I am having a hard time trying to conceptualize ADRs. I would appreciate it if someone can let me know if I am on the right track here. 

The way I see it is I can set up an ADR for every 2nd Tuesday of every month (Patch Tuesday) to run to build my initial deployment to a pilot test group. Then I have to build subsequent deployments after that since ADRs can only build one deployment (the one for my pilot test group). 

My question is, should an ADR be used only for a pilot test deployment and not a production deployment?

Thank you very much everyone, I appreciate your help

Hi,

I'm planning for installing a System Center Updates Publisher. I will be using own PKI for certificate. Is this guide still valid for the cert?

http://blogs.technet.com/b/jasonlewis/archive/2011/07/12/system-center-updates-publisher-signing-certificate-requirements-amp-step-by-step-guide.aspx

I have a computer assigned a SCEP policy, that seems to have been found and Applied fine by the SCCM Client, looking at the registry.

I find the policy in the regkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent\GeneratedPolicy, With the DWORD values

Just a test to my computer (Excluded)                   REG_DWORD         0x00000002 (2)
Just a test to my computer (Scan Schedule)           REG_DWORD         0x00000002 (2)

What I have configured in this test policy is just "Limit CPU usage during scan to: 10%" and "Start the scheduled scan only when my PC is on but not in use"

But the SCEP Client, in the settings, do not show the correct settings. The CPU limit setting is set to 20% and the "Start the scheduled scan" setting is unchecked, these settings come from the "Default Client Antimalware Policy"

The EndpointProtectionAgent.log says:

Endpoint is triggered by WMI notification. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
EP State and Error Code didn't get changed, skip resend state message. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
State 1, error code 0 and detail message are not changed, skip updating registry value EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Previous state is same with current one: 1, skip notification. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.5.216.0. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
EP version 4.6.305.0 is already installed. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
EP 4.6.305.0 is installed, version is higher than expected installer version 4.5.216.0. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
The trigger 10 doesn't make ANY state change. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Handle EP AM policy. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Policy group lose, group name: Scan Schedule, settingKey: {d6961d76-070d-46af-b898-6d24562fb219}_201_201 EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Policy deployment result: <?xml version="1.0"?><Group Name="Scan Schedule">    <Policy Name="Just a test to my computer" State=2/>    <Policy Name="Default Client Antimalware Policy" State=1/></Group><Group Name="Threat Default Action">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Excluded">   <Policy Name="Default Client Antimalware Policy" State=2/>    <Policy Name="Just a test to my computer" State=2/></Group><Group Name="Realtime Config">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Advance Setting">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Spynet">   <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Signature Update">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Scan">   <Policy Name="Default Client Antimalware Policy" State=2/></Group> EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Generate Policy XML successfully at C:\Windows\CCM\EPAMPolicy.xml EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Generate AM Policy XML while EP is disabled. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)

Any idea what happened to the New settings?

Freddy

Hi all,

I have got from my manager case - I should take care for update all servers which are working in DMZ. I have added IP address range for DMZ servers. I can ping these servers by IP by not via DNS name. Problem is... I can't find it in SCCM console.

What I'm doing wrong guys?

Thank you for any suggestions...

Hi All

We have an environment of a CAS and a Primary site and approximately 15.000 Windows 7 computers

We implemented 3 months ago SCUP for the updates of Adobe everything works perfectly.

We have upgraded our servers to SCCM 2012 R2 CU2.

We now want our clients to be upgraded from SCCM 2012 R2 to SCCM 2012 R2 CU2.

I've imported the CU updates (cab file) into scup afterwards published these 4 updates in SCUP .

These 4 updates are now visible in SCCM underneath all software updates.

I want to deploy these CU2 updates with the monthly patches of November , can I handle these updates as a normal software update and deploy these updates at the same time as the other software updates for the month November.

Second question will the load of my primary server be a problem with the upgrade of the clients to CU2?

I hope someone can help me with these questions?

Regards

Johan

Hello all, 

I am fairly new to SCCM in general and would like to know if I am doing things right with regard to Windows updates.  

My setup:

I have one Windows 7 update group that has all updates as of about 3 weeks ago.  That package is deployed to a win7 collection of machines.

I also have an ADR rule to create a new package containing new Windows 7 updates (within the past year) every month and deploy to the same collection.  (I chose to create a new package due to the 1000 item limit in a package)

Will this setup work or am I doing something wrong here?  I really want to know what best practices are related to configuring update packages/adr for windows updates.

So I've read through some of the other threads I've seen on this and msot point to a boundary issue.  However, we've had our sit eup for 6 months or so now and we haven't changed any settings.  All of a sudden, this month none of our machines can get their updates.  They all just say Downloading (0% Complete)

I don't know what the problem might be but also don't know which logs to check for this.

The CAS.log file ie spammed with lines like this:

<![LOG[Location update from CTM for content 480d1725-7247-494e-b208-ca70ec17ebdb.1 and request {9AC5A063-BEB6-4B39-B37E-EB8FD3FB31C3}]LOG]!><time="14:20:12.834+360" date="11-03-2014" component="ContentAccess" context="" type="1" thread="10916" file="downloadcontentrequest.cpp:1022"><![LOG[Download request only, ignoring location update]LOG]!><time="14:20:12.834+360" date="11-03-2014" component="ContentAccess" context="" type="1" thread="10916" file="downloadcontentrequest.cpp:1039">

Hello,

I am trying to deploy Office 2010 updates to a group of PC's. I am doing everything my normal way, the same how I rollout Windows 7 updates in SCCM. But I just don't get why 2 of my 10 test machines will not download the updates. They go straight to Not-compliant - I have checked the CCMCache and they are not downloading the updates. This is what is logged in UpdatesStore.log:

Every update's status=missing...

Can anyone help me out with this?

Almost all of the ConfigMgr 2012 R2 Clients are failing to install software updates.

When I look updateshandler.log I see lot's of errors:

Deployment status shows:

Hi All,

I have facing WSUS sync issue on few SUP's suddenly, sync was working fine earlier.

SUP, IIS configuration settings are fine, even i re-installed SUP on one of server but no luck.

relative logs as below,

WCM.Log

Attempting connection to WSUS server: SERVER.DOMAIN.COM, port: 8531, useSSL: True SMS_WSUS_CONFIGURATION_MANAGER 11/4/2014 10:07:33 AM 3176 (0x0C68)
Successfully connected to server: SERVER.DOMAIN.COM, port: 8531, useSSL: True SMS_WSUS_CONFIGURATION_MANAGER 11/4/2014 10:07:33 AM 3176 (0x0C68)
Verify Upstream Server settings on the Active WSUS Server SMS_WSUS_CONFIGURATION_MANAGER 11/4/2014 10:07:33 AM 3176 (0x0C68)
No changes - WSUS Server settings are correctly configured and Upstream Server is set to goamsapp233.kworld.kpmg.com SMS_WSUS_CONFIGURATION_MANAGER 11/4/2014 10:07:33 AM 3176 (0x0C68)
WSUS Server configuration has been updated. Updating Group Info. SMS_WSUS_CONFIGURATION_MANAGER 11/4/2014 10:07:33 AM 3176 (0x0C68)
Updating Group Info for WSUS. SMS_WSUS_CONFIGURATION_MANAGER 11/4/2014 10:07:33 AM 3176 (0x0C68)
Attempting connection to WSUS server: SERVER.DOMAIN.COM, port: 8531, useSSL: True SMS_WSUS_CONFIGURATION_MANAGER 11/4/2014 10:07:33 AM 3176 (0x0C68)
Successfully connected to server: SERVER.DOMAIN.COM, port: 8531, useSSL: True SMS_WSUS_CONFIGURATION_MANAGER 11/4/2014 10:07:33 AM 3176 (0x0C68)
HandleSMSClientPublication failed. SMS_WSUS_CONFIGURATION_MANAGER 11/4/2014 10:10:33 AM 3176 (0x0C68)
Waiting for changes for 57 minutes SMS_WSUS_CONFIGURATION_MANAGER 11/4/2014 10:10:33 AM 3176 (0x0C68)
Trigger event array index 0 ended. SMS_WSUS_CONFIGURATION_MANAGER 11/4/2014 10:30:34 AM 3176 (0x0C68)

WsyncMgr.log

Synchronizing WSUS server SERVER.DOMAIN.COM ... SMS_WSUS_SYNC_MANAGER 11/4/2014 9:54:49 AM 10324 (0x2854)
sync: Starting WSUS synchronization SMS_WSUS_SYNC_MANAGER 11/4/2014 9:54:49 AM 10324 (0x2854)
Sync failed: Unknown: InvalidOperationException: cannot save server configuration~~at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SaveServerConfigurationWithRetry(). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS SMS_WSUS_SYNC_MANAGER 11/4/2014 9:55:22 AM 2184 (0x0888)
STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SERVER.DOMAIN.COM SITE=PT1 PID=3024 TID=2184 GMTDATE=ter nov 04 09:55:22.223 2014 ISTR0="Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS" ISTR1="Unknown: InvalidOperationException: cannot save server configuration~~at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SaveServerConfigurationWithRetry()" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 11/4/2014 9:55:22 AM 2184 (0x0888)
Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 11/4/2014 9:55:22 AM 2184 (0x0888)
Setting sync alert to active state on site PT1 SMS_WSUS_SYNC_MANAGER 11/4/2014 9:55:22 AM 2184 (0x0888)
Sync time: 0d00h00m34s SMS_WSUS_SYNC_MANAGER 11/4/2014 9:55:22 AM 2184 (0x0888)
Wakeup by SCF change SMS_WSUS_SYNC_MANAGER 11/4/2014 10:30:34 AM 2184 (0x0888)
Next scheduled sync is a retry sync at 04/11/2014 10:55:22 SMS_WSUS_SYNC_MANAGER 11/4/2014 10:30:39 AM 2184 (0x0888)
Wakeup for scheduled retry sync SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:22 AM 2184 (0x0888)
Starting Sync SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:22 AM 2184 (0x0888)
Performing sync on retry schedule SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:22 AM 2184 (0x0888)
Read SUPs from SCF for SERVER.DOMAIN.COM SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:22 AM 2184 (0x0888)
Found 1 SUPs SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:22 AM 2184 (0x0888)
Found active SUP SERVER.DOMAIN.COM from SCF File. SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:22 AM 2184 (0x0888)
STATMSG: ID=6701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SERVER.DOMAIN.COM SITE=PT1 PID=3024 TID=2184 GMTDATE=ter nov 04 10:55:22.188 2014 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:22 AM 2184 (0x0888)
Synchronizing WSUS server SERVER.DOMAIN.COM SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:23 AM 2184 (0x0888)
STATMSG: ID=6704 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SERVER.DOMAIN.COM SITE=PT1 PID=3024 TID=2184 GMTDATE=ter nov 04 10:55:23.345 2014 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:23 AM 2184 (0x0888)
Synchronizing WSUS server SERVER.DOMAIN.COM ... SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:23 AM 5008 (0x1390)
sync: Starting WSUS synchronization SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:23 AM 5008 (0x1390)
Sync failed: Unknown: InvalidOperationException: cannot save server configuration~~at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SaveServerConfigurationWithRetry(). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:54 AM 2184 (0x0888)
STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SERVER.DOMAIN.COM SITE=PT1 PID=3024 TID=2184 GMTDATE=ter nov 04 10:55:54.415 2014 ISTR0="Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS" ISTR1="Unknown: InvalidOperationException: cannot save server configuration~~at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SaveServerConfigurationWithRetry()" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:54 AM 2184 (0x0888)
Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:54 AM 2184 (0x0888)
Setting sync alert to active state on site PT1 SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:54 AM 2184 (0x0888)
Sync time: 0d00h00m32s SMS_WSUS_SYNC_MANAGER 11/4/2014 10:55:54 AM 2184 (0x0888)

----

Thanks in advance

SCCM 2012 SP1 with the client setting "Suspend BitLocker PIN enrty on restart" problem is after suspending the PIN entry and the system is retarted by SCCM the bitlocker PIN protector is resumed followed by another reboot. From the rebootcoordinator.log

Reboot initiated RebootCoordinator 10/1/2014 10:12:00 AM 844 (0x034C)
Retry resuming bit-locker TPM PIN protector. Retry count 1 RebootCoordinator 10/1/2014 10:16:55 AM 4588 (0x11EC)
Attempting to resume TPM PIN protector. RebootCoordinator 10/1/2014 10:16:55 AM 4588 (0x11EC)
Resumed bit-locker protectors on system volume RebootCoordinator 10/1/2014 10:16:58 AM 4588 (0x11EC)
Retry resuming bit-locker TPM PIN protector. Retry count 1 RebootCoordinator 10/1/2014 10:21:08 AM 1108 (0x0454)
Didn't suspended bit-locker. Do nothing and return. RebootCoordinator 10/1/2014 10:21:08 AM 1108 (0x0454)
Entered ScheduleRebootImpl - requested from 'UpdatesDeploymentAgent'. Rebootby = 0. RebootCoordinator 10/1/2014 10:21:09 AM 4728 (0x1278)
Scheduled non mandatory reboot from agent UpdatesDeploymentAgent RebootCoordinator 10/1/2014 10:21:09 AM 4728 (0x1278)
Raising client SDK event for class NULL, instance NULL, actionType 3l, value NULL, user NULL, session 4294967295l, level 0l, verbosity 30l RebootCoordinator 10/1/2014 10:21:09 AM 4728 (0x1278)

So when you log on the prompt for restart ballon starts showing up

Thanks.

Hello-

I am trying to deploy an update for Windows Server 2012R2 (KB2919355) and it is failing on a number of servers. I see thin in the event log:

Update 8452bac0-bf53-4fbd-915d-499de08c338b did not finish in allocated time 300 seconds.

How can I change the timeout? It is being deployed as part of a Software Update Group in CM2012R2. All the other updates install just fine. I think if I could adjust this timeout setting it will go though.

-TIA

Hi,

I have been using WSUS forever and have just made a very painful change over to SCCM 2012 SUP. In a room full of experienced WSUS users and facing a handover of SCCM SUP, I really need to have this question answered - What, if any, are the advantages of SCCM2012 SUP over WSUS. It's certainly not ease of use, ease of implementation or understandability.

Even if i accept that yes, they are two different things now and i shouldn't think of SCCM as being like WSUS, I still have to compare and contrast, honestly, what they do and how they do it

WSUS is ridiculously easy in comparison to SUP. With WSUS, I install it, create some GPOs and assign to OUs. I create security groups and add the servers in scope to to thoise groups and those security groups to the policy. I have different groups set up to keep separation of DCs and APP servers and SQL and SCCM and Antivirus servers and workstations

If needs be i have a text list of all my servers/workstations and can individually target using PSEXEC to run wuauclt on any number of clients. It works great and is easily understandable

Now, enter SCCM 2010 and SUP.
The first thing i HAD to know was the last thing i learned. And not from Microsoft.That is that there is really only one method now, imposed by limitations on Software Update Groups and Deployment packages. You can only create a package of 1000 or less updates

This means chopping up your historic updates and having them deployed as a separate strategy from your newer updates cycles

Secondly, every month from now on you will need to create and sort your updates into a meaningful Update Group and Deployment package - even if you set up an Automatic Deployment rule, you still need to manually create your Update Groups

You can only have one deployment package per update group and will need one software update group per "type" of install (available or Required) AND you will need one software update group and deployment package PER COLLECTION!

To make this work as simply as possible, it will mean having two collections Available and Required (for example)
Each collection will have a SUG associated with it (each with a limit of 1000 updates remember). Each group of circa 1000 updates takes about 2+ hours to compile and you will have a minimum of 5 groups per collection to get up to October 2014
After this your ADRs should now do it all for you but lack the ability to create update groups so you have to do this manually every month beforehand. Whew!!

Thirdly, in the background, WSUS still downloads metadata. In SCCM you should be pointing every update group manually to this folder. Same with Deployment packages and ADRs. Why is this not built-in - intuitive? These are then copied and downloaded as full packages into their respectively (manually) created source folders

Now, when updates expire or are superseded, you have to manually replace them from each SUG

And also quite a big thing i havent heard anyone else comment on, is the fact that these updates are now NOT shown in the Windows Update feature - they now appear in the Software Center - so now the Servers i sent "Available" updates have to be logged onto and manually installed - instead of being able to individually target them like i did with PSEXEC and wuauclt

And logging?? There are at least 100 different logs to look at using the Trace Log Tool. It's a full time job just figuring out what logs to look at to resolve any problems

This is, in my opinion, a really poor effort and the documentaion is wildly inconsistent across many forums.

Some kind of standard document is needed. And i say this after having followed Microsoft's own documentation and using technet forums

I, for one, just need one BIG question answered for now - how do i remove the SCCM SUP client and revert back to wuauclt on all my clients - if i remove SUP from SCCM will it remove the client from the clients?

Hi!

I've deployed the patches released in October 2014 to 8 servers running Windows 2003 Server SP2, these are webservers, they connect to a SQL 2000 Server and this one hasn't been patched with this release.  After the servers were patched we reboot them, and when they start again the Webservice failded to connect to the database, the owner claims that this error is caused due the patch installation, the workaround was the change of the connection string from this:

<add key="xxxx_Connection"  value="Driver={SQL Server};Server=xxxxxxx;Database=xxxxx;uid=xxx;pwd=xx;" />  

to this:

<add key="xxx_Connection"  value="packet size=4096;data source=<server fqdn>;initial catalog=xxx;User ID=xx;pwd=xx;" />

I don't know any patch that could be affecting this but I need to ask to be sure.

thanks

Hello, Is there a report for seeing a list of all installed updates?

What I would really like is a report of all installed updates on all computers within a collection.

We have had a lot of problems recently with Surface Pro's not restarting and losing connection to wifi among other various issues. Mgmt would like to see a comparable list of what is installed on the computers.

Hi 

Recently my SCCM 2012 software update is not syncing with microsoft update, am getting below error.  can any one suggest/help me how to resolve this issue.