Collections based on Software Update Group compliance

Hi!
Is it possible to create a collection based on software update group compliance? This is for software update groups which are
not deployed, they are just monitor groups (for example, groups for yearly or quarterly software update compliance).
I would like to create a collection that lists all devices which are non-compliant in software update groups with names like "%Client Updates" - is this possible?
The reason for this is so I can impose some stricter Compliance Settings (among some other stuff) on devices that are not compliant.
I looked around a bit, but I could not find anything that I can use. Even Google couldn't solve my question :/

You can try something like this:
This collection is basically a sub-select query that gets the list of computers that do not have a specific assignment enabled.
select * from SMS_R_System
where SMS_R_System.ResourceId not in (
    SELECT distinct SMS_UpdateComplianceStatus.MachineID
    FROM SMS_UpdateComplianceStatus
    JOIN SMS_UpdateDeploymentSummary ON SMS_UpdateComplianceStatus.CI_ID = SMS_UpdateDeploymentSummary.CI_ID
    WHERE SMS_UpdateDeploymentSummary.AssignmentName like "%Client Updates%")
Eswar Koneti | Configmgr blog: www.eskonr.com | Linkedin: Eswar Koneti | Twitter: Eskonr

Similar Messages

  • What Changes to Software Update Group Causes Clients to Re-check Compliance

    Hello,
    I have a number of software update groups that have been deployed over the past couple of years. When Microsoft release new updates etc. some of the updates already deployed change their status e.g. an update might get marked as expired. As a result of this
    I can go from having clients reporting as being compliant to a situation where they are in an unknown state until they report back again.
    Does anyone know what changes to an update already deployed would cause clients to have to check their compliance status for that software update group?
    Thank you.
    Stephen

    If you are referring to the enforcement state, this is indeed specific to the deployment, not the group itself.
    With regards to your question - Upon a change to your deployment, your clients will receive updated policy.  On a successful evaluation of the deployment, it will re-send a state message if necessary.  Unfortunately I do not know if there are certain
    things that do not trigger a policy update (i.e. change in the name or description vs. update membership or deadline change)

  • Deploying one software update group to multiple collections.

    Good Afternoon,
    We are in the process of rolling out Windows updates to our server environment.  This will be the first rollout on a mass scale. Previously, we have rolled out to about 4 collections to test.
    In a prior life, I managed deploying Windows updates using SCCM 2007. You were able to target a deployment to a parent collection and select the option to deploy to sub-collections.
    With CM2012, we have a parent folder and our collections live inside of this folder.  My question is this: how can I deploy my software update group without having to create a deployment targeted to each individual collection?  Our structure looks
    like this
    Parent Folder (Production)
    Subfolder (Monthly)
    Monthly Collections
    We have 43 monthly collections for production.  I would prefer to not have to create 43 different deployments.  Can you target the parent folder and include the collections?  I read another article where CM2012 did away with the use of SubCollections,
    but I have not been able to verify that.
    Any assistance would be appreciated.
    Thank You
    Brian Dougherty

    You can still do something similar as with a top collection in CM07. In CM12 you can use the include collection. So that would mean that one collection can include multiple collections, which allows you to target only one collection. Those separate collections
    can then be used for different maintenance windows (or whatever you want to do with it).
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • All Software update groups expired

    Hi,
    Please see http://social.technet.microsoft.com/Forums/en-US/39b60e34-f30a-4963-a08b-6a8e13e44b91/software-update-groups-grey-icon-with-x-?forum=configmanagersecurity
    for reference.
    We created update lists for Windows 7 with Office, automatic updates for SCEP, they all are expired (Expired icon of http://technet.microsoft.com/en-us/library/hh848254.aspx). I don’t want them to expire. I want to make sure every new
    OS will get the latest updates + antivirus updates.
    Not sure if this is by design, an error on SCCM (http://social.technet.microsoft.com/Forums/en-US/0c13c27d-55a9-4f56-8ac0-f9053301ab0c/all-updates-in-sccm-software-updates-are-set-to-expire?forum=configmgrsum =>
    my SCUP is there) or there is some misconfiguration.
    Please advise. J.
    Jan Hoedt

    Jan,
    > *Can you help me with this mechanism, I'm not familiar with it?
    While viewing the updates that are a member of the software updates group, either sort by the "Expired" column or filter by Expired = Yes.  Select all expired updates, right click, and select "Edit Membership".  Uncheck the checkbox for the software
    update groups you are trying to remove them from.
    > *I seem to remember there was somewhere an option that mentioned expired
    This option has to do with how long 'superseded' updates will remain available for deployment.  You can set under Administration > Site Configuration > Sites.  Right click on your site and select Configure Site Components > Software Update
    Point.  The setting is on the "Supersedence Rules" tab.
    However, Microsoft will also directly expire updates from time to time as well.  In general, this is normal and something you shouldn't worry about managing.  When the update has been expired by Microsoft, it is something you couldn't install even
    by going to Windows Update, so you shouldn't worry trying to deploy them.  Instead, deploy the current updates instead of superseded ones.
    >How can I automate this (not automatically apply but using manually which updates to use and deploy at times I choose)?
    For organizations with very simple Software Update processes, you could use an Automatic Deployment Rule to select updates based on a criteria, download the content to a deployment package, add the updates to a software update group, and create a deployment
    to a collection.  That deployment can be 'available' and not required if you plan to hand install them later.
    This documentation gives you an overview of how all the Software Update Management features work:
    http://technet.microsoft.com/en-us/library/gg682168.aspx#BKMK_DeploymentWorkflows
    And this blog post gives an example of using an ADR:
    http://blogs.technet.com/b/configmgrdogs/archive/2012/05/08/configmgr-2012-automatic-deployment-rules.aspx
    I hope that helps,
    Nash
    Nash Pherson, Senior Systems Consultant, Now Micro

  • Limit 'Specific computer' report to a Software Update Group

    I'm trying to get the SCCM 2012 report 'Compliance 5 - Specific computer' limited to an update group rather than reporting against every applicable patch.
    In the environment I'm working in we are only interested in reporting on compliance against an agreed list of 'released' updates (we don't release all updates to our server estate). When you start reporting with the 'Compliance 1  - Overall compliance'
    we can select our 'master' software update group here and get the correct compliance status. We can then drillthrough these status into the next report, 'Compliance 7' and the update group is passed through into this report along with the collection and relevant
    status.
    However when we drillthrough to the next report, 'Compliance 5 - Specific computer', the update group is not passed through or used in this report so we get a compliance status for the specific computer against every update. I want to use the update group
    in the last report to limit what's returned here.
    Can anyone help with this? I'm lacking the SQL expertise to be able to add the relevant code to the last report.

    I think you're looking for the Compliance 3 - Update group (per update) report. In this report you can select an update group and a collection and the report will return the compliance data of that combination.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    The report 'Compliance 3..' is a summary report for each patch against a collection. This is completely different from what I'm trying to achieve, which is a detailed breakdown of compliance against each patch in an update group for a specific computer.

  • Software Update Deployment Compliance Percentage

    I deployed a Software Update group to a collection of computers at the beginning of the week.  I've been monitoring the deployment in the SCCM console and yesterday the compliance % was up to around 25% give or take.  Now today when I look the
    compliance % has dropped back to 0%.  I have tried running the summarization multiple times with no luck.  How can I go about fixing this so I can see which machines have gotten the updates and which have not.  I appreciate any help that anyone
    can offer.  Thanks...

    Those numbers are really only about the deployment and will change when it's reevaluated. To check the compliance of the devices don't use the console as the information might be misleading and/ or misinterpreted. Instead use the reports, more specifically
    the compliance reports. For example Compliance 1 - Overall compliance can be a big help.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • I can not update a Windows Server 2008 R2 with Software Update Group in SCCM2012

    Hi all,
    I got some problems with update deployments these days.
    I'm trying to configure SCCM2012 to update 1 Windows Server 2008 R2 (with Hyper-V / this server is in a cluster).
    Actually I have 4 other Hyper-V servers and I would like to add one more to the cluster, called Hyper-V5. To do that I need all Hyper-V servers to use the same Windows Updates.
    I created a collection for my Hyper-V servers and then a Software Update Group with all needed updates (checked the list of another HV-Server).
    I did a deployment on this collection using this new Software Update Group.
    I checked the Software Center's logs on the Hyper-V5 server and I saw that synchronization has a successful state.
    But there are no updates installed or displayed in Software Center.
    Here are some screenshots: Oh no, I can't post images because ... "Body text cannot contain images or links until we are able to verify your account." Waiting to be verified for months.
    Thanks for your help.

    Hi,
    Have you tried running the Software Updates Scan Cycle and Software Updates Deployment Evaluation Cycle actions on the client? Please check ScanAgent.log and PolicyAgent.log to see whether the client received the updates deployment policy.
    Best Regards,
    Joyce Li
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • SCCM 2012 Software Update Group Statistics showing wrong Asset Count

    Under Software Update Groups, in the summary tab, the statistics section shows total asset count: 5.   I only have this group deployed to one collection with 1 machine.
    I have a second Software Update Group where, in the summary tab, the statistics section shows total asset count: 5.   I only have this group deployed to one collection with 3 machines.
    The two collections have only one machine in common.
    I tried to run a summarization but these numbers are not updating.
    Where does the asset count come from and how do I get it to display correctly?
    Thanks,

    The asset counts shown in the console for software groups are not specific to any collection or deployment. If you want numbers specific to a collection, you need to use reporting or a console query.
    Jason | http://blog.configmgrftw.com

  • Three updates from the same Software Update Group showing as unknown, while all the others are showing as expected.

    Hi
    I have an issue from September's security updates where three updates from the same software update group are showing as unknown status rather than required / not required / installed etc.
    There are multiple other updates in the same update group and they are all displaying correctly with the figures I would roughly expect.
    I would have expected if something was wrong with the clients not returning software update scans that all the updates in this software update group (all deployed automatically as part of the same ADR) would show the same status of unknown, rather than just
    three of them.
    The updates in question are: KB2894842, KB2972215 & KB2977629 (First two .net 4.0 and last one IE11).
    Now these updates would largely be not required in our organisation as for the most part we use different versions so I would expect them to show as not required.
    Short of kicking off a mass software update scan cycle I don't know a) why this has happened b) if a scan cycle will fix it. Our clients scan every week and it's been several weeks since the updates were deployed, that and the other updates have all reported
    back in.
    Anyone have any ideas? It's making the compliance results look quite poor :(
    Thanks
    Jonathan

    Hi,
    Is there any clue in the logs? Please review WUAHandler.log.
    What is the code you get when you run compliance report, like that in the following thread:
    http://social.technet.microsoft.com/Forums/en-US/becda545-4a5e-4ea3-bd83-8c7026767af5/software-update-compliance-report-showing-status-unknown?forum=configmanagerdeployment

  • Automate the set of patches in the software update group

    Up until now, we have been creating new software update groups for each Patch we are doing with Config Manager 2012 sp1.   For instance every weekend we are pushing out patches to workstations.   These are Windows 7, 8 and 8.1 updates.
    After synchronizing the latest software updates in Config Manager, we pull up our saved search and highlight all the updates and add them to a software update group.   We then deploy this software update group to a device collection.
    Is there any way to avoid this step of updating the software update group with the list of patches to go out that week?   This seems to be a manual step each time.
    Thanks
    Lance
    Thanks Lance

    More info:
    Operations and Maintenance for Software Updates in Configuration Manager
    http://technet.microsoft.com/en-us/library/gg712304.aspx#BKMK_AutoDeploy
    System Center 2012 Configuration Manager Best Practices
    http://social.technet.microsoft.com/wiki/contents/articles/11215.system-center-2012-configuration-manager-best-practices.aspx#Best_Practices_for_Software_Updates

  • Downloaded additional language for software update group question

    Hi,
    We have some clients where the updates are stuck at downloading at 66% and I think it may be due to missing a language. So I went into the software update group and redownloaded it again with the additional language selected. Do I now need to do anything
    else? Do I need to re-deploy it to the collection again? Just not sure if more is required after downloading the additional language? TIA

    Correct. You can log in to any endpoint in that state and run the machine policy evaluation cycle, or use right click tools to do so, and you should see that client download the missing update.
    Additionally, you can check logs for more details on what is really going on:
    UpdatesDeployment.log UpdatesHandler.log - both in C:\Windows\CCM\Logs folder and C:\Windows\WindowsUpdate.log

  • Creating software update group for required updates ?

    Hello,
    I've been trying to find an easy way to create a software update group that contains required security updates for a specific device collection but no solution yet. It is easy to get which security updates are required for that collection via SQL query or
    by using the built-in report in sccm2012. The problem is, there is no way to easily create an update group to deploy from those lists. You have to add them one by one and that takes so much time. So I would be glad if someone has an answer for me.
    Best Regards,

    Thanks for your quick response. I have hundreds of required updates in the software update section. So you say deploy all of them to that collection even though most of them are not required for those devices. At this point it seems unreasonable to deploy so many
    unnecessary files, which will increase the burden on network and devices while it also increases the risk of failures. On the other hand it is also very time consuming to add approx. 50 updates one by one to an update group.

  • Software Update Group SQL Info

    Hi
    I'm trying to create a notification using Orchestrator when a software update group (which is created by an ADR) is created. Can anyone tell me which view to look in to find the information. I've tried several so far to no avail. If I can get the updates
    contained in this group that would be even more useful.
    Reasons for needing a notification are that the customer requires all software updates to go through change control but wants to cut down administrative overhead in deploying software updates, so an ADR has been created to download but not deploy them so all
    an administrator has to do is deploy the group once approved, rather than create the group, wait etc.

    Sorry I don't think this is achieving what I've asked as the xml files contain multiple scope ID's so how am I supposed to work out what corresponds to what I need? How do I even get the scope ID out of an xml within the SQL database in the first place?
    I have tried that query with the scope ID's found in the XML's and it has returned no data so I'm convinced that this is not the correct way of doing this. If you can provide the query from start to finish on how to get this information based on the creation
    date of a software update group then perhaps we can get somewhere.
    This is an xml from one of the rules:
    <AutoDeploymentRule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <DeploymentId>{f327fd31-4530-4eed-8b75-8596f10f08d7}</DeploymentId>
      <DeploymentName>Windows Server 2012 Update Deployment</DeploymentName>
      <DeploymentDescription />
      <UpdateGroupId>ScopeId_8B27AA37-A165-4666-813B-0D79BF2692E5/AuthList_a4759bfe-e7d7-4643-bef2-8779248114b5</UpdateGroupId>
      <LocaleId>1033</LocaleId>
      <UseSameDeployment>false</UseSameDeployment>
      <EnableAfterCreate>false</EnableAfterCreate>
      <NoEULAUpdates>false</NoEULAUpdates>
      <AlignWithSyncSchedule>false</AlignWithSyncSchedule>
      <ScopeIDs>
        <ScopeID>P0100001</ScopeID>
        <ScopeID>P0100002</ScopeID>
        <ScopeID>P0100003</ScopeID>
        <ScopeID>P0100004</ScopeID>
        <ScopeID>P0100005</ScopeID>
        <ScopeID>P0100006</ScopeID>
        <ScopeID>SMS00UNA</ScopeID>
      </ScopeIDs>
    </AutoDeploymentRule>
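
In the rule XML quoted above, the `UpdateGroupId` element and the `ScopeIDs` list are separate things, and the sketch below pulls them apart. This is an added example, not code from the original post or from Microsoft: the function name is hypothetical, and it assumes that `UpdateGroupId` holds the update group's `CI_UniqueID` (usable to filter `SMS_AuthorizationList`) and that the `ScopeID` values are security scope IDs rather than update group identifiers.

```powershell
# Added example. Sample input is the AutoDeploymentRule XML quoted in the post above.
function Get-AdrUpdateGroupReference {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$RuleXml
    )

    # Parse strictly: a malformed document throws here instead of yielding partial data.
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($RuleXml)

    $rule = $doc.SelectSingleNode('/AutoDeploymentRule')
    if ($null -eq $rule) { throw 'Root element <AutoDeploymentRule> not found.' }

    $groupNode = $rule.SelectSingleNode('UpdateGroupId')
    if ($null -eq $groupNode -or [string]::IsNullOrWhiteSpace($groupNode.InnerText)) {
        throw 'Rule has no <UpdateGroupId> value.'
    }
    $uniqueId = $groupNode.InnerText.Trim()

    # Shape seen on the page: ScopeId_<GUID>/AuthList_<GUID>.
    # Validate it before the value is placed into any query string.
    $pattern = '^ScopeId_(?<site>[0-9A-Fa-f-]{36})/AuthList_(?<list>[0-9A-Fa-f-]{36})$'
    if ($uniqueId -notmatch $pattern) { throw "Unexpected UpdateGroupId format: $uniqueId" }

    # Assumption: these are security scope IDs, unrelated to the "ScopeId_" prefix above.
    $scopes = @($rule.SelectNodes('ScopeIDs/ScopeID') | ForEach-Object { $_.InnerText.Trim() })

    [pscustomobject]@{
        DeploymentName   = $rule.SelectSingleNode('DeploymentName').InnerText
        UpdateGroupId    = $uniqueId
        ScopeGuid        = $Matches['site']
        AuthListGuid     = $Matches['list']
        SecurityScopeIds = $scopes
        # Assumption: the update group is looked up by CI_UniqueID in SMS_AuthorizationList.
        WqlQuery         = "SELECT * FROM SMS_AuthorizationList WHERE CI_UniqueID = '$uniqueId'"
    }
}

$sampleRule = @'
<AutoDeploymentRule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <DeploymentId>{f327fd31-4530-4eed-8b75-8596f10f08d7}</DeploymentId>
  <DeploymentName>Windows Server 2012 Update Deployment</DeploymentName>
  <UpdateGroupId>ScopeId_8B27AA37-A165-4666-813B-0D79BF2692E5/AuthList_a4759bfe-e7d7-4643-bef2-8779248114b5</UpdateGroupId>
  <ScopeIDs>
    <ScopeID>P0100001</ScopeID>
    <ScopeID>SMS00UNA</ScopeID>
  </ScopeIDs>
</AutoDeploymentRule>
'@

Get-AdrUpdateGroupReference -RuleXml $sampleRule | Format-List
```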

  • Deployment Package vs Right-Click, Deploy directly from Software Update Groups?

    I'm not sure I understand the difference between collecting updates into a group and then just using right-click to create a deployment from within Software Update Groups?
    One thing I did notice this morning, is that if I want to distribute that content to other DPS, I have to create deployment package first? Are there other reasons for not simply deploying from within Software Update Groups?
    Thank-you

    Update Groups *group* updates together. That's it, they have no additional functionality.
    Updates can be deployed individually or as groups (in the form of Update Groups) -- it would be pretty painful to manually deploy every update individually so that's why there are update groups.
    Update Packages (I don't like calling them deployment packages even though that's what they're labeled as in the console because they have nothing to do with deployments) make update binaries available to the clients.
    Update Groups have nothing to do with Update Packages. Update Groups contain references to updates, update packages contain binaries. Deploying an update or update group assigns those updates to the client within the collection specified. Clients that have
    an update assigned that is also applicable will download the binary for the update from any available update package and install it.
    You create an update package by right-clicking on an update or update group and choosing download. The wizard offers you a choice between using an existing package or creating a new one. You cannot directly create one.
    Secondary sites have nothing to do with this process whatsoever. Clients are clients are clients regardless of where they are located. As long as they are within the collection targeted by the deployment and they have access to the assigned update binaries
    in an update package, they will download and install the updates properly.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Modifying a Software Update Group Deployment via PowerShell

    Good Morning Guys - 
    Recently, I created numerous Software Update Group (SUG) advertisements to a variety of collections using a PowerShell script I wrote.  It used the cmdlet "Set-CMSoftwareUpdateDeployment" which is described by Microsoft as "Modifies a
    software update deployment in Configuration Manager."  Below is the command I used for the advertisement I'm using as an example here:
    Start-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName "Workstation Related - Mar 2014 Deployment" `
        -CollectionName "Workstation Patch Management - Window #5 - 3rd Monday - Auto Restart" `
        -DeploymentName "Workstation Patch Management - Window #5 - 3rd Monday - Auto Restart" `
        -DeploymentType Required -VerbosityLevel OnlySuccessAndErrorMessages -TimeBasedOn UTC `
        -DeploymentAvailableDay 2014/3/17 -DeploymentAvailableTime 5:00 `
        -DeploymentExpireDay 2014/3/17 -DeploymentExpireTime 5:00 `
        -UserNotification DisplaySoftwareCenterOnly -SoftwareInstallation $False `
        -AllowRestart $False -RestartServer $False -RestartWorkstation $False `
        -ProtectedType NoInstall -UnprotectedType NoInstall
    What I'm needing to do, though, is change many of these advertisements from "Required" to "Available" using PowerShell again.  Since it's described as "modifies," I assumed that I could run the exact same line used to create
    the advertisement, except only change the "Required" string to "Available."  The advertisement name is the same, so I thought it would work.
    When I ran it,  it simply created another advertisement with the same name:
    Am I doing something incorrectly when trying to modify the advertisement or is what I'm trying to do even possible with this cmdlet?  If not possible, any suggestions you have as to how I could do what I'm trying to do on a large scale would be appreciated!
    Thanks!
    Ben K.

    I just tried on a required deployment:
    set-cmsoftwareupdatedeployment -softwareupdategroupname "My Group Name" -deploymentname "My deploymentname" -collectionname "my collection name" -deploymenttype "available"
    And it changed to Available. Not sure why that isn't working for you.
