

wobmewin

Compliance Reporting Incorrectly - Updates Not Showing Deployed on Server


I am seeing an issue on Server 2012 R2 Clients that are reporting ‘Compliant’ in SCCM against a Windows Update Deployment but when I look on the server I am not seeing the KBs in the deployment installed under ‘Installed Updates’.

On the 2008 R2 servers everything is installing properly.

Below is a screenshot showing nothing installed on Server for some time. But yet this server is compliant against all Monthly deployments in SCCM.

 

I am still digging into the SCCM and Windows Update logs. Wondering if anyone has come across this issue.



I like looking at the update history by going to Windows Updates, then clicking View Update History and sorting by date installed there.

By doing it in the programs menu like you are doing, it does a group organization, so depending on how you have it grouped it sorts them. So you're saying that in all the groups that you're arranged in nothing later than 5/20/2015 is installed?


I am not seeing anything installed between 8/13/2014 - 5/20/2015. Yet all deployments for Critical/Security, that also have 2012 R2 Security patches, report those servers are in compliance. Seems odd that none of the Security patches between 8/13/2014 - 5/20/2014 apply to any of these servers. Some are just general OS Security patches.

I have run Windows Updates, bypassing SCCM and looking to the internet, on one of those Servers and it shows multiple Security Patches required. However, as I have been checking them in WSUS and SCCM I am noticing the ones from the internet are old and have been superseded. But the newer update that superseded the old one is in SCCM and part of a deployment. However it is not installed to the server, yet the server is in compliance to that deployment the update is a part of.

 

This has led me to more questions and attempts to understand logic in SCCM....

 

For Instance......
If I run Windows Updates from one of the 2012 R2 Servers to look to the internet (bypassing SCCM) it comes up with a bunch of Security Updates not applied.
When I look for this Update in WSUS it exists but does not show in SCCM search - The reason for this, as I discovered, is it has been superseded by another update so when SCCM syncs it appears to not be pulling in updates that have already been superseded. (makes sense)
However, The Security Update that Supersedes this old Update is in SCCM and part of one of my deployments in May. However, I do not see this KB installed on the 2012 R2 Server, yet the Software Update Group that contains this update states this server is in Compliance.

Does the old superseded update need to be installed in order for the server to see this new Security Update as "Required" that takes its place?

 

And....

In SCCM where it shows a Software Update with a 'Required' count and an 'Installed' count - Is a server that gets an update deployed via SCCM no longer part of that 'Required' count and moved under the 'Installed' count?
I am seeing the percentage of 'Percent Compliant' on many updates not calculating correctly according to Required/Installed.
Also, is there a way to see all servers that are part of the Required count to confirm what servers do not have the update installed?
I would like to see all servers part of that 'Required' count for a particular Software Update. Not seeing a report yet or able to click into the summary of the Update.

 

Thanks again for any light you can help shed on this matter. I've looked this up and see others with the same questions but never really an answer in how the logic works which may answer why certain things are functioning in this manner.



I'm having the same issue with my Windows updates. I deploy critical updates to servers once a year and my server 2008 R2 device collection was last updated August 2014. New deployment (all critical updates) was done last week and some of my servers are showing compliant even though I can't see any updates since August 2014.

 

Tried below and when I run the x64 msu it says "the update is not applicable to your computer"

http://blogs.technet.com/b/configurationmgr/archive/2015/04/15/support-tip-configmgr-2012-update-scan-fails-and-causes-incorrect-compliance-status.aspx


I am having the exact same issue. In fact, the only patches applied to my servers are those installed at time of deployment. Has anybody found a solution to this?


I've come across the same issue and was sure it was a ConfigMgr \ Client Agent \ WUAgent \ WMI etc. issue. But, I found the following

 

https://support.microsoft.com/en-us/kb/2919355

 

All security and non-security updates will depend on the April 2014 roll-up noted above... If you install manually, you will need to install the package in a specific order noted below.

1) clearcompressionflag.exe
2) KB2919355
3) KB2932046
4) KB2959977
5) KB2937592
6) KB2938439
7) KB2934018

 

Prior to me installing KB2919355 I would only see 48 Instances when querying WMI (SELECT * FROM CCM_UpdateStatus) which is in the following WMI Class (Root\ccm\SoftwareUpdates\UpdatesStore). After installing them and forcing a Scan \ Deployment evaluation cycle and resyncing compliance state messages I now see 421 instances. I can correlate these in the UpdatesStore.log and they show up as "Missing" Updates which correlates to my Compliance Reports.

 

Not a bad idea to update WUA on the server. The following URL will point you to the March 2016 update. You will not be able to install this until KB2919355 is installed...

 

https://support.microsoft.com/en-us/kb/3138615

 

Hope this helps...

 

 

 

 

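The check described in the post above, as an added PowerShell example that is not part of the original thread: it tests for the KB2919355 prerequisite, counts the CCM_UpdateStatus instances in the namespace the post names, and lists what the client reports as "Missing". It assumes an elevated session on a server with the ConfigMgr client installed; the `Status`, `Article`, `Bulletin` and `Title` property names are those of the CCM_UpdateStatus class.

```powershell
# Added example (not from the original post): verify what the ConfigMgr
# client has actually evaluated before trusting a "Compliant" state.
$prereq    = 'KB2919355'                              # roll-up named in the post
$namespace = 'root\ccm\SoftwareUpdates\UpdatesStore'  # namespace named in the post

# 1. Is the April 2014 roll-up present? Later updates depend on it.
$hotfix = Get-HotFix -Id $prereq -ErrorAction SilentlyContinue
if ($hotfix) {
    "{0} is installed (InstalledOn: {1})" -f $prereq, $hotfix.InstalledOn
} else {
    "{0} is NOT installed; updates that depend on it will not be evaluated" -f $prereq
}

# 2. How many updates has the client evaluated? A very low count
#    (the post saw 48 before the roll-up, 421 after) suggests the scan
#    is not seeing most of the catalogue.
try {
    $updates = @(Get-WmiObject -Namespace $namespace `
                               -Query 'SELECT * FROM CCM_UpdateStatus' `
                               -ErrorAction Stop)
} catch {
    Write-Warning "Cannot query $namespace : $($_.Exception.Message)"
    return
}
"CCM_UpdateStatus instances: {0}" -f $updates.Count

# 3. Breakdown by status (for example Installed / Missing).
$updates |
    Group-Object -Property Status |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count |
    Format-Table -AutoSize

# 4. Updates the client itself reports as missing, one row per KB article.
$updates |
    Where-Object { $_.Status -eq 'Missing' } |
    Sort-Object -Property Article -Unique |
    Select-Object -Property Article, Bulletin, Title |
    Format-Table -AutoSize -Wrap
```

Run it before and after installing the roll-up and forcing a scan and deployment evaluation cycle; the instance count and the "Missing" list are what should line up with UpdatesStore.log and the compliance reports.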

In my instance on Server 2012 Standard, no updates showed up as being installed after the deployment of the server in "View Update History". But when I clicked on the "Installed Updates" link at top of that page, my recent updates showed up as installed on that page.
