Channel: Software Updates – All about Microsoft Endpoint Manager

SCCM Configmgr 2012 SSRS Report Overall Compliance Per Update Group Per Collection will help to troubleshoot the clients


Over the past few weeks, I posted several patch compliance reports because the default reports do not meet my requirements, so I created custom reports that help the team analyze patch statistics and troubleshoot non-compliant machines.

Software update compliance report, month-wise: http://eskonr.com/2013/11/sccm-configmgr-2012-patch-compliance-summary-report-month-wise/

Software update compliance report, month-wise, for a specific collection: http://eskonr.com/2014/09/configmgr-2012-summary-of-patch-compliance-status-report-month-wise-for-specific-collection-ssrs-report/

Software update compliance report per update group per OU: http://eskonr.com/2014/11/sccm-configmgr-2012-patch-report-ou-based-compliance-status-per-update-group/

Software update scan results: http://eskonr.com/2014/10/sccm-configmgr-2012-report-get-the-status-of-software-update-scan-results/

Recently, while running the default patch compliance report "Compliance 1 - Overall compliance" from the category "Software Updates - A Compliance", I saw that it gives the count of clients that are Compliant, Non-compliant and Compliance state unknown for the selected software update group and collection. This report looks good for overall compliance, but the linked reports for non-compliant and compliance state unknown do not give much information to analyze before you take any action.

They provide basic information about the client such as computer name, last logged-on user, assigned site and client version, but this information does not really help you start troubleshooting why a client is non-compliant.

I feel that it would be good to have some additional information such as last logged-on time, OS, last hardware inventory, last software update scan, whether it is a client (Yes or No) and other important information.

Screenshots: Overall Compliance (default report) and the linked report for Non-Compliant (default report).

Having this additional information about the client in the linked reports will help the team analyze whether the SCCM client has a problem, whether there is an issue with the SUP component, or whether the machine has been offline for a long time.

I tried modifying the default report, but I found some difficulties with the functions and other items used in the report.

So I thought of creating a new report for my requirements, and yes, this report runs faster than the default report.

Screenshot: Overall Compliance (custom report).

The blue color indicates the link to the linked report that lists clients with a specific status.

Screenshot: linked report listing clients with a specific status (custom report).

Download the RDL files from the TechNet Gallery, upload them to your SSRS folder (both reports should be in the same folder), change the data source, and run the report.

Enjoy!

SCCM Configmgr 2012 SSRS Report Overall Compliance Per Update Group Per Collection will help to troubleshoot the clients is a post from: Eswar Koneti's Blog


How to Uninstall Microsoft Office Security Updates using Configuration manager 2012


There are multiple posts online that discuss how to uninstall Windows updates if something goes wrong with deployed patches, but I did not find anything related to Office security updates.

In this post, I will discuss how to remove Microsoft Office updates using ConfigMgr / Configuration Manager 2012.

Background: With the release of the December 2014 patches, a bulletin (MS14-082, KB2726958) related to Microsoft Office 2013 caused macros in Excel 2010 spreadsheets to stop working.

More information about this issue was discussed on the TechNet forum: https://social.technet.microsoft.com/Forums/en-US/17254fab-9ecd-49e7-bab7-f76906167d4a/office-2013-update-kb-2726958-problem?forum=officeitpro

When a user tries to run an Excel workbook that has macros/VBA, it gives the error "Run Time Error '438': Object doesn't support this property or method".

Uninstalling the update "Security Update for Microsoft Office 2013 (KB2726958) 32-Bit Edition" from Add/Remove Programs returns Excel to normal and everything works well.

Microsoft also released a fix for this problem, which can be found here. It basically removes the files with the extension ".exd" from %temp% and other folders, but for some reason this fix did not work for all users.

I decided to remove this patch from all the computers where it was installed, to avoid further tickets to the service desk.

Since this is an MS Office security update, you cannot use wusa.exe to uninstall it. wusa.exe is used for Windows security updates.

What other methods can remove a specific patch on Windows computers?

Here is the command line to uninstall Microsoft Office security updates:

msiexec /package {ProductID} /uninstall {PatchID} /qn /quiet /norestart

ProductID: the Product ID of the Windows update component, for example Microsoft Office, Microsoft Visio, Microsoft Lync, etc.

PatchID: the patch ID, which is self-explanatory.

How do I find the Product ID and Patch ID before I run the command line, using Configuration Manager or other methods?

If you are running Configuration Manager 2012, simply go to Devices, find the computer and open Resource Explorer for that computer.

Right-click the Lync product ID row and copy the Product ID information.

Update for Microsoft Office 2013 (KB2817626) 32-Bit Edition    {90150000-012C-0000-0000-0000000FF1CE}_Office15.LYNC_{BC369230-B0E0-4BB0-82D6-E93196060BFA}        Microsoft

So from the above, you have both the Product ID and the Patch ID for the Lync update (KB2817626).

To uninstall this update, replace the Product ID and Patch ID in the command line.

Uninstallation command line syntax:

msiexec /package {90150000-012C-0000-0000-0000000FF1CE} /uninstall {BC369230-B0E0-4BB0-82D6-E93196060BFA} /qn /quiet /norestart

If you have multiple patches causing trouble, create a batch file and put one command line on each row.

Create a standard package using the batch file and deploy it to all workstations (irrespective of whether the update is installed or not). If the update is not installed on a computer, the command is simply ignored.

Monitor the client log execmgr.log to see whether the command executed successfully or not.

How do you find the Product ID and Patch ID without using Configuration Manager 2012 (for example, if the patch inventory was not reported to the CM site successfully)?

You can get these values from the registry on a computer that has these patches installed.

Go to the registry and drill down to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ (if 64-bit), otherwise HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and use the Find option to search for the patch with the display name Security Update for Microsoft Office 2013 (KB2726958) 32-Bit Edition (as you see it in Add/Remove Programs or in the SCCM console).

Look for the UninstallString value, where you can see the Product ID and Patch ID information.

You may wonder why you can't use the uninstall string from the registry. You can, but this command line varies based on the OS architecture. I prefer the msiexec method, which works on all platforms.
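
Both lookups above end with a string of the form {ProductID}_<label>_{PatchID}. As an added example (not part of the original post), the PowerShell below splits such strings and emits the msiexec line from this post for each one, which helps when the batch file has to cover several patches. The function names are hypothetical, and it assumes the key name under Uninstall has the same form as the inventory string shown earlier.

```powershell
# Added example, not from the original post. Function names are hypothetical.

# Split "{ProductID}_<label>_{PatchID}" into its parts; returns nothing for
# strings that do not have that shape (ordinary products, Windows updates).
function ConvertFrom-OfficePatchKey {
    param([Parameter(Mandatory)][string]$KeyName)

    $guid    = '\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    $pattern = '^(?<product>{0})_(?<label>.+)_(?<patch>{0})$' -f $guid

    if ($KeyName -match $pattern) {
        [pscustomobject]@{
            ProductId = $Matches['product']
            Label     = $Matches['label']
            PatchId   = $Matches['patch']
        }
    }
}

# Build the uninstall command line in the syntax used in this post.
function Get-OfficePatchUninstallCommand {
    param([Parameter(Mandatory)][string]$KeyName)

    $patch = ConvertFrom-OfficePatchKey -KeyName $KeyName
    if (-not $patch) {
        Write-Warning "Not an Office patch entry, skipped: $KeyName"
        return
    }
    'msiexec /package {0} /uninstall {1} /qn /quiet /norestart' -f $patch.ProductId, $patch.PatchId
}

# Optional, on a live machine: list the key names whose DisplayName contains
# the given KB number, from both Uninstall locations named in this post.
function Find-OfficePatchKey {
    param([Parameter(Mandatory)][string]$KbNumber)   # for example 'KB2726958'

    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem $_ } |
        Where-Object { $_.GetValue('DisplayName') -like "*($KbNumber)*" } |
        ForEach-Object { $_.PSChildName }
}

# Sample input: the first string is the Lync entry shown in this post; the
# second is a constructed non-patch entry to show the skip path.
$entries = @(
    '{90150000-012C-0000-0000-0000000FF1CE}_Office15.LYNC_{BC369230-B0E0-4BB0-82D6-E93196060BFA}',
    '{90150000-012C-0000-0000-0000000FF1CE}'
)

# One line per patch, ready to paste into the batch file.
$entries | ForEach-Object { Get-OfficePatchUninstallCommand -KeyName $_ }

# On a client:
# Find-OfficePatchKey 'KB2726958' | ForEach-Object { Get-OfficePatchUninstallCommand -KeyName $_ }
```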

Hope it helps!

SCCM Configmgr 2012 SSRS Patch Compliance Report Per Collection Per Update Group


To check patch compliance/deployment status, there are some default reports. One of the most widely used reports for the compliance status of a specific update group on a specific collection is Compliance 1 - Overall Compliance.

But the sub-report / drill-down / linked report that lists the non-compliant computers does not provide the information required for troubleshooting clients, such as last hardware inventory, OS, last logged-on user, last logged-on timestamp, etc. For this reason, I created a custom SSRS report that helps me get some nice statistics and extra client information.

Last month I posted about the Software Update Patch Compliance report per OU per update group, which gets the patch compliance status based on OU.

This time, I would like to share another software update compliance report, per collection per update group, with a linked report that lists non-compliant computers.

Screenshot: the first report, which shows the compliance % per collection.

Screenshot: drill-down report listing the non-compliant computers (Required/Unknown).

Download the RDL files from the TechNet Gallery, upload them to your SSRS reports, and change the data source.

Happy troubleshooting.

SCCM 2012 Check Patch is member of what software update package


This is a quick blog post on checking which software update package a patch (BulletinID) is a member of. You may wonder why you need to check, since clients can connect to the DP and download the patches as long as the patches are available on the DP. Here is a short background.

Background: I was looking at the patches released during February 2015 as part of the patching process in the Configuration Manager 2012 console at a customer. The ConfigMgr site is used by 2 different departments within the company with different procedures (one department manages X clients and the other manages Y clients), each with their own site servers (DPs). So basically patching is done by 2 different people using the same console.

As usual for the patching activity, I was looking at the console for the Feb 2015 patches using the search criteria, and these were already downloaded and deployed to a collection. I didn't realize that this was done by the other department's people. This led me to think about whether I should just add these downloaded and deployed patches to my February 2015 software update group or not. If I add these patches to the Feb 2015 SUP group, my clients would definitely fail, since clients do not have access to the other department's DPs to download the content and the boundaries/boundary groups were not configured for that. I can simply distribute the source content from their DP to my DPs, but later if they make any changes to the source content... huh, no.

If these patches were downloaded by someone within my department, then there is no need for me to download the patches again, but I need to verify which packages these patches are members of (same department or a different department).

How do I check the downloaded patches to confirm this (no need to check all of them, just a few, 1-5 in this case)? You can get this by looking at a package in the console (Show Members), but if there are multiple packages, it is not practical to check each package.

So instead, use a SQL query to check which package a patch is part of, then decide whether to download the patches to your package source location.


SELECT vui.BulletinID,vui.ArticleID,vui.Title,p.Name,p.StoredPkgPath,p.Description
FROM dbo.vUpdateToPkg AS vutp
INNER JOIN dbo.v_UpdateInfo AS vui ON vui.CI_ID = vutp.CI_ID
INNER JOIN dbo.v_Package AS p ON p.PackageID=vutp.PkgID
WHERE vui.BulletinID='MS15-015'

 

You can replace the BulletinID with ArticleID or Title, whatever you need.

Download the ConfigMgr 2012 R2 SQL views to create customized reports: http://eskonr.com/2013/10/download-sccm-configmgr-2012-r2-sql-views/

sccm 2012 SQL Query Get software updates that are downloaded but not in any software update group


Software update groups in ConfigMgr 2012 simplify a lot of administrative work. A group simply contains a list of updates (which must be downloaded before you add them) merged into a single deployment (a single software update group can have multiple deployments).

Coming to the subject line: during cleanup activity it is necessary to find software updates that are downloaded but not in any software update group (I said software update group, not deployment group; there is a little difference between the two).

If you want to get software updates that are downloaded but not in any deployment group, you can refer to Stephen's blog here.

So how do I write the SQL query here? I used a sub-select query to get the updates.

1) First get the list of software updates that are downloaded and part of software update groups.

2) Then filter for the software updates that are not in the first query.

So here is the complete SQL query for you:

If you are smart enough in SQL, you can use this query to create different reports, such as updates that are not members of a particular software update group, or all updates from a specific software update group.

select ui.Title, ui.ArticleID, ui.BulletinID,
case when ui.IsSuperseded=0 then 'No' else  'Yes' end as [IsSuperseded],
case when ui.IsExpired=0 then 'No' else  'Yes' end as [IsExpired]
FROM v_updateinfo ui
INNER JOIN V_UpdateContents uc ON uc.CI_ID=ui.CI_ID
WHERE ui.CI_ID NOT IN (SELECT upd.CI_ID from vSMS_CIRelation as cr
INNER JOIN fn_ListUpdateCIs(1033) upd ON upd.CI_ID = cr.ToCIID
INNER JOIN V_UpdateContents CC ON cc.CI_ID=upd.CI_ID
INNER JOIN v_AuthListInfo AL ON al.CI_ID =cr.FromCIID
where CC.ContentProvisioned='1')
AND uc.ContentProvisioned='1'
AND (ui.CIType_ID=1 OR ui.CIType_ID=8)
GROUP BY
ui.Title, ui.ArticleID, ui.BulletinID,ui.IsSuperseded,ui.IsExpired
order by 2

If you need further information such as the patch URL, description, etc., you can get it from the view v_updateinfo.

SCCM 2012 SQL Query count updates from Software update groups if they are bigger than hard limit 1000 or not


In Configuration Manager 2012, the update limit per update/deployment group has been increased (hard limit) to 1000, whereas in ConfigMgr 2007 it was just 500 updates. For more information about the hard limit and further questions, it is worth reading the blog post by Kevin: http://blogs.technet.com/b/server-cloud/archive/2012/02/20/managing-software-updates-in-configuration-manager-2012.aspx

The hard limit applies to the list of software updates that you see in the software update group in the ConfigMgr console, not to what is downloaded to the source path (I show this in the SQL query below).

With the above reference, a deployment group can contain at most 1000 updates (I am sure no one gets there, due to package size and replication issues to the DPs), but how do I track this information? Check each software update group in the ConfigMgr 2012 console to know its count? I cannot do this every time it is needed.

Here is the SQL query (you can create a nice SSRS report as well) to get the count of software updates from each SUP group.

In the output of the SQL query below, I see 2 different things: 1) software updates available in the deployment group and 2) downloaded updates from the software updates available in the deployment group.

Why is there a count mismatch? Very simple: a single software update can have 2 or more content entries, which you can see in the software update properties.

For example, Cumulative Security Update for Internet Explorer 11 for Windows 7 (KB3021952) has 2 content entries, and both must be downloaded to the source path for deployment.

SQL Query:

select AL.Title [SU Group], count(DISTINCT upd.CI_ID ) 'Software updates Count',
count(upd.CI_ID ) 'Content downloaded Count'
from vSMS_CIRelation as cr
INNER JOIN fn_ListUpdateCIs(1033) upd ON  upd.CI_ID = cr.ToCIID AND cr.RelationType = 1
INNER JOIN v_CIToContent CC ON cc.CI_ID=upd.CI_ID
INNER JOIN v_AuthListInfo AL ON al.CI_ID =cr.FromCIID
where CC.ContentDownloaded='1'
GROUP BY
AL.Title
ORDER BY 1

 

Happy checking!

SCCM Configmgr 2012 Troubleshoot Client software update issues


One of the most important and critically used features in Configuration Manager 2012 is software updates. It is always a challenging and important task for any SCCM administrator to achieve a good patch compliance success rate within the given SLA (service level agreement). The patch compliance success rate depends mainly on the health of your SCCM clients, and sometimes things may go wrong even though the SCCM client is healthy (able to receive applications/packages and perform inventory, but not patches).

I have created a lot of SSRS reports on software update compliance. Of these, one of the most widely used gets the patch compliance status of a software update group for a specific collection, with a linked report to get the computers with unknown and required status for troubleshooting (to check the last hardware inventory, last software update scan, last user, OS, etc.).

Coming to the subject line, I have been seeing many questions on the Configuration Manager forums and social networking sites about software update patching issues. A couple of the questions are:

1) Client is getting packages and applications but not software updates.

2) Most of the clients receive the deployed software updates but a few still do not.

3) Clients are not detecting software updates.

4) Client log says patches are required but SCCM reports say updates are not required (meaning compliant).

5) Client log says patches are not required but SCCM reports say updates are required.

6) Software updates fail to install; how to fix it.

7) I have added patches to an existing software update group/deployment and these newly added patches are not deploying successfully, and many more.

The solution for most of the above issues can be identified by analyzing the client logs before doing in-depth troubleshooting.

In this blog post (SCCM 2012 Troubleshoot software update client issues), I will explain the basic troubleshooting steps (client side only) that will help you resolve issues on your own by analyzing the logs and take it further afterwards.

Before we jump into troubleshooting, I would like to describe the main components involved in deploying software updates.

When you enable the software update agent setting in the client agent settings, a policy is created with this setting and stored in the SQL database. When a client initiates machine policy retrieval, it communicates with the management point and receives this policy, which includes the instructions to install or apply the software update client feature on the client. In this process, the client creates a local GPO with the WSUS settings but leaves the automatic updates setting alone.

If you do not disable automatic updates (via GPO), you leave the door open for the WUA to do things on its own outside the control of ConfigMgr, including installing any updates approved directly in WSUS (including new versions of the agent itself, which are automatically approved) and rebooting systems that have a pending reboot. Neither of these is desirable in a ConfigMgr-managed environment, hence the recommendation to disable automatic updates. As for the rest of the Windows Update GPO settings, they are meaningless in the context of ConfigMgr, so it doesn't really matter what you set them to if you disable automatic updates; more from here.

If you choose to create a GPO for WUA, you must configure the Windows Update Server option to point to the active software update point server in the site or location. If there is an existing GPO that was intended to manage standalone WSUS prior to implementing Configuration Manager in your environment, the GPO could override the local GPO created by Configuration Manager, which can cause issues when the software update client tries to communicate with the software update point server.

The software update components involved are:

1. Windows Update Agent (WUA)

2. Software update client agent (from SCCM)

3. Windows Management Instrumentation (WMI)

Note: Make sure you disable automatic updates via GPO. Further reading: http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

Windows Update Agent (WUA): responsible for scheduling and initializing the scan, detection, download and install of updates on the client machine. The WUA is a service hosted in a Windows service host process (SVCHOST.exe) and is named Windows Update, which you can see in services.msc.

If you disable the WUA, the software update agent will not function correctly, so it is always recommended not to disable this service.

Software update client agent (from SCCM): When you enable the software update agent, it installs 2 actions on the client: 1) Software Update Scan Cycle and 2) Software Update Deployment Evaluation Cycle.

Software update scan schedule: This action performs the software update scan (along with the WUA) against the Microsoft update catalog, which occurs every 7 days by default.

Software update deployment evaluation: This action initiates the software update deployment to start downloading and installing the updates.

Note: When you create a software update deployment with a deadline, for example at 4.00 PM, the actual time at which the software update client starts installing the updates depends on the setting "Disable deadline randomization" (located in the Computer Agent client settings).

A delay of up to 2 hours will be applied to the deadline time for installing required software updates. This randomization prevents all software update clients from starting update installations at the same time (this setting is disabled by default). For more info, read https://technet.microsoft.com/en-in/library/gg682067.aspx?f=255&MSPPError=-2147217396 . If you enable this setting, the deployed software updates will be installed at the deadline you set, i.e. at 4.00 PM (based on client local time or UTC).

It is also good to know the patch compliance states, which are sent as state messages by the client to the site server. Patch compliance is calculated based on these 4 states.

Installed: This means the software update is applicable and the client already has the update installed.

Not Required: This means the software update is not applicable to the client.

Required: This means the software update is applicable but is not yet installed. Alternatively, it may mean that the software update was installed but the state message has not yet been sent to the site server.

Unknown: This means either that the client system did not complete the software update scan or that the site server did not receive the scan status from the client system.

Enough theory; let's have a look at the client troubleshooting steps. (Note: Client logs can be found at %windir%\ccm\logs\ if you have not changed the default path.)

There are many logs on the client that help you troubleshoot client issues, but we will only look at the important logs required for software updates.

1. The first log to check is locationservices.log. This log is used to check that the correct software update point has been detected by the client. You can also see the management point and distribution point entries in this log.

2. The second log to check is wuahandler.log. When the software update scan cycle is initiated, the Windows Update Agent (Windows Update service) contacts WSUS (the SUP) for scanning, and if the scan is successful, a state message is sent to the site server confirming that the software update scan completed successfully, which can be seen in this log. Get the report to know the software update scan results from here.

If for some reason you don't see the successfully completed scan message, start troubleshooting from this log based on the error.

You can get the error description from the CMTrace.exe tool: copy the error code and use Ctrl+L (Error Lookup) in CMTrace.exe to get the error description.

If the WSUS entries are not set correctly, or the client has issues locating the correct WSUS server, you can set the WSUS entry manually or with a script. Further troubleshooting is required.

The registry locations for the WSUS entries are as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU with UseWUServer = 1
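
One way to check those entries on a client, as an added example that is not part of the original post: the PowerShell below reads the two keys and reports where the values differ from what a ConfigMgr-managed client should have, including the automatic updates setting recommended earlier. The function names and server names are hypothetical; WUServer, WUStatusServer and NoAutoUpdate are the standard Windows Update policy value names and are not taken from the post.

```powershell
# Added example, not from the original post. Function names and the server
# names in the sample data are hypothetical.

# Read the Windows Update policy values from the two keys named above.
function Get-WsusPolicy {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $wu 'AU') -ErrorAction SilentlyContinue
    @{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
        UseWUServer    = $au.UseWUServer
        NoAutoUpdate   = $au.NoAutoUpdate
    }
}

# Compare a set of policy values with what a ConfigMgr client should have.
function Test-WsusPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [Parameter(Mandatory)][string]$ExpectedSupUrl
    )
    $expected = $ExpectedSupUrl.TrimEnd('/')
    $findings = @()

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = [string]$Policy[$name]
        if (-not $value) {
            $findings += "$name is not set."
        } elseif ($value.TrimEnd('/') -ne $expected) {
            $findings += "$name is '$value', expected '$expected' (check for a domain GPO overriding the local policy)."
        }
    }
    if ($Policy['UseWUServer'] -ne 1) {
        $findings += 'AU\UseWUServer is not 1, so the agent is not directed to WUServer.'
    }
    if ($Policy['NoAutoUpdate'] -ne 1) {
        $findings += 'AU\NoAutoUpdate is not 1: automatic updates are still enabled outside ConfigMgr control.'
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample values (not captured from a real client).
$sup   = 'http://sup01.corp.example:8530'
$good  = @{ WUServer = $sup; WUStatusServer = $sup; UseWUServer = 1; NoAutoUpdate = 1 }
$stale = @{
    WUServer       = 'http://oldwsus.corp.example:8530'   # left over from standalone WSUS
    WUStatusServer = 'http://oldwsus.corp.example:8530'
    UseWUServer    = 1
    NoAutoUpdate   = $null                                 # automatic updates never disabled
}

Test-WsusPolicy -Policy $good -ExpectedSupUrl $sup
(Test-WsusPolicy -Policy $stale -ExpectedSupUrl $sup).Findings

# On a client: Test-WsusPolicy -Policy (Get-WsusPolicy) -ExpectedSupUrl $sup
```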

 

3. The third log is windowsupdate.log. If the software update scan is successful according to wuahandler.log, you can ignore this log file and move directly to the next log (UpdatesDeployment.log). If the software update scan is not successful, look at this log for more information. This log provides information about when the Windows Update Agent connects to the WSUS server and retrieves the software updates for compliance assessment, and whether there are updates to the agent components.

Using these 2 logs (wuahandler.log and windowsupdate.log), try to fix the errors and make sure you see the scan succeed in wuahandler.log.

4. The fourth log to check is UpdatesDeployment.log. It provides information about the deployment on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface.

This log shows the number of updates and deployments being targeted to a machine.

From the above log snippet, you can see that total actionable updates = 0, which means the client does not require any additional updates from those you targeted to this PC. If for some reason the client shows as non-compliant in your SCCM reports, try to refresh the compliance state using https://msdn.microsoft.com/en-us/library/cc146437.aspx , and monitor updatestore.log to see whether the state messages (like "Successfully raised Resync state message") have been sent to the site server (MP) or not.

Alternatively, you can use the PowerShell script below and advertise it to your clients once or twice a month as per business needs.

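# Ask the ConfigMgr client to resend its update compliance state to the site server
$SCCMUpdatesStore = New-Object -ComObject Microsoft.CCM.UpdatesStore
$SCCMUpdatesStore.RefreshServerComplianceState()
# Register the event source (ignored if it already exists), then record that the script ran
New-EventLog -LogName Application -Source SyncStateScript -ErrorAction SilentlyContinue
Write-EventLog -LogName Application -Source SyncStateScript -EventId 555 -EntryType Information -Message "Sync State ran successfully"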

UpdatesDeployment.log also tells you which assignments (update deployments) were made, with the count of updates in each deployment. In the above log, Assignment {C37C45D8-E722-4EB7-AC21-014925079560} has total CI = 6, which means the assignment has 6 patches in total.

How do you check the deployment name for a particular assignment? You can add the Deployment Unique ID column for software update deployments or use the SQL query below.

SELECT * FROM vSMS_UpdateGroupAssignment
WHERE vSMS_UpdateGroupAssignment.Assignment_UniqueID= '{C37C45D8-E722-4EB7-AC21-014925079560}'

If for some reason you don't see the newly added patches installing (issue no. 7), you can check UpdatesDeployment.log for the particular assignment and its patch count. If the count of patches is less than what it is supposed to be, you may have to refresh the machine policy, initiate a software update scan and wait a while before the client starts downloading the policies.

If you see some updates pending action (total actionable updates <> 0) but not installing, look at CAS.log to see whether your client is able to locate the content on the distribution point or not.

UpdatesDeployment.log will also tell you whether enough maintenance window time (ServiceWindowManager.log) is available to install the updates. Read the following blogs to understand the maintenance window calculation for software update installation.

http://blogs.technet.com/b/configurationmgr/archive/2013/06/11/configmgr-2012-support-tip-clients-never-reboot-even-when-required-in-a-deployment.aspx

http://blogs.technet.com/b/csloyan/archive/2010/10/24/maintenance-window-calculations-explained.aspx

5. The fifth log to check is UpdatesStore.log. It provides information about the compliance status of the software updates that were assessed during the compliance scan cycle (status such as Missing/Installed).

If everything is working well, the final log to refer to is RebootCoordinator.log. It provides information about the process for coordinating system restarts on client computers after software update installations.

Diagram: Configuration Manager client-side software update deployment flowchart, captured from the Configuration Manager software update management field experience guide.

For troubleshooting clients, you can use tools such as the deployment monitoring tool, Configuration Manager Support Center, etc.

I normally use Configuration Manager Support Center to troubleshoot client issues, to check whether the policy for the deployed software update group was received correctly or not, based on the PolicyVersion.

Open Support Center (you can download it from Microsoft) and connect to the remote machine (you need admin rights on the remote computer).

Go to the Policy tab, click Requested and then Load Requested Policy. You will see a list of WMI instances on the left.

Click Settings (root\ccm\policy\machine\requestedconfig), click CCM_UpdateCIAssignment, then click the policy ID. On the right side, you will see information about the software update group.

Check the policy version on the client and on the site server. Now you know how to take the troubleshooting further. Good luck.

A couple of common workarounds when troubleshooting software update issues:

1. Stop the Windows Update service, rename or delete the SoftwareDistribution folder (%windir%\SoftwareDistribution) and start the Windows Update service. This approach provides a fresh start with a new Windows Update data store if the Datastore.edb file is corrupted.

2. Restart the Windows Update service, trigger the Software Update Scan Cycle and the Software Update Deployment Evaluation Cycle, and follow the logs.

4. http://eskonr.com/2014/11/sccm-configmgr-2012-software-update-scan-failed-onsearchcomplete-failed-to-end-search-job-error-0xc8000222/

5. http://eskonr.com/2014/11/sccm-configmgr-2012-patch-report-ou-based-compliance-status-per-update-group/

6. http://eskonr.com/2014/10/sccm-configmgr-2012-software-update-scan-error-group-policy-settings-were-overwritten-by-a-higher-authority-error-code-0x87d00692/

7. Refer to software update client issues: https://technet.microsoft.com/en-in/library/bb932189.aspx
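
Workarounds 1 and 2 above as a script, added here as an example and not part of the original post. It renames the data store rather than deleting it and always restarts the service. The function names are hypothetical; the two schedule IDs are the standard ConfigMgr client action IDs for the scan and deployment evaluation cycles and are not taken from the post.

```powershell
# Added example, not from the original post. Run in an elevated session on the
# affected client. Function names are hypothetical.

# Workaround 1: stop Windows Update, set the data store aside, start the service.
function Reset-WindowsUpdateStore {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = (Join-Path $env:windir 'SoftwareDistribution'))

    if (-not (Test-Path $Path)) {
        Write-Warning "$Path not found, nothing to reset."
        return
    }
    if (-not $PSCmdlet.ShouldProcess($Path, 'Rename Windows Update data store')) { return }

    Stop-Service -Name wuauserv -Force
    try {
        # Rename instead of delete so the old store can be inspected or restored.
        $newName = 'SoftwareDistribution.old-{0:yyyyMMddHHmmss}' -f (Get-Date)
        Rename-Item -Path $Path -NewName $newName -ErrorAction Stop
    } finally {
        # Always bring the service back, even if the rename failed.
        Start-Service -Name wuauserv
    }
}

# Workaround 2: restart the service, then trigger the two client actions.
function Invoke-SoftwareUpdateCycles {
    $schedules = [ordered]@{
        'Software Update Scan Cycle'                  = '{00000000-0000-0000-0000-000000000113}'
        'Software Update Deployment Evaluation Cycle' = '{00000000-0000-0000-0000-000000000108}'
    }
    Restart-Service -Name wuauserv -Force
    foreach ($name in $schedules.Keys) {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
            -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $schedules[$name] } |
            Out-Null
        Write-Output "Triggered: $name"
    }
}

# Preview only; remove -WhatIf to perform the reset.
Reset-WindowsUpdateStore -WhatIf

# Then, on the client:
# Invoke-SoftwareUpdateCycles
# Get-Content "$env:windir\CCM\Logs\WUAHandler.log" -Tail 20 -Wait
```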

This post will be updated frequently with possible solutions, so keep checking this blog post.

Feel free to comment via the comment section if there are corrections or anything missed.

 

SCCM Configmgr 2012 Updated Patch Compliance reports for software update group and collection with patch progression


Few months ago,I blogged about  SCCM Configmgr 2012 SSRS Patch Compliance Report Per Collection Per Update Group .This report tells you ,how your specific software update group (list of patches) is performing on specific collection(list of computers). It has linked report to see what computers are non-compliant for troubleshooting with some additional client information if you compare with default compliance report.

In this post, I have made some changes and bring additional report called patch progression report (have added installed patches to the report) to show how patches each PC is missing and installed with client information like OS,Last hardware scan etc. This information is available on the 2nd report when you click the computer name to see patch progression .

Note: The patch progression report is build only for critical,security updates excluded superseded and expired updates. so if your company is deploying other classification of patches like update classification,service packs etc ,you will have to modify 3rd report .

You might wonder why the installed patches count is less , this count (patches) is installed via SCCM but not other methods of installation (manual or other way).

The first report looks like this (Patch compliance report per collection per software update group):

image

Click on the required or Unknown count to see the list of computers for troubleshooting.

image

 

The above 2 reports are the old ones with nothing changed, but the next report (below) is newly added and linked to the 2nd report. Click on the computer name to see the count of installed and missing patches.

image

 

Download all 3 reports from TechNet here, upload them to your SSRS reports folder (make sure all 3 are in one folder), change the data source and run it.

You are supposed to run the first report and go through the linked reports to get the count of missing patches etc. If you run the linked reports directly, you may get an error, which is expected and by design.

Additional patch compliance reports, if you are interested:

http://eskonr.com/2015/03/configmgr-2012-sql-query-count-updates-from-software-update-groups-if-they-are-bigger-than-hard-limit-1000-or-not/

http://eskonr.com/2015/03/configmgr-sql-query-get-software-updates-that-are-downloaded-but-not-in-any-software-update-group/

http://eskonr.com/2015/03/configmgr-2012-check-patch-is-member-of-what-software-update-package/

http://eskonr.com/2014/11/sccm-configmgr-2012-ssrs-report-overall-compliance-per-update-group-per-collection-will-help-to-troubleshoot-the-clients/

http://eskonr.com/2014/11/sccm-configmgr-2012-patch-report-ou-based-compliance-status-per-update-group/


SCCM Configmgr SQL Query How to get list of patches required by specific Computer


 

There are instances where you might be searching for the list of patches required by a specific computer or computers (for example, to get the list of patches required by a server so that you can download and install them in a DMZ that does not have internet access, or to check patch compliance for a specific computer). Generally, we first look at the default reports to see whether any of them gives the required information.

If you look at the default reports, none gives you the exact list of patches required by a specific computer with targeted, required, release date and other information.

You can run the SQL query below from SQL Server Management Studio or use it in your SSRS reports with a parameter for the computer name.

This query has been customized to present the month posted, title of the patch, whether it is targeted to the client, whether it is required, KB URL, date posted and deadline, if there is one.

Note: This query is filtered on Severity (security and critical) from the view v_UpdateInfo.

SQL Code:

select CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
ui.bulletinid [BulletinID],ui.articleid [ArticleID], ui.Title,
    Targeted=(case when ctm.ResourceID is not null then '*' else '' end),
    IsRequired=(case when css.Status=2 then '*' else '' end),
    ui.InfoURL as InformationURL,
    ui.dateposted [Date Posted] ,
    Deadline=cdl.Deadline
    from V_UpdateComplianceStatus  css
    join v_UpdateInfo ui on ui.CI_ID=css.CI_ID
    left join v_CITargetedMachines  ctm on ctm.CI_ID=css.CI_ID and ctm.ResourceID = css.ResourceID
    INNER join v_CICategories_All catall2 on catall2.CI_ID=css.CI_ID
    INNER  join v_CategoryInfo catinfo2 on catall2.CategoryInstance_UniqueID = catinfo2.CategoryInstance_UniqueID
    and catinfo2.CategoryTypeName='UpdateClassification'
    JOIN dbo.v_R_System AS vrs ON vrs.ResourceID = css.ResourceID
       outer apply (
       select Deadline=min(a.EnforcementDeadline)
       from v_CIAssignment  a
       join v_CIAssignmentToCI atc on atc.AssignmentID=a.AssignmentID and atc.CI_ID=css.CI_ID
       ) cdl
   WHERE vrs.Name0='Win7X64-001' and
   ui.Severity IN (8, 10) --this is for security and critical updates
  AND css.Status=2  --for required
ORDER BY 1

I posted the same query on the TechNet forums; more info: https://social.technet.microsoft.com/Forums/en-US/8fe96532-d9ef-48f2-a356-6e1195d9273e/report-of-what-updates-are-needed-by-server?forum=configmanagergeneral#7185a84e-afab-47d2-82bd-7418e02dd75f

SCCM Configmgr SSRS Report Get list of missing updates for PC from specific Software update group


A few months ago, I posted a blog on how to get the list of missing/required software updates for a specific computer, which helps to identify whether a PC is 100% compliant for the list of available patches (metadata) in SCCM. But that report gives you the overall missing patches from the SCCM DB irrespective of whether they are part of any software update group or not.

Since the previous report cannot be limited to a specific software update group, a lot of people commented on the blog post asking for a software update group filter, so that they can check a PC against a specific software update group to know its compliance level.

This report does exactly that: it gets the list of missing/required software updates for a particular PC from a specific software update group.

image

Report looks like this:

image

Download the RDL report from TechNet Gallery here, upload it to your Configmgr SSRS Reports, change the data source and run it.

Note: I have tested this report in both Configmgr 2012 R2 SP1 and Configmgr V1511, and it works fine.

SCCM Configmgr How to generate patch compliance report that shows all updates for specific collection ?


There are a couple of posts on the TechNet blog and other forums asking, 'Is there any report that lists all updates with compliance status for a specific collection?' Read it once again: a software update compliance report that lists all updates, whether targeted, installed or missing, for a specific collection. A collection may contain X clients, and each client reports compliance status for Y patches from your Configmgr environment. So when you generate a report with this requirement, do you know how many rows you get? X (number of clients) * Y (number of patches).

Assume X = 200 clients and Y = 100 patches (to date): the report consists of 200 * 100 = 20,000 rows.

So if you generate this report for management to show the compliance status (this is not really the compliance status management requires), are they going to read it? How does it matter to them if a particular computer is missing XX patches? Management wants to know whether the PC is compliant or not.

You should not encourage such unrealistic requests; if they ask you, tell them what they are going to get. Garth has blogged about a similar kind of requirement, How to perform a basic Software Audit; read it here: http://www.enhansoft.com/blog/how-to-perform-a-basic-software-audit

So, how do you perform a basic software update compliance audit? There are a variety of reports available by default in Configmgr under the category Software Updates - A Compliance.

If your management asks for a patch compliance report, give them the overall compliance status of each machine from a specific collection for a specific update (this gives overall compliance for a specific software update group only) or the compliance status of each machine from a specific collection (this generates a report with all updates in your Configmgr).

There are a lot of patch compliance reports on my blog for different requirements, so have a look at them: download the RDL file, edit it using your favorite tool (Report Builder, BI, Visual Studio etc.), copy the code into SQL Server Management Studio, make the adjustments you need and put the query back into the SSRS report.

The recommended procedure/best practice is to use the existing default reports, or the reports posted on my blog for compliance status per collection or per OU etc., look at the computers that are non-compliant (if at least one patch is required by the client, it reports as non-compliant) and start troubleshooting them rather than generating unnecessary data.

If you still want to generate such a report, here is the SQL query for you. All you need to do is change the collection ID and run it from SQL Server Management Studio.

select
vsv.Netbios_Name0 [PC Name],
CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
ui.BulletinID,
ui.ArticleID,
ui.Title,
UpdateClassification=cls.CategoryInstanceName,
Targeted=(case when ctm.ResourceID is not null then '*' else '' end),
Installed=(case when css.Status=3 then '*' else '' end),
IsRequired=(case when css.Status=2 then '*' else '' end),
Deadline=CONVERT ( varchar (26) , cdl.Deadline , 100),
ui.dateposted [Date Posted],
ui.InfoURL as InformationURL
from V_UpdateComplianceStatus  css
join V_UpdateInfo ui on ui.CI_ID=css.CI_ID
join V_CICategoryInfo_All vnd on vnd.CI_ID=ui.CI_ID and vnd.CategoryTypeName='Company'
join V_CICategoryInfo_All cls on cls.CI_ID=ui.CI_ID and cls.CategoryTypeName='UpdateClassification'
join v_ClientCollectionMembers ccm on ccm.ResourceID=css.ResourceID
JOIN dbo.v_R_System_valid vsv ON vsv.ResourceID = css.ResourceID
left join V_CITargetedMachines   ctm on ctm.CI_ID=css.CI_ID and ctm.ResourceID = css.ResourceID
outer apply (
select Deadline=min(a.EnforcementDeadline)
from V_CIAssignment  a
join V_CIAssignmentToCI atc on atc.AssignmentID=a.AssignmentID and atc.CI_ID=css.CI_ID
) cdl
where ccm.CollectionID='PS100018'
order by ui.Title

Output of the SQL Query:

image

SCCM Configmgr SSRS Report Quick way to check if Clients are compliant or not for all the approved patches?


Another interesting report on software update compliance, which will really help a lot of people in their daily job. Did you ever receive a request to report compliance status (as a one-line report) for a bunch of clients, for example a specific collection? Management or security teams do not really care which software updates a computer is missing; they always look for the final result, i.e. Compliant or Non-Compliant. Only these 2 statuses matter to them to ensure the computers are fully patched.

Generally, how do you check when such requests come? Do you look at the default compliance reports (Software Updates - A Compliance--Compliance 5 - Specific computer) or other compliance reports?

There are 2 ways to tell whether a client is compliant or not using the default reports.

1) You can run the report based on software update group for specific collection—Compliance 1—Overall Compliance

2) Compliance for specific computer--Compliance 5 - Specific computer 

Report 1) gives you the status only for a specific software update group for a specific collection, not for all software updates deployed to a specific PC. A PC might have 100 software updates deployed, and these software updates may come through multiple software update groups. It is really challenging to find out whether a PC is compliant for all the deployed patches unless you have only one software update group.

Report 2) gives you the list of all updates with targeted (approved), missing and installed, but telling whether the PC is compliant for all the patches you see in the report takes time, because you have to filter the missing/required column and compare it with the targeted patches. (Note: You only care about the deployed patches, not all the updates required by the PC; more about this shortly.)

Note: This post is strictly about software update compliance, not Endpoint Protection updates.

If you want to run report 2) for a bunch of PCs, you need to create a custom report, and it is not easy to say in one line that a PC is compliant for all the deployed patches.

So, how do I check quickly whether a PC is compliant for all the targeted patches? That is, if I enter the collection name into the report, it should give me the PC name, how many patches are targeted, how many are missing, and whether it is compliant or not. For this report, I have also included other computer information like last logged-on user name, last hardware scan, last update scan and the update scan result etc. to identify the PC health.

So, how do I come to the conclusion that a PC is compliant or not based on the Targeted PC's and Missing PC's? Here is the logic I have used in the report, if you want to know before editing the report.

If Count of Required Patches = 0 and Count of Deployed Patches = 0, then PC is Compliant

If Count of Required Patches != 0 and Count of Deployed Patches != 0, then PC is Non-Compliant

If Count of Required Patches != 0 and Count of Deployed Patches = 0, then PC is Compliant

Before you proceed to download the report, you need to understand a few things about how this SQL query is written and what filters are used in the report to achieve the task.

A client becomes non-compliant only when there are updates needed by the PC; otherwise, we can say the PC is compliant. So the primary filter (WHERE condition) used here checks for status=2, meaning Required/Missing, from V_updateCompliancestatus. Based on this criterion, I calculate the total number of patches deployed to the PC and how many are still needed by the PC.

You may wonder about the 3rd rule: how can the count of missing patches be > 0 when the count of targeted patches = 0? You really need to check with the admin who manages the SUP deployment why these updates are not deployed. If your organization only cares about security and critical updates, you can simply ignore the required patches, but if there is any deployed count (> 0), troubleshooting is needed. So we assume that the client has been verified against all the deployed patches, the missing patches are irrelevant since you never deployed them, and it is COMPLIANT.
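One way to express the three rules above in a single query, as an added example (this is not the query inside the RDL). It assumes the "Deployed" count means required updates that also have a row in v_CITargetedMachines for the client, and it uses PS100018 as a placeholder collection ID.

```sql
-- Added example: one line per PC with required count, deployed-and-required count and verdict.
-- Assumption: 'PS100018' is a placeholder; replace it with your own collection ID.
Declare @CollID nvarchar(255);
Set @CollID = 'PS100018';

select
    sys.Name0 [PC Name],
    -- Updates the client reports as Required/Missing (Status = 2), deployed or not
    count(distinct css.CI_ID) [Required],
    -- Subset of the required updates that are actually targeted (deployed) to this client
    count(distinct ctm.CI_ID) [Required And Deployed],
    -- Rule 1: Required = 0              -> Compliant
    -- Rule 2: Required > 0, Deployed > 0 -> Non-Compliant
    -- Rule 3: Required > 0, Deployed = 0 -> Compliant
    -- The deployed count is a subset of the required count, so one test covers all three.
    case when count(distinct ctm.CI_ID) = 0 then 'Compliant' else 'Non-Compliant' end [Compliance],
    -- A NULL scan time means the client never reported a scan, so its zero counts prove nothing
    max(uss.LastScanTime) [Last SU Scan]
from v_FullCollectionMembership fcm
join v_R_System sys on sys.ResourceID = fcm.ResourceID
-- Left joins keep PCs that have no Required rows at all, so they still appear as Compliant
left join v_UpdateComplianceStatus css
       on css.ResourceID = fcm.ResourceID and css.Status = 2
left join v_CITargetedMachines ctm
       on ctm.CI_ID = css.CI_ID and ctm.ResourceID = css.ResourceID
left join v_UpdateScanStatus uss on uss.ResourceID = fcm.ResourceID
where fcm.CollectionID = @CollID
group by sys.Name0
order by [Required And Deployed] desc, sys.Name0
```

Treat a PC that shows Compliant with an empty Last SU Scan as unverified rather than patched.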

All clear now? If you still have questions, please post them via the comments section.

Download the RDL file from TechNet Gallery here, upload the report into your Configmgr SSRS Reports, change the data source and run the report.

Run the report, pick one PC which is compliant and simultaneously use your favorite default/custom reports to check whether the PC is compliant for all the deployed patches.

What does the report look like?

image

 

Hope you like this report.

SCCM Configmgr SQL Query to check software update is superseded by what software updates


 

Someone on the MyItform list asked, 'Is there a way to get the superseded patch list for all Windows 7?' When I read the question, I thought we could get this using the default reports, but when I checked them, there was no report that matches this requirement.

So I sat in the lab for some time, started writing the SQL query and found something. I thought of writing this blog post to help others with similar needs.

If you want to know which software updates supersede a particular patch (e.g. Cumulative Update for Windows 10 Version 1511 (KB3124200)) in SCCM/Configmgr, simply browse to the Software Library / Software Updates node, search for this title, right-click the software update, open Properties and go to Supersedence Information. You can see which updates this software update is superseded by (replaced by), and also whether this software update supersedes any other update.

image

This method is easy if you want to check a specific software update, but what if you want a list of software updates together with the updates that supersede them?

In Configmgr, software update information is scattered across multiple tables/views, and depending on your requirement, you must choose the right one to query.

For writing SQL queries/SSRS reports, always keep these 2 as references: 1) Configmgr SQL views and 2) SSRS expressions.

For our requirement, we will retrieve the software update information from V_updateinfo and the supersedence information from v_CIRelation_all.

Based on the above 2 SQL views, I retrieve the software updates and the updates that supersede them.

SQL Code:

select UI1.Title,UI1.IsSuperseded,ui1.BulletinID,UI1.InfoURL,
UI2.Title [S Title],ui2.IsSuperseded,UI2.BulletinID [S BulletinID],UI2.InfoURL [S InfoURL]
from v_CIRelation_all CA
left join v_UpdateInfo UI1 on CA.ReferencedCI_ID=UI1.CI_ID
left join v_UpdateInfo UI2 on ca.CI_ID=ui2.CI_ID
where RelationType=6
and UI1.title like '%Windows 10%'

If you want to list only Windows 7 updates, replace 10 with 7. If you want to list all software updates irrespective of OS, simply comment out the last line using --.

You can use this SQL code in SSRS reports with your customizations.

SCCM Configmgr Software update Compliance Report for multiple Software Update groups per collection


 

Long ago, I wrote a blog post on how to get software update compliance for a specific update group per collection, with a drill-down report to list the required/missing and unknown clients with some additional information like recent hardware inventory, last update scan results, OS etc.

That report only works for a single software update group per collection, but in Configuration Manager there could be multiple software update groups created as part of the patching process. It is difficult to know the compliance status of the same collection for multiple update groups, and the task becomes tedious if you run the same report multiple times and write the results down to a file.

With the Configuration Manager console, it is possible to see the compliance (Required, Installed, Unknown and %) of a software update group for the deployed collection, but seeing the same for multiple update groups and getting the list of required clients etc. is not possible; for that you need an SSRS report.

Wouldn't it be nice to have an SSRS report that lists the software update compliance for multiple update groups per collection?

This report has been lying in my bucket for a long time and is finally going public.

I have made small changes to the report (nothing major) to the prompts (select multiple update groups) and to the drill-down report as well.

This report allows you to select multiple update groups and a single collection, as shown below. You need to act on the Required (a.k.a. Missing) and Unknown statuses.

It has 2 RDL files: 1) update compliance status for multiple groups per collection and 2) a linked report showing which clients have a specific software update status (Required, Unknown).

First report looks like below:

Multiple Update Groups for Collection

Installed -> Specifies that the software update is applicable on the client computer and that the client computer already has the software update installed.

Not Required -> Specifies that the software update is not applicable on the client computer, and therefore, the software update is not required.

Required -> Specifies that the software update is applicable and required on the client computer.

Unknown -> Specifies that the site server has not received a state message from the client computer. There could be various reasons, e.g. the scan did not run successfully, or the scan completed but the state message was not sent successfully.

Click on the arrow (blue) to see the Required and Unknown clients for the selected software update group:

Software Update Compliance Report

 

Download the reports from TechNet Gallery, upload them to your Configmgr SSRS reports, change the data source and run the report.

To troubleshoot software update issues, refer to http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

SCCM Configmgr Get the Update Compliance Status for multiple Update groups against Multiple collections using SQL query without reporting


Recently, we had an issue with the SCCM Configmgr Reporting Services role (the remote SQL server sitting on a VM crashed; blog post coming soon) and we were unable to generate reports, mainly the software update compliance status that is produced every month. This post is about how to check the software update compliance status for the deployed software update group(s) per collection(s) without using Configmgr reports. The reason for posting it is that fixing the Reporting Services role took longer than expected, and in the meantime we needed to check the patch compliance status and troubleshoot the non-compliant machines (servers) within the maintenance window.

I thought the SQL code I used to generate the compliance status would be handy for others who do not want to use Configmgr reports and prefer SQL code for quick results.

If you are unable to generate compliance status using the SSRS reports, the only other method is to rely on the Monitoring node (Deployments), look for the software update deployment for a particular collection and view the non-compliant machines for troubleshooting, which is not easy if you have a large number of deployments and collections.

To overcome this, you can use SQL Server Management Studio and run the query posted below to generate the list of non-compliant clients with extra information like hardware inventory, software update scan, operating system, IP address, user name, whether it has the client etc.

This SQL query should be helpful to quickly generate the compliance status for multiple software update groups and multiple collections.

I recently posted a blog about how to generate software update compliance status for multiple update groups per collection, but this SQL query generates update compliance status for multiple update groups against multiple collections.

You can use this SQL query to create a nice SSRS report for multiple update groups per multiple collections in one click.

The SQL code below lists clients with Required/Missing status. If you want clients with Unknown status, change the @Status value to 0. The update compliance status values are listed below:

Update compliance Status:

0—Detection Status Unknown

1—Not Applicable

2—Required/Missing

3—Already Installed /Compliant

image

 

--SQL Code to Generate Update compliance Status for multiple update groups against multiple collections

Declare @Status nvarchar(255);set @Status='2';
--Status 0 for Unknown, 1 for Not Applicable,2 for Required ,3 for installed
select sys.name0 [Computer Name],sys.User_Name0 [User Name], os.caption0 [OS],
CONVERT(VARCHAR(26), ws.lasthwscan, 100) as [LastHWScan],
CONVERT(VARCHAR(26), uss.lastscantime, 100) AS 'LastSUScanTime',
CONVERT(VARCHAR(26), sys.last_logon_timestamp0, 100) AS 'Last Logon Time',
case when sys.client0='1' then 'Yes' else 'No'
end as 'Client (Yes/No)', c.IPAddress AS [IP Address]
From v_Update_ComplianceStatusAll UCS
left join v_r_system sys on ucs.resourceid=sys.resourceid
left join v_FullCollectionMembership fcm on sys.resourceid=fcm.resourceid
left join v_collection coll on coll.collectionid=fcm.collectionid
left join v_GS_OPERATING_SYSTEM os on ucs.resourceid=os.resourceid
left join v_gs_workstation_status ws on ucs.resourceid=ws.resourceid
left join v_updatescanstatus uss on ucs.ResourceId=uss.ResourceID
left join v_AuthListInfo LI on ucs.ci_id=li.ci_id
INNER JOIN (SELECT     IP1.resourceid AS rsid2, IPAddress = substring
((SELECT     (IP_Addresses0 + ', ')
FROM    v_RA_System_IPAddresses IP2
WHERE     IP2.IP_Addresses0 NOT LIKE '169%' AND IP2.IP_Addresses0 NOT LIKE '0.%' AND IP2.IP_Addresses0 NOT LIKE '%::%' AND
IP_Addresses0 NOT LIKE '192.%' AND IP1.resourceid = IP2.resourceid
ORDER BY resourceid FOR xml path('')), 1, 50000)
FROM    v_RA_System_IPAddresses IP1
GROUP BY resourceid) c ON c.rsid2 = ucs.resourceid
where li.title IN ('SUG1','SUG2','SUG3') and coll.collectionID in ('PS10029A','PS10000D') and ucs.status=@Status
group by sys.name0,sys.User_Name0,os.Caption0,ws.LastHWScan ,uss.LastScanTime,sys.Last_Logon_Timestamp0,sys.client0,c.IPAddress
order by 1

Hope it helps !


SCCM Configmgr SQL query to find Top X missing updates for specific collection for specific update group


For the past few days, I have been working on a customized software update compliance dashboard report with some pie charts for management to see the patch compliance progress for each business unit (by business unit I mean each country).

Management is interested in seeing the overall patch compliance summary for each country (focused on servers) in a nice pie chart, which can be published to them either via email (using SSRS subscriptions) or on bigger screens, especially for server compliance status.

This dashboard uses a lot of pre-existing reports that are already published on my blog, but there is one report (though its SQL query is only a few lines of code) that made me spend a lot of time making changes and checking in the console whether the results tally. That report is:

Top 5 or 10 missing patches for specific collection and specific update group.

The hard part of getting this report to work is identifying the correct views to join software update group and compliance status. I strongly recommend using the SQL views documentation when creating any custom SCCM report.

After going through the SQL views documentation, I found the views below, which help to join the software update group (CI_ID) and software updates (CI_ID):

v_BundledConfigurationItems: contains information about each update CI_ID and software update group ID.

v_AuthListInfo: contains the software update group name and update ID (CI_ID).

For reporting (ONLY), we normally have 1 software update group that contains the list of all updates (as required by the IT security team, since they decide which security patches to deploy) that have been deployed to clients, from long ago up to 2 months before the current month. Technically speaking, you cannot have more than 1000 updates in a software update group that you deploy to a collection, but since this one is used only for reporting, I can have 1000+ updates in 1 software update group, and I always make sure this SUG is at a good compliance rate for each BU.

As we move on, we add the previous month's patches to this software update group and rerun the report to reflect the status of the newly added updates against each country collection.

In this blog post, I will share a couple of SQL queries that are used in my dashboard report, to help you create your own dashboards.

P.S.: The reason for not posting the dashboard I created is that it has a lot of customizations (mostly collection IDs and software update groups) on a per-country basis, and they are unique to each organization. But I can share what the output of the dashboard looks like.

Each pie chart has a linked report to see the list of clients with a status such as missing or unknown, for troubleshooting purposes.

image

Below are a couple of SQL queries that I wanted to share with you guys.

1. How to get the list of top 5 or 10 missing patches against a particular collection for a specific software update?

In the SCCM console, if you go to the Software Updates node, you can see a lot of information for each update (Bulletin ID, Title ID, Required, Installed etc.), but there is no way to filter against a particular collection, and there is no way in the console to see the list of clients that need the patch.

You either have to use the default reports (if there is any such report) or create a custom report.

Use the query below in SSRS or SQL Server Management Studio to get the list of all updates from a particular software update group against a collection, with the missing count.

Declare @CollID nvarchar (255),@SUG nvarchar(255);
Set @CollID='PS100254';set @SUG='SUM_2016_July_All';
--CollID=Collection ID and SUG=Software update group Name

Select CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised,
case when ui.IsDeployed='1' then 'Yes' else 'No' end as 'Deployed',
SUM (CASE WHEN ucs.status=3 or ucs.status=1 then 1 ELSE 0 END ) as 'Installed/Not Required',
sum( case When ucs.status=2 Then 1 ELSE 0 END ) as 'Required'
From v_UpdateInfo ui
JOIN v_Update_ComplianceStatus ucs on ucs.CI_ID = ui.CI_ID --AND ui.IsExpired = 0 AND ui.IsSuperseded = 0
--Expired and superseded patches are included as written; to exclude them, remove the -- before AND in the line above
JOIN v_BundledConfigurationItems bci on ui.CI_ID = bci.BundledCI_ID
JOIN v_FullCollectionMembership fcm on ucs.ResourceID = fcm.ResourceID
join v_R_System sys on sys.ResourceID=ucs.ResourceID
where bci.CI_ID = (SELECT CI_ID FROM v_AuthListInfo where title=@SUG)
and fcm.CollectionID =@CollID
group by CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2),
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised, ui.IsDeployed
order by sum( case When ucs.status=2 Then 1 ELSE 0 END ) desc

If you compare the result of the above SQL query with the SCCM console, the required client count will differ from what you see in the Software Updates node. This is because the software updates in the console are not limited to any collection (they apply to all clients), whereas here we limit the software update to a particular collection.

You can use this SQL query in multiple ways as you need. For example, if someone wants to see the list of updates that are still needed by a specific collection (BU), you can simply comment out the software update group and filter only on collection; you can also do it the other way round.

To get the top 5 or 10 missing updates, simply use TOP 5 or TOP 10. The full SQL query is below:

Declare @CollID nvarchar (255),@SUG nvarchar(255);
Set @CollID='PS100254';set @SUG='SUM_2016_July_All';
--CollID=Collection ID and SUG=Software update group Name

Select top 5 CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised,
case when ui.IsDeployed='1' then 'Yes' else 'No' end as 'Deployed',
--SUM (CASE WHEN ucs.status=3 or ucs.status=1 then 1 ELSE 0 END ) as 'Installed/Not Required',
sum( case When ucs.status=2 Then 1 ELSE 0 END ) as 'Required'
From v_UpdateInfo ui
JOIN v_Update_ComplianceStatus ucs on ucs.CI_ID = ui.CI_ID --AND ui.IsExpired = 0 AND ui.IsSuperseded = 0
--Expired and superseded patches are included as written; to exclude them, remove the -- before AND in the line above
JOIN v_BundledConfigurationItems bci on ui.CI_ID = bci.BundledCI_ID
JOIN v_FullCollectionMembership fcm on ucs.ResourceID = fcm.ResourceID
join v_R_System sys on sys.ResourceID=ucs.ResourceID
where bci.CI_ID = (SELECT CI_ID FROM v_AuthListInfo where title=@SUG)
and fcm.CollectionID =@CollID
group by CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2),
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised, ui.IsDeployed
order by sum( case When ucs.status=2 Then 1 ELSE 0 END ) desc

Now we have the count of all updates for a specific update group and a specific collection with the required client count, but how do we get the list of clients that need a specific update?

This is mainly needed if you want to create a linked SSRS report to see the list of clients for a specific update for troubleshooting purposes.

SQL query to list the clients that require a specific software update:

 

Declare @CollID nvarchar (255),@SUG nvarchar(255),@title nvarchar(255);
Set @CollID='PS100254';set @SUG='SUM_2016_July_All';
set @title='Security Update for Windows Server 2008 R2 x64 Edition (KB2992611)'
--CollID=Collection ID , SUG=Software update group Name and Title= Name of Software update title

Select sys.Name0,sys.User_Name0,os.Caption0 [OS],ws.LastHWScan,uss.LastScanTime [Last SUScan],os.LastBootUpTime0
From v_UpdateInfo ui
JOIN v_Update_ComplianceStatus ucs on ucs.CI_ID = ui.CI_ID
JOIN v_BundledConfigurationItems bci on ui.CI_ID = bci.BundledCI_ID
JOIN v_FullCollectionMembership fcm on ucs.ResourceID = fcm.ResourceID
join v_R_System sys on sys.ResourceID=ucs.ResourceID
join v_GS_OPERATING_SYSTEM OS on os.ResourceID=ucs.ResourceID
join v_GS_WORKSTATION_STATUS WS on ws.ResourceID=ucs.ResourceID
right join v_UpdateScanStatus uss on uss.ResourceID=ucs.ResourceID
where bci.CI_ID = (SELECT CI_ID FROM v_AuthListInfo where title=@SUG)
and fcm.CollectionID =@CollID
AND UCS.Status='2'
and ui.Title=@title
group by
sys.Name0,sys.User_Name0,os.Caption0,ws.LastHWScan,os.LastBootUpTime0,uss.LastScanTime
order by 1

 

SQL query used in the pie chart to get the patch compliance status for a specific collection and a specific update group:

select CASE WHEN ucs.status=3 or ucs.status=1  then 'success'
When ucs.status=2 Then 'Missing'
When ucs.status=0 Then 'Unknown' end as 'Status',ucs.status [Status ID],coll.CollectionID
From v_Update_ComplianceStatusAll UCS
    left join v_r_system sys on ucs.resourceid=sys.resourceid
    left join v_FullCollectionMembership fcm on ucs.resourceid=fcm.resourceid
    left join v_collection coll on coll.CollectionID=fcm.CollectionID
    left join v_GS_OPERATING_SYSTEM os on ucs.resourceid=os.resourceid
    left join v_gs_workstation_status ws on ucs.resourceid=ws.resourceid
    left join v_updatescanstatus uss on ucs.ResourceId=uss.ResourceID
    left join v_AuthListInfo LI on li.ci_id=ucs.ci_id
where li.title='Software update group name' and coll.CollectionID='CollectionID'
and os.Caption0 not like '%2003%'
order by 1

Hope these SQL queries are helpful to you.

SCCM Configmgr software update scan failed OnSearchComplete – Failed to end search job Error 0x80072ee2


The other day, I was looking at the client health dashboard that I published long ago: https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-SSRS-2863c240 . From the dashboard report, I noticed that a couple of clients were having software update scan issues.

If a client fails to perform a successful software update scan, it is out of the patching window and will never send or receive any software updates that you deploy from SCCM. You always need to make sure your clients are performing successful software update scans on the schedule you configure in the SCCM client agent settings. Software update troubleshooting guide: http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

The report had a couple of clients with software update scan failures with lasterrorcode -2147012894, which led me to take a look at one client (XXXXXXX) and see what was happening on it.

If you want to see how your clients are performing software update scans (without the dashboard), run the SQL query below in Management Studio.

This query lists the clients that have issues with the software update scan (last scan not successful).

--SQL code list clients with software update scan failures

select distinct sys.name0 [Computer Name],os.caption0 [OS],convert(nvarchar(26),ws.lasthwscan,100) as [LastHWScan],convert(nvarchar(26),sys.Last_Logon_Timestamp0,100) [Last Loggedon time Stamp],
sys.user_name0 [Last User Name] ,uss.lasterrorcode,uss.lastscanpackagelocation from v_r_system sys
inner join v_gs_operating_system os on os.resourceid=sys.resourceid
inner join v_GS_WORKSTATION_STATUS ws on ws.resourceid=sys.resourceid
inner join v_updatescanstatus uss on uss.ResourceId=sys.ResourceID
where uss.lasterrorcode!='0'
order by uss.lasterrorcode
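The decimal lasterrorcode returned by the query and the hex code written to WUAHandler.log are the same value in two notations. The following added example (not part of the original post) groups the failing clients by error code and renders each code in hex so it can be matched against the logs; it assumes LastErrorCode fits in a 32-bit integer, and the two meanings are the ones given in this post.

```sql
-- Added example: summarise software update scan failures per error code.
-- LastErrorCode is a signed integer in the view; the client logs show the
-- same value as an unsigned hex HRESULT (-2147012894 = 0x80072EE2).
select
    uss.LastErrorCode as [Error (decimal)],
    -- varbinary(4) keeps the 32-bit pattern; style 2 prints hex without the 0x prefix
    '0x' + convert(varchar(8),
                   convert(varbinary(4), cast(uss.LastErrorCode as int)), 2)
        as [Error (hex)],
    case uss.LastErrorCode
        when -2147012894 then 'The operation timed out'                           -- 0x80072EE2
        when -2145107952 then 'Round trips to the server exceeded the maximum'    -- 0x80244010
        else 'Check WUAHandler.log and windowsupdate.log on an affected client'
    end as [Meaning],
    uss.LastScanPackageLocation as [Scan source],
    count(distinct uss.ResourceID) as [Clients],
    max(uss.LastScanTime) as [Most recent scan time]
from v_UpdateScanStatus uss
where uss.LastErrorCode <> 0
group by uss.LastErrorCode, uss.LastScanPackageLocation
order by [Clients] desc
```

A code shared by many clients that use the same scan source points at the server or network path; a code seen on only a few clients points at those clients' own settings, such as the proxy configuration discussed in this post.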

Log in to the problem client (it can be a workstation or a server), open WUAHandler.log located in C:\windows\ccm\logs, and notice the error below.

OnSearchComplete - Failed to end search job. Error = 0x80072ee2.

Scan failed with error = 0x80072ee2.

0x80072ee2 -> The operation timed out

The above log error does not give much information, so this led me to look at windowsupdate.log, located in the C:\windows folder.

This log has several entries related to proxy requests, failed sends, failed file downloads and so on.

2016-09-01    12:45:14:216     820    ce0    Misc    WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <10.133.48.48:8080> Bypass List used : <(null)> Auth Schemes used : <>

2016-09-01    12:45:14:216     820    ce0    Misc    FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2

2016-09-01    12:45:14:216     820    ce0    PT      + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0

The problematic client is healthy and able to send inventory and receive other deployments such as applications, but the software update scan fails every time.

If you look at the above log snippet, it is failing to download the cab files from the WSUS server. It looks like the client has some issue downloading the content, so how do I check what is causing the problem with the content download?

From the windowsupdate.log snippet, the client is trying to access the URL http://SCCMServerName.domain:8530/ClientWebService/WusServerVersion.xml, which failed due to proxy settings.

On another, working client, I found that the URL below succeeded, but it did not on the problem client. So I ran the URL below on the non-working client, and it surely has issues with the proxy.

http://SCCMServerName.domain:8530/ClientWebService/WusServerVersion.xml

I ran the same URL on a working client and it returned a result.

How do I fix the proxy issue on the problem client and get rid of the software update scan failures?

There is a registry key on the client machine that you will have to change to get it working. Which registry key?

Log in to a working client that reports to the same SCCM site (WSUS), open the registry editor and export the registry key below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Save it on the desktop, copy it to the problematic client and run it (double-click it).

Once the registry key is imported, open services.msc from the Run command and restart the Windows Update service.

Follow windowsupdate.log and WUAHandler.log.

After a few minutes, I noticed that the scan still failed with an error code, but this time a different one: OnSearchComplete - Failed to end search job. Error = 0x80244010.

0x80244010 -> The number of round trips to the server exceeded the maximum limit.

After a while, it will try to sync again (you don’t have to do anything) and the sync will complete successfully.

If the sync is not running, initiate a software update scan cycle and monitor WUAHandler.log.

Now go back to your site server and run the SQL query; the problematic client will no longer appear.

Summary:

For software update scan issues with error code 0x80072ee2:

Log in to a working client, export the registry key, import it into the problem client, restart the Windows Update service, wait for a while and monitor the logs.

References :

http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

http://s9org.blogspot.sg/2015/03/software-updates-are-not-getting.html

https://blogs.technet.microsoft.com/sus/2008/09/18/wsus-clients-fail-with-warning-syncserverupdatesinternal-failed-0x80244010/

SCCM Configmgr 2012 R2 SP1 download content from Microsoft updates causing client stuck at downloading policies


For the past few days, I have been working on a case with Microsoft on a client issue in which some clients get stuck downloading policies/jobs, remain in the Queued state for no apparent reason and never get deployments.

When you deploy a software update group to a collection, pay special attention to this option in the download settings: “If software updates are not available on preferred distribution point or remote distribution point, download content from Microsoft updates”

This is a new feature in Configuration Manager 2012 SP1 that allows clients to fall back and use Windows Update to download the content. The client will only download content for the updates you have approved and deployed to the client.

This is a good option to select when the content is not available on the distribution point, or when the client has some issue (possibly network) downloading the content from the distribution point: the client is directed to Microsoft Update, downloads the content and installs it.

But what happens when the client does not have access to the internet (Microsoft Update) and the content is not available on the DP? This is where the problem starts.

If you check the option “if updates not available on DP, download from Microsoft Updates” and the content is not available from the local/remote DP, clients fall back to downloading from Microsoft Update. If the download from MU also fails because of an internet connection issue, the DTS job (DataTransferService) keeps retrying the download and increments the active job count on each failure until it reaches the active job limit of 50, and the count never gets decremented.

DataTransferService.log shows:

Downloading from http://wsus.ds.download.windowsupdate.com:80/c/msdownload/update/software/secu/2016/07 without proxy encountered error: BITS error: 'The operation timed out

Context: 'The error occurred while the remote file was being processed.

QUEUE: Active job count incremented, value = 50


DTSJob {97A264D2-B234-4ED7-B1D9-257F80920063} in state 'Queued'.

If a client exhausts the active job limit, it gets stuck and never receives any policy unless you reset the active job limit.

We had successfully distributed the content to the DPs (visible in the console and reports), and hundreds of clients in the same subnet/region downloaded and installed it successfully, but not all clients.

So the only possible fix is to restart the SMS Agent Host service on the problematic clients. This resets the active job limit, and the client starts downloading policies and content without any further changes on the site server. Make sure to deselect the setting if your clients do not have access to the internet.

I am not sure whether, with the setting above selected (download content from Microsoft Update), this issue also appears in Configuration Manager current branch or only in ConfigMgr 2012.

This issue is filed as a bug on Microsoft Connect and its status is Active: https://connect.microsoft.com/ConfigurationManagervnext/feedback/details/956321/css-configmgr-2012-r2-dts-does-not-decrement-active-bits-job-counter-when-it-fails-to-download-content-from-the-mu-location

There is no updated information on this issue from the product team yet, but can we see a fix for it in the next cumulative update for ConfigMgr 2012?

SCCM Configmgr troubleshooting guides for reference


 

For the past few months, Microsoft has been publishing some great deep-dive guides on understanding and troubleshooting SCCM ConfigMgr processes, with tips and tricks that will help ConfigMgr administrators solve issues.

It is really hard to find these useful links through search engines when you need them for reference or want to send them to the team internally.

I have tracked all the useful links in my OneNote and decided to publish them for reference.

This blog post will be updated now and then when new content becomes available.

1. Understanding and Troubleshooting Content Distribution in Microsoft Configuration Manager: This guide helps administrators understand the content distribution process and serves to build a foundation for diagnosing and resolving general content distribution related problems.

2. Software Updates in Configuration Manager Current Branch Deep Dive – Client Operations

3. Troubleshooting the Database Replication Service in Microsoft Configuration Manager: This guide helps determine the type of DRS problem you are experiencing, explains how the processes work and offers troubleshooting suggestions for some of the most common problems.

4. Troubleshoot the Install Application task sequence in Microsoft Configuration Manager: This guide helps you understand the Install Application task sequence process and troubleshoot common problems that may occur. The Install Application task sequence step is used to install applications as part of the overall task sequence.

5. Troubleshooting PXE boot issues in Configuration Manager 2012: Helps administrators diagnose and resolve PXE boot failures in System Center 2012 Configuration Manager (ConfigMgr 2012 or ConfigMgr 2012 R2).

6. Software Update Management Troubleshooting in Configuration Manager: This guide helps you troubleshoot the software update management process in Microsoft System Center Configuration Manager, including client software update scanning, synchronization issues and detection problems with specific updates.

7. Configuring Software Update synchronization in System Center Configuration Manager: This guide explains the System Center Configuration Manager software update synchronization process from start to finish. Each step in the process is explained, including the various settings that control how update retrieval and synchronization are performed, common problems seen with each step in the process, as well as general troubleshooting tips.

8. Complete guide to Microsoft WSUS and Configuration Manager SUP maintenance

9. Flowchart - Update replication for System Center Configuration Manager: These data flows display the process by which an in-console update you select to install replicates to additional sites. These flows also display the process of extracting the update to run prerequisite checks and to install updates at a central administration site and at primary sites.

See you all in the next post!

SCCM Configmgr How to get list of deployments set to OverrideServiceWindows and RebootOutsideOfServiceWindows


Introduction:

A few months ago, we had an issue with a deployment (software updates) that had been deployed to a collection with the override service window option set, because an emergency patch had to be installed on the clients.

The deployment went fine and the results were positive. All good, but after a few days some clients were added to that collection. As soon as the clients were added to the collection, they received the new policy and scanned against the deployed software updates to check whether they were already installed. If the updates were not installed, the clients tried to install them right away because of the ‘Override Service Window’ setting. What happens after the installation? If the patch you have deployed to the collection requires a reboot, the client checks whether there is any maintenance window (MW) available for the reboot: if there is no maintenance window, it reboots; otherwise it waits for the maintenance window.

Unfortunately, some of the newly added clients had a maintenance window on a different collection in the next few days, which no one noticed, and the clients REBOOTED.

If any such unplanned reboot occurs, you must be in a position to explain the root cause and how you are going to prevent such issues in the future, with an RCA (root cause analysis).

So a request came in to create a report that identifies how many such deployments (application, package or software update) exist with the OverrideServiceWindows and RebootOutsideOfServiceWindows options selected.

I had some time to allocate to this request, so I am posting it here in case you need to identify such deployments (applications, packages, software updates, baselines).

These options are in the deployment settings on the User Experience tab, together with the user notifications, deadline behavior and device restart behavior settings.

 

How to get the list of deployments with OverrideServiceWindows and RebootOutsideOfServiceWindows selected?

To get information about OverrideServiceWindows and RebootOutsideOfServiceWindows for deployments, you first need to identify the right SQL views in SCCM.

All deployment information (packages, applications, baselines, software updates) is stored in a view called v_CIAssignment.

So I used this view to retrieve the information and put it in an SSRS report with options to choose Yes or No for OverrideServiceWindows and RebootOutsideOfServiceWindows.
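A query along the lines described above, as an added example; it is not the query behind the downloadable report. It assumes that v_CIAssignment exposes the two settings as columns named OverrideServiceWindows and RebootOutsideOfServiceWindows (1 = selected) next to AssignmentName, CollectionID, CollectionName, StartTime and EnforcementDeadline, and it adds a deadline check and a member count because the incident above involved clients joining a collection after the deadline.

```sql
-- Added example: deployments that override maintenance windows.
-- Assumption: the column names below exist in v_CIAssignment as described
-- in the lead-in; verify them against your site database before use.
declare @Override int, @RebootOutside int;
set @Override = 1;        -- 1 = Yes, 0 = No
set @RebootOutside = 1;   -- 1 = Yes, 0 = No

select cia.AssignmentID,
       cia.AssignmentName,
       cia.CollectionID,
       cia.CollectionName,
       cia.StartTime,
       cia.EnforcementDeadline,
       -- A deadline in the past means a client added to the collection today
       -- acts on the deployment as soon as it receives the policy.
       -- The comparison uses the SQL Server clock; deadlines stored in UTC
       -- can differ from it by the time-zone offset.
       case when cia.EnforcementDeadline < getdate()
            then 'Yes' else 'No' end   as [Deadline passed],
       count(fcm.ResourceID)           as [Current members]
from v_CIAssignment cia
left join v_FullCollectionMembership fcm
       on fcm.CollectionID = cia.CollectionID
where cia.OverrideServiceWindows = @Override
  and cia.RebootOutsideOfServiceWindows = @RebootOutside
group by cia.AssignmentID, cia.AssignmentName, cia.CollectionID,
         cia.CollectionName, cia.StartTime, cia.EnforcementDeadline
order by [Deadline passed] desc, cia.EnforcementDeadline
```

Rows with both settings selected and a passed deadline are the ones to review before adding machines to the target collection, since new members install and restart without waiting for a maintenance window.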

How to identify whether the deployment is a package, an application or a software update?

Use the numbers below to identify the deployment or package type.

When 0 Then 'Package'
When 2 Then 'Application'
When 3 Then 'Driver'
When 4 Then 'Task Sequence'
When 5 Then 'Software Update'
When 7 Then 'Virtual'
When 257 Then 'Image'
When 258 Then 'Boot Image'
When 259 Then 'OS Package'

This is how the report works: choose the options you want and, based on the selection, the report gives you the deployment information.

As usual, I have posted the report to the TechNet Gallery. Download it from Here, upload it to your SSRS reports, change the data source and run it.
