Jump to content


BryanP

Windows Updates - Multiple Reboots / Unpredictable Install Time

Recommended Posts

Hi everyone. I've been working on SCCM for a little while now, inheriting management of an existing setup with about 30,000 clients. I've learned a lot, but I'm still trying to get it all figured out. Please bear with all the background below to get to the real question.

 

I realized recently that a lot of updates weren't being applied and dug into the ADRs to figure out why. I found the problem and ended up having to split it into two ADRs by Severity (Critical/Important in one and Moderate/Low/None in the other) to get everything we need to patch in under the 1000 update limit. I informed my manager that April would be a lot of updates as the ones that were being missed all applied.

 

Forcing users to reboot is a big deal in our environment. You catch a LOT of flack over it. So I distribute the updates over a weekend, which catches about 15000 or so that leave them turned on like they're supposed to. The rest start applying them when they come in Monday and are forced to reboot 4 hours later. You don't leave it turned on over the weekend, you have to reboot for updates in the middle of the day, live with it. Fine.

 

So along comes this extra large round of updates, (people getting 200-500MB of patches depending on their individual setup). I started getting calls about people who left their computers on over the weekend yet they were still rebooting in the middle of the day. Not everyone, but enough to get some people upset.

 

Looking at ccmcache I see where users would download a bunch of updates, reboot, then hours (or the next day), download another round. Sure, that makes sense. You installed a bunch of older updates and there were dependencies for newer updates. This month will be painful, but after that everybody should be back to normal.

 

Using User X as an example. The ADR was set to execute at 8PM on Saturday night. I look in their CCMCACHE folder and see 61 folders (303MB) downloaded between 9 and 9:30PM that night. Then I see 5 more folders (66MB) created at 10PM that Sunday night. No problem. The PC rebooted twice over the weekend, they're fine to go on Monday morning.

 

Except they rebooted yet again at 7PM Tuesday night. So I look and sure enough, 4 updates applied that Tuesday afternoon and forced the reboot 4 hours later.

 

My first thought was they would have been in the second round and for some reason they didn't apply immediately. But no, all of them were in folders dated Saturday night, they just didn't apply until Tuesday afternoon, after a ton of other updates had applied. The KBs that applied late were KB3045999, KB3042553, KB3037574, and KB3045685.

 

So that was a long way to go to get to my question. Anybody know why SCCM would wait like that? I've checked and rechecked the ADR settings. The deployment schedule is set for As Soon As Possible, so there should be no delays there.

 

The only theory I have at this point (other than "Windows is weird, and it just waited to install the updates for a bit, sorry!"), is that instead of splitting the ADRs by Severity, maybe I should have split them by OS to get it down? Is it possible that having two ADRs push updates to the same PC at the same time would be a problem? I could get around that by splitting them by OS instead of Severity so that only one ADR is applying for a given machine. I've checked and it will still be under the 1000 limit, but by a smaller margin.

 

 

 

 

 

Share this post


Link to post
Share on other sites

Doing some more digging on other PCs this is happening to, it seems to be that for some computers, round 1 of updates is applying, then it waits anywhere from a few hours to a few days before deciding to check in again and realize there are more updates to be applied. The question is ... WHY is it waiting so long between checks?

Share this post


Link to post
Share on other sites

Aaaaand I'm an idiot. Remember I inherited this and I've been trying to educate myself on it without, oh, you know, actual training? This means some details I only learn as things go wrong.

 

Client Settings -> Software Updates. The schedule is set for every 2 days. If I had set it to more frequent this wouldn't have happened. Now I just need to get through this month and confirm. I've already been told I'm dead man walking if certain people reboot again tonight.

 

*sigh*

Share this post


Link to post
Share on other sites

i see you realised the problem, but i'll just reiterate for others, check your client agent settings targeted to those clients, how often are they set to check for updates ?

Share this post


Link to post
Share on other sites

To expand on anyweb's advice.

 

You need to check your maintenance windows as well, If you don't want them installing and/or restarting during certain hours then you need to put a maintenance window in effect.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...