Collection query - software update compliance status

Similar Messages

• Software Update Compliance Status Showing Wrong

  Greetings,
  When reviewing software updates in the Software Library I noticed that one of them seems to be "stuck" with old information. It is showing the summarization results from a time in the past where it was correct, however it is no longer correct but
  it will not update to show the correct states.
  In short an update is showing as INSTALLED on several clients where it is clearly not installed.  I have verified the WindowsUpdate.log file with debug/verbose logging and on each client it reports as well that it is not installed. 
  Not sure how an update gets "stuck" on its states, but if there was a way to "reset" and update and have it place all the clients back in unknown and then allow for all the clients to refresh that would be great. Because no amount for
  forcing the scans and summarizations seems to make the update unstuck.

  No they are also wrong, I checked the DB tables and views which match the UI and Reports. Which is why I call it being "stuck" in an old state. The endpoints are running scans and their results are correct however either they are not getting up to the
  server or they are and the server is ignoring them.  The only odd thing is the other updates are correct. This could be meaningless because they were correct at the time the others got stuck with wrong info. So they all may actually be stuck in the old
  state.

• How can you see Software Update compliance breakdown by Client?

  I want to see a view in the Software Library that breaks down by client what is shown in the "All Software Updates" node.
  Basically, with SCCM 2012 you can see all the software updates and there compliance summary which is nice, however I can't find a way to see a detailed version of this that breaks this all down by client.  
  For example if I have a Software Update that is Required on 5, Not Required on 3, Installed on 4, and Unknown on 2 clients I want to know which specific clients make up those numbers. I want to know which clients are required, which are not required, which
  are already installed and which are unknown.
  There doesn't seem to be a view like this in SCCM 2012 and its very odd that it doesn't provide this look into the data.
  Am I missing something, can someone point me to the way to see this data quickly.

  I am aware of that view however that is just mapping the state number to a name for several different "TopicTypes". And the one you are point to is actually not for Software Updates Scan Status. The TopicType for a Clients Update Scans is 500,
  which has 0-3 only. 0 is supposed to be Unknown, 1 not-required, 2 required, and 3 installed.
  They set the status for an endpoint/update for 2 and 3 but I have several Unknown, and Not-Required and they don't write those rows to the database if they are in that state. 
  It seems when they are gathering data from the client the summarize everything, and one keep the specific rows for clients if they are required or installed, and they don't create a row for the other states. From some digging it looks like they stored this
  data in 2007, but dropped in in 2012.  
  Maybe it is to conserve space or something I don't know but its stupid. It would be nice if there was a hidden setting that would enable it to store these rows as the database is set to collect them, they just don't.
  FYI...
  For WMI Queries you can use SMS_StateInformation which maps to the v_StateNames.

• Software Updates Compliance Report for Specific Computer - DatePosted

  Hello, I am using the default report to know the Software updates compliance state for a specific computer. The business requirement is to get date the software update has been posted in the same report. So the report should contain columns as follows:
  Title
  Update Class
  Bulletin ID
  Date Released/Date Posted 
  Article ID
  Vendor
  Approved
  Installed
  Is Required
  Unique Up[date ID
  The default report shows up all the columns except the date posted. Please help me with a query with which we can get date released with all the other columns.
  Appreciate your help!
  Thanks

  Hi,
  Please refer to the link below:
  Troubleshooting SCCM Software Update Deployment Package distribution due to missing directories
  http://blogs.technet.com/b/ken_brumfield/archive/2013/01/10/troubleshooting-sccm-software-update-deployment-package-distribution-due-to-missing-directories.aspx
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• [Solved partially] Sql query for updates compliance

  Hello
  I'm trying (with no success) to translate the "Software+Updates+-+A+Compliance%2fCompliance+1+-+Overall+compliance" report into a sql query that must run for a specific
  Software update group and for a specific Collection ID.
  The expected result should be like the report it self, I mean 3 lines with Kpi (pourcentage).
  The main query in this report is : 
  select
  CollectionID=@CollID,
  Status=sn.StateName,
  cs.NumberOfComputers,
  PComputers=convert(float, isnull(cs.NumberOfComputers, 0)*100.00) / isnull(nullif(cs.NumTotal, 0), 1),
  AuthListID=@AuthListID
  from (select CI_ID, NumTotal, [0]=NumUnknown, [1]=NumPresent+NumNotApplicable, [2]=NumMissing
  from fn_rbac_UpdateSummaryPerCollection(@UserSIDs)
  where CI_ID=@CI_ID and CollectionID=@CollID
  ) cnt
  unpivot (NumberOfComputers for [Status] in ([0], [1], [2])) cs
  left join fn_rbac_StateNames(@UserSIDs) sn on sn.TopicType=300 and sn.StateID=cs.Status
  where cs.NumberOfComputers>0
  order by cs.NumberOfComputers desc
  I have no clue on how to replace or use fr_rbac view when run outside a report.
  Can you please help me ?
  Thanks

  Hi,
  Glad to hear that and thank you for your sharing.
  Best Regards,
  Joyce
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Software Updates Compliance Report issue

  Hi all,
  I came across a weird behavior in built-in reports and I am looking for a fix or explanation.
  I am trying to use "Software Updates - A Compliance" category -> "Compliance 4 - Updates by vendor month year" report, but when I choose the desired collection (All Servers) and keep the rest as "All values" (as I want to
  list everything), report shows only 12 pages of results. By this I can't see all as the report is truncated. If I specify year, I get results which are not listed in "All values". I can get the list of updates by selecting each year separately and
  export them, but...
  Can someone explain why the report shows incomplete results and only 12 pages?
  Thanks in advance!
  Arnie

  I looked at the SQL Query what is been used in the SSRS Report .seems like the name all values misleading here.
  as per the declaration of these input variables,the all values means ,Null or empty.
  If at all,you need to get all KB information from very long date as you mean ,get all the values,then you should really modify the query.
  SQL is mainly doing the filter based on the following (apart from joins):
  (@FromDate is null or ci.DateRevised>=@FromDate and ci.DateRevised<@ToDate)
                and (@VendorID=0 or @VendorID=ven.CategoryInstanceID) 
                and (@ClassID=0 or @ClassID=cls.CategoryInstanceID)
                and (@ProductID=0 or @ProductID=prd.CategoryInstanceID)
              order by ci.DateRevised desc
  for Ex: If you select vendor as 'All Values' ,means nothing, implies vendor is blank. You can try selecting the vendor as All Values and you get the KB information for only with vendor as Null.
  declare @VendorID int = case when @Vendor='' then 0 else (select CategoryInstanceID from v_CategoryInfo where CategoryTypeName='Company' and CategoryInstanceName IN (@Vendor)) end
  from the above vendor select statement, you must supply some value to it either Microsoft,adobe or local publisher else ,the declare statement treat the vendor value as blank .
  Next ,Year :
  declare @FromDate datetime = case when @Year!='' then convert(datetime, @Year+'-'+case when @MonthNumber!='' then @MonthNumber else '01' end+'-01', 20) end
  for year and month,you should select the value otherwise,you get the information with null values or so.
  Same goes for Month ,product ,Update Class.
  declare @ToDate datetime = case when @Year!='' then dateadd(month, case when @MonthNumber!='' then 1 else 12 end, @FromDate) end
  declare @ProductID int = case when @Product='' then 0 else (select CategoryInstanceID from fn_rbac_CategoryInfo(@lcid, @UserSIDs) where CategoryTypeName='Product' and CategoryInstanceName=@Product) end
  declare @ClassID int = case when @UpdateClass='' then 0 else (select CategoryInstanceID from fn_rbac_CategoryInfo(@lcid, @UserSIDs) where CategoryTypeName='UpdateClassification' and CategoryInstanceName=@UpdateClass) end
  Eswar Koneti | Configmgr blog:
  www.eskonr.com | Linkedin: Eswar Koneti
  | Twitter: Eskonr

• Need help to check the software update deployment status before restart the VM

  Hello,
  I'm just trying to automate the windows patch deployment for several VM's, I build the entire logic like below,
          Deploy software update --> wait for sometime-->Restart --> Check deployment status(collection = iscomplaint) -->stop
  I know here I'm missing the logic of not checking the patch deployment status before restarting, Can someone help here plz?
  Regards,
  Julie

  Hello
  you can configure a loop for your Activity " Get deployment status(filtered the collection name " until status is succeeded, failed with an embedded loop: http://technet.microsoft.com/en-us/library/hh403826.aspx
  Regards,
  Stefan
  www.sc-orchestrator.eu ,
  Blog sc-orchestrator.eu

• Software Update Monitoring Status

  Hi,
  We have deployed a software update group to a small device collection consisting of 2 machines as a test.  We noticed that when looking at the deploy status of the software update group, it seems to want to show us data as it relates to all of server
  and desktop machines that have active clients.   It would seem like if we deploy the software update group to a device collection that has 2 machines, then the status would be relative to those 2 machines.
  screen shots are shown below.
  Am I looking at this wrong?
  Thanks Lance

  If you are not satisfy with Matteo reply, you can create a deployment report based on collection and Update title, like below.
  SELECT DISTINCT(sys.Name0) AS [Computer Name],
  UCS.Status AS [Patch Status Code],
  UI.BulletinID AS [Bulletin ID],
  UI.Articleid AS [Article ID],
  UI.Title AS [Title],
  UI.Description AS [Description],
  CASE 
  WHEN UCS.Status='2' THEN 'Applicable'
  WHEN UCS.Status='3' THEN 'Installed'
  ELSE '' END AS 'Patch Status'
  FROM v_R_System SYS
  LEFT JOIN v_Update_ComplianceStatusAll UCS ON SYS.ResourceID=UCS.ResourceID
  INNER JOIN v_UpdateInfo UI ON UCS.CI_ID=UI.CI_ID
  WHERE UCS.Status in('2','3')  and UI.Title like '%Security Update for Windows 7 for x64-based Systems (KB2926765)%' 
  and sys.Name0 in(select name0 from v_FullCollectionMembership where CollectionID='SMS00001')
  ORDER BY UCS.Status

• Software Updates - Compliance Report Discrepency - Updates Listed in Report that aren't part of the deployment

  I will try to explain this as clearly as I can.  I've been unsuccessful in trying to search for this exact problem.  I've not yet called support on this as it's not critical.
  I recently began to see a problem in that our compliance reports showed two servers as compliance status unknown for an extended period of time.  I made sure they had the most current version of
  the WUA, I re-installed the SCCM agent, I manually applied patches using windows update directly on the machine.  I've tried running the "RefreshSererComplinaceState" vbscript.  However, the same issue persisted.  I also noticed that
  the number of servers listing as compliant and non-compliant remained relatively the same between deployments of
  windows updates.
  I began to research the compliance report "Compliance 1 - Overall Compliance".  I began to see that there were updates listed in the report which do not correspond to updates which are
  members of the deployment.
  Example, The following patch "Update for Windows Server 2008 R2 x64 Edition (KB2800095)" I currently don't have as a member of any of my deployment packages.  It's not a member of any
  of my update groups.  Yet, it's consistently being reported in the list of updates in that update group.  That's one of several like that.  It's not something I've encountered before.
  Is there a way to reset my updates list on the server side the next time I get ready to do updates?

  Hi,
  Here is a good blog discussed the issue:
  http://damatisystemcenter.com/2013/07/21/sccm-client-unknown-status-what-could-be/
  In the meantime, please check UpdatesHandler.log on the client which status show unknown.

• Software Update Compliance Report in SCCM 2012

  Hi Everyone,
  My question is in sccm 2007 we generate the  compliance report based on update list without downloading the patches just adding the same to update list, However the update list is being replaced by update group in sccm 2012, How can we achieve the same
  in sccm 2012 or do we need to build the custom report if yes please let me know.
  Thanks In Advanced
  ashu Maheshwari

  Because of the retrograde reporting for WSUS data in SCCM, I have the "send info to WSUS" checked on the SUP so I can view data in the old WSUS console. By comparing what computers need how many patches and using the reports in SCCM, you can see massive
  discrepancies in both how many computers need patches and how many patches each computer needs. For example, WSUS will say ComputerA needs 10 patches and SCCM will say it needs 6, or whatever. As far as these two points go, WSUS is far more accurate. 
  I first noticed this months ago.
  I think this is not a matter of how the SCCM queries are written, but because SCCM is far more flaky than WSUS. To me, WSUS is like a good reliable run of the mile car and SCCM is like a race car--powerful but finicky and persnickety. It's harder to get
  clients to fully check in with SCCM. SCCM can do lots but my biggest gripes with it are:
  1) Clients especially flaky and persnickety, one tiny thing gets out of whack and it won't work
  2) WSUS is far more accurate in reporting what patches are needed
  3) For WSUS reporting, they took a lot of WSUS-related/patch reporting out of SCCM, towit you can't get the info you used to be able to get without writing a custom report. This is why you can easily find code samples on the net. And along that point I still
  can't get report builder to work and I don't have another report tool available to me. I know the SQL code samples I have work because I can run the queries in Mgmt Studio.
  Ben JohnsonWY

• Collections based on Software Update Group compliance

  Hi!
  Is it possible to create a collection based on software update group compliance? This is for software update groups which are
  not deployed, they are just monitor groups (for example, groups for yearly or quarterly software update compliance).
  I would like to create a collection that lists all devices which are non-compliant in software update groups with names like "%Client Updates" - is this possible?
  The reason for this is so I can impose some stricter Compliance Settings (among some other stuff) on devices that are not compliant.
  I looked around a bit, but I could not find anything that I can use. Even Google couldn't solve my question :/

  you can try something like this:
  This collection is basically sub selected query get list of computers that do not have specific assignment enabled.
  select *  from  SMS_R_System where SMS_R_System.ResourceId not in (SELECT distinct SMS_UpdateComplianceStatus.MachineID  FROM SMS_UpdateComplianceStatus JOIN SMS_UpdateDeploymentSummary ON SMS_UpdateComplianceStatus.CI_ID = SMS_UpdateDeploymentSummary.CI_ID
  WHERE SMS_UpdateDeploymentSummary.AssignmentName like "%Client Updates%")
  Eswar Koneti | Configmgr blog:
  www.eskonr.com | Linkedin: Eswar Koneti
  | Twitter: Eskonr

• Query for Software Updates Reports Install Date for only Some of the Installed Updates

  We use the following query to retrieve a list of software updates for a specific collection and software update group.  There are many cases where the installation status of a software update is 'installed' but there is no corresponding 'install
  date'.  Can anyone tell me why?
  declare   @AuthListLocalID as int
  declare @CollID as varchar(8)
  Select @CollID=CollectionID
  from v_Collection
  WHERE CollectionID='ZSV0000A'
  select @AuthListLocalID=CI_ID from   v_AuthListInfo
  where    CI_UniqueID='ScopeId_EAD5EB80-CC39-4EA2-B08F-A45BB84F1D76/AuthList_4DEAD110-5740-495E-8BD8-467A55C50A0C'
  select
  rs.Name0 as ServerName,
  catinfo.CategoryInstanceName as Vendor,
  catinfo2.CategoryInstanceName as   UpdateClassification,
  ui.BulletinID as BulletinID,
  ui.ArticleID as ArticleID,
  Case ui.Severity WHEN 10 THEN 'Critical' WHEN 8 THEN 'Important' ELSE LTRIM(ui.Severity) END as Rating,
  ui.Title as Title,            
  Targeted=(case when ctm.ResourceID is not   null then '*' else '' end),
  Installed=(case when css.Status=3 then   '*' else '' end),
  IsRequired=(case when css.Status=2 then   '*' else '' end),
  Deadline=cdl.Deadline,            
  CAST(CASE   IsNull(AddRem.InstallDate0,CAST('1/1/1900' as smalldatetime)) WHEN   CAST('1/1/1900' as smalldatetime) THEN AddRem64.InstallDate0 ELSE   AddRem.InstallDate0 END as Date) as 'Install Date',
  ui.InfoURL as InformationURL
  from v_UpdateComplianceStatus css
  inner join v_UpdateInfo ui on   ui.CI_ID=css.CI_ID
  inner join v_CIRelation cir 
  on ui.CI_ID=css.CI_ID and cir.ToCIID =   ui.CI_ID -- add this
  inner join v_CICategories_All catall on   catall.CI_ID=ui.CI_ID 
  inner join v_CategoryInfo catinfo on   catall.CategoryInstance_UniqueID = catinfo.CategoryInstance_UniqueID and   catinfo.CategoryTypeName='Company' 
  inner join v_CICategories_All catall2 on   catall2.CI_ID=ui.CI_ID 
  inner join v_CategoryInfo catinfo2 on   catall2.CategoryInstance_UniqueID = catinfo2.CategoryInstance_UniqueID
  and   catinfo2.CategoryTypeName='UpdateClassification'
  left outer join v_CITargetedMachines ctm   on ctm.CI_ID=css.CI_ID
  and ctm.ResourceID = css.ResourceID
  left outer join v_GS_ADD_REMOVE_PROGRAMS   AddRem on css.ResourceID = AddRem.ResourceID and ui.Title =   AddRem.DisplayName0
  left outer join   v_GS_ADD_REMOVE_PROGRAMS_64 AddRem64 on css.ResourceID = AddRem64.ResourceID   and ui.Title = AddRem64.DisplayName0
  left outer join (select atc.CI_ID
  ,CreationTime=min(a.CreationTime)
  ,ExpirationTime=min(a.ExpirationTime)
  ,StartTime=min(a.StartTime)
  ,EnforcementDeadLine=min(a.EnforcementDeadLine)
  ,LastModificationTime=min(a.LastModificationTime)
  ,Deadline=min(a.EnforcementDeadline)
  from v_CIAssignment a
  inner join v_CIAssignmentToCI atc on   atc.AssignmentID=a.AssignmentID
  group by atc.CI_ID) cdl  
  on cdl.CI_ID=css.CI_ID
  left outer join v_R_System rs ON   css.ResourceID=rs.ResourceID
  where    css.ResourceID in (
  Select vc.ResourceID
  FROM v_FullCollectionMembership vc
  WHERE vc.CollectionID=@CollID)
  and cir.FromCIID=@AuthListLocalID
  and cir.RelationType=1  
  order by
  catinfo.CategoryInstanceName
  , catinfo2.CategoryInstanceName
  , ui.ArticleID

  Hi Mate,
  Its really difficult to do get the installed date of the patches as there is no table available in SCCM  DB to pull this info i had a requirement in the past but i was unable to do had done it via work around.
  This can be done after editing of sms_def.mof file or else using the power-shell script in windows server 2008 where the powershell is a feature by default.
  H/W inventory: 
  For the 2000 servers this has to be installed but if we enable this its mentioned it may utilize upto 100 % of the Memory during the h/w inventory you can check that in your SMS_DEF.MOF  -
  QuickFixEngineering you can see the warning.uickFixEngineering
  http://support.microsoft.com/kb/279225/en-us
  Powershell script:
  http://msmvps.com/blogs/richardsiddaway/archive/2011/10/23/1760058.aspx
  the warning for the quick fix engineering is not there on 2012 but there on 2007 hope the info help you to achieve your output.
  Kamala kannan.c| Please remember to click “Mark as Answer” or Vote as Helpful if its helpful for you. |Disclaimer: This posting is provided with no warranties and confers no rights

• Best practice in getting compliance rates of Software Update Deployments

  Hi,
  Would like to ask around on how others generate reports about software update deployment compliance. What do you use to get this report? Are there best practices for gathering software update compliance reports?

  There is not really a best-practice on reports that you need to use for compliancy on software updates. One of the reports I often use to check the compliancy is
  Compliance 1 - Overall compliance as it provides a good overview of a specific collection for an update group. For more details you can use
  Compliance 3 - Update group (per update).
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• Software Updates deployment remains at unknown status

  I have a curious issue where the deployment summarization is showing all required clients as "Client check passed" but they never progress and further. If I drill down into the to updates with the software update group they appear to of deployed?
  This is only effecting this one deployment there is nothing wrong with the clients it only appears to be the reporting mechanism?
  Any help appreciated.
  SCCM Deployment Technician

  Unknown means ,either that the client system did not complete the software  update scan or the site server did not receive the software update scan status from the client .You should check the logs (wuahandler.log--scan status , ,updatesdeployment.log--deployment
  ,updatestore.log--what is missing and what is installed) for further troubleshooting. you may also required to refresh the compliance state ,script avilable here https://msdn.microsoft.com/en-us/library/cc146437.aspx?f=255&MSPPError=-2147217396
  Eswar Koneti | Configmgr blog:
  www.eskonr.com | Linkedin: Eswar Koneti
  | Twitter: Eskonr

• Software Updates Deployment Evaluation Cycle Enforcement state unknown

  Hi All,
  I have an issue were I deployed software updates to a collection that have a maintenance window of 5 hours. The next day when I checked the deployments tab it show the updates as 75% compliant with 3 Servers failed to install updates as no further maintenance
  windows were planned.
  I then check the deployments tab 2 days later and it still showed 75% compliant but all the servers were in the unknown Client
  check passed/Active
  Is this because I have no further maintenance windows please advise and if not how can I resolve this thanks 

  You should not use the deployments node in the console to check for software updates compliancy. The reason is because it shows the status of the deployment and not of the installation of the updates. For example if the updates are installed, the deployment
  will show compliant, but when the next re-evaluation of the deployment fails, the deployment will show as failed, while the updates are actually still installed. So always use the reports to check for compliancy.
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude