One of my Blog reader has posted a comment asking for ‘How to create Collection to pop-up clients from multiple Collections start with ABC% ‘ ? ABC is the Collection Name starts with.

If you want to create a collection to see all clients from different Collections and the Collection Name starts with ABC .How do you get this done ?

For this requirement, You Cannot use Include collection as this is not Dynamic .If you choose to go with Include collection (which is Static) ,you cannot get the clients from collections that will be created in the Future.

To get this task done, we will using concept called sub Selected Queries with IN condition.

Create a New Collection ,Limit the Collection to All systems, Add a Query Rule ,Edit the Query Statement and paste the following WQL into it.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in (
SELECT ResourceID from SMS_COLLECTION CO inner join SMS_FullCollectionMembership FCM
on FCM.COLLECTIONID=CO.COLLECTIONID and CO.Name like 'ABC%')

Where ABC is Name of the Collection that Start with ,for Ex: SU or Microsoft or Adobe etc.

If you have same application with multiple versions installed on machines for ex: JAVA ,it allow to have multiple versions with same name like JAVA 6 update 45,JAVA 7 update 65 and so on….

How do you find computers that have single version application installed and exclude computers that have multiple versions with same name Installed ?

This scenario can be applicable to other applications (like Microsoft Office)  that allow multiple versions on same computer .

Example : I have client A,B and C out of which ,A and B has 3 versions of JAVA installed where as C is installed with One Version of JAVA and want get PC C into the Query results.

We will get this done using concept called Subselect query. Full Details https://social.technet.microsoft.com/Forums/en-US/a1d013ac-34fc-4486-9747-56e3d0027d9f/softwareinventory-query?forum=configmanagergeneral#108b932b-e91c-4b09-8abf-7fbf5701c588

SQL Code:

select sub.name0,arp1.DisplayName0,arp1.Version0

from

(

select

vrs.Name0,vrs.ResourceID,

COUNT(*) Total

from v_Add_Remove_Programs ARP

inner join v_R_System vrs on ARP.ResourceID = VRS.ResourceID

where arp.DisplayName0 like 'Java%'

group by vrs.Name0,vrs.ResourceID

having count(vrs.Name0)=1 )Sub

inner join v_Add_Remove_Programs arp1 on arp1.resourceid=sub.ResourceID

where arp1.DisplayName0 like 'Java%'

order by sub.name0,arp1.DisplayName0,arp1.Version0

You can use this query to create nice SSRS Report and prompt for specific application so you can get information for any application.

Microsoft released SCCM Configmgr Upgrade Assessment Tool that provides administrative users with information that they can use to determine if the computers that are managed by System Center Configuration Manager can run Windows 7, Windows 8 or Windows 10.

The Upgrade Assessment Tool provides the following functionality:

• Retrieves device driver compatibility information for installed peripheral devices and creates reports that you can use to determine which device drivers need to be upgraded to support the Windows operating system.
• Allows you to see which computers meet the recommended system requirements for Windows operating systems and to customize these requirements for your environments.
• Creates summary reports that you can use to see an enterprise wide view of operating system upgrade readiness.
• Allows you to create dynamic collections for an operating system deployment. The collection query rules can be based on system requirements, application compatibility status, and device driver status.

Before you install this tool,you must have the following applications/software's to be in place .

• The site server must be running one of the following configmgr Versions:

Configmgr 2012 SP2 with CU 3
Configmgr 2012 R2 SP1 with CU3
Configmgr (current branch) Version 1602 or Higher

• Configuration Manager clients can run one of the following:

Configmgr 2012 SP1 or higher
Configmgr 2012 R2 or higher
Configmgr (current branch) version 1511 or higher

• You must have a reporting services point to view the compatibility information from clients.
• You must have one or more distribution points to deploy the ACT inventory collection package to clients.
• Clients must run hardware inventory.
• Application Compatibility Toolkit (ACT) 6.1
• Microsoft .NET Framework 4.5.2.

More information and download this tool from https://www.microsoft.com/en-us/download/details.aspx?id=37145

Collections in Configmgr play a crucial role .If you want to do anything(can be software deployment,OSD ,Client agent settings,Software updates,compliance etc) in configmgr against clients,you a collection .

Being Configmgr administrator, it is always important to look at collection performance ,if they are scheduled well and do some maintenance like identifying collections that take longer time to update (collection evaluation viewer tool from Configmgr 2012 toolkit) or identifying the collections that update too frequently than expected etc.

This blog post will assist you to identify collections with count of direct membership rules and type of schedule and other important collection Queries which can be represented in Nice SSRS Report.

The below SQL Code is for Collections with count of Direct Membership rule and what type of Collection Schedule configured.

Usually for Collections with Direct membership rule, you really no need to configure any Schedule at all as they are one time created and do not require any update.

so ,you can simply run this SQL Code ,if the count of Direct membership rule is bigger and if any Schedule configured to get the RID of it.

Direct membership rule info stored in v_CollectionRuleDirect View ,For more information about SQL Views in Configmgr, refer this Excel spreadsheet

Schedule can be of anything listed below:

Scheduled
Incremental
Scheduled and Incremental

SQL Code:

select coll.CollectionName,crd.CollectionID,COUNT(crd.RuleName) [Direct rules],
Case when coll.RefreshType = 1 then 'Manual'
when coll.RefreshType = 2 then 'Scheduled'
when coll.RefreshType = 4 then 'Incremental'
when coll.RefreshType = 6 then 'Scheduled and Incremental'
else 'Unknown' end as RefreshType
from v_CollectionRuleDirect  CRD
inner join v_Collections Coll on CRD.collectionID=coll.SiteID
Group by crd.CollectionID,coll.RefreshType,coll.CollectionName
order by crd.CollectionID

SQL Code for All Collections with its Refresh Type:

Select (Case when RefreshType = 1 then 'Manual'
when RefreshType = 2 then 'Scheduled'
when RefreshType = 4 then 'Incremental'
when RefreshType = 6 then 'Scheduled and Incremental'
else 'Unknown' end) as RefreshType, count(SiteID) as Collections
from v_Collections
group by RefreshType

As you already aware that ,the new version of SCCM Configmgr ( V1511 and later ) uses an in-console service method called Updates and Servicing that synchronizes with the Microsoft cloud service to get updates which allow you to install from within the Configuration Manager console.  This process will get updates that are applicable to your infrastructure and version are downloaded and made available in the console.

To get the updates available in your configmgr console ,you need to have Site system role called ‘Service Connection Point’ .

The service connection Point is new site system role which is replacement for Microsoft Intune connecter that enables additional functionalities like
 To integrate Intune with System Center Configuration Manager On-premises Mobile Device Management
 Is used as a point of contact for devices you manage with
 Uploads usage data about your deployment to the Microsoft cloud service
 Makes updates that apply to your deployment available from within the Configuration Manager console

By default, Configmgr checks for new updates every 24 hours ,if you cannot wait until then ,you can simply go to console Administration > Cloud Services > Updates and Servicing,Check for Updates

With the recent release of Configuration manager version 1602 ,there is question keep coming up in TechNet and other forums that, they cannot see the updates in the updates and servicing node,though they have done all possible workaround to get the updates into the console.

They have service connection point installed, ONLINE (Connected to internet) ,tried automatic method within the console ,Restart SMS Executive service but still no Joy ,even they have looked at the CMUpdate.log ,all looks good ,content being downloaded to cd.latest folder .
If at all you have issue viewing the recent build version updates into the console ,you probably missing the RBA security permissions for the particular account.
So what permissions are need for this to work ?
User must be assigned a security role that includes the Read permission in the permission group Site, and the security scope All.

Points to be noted when doing in-console updates for Configmgr:

1. Always begin installing the updates with Top site (CAS—>Primary—>Secondary) if you have CAS ,else start with Standalone Primary Site.
2. Always install the updates during out of business hours (you can schedule the Service window to install the updates to have least effect to business operations).
3. When you have CAS which is installed with latest update (ex:1602) ,your primary sites will start the update automatically unless you do not have any service window else, it will wait for the service window and install for you.
4. Secondary sites will not be upgraded to automatically and you must manually update them within the configmgr console ,right click on the secondary site and choose upgrade.
5. After you are done with site upgrades ,the configmgr console will be prompted to upgrade to new version (uninstall the existing and install new ,open console automatically) and this happens to all end users when they try to launch the Configmgr console on their workstations connect to the Site.
6. It is good to select Ignore any prerequisite check warnings and install this update regardless of missing requirements while installing the updates . If you do not select this ,it is recommended to run the prerequisite check before the update install to make sure ,there are no warnings.
7. Prerequisite errors always stop the update installation. You must resolve errors before you will be able to successfully retry the update installation.
8. During the updates installation ,it also updates cd.latest folder which will be used during a Site recovery.
9. Until all sites in your hierarchy are upgraded to new build version ,your hierarchy will operate in mixed version mode.

References:

Updates for System Center Configuration Manager

1602 Update not available in console

Unable to bring system to 1602

SCCM 1511 - Updates and Servicing not working

Microsoft SQL Server view is a virtual table whose contents are based on the result from a SQL query. A view saved SQL Query which you can treat this as virtual table. A view consists of a set of named columns and rows of data. However, the contents of a view are not stored in the SQL database. The rows and columns of data come from tables or other SQL views referenced in the query that defines the view and are produced dynamically when the query is run. The query that defines the view can be from one or more tables or from other views in one or more databases.

When you install Configuration manager ,it creates lot of SQL views of following types:

• Views against static (unchanging) tables.
• Views that use data from tables with a dynamic (changing) schema.

For a dynamic schema, setup creates a number of SQL Server stored procedures that create the views. These stored procedures are run by Configuration Manager to refresh the views when the schema of underlying tables changes. Collection evaluation, discovery, and inventory data are examples of data for which new tables or new properties in existing tables might be created during the operation of a Configuration Manager site.

To create effective SSRS reports, you need to know the Configuration manager views available in SCCM Database to get the required data.

It is always helpful ,Handy and easy for you to write SSRS Reports ,if you know the value that you are looking (for ex: Network information) for is stored in which SQL view .

Through this blog post ,I would like to share the Excel spreadsheet that consists of Configuration manager 1602 (Current branch at the time of writing this blog post) views help you to identify the required information for your SSRS report.

I have also highlighted (Orange Color Background) the Views that are available only in 1602 but not in earlier versions (1511) of configuration manager so you know what’s new in 1602 current branch .

Due to the features/Updates added into Current Branch version 1602 ,the 4 interesting (atleast for me) SQL views added are listed below:

v_CollectionMemberClientBaselineStatus

v_CMConsoleUsageData

v_WindowsStoreForBusinessApps

vSMS_HealthAttestationDetails

I will write a another blog post explaining about these 2 newly added SQL views that really helps to find about SCCM Console usage and Client BaseLine Status.

Download the SQL View documentation for SCCM Configmgr 1602 from TechNet Gallery.

For Other Configmgr version, you can download the SQL Views from Configmgr 1511 , Configmgr 2012 R2 SP1, Configmgr 2012

References :

SQL Server Views in System Center 2012 Configuration Manager

Microsoft has introduced new feature in System Center Configuration manager Build Version 1602  called Client Online Status .This is really cool and exciting feature which is really needed these days to know if the computer is online or offline (of course ,SCCM agent must be working and healthy which is different story).

A new status for clients is available for monitoring if a computer is online or not. A computer is considered online if it is connected to it's assigned management point. To indicate that the computer is online, the client sends ping-like messages to the management point. If the management point doesn't receive a message after 5 minutes, the client is considered offline.

How to Monitor the status of individual clients:

In the Configuration Manager console, click Assets and Compliance > Devices or choose a collection under Device Collections.

Beginning in version 1602 of Configuration Manager, the icons at the beginning of each row indicate the online status of the device:

For more detailed online status, add the client online status information to the device view by right-clicking the column header and clicking the online status fields you want to add. The columns you can add are

• Device Online Status indicates whether the client is currently online or offline. (This is the same information given by the icons).
• Last Online Time indicates when the client online status changed to online.
• Last Offline Time indicates when the status changed to offline.

Now ,coming to the subject line , wouldn’t it be nice to create Collection or SSRS Report for client online Status in Configmgr 1602 ?

If you want to create collection or SSRS Report  for Clients with online ,offline Status in 1602 and later build versions ,you must know the correct SQL views (SSRS) and wmi instance that store this information . Download the SQL views documentation for Configmgr 1602 from http://eskonr.com/2016/04/download-sccm-configmgr-1602-sql-views-documentation/

collections Uses WQL and Reports uses SQL .

For Collection , Client online Status stored in wmi namaspace : SMS_CollectionMemberClientBaselineStatus with CNIsOnline =True or False

For SSRS Report ,Client Online Status stored in view: v_CollectionMemberClientBaselineStatus with CNIsOnline=1 or 0

Once we know the wmi instance or SQL view,it is easy to create collection or SSRS Report.

To create collection ,Use the following WQL Code (subselected) for Online Clients:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in
(select resourceid from SMS_CollectionMemberClientBaselineStatus where SMS_CollectionMemberClientBaselineStatus.CNIsOnline = 1)

To Create SSRS Report ,Use the following SQL Code for Online Clients:

select Name,sitecode,Clientversion,LastHardwareScan,LastMPServerName,CNIsOnline,max(CNLastOfflineTime) CNLastOfflineTime ,
max(CNLastOnlineTime) CNLastOnlineTime
from v_CollectionMemberClientBaselineStatus
where CNIsOnline=1
group by Name,sitecode,Clientversion,LastHardwareScan,CNIsOnline,LastMPServerName
order by Name

Until Next!

With system Center Configuration manager Build Update 1602 (Current branch ) ,we can now monitor the Configuration manager console usage data .

In previous versions of configmgr ,there is no records in database to see who are the users connecting to SCCM console ,though this information is tracked in SMSProv.log, but no stored information for reporting.

Microsoft have made some improvements with Configmgr current branch build 1602 ,that store the information in database,WMI class about users who try to make successful connection .

After you install the Configmgr console update 1602 and try to connect to Site server (CAS or Primary Site) , if the user is having least permissions( RBA) , SMS provider start tracking the information by executing several queries against the permissions defined in RBA (like OS ,software updates,packages ,applications ,collections and many more )  ,all these information can be monitor in smsprov.log .

This process is same in earlier versions of Configuration manager but the change that was added to Build Update 1602 is ,it creates additional stored procedures,tables,views to store machine Name that is trying to connect to console ,User name ,connected site code , admin console Version (all this info appear in SMSProv.log) and other important information and insert into the database by executing stored procedure (spCMUpsertConsoleUsageData )that Update Console Telemetry table with admin console machine telemetry information.

I have installed Console (CB Configmgr 1602) in PC001 and tried to connect to my Site using APAC\Eswar who has permissions defined using RBA,monitor the log (smsprov.log) for more information:

couple of screenshots from SMSprov.log:

All the information coming from client and connecting to Site server will be tracked in the database.

So,where does the information stored in database and WMI about the console usage ?

In Database ,there is view called : v_CMConsoleUsageData ,which stores information about PC ,User who connect to console ,Connected Site ,Site number,What is OS Build of the Connected PC,Console Version Installed,Client Version installed, Memory,.net framework installed version ,Console connect time and other information.

SQL Query :  select * from v_CMConsoleUsageData

After executing the Query ,I have noticed that ,the console connected time is showing in UTC instead of client connected time (Local time) .

This leads me to review the code used in stored procedure and check if any conversion syntax used and Yes ,it is using syntax to convert : (ConsoleConnectTime = GETUTCDATE()) .

So,if you want to have the console connected time but not UTC,you can either change the stored procedure (HIGHLY NOT RECOMENDED) or use the SQL CAST DATE syntax function ,something like below:

select MachineName,UserName,ConsoleConnectTime [ConsoleConnectTime (UTC)],
CAST(GetDate() - GetUtcDate() + ConsoleConnectTime AS datetime) [ConsoleConnectTime]
from v_CMConsoleUsageData

Once you know,there is view exist that store the information ,you can start working on your customized report by joining other views and create Nice SSRS Report.

For more information about SQL views in Configmgr update 1602,refer this post

Report is okay but can I create collection (user device collection probably to see who are all users connecting to site ) ? if you are interested to play with this .

WMI class (for Collection) called: SMS_ConsoleUsageData (Instance: ROOT\SMS\site_sitecode)

For some reason, I had SMS_ConsoleUsageData class with empty information,though I can generate report for console usage data as you see in above snippet.

Run wbemtest from RUN command, connect to ROOT\SMS\Site_PS1 name space. Click on Query and run the following command to see if it returns any value:

select * from SMS_ConsoleUsageData

So ,How to get this corrected ? am still trying to figure out using the stored procedures ,which might help to update the information into WMI ,but no fix yet for me. Am not sure if this is happening to all or Only for me.

So 2 things are pending (at least for me) for confirmation from this post 1) UTC time for console connected time 2)WMI results empty .

I will update this post when I find something on this UTC and WMI class.

I have been putting lot of SQL Queries ,SSRS Reports on my blog and I never explained ,how you can create such SSRS reports on your Own and I know that ,it is not easy to explain in blog post about the SQL/SSRS Reports . This is post will help you ,how to understand Configuration manager reporting and how to write your Own SSRS Reports (Advanced level) .

There are lot of books released on System Center Configuration Manager ,but there is nothing specifically for Reporting (in-depth).

The wait is Over now and Finally ,the only book that was missing since long on Configuration Manager Reporting is now available on the market I.e System Center Configuration Manager Reporting Unleashed.

This Book was written by Well known Configuration Manager MVP Garth Jones  and his export Co-authors Dan Toll and Kerrie Meyler .

The Unleashed book written by Experts is really fantastic and it has all the content what is needed for you to get complete knowledge on Configuration Reporting,RBA ,SQL views ,SSRS Report Builder and lot more.

You’ll walk through installing and configuring SSRS, using SQL views to find the data you need, writing SQL queries, creating basic and advanced reports, and using role-based administration to securely deliver those reports to the correct individuals.

Content at a Glance give you better feeling that ,it consists of of total 411 pages which is all about Reporting.

Contents at a Glance:

I highly recommend to purchase this book ,If you want to become expert in creating Custom based SSRS Reporting in Configuration manager and deliver the content to your management with in No-time .

You can purchase this book (System Center Configuration Manager Reporting Unleashed )from Amazon website ,available in both Paper back and Kindle version http://www.amazon.in/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=configuration+manager+reporting+unleashed

and from InformIT http://www.informit.com/store/system-center-configuration-manager-reporting-unleashed-9780672337789

Long ago ,did blog post on How to get software update compliance for specific update group per collection with drill down report to list the Required/missing ,unknown clients with some additional information like recent hardware inventory, last update scan results ,OS etc .

This report will only work for single software update group per collection ,but in Configuration Manager ,there could Multiple Software update group created as part of Patching process and it would be difficult to know the compliance status for the same collection for multiple update groups and this task become tedious if you run the same report multiple times and write down the results into file.

with the help of Configuration Manager console ,it is possible to see the Compliance % (Required, installed ,Unknown  and %) for the software update group for the deployed collection but if you want to see the same for multiple update groups and get the list of Required Clients etc ,not possible ,Thus you need SSRS Report.

Would it be nice to have SSRS Report that list the Software update compliance for multiple update groups per collection ?

This report is lying in my bucket for longer time and finally going out to public.

I have made little changes to the report (nothing major ) with respect to prompts (select multiple update groups) and drill down report changes as well.

This report allow you to select multiple Update groups and single collection as shown below . you need to action on Required(a.k.a Missing) and Unknown status.

It has 2 RDL files 1) Update compliance Status for multiple Groups per collection and 2) Linked report to know what are the client with specific Software update Status (Required ,Unknown)

First report looks like below:

Installed—>Specifies that the software update is applicable on the client computer and that the client computer already has the software update installed.

Not Required—>Specifies that the software update is not applicable on the client computer, and therefore, the software update is not required.

Required –>Specifies that the software update is applicable and required on the client computer

Unknown—> Specifies that the site server has not received a state message from the client computer,could be various reasons like scan did not run successfully,scan completed but state message did not sent successfully etc.

Click on the Arrow (blue color) to see the Required ,Unknown clients for the selected software update group:

Download the Reports from TechNet Gallery ,Upload to your Configmgr SSRS reports ,Change the Data source and Run the Report .

How to troubleshoot software update issues ,refer http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

if you are working on the Java upgrade using SCCM Configmgr, you will have to cautious to apply the correct version of Java on the existing Client (can be desktop or server) to make sure the dependent applications works. For this to happen,you need to identify the clients that have JAVA installed (can be 32bit or 64bit) and deploy the Java application to the respective collection.

Inventory that comes from the client add and remove programs is stored in 2 locations in WMI SMS_G_System_ADD_REMOVE_PROGRAMS and SMS_G_System_ADD_REMOVE_PROGRAMS_64. You will have to query one of these as per the needs.

If you are using SCUP or third party patching ,you can simply create software update group and deploy it to collection (without any JAVA filter ) and client go through the software update scan and install the required updates.

In this blog post , I posted 2 Collections to list all clients in your infra that are managed by SCCM that are less than Java 8 Update 92 (is the latest version at the time of writing this blog post).

Create new collection ,Limit the collection ,select Query based ,edit and past the following the query for 32bit and 64bit Java Versions.

SCCM Collection for Java < JRE 1.8 Update 92_X86:

Both the Collection Queries excludes the windows server 2003 if you have any for safer side due to EOL for server 2003 .

If you wanted to get the clients that are lower version as per your need, make changes to the bold letters in the query below.

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from  SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where (SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Java%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "Java%Updater%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "JavaScript%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%liveupdate%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "Java 8 Update 92" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "Java%Development%") and SMS_G_System_OPERATING_SYSTEM.Caption not like "%2003%"

SCCM Collection for Java < JRE 1.8 Update 92_X64:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName like "Java%" and SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName not like "Java%Updater%" and SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName not like "JavaScript%" and SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName not like "%liveupdate%" and SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName not like "Java 8 Update 92 (64-bit)" and SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName not like "Java%Development%" and SMS_G_System_OPERATING_SYSTEM.Caption not like "%2003%"

Recently ,we had an issue with SCCM Configmgr Reporting services role (Remote SQL sitting on VM was crashed ,blog post coming soon ) and we were unable to generate reports mainly for the Software update compliance status that happens every month. This post is about ,how to check the software update compliance status for the deployed software update group/Groups per collection/collections without using Configmgr Reports . The reason for posting this blog is ,fixing the Configmgr Reporting services role took more than expected time and meantime ,we need to check the status of patch compliance status and troubleshoot the non-compliant machines (servers) within the Maintenance window.

I thought the SQL Code which I used to generate the compliance status would be handy for others if they do not want to Use configmgr Reports and use SQL Code for Quick results.

If you are unable to generate compliance status using the SSRS Reports ,the only possible method is ,to depend on Monitoring node—deployments ,look for the software update deployment for particular collection and see the non-compliant machines for troubleshooting which is not easy method if you have large number of deployments and collections.

So ,to overcome this ,you can USE SQL management studio and run the query (posted below) to generate non-compliance list of clients with extra information like hardware inventory,software update scan,,Operating System ,IP address,User Name ,does it have Client etc.

This SQL Query should be helpful to quickly generate compliance Status for multiple software update groups and for multiple collections.

I recently posted a blog about ,how to generate software update compliance Status for multiple update groups per collection but this SQL query helps to generate update compliance status for multiple updates groups against multiple collections.

you can use this SQL query to create nice SSRS Report for multiple update groups per multiple collections in OneClick.

The below SQL code is for list of clients with required/Missing Status ,If you want clients with Unknown ,change the @status value to 0 ,More about Update compliance Status ,see below :

Update compliance Status:

0—Detection Status Unknown

1—Not Applicable

2—Required/Missing

3—Already Installed /Compliant

--SQL Code to Generate Update compliance Status for multiple update groups against multiple collections

Declare @Status nvarchar(255);set @Status='2';
--Status 0 for Unknown, 1 for Not Applicable,2 for Required ,3 for installed
select sys.name0 [Computer Name],sys.User_Name0 [User Name], os.caption0 [OS],
CONVERT(VARCHAR(26), ws.lasthwscan, 100) as [LastHWScan],
CONVERT(VARCHAR(26), uss.lastscantime, 100) AS 'LastSUScanTime',
CONVERT(VARCHAR(26), sys.last_logon_timestamp0, 100) AS 'Last Logon Time',
case when sys.client0='1' then 'Yes' else 'No'
end as 'Client (Yes/No)', c.IPAddress AS [IP Address]
From v_Update_ComplianceStatusAll UCS
left join v_r_system sys on ucs.resourceid=sys.resourceid
left join v_FullCollectionMembership fcm on sys.resourceid=fcm.resourceid
left join v_collection coll on coll.collectionid=fcm.collectionid
left join v_GS_OPERATING_SYSTEM os on ucs.resourceid=os.resourceid
left join v_gs_workstation_status ws on ucs.resourceid=ws.resourceid
left join v_updatescanstatus uss on ucs.ResourceId=uss.ResourceID
left join v_AuthListInfo LI on ucs.ci_id=li.ci_id
INNER JOIN (SELECT     IP1.resourceid AS rsid2, IPAddress = substring
((SELECT     (IP_Addresses0 + ', ')
FROM    v_RA_System_IPAddresses IP2
WHERE     IP2.IP_Addresses0 NOT LIKE '169%' AND IP2.IP_Addresses0 NOT LIKE '0.%' AND IP2.IP_Addresses0 NOT LIKE '%::%' AND
IP_Addresses0 NOT LIKE '192.%' AND IP1.resourceid = IP2.resourceid
ORDER BY resourceid FOR xml path('')), 1, 50000)
FROM    v_RA_System_IPAddresses IP1
GROUP BY resourceid) c ON c.rsid2 = ucs.resourceid
where li.title IN (‘SUG1’,'SUG2’,SUG3’) and coll.collectionID in ('PS10029A','PS10000D')and ucs.status=@Status
group by sys.name0,sys.User_Name0,os.Caption0,ws.LastHWScan ,uss.LastScanTime,sys.Last_Logon_Timestamp0,sys.client0,c.IPAddress
order by 1

Hope it helps !

Yesterday (22-July-2016) Microsoft released new version of SCCM Configmgr Current Branch 1606 (YY MM) with lot of new features and improvements to the existing features. You can install this update via in-console update.

You can update to latest version of SCCM Configmgr Current branch 1606 either from Configmgr 1511 or 1602 using in-console update.

This Version 1606 for SCCM Configmgr current branch is both a baseline install (which you use to install a new hierarchy), and an update which you can use to update from version 1511 or 1602.

Take a look at the checklist document for installing this update (1606) https://technet.microsoft.com/en-us/library/mt767553.aspx?f=255&MSPPError=-2147217396

As usual ,to get the Latest update (1602) in your console under administrative console—>Cloud services—>updates and Servicing ,you need to run the PowerShell script (fastring) and restart SMS executive service (only if you are on V1511 version) ,monitor dmpdownloader.log

Installing the update 1606 is a straight forward process within the console and is smooth process without any hassle. You can refer this blog post for,how to install SCCM Configmgr Updates using updates and Servicing.

To know more about ,what’s new in SCCM Configmgr Current Branch 1606 ,read https://technet.microsoft.com/en-us/library/mt752488.aspx

Configmgr Console,Site and Console Versions:

Version of Configmgr Console: 5.00.8412.1003

Version of Configmgr Site:5.00.8412.1000

Version of Configmgr Client: 5.00.8412.1006

If you unable to see SCCM Configmgr updates in console ,refer this blog post http://eskonr.com/2016/04/why-dont-i-see-sccm-configmgr-1602-updates-in-my-console/

Recommended Reading:

Updates for System Center Configuration Manager https://technet.microsoft.com/en-us/library/mt607046.aspx?f=255&MSPPError=-2147217396

What’s new in SCCM Configmgr Current Branch 1606 https://technet.microsoft.com/en-us/library/mt752488.aspx

What's changed in System Center Configuration Manager from System Center 2012 Configuration Manager  https://technet.microsoft.com/en-us/library/mt622084.aspx?f=255&MSPPError=-2147217396

Upgrade to System Center Configuration Manager https://technet.microsoft.com/en-us/library/mt627853.aspx

Microsoft released new version of SCCM Configmgr Current Branch 1606 (YY MM) with lot of new features and improvements to the existing features. You can install this update via in-console update.

With this new update ,there are also couple of newly added SQL views compared to its previous update (1602) which will help us to create reports in better way.

So ,what’s new in SCCM Configmgr CB 1606 SQL reporting ? Lets have a look at ,what are SQL views added newly and also have this SQL Views document handy for reporting ,otherwise , you may end up looking into the database for the correct information.

There are 3 SQL views added with this update version (1606) compared to its previous version 1602 ,listed below:

v_GS_ClientEvents
v_GS_OFFICE365PROPLUSCONFIGURATIONS
v_MDMDeviceCategory

Download the SQL View documentation for SCCM Configmgr Current Branch 1606 from TechNet Gallery.

For Other Configmgr version, you can download the SQL Views for Configmgr 1602,  Configmgr 1511 , Configmgr 2012 R2 SP1, Configmgr 2012

SQL Server Views in System Center 2012 Configuration Manager

A friend of mine (you know who you are) asked help (kind of) ,how to clean up the content inside ccmcache folder in better way instead of using script to deploy it as application/package/task sequence .

I would recommended to use compliance settings(configuration item/configuration baseline) to deploy the script on schedule basis (monthly once or how you want) to Clients.

One advantage of using compliance settings is that, you do not need use source files to implement this solution and it would be easier to discovery and remediate if any content found older than x days.

In this blog post, we will see, how to use simple PowerShell script (can get from many sources on internet) to create configuration item and configuration baseline and deploy to clients.

If you do not want to follow all the steps outlined here ,jump to end of the post, to see how you can achieve this task in just 2 to 3 steps.

How to create Configuration Item:

launch SCCM console –>go to Assets and compliance—right click on Configuration Items—create Configuration Item

Give meaning full name something like clean ccmcache content

Leave the default settings and click next

Create new compliance rule

Follow the settings as outlined below .

You need to have 2 PowerShell scripts 1) Discovery to check the count of folders that are older than x days for deletion 2) To remediate (delete) these folders if any exist older than x days

For Discovery script ,click on edit script and use the following PowerShell script.

This script will tell us ,the count of folders inside the ccmcache older than X days which will help us to clean the content.

Change the number of days that you want to delete content older than.

#discovery script
$MinDays = 14
$UIResourceMgr = New-Object -ComObject UIResource.UIResourceMgr
$Cache = $UIResourceMgr.GetCacheInfo()
($Cache.GetCacheElements() |
where-object {[datetime]$_.LastReferenceTime -lt (get-date).adddays(-$mindays)} |
Measure-object).Count

For remediation script, use the following PowerShell script to clean the content older than 14 days:

This script will clean the content (folders) older than 14 days.

#remediate script
$MinDays = 14
$UIResourceMgr = New-Object -ComObject UIResource.UIResourceMgr
$Cache = $UIResourceMgr.GetCacheInfo()
$Cache.GetCacheElements() |
where-object {[datetime]$_.LastReferenceTime -lt (get-date).adddays(-$mindays)} |
foreach {
$Cache.DeleteCacheElement($_.CacheElementID)
}

click on compliance rules and click New

Enter the name that you wish to use for the rule name and select the return value by the discovery script 0.

The setting must comply rule used ,if the content returns by the discovery script is 0 ,there is no content to clean up ,if at all the discovery script return count value other than 0 then perform the content cleanup using the remediation script.

Click Ok, Ok and Next

verify once if the settings are configured correctly below.

Click next,next,next to see the summary page:

with this ,we have completed ,how to create Configuration Item which includes all the settings like discovery ,remediation .

How to create Configuration Baseline:

Right click on Configuration Baseline and select Create configuration Baseline

Give a Name,description and click on Add Configuration Item

Select the configuration item that we created above ,add and click ok .

we are now created configuration baseline and ready to deploy to collection that you are interested in with schedule.

How to deploy Configuration Baseline to Collection:

Right click on the configuration baseline that we created earlier and click on deploy

Adjust the below settings according to your environment like collection and schedule .

Under the deployment tab ,you will see the configuration baseline deployed to collection and its compliance %

Wait the clients to receive the policy (trigger machine policy retrieval ,if you want to speed up the process) and let remediation happen..

Go to any SCCM client ,open configuration manager applet, look at configurations tab ,you will there is no ccmcache cleanup available.

As soon as you refresh the machine policy ,client will poll and get the newly created policy which will appear in configurations tab ,click on evaluate.

Evaluate will take few seconds to run the discovery script and if it find the count other than 0 ,perform the remediation script that we used .

Click on view report to see a nice html report with compliance status

After a while ,client evaluate the baseline and report the status to SCCM ,which you can see in console ,configuration baseline.

With this ,we have completed task of how to clean up content in ccmcache older than 14 days.

How to avoid following these steps and create all in 3 steps ?

To make this task easier for you ,I have exported the Configuration baseline into cab file . So all you need is ,download the cab file from here ,go to configuration baseline ,import the cab file and change the settings how you want in the PowerShell using above steps.

Below are client the logs (C:\windows\ccm\logs) which will help you to check and troubleshoot compliance setting issues:

CIDownloader.log –>Records details about configuration item definition downloads.

DcmWmiProvider.log—>Records information about reading configuration item synclets from Windows Management Instrumentation (WMI).

DCMReporting.log—>Records information about reporting policy platform results into state messages for configuration items.

CIAgent.log—>Records details about the process of remediation and compliance for compliance settings, software updates, and application management.

Since few days ,I am working on a customized Software update compliance dashboard report with some Pie charts for management to see how the patch compliance progress for each Business Unit (I say business unit means for each country).

Management are interested to see the overall patch compliance summary for each country (focused on servers ) into a nice pie chart which can be published to them either Via emails (using SSRS subscriptions or put them on Bigger screens especially for server compliance status).

This dashboard uses lot of pre-existing reports that are already published on my blog ,but there is one report (though SQL query is few lines code) which makes me to spend lot time doing lot of changes and check in the console if the results tally or not and the report is:

Top 5 or 10 missing patches for specific collection and specific update group.

The hard part for getting this report work is ,identifying the correct views to join Software update group ,compliance status . I would strongly recommended to use the SQL views documentation to create any custom SCCM reports.

After going through the SQL view documentation ,found below views that will help me to join the software update group (CI_ID) and software updates (CI_ID)

v_BundledConfigurationItems –contains information about each Update CI_ID and software update group ID

v_AuthListInfo –Contains Software update group Name, Update ID(CI_ID) .

For reporting (ONLY) ,we normally have 1 software update group that contains list of all updates (as per the requirement from IT Security team as they are the ones who decide what security patches to deploy ) that are  deployed to clients from so long to until 2 months old from current month  . Technically speaking, you cannot have more than 1000 updates in software update group which you can deploy to collection but ,in this case ,it is only used for reporting ,I can have more than 1000+ updates into 1 software update group and always make sure this SUG group is at good compliance rate for each BU .

As we move on, add the previous months patches to this Software update group and rerun the report to reflect the status for newly added updates against each country collection.

In this blog post, I will share you couple of SQL queries which are used my dashboard report ,help you to create your own dashboards.

P.S: The reason for not posting the dashboard which I created is because ,it has lot of customizations (more into collection ID’s and Software update group) per country basis and they are unique for each organization ,but I can share how the output of the dashboard look like.

Each pie chart has linked report to see the list of clients status like missing or unknown for troubleshooting purpose.

Below are couple of SQL queries that I wanted to share with you guys.

1.How to get list of top 5 or 10 missing patches against particular collection for specific software update ?

In SCCM console ,if you go to software updates node ,you can see lot of information for each update with Bulletin ID,Title ID,required,installed etc , but there is no way for you to filter against particular collection and if you want see the list of clients that needed by the patch ,no way in the console.

You either have to use default reports (if there is any such) otherwise ,create custom report.

Use the below Query in your SSRS or SQL management studio to get list of all updates from particular software update group against collection with missing count.

Declare @CollID nvarchar (255),@SUG nvarchar(255);
Set @CollID='PS100254';set @SUG='SUM_2016_July_All';
--CollID=Collection ID and SUG=Software update group Name

Select CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised,
case when ui.IsDeployed='1' then 'Yes' else 'No' end as 'Deployed',
SUM (CASE WHEN ucs.status=3 or ucs.status=1 then 1 ELSE 0 END ) as 'Installed/Not Required',
sum( case When ucs.status=2 Then 1 ELSE 0 END ) as 'Required'
From v_UpdateInfo ui
JOIN v_Update_ComplianceStatus ucs on ucs.CI_ID = ui.CI_ID --AND ui.IsExpired = 0 AND ui.IsSuperseded = 0
--If you want display the expired and superdeded patches, remove the -- line in the above query
JOIN v_BundledConfigurationItems bci on ui.CI_ID = bci.BundledCI_ID
JOIN v_FullCollectionMembership fcm on ucs.ResourceID = fcm.ResourceID
join v_R_System sys on sys.ResourceID=ucs.ResourceID
where bci.CI_ID = (SELECT CI_ID FROM v_AuthListInfo where title=@SUG)
and fcm.CollectionID =@CollID
group by CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2),
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised, ui.IsDeployed
order by sum( case When ucs.status=2 Then 1 ELSE 0 END ) desc

If you compare the result you get from above SQL query ,the required count of clients will vary from what you see in the SCCM console software updates node and this is due the fact that ,in the console ,the software updates do not have any limitation over any collection(They apply to all clients) .But here ,we are trying to limit the software update against particular collection.

You can use this SQL query in multiple ways as you  need.For example ,if someone want to see the list of updates that are still needed by specific collection(BU) ,you can simply comment Software update group and choose only collection ,you can also do the other way.

To get top 5 or 10 missing updates ,simply use TOP 5 or TOP 10 . Full SQL Query is below:

Declare @CollID nvarchar (255),@SUG nvarchar(255);
Set @CollID='PS100254';set @SUG='SUM_2016_July_All';
--CollID=Collection ID and SUG=Software update group Name

Select top 5 CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised,
case when ui.IsDeployed='1' then 'Yes' else 'No' end as 'Deployed',
--SUM (CASE WHEN ucs.status=3 or ucs.status=1 then 1 ELSE 0 END ) as 'Installed/Not Required',
sum( case When ucs.status=2 Then 1 ELSE 0 END ) as 'Required'
From v_UpdateInfo ui
JOIN v_Update_ComplianceStatus ucs on ucs.CI_ID = ui.CI_ID --AND ui.IsExpired = 0 AND ui.IsSuperseded = 0
--If you want display the expired and superdeded patches, remove the -- line in the above query
JOIN v_BundledConfigurationItems bci on ui.CI_ID = bci.BundledCI_ID
JOIN v_FullCollectionMembership fcm on ucs.ResourceID = fcm.ResourceID
join v_R_System sys on sys.ResourceID=ucs.ResourceID
where bci.CI_ID = (SELECT CI_ID FROM v_AuthListInfo where title=@SUG)
and fcm.CollectionID =@CollID
group by CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2),
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised, ui.IsDeployed
order by sum( case When ucs.status=2 Then 1 ELSE 0 END ) desc

Now that, we have count of all updates for specific update group for specific collection with required client count ,but how to get the list of clients needed need specific update ?

This is mainly needed if you want to create linked SSRS report to see the list of clients for specific update for troubleshooting purpose.

SQL Query to list the clients required by specific software update ?

Declare @CollID nvarchar (255),@SUG nvarchar(255),@title nvarchar(255);
Set @CollID='PS100254';set @SUG=''SUM_2016_July_All'';
set @title='Security Update for Windows Server 2008 R2 x64 Edition (KB2992611)'
--CollID=Collection ID , SUG=Software update group Name and Title= Name of Software update title

Select sys.Name0,sys.User_Name0,os.Caption0 [OS],ws.LastHWScan,uss.LastScanTime [Last SUScan],os.LastBootUpTime0
From v_UpdateInfo ui
JOIN v_Update_ComplianceStatus ucs on ucs.CI_ID = ui.CI_ID
JOIN v_BundledConfigurationItems bci on ui.CI_ID = bci.BundledCI_ID
JOIN v_FullCollectionMembership fcm on ucs.ResourceID = fcm.ResourceID
join v_R_System sys on sys.ResourceID=ucs.ResourceID
join v_GS_OPERATING_SYSTEM OS on os.ResourceID=ucs.ResourceID
join v_GS_WORKSTATION_STATUS WS on ws.ResourceID=ucs.ResourceID
right join v_UpdateScanStatus uss on uss.ResourceID=ucs.ResourceID
where bci.CI_ID = (SELECT CI_ID FROM v_AuthListInfo where title=@SUG)
and fcm.CollectionID =@CollID
AND UCS.Status='2'
and ui.Title=@title
group by
sys.Name0,sys.User_Name0,os.Caption0,ws.LastHWScan,os.LastBootUpTime0,uss.LastScanTime
order by 1

SQL Query used in Pie Chart to get the patch compliance status for specific Collection and for specific update group ?

select CASE WHEN ucs.status=3 or ucs.status=1  then 'success'
When ucs.status=2 Then 'Missing'
When ucs.status=0 Then 'Unknown' end as 'Status',ucs.status [Status ID],coll.CollectionID
From v_Update_ComplianceStatusAll UCS
    left join v_r_system sys on ucs.resourceid=sys.resourceid
    left join v_FullCollectionMembership fcm on ucs.resourceid=fcm.resourceid
    left join v_collection coll on coll.CollectionID=fcm.CollectionID
    left join v_GS_OPERATING_SYSTEM os on ucs.resourceid=os.resourceid
    left join v_gs_workstation_status ws on ucs.resourceid=ws.resourceid
    left join v_updatescanstatus uss on ucs.ResourceId=uss.ResourceID
    left join v_AuthListInfo LI on li.ci_id=ucs.ci_id
where li.title='Software update group name' and coll.CollectionID=’CollectionID’
and os.Caption0 not like '%2003%'
order by 1

Hope these SQL queries are helpful to you .

Other day,I was looking at the client health dashboard which I published long ago https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-SSRS-2863c240 . From the dashboard report ,noticed that couple of clients were having software update scan issues .

If client fail to perform success software update scan ,it is out of patching window and client will never send or receive any software updates that you deploy from SCCM. You always need to make sure your clients are performing the successful software update scan as per the schedule you configure in SCCM client agent settings. Software update troubleshooting guide http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

So ,the report had couple of clients with software update scan failures with lasterrorcode –2147012894 which leads to me take a look at one client (XXXXXXX) and see what's happening on that.

If you want to see, how your clients are performing software update scan (without dashboard) ,run the below SQL query in management studio.

This query will help you to get list of client that have issues with software update scan (software update scan not success).

--SQL code list clients with software update scan failures

select distinct sys.name0 [Computer Name],os.caption0 [OS],convert(nvarchar(26),ws.lasthwscan,100) as [LastHWScan],convert(nvarchar(26),sys.Last_Logon_Timestamp0,100) [Last Loggedon time Stamp],
sys.user_name0 [Last User Name] ,uss.lasterrorcode,uss.lastscanpackagelocation from v_r_system sys
inner join v_gs_operating_system os on os.resourceid=sys.resourceid
inner join v_GS_WORKSTATION_STATUS ws on ws.resourceid=sys.resourceid
inner join v_updatescanstatus uss on uss.ResourceId=sys.ResourceID
where uss.lasterrorcode!='0'
order by uss.lasterrorcode

Login to the problem client (it can be workstation or server ) ,open WUAHandler.log located in C:\widows\ccm\logs ,notice the below error.

OnSearchComplete - Failed to end search job. Error = 0x80072ee2.

Scan failed with error = 0x80072ee2.

0x80072ee2—>The operation timed out

The above log (Error) do not give much information  ,so this leads me to look at windowsupdate.log located in C:\windows folder

This log has several entries related to proxy request ,send and download file failed etc.

2016-09-01    12:45:14:216     820    ce0    Misc    WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <10.133.48.48:8080> Bypass List used : <(null)> Auth Schemes used : <>

2016-09-01    12:45:14:216     820    ce0    Misc    FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2

2016-09-01    12:45:14:216     820    ce0    PT      + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0

Problematic Client is healthy and able to send inventory and receive other deployments like applications etc but software update scan is failing all the time.

if you look at the above log snippet, it is failing to download the cab files from WSUS server . It looks like ,client has some issues downloading the content ,so how do I check what is causing the problem for content download ?

From Windowsupdate.log snippet, client is trying to access the URL http://SCCMServerName.domain:8530/ClientWebService/WusServerVersion.xml which is failed due to proxy settings.

From other working client, found the below URL succeeded but not on the problem client  ,so I ran the below URL on non-working client and it surely have issues with proxy.

http://SCCMServerName.domain:8530/ClientWebService/WusServerVersion.xml

I ran the same URL on working client and got below results:

How do I fix the proxy issues on the problem client and get the rid of software update scan issues ?

There is a registry key on the client machine which you will have to change to get it working. What is the registry ?

Login to working client that is reporting to the same SCCM site( WSUS) ,open the registry and export for the below registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Save it on desktop ,copy it to the problematic client and run it (double click on it ).

Once the registry key is imported ,Open services.msc from RUN command ,restart windows update service.

follow windowsupdate.log and WUAHandler.log

After few min ,I noticed that, scan still failed with error code ,but this time it is different : OnSearchComplete - Failed to end search job. Error = 0x80244010.

0x80244010.—> The number of round trips to the server exceeded the maximum limit.

After a while ,it will try (you don’t have to do any) again to sync and sync will get Successfully completed .

If the sync is not running ,initiate software update scan cycle and monitor WUAHandler.log

Now go back to your site server ,run the SQL query ,you will see problematic client will no longer appear.

Summary:

For software update scan issues with error code:0x80072ee2

login to the working client ,export the registry key ,import into the problem client ,restart windows update service ,wait for a while ,monitor the logs.

References :

http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

http://s9org.blogspot.sg/2015/03/software-updates-are-not-getting.html

https://blogs.technet.microsoft.com/sus/2008/09/18/wsus-clients-fail-with-warning-syncserverupdatesinternal-failed-0x80244010/

Since few days ,have been working on case with Microsoft on client issue wherein ,some clients stuck at downloading the policies/jobs and remain in Queued state without any reason and they never get deployments.

When you deploy the software update group to collection ,you will have to put a special attention to configuration setting in download settings : “If software updates are not available on preferred distribution point or remote distribution point,download content from Microsoft updates”

This is a new feature in Configuration manager 2012 SP1 that allows clients to fall back and use Windows Update to download the content. The client will only download content for the updates you have approved and deployed to client.

This is good option to select when the content is not available on Distribution point or client has some issues (possibly network)downloading the content from distribution point and client will direct to Microsoft update,download the content and install it.

But ,what happens when client do not have access to the internet (Microsoft update) and content is not available on the DP ? Here the problem comes.

If you check the option “if updates not available on DP, download from Microsoft Updates”, when the local/remote DP’s content location is not available, clients fallback to download from Microsoft Update, however, if it also fails at downloading from MU with some Internet connection issue, the DTS job (DataTransferService) keeps retrying the download the content and increments the Active job count on each failure until reaching the Active Job limit of 50 and  it never gets decremented.

DataTransferService.log shows

Downloading from http://wsus.ds.download.windowsupdate.com:80/c/msdownload/update/software/secu/2016/07 without proxy encountered error: BITS error: 'The operation timed out

Context: 'The error occurred while the remote file was being processed.

QUEUE: Active job count incremented, value = 50

DTSJob {97A264D2-B234-4ED7-B1D9-257F80920063} in state 'Queued'.

If the client exhausts the Active Job limit, the clients get stuck and never receive any policy unless you reset the active job limit .

Though we have successfully distributed the content to DP’s (can see from the console and reports) and hundreds of clients in the same subnet/region are successfully downloaded /installed but not all clients.

So the only possible fix is: Restart SMS agent host on the problematic clients. This process will reset the active job limit and start downloading the policies and content without any further changes on the site server ,but make sure to deselect the setting if your clients do not have access to internet.

I am not sure with the selected settings above (download content from Microsoft update ),if this issue appear in Configuration manager current branch or is it only appear in Configmgr 2012  .

This issue is filed as bug in Microsoft connect and is active Status . https://connect.microsoft.com/ConfigurationManagervnext/feedback/details/956321/css-configmgr-2012-r2-dts-does-not-decrement-active-bits-job-counter-when-it-fails-to-download-content-from-the-mu-location

There is no updated information yet on this issue from product team but can we see this issue fix in next cumulative update for Configmgr 2012 ?

I wrote a blog post year ago on how to get count of MS Office Editions with versions installed across my environment using SCCM Configmgr. This report consists of 2 reports .1st report is ,to get count of Microsoft Editions for ex: how many are office 2003, 2007 ,2010 and 2013 and 2nd report is actually drilled report linked to 1st report to give list of all MS Office editions (what are the editions of office 2003 ,2007,2010 and 2013) with its client count .

Many of my blog viewers have requested through comments and some of them are via social networking sites ,that they want drill down the 2nd report to see the list of clients with each office edition and version.

Having drilled report to see the list of clients will certainly help to investigate and upgrade them to latest version of Microsoft office.

You can always create collection for office editions but having a report like this would help to export them to excel and other SSRS supported formats.

This request is pending from very long ,it was lying in my to-do list and finally going out through this blog post.

So what all you need to get this report (Count of MS office editions ) implemented in your SCCM site ?

Download the 3 reports from the TechNet Gallery ,upload the reports into your SSRS folder (make sure they all in same folder),change the data source for each report and you are good to run.

Note: This report will list only Microsoft Office 2003,2007,2010 and 2013 but not office 365. If you need office 365, you may have to wait for next update ,otherwise you can edit the RDL file and customize it.

How does the report look like ?

1. Count of MS Office editions

2. List MS Office editions for selected version (ex: 2003)

3. List of Clients by specific MS Office edition and version

Hope it helps.

Microsoft releasing the technical preview updates for SCCM Configmgr every month as part of ongoing commitment to quality and innovation .These technical preview updates will help to test in lab environment and report feedback to Microsoft before they made General Available (current Branch).To see these preview updates in your Configmgr console,you must have the base version of SCCM Configmgr Technical preview 5 (not applicable to current branch).These Technical Preview updates are intended for use in a lab environment. For more information about technical preview and updates, please refer https://technet.microsoft.com/library/mt595861.aspx?

Today,28th September 2016 ,Microsoft released latest technical preview update 1609 (YYMM) (Note : this is only for base version Technical preview 5 but not for Current Branch V1606,Production version) with some exciting features .

To use the technical preview you must first install a baseline version of the technical preview build. After installing a baseline version, you then use in-console updates to bring your installation up to date with the most recent preview version. Typically, new versions of the Technical Preview are available each month.Only the version included with System Center Technical Preview 5 can be used for a baseline install.

Features/updates included in this update are:

• Windows 10 Upgrade Analytics – Assess and analyze device readiness and compatibility with Windows 10 to allow smoother upgrades.  This is done through integration with Windows Upgrade Analytics.
• Office 365 Client Management Dashboard – Use the Office 365 client management dashboard to track Office 365 updates and deployments.
• Deploy Office 365 apps to clients – We have added a new Office 365 Servicing node in the Software Library where you can deploy Office 365 apps to clients.
• Improvements for BIOS to UEFI conversion – An OS deployment task sequence can now be customized with a new variable, TSUEFIDrive, so that the Restart Computer step will prepare the drive for transition to UEFI. See the documentation for additional details on the necessary customizations.
• Improvement to Endpoint Protection antimalware policy settings – You can now specify the level at which the Endpoint Protection Cloud Protection Service will block suspicious files.
• Boundary Group Improvements – Improvements have been made to boundary groups to allow more granular control of fallback behavior, and greater clarity of what distribution points are used.

For more information, read the documentation Technical Preview for System Center Configuration Manager https://technet.microsoft.com/library/mt595861.aspx?

Happy exploring new features..