software update management
11 Topics

Windows/Defender Updates not deployed to SCCM server (all clients work fine!)
After battling for a few weeks with this it finally occurred to me to reach out for help, and I found this forum. So here goes… I have a relatively small environment with Windows Updates managed by SCCM. Currently, all clients are receiving updates as expected, the only client that isn’t is the Windows Server that’s hosting SCCM itself. Should I be configuring the winhttp proxy settings on that one server to point to our proxy (I have tried it and it didn’t seem to make a difference)? Without the winhttp proxy set, when I check the Windows update log, it seems to be trying the automatic proxy settings and quite rightly failing. It runs out of options and tries the user proxy as a last resort. I have checked that I can reach the URL configured in the Windows Update settings in Group Policy from the SCCM server and it works fine. Is there something I need to do differently with the SCCM server versus all the other clients? The SCCM client is installed on the SCCM server and is reporting healthy status with expected policies applied like all other managed clients in the estate. The SCCM server is in the same boundary as other servers that are receiving updates. SCCM 2503 running on Windows Server 2019. WSUS is running on the same server. The Software Update Point is configured with proxy settings. Thanks in advance!!
57 Views | 0 likes | 1 Comment

Re-Join SCCM Client to Intune for Co-Managed join Type
Hello, I have been using SCCM for a long time, I have it set up for Co-management, and all my workloads are moved over to Intune. I have a few clients that for one reason or other have not been added to Intune. I can get them onboarded, but the join type always ends up Intune. I am trying to find out the correct recipe to reenroll an SCCM client to Intune. I have tried uninstalling the SCCM client and reinstalling. I have tried removing registry keys for Intune to ensure it joins again. I have used DSREGCMD to leave and join back. I have completely removed from Domain and deleted from Intune. I have tried combinations of all of these things together. I have yet to come up with a specific order to do them in. I still think there is some remnant that is preventing a rejoin. Does anyone have details that help me to get systems to rejoin via SCCM? Some may say what is the difference. The difference is there are tools that are not present if the Join type is incorrect. Best regards and thanks.
43 Views | 0 likes | 0 Comments

SCCM Server fails Windows 11 24H2 upgrade package download
SCCM Server 2403 fails Windows 11 24H2 upgrade package download (both 2024-09B and 2024-10B). Running MP, DP, Site and WSUS database, several other roles on the same Windows Server 2022 VM. Running SUP/Wsus on another dedicated VM in the same subnet.

When running ADR, GUI shows error message:
0x87d20417 ADR rule download failed

When downloading the updates manually to new deployment package, error message:
Failed to download content id 666666666 Cannot create a file when that file already exists

Here is a sample from Patchdownloader.log file:

Downloading content for ContentID = 18696696, FileName = professional_en-us.esd. Software Updates Patch Downloader 09.10.2024 13:26:50 11808 (0x2E20)
Proxy is enabled for download, using registry settings or defaults. Software Updates Patch Downloader 09.10.2024 13:26:50 11808 (0x2E20)
Connecting - Adding file range by calling HttpAddRequestHeaders, range string = "Range: bytes=0-" Software Updates Patch Downloader 09.10.2024 13:26:50 8052 (0x1F74)
Download file size : 553783259 bytes Software Updates Patch Downloader 09.10.2024 13:26:50 8052 (0x1F74)
Download https://learn.microsoft.com/en-us/answers/questions/2101157/sccm-server-fails-windows-11-24h2-upgrade-package?page=1&orderby=Helpful&comment=answer-1859698 in progress: 10 percent complete Software Updates Patch Downloader 09.10.2024 13:26:51 8052 (0x1F74)
.......
Download https://learn.microsoft.com/en-us/answers/questions/2101157/sccm-server-fails-windows-11-24h2-upgrade-package?page=1&orderby=Helpful&comment=answer-1859698 in progress: 90 percent complete Software Updates Patch Downloader 09.10.2024 13:27:00 8052 (0x1F74)
InternetReadFile() return true and pdwNumberOfBytesRead equals to 0, but ulTotalFileRead=553703152 still less than ulFileSize=553783259, treat it as a retriable error. Software Updates Patch Downloader 09.10.2024 13:27:01 8052 (0x1F74)
InternetQueryDataAvailable return code = 183 - Can still retry for 3 times. Will retry in 10 seconds. Software Updates Patch Downloader 09.10.2024 13:27:01 8052 (0x1F74)

The same kind of error is logged for several other files related to the upgrade package, but not all. Downloading using Edge browser on the same machine directly from url "[http://dl.delivery.mp.microsoft.com/filestreamingservice/files/75ac9ad5-f29b-4e95-af3f-8a321bd39b92/public/professional_en-us_98014c58afbd29a57aed4f5eb6819f5cc5bce4a4.esd]" works fine, so it should not be a connectivity issue. Downloading Windows 11 23H2 upgrade package works fine. Has anybody else faced the same issue?
547 Views | 0 likes | 0 Comments

Management point in another domain (no-trust)
Hi folks, we have a situation where we would need to install a MP, DP and WSUS on a server that is in another domain to manage clients that are in that domain. I was planning on installing the roles using a service account and importing the CA cert from that domain in the Site server. Will there be any issues? I was reading about the communication between the site roles and I also noticed that the site server has to talk with a domain controller and the management point also has to talk with a DC. Which DC are we talking about and why should it talk with them? Will the MP in the other domain try to reach the DC in the same domain? Will the site server try to talk with the DC in the other domain? I know it's a strange one but it is the only way I managed to reduce the cost and be able to manage PCs that are on the other domain. Thanks! Mathieu
Solved | 1.2K Views | 0 likes | 2 Comments

Microsoft Patching is not working until User logon to the newly imaged device
Hi All, I have a customer that has two separate SCCM and WSUS environments in the same domain and they use SCCM for OS imaging and WSUS for patch updates. The problem is the end user has to log on to the device after imaging the OS using SCCM to kick start the patching process from WSUS. My client's understanding is that it should work without user logon to the device since the GPO is targeted to all authenticated users. Please also note that the computer objects and other settings are working without any issues. I would appreciate it if anyone has come across such a behavior and if there is any workaround that we can use to kick start the patching regardless of user login, or is this behavior by design? Thanks, Dilan
591 Views | 0 likes | 0 Comments

upgrade windows 10 with task sequence
I upgrade old versions of Windows 10 on my computers with an SCCM task sequence successfully and it reboots the computer alone. I want to notify the user before the reboot and define a countdown before the restart with of course the possibility of restarting it immediately if the user wants it. How can I do it?
973 Views | 0 likes | 1 Comment

Latest CU for server 2008 are not seen as missing.
Hi all, I am getting a strange issue where cumulative updates for server 2008 SP2 (both x86 and x64) and 2008 R2 are not seen as missing by Endpoint Manager. I have followed all the ESU requirements, tried to install every single update to be compliant for the ESU and all updates were not applicable (already installed). When I am installing updates by hand, they are installing without any complaint. I do not know where to look and the problem is that they are showing compliant in the report because the updates are not seen, but when a scan from Nessus is done, the result is that all my server 2008 and 2008 R2 are missing tons of patches. All ideas on where to start investigating are welcome. Thank you! Mathieu
707 Views | 0 likes | 2 Comments

Collocating SQL or remote SQL
Hi All, wanted to bounce my thoughts with fellow members. I am about to embark on a mini project for a customer. It's for a small experiment and a new network and infrastructure environment will be created on-premises. Unfortunately for this piece of work cloud is not an option. So a Virtualisation environment, SAN, networking, firewalls will all be procured. I need to build MECM to help deploy a gold image to approx. 100 workstations, there are 2 variances of laptops I need to consider. As it's an experiment it is also not going to grow. I also need to ensure patching is configured for both clients and the small server estate being built. So my thoughts are to build a new VM with MECM 2006 with the SUP role for WSUS and then use the OSD techniques with TS to build the Windows 10 image using PXE. They will be building a SQL server to host a database for a third party application. My question is, as it's such a small environment, should I put SQL on the same standalone server which will host the Primary site MECM server and SUP, or is it doing a lot already and I should move the SQL stuff to a remote SQL rather than collocate? From reading the docs I understand some considerations need to be taken into account to host both WSUS and ConfigMgr DBs within SQL (different instances?) but because the environment will be so small my personal preference would be to keep it on the same box, easier for me to deploy and easier for the customer to manage. The security of the environment is high due to the nature of the customer. What would others recommend and what would your approach be? Many thanks
Solved | 1K Views | 0 likes | 2 Comments

Problem with Signing Certificate for WSUS
Hello, I am in the process of standing up a new ConfigMgr 1910 on Server 2019. My WSUS server is remote and I have SSL working between the site server and the SUP. I am able to see and deploy MS updates in the CM console. However CM is not creating the signing certificate. I have tried to load the certificate manually using SCUP but receive the following error. I have tried removing the SUP and then uninstalling and reinstalling WSUS on the remote server. As well, I have tried to install the certificate on WSUS before configuring SSL and after, and receive the same error. I have also observed that the WSUS keystore is missing from the certificates console. I am unable to find any errors in the logs. Any help would be great! Patrick
2.5K Views | 0 likes | 1 Comment

WSUS Sync Failing
Within the last hour or so I have carried out a cleanup of our WSUS and reindexed the database as per this article https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/ Once complete I re-enabled the SUP schedule and WSUS has not been able to Sync since. Our SCCM Version is 1702 with the hotfix, hosted on a Server 2012r2 system. WSUS content is within a SQL database.

WCM.log; "System.Net.WebException: The request failed with HTTP status 403: Target service not allowed.~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)"

WsusCtrl.log does not seem to indicate any proxy related errors; "No changes - local WSUS Server Proxy settings are correctly configured as Proxy Name ####### and Proxy Port ##"
17K Views | 0 likes | 9 Comments