Client computers show up in Unknown tab in Deployment status after updates deployment

One of the most common issues you come across is that client computers stay in the Unknown tab of the Deployment status in the SCCM console. There are several reasons for this:

  • The client computer is turned off
  • The client computer is considered inactive by SCCM, even though, as you observed, it is actually running
  • The client computer has a problem with the software update scan

The last cause is the most common one. Recently I ran into such an issue caused by a failing update scan.

ScanAgent.log shows the following messages.

03-21-2022 16:43:40.123    ScanAgent    2928 (0xb70)    ScanJob({383C1CD8-0555-44E4-A96A-551EA38718F6}): CScanJob::OnScanComplete -Scan Failed with Error=0x80240437
03-21-2022 16:43:40.139    ScanAgent    2928 (0xb70)    ScanJob({383C1CD8-0555-44E4-A96A-551EA38718F6}): CScanJobManager::OnScanComplete- failed at CScanJob::OnScanComplete with error=0x80240437

0x80240437 means –

Error Code:	0x80240437 (2149844023)
Error Name:	WU_E_PT_SECURITY_VERIFICATION_FAILURE
Error Source:	Windows Update Agent
Error Message:	There was a problem authorizing with the service.

This error code indicates that the client has a security problem communicating with the software update point: the client's request was rejected by the software update point server.

LocationServices.log reveals the WSUS server the client was trying to connect to.

03-21-2022 16:43:35.295    LocationServices    2928 (0xb70)    Calling back with the following WSUS locations
03-21-2022 16:43:35.295    LocationServices    2928 (0xb70)    WSUS Path='https://contososup.test.lab:8531', Server='contososup.test.lab', Version='4241', LocalityEx='BOUNDARYGROUP', SUPFallbackIn='0'

As you can see, the client was connecting to contososup.test.lab on port 8531. I tested the connectivity between the client and the software update point with Test-NetConnection (TNC) contososup.test.lab -Port 8531, and it succeeded. Keep in mind that TNC only proves that the TCP port is open; it says nothing about whether a TLS handshake on that port will succeed.

Then I captured two network trace files while triggering a Software Update Scan cycle from Configuration Manager client UI. The two network traces show the following interesting behaviour.

Client –

Server –

The client and the server completed the TCP three-way handshake, but the TLS 1.2 handshake failed. At that moment I suspected the server might not support TLS 1.2. However, SoftwareDistribution.log on the software update point server proved me wrong: the log says TLS 1.2 is indeed enabled.

03-22-2022 03:07:45.477    CommonDataAccess.SetSecureChannelProtocols    6 (0x6)    SCHANNEL Protocol 'TLS 1.2' enabled

Remoting into the software update point server, I also verified the TLS 1.2 settings with IIS Crypto, a free tool for viewing and changing the Schannel protocol and cipher settings.

What else to check? I launched the WSUS console on the software update point server and caught sight of the following!

The WSUS server was actually using port 8530, not 8531. So why was the client trying to connect on 8531? I went back to the client computer and checked its WSUS settings in the registry (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate), which hold the same values found in LocationServices.log.

WUServer:https://contososup.test.lab:8531
WUStatusServer:https://contososup.test.lab:8531

As you know, SCCM writes these WSUS settings to the client as local group policy, so the values come from the site, not from the client. Was something wrong with the software update point role? With that thought, I went back to the SCCM console and examined the software update point role settings. Voila, there was the answer: the option Require SSL communication to the WSUS server was checked, so clients were told to use https on 8531 while WSUS itself was configured on the non-SSL port 8530.

SOLUTION

  1. Go to SCCM console
  2. Navigate to the Software Update Point
  3. Right click on it and then on Properties
  4. Select General tab
  5. Uncheck Require SSL communication to the WSUS server

Note that unchecking this option makes clients talk to WSUS over plain HTTP on port 8530, so the client-to-WSUS traffic is no longer encrypted. If your environment requires SSL, fix it from the other side instead: configure WSUS itself for SSL (bind a server certificate to the WSUS site on 8531 and run wsusutil.exe configuressl <FQDN> on the WSUS server) and leave the option checked, so that the software update point setting and the WSUS configuration agree.
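The check I would run on an affected client before touching the site settings, as an added example that is not part of the original post: read the WSUS location that SCCM pushed as local policy, test plain TCP reachability (which is all TNC proves), and then attempt a real TLS 1.2 handshake on the same port. "TCP succeeded, TLS failed" is exactly the pattern in the network traces above. Assumptions: it runs as an administrator on the client, no proxy sits in the path, and the registry path is the one the SCCM client writes its WSUS policy to.

```powershell
# Added diagnostic example (not from the original post). Reads the WSUS policy the
# SCCM client wrote, checks TCP reachability, then tries a TLS 1.2 handshake on
# the same port so a "port open but TLS fails" condition shows up explicitly.
# Assumptions: run elevated on the client; no proxy in the path.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu    = Get-ItemProperty -Path $wuKey -ErrorAction Stop
$uri   = [System.Uri]($wu.WUServer)
"WUServer       = $($wu.WUServer)"
"WUStatusServer = $($wu.WUStatusServer)"
"Scheme=$($uri.Scheme) Host=$($uri.Host) Port=$($uri.Port)"

# 1. TCP three-way handshake only. A success here says nothing about TLS.
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
"TCP $($uri.Host):$($uri.Port) reachable: $($tcp.TcpTestSucceeded)"

# 2. TLS handshake on the same port; only meaningful when the policy URL is https.
#    The validation callback returns $true so that a bad certificate is reported
#    rather than hidden behind a handshake failure; the chain is then checked
#    separately with X509Certificate2.Verify().
if ($uri.Scheme -eq 'https') {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($uri.Host, $uri.Port)
        $reportOnly = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $reportOnly)
        $ssl.AuthenticateAsClient($uri.Host, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        "TLS handshake OK: protocol=$($ssl.SslProtocol) cipher=$($ssl.CipherAlgorithm)"
        "Server certificate: subject='$($cert.Subject)' expires=$($cert.NotAfter) chainValid=$($cert.Verify())"
        $ssl.Dispose()
    }
    catch {
        # This is the outcome in the post: TCP connected on 8531, but the handshake
        # failed because the SUP required SSL while WSUS was not configured for it.
        "TLS handshake FAILED on $($uri.Host):$($uri.Port): $($_.Exception.GetBaseException().Message)"
    }
    finally {
        $client.Dispose()
    }
}
else {
    "Policy URL is plain http; the client will not attempt TLS to WSUS."
}
```

If the handshake fails while TCP succeeds, confirm the server side next: on the software update point, Get-WebBinding -Name 'WSUS Administration' (the default IIS site name for WSUS) shows whether an https binding exists on 8531 at all, which is the same mismatch the WSUS console revealed above.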

References

Get updates deployment status from SCCM site database

Get updates deployment status

Sometimes you may need to retrieve the update deployment status from the site database. Here are some example queries that can be helpful in some scenarios.

Get deployment status of updates in a deployment

-- Replace {873BFE1F-C688-4E61-9447-1E943ECFEF05} with the actual deployment ID (Assignment_UniqueID)
declare @DEPLOYMENTID nvarchar(max) = '{873BFE1F-C688-4E61-9447-1E943ECFEF05}'

-- One row per targeted computer per update in the deployment. Note that
-- v_AssignmentState_Combined holds the per-computer state of the whole
-- assignment, so LastEnforcementState is the deployment-level state, not a
-- per-update state (use the next query for a single update).
select
vRS.Name0 as ComputerName,
vUPI.Title as UpdateTitle,
vUPI.ArticleID,
vUPI.CI_UniqueID as UpdateID,
vCIA.CollectionID,
vCIA.CollectionName,
vCIA.AssignmentID,
vCIA.AssignmentName as DeploymentName,
vCIA.Assignment_UniqueID as DeploymentID,
vSN.StateName as LastEnforcementState,
vASC.StateTime
from v_CIAssignment vCIA
join v_CIAssignmentToCI vCIA2CI on vCIA2CI.AssignmentID = vCIA.AssignmentID
join v_UpdateInfo vUPI on vUPI.CI_ID = vCIA2CI.CI_ID
join v_AssignmentState_Combined vASC on vASC.AssignmentID = vCIA.AssignmentID
join v_StateNames vSN on vSN.TopicType = vASC.StateType and vSN.StateID = isnull(vASC.StateID, 0)
join v_R_System vRS on vRS.ResourceID = vASC.ResourceID
where vCIA.Assignment_UniqueID = @DEPLOYMENTID
order by ComputerName, UpdateTitle

Get deployment status of a specific update in a deployment

-- Replace 16777217 with the AdminID of a Full Administrator from the RBAC_Admins table;
-- the fn_rbac_* functions filter their results by that administrator's RBAC scope
declare @UserSIDs nvarchar(max) = '16777217'
-- Replace {873BFE1F-C688-4E61-9447-1E943ECFEF05} with the actual deployment ID (Assignment_UniqueID)
declare @DEPLOYMENTID nvarchar(max) = '{873BFE1F-C688-4E61-9447-1E943ECFEF05}'
-- Replace b3fb7000-1397-452f-81d3-4e9515450bfc with the actual update ID (CI_UniqueID from v_UpdateInfo)
declare @UPDATEID nvarchar(max) = 'b3fb7000-1397-452f-81d3-4e9515450bfc'
declare @UPDATETITLE nvarchar(max) = (select Title from v_UpdateInfo where CI_UniqueID = @UPDATEID)
declare @ASSIGNID int = (select AssignmentID from fn_rbac_CIAssignment(@UserSIDs) where Assignment_UniqueID = @DEPLOYMENTID)
declare @LOCALUPDATEID int = (select CI_ID from fn_rbac_UpdateCIs(@UserSIDs) where CI_UniqueID = @UPDATEID)

select
uc.ResourceID,
m.Name0 as ComputerName0,
m.User_Domain0+'\'+m.User_Name0 as LastLoggedOnUser,
asite.SMS_Assigned_Sites0 as AssignedSite,
m.Client_Version0 as ClientVersion,
sn.StateName as Status,
isnull(uc.EnforcementSource, 0) as EnforcementState,
nullif(uc.LastEnforcementStatusMsgID&0x0000FFFF, 0) as ErrorStatusID,
nullif(uc.LastErrorCode, 0) as LastErrorCode,
@UPDATETITLE as UpdateTitle,
@UPDATEID as UniqueUpdateID,
uc.StateType*10000+uc.StateID as StateID,
statusinfo.MessageName as ErrorStatusName
from v_UpdateState_Combined uc
join v_CIAssignmentTargetedMachines ast on ast.ResourceID=uc.ResourceID and ast.AssignmentID=@ASSIGNID
join fn_rbac_CIAssignmentToCI(@UserSIDs) aci on aci.CI_ID = uc.CI_ID and aci.AssignmentID = @ASSIGNID
left join fn_rbac_StateNames(@UserSIDs) sn on sn.TopicType = uc.StateType and sn.StateID = uc.StateID
join fn_rbac_R_System(@UserSIDs) m on m.ResourceID=uc.ResourceID and isnull(m.Obsolete0,0)=0
left join v_RA_System_SMSAssignedSites asite on m.ResourceID = asite.ResourceID
left join fn_rbac_AdvertisementStatusInformation(@UserSIDs) statusinfo on statusinfo.MessageID=nullif(uc.LastEnforcementStatusMsgID&0x0000FFFF, 0)
where uc.CI_ID=@LOCALUPDATEID
order by m.Name0

Alternatively, use the following simpler query, which returns one row per computer and state for the update, and pick the latest entry for each computer by ordering on the StateTime column in descending order.

-- Replace 16836015 with the actual CI_ID value of the update
select * from v_UpdateState_Combined as vUPC join SR_StateNames as SRS
on vUPC.StateType = SRS.TopicType and vUPC.StateID = SRS.StateID
where vUPC.CI_ID = 16836015
order by vUPC.StateTime desc;

CI_ID can be retrieved by running the following in the Configuration Manager PowerShell session (Connect via Windows PowerShell from the SCCM console):

Get-CMSoftwareUpdate -Name "2020-01 Update for Windows 10 Version 1909 for x64-based Systems (KB4497165)" | Select-Object -Property CI_ID
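A query that ties the two posts together, as an added example that is not part of the original post: from a workstation with the SqlServer module, list the computers targeted by a deployment that have not reported a compliance state (the console's Unknown tab, the same isnull(StateID, 0) condition the first query above relies on) together with each computer's last software update scan result, so that a scan failure such as 0x80240437 shows up next to the Unknown entries. Assumptions: the SQL instance, database name and deployment ID below are placeholders; you have read rights on the site database; v_UpdateScanStatus exposes LastScanState, LastErrorCode, LastScanTime and LastScanPackageLocation; and TopicType 501 in v_StateNames names the scan states, as the built-in scan reports assume.

```powershell
# Added example (not from the original post): run a scan-status query against the
# site database with Invoke-Sqlcmd (SqlServer module) and roll the results up by
# scan error code. Placeholders below are assumptions, not values from the post
# except the deployment ID.

$SqlInstance  = 'cmsql.test.lab'                            # assumed site SQL instance
$Database     = 'CM_PS1'                                    # assumed site database
$DeploymentId = '{873BFE1F-C688-4E61-9447-1E943ECFEF05}'    # deployment ID used in the post

# Single-quoted here-string: $(DeploymentId) is left for Invoke-Sqlcmd -Variable to fill in.
$query = @'
declare @ASSIGNID int = (select AssignmentID from v_CIAssignment where Assignment_UniqueID = '$(DeploymentId)')

select
    m.Name0 as ComputerName,
    isnull(sn.StateName, 'Unknown') as DeploymentState,
    uss.LastScanTime,
    scan.StateName as LastScanState,
    -- LastErrorCode is stored as a signed int; show it as the hex WUA code ScanAgent.log prints
    convert(varchar(10), convert(varbinary(4), uss.LastErrorCode), 1) as LastScanErrorHex,
    uss.LastScanPackageLocation as ScanSource   -- the WSUS URL the client actually scanned against
from v_CIAssignmentTargetedMachines tm
join v_R_System m on m.ResourceID = tm.ResourceID and isnull(m.Obsolete0, 0) = 0
left join v_AssignmentState_Combined st on st.AssignmentID = tm.AssignmentID and st.ResourceID = tm.ResourceID
left join v_StateNames sn on sn.TopicType = st.StateType and sn.StateID = st.StateID
left join v_UpdateScanStatus uss on uss.ResourceID = tm.ResourceID
left join v_StateNames scan on scan.TopicType = 501 and scan.StateID = uss.LastScanState   -- assumed scan topic
where tm.AssignmentID = @ASSIGNID
  and isnull(st.StateID, 0) = 0          -- no compliance state reported yet: the Unknown tab
order by case when isnull(uss.LastErrorCode, 0) <> 0 then 0 else 1 end, m.Name0
'@

$rows = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $query `
                      -Variable @("DeploymentId=$DeploymentId") -ErrorAction Stop

$rows | Format-Table ComputerName, DeploymentState, LastScanState, LastScanErrorHex, LastScanTime, ScanSource -AutoSize

# Roll up by scan error so the dominant cause stands out (0x80240437 in the first post).
$rows | Group-Object LastScanErrorHex | Sort-Object Count -Descending |
    Select-Object @{ n = 'LastScanErrorHex'; e = { $_.Name } }, Count
```

The ScanSource column is worth reading alongside the error code: in the scenario from the first post it would show the https://contososup.test.lab:8531 location the client was handed, which is the quickest way to spot a whole boundary group pointed at a port WSUS is not serving.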