This won't be technically supported as the WSUS versions must match (which means the OS versions must match also). To my knowledge it should work though.
However, why? ConfigMgr doesn't care at all about forests or trusts when it comes to client management. It's literally irrelevant. There is no need to deploy an MP, DP, or SUP to trusted or untrusted forests. Forests and trusts are about trusting principals from other forests for authentication purposes. ConfigMgr doesn't care about this, require this, or use this (except for user targeting). Finally, in terms of ConfigMgr, you don't configure your WSUS instances to be downstream or upstream. ConfigMgr will do this for you when you install the SUP role which should be done on a clean, unconfigured instance of WSUS. J From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Vann, Gerry Sent: Monday, November 27, 2017 3:31 PM To: mssms@lists.myitforum.com Subject: [mssms] SUP in an Untrusted Forrest Hello, I'm looking for some ideas. We are currently managing Windows updates with SCCM on our corp network. We have a handful of separate forests that are currently using WSUS only for updates. Some of these forests have a one way trust other have no trust. I set up MP/DP's in each of the forests a while back and all works well like inventory and software delivery. Recently I've been tasked with getting the forests Windows updates managed by SCCM. Since I already have a presence in each of the domains I was thinking about creating a downstream WSUS server in the untrusted forests and installing the SUP role on each of the servers much like this post https://www.systemcenterdudes.com/installing-a-sccm-dpmpsup-in-an-untrusted-domain/ . One problem I may have is our existing WSUS server is 2012 R2 while the MP's out in the untrusted forests are Server 2016 WSUS 10. So, more specifically will I have an issue with the different versions of WSUS? I'm curious if there are more ways to accomplish that I have not thought of? SCCM Version 1706 Thank you, Gerry
