SCCM Baseline to achieve software update compliance

[Resolve software update state unknown, waiting for install, pending verification and past due / expired issues]

In the IT industry many people ask how to increase their software update compliance. We carry out many tasks to achieve compliance, but sometimes they fail to reach the goal, and we get scolded by higher management or by the client.
As everybody knows, we recently faced the WannaCry ransomware attack, and we struggled to reach 100% compliance for the patch Microsoft released to remediate it. It is not only ransomware: we face many issues every month after patches are released.
One major issue we found is that the update status shows as unknown even though the patch is required for the server or workstation. We check Wuaagent.log, ScanAgent.log, WindowsUpdate.log and so on, everything looks good, but the update status is still unknown. To fix this I created a compliance baseline which checks the state messages in WMI and re-sends all software update state messages to the management point (MP).
Open the SCCM console → Assets and Compliance → Compliance Settings.
Right-click Configuration Items and select Create Configuration Item.
Type a configuration item name → click Next.
[screenshot]
Select the supported platforms; choose them as per your organisation's requirements.
[screenshot]
On the Settings page, click New.
[screenshot]
Type a name for the setting.
For Setting type, select Script, as we are going to apply a PowerShell script, and set the Data type to String.
Now we have to add two scripts:
(a) Discovery script – evaluated on the system to find out whether it is compliant or non-compliant; if it is non-compliant, the client is remediated by the remediation script.
(b) Remediation script – runs only if the system is non-compliant.
Discovery Script:
# Read all state messages held by the client; TopicType 500 is the software
# update detection state and StateID 0 means the state is unknown.
$Update = Get-WmiObject -Class CCM_StateMsg -Namespace root\ccm\StateMsg
$Unknown = $Update | Where-Object { $_.TopicType -eq 500 -and $_.StateID -eq 0 }
if (@($Unknown).Count -gt 0) {
    return 1
}
else {
    return 0
}
Remediation Script:
# Ask the client to re-send its software update compliance state to the MP
$newCCMUpdatesStore = New-Object -ComObject Microsoft.CCM.UpdatesStore
$newCCMUpdatesStore.RefreshServerComplianceState()
# Log that the remediation ran; the source is created once, so the error is suppressed if it already exists
New-EventLog -LogName Application -Source SyncStateScript -ErrorAction SilentlyContinue
Write-EventLog -LogName Application -Source SyncStateScript -EventId 555 -EntryType Information -Message "Sync State ran successfully"
[screenshot]
Add the discovery script above to the discovery script field as shown below.
[screenshot]
Click Compliance Rules → New to add a rule that captures the output of the script, as shown below.

[screenshot]

Click OK to return to the previous screen and add the remediation script.
[screenshot]
Now click OK and then Next to complete the Create Configuration Item wizard.

The configuration item has been created; now it is time to create a baseline and deploy it to the target collection.
Right-click Configuration Baselines → select Create Configuration Baseline.
[screenshot]
Type a name for the configuration baseline and add the configuration item created above to it.
[screenshots]
The baseline has been created; now we have to deploy it to the target collections.
[screenshot]
Select the following options while deploying. Change the schedule if you want to trigger it as soon as possible.
[screenshots]
We have now created a baseline for the software update compliance state, which will show whether a software update is required or not required.
We know this is not the final solution. Sometimes we find other issues after update deployment: Software Center shows updates as failed to install, waiting for install, pending verification, or past due - will be expired.
Recovering all systems from this problem is our biggest challenge, so I have created another baseline, covered in the following post, to resolve the failed to install, waiting for install, pending verification and past due - will be expired issues.
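To check on a single client what the baseline will see, here is an added diagnostic script (not part of the original post) that reads the same CCM_StateMsg class as the discovery script, counts the TopicType 500 state messages per StateID, and looks for the event the remediation script writes. It assumes the event source name SyncStateScript and event ID 555 from the remediation script above, and that it is run in an elevated PowerShell session on an SCCM client.

```powershell
# Added diagnostic helper, not from the original post. Assumes the remediation
# script above logs event ID 555 under the source SyncStateScript.

function Get-UpdateStateSummary {
    # Same WMI class and namespace the discovery script queries.
    $msgs = Get-WmiObject -Class CCM_StateMsg -Namespace root\ccm\StateMsg |
            Where-Object { $_.TopicType -eq 500 }
    # One row per StateID; only StateID 0 (unknown) makes the discovery script return 1.
    $rows = $msgs | Group-Object -Property StateID | ForEach-Object {
        [pscustomobject]@{
            StateID           = [int]$_.Name
            Count             = $_.Count
            FlaggedByBaseline = ([int]$_.Name -eq 0)
        }
    }
    return ($rows | Sort-Object StateID)
}

function Test-SyncStateEvent {
    param([int]$WithinHours = 24)
    # Get-WinEvent raises a non-terminating error when nothing matches, so suppress it.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'SyncStateScript'
        Id           = 555
        StartTime    = (Get-Date).AddHours(-$WithinHours)
    } -ErrorAction SilentlyContinue
    return [bool]$events
}

$summary = Get-UpdateStateSummary
$summary | Format-Table -AutoSize

$unknownRow = $summary | Where-Object { $_.StateID -eq 0 }
$unknown = if ($unknownRow) { $unknownRow.Count } else { 0 }
if ($unknown -gt 0) {
    Write-Output "Client has $unknown update(s) in unknown state; the discovery script would return 1."
} else {
    Write-Output "No unknown update state messages; the discovery script would return 0."
}

if (Test-SyncStateEvent) {
    Write-Output "Remediation event 555 from SyncStateScript found in the last 24 hours."
} else {
    Write-Output "No remediation event found; the baseline has not remediated this client recently."
}
```

Run it before and after the baseline evaluates to confirm that the unknown-state count drops once RefreshServerComplianceState() has re-sent the state messages to the MP.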
