MrHaugen's Achievements





  1. Not much response here. Are there other forums with more people that can help with these subjects?
  2. Hello, I'm having a problem with my patch management collection queries. We want to make sure that we do not include manually patched servers in our SCCM patch management, and want to control this through an Exclusion group in AD. I'm having a hard time getting the correct results though. I want to include servers in Group A, and I want to remove servers that are included in Group B. The point is to remove servers that are in both groups. As a kind of fail safe. I've gotten this far:

     select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName like "Domain\\G_Patch_server_Pilot" and SMS_R_System.ResourceId not in (select ResourceID from SMS_R_System where SMS_R_System.SystemGroupName = "Domain\\G_Patch_server_Exclusions")

     This gives me the servers in the G_Patch_server_Pilot group from the correct domain, but it does not honor the Exclusion groups that are not supposed to be added to the query. If I do the same query with OUs, I get the desired result:

     select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName like "Domain.com/Machines/Servers" and SMS_R_System.ResourceId not in (select ResourceID from SMS_R_System where SMS_R_System.SystemOUName = "Domain.com/Machines/Servers/Database")

     This query will exclude the sub OU called Databases. We cannot, however, base this on OUs, as there are different types of servers that need to be excluded. What am I doing wrong here?
  3. There are only single patches under Repository -> Critical/Security Updates -> Windows Server 2003. So the problem is only in the search folders, it seems. And YES, I have messed a bit with our WSUS server. The problem might very well be from the mistake I made there a few months ago. Before I learned how SCCM operates, I was more familiar with WSUS, and I activated the Automatic Approval of 2003 Critical and Normal Security updates, as I have done in the past with WSUS-only environments. It was only for a few minutes, but it was enough to start lots of downloads to the server. After disabling this, I have not encountered any serious issues until now. I am wondering why the new patches are still doubled up though. Should it not only be the case with the updates I approved earlier? Anyone have some clue as to where I can start to correct this mistake? If this is the underlying issue, that is.. Here's some more background info on the mess I made back then: Older Windows-Noob post
  4. We're starting to use SCCM 2007 for security patching of our servers now. I'm using some time to standardize things in the different fields like collections, update lists, deployment packages, search folders etc. The search folders are proving to give some strange results. When I'm making search folders, I'm always presented with double patches for Windows Server 2003. All other server versions do not present these double patches. As an example, I have Search Folders for the last month for both 2003 and 2008 server.

     2008 Search Criteria = Date Released: Last 1 Month, Expired: No, Superseded: No, Product: Windows Server 2008
     2003 Search Criteria = Date Released: Last 1 Month, Expired: No, Superseded: No, Product: Windows Server 2003 or 2003 Datacenter

     As you can see from the last picture, the 2003 Search Folder is giving double updates. Security and other updates. Every possible column in this view has the exact same data (I've added all columns to be sure). Even the Unique Patch Identifier is identical. I cannot figure out why! This is not an emergency, as the patches are not doubling up when I make Update lists from these search folders, but this is something I would like to fix nonetheless. Do you have any idea as to why this is happening? Where do I start?
  5. Guess I'll just have to be very thorough when I'm making the packages then. Have to go through the old patch bulletins to get it all. Let's hope it's only the expired and superseded updates that are missing.
  6. That's the big problem. I don't. In your list you have 18, 24, 25, 53. If I make the exact same search criteria I get only MS10-002 and MS09-025. I've made several search folders. One clean with only MS10 as Bulletin Search criteria. One with 2010 Updates with Expired set to Yes, and one with 2010 updates with Superseded set to Yes. It is absolutely possible that these patches I can't see have expired or been superseded, but I should have seen them in one of my many lists. I'm getting rather concerned about what else might be missing and why. Maybe this has something to do with my "accidental" WSUS approval after all? Do you know how I can check the actual location of the patches? Is it taken from our WSUS server, or is WSUS just providing a list of updates from Microsoft? There are also other patches, like Office patches, that are not on this list, like MS10-038, but those have been filtered out by WSUS earlier and just recently been added to the WSUS categories. Something seems to be off. Do you guys have some ideas as to where to start looking? I'm just too new to SCCM to figure out how all this is working.
  7. Yes, you're correct about MS10-002. It was my fault to take this as an example. Did not check my two search folders on that one, I think. I did on both MS10-006 and 018 though, and they are not shown in my Search Folder with or without the Expired and Superseded options. Why is that? Has MS not been consistent in their patch tagging or what? When I notice irregularities like this, I'm a bit concerned about rolling out bundles of patches. New monthly patches will not be that much of a problem, as I'll check every single one. But I do not want to look through all previous patches.
  8. *Quick update* The MS10-002 is actually a Cumulative security update, which has been superseded or expired. It does not show up when selecting No on Expired and Superseded. MS10-006 and another example like MS10-018 should be in the list though. I've checked several updates, and on the WSUS server I can see no differences in the patches.
  9. Ok..... Glad it's not just me then. Where are the rest of the Security Bulletins? Probably something very logical here I'm missing. Let's take a couple of examples of the "missing" patches.

     MS10-002: Microsoft Security Bulletin MS10-002 - Critical. Cumulative Security Update for Internet Explorer (978207). Rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003)

     MS10-006: Microsoft Security Bulletin MS10-006 - Critical. Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251). Rated Critical for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows 7, and Windows Server 2008 R2, and is rated Important for Windows Vista and Windows Server 2008

     The first one is not for any particular OS, so if we have somehow managed to select only patches for OS, that would explain something. But I'm missing OS patches also. I don't see the connection. If I go to Security Updates and All Updates instead of the Search Folders, I'm still left with the same incomplete list. Where have those other patches gone? What am I not seeing here?
  10. Thanks! Here's a screenshot of a small part of the list, together with the Search Folder Criteria. Just tell me if there is some more info or images that are required.
  11. Hi, I've played a bit with our new SCCM setup, and I've messed it up a bit, I think. Before I read that SCCM should be the only way you approve updates, I managed to approve a whole lot of security updates in WSUS. What I did was to go to the options for automatic approval in WSUS, and chose to automatically approve all security updates. Immediately after, I thought that this might be stupid, so I turned it off, and unapproved all patches. But the damage was done. The server started downloading a lot of patches over the next couple of days. Now it holds about 25GB worth of patches. Now, when I go to SCCM and check the Search Folders for, for instance, all Bulletin IDs with MS10, I only get a partial list. MS10-001, MS10-002, MS10-005, MS10-007 and so on. It looks like this is only the patches that WSUS downloaded. The WSUS has a SUP configured. I've tried to Synchronize the Update Repository, but the list is still incomplete. It's like there is no connection to Microsoft's online software library, and I can only see the downloaded WSUS items. Do any of you have an idea on how I can correct this mistake, and start to use SCCM exclusively for software approval and deployment?