Limit 'Specific computer' report to a Software Update Group

Similar Messages

• Update showing up in "Compliance 5 - Specific Computer" Report even after removing the update from the Software Update before creating Group and Package

  So I've created a Software Update Group and I did NOT want anything in there dealing with Internet Explorer 11 since the organization is currently stuck at using 10 as the highest. So I made sure that Internet Explorer was NOT in the list and then I deployed
  the package. 
  After running my Overall Compliance report it shows that the systems are compliant, but when I view the "Compliance 5 - Specific Computer" I see that "Internet Explorer 11 for Windows 7 for x64-based Systems" is listed in the report. 
  This is just a testing phase right now and I have not created a WSUS like Domain level GPO. I understand that the SCCM client creates a local policy on the clients for the location of the Software Update Point (Specify
  Intranet Microsoft update service location), but the "Configure Automatic Updates" policy is set to Not Configured, which it looks like when this
  is set, the "Install updates automatically (recommended)" at 3AM is the default. 
  Is the reason why the "Internet Explorer 11 for Windows 7 for x64-based Systems" update is showing up in the list due to the fact that the "Configure
  Automatic Updates" policy is set to Not Configured
  and therefore it is still reaching out to check Windows Update online? 
  So, if I do create a Domain level GPO to Disable the "Configure
  Automatic Updates" policy, then the "Internet Explorer 11 for Windows 7 for x64-based Systems" update would not show up in the "Compliance 5 - Specific Computer" report?
  By the way, I have a Software Update Maintenance Window configured for the hours of 1AM-4AM so the 3AM default time falls within this time frame, therefore, I am assuming the SCCM 2012 client will not allow the Windows Update Agent to install the "Internet
  Explorer 11 for Windows 7 for x64-based Systems" update, even though it has detected it is "Required". 
  Thanks

  But, don't you need a Deployment Package in order to deploy the Software Update Group? The Software Update Group uses the downloaded updates contained in the Deployment Package located in, wherever the Package Source is, right?
  One more quick question that you will know right off hand, because, well, you just will I'm sure.
  No. The software update group really has nothing to do with any update packages. The update group assigns updates to clients and in turn clients use update packages to download assign and applicable updates from. There is no connection between the two though
  as the client can download an update from any available update package. Thus, it's more than possible to updates in an update package that are not in any update groups and it is also possible for an update to be in an update group without being in any update
  package.
  If the "Configure Automatic Updates" policy is set to "Not Configured" and since this keeps the 3AM Automatic Updates default, if I was to remove the Software Update Maintenance Window from being between 1AM-4AM, will the WUA agent install updates
  at 3AM, or no because the SCCM 2012 client still manages and oversees it and basically blocks that from occurring?
  No, ConfigMgr does not in any way block the WUA; however, the WUA can only autonomously install updates it downloads directly from WSUS. Thus, since there are no updates approved or downloaded in your WSUS instance, there's nothing for it to download and
  install. If you happen to actually be going into WSUS and approving updates (which you should not be doing as its unsupported), then yes, it actually would install updates -- this is outside of ConfigMgr's control though. Generally, disabling the WUA via a
  GPO is the recommended to prevent any accidental installations or reboots (as the WUA wil also check for initiate pending reboots outside of ConfigMgr).
  Lots more info in these two blog posts:
  - http://blog.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
  - http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/
  Jason | http://blog.configmgrftw.com

• Updates installed but SCCM 2012 says non-compliant - Compliance 5 - Specific computer report

  Hi,
  I hope someone has an answer.
  When I use the compliance report "Compliance 5 - Specific computer report" I've noticed that some updates need to be installed, but when I check the server the updates are already installed.
  This issue occurs for several servers.
  Does anyone have an idea what could be wrong?
  Thanks in advance.
  Kind regards,
  Roberto

  Hi,
  Have you checked the status of the deployment that contains the updates need to be installed?
  Best Regards,
  Joyce
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• How to get a report on Installed Software Updates on client computers.

  Hi, I'm working with a large company who plans to deploy mac's nationwide. ARD is what we will be using for remote management of the cient systems. My question is; how to get a report on Installed Software Updates on client computers.
  Thanks in advance!

  Hi,
  Try this.
  Go to SE16 give table input as T511
  and select OPKEN   / Operation indicator field input as A and execute.
  This will give you output of wage types wich configured for deduction.

• Application to restart computer when needed after software updates

  We have a business requirement to not force a computer restart immediately after software updates have been installed. What possible solutions are there to detect if a restart is needed on the client and inform the user to restart, if nothing happens force
  a restart within a few days.

  Hi,
  Windows Update itself have this configuration. You could push the corresponding group policy to achieve it:
  Locate to the following path:
  Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Update
  find No auto-restart with logged on users for scheduled automatic updates installations
  entry.
  For more detailed information, please read this tutorial:
  Windows Update and Automatic Reboots
  http://blogs.technet.com/b/mu/archive/2008/10/02/windows-update-and-automatic-reboots.aspx
  Karen Hu
  TechNet Community Support

• HT201210 I accidently unplugged my I-pad 2 from my computer during the latest software update.  My screen is stuck on the "update bar" screen.

  I accidently unplugged my I-pad 2 from my computer during the latest software update and my screen is stuck on the "apple with update bar."
  Suggestions?

  Try and force the iPad into Recovery Mode
  1. Disconnect the USB cable from the device, but leave the other end of the cable connected to your computer's USB port.
  2. Turn off the device: Press and hold the Sleep/Wake button for a few seconds until the red slider appears, then slide the slider. Wait for the device to turn off.
  3.While pressing and holding the Home button, reconnect the USB cable to the device. The device should turn on.
  4. Continue holding the Home button until you see the "Connect to iTunes" screen. When this screen appears, release the Home button. iTunes should alert you that it has detected a device in recovery mode. Click OK, and then click Restore to restore the device.
  Note: Data will be lost. You may have to repeat the above many times.

• What Changes to Software Update Group Causes Clients to Re-check Compliance

  Hello,
  I have a number of software update groups that have been deployed over the past couple of years. When Microsoft release new updates etc. some of the updates already deployed change their status e.g. an update might get marked as expired. As a result of this
  I can go from having clients reporting as being compliant to a situation where they are in an unknown state until they report back again.
  Does anyone know what changes to an update already deployed would cause clients to have to check their compliance status for that software update group?
  Thank you.
  Stephen

  If you are referring to the enforcement state, this is indeed specific to the deployment, not the group itself.
  With regards to your question - Upon a change to your deployment, your clients will receive updated policy.  On a successful evaluation of the deployment, it will re-send a state message if necessary.  Unfortunately I do not know if there are certain
  things that do not trigger a policy update (i.e. change in the name or description vs. update membership or deadline change)

• SCCM 2012 Software Update Group Statistcs showing wrong Asset Count

  Under Software Update Groups in the summary tab the statics section shows total asset count: 5.   I only have this group deployed to only one collection with 1 machine.
  I have a second Software Update Group in the summary tab the statics section shows total asset count: 5.   I only have this group deployed to only one collection with 3 machines.
  The two collection have only one machine in common.
  I tried to run a summarization but these numbers are not updating. 
  where does the asset count come from and how do I get it to display correctly?
  Thanks,

  The asset counts shown in the console for software groups are not specific to any collection or deployment. If you want numbers specific to a collection, you need to use reporting or a console query.
  Jason | http://blog.configmgrftw.com

• Automatic create Software Update Group and assign patches

  Does someone has a e.g. powershell/vbs script which does the following:
  - step 1: verify which patches are added to Windows 7 image using SCCM 2012 Offline Servicing
  - step 2: verify all downloaded and deployed patches in the SCCM 2012 environment
  - step 3: get the multi-reboot patches
  Then creates a Software Update Group and add all patches obtained in step 2 and exclude all patches obtained in step 1 and step 3..
  Then I can assign that software update group to my Reference Image task sequence and I will not ran in the currently available problems where lists are to big and software updates during the task sequence are failing :-)
  Does some likes this and want to help me with it ?
  I think it is a nice solution for the patch deployment problem during the reference image task sequence phase.

  1.  I've not written a script for that but to be plain:  why?  There's no reason you shouldnt have those patches downloaded and deployed anyway in case someone makes a computer "the old fashioned way" then joins it to the domain.
  2.  This is what ADR is for.  I've got a few runbooks to help with things like cleaning up expired patches, but you shouldn't need any script for this step specifically.
  3.  Getting multi-reboot patches someone already did for you :)  http://blogs.technet.com/b/deploymentguys/archive/2015/03/11/excluding-known-multi-reboot-updates-during-a-zti-deployment.aspx
  Basically for #3, you just replace the update task with the MDT version and put this script right in front.  Bam, done :)  As for the extra scripting to exclude downloading patches you injected with DISM (#1)... I honestly don't see a point ...
  but I could probably write something if you wanted.

• Creating software update group for required updates ?

  Hello,
  I've been trying to find an easy way to create a software update group that contains required security updates for a specific device collection but no solution yet. It is easy to get which security updates are required for that collection via SQL query or
  by using built-in report in sccm2012. The problem is, there is no way to easily create a update group to deploy from those lists. You have to add them one by one and that takes so much time. So i would be glad if someone have an answer for me?
  Best Regards,

  Thanks for your quick response. I have hundreds of required updates in the software update section. So you say deploy all of them to that collection even most of are not required for those devices. At this point it seems unreasonable to deploy so much
  unnecessary file which will increase the burden on network and devices while it also increases the risk of failures. On the other hand it is also very time consuming to add approx. 50 update one by one to update group.

• Dots in Software Update Groups names

  Hello,
  Do you know any reason why is it impossible to put a dot (".") in a name of Software Update Group? I can use dots in SUG's name created via ADR but not when I create one manually, I receive an error: "Must specify a valid name for the software
  update group".
  How can I put dots in a names for manually created SUGs?
  SCCM 5.00.7958.1000
  http://about.me/exchange12rocks

  While you might be able to create it with an ADR or with PowerShell, if the User Interface specifically prevents it from being created, its a strong bet that it isn't tested and supported by the product team.
  You're best bet is to put in feedback on Microsoft Connect asking them to allow and support it. 
  http://myitforum.com/myitforumwp/2013/12/02/giving-feedback-on-microsoft-connect-for-configmgr-2012-help-yourself-help-the-community/
  I hope that helps,
  Nash
  Nash Pherson, Senior Systems Consultant
  Now Micro -
  My Blog Posts
  If you found a bug or want the product to work differently,
  share your feedback.
  <-- If this post was helpful, please click the up arrow or propose as answer.

• SCCM 2012 R2 changing date and time for patching software update groups

  I recieve this error when changing date and time for software update group. worked fine yesterday before patches to the server were applied last night. we removed patches but still get error below. Any help would be great.
  ConfigMgr Error Object:
  instance of SMS_ExtendedStatus
  Description = "Property array AssignedCIs exceeded the max allowed";
  ErrorCode = 1078462259;
  File = "e:\\nts_sccm_release\\sms\\siteserver\\sdk_provider\\smsprov\\sspupdatesassignment.cpp";
  Line = 94;
  Operation = "PutInstance";
  ParameterInfo = "";
  ProviderName = "ExtnProv";
  StatusCode = 2147749889;
  Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException
  The SMS Provider reported an error.
  Stack Trace:
  at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Put(ReportProgress progressReport)
  at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Put()
  at Microsoft.ConfigurationManagement.AdminConsole.SmsDialogData.Put(IResultObject resultObject, List`1 resultObjectsPut, Boolean retainLock)
  at Microsoft.ConfigurationManagement.AdminConsole.SmsDialogData.Put(Boolean retainLock)
  at Microsoft.ConfigurationManagement.AdminConsole.DialogFramework.Forms.SmsPropertySheet.Put(ActionTrigger trigger)
  System.Management.ManagementException
  Generic failure
  Stack Trace:
  at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Put(ReportProgress progressReport)
  at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObject.Put()
  at Microsoft.ConfigurationManagement.AdminConsole.SmsDialogData.Put(IResultObject resultObject, List`1 resultObjectsPut, Boolean retainLock)
  at Microsoft.ConfigurationManagement.AdminConsole.SmsDialogData.Put(Boolean retainLock)
  at Microsoft.ConfigurationManagement.AdminConsole.DialogFramework.Forms.SmsPropertySheet.Put(ActionTrigger trigger

  no it is the final version... is working today after cleaning up database... is working now...thanks
  Hello Robert,
  would you please give some more informations, as I have the same issue and don't get what you mean bye "cleaning up databases".
  Regards ooGDoo
  ooGDoo

• Collections based on Software Update Group compliance

  Hi!
  Is it possible to create a collection based on software update group compliance? This is for software update groups which are
  not deployed, they are just monitor groups (for example, groups for yearly or quarterly software update compliance).
  I would like to create a collection that lists all devices which are non-compliant in software update groups with names like "%Client Updates" - is this possible?
  The reason for this is so I can impose some stricter Compliance Settings (among some other stuff) on devices that are not compliant.
  I looked around a bit, but I could not find anything that I can use. Even Google couldn't solve my question :/

  you can try something like this:
  This collection is basically sub selected query get list of computers that do not have specific assignment enabled.
  select *  from  SMS_R_System where SMS_R_System.ResourceId not in (SELECT distinct SMS_UpdateComplianceStatus.MachineID  FROM SMS_UpdateComplianceStatus JOIN SMS_UpdateDeploymentSummary ON SMS_UpdateComplianceStatus.CI_ID = SMS_UpdateDeploymentSummary.CI_ID
  WHERE SMS_UpdateDeploymentSummary.AssignmentName like "%Client Updates%")
  Eswar Koneti | Configmgr blog:
  www.eskonr.com | Linkedin: Eswar Koneti
  | Twitter: Eskonr

• Software Update Group not created...?

  SCCM 2012 R2
  So I'm working on patching up our servers and am not sure how the Software Update Group gets created.
  I created an Automatic Deployment Rule for the group of machines I want to patch and chose to Add to an existing Software Update Group.  However, it never prompted me for what group to update.  I checked under Software Update Groups and only have
  ones from our workstations that have been in there for a while.
  Do I have to manually create the Software Update Group for the servers to use and if so, where do I do that in the Confir Manager program?
  Also, on a side note, when I view my ADRs, a couple of them say: Auto Deployment Rule results exceeded maximum number of updates.  Not sure if that's when I need to somehow break them up into Monthly groups or something like that? 
  I know there's a hard limit of updates per something but this was all originalyl configured by an external consultant so no one here is fully up to speed on all the nuances yet.
  Thanks!

  OK, so my ADRs are setup so that they all run on a certain date and then the have a 0, 7, or 14 day delay on when the patches become available so certain groups patch each weekend.  Since they all failed with the Too many patches error, I need to redo
  them.  If I make the changes and then do a "Run Now" to force them to update, will it start the 7 day delay over from when I do the Run Now or will that still go from the original date?
  And if I have the patches set to Deadline immediately, but have maintenance windows setup as Saturday 1AM - 11PM, and do not have the checkboxes checked to allow them to go outside a maintenance window, I can still do the Run Now any time and all the patches
  will then install at 1 AM on Saturday.  right?  Just don't want things to start installing in the middle of the day and mess everything up. :)
  Thanks!

• Three updates from the same Software Update Group showing as unknown, while all the others are showing as expected.

  Hi
  I have an issue from Septembers security updates where three updates from the same software update group are showing as unknown status rather than required / not required / installed etc.
  There are multiple other updates in the same update group and they are all displaying correctly with the figures I would roughly expect.
  I would have expected if something was wrong with the clients not returning software update scans that all the updates in this software update group (all deployed automatically as part of the same ADR) would show the same status of unknown, rather than just
  three of them.
  The updates in question are: KB2894842, KB2972215 & KB2977629 (First two .net 4.0 and last one IE11).
  Now these updates would largely be not required in our organisation as for the most part we use different versions so I would expect them to show as not required.
  Short of kicking off a mass software update scan cycle I don't know a) why this has happened b) if a scan cycle will fix it. Our clients scan every week and its been several weeks since the updates were deployed, that and the other updates have all reported
  back in.
  Anyone have any ideas? Its making the compliance results look quite poor :(
  Thanks
  Jonathan

  Hi,
  Is there any clue in the logs? Please review WUAHandler.log.
  What is the code you get when you run compliance report, like that in the following thread:
  http://social.technet.microsoft.com/Forums/en-US/becda545-4a5e-4ea3-bd83-8c7026767af5/software-update-compliance-report-showing-status-unknown?forum=configmanagerdeployment