Friday, 2 September 2016

Synchronizing Updates with Export and Import

When a software update point is not configured or cannot synchronize with its upstream server in the Configuration Manager 2012 hierarchy, the export and import functions of the WSUSUtil tool can be used to synchronize Software Updates metadata manually. The user who performs the export/import must be a member of the local Administrators group on the WSUS server, and the tool must be run locally on the WSUS server itself.

The files found in the WSUSContent folder (by default located in <WSUSInstallDrive>\WSUS\ WSUSContent) must also be copied from the upstream update server to the software update point so that locally stored updates and the license terms for the updates are available to the import server. This procedure can also be used for migrating the software update content from Configuration Manager 2007 to Configuration Manager 2012.

To export and import software updates from the export WSUS server to the import WSUS server, follow these steps:
1. Copy files from the export server to the import server:
     a. On the export server, go to the folder where software updates and the license terms for those software updates are stored. By default, this will be <WSUSInstallDrive>\WSUS\ WSUSContent.
     b. Copy all of these files to the same folder on the import server.

2. Export metadata from the database of the export server:
     a. At a command prompt on the export WSUS server, go to the folder that contains WSUSUtil.exe. By default, this will be located at %ProgramFiles%\Update Service\ Tools.
     b. Then enter the following:
                     WSUSUTIL.exe export packagename logfile 
The name of packagename doesn’t really matter, as long as it and the log file are unique in that folder. This command will export the Software Updates metadata into a file called packagename.cab.
     c. Move the export package that you just made to the folder that contains WSUSUtil.exe on the import WSUS server.

3. Import metadata to the database of the import server:
     a. At a command prompt on the WSUS server that you are importing the updates to, go to the folder that contains WSUSUtil.exe, which is %Program Files%\Update Services\ Tools.
     b. Enter
WSUSUTIL.exe import packagename logfilewith packagename being the name of the export file that you exported in step 2.

This will import all the metadata from the exporting server and create a log file that you can use to review the status.

Configuring Software Updates Settings and Synchronization

Software updates in Configuration Manager 2012 must be synchronized with Microsoft Update or an upstream WSUS server before information on those updates will be available to view in the Configuration Manager console. Synchronization starts at the highest level in the hierarchy that has a software update point and either has a configured schedule or is started manually using the Run Synchronization action.

When synchronization is started on a configured schedule, all changes to the Software Updates metadata since the last scheduled sync are inserted into the site database. This will include metadata for new software updates or metadata that has been modified or deleted. When a sync is started manually, only new software updates metadata since the last sync is inserted into the database. The manual sync process is faster since it is not pulling as much Software Updates metadata. A manual sync action is available only on parent sites.

To manually sync the software update point, do the following:

1. In the Configuration Manager console, choose the Software Library workspace ➢
Overview ➢ Software Updates ➢ All Software Updates.
2. Select the Home tab of the ribbon and click Synchronize Software Updates. Click Yes to initiate a sitewide synchronization of software updates.

The synchronization process might take longer than an hour to finish, depending on several factors, including whether a synchronization has been run before and what languages, products, and update classifications have been configured to be synchronized. You can monitor the synchronization process by looking at the log file for WSUS Synchronization Manager, wsyncmgr.log. This is located by default at %Program Files%/Microsoft Configuration Manager/Logs.

When the synchronization is complete, you will see a 6702 status message from SMS_WSUS_SYNC_MANAGER.
New in Configuration Manager 2012 is that you also can monitor the synchronization in the Configuration Manager console.

To monitor the synchronization in the hierarchy do the following:
1. In the Configuration Manager console, choose the Monitoring workspace ➢ Overview ➢
software update point Synchronization Status.
2. Look at the synchronization status, the link state, and the catalog versions. When the synchronization with Microsoft Update is complete (either from a schedule or started manually) at the highest site in the hierarchy, sync requests are sent to all child sites, and they in turn start synchronization with their configured upstream WSUS servers as soon as the request has finished processing.

The Software Updates metadata that is synced from Microsoft Update is based on the update classes, products, and languages that were selected when the software update point was first configured. A child site will synchronize whatever updates have been configured on its parent site.
Although all of the settings for update classes, products, and so on were configured at
the setup of the software update point, you can still reconfigure these options if needed. To
configure the update properties for software updates, follow these steps.
1. In the Configuration Manager console, choose the Administration workspace ➢
Overview ➢ Site Configuration ➢ Sites, and select the site that is the highest in the
hierarchy.
2. Choose Configure Site Components on the Settings section of the Home tab of the ribbon,
and click software update point.
3. To configure Update Classifications, click the Classifications tab, as shown in Figure 

4. To configure products that are being synced, click the Products tab, as shown in Figure

 5. To configure languages that are being synced, click the Languages tab, as shown in Figure .

 6. To reconfigure the supersedence settings, click the Supersedence Rules tab, as shown in Figure



To configure the software updates synchronization schedule, follow these steps:
1. In the Configuration Manager console choose the Administration workspace ➢ Overview ➢ Site Configuration ➢ Sites, and select the site that is the highest in the hierarchy.
2. Choose Configure Site Components on the Settings section of the Home tab of the ribbon, and click software update point.
3. To configure the synchronization schedule, click the Sync Schedule tab, as shown in Figure



 

4. To enable synchronization on a schedule, select Enable Synchronization On A Schedule, and set the schedule as you want it.
5. When you have finished, click OK to save the schedule.
Unless you change the Start value in the custom schedule, synchronization will be started as soon as possible and will repeat based on the schedule that you configured.
6. If you want alerts to be reported in the Alerts node of the Configuration Manager 2012 console, enable the Alert When Synchronization Fails On Any Site In The Hierarchy option.

How to Check the Installation of the Software Update Point

After the installation of the software update point(s) it is a good idea to check some log files to be sure that the software update point(s) are installed correctly.

1. To monitor the install of the software update point, open the SUPSetup.log in the 
<Configuration Manager Install Path>\Logs or %SMS_LOG_PATH% folder.When the install has finished, you will see the text “Installation Was Successful.”
 
2. Open the WCM.log in the same directory to verify that the connection to the WSUS server worked.
 
When the connection to the WSUS server is made and the WSUS components are checked, you will see

There are no unhealthy WSUS Server components on WSUS Server servername and 
Successfully checked database connection on WSUS server servername in the log file.

Setting Up the Software Update Point in a Stand-alone Primary Site


Setting Up the Software Update Point in a Primary Site That Is a Child of a CAS


Setting Up the Software Update Point in the Central Administration Site


Setting Up the Software Update Point

There can be several Configuration Manager site systems with the software update point system role, but there can be only one site system server configured as the software update point that synchronizes with a synchronization source like Microsoft Update in a Configuration Manager site. By default this is the first software update point you install in your environment. All other software update points are replicas of the first one you installed and use that one as the synchronization source.

When your Configuration Manager site is in HTTPS mode, you can have an Internet-based software update point assigned to a remote site system server that allows communication from only Internet-based client computers. Also, if the first software update point is on a Network Load Balancing cluster, there should be a software update point installed on every server that is in the NLB cluster. When you have a Central Administration Site in your Configuration Manager 2012 hierarchy, you first need to install and configure a software update point at one of the site servers in your Central Administration Site.


Installing the WSUS 3.0 Administrative Console from the Command Prompt

Take the following steps to install the administrative console using the command line:

1. In the folder where you have already downloaded the WSUS installer file, open a command
prompt.
2. In the command prompt window, type the following command:
 
           WSUS3Setupx86.exe /q CONSOLE_INSTALL=1
The WSUS 3.0 SP2 administrative console will then install silently.
3. Verify the install .

To verify that the install completed, click Start ➢ All Programs ➢ Administrative Tools, and then choose Windows Server Update Services. To verify that connectivity, connect to the WSUS server that you are going to use with Configuration Manager.

Installing the WSUS Administrative Console Using the Setup Wizard

Take the following steps to install the administrative console using the wizard:
 
1. Double-click the WSUSSetup_30SP2_x86.exe setup file that you downloaded earlier.
2. Click Next to get past the first page of the wizard, and then select Administrator Console Only. Click Next again.
3. Click I Accept The Terms Of The License Agreement, and click Next.
4. If you see the Required Components to Use Administration UI page, click Next. 

The Microsoft Report Viewer 2005 Redistributable will have to be installed, because it is required to open the WSUS console. It isn’t needed when you are using WSUS with Configuration Manager, however.
 
5. When the wizard is done, click Finish.
6. To verify that the install completed, click Start ➢ All Programs ➢ Administrative Tools, and then choose Windows Server Update Services. To verify that connectivity, connect to the WSUS server that you are going to use with Configuration Manager.

Installing the Windows Server Update Services 3.0 SP2 Administrative Console

The Windows Server Update Services 3.0 SP2 Administrative Console is required on the Configuration Manager 2012 site server, if WSUS is installed on a remote server, to allow it to communicate with WSUS so it can configure and synchronize software update points. The WSUS Administrative Console can be installed using the WSUS 3.0 Setup Wizard or installed silently from a command line.

To install the WSUS on a Configuration Manager site server, follow one of the procedures discussed in the sections that follow.

Installing the Downloaded WSUS Version

To install the downloaded version of WSUS, perform the following steps:
 
1. Double-click the WSUS install file that you downloaded, WSUSSetup_30SP2_x86.exe (or WSUSSetup_30SP2_x64.exe for the 64-bit version of Windows Server 2003), and you will see the opening page of the Windows Server Update Server 3.0 Setup Wizard.
2. Click Next, and then select Full Server Installation Including Administration Console and click Next again.
3. Click the I Accept The Terms Of The License Agreement check box, and then click Next. The next screen will ask you to choose if you want updates to be stored on the WSUS server and where you want to store them. You must accept the default and store a copy of these updates locally.
4. Choose where you want to keep these files, and then click Next.
The next page lets you choose your database options.

     ◆ If you are not installing WSUS on a Configuration Manager site, the default of Install Windows Internal Database On This Computer is probably your best option, because it installs Microsoft SQL Server 2005 Embedded Edition just for the purpose of managing WSUS. This will save you from having to purchase another full SQL Server license for WSUS and managing another instance of SQL as well.
     ◆ If you are installing WSUS on a Configuration Manager primary site server and it has the resources to handle it, then we recommend going ahead and using the instance of the SQL Server that is already installed. (If it doesn’t have the resources, you probably shouldn’t be installing WSUS on this server anyway.) Having two versions of SQL installed on the same server could cause problems in the long run, and they would be competing for the same resources.

Depending on what you choose, WSUS will either create the Windows Internal Database or test the connection to the existing SQL Server instance.
5. Once that is done, click Next.
6. The next page of the wizard, shown in Figure, lets you choose how to configure the WSUS website.
Microsoft recommends that you choose to make a custom website if you are using WSUS as a software update point, even if the WSUS server is remote from the Configuration Manager site system. You should definitely use the custom site option if you are installing WSUS on a Configuration Manager site, so that the install will not interfere with the other Configuration Manager components that use IIS. By default, the custom WSUS website uses HTTP port 8530 and HTTPS 8531. Click Next.
7. Review the settings and click Next. When the wizard is done, click Finish. The WSUS configuration wizard will start up after that, but you should close it, because Configuration Manager will take care of configuring all of the settings for WSUS.

Why we should Never Configure WSUS Using the WSUS Console

When you use WSUS in combination with the software update point role, you should never use the WSUS console to configure WSUS. Always use the Configuration Manager 2012 console to configure the software update point.

Installing WSUS on Windows Server 2008 R2

To add the WSUS role to Windows Server 2008 R2, perform the following steps:

1. Start the Windows Server 2008 R2 Server Manager from the Administrative Tools section
of the console.
2. Click Roles and select Add Roles, and then click Next at the Before You Begin page.
3. Select Windows Server Update Services, and click Next.
4. Read the introduction to WSUS, and click Next.
5. Confirm the settings, and click Install.
 
Once the download is finished, you will see the welcome screen of the WSUS 3.0 SP2 Setup Wizard.

6. Click Next.
7. Click the I Accept The Terms Of The License Agreement check box, and then click Next. If the Microsoft Report Viewer 2008 Redistributable is not installed, the Setup Wizard gives you a warning about it.
8. Click Next.
9. The next screen will ask you to choose if and where you want updates to be stored on the WSUS server, just click Next.
10. The next page lets you choose your database options:

     ◆ If you are not installing WSUS on a Configuration Manager site, the default of Install Windows Internal Database On This Computer is probably your best option, because it installs Microsoft SQL Server 2005 Embedded Edition just for the purpose of managing WSUS. This will save you from having to purchase another full SQL Server license for WSUS and managing another instance of SQL as well.
     ◆ If you are installing WSUS on a Configuration Manager Central Administration Site or a primary site server and it has the resources to handle it, then we recommend going ahead and using the instance of the SQL Server that is already installed. (If it doesn’t have enough resources, you probably shouldn’t be installing WSUS on this server anyway.) Having two versions of SQL installed on the same server could cause problems in the long run, and they would be competing for the same resources. 

Depending on what you choose, WSUS will either create the Windows Internal Database or test the connection to the existing SQL Server instance.

11. After that is done, click Next.
12. On the next page of the wizard, choose how to configure the WSUS website. Microsoft recommends that you choose to make a custom website if you are using WSUS as a software update point, even if the WSUS server is remote from the Configuration Manager site system. You should definitely use the custom site option if you are installing WSUS on a Configuration Manager site so that the install will not interfere with the other Configuration Manager components that use IIS. By default, the custom WSUS website uses HTTP port 8530 and HTTPS port 8531.
13. Click Next.
14. Review the settings, and click Next to install WSUS 3.0 SP2.
15. Click Finish and then Close after the installation.
16. The WSUS configuration wizard will start up after that, but you should close it, because Configuration Manager 2012 will take care of configuring all of the settings for WSUS.

Installing WSUS on Windows Server 2012 R2

To add the WSUS role to Windows Server 2012 R2, you need to perform the following steps:

1. Start the Windows Server 2012 R2 Server Manager from the Start screen.
2. In the Dashboard, click Manage and select Add Roles And Features to start the Add Roles and Features Wizard.
3. Click Next twice, select the server on which the WSUS role needs to be installed, and click Next again.
4. Select Windows Server Update Services, click Add Features, and click Next.
5. Click Next after reviewing the features that are automatically added. Click Next at the WSUS step to start the initial configuration of the WSUS role.
6. On the Roles Services step, select WSUS Services and Database and click Next.
7. On the Content step, disable the Store Updates In The Following Location option and click Next.
8. Supply the SQL Server And Instance Name (if necessary) and click Check Connection. Click Next.
9. On the Web Server Role (IIS) page, click Next.
10. On the Role Services page, click Next.
11. Specify an alternate source path if necessary; then click Install to begin the feature and roles installation.
12. After the installation is finished, start the Windows Server Update Services application from the Start screen to configure the WSUS role. Configure the database server where the WSUS database needs to be stored, and click Run to start the post-installation. Click Close when the post-installation is finished.

Installing Windows Server Update Services 3.0 Server

Windows Server Update Services 3.0 Server (WSUS) SP2 or later is required in order to use Software Updates in Configuration Manager 2012. Installing WSUS for use with Configuration Manager is different from a standard install of WSUS without the Configuration Manager infrastructure.

The WSUS installation procedure that we’re going to use can be used for both the first software update point (the main software update point installed on the Central Administration Site) and all other software update points (those for any other primary Configuration Manager sites) or for installing WSUS on a remote server that is not a Configuration Manager site server. The decision to install WSUS on the same server as your site servers or on another remote server will depend on your server resources and your plans for the software update infrastructure.
Next, you have to go through a series of steps to make a software update point the active one for the Configuration Manager hierarchy.  

Depending on the version of your operating system, you need to either add the Windows Server Update Services role though the Server Manager of Windows Server 2008 R2 or Windows Server 2012 or make sure that you have downloaded the latest version of WSUS at the WSUS home page:

Period Of Time For Which All Pending Deployments With Deadline In This Time Will Also Be Installed

This sets the timeframe for the software updates with a deadline to be installed if the deadline is coming within a specified period of time. The minimum value allowed is 1 to 23 hours, and the maximum is 1 to 365 days. By default, this setting is configured for 1 hour.

When Any Software Update Deployment Deadline Is Reached, Install All Other Software Update Deployments With Deadline Coming Within A Specified Period Of Time

This setting indicates whether to enforce all mandatory software update deployments that have deadlines within a certain timeframe. When a deadline is reached for a mandatory software update deployment, an installation is started on the clients that have been targeted for the mandatory deployment. It also indicates whether to start the install for updates defined in other mandatory deployments that have a configured deadline within a specified timeframe. The benefits of this setting are that it expedites software update installs for mandatory updates and that it might increase security, decrease display notifications, and decrease system restarts on clients. This setting is disabled by default.

Schedule Deployment Re-evaluation

You can configure how often the Software Updates Agent re-evaluates software updates for installation status. When software updates that have been installed are no longer found on client computers and are still required, they will be reinstalled. This re-evaluation schedule will need to be adjusted based on company policy for update compliance, whether users have the ability to uninstall updates, and similar considerations. You also have to consider that every re-evaluation cycle results in some network and client computer activity. The minimum value allowed for the deployment re-evaluation schedule is 1 minute and the maximum is one month. A simple schedule of every 7 days is set by default.

Software Update Scan Schedule

This setting specifies how often the client computer scans for software update compliance. By default, a simple schedule is configured to run the scan every 7 days, and the site database is updated with any changes since the last scan. The minimum value for the scan is 1 minute and the maximum value is 31 days. This setting can be configured only after a software update point site role has been installed on a site system in the site. When a custom schedule is configured, the actual start time on client computers is the start time plus a random amount of time up to 2 hours. This keeps all the clients from starting a scan and connecting to WSUS at the same time.

Enable Software Updates On Clients

This setting defines whether the Software Updates Agent is enabled for the site; this agent is installed and enabled on Configuration Manager clients by default. Make sure that this setting is enabled. If the client agent is disabled, the client agent components are put into a dormant state but not uninstalled, and existing deployment policies will be removed from clients as well. Re-enabling the client agent starts a policy request that the components on clients be enabled and the deployment metadata be downloaded. With Configuration Manager 2012 you can configure more than one client agent settings package.

Configuring the Software Updates Client Agent

The Software Updates Agent is enabled in Configuration Manager by default, but you still have to configure the other settings of this client agent to match your plans for using Software Updates in your environment.
To configure the Software Updates Agent, follow these steps:
1. In the Configuration Manager console, choose the Administration Workspace ➢
Overview ➢ Client Settings, and select the Default Client Agent Settings policy object.
2. Select the Home tab of the ribbon, and then click Properties.
3. Select Software Updates, and (as shown in Figure ) configure the following settings: 

 
 
4. When you have finished setting things the way you want them, click OK to finish