Channel: Configuration Manager 2012 - Security, Updates and Compliance forum

RBA - import computer without the default scope!


hi,

I know this is a popular question and I have read all blogs and posts I could find about it, the problem is that I do not want to give users access to the default security scope and without this the computer import is not working.

I have created in the past two custom roles for different helpdesk levels, so I want to use one of those existing roles to do the import computer information.

the user has already the collection: read, modify and modify resource permissions and also the site: read and import computer information permissions.  BUT since I removed the builtin scopes and collections and assigned a custom scope and two custom collections, the import computer remains greyed out...

once I got the hang of the new security model, I kinda liked it, but this really simple function seems impossible to do with the requirements I have in place

any suggestions?


Configuration Baseline does not pickup compliance properly


I'm new to Compliance Baseline and I want to report different clients with different registry values using baseline reporting.

I have 2 Task Sequences in production to deploy clients and to separate which client did run which task sequence, I created 2 different registry values. So reg value 1 registers during TS 1, and reg value 2 registers during TS 2.

Then I created Baseline 1 and Baseline 2. They both have their own Baseline items which are set with these registry values.


The problem is that if I create the baseline item's registry keys manually, both 1 and 2 will be compliant. If I browse desired registry values, none of them will become compliant. But I really cannot separate them. Any clue what I'm doing wrong here? I have checked registry values a few times, I doubt there are any typing errors there.

If it makes easier, I could add some screenshots here of my settings.

Software Update Groups and deadline


Hi,

I created Software Update Groups according to the Years as below:

2003-2010 All SUG, 2011 All SUG, 2012 All SUG and 2013 All SUG. I also have an ADR which creates monthly updates for 2014. These are all made as Required and have a deadline (2 weeks). Because I know if I make them Available, no one will install updates.

Let's assume that a computer named Client1 installs the updates on the deadline. 3 months later I need to re-format that Client1 computer with a fresh Windows 8. I am wondering whether Client1 will get those updates again. Deadline for those updates is already passed. I think this question is valid for all computers that I newly joined to the domain. Will they get the software updates if deployment deadline is already passed?


Yavuz Selim Atmaca

Confusion over assigned Security scopes and collections


I need to configure our SCCM site so that the Desktop Team are unable to see any servers which have the SCCM client installed.  I've added their AD group within SCCM Administrative Users, then under the Security Scope tab I have removed all current collections containing servers within the section Only the instances of objects that are assigned to the specified security scope and collections. 

This appears to be fine.  It looks like the servers are hidden for this group.  I have asked them to try to create a new collection and add servers, which they weren't able to do - so that was good.

So my question is, is this sufficient permissioning or do I need to do anything with scopes?

If they create new collections, will the permissions above apply to the new collection?  As they can't see servers does this restrict all access to them?

WSUS and SCCM 2012


I'm finally getting around to trying to integrate WSUS with SCCM 2012 - i.e., to begin using SCCM 2012 to manage and deploy all Microsoft updates rather than using plain old WSUS as I have in the past.

My first impression is that it's much more complicated than using WSUS alone. That said, I'm wondering now what are the advantages of using SCCM 2012 to manage Windows Updates rather than using WSUS? So far, I've added all of this complexity to the process, but I'm not seeing the added benefits after having gone through all this. Anyone else agree?

I'm about to just trash the whole thing and go back to doing it the old way. Thoughts?


Shaun

Unable to download missing software updates from DP


For the past week or so I'm seeing a lot of systems that are unable to download certain updates for installation. Looking at these machines, I'm seeing the following:

updatesstore.log

In this log I can see all the updates and it's identified them as missing.

contenttransfermanager.log

CCTMJob::UpdateLocations - Received empty location update for CTM Job {1EC7F586-46CA-4D46-B8A8-EFDA78050F70} ContentTransferManager 30/10/2013 9:03:53 PM 3696 (0x0E70)
CTM job {1EC7F586-46CA-4D46-B8A8-EFDA78050F70} suspended ContentTransferManager 30/10/2013 9:03:53 PM 3696 (0x0E70)
CCTMJob::UpdateLocations - Received empty location update for CTM Job {CFF477C6-FD7B-4766-BAB1-5317E777FDD5} ContentTransferManager 30/10/2013 9:03:53 PM 1564 (0x061C)
CTM job {CFF477C6-FD7B-4766-BAB1-5317E777FDD5} suspended ContentTransferManager 30/10/2013 9:03:53 PM 1564 (0x061C)

locationservices.log

Current AD site of machine is Admin-Centre LocationServices 30/10/2013 9:03:53 PM 1564 (0x061C)
Calling back with empty distribution points list LocationServices 30/10/2013 9:03:53 PM 1564 (0x061C)

In searching for this problem a lot of talk has been that it's a boundary issue. I use IP subnet boundaries exclusively and can confirm the machines I've looked at have boundaries configured and they're part of a fast boundary group with a DP. I've also validated the packages on that DP and even redistributed them.

Any ideas?

2012 Client status changed to unknown all of a sudden?

Uninstalling/Rollback of a Linux patch



Say I want to undo or rollback a patch that I've deployed to Linux. Is there a way for SCCM to provide a rollback or uninstall of the deployed patch?

Either through script, compliance or otherwise.

The distro of Linux I'm running is Ubuntu 12.04.4


System Center 2012 Endpoint Protection, does it protect against cve-2014-1776?

Has there been a dat released that will allow System Center 2012 Endpoint Protection to provide some level of protection against cve-2014-1776 until a patch is released?  -Thanks

Maintenance Windows for Windows updates in UTC


We use SCCM to automatically patch servers in different locations. All our customers define maintenance windows in local time (GMT +4), but servers have different time settings.

I create a collection with a Maintenance Window with UTC checked. For example:

For a window between 00-00 and 01-30 Moscow time (GMT+4) on Wednesday, I create an MW from 20-00 to 21-30 every Tuesday with UTC checked and include a server with GMT+4 time settings in this collection.

But the server applies updates on Tuesday 00:00 - 01-30, whereas I expect 00:00 - 01-30 on Wednesday.

Why is the time changed, but the day not incremented?

We also tried changing "Apply this schedule to: All software", without success.

Restart Options


I thought I had this all figured out, but I've seen some random behavior that wasn't what I expected. I just have a few questions about it all.

I'd like for updates to get installed on a particular day of the week, and prompt the user to reboot, as close to the WUA behavior as possible. I know that ConfigMgr doesn't behave the same, but 

As a test, I recently deployed the IE 10 prerequisites, and then IE 10 itself. What happened is that after a few days (A time in which users SHOULD have already restarted their computers (Leaving for the day, etc)) they were having trouble where IE 10 had not fully finished installing, and they were getting "out of memory" errors in IE 10 on our intranet site. Once we have them reboot, they finish getting the updates installed, and all was well. I checked a few other users, and in the deployment monitoring, they were reported back as "compliant", even though IE 10 had not fully installed yet.

Another issue I had early on was that some users were getting the un-hideable countdown to restart in the middle of the day. I like this because it forces the restart, but I'd just like to be able to control it a bit better, and time it for the afternoon, but I'm not sure where that's controlled, or if it's even possible, which I'm guessing would be controlled with the deadline period? (I'm assuming it would vary, depending on if a PC is on during the deadline.)

The weirdest issue I've seen was that some computers wouldn't always finish installing after a reboot. I've seen it happen if the user just restarts from the start menu, OR the restart button in the Software Center. After the restart, it will still say that a restart is required.

I'm also a little confused with these settings. The first set is obvious, for behavior outside of the MW, but the bottom box for reboot suppression, how does this tie into any of the above "problems". Does suppressing a reboot, mean all together (including during a MW), or does that only suppress it outside of the MW?

Sorry for all of the questions, but any input is appreciated. 

Software Update Reporting issue


I have deployed a software update group to a collection. When I check the deployment status from Monitoring - Deployments Node, I get 78% compliance, but if I check the enforcement deployment states from Monitoring - Reporting - Reports - Software Updates - C Deployment States - States 1 - Enforcement States for a deployment report, I get altogether different numbers: only 5% of computers are showing as Compliant, and the rest of the computers are showing in Enforcement state unknown. Please help on this issue.

SCCM and Windows Update Client Configuration


Hello,

I am in the process of migrating SCCM 2007 client over to a new SCCM 2012 R2 site.

I deleted the AD site from 2007 and added it to 2012 and the client is pushed via Client Push. The client upgrades fine and things go well but I run into a little problem after the client is installed.

Basically it seems to be an issue with how SCCM interacts with and controls Windows Update settings on the SCCM client. I ran into somewhat of a major issue that caused all (or many) of the newly upgraded clients to go to the internet to download updates from Microsoft shortly after the move from the 2007 site and client upgrade to 2012. This was because the clients (or at least the ones I checked) had their WU settings set to "Always download and install" (or something similar). Obviously, expected behavior with this setting, but the question is how did it get this way?

Does SCCM control any of these settings? I know it takes over the WSUS settings, etc, but I didn't think it does anything with the WU client itself. From my understanding the WU client settings are done via GPO (local or domain) or WU setting and SCCM does not control these settings.

I’m not looking for you to solve the problem, because it’s quite tedious, I’m just hoping that someone can lead me in the right direction to find out what if any WU settings are controlled or changed by SCCM 2007 or 2012.

Thanks

Angelo



FEP Automatic or Default "Apply Action" not working when malware detected.


Hi,

In SCCM 2012 R1, with FEP Role.

When malware is detected, FEP does not do "Apply actions" automatically or remove malware automatically. I have configured its policy settings to Remove.

But it does not remove it by itself, I have to press the "Apply actions" button manually.

Are there any other settings?

Thanks



Not possible to upgrade Boot Image (x64) after install SCCM 2012 R2


We installed SCCM 2012 R2, and we updated our Boot Images. For the x86 version there is no problem, but for the x64 image I get this error:

Error: Boot image to update:
    Microsoft Windows PE (x64)

Error: Actions to perform:
    Add ConfigMgr binaries
    Set scratch space
    Enable Windows PE command line support

Optional components:
    Scripting (WinPE-Scripting)
    Startup (WinPE-SecureStartup)
    Network (WinPE-WDS-Tools)
    Scripting (WinPE-WMI)

Error: The wizard detected the following problems when updating the boot image.
    • Failed to inject a ConfigMgr driver into the mounted WIM file

The SMS Provider reported an error.: ConfigMgr Error Object:
instance of SMS_ExtendedStatus
{
    Description = "Failed to insert OSD binaries into the WIM file";
    ErrorCode = 2152205056;
    File = "e:\\qfe\\nts\\sms\\siteserver\\sdk_provider\\smsprov\\sspbootimagepackage.cpp";
    Line = 4716;
    ObjectInfo = "CSspBootImagePackage::PreRefreshPkgSrcHook";
    Operation = "ExecMethod";
    ParameterInfo = "SMS_BootImagePackage.PackageID=\"ZEB00004\"";
    ProviderName = "WinMgmt";
    StatusCode = 2147749889;
};

There were no virus scanners active while we were updating SCCM.


Software Update report very very slow

Last Saturday the deployment status showed 9 servers as "pending system restart" for a long time. So we logged in to the servers and checked patching status and reboot status. All the servers are successfully patched and rebooted. But the report shows "pending system reboot". How to overcome this? Thanks!

Manual removal of System Center Endpoint Protection client on Windows 2008 R2 server


For whatever reason I cannot remove or re-install the SCEP client on a Windows 2008 R2 server. The SCCM client has not been installed yet.

I need to know if there is a KB article on how to manually remove it via the registry and deleting of files and folders. I would hate to have to rebuild the server.

thanks!

Security update installed but in Software Center failed status


Hi

I deployed MS Security Updates via SCCM to my clients. On a few machines a specific update has been installed (checked via Add/Remove Programs window and via Event Viewer) but in Software Center the status is Failed. Reinstall, restart inventory, etc.: status still Failed.

Thanks for your help in finding the cause.

SCCM 2012 Setting Windows Update GP's


Hopefully this is a simple one.

I have set up WSUS with SCCM 2012 and currently its sole purpose is for updating our WIM images. However, it seems that all of our devices that have the SCCM 2012 client installed are having their Windows Update local group policy settings changed to our distribution point and all other settings changed to not configured (overriding the settings the admins previously had in place).

I don't want the sccm client to make changes to the windows update local group policy... how can I accomplish this?  

Configure SCCM to allow updates on computers without CM client installed


I have a fully functional SCCM 2012 R2 setup with automatic updates configured for each collection.

I also have a few computers in a separate, completely independent domain. The number of computers there does not even warrant a full WSUS install, even less SCCM. However, the update cycle needs to be controlled.

Now, I struggle with the following issue:

I would like to allow these few computers to get the updates from SCCM+WSUS config without installing CM clients on them.

What I have tried:

  • I have added the IP range in the boundary to make sure that the computers are allowed to connect. --> Now I can see them in WSUS management console
  • I have enabled reporting (in SCCM site services for WSUS) so now I can see the status of updates in WSUS.
  • I have tried to add a device manually to SCCM and place it in a collection that has updates activated.

Despite all of the above and many more things I have tried...When updates are run on the computer, it reports back that the system is up to date.

ANY Suggestions???

The log on the client in WindowsUpdate.log is:

2014-04-29    18:07:37:626     784    550    AU    Triggering AU detection through DetectNow API
2014-04-29    18:07:37:626     784    550    AU    Additional Service {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782} with Approval type {Pre-download notify} added to AU services list
2014-04-29    18:07:37:626     784    550    AU    Triggering Online detection (interactive)
2014-04-29    18:07:37:642     784    2e4    AU    #############
2014-04-29    18:07:37:642     784    2e4    AU    ## START ##  AU: Search for updates
2014-04-29    18:07:37:642     784    2e4    AU    #########
2014-04-29    18:07:37:657     784    2e4    AU    Additional Service {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782} with Approval type {Pre-download notify} added to AU services list
2014-04-29    18:07:37:657     784    2e4    IdleTmr    WU operation (CSearchCall::Init ID 14) started; operation # 180; does use network; is not at background priority
2014-04-29    18:07:37:657     784    2e4    IdleTmr    Incremented PDC RefCount for Network to 1
2014-04-29    18:07:37:657     784    2e4    IdleTmr    Incremented idle timer priority operation counter to 2
2014-04-29    18:07:37:657     784    2e4    Agent    *** START ***  Queueing Finding updates [CallerId = AutomaticUpdatesWuApp  Id = 14]
2014-04-29    18:07:37:657     784    2e4    AU    <<## SUBMITTED ## AU: Search for updates  [CallId = {0FF9713D-219E-4556-ADAF-B1C0B64BD449} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
2014-04-29    18:07:37:657     784    e3c    Agent    ***  END  ***  Queueing Finding updates [CallerId = AutomaticUpdatesWuApp  Id = 14]
2014-04-29    18:07:37:657     784    e3c    Agent    *************
2014-04-29    18:07:37:657     784    e3c    Agent    ** START **  Agent: Finding updates [CallerId = AutomaticUpdatesWuApp  Id = 14]
2014-04-29    18:07:37:657     784    e3c    Agent    *********
2014-04-29    18:07:37:657     784    e3c    Agent      * Online = Yes; Ignore download priority = No
2014-04-29    18:07:37:657     784    e3c    Agent      * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2014-04-29    18:07:37:657     784    e3c    Agent      * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-04-29    18:07:37:657     784    e3c    Agent      * Search Scope = {Machine & All Users}
2014-04-29    18:07:37:657     784    e3c    Agent      * Caller SID for Applicability: S-1-5-21-3882205621-1618688460-3676806654-1001
2014-04-29    18:07:37:657     784    e3c    EP    Got WSUS Client/Server URL: "http://sccm:8530/ClientWebService/client.asmx"
2014-04-29    18:07:37:657     784    e3c    Setup    Checking for agent SelfUpdate
2014-04-29    18:07:37:657     784    e3c    Setup    Client version: Core: 7.9.9600.16422  Aux: 7.9.9600.16384
2014-04-29    18:07:37:657     784    e3c    EP    Got WSUS SelfUpdate URL: "http://sccm:8530/selfupdate"
2014-04-29    18:07:37:673     784    e3c    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-04-29    18:07:37:704     784    e3c    Misc     Microsoft signed: Yes
2014-04-29    18:07:37:704     784    e3c    Misc     Infrastructure signed: Yes
2014-04-29    18:07:37:704     784    e3c    Misc    WARNING: Cab does not contain correct inner CAB file.
2014-04-29    18:07:37:704     784    e3c    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-04-29    18:07:37:720     784    e3c    Misc     Microsoft signed: Yes
2014-04-29    18:07:37:720     784    e3c    Misc     Infrastructure signed: Yes
2014-04-29    18:07:37:720     784    e3c    Setup    Wuident for the managed service is valid but not quorum-signed. Skipping selfupdate.
2014-04-29    18:07:37:720     784    e3c    Setup    Skipping SelfUpdate check based on the /SKIP directive in wuident
2014-04-29    18:07:37:720     784    e3c    Setup    SelfUpdate check completed.  SelfUpdate is NOT required.
2014-04-29    18:07:38:986     784    e3c    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
2014-04-29    18:07:38:986     784    e3c    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://sccm:8530/ClientWebService/client.asmx
2014-04-29    18:07:41:329     784    e3c    PT      + SyncUpdates round trips: 2
2014-04-29    18:08:20:251     784    e3c    Agent      * Found 0 updates and 72 categories in search; evaluated appl. rules of 2326 out of 2975 deployed entities
2014-04-29    18:08:20:251     784    e3c    Agent    Reporting status event with 171 installable, 39 installed,  0 installed pending, 0 failed and 0 downloaded updates
2014-04-29    18:08:20:251     784    e3c    Agent    *********
2014-04-29    18:08:20:251     784    e3c    Agent    **  END  **  Agent: Finding updates [CallerId = AutomaticUpdatesWuApp  Id = 14]
2014-04-29    18:08:20:251     784    e3c    Agent    *************
2014-04-29    18:08:20:251     784    e3c    IdleTmr    WU operation (CSearchCall::Init ID 14, operation # 180) stopped; does use network; is not at background priority
2014-04-29    18:08:20:251     784    e3c    IdleTmr    Decremented PDC RefCount for Network to 0
2014-04-29    18:08:20:251     784    e3c    IdleTmr    Decremented idle timer priority operation counter to 1
2014-04-29    18:08:20:251     784    3e0    AU    >>##  RESUMED  ## AU: Search for updates [CallId = {0FF9713D-219E-4556-ADAF-B1C0B64BD449} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
2014-04-29    18:08:20:251     784    3e0    AU      # 0 updates detected
2014-04-29    18:08:20:251     784    3e0    AU    #########
2014-04-29    18:08:20:251     784    3e0    AU    ##  END  ##  AU: Search for updates  [CallId = {0FF9713D-219E-4556-ADAF-B1C0B64BD449} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
2014-04-29    18:08:20:251     784    3e0    AU    #############
2014-04-29    18:08:20:251     784    3e0    AU    All AU searches complete.
2014-04-29    18:08:20:251     784    3e0    AU    AU setting next detection timeout to 2014-04-30 18:43:27
2014-04-29    18:08:20:251     784    3e0    AU      # Publishing WNF Per user update count event Count: 17 SID {S-1-5-21-3882205621-1618688460-3676806654-1001} Service {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782}
2014-04-29    18:08:20:251     784    3e0    AU      # Publishing WNF Per user update count event Count: 0 SID {S-1-5-21-3882205621-1618688460-3676806654-1001} Service {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
2014-04-29    18:08:20:251     784    3e0    AU      # Publishing WNF Per user update count event Count: 0 SID {S-1-5-21-3882205621-1618688460-3676806654-1001} Service {9482F4B4-E343-43B6-B170-9A65BC822C77}
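
An added example, not part of the original post: a small Python parser for the WindowsUpdate.log excerpt above that pulls out the WSUS endpoints the agent contacted, which of them use plain HTTP, any WARNING rows, and the search and status counters. The sample lines are copied from the post with column spacing collapsed; the function name `summarize` and the dictionary keys are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Lines taken from the WindowsUpdate.log excerpt in the post (column spacing collapsed).
SAMPLE_LOG = """\
2014-04-29 18:07:37:657 784 e3c EP Got WSUS Client/Server URL: "http://sccm:8530/ClientWebService/client.asmx"
2014-04-29 18:07:37:657 784 e3c EP Got WSUS SelfUpdate URL: "http://sccm:8530/selfupdate"
2014-04-29 18:07:37:704 784 e3c Misc WARNING: Cab does not contain correct inner CAB file.
2014-04-29 18:08:20:251 784 e3c Agent   * Found 0 updates and 72 categories in search; evaluated appl. rules of 2326 out of 2975 deployed entities
2014-04-29 18:08:20:251 784 e3c Agent Reporting status event with 171 installable, 39 installed,  0 installed pending, 0 failed and 0 downloaded updates
2014-04-29 18:08:20:251 784 3e0 AU   # 0 updates detected
"""

# Columns: date, time (with milliseconds), PID, TID (hex), component, message.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9a-fA-F]+)\s+(?P<component>\S+)\s+(?P<msg>.*)$"
)
URL_RE = re.compile(r'Got WSUS (?P<kind>.+?) URL: "(?P<url>[^"]+)"')
SEARCH_RE = re.compile(
    r"Found (\d+) updates and (\d+) categories in search; "
    r"evaluated appl\. rules of (\d+) out of (\d+) deployed entities"
)
STATUS_RE = re.compile(
    r"Reporting status event with (\d+) installable, (\d+) installed,\s+"
    r"(\d+) installed pending, (\d+) failed and (\d+) downloaded updates"
)


def summarize(log_text):
    """Collect WSUS endpoints, plaintext-HTTP hosts, warnings and scan counters."""
    out = {"wsus_urls": {}, "plaintext_http": [], "warnings": [],
           "search": None, "status": None}
    http_hosts = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or wrapped lines that do not follow the column layout
        msg = m["msg"]
        if (u := URL_RE.search(msg)):
            out["wsus_urls"][u["kind"]] = u["url"]
            parsed = urlparse(u["url"])
            if parsed.scheme == "http":
                http_hosts.add(parsed.netloc)
        elif msg.startswith("WARNING:"):
            out["warnings"].append((m["time"], m["component"], msg))
        elif (s := SEARCH_RE.search(msg)):
            keys = ("found", "categories", "evaluated", "deployed")
            out["search"] = dict(zip(keys, map(int, s.groups())))
        elif (r := STATUS_RE.search(msg)):
            keys = ("installable", "installed", "installed_pending",
                    "failed", "downloaded")
            out["status"] = dict(zip(keys, map(int, r.groups())))
    out["plaintext_http"] = sorted(http_hosts)
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-empty `plaintext_http` list means the client's scan traffic to that WSUS host was sent over unencrypted HTTP, which is worth reviewing when clients sit in a separate domain or network segment.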
