SCEP UNC path definitions

Hi, we have SCCM 2012 R2 with SCEP clients configured to use a UNC path as a 3rd and last resort to get the definition updates.

When we click Update locally on a system with the SCEP interface, I know it won't go look in SCCM, but will go through the rest of the list.

Ref: https://support.microsoft.com/en-us/kb/2831244?wa=wsignin1.0

When you click Update in the SCEP UI, the client looks for a FallbackOrder registry key in HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates. The client will check each update source in the FallbackOrder registry key in the order that they are listed until it locates a source that has available definitions. If it goes through all sources without detecting available definitions, it returns an error and the update attempt is unsuccessful. Configuration Manager is never listed in the FallbackOrder registry key, as the SCEP client does not recognize a Configuration Manager Software Update Point agent (and associated infrastructure) as a valid definition source and cannot pull definitions from Configuration Manager.

The issue we have is that we have 2 UNC paths configured, since we have two domains. Yes, we could create two separate policies and only apply the UNC path to each domain, but shouldn't the SCEP client go through both UNC paths, find that it can access one of them and start to update?

Right now it doesn't; it looks at the 1st and if it can't access it, it'll fail and report a timeout.

Is this by design or a known/unknown issue with SCEP?

Thanks in advance and don't hesitate if you have any questions.

Steph

April 29th, 2015 2:19pm

Hi,

In the same location you posted there is a key definitionupdatefilesharesources. I guess the client will only look for definition updates via a UNC from the value of that key.

http://blog.thesysadmins.co.uk/sccm-2012-scep-unc-definition-updates-automation-powershell.html

April 29th, 2015 2:41pm

Yes that's what we configured in the Policy.

Our two UNC paths are there, but I don't know why it doesn't look for the second one.

Let's say the 1st UNC path is in Domain X and the second UNC path is in Domain Y (no access between the domains for UNC paths).

If a server in Domain Y tries to look in the UNC paths (by clicking on Update) it'll fail, since it can't access the 1st UNC path (but it can access the second one).

If a server in Domain X tries the same, it'll work since it can access the 1st UNC path (but it can't access the second one).

April 29th, 2015 2:46pm

I have only ever used one definition source for UNC updates. The TechNet page states you can add one or more though.

Click Set Paths. Then, in the Configure Definition Update UNC Paths dialog box, add one or more UNC paths to the location of the definition updates files on a network share

https://technet.microsoft.com/en-gb/library/jj822983.aspx?f=255&MSPPError=-2147217396

Bet one of the guys on here knows though.

April 29th, 2015 2:59pm
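
A diagnostic for the situation discussed in this thread, as an added example that is not part of any poster's reply: it reads the fallback order and the configured file shares from the policy key quoted above and checks each UNC path separately, so you can see which share a given client can actually reach. The value name `DefinitionUpdateFileSharesSources` and the `|` separator are assumptions; `Split-SourceList` and `Test-UncSource` are hypothetical helper names.

```powershell
# Added diagnostic example (not from the thread). Run elevated on the SCEP client.
# Key path and FallbackOrder come from the KB text quoted in the first post; the value
# name DefinitionUpdateFileSharesSources and the '|' separator are assumptions.
$key = 'HKLM:\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates'

function Split-SourceList {
    param([string]$Value)
    # Split a pipe-delimited policy string, dropping blanks and stray braces/whitespace
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    @($Value -split '\|' | ForEach-Object { $_.Trim(' ', '{', '}') } | Where-Object { $_ })
}

function Test-UncSource {
    param([string]$Path)
    $result = [ordered]@{ Path = $Path; Server = $null; Resolves = $false
                          Port445 = $false; Readable = $false; Error = $null }
    if ($Path -notmatch '^\\\\([^\\]+)\\') {
        $result.Error = 'not a UNC path'
        return [pscustomobject]$result
    }
    $result.Server = $Matches[1]
    try {
        # Step 1: name resolution (fails fast across domains without shared DNS)
        [void][System.Net.Dns]::GetHostAddresses($result.Server)
        $result.Resolves = $true
        # Step 2: SMB port with a 3 second cap, to expose timeouts per share
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $tcp.BeginConnect($result.Server, 445, $null, $null)
            $result.Port445 = $async.AsyncWaitHandle.WaitOne(3000) -and $tcp.Connected
        } finally { $tcp.Close() }
        # Step 3: can the current account actually see the share path?
        if ($result.Port445) { $result.Readable = Test-Path -LiteralPath $Path -ErrorAction Stop }
    } catch { $result.Error = $_.Exception.Message }
    [pscustomobject]$result
}

$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $policy) { Write-Warning "Policy key not found: $key"; return }

"Fallback order: " + ((Split-SourceList $policy.FallbackOrder) -join ' -> ')
Split-SourceList $policy.DefinitionUpdateFileSharesSources |
    ForEach-Object { Test-UncSource $_ } |
    Format-Table -AutoSize
```

The results reflect the account the script runs under, which can differ from the access the antimalware service has to the share.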

