Channel: Configuration Manager 2012 - Security, Updates and Compliance forum

Update pending verification

Hello guys,

I am facing an issue where I am installing Windows updates on servers through a Task Sequence which runs during a Maintenance Window. One particular update (always the same so far) remains in "Pending Verification" and therefore doesn't give back the hand to the Task Sequence to go further. This process works fine on some other servers.

Here is what I see in Software Center :

Here is the status for that particular update within "Windows Update" on the server:

So the update seems installed, and same story within the WUAHandler.log :

1. Update (Missing): Security Update for Microsoft .NET Framework 4.5, 4.5.1 and 4.5.2 on Windows 7, Vista, Server 2008, Server 2008 R2 x64 (KB3097996) (103a0bdd-e71c-4f33-8cf1-7b68198ad536, 205)	WUAHandler	12/1/2015 02:14:51	9532 (0x253C)

...

Update 1 (103a0bdd-e71c-4f33-8cf1-7b68198ad536) finished installing (0x00000000), Reboot Required? No	WUAHandler	12/1/2015 02:16:35	6380 (0x18EC)
This issue has already occurred a few times, does someone have a solution for this? What is the "Pending Verification" process doing? I can't find anything useful on the web...



Task Sequence hanging after Software Updates

Hello,

I am actually installing Windows Updates on servers through SCCM with a Task Sequence in order to be able to launch a few PowerShell scripts before and after the patching. This process works fine for most of the servers but on some I have that particular issue:

So at some point, the Task Sequence begins the updates installation (smsts.log) :

After a few minutes, all updates are installed:

WUAHandler.log says that all updates have been installed as well:

But the smsts.log remains this way, preventing the Task Sequence from going further:

It looks like the Software Update process doesn't give back the hand to the TSAgent, has someone already faced that issue?

Failed to create assembly name object for Microsoft.UpdateServices.Administration. Error = 0x80131701.

Hi

I originally posted in the WSUS forum but was advised to post here as CM2012 related.

I am getting the above error appearing in my WSUSCtrl.log. I wondered if anyone had come across this?

I am using CM2012 R2 SP1 with WSUS 3 SP2 and WSUS-KB2720211-x64 & WSUS-KB2734608-x64 patches.  WSUS is on a separate box and SQL is on another box. The WSUS console is installed with the aforementioned patches on the CM2012 primary site.

This error reappears approx every 30 mins or so (but occasionally longer).

Thanks

Failed to NotifyProgress through Sdm callback, error = 0x8007012a

Hi All,

I'm having a problem on my Server 2008 R2 x64 clients where a large number of them will install Software Updates deployed to them at the start of their maintenance window, but then they won't reboot when necessary.  They all go to a "Requires Restart" status in Software Center. 

The only clue I'm seeing is in the UpdatesHandler.log, where this error message is spammed a ton of times:

Failed to NotifyProgress through Sdm callback, error = 0x8007012a

After that spamming, the UpdatesHandler.log file looks like this:

WSUS update (a0c88c88-f53e-4fb1-be7e-b2b1d84da0f4) installation result = 0x0, Reboot State = SoftReboot    UpdatesHandler    11/18/2015 10:13:49 PM    11728 (0x2DD0)
Update (a0c88c88-f53e-4fb1-be7e-b2b1d84da0f4) execution completed with state COMPLETE_SOFT_REBOOT_NEEDED.    UpdatesHandler    11/18/2015 10:13:49 PM    11728 (0x2DD0)
WSUS update (e82c9e5b-915c-408f-988b-4d4c232cc6eb) installation result = 0x0, Reboot State = SoftReboot    UpdatesHandler    11/18/2015 10:14:06 PM    11620 (0x2D64)
Update (e82c9e5b-915c-408f-988b-4d4c232cc6eb) execution completed with state COMPLETE_SOFT_REBOOT_NEEDED.    UpdatesHandler    11/18/2015 10:14:06 PM    11620 (0x2D64)
CDeploymentJob::InstallUpdatesInBatch - Batch or non-batch install is not in progress for the job ({AFC6ABD4-6C17-40BC-BCE8-F6F8193B3540}). So allowing install..    UpdatesHandler    11/18/2015 10:14:06 PM    6676 (0x1A14)
CDeploymentJob::InstallUpdatesInBatch - Resetting install flag to false as method is complete    UpdatesHandler    11/18/2015 10:14:06 PM    6676 (0x1A14)
Starting non batched updates processing    UpdatesHandler    11/18/2015 10:14:06 PM    6676 (0x1A14)
CDeploymentJob::ExecuteUpdates - Batch or non-batch install is not in progress for the job ({AFC6ABD4-6C17-40BC-BCE8-F6F8193B3540}). So allowing install..    UpdatesHandler    11/18/2015 10:14:06 PM    6676 (0x1A14)
Executing the updates for the job ({AFC6ABD4-6C17-40BC-BCE8-F6F8193B3540}).    UpdatesHandler    11/18/2015 10:14:06 PM    6676 (0x1A14)
CDeploymentJob::ExecuteUpdates - Resetting install flag to false as method is complete    UpdatesHandler    11/18/2015 10:14:06 PM    6676 (0x1A14)
Execution completed for the job ({AFC6ABD4-6C17-40BC-BCE8-F6F8193B3540}).    UpdatesHandler    11/18/2015 10:14:06 PM    6676 (0x1A14)
Requesting MTC to delete task with id: {E8A34ABE-96C7-4786-A3DC-2947724911B9}    UpdatesHandler    11/18/2015 10:14:06 PM    6676 (0x1A14)
Successfully sent job ({AFC6ABD4-6C17-40BC-BCE8-F6F8193B3540}) success completion to the SdmAgent    UpdatesHandler    11/18/2015 10:14:06 PM    6676 (0x1A14)
Deployment Job not found for the supplied MTC Task id: {E8A34ABE-96C7-4786-A3DC-2947724911B9}    UpdatesHandler    11/18/2015 10:14:06 PM    6444 (0x192C)
Initiating updates scan for checking applicability.    UpdatesHandler    11/19/2015 12:12:00 AM    5560 (0x15B8)

Any ideas?  All my Server 2012 R2 clients seem to be fine.  I don't see any other issues in my SCCM logs, but I can provide anything anyone wants to see.

Thanks,
J

Automatic Update Rule Configuration Question

I have two groups of SharePoint systems that include the related SQL system. I need to update/reboot the systems in a specific order. SharePoint web server first, SharePoint app server second and the SharePoint SQL server last.  The systems need to come back up in reverse order, SQL, APP then the Web server.  Is there an "easy" way to do this or do I need to create separate update groups and try to set the maintenance windows to accomplish this?  Any help would be greatly appreciated.

Last Scan Package Version

After running report 3, clients of a collection reporting a specific state, I see a lot of them are behind in their scan package version. These are currently scanning and the scans are successful. I can't find the version number anywhere in the console. What does this correspond to? It doesn't seem to be the source version of the deployment package so I'm not sure. Also, these are not SMS 2003 and are all SCCM 2012 clients.

Remediate noncompliant rules when supported. Isn't working.

I've imported Microsoft's IE11 Computer Security Compliance baseline into SCCM 2012R2. I've created a device collection with one Win 7 64bit "test" computer that has IE11 installed on it. I then deployed the baseline configuration to the device collection with "Remediate noncompliant rules when supported" checked. It does the compliance checks and tells me what items are not in compliance. However it doesn't "remediate" the noncompliant settings on the "test" computer. Am I missing a step? As far as I know there are no software updates needed. It's just settings that need to be adjusted. How can I get it to remediate the noncompliant settings?

Compliance Settings - Remediation Scripts

Hi All,

I'm expecting a project coming my way to enforce 'Windows Hardening' on all my SCCM managed computers. I have used Compliance Settings before but only lightly, what I expect is coming up is going to be BIG.

My question is with Microsoft Security Compliance Manager and how to remediate computers found not to be compliant. I see a lot of the remediation relies on you providing scripts to carry out the remediation action. Now I'm no script genius, I can get by but this is on another level considering the lack of time I'm going to have to get this all done.

Can anyone offer any good advice with regards to where to get scripts to get the job done, or do I indeed have to construct scripts for what seems like template compliance settings..?

Regards,


ConfigMgr TP4 - Windows 10 servicing - No upgrade category

Hi everyone,

Yesterday, I installed a windows server 2016 TP3 with ConfigMgr TP4.

I now want to test Windows 10 servicing, but under Windows 10 servicing | All Windows 10 updates, I can't seem to find any updates.. Looking at the categories of my SUP, I can't even select the category "upgrade".

I've read there is a KB for 2012R2 servers so the upgrade category would be available, but it's not applicable for my OS.

Is there something I'm overlooking or do I need to start over with Server 2012 R2?

Thx in advance!

Software updates are installed but have suddenly started marking themselves as not required

I've recently noticed that all our software updates from prior to May this year have shown a dramatic decrease in the amount of x64 updates installed, and are now marking themselves as not required. We have an estate of around 3500 assets, and until recently all updates from 2014 and 2015 have shown approx. 90% compliance for our x64 machines.

However, something has happened recently to show a change in the stats, so now only 1500 or so machines are reporting the updates as successful, while 2000 are showing the updates as not required.

I've checked all the logs, and I can see no errors getting reported, so I'm struggling to search for anything that could be an issue.

The only thing I've seen is that the following error :

2015-12-02 16:02:45:341 1524 2030 Report CWERReporter finishing event handling. (00000000)

is repeated multiple times on any machine having the issue.

I've applied the latest windows update patch : Update for Windows 7 (KB2775511) - and also declined quite a few unnecessary updates in WSUS, to reduce the amount of updates scanned as part of the windowsupdate.log, but to no avail.

Does anyone have ideas why this may have started happening?

Many thanks.

Not able to add an application to a Task Sequence

I have an Application set up and running in a deployment, so I was about to add it to a task sequence, but when I look for it in the list, it's not there. How do I enable it to appear?

"Orphaned" local machine cache - safe to delete?

Software update point advice. WSUS local on SCCM Server or WSUS on its own Server?

Hello,

I need a little advice. So in my past two SCCM site server builds my clients were less than 400 employees. My current employer has over 3,500 computers, 95% laptops. My team is taking over patching from our Systems team who is using WSUS. So they will manage patching using old school WSUS for their servers and we will patch all laptops using SCCM. I was thinking of installing WSUS on the same server as the SCCM primary site server. On the other hand I do have the option to install WSUS on a separate server and connect SCCM to it.

1) What would be the pros and cons of each (local or remote)?

2) Should I be concerned about having two WSUS servers running in our environment? - I know, kind of a dumb question.

Thanks as always

Phillip


Phil Balderos

WSUS configuration for security

We're in the process of setting up an SCCM environment to use WSUS for updates for SCCM client systems.  The domain is a secure domain, so it cannot have direct access to the internet and we cannot give it direct access to the internet. 

What we've come up with is the following, but we're not sure if this will function or not:

We create a stand alone WSUS (as a workgroup) in a DMZ that pulls updates from Microsoft's Update servers.  The internal SCCM/WSUS system will then pull updates from the stand alone, upstream WSUS server.  We plan to use self signed certificates in order to secure the connection between the internal SCCM/WSUS system and the upstream WSUS stand alone.

For security reasons, the upstream WSUS server (the stand alone), must not show any foot print of the secured domain (so if the stand alone system is hacked, there would be no way of finding out information about the internal domain).  The data flow must always be a pull (the internal SCCM/WSUS will initiate connection to the stand alone WSUS system, but the stand alone WSUS system could never initiate connection to the SCCM/WSUS internal system, similarly when the stand alone WSUS system talks to Microsoft update).  There will be no trust relationship (and the stand alone will not be in any domain at all, but just a solitary workgroup system sitting in a DMZ).

Can this be done or do we need to look for some other method in order to move updates into the secured domain (really don't want to do the disconnected domain method where there is an air gap)?

Thanks,

Chris

Software Update deployments never changing status from "Unknown"

Hi,

I've deployed Software updates to a test client on a newly installed SCCM server, updates installed a few hours ago, but in the monitoring->deployments the client is still in the "Unknown - client check passed/Active" status (tried summarization/refresh).

I have no reporting services point role on my sccm and no SQL reporting services installed, are those required for software update deployments to report their status?

I can not find relevant logs that would indicate some problems.


Software Updates Required

When trying to run reports my Percentages are all jacked up because if a software update is "Required" even though I in no way want these updates and they are not required in our organization.  Is there a way around this?

Let me know if you need additional information.  Thanks!

New Endpoint client not deploying to machines

I was researching an issue today where endpoint definition updates were not getting installed on 80% of the systems. In troubleshooting the issue I found that those that did get updates were running client version 4.8.204.0 and the machines that were running 4.3.220.0 did not get definition updates installed. To test this theory I went into the software updates\software group, found the 4.8.204.0 client that should have been installed and deployed it with a new software group, package and to several machines with the old client. When I look at the software update group, with only the 4.8.204 client as a member, it shows 2842 compliant. However when I show the update within the software group it shows it's not required. And more importantly this update has not installed on the machines. How do I make sure the new client version gets installed on these machines?

Thanks!

Is CU2 for SCCM 2012 R2 SP1 (KB3100144) Still Available?

Update installation in sequence

Hi Guys,

In this article about KB3101246, it is said that "Customers who intend to manually install all three updates on Windows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1 should install the updates in the following order: 3101246 first, 3081320 second, and 3101746 third."

What is the case if I'm deploying using SCCM Software Update? Will it be handled automatically as WSUS?





SCEP Working Directory Location

SCCM 2012 R2 with Endpoint Protection/Windows 7 64bit clients

We have a third party security product installed on our workstations in addition to Endpoint Protection.  The vendor for the third party security software has recommended we set an exclusion in their product for the Endpoint Protection working directory.  Does anyone know where the System Center Endpoint Protection working directory is located on the workstations?  Can't seem to find that info in any of the documentation.

Thanks!

