Configuration Manager 2012 and WSUS/SUP – How Windows Updates Works


There are four components that work together to deliver a complete patching scenario:

  • SCCM agent on the client machine
  • Windows Update Agent on the client machine
  • WSUS server
  • SCCM site server and distribution points

First of all, SCCM configures WSUS, through the SUP component, with the update classifications and products that should be in scope for the update process, as described in the previous section.
WSUS then contacts Microsoft Update and downloads the catalog (metadata) of the matching updates. This is only the metadata (the description of each update), not the update files themselves.

The SCCM client on each Windows client machine configures the local group policy so that the WSUS server (Server2) is the Windows Update server.
The Windows Update Agent on the client machine then contacts the WSUS server configured via that local group policy (Server2), downloads the catalog, scans the machine for applicable updates, and reports back to WSUS which updates are needed.

Next, the SCCM site server contacts WSUS and retrieves the catalog that contains the descriptions of the updates (again, not the update files themselves).
In the SCCM console you will see those update descriptions and choose which ones to deploy to a collection of machines.

SCCM (not WSUS) then contacts Microsoft Update, downloads the actual update files, stores them locally, and distributes them to the distribution points.
The SCCM client on each client machine sees the deployed updates and downloads them locally from a distribution point. The Windows Update Agent takes over from there and installs the updates on the client machine.

Now, the client machine will read the local group policy setting and the Windows Update Agent will contact the WSUS (server2) to download the
In other words, the WSUS server on Server2 does not download the update files. The WSUS server on Server2 only has the catalog on its disks, while the distribution points hold the actual update files on their disks.
Since the SCCM client configures the local group policy on Windows client machines to point to Server2 as the WSUS server, you must be careful if you also have a domain group policy that configures the WSUS server: domain group policy takes precedence over the local group policy set by the SCCM client. If you do have a domain group policy that configures WSUS settings, make sure it points to Server2 as the WSUS server and nothing else, not even a CNAME for Server2.

If you have configured the GPO setting "Configure Automatic Updates" as Enabled, the Windows Update Agent on the machines will display an extra notification to the user that a restart is pending. Setting it to Disabled will prevent Windows machines from downloading updates through the Windows Update Agent component.
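The two points above (a domain GPO silently overriding the SCCM client's local WSUS policy, and "Configure Automatic Updates" being disabled) are easy to verify on a client. The following PowerShell script is an added example, not part of the original post or of Configuration Manager itself. It reads the Windows Update policy values that both the SCCM client and a domain GPO write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, compares them with the expected SUP server, and then looks for the corresponding lines in the SCCM client's WUAHandler.log. The URL http://server2:8530 and the log path C:\Windows\CCM\Logs\WUAHandler.log are assumptions; replace them with your own SUP URL and client log location.

```powershell
# Added example (not from the original post): check which WSUS server a client's
# Windows Update Agent is really pointed at and whether a domain GPO has overridden
# the local policy that the SCCM client wrote.
param(
    # Assumed SUP/WSUS URL for "Server2"; adjust host and port (8530 HTTP / 8531 HTTPS) to your site.
    [string]$ExpectedWsus = 'http://server2:8530',
    # Assumed default SCCM client log location.
    [string]$WuaHandlerLog = 'C:\Windows\CCM\Logs\WUAHandler.log'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

# Read one policy value, returning $null when the key or value does not exist.
function Get-WuPolicyValue {
    param([string]$Key, [string]$Name)
    try   { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$wuServer       = Get-WuPolicyValue -Key $policyKey -Name 'WUServer'        # intranet update server
$wuStatusServer = Get-WuPolicyValue -Key $policyKey -Name 'WUStatusServer'  # intranet statistics server
$useWuServer    = Get-WuPolicyValue -Key $auKey     -Name 'UseWUServer'     # 1 = use WUServer instead of Microsoft Update
$noAutoUpdate   = Get-WuPolicyValue -Key $auKey     -Name 'NoAutoUpdate'    # 1 = "Configure Automatic Updates" is Disabled

[pscustomobject]@{
    WUServer       = $wuServer
    WUStatusServer = $wuStatusServer
    UseWUServer    = $useWuServer
    NoAutoUpdate   = $noAutoUpdate
} | Format-List

# Compare as a trimmed, case-insensitive string. A CNAME or alternate spelling of the
# same host will deliberately fail this check, which is exactly the post's point.
function ConvertTo-NormalizedUrl {
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url)) { return $null }
    return $Url.Trim().TrimEnd('/').ToLowerInvariant()
}

$actual   = ConvertTo-NormalizedUrl $wuServer
$expected = ConvertTo-NormalizedUrl $ExpectedWsus

if (-not $actual) {
    Write-Warning 'No WUServer policy value is set: the WUA will scan against Microsoft Update, not the SUP.'
}
elseif ($actual -ne $expected) {
    Write-Warning "WUServer is '$wuServer' but the SUP is '$ExpectedWsus'. A domain GPO is probably overriding the local policy written by the SCCM client."
}
else {
    Write-Host "WUServer matches the expected SUP ($ExpectedWsus)."
}

if ($wuServer -and $wuStatusServer -and
    (ConvertTo-NormalizedUrl $wuStatusServer) -ne $actual) {
    Write-Warning "WUStatusServer ('$wuStatusServer') differs from WUServer; scan results may be reported to the wrong server."
}

if ($useWuServer -ne 1) {
    Write-Warning 'UseWUServer is not 1: the WUA will ignore WUServer and contact Microsoft Update directly.'
}

if ($noAutoUpdate -eq 1) {
    Write-Warning '"Configure Automatic Updates" is Disabled (NoAutoUpdate=1): the WUA will not download updates on this machine.'
}

# Cross-check with the SCCM client's own view. The SCCM client logs the WSUS server it
# applied, and notes when a higher-authority (domain) policy overwrote it. The patterns
# below are assumptions about the log wording; adjust them to what your client version writes.
if (Test-Path $WuaHandlerLog) {
    Select-String -Path $WuaHandlerLog -Pattern 'higher authority', 'Enabling WUA Managed server policy' |
        Select-Object -Last 5 |
        ForEach-Object { $_.Line }
}
else {
    Write-Host "WUAHandler.log not found at $WuaHandlerLog; skipping log cross-check."
}
```

Run it as an administrator on a client that has the SCCM agent installed. A mismatch between WUServer and the SUP URL, or a "higher authority" line in WUAHandler.log, is the symptom of the GPO conflict the post describes, and NoAutoUpdate=1 explains a machine that shows updates as required in the console but never downloads them.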

One comment on “Configuration Manager 2012 and WSUS/SUP – How Windows Updates Works”

  1. I am an SCCM admin and this explanation is a concise summary. I would like to thank you for posting this article. I can point others trying to understand how to use SCCM for patch management to this article.
