Channel: Configuration Manager 2012 - Security, Updates and Compliance forum
Viewing all 6382 articles

Confusion as how to handle monthly software updates

I'm struggling to wrap my head around the proper way of handling software update delivery through Configuration Manager 2012 R2.  I'm hoping you guys and gals can set me straight.  Anyway, here is my question.

I have an ADR configured that grabs all updates released or revised in the past 1 month.  For the month of October the ADR grabbed all updates released in October, however, it also grabbed updates that were revised in October but were originally released in September.  So, now the same update exists in my software update groups (and same deployment package) for both September and October.  I've also had an instance in August where some updates were revised that were originally released in 2011.  In that case, I had updates existing in my August 2014 software group as well as my 2011 group (and two different deployment packages).  What is the proper way of handling this scenario?  Does it hurt that these updates exist in multiple groups?  Should I perform some type of cleanup? Please help me understand this.  Thanks :)


Updates problems

I have installed SCCM 2012 R2 following the methods given by internet articles. And now I have some problems during setting the updates configuration:

1. I can not deploy all the packets in one soft group. I think the highest number of packets is 1000?

2. So I have to deploy the packets with each product. The software update packets appear sometimes but sometimes not. Do I deploy so many?

3. Is the group policy necessary anymore? 

4. Can the custom update silently without the notice or choosing the packets?

5. I have set a secondary site, and set the auto-deploy rules using the main site for the source. I find the same folder structures in the disk of the secondary site, but empty folders, what's wrong?


Issue getting SCCM to show KB2998527 (Russia timezone patch) in all software updates

Hello,

We are having issues getting the September 2014 Russia timezone patch to show up in SCCM all software updates list.  My colleague did make sure to change WSUS to include it and he did manually get it.  When we go into SCCM, we are unable to still get it to show up in the list even after doing an update sync.

Please let us know how we can get this update to show up in the list as we would like to deploy it company-wide.

Thank you.

Justin


Sources are current and valid. TTLs are however, invalid. Failed to attach update to the automation wrapper, error = 0x87d00215

Hi,

I recently tried to deploy Windows 7 update to my client computers. I am able to download and distribute it to DP, but somehow it wouldn't install into my client computers. Can anyone help me? Below text is copied from my scanagent.log and updatesdeployment.log files from my client computer.

Any assistance is highly appreciated.

Scanagent.log

- - Calling back to client on Scan request complete... ScanAgent 4/10/2014 8:01:17 AM 77868 (0x1302C)
CScanAgent::ScanComplete- Scan completion received. ScanAgent 4/10/2014 8:01:17 AM 77868 (0x1302C)
- -Processing Scan Job TTL invalidity request ScanAgent 4/10/2014 8:04:34 AM 75864 (0x12858)
- -Processing Scan Job TTL invalidity request ScanAgent 4/10/2014 8:09:29 AM 80536 (0x13A98)
*****ScanByUpdates request received with ForceReScan=0, ScanOptions=0x00000008,  WSUSLocationTimeout = 604800 ScanAgent 4/10/2014 8:50:32 AM 90080 (0x15FE0)
- - -Evaluating Update Status... ScanAgent 4/10/2014 8:50:32 AM 90080 (0x15FE0)
Found CategoryID of :bfe5b177-a086-47a0-b102-097e4fa1f807 for Update:eaf2ae60-e6f3-4d39-a014-ae25e07361a6 ScanAgent 4/10/2014 8:50:32 AM 90080 (0x15FE0)
CScanAgent::ScanByUpdates - Found UpdateClassification 0fa1201d-4330-4fa8-8ae9-b877473b6441 for Update:eaf2ae60-e6f3-4d39-a014-ae25e07361a6 ScanAgent 4/10/2014 8:50:32 AM 90080 (0x15FE0)
Sources are current and valid. TTLs are however, invalid. ScanAgent 4/10/2014 8:50:32 AM 90080 (0x15FE0)
Sources are Valid, so converting to Offline Scan. ScanAgent 4/10/2014 8:50:32 AM 90080 (0x15FE0)
ScanJob({1B5BE021-EAEF-43E2-A7A2-329D803F2248}): CScanJob::Scan- Requesting Offline Scan with last known location. ScanAgent 4/10/2014 8:50:32 AM 90080 (0x15FE0)
No CatScan history exists ScanAgent 4/10/2014 8:50:32 AM 94188 (0x16FEC)
Sources are current and valid. TTLs are however, invalid. ScanAgent 4/10/2014 8:50:32 AM 94188 (0x16FEC)
ScanJob({1B5BE021-EAEF-43E2-A7A2-329D803F2248}): CScanJob::Execute- Requesting scan with CategoryIDs=BFE5B177-A086-47A0-B102-097E4FA1F807 ScanAgent 4/10/2014 8:50:32 AM 94188 (0x16FEC)
ScanJob({1B5BE021-EAEF-43E2-A7A2-329D803F2248}): Scan Succeeded, setting flag that performed scan was catscan ScanAgent 4/10/2014 8:50:41 AM 94188 (0x16FEC)
ScanJob({1B5BE021-EAEF-43E2-A7A2-329D803F2248}): CScanJob::OnScanComplete - Scan completed successfully, ScanType=2 ScanAgent 4/10/2014 8:50:41 AM 94188 (0x16FEC)
ScanJob({1B5BE021-EAEF-43E2-A7A2-329D803F2248}): CScanJobManager::OnScanComplete -ScanJob is completed. ScanAgent 4/10/2014 8:50:41 AM 94188 (0x16FEC)
ScanJob({1B5BE021-EAEF-43E2-A7A2-329D803F2248}): CScanJobManager::OnScanComplete - Reporting Scan request complete to clients... ScanAgent 4/10/2014 8:50:41 AM 94188 (0x16FEC)
- - -Evaluating Update Status... ScanAgent 4/10/2014 8:50:41 AM 90080 (0x15FE0)
- - Calling back to client on Scan request complete... ScanAgent 4/10/2014 8:50:41 AM 90080 (0x15FE0)




UpdatesDeployment.log

Message received: '<?xml version='1.0' ?><SoftwareUpdatesMessage MessageType='EvaluateAssignments'><UseCachedResults>False</UseCachedResults></SoftwareUpdatesMessage>' UpdatesDeploymentAgent 4/10/2014 8:04:34 AM 75864 (0x12858)
Removing scan history to force non cached results UpdatesDeploymentAgent 4/10/2014 8:04:34 AM 75864 (0x12858)
Evaluation initiated for (0) assignments. UpdatesDeploymentAgent 4/10/2014 8:04:34 AM 75864 (0x12858)
Message received: '<?xml version='1.0' ?><SoftwareUpdatesMessage MessageType='EvaluateAssignments'><UseCachedResults>False</UseCachedResults></SoftwareUpdatesMessage>' UpdatesDeploymentAgent 4/10/2014 8:09:29 AM 80536 (0x13A98)
Removing scan history to force non cached results UpdatesDeploymentAgent 4/10/2014 8:09:29 AM 80536 (0x13A98)
Evaluation initiated for (0) assignments. UpdatesDeploymentAgent 4/10/2014 8:09:29 AM 80536 (0x13A98)
Message received: '<?xml version='1.0' ?>
 <CIAssignmentMessage MessageType='EnforcementDeadline'>
     <AssignmentID>{85D3A208-0AE4-46F6-87C3-8A94CCA8361C}</AssignmentID>
 </CIAssignmentMessage>' UpdatesDeploymentAgent 4/10/2014 8:50:32 AM 94188 (0x16FEC)
Assignment {85D3A208-0AE4-46F6-87C3-8A94CCA8361C} has total CI = 1 UpdatesDeploymentAgent 4/10/2014 8:50:32 AM 94188 (0x16FEC)
Deadline received for assignment ({85D3A208-0AE4-46F6-87C3-8A94CCA8361C}) UpdatesDeploymentAgent 4/10/2014 8:50:32 AM 94188 (0x16FEC)
Detection job ({D4D22069-E341-476B-9048-4C4FAFF7075D}) started for assignment ({85D3A208-0AE4-46F6-87C3-8A94CCA8361C}) UpdatesDeploymentAgent 4/10/2014 8:50:32 AM 94188 (0x16FEC)
DetectJob completion received for assignment ({85D3A208-0AE4-46F6-87C3-8A94CCA8361C}) UpdatesDeploymentAgent 4/10/2014 8:50:41 AM 94188 (0x16FEC)
Raising client SDK event for class CCM_SoftwareUpdate, instance CCM_SoftwareUpdate.UpdateID="Site_95D1BDFA-B063-4820-8D5D-497ECA9F10BB/SUM_eaf2ae60-e6f3-4d39-a014-ae25e07361a6", actionType 12l, value NULL, user NULL, session 4294967295l, level 0l, verbosity 30l UpdatesDeploymentAgent 4/10/2014 8:50:41 AM 94188 (0x16FEC)
Update (Site_95D1BDFA-B063-4820-8D5D-497ECA9F10BB/SUM_eaf2ae60-e6f3-4d39-a014-ae25e07361a6) added to the targeted list of deployment ({85D3A208-0AE4-46F6-87C3-8A94CCA8361C}) UpdatesDeploymentAgent 4/10/2014 8:50:41 AM 94188 (0x16FEC)
Failed to attach update to the automation wrapper, error = 0x87d00215 UpdatesDeploymentAgent 4/10/2014 8:50:41 AM 83412 (0x145D4)







SCCM 2012 R2 - Updates not installing

Hi all,

I have a SCCM 2012 R2 setup at a customer which has problems with distributing updates to the Windows 7 computers in the environment. The update group (with updates that are 100% sure required) is deployed to some test computers but the updates don't get installed. It is also configured to be able to install the updates without looking at any maintenance windows.  I see in the reporting that the updates are required, so in my opinion they should get installed.

I've checked the registry and the Windows Updates registry keys are pointing towards the right server (my SCCM primary site server). I've created a new software update group with fewer updates, same problem. 

What I find in the UpdatesDeployment.log on one of the test machines is rather strange:

Assignment {8209BD9C-A86C-460B-99B3-CD6364F8BD1B} has total CI = 2 UpdatesDeploymentAgent 29/09/2014 15:21:05 1244 (0x04DC)
Assignment ({8209BD9C-A86C-460B-99B3-CD6364F8BD1B}) reconnected to the existing job ({779CA9E2-ABB8-43E1-B8AE-F4A94BA8C761}) successfully. UpdatesDeploymentAgent 29/09/2014 15:21:05 1244 (0x04DC)
Assignment {c076f100-c2f7-43f9-a3f9-51fd33872b94} has total CI = 216 UpdatesDeploymentAgent 29/09/2014 15:21:05 1244 (0x04DC)
Assignment ({c076f100-c2f7-43f9-a3f9-51fd33872b94}) reconnected to the existing job ({A9758363-1871-4BD9-86D9-1BE0D82531AE}) successfully. UpdatesDeploymentAgent 29/09/2014 15:21:05 1244 (0x04DC)

OnPolicyModify for assignment ({8209BD9C-A86C-460B-99B3-CD6364F8BD1B})... UpdatesDeploymentAgent 29/09/2014 15:23:18 2740 (0x0AB4)
Work in progress for assignment {8209BD9C-A86C-460B-99B3-CD6364F8BD1B}, forced trigger (TriggerEnforce) will be attempted when done UpdatesDeploymentAgent 29/09/2014 15:23:18 2740 (0x0AB4)
EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0 UpdatesDeploymentAgent 29/09/2014 15:30:32 4532 (0x11B4)
EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0 UpdatesDeploymentAgent 29/09/2014 15:30:32 4000 (0x0FA0)
Message received: '<?xml version='1.0' ?><SoftwareUpdatesMessage MessageType='EvaluateAssignments'><UseCachedResults>False</UseCachedResults></SoftwareUpdatesMessage>' UpdatesDeploymentAgent 29/09/2014 15:46:47 4836 (0x12E4)
Removing scan history to force non cached results UpdatesDeploymentAgent 29/09/2014 15:46:47 4836 (0x12E4)
Assignment({8209BD9C-A86C-460B-99B3-CD6364F8BD1B}) already in progress state (AssignmentStateDetecting). No need to evaluate UpdatesDeploymentAgent 29/09/2014 15:46:47 4836 (0x12E4)
Assignment({c076f100-c2f7-43f9-a3f9-51fd33872b94}) already in progress state (AssignmentStateDetecting). No need to evaluate UpdatesDeploymentAgent 29/09/2014 15:46:47 4836 (0x12E4)
Evaluation initiated for (0) assignments. UpdatesDeploymentAgent 29/09/2014 15:46:47 4836 (0x12E4)
Message received: '<?xml version='1.0' ?><SoftwareUpdatesMessage MessageType='EvaluateAssignments'><UseCachedResults>True</UseCachedResults></SoftwareUpdatesMessage>' UpdatesDeploymentAgent 29/09/2014 17:06:31 6032 (0x1790)
Assignment({8209BD9C-A86C-460B-99B3-CD6364F8BD1B}) already in progress state (AssignmentStateDetecting). No need to evaluate UpdatesDeploymentAgent 29/09/2014 17:06:31 6032 (0x1790)
Assignment({c076f100-c2f7-43f9-a3f9-51fd33872b94}) already in progress state (AssignmentStateDetecting). No need to evaluate UpdatesDeploymentAgent 29/09/2014 17:06:31 6032 (0x1790)
Evaluation initiated for (0) assignments. UpdatesDeploymentAgent 29/09/2014 17:06:31 6032 (0x1790)
CUpdateAssignmentsManager received a SERVICEWINDOWEVENT START Event UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
Suspend activity in presentation mode is selected UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode. UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
Proceeding to non-business hours activites as presentation mode is off. UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
Auto install during non-business hours is disabled or never set, selecting only scheduled updates. UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates. UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
Attempting to install 0 updates UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
No actionable updates for install task. No attempt required. UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
Updates could not be installed at this time. Waiting for the next maintenance window. UpdatesDeploymentAgent 29/09/2014 22:00:00 3240 (0x0CA8)
CUpdateAssignmentsManager received a SERVICEWINDOWEVENT END Event UpdatesDeploymentAgent 30/09/2014 5:00:00 3132 (0x0C3C)
No current service window available to run updates assignment with time required = 1 UpdatesDeploymentAgent 30/09/2014 5:00:00 3132 (0x0C3C)
Attempting to cancel any job started at non-business hours. UpdatesDeploymentAgent 30/09/2014 5:00:00 3132 (0x0C3C)

There are several updates found in the assignment (2 in the first, 216 in the second). Some of them are required but still the log says: No actionable updates. 

The SERVICEWINDOWEVENT events originate from the business hours set in the client settings I suppose?

But I don't get why the log says "No current service window available to run updates assignment with time required = 1"

Any advice?

Kind regards,

Bert

Help with a Compliance Report that includes deployments states like 'downloaded' 'awaiting restart'

Can I get some help building a custom report or editing the default 'Overall Compliance' such that it can include the breakdown that is always provided in 'Deployments' screen in 'Monitoring'.

I.e. rather than only returning Overall compliance: 'Compliant', 'Non Compliant', 'Unknown', I want the categories that Deployments view lists: 'Compliant', 'Downloaded Updates', 'Awaiting restart', 'Waiting for maintenance window' etc.

Or does anyone know the table/view in the SCCM database that holds these states?

Thanks

SCCM Malware Detected Old List

There are cleaned computers still on the list of "Malware Detected" computers after 3 weeks.

How can I remove old information?

Thank you,

"Error: 0x800705B4. This operation returned because the timeout period expired"

Hello,

I deployed security updates Mid October 201, however some clients failed to install with the error "0x800705B4 this operation returned because the timeout period expired when installing updates".

Although I saw an article, this did not address the issue. It was advised that I temporarily disable any third party antivirus software and firewall. Unfortunately, we use SEP antivirus and any attempt to disable it would yank the clients off the network. Windows Firewall is also disabled on these clients.

Can anyone help urgently?


Identify application and software update deployments with "Override Maintenance Windows" enabled with Powershell

I'd like to identify all Application and Software update deployments that are overriding Maintenance windows with Powershell.

If anyone can give me a heads up on how this can be done I'd greatly appreciate it.

I've combed through the Configuration Manager Powershell cmdlets and have come up empty handed.

Currently I've found a handful of them but have a lot more deployments to look through manually.

Problem is, every deployment set to ignore maintenance windows causes my Windows embedded ThinClients to reboot to servicing mode, which of course locks out my users until it's all done. The fact that they are rebooting isn't the problem because that's just how updates are handled for Embedded systems. I just need to find new deployments with this option set so I can quickly turn them off when they are created by other coworkers.

Thank you in advance


Supersedence not reflecting in SCCM 2012 R2 from WSUS

Customer pointed out that KB2868626 (MS13-095) was not showing up for their system (win 2003 SP2).  A quick look showed that it was not available on the SUM console.  Curiosity getting the better of me I looked at the WSUS and voilà, it was there! Looking closely it shows as being superseded by KB2918614 (MS14-049).  Ok, not out of the ordinary.  However in the SUM console looking at the update that supersedes KB2868626, there is no mention of it doing so.  If this is correct this only supersedes the update for win 2003, no other OS's.  There is no mention of being superseded on Microsoft's site.

So now I'm wondering if something got crossed somewhere.

Jim

 

SCCM 2012 GPO Settings

I have implemented the following

Windows Components -> Windows Update -> Configure Automatic Updates  =  Set to Disabled

System -> Internet Communication Management -> Internet Communication Settings -> Turn Off Access to All Windows Update Features = Set to Enabled

1) Would this prevent systems, specifically servers, from rebooting as well?

2) Are there any other GPOs which should be implemented, or should these suffice?


I just came across an article on the net which says setting the policies as I mentioned above also disables the client push to new systems?

Please let me know if this is really true?

Also if there are any other disadvantages.

Multiple Compliance Rules

I am trying to find the machines without the AV installed.

I created a single Configuration Item with two compliance rules specified for 32bit and 64bit machines, these rules were set to check for a particular registry folder, if it exists it will show compliant.

Baseline was created and deployed to a test collection containing two 32bit and two 64bit machines.

Only 64bit machines have reported as Compliant. When checking 32bit machines, it shows at the end of the report that Non compliant rule which was scanned was the one which was set for 64bit machines.

My intention in setting two rules was to check two registry entries, as it's different for 32 and 64bit machines. If it doesn't find the entry at one place, it can check at the other defined. I am not sure how it will differentiate between 32 or 64bit machines, so I set two rules to be scanned.

It seems that it scanned one of the two rules at random and once that was shown non compliant, it didn't check further, hence showing as non compliant.

Is that the case? If yes, how should I proceed?

KB2862966 KB2718704 KB2847077 Missing in SUP

Hello,

The three Windows Updates are missing in my SCCM SUP.

Anyone an idea?

Do I have to add more Products in the sync Settings?

wsyncmgr.log errors - Can't delete orphaned content folders

I obviously did something wrong when I dumped some Software Updates packages when learning this product.

My wsyncmgr.log is full of red errors like the following:

Failed to delete orphaned content folder \\servername\Packages$\SoftwareUpdate_Packages\Win7Win8-2011\0c88da7f-2df1-4618-9df4-7f353202ab0c, error 0x5

I read that 0x5 may be a permissions error. I looked at the folder permissions in this area and the server itself has full permissions. 

No luck finding this solution in the wide world yet.

Thanks for any advice.

SCEP client not updating settings after policy retrieval

I have a computer assigned a SCEP policy that seems to have been found and applied fine by the SCCM Client, looking at the registry.

I find the policy in the regkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent\GeneratedPolicy, with the DWORD values

Just a test to my computer (Excluded)                   REG_DWORD         0x00000002 (2)
Just a test to my computer (Scan Schedule)           REG_DWORD         0x00000002 (2)

What I have configured in this test policy is just "Limit CPU usage during scan to: 10%" and "Start the scheduled scan only when my PC is on but not in use"

But the SCEP Client, in the settings, does not show the correct settings. The CPU limit setting is set to 20% and the "Start the scheduled scan" setting is unchecked; these settings come from the "Default Client Antimalware Policy"

The EndpointProtectionAgent.log says:

Endpoint is triggered by WMI notification. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
EP State and Error Code didn't get changed, skip resend state message. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
State 1, error code 0 and detail message are not changed, skip updating registry value EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Previous state is same with current one: 1, skip notification. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.5.216.0. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
EP version 4.6.305.0 is already installed. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
EP 4.6.305.0 is installed, version is higher than expected installer version 4.5.216.0. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
The trigger 10 doesn't make ANY state change. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Handle EP AM policy. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Policy group lose, group name: Scan Schedule, settingKey: {d6961d76-070d-46af-b898-6d24562fb219}_201_201 EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Policy deployment result: <?xml version="1.0"?><Group Name="Scan Schedule">    <Policy Name="Just a test to my computer" State=2/>    <Policy Name="Default Client Antimalware Policy" State=1/></Group><Group Name="Threat Default Action">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Excluded">   <Policy Name="Default Client Antimalware Policy" State=2/>    <Policy Name="Just a test to my computer" State=2/></Group><Group Name="Realtime Config">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Advance Setting">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Spynet">   <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Signature Update">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Scan">   <Policy Name="Default Client Antimalware Policy" State=2/></Group> EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Generate Policy XML successfully at C:\Windows\CCM\EPAMPolicy.xml EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Generate AM Policy XML while EP is disabled. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)

Any idea what happened to the new settings?


Freddy


User Notifications

I'm a little stumped as to why our users are not seeing any notifications for impending software update installations.

From what I understand if I have set Display in Software Center and show all notifications in the deployment's User Experience, and Deployment deadline greater than 24 hours, remind user every (hour) in the Client Settings is 48 hours, then users should see a popup advising them on their options for the deployment (i.e. install now, delay to out of business hours, etc).

However it's been almost a week, and both of my test subjects have not seen any notification at all. Any ideas?


Andrew France - http://andrewsprivatecloud.wordpress.com

Upgrading to CU3 question

Hi,

We are currently running SCCM 2012 R2 and will be upgrading to CU3. Will we need to update all the clients/servers beforehand? Once we update the SCCM server, will communication stop between all the clients/servers until they are updated? TIA

Update Failed during installation on machines

Dear All,

I have deployed updates to the client machines. Up to the deadline, all machines were IN PROGRESS and all of them had downloaded the updates, so it was fine up to this point. But when the deadline was reached and installation started, most of them failed to install the updates and appeared in Error state. Digging further into this, I saw that a few updates had failed on many machines.

Q1. Now my query is: why did the updates fail, though there are machines on which the updates installed successfully?

Q2. How will these failed updates be installed automatically? Do I have to go seat by seat to re-trigger the installation?


Q3. I have made some changes in the client settings in the Software Update section. Like, I have set 2 hours to check re-deployment. Is that right to do, to ensure all failed updates are re-installed after the recheck?

Find attached snapshot for further reference.


 


REGARDS DANISH DANIE

SSL 3.0 POODLE Advisory

Hello,

We have been tasked by the IT security team to close any holes in the server infrastructure as far as SSL 3 POODLE vulnerability is concerned. Is it safe to assume that SCCM uses certificates (self-signed or otherwise) for various components? Even though we do not use https for client management I just wanted  to know if we need to be concerned about the self signed certificates which are being used for DP's. Do these certificates use SSL 3?

To disable SSL 3 on all Windows servers we are planning to configure the registry key and reboot the servers. Just wanted to know your thoughts on this.

Thanks in advance.
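
An added example, not part of the original post and not Microsoft's or the poster's own script: a PowerShell script that reports, and with `-Apply` sets, the Schannel registry values that turn off SSL 3.0 before the reboot the post mentions. The post does not name the key; the `Protocols\SSL 3.0` path below is the standard Schannel location, and the function and parameter names are illustrative.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Schannel reads these values at startup, so reboot after applying.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,                                  # without -Apply: report only
    [ValidateSet('Server', 'Client')]
    [string[]]$Role = @('Server')                    # add 'Client' to also block outbound SSL 3.0
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Get-Ssl3State {
    # Reads the two Schannel values for one role (hypothetical helper name).
    param([string]$RoleName)
    $path  = Join-Path $base $RoleName
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    # A missing key or value means the operating system default applies,
    # so only an explicit Enabled = 0 counts as "disabled" here.
    New-Object PSObject -Property @{
        Role              = $RoleName
        KeyExists         = [bool](Test-Path $path)
        Enabled           = $props.Enabled
        DisabledByDefault = $props.DisabledByDefault
        Ssl3Disabled      = ($props.Enabled -eq 0)
    } | Select-Object Role, KeyExists, Enabled, DisabledByDefault, Ssl3Disabled
}

function Set-Ssl3Disabled {
    # Creates the key if needed and writes Enabled = 0, DisabledByDefault = 1.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$RoleName)
    $path = Join-Path $base $RoleName
    if ($PSCmdlet.ShouldProcess($path, 'Set Enabled=0 and DisabledByDefault=1')) {
        if (-not (Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null   # -Force creates parent keys too
        }
        New-ItemProperty -Path $path -Name 'Enabled' -Value 0 `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

foreach ($r in $Role) {
    if ($Apply) { Set-Ssl3Disabled -RoleName $r }
    Get-Ssl3State -RoleName $r                       # state before or after the change
}
```

Running it with `-Apply -WhatIf` shows the writes that would be made without touching the registry, which is useful for checking a server before scheduling the change.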

SCCM2012R2-WSUS-"Install New Windows Update Software" message

I have set up WSUS. I have installed SUP on SCCM. I have created two collections, Available and Required, and split my computers between them.

I have deployed various Software Update groups in batches of less-than-a-thousand to get me to the point where I can use ADRs from now on. I have created an ADR for October's updates to deploy to "Required". It downloads (though only directly from MS - can't get it to just use the WSUS folder but that's another issue) and from what I can see it deploys fine.

I run Windows Update on my Test PC and Server and it says it's up to date. Great. Just to test though, I click on "Check for updates from Windows Update" and they both come back with "Install new Windows Update Software - To check for updates, you must first install an update for Windows Update. Your automatic settings will not change"

So I install that update (direct from Microsoft) and Windows update closes and re-opens as it says it will.

I run another check for updates and they both say "Up to date". So I check from Windows update again (since I have now installed this new update software that I would have thought my SUP WSUS would have installed).

Now from Microsoft's site they both have 45 important updates and 35 optional updates available. What?? So I check these updates in the list and they are all in the October package. Why aren't they available on my internal SUP/WSUS but they are available from MS Update?
