We are seeing this as well with machines less than 4GB. If you find that article, please pass it along.

From: [email protected] [mailto:[email protected]] On Behalf Of Kent, Mark
Sent: Monday, April 13, 2015 10:11 AM
To: [email protected]
Subject: [mssms] RE: Software updates deployments clarification

Well, there should be a way to tell SCEP itself not to check for updates if SCCM is already doing it. It's just wasting resources all around.

As for the WUAgent, yes, it is the latest. It causes SVCHOST to suck an enormous amount of memory during its scan cycle. Check these out and you will see:

https://social.technet.microsoft.com/Forums/windows/en-US/4a782e40-bbd8-40b7-869d-68e3dfd1a5b4/windows-update-scan-high-memory-usage?forum=w7itproperf
https://social.technet.microsoft.com/Forums/windows/en-US/4cdfc214-0da9-43e4-be2e-4e0a356bf77d/why-is-svchostexe-consuming-700-mb-of-memory-on-my-sccm-2012-clients?forum=configmanagergeneral

I've also tried every WMI hotfix available. If your clients have 4GB of memory or better, you probably are not hearing anything. If they have less than that, WUAgent will turn the machine to molasses when it does a scan cycle.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State

From: [email protected] [mailto:[email protected]] On Behalf Of Mote, Todd
Sent: Monday, April 13, 2015 12:18 AM
To: [email protected]
Subject: [mssms] RE: Software updates deployments clarification

The way I see things work is like this. I have an ADR that runs every time a SUP sync occurs and I have a SUP sync occur every 4 hours. And I have the updates set to Product: Forefront Endpoint Protection 2010, superseded: no, update classification: definition updates. When my ADR runs it only ever has the most recent definitions in it. I also have it re-use the same software update group over and over. It's smart enough to know, and you can watch it in the logs, that the update group changed and so it updates the deployment. Ruleengine.log is where you can watch that.
So every 4 hours I have a SUG with only the most recent SCEP definition in it deployed to my "all my systems" collection, so everybody gets it.

Now clients. You're right that clients get the deployment as an SU deployment like any other, and can install it on whatever schedule you set for SU re-evaluation in your client policy. 2 hours, 2 days, 2 weeks, 4 weeks, whatever. Software Update re-evaluation will pick up that the deployment has changed and install the updates available in the deployment.

You can also set definition updating in the EP policy. You can have it check at an interval, a number of hours, or daily, but you can see that call in windowsupdate.log; the caller will be {System Center Endpoint Protection} or the like. If you've set your update location you should see that in windowsupdate.log too.

What version of WUA are you running? 1 GB is excessive. I would check to make sure the WUA agent is up to date.

In any case, the WUA agent is what drives everything. The SCCM client leverages WUA to do SU re-eval, and EP Policy uses the WUA agent to look for updates against whatever source you set in the policy. WUA is at the center of it all.

Todd

From: [email protected] [mailto:[email protected]] On Behalf Of Kent, Mark
Sent: Sunday, April 12, 2015 9:56 AM
To: [email protected]
Subject: [mssms] Software updates deployments clarification

I am looking to get some clarification on SU deployments, specifically with SCEP definitions.

First, correct me if I am wrong but a Deployment of a SU group is the same as a SW Deployment. Meaning, if you set a deadline, when policy is refreshed on the client and it sees the scheduled time it kicks off the deployment. Correct?

Now, we use an Automatic Deployment Rule for SCEP. Following some published guidance, I set the Deployment deadline to "as soon as possible".
I am assuming then that when policy refreshes on the client it's going to run the definition updates. Where I am getting confused is how/where it determines if it ran it. Is there some identifier on the deployment that the client notes so that it doesn't repeat it? Is there a "success" tied to that specific deployment? Also, if my Automatic Rule runs daily (around 8PM), is it then creating a new deployment each time with a new identifier? As it stands, I have the rule run at 8PM which also then sets the deployment deadline to as soon as possible after the rule completes.

To add to this confusion, the SCEP policies also have an entry to set a definition update schedule. And there really doesn't seem to be any way to turn this off. Nor does there seem to be a way in the Automatic Rule to NOT create a deployment. So, in the SCEP policy, I set it to check for updates at 4AM when our machines power up.

At this point I am left wondering who is in charge here. If it wasn't incurring much overhead I couldn't care less. But with the Windows Update Agent seemingly broken on Win7 and causing massive memory consumption (close to 1GB) when it runs, it's becoming a debilitating problem in our environment.

Any input is appreciated, thanks!

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State
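
The thread notes that each scan request recorded in windowsupdate.log names its caller. The following Python sketch is an added example, not code from any poster in the thread: it tallies scan starts per caller and the shortest gap between them, which shows whether the SCCM client and the EP policy are both driving WUA scans. It assumes the Windows 7-era tab-separated log layout and a `-- START --  COMAPI: Search [ClientId = ...]` line; the sample lines and caller names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Windows 7-era WindowsUpdate.log layout, tab-separated:
# date, time (HH:MM:SS:mmm), PID, TID, component, message.
SEARCH_START = re.compile(
    r"-- START --\s+COMAPI: Search \[ClientId = (?P<caller>[^\]]+)\]")

# Constructed sample lines (not from a real machine); caller names are illustrative.
SAMPLE_LOG = [
    "2015-04-13\t04:00:12:101\t884\t1a2c\tCOMAPI\t-- START --  COMAPI: Search [ClientId = System Center Endpoint Protection]",
    "2015-04-13\t04:00:12:105\t884\t1a2c\tCOMAPI\t---------",
    "2015-04-13\t06:15:40:220\t884\t0f10\tCOMAPI\t-- START --  COMAPI: Search [ClientId = CcmExec]",
    "2015-04-13\t08:15:41:007\t884\t0f10\tCOMAPI\t-- START --  COMAPI: Search [ClientId = CcmExec]",
    "2015-04-13\t08:16:02:300\t884\t0f10\tAgent\t  * Found 1 updates and 70 categories in search",
    "truncated line without tabs",
]

def parse_scan_start(line):
    """Return (timestamp, caller) for a scan-start line, else None."""
    parts = line.rstrip("\r\n").split("\t", 5)
    if len(parts) != 6 or parts[4].strip() != "COMAPI":
        return None
    match = SEARCH_START.search(parts[5])
    if not match:
        return None
    try:
        stamp = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S:%f")
    except ValueError:
        return None  # malformed timestamp: skip rather than guess
    return stamp, match.group("caller").strip()

def summarize_callers(lines):
    """Per caller: number of scans and shortest gap between scans in hours."""
    scans = defaultdict(list)
    for line in lines:
        parsed = parse_scan_start(line)
        if parsed:
            scans[parsed[1]].append(parsed[0])
    summary = {}
    for caller, times in scans.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        summary[caller] = {"scans": len(times),
                           "min_gap_hours": round(min(gaps), 2) if gaps else None}
    return summary

if __name__ == "__main__":
    for caller, stats in summarize_callers(SAMPLE_LOG).items():
        print(caller, stats)
```

Two callers scanning on independent schedules show up as two keys in the summary; comparing their scan times against the memory spikes tells you which schedule to relax first.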
