Posts posted by MrHaugen

  1. Hello

     

    I'm having a problem with my patch management collection queries. We want to make sure that we do not include manually patched servers in our SCCM patch management, and want to control this through an Exclusion group in AD. I'm having a hard time getting the correct results though. I want to include servers in Group A, and I want to remove servers that are included in Group B. The point is to remove servers that are in both groups, as a kind of fail-safe.

     

    I've gotten this far:

     

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
    from SMS_R_System
    where SMS_R_System.SystemGroupName like "Domain\\G_Patch_server_Pilot"
      and SMS_R_System.ResourceId not in (
        select ResourceID from SMS_R_System
        where SMS_R_System.SystemGroupName = "Domain\\G_Patch_server_Exclusions")
    

     

     

    This gives me the servers in the G_Patch_server_Pilot group from the correct domain, but it does not honor the Exclusion groups that are not supposed to be added to the query. If I do the same query with OUs, I get the desired result:

     

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
    from SMS_R_System
    where SMS_R_System.SystemOUName like "Domain.com/Machines/Servers"
      and SMS_R_System.ResourceId not in (
        select ResourceID from SMS_R_System
        where SMS_R_System.SystemOUName = "Domain.com/Machines/Servers/Database")
    

     

     

    This query will exclude the sub OU called Databases. We cannot, however, base this on OUs, as there are different types of servers that need to be excluded. What am I doing wrong here?

  2. Strange..

     

    I would have a look in one of the 2003 folders below update repository...to check if I had doubles there as well.

    If this is the case then you probably have some kind of meta data error in your database..

     

    Have you made any configuration in your WSUS console?

     

    There are only single patches under Repository -> Critical/Security Updates -> Windows Server 2003. So the problem is only in the search folders it seems.

     

    And YES, I have messed a bit with our WSUS server. The problem might very well be from the mistake I made there a few months ago. Before I learned how SCCM operates, I was more familiar with WSUS, and I activated the Automatic Approval of 2003 Critical and Normal Security updates, as I have done in the past with WSUS-only environments :( It was only for a few minutes, but it was enough to start lots of downloads to the server. After disabling this, I have not encountered any serious issues until now. I am wondering why the new patches are still doubled up though. Should it not only be the case with the updates I approved earlier?

     

    Anyone have some clue as to where I can start to correct this mistake? If this is the underlying issue, that is..

     

    Here's some more background info on the mess I made back then: Older Windows-Noob post

  3. We're starting to use SCCM 2007 for security patching of our servers now. I'm using some time to standardize things in the different fields like collections, update lists, deployment packages, search folders etc. The search folders are proving to give some strange results. When I'm making search folders, I'm always presented with double patches for Windows Server 2003. All other server versions do not present these double patches.

     

    As an example I have Search folders for the last month for both 2003 and 2008 server.

    2008 Search Criteria = Date Released: Last 1 Month, Expired: No, Superseded: No, Product: Windows Server 2008

    SCCM%20Search%20Folders%202008.JPG

     

    2003 Search Criteria = Date Released: Last 1 Month, Expired: No, Superseded: No, Product: Windows Server 2003 or 2003 Datacenter

    SCCM%20Search%20Folders%202003.JPG

     

    As you can see from the last picture, the 2003 Search Folder is giving double updates. Security and other updates. Every possible column in this view has the exact same data (I've added all columns to be sure). Even the Unique Patch Identifier is identical. I cannot figure out why! This is not an emergency, as the patches are not doubling up when I make Update lists from these search folders, but this is something I would like to fix nonetheless. You got any idea as to why this is happening? Where do I start?

  4. That's the big problem. I don't. In your list you have 18, 24, 25, 53. If I make the exact same search criteria I get only MS10-002 and MS09-025.

     

    I've made several search folders. One clean with only MS10 as Bulletin Search criteria. One with 2010 Updates with Expired set to Yes, and one with 2010 updates with Superseded set to Yes. It is absolutely possible that these patches I can't see have expired or been superseded, but I should have seen them in one of my many lists. I'm getting rather concerned about what else might be missing and why. Maybe this has something to do with my "accidental" WSUS approval after all? You know how I can check the actual location of the patches? Is it taken from our WSUS server, or is WSUS just providing a list of updates from Microsoft?

     

    There are also other patches, like Office patches, that are not on this list, like MS10-038, but those have been filtered out by WSUS earlier and just recently been added to the WSUS categories.

     

    Something seems to be off. You guys have some ideas as to where to start looking? I'm just too new to SCCM to figure out how all this is working.

  5. Yes, you're correct about MS10-002. It was my fault to take this as an example. Did not check my two search folders on that one I think.

    I did on both MS10-006 and 018 though, and they are neither shown in my Search Folder with or without Expired and Superseded options. Why is that? Has MS not been consistent in their patch tagging or what? When I notice irregularities like this, I'm a bit concerned about rolling out bundles of patches. New monthly patches will not be that much of a problem, as I'll check every single one. But I do not want to look through all previous patches.

  6. Ok..... Glad it's not just me then :) Where is the rest of the Security Bulletins? Probably something very logical here I'm missing.

     

    Let's take a couple of examples of the "missing" patches.

     

    MS10-002:

    Microsoft Security Bulletin MS10-002 - Critical

    Cumulative Security Update for Internet Explorer (978207)

    Rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003)

     

    MS10-006:

    Microsoft Security Bulletin MS10-006 - Critical

    Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)

    Rated Critical for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows 7, and Windows Server 2008 R2, and is rated Important for Windows Vista and Windows Server 2008

     

     

     

    The first one is not for any particular OS, so if we have somehow managed to select only patches for OS, that would explain something. But I'm missing OS patches also. I don't see the connection.

    If I go to Security Updates and All Updates instead of the Search Folders I'm still left with the same incomplete list. Where have those other patches gone? What am I not seeing here?

  7. Hi

     

    I've played a bit with our new SCCM setup, and I've messed it up a bit I think. Before I read that SCCM should be the only way you approve updates, I managed to approve a whole lot of security updates in WSUS. What I did was to go to the options for automatic approval in WSUS, and chose to automatically approve all security updates. Immediately after I thought that this might be stupid, so I turned it off, and unapproved all patches. But the damage was done. The server started downloading a lot of patches over the next couple of days. Now it holds about 25GB worth of patches.

     

    Now, when I go to SCCM and check the Search Folders for, for instance, all Bulletin IDs with MS10, I only get a partial list. MS10-001, MS10-002, MS10-005, MS10-007 and so on. It looks like this is only the patches that WSUS downloaded. The WSUS has a SUP configured. I've tried to Synchronize the Update Repository, but the list is still incomplete. It's like there is no connection to Microsoft's online software library, and I can only see the downloaded WSUS items.

     

    Any of you have an idea on how I can correct this mistake, and start to use SCCM exclusively for software approval and deployment?
