Channel: Configuration Manager 2012 - Security, Updates and Compliance forum

Multiple Compliance Rules

I am trying to find the machines without the AV installed.

I created a single Configuration Item with two compliance rules specified for 32-bit and 64-bit machines. These rules were set to check for a particular registry folder; if it exists it will show compliant.

Baseline was created and deployed to a test collection containing two 32bit and two 64bit machines.

Only 64-bit machines have reported as Compliant. When checking 32-bit machines, it shows at the end of the report that the non-compliant rule which was scanned was the one which was set for 64-bit machines.

My intention in setting two rules was to check two registry entries, as it's different for 32- and 64-bit machines. If it doesn't find the entry in one place, it can check at the other one defined. I am not sure how it will differentiate between 32- or 64-bit machines, so I set two rules to be scanned.

It seems that it scanned any rule out of the two randomly and once that was shown non-compliant, it didn't check further, hence showing as non-compliant.

Is it the case? If yes, how should I proceed?


SCCM 2012 client push occurs from site server or from distribution point?

I would like to set up client push in SCCM 2012 and I have a remote site with about 80 workstations that I would like to deploy the clients to using client push, but this remote site is VERY slow, as in less than 3Mbps slow. There is a remote DP located at this site and I wanted to know if the remote workstations will be hammering my Site Server across the WAN (or MP I guess since the MP role is installed on the Site Server) to request the client installation, or do the clients just request the client from the Site Server or MP and then the client downloads to the remote DP and then the workstations install the SCCM 2012 client from the local DP at the remote site?

I just do NOT want the WAN link to become overwhelmed with workstation requests to install the client and have the Site Server have to respond to each and every workstation and download the SCCM 2012 client to each system over this slow WAN link. 

How does the client push process actually work?

Thank you


Compliance Rule

Hi,

I have an application which when installed makes an entry in C:\Program Files\.

I need to use the compliance rules to check if the entry exists on the systems. But it should check under both folders, i.e.

C:\Program Files and C:\Program Files (x86),

if the application folder exists in any of these, it should show up as compliant.

Is there a script which someone could provide, please?
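One discovery script that checks every candidate location covers both this question and the 32-bit/64-bit registry rule question above. This is an added example, not code from either thread: the folder name 'ContosoApp' and the key 'SOFTWARE\Contoso\App' are placeholders, and it assumes PowerShell 3.0 or later on the client.

```powershell
# Added example, not from the forum thread. Configuration Item discovery
# script: returns 'Compliant' when the application's folder or registry
# key exists in ANY of its possible locations, so one rule covers both
# 32-bit and 64-bit Windows. The CI's compliance rule then only has to
# test that the script output equals 'Compliant'.
# Placeholders (assumptions): folder 'ContosoApp', key 'SOFTWARE\Contoso\App'.

$AppFolderName = 'ContosoApp'
$AppRegSubKey  = 'SOFTWARE\Contoso\App'

function Test-AppFolder {
    param([string]$FolderName)
    # All Program Files roots the OS exposes. On 32-bit Windows only
    # ProgramFiles is set; on 64-bit Windows ProgramFiles(x86) and
    # ProgramW6432 are set too, and ProgramW6432 still points at the
    # 64-bit folder even when this script runs in a 32-bit host.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramW6432) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        if (Test-Path -LiteralPath (Join-Path $root $FolderName) -PathType Container) {
            return $true
        }
    }
    return $false
}

function Test-AppRegKey {
    param([string]$SubKey)
    # Open HKLM explicitly in both registry views so the check does not
    # depend on WOW64 redirection of whichever host runs the script.
    # On 32-bit Windows the Registry64 view simply falls back to the 32-bit view.
    foreach ($view in @([Microsoft.Win32.RegistryView]::Registry64,
                        [Microsoft.Win32.RegistryView]::Registry32)) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key = $hklm.OpenSubKey($SubKey)
        if ($key) { $key.Close(); $hklm.Close(); return $true }
        $hklm.Close()
    }
    return $false
}

# Single string output for the CI to evaluate.
if ((Test-AppFolder $AppFolderName) -or (Test-AppRegKey $AppRegSubKey)) {
    'Compliant'
} else {
    'NonCompliant'
}
```

In the Configuration Item, use a setting of type Script with data type String, and a compliance rule that the value returned by the script must equal "Compliant". Because the script itself decides which locations apply, a 32-bit client is never judged against a rule written for the 64-bit path.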

No Service Windows Available - But Cannot Find the Cause

We had our first automated server patching run last night. The idea is to try and automate the patching of 20-30 servers overnight, without an engineer overseeing the installation process, just performing final ops checks in the morning.

So the setup is formed of multiple Device Collections with staggered 3-4 hour Maintenance Windows assigned to each.

One server reported this error in UpdatesDeployment.log:

No service window available to run updates assignment at 20:00:04

However, I don't quite understand why considering that:

  • The MW has been set to: 20:00 - 01:00
  • The Installation Deadline is set to 20:00

The next notable event, which follows the actual installation of updates is:

CUpdateAssignmentsManager received a SERVICEWINDOWEVENT START Eventat 21:31:41

I appreciate that SCCM as a whole cannot be expected to run like clockwork, to the minute, so I would like some understanding as to why it is behaving the way it did, and whether there are other logs I can check to see why it failed to identify the MW at 20:00.
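As an added example (not from the post), here is a PowerShell function that lists the maintenance windows the client itself has received, read from the CCM_ServiceWindow class in the client SDK WMI namespace, plus a helper to test whether a given time such as the 20:00:04 in UpdatesDeployment.log falls inside one of them. The property names used (ID, Type, StartTime, EndTime, Duration) and the server name are assumptions; the date in the usage line is constructed.

```powershell
# Added example, not from the post. Shows which maintenance windows the
# Configuration Manager client has actually received, so the "No service
# window available" line can be compared with the client's own view.
# Property names on CCM_ServiceWindow are assumed. Remote use needs WMI
# access to the client.

function Get-ClientServiceWindow {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\ccm\ClientSDK' -Class 'CCM_ServiceWindow' |
        ForEach-Object {
            [pscustomobject]@{
                ID        = $_.ID
                Type      = $_.Type     # numeric window type exactly as the client reports it
                StartTime = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.StartTime)
                EndTime   = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.EndTime)
                Duration  = $_.Duration
            }
        }
}

function Test-TimeInServiceWindow {
    param(
        [Parameter(Mandatory)][datetime]$At,
        [Parameter(Mandatory)][object[]]$Windows
    )
    # True when $At lies inside at least one window. The half-open interval
    # [StartTime, EndTime) matches "20:00 - 01:00" meaning up to, not including, 01:00.
    foreach ($w in $Windows) {
        if ($At -ge $w.StartTime -and $At -lt $w.EndTime) { return $true }
    }
    return $false
}

# Usage (server name and date are placeholders):
# $windows = Get-ClientServiceWindow -ComputerName 'SERVER01'
# $windows | Format-Table -AutoSize
# Test-TimeInServiceWindow -At (Get-Date '2014-11-05 20:00:04') -Windows $windows
```

The client exposes the upcoming instance of each window, so run the query before the window is due rather than the morning after; if the 20:00 window is missing from the list, the client never received the policy that carries it, which is a different problem from a timing mismatch.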

SCEP rollout for servers with policies

Hi,

I am in the process of upgrading my SCCM clients from 2007 to 2012 (with SCEP). While the clients have been seamless in the upgrade I am trying to get my head round pushing SCCM 2012 clients to my server estate, having SCEP install and the correct policies applied.

The thing that is confusing me is this - presumably I can't create collections based on installed software (eg Exchange) until the client is installed and a software inventory runs. But the client will install SCEP automatically and I don't want it going out with the default server exclusions, I want the Exchange policy to apply. Is there any way of prestaging this?

The only solution I can see is either to:

a) apply all policies to the servers collection and then relax the unwanted ones later on.

b) create a new custom client policy that doesn't install SCEP, push the SCCM client, let it report, build my collections and then revert to a custom client policy that does install SCEP and apply the right policies.

Have I missed something obvious here?

Many thanks for the assistance!

Brian.

Intranet Clients try to access SUP Point Over http instead of https

Hi

My internet clients on the DMZ network are trying to access my SUP server over http instead of https.

So the clients are not downloading any updates, here is my ContentTransferManager log on a DMZ Client

Persisted locations for CTM job {31F9D2B4-1289-4EB3-926F-83770BC6D294}:
 (LOCAL) net:http://wsus.ds.download.windowsupdate.com/msdownload/update/software/crup/2014/02/windows6.1-kb2929733-x64_8856fdc2cde01190e69f849eb279b4e6e0e1868a.cab

 switched to location 'http://xxx.xxx.xx/SMS_DP_SMSPKG$/a48042d8-b0e5-4246-9282-02c331ea184c

The client is activated as a PKI client in my SCCM site and everything else is working except for SUP.


Best regards Andreas

SCEP 2012 and VDI offline servicing

I've seen this question being asked before in another thread (Best practice to run Microsoft Endpoint Protection client in VDI environment) however the answer doesn't provide enough information (for me at least)

We are planning to use a Citrix XenDesktop environment with Provisioning services providing VDI clients. As far as I know the SCCM client will be installed in the VDI golden image and after some adjustments SCCM client registration will go well. We will also use SCCM 2012 and deploy SCEP 2012 for anti-malware scanning.

SCCM 2012 provides offline servicing for Software Updates in WIM images, but what is a best practice in keeping the VDIs up-to-date? I can't find any good information about this, so maybe the answer is very simple?... Is there a way to offline service the VDI image so Software Updates and Anti-Malware updates are injected in the image?
Or do the VDIs get updated as physical systems, at the time they are logged in to the network, discarding all changes when logging off? This doesn't seem the right way to go.

Any help would be appreciated.

thx. Niels

SCEP client not updating settings after policy retrieval

I have a computer assigned a SCEP policy that seems to have been found and applied fine by the SCCM client, looking at the registry.

I find the policy in the regkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent\GeneratedPolicy, with the DWORD values

Just a test to my computer (Excluded)                   REG_DWORD         0x00000002 (2)
Just a test to my computer (Scan Schedule)           REG_DWORD         0x00000002 (2)

What I have configured in this test policy is just "Limit CPU usage during scan to: 10%" and "Start the scheduled scan only when my PC is on but not in use"

But the SCEP client, in the settings, does not show the correct settings. The CPU limit setting is set to 20% and the "Start the scheduled scan" setting is unchecked; these settings come from the "Default Client Antimalware Policy".

The EndpointProtectionAgent.log says:

Endpoint is triggered by WMI notification. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
EP State and Error Code didn't get changed, skip resend state message. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
State 1, error code 0 and detail message are not changed, skip updating registry value EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Previous state is same with current one: 1, skip notification. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.5.216.0. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
EP version 4.6.305.0 is already installed. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
EP 4.6.305.0 is installed, version is higher than expected installer version 4.5.216.0. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
The trigger 10 doesn't make ANY state change. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Handle EP AM policy. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Policy group lose, group name: Scan Schedule, settingKey: {d6961d76-070d-46af-b898-6d24562fb219}_201_201 EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Policy deployment result: <?xml version="1.0"?><Group Name="Scan Schedule">    <Policy Name="Just a test to my computer" State=2/>    <Policy Name="Default Client Antimalware Policy" State=1/></Group><Group Name="Threat Default Action">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Excluded">   <Policy Name="Default Client Antimalware Policy" State=2/>    <Policy Name="Just a test to my computer" State=2/></Group><Group Name="Realtime Config">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Advance Setting">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Spynet">   <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Signature Update">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Scan">   <Policy Name="Default Client Antimalware Policy" State=2/></Group> EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Generate Policy XML successfully at C:\Windows\CCM\EPAMPolicy.xml EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
Generate AM Policy XML while EP is disabled. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)

Any idea what happened to the New settings?


Freddy


(WID Database)


Installing WSUS services requires selecting the internal database (WID Database). What are the advantages and disadvantages?

Need help with setting up a software update baseline

I have a remote site that has about 70 systems that have not been patched for the last 4 months due to the WSUS server going down and I am now just getting around to deploying SCCM 2012 there. 

Can one of you SCCM gurus, MCCs, MVPs, someone tell me if the following method makes any sense to you, and if so, is it a good idea? By the way, I already have a software update package that I use to drop Patch Tuesday updates into every month, but would

  1. Deploy the SCCM 2012 client to these 70 systems
  2. Sync with Microsoft to grab the updates metadata
  3. Run the Software Updates Scan cycle to determine what updates on the 70 systems at the remote site are required
  4. Create a search criteria to grab updates that fall within my company's patch policy (critical and security only)
  5. Download all of these updates into a package and name it after the following convention: SUM_Baseline
  6. Create the Software Update Group and name it after the following convention: SUM_Baseline_YYYYMMDD
  7. Deploy the SUG to the 70 systems located at the remote site

How does this look to you all?

One more thing, I have a Software Update package that I already use, but it is for Patch Tuesday ONLY patches, not Baseline patches. Does it make sense to have two packages, one for Patch Tuesday updates and one for Baseline updates?

My thinking is that the Patch Tuesday package is used for systems that are up to date and do not require prior patches. The Baseline package would be for systems that are either new, or for whatever reason have not been patched for quite some time. 

Also, is there any way to be able to just find out what updates are needed on a subset of systems in the SCCM 2012 console rather than all SCCM 2012 clients? I haven't figured out how to do this, or if it is even possible. Would I create a Software Updates Configuration Baseline for this?

If I can get some good feedback here I would very much appreciate it. 

Thanks everyone




Deploying Windows Updates from Secondary Site with SUP installed

Greetings, experts

I have a few questions on installing SUP on Secondary Sites.

============================================
Our IT environment is this

A. Servers are not installed with SCCM clients and are reporting to the WSUS Server on the Primary Site.

B. Client computers are installed with SCCM clients and are reporting to the WSUS Server on the Primary Site. However they are getting Endpoint Protection Definition from the SUP on Configuration Manager. On the WSUS server the Endpoint Protection Definition shows "Not Approved".

============================================

Recently, I installed WSUS Server on one of the Secondary Site servers in one of the remote offices (let's call this server WSUS server ServerB)

1. Previously the client computers were all reporting to the main WSUS server which is on the Primary Site server (let's call this server ServerA).

2. I have set the client computers that are residing in the same location as ServerB to report to ServerB for Windows updates via Group Policy, so they are no longer reporting to ServerA for Windows Updates. They reported to the server successfully and I can see what updates are required by each computer.

3. I installed SUP on ServerB; it was installed successfully, and a few days later I found out the clients' reporting dates are outdated and the dates are not being updated. I deleted the computers from ServerB. The client computers are listed back again automatically under Unassigned Computers but they are shown "Not Yet Reported" for a few days.

4. I researched online and found out that SUP on ServerB is set to "Do not create WSUS reporting events" and have set the SUP on ServerB via the Primary Site to "Create all WSUS reporting events". I followed the instructions here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/bd2b958c-c391-4a5e-9b00-67d0cdd56916/wsus-30-sp2-clients-not-reporting-in-but-seem-to-get-updates?forum=winserverwsus

Not sure if this will fix the problem as I have not seen any computers with "Not Yet Reported" to change to the current date on the ServerB WSUS Server.

============================================

Questions
1. Can Servers or client computers (without SCCM client installed) still report their status to ServerB which is now installed with SUP? We would want to see what updates are needed by the Windows Servers.

2. Can I still deploy Windows Updates from ServerB to the Servers which are located in the same area as ServerB?

3. I have set up SCUP on the Primary Site Server and have deployed Adobe Updates using SUP to the clients. It is working well. Will the clients connecting to ServerB get Adobe Updates as well?

Thank you for your time


Script to remotely initiate installing Available updates on a client

I am trying to find a way to remotely initiate updates deployed to a client as 'Available', like you would in Software Center when you click on them and 'Install'.

I need this for automation purposes in runbooks in Orchestrator.

Powershell ideally. Anyone know?

The only shell tools seem to be the usual Config Manager client 'Actions'. None of these include what I want.
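An added example (not from the post) of the Software Center "Install" action driven from PowerShell: it reads the client's CCM_SoftwareUpdate instances from the root\ccm\ClientSDK namespace and hands the ones that are still only available to CCM_SoftwareUpdatesManager.InstallUpdates. The function names, the computer name in the usage line and the EvaluationState values (0 = none, 1 = available) are assumptions drawn from the client SDK; it needs administrative rights on the target client.

```powershell
# Added example, not from the post. Starts installation of updates that a
# Configuration Manager client currently lists as available, the way a user
# would by selecting them in Software Center and clicking Install. Uses the
# client SDK classes CCM_SoftwareUpdate and CCM_SoftwareUpdatesManager.
# Assumptions: EvaluationState 0 = none, 1 = available; admin rights and
# WMI access on the target client.

function Get-AvailableClientUpdate {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\ccm\ClientSDK' -Class 'CCM_SoftwareUpdate' |
        Where-Object { $_.EvaluationState -eq 0 -or $_.EvaluationState -eq 1 }
}

function Install-AvailableClientUpdate {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$ArticleID    # optional KB numbers to restrict to, e.g. '2929733'
    )
    $updates = @(Get-AvailableClientUpdate -ComputerName $ComputerName)
    if ($ArticleID) {
        $updates = @($updates | Where-Object { $ArticleID -contains $_.ArticleID })
    }
    if ($updates.Count -eq 0) {
        Write-Verbose "No available updates on $ComputerName"
        return $null
    }
    $manager = [wmiclass]"\\$ComputerName\root\ccm\ClientSDK:CCM_SoftwareUpdatesManager"
    # InstallUpdates expects an array of CCM_SoftwareUpdate instances.
    $result = $manager.InstallUpdates([System.Management.ManagementObject[]]$updates)
    # ReturnValue 0 means the client accepted the request; progress then shows
    # in EvaluationState and in UpdatesDeployment.log on the client.
    [pscustomobject]@{
        ComputerName = $ComputerName
        Requested    = $updates.Count
        ReturnValue  = $result.ReturnValue
    }
}

# Usage (computer name is a placeholder):
# Install-AvailableClientUpdate -ComputerName 'WKS01' -Verbose
```

From an Orchestrator runbook this would run through a PowerShell activity; because the call only queues the installation, a follow-up step should poll EvaluationState (or the client's UpdatesDeployment.log) rather than treat ReturnValue 0 as "installed".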

Distribution Manager failed to process package triggers an update of the packages

Hi all,

we randomly have the following issue:
SCCM 2012 SP1 CAS takes a snapshot of a Windows update package in the morning (not sure how the frequency of this check is done). If for any reason it fails, SCCM automatically redistributes the package to all sites. This happened this morning again for 5 Windows updates packages. You understand that this means GB sent to all Secondary sites (66), with a useless amount of data sent out.

From the Status messages I see

Information	Milestone	RC0	06.11.2014 07:12:11	SCHVSGGSC600.rccad.net	SMS_DISTRIBUTION_MANAGER	2300	Distribution Manager is beginning to process package "SUP-2014.09" (package ID = RC00017B).


Then lot of updates lists with comment taking a snapshot and finally

Error	Milestone	RC0	06.11.2014 07:12:29	SCHVSGGSC600.rccad.net	SMS_DISTRIBUTION_MANAGER	2302	Distribution Manager failed to process package "SUP-2014.09" (package ID = RC00017B).    Possible cause: Distribution manager does not have access to either the package source directory or the distribution point.  Solution: Verify that distribution manager can access the package source directory/distribution point.    Possible cause: The package source directory contains files with long file names and the total length of the path exceeds the maximum length supported by the operating system.  Solution: Reduce the number of folders defined for the package, shorten the filename, or consider bundling the files using a compression utility.    Possible cause: There is not enough disk space available on the site server computer or the distribution point.  Solution: Verify that there is enough free disk space available on the site server computer and on the distribution point.    Possible cause: The package source directory contains files that might be in use by an active process.  Solution: Close any processes that maybe using files in the source directory.  If this failure persists, create an alternate copy of the source directory and update the package source to point to it.

This triggers immediately an update of all DPs

Information	Milestone	RC0	06.11.2014 07:43:52	SCHVSGGSC600.rccad.net	SMS_DISTRIBUTION_MANAGER	2304	Distribution Manager is retrying to distribute package "RC00017B".    Wait to see if the package is successfully distributed on the retry.

Any idea

  1. How this can be avoided, since nobody changed the package and we suppose it was a temp connection issue between the CAS and the package repository server
  2. If this check can be set up to once a week for instance or even less?

Thanks,

Marco

SCCM 2012 R2 CU3 - ADR Update 2K12R2

Hello,

I've some problems with update ADR (Full update 2K12R2 server).

So far everything worked perfectly but since a few days, the first 15 updates are installed correctly and then nothing ..

I inspected the logs and saw nothing unusual.

Any ideas?

Jérémy

Adding new Updates makes Reports show compliance status as "Enforcement state unknown". Old updates are still installing though.

Hi, Just wondering if anyone has seen this before and resolved it?

Basically, 2012 Software Updates have been working fine for over a year. Last month's Patch Tuesday updates were fine too.

However, this week I added a new update to a Software Update Group/deployment. This update did not deploy, and when I run a report, I get "Enforcement state unknown" for ALL clients in the collection. This happens to any deployment I amend. And also if I create a new update group and new deployment - same thing - "enforcement status unknown".

However, updates previous to this week continue to download and install fine for all deployments. Deployments which I have not changed appear to continue to report correctly (unknown, compliant, pending system restart, etc).

In the SCCM console for Software Updates, the "required" and "installed" figures are still showing correctly.

Custom software packages continue to download and install too.

All servers have sufficient disk space. Most collections don't have maintenance windows, and the deadlines are correct.

Not sure what this could be, a problem with the Management Point? But I can't see any errors in the "monitoring" view on the server. The client log files like "wuahandler.log" and "windowsUpdate.log" appear fine also, no obvious errors.

I can't see any evidence of a group policy conflict. The WSUS entry is still correct in the local group policy (GPEDIT.MSC/admin template/windows comp/ windows update).

Any ideas here? Thanks



system task 'policyevaluator_unlock ' returned error code 0x8000fff in Windows patch deployment on Windows 7 by SCCM 2012 SP1


Hi all,

I have faced the mentioned error in Win7's ccmexec.log file while doing Windows patch deployment on Windows 7 by SCCM 2012 SP1:

system task 'policyevaluator_unlock ' returned error code 0x8000fff


Kirpal Singh

[Solved partially] Sql query for updates compliance

Hello

I'm trying (with no success) to translate the "Software+Updates+-+A+Compliance%2fCompliance+1+-+Overall+compliance" report into a sql query that must run for a specific Software update group and for a specific Collection ID.

The expected result should be like the report itself, I mean 3 lines with a KPI (percentage).

The main query in this report is:

select
    CollectionID=@CollID,
    Status=sn.StateName,
    cs.NumberOfComputers,
    PComputers=convert(float, isnull(cs.NumberOfComputers, 0)*100.00) / isnull(nullif(cs.NumTotal, 0), 1),
    AuthListID=@AuthListID
from (select CI_ID, NumTotal, [0]=NumUnknown, [1]=NumPresent+NumNotApplicable, [2]=NumMissing
      from fn_rbac_UpdateSummaryPerCollection(@UserSIDs)
      where CI_ID=@CI_ID and CollectionID=@CollID
     ) cnt
unpivot (NumberOfComputers for [Status] in ([0], [1], [2])) cs
left join fn_rbac_StateNames(@UserSIDs) sn on sn.TopicType=300 and sn.StateID=cs.Status
where cs.NumberOfComputers>0
order by cs.NumberOfComputers desc

I have no clue on how to replace or use the fn_rbac views when run outside a report.

Can you please help me?

Thanks
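An added example (not from the post) of running the report's query directly from PowerShell against the site database. It assumes that the fn_rbac_* functions in the report are RBAC wrappers over the v_UpdateSummaryPerCollection and v_StateNames views, so the @UserSIDs parameter falls away for a direct query; that the caller has read access to the site database; and that the CI_ID of the software update group is supplied (it can be looked up by title in v_AuthListInfo, also an assumption). Server and database names in the usage line are placeholders.

```powershell
# Added example, not from the post. Runs the "Overall compliance" report
# query for one collection and one software update group outside SSRS.
# Assumptions: v_UpdateSummaryPerCollection and v_StateNames are the views
# behind the report's fn_rbac_* functions; the login can read the site DB.

function Get-SugComplianceSummary {
    param(
        [Parameter(Mandatory)][string]$SqlServer,      # e.g. 'SQL01'  (placeholder)
        [Parameter(Mandatory)][string]$Database,       # e.g. 'CM_RC0' (placeholder)
        [Parameter(Mandatory)][string]$CollectionID,
        [Parameter(Mandatory)][int]$CI_ID              # CI_ID of the software update group
    )
    $query = @"
SELECT CollectionID = @CollID,
       Status       = sn.StateName,
       cs.NumberOfComputers,
       PComputers   = CONVERT(float, ISNULL(cs.NumberOfComputers, 0) * 100.00)
                      / ISNULL(NULLIF(cs.NumTotal, 0), 1)
FROM (SELECT CI_ID, NumTotal,
             [0] = NumUnknown,
             [1] = NumPresent + NumNotApplicable,
             [2] = NumMissing
      FROM v_UpdateSummaryPerCollection
      WHERE CI_ID = @CI_ID AND CollectionID = @CollID) cnt
UNPIVOT (NumberOfComputers FOR [Status] IN ([0], [1], [2])) cs
LEFT JOIN v_StateNames sn ON sn.TopicType = 300 AND sn.StateID = cs.Status
WHERE cs.NumberOfComputers > 0
ORDER BY cs.NumberOfComputers DESC
"@
    # Parameterised command: the collection ID and CI_ID never get spliced into SQL text.
    $conn = New-Object System.Data.SqlClient.SqlConnection(
                "Server=$SqlServer;Database=$Database;Integrated Security=SSPI")
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@CollID', $CollectionID)
    [void]$cmd.Parameters.AddWithValue('@CI_ID',  $CI_ID)
    $table = New-Object System.Data.DataTable
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        $table.Load($reader)
    } finally {
        $conn.Close()
    }
    # One row per state (Unknown / Compliant / Non-compliant) with its percentage.
    $table
}

# Usage (all values are placeholders):
# Get-SugComplianceSummary -SqlServer 'SQL01' -Database 'CM_RC0' -CollectionID 'RC000123' -CI_ID 16777999 |
#     Format-Table CollectionID, Status, NumberOfComputers, PComputers -AutoSize
```

Using the views rather than the RBAC functions means the result is not filtered by the caller's Configuration Manager security scopes, which is what the report's @UserSIDs parameter provides; grant the SQL login read access only, and keep that scoping difference in mind if the query feeds anything user-facing.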



Troubleshooting SUP and WSUS

Hello guys.

Anyone have a link or video that show basic or advanced troubleshooting in SUP?

How can I know if the client installed the update, etc.?

Thanks!


Regards, Julio Araujo

Get-CMSoftwareUpdate missing -Id parameter?

I know it has to be me, but I have verified this on a couple different systems and am still scratching my head.

I am using the powershell cmdlet Get-CMSoftwareUpdate with the parameter -Id.  When I wrote the script, it worked great, job done!

Went back to figure out why the script is not working and it now throws the error:

[DBG]: PS S00:\>> Get-CMSoftwareUpdate -Id $update
Get-CMSoftwareUpdate : A parameter cannot be found that matches parameter name 'Id'.
At line:1 char:22
+ Get-CMSoftwareUpdate -Id $update
+                      ~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-CMSoftwareUpdate], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ConfigurationManagement.Cmdlets.Sum.Commands.GetSoftwareUpdateCommand

I am at a complete loss since the documentation says this parameter still exists.

Jim

Default Security Scope

I created both a Desktop & Server Admin group.

They have their respective security roles.

Also have two scopes for Server Assets and Desktop Assets.

When removing the "Default Scope" from my Desktop Admin group to leave only the "Desktop Assets"...

I noticed the desktop admin account lost its permissions for software metering. I double checked the security role and it had all the proper permissions. Some rules can be seen because they belong to the proper Desktop Assets scope... but the create, enable/disable, delete are all greyed out now.

Is the default scope a requirement for metering? What am I missing?
