Starting SCCM build 2002 Microsoft have introduced a new feature called Orchestration groups. You can find information about Orchestration groups here: https://docs.microsoft.com/en-us/mem/configmgr/sum/deploy-use/orchestration-groups.
The principal of Orchestration groups work is: you arrange several machines in a cluster, set an order and during the maintenance window SCCM deploys software updates in a pre-set order. There is also a possibility to run pre- and post-execution PowerShell script on each member.
However what Microsoft have overlooked is that if you are using Windows Defender as your primary Antivirus solution and distribute updates using ADR, Orchestration group would also consider Windows Defender updates as Windows Updates and because Windows Defender updates ADR is set to override the maintenance window, the next Windows Defender update will trigger Orchestration group in the following fashion:
- Windows Defender update triggers Orchestration group on Node 1 or Set 1.
- Orchestration group executes pre-deployment script on Node 1 or Set 1.
- Windows Defender update is deployed.
- There is no maintenance window so security updates are not deployed.
- Orchestration group timeout has expired and the group goes to ‘Failed’ state.
This issue is repeatable and was reported to Microsoft.