SCCM-005 Software Updates

Combining our SCCM (System Center Configuration Manager) server with a WSUS (Windows Server Update Services) server for update management is a common and effective strategy.

When configuring a server to have the Software Update Point (SUP) role, it is mandatory to have the WSUS service installed on that targeted SUP server.

https://learn.microsoft.com/en-us/mem/configmgr/sum/understand/software-updates-introduction


Software Updates Synchronization

Depending on your network architecture and management needs, you can either integrate a WSUS server into Configuration Manager (as an SUP) or use a separate, non-integrated WSUS server for update synchronization. Both are viable options; the key is to choose the configuration that best fits the needs of your organization.

Synchronization on the top-level site

Synchronization on child primary and secondary sites

Troubleshooting Failure of Software Updates Synchronization

In SCCM, the logs for software update synchronization are crucial for troubleshooting and understanding the synchronization process. These logs are located on the server where the SUP role is installed. Here are the key log files to look at:

Synchronization Service Manager UI

Although not a log file, the Synchronization Service Manager UI in the WSUS Administration Console can be helpful. It provides a visual representation of the synchronization process, including any errors or warnings.

This screenshot shows the Synchronization Service Manager UI and my current sync status, which is problematic. I’ll review additional logs to troubleshoot why the synchronization hasn’t started.

WsyncMgr.log

Location: Located in the <ConfigMgrInstallationPath>\Logs folder on the server where the SCCM primary site or Central Administration Site (CAS) is installed.

Purpose: This log is crucial for troubleshooting software update synchronization. It records the details of the synchronization process, including any issues encountered during synchronization with WSUS or Microsoft Update.

I discovered a log event indicating that the WSUS update source was not found. This directs me to the WCM.log for further configuration details.

WCM.log

Location: Also found in the <ConfigMgrInstallationPath>\Logs folder on the SUP server.

Purpose: It provides information about the Configuration Manager and WSUS configuration settings.

According to the WCM log, it appears to be attempting to connect to my WSUS server, but the request failed due to a principal permission issue.

WSUSCtrl.log

Location: Located in the <ConfigMgrInstallationPath>\Logs folder on the server where the SUP is installed.

Purpose: This log file records details about the configuration, health, and status of the WSUS service on the SUP.
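
To review the three logs above without opening each one by hand, the following added example (not part of the original post) extracts warning and error entries and flags the permission failure discussed in this section. It assumes the logs use the standard CMTrace entry layout; the function names `Get-CmLogIssue` and `Get-SupSyncIssue` and the sample entries are constructed for illustration.

```powershell
# Added example: keep warnings (type 2) and errors (type 3) from CMTrace-format text.
function Get-CmLogIssue {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Text,
        [string]$LogName = 'inline'
    )
    # One entry: <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+' +
               'component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'
    $severity = @{ 2 = 'Warning'; 3 = 'Error' }
    # Singleline lets a message span several physical lines.
    $options = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($Text, $pattern, $options)) {
        $type = [int]$m.Groups['type'].Value
        if (-not $severity.ContainsKey($type)) { continue }
        $msg = $m.Groups['msg'].Value.Trim()
        [pscustomobject]@{
            Log        = $LogName
            Date       = $m.Groups['date'].Value
            Time       = $m.Groups['time'].Value
            Component  = $m.Groups['comp'].Value
            Severity   = $severity[$type]
            Permission = $msg -match 'principal permission'  # failure quoted from WCM.log
            Message    = $msg
        }
    }
}

# Scan the three logs named in this section; LogDir is <ConfigMgrInstallationPath>\Logs.
function Get-SupSyncIssue {
    param([Parameter(Mandatory)][string]$LogDir)
    foreach ($name in 'WsyncMgr.log', 'WCM.log', 'WSUSCtrl.log') {
        $path = Join-Path $LogDir $name
        if (Test-Path -LiteralPath $path) {
            Get-CmLogIssue -Text (Get-Content -LiteralPath $path -Raw) -LogName $name
        }
    }
}

# Constructed sample entries (not taken from a real server).
$sample = @'
<![LOG[Starting sync]LOG]!><time="09:00:01.120+000" date="01-15-2024" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="example.cpp:1">
<![LOG[WSUS update source not found]LOG]!><time="09:00:02.480+000" date="01-15-2024" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4120" file="example.cpp:2">
<![LOG[Request for principal permission failed]LOG]!><time="09:00:05.910+000" date="01-15-2024" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="3" thread="5012" file="example.cpp:3">
'@
Get-CmLogIssue -Text $sample -LogName 'sample' |
    Format-Table Log, Time, Component, Severity, Permission, Message -AutoSize
```

On the SUP server, call `Get-SupSyncIssue -LogDir` with the actual Logs folder path to run the same filter over the live files.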

Based on my analysis of previous screenshots, I encountered an issue with the synchronization manager. This was initially indicated by a ‘Request for principal permission failed’ error message in the WCM.log. Upon further investigation, I discovered a local admin group named ‘WSUS Administrator.’ It appears that the device or user account managing the SCCM synchronization requires assignment to this role. Consequently, I assigned the ‘WSUS Administrator’ role to both my user account and the SCCM site server. After waiting for approximately one synchronization cycle, which I had set for 1 hour, the issue seemed to be resolved.
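
The group change described above can be scripted and audited on the WSUS server. This is an added example, not the author's own commands; it assumes the local group is the `WSUS Administrators` group created by the WSUS role (the post refers to it as ‘WSUS Administrator’), and the function name `Add-WsusAdminMember`, the domain `CONTOSO` and the site server name `SCCM01` are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotently add principals to the WSUS admin group, then list
# the resulting membership so unexpected entries are easy to spot.
function Add-WsusAdminMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Member,
        [string]$Group = 'WSUS Administrators'   # assumed name of the local group
    )
    # Fail early if the group does not exist (WSUS role not installed on this host).
    $current = @(Get-LocalGroupMember -Group $Group -ErrorAction Stop |
                 Select-Object -ExpandProperty Name)
    foreach ($m in $Member) {
        if ($current -contains $m) {
            Write-Verbose "$m is already a member of '$Group'"
            continue
        }
        if ($PSCmdlet.ShouldProcess($Group, "Add $m")) {
            Add-LocalGroupMember -Group $Group -Member $m -ErrorAction Stop
        }
    }
    # Membership after the change (unchanged when run with -WhatIf).
    Get-LocalGroupMember -Group $Group |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Hypothetical names. A computer account is written with a trailing '$'.
# -WhatIf previews the change; remove it to apply.
Add-WsusAdminMember -Member 'CONTOSO\SCCM01$' -WhatIf
```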


Configure the Software Update Point

1. Install WSUS on a Server:

Firstly, we need to have WSUS installed on a server. This can usually be done through the Server Manager in Windows Server by adding the WSUS role.

2. Configure WSUS to Become Part of the SCCM Hierarchy:

In the SCCM console, you’ll need to configure WSUS as a Software Update Point (SUP). This role integrates SCCM with WSUS, enabling SCCM to manage and deploy updates.

Go to the Administration workspace, navigate to Site Configuration > Servers and Site System Roles, and then add the “Software Update Point” role to the server running WSUS.

3. Set Up WSUS Settings in SCCM:

Within the SCCM console, configure your WSUS settings. This includes specifying the products and classifications of updates you want to manage, the schedule for synchronization with Microsoft Update, and other settings.

After completing the setup, the WSUS server will be visible in the list:

Initial WSUS Configuration: Initially, the classifications and products set up on the WSUS server are imported into SCCM when the WSUS is first configured as an SUP.
SCCM Takes Precedence: Once the WSUS server is integrated into SCCM as an SUP, the management of update classifications and products primarily happens within SCCM. Any changes made through the SCCM console (like adding or removing update classifications or products) will override the original settings on the WSUS server. Therefore, SCCM’s settings determine which updates are synchronized and managed.


Software updates compliance assessment

Software updates compliance states

Required: This state indicates that the update is necessary for the client computer. It means the update is applicable but has not yet been installed, or a restart is required to complete the installation, or the latest state message about the update’s installation status has not yet been processed by the SCCM server.

Not Required: The update is not applicable to the client computer, so it’s not needed.

Installed: As per the documentation, this indicates that the update is applicable and has already been successfully installed on the client computer.

Unknown: This state is typically shown when the SCCM system has not yet received sufficient information to determine the update’s status on the client.