I want to address some concerns I have with SCCM Compliance Reporting.
Problem 1 – NO REAL TIME REPORTING: I have expressed concerns with this first problem already. The SCCM
compliance reporting isn’t in real time. After a computer is patched and restarted, it could take a few hours to a couple of days for the computer to move from non-compliant to compliant status. This is even after forcing client communication with
SCCM. I understand SCCM is different than WSUS, but to compare the difference, I could run a command on the client and WSUS Reporting would be up-to-date in a matter of a few minutes.
Specifically, I’m running SCCM Report ‘Compliance 7 – Computers in a specific compliance state for an update group (secondary)’. This report allows me to select a SCCM software group, a collection,
and then a state (Compliance state unknown, Compliant, Non-compliant).
The impact is I cannot confirm if a system is compliant until a day or two later. This also will delay reporting to management when there is an emergency update.
Problem 2 – SCCM REPORTING IS NOT RELIABLE: I discovered this issue this morning and have two known incidents
as of now.
Incident 1: Last night, I patched SERVERX and all four updates failed (after the
restart). I then went to Windows Update and discovered the last Microsoft update successfully installed was on 3/1/2017. This means SERVERX does not have the WannaCry update installed.
The problem here is I patched this server last month and no updates returned failed. To make matters worse, I ran a Compliance 7 report (mention above) for
Servers – January & March 2017 software group and it reports SERVERX compliant even though there are updates in this group that the server are missing. For example, March 2017, Security Only Quality Update
for Windows Server 2012.
Incident 2: A developer reported having problems with his system, SERVERXXXX,
this morning. The problems were related to memory. I logged into the system to ensure enough disk space and that the system had been restarted recently. With this incident, the system hadn’t been restarted for 25 days. This was
surprising as this system wasn’t on my non-compliant report. I went to Windows Updates and confirmed multiple updates were pending restart and the 2017-05 rollup had failed. Yet, the SCCM Compliant 7 report is reporting this system compliant with
the May 2017 Software Group.
SERVERXXXXXXX
As you can see from the problems listed above, I’m concern with the trustworthy of the SCCM Reports. This leads me to some questions:
- Is the data in the SCCM database accurate and therefore SCCM reporting is the problem?
- Should we contact Microsoft for support on these two matters since the goal is to have timely and accurately reports for management?
- If the data in SCCM database is accurate, how can we confirm? And if yes, would buying the reporting software from
https://www.systemcenterdudes.com/, as you suggested this company has awesome SCCM reports, be a better solution?
