Channel: Configuration Manager 2012 - Security, Updates and Compliance forum

Consolidate monthly updates into yearly

Hi,

I have inherited SCCM at a new company and want to re-organise the updates. We have monthly updates running via an ADR rule but I would like to know the correct process for moving (archiving) all the 2014 monthly updates to a 2014 Yearly Software Update Group and Deployment Package. I have seen lots of incomplete information about doing this out there but nothing which explains it fully.

From what I understand I would have to go into each 2014 monthly Software Update Group (SUG) and click 'edit membership' and remove its membership to that monthly group and add it to the 2014 yearly SUG? I would then have to create a new Deployment for 2014 also - but does this mean all updates are downloaded again? As I would still need all the 2014 and previous years updates deployed out just in case, or all Windows 7 updates post SP1 at least. I have noticed though that if you have too many deployments of updates assigned out then the OSD TS fails so am looking to correct that issue as well.

Thanks


If configuration manager 2007 can download security updates for windows server 2012 & 2012R2?

My env. is ConfigMgr 2007 installed on windows server 2008R2, and now, we built two windows server 2012 and 2012R2 servers.

I installed the ConfigMgr client on the windows server 2012, and the status is normal as I check.

Now when I download the security updates, it shows the errors:  The server returned an invalid or unrecognized response

I checked the PatchDownloader.log and it shows the errors as below:



Michael Chiang

Windows server 2012 Remote Desktop Certificate deleted. How to generate the self-sign certificate or restore it back?

I deleted the Remote Desktop certificate, I remember it will be generated automatically in windows server 2008. But now, it can not generate in windows server 2012. How to restore it back or generate it? Thanks.


Michael Chiang

Allow only for a few computers Windows Updates / Software patches over VPN - possible?

Hi,

I have several users "over 150" that connect over an SSL VPN from their home networks, hotel network etc.
Now there is a little problem with installing security patches on these clients:
On the one hand I have several users who are working ONLY over an SSL VPN connection over a home network (good and unlimited bandwidth).
On the other hand there are a lot of users who are using SSL VPN regularly for some weeks over networks from hotel, restaurant, cafe, hotspot (which are subject to charge and not very fast). After some weeks they are back in the office.

Now how would it be possible to make a separation of these two kinds of users when pushing Windows Update (inter alia security patches of applications) to these SSL VPN members:
- where we know that they are mostly using a subject to charge SSL VPN connection?
- where we know that they are using free internet although they are using SSL VPN regularly?

At the moment we blocked the SSL VPN IP range with a boundary (no site assignment, no site system server), that they cannot download any windows updates / or anything else. But if we are thinking about the security site, that will be in the future tense a security problem.

How would you prefer to solve this problem or would it even be possible to solve this problem?

Would it even be possible to solve this problem? If yes, is there another solution to solve the problem without doing either/or (block VPN IP Range with Boundary / allow VPN IP Range to receive updates, patches etc)?

Thank you in advance!

Software updates not installing even after deadline reached

We don't have a maintenance window defined for the client collection but see servicewindowmanager.log references 'out of hours' 22:00-5:00.  The deployment doesn't have a tick against allow software updates installation outside the maintenance window.  Does out of hours count as a maintenance window re this tick box?   We have also increased the computer restart client setting to 9 hours which exceeds the out of hours window - could this be the issue?  I tried reducing this in a new client setting and publishing to a test collection but no difference

Software center shows many required updates as 'waiting to install'

Thanks

David

CUpdateAssignmentsManager received a SERVICEWINDOWEVENT START Event UpdatesDeploymentAgent 27/05/2015 22:00:00 6816 (0x1AA0)
Suspend activity in presentation mode is selected UpdatesDeploymentAgent 27/05/2015 22:00:00 6816 (0x1AA0)
At least one user has elected to suspend non-business hours activity when in presentation mode. Checking for presentation mode. UpdatesDeploymentAgent 27/05/2015 22:00:00 6816 (0x1AA0)
Proceeding to non-business hours activites as presentation mode is off. UpdatesDeploymentAgent 27/05/2015 22:00:00 6816 (0x1AA0)
Auto install during non-business hours is disabled or never set, selecting only scheduled updates. UpdatesDeploymentAgent 27/05/2015 22:00:00 6816 (0x1AA0)
A user-defined service window(non-business hours) is available. We will attempt to install any scheduled updates. UpdatesDeploymentAgent 27/05/2015 22:00:00 6816 (0x1AA0)
Attempting to install 0 updates UpdatesDeploymentAgent 27/05/2015 22:00:00 6816 (0x1AA0)
No actionable updates for install task. No attempt required. UpdatesDeploymentAgent 27/05/2015 22:00:00 6816 (0x1AA0)
Updates could not be installed at this time. Waiting for the next maintenance window. UpdatesDeploymentAgent 27/05/2015 22:00:00 6816 (0x1AA0)
CUpdateAssignmentsManager received a SERVICEWINDOWEVENT END Event UpdatesDeploymentAgent 28/05/2015 05:00:00 6316 (0x18AC)
No current service window available to run updates assignment with time required = 1 UpdatesDeploymentAgent 28/05/2015 05:00:00 6316 (0x18AC)
Attempting to cancel any job started at non-business hours. UpdatesDeploymentAgent 28/05/2015 05:00:00 6316 (0x18AC)
Cancellation not allowed in the current job state UpdatesDeploymentAgent 28/05/2015 05:00:00 6316 (0x18AC)

A Timer Event has occurred ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
    Sending Message SERVICEWINDOWEVENT:START event ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
    The Service Window=45dca355-3249-4845-b8aa-72d0e604548e has started at 05/27/15 22:00:00 ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
Checking Service Windows to find Next Event..... ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
    Next Event Time is at 05/28/15 05:00:00. Service Window with ID:45dca355-3249-4845-b8aa-72d0e604548e. Is the next event the beginning of the window? No ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
    Scheduling the Timer Task ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
    Scheduled the timer to fire on 05/28/15 05:00:00 ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
OnIsServiceWindowAvailable called with: Runtime:900, Type:2 ServiceWindowManager 27/05/2015 22:00:00 1676 (0x068C)
No Restricting Service Windows exist. It can therefore run... ServiceWindowManager 27/05/2015 22:00:00 1676 (0x068C)
OnIsServiceWindowAvailable called with: Runtime:1, Type:4 ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
No Restricting Service Windows exist. It can therefore run... ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
OnIsServiceWindowAvailable called with: Runtime:1, Type:6 ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
        Biggest Active Service Window has ID = 45dca355-3249-4845-b8aa-72d0e604548e having Starttime=05/27/15 22:00:00 ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
            Duration is 0 days, 07 hours, 00 mins, 00 secs ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
ActiveServiceWindow has 25200 seconds left ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
Program can run! Setting *canProgramRun to TRUE ServiceWindowManager 27/05/2015 22:00:00 6816 (0x1AA0)
OnIsServiceWindowAvailable called with: Runtime:900, Type:6 ServiceWindowManager 27/05/2015 22:00:00 1676 (0x068C)
        Biggest Active Service Window has ID = 45dca355-3249-4845-b8aa-72d0e604548e having Starttime=05/27/15 22:00:00 ServiceWindowManager 27/05/2015 22:00:00 1676 (0x068C)
            Duration is 0 days, 07 hours, 00 mins, 00 secs ServiceWindowManager 27/05/2015 22:00:00 1676 (0x068C)
ActiveServiceWindow has 25200 seconds left ServiceWindowManager 27/05/2015 22:00:00 1676 (0x068C)
Program can run! Setting *canProgramRun to TRUE ServiceWindowManager 27/05/2015 22:00:00 1676 (0x068C)

Log(s) for changes for rate limits for a distribution Point

Hello,

What would be the log or logs for changes made to the rate limits for a distribution point.  I have a feeling someone in my group is bumping up the rate limits for a particular distribution point prior to deploying software packages and once done, setting it back to the original value. We are getting a large network spike in our distributions, even though Rate throttling is in effect.

Thanks,

Mark

SharePoint Server 2013 farm software updates not available in SCCM

At my current customer, we are currently switching over to SCCM for all Software Update Management.

For now, the only issue we are experiencing is that we do not receive SharePoint updates on our SharePoint Server 2013 farm. With WSUS we can detect these, but they are not listed in SCCM. We sync directly with Windows Update.

It is specifically the updates that are marked as "farm-deployment", as you can see for example in this image:
http://2.bp.blogspot.com/-gI8Ew7RlY0g/VPqM0QUn6oI/AAAAAAAAIDQ/S1Ufp0x-mSU/s1600/windows%2Bupdate%2Bincludes%2Bsharepoint%2B2013%2Bpatches.png

In the SUP properties, we have enabled the Office 2013 product and all classifications besides "Tools".

Am I missing something?

Problems with auto remediation.

Hello,

I am attempting to use the Microsoft Security Compliance Manager 3.0 (SCM), Group Policy Objects (GPO) and System Center Configuration Manager 2012 R2 (SCCM) to enforce security configuration compliance on devices. I have successfully

  • Imported GPO Backups into SCM
  • Exported the settings from SCM using the SCCM DCM 2007 (.cab) option
  • Imported the resulting cab file into SCCM 2012 R2 configuration baselines
  • Deployed the SCCM 2012 R2 configuration baselines, I made sure to select Remediate when supported
  • Verified the devices are getting the assigned configuration baselines by reviewing compliance reports

What I have not been able to accomplish is having SCCM 2012 R2 automatically remediate the non-compliant findings. Delving deeper into the SCCM 2012 R2 settings I found that

  • On the Configuration Item “Settings” tab, each setting has a Setting Type of Script
  • On the Configuration Item “Compliance Rules” tab, each rule has a “Remediate” value of “No”
  • The selection to “Run the specified remediation script when this setting is noncompliant” is not visible.
  • When I check the properties of the compliance rules, the Discovery script is created, but the Remediation script is not.

I’ve noticed the same thing on configuration baselines based on the Microsoft Baselines as well as custom baselines created from GPO backups.

I assumed everything required to configure automatic remediation was included in the baselines (from the Microsoft Baselines and any custom baselines created in SCM).

Is that incorrect? Do I need to perform a different step to get the remediation scripts?

Do I have to manually create all the remediation scripts?

Is there something in the process of getting the settings transferred from GPOs to SCM, or from SCM to SCCM 2012 R2 that would cause auto remediation to fail?


SCEP 2012 r2 - Automatic Deployment Rule for definitions failure

I am attempting to create my first automatic deployment rule and noticed that I can't create one on my deployment share but can locally. In my ruleengine.log I get a bunch of error 5's so security access is the obvious answer. When I look at the directories created by the local test automatic deployment rule I see that the owner is my local administrator. When I set up SCCM I thought I told it to use a different user for creation/configuration but looks like I didn't. Where can I change the user that the system uses to create these packages?

Thanks for any help.

SCEP Definition Update error "80070643" "fatal error during installation." with ADR Rule.

We got SCEP  Definition Update error "80070643" "fatal error during installation" with an ADR Rule.

What I understand is that these clients are missing mpam-fe.exe or mpam-feX64.exe. I can't find these files in the ADR source package. I only find files like "AM_Delta_Patch_1.197.2044.0.exe".

The error means the client needs a full engine definition update (mpam-fe.exe) to install the delta definition update (mpam-d.exe). You need to create a package for the mpam-fe.exe and send it out to the clients and after that they were able to install the delta definition updates.

http://support.microsoft.com/kb/935934

I thought the "full engine definition update" gets included when you create the ADR Endpoint definition update "SUG".

Have I missed creating a deployment for the "mpam-fe.exe" and "mpam-feX64.exe" files? Or is there something else I may have missed?


/SaiTech

How to configure SCCM 2012 Network Access Protection

Hi, NAP has been an untouched domain for me till now as nowhere was it needed. But now I need to configure it for a customer who is using SCCM 2012 for only patching and Software distribution for 3000 clients.

Looking for a step by step approach so that I could do it in my lab and then production.

Regards..

The policy for this program does not exist or is invalid while working on software updates.

Hi All,

We are running SCCM 2012R2 as a standalone primary site.

Recently, we deployed MS updates for June (about 26) to some test machines (around 100) and scheduled it to run as soon as possible.

The deployment was working perfectly, then I noticed an error "The policy for this program does not exist or is invalid" for a specific update which failed on about 80 machines.

I checked and ensured that the update in question was downloaded/deployed and was a part of the update deployment. But not sure as why we got that error.

We tried running the machine /update scan/update deployment cycle policy but the issue remained the same.

When left with no other option, I rebooted one of the problematic machines and re-ran the machine policy; this time the machine installed the update.

We then did the same thing for all the remaining machines and were able to get the update to install.

The same thing happened with a different update in the May patching cycle and we installed the updates (manually or by rebooting the machines and running the machine policy/update deployment cycle policy).

However, I would be interested in finding out if anyone else has come across this issue. If yes, then what is the reason? As we cannot manually reboot all the machines to fix (if the same issue occurs the next time).

Any suggestion on the same is highly appreciated.

Thanks

Manish

SCEM failed to update ID 2001 Your computer is low on memory

Hi all,

I have a situation with more than 30 servers. Many are 2003 SP2 x86 and are Citrix hosts. I have a lot of errors like this:

Error Microsoft Antimalware ID 2001:

Microsoft Antimalware has encountered an error trying to update signatures.

New Signature Version: 1.197.2055.0

Previous Signature Version: 1.197.1901.0

Update Source: User

Update Stage: Install

Source Path:

Signature Type: AntiSpyware

Update Type: Delta

User: CORP\z-ceobac

Current Engine Version: 1.1.11602.0

Previous Engine Version: 1.1.11602.0

Error code: 0x80508007

Error description: Your computer is low on memory. Close some programs and try again, or search Help and Support for information about preventing low memory problems.

I've tried manually and same error, you can see that I have enough memory (RAM) available.


Total Physical Memory:     4,095 MB
Available Physical Memory: 1,844 MB
Page File: Max Size:       8,021 MB
Page File: Available:      5,427 MB
Page File: In Use:         2,594 MB
Page File Location(s):     c:\pagefile.sys

Definition updates will not install through WSUS on some machines

We are using System Center Endpoint Protection 2012 and recently we have had 2 Windows 2003 servers and 1 Windows 7 workstation start failing definition updates through WSUS. If I click on the update button in Endpoint Protection it comes back with a connection failed and the following events show up in the application log:

EventType mptelemetry, P1 0x80508007, P2 mpupdateengine, P3 am delta, P4 11.1.4958.0, P5 mpsigstub.exe, P6 4.6.305.0, P7 system center endpoint protection, P8 NIL, P9 NIL, P10 NIL.

and

The description for Event ID ( 5000 ) in Source ( Microsoft Security Client ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: mssecurityclient, msseces.exe, 4.6.305.0, 0x80070643, update, cmainwindow__onsignatureupdatestatus, 0, system center endpoint protection, NIL, NIL, NIL.

The system log also gives me the following errors:

Microsoft Antimalware has encountered an error trying to update signatures.
  New Signature Version: 1.191.2687.0
  Previous Signature Version: 1.191.2665.0
  Update Source: User
  Update Stage: Install
  Source Path:
  Signature Type: AntiVirus
  Update Type: Delta
  User: NT AUTHORITY\SYSTEM
  Current Engine Version: 1.1.11302.0
  Previous Engine Version: 1.1.11302.0
  Error code: 0x80508007
  Error description: Your computer is low on memory. Close some programs and try again, or search Help and Support for information about preventing low memory problems.

and

Microsoft Antimalware has encountered an error trying to update signatures.
  New Signature Version:
  Previous Signature Version: 1.191.2665.0
  Update Source: Internal Definition Update Server
  Update Stage: Install
  Source Path: <WSUS Server>
  Signature Type: AntiVirus
  Update Type: Full
  User: NT AUTHORITY\SYSTEM
  Current Engine Version:
  Previous Engine Version: 1.1.11302.0
  Error code: 0x80070643
  Error description: Fatal error during installation.  

I can download the definition updates manually and they will install fine. WSUS updates will then start working for a few days and then they start failing again. I have uninstalled the System Center client and Endpoint Protection several times and then reinstalled and still no good. We are not low on memory and there is nothing wrong with our connection.

Does anyone know what could be causing definition updates to fail through WSUS all of a sudden?

Upgrading to IE11 issue

I am hoping someone can help me figure this out. I have some collections (shown in the attachment) that list all of the IE versions in my organization. When looking at the IE8 machines and above, I see 1838 machines, however, when I look at what is required to push this as a software update, I only see 578. I am not sure why it isn't seeing something closer to 1800 machines that need IE8...

Do I maybe need to upgrade IE 8 to IE 9 or 10 before pushing out IE11? 

Any info is appreciated.  Thanks.


SCCM vs Cluster Aware Updating for patches

Howdy,

We use SCCM 2012 R2 to handle all our updates and patches for Windows.  We do NOT have SCCM do any patching of our clustered machines since that's what CAU is for.  How do I use these two things together?

Can I deploy patches to the clustered machines with no deadline or with available instead of required and then use CAU to install them or does CAU look directly to WSUS?  We don't do anything directly with our WSUS server as far as approving patches or anything since SCCM takes care of that for all the other workstations and servers.

If I approve patches within WSUS then I'm assuming those patches would show up in Windows Update for all the machines which we don't want to have happen so I'm just stuck figuring out how this all works.

If anyone can shed some light on this for me, that'd be great.

Thanks!

Deploying IE 11 Issues

I've approved the IE 11 Update, and downloaded it, and deployed it.

When I check compliance of the update I am seeing multiple computers showing compliant but they are actually still running IE 9 even after multiple reboots. See attached screenshots.

Additionally when just looking at the software updates from the SCCM console I'm also seeing the update "not required" for over 1/3 of the computers in the organization but I KNOW they are only running IE 9.

How do I get IE 11 onto these machines via the SCCM Software Update service?

Thanks

 

Can't re-publish updates from SCUP to SCCM after reactivating an Adobe Flash update after I expired it

How do I go about re-publishing an expired update from SCUP after reactivating it? 

When I re-publish it, I receive the following messages:

1 updates were selected for publish

1 updates were skipped as no action is necessary

If I cannot re-publish the reactivated update, how will WSUS on my SUP know to un-expire it?

Thanks

Configuring the Computer Agent in Client Settings to display Software Update notifications ONLY within Maintenance Windows

Is there a way to have software update notifications display ONLY within Maintenance Windows? 

For instance, when I enable a Software Update deployment on a Maintenance Window collection, is there a way to have the notifications to the users display only within that MW and not before?

I don't think there is, but wanted to get some confirmation on this. 

Thanks everyone

SCCM - software updates - Not required.

Hi All,

Can someone help with the understanding of "Not Required" software updates? How does SCCM actually decide why a particular software update is not required for a machine?

Rgs,
