Channel: Configuration Manager 2012 - Security, Updates and Compliance forum

Report Compliance 1 incorrectly shows non-compliant servers


We have a problem with the software update compliance on some servers.

We have deployed a software update group to a collection of servers. When I run the report "Compliance 1 – Overall compliance", I get two non compliant servers. I have compared all updates in the group with the list from the update history on the two servers. All updates are installed.

I run the report "Compliance8 – Computer in a specific compliance state for an update" for one of the patches with the same Collection and the state "Update is required". I get a "state last received" from 23.3.2014, three weeks ago.

For me, it looks like the SCCM DB is not updated.

What can I do to correct this?

Thanks

Daniel


Custom SCEP policy

I need to create a SCEP policy that applies to a single computer, which will have a list of files to not scan. Would I have to create a new collection for this single computer, or is there a way that I can apply a policy to a computer directly?

Security Scopes for Antimalware Policy


A few others and myself have begun discussing our problems with security permissions on Antimalware Policies in a previous thread: http://social.technet.microsoft.com/Forums/en-US/ee5baed5-095b-4a02-8e60-cbe3e32b5b3c/security-scopes-and-antimalware-policies?forum=configmanagersecurity

We require the ability to limit administrators' permissions "by policy". As it currently stands, the only option is to grant Administrators Full permissions, which gives them the ability to modify every Antimalware Policy.

This is a request to enable the ability to use Security Scopes for Antimalware Policies.

Thank you.

RBA - import computer without the default scope!


Hi,

I know this is a popular question and I have read all blogs and posts I could find about it. The problem is that I do not want to give users access to the default security scope, and without this the computer import is not working.

I have created in the past two custom roles for different helpdesk levels, so I want to use one of those existing roles to do the import computer information.

The user already has the collection: read, modify and modify resource permissions and also the site: read and import computer information permissions.  BUT since I removed the builtin scopes and collections and assigned a custom scope and two custom collections, the import computer remains greyed out...

Once I got the hang of the new security model, I kinda liked it, but this really simple function seems impossible to do with the requirements I have in place.

Any suggestions?

How do I exclude a specific folder from Endpoint Protection scans on *ANY* drive?


I see this question come up over and over again, and I still have not managed to find a straight answer. Sure hope someone here can help. I am in a situation where I have the same exact folder name on multiple random drives that I need to exclude from Endpoint Protection client scans. So for example here is what I need to exclude:

C:\MyFolder
D:\MyFolder
E:\MyFolder
F:\MyFolder
G:\MyFolder
H:\MyFolder
J:\MyFolder
Z:\MyFolder

I have tried the following with no success:

*\MyFolder
*:\MyFolder

How do I tell Endpoint Protection to exclude "MyFolder" across the board on every drive letter? Can it be done with wildcards?

Issues with WSUS


Hi All,

I have set up SCCM 2012 R2 but have not been having any luck with the integration of WSUS.  I have attempted to uninstall WSUS and re-install, but right now I am getting an error regarding issues with local setup.  See log below...

Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
Checking runtime v2.0.50727...  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
Did not find supported version of assembly Microsoft.UpdateServices.Administration.  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
Checking runtime v4.0.30319...  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
Found supported assembly Microsoft.UpdateServices.Administration version 4.0.0.0, file version 6.3.9600.16384  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
Found supported assembly Microsoft.UpdateServices.BaseApi version 4.0.0.0, file version 6.3.9600.16384  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
Supported WSUS version found  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
Attempting connection to local WSUS server  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
System.TypeInitializationException: The type initializer for 'Microsoft.UpdateServices.Internal.Constants' threw an exception. ---> System.TypeInitializationException: The type initializer for 'Microsoft.UpdateServices.Internal.UtilConstants' threw an exception. ---> System.ComponentModel.Win32Exception: The system cannot find the file specified~~   at Microsoft.UpdateServices.Internal.UtilClassFactory.CreateInstance(Type type, Object[] args)~~   at Microsoft.UpdateServices.Internal.SetupInfo.GetInstallDirectory()~~  at Microsoft.UpdateServices.Internal.UtilConstants..cctor()~~   --- End of inner exception stack trace ---~~   at Microsoft.UpdateServices.Log.InitializeFromConfig()~~   at Microsoft.UpdateServices.Log.InitializeIfNeeded()~~   at Microsoft.UpdateServices.Log.SendMessage(LogLevel logLevel, String message, Object[] args)~~   at Microsoft.UpdateServices.Log.Trace(LogLevel logLevel, String message, Object[] args)~~   at Microsoft.UpdateServices.Internal.UtilClassFactory.CreateInstance(Type type, Object[] args)~~   at Microsoft.UpdateServices.Internal.SetupInfo.GetInstallDirectory()~~   at Microsoft.UpdateServices.Internal.Constants..cctor()~~   --- End of inner exception stack trace ---~~   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
Failed to set WSUS Local Configuration. Will retry configuration in 1 minutes  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
Attempting connection to local WSUS server  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
System.TypeInitializationException: The type initializer for 'Microsoft.UpdateServices.Internal.Constants' threw an exception. ---> System.TypeInitializationException: The type initializer for 'Microsoft.UpdateServices.Internal.UtilConstants' threw an exception. ---> System.ComponentModel.Win32Exception: The system cannot find the file specified~~   at Microsoft.UpdateServices.Internal.UtilClassFactory.CreateInstance(Type type, Object[] args)~~   at Microsoft.UpdateServices.Internal.SetupInfo.GetInstallDirectory()~~  at Microsoft.UpdateServices.Internal.UtilConstants..cctor()~~   --- End of inner exception stack trace ---~~   at Microsoft.UpdateServices.Log.InitializeFromConfig()~~   at Microsoft.UpdateServices.Log.InitializeIfNeeded()~~   at Microsoft.UpdateServices.Log.SendMessage(LogLevel logLevel, String message, Object[] args)~~   at Microsoft.UpdateServices.Log.Trace(LogLevel logLevel, String message, Object[] args)~~   at Microsoft.UpdateServices.Internal.UtilClassFactory.CreateInstance(Type type, Object[] args)~~   at Microsoft.UpdateServices.Internal.SetupInfo.GetInstallDirectory()~~   at Microsoft.UpdateServices.Internal.Constants..cctor()~~   --- End of inner exception stack trace ---~~   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
Failures reported during periodic health check by the WSUS Server U**.***.***. Will retry check in 1 minutes  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)
Waiting for changes for 1 minutes  SMS_WSUS_CONTROL_MANAGER  2014-04-14 12:29:19 PM  5532 (0x159C)

Any assistance would be appreciated.

thanks,


JAK

System Center Update Publisher 2011 - cannot create a signing certificate


Hi,

I am using SCCM 2012 R2 (Win2012 R2).

2 servers: ServerA is site server and ServerB is site database server.

WSUS installed at ServerA. SCCM database and WSUS database hosted at ServerB.

System Center Updates Publisher was installed OK on ServerA.

When I click "Create" under Signing certificate, I get the following message:

The above message is the same when I click "Test Connection" button for Connect to a local update server.

The question is:

How to create a signing certificate for System Center Updates Publisher?

Thanks in advance!

WSUS Update Files Store will not change setting


Hello,

I have a Server 2008 R2 SP1 machine with the WSUS role on it.  It is going to work in conjunction with our SCCM 2012 SUP to handle Windows Updates.  

When we go to WSUS Role -> Update Services -> Options -> Update Files and Languages and change the setting from "Store update files locally on this server" to "Do not store update files locally. . ."  the server acts like it's going to change the setting.  When we check on it after a few minutes it tells us that the server is changing settings and therefore we can't alter any more settings.  

When we come back about an hour later the settings are back to the original settings.  

We've tried with a Domain Admin account and local admin Account.  

Any help would be greatly appreciated.

-Thanks,

T_Albus



Default maximum run time for updates


Is there a way to change the default "Max run time" for each update? In SCCM 2007 the default run time was 20 minutes per update, now it is 5 minutes. I have machines that repeatedly fail to install updates because the max time of 300 seconds was reached.


Report needed for overall view of update compliancy


I've been asked to provide a custom report to give an overall status for the update compliancy for the servers in place.

I have been fiddling about in SQL Management Studio and kind of understand where to get the information from, but am missing something, so I was hoping someone could point me in the right direction.

I realize that this kind of report might take some querying time, but this is what the customer wants: instead of him going to the builtin report compliance 7 (category sw updates - compliance A) where he has to select a collection AND a baseline AND a compliance status, he wants to obtain a list of all server systems being compliant to some server baselines and a list of all server systems being non-compliant to some server baselines.

Currently the SQL code I have to show the compliant servers is:

    SELECT
        v_R_System.Name0 AS Servername,
        v_GS_OPERATING_SYSTEM.Caption0 AS OS,
        v_ConfigurationItems.CI_ID,
        v_AuthListInfo.Title,
        v_StateNames.TopicType,
        v_StateNames.StateID,
        v_StateNames.StateName
    FROM v_ConfigurationItems
        INNER JOIN v_AuthListInfo
            ON v_ConfigurationItems.CI_ID = v_AuthListInfo.CI_ID
        CROSS JOIN v_R_System
        INNER JOIN v_GS_OPERATING_SYSTEM
            ON v_R_System.ResourceID = v_GS_OPERATING_SYSTEM.ResourceID
        CROSS JOIN v_StateNames
    WHERE (v_R_System.Client0 = 1)
        AND (v_R_System.Operating_System_Name_and0 LIKE '%server%')
        AND (v_AuthListInfo.Title LIKE '%server%')
        AND (v_StateNames.TopicType = 300)
        AND (v_StateNames.StateID = '1')
    ORDER BY Servername

BUT if I now change the StateID to 2 in the query, I get the same number of rows back (being 134 servers with an SCCM client times 4 server update groups).

So my problem is: how and when do I make the correct join here?
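Added example (not part of the original post): a self-contained SQLite reproduction of the row count described above, showing why a CROSS JOIN against v_StateNames returns 134 x 4 rows for any StateID, next to a join keyed on per-machine state. The view names come from the post; the `group_state` table, the state labels and all data are constructed, with `group_state` a hypothetical stand-in for whichever site database view holds one state row per resource and update group.

```python
import sqlite3

SERVERS, GROUPS = 134, 4  # counts quoted in the post

def build_db():
    """In-memory tables named after the views in the post; all rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE v_R_System     (ResourceID INTEGER PRIMARY KEY, Name0 TEXT);
        CREATE TABLE v_AuthListInfo (CI_ID INTEGER PRIMARY KEY, Title TEXT);
        CREATE TABLE v_StateNames   (TopicType INTEGER, StateID INTEGER, StateName TEXT);
        -- Hypothetical stand-in: one row per (server, update group) with its state.
        CREATE TABLE group_state    (ResourceID INTEGER, CI_ID INTEGER, StateID INTEGER);
    """)
    db.executemany("INSERT INTO v_R_System VALUES (?, ?)",
                   [(r, f"SRV{r:03d}") for r in range(1, SERVERS + 1)])
    db.executemany("INSERT INTO v_AuthListInfo VALUES (?, ?)",
                   [(c, f"Server baseline {c}") for c in range(1, GROUPS + 1)])
    # Constructed labels for the two StateID values mentioned in the post.
    db.executemany("INSERT INTO v_StateNames VALUES (300, ?, ?)",
                   [(1, "Compliant"), (2, "Non-compliant")])
    # Constructed data: roughly every tenth (server, group) pair is in state 2.
    db.executemany("INSERT INTO group_state VALUES (?, ?, ?)",
                   [(r, c, 2 if (r + c) % 10 == 0 else 1)
                    for r in range(1, SERVERS + 1)
                    for c in range(1, GROUPS + 1)])
    return db

# Shape of the posted query: v_StateNames is a lookup table with no link to a
# machine, so the filter picks one label row and pairs it with every
# server/group combination.
CROSS_JOIN_SQL = """
    SELECT s.Name0, a.Title, n.StateName
    FROM v_AuthListInfo a
    CROSS JOIN v_R_System s
    CROSS JOIN v_StateNames n
    WHERE n.TopicType = 300 AND n.StateID = ?
"""

# Keyed shape: start from the per-machine state rows and join the lookup
# tables on their keys, so the StateID filter actually selects machines.
KEYED_JOIN_SQL = """
    SELECT s.Name0, a.Title, n.StateName
    FROM group_state g
    JOIN v_R_System s     ON s.ResourceID = g.ResourceID
    JOIN v_AuthListInfo a ON a.CI_ID = g.CI_ID
    JOIN v_StateNames n   ON n.TopicType = 300 AND n.StateID = g.StateID
    WHERE g.StateID = ?
    ORDER BY s.Name0
"""

def count_rows(db, sql, state_id):
    """Number of rows the query returns for the given StateID."""
    return len(db.execute(sql, (state_id,)).fetchall())

if __name__ == "__main__":
    db = build_db()
    for state in (1, 2):
        print(state,
              count_rows(db, CROSS_JOIN_SQL, state),
              count_rows(db, KEYED_JOIN_SQL, state))
```
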

Question about where updates are downloaded to for installation


Good Morning,

We are in the process of implementing Config Mgr 2012, moving from a third party application from patch management. I have managed SCCM 2007 in the past.  My co-worker and I set up a deployment for Thursday morning using a Maintenance window.  When I went and checked one of the servers scheduled for deployment, I noticed that the CCMCache folder had a folder named '1', but this was empty.  However, in the Software Center window it indicates that there is an update waiting to be installed.  In 2012, when a deployment is scheduled, do the updates "live" in Software Center until the maintenance window begins? It indicates that the update is past due for installation.  In 2007, the updates would be downloaded to the ccmcache folder and installed from there.  I ran a similar deployment in my test environment and the updates were downloaded to the ccmcache folder and installed in the maintenance window. 

I just want to verify if this is how it works in 2012 or if more investigation is needed to find out why the updates are not being pushed to the ccmcache folder ahead of being installed and if I should scrap my deployment for Thursday morning. 

Thank You

Brian Dougherty

Updates not applying: Scan failed with error = 0x80072efd.


Hi, I'm trying to troubleshoot Windows updates which are configured through SCCM 2012 R2.  The WSUS server is installed on Server 2012 R2, version 6.3.9600.16384.   I have it running on the custom website (using ports 8530 and 8531).  For a few weeks, my clients were configured with a conflicting group policy (pointing to the old WSUS server).  I removed that policy, and now the SCCM agent is setting the local group policy to use the proper WSUS server.  Clients are Windows 7 Enterprise.

These clients do not have access to the internet.

Now, updates are still failing, with the following events in the wuahandler.log

Its a WSUS Update Source type ({8C51EBC1-265B-4889-8CC4-0B9EF237D704}), adding it.	WUAHandler	4/9/2014 4:53:09 PM	4028 (0x0FBC)

Existing WUA Managed server was already set (http://Myserver-12R2-WSUS.mydomain.local:8530), skipping Group Policy registration. WUAHandler 4/9/2014 4:53:09 PM 4028 (0x0FBC)

Added Update Source ({8C51EBC1-265B-4889-8CC4-0B9EF237D704}) of content type: 2	WUAHandler	4/9/2014 4:53:09 PM 4028 (0x0FBC)

Scan results will include superseded updates only when they are superseded by service packs and definition updates. WUAHandler 4/9/2014 4:53:09 PM 4028 (0x0FBC)

Search Criteria is (DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver')	WUAHandler 4/9/2014 4:53:09 PM 4028 (0x0FBC)

Async searching of updates using WUAgent started. WUAHandler 4/9/2014 4:53:09 PM 4028 (0x0FBC)

Async searching completed. WUAHandler 4/9/2014 4:53:12 PM 3452 (0x0D7C)

OnSearchComplete - Failed to end search job. Error = 0x80072efd. WUAHandler 4/9/2014 4:53:12 PM	4028 (0x0FBC)

Scan failed with error = 0x80072efd. WUAHandler	4/9/2014 4:53:12 PM 4028 (0x0FBC)


For troubleshooting so far, I have disabled the client firewall, restarted the wsus server, and confirmed that the clients can get to the default IIS page on the wsus server.  I'll try reinstalling the sccm client now, and will report back.

After much searching, none of the answers I have found online were of any help.

Any advice will be greatly appreciated.

Thanks,


Kevin




Updates - manual vs sccm managed and required updates


Hello everyone,

Is there a way to stop systems that are not patched via SCCM but have SCCM client to stop reporting missing updates?
I just don't want to see updates showing Required count for these systems.

If I create separate SCCM policy to a collection of such systems with Software Updates tab set to disabled, would that be enough?

isolated WSUS environment


I have a WSUS isolated from the Master WSUS.  I have to do a wsusutil export xxxx.cab xxxx.log and copy the WSUSContent folder over to the environment.  Likewise I perform a wsusutil import xxxx.cab xxxx.log and copy the contents of WSUSContent over to the isolated WSUS server.  The problem is that our servers in this environment repeatedly show missing MS patches (i.e. MS13-052 is a popular one) that our Internet-connected environment has.  One of the big problems in the isolated environment is that the updates/patches are trying to do a download.  It seems that the WSUSContent does not have the full information it needs to update my servers.

I cannot seem to find a solution to this problem.  Please advise.

Bryan

  

Updating servers and reboot during MW


Hi.

Our main goal is to install software updates and reboot the server only during Maintenance Windows (MW). I've been searching the Internet but I'm stuck. Software updates are installing and servers are waiting for reboot.

The settings are:

Collection: MW is set to 03-04 hour

Server: Business hours are from 05-22 hour and software center\computer maintenance\only suspend software center ….ticked on

GPO: Automatic updates are disabled

ADR: tab User Experience\Deadline behavior\software installation ticked on and Device restart behavior\Suppress Servers ticked on

TIA.


Thanks, Harmen



WSUS Server Cleanup Wizard... to run or not to run?


Hi,

Sometimes on my server, the WSUS synchronization fails (operation timed out) and I heard that running the Server Cleanup Wizard could help. I also heard that nothing should be done in the WSUS console because it's managed by SCCM.

For SCCM, is it a good or bad practice to run Server Cleanup Wizard from WSUS console and why? SCCM isn't cleaning stuff already? I don't want to mess things up.

Thanks for your help!

Cannot download Office 2013 Service Pack 1 (KB2850036)


I'm using SCCM 2012 Config Manager.  I've created a software update date for Office 2013 - Service Pack 1.  It contains only 1 update, and that's the Office 2013 SP1 (KB2850036).

The standalone installer for this KB is around 640MB, according to the following link.

http://support.microsoft.com/kb/2817430/en-us

When I choose to Download this update with SCCM, it starts the normal "Provisioning Update" process but sits at 0%.   The deployment package directory grows to 334 folders, 329 files taking 3,707,522,416 bytes on the hard drive, and then eventually throws the following error in SCCM.

Error:  Service pack 1 for Microsoft Office 2013 (KB2850036) 32-Bit Edition.   Failed to download content id 16844655.  Invalid certificate signature.

I've tried the download a couple of times, and I get the same thing.

Any suggestions?

Software Updates Not Applied properly


Hello,

I'm facing a software deployment issue in an SCCM 2012 R2 environment. I deployed the definition patches to a group of 1000 machines, and some of them failed with the error below.

I have started working on the GPO issue.

I request someone to help with the rest of the errors.

MsMpSvc terminates with definitions 1.171.1.0 on Server 2003


The definitions seem to have had a version increment overnight from 1.169.x to 1.171.x and now several of my Windows Server 2003 machines are having the msmpsvc terminate on a fairly frequent basis.

The machines are running System Center Endpoint Protection Client 2012 R2. The previous definition version was 1.169.2706.0, the new one is 1.171.1.0.

SCEP client version is 4.5.216.0 (which I believe to be the latest). I tried uninstalling and reinstalling which gave me version 4.3.220.0 which also experienced the same problem.

Is there anyone from Microsoft reading this and would they care to a) test/replicate the issue and b) fix it? Thanks very much :-)

Have blogged about this here too: https://rcmtech.wordpress.com/2014/04/16/msmpsvc-terminates-on-windows-server-2003-with-defininition-version-1-171-1-0/

System Center Endpoint Protection - error 0x80004005


Hi,

Not sure where to place this thread, please move if necessary.

We're having an issue in two completely different customer environments. The Microsoft Antimalware Service stops and on some occasions the servers hang. In the Event Viewer the following event occurs (ID 3002). On some servers we had to uninstall FEP completely; restarting the service or server didn't resolve the issue. Memory and CPU levels seem normal.

Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.

Feature: On Access

Error Code: 0x80004005

Error description: Unspecified error

Reason: The filter driver skipped scanning items and is in pass through mode. This may be due to low resource conditions.

The following signatures are updated:

Microsoft Antimalware signature version has been updated.

Current Signature Version: 1.171.1.0

Previous Signature Version: 1.169.2706.0

Signature Type: AntiSpyware

Update Type: Full

User: NT AUTHORITY\SYSTEM

Current Engine Version: 1.1.10501.0

Previous Engine Version: 1.1.10401.0

Has anyone seen this before?

Thanks.
