Here is a short explanation of what happens when you click Update in the SCEP client:
1) SCEP does not search for updates directly in SCCM.
2) SCEP uses the definition update search order defined by the antimalware policy created in SCCM.
3) If you have defined only SCCM as the definition update source in the antimalware policy, then update installation fails.
So if you have configured sources like this:
then the SCEP Update button would first try to connect to WSUS, then Microsoft Update.
More info here: https://blogs.technet.microsoft.com/askpfeplat/2016/07/18/endpoint-protection-updates-configuration-manager/