# Part 6 - Setting up Software Update Point ## BEFORE YOU BEGIN {% hint style="warning" %} **Disclaimer**: All information and content in these blog posts is provided without any warranty whatsoever. The entire risk of using this information or executing the provided content remains with you. Under no circumstances should Microsoft, its author, or anyone else involved in the creation of these blog posts be held liable for any damage or data loss. {% endhint %} ## SOFTWARE UPDATE POINT In my previous blog post [Part 5](https://www.osdsune.com/home/blog/2020/configmgr-lab/part-5) we completed the configuration of discovery methods and boundaries. In Part 6 I will be setting up the Software Update Point role in Microsoft Endpoint Configuration Manager and I will give you a walk-through of my maintenance configuration for SQL and WSUS. {% hint style="info" %} This blog post does not cover the Windows Server Update Services (**WSUS**) role configuration on the server, but it is covered in [Part 4](https://www.osdsune.com/home/blog/2020/configmgr-lab/part-4/sql#wsus-server-role) {% endhint %} {% hint style="info" %} #### WHAT IS A SOFTWARE UPDATE POINT? A Software Update Point (**SUP**) is a role configured in Microsoft Endpoint Configuration Manager which interacts with the WSUS to configure the software update settings and to request synchronization of software updates metadata. The software update point is required if you wish to enable software updates compliance assessment and to deploy updates to the clients through Microsoft Endpoint Configuration Manager. The SUP role must be installed and configured on the central administration site (**CAS**) first, then on the primary site server and optionally on a secondary site server. Many organizations do not use central administration site, so when you have a stand-alone primary site, install and configure the software update point on the primary site server first, and then optionally, on a secondary site server. Read more about Software Update Point [here](https://docs.microsoft.com/en-us/mem/configmgr/sum/get-started/install-a-software-update-point) {% endhint %} Since I've already prepared the Windows Server Update Services (**WSUS**), let's get started with configuring the software update point role in Microsoft Endpoint Configuration Manager. ### Software Update Point Role **Step 1.** Type "**Configuration**" in the search line next to the start button, and click "**Configuration Manager Console**" ![Configuration Manager - Software Update Point](/files/-MT52Q7Xy8Y-lOpzOklI) **Step 2.** Navigate to "**Administration**" and expand the "**Site Configuration**", now select "**Servers and Site System Roles**", right-click on your site server name and select "**Add Site System Roles**" ![Configuration Manager - Software Update Point](/files/-MT57snY8JMpsVcuEeJm) **Step 3.** Click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT58VaLWxQFHbCRpttO) **Step 4.** Click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT58YP7SOP0u8qvwQet) **Step 5.** Select "**Software update point**" from the role list and click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT58dFyO4A_F17RvbYj) **Step 6.** Click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT58gzM1LTpVmvPZH_W) **Step 7.** Click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT58po4SUia4gNiMzb9) **Step 8.** Select "**Synchronize from Microsoft Update**" and click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT58tbiiglgAEX3Rn50) **Step 9.** Select "**Enable Synchronization on a schedule**", configure it to every 1 day and click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT590pA9PMz1myO2daW) **Step 10.** Set "**Supersedence behavior**" to 1 month or keep the default value (3 months) and click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT593uI7zRva2Y0P4Vj) **Step 11.** Select all maintenance options and click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT597nvu3O1Veh50w3p) **Step 12.** Click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT59B0K5C6JAu-KakkC) **Step 13.** Select "**Download full files for all approved updates**" and click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT59EHksq55fr597apf) **Step 14.** Do not select any "**Classifications**" at this point, click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT59HoiCxryD44n8CzF) **Step 15.** Do not select any "**Products**" at this point, click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT59LUlGq2BcnHITQuJ) **Step 16.** Select the desired languages and click "**Next**" ![Configuration Manager - Software Update Point](/files/-MT59OEXSGXnsN9dCwqh) **Step 17.** Click "**Next**" and then click "**Close**" when the setup is complete. ![Configuration Manager - Software Update Point](/files/-MT59QzxcPiiqs_bcmIX) **Step 18.** Go to the Microsoft Endpoint Configuration Manager log location and review the **SUPSetup.log** You should see a line in the log that says: **Installation was successful.** ![Configuration Manager - Software Update Point](/files/-MT5Pd9SjGFcc7MTx31j) **Step 19.** In the console go to "**Software Library**" and expand "**Software Updates**", select "**All Software Updates**" which should be empty at this point. Now click on "**Synchronize Software Updates**" ![Configuration Manager - Software Update Point](/files/-MT5O64Mmg4xbvBsU-xr) **Step 20.** Click "**Yes**" ![Configuration Manager - Software Update Point](/files/-MT5ASxSh72ad10y1tHt) **Step 21.** Go to the Microsoft Endpoint Configuration Manager log location and review the **wsyncmgr.log** You should see a line in the log that says: **Sync succeeded.** ![Configuration Manager - Software Update Point](/files/-MT5PR4ugiPiGp8w4MWs) ### Classifications & Products We are now finally ready for the classifications and products configuration. **Step 1.** Navigate to "**Administration**" and expand the "**Site Configuration**", select "**Sites**", right-click on your site name, expand the "**Configure Site Components**" and select "**Software Update Point**" ![Configuration Manager - Software Update Point](/files/-MT5AYZJwactztNa1olt) **Step 2.** Select the "**Classifications**" tab and select the ones you need. ![Configuration Manager - Software Update Point](/files/-MT5AcnnRgYlIs9G8t0W) **Step 3.** Select the "**Products**" tab and select the ones you need. ![Configuration Manager - Software Update Point](/files/-MT5AfUwTZh3aOCmmQIG) ![Configuration Manager - Software Update Point](/files/-MT5Ai7hqRwQi7wgdrET) **Step 4.** In the console go to "**Software Library**" and expand "**Software Updates**", select "**All Software Updates**" which should still be empty at this point. Now, click on "**Synchronize Software Updates**" ![Configuration Manager - Software Update Point](/files/-MT5O64Mmg4xbvBsU-xr) **Step 5.** Click "**Yes**" ![Configuration Manager - Software Update Point](/files/-MT5ApxqXVLWDFRKjbJ6) **Step 6.** Go to the Microsoft Endpoint Configuration Manager log location and review the **wsyncmgr.log** You should see a line in the log that says: **sync: Starting WSUS synchronization** This **WILL** take a while to finish, so go grab a coffee, go for a walk or go to bed (I'll let you decide...):sunglasses: ![Configuration Manager - Software Update Point](/files/-MT5UP5P-BZHdNkPPYv1) **Step 7.** Okay, so almost 5 hours later and it is finally done! You should see a line in the log that says: **Done synchronizing WSUS Server** ![Configuration Manager - Software Update Point](/files/-MT5WOO6a8DStFxek6Bj) **Step 8.** You should now see the software updates in the console. Fantastic :star\_struck: ![Configuration Manager - Software Update Point](/files/-MT5B7ykDItbYn2_2jUp) ## SQL & WSUS MAINTENANCE Now that the software update point for this LAB has been configured and synchronized, let's continue with the SQL and WSUS maintenance which is important in order to prevent the whole house of cards from collapsing in the future - We have all been there at one point, right ? {% hint style="info" %} In my search for a maintenance solution, I found a blog post by [Kent Agerlund](https://twitter.com/agerlund) which led me to a PowerShell script created by [Kaido Järvemets](https://twitter.com/kaidja) and a SQL script created by [Ola Hallengren](https://twitter.com/olahallengren) You can read Kent's entire blog post [here](https://blog.ctglobalservices.com/configuration-manager-sccm/kea/house-of-cardsthe-configmgr-software-update-point-and-wsus/) {% endhint %} ### Prerequisites * Download WSUS Script & Scheduled Task [here](https://github.com/SuneThomsenDK/OSDSUNE/tree/master/WSUS_Maintenance) * Download SQL Script [here](https://ola.hallengren.com/sql-server-index-and-statistics-maintenance.html) ### SQL Maintenance **Step 1.** Type "**SQL Server Management**" in the search line next to the start button, and click "**Microsoft SQL Server Management Studio 18**" ![SQL Maintenance](/files/-MT5uf2lZYLE2pXi1GvO) **Step 2.** Click "**Connect**" ![SQL Maintenance](/files/-MT5rplCgi7NQtXr1_IA) **Step 3.** Click "**File**" -> "**Open**" -> "**File...**" or "**Ctrl+O**". Now, select the **MaintenanceSolution.sql** script previously downloaded from [Ola Hallengren's](https://twitter.com/olahallengren) website. ![SQL Maintenance](/files/-MT9pSXs0C3cDEO_E-qa) ![SQL Maintenance](/files/-MT5rvWjTyAhFNsHDRiA) **Step 4.** Modify the configuration or keep the defaults and click "**Execute**" ![SQL Maintenance](/files/-MT9sJcFhB1Xn0ymk8kq) **Step 5.** You should see a line in the messages pane that says: **Commands completed successfully.** ![SQL Maintenance](/files/-MT5sCdwYPYLZpq4vpkr) **Step 6.** Expand the "**SQL Server Agent**", right-click on "**Jobs**" and select "**Manage Schedules**" ![SQL Maintenance](/files/-MT9u6mIzsqTH6HcZEGI) **Step 7.** Click "**New\...**" ![SQL Maintenance](/files/-MT9uhzEVP3awfaUS8MC) **Step 8.** Configure the new job schedule to fit your needs or use my configuration in the below print screen and click "**OK**" {% hint style="info" %} **Note**. I recommend running the SQL maintenance before the WSUS maintenance. {% endhint %} ![SQL Maintenance](/files/-MTCba1Ggkq1XbVQQ2rP) **Step 9.** Expand the "**Jobs**", right-click "**IndexOptimize - USER\_DATABASES**" and select "**Properties**" ![SQL Maintenance](/files/-MT9wYDYqfLQiOWOVQh2) **Step 10.** On the "**Steps**" page, click "**New\...**" ![SQL Maintenance](/files/-MTCb7sJO51eCSEcTnrg) **Step 11.** Give the step a name, add a command that the step should run once a week and click "**OK**" You can use my command below or find inspiration at [Ola Hallengren's](https://twitter.com/olahallengren) website [here](https://ola.hallengren.com/sql-server-index-and-statistics-maintenance.html) ![SQL Maintenance](/files/-MT6-ESCv5mOLSZ9zZYD) ``` EXECUTE dbo.IndexOptimize @Databases = 'SUSDB', @FragmentationLow = NULL, @FragmentationMedium = 'INDEX_REORGANIZE,INDEX_REBUILD_ONLINE,INDEX_REBUILD_OFFLINE', @FragmentationHigh = 'INDEX_REBUILD_ONLINE,INDEX_REBUILD_OFFLINE', @FragmentationLevel1 = 5, @FragmentationLevel2 = 30, @UpdateStatistics = 'ALL', @OnlyModifiedStatistics = 'Y', @SortInTempdb = 'Y', @MaxDOP = 0 ``` **Step 12.** On the "**Schedules**" page, click "**New\...**", select the job schedule previously created in step 8 and click "**OK**" twice. ![SQL Maintenance](/files/-MTCbGwRTYysi2cDymgm) **Step 13.** Open the "**Job Activity Monitor**", right-click on "**IndexOptimize - USER\_DATABASES**" and select "**Start Job at Step...**" ![SQL Maintenance](/files/-MTA0Z1v_XG97jC8Gu3R) **Step 14.** Click "**Close**" when it's done. ![SQL Maintenance](/files/-MT5t0QFfl7bG16fxgVU) **Step 15.** Right-click on "**IndexOptimize - USER\_DATABASES**" again and now select "**View history**" ![SQL Maintenance](/files/-MTA1pqcCVv6h8-QbHDS) **Step 16.** Expand the log and review the details. You should see that the last messages says: **The step succeeded.** ![SQL Maintenance](/files/-MTA3HxEXpORocjhRuPS) ### WSUS Maintenance **Step 1.** Download the **WSUSCleanupTask.ps1** and **WSUSCleanupTask.xml** from my GitHub repository and place it somewhere on your WSUS server. **Important** - Before proceeding with step 2, you need to modify the **WSUSCleanupTask.ps1** configuration. ![WSUS Maintenance](/files/-MT5p-SU1bv6RwYejAuU) ``` #Configuration $UseSSL = $False <-- HTTPS or HTTP (Mandatory) $PortNumber = 8530 <-- Port for HTTPS or HTTP (Mandatory) $Server = "cm.domain.local" <-- FQDN of the WSUS Server (Mandatory) $ReportLocation = "E:\WSUS\CleanupReport.html" <-- Report location (Mandatory) $SMTPServer = "mail.domain.com" <-- FQDN of the mail server (Optional) $SMTPPort = 25 <-- SMTP Port (Optional) $To = "Full Name " <-- Mail recipient (Optional) $From = "System Notify " <-- Mail sender (Optional) ``` **Step 2.** Type "**Task Scheduler**" in the search line next to the start button, and click "**Task Scheduler**" ![WSUS Maintenance ](/files/-MT5pHJJGGbIsAoUCVBZ) **Step 3.** Click "**Import Task...**" from the "**Actions**" pane and import the **WSUSCleanupTask.xml** previously downloaded from my GitHub repository. Make the necessary changes so it will fit your environment e.g. when should it run and where is the script located? Click "**OK**" when finish. ![WSUS Maintenance](/files/-MT7LATLXlf2AARX-r1q) ![WSUS Maintenance](/files/-MT7H3dRK5emkhmzH5X_) ![WSUS Maintenance](/files/-MT7H9TWIxoVYZabZL8K) ![WSUS Maintenance](/files/-MT7HCrk7xATZ-UopPEr) ![WSUS Maintenance](/files/-MT7HGsLPVdO6GVNFANc) ![WSUS Maintenance](/files/-MT7HKROCCCmVB2HzNWG) **Step 4.** Select the "**General**" tab and make sure that the configuration is correct for your environment. ![WSUS Maintenance](/files/-MT7Mh5VT-ugo4IOeC-4) **Step 5.** Select the "**Triggers**" tab and make sure that the configuration is correct for your environment. ![WSUS Maintenance](/files/-MT7Mm2TP-MEIEzZwHuS) **Step 6.** Select the "**Actions**" tab and make sure that the configuration is correct for your environment. ![WSUS Maintenance](/files/-MT7MpzKx0l0P-fLm7IF) **Step 7.** Select the "**Conditions**" tab and make sure that the configuration is correct for your environment. ![WSUS Maintenance](/files/-MT7N-ZOoiBq0C9e0tGJ) **Step 8.** Select the "**Settings**" tab and make sure that the configuration is correct for your environment. ![WSUS Maintenance](/files/-MT7N3Vll8-I9ZAtOjcZ) **Step 9.** Run the scheduled task and look for any issues in the "**History**" tab. ![WSUS Maintenance](/files/-MT7N8ZCjMH1e78Nyu1w) **Step 10.** If the scheduled task ran successfully, you should see a **CleanupReport.html** in the location that you defined earlier in the **WSUSCleanupTask.ps1** configuration and if you open the report, you can see which job was performed by the script. ![WSUS Maintenance](/files/-MT7NrQ7wPvzzhJL4qtp) ![WSUS Maintenance](/files/-MT7NvuBcznk3-P9hDFY) This should conclude setting up the Software Update Point role in Microsoft Endpoint Configuration Manager and the maintenance configuration for SQL and WSUS. Now, Part 7 was actually on the drawing board, but I've decided that Part 6 will be the last one in this blog series. I will continue to blog about Endpoint Management in the 2021 section, this has been an awesome and a long blog series but I know that it has helped others and that makes it all worthwhile to me :nerd: If you have any questions regarding this topic, feel free to reach out to me. I am most active on [Twitter](https://twitter.com/SuneThomsenDK)! --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.osdsune.com/home/archive/microsoft-configuration-manager/configmgr-lab/part-6.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.