This is part 3 of a 6 part series where I talk through common issues I have seen that skew the numbers for software updates, or make it difficult to explain the results.
Once we are done, hopefully you will be able to look at the SCCM Software Update process in much the same way as Neo saw the Matrix… except you’ll actually know what is going on instead of a bunch of green 1s and 0s floating everywhere you look.
Here is the breakout of the series:
In part 1, I covered the Importance of WSUS Maintenance, AKA “The Care and Feeding of WSUS”.
In part 2, I covered Software Update Client and Scan Issues that can contribute to low compliance.
In this post, I will be covering Viewing Update Compliance in the SCCM Console, what it means, and what it doesn’t mean, and what it really means to tell you if only you listen.
In part 4, I will be covering Enforcement status of Update Deployments (which is much different than compliance).
In part 5, I will be covering How Clients Report Compliance Status, giving you a peek into the insanity of the unknown.
Finally, in part 6, I will be covering How to Unmask the Real Culprits behind your “unknown” and “non-compliant” clients.
Sometimes managing software update deployments via SCCM can be a harrowing, repetive, experience.
Last time on “Understanding Software Update Deployment Status”…..
In Part 2, we discussed the steps that take place between Microsoft releasing a new update up until the update is deployed via SCCM. We also talked about how to determine if your clients are scanning properly, and how to verify WSUS is working.
Once your deployment is active, the real action begins.
Viewing Deployment Status
In my opinion, the best place to view the status of your deployment (at least at first) is on the Monitoring Node.
In the SCCM console go to:
Monitoring -> Deployments
Select your update deployment in the top pane, and the bottom pane will populate with some information. Note the “Last Update” time. This is the last time that SCCM ran a summarization on this deployment. Any progress or issues that were encountered since that time will not be reflected here.
If you want to force a refresh of this information, click “Run Summarization” on the Ribbon. Wait a few minutes, click refresh and the “Last Update” time should change.
If you click the “View Status” link in the bottom pane and you’ll get a nice view of clients organized by deployment status.
A couple of hidden gems in this view are:
- If you Double-click on a Status in the top pane, SCCM will open the devices as a psuedo-collection, where you can dig in deeper.
- If you select a client in the bottom pane and select properties, you can get per update status for that client. This can help you determine which patch has an issue.
Behind the curtain…
Once your deployment is live, the following items take place:
- Clients receive information on which updates are being deployed as Client policy from the Management Point.This ensures that the clients will respond to your request to install any needed updates that are part of your deployment. If clients are failing to see this, it’s likely that they are offline or broken. Clients who have not yet received policy will show in the “Unknown” tab.
- When the “Available” time for the deployment is reached, SCCM clients ask SCCM for a list of distribution points where the files can be found.When this takes place, you should see clients move to the “In Progress” tab with a status of “Waiting for Content”
- The SCCM client downloads files for any updates that are “Needed” and stores them in the SCCM Client Cache.When this takes place, you should see clients move to the “In Progress” tab with a status of “Downloaded update(s)”
- When the mandatory deployment time is reached, the SCCM clients begin the process of installing any updates that are “Needed”.Clients status should change on the “In progress” tab to show the installation status.Any clients with issues encountered during installation will be present on the “Error” tab with a description of the error.
- Once the “Needed” updates are installed, SCCM clients perform another software update scan and send the latest status for each update to WSUS. SCCM again imports this information from WSUS and displays compliance status in the console.At this point, you should see the clients move to the “Compliant” tab, which is where you want them to be.
When viewing update compliance in the SCCM console, there are some things you need to keep in mind:
- SCCM Treats “Not Applicable” clients as “Compliant”
- Unless you are viewing the status of the actual Deployment, the numbers shown are the overall numbers for your site.
One of the common issues I see with software update deployment is when a deployment targets what the admin thought were all the devices that needed the update, but missed some. It can be confusing if your deployment status shows all good, but your compliance numbers show you still have some clients that need the update.
That’s all for this installment of “Viewing Update Compliance in the SCCM Console”.
Tune in next time when we will discuss the deep question: “Enforcement Status – What does it mean?”