SCCM 2012 Compliance 7 Customize for Total Updates Needed
I can't find single report in SCCM 2012 that lists the total count of updates needed for each computer. This really irks me and many others as this and similar info was readily available with the old WSUS console. It also takes a lot more
clicks to get the same info in SCCM (if SCCM even has it) as it did in WSUS. Anyway, I've decided to try to customize an existing report. I made a copy of "Compliance 7 - Computers in a specific compliance state for an update group (secondary)".
Try as I might, I can't get the query to work right to create a field for number of updates required for each computer. I'd really like columns for Failed/Needed/Applied but I'll start with just Needed. Why they got rid of this in SCCM reporting baffles me.
I have several SQL queries that pull this info for needed patches when run in Management Studio but I can't get them to work in a SCCM Report. Does anyone know how to do this?
Ben JohnsonWY
I'm looking at Compliance 1, 5, and 7. The closest to what I want is Compliance 7 but with a new column for "Required Updates". I have that column made but it's not populated. I have a "Required Updates" Dataset now inside this custom
report. BUT the row of info in the table (computer name, last logon, etc) only lets you select fields from Dataset0. Where I'm stuck is how get to the "Required_Updates" field from the "Required Updates" dataset to appear in Dataset0.
I've spent a big chunk of time trying to get the code from the two queries merged but I can't get it to work. The other option is to somehow get the field to appear in the row's field selection list (ie, read field from both datasets).
Oh, and when I followed your steps above, I got the report created but it throws and "error during processing" error when I run it.
Ben JohnsonWY
Similar Messages
-
Using SCCM 2012 Compliance to check if a GPO applied
Is it possible to use SCCM 2012 Compliance feature to check if a AD GPO settings applied to a Device / User collection or not?
If Yes, then how?You can do this with SCM (Security Compliance Manager), download here:
http://www.microsoft.com/en-us/download/details.aspx?id=16776
Import your GPOs to SCM some guidelines here:
http://4sysops.com/archives/microsoft-security-compliance-manager-scm-v2-part-1
Export your GPO from SCM to DCM format guides here:
http://blogs.msdn.com/b/scom_2012_upgrade_process__lessons_learned_during_my_upgrade_process/archive/2012/09/21/compliance-settings-sccm-2012.aspx
Import your DCM to SCCM and off you go -
SCCM 2012 NO SP - Reporting for application deployments not up to date
Hello,
We have a problem when deploying applications with our SCCM 2012 NO SP.
The reports for the application deployments and sup deployment are not up to date.
The applications have been deployed on the clients but the information is not in sccm servers.
The reporting for the package deployment are working correctly.
Do you have an idea ?
ThanksHi,
How are things going? Please let us know if there is any progress.
Regards.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
SCCM 2012 - 802.1x authentication for zero touch installation
Hi guys,
I'm setting up a demo environment for sccm 2012. Our customer has the requirement to enforce 802.1x authentication (username & password without certificates) on the network. So I need a 802.1x integration into the WinPE image, that clients can access
the install vlan instead of the guest vlan during the zero touch Windows 7 OS install process.
What I did before:
- mount the SCCM modified WinPE image (boot.XXX99999.wim)
- integration of the KB972831 hotfix into the WinPE
- creation of a lan profile and eap profile file
- copy both files into the mounted image
- creation of new wim file
I've booted the boot wim via a usb stick to test the 802.1x integration with the following commands:
net start dot3svc
=> The Wired AutoConfig service was started successfully
netsh lan add profile filename="X:\8021x\Local Area Connection.xml " interface="Local Area Connection"
=> The profile was added successfully on the interface Local Area connection
netsh lan set eapuserdata filename=x:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"
=> Error setting user data for interface Local Area Connection. The operation is not supported.
Actually I can't post web links here. If the files are needed I can send them per mail.
What can I do to solve this problem?
Thanks!
Regards
BastianHi!
Did you gave a look at this website: http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx
I've followed those steps and it worked as a charm, even for WinPE 4.0.
If you have questions let me know.
Cheers. -
Automaitc Updates through SCCM 2012 not showing up on the updates status
Hi,
I have configured Automatic Update rule on SCCM 2012 and it works fine but on the client machine i see this.
This is the update status it shows which means updates are not being installed since long time.
But when i see the update history it shows me the latest updates installed.
Why would this happen? please suggest.
Regards,
Maqsood
Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation CertifiedHi,
That is as expected as the updates are installed using SCCM and not the Windows Update Agent, if you deploy a client using SCCM OSD and install software updates using SCCM and not WSUS/Windows Update it will actually say:
"Updates were installed: Never"
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec -
SCCM 2012 SP1 and SCEP for Mac
Hello all,
We have SCCM 2012 SP1 with SECP installed and working well for Windows clients.
A request came to me that we have the roughly 10ct Mac computers protected by EndPoint and reporting through SCCM.
Is this possible with what I have now?
Please let me know if you have any clues for me.
Many thanks!Hi,
There is no way to push the SCCM MAC Client to a MAC Computer, you have to install it manually, threre are scripts available on blogs that can assits but still you have to run those scripts manually as well.
The System Center Endpoint Protection client for MAC is indeed a separate download on the volume licensing site, it is not managed through SCCM it is a standalone antivirus software which download it's defenition files directly from the internet. So there
is now way to manage it centrally.
I hope that answered your questions.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec -
SCCM 2012 "hardware inventory classes" for AppV?
Hi, I would like to get a better view what App-V application issue we have on App-V 4.6.2 in an usercentric deployment senrio
I also see that SCCM 2012 "hardware inventory classes" "Appv Client Applications" is not set and not all is activated under "Virtual Applications".
I also would like to our support to get an better view if an user call an say it dont get an App-V 4.62 required deployment.
So what "hardware inventory classes" do I need to activate to get App-V deployment /and launch status.
/SaiTechAre you saying the class exists in SCCM 2012 for you but not applied to all of your virtual applications or that there and can't be applied or that the option isn't in SCCM for you at all?
PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog:
rorymon.com Twitter: @Rorymon -
What does SCCM 2012 use its ComputerAccount$ for?
After a fresh install of SCCM 2012 SP1. Single server single site with a local SQL 2012 install.
(this is my first time setting this up 2012 and i was trying to do it textbook)
I started getting Alerts on my domain controllers.
No i have not done a client push yet but i have set up discovery.
Here is the error.
EVENT LOG
Security
EVENT TYPE
Audit Failure
SOURCE
Microsoft-Windows-Security-Auditing
CATEGORY
File Share
EVENT ID
5140
COMPUTERNAME
DC04
DATE / TIME
3/02/2014 9:52:13 am
MESSAGE
A network share object was accessed. Subject: Security ID: DOMAIN\SCCM$ Account Name: SCCM$ Account Domain: DOMAIN Logon ID: Network Information: Object
Type: File Source Address: My Sccm Server IP Source Port: 52442 Share Information: Share Name:
\\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)
Got these on my 3 DC's around the same time, Since these are DC's do i have to grant the computer account domain admin access?All services in ConfigMgr run as the local System account of the server that they are on. The local System account in turn uses the computer's AD account to access any network resources. There are multiple processes within ConfigMgr that try to access
remote resources. Based on the message you have above, I would say this is coming from automatic (or manual) client push as this attempts to connect to the admin$ share.
Jason | http://blog.configmgrftw.com -
SCCM 2012 SP1 - How many servers do I need?
I'm planning a SCCM test environment using SCCM 2012 SP1 with the goal of using DCIP 3.1. DCIP 3.1 only supports up to SCCM 2012 SP1. I'm new to SCCM and I'm planning to follow Kevin Holman's ConfigMgr 2012 SP1 -QuickStart deployment Guide (Sorry, I can't
post links on the forum yet.)
I'm using a virtual environment to build this out so I can create more machines as needed.
In the guide two systems are used, DB3 and CM1 each with designated services. Could those services be safely installed on one machine instead of two? Why choose to split the SQL and Database Services, from the Primary Site Server, Management Server, and Web
Console Server?
Thank you!For a lab and most small(ish) production sites you can get away with 1 server.
John Marcum | http://myitforum.com/myitforumwp/author/johnmarcum/ -
Does SCCM 2012 R2 Secondary and DP servers really need backup?
Hello to all. I'm involved on a SCCM 2012 R2 project that will install aprox. 20 SCCM 2012 R2 servers: 1 CAS, 3 Primary, 8 Secondary and 8 DPs (just SCCM runs on all these servers). As backup is licensed by Tb and cost is a restriction, I think
that would be acceptable to backup just CAS and 3 Primary servers. If a failure happens in any Secondary or DP, they could be reinstalled and all necessary information would be replicated from the respective Primary or Secondary.
Questions:
1- Is it technically feasible?
2- If I want to run specific configuration for a site that its Secondary failed, could I run it from the respective Primary?
3- Does #2 applie to DP (if a DP fails, could I run the necessary configs./action from its respective Secondary or Primary)
Please feel free to input pros and cons so I can take the best decision.
Regards, EEOC." 2- If I want to run specific configuration for a site that its Secondary failed, could I run it from the
respective Primary?"
Just a comment regarding this design decision. Based on this sentence, it almost sounds like someone thinks you
can manage FROM a secondary. That simply doesn't happen.
I wonder... Did the person who came up with your cm12 design ever actually work with cm12 in a hierarchy (for more than
a few weeks), because based on your statements, assumptions appear to be made that cm12 hierarchy works exactly like cm07 ( or SMS 2.0 for that matter, since you couldn't manage from a secondary in cm07 nor SMS 2003 either). Having a cas and multiple
primaries will not provide the redundancy of "if one primary goes down then..." As it sounds like is being assumed is true. I think its tons riskier to have multiple primaries and a cas.
Standardize. Simplify. Automate. -
SCCM 2012 R2 Driver - Best Practices on Updating Driver Packages?
Example the new Surface Drivers were Release We are currently using September what is the best way to update the drivers? If Import it shows multiple drivers old and new... Thoughts? Blog Post?
No. You must always import drivers to be able to either one of the Apply Driver task types in a task sequence.
However, you can also run a driver installer provided by the vendor as a package because the driver installer is a generic exe that does whatever its supposed to do outside the control of ConfigMgr.
Note that although you can't use an Auto Apply Driver task in stand-alone media, you can absolutely use an Apply Driver Package in stand-alone media. In general, most folks do not rely on Auto Apply but instead rely on Apply Driver Package for multiple reason.
Jason | http://blog.configmgrftw.com | @jasonsandys -
How SCCM 2012 compliance function find unknown usb device
As we all know the SCCM get its own compliance DB and can monitor the all device information.
So my scenario is I want to set the USB device with known(permit) and unknown(still permit, but as the admin, I need to know who are using the unknown device).
Any one could give me some advice or procedure what should I do next ?
Asuka from ITECNDo you want to restrict USB drives? If yes, there is a list of recently connected USB drives available in
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
You can write a Powershell script that enumerates the subkeys there, filters out allowed USB keys (i.e. company provided encrypted ones) and puts the computer into noncompliant state if a nonapproved drive was connected.
If this is about general USB hardware, you can get the list of connected hardware with
gwmi win32_pnpentity | select Name, DeviceID
Of course, there will be thousands of different devices even in a small company, so while you could quite easily blacklist certain devices, building a whitelist will be pretty much an impossible task. -
SCCM 2012 R2 Offline Servicing with Older Updates
We use to run Windows 7 Pro 32/64 Bit but we are upgrading to Windows 7 Enterprise 64Bit for BitLocker option on our machines.
I perform offline servicing on my reference build and capture .wim image but for some reason I still have to install over 100 updates. For example it will not install Windows 7 x64 SP1 and IE10.
I performed a search of Windows Updates Released on or after April 2011, downloaded the files to a new folder/group "Old Windows 7 Updates". I perform another "Schedule Updates" on the .wim file, still does not install the older updates.
I saw a post talking about using DISM to force the older updates on the image but that fails for me as I am beginner for using DISM.
Any suggestions would be great or help!You can't inject SP1 using offline updates. You need to start with media provided by Microsoft that already has SP1 included and that will address your issues. You can easily download this from your MVLS site.
Jason | http://blog.configmgrftw.com -
SCCM 2012 with SCM - support for non-Windows?
Hello all,
As part of compliance configuration, i came across the Microsoft's Security Compliance Manager 3.0 (latest version) mainly for compliance and remediation. But after going through their docs, I feel SCM is used only on Windows OS (clients or servers).
a] Does SCM support contact with non-Microsoft vendors to import security baselines?
b] Does SCM support audit, compliance and remediation on non-windows OS devices? (clients/servers)
Any help is greatly appreciated.
thanksThis is the wrong forum to ask Security Compliance Manager based questions, it doesn't have any straight relationship with ConfigMgr. Correct forum is here: http://social.technet.microsoft.com/Forums/en-US/home?forum=compliancemanagement
-
SCCM 2012 with SCM - support for only Windows?
Hello all,
As part of compliance configuration, i came across the Microsoft's Security Compliance Manager 3.0 (latest version) mainly for compliance and remediation. But after going through their docs, I feel SCM is used only on Windows OS (clients or servers).
a] Does SCM support contact with non-Microsoft vendors to import security baselines?
b] Does SCM support audit, compliance and remediation on non-windows OS devices? (clients/servers)
Any help is greatly appreciated.
thanksThis is the wrong forum to ask Security Compliance Manager based questions, it doesn't have any straight relationship with ConfigMgr. Correct forum is here: http://social.technet.microsoft.com/Forums/en-US/home?forum=compliancemanagement
Maybe you are looking for
-
ITunes 64-bit and Windows 7 Ultimate 64-bit
I have a relatively new installation of Windows 7 Ultimate 64-bit and have not moved the "Music Folder" to a new location. I have moved the "My Documents" folder to a new location tho. Inside of the "My Documents" folder, I see folders named "My Albu
-
When I want to create a link to a web page in an email, I click the "link" icon and a window appears asking for the address. But simultaneously, the "edit" function and all other functions disappear from the Firefox toolbar. With no edit, how can I c
-
I would like to print out the icon and title of each of my IOS apps to another document for printing and sharing within my family. My son has my old iPod touch so I erased it so he could put whatever games he wants to play on that I used to play wit
-
How to automatically printed Posted FI documents
Any idea about how to automatically print SAP FI documents as soon as they are posted? Regards Prabin
-
I'm writing a program in VB that calls on a JAR file. It has been working great for weeks. Last night, I moved the JAR file to a new location on my machine, and it suddenly stopped working at all. I know nothing about Java. Do I need to recompile the