Software update compliance is a critical aspect of maintaining a secure and well-functioning IT environment. However, reporting the compliance status for a large number of clients can be time-consuming and challenging. In this blog post, we will explore an efficient method to quickly determine the compliance status of clients for specific software update groups. By leveraging custom reports in System Center Configuration Manager (SCCM), we can provide a concise summary of the targeted, missing, and required patches for each client, ultimately indicating whether they are compliant or non-compliant in a single line.
The Need for Efficient Compliance Reporting:
When it comes to software update compliance reporting, management and security teams are primarily interested in knowing whether the computers are fully patched or not. They require a clear indication of compliance without delving into the specific missing updates. Default compliance reports, such as "Compliance 5 - Specific computer" in the "Software Updates - A Compliance" category, can provide detailed information, but extracting the desired summary quickly becomes a tedious task.
Understanding the Reporting Challenges:
The two commonly used default reports, "Compliance 1 - Overall Compliance" and "Compliance 5 - Specific computer," have limitations in providing a concise compliance status for all deployed patches. The former only reports on a specific software update group for a given collection, while the latter requires manual filtering of missing/required patches to assess overall compliance.
Simplifying Compliance Reporting:
To address these limitations, we need a custom report that can quickly determine the compliance status of clients for all approved (deployed) patches. The report's logic relies on the number of required patches and the number of deployed (approved) patches. By following a set of rules, we can determine whether a client is compliant or non-compliant in a single line.
The Report's Logic:
The logic used to determine compliance in the report is as follows:
- If the count of required patches is 0 and the count of deployed (approved) patches is 0, the client is compliant.
- If the count of required patches is not 0 and the count of deployed (approved) patches is not 0, the client is non-compliant.
- If the count of required patches is not 0 and the count of deployed (approved) patches is 0, the client is compliant.
Understanding the Report's Filters:
The report's SQL query includes filters to achieve the desired compliance reporting. The primary filter checks if the status is 2, indicating missing/required patches. Based on this criterion, the report calculates the total number of patches deployed to each client and how many are still needed.
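The counting and the three rules above, as an added example (not the downloadable report's query): it runs the same kind of aggregation with SQLite over constructed rows. The `update_status` table, its columns and the client names are hypothetical stand-ins for the SCCM data, and the example assumes both counts are taken over status-2 rows, so the approved count can never exceed the required count and the three rules cover every case.

```python
import sqlite3

# Constructed sample rows: (client, update_id, status, deployed).
# status 2 = missing/required, as on the page; 3 stands for "installed" here.
# deployed = 1 when the update belongs to a deployed (approved) update group.
ROWS = [
    ("PC01", "KB-A", 3, 1), ("PC01", "KB-B", 3, 1),  # nothing missing
    ("PC02", "KB-A", 2, 1), ("PC02", "KB-B", 3, 1),  # an approved patch is missing
    ("PC03", "KB-A", 3, 1), ("PC03", "KB-C", 2, 0),  # only an unapproved patch is missing
    ("PC04", "KB-A", 2, 1), ("PC04", "KB-C", 2, 0),  # both kinds are missing
]

# One row per client: counts first, then the page's three rules in order.
QUERY = """
SELECT client, targeted, required, approved,
       CASE WHEN required = 0  AND approved = 0  THEN 'Compliant'
            WHEN required <> 0 AND approved <> 0 THEN 'Non-compliant'
            WHEN required <> 0 AND approved = 0  THEN 'Compliant'
       END AS compliance
FROM (
    SELECT client,
           SUM(deployed) AS targeted,
           SUM(CASE WHEN status = 2 THEN 1 ELSE 0 END) AS required,
           SUM(CASE WHEN status = 2 AND deployed = 1 THEN 1 ELSE 0 END) AS approved
    FROM update_status
    GROUP BY client
) AS per_client
ORDER BY client
"""

def compliance_summary(rows):
    """Load rows into an in-memory table and return one summary tuple per client."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE update_status "
               "(client TEXT, update_id TEXT, status INTEGER, deployed INTEGER)")
    db.executemany("INSERT INTO update_status VALUES (?, ?, ?, ?)", rows)
    summary = db.execute(QUERY).fetchall()
    db.close()
    return summary

if __name__ == "__main__":
    for line in compliance_summary(ROWS):
        print(line)
```

PC03 is the case worth noting: it has a missing patch, but because that patch is not in any deployed group the client still reports as compliant.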
Customizing the Report:
The report provided in the article can be downloaded from the TechNet Gallery. After uploading the report to your SCCM SSRS Reports, make sure to change the Data Source as required. Running the report will generate a clear summary of compliance status for the specified collection, displaying the number of targeted, missing, and required patches, along with the final compliance status.
What does the report look like?
Hope it helps!