content is not automatically deleted, but it remains in the cache for at least one day after the client used that content.

Supplemental Topics for Planning Software Updates

Use the following topics to plan for software updates in Configuration Manager.

See Also