SCCM and WSUS Integration

UHampton asked:

Our current Architecture is as follows:

We have one Primary site located at our Data center, which also has our internet access for the company. We have multiple branch offices connected via T1s with Secondary Child sites at each.
The primary site server has WSUS installed on it and has the Software Update Point Role installed on it. Each secondary site has the management point role installed. We are trying to implement software updates via SCCM to the remote branch offices in a way that will minimize bandwidth on our WAN. Windows updates on the workstations are shut off.


1) How does the client at the branch offices communicate with WSUS for Windows updates?

2) Will it go through the management point, or will it go directly to the primary site at our data center?

3) My understanding is that clients will scan the primary site for updates and then report state messages to the management point. Once the needed updates are determined, will the client get the updates from the primary site, or will the primary download the needed updates to the management point, which will in turn be accessed by the client?

4) Is there any advantage to placing the Software Update Point Role on the secondary sites? I assume that the local clients will communicate with the secondary site directly instead of going back to the primary.

5) In this scenario, will clients always go to the SUP at the primary site when performing scans, or will they go to the SUP at the secondary site?

6) How do we force workstations to go to SCCM/WSUS for their Windows updates (i.e. is a GPO needed to shut it down, or does the SCCM client take care of this)?
Joseph Daly

Ok so here is my take on the situation.

1. You will need to re-enable automatic updates on the client; this is how they communicate with WSUS. Rather than going to Microsoft's website, you point them to your WSUS server with a GPO. See number 6.

2. Depending on how you have your WSUS configured, it could go to either. If you have only the main WSUS server they will go there, but if you configure the other servers to be downstream servers they will go to their local server.

3. Again, this depends on if you use a downstream server. If you don't use a downstream server, the updates will come from the main server. If you do use the downstream server, then the updates will be downloaded one time to the downstream server and then pushed out from there.

4. You are correct; this should decrease your bandwidth usage and give your clients a local install source.

5. I'm not 100% sure on this, but I believe it will go to the local server at the site, and you can configure those servers to update the main server with their status.

6. You can use a GPO in order to point your clients to the correct servers.
ASKER CERTIFIED SOLUTION
JonLambert
Al-Qadri

How can one be sure that clients are going to the SUP and not to the primary site? I have SCCM/WSUS set up in a primary site, and at my remote sites I have BDP/SUP/DP roles on the machines. I also have the WSUS console on those machines. For some reason, clients continue to come to the main site for updates. What am I doing wrong here?
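An added example, not part of any post in this thread, that addresses both Joseph Daly's point 6 (pointing clients at WSUS through policy) and the question above (confirming which server a client actually uses). It reads the Windows Update policy values on a client and the server that the ConfigMgr client last handed to the Windows Update Agent. The registry value names are the standard WSUS policy settings; the log path and the two log phrases matched are assumptions based on the WUAHandler.log format as I know it, so adjust them if your client version logs differently.

```powershell
# Added example: report where a client is pointed for updates and which
# WSUS/SUP the ConfigMgr client last enabled. Run on the client as an
# administrator (locally or via Invoke-Command).

function Get-WsusClientConfig {
    # Policy keys written by a domain GPO, or by the ConfigMgr client as local policy.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer         # intranet server the agent scans against
        WUStatusServer = $wu.WUStatusServer   # server that receives client status
        UseWUServer    = $au.UseWUServer      # 1 = use the intranet server above
        NoAutoUpdate   = $au.NoAutoUpdate     # 1 = Automatic Updates disabled
    }
}

function Get-WuaHandlerServer {
    # Assumption: the ConfigMgr client log lives under %windir%\CCM\Logs.
    param([string]$LogPath = (Join-Path $env:windir 'CCM\Logs\WUAHandler.log'))
    if (-not (Test-Path $LogPath)) { return $null }

    # Assumption: these two phrases match the lines the client writes when it
    # enables a server and when a domain GPO overrides that setting. The log is
    # in CMTrace format, so the URL is followed directly by ']LOG]!>' with no
    # whitespace; the capture group stops at the closing bracket.
    $enabled  = Select-String -Path $LogPath `
        -Pattern 'Enabling WUA Managed server policy to use server: ([^\s\]]+)' |
        Select-Object -Last 1
    $override = Select-String -Path $LogPath `
        -Pattern 'overwritten by a higher authority' |
        Select-Object -Last 1

    [pscustomobject]@{
        SupFromLog       = if ($enabled)  { $enabled.Matches[0].Groups[1].Value } else { $null }
        GpoOverrideSeen  = [bool]$override
        LastOverrideLine = if ($override) { $override.Line } else { $null }
    }
}

Get-WsusClientConfig | Format-List
Get-WuaHandlerServer | Format-List
```

Reading the output: WUServer is the server the Windows Update Agent actually scans against, so if it names the primary site's WSUS rather than the SUP expected at the branch, the client is not using the local SUP regardless of which roles are installed there. A GpoOverrideSeen of $true means a domain GPO is setting a different server than the one the ConfigMgr client tried to enable, and the two sources of policy need to be reconciled before the client will behave as intended.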

I regret to say that my original post has some misinformation. Though I was led to believe that clients will go to a local passive SUP to download their scan package, this (as far as I've been able to prove) is incorrect, and clients will only go to an active SUP. The only purpose of a passive SUP is to act as a fallback in case the active SUP fails. My sincere apologies for this incorrect information.

JonLambert: I have a question about your clarification: Does this mean I will not be able to push update lists from the Primary Site server to the Secondary Site servers? Or will each Secondary Site server have to host its own Active SUP? Can I do that? My architecture is similar to that of the original poster, UHampton. Additionally, does each Secondary Site server require a full, but non-configured WSUS install? That is, do I install WSUS on the Secondary Site server and let SCCM manage it, as per the Primary Site instructions. Thanks.