The software update point in Configuration Manager 2007 is a required component of software updates and is installed as a site system role in the Configuration Manager console. The software update point site system role must be created on a site system server that has Windows Server Update Services (WSUS) 3.0 installed and that interacts with the WSUS components to configure update settings, to request synchronization to the upstream update server, and to synchronize the updates from the WSUS database to the site server database. For more information about software updates synchronization, see About Software Updates Synchronization.

Software Update Point Settings

The software update point settings configure which site system server is the active software update point, which site system server is the active Internet-based software update point if one is specified at the site, the synchronization source, synchronization schedule, and the products, classifications, and languages for which software updates will be synchronized.

General Settings

The general settings in the New Site Role Wizard and Software Update Point Component properties specify whether the active software update point is a local server or a remote server, or whether it uses a Network Load Balancing (NLB) cluster. These settings also specify which port settings are used for connectivity to the site system server that is assigned the software update point role, whether a Software Update Point Connection account should be used instead of the computer account when the site server connects to the WSUS components on the site system server, whether Internet-based clients are allowed to connect to the software update point when the site is in native mode, and whether Secure Sockets Layer (SSL) is used when synchronizing data from the active software update point and when clients connect to the WSUS server on the active software update point.

When the site is in native mode, the active software update point is configured to accept communication only from client computers on the intranet, and there are Internet-based client computers assigned to the site, you must follow a specific procedure to install and configure an active Internet-based software update point. For more information, see How to Create and Configure an Active Internet-Based Software Update Point.

Important
When the active software update point is configured for SSL, and it is configured to accept both client connections from the Internet and intranet, the Web server certificate must contain both the Internet FQDN and the intranet FQDN. For more information about certificate requirements, see Certificate Requirements for Native Mode.

Internet-Based Settings

When the Configuration Manager 2007 site server is in native mode and the active software update point is configured with Do not allow access from Internet-based clients, a software update point site system role must be created (not configured as the active software update point), and then you must configure the software update point site system server to be the active Internet-based software update point on the Internet-Based tab in the Software Update Point Component Properties dialog box. You can specify whether the active Internet-based software update point is a remote server or uses NLB, which port settings are used for connectivity to the software update point server, whether a Software Update Point Connection account should be used instead of the computer account when the site server connects to the WSUS components on the site system server, and whether the Internet-based software update point should synchronize with the active software update point for the site. If synchronization is not configured, the export and import function for the WSUSUtil tool must be used to synchronize software update metadata. Internet-based software update points are automatically configured to use SSL.

Important
Even though the active Internet-based software update point accepts client connections from the Internet only, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.

Synchronization Settings

The synchronization settings for the active software update point specify the synchronization source and whether WSUS reporting events are created during the synchronization process.

  • Synchronization Source: The synchronization source for the active software update point at the central site is configured to use Microsoft Update. The active software update points on child sites are automatically configured to use the active software update point on its parent site as the synchronization source. When there is an active Internet-based software update point, the active software update point for the site is automatically configured to be the synchronization source. Optionally, the active software update point or active Internet-based software update point can be configured not to synchronize with the configured synchronization source, but instead use the export and import function of the WSUSUtil tool. For more information, see How to Synchronize Updates Using Export and Import.

  • WSUS Reporting Events: The Windows Update Agent on client computers can create event messages that are used for WSUS reporting. These events are not used in Configuration Manager 2007 software updates, and therefore, the Do not create WSUS reporting events setting is selected by default. When these events are not created, the only time the client computer should connect to the WSUS server is during software update evaluation and compliance scans. If these events are needed for reporting outside of software updates in Configuration Manager 2007, you will need to modify this setting to create WSUS status reporting events or create all WSUS reporting events depending on your needs.

Synchronization Schedule

The synchronization schedule can be configured only at the active software update point on the central site. When the synchronization schedule is configured, the active software update point on the central site will initiate synchronization with Microsoft Update at the scheduled date and time. The custom schedule allows you to synchronize software updates on a date and time when the demands from the WSUS server, site server, and network are low, such as every week at 2:00 AM. Alternatively, synchronization can be initiated on the central site by using the Run Synchronization action from the Update Repository node in the Configuration Manager console.

Note
Scheduled synchronizations perform full synchronization, but using the Run Synchronization action performs only delta synchronization. Software updates are marked as expired if they are superseded by another software update or marked as expired in the catalog, but are marked as expired only during scheduled synchronization.

After the active software update point has successfully synchronized with Microsoft Update, a synchronization request is sent to the active Internet-based software update point, if installed, and to the active software update point on child sites. The process is repeated on every site in the hierarchy.

Update Classifications

Every software update is defined with an update classification that helps to organize the different types of updates. During the synchronization process, the software updates metadata for the specified classifications will be synchronized. Configuration Manager 2007 provides the ability to synchronize software updates with the following update classifications:

  • Critical Updates: Specifies a broadly released update for a specific problem that addresses a critical, non security-related bug.

  • Definition Updates: Specifies an update to virus or other definition files.

  • Drivers: Specifies an update to software components designed to support hardware.

  • Feature Packs: Specifies new product features that are distributed outside of a product release and typically included in the next full product release.

  • Security Updates: Specifies a broadly released update for a product-specific, security-related issue.

  • Service Packs: Specifies a cumulative set of hotfixes that are applied to an application. These hotfixes can include security updates, critical updates, software updates, and so on.

  • Tools: Specifies a utility or feature that helps to complete one or more tasks.

  • Update Rollups: Specifies a cumulative set of hotfixes that are packaged together for easy deployment. These hotfixes can include security updates, critical updates, updates, and so on. An update rollup generally addresses a specific area, such as security or a product component.

  • Updates: Specifies an update to an application or file currently installed.

The update classification settings are configured only on the central site. The update classification settings are not configured on the active software update point and active Internet-based software update point, if configured, on child sites because the software updates metadata is replicated from the central site down the hierarchy. When selecting the update classifications, be aware that the more classifications that are selected, the longer it takes to synchronize the software updates metadata.

Products

The metadata for each software update defines what product or products for which the update is applicable. A product is a specific edition of an operating system or application, for example, Microsoft Windows Server 2003. A product family is the base operating system or application from which the individual products are derived. An example of a product family is Microsoft Windows, of which Microsoft Windows Server 2003 is a member. You can specify a product family or individual products within a product family.

When software updates are applicable to multiple products, and at least one of the products has been selected for synchronization, all of the products will appear in the Configuration Manager console even if some have not been selected. For example, if Windows Server 2003 is the only operating system that you have subscribed to, and if a software update applies to Windows Server 2003 and Windows Server 2003 Datacenter Edition, both products will show up in the Configuration Manager repository.

The product settings are configured only on the active software update point on the central site. The product settings are not configured on the active software update point on child sites and active Internet-based software update point, if configured, because the software updates metadata is replicated from the central site down the hierarchy. When selecting the products, be aware that the more products that are selected, the longer it takes to synchronize the software updates metadata.

Languages

The language settings for the software update point allow you to configure the languages for which the summary details (software updates metadata) will be synchronized for a software update and the update file languages that will be downloaded for the software update.

Note
In Systems Management Server (SMS) 2003, the download.ini file stored the configuration settings for the languages that were used. The download.ini file is no longer used when synchronizing software updates.

Update File

The languages configured for the update file setting provide the default set of languages that will be available when downloading software updates at the site. When on the Language Selection page of the Deploy Software Updates Wizard or Download Software Updates Wizard, the languages configured for the active software update point are automatically selected, but can be modified each time updates are downloaded or deployed. When the wizard completes, the software update files for the configured languages are downloaded, if update files are available in the selected language, to the deployment package source location and copied to the distribution points configured for the package.

The update file language settings should be configured with the languages that are most often used in your environment. For example, if client computers in the site use mostly English and Japanese languages for the operating system or applications, and there are very few other languages used at the site, select English and Japanese in the Update File column and clear the other languages. This allows you to most often use the default settings on the Language Selection page of the wizards and also prevents unneeded update files from being downloaded. This setting is configured at each software update point in the Configuration Manager 2007 hierarchy.

Summary Details

During the synchronization process, the summary details information (software updates metadata) is updated for the software updates in the languages specified. The metadata provides the information about the software update, such as name, description, products that the update supports, update classification, article ID, download URL, applicability rules, and so on.

The summary details settings are configured only on the active software update point on the central site server. The summary details are not configured on the active software update point on child sites and Internet-based software update point, if configured, because the software updates metadata is replicated from the central site down the hierarchy. When selecting the summary details languages, you should select only the languages needed in your environment. The more languages that are selected, the longer it takes to synchronize the software updates metadata. The software updates metadata is displayed in the locale of the operating system where the Configuration Manager console is running. If the localized properties for the software updates are not available, the information displays in English.

Important
It is very important that you select all of the summary details languages that will be needed in your Configuration Manager hierarchy. When the active software update point on the central site is synchronized, the selected summary details languages determine what software updates metadata is retrieved. If the summary details languages are modified after the synchronization has run at least one time, the metadata is retrieved for the modified summary details languages for only new or updated software updates. The software updates that have already been synchronized will not retrieve metadata for different languages unless there is a change to the update on Microsoft Update.

Using Existing WSUS Servers for the Active Software Update Point

You can use a WSUS server that was active in your environment before installing Configuration Manager 2007. When the active software update point or active Internet-based software update point is configured, the synchronization settings are specified. A component of the software update point then configures the WSUS server with the same settings. When the WSUS server was previously synchronized with products or classifications that were not configured as part of the active software update point settings, the software updates metadata for the products and classifications will be synchronized for all of the software updates metadata from the WSUS server regardless of the synchronization settings for the active software update point. This might result in metadata for products or classifications that is unexpected. You will experience the same behavior when adding products or classifications directly in the WSUS console of the active software update point and immediately initiating synchronization. Every hour, by default, Configuration Manager will connect to WSUS running on the active software update point and reset any settings that were modified within the WSUS console.

See Also