Create a configuration item to resolve software update deployments that are stuck in the "Past due - will be expired", "Waiting for install" and "Pending verification" states.
Open the SCCM console → Assets and Compliance → Compliance Settings → right-click Configuration Items and choose Create Configuration Item.
Click Next and add the supported platforms as per your requirements.
Click Next → on the Settings page click New to define a new setting of type Script (PowerShell).
Now add the discovery script and the remediation script.
The discovery script returns 1 if any targeted update is still pending installation (every update that is not merely waiting for a reboot), and 0 otherwise.
The remediation script runs only when the discovery script returns 1; it re-submits the pending updates to the client for installation and writes the outcome to the Application event log.
Discovery Script:-
$wmicheck = $null
# Sanity check that WMI answers before querying the ConfigMgr client SDK namespace
$wmicheck = Get-WmiObject -Namespace root\cimv2 -Class Win32_BIOS -ErrorAction SilentlyContinue
if ($wmicheck)
{
    # Get all instances of CCM_SoftwareUpdate from root\CCM\ClientSDK that are targeted but not installed (ComplianceState 0)
    $TargetedUpdates = Get-WmiObject -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -Filter "ComplianceState=0"
    $approvedUpdates = ($TargetedUpdates | Measure-Object).Count
    # Filter per update with $_ (not $TargetedUpdates, which would test the whole array at once).
    # EvaluationState 8 means the update is installed and only waiting for a soft reboot.
    $pendingpatches = ($TargetedUpdates | Where-Object { $_.EvaluationState -ne 8 } | Measure-Object).Count
    $rebootpending  = ($TargetedUpdates | Where-Object { $_.EvaluationState -eq 8 } | Measure-Object).Count
    if ($pendingpatches -gt 0)
    {
        return 1
    }
    else
    {
        return 0
    }
}
Remediation Script:-
# Resolve the "past due - will be expired" and "pending verification" issue for software update deployments.
$wmicheck = $null
# Sanity check that WMI answers before querying the ConfigMgr client SDK namespace
$wmicheck = Get-WmiObject -Namespace root\cimv2 -Class Win32_BIOS -ErrorAction SilentlyContinue
# Register the event source used below; harmless if it already exists
New-EventLog -LogName Application -Source SyncStateScript -ErrorAction SilentlyContinue
if ($wmicheck)
{
    # Get all instances of CCM_SoftwareUpdate from root\CCM\ClientSDK that are targeted but not installed (ComplianceState 0)
    $TargetedUpdates = Get-WmiObject -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -Filter "ComplianceState=0"
    $approvedUpdates = ($TargetedUpdates | Measure-Object).Count
    # Filter per update with $_ ; EvaluationState 8 means installed and waiting for a soft reboot
    $pendingpatches = ($TargetedUpdates | Where-Object { $_.EvaluationState -ne 8 } | Measure-Object).Count
    $rebootpending  = ($TargetedUpdates | Where-Object { $_.EvaluationState -eq 8 } | Measure-Object).Count
    if ($pendingpatches -gt 0)
    {
        try
        {
            # Turn the query results into WMI object references, which is what InstallUpdates expects
            $MissingUpdatesReformatted = @($TargetedUpdates | ForEach-Object { if ($_.ComplianceState -eq 0) { [WMI]$_.__PATH } })
            # Invoke CCM_SoftwareUpdatesManager.InstallUpdates with the updates found above.
            # -ErrorAction Stop makes a WMI failure terminating so the catch block actually runs.
            $InstallReturn = Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdatesReformatted) -ErrorAction Stop
            Write-EventLog -LogName Application -Source SyncStateScript -EventId 666 -EntryType Information -Message "Targeted Patches: $approvedUpdates, Pending patches: $pendingpatches, Reboot Pending patches: $rebootpending, initiated $pendingpatches patches for install"
        }
        catch
        {
            Write-EventLog -LogName Application -Source SyncStateScript -EventId 667 -EntryType Information -Message "Pending patches: $pendingpatches but unable to install them, please check further. Error: $($_.Exception.Message)"
        }
    }
    else
    {
        Write-EventLog -LogName Application -Source SyncStateScript -EventId 668 -EntryType Information -Message "Targeted Patches: $approvedUpdates, Pending patches: $pendingpatches, Reboot Pending patches: $rebootpending, Compliant"
    }
}
First add the discovery script.
Click Compliance Rules and define a new rule of type Value: the value returned by the discovery script must equal 0. Enable "Run the specified remediation script when this setting is noncompliant" so that a return value of 1 triggers the remediation script.
Add the remediation script.
Click OK and then Next to finish the wizard.
Now create a configuration baseline and add the configuration item you just created to it.
Click OK to complete the baseline creation.
Right-click the created baseline and select Deploy; tick "Remediate noncompliant rules when supported" so the remediation script is actually allowed to run on the targeted collection.
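Before deploying the baseline it is worth checking on one affected client what the discovery script will actually count, and afterwards whether the remediation script ran. The following is an added example written for this page, not a script from the original post: it runs the same CCM_SoftwareUpdate query as the discovery script, decodes each update's EvaluationState into its name, computes the counts per update (the way the discovery script must, using $_), and pulls the 666/667/668 events the remediation script writes. The function names and the $stateNames table are this example's own; the state numbers are the documented values of the CCM_SoftwareUpdate.EvaluationState property. Run it as an administrator on a client with the ConfigMgr agent installed.

```powershell
# Added example, not part of the original post. Run elevated on a ConfigMgr client.

# Documented EvaluationState values of CCM_SoftwareUpdate (root\CCM\ClientSDK)
$stateNames = @{
    0 = 'None';            1 = 'Available';        2 = 'Submitted';         3 = 'Detecting'
    4 = 'PreDownload';     5 = 'Downloading';      6 = 'WaitInstall';       7 = 'Installing'
    8 = 'PendingSoftReboot'; 9 = 'PendingHardReboot'; 10 = 'WaitReboot';    11 = 'Verifying'
    12 = 'InstallComplete'; 13 = 'Error';          14 = 'WaitServiceWindow'; 15 = 'WaitUserLogon'
    16 = 'WaitUserLogoff'; 17 = 'WaitJobUserLogon'; 18 = 'WaitUserReconnect'; 19 = 'PendingUserLogoff'
    20 = 'PendingUpdate';  21 = 'WaitingRetry';    22 = 'WaitPresModeOff';  23 = 'WaitForOrchestration'
}

function Get-PendingUpdateSummary {
    # Same query the discovery script runs: targeted to this client but not installed
    $targeted = @(Get-CimInstance -Namespace root\CCM\ClientSDK -ClassName CCM_SoftwareUpdate `
                    -Filter 'ComplianceState=0' -ErrorAction Stop)

    # One row per update so stuck states (Error, WaitServiceWindow, ...) are visible
    $rows = foreach ($u in $targeted) {
        [pscustomobject]@{
            ArticleID       = $u.ArticleID
            Name            = $u.Name
            EvaluationState = $u.EvaluationState
            State           = $stateNames[[int]$u.EvaluationState]
            ErrorCode       = ('0x{0:X8}' -f [uint32]$u.ErrorCode)
            PercentComplete = $u.PercentComplete
        }
    }

    # Per-object filtering with $_ ; this is what the discovery script's counts must do
    $pending = @($targeted | Where-Object { $_.EvaluationState -ne 8 }).Count
    $reboot  = @($targeted | Where-Object { $_.EvaluationState -eq 8 }).Count

    [pscustomobject]@{
        Targeted       = $targeted.Count
        PendingInstall = $pending
        RebootPending  = $reboot
        DiscoveryValue = [int]($pending -gt 0)   # what the CI discovery script would return
        Updates        = $rows
    }
}

function Get-RemediationEvents {
    param([int]$Hours = 24)
    # Source and event IDs are the ones the remediation script writes
    try {
        Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'SyncStateScript'
            Id           = 666, 667, 668
            StartTime    = (Get-Date).AddHours(-$Hours)
        } -ErrorAction Stop | Select-Object TimeCreated, Id, Message
    }
    catch {
        # Get-WinEvent throws when nothing matches; an empty result is a valid answer here
        Write-Warning "No SyncStateScript events found in the last $Hours hours: $($_.Exception.Message)"
    }
}

$summary = Get-PendingUpdateSummary
"Targeted: $($summary.Targeted)  PendingInstall: $($summary.PendingInstall)  RebootPending: $($summary.RebootPending)  discovery would return: $($summary.DiscoveryValue)"
$summary.Updates | Format-Table -AutoSize
Get-RemediationEvents | Format-Table -AutoSize -Wrap
```

Two things to look for in the table. Updates in state 9 (PendingHardReboot) or 10 (WaitReboot) are also only waiting for a restart, but the discovery script counts them as pending because it only excludes state 8, so the remediation will re-submit them until the machine reboots. Updates sitting in state 13 (Error) will likewise be re-submitted on every baseline evaluation; if the same ErrorCode keeps coming back, the problem is the update itself, not the client state this baseline fixes.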
It has been tested and is working fine in my current organisation. If you have any doubt or need help, then please comment.
If you don't want to follow this process, there is another method to achieve compliance: deploy the attached remediation script directly to the affected machines.
Thanks for reading.