One of the most important and heavily used features in Configuration Manager 2012 is software updates. Achieving a good patch compliance success rate within the given SLA (service level agreement) is always a challenging and important task for any SCCM administrator. The patch compliance success rate depends mainly on the health of your SCCM clients, and sometimes things go wrong even though the SCCM client is healthy (able to receive applications/packages and perform inventory, but not patches).
I have created a lot of SSRS reports on software update compliance. One of the most widely used gets the patch compliance status of a software update group for a specific collection, with a linked report that lists the computers in unknown and required status for troubleshooting (to check the last hardware scan, last software scan, last user, OS, etc.).
Coming to the subject line, I have been seeing many questions on the Configuration Manager forums and social networking sites about software update patching issues. A couple of these questions are:
1) Clients get packages and applications but not software updates
2) Most clients receive the deployed software updates, but a few still do not
3) Clients do not detect software updates
4) Client logs say patches are required, but SCCM reports say the updates are not required (meaning compliant)
5) Client logs say patches are not required, but SCCM reports say the updates are required
6) Software updates fail to install; how to fix?
7) I have added patches to the existing software update group/deployment and these newly added patches are not deploying successfully, and many more…
Most of the above issues can be identified and solved by analyzing the client logs before doing any in-depth troubleshooting.
In this blog post (SCCM 2012 Troubleshoot software update client issues), I will explain the basic troubleshooting steps (client side only), which will help you resolve issues on your own by analyzing the logs and take it further afterwards.
Before we jump into the troubleshooting, I would like to illustrate the main components involved in deploying software updates.
When you enable the software update agent setting in the client agent settings, a policy is created with this setting and stored in the SQL database. When the client initiates machine policy retrieval, it communicates with the management point and receives this policy, which includes the instructions to install or apply the software update client feature on the client. In this process, the client creates a local GPO with the WSUS settings while leaving automatic updates as they are.
If you do not disable automatic updates (via GPO), you leave the door open for the WUA to do things on its own outside the control of ConfigMgr, including installing any updates approved directly in WSUS (including new versions of the agent itself, which are automatically approved) and rebooting systems which have a pending reboot. Neither of these is desirable in a ConfigMgr-managed environment, hence the recommendation to disable automatic updates. As for the rest of the Windows Update GPO settings, they are meaningless in the context of ConfigMgr, so it doesn't really matter what you set them to if you disable automatic updates.
If you choose to create a GPO for WUA, you must configure the Windows Update Server option to point to the active software update point server in the site or location. If there is an existing GPO that was intended to manage standalone WSUS prior to implementing Configuration Manager in your environment, the GPO could override the local GPO created by Configuration Manager, which can cause issues when the software update client tries to communicate with the software update point server.
The software update components involved are:
1. Windows Update Agent (WUA)
2. Software update client agent (from SCCM)
3. Windows Management Instrumentation (WMI)
Note: Make sure you disable automatic updates via GPO. Further reading: http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/
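A check for the two GPO requirements above (the Windows Update server pointing at the active software update point, and automatic updates disabled), reading the policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. This is an added example, not part of the original post; the function names, the SUP URL and the sample values are assumptions.

```powershell
# Added example: function names, the SUP URL and the sample values are assumptions.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusPolicyValues {
    # Collect the four policy values WUA reads; absent values are simply left out.
    $wanted = @(
        @{ Path = $WuPolicyKey;      Names = @('WUServer', 'WUStatusServer') },
        @{ Path = "$WuPolicyKey\AU"; Names = @('UseWUServer', 'NoAutoUpdate') }
    )
    $values = @{}
    foreach ($entry in $wanted) {
        $props = Get-ItemProperty -Path $entry.Path -ErrorAction SilentlyContinue
        foreach ($name in $entry.Names) {
            if ($props -and $props.PSObject.Properties[$name]) {
                $values[$name] = $props.$name
            }
        }
    }
    return $values
}

function Test-WsusPolicy {
    param(
        [hashtable]$Policy = @{},
        [Parameter(Mandatory = $true)][string]$ExpectedSup
    )
    $expected = $ExpectedSup.TrimEnd('/')
    $findings = @()

    # Both URLs must point at the active software update point.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if (-not $Policy.ContainsKey($name)) {
            $findings += "$name is not set: the client has no WSUS/SUP location to scan against"
        }
        elseif (([string]$Policy[$name]).TrimEnd('/') -ne $expected) {
            $findings += "$name is '$($Policy[$name])', expected '$expected': " +
                         'a domain GPO may be overriding the local policy written by ConfigMgr'
        }
    }
    # WUA only honours WUServer when UseWUServer is 1.
    if ($Policy['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1: WUA will not use the configured WSUS server'
    }
    # NoAutoUpdate = 1 is the "automatic updates disabled" state recommended above.
    if ($Policy['NoAutoUpdate'] -ne 1) {
        $findings += 'NoAutoUpdate is not 1: automatic updates are not disabled, ' +
                     'so WUA can install updates and reboot outside ConfigMgr control'
    }

    New-Object PSObject -Property @{
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample (not from a real machine): a leftover standalone-WSUS GPO
# still wins over the ConfigMgr local policy, and automatic updates are enabled.
$sample = @{
    WUServer       = 'http://old-wsus.contoso.example:8530'
    WUStatusServer = 'http://old-wsus.contoso.example:8530'
    UseWUServer    = 1
    NoAutoUpdate   = 0
}
$result = Test-WsusPolicy -Policy $sample -ExpectedSup 'http://sup01.contoso.example:8530'
$result.Findings

# On a live client, evaluate the real registry values instead of the sample:
# Test-WsusPolicy -Policy (Get-WsusPolicyValues) -ExpectedSup 'http://sup01.contoso.example:8530'
```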
Windows Update Agent (WUA): responsible for scheduling and initiating the scan, detection, download, and install of updates on the client machine. The WUA runs as a service hosted in a Windows service host process (SVCHOST.exe) and is named Windows Update, which you can see in services.msc.
If you disable the WUA, the software update agent will not function correctly, so it is always recommended not to disable this service.
Software update client agent (from SCCM): When you enable the software update agent, it installs 2 actions on the client: 1) Software update scan cycle 2) Software update deployment evaluation cycle
Software update scan schedule: This action performs the software update scan (along with the WUA) against the Microsoft update catalog, which occurs every 7 days by default.
Software update deployment evaluation: This action initiates the software update deployment to start downloading and installing the updates.
Note: When you create a software update deployment with a deadline, for example 4.00 PM, the actual time at which the software update client starts the installation depends on the setting Disable deadline randomization (located in the Computer Agent client settings).
A delay of up to 2 hours is added to the deadline time before the required software updates are installed. This randomization prevents all software update clients from starting update installations at the same time (this setting is disabled by default). For more info, read https://technet.microsoft.com/en-in/library/gg682067.aspx?f=255&MSPPError=-2147217396 . If you enable this setting, the deployed software updates are installed at the deadline you set, i.e. at 4.00 PM (based on client local time or UTC).
It is also good to know the patch compliance states, which are sent as state messages by the client to the site server. Patch compliance is calculated based on these 4 states.
Installed: The software update is applicable and the client already has the update installed.
Not Required: The software update is not applicable to the client.
Required: The software update is applicable but is not yet installed. Alternatively, it may mean that the software update was installed but the state message has not yet been sent to the site server.
Unknown: Either the client system did not complete the software update scan, or the site server did not receive the scan status from the client system.
Enough theory. Let's have a look at the client troubleshooting steps. (Note: Client logs can be found at %windir%\ccm\logs\ if you have not changed the default path.)
There are many logs on the client which help you troubleshoot client issues, but we will only look at the important logs required for software updates.
1. The first log to check is LocationServices.log -> This log is used to check that the correct software update point has been detected by the client. You can also see the management point and distribution point entries in this log.
2. The 2nd log to check is WUAHandler.log -> When the software update scan cycle is initiated, the Windows Update Agent (Windows Update service) contacts WSUS (SUP) for scanning. If the scan is successful, a state message is sent to the site server confirming that the software update scan completed successfully, which can be seen in this log. A report of the software update scan results is also available.
If, for some reason, you don't see the successfully completed scan message, you should start troubleshooting from this log based on the error.
You can get the error description from the CMTrace.exe tool. Copy the error code and use Ctrl+L (Error Lookup) in CMTrace.exe to get the error description.
If the WSUS entries are not set correctly, or the client has issues locating the correct WSUS server, you can set the WSUS entry manually or by script. Further troubleshooting is required.
The registry locations for the WSUS entries are as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU with UseWUServer = 1
3. The 3rd log is WindowsUpdate.log -> If the software update scan is successful in WUAHandler.log, you can ignore this log file and move directly to the next log (UpdatesDeployment.log). If the software update scan is not successful, you should look at this log for more information. This log provides information about when the Windows Update Agent connects to the WSUS server and retrieves the software updates for compliance assessment, and whether there are updates to the agent components.
Using these 2 logs (WUAHandler.log and WindowsUpdate.log), try to fix the errors and make sure you see a successful scan in WUAHandler.log.
4. The 4th log to check is UpdatesDeployment.log -> Provides information about the deployment on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface.
This log shows the number of updates and deployments being targeted to a machine.
From the above log snippet, you can see that total actionable updates = 0, which means the client does not require any additional updates from those you targeted to this PC. If, for some reason, your SCCM reports say the client is non-compliant, try to refresh the compliance state using https://msdn.microsoft.com/en-us/library/cc146437.aspx , and monitor UpdatesStore.log to see whether the state messages (like Successfully raised Resync state message) have been sent to the site server (MP).
Alternatively, you can use the PowerShell script below and deploy it to your clients once or twice a month, as business needs dictate.
# Ask the ConfigMgr client to resend its software update compliance state to the site server
$SCCMUpdatesStore = New-Object -ComObject Microsoft.CCM.UpdatesStore
$SCCMUpdatesStore.RefreshServerComplianceState()
# Record the run in the Application event log (the event source is created on first run)
New-EventLog -LogName Application -Source SyncStateScript -ErrorAction SilentlyContinue
Write-EventLog -LogName Application -Source SyncStateScript -EventId 555 -EntryType Information -Message "Sync State ran successfully"
UpdatesDeployment.log also tells you which assignments (update deployments) were made, with the count of updates in each deployment. In the above log, Assignment {C37C45D8-E722-4EB7-AC21-014925079560} has total CI = 6, which means the assignment has 6 patches in total.
How do you check the deployment name for a particular assignment? You can add the Deployment Unique ID column for the software update deployment, or use the SQL syntax below.
SELECT * FROM vSMS_UpdateGroupAssignment
WHERE vSMS_UpdateGroupAssignment.Assignment_UniqueID= '{C37C45D8-E722-4EB7-AC21-014925079560}'
If, for some reason, you don't see the newly added patches installing (issue no. 7), you can check UpdatesDeployment.log for the particular assignment and its patch count. If the count of patches is less than it is supposed to be, you may have to refresh the machine policy, initiate a software update scan and wait for a while before the client starts downloading the policies.
If you see that some updates are pending action (total actionable updates <> 0) but are not installing, look at CAS.log to see whether your client is able to locate the content on the distribution point.
UpdatesDeployment.log will also tell you whether enough maintenance window time (ServiceWindowManager.log) is available to install the updates. Read the following blog to understand the maintenance window calculation for software update installation.
http://blogs.technet.com/b/csloyan/archive/2010/10/24/maintenance-window-calculations-explained.aspx
5. The 5th log to check is UpdatesStore.log -> Provides information about the compliance status for the software updates that were assessed during the compliance scan cycle (status like Missing/Installed).
If everything is working well so far, the final log to refer to is RebootCoordinator.log -> Provides information about the process for coordinating system restarts on client computers after software update installations.
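The log sequence above, applied to WUAHandler.log and UpdatesDeployment.log as an added example that is not part of the original post: it parses CMTrace-format lines, takes the latest scan result and the actionable update count, and names the next log to open. The function names and all sample log lines are constructed; the message texts matched are the ones quoted on this page plus the WUAHandler scan-success message.

```powershell
# Added example: function names and every sample log line below are constructed.
# CMTrace-format line: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
$CcmLogPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"'

function ConvertFrom-CcmLogLine {
    param([string[]]$Line)
    foreach ($text in $Line) {
        if ($text -match $CcmLogPattern) {
            New-Object PSObject -Property @{
                When      = '{0} {1}' -f $Matches['date'], $Matches['time']
                Component = $Matches['comp']
                Message   = $Matches['msg']
            }
        }
    }
}

function Get-UpdateClientTriage {
    param([string[]]$WuaHandler, [string[]]$UpdatesDeployment)

    # WUAHandler.log: the most recent scan result wins.
    $scan = 'NoResultLogged'; $scanError = $null
    foreach ($entry in (ConvertFrom-CcmLogLine -Line $WuaHandler)) {
        if ($entry.Message -match 'Successfully completed scan') {
            $scan = 'Succeeded'; $scanError = $null
        }
        elseif ($entry.Message -match 'Scan failed with error = (0x[0-9A-Fa-f]+)') {
            $scan = 'Failed'; $scanError = $Matches[1]
        }
    }

    # UpdatesDeployment.log: patch count per assignment and the last actionable count.
    $assignments = @{}; $actionable = $null
    foreach ($entry in (ConvertFrom-CcmLogLine -Line $UpdatesDeployment)) {
        if ($entry.Message -match 'Assignment (\{[0-9A-Fa-f-]+\}) has total CI = (\d+)') {
            $assignments[$Matches[1]] = [int]$Matches[2]
        }
        elseif ($entry.Message -match 'Total actionable updates = (\d+)') {
            $actionable = [int]$Matches[1]
        }
    }

    # Follow the order of the post: scan first, then deployment evaluation.
    if ($scan -eq 'Failed') {
        $next = "Scan failed ($scanError): look the code up in CMTrace (Ctrl+L), then read WindowsUpdate.log"
    }
    elseif ($scan -eq 'NoResultLogged') {
        $next = 'No scan result logged: check LocationServices.log for the SUP and run the scan cycle'
    }
    elseif ($null -eq $actionable) {
        $next = 'Scan succeeded but no evaluation logged: run the deployment evaluation cycle'
    }
    elseif ($actionable -eq 0) {
        $next = 'Nothing pending: if reports disagree, refresh compliance state and watch UpdatesStore.log'
    }
    else {
        $next = 'Updates pending: check CAS.log for content and ServiceWindowManager.log for the maintenance window'
    }

    New-Object PSObject -Property @{
        ScanStatus        = $scan
        ScanError         = $scanError
        Assignments       = $assignments
        ActionableUpdates = $actionable
        NextStep          = $next
    }
}

# Helper that wraps a message in the CMTrace line layout (constructed metadata).
function New-SampleLine([string]$Message, [string]$Component) {
    '<![LOG[{0}]LOG]!><time="09:00:00.000-330" date="01-10-2017" component="{1}" context="" type="1" thread="1234" file="sample.cpp:1">' -f $Message, $Component
}

# Constructed input: one failed scan, then a successful retry, then an evaluation.
$wua = @(
    (New-SampleLine 'Async searching of updates using WUAgent started.' 'WUAHandler'),
    (New-SampleLine 'Scan failed with error = 0x8024401c.' 'WUAHandler'),
    (New-SampleLine 'Async searching of updates using WUAgent started.' 'WUAHandler'),
    (New-SampleLine 'Successfully completed scan.' 'WUAHandler')
)
$ud = @(
    (New-SampleLine 'Assignment {C37C45D8-E722-4EB7-AC21-014925079560} has total CI = 6' 'UpdatesDeployment'),
    (New-SampleLine 'EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 2' 'UpdatesDeployment')
)
Get-UpdateClientTriage -WuaHandler $wua -UpdatesDeployment $ud | Format-List

# On a live client, feed the real files instead, for example:
# Get-UpdateClientTriage -WuaHandler (Get-Content "$env:windir\CCM\Logs\WUAHandler.log") `
#                        -UpdatesDeployment (Get-Content "$env:windir\CCM\Logs\UpdatesDeployment.log")
```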
The diagram below shows the Configuration Manager client-side software update deployment flowchart, captured from the Configuration Manager software update management field experience guide.
For troubleshooting clients, you can use tools like the deployment monitoring tool, Configuration Manager Support Center, etc.
I normally use the Configuration Manager Support Center to troubleshoot client issues, to check whether the policy for the deployed software update group was received correctly, based on the PolicyVersion.
Open the Support Center (you can download it from Microsoft) and connect to the remote machine (you need admin rights on the remote computer).
Go to the Policy tab, click on Requested and then Load requested policy. You will see a list of WMI instances on the left.
Click on settings (root\ccm\policy\machine\requestedconfig), click on CCM_UpdateCIAssignment, then click the PolicyID. On the right side, you will see information about the software update group.
Check the policy version on the client and on the site server. Now you know how to take the troubleshooting further. Good luck.
A couple of common workarounds when troubleshooting software update issues:
1. Stop the Windows Update service, rename or delete the SoftwareDistribution folder (%windir%\SoftwareDistribution) and start the Windows Update service. This approach provides a fresh start with a new Windows Update data store if the Datastore.edb file is corrupted.
2. Restart the Windows Update service, trigger the software update scan cycle and the software update deployment evaluation cycle, and follow the logs.
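Both workarounds as one script, added here as an example and not taken from the original post. The function names are assumptions, the two schedule IDs are the ConfigMgr client's IDs for the scan and deployment evaluation actions, and an elevated Windows PowerShell session on the client is assumed.

```powershell
# Added example: function names are assumptions; run from an elevated Windows PowerShell prompt.
function Reset-WuaDataStore {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$TimeoutSeconds = 60)

    $folder     = Join-Path $env:windir 'SoftwareDistribution'
    $backupName = 'SoftwareDistribution.old-{0:yyyyMMdd-HHmmss}' -f (Get-Date)
    if (-not $PSCmdlet.ShouldProcess($folder, "stop wuauserv, rename to $backupName, start wuauserv")) {
        return
    }

    $service = Get-Service -Name wuauserv -ErrorAction Stop
    try {
        if ($service.Status -ne 'Stopped') {
            Stop-Service -Name wuauserv -Force -ErrorAction Stop
            # Fail loudly if the service hangs instead of renaming a folder that is in use.
            $service.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
        }
        if (Test-Path -Path $folder) {
            # Rename rather than delete so the old Datastore.edb can still be inspected.
            Rename-Item -Path $folder -NewName $backupName -ErrorAction Stop
        }
    }
    finally {
        # Always bring the service back, even if the stop or the rename failed.
        Start-Service -Name wuauserv
    }
    Join-Path $env:windir $backupName
}

function Invoke-UpdateClientCycle {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Order matters: the scan must run before the deployment evaluation.
    $cycles = @(
        @{ Name = 'Software Updates Scan Cycle';                  Id = '{00000000-0000-0000-0000-000000000113}' },
        @{ Name = 'Software Updates Deployment Evaluation Cycle'; Id = '{00000000-0000-0000-0000-000000000108}' }
    )
    foreach ($cycle in $cycles) {
        if ($PSCmdlet.ShouldProcess($cycle.Name, 'TriggerSchedule')) {
            Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
                -ArgumentList $cycle.Id -ErrorAction Stop | Out-Null
            $cycle.Name   # emit the name of each cycle that was triggered
        }
    }
}

# Dry run first; remove -WhatIf to apply workaround 1 followed by workaround 2.
Reset-WuaDataStore -WhatIf
Invoke-UpdateClientCycle -WhatIf
```

After a real run, follow WUAHandler.log and UpdatesDeployment.log as described earlier in the post.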
7. Refer to software update client issues: https://technet.microsoft.com/en-in/library/bb932189.aspx
8. Software Update Management Troubleshooting in Configuration Manager: https://support.microsoft.com/en-sg/help/10680/software-update-management-troubleshooting-in-configuration-manager
This post will be updated frequently with possible solutions, so keep checking this blog post.
67 Comments
Thank you for your excellent article. I am having issues with the "Async searching of updates using WUAgent started." process starting and never completing, then it errors out and starts over again. I have restarted the Update Service, reinstalled agents, deleted the Software Dist folder, but still nothing. Any suggestions?
Hi,
Is the issue happening on servers or workstations? If servers, you can refer to this article: http://eskonr.com/2017/08/sccm-configmgr-software-update-scan-stuck-with-error-code-80080005/
Thanks,
Eswar
Hope you can help. I have a couple of servers on different sites that are showing as non-compliant, but the software is installed. I ran the PS script above and tried all possible advice from the web, but the non-compliant message is persistent. There are a bunch of servers that are showing as compliant on the same site. Under details for those assets, the status for all packages is "Installed", but the fields are blank for "Enforcement State" and "Last Enforcement Message Time". I suspect that SCCM is receiving this info from the client and thus puts the assets in the "In Progress" state. Any idea how I can force "Enforcement State"?
Hi Eswar,
It seems the WUAHandler log name is mentioned as wuahander (spelling mistake). It may confuse new learners.
Thanks Madhu. I have corrected it.
Thanks,
Eswar
Good information! Very helpful for day-to-day ConfigMgr administrators.
Any clue about this error message (by the way, only one of my servers is experiencing this behavior; everything fine on DPs):
CCCMUpdatesDeployment::GetUpdate failed, error - 0x87d00215
GetUpdate - failed to get targeted update, error = 0x87d00215.
GetUpdate failed, error 87d00215
EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0
Hi,
Error code 0x87d00215 refers to item not found. Check if the deployment or the content is active.
Thanks,
Eswar
Hi Eswar,
Can you advise what the basic checks are if the 20H2 upgrade package deployment for Windows 10 is not showing up in Software Center for download by the user?
Hi,
You can check the PolicyAgent and PolicyEvaluator logs to see if the client received the policy in the first place.
If the policy was received by the client, check the deployment settings such as deadline, user experience, etc.
If, for some reason, the content is not distributed to the DP, the deployment won't appear in Software Center unless you choose to download from the internet (if a CMG is available).
Thanks,
Eswar
Very Good information provided here in this article.
I'm continuously facing a problem. The patches are shown on some of the client machines after the desired patching window, nearly 4 hours later than the deployment deadline. Could you please let me know the exact solution for such issues?
Hi,
Check if you have enabled deadline randomization in client settings; that would delay the patches by up to 4 hrs after the deadline.
Hello, it often happens to me that Software Center for updates says: "Waiting for another installation to complete". Why? How to solve?
Hi,
"Waiting for another installation to complete" is due to another installation running, and it must complete.
To check the current installation, you can read the client logs such as wuahandler.log and updatesdeployment.log.
Thanks,
Eswar
Hi Eswar
I found your script today:
https://gallery.technet.microsoft.com/SCCM-Configmgr-Powershell-ebbb2c0e/view/Reviews
It saved my day, rather week… many thanks for your effort.
If I can leave a positive Feedback somewhere, let me know…
cheers
Reto
Thanks for the feedback Reto. Glad you liked it.
Hello,
Excellent article again.
I have an issue with 4500331 which is not downloading in May 2019 or June 2019... I did not see any trace of this KB/Article in any log!!!
Any idea
Thanks,
Dom
Hi,
Did you check cas.log and the contenttransfer and datatransfer service logs for the content download? That should tell you why the content is failing to download.
Thanks,
Eswar
Hello Eswar, I am having an issue with a newly created environment. When running the ADR, it creates the SUP, and when trying to deploy to machines, all machines just sit in the Unknown tab for days... Any idea what I am missing here?
Hi,
Did these computers do a successful software update scan? Unknown means the client did not get the policy of this ADR deployment yet, hence unknown. You can troubleshoot further by looking at the PolicyAgent and PolicyEvaluator logs, etc.
Thanks,
Eswar
Hello, I recently installed SCCM current branch VERSION 5.00.8634.1000 BUILD 5.00.8634.1000. We detected that most patches, for example for Windows 7, are showing in the summary as NOT REQUIRED. I used your SQL query and only a few patches are required for Windows 7 (total 14), when the MACHINE has not been patched for almost a year. I downloaded the patch from MS directly and I can install it without problem. I checked all client logs and they look fine. Is there any idea what is going on? Thanks
Did you check in the WMI of the client, in the software update instance, whether that particular patch is not required? It looks like more investigation needs to be done on the client PC rather than installing the patch manually.
Do you have any other clients that have the same behavior, so it would be easier to check from client WMI? I haven't encountered such an issue.
Regards,
Eswar
Very good article and very useful. But I have a question/problem.
I use for application testing 2 desktops and when necessary I will refresh them with an image using SCCM. But at the moment I don’t get the updates of last month. In all the logfiles you described in your article I don’t see any error messages. When I use SCCM reporting to check the compliance of a security update I see the 2 desktops with the state “Update is not required”.
On the desktops the update is NOT installed. When I download the update from Microsoft I can install it without any problem. Very strange is that a week ago I installed these updates on the 2 desktops for testing and there was no problem.
Before I image the desktops I first remove them from SCCM with, hopefully, all the history it has. But I have the idea that somewhere it is still noted that the updates are installed, and therefore the state is “Update is not required”.
I already used your PowerShell script to refresh the compliance state.
Any idea how this problem can be solved?
Regards Ron
This article should be mandatory for every SCCM administrator. Fantastic! Thank you very much.
Thanks for your kind words .
Regards,
Eswar
Eswar, I am getting a strange issue with updates on my servers. In the UpdatesDeployment.log I am getting this verbiage:
Update already available, just resolve properties. So the updates are there however not installing due to a properties issue. I checked maintenance windows ( they are good) and I checked to make sure clients were pointing to the SUP... any thoughts?
Agree!!!
Eswar,
First off: Thank you for this article! This is invaluable information to have as an SCCM administrator.
Secondly: The obligatory question =) Have you ever run into an issue where the clients are installing the updates successfully, but not showing the correct status in the Console? For example, recently in my environment we deployed the 2017-08 Security-only Update for 2012 R2 to various servers. Subsequently, most of these servers reflect an 'Unknown' deployment status (Asset Details only show 'Client check passed/Active')... but a few of the targeted servers correctly show the expected In Progress status (Asset Details: Pending system restart).
I've been poring over the client and server logs (per your article) and can see that all the targeted servers DID correctly discover the software update deployment at the expected time, installed the update by the deadline time, and locally are reporting that they are now in a pending reboot state. All looks well client-side, I can't find a single issue there. I've even run the above PowerShell to refresh the server compliance state; no issues found in updatestore.log - the resend (client side) appears to be perfectly fine.
However on the server side, these systems still show up as Deployment Status: Unknown. I've rerun the summarization multiple times and refreshed, as well viewed from a separate console installation on another machine- no change. It acts like the MP server is either (a) not receiving the status message, or (b) not correctly reporting on it.
Thanks in advance,
Jared
Hi Jared,
Is this issue happening to all clients or a few clients? If this is happening to all clients, then there must be something to suspect on the server-side components. If this is affecting only a few, it is something to do with client-side or server-side processing.
For the machine status that shows unknown, when was the last update scan completed successfully for the problem client? If the clients are showing unknown status in the report, then it must be that the client is either not doing the update scan or state messages are processing at the site server.
Can you delete the client from the SCCM console and initiate the heartbeat DDR cycle on the client, then wait for a while to let the client info appear in the SCCM console, to see if this makes any difference? I am not saying this is the full solution, but it is worth a try.
Regards,
Eswar
Hi Eswar,
Pretty informative article!!
Is there an easy way to identify if the updates were installed by windows automatic updates or from SCCM updates deployment?
Thanks!
You can go through the windowsupdate.log, updatesdeployment.log and wuahandler.log . If you are using SCCM to manage patching, it is always recommended to disable windows automatic updates to avoid the conflicts with SCCM and auto reboot issues (default is every day 3AM).
Regards,
Eswar
http://sccmtooltraining.blogspot.in/2017/07/sccm-training-tutorials-for-beginners.html
Hello, I currently have SCCM 2012 on a Server 2008. I am building a new SCCM Branch 1702 on Server 2016. The 2008 Server is still in production and we use that for deploying updates, with our WSUS server stand alone and it being the Site System Server on the SCCM 2012 server.
I have added that same WSUS server as well as a Site System Server on the new 2016 Server so I can test to clients. When I set up a package to deploy, nothing happens on the client. When I view Component Status on the 2016 server, I see SMS_SITE_COMPONENT_MANAGER error
Site Component Manager detected that site system "\\WSUSAP1.LOCAL.INTRANET" is currently in use by ConfigMgr site (Server 2008).
Possible cause: You accidentally configured this site system as part of this site and as part of site XXX(2008 Server).
Solution: Remove this site system from the list of site systems for this site or for site XXX(2008 Server).
AND also this
Site Component Manager failed to configure site system "\\WSUSAP1.LOCAL.INTRANET" to receive Configuration Manager Server Components.
Solution: Review the previous status messages to determine the exact reason for the failure. Site Component Manager cannot install any Configuration Manager Server Components on this site system until the site system is configured successfully. Site Component Manager will automatically retry this operation in 60 minutes. To force Site Component Manager to immediately retry this operation, stop and restart Site Component Manager using the Configuration Manager Service Manager.
Am I able to have 2 different SCCM servers with different Site Codes using 1 WSUS server??
Always like your article sir. very helpful to me as a beginner
Hello Eswar. I was facing a problem while executing a scan for updates from the SUP; the error is OnSearchComplete - Failed to end search job. Error = 0x8024401c.
Scan failed with error = 0x8024401c.
The machine is Windows Server 2016, the SCCM client is installed correctly, and the version of WUA is 10.0.14393.82. Do you know if it is possible to do something?
The Scan failed with error = 0x8024401c --> same as HTTP status 408 - the server timed out waiting for the request. It looks like downloading or scanning may have timed out. Can you check the windowsupdate.log to see if the WSUS location is pointed correctly?
Try to initiate an update scan and post the logs.
Regards,
Eswar
Hi all,
I would like to get severity of patches from client side? Could you please tell me how to do that?
Hi,
What do you mean by severity of patches? You can use the default software update report to get different kinds of data.
Regards,
Eswar
Hi Eswar. So for some reason none of my machines are taking patches anymore. They are not taking anything from Dec patch Tuesday; the last set they took was at the end of Nov. Except for WINDOWSUPDATE.LOG (I don't seem to have that file) I don't see anything out of the ordinary in the client logs. How would I even know if it's a client issue and not a server issue?
What do the client logs say? Do you see anything wrong in wuahandler.log or windowsupdate.log about the software update scan? If the scan is running correctly, go back to your SCCM server, look for the client, and see what patches it is requesting. If there are no patches needed by the client, then you are good; else try to deploy any of the client-requested patches and see if there is any progress.
Use the below SQL Query to find the patches required by specific client for troubleshooting purpose:
Replace the hostname and run the SQL query from SQL management studio.
declare @PC nvarchar (255);set @PC='VSGWin701'
select CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
CONVERT(VARCHAR(26),ui.DatePosted, 103) [Date Posted],
ui.bulletinid [BulletinID],ui.articleid [ArticleID], ui.Title,
Approved=(case when ctm.ResourceID is not null then 'Yes' else 'No' end),
Required=(case when css.Status=2 then 'Yes' else 'No' end),
ui.InfoURL as InformationURL,ui.ci_uniqueID,
CONVERT(VARCHAR(26),ui.DateLastModified, 100) [Date LastModified] ,
Deadline=CONVERT(VARCHAR(26),cdl.Deadline, 100) ,
case when ui.IsSuperseded=1 then 'Yes' else 'No' end as 'Superseded',
case when ui.IsExpired=1 then 'Yes' else 'No' end as 'Expired'
from V_UpdateComplianceStatus css
join v_UpdateInfo ui on ui.CI_ID=css.CI_ID
left join v_CITargetedMachines ctm on ctm.CI_ID=css.CI_ID and ctm.ResourceID = css.ResourceID
INNER join v_CICategories_All catall2 on catall2.CI_ID=css.CI_ID
INNER join v_CategoryInfo catinfo2 on catall2.CategoryInstance_UniqueID = catinfo2.CategoryInstance_UniqueID
JOIN dbo.v_R_System AS vrs ON vrs.ResourceID = css.ResourceID
outer apply (
select Deadline=min(a.EnforcementDeadline)
from v_CIAssignment a
join v_CIAssignmentToCI atc on atc.AssignmentID=a.AssignmentID and atc.CI_ID=css.CI_ID
) cdl
WHERE vrs.Name0=@PC and css.Status=2
group by CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2),
ui.BulletinID,ui.ArticleID,ui.Title,ctm.ResourceID,css.Status,ui.InfoURL,ui.DateLastModified,cdl.Deadline ,ui.IsSuperseded,ui.IsExpired,ui.DatePosted,ui.ci_uniqueID
ORDER BY 1
Regards,
Eswar
Hi Eswar, I love your blog! It helps with my work all the time.
One question.. I ran this query to try and see what software updates I need to install to get a computer in my company from Non-compliant to compliant state running the Software Update- Compliance A report. I ran this query against a compliant machine and against a non-compliant machine. In both cases, there are numbers that indicate that there are required updates for both and are not approved. How do I figure what software updates a particular machine needs to get to compliance state?
I would assume when running this query against a compliant machine, then no rows should show, but that wasn't the case.
Thanks in advance!
Hi Eswar
This is a great information you shared with us.
I have one query: can you please send me all the steps of the Software Update Point and Software Distribution in SCCM 2012, with all the log files associated with them?
What steps do you need? You can go through the Microsoft documentation (newly formatted), which has all the information nicely written.
http://www.docs.microsoft.com/sccm
Nice Blog
In SCCM 2012, auto client deploy is not working on Surface Pro 4 and desktops. Can you please give the solution?
When I install through SCCM, the client installs, but when I connect a new machine, it is not able to install the SCCM client by default.
Hi,
Did you enable automatic site-wide client push installation as described here: http://www.windowsnetworking.com/articles-tutorials/common/sccm-2012-client-deployment-part3.html ? What does the log (ccm.log) say?
thanks,
Eswar
Hi Eswar,
In my company environment we are using SCCM 2012 R2 SP1 CU2 (5.0.8239.1301). In recent days I have been facing a weird issue: we have disabled a software updates deployment (past its deadline) which had been deployed to a collection. Due to an issue, we had to roll back the patches from the installed servers manually; however, the members of the collection are getting the software updates installed automatically. The behavior looks like a bug? Is there any fix available for this issue? Is anyone facing a similar issue? Any help much appreciated.
Hi Sudarsan,
Can you check the logs as mentioned in the blog post to see which software update group is deploying the patches? Pick one server and check whether that server is a member of any other collection that has patches deployed. Client logs can help you find more information.
Thanks,
Eswar
Hi,
Can you explain to me how to use the PowerShell script to advertise the client?
If possible, with screenshots.
Regards,
sree
Here are step-by-step instructions to deploy the PowerShell script: https://blogs.technet.microsoft.com/scotts-it-blog/2015/02/23/refreshing-state-messages-in-system-center-configuration-manager-2012/
thanks,
Eswar
very useful information..
Hi Eswar,
Thank you for great article. Hopefully I am not too late to follow up and if possible get a couple of answers.
1. I am preparing Windows updates deployments with SCCM in medium size company - around 500 computers.
In my test environment I deployed Windows updates for last 6 months, more than 200 definitions got updated but a couple failed temporarily on some machines. When I mentioned temporarily they are installed after retry in software center.
Challenge is the notification in status bar which shows that update failed, even though more than 200 updates got installed notification points to couple of failing updates.
I can hide all notifications when I configure settings for deployment and keep only end user notified for computer restart. This will probably bypass failing updates notification but will not install required (failed) updates.
If I keep this notification then end users will generate numerous tickets for Help Desk assuming updates are not installing.
I can't send introductory email to 500 people with something like:
"If you notice you have a couple of updates which failed please hit retry and they will get installed"
What are the best practices in the industry?
2. The second thing would be restart policy with SCCM. We can configure in Administration/Client Settings/Default Client Settings (or create a custom client settings)/Computer Restart option to reboot the computer max 24 hours after updates are installed.
This will make sure updates got installed and computer is compliant. But it's not that simple as it seems.
VIP people don't want to be forced to reboot their computers after 24 hours if they are in the middle of a presentation or in a meeting.
It's really hard to plan and reboot computer prior to important events but there is no option to postpone.
If we don't make reboot mandatory then computers will be vulnerable.
There are 3rd party tools on the market, like shutdown tool from deploymentresearch group but not sure if this would be desirable as it may reboot computers which are not even patched by mistake after 7 days. I have to test it.
Any advice, the best solutions out there?
Thanks,
Blaf
Have you ever tried the Maintenance Window for the collection? This should answer all your questions. Have a look at what a Maintenance Window does: http://blog.configmgrftw.com/maintenance-windows-oh-maintenance-windows/
VERY GOOD TROUBLESHOOTING ARTICLE
Dear Eswar
Can you please help me on the below mentioned issue? I am not able to find the solution yet.
https://social.technet.microsoft.com/Forums/en-US/4c088ce4-e7c2-4f81-8963-ee7bb2534c21/wsus-sup?forum=configmanagersecurity
Regards
TechMan
Replied to the TechNet link. You should look at windowsupdate.log and wuahandler.log for troubleshooting.
thanks for sharing information
good and very useful article sir,
Sir, I had an issue: as mentioned, I renamed the c:\windows\software distribution folder and tried to install the failed update (Adobe activeX update), and it installed successfully. But on the next day it is again showing the update as failed in Software Center.
my WUAhandler.log shows: Failed to download updates to the WUAagent datastore. ERROR: 0x800b0109,
the error lookup description is: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
The same update is successful on 70% of machines and has failed on the remaining machines,
all are in the same location.
please guide me sir...
Superb job. Very useful information.
thanks Rajesh.
Hello and thanks for the information.
Just a little question. How do I check the policy version of the software update group on the server?
thank you
This is stored in the database. Have you looked at the software update deployment by right-clicking, choosing Properties and selecting Version ID?
I don't see this tab.
Could you show me a screenshot of this ?
thank you
OK, I was not able to find what I said earlier, but may I know why you are looking for that info? For client troubleshooting, to know if the particular deployment has updated on the client or not, you can simply check UpdatesDeployment.log for the number of updates as I described in the blog.
master in troubleshooting.. nice article.
Thanks .
Eswar, I am getting a strange issue with updates on my servers. In the Updatedeployment.log I am getting this verbiage:
Update already available, just resolve properties. So the updates are there however not installing due to a properties issue. I checked maintenance windows ( they are good) and I checked to make sure clients were pointing to the SUP... any thoughts?
You simply rock dude, I like your interest in sharing the information...!!!