Channel: Configuration Manager 2012 - Security, Updates and Compliance forum

Updates not required but manual installation works


Hey guys,

I am trying to deploy some Update Rollups for Windows Server 2012 (non-R2). They are KB2934016 and KB2955163. Both updates are shown as "not required" in the Config Mgr Console (2012R2). But if I download the update and try to install it manually on a W2k12 server, it can be installed. And they are NOT shown as "installed" after manual installation.

I thought maybe all updates from the Rollup are already installed on the machine, but searching for the KB numbers listed in the Rollup description returns no results (in the Config Mgr Console and on the client's Control Panel --> Installed Updates).

I can see that both updates have been revised a month after they were released. Is it possible they switched the KB numbers? (Sorry for that stupid question :D)

Any other ideas what's happening here? Thanks a lot.

Best regards

Philipp


SCCM 2012 patching schedule


Hi,

I'm trying to configure a patching schedule for the servers in our environment through collections. I want to schedule maintenance windows on each collection based on a certain number of days after patch Tuesday. The default schedule allows you to use the second, third etc. day of the month, but this is not always going to be usable compared to patch Tuesday, which will always be the second Tuesday of the month, i.e. if the first of the month is a Wednesday, the second Thursday of the month will be the week before the second Tuesday.

I hope that makes sense? Any ideas?

managing SCEP without Software Update Point


I have a client with a brand new SCCM 2012 install.  They want to leverage all of SCCM down the road, but for now all they want to implement is SC Endpoint Protection.  They will NOT be managing software updates via SCCM.  For software updates, they are still managing their clients through their existing WSUS servers which are assigned via GPO.  Some clients do NOT have internet access, so I can't let them pull updates from Microsoft directly.  I want to have them pull from DPs.  

SCCM has its own WSUS server which is pulling SCEP updates down, and an ADR is running to generate the SCEP packages. But managing software updates is DISABLED in the client policy. If we don't do this, then obviously, the clients will have a GPO conflict.

I've disabled WSUS as a source point for SCEP updates in the SCEP policy agents, so it should only be pulling from SCCM or Microsoft. But I think that the SCEP client won't update if the WSUS server isn't syncing Forefront updates.

Is there a way to manage SCEP updates when a client environment has a WSUS server/Software updates environment that is NOT linked to SCCM?   How can we push updates to clients via a package without using the WSUS components?  

Thanks!

Is there any method to identify non-compliant machines?


Is there any method to identify non-compliant machines? For example, if machines have some additional software installed, how can we identify those machines at enterprise level? Is it possible to use compliance settings using PowerShell? Or is it possible to identify non-compliant machines via reporting?

File extensions changed to vhatpse


Hi,

We are using System Center Endpoint Protection for our workstations. Today, the file extensions of all the data on a notebook changed to the vhatpse extension. I am unable to find anything related to this file extension and also not able to decide whether it is a virus, trojan, ransomware etc. A full scan via SCEP with the latest definition file has already been performed and nothing was found on that notebook. Can anyone please assist with how to find the exact problem? What should I do to keep this thing from spreading to other workstations? How could I recover the data?

 


Regards, Syed Fahad Ali


The license terms of one or more updates are unavailable.


Hi,

I have a 2003 server in a DMZ that reports the above error in the WUAHAndler.log.

There is both a MP and a SUP in the DMZ that connects to an internal primary site. I am running SCCM 2012 SP1.

Servers on the internal network are installing the update just fine, so it doesn't seem to be the license file that is corrupt.

I am wondering, to be able to troubleshoot this, how is the license obtained by the client?

Thanks in advance.

Thomas

SCCM Security Roles


Hi,

I have the following requirement for the site admins roles

1) They should be able to add the machines to the collections.

2) Do a client Push

3) Able to see visible members only for the collections they have access

What I have noticed is that they are able to create and delete collections, which I don't want.

Current roles are :

Application Administrator
Read-only Analyst
Remote Tools Operator
Report Users

Can I prevent this from happening by modifying the roles' permissions?

WSUS complete install

Does the Software Update Point role first need WSUS 3.0 SP2 installed and then the WSUS role in Windows Server 2012? My question is: if I install the WSUS role instead of WSUS 3.0 SP2, what will happen? Second question: what is the difference between the WID database and a database, and after installation of WSUS, how do I know which option was selected?

Consolidate monthly updates into yearly


Hi,

I have inherited SCCM at a new company and want to re-organise the updates. We have monthly updates running via an ADR rule, but I would like to know the correct process for moving (archiving) all the 2014 monthly updates to a 2014 Yearly Software Update Group and Deployment Package. I have seen lots of incomplete information about doing this out there but nothing which explains it fully.

From what I understand, I would have to go into each 2014 monthly Software Update Group (SUG), click 'edit membership', remove its membership of that monthly group and add it to the 2014 yearly SUG? I would then have to create a new Deployment for 2014 also, but does this mean all updates are downloaded again? As I would still need all the 2014 and previous years' updates deployed out just in case, or all Windows 7 updates post SP1 at least. I have noticed though that if you have too many deployments of updates assigned out then the OSD TS fails, so I am looking to correct that issue as well.

Thanks

KB3025417 breaks SCEP reporting about malware


So, this is one of the odd ones.

We have set up our SCCM/SCEP to send e-mails when new malware is found in selected collections (Alerts).

During last week, I was surprised to see that our environment was without malware at all (according to the endpoint protection status in the SCCM console). That's very unlikely to happen, so I started testing the SCEP client on a newly installed W81 machine. I did a few tests with the following: http://www.eicar.org/86-0-Intended-use.html

SCEP instantly found the string as malware, which is what I hoped for. I waited to see if the client would report that back to SCCM as usual, but no. Nothing ever shows up in the console.

Long story short: we went back to see when we last received an e-mail based on a malware alert in SCCM. The last e-mail was dated March 14th 2015.

So we went back to see what happened on our clients back in March, and during our troubleshooting we went through every software update we released in March, and it appears that KB3025417 is causing the trouble here. (Note: I also suspect that the update itself is unnecessary given we have SCEP, and the update is related to Windows Defender. However, the update is seen as required by all W81 clients.)

We ended up excluding the mentioned update, and reinstalled a client and voila; SCEP works fine again. The minute we install the update, SCEP on the client is no longer reporting the found malware back to SCCM. Also, uninstalling the update doesn't do anything. The damage is done.

We found a few others reporting similar behaviour. While they don't mention the KB itself, I suspect it's the very same issue: https://social.technet.microsoft.com/Forums/en-US/34903763-b423-41b4-8783-b75df94337d0/scep-email-alerts-stopped-working-in-sccm-2012-r2?forum=FCSNext

The environment is SCCM 2012 R2 CU4, Antimalware Client Version: 4.8.204.0, Windows 8.1 x64

Also, note that everything around the SCCM client seems healthy. Deployments are installing and reporting back as usual. Nothing else seems broken, and the SCEP component is also healthy.

This is probably a case for MS Support, but given that I see a few others with the same issue, I also suspect that there are a lot more out there with the same problem. They just don't know yet, or haven't figured out why it stopped working.

Any pointers or comments on the above are much appreciated.

Thanks in advance.



Martin Bengtsson | www.imab.dk







Info missing from the "Compliance 5 - Specific computer" for various computers, but not all computers


I am trying to access this report for some systems and when I open it up, it is completely blank for some computers, but not all of them. 

What is the reason for this behavior?

Thanks

Error in installing the available updates in Software center, getting failed and the Event ID is 1001


We have some servers that we just added to our SCCM environment. These servers are placed into a collection where no updates are currently approved. There is a good chance that prior to the addition to SCCM there were some updates available from MS. I've tried to manually run Windows Update and get the error: 800B0100

Could it be that the following error message is related to the "loss" of available updates after our transition to SCCM? Any advice would be appreciated!

Log Name:      Application
Source:        Windows Error Reporting
Date:          8/3/2012 10:05:00 AM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      server.domain.local
Description:
Fault bucket , type 0
Event Name: WindowsUpdateFailure
Response: Not available
Cab Id: 0

Problem signature:
P1: 7.6.7600.256
P2: 800b0001
P3: D67661EB-2423-451D-BF5D-13199E37DF28
P4: Scan
P5: 101
P6: Managed
P7: 
P8: 
P9: 
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.6.7600.256_7ee366d547bf512b2fbe156dd7b5f890708bd5e0_9ed2619a

Analysis symbol: 
Rechecking for solution: 0
Report Id: 59061364-dd8d-11e1-9acc-001d09f31d5a
Report Status: 4
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-08-03T17:05:00.000000000Z" />
    <EventRecordID>3954</EventRecordID>
    <Channel>Application</Channel>
    <Computer>server.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>WindowsUpdateFailure</Data>
    <Data>Not available</Data>
    <Data>0</Data>
    <Data>7.6.7600.256</Data>
    <Data>800b0001</Data>
    <Data>D67661EB-2423-451D-BF5D-13199E37DF28</Data>
    <Data>Scan</Data>
    <Data>101</Data>
    <Data>Managed</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.6.7600.256_7ee366d547bf512b2fbe156dd7b5f890708bd5e0_9ed2619a</Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>59061364-dd8d-11e1-9acc-001d09f31d5a</Data>
    <Data>4</Data>
  </EventData>
</Event>

maintenance window report


Hi guys, I've got some questions...

Scenario:

I have a collection A with a few members.

There is a maintenance window for this collection A.

The collection A does not have any deployments.

Questions:

1)

If I have a maintenance window for a collection, SCCM won't install any updates or applications on its members outside the maintenance window? Even though they are required? So when the maintenance window starts, SCCM tries to install all pending stuff, and if something fails or there is too little time, SCCM tries it again in the next maintenance window?

2)

How can I create a report which tells me which updates/applications have been installed on the collection A members during the last maintenance window?

Thanks in advance

SCEP: how good is it?


Hi,

We're worried about the effectiveness of System Center Endpoint Protection 2012. Some people claim that since it's not Microsoft's core business, the release and quality of virus definitions/actions are bad.
We would like to have your feedback on that or, even better, official statements that it isn't :-)

J.


Jan Hoedt

Updates Deployment - There are too many files for not selected languages


Hi,

Scenario:

  • SCCM 2012 R2.
  • Software Deployment for Spanish and English only (SUP configured languages: Spanish and English only)
  • Updates for Windows 7x64, Office2010x64, Office2013x64
  • Updates whose release date is between Jun 01 and Jun 10, 2015

Update files are downloaded for languages that were not selected (e.g.):

The problem: they quickly consume disk space.

The questions are:

Is the above normal behavior in SCCM?

If not:

How can I avoid downloading update files for languages that were not selected?

Thanks in advance!


Problem with Sharepoint 2013 'Farm Deployment' patches


I am seeing a strange issue with certain SharePoint patches in our SCCM environment (ConfigMgr 2012 R2 CU3 currently). Specifically, it is with patches that are released both in a 'Farm-Deployment' version and a 'normal' version.

I have so far been unable to find any solid info about these farm-deployment patches, but my guess would be that they contain functionality to ensure consistent patching across a farm of SharePoint servers in environments where you do not use WSUS/SCCM to ensure patch conformity.

What I see is that, checking a SharePoint server against Windows Update manually, or running MBSA on it locally, it will report the (Farm-Deployment version of the) patch missing and required, but ConfigMgr does not report it as required.

The WSUS repository contains both versions of the patch (farm-deployment and non farm-deployment).

SCCM Software Updates only contains the 'non farm-deployment' version (by design I guess), but NO SERVERS report it as required although MBSA clearly shows the patch is missing and required by the server (albeit the farm-deployment version). Consequently the patch is not applied anywhere.

The two versions are as far as I can determine quite identical; the only difference discernible in the update repository is that the farm-deployment version does not allow interaction.

Is anyone else seeing the same thing in their environment, and how are you handling these 'Farm-deployment' patches?

Getting a more in-depth report using reportbuilder.


Hi,

When I open the default SCCM report that shows all updates and on how many servers they are missing, Compliance 3, I want to change it in Report Builder so that when I click the missing count, it shows which servers that specific patch is missing on.

E.g:

Security Update for Microsoft Office 2007 suites (KB2883029) | 2883029 | MS15-044 | Microsoft | 0 | 146

(one of the results)

I want to be able to click the 146 so it shows which machines those are. Any hint on which code I should add?

Strange Windows Server 2012 R2 OS problem


Hello,

I'm having some issues with SUP and Windows Server 2012 R2 and software updates deployment.

In SCNotify_username.log the following appear:

The update "Name of update" has no UI experience,  it will not be displayed in the UI(Microsoft.SoftwareCenter.Client.Data.UtilityClass at IsSoftwareAvailable).

It doesn't show me the update in Software Center and I cannot install it. I have to go to Windows Update online and install those updates...

Does anyone else have this problem?

It works fine with other operating systems (Win7, Win2003, Win2008, Win2008R2).

Version: SCCM 2012 R2 on Windows 2008R2

Thanks in advance.

Catalin.

Some security permissions or roles or check sysadmin box


Before installing WSUS (database), do I need to check what account is used for installing, and do I need to edit or modify anything in SQL Management Studio? Some security permissions or roles, or check the sysadmin box?

Few questions before Upgrading SCCM 2012 to R2

I am getting ready to upgrade my SCCM 2012 SP1 (version 5.0.7804.1000) to SCCM 2012 R2.  Last night I got what seems a good backup by using Site Maintenance feature then Backup Site Server.  Later this afternoon I am getting with my company's programmer to make a backup of the database, and move the backup of sql to another server.  We will also test to see if the db can be upgraded.  

I have been using this guide: http://deploymentresearch.com/Research/Post/422/A-Geeks-Guide-for-upgrading-to-ConfigMgr-2012-R2-and-MDT-2013

I have a few questions that I would like to ask before proceeding any further.  

1. Is my version high enough to upgrade to R2?  From what I read it seems it is but want to make sure.

2.  After the upgrade to R2 has taken place and the KB2905002 hotfix has been applied, are there any other upgrades needed?

3.  After the upgrade will the client System Center 2012 Configuration Manager need to be upgraded to a newer version?  If so how do I go about doing this.  My company has about 8-10 people who use this on their pc currently.

4. Do I have to turn off my AV?  On the server it is currently System Center Endpoint Protection.

5.  The server that has SCCM 2012 installed on it currently is Windows 2012.  I would like to upgrade that also to Windows Server 2012 R2.  Should I be doing that before or after I upgrade SCCM?  

6.  For the upgrade of SCCM 2012 R2, how much free space should be available?  Currently have about 110gb free.

Thanks for the help in advance! 