SCCM-SCEP Design query

  • Question

  • Hello everyone,

    I have a query about SCCM-SCEP.

    We are on SCCM CB 1702 at the moment with a single primary site (Windows 2012 R2, SQL Server 2012 R2). Through SCCM we manage the whole of the Windows workstation estate and part of the Windows server estate. These managed systems have the SCCM agent on. The servers that we don't manage (which so far do not have the SCCM agent on) are managed by another team, who use WSUS for patching them; that WSUS is configured through domain policies.

    We are now in the process of implementing SCEP throughout the estate (to replace the existing Symantec EP). The servers which we don't manage through SCCM are also required to have the SCEP agent on. And as far as I know SCEP requires the SCCM agent on those servers as well (please correct me if I am wrong).

    Now this requirement poses a few challenges for us as to how to deal with these other servers which we haven't been managing through SCCM.

    My question is whether it is possible for these other servers to have the SCEP and SCCM agents on, managed through our SCCM primary site, but only managed from SCCM as far as antivirus is concerned, while we do not want to deal with them when it comes to patching, nor do we (ideally) want those servers to rely on our DP infrastructure for any content. At the same time we do not want to upset the WSUS-based patching done on those servers either.

    Is there a way it can be achieved without incurring additional admin overhead on our part in the long run when it comes to SCCM? Ideally what we want is to configure it once so SCEP fully becomes functional on those servers and then we don't worry about them?

    Or is it a better idea to create a secondary SCCM site to cover only these servers so the management of those is entirely isolated from our existing SCCM operations through delegation model?

    Also, with either of the above 2 approaches, would the periodic SCCM CB upgrade create unforeseen additional complexity which we need to take into account beforehand during the designing of this solution itself?

    I also welcome any other options...


    Apologies for too many questions and thanks in advance

    Best wishes,

    Steve

    Tuesday, January 16, 2018 2:13 PM

Answers

  • > "And as far as I know the SCEP requires SCCM agent on those servers as well"

    No, that is not a strict requirement; however, there is no other supported way to manage SCEP without using ConfigMgr so no ConfigMgr agent = no SCEP management.

    > "Is there a way it can be achieved"

    Yes. Simply ensure that the WSUS server configured on these other servers is set to their WSUS instance (using a GPO). You (or they) will also have to configure that WSUS instance to deliver SCEP (definition and engine) updates and you will need to create an antimalware settings package in ConfigMgr for those servers to use SCEP updates from WSUS instead of ConfigMgr.

    > "Or is it a better idea to create a secondary SCCM site"

    Definitely no.

    > "would the periodic SCCM CB upgrade create unforeseen additional complexity"

    Nothing more than you already have to deal with.


    Jason | https://home.configmgrftw.com | @jasonsandys

    • Marked as answer by Steve DSouza Tuesday, January 16, 2018 4:54 PM
    Tuesday, January 16, 2018 4:04 PM
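The design in Jason's answer has three moving parts on each of the other team's servers: Windows Update must be pointed at their WSUS by policy, the SCEP client must take definition updates from WSUS ahead of ConfigMgr, and the ConfigMgr client must be present so the antimalware policy can reach the box. The following read-only PowerShell check is an added example, not code from the thread or from Jason, for confirming those three facts on one server. It assumes the caller supplies the expected WSUS URL; the WSUS policy registry values are the ones the "Specify intranet Microsoft update service location" GPO writes, while the SCEP `Signature Updates` registry path and the `FallbackOrder` token names are assumptions taken from SCEP/Defender clients I have seen and should be confirmed against your own clients.

```powershell
<#
  Added example (not from the thread): read-only check, run elevated on one of the
  other team's servers, that the design Jason describes is actually in effect:
    1. Windows Update is pointed at their WSUS by policy (GPO-written registry values).
    2. The SCEP client takes definition updates from WSUS first, not from ConfigMgr.
    3. The ConfigMgr client is present (needed for SCEP management).
  Assumptions: the expected WSUS URL is supplied by the caller; the SCEP registry
  path and FallbackOrder tokens below are assumptions to verify on your own clients.
#>
param(
    [Parameter(Mandatory)][string]$ExpectedWsusUrl   # e.g. http://wsus.example.local:8530 (placeholder)
)

$result = [ordered]@{}

# 1. WSUS assignment written by the "Specify intranet Microsoft update service location" GPO
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'
$wuServer    = (Get-ItemProperty -Path $wuPolicy -Name WUServer    -ErrorAction SilentlyContinue).WUServer
$useWuServer = (Get-ItemProperty -Path $auPolicy -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
$result['WUServer']         = $wuServer
$result['UseWUServer']      = $useWuServer
$result['WsusPointsAtTeam'] = ($useWuServer -eq 1) -and
                              ($wuServer -ieq $ExpectedWsusUrl.TrimEnd('/'))

# 2. SCEP definition-update source order. Prefer the Defender cmdlet where the module
#    exists, otherwise read the registry (path and value name are assumptions; see header).
$fallback = $null
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $fallback = (Get-MpPreference -ErrorAction SilentlyContinue).SignatureFallbackOrder
}
if (-not $fallback) {
    $sigKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    $fallback = (Get-ItemProperty -Path $sigKey -Name FallbackOrder -ErrorAction SilentlyContinue).FallbackOrder
}
$result['SignatureFallbackOrder'] = $fallback
# 'InternalDefinitionUpdateServer' is the token SCEP uses for a WSUS source (assumption);
# it should be first if the antimalware policy was set to prefer WSUS over ConfigMgr.
$result['WsusIsFirstDefSource'] = [bool]$fallback -and
                                  (($fallback -split '\|')[0] -eq 'InternalDefinitionUpdateServer')

# 3. ConfigMgr client present (CcmExec service) so the antimalware policy can be delivered at all
$ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
$result['CcmExecPresent'] = [bool]$ccm
$result['CcmExecStatus']  = if ($ccm) { $ccm.Status.ToString() } else { 'not installed' }

[pscustomobject]$result
```

Save it as a script and run it with the other team's WSUS URL as the argument. A server that matches the design returns `WsusPointsAtTeam`, `WsusIsFirstDefSource` and `CcmExecPresent` all `True`; a `False` in the second field usually means the custom antimalware policy has not been deployed to (or has not yet reached) that server's collection, and a `False` in the first means the servers are still getting their update location from somewhere other than the other team's GPO.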

All replies

  • Thanks Jason. Jorgen responded to this same query (posted on SCEP forum) along similar lines.

    So secondary site is out of the question. Implementing another primary site is out of the equation for us at this stage. That leaves us with using the existing primary site to rely on the custom client policies to manage the SCEP on those servers.

    Thanks again for your help.

    Tuesday, January 16, 2018 4:54 PM