SCCM Configmgr 2012 Software Update Scan error Group policy settings were overwritten by a higher authority Error Code 0x87d00692

I started working with a new customer a few weeks ago, running ConfigMgr 2012 R2 CU1 and yet to upgrade to the latest CU. For the past few days, I have been running a lot of SQL queries and reports, checking the SCCM client health and analyzing the existing setup for some improvements. For whatever you do in SCCM, the first and foremost thing is client health; otherwise, there is nothing for you to manage.

Using reports/collections, I cleaned up a lot of old records and fixed SCCM client issues using scripts, and clients are now at a good success rate (>95%).

Even though the client health success rate is >95%, for some reason the software update scan rate is lower than 80%, and that causes SUP compliance to fail to meet the SLA.

I started by running the following SQL query in SSMS (SQL Server Management Studio) to see how many computers succeeded with the software update scan and how many did not.

There is a table called v_UpdateScanStatus that stores information about the last scan state, LastScanPackageLocation, WUAgent, etc.

By running the following query, you get the count of clients for each LastErrorCode that reported to CM12.

select uss.LastErrorCode,count(*) [Total] from v_UpdateScanStatus uss
group by uss.LastErrorCode

I got a lot of computers with error code -2016409966. I went straight to the CMTrace log viewer to find out what this error means.

Using CTRL+L in the CMTrace log viewer, it tells me ‘Group policy conflict’, which means there is something wrong with applying the GPO.

I ran the SQL query below to pick one computer with the above error code (-2016409966):

select sys.name0 from v_r_system sys,v_updatescanstatus uss
where sys.resourceid=uss.resourceid
and uss.LastErrorCode='-2016409966'

Connect to the computer's ccm\logs folder and check WUAHandler.log. Below is a snippet from the log.

image

The above errors lead me to think about GPO and whether any such policy is configured, but after checking with the Server Team, there is no such group policy configured.

Some additional information that refers to the above problem and talks about GPO: http://technet.microsoft.com/en-us/library/bb735866.aspx and http://blogs.technet.com/b/smsandmom/archive/2008/12/02/configmgr-2007-wuahandler-log-failed-to-add-update-source-for-wuagent-error-0x80040692.aspx

I then ran RSOP/GPResult on the problem computer to see if there is any such GPO configured, but there is nothing via AD except a local group policy configured with WSUS entries.

What next? No GPO exists that configures the WSUS settings, and ConfigMgr is supposed to configure these WSUS settings on the client, but that is not happening.

I then looked at the registry for Windows Update details under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and found entries with the old CM07 WSUS server, which was configured via GPO when CM07 was running. After the migration to CM12, for some reason, these records were not updated by CM12.

I then went ahead and removed the entries under the WindowsUpdate folder (WUServer, WUStatusServer) and initiated the software update scan, but nothing happened. I got the same results.

Recently I came across an article that solves the software update sync by deleting the Registry.pol file from C:\Windows\System32\GroupPolicy\Machine, even though the article talks about a different software update scan error.

I then thought of giving it a try by deleting the Registry.pol file from C:\Windows\System32\GroupPolicy\Machine as described in the article and initiating the software update scan cycle / software update deployment evaluation cycle action.

Review the log to see whether that succeeded or not. Still the error persists. What next?

I then restarted the SMS Agent Host on the client to download all the policies, waited a minute, and then initiated the software update scan cycle / software update deployment evaluation cycle action.

During the initiation of the software update scan cycle, the Registry.pol file is recreated with the WSUS settings.

I tried the above solution on 2 more computers to see if it works or not; the sync succeeded.

Case 2: If the above solution did not work, try updating the registry entries for WUServer and WUStatusServer manually, taking the correct values from a working client, and restart the Windows Update and SMS Agent Host services.

Do the software update sync; it should work fine.

Summary:

1. Check if there are any entries in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate referencing the old WSUS server; if so, remove them.

2. Delete Registry.pol from C:\Windows\System32\GroupPolicy\Machine.

3. Restart the SMS Agent Host service from services.msc to download the policies again.

The fix can be automated by creating a script that removes the registry entries if found, deletes the file, restarts the SMS Agent Host, and initiates the software update scan and deployment evaluation cycle.

I would not say the above solution will work in all scenarios with the above error code, but you need to check all the possible solutions to solve the problem.
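
A read-only check for summary step 1, run on a client before removing anything: it reports whether WUServer and WUStatusServer point at the expected software update point, and whether Registry.pol exists and when it was last written. This is an added example, not code from the original post; the function name Get-WsusPolicyState, the -ExpectedSup parameter and the sample URL are assumptions.

```powershell
# Added example (read-only). Get-WsusPolicyState and -ExpectedSup are
# hypothetical names; pass the WUServer value seen on a working client.
# Requires PowerShell 3.0 or later for [pscustomobject].
function Get-WsusPolicyState {
    param(
        [Parameter(Mandatory = $true)]
        [string] $ExpectedSup
    )

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $pol = 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol'

    # A missing key or value yields $null rather than an error.
    $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $current = @{
        WUServer       = $props.WUServer
        WUStatusServer = $props.WUStatusServer
    }

    # Compare case-insensitively, ignoring a trailing slash.
    $expected = $ExpectedSup.TrimEnd('/')
    $stale = @($current.GetEnumerator() | Where-Object {
        $_.Value -and (([string]$_.Value).TrimEnd('/') -ine $expected)
    } | ForEach-Object { $_.Key })

    if (-not $current.WUServer -and -not $current.WUStatusServer) {
        $state = 'NotConfigured'
    } elseif ($stale.Count -gt 0) {
        $state = 'PointsElsewhere'      # e.g. the old WSUS server
    } else {
        $state = 'MatchesExpected'
    }

    $polItem = Get-Item -Path $pol -Force -ErrorAction SilentlyContinue
    $agent   = Get-Service -Name CcmExec -ErrorAction SilentlyContinue  # SMS Agent Host

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        State              = $state
        WUServer           = $current.WUServer
        WUStatusServer     = $current.WUStatusServer
        MismatchedValues   = $stale
        RegistryPolPresent = [bool]$polItem
        RegistryPolWritten = if ($polItem) { $polItem.LastWriteTime }
        AgentStatus        = if ($agent) { $agent.Status }
    }
}

# Constructed sample URL; replace with your own software update point.
Get-WsusPolicyState -ExpectedSup 'http://sup01.example.local:8530'
```

Running it again after the fix shows whether Registry.pol was rewritten: RegistryPolWritten should be later than the SMS Agent Host restart.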

Hope it helps!

15 Responses to "SCCM Configmgr 2012 Software Update Scan error Group policy settings were overwritten by a higher authority Error Code 0x87d00692"

  1. This is super easy, had the same issue, sharing the script below, enjoy:

    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "WUServer"
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "WUStatusServer"

    Remove-Item -Path "C:\Windows\System32\GroupPolicy\Machine\Registry.pol" -Force

    Stop-Service "SMS AGENT HOST"
    Start-Service "SMS AGENT HOST"

    #Initiates Software Update Scan
    Invoke-WMIMethod -Namespace root\ccm -Class SMS_CLIENT -Name TriggerSchedule "{00000000-0000-0000-0000-000000000113}"

    #Initiates Deployment Evaluation Cycle
    Invoke-WMIMethod -Namespace root\ccm -Class SMS_CLIENT -Name TriggerSchedule "{00000000-0000-0000-0000-000000000114}"

  2. I am experiencing the exact same thing on about 600 of my PCs. There is no GPO configured and I have also tried the above fix to no avail. The problem for me is, I have more than one SUP, so importing the reg from a working machine will work, but when that SUP happens to fail and the client tries to select a new SUP, the error happens again. It seems the client can modify the local policy, but the registry entry does not change.

    1. Do you still have the issue? Have you fixed it? If so, what is the solution?
      Have you looked at the client logs? If you have more than 1 SUP, I would suggest looking at the client logs to troubleshoot further. It requires a little deeper troubleshooting to identify the issue.

      Regards,
      Eswar

    1. Hi Madhu,
      I don't have one, but you can put the fix lines into a batch script and use the psexec.exe tool to run it on remote computers.

      Thanks,
      Eswar

  3. I have an interesting question for you.
    I have 3 primary servers for 3 regions (APAC, EMEA, AMERICAS), but the domain controllers are listed in the default OU of Active Directory, and since Microsoft doesn't allow moving domain controllers to a different OU, how can we solve this problem?
    What happens is that for the EMEA region it works fine, but for the other 2 regions we get the alert mentioned in your article.
    My group policy points to the London SUP even in the APAC and Americas regions.

    1. What happens when you set the GPO to Not Configured and leave it with its default configuration?
      Let SCCM configure the SUP settings on its managed clients based on the boundaries and boundary groups defined.
