Hi, we have sccm 2012 R2 with SCEP clients configured to use UNC path as a 3rd and last resort to get the definition updates.
When we click on Update on localy on a system with the SCEP interface, I know it won't go look into SCCM, but will go through the rest of the list.
Ref: https://support.microsoft.com/en-us/kb/2831244?wa=wsignin1.0
When you click Update in the SCEP UI, the client looks for a FallbackOrder registry key in HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates. The client will check each update source in the FallbackOrder registry key in the order that they are listed until it locates a source that has available definitions. If it goes through all sources without detecting available definitions, it returns an error and the update attempt is unsuccessful. Configuration Manager is never listed in the FallbackOrder registry key, as the SCEP client does not recognize a Configuration Manger Software Update Point agent (and associated infrastructure) as a valid definition source and cannot pull definitions from Configuration Manager.
The issue we have is that we have 2 UNC path configured, since we have two domains. Yes we could create two seperate policies and only apply the UNC path to each domain, but shouldn't the SCEP client go through both UNC path and find that he can access on of them and start to update?
Right now it doesn't, it looks at the 1st and if he can't access it, it'll fail and report a timeout.
Is this by design or an known/unknown issue with SCEP?
Thks in advance and don't hesitate if you have any questions.
Steph