eyetea6

I am testing clients downloading from WSUS only and something has got me confused. 1) This client checks for updates from WSUS every hour. 2) The SUP is configured to sync at 1:00am. 3) All ADRs run between 3:00 am and 4:00 am. What I saw in this clients MpCmdRun.log was that it was checking in to the wsus server every hour and not getting updates. Then, at 1:20am (after the 1:00am SUP sync), it checks in and gets updates. ------------------------------------------------------------------------------------- MpCmdRun: Command Line: "c:\Program Files\Microsoft Security Client\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -ManagedUpdate Start Time: ‎Sun ‎Aug ‎25 ‎2013 01:20:28 Start: Signatures Update Service Update Started Search Started (WSUS update) (Path: http://wsus-server:8530)... Search Completed Download Started... Download Progress- Update Index:0 of 1 - 0% Download Progress- Update Index:0 of 1 - 0% Download Progress- Update Index:0 of 1 - 2% Download Progress- Update Index:0 of 1 - 4% Download Progress- Update Index:0 of 1 - 6% Download Progress- Update Index:0 of 1 - 11% Download Progress- Update Index:0 of 1 - 20% Download Progress- Update Index:0 of 1 - 38% Download Progress- Update Index:0 of 1 - 75% Download Progress- Update Index:0 of 1 - 100% Download Progress- Update Index:0 of 1 - 100% Download Completed Download Completed Installation Started... Installation Progress- Percent Complete:0, Current Update Index:0 (of 1) Installation Progress- Percent Complete:0, Current Update Index:0 (of 1) Time Info - ‎Sun ‎Aug ‎25 ‎2013 01:20:56 Installation Progress- Percent Complete:100, Current Update Index:0 (of 1) Installation Progress- Percent Complete:100, Current Update Index:0 (of 1) Installation Completed Update completed succesfully End: Signatures Update Service MpCmdRun: End Time: ‎Sun ‎Aug ‎25 ‎2013 01:20:56 ------------------------------------------------------------------------------------- This confuses me because I didn't think that the wsus server would have any updates until after ADR runs and actually downloads updates since SUP syncs, as far as I know, don't actually download updates and make them available. And when I look at PatchDownloader.log on the server, I see that no updates are downloaded until 3:00am which is after this client updated at 1:20 am. So the question is this: How did this client (which only is configured to update from wsus) get new definitions from the wsus server AFTER the SUP sync but BEFORE any ADR ran?

Ah. Well that blows my mind. I can see in patchdownloader.log that it is downloading at the time one of the ADRs are set. I was oblivious to this before and thought that SUP was responsible for downloading. But I guess since SUP started updating daily and getting the metadata, the daily ADR rule was then able to download daily. Thanks.

I'm lost because I saw that I was only getting definition updates in "All Software Updates" every 7 days. Then after I changed the sync schedule for the SUP from 7 days to 1 days, I started getting updates every day. I didn't change any ADR though. Does that make sense?

Excellent. One more question about SUP/ADR. I noticed that SCCM was only downloading definitions every 7 days. When I changed the sync schedule of SUP to daily, I then started seeing new updates every day in "All Software Updates" which were downloaded from Microsoft and put into the distribution point. So since SUP is downloading the updates from Microsoft, what do you mean by your second point that "ADR will download updates?" Do you mean that ADR will download the updates from SCCM to the different distribution points or that ADR will download updates from Microsoft too? Thank you.

What do you mean that it makes new updates available? I have SCCM 2012 downloading defintions every few hours so they are fresh. Are those updates not available until they are "deployed" somehow through the automatic deployment rules? For example, if the ADR runs once per day at 3:00am and the clients check every two hours for updates, the clients will get a new update after 3:00am and then continue to check every 2 hours. If SCCM downloads new updates throughout the day, will the clients not be able to get them until the next morning when ADR runs again? Secondly, if the client is updating from MicrosoftUpdate, do the ADR rules even matter? Thanks. I'm just not sure what ADR really is and the literature I'm finding doesn't really answer my questions.

I can't find the answer anywhere so I'd like to ask you all. What is the reason for using ADR to deploy endpoint definition updates from the SCCM server when the clients already check for updates every 2 hours (or whatever interval you set)? I don't understand why I would need to deploy from the server with ADR rules when the clients already handle checking for updates themselves. Am I misunderstanding something? Thanks.