Channel: ConfigMgr (SCCM) – All about Microsoft Endpoint Manager

Using Scripts to trigger software updates remotely from the SCCM console


A quick blog post on triggering the installation of software updates (missing, failed, or available in Software Center) remotely from the console using the built-in Scripts feature.

You may have deployed software updates to your clients and then found, during the Windows Update compliance check, that some clients are still reporting as non-compliant (Required).

There could be several reasons why a client is still reporting as non-compliant. For more information about the software update compliance states, please refer to https://docs.microsoft.com/en-us/mem/configmgr/sum/understand/software-updates-introduction#software-updates-compliance-states

To check whether the client has updates available in Software Center that are waiting for a maintenance window, failed to install, or are pending for some other reason, and to trigger their installation, we can make use of the built-in Scripts feature.


The following PowerShell script checks for updates that are pending on the client (Microsoft or 3rd party) and triggers their installation. Running it ignores the maintenance window ONLY (if you have one); the reboot behaviour still follows the deployment settings.

To create and run a PowerShell script from the console, follow the guide linked here and use the following script.

# Updates the client has evaluated as required but not yet installed (ComplianceState = 0)
$MissingUpdates = Get-WmiObject -Class CCM_SoftwareUpdate -Filter "ComplianceState=0" -Namespace root\CCM\ClientSDK
# InstallUpdates expects an array of CCM_SoftwareUpdate object references
$MissingUpdatesReformatted = @($MissingUpdates | ForEach-Object { if ($_.ComplianceState -eq 0) { [WMI]$_.__PATH } })
if ($MissingUpdatesReformatted)
{
    # Trigger the installation through the client SDK (this bypasses the maintenance window only)
    $InstallReturn = Invoke-WmiMethod -ComputerName $env:computername -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdatesReformatted) -Namespace root\ccm\clientsdk
    Write-Host "Updates found, initiated"
}
else
{
    Write-Host "No updates found"
}

Once the script is created and approved, you can run it against an individual device or a device collection.

Script output:



What is new in Configuration Manager 2107 Reporting


Microsoft has released update 2107 for Configuration Manager (Current Branch), which is now available as an in-console update. You don’t need to run the opt-in script.

You can apply this update on sites that run version 2002 or later. If you are running an older version of Configuration Manager, you will first need to update the site to a supported version shown in the console, and then update to 2107.

For a list of new features and improvements in Configuration Manager 2107, please read https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2107

Just like any other Configuration Manager update release, I always look to see what is new from the reporting point of view.

I try to see what is newly available in this version compared with the previous version (2103).

This build adds some new SQL views/tables, such as user-based applications, extensions, and client diagnostics, for custom reporting. It is always good to build your own reports when you don’t find what you are looking for.

So what is new in configuration manager 2107 for reporting?

The following are the new SQL views:

v_GS_CLIENT_DIAGNOSTICS
v_GS_USER_BASED_APPLICATIONS
v_LifecycleDetectedResourceIdsByGroupName
v_SMS_G_System_ExtensionData
v_SMS_G_User_ExtensionData
vNotificationEventRules

For the full list of SQL views, with documentation of the data available in this build and in previous builds, please refer to GitHub: https://github.com/eskonr/MEMPowered/tree/master/Reports/SQ%20Views

Happy reporting!

How to get Report for Internet Explorer Startup Page using Configuration Manager 2012


Last week, I was having a discussion with my manager about the user IE home page/start page, to get a report on how many users have it set to the company intranet page. I then asked him what process/method the company currently follows to set the IE home page. He replied, GPO? My response was: if GPO, then the IE home page should be set to the required one for all domain users (wherever the GPO is applied), and using GPO gives more control to restrict users from changing the default IE home page (Disable changing home page settings), with less troubleshooting required.

I then checked my computer to find the default IE home page; it is set to the correct one, but I do have the flexibility to change it to a custom one. So my boss asked me to check if there is a way to get a compliance report on the user IE home page, in case the GPO is not applied to some of the OUs, so that they can be identified.

Since the IE home page information is stored in HKCU, we cannot use regkeytomof (it works only with HKLM), a MOF extension, or DCM (not easy).

The possible solution involves: 1) creating a custom WMI location, 2) copying the user IE home page info into this location, and 3) editing the MOF to retrieve this WMI information into the SCCM database.

The above solution would work, but how would you grant full permissions on the WMI location to publish the user registry info if users do not have admin rights on their computers?

Long ago, there was a discussion on the SCCM forum list about this issue of getting user IE home pages using Configuration Manager. Our MOF master Sherry Kissinger has a workaround for this issue, which I am going to walk through shortly.

This procedure requires creating a package with 2 programs (a legacy package is preferred and easy): 1) machine, 2) user, with a dependency on the machine program.

Create a folder on your network share, following your standard naming convention, and place these files into it. The files can be downloaded from GitHub.


1. wmiNameSpaceandSecurity.vbs: this script creates the custom WMI location (root\CustomCMClasses -> CM_IEStartPages) using a file called WmiSecurity.exe.

2. UserIEStartPage.vbs: this script publishes the information from HKCU to the custom WMI location created by the above script.

Before we start creating the package, edit the script wmiNameSpaceandSecurity.vbs, replace the domain name with your domain name, and save the script.


Create a package with 2 programs:

1. Create the package with the program command line cscript.exe wminamespaceandsecurity.vbs, running under the system context.


2. Right-click the package created above and select Create Program (no need to create a new package) with the command line cscript.exe UserIEStartPage.vbs, running under the user context, and select ‘Run another program first’ with the machine program as the dependency.


We have now created a package with 2 programs:


Distribute the package to a DP group or to individual DPs.

Now create a deployment of the UserIEStartPage program to the required collection.

Time to test the results:

Log in to a PC that has this deployment, run the machine policy refresh, and monitor execmgr.log for the progress of this deployment.


From the above log, the program executed successfully.

Let's check the WMI class and the inventory information captured from HKCU.

Open cmd, type wbemtest.exe, and connect to “root\CustomCMClasses”.


Let's check the home page values in the WMI class using a simple WQL query before we start working with the MOF file.

While you are connected to “root\CustomCMClasses”, click on Query and run this query: SELECT * FROM CM_IEStartPages


From the above, we see that the user has set 2 tabs to open when IE starts. Double-click either of them and click on Show MOF to see the URL of the page.


So far, all good. Now let's make some changes to the MOF to collect this information via inventory on a schedule (if required, create a custom inventory setting for a specific collection instead of doing it in the default client settings).

Go to your CM12 primary site's Administration pane (if you have a CAS, make these changes there) -> Client Settings -> Default Settings. You must import the custom attributes here before you create custom client settings.


We have now imported the custom WMI class into CM12, but we have not yet enabled this setting to be collected from ConfigMgr clients.

In the background, ConfigMgr creates a new table/view (CM_IESTARTPAGES_DATA/v_GS_CM_IESTARTPAGES) to store the information that comes from clients. This can be monitored in dataldr.log in your site server logs:

Now, create a custom client agent setting that can be applied to a test collection before rolling it out to a big collection.


Deploy this setting to the test collection and wait for the results (the client should pick up the new settings and send the inventory info to the site server). After a while, you will see the information in the CM12 database.

Here are the SQL queries:

select sys1.netbios_name0, os.Caption0, st.userdomain0, st.username0, st.tab0 as [Tab], st.startpage0
from v_R_System_Valid sys1
join v_GS_OPERATING_SYSTEM os on os.ResourceID = sys1.ResourceID
left join dbo.v_GS_CM_IESTARTPAGES st on st.resourceid = sys1.resourceid
order by sys1.Netbios_Name0, st.tab0

Get the IE pages into the same row (the start pages are concatenated with FOR XML PATH, and the leading comma is stripped with SUBSTRING):

select distinct sys1.netbios_name0, os.Caption0, st.userdomain0, st.username0,
    RTRIM(substring(ISNULL((select ',' + startpage0
                            from dbo.v_GS_CM_IESTARTPAGES ie1
                            where ie1.ResourceID = Sys1.resourceID
                            for xml path('')), ' '), 2, 2000)) as StartPages
from v_R_System_Valid sys1
join v_GS_OPERATING_SYSTEM os on os.ResourceID = sys1.ResourceID
left join dbo.v_GS_CM_IESTARTPAGES st on st.resourceid = sys1.resourceid
order by sys1.Netbios_Name0

Download ConfigMgr builds while the evalcenter links are fixed


This is a quick post on recent inquiries on various forums, such as Twitter, Reddit and the Microsoft forums, about downloading the Configuration Manager (evaluation) build from the evalcenter.

If you try to download the Configuration Manager current branch or technical preview from the evalcenter using https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview , you will be redirected to https://www.microsoft.com/en-us/download and end up seeing the following screen.


Currently, the evaluation center links for downloading the OS and application builds are broken or down, and Microsoft is working on it.

For those who do not have access to MSDN, VLSC or a Visual Studio subscription to download the media, you can use the following links to download the latest builds of Configuration Manager current branch or technical preview.

ConfigMgr 2203 current branch Eval - https://aka.ms/MECM2203CB-Eval

ConfigMgr 2202 technical preview baseline - https://aka.ms/MECM2202TP-Baseline

Thanks to Yvette O'Meally for arranging the links.

Hope it helps!

Update scan failed due to Group policy settings were overwritten by a higher authority


A few years ago, I blogged about the client update scan failure due to GPOs: https://eskonr.com/2014/10/sccm-configmgr-2012-software-update-scan-error-group-policy-settings-were-overwritten-by-a-higher-authority-error-code-0x87d00692/

Introduction:

When the software update point is configured for a site, client computers receive a machine policy that provides the active software update point server name (WSUS) and configures the Specify intranet Microsoft update service location local policy on the client device.

The Windows Update agent retrieves the server name (WSUS) specified in the ‘Set the intranet update service for detecting updates’ setting, and then connects to this server when it scans for software update compliance.

Problem:

I was working on an issue to troubleshoot server clients where the software update scan was failing. I noticed that it was failing on the majority of the servers but not on workstations.

For a client to receive software updates from SCCM, it must first complete a software update scan successfully.

Software update scan details are tracked in wuahandler.log, located in C:\windows\ccm\logs on the client. In this case the log showed the following errors:

Unable to read existing WUA resultant policy. Error = 0x80070002.

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server  and Policy NOT CONFIGURED

Failed to Add Update Source for WUAgent of type (2) and id ({B9DB41D0-CCA2-4FC4-BC70-5EC97B1FC1A2}). Error = 0x87d00692.


Based on the error, the first check is to review the GPOs applied to the device with the help of RSOP.MSC (run as administrator) and gpresult on the local machine.

From RSOP.MSC and gpresult, I could only see the following setting in the Windows Update section, which does not conflict with the GPO. Since these are servers, it is preferred to disable automatic updates (on the Windows side).


The next step is to look at the local group policy (gpedit.msc) to see if the SCCM client has set ‘Set the intranet update service for detecting updates’ with the WSUS entries.

I can see there are 2 settings configured correctly by the client. These come from the device client settings.


Next is to look at the registry for any Windows Update entries at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

No WUServer entry was found at this registry location.

I have also reviewed registry.pol (c:\windows\system32\grouppolicy\machine\registry.pol); it has the WSUS entries updated correctly.

The next location is Event Viewer, for GPO entries; I could not find any errors or warnings there either.

During the course of the investigation, I happened to see the GPO ‘Turn off Local Group Policy Objects processing’ applied to the client.

If this policy is enabled, the system does not process or apply any local GPOs.


The fix:

The GPO setting must be set to either Not Configured or Disabled. Once the configuration is changed, the local GPO that the client configured for WSUS will be picked up by the client and the update scan will complete.

Is there any workaround without making the changes to the GPO?

The SCCM client has already applied the local GPO with the WSUS server name and port number; however, it is not processed because of the GPO block.

I could not find any other method to get the update scan working without modifying the ‘Turn off Local Group Policy Objects processing’ setting.

Temporary solution: you can switch this policy off once at the OU level, let the client process the local GPO, and once that is done revert the GPO; it should be fine as long as the client is not reinstalled. Any new server that is onboarded and gets the client installed will have the same issue again.
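To make the checks above repeatable on a server, here is an added diagnostic script (my code, not from the original post). It parses the machine registry.pol that the client writes, reads the HKLM policy key that the Windows Update agent actually uses, and reports when the DisableLGPOProcessing value (what ‘Turn off Local Group Policy Objects processing’ writes) is the reason the two differ. The file and key paths are the standard locations and, like running it elevated, are assumptions.

```powershell
# Added diagnostic (not from the original post). Assumes the standard registry.pol
# location and policy keys, and that it is run elevated on the affected server.

function Read-PolString {
    # Reads one null-terminated UTF-16LE string from registry.pol and advances $Pos
    param([ref]$Pos, [byte[]]$Bytes)
    $start = $Pos.Value
    while ($Bytes[$Pos.Value] -ne 0 -or $Bytes[$Pos.Value + 1] -ne 0) { $Pos.Value += 2 }
    $text = [System.Text.Encoding]::Unicode.GetString($Bytes, $start, $Pos.Value - $start)
    $Pos.Value += 2                                                # skip the terminator
    return $text
}

function Read-RegistryPol {
    # Parses the registry.pol layout: 'PReg' + version, then [key;value;type;size;data] records
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ([System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'PReg') { throw "$Path is not a registry.pol file" }
    $pos = 8
    while ($pos -lt $bytes.Length) {
        $pos += 2                                                  # '['
        $key   = Read-PolString ([ref]$pos) $bytes; $pos += 2      # ';'
        $value = Read-PolString ([ref]$pos) $bytes; $pos += 2      # ';'
        $type  = [BitConverter]::ToUInt32($bytes, $pos); $pos += 6 # type, ';'
        $size  = [BitConverter]::ToUInt32($bytes, $pos); $pos += 6 # size, ';'
        $data  = if ($size -gt 0) { [byte[]]$bytes[$pos..($pos + $size - 1)] } else { [byte[]]@() }
        $pos  += $size + 2                                         # data, ']'
        $decoded = switch ($type) {
            1       { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }  # REG_SZ
            2       { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }  # REG_EXPAND_SZ
            4       { [BitConverter]::ToUInt32($data, 0) }                                 # REG_DWORD
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        [pscustomobject]@{ Key = $key; Value = $value; Type = $type; Data = $decoded }
    }
}

$polFile   = "$env:SystemRoot\System32\GroupPolicy\Machine\registry.pol"
$wuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$sysPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# 1. What the ConfigMgr client wrote into the local GPO
$localGpo = @()
if (Test-Path $polFile) {
    $localGpo = @(Read-RegistryPol $polFile | Where-Object { $_.Key -like '*WindowsUpdate*' })
}
$localGpo | Format-Table Key, Value, Data -AutoSize

# 2. What actually reached the policy registry key (what the Windows Update agent reads)
$effective = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
$wuServer  = if ($effective) { $effective.WUServer } else { $null }

# 3. Is local GPO processing switched off by a domain GPO?
$lgpoOff = (Get-ItemProperty -Path $sysPolicy -Name DisableLGPOProcessing -ErrorAction SilentlyContinue).DisableLGPOProcessing -eq 1

$polServer = ($localGpo | Where-Object Value -eq 'WUServer').Data
if ($polServer -and -not $wuServer -and $lgpoOff) {
    Write-Warning "registry.pol points WUA at $polServer, but the HKLM policy key has no WUServer and DisableLGPOProcessing=1: local GPO processing is blocked."
} elseif ($polServer -and -not $wuServer) {
    Write-Warning "registry.pol has WUServer=$polServer but it did not apply; check for a conflicting domain GPO."
} elseif ($wuServer) {
    Write-Host "Effective WUServer: $wuServer (registry.pol: $polServer)"
} else {
    Write-Host "No WSUS server configured by the local GPO or the policy registry key."
}
```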

Hope this helps!

References:

Troubleshoot software update management in Configuration Manager

Troubleshoot software update scan failures in Configuration Manager

Investigating SCCM Client Policy Request and Communication Status with a Collection Specific Report


Introduction:

As an SCCM (ConfigMgr) administrator, one of your key responsibilities is to ensure the health of SCCM clients for tasks like application deployment, software updates, and inventory management.

Oftentimes, you may encounter situations where you need to identify computers that haven't contacted the server in a specific number of days or determine the clients with outdated policy requests or communication gaps.

This blog post aims to guide you on creating an SSRS report to present this information, allowing for easier troubleshooting and maintenance of SCCM clients.

Retrieving Client Activity Information:

In the Configuration Manager (ConfigMgr) console, you can view and monitor various client activities. These include policy requests, heartbeat DDRs (Discovery Data Records), hardware scans, and the management point, as shown in the picture below.


To begin, we need to retrieve the client activity information from the SQL database. The data is stored in a view called vWorkstationStatus, which can be joined with the collection views to obtain the desired results. Below is an SQL query that retrieves clients whose LastPolicyRequest is more than 25 days old, filtered by a specific collection; the same query can be used from PowerShell if you want to show the results in a grid view.

-- Clients in the named collection whose last policy request is more than 25 days old
SELECT ws.Name, ws.UserName, ws.LastMPServerName,
       CONVERT(varchar(26), ws.CreationDate, 100)      AS CreationDate,
       CONVERT(varchar(26), ws.LastDDR, 100)           AS LastDDR,
       CONVERT(varchar(26), ws.LastPolicyRequest, 100) AS LastPolicyRequest,
       CONVERT(varchar(26), ws.LastHardwareScan, 100)  AS LastHardwareScan,
       ws.SystemRole,
       DATEDIFF(DAY, ws.LastPolicyRequest, GETDATE())  AS 'Days Since Last Communication'
FROM vWorkstationStatus ws
JOIN dbo.v_FullCollectionMembership vfcm ON vfcm.ResourceID = ws.ResourceID
JOIN dbo.v_Collection vc ON vc.CollectionID = vfcm.CollectionID
WHERE vc.Name = 'Your collection Name'
GROUP BY ws.Name, ws.UserName, ws.CreationDate, ws.LastMPServerName, ws.LastDDR,
         ws.LastPolicyRequest, ws.LastHardwareScan, ws.SystemRole
-- keep only rows whose LastPolicyRequest is older than 25 days
HAVING DATEDIFF(dd, MAX(ws.LastPolicyRequest), GETDATE() - 25) > 0

In the SSRS report, I have made 2 parameters as prompts: 1) Collection Name and 2) Number of days.

Below is how the SSRS report looks:

To access the complete SSRS report, download the RDL file from the TechNet link provided here. Once downloaded, upload the report to your SSRS Reports folder. Don't forget to update the data source to connect to your SQL database. After making the necessary configuration changes, run the report to generate the desired results.

Conclusion:

By utilizing SSRS reports in SCCM, you can easily monitor and troubleshoot client communication issues. This blog post has provided you with an SQL query to retrieve client activity information and guided you through the process of creating an SSRS report. With this report, you can efficiently identify clients with outdated policy requests or communication gaps, enabling you to take appropriate actions to maintain the health of your SCCM environment.

Questions appeared on https://social.technet.microsoft.com/Forums/en-US/b9940352-7382-462d-8ef9-8c7a1483a29f/sccm-client-last-communication-report?forum=configmanagerdeployment

https://social.technet.microsoft.com/Forums/office/en-US/5b21299a-d91a-43bd-bae7-dc02c09a8694/how-to-create-a-collection-based-on-days-since-last-communications?forum=configmanagerapps

https://www.reddit.com/r/SCCM/comments/3l67e8/help_with_custom_report/

Tool for managing the import and export of SSRS report – ReportSync Tool


Did you ever have difficulties importing, exporting or migrating SSRS reports from one ConfigMgr infrastructure to another? If so, how do you migrate reports? When I work with my customers on hardware migration of SCCM, and especially the SSRS reports, I always use the tool rather than PowerShell scripts.

To get the SSRS reports out of Configuration Manager, you can run the SSRS reports, download the reports manually in RDL format and upload them to the other SSRS report server. This is fine when you have a single-digit number of reports. What if you have a large number of reports and you want to migrate them from the source SSRS to the destination SSRS with the same folder structure? Doing this manually takes a lot of time and is not an efficient way of doing it.

This blog post discusses how to migrate reports, and how to download and upload your custom reports to the ConfigMgr SSRS folder.

During my search, I found a tool called ReportSync that does the following:

  • Sync reports between two SSRS servers.
  • Download RDL files from SSRS to the local PC.
  • Upload RDL files to an SSRS server.
  • Attach data sources automatically on upload (the data source name given in the report must exist on the server).

I use this tool often while working with SSRS reports, since it gives me the flexibility to upload multiple reports to a specific folder in SSRS. (The default SSRS web interface allows only one at a time.)

Download the tool from https://code.google.com/p/reportsync/

Run the Tool


This tool has 2 fields: 1) Source SSRS web service and 2) Destination SSRS web service.

As I said before, you can use this tool to download SSRS reports to a local drive, migrate reports between SSRS servers, and upload reports from a drive.

If you want to download the report (.RDL) files from your SSRS server (ConfigMgr 2007 or 2012), enter the source URL, a user that has permissions to connect to SSRS, and the password in the Source URL web service section, and click on Load.

How do you get the right SSRS URL that has been configured in your environment?

From your ConfigMgr server or SQL Server, launch the Reporting Services Configuration Manager tool and look for the Web Service URL.


After you click Load, it takes a few seconds or a minute to load the reports from your SSRS folder.


Select the reports that you want, provide the local path to store these reports (.RDL files), and click on Download.

Each category that you see in this tool will be created as a folder in your local path.

The reports folder looks like this:

You can also upload your customized reports to the destination server, sync, and use the other functions of this tool.

In case you have any issues with this tool, feel free to post in the comment section.

Hope it helps!

SCCM Client HTTP Error sending DAV request HTTP code 503 content download issue


This is a quick blog post on an issue that I recently looked at, regarding clients failing to download content from the distribution point.

Clients in one specific boundary were not able to download content from their assigned distribution point.

The client was healthy and the inventory cycles were up to date, but content download from the DP was failing.

Start with the client logs, especially DataTransferService.log, which tracks content download from the distribution point.

The following errors were logged in DataTransferService.log:

[CCMHTTP] ERROR INFO: StatusCode=503 StatusText=

GetDirectoryList_HTTP Error sending DAV request. HTTP code 503, status 'Service Unavailable'

[CCMHTTP] ERROR: URL=http://SGCM01:80/SMS_DP_SMSPKG$/Content_18138fe6-0b71-4590-b6ac-16d6af0ba673.1, Port=80, Options=1216, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE

DTSJob({3DED9C85-4798-4D9B-A857-C9F933DF2C74}):CDTSJob::ProcessManifestCallback - Error retrieving manifest (0x800705b4).


I tried accessing the URL http://SGCM01:80/SMS_DP_SMSPKG$/Content_18138fe6-0b71-4590-b6ac-16d6af0ba673.1 in the browser, but the request did not succeed.

Based on the above error codes and the URL connectivity, the issue seems to be related to IIS on the distribution point.

After logging on to the distribution point and looking at the IIS configuration, there were a couple of security prompts (Bit9) on the server about the wmiprvse.exe and w3wp.exe processes.

On the IIS server, under Application Pools, the SMS Distribution Points Pool is stopped.


For clients to be able to download content successfully, this application pool must be running.

The application pool failed immediately after being started. On investigation, looking at Event Viewer, there was a security agent (Bit9) installed on the server which was blocking the application pool.

Looking at the Bit9 security agent, there were many errors about this specific IIS pool.

After adding the following paths to the exclusion list in Bit9, the application pool stayed running and clients were able to download content as usual.

  • %windir%\System32\inetsrv\w3wp.exe
  • %windir%\SysWOW64\inetsrv\w3wp.exe

Microsoft has published an article on Configuration Manager Current Branch antivirus exclusions (see References). It is a must-read to follow for a successful device management solution with SCCM.

Hope you find this blog useful.

References:

Configuration Manager Current Branch Antivirus Exclusions

Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients


Efficiently Identify Co-Managed Devices: Techniques and Tools


Co-management is a feature that allows organizations to manage their devices using both Microsoft Intune and System Center Configuration Manager (ConfigMgr). This enables organizations to take advantage of the latest security features and cloud capabilities, such as conditional access and device compliance policies, while also being able to manage certain client actions without the need for access to the ConfigMgr console.

Some of the key benefits of co-management are:

Seamless transition: Co-management allows organizations to gradually transition from traditional management methods to modern management methods without disrupting their current workflow.

Increased security: Co-management enables organizations to take advantage of the latest security features, such as conditional access and device compliance policies, to protect their devices and data.

Improved management capabilities: Co-management gives organizations the ability to manage both Windows and mobile devices from a single console, making it easier to deploy apps, updates, and security policies.

Better end-user experience: Co-management allows organizations to provide their users with a better experience by giving them access to the latest features and apps.

Cost-effective: Co-management allows organizations to take advantage of existing ConfigMgr infrastructure, thus reducing the need for additional infrastructure and costs.

Better insights: With co-management, organizations can gain better insights into the health and security status of their devices, which can help them make more informed decisions about device management.

To enable co-management, you can go through Microsoft's documentation at https://learn.microsoft.com/en-us/mem/configmgr/comanage/tutorial-co-manage-clients

In this blog post, we will look at different methods for identifying devices with co-management status, specifically devices that are not co-managed for further troubleshooting.

1. Using Microsoft Intune portal

2. Using Endpoint Configuration Manager console (SCCM)

3. Using SQL report in Configuration Manager

4. Using PowerShell or the Graph API (not covered in this blog post; maybe a future post).

1. Using Microsoft Intune portal

Log in to the Endpoint Manager portal, click on Devices, then click on Monitor.

Under the Enrollment section, you will find Cloud attached devices (preview). This is still in preview at the time of writing this blog post.


In the summary page, you will find the co-management summary along with the workloads assigned to the device.


In the same section, click on Reports. You will find 2 reports available; click on Co-Management Eligibility.


Click on the filter section and select the status.


For devices that are not co-managed, I have selected the following in the filter section.

Click on Generate report.

It will take a few seconds before you can download the data as CSV for troubleshooting purposes.


This method generates the list of devices from the whole tenant, irrespective of region or country.

If you are scoped to manage co-managed devices in some regions but not all, you will need to sort the devices based on the hostname or similar. Let's review the other methods.

2. Using Configuration Manager console

Using the Configuration Manager console, we will create a collection or use the built-in co-management status view.

Collection for devices that are not co-managed: make sure the limiting collection is All Workstations (create a custom one), or update the following WQL query to exclude server endpoints.

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
join sms_combineddeviceresources on sms_combineddeviceresources.resourceid = sms_r_system.resourceid
where sms_combineddeviceresources.CoManaged = 0 and sms_combineddeviceresources.IsClient = 1


This collection method is more controlled, and we can apply a fix to the devices using scripts, package deployments, etc.

If you want to do a quick search in the console to find the devices that are not co-managed, you can add filter criteria and search.


Using the admin console, we can check the co-management status in the Monitoring node, under the Co-management tab.

For more information about this chart, refer https://learn.microsoft.com/en-us/mem/configmgr/comanage/how-to-monitor


By clicking on the count on the enrollment error, we can see the list of devices that failed co-management enrollment.

3. Using SQL report in Configuration Manager:

This is the last method in this blog post: an SQL report.

There is a huge amount of client inventory data in the SQL database, which lets us create multiple reports based on the requirement.

For this post, the criterion is to get a list of all workstations that are not co-managed.


As you can see above, for the specific collection we got about 90 co-managed devices and 21 devices that are not co-managed. The 21 non-co-managed devices are listed in the report for troubleshooting purposes.

This report includes client information along with last logon, HW scan, the time the device was last online, and whether the device is ONLINE right now.

You can download the report from the GitHub repository, upload it to your reports folder, and change the data source.

You can edit the report for further customization at your own risk.

The following are some troubleshooting guides that can help you fix the issues:

Troubleshoot auto-enrolling existing Configuration Manager devices in Intune - Intune | Microsoft Learn

Troubleshoot Configuration Management bootstrap with modern provisioning - Intune | Microsoft Learn

Troubleshooting Intune and Configuration Manager co-management workloads - Intune | Microsoft Learn

SCCM Right click tools for co-managed workloads

Thank you for reading the post.

Addressing SCCM Software Update Deployment Challenges with PowerShell – Remote install


Blog post updated on 23 Oct, 2023

Problem:

A few weeks ago, a colleague of mine was performing patch management on a bulk number of clients (servers) as monthly patching. As part of it, he made sure the maintenance window was in place and the deployment was set up correctly for the software update deployment.

The maintenance window started and patches started installing. After a while, he logged in (browsed the reports) to check the status of the deployed patches (software update groups) using reports. He found that 30-40% were compliant and the rest were non-compliant (the majority) or unknown (very few).

By the time he found something wrong, he had only 1 hour left to finish the patching activity due to the maintenance window. After the maintenance window passes, you cannot reboot the servers, and you need to confirm the patching status with the application teams so that they can perform the application testing.

What to do now, and how to get these non-compliant servers fixed in 1 hour before the maintenance window elapses? Since there was not enough time to troubleshoot the clients and look for other methods to fix them, he preferred the manual method.

I got to know about this the next morning while I was chatting with him. I tried to sneak into the logs to help find what the problem could be, but the logs had been overwritten and nothing was found for the previous day's issue.

The only status I got from him was that all updates available in Software Center were showing ‘Past due – will be installed’.

Solution:

If you ever get into such issues, I would suggest starting with one problem client for troubleshooting: go through the logs to check if the client is waiting for a long enough maintenance window, or whether the updates are waiting for something to complete before they can start, etc.

There could be various reasons why the software updates failed or did not even start on the client, and to troubleshoot you must check the logs. I have written a couple of articles on software update troubleshooting and reference guides:

http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

http://eskonr.com/2016/10/sccm-configmgr-troubleshooting-guides-for-reference/

Coming to the problem: how do I force the installation of updates that are available in Software Center if I don't have enough time to troubleshoot the issue, or how do I install the updates that have already been made available on the client?

We can use a PowerShell script to select all the updates available in Software Center and install them. The installation still follows the settings configured in the software update deployment (reboot, suppress reboot, etc.); the only thing bypassed is the maintenance window check.

This script is also useful when reporting shows that updates failed on some clients for whatever reason and you want to install them without logging in to each client.

Part of the script is taken from the book Microsoft System Center Software Update Management Field Experience; I modified it to log the output and to read the list of clients from a text file.

<#
.SYNOPSIS
This script checks for missing software updates on the local system using the CCM_SoftwareUpdate WMI class.
If missing updates are found, it attempts to install them using the CCM_SoftwareUpdatesManager WMI class.

.DESCRIPTION
The script performs the following steps:
1. Queries the CCM_SoftwareUpdate class to retrieve missing updates with ComplianceState=0.
2. Checks if there are missing updates.
3. If missing updates are found, reformats the update information and attempts to install them.
4. Displays a success message or an error message based on the return value of the InstallUpdates method.

.NOTES
Name : Install-MissingUpdates.ps1
Author: Eswar Koneti @eskonr
#>

# Get the updates targeted to this client that are not yet compliant (ComplianceState 0 = missing)
$MissingUpdates = Get-WmiObject -Class CCM_SoftwareUpdate -Filter ComplianceState=0 -Namespace root\CCM\ClientSDK
# Wrap in @() so a single result still has a usable Count
$total = @($MissingUpdates).Count

# Check if there are missing updates
if ($total -gt 0) {
    # Re-bind each instance by its WMI path so it can be passed to the InstallUpdates method
    $MissingUpdatesReformatted = @($MissingUpdates | ForEach-Object { [WMI]$_.__PATH })
    # Ask the client to install them now (bypasses the maintenance window only; the deployment's restart settings still apply)
    $InstallReturn = Invoke-WmiMethod -ComputerName $env:computername -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdatesReformatted) -Namespace root\ccm\clientsdk

    if ($InstallReturn.ReturnValue -eq 0) {
        Write-Host "Initiated installation of $total updates."
    } else {
        Write-Host "Error installing updates. Return code: $($InstallReturn.ReturnValue)"
    }
} else {
    Write-Host "No missing updates found."
}

Download the complete PowerShell script from TechNet Gallery Here.


To run the script against remote computers, make sure the account you use has permission to connect to WMI on the remote computer and that RPC (including the dynamic ports) is open in the firewall.

The script first checks whether the account running it has enough permissions on the remote computer. If yes, it processes that client; otherwise it moves on to the next client in the list, and repeats until the list is exhausted.

The script writes the information to a log file with the client name, targeted patches (approved patches), pending patches (including failed, waiting for maintenance window, etc.), reboot pending, and finally Compliant if there is nothing left in Software Center to install.

If a client has already installed all patches and is only waiting for a reboot, the script treats it as compliant, since it will be rebooted either manually or automatically based on the settings you configured in the deployment.
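The per-client loop described above, written out as an added example (this is not the script from the post or the TechNet Gallery download). It reads a list of computer names from a text file, classifies each client from its ConfigMgr client WMI, optionally triggers InstallUpdates, and appends one row per client to a CSV log. The file paths, the -Install switch and the output columns are this example's own assumptions; the EvaluationState values used are the ones documented for the CCM_SoftwareUpdate client SDK class, and the remote WMI/RPC access described above is assumed to be in place.

```powershell
<#
Added example, not the post's own script.
Assumptions: computer list and log path below are placeholders; the account
running this has WMI/RPC access to the targets.
#>
param(
    [string]$ComputerListPath = 'C:\Temp\computers.txt',    # assumed path
    [string]$LogPath          = 'C:\Temp\UpdateStatus.csv', # assumed path
    [switch]$Install                                        # trigger InstallUpdates on pending clients
)

# EvaluationState values from the documented CCM_SoftwareUpdate enumeration
$PendingReboot = 8, 9   # PendingSoftReboot, PendingHardReboot
$Errored       = 13     # Error
$WaitingForMW  = 14     # WaitServiceWindow

function Get-ClientUpdateStatus {
    param([string]$ComputerName)

    $row = [ordered]@{
        ComputerName  = $ComputerName
        Targeted      = 0
        Pending       = 0
        Failed        = 0
        WaitingForMW  = 0
        RebootPending = $false
        Status        = 'Unknown'
        Message       = ''
    }

    try {
        # Every update targeted to the client, compliant or not
        $all     = @(Get-WmiObject -ComputerName $ComputerName -Namespace root\ccm\ClientSDK -Class CCM_SoftwareUpdate -ErrorAction Stop)
        $missing = @($all | Where-Object { $_.ComplianceState -eq 0 })

        $row.Targeted     = $all.Count
        $row.Pending      = $missing.Count
        $row.Failed       = @($missing | Where-Object { $_.EvaluationState -eq $Errored }).Count
        $row.WaitingForMW = @($missing | Where-Object { $_.EvaluationState -eq $WaitingForMW }).Count

        # Ask the client itself whether a restart is outstanding (static method)
        $reboot = Invoke-WmiMethod -ComputerName $ComputerName -Namespace root\ccm\ClientSDK -Class CCM_ClientUtilities -Name DetermineIfRebootPending -ErrorAction Stop
        $row.RebootPending = [bool]$reboot.RebootPending

        if ($missing.Count -eq 0) {
            $row.Status = 'Compliant'
        } elseif (@($missing | Where-Object { $_.EvaluationState -in $PendingReboot }).Count -eq $missing.Count) {
            # Everything is installed and only the restart is outstanding: counted as compliant, as in the post
            $row.Status        = 'Compliant'
            $row.RebootPending = $true
        } else {
            $row.Status = 'Pending'
            if ($Install) {
                # Same InstallUpdates call as the post's script, bound to the remote instances
                $paths  = @($missing | ForEach-Object { [WMI]$_.__PATH })
                $result = Invoke-WmiMethod -ComputerName $ComputerName -Namespace root\ccm\ClientSDK -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$paths) -ErrorAction Stop
                $row.Message = "InstallUpdates returned $($result.ReturnValue)"
            }
        }
    } catch {
        # Access denied, RPC blocked, client not installed, host offline: log and move on
        $row.Status  = 'Unreachable'
        $row.Message = $_.Exception.Message
    }

    return [pscustomobject]$row
}

$computers = Get-Content -Path $ComputerListPath | Where-Object { $_.Trim() }
$results   = foreach ($c in $computers) { Get-ClientUpdateStatus -ComputerName $c.Trim() }
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Format-Table -AutoSize
```

Run it once without -Install to get the picture from the log (Failed and WaitingForMW tell you whether you are looking at a maintenance-window problem or a genuine install failure), then rerun with -Install only against the clients you actually want to push within the remaining window.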


Post your feedback via comments section.

Troubleshooting unexpected reboots caused by software center computer maintenance setting


In a recent transition from Citrix VDI to AVD (single- and multi-session), the AVD devices are managed by SCCM and Intune (co-management).

As part of routine maintenance, we have implemented a weekly reboot schedule for our AVD devices to ensure optimal performance and security.

To achieve this, I created a simple package with a command line for rebooting the devices weekly (the comment text needs the -c switch):

shutdown -r -f -t 300 -c "Rebooting the device as part of weekly maintenance"

From the time the weekly reboot job was implemented there were no issues, until someone reported to the team that an AVD device was rebooting daily at 2 AM local time, contrary to our intended schedule.

I picked it up to investigate further to identify the root cause.

The first thing is to look at the SCCM client logs, especially execmgr.log, for the advertisement status; it showed that the specific package was being run daily at 2 AM.

Next is to look at the deployment properties to see whether there were any changes to the schedule. It was found intact, set to run weekly as intended.

For further investigation, I also verified that the weekly schedule information can be seen in the client WMI class.

The following PowerShell command gets the schedule of a specific advertisement applied to the device:

Get-WmiObject -Namespace root\ccm\policy\machine -Class CCM_Scheduler_ScheduledMessage | Where-Object { $_.ScheduledMessageID -like "*ABC21452*" } | Select-Object ScheduledMessageID, ActiveMessage, Triggers | Format-List *

ABC21452 = Advertisement ID


To convert the schedule string, use the Convert-CMSchedule cmdlet available in the ConfigMgr PowerShell module.

Log in to the SCCM server or a device that has the ConfigMgr PowerShell module installed, import the module, and run the following with the schedule string:

Convert-CMSchedule 00A2AD40001B2000


As you can see from the above, the recurring schedule is the same as what we configured in the deployment.

Despite confirming that the deployment schedule remained unchanged (from the SCCM deployment schedule properties), the device continued to reboot daily.

To dig deeper, I enabled verbose logging (how to enable verbose logging) and, after the next reboot, reviewing the client logs revealed that a specific setting in Software Center was causing the daily reboot behaviour:

Software Center -> Options -> Computer maintenance -> Automatically install or uninstall required software and restart the computer only outside of specified business hours

This setting is disabled by default.


After disabling the setting in Software Center, the daily reboot stopped and the device went back to following the original weekly schedule as intended. However, the logic behind this setting and its interaction with scheduled deployments remains unclear.

Is this a bug, or is there a deeper understanding required of the specific setting in the Software Center for this use case?

Continuing the investigation, we need to identify the list of devices that have this specific setting enabled in Software Center, since they will show the same daily reboot behaviour.

Software Center settings are stored in the WMI class CCM_SoftwareCenterSettings, hence we can use the Scripts feature in SCCM and run the following on all target endpoints to see how many devices would exhibit the daily reboot behaviour:

# Read the "Automatically install ... outside of specified business hours" flag from the local client policy
$data = (Get-WmiObject -Namespace root\ccm\policy\machine -Class CCM_SoftwareCenterSettings).AutoInstallRequiredSoftware
if ($data) {
    Write-Host "Not Expected, require fix"
}
else {
    Write-Host "All Good"
}
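The detection above flags every device with the setting enabled, whether or not the weekly reboot package is actually deployed to it. As an added example (not the post's own script), the following combines the two checks from this post into one Scripts-feature report: it looks up the scheduled message for a given advertisement ID, reads the Software Center flag, and returns a single object so the script output can be sorted in the console. The advertisement ID parameter, the output columns and the Finding text are this example's own assumptions.

```powershell
<#
Added example, not the post's own script.
Assumption: $AdvertisementId is the deployment ID of the weekly reboot package
(placeholder value below); the namespace and classes are the ones shown in the post.
#>
param(
    [string]$AdvertisementId = 'ABC21452'   # assumed placeholder, replace with your deployment ID
)

function Get-RebootRiskReport {
    param([string]$AdvertisementId)

    $policyNs = 'root\ccm\policy\machine'

    # Scheduled messages for this advertisement: one per schedule in the deployment
    $messages = @(Get-WmiObject -Namespace $policyNs -Class CCM_Scheduler_ScheduledMessage |
        Where-Object { $_.ScheduledMessageID -like "*$AdvertisementId*" })

    # Software Center computer maintenance setting; $null when no such policy instance exists
    $sc = Get-WmiObject -Namespace $policyNs -Class CCM_SoftwareCenterSettings | Select-Object -First 1
    $autoInstall = if ($sc) { [bool]$sc.AutoInstallRequiredSoftware } else { $false }

    # Only devices that have both the deployment and the setting show the daily reboot
    $finding = if ($messages.Count -gt 0 -and $autoInstall) { 'Not Expected, require fix' } else { 'All Good' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AdvertisementId    = $AdvertisementId
        Targeted           = ($messages.Count -gt 0)
        ScheduleTokens     = (($messages | ForEach-Object { $_.Triggers }) -join ';')   # feed these to Convert-CMSchedule
        AutoInstallEnabled = $autoInstall
        Finding            = $finding
    }
}

Get-RebootRiskReport -AdvertisementId $AdvertisementId
```

ScheduleTokens carries the raw schedule strings so you can run Convert-CMSchedule on them from the site server, as shown earlier, without logging on to the device again.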

Since the devices are managed by Intune, it is time to move such legacy tasks to Microsoft Intune for better management and flexibility.

Enhancing SCCM Software Update Deployments for Better Compliance and Efficiency


Microsoft Configuration Manager (SCCM) remains a cornerstone for IT administrators aiming to streamline patch management and software updates. However, as many sysadmins experience, ensuring high compliance in software update deployments can be challenging, particularly in large environments. Here, we explore strategies to enhance SCCM's capabilities, leveraging advanced tools and automation to address common hurdles.

Identifying Common Challenges in SCCM Updates

In SCCM deployments, issues such as partial compliance, timing constraints within maintenance windows, and troubleshooting failures are prevalent. These problems often stem from:

· Inadequate visibility into endpoint status across the network.

· Limited control over the timing and sequence of updates.

· Difficulties in promptly addressing non-compliant endpoints.

The Role of PowerShell and Enhanced Tools

To mitigate these challenges, PowerShell scripts, like this one detailed by Eswar, are invaluable. They enable admins to automate the retrieval and installation of pending updates before maintenance windows close.

However, to further optimize this process, integrating comprehensive management tools can turn reactive situations into proactive successes.

Advanced SCCM Solutions

Recast Software enhances SCCM with robust tools designed to address the complexities of endpoint management. Our suite includes:

· Right Click Tools: A powerful extension for SCCM that facilitates immediate actions across multiple systems, enhancing the native capabilities of ConfigMgr.

o Software Updates Deployment Status (SUDS) Dashboard: This tool offers real-time insights into update compliance, enabling IT admins to quickly identify and address non-compliant devices.

· Endpoint Insights: Provides deep visibility into hardware and software inventory, crucial for effective patch management.

How Recast Software Complements PowerShell Scripts

While PowerShell scripts provide a solid foundation for handling updates, integrating Recast Software offers several additional benefits:

· Automated Troubleshooting: With Right Click Tools, sysadmins can initiate diagnostic tools directly from the SCCM console, speeding up the resolution of non-compliance issues.

· Better Visibility: Endpoint Insights allows for a detailed examination of each endpoint's status, ensuring that all devices are ready and compliant before and after deploying updates.

· Proactive Management: The Software Updates Deployment Status (SUDS) Dashboard brings potential issues to the administrator's attention in real time, allowing for immediate corrective actions without manual checks.

Real-World Application

Consider a scenario where sysadmins face a tight deadline to update an array of servers. Using Right Click Tools, they can quickly assess and remedy non-compliant servers, ensuring all updates are deployed within the allotted maintenance window. This integration not only saves time but also significantly reduces the workload (and stress) associated with critical update deployments.

See the Capabilities in Action

Check out the following two videos for a glimpse into the potential these tools offer.

https://www.youtube.com/watch?v=nwgpmsuMHUA


https://youtu.be/V28jVr5ouzY?si=OaMyRVkcrblL0TzZ


Conclusion

As SCCM continues to serve as an essential tool for system management, enhancing its functionality with Recast Software’s solutions empowers sysadmins to manage updates more effectively and improve compliance numbers. By combining SCCM, PowerShell, and Recast Software’s tools, IT departments can achieve higher compliance rates, less downtime, and a more secure network. Learn more at Recast Software or reach out to the Recast team.
