
WSUS Installation Error Code with Solution

Below are some WSUS error codes with the solutions to fix them, so that our machines keep getting patched. This list will be updated as more errors and solutions are found.

Update install error - 0x80070308:-
Solution:-
1. Connect to a command prompt on the remote computer:
"C:\My Documents\SCCM Tools\PSTools\PsExec.exe" \\MachineName cmd
2. Run the commands below:
REG LOAD HKLM\COMPONENTS C:\Windows\System32\config\COMPONENTS
REG DELETE HKLM\COMPONENTS /V PendingRequired /f
3. Run the scan cycles.
_________________________________________________

Get the list of patches installed on a remote computer using PowerShell:-
Get-Hotfix -computername MachineName | Select HotfixID, Description, InstalledOn | Sort-Object InstalledOn
__________________________________________________
Update install error - 0X80070543

Solution:-
1) Click Start, click Run, type dcomcnfg.exe, and then click OK.
2) Click OK if you receive the UAC prompt.
3) In the console tree, expand Component Services, and then expand Computers.
4) Right-click My Computer, then click Properties.
5) Click the Default Properties tab.
6) Select Connect in the Default Authentication Level list.
7) Select Identify in the Default Impersonation Level list.
8) Click OK, and then click Yes to confirm the selection.
9) Close the Component Services console.
or
Add the registry value below remotely on the machine.
REG ADD HKLM\SOFTWARE\Microsoft\Ole /v LegacyAuthenticationLevel /t REG_DWORD /d 2 /f
___________________________________________________

When the WindowsUpdate.log file shows the WSUS server set to NULL, perform the steps below to fix the issue:
WSUS Server :<NULL>
Solution: Add the registry values below by connecting to the registry remotely or with PsExec.
REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUServer /t REG_SZ /d http://SUPSERVERNAME:8530 /f
REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUStatusServer /t REG_SZ /d http://SUPSERVERNAME:8530 /f
REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer /t REG_DWORD /d 1 /f
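
To confirm the fix took effect, the three policy values can be read back and checked together. The script below is an added example, not part of the original post; Get-RegValues and Test-WsusPolicy are hypothetical helper names, and the sample inputs are constructed.

```powershell
# Added example: audits the values written by the three REG ADD commands above.
function Get-RegValues([string]$Path) {
    # Read a registry key into a hashtable; a missing key yields an empty one.
    $values = @{}
    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($key) {
        $key.PSObject.Properties | Where-Object Name -NotLike 'PS*' |
            ForEach-Object { $values[$_.Name] = $_.Value }
    }
    $values
}

function Test-WsusPolicy {
    param([hashtable]$WU = @{}, [hashtable]$AU = @{})
    $findings = @()   # conditions that stop the client from using the WSUS server
    $notes = @()      # informational only
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = [string]$WU[$name]
        if ([string]::IsNullOrWhiteSpace($url)) {
            $findings += "$name is not set"
        } elseif ($url -like 'http://*') {
            $notes += "$name uses plain http, so scan traffic is not protected by TLS"
        }
    }
    # The two URLs are a pair and must hold the same value.
    if ([string]$WU['WUServer'] -ne [string]$WU['WUStatusServer']) {
        $findings += 'WUServer and WUStatusServer differ'
    }
    # Without UseWUServer = 1 the WUServer value is not honoured.
    if ($AU['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1, so WUServer is not used'
    }
    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings; Notes = $notes }
}

# Constructed inputs: the broken state (empty policy key) and the state after the fix.
$fixedWU = @{ WUServer = 'http://SUPSERVERNAME:8530'; WUStatusServer = 'http://SUPSERVERNAME:8530' }
Test-WsusPolicy -WU @{} -AU @{} | Format-List
Test-WsusPolicy -WU $fixedWU -AU @{ UseWUServer = 1 } | Format-List

# Live check on a client (run elevated if the key is access-restricted).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
Test-WsusPolicy -WU (Get-RegValues $base) -AU (Get-RegValues "$base\AU") | Format-List
```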

Create configuration Item for Software Update installation

Create a configuration item to resolve the past due will be expired, waiting for install and pending verification software update deployment issues.
Open the SCCM console → Assets and Compliance → Compliance Settings → right-click Configuration Items and create a new configuration item.
Click Next and add supported platforms as per your requirements.
Click Next → on the Settings page, click New to define a new setting.
Now add the discovery script and the remediation script.
The discovery script returns 1 if there are any pending updates.
The remediation script remediates if the discovery script returns 1.
Discovery Script:-
$wmicheck = $null
# Query a basic WMI class first to confirm that WMI is responding
$wmicheck = Get-WmiObject -Namespace root\cimv2 -Class Win32_BIOS -ErrorAction SilentlyContinue
if ($wmicheck)
{
    # Get list of all instances of CCM_SoftwareUpdate from root\CCM\ClientSDK for missing updates
    $TargetedUpdates = Get-WmiObject -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -Filter "ComplianceState=0"
    $approvedUpdates = ($TargetedUpdates | Measure-Object).Count
    # Test each update with $_ so the counts are per update; EvaluationState 8 is counted as reboot pending
    $pendingpatches = ($TargetedUpdates | Where-Object { $_.EvaluationState -ne 8 } | Measure-Object).Count
    $rebootpending = ($TargetedUpdates | Where-Object { $_.EvaluationState -eq 8 } | Measure-Object).Count
    if ($pendingpatches -gt 0)
    {
        Return(1)
    }
    else { Return(0) }
}
Remediation Script:-
# Resolve past due expired and pending verification issue for software update deployment.
$wmicheck = $null
$wmicheck = Get-WmiObject -Namespace root\cimv2 -Class Win32_BIOS -ErrorAction SilentlyContinue
# Register the event source used below; ignored if it already exists
New-EventLog -LogName Application -Source SyncStateScript -ErrorAction SilentlyContinue
if ($wmicheck)
{
    # Get list of all instances of CCM_SoftwareUpdate from root\CCM\ClientSDK for missing updates
    $TargetedUpdates = Get-WmiObject -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -Filter "ComplianceState=0"
    $approvedUpdates = ($TargetedUpdates | Measure-Object).Count
    # Test each update with $_ so the counts are per update
    $pendingpatches = ($TargetedUpdates | Where-Object { $_.EvaluationState -ne 8 } | Measure-Object).Count
    $rebootpending = ($TargetedUpdates | Where-Object { $_.EvaluationState -eq 8 } | Measure-Object).Count
    if ($pendingpatches -gt 0)
    {
        try
        {
            $MissingUpdatesReformatted = @($TargetedUpdates | ForEach-Object { if ($_.ComplianceState -eq 0) { [WMI]$_.__PATH } })
            # The following is the invoke of the CCM_SoftwareUpdatesManager.InstallUpdates with our found updates
            $InstallReturn = Invoke-WmiMethod -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdatesReformatted) -Namespace root\ccm\clientsdk
            Write-EventLog -LogName Application -Source SyncStateScript -EventId 666 -EntryType Information -Message "Targeted Patches :$approvedUpdates,Pending patches:$pendingpatches,Reboot Pending patches :$rebootpending,initiated $pendingpatches patches for install"
        }
        catch
        {
            Write-EventLog -LogName Application -Source SyncStateScript -EventId 667 -EntryType Information -Message "pending patches - $pendingpatches but unable to install them ,please check Further"
        }
    }
    else
    {
        Write-EventLog -LogName Application -Source SyncStateScript -EventId 668 -EntryType Information -Message "Targeted Patches :$approvedUpdates,Pending patches:$pendingpatches,Reboot Pending patches :$rebootpending,Compliant"
    }
}
First add the discovery script.
Click on Compliance Rules and define a new rule that reads the return code of the discovery script and remediates through the remediation script according to the return code defined in the compliance rule.
Add the remediation script.
Click OK and then Next to finish the wizard.
Now create a configuration baseline and add the already created configuration item to it.
Click OK to complete the baseline creation.
Right-click the created baseline and select Deploy.
It has been tested and is working fine in my current organisation. If you have any doubts or need help, please comment.
If you don't want to follow this process, another method to achieve compliance is to deploy the attached remediation script directly to the affected machines.
Thanks for reading.

SCCM Baseline to achieve software update compliance

[Resolve software update state unknown, waiting for install, pending verification and past due expired issue]:-

In the IT industry, people often ask how to increase their software update compliance. We follow many tasks to achieve compliance; however, sometimes our tasks fail to achieve the goal, and we are scolded by higher management or by the client.
As everybody knows, we recently faced the WannaCry ransomware attack, and as a result we struggled a great deal to reach 100% compliance for the patch Microsoft released to remediate the ransomware. It is not only ransomware: we face many issues every month after patches are released.
One major issue we found is that the update status is unknown even though the patch is required for the server or workstation. We then check Wuaagent.log, scanagent.log, windowsupdate.log, etc.; everything looks good, but the update status is still unknown. To resolve this, I have created a compliance baseline which checks the state messages in WMI and re-sends all state messages to the MP.
Open the SCCM console → Assets and Compliance → Compliance Settings.
Right-click Configuration Items and select New.
Type a configuration item name → click Next.
Select the supported platforms; you can select them as per your organisation's requirements.
On the Settings page, click New.
Type a name for the setting.
For the setting type, select Script, as we are going to apply a PowerShell script, and select String as the data type.
Now we have to add two scripts:
(a) Discovery script – evaluated on the system to find out whether the system is compliant or non-compliant; depending on the result, the client issue is remediated by the remediation script.
(b) Remediation script – runs if the system is non-compliant.
Discovery Script:
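$Update = Get-WmiObject -Class CCM_StateMsg -Namespace root\ccm\StateMsg
# Test both properties on the same state message, one message at a time
$Match = $Update | Where-Object { $_.TopicType -eq "500" -and $_.StateID -eq "0" }
# Return 1 when at least one state message has TopicType 500 and StateID 0
if ($Match)
{
    return 1
}
else { return 0 }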
Remediation Script:
# Re-send the software update compliance state messages to the MP
$newCCMUpdatesStore = New-Object -ComObject Microsoft.CCM.UpdatesStore
$newCCMUpdatesStore.RefreshServerComplianceState()
# Register the event source (ignored if it already exists), then log the run
New-EventLog -LogName Application -Source SyncStateScript -ErrorAction SilentlyContinue
Write-EventLog -LogName Application -Source SyncStateScript -EventId 555 -EntryType Information -Message "Sync State ran successfully"
Add the discovery script to the discovery field.
Click on Compliance Rules → select New rule to capture the output of the script.
Click OK to return to the previous screen and add the remediation script.
Now click OK and then Next to complete the configuration item creation wizard.

The configuration item has been created; now it is time to create a baseline and deploy it to the target collection.
Right-click Configuration Baselines → select Create Configuration Baseline.
Type a name for the configuration baseline and add the already created configuration item to it.
The baseline has been created; we now have to deploy it to the target collections.
Select the deployment options, and change the schedule if you want to trigger it as soon as possible.
We have now created a baseline for the software update compliance state, which will show you whether a software update is required or not required.
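
Both remediation scripts on this page (the software update installation item, event IDs 666 to 668, and the state message resend above, event ID 555) log to the Application log under the SyncStateScript source, so their outcome can be checked per machine. The script below is an added example, not part of the original post; the function names and outcome labels are hypothetical, and the sample records are constructed.

```powershell
# Added example: summarise the events written by the two remediation scripts.
# Outcome names are labels chosen here; the IDs come from the Write-EventLog calls.
$SyncStateOutcome = @{ 555 = 'StateResent'; 666 = 'InstallInitiated'
                       667 = 'InstallFailed'; 668 = 'Compliant' }

function ConvertFrom-SyncStateEvent {
    param([Parameter(ValueFromPipeline = $true)]$Record)
    process {
        $row = [ordered]@{
            Computer = $Record.MachineName; Time = $Record.TimeCreated
            Outcome  = $SyncStateOutcome[[int]$Record.Id]
            Targeted = $null; Pending = $null; RebootPending = $null
        }
        # Events 666 and 668 carry the three counters in their message text.
        $rx = 'Targeted Patches\s*:(\d+),Pending patches\s*:(\d+),Reboot Pending patches\s*:(\d+)'
        if ($Record.Message -match $rx) {
            $row.Targeted = [int]$Matches[1]
            $row.Pending = [int]$Matches[2]
            $row.RebootPending = [int]$Matches[3]
        }
        [pscustomobject]$row
    }
}

function Get-LatestSyncState {
    # Keep only the most recent event per computer.
    param([object[]]$Rows)
    $Rows | Group-Object Computer | ForEach-Object {
        $_.Group | Sort-Object Time | Select-Object -Last 1
    }
}

# Constructed sample records shaped like Get-WinEvent output.
$sample = @(
    [pscustomobject]@{ MachineName = 'PC01'; TimeCreated = [datetime]'2024-01-10T09:00'; Id = 666
        Message = 'Targeted Patches :5,Pending patches:3,Reboot Pending patches :2,initiated 3 patches for install' }
    [pscustomobject]@{ MachineName = 'PC01'; TimeCreated = [datetime]'2024-01-10T15:00'; Id = 668
        Message = 'Targeted Patches :5,Pending patches:0,Reboot Pending patches :5,Compliant' }
    [pscustomobject]@{ MachineName = 'PC02'; TimeCreated = [datetime]'2024-01-10T09:05'; Id = 667
        Message = 'pending patches - 4 but unable to install them ,please check Further' }
    [pscustomobject]@{ MachineName = 'PC03'; TimeCreated = [datetime]'2024-01-10T09:10'; Id = 555
        Message = 'Sync State ran successfully' }
)
$rows = $sample | ConvertFrom-SyncStateEvent
Get-LatestSyncState $rows | Sort-Object Computer | Format-Table
# Live data: Get-WinEvent -ComputerName MachineName -FilterHashtable @{
#   LogName = 'Application'; ProviderName = 'SyncStateScript' } | ConvertFrom-SyncStateEvent
```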
We know this is not the final solution to the issue. Sometimes we find other issues after update deployment, where Software Center shows updates as failed to install, waiting for install, pending verification or past due will be expired.
Recovering all systems from this problem is the biggest challenge for us; therefore, I have created another baseline in the following post to resolve the software update failed to install, waiting for install, pending verification or past due will be expired issues.