Addressing SCCM Software Update Deployment Challenges with PowerShell – Remote install

Blog post updated on 23 Oct, 2023

Problem:

A few weeks ago, a colleague of mine was performing monthly patching on a large number of clients (servers). As part of the preparation he made sure the maintenance window was in place and that the software update deployment was configured correctly.

The maintenance window started and the patches began installing. After a while he logged in and browsed the reports to check the status of the deployed patches (software update groups). He found that only 30-40% of the clients were compliant; the rest were non-compliant (the majority) or unknown (very few).

By the time he realised something was wrong, only one hour of the maintenance window was left. Once the window passes the servers cannot be rebooted, and the patching status has to be confirmed with the application teams so that they can perform their application testing.

What to do now, and how to get these non-compliant servers fixed within the hour before the maintenance window elapses? Since there was not enough time to troubleshoot the clients or look for other methods, he went with the manual approach.

I got to know about this the next morning while I was chatting with him. I tried to dig into the logs to see what the problem could have been, but the logs had been overwritten and nothing was left from the previous day.

The only status I got from him was that all updates available in Software Center were showing 'Past due – will be installed'.

Solution:

If you ever run into such an issue, I would suggest picking one problem client for troubleshooting and going through its logs to check whether the client is waiting for a long enough maintenance window, whether the updates are waiting for something else to complete before they can start, and so on.

There could be various reasons why the software updates failed or never started on the client, and to troubleshoot you must check the logs. I have written a couple of articles on software update troubleshooting and reference guides:

http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

http://eskonr.com/2016/10/sccm-configmgr-troubleshooting-guides-for-reference/

Coming back to the problem: how do I force installation of the updates that are available in Software Center when there is no time to troubleshoot the issue? In other words, how do I install the updates that have already been made available on the client?

We can use a PowerShell script to select all the updates available in Software Center and install them. The installation then follows the settings configured in the software update deployment, such as reboot or suppress reboot.

The script is also useful when some updates have failed for whatever reason (reporting gives you the list of clients and their status) and you want to install them without logging in to each client.

Part of the script is taken from the book Microsoft System Center Software Update Management Field Experience (PDF); I modified it to log the output and to read the list of clients from a text file.

<#
.SYNOPSIS
Checks for missing software updates on the local system using the CCM_SoftwareUpdate WMI class
and, if any are found, triggers their installation through the CCM_SoftwareUpdatesManager WMI class.

.DESCRIPTION
The script performs the following steps:
1. Queries CCM_SoftwareUpdate in root\CCM\ClientSDK for updates with ComplianceState=0
   (deployed to the client but not yet installed).
2. Checks whether any such updates exist.
3. Converts each result back to a real WMI instance and passes the array to the InstallUpdates
   method, which honours the deployment's own settings (reboot, suppress reboot, etc.).
4. Displays a success message or the method's return value on failure.

.NOTES
Name : Install-MissingUpdates.ps1
Author: Eswar Koneti @eskonr
#>

# Get missing updates. ComplianceState 0 = required by a deployment but not installed.
# @() guarantees an array even when a single update (or none) comes back.
$MissingUpdates = @(Get-WmiObject -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -Filter 'ComplianceState=0')
$total = $MissingUpdates.Count

# Check if there are missing updates
if ($total -gt 0) {
    # Reformat missing updates: InstallUpdates expects an array of CCM_SoftwareUpdate
    # instances, so rebuild each one from its __PATH instead of passing the PSObject wrappers.
    $MissingUpdatesReformatted = @($MissingUpdates | ForEach-Object { [WMI]$_.__PATH })

    # Install missing updates. The leading comma makes ArgumentList a single array parameter.
    $InstallReturn = Invoke-WmiMethod -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdatesManager `
        -Name InstallUpdates -ArgumentList (,$MissingUpdatesReformatted)

    if ($InstallReturn.ReturnValue -eq 0) {
        Write-Host "Initiated installation of $total updates."
    } else {
        Write-Host "Error installing updates. Return code: $($InstallReturn.ReturnValue)"
    }
} else {
    Write-Host "No missing updates found."
}

Download the complete PowerShell script from TechNet Gallery Here.


To run the script against remote computers, make sure the account you use has enough permissions to connect to WMI on the remote computer (remote DCOM access plus rights on the root\CCM\ClientSDK namespace, which in practice usually means local administrator on the client) and that the firewall allows RPC: TCP 135 for the endpoint mapper plus the dynamic RPC port range.

The script first checks whether the account you are running it under has enough permissions on the remote computer. If it does, it goes into the loop for that client; if not, it logs the failure and moves on to the next client, and repeats this for every client in the list.

The script writes the information to a log file: client name, targeted patches (approved patches), pending patches (including failed, waiting for maintenance window, etc.), reboot pending, and finally Compliant if there is nothing left in Software Center to install.

If a client has already installed all patches and is only waiting for a reboot, the script treats it as compliant, since it will be rebooted either manually or automatically based on the settings configured in the deployment.
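The remote version described above, written out as an added example. This is not the author's TechNet Gallery script; it is a reconstruction of the behaviour the post describes, built on the same two client SDK classes as Install-MissingUpdates.ps1. The file paths C:\Temp\clients.txt and C:\Temp\PatchStatus.log are assumptions, and the EvaluationState values are the documented CCM_SoftwareUpdate states (8, 9, 10 = reboot pending, 13 = error, 14 = waiting for a service window).

```powershell
<#
  Added example (not the post's original script): remote patch trigger that
  reads client names from a text file, checks remote WMI is reachable with the
  current credentials, triggers installation of every update already offered
  in Software Center, and writes one status line per client to a log.
  Assumed (hypothetical) paths: C:\Temp\clients.txt and C:\Temp\PatchStatus.log
#>
param(
    [string]$ClientList = 'C:\Temp\clients.txt',
    [string]$LogFile    = 'C:\Temp\PatchStatus.log'
)

# CCM_SoftwareUpdate.EvaluationState values from the ConfigMgr client SDK
$PendingReboot = 8, 9, 10   # PendingSoftReboot, PendingHardReboot, WaitReboot
$Failed        = 13         # Error
$WaitingMW     = 14         # WaitServiceWindow

function Write-Log {
    param([string]$Message)
    $line = '{0} {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    $line | Tee-Object -FilePath $LogFile -Append
}

function Get-ClientUpdates {
    param([string]$Computer)
    # Everything deployed to this client that is still non-compliant.
    # -ErrorAction Stop turns DCOM/RPC/access-denied failures into exceptions.
    Get-WmiObject -ComputerName $Computer -Namespace root\ccm\ClientSDK `
        -Class CCM_SoftwareUpdate -Filter 'ComplianceState=0' -ErrorAction Stop
}

function Invoke-ClientInstall {
    param([string]$Computer, [object[]]$Updates)
    # InstallUpdates wants an array of CCM_SoftwareUpdate instances, so rebuild
    # each one from its __PATH instead of passing the PSObject wrappers.
    $instances = @($Updates | ForEach-Object { [WMI]$_.__PATH })
    $result = Invoke-WmiMethod -ComputerName $Computer -Namespace root\ccm\ClientSDK `
        -Class CCM_SoftwareUpdatesManager -Name InstallUpdates `
        -ArgumentList (,$instances) -ErrorAction Stop
    return $result.ReturnValue
}

foreach ($client in Get-Content $ClientList | Where-Object { $_.Trim() }) {
    $client = $client.Trim()

    # Permission / connectivity check: if WMI cannot be reached with the
    # running account, log it and move on to the next client.
    try {
        $updates = @(Get-ClientUpdates -Computer $client)
    } catch {
        Write-Log "$client : unable to connect to WMI ($($_.Exception.Message))"
        continue
    }

    if ($updates.Count -eq 0) {
        Write-Log "$client : Compliant (nothing to install in Software Center)"
        continue
    }

    $rebootPending = @($updates | Where-Object { $_.EvaluationState -in $PendingReboot })
    $toInstall     = @($updates | Where-Object { $_.EvaluationState -notin $PendingReboot })
    $failed        = @($toInstall | Where-Object { $_.EvaluationState -eq $Failed }).Count
    $waitMW        = @($toInstall | Where-Object { $_.EvaluationState -eq $WaitingMW }).Count

    if ($toInstall.Count -eq 0) {
        # Installed, only a restart outstanding: treated as compliant, as in the post
        Write-Log "$client : Compliant, reboot pending for $($rebootPending.Count) update(s)"
        continue
    }

    # Re-triggering also picks up updates that previously ended in Error (13).
    try {
        $rc = Invoke-ClientInstall -Computer $client -Updates $toInstall
    } catch {
        Write-Log "$client : targeted $($updates.Count), pending $($toInstall.Count), InstallUpdates call failed ($($_.Exception.Message))"
        continue
    }

    if ($rc -eq 0) {
        Write-Log "$client : targeted $($updates.Count), pending $($toInstall.Count) (failed $failed, waiting for MW $waitMW), reboot pending $($rebootPending.Count) - install triggered"
    } else {
        Write-Log "$client : targeted $($updates.Count), pending $($toInstall.Count) but unable to install them, return code $rc - check the client"
    }
}
```

Run it from an admin PowerShell session as an account that is local administrator on the targets; the "unable to connect to WMI" lines are where firewall (TCP 135 plus the dynamic RPC range) and DCOM permission problems show up, and a non-zero return code from InstallUpdates means the client accepted the connection but refused the request, which is the point to open the client's software update logs.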


Post your feedback via comments section.

21 Responses to "Addressing SCCM Software Update Deployment Challenges with PowerShell – Remote install"

  1. This script works very well.

    However, after using this script every day for the past two weeks I have found that I have a problem (on some of the servers) where, after the PowerShell script starts the process of downloading and installing the updates on a particular server, certain updates will install but other updates will initially say Failed.

    I then don't know that these updates have failed until I log on to the server, launch the SCCM Software Center console, and check the Updates tab.

    At this point, I then have to wait for the updates that are currently installing to finish installing and then I have to go back and click the Install All button again to install the remaining updates (or modify the clients.txt file to contain only the FQDN or IP address of the server(s) having this issue and run the PowerShell script again).

    Sometimes I have to do this several times to finish installing all of the updates available within the SCCM Software Center program.

    So I am hoping to have this PowerShell script modified so that it will detect whenever updates within the SCCM Software Center program have failed to install and will then go back and install the remaining updates (or simply run the PowerShell script again for only the server(s) where the updates have failed to install).

    Please help me in modifying this PowerShell script in this way.
  2. Hello, I have an issue with some of the servers where the packages can't get installed. I get "pending patches - nn but unable to install them, check the Server", and on the server from which the script is run I get the Event Error 10028 "DCOM was unable to communicate with the computer x using any of the configured protocols; requested by PID (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe)." All the servers have the same configuration (firewall/rights/domain) but somehow only a few are affected. Do you have any tip what else could be checked? Thanks!
    1. Hi,
      It seems like a firewall or DCOM issue. You can run wbemtest from the Run command and try to connect to the remote server's WMI (\\servername\root\CCM\ClientSDK) to see if it works or not.

      Thanks,
      Eswar
      1. Hello, the firewall is configured exactly like on the other servers that work; I also fully disabled it for a test but it still occurs. I can connect to the remote server's WMI (\\servername\root\CCM\ClientSDK), but on some servers this specific SCCM updates command still can't be remotely triggered. Other scripts work, even a restart. This happens on some 2008 and 2012 servers (I cross-checked them and they are configured exactly the same); the only common error is the 10028 Event log entry mentioned earlier. It seems to be either DCOM or something with SCCM. Do you have any other tip? Thanks
      2. Hi Eswar, I tried this script and am getting the same output as in your screenshot, but pending patches are not getting installed using this script. They installed fine when I logged in on the server.
        1. Hi Rahul,
          Did you verify whether the script is actually running or not? Usually when you run the script, you can check the logs (wuahandler.log, scanagent.log, etc.) to see what is going on.

          Thanks,
          Eswar
  3. Hello Eswar, what could be the reason why I get "pending patches - X but unable to install them, please check further"? This is really random and only some servers have this issue. Same rights/configuration on all of them, and the packages can be installed manually via SCCM when logged on to that server. Any information would be greatly appreciated. Thanks.
  4. In my scenario I have a set of servers (about 40) where updates first need to be approved by an external software provider, and from time to time they do not approve some specific updates, so I cannot force everything that is approved from the SCCM point of view to install there. I prefer to make the exclusion at the script level, not at the SCCM software update group / collection level.
    So, is it possible to point the script at just specific KBs (for example 5 different KBs)?
    1. Hi,
      The script simply goes and initiates the software updates that are available in Software Center. If you want to restrict it to specific patches, then every time you run the script you need to change it, or have the script prompt for the KB and the list of clients to trigger the patch install remotely. This is possible.

      Thanks,
      Eswar
  5. Hi Eswar - thanks for the script! I'm a beginner with scripts and I'm trying to write a script to install only OS patches (not app patches like Java) which are available in Software Center --> Updates. Is it possible to write a PS script for the following tasks?
    1. How to include the admin ID and password in the script to install patches on a remote server.
    2. Provide multiple servers in a text file.
    3. List the open OS patches on the servers.
    4. Status of patching on each server.
    5. Check whether the server rebooted and is compliant with the updates.

    Please help me to write a new script or how to make changes to your script to achieve my requirements.

    Regards,
    -R
  6. I have found that this generates an error when running against Windows Server 2016 clients. I receive "Get-WmiObject : Generic failure". However, it does appear to correctly process the commands. Any ideas why?
    1. I do not have any Server 2016 at the moment to check. Since the error is a generic failure, I would look at connecting to the remote server using wbemtest, and check the event viewer for more details about the error.
      Is it happening for all Server 2016 machines or only specific ones?

      Regards,
      Eswar
    1. Yes, it can be anything you would like to name it, but in this case it is clients.txt. You can either change it in the script or rename the text file.
      I have now corrected the script to clients.txt, thanks for pointing it out.

      Regards,
      Eswar