Channel: Configuration Manager 2012 - Security, Updates and Compliance forum

Software Update Status?

I created a new software update package for Windows 2008 servers.  I deployed this to a collection that had 1 Microsoft 2008 server.  

While the deployment was running I was in Monitoring\Deployments.   The status went from Unknown > In Progress > Pending Reboot.

I then rebooted the server.  The status actually stayed under "In Progress" and it went back to "Downloaded Update(s)".

What would cause that?

mqh7


Updates not making deadline: Maintenance Window Issue


We are trying to get to the bottom of how updates are deployed based on 1) Deadline 2) Maintenance Windows.

Our maintenance window is 1am to 5am every night/morning. This should be ample time to apply updates.

Our deadline for these updates was last Friday 19/09/2014 2am.

According to 'UpdatesDeployment.log' as of today 23/09/2014: 'No Service window available to run updates assignment.'

'ServiceWindowManager.log', has recent output exclaiming 'No Service Window of this type exit', and then the very next line says 'There exists an All Programs window for this duration. The program will run eventually'.

This happens every night and the updates don't run.

Questions: How can we be sure PCs will be awake during this service window WITHOUT using wake on LAN? (Can SCCM client schedule a wake up for the maintenance window?)

How can we figure out why these updates aren't happening?

Does SCEP (2012 R2) scan mail archives like .pst?


Hi,

Does SCEP (2012 R2) scan mail archives like .pst?


/SaiTech

Edit Membership dialog won't close after removing large number of expired updates


Hi,

I was following the directions from this link and on the first step

http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/software-update-content-cleanup-in-system-center-2012-configuration-manager.aspx

to remove expired updates and after unchecking all the updates I wanted to remove I clicked the OK button.  That was about 20 hours ago and the dialog box is still open with an hour glass.  I was attempting to remove close to two years' worth of old/expired updates so maybe this should take a long time?

If I look in task manager on the server I can see that the smsexec.exe and Microsoft.ConfigurationManagment.exe*32 processes appear to be cranking away and have been since I clicked the OK button.  If I look at the SQL Server that is hosting the SCCM database the SQLServer.exe process is also busy cranking away.  I'm a little hesitant to click the Cancel or X button on the Edit Membership dialog as I'm not sure what that would do at this point.

Is there a log or something I can check to see if the process of updating the update group memberships is done?

Thanks in advance,

Nick

SCCM 2012 SP1 - Secondary SUP Sync Source Server Changed without intervention


Hi,

Recently I noticed that some of our Secondary SUPs have stopped syncing. Looking at the logs I found that they cannot find the SUP parent. Name resolution was OK, no firewall blocking traffic flow, SUP at Primary Site working normally, all replica SUP services online.

Then I went to the Sync Settings at Site Components of the SUP replica and the value of the option "Synchronize from a upstream data source location (URL)" had been changed!

The URL of the upstream server has the correct server name, but the 8530 port is missing! The interesting fact is that I have other SUP replicas working normally with the correct upstream server name and port.

So, my question is: since I've installed all the replica SUPs with the same upstream SUP settings, and they have been working normally until last week, how are the settings now wrong? The property is greyed out and I cannot change it back to the correct parameter.

Is there any way to correct it without having to reinstall all the replica SUPs?

Thanks!! 

sccm Malware Detected Old List


There are cleaned computers still on the list of "Malware Detected" computers after 3 weeks.

How can I remove old information?

Thank you,

SUP Error


Hi All

Configuration is as follows

OS:2012

CAS and Primary server running SCCM2012 R2 CU2

CAS has WSUS installed and syncs from MS

SUP is installed on the primary which synchronizes from the CAS

I was patching systems up until 29 September and now nothing is working - not one system is patching

I reinstalled the SUP - supsetup.log reports no errors

Below is an extract from WSUSCTRL.LOG file

 



WSUS Connection and Synchronization Problems


Hi,

Yesterday I read the article below and it says a certificate for wsus web site is also required for ssl communication. I haven't created this wsus web site certificate yet, because I am still not sure if I have to create this certificate or not. Maybe the problems I mentioned below are because I haven't created the wsus certificate.

http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/


In my environment, I have 1 Site Server that has SUP role installed and 1 database server that has wsus database. All communication was done via http then I changed sccm communication from HTTP to HTTPS. Clients and server can communicate without any problems over SSL.

However if I try to open WSUS admin console, it gives error: "Error Connection, Click Reset Server Node to try to connect".

I see following error logs in wsyncmgr.log:

Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync

STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=srvsccm2012.sehir.edu.local SITE=ISU PID=916 TID=4120 GMTDATE=Wed Oct 08 12:25:33.212 2014 ISTR0="CWSyncMgr::DoSync" ISTR1="WSUS server not configured. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0

And I see the following error logs in WCM.log:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---

Remote configuration failed on WSUS Server.

I did the required changes for WSUS for SSL Communication:

  1. APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual directories that reside under the WSUS Web site are configured and I ran the command WSUSUtil.exe configuressl MySiteserver.local
  2. My WSUS web site is a secondary web site (not default)
  3. I configured SUP properties to use SSL on port 8531
  4. No proxy server is involved
  5. Both servers’ firewalls are disabled



Yavuz Selim Atmaca


SCCM 2012 SCUP Updates problem


Hi Everyone,

I'm having a strange issue in my SCCM2012 environment.

We deploy updates via WSUS and SCUP.

Actually we have two infrastructures, one with SCCM2007 and one with SCCM2012.

We are planning to migrate 100% of the infrastructure to SCCM2012.

The problem is that when I deploy an OSD Task from SCCM2012 the updates on the client are installed (Java & Apple).

If I upgrade a SCCM2007 Client to 2012, the Java & Apple updates fail.

Any suggestions?
Cheers

Systems restarting after resuming BitLocker when restarted by update.


SCCM 2012 SP1 with the client setting "Suspend BitLocker PIN entry on restart": the problem is that after suspending the PIN entry and the system is restarted by SCCM, the BitLocker PIN protector is resumed, followed by another reboot. From the rebootcoordinator.log:

Reboot initiated RebootCoordinator 10/1/2014 10:12:00 AM 844 (0x034C)
Retry resuming bit-locker TPM PIN protector. Retry count 1 RebootCoordinator 10/1/2014 10:16:55 AM 4588 (0x11EC)
Attempting to resume TPM PIN protector. RebootCoordinator 10/1/2014 10:16:55 AM 4588 (0x11EC)
Resumed bit-locker protectors on system volume RebootCoordinator 10/1/2014 10:16:58 AM 4588 (0x11EC)
Retry resuming bit-locker TPM PIN protector. Retry count 1 RebootCoordinator 10/1/2014 10:21:08 AM 1108 (0x0454)
Didn't suspended bit-locker. Do nothing and return. RebootCoordinator 10/1/2014 10:21:08 AM 1108 (0x0454)
Entered ScheduleRebootImpl - requested from 'UpdatesDeploymentAgent'. Rebootby = 0. RebootCoordinator 10/1/2014 10:21:09 AM 4728 (0x1278)
Scheduled non mandatory reboot from agent UpdatesDeploymentAgent RebootCoordinator 10/1/2014 10:21:09 AM 4728 (0x1278)
Raising client SDK event for class NULL, instance NULL, actionType 3l, value NULL, user NULL, session 4294967295l, level 0l, verbosity 30l RebootCoordinator 10/1/2014 10:21:09 AM 4728 (0x1278)

So when you log on, the prompt for restart balloon starts showing up.

Thanks.

Determine DP being used by client PCs


In which log file can you determine which DP is being used by a client to download:

a: Endpoint Protection signature updates.

b: Software Updates.

I've trawled around forums and Google a few times looking for the answer to this and never found it. Can anyone help?

Compliance Settings & Powershell Commands


I have started using Configuration Baselines and I followed a blog on how to add inbound firewall rules via a Configuration Item using PowerShell.  The PowerShell script is using the commands 'Get-NetFirewallRule' & 'New-NetFirewallRule', which work fine for my Windows 8 clients; however, those commands are not available for the version of PowerShell in the Win 7 clients.  The post was not OS specific and such it answer how you would use this for Win 7 devices? Maybe I'm missing something and those commands would work on a Win 7 device...?

I'm hopefully making a good assumption that all Win 7 devices would have to have 'Import-Module NetSecurity' run in PowerShell before we are able to deploy that Configuration Baseline calling those commands?  Am I off here?  Is there a better way to go about this?  Or would I have to make two Configuration Items by OS.... (Win 7 and Win 8)?



Help with a Compliance Report that includes deployments states like 'downloaded' 'awaiting restart'


Can I get some help building a custom report or editing the default 'Overall Compliance' such that it can include the breakdown that is always provided in the 'Deployments' screen in 'Monitoring'?

I.e., rather than only returning Overall compliance: 'Compliant', 'Non Compliant', 'Unknown', I want the categories that the Deployments view lists: 'Compliant', 'Downloaded Updates', 'Awaiting restart', 'Waiting for maintenance window' etc.

Or does anyone know the table/view in the SCCM database that holds these states?

Thanks

How to add servers exclusion for FEP push install?


Hello,

I do have the setting enabled that SCCM 2012 should push its client and FEP AV to all servers and workstations which are joined to our domain.

Is there a way for me to add an exclusion for certain servers, so that the FEP client won't be pushed to them, or even the complete SCCM client won't be reinstalled?

Thanks

Best way to configure patching of multiple groups?

Howdy,

We're looking to start using Config Manager 2012 R2 to handle patching of our servers.  I'm looking for any advice or opinions as to how to set everything up to run in the best way.

We have 3 primary groups that we want to update:
QA/Dev Pilot group (~20 machines)
QA/Dev All group (~100 machines including the 20 above)
Production (~90 machines)

We want to do patching on the weekend and do each group on consecutive weekends.
Pilot - 3rd Saturday
QA/Dev - 4th Saturday
Prod - 1st Saturday

I'm just looking for the best way to set things up in SCCM to handle this.

We were going to have an Automatic Deployment Rule for each group and schedule them that way.
Then I saw something that said to just have 1 ADR that points to a collection that contains all those group collections and just set maintenance windows on each group collection to handle the scheduling.

I'm just trying to figure out if there's a "best" way to do this or if there are multiple ways that all lead to the same end result and it really doesn't matter which one we choose or what.

We're all still pretty new to SCCM so any advice would be much appreciated.

Thanks.

Custom Report - Show Deployed, But Not Installed, Security Updates

I'm trying to create a custom report that will show all patches that have been deployed, but have not been installed for a particular collection. Any ideas?

Using SCCM Compliance Settings to Change Desktop Wallpaper


Hi,

I need to use the SCCM compliance settings to change the existing wallpaper to a new one.

If yes, do we have to copy the new image locally on the machines, can this be done using compliance?
If not, how could we use the network location to do this?

I know the registry key to change this already.

SCCM 2012 R2 - Updates not installing


Hi all,

I have an SCCM 2012 R2 setup at a customer which has problems with distributing updates to the Windows 7 computers in the environment. The update group (with updates that are 100% sure required) is deployed to some test computers but the updates don't get installed. It is also configured to be able to install the updates without looking at any maintenance windows.  I see in the reporting that the updates are required, so in my opinion they should get installed.

I've checked the registry and the Windows Updates registry keys are pointing towards the right server (my SCCM primary site server). I've created a new software update group with fewer updates, same problem. 

What I find in the UpdatesDeployment.log on one of the test machines is rather strange:

Assignment {8209BD9C-A86C-460B-99B3-CD6364F8BD1B} has total CI = 2 UpdatesDeploymentAgent 29/09/2014 15:21:05 1244 (0x04DC)
Assignment ({8209BD9C-A86C-460B-99B3-CD6364F8BD1B}) reconnected to the existing job ({779CA9E2-ABB8-43E1-B8AE-F4A94BA8C761}) successfully. UpdatesDeploymentAgent 29/09/2014 15:21:05 1244 (0x04DC)
Assignment {c076f100-c2f7-43f9-a3f9-51fd33872b94} has total CI = 216 UpdatesDeploymentAgent 29/09/2014 15:21:05 1244 (0x04DC)
Assignment ({c076f100-c2f7-43f9-a3f9-51fd33872b94}) reconnected to the existing job ({A9758363-1871-4BD9-86D9-1BE0D82531AE}) successfully. UpdatesDeploymentAgent 29/09/2014 15:21:05 1244 (0x04DC)

OnPolicyModify for assignment ({8209BD9C-A86C-460B-99B3-CD6364F8BD1B})... UpdatesDeploymentAgent 29/09/2014 15:23:18 2740 (0x0AB4)
Work in progress for assignment {8209BD9C-A86C-460B-99B3-CD6364F8BD1B}, forced trigger (TriggerEnforce) will be attempted when done UpdatesDeploymentAgent 29/09/2014 15:23:18 2740 (0x0AB4)
EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0 UpdatesDeploymentAgent 29/09/2014 15:30:32 4532 (0x11B4)
EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0 UpdatesDeploymentAgent 29/09/2014 15:30:32 4000 (0x0FA0)
Message received: '<?xml version='1.0' ?><SoftwareUpdatesMessage MessageType='EvaluateAssignments'><UseCachedResults>False</UseCachedResults></SoftwareUpdatesMessage>' UpdatesDeploymentAgent 29/09/2014 15:46:47 4836 (0x12E4)
Removing scan history to force non cached results UpdatesDeploymentAgent 29/09/2014 15:46:47 4836 (0x12E4)
Assignment({8209BD9C-A86C-460B-99B3-CD6364F8BD1B}) already in progress state (AssignmentStateDetecting). No need to evaluate UpdatesDeploymentAgent 29/09/2014 15:46:47 4836 (0x12E4)
Assignment({c076f100-c2f7-43f9-a3f9-51fd33872b94}) already in progress state (AssignmentStateDetecting). No need to evaluate UpdatesDeploymentAgent 29/09/2014 15:46:47 4836 (0x12E4)
Evaluation initiated for (0) assignments. UpdatesDeploymentAgent 29/09/2014 15:46:47 4836 (0x12E4)
Message received: '<?xml version='1.0' ?><SoftwareUpdatesMessage MessageType='EvaluateAssignments'><UseCachedResults>True</UseCachedResults></SoftwareUpdatesMessage>' UpdatesDeploymentAgent 29/09/2014 17:06:31 6032 (0x1790)
Assignment({8209BD9C-A86C-460B-99B3-CD6364F8BD1B}) already in progress state (AssignmentStateDetecting). No need to evaluate UpdatesDeploymentAgent 29/09/2014 17:06:31 6032 (0x1790)
Assignment({c076f100-c2f7-43f9-a3f9-51fd33872b94}) already in progress state (AssignmentStateDetecting). No need to evaluate UpdatesDeploymentAgent 29/09/2014 17:06:31 6032 (0x1790)
Evaluation initiated for (0) assignments. UpdatesDeploymentAgent 29/09/2014 17:06:31 6032 (0x1790)
CUpdateAssignmentsManager received a SERVICEWINDOWEVENT START Event UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
Suspend activity in presentation mode is selected UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode. UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
Proceeding to non-business hours activites as presentation mode is off. UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
Auto install during non-business hours is disabled or never set, selecting only scheduled updates. UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates. UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
Attempting to install 0 updates UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
No actionable updates for install task. No attempt required. UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
Updates could not be installed at this time. Waiting for the next maintenance window. UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
CUpdateAssignmentsManager received a SERVICEWINDOWEVENT END Event UpdatesDeploymentAgent 30/09/2014 5:00:00 3132 (0x0C3C)
No current service window available to run updates assignment with time required = 1 UpdatesDeploymentAgent 30/09/2014 5:00:00 3132 (0x0C3C)
Attempting to cancel any job started at non-business hours. UpdatesDeploymentAgent 30/09/2014 5:00:00 3132 (0x0C3C)

There are several updates found in the assignment (2 in the first, 216 in the second). Some of them are required but still the log says: No actionable updates. 

The SERVICEWINDOWEVENT events originate from the business hours set in the client settings I suppose?

But I don't get why the log says "No current service window available to run updates assignment with time required = 1"

Any advice?

Kind regards,

Bert

Disable AV


I have a collection in SCCM 2012 R2 where I want SCCM installed, but not SCEP.  I created a client policy with a higher priority and Managed Endpoint, and set Install SCEP on Clients to No.  However, when I push SCCM to systems with this policy it is still installing SCEP.

To me, it looks like when the SCCM client is installed, the system is temporarily removed from collections based on OU until the next incremental/full update.  At that point it only has a policy for managing SCEP and installing it.

How can I exclude specific collections from getting SCEP?


Removing updates from deployment package causes replication issue


Hi,

We are on SCCM 2012 R2 CU1 and wondering if anyone noticed the same or if there is something we were doing wrong.

There were a few patches pulled back from deployment so we just edited the membership from the Software Update Group and also deleted these few updates from the deployment package. Unfortunately, the deployment package did not like deleting those updates from an active deployment and it started giving errors about missing updates when DPs were refreshed and would not replicate. As a workaround I had created empty folders for each update in the source location so the package can at least continue with replication but I believe that is not the right way of doing it. Would anyone know (other than a script) if removing updates like this really causes issues, or if there is something else at my site that caused the replication errors?

Thanks
