SCCM Compliance Reporting Unreliable RRS feed

  • Question

  • I want to address some concerns I have with SCCM Compliance Reporting.

    Problem 1 – NO REAL TIME REPORTING:  I have expressed concerns with this first problem already.  The SCCM compliance reporting isn’t in real time.  After a computer is patched and restarted, it could take a few hours to a couple of days for the computer to move from non-compliant to compliant status.  This is even after forcing client communication with SCCM.  I understand SCCM is different than WSUS, but to compare the difference, I could run a command on the client and WSUS Reporting would be up-to-date in a matter of a few minutes. 

    Specifically, I’m running SCCM Report ‘Compliance 7 – Computers in a specific compliance state for an update group (secondary)’.  This report allows me to select a SCCM software group, a collection, and then a state (Compliance state unknown, Compliant, Non-compliant). 

    The impact is I cannot confirm if a system is compliant until a day or two later.  This also will delay reporting to management when there is an emergency update.

    Problem 2 – SCCM REPORTING IS NOT RELIABLE:  I discovered this issue this morning and have two known incidents as of now. 

    Incident 1:  Last night, I patched SERVERX and all four updates failed (after the restart).  I then went to Windows Update and discovered the last Microsoft update successfully installed was on 3/1/2017.  This means SERVERX does not have the WannaCry update installed. 

    The problem here is I patched this server last month and no updates returned failed.  To make matters worse, I ran a Compliance 7 report (mention above) for Servers – January & March 2017 software group and it reports SERVERX compliant even though there are updates in this group that the server are missing.  For example, March 2017, Security Only Quality Update for Windows Server 2012.

    Incident 2:  A developer reported having problems with his system, SERVERXXXX, this morning.  The problems were related to memory.  I logged into  the system to ensure enough disk space and that the system had been restarted recently.  With this incident, the system hadn’t been restarted for 25 days.  This was surprising as this system wasn’t on my non-compliant report.  I went to Windows Updates and confirmed multiple updates were pending restart and the 2017-05 rollup had failed.  Yet, the SCCM Compliant 7 report is reporting this system compliant with the May 2017 Software Group. 


    As you can see from the problems listed above, I’m concern with the trustworthy of the SCCM Reports.  This leads me to some questions:

    1. Is the data in the SCCM database accurate and therefore SCCM reporting is the problem?

    1. Should we contact Microsoft for support on these two matters since the goal is to have timely and accurately reports for management?

    1. If the data in SCCM database is accurate, how can we confirm?  And if yes, would buying the reporting software from https://www.systemcenterdudes.com/, as you suggested this company has awesome SCCM reports, be a better solution?
    Thursday, June 8, 2017 4:23 PM


All replies

  • 1) Reporting and CM use the exact same database therefore it is impossible for the two to be out of sync.

    2) Since you have a trust issue then you should contact MSW to put your mind at eases.

    3) The data with CM database will be based on what the client have sent to the db. You are welcome to buy report and keep in mind that there are other companies or create you own reports.

    Garth Jones

    Blog: http://www.enhansoft.com/blog Old Blog: http://smsug.ca/blogs/garth_jones/default.aspx

    Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleased

    • Proposed as answer by Kamala kannan.c Friday, June 9, 2017 3:31 PM
    • Marked as answer by Hola IT GUY Monday, June 12, 2017 5:24 PM
    Thursday, June 8, 2017 4:46 PM
  • The compliance is based on the WSUS and sccm uses the same for better management, if you feel its different then i i would say it as an assumption for the scan or compliance status, it might be down to the server windows update agent scan..

    Kamala kannan.c| Please remember to click “Mark as Answer” or Vote as Helpful if its helpful for you. |Disclaimer: This posting is provided with no warranties and confers no rights

    Friday, June 9, 2017 3:32 PM
  • Thanks all for the replies. This was an email I received from a concerned new user to SCCM from 10 years with WSUS.

    I showed him the ES reports and those are real time.

    As for his perceived Unreliability, I think this was due to client side issues with WU components.

    Friday, June 9, 2017 5:06 PM
  • https://gallery.technet.microsoft.com/Workstation-Patch-9f52a143?redir=0


    Check these two for a better compliance improvements on the client and server side.

    Kamala kannan.c| Please remember to click “Mark as Answer” or Vote as Helpful if its helpful for you. |Disclaimer: This posting is provided with no warranties and confers no rights

    Monday, June 12, 2017 1:36 PM
  • ES - stands for what?
    Thursday, October 11, 2018 11:26 PM