I am not seeing anything installed between 8/13/2014 - 5/20/2015. Yet all deployments for Critical/Security, that also have 2012 R2 Security patches, report those servers are in compliance. Seems odd that none of the Security patches between 8/13/2014 - 5/20/2014 apply to any of these servers. Some are just general OS Security patches.
I have run Windows Updates, bypassing SCCM and looking to the internet, on one of those Servers and it shows multiple Security Patches required. However, as I have been checking them in WSUS and SCCM, I am noticing the ones from the internet are old and have been superseded. But the newer update that superseded the old one is in SCCM and part of a deployment. However, it is not installed on the server, yet the server is in compliance with the deployment that the update is a part of.
This has led me to more questions and attempts to understand the logic in SCCM...
For instance... If I run Windows Updates from one of the 2012 R2 Servers to look to the internet (bypassing SCCM), it comes up with a bunch of Security Updates not applied. When I look for this Update in WSUS it exists but does not show in SCCM search. The reason for this, as I discovered, is it has been superseded by another update, so when SCCM syncs it appears to not be pulling in updates that have already been superseded (makes sense). However, the Security Update that supersedes this old Update is in SCCM and part of one of my deployments in May. However, I do not see this KB installed on the 2012 R2 Server, yet the Software Update Group that contains this update states this server is in Compliance. Does the old superseded update need to be installed in order for the server to see this new Security Update that takes its place as "Required"?
In SCCM, where it shows a Software Update with a 'Required' count and an 'Installed' count: is a server that gets an update deployed via SCCM no longer part of that 'Required' count, and does it move under the 'Installed' count? I am seeing the percentage of 'Percent Compliant' on many updates not calculating correctly according to Required/Installed. Also, is there a way to see all servers that are part of the Required count to confirm what servers do not have the update installed? I would like to see all servers that are part of that 'Required' count for a particular Software Update. Not seeing a report yet or able to click into the summary of the Update.
Thanks again for any light you can help shed on this matter. I've looked this up and see others with the same questions but never really an answer on how the logic works, which may answer why certain things are functioning in this manner.