Re-use a WSUS-SCCM integrated server for manual patches

Hello! :)

In our environment we have an SCCM Current Branch Primary Site Server integrated with a WSUS server in our data center to retrieve Microsoft security patches.

We have several geographically distributed locations where we have a lot of computers not being administered by SCCM due to business needs.

Recently we were given the task of providing some power users with the capability to update the computers that are not SCCM clients with Microsoft Security patches at their convenience.

I want to re-use the existing central WSUS "SCCM-integrated" server so that, in addition to being used by SCCM, it is also capable of acting as an upstream server for this manual patching process, and then configure additional downstream WSUS servers connected to it at each large site to relieve traffic on the WAN links.

Is this solution possible (having an existing WSUS "SCCM-integrated" server both be used by SCCM and also be capable of acting as an upstream server for a manual patching process)... or should a separate server be set up and configured to be the upstream WSUS server for the manual patching process?

Fernando Monter asked:

Mike T (Leading Engineer) commented:

I am not sure "upstream" is being used in the right context here. Normally (forget SCCM), you have an Internet-connected server that has the WSUS role installed. This is the master source for patches. You can install a second server, add the WSUS role to it and then point THAT to the first server, which is upstream.

It is a simple Father-son setup. Is that what you mean?

If you do, then those PCs need a GPO to point to the son WSUS box only, so they will need a separate OU to avoid mixing up with the managed clients (CM machines). There is NO GPO for those.

If on the other hand you mean totally manual - running patch installs by hand, then none of this matters. You can just share the WSUS folder, but depending on your security needs that might not be allowed! In that case creating a share with patches on a new server is best.

I hope I've understood what you were after.


Fernando Monter (Author) commented:
Hi Mike! Thank you for your interest in our case.

Perhaps I did not explain myself very well hehe... In our central installation we have an SCCM primary server that is integrated with a WSUS that lives on another server. This WSUS is only used to synchronize information from the Microsoft web site and show it in the SCCM console.

Later on we select what patches we want to download for our environment through the SCCM console, not through the WSUS console, and then we deploy the selected patches to the environment's SCCM clients.

In this case, in our environment we also have non-SCCM clients and the business wants to have a way to patch them as well, but they refused to install the SCCM client on them.

That being said, the other alternative we thought of is configuring these non-SCCM clients - through registry key manipulation - to download them from WSUS when someone manually wants to search for and install security patches.

I hope this explanation was better than my previous one hehe... Now, I think the questions might be:

Can we download the patches from the Microsoft web site by using the central WSUS that is integrated with SCCM - and store them on this WSUS server - as a separate process from what we do with SCCM and without causing any disruption or misconfiguration? ... and can we configure this SCCM-integrated WSUS server to feed the information downstream to distributed WSUS servers?

... or should our approach be to build a new central and "clean" WSUS server to use for this purpose and sync this new server to the distributed WSUS servers?

Again, thanks much for your interest in our case :)
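The "registry key manipulation" mentioned above amounts to writing the same values that the GPO "Specify intranet Microsoft update service location" sets. The script below is an added example, not code from the thread or from either participant; the WSUS URL and the target-group name are assumptions. It configures a non-SCCM Windows client to scan against an intranet WSUS server without installing anything automatically, and reads the result back so the change can be verified.

```powershell
# Added example (not from the thread): point a Windows client that is not an SCCM
# client at a WSUS server by writing the registry values that the GPO
# "Specify intranet Microsoft update service location" would otherwise set.
# The server URL and target group below are assumptions, not values from the thread.
param(
    [string]$WsusUrl     = 'http://wsus-site1.corp.example:8530',  # assumed downstream server
    [string]$TargetGroup = 'ManualPatching',                         # assumed WSUS computer group
    [switch]$Verify                                                  # only read back, change nothing
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Set-WsusClientPolicy {
    param([string]$Url, [string]$Group)

    if ($Url -notmatch '^https?://[^/]+(:\d+)?/?$') {
        throw "WsusUrl must look like http(s)://host[:port], got '$Url'"
    }
    if ($Url -like 'http://*') {
        Write-Warning 'WSUS over plain HTTP; prefer https://host:8531 once the server has a certificate.'
    }

    New-Item -Path $auKey -Force | Out-Null   # creates the parent WindowsUpdate key as well

    # Where the client fetches approvals and updates, and where it reports status.
    Set-ItemProperty -Path $wuKey -Name WUServer       -Value $Url -Type String
    Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $Url -Type String

    # Client-side targeting: the WSUS admin approves updates per computer group.
    Set-ItemProperty -Path $wuKey -Name TargetGroupEnabled -Value 1      -Type DWord
    Set-ItemProperty -Path $wuKey -Name TargetGroup        -Value $Group -Type String

    # Use the intranet server instead of Microsoft Update, but do not auto-install:
    # the power users scan and install by hand at their convenience.
    Set-ItemProperty -Path $auKey -Name UseWUServer  -Value 1 -Type DWord
    Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 1 -Type DWord

    # The Windows Update Agent reads the policy when the service starts.
    Restart-Service -Name wuauserv -Force
}

function Get-WsusClientPolicy {
    # Reads back the effective values; Configured is $true only when the client
    # will actually talk to an intranet server rather than Microsoft Update.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer     = $wu.WUServer
        TargetGroup  = $wu.TargetGroup
        UseWUServer  = $au.UseWUServer
        NoAutoUpdate = $au.NoAutoUpdate
        Configured   = ($au.UseWUServer -eq 1) -and -not [string]::IsNullOrEmpty($wu.WUServer)
    }
}

if (-not $Verify) {
    Set-WsusClientPolicy -Url $WsusUrl -Group $TargetGroup
}
Get-WsusClientPolicy
```

Run it from an elevated prompt; `-Verify` only prints the current state. Two checks worth doing: after the service restart, "Check for updates" in Settings (or `wuauclt /detectnow` on older clients) should cause the machine to appear under the named computer group in the WSUS console, and if the machine sits in an OU that already receives a Windows Update GPO, Group Policy will overwrite these values at the next refresh, which is why a separate OU for the non-SCCM machines was suggested earlier in the thread.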

Mike T (Leading Engineer) commented:

Thanks for the clarification. That does make things simpler.
The short answer is yes, create a brand new WSUS instance and point it at the original one.

Note, I would ask what objection the customer has to putting the SCCM agent on the machines. It is harmless on its own and won't do anything to the other PCs unless you a) create a boundary and b) add them to a collection. You have to do deliberate acts.
The second big point I would make is that WSUS has very basic reporting. One major reason to use SCCM just for patching alone is the reporting. That's all some firms use it for.

I admit I am biased as an SCCM admin but it's a fact you can't escape.
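The "create a brand new WSUS instance and point it at the original one" step, as an added example (not code from the thread or from either participant): install the role on a fresh server and make it a downstream of the existing central server using the UpdateServices module that ships with the role. Host names, ports and the content path are assumptions. One caveat a practitioner would want: with `-Replica` the new server inherits approvals from upstream, but the asker's central server is administered from the SCCM console rather than the WSUS console, so a replica may have nothing to inherit; leaving `-Replica` off makes the downstream autonomous, so approvals for the manual-patching groups are made on it directly.

```powershell
# Added example (not from the thread): install WSUS on a fresh server and make it a
# downstream of an existing WSUS server. Host names, ports and the content path are
# assumptions, not values from the thread.
param(
    [string]$UpstreamServer = 'wsus-central.corp.example',  # assumed upstream host
    [int]   $UpstreamPort   = 8530,                          # 8530 = HTTP, 8531 = SSL
    [switch]$UpstreamUseSsl,                                 # upstream configured for SSL
    [switch]$Replica,                                        # inherit approvals from upstream
    [string]$ContentDir     = 'D:\WSUS'                      # assumed local content path
)

# 1. Role with the WID database and the console/PowerShell tools.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools | Out-Null

# 2. Post-install: creates the database and the content directory.
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'
& $wsusUtil postinstall "CONTENT_DIR=$ContentDir"

# 3. Synchronize from the upstream WSUS server instead of Microsoft Update.
#    Without -Replica the server is autonomous and approvals are made locally.
$syncArgs = @{ UssServerName = $UpstreamServer; PortNumber = $UpstreamPort }
if ($UpstreamUseSsl) { $syncArgs.UseSsl  = $true }
if ($Replica)        { $syncArgs.Replica = $true }
Set-WsusServerSynchronization @syncArgs

function Get-WsusDownstreamState {
    # Reads the effective configuration back from the local server so the
    # upstream relationship and the last sync result can be checked.
    $wsus = Get-WsusServer
    $cfg  = $wsus.GetConfiguration()
    $sub  = $wsus.GetSubscription()
    [pscustomobject]@{
        Upstream     = $cfg.UpstreamWsusServerName
        UpstreamPort = $cfg.UpstreamWsusServerPortNumber
        UseSsl       = $cfg.UpstreamWsusServerUseSsl
        IsReplica    = $cfg.IsReplicaServer
        FromMU       = $cfg.SyncFromMicrosoftUpdate   # expected $false for a downstream
        SyncStatus   = $sub.GetSynchronizationStatus()
        LastResult   = $sub.GetLastSynchronizationInfo().Result
    }
}

# 4. First synchronization: metadata comes from the upstream server.
$subscription = (Get-WsusServer).GetSubscription()
$subscription.StartSynchronization()
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    Start-Sleep -Seconds 30
}
Get-WsusDownstreamState
```

The downstream needs TCP 8530 (or 8531 with `-UpstreamUseSsl`, in which case it must also trust the upstream's certificate) open to the central server, and the site's clients need the same port open to the downstream. If `LastResult` is not `Succeeded`, the upstream name, port and SSL setting are the first things to check in the output above.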



Fernando Monter (Author) commented:
Thanks for your input Mike!