Saturday, May 29, 2021

 

SCCM Workstation Patching

·       On the second Tuesday of every month, Microsoft releases the patches for operating systems and Microsoft products.

·       The patch metadata syncs to WSUS. It then syncs into SCCM via the SUP (software update point).

·       Once the sync is complete, we create a software update group based on our criteria (which operating systems and Microsoft products are in scope). Then we download the patches.

·       Once the patches are downloaded, we distribute the software update package to the distribution points.

·       We raise the UAT change request for the monthly patching. Once the change is approved, we start the deployment to the UAT device collection.

·       We send a mail to the respective counterparts on the client side. Based on their feedback, we proceed with the production deployment.

·       For the production deployment we raise another set of change requests and, once the change is approved, start the deployment batch-wise. We then provide the patching compliance report.

SCCM Workstation Patching Issues:

We may experience 3 types of issues.

1.       WSUS sync Issues

2.       WSUS Scan Issues

3.       Update installation Issues

1. WSUS sync Issues:

WSUS (metadata) → SCCM PS

Logs:

1.       wsyncmgr.log – Synchronisation status

2.       WCM.log – Configuration status (WSUS server, SUP, and primary site)

3.       WSUSCtrl.log – WSUS and SUP health

Checks:

1)      Check the internet connection on the servers, the WSUS account permissions, the proxy settings and the firewall settings.

2)      In the SCCM console, we monitor daily whether the WSUS_SYNC_MANAGER component is healthy.

3)      Port configuration – Update source permissions

4)      Check whether the WWW and Update Services services are running.

5)      The WSUS account should have the sysadmin role.

6)      If we get HTTP error 503, check whether the application pool in IIS is running, and increase the private memory in the advanced settings.

7)      If the SUP is installed on a remote server, check connectivity.

8)      If we use SSL, check whether the certificates are active or expired.

9)      Review the IIS logs in c:\Inetpub\logfiles

 

 

2. WSUS Scan Issues: (End User Machine and PS)

SCCM clients must run a software updates compliance scan. We recommend that you allow enough time for clients to complete the scan and report compliance results so that you can review the compliance results and deploy only the updates that are required on the clients.

When the compliance scan is not happening on the client side:

Logs:

1.       WUAHandler.log

2.       WindowsUpdate.log

3.       LocationServices.log – verify which WSUS server the machine is connecting to

Troubleshooting/Issues:

1.       Check whether the Windows Update service is running.

2.       Check the machine for any pending reboot.

3.       Stop the Windows Update service and rename the “c:\Windows\Softwaredistribution” folder, then start the service again.

4.       Check that you have an active intranet connection.

5.       Check whether any proxy settings are configured on the client.

6.       Verify the client's connectivity with the WSUS server while the scan is happening.

7.       Check the port configuration on the client computer:

telnet (WSUSServername) 8530

8.       Check that there are no communication errors in ccmmessaging.log.

9.       Finally, make sure the maintenance window is longer than the software update installation time.
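The client-side checks above can be collected in one read-only pass. This is an added example, not part of the original post; it assumes the default client log folder C:\Windows\CCM\Logs and that the WSUS server is set by the Windows Update policy registry value WUServer.

```powershell
# Added example: read-only triage of a client that is not completing its update scan.
$logDir = 'C:\Windows\CCM\Logs'   # assumption: default ConfigMgr client log folder

# Windows Update service state
$wuSvc = Get-Service -Name wuauserv

# Pending reboot markers left by servicing and by Windows Update
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$pendingReboot = [bool]($rebootKeys | Where-Object { Test-Path -Path $_ })

# WSUS server the Windows Update Agent is pointed at by policy
$wuPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
$wsusUri  = if ($wuPolicy.WUServer) { [uri]$wuPolicy.WUServer } else { $null }

# TCP reachability of that server and port (same check as the manual telnet test)
$portOpen = $null
if ($wsusUri) {
    $portOpen = (Test-NetConnection -ComputerName $wsusUri.Host -Port $wsusUri.Port `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

# Machine-wide WinHTTP proxy setting
$proxy = (netsh winhttp show proxy | Where-Object { $_.Trim() }) -join ' | '

# Most recent failure lines from the scan log
$scanErrors = Select-String -Path (Join-Path $logDir 'WUAHandler.log') -Pattern 'fail|error' `
        -ErrorAction SilentlyContinue |
    Select-Object -Last 5 -ExpandProperty Line

[pscustomobject]@{
    WindowsUpdateService = $wuSvc.Status
    PendingReboot        = $pendingReboot
    WsusServer           = $wsusUri
    WsusPortReachable    = $portOpen
    WinHttpProxy         = $proxy
    RecentScanErrors     = $scanErrors
} | Format-List
```

An empty WsusServer field means the scan policy has not reached the Windows Update Agent, which points back at the client's policy and LocationServices.log rather than at the network.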

 

3. Update installation Issues (End User Device side):

Once a software update deployment happens, the log files below need to be checked.

Logs:

1.       PolicyAgent.log – Any new policies applied on the device

2.       UpdatesDeployment.log – Any applicable patches deployed on the device

3.       UpdatesStore.log – We can see the application installation status in this log

4.       CAS.log – We can see the download status of required patches

5.       UpdatesHandler.log – We can see the installation process of each patch

6.       RebootCoordinator.log – Any pending or required restart of the device

Resetting SCCM Agent if patch installation fails

From time to time, a ticket will be created regarding system patches failing in an SCCM environment. To fix this, there are really only two major steps:

 

1.       Rename the C:\Windows\SoftwareDistribution folder to SoftwareDistribution.old (stop Windows Update service before renaming, then restart the service).

2.       Rename C:\Windows\System32\catroot2 to catroot2.old (stop the Cryptography service before renaming, then restart the service).

After this is done, run these actions from the configuration manager:

 

1.       Discovery Data Collection Cycle

2.       Software Updates Deployment Evaluation Cycle

3.       Software Updates Scan Cycle

The procedure above has taken care of the issue pretty reliably. If the updates still don’t install properly, you may have to download the specific updates and install them manually.
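The reset procedure above as a script, run elevated on the affected client. This is an added example, not part of the original post; the function name Reset-UpdateFolder is made up for this example, and the three schedule IDs are the standard Configuration Manager client values for the listed actions.

```powershell
#Requires -RunAsAdministrator
# Added example: the two folder renames and three client actions described above.

function Reset-UpdateFolder {
    param([string]$Service, [string]$Path)

    Stop-Service -Name $Service -Force -ErrorAction Stop
    try {
        if (Test-Path -LiteralPath $Path) {
            $newName = (Split-Path -Path $Path -Leaf) + '.old'
            # If an earlier reset already left a .old folder, add a timestamp instead of failing
            if (Test-Path -LiteralPath (Join-Path (Split-Path -Path $Path -Parent) $newName)) {
                $newName += '-' + (Get-Date -Format 'yyyyMMddHHmmss')
            }
            Rename-Item -LiteralPath $Path -NewName $newName -ErrorAction Stop
        }
    }
    finally {
        # Restart the service even if the rename failed, so the client is not left stopped
        Start-Service -Name $Service
    }
}

Reset-UpdateFolder -Service wuauserv -Path 'C:\Windows\SoftwareDistribution'
Reset-UpdateFolder -Service cryptsvc -Path 'C:\Windows\System32\catroot2'

# Schedule IDs of the three client actions, in the order listed above
$actions = [ordered]@{
    'Discovery Data Collection Cycle'              = '{00000000-0000-0000-0000-000000000003}'
    'Software Updates Deployment Evaluation Cycle' = '{00000000-0000-0000-0000-000000000108}'
    'Software Updates Scan Cycle'                  = '{00000000-0000-0000-0000-000000000113}'
}
foreach ($name in $actions.Keys) {
    try {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
            -Arguments @{ sScheduleID = $actions[$name] } -ErrorAction Stop | Out-Null
        Write-Output "Triggered: $name"
    }
    catch {
        Write-Warning "Could not trigger '$name': $($_.Exception.Message)"
    }
}
```

The client actions run asynchronously, so confirm the result in WUAHandler.log and the deployment logs listed earlier rather than from the script output.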
