All Software update groups expired

 Hi,
Please see http://social.technet.microsoft.com/Forums/en-US/39b60e34-f30a-4963-a08b-6a8e13e44b91/software-update-groups-grey-icon-with-x-?forum=configmanagersecurity
for reference.
We created update lists for Windows 7 with Office, automatic updates for SCEP, they all are expired (Expired icon of http://technet.microsoft.com/en-us/library/hh848254.aspx). I don't want them to expire. I want to make sure every new OS will get the latest updates + antivirus updates.
Not sure if this is by design, an error on SCCM (http://social.technet.microsoft.com/Forums/en-US/0c13c27d-55a9-4f56-8ac0-f9053301ab0c/all-updates-in-sccm-software-updates-are-set-to-expire?forum=configmgrsum => my SCUP is there) or there is some misconfiguration.
Please advise.
Jan Hoedt

Jan,
> *Can you help me with this mechanism, I'm not familiar with it?
While viewing the updates that are a member of the software update group, either sort by the "Expired" column or filter by Expired = Yes.  Select all expired updates, right click, and select "Edit Membership".  Uncheck the checkbox for the software update groups you are trying to remove them from.
> *I seem to remember there was somewhere an option that mentioned expired
This option has to do with how long 'superseded' updates will remain available for deployment.  You can set under Administration > Site Configuration > Sites.  Right click on your site and select Configure Site Components > Software Update
Point.  The setting is on the "Supersedence Rules" tab.
However, Microsoft will also directly expire updates from time to time as well.  In general, this is normal and something you shouldn't worry about managing.  When the update has been expired by Microsoft, it is something you couldn't install even
by going to Windows Update, so you shouldn't worry trying to deploy them.  Instead, deploy the current updates instead of superseded ones.
>How can I automate this (not automatically apply but using manually which updates to use and deploy at times I choose)?
For organizations with very simple Software Update processes, you could use an Automatic Deployment Rule to select updates based on a criteria, download the content to a deployment package, add the updates to a software update group, and create a deployment
to a collection.  That deployment can be 'available' and not required if you plan to hand install them later.
This documentation gives you an overview of how all the Software Update Management features work:
http://technet.microsoft.com/en-us/library/gg682168.aspx#BKMK_DeploymentWorkflows
And this blog post gives an example of using an ADR:
http://blogs.technet.com/b/configmgrdogs/archive/2012/05/08/configmgr-2012-automatic-deployment-rules.aspx
I hope that helps,
Nash
Nash Pherson, Senior Systems Consultant
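The manual "Edit Membership" cleanup described in the answer above can also be scripted. This is an added example, not code from the original thread; it assumes the ConfigurationManager PowerShell module that ships with the admin console and its Get-CMSoftwareUpdateGroup, Get-CMSoftwareUpdate and Remove-CMSoftwareUpdateFromGroup cmdlets, and the helper name Get-ExpiredSugMember is hypothetical.

```powershell
# Added example: report the expired members of every software update group
# and, optionally, remove them. Not part of the original thread.
# Assumes the ConfigMgr admin console (ConfigurationManager module) is installed.
Import-Module (Join-Path (Split-Path $Env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
$site = Get-PSDrive -PSProvider CMSite | Select-Object -First 1
Set-Location "$($site.Name):"

# Leave $false for a dry run (-WhatIf); set to $true to change group membership.
$Apply = $false

function Get-ExpiredSugMember {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$GroupName)
    # -Fast skips lazy properties, which this report does not need.
    Get-CMSoftwareUpdate -UpdateGroupName $GroupName -Fast |
        Where-Object { $_.IsExpired } |
        Select-Object CI_ID, ArticleID, LocalizedDisplayName, IsSuperseded
}

foreach ($group in Get-CMSoftwareUpdateGroup) {
    $name    = $group.LocalizedDisplayName
    $expired = @(Get-ExpiredSugMember -GroupName $name)
    if ($expired.Count -eq 0) { continue }   # nothing expired in this group

    Write-Host "$name : $($expired.Count) expired update(s)"
    $expired | Format-Table ArticleID, IsSuperseded, LocalizedDisplayName -AutoSize | Out-Host

    foreach ($update in $expired) {
        # Same effect as unchecking the group under "Edit Membership" in the console.
        Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $name `
            -SoftwareUpdateId $update.CI_ID -Force -WhatIf:(-not $Apply)
    }
}
```

Removing an expired update from a group only clears the expired icon on the group; the remaining updates in the group keep deploying as before.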

Similar Messages

  • Export and Import members of a Software Update Group

    Greetings,
    I am looking for a method I can use to Export a Software Update Group (or just its members) to a file that I can then use to Import into another 2012 hierarchy. I can't use the built-in Migration process as it is already connected to a different Hierarchy.
    I have scripts that will pull Approvals from WSUS and then import into Update groups, but I also need something that I can use to copy update groups from "DEV" to "PROD" and back again.
    Any thoughts or suggestions most welcome.
    Scott.

    Hi
    You cannot export Software Update Groups in ConfigMgr 2012.
    One way of doing what you want is to use PowerShell to "dump" all the settings of your Software Update Groups and then use that file as a basis for creating the Software Update Group in production. Or you could just create all Software Update Groups using a PowerShell script which runs in dev and production.
    To get you started, you could look at the snippet of code below, which I use for creating Software Update Group automatically.
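    # Load the ConfigurationManager module that ships with the admin console
    Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0,$Env:SMS_ADMIN_UI_PATH.Length-5) + '\ConfigurationManager.psd1')
    # Switch to the site drive so the CM cmdlets have a site context
    $PSD = Get-PSDrive -PSProvider CMSite
    CD "$($PSD):"
    # Parse the release date with an explicit format so it does not depend on the local culture
    $DPDate = [datetime]::ParseExact('22-02-2011 19:00:00', 'dd-MM-yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
    $SUGName = "Workstaitions 2011 02 February"
    # Updates posted on that date that at least one client reports as missing
    $SUGMembers = Get-CMSoftwareUpdate | Where-Object {$_.DatePosted -eq $DPDate -and $_.NumMissing -ge 1} | select CI_ID
    New-CMSoftwareUpdateGroup -Name $SUGName -UpdateId $SUGMembers.CI_ID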
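The "dump to a file, recreate in the other hierarchy" approach suggested in the answer above could look like the following. This is an added example, not code from the original thread; the function names Export-SugMembership and Import-SugMembership are hypothetical, and it assumes both hierarchies synchronize the same update catalog so that CI_UniqueID identifies the same update in each (CI_ID is site-specific and is looked up again on import).

```powershell
# Added example: copy software update group membership between hierarchies
# through a CSV file. Not part of the original thread.
# Run each function from the site drive of the hierarchy it applies to, and
# pass full file system paths (for example C:\Temp\sug.csv).

function Export-SugMembership {   # hypothetical name; run in the source hierarchy
    param([Parameter(Mandatory)][string[]]$GroupName,
          [Parameter(Mandatory)][string]$Path)
    $rows = foreach ($name in $GroupName) {
        Get-CMSoftwareUpdate -UpdateGroupName $name -Fast |
            Select-Object @{n='GroupName';e={$name}}, CI_UniqueID, ArticleID, LocalizedDisplayName
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Import-SugMembership {   # hypothetical name; run in the target hierarchy
    param([Parameter(Mandatory)][string]$Path)

    # Map the catalog-wide update GUID to this hierarchy's CI_ID.
    $ciIdByGuid = @{}
    Get-CMSoftwareUpdate -Fast | ForEach-Object { $ciIdByGuid[$_.CI_UniqueID] = $_.CI_ID }

    foreach ($group in Import-Csv -Path $Path | Group-Object GroupName) {
        if (Get-CMSoftwareUpdateGroup -Name $group.Name) {
            Write-Warning "Group '$($group.Name)' already exists here; skipped."
            continue
        }
        $ids = @(); $missing = @()
        foreach ($row in $group.Group) {
            if ($ciIdByGuid.ContainsKey($row.CI_UniqueID)) { $ids += $ciIdByGuid[$row.CI_UniqueID] }
            else { $missing += $row }
        }
        # Updates not synchronized in the target cannot be added; list them
        # so the gap is visible instead of producing a silently smaller group.
        foreach ($row in $missing) {
            Write-Warning "Not in target catalog: KB$($row.ArticleID) $($row.LocalizedDisplayName)"
        }
        if ($ids.Count -gt 0) {
            New-CMSoftwareUpdateGroup -Name $group.Name -UpdateId $ids
        }
    }
}

# Usage (constructed group name and path):
#   Export-SugMembership -GroupName 'Workstations 2011 02 February' -Path C:\Temp\sug.csv
#   Import-SugMembership -Path C:\Temp\sug.csv
```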

  • Several Updates Missing from "All Software Updates"

    We've been using SCCM 2012 to patch our systems for a few months now and I thought everything was going smoothly until we got an audit back from our Security office about our boxes missing several patches, listed below.
    So I go back to the SCCM console to check whether or not the patches were listed in the "All Software Updates" group and also the custom Software Update Group that I was deploying to the systems.  And to my surprise, none of the updates were listed.  The only Software Update Point Classifications we have not enabled are Tools, the rest are enabled. I've also verified that the Software Update Point Products have Windows Server 2003, Windows Server 2008, R2, 2012, and 2012 R2 which encompass the OS of the servers that were found to be deficient.
    Why are these updates not listed in SCCM?
    How can we ensure they get listed in SCCM and applied to our servers?
    How can we prevent this from happening in the future?
    2750841: An IPv6 readiness update is available
    2775511: An enterprise hotfix rollup is available
    2732673: "Delayed write failed" error message when .pst files are stored on a network file server
    2728738: You experience a long logon time when you try to log on to a Windows client that uses roaming profiles
    2862973: Update for deprecation of MD5 hashing algorithm for Microsoft root certificate program
    2574819: An update is available that adds support for DTLS
    2894854: An update is available - .NET Framework 4.5.1
    2894844: Description of the security update for the .NET Framework 3.5.1
    HOTFIX : RDS-based applications crash in Windows 7 SP1 or Windows Server 2008 R2 SP1 or Windows Server 2008 R2 SP1 (x64)

    Hi,
    I can't say I have checked all of the updates that you post here but the ones I did check and I normally deploy as well are not published in Windows Update and that is why you don't see them in either WSUS or Configuration Manager. They are Hotfixes and not updates that are published there. So you need to download them and either import them using SCUP or deploy them using normal Software Distribution.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Three updates from the same Software Update Group showing as unknown, while all the others are showing as expected.

    Hi
    I have an issue from September's security updates where three updates from the same software update group are showing as unknown status rather than required / not required / installed etc.
    There are multiple other updates in the same update group and they are all displaying correctly with the figures I would roughly expect.
    I would have expected if something was wrong with the clients not returning software update scans that all the updates in this software update group (all deployed automatically as part of the same ADR) would show the same status of unknown, rather than just
    three of them.
    The updates in question are: KB2894842, KB2972215 & KB2977629 (First two .net 4.0 and last one IE11).
    Now these updates would largely be not required in our organisation as for the most part we use different versions so I would expect them to show as not required.
    Short of kicking off a mass software update scan cycle I don't know a) why this has happened b) if a scan cycle will fix it. Our clients scan every week and it's been several weeks since the updates were deployed, that and the other updates have all reported back in.
    Anyone have any ideas? It's making the compliance results look quite poor :(
    Thanks
    Jonathan

    Hi,
    Is there any clue in the logs? Please review WUAHandler.log.
    What is the code you get when you run compliance report, like that in the following thread:
    http://social.technet.microsoft.com/Forums/en-US/becda545-4a5e-4ea3-bd83-8c7026767af5/software-update-compliance-report-showing-status-unknown?forum=configmanagerdeployment

  • Automatic create Software Update Group and assign patches

    Does someone have, e.g., a PowerShell/VBS script which does the following:
    - step 1: verify which patches are added to Windows 7 image using SCCM 2012 Offline Servicing
    - step 2: verify all downloaded and deployed patches in the SCCM 2012 environment
    - step 3: get the multi-reboot patches
    Then creates a Software Update Group and add all patches obtained in step 2 and exclude all patches obtained in step 1 and step 3..
    Then I can assign that software update group to my Reference Image task sequence and I will not run into the currently available problems where lists are too big and software updates during the task sequence are failing :-)
    Does someone like this and want to help me with it?
    I think it is a nice solution for the patch deployment problem during the reference image task sequence phase.

    1.  I've not written a script for that but to be plain:  why?  There's no reason you shouldn't have those patches downloaded and deployed anyway in case someone makes a computer "the old fashioned way" then joins it to the domain.
    2.  This is what ADR is for.  I've got a few runbooks to help with things like cleaning up expired patches, but you shouldn't need any script for this step specifically.
    3.  Getting multi-reboot patches someone already did for you :)  http://blogs.technet.com/b/deploymentguys/archive/2015/03/11/excluding-known-multi-reboot-updates-during-a-zti-deployment.aspx
    Basically for #3, you just replace the update task with the MDT version and put this script right in front.  Bam, done :)  As for the extra scripting to exclude downloading patches you injected with DISM (#1)... I honestly don't see a point ...
    but I could probably write something if you wanted.

  • Software update group question

    I did my June updates in June and it seems to be pushing updates fine, but now I look at the JUNE update group and the icon looks like this and I know it is not finished updating all workstations.  Is there a setting to keep it active longer?
    MSB

    Also, the icon simply indicates that the group itself contains at least one expired update. This does not in any way affect the deployment of the software update group as a whole or the other updates within the group -- they will still be deployed normally.
    Only the actual update(s) that are expired will not be deployed.
    Jason | http://blog.configmgrftw.com

  • I can not update a Windows Server 2008 R2 with Software Update Group in SCCM2012

    Hi all,
    I got some problems with update deployments these days.
    I try to configure SCCM2012 to update 1 Windows Server 2008 R2 (with Hyper-V / This server is in a cluster)
    Actually i've 4 other Hyper-V servers and i would like to add one more in the cluster called Hyper-V5. To do that i need that all Hyper-V servers use the same Windows Updates.
    I created a collection for my Hyper-V servers and then a Software Update Group with all needed updates (checked the list of another HV-Server).
    I did a deployment on this collection using this new Software Update Group.
    I checked the Software Center's logs on the Hyper-V5 server and I saw that synchronization has a successful state.
    But there are no updates installed or displayed in Software Center.
    Here is some screenshots : Oh no i can't post image because ... "Body text cannot contain images or links until we are able to verify your account." waiting to be verified since months.
    Thanks for your help.

    Hi,
    Have you tried to run the Software Updates Scan Cycle and Software Updates Deployment Evaluation Cycle Actions on the client? Please check ScanAgent.log and PolicyAgent.log to see whether the client received the updates deployment policy.
    Best Regards,
    Joyce Li

  • Collections based on Software Update Group compliance

    Hi!
    Is it possible to create a collection based on software update group compliance? This is for software update groups which are
    not deployed, they are just monitor groups (for example, groups for yearly or quarterly software update compliance).
    I would like to create a collection that lists all devices which are non-compliant in software update groups with names like "%Client Updates" - is this possible?
    The reason for this is so I can impose some stricter Compliance Settings (among some other stuff) on devices that are not compliant.
    I looked around a bit, but I could not find anything that I can use. Even Google couldn't solve my question :/

    you can try something like this:
    This collection is basically sub selected query get list of computers that do not have specific assignment enabled.
    select *  from  SMS_R_System where SMS_R_System.ResourceId not in (SELECT distinct SMS_UpdateComplianceStatus.MachineID  FROM SMS_UpdateComplianceStatus JOIN SMS_UpdateDeploymentSummary ON SMS_UpdateComplianceStatus.CI_ID = SMS_UpdateDeploymentSummary.CI_ID
    WHERE SMS_UpdateDeploymentSummary.AssignmentName like "%Client Updates%")
    Eswar Koneti | Configmgr blog:
    www.eskonr.com | Linkedin: Eswar Koneti
    | Twitter: Eskonr

  • What Changes to Software Update Group Causes Clients to Re-check Compliance

    Hello,
    I have a number of software update groups that have been deployed over the past couple of years. When Microsoft release new updates etc. some of the updates already deployed change their status e.g. an update might get marked as expired. As a result of this
    I can go from having clients reporting as being compliant to a situation where they are in an unknown state until they report back again.
    Does anyone know what changes to an update already deployed would cause clients to have to check their compliance status for that software update group?
    Thank you.
    Stephen

    If you are referring to the enforcement state, this is indeed specific to the deployment, not the group itself.
    With regards to your question - Upon a change to your deployment, your clients will receive updated policy.  On a successful evaluation of the deployment, it will re-send a state message if necessary.  Unfortunately I do not know if there are certain
    things that do not trigger a policy update (i.e. change in the name or description vs. update membership or deadline change)

  • Block, Remove, Delete an Update (KB2959936, KB2932354) from "All Software Updates"

    First off I do not understand updates "KB2959936, KB2932354" as they install the program "Embedded Lockdown Manager" in my Enterprise Windows 7 and 8.1.  My understanding is Embedded Lockdown Manager is only for Windows Embedded....
    I would like to know if there is a way to remove an update from the "All Software Updates" as I know how to block an update from not being deployed however I use the "Schedule Updates" feature for an image and as far as I understand it
    makes all updates available which leaves me having to uncheck each update that I do not want in the WIM.  Since I would never want KB2959936 & KB2932354 to install EVER I would like to remove it entirely, how can I do that.

    You can't remove it. Just don't put it into a deployed software update group.
    Alternatively, what I do for updates like this is create a new folder under the All Software Updates node and move unwanted updates there (I actually create multiple folders like one for Itanium, one for Beta, one for media center, etc.).
    For these updates though, even if you accidentally deploy it, there's no risk of anything bad because they aren't applicable to anything in your environment, so adding them to a deployed update group has no end effect.
    Yes, it will bloat your WMI a bit because its part of the catalog that gets scanned and the results added to WMI, but there's nothing you can do about that (in a supported fashion anyway).
    For WIM files and scheduled updates, DISM will properly recognize these as N/A and won't add them. You can verify this by going to your OfflineServicingMgr.log.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Software update group problem on Primary SUP

    Hi All
    I hope someone can help me with the following issue it is related to SUP
    We have an environment of a CAS and a Primary Site ( I know not an ideal situation ;-))
    We have the SCCM 2012 Sp1 version with no CU update.
    We have two separate SUPS installed at separate servers one connected to the CAS site and one connected to the Primary site.
    The one connected to the CAS site connects to the internet and the one connected to primary sync’s with the other one.
    Everything works perfect but after the implementation of the new updates from the month April we have some problems.
    When I connect to the CAS site with the configuration manager console every update in the software update group have a green icon ( some are superseded and have an orange icon) and the updates all have the status of downloaded Yes and deployed Yes.
    When I connect to our primary site with the configuration manager console some updates in the same update group (as mentioned above) have a red icon and have the status of deployed yes and downloaded NO.
    Strange !!!
    I created a new update group and new package downloaded all updates again and the same thing happens as above.
    The updates KB2837579, KB2553444, KB973688, KB2687567 are correct when I connect to the CAS but when I connect to the Primary they have status downloaded NO. All other 150 updates are correct on both sites.
    There is no problem with the Sync between the SUPs when I check Software Update Point Sync status and wsyncmgr.log.
    I am lost in this one. I hope someone can help me with this or can help me where to troubleshoot.
    regards
    Johan

    > When I connect to the CAS site with the configuration manager console every update in the software update group have a green icon ( some are superseded and have an orange icon) and the updates all have the status of downloaded Yes and deployed Yes.
    > When I connect to our primary site with the configuration manager console some updates in the same update group (as mentioned above) have a red icon and have the status of deployed yes and downloaded NO.
    > Strange !!!
    Yes, even I've seen these kind of issues several times even after CM12 R2 upgrade. I had these issues normally (ONLY) with Windows XP and Windows Server 2003 server patches. It seems to me like when you DON'T have Win XP and Windows Server 2003 machines
    in Primary server DB then we're facing this issue. But I'm not very sure. This is just a thought.
    Primary server CM12 console - When you look at software update group or Package then in the “summary” there would one or more  patches show as “not downloaded” 
    But when you take a look at the properties of the patch and look at  “Content information”, it says downloaded = yes
    Anoop C Nair

  • Software Update Group not created...?

    SCCM 2012 R2
    So I'm working on patching up our servers and am not sure how the Software Update Group gets created.
    I created an Automatic Deployment Rule for the group of machines I want to patch and chose to Add to an existing Software Update Group.  However, it never prompted me for what group to update.  I checked under Software Update Groups and only have
    ones from our workstations that have been in there for a while.
    Do I have to manually create the Software Update Group for the servers to use and if so, where do I do that in the Config Manager program?
    Also, on a side note, when I view my ADRs, a couple of them say: Auto Deployment Rule results exceeded maximum number of updates.  Not sure if that's when I need to somehow break them up into Monthly groups or something like that? 
    I know there's a hard limit of updates per something but this was all originally configured by an external consultant so no one here is fully up to speed on all the nuances yet.
    Thanks!

    OK, so my ADRs are set up so that they all run on a certain date and then they have a 0, 7, or 14 day delay on when the patches become available so certain groups patch each weekend.  Since they all failed with the Too many patches error, I need to redo them.  If I make the changes and then do a "Run Now" to force them to update, will it start the 7 day delay over from when I do the Run Now or will that still go from the original date?
    And if I have the patches set to Deadline immediately, but have maintenance windows setup as Saturday 1AM - 11PM, and do not have the checkboxes checked to allow them to go outside a maintenance window, I can still do the Run Now any time and all the patches
    will then install at 1 AM on Saturday.  right?  Just don't want things to start installing in the middle of the day and mess everything up. :)
    Thanks!

  • Add an Update to the Software Update Group - where it's been monitored?

    Hello all,
    I'm looking for a solution to get the Updates for adding to a Software Update Group in SCCM 2012 R2.
    Which components (Message type, Severity, Message ID,...) are concerned?
    Or which log files are concerned?
    I will use the "Status Filter Rules" to create a new rule that will send me an E-Mail which lets me know all the Updates that have been added to the Software Update Group.
    Many Thanks
    Andreas

    Just add an update to a software update group and see if a status message is being generated. Without having tested it: I think there will be one, but it will only tell that user xyz modified SUG abc, but you won't see which update was added. 
    Torsten Meringer | http://www.mssccmfaq.de

  • Create software update group that only contains post service pack hotfixes?

    I'm creating software update groups for server and workstation OS.  Is there a way to exclude pre-service pack updates from an update group (or even the search itself)?  Example: all of our machines already have Windows 7 SP1 installed, therefore
    I don't need to include any updates that were included in SP1.  I know only required updates will be installed, but I'd rather not waste disk space downloading ones I don't need.  Thx

    The console shows you how many devices in your hierarchy require a given update. If you don't want to see updates that are not required by any devices, select Add Criteria > Required > Greater or Equal to 1 > Search. This assumes that the Software
    Updates Evaluation cycle is run on the devices...
    If you apply SP1 to all devices, the individual updates (pre-SP1), should not be required by the devices (they may even become superseded by SP1 - depends)... The count of Required in the console should be 0...
    I know this is not the exact answer you're looking for, but it's easy...

  • Limit 'Specific computer' report to a Software Update Group

    I'm trying to get the SCCM 2012 report 'Compliance 5 - Specific computer' limited to an update group rather than reporting against every applicable patch.
    In the environment I'm working in we are only interested in reporting on compliance against an agreed list of 'released' updates (we don't release all updates to our server estate). When you start reporting with the 'Compliance 1  - Overall compliance'
    we can select our 'master' software update group here and get the correct compliance status. We can then drillthrough these status into the next report, 'Compliance 7' and the update group is passed through into this report along with the collection and relevant
    status.
    However when we drillthrough to the next report, 'Compliance 5 - Specific computer', the update group is not passed through or used in this report so we get a compliance status for the specific computer against every update. I want to use the update group
    in the last report to limit what's returned here.
    Can anyone help with this? I'm lacking the SQL expertise to be able to add the relevant code to the last report.

    I think you're looking for the Compliance 3 - Update group (per update) report. In this report you can select an update group and a collection and the report will return the compliance data of that combination.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    The report 'Compliance 3..' is a summary report for each patch against a collection. This is completely different from what I'm trying to achieve, which is a detailed breakdown of compliance against each patch in an update group for a specific computer.
