STEP BY STEP GUIDE FOR PATCHING SCCM MANAGED WINDOWS CLIENT DEVICES
- For remediating patching on SCCM-managed client computers
4 important steps:
1. Scanning of devices
2. Reviewing logs to see patch status
3. Remediation to deploy patches
4. Patches are deployed as per logs, however reporting is showing as non-compliant
Additional info on:
- Manual patch deployment
- Possible reasons why issues are being reported
- Software Center error codes & description
--------------------------------------------------------------------------------------------
STEP 1: Scanning of devices:
- Check WUAHandler.log if scanning is failing
STEP 2: Reviewing logs to see patch status:
- To review the Windows Update log, run in PowerShell: Get-WindowsUpdateLog
Logs will have entries like:
- ASSIGNMENT_EVALUATE_SUCCESS, ASSIGNMENT_ENFORCE_FAILED, or another message such as "Failed to attach update to the automation wrapper = 0x87D00215".
- If an update is seen as finished installing (0x000000000), the patches are installed.
- No pending patches available as of now, kindly find the log details.
STEP 3: Remediation to deploy patches:
- Deployment failures can be caused by some update files becoming corrupt while being downloaded. If this happens you can delete or rename the folder and it will be recreated in the same location.
- A couple of places where this is observed: SoftwareDistribution and ccmcache
- Renaming folders
- SoftwareDistribution folder is located in C:\Windows\
- For ccmcache, you can rename the ccmcache folder, or the specific subfolder if you know which one
- catroot2 folder is located in C:\Windows\System32
- By default the rename will not be allowed because services are running in the background
. Stop Windows Update service. Service name: wuauserv
. Stop Cryptographic Services. Service name: CryptSvc
. Stop Background Intelligent Transfer Service. Service name: bits
. Stop Windows Installer service. Service name: msiserver
- Once the services are stopped, rename the folders
. Sometimes a few services auto-start, so you will need to disable them.
. Once the folders are renamed, restart / enable the above 4 services and also check the status of the SMS Agent Host service
. If the Windows Installer service gives an error while starting, unregister and re-register Windows Installer with the following commands
. msiexec /unregister
. msiexec /regserver
- Reboot the system and check
. Initiate “Software Update Scan Cycle” and “Software Updates Deployment Evaluation Cycle” from the Configuration Manager applet
. Review logs
- If patches still fail to deploy, there can be a Windows issue
. sfc /scannow (this is System File Checker)
. Windows Update troubleshooter can be accessed through Settings
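The stop / rename / restart sequence from STEP 3 as one script (an added example, not from the original description). It covers SoftwareDistribution and catroot2 only, assumes an elevated PowerShell session, and assumes the SMS Agent Host service is registered under its usual service name CcmExec; the ".old-<timestamp>" suffix is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$services = 'wuauserv', 'CryptSvc', 'bits', 'msiserver'
$folders  = "$env:windir\SoftwareDistribution", "$env:windir\System32\catroot2"
$suffix   = '.old-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
$original = @{}   # service name -> start type before this script changed it

try {
    foreach ($name in $services) {
        $svc = Get-Service -Name $name
        $original[$name] = $svc.StartType.ToString()
        # Disable first so a trigger-started service cannot come back mid-rename.
        Set-Service -Name $name -StartupType Disabled
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force   # -Force also stops dependent services
        }
    }

    foreach ($path in $folders) {
        if (Test-Path -LiteralPath $path) {
            $newName = (Split-Path -Path $path -Leaf) + $suffix
            Rename-Item -LiteralPath $path -NewName $newName
            Write-Output "Renamed $path -> $newName"
        } else {
            Write-Output "Not found, skipped: $path"
        }
    }
}
finally {
    # Runs even if a rename failed, so no service is left disabled.
    foreach ($name in $original.Keys) {
        Set-Service -Name $name -StartupType $original[$name]
        if ($original[$name] -ne 'Disabled') {
            Start-Service -Name $name -ErrorAction Continue
        }
    }
}

# Final state of the four services plus SMS Agent Host (assumed name: CcmExec).
Get-Service -Name (@('CcmExec') + $services) |
    Format-Table -Property Name, Status, StartType -AutoSize
```

The renamed folders are kept rather than deleted, so they can be inspected or restored; remove them once the next scan and deployment evaluation succeed.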
STEP 4: Patches are deployed as per logs, however reporting is showing as non-compliant.
- We need the client to resend its data to the MP. It’s a convenient way to force some state messages up.
. PowerShell query
. $UpdateStore = New-Object -ComObject Microsoft.CCM.UpdatesStore
. $UpdateStore.RefreshServerComplianceState()
. This command will help to update / refresh the compliance state on SCCM
- Site code change
- Reinstall client
--------------------------------------------------------------------------------------
Possible reasons why issues are being reported:
- Offline or inactive client – bring it back to the network
- Device not in use – it is retired from AD or SCCM
- Pending reboot
- Low disk space – housekeeping of HDD / upgrade HDD size
- Corrupt download
- SCCM client corrupted
- If the client is not updating with a recent date, repair / reinstall the client
- GPO issue
-------------------------------------------------------------------------------------
If you would like to share your troubleshooting fix or knowledge on MECM, you are most welcome to share your interest by email. I look forward to collaborating and sharing knowledge.