Last week I implemented one of the new features of SCCM 2012 SP1. With SCCM 2012 SP1 it’s possible to use an existing WSUS upstream server for the local Software Update Point(SUP) in your environment. The SUP do not have any connection with the Internet. Based on my research I expected that it would work differently than it did.
Let’s start with explaining that a Microsoft Update consists of 2 parts. The first part is the update Meta data of the software update and the second part is the software update itself. The Meta data of the update contains information like the description, severity, classification, etc. The Metadata is needed to show the update in the WSUS/SCCM Console. The software updates file is needed for the installation on the clients.
Let’s first start with a graphical view of the WSUS upstream server / Local SCCM SUP solution:
What I was expecting from this configuration that the internal SUP would use the WSUS upstream server for both the update metadata and the update file itself. Unfortunately this was not the case. The SCCM SUP would only download the update Meta data from the WSUS upstream server. With this Meta data the update will show up inside the SCCM console and you can create software groups and deploy them to you collections. But there it go’s wrong, during the deployment process you have to choose from where you want to download the update file. I was expecting again that if I choose the Internet the WSUS upstream server would handle the file download for me so the SUP could automatically download this from the WSUS upstream server. But that was not the case. If you want this process to work you need to do some additional configuration on the WSUS upstream server and the WSUS server on you SUP.
The following configuration steps are needed before your SCCM software update point can download updates locally without the need of an internet connection:
- Configure your upstream server to download all the updates from the products and classifications you the selected during the WSUS configuration and cache them locally.
- Configure the above setting also in the WSUS console of your SUP. Normally it’s not recommended to set WSUS configuration settings on a SUP directly in WSUS. But this setting is not managed by SCCM.
- During the deployment of your updates when you arrive in the download location section choose the option “Download Software Update from a network location on the local network”. As network location you have to type in the WSUS content share of you internal WSUS Server installed on your SUP.
With the above configuration the updates will be downloaded and deployed to your client. The downside of the above configuration is that the updates will be saved on 3 servers: The WSUS Upstream Server, the local SUP and the Distribution Point.
Thanks to Peter van der Woude for the support during this case..
15 thoughts on “SCCM 2012: Upstream WSUS Server Support”
Thanks for this blog. We have the same Scenario here , does file transter from Upstream server(DMZ) to Downstream server need to enable ?
You have to enable the upstream WSUS server in the configuration of the Software Update Point in SCCM. During a deployment of software updates in SCCM you have to select ‘Download Software Update from a network location on the local network’ as explained above. Before you can do this. You have to setup the upstream WSUS server to download all content to a network location which can be you used from your SCCM environment.
Please let me know if this answers your question.
I followed this guide and it doesn’t seem to work for SCCM 2012 R2.
“Download Software Update from a network location on the local network”. As network location you have to type in the WSUS content share of you internal WSUS Server installed on your SUP.
The downloaded content appears in wsuscontent folder on on the local wsus/sup server, however I receive the following error:
Failed to download content id 16796738. Error: The system cannot find the file specified.
I’ve also attempted the above but with no luck. You mention a step ‘setup the upstream WSUS server to download all content to a network location’, is this via the Export tool? If so this makes the whole approach very non-automated 🙁 ..did you manage to get this automated in the end?
I don’t have a testing environment where I can test above in ConfigMgr 2012 R2.
You have to configure WSUS to download all content. This configuration step is done in the WSUS console in the options section.
Please let me know if you need further assistance.
You posted instructions without testing them?
Thanks for your comment. Everything on my blog is tested on the versions described in the post. This scenario is tested in SCCM2012 and this is also described in the post. There was a question about SCCM2012R2 and I’ve not tested it in that environment. But based on the comments it’s also working on SCCM 2012R2.
So if you’ve any questions related to the post let me know,
You’re quick, thanks for the speedy response.
I’ve set WSUS to download approved updates and afterwards I’ll attempt to get SCCM to utilize the WSUSContent folder as the location to download the software updates in SCCM.
Thank you for this tip, it worked a treat.
I can confirm that this worked in ConfigMgr 2012 R2.
Hi, which ports need to be open from the ConfigMgr to the WSUS? Is it only Fileshare (SMB) and 8531 (https in my case)?
Any scenario with SUP that the clients download updates from Internet themselves? with 0 updates stored on any servers?
Compared to simple WSUS GPO the maintenance time have to be managed by SCCM client.
We would like to have a similar setup. I just have a question about it, do you think the SCCM server will make any changes to the upstream wsus server. We don’t want that to happen.
All we want is this SUP installed on our stand alone primary SCCM site to get updates from the pre-existing WSUS server(which is not a part of SCCM hierarchy)
That’s a good question. I haven’t tried this configuration in the last couple of months. So I cannot give you the 100% clear answer.
I would expect that you have to configure your upstream SCCM yourself and SCCM is not doing this for you.
Hi Arjan, I have the same situation, but even after configuring the required settings the updates are not downloaded at the wsus content folder on either wsus servers. Do I have to enable auto approve rule in DMZ wsus?
It’s some time ago when I configured this and around that time I configured auto-approval. But I’m not 100% sure and probably this can be changed in newer builds.
So my advice is to test it without auto approval and if that’s not working test it with auto approval enabled.