WSUS Configuration and Synchronization
After you have installed the WSUS Server, as described in this article, it still lacks configuration settings and synchronized catalog and mass data. Normally, WSUS Server configuration is done via the SCCM console when the server role "Software Update Point" (SUP) is installed.
If you have already modified the WSUS Service via the WSUS administration console, it may not be possible to apply configuration changes done via SCCM correctly into WSUS.
Go to "Site Configuration -> Server and Site System Roles“ in the SCCM administration console and add a new site system role in the context menu of the respective server.
Normally, you can click "Next" to skip the following dialog. Then you must configure the proxy server, which is used to establish connection to the Internet.
Once you have specified the proxy server, you can select the "Software Update Point" role.
If you have created a SSL certificate for the WSUS Server, as described, you can checkmark/enable the respective option to enforce SSL communications.
If a proxy server is used, it must be enabled accordingly. You must also specify the account used to access the WSUS Server. For this user, no specific AD permissions are required, but it must be a member of the local group "WSUS Administrators" of the WSUS Server (we recommend that you create an AD group that is added to the local group of each WSUS Server).
The next step is to specify the synchronization settings specifically for the WSUS Server.
This does not refer to WSUS -> SCCM synchronization! If you specify the WSUS Server, the WSUS Server will synchronize itself.
Now you must define the schedule for synchronization of the WSUS Server with its source.
In the next step, you define when patches shall be marked as "expired". This setting must be configured, based on the internal IT policies, since roll-outs of expired patches are stopped.
Now you must select the classification of patches that shall be used within your company. A detailed description of the relevance of classifications can be found here.
Then you select the products used within your company...
… and configure the languages accordingly.
When you have finished the wizard, you can check the success of the installation in the SUPSetup.log file (C:\Program Files\Microsoft Configuration Manager\Logs\SUPSetup.log), where the installation must be confirmed with the "Installation was successful" line.
Now go to "Overview -> Software Updates -> All Software Updates" in the "Software Library" view, where you can use the respective option in the ribbon to initiate patch synchronization.
Synchronization can be checked in the log file wsyncmgr.log (C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log).
When you have completed WSUS Server configuration, it is essential to ensure WSUS Server maintenance, since without maintenance, the server will not work properly anymore after a while, due to the constantly increasing catalog and resulting defragmentation of the database as well as the increasing amount of mass data. Valuable tips to avoid this problem can be found here.