Quantcast
Channel: Configuration Manager 2012 - Security, Updates and Compliance forum
Viewing all 6382 articles
Browse latest View live

Question about WSUS Update (KB2938066 & KB2937636)

May 20, 2015, 11:26 pm
$
0
0

Hi there Experts,

I'm currently planing the update of my Configuration Manager 2012 R2 Primary Site to Service Pack 1. During the upgrade process i would also like to apply KB2938066 to my WSUS / SUP Server.

There are some blog Posts which mention, that i need to manually deploy an updated Windows Update Agent Update (KB2937636) to my Windows 7 / 2008 R2 Clients. Could someone answer me the following questions about this?

- When i apply KB2938066 to my WSUS, Clients without the updated WUA Agent (KB2937636) will still work?
- I don't see KB2937636 for Windows 8.1 / Windows Server 2012 R2. I assume that this update is already not needed on those Opearting Systems?

Thank you very much!

Best regards, Simon



Search

SCCM 2012 R2 but windows 8.1 and server 2012 r2 not provided as supported OS for configuration item.

May 21, 2015, 9:51 am
$
0
0

Production environment is SCCM 2012 R2 CU4 and just noticed that when creating a CI for compliance windows 8.1 and windows server 2012 R2 are not available under supported platforms. 

Checked our lab environment, same SCCM 2012 R2 CU4 and when creating a CI in the lab, Windows 8.1 and Windows Server 2012 R2 are listed as supported platforms. 

I've looked through settings and compared ms updates in case we missed something in production, but my understanding is SCCM 2012 R2 comes out of the box with windows 8.1 and server 2012 R2 support?

Any help on this matter is greatly appreciated. 

Thank you!

SCEP Definition Date

May 21, 2015, 9:44 am
$
0
0

Hello Experts,

Is it possible to make or get a report which says about Current definition a SCEP client has and the definition available on Microsoft.

I was looking at 

TimeLastUpdated and SignatureUpTo1DayOld
V_EndPointProtection table

 but how to check whats latest from Microsoft? I wanted to make a report which shows clients def and defs from MS. Thanks in Advance.

Configuration Manager 2012 R2 Clients asking for reboot when user logs on

May 19, 2014, 7:45 am
$
0
0

Hi,

We are distributing software updates during the weekends. Based on the logs everything goes as planned, software updates are installed and the machines reboot. However, when a user logs on after the weekend they receive a notification of a pending reboot.

The RebootCoordinator.log states "Reboot initiated" after the patches have been installed and the machine is rebooted, then there are these entries:

  • Entered ScheduleRebootImpl - requested from 'UpdatesDeploymentAgent'. set Rebootby = 0. set NotifyUI = True. set PreferredRebootWindowType = 4RebootCoordinator17.5.2014 22:15:052748 (0x0ABC)
  • Scheduled non mandatory reboot from agent UpdatesDeploymentAgentRebootCoordinator17.5.2014 22:15:052748 (0x0ABC)

Has anyone seen this before? Why is ConfigMgr asking for a non-mandatory reboot after the mandatory one?

Regards,

Carl



SCCM doesn't install client updates on on 'shutdown and start'

September 2, 2014, 6:56 pm
$
0
0

Hello,

I'm confused why SCCM doesn't install client updates on on 'shutdown and start' behavior, which instead is 'restart' works only? Does this behavior can be changed through depolyment?

Scheduled Updates - Calendar Bug...

May 22, 2015, 2:23 am
$
0
0

Good morning,

I've noticed a bug with SCCM wherein scheduled sync's and deployments don't function as configured. My environment is configured to check for new updates on the second Thursday of each month. The clients are then configured to run the software update scan and then the schedule deployment re-evaluation on the third Thursday of each month thus installing any required updates. Issues occur, for example, as SCCM seems to view the third Thursday of the month (in the below example) as the 14th... and not the 21st! 

 

This causes obvious issues with the scheduling of each stage of the process becoming out of sync (on certain months). Is there a hotfix to resolve this issue? Does bringing 2012 to the latest release resolve this issue? 

Thank you to anyone that takes the time to respond to this post. 

M Tipler

Software Update Groups - All Deployments changed from Available to Required after Last Evaluation ADR

May 22, 2015, 12:32 am
$
0
0

I need help to get an explanation for the result of what the ADR did to the Software Update Group Deployments.

After the evaluation of the ADR all the deployments of that Software Update Group the Type of deployment changed from "Available" to "Required". The result of this was that all members were forced to update. I thought i prevented this to happen by setting the target collection of the ADR to an empty device collection. After the creation of the Software Update Group i placed an additional deployment on it and changed the Deployment Type to "Available". On this second deployment i pointed the software update group to a device collection filled with Windows Servers.

Before this all happened, because all functioned good first, there have been time issues on the internal domain. Because of these problems SCCM had time settings in the past but also far into the future. After this problem when the evaluation of the ADR had changed because of new updates available the Software Update Group got corrupted.

This happened once, after i recreated all ADR's en redeployed the Software Update Groups everything looks fine again.

Can anyone help me to explain how this all happened en how to prevent this from happening again?

Could it be possible that there are more issues and where do i have to look for these?

Performance impact of SMB Signing

May 22, 2015, 8:21 am
$
0
0

Hello,

One of my customers is planning to enable SMB Signing for their SCCM infrastructure, and there are concerns when it comes to performance. We realize that SMB is used for a variety of communication among the systems involved:
https: // technet.microsoft.com/en-us/library/bb632618.aspx

Also, it is a Best Practice to use either IPsec or SMB signed traffic to protect communication channels:
https: // technet.microsoft.com/en-us/library/gg682165.aspx

Do you have any expierence on the performance impact and things to watch out for?

Thanks

Search

SCCM - compliance reports in SCCM 2012 R2

February 23, 2015, 11:16 am
$
0
0

Hi All,

Last week we were able to finish the deployment of software updates, but when we were checking for the compliance reports the report shows as enforcement state unknown or non-compliance , but when we checked for those machines , the machine was patched with latest updates. Did any one come across this situation ever before?. Is there a robust way of pulling compliance report in SCCM 2012 R2.

Regards,

SCCM 2012 Endpoint Protection Status Update Issue on Console

May 22, 2015, 12:35 am
$
0
0

Hello Dear All,

We're testing out Endpoint Protection in SCCM 2012 and would like to set up some reporting/alerts to go along with it. Unfortunately it doesn't look like SCCM is updating with accurate data from the endpoints. For example, if I launch Endpoint Protection on my computer it tells me it was updated today and has definition 1.199.413.0 but within the SCCM console my computer shows that it hasn't received definition updates in 7 days and shows my computer as having definitions 1.197.280.0 My hardware and software scans are running and have both run in the past 24 hours.

I can't see any way to force Endpoint Protection to refresh it's status information. If the reports are going to give me data that's old they won't be of any use to me. How do I go about refreshing the status info and having it auto refresh sooner than it obviously is? Running a Summarization did not help.

Regards,

Faisal Alvi

SCCM Engineer

Regards, Faisal Alvi PPL

Two software update packages per year instead of one?

May 23, 2015, 5:09 pm
$
0
0

I was reading somewhere (can't recall now where it was) that it is best to create two software update packages per year instead of one and name it according to the year, such as2015 SUM Annual - 1 and 2012 SUM Annual - 2. The Annual 1 package would be from January-June and the Annual 2 would be from July-December.

I cannot remember why this was recommended from wherever I read it, but I wanted to know if anyone can tell me why this is a good practice rather than just using one annual package?

Thank you all


Can I have multiple software update deployments targeting the same collection, but have the same deadline time?

May 23, 2015, 7:50 pm
$
0
0

I have 3 different update deployments: software updates, cumulative updates, and Adobe updates. 

These update deployments are all scheduled to have the same deadline time. 

Is this okay, or do I have to stagger them like for software updates have a deadline at 2AM, cumulative updates a deadline at 3AM, and Adobe updates a deadline at 4AM?

Thanks



Post Build patching TSQ failuer

May 21, 2015, 12:27 am
$
0
0

Hi All,

we are getting the below error when trying to install the software updates after the build using a TSQ, could you please help me.

smsts.log

Policy evaluation initiated 
Successfully initiated RefreshUpdates operation  
Waiting for RefreshUpdates complete notification from Updates Deployment Agent 
Timedout waiting for updates refresh complete notification  
Process completed with exit code 2147943860 
!--------------------------------------------------------------------------------------------! 
Failed to run the action: Install Software Updates.
This operation returned because the timeout period expired. (Error: 800705B4; Source: Windows) 
Set authenticator in transport 
Set a global environment variable _SMSTSLastActionRetCode=-2147023436 
Set a global environment variable _SMSTSLastActionSucceeded=false 
Clear local default environment 
Let the parent group (Post Build patching) decides whether to continue execution 
The execution of the group (Post Build patching) has failed and the execution has been aborted. An action failed.
Operation aborted (Error: 80004004; Source: Windows) 
Failed to run the last action: Install Software Updates. Execution of task sequence failed.
This operation returned because the timeout period expired. (Error: 800705B4; Source: Windows) 
Set authenticator in transport 
Task Sequence Engine failed! Code: enExecutionFail 
**************************************************************************** 
Task sequence execution failed with error code 80004005 
Cleaning Up. 
Removing Authenticator 
Cleaning up task sequence folder 
Unable to delete file C:\_SMSTaskSequence\TSEnv.dat (0x80070005). Continuing. 
Failed to delete directory 'C:\_SMSTaskSequence' 
SetNamedSecurityInfo() failed. 
SetObjectOwner() failed. 0x80070005. 
RemoveFile() failed for C:\_SMSTaskSequence\TSEnv.dat. 0x80070005. 
RemoveDirectoryW failed (0x80070091) for C:\_SMSTaskSequence 
Deleting volume ID file C:\_SMSTSVolumeID.7159644d-f741-45d5-ab29-0ad8aa4771ca ... 

Prashanth Kumar System Center Administrator

Updates not installing

May 20, 2015, 3:03 am
$
0
0

Hi,

     We handle more than 50000 clients for a customer and recently we are having problems in some machines when we deploy the patches.The patches(Security and office) get stuck at 0% or getting failed in some machines. We tried uninstall and then re install client(2012 R2) or WMI rebuild. But still the issue persist.  Could some one help me how to fix this issue.

Thanks,

Natthom.

Trend Micro Updated Compliance Report

May 19, 2015, 11:06 pm
$
0
0

Hi All,

I am looking for some solution where SCCM can sense Whether Trend Micro anti-virus is patched with latest definition update or not.

Please guide how can we achieve this from compliance in SCCM

Thanks Rahul$

Search

WSUS updates in CM12 from local WSUS

May 13, 2015, 1:42 pm
$
0
0
I am currently working in an environment that uses WSUS for updates that are hand selected based on need, in CM12 under software updates we get all our updates from microsoft and then have to filter and decide which ones go into our update package and then injected into the windows wim. The issue is that the windows updates in CM12 don't match up with what our WSUS is pushing so we still get stuck with having to run windows updates after imaging. Is there any way we could have CM12 only see updates from our local WSUS server that way we inject exactly what is needed every time?

SCEP and UAC - Basic\Limited Users cannot change scan times

May 14, 2015, 1:52 pm
$
0
0

I have mostly limited users on workstations in my environment. SCCM/SCEP works great except that I cannot allow my limited users to manage SCEP settings even though I DO ALLOW them to do this via SCCM policy. 

I tried enabling UAC to see if that somehow resolves the issue for my limited users but that's not the case.

With UAC off I get access denied.

With UAC on I get a prompt, and then it looks like the prompt doesn't accept the creds. You just get re-prompted (perhaps access denied).

Anything I can do short of granting them local admin access which seems silly? I am surprised I could not find anything regarding this issue.

Please help! Thanks!


Patching Office 365 with Configuration Manager 2012!

May 25, 2015, 2:20 am
$
0
0

Dear All,

I need procedure to update all office 365 on network via SCCM 2012 R2.

Please guide me how to update office 365 via SCCM. i would be very thankful to you.


Regards, Faisal Alvi PPL

Troubles applying Windows Updates with SCCM 2012 r2

May 25, 2015, 6:04 am
$
0
0

Hello,

I am experiencing a frustrating issue when attempting to push out windows updates via SCCM in either a manual fashion or with an automatic deployment rule. About 50% of the computers in our test area are attempting to get their updates from the primary site server (which they cannot access because of network configurations) instead of the secondary site servers they are able to connect to. The other 50% of the area all contact the secondary site server and apply their updates as expected.

The "LocationServices.log" from both the working and non working computers look the same and properly identify the secondary site server a valid WSUS Path, the only difference is in the "WUAHandler.log" which will show the Primary site server as the WUA Manager server instead of the secondary site server.

All the machines are in the same boundary, have the same client version installed on them, and they all preform other SCCM operations as expected, Application distribution, Software/hardware inventory, Endpoint protection, etc.

Any assistance with this would be greatly appreciated.

Chris

LocationServices.log
Current AD site of machine is Staff-Academic-Public    LocationServices    5/20/2015 8:23:50 PM    2176 (0x0880)
Created and Sent Location Request '{32CEE48D-074F-42A6-ADED-8A5BAE30C272}' for package {3B1C6533-2073-4D89-97E2-241013CC360D}    LocationServices    5/20/2015 8:23:50 PM    2176 (0x0880)
Calling back with the following WSUS locations    LocationServices    5/20/2015 8:23:50 PM    4128 (0x1020)
WSUS Path='http://vapp1660.DOMAIN:8530', Server='VAPP1660.DOMAIN', Version='2093'    LocationServices    5/20/2015 8:23:50 PM    4128 (0x1020)
WSUS Path='http://VAPP1663.DOMAIN:8530', Server='VAPP1663.DOMAIN', Version='2093'    LocationServices    5/20/2015 8:23:50 PM    4128 (0x1020)
WSUS Path='http://vapp1660.DOMAIN:8530', Server='VAPP1660.DOMAIN', Version='2093'    LocationServices    5/20/2015 8:23:50 PM    4128 (0x1020)
Calling back with locations for WSUS request {32CEE48D-074F-42A6-ADED-8A5BAE30C272}    LocationServices    5/20/2015 8:23:50 PM    4128 (0x1020)
Executing Task LSSiteRoleCycleTask    LocationServices    5/20/2015 8:28:59 PM    2664 (0x0A68)
The MP name retrieved is 'vapp1660.DOMAIN' with version '7958' and capabilities '<Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>'    LocationServices   5/21/2015 7:21:40 AM    4736 (0x1280)
MP 'vapp1660.DOMAIN' is compatible    LocationServices    5/21/2015 7:21:40 AM    4736 (0x1280)


WUAHandler.log
Its a WSUS Update Source type ({3B1C6533-2073-4D89-97E2-241013CC360D}), adding it.    WUAHandler    5/18/2015 9:03:50 PM    5116 (0x13FC)
Existing WUA Managed server was already set (http://vapp1660.DOMAIN:8530), skipping Group Policy registration.    WUAHandler    5/18/2015 9:03:50 PM    5116 (0x13FC)
Added Update Source ({3B1C6533-2073-4D89-97E2-241013CC360D}) of content type: 2    WUAHandler    5/18/2015 9:03:50 PM    5116 (0x13FC)
Scan results will include superseded updates only when they are superseded by service packs and definition updates.    WUAHandler    5/18/2015 9:03:50 PM    5116 (0x13FC)
Search Criteria is (DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver')    WUAHandler    5/18/2015 9:03:50 PM    5116 (0x13FC)
Async searching of updates using WUAgent started.    WUAHandler    5/18/2015 9:03:50 PM    5116 (0x13FC)
Async searching completed.    WUAHandler    5/18/2015 9:04:15 PM    2408 (0x0968)
OnSearchComplete - Failed to end search job. Error = 0x80072ee2.    WUAHandler    5/18/2015 9:04:15 PM    4312 (0x10D8)
Scan failed with error = 0x80072ee2.    WUAHandler    5/18/2015 9:04:15 PM    4312 (0x10D8)

Failed software update returns error code 0x87D00668

July 6, 2012, 10:39 am
$
0
0

We are using Secunia CSI to create and publish 3rd party software update packages to SCCM 2012.  I have one client computer running Windows 7 Pro x64 that is having a problem with one update.  When the user tries to install the Adobe Reader update in Software Center it fails and returns the following error.

The software change returned error code 0x87D00668(-2016410008).

I haven't been able to find any information on this error code.  I was just wondering if anyone else has encountered this error and might have any information on it??

Viewing all 6382 articles
Browse latest View live
Search