Channel: Configuration Manager 2012 - Security, Updates and Compliance forum
Viewing all 6382 articles

Software Center behaviour: Deadline, maintenance windows, grace period

Hi everyone,

please share with me your experience about this topic, but first help me clarify one thing:

  • "Business hours on Software Center" VS "Windows 10 Settings, Change your active hours": in my environment, we forced active hours from 8am to 6pm by Group Policy. In case a user sets business hours on Software Center, who is the winner? I guess Group Policy. If not enforced by policies and the user sets them on both, which one takes precedence?

  • Business hours vs Maintenance Window: let's imagine the same active hours above but I set a maintenance window from 5pm to 7am: when will a deployment start?

Concerning the subject topic, how does Software Center behave on client machines in terms of messages if we set all of them or part of them and/or if we set or not to show all notifications? 

Finally, WHAT IS THE BEST PRACTICE?

Thank you all!

Best,



Update Failed - Error - 0x87d00219 and 0x80240438

Hi people,

We have a problem with updates using SCCM.

We can see all updates on the Configuration Manager console. We downloaded them and we deployed them but we don't see them on the client machine. However, applications work fine, we can see and install them.

Any ideas? We are going crazy!

This is the WUAhandler.log, I can share another if needed.

THANKS A LOT :) 


OnSearchComplete - Failed CCMGetGlobalService. Error = 0x87d00219  WUAHandler  26/11/2018 09:42:17  8732 (0x221C)
Its a WSUS Update Source type ({3E4D2569-325A-4FC1-9698-CBAEF4D472B7}), adding it.  WUAHandler  26/11/2018 09:44:43  6524 (0x197C)
Device is not MDM enrolled yet. All workloads are managed by SCCM.  WUAHandler  26/11/2018 09:44:43  9356 (0x248C)
SourceManager::GetIsWUfBEnabled - There is no Windows Update for Business settings assignment. Windows Update for Business is not enabled through ConfigMgr  WUAHandler  26/11/2018 09:44:43  9356 (0x248C)
Existing WUA Managed server was already set (http://******), skipping Group Policy registration.  WUAHandler  26/11/2018 09:44:43  6524 (0x197C)
Added Update Source ({3E4D2569-325A-4FC1-9698-CBAEF4D472B7}) of content type: 2  WUAHandler  26/11/2018 09:44:43  6524 (0x197C)
Scan results will include superseded updates only when they are superseded by service packs and definition updates.  WUAHandler  26/11/2018 09:44:43  6524 (0x197C)
Search Criteria is (DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver')  WUAHandler  26/11/2018 09:44:43  6524 (0x197C)
Async searching of updates using WUAgent started.  WUAHandler  26/11/2018 09:44:43  6524 (0x197C)
CWuaHandler::SetCategoriesForStateReportingExclusion called with E0789628-CE08-4437-BE74-2495B842F43B;E0789628-CE08-4437-BE74-2495B842F43B,A38C835C-2950-4E87-86CC-6911A52C34A3; for leaves and E0789628-CE08-4437-BE74-2495B842F43B,A38C835C-2950-4E87-86CC-6911A52C34A3; for bundles  WUAHandler  26/11/2018 09:44:43  9224 (0x2408)
Async searching completed.  WUAHandler  26/11/2018 09:45:50  5032 (0x13A8)
OnSearchComplete - Failed to end search job. Error = 0x80240438.  WUAHandler  26/11/2018 09:45:50  6608 (0x19D0)
Scan failed with error = 0x80240438.  WUAHandler  26/11/2018 09:45:50  6608 (0x19D0)
Its a WSUS Update Source type ({3E4D2569-325A-4FC1-9698-CBAEF4D472B7}), adding it.  WUAHandler  26/11/2018 09:45:50  6520 (0x1978)
Device is not MDM enrolled yet. All workloads are managed by SCCM.  WUAHandler  26/11/2018 09:45:50  6136 (0x17F8)
SourceManager::GetIsWUfBEnabled - There is no Windows Update for Business settings assignment. Windows Update for Business is not enabled through ConfigMgr  WUAHandler  26/11/2018 09:45:50  6136 (0x17F8)
Existing WUA Managed server was already set (********), skipping Group Policy registration.  WUAHandler  26/11/2018 09:45:50  6520 (0x1978)
Added Update Source ({3E4D2569-325A-4FC1-9698-CBAEF4D472B7}) of content type: 2  WUAHandler  26/11/2018 09:45:50  6520 (0x1978)
Scan results will include superseded updates only when they are superseded by service packs and definition updates.  WUAHandler  26/11/2018 09:45:50  6520 (0x1978)
Search Criteria is (DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver')  WUAHandler  26/11/2018 09:45:50  6520 (0x1978)
Async searching of updates using WUAgent started.  WUAHandler  26/11/2018 09:45:50  6520 (0x1978)

Problem with Windows Server 2016 Security Updates ADR

Hello

I've experienced a problem with an ADR for Windows Server 2016: the ADR fails with the error 0X87D20417 and ruleengine.log showing the error above.

All the other ADRs (Windows 10, 2012R2, etc...) are ok.

I noticed that when deactivating the security updates for this ADR, the error no longer occurs, has anyone encountered this case? Is it a temporary issue with a particular update?

Thanks!

Ruleengine.log:

Failed to download any update  SMS_RULE_ENGINE  30/10/2019 10:49:34  6792 (0x1A88)
Failed to download update contents.  SMS_RULE_ENGINE  30/10/2019 10:49:34  6792 (0x1A88)
No new update was added to the package. Package "LME00080" would not be updated.  SMS_RULE_ENGINE  30/10/2019 10:49:34  6792 (0x1A88)
Failed to run the DownloadAction for the AutoDeployment.  SMS_RULE_ENGINE  30/10/2019 10:49:34  6792 (0x1A88)
STATMSG: ID=8706 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_RULE_ENGINE" SYS=myserver SITE=SIT PID=3988 TID=6792 GMTDATE=mer. oct. 30 09:49:34.051 2019 ISTR0="SMS Rule Engine" ISTR1="Failed to download one or more content files" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  SMS_RULE_ENGINE  30/10/2019 10:49:34  6792 (0x1A88)

...

  Rule XML is: <AutoDeploymentRule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <DeploymentId></DeploymentId> <DeploymentName>MAJ Windows 2016</DeploymentName><UpdateGroupId>ScopeId_D078F0C0-D30B-47D6-A6B8-3178E43EA70D/AuthList_d816df14-21bc-4e59-9f14-d818c78278c4</UpdateGroupId> <UpdateGroupName></UpdateGroupName> <LocaleId>1036</LocaleId> <UseSameDeployment>true</UseSameDeployment><AlignWithSyncSchedule>true</AlignWithSyncSchedule> <NoEULAUpdates>false</NoEULAUpdates> <EnableAfterCreate>true</EnableAfterCreate> <ScopeIDs><ScopeID>SMS00UNA</ScopeID> </ScopeIDs> <EnableFailureAlert>true</EnableFailureAlert><IsServicingPlan>false</IsServicingPlan> <IsOldUpdateGroupCurrent>true</IsOldUpdateGroupCurrent> </AutoDeploymentRule>  SMS_RULE_ENGINE  30/10/2019 10:49:34  6792 (0x1A88)
  Criteria Filter Result XML is: <AutoDeploymentRule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <DeploymentId></DeploymentId> <DeploymentName>MAJ Windows 2016</DeploymentName> <UpdateGroupId>ScopeId_D078F0C0-D30B-47D6-A6B8-3178E43EA70D/AuthList_d816df14-21bc-4e59-9f14-d818c78278c4</UpdateGroupId> <UpdateGroupName></UpdateGroupName> <LocaleId>1036</LocaleId> <UseSameDeployment>true</UseSameDeployment><AlignWithSyncSchedule>true</AlignWithSyncSchedule> <NoEULAUpdates>false</NoEULAUpdates> <EnableAfterCreate>true</EnableAfterCreate> <ScopeIDs><ScopeID>SMS00UNA</ScopeID> </ScopeIDs> <EnableFailureAlert>true</EnableFailureAlert><IsServicingPlan>false</IsServicingPlan> <IsOldUpdateGroupCurrent>true</IsOldUpdateGroupCurrent> </AutoDeploymentRule>  SMS_RULE_ENGINE  30/10/2019 10:49:34  6792 (0x1A88)
CRuleHandler: Enforcing Actions for Rule 18 failed!  SMS_RULE_ENGINE  30/10/2019 10:49:34  6792 (0x1A88)
CRuleHandler::CreateFailureAlert - Alert ID = 16777273  SMS_RULE_ENGINE  30/10/2019 10:49:34  6792 (0x1A88)
Updated Failure Information for Rule: 18  SMS_RULE_ENGINE  30/10/2019 10:49:34  6792 (0x1A88)


Removing Expired and Superseded Updates

Trying to clarify removing expired and superseded updates from SU groups in 2012 SP1. Reading the article http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/software-update-content-cleanup-in-system-center-2012-configuration-manager.aspx I understand you need to edit membership to remove any expired updates. It looks from the above article that, provided the updates are no longer part of an active deployment, they will be deleted after 7 days. Does this mean they are deleted only from DPs? If I read this correctly you still have to run a script to clean up your source content directory as well?

Second, what happens to superseded updates? I had assumed that the SUP setting of "Immediately expire a superseded software Update" would do just that, i.e. the updates in your group would change from Superseded to Expired and would therefore be pruned out as discussed above. If this is not the case, do you have to edit membership to remove both superseded and expired?

Finally, a quick aside: is there a link on maintaining the WSUS database to remove any old updates (particularly endpoint)? I seem to remember there's a WSUS maintenance task to run?


Ian Burnell, London (UK)

SMS NOTIFICATION SERVER failed to initialize msg ID 9800, error 2147654730

On one of my SCCM suites the SMS_NOTIFICATION_SERVER is having trouble. The message ID in monitoring is 9800 and the message says "Notification Server on <server fqdn> failed to initialize. The operating system reported error 2147654730: Error loading type library/DLL." My BGSERVER.LOG is almost solid red. It keeps repeating "Failed to create bgbservercontroller instance 800029c4a." I can't find anything to tell me which library/DLL this is nor how to fix it. The closest thing I can find is a thread on failed to initialize but the error code is different so it didn't help. The other BGB logs look clean. I can't find anything in the Server 2012 event viewer that corresponds to this.

Any help appreciated.


Ben JohnsonWY

Failed to install update ... Error = 0x80240061 (-2145124255) ?

Hello,

We are having trouble pushing out our updates; they keep failing with the above error. Does anyone have any idea what this error code is?

Thanks...


Deployment Status Unknown.

Dear All,

We are having a strange issue where patched SCCM clients are showing as “Unknown” deployment status.

However, when the same is checked in the reporting tool of SCCM, those servers DO NOT appear under “unknown”.

Investigations and tests:

  1. The boundary group corresponding to the servers did not exist.
    a. Same has been created but the deployment status of the servers is still showing as “unknown”.

  2. A new deployment group, software update group and collection were created and applied on 2 test servers.
    a. But the same issue has been observed.

  3. WSUS target, firewall and telnet were checked.
    a. WSUS points to the correct path.
    b. Firewall is off on the machines.
    c. Telnet to the WSUS/SCCM on port 8530 is successful.

  4. On the SQL DB, the affected server is reporting the last evaluation to be on 26 October 2019.
    a. However, on the server itself, the last evaluation is dated to be 04 Nov. 19.

  5. Also, the results of the evaluation show that all tests were passed.

Applied till now:

http://get-cmd.com/?p=4367

https://smsagent.blog/tag/client-check-result-no-results/

https://smsagent.blog/2016/02/12/reading-ccmeval-results-directly-from-a-configmgr-client-with-powershell/

https://social.technet.microsoft.com/Forums/en-US/6a307f01-2fbf-4ded-b46d-3ab29921713f/sccm-2012-clients-status-unknow?forum=configmanagersecurity

Any help/ opinion is welcomed.

Thanks in advance.

Devesh

Remove collections sccm with Powershell

Hi,

I was writing a PowerShell script to remove all useless collections. The main line is:

Remove-CMCollection -Name $coll -Force

When you remove a collection in Conf Manager, you get a prompt message with a checkbox: "Delete each collection member from the database".

I would like to know if "Remove-CMCollection -Name $coll -Force" marks that checkbox or it is only a kind of feature of conf manager.

Thanks in advance




ERROR: DownloadContentFiles() failed with hr=0x800706ba in patchdownloader.log file

While downloading the patches, it is failing with the error "RPC server unavailable".

Patchdownloader log says that the server cannot be contacted and the error code recorded is "ERROR: DownloadContentFiles() failed with hr=0x800706ba"

Can anybody please suggest anything.

100% C: usage when SCEP is running a full scan

Hi,

I currently have an issue where a 2012 Server is filling its C: drive while running full scans.

Files are created in C:\Windows\Temp with the prefix TMP00000 and no extension. These seem to grow in size until they are filling the remaining free space (~40GB) and then once it hits ~100MB free it deletes the file.

Procmon tells me that the MsMpEng.exe is creating and writing to this file.

Can anyone tell me why it is creating these files and why it is trying to use all remaining free space? I can't see any configuration to allow me to change from C:\Windows\Temp (I can only assume it's using the %temp% variable).

I notice that while the file is filling up and eating free space, the Item listed on the SCEP console is still changing so it doesn't appear to be getting stuck on a single file. I also note that there are no entries listed in the Event viewer either.

Thanks

Alex

SCCM 2012 Import computer Information and Security Role. Which allows?

Hi!

SCCM 2012 "Import computer Information" in "Security Role" Which allows ?

Perhaps it is a resource which describes all possible entries in "Security Role"?


cenubit

How to import current STIGs into SCCM

I have been trying for 2 days now to get the current STIGs converted to .cab files so I can import them but am having no luck. I have downloaded all the latest SCAP files and Benchmarks but can't get it to work.

Please Help.....

SCCM User Experience Behavior

Hi everyone,

I'm asking something about how I can deploy Software Updates in SCCM. If I choose "Hide in Software Center and all notifications", does it mean that no updates will be shown in Software Center? So I'm wondering when updates will be deployed in that case? Will they be installed when the installation deadline is reached? Can you help me with that matter? What will happen if I choose "Hide in Software Center and all notifications"?


Thank you very much for your reply


Kind regards,

Laurent

Security update getting failed with 0x800F0902(-2146498302)

Dear Experts,

We are using System Center Configuration Manager 2012 R2 SP1 in our environment, with one primary site and multiple secondary sites. We have an issue where a few users are unable to install patches from Software Center; they fail with error code 0x800F0902(-2146498302). We checked the WUAHandler log but were unable to find any issues.

"Seems Group Policy is not yet initialized because client is on internet, writing WSUS Server location in registry. WUAHandler 3/5/2016 2:42:16 PM 1404 (0x057C)
Exceeded quota (1) of reboots to WU Agent service. WUAHandler 3/5/2016 2:42:16 PM 1404 (0x057C)
Failed to Add Update Source for WUAgent of type (2) and id ({3CFEF09D-905D-4A31-B004-2156EF72D8EE}). Error = 0x87d0069b. WUAHandler 3/5/2016 2:42:16 PM 1404 (0x057C)"

All the patches are failing with the same error code.

Kindly share your suggestions to resolve this issue.

Thanks

Balaji


SCCM can't download Defender Definition updates

Hi all,

I was trying to configure an SCCM server which will be managing Windows Defender. For some reason the definition files are not visible in either the SCCM console or the WSUS server. All other types of engine updates for Defender are there but I can't find the Definition Updates (even when I search with their new name, Security Intelligence Update). I have configured an Automatic Deployment Rule which searches for Classification "Definition Updates" for Windows Defender but can't find any. I sync'ed many times already between SCCM and WSUS but nothing appears in the Software Updates.

Any suggestions where could be the problem?

Thanks.


The Microsoft Software License Terms have not been completely downloaded and cannot be accepted

I have setup SCCM 2012 Sp1 on Server 2012 with WSUS using the internal database. When I sync updates in SCCM, I get the following error on some of the updates. I have run the sync 3 times over a day with the same updates failing

"Error: The Microsoft Software License Terms have not been completely downloaded and cannot be accepted. Source: Microsoft.UpdateServices.Internal.BaseApi.SoapExceptionProcessor.DeserializeAndThrow"

"Sync failed: Failed to sync some of the updates. Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncUpdates"

"STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SiteServerxx.COM.AU SITE=MEL PID=2260 TID=2716 GMTDATE=Sat Jan 26 03:56:15.496 2013 ISTR0="Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncUpdates" ISTR1="Failed to sync some of the updates" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0"

Not all of the updates are showing

Does update metadata (SoftwareDistributionPackage) support script block?

I have a problem when I try to do a firmware update via SCCM-WSUS. Unlike other updates, there is no information in WMI, REG, or FILE that can be used to check if the firmware has been installed or not; we can only check it by PowerShell script (IPMI command). My question is: is it possible to add a script block to the update metadata, so that sdp:IsInstallable or sdp:IsInstalled can be detected by script (PowerShell)?

Thanks.

Quan

Windows updates from WSUS to SCCM

Greetings. We have a critical application that gets approved windows updates. I have created a software update group that I want to hand pick updates from all software updates and place in this group. The updates are in the Windows Update Server but not in our SCCM software updates. How do I import the updates from WSUS to SCCM? Thank You 

Multiple Antimalware Policies ?

Hi

Can anybody explain to me how multiple antimalware policies are applied to a client?
Let's say I have an antimalware policy for SQL servers and an antimalware policy for SCCM servers.
They have different exclusions and I deploy them to a collection named all SQL servers and all SCCM servers.

Then I have a SCCM server that is a member of both of these collections. Will the antimalware policy exclusions merge or will it only have the one with the higher priority? How should I design my collections and antimalware policies for best practice?

/ALX

SCCM Current Branch 1906 - Compliance Report for Application and Windows Updates

Specs: 

SCCM Current Branch 1906

Windows 2016 x64 Enterprise - Build 1607

Microsoft SQL 2016 Standard

Symptoms:

About 2 weeks ago, around Nov 12th 2019 endpoints and server have stopped reporting their compliance.

Essentially, I can deploy patches and software to systems just fine and they install.

However when I check on the monitoring side via SCCM the packages do not get updated with compliant, in progress and whatnot, I'm completely blind as to what's going on.

Network side, I've verified via our SIEM whether there's any traffic, and none of the network firewalls are blocking it, and neither are the endpoints and servers blocking the traffic.

I check on the server and I don't really see any major errors...

I'm kind of dumbfounded at the moment as to what could be the cause... my reports are just not updating.

Also, as a result, let's say I build a compliance baseline config and deploy it to a collection and then build a collection based on the said compliance, no systems are appearing in the list...

Also, for testing purposes, I cloned one of my application packages and re-deployed it, and I'm not getting any status report even though I'm able to install and remove the package on the target system.

Please advise...

