question

noobert87 avatar image
0 Votes"
noobert87 asked saldana-msft edited

Windows 10 1909 Feature Update showing compliant when not

Hello,

Deploying the 1909 FU to my 1709 devices. I have already gone through extensive testing and piloting and this is my production rollout. Phase 1 is a very small group to get an idea of how many calls we may get to our SD - so only 1,000 devices. This update is "Available" for a week before the required deadline hits next week. I was surprised when I looked at my monitoring node and saw 33 devices as "compliant" - as they are not.

I have found servicing to be less "automated" than I originally expected. For this employer I decided to take a more modern approach and ditch my IPU TS. What I found is that I really have to babysit the FU's as they come in -- a new FU completely kills my existing deployment. Though the Article ID numbers are the same, they are a different update and the previous deployment completely quits working and I have to deploy the new FU. Not the end of the world, but it did cause some confusion for me. I had to download and deploy the latest 1909 FU for this rollout so I think it may be related but I have found nothing in the logs to indicate this.

Site version: 2006 (no hotfixes)
Client version: 5.00.9012.1020 across the board
Latest 1909 FU
All clients patched with the latest CU and SSU released for 1709

Log files have not been helpful. All impacted devices show in there ScanAgent.log that the 1909 FU was found (CScanAgent::ScanByUpdates - Found UpdateClassification 3689bdc8-b205-4af4-8d4a-a63924c5e9d5 for Update:de66498e-7ef8-4e29-b69b-ffc91e9706c0) and UpdatesDeployment.log shows "Update (Site_GUID/GUID) added to the targeted list of deployment". However, there is nothing to find for this update in the WUAHandler.log. These devices were receiving their monthly patches and still continuing to get 3rd Party Patches just fine.

The numbers for "Required" on my updates do not entirely match up either; the numbers very slightly (150-500) between 1809, 1903, 1909, 2004, and 20H2. I chalked this up to client scans.

Any thoughts or ideas on where to go from here? I guess my next, and easiest step, would be repairing clients. I was hoping to get some assistance and maybe find a root cause before doing this though. I have read that declining the updates in WSUS have fixed this similar behavior for others, but I am wanting to move forward with my pilot groups on 20H2 so not sure I want to decline any FU's right now. I also do not want to try and build a new IPU TS in the eleventh hour.

Thanks for any and all advice.





mem-cm-generalmem-cm-updates
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

noobert87 avatar image
0 Votes"
noobert87 answered EduardFalos-5983 commented

@Amandayou-MSFT ,

Really appreciate all the help.

PolicyAgent.log
The device received the deployment policy shortly after it was made "Available" and I can confirm this log looks your screenshot and what is referenced at the link provided:
44448-capture.jpg



UpdatesStore.log
No reference to the update at all

Oh my gosh I cannot believe my mistake. I feel like such an idiot. We have a very small subset of devices that had received the Consumer Edition of Windows :( I am relatively new to this organization and completely forgot and most of these devices happened to find their way into my first phase of the rollout. I found out when I went to look at a compliance report to attach here.

Thank you Amanda for your assistance and I apologize that I did not catch this sooner.


capture.jpg (33.7 KiB)
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,

Thank you very much for the update and we're glad the problem is solved now. If you have any questions in future, we warmly welcome you to post in this forum again.

Have a nice day!

Regards,
Amanda

0 Votes 0 ·

Hi @noobert87, @Amandayou-MSFT

I have something similar in my environment. After we changed the license version from Pro N to Enterprise N through Azure license assignment, I saw how the number of devices in SCCM requiring the 20H2 feature update was decreasing (as more users were receiving the Enterprise license on their machines from Azure).

I can't find an explanation why those Enterprise machines appear as compliant now for 20H2 although they are still on 1909 version. The feature update only shows in Software center if I force switch back to the Pro N version (remove the Enterprise license from the user from Azure and do a slmgr /ato against our KMS so he can get the Pro license).

0 Votes 0 ·
Amandayou-MSFT avatar image
0 Votes"
Amandayou-MSFT answered

Hi @ noobert87,

Could we clarify that there should be more than 33 devices as compliant and installed the 1909 feature update? If yes, we could find the client which should be installed the 1909 feature update but not, and check the cause of the failure.

We could check if there is the record of feature update in the software center, if yes, is it downloaded or not? we could see UpdatesDeployment.log. If not, we could check UpdatesStore.log, it records details about compliance status for the software updates that were assessed during the compliance scan cycle. would record updates as missing if they are required. If it is not required or has been installed by client, there is no record in this log.

44001-121.png


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



121.png (107.5 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

noobert87 avatar image
0 Votes"
noobert87 answered

Good morning @Amandayou-MSTF !

This update does not show up as "Status=Missing" form the UpdatesStore.log - there is no mention of it there. This update was first available 11/27/20 @ 3:00pm.
44010-capture.jpg


Here is the copy/paste from UpdatesDeployment.log:

 Raising client SDK event for class CCM_SoftwareUpdate, instance CCM_SoftwareUpdate.UpdateID="Site_A5C506EA-618F-4EA7-BEFB-DF6903ED025F/SUM_de66498e-7ef8-4e29-b69b-ffc91e9706c0", actionType 12l, value NULL, user NULL, session 4294967295l, level 0l, verbosity 30l
 Update (Site_A5C506EA-618F-4EA7-BEFB-DF6903ED025F/SUM_de66498e-7ef8-4e29-b69b-ffc91e9706c0) added to the targeted list of deployment ({22094D47-F7E2-421E-A95D-DC90594B5FAF})
 Update (Site_A5C506EA-618F-4EA7-BEFB-DF6903ED025F/SUM_de66498e-7ef8-4e29-b69b-ffc91e9706c0) added to the targeted list of deployment ({22094D47-F7E2-421E-A95D-DC90594B5FAF})
 Update (Site_A5C506EA-618F-4EA7-BEFB-DF6903ED025F/SUM_de66498e-7ef8-4e29-b69b-ffc91e9706c0) added to the targeted list of deployment ({22094D47-F7E2-421E-A95D-DC90594B5FAF})
 Update (Site_A5C506EA-618F-4EA7-BEFB-DF6903ED025F/SUM_de66498e-7ef8-4e29-b69b-ffc91e9706c0) added to the targeted list of deployment ({22094D47-F7E2-421E-A95D-DC90594B5FAF})

This is consistent across all the clients where the FU is "Compliant" but has not installed.

After some more investigation it seems my original post was incorrect - these devices have not installed the latest SSU/CU's for 1709. With that said, my other devices are installing the 1909 FU that are on the same patch level.

I had previously deployed the KB3012973 1909 FU (b51ee75d-% in the screenshot below) with success and the updated revision of this update (released November 2020) showed up during a SUP Sync. The previously deployed one would no longer install and thus "broke". This has happened one other time. I removed the content from my Deployment Package and re-deployed this new FU. I was hoping to decline the "old" one in WSUS but it was difficult trying to determine which was that one. Again, not sure this is related but did cause me some confusion.

44123-capture.jpg



capture.jpg (68.2 KiB)
capture.jpg (30.5 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Amandayou-MSFT avatar image
0 Votes"
Amandayou-MSFT answered

Hi,

The previously deployed one would no longer install and thus "broke".
--> The icon with the yellow star represents a superseded software update. We could identify superseded software updates by viewing the Superseded column for the software update when it displays in the Configuration Manager console.


We may not need to decline the update in WSUS, there might be seven steps to troubleshoot the common issues, please follow this steps first:
Step 1: We could check Policyagent.log. When policy is received, the following entry is logged in PolicyAgent.log:
44321-122.png



We could check if Deployment Unique Id on the console is consistent with policy id displayed in PolicyAgent.log.


44237-1221.png

Step 2: Software update would be checked if it is required by client , kindly check UpdatesStore.log. UpdateStore.log would record updates as missing if they are required. If it is not required or has been installed by client, there is no record in this log.

Step 3: If the update is required, the content could be detected before downloading. We could refer to UpdatesDeploymentAgent.log.

Step 4: The content could be downloaded. we could refer to UpdatesHandler.log, CAS.log, and ContentTransferManager.log. Here is a screenshot about ContentTransferManager.log.

Step 5: After the download is completed, detection could be followed before installation. We could refer to UpdatesHandler.log,ScanAgent.log, UpdateStore.log, WindowsUpdate.log and WUAHandler.log.

Step 6: Software update could be installed. We could refer to Windowsupdate.log and UpdatesDeployment.log.

Step 7: After the updates are installed, Updates Deployment Agent checks whether any updates require a reboot, and then it notifies the user if client settings are configured to allow such notification. We could refer to UpdatesDeployment.log and UpdateStore.log.

Here is an article about some detailed log screenshots.
Using log files to track the software update deployment process

Thanks for your time.

Best regards,
Amanda You



122.png (30.5 KiB)
1221.png (9.4 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.