When you don't configure this account, Configuration Manager uses the computer account of the site server to connect to WSUS. Where in the wizard you configure the account depends on the version of Configuration Manager that you use. For more information about Configuration Manager accounts, see Accounts used.
You can configure the upstream synchronization source for software updates synchronization on the Synchronization Source page of the wizard, or on the Sync Settings tab in Software Update Point Component Properties. Your options for the synchronization source vary depending on the site. Use the following table for the available options when you configure the software update point at a site.
The following list provides more information about each option that you can use as the synchronization source.
Synchronize from Microsoft Update: Use this setting to synchronize software updates metadata from Microsoft Update. The central administration site must have Internet access; otherwise, synchronization will fail. This setting is available only when you configure the software update point on the top-level site.
You can also choose to restrict access on the firewall to limited domains. For more information about how to plan for a firewall that supports software updates, see Configure firewalls. Ensure that the internet access requirements are met for each of the WSUS servers. If internet access requirements aren't met, then sync failures can occur.
You may see different software update points at the top-level site syncing with Microsoft.
Synchronize from an upstream data source location: Use this setting to synchronize software updates metadata from the upstream synchronization source. The child primary sites and secondary sites are automatically configured to use the parent site URL for this setting. You have the option to synchronize software updates from an existing WSUS server.
Do not synchronize from Microsoft Update or upstream data source: Use this setting to manually synchronize software updates when the software update point at the top-level site is disconnected from the Internet. For more information, see Synchronize software updates from a disconnected software update point.
Configuration Manager doesn't use WSUS reporting events; therefore, you'll normally keep the default setting, Do not create WSUS reporting events.
Configure the synchronization schedule on the Synchronization Schedule page of the wizard or in the Software Update Point Component Properties.
This setting is configured only on the software update point at the top-level site. If you enable the schedule, you can configure a recurring simple or custom synchronization schedule. When you configure a simple schedule, the start time is based on the local time for the computer that runs the Configuration Manager console at the time when you create the schedule. When you configure the start time for a custom schedule, it's based on the local time for the computer that runs the Configuration Manager console.
Schedule software updates synchronization to run using a time frame that is appropriate for your environment. One typical scenario is to set the software updates synchronization schedule to run shortly after Microsoft's regular security update release on the second Tuesday of each month, which is normally referred to as Patch Tuesday. Another typical scenario is to set the software updates synchronization schedule to run daily when you use software updates to deliver the Endpoint Protection definition and engine updates.
When you choose not to enable software updates synchronization on a schedule, you can manually synchronize software updates from the All Software Updates or Software Update Groups node in the Software Library workspace. For more information, see Synchronize software updates. You can configure the supersedence rules only on the top-level site. You can also specify the supersedence rules behavior for feature updates separately from non-feature updates. On this page, you specify when superseded software updates are expired in Configuration Manager. Expiring them prevents them from being included in new deployments and flags the existing deployments to indicate that they contain one or more expired software updates.
You can specify a period of time before the superseded software updates are expired, which allows you to continue to deploy them. For more information, see Supersedence rules. The default setting is to wait 3 months before expiring a superseded update. The 3-month default gives you time to verify that the update is no longer needed by any of your client computers. It's recommended that you don't assume that superseded updates should be immediately expired in favor of the new, superseding update.
You can display a list of the software updates that supersede the software update on the Supersedence Information tab in the software update properties. The Supersedence Rules page of the wizard is available only when you configure the first software update point at the site.
Edited by fern.
Bless you guys. You have been very helpful. Just to recap. Is that all I need to open for clients that need Windows updates? For the SCCM server all I need to open is Is that all? Thanks Jason. I think I was reading it the wrong way. Is my assumption below correct?
Edited by vintagevintage Tuesday, November 18, AM.
File and printer sharing and WMI need to be opened on the clients since the SCCM server will be initiating the process to install on the clients using client push.
Not necessarily. Client push is just one method to deploy the client agent. There are other methods that do not require this.
Internet-based clients always download content from the Microsoft Update cloud service. Don't distribute software update deployment packages to a content-enabled cloud management gateway (CMG). Most customers use other third-party applications that also need updates.
There are several options to consider for keeping third-party applications up to date. Use a supersedence relationship with the application management feature in Configuration Manager to upgrade or replace existing applications.
When you supersede an application, specify a new deployment type to replace the deployment type of the superseded application.
Also decide whether to upgrade or uninstall the superseded application before the superseding application is installed. For more information, see Revise and supersede applications. You can use the Third-Party Software Update Catalogs node in the Configuration Manager console to subscribe to third-party catalogs, publish their updates to your software update point, and then deploy them to clients.
For more information, see Third-party software updates. System Center Updates Publisher (SCUP) is a stand-alone tool that enables independent software vendors or line-of-business application developers to manage custom updates. These updates include those with dependencies, like drivers and update bundles.
SCUP can also be used for third-party update catalogs that aren't available directly in the console. For more information, see System Center Updates Publisher. This section provides information about the steps to take to successfully plan and prepare for the software update point installation.
Before you create a site system role for the software update point in Configuration Manager, there are several requirements to consider. The specific requirements depend on your Configuration Manager infrastructure. When you configure the software update point to communicate by using HTTPS, this section is especially important to review. HTTPS-enabled servers require additional steps to work properly. Install the software update point role on a site system that meets the minimum requirements for WSUS and the supported configurations for Configuration Manager site systems.
For more information about the minimum requirements for the WSUS server role in Windows Server, see Review considerations and system requirements. For more information about the supported configurations for Configuration Manager site systems, see Site and site system prerequisites. Install a supported version of WSUS on all site system servers that you configure for the software update point role.
When you don't install the software update point on the site server, install the WSUS Administration Console on the site server. This component allows the site server to communicate with WSUS that runs on the software update point. This component performs periodic health checks. Choose one of the following options to configure the required permission: Configure a minimum of the webService database role membership. When you install more than one software update point at a primary site, use the same WSUS database for each software update point in the same Active Directory forest.
Sharing the same database improves performance when clients switch to a new software update point. When you install WSUS, you'll need to provide a content directory path. Otherwise it shares the same website that's used by the other Configuration Manager site systems or applications. This configuration is especially necessary when you install the software update point role on the site server.
Specify these ports when you create the software update point at a site. When you add the software update point role on a primary site server, you can't use a WSUS server that's configured as a replica.
The first software update point that you install at a primary site is the default software update point. Additional software update points at the site are configured as replicas of the default software update point.
Using the SSL protocol to help secure the software update point is highly recommended. If you still require a user proxy despite the security trade-offs, a new software updates client setting is available to allow these connections.
The software update point at a Configuration Manager central administration site communicates with WSUS on the software update point. WSUS communicates with the synchronization source to synchronize software updates metadata. Software update points at a child site communicate with the software update point at the parent site.
When there's more than one software update point at a primary site, the additional software update points communicate with the default software update point. The default role is the first software update point that's installed at the site.
When your security policy doesn't allow the connection, use the export and import synchronization method. For more information, see the Synchronization source section in this article. If your organization restricts network communication with the internet using a firewall or proxy device, you need to allow the active software update point to access internet endpoints. For more information, see Internet access requirements. Software updates synchronization in Configuration Manager downloads the software updates metadata based on criteria that you configure.
The top-level site in your hierarchy synchronizes software updates from Microsoft Update. You have the option to configure the software update point on the top-level site to synchronize with an existing WSUS server, not in the Configuration Manager hierarchy. The child primary sites synchronize software updates metadata from the software update point on the central administration site.
Before you install and configure a software update point, use this section to plan for the synchronization settings. The synchronization source settings for the software update point specify the location for where the software update point retrieves software updates metadata.
It also specifies whether the synchronization process creates WSUS reporting events. Synchronization source : By default, the software update point at the top-level site configures the synchronization source for Microsoft Update.
You have the option to synchronize the top-level site with an existing WSUS server. The software update point on a child primary site configures the synchronization source as the software update point at the central administration site. The first software update point that you install at a primary site, which is the default software update point, synchronizes with the central administration site.
Additional software update points at the primary site synchronize with the default software update point at the primary site. When a software update point is disconnected from Microsoft Update or from the upstream update server, configure the synchronization source not to synchronize with a configured synchronization source.
Instead, configure it to use the export and import function of the WSUSUtil tool to synchronize software updates. For more information, see Synchronize software updates from a disconnected software update point. WSUS reporting events aren't used by Configuration Manager. When these events aren't created, the only time that the client should connect to the WSUS server is during software update evaluation and compliance scans.
If these events are needed for reporting outside of Configuration Manager, modify this setting to create WSUS reporting events. Configure the synchronization schedule only at the software update point on the top-level site in the Configuration Manager hierarchy. When you configure the synchronization schedule, the software update point synchronizes with the synchronization source at the date and time that you specified.
The custom schedule allows you to synchronize software updates to optimize for your environment. Consider the performance demands of the WSUS server, site server, and network.
For example, AM once a week. Alternatively, manually start synchronization on the top-level site by using the Synchronization Software Updates action from the All Software Updates or Software Update Groups nodes in the Configuration Manager console. Schedule the software updates synchronization to run by using a time that's appropriate for your environment.
One common scenario is to set the synchronization schedule to run shortly after Microsoft's regular software update release on the second Tuesday of each month. This day is typically referred to as Patch Tuesday. If you use Configuration Manager to deliver Endpoint Protection and Windows Defender definition and engine updates, consider setting the synchronization schedule to run daily.
After the software update point successfully synchronizes, it sends a synchronization request to child sites. If you have additional software update points at a primary site, it sends a synchronization request to each software update point.
This process is repeated on every site in the hierarchy. Every software update is defined with an update classification that helps to organize the different types of updates. During the synchronization process, the site synchronizes the metadata for the specified classifications.
Critical Updates: A broadly released update for a specific problem that addresses a critical, non-security-related bug.
Feature Packs: New product features that are distributed outside of a product release and are typically included in the next full product release.
Security Updates: A broadly released update for a product-specific, security-related issue.
Service Packs: A cumulative set of hotfixes that is applied to an OS or application. These hotfixes include security updates, critical updates, and software updates.
Update Rollups: A cumulative set of hotfixes that is packaged together for easy deployment. An update rollup generally addresses a specific area, such as security or a product component.
Configure the update classification settings only on the top-level site. The update classification settings aren't configured on the software update point on child sites, because the software updates metadata is replicated from the top-level site. When you select the update classifications, be aware the more classifications that you select, the longer it takes to synchronize the software updates metadata. As a best practice, clear all classifications before you synchronize for the first time.
After the initial synchronization, select the desired classifications, and then rerun synchronization. The metadata for each software update defines one or more products for which the update is applicable.
A product is a specific edition of an OS or application. An example of a product is Microsoft Windows. A product family is the base OS or application from which the individual products are derived. An example of a product family is Microsoft Windows, of which Windows 10 and Windows Server are members. Select a product family or individual products within a product family.
When software updates are applicable to multiple products, and at least one of the products is selected for synchronization, all of the products appear in the Configuration Manager console even if some products weren't selected. For example, you only select the Windows Server product. If a software update applies to Windows Server and Windows Server Datacenter Edition, both products are in the site database. Configure the product settings only on the top-level site.
The product settings aren't configured on the software update point for child sites because the software updates metadata is replicated from the top-level site. The more products that you select, the longer it takes to synchronize the software updates metadata.
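The synchronization source, reporting events, schedule, supersedence wait period, classifications and products described in the planning sections above can be set from the Configuration Manager PowerShell module instead of the wizard. This is an added example, not code from the page or from Microsoft; it assumes the console's module is installed on the machine, a constructed site code PS1, a constructed product name, and the cmdlet and parameter names of Set-CMSoftwareUpdatePointComponent, New-CMSchedule and Sync-CMSoftwareUpdate as they exist in that module (verify with Get-Help before use).

```powershell
# Added example (not from the page or Microsoft). Assumed: the ConfigMgr console
# PowerShell module is present, site code PS1 is a constructed placeholder, and the
# cmdlet/parameter names below match the module (check Get-Help before running).
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
$SiteCode = 'PS1'          # constructed placeholder for the top-level site
Set-Location "$($SiteCode):"

# Synchronization source for the top-level site: Microsoft Update. Configuration
# Manager doesn't consume WSUS reporting events, so keep the default of not creating them.
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode `
    -SynchronizeAction SynchronizeFromMicrosoftUpdate `
    -ReportingEvent DoNotCreateWsusReportingEvents

# Schedule: daily sync, appropriate when the site delivers definition and engine
# updates. Start time is the local time of the computer running the console.
# For a monthly sync shortly after Patch Tuesday, the second Wednesday is a common
# choice (assumed parameter set):
#   New-CMSchedule -Start (Get-Date '02:00') -DayOfWeek Wednesday -WeekOrder Second -RecurCount 1
$daily = New-CMSchedule -Start (Get-Date '02:00') -RecurInterval Days -RecurCount 1
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode `
    -EnableSynchronization $true -Schedule $daily

# Supersedence: keep the 3-month grace period rather than expiring immediately, so
# clients still on a superseded update can be checked before it leaves deployments.
# Feature updates are configured separately from non-feature updates.
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode `
    -ImmediatelyExpireSupersedence $false -WaitMonth 3 `
    -ImmediatelyExpireSupersedenceForFeature $false -WaitMonthForFeature 3

# Classifications and products (top-level site only): the page recommends clearing
# all classifications for the first sync, then adding only what you need, because each
# extra classification or product lengthens synchronization. 'Windows Server 2019' is
# an example product name chosen here, not taken from the page.
Set-CMSoftwareUpdatePointComponent -SiteCode $SiteCode `
    -AddUpdateClassification 'Security Updates', 'Critical Updates' `
    -AddProduct 'Windows Server 2019'

# Start a full synchronization now instead of waiting for the schedule; progress is
# logged in wsyncmgr.log on the site server.
Sync-CMSoftwareUpdate -FullSync $true
```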