
    SCCM Configmgr 2012 Software Update Scan error Group policy settings were overwritten by a higher authority Error Code 0x87d00692

    By Eswar Koneti, October 27, 12:32 pm

    I started working with a new customer a few weeks ago, running ConfigMgr 2012 R2 CU1 and yet to upgrade to the latest CU. For the past few days I have been running a lot of SQL queries and reports, checking SCCM client health and analyzing the existing setup for improvements. For whatever you do in SCCM, the first and foremost thing is client health; otherwise, there is nothing for you to manage.

    Using reports and collections, I cleaned up a lot of old records and fixed SCCM client issues using scripts, and clients are now at a good success rate (>95%).

    Even though the client health success rate is >95%, for some reason the software update scan success rate is lower than 80%, and that causes SUP compliance to fail to meet the SLA.

    I started running the following SQL query in SSMS (SQL Server Management Studio) to see how many computers succeeded with the software update scan and how many did not.

    There is a table called v_UpdateScanStatus that stores information about the last scan state, LastScanPackageLocation, WUAgent, etc.

    By running the following query, you get the count of clients for each LastErrorCode reported to CM12.

    select uss.LastErrorCode,count(*) [Total] from v_UpdateScanStatus uss
    group by uss.LastErrorCode

    I got a lot of computers with error code -2016409966. I went straight to the CMTrace log viewer to find out what this error means.

    Using CTRL+L in the CMTrace log viewer, it tells me 'Group policy conflict', which means there is something wrong with applying the GPO.


    I ran the SQL query below to pick one computer with the above error code (-2016409966):

    select sys.name0 from v_r_system sys,v_updatescanstatus uss
    where sys.resourceid=uss.resourceid
    and uss.LastErrorCode='-2016409966'

    Connect to ccm\logs on the computer and check WUAHandler.log. Below is a snippet from the log.

    [Image: snippet from WUAHandler.log]

    The above errors led me to think about GPO and whether any such policy was configured, but after checking with the server team, there is no such group policy configured.

    Some additional information about the above problem that talks about GPO: http://technet.microsoft.com/en-us/library/bb735866.aspx and http://blogs.technet.com/b/smsandmom/archive/2008/12/02/configmgr-2007-wuahandler-log-failed-to-add-update-source-for-wuagent-error-0x80040692.aspx

    I then ran RSOP/GPResult on the problem computer to see if any such GPO was configured, but there was nothing via AD, except local group policy configured with WSUS entries.

    What next? No GPO exists that configures the WSUS settings, and ConfigMgr is supposed to configure these WSUS settings on the client, but that's not happening.

    I then looked at the registry for the Windows Update details under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and found entries with the old CM07 WSUS server, which was configured via GPO when CM07 was running. After the migration to CM12, for some reason, these records were not updated by CM12.


    I then went ahead and removed the entries under the WindowsUpdate folder (WUServer, WUStatusServer) and initiated the software update scan, but nothing happened. I got the same results.

    Recently I came across an article that solves the software update sync by deleting the Registry.pol file from C:\Windows\System32\GroupPolicy\Machine, even though the article talks about a different software update scan error.

    I then thought of giving it a try by deleting the Registry.pol file from C:\Windows\System32\GroupPolicy\Machine as described in the article and initiating the software update scan cycle / software update deployment evaluation cycle action.

    I reviewed the log to see whether that succeeded or not. Still the error persists. What next?

    I then restarted the SMS Agent Host service on the client to download all the policies, waited a minute, and then initiated the software update scan cycle / software update deployment evaluation cycle action.

    During the initiation of the software update scan cycle, the Registry.pol file will be recreated with WSUS settings.


    I tried the above solution on 2 more computers to see if it works or not, and the sync succeeded.

    Case 2: If the above solution did not work, try updating the registry entries manually for WUServer and WUStatusServer by taking the correct values from a working client, then restart the Windows Update and SMS Agent Host services.

    Run the software update sync; it should work fine.

    Summary:

    1. Check if there are any entries in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate referencing the old WSUS server; if so, remove them.

    2. Delete Registry.pol from C:\Windows\System32\GroupPolicy\Machine.

    3. Restart the SMS Agent Host service from services.msc to download the policies again.

    The fix can be automated by creating a script that removes the registry entries if found, deletes the file, restarts SMS Agent Host and initiates the software update scan and deployment evaluation cycle.
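
    A read-only pre-check for steps 1 and 2 of the summary, as an added example that is not part of the original post: it prints the WUServer and WUStatusServer values currently in the policy key and the WindowsUpdate entries stored in the local Registry.pol, so the stale server can be confirmed before anything is removed. The helper name Get-PolEntry is hypothetical, the Registry.pol layout follows Microsoft's documented registry policy file format, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post). Read-only: nothing is changed.
$regKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$polPath = 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol'

# Get-PolEntry is a hypothetical helper name. It decodes Registry.pol:
# an 8-byte header ("PReg" + version), then [key;value;type;size;data]
# records whose strings and delimiters are UTF-16LE.
function Get-PolEntry {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 8 -or
        [Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -cne 'PReg') {
        throw 'Missing PReg signature: not a Registry.pol file'
    }
    $utf16 = [Text.Encoding]::Unicode
    $pos = 8
    while ($pos + 2 -le $Bytes.Length) {
        $pos += 2                                   # skip '['
        $names = @()
        foreach ($field in 'key', 'value') {        # NUL-terminated strings
            $start = $pos
            while ([BitConverter]::ToUInt16($Bytes, $pos) -ne 0) { $pos += 2 }
            $names += $utf16.GetString($Bytes, $start, $pos - $start)
            $pos += 4                               # skip NUL and ';'
        }
        $type = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 6  # + ';'
        $size = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 6  # + ';'
        $data = switch ($type) {
            { $_ -eq 1 -or $_ -eq 2 } {             # REG_SZ / REG_EXPAND_SZ
                $utf16.GetString($Bytes, $pos, $size).TrimEnd([char]0) }
            4       { [BitConverter]::ToUInt32($Bytes, $pos) }   # REG_DWORD
            default { "<$size bytes, type $type>" }
        }
        $pos += $size + 2                           # skip data and ']'
        [pscustomobject]@{ Key = $names[0]; Value = $names[1]; Data = $data }
    }
}

# 1. What the Windows Update Agent reads from the policy key right now.
$live = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
"Registry WUServer       : $($live.WUServer)"
"Registry WUStatusServer : $($live.WUStatusServer)"

# 2. What the local group policy file would write back to that key.
if (Test-Path $polPath) {
    Get-PolEntry ([IO.File]::ReadAllBytes($polPath)) |
        Where-Object { $_.Key -like '*\WindowsUpdate*' } |
        Format-Table Key, Value, Data -AutoSize
} else {
    "No local Registry.pol at $polPath"
}
```

    Run it on an affected client and on a working one and compare the two outputs; a truncated or malformed Registry.pol makes the parser stop with an error rather than report partial results.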

    I would not say the above solution will work in all scenarios with the above error code, but you need to check all the possible solutions to solve the problem.

    Hope it helps!


    15 Comments

    1. SCCM Engineer on October 1, 2021 6:13 AM

      This is super easy, had the same issue, sharing the script below, enjoy:

      # Remove the stale WSUS values from the policy key
      Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "WUServer"
      Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "WUStatusServer"

      # Delete the local group policy file
      Remove-Item -Path "C:\Windows\System32\GroupPolicy\Machine\Registry.pol" -Force

      # Restart the SMS Agent Host service so the client downloads its policies again
      Stop-Service "SMS AGENT HOST"
      Start-Service "SMS AGENT HOST"

      # Wait a minute after the restart, as the post does, before triggering the cycles
      Start-Sleep -Seconds 60

      # Initiates Software Update Scan
      Invoke-WMIMethod -Namespace root\ccm -Class SMS_CLIENT -Name TriggerSchedule "{00000000-0000-0000-0000-000000000113}"

      # Initiates Deployment Evaluation Cycle
      Invoke-WMIMethod -Namespace root\ccm -Class SMS_CLIENT -Name TriggerSchedule "{00000000-0000-0000-0000-000000000114}"

      • Eswar Koneti on December 4, 2021 12:34 PM

        Thank you and it helps others.

        Thanks,
        Eswar

    2. Pingback: SCCM Configmgr Troubleshooting Client software update issues | Eswar Koneti Blog

    3. Chrioni on August 1, 2017 11:01 AM

      I am getting this error from the compliance reporting 87D00692

      • Eswar Koneti on August 1, 2017 11:13 AM

        Hi,
        Did you follow the blog post?

        Regards,
        Eswar

    4. Ivan Kruger on March 24, 2017 3:58 PM

      I am experiencing the exact same thing on about 600 of my PCs. There is no GPO configured and I have also tried the above fix to no avail. The problem for me is, I have more than one SUP, so importing the reg from a working machine will work, but when that SUP happens to fail and the client tries to select a new SUP, the error happens again. It seems the client can modify the local policy, but the registry entry does not change.

      • Eswar Koneti on May 7, 2017 10:35 PM

        Do you still have the issue? Have you fixed it? If so, what is the solution?
        Have you looked at the client logs? If you have more than 1 SUP, I would suggest looking at the client logs to troubleshoot further. It requires a little deeper troubleshooting to identify the issue.

        Regards,
        Eswar

    5. Pingback: Troubleshoot client side software updates issue. | system center experts

    6. Madhu on December 24, 2016 6:26 AM

      Hi Eswar,
      Thanks for the great post.
      Is there any script available to run on the remote machines?
      Thanks and regards,
      Madhu R

      • Eswar Koneti on December 27, 2016 11:10 AM

        Hi Madhu,
        I don't have one, but you can put the fix lines into a batch script and use the psexec.exe tool to run it on remote computers.

        Thanks,
        Eswar

    7. Madhu on December 24, 2016 6:24 AM

      Hi Eswar,

      Thanks for the great post.

      Is there any script available to run on the remote machines?

      Thanks and regards,
      Madhu R

    8. Nawaz Kazi on November 12, 2014 8:45 AM

      Cool Eswar, will check if that's been done. I believe we have ISA server as our proxy server, and when we don't have group policy in place the SCCM client settings are done properly but in upper case, e.g. http://PRIMARYSERVER.DOMAIN.COM:8530, which again causes it to fail.

      • Eswar Koneti on November 13, 2014 2:43 PM

        WSUS entries are not case sensitive, but you should check the windowsupdate.log and ccm logs.

    9. Nawaz Kazi on November 10, 2014 4:57 PM

      I have an interesting question for you.
      I have 3 primary servers for 3 regions (APAC, EMEA, AMERICAS), but the domain controllers are listed in the default OU of Active Directory, and since Microsoft doesn't allow moving domain controllers to a different OU, how can we solve this problem?
      What happens is that for the EMEA region it works fine, but for the other 2 regions we get the alert mentioned in your article.
      My group policy points to the London SUP even in the APAC and Americas regions.

      • Eswar Koneti on November 11, 2014 10:24 AM

        What happens when you set the GPO to Not Configured and leave it with its default configuration?
        Let SCCM configure the SUP settings on its managed clients based on the boundaries and boundary groups defined.
