Are the clients not installing the updates or not evaluating the updated assignments?
SCCM: Software Updates: Automatic Deployment Rules
Hello.
I set up a couple of ADRs.
They run successfully and correctly update SUGs and DPs.
Problem is that clients don't get the updates even though they are in the relevant collection.
Can somebody help me debug and fix this?
Thank you and best regards.
-
Roberto 646 Reputation points
2021-04-07T09:04:58.27+00:00
Hi @Amandayou-MSFT
Hi @Kalyan Sundar
Hi @Rahul Jindal
The situation now is as follows:
Clients get the updates included in one UG (Windows 10), but still have the following problems:
- Clients also get other updates not included in any UGs but present in "All Software Updates"
- It seems that Endpoint Protection doesn't get any updates
Maybe what I include in the "Endpoint Protection" UG and on WSUS is not what clients need to update their security?
What do I need to put on the Endpoint Protection UG for updating the security intelligence and definitions on clients?
Any more hints?
Thank you and best regards.
Roberto
-
Roberto 646 Reputation points
2021-04-08T12:53:30.66+00:00
Hi @Amandayou-MSFT
Hi @Kalyan Sundar
Hi @Rahul Jindal
Now that the Windows Defender updates are present in "All Software Updates", the client somehow gets them even though these updates are not in any UG. That's good because something works, but very bad because any client can get anything it finds on the WSUS. I don't want that. Clients must not take any update directly from WSUS, but only what SCCM ADRs put in UGs for them.
How do I fix that? I want clients to take only what is in UGs associated with collections that include those clients.
Thank you and best regards.
Roberto
-
Roberto 646 Reputation points
2021-04-22T13:16:53.61+00:00
Hi @Amandayou-MSFT
Hi @Kalyan Sundar
Hi @Rahul Jindal
Sorry I'm late in answering, but I had to work on other tasks.
The problem is not fixed because clients get any update they want directly from WSUS and not only what is in UGs.
For now I have disabled the scheduled sync of the SUP, and now clients don't get any updates anymore. I will go back to work on this later on, after lessons and exams are over, because I don't want to risk hundreds of clients going BSOD again during exams because of updates like the recent kb5000808.
I will anyway accept the answer from @Rahul Jindal, as he helped me find the conflicting GPO and debug the problem.
One more question though:
When I configure Software Update Point Component Properties, I see in Sync Settings: "Synchronize from Microsoft Update". Does that refer to SCCM or WSUS? I believe WSUS, because everything I set here I usually find later in WSUS, but I'd like your opinion.
Thank you and best regards.
Roberto