Why does client point to WSUS where SCCM is managing the updates

Dhirendra 20 Reputation points

My question is very conceptual and it's eating my head for days.

Let us say we have an SCCM environment where we have 100 clients managed by SCCM. Now we want to manage the software updates for the clients as well, so we installed SUP (Software Update Point) on the site server and configured it to point to WSUS (installed on the same server, let's say).

We did the SUP configuration, initiated sync with WSUS and basically did all the homework so that all the desired update catalogues are pulled by SUP (through WSUS).

All the 100 clients are scanned and updates compliance is also checked by SCCM (in the software update scan cycle). Updates are managed, downloaded and deployed by SCCM.

In other words, SCCM is solely responsible for managing all the updates for those clients, so why do the clients still point to the WSUS server (via port 8530/8531)? We configure this while configuring SUP and also, through group policy, we make the clients point to the WSUS server. What's the need? Do they get any updates directly from WSUS too? If yes, wouldn't this create an unmanaged update env?


Accepted answer
  1. Pavel yannara Mirochnitchenko 12,221 Reputation points MVP

    8530 and 8531 are the correct ports for WSUS, because 80 is used for other communication. But your problem probably is that you still have a GPO configured. You should trust your CM agent to use the SCCM SUP and keep your GPOs about WSUS to a minimum. A lot of admins have made the same mistake, including myself. When you enable Software Updates via CM client settings, it will use the registry to enter the correct values via the CM client, so a GPO is not needed. You can also check this by running gpresult /H and populating an HTML report; it will show you the local policy settings in the WSUS settings after you stop using the GPO.

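An added example, not part of the answer above: a PowerShell check that reads the Windows Update policy values in the registry and reports which server, port and scheme the client scans against. The registry paths are the standard Windows Update policy locations; `$ExpectedSup` and its default value are hypothetical placeholders.

```powershell
# Added example: show where the Windows Update Agent on this client is pointed.
# $ExpectedSup is a hypothetical placeholder; pass your own SUP host name.
param(
    [string]$ExpectedSup = 'sup01.example.test'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (no policy set).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$wuServer     = Get-PolicyValue $wuKey 'WUServer'
$statusServer = Get-PolicyValue $wuKey 'WUStatusServer'
$useWuServer  = Get-PolicyValue $auKey 'UseWUServer'

if (-not $wuServer) {
    Write-Output 'No WUServer policy value found: no WSUS/SUP scan source is configured.'
    return
}

$uri = [uri]$wuServer
[pscustomobject]@{
    WUServer        = $wuServer
    WUStatusServer  = $statusServer
    UseWUServer     = $useWuServer                    # 1 = scan against WUServer
    Host            = $uri.Host
    Port            = $uri.Port
    Scheme          = $uri.Scheme
    MatchesExpected = ($uri.Host -ieq $ExpectedSup)
    KnownWsusPort   = ($uri.Port -in 8530, 8531)      # WSUS defaults: HTTP / HTTPS
} | Format-List

if ($statusServer -and ($statusServer -ine $wuServer)) {
    Write-Warning 'WUServer and WUStatusServer differ; check for a leftover or conflicting policy.'
}
if ($uri.Scheme -ne 'https') {
    Write-Warning "Scan traffic to $($uri.Host) uses HTTP; update metadata is not protected by TLS."
}
```

The script only shows the effective values; the `gpresult` report mentioned in the accepted answer is where to see whether they come from a domain GPO or from local policy.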

1 additional answer

  1. CherryZhang-MSFT 6,481 Reputation points

    Hi @Dhirendra

    We need to install WSUS before installing SUP; WSUS still exists in our environment as an update source. SUP is only used to manage and deploy updates and does not replace WSUS.

    Besides, it isn't supported to install the software update point site system role on a server that has been configured and used as a standalone WSUS server, or to use a software update point to directly manage WSUS clients. Existing WSUS servers are only supported as upstream synchronization sources for the active software update point.

    The link for your reference:

    Install and configure a software update point - Configuration Manager | Microsoft Learn

    Looking forward to your feedback.

    Best regards


