Channel: Configuration Manager 2012 - Security, Updates and Compliance forum
Viewing all 6382 articles

Identify application and software update deployments with "Override Maintenance Windows" enabled with Powershell

I'd like to identify all Application and Software update deployments that are overriding Maintenance windows with Powershell.

If anyone can give me a heads up on how this can be done I'd greatly appreciate it.

I've combed through the Configuration Manager Powershell cmdlets and have come up empty handed.

Currently I've found a handful of them but have a lot more deployments to look through manually.

Problem is, every deployment set to ignore maintenance windows causes my Windows embedded ThinClients to reboot to servicing mode, which of course locks out my users until it's all done. The fact that they are rebooting isn't the problem because that's just how updates are handled for Embedded systems. I just need to find new deployments with this option set so I can quickly turn them off when they are created by other coworkers.

Thank you in advance



SCCM 2012 SUP User Notification

Good Evening All - 

After presenting SCCM 2012's SUP feature to my manager, he wants me to implement it.  The only thing that he requested, though, is for a few changes (if possible) for user notification.

Through research and testing, I've found that when updates are advertised to a workstation, a system tray icon appears with a balloon.  If clicked on, there are a few options that the user has including viewing detail of the updates in the Software Center.  Example

Here are the changes my manager asked if I could make.  Any ideas on how this may be possible, if at all?  

-  Instead of system tray icon notification, have a window pop up on their screen that must be dismissed

-  Possible to not use Software Center for updates (users don't need all of that detail as it would just confuse them)?  Actually, is there any way to not have Software Center install with the client on workstations altogether?

I think that's it - Thanks for your thoughts!


Ben K.

How to Configure A Software Update Baseline in SCCM 2012

I have a remote site that has about 70 systems that have not been patched for the last 4 months due to the WSUS server going down and I am now just getting around to deploying SCCM 2012 there. 

Can one of you SCCM gurus, MCCs, MVPs, someone tell me if the following method makes any sense to you, and if so, is it a good idea? By the way, I already have a software update package that I use to drop Patch Tuesday updates into every month. I would just like to know if the following strategy makes any sense: 

  1. Deploy the SCCM 2012 client to these 70 systems
  2. Sync with Microsoft to grab the updates metadata
  3. Run the Software Updates Scan cycle to determine what updates on the 70 systems at the remote site are required
  4. Create a search criteria to grab updates that fall within my company's patch policy (critical and security only)
  5. Download all of these updates into a package and name it after the following convention: SUM_Baseline
  6. Create the Software Update Group and name it after the following convention: SUM_Baseline_YYYYMMDD
  7. Deploy the SUG to the 70 systems located at the remote site

How does this look to you all?

One more thing, I have a Software Update package that I already use, but it is for Patch Tuesday ONLY patches, not Baseline patches. Does it make sense to have two packages, one for Patch Tuesday updates and one for Baseline updates?

My thinking is that the Patch Tuesday package is used for systems that are up to date and do not require prior patches. The Baseline package would be for systems that are either new, or for whatever reason have not been patched for quite some time. 

Also, is there any way to be able to just find out what updates are needed on a subset of systems in the SCCM 2012 console rather than all SCCM 2012 clients? I haven't figured out how to do this, or if it is even possible. Would I create a Software Updates Configuration Baseline for this?

If I can get some good feedback here I would very much appreciate it. 

Thanks everyone






Software Updates and Maintenance Windows

Hi, I just wanted to confirm a few things before setting up windows updates for our servers.

We are hoping to update a group of our servers automatically, other business critical servers will be updated manually.

We want to have a different group of servers updated each Monday as below..

-Week 1 Monday- 1AM(First group of servers)

-Week 1 Monday- 2AM(Second group of servers)

-Week 1 Monday- 3AM(Third group of servers)

-Week 2 Monday- 1AM(Fourth group of servers)

-Week 2 Monday- 2AM(Fifth group of servers)

-Week 2 Monday- 3AM(Sixth group of servers)

Etc...

That way we spread out the updates in case we run into any issues and split the deployment times to reduce traffic.

My question is this.  I created a collection for each deployment day/time and created a maintenance window for each with the appropriate time we would like to deploy the updates.

It looks like each deployment rule is deployed to one Collection.  Would it work if I created one master collection and included all of the collections with maintenance windows attached to them into that collection, then deployed the auto deployment rule to the master collection.  I assume that any updates servers in the included collections will have the maintenance window apply to them, so they will wait to install the updates based on their maintenance window?

Also can I include Win Server 2003, 2008, 2008 R2, 2012 and 2012 R2 patches in the same deployment rule?  Deploy them all in one rule to the master collection and depending on which OS it's getting deployed to it will pick up the appropriate patches?

Hopefully this makes sense, sorry it's a bit confusing.

Update Failed during installation on machines

Dear All,

I have deployed updates to the client machines. Until the deadline was reached, all machines were IN PROGRESS and all of them had downloaded the updates, so it was fine up to this point. But when the deadline was reached and installation started, most of them failed to install the updates and appeared in Error state. Digging further into this, I saw that a few updates had failed on many machines.

Q1. Now my query is: why did the updates fail, though there are machines on which the updates installed successfully?

Q2. How will these failed updates be installed automatically? Do I have to go seat by seat to re-trigger the installation?

Q3. I have made some changes in client settings in the Software Update section. For example, I have set 2 hours to check re-deployment. Is that right to do? To ensure all failed updates are re-installed after the recheck.

Find attached snapshot for further reference.


 


REGARDS DANISH DANIE

Force any needed reboots

Hi,

When building new PCs it can be a pain waiting for all the patches and apps to install as they tend to sit waiting for reboots to be allowed rather than just immediately rebooting when needed.

How can I specify a device collection, OU/GPO or whatever other options are available to basically say "do whatever you need to do to these machines until all apps, packages and updates are installed without waiting for any user intervention"?

Thanks

Gary

Office Updates - Not Compliant on 2 PC's.

Hello,

I am trying to deploy Office 2010 updates to a group of PC's. I am doing everything my normal way, the same how I rollout Windows 7 updates in SCCM. But I just don't get why 2 of my 10 test machines will not download the updates. They go straight to Not-compliant - I have checked the CCMCache and they are not downloading the updates. This is what is logged in UpdatesStore.log:

<![LOG[Queried Update (fadb5ac1-8a92-441e-b520-0241c887c1c3): Status=Missing, Title=Update for Microsoft Office 2010 (KB2878252) 32-Bit Edition, BulletinID=, QNumbers=2878252, LocaleID=, ProductID=e6cf1350-c01b-414d-a61f-263d14d133b4, UpdateClassification = e6cf1350-c01b-414d-a61f-263d14d133b4, ExcludeForStateReporting=FALSE.]LOG]!><time="09:17:05.920-60" date="10-24-2014" component="UpdatesStore" context="" type="1" thread="3096" file="cupdatesstore.cpp:1313">
<![LOG[Queried Update (a5eb2e13-dad4-46a6-a6fc-d047c1f9b6d7): Status=Missing, Title=Update for Microsoft Office 2010 (KB2878252) 32-Bit Edition, BulletinID=, QNumbers=2878252, LocaleID=, ProductID=e6cf1350-c01b-414d-a61f-263d14d133b4, UpdateClassification = e6cf1350-c01b-414d-a61f-263d14d133b4, ExcludeForStateReporting=FALSE.]LOG]!><time="09:17:05.920-60" date="10-24-2014" component="UpdatesStore" context="" type="1" thread="3096" file="cupdatesstore.cpp:1313">
<![LOG[Queried Update (fe594d9e-9828-451f-aa56-2c2cf431ade3): Status=Missing, Title=Security Update for Microsoft Office 2010 (KB2880971) 32-Bit Edition, BulletinID=MS14-024, QNumbers=2880971, LocaleID=, ProductID=84f5f325-30d7-41c4-81d1-87a0e6535b66, UpdateClassification = 0fa1201d-4330-4fa8-8ae9-b877473b6441, ExcludeForStateReporting=FALSE.]LOG]!><time="09:17:05.920-60" date="10-24-2014" component="UpdatesStore" context="" type="1" thread="3096" file="cupdatesstore.cpp:1313">
<![LOG[Queried Update (1e7848a5-8772-4ef3-a089-7a94ac8c9a5c): Status=Missing, Title=Security Update for Microsoft Office 2010 (KB2880971) 32-Bit Edition, BulletinID=MS14-024, QNumbers=2880971, LocaleID=, ProductID=84f5f325-30d7-41c4-81d1-87a0e6535b66, UpdateClassification = 0fa1201d-4330-4fa8-8ae9-b877473b6441, ExcludeForStateReporting=FALSE.]LOG]!><time="09:17:05.920-60" date="10-24-2014" component="UpdatesStore" context="" type="1" thread="3096" file="cupdatesstore.cpp:1313">
<![LOG[Querying update status completed successfully.]LOG]!><time="09:17:05.920-60" date="10-24-2014" component="UpdatesStore" context="" type="1" thread="3096" file="cupdatesstore.cpp:1287">

Every update's status=missing...

Can anyone help me out with this?


Expired updates not being cleaned up

Hi,

I've been trying to clean up old expired updates on my SCCM 2012 SP1 server and for whatever reason it seems that the updates files are never actually getting removed.

At first I tried the instructions at http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/software-update-content-cleanup-in-system-center-2012-configuration-manager.aspx

When I run the script they provide it appears to go thru all the updates but never actually deletes any of them. The script always seems to say it found an existing folder and then later it says that it is excluding the same folder because it is active.

Then I read that SP1 for SCCM 2012 is actually supposed to do the clean up process automatically.  But in this case do I need to do anything like expire the updates manually or does SCCM now do that?  How can I see what is preventing either the manual script or the automatic clean up process from actually removing the unneeded files and folders?

And does anything need to be done with superseded updates as well?

Also I've always thought that when you use SCCM 2012 to do your updates you should never go to the WSUS console and do anything, but I read http://blog.coretech.dk/kea/house-of-cardsthe-configmgr-software-update-point-and-wsus/ and he is going to the WSUS console and doing a clean up there as well.

Thanks in advance,

Nick


Supersedence not reflecting in SCCM 2012 R2 from WSUS

Customer pointed out that KB2868626 (MS13-095) was not showing up for their system (win 2003 SP2).  A quick look showed that it was not available on the SUM console.  Curiosity getting the better of me I looked at the WSUS and voilà, it was there! Looking closely it shows as being superseded by KB2918614 (MS14-049).  Ok, not out of the ordinary.  However in the SUM console looking at the update that supersedes KB2868626, there is no mention of it doing so.  If this is correct this only supersedes the update for win 2003, no other OS's.  There is no mention of being superseded on Microsoft's site.

So now I'm wondering if something got crossed somewhere.

Jim

 

SCEP scheduled scan time problem with daylight-saving time?

Since the daylight-saving time change from last weekend (1 hour earlier) we see that a large group of SCEP clients start their scheduled scan at 11:00 where we have it set in the policy in SCCM2012 at 12:00.

Most workstations still begin their scan at 12:00.

Any idea?

Regards, Bob

Problem with add DMZ servers to SCCM

Hi all,

I have got a case from my manager: I should take care of updating all servers which are working in the DMZ. I have added the IP address range for the DMZ servers. I can ping these servers by IP but not via DNS name. The problem is... I can't find them in the SCCM console.

What am I doing wrong, guys?

Thank you for any suggestions...


SCCM 2012 R2 CU3 - ADR Update 2K12R2

Hello,

I've some problems with update ADR (Full update 2K12R2 server).

So far everything worked perfectly but since a few days, the first 15 updates are installed correctly and then nothing ..

I inspected the logs and saw nothing unusual.

Any ideas ?

Jérémy

SRS reports and security scopes

Is it correct that security scopes/collection-limitation isn't applied to the SRS reports? It looks like a user with a limited scope can still see everything.

Or is this maybe a configuration error in our environment?

Understanding background work for software distribution in SCCM 2012

Hi Team,

1. I want to know about site-to-site communication for SCCM 2012, and

2. I want to know about package transfer to a secondary site, or the content share background process.

3. On many of the content share servers, out of 200 packages, 90 are still showing in progress. I checked the distribution point but there is no error. I checked component status, saying "xxx001 package processed."

Can someone answer these three questions?

SCEP Definitions

I have an ADR that automatically downloads and deploys SCEP definitions.  I have noticed a number of my clients are on newer versions of definitions than what is available from the SUP.  For example, my desktop was on 1.187.1710.0 today which matches what is on the SUP, but when I manually updated it went to 1.187.1788.0 which isn't available from SCCM.  I have a number of clients that are on 1.187.1741.0.

Any idea why this is occurring?


Deadline behaviour for ADR deployments from month to month

I have set up an ADR rule to run on patch Tuesday to get updates. I configured the ADR to re-use the software update group each time. The dates configured on the ADR are:

- Software available to install: in 3 days

- Installation deadline: 4 days

This creates a corresponding deployment when run. However, the deployment has hard dates in it. For eg: if I run the rule today (Nov 10), it will have dates of Nov 13 and Nov 14 for the available and deadline dates.

I was wondering if these dates will be updated every month when the ADR is run? Otherwise all clients will deadline immediately when the ADR runs during the second month (as the deadline would have already been past).

If that is the case, I will have to set it to create a new software update group each time, but I was just trying to avoid that to reduce the clutter that would result each month.

thanks,

-Ravi

System Center Endpoint Protection Antimalware client version - won't upgrade

Hi

Running SCCM 2012 SP1 CU4 on Server A. Endpoint Protection role on Server B. Both Servers 2008 R2. There is only one primary site server and no secondary sites in the hierarchy.

All clients are Windows 7.

The SCEP client is not upgrading on clients as I would have expected. After enabling the automatic client upgrade option in site hierarchy settings I found all the clients upgraded their SCCM agent. I was expecting the SCEP client to be upgraded also. Machines have been rebooted since the SCCM agent upgrade.

How can I go about upgrading the SCEP agent on all computers?

Many thanks


Received 'SucceededWithErrors' code from WUA during search

I am getting the below message in WUAHandler.log

The Updatesdeployment.log is clean; it shows there are no updates to install, but the concern is that there actually should be updates available, as this machine hasn't been patched for 3-4 months now and there should be older patches available.

......................................................................................................................

Received 'SucceededWithErrors' code from WUA during search. Check WindowsUpdate.log in Windows directory.    WUAHandler    11/11/2014 1:49:38 PM    5480 (0x1568)
WU Agent reported the following 1 warning messages:    WUAHandler    11/11/2014 1:49:38 PM    5480 (0x1568)
    HResult: 0x80240033 Context: uecGeneral Msg: The license terms of one or more updates are unavailable..    WUAHandler    11/11/2014 1:49:38 PM    5480 (0x1568)
Successfully completed scan.    WUAHandler    11/11/2014 1:49:39 PM    5480 (0x1568)

......................................................................................................................

Please assist!


SUP State Messages not accurate

Hi,

I'm having an issue where a number of servers are not displaying the correct patch levels.  For instance one server is showing as having 4 patches installed when I run the "Compliance 5 - Specific computer" report against it and there are dozens of patches installed.  When I checked the WMI database on the client itself it was not sending out the state messages.  I rebooted the machines and checked again, now it says that state messages are being sent, but when I run the "Compliance 5 - Specific computer" report it still only shows the 4 patches.

Is there a way to refresh the compliance data for the clients that are missing it on the SCCM server?

Thanks,

Travis

Workstations not downloading their patches. Downloading (0% Complete)

So I've read through some of the other threads I've seen on this and most point to a boundary issue.  However, we've had our site up for 6 months or so now and we haven't changed any settings.  All of a sudden, this month none of our machines can get their updates.  They all just say Downloading (0% Complete)

I don't know what the problem might be but also don't know which logs to check for this.

The CAS.log file is spammed with lines like this:

<![LOG[Location update from CTM for content 480d1725-7247-494e-b208-ca70ec17ebdb.1 and request {9AC5A063-BEB6-4B39-B37E-EB8FD3FB31C3}]LOG]!><time="14:20:12.834+360" date="11-03-2014" component="ContentAccess" context="" type="1" thread="10916" file="downloadcontentrequest.cpp:1022">
<![LOG[Download request only, ignoring location update]LOG]!><time="14:20:12.834+360" date="11-03-2014" component="ContentAccess" context="" type="1" thread="10916" file="downloadcontentrequest.cpp:1039">

Are there other logs I can check to get more insight on this?  I don't know why it stopped working after working fine for quite a while.
