Switching from WSUS to SCCM for Windows Updates

This checklist is incomplete, but it contains most of the important steps to consider when switching Windows Updates for your workstations and servers to use SCCM instead of WSUS as your Software Update Point.

Articles are written based on CM version 1806 or later. Official documentation can be found here: https://docs.microsoft.com/en-us/sccm/sum/plan-design/plan-for-software-updates

Modify GPO for Windows Updates: Launch GPMC.msc > Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update and change the intranet update service and the intranet statistics server to the CM server where you've installed your Software Update Point (SUP).

Client Settings > Enable Software Update-based Installation: Launch CM Console > Administration > Site Configuration > Sites > select Client Installation Settings from the top ribbon and select Software Update-Based Client Installation, then check Enable software update-based client installation.

For more info on client deployment methods, see: https://blogs.technet.microsoft.com/smartinez/2013/09/27/top-3-configmgr-2012-client-installation-methods/

Run WSUS Wizard on Software Update Point (CM server): On your new SUP server (in our case the CM Primary server), go to Roles and Features > WSUS and run through the wizard to configure WSUS. To verify whether this has already been performed, go to CM Console > Administration > Site Configuration > Sites > right-click on your site and select Configure Site Components > Software Update Point > check the Classifications or Products tab and verify that the Classifications/Products you would like to support have been selected (e.g. Adobe Reader).

Verify Default Client Settings: Launch CM Console > Administration > Client Settings > Default Client Settings > Software Updates >
Enable software updates on clients = Yes
Enable third party software updates = Yes (optional).

This setting is optional if you chose to manage third-party products during the Classifications/Products configuration.

Push SSL certificate to Distribution Points / Verify SSL cert. is deployed on SUP: Launch CM Console > Administration > Site Configuration > Sites > right-click on your site and select Configure Site Components > Software Update Point > Third Party Updates > WSUS signing certificate configuration (check the status of Current WSUS signing certificate details). As you can see in the screenshot below, we've chosen to allow CM to manage the certificate, and it's using a self-signed WSUS certificate as opposed to one from a certificate vendor (e.g. Entrust or Verisign).

Verify Windows Updates component is Enabled in client's Configuration Manager: After making your changes, check your laptop or a computer that has the agent deployed (Run > control smscfgrc > Components tab, or Control Panel > Configuration Manager > Components tab) and confirm that the Software Updates Agent status is set to Enabled. If it's set to Disabled, restart your computer and check again after 5 minutes.
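
A client-side check for the GPO and WSUS signing certificate steps above, as an added example that is not part of the original article. The SUP URL and the thumbprint are placeholders (assumptions): use your own SUP address and the thumbprint shown under Current WSUS signing certificate details.

```powershell
# Added example: run in an elevated PowerShell session on a managed client.
param(
    [string]$ExpectedSup = 'https://cm01.example.local:8531',  # placeholder SUP URL
    [string]$SigningCertThumbprint = ''                         # placeholder, optional
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied yet).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-SameUrl {
    param([string]$Actual, [string]$Expected)
    # Case-insensitive compare that ignores a trailing slash.
    [bool]$Actual -and ($Actual.TrimEnd('/') -ieq $Expected.TrimEnd('/'))
}

$wuServer = Get-PolicyValue $wuKey 'WUServer'        # intranet update service
$wuStatus = Get-PolicyValue $wuKey 'WUStatusServer'  # intranet statistics server
$useWu    = Get-PolicyValue $auKey 'UseWUServer'     # must be 1 or WUServer is ignored
$signed   = Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts'  # third-party updates

$results = @(
    [pscustomobject]@{ Check = 'WUServer points at SUP';       Value = $wuServer; Ok = (Test-SameUrl $wuServer $ExpectedSup) }
    [pscustomobject]@{ Check = 'WUStatusServer points at SUP'; Value = $wuStatus; Ok = (Test-SameUrl $wuStatus $ExpectedSup) }
    [pscustomobject]@{ Check = 'UseWUServer enabled';          Value = $useWu;    Ok = ($useWu -eq 1) }
    # Plain HTTP leaves update metadata unprotected between client and SUP.
    [pscustomobject]@{ Check = 'SUP URL uses HTTPS';           Value = $wuServer; Ok = ("$wuServer" -like 'https://*') }
    [pscustomobject]@{ Check = 'Signed intranet updates allowed (third-party only)'; Value = $signed; Ok = ($signed -eq 1) }
)

if ($SigningCertThumbprint) {
    # A self-signed WSUS signing certificate must be in both stores on the client.
    foreach ($store in 'TrustedPublisher', 'Root') {
        $found = Test-Path "Cert:\LocalMachine\$store\$SigningCertThumbprint"
        $results += [pscustomobject]@{ Check = "Signing cert in $store"; Value = $SigningCertThumbprint; Ok = $found }
    }
}

$results | Format-Table -AutoSize -Wrap
if ($results.Ok -contains $false) { exit 1 }
```

The third-party rows only matter if you enabled third party software updates in the client settings; a failed row there is expected otherwise.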
