General SCCM/ADR Question - Slow propagation of Windows updates to servers


I wanted to know if there was something I missed when following the ADR or SCCM setup guides on this site. We have one site server that acts as WSUS, MP, SUP & DP, and one more DP in our data centre. I've got an ADR set up to collect, download and push out Windows updates after Patch Tuesday to 3 deployments: one for the two SCCM servers and two that split the work of updating the estate roughly equally (we have HVs and VMs, so the jobs are configured with maintenance windows to prevent a HV rebooting while one of its VMs is running updates).

Every month it's pretty good, pushing out to 99%, and there's the odd server here & there with a full disk or WMI issues; I accept that. What I want to know is if there is something I'm doing wrong when the updates don't appear as available on some of the servers for a couple of days after the ADR has run. The deployments are set to ASAP & required, and I've seen it where two servers hosted on the same HV, in the same subnet, with the same spec and roughly the same workload will get their updates showing as available as much as 72h apart. For some servers, the Windows updates are available immediately; for others it takes a long time. The issue doesn't seem to occur when we push an application out; those appear immediately to all parties. Cycles have been checked and seem to be running OK. To a lesser extent, the check-in after updating seems to take a while too.

The last couple of months this has been most noticeable on the site server itself. I'm frankly baffled as to how the server where all the relevant info is hosted, which should therefore rule out any network issues etc., can not have updates showing until 7pm Thursday when the ADR ran at 2am on the Wednesday.

The issue has been largely present in some form since inception but has become more noticeable over time. We have approximately 150 servers to update in any given month. The only major change we've implemented to SCCM is switching to PKI certs for HTTPS, but they're all OK as far as I can tell.

To clarify, all servers seem to _eventually_ get their updates if I wait. Given our security-conscious overlords, I'm finding it more difficult to excuse a delay, and I'm personally sick of beating the stragglers on a Friday afternoon that still haven't checked in/updated.

Any general tuning tips would be greatly appreciated. Any specifics I can check would also be warmly eHugged.


