Install SCCM Software Update Point Role | ConfigMgr SUP

This article covers the steps to install SCCM Software Update Point (SUP) role. Let’s see how to install and configure ConfigMgr SUP (software update point) role.

A software update point (SUP) integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients.

If you decide to deploy software updates to your clients using SCCM, you must ensure the software update point role is installed and configured correctly. You can follow this guide to install SUP role in SCCM.

What is Software Update Point in Configuration Manager?

A software update point is a WSUS server controlled by Configuration Manager. We know that WSUS is a standalone solution that enables the administrators to deploy the latest Microsoft product updates.

Unlike WSUS the clients do not download or install updates directly from a software update point. Instead, the only data downloaded by the client from a software update point is the update metadata.

To deploy updates to client computers, the software update point role is required on the central administration site and on the primary sites. While the ConfigMgr SUP role install is optional on secondary sites.

Planning for a new Software Update Point Install

So if you have got a SCCM hierarchy consisting of CAS, Primary site and Secondary sites, you install the ConfigMgr SUP role on CAS first, then primary site and secondary sites.

Most organizations don’t have CAS and prefer a stand-alone primary site. When you have a stand-alone primary site, you must install and configure the software update point on the primary site first, and then optionally on secondary sites.

The software update point site system role must be installed on a server that has WSUS role installed. I have covered the WSUS role installation in most of my current branch baseline install guides.

For stand-alone WSUS install, check the following post WSUS installation on Windows Server 2019.

The ConfigMgr software update point interacts with the WSUS services to configure the software update settings and to request synchronization of software updates metadata. I recommend reading the “Plan for Software Updates” article by Microsoft.

Software Update Point Requirements

Before you install the SCCM SUP role in SCCM on a Windows Server, ensure you read the below listed prerequisites.

  • Always refer to this article before you install site system servers and roles on Windows Servers. This is important because the role that you intend to install must be on a supported Windows Server OS.
  • Ensure you enable .NET Framework 3.5 under Windows Server roles and features. In addition, install a supported version of the .NET Framework version 4.5 or later. Starting in version 1906, Configuration Manager supports .NET Framework 4.8.
  • Install the Windows Server Update Services on a computer before installing a software update point. This is a critical prerequisite.
  • If you plan to install both WSUS and SUP role on a distribution point server, it is supported.
  • When you install a new site, ConfigMgr automatically installs SQL Server Native Client. However, the Configuration Manager doesn’t upgrade SQL Server Native Client. Make sure this component is up-to-date.

Tip: When you install WSUS role on Windows Server 2019 or 2022, the WSUS version is 10.0.17763.1. And it’s version 10.0.14393 when you install WSUS role on Windows Server 2016.

Install SCCM Software Update Point Role

Using the below steps, install Software Update Point role in SCCM.

  • Launch the SCCM console.
  • Navigate to Administration > Overview > Site Configuration > Servers and Site System Roles.
  • Right-click the server on which you wish to install Software Update Point role and click Add Site System Roles.
Install SCCM Software Update Point Role
Install SCCM Software Update Point Role

On the General page, click Next.

Install SCCM Software Update Point Role
Install SCCM Software Update Point Role

On the Proxy page, you can specify proxy server details if you have it in your setup. Otherwise, click Next.

Install Software Update Point in Configuration Manager Snap3
Install SCCM Software Update Point Role | Proxy Settings

Finally, we are on the System Role Selection page. From the list of available roles, select Software Update Point. This installs SUP role in SCCM. Click Next.

Install Software Update Point in Configuration Manager
Install SCCM Software Update Point Role | System Role Selection

Specify Software Update Point Settings

On the Specify software update point settings page, under WSUS configuration you find two options.

  • WSUS configured to use ports 80 and 443 for client communications.
  • WSUS configured to use ports 8530 and 8531 for client communications.

The WSUS upstream and downstream servers will synchronize on the port configured by the WSUS Administrator. Select the second option here because it’s a default setting for WSUS installed on Windows Server 2012 and above. The firewall on the WSUS server must be configured to allow inbound traffic on these ports.

We also see two other options :-

  • Require SSL communication to WSUS Server – With this options checked or enabled, you can use the SSL protocol to help secure the WSUS that runs on the software update point. WSUS uses SSL to authenticate client computers and downstream WSUS servers to the WSUS server.
  • Allow Configuration Manager cloud management gateway traffic – Enable this option for the software update point site system to accept CMG traffic.

Click Next.

select software update point role
Configure Software Update Point Settings

Software Update Point proxy server settings

If you have a proxy server configured in your setup, specify the proxy server settings for SUP. The options are greyed out because you must configure the site system role to use a proxy server first.

WSUS Server Connection Account

You can configure an account to be used by the site server when it connects to WSUS that runs on the software update point. When you don’t configure this account, the Configuration Manager uses the computer account for the site server to connect to WSUS.

Click Next.

SUP Proxy Account Settings
SUP Proxy Account Settings

SUP Synchronization Source Settings

In this step you select a synchronization source for the software update point. In other words you define the source from where updates download.

  • Synchronize from Microsoft Update – Use this setting to synchronize software updates metadata from Microsoft Update. In case you have an upstream software update point configure, this option is unavailable. Note that this setting is available only when you configure the software update point on the top-level site.
  • Synchronize from an upstream data source location – Use this option to synchronize software updates metadata from the upstream synchronization source. If you select this option, specify a URL, such as https://WSUSServer:8531, where 8531 is the port that is used to connect to the WSUS server.
  • Do not synchronize from Microsoft Update or upstream data source – Use this option to manually synchronize software updates when the software update point at the top-level site is disconnected from the Internet.

WSUS Reporting Events

You can create WSUS reporting events on the Synchronization Source page of the wizard or on the Sync Settings tab in Software Update Point Component Properties.

  • Do not create WSUS reporting events
  • Create only WSUS status reporting events
  • Create all WSUS reporting events

Since the Configuration Manager doesn’t use these events, you can leave the default option enabled – Do not create WSUS reporting events. Click Next.

Specify Synchronization Source settings
Specify Synchronization Source settings and WSUS reporting events

SUP Synchronization Settings

You can define a synchronization schedule and configure the software updates to sync automatically. Click Enable synchronization on a schedule box and configure the sync schedule.

You can either select Simple Schedule (also known as recurring schedule) or go with a custom schedule. By default, the synchronization occurs every 7 days. You can change it if required.

You can also let Configuration Manager create an alert when the synchronization fails on the site. I prefer to enable this option because I get to see an SUP sync failed alert in the Configuration Manager console.

Click Next.

ConfigMgr SUP Synchronization Schedule
ConfigMgr SUP Synchronization Schedule

SUP Supersedence Rules

On this page, you can configure the software update to expire as soon as it is superseded by a recent update. You can also set a software update to expire after a specific period of time.

Starting in Configuration Manager version 1810, you can specify the Supersedence rules behavior for feature updates separately from non-feature updates. This is a nice addition.

Under Supersedence behavior for updates and feature updates, you find the below options.

  • Immediately expire a superseded software update
  • Do not expire a superseded software update until the software update is superseded for specific period. When you select this option, you must specify the months to wait before a superseded software update expires. By default it is set to 3 months.

At this point, I will go with the default settings and click Next.

Supersedence Rules
Supersedence Rules | Install SUP role in SCCM

WSUS Maintenance Options

To automate the cleanup procedures after each synchronization, Microsoft has added some cool WSUS Maintenance options. If you are using Configuration Manager version 1906 or newer, you will find these new options under WSUS settings.

The WSUS Maintenance options that you get when you install ConfigMgr SUP are as follows:

  • Decline expired updates in WSUS according to Supersedence rules
  • Add non-clustered indexes to the WSUS database
  • Remove obsolete updates from the WSUS database

Since we are installing the SUP on a new server, you can leave these options unchecked. We can later revisit and enable them.

Click Next.

Configure WSUS Maintenance Options
Configure WSUS Maintenance Options | ConfigMgr SUP

Configure Max Run time for Software Update Installation

Specify the maximum amount of time for a software update installation to complete. I am going to leave the values to default because they look fine to me. However, you can change the values if required.

  • Maximum run time for Windows feature updates – 120 minutes
  • Maximum run time for Office 365 updates and non-feature updates for Windows – 60 minutes.

Click Next.

Configure Maximum Run Time
Configure Maximum Run Time

Software Update Content Configuration

On this page you have to select whether you want to deploy full files for approved updates or deploy both full files and express installation files.

Express installation files download quickly because of lesser size and install quickly. I am going to select Download full files for all approved updates and click Next.

software update content configuration
software update content configuration

Software Update Point Classifications

When you say you deploy a software update, it is actually a very broad term. This is because every software update is defined with an update classification. This helps to organize the different types of updates.

When you install SCCM Software Update Point, during the synchronization process, the site synchronizes the metadata for the specified classifications.

Once you know what classifications you require, you can enable them under All Classifications.

Wait a minute, let me cover something significant here. When you first install the software update point on the top-level site, you must clear all the software updates classifications.

After the initial software updates synchronization, configure the classifications from an updated list, and then re-initiate synchronization.

Click Next.

ConfigMgr SUP Update Classifications
ConfigMgr SUP Update Classifications

ConfigMgr SUP Products Selection

As we didn’t select anything from All Classifications, we won’t select any of these products for now. Moreover, you may not see all the products listed because we haven’t performed the initial SUP synchronization.

We will select the products once we complete the initial SUP synchronization. Click Next.

SUP products
SUP products

SCCM SUP Filter Products

With the ConfigMgr 2203 release, under Software Update Point PropertiesProducts tab, there is a new filter products option available.

In the Filter search box, you can enter the name of any product, and it will be populated or filtered from the list of SUP products.

To know more about the SUP filter products option, read ConfigMgr Software Update Point filter products article.

ConfigMgr Software Update Point Filter Products
ConfigMgr Software Update Point Filter Products

Software Update Point Languages

Here you can configure languages for the Software update file setting in the properties for the software update point. For every language, you can select the software update files and summary info to download.

In this example, I will select only English as Software Update Point language. Click Next.

Specify language settings
Specify language settings

On the Summary page, click Next.

Install SCCM SUP Role

Click Close on Add Site System Roles wizard Completion box. This completes the installation of Software Update point role in SCCM.

Install SCCM SUP Role

Verify Software Update Point Role Installation

The SCCM log files are the best way to find out the SUP role installation status. In my other blog I have listed the software updates related log files which you can refer during software updates troubleshooting.

In most cases the installation goes well however if it fails you must know which log file to check. The SUP log files are located under <Drive:>\Program Files\Microsoft Configuration Manager\Logs

So the first log file you must open is SUPSetup.log. Look for the line Installation was successful. With this we ensure the software update point role installation is successful in SCCM.

SUPSetup.log
Verify SCCM Software Update Point Role Installation using SUPSetup.log
======== Installing Pre Reqs for Role SMSWSUS ========
Found 1 Pre Reqs for Role SMSWSUS 
Pre Req SqlNativeClient found.
SqlNativeClient is already installed (Product Code: {9D93D367-A2CC-4378-BD63-79EF3FE76C78}). But to support TLS1.2, a new version with Product Code: {B9274744-8BAE-4874-8E59-2610919CD419} needs to be manually installed 
Pre Req SqlNativeClient is already installed. Skipping it.
======== Completed Installation of Pre Reqs for Role SMSWSUS ========
Installing the SMSWSUS
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)
Checking runtime v4.0.30319...
Found supported assembly Microsoft.UpdateServices.Administration version 4.0.0.0, file version 6.2.17763.1
Found supported assembly Microsoft.UpdateServices.BaseApi version 4.0.0.0, file version 6.2.17763.678
Supported WSUS version found
Supported WSUS Server version (6.2.17763.678) is installed.
CTool::RegisterManagedBinary: run command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe" "C:\Program Files\Microsoft Configuration Manager\bin\x64\wsusmsp.dll"
CTool::RegisterManagedBinary: Failed to register C:\Program Files\Microsoft Configuration Manager\bin\x64\wsusmsp.dll with .Net Fx 2.0
CTool::RegisterManagedBinary: run command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" "C:\Program Files\Microsoft Configuration Manager\bin\x64\wsusmsp.dll"
CTool::RegisterManagedBinary: Registered C:\Program Files\Microsoft Configuration Manager\bin\x64\wsusmsp.dll successfully
Registered DLL C:\Program Files\Microsoft Configuration Manager\bin\x64\wsusmsp.dll
Installation was successful.
~RoleSetup().

Perform Initial SUP Synchronization

Software updates synchronization is the process of retrieving the software updates metadata that meets the criteria that you configure. Software updates are not displayed in the Configuration Manager console until you synchronize software updates.

Here is how you perform the initial software update synchronization after you install SUP role in SCCM.

  • First of all launch the SCCM console.
  • Go to Software Library > Overview > Software Updates > All Software Updates.
  • On the top ribbon, click Synchronize Software Updates.
Perform Initial SUP Synchronization
Perform Initial SUP Synchronization

On the confirmation box, click Yes.

Perform Initial SUP Synchronization
Perform Initial SUP Synchronization

When you run the initial SUP sync, it tries to sync categories but notice what happens. If you open wsyncmgr.log file, it tells you that Request filter does not contain any known categories or classifications. Hence sync will do nothing.

At this point, let the sync complete. If you see the line “Done synchronizing SMS with WSUS Server” it means the SUP sync is complete.

wsyncmgr.log file
wsyncmgr.log file
sync: SMS synchronizing categories	SMS_WSUS_SYNC_MANAGER
sync: SMS synchronizing categories, processed 0 out of 355 items (0%)
sync: SMS synchronizing categories, processed 355 out of 355 items (100%)
sync: SMS synchronizing categories, processed 355 out of 355 items (100%)
WARNING: Request filter does not contain any known classifications. Sync will do nothing.
WARNING: Request filter does not contain any known categories. Sync will do nothing.
Done synchronizing SMS with WSUS Server

Enable SUP Classifications and Products

After the initial WSUS Sync is complete, let’s enable the classifications and products under software update point role.

In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites. Select the site, right click and click Configure Site Components > Software Update Point.

Software Update Point Properties
Software Update Point Properties

On the Software Update Point component properties box, select Classifications tab. Enable the ones that you require. In this example, I am selecting Critical Updates and Security Updates.

Enable SUP Classifications
Enable SUP Classifications

Next, click Products tab and select the products. In this example I am selecting Windows 10 product. Once you are done with selections, click Apply and OK.

Enable SUP Products
Enable SUP Products

After you select Classifications and Products, you must run the software update point synchronization again. Only then you will see the updates for selected products appearing in the console.

Open the wsyncmgr.log file and you will notice the updates synchronization begins. Based on the products and classifications that you select, it takes time for the process to complete.

SCCM SUP Synchronization
SCCM SUP Synchronization

During the sync process, you may not find any updates listed under All Software Updates.

SCCM SUP Role

Once the SUP synchronization is complete, notice the updates listed under Software Updates.

Windows 10 Updates
Windows 10 Updates

What’s Next

Let me list some useful posts that can refer after you set up SCCM software update point role.

29 Comments

  1. Great site, you’ve helped me out on a lot of things. Got an issue though that I’ve been trying to fix for a while.
    Have a SCCM server that is version 2207 (Server 2019) Primary site server
    Have a WSUS server that is also Server 2019.
    About 10 years ago we integrated these 2 servers, they had been completely separate environments until we need to control the client install to only workstations and servers within the domain and then to only ones that windows update was configured to get their updates from the WSUS server. So the WSUS server became an SUP and the SUP role was also installed on the SCCM server. GPO controlled where the clients got their updates from using the WSUS url. This worked great until we needed to deploy office 365 updates from SCCM. Because the updates have to come from the SCCM deployment they don’t play nice when the Set intranet update service value is set to the WSUS server since SCCM is constantly trying to change it to the SCCM server. The updates fail to install with 0x87D00692. If I set the Set intranet update service to not configured then the updates can complete, but then the client is now relying on SCCM server for its updates and for the SCCM client updates. Last week I updated from 2107 to 2207 and found that until I put in the WSUS back in the Set intranet update service the client wouldn’t update, as soon as I did it updated. But then the Office 365 updates didn’t work again. I could point everything to use the SCCM server for updates and client install but then how does the client know to get the SCCM client if it the client is the one setting the parameters for SCCM and the updates?

  2. Hello, have 3 remote dp’s in my organization and i would like to know if wsus is required by the remote DP’s to distribute the monthly windows updates to the computers in those locations.

    Thank you for your help.

    1. No, WSUS isn’t required for remote DP’s. If this is a single primary site, ensure you install WSUS on the main site along with SUP and the updates can be distributed to remote DP’s.

      1. Hi Prajwal,

        i think i have the same issue… i just created an Feature Update to Windows 10 21H1 and deployed it to a Computer Collection. The Update only works on Clients connected to the Main DP but on the other DPs its not working. When i create such an Update i do not have the option “distribute Content”… so i cant choose the other DPs.

        Can u help me?

        Kind Regards

  3. Mr Prajwal Desai,
    Thank for your all blog post regarding SCCM. It is very helpful. But may I know if I want to upgrade my current SCCM server OS 2012 R2 to version server verison 2019. Did I need to also perform upgrade server OS for my WSUS server from 2012 R2 to 2019? Or I can do it later on? Will it have any impact if my SCCM site server is in windows server 2019 and WSUS server is at older version OS?

    Your advise is much appliciated.

  4. Avatar photo Steve Carneol says:

    The question of what Products to select keeps coming up and its sort of like the “Chicken or the egg” conversation right? If you ask Microsoft Support, they recommend only selecting the Products you have in your environment but the only way to know what Products you have in your environment is to select all Products, then scan all of your clients with metadata for all Product updates in order to see what products are Installed and/or Required. Once you have that info, you can deselect those products that are neither Installed or Required. This would be something you would have to do a few times a year to make sure you are patching those Products.

  5. Hi,

    Is there any limitations to install SUP for secondary site on separate server (not on Secondary Site Server machine)? I have one SUP in primary site and it works fine. Now I’m trying to install SUP on separated WSUS server in Secondary Site network location but there is only DP and SMP available in System Roles. But on Secondary Site Server any other roles are available including SUP.

  6. Hi Prajwal,

    Thank you for the brilliant guide !
    However at the step with post configuring products to sync, I am missing a lot of products (including Windows 10).
    How do I get the full list of Products ?

    Kind Regards

    1. Sync without any classification again. this is what i did 2 more times, in order to get full list of products.

  7. Do you have any blog for MBAM deployement on SCCM Server

  8. I have setup a SCCM lab on VM but when I perform windows/software sync its not getting download to SCCM.

    Hello

    I have setup a SCCM lab on VM but when I perform windows/software sync its not getting download to SCCM.

    I have installed SCCM 2002 on Windows server 2012 R2

    Getting a warning – WARNING: Request filter does not contain any known categories. Sync will do nothing. SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:38 PM 1232 (0x04D0)

    Below is the log details

    Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:10 PM 5724 (0x165C)
    Starting Sync SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:16 PM 5724 (0x165C)
    Performing sync on regular schedule SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:16 PM 5724 (0x165C)
    Read SUPs from SCF for sccm.lab.com SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:16 PM 5724 (0x165C)
    Found 1 SUPs SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:20 PM 5724 (0x165C)
    Found active SUP sccm.lab.com from SCF File. SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:20 PM 5724 (0x165C)
    STATMSG: ID=6701 SEV=I LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=SCCM.LAB.COM SITE=PP1 PID=2236 TID=5724 GMTDATE=Sun Apr 11 17:54:20.080 2021 ISTR0=”” ISTR1=”” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:20 PM 5724 (0x165C)
    Sync Surface Drivers option is not set SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:21 PM 5724 (0x165C)
    Synchronizing WSUS, default server is sccm.lab.com SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:21 PM 5724 (0x165C)
    STATMSG: ID=6704 SEV=I LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=SCCM.LAB.COM SITE=PP1 PID=2236 TID=5724 GMTDATE=Sun Apr 11 17:54:21.221 2021 ISTR0=”” ISTR1=”” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:21 PM 5724 (0x165C)
    SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:21 PM 6484 (0x1954)
    Synchronizing WSUS server SCCM … SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:21 PM 6484 (0x1954)
    sync: Starting WSUS synchronization SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:21 PM 6484 (0x1954)
    sync: WSUS synchronizing categories SMS_WSUS_SYNC_MANAGER 4/11/2021 11:24:27 PM 6484 (0x1954)
    Set content version of update source {E769DBE5-F6D3-46BB-BBE1-B928C413E6EB} for site PP1 to 0 SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:28 PM 5724 (0x165C)
    Resetting MaxInstall RunTime for Cumulative updates. SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:28 PM 5724 (0x165C)
    Synchronizing SMS database with WSUS, default server is sccm.lab.com SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:29 PM 5724 (0x165C)
    STATMSG: ID=6705 SEV=I LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=SCCM.LAB.COM SITE=PP1 PID=2236 TID=5724 GMTDATE=Sun Apr 11 18:09:29.905 2021 ISTR0=”” ISTR1=”” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:29 PM 5724 (0x165C)
    SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:29 PM 1232 (0x04D0)
    Synchronizing SMS database with WSUS server SCCM … SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:29 PM 1232 (0x04D0)
    sync: Starting SMS database synchronization SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:29 PM 1232 (0x04D0)
    requested localization languages: en SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:29 PM 1232 (0x04D0)
    Syncing updates arrived after 04/07/2021 01:25:19 SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:30 PM 1232 (0x04D0)
    Requested category not found: SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:30 PM 1232 (0x04D0)
    Requested categories: UpdateClassification=Security Updates, UpdateClassification=Update Rollups, UpdateClassification=Service Packs, UpdateClassification=Tools, UpdateClassification=Feature Packs, UpdateClassification=Updates, UpdateClassification=Definition Updates, UpdateClassification=Critical Updates SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:30 PM 1232 (0x04D0)
    Third-party software updates is not enabled. SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:30 PM 1232 (0x04D0)
    sync: SMS synchronizing categories SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:30 PM 1232 (0x04D0)
    sync: SMS synchronizing categories, processed 0 out of 274 items (0%) SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:30 PM 1232 (0x04D0)
    sync: SMS synchronizing categories, processed 274 out of 274 items (100%) SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:37 PM 1232 (0x04D0)
    sync: SMS synchronizing categories, processed 274 out of 274 items (100%) SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:37 PM 1232 (0x04D0)
    WARNING: Request filter does not contain any known categories. Sync will do nothing. SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:38 PM 1232 (0x04D0)
    Done synchronizing SMS with WSUS Server SCCM SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:38 PM 1232 (0x04D0)
    Set content version of update source {E769DBE5-F6D3-46BB-BBE1-B928C413E6EB} for site PP1 to 0 SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:38 PM 5724 (0x165C)
    Resetting MaxInstall RunTime for Cumulative updates. SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:38 PM 5724 (0x165C)
    Starting cleanup on WSUS, default server sccm.lab.com SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:39 PM 5724 (0x165C)
    SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:39 PM 2600 (0x0A28)
    Cleaning up WSUS server SCCM … SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:39 PM 2600 (0x0A28)
    sync: Starting SMS database synchronization SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:39 PM 2600 (0x0A28)
    requested localization languages: en SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:39 PM 2600 (0x0A28)
    Syncing updates arrived after 04/11/2021 23:39:29 SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:39 PM 2600 (0x0A28)
    Requested category not found: SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:39 PM 2600 (0x0A28)
    Requested categories: UpdateClassification=Security Updates, UpdateClassification=Update Rollups, UpdateClassification=Service Packs, UpdateClassification=Tools, UpdateClassification=Feature Packs, UpdateClassification=Updates, UpdateClassification=Definition Updates, UpdateClassification=Critical Updates SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:39 PM 2600 (0x0A28)
    Starting Deletion of ObseleteUpdates SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:39 PM 2600 (0x0A28)
    0 update(s) were deleted from SUSDB in Server: Database: SUSDB SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:39 PM 2600 (0x0A28)
    Deletion Completed SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:39 PM 2600 (0x0A28)
    Set content version of update source {E769DBE5-F6D3-46BB-BBE1-B928C413E6EB} for site PP1 to 0 SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:40 PM 5724 (0x165C)
    Resetting MaxInstall RunTime for Cumulative updates. SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:40 PM 5724 (0x165C)
    STATMSG: ID=6702 SEV=I LEV=M SOURCE=”SMS Server” COMP=”SMS_WSUS_SYNC_MANAGER” SYS=SCCM.LAB.COM SITE=PP1 PID=2236 TID=5724 GMTDATE=Sun Apr 11 18:09:40.151 2021 ISTR0=”” ISTR1=”” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:40 PM 5724 (0x165C)
    Sync succeeded. Setting sync alert to canceled state on site PP1 SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:40 PM 5724 (0x165C)
    No changes made to the SMS database, content version remains 0 SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:40 PM 5724 (0x165C)
    Sync time: 0d00h15m20s SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:40 PM 5724 (0x165C)
    SQL MESSAGE: sp_SUM_RemoveUpdateRelations – 23:39:40:860: sp_SUM_RemoveUpdateRelations : There are no expired update relations to delete. SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:41 PM 5724 (0x165C)
    Deleted 0 expired updates SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:44 PM 5724 (0x165C)
    Inbox source is local on sccm.lab.com SMS_WSUS_SYNC_MANAGER 4/11/2021 11:39:44 PM 5724 (0x165C)
    Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 4/12/2021 12:00:03 AM 5724 (0x165C)
    Inbox source is local on sccm.lab.com SMS_WSUS_SYNC_MANAGER 4/12/2021 12:00:08 AM 5724 (0x165C)
    Wakeup for a polling cycle SMS_WSUS_SYNC_MANAGER 4/12/2021 1:00:08 AM 5724 (0x165C)
    Inbox source is local on sccm.lab.com SMS_WSUS_SYNC_MANAGER 4/12/2021 1:00:09 AM 5724 (0x165C)

  9. Mr. Prajwal,

    Thank you for the guide. You have always been an amazing guide in what right looks like. I have a question though. Would you be able to point me in the right direction for the following selection: “Do not synchronize from Microsoft Update or upstream data source”

    I can download the updates for my private network and provide them somewhere for SCCM to see them but I don’t know what the proper steps are after the updates have been downloaded. If I had those steps, I would be solid!

    Thanks again for your assistance and this website!

  10. Great post. My question is in a big organization how do you know which products are in your domain and require updating? Not sure if selecting “All Products” and looking at what needs patching is the best.

  11. Tu publicación está genial; ¡me ha ayudado mucho! Anduve buscando buena documentación hasta que llegué a tu sitio web. En verdad he entendido muchas cosas que no comprendía. ¡Gracias!

    Un saludo desde El Salvador.

  12. Avatar photo Jonathan M says:

    Addendum to my post if I open the WSUS installation on the SCCM server there are statuses for the updates.

  13. Avatar photo Jonathan M says:

    Has anyone seen and dealt with this issue? I have setup SCCM with SUP before and had no issues with SUP which I know is unusual. I was recently asked to add a new SCCM setup using server 2019 (1809) datacenter to perform Windows server patching specifically. I have loaded all server prereqs for sccm to work per this site and microsoft. I also installed SQL 2017 and updated it. I then loaded SCCM current branch base install then added the SUP system role, and patched SCCM with latest hotfixes. I have successfully sync’d critical and security updates for Windows Server OSes. I have created update groups for the servers. I have downloaded the updates to the server. Here is where it gets odd. The Software update list has the various updates listed show them download but the list give no statuses for the update in relation to what server needed the update. The columns with needed, percent compliant all read 0. I understand 0 in the needed column is awesome but the other status columns should have information. I have removed and re-added the SUP, installed new versions of .net, I have even removed SCCM and all components and reinstalled SQL, then SCCM same result as above. Any help would be appreciated I am almost to the point I will reload the server back to 2016 server and native SCCM SQL version and try starting over. One last item the AD ID I am using has domain admin level access and I have tried a service account specific to the servers OU in AD.

  14. Hello Prajwal, thank You for this guide. Just one question left: how to configure the SCCM SUP to work with WSUS located on another server? My one tries to connect to WSUS on the same server and reasonably fails.

  15. Hey , I have sccm 1902 , software update point component properties does not show windows 10

  16. Avatar photo Dan Ceccato says:

    Hey Prajwal,

    Do you know if its possible to restore an update that’s been marked as expired? Our district is still in the midst of transitioning to Win 10 so half our fleet is still windows 7. The 2019-03 Servicing Stack Update has been marked as expired and has been removed from our SCCM library, yet its a major pre-requisite to a number of other updates. Even in our self managed WSUS, its still marked as an active update. Is there anyway to get WSUS force the update back into the SCCM Software Update list?

    Thanks,
    DC

  17. Hi Prajwal
    Can the download path of updates be changed? For example, a remote storage medium or …?
    This is possible in wsus in the Content section. What about sccm?

    regards.

  18. Hi Prajwal, thank you for this brilliant guide.

    Just so you know, your guide was highly recommended from:
    https://serverfault.com/questions/947975/is-it-necessary-to-separate-sccm-sup-and-wsus-roles

    I have a query, as I am new to SCCM:

    We are going to be deploying SCCM into our environment this week, we intend to use it to manage imaging and patching our Dell WYSE Windows 10 thin clients.

    We have built x2 servers in our domain environment to prepare for this:

    x1 SCCM server (Windows Server 2019, SQL Server 2016, SCCM version 1910)
    x1 WSUS server (Windows Server 2019)

    We just have x1 HQ site, both servers and all thin clients are all based at the same site.

    If I’m understanding your guide correctly, then I can follow this guide to:

    1. Install the SUP role onto the SCCM server
    2. Point the SCCM server to download updates from a separate WSUS upstream server

    If this is the case, then this guide is perfect for me.

    Is there anything else I need to install on the WSUS server? Do I need to install SUP there also?

    Please could you advise.

    Brilliant guide once again, many thanks.

    Koncise

  19. Great guide, I do have a question though, If the Primary Site with SUP is in a secure network with no internet access, is it possible to configure it to point to an upstream WSUS to not only download the catalog, but the update files as well? Do I have to configure the upstream sync in the WSUS console seperately to what is configured in SCCM for catalog sync? I can get the catalog to sync with an upstream WSUS, but when I try to configure ADRs It tries to go to the internet, I want sync the updates folder from the top level WSUS server and target that for the ADRs.

  20. Hi Prajwal, as always very nice guide. Can you tell me why I don’t see susdb when I install wsus role ?.

  21. Thank you so much for the guide. Very nice and clear document.

  22. Amazing guide. I think you have covered almost everything about SUP. How can I download it or can you make a PDf and share it ?

Leave a Reply

Your email address will not be published. Required fields are marked *