Channel: Configuration Manager 2012 - Security, Updates and Compliance forum

Update status is incorrect

When I run update status reports, some computers show "not needed" for an update that is clearly needed. For instance, if I run a compliance report and look for the status of KB2775511, I get a lot of computers showing "Update is not required" - however, these computers don't have KB2775511 installed, and clearly need it.

In fact, each client believes it needs the update because it's listed as "Missing" when I check the CCM_UpdateStatus WMI class at "root/ccm/SoftwareUpdates/UpdatesStore". Furthermore, if I deploy the update via SCCM to one of these computers, the computer recognizes it needs the update and installs it. So it seems that the report (or wherever the report gets its information) is what's at fault here.

The other odd thing I notice about the report is that the computers with incorrect statuses have very recent dates for "Last State Received", and no date for "Last State Change". This is different from computers that are correctly reporting their status, which have values for both, typically with older dates.

Any idea why my reports are incorrect?


Eric Hodges


Automatic Deployment Rule for Endpoint Definitions not always working

I've set up an Automatic Deployment Rule to deploy Endpoint Definitions, but I'm getting random installation problems on clients. The reason for the error seems to be if the deployment package has more than one definition in it and it tries to install them all at once. The first definition (which isn't the latest one) is installed OK, but the others fail.

The WindowsUpdate.log file has the following error:
2012-07-13 12:19:48:890 976 844 Report REPORT EVENT: {1144AA34-E109-4821-8B66-7A3772D1993B} 2012-07-13 12:19:41:802+0100 1 183 101 {5565EBDB-DDAB-412C-B03D-26E8A93729E6} 100 0 CcmExec Success Content Install Installation Successful: Windows successfully installed the following update: Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.129.1535.0)
2012-07-13 12:19:48:890 976 844 Report REPORT EVENT: {7B6E3BE1-23E3-46DB-B9FE-C1E7FD85A457} 2012-07-13 12:19:42:448+0100 1 182 101 {7D30C74D-5D97-4CB3-834C-C29D3F133C5B} 100 80070643 CcmExec Failure Content Install Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.129.1557.0).
2012-07-13 12:19:48:891 976 844 Report REPORT EVENT: {42E7D70E-976E-408E-85DB-E44D04FC22B0} 2012-07-13 12:19:42:767+0100 1 182 101 {DB69B95A-625D-4A25-8264-854460587590} 100 80070643 CcmExec Failure Content Install Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.129.1589.0).

My current Automatic Deployment Rule is set up as:

  • Software Updates
    - Date Released or Revised: Last 1 day
    - Product: 'Forefront Endpoint Protection 2010'
    - Update Classification: Definition Updates
  • Evaluation Schedule: Run once a day at 10am (update point synchronization schedule set for 8am)
  • Deployment Schedule:
    - UTC
    - Software available time: 2 hours
    - Installation deadline: As soon as possible

I could change the Software Update Point and the Automatic Deployment Rule to run every 8 hours (as three definitions are released a day) and I think the problem would go away as there would only be one definition file in the package, but I would prefer to get to the bottom of why they are failing.

Any ideas?

Thanks,
Pete

software metering date not available for selection sccm 2012

Hi

I have installed SCCM 2012. 

While viewing a report for software metering, date and year are not available for selection. They are blank.

Sporadic behavior with software updates

Platform: SCCM 2012 R2 on Windows 2012 R2 with a separate SQL Server 2008 R2.

Recent changes: Migrated the Primary Site server from a Windows 2008 R2 OS to a new server on Windows 2012 R2 with a backup restore, using the same hostname and IP address on the new server. When setting up the new server I cleaned up a lot of the old Software update packages and program packages that were pretty redundant.

More details: Deploying Programs and Applications work fine (however I had to re-create all Applications to get them to work), OSD builds work fine after fixing a few issues. 

Issue: Deploying Software Updates is giving very random results. Old software updates simply don't seem to work at all. I've tried creating new packages for example Windows 2012 R2, these include:

KB2904440-Deploys just fine

KB2911106-Deploys just fine

KB2909210-Doesn't deploy

KB2912390-Doesn't deploy

KB2916036-Doesn't deploy

KB2923528-Doesn't deploy

And another 9 or so updates that won't deploy as expected.

I tried manually downloading KB2916036, KB2923528 and installing them, works just fine (so it's not like they are superseded or not needed).

Similar behavior with Windows 8.1.

I tried a Silverlight update, deploys just fine. A Report Viewer update doesn't work though.

We re-created some older packages for Windows 7 that were deploying fine before the OS migration, now it's the same behavior with the primary site server on Windows 2012 R2, a small amount of updates deploy, but most don't to the Windows 7 clients.

ScanAgent.log and WUAHandler.log show little of interest that I can see. The server logs seem fine as well.

Any ideas?

WSUS and SCCM

Hi,

Is WSUS Server required in the production infrastructure as well for the OS patching?

We have 3 separate environments: Development, UAT and Production. The UAT and Production environments do not have internet access. So in Dev, which is in an isolated network and has an internet connection, we have a WSUS server and SUP installed where the MS patches are acquired. Then we do an export/import process to move our MS patches to the other environments. So do we need WSUS infrastructure in UAT and Production as well?

Regards,

Vinod

Endpoint Protection Antimalware Process Exclusions

Hello,

Quick question on SCEP process exclusions: Do we need to type in the full path or will just the name.exe suffice? If you have a source that would be great - I have been digging for something that says one way or another... I believe I saw an MS page that spelled everything out a long time ago, but cannot find it for the life of me. Thanks for your help.

BBLAdmin

Configuration item failing

Hi

I have run a PowerShell script as a configuration item and it keeps reporting as non-compliant even though when I run it on the machine it passes. When it runs I have it authenticating with CredSSP and invoking a command. It adds the authentication into the Instance Data window and doesn't add the value I want returning.

Can I make it so that this authentication information isn't written to the Instance Data window?

Thanks

Packaging multiple updates

Hello,

I've not had much luck finding an answer to this on my Bing searches, but I'm fairly new to SCCM and have managed to push an application to a few devices. My SCCM 2012 (SP1) system has... issues, when it comes to deploying the monthly MS patches. So, we've found that some machines are months behind in applied updates. Many of the devices are missing the same updates. Not all are missing the same updates, but enough to where I don't want to log on to the machines individually and patch them one-by-one.

So I thought I would gather up all the missing updates, create a package and deploy them to the machines that are missing them. What I'm finding is if I try to create an application deployment (Software Library > Overview > Application Management > Applications), I'm allowed only one installer per deployment.

Is there a way I can package up all these downloaded updates (stored on a UNC path), create a single deployment and target the needed devices?

TIA


Compliance and Required SUP Numbers Off

I may answer my own question here but here we go. We have Office 2010 deployed to the majority of our enterprise, however, most of these also have Lync 2013 installed. We only have a handful of systems with the actual Office 2013 suite installed.

The problem I'm coming across is our systems think many of the Office 2013 updates are required (Office 2013, Word 2013, etc.). I've yet to determine whether it's Lync 2013 itself or the Office Components 2013 that's tripping it up. Either way, it's throwing off my compliance numbers. A little more background: my software update groups are broken down by workstation updates/year and server updates/year. I've toyed with the idea of creating individual software update groups that are product specific (Office 2010, Office 2013, etc.) and only deploying them to collections limited to those specific products. However, that seems like a lot of work and wouldn't be helpful when it comes to determining the overall compliance of my environment.

My question(s):

Is there a way to keep these systems with Office 2010 & Lync 2013 from thinking they need Office 2013 updates?

If the answer to the question above is no.....

How can I structure my software update groups so I can report the overall compliance numbers without having to piece together reports for individual products?

Thanks for your help in advance.

Restart Options

I thought I had this all figured out, but I've seen some random behavior that wasn't what I expected. I just have a few questions about it all.

I'd like for updates to get installed on a particular day of the week, and prompt the user to reboot, as close to the WUA behavior as possible. I know that ConfigMgr doesn't behave the same, but 

As a test, I recently deployed the IE 10 prerequisites, and then IE 10 itself. What happened is that after a few days (A time in which users SHOULD have already restarted their computers (Leaving for the day, etc)) they were having trouble where IE 10 had not fully finished installing, and they were getting "out of memory" errors in IE 10 on our intranet site. Once we have them reboot, they finish getting the updates installed, and all was well. I checked a few other users, and in the deployment monitoring, they were reported back as "compliant", even though IE 10 had not fully installed yet.

Another issue I had early on was that some users were getting the un-hideable countdown to restart in the middle of the day. I like this because it forces the restart, but I'd just like to be able to control it a bit better, and time it for the afternoon, but I'm not sure where that's controlled, or if it's even possible, which I'm guessing would be controlled with the deadline period? (I'm assuming it would vary, depending on if a PC is on during the deadline.)

The weirdest issue I've seen was that some computers wouldn't always finish installing after a reboot. I've seen it happen if the user just restarts from the start menu, OR the restart button in the Software Center. After the restart, it will still say that a restart is required.

I'm also a little confused with these settings. The first set is obvious, for behavior outside of the MW, but the bottom box for reboot suppression, how does this tie into any of the above "problems"? Does suppressing a reboot mean altogether (including during a MW), or does that only suppress it outside of the MW?

Sorry for all of the questions, but any input is appreciated. 

Modified Security roles summary report

Just curious if anyone has modified the Security roles summary report to include the individual permissions object class. So for some permissioned userid or group that has the canned role Remote Tools Operator, the report would also show that Collection has Control AMT = Yes, Read = Yes, Read Resource = Yes, and Remote Control = Yes.

Report Builder and I are not friends yet.



Default maximum run time for updates

Is there a way to change the default "Max run time" for each update? In SCCM 2007 the default run time was 20 minutes per update, now it is 5 minutes. I have machines that repeatedly fail to install updates because the max time of 300 seconds was reached.


80070035 While Capturing a Windows 7

I am having an issue trying to capture a Win 7 x64 image using OSD SCCM 2012 R2. I am using a VMware environment. I did not have to update the network driver on the boot.wim.

I checked the static IP info before I ran the sequence and I was able to ping the machine and connect to it no problem.

When it fails I did an ipconfig /all; all settings are correct. The only way I can get to the machine is by using the FQDN, but I am able to ping and map a drive using the FQDN. Did not have to use the FQDN PRE RUNNING THE TASK SEQUENCE.

I am able to download the image, install updates, but when it comes time to capture the machine I get the following error in the SMSTS.log


Connecting to "\\SCCMSERVER\source$\OSD\WIM Files\Win 7 x 64 Pilot Gold Wim" CaptureSystemImage 4/18/2014 3:50:43 PM 820 (0x0334)
Failed to connect to "\\SCCMSERVER\source$\OSD\WIM Files\Win 7 x 64 Pilot Gold Wim" (53). Retry in 7 seconds. CaptureSystemImage 4/18/2014 3:50:46 PM 820 (0x0334)
Executing command line: X:\windows\system32\cmd.exe /k TSBootShell 4/18/2014 3:50:46 PM 616 (0x0268)
The command completed successfully. TSBootShell 4/18/2014 3:50:46 PM 616 (0x0268)
Successfully launched command shell. TSBootShell 4/18/2014 3:50:46 PM 616 (0x0268)
Connecting to "\\SCCMSERVER\source$\OSD\WIM Files\Win 7 x 64 Pilot Gold Wim" CaptureSystemImage 4/18/2014 3:50:53 PM 820 (0x0334)
Failed to connect to "\\SCCMSERVER\source$\OSD\WIM Files\Win 7 x 64 Pilot Gold Wim" (53). Retry in 14 seconds. CaptureSystemImage 4/18/2014 3:50:53 PM 820 (0x0334)
Connecting to "\\SCCMSERVER\source$\OSD\WIM Files\Win 7 x 64 Pilot Gold Wim" CaptureSystemImage 4/18/2014 3:51:07 PM 820 (0x0334)
Failed to connect to "\\SCCMSERVER\source$\OSD\WIM Files\Win 7 x 64 Pilot Gold Wim" (53). Retry in 23 seconds. CaptureSystemImage 4/18/2014 3:51:07 PM 820 (0x0334)
Connecting to "\\SCCMSERVER\source$\OSD\WIM Files\Win 7 x 64 Pilot Gold Wim" CaptureSystemImage 4/18/2014 3:51:30 PM 820 (0x0334)
bRetryIfFail, HRESULT=80070035 (e:\nts_sccm_release\sms\framework\tscore\tsconnection.cpp,340) CaptureSystemImage 4/18/2014 3:51:32 PM 820 (0x0334)
Failed to connect to "\\SCCMSERVER\source$\OSD\WIM Files\Win 7 x 64 Pilot Gold Wim" (53). CaptureSystemImage 4/18/2014 3:51:32 PM 820 (0x0334)
reconnect(), HRESULT=80070035 (e:\nts_sccm_release\sms\framework\tscore\tsconnection.cpp,129) CaptureSystemImage 4/18/2014 3:51:32 PM 820 (0x0334)
connect(pszPath, pszAccount, pszPassword, L"", uFlags), HRESULT=80070035 (e:\nts_sccm_release\sms\framework\tscore\tsconnection.cpp,148) CaptureSystemImage 4/18/2014 3:51:32 PM 820 (0x0334)
rUncConnection.connect( sCaptureDestinationDir, sCaptureUsername, sCapturePassword, TS::Utility::Connection::IgnoreCred), HRESULT=80070035 (e:\nts_sccm_release\sms\client\osdeployment\capturesystemimage\capturesystemimage.cpp,809) CaptureSystemImage 4/18/2014 3:51:32 PM 820 (0x0334)
Failed to connect the image capture destination \\SCCMSERVER\source$\OSD\WIM Files\Win 7 x 64 Pilot Gold Wim. 
The network path was not found. (Error: 80070035; Source: Windows) CaptureSystemImage 4/18/2014 3:51:32 PM 820 (0x0334)
GetImageFileDestination(UncConnection, sCaptureDestination), HRESULT=80070035 (e:\nts_sccm_release\sms\client\osdeployment\capturesystemimage\capturesystemimage.cpp,885) CaptureSystemImage 4/18/2014 3:51:32 PM 820 (0x0334)
Finished with error code 0x80070035 CaptureSystemImage 4/18/2014 3:51:32 PM 820 (0x0334)
Unloading offline SOFTWARE registry hive CaptureSystemImage 4/18/2014 3:51:32 PM 820 (0x0334)
Unloading offline SYSTEM registry hive CaptureSystemImage 4/18/2014 3:51:32 PM 820 (0x0334)
Process completed with exit code 2147942453 TSManager 4/18/2014 3:51:32 PM 908 (0x038C)
!--------------------------------------------------------------------------------------------! TSManager 4/18/2014 3:51:32 PM 908 (0x038C)
Failed to run the action: Capture the Reference Machine. 
The network path was not found. (Error: 80070035; Source: Windows) TSManager 4/18/2014 3:51:32 PM 908 (0x038C)

Any other things I could do to troubleshoot?

I have done this many times before but have not run into this situation.



Cyndy

SCEP 2012 definition updates makes no sense

Hi, I'm trying to figure out how SCEP updates are working. We are evaluating SCEP on some servers and workstations at the moment and some clients have the latest updates, some are one version old, and some have even older.

For example:
This morning at 04:00 we had a SUP sync and an ADR was created at 04:02 with definition version 1.169.1999.0.
Today at 10:27 one of the clients updated its definition, but to version 1.169.1904.0. Why did it choose an old update? Several clients had already updated to the .1999 version. And why so late? Our antimalware policy is set to check for updates every 1 hour. The computer powered on at 07:45.

I have looked in the MPlog.log file, but it doesn't make sense either. According to one machine it updated to definition v.1.169.1258.0 on March 31; it is the latest record, but when I check the SCEP GUI on that machine it has updated to 1.169.2028.0 today.

What am I missing?

Regards Erik



Configuration Item (Query SCVMM server failing)

Hi

I have created a configuration item that runs as a PowerShell script to check if a virtual machine's hard drives are dynamic or static. I can get the PowerShell script to work by running locally on the server in question. However, when it is run as a configuration item it reports back as access is denied. I have run winrm quickconfig on the VMM server and we have no Windows Firewall turned on. The servers are all in the same data center and subnet. Please can I have some pointers on how to get the below script working.

Many thanks

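# Name of the guest that the configuration item is evaluated on
$vguest = $env:COMPUTERNAME

# Run the disk check on the VMM server, passing the guest name in as $Vgu
Invoke-Command -ComputerName VMMSERVERNAME -ScriptBlock {
    param($Vgu)

    Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager

    # Report each virtual hard disk as compliant only if it is dynamically expanding
    (Get-VM -VMMServer VMMSERVERNAME $Vgu).VirtualHardDisks |
        ForEach-Object {
            if ($_.VHDType -eq "DynamicallyExpanding") { Write-Host "Compliant" }
            else { Write-Host "Non-Compliant" }
        }
} -ArgumentList $vguest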

Clients do not receive Update anymore

Hi,

already close to a nervous breakdown:


Some time ago we had our WSUS / SUP working fine with SCCM 2012 SP1, installed on a (virtual) Server 2008R2.
Due to performance issues we were forced to move SCCM to a powerful hardware box.

There we installed Server 2012R2 as OS, and we successfully restored an SCCM backup from the virtual machine.
We've been told to keep the same server name as the virtual one - to succeed on SCCM backup restore.

So far so good ... all works fine; on top of that, we upgraded to CU3.

However, since that day none of our clients has received a single WSUS update anymore. On the server side all is fine to me.
Updates are synchronised - automatic deployment rules do what they have to do, software update groups are created, updates downloaded, distributed and deployed.
Update deployments are required with deadline and so on ...

The logs on the server do look fine ... except one thing in the WCM.log which came to my attention:

Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608) SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
Checking runtime v2.0.50727... SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
Did not find supported version of assembly Microsoft.UpdateServices.Administration. SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
Checking runtime v4.0.30319... SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
Found supported assembly Microsoft.UpdateServices.Administration version 4.0.0.0, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
Found supported assembly Microsoft.UpdateServices.BaseApi version 4.0.0.0, file version 6.3.9600.16384 SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)
Supported WSUS version found SMS_WSUS_CONFIGURATION_MANAGER 10.04.2014 08:38:01 3208 (0x0C88)

It states that it can't find a supported version of assembly - but 2 lines later it says that it has one of a higher release.
Since Server 2012R2 does come with a higher WSUS release, I think no issue here ...

Even on the client side I do not find errors - see here entries of WUAhandler.log (here I changed servername & domain) but in real life the server's name = correct

Its a WSUS Update Source type ({FA626CBA-DA9C-4CBE-99E7-397DD7570854}), adding it. WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
Existing WUA Managed server was already set (HTTP://servername.dom.CORP.DIR:8530), skipping Group Policy registration. WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
Added Update Source ({FA626CBA-DA9C-4CBE-99E7-397DD7570854}) of content type: 2 WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
Scan results will include all superseded updates. WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
Search Criteria is (DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver') WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
Async searching of updates using WUAgent started. WUAHandler 10/04/2014 8:58:33 4172 (0x104C)
Async searching completed. WUAHandler 10/04/2014 8:58:59 10176 (0x27C0)
Successfully completed scan. WUAHandler 10/04/2014 8:59:01 9488 (0x2510)

FYI - we are not using GPOs to set the WSUS source .. boundaries are configured correctly ....

On the SCCM server, in the deployment status for a software updates deployment -> clients report - status unknown -> client check passed / active


To me the clients don't detect that there are new updates available.

Have you any idea where it can go wrong .. I so far can't find out why.

Thanks


Compliance State - Error

Hello All,

I have around 400 systems with "Compliance State - Error" and a few systems do not have a configuration baseline assigned to them. So I have restarted the SMS Host Agent, which fixed it on very few systems. Could anyone please let me know the further troubleshooting steps to remediate the issue?

How to patch Unix/Linux devices using SCCM 2012 R2 ?

Hi all,

Is there a way to patch Unix/Linux devices using SCCM 2012 R2?

Please suggest.

Thanks,

Pranay.

SCCM 2012 OFFLINE UPDATES

Sir,

Kindly guide me how to update all Windows patches from one domain SCCM 2012 server to another separate domain SCCM 2012 server offline (without internet).

My main problem is that the other SCCM 2012 should not connect to the internet.

Can we synchronize SCCM 2012 from one forest to another separate forest without any trust relationship?

Kindly let me know if there is any export and import option available in SCCM 2012 for Windows updates.

Kindly help me in this regard.

Awaiting your reply.

Regards

KISHORE

