SUP separate WSUS

Hello everyone
Just one question.
WSUS is mandatory to install SUP in SCCM 2012 R2. My question is: we already have a WSUS server, can I install the SUP and the WSUS on different servers? Or is the WSUS Administration Console enough?

Hi,
Here is a similar post for your reference.
SCCM 2012 Remote WSUS Server, SUP Not Working
http://social.technet.microsoft.com/Forums/en-US/69f6b512-7337-42b5-8bcc-d1683e349893/sccm-2012-remote-wsus-server-sup-not-working?forum=configmanagergeneral

Similar Messages

  • Best Practice for SUP and WSUS Installation on Same Server

    Hi Folks,
    I have a question. I am in the process of deploying SCCM 2012 R2... I was in the process of deploying a Software Update Point on SCCM with one of the existing WSUS servers installed on a separate server from SCCM.
    A debate has started with one of the colleagues, who says that using a remote WSUS server is recommended by Microsoft because of scalability and security: WSUS will be downloading the updates from Microsoft and SCCM should be working as a downstream server to fetch updates from the WSUS server.
    But according to my consideration it is recommended to install the WSUS server on the same server where SCCM is installed... actually it is recommended to install WSUS on a site system and you can use the same SCCM server to deploy WSUS.
    Please advise me on the best practices for deploying SCCM and WSUS... what does Microsoft say about WSUS being installed on the same SCCM server, OR should WSUS be on a separate server than the SCCM server???
    Awaiting your advice ASAP :)
    Regards, Owais

    Hi Don,
    thanks for the information, another quick one...
    the above mentioned configuration I did is correct in terms of planning and best practices?
    I agree with Jorgen, it's ok to have WSUS/SUP on the same server as your site server, or you can have WSUS/SUP on a dedicated server if you wish.
    The "best practice" is whatever suits your environment, and is a supported-by-MS way of doing it.
    One thing to note, is that if WSUS ever becomes "corrupt" it can be difficult to repair and sometimes it's simplest to rebuild the WSUS Windows OS. If this is on your site server, that's a big deal.
    Sometimes, WSUS goes wrong (not because of ConfigMgr).
    Note that if you have a very large estate, or multiple primary site servers, you might have a CAS, and you would need a SUP on the CAS. (this is not a recommendation for a CAS, just to be aware)
    Don

  • SCCM SUP Downstream WSUS Server not getting EULA's

    Hi,
    We have two SUPs in geographically separate areas.  Our SUPs report that they're replicating successfully, and I can see that updates are syncing between the two servers.  My issue is with the 2nd SUP, in which WSUS is downstream to the Primary SUP.
    Any clients that connect to this SUP for updates might receive events in the WindowsUpdate.log file about being unable to download the EULAs for updates.  When I browse to the WSUS site, I get a 404.  When I view the d:\wsus\wsuscontent folder, it's empty.
    On the primary SUP/WSUS server, the WsusContent folder is full of EULAs.  I'm not seeing any errors anywhere in the logs I've looked at.
    Does anyone know the log files I can check, or might know a solution to this issue?
    Thanks!

    Hi,
    Have you seen this thread?
    SCCM 2012 SP1 Multiple SUP - WsusContent folder empty on secondary SUP
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/77d9203f-265e-4b99-ade4-37d77a64af44/sccm-2012-sp1-multiple-sup-wsuscontent-folder-empty-on-secondary-sup?forum=configmanagersecurity

  • SUP and WSUS on the same server.

    Hi,
    My SCCM environment as follows:
    Windows Server 2012 R2 Standard, Configuration Manager 2012 R2, SQL 2012 SP1 CU7
    WSUS 6.3.9600.163.84. All of these are running on the same server.
    SCCM SUP role is enabled, WSUS using SQL Express database. This is Central and Primary site server as well.
    Issue is:
    1. SUP does not get updates. SUP is configured to get updates from the Internet and the WSUS console Sync options are pointing to its own server name. I tried to change the WSUS console sync option to Internet a couple of times but it looks like WSUS changes this back.
    2. I want to use WSUS/SUP for SCCM Endpoint definitions update and also for patch installation for clients (Clients Windows update pointing to this server)

    What do you mean that this is a Central and Primary site server? Those two roles can not be installed on the same site server.
    When it comes to SUP in ConfigMgr, the installation process on WS 2012 is basically this:
    1. Install the Windows Server Update Services role, run the initial configuration wizard.
    2. Install a SUP site system role on the server and let ConfigMgr configure everything.
    Additionally I'd not run a SQL Express for the WSUS since you already have SQL installed. Instead I'd create the SUSDB on the same SQL server that you're running the ConfigMgr DB on.
    In my prerequisites installation tool, all you need to do is to open a PowerShell console, run the tool and click on the Install WSUS button, specify the SQL Server and the tool will automatically configure everything. When the tool has completed, you can go ahead and add the SUP from ConfigMgr and configure it from the ConfigMgr console.
    You'll find the tool here:
    http://gallery.technet.microsoft.com/ConfigMgr-2012-R2-e52919cd
    Regards,
    Nickolaj Andersen | www.scconfigmgr.com | @Nickolaja

  • SCCM 2012 SP1 - Multiple SUP - common WSUS DB

    Hello,
    Is it supported / recommended to share a common WSUS DB for multiple WSUS / SUP roles?
    If yes, how do I perform a clean deployment of an additional SUP, dealing with additional KB requirements? The following article explains the problem but the solution looks very complex: http://scug.be/sccm/2012/10/03/configmgr-2012-sp1-installing-multiple-software-update-points-per-single-primary-site-and-use-a-single-shared-wsus-database-on-your-sql-cluster/
    I tried to test this procedure in my test environment but it broke WSUS, which now refuses to sync with Microsoft (can't establish SSL connection).
    I have not been able to find any official Microsoft setup guide for this.
    As an alternative, is it possible to sync additional SUPs as downstream servers with the first one? I ask because I use SCUP, and I don't want to maintain multiple WSUS environments.
    Regards.

    Hi.
    We have the same problem with our WSUS 3.0 SP2 installation, when I install WSUS on an SCCM 2012 server in the "Secondary Site".
    That server is in a different domain (one way Trust), but I have logged on to that server with a specific account from the Top Domain that has Owner rights on the existing DB. The installation connects successfully to the DB, and on the next window I get the error "The existing DB is not compatible with this version of Windows Server Update Services 3.0 SP2"
    The first two WSUS installations in the "Top" domain worked just fine.
    Does anyone have an idea?

  • SUP and WSUS

    Hi everyone,
    I have an issue with SCCM 2012 R2 and the windows updates.
    In SCCM, I created several software update groups (and packages) to manage the deployment of the updates on Windows 7 OS.
    I have not deployed any of them yet to any collection but if I "Check the updates" from the Control Panel, Windows Updates, I get a list of updates to install.
    Is that a normal behavior ?
    I thought I shouldn't see any updates since they are not deployed.
    Moreover if I try to install them, they are directly downloaded from my SUP and not from the Distribution Point so.
    Have you already had the same issue ?
    Should I reinstall the software update point and WSUS?
    Thank you.

    It sounds like the WSUS server might have been used to deploy updates outside of ConfigMgr.
    Can you verify the following:
    The client is configured to use the right WSUS Server (might be a GPO that points to an old WSUS Server)
    There are no released updates on the WSUS Server (it should all be managed from ConfigMgr and not WSUS)
    If you're using an old WSUS Server that was previously used to deploy patches outside of ConfigMgr, I'd recommend that you install (or re-install) a new WSUS Server and use that.
    Ronni Pedersen | Microsoft MVP - ConfigMgr | Blogs: www.ronnipedersen.com/ and www.SCUG.dk/ | Twitter @ronnipedersen

  • SUP for WSUS gradually

    Hi,
    We are using SCCM 2007 SP2 R3 for managing our environment. However, we still do updates through WSUS.
    I wanted to try out SCCM 2007 for handling updates.
    What I need is to be able to choose, let's say, some servers to update through SCCM first, and if all goes well and according to plan then we will move our client base to be updated through SCCM as well.
    Any idea how I could accomplish this phased approach to get SUP into our environment and replace WSUS eventually?
    Thanks in advance

    It doesn't conflict, it overwrites because ConfigMgr sets a local group policy and domain group policies overwrite/override local group policies. There's nothing wrong with doing this though if it's what you want to happen.
    Now, if the domain group policy contains the same WSUS server as what the ConfigMgr agent sets in the local group policy, then everybody is happy. However, if they don't match, then the ConfigMgr agent sees this and stops all software update processing.
    This is exactly what you were asking about and so meets your desired outcome.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • WSUS vs SCCM SUP - What is the point of changing? Pros and Cons of both

    Hi,
    I have been using WSUS forever and have just made a very painful change over to SCCM 2012 SUP. In a room full of experienced WSUS users and facing a handover of SCCM SUP, I really need to have this question answered - What, if any, are the advantages of SCCM2012 SUP over WSUS? It's certainly not ease of use, ease of implementation or understandability.
    Even if I accept that yes, they are two different things now and I shouldn't think of SCCM as being like WSUS, I still have to compare and contrast, honestly, what they do and how they do it.
    WSUS is ridiculously easy in comparison to SUP. With WSUS, I install it, create some GPOs and assign to OUs. I create security groups and add the servers in scope to those groups and those security groups to the policy. I have different groups set up to keep separation of DCs and APP servers and SQL and SCCM and Antivirus servers and workstations.
    If needs be I have a text list of all my servers/workstations and can individually target using PSEXEC to run wuauclt on any number of clients. It works great and is easily understandable.
    Now, enter SCCM 2010 and SUP.
    The first thing I HAD to know was the last thing I learned. And not from Microsoft. That is that there is really only one method now, imposed by limitations on Software Update Groups and Deployment packages. You can only create a package of 1000 or less updates.
    This means chopping up your historic updates and having them deployed as a separate strategy from your newer update cycles.
    Secondly, every month from now on you will need to create and sort your updates into a meaningful Update Group and Deployment package - even if you set up an Automatic Deployment rule, you still need to manually create your Update Groups.
    You can only have one deployment package per update group and will need one software update group per "type" of install (Available or Required) AND you will need one software update group and deployment package PER COLLECTION!
    To make this work as simply as possible, it will mean having two collections, Available and Required (for example).
    Each collection will have a SUG associated with it (each with a limit of 1000 updates, remember). Each group of circa 1000 updates takes about 2+ hours to compile and you will have a minimum of 5 groups per collection to get up to October 2014.
    After this your ADRs should now do it all for you but lack the ability to create update groups, so you have to do this manually every month beforehand. Whew!!
    Thirdly, in the background, WSUS still downloads metadata. In SCCM you should be pointing every update group manually to this folder. Same with Deployment packages and ADRs. Why is this not built-in - intuitive? These are then copied and downloaded as full packages into their respective (manually) created source folders.
    Now, when updates expire or are superseded, you have to manually replace them from each SUG.
    And also quite a big thing I haven't heard anyone else comment on is the fact that these updates are now NOT shown in the Windows Update feature - they now appear in the Software Center - so now the servers I sent "Available" updates have to be logged onto and manually installed - instead of being able to individually target them like I did with PSEXEC and wuauclt.
    And logging?? There are at least 100 different logs to look at using the Trace Log Tool. It's a full time job just figuring out what logs to look at to resolve any problems.
    This is, in my opinion, a really poor effort and the documentation is wildly inconsistent across many forums.
    Some kind of standard document is needed. And I say this after having followed Microsoft's own documentation and using TechNet forums.
    I, for one, just need one BIG question answered for now - how do I remove the SCCM SUP client and revert back to wuauclt on all my clients - if I remove SUP from SCCM will it remove the client from the clients?

    HI Jason,
    I have spent a long time trying to get this to work. My requirements are to have WSUS deploy updates automatically with as little intervention as possible and to be able to explain and show the process to others who will administer the system long after I've gone.
    The reason I still have to think of things in the WSUS way is that I have a broken update infrastructure that doesn't do what my requirements are. So I now currently need to log into all my "Available" servers to update them manually instead of being able to remotely execute the updates. I'll look at the SDK but this is the first time I've heard of it.
    From the top - yes I agree that's a typo, it's Update Groups that can only have 1000 updates. Do you agree that this causes a problem for this scenario? Updates since before 2013 amount to several thousand and so I have to break these up into groups of 1000 - one each for Available and Required groups. That means 8 groups straight away.
    Having to cater for these historic updates means painfully waiting 2 hours or so for each package to be created. I've done this already and it's not pretty but it's essential (unless I'm doing it wrong but I am following TechNet forums).
    My ADRs will absolutely not create the Update Groups and the docs I have read also say that this is a manual monthly process - Create a Group every month and then use an ADR to use that group - is that not correct?
    Update groups - you are mixing my words up and saying the same thing in a different way - "Update groups can absolutely have multiple deployments targeted to different collections" change the "can" for a "must" and you see my problem. You cannot create a single Update Group, package it up and then deploy it to both Available and Required groups. You need two update groups for this. One for Available and one for Required.
    Metadata - OK then what is it that WSUS downloads to E:\WSUS\WsusContent\...  ? And why is this to be set as the download location for any Update Group, Deployment Package or ADR?? I have to create or select a deployment package which is another manually created folder under "sources" for which the download location is set to my WSUS folder. This doesn't work unless I set my download location to Microsoft. But WSUS should already have synced in the background to WsusContent so why would I want to download from Microsoft? And I only want to actually download the "approved" packages. So as far as I'm aware the WSUS\WsusContent folder only contains metadata which is not downloaded until required. Am I wrong? What/who/how downloads the binaries and when?
    Lastly, what doesn't make sense? The goal used to be automation. If and when I needed to, I used to be able to manually intervene for single or multiple devices using PSEXEC to run wuauclt. With SCCM I can see, for example, 2x non compliant devices just now.
    In the old days I would just psexec onto them and run wuauclt. In SCCM I err... Hmmm.. what? What do I do? Will look at the SDK.
    Just one other thing - is there no way at all to continue to use the Windows Update control panel and have it show the same available updates as Software Centre? Why can SCCM not just work like Windows Update does? If I run Windows Update on any server it says up to date but if I go to Microsoft to check it always comes back with updates.
    I just want my internal SCCM SUP to work the same way Microsoft updates works for an internet connected computer. Completely automatic. No intervention. My group of Available servers I would like to be able to remotely and individually install from either a central console or a script. Again, I will look at the SDK for this.
    Thanks for your reply and advice. I'll give it one more week. ;-)

  • SUP sync problem: Category products not found on WSUS

    Hello,
    Updates stopped working suddenly for clients, and the clients reported back with message: "Client check passed/Active".
    I can't say much about it because I have to be honest, I didn't do much troubleshooting.
    I went straight to re-configuration of SUP/WSUS.
    So I removed the SUP CM role, and WSUS and re-installed everything again.
    I did this several times now and followed similar procedures, but slightly different.
    Basically:
    Remove SUP
    Remove WSUS
    Restart
    Install WSUS
    Install the two famous updates
    Restart
    Add SUP role
    Environment (one machine):
    Server: 2008 R2
    SCCM: 2012 SP1 - 5.0.7804.1000
    WSUS 3.0 SP2 with both KB's
    Syncing doesn't work.
    From the wsyncmgr.log I'd say that SCCM is unable to communicate with WSUS.
    From the wcm.log I'd think that Category Products are enabled on SCCM which cannot be found on WSUS, which I find a strange reason to block the whole updating process but who am I to criticize. :-)
    The problem is that I can't find these products in SCCM, let alone disable.
    I really hope someone can help me out with this as this is starting to drive me crazy.
    Also tried to run the WSUS configuration wizard partially until the products but that didn't help either.
    Each time I restart the whole configuration, when I add the SUP role it seems to remember my settings. Is there a proper way to completely remove SUP?
    WCM.log:
    Category Product:70cfad70-6629-b54b-5819-c809a605515e (Adobe Flash Player) not found on WSUS  SMS_WSUS_CONFIGURATION_MANAGER  13/12/2013 15:32:12  5572 (0x15C4)
    Category Product:e1d507be-497c-d8fd-61d7-b0d93ee399ca (Adobe Reader) not found on WSUS  SMS_WSUS_CONFIGURATION_MANAGER  13/12/2013 15:32:12  5572 (0x15C4)
    Subscription contains categories unknown to WSUS.  SMS_WSUS_CONFIGURATION_MANAGER  13/12/2013 15:32:12  5572 (0x15C4)
    Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error  SMS_WSUS_CONFIGURATION_MANAGER  13/12/2013 15:32:12  5572 (0x15C4)
    WSYNCMGR.log:
    Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync  SMS_WSUS_SYNC_MANAGER  13/12/2013 15:37:12  5660 (0x161C)
    STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SVCMSS001.mobilebelgium.be SITE=PS1 PID=5216 TID=5660 GMTDATE=Fri Dec 13 14:37:12.547 2013 ISTR0="CWSyncMgr::DoSync" ISTR1="WSUS server not configured. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  SMS_WSUS_SYNC_MANAGER  13/12/2013 15:37:12  5660 (0x161C)
    Sync failed. Will retry in 60 minutes  SMS_WSUS_SYNC_MANAGER  13/12/2013 15:37:12  5660 (0x161C)

    After 3 days of screwing around and one afternoon being sure it's related to the two category updates, I have been able to find a way to fix this situation. Not sure if it's the correct way, but it IS a way.
    I'd still be grateful if anyone can explain how it could happen, since this fix is not really supported I guess.
    But here is what was wrong.
    At a certain point in those 3 days I was getting the following error in WSYNCMGR.log:
    Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync  SMS_WSUS_SYNC_MANAGER  08/12/2013 23:40:04  4720 (0x1270)
    I went into the DB, in the CI_UpdateSources table and changed the value for IsExpired from True to False.
    Then I got the error from my original post:
    Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync
    I made sure all category products were disabled (I think they were at this time) and went in the DB to the table CI_UpdateCategorySubscription and found that there were two rows with IsSubscribed set to True. What a coincidence: the error in WCM.log gave two category products that could not be found in WSUS.
    I went ahead and set them to False and there you go, sync is doing fine now.
    Now I'm going to enable some products and check if sync is still ok, and ultimately check if clients receive the updates.
    Questions are:
    How could this UpdateSource be flagged as Expired?
    How are those two Subscriptions enabled?
    The SUP and WSUS have been removed and re-installed at least 3 times or so.
    Cheers, hope this can help someone else!
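A read-only way to pull the offending category GUIDs and error codes out of the logs quoted in the post above, as an added example that is not part of the original thread. It assumes the raw on-disk line format (`message  $$<component><date time+bias><thread=N (0xHEX)>`) seen in the WCM.log excerpt elsewhere on this page; the sample lines are constructed from the quoted messages, and all function names are hypothetical.

```python
import re
from datetime import datetime

# Raw server-log entry (assumed format):
#   <message>  $$<COMPONENT><MM-dd-yyyy HH:mm:ss.fff+bias><thread=N (0xHEX)>
ENTRY_RE = re.compile(
    r"^(?P<msg>.*?)\s*\$\$<(?P<component>[^>]*)>"
    r"<(?P<stamp>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{1,6})(?P<bias>[+-]\d+)>"
    r"<thread=(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)>\s*$"
)
CATEGORY_RE = re.compile(
    r"Category Product:(?P<guid>[0-9A-Fa-f-]{36}) \((?P<name>[^)]*)\) not found on WSUS"
)
# Matches both "Error:(-2147467259)" and "error = 0x80131509".
ERROR_RE = re.compile(r"[Ee]rror\s*[:=]\s*\(?(0x[0-9A-Fa-f]+|-?\d+)\)?")

# Constructed sample: messages from the post, trailer values made up to fit the format.
_WCM = "  $$<SMS_WSUS_CONFIGURATION_MANAGER><12-13-2013 15:32:12.101-60><thread=5572 (0x15C4)>"
_SYNC = "  $$<SMS_WSUS_SYNC_MANAGER><12-13-2013 15:37:12.547-60><thread=5660 (0x161C)>"
SAMPLE_LINES = [
    "Category Product:70cfad70-6629-b54b-5819-c809a605515e (Adobe Flash Player) not found on WSUS" + _WCM,
    "Category Product:e1d507be-497c-d8fd-61d7-b0d93ee399ca (Adobe Reader) not found on WSUS" + _WCM,
    "Subscription contains categories unknown to WSUS." + _WCM,
    "Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error" + _WCM,
    "Sync failed: WSUS server not configured. Please refer to WCM.log for "
    "configuration error details.. Source: CWSyncMgr::DoSync" + _SYNC,
]


def hresult_hex(message):
    """Return the error code in a message as unsigned 32-bit hex, or None."""
    m = ERROR_RE.search(message)
    if not m:
        return None
    text = m.group(1)
    value = int(text, 16) if text.lower().startswith("0x") else int(text)
    return "0x%08X" % (value & 0xFFFFFFFF)  # signed decimal -> HRESULT form


def iter_entries(lines):
    """Yield parsed entries; lines without a trailer are joined to the next line."""
    pending = []
    for raw in lines:
        if not raw.strip():
            continue
        pending.append(raw.strip())
        m = ENTRY_RE.match(" ".join(pending))
        if not m:
            continue  # wrapped entry: keep collecting until the trailer shows up
        pending = []
        yield {
            "message": m.group("msg"),
            "component": m.group("component"),
            "time": datetime.strptime(m.group("stamp"), "%m-%d-%Y %H:%M:%S.%f"),
            "bias": int(m.group("bias")),  # kept as written, not interpreted here
            "thread": int(m.group("tid")),
        }


def triage(lines):
    """Summarise why WSUS configuration or sync is failing, from log lines only."""
    report = {"entries": 0, "unknown_categories": {}, "hresults": [], "sync_blocked": 0}
    for entry in iter_entries(lines):
        report["entries"] += 1
        msg = entry["message"]
        cat = CATEGORY_RE.search(msg)
        if cat:
            report["unknown_categories"][cat.group("guid").lower()] = cat.group("name")
        code = hresult_hex(msg)
        if code and code not in report["hresults"]:
            report["hresults"].append(code)
        if "WSUS server not configured" in msg:
            report["sync_blocked"] += 1
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for guid, name in result["unknown_categories"].items():
        print("subscribed but unknown to WSUS:", guid, name)
    print("error codes:", result["hresults"], "| blocked syncs:", result["sync_blocked"])
```

The GUIDs it reports are the subscribed categories that WSUS does not know about, which is the list to take to the SUP product settings or to a support case.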

  • SCCM / SUP / WSUS

    Looking for some clarification on SCCM 2012 and WSUS integration.  I was not the person that set this site up and am coming in trying to get everything cleaned up.  The setup is a single Windows Server 2008 R2 with SCCM 2012, SUP, and WSUS 3.0.  The server has a direct connection to the internet.
    When I log in to SCCM and check the "Software Update Point Component Properties" the option to synchronize from Microsoft update is checked.  All of the PCs on the domain seem to be updating OK.
    When I log in to the WSUS console it shows over 4000 updates awaiting approval.
    To me it seems like SCCM is bypassing WSUS entirely and just downloading the Windows updates directly from MS and pushing them out to the domain.  WSUS does not appear to actually be doing anything at this point.
    My question - is the WSUS role even required at this point with SCCM directly updating from MS?
    Secondary question - If the WSUS role is required for the updates still, does it harm anything to not have SCCM and WSUS synced?

    First question: Yes, WSUS is required. ConfigMgr uses the metadata of WSUS. Also, the clients will still be scanning against WSUS, but based on the deployments sent out by ConfigMgr.
    Second question: Once configured ConfigMgr will automatically sync WSUS. You can see that on things like the configured products and categories. One thing you won't see are updates approved in WSUS.
    Also, when you are using ConfigMgr for deploying updates, you should stop touching the WSUS console.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • SCCM 2012 on Server 2012 and WSUS 3.0 SP2 on Server 2008

    We are installing SCCM 2012 SP1 fresh into our development environment - the primary site server and the database (SQL 2012) are both being installed on Server 2012.
    We have an existing WSUS box on a Windows 2008 (not R2) server - the WSUS server version is 3.2.7600.256.  We have set this up as the software update point.
    For the purposes of this discussion, these are the server names (obviously obfuscated):
    Primary site server:  sccm.domain.local
    Database server:  sccmdb.domain.local
    WSUS server:  wsus.domain.local
    On the primary SCCM server, I've installed the WSUS user interface (Install-WindowsFeature -Name UpdateServices-UI), in order to work with the remote WSUS server.
    Updates synchronization appears to be working fine, but when I try to setup client distribution via SUP, I'm getting the following error in the Application event log:
    Log Name:      Application
    Source:        SMS Server
    Date:          8/6/2013 11:03:11 AM
    Event ID:      6613
    Task Category: SMS_WSUS_CONFIGURATION_MANAGER
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      sccm.domain.local
    Description:
    On 8/6/2013 11:03:11 AM, component SMS_WSUS_CONFIGURATION_MANAGER on computer sccm.domain.local reported:  WSUS Configuration Manager failed to publish client boot-strapper package "9D5353E5-DA80-48C3-97DE-C9C528F73A2D" with version "5.00.7804.1000" to the Software Updates Point.
    As well as this in the WCM.log:
    PublishApplication(9D5353E5-DA80-48C3-97DE-C9C528F73A2D) failed with error System.InvalidOperationException: Publishing operation failed because the console and remote server versions do not match.~~   at Microsoft.UpdateServices.Internal.BaseApi.Publisher.LoadPackageMetadata(String sdpFile)~~   at Microsoft.UpdateServices.Internal.BaseApi.UpdateServer.GetPublisher(String sdpFile)~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.PublishApplication(String sPackageId, String sSDPFile, String sCabFile)  $$<SMS_WSUS_CONFIGURATION_MANAGER><08-06-2013 11:03:11.787+240><thread=3704 (0xE78)>
    ERROR: Failed to publish sms client to WSUS, error = 0x80131509  $$<SMS_WSUS_CONFIGURATION_MANAGER><08-06-2013 11:03:11.803+240><thread=3704 (0xE78)>
    It would seem obvious that this is because of a mismatch in versions between the WSUS server version on wsus.domain.local, compared to the UpdateServices UI on sccm.domain.local.
    Is there a way around this, without having to upgrade the WSUS server to Server 2012?
    Thanks for any thoughts you may have!

    Not really. As mentioned though, even the separate WSUS server is probably overkill. In ConfigMgr, WSUS is used to handle the update catalog and that's it. Clients do *not* report status to the WSUS instance and do *not* download updates from the WSUS instance. No management is ever done in WSUS.
    So, in reality, once a month, clients connect to WSUS to download the delta update catalog (delta compared to what they currently have) which usually comes out to about a few hundred KB (yes KB, not MB) -- this download is done via BITS. The server also syncs the catalog from the WSUS instance, via the SUP, in a similar fashion. If you are using SCEP, the frequency will be greater, but the deltas will be much smaller.
    EULAs, as needed, are also stored in WSUS and accessed by clients -- these are also quite small and only a select few updates require them.
    That's it. Standing up a dedicated WSUS instance means having a server sitting there doing almost nothing else.
    If you are concerned about load on the site server, then you should create a separate site system that contains the MP, SUP (and WSUS instance), and DP. Then, for HA purposes, you can simply build a second site system with these three roles also and HA will essentially be automatic (from a client functionality perspective).
    Jason | http://blog.configmgrftw.com

  • SCEP Definition Updates from WSUS

    I am currently using ConfigMgr (SUP) for all update patching including SCEP definitions (the 3 times a day scenario) but I was wondering if I can configure the clients so they just get their SCEP definitions from a stand-alone WSUS yet continue to receive all other updates from ConfigMgr (SUP)? I've been successful with pointing the clients to Microsoft Update, Microsoft Malware Protection Center and UNC file shares by changing the Definition Update Source using a custom Antimalware Policy but I haven't figured out how to point the SCEP client to a WSUS server. There is a setting in the Antimalware policy to set the UNC path so I was expecting to see a setting to set the WSUS URL. It's hard for me to believe the SCEP client can't be independently re-directed to a local WSUS since you can configure the SCEP client to go directly to Microsoft or the Protection Center, which is basically the WSUS mothership.
      

    I understand that. I just assumed that since I can change the Definition Update Source and pull the definitions down from "Updates distributed from Microsoft Update" or "Updates distributed from Microsoft Malware Protection Center"
    or "Updates distributed from UNC file shares", all which worked fine for me providing the SCEP client (using WUA) can pull definitions down from a different source
    while all other updates come down normally via the SUP/WSUS, that the "Updates distributed from WSUS" option would allow a separate WSUS to work as well.
    Jason: You asked "What's your end goal or reason for wanting to have separate sources?"
    I would rather not discuss this via the forum so feel free to contact me at
    [email protected] and we can continue this conversation and update the thread at a later time.
     

  • ConfigMgr 2012 R2/WSUS configuration issue

    In my test environment, I have two systems set up as SUPs. One (SUP01) lists the synchronization source as 'Microsoft Update' and the other (SUP02) lists the first one as its synchronization source. The second is a replica of the first SUP and that's reflected in the WSUS options.
    In my production environment, I have basically the same setup, just more SUPs, but any SUPs added after the first will not set up as a replication partner to the first. All SUPs added after the first list 'Microsoft Update' as the synchronization source. I've tried uninstalling and reinstalling WSUS and the SUP role more than a few times, with the same result always. I've also tried configuring the WSUS update source in the WSUS options directly to point to the first SUP system.
    The ConfigMgr 2012 R2 console never reflects this change and never synchs. I've been struggling with this issue for days. Is there a way to fix this so that the additional SUPs configure correctly as replicas of the first?

    Technically it can be done (I guess)... Would I do it... Never!!!
    It would be extremely hard to manage, and a million things could go wrong (and most likely would).
    I don't see any reasons not to deploy a separate WSUS Server.
    Ronni Pedersen | Microsoft MVP - ConfigMgr | Blogs:
    www.ronnipedersen.com/ and www.SCUG.dk/ | Twitter
    @ronnipedersen
    Yes, it will work. But never approve updates that are managed from SCCM. I will never recommend this because as Ronni said, a million things could go wrong.
    Definitely create a second WSUS Server. If you want, you can synchronise the approval between them using a powershell script.

  • Proper WSUS+SCUP on SCCM 2012 SP1 with SQL 2012

    Been pulling my hair out over a new build.
    System:
    Windows 2012
    SQL 2012 SP1
    WSUS 4.0
    SCUP 2011
    WSUS itself will synch if I set source= Microsoft Update.
    SCCM SUP will synch if I set source= Microsoft update.
    SCUP will not connect to "update server" in this config.
    SCUP will not connect if I check connect to local update server.  Nor will it when I try to connect to itself as a remote (i.e. local host or FQDN in Update server screen).
    Now what's weird is that if I throw a proxy on my spare machine, aim WSUS and SCUP to use it, and try SUP to FQDN of SCCM host:8530... I can connect.
    The problem is with the proxy in play I cannot download Dell catalogs as it uses FTP not HTTP (Adobe will download though).
    Every so often just for fun it will throw "request for principal permission failed".
    Anyone that has this working, can you please tell me what you have on each of the SUP, WSUS and SCUP screens?

    Try running SCUP as administrator. This is usually necessary when SCUP is installed on the ConfigMgr/WSUS server and UAC is enabled. Here's a guide that may help: http://www.youtube.com/watch?v=fyEGWSFWyy0 Using Group Policy is the easiest way to deploy the certificates as well.
    Justin Chalfant | Blog: setupconfigmgr.com | SCUP Catalog: patchmypc.net/scup | Please mark as helpful/answer if this resolved your issue

  • SCCM 2012 R2 configure WSUS got error remote SQL Server 2012

    Hi All,
    I have a question: when I want to configure the WSUS component it fails as per the screenshot, and my SCCM can't work with it.
    SCCM Server : Windows Server 2012 R2 (WSUS featured installed)
    SCCM Version: System Center Config Manager R2
    Remote SQL Server : Windows Server 2012 R2
    SQL Version: SQL Server 2012 SP1 -11.0.3153
    WSUS Error:
    SCCM Error:
    Hope you all can provide me a good solution on it I had no clue on this.
    Regards,
    Sam

    Sam,
    Recommend you 
    Remove SUP
    Remove WSUS role
    Delete the SUSDB on the remote SQL server
    Reboot the server
    Reinstall WSUS feature
    Reinstall SUP
    Take a look at my blog on installing a SUP on 2012 from the section 'Install WSUS on the remote SUP server'
    http://sccmentor.wordpress.com/2014/09/11/installing-a-remote-sup-in-sccm-2012-r2-on-windows-server-2012-r2/
    Make sure you run the Post Install tasks as well.
    Cheers
    Paul | sccmentor.wordpress.com
