Channel: Configuration Manager 2012 - Security, Updates and Compliance forum
Viewing all 6382 articles

Security Updates Best Practice


Hi All,

I'm fairly new to SCCM and I'm in the middle of setting up our software updates just for Windows 7, 8.1 and 10 clients.

They are very security conscious where I work and would like any security or critical updates deployed ASAP, so I would like to stage just the security updates and test them first.

So I have created three device collections for Windows 7, 8 and 10 pilot machines and three device collections for standard Windows 7, 8 and 10 machines.

Then for each of the three pilot collections I have created its own ADR to download any security or critical updates for that OS and set them to install immediately and with the deadline immediate.

Then for each of the standard OS collections I have created its own ADR and set the updates to be available after 1 day.

My thinking is that the pilot machines get the latest security updates for a day and, if there are no issues, let the standard machines download them the next day.

I would appreciate anybody's thoughts: am I on the right track, or am I creating too much work for a simple task?

Many Thanks



SCEP 2012 exclusions during full scan


Hi, I was wondering if the exclusions in SCEP 2012 also apply when you run a full scan on computers, same way they apply for the on access scan.

Thanks


joeblow

Using task sequence to rollback patches


These past November Microsoft patches have caused issues with some of our Windows 7 clients. We've pinpointed which KBs are the ones that need to be removed. I found this article that explains how to do it using the task sequence. It works great, but I want to add some conditions and I don't know how.

https://weikingteh.wordpress.com/2013/05/13/how-to-rollback-remove-a-patch-using-sccm-configmgr/

With each command line to uninstall the task sequence, I want a condition to search for the KB first before running the command. Is this possible in this instance, or do I need to create an application instead?

SQL 2008 R2 SP3 listed in All Software Updates...


I don't get it, I understand that in this article it says that SQL 2008 R2 SP3 is not being released to WSUS:

http://blogs.msdn.com/b/sqlreleaseservices/archive/2014/09/26/sql-server-2008-r2-service-pack-3-has-released.aspx

However, I can see it in the updates catalog in SCCM, I was able to download and deploy it, but still none of our SQL servers are showing as needing this update?

Any ideas?

Tony

Server reboot not in defined Maintenance Window


Hi,

Maybe somebody has an explanation for this.

I have a collection containing only production systems, which I need to reboot on Saturday 3AM-4AM. An MW is defined for this collection. All updates are deployed with the "as soon as possible" option, and in User Experience only "Software updates installation" is enabled in deadline behavior.

But after all updates are applied, the server reboots and does not wait for the MW.

I checked the MW for this system - there is only one, which I defined.

In RebootCoordinator.log I have the following:

<![LOG[Entered ScheduleRebootImpl - requested from 'UpdatesDeploymentAgent'. set Rebootby = 1447224985. set NotifyUI = True. set PreferredRebootWindowType = 4]LOG]!><time="06:56:25.159+00" date="11-11-2015" component="RebootCoordinator" context="" type="1" thread="5896" file="rebootcoordinator.cpp:535">
<![LOG[Scheduled reboot from agent UpdatesDeploymentAgent. Deadline local time: 11/11/2015 06:56:25 AM, PreferredRebootWindowType = 4]LOG]!><time="06:56:25.160+00" date="11-11-2015" component="RebootCoordinator" context="" type="1" thread="5896" file="rebootcoordinator.cpp:625">
<![LOG[User is not logged on]LOG]!><time="06:56:25.160+00" date="11-11-2015" component="RebootCoordinator" context="" type="1" thread="5896" file="rebootcoordinator.cpp:1682">
<![LOG[No CCM Identification blob]LOG]!><time="06:56:25.190+00" date="11-11-2015" component="RebootCoordinator" context="" type="2" thread="5896" file="clientstate.cpp:727">
<![LOG[Not in Maintenance/Service Mode, check ServiceWindowsManager next]LOG]!><time="06:56:25.217+00" date="11-11-2015" component="RebootCoordinator" context="" type="1" thread="5896" file="rebootcoordinator.cpp:1769">
<![LOG[CheckRebootWindow: Service Windows found for type:4]LOG]!><time="06:56:25.217+00" date="11-11-2015" component="RebootCoordinator" context="" type="1" thread="5896" file="rebootcoordinator.cpp:1782">
<![LOG[ServiceWindowsManager has allowed us to Reboot]LOG]!><time="06:56:25.217+00" date="11-11-2015" component="RebootCoordinator" context="" type="1" thread="5896" file="rebootcoordinator.cpp:1803">
<![LOG[MTC task does not exist. Creating new request.]LOG]!><time="06:56:25.223+00" date="11-11-2015" component="RebootCoordinator" context="" type="1" thread="5896" file="rebootcoordinator.cpp:1166">
<![LOG[MTC allowed us to reboot]LOG]!><time="06:56:25.226+00" date="11-11-2015" component="RebootCoordinator" context="" type="1" thread="5896" file="rebootcoordinator.cpp:1183">
<![LOG[System reboot request succeeded.]LOG]!><time="06:56:25.375+00" date="11-11-2015" component="RebootCoordinator" context="" type="1" thread="5896" file="rebootcoordinator.cpp:968">
<![LOG[Reboot initiated]LOG]!><time="06:56:25.380+00" date="11-11-2015" component="RebootCoordinator" context="" type="1" thread="5896" file="rebootcoordinator.cpp:1016">

I need to share the folder for a server to access my WSUS update which is deploying by SCCM

There's an SCCM & WSUS on ServerA. It needs to read and write files on a folder share on ServerB.

How to check, where my SCCM is storing the updates

How to check, where my SCCM is storing the updates

Older updates on software update server not synchronizing with SCCM 2012

Older updates on the software update server are not synchronizing with SCCM 2012. Updates are not showing up in the SCCM server, but if you go to the WSUS server you see the update. The update shows as not approved on the WSUS server.

WSUS sync failing after cluster failover


Hi All,

We have our SQL DB for SCCM 2012 and WSUS on a remote SQL farm. Over the weekend our DBA team moved the instance from one node in the cluster to another. No issue normally; we've done this loads of times.

However in this instance I've come in to find WSUS no longer syncing with its upstream partner. I've dug through logs on the server and can find nothing that suggests a database issue.

I've checked wsyncmgr and found the below message:

Caught exception: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WsysSyncFailedException: UssCommunicationError: WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond <IPAddress Removed>:80~~at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)~   at System.Net.HttpWebRequest.GetRequestStream()~   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)~   at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()~   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)~   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)~   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()~   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)~~   at Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS(SyncMode syncMode)~~   at Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.DoSync()

I have a CAS and 3 Primary Sites and they are all syncing correctly other than the one that had its DB instance moved to a different node. I've had the DBA team revert their change and we are back on the same server we were on before the weekend, but the issue persists. Has anyone seen this issue before, or can anyone point me in a direction that doesn't involve uninstalling WSUS?

Thanks in advance.

SCCM 2012 - Delete Expired and Superseded Updates


Hello everyone,

I wanted to know if there is a way to delete the expired and superseded updates from the console.

I have 219 EXPIRED updates (none are deployed) and 487 SUPERSEDED updates (none are deployed), but they won't disappear after 7 days.

Is there something I'm doing wrong or that I have to configure?

Greetings.

Some Windows Updates fail to install


I have some updates that fail to install on brand new machines that have no updates on them when I install from SCCM 2012, but if I download and install from the internet, they install fine. The following updates are the ones I'm having problems with.

KB2990967
KB3063843
KB2919355

Need to remove two patches from Software Center


Hi All,

I have pushed patches (security updates) to user machines from SCCM. On one user's machine, there are two patches in his Software Center with Failed status. These patches keep trying to install on his machine and fail. This slows down his system.

I have manually tried to install these patches on his machine but they fail too.

Is there a way to remove these two updates from his machine (his Software Center)?

Please help.


Thanks, S K Agrawal

Change Collection Names


Hi there,

I want to rename my current production collections. Any issues with this?

Thanks - Travis

Latest Update Notification


Hi guys,

Is there a way to get SCCM to send an e-mail notification when any security/critical Windows update is released?

Thanks - Travis

Some updates are not being installed, neither the superseded update nor the update that supersedes it are installed


Situation: I setup a new 8.1 x64 PC with no updates installed.

SCCM is not installing any of the updates listed below.

I understand why the updates that were superseded are not being installed, my deployments don't include updates that have been superseded.

I don't understand why the updates that superseded the other updates are not being installed. My deployments do include these updates.

On the PC, if I check online (Internet) for updates, the superseded update is the one the PC wants to pull down, not the update that supersedes it. For example, the PC wants to pull down KB2931366, not KB2978126.

KB2931366 - superseded by KB2978126
KB2962123 - superseded by KB3039066 - superseded by KB3080446
KB2964757 - superseded by KB3062760
KB2962409 - superseded by KB3000850


What should be listed for Specify intranet Microsoft update service location?


Under Local Computer Policy - Computer Configuration>Administrative Templates>Windows Components>Windows Updates>Specify Intranet Microsoft update service location

I have one Primary Site and five Distribution Points, what should be listed in the "Specify intranet Microsoft update service location" on a PC at a site that only has a Distribution Point? Should it be the Primary Site Server or the local Distribution Point server?


SCCM SP2 will not upgrade to R2 SP1


Hey folks,

I've got a SCCM 2012 SP2 install that does not seem to be wanting to update to R2 SP1.  It's similar to the issue described in this thread: https://social.technet.microsoft.com/Forums/en-US/345d991d-f778-430f-832e-278b5ed794dc/clean-install-of-sccm-2012-sp2-unable-to-upgrade-to-2012-r2-sp1?forum=configmanagergeneral 

The difference here is that ours is not a fresh install that I can just reinstall. Since we're already at SP2 I went ahead and grabbed the small iso from our volume licensing center that contains the msi to upgrade this platform. I ran into the "you must be a local administrator" issue and instead just ran the file from an elevated command prompt. It appeared to be successful at the end of this process, but after launching the CM console the about menu still indicated that we were on SP2. This condition persisted through a reboot, and attempting to reinstall with the msi produced a message that we needed to have SP2 installed to do this.

I re-ran the msi with msiexec with verbose output to see where the issue was and it looks like it runs successfully as well.  Yet, still not showing R2 in the about information, and the features that it should have enabled are still missing. 

MSI (c) (A8:D0) [11:15:13:261]: Note: 1: 1728
MSI (c) (A8:D0) [11:15:13:261]: Product: Microsoft System Center Configuration Manager -- Configuration completed successfully.

MSI (c) (A8:D0) [11:15:13:262]: Windows Installer reconfigured the product. Product Name: Microsoft System Center Configuration Manager. Product Version: 5.00.8239.1000. Product Language: 1033. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.

MSI (c) (A8:D0) [11:15:13:263]: Grabbed execution mutex.
MSI (c) (A8:D0) [11:15:13:263]: Cleaning up uninstalled install packages, if any exist
MSI (c) (A8:D0) [11:15:13:265]: MainEngineThread is returning 0

This is just a snippet of the end of the verbose logging since there weren't any apparent failures that I could see. I can provide the entire verbose logfile if needed. Event viewer did not show any related issues. What's going on?

Silent installation of SCEP Linux Client


Hi, does anyone have an idea on how the SCEP client for Linux can be installed unattended using SCCM?  Just running..

sh ./scep.i386.ext.bin

as per the manual gives prompts which need accepting.

Thanks

Network connection: Windows Update Agent encountered transient network connection-related errors


Hello,

Running the report Scan 3 - Clients of a collection reporting a specific state, I noticed a lot of this kind of error:

Network connection: Windows Update Agent encountered transient network connection-related errors

I also noticed that the amount of errors increases when new updates are available or a deadline is reached. Then the number of errors decreases from day to day.

On the client, I've found the following error:

Windowsupdate.log

2015-05-19 11:45:19:396  488 1470 Misc WARNING: Send failed with hr = 80072ee2.
2015-05-19 11:45:19:396  488 1470 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2015-05-19 11:45:19:396  488 1470 Misc FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2
2015-05-19 11:45:19:396  488 1470 PT   + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2015-05-19 11:45:19:396  488 1470 PT   + Caller provided credentials = No
2015-05-19 11:45:19:396  488 1470 PT   + Impersonate flags = 0
2015-05-19 11:45:19:396  488 1470 PT   + Possible authorization schemes used =
2015-05-19 11:45:19:396  488 1470 PT WARNING: GetCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2015-05-19 11:45:19:396  488 1470 PT WARNING: PTError: 0x80072ee2
2015-05-19 11:45:19:396  488 1470 PT WARNING: GetCookie_WithRecovery failed : 0x80072ee2
2015-05-19 11:45:19:396  488 1470 PT WARNING: RefreshCookie failed: 0x80072ee2
2015-05-19 11:45:19:396  488 1470 PT WARNING: RefreshPTState failed: 0x80072ee2
2015-05-19 11:45:19:396  488 1470 PT WARNING: Sync of Updates: 0x80072ee2
2015-05-19 11:45:19:396  488 1470 PT WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
2015-05-19 11:45:19:396  488 1470 Agent   * WARNING: Failed to synchronize, error = 0x80072EE2
2015-05-19 11:45:22:813  488 1470 Agent   * WARNING: Exit code = 0x80072EE2

WUAUHandler.log

OnSearchComplete - Failed to end search job. Error = 0x80072ee2. WUAHandler 18-May-15 08:51:00 5700 (0x1644)
Scan failed with error = 0x80072ee2. WUAHandler 18-May-15 08:51:00 5700 (0x1644)

ScanAgent.log

ScanJob({15938E9B-160C-4383-9789-97EEFC35AB39}): CScanJob::OnScanComplete -Scan Failed with Error=0x80072ee2 ScanAgent 19-May-15 11:45:24 2448 (0x0990)
ScanJob({15938E9B-160C-4383-9789-97EEFC35AB39}): CScanJobManager::OnScanComplete- failed at CScanJob::OnScanComplete with error=0x80072ee2 ScanAgent 19-May-15 11:45:24 2448 (0x0990)

Now going to the IIS logs on the WSUS server, I found this:

 Status   Hits
 200.0    4986427
 500.0    83805
 400.0    3209
 401.2    5

So, a lot of 500.0 statuses, which translates to Internal server error.

Checking the event log, I found a lot of events with Event ID 5013 — IIS Application Pool Availability

The event info mentions: WsusPool

The times at which the 500.0 errors occur on IIS match the times at which errors are reported by the client.

I also found this in the IIS logs:

 Uri                                             HttpStatus  SubStatus  Win32Status  Total
 /ClientWebService/client.asmx                   500         0          0            5152
 /ClientWebService/client.asmx                   500         0          64           1382
 /ClientWebService/client.asmx                   500         0          1236         12
 /ReportingWebService/ReportingWebService.asmx   500         0          0            10
 /ApiRemoting30/WebService.asmx                  500         0          0            5
 /ClientWebService/client.asmx                   500         0          121          2

Do you have any idea how to troubleshoot this error?

Regards,

Michel

Update scanning failed


Hi Guys,

According to the SCCM "software update - D scan" - "Scan 2 - Last scan states by site" report, there are a few thousand computers where update scanning failed with the error description "Not enough storage is available to complete this operation". I've checked a few random affected PCs for their disk space, and there is still plenty of free disk space available.

I need to know which storage the error description is referring to.

Thanks in advance guys....
