I just noticed something a little weird with the delivery of Endpoint defs through SCCM.

The definitions are downloading and installing at different local times across the globe. For instance, in Europe they are installing at around 3:30am as expected - but in new Zealand, they happen at around 13:30pm. This indicates it is being delivered based on the time at the Primary Server. But the deployment settings quite clearly show that the deployment should be done at LOCAL CLIENT TIME.

The ADR runs at 3:30am - but that has no option for local or 'server' time.

What the hell is going on and how do i ensure that this happens at local client time? It is affecting performance at some sites as it is happening during key business hours.

Anybody any ideas what i can look at?

This is causing me some serious pain now...

Assumption: Single Primary located in Europe

The ADR will run at the Primary local time.  Then it will push the files to the Secondary/DP. The policy in the Software Updates tells you when it will be available for the client to install. 

What do you have as far as the check/install time in your SCEP policy.  The clients need to know there is a policy for the updates, they also need to know what updates are available, scan against the WSUS and then download and install.  Is the SCEP policy set for specific time to update or set to run every x hours?

I'll try and detail everything i have set up for this. Please try and read through it and provide some help or advice on your own experiences - this is causing me some serious pain now and i can't seem to find a way around it. I can't believe this hasn't come up for somebody else? i have had to put my whole migration on hold until i can get this sorted.

I have a single primary site - 2012 R2 with CU4 - and it is based in our global DC in the Netherlands. I have a small number of DPs located around the world, and clients all around the world.

The issue is this: each day an ADR runs for SCEP def updates, but it is not running on client time, it seems to be running on Primary Server time. I want the AV to update during the early hours so that any machines online update outside of core business hours. So in Europe they all update at 2am as expected - but in New Zealand (for example) they run at 2pm in the afternoon, slap bang in the middle of their busiest period.

The deployment schedule tab in the ADR shows 'time based on: client local time'. But it is clearly ignoring this. Why? I have set 'as soon as possible' for both updates available and install deadline.

The deployment itself also has time based on client local time and i have set a specific time of 3:30am for available time and deadline time.

Lastly, in the Endpoint policy, under Definition Updates I have: check for definitions daily at 2am. 

The ADR runs on the server and does nothing more than creating the required ConfigMgr objects (update groups, deployments etc).

Isn't that conflicting information? "

I have set 'as soon as possible' for both updates available and install deadline.

The deployment itself also has time based on client local time and i have set a specific time of 3:30am for available time and deadline time"

No, it's not conflicting information. Perhaps i just didn't word it right...

As soon as possible is what is set in the ADR. That translates to 3:30am in the deployment when the ADR runs it.

But it says 'based on client local time' - and clearly isn't...

The way it work with as soon as possible. is simple it will append as soon as it can.

The ADR run at 3:30 am and create the deployment for the patch the issue is that it`s available for everyone and now the soon as possible kick in.

If you want different time for this you will need to create multiple ADR if you plan to use the soon as possible.

SO let me recap 3:30 AM SCCM sync get`s the new patch and make a software/update software group. The deployment is than update/created now all client in the entire company see the deployment that tells them  AS SOON AS POSSIBLE. so guess the client listen.

Ok - so how do i get it to work with installing at a set client local time?

I can't be the first person in the history of SCCM that needs this!!

You can't set a specific time in the ADR - the only option is for asap or a certain amount of time after the rule is run

• Edited by Hackmuss 19 hours 26 minutes ago

Well you could do multiple things.

Make multiple ADR for each site and deploy them to different collection and different DP

But honestly dealing with update you should maybe look into making a maintenance window that way they would install at the time you desire.

You could also when you get in the office manually deploy it to the new Zealand collection.

Might be other ways but i strongly suggest looking into making a maintenance windows for software Update.

 

• Edited by Frederick Dicaire 19 hours 22 minutes ago

Thanks for your help.

I find it hard to believe that i have to create a different ADR for every time zone i have. Does everybody else just update SCEP at any old time during the day? I can't be the first person who needs to do this - i would have thought EVERYBODY would who has clients in multiple locations around the world.

The trouble with a maintenance window is that PCs that are routinely switched off at night would never get the AV updates. At the moment if they aren't 'live' at update time they get updated when they switch on next.

Well normally people want the update for the AV as soon as possible everybody is afraid these days.

You can have the update install outside maintenance windows and only respect the reboot during maintenance windows. This way people get update but they don't get the nasty reboot and such.

The way the ADR work it just make a deployment with the rule you specified and since those rule are AS SOON AS POSSIBLE once the client make the request for the policy/update they get the deployment flag as it need to be install right now.

You could play with the deadline and such  but like i said maintenance windows are the easy part to make sure things get install/rebooted when you desire.

Maybe Torsen or Jason can provide another alternative.

• Edited by Frederick Dicaire 19 hours 8 minutes ago

As i said - i don't think a maintenance window would work.

If i set it for, say, 2am to 5am - no reboot just software install - any PCs that are always switched off at that time, will never get updated.

Without a maintenance window, the deployment runs, installs straight away on those online - and those offline pick it up when they get powered on and check in.

Like i said you have the option to bypass the maintenance windows for the install part. SO it would install as soon as possible but would never ask for a reboot until the maintenance window.

Any way I will let the big guy`s try to answer your post as clearly you want nothing to do with any of the alternative i have provided.

But that's what i have now but it's not working at the right time!!!