PowerShell – Refresh SCCM Updates Compliance

Here’s a quick post since I haven’t posted in a while.

Some of you SCCM users will run into circumstances where a system should be compliant with your current update deployment.  However, it doesn’t report properly in the report server within SCCM.

The “old” SMS way to do that was a common VBscript:  http://msdn.microsoft.com/en-us/library/cc146437.aspx

Ah, VBscript.  Well now, let’s do that in PowerShell!  This is so simple and only takes two lines.

You can easily do this using System Center Orchestrator as well.  Just combine the Execute PowerShell Script IP with the Configuration Manager IP for 2012 and you’re all set.  Just get collection members and then run this against each member of the collection.

Here’s the PowerShell way:

$SCCMUpdatesStore = New-Object -ComObject Microsoft.CCM.UpdatesStore
$SCCMUpdatesStore.RefreshServerComplianceState()

Voila!

(just remember to run as “Administrator”)
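As an added example (not part of the original post), here is one way to run the same refresh against each member of a collection, with the elevation check and per-machine error reporting made explicit. The function name `Invoke-UpdatesComplianceRefresh` and the host names are hypothetical, and the example assumes PowerShell remoting (WinRM) is enabled on the target systems.

```powershell
# Added example: run the two-line refresh on a list of machines and report the result per machine.
# Assumptions: WinRM/PowerShell remoting is enabled on the targets; the function name is hypothetical.
function Invoke-UpdatesComplianceRefresh {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName
    )
    begin {
        # Script block executed on each target system.
        $refresh = {
            # The refresh needs an elevated token, so fail with a clear message if it is missing.
            $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
            $principal = New-Object Security.Principal.WindowsPrincipal($identity)
            $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
            if (-not $principal.IsInRole($adminRole)) {
                throw "Not running as Administrator on $env:COMPUTERNAME"
            }
            # Same COM object and method as in the post.
            $store = New-Object -ComObject Microsoft.CCM.UpdatesStore
            try {
                $null = $store.RefreshServerComplianceState()
            }
            finally {
                # Release the COM reference so the remote session exits cleanly.
                $null = [Runtime.InteropServices.Marshal]::ReleaseComObject($store)
            }
        }
    }
    process {
        foreach ($name in $ComputerName) {
            try {
                $null = Invoke-Command -ComputerName $name -ScriptBlock $refresh -ErrorAction Stop
                [pscustomobject]@{ ComputerName = $name; Refreshed = $true; Error = $null }
            }
            catch {
                # Unreachable hosts, a missing SCCM client, or a non-elevated session all land here.
                [pscustomobject]@{ ComputerName = $name; Refreshed = $false; Error = $_.Exception.Message }
            }
        }
    }
}

# Constructed host names for illustration; replace with the members of your collection.
'SERVER01.example.test', 'SERVER02.example.test' |
    Invoke-UpdatesComplianceRefresh |
    Format-Table -AutoSize
```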

SCCM 2012 Client Deployment – SCEP Installation Craziness

I just finished an SCCM 2012 deployment and began upgrading all of the systems from the 2007 client to the new SCCM 2012 client.

First batch of 30 or so went fine.  Then, all of a sudden, a good-sized handful (about 40 servers) failed to install SCEP.

Basically, no errors.  The only thing I saw was the following message in \\<machinename>\admin$\ccm\logs\EndpointProtectionAgent.log:

“Unable to query registry key (SOFTWARE\Microsoft\Microsoft Security Client), return (0x80070002) means EP client is NOT installed.”

The closest I came to seeing an example of my issue was explained here:

http://social.technet.microsoft.com/Forums/en-US/configmanagersecurity/thread/872a5efc-8544-449a-8eda-777d606ac07b/

So, why not try that? It didn’t exactly fit my problem. In my case, the systems were both 2003 R2 and 2008 R2. So, I gave it a try. Won’t hurt.

Unfortunately, it didn’t work.

I’ve had stranger things happen, so I got to thinking, why not create the key and see what happens. Here’s what I did:

  • Uninstalled SCCM “ccmsetup.exe /uninstall”
  • Created the key “HKLM\Software\Microsoft\Microsoft Security Client”
  • Reinstalled the SCCM client from the console

VOILA! The SCEP client installs just fine.

I’ve tried just creating the key and re-installing the agent, but that doesn’t seem to work.

Just as an FYI, I originally wrote this post on 01/07/2013. The next day, I added a package, no files, with the command line:
reg add "HKLM\SOFTWARE\Microsoft\Microsoft Security Client"

I deployed that to a direct membership collection.

Within just a few minutes, the SCEP client installed on its own. So, I found it wasn’t necessary to uninstall the SCCM client.

Try either method. See what works. We noticed this does not always work on Windows 7 workstations.