Another interesting report on software update compliance which will really helps lot of people in their daily job . Did you ever receive any requests to report compliance status(in one line report) for bunch of clients for ex: specific collection ? Management or Security guys do not really care about what software updates ,the computer is missing and they always look for final results i.e Compliant or Non-Complaint .Only these 2 status matters for them to ensure the computers are fully patched.
Generally ,how do you check when such requests comes ? Look at default the compliance reports (Software Updates - A Compliance--Compliance 5 - Specific computer ) or other compliance reports?
There are 2 ways to tell if the client is complaint or not using the default reports.
1) You can run the report based on software update group for specific collection—Compliance 1—Overall Compliance
2) Compliance for specific computer--Compliance 5 - Specific computer
Report 1) will give you only the status for specific software update group for specific collection but not for all software updates deployed to specific PC. A PC might have 100 software updates deployed and these software updates coming through multiple software update groups.it will be really challenging to find if PC is compliant for all the Deployed patches unless you have only one software update group.
Report 2) will give you list of all updates with targeted (approved) ,missing and installed but to tell if the PC is compliant for all the patches you see in the report takes time for you to filter the missing/required column and compare it with targeted patch. (Note:You only care about the Deployed patches but not all the updates required by PC,more about it will discuss soon).
Note: This post is strictly talking about software updates compliance but not for Endpoint Protection updates.
If you want to run the report 2) for bunch of PC’s ,you need to create custom report and it is not easy to say in one line,PC is Compliant for all the deployed patches.
So,how do I check quickly, if PC is compliant for all the targeted patches meaning,if I enter the Collection name into the Report,it should give me results of PC Name , How many Patches Targeted ,How many missing and Is Complaint or not ? For this report, I have also included other computer information like Last logged on User Name,Last Hardware Scan,Last Update Scan and what is the Update Scan result etc to identify the PC health.
So,How do I come to the conclusion to say ,PC is Complaint or not based on the Targeted PC’s and Missing PC’s ? Here is the logic I have used in the report if you want to know before editing the report .
If Count of Required Patches =0 and Count of Deployed Patches=0 Then PC is Complaint
If Count of Required Patches!=0 and Count of Deployed Patches!=0 then PC is Non-Complaint
If Count of Required Patches!=0 and Count of Deployed Patches=0 then PC is Complaint
Before you proceed to download the report,you need to understand few things how this SQL query is written and what filters are used in the report to achieve the task.
Client becomes Non-Complaint only when there are updates needed by the PC otherwise ,we can say PC is Complaint. So my primary filter (where condition ) used here is to check if status=2 means Required/Missing from V_updateCompliancestatus. Based on this criteria,I will calculate the total number of patches deployed to the PC and how many are still needed by the PC.
You may wonder on the 3rd logic, how come the count of missing patches>0 and count of target patches=0 ? you really need to check with your admin who manages the SUP deployment ,why these updates are not deployed though.If your organization is only caring about security and critical updates, then you can simply ignore the Required patches but if there are any Deployed count (>0) ,troubleshooting is needed. So we assume that, Client has verified against for all the Deployed patches and it has nothing to do with the missing patches since you never deployed them and it is COMPLAINT.
All clear now ? if you still have questions,please report them via comments section .
Download the RDL file from TechNet Gallery here, upload the report into your Configmgr SSRS Reports ,change the Data Source and run the Report .
Try to run the report ,pick one PC which is Compliant and simultaneously use your favorite default /Custom reports to check if the PC is complaint for all the deployed patches.
How does the report look like ?
Hope you like this report.