What is the difference between Update Deployment (Assignment) compliance reporting and individual Update compliance reporting?
Consider a deployment containing 100 updates. Each of those 100 updates has its own compliance state on the machine, and the deployment's compliance is the collective result of all of them: until every update in the deployment is compliant, the deployment itself is not compliant.
How do they look in the console?
Take as an example a Software Update Group named 'Endpoint' containing a few definition updates, which I have deployed to a collection.
The deployment compliance is shown on the deployment itself.
The individual updates in the deployment, each with its own compliance, are listed separately.
An important distinction to make here is that the compliance of the individual updates is available in the All Software Updates view; you do not have to create an Update Group or deploy it to see it.
How does that happen?
Client machines scan against WSUS on a schedule. Once fresh updates have been synced, the scan determines whether each update is required on that machine, stores the result in WMI, and sends a state message to the server.
So by the time a deployment is created, the individual compliance is already known. The console only shows the numbers; the Software Updates Scan report gives the actual machine names for a given update.
It is important to be clear that the numbers shown for individual updates are not limited to the machines in the deployment; they come from every client in the infrastructure that has reported compliance for that update. Suppose you have 1000 clients in the hierarchy and you deploy the update to a collection of 10 machines: the numbers for the individual update still come from all 1000 machines, because, as already mentioned, the scan is not tied to the deployment. To narrow it down to a collection, use the software update reports.
Now suppose the deployment is targeted, the client finds that only 3 of the updates are required, installs 2 of them and fails on 1. The 2 updates that installed correctly change their individual compliance, but the deployment itself remains Non-Compliant.
Where are they stored on the client machines?
The individual update status can be read from the client's WMI if you know the update's CI_UniqueID (from the console); it is held in the CCM_UpdateStatus class under root\ccm\SoftwareUpdates\UpdatesStore.
One more important side note about the CCM_UpdateStatus class: it only contains updates that are either Missing or Installed on the client machine, and it is not related to the deployment at all.
Now have a look at the deployment (assignment) compliance in client WMI, in the CCM_AssignmentCompliance class under root\ccm\SoftwareUpdates\DeploymentAgent.
Here the GUID is the deployment's unique ID, which you can obtain from the console. You can see the deployment itself is marked IsCompliant on the client.
Also note the Signature property on that instance.
Every time a deployment is modified its CRC changes, and the client is then asked to send compliance again for the changed deployment. That is how the server tracks which version of the deployment a compliance report belongs to.
The CRC on the server side exactly matches the Signature in client WMI. If they do not match, you know the client has not even received the changed policy for the deployment,
which narrows compliance troubleshooting down to policy troubleshooting.
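The two client-side checks described above, as an added example that is not part of the original post: read one update's individual status from CCM_UpdateStatus, read the deployment's compliance from CCM_AssignmentCompliance, and compare its Signature with the value noted from the server side. The GUIDs, the computer name and the property names are assumptions to replace with values from your own console and client.

```powershell
# Added example, not from the original post. Assumptions: the GUIDs are placeholders for
# console values; CCM_UpdateStatus sits in root\ccm\SoftwareUpdates\UpdatesStore and
# CCM_AssignmentCompliance in root\ccm\SoftwareUpdates\DeploymentAgent with the
# property names used below (verify on your client build).
param(
    [string]$ComputerName      = $env:COMPUTERNAME,
    [string]$UpdateGuid        = '00000000-0000-0000-0000-000000000000',  # GUID part of the update's CI_UniqueID (placeholder)
    [string]$AssignmentId      = '{00000000-0000-0000-0000-000000000000}', # Deployment Unique ID from the console (placeholder)
    [string]$ExpectedSignature = ''                                        # signature/CRC noted from the server-side deployment (optional)
)

$cim = @{ ComputerName = $ComputerName }   # splatted into every CIM call; remove to run locally

# 1) Individual update compliance. CCM_UpdateStatus holds only updates that the last scan found
#    Missing or Installed on this client, and it knows nothing about deployments. Matching on the
#    GUID with -like tolerates any prefix the stored UniqueId may carry.
$update = Get-CimInstance @cim -Namespace 'root\ccm\SoftwareUpdates\UpdatesStore' -ClassName 'CCM_UpdateStatus' |
          Where-Object { $_.UniqueId -like "*$UpdateGuid*" } |
          Select-Object -First 1

if (-not $update) {
    Write-Output "Update $UpdateGuid is absent from CCM_UpdateStatus: the scan has not reported it as Missing or Installed."
} else {
    Write-Output ("Update {0} '{1}': {2} (scanned {3})" -f $update.UniqueId, $update.Title, $update.Status, $update.ScanTime)
}

# 2) Assignment (deployment) compliance, keyed by the Deployment Unique ID.
$assignment = Get-CimInstance @cim -Namespace 'root\ccm\SoftwareUpdates\DeploymentAgent' `
                  -ClassName 'CCM_AssignmentCompliance' -Filter "AssignmentId = '$AssignmentId'"

if (-not $assignment) {
    Write-Output "No CCM_AssignmentCompliance instance for $AssignmentId : the client has not evaluated this deployment; check that its policy arrived."
    return
}
Write-Output ("Deployment {0}: IsCompliant={1} Signature={2}" -f $assignment.AssignmentId, $assignment.IsCompliant, $assignment.Signature)

# 3) The signature changes whenever the deployment is modified. A mismatch with the server-side
#    value means the client is still evaluating an older copy of the deployment policy, so the
#    problem is policy delivery rather than compliance evaluation.
if ($ExpectedSignature) {
    if ($assignment.Signature -eq $ExpectedSignature) {
        Write-Output 'Signature matches the server: the client has the current deployment policy.'
    } else {
        Write-Output "Signature mismatch (server: $ExpectedSignature): the client has not received the changed deployment policy yet."
    }
}
```

Run it with the deployment's GUID and, after editing the deployment, run it again: IsCompliant may stay True for a while, but a stale Signature tells you the client has not yet picked up the new policy and will not report against it until it does.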
What are the different types of state messages generated for the assignment and for the individual updates?
There are three types:
Evaluation message – sent when the deployment is evaluated on the client.
Enforcement message – sent when enforcement happens, generally when the deadline is reached.
Compliance message – sent when the compliance state changes, e.g. from Non-Compliant to Compliant after the updates are installed.
All three are generated both for each CI (update) and for the deployment. Needless to say, the deployment's state depends on the individual CIs in it, so even one CI in a bad state puts the deployment in that state: one non-compliant CI in the deployment makes the whole deployment non-compliant.
Even the TopicType of the state messages differs between assignment compliance and individual CI compliance.
For Assignment Compliance –
Evaluation Message – Topic Type 302
Enforcement Message – Topic Type 301
Compliance Message – Topic Type 300.
And for the individual CIs it is –
Evaluation Message – Topic Type 400
Enforcement Message – Topic Type 402
Compliance Message – Topic Type 401.
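To see these message types on a client, here is an added example (not from the original post) that enumerates the state messages held for one deployment and for the update CIs in it, labels them with the topic types listed above, and flags any that have not yet been sent to the management point. It assumes the root\ccm\StateMsg\CCM_StateMsg class exposes TopicID, TopicType, StateID, MessageSent and MessageTime (the same class the resend script later in this post queries); the GUIDs are placeholders for values from the console.

```powershell
# Added example, not from the original post. Assumed: CCM_StateMsg in root\ccm\StateMsg with the
# properties used below; the GUIDs are placeholders to replace with console values.
$AssignmentId = '{00000000-0000-0000-0000-000000000000}'    # Deployment Unique ID (placeholder)
$UpdateGuids  = @('11111111-1111-1111-1111-111111111111')    # GUIDs of the update CIs in it (placeholders)

# Topic types exactly as listed in the post: 3xx for the assignment, 4xx for individual CIs.
$topicNames = @{
    300 = 'Assignment compliance'; 301 = 'Assignment enforcement'; 302 = 'Assignment evaluation'
    400 = 'CI evaluation';         401 = 'CI compliance';          402 = 'CI enforcement'
}

# Pull every assignment and CI message, then keep those whose TopicID refers to our deployment or
# to one of its updates. Matching on the GUID with -like tolerates whatever prefix the CI ID carries.
$ids = @($AssignmentId) + $UpdateGuids
$messages = @(Get-CimInstance -Namespace 'root\ccm\StateMsg' -ClassName 'CCM_StateMsg' |
    Where-Object { $topicNames.ContainsKey([int]$_.TopicType) } |
    Where-Object {
        $topic = $_.TopicID
        @($ids | Where-Object { $topic -like "*$_*" }).Count -gt 0
    })

$messages |
    Sort-Object TopicID, TopicType |
    Select-Object TopicID, TopicType,
        @{ Name = 'Meaning'; Expression = { $topicNames[[int]$_.TopicType] } },
        StateID, MessageTime, MessageSent |
    Format-Table -AutoSize

# MessageSent = False means the message is still queued on the client. If the server shows stale
# values for one of these, it has not left the client yet, so look there before suspecting the site.
$pending = @($messages | Where-Object { -not $_.MessageSent })
if ($pending.Count -eq 0) {
    Write-Output 'All state messages for this deployment and its CIs have been sent to the MP.'
} else {
    Write-Output ("{0} state message(s) not yet sent: {1}" -f $pending.Count,
        (($pending | ForEach-Object { "$($_.TopicID)/$($_.TopicType)" }) -join ', '))
}
```

Reading the StateID column against the compliance and enforcement keys given further down tells you, per message, what the client believes it last reported; comparing that with the database rows shows whether a discrepancy is a lost message or a client that never produced one.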
Coming to the database: where are they stored when sent from the client?
For the assignment (deployment) the place is the CI_AssignmentStatus table.
It has columns for all three message types for the deployment, each updated when the corresponding message is received.
It is keyed by AssignmentID (which can be obtained from CI_CIAssignments).
So all three message types land in the same table, with separate sections for Compliance, Enforcement and Evaluation.
Enforcement error types and their codes, if any, are also visible here.
Now what is Enforcement State Unknown?
The client never sends such a state. It simply means the server has not received any enforcement message for the deployment (hence LastEnforcementMessageID is NULL). There can be many reasons: backlogs, client to MP communication issues, and so on. So if the assignment is not compliant (if it is already compliant we do not enforce) and there is no LastEnforcementMessage for the deployment, it is reported as Enforcement Unknown.
For the individual update CIs the place is the Update_ComplianceStatus table. All of the above applies to them as well, and the following function lists it:
select * from fn_ListUpdateComplianceStatus(1033)
Some keys to understanding what a message type or column value means for application/update CIs:
Compliance State: 1 = Compliant, 2 = Non-Compliant, 4 = Error, 6 = Partial Compliance
Enforcement State: 1000-1999 = Success, 2000-2999 = In Progress, 3000-3999 = Requirements Not Met, 4000-4999 = Unknown, 5000-5999 = Error
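Putting the Enforcement Unknown explanation and this key together, here is an added example (not from the original post) that queries the site database for the machines in one deployment that would show as Enforcement State Unknown: not compliant, with no enforcement message received (LastEnforcementMessageID IS NULL). It assumes the SqlServer module's Invoke-Sqlcmd and read access to the site database; the server and database names are placeholders, and apart from LastEnforcementMessageID (named in the post) the column names CI_CIAssignments.Assignment_UniqueID and AssignmentName, CI_AssignmentStatus.LastComplianceMessageID and LastEvaluationMessageID, and System_DISC.Name0 are from memory and should be verified against your schema.

```powershell
# Added example, not from the original post. Assumptions: SqlServer module (Invoke-Sqlcmd) and read
# access to the site DB; placeholder server/database names; column names other than
# LastEnforcementMessageID are from memory, so check them against your site database schema.
param(
    [string]$SqlServer    = 'CMSQL01',                                   # placeholder site database server
    [string]$Database     = 'CM_PS1',                                    # placeholder site database
    [string]$DeploymentId = '{F9FAF641-7786-40F3-B074-E4CD4A35D233}'    # the deployment GUID used in the post
)

# Compliance state key from the post.
$complianceNames = @{ 1 = 'Compliant'; 2 = 'Non-Compliant'; 4 = 'Error'; 6 = 'Partial Compliance' }

# Single-quoted here-string so PowerShell leaves $(DeploymentId) for Invoke-Sqlcmd's -Variable substitution.
$query = @'
SELECT  sd.Name0                      AS MachineName,
        a.AssignmentName,
        st.LastComplianceMessageID,
        st.LastEvaluationMessageID,
        st.LastEnforcementMessageID
FROM    CI_AssignmentStatus AS st
JOIN    CI_CIAssignments    AS a  ON a.AssignmentID = st.AssignmentID   -- AssignmentID is the key the post describes
JOIN    System_DISC         AS sd ON sd.ItemKey     = st.MachineID
WHERE   a.Assignment_UniqueID = '$(DeploymentId)'
  AND   ISNULL(st.LastComplianceMessageID, 0) <> 1   -- already-compliant clients are not enforced, so skip them
  AND   st.LastEnforcementMessageID IS NULL          -- no enforcement message on the server: "Enforcement Unknown"
ORDER BY sd.Name0;
'@

$rows = @(Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query `
            -Variable @("DeploymentId=$DeploymentId"))

if ($rows.Count -eq 0) {
    Write-Output "No Enforcement Unknown clients for $DeploymentId."
    return
}

# Decode the compliance value with the key above and note whether an evaluation message ever arrived:
# no evaluation at all usually points at policy delivery to that client; evaluated but never enforced
# points at a state message backlog or client-to-MP trouble, which is where the resend script helps.
$rows | Select-Object MachineName, AssignmentName,
    @{ Name = 'Compliance'; Expression = {
        $id = $_.LastComplianceMessageID
        if ($id -is [DBNull])                           { 'no compliance message yet' }
        elseif ($complianceNames.ContainsKey([int]$id)) { $complianceNames[[int]$id] }
        else                                            { "state $id" } } },
    @{ Name = 'Evaluated'; Expression = { -not ($_.LastEvaluationMessageID -is [DBNull]) } } |
    Format-Table -AutoSize
```

The WHERE clause is the definition given above turned into SQL; if your console shows more Enforcement Unknown machines than this query returns, compare the column names it uses with your schema before trusting either number.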
What if the client shows the correct values in WMI but the server seems to be missing them?
For example, the enforcement state of a deployment is "Waiting for a restart" on a client but the server has not updated it.
This can happen if the state message was lost or if there were issues processing it on the server. So we can ask the client to resend it.
Note that assignment compliance is not the same as individual update compliance; there are other scripts to resend update compliance, but those topic types are different.
For this one, from the table above we know the enforcement message for deployment compliance is TopicType 301. Taking the same deployment GUID {F9FAF641-7786-40F3-B074-E4CD4A35D233} as an example,
here is a sample script that sets MessageSent to FALSE so the message is resent in the next state message cycle:
# Flag the assignment enforcement state message (TopicType 301) for this deployment as not yet sent
[bool]$f = $false
Get-WmiObject -Namespace "root\CCM\StateMsg" -Query "select * from CCM_StateMsg where TopicID = '{F9FAF641-7786-40F3-B074-E4CD4A35D233}' AND TopicType = 301" | Set-WmiInstance -Arguments @{MessageSent = $f}
# The client picks it up and resends it to the MP on its next state message cycle
Write-Output "Flagged the assignment enforcement state message to be resent to the MP"
Hope it helps!
Umair Khan
Support Escalation Engineer | Microsoft System Center Configuration Manager
Disclaimer: This posting is provided "AS IS" with no warranties and confers no rights.