This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 52%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
My question is very conceptual and its eating my head for days.
Let us say we have an SCCM environment where we have 100 clients managed by SCCM. Now we want to manage the software updates for the clients as well, so we installed SUP (Software Update Point) on the site server and configured it to point to WSUS (installed on the same server, let's say)
We did SUP configuration, initiated sync with WSUS and basically did all the homework so that all the desired updates catalogues are pulled by SUP (through WSUS)
All the 100 clients are scanned and updates compliance is also checked by SCCM (in the software update scan cycle). Updates are managed, downloaded and deployed by SCCM.
In other words, SCCM is solely responsible for managing all the updates for those clients, then why the clients still point to the WSUS server? (via port 8530/8531). We configure this while configuring SUP and also through group policy, we make the clients point to WSUS server. What's the need? Do they get any updates directly from WSUS too? If yes, wouldn't this create an unmanaged update env?
8530 and 8531 are correct ports for WSUS, because 80 is used for other communication. But you problem probably is, that you still have GPO configured. You should trust your CM agent to use SCCM SUP and keep your GPOs about WSUS at minimum. Lot of admins have made same mistake, including myself. When you enable Software Updates via CM client settings, it will use registery to enter correct values via CM client, so GPO is not needed. You can also check this with running gpresults /H and populate html report, it will show you local policy settings in WSUS settings after you stop using GPO.
We need to install the WSUS before install SUP, WSUS still exists in our environment as an update source. SUP is only used to manage and deploy updates and does not replace WSUS.
Besides, it isn't supported to install the software update point site system role on a server that has been configured and used as a standalone WSUS server or using a software update point to directly manage WSUS clients. Existing WSUS servers are only supported as upstream synchronization sources for the active software update point.
The link for your reference:
Install and configure a software update point - Configuration Manager | Microsoft Learn
Looking forward to your feedback.
Best regards
Cherry
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi,
We are very concerned about the progress on this issue. Do you have any further progress on this issue? If yes, please feel free to let us know and we will do our best to assist you.
Looking forward to your feedback.
Best regards
Cherry