Software update not installed but SUG is showing compliant from SCCM

Shashi Dubey 371 Reputation points

Hi Everyone,

Hope everyone is safe and sound.

I have been facing an issue with the monthly software updates, where I have created a SUG consisting of 23 to 13 patches for the month of April.

From the SCCM side it shows the machine is compliant with that SUG however those patches are not installed on the machines and the machine hasn't been patched for months missing previous updates.

Upon checking PolicyAgent.log, the policy is coming for that SUG, and UpdatesStore.log shows no patches are missing and needed for that machine and it is compliant, where in practicality it hasn't received any patches for months.

Can someone help me understand why a machine that hasn't been patched for months shows it doesn't need any patches and shows compliant? We have checked the product and category and everything appears to be absolutely fine with this SUG.

Hope someone's experience could help me figure out the reason behind this.

Thanking in advance.
Shashi Dubey

Microsoft Configuration Manager Updates

3 answers

  1. Amandayou-MSFT 11,056 Reputation points

    Hi @Shashi Dubey ,

    Please check if these patches are required by these machines, for example:


    And then click the 'View Required' tab; we will check which clients need the patch.


    If the 'Required' tab for these patches shows 0, or does not show these patches, we should select the appropriate update for these patches from the SUP.


  2. Shashi Dubey 371 Reputation points

    Hi Amanda,

    Thanks for the reply!!

    Yes, as checked these patches are required on the machine as when we try to install the patches manually it just gets installed without any issues. However, from the SCCM perspective scanning of some of the servers says that they don't need the patches.

    Also, the server in question is Windows Server 2012 R2 and hasn't been patched for more than 7 months, but in scanning, it just shows it doesn't need any patch.

    Hope I am not missing anything and should be able to identify where to look?

    Shashi Dubey

  3. Shashi Dubey 371 Reputation points

    Hi Amandayou,

    Thanks a lot for the reply!!

    The SCCM version we are using is 2107 and we have deployed the latest client package to most of the clients and they are running with the same and latest SCCM client package.

    While checking UpdatesDeployment.log, it clearly indicates the deployment successfully gets evaluated and it shows the number of CIs inside it. However, the actionable items appear to be showing 0.

    It's just so confusing because we could see for sure that it had all the March patches and clearly needs the April updates, but it indicates that it doesn't need them.

    As per some of the Technet articles, we have installed the latest SSU also on the affected server but the issue remains the same.

    Shashi Dubey
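
The mismatch described in this thread (the client's scan says nothing is needed while the server is months behind) can be checked directly on an affected machine. The following is an added example, not code from any poster in the thread: it compares what the ConfigMgr client recorded after its last scan with what Windows reports as installed. It assumes the client's update store is exposed as the `CCM_UpdateStatus` class in `root\ccm\SoftwareUpdates\UpdatesStore`; the KB numbers are placeholders to be replaced with article IDs from the SUG.

```powershell
# Added example: run in an elevated PowerShell session on the affected server.
# The article IDs below are placeholders, not values from the thread.
param(
    [string[]]$Articles = @('KB0000001', 'KB0000002')
)

# What the ConfigMgr client stored after its last software update scan
# (the data behind UpdatesStore.log).
$store = @(Get-CimInstance -Namespace 'root\ccm\SoftwareUpdates\UpdatesStore' `
                           -ClassName 'CCM_UpdateStatus')

# What Windows itself reports as installed (Win32_QuickFixEngineering).
# Caveat: Get-HotFix does not list every kind of update.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

$report = foreach ($kb in $Articles) {
    $number = $kb -replace '^KB', ''   # the store holds the article number without "KB"
    $rows   = @($store | Where-Object { $_.Article -eq $number })

    if ($rows.Count -eq 0) {
        $scanState = 'NoRecord'        # the scan never evaluated this update
        $lastScan  = $null
    } else {
        $scanState = ($rows.Status | Sort-Object -Unique) -join ','
        $lastScan  = $rows.ScanTime | Sort-Object | Select-Object -Last 1
    }

    [pscustomobject]@{
        Article        = $kb
        ScanState      = $scanState    # typically Installed or Missing
        InstalledPerOS = $installed -contains $kb
        LastScan       = $lastScan
    }
}

# Rows where the scan does not report "Missing" and the OS does not list the
# update as installed are the inconsistent ones.
$report | Sort-Object InstalledPerOS, ScanState | Format-Table -AutoSize
```

A row with `ScanState` of `NoRecord` (or anything other than `Missing`) and `InstalledPerOS` of `False` is the situation the thread describes: the deployment evaluates with 0 actionable items because the scan result, not the deployment, says the update is not needed.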