Install ConfigMgr Software Update Point Role

7/21/2021 Complete Guide To Install SCCM Software Update Point Role
Menu
Complete Guide to Install SCCM Software Update

Point Role
Last Updated : March 23, 2020
This post covers the steps to install SCCM Software Update Point (SUP) role. My goal here is
to cover the detailed steps to install and configure software update point role in SCCM.
A software update point (SUP) integrates with Windows Server Update Services (WSUS) to
provide software updates to Configuration Manager clients.
If you decide to deploy software updates to your clients using SCCM, you must ensure the
software update point role is installed and configured correctly. You can follow this guide to
accomplish the task.
Table of Contents
1. What is Software Update Point in Configuration Manager
2. Software Update Point Requirements
3. Install SCCM Software Update Point Role
3.1. Specify Software Update Point Settings
3.2. Software Update Point proxy server settings
3.3. WSUS Server Connection Account
3.4. SUP Synchronization Source Settings
3.5. WSUS Reporting Events
3.6. SUP Synchronization Settings
3.7. Supersedence Rules

https://www.prajwaldesai.com/install-sccm-software-update-point-role/ 1/35
3.8. WSUS Maintenance Options
3.9. Configure Max Run time for Software Update Installation
3.10. Software Update Content Configuration
3.11. Software Update Point Classifications
3.12. SUP Products Selection
4. Verify Software Update Point Role Installation
5. Perform Initial SUP Synchronization
6. Enable SUP Classifications and Products
7. What’s Next
What is Software Update Point in Configuration Manager
A software update point is a WSUS server controlled by Configuration Manager. We know

that WSUS is a standalone solution that enables the administrators to deploy the latest
Microsoft product updates.
Unlike WSUS the clients do not download or install updates directly from a software update
point. Instead the only data downloaded by the client from a software update point is the
update metadata.
In order to deploy updates to client computers, the software update point role is required
on the central administration site and on the primary sites. While the SUP role install is
optional on secondary sites.
So if you have got a SCCM hierarchy consisting of CAS, Primary site and Secondary sites,
you install the role on CAS first, then primary site and secondary sites.
Most organizations don’t have CAS and prefer to have a stand-alone primary site. When
you have a stand-alone primary site, you must install and configure the software update
point on the primary site first, and then optionally on secondary sites.
Most of all the software update point site system role must be installed on a server that has
WSUS role installed. I have covered the WSUS role installation in most of my current branch
baseline install guides.
For stand-alone WSUS install, check the following post WSUS installation on Windows
Server 2019.
The software update point interacts with the WSUS services to configure the software
update settings and to request synchronization of software updates metadata. I would
recommend reading the “Plan for Software Updates” article by Microsoft.
Software Update Point Requirements
Before you install the SCCM SUP role on a Windows Server, ensure you read the below
listed prerequisites.
Always refer this article before you install site system servers and roles on Windows
Servers. This is important because the role that you intend to install must be on a
supported Windows Server OS.
Ensure you enable .NET Framework 3.5 under Windows Server roles and features. In
addition, install a supported version of the .NET Framework version 4.5 or later.
Starting in version 1906, Configuration Manager supports .NET Framework 4.8.
Install the Windows Server Update Services on a computer before installing a software
update point. This is a very important prerequisite.
If you plan to install both WSUS and SUP role on a distribution point server, it is
supported.
When you install a new site, ConfigMgr automatically installs SQL Server Native Client.
However the Configuration Manager doesn’t upgrade SQL Server Native Client. Make
sure this component is up to date.
Tip – When you install WSUS role on Windows Server 2019, the WSUS version is
10.0.17763.1. And it’s version 10.0.14393 when you install WSUS role on Windows Server
2016.
Install SCCM Software Update Point Role
Using the below steps, install Software Update Point role in SCCM.
Launch the SCCM console.

Navigate to Administration > Overview > Site Configuration > Servers and Site
System Roles.
Right-click the server on which you wish to install Software Update Point role and
click Add Site System Roles.
Install Software Update Point Role in Configuration Manager
On the General page, click Next.
On the Proxy page, you can specify proxy server details if you have it in your setup.
Otherwise click Next.
Finally we are on the System Role Selection step. From the list of available roles, select
Software Update Point. Click Next.
Specify Software Update Point Settings
On the Specify software update point settings page, under WSUS configuration you find
two options.
WSUS configured to use ports 80 and 443 for client communications.

WSUS configured to use ports 8530 and 8531 for client communications.
The WSUS upstream and downstream servers will synchronize on the port configured by
the WSUS Administrator. Select the second option here because it’s a default setting for
WSUS installed on Windows Server 2012 and above. The firewall on the WSUS server must
be configured to allow inbound traffic on these ports.
We also see two other options :-
Require SSL communication to WSUS Server – With this options checked or

enabled, you can use the SSL protocol to help secure the WSUS that runs on the
software update point. WSUS uses SSL to authenticate client computers and
downstream WSUS servers to the WSUS server.
Allow Configuration Manager cloud management gateway traffic – Enable this
option for the software update point site system to accept CMG traffic.
Click Next.
Software Update Point proxy server settings
If you have a proxy server configured in your setup, specify the proxy server settings for
SUP. The options are greyed out because you must configure the site system role to use a
proxy server first.
WSUS Server Connection Account
You can configure an account to be used by the site server when it connects to WSUS that
runs on the software update point. When you don’t configure this account, the
Configuration Manager uses the computer account for the site server to connect to WSUS.
Click Next.
SUP Proxy Account Settings
SUP Synchronization Source Settings
In this step you select a synchronization source for the software update point. In other
words you define the source from where updates download.
Synchronize from Microsoft Update – Use this setting to synchronize software

updates metadata from Microsoft Update. In case you have an upstream software
update point configure, this option is unavailable. Note that this setting is available
only when you configure the software update point on the top-level site.
Synchronize from an upstream data source location – Use this option to
synchronize software updates metadata from the upstream synchronization source. If
you select this option, specify a URL, such as https://WSUSServer:8531, where 8531 is
the port that is used to connect to the WSUS server.
Do not synchronize from Microsoft Update or upstream data source – Use this
option to manually synchronize software updates when the software update point at
the top-level site is disconnected from the Internet.
WSUS Reporting Events
You can create WSUS reporting events on the Synchronization Source page of the wizard or
on the Sync Settings tab in Software Update Point Component Properties.
Do not create WSUS reporting events

Create only WSUS status reporting events
Create all WSUS reporting events
Since the Configuration Manager doesn’t use these events, you can leave the default
option enabled – Do not create WSUS reporting events. Click Next.
Specify Synchronization Source settings and WSUS reporting events
SUP Synchronization Settings
You can define a synchronization schedule and configure the software updates to sync
automatically. Click Enable synchronization on a schedule box and configure the sync
schedule.
You can either select Simple Schedule (also known as recurring schedule) or go with a
custom schedule. By default the synchronization occurs every 7 days. You can change it if
required.
You can also let Configuration Manager create an alert when the synchronization fails on
the site. I prefer to enable this option because I get to see an SUP sync failed alert in the
Configuration Manager console.
Click Next.
SUP Synchronization Schedule
Supersedence Rules
On this page you can configure the software update to expire as soon as it is superseded
by a recent update. You can also set a software update to expire after specific period of
time.
Starting in Configuration Manager version 1810, you can specify the supersedence rules
behavior for feature updates separately from non-feature updates. This is a nice addition.
Under Supersedence behavior for updates and feature updates, you find the below options.
Immediately expire a superseded software update

Do not expire a superseded software update until the software update is superseded
for specific period. When you select this option, you must specify the months to wait
before a superseded software update expires. By default it is set to 3 months.
At this point, I will go with the default settings and click Next.
Supersedence Rules
WSUS Maintenance Options
To automate the cleanup procedures after each synchronization, Microsoft has added some
cool WSUS Maintenance options. If you are using Configuration Manager version 1906 or
newer, you will find these options.
I will explain each of these options in a separate post. For now I will only list the options.
Decline expired updates in WSUS according to supersedence rules

Add non-clustered indexes to the WSUS database
Remove obsolete updates from the WSUS database
Since we are installing the SUP for the first time, you can leave these options unchecked.
We can later revisit and enable them.
Click Next.
Configure WSUS Maintenance Options
Configure Max Run time for Software Update Installation
Specify the maximum amount of time for a software update installation to complete. I am
going to leave the values to default because they look fine to me. However you can change
the values if required.
Maximum run time for Windows feature updates – 120 minutes

Maximum run time for Office 365 updates and non-feature updates for Windows – 60
minutes.
Click Next.
Configure Maximum Run Time
Software Update Content Configuration
On this page you have to select whether you want to deploy full files for approved updates
or deploy both full files and express installation files.
Express installation files download quickly because of lesser size and install quickly.
I am going to select Download full files for all approved updates and click Next.
software update content configuration
Software Update Point Classifications

When you say you deploy a software update, it is actually very broad term. This is because
every software update is defined with an update classification. This helps to organize the
different types of updates.
When you setup SUP, during the synchronization process, the site synchronizes the
metadata for the specified classifications. To know about these software update
classifications, refer this article.
Once you know what classifications you require, you can enable them under All
Classifications.
Wait a minute, let me cover something very important here. When you first install the
software update point on the top-level site, you must clear all of the software updates
classifications.
I don’t know if this is a recommended method but believe me I do this every time I install
software update point in Configuration Manager. After the initial software updates
synchronization, configure the classifications from an updated list, and then re-initiate
synchronization.
Click Next.
SUP classifications
SUP Products Selection
As we didn’t select anything from All Classifications, we won’t select any of these products
for now. Moreover you may not see all the products listed because we haven’t performed
the initial SUP synchronization.
We will select the products once we complete the initial SUP synchronization. Click Next.
SUP products
For every language, you can select the software update files and summary info to
download. In this example, I will select only English language. Click Next.
Specify language settings
On the Summary page, click Next.
Click Close on Add Site System Roles wizard Completion box. This completes the
installation of Software Update point role in SCCM.
Verify Software Update Point Role Installation
The SCCM log files are the best way to find out the SUP role installation status. In my other
blog I have listed the software updates related log files which you can refer during software
updates troubleshooting.
In most cases the installation goes well however if it fails you must know which log file to
check. The SUP log files are located under <Drive:>\Program Files\Microsoft Configuration
Manager\Logs
So the first log file you must open is SUPSetup.log. Look for the line Installation was
successful. With this we ensure the software update point role installation is successful in
SCCM.
SUPSetup.log
======== Installing Pre Reqs for Role SMSWSUS ========

Found 1 Pre Reqs for Role SMSWSUS
Pre Req SqlNativeClient found.
SqlNativeClient is already installed (Product Code: {9D93D367-A2CC-4378-BD63-79E
Pre Req SqlNativeClient is already installed. Skipping it.
======== Completed Installation of Pre Reqs for Role SMSWSUS ========
Installing the SMSWSUS
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734
Checking runtime v4.0.30319...
Found supported assembly Microsoft.UpdateServices.Administration version 4.0.0.0,
Found supported assembly Microsoft.UpdateServices.BaseApi version 4.0.0.0, file ver
Supported WSUS version found

Supported WSUS Server version (6.2.17763.678) is installed.
CTool::RegisterManagedBinary: run command line: "C:\Windows\Microsoft.NET\Frame
CTool::RegisterManagedBinary: Failed to register C:\Program Files\Microsoft Configu

CTool::RegisterManagedBinary: run command line: "C:\Windows\Microsoft.NET\Frame
CTool::RegisterManagedBinary: Registered C:\Program Files\Microsoft Configuration
Registered DLL C:\Program Files\Microsoft Configuration Manager\bin\x64\wsusmsp
Installation was successful.
~RoleSetup().
Perform Initial SUP Synchronization
Here is how you perform the initial software update synchronization after you install SUP
role in SCCM.
First of all launch the SCCM console.

Go to Software Library > Overview > Software Updates > All Software Updates.
On the top ribbon, click Synchronize Software Updates.
On the confirmation box, click Yes.
When you run the initial SUP sync, it tries to sync categories but notice what happens. If
you open wsyncmgr.log file, it tells you that Request filter does not contain any known
categories or classifications. Hence sync will do nothing.
At this point, let the sync complete. If you see the line “Done synchronizing SMS with
WSUS Server” it means the SUP sync is complete.
wsyncmgr.log file
sync: SMS synchronizing categories SMS_WSUS_SYNC_MANAGER

sync: SMS synchronizing categories, processed 0 out of 355 items (0%)
WARNING: Request filter does not contain any known classifications. Sync will do no
WARNING: Request filter does not contain any known categories. Sync will do nothin
Done synchronizing SMS with WSUS Server
Enable SUP Classifications and Products
After the initial WSUS Sync is complete, let’s enable the classifications and products under
software update point role.
In the Configuration Manager console, navigate to Administration > Overview > Site
Configuration > Sites. Select the site, right click and click Configure Site Components >
Software Update Point.
Software Update Point Properties
On the Software Update Point component properties box, select Classifications tab. Enable
the ones that you require. In this example, I am selecting Critical Updates and Security
Updates.
Enable SUP Classifications
Next, click Products tab and select the products. In this example I am selecting Windows
10 product. Once you are done with selections, click Apply and OK.
Enable SUP Products
After you select Classifications and Products, you must run the software update point
synchronization again. Only then you will see the updates for selected products appearing
in the console.
Open the wsyncmgr.log file and you will notice the updates synchronization begins. Based
on the products and classifications that you select, it takes time for the process to
complete.
SCCM SUP Synchronization
During the sync process, you may not find any updates listed under All Software Updates.
Once the SUP synchronization is complete, notice the updates listed under Software
Updates.
Windows 10 Updates
What’s Next
Let me list some useful posts that can refer after you setup SCCM software update point
role.
How to deploy Software Updates using SCCM

Deploy Office 365 updates using ConfigMgr
SCCM Catalogs for Third-Party Software Updates
Sponsored AD
Sponsored AD
Sponsored AD
Pulseway
© Copyright 2021 All Rights Reserved | Prajwal Desai

Install ConfigMgr Software Update Point Role

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Install ConfigMgr Software Update Point Role

Uploaded by

Copyright:

Available Formats

7/21/2021 Complete Guide To Install SCCM Software Update Point Role

Complete Guide to Install SCCM Software Update

2. Software Update Point Requirements

3. Install SCCM Software Update Point Role

3.1. Specify Software Update Point Settings

3.2. Software Update Point proxy server settings

3.3. WSUS Server Connection Account

3.4. SUP Synchronization Source Settings

3.5. WSUS Reporting Events

3.6. SUP Synchronization Settings

3.7. Supersedence Rules

3.8. WSUS Maintenance Options

3.9. Configure Max Run time for Software Update Installation

3.10. Software Update Content Configuration

3.11. Software Update Point Classifications

3.12. SUP Products Selection

4. Verify Software Update Point Role Installation

5. Perform Initial SUP Synchronization

6. Enable SUP Classifications and Products

What is Software Update Point in Configuration Manager

A software update point is a WSUS server controlled by Configuration Manager. We know

Software Update Point Requirements

Install SCCM Software Update Point Role

Launch the SCCM console.

Install Software Update Point Role in Configuration Manager

On the General page, click Next.

Specify Software Update Point Settings

WSUS configured to use ports 80 and 443 for client communications.

We also see two other options :-

Require SSL communication to WSUS Server – With this options checked or

Software Update Point proxy server settings

WSUS Server Connection Account

SUP Proxy Account Settings

SUP Synchronization Source Settings

Synchronize from Microsoft Update – Use this setting to synchronize software

WSUS Reporting Events

Do not create WSUS reporting events

Specify Synchronization Source settings and WSUS reporting events

SUP Synchronization Settings

SUP Synchronization Schedule

Immediately expire a superseded software update

WSUS Maintenance Options

Decline expired updates in WSUS according to supersedence rules

Remove obsolete updates from the WSUS database

Configure WSUS Maintenance Options

Configure Max Run time for Software Update Installation

Maximum run time for Windows feature updates – 120 minutes

Configure Maximum Run Time

Software Update Content Configuration

software update content configuration

Software Update Point Classifications

SUP Products Selection

Specify language settings

On the Summary page, click Next.

Verify Software Update Point Role Installation

======== Installing Pre Reqs for Role SMSWSUS ========

Supported WSUS version found

CTool::RegisterManagedBinary: Failed to register C:\Program Files\Microsoft Configu

Perform Initial SUP Synchronization

First of all launch the SCCM console.

Perform Initial SUP Synchronization

On the confirmation box, click Yes.

Perform Initial SUP Synchronization

sync: SMS synchronizing categories SMS_WSUS_SYNC_MANAGER