Partial integration of WSUS and SCCM SP1

Similar Messages

• Can we re-activate Adobe patches once expired in SCUP and syncronized to WSUS and SCCM 2012 as expired?

  Hi,
  I expired a couple of Adobe patches in SCUP and published them in WSUS. They got synchronized in WSUS and SCCM as expired. After about two weeks those expired patches got cleaned from SCCM ( at least from UI).
  I want to activate them again in SCUP and re-publish as active patches in SCCM. But its not working - I've tried WSUS cleanup and  SCUP cleanup already!
  Is there any way to re-active expired patches published by SCUP in WSUS and SCCM ? & How?
  Excerpt from SCUP.Log:
  PublishItem: Item 'Reader Multi Lingual User Interface 10.1.4 Update (UpdateId:'5c22235f-a3d9-48db-95eb-a60ec1886e8e' Vendor:'Adobe Systems, Inc.' Product:'Adobe Reader')' is on the update server and is expired, no publish actions are possible.

  The key here is knowing WHY those updates were "expired" in the first place.
  Most likely they were expired because they superseded another update. If so, merely duplicating and publishing won't achieve anything, because the duplicated/re-published update will also be superseded and get promptly expired again.
  Ergo, if expired because superseded, the superseding package will need to be customized to remove the supersession references and it also will need to be republished, which also means that certain other considerations may need to be taken as well ... such
  as the fact that you now have multiple packages that will conflict with one another that no longer have the requisite supersession metadata.
  Regarding this scenario. Configuration Manager 2012 introduced the option to NOT EXPIRE superseded updates, or to defer the expiration for a specified number of days. This is not a SCUP thing; it's a ConfigMgr thing.
  Configure the ConfigMgr product to behave the way you desire. Problem solved. :)
  If YOU actually expired them in SCUP... then just UNEXPIRE them and republish. Shouldn't be any need to duplicate and republish. This is what Microsoft does all the time. Expire Update 'A' Rev 100 on Monday; publish Update 'A' Rev 101 on Patch Tuesday.
  Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
  SolarWinds Head Geek
  Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
  My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
  http://www.solarwinds.com/gotmicrosoft
  The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

• Content Transfer between WSUS and SCCM client on port 8530

  Dear All
  In my environment from last few days we are facing an strange situtaion where huge contents is getting transferred between WSUS server and SCCM client on port 8530.
  I check logs on client and found that client are getting contents from their associated DP's but still weekly network utlisation report showing that data in GB's was transferred between SCCM primary server and clients on port 8530.
  Kindly suggest what else need to check in this scenario
  Regards Suresh

  The only other possible traffic from WSUS is actual updates if and only if you have been approving updates directly in WSUS which you should not be doing.
  Thus, assuming you are not doing what you should not be doing, the only possibility is the update catalog. 150-200MB sounds excessive but that will be based upon what you all have selected for your catalog. There are also a handful of reasons why a full
  catalog resync would be initiated instead of just a delta.
  Jason | http://blog.configmgrftw.com

• WSUS and SCCM 2012

  I'm finally getting around to trying to integrate WSUS with SCCM 2012 - i.e., to begin using SCCM 2012 to manage and deploy all Microsoft updates rather than using plain old WSUS as I have in the past.
  My first impression is that it's much more complicated than using WSUS alone. That said, I'm wondering now what are the advantages of using SCCM 2012 to manage Windows Updates rather than using WSUS? So far, I've added all of this complexity to the
  process, but I'm not seeing the added benefits after having gone through all this. Anyone else agree?
  I'm about to just trash the whole thing and go back to doing it the old way. Thoughts?
  Shaun

  Jorgen summed it up nicely here:
  http://ccmexec.com/2012/08/top-11-reasons-why-you-should-use-configmgr-2012-for-managing-software-updates/
  Jason | http://blog.configmgrftw.com

• Manage SCUP published updates under WSUS and SCCM.

  After completion of SCUP environment, I published Adobe Flash player update successfully.
  Some where in blogs it was mentioned that published updates are under 'software library' but under SCCM2007 SP2 I am able to see 'software update' and there are no entry of published updates. Under 'software update' there is only Microsoft vendor and no updates
  under same.
  Also, there is no entry about Adobe updates in WSUS, only Micosoft specific updates are present as per sync.
  environment details:
  SCUP 2011
  WSUS on Win 2008 R2 Server
  SCCM 2007 SP2
  SQL Server 2008 R2
  Please let me know how can I view & manage published updates under SCCM and WSUS.
  Below are logs entry specific to SCUP:
  Publications workspace: Remove selected updates from publication AdobeFlashPlayer$$<Updates Publisher><Tue Feb 24 12:48:28.584 2015.1><thread=1>
  Publications workspace: Starting publish wizard for publication 'AdobeFlashPlayer'.$$<Updates Publisher><Tue Feb 24 12:48:33.573 2015.1><thread=1>
      Publish: Preparing list of selected updates for publishing.$$<Updates Publisher><Tue Feb 24 12:48:37.587 2015.12><thread=12>
      Connecting to a local update server with locally detected settings.$$<Updates Publisher><Tue Feb 24 12:48:37.588 2015.12><thread=12>
      Publish: Update server name: WIN2008R2DC$$<Updates Publisher><Tue Feb 24 12:48:37.610 2015.12><thread=12>
      Publish: Publish operation starting for 1 updates.$$<Updates Publisher><Tue Feb 24 12:48:37.611 2015.12><thread=12>
      Publish: Publish: Verifying update server is configured with a certificate prior to publishing.$$<Updates Publisher><Tue Feb 24 12:48:37.614 2015.12><thread=12>
      Publish: Publish: Update server appears to be configured with a certificate.$$<Updates Publisher><Tue Feb 24 12:48:37.656 2015.12><thread=12>
      Building dependency graph for update 'Adobe Flash Player 32-bit/64-bit Plugin 16.0.0.305 (UpdateId:'a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4' Vendor:'Adobe Systems, Inc.' Product:'Adobe Flash Player')'$$<Updates Publisher><Tue Feb 24
  12:48:37.687 2015.12><thread=12>
      No dependencies found for update 'Adobe Flash Player 32-bit/64-bit Plugin 16.0.0.305 (UpdateId:'a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4' Vendor:'Adobe Systems, Inc.' Product:'Adobe Flash Player')'$$<Updates Publisher><Tue Feb 24 12:48:37.717
  2015.12><thread=12>
  Found total of 0 dependencies (may include duplicates).$$<Updates Publisher><Tue Feb 24 12:48:37.717 2015.12><thread=12>
  PublishItem: Update ''Adobe Flash Player 32-bit/64-bit Plugin 16.0.0.305 (UpdateId:'a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4' Vendor:'Adobe Systems, Inc.' Product:'Adobe Flash Player')'' has no dependencies.$$<Updates Publisher><Tue Feb 24 12:48:37.718
  2015.12><thread=12>
  PublishItem: Publishing update 'Adobe Flash Player 32-bit/64-bit Plugin 16.0.0.305 (UpdateId:'a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4' Vendor:'Adobe Systems, Inc.' Product:'Adobe Flash Player')'.$$<Updates Publisher><Tue Feb 24 12:48:37.718 2015.12><thread=12>
  PublishItem: --- Evaluating software update 'Adobe Flash Player 32-bit/64-bit Plugin 16.0.0.305 (UpdateId:'a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4' Vendor:'Adobe Systems, Inc.' Product:'Adobe Flash Player')' for publishing as FullContent.$$<Updates Publisher><Tue
  Feb 24 12:48:37.719 2015.12><thread=12>
  PublishItem: --- Software update 'Adobe Flash Player 32-bit/64-bit Plugin 16.0.0.305 (UpdateId:'a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4' Vendor:'Adobe Systems, Inc.' Product:'Adobe Flash Player')' needs to be published with full content.$$<Updates Publisher><Tue
  Feb 24 12:48:37.732 2015.12><thread=12>
  PublishItem: Retrieving content for update 'Adobe Flash Player 32-bit/64-bit Plugin 16.0.0.305 (UpdateId:'a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4' Vendor:'Adobe Systems, Inc.' Product:'Adobe Flash Player')'.$$<Updates Publisher><Tue Feb 24 12:48:37.756
  2015.12><thread=12>
  PublishItem: --- Content will be saved to C:\Users\Administrator\AppData\Local\Temp\2\\kzfk4dzk.yiy\install_flash_player_16_plugin.msi.$$<Updates Publisher><Tue Feb 24 12:48:37.757 2015.12><thread=12>
  PublishItem: Download Content: file was downloaded successfully.$$<Updates Publisher><Tue Feb 24 12:48:57.68 2015.12><thread=12>
  PublishItem: Successfully retrieved content for software update 'Adobe Flash Player 32-bit/64-bit Plugin 16.0.0.305 (UpdateId:'a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4' Vendor:'Adobe Systems, Inc.' Product:'Adobe Flash Player')' to local file: C:\Users\Administrator\AppData\Local\Temp\2\\kzfk4dzk.yiy\install_flash_player_16_plugin.msi$$<Updates
  Publisher><Tue Feb 24 12:48:57.69 2015.12><thread=12>
  File C:\Users\Administrator\AppData\Local\Temp\2\\kzfk4dzk.yiy\install_flash_player_16_plugin.msi appears to be signed, retrieved certificate, checking signature...$$<Updates Publisher><Tue Feb 24 12:48:57.204 2015.12><thread=12>
  TrustChecker: User trusts file.$$<Updates Publisher><Tue Feb 24 12:51:30.548 2015.1><thread=1>
  PublishItem: --- SDP XML file for publishing created at C:\Users\Administrator\AppData\Local\Temp\2\tmp182E.tmp$$<Updates Publisher><Tue Feb 24 12:51:30.640 2015.12><thread=12>
  PublishItem: --- Calling update server API for publishing update 'Adobe Flash Player 32-bit/64-bit Plugin 16.0.0.305 (UpdateId:'a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4' Vendor:'Adobe Systems, Inc.' Product:'Adobe Flash Player')'$$<Updates
  Publisher><Tue Feb 24 12:51:30.752 2015.12><thread=12>
  PublishItem: --- PublishPackage call successful for update 'Adobe Flash Player 32-bit/64-bit Plugin 16.0.0.305 (UpdateId:'a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4' Vendor:'Adobe Systems, Inc.' Product:'Adobe Flash Player')'$$<Updates Publisher><Tue
  Feb 24 12:51:59.290 2015.12><thread=12>
  PublishProgress: Publish operation completed.$$<Updates Publisher><Tue Feb 24 12:51:59.305 2015.12><thread=12>
  Publish: Background processing completed.$$<Updates Publisher><Tue Feb 24 12:51:59.306 2015.1><thread=1>
  WizardBase: closing Publish Software Updates Wizard wizard.$$<Updates Publisher><Tue Feb 24 12:55:37.211 2015.1><thread=1>
  Publications workspace: Publish wizard completed.$$<Updates Publisher><Tue Feb 24 12:55:37.234 2015.1><thread=1>
  I verified SCCM primary site but not able to trace published updates here. Please let me know how can I see published updates and how can I manage them as well.
  Thanks in advance!!!

  what does wsyncmgr.log,wsuscontrol.log and WCM.log says ? do they have any adobe related entries ? check if the published adobe products appearing in software update classification ?
  Eswar Koneti | Configmgr blog:
  www.eskonr.com | Linkedin: Eswar Koneti
  | Twitter: Eskonr

• WSUS and SCCM configuration

  I recently started a new position and have been asked to re setup their updates through sccm. Now im not that experienced since my last position had a fubar WSUS server but this one seems to be simple and kind of working. 
  The configuration is as follows. 
  SCCM SUP points to MSUpdate
  Clients look at MSUpdate and never sees SUP
  WSUS looks at MSUpate and hasn't downstream sync'd to sccm in 470+ days.
  Now am i wrong for thinking that the flow should looks like Cloud->WSUS->SCCM->Client or should it be Cloud->SCCM->Client with WSUS parallel to SCCM? 

  Keep in mind that ConfigMgr doesn't use WSUS in the same way as a standalone WSUS implementation. ConfigMgr is basically using the WSUS catalog to find which updates are available. The updates can then be added to Software Update Groups and can then be downloaded
  to deployment packages, which in turn can be distributed to DPs and deployed to clients.
  Your generalized flow would be Internet ("Cloud")-> ConfigMgr server(s) (with all that entails) -> Clients.
  Check wsyncmgr.log (site server) for information about why a sync hasn't happened recently. You can also check WUAHandler.log on the clients to see what they're up to.
  -Nick O.

• ISE wsus and sccm

  Hi..
  We are deploying ISE 1.1.1 for an enterprise customer. Having some doubts about postering. Customer wants to check windows update as part of posture check. What I understood, ise supports only wsus. There is a predefined rule pr_WSUSRule,which can't be edited and don't know how it works. customer is using SCCM to periodically deploy windows patches. Don't know whether pr_WSUSRule is applicable in this scenario. How to go ahead in our case.
  Thanks and waiting for your valuable input....

  Hi,
  I have had this scenario on a few of my ISE deployments and I have made a check so that sms service on the clients are enabled on the workstations before they are granted access to the network. I also run an audit requirement for win 7 32 bit updates (for example) so their administrators can perform checks to see if the sccm patches are being recognized. If the check fails then I have the agent turn it on.
  Keep in mind when you deploy ISE you have provide customers a policy and in this case we are using as an enforcement and audit tool over their current sccm architecture.
  Sent from Cisco Technical Support Android App

• Mdt integration boot image and SCCM boot image

  I created a MDT task sequence in SCCM and went through all the steps for setting up the toolkit and settings and boot image. After all that, I distributed everything to my DP. When i try to boot to pxe and run that new MDT task sequence it finds the pxe
  server, but just sits at "Contacting server" for some time until it times out. If I select the SCCM boot image in the task sequence properties then it works. the one created when i create the task sequence doesn't.
  Any Idea?

  Sounds like you didn't enable the boot image for PXE. This is a checkbox at the bottom of the Data Source page in the properties of the boot image.
  Have you reviewed smspxe.log?
  Jason | http://blog.configmgrftw.com | @jasonsandys

• WSUS and SCCM

  Hi,
  Is WSUS Server required in the production infrastructure as well for the OS patching ?
  We have a 3 separate environments. Development, UAT and Production. UAT and Production environments does not have internet access. So in the Dev. which is in isolated network and has internet connection, have a WSUS server and SUP installed where the MS
  patches are acquired. Then  we do an export/import process to move our MS patches to the other environments. So do we need WSUS infrastructure as well in the UAT and Production too ?
  Regards,
  Vinod

  Hi,
  Yes you do as the clients use the WSUS server to scan for updates, here is a great post on how to manage software updates in an isolated envrionment.
  http://blogs.technet.com/b/aaronczechowski/archive/2008/11/11/configmgr-software-updates-on-an-isolated-network.aspx
  Regards,
  jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• Cost of Intune and SCCM 2012 r2 vs SCCM 2012 r2 ICBM

  Is there any research/info on pros and cons of SCCM 2012 using intune for internet clinet management vs SCCM 2012 r2 and ICBM?  Things like cost, supportabiliy, etc.  I have seen intune vs sccm not Intune & SCCM vs SCCM and Internet Client
  Based Management. 
  Cyndy

  Hi,
  I think the reason is that you cannot manage Windows clients using the WIndows Intune Agent and integrate it with SCCM 2012. The integration with Intune and SCCM 2012 is for Mobile Device Management only so there is no possibility to install the Windows
  Intune Agent on a client and then manage it through the SCCM Admin Console.
  THe only scenario where that would work is if you manage a Windows 8.1 with the OMA-DM agent and enroll them in Intune as a mobile device with a limited set of features.
  So ICBM is still the way to go if you need all the features in SCCM or you want one console to rule them all.
  Regards,
  Jörgen  
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• Using WSUS for Cluster Aware Updates and SCCM???

  Can WSUS support SCCM and CAU(cluster aware update) from the same WSUS instance? E.G. If I have my SCCM infrastructure getting its patches from a server called SCCM01 lets say and the primary/central site is also on this box, can the WSUS instance on
  this server support CAU or will that break SCCM? I ask because one of our admins did exactly this a few weeks ago and we end up having to reinstall WSUS. It could have been a coincidence but that WSUS instance had been running fine since it was built. Seems
  kina strange it broke relatively quickly.
  I've read plenty of sites that say to avoid meddling in the WSUS console once SCCM is installed but I can't find a specific technet article saying not to do this. I just built the 2012 environment and they're wanting to configure it the same way and I'm
  refusing because I suspect it will break either SCCM 2012 or WSUS or both! Please if someone could point me in the right direction or offer some clarity I would very much appreciate it. So far all I've seen about CAU is that it does support SCCM and WSUS but
  I can't find any documents saying what the repercussions of configuring CAU to use the same WSUS instance that SCCM uses. Thanks in advance. -KR.

  Correct, ConfigMgr is unaware of cluster updating or the WSUS capabilities around clustering.
  Also correct that direct WSUS administration after WSUS is integrated with ConfigMgr is a bad thing. There is no specific article that says don't do "stuff" in the WSUS admin console but it is eluded to in the TechNet docs (http://technet.microsoft.com/en-us/library/gg712696.aspx) and
  I do know that it is specifically unsupported. I also know from experience that it will/can cause issues.
  Cluster patching with ConfigMgr can be done using multiple techniques including maintenance windows, Orchestrator, or other automation tools but there's nothing definitively built in
  Jason | http://blog.configmgrftw.com | @jasonsandys

• WSUS with SCCM 2012 - Products Missing, and Best Practices

  Good morning all
  I am integrating SCCM with WSUS, and I have a few questions regarding products.  I've noticed when running through the "Add site system roles wizard" in SCCM 2012 console that when I go to "Products" it does NOT list a few major
  products, such as office 2013, sql server 2013, exchange 2013, etc. 
  Am I missing something? I'm sure I am...what do I need to do? 
  Also, if there are any other gotchas or best practices you all can point me in the right direction as far as managing SCCM / WSUS together i'd be greatly appreciated. 
  Thanks so much!

  Do not use WSUS Console to manage the updates. All you things you can finish is in the SCCM Console. Refer to the link posted by Jason.
  Juke Chou
  TechNet Community Support

• WSUS vs SCCM SUP - What is the point of changing? Pros and Cons of both

  Hi,
  I have been using WSUS forever and have just made a very painful change over to SCCM 2012 SUP. In a room full of experienced WSUS users and facing a handover of SCCM SUP, I really need to have this question answered - What, if any, are the advantages of
  SCCM2012 SUP over WSUS. It's certainly not ease of use, ease of implementation or understandability.
  Even if i accept that yes, they are two different things now and i shouldn't think of SCCM as being like WSUS, I still have to compare and contrast, honestly, what they do and how they do it
  WSUS is ridiculously easy in comparison to SUP. With WSUS, I install it, create some GPOs and assign to OUs. I create security groups and add the servers in scope to to thoise groups and those security groups to the policy. I have different groups set up
  to keep separation of DCs and APP servers and SQL and SCCM and Antivirus servers and workstations
  If needs be i have a text list of all my servers/workstations and can individually target using PSEXEC to run wuauclt on any number of clients. It works great and is easily understandable
  Now, enter SCCM 2010 and SUP.
  The first thing i HAD to know was the last thing i learned. And not from Microsoft.That is that there is really only one method now, imposed by limitations on Software Update Groups and Deployment packages. You can only create a package of 1000 or less updates
  This means chopping up your historic updates and having them deployed as a separate strategy from your newer updates cycles
  Secondly, every month from now on you will need to create and sort your updates into a meaningful Update Group and Deployment package - even if you set up an Automatic Deployment rule, you still need to manually create your Update Groups
  You can only have one deployment package per update group and will need one software update group per "type" of install (available or Required) AND you will need one software update group and deployment package PER COLLECTION!
  To make this work as simply as possible, it will mean having two collections Available and Required (for example)
  Each collection will have a SUG associated with it (each with a limit of 1000 updates remember). Each group of circa 1000 updates takes about 2+ hours to compile and you will have a minimum of 5 groups per collection to get up to October 2014
  After this your ADRs should now do it all for you but lack the ability to create update groups so you have to do this manually every month beforehand. Whew!!
  Thirdly, in the background, WSUS still downloads metadata. In SCCM you should be pointing every update group manually to this folder. Same with Deployment packages and ADRs. Why is this not built-in - intuitive? These are then copied and downloaded as full
  packages into their respectively (manually) created source folders
  Now, when updates expire or are superseded, you have to manually replace them from each SUG
  And also quite a big thing i havent heard anyone else comment on, is the fact that these updates are now NOT shown in the Windows Update feature - they now appear in the Software Center - so now the Servers i sent "Available" updates have to be
  logged onto and manually installed - instead of being able to individually target them like i did with PSEXEC and wuauclt
  And logging?? There are at least 100 different logs to look at using the Trace Log Tool. It's a full time job just figuring out what logs to look at to resolve any problems
  This is, in my opinion, a really poor effort and the documentaion is wildly inconsistent across many forums.
  Some kind of standard document is needed. And i say this after having followed Microsoft's own documentation and using technet forums
  I, for one, just need one BIG question answered for now - how do i remove the SCCM SUP client and revert back to wuauclt on all my clients - if i remove SUP from SCCM will it remove the client from the clients?

  HI Jason,
  I have spent a long time trying to get this to work. My requirements are to have WSUS deploy updates automatically with as little intervention as possible and to be able to explain and show the process to others who will administer the system long after
  I've gone
  The reason I still have to think of things in the WSUS way is that I have a broken update infrastructure that doesn't do what my requirements are. So I now currently need to log into all my "Available " Servers to update them manually instead of
  being able to remotely execute the updates. I'll look at the SDK but this is the first time I've heard of it
  From the top - yes I agree that's a typo it's Update Goups that can only have 1000 updates. Do you agree that this causes a problem for this scenario? Updates since before 2013 amount to several thousand and so I have to break these up into groups of 1000
  - one each for Available and Required groups. That means 8 groups straight away
  Having to cater for these historic updates means painfully waiting 2 hours or so for each package to be created. I've done this already and its not pretty but its essential (unless I'm doing it wrong but I am following TechNet forums)
  My ADRs will absolutely not create the Update Groups and the docs I have read also say that this is a manual monthly process - Create a Group every month and then use an ADR to use that group - is that not correct?
  Update groups - you are mixing my words up and saying the same thing in a different way - "Update groups can absolutely have multiple deployments targeted to different collections" change the "can" for a "must" and you see my
  problem. You cannot create a single Update Group, package it up and the deploy it to both Available and Required groups. You need two update groups for this. One for available and one for Required.
  Metadata - OK then what is it that WSUS downloads to E:\WSUS\WsusContent\...  ? And why is this to be set as the download location for any Update Group, Deployment Package or ADR?? I have to create  or select a deployment package which is another
  manually created folder under "sources" for which the download location is set to my WSUS folder. This doesn't work unless I set my download location to Microsoft. But WSUS should already have synced in the background to WsusContent so why would
  I want to download from Microsoft. And I only want to actually download the "approved" packages. So as far as I'm aware the WSUS\WsusContent folder only contains metadata which is not downloaded until required. Am I wrong? What/who/how downloads
  the binaries and when?
  Lastly, What doesn't make sense? The goal used to be automation. If and when I needed to, I used to be able to manually intervene for single or multiple devices using PSEXEC to run wuauclt. With SCCM I can see for example, 2x non compliant devices just now.
  In the old days I would just psexec onto them and run wuauclt. In SCCM I err... Hmmm.. what? What do I do? Will look at the SDK
  Just one other thing - is there no way at all to continue to use the Windows UPdate control panel and have it show the same available updates as Software Centre? Why can SCCM not just work like Windows Update does? If I run Windows Update on any server it
  says up do date but if go to Microsoft to check it always comes back with updates
  I just want my internal SCCM SUP to work the same way Microsoft updates works for an internet connected computer. Completely Automatic. No intervention. My group of Availabel servers I would like to be able to remotely and individually install from either
  a central console or a script. Again, I will look at the SDK for this
  Thanks for your reply and advice. I'll give it one more week. ;-)

• WSUS Update KB2938066 and SCCM 2012 R2

  Looking at the newly release WSUS update KB2938066 and wondering if I need to apply it to my SCCM WSUS component. If so, what type of impact on the SCCM clients should I be aware of?
  Orange County District Attorney

  As the update is about securing and hardening WSUS and also the communication with WU/MU, I would definitely apply this update.
  The client-side is going to be tricky, depending on the configuration of your windows updates. Jason did a very good post about this here:
  http://blog.configmgrftw.com/the-wua-dilemma-in-configmgr/
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• WSUS and SQL login failures

  We're having problems with the WSUS configuration.
  In the wcm.log:
  System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'domain\localmachine$'.~~   at Microsoft.UpdateServices.Internal.BaseApi.SoapExceptionProcessor.DeserializeAndThrow(SoapException soapException)~~   at Microsoft.UpdateServices.Internal.DatabaseAccess.AdminDataAccessProxy.ExecuteSPGetConfiguration()~~  
  at Microsoft.UpdateServices.Internal.BaseApi.UpdateServerConfiguration.Load()~~   at Microsoft.UpdateServices.Internal.ClassFactory.CreateWellKnownType(Type type, Object[] args)~~   at Microsoft.UpdateServices.Internal.ClassFactory.CreateInstance(Type
  type, Object[] args)~~   at Microsoft.UpdateServices.Internal.BaseApi.UpdateServer.GetConfiguration()~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.SetUpstreamServerSettings(Boolean SyncFromMicrosoftUpdate, Boolean ReplicaServer,
  String UpstreamWSUSServerName, Int32 UpstreamWSUSServerPortNumber, Boolean UseSSL, Boolean HostBinariesOnMU, Int32 ReportingLevel, Int32 MaximumAllowedComputers)~~ClientConnectionId:00000000-0000-0000-0000-000000000000
  Remote configuration failed on WSUS Server.
  In the softwaredistribution.log file:
  2014-02-06 20:49:29.092 UTC    Error    WsusService.8    SusEventDispatcher.DispatchManagerDatabasePollingThreadProc    SusEventDispatcher got exception while polling database. Polling will continue:
  Excpetion details: System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'domain\localmachine$'.
  Of course, these errors are causing the sync to fail as well.
  SQL is installed on the site server.  We have a separate database for WSUS.  This is on SCCM 2012 R2, SQL 2012.  The localmachine$ is the site server.
  In the SQL management studio, the site server is in the Security\logins.  So my question is, what rights (and where) should the site server have?  Under the Databases\SUSDB\Security\Users should the site server be added?  If so, what default
  schema should it have?
  Or under the "dbo" user, should I change the login name to the site server?  The login name for dbo is listed as another account and I think this is where the issue is, but I'm definitely not a SQL person and I don't have anyone here to ask....
  thanks

  So, you used a separate instance of SQL Server for the WSUS DB?
  If so, is that instance remote from the WSUS instance
  It's interesting that you say that as for some reason, WSUS was installed on 2 of the SCCM servers - once on the site server and then again on another server.  I'm not sure why as I didn't install SCCM and/or WSUS here but I'm trying to understand why
  this was done.  SQL is on the site server, so we have the site db, the SUSDB, Reportserver and ReportServerTempDB. 
  On the site server there's a folder for WSUS which has the UpdateServicesPackages and the WsusContent folders.  The SUP resides on the primary site server.
  So, I removed the WSUS from the non-site server (and now I think this may be what broke things).
  I guess I have 3 choices -
  Try to keep WSUS on the site server and get it working
  Try and put WSUS back on the other server and see if it fixes things
  Uninstall WSUS and the SUP and start over