Patch deployment with status "Enforcement state unknown"

Hi All
I am pretty new to the patch deployment.
I generated a report and see there is Last State column with "Enforcement state unknown", not sure if it means failed for those hostnames or will be retried for the installation.
Kindly clarify.
Regards
Ramesh
Regards Ram

They will only start to install updates automatically when there is an active update deployment with a scheduled deadline that has passed. For a lot more information, see:
http://technet.microsoft.com/en-us/library/gg682168.aspx#BKMK_SUMCompliance
Also, when Days since last communication is more than 0, that's usually an indication that the client is not communicating any more. That can be caused by a lot of things, including something as simple as the device being turned off or not connected with the network.
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude
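
A triage sketch for the report discussed in this thread, added as an example and not part of the original posts: it sorts hosts showing "Enforcement state unknown" by the two causes named in the reply above (client not communicating, deadline not yet passed). The CSV column names, the host names and the `triage` function are assumptions constructed for illustration, not the report's exact export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column headers are assumptions; adjust them
# to match the headers of the report you actually export.
SAMPLE_REPORT = """\
Computer Name,Last State,Days Since Last Communication
SRV-APP01,Compliant,0
SRV-APP02,Enforcement state unknown,0
SRV-DB01,Enforcement state unknown,12
WKS-0117,Pending system restart,0
WKS-0242,Enforcement state unknown,3
"""

UNKNOWN = "enforcement state unknown"


def triage(report_csv, deadline, now):
    """Bucket hosts whose Last State is 'Enforcement state unknown'.

    not_communicating    - Days Since Last Communication > 0 (or unreadable):
                           the client is likely off or off the network.
    deadline_not_reached - client is talking, but the deployment deadline
                           has not passed, so no install is expected yet.
    check_state_messages - client is talking and the deadline has passed:
                           state reporting needs a closer look.
    """
    buckets = {
        "not_communicating": [],
        "deadline_not_reached": [],
        "check_state_messages": [],
    }
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["Last State"].strip().lower() != UNKNOWN:
            continue  # only the unknown rows need triage
        host = row["Computer Name"].strip()
        try:
            days = int(row["Days Since Last Communication"])
        except (TypeError, ValueError):
            days = None  # assumption: a blank or bad value counts as stale
        if days is None or days > 0:
            buckets["not_communicating"].append(host)
        elif now < deadline:
            buckets["deadline_not_reached"].append(host)
        else:
            buckets["check_state_messages"].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed dates: deadline two days before the report was run.
    result = triage(SAMPLE_REPORT,
                    deadline=datetime(2015, 1, 10, 22, 0),
                    now=datetime(2015, 1, 12, 9, 0))
    for bucket, hosts in result.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```
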

Similar Messages

  • Software Updates Deployment Evaluation Cycle Enforcement state unknown

    Hi All,
    I have an issue where I deployed software updates to a collection that has a maintenance window of 5 hours. The next day when I checked the deployments tab it showed the updates as 75% compliant with 3 servers failed to install updates as no further maintenance windows were planned.
    I then checked the deployments tab 2 days later and it still showed 75% compliant but all the servers were in the unknown Client check passed/Active.
    Is this because I have no further maintenance windows? Please advise, and if not, how can I resolve this? Thanks

    You should not use the deployments node in the console to check for software updates compliancy. The reason is because it shows the status of the deployment and not of the installation of the updates. For example if the updates are installed, the deployment will show compliant, but when the next re-evaluation of the deployment fails, the deployment will show as failed, while the updates are actually still installed. So always use the reports to check for compliancy.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Enforcement State Unknown but updates visible on clients?

    Hi all. A strange issue has just appeared in one of our environments with software update deployments. It would appear the report "Enforcement States for a Deployment" is stuck showing clients as "Enforcement State Unknown".
    The clients can see updates no problem at all, so functionally I have no issue. Updates are available and install correctly, but my issue is my deployments are now completely blind in that I have no status updates at all - 4+ days now and the status
    hasn't changed. I can't see any issue on the client side - StateMessage.log indicates it can successfully forward messages.
    Weirdly, this issue only seems to be affecting Software Update Deployments as software distribution reports are updating their statuses as expected.
    I've checked inboxes for backlogs and can't see anything too out-of-the-ordinary, and I've also tried the "force state refresh" VBS that's doing the rounds on these boards. I've even tried reinstalling the client and recreating the deployments, but all these actions have me believe the issue is with my SCCM server only.
    Can anyone help me?
    EDIT - The plot thickens somewhat. The report "Evaluation states for a deployment" has just changed to "Evaluation Succeeded", but  "Enforcement States for a Deployment" remains at "Enforcement State Unknown". HELP!

    I think you need to take a pause and analyse the log files to verify that everything is going well.
    The below blog posts would help you in doing that,
    http://blogs.technet.com/b/configurationmgr/archive/2010/11/04/information-on-the-configmgr-2007-client-side-process-for-software-updates.aspx
    http://blogs.technet.com/b/sudheesn/archive/2010/11/10/troubleshooting-sccm-part-iii-software-updates.aspx
    Anoop C Nair -
    @anoopmannur
    MY BLOG:
     http://anoopmannur.wordpress.com
    User Group:
     ConfigMgr Professionals
    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Adding new Updates makes Reports show compliance status as "Enforcement state unknown". Old updates are still installing though.

    Hi, Just wondering if anyone has seen this before and resolved it?
    Basically, 2012 Software Updates have been working fine for over a year. Last month's Patch Tuesday updates were fine too.
    However, this week I added a new update to a Software Update Group/deployment. This update did not deploy, and when I run a report, I get "Enforcement state unknown" for ALL clients in the collection. This happens to any deployment I amend. And also if I create a new update group and new deployment - same thing - "enforcement status unknown".
    However, updates previous to this week continue to download and install fine for all deployments. Deployments which I have not changed appear to continue to report correctly (unknown, compliant, pending system restart, etc).
    In the SCCM console for Software Updates, the "required" and "installed" figures are still showing correctly.
    Custom software packages continue to download and install too.
    All servers have sufficient disk space. Most collections don't have maintenance windows, and the deadlines are correct.
    Not sure what this could be, a problem with the Management Point? But I can see any errors in the "monitoring" view on the server. The client log files like "wuahandler.log" and "windowsUpdate.log" appear fine also, no obvious errors.
    I can't see any evidence of a group policy conflict. The WSUS entry is still correct in the local group policy (GPEDIT.MSC/admin template/windows comp/ windows update).
    Any ideas here? Thanks

    There were absolutely no errors in WUAhandler.log on existing machines - all looked normal, which baffled me. Machines with newly installed SCCM client only had machine and user policy update, so could not check for Software Updates.
    However, through web searches, I found a solution on another discussion here:
    https://social.technet.microsoft.com/Forums/en-US/1cefa9e0-a7f9-48d1-83b9-34d2293bab64/sccm-2012-r2-problem-with-device-deployment-user-deployments-ok?forum=configmanagerapps
    Basically the issue was described as a "corrupt PADBID in the database". A SQL query code detects if the issue is present, and another SQL code fixes the issue.
    What led me to this fix was searching for this error in "CCMEXEC.LOG" online: "System task 'PolicyEvaluator_Unlock' returned error code 0x8000ffff".

  • Enforcement State Unknown issue in SCCM 2012 Patch management report.

    Software updates are installed on the machine. All updates are shown in the update history, but the machine is not reporting back as Compliant. It is showing as Enforcement State Unknown. Please help to resolve the issue.

    Hi,
    Have you tried to "Run Summarization" by right-clicking the software update group?
    If it still shows unknown, please check StateMessage.log on a client that updates show unknown to see whether the state messages have been forwarded successfully.
    Best Regards,
    Joyce Li
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Patch Deployment with Grid Control

    Hello *,
    i tried to move a patch to a 9i database. My grid-control is installed on a laptop with w2k and is running fine. The patch should be deployed to another laptop with an installed 9.2.0.4 database. The job is starting and creates the new directory and subdirectory on the target host but then the job failed with the following message.
    java.net.NoRouteToHostException: No route to host: connect
    I found nothing in metalink, so where is the problem?
    Greetz
    Ulli

    I think this is a Windows-related problem. It's not so easy to transfer files to a Windows workstation; FTP normally does not work unless an FTP server is running. The formal explanation of this error says the target host cannot be reached because of router or firewall problems, but this may be misleading in this case. If you have a support contract (hopefully), you should open a TAR.

  • Enforcement states for a deployment report status is not refreshing

    The Enforcement states for a deployment report status is not refreshing.
    We have deployed patches by software update and are monitoring status by checking the report Enforcement states for a deployment. We have observed a status difference between the report and the actual PC. The status of one PC is Downloaded update in the report, but that patch was actually installed on the PC.
    Why is there this difference, and what is the solution to solve this?

    Hi Garth - I don't recreate the SU group. I recreate the deployment from
    the SU group.
    The SU Group contains all deployed updates and the deployment is a "catch-up" and targets a collection of all clients on the particular platform ie. Server 2008 R2. It's a mandatory deployment and I've set it to report "all messages" as opposed to the default
    "success and failure".
    There's no particular SU that are showing ESU. It's the client that shows ESU via the report "Enforcement States for a Deployment", and it's only ever the clients that were "Pending System Restart" previously that change to "Enforcement State Unknown". The software centre on these clients all know they're pending restart, and if the pending restart is performed on the client it will then change to "Compliant", but it never changes from ESU while its real state is "Pending Restart".
    Hopefully that clarifies the scenario.
    Like I said, I have a workaround, but I'd like to eliminate this behaviour on all my SCCM 2012 instances which are all affected.

  • State messages during patch deployment

    Hi,
    We see many clients that failed to install Microsoft Updates, and the below status messages are seen in the enforcement status report.
    downloaded update
    downloading update
    enforcement state unknown
    failed to download update
    waiting for another installation to complete
    Please let me know what the best practices are to troubleshoot the above mentioned status messages.
    Regards,
    Boopathi S 

    Take a look at HKLM\software\microsoft\SMS\Mobile Client\Reboot Management.  On occasion the jobcounter value does not get reset properly.  See KB970635.
    If I can tell that the SCCM client is currently not doing anything, stop the client, reset it to zero, start the client.  That will kick off things that are waiting for...something.
    Or it could be something else. :)
    

  • Enforcement States for multiple deployment ID's

    I would like to have a report for the enforcement states of multiple deployment ID's. I have tried manipulating the default "States 1 - Enforcement states for a deployment" to have multiple default values but have not succeeded in getting
    the report to run.
    In our Software Updates we have multiple collections targeting specific groups of computers and then we have specific update groups within specific date ranges deployed to those collections. In some cases I have multiple deployments targeting the same collection
    and thus the want to have a single report for the enforcement status of multiple deployment ID's.
    Unfortunately my level of SQL reporting is minimal. Does anyone have knowledge of a report or query to use multiple deployment ID's for returning the enforcement states?

    Hi,
    You may have a look on the following blog, hope this could help you edit your report.
    http://blogs.msdn.com/b/steverac/archive/2013/01/13/modifying-a-report-to-merge-software-update-deployments-with-updates-delivered-through-standard-software-distribution.aspx
    Best Regards,
    Joyce

  • CMPControlManager::PublishInDNS: DnsReplaceRecordsInSet() failed with status 9005 in MPControl.log and MP is showing in critical state

    CMPControlManager::PublishInDNS: DnsReplaceRecordsInSet() failed with status 9005  error message in mpcontrol.log  and management point showing critical state in Monitoring-Site status
    Please help to resolve the same.

    Based on this thread ---> http://social.technet.microsoft.com/Forums/systemcenter/en-US/f66a8f0f-31df-49b1-b385-450c522aac0f/cmpcontrolmanagerpublishindns-dnsreplacerecordsinset-failed-with-status-9005-getting-this?forum=configmgrinventory
    a possible workaround is:
    1. Start DNS
    2. Navigate to following DNS SRV record: _mssms_mp_<SMS_SiteCode>._tcp.AD_FQDN
    3. Right click on this record; and add all MP Machines Account and provide Full Control permissions on this DNS SRV Record.
    4. Restart "SMS_EXECUTIVE" service on all MPs
    You will then see that each MP successfully registers each DNS SRV record.

  • How can a session have an ACTIVE status with a WAITING state

    Hi all,
    I would like to know the difference between status and state of a session ?
    The documentation says :
    for status ACTIVE : Session currently executing SQL
    for state WAITING : The session is currently waiting...
    How can a session execute a SQL statement and be waiting at the same time ?
    Regards,
    fcjunic.

    Hi fcjunic,
    It's really not paradoxical, once you understand the definition of the terms.
    First, we have V$SESSION.STATUS, which can be ACTIVE or INACTIVE. A session is ACTIVE if it's in a database call. So, think of this from the client side point of view. A session does a parse call, or an execute call, or a fetch call, etc. For the duration of that call, till control returns back to the client, that session is said to be ACTIVE.
    From the time the call returns, till the time of the next call, the session is INACTIVE.
    Next, we have V$SESSION.STATE. This is probably more useful to think of from the server process point of view. This refers to whether the server process is currently running, i.e. on the CPU, or WAITING, i.e., waiting on a resource. Possible values for this column are WAITING, WAITED KNOWN TIME, WAITED SHORT TIME, and WAITED UNKNOWN TIME. Of those possibilities, a session is only actually waiting if STATE is WAITING. All the other values mean that it's no longer waiting, but is running on CPU.
    A session w/ STATUS of INACTIVE, will always be in STATE of WAITING, waiting on the 'SQL*NET message from client' wait. So, in that case, it means the server process is waiting around for work to do. It's in between calls, so, STATUS is INACTIVE, and it's waiting on that network port, to receive the next call from the client.
    An example of a session that's ACTIVE and has STATE of WAITING, would be a session that's, for example, doing a full table scan. So, it's got lots of data to read from disk. While the session waits for the read from disk to complete, the session waits on 'db file scattered read'.
    Finally, for completeness, the difference between the different possible values of the STATE column. I already covered WAITING. If a session is not waiting, it's now on CPU, and it previously waited. If so, it either waited more than 10 ms, in which case it will report WAITED KNOWN TIME, or less than 10 ms, in which case it reports WAITED SHORT TIME, or timed_statistics is false, in which case this column will always be WAITED UNKNOWN TIME. Also, it's important to pay attention to this column, when trying to interpret the WAIT_TIME and SECONDS_IN_WAIT columns.
    See here:
    http://download.oracle.com/docs/cd/E11882_01/server.112/e10820/dynviews_3016.htm#REFRN30223
    for more information.
    Hope that helps,
    -Mark

  • Reprocess Bdoc with status I04 (Intermediate state)

    Hi All,
    I have problems to reprocess Bdoc's with status I04 (Intermediate state).
    In a batchprogram I created businesstransactions. But when a central blockade was set on the businesspartner, no businesstransaction appears.
    In the SM13 I have Update-errors (SAPSQL_ARRAY_INSERT_DUPREC).
    In the SMW01 I have Bdoc's (BUS_TRANS_MSG) with status I04.
    I'm having problems to reprocess the Bdoc's.
    After uncheck all central blockades, the reprocess of the bdoc failed.
    After changing the status of the Bdoc from I04 to I01, the bdoc will be reprocessed (green), but the data in the Bdoc will not be written to the database (CDB).
    What could be a solution to reprocess the Bdoc's with an update of the CDB (and the businesstransaction appear)?
    Thanks!

    Hi G. van Doom,
    You got a system error: SAPSQL_ARRAY_INSERT_DUPREC. This means that the running process tried to insert into the DB a record that already exists. Hence it raised this system error.
    Reprocessing the BDoc won't solve the issue since you will again try to insert a record that already exists.
    I would suggest you maybe check the task you set in the BDoc from your batchprogram; if the record already existed then you should rather do an update, by using Task = 1. Therefore you must have logic in your program which can find out whether the record exists or not in order to set the appropriate task.
    Task:
    1 - Update
    2 - Insert
    3 - Delete
    Hoping this helps.
    Sincerely,
    Alain Gauthier

  • MacBook won't print PDF files, it states The process "pstopdffilter" stopped unexpectedly with status 1

    Question: MacBook won't print PDF files; after selecting print it states: The process "pstopdffilter" stopped unexpectedly with status 1. I am currently using an HP Deskjet 4400 series printer and it works fine with all our other laptop computers. Thanks for any help.

    The pictwpstops filter on OS X machines, converts the job to straight Postscript before the normal CUPS filters get it.
    If the Adobe APPs have a choice of what kind of PS to send, like Binary or ASCII, try toggling that setting to the opposite of what it is.
    Though, if a reboot fixed it then likely the problem was a temporary bit flip, which may or may not happen again.

  • Handling of pending reboot, exclusive updates for patch management with SCCM 2012

    Hello,
    Planning to use SCCM 2012, I would like to understand how smart is SCCM 2012 when dealing with specific patch management situation.
    Assuming I have the following:
    - A given server to be patched is missing a lot of updates, several being mutually exclusive. This typical case will require several reboot / patching to properly obtain a server fully up to date.
    - A given server to be patched is in pending reboot state because the local admin installed new software and has not restarted the server yet as requested
    - Those servers have configured maintenance windows of 2 hours during each night. I scheduled a deployment of missing patches authorizing restart.
    --> when the maintenance window will be reached:
    - will the server first be restarted to clean the pending reboot ?
    - will the server be patched / restarted several times as required to fully meet the updates to be deployed?
    Another scenario on workstation side:
    - can I enforce deployment of updates at a given time, do not automatically restart the workstation during patch deployment, but after deployment schedule a mandatory restart with a countdown if there is a pending reboot... From end-user perspective, it
    would have the following behavior. For instance:
    - patches are automatically installed on Monday at 10 AM
    - as soon as deployment is done, warning message is displayed to ask users to reboot
    - then user has up to 48h to restart his computer by himself. If he does not do it, it will be automatically done after countdown expires.
    --> Can such a scenario be managed by SCCM 2012 ?
    Regards.

    Hi,
    I have a related question about deploying Microsoft Security Updates to workstations via SCCM 2012.  Is there a way to deploy the MS updates to workstations and only suppress reboots for machines with users logged on or locked?  There seems to
    be only 2 different options for reboots, Suppress them all or don't suppress them at all.  We would like SCCM to reboot the machines that are logged off, but suppress the reboot for those that are logged on, while at the same time, provide the user with
    a notification that their machine needs to be rebooted (at their convenience). 
    We've tried applying the Domain GPO "No auto-restart with logged on users for scheduled automatic updates installations" (Enabled) and "Configure Automatic Updates" (Disabled), but the logged on/locked machines still receive the restart countdown with no
    option to postpone or delay.
    This is a show stopper for us since we have an environment where we are absolutely not allowed to reboot a logged on machine.
    For a little background, we are coming from SMS 2003 and the Distribute Software Updates (ITMU) way of deploying MS Updates, where we could always set the program to run "Only when no user is logged on".
    Please tell me there is a way to achieve our desired result.
    Thanks,
    Dan 

  • Enforcement State Codes in SCCM 2012

    What do Enforcementstate codes '5006', '5002'... mean in the vAppdeploymentErrorstatus view? Are there views/tables where the Enforcementstate descriptions are present? With these codes, how can I find the description for the error? Or is there any other way to find the error description for what happened during deployment from the SCCM DB? Please help. I'm new to SCCM.

    Hi,
    You could have a look on the Enforcement State Message ID table in the following blog.
    http://blogs.technet.com/b/systemcentervnext/archive/2014/05/31/welchen-status-hat-meine-softwareverteilung-microsoft-system-center-2012-r2-configuration-manager-statusinformationen-verstehen-und-nutzen.aspx
    Best Regards,
    Joyce
