SCEP ADR

  • Question

  • I need someone to (hopefully) clarify how SCEP updates function.  I have a SCEP ADR configured to run immediately after a successful wsync, with a wsync that is configured to run every 6 hours beginning at 12 PM.  The SCEP ADR sets a deadline of 'As soon as possible'.  We have a single server OU-based collection with an antimalware policy deployed that checks for definition updates every 8 hours.  In our client policy, we have the Software Update Scan scheduled for every 3 hours.

    The problem I'm running into is that all of our virtual machines are being hammered at the same time, thus causing latency on storage.  How does the deadline set via the ADR relate to the definition update interval checking on the malware policy and the software update scan schedule in the client policy?  How do most people spread out when clients are updating?




    • Edited by Frentic Tuesday, April 14, 2015 8:49 PM
    Tuesday, April 14, 2015 8:21 PM

Answers

  • That's irrelevant. Newly deployed updates always kick off a software update scan cycle to determine compliance, thus they don't wait for the next scheduled scan cycle, and the statement still stands -- the software update scan cycle does *not* kick off updates. Only deadline deployments do.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    The question still remains: if a deadline of immediately is configured on a SCEP update, is it going to install after an update scan cycle, or based on the malware policy schedule for installing definition updates?

    I found this on a blog, however I wish there was some official documentation from Microsoft.

    The key difference that I can see is that the SCEP definition update initiates from the AntiMalware Policy configuration, not from the EndPoint client settings where I expected to see it, or from the Software Updates Schedule client setting.  As opposed, of course, to Software Update scanning and installation as per your post.  Also, triggering a manual SCEP definition update is only done from the SCEP client and not the SCCM client actions, from what I've seen so far.

    http://blogs.technet.com/b/configmgrdogs/archive/2014/06/30/configmgr-2012-windows-update-client-process.aspx

    • Edited by Frentic Wednesday, April 15, 2015 4:13 PM
    • Proposed as answer by Joyce L Tuesday, April 28, 2015 6:49 AM
    • Marked as answer by Joyce L Tuesday, May 5, 2015 7:29 AM
    Wednesday, April 15, 2015 3:58 PM

All replies

  • Have you enabled/disabled deadline randomization in the (default) client settings?

    Torsten Meringer | http://www.mssccmfaq.de

    • Proposed as answer by Joyce L Wednesday, April 15, 2015 7:02 AM
    Wednesday, April 15, 2015 6:04 AM
  • Have you enabled/disabled deadline randomization in the (default) client settings?

    Torsten Meringer | http://www.mssccmfaq.de

    I had been looking for that, just not in that section.  Thanks for the pointer.

    Do you have anything regarding my other question?  Does a normal windows update scan by the agent ignore definition updates and only apply those according to the schedule in the malware policy?

    • Edited by Frentic Wednesday, April 15, 2015 1:52 PM
    Wednesday, April 15, 2015 1:46 PM
  • The Software Update scan cycle set in ConfigMgr does *not* install updates. It merely scans for applicable updates. Updates are never automatically installed unless they are past their deployment deadline.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, April 15, 2015 2:08 PM
  • The Software Update scan cycle set in ConfigMgr does *not* install updates. It merely scans for applicable updates. Updates are never automatically installed unless they are past their deployment deadline.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    I'm aware of that, but my SCEP ADR sets the deadline 'as soon as possible'.  So that means I have to figure out if the software scan time in the SCCM client policy is triggering that deployment to install, or if it's the definition update interval in the malware policy.
    Wednesday, April 15, 2015 2:46 PM
  • That's irrelevant. Newly deployed updates always kick off a software update scan cycle to determine compliance, thus they don't wait for the next scheduled scan cycle, and the statement still stands -- the software update scan cycle does *not* kick off updates. Only deadline deployments do.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, April 15, 2015 2:53 PM