Fix SCCM Scan Issues with Software Updates Patching | ConfigMgr

Let’s discuss how to Fix SCCM Scan Issues with Software Updates Patching. Software Update SCAN errors are a prevalent issue. In large environments, it’s tough to find out the cause of these errors. We need to work with different teams to resolve this kind of issue/s. FIX Scan Issues with Software Updates.

Introduction

In this post, I’ll take you through one of my experience, especially with Windows 2008 R2 core servers ( found it difficult to troubleshoot on Windows CORE servers).

FIX SCCM Scan Issues with Software Updates - FIX Scan Issues with Software Updates
FIX SCCM Scan Issues with Software Updates – FIX Scan Issues with Software Updates

The scan error was due to the incorrect proxy settings in the environment. System context proxy settings should be blank ( that means the internal FQDN should have direct access). In our case, the system context proxy setting was also pointing to the proxy server; hence, all the internal FQDN communications were going through the proxy server; due to that, the SCCM clients could not reach the WSUS server.

Issue

Scan agent is getting failed; hence the SCCM patching is also failing for all the Windows servers.

Patch My PC

Cause for SCCM Scan Issues with Software Updates

Proxy settings configured in the core servers create the client’s communication block to reach the WSUS server. All the communications initiated by the client to reach WSUS/SCCM server (FQDN) are getting stopped at the proxy server.

Ideally, all the internal FQDN (WSUS/SCCM server) communication should not go to/through a proxy server. In our case, all the communications are going to the proxy server and producing unexpected results.

Solution – Fix SCCM Scan Issues with Software Updates

Reset the proxy settings in the Windows 2008 core server as mentioned below.

“netsh winhttp reset proxy”
Run “netsh winhttp show proxy” command from CORE server.

Restart “Windows Update” (for windows 7 and windows 2008) service to reinitiate scanning and patching processes.

Adaptiva

General patching issue – FIX Scan Issues with Software Updates

A. Group Policy conflict

Ensure that the following three policies mentioned are not be configured from the domain level. The SCCM client will apply the policy whenever it is required.

  • a. Allow signed content from intranet Microsoft update service location.
  • b. Specify intranet Microsoft update service location
  • c. Automatic Updates Configuration

See Technet article for more details – http://go.microsoft.com/fwlink/?LinkId=94680.

B. Additional information if the above steps are not resolving the issue. The following steps will help to segregate or Identify the issue

  • On the affected machine, disable the SCCM Agent. To do this, you can run the following commands:
    Disable the Service  sc config CcmExec start= disabled
    Stop the Service  net stop CcmExec
  • Ensure that the following policy is not enforced on the system:
    User Configuration\Administrative Templates\Windows Components\Windows Update\Remove access to use all Windows Update Features
  • Check this first in the local system policy (you can pull this up using gpedit.msc – Local Group Policy Editor). After that, please run RSOP.msc and ensure that the policy is not configured either. This will give you information from domain policies too. If the policy is enabled please either remove the policy or disable it.
  • Restart the Automatic Updates service.
  • Now, from the command line, run the following command:
    Configure Proxy  proxycfg.exe –p “WSUS SERVER FQDN”

By doing this, we are configuring WinHTTP, so that server access in the upper case is also bypassed.

At this point, we need to test an update scan. Since the SMS Host Agent service is disabled and stopped, we won’t use the agent to run the scan. In this case, we would need to run a scan using the command below:

wuauclt /resetauthorization /detectnow

Check Windowsupdate.log for the outcome of the testing

How to Bypass the Proxy server for testing purposes using proxycfg utility. (More details http://msdn.microsoft.com/en-us/library/windows/desktop/ms761351(v=vs.85).aspx). Also, find the registry entries you can check for bypass list – “HKEY_LOCAL_MACHINE\  SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\.”

C. I’ve similar problem explained in the technet thread and we had taken network traces and found that internal communication to WSUS server is also going to external proxy (even though that is applicable only for internet communications).

At last, it turns out to be incorrect proxy settings in a WPAD entry in the DHCP scope (“252 WPAD” Wpad entry). As we use group policy for proxy settings, WPAD entry in the DHCP scope is not required. We removed the WPAD setting, and the problem got resolved.

I hope this helps to FIX Scan Issues with Software Updates.

Resources

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about technologies like ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.…

2 thoughts on “Fix SCCM Scan Issues with Software Updates Patching | ConfigMgr”

  1. Hi Anoop
    I have SCCM 2012 R2 in our enterprise for managing 10000 desktops. We are using SUP for patch deployment, still many machines are updating its Microsoft patches automatically from internet bypassing SCCM which creates some issues on some of our custom applications to stop working. How can we set it strictly via SCCM only?

    Reply
  2. Hi Anoop. Thank you for sharing this piece of information. Your blogs never leave with without an answer. I do however have a question. We have around 3k clients in our estate that continue to scan ESU update that was made available by Microsoft on July 30th, which was later superseded by August Monthly quality rollup. How is it possible, clients continue to scan for an older update when its newer version is already deployed. Unless there is a remote possibility and an off theory, it will only scan but never install or download the older update and how do we remediate this issue. Reinstalling the client or hard resetting the policy on all these clients will put an immense load on site as clients download the policies.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.