The following blog runs through the procedure that is required to install a remote SUP in your environment. This could be to off-load site roles from the site server or to scale out.
Note that the installation has taken place on a Windows 2008 R2 server and that the site server is not going to be used as a SUP. For remote WSUS configuration on Server 2012 see here.
Install the WSUS Console on the site server
Download WSUS 3.0 SP2 from here.
Click Next in the WSUS install wizard.
When prompted choose to install the console only. Click Next.
Accept the licence agreement and click Next.
One the install is complete click Finish.
Install MS KB’s 2720211 and 2734608
Go to http://support.microsoft.com/kb/2720211/en-us & http://support.microsoft.com/kb/2734608/en-us respectively and install the WSUS 3.0 SP2 update patches, in no particular order.
Install IIS role on the remote SUP server
Connect to your remote server allocated for the WSUS role and load Server Manager. Choose Add Role. Select Web Server (IIS) and click Next.
Click Next.
Add the following IIS components
| Common HTTP Features
Static Content Default Document Directory Browsing HTTP Errors Application Development ASP.NET .NET Extensibility ISAPI Extensions ISAPI Filters Health and Diagnostics HTTP logging Request Monitor Security Windows Authentication Request Filtering Performance Static Content Compression Management Tools IIS Management Console IIS 6 Management Compatibility IIS 6 Metabase Compatibility |
Click Install.
Once installation of the IIS role is complete click Close.
Install Report Viewer 2008 on the remote SUP server
Download Report Viewer 2008 from http://www.microsoft.com/en-us/download/details.aspx?id=6576
Run the Reportviewer.exe file. Click Next.
Accept the licence terms and click Install.
Once complete click Finish.
Install WSUS on the remote SUP server
Follow the procedure to install WSUS on the remote SUP server as outlined earlier, however note the difference at the Database Options screen.
Choose ‘Use an existing database server on a remote computer’. Enter the hostname of the site server where the SUSDB was installed previously. Click Next.
Once a connection is made to the remote database choose to use the existing database on the SQL server. Click Next.
Continue the wizard through as per the previous WSUS install until complete. Then patch the SUP server with MS KB’s 2720211 and 2734608.
Add site server as local admin on the remote SUP server
Ensure that the site server has admin rights to the remote SUP server by adding it to the local administrators group.
Add the remote SUP server as a site system and install SUP role
Before the SUP role can be added in, the remote server must be added into SCCM as a site system. In the SCCM console go to the Administration workspace and choose Site Configuration>Servers and Site System Roles. Select ‘Create Site System Server’
Type in the FQDN of the remote SUP server and select the site code from the drop down list. Click Next.
Enter any proxy details if required. Click Next.
Choose to install a Software Update Point and click Next.
Select to use WSUS ports 8530 or 8531. If using 8531 (HTTPS) check the ‘Require SSL communications to the WSUS server’ checkbox. Click Next.
Click Next.
Select a synchronisation source, in this instance I am using the Microsoft Update site. Click Next.
Select a synchronisation schedule. I am using the default of every 7 days. Click Next.
Set the supersedence rules. Click Next.
Select the classification of updates you wish to install. Click Next.
Select the products that you wish to install updates for. Click Next.
Select language settings you want to synchronise. Click Next.
Click Next at the Summary screen.
Click Close once complete.
The SUP will being to install. Check the SMS\Logs folder on the remote server. In particular the SUPSetup.log which will report the success/failure of the SUP.
Also the WCM.log file on the site server will report connectivity to the new SUP.
..and the progress of the sync for product and classifications.
The sync can take a while. Once complete the following will be reported in the WCM.log.
Also take a look at the wsyncmgr.log file on the site server for information about the latest synchronisation that is taking place.
Finally, to check the status of the new SUP check the Site Status health in the Monitoring workspace.
and at the Component Status for the remote server.
The remote SUP is now successful installed.
SCCMentor - Paul Winstanley 
Can u explain a bit more the advantages between deploying updates via DP Vs via SUP. Can we add sup to boundary and restric acess to updates in client side to that SUP?
Thanks in advance.
Bruno. Updates are deployed via dp not sup. The sup just sends over metadata to the clients Therefore you control dp content location via boundary.
Thanks for the feedback.
My question was more related to differences between “DP only” vs DP with SUP role.
Bruno,
I’m not sure what you mean can you elaborate please?
I’ve missed some tips on the article now i get it! 🙂
This is “to off-load site roles from the site server or to scale out.” and “the site server is not going to be used as a SUP”.
Nevermind my question.
Thanks anyway
It is indeed Bruno. Bear in mind that a SUP on a server with other roles can support 25k clients. On it’s own isolated SUP server it can support 100k clients. So worth thinking about.
Hi I need Help,
when I download the software update package has the Internet me this error.
Error: Failed to download content id 16793731. Error: There was an error downloading the software update. (4115)
Package:
Success: The software updates were placed in the existing package:
• July 2015
Software updates that will be downloaded from the internet
Error: Update for Windows 8 (KB2976978)
Errors
Failed to download content id 16793731. Error: There was an error downloading the software update. (4115)
Update for Windows 8 for x64-based Systems (KB2976978)
Update for Windows 7 for x64-based Systems (KB2977759)
Update for Windows 7 (KB2977759)
Update for Windows Server 2008 R2 x64 Edition (KB3065987)
Update for Windows 7 (KB3065987)
Update for Windows Server 2008 R2 for Itanium-based Systems (KB3065987)
Update for Windows 7 for x64-based Systems (KB3065987)
Update for Windows Server 2012 R2 (KB3065988)
Security Update for Internet Explorer Flash Player for Windows 8 (KB3065823)
Security Update for Internet Explorer Flash Player for Windows Server 2012 (KB3065823)
Security Update for Internet Explorer Flash Player for Windows Server 2012 R2 (KB3065823)
Security Update for Internet Explorer Flash Player for Windows 8 for X64-based Systems (KB3065823)
Update for Windows 7 (KB2952664)
Update for Windows 7 for x64-based Systems (KB2952664)
Language Selection:
English
Do you get any further information in the patchdownloader.log located in the %temp% folder when you run the download.? Cheers Paul
Hi
in patchdownloader.log see this error below
GetContentFileInfoForDownload() failed for ContentID 16793732. hRes = 0x80041013 .ERROR: DownloadContentFiles() failed with hr=0x80041013
Take a look here as this may be your issue http://serverfault.com/questions/517138/sccm-2012-sp1-downloadcontentfiles-failed-with-hr-0x80041013
I have done this test but did not work
It might be worth logging this on the TechNet forums to see if anyone else has experienced this issue before – https://social.technet.microsoft.com/Forums/en-US/home?category=systemcenter2012configurationmanager
When I go through on two Server 2012 machines, I get the following error followed by Remote configuration failed on WSUS Server.
System.TypeInitializationException: The type initializer for ‘Microsoft.UpdateServices.Internal.Constants’ threw an exception. —> System.TypeInitializationException: The type initializer for ‘Microsoft.UpdateServices.Internal.UtilConstants’ threw an exception. —> System.ComponentModel.Win32Exception: The system cannot find the file specified~~ at Microsoft.UpdateServices.Internal.UtilClassFactory.CreateInstance(Type type, Object[] args)~~ at Microsoft.UpdateServices.Internal.SetupInfo.GetInstallDirectory()~~ at Microsoft.UpdateServices.Internal.UtilConstants..cctor()~~ — End of inner exception stack trace —~~ at Microsoft.UpdateServices.Log.InitializeFromConfig()~~ at Microsoft.UpdateServices.Log.InitializeIfNeeded()~~ at Microsoft.UpdateServices.Log.SendMessage(LogLevel logLevel, String message, Object[] args)~~ at Microsoft.UpdateServices.Log.Trace(LogLevel logLevel, String message, Object[] args)~~ at Microsoft.UpdateServices.Internal.UtilClassFactory.CreateInstance(Type type, Object[] args)~~ at Microsoft.UpdateServices.Internal.SetupInfo.GetInstallDirectory()~~ at Microsoft.UpdateServices.Internal.Constants..cctor()~~ — End of inner exception stack trace —~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)
Has the post install of WSUS been run?
What if I want to do patch management of my AWS/Azure cloud infrastructure using On-premise SCCM 2012 servers
This has been supported since ConfigMgr 2012 SP1 https://support.microsoft.com/en-us/help/2889321/system-center-2012-configuration-manager-and-system-center-2012-endpoint-protection-support-for-microsoft-azure-virtual-machines
Thnx for the reply. But what about AWS cloud. How can we leverage on-premise SCCM server to path AWS cloud machines. Also is there any step-by-step procedure document for the same.
There’s no support statement or for that as MS focus is Azure. Treat your AWS like normal endpoints.
Thanks Paul for quick reply. As we have both AWS and Azure cloud for which we are planning to use our existing on-premise SCCM 2012 server. Is there any step by step configuration document that will help us to leverage existing SCCM 2012 server for cloud as well? also which are the best practices in our scenario which help us to reduce overall patching time and achieve patch compliance?
Not aware of one sorry
Question, if you have SUP and WSUS already installed on the site server and wish to off load WSUS to a separate site server how would you go about that?
Depends which release of Configmgr I was running. With the latest releases you can switch clients to a new Sup. So I would build a new Sup, switch clients. Then I would remove Sup from site server and set the new sup as the sync source. Next I would remove wsus and install console only on the site server.
Great, works also with 2016!
Cheers.