locked
SCEP Definition Updates from WSUS RRS feed

  • Question

  • I am currently using ConfigMgr (SUP) for all update patching including SCEP definitions (the 3 times a day scenario) but I was wondering if I can configure the clients so they just get their SCEP definitions from a stand-alone WSUS yet continue to receive all other updates from ConfigMgr (SUP)? I've been successful with pointing the clients to Microsoft Update, Microsoft Malware Protection Center and UNC file shares by changing the Definition Update Source using a custom Antimalware Policy but I haven't figured out how to point the SCEP client to a WSUS server? There is a setting in the Antimalware policy to set the UNC path so I was expecting to see a setting to set the WSUS URL. It's hard for me to believe the SCEP client can't be independaly re-directed to a local WSUS since you can configure the SCEP client it to go directly to Microsoft or the Protection Center which is basically the WSUS mothership.   

      
    Thursday, April 2, 2015 2:47 PM

Answers

  • As far as I am aware a client can only be pointed to one update server, be it a WSUS or SUP server.
    • Proposed as answer by Joyce L Friday, April 3, 2015 7:44 AM
    • Marked as answer by Joyce L Friday, April 10, 2015 6:56 AM
    Thursday, April 2, 2015 3:31 PM
  • Richard's statement is correct (although clients never really point to a SUP, they use the WSUS instance that the SUP is installed on but that's mostly semantics here).

    This isn't about SCEP's ability to do anything, this is about the Windows Update Agent (WUA). SCEP simply relies on the WUA (just like ConfigMgr does) and it's the WUA that cannot be pointed to more than one update source.

    What's your end goal or reason for wanting to have separate sources?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Joyce L Friday, April 3, 2015 7:44 AM
    • Marked as answer by Joyce L Friday, April 10, 2015 6:56 AM
    Thursday, April 2, 2015 6:05 PM

All replies

  • As far as I am aware a client can only be pointed to one update server, be it a WSUS or SUP server.
    • Proposed as answer by Joyce L Friday, April 3, 2015 7:44 AM
    • Marked as answer by Joyce L Friday, April 10, 2015 6:56 AM
    Thursday, April 2, 2015 3:31 PM
  • Richard's statement is correct (although clients never really point to a SUP, they use the WSUS instance that the SUP is installed on but that's mostly semantics here).

    This isn't about SCEP's ability to do anything, this is about the Windows Update Agent (WUA). SCEP simply relies on the WUA (just like ConfigMgr does) and it's the WUA that cannot be pointed to more than one update source.

    What's your end goal or reason for wanting to have separate sources?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Joyce L Friday, April 3, 2015 7:44 AM
    • Marked as answer by Joyce L Friday, April 10, 2015 6:56 AM
    Thursday, April 2, 2015 6:05 PM
  • I understand that. I just assumed that since I can change the Definition Update Source and pull the definitions down from "Updates distributed from Microsoft Update" or "Updates distributed from Microsoft Malware Protection Center" or "Updates distributed from UNC file shares", all which worked fine for me providing the SCEP client (using WUA) can pull definitions down from a different source while all other updates come down normally via the SUP/WSUS, that the "Updates distributed from WSUS" option would allow a separate WSUS to work as well.

    Jason: You asked "What's your end goal or reason for wanting to have separate sources?"

    I would rather not discuss this via the forum so feel free to contact me at steve-carneol@uiowa.edu and we can continue this conversation and update the thread at a later time.

     
    Friday, April 3, 2015 12:46 PM