Forums on Intune, SCCM, and Windows 11


NEW Monthly Patches deployed falsely reporting as compliant

Ashish Kumar

Hi Guys/Gals,

I was wondering if somebody could please advise or point us in some direction, as we are having an issue with our servers falsely reporting as compliant after every month's patches have been deployed. We have logged a call with Microsoft and no solutions have been provided still.
It's only happening for servers (2016 & 2008) and not Windows 10 machines.
We are using SCCM 2012 R2, ConfigMGR version 2006, console version: 5.1806.1074.1500 and Site version: 5.0.9012.1000

If any more info is required please let me know. Thanks.
 
Honestly, if you have an open call with MS, I would NOT try anything suggested in a forum, as it will/can/might affect what the MS tech is trying to troubleshoot.
 
Thanks, but the issue here is that the ticket's been opened with them for more than 2 months and no solution to be found.
 
So talk to your TAM and get them escalated. It is a bad idea to work on things in a forum and also work on them with MS.
 
Ashish,

I just went through the pain you're experiencing. Any time I thought a Software Update should have been installed, and it wasn't, and MECM reported the device as compliant, without fail, the server was missing a pre-requisite update.

Firstly, you need to know that in MECM Compliant != Up-to-date. It means that the Software Update Deployment Evaluation Cycle is reporting back to MECM that all updates deployed to the client that can be installed are installed.

Secondly, I misunderstood Cumulative Updates (CUs) and Security Rollup Updates, and that even these updates, despite their name, have pre-requisites.

Thirdly, I'd assumed SUP automatically detects pre-reqs for a Software Update and installs them. It does not. Even if it has them in the database and they're downloaded. You must find out what the pre-reqs are for any given Software Update using Microsoft's documentation and ensure they're deployed to your clients. In a lot of cases this is due to a missing Servicing Stack Update (SSU), but it could be that you're missing anything from a .NET Framework Version, to another pre-requisite Cumulative Update, or in the case of Server 2008 R2/Win 7 boxes, an update that preps them for Extended Security Updates (ESUs).

I only recently started patching Servers using MECM and this has been a huge pain point for me. One thing I did to mitigate this problem was to filter under All Software Updates for any update that has a Required greater than or equal to '1', and include those in my deployments as a way to catch up after many years of updates not being cared for correctly due to a lack of bandwidth.

If you're just starting this process you may have a long road ahead of you that will take time and effort to resolve, including a lot of babysitting and research to get the environment to a good baseline where Software Updates will start reliably installing as expected during their maintenance windows and your environment will actually be up-to-date.

GOOD LUCK!
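
The "Required greater than or equal to 1" filter described in the post above can also be run against the SMS Provider instead of the console. This is an added example, not code from the thread or from Microsoft; the site code, the provider host name and the title-based prerequisite labels are assumptions, and limiting the result to updates that are not deployed, superseded or expired goes one step beyond the filter the post describes.

```powershell
# Added example, not from the thread. Placeholders: site code 'ABC' and
# provider host 'cm01.example.test'. Needs read access to the SMS Provider.
param(
    [string]$SiteCode       = 'ABC',
    [string]$ProviderServer = 'cm01.example.test'
)

# NumMissing is the per-update client count shown as "Required" in the console.
$wql = 'SELECT CI_ID, ArticleID, LocalizedDisplayName, NumMissing, ' +
       'IsDeployed, IsSuperseded, IsExpired ' +
       'FROM SMS_SoftwareUpdate WHERE NumMissing >= 1'

$required = Get-CimInstance -ComputerName $ProviderServer `
    -Namespace "root\SMS\site_$SiteCode" -Query $wql -ErrorAction Stop

# Required by at least one client but in no deployment: these are not counted
# in any deployment's compliance state, so the client can still read Compliant.
$gaps = $required | Where-Object {
    -not $_.IsDeployed -and -not $_.IsSuperseded -and -not $_.IsExpired
}

# Title-based guess at the prerequisite types named in the post (heuristic).
function Get-PrereqKind([string]$Title) {
    switch -Regex ($Title) {
        'Servicing Stack'           { return 'SSU' }
        '\.NET Framework'           { return '.NET' }
        'Extended Security Updates' { return 'ESU prep' }
        default                     { return 'Other' }
    }
}

$gaps | Sort-Object NumMissing -Descending | ForEach-Object {
    [pscustomobject]@{
        Kind     = Get-PrereqKind $_.LocalizedDisplayName
        Required = $_.NumMissing
        Article  = $_.ArticleID
        Title    = $_.LocalizedDisplayName
    }
} | Format-Table -AutoSize
```

Rows labelled SSU, .NET or ESU prep are the first candidates to check against Microsoft's prerequisite documentation before adding them to a deployment.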
 