Software Updates Compliance

[Gorilla]

Please correct any misunderstandings here:

 

Software Update Compliance Scanning is via the Software Updates Client Agent and can be evoked manually or automatically. Manual scans can be called from the client or remotely. Automatic scans, when they occur, and how you can monitor their progress are what I'd like to capture in this thread.

 

Your automatic scanning interval is set in the Software Updates Client Agent Properties on the General tab.

 

I *believe* scans also happen immediately after a scheduled deployment finishes. Can someone corroborate whether a compliance scan occurs in relation to a deployment, and at what point please?

 

I rely on the Scan 1 - Last Scan States By Collection report. When it indicates a scan is currently running, is there a log file or method I could use on the client that is running a scan to monitor its progress? I want to figure out what's occurring during a scan and how long it takes a particular client to conduct one. Is there a better way to monitor scan states?

 

My understanding is that scanning is done by the client but triggered or scheduled and involves reporting back to SUP via IIS. So scanning issues might only be a reporting issue which could be IIS and not indicative of a client failing to scan. Is there a file in the outbox (?) or somewhere on the client that one could verify a clients' scan results if reporting is suspect?

 

Do I have anything wrong there and can anyone build on this?

 

 

Thanks!

[anyweb]

I think this page on Technet has some good info about software update compliance scans, i've bolded and italicised parts for your benefit

 

in particular this part

 

Scan for Software Updates Compliance Process

When the active software update point is installed and synchronized, a site-wide machine policy is created that informs client computers that the Configuration Manager 2007 software updates feature has been enabled for the site. When a client computer receives the machine policy, a compliance assessment scan is scheduled to start randomly within the next two hours. When the scan is initiated, a component of the Software Updates Client Agent clears the scan history, submits a request to find the WSUS server that should be used for the scan, and updates the local Group Policy with the WSUS server location.

 

and then there is this bit

 

Prior to downloading update files: When a client computer receives an assignment policy for a new mandatory deployment, the software update files are downloaded to the local cache. Prior to downloading the update files, a scan is initiated to verify that the update is still required.

 

and there are several more references to when a scan is initiated, it's all in the link above.

 

the following log(s) might be of use in this case

 

 

PolicyEvaluator.log - Provides information about the process for evaluating policies on client computers, including policies from software updates.

 

ScanAgent.log - Provides information about the scan requests for software updates, what tool is requested for the scan, the WSUS location, and so on.

 

smscliUI.log - Provides information about the Configuration Manager Control Panel user interactions, such as initiating a Software Updates Scan Cycle from the Configuration Manager Properties dialog box, opening the Program Download Monitor, and so on.

 

UpdatesHandler.log - Provides information about software update compliance scanning and about the download and installation of software updates on the client.

 

UpdatesStore.log - Provides information about the compliance status for the software updates that were assessed during the compliance scan cycle.

 

does this help ?

 

cheers

niall

[Gorilla]

does this help ?

 

YES! The obviously named ScanAgent.log is perfect. Unrelated to scanning, I also use the WUAHandler.log as it let's me know the status of updates being installed and such.

 

I also verified a scan does happen after a deployment.

 

I am very interested in caching behavior and the Technet article handled that as well. I suspected and am happy to learn that it does verify an update is still needed before downloading files to the cache. Does it only pre-cache for mandatory deployments? I have server admins who need to manually install updates and I'd like to alleviate them of having to wait for the download. Any methods for making an update available but not mandatory and having the files in the client cache ahead of time?

 

Thanks Niall. This saved me some digging time. I've added this information to my knowledgebase.

[Gorilla]

I rely (should I - is there a better way?) on the Search Folders' Installed / Required / Not Required columns to add updates to my monthly security Update List.

 

I am failing to comprehend when and how it is updated. I just took one client, did a Software Update scan, watched it finish in the logs, then ran the Compliance 6 - Specific Computer report and saw that it requires some of the new updates. I did the same for my SCCM server. Same results.

 

However when I am in the Search Folder and want to add only the updates required by a client to the appropriate update list, all the new ones are listed under the Unknown column.

 

So I ran a client Software Scan sync on one client and one server.

Checked the logs to ensure it finished.

Ran the Compliance 6 report and saw that some of these new updates are seen as required.

 

So here are my questions:

 

1) How do I get the Search Folder pane to update the compliance columns? What triggers that normally?

2) Is there a silver bullet for figuring out which new updates to add to your update lists if these columns aren't populated?

3) Is there a way to remotely trigger an entire collection to scan for software compliance? I can do it per DDR using Client Center right click functionality, but the update scan isn't available on a collection.

 

Based on the reports I'm running, it does seem that I can find out in a very convoluted round-about way which updates are required by my different architecture's. I find the search folder columns invaluable in making decisions on which updates to add to which update lists each month. And I would have thought they look at the same table and data that the reports are looking at, but apparently I'm still missing some of the magic.

 

Since the reports know, I believe my compliance scans are happening. So my guess is this is just about Question #1 and the other two can be ignored if that's the case and there's a way for me to update those with the data the DB obviously has.

 

I'm reluctant to add the Required value to my search folders until I see and understand when that will manifest in conjunction with syncs and scans. I created one to test and even though SCCM scanned and knows it needs some updates, it doesn't list these as required in the Search Folder.

 

Thanks for any and all assistance.

 

-Kelly

[Gorilla]

Hold steady...I just found the Home Page Summarization feature. Waiting for statesys.log to report it's complete, then hopefully a refresh and an updated to my process is all that's needed!

 

Will report back, hopefully soon. How long can this take? LOL

[Gorilla]

Bah no joy. Statesys.log reported:

 

Found new state messages to process, starting processing thread SMS_STATE_SYSTEM 8/11/2010 11:00:30 AM 7916 (0x1EEC)

Thread "State Message Processing Thread #0" id:6668 started SMS_STATE_SYSTEM 8/11/2010 11:00:30 AM 6668 (0x1A0C)

Thread "State Message Processing Thread #0" id:6668 terminated normally SMS_STATE_SYSTEM 8/11/2010 11:00:30 AM 6668 (0x1A0C)

CThreadMgr::ThreadTerminating - All threads have stopped running SMS_STATE_SYSTEM 8/11/2010 11:00:30 AM 6668 (0x1A0C)

 

I then refreshed the home page sumamrization and all updates since MS10-46 show as Unknown still.

 

I'm relying on this article a bit: http://technet.microsoft.com/en-us/library/bb632932.aspx

 

Any report that relies on Update Lists can't help me since I use the Search Folder, which seems predicated on the Home Page summarization, to decide what to add to the update list. So if I can't rely on reports that need accurate update lists, and I can't tickle the Summary page to be accurate, I am at a loss for a graceful method.

 

For now I'm going to create an ad hoc update list out of the new updates purely to run a report and see what I need to approve. This is a lot more work then I use to do with WSUS alone, and while I see a lot of long term benefit to the SCCM-way, this kind of funkiness is disarming.

 

So I'm open to ideas.

[Gorilla]

Okay my trials and tribulations shall shine for posterity.

 

It worked! First time so wasn't sure what to look for. Here's what a successful statelog.sys summarization looks like (append to above):

 

SQL MESSAGE: spTask_SUM_UpdateStatusSummarizer - 11:05:01:057: summarizing status for CI 58630 SMS_STATE_SYSTEM

SQL MESSAGE: spTask_SUM_UpdateStatusSummarizer - 11:05:01:057: summarizing status for CI 58632 SMS_STATE_SYSTEM

SQL MESSAGE: spTask_SUM_UpdateStatusSummarizer - 11:05:01:073: summarizing status for CI 58641 SMS_STATE_SYSTEM

SQL MESSAGE: spTask_SUM_UpdateStatusSummarizer - 11:05:01:073: summarizing status for CI 58648 SMS_STATE_SYSTEM

SQL MESSAGE: spTask_SUM_UpdateStatusSummarizer - 11:05:01:073: summarizing status for CI 58657 SMS_STATE_SYSTEM

SQL MESSAGE: spTask_SUM_UpdateStatusSummarizer - 11:05:26:730: spTask_SUM_UpdateStatusSummarizer done SMS_STATE_SYSTEM

Task 'SUM Update Status Summarizer' completed successfully after running for 735 seconds, with status 20703. SMS_STATE_SYSTEM

 

It took 13.5 minutes to complete. Upon Refreshing VIOLA!

 

I'm going to chug some coffee and do a jig. Oh then I'm going to secure my clients. :>)

[anyweb]

thanks for posting the info so others may learn !

cheers

niall

[Scott]

 

3) Is there a way to remotely trigger an entire collection to scan for software compliance? I can do it per DDR using Client Center right click functionality, but the update scan isn't available on a collection.

 

 

 

Have a look for some of the right click Tools, we have a set that will enable you to trigger any of the client actions for all of the machines in a collection. I think it was one of the sets from MYITforum,