SCCM ConfigMgr How to Resolve Scan issues in Software Updates Patching


Software update scan errors are a very common issue. In large environments it is difficult to find the cause, and resolving them usually means working with several different teams. In this post I’ll take you through one of my experiences, specifically with Windows 2008 R2 Core servers (which I found particularly difficult to troubleshoot).


The scan error was caused by incorrect proxy settings in the environment. The system context (WinHTTP) proxy setting should be blank, meaning that internal FQDNs are reached directly. In our case the system context proxy setting also pointed to the proxy server, so all internal FQDN communication went through the proxy and the SCCM clients could not reach the WSUS server.

Windows 2008 R2 Core server patching issue

Issue

The scan agent fails, so SCCM patching also fails on all the Windows 2008 R2 servers.

Cause

The proxy settings configured on the core servers block the client from reaching the WSUS server: every connection the client initiates to the WSUS/SCCM server (by FQDN) is stopped at the proxy server.

Ideally, no internal FQDN (WSUS/SCCM server) communication should go through the proxy server. In our case all of it was going to the proxy server and producing unexpected results.

Solution

Reset the proxy settings on the Windows 2008 Core server as follows:

1. Reset the WinHTTP proxy: netsh winhttp reset proxy

2. Verify the result on the Core server with: netsh winhttp show proxy (it should no longer list a proxy server).

3. Restart the “Windows Update” service (Windows 7 and Windows 2008) to re-initiate the scanning and patching processes.

General patching issue

A. Group Policy conflict

Ensure that the following three policies are not configured at the domain level. The SCCM client applies them itself whenever they are required.

a. Allow signed content from intranet Microsoft update service location.

b. Specify intranet Microsoft update service location

c. Automatic Updates Configuration

See the TechNet article for more details: http://go.microsoft.com/fwlink/?LinkId=94680.

B. If the above steps do not resolve the issue, the following steps will help to isolate and identify it.

1. On the affected machine, disable the SCCM agent by running the following commands:
   Disable the service: sc config CcmExec start= disabled
   Stop the service: net stop CcmExec

2. Ensure that the following policy is not enforced on the system:
User Configuration\Administrative Templates\Windows Components\Windows Update\Remove access to use all Windows Update Features

Check this first in the local system policy (open it with gpedit.msc, the Local Group Policy Editor). Then run RSOP.msc and ensure that the policy is not configured there either; this also shows you the domain policies. If the policy is enabled, either remove it or disable it.

3. Restart the Automatic Updates service.

4. Now, from the command line, run the following command:
   Configure proxy: proxycfg.exe -p "WSUS SERVER FQDN"

This configures WinHTTP so that access to the server is also bypassed when the name is written in upper case.

At this point we need to test an update scan. Since the SMS Host Agent service (CcmExec) is disabled and stopped, we cannot use the agent to run the scan, so run one with the command below:

wuauclt /resetauthorization /detectnow

Check WindowsUpdate.log for the outcome of the test.

To bypass the proxy server for testing purposes, use the proxycfg utility (more details: http://msdn.microsoft.com/en-us/library/windows/desktop/ms761351(v=vs.85).aspx). The registry entries for the bypass list are under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\”.
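The following PowerShell script is an added example (not code from the original post) that performs read-only versions of the checks from the Solution section and steps B.2 and B.4 above: it reads the WSUS target from the Windows Update policy key, parses the output of netsh winhttp show proxy to decide whether the WSUS FQDN would be sent to the system context proxy, reports the DisableWindowsUpdateAccess policy value, and tests a TCP connection to the WSUS port. The WSUS name wsus.corp.example is a placeholder; run it in an elevated PowerShell on the affected client.

```powershell
# Added example, not from the original post. Read-only checks for the proxy
# and policy conditions described in the post. Run elevated on the client.
param([string]$WsusFqdn = 'wsus.corp.example')   # placeholder, used only if no WSUS policy exists

# 1. The WSUS server the client is told to scan against (written by the SCCM client
#    via local policy, or by a conflicting domain GPO).
$wuPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
if ($wuPolicy.WUServer) { $WsusFqdn = ([uri]$wuPolicy.WUServer).Host }
"WSUS target : $WsusFqdn"

# 2. Parse 'netsh winhttp show proxy'. Direct access is the recommended state; a
#    configured proxy is only acceptable if the WSUS host matches the bypass list.
function Test-WinHttpBypass {
    param([string[]]$NetshOutput, [string]$HostName)
    $text = $NetshOutput -join "`n"
    if ($text -match 'Direct access') { return $true }
    if ($text -match '(?m)^\s*Bypass List\s*:\s*(.+?)\s*$') {
        foreach ($pattern in ($Matches[1] -split '[;,]')) {
            $p = $pattern.Trim()
            if ($p -eq '<local>') { continue }   # covers single-label names only; an FQDN still goes via proxy
            $rx = '^' + [regex]::Escape($p).Replace('\*', '.*') + '$'
            if ($HostName -match $rx) { return $true }
        }
    }
    return $false
}

$netsh = netsh winhttp show proxy
"WinHTTP     : " + (($netsh | Where-Object { $_.Trim() }) -join ' | ')
if (Test-WinHttpBypass -NetshOutput $netsh -HostName $WsusFqdn) {
    "Result      : $WsusFqdn is reached directly (OK)"
} else {
    "Result      : $WsusFqdn would be sent to the WinHTTP proxy; fix with 'netsh winhttp reset proxy'"
}

# 3. The policy from step B.2 lives in the user hive; a value of 1 blocks Windows Update access.
$dwa = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate' -ErrorAction SilentlyContinue).DisableWindowsUpdateAccess
"WU access   : " + $(if ($dwa -eq 1) { 'BLOCKED (DisableWindowsUpdateAccess=1, check RSOP.msc)' } else { 'not blocked' })

# 4. Can the client open the WSUS port at all? The WUServer URL carries the real port;
#    8530 is only the WSUS default used when no policy is present.
$port = if ($wuPolicy.WUServer) { ([uri]$wuPolicy.WUServer).Port } else { 8530 }
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($WsusFqdn, $port); "TCP $port    : reachable" }
catch   { "TCP $port    : NOT reachable ($($_.Exception.Message))" }
finally { $tcp.Close() }
```

A proxy in the WinHTTP output with no matching bypass entry is the condition that broke scanning in this post; the TCP test then confirms whether the reset actually restored a direct path.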

C. I had a similar problem explained in a TechNet thread: we took network traces and found that internal communication to the WSUS server was also going to the external proxy (even though that should apply only to internet communication).

In the end it turned out to be incorrect proxy settings in a WPAD entry in the DHCP scope (the “252 WPAD” entry). As we use group policy for the proxy setting, a WPAD entry in the DHCP scope is not required. We removed the WPAD setting and the problem was resolved.

Hope this helps !!

1 COMMENT

  1. Hi Anoop
    I have SCCM 2012 R2 in our enterprise for managing 10000 desktops. We are using SUP for patch deployment, but still many machines are updating their Microsoft patches automatically from the internet, bypassing SCCM, which causes some of our custom applications to stop working. How can we set it strictly via SCCM only?
