I'm troubleshooting a problem at a customer with clients showing up in the temporary Collection "Active clients at risk" looking in the SCCM console.

Several clients have the "Endpoint Protection Product Status" like "Service not running" or "Service started without any malware protection engine; AV signatures out of date; AS signatures out of date".

When connecting to these clients with RDP and looking in the SCEP Client UI I can see that they are working as expected and have the latest definitions.

The question are why are they not reporting correct.

I’m looking in StateMessage.log and can see “Successfully forwarded State Messages to the MP”

At a couple of clients it seems that state messages like “State message(State ID : 1) with TopicType 1901 and TopicId AntimalwareHealthStatus has been recorded for SYSTEM” where missing and i tried to kill the WMI provider and restarted the SCCM-client. This worked but I don’t know why.

Anyone seen this behaviour and got a good solution or troubleshooting technique?

I'm getting the message below:

Alert: Synchronization failure alert for software update point: SCCM2012 (BBB)
Alert type: Software update synchronization failure
Severity: Critical
Active time (UTC): 6/22/2015 11:32 PM
Condition: Generate an alert if software updates synchronization fails for the Software Update Point role at the Primary Site (BBB) site.
Alert Text: Software updates synchronization for the Software Update Point role at the Primary Site (BBB) site failed.

I've looked in the wsyncmgr and WCM log files for errors but do not see any. Is there any other places to look for issues around this alert?

Hello All,

I am facing issue in patch deployment. Here is my case story.

I have one primary site. DP, SUP and FSP is configured in another servers which hosts the WSUS too. I am able to sync updates with SUP, create software update group and corresponding deployment package. Updates are getting downloaded to shared location (Every one has full control on this share). My package is getting distributed to DP, I can see the content status as successful and the one .ini file in the name of Package ID is present is PakageLib too.

But still this is not getting deployed on my client machine. Here is what all the logs says:

UpdatesDeployment.log
=====================

Message received: '<?xml version='1.0' ?>
 <CIAssignmentMessage MessageType='Activation'>
     <AssignmentID>{FBCED315-2ED9-4DA0-8A73-003229DB33ED}</AssignmentID>
 </CIAssignmentMessage>' UpdatesDeploymentAgent 03/02/2015 15:06:11 3524 (0x0DC4)
Assignment {FBCED315-2ED9-4DA0-8A73-003229DB33ED} has total CI = 2 UpdatesDeploymentAgent 03/02/2015 15:06:11 3524 (0x0DC4)
Assignment ({FBCED315-2ED9-4DA0-8A73-003229DB33ED}) received activation trigger UpdatesDeploymentAgent 03/02/2015 15:06:11 3524 (0x0DC4)
Detection job ({763BFB0C-283F-4522-8C42-D0FE88C7C387}) started for assignment ({FBCED315-2ED9-4DA0-8A73-003229DB33ED}) UpdatesDeploymentAgent 03/02/2015 15:06:11 3524 (0x0DC4)
DetectJob completion received for assignment ({FBCED315-2ED9-4DA0-8A73-003229DB33ED}) UpdatesDeploymentAgent 03/02/2015 15:06:11 2592 (0x0A20)
Update (Site_AA3D21FB-01AC-4E92-A3FF-A038E1628EB0/SUM_695961b4-6e6c-4fe4-9b47-6e51d05f6186) added to the targeted list of deployment ({FBCED315-2ED9-4DA0-8A73-003229DB33ED}) UpdatesDeploymentAgent 03/02/2015 15:06:11 2592 (0x0A20)
Update (Site_AA3D21FB-01AC-4E92-A3FF-A038E1628EB0/SUM_36451b50-3f6f-48cb-89d0-ee69ff62a67f) added to the targeted list of deployment ({FBCED315-2ED9-4DA0-8A73-003229DB33ED}) UpdatesDeploymentAgent 03/02/2015 15:06:11 2592 (0x0A20)

Updateshandler.log
==================
Initiating updates scan for checking applicability. UpdatesHandler 03/02/2015 15:06:11 2592 (0x0A20)
Successfully initiated scan. UpdatesHandler 03/02/2015 15:06:11 2592 (0x0A20)
Updates scan completion received, result = 0x0. UpdatesHandler 03/02/2015 15:06:11 2592 (0x0A20)

UpdatesStore.log
================
Querying update status of 2 updates. UpdatesStore 03/02/2015 15:06:11 2592 (0x0A20)
Querying update status completed successfully. UpdatesStore 03/02/2015 15:06:11 2592 (0x0A20)
Querying update status of 2 updates. UpdatesStore 03/02/2015 15:06:11 2592 (0x0A20)
Querying update status completed successfully. UpdatesStore 03/02/2015 15:06:11 2592 (0x0A20)

WUAhandler
=======
Its a WSUS Update Source type ({AA3D21FB-01AC-4E92-A3FF-A038E1628EB0}), adding it. WUAHandler 03/02/2015 14:24:23 3020 (0x0BCC)
Existing WUA Managed server was already set (http://<ServerName>/SMS_DP_SMSPKG$/Content_b16ab79e-2914-4835-aaae-32c5399363b5.1 ContentAccess 03/02/2015 15:07:11 228 (0x00E4)
Download request only, ignoring location update ContentAccess 03/02/2015 15:07:11 228 (0x00E4)
Location update from CTM for content Content_65c5626e-d263-4c1f-b813-8cc10dd6cc17.1 and request {24ABBA1F-2AC2-4F4B-B9E9-85A3FB8FA53B} ContentAccess 03/02/2015 15:07:11 228 (0x00E4)
Download location found 0 - <a href="http:///SMS_DP_SMSPKG$/Content_65c5626e-d263-4c1f-b813-8cc10dd6cc17.1">http://<ServerName>/SMS_DP_SMSPKG$/Content_65c5626e-d263-4c1f-b813-8cc10dd6cc17.1 ContentAccess 03/02/2015 15:07:11 228 (0x00E4)
Download request only, ignoring location update ContentAccess 03/02/2015 15:07:11 228 (0x00E4)

LocationServices.log
====================
Executing Task LSRefreshLocationsTask LocationServices 03/02/2015 15:31:47 3724 (0x0E8C)
Unable to retrieve AD site membership LocationServices 03/02/2015 15:31:48 3724 (0x0E8C)
Unable to retrieve AD site membership LocationServices 03/02/2015 15:31:48 3724 (0x0E8C)
Unable to retrieve AD site membership LocationServices 03/02/2015 15:31:48 3724 (0x0E8C)
Unable to retrieve AD site membership LocationServices 03/02/2015 15:31:48 3724 (0x0E8C)
Unable to retrieve AD site membership LocationServices 03/02/2015 15:31:48 3724 (0x0E8C)
Unable to retrieve AD site membership LocationServices 03/02/2015 15:31:48 3772 (0x0EBC)
Calling back with empty distribution points list LocationServices 03/02/2015 15:31:48 3772 (0x0EBC)

CAS.log
=======
Location update from CTM for content Content_6a5bb598-43c9-4923-95e0-a6fa3ec4224d.1 and request {65A53442-51A0-495A-960F-E3147FD676E6} ContentAccess 03/02/2015 15:31:48 3724 (0x0E8C)
Download request only, ignoring location update ContentAccess 03/02/2015 15:31:48 3724 (0x0E8C)

My site was crashed recently and we made this up from site backup. Other features including Application Deployment is working fine. I tried uninstallation and reinstallation of SUP too. But couldn't give any result.

Please help.

V I S H N U

I am setting up SCCM 2012 R2 and testing the Win 7 updates. I have configured the SUP Products to Sync for Windows 7, performed a sync successfully followed the steps through deploying the package (my Windows 7 update group currently has 457 items).  Once a test client has all of the updates installed, I had the machine sync with MS update site and it found 61 additional important updates and more 11 that are optional.

A search under All Software Updates does not find the missing updates.

I have plugged about 20 of these Updates into the WSUS Update Catalog and per the Package Details, none of them have been replaced by newer updates or request user input.  I have also searched my wsyncmgr.log and none of them are found in the log file (which does list many updates that were skipped because they were superseded).  

Per a Blog I found describing the differences between Windows Update Catalog and Windows Update (Windows-update-what-is-it-good-for), I looked up the updates and all of the updates from 2012 and 2013 show, “Locale: All” and, “Deployment: Recommended/Automatic Updates, WSUS, and Catalog .“  Half of the ones from 2014 show the same while others are just listed under a non-descript,“Changes to existing non-security content.”

So why are these not identified as updates my server should download?

Here are some of the updates I am looking at:

KB2719857          KB2726535          KB2729094          KB2732059        

KB2732487          KB2750841          KB2761217          KB2763523

KB2773072          KB2791765          KB2800095          KB2808679

KB2820331          KB2834140          KB2843630          KB2852386

KB2853952          KB2882822         

Thanks for any help

We have a bunch of CIs in our baseline and I want to be able to create a collection for non-compliance on the individual CI instead of the complete baseline. Is it possible to do this in 2012?

I am using SMS_G_System_CI_ComplianceState (ComplianceStateName) instead of SMS_G_System_DCMDeploymentState (ComplianceState) for the collection query.

But the problem is the CI_UniqueID in SCCM 2012 seems to end with the version/revision (like abc/5) of the CI. So the UniqueID changes everytime I make a change to the CI and is not really unique.

We are facing some issues(Client computer Memory activity is high) on client pcs.

From 'https://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_SoftwareUpdatesDeviceSetting'

I came to know that 'The deployment re-evaluation schedule should be adjusted based on company policy for software update compliance, whether users have the ability to uninstall software updates, and so on, and with the consideration that every deployment re-evaluation cycle results in some network and client computer CPU activity.' In our environment we don't allow users to uninstall/install updates.

Can we change this scan schedule to initiate for every 30 days?? What is the impact?

Current scenario:
We deploy patches every month(After patch Tuesday)
Schedule deployment re-evaluation runs for every 7 days.
Software update scan schedule runs for every 7 days.

Any help would be appreciated..!!

Thanks,
Lokesh

We are implementing SCCM SUP.  This installation will replace a 2003 WSUS install.

The old system primarily worked with Automatic Approvals.  It was a "set it and forget it" kind of setup that they primarily used to manage bandwidth, rather than managing updates.  I would like to implement test groups, and automatic installs in a tiered way.

Entering this organization at this point in the game, I have questions centered around setting up SCCM to mirror the old approach first, and then moveing to something more controlled once it is up.

Do you have to deploy packages only to machines that need those updates, or does it work like WSUS used to, and just not install the Windows 7 Update onto the Windows 2008 server, for instance?  If so, do the examples of creating Baseline and Incremental update packages do this primarily to keep the number of updates below 1000?

Once I have packages created in this "shotgun blast...install everything on everything" approach, can I simply delete these packages later, and re-create the Automatic Deployment rules in a more controlled manner then?

Does it matter if an update is deployed to a machine twice?

When I get to making this system more manageable, can I create a deployment rule that will deploy in a tiered manner, or does each rule only deploy to one group?  If that is the case, I assume that I have to create 2 Automatic Deployment rules that match eachother in their selection of updates.  Is this true?  If so, is there a way to save and re-use Deployment Rule criteria?

Do other administrators take this approach of having a baseline package, and having a patch Tuesday Deployment rule that creates a new Software Update Group each month?

Do you use a test group/production group setup?  Do you you automate either or both groups?

Thank you in advance for your time.

I thought we were around 90 percent compliant on workstations but now it looks like 70-75 percent.

Some workstations are months behind too. What are my options are far as trying to get caught up? Can I adjust the maintenance window for the group? Can I initiate the installation of patches another way besides babysitting it in Software Center?

Thanks for any help

Hi Everyone,

I been researching this problem for some weeks now and haven't had any success.  The weird part is, Software Center is showing the update as installed.

The update KB3033929 fails to install even though 3035131 is installed.

If I manually download the patch and attempt installation using /log: I see the following, yet the server reboots and searching for the update in WMI using PowerShell

gwmi -ComputerName Server101 -Namespace root\ccm\clientsdk -Query "select * from ccm_softwareupdate WHERE compliancestate ='0'"

H R E S U L T   o f   t h e   i n s t a l l a t i o n :   0 X 0

O p e r a t i o n R e s u l t C o d e   o f   t h e   u p d a t e :   0 X 2

H R E S U L T   o f   t h e   u p d a t e :   0 X 0

 I n s t a l l W o r k e r . 0 1 2 3 3 :

R e b o o t   w a s   r e q u i r e d   f o r   u p d a t e   S e c u r i t y   U p d a t e   f o r   W i n d o w s

( K B 3 0 3 3 9 2 9 )

S e c u r i t y   U p d a t e   f o r   W i n d o w s   ( K B 3 0 3 3 9 2 9 )

" C : \ W I N D O W S \ s y s t e m 3 2 \ w u s a . e x e "

" C : \ t e m p \ W i n d o w s 6 . 1 - K B 3 0 3 3 9 2 9 - x 6 4 . m s u "

/ l o g : c : \ t e m p \ K B 3 0 3 3 9 2 9 . l o g   / q u i e t   / n o r e s t a r t

C:\Windows\Logs\CBS\CBS.log shows error code 0x8031004a "BitLocker Drive
Encryption cannot be used because critical BitLocker system files are missing or
corrupted. Use Windows Startup Repair to restore these files to your computer."

Hi

I originally posted in the WSUS forum but was advised to post here as CM2012 related.

I am getting the above error appearing in my WSUSCtrol.log. I wondered if anyone had come across this?

I am using CM2012 R2 SP1 with WSUS 3 SP2 and WSUS-KB2720211-x64 & WSUS-KB2734608-x64 patches.  WSUS is on a separate box and SQL is on another box. The WSUS console is installed with the aforementioned patches on the CM2012 primary site.

This error reappears approx every 30 mins or so (but occasionally longer).

Thanks

For the two options you can select for software distribution or software update deployments:

Disable Operations Manager alerts while software updates run

Generate Operations Manager alert when a software update installation fails

Do you need to have the SCCM management pack for SCOM installed for these to work? For the first one, the SCCM agent will pause the SCOM health service during update installs. The second one I'd think you'd have to have the MP installed and the SCCM client forwards an alert to the SCOM agent which shows in Operations Manager console. If not, how does the alert for failed update get processed through SCOM? Please clarify.

Hi all,

I am facing a very strange issue recently, I am using SCCM2012 to deploy MS updates every month.

I created a group for all the required updates and deploy it to one collection.

After waiting sometime, I checked the deployment status and I found most of the clients showing as compliant while they did not receive or install the updates.

Can you please help where to start to find a solution.

Thank you

We've recently noticed performance issues with our SCCM clients when downloading Endpoint updates so we've been advised my Premier Support to run a WSUS cleanup.  The problem I have is that we have never run a clean up before and when I tried it in test it took hours and hours to complete (it crashed via the GUI so I have been given a SQL script).

The performance should definitely be better on our production boxes however I'm unable to obtain a maintance window long enough to complete the work.  I need to run it on our two Primarys and CAS.  Is there any way of staging the clean up so that I can do small amounts gradually over a few weeks, rather attempting to do all three servers over a weekend?

I'd be grateful if anyone could let me know.

Thanks 

Hello,

I have deployed updates to device collection all updates seem to have installed, on monitoring -> deployments all clients are listed under "compliant". However if I check properties of individual clients one of them lists one update as "required". Checking locally on the server the update is actually installed and installation date is weeks ago, how do I fix it to show properly on the sccm console?

Screenshot: http://i.imgur.com/X6v60At.png?1

Hello,

Is it possible to exclude processes that are started with an DLL instead of a executable?  

By example can you add %windir%\system32\*****.dll as an excluded service?

Thank you in advance

I have a significant number (but not all) of my SCCM 2012 R2 CU3 clients not updating though my SCCM software updates. On these problem clients, I get this error in WindowsUpdate.log:

"COMAPI WARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E"

Then these machines report "Compliant" even though they don't install the updates. Almost all of our workstations are Windows 7 SP1 32bit. We are running SCCM 2012 R2 CU3. My site servers are running Windows 2008 R2.

I don't see much in WUAhandler.log or scanagent.log. These client are however, getting my SCEP definition updates just fine. (I have an ADR for those.) And when you go out to Microsoft for security updates it works. I have tried all of the usual Windows Updates repair suggestions (re-register dlls, rename software distribution folder, etc.) And I tried un-installing and re-installing the SCCM client on a problem PC, to no avail. I also tried using a Software Update Group with fewer updates (<100) and targeting a problem system with only that SUG, to no avail.

Any assistance would be greatly appreciated. Thank you.

Hi All,

I am trying to automate end to end patch tuesday deployment that includes sync, ADR kickoff, software group creation and deployment package  creation.

I have all i need from SQL/Status messages except for Rulengine execution status.

I am trying to track and execution of ADR through SQL or event traces instead of reading through ruleengine.log scriptomatically.

Does anyone have SQL views or queries to track different stages of execution of ruleengine?

Thanks

Arun

I am attempting to use System Center 2012 to download, deploy, and install Windows Updates on all of the servers in my environment. I just installed and configured the Software Update Point within System Center and pointed it at my single WSUS server. The WSUS is located on the same machine as System Center. Now after adding the SUP to SCCM, I ran the "Synchronize Software Updates" from the Software Library view. I checked the logs for any errors and everything confirmed that it was set up properly and after a while I began to see my WSUS updates pour into the System Center under "All Software Updates" I created a Software Update Group and went to deploy the specific updates to a test collection. I specified it to download the content and install, reboot if necessary. Created a new share on the server and gave SCCM, and the machine full permission to the share. I then pointed the SCCM deployment to look in E:\WSUS\WSUScontent directory. When I clicked next and waited for the files to copy, I watched the new share I set up. 1 single update copies over and then I get an error that the network cannot be contacted. No other updates come over. I just retried it and pointed to Microsoft's WSUS servers instead and the content downloaded to SCCM share perfectly. 

Hi,

Scenario:

• SCCM 2012 R2.
• Software Deployment for Spanish and English only (SUP configured languages: Spanish and English only)
  
• Updates for Windows 7x64, Office2010x64, Office2013x64
• Updates wich date released is between jun01 - jun10 2015

There are downloaded update files for not selected languages (e.g):

The problem: quickly consume disk space

The questions are:

Is the above normal behavior in SCCM?

if not

How to avoid download update files for languages not selected?

Thanks in advance!

SCUP 2011 will not import any Adobe updates when I run the Software Update Catalog Wizard. I get the following error:

19 updates were processed

0 updates were imported

19 updates were skipped due to not being updated.

SCUP was last updated with an April update. I know there must be updates since then, but I can't get them to import. I don't know what I'm doing wrong in SCUP and can't find any clues on Google about how to fix this.