Endpoint Protection

Hello all,

I have a domain of about 20k clients...sometimes clients will take their own sweet time to upgrade from the SEPM. What I'd like to know is if there is a way to force a client to start it's upgrade installation OR somehow force the the upgrade process from the SEPM.

What I have already tried on the "Install Packages" section of the SEPM:

1) No upgrade schedule and distribute upgrades over 0 days.
2) Upgrade schedule of 12:00am to 11:59pm over 0 days
3) Upgrade schedule of 6:00pm to 6:00am (Servers) over many days

So far these attempts have gotten "most" of the machines, but not all...and never very expediently.

The clients I have tested with all have green dots on the clinet and the server, updated defs and policies, no pendingfilerenames. Seeming stable clients in good health.

What would truly be handy Symantec is if you had a command-line operation that could be run against smc.exe that jump started the Auto Upgrade process.

Something like: smc.exe -upgradeclient

Any thoughts?

Thanks,

-Mike

Well you could right click on all clients and choose Run Command on Clients > Update Content.  This would make the client check-in, see an upgrade and thoeretically start the upgrade.

You could remotely restart the services using smc -stop, then smc -start.  That would have the client ping the SEPM and maybe kick start the upgrade.  I use PSEXEC to remotely run that smc command on clients.

I've always wondered this to.

When I assign an install package to a small group of clients, 5-15, it seems to go smoothly and be done in less than 24 hours

When I assign to larger groups, 25+, it takes days some times a week or so for all to be fully upgraded.

I do, however, use a remote tool as well, which makes it easier.

I'm wondering if the new SEPPrep tool will help with this....

I've not heard of that? Is it part of RU6? We have a beta of RU6...but so far no time to install or test with it.

Sadly...my finger is already numb from running update content on either the machine itself, the group (OU) it's in or "My Company". I have a utility I wrote that upgrades (re-applies) the Sylink.xml and part of it's process stops and starts smc.exe. Didn't seem to help.

Oh and yes I forgot to mention...we are syncing to AD and no, I cannot break the sync and delete random machines.

:-(

Check this too :

https://www-secure.symantec.com/connect/videos/demo-how-use-symantec-endpoint-protection-prep-tool

http://www.symantec.com/connect/forums/sep-prep-tool

I assigned an RU6a install package to all our client groups and waited for Auto-Upgrade to install it on our clients.  In general this worked, but one client is still at 11.0.5, and it has been for almost a week.

I tried blanahan's suggestion: Run Command on Clients > Update Content on this client.  SEPM says the command is complete, but nothing has changed on the client.  

Is there any way I can investigate what happened on this client?  Are there logs anywhere on the client or server that would record the result of an attempt to run an "Update Content" command?  I've looked at all the logs I can think of, and none of them show anything useful. 
 

Once you set a time frame, no amount of coaxing will make the clients perform their update immediately. This is because when a schedule is defined, the SEPM assigns a specific time for the client to update. The client will wait until that time has passed before requesting the update.

Working example:
8:00 AM
 - You assign an update policy for your clients that tells them to update between 6 PM and 6 AM.
8:05 AM
 - Your clients check in (lets say you have 2 clients)
 - The client sees there is an update available and requests it from the SEPM.
 - The SEPM assigns a time between 6 PM and 6 AM for each client to check-in.
 - Client1 @ 6 PM, Client2 @ 12 AM (midnight)
6:01 PM
 - Both clients check in.
 - Client1 downloads and installs the package.
 - Client2 checks in and continues to wait for 12:00 AM.
6:02 PM
 - Impatient admin checks Client2, sees it hasn't updated yet and clicks "Update Content"
 - Client2 checks in, sees it hasn't reached its scheduled update time and continues waiting
6:04 PM
 - Impatient admin decides to call it a night and shuts down Client2.
Next day, 8:00 AM
 - Client2 gets turned back on, sees that it's passed it's assigned update time and requests the update from the SEPM again
 - SEPM checks the update schedule and assigns a new time to Client2... 6:00 PM
6:03 PM
 - Client 2 checks in, sees it has reached its scheduled update time, downloads the update and installs it

The SEPM has an algorithm for update schedules that spreads updates over the time period for updates. This keeps the SEPM from getting slammed with requests when there are lots of clients. It also can be troublesome because it will usually distribute small numbers of clients evenly over large periods of time.

Ryan,

That was a great explanation and it appears that this would be the cause behind what I see as random, hit-or-miss upgrade success. Is there a location that I can check to see just when each client's assigned uprgade time is? I promise I'll be patient and not try to edit the timeframe ;)

Thanks,