SCCM Configmgr 2012 Updated Patch Compliance reports for software update group and collection with patch progression


A few months ago, I blogged about SCCM Configmgr 2012 SSRS Patch Compliance Report Per Collection Per Update Group. That report tells you how a specific software update group (a list of patches) is performing on a specific collection (a list of computers). It has a linked report that shows which computers are non-compliant, for troubleshooting, with some additional client information compared with the default compliance report.

In this post, I have made some changes and added a report called the patch progression report (installed patches are now included) to show how many patches each PC is missing and has installed, along with client information such as OS, last hardware scan, etc. This information is reached from the 2nd report by clicking the computer name to see patch progression.

Note: The patch progression report is built only for critical and security updates, excluding superseded and expired updates. If your company deploys other classifications of patches, such as the update classification, service packs, etc., you will have to modify the 3rd report.

You might wonder why the installed patch count is low: it counts only patches installed via SCCM, not patches installed by other methods (manually or otherwise).
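The scope given in the note above (critical and security updates only, superseded and expired updates excluded), written as a query that lists the individual missing updates per computer for one software update group on one collection. This is an added example, not the SQL inside the downloadable reports; it assumes the standard ConfigMgr reporting views and `RelationType = 1` for group membership, which you should check against your site database, and the two parameter values are constructed placeholders.

```sql
-- Added example: parameter values below are constructed placeholders.
DECLARE @SUG          nvarchar(255) = N'EXAMPLE-SUG-NAME';  -- software update group title
DECLARE @CollectionID nvarchar(8)   = N'XXX00000';          -- target collection ID

SELECT  sys.Name0                      AS ComputerName,
        sys.Operating_System_Name_and0 AS OperatingSystem,
        ws.LastHWScan                  AS LastHardwareScan,
        ui.ArticleID                   AS MissingKB,
        ui.BulletinID,
        ui.Title
FROM    v_AuthListInfo li
        -- updates that are members of the software update group
        -- (RelationType = 1 is an assumption, verify on your site)
JOIN    v_CIRelation cr
          ON cr.FromCIID = li.CI_ID AND cr.RelationType = 1
JOIN    v_UpdateInfo ui
          ON ui.CI_ID = cr.ToCIID
        -- classification of each update
JOIN    v_CICategoryInfo_All cat
          ON cat.CI_ID = ui.CI_ID
         AND cat.CategoryTypeName = 'UpdateClassification'
        -- per-client scan state of each update
JOIN    v_Update_ComplianceStatusAll ucs
          ON ucs.CI_ID = ui.CI_ID
JOIN    v_R_System sys
          ON sys.ResourceID = ucs.ResourceID
JOIN    v_FullCollectionMembership fcm
          ON fcm.ResourceID = sys.ResourceID
LEFT JOIN v_GS_WORKSTATION_STATUS ws
          ON ws.ResourceID = sys.ResourceID
WHERE   li.Title = @SUG
  AND   fcm.CollectionID = @CollectionID
  AND   cat.CategoryInstanceName IN ('Critical Updates', 'Security Updates')
  AND   ui.IsSuperseded = 0
  AND   ui.IsExpired = 0
  AND   ucs.Status = 2   -- 0 = unknown, 1 = not required, 2 = required, 3 = installed
ORDER BY sys.Name0, ui.ArticleID;
```

To cover other classifications, extend the `CategoryInstanceName` list; a computer with no rows returned has no required updates from this group within that scope.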

The first report looks like this (Patch compliance report per collection per software update group):


Click on the Required or Unknown count to see the list of computers for troubleshooting.



The above 2 reports are old and nothing has changed in them, but the next report (below) is newly added and linked to the 2nd report. Click on the computer name to see the count of installed and missing patches.



Download all 3 reports from TechNet here, upload them to your SSRS reports folder (make sure all 3 are in one folder), change the data source, and run it.

You are supposed to run the first report and go through the linked reports to get the count of missing patches etc. If you run the linked reports directly, you may get an error, which is expected and by design.

Additional patch compliance reports, if you are interested in those.

40 Responses to "SCCM Configmgr 2012 Updated Patch Compliance reports for software update group and collection with patch progression"

  1. Hi Sir,

    We are pushing patches through SCCM to client machines 2012, 2016. We need a PowerShell script to know whether the SCCM client is available on the client machine and whether patches are installed or not / patch status.

    Could you please help me on this request?

    1. Hi,
      If you want to know whether the SCCM client is installed on machines, you can view it from the SCCM console with client status yes or no. You can also create a collection for client installed. For patches, you can use the default reports. There are many reports in the category software update compliance. You can also use the reports available in my blog post.


  2. On the Patch Progression Report it will show x Patches needed. Can we get that clickable to show what patches are needed?

  3. Hey great job on this, thanks! So how do I see exactly which updates are missing? A count of missing updates is nice, but to properly remediate missing updates, I need to know exactly which updates in my SUG are missing from a specific computer. Something like this...

    Server Name | Missing KB | Description
    ServerName01 | KB111111 | This update is...
    ServerName01 | KB22222 | This update is...

  4. Is there a report that can indicate patch levels per server (such as in the WSUS tabular report)?

    Computer Name | Operating System | Updated | Missing Security | Missing Recommended | Etc
    FileServer01 | Windows Server 2008 R2 | Sept 17, 2015 | 57 | 103 | 4
    FileServer02 | Windows Server 2012 R2 | Jan 17, 2016 | 7 | 12 | 1

    Thanks VERY much!


    1. All this information can be had from the Configmgr 2012 console for each software update group. You can also refer to the default Software update compliance reports, as there are predefined reports to start customizations with. Take a look at the default compliance reports.

      1. Hi Eswar,
        The report is very good, indicating the cumulative % for both NC and Unknown. I have a small query... can we include the name of the collection and SUG in this report....

        1. Hi Johny,
          Yes, the collection can also be included in the report. You need to edit the RDL file using Visual Studio or Report Builder.

  5. Hi Eswar,

    I just tried your reports and I like them. I would like to know how I can have the number of missing patches on the second report, instead of drilling down on each server. I would like to have a report with the list of servers with the number of missing patches alongside.

  6. Hi Eswar,

    Thanks for your reports. Do you have a compliance report for one SU and multiple collections where we can get the details in one page? E.g. I have 10 collections which I have to monitor compliance on SU; pulling reports for each collection is a time-consuming job. If you have any, please share those RDLs too.

    1. One software update group on multiple collections? Yes, you can do that also, but you need to edit the SQL query to select the multiple collections both in the SQL query and the prompt. I will update the post when time permits.

      1. Hi Eswar,

        It would also be very awesome if you could also include the reverse of what Krishna requested and that being showing all Software Update Groups per one Collection, all in one page.

        This would be very helpful as we can see the Patch Tuesday Software Update Group compliance status separated by each month, for the entire year, etc. for the desired Collection.

        If this is too much to ask, perhaps you can point us to how and where to modify the SQL query.

        Thank you!

    2. Hi Krishna,

      1. In such a scenario, create one parent collection and include all collections that you use for patching.
      2. Create a SUG (not to deploy) and every month include the updates into this.

      Now using Eswar's report you can get the compliance.

      1. Hi Eswar,

        Currently we are following the same, just asking if it is possible to get multiple collections in one report. Anyway, thanks for your time and response.

    3. The second report seems to be showing all applicable Security Updates and not security updates only targeted per the software update group.

      1. 2nd report? What are you referring to? Report name: list computer with specific status per UG per collection will run against a specific software update group per collection to list the computers that are missing patches. If at least 1 patch is missing/required from this SUG, it shows as non-compliant and troubleshooting is needed.

        1. Eswar
          Sorry for the confusion on my part. Actually it is the third report "Patch Progression Report". Also there is nothing wrong with the report, I was trying to link the report to the built in report "Compliance 5 - Specific computer" which returns all required patches from Microsoft and not limited to the original Software Update group selected in your report. DUH how could I have not seen that. Your reports are working great thanks for them. I will need to spend some more time creating a report linked from your Patch Progression report which shows only targeted updates from the update group selected in your first report.

  7. How could you drill down further to see exactly what patches are needed on a specific machine? For example, I run the first report, "Software Update Deployment Status Per Update Group Per Collection". I then click on Required which pulls up the "List Computers with Specific Status Per UG Per Collection" report. On this report I then click on one of the machine names which pulls up the "Patch Progression Report for Client:xxxxxxxx" report. From here, what report would I have to create, so when I selected the "Needs x Patches" field, it would pull up a list of the missing patches for that machine?

  8. I see what you mean now. In a folder on the SCCM SSRS website, I put those 3 reports in. The only one that I can click on and get a result from is the "SU Deployment Status per Group Per Collection". And for the other two reports, if I click on them directly, I will get errors. They are there as sub reports for that main one. I only get to the other two reports via the "SU Deployment..."

    I tested this and it's as I explained above.

    Thank you for the great reports!

    1. Yes, that's true. You are only allowed to get to know the compliance of a computer from the parent report "SU deployment....". I will update this as a note in the post so that others do not get confused.

  9. Hi, thank you very much for the reports. However, two of them are not working after changing the datasource using "shared datasource" for all 3 reports.

    1. For the "Patch progression report", I got the error "The 'computer' parameter is missing a value"

    2. For the "List Computers with specific status per UG per Collection" report, it does not have a drop down menu so I could pick the Update Group or Collection. When I manually typed in the UP and Collection, the report returned nothing.

    Please help. Thank you!

  10. I am getting a message while running the third report: The 'computer' parameter is missing a value
    All three reports are in the same folder. :S

  11. I believe you are going to come up with another report which actually says which are the needed patches for that particular machine 🙂. Really waiting to hear positive from you.

