Configuring Software Updates in Configuration Manager 2012

Updated: May 1, 2011

Applies To: System Center Configuration Manager 2012

Before software update compliance assessment data is displayed in the Configuration Manager 2012 console and before you can deploy software updates to client computers, you must install and configure a software update point, synchronize the software updates metadata, and verify the configuration for settings associated with software updates.

When you have a Configuration Manager 2012 hierarchy, you should install and configure the software update point at the central administration site first, and then install and configure the software update points on other sites. Some settings are only available when you configure the software update point on a central administration site, or stand-alone primary site, and there are different options that you must consider depending on where the software update point is installed. Use the steps in the following table to install and configure the software update point, synchronize software updates, and configure the settings associated with software updates.

Use the following steps and the procedures in this topic to configure software updates in Configuration Manager 2012.

 

Step Details More Information

Step 1: Install and Configure a Software Update Point

Central administration site

When you have a Configuration Manager 2012 hierarchy, install and configure the software update point on the central administration site before you install it on child primary sites and secondary sites. To enable software update in the hierarchy, you must have an active software update point on the central administration site.

For more information, see the following procedure in this topic: Install and Configure a Software Update Point on the Central Administration Site.

Stand-alone primary site

When you have a stand-alone primary site, a primary site that is not connected to a central administration site, install and configure the software update point to enable software update deployment at the site. When you have a secondary site connected to the stand-alone primary site, you must install the software update point on the primary site first.

For more information, see the following procedure in this topic: Install and Configure a Software Update Point on a Stand-Alone Primary Site.

Child primary site

After you install a software update point on the central administration site, install and configure the software update point on child primary sites to enable software update deployment at the site. When you have a secondary site connected to the primary site, you must install the software update point on the primary site first.

For more information, see the following procedure in this topic: Install and Configure a Software Update Point on a Child Primary Site.

Secondary site

After you install the software update point on a primary site, you can optionally install and configure the software update point on a connected secondary site. When you do not have a software update point installed at the secondary site, clients assigned to the secondary site will use the software update point at the parent primary site. When there is limited network bandwidth to the software update point at the parent primary site or when Windows Server Update Services (WSUS) is approaching the maximum number of client computers at the parent primary site, you should install a software update point at the secondary site.

For more information, see the following procedure in this topic: Install and Configure a Software Update Point on a Secondary Site.

Step 2: Synchronize Software Updates

Synchronize software updates on a connected software update point

Software updates synchronization is the process of retrieving software updates metadata from Microsoft Update and replicating the metadata to all sites enabled for software updates in the Configuration Manager 2012 hierarchy. The software update point on the central administration site, or on a stand-alone primary site, retrieves software updates metadata from Microsoft Update. Child primary sites, secondary sites, and remote Internet-based software update points retrieve the software updates metadata from the software update point identified as the upstream update source. Access to the upstream update source is required to successfully synchronize software updates.

For more information, see the following procedure in this topic: Synchronize Software Updates.

Synchronize software updates on a disconnected software update point

Automatic software updates synchronization is not possible when the software update point for the central administration site or stand-alone primary site is disconnected from the Internet, or when an Internet-based software update point is disconnected from the active software update point for the site. To retrieve the latest software updates for a disconnected software update point, you must use the WSUSUtil tool to export the software updates metadata and license terms files from a software update source, and then import the metadata and files to the disconnected software update point.

For more information, see the following procedure in this topic: Synchronize Software Updates on a Disconnected Software Update Point.

Step 3: Configure the Settings Associated with Software Updates

There are several Configuration Manager 2012 client settings and group policy configurations that are associated with software updates. Review these settings and configurations to verify that they are appropriate for your environment.

For more information, see the following procedures in this topic: Configure the Settings Associated with Software Updates.

In a Configuration Manager 2012 hierarchy, you should always install and configure the software update point starting with the central administration site. The software update point at the central administration site is typically configured to synchronize with Microsoft Update, retrieving the software updates metadata based on the criteria that you specify in the software update point properties. Before you install the software update point site system role, you must verify that the server meets required dependencies and you should determine the software update point infrastructure for the central administration site. For more information about planning for software updates and to determine your software update point infrastructure, see Planning for Software Updates in Configuration Manager 2012.

Use the following procedure to add the software update point site system role to the central administration site.

Note
Do not use this procedure when you have decided to configure the software update point to use an NLB cluster. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

To install and configure the software update point for the central administration site

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Operations and click Servers and Site System Roles.

  3. Add the software update point site system role to a new or existing site system server by using the associated step:

    • New site system server: On the Home tab, in the Create group, click Create Site System Server. The Create Server Wizard opens.

    • Existing site system server: Click the server in which you want to install the software update point site system role. When you click a server, a list of the site system roles that are already installed on the server is displayed in the details pane.

      On the Home tab, in the Server group, click Add Site System Role. The Create Roles Wizard opens.

  4. On the General page, specify the general settings for the site system server. When you add the software update point to an existing site system server, verify the values that were previously configured.

  5. On the System Role Selection page, select Software update point from the list of available roles, and then click Next.

  6. On the Software Update Point page, specify whether the site server will use a proxy server when connecting to the software update point and whether to use credentials to connect to the proxy server, and then click Next.

  7. On the Active Settings page, select Use this server as the active software update point, specify the website and port configurations that are used by WSUS, and then click Next.

    Tip
    To determine the website and port configurations in WSUS, see How to Determine the Port Settings Used by WSUS.
  8. On the Synchronization Source page, select Synchronize from Microsoft Update to synchronize software updates from Microsoft Update. The central administration site must have Internet access or synchronization will fail. This setting is available only when configuring the software update point on the central administration site or stand-alone primary site.

    Important
    When the software update point on the central administration site is disconnected from the Internet, you must select Do not synchronize from Microsoft Update and manually synchronize software updates. For more information, see the following procedure in this topic: Synchronize Software Updates from a Disconnected Software Update Point.
  9. Specify whether to create WSUS reporting events, and then click Next. Configuration Manager does not use these events so you will typically choose the default setting Do not create WSUS reporting events.

  10. On the Synchronization Schedule page, specify whether to synchronize software updates on a schedule. This setting is configured only on the software update point for the central administration site.

    Tip
    You should schedule software updates synchronization to run using a timeframe appropriate for your environment. One common scenario is to set the software updates synchronization schedule to run shortly after Microsoft’s regular security update release on the second Tuesday of each month, typically referred to as Patch Tuesday.
    Note
    When you choose not to enable software updates synchronization on a schedule, you can manually synchronize software updates from the All Software Updates or Software Update Groups node in the Software Library workspace. For more information, see the following section in this topic: Software Updates Synchronization.
  11. Specify whether to create an alert when synchronization fails, and then click Next. When selected, you can go to the Software Update Point Synchronization Status node in the Monitoring workspace to monitor the synchronization state for all software update points in your hierarchy.

  12. On the Supersedence Rules page, specify how to manage superseded software updates, and then click Next. This setting is configured only on the software update point for the central administration site.

    Note
    Typically, a software update that supersedes another software update does one or more of the following:
    • Enhances, improves, or adds to the fix provided by one or more previously released updates.

    • Improves the efficiency of its update file package, which is installed on client computers if the update is approved for installation. For example, the superseded update might contain files that are no longer relevant to the fix or to the operating systems now supported by the new update, so those files are not included in the superseding update's file package.

    • Updates newer versions of a product, or in other words, is no longer applicable to older versions or configurations of a product. Updates can also supersede other updates if modifications have been made to expand language support. For example, a later revision of a product update for Microsoft Office might remove support for an older operating system, but add additional support for new languages in the initial update release.

    On the Supersedence Rules page, you can specify that superseded software updates are immediately expired, which prevents them from being included in new deployments and flags existing deployments to indicate that they contain one or more expired software updates. Or, you can specify a period of time before superseded software updates are expired, which allows you to continue to deploy them. Consider the following scenarios in which you might need to deploy a superseded software update:
    • If a superseding software update supports only newer versions of an operating system, and some of your client computers run earlier versions of the operating system.

    • If a superseding software update has more restricted applicability than the software update it supersedes, which would make it inappropriate for some client computers.

    • If a superseding software update has not been approved for deployment in your production environment.

  13. On the Classifications page, specify the software update classifications for which you want to synchronize software updates, and then click Next. This setting is configured only for the software update point at the central administration site.

    Note
    Every software update is defined with an update classification that helps to organize the software update and better define the type of software updates you want to synchronize. During the synchronization process, the software updates metadata for the classifications that you specify will be synchronized. Configuration Manager 2012 provides the ability to synchronize software updates with the following software update classifications:
    • Critical Updates: Specifies a broadly released update for a specific problem that addresses a critical, non security-related bug.

    • Definition Updates: Specifies an update to virus or other definition files.

    • Feature Packs: Specifies new product features that are distributed outside of a product release and typically included in the next full product release.

    • Security Updates: Specifies a broadly released update for a product-specific, security-related issue.

    • Service Packs: Specifies a cumulative set of hotfixes that are applied to an application. These hotfixes can include security updates, critical updates, software updates, and so on.

    • Tools: Specifies a utility or feature that helps to complete one or more tasks.

    • Update Rollups: Specifies a cumulative set of hotfixes that are packaged together for easy deployment. These hotfixes can include security updates, critical updates, updates, and so on. An update rollup generally addresses a specific area, such as security or a product component.

    • Updates: Specifies an update to an application or file currently installed.

  14. On the Products page, specify the products for which you want to synchronize software updates, and then click Next. This setting is configured only on the software update point for the central administration site.

    Note
    The metadata for each software update defines the product or products to which the software update is applicable. A product is a specific edition of an operating system or application, for example, Windows Server 2008. A product family is the base operating system or application from which the individual products are derived. An example of a product family is Windows, of which Windows Server 2008 is a member. You can specify a product family or individual products within a product family. When software updates are applicable to multiple products, and at least one of the products has been selected for synchronization, all of the products will appear in the Configuration Manager console even if some have not been selected. For example, if Windows Server 2008 is the only operating system that you have selected, and if a software update applies to Windows 7 and Windows Server 2008, both products will be displayed in the Configuration Manager console. The more products that you select, the longer it will take to synchronize software updates.
  15. On the Languages page, specify the languages for which you want to synchronize software update files and summary details, and then click Next. The Software Update File setting is configured at each software update point in the Configuration Manager 2012 hierarchy. The Summary Details settings are configured only on the software update point for the central administration site.

    Note
    You can specify the languages for software update files and summary details.
    • Software Update File

      The languages configured for the Software Update File setting provide the default set of languages that will be available when downloading software updates at the site. You should configure the software update file language settings with the languages that are most often used in your environment. For example, if client computers in the site use mostly English and Japanese languages for the operating system or applications, and there are very few other languages used at the site, select English and Japanese in the Software Update File column and clear the other languages. Later, when you download or deploy software updates, the languages will automatically be selected by default on the Language Selection page of the wizard and can be modified as necessary.

    • Summary Details

      The summary details information is the metadata for software updates. The metadata provides the information about the software update, such as name, description, products that the update supports, update classification, article ID, download URL, applicability rules, and so on. When you select the summary details languages, select only the languages needed in your environment. The software updates metadata is displayed in the locale of the operating system where the Configuration Manager 2012 console is running. If the localized properties for the software updates are not available, the information displays in English.

      The more languages you select for summary details, the longer it will take to synchronize software updates.

       

      Important
      Select all of the summary details languages that will be needed in your Configuration Manager 2012 hierarchy before you run software updates synchronization for the first time. Though you can change the summary details languages after the software update point is synchronized on the central administration site, the metadata in the new languages will not be retrieved for software updates that have already been synchronized unless there is an updated version for the software update available.
  16. On the Summary page, confirm the settings for the software update point. You can go back to previous pages and make changes. Click Next to add the site system role, verify that the wizard successfully completed, and then click Close to exit the wizard.

  17. To monitor the installation progress for the software update point, open SUPSetup.log in <InstallationPath>\Logs. When the installation completes, Installation was successful is written to the log file.

After you complete the software update point installation on the site system server, consider the following additional settings available only from Software Update Point Component Properties:

  • Client connection settings: The client connection settings allow you to configure custom ports, whether the software update point accepts communications from clients on the Internet, and to enable SSL communications for the WSUS server. During the initial software update point installation, you selected a standard set of ports, the software update point is configured to accept communications from only clients on the intranet, and SSL communications is not enabled.

  • Internet-based software update point: When the active software update point is configured not to accept communications from clients on the Internet, you can specify an Internet-based software update point that is accessible from clients on the Internet.

  • Network Load Balancing (NLB): You can configure the active software update point or Internet-based software update point to use an NLB cluster. When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

When one of the above configurations is necessary for your software update point, use the following procedure to complete the software update point configuration on the central administration site.

To complete software update point configuration on the central administration site

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Operations, click Sites, and then select the central administration site.

  3. On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point. Software Update Point Component Properties opens.

  4. On the General tab, configure the following settings:

    • Active software update point for this site: Specifies whether the active software update point is configured, and if so, whether it is installed on the site server, a remote site system server, or configured to use NLB.

      Note
      This setting was configured when you installed the software update point on the site server or site system server. You can change the location for the active software update point by using this setting. When the active software update point is installed on a remote site system server, the Active software update point and Software Update Point Connection Account settings are displayed on this page.
      Important
      When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.
    • Port number: Specifies the HTTP port number configured on the WSUS server.

      Note
      The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point. For information about finding the port numbers used by WSUS, see How to Determine the Port Settings Used by WSUS.
    • SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server.

      Warning
      When the Enable SSL for this WSUS server setting is selected, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.
    • Active software update point: Specifies the name of the remote site system server that you selected as the active software update point.

      Note
      This setting is only displayed when you installed the active software update point on a remote site system server. You can select a different remote site system server for the active software update point by using this setting. Only remote site system servers with the software update point site system role installed are available for you to select. You can have only one active software update point for a site, but multiple site system servers can have the software update point site system role installed and be available to select as the active software update point.
    • Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

      Important
      The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.
    • Allow intranet-only client connections: Specifies that this software update point accepts only connections from clients on the intranet. When you select this setting, the options on the Internet-based tab are enabled and provide you with the option to configure a different remote software update point that accepts connections from clients on the Internet.

    • Allow both intranet and internet client connections: Specifies that this software update point accepts connections from both clients on the intranet and Internet. When this setting is selected, the settings on the Internet-based tab are disabled.

      Enable SSL communications for the WSUS Server: Specifies whether to use SSL communications on the WSUS server. When this setting is selected, the following actions apply:

      • The WSUS server will synchronize software updates metadata using SSL. The upstream update server must be configured for SSL or synchronization will fail.

      • For clients to connect to the WSUS server, both the clients and WSUS Web site must have a trusted root CA in common. Without a common certificate, clients will fail to scan for software update compliance.

      Important
      When the active software update point is configured for SSL, and it is configured to accept both client connections from the Internet and intranet, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.
  5. On the Internet-based tab, configure the following settings:

    Note
    The settings on the Internet-based tab are configurable only when the active software update point is configured for intranet-only client connections, where the Allow intranet-only client connections setting is selected on the General tab.
    • Internet-based software update point: Specifies whether the Internet-based software update point is configured, and if so, whether it is installed on a remote site system server or configured to use NLB.

      Note
      When the active software update point only accepts communication from clients on the intranet and the Internet-based software update point is not configured, clients on the Internet will not scan for software updates compliance. When the active software update point is installed on a remote site system server, the Active server name and Software Update Point Connection Account settings are displayed on this page.
      Important
      When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.
    • Port number: Specifies the HTTP port number configured on the WSUS server. The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point.

      Tip
      For information about finding the port numbers used by WSUS, see How to Determine the Port Settings Used by WSUS.
    • SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server. When the Enable SSL for this WSUS server setting is enabled, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.

    • Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

      Important
      The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.
    • Do not synchronize from the software update point located on the intranet: Specifies that the Internet-based software update point does not synchronize with the active software update point. Select this option if the Internet-based software update point is disconnected from the active software update point. For more information about synchronizing software updates on a disconnected software updates point, see the following procedure in this topic: Synchronize Software Updates from a Disconnected Software Update Point.

      Important
      Even though the Internet-based software update point accepts client connections from the Internet only, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.
  6. Review the settings on the remaining tabs that you configured as part of the software update point installation. For more information about the settings, refer to steps 10-15 in the preceding procedure.
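The certificate requirements stated in the General and Internet-based tab settings above (a trusted root CA in common with clients, and a Web server certificate that contains both the Internet FQDN and the intranet FQDN) can be checked from a client computer once SSL is enabled. The following PowerShell is an added example, not part of the original topic or of Configuration Manager: the function names, host names and port are hypothetical placeholders, and it assumes Windows PowerShell 4.0 or later, which exposes the DnsNameList property on certificate objects.

```powershell
# Added example: check the WSUS Web site certificate from a client computer.
# Function names, host names and the port are placeholders, not values from this topic.

function Get-TlsServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int]    $Port
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Accept any certificate during the handshake; trust is evaluated explicitly
        # afterwards so that a failing chain is reported instead of aborting here.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

function Test-NameCovered {
    # True when $Fqdn matches one of the certificate names, either exactly or
    # through a wildcard that replaces only the left-most label.
    param([string[]] $CertNames, [string] $Fqdn)
    foreach ($name in $CertNames) {
        if ($name -ieq $Fqdn) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                 # for example ".example.com"
            $dot    = $Fqdn.IndexOf('.')
            if ($dot -gt 0 -and $Fqdn.Substring($dot) -ieq $suffix) { return $true }
        }
    }
    return $false
}

function Test-SoftwareUpdatePointCertificate {
    param(
        [Parameter(Mandatory)] [string]   $ConnectTo,      # name used to reach the WSUS Web site
        [Parameter(Mandatory)] [int]      $SslPort,        # SSL port number configured for WSUS
        [Parameter(Mandatory)] [string[]] $RequiredFqdn    # intranet FQDN and Internet FQDN
    )
    $cert  = Get-TlsServerCertificate -ComputerName $ConnectTo -Port $SslPort
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

    # Build the chain against this computer's certificate stores. Revocation is not
    # checked: the test is only whether the chain ends in a root this computer trusts.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    $missing = @($RequiredFqdn | Where-Object { -not (Test-NameCovered -CertNames $names -Fqdn $_) })

    [pscustomobject]@{
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        DnsNames     = $names
        MissingFqdn  = $missing
        ChainTrusted = $trusted
        ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        Pass         = ($missing.Count -eq 0) -and $trusted -and ($cert.NotAfter -gt (Get-Date))
    }
}

# Example call (placeholder names and port; substitute the values for your site):
# Test-SoftwareUpdatePointCertificate -ConnectTo 'sup01.corp.example.com' -SslPort 8531 `
#     -RequiredFqdn 'sup01.corp.example.com', 'updates.example.com'
```

A result with a non-empty MissingFqdn or with ChainTrusted set to False corresponds to the conditions under which the topic says clients fail to scan for software update compliance.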


The software update point site system role must be installed, configured, and set to active before you can assess software updates compliance or deploy software updates assigned to the stand-alone primary site. The software update point on a stand-alone primary site is typically configured to synchronize with Microsoft Update, retrieving the software updates metadata for the criteria that you specify in the software update point properties. Before you install the software update point site system role, you must verify that the server meets required dependencies and you should determine the software update point infrastructure for your site. For example, are you going to install the software update point on the local site server or a remote site system server, will you install an Internet-based software update point to accept communications from clients on the Internet, or should you configure the software update point to use Network Load Balancing (NLB)? For more information about planning for software updates, see Planning for Software Updates in Configuration Manager 2012.

Use the following procedure to install and configure the software update point on a stand-alone primary site.

To install and configure the software update point for a stand-alone primary site

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Operations and click Servers and Site System Roles.

  3. Add the software update point site system role to a new or existing site system server by using the associated step:

    • New site system server: on the Home tab, in the Create group, click Create Site System Server. The Create Server Wizard opens.

    • Existing site system server: click the server in which you want to install the software update point site role. When you click a server, a list of the site system roles that are already installed on the server is displayed in the details pane.

      On the Home tab, in the Server group, click Add Site System Role. The Create Roles Wizard opens.

  4. On the General page, specify the general settings for the site system server. When you add the software update point to an existing site system server, verify the values that were previously configured.

  5. On the System Role Selection page, select Software update point from the list of available roles, and then click Next.

  6. On the Software Update Point page, specify whether the site server will use a proxy server when connecting to the software update point and whether to use credentials to connect to the proxy server, and then click Next.

  7. On the Active Settings page, select Use this server as the active software update point, specify the website and port configurations that are used by WSUS, and then click Next.

    Tip
    To determine the website and port configurations in WSUS, see How to Determine the Port Settings Used by WSUS.
  8. On the Synchronization Source page, select Synchronize from Microsoft Update to synchronize software updates from Microsoft Update. The stand-alone primary site must have Internet access or synchronization will fail. This setting is available only when configuring the software update point on the central administration site or stand-alone primary site.

    Important
    When the software update point on the stand-alone primary site is disconnected from the Internet, you must select Do not synchronize from Microsoft Update and manually synchronize software updates. For more information, see the following procedure in this topic: Synchronize Software Updates from a Disconnected Software Update Point.
    Note
    When there is a firewall between the active software update point and the Internet, the firewall might need to be configured to accept the HTTP and HTTPS ports used for the WSUS Web site. You can also choose to restrict access on the firewall to limited domains. For more information about configuring your firewall to support software updates, see How to Configure a Firewall for Software Updates.
  9. Specify whether to create WSUS reporting events, and then click Next. Configuration Manager does not use these events so you will typically choose the default setting Do not create WSUS reporting events.

  10. On the Synchronization Schedule page, specify whether to synchronize software updates on a schedule. This setting is configured only on the software update point for the stand-alone primary site.

    Tip
    You should schedule software updates synchronization to run using a timeframe appropriate for your environment. One common scenario is to set the software updates synchronization schedule to run shortly after Microsoft’s regular security update release on the second Tuesday of each month, typically referred to as Patch Tuesday.
    Note
    When you choose not to enable software updates synchronization on a schedule, you can manually synchronize software updates from the All Software Updates or Software Update Groups node in the Software Library workspace. For more information, see the following section in this topic: Software Updates Synchronization.
  11. Specify whether to create an alert when synchronization fails, and then click Next. When selected, you can go to the Software Update Point Synchronization Status node in the Monitoring workspace to monitor the synchronization state for all software update points in your hierarchy.

  12. On the Supersedence Rules page, specify how to manage superseded software updates, and then click Next. This setting is configured only on the software update point for the stand-alone primary site.

    Note
    Typically, a software update that supersedes another software update does one or more of the following:
    • Enhances, improves, or adds to the fix provided by one or more previously released updates.

    • Improves the efficiency of its update file package, which is installed on client computers if the update is approved for installation. For example, the superseded update might contain files that are no longer relevant to the fix or to the operating systems now supported by the new update, so those files are not included in the superseding update's file package.

    • Updates newer versions of a product, or in other words, is no longer applicable to older versions or configurations of a product. Updates can also supersede other updates if modifications have been made to expand language support. For example, a later revision of a product update for Microsoft Office might remove support for an older operating system, but add additional support for new languages in the initial update release.

    On the Supersedence Rules page, you can specify that superseded software updates are immediately expired, which prevents them from being included in new deployments and flags existing deployments to indicate that they contain one or more expired software updates. Or, you can specify a period of time before superseded software updates are expired, which allows you to continue to deploy them. Consider the following scenarios in which you might need to deploy a superseded software update:
    • If a superseding software update supports only newer versions of an operating system, and some of your client computers run earlier versions of the operating system.

    • If a superseding software update has more restricted applicability than the software update it supersedes, which would make it inappropriate for some client computers.

    • If a superseding software update has not been approved for deployment in your production environment.

  13. On the Classifications page, specify the software update classifications for which you want to synchronize software updates, and then click Next. Secondary sites will automatically use the software update classifications configured for the software update point for the stand-alone primary site.

    Note
    Every software update is defined with an update classification that helps to organize the different types of updates. During the synchronization process, the software updates metadata for the specified classifications will be synchronized. Configuration Manager 2012 provides the ability to synchronize software updates with the following update classifications:
    • Critical Updates: Specifies a broadly released update for a specific problem that addresses a critical, non security-related bug.

    • Definition Updates: Specifies an update to virus or other definition files.

    • Feature Packs: Specifies new product features that are distributed outside of a product release and typically included in the next full product release.

    • Security Updates: Specifies a broadly released update for a product-specific, security-related issue.

    • Service Packs: Specifies a cumulative set of hotfixes that are applied to an application. These hotfixes can include security updates, critical updates, software updates, and so on.

    • Tools: Specifies a utility or feature that helps to complete one or more tasks.

    • Update Rollups: Specifies a cumulative set of hotfixes that are packaged together for easy deployment. These hotfixes can include security updates, critical updates, updates, and so on. An update rollup generally addresses a specific area, such as security or a product component.

    • Updates: Specifies an update to an application or file currently installed.

  14. On the Products page, specify the products for which you want to synchronize software updates, and then click Next. Secondary sites will automatically use the products configured for the software update point for the stand-alone primary site.

    When selecting the products, be aware that the more products that are selected, the longer it takes to complete software updates synchronization.

    Note
    The metadata for each software update defines the product or products to which the update applies. A product is a specific edition of an operating system or application, for example, Windows Server 2008. A product family is the base operating system or application from which the individual products are derived. An example of a product family is Windows, of which Windows Server 2008 is a member. You can specify a product family or individual products within a product family. When software updates are applicable to multiple products, and at least one of the products has been selected for synchronization, all of the products will appear in the Configuration Manager console even if some have not been selected. For example, if Windows Server 2008 is the only operating system that you have selected, and if a software update applies to Windows 7 and Windows Server 2008, both products will be displayed in the Configuration Manager console. The more products that you select, the longer it will take to synchronize software updates.
  15. On the Languages page, specify the languages for which you want to synchronize software update files and summary details, and then click Next. The Software Update File setting is configured at each software update point in the Configuration Manager 2012 hierarchy. Secondary sites will automatically use the summary details configured for the software update point for the stand-alone primary site.

    Note
    • Software Update File

      The languages configured for the Software Update File setting provide the default set of languages that will be available when downloading software updates at the site. You should configure the software update file language settings with the languages that are most often used in your environment. For example, if client computers in the site use mostly English and Japanese languages for the operating system or applications, and there are very few other languages used at the site, select English and Japanese in the Software Update File column and clear the other languages. Later, when you download or deploy software updates, the languages will automatically be selected by default on the Language Selection page of the wizard and can be modified as necessary.

    • Summary Details

      The summary details information is the metadata for software updates. The metadata provides the information about the software update, such as name, description, products that the update supports, update classification, article ID, download URL, applicability rules, and so on. When you select the summary details languages, select only the languages needed in your environment. The more languages that you select, the longer it will take to synchronize software updates. The software updates metadata is displayed in the locale of the operating system where the Configuration Manager 2012 console is running. If the localized properties for the software updates are not available, the information displays in English.

       

      Important
      Select all of the summary details languages that will be needed for your Configuration Manager 2012 site before you run software updates synchronization for the first time. Though you can change the summary details languages after the software update point is synchronized on the stand-alone primary site, the metadata in the new languages will not be retrieved for software updates that have already been synchronized unless there is an updated version for the software update available.
  16. On the Summary page, confirm the settings for the software update point. You can go back to previous pages and make changes. Click Next to add the site system role, verify that the wizard successfully completed, and then click Close to exit the wizard.

  17. To monitor the installation progress for the software update point, open SUPSetup.log in <InstallationPath>\Logs. When the installation completes, Installation was successful is written to the log file.

After you complete the software update point installation on the site system server, consider the following additional settings available only from Software Update Point Component Properties:

  • Client connection settings: The client connection settings allow you to configure custom ports, whether the software update point accepts communications from clients on the Internet, and to enable SSL communications for the WSUS server. During the initial software update point installation, you selected a standard set of ports, the software update point is configured to accept communications from only clients on the intranet, and SSL communications is not enabled.

  • Internet-based software update point: When the active software update point is configured not to accept communications from clients on the Internet, you can specify an Internet-based software update point that is accessible from clients on the Internet.

  • Network Load Balancing (NLB): You can configure the active software update point or Internet-based software update point to use an NLB cluster. When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

When one of the above configurations is necessary for your software update point, use the following procedure to complete the software update point configuration on the central administration site.

To complete software update point configuration on the stand-alone primary site

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Operations, click Sites, and then select the central administration site.

  3. On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point. The Software Update Point Component Properties opens.

  4. On the General tab, configure the following settings:

    • Active software update point for this site: Specifies whether the active software update point is configured, and if so, whether it is installed on the site server, a remote site system server, or configured to use NLB.

      Note
      This setting was configured when you installed the software update point on the site server or site system server. You can change the location for the active software update point by using this setting. When the active software update point is installed on a remote site system server, the Active software update point and Software Update Point Connection Account settings are displayed on this page.
      Important
      When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.
    • Port number: Specifies the HTTP port number configured on the WSUS server.

      Note
      The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point. For information about finding the port numbers used by WSUS, see How to Determine the Port Settings Used by WSUS.
    • SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server.

      Warning
      When the Enable SSL for this WSUS server setting is selected, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.
    • Active software update point: Specifies the name of the remote site system server that you selected as the active software update point.

      Note
      This setting is only displayed when you installed the active software update point on a remote site system server. You can select a different remote site system server for the active software update point by using this setting. Only remote site system servers with the software update point site system role installed are available for you to select. You can have only one active software update point for a site, but multiple site system servers can have the software update point site system role installed and be available to select as the active software update point.
    • Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

      Important
      The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.
    • Allow intranet-only client connections: Specifies that this software update point accepts only connections from clients on the intranet. When you select this setting, the options on the Internet-based tab are enabled and provide you with the option to configure a different remote software update point that accepts connections from clients on the Internet.

    • Allow both intranet and internet client connections: Specifies that this software update point accepts connections from both clients on the intranet and Internet. When this setting is selected, the settings on the Internet-based tab are disabled.

      Enable SSL communications for the WSUS Server: Specifies whether to use SSL communications on the WSUS server. When this setting is selected, the following actions apply:

      • The WSUS server will synchronize software updates metadata using SSL. The upstream update server must be configured for SSL or synchronization will fail.

      • For clients to connect to the WSUS server, both the clients and WSUS Web site must have a trusted root CA in common. Without a common certificate, clients will fail to scan for software update compliance.

      Important
      When the active software update point is configured for SSL, and it is configured to accept both client connections from the Internet and intranet, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.
  5. On the Internet-based tab, configure the following settings:

    Note
    The settings on the Internet-based tab are configurable only when the active software update point is configured for intranet-only client connections, where the Allow intranet-only client connections setting is selected on the General tab.
    • Internet-based software update point: Specifies whether the Internet-based software update point is configured, and if so, whether it is installed on a remote site system server or configured to use NLB.

      Note
      When the active software update point only accepts communication from clients on the intranet and the Internet-based software update point is not configured, clients on the Internet will not scan for software updates compliance. When the active software update point is installed on a remote site system server, the Active server name and Software Update Point Connection Account settings are displayed on this page.
      Important
      When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.
    • Port number: Specifies the HTTP port number configured on the WSUS server. The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point.

      Tip
      For information about finding the port numbers used by WSUS, see How to Determine the Port Settings Used by WSUS.
    • SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server. When the Enable SSL for this WSUS server setting is enabled, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.

    • Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

      Important
      The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.
    • Do not synchronize from the software update point located on the intranet: Specifies that the Internet-based software update point does not synchronize with the active software update point. Select this option if the Internet-based software update point is disconnected from the active software update point. For more information about synchronizing software updates on a disconnected software updates point, see the following procedure in this topic: Synchronize Software Updates from a Disconnected Software Update Point.

      Important
      Even though the Internet-based software update point accepts client connections from the Internet only, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.
  6. Review the settings on the remaining tabs that you configured as part of the software update point installation. For more information about the settings, refer to steps 10-15 in the preceding procedure.
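The SSL notes in this procedure require that the Web server certificate contain both the Internet FQDN and the intranet FQDN, and that clients and the WSUS Web site share a trusted root CA. The following PowerShell check is an added example, not part of the original topic or of Configuration Manager; the function names and the `.example` host names are hypothetical, the sample certificates are constructed in memory, and it assumes Windows PowerShell 5.1 or later on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-DnsNameMatch {
    # True when a certificate DNS name (optionally '*.domain') covers the FQDN.
    param([string]$Pattern, [string]$Fqdn)
    $p = $Pattern.TrimEnd('.').ToLowerInvariant()
    $f = $Fqdn.TrimEnd('.').ToLowerInvariant()
    if ($p -eq $f) { return $true }
    if ($p.StartsWith('*.')) {
        # A wildcard stands for exactly one leftmost label.
        $dot = $f.IndexOf('.')
        return ($dot -gt 0) -and ($f.Substring($dot) -eq $p.Substring(1))
    }
    return $false
}

function Test-SupCertificate {
    # Reports which required FQDNs the certificate does not cover and whether
    # the certificate chains to a root that this computer trusts.
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string[]]$RequiredFqdn
    )
    # DnsNameList is the extended property that PowerShell on Windows adds to
    # certificate objects; each entry exposes the name as .Unicode.
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })

    $missing = @($RequiredFqdn | Where-Object {
        $fqdn = $_
        -not ($names | Where-Object { Test-DnsNameMatch -Pattern $_ -Fqdn $fqdn })
    })

    $chain = [X509Chain]::new()
    # Skip revocation lookups so the check also runs on an isolated network.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $chain.Dispose()

    [pscustomobject]@{
        Subject      = $Certificate.Subject
        DnsNames     = $names
        MissingFqdn  = $missing
        ChainTrusted = $trusted
        ChainStatus  = $status
        Compliant    = ($missing.Count -eq 0) -and $trusted
    }
}

function New-SampleCertificate {
    # Builds a self-signed certificate in memory (nothing is written to a
    # certificate store). Constructed sample input for the demonstration only.
    param([Parameter(Mandatory)][string[]]$DnsName)
    $rsa = [RSA]::Create(2048)
    $request = [CertificateRequest]::new(
        "CN=$($DnsName[0])", $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $san = [SubjectAlternativeNameBuilder]::new()
    foreach ($name in $DnsName) { $san.AddDnsName($name) }
    $request.CertificateExtensions.Add($san.Build())
    $request.CreateSelfSigned(
        [DateTimeOffset]::UtcNow.AddDays(-1),
        [DateTimeOffset]::UtcNow.AddDays(30))
}

# Constructed sample values: an intranet FQDN and an Internet FQDN.
$required = 'sup01.corp.example', 'updates.example.com'

# Weak configuration: the certificate names only the intranet FQDN.
$intranetOnly = New-SampleCertificate -DnsName 'sup01.corp.example'
# Corrected configuration: the certificate names both FQDNs.
$bothNames = New-SampleCertificate -DnsName $required

Test-SupCertificate -Certificate $intranetOnly -RequiredFqdn $required | Format-List
Test-SupCertificate -Certificate $bothNames    -RequiredFqdn $required | Format-List
```

To check a deployed software update point, pass the certificate bound to the WSUS Web site, for example one selected from `Cert:\LocalMachine\My` on the WSUS server, together with the two FQDNs that clients use. Run the same check on a client computer to test the trusted-root requirement against the client's own root store.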


In a Configuration Manager 2012 hierarchy, you should always install and configure the software update point on child primary sites after the software update point has been installed and configured for the central administration site. The software update point site system role must be installed, configured, and set to active before you can assess software updates compliance or deploy software updates assigned to the child primary site. Before you install the software update point site system role, you must verify that the server meets required dependencies and you should determine the software update point infrastructure for your site. For example, decide whether you will install the software update point on the local site server or a remote site system server, whether you will install an Internet-based software update point to accept communications from clients on the Internet, and whether you should configure the software update point to use Network Load Balancing (NLB). For more information about planning for software updates, see Planning for Software Updates in Configuration Manager 2012.

Use the following procedure to install and configure the software update point on a child primary site.

To install and configure the software update point for a child primary site

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Operations and click Servers and Site System Roles.

  3. Add the software update point site system role to a new or existing site system server by using the associated step:

    • New site system server: on the Home tab, in the Create group, click Create Site System Server. The Create Server Wizard opens.

    • Existing site system server: click the server on which you want to install the software update point site role. When you click a server, a list of the site system roles that are already installed on the server is displayed in the details pane.

      On the Home tab, in the Server group, click Add Site System Role. The Create Roles Wizard opens.

  4. On the General page, specify the general settings for the site system server. When you add the software update point to an existing site system server, verify the values that were previously configured.

  5. On the System Role Selection page, select Software update point from the list of available roles, and then click Next.

  6. On the Software Update Point page, specify whether the site server will use a proxy server when connecting to the software update point and whether to use credentials to connect to the proxy server, and then click Next.

  7. On the Active Settings page, select Use this server as the active software update point, specify the website and port configurations that are used by WSUS, and then click Next.

    Tip
    To determine the website and port configurations in WSUS, see How to Determine the Port Settings Used by WSUS.
  8. On the Synchronization Source page, Synchronize from an upstream update server is automatically selected to synchronize software updates from the software update point at the central administration site. The child primary site must have access to the software update point on the central administration site or synchronization will fail. The Synchronize from Microsoft Update and Do not synchronize from Microsoft Update settings are available only when configuring the software update point on the central administration site or stand-alone primary site.

  9. Specify whether to create WSUS reporting events, and then click Next. Configuration Manager does not use these events so you will typically choose the default setting Do not create WSUS reporting events.

  10. On the Languages page, specify the languages for which you want to synchronize software update files, and then click Next. The Software Update File setting is configured at each software update point in the Configuration Manager 2012 hierarchy. Child primary sites will automatically use the summary details (metadata about the software updates) configured for the software update point at the central administration site.

    Note
    The languages configured for the Software Update File setting provide the default set of languages that will be available when downloading software updates at the site. You should configure the software update file language settings with the languages that are most often used in your environment. For example, if client computers in the site use mostly English and Japanese languages for the operating system or applications, and there are very few other languages used at the site, select English and Japanese in the Software Update File column and clear the other languages. Later, when you download or deploy software updates, the languages will automatically be selected by default and can be modified as necessary.
  11. On the Summary page, confirm the settings for the software update point. You can go back to previous pages and make changes. Click Next to add the site system role, verify that the wizard successfully completed, and then click Close to exit the wizard.

  12. To monitor the installation progress for the software update point, open SUPSetup.log in <InstallationPath>\Logs. When the installation completes, Installation was successful is written to the log file.

After you complete the software update point installation on the site system server, consider the following additional settings available only from Software Update Point Component Properties:

  • Client connection settings: The client connection settings allow you to configure custom ports, whether the software update point accepts communications from clients on the Internet, and to enable SSL communications for the WSUS server. During the initial software update point installation, you selected a standard set of ports, the software update point is configured to accept communications from only clients on the intranet, and SSL communications is not enabled.

  • Internet-based software update point: When the active software update point is configured not to accept communications from clients on the Internet, you can specify an Internet-based software update point that is accessible from clients on the Internet.

  • Network Load Balancing (NLB): You can configure the active software update point or Internet-based software update point to use an NLB cluster. When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

When one of the above configurations is necessary for your software update point, use the following procedure to complete the software update point configuration on the child primary site.

To complete software update point configuration on the child primary site

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Operations, click Sites, and then select the child primary site.

  3. On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point. The Software Update Point Component Properties opens.

  4. On the General tab, configure the following settings:

    • Active software update point for this site: Specifies whether the active software update point is configured, and if so, whether it is installed on the site server, a remote site system server, or configured to use NLB.

      Note
      This setting was configured when you installed the software update point on the site server or site system server. You can change the location for the active software update point by using this setting. When the active software update point is installed on a remote site system server, the Active software update point for the site and Software Update Point Connection Account settings are displayed on this page.
      Important
      When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.
    • Port number: Specifies the HTTP port number configured on the WSUS server.

      Note
      The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point. For information about finding the port numbers used by WSUS, see How to Determine the Port Settings Used by WSUS.
    • SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server.

      Warning
      When the Enable SSL for this WSUS server setting is selected, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.
    • Active software update point: Specifies the name of the remote site system server that you selected as the active software update point.

      Note
      This setting is only displayed when you installed the active software update point on a remote site system server. You can select a different remote site system server for the active software update point by using this setting. Only remote site system servers with the software update point site system role installed are available for you to select. You can have only one active software update point for a site, but multiple site system servers can have the software update point site system role installed and be available to select as the active software update point.
    • Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

      Important
      The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.
    • Allow intranet-only client connections: Specifies that this software update point accepts only connections from clients on the intranet. When you select this setting, the options on the Internet-based tab are enabled and provide you with the option to configure a different remote software update point that accepts connections from clients on the Internet.

    • Allow both intranet and internet client connections: Specifies that this software update point accepts connections from both clients on the intranet and Internet. When this setting is selected, the settings on the Internet-based tab are disabled.

      Enable SSL communications for the WSUS Server: Specifies whether to use SSL communications on the WSUS server. When this setting is selected, the following actions apply:

      • The WSUS server will synchronize software updates metadata using SSL. The upstream update server must be configured for SSL or synchronization will fail.

      • For clients to connect to the WSUS server, both the clients and WSUS Web site must have a trusted root CA in common. Without a common certificate, clients will fail to scan for software update compliance.

      Important
      When the active software update point is configured for SSL, and it is configured to accept both client connections from the Internet and intranet, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.
  5. On the Internet-based tab, configure the following settings:

    Note
    The settings on the Internet-based tab are configurable only when the active software update point is configured for intranet-only client connections, where the Allow intranet-only client connections setting is selected on the General tab.
    • Internet-based software update point: Specifies whether the Internet-based software update point is configured, and if so, whether it is installed on a remote site system server or configured to use NLB.

      Note
      When the active software update point only accepts communication from clients on the intranet and the Internet-based software update point is not configured, clients on the Internet will not scan for software updates compliance. When the active software update point is installed on a remote site system server, the Active server name and Software Update Point Connection Account settings are displayed on this page.
      Important
      When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.
    • Port number: Specifies the HTTP port number configured on the WSUS server. The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point.

      Tip
      For information about finding the port numbers used by WSUS, see How to Determine the Port Settings Used by WSUS.
    • SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server. When the Enable SSL for this WSUS server setting is enabled, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.

    • Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

      Important
      The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.
    • Do not synchronize from the software update point located on the intranet: Specifies that the Internet-based software update point does not synchronize with the active software update point. Select this option if the Internet-based software update point is disconnected from the active software update point. For more information about synchronizing software updates on a disconnected software updates point, see the following procedure in this topic: Synchronize Software Updates from a Disconnected Software Update Point.

      Important
      Even though the Internet-based software update point accepts client connections from the Internet only, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.
  6. Review the settings on the remaining tabs that you configured as part of the software update point installation. For more information about the settings, refer to steps 8-10 in the preceding procedure.


In a Configuration Manager 2012 hierarchy, you should always install and configure the software update point on secondary sites after the software update point has been installed and configured for the parent primary site. Until you install a software update point at the secondary site, clients assigned to the secondary site will automatically use the software update point configured for the parent primary site. Before you install the software update point site system role, you must verify that the server meets required dependencies and you should determine the software update point infrastructure for your site. For example, decide whether to install the software update point on the local site server or a remote site system server, whether to install an Internet-based software update point to accept communications from clients on the Internet, and whether to configure the software update point to use Network Load Balancing (NLB). For more information about planning for software updates, see Planning for Software Updates in Configuration Manager 2012.

Use the following procedure to install and configure the software update point on a secondary site.

To install and configure the software update point for a secondary site

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Operations and click Servers and Site System Roles.

  3. Add the software update point site system role to a new or existing site system server by using the associated step:

    • New site system server: on the Home tab, in the Create group, click Create Site System Server. The Create Server Wizard opens.

    • Existing site system server: click the server on which you want to install the software update point site role. When you click a server, a list of the site system roles that are already installed on the server is displayed in the details pane.

      On the Home tab, in the Server group, click Add Site System Role. The Create Roles Wizard opens.

  4. On the General page, specify the general settings for the site system server. When you add the software update point to an existing site system server, verify the values that were previously configured.

  5. On the System Role Selection page, select Software update point from the list of available roles, and then click Next.

  6. On the Software Update Point page, specify whether the site server will use a proxy server when connecting to the software update point and whether to use credentials to connect to the proxy server, and then click Next.

  7. On the Active Settings page, select Use this server as the active software update point, specify the website and port configurations that are used by WSUS, and then click Next.

    Tip
    To determine the website and port configurations in WSUS, see How to Determine the Port Settings Used by WSUS.
  8. On the Synchronization Source page, Synchronize from an upstream update server is automatically selected to synchronize software updates from the software update point at the parent primary site. The Synchronize from Microsoft Update and Do not synchronize from Microsoft Update settings are available only when configuring the software update point on the central administration site or stand-alone primary site.

  9. Specify whether to create WSUS reporting events, and then click Next. Configuration Manager does not use these events so you will typically choose the default setting Do not create WSUS reporting events.

  10. On the Languages page, specify the languages for which you want to synchronize software update files, and then click Next. The Software Update File setting is configured at each software update point in the Configuration Manager 2012 hierarchy. Secondary sites will automatically use the summary details (metadata about the software updates) configured for the software update point at the central administration site.

    Note
    The languages configured for the Software Update File setting provide the default set of languages that will be available when downloading software updates at the site. You should configure the software update file language settings with the languages that are most often used in your environment. For example, if client computers in the site use mostly English and Japanese languages for the operating system or applications, and there are very few other languages used at the site, select English and Japanese in the Software Update File column and clear the other languages. Later, when you download or deploy software updates, the languages will automatically be selected by default on the Language Selection page of the wizard and can be modified as necessary.
  11. On the Summary page, confirm the settings for the software update point. You can go back to previous pages and make changes. Click Next to add the site system role, verify that the wizard successfully completed, and then click Close to exit the wizard.

  12. To monitor the installation progress for the software update point, open SUPSetup.log in <InstallationPath>\Logs. When the installation completes, Installation was successful is written to the log file.

After you complete the software update point installation on the site system server, consider the following additional settings available only from Software Update Point Component Properties:

  • Client connection settings: The client connection settings allow you to configure custom ports, whether the software update point accepts communications from clients on the Internet, and to enable SSL communications for the WSUS server. During the initial software update point installation, you selected a standard set of ports, the software update point is configured to accept communications from only clients on the intranet, and SSL communications is not enabled.

  • Internet-based software update point: When the active software update point is configured not to accept communications from clients on the Internet, you can specify an Internet-based software update point that is accessible from clients on the Internet.

  • Network Load Balancing (NLB): You can configure the active software update point or Internet-based software update point to use an NLB cluster. When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

When one of the above configurations is necessary for your software update point, use the following procedure to complete the software update point configuration on the secondary site.

To complete software update point configuration on the secondary site

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Operations, click Sites, and then select the secondary site.

  3. On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point. The Software Update Point Component Properties opens.

  4. On the General tab, configure the following settings:

    • Active software update point for this site: Specifies whether the active software update point is configured, and if so, whether it is installed on the site server, a remote site system server, or configured to use NLB.

      Note
      This setting was configured when you installed the software update point on the site server or site system server. You can change the location for the active software update point by using this setting. When the active software update point is installed on a remote site system server, the Active software update point for the site and Software Update Point Connection Account settings are displayed on this page.
      Important
      When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.
    • Port number: Specifies the HTTP port number configured on the WSUS server.

      Note
      The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point. For information about finding the port numbers used by WSUS, see How to Determine the Port Settings Used by WSUS.
    • SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server.

      Warning
      When the Enable SSL for this WSUS server setting is selected, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.
    • Active software update point: Specifies the name of the remote site system server that you selected as the active software update point.

      Note
      This setting is only displayed when you installed the active software update point on a remote site system server. You can select a different remote site system server for the active software update point by using this setting. Only remote site system servers with the software update point site system role installed are available for you to select. You can have only one active software update point for a site, but multiple site system servers can have the software update point site system role installed and be available to select as the active software update point.
    • Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

      Important
      The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.
    • Allow intranet-only client connections: Specifies that this software update point accepts only connections from clients on the intranet. When you select this setting, the options on the Internet-based tab are enabled and provide you with the option to configure a different remote software update point that accepts connections from clients on the Internet.

    • Allow both intranet and internet client connections: Specifies that this software update point accepts connections from both clients on the intranet and Internet. When this setting is selected, the settings on the Internet-based tab are disabled.

      Enable SSL communications for the WSUS Server: Specifies whether to use SSL communications on the WSUS server. When this setting is selected, the following actions apply:

      • The WSUS server will synchronize software updates metadata using SSL. The upstream update server must be configured for SSL or synchronization will fail.

      • For clients to connect to the WSUS server, both the clients and WSUS Web site must have a trusted root CA in common. Without a common certificate, clients will fail to scan for software update compliance.

      Important
      When the active software update point is configured for SSL, and it is configured to accept both client connections from the Internet and intranet, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.
  5. On the Internet-based tab, configure the following settings:

    Note
    The settings on the Internet-based tab are configurable only when the active software update point is configured for intranet-only client connections, where the Allow intranet-only client connections setting is selected on the General tab.
    • Internet-based software update point: Specifies whether the Internet-based software update point is configured, and if so, whether it is installed on a remote site system server or configured to use NLB.

      Note
      When the active software update point only accepts communication from clients on the intranet and the Internet-based software update point is not configured, clients on the Internet will not scan for software updates compliance. When the active software update point is installed on a remote site system server, the Active server name and Software Update Point Connection Account settings are displayed on this page.
      Important
      When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.
    • Port number: Specifies the HTTP port number configured on the WSUS server. The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point.

      Tip
      For information about finding the port numbers used by WSUS, see How to Determine the Port Settings Used by WSUS.
    • SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server. When the Enable SSL for this WSUS server setting is enabled, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.

    • Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

      Important
      The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.
    • Do not synchronize from the software update point located on the intranet: Specifies that the Internet-based software update point does not synchronize with the active software update point. Select this option if the Internet-based software update point is disconnected from the active software update point. For more information about synchronizing software updates on a disconnected software updates point, see the following procedure in this topic: Synchronize Software Updates from a Disconnected Software Update Point.

      Important
      Even though the Internet-based software update point accepts client connections from the Internet only, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.
  6. Review the settings on the remaining tabs that you configured as part of the software update point installation. For more information about the settings, refer to steps 8-10 in the preceding procedure.
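
The certificate requirement stated in the Important notes above (the Web server certificate must contain both the Internet FQDN and the intranet FQDN) can be checked on the WSUS server before SSL is enabled. The following is an added example, not part of the original procedure; the function names, the thumbprint placeholder, and the two contoso.com host names are constructed, and it assumes the WSUS Web site certificate is in the LocalMachine\My store on PowerShell 3.0 or later.

```powershell
# Added example (not from the original page). Function names and sample values are
# assumptions. DnsNameList is populated by the PowerShell Certificate provider from
# the Subject Alternative Name extension (or from the Subject if no SAN is present).

function Test-NameCovered {
    # Returns $true when $Fqdn matches one of the certificate names, either exactly
    # or through a wildcard that replaces exactly one left-most label.
    param([string] $Fqdn, [string[]] $CertNames)
    $want = $Fqdn.ToLowerInvariant()
    foreach ($name in $CertNames) {
        if ($name -eq $want) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)            # "*.contoso.com" -> ".contoso.com"
            if ($want.EndsWith($suffix)) {
                $label = $want.Substring(0, $want.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Test-SupCertificateNames {
    param(
        [Parameter(Mandatory = $true)] [string]   $Thumbprint,    # certificate bound to the WSUS Web site
        [Parameter(Mandatory = $true)] [string[]] $RequiredFqdn   # Internet FQDN and intranet FQDN
    )
    $cert  = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })
    $now   = Get-Date

    foreach ($fqdn in $RequiredFqdn) {
        New-Object psobject -Property @{
            Fqdn          = $fqdn
            CoveredByCert = (Test-NameCovered -Fqdn $fqdn -CertNames $names)
            # A certificate outside its validity window fails client scans as well.
            WithinValidity = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            Issuer        = $cert.Issuer    # clients must trust the root this chains to
        }
    }
}

# Usage with constructed values (replace the thumbprint placeholder and host names):
# Test-SupCertificateNames -Thumbprint '<THUMBPRINT-OF-WSUS-SITE-CERT>' `
#     -RequiredFqdn 'sup01.corp.contoso.com', 'updates.contoso.com' |
#     Format-Table Fqdn, CoveredByCert, WithinValidity, Issuer -AutoSize
```

Any row with CoveredByCert set to False means clients that use that name will fail to scan once SSL is enabled.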


Software updates synchronization in Configuration Manager 2012 is the process of retrieving the software updates metadata that meets the criteria that you configure. The software update point on the central administration site or stand-alone primary site retrieves the metadata from Microsoft Update on a schedule, or you can manually initiate synchronization from the Configuration Manager console. For the synchronization process to complete successfully, the software update point must have access to its upstream update source. When the software update point is disconnected from the upstream update source, you must use the WSUSUtil tool to export software updates metadata from a software updates source and import the metadata to the disconnected software update point. The following table lists the software update point types and the upstream update source to which each software update point requires access.

 

| Software Update Point | Upstream Update Source |
|---|---|
| Central administration site | Microsoft Update (Internet) |
| Stand-alone primary site | Microsoft Update (Internet) |
| Child primary site | Central administration site |
| Secondary site | Parent primary site |
| Remote Internet-based software update point | Active software update point for the site |

Synchronize Software Updates from a Connected Software Update Point

Typically, the software update points in your Configuration Manager 2012 hierarchy will have access to the upstream update source. In this scenario, the software update point for the central administration site or stand-alone primary site will connect to the Internet and synchronize software updates from Microsoft Update, and then send a synchronization request to other sites to initiate the synchronization process. When the synchronization request is received at a site, the software update point for the site retrieves software updates metadata from the upstream update source.

Note
The software update point on child primary sites and secondary sites must be connected to the upstream update server to synchronize software updates. The software update point for the central administration site, or stand-alone primary site, and Internet-based software update points can use the export and import method for synchronizing software update when disconnected from the upstream update source. For more information, see the following procedure in this topic: Synchronize Software Updates from a Disconnected Software Update Point.

When software updates synchronization is initiated on a configured schedule, the active software update point on the central administration site (or stand-alone primary site) will initiate synchronization with Microsoft Update at the scheduled date and time. The custom schedule allows you to synchronize software updates on a date and time when the demands from the WSUS server, site server, and network are low, such as every week at 2:00 AM. A full synchronization is performed during the scheduled synchronization and all changes to the software updates metadata since the last scheduled synchronization are inserted into the site database. This includes new software updates metadata or metadata that has been modified, removed, or is now expired. After synchronization with Microsoft Update is complete, a synchronization request is sent to any active software update points on child primary or secondary sites. You can also manually initiate software updates synchronization on the central administration site or stand-alone primary site in the Configuration Manager 2012 console from the Software Library workspace.

Use the following procedures on the central administration site or stand-alone primary site to schedule or manually initiate software updates synchronization.

To schedule software updates synchronization

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Operations, and then click Sites.

  3. In the results pane, click the central administration site or stand-alone primary site.

  4. On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point.

  5. In the Software Update Point Component Properties dialog box, select Enable synchronization on a schedule, and then specify the synchronization schedule.

To manually initiate software updates synchronization

  1. In the Configuration Manager console connected to the central administration site or stand-alone primary site, click Software Library.

  2. In the Software Library workspace, expand Software Updates, and click All Software Updates or Software Update Groups.

  3. On the Home tab, in the Create group, click Synchronize Software Updates. Click Yes in the dialog box to confirm that you want to initiate the synchronization process.

 

After you initiate the synchronization process on the software update point, you can monitor the synchronization process from the Configuration Manager console for all software update points in your hierarchy. Use the following procedure to monitor the software updates synchronization process.

To monitor the software updates synchronization process

  1. In the Configuration Manager console, click Monitoring.

  2. In the Monitoring workspace, click Software Update Point Synchronization Status.

    The software update points in your Configuration Manager 2012 hierarchy are displayed in the results pane. From this view, you can monitor the synchronization status for all software update points. When you want more detailed information about the synchronization process, you can review the wsyncmgr.log file located in <ConfigMgrInstallationPath>\Logs on each site server.


Synchronize Software Updates from a Disconnected Software Update Point

When the software update point for the central administration site or stand-alone primary site is disconnected from the Internet, or when an Internet-based software update point is disconnected from the active software update point for the site, you must use the export and import functions of the WSUSUtil tool to synchronize software updates metadata. You will export software updates metadata from the WSUS database on a specified export server, copy locally stored license terms files to the disconnected software update point, and then import the software updates metadata to the WSUS database on the disconnected software update point. Use the following table to help you identify the export server from which to export the software updates metadata.

 

| Software Update Point | Upstream Update Source for Connected Software Update Points | Export Server for a Disconnected Software Update Point |
|---|---|---|
| Central administration site | Microsoft Update (Internet) | Choose a WSUS server that has synchronized with Microsoft Update using the software update classifications, products, and languages that you need in your Configuration Manager 2012 environment. |
| Stand-alone primary site | Microsoft Update (Internet) | Choose a WSUS server that has synchronized with Microsoft Update using the software update classifications, products, and languages that you need in your Configuration Manager 2012 environment. |
| Remote Internet-based software update point | Active software update point for the site | You should choose the software update point for the central administration site or the active software update point for the same site as the export server, if possible. However, you can choose any other software update point in the Configuration Manager 2012 hierarchy as long as it contains the most recent software updates. |

Before you start the export process, you should verify that software updates synchronization has completed on the selected export server to ensure that the most recent software updates metadata is synchronized. To verify that software updates synchronization has completed successfully, use the following procedure.

To verify that software updates synchronization has completed successfully on the export server

  1. Open the WSUS Administration console and connect to the WSUS database on the export server.

  2. In the WSUS Administration console, click Synchronizations. A list of the software updates synchronization attempts is displayed in the results pane.

  3. In the results pane, find the latest software updates synchronization attempt and verify that it completed successfully.

Important
The WSUSUtil tool must be run locally on the export server to export the software updates metadata and on the disconnected software update point server to import the software updates metadata. In addition, the user running the WSUSUtil tool must be a member of the local Administrators group on each server.

Export Process for Software Updates

The export process for software updates consists of two main steps: one to copy locally stored license terms files to the disconnected software update point, and one to export software updates metadata from the WSUS database on the export server.

Use the following procedure to copy the local license terms metadata to the disconnected software update point.

To copy local files from the export server to the disconnected software update point server

  1. On the export server, navigate to the folder where software updates and the license terms for software updates are stored. By default, WSUS stores the files at <WSUSInstallationDrive>\WSUS\WSUSContent\, where WSUSInstallationDrive is the drive on which WSUS is installed.

  2. Copy all files and folders from this location to the WSUSContent folder on the disconnected software update point server.

Use the following procedure to export the software updates metadata from the WSUS database on the export server.

To export software updates metadata from the WSUS database on the export server

  1. At the command prompt on the export server, navigate to the folder that contains WSUSutil.exe. By default, the tool is located at %ProgramFiles%\Update Services\Tools. For example, if the tool is located in the default location, type cd %ProgramFiles%\Update Services\Tools.

  2. Type the following to export the software updates metadata to a package file:

    wsusutil.exe export packagename logfile

    For example:

    wsusutil.exe export export.cab export.log

    The format can be summarized as follows: WSUSutil.exe is followed by the export option, the name of the export .cab file created during the export operation, and the name of a log file. WSUSutil.exe exports the metadata from the export server and creates a log file of the operation.

    Note
    The package (.cab file) and log file name must be unique in the current folder.
  3. Move the export package to the folder that contains WSUSutil.exe on the import WSUS server.

    Note
    Moving the package to this folder provides an easy import experience. You can move the package to any location accessible to the import server, and then specify the location when running WSUSutil.exe.

Import Software Updates Metadata

Use the following procedure to import software updates metadata from the export server to the disconnected software update point.

Important
Never import exported data from a source that you do not trust. Importing content from a source you do not trust might compromise the security of your WSUS server.

To import metadata to the database of the import server

  1. At the command prompt on the import WSUS server, navigate to the folder that contains WSUSutil.exe. By default, the tool is located at %ProgramFiles%\Update Services\Tools.

  2. Type the following:

    wsusutil.exe import packagename logfile

    For example:

    wsusutil.exe import export.cab import.log

    The format can be summarized as follows: WSUSutil.exe is followed by the import command, the name of the package file (.cab) created during the export operation (and the path to the package file if it is in a different folder), and the name of a log file. WSUSutil.exe imports the metadata from the export server and creates a log file of the operation.
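
The export and import procedures above move a .cab file between servers by hand, and the Important note warns against importing data from an untrusted source. The following added example (not part of the original procedure) wraps the same two wsusutil.exe commands so that the export server records a SHA-256 hash of the package and the import server refuses to import unless the file matches a hash received over a separate channel. The function names and the hash hand-off are assumptions, as is treating a non-zero exit code from wsusutil.exe as failure; Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example (not from the original page). Function names are assumptions.
$ToolsDir = Join-Path $env:ProgramFiles 'Update Services\Tools'   # default location given in the procedure

function Assert-LocalAdministrator {
    # The procedure requires membership in the local Administrators group on each server.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated session as a member of the local Administrators group.'
    }
}

function Export-WsusMetadataWithHash {
    # Run on the export server. Returns the package path and its SHA-256 hash.
    param(
        [Parameter(Mandatory = $true)] [string] $PackageName,   # for example export.cab
        [Parameter(Mandatory = $true)] [string] $LogName        # for example export.log
    )
    Assert-LocalAdministrator
    Push-Location -LiteralPath $ToolsDir
    try {
        # Package and log file names must be unique in the current folder.
        foreach ($name in $PackageName, $LogName) {
            if (Test-Path -LiteralPath $name) {
                throw "'$name' already exists in $ToolsDir; choose a unique name."
            }
        }
        & .\wsusutil.exe export $PackageName $LogName
        # Assumption: a non-zero exit code signals failure. The package check below
        # catches a failed export even if that assumption does not hold.
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $PackageName)) {
            throw "Export did not produce '$PackageName'; review '$LogName'."
        }
        $file = Get-Item -LiteralPath $PackageName
        New-Object psobject -Property @{
            Package = $file.FullName
            Sha256  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
    finally { Pop-Location }
}

function Import-WsusMetadataVerified {
    # Run on the disconnected software update point. $ExpectedSha256 must arrive
    # separately from the package (not in a file that travels next to the .cab).
    param(
        [Parameter(Mandatory = $true)] [string] $PackagePath,
        [Parameter(Mandatory = $true)] [string] $ExpectedSha256,
        [Parameter(Mandatory = $true)] [string] $LogName        # for example import.log
    )
    Assert-LocalAdministrator
    $package = (Resolve-Path -LiteralPath $PackagePath -ErrorAction Stop).Path
    $actual  = (Get-FileHash -LiteralPath $package -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {     # string comparison is case-insensitive
        throw "Hash mismatch for '$package'. Expected $ExpectedSha256, got $actual. Import aborted."
    }
    Push-Location -LiteralPath $ToolsDir
    try {
        if (Test-Path -LiteralPath $LogName) {
            throw "'$LogName' already exists in $ToolsDir; choose a unique name."
        }
        & .\wsusutil.exe import $package $LogName
        if ($LASTEXITCODE -ne 0) {
            throw "wsusutil.exe import exited with code $LASTEXITCODE; review '$LogName'."
        }
    }
    finally { Pop-Location }
}

# Usage:
#   On the export server:
#     $result = Export-WsusMetadataWithHash -PackageName export.cab -LogName export.log
#     $result.Sha256     # hand this value to the import operator out of band
#   On the disconnected software update point:
#     Import-WsusMetadataVerified -PackagePath .\export.cab `
#         -ExpectedSha256 '<HASH-FROM-EXPORT-OPERATOR>' -LogName import.log
```

A matching hash shows only that the package was not altered after export; whether the export server itself is a trusted source remains the operator's decision.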


There are client settings and group policy configurations that have an impact on software updates. This section provides information about how to verify or change the default settings associated with software updates.

Configure Software Updates Client Agent Settings

After you install the software update point, the software updates client agent is enabled by default and you are not required to configure any specific client agent settings, but you should review the settings to ensure that the default values meet your needs. Use the following procedure to review and configure the client agent settings associated with software updates.

To configure client agent settings

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, click Client Settings.

  3. Click Default Client Agent Settings or the custom settings object that you want to configure.

  4. On the Home tab, in the Properties group, click Properties.

  5. In the client agent settings dialog box, click Software Updates. The client agent settings for software updates are displayed.

    • Computer Agent: Verify that the device settings are configured with appropriate default values.

    • Computer Restart: Verify that the restart countdown interval is configured with appropriate default values.

    • Network Access Protection (NAP): Specify whether to enable NAP on clients.

      Note
      Enabling the Network Access Protection client agent makes it possible for Configuration Manager 2012 clients that support NAP and are assigned to this site to evaluate software updates for their statement of health. Configuration Manager 2012 can also monitor clients that are in remediation for any NAP policy defined on the Network Policy Server. If you do not have a System Health Validator point for computers in this site, non-compliant computers in this site cannot have Configuration Manager NAP policies enforced and cannot be restricted through Network Access Protection. Before enabling Network Access Protection, ensure that clients have the Windows Network Access Protection Agent service started and set to automatic, and that the Windows Network Access Protection infrastructure is in place.
    • Software Updates: Verify the default software update client settings.

Group Policy Settings

The following Group Policy settings are required for the Windows Update Agent (WUA) on client computers to connect to WSUS on the active software updates point and successfully scan for software update compliance.

Specify Intranet Microsoft Update Service Location Local Policy

When the active software update point is created for a site, clients receive a machine policy that provides the active software update point server name and configures the Specify intranet Microsoft update service location local policy on the computer. The WUA retrieves the server name specified in the Set the intranet update service for detecting updates setting, and then connects to this server when it scans for software updates compliance. When a domain policy has been created for the Specify intranet Microsoft update service location setting, it overrides the local policy, and the WUA might connect to a server other than the active software update point. If this happens, the client might scan for software update compliance based on different products, classifications, and languages. Therefore, we recommend that you do not configure the domain policy for client computers.

Allow Signed Content from Intranet Microsoft Update Service Location Group Policy

Before the WUA on computers will scan for software updates that were created and published using System Center Updates Publisher, the Allow signed content from intranet Microsoft update service location Group Policy setting must be enabled. When the policy setting is enabled, WUA will accept software updates received through an intranet location if the software updates are signed in the Trusted Publishers certificate store on the local computer. For more information about the Group Policy settings required for Updates Publisher, see the Updates Publisher help file.
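
Both Group Policy settings described above end up as values under the Windows Update policy registry key on the client, so a client can be checked for a domain policy that points the WUA away from the active software update point. The following is an added example, not part of the original topic; the function name and the sample host name are constructed, and the caller supplies the host name of the active software update point.

```powershell
# Added example (not from the original page). The function name is an assumption.
# WUServer and AcceptTrustedPublisherCerts are the registry values written by the
# "Specify intranet Microsoft update service location" and "Allow signed content
# from intranet Microsoft update service location" policies.

function Get-WuaPolicyState {
    param(
        [Parameter(Mandatory = $true)] [string] $ExpectedSupHost   # FQDN of the active software update point
    )
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $wuServer = $null
    $accept   = $null
    if ($policy) {
        $wuServer = $policy.WUServer
        $accept   = $policy.AcceptTrustedPublisherCerts
    }

    # WUServer is a URL such as http://server:port; compare only the host part.
    $configuredHost = $null
    $uri = $null
    if ($wuServer -and [Uri]::TryCreate($wuServer, [UriKind]::Absolute, [ref] $uri)) {
        $configuredHost = $uri.Host
    }

    New-Object psobject -Property @{
        ComputerName                 = $env:COMPUTERNAME
        WUServer                     = $wuServer
        ConfiguredHost               = $configuredHost
        # False here means the WUA scans against a server other than the active
        # software update point, which is the override condition described above.
        PointsToExpectedSup          = ($configuredHost -and
                                        $configuredHost -eq $ExpectedSupHost)
        # Needed only for updates published with System Center Updates Publisher.
        SignedIntranetContentAllowed = ($accept -eq 1)
    }
}

# Usage with a constructed host name:
# Get-WuaPolicyState -ExpectedSupHost 'sup01.corp.contoso.com' |
#     Format-List ComputerName, WUServer, PointsToExpectedSup, SignedIntranetContentAllowed
```

The registry value does not record which policy wrote it; when PointsToExpectedSup is False, run gpresult on the client to see whether a domain Group Policy object sets the intranet update service location.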


Concepts