To my understanding, software update-based installation of the Config Manager client agent works by importing it into WSUS (which is a requisite component for the server with the software update point role) where it is classified as a critical update. So far so good.

However, while a WSUS server can automatically approve an update's installation, the actual download and installation of an update is dependent upon the configuration of a client's Windows Update policy. This local policy needs to be configured to use the SUP server as its WSUS server, and it likely must have some kind of schedule to download and install the update (unless someone is taking upon themselves the unenviable task of manually updating computers).

Thus, it would seem to make good sense to use an Active Directory group policy to ensure that these WSUS settings are configured correctly on computers when they join a company's domain. Unfortunately, in my environment we've found that such a group policy creates a conflict, because once a computer has the Config Manager client, SCCM will then require uncontested control over the Windows Updates policy. The resultant conflict causes update deployments to fail with a "group policy conflict" error and, worse still, client computers will wind up running two separate SVCHOST processes that result in uncontrolled memory consumption.

I've contacted Microsoft software assurance support on this issue, and they found it no less a catch-22 than I have. I'd be interested to hear how others handle SU-based installation effectively in their environment. I suppose in many places, it's simply effected on workstation images. In others, perhaps the settings are applied directly as registry edits in group policy preferences. I'd be especially interested to find out if anyone has created a WMI filter than can distinguish clients with the agent from those without it.

We have several clients with the antimalware client version 4.5.216.0.  Running Windows update manually doesn't list an update for this.  I've tried the following:

1) Wiping out the softwaredistribution folder
2) Re-installing SCEP

Also, quick scans on these systems seem to hang when they're nearly complete.  On the current quick scan the time elapsed paused at 4:33.  If I click cancel, it goes back to the home screen, and if I click scan again, it just goes back to the paused progress.

Any ideas?

My software updates stopped working. Software deployment and OSD are fine.

UpdateHandler.log 

Update with CIID Site_ failed with hr = 0x80070005

ContentTransferManager.log 

CTM job {} encountered error 0x80070005 during download ('Error processing manifest.')- The error maps to denied access.

From the datatransferservices.log

Error sending DAV request. HTTP code 401, status 'Unauthorized'

GetDirectoryList_HTTP('http://servername:80/SMS_DP_SMSPKG$/5af63dcf-5dba-4460-b800-3c11900ba082') failed with code 0x80070005.

The updates seem to process fine until the download starts and then  fail immediately.

No content makes it to my client cache except for software deployment packages which download and install no problem.

My site is syncing my update packages look healthy  and "update distribution point", without a problem.

I've got IIS authentication for SMS_DP_SMSPKG$ set to Anonymous Authentication only.

Not sure what the defaults should be. Any help or redirection would be great.

Hi all,

We were working on patching systems with 3rd party update basically Adobe Reader. We are having a CAS & PS site hierarchy & have installed SCUP on the primary site. We were also able to publish the adobe updates from SCUP to CAS but few of our team members removed the Adobe Reader & Security updates from the list of SCUP products & Update classification (they were totally unaware of the SCUP changes & it was done by mistake). Once these settings were removed we found the updates were Expired we added the settings back again and after some time the updates were back but the downloaded tab shows "NO" for all the adobe updates. When we tried to download the Adobe updates again using SCCM it gave us error. Then we tried to remove the updates from SCCM & found that the SCUP updates cannot be removed.

We again tried to publish the same set of updates from SCUP but it gave fatal error.

What should we do at this point to start the 3rd party update deployment.

Experts please help.

Thanks,

Pranay.

Hi,

RBAC for SCEP "Full Scan", "Download Definition" and "Client Notification"

Try to fix an RBAC role for our support technicians. I would like that them can run "Full Scan", "Download Definition" and "Client Notification"

RBAC Viewer give me "no permission required" for this, but it is greyed out as an option?

/SaiTech

Hi,

I am downloading manually endpoint protection definition updates from SCCM 2012 R2, which log file I have to check for download progress.

Regards,

Manzoor Ahmed

Hi ,

i had configure one Compliance baseline for Mcafee Agent , if the Mcafee agent not found on machines it will reports those machines as Non Complaint..

Such Baseline worked properly and 64 Machines are reported as Non Complaint and after that i  create application of mcafee agent  and deployed Macfee Agent on those non Complaint Machines (64)

I checked the deployment status of Mcafee Agent and found on 48 machines mcafee agent installed successfully but when i checked the configuration baseline its still shows 64 Machines are non Complaint.. such machines are also showing as non complaint in Reports..

can you please suggest what we have to do next to update these things or reports. 

Shailendra Dev

I have a significant number (but not all) of my SCCM 2012 R2 CU3 clients not updating though my SCCM software updates. On these problem clients, I get this error in WindowsUpdate.log:

"COMAPI WARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E"

Then these machines report "Compliant" even though they don't install the updates. Almost all of our workstations are Windows 7 SP1 32bit. We are running SCCM 2012 R2 CU3. My site servers are running Windows 2008 R2.

I don't see much in WUAhandler.log or scanagent.log. These client are however, getting my SCEP definition updates just fine. (I have an ADR for those.) And when you go out to Microsoft for security updates it works. I have tried all of the usual Windows Updates repair suggestions (re-register dlls, rename software distribution folder, etc.) And I tried un-installing and re-installing the SCCM client on a problem PC, to no avail. I also tried using a Software Update Group with fewer updates (<100) and targeting a problem system with only that SUG, to no avail.

Any assistance would be greatly appreciated. Thank you.

Hi

I have a problem with Silverlight Updates, and I think it is not linked to my environment only.

I tried to deploy version 5.1.30514 but the download I get for Sccm via WSUS contains version 5.1.30214 instead, even though it should be the newer version.

When I look at my Sccm updates, all are set to expired. I checked why and saw that there were two newer versions (see KB3011970), with internal versions 5.1.31010.0 which was recalled because of problems, and replaced by version 5.1.31211.0.

The problem is that those latest versions do not show up in my SCCM view, and are set to Declined in the Wsus console.

Does one know how I could (and if I should) override the Declined status for the latest version or how I could make the previous version 5.1.30514 to deploy ? I think I could just use SCUP but since the updates are already there...

Thanks in advance

Bruno

bruno

If I have an existing collection with previous Software Update Group deployments. (IE 2012 Update SUG, 2013 Update SUG, etc) If I put a new computer in the collection will it pickup those updates or will I need to deploy them again?

Thanks!

Hi

We're using SCCM 2012 to send patch to my clients using ADR, but in the monitor for the deployment, shows aroud 35% of equipment in the status unknow: "Client ckeck passed/inactive" and "Client check passed/Active", I took some of the equipments and manually refreshed all the Action, but this continue showin in unknow state.

Any Idea why all these machines appear like unknow? I refreshed the actions in the client machine and continue with the same status.

Thanks

Doc MX

Hello,

Yesterday Microsoft revised KB3001652 which was initially published in October 2014.

Because the original KB was part of a software update group currently deployed (to cover patch new computers), the new/revised version has been automatically deployed to all existing computers.

How can I prevent automatic deployment of new version of an existing update ?

Regards.

Firstly, my apologies if this has been answered elsewhere, however I have been unable to find anything solid.

I am implementing software updates via SCCM and my management is requiring me to use the following timing for update:

1. Catalog is synchronized and updates downloaded Thursday.
2. Updates are made available and required to be installed on Thursday night.
3. A restart is not required until the following Monday night, when there is a countdown and then is forced.

I have been trying to make this work however have as yet been unsuccessful, so I was hoping someone could help sort out exactly how this is supposed to work.  

From what I have read there are a couple of ways this could be achieved. 

• Create a deployment with an installation deadline of ASAP, do not allow forced restarts outside a maintenance window, and then create a MW for the Monday night. 
• Create a deployment with an installation deadline of ASAP, do not allow restarts. Then create another deployment of a restart script (batch or something like Coretech Shutdowntool) scheduled to deploy Monday night to handle the rebooting side of things.

I have attempted the first one however I have had no luck getting the restart to actually occur.  The installation works, but the restart just never happens.  I fear I am doing something wrong, however I am not familiar enough with aspects of the software to say for certain what is and isn't possible.  

Any help or information I could get would be very much appreciated.  

Many thanks.

I need someone to (hopefully) clarify how SCEP updates function.  I have a SCEP ADR configured to run immediately after a successful wsync, with a wsync that is configured to run every 6 hours beginning at 12 PM.  The SCEP ADR sets a deadline of 'As soon as possible'.  We have a single server OU-based collection with an antimalware policy deployed that checks for definition updates every 8 hours.  In our client policy, we have the Software Update Scan scheduled for every 3 hours.

The problem i'm running into is that all of our virtual machines are being hammered at the same time thus causing latency on storage.  How does the deadline set via the ADR relate to the definition update interval checking on the malware policy and the software update scan schedule in the client policy?  How do most people spread out when clients are updating?  

Hi All

Recently we deployed some MS patches to some machine, though most of the machines have got them installed successfully there is a machine showing few KBs as "Waiting to Install" and one KB as "Pending Verification". [Screen Shot below]

I think "Pending verification" is causing others to wait. Does pending verification means checking if the given KB is applicable to the machine?

I checked few logs but could not able to find that can help me to resolve:

UpdatesDeployment.log

UpdatesHandler.log

UpdatesStore.log

Based on the UpdateStore.log it says the particular KB with "Pending Verification" status is not applicable to this machine.

Please help how to resolve this issue.

THank you

Regards Ram

Hi All,

I am on the process of deploying Windows 7 ADR (which has last 1 year Win 7 Critical & security updates) on client machines, I am having 5 Win 7 test machines all with the same configuration. The problem is when i am deploying this ADR, many of the Updates fails (I am checking this status from software center), when i retry the installation of these updates from software center they installs fine but they fails initially. I have increased the time of installation of the updates to be 60 mins. This has improved the condition but still some of the updates are failing. It's like on the first machine the KB is deployed successfully & on the second one it fails.

What should i do to install the updates successfully on the machines. Please suggest.

Thanks,

Pranay.

Hello,

My WSUS refuses to syncronize the updates we all know has been released this Tuesday. Also expressed as, nothing gets synced down besides a few SCEP definitions. (yes, I have selected the correct products and classifications on my SUP)

I can see a few other people reporting similar behaviour, but I have the feeling that this forum can add further to that.

https://social.technet.microsoft.com/Forums/en-US/a323d2f9-a1ac-48e3-978a-054915c3f1ea/wsus-april-2015-updates-not-synced-from-microsoft?forum=winserverwsus

Anyone that can shed more light on this, anyone seeing something similar?

My WSUS has been working for years, all green lights in component status, and no errors in wsyncmgr or wsusctrl.log. :-(

Martin Bengtsson | www.imab.dk

I have an update for which I need to check compliance.  The ConfigMgr Compliance 2 - Specific Software Update shows that a particular system needs the update; however, if I look in Control Panel at the Installed Updates, the update shows as installed.  Is there something simple I am missing here?

What causes the compliance reports to update?

Thanks,

Jeff

Hi,

I've got one annoying system that has stopped successfully downloading the updates that I deploy from my SCCM 2012 SP1 server.  This one client was working fine up until October and successfully downloaded the October 2014 patch Tuesday updates I deployed but after that it now only successfully gets the Endpoint protection virus definition updates that are deployed with an ADR.  I can bring up the SCCM Configuration Manger client on the system and it seems to be ok as well as the Software Center application.  Another strange thing is that in Configuration Manager deployment status it shows that this client has successfully installed the November and December patch Tuesday updates that I deployed but these updates were never installed on this machine.  In the Devices view this client shows up as active so it seems that the SCCM client is working ok I guess.

I've looked at the WindowsUpdate.log file and I can see the following errors:

2015-01-07 02:35:29:601 1104 225c PT   + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =HTTP://SCCMServer.mydomain.COM:8530/ClientWebService/client.asmx
2015-01-07 02:35:29:684 1104 225c PT WARNING: Cached cookie has expired or new PID is available
2015-01-07 02:35:29:684 1104 225c PT Initializing simple targeting cookie, clientId = 1148919b-ec11-4ecf-9866-36a0771211c2, target group = , DNS name = win7.mydomain.com
2015-01-07 02:35:29:684 1104 225c PT   Server URL = HTTP://SCCMServer.mydomain.COM:8530/SimpleAuthWebService/SimpleAuth.asmx
2015-01-07 02:39:48:167 1104 225c PT +++++++++++  PT: Synchronizing extended update info  +++++++++++
2015-01-07 02:39:48:167 1104 225c PT   + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =HTTP://SCCMServer.mydomain.COM:8530/ClientWebService/client.asmx
2015-01-07 02:40:48:717 1104 225c Misc WARNING: Send failed with hr = 80072ee2.
2015-01-07 02:40:48:717 1104 225c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2015-01-07 02:40:48:717 1104 225c PT   + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2015-01-07 02:40:48:718 1104 225c PT   + Caller provided credentials = No
2015-01-07 02:40:48:718 1104 225c PT   + Impersonate flags = 0
2015-01-07 02:40:48:718 1104 225c PT   + Possible authorization schemes used =
2015-01-07 02:40:48:718 1104 225c PT WARNING: GetExtendedUpdateInfo failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2015-01-07 02:40:48:718 1104 225c PT WARNING: PTError: 0x80072ee2
2015-01-07 02:40:48:718 1104 225c PT WARNING: GetExtendedUpdateInfo_WithRecovery: 0x80072ee2
2015-01-07 02:40:48:718 1104 225c PT WARNING: Sync of Extended Info: 0x80072ee2
2015-01-07 02:40:48:718 1104 225c PT WARNING: SyncServerUpdatesInternal failed : 0x80072ee2
2015-01-07 02:40:49:120 1104 225c Agent   * WARNING: Exit code = 0x80072EE2
2015-01-07 02:40:49:121 1104 225c Agent *********
2015-01-07 02:40:49:121 1104 225c Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
2015-01-07 02:40:49:121 1104 225c Agent *************
2015-01-07 02:40:49:121 1104 225c Agent WARNING: WU client failed Searching for update with error 0x80072ee2
2015-01-07 02:40:49:434 1104 1450 AU >>##  RESUMED  ## AU: Search for updates [CallId = {28885A5E-C1C2-437F-B573-08CD6F34557B}]
2015-01-07 02:40:49:434 1104 1450 AU   # WARNING: Search callback failed, result = 0x80072EE2
2015-01-07 02:40:49:434 1104 1450 AU   # WARNING: Failed to find updates with error code 80072EE2
2015-01-07 02:40:49:434 1104 1450 AU #########
2015-01-07 02:40:49:434 1104 1450 AU ##  END  ##  AU: Search for updates [CallId = {28885A5E-C1C2-437F-B573-08CD6F34557B}]
2015-01-07 02:40:49:434 1104 1450 AU #############
2015-01-07 02:40:49:461 1104 1450 AU Successfully wrote event for AU health state:0
2015-01-07 02:40:49:462 1104 1450 AU AU setting next detection timeout to 2015-01-07 15:40:49
2015-01-07 02:40:49:615 1104 1450 AU Successfully wrote event for AU health state:0
2015-01-07 02:40:49:646 1104 1450 AU Successfully wrote event for AU health state:0
2015-01-07 02:40:54:133 1104 225c Report REPORT EVENT: {12E232BD-CC1D-47D0-9D6D-E912CA3A6FE6} 2015-01-07 02:40:49:119-0800 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80072ee2 AutomaticUpdates Failure Software Synchronization Windows Update Client failed to detect with error 0x80072ee2.
2015-01-07 02:40:54:433 1104 225c Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2015-01-07 02:40:54:433 1104 225c Report WER Report sent: 7.6.7600.256 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Managed
2015-01-07 02:40:54:434 1104 225c Report CWERReporter finishing event handling. (00000000)
2015-01-07 03:31:16:845 1104 c18 AU AU received policy change subscription event

it seems very strange to me that the client gets the Endpoint protection updates which are coming from SCCM but doesn't get any of the software updates.  Is there somewhere else to look to try and figure out what is going wrong?

Thanks in advance,

Nick