In this video guide, we will be performing a deep dive in the software updates feature in Microsoft SCCM. This will include client and server-side components. Some topics covered are client policy, scanning, WMI, StateMessages, StateMgr, Summarization and more!
PolicyAgent.log – Records requests for policies made by using the Data Transfer Service.
PolicyEvaluator.log – Records details about the evaluation of policies on client computers, including policies from software updates.
LocationServices.log – Records the client activity for locating management points, software update points, and distribution points.
UpdatesHandler.log – Records details about software update compliance scanning and about the download and installation of software updates on the client.
RebootCoordinator.log – Records details about the coordination of system restarts on client computers after software update installations.
WUAHandler.log – Records details about the Windows Update Agent on the client when it searches for software updates.
UpdatesStore.log – Records details about compliance status for the software updates that were assessed during the compliance scan cycle.
ScanAgent.log – Records details about scan requests for software updates, the WSUS location, and related actions.
StateMessage.log – Records details about software update state messages that are created and sent to the management point.
UpdatesDeployment.log – Records details about deployments on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface.
statesys.log – Records the processing of state system messages. This log also shows the software update summarization task that run.
Helpful WMI Namespace and Classes
ROOT\ccm\Policy\Machine\ActualConfig:CCM_UpdateCIAssignment – This shows that we have the policy for the SUG Deployment ID
ROOT\ccm\ScanAgent:CCM_SUPLocationList – Shows SUP SCCM is set to use for scanning
ROOT\ccm\SoftwareUpdates\DeploymentAgent:CCM_TargetedUpdateEx1 – Shows all software updates targetting the device and the relevant information about the updates
ROOT\ccm\SoftwareUpdates\DeploymentAgent:CCM_AssignmentCompliance – Shows the different software update group deployments targetting the device and their compliance
ROOT\ccm\StateMsg:CCM_StateMsg – Shows all the state messages logged in WMI
Very nice summary and I enjoyed your showing us WMI locations for updates info.
Sometimes, updates do install correctly but the evaluation of them does not seem to be picked up and the compliance status always remains required. Any suggestions for rectifying such a problem?
I should have added that the evaluation is not picked up as compliant after the restart and the scheduled rescan. At the rescan it sees them as still required, it reinstalls them all and restarts. The logs show this happening daily once the SW Update Deployment hits it’s installation deadline. I have run Microsoft’s latest WU Troubleshooting tool to no avail. I have also tried a complete uninstall and reinstall of client. I guess I was wondering if there was any need of ‘clearing’ WMI entries for update compliance to allow it to start fresh. Otherwise, I guess they just go in the bin for an OS refresh.
Very thorough yet easy enough to understand. I like that you also include notes and links to the topics discussed. I’ve learned a ton from your videos so far. Keep up the good work!
your videos are awesome and I really learn a lot! Since this one is “already” two weeks old – any ideas when the next one will be released! Thanks in advance for creating such valuable content and keep up the good work…
Hi Justin, I’m just a little confused. I’ve watched your videos a few times and I cant’t seem to find anywhere how you configure Device Collection Groups. Only in your Deep Dive do you show a little about them and even then they are just editing the ones you have and not how to create new ones. Also, there is no mention of how we setup the client workstations to get updates. Do we do this with Active Directory GP’s? If so, can you show us a video on how to set this up? Thanks!
I’ve just gone through your videos again at a slower pace and after watching them a little more carefully I’ve managed to figure (to an extent) how they work. Thanks!
Hi, Do you know why when you apply a software update to a machine and machine has updated but when looking at the Monitoring -> “Deployment Status” -> Windows Update group
I see lot of machine under Unknown tab but they showing as
im glad finding yous pages and videos, i have a couple of questions i have an environment that i have a missing updates computers i have tried remediate it with fix update,wmi, reinstall client but at last i see on deployment logs status missing.
i deploye from primary server to 20 distribution points.
is there something that i am missing along the way?
Hi Justin here enjoying your videos and learning and understanding how sccm updates works.
i have a question maybe i want to clear, because i have an environment with a lot of computers with 5 missing updates and in fact when i check logs says me :missing update… but which the difference between not applicable or missing updates.
can you clear a little bit ?
thanks in advance and greatly appreciate your videos..
In regard to the rebootcoordinator.log file, what are if any differences in the reboots that show up in this log. I have an ongoing dialogue with a coworker explaining my theory which is, if there’s a reboot in the log pending, this shouldn’t be ignored. My coworker states only a certain reboot qualifies for consideration to get the reboot. To me this makes no sense.. I have pointed out, if a reboot is required, it is showing up in the log, it needs to be performed and it may very well be causing issues in the environment because “patches” are not getting the requisite reboot because an application is still pending a reboot. So, all reboots are relevant. Thoughts?
I'm Justin Chalfant! I'm the founder of 
Very nice summary and I enjoyed your showing us WMI locations for updates info.
Sometimes, updates do install correctly but the evaluation of them does not seem to be picked up and the compliance status always remains required. Any suggestions for rectifying such a problem?
I generally see this when a restart is needed. You would need to do a restart then the next software update scan cycle should report the results back.
I should have added that the evaluation is not picked up as compliant after the restart and the scheduled rescan. At the rescan it sees them as still required, it reinstalls them all and restarts. The logs show this happening daily once the SW Update Deployment hits it’s installation deadline. I have run Microsoft’s latest WU Troubleshooting tool to no avail. I have also tried a complete uninstall and reinstall of client. I guess I was wondering if there was any need of ‘clearing’ WMI entries for update compliance to allow it to start fresh. Otherwise, I guess they just go in the bin for an OS refresh.
That’s weird, you could try a policy reset using client center. A support case may be the best next step.
Very thorough yet easy enough to understand. I like that you also include notes and links to the topics discussed. I’ve learned a ton from your videos so far. Keep up the good work!
Hi Justin,
your videos are awesome and I really learn a lot! Since this one is “already” two weeks old – any ideas when the next one will be released! Thanks in advance for creating such valuable content and keep up the good work…
Thanks Frank
Hey Frank,
Thanks for watching and the feedback! I’m hoping to get the next video recorded Thursday or this weekend at the latest. – Justin
Hi Justin, I’m just a little confused. I’ve watched your videos a few times and I cant’t seem to find anywhere how you configure Device Collection Groups. Only in your Deep Dive do you show a little about them and even then they are just editing the ones you have and not how to create new ones. Also, there is no mention of how we setup the client workstations to get updates. Do we do this with Active Directory GP’s? If so, can you show us a video on how to set this up? Thanks!
Hmm, yeah not sure I have anything that really covers using collections and WQL queries yet. Maybe this will help? https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections
I’ve just gone through your videos again at a slower pace and after watching them a little more carefully I’ve managed to figure (to an extent) how they work. Thanks!
Fantastic article. I appreciate your attention to this subject and I learned a great deal
Hi, Do you know why when you apply a software update to a machine and machine has updated but when looking at the Monitoring -> “Deployment Status” -> Windows Update group
I see lot of machine under Unknown tab but they showing as
“Client Check passed/Active”
“Client Check passed/InActive”
“Client Check failed/Active”
They don’t go away, it takes them around 7 days. The machine are already reported to SCCM that this update is applied.
Hi Justin
im glad finding yous pages and videos, i have a couple of questions i have an environment that i have a missing updates computers i have tried remediate it with fix update,wmi, reinstall client but at last i see on deployment logs status missing.
i deploye from primary server to 20 distribution points.
is there something that i am missing along the way?
thanks in advance
I don’t have enough details to help here, unfortunately.
Hi Justin here enjoying your videos and learning and understanding how sccm updates works.
i have a question maybe i want to clear, because i have an environment with a lot of computers with 5 missing updates and in fact when i check logs says me :missing update… but which the difference between not applicable or missing updates.
can you clear a little bit ?
thanks in advance
and greatly appreciate your videos..
This should help https://patchmypc.com/how-to-view-applicability-rules-and-troubleshoot-detection-states-for-third-party-updates. It’s about third-party updates, but the update status is the same across third-party or Microsoft updates.
In regard to the rebootcoordinator.log file, what are if any differences in the reboots that show up in this log. I have an ongoing dialogue with a coworker explaining my theory which is, if there’s a reboot in the log pending, this shouldn’t be ignored. My coworker states only a certain reboot qualifies for consideration to get the reboot. To me this makes no sense.. I have pointed out, if a reboot is required, it is showing up in the log, it needs to be performed and it may very well be causing issues in the environment because “patches” are not getting the requisite reboot because an application is still pending a reboot. So, all reboots are relevant. Thoughts?