Skip to main content

Setting Up a Separate WSUS to Work with SCCM Environment

Sometimes I feel thick-headed.

This is especially true, sometimes, with SCCM — but c’mon, it’s SCCM, so it comes with the territory.

The issue I was having was that I didn’t quite understand what the role a separate WSUS server would play in an SCCM environment. I thought it would be configured something like this:


I didn’t quite understand how the WSUS server worked with the SCCM environment. I knew SCCM managed WSUS, but it didn’t make sense to me how. Why wouldn’t I just configure WSUS and SCCM on the same box if I had to have the WSUS role already on the same system? This setup would cause the WSUS role on the SCCM primary site to be managed, but it tried to get updates from a WSUS that wasn’t doing anything, and I would have to manage updates from it, PLUS manage the updates in SCCM for deployment.

This seemed ridiculous to me, and super-redundant. Well, that’s because it is ridiculous and super-redundant.

In reality, it should be something like this:



  • WSUS console is installed on SCCM Primary Site
  • WSUS server has the WSUS role installed, but nothing else
  • No group policy configured for the WSUS server to point to an internal box
  • In SCCM, configure the WSUS server as a ‘Site System’ with the Software Update Point role configured.
  • Your software updates for WSUS then get their updates from Microsoft, unless you haveĀ another WSUS upstream server.
  • Then all updates come from the WSUS server.
  • Note: if you’re running a single SCCM server, the WSUS can be installed on it as well, you just need to make sure you have beefy server.

I kind of feel like a bonehead for this, but hey, I get it now!

More info on the process here (although my setup is a little different):
Installing a remote Software Update Point in SCCM 2012 R2

(Update 20190702 – Made a note to clarify that the role can also be installed on single servers if desired).

7 thoughts to “Setting Up a Separate WSUS to Work with SCCM Environment”

  1. How is the process now that WSUS is a server role? I cannot seem to figure out how to install the administration console only so that SCCM can play with WSUS.

  2. I’m having a heck of a time with my config but am under the impression SCCM feeds updates to WSUS. In my environment, the WSUS server isolated with only a few ports open and none to the internet. WSUS must receive updates from SCCM making the above picture particularly confusing. Apologies for the dated post.

    1. If I’m understanding you correctly, SCCM doesn’t “feed” updates to WSUS, it controls it (which may be what you’re talking about).

      It’s similar to the relationship between SCCM and Windows Deployment Services (WDS): WDS is just a server role that SCCM controls to offer PXE boot services. In the same way, SCCM controls WSUS to synchronize Windows Updates, download them, and offer them to clients. SCCM also uses it to build packages that are deployed to systems.

      All this being said, I recently encountered an issue that confused me with WSUS and SCCM, and I still don’t have an answer to this behavior: I found that even if software updates weren’t deployed to collections, those updates are available to workstations/servers if the option to “Check for Updates” is clicked. I thought that SCCM would restrict software updates on WSUS to the collections they’re deployed to, but this doesn’t appear to the case.

  3. Hello,
    i have sccm with wsus installed and works fine, i can push update to my client, and i have some automatic distribution too that works.
    The only problem is : the update are downloaded from microsoft and not from my sccm/wsus
    the wsus folder on my sccm/wsus is not used , because no download are there only conf file.. very tiny

Leave a Reply

Your email address will not be published. Required fields are marked *