STEP BY STEP GUIDE FOR PATCHING SCCM MANAGED WINDOWS CLIENT DEVICES

- For remediating patching on SCCM Managed client computers 4 Important Steps : 1. Scanning of devices 2. Reviewing Logs to see patch status 3. Remediation to deploy Patches 4. Patches are deployed as per logs, however reporting is showing as non compliant Additional info on : - Manual Patch deployment - Possibility of why issues being reported. - Software Center Error Codes & description -------------------------------------------------------------------------------------------- STEP 1: Scanning of devices: - Check WUA Handler log if scanning is failing - Complete detail on WUAHandler.log & fix is linked to registry.pol - check date , rename or delete registry.pol file & run gpupdate /force & run software update eval cycle & scan cycle. - Complete troubleshooting video on scanning issue https://youtu.be/4ntGsLCu-7E STEP 2: Reviewing Logs to see patch status: - Check updatestore.log for that particular KB we will see if missing or existing by taking note of unique ID. - Review more logs based on unique id Updatedeployment.log, updatehandler.log, updatestore.log, WUAHandler.log, windowsupdate.log may give us good clue on errors. - To review Windowsupdatelog Powershell -- get-windowsupdatelog Logs will have entry like: - ASSIGNMENT_EVALUATE_SUCCESS, ASSIGNMENT_ENFORCE_FAILED or any other message like Failed to attach update to the automation wrapper = 0x87D00215. - If seen as finished installing (0x000000000), means patches are installed. - No pending patches available as of now, kindly find the log details. ![LOG[EnumerateUpdates for action (UpdateActionInstall) – Total actionable updates = 0]LOG]! time=”05:02:16.837-60”date=”02-16-2022” component=”UpdatesDeploymentAgent” context=”” type=”1” thread=”27904” file=updatesmanager.cpp:1826” STEP 3: Remediation to deploy Patches: - Caused by some update files becoming corrupt while being downloaded. If this happens you can delete or rename the folder & it will be recreated in same location. - Couple of placed observed one in software distribution & ccmcache - Renaming Folders - Softwaredistribution folder located in C:\windows\ - If ccmcache, can rename ccmcache folder or specific subfolder if aware - Catroot2 folder located in C:\windows\System32 - By default it will not allow as services are running in backend . Stop Windows update service Service name: wuauserv . Stop Cryptographic Services Service name: CryptSvc . Stop Background Intelligent Transfer Service name: bits . Stop Windows Installer Services Service name: msiserver - Post service stopped rename folder . Sometimes few services auto start so you will need to disable it. . Once folders are renamed restart / enable above 4 services & also check status of SMS Agent host service . If windows installer services is giving error while starting check to Unregister and re-register Windows Installer by following command . Msiexec /unregister . Msiexec /regserver - Reboot system & check . Initiate “Software Update Scan Cycle” and “Software Updates deployment evaluation cycle” from configuration manager applet . Review logs - If patches still fail to deploy, there can be windows issue . Sfc/scannow (this is System File Checker) . Windows Update troubleshooter can be accessed thru settings STEP 4: Patches are deployed as per logs, however reporting is showing as non compliant. - We need client to resend its data to the MP. It’s a convenient way to force some state messages up. . Powershell query . $UpdateStore = New-Object –ComObject Microsoft.CCM.updateStore . $UpdateStore.RefreshServerComplianceState() . This command will help to update / refresh compliance state on SCCM - Sitecode change - Reinstall Client -------------------------------------------------------------------------------------- Possibility of why issues being reported: - Offline or Inactive client – bring it back to network - Device not in use – its retired from AD or SCCM - Pending Reboot - Low Disk space – housekeeping of HDD / upgrade HDD size - Download Corrupt - SCCM Client Corrupted - If client not updating recent date client repair / reinstall - GPO issue ------------------------------------------------------------------------------------- Follow Below platforms to get updates: Blog Website: https://mecmworld.blogspot.com Twitter : https://twitter.com/YagneshMalaviya Linked In : https://www.linkedin.com/in/yagnesh-malaviya Facebook: https://www.facebook.com/mecmworld Instagram : https://www.instagram.com/mecm_world Email ID: [email protected] If you would like to share your troubleshooting fix or knowledge on MECM, you are most welcome to share your interest in email. Will look forward to collaborate & share knowledge.