Best Practices for ConfigMgr12 Software Updates

When Configuration Manager and WSUS use the same SQL Server, configure one of these to use a named instance and the other to use the default instance of SQL Server

When the Configuration Manager and WSUS databases use the same SQL Server and share the same instance of SQL Server, you cannot easily determine the resource usage between the two applications. When you use a different SQL Server instance for Configuration Manager and WSUS, it is easier to troubleshoot and diagnose resource usage issues that might occur for each application.

Use a custom website for the WSUS installation

When you install WSUS 3.0, you can specify whether to use the default Internet Information Services (IIS) website or create a WSUS 3.0 website. As a best practice, select Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in a dedicated website instead of sharing the same website with other Configuration Manager site systems or other software applications. When you use a custom website for WSUS 3.0, WSUS configures port 8530 for HTTP and port 8531 for HTTPS. You must specify these port settings when you create the active software update point for the site.

Specify the Store updates locally setting for the WSUS installation

When you install WSUS 3.0, select Store updates locally so that license terms that are associated with software updates are downloaded during the synchronization process and stored on the local hard drive for the WSUS server. When this setting is not selected, client computers might fail to scan for software updates compliance for software updates that have license terms. When you install the active software update point, WSUS Synchronization Manager verifies that this setting is enabled every 60 minutes, by default.

Create a new software update group each time an automatic deployment rule runs for “Patch Tuesday” and for general deployment

There is a limit of 1000 software updates for a software update deployment. When you create an automatic deployment rule, you specify whether to use an existing update group or create a new update group each time the rule runs. When you specify criteria in an automatic deployment rule that results in many software updates, and the rule runs on a recurring schedule, choose to create a new software update group each time the rule runs to prevent the deployment from surpassing the limit of 1000 software updates per deployment.

Use an existing software update group for automatic deployment rules for Endpoint Protection definition updates

Always use an existing software update group when you use an automatic deployment rule to deploy Endpoint Protection definition updates on a frequent basis. Otherwise, hundreds of software update groups will be created over time. Typically, definition update publishers set definition updates to be expired when they are superseded by 4 newer updates. Therefore, the software update group that is created by the automatic deployment rule will never contain more than 4 definition updates for the publisher (1 active and 3 superseded).