System Center Configuration Manager and Microsoft Intune allow IT Pros to manage PCs and mobile devices, keep software up-to-date, set configuration and security policies, and monitor system status. The database and reports in System Center 2012 Configuration Manager hold a wealth of information about the state of these devices, including hardware inventory, compliance states, software update levels and information about malware detections.

In the article below, Microsoft’s own Brad Anderson shows you how to leverage this and get even better insights into your ConfigMgr 2012 data using Microsoft Power BI:

Getting Started with SCCM & Power BI

We also have a demo of this that uses real data from the Microsoft deployment of ConfigMgr 2012 R2, SCEP 2012 R2 and Microsoft Intune where we are managing 100,000’s of PCs and 10,000’s of mobile devices. This is the dashboard every CISO in the world will want to have and use. In a single place you can now get a view of mobile device compliance with corporate policies, PC compliance with security updates, as well as malware encounters across the entire enterprise. You can get all the details about what you’ll need here:

Ignite Keynote Demo Recap: Power BI in SCCM

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

ConfigMgr 2012 R2

Reports that are started from the Administrator Console in System Center 2012 R2 Configuration Manager or from the Reporting Services website may not run as expected. Additionally, you may receive error messages that resemble the following:

The DefaultValue expression for the report parameter 'UserTokenSIDs' contains an error: The specified directory service attribute or value does not exist.Details:System.Web.Services.Protocols.SoapException: The DefaultValue expression for the report parameter ‘UserTokenSIDs’ contains an error: The specified directory service attribute or value does not exist.

For complete details as well as a resolution, please see the following:

KB3060813 - Reports don't run in System Center 2012 R2 Configuration Manager (https://support.microsoft.com/en-us/kb/3060813/)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/

ConfigMgr 2012 R2

~ Meghan Stewart | Support Escalation Engineer

If you’ve reviewed the Security Bulletin Summary for May 2015, you may have noticed that some security bulletins appear to be missing from your WSUS or Configuration Manager console. If you open the Microsoft Update Catalog and put in all of the KB numbers that were published under those three bulletins, you will notice that they are all listed with MSRC Number MS15-044.

Example 1

3045171 is listed under both MS15-051 and MS15-044 but when you look the it in the Update Catalog you can see it was published under MS15-044.

Below is what you would see in your Configuration Manager console. WSUS would look similar as long as you added the MSRC Number column.

Example 2

3056819 is listed both under MS15-044 and MS15-049 but comes in as MS15-044, not MS15-049.

Why the overlap

There is a reason for this overlap. Basically, the fix was consolidated, and if you read the FAQ about the updates on each of the bulletins themselves you’ll see that they do state this:

https://technet.microsoft.com/library/security/MS15-044

Why some updates are also denoted in other bulletins released in May

Several of the update files listed in this bulletin are also denoted in other bulletins being released in May due to an overlap in the affected software. Although the different bulletins address separate security vulnerabilities, the security updates have been consolidated where possible and appropriate, hence the occurrence of some identical update files being present in multiple bulletins.

Note that identical update files shipping with multiple bulletins do not need to be installed more than once.

This update FAQ is also listed on https://technet.microsoft.com/library/security/MS15-051 and a similar one is noted in the FAQ here: https://technet.microsoft.com/en-us/library/security/ms15-049

The bottom line

So what’s the bottom line for all this? Deploy all of MS15-044 to be compliant for MS15-049 & MS15-051.

Meghan Stewart | Support Escalation Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news on FacebookandTwitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/

System Center 2012 Configuration Manager System Center 2012 R2 Configuration Manager ConfigMgr 2012 R2

~ Meghan Stewart | Support Escalation Engineer

Here is product support we get a lot of questions regarding how to tell if computers are protected when Microsoft Security Advisories include updates to the Certificate Trust List (CTL), which is also known as the Disallowed Certificates update. Microsoft updates the CTL for Windows to remove trust of certificates that have the potential to be used in a fraudulent manner to help protect customers. This topic can be a little confusing for administrators who want to make sure that their systems have the updated CTL and has been especially plaguing Configuration Manager and WSUS administrators. When we see a KB number, we automatically assume we can push it out with our management tools, however this is not typically the case with CTLs.

Let's look at an example of a Security Advisory for an update to the disallowed CTL (3046310) and answer some of the common questions that arise.

Question: What is a Certificate Trust List (CTL)?

Answer: A Certificate Trust List (CTL) is pretty well summed up by this MSDN article: https://msdn.microsoft.com/en-us/library/windows/desktop/aa376545(v=vs.85).aspx. This article states:

“A CryptoAPI CTL is a list of items that has been signed by a trusted entity. The list of items could be anything, such as a list of hashes of certificates, or a list of file names. In most cases, a CTL is a list of hashed certificate contexts. All the items in the list are authenticated and approved by the signing entity. The primary use of CTLs is to verify signed Messages, using the CTL as a source of trusted root certificates.”

Now, as Microsoft loves to do, we have overloaded the term to also include CTL to mean a signed list of Root Certification Authorities that should no longer be trusted, which is why most people internally call this update the Disallowed Certificates update.

Question: How do machines automatically update their CTL?

Answer: We have had the root update program since Windows XP. The way it works is that when VeriSign, Entrust or another Internet CA provider stands up a new PKI hierarchy, someone has to deploy the root certificate to your computers Trusted Root Certification Authority store before things like Internet Explorer actually start trusting certificates issued by that hierarchy. This was accomplished by the root update system. Every week your computer accesses the Windows Update site to see if there is an updated root update CAB file sitting out there. If there is, it downloads the file and adds the new roots to the computers trusted root store.

So as you can see, we had a great story for mass deployment of new root certification authority certificates to Windows clients, however what about when that root or PKI hierarchy gets compromised and should no longer be trusted? For the longest time, the Windows Operating System did not have a way to easily update millions of Windows computers so that they do not trust comprised Root Certification Authorities. We expected our customers to be PKI experts and know where to look and watch for the next compromised root. We then decided that “Heck, we should be looking out for our customers, and when an Internet Root Certification Authority gets compromised, we should help customers by coming up with a way to deploy these compromised roots so that they are no longer trusted”. This is how the Disallowed Certificates (CTL) came about.

Disallowed Certificates basically works on the same premise as the root update program. Once a day it attempts to access the Window Update site and see if the disallowed update cab file has changed. If not then it does nothing. If it has then it downloads the latest version.

The functionality for Disallowed Certificates update came in the following update:

2677070 - An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (https://support.microsoft.com/en-us/kb/2677070/)

Note that in both cases, if you deny the computer access to Windows Update site then the root update and Disallowed certificate update will constantly try to access the Windows Update site every time there is certificate chaining or revocation checking done. If you want or need to support the root update and disallowed certificate updates within environments where the computers are not allowed to connect to the internet, or you specifically do not allow your clients to access Windows Update via Firewall rules because you use WSUS for patching, we have another option. This option requires the deployment of the following update:

2813430 - An update is available that enables administrators to update trusted and disallowed CTLs in disconnected environments in Windows (https://support.microsoft.com/en-us/kb/2813430/)

This update, along with a configuration document hyperlinked within the KB article, allows for a file server UNC path to be used to host the Root Update and Disallowed certificate updates. The downside to this is that someone has to maintain these files on the file server and make sure that they are up to date constantly.

Question: How do I get Microsoft Security Advisory 3046310 into WSUS or Configuration Manager?

Answer: You don't import 3046310 unless you need to update Windows Server 2003. Note that a Security Advisory is different from a Security Bulletin (see https://technet.microsoft.com/en-us/security/advisory/).

In short, this Security Advisory is basically a notification that certificates for live.fi were added to the disallowed Certificate Trust List (CTL). This should be automatically updated by the client if they meet the following criteria:

The table above summarizes the prerequisite updates. Note that 2813430 lists the file information for Crypt32.dll.mui based on OS. This is the minimum version the file must be in order to update the disallowed CTL automatically in a disconnected environment. Similarly, 2677070 list the minimum version for Crypt32.dll.mui for Internet connected clients. The ability to update CLTs automatically was not built into the OS until Windows 8, and the disconnected client scenario was added in Windows 8.1.

For Windows Server 2003, approve 3046310 (vkroots.exe) via WSUS like any other update. This is the only OS that requires that you approve 3046310 or any other root update.

Question: My computers do not have Internet access because I am in a disconnected network. How do I verify that my admin has updated the disallowed CTL?

Answer: In the Security Advisory 3046310 we tell you how to check this. For systems not using the automatic updater of revoked certificates, in the Certificates MMC snap-in, verify that the following certificate has been added to the Untrusted Certificates folder:

Note For information on how to view certificates with the MMC Snap-in, see the MSDN article How to: View Certificates with the MMC Snap-in.

Question: I am an administrator of a disconnected network. How do I setup my environment to update the disallowed CTL?

Answer: Follow the guide at https://gallery.technet.microsoft.com/Configuring-Trusted-Roots-281be43a. It is important to note that this changes the behavior of the root update program as well. For instance, update 931125 is a general KB number for updating Root Certificates. This KB is reused each time the Root Update Program needs to deploy a new set of Root Certification Authorities. This update is used for adding new internet Root CAs automatically to Microsoft operating systems.

Special thanks to Rob Greene from our AskDSBlog for his extensive help with this article.

Meghan Stewart | Support Escalation Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

System Center 2012 Configuration Manager System Center 2012 R2 Configuration Manager ConfigMgr 2012 R2

~ Pramod Sathyanarayana Kashyap

Hello everyone, my name is Pramod Sathyanarayana Kashyap. I recently worked with a customer who had some questions regarding the workflow of Software Metering in System Center 2012 Configuration Manager (ConfigMgr 2012) so I thought I would go ahead and share that with all of you here as well.

The information here is from a ConfigMgr 2012 R2 environment but if you’re looking for the same thing for System Center Configuration Manager 2007 (ConfigMgr 2007) then you can find that here:

Software Metering Rules Propagation and Enforcement

Creating the Software Metering rule

To get started with ConfigMgr 2012, first we create a Software Metering rule. In our example we will create a rule for Notepad as shown below:

Tracking Policy Creation and Compilation

Clients receive the new policy once we enable the Metering Rule. It’s processed when the Software Metering cycle runs as shown here: 

As we can see, every time we create a new Software Metering rule the version of the policy (037effca-e41f-4f28-86a8-ad7481a51deb) changes. In our example, after creating a 3^rd rule for Notepad the version changes to 3.00. Below is the snippet from PolicyAgentProvider.log:

Here is what we see during this process in PolicyAgent.log:

Requesting Machine policy assignments        PolicyAgent_RequestAssignments        9/24/2014 3:49:58 AM        4772 (0x12A4)

Total 1 PolicyAssignment(s) found.        PolicyAgent_ReplyAssignments        9/24/2014 3:49:59 AM        3564 (0x0DEC)

Policy Body :<PolicyAssignment PolicyAssignmentID="{7da6c723-2d5d-4a50-8d30-53e714a2c984}">

<Policy PolicyID="{037effca-e41f-4f28-86a8-ad7481a51deb}" PolicyVersion="3.00" PolicyType="Machine">

Compiling policy '{037effca-e41f-4f28-86a8-ad7481a51deb}' version '3.00' hash

Initializing download of policy 'CCM_Policy_Policy5.PolicyID="{037effca-e41f-4f28-86a8-ad7481a51deb}",PolicySource="SMS:PR1",PolicyVersion="3.00"' from 'http://SEC.contoso.com/SMS_MP/.sms_pol?{037effca-e41f-4f28-86a8-ad7481a51deb}.3_00'        PolicyAgent_ReplyAssignments        9/24/2014 3:50:00 AM        3564 (0x0DEC)

Revoking policy '{037effca-e41f-4f28-86a8-ad7481a51deb}' version '2.00'        PolicyAgent_PolicyDownload        9/24/2014 3:50:02 AM        3792 (0x0ED0)

Deleting policy '{037effca-e41f-4f28-86a8-ad7481a51deb}' version '2.00'        PolicyAgent_PolicyDownload        9/24/2014 3:50:03 AM        3792 (0x0ED0)

Deleting policy file C:\Windows\CCM\Staging\{A56CBE49-456C-4575-ABCE-8B7C68309A71}.tmp        PolicyAgent_PolicyDownload        9/24/2014 3:50:03 AM        3792 (0x0ED0)

Recieved notification of policy download and evaluation complete for correlation guid {8CC44587-E82E-47AF-8449-BA069FF1683C}        PolicyAgent_RequestAssignments        9/24/2014 3:50:12 AM        4772 (0x12A4)

Synchronous policy assignment request with correlation guid {8CC44587-E82E-47AF-8449-BA069FF1683C} for Machine C1 completed with status 0        PolicyAgent_RequestAssignments        9/24/2014 3:50:12 AM        4772 (0x12A4)

After that we see these events in the mtrmgr.log:

Process ID 3772 is for process C:\Users\administrator\Desktop\CMTrace.exe     mtrmgr 8/29/2014 2:33:12 AM    2180 (0x0884)

Found match against RuleID PR100001   mtrmgr 8/29/2014 2:33:12 AM    4956 (0x135C)

Tracked usage for process 3772 mtrmgr 8/29/2014 2:33:12 AM    4956 (0x135C)

Check WMI Entries for the same

Next, this information is written into WMI with the help of Software Metering Storage Manager in root\ccm\SoftwareMeteringAgent. In here we have the classes shown below.

• CCM_MeteredFileInfo – Holds details of  the *.exe that is being metered.
• CCM_MeteredProductInfo – Similar information as that above.
• CCM_RecentlyUsedApps – Holds the names of the files that were run recently.
• CCM_HistoricalMeteredData – Records historical data.

Screenshots of these are included below.

This is then processed by the Software Metering Report Generator by fetching details from the Storage Manager and WMI. During this process, it transforms these files as XML and then into *.MUV.

After sending the report (as demonstrated below), it sends a request to purge the data in WMI which was already sent.

CSWMtrReportEndpoint::HandleMessage- Report Endpoint invoked.     SWMTRReportGen         8/29/2014 2:32:54 AM                2268 (0x08DC)

Generating report for usage data             SWMTRReportGen         8/29/2014 2:32:54 AM    2268 (0x08DC)

About to generate report header             SWMTRReportGen         8/29/2014 2:32:54 AM    2268 (0x08DC)

Successfully generated report header    SWMTRReportGen         8/29/2014 2:32:54 AM    2268 (0x08DC)

About to generate report body SWMTRReportGen         8/29/2014 2:32:54 AM    2268 (0x08DC)

Successfully generated report body        SWMTRReportGen         8/29/2014 2:32:54 AM    2268 (0x08DC)

About to generate report header             SWMTRReportGen         8/29/2014 2:32:54 AM    2268 (0x08DC)

Successfully generated report header    SWMTRReportGen         8/29/2014 2:32:54 AM    2268 (0x08DC)

MRU Refresh is 15 minutes.        SWMTRReportGen         8/29/2014 2:32:54 AM    2268 (0x08DC)

MRU Age limit is 90 days.              SWMTRReportGen         8/29/2014 2:32:54 AM    2268 (0x08DC)

CSWMtrReportEndpoint- Message ID of sent message: {D9ACA606-A6E6-4CE8-82E4-68E6DA86801B}                SWMTRReportGen         8/29/2014 2:32:54 AM    2268 (0x08DC)

This data is then sent to the MP_Relay Endpoint and then to swmproc.box for processing.  After this is done, and assuming a summarization runs on a schedule, we will be able to see all the details.

Workflow of the Software Metering Collection and Reporting

Below is the flow in an environment where we have a CAS, a Primary and a Secondary server. First the data is stored in the “C:\Windows\CCM\Metering” folder:

Then when the Software Metering cycle runs, its sends a report and is received by the MP_Relay Endpoint on the Secondary:

Next it is moved to swmproc.box on the Secondary for processing:

Now the Software Metering Processor on the Secondary adds the Usage File and then transfers it to Primary using DRS:

We can see the Sender sending the files to the Primary Site Server:

At the Primary we can see the same files being received at the Despooler:

After the completion of replication, the *.MUV file is moved to the swmprox.box on the Primary:

It is then processed by the Software Metering Processor on the Primary:

The file move can be seen here in the folders on the Primary:

Once this has been done and the maintenance tasks are run, the metering data will be available for viewing on the console:

NOTEIf you want to speed up this process you can trigger it manually, which can be useful if you’re troubleshooting a related issue. To do this, download the Configuration Manager 2012 Toolkit and install it. Once installed, look in the Server Tools folder for runmetersumm.exe. This file can be executed on the SQL instance hosting the Configuration Manager database to trigger the summarization process. The command to run is runmetersumm.exe DBName.

That’s the Software Metering workflow in a nutshell. And just for reference, below is an example of a MUX file captured during the Software Metering Workflow:

<?xml version='1.0' encoding='UTF-16'?>
<Report>
<ReportHeader>
<Identification>
<Machine>
<ClientInstalled>1</ClientInstalled>
<ClientType>1</ClientType>
<ClientID>GUID:E58CDD17-B377-49A0-9584-80224C12C827</ClientID>
<ClientVersion>5.00.7958.1000</ClientVersion>
<NetBIOSName>C1</NetBIOSName>
<CodePage>437</CodePage>
<SystemDefaultLCID>1033</SystemDefaultLCID>
</Machine>
</Identification>
<ReportDetails>
<ReportContent>Software\x0020Metering\x0020Data</ReportContent>
<ReportType>Full</ReportType>
<Date>20141001043107.864000-420</Date>
<Version>1.0</Version>
<Format>1.0</Format>
</ReportDetails>
</ReportHeader>
<ReportBody>
<ProductInfo CompanyName="Microsoft Corporation" ProductName="System Center 2012 Configuration Manager" ProductVersion="5.00.7804.1000" ProductLanguage="0">
<SoftwareFileInfo FileDescription="Configuration Manager Trace Log Tool" FileVersion="5.00.7804.1000 (hermbld.121121-2357)" FileName="CMTrace.exe" FileSize="678480">
<HistoricalMeterData MeteredDataID="F32846B9-7846-44D4-9162-4F54D2D0A54F" UserName="CONTOSO\Administrator" StartTime="20141001042204.000000-420" EndTime="20141001043107.911000-420" Status="1"></HistoricalMeterData>
<HistoricalMeterData MeteredDataID="C0C6FE62-3793-48D2-998D-BA036F2F345C" UserName="CONTOSO\Administrator" StartTime="20141001040049.000000-420" EndTime="20141001043107.911000-420" Status="1"></HistoricalMeterData>
</SoftwareFileInfo>
</ProductInfo>
</ReportBody>
</Report>

This shows the data sent from a client after the Software Metering cycle is run.

Pramod Sathyanarayana Kashyap | Support Engineer

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

System Center 2012 Configuration Manager System Center 2012 R2 Configuration Manager ConfigMgr 2012 R2

There is a new update to the Windows Update Client available that includes the following fixes:

- This update addresses an issue in which the Windows Update Client displays an out-of-memory error during the scan operation (0x8007000E) on systems that have small amounts of physical RAM.

- General improvements are made to support upgrades to a later version of Windows.

For complete details as well as information on how to obtain and install the update, please see the following:

3050265 - Windows Update Client for Windows 7: June 2015 (https://support.microsoft.com/en-us/kb/3050265)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

~ Larry Mosley | Senior Escalation Engineer

Hi everyone, in case you weren’t already aware, a fix has been released to address the issue with ConfigMgr 2012 update scan failures causing incorrect compliance status.

The hotfix for this issue has been released under KB 3050265 (https://support.microsoft.com/en-us/kb/3050265 ) but there is some additional information I would like to address.

First, read the KB carefully! There is a lot in it, and here are some important points.

1. Windows Server Update Services (WSUS) servers servicing these clients must have the hardening patch installed (KB 2938066)

2. If you are using Configuration Manager to manage updates, the Windows Agent hotfix in 3050265 will have to be deployed as a package, application, or as a software update from ConfigMgr. Thanks to Mike Johnson for the details below:

a) Deploy via Software Update Management:  The update is published into the Microsoft Update Catalog under the “Updates” classification and will synchronize into your Configuration Manager’s top-level Software Update Point’s WSUS server that connects to Microsoft Update and can be deployed to your client machines via a software update assignment. However, if the client is in-state and getting the documented scan failure, the client will not be able to receive the deployment so you would need to use option B or C below.

b) Deploy via Software Distribution:  You can download the standalone installers from the Microsoft Download Center links noted in the article and target affected client machines with an advertisement.  We have the following document for previous Windows Update Agent releases here: 

http://blogs.technet.com/b/configmgrteam/archive/2014/07/14/how-to-install-the-windows-update-agent-on-client-computers.aspx

c) Deploy via Application Deployment:  You would need to create deployment types to check for each version of Wuaueng.dll among affected clients (x86, x64, or IA-64) as a detection method to determine installation.  For instance, for the x86 version of Wuaeng.dll, you would check if the file version is less than 7.6.7601.18847 as the noted version in the 3050265 article.

Finally, if you separated Windows Update Agent into it’s own svchost instance by following item 1 in the Workarounds section of my original post, you should configure Windows Update Agent to reside in a shared instance again using the following steps:

1.On the client, open an elevated Command Prompt and run sc config wuauserv type= share

2. Stop and then start wuauserv.

Larry Mosley | Senior Escalation Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

System Center 2012 Configuration Manager System Center 2012 R2 Configuration Manager ConfigMgr 2012 R2

When you add a driver on the Drivers tab of the properties of a boot image, the Microsoft System Center Configuration Manager console may appear to hang or stop responding while it is loading the list of drivers from the driver catalog. For example, in an environment that has 500 drivers, the console may appear to stop responding for up to 8 minutes. However, the exact number of drivers and length of delay will vary depending on system performance.

This happens in specific scenarios, so for more information on how to avoid this delay please see the following”:

KB3070057 - The Configuration Manager console appears to hang when you add a driver to a boot image (https://support.microsoft.com/en-us/kb/3070057)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/

ConfigMgr 2012 R2

You may discover that the operating system requirements are not automatically selected when you add a Microsoft Application Virtualization 4.x application for Windows 8 or Windows 8.1 as a package in the System Center 2012 Configuration Manager Administrator console. If you see this, we have a work around detailed in the article below.

KB3070370 - App-V 4.x apps don't set Windows 8 deployment requirements in System Center 2012 Configuration Manager SP1 (https://support.microsoft.com/en-us/kb/3070370)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/

ConfigMgr 2012 R2 App-V 4.x

Microsoft System Center Configuration Manager clients that report to a particular server or subset of servers may repeatedly become inactive. You may also notice that the clients do not send inventory information for 30 days or more and that the data in the Inventoryagent.log file is static. Additionally, the ClientIDManagerStartup.log displays repeated occurrences of the following error:

[RegTask] - Client is not registered. Sending registration request for GUID:4874BD6C-CB98-4EEB-9F4F-721CC65B25C3 ...
[RegTask] - Client is registered. Server assigned ClientID is GUID:4874BD6C-CB98-4EEB-9F4F-721CC65B25C3. Approval status 1
SetRegistrationState failed (0x80071770)
[RegTask] - Sleeping for 15360 seconds ...

For complete details regarding this problem as well as a resolution, please see the following:

KB3067633 - Configuration Manager clients become inactive and do not send inventory (https://support.microsoft.com/en-us/kb/3067633)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/

ConfigMgr 2012 R2