SCEP Policy and Definition Updates from WSUS


  • Hi,

    I have two questions to ask: 1- I have SCCM Server CAS+PRI with about 7000 clients, and 1500 clients are showing as un-managed in the SCCM console. I want to know the way to troubleshoot my deployed custom SCEP policy and how to turn un-managed clients into managed clients.

    2- All of my clients currently receive definition updates from ConfigMgr (ADR) and a UNC share. I have one upstream/downstream WSUS server. My question is: can I create an Automatic Rule on the WSUS server to provide an extra update source to my clients?


    Friday, August 29, 2014 6:35 PM


All replies

  • 1. With an abundance of clients showing as unmanaged, one of the first things I would look for would be to make sure boundaries are correct. I would look at the logs on the clients located at c:\windows\ccmsetup to see if there are errors, and also look at c:\windows\ccm\logs and check LocationServices.log and clientlocation.log.

    2. Yes, but there are some things to consider. If group policy sets a WSUS server, it will supersede the policy that SCCM makes if you are doing updates from SCCM. With that in mind, it will keep updates from SCCM from working correctly. If you decide to use WSUS when configuring your AntiMalware policies, just be sure WSUS is checked as a source for definition updates.

    Friday, August 29, 2014 6:44 PM
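
The log check suggested in the reply above, as an added example that is not part of the original thread. It assumes the client logs use the standard CMTrace line layout; the function name `Get-CcmLogIssue` is hypothetical and the sample lines are constructed for illustration.

```powershell
# Added example: list warnings and errors from ConfigMgr client logs.
# Assumed CMTrace layout: <![LOG[text]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
# type="1" is informational, type="2" a warning, type="3" an error.
$pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'

function Get-CcmLogIssue {
    param([string[]]$Line, [string]$Source = 'sample')
    foreach ($l in $Line) {
        $m = [regex]::Match($l, $pattern)
        if (-not $m.Success) { continue }    # multi-line or malformed entries are skipped
        $type = [int]$m.Groups['type'].Value
        if ($type -lt 2) { continue }        # keep warnings and errors only
        $severity = if ($type -eq 3) { 'Error' } else { 'Warning' }
        [pscustomobject]@{
            Source    = $Source
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Severity  = $severity
            Component = $m.Groups['comp'].Value
            Message   = $m.Groups['msg'].Value
        }
    }
}

# Constructed sample lines (not taken from a real client).
$sample = @(
    '<![LOG[constructed sample: informational entry]LOG]!><time="18:40:01.120+240" date="08-29-2014" component="LocationServices" context="" type="1" thread="2104" file="example.cpp:1">'
    '<![LOG[constructed sample: warning entry]LOG]!><time="18:40:02.310+240" date="08-29-2014" component="LocationServices" context="" type="2" thread="2104" file="example.cpp:2">'
    '<![LOG[constructed sample: error entry]LOG]!><time="18:40:03.005+240" date="08-29-2014" component="ClientLocation" context="" type="3" thread="2104" file="example.cpp:3">'
)
Get-CcmLogIssue -Line $sample | Format-Table -AutoSize -Wrap

# On a client, scan the two logs named in the reply and show the latest issues.
foreach ($name in 'LocationServices.log', 'ClientLocation.log') {
    $path = Join-Path 'C:\Windows\CCM\Logs' $name
    if (Test-Path $path) {
        Get-CcmLogIssue -Line (Get-Content $path) -Source $name |
            Select-Object -Last 20 | Format-Table -AutoSize -Wrap
    }
}
```
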
  • Thanks dear for your reply.

    Boundaries are correct, and I will re-check them as my clients are distributed location-wise. Also, can you tell me about the logs for SCEP on the server side and client side? I usually check mpcmdrun and mpsig.....

    2- Yes, GP is set, but I'm using the same WSUS server in the GPO as my SCCM servers. I just wanted to know: as I have created the ADR in SCCM to download SCEP updates automatically, can I create a rule on the WSUS server too?

    Friday, August 29, 2014 6:54 PM
  • 1. Make sure there is ConfigMgr policy targeted that specifies that Endpoint will be managed by ConfigMgr.
    2. Editing the same WSUS that's being used by ConfigMgr is not supported.

    Follow me on twitter: pvanderwoude

    Saturday, August 30, 2014 6:43 AM
  • If there is a GPO conflict it will tell you in the deployment monitoring of the ADR.

    Like Peter says, make sure all the clients are in a collection with endpoint enabled in the client settings, and make sure they have received policy.

    I usually create a couple of collections for client state:

    Inactive Clients:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
           SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
           SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_CH_ClientSummary
        on SMS_G_System_CH_ClientSummary.ResourceId = SMS_R_System.ResourceId
    where SMS_G_System_CH_ClientSummary.ClientActiveStatus = 0

    No Client:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
           SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
           SMS_R_SYSTEM.Client
    from SMS_R_System
    where (SMS_R_System.Client is null or SMS_R_System.Client = 0)
      and SMS_R_System.Name != 'Unknown'

    If these clients don't show in either of the two collections above, then as long as they are receiving the endpoint enabled settings and malware policy you should be OK.

    Saturday, August 30, 2014 9:29 AM
  • Hi Dear,

    I have checked my ConfigMgr boundaries, and definition updates via WSUS are working fine. Actually, I have issues with some clients showing as unmanaged although they're healthy and receiving updates/policy, but I see them as unmanaged in the console. Moreover, I am also seeing some false reporting on my console that the majority of my clients are up to date, but their definition dates are older in the console. Is there any database-level issue which is causing this?

    Thursday, September 04, 2014 6:54 AM
  • I'm cleaning up old posts. Did you figure this out yet? If so, how?

    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    Saturday, September 13, 2014 1:10 PM
  • Since no one has replied to this post, I recommend that you contact CSS directly for support. They can work with you to solve your problem.  

    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    Saturday, September 27, 2014 2:40 PM