SOLVED Can I setup SCCM 2012 R2 to do End Point Protection and not using WSUS for updates

[Hayes1959]

I have SCCM 2012 R2 running. we are using this to deploy Endpoint protection to 5 locations. We have one SCCM site. I want the Clients to get endpoint protection and possibly the AV updates from the SCCM server.

Do to the difficulty of setting up updates to be pushed from SCCM and the fact that we already have WSUS servers setup, I want to use WSUS servers that are not tied to the SCCM server for windows updates.

For endpoint protection to work properly, do I need my SCCM server to have WSUS? How can I create groups to get Endpoint protection and yet have stand alone WSUS server deploy windows updates?

 

[Prajwal Desai]

Due to the difficulty of setting up updates to be pushed from SCCM and the fact that we already have WSUS servers setup, I want to use WSUS servers that are not tied to the SCCM server for windows updates. - I recommend you to use SCCM to deploy and manage windows updates. May I know what issues are you facing when you use SCCM to deploy updates ?.

For endpoint protection to work properly, do I need my SCCM server to have WSUS? - SCCM uses WSUS in the background, so yes WSUS is still required.

 

[Hayes1959]

It does seem very easy to approve only the updates that you want, and deny the updates that you don't want. Did I miss something in my studies?

 

[Prajwal Desai]

Agreed. You can manage updates very well in SCCM. You can use ADR (auto deployment rules), filter the updates (expired, superseded, etc..), create software update groups and much more which is not possible with standalone WSUS. So the answer to your question is, if you are willing to use only WSUS for Windows updates and not SCCM, then do not install SUP role. Endpoint protection updates can also be deployed using WSUS.
Also, when you said endpoint protection, did you deploy the endpoint protection clients using SCCM ?.