Apologies if this is a repeat thread, but I haven't been able to find the correct info I'm looking for here or anywhere else on the web.  I have been using SCCM for quite some time, but only recently started using the SUP portion of it.  I have created a Software Update Group with 119 updates contained in it (essentially all Windows 10 updates) as a baseline to push out to my machines to make sure that they are as up to date as possible.  However, the only thing that appears in the Software Center is the Windows Malicious Software Removal Tool.  I have a few Windows 7 machines still in my network (I know, I know...) and when I created the baseline SUG for that, it picked up all the updates and went exactly as expected.  Seems to be specific to Windows 10 and, from what I can gather on the web, is likely related to Dual Scan.  However, I have disabled Dual Scan via GPO, but just can't quite get it to work and am pretty confused as lots of sites seem to say different things about the setup.  A few things to note...

- I have "Do not allow update deferral policies to cause scans against Windows Update" enabled via GPO

- I have "Specify intranet Microsoft update service location" enabled via GPO with the needed URL/Port settings

- My UpdatesStore.log file shows as querying against 119 updates...but then only installs the Microsoft Tool mentioned above.

- If I run a compliance report from SCCM, it shows the machines as being up to date.  My theory on that though is that since they are only applying the Microsoft Tool and that is what is showing as needing to install, it "thinks" that it is compliant.

- Have confirmed that updates are not installing as, if I click the "Check online for updates from Microsoft Update", it finds the needed updates.


I'm sure I'm probably missing something obvious, but am about at my wits' end trying to figure this out, as I was really proud of myself when I saw my compliance numbers rise substantially when I first deployed everything...then I started to notice that they weren't actually installing all of the updates.

So a couple updates / notes:

- I went ahead and tried removing all GPO settings I had related to updates, did a gpupdate /force on my test VM and re-ran both the Software Updates Deployment Evaluation Cycle and the Software Updates Scan Cycle...no luck
- In addition to the Windows Malicious Software Removal Tool being installed correctly, I have also noticed that Windows Defender updates are installing normally even though I'm not actually pushing out those via SCCM, so I assume those are coming directly from Microsoft
- I reimaged my test VM just to make sure it wasn't something in my VM as well as checked a few student desktops in one of our labs...still no updates deploying.
- I did notice as well in UpdatesDeployment.log the following error: EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0
- From the way I read that, it is seeing the updates in SCCM, but is thinking, for some reason, that they aren't actually "actionable", meaning needing to be installed
- Have noticed that when I go into my Search Criteria for All Software Updates, if I choose "required" (set greater than or equal to 1), most of my updates show fewer than 20 machines requiring the update, but the MS Malicious Software Removal Tool is required by over 2000 machines (about the size of my network).

Really is an odd issue and has to be something that I'm missing on this one...

Have you used a tool like Roger Zander's Client Center (https://github.com/rzander/sccmclictr) or the MS Client Support Center tool (https://docs.microsoft.com/en-us/configmgr/core/support/support-center) to examine a client?

What I would look for is things like... "is the last scan version matching what my environment says" (in the CM console: Monitoring, Software Update Point Synchronization Status, the Catalog Version); that'll be the catalog version I'd want my clients to have used.

Is WUAHandler.log scanning successfully?

In those tools, you can see what CM believes locally is deserved or installed for updates, as scanned by the CM client.  When you say "locally just MSRT... but when I go directly to Microsoft, I deserve more" -- are those updates listed locally by the CM client?  If not, are those updates even in CM?  (EXACTLY those updates, by title and KB article -- maybe you're missing a category in your CM SUP rules for what patch info to download.)


  • Thanks 1
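A PowerShell script that gathers, on one client, the evidence the reply above asks for and the points the two earlier posts raise: the Dual Scan and intranet-WSUS policy values the GPOs write, the update services the Windows Update Agent has registered, the SUP location and catalog version the CM client last scanned against (to compare with the console's Catalog Version), what the CM client itself believes is applicable, and the "Total actionable updates" line from UpdatesDeployment.log. This is an added example, not code from the thread or from the Client Center / Support Center tools it mentions. It assumes the standard policy registry path, the client WMI namespaces root\ccm\ClientSDK and root\ccm\SoftwareUpdates\WUAHandler with the CCM_SoftwareUpdate and CCM_UpdateSource classes, and the default C:\Windows\CCM\Logs location; the function names and the -ExpectedCatalogVersion parameter are this example's own.

```powershell
# Added example (not from the thread or the tools it names). Run in an elevated
# PowerShell session on a Windows 10 client that has the ConfigMgr client installed.
# -ExpectedCatalogVersion is an assumption of this example: paste in the Catalog Version
# shown under Monitoring > Software Update Point Synchronization Status in the CM console.

function Get-WuPolicyState {
    # Policy values written by the two GPOs the question mentions.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $a  = Get-ItemProperty -Path (Join-Path $wu 'AU') -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer        = $p.WUServer          # "Specify intranet Microsoft update service location"
        WUStatusServer  = $p.WUStatusServer
        UseWUServer     = $a.UseWUServer       # 1 = scan against the intranet WSUS/SUP
        DisableDualScan = $p.DisableDualScan   # 1 = "Do not allow update deferral policies to cause scans against Windows Update"
    }
}

function Get-WuaServiceState {
    # Update services the Windows Update Agent has registered and which one is its default.
    $mgr = New-Object -ComObject Microsoft.Update.ServiceManager
    $mgr.Services | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; ServiceID = $_.ServiceID; IsDefaultAUService = $_.IsDefaultAUService }
    }
}

function Get-CmScanSource {
    param([string]$ExpectedCatalogVersion)
    # SUP URL and catalog version the CM client last scanned against, compared with the console value.
    Get-CimInstance -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' -ClassName CCM_UpdateSource |
        Select-Object ContentLocation, ContentVersion,
            @{ n = 'MatchesConsole'; e = { if ($ExpectedCatalogVersion) { $_.ContentVersion -eq $ExpectedCatalogVersion } else { $null } } }
}

function Get-CmUpdateSummary {
    # Updates the CM client currently considers applicable, grouped by evaluation state.
    # EvaluationState: 0 = none, 1 = available, 8 = pending soft reboot, 9 = pending hard reboot, 13 = error.
    Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName CCM_SoftwareUpdate |
        Group-Object EvaluationState |
        ForEach-Object {
            [pscustomobject]@{
                EvaluationState = $_.Name
                Count           = $_.Count
                SampleTitles    = ($_.Group.Name | Select-Object -First 5)
            }
        }
}

function Get-CmLogEvidence {
    # The log lines the thread discusses: actionable-update count and the last scan-related lines.
    $logDir = 'C:\Windows\CCM\Logs'
    [pscustomobject]@{
        ActionableUpdates = Select-String -Path (Join-Path $logDir 'UpdatesDeployment.log') -Pattern 'Total actionable updates = \d+' |
                            Select-Object -Last 3 -ExpandProperty Line
        ScanResults       = Select-String -Path (Join-Path $logDir 'WUAHandler.log') -Pattern 'scan' |
                            Select-Object -Last 5 -ExpandProperty Line
    }
}

function Invoke-CmUpdateCycles {
    # Triggers the two client actions the second post ran: Scan Cycle (113) and Deployment Evaluation (108).
    foreach ($id in '{00000000-0000-0000-0000-000000000113}', '{00000000-0000-0000-0000-000000000108}') {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client -MethodName TriggerSchedule `
            -Arguments @{ sScheduleID = $id } | Out-Null
    }
}

# Usage: collect everything in one pass (re-run after Invoke-CmUpdateCycles and a few minutes' wait).
Get-WuPolicyState
Get-WuaServiceState | Format-Table -AutoSize
Get-CmScanSource -ExpectedCatalogVersion '<catalog version from the CM console>'
Get-CmUpdateSummary | Format-Table -AutoSize
Get-CmLogEvidence | Format-List
```

If the catalog version the client scanned against is behind the console's, or WUAHandler.log shows failed scans, the "Total actionable updates = 0" line is a symptom of the scan rather than of the deployment. If the scan is current and CCM_SoftwareUpdate still lists only MSRT, the missing updates are the ones to look up by title and KB in the console, as the reply suggests.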
