Jump to content

Steve G.

Seeking Advice on Update Compliance Reports

Recommended Posts

I've been tasked to generate some reports that will show update compliance. The thing that is not easy for the requestor to appreciate readily is that our enterprise has thousands of computers and there are thousands of updates in question. So, how can such information be presented in a spreadsheet in a practical, digestible fashion?


I could try to generate a report that shows all the computers and then puts their compliance stats next to them (updates #, required #). Or I could try to generate an even more elephantine report with all deployed updates and their compliance stats (computers installed #, computers required #, unknown #, compliance %). Doesn't look like there's a canned report that does either of these for me.


The absence of a canned report gives me the suspicion that I'm missing out on a proper way to skin the cat. Our SCCM environment haven't utilized either update lists or configuration baselines, so would these be of help?




EDIT: Just to clarify, I am talking about overall compliance for updates, not a single specific update or deployment.

Edited by Steve G.

Share this post

Link to post
Share on other sites

I have been looking for a reliable report as well. I was using the Compliance 1 - Overall Compliance report for a long time until I started to have problems with my servers showing as non compliant or compliance unknown. I would check the server and it would appear as though the server was actually compliant. I would try to force a state message but that would not resolve the issue. After submitting a Microsoft ticket, they told me that the Overall Compliance reports works off of WSUS and not the actual deployments I made. They told me to utilize States 3 - States for a deployment and computer. However, I question whether or not that is the correct report as well.


I would love to hear other people weigh on this as well.

Share this post

Link to post
Share on other sites

Can't you just use the buildin report of Compliance 1 - Overall compliance. With that report you can see the overall compliance of a software update group to a collection.

The overall compliance report works off of an update list. So essentially, I'd have to build a massive update list with every update. I suspect that if I made it something broad like all Windows 7 updates, I'd wind up hitting the same kind of cap I run into with software update groups in SCCM 2012.


Worse still, if it is similar to the Overall Compliance report in 2012, then it's just as impractical. What that particular report does is show compliance as a binary state. Computers are either compliant (because they have every update in the specified SUG) or non-compliant (because they are missing even just one). The user can then drill into the report by clicking on individual computers to see all the updates in the universe that are applicable to it (even those not deployed to the SUG), with asterisks in the "Approved", "Installed", and "Required" columns. This does not seem to be an effective means for an admin to provide management with a snapshot view of update compliance.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...