It is no exaggeration to say that this task is the single most important thing that a SCEP admin does on a day-to-day basis. Keeping your SCCM CAS server's Software Update Point up-to-date with the newest SCEP definitions is the first link in the chain to get your SCEP clients the newest possible definitions.
In order to complete this recipe, you'll need to utilize an account that has at least the SCEP administrators SCCM role assigned to it.
Follow these steps:
- Log into your SCCM CAS server and launch your SCCM 2012 management console.
- Navigate to
Software Library|Overview|Software Updates|All Software Updates. - In the Search bar, type the word
Endpointand press Enter, as shown in the following screenshot:
- From the search results, select the item that ends in the highest numerical number; in this example that would be (Definition 1.123.1813.0). You can typically determine which version is the newest by looking for the title that has a green icon preceding it, as shown in the following screenshot:
- Now look for the Date Released: information on the bottom half of the console. If this date and time stamp is more than 8 hours in the past, you may not have the most up-to-date definition on your Software Update Point.
- Click the X button at the end of the search bar to return to main window for Software Updates.
- If you wish to force an unscheduled synchronization, click on the Synchronize Software Updates button in the top left-hand side corner of the console. Click on Yes on the information pop-up window to proceed, as shown in the following screenshot:
- To check the status of the sync, navigate to
Monitoring|Overview|System Status|Component Statusand locate the SMS_WSUS_Sync_Manager item. Right-click and select Show Messages, then select All. The Status Messages: Set Viewing Period window will pop up. In the Select date and time field, choose 1 day ago and click on OK. - You should be presented with a window titled Configuration Manager Status Message Viewer for <SEC> <Secure Lab>. If you see that top message in the window has Message ID of 6702, then you know WSUS synchronization is complete. If 6702 is not the newest status message, then wait for a few minutes and refresh the screen by hitting F5.
- Once WSUS synchronization is complete, repeat steps 2 through 5 to see if the Software Update Component has a newer definition file than before. If so, proceed to step 11.
- You will also want to manually execute your Automatic Deployment Rule for SCEP definitions, as the output of this rule is the package from which your SCEP clients actually get their definitions. To do this, navigate to
Software Library|Overview|Software Updates|Automatic Deployment Rules, locate your rule for SCEP definitions, right-click, and select Run Now.
The Software Updates component of your SCCM server uses Windows Server Update Services or WSUS to synchronize with Microsoft Updates over the Internet. It is important to remember that when you click on the Synchronize Software Updates button, SCCM will sync all of the available Microsoft Updates for all of the products it has been configured to receive in products and classifications.
On a normal day, this should usually just cause SCEP definitions to sync. However, if you manually kicked off a sync on Patch Tuesday, you may be pulling down a lot of data from Microsoft Updates. Unfortunately, there is no way to tell SCCM to only sync the SCEP definitions, and nothing else.
If everything is working correctly with SCCM, you will usually only need to follow step 1 through step 5, as everything else should be happening automatically on a regular basis. Steps 6 through step 11 are not something that you should need to do on a daily basis. If you do find yourself doing these steps routinely, then you should troubleshoot your SCCM server to determine why it is not syncing on its own.