ConfigMgr: PatchManagement

Showing posts with label PatchManagement. Show all posts

Patch Supersedence Report from SQL Query

select cir.FromCIID [New CI],
info.BulletinID [New BulletinID],
info.ArticleID [New ArticleID],
info.Title [New Title],
info.InfoURL [New InfoURL],
info.DatePosted [New DatePosted],
cir.ToCIID [SUPERSEDED CI],
info2.BulletinID [Superseded BulletinID],
info2.ArticleID [Superseded ArticleID],
info2.Title [Superseded Title],
info2.InfoURL [Superseded InfoURL],
info2.DatePosted [Superseded DatePosted]
from v_CIRelation cir
left join v_UpdateInfo info on cir.FromCIID = info.CI_ID
left join v_UpdateInfo info2 on cir.ToCIID = info2.CI_ID

where RelationType = 6

((info.ArticleID = @KBNumber) OR (info2.ArticleID = @KBNumber))

order by info.BulletinID, info.ArticleID

A consolidated Report for Patch Deployments

to get the consolidated Report for all your deployments / instead of depending on dashboard you can view this PVT Report

Source:- http://blog.coretech.dk/kea/status-report-for-software-update-deployments/

Select Deploymentname, Available, Deadline,

cast(cast(((cast([Compliant] as float) / (ISNULL([Compliant], 0) + ISNULL([Enforcement state unknown], 0) + ISNULL([Successfully installed update(s)], 0) + ISNULL([Failed to install update(s)], 0) + ISNULL([Installing update(s)], 0) + ISNULL([Waiting for another installation to complete], 0) + ISNULL([Pending system restart], 0) + ISNULL([Downloading update(s)], 0)))*100) as Numeric(10,2)) as varchar(256)) + '%' AS '%Compliant',

[Compliant],

[Enforcement state unknown],

[Successfully installed update(s)],

[Failed to install update(s)],

[Installing update(s)],

[Waiting for another installation to complete],

[Pending system restart],

[Downloading update(s)]

From

(select

a.AssignmentName as DeploymentName,

a.StartTime as Available,

a.EnforcementDeadline as Deadline,

sn.StateName as LastEnforcementState,

count(*) as NumberOfComputers

from v_CIAssignment a

join v_AssignmentState_Combined assc

on a.AssignmentID=assc.AssignmentID

join v_StateNames sn

on assc.StateType = sn.TopicType and sn.StateID=isnull(assc.StateID,0)

group by a.AssignmentName, a.StartTime, a.EnforcementDeadline,

sn.StateName) as PivotData

PIVOT

(

SUM (NumberOfComputers)

FOR LastEnforcementState IN

( [Compliant],

[Enforcement state unknown],

[Successfully installed update(s)],

[Failed to install update(s)],

[Installing update(s)],

[Waiting for another installation to complete],

[Pending system restart],

[Downloading update(s)])

) AS pvt

Software Updates Status messages

Software Updates Status messages are three major types and these are

States for deployments

States for software updates

Scan states for an update source

and each of these are again sub categorized as below.. we can see these message when we ran the software updates reports in SCCM.

States for Deployments

Client computers create state messages when evaluating software update deployments, for the compliance of deployment (whether or not the client requires one or more software updates in the deployment), and for the enforcement of a mandatory deployment.

Unlike other software updates state messages that are replicated up the hierarchy to the central site, state messages for deployments are replicated up the hierarchy to the site where the deployment was created. Software update deployment enforcement, evaluation, and compliance information will be missing from reports when they are run from a site higher in the hierarchy than where the deployment was created.

Evaluation States for a Deployment

When a new deployment is created and the client computer evaluates the assignment policy for the deployment and during the deployment reevaluation cycle, one of the following state messages is created:

Evaluation state unknown
Evaluation activated
Evaluation succeeded
Evaluation failed

Enforcement States for a Mandatory Deployment

When the deadline is reached for a mandatory deployment, client computers create state messages for the following:

Enforcement state unknown
Installing update(s)
Waiting for restart
Waiting for another installation to complete
Successfully installed update(s)
Pending system restart
Failed to install update(s)
Downloading update(s)
Downloaded update(s)
Failed to download update(s)
Waiting for maintenance window before installing

By segregating update enforcement state messages and deployment enforcement state messages, administrators can create detailed, precise, near-real-time reports for management that were previously difficult, if not impossible, to create.

Compliance States for a Deployment

Client computers report the compliance for a software update deployment by using the following state messages:

Compliance state unknown
Compliant
Non-compliant
Conflict detected

States for Software Updates

Client computers create state messages for the compliance of software updates and the enforcement of software updates in a mandatory deployment.

Compliance States for a Software Update

When client computers scan for software updates compliance, a state message with one of the following compliance states is created for each software update:

Detection state unknown
Update is not required
Update is required
Update is installed

Enforcement States for a Software Update

When the deadline is reached for a mandatory deployment, client computers create a state message for each software update in the deployment. The following software update enforcement states provide information about the software update installation:

Enforcement state unknown
Enforcement started
Enforcement waiting for content
Waiting for another installation to complete
Waiting for maintenance window before installing
Restart required before installing
General failure
Pending installation
Installing update
Pending system restart
Successfully installed update
Failed to install update
Downloading update
Downloaded update
Failed to download update

Scan States for an Update Source

When a scan is run on a client computer, a state message is created for each update source—for example, Microsoft Update or the Inventory Tool for Microsoft Updates. One of the following scan states is created:

Scan state unknown
Scan is waiting for content
Scan is running
Scan completed
Scan is pending retry
Scan failed
Scan completed with errors
SMS 2003 client

SCCM State ID’s from Client end error (Focused on Patching )

TopicType	StateID	StateName	StateDescription
300	0	Compliance state unknown	Compliance state unknown
300	1	Compliant	Compliant
300	2	Non-compliant	Non-compliant
300	3	Conflict detected	Conflict detected
301	0	Enforcement state unknown	Enforcement state unknown
301	1	Installing update(s)	Installing update(s)
301	2	Waiting for restart	Waiting for restart
301	3	Waiting for another installation to complete	Waiting for another installation to complete
301	4	Successfully installed update(s)	Successfully installed update(s)
301	5	Pending system restart	Pending system restart
301	6	Failed to install update(s)	Failed to install update(s)
301	7	Downloading update(s)	Downloading update(s)
301	8	Downloaded update(s)	Downloaded update(s)
301	9	Failed to download update(s)	Failed to download update(s)
301	10	Waiting for maintenance window before installing	Waiting for maintenance window before installing
302	0	Evaluation state unknown	Evaluation state unknown
302	1	Evaluation activated	Evaluation activated
302	2	Evaluation succeeded	Evaluation succeeded
302	3	Evaluation failed	Evaluation failed
400	0	Detection state unknown	Detection state unknown
400	1	Not Required	Not Required
400	2	Not Detected	Not Detected
400	3	Detected	Detected
401	0	Compliance state unknown	Compliance state unknown
401	1	Compliant	Compliant
401	2	Non-Compliant	Non-Compliant
401	3	Conflict Detected	Conflict Detected
401	4	Error	Error
402	0	Enforcement state unknown	Enforcement state unknown
402	1	Enforcement started	Enforcement started
402	2	Enforcement waiting for content	Enforcement waiting for content
402	3	Waiting for another installation to complete	Waiting for another installation to complete
402	4	Waiting for maintenance window before installing	Waiting for maintenance window before installing
402	5	Restart required before installing	Restart required before installing
402	6	General failure	General failure
402	7	Pending installation	Pending installation
402	8	Installing update	Installing update
402	9	Pending system restart	Pending system restart
402	10	Successfully installed update	Successfully installed update
402	11	Failed to install update	Failed to install update
402	12	Downloading update	Downloading update
402	13	Downloaded update	Downloaded update
402	14	Failed to download update	Failed to download update
500	0	Detection state unknown	Detection state unknown
500	1	Update is not required	Update is not required
500	2	Update is required	Update is required
500	3	Update is installed	Update is installed
501	0	Scan state unknown	Scan state unknown
501	1	Scan is waiting for content	Scan is waiting for content
501	2	Scan is running	Scan is running
501	3	Scan completed	Scan completed
501	4	Scan is pending retry	Scan is pending retry
501	5	Scan failed	Scan failed
501	6	Scan completed with errors	Scan completed with errors
501	7	SMS 2003 client	SMS 2003 client
800	100	Client deployment started.	Client deployment started.
800	301	Unknown client deployment failure.	Unknown client deployment failure.
800	302	Failed to create the ccmsetup service.	Failed to create the ccmsetup service.
800	303	Failed to delete the ccmsetup service.	Failed to delete the ccmsetup service.
800	304	Cannot install over embedded OS with File Based Write Filter (FBWF) enabled on system drive.	Cannot install over embedded OS with File Based Write Filter (FBWF) enabled on system drive.
800	305	Native security mode is invalid on Windows 2000.	Native security mode is invalid on Windows 2000.
800	306	Failed to start ccmsetup download process.	Failed to start ccmsetup download process.
800	307	Invalid ccmsetup command line:	Invalid ccmsetup command line:
800	308	Failed to download file over WINHTTP at address:	Failed to download file over WINHTTP at address:
800	309	Failed to download files through BITS at address:	Failed to download files through BITS at address:
800	310	Failed to install BITS version:	Failed to install BITS version:
800	311	Can't verify that prerequisite file is MS signed:	Can't verify that prerequisite file is MS signed:
800	312	Failed to copy file because disk is full.	Failed to copy file because disk is full.
800	313	Client.msi installation failed with MSI error:	Client.msi installation failed with MSI error:
800	314	Failed to load ccmsetup.xml manifest file.	Failed to load ccmsetup.xml manifest file.
800	315	Failed to obtain client certificate.	Failed to obtain client certificate.
800	316	Prerequisite file is not MS signed:	Prerequisite file is not MS signed:
800	317	A reboot is required to continue installation.	A reboot is required to continue installation.
800	318	Can't install the client on the MP because the MP and client versions don't match.	Can't install the client on the MP because the MP and client versions don't match.
800	319	The operating system or service pack is not supported.	The operating system or service pack is not supported.
800	400	Client deployment succeeded.	Client deployment succeeded.
800	500	Client assignment started.	Client assignment started.
800	601	Unknown client assignment failure.	Unknown client assignment failure.
800	602	The following site code is invalid:	The following site code is invalid:
800	603	Failed to assign to MP:	Failed to assign to MP:
800	604	Failed to discover default management point.	Failed to discover default management point.
800	605	Failed to download site signing certificate.	Failed to download site signing certificate.
800	606	Failed to auto discover site code.	Failed to auto discover site code.
800	607	Site assignment failed. Client version is higher than the site version.	Site assignment failed. Client version is higher than the site version.
800	608	Failed to get Site Version from AD and SLP.	Failed to get Site Version from AD and SLP.
800	609	Failed to get Client Version.	Failed to get Client Version.
800	700	Client assignment succeeded.	Client assignment succeeded.
1000	1	Client is successfully communicating with the Management Point	Client is successfully communicating with the Management Point
1000	2	Client is failing to communicate with the Management Point	Client is failing to communicate with the Management Point
1001	1	Client is successfully retrieving a certificate from the local certificate store	Client is successfully retrieving a certificate from the local certificate store
1001	2	Client is failing to retrieve a certificate from the local certificate store	Client is failing to retrieve a certificate from the local certificate store
1100	1	Client is not ready for Native Mode	Client is not ready for Native Mode
1100	2	Client is ready for Native Mode	Client is ready for Native Mode

Checking Patch Statuses through WMI

Normally the optimal and quickest way to determine if a patch has definitely been installed on a system is to use WMI. That's where the SCCM client primarily gets its information from to report back to its parent. There are several ways you can go about but the ways i've found to be ideal for me are described below:

Through the command prompt:

On the system which you wish to query, open up command prompt
Run "Wmic /namespace:\\root\ccm\softwareupdates\updatesstore path CCM_UpdateStatus get status, Article, Bulletin, UniqueId"
This will show you ALL updates on the particular system. I've added additional information for reference but you can always play around with what you wish to see returned.
This is best for an overview and you can quickly do a find or filter to determine a patch status if you pipe it to a txt file.

Through the Wbemtest User Interface:

Start "WBEMTEST" from a run prompt
Connect to the namespace "\\<computername>\root\ccm\softwareupdates\updatesstore
Select the Query button and using WQL, create a statement that suits your needs. Some examples are below:
1. - Searching for a Missing Patch that is for Web Components would be:
    - select * from ccm_updatestatus where status = "missing" and title like "%web%"
  - Searching for all installed patches would be:
    - select * from ccm_updatestatus where status = 'installed'

Depending on your requirements / needs, have fun! Wbemtest is very useful for quick references to WMI to determine patch statuses whenever you are suspecting the integrity of data received from SCCM due to possible sync issues.

Required Patches based on collection ID

SELECT DISTINCT
                      TOP (100) PERCENT SYS.Name0 AS [Machine Name], UCS.Status AS [Patch Status Code],
                      CASE WHEN UCS.Status = '2' THEN 'Applicable' WHEN UCS.Status = '3' THEN 'Installed' ELSE '' END AS 'Patch Status', UI.BulletinID, UI.ArticleID, UI.Title,
                      dbo.v_FullCollectionMembership.ResourceID, dbo.v_Collection.CollectionID
FROM         dbo.v_FullCollectionMembership INNER JOIN
                      dbo.v_Collection ON dbo.v_FullCollectionMembership.CollectionID = dbo.v_Collection.CollectionID INNER JOIN
                      dbo.v_R_System AS SYS LEFT OUTER JOIN
                      dbo.v_Update_ComplianceStatusAll AS UCS ON SYS.ResourceID = UCS.ResourceID INNER JOIN
                      dbo.v_UpdateInfo AS UI ON UCS.CI_ID = UI.CI_ID ON dbo.v_FullCollectionMembership.ResourceID = UCS.ResourceID
WHERE     (UCS.Status IN ('3', '2')) AND (dbo.v_Collection.CollectionID = 'CollectionID')
ORDER BY UI.ArticleID

Single system required Patch’s report from SQL

---Single system required Patch’s report from SQL

SELECT DISTINCT

SYS.Name0

AS [Machine Name], UCS.Status AS [Patch Status Code],

CASE WHEN UCS.Status = '2' THEN 'Applicable' WHEN UCS.Status = '3' THEN 'Installed' ELSE '' END AS 'Patch Status', UI.BulletinID, UI.ArticleID,

UI.Title

FROM

v_R_System AS SYS LEFT OUTER

JOIN

v_Update_ComplianceStatusAll

AS UCS ON SYS.ResourceID = UCS.ResourceID INNER
JOIN

v_UpdateInfo

AS UI ON UCS.CI_ID = UI.CI_ID

WHERE

(UCS.Status IN ('3', '2')) AND (SYS.Name0 = 'ServerName'
)

state messages for some reason is not being updated correctly Causes Updates Compliance Report Issue

run the below script to get the actual system state. this will help to report back actual compliance of patch level to SCCM Server

Option Explicit
On Error Resume Next

Call RefreshServerComplianceState

' WScript.Echo "Finished"

Sub RefreshServerComplianceState()

    ' Initialize the UpdatesStore variable.
    dim newCCMUpdatesStore
    ' Create the COM object.
    set newCCMUpdatesStore = CreateObject ("Microsoft.CCM.UpdatesStore")

    ' Refresh the server compliance state by running the RefreshServerComplianceState method.
    newCCMUpdatesStore.RefreshServerComplianceState
    ' Output success message.
'    wscript.echo "Ran RefreshServerComplianceState."

End Sub

Patching Related End to end – Collections and reports :-

Below is for a compliance report based on SQL

declare @CollectID AS varchar(8)
SET @CollectID= 'SMS0001'

declare @CollectionListID AS varchar(90)
SET @CollectionListID='ScopeId_5432f432-F885-4A98-B666-5432134122/AuthList_F15C63EA-B655-4940-A250-654323fd432'

declare @CI_ID int; select @CI_ID=CI_ID from v_ConfigurationItems where CIType_ID=9 and CI_UniqueID=@CollectionListID

declare @CollCount int, @NumClients int; select @CollCount = count(*), @NumClients=isnull(sum(cast(IsClient as int)), 0)

from v_ClientCollectionMembers ccm where ccm.CollectionID=@CollectID

select
    CollectionName=vc.Name,
    'Update List'=al.Title,
    Status=sn.StateName,
    NumberOfComputers=count(*),
    PComputers=convert(numeric(5,2), (isnull(count(*), 0)* 100.00 / isnull(nullif(@CollCount, 0), 1))),
    CollectionID=@CollectID,
    AuthListID=@CollectionListID
from v_Collection vc right join v_ClientCollectionMembers cm on vc.CollectionID=cm.CollectionID
join v_UpdateListStatus_Live cs on cs.CI_ID=@CI_ID and cs.ResourceID=cm.ResourceID
left join v_StateNames sn on sn.TopicType=300 and sn.StateID=isnull(cs.Status, 0)
left join v_AuthListInfo al on cs.CI_ID=al.CI_ID
where cm.CollectionID=@CollectID
group by vc.Name, sn.StateName, al.Title
order by sn.StateName

________________________________________________________________________________________________________________________
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
________________________________________________________________________________________________________________________
<<<<<<<---WQL based query----->>>>> systems will be automatically part of the collection with the name of "2011 Jan Updates" Deployment

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System WHERE SMS_R_System.ResourceID IN ( SELECT SMS_UpdateComplianceStatus.MachineID FROM SMS_UpdateComplianceStatus JOIN SMS_UpdateDeploymentSummary ON SMS_UpdateComplianceStatus.CI_ID = SMS_UpdateDeploymentSummary.CI_ID WHERE SMS_UpdateComplianceStatus.Status = "2" AND SMS_UpdateDeploymentSummary.AssignmentName = "2011 Jan Updates")

______________________________________________________________________________________________________________________________
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
______________________________________________________________________________________________________________________________

Patching Related End to end – Collections and reports :-

WSUS Wiki and troubleshooting WSUS

Read here on the WSUS Team Blog a nice article about troubleshooting WSUS. It references the site http://www.wsuswiki.com/.

This site was created to provide a place for the WSUS community to share information about WSUS, including troubleshooting steps and best practices. The advantages that this site provides over public news groups include:

Content on this site is edited and kept up-to-date. News group postings can get out of date, can contain incorrect information, and are often not corrected.
It is easier for readers to find information on this site than in the news group.
This site captures minor contribution from many users and both aggregates and persists them over time. This body of work grows and gets better over time whereas newsgroups just grow.
It is fun to edit pages and improve on contributions of others. You can not really do that with news groups.

It also references several troubleshooting tips for successful configuration of WSUS.

Check it out.

Microsoft Security Bulletin Minor Revisions

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: June 30, 2010
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS10-041 - Important
* MS10-040 - Important
* MS10-038 - Important
* MS09-040 - Important

Bulletin Information:
=====================

* MS10-041 - Important

- http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx
- Reason for Revision: V1.3 (June 30, 2010): Corrected the registry
key verification for Microsoft .NET Framework 3.5 and
Microsoft .NET Framework 2.0 Service Pack 2.
- Originally posted: June 8, 2010
- Updated: June 30, 2010
- Bulletin Severity Rating: Important
- Version: 1.3

* MS10-040 - Important

- http://www.microsoft.com/technet/security/bulletin/ms10-040.mspx
- Reason for Revision: V1.1 (June 30, 2010): Added a link to
   Microsoft Knowledge Base Article 982666 under Known Issues in
   the Executive Summary to address the issue where specific
   installations of IIS fail on restart after installing this
   security update.
- Originally posted: June 8, 2010
- Updated: June 30, 2010
- Bulletin Severity Rating: Important
- Version: 1.1

* MS10-038 - Important

- http://www.microsoft.com/technet/security/bulletin/ms10-038.mspx
- Reason for Revision: V1.2 (June 30, 2010): Added a link to
Microsoft Knowledge Base Article 2027452 under Known Issues
in the Executive Summary.
- Originally posted: June 8, 2010
- Updated: June 30, 2010
- Bulletin Severity Rating: Important
- Version: 1.2

* MS09-040 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-040.mspx
- Reason for Revision: V1.1 (June 30, 2010): Added a link to
Microsoft Knowledge Base Article 971032 under Known Issues in
the Executive Summary.
- Originally posted: August 11, 2009
- Updated: June 30, 2010
- Bulletin Severity Rating: Important
- Version: 1.1

Windows Update Explained

Source as it is

http://download.microsoft.com/download/a/9/4/a94af289-a798-4143-a3f8-77004f7c2fd3/Windows%20Update%20Explained.docx

How the Software Update Service Works and Why it Matters to You

Published: September 2008

For more information, please see http://www.microsoft.com/windows/downloads/windowsupdate/default.mspx

Contents

Introduction. 1

The Problem with Keeping Computers Up to Date. 1

Windows Update to the Rescue. 2

Windows Update for Individual Computers. 2

Windows Update in Windows Vista. 2

Windows Update in Windows XP. 4

Updating Networked Computers. 6

Windows Server Update Services. 6

Customizing Windows Server Update Services. 6

How Updating Works. 7

Checking for updates. 7

Downloading updates. 7

Installing Updates. 8

Rebooting your computer. 8

Reporting. 8

When the Windows Update Client is Updated. 9

Security Protections in Windows Update. 9

Additional Resources. 10

Introduction

We’ve all heard about or even experienced the havoc that computer viruses and other malicious software can cause to PCs and computer networks. Computer hackers are constantly trying to find ways to attack networks and computers with the intent of committing fraud and other crimes. When they succeed, individuals and enterprises can lose a great deal of time and money. In spite of their high cost and the headaches they cause, many security breaches are easily avoidable. The security fixes are available, but users don’t get them installed quickly enough (or at all).

Have you ever wondered what Microsoft is doing to help? Or did you know that Microsoft® Windows® Update is an important part of the solution, but weren’t sure exactly what it does or how it works. If so, this paper is for you.

For individual PC users, this paper will help you understand how to use Windows Update to keep your PC up to date, not only to help protect it from malicious software, but to keep it functioning at its best. If you’re responsible for networked computers, this paper will help you understand how Windows Update and Windows Server® Update Services (WSUS) can help protect groups of computers.

The Problem with Keeping Computers Up to Date

With Internet usage increasing, it’s more important than ever to keep your PC protected from malicious code. Understanding this, the people at Microsoft have been hard at work to help ensure that your PC continues to function well and that your personal information is very safe. Special teams at Microsoft proactively search for security vulnerabilities in Microsoft software and provide security updates. One of those teams is the Microsoft Security Response Center (MSRC). The MSRC is on call 24 hours a day, 7 days a week and dedicated to identifying, monitoring, resolving, and responding to Microsoft software security vulnerabilities.

In addition to security updates, Microsoft provides other software updates that make your computer run better and give you a better Windows experience. For example, an update may fix an issue with a hardware device, improve the performance of your computer, or deliver improved Windows features.

Downloading and installing the latest software updates, particularly security updates, quickly and consistently on your PC is vital to maintain both its security and its proper functioning. For network administrators, applying updates on computers across your organization—small, medium, or large—is a crucial measure for keeping your systems secure and running properly. Yet doing this manually requires constant time and attention, which many people simply don’t have available for the task. There must be an easier way!

Windows Update to the Rescue

Fortunately, there is an easier way, thanks to Windows Update, a free, built-in service included with Windows. This service helps you keep your PC more secure and reliable as well as compatible with devices and applications. It provides a single location for getting updates and scheduling automatic updating.

Using Windows Update by itself, you get updates for Windows and new or updated hardware drivers. For the other Microsoft software installed on your computer, use Microsoft Update. By turning on Microsoft Update, you get all of the benefits of Windows Update, but you get security and non-security updates for your other Microsoft software, such as Microsoft Office and the Windows Live™ network of internet services. Turning on Microsoft Update is recommended for all Windows PCs. To turn on Microsoft Update, go to http://update.microsoft.com/microsoftupdate.

Windows Update for Individual Computers

It is easy to improve the security and reliability of your PC, and take advantage of the continuous improvements Microsoft makes to Windows. Just use this four-step process:

1. Turn on Windows Update. You probably did this when you set up your new PC by selecting the option to “Help protect Windows automatically.”

2. Use the recommended settings. Windows Update is designed to work automatically and not interrupt you while you’re working on other things. Using the recommended settings, you get all of the benefits from the service, such as quick delivery of very important security updates, and you get them with fewer interruptions.

3. Turn on Microsoft Update. Microsoft Update includes updates for both Windows and other Microsoft products. This makes it easy to keep all your Microsoft software updated. To turn on Microsoft Update, go to http://update.microsoft.com/microsoftupdate.

4. Check Windows Update periodically. You will find a list of lower priority recommended and optional updates that you can choose to download and install. These include driver updates, new product features, and so forth. These updates will keep your PC functioning smoothly.

Windows Update has slightly different settings in the Windows Vista® and Microsoft Windows XP operating systems, as described in the following sections. For more information about Windows Update and its features, see http://www.microsoft.com/windows/downloads/windowsupdate/default.mspx.

Windows Update in Windows Vista

In Windows Vista, you can configure Windows Update settings and view and install updates from Windows Update in your Control Panel. If you go to the Windows Update Web site (http://update.microsoft.com), Windows Update opens automatically.

Getting Help in Windows Vista

Windows Update Help provides complete information and procedures for using Windows Update. To open it, click the Help button in the upper-right corner of the Windows Update control panel.

Figure 1: Windows Update control panel in Windows Vista

To configure or change settings, click the Change settings link in the left navigation pane. The Change settings screen displays.

Figure 2: Change settings screen in Vista

The most secure option is Install updates automatically (recommended). When you choose this option, you don't have to worry that critical fixes for Windows might be missing from your computer if you don’t have time to install them personally. Nor must you worry about Windows Update slowing down your PC’s Internet connection, while it downloads updates, because it operates in the background in a way that won’t interfere with your Internet usage. For more information about how Windows Update behaves during the download and installation process, see “How Updating Works,” later in this paper.

Updates in Windows Vista

Important updates offer significant benefits, such as improved security and reliability. Examples include security and critical reliability updates.

Recommended updates address non-critical problems and help enhance your computing experience. Examples include upgrades to Windows features and less important software updates.

Optional updates are not downloaded or installed automatically. Examples include less critical driver updates and new Windows or Microsoft software.

You can choose to have updates downloaded automatically and then install them manually, or you can choose to both download and install updates manually. In either case, Windows Update still continuously checks for updates automatically and notifies you when important or recommended updates are available. Still, the most convenient and secure option is to make both download and installation automatic.

Even if your PC is configured for automatic updating, you should periodically check that important updates have been installed and also check for Optional updates. To do to this, click the Check for updates link in the left navigation pane of the Windows Update control panel. On the screen that displays, you can review any available updates and install them.

Windows Update in Windows XP

In Windows XP, check for updates from the Windows Update Web site http://update.microsoft.com, and configure automatic updating settings from the Automatic Updates program in Control Panel, shown in the following figure.

Getting Help in Windows XP

For general Windows Update help and support go to http://update.microsoft.com and click Get help and support in the left-hand navigation pane.

To get help for the Automatic Updates program in Control Panel, click How does Automatic Updates work?

Figure 3: Automatic Updates control panel in Windows XP

The most secure option is Automatic (recommended). When you choose this option, you don't have to worry that critical fixes for Windows might be missing from your computer.

Updates in Windows XP

High-priority updates offer significant benefits, such as improved security and reliability. Examples include security and critical reliability updates.

Optional updates are not downloaded or installed automatically. You need to manually view and install these updates from within Windows Update. Examples include less important software updates, drivers, updates to Windows features, and new Windows or Microsoft software.

You also don’t need to worry about Windows Update slowing down your PC’s Internet connection and computer. It is designed to operate in the background and minimize interruptions. For more information about how Windows Update behaves during the download and installation process, see “How Updating Works,” later in this paper.

You can choose to have updates downloaded automatically and then install them manually, or you can choose to both download and install updates manually. In either case, Windows Update still continuously checks for most updates automatically and notifies you when High-Priority updates are available. Still, the most convenient and secure option is to let Windows Update download and install updates automatically.

With Windows XP, you should check the Windows Update Web site regularly because many of the updates that improve your experience with Windows are not installed automatically. To view all of the available updates, first make sure you upgrade to Microsoft Update, and then click the Custom button, as shown in the following figure.

Figure 4: Windows Update Web site for Windows XP

Updating Networked Computers

Windows Update makes it easy to automatically update a home computer or small group of business computers. However, if you are managing a network of 10 or more computers, you may want to manage the update process for computers on your network. By managing the update process, you have more control over which updates are installed and when they are installed.

Windows Server Update Services

Windows Server Update Services (WSUS) is a free add-on for the Windows Server operating system to help network administrators manage updates for computers. By using WSUS with Active Directory® group policy, administrators can fully manage update settings and the distribution of updates for computers on their network. To find out more about using WSUS, go to the Windows Software Update Services (WSUS) Web site http://technet.microsoft.com/en-us/wsus/default.aspx.

Note: Microsoft also provides the System Center Family of business software for fully managing (including updates) desktop computers and servers in medium to large organizations. For more information, see http://www.microsoft.com/systemcenter/en/us/default.aspx.

Customizing Windows Server Update Services

Microsoft provides a complete, programmable, and scriptable API that network administrators and software developers can use to create custom updating behaviors for WSUS. System administrators can use the WSUS API to determine which updates apply to a computer or group of computers, download those updates, and install them with little or no user intervention. Independent software vendors and developers can integrate WSUS features into computer management or update management software to provide a seamless operating environment. For more information, see http://msdn.microsoft.com/en-us/library/bb905331.aspx.

How Updating Works

During the updating process, the Windows Update client operates in the background to download and install updates. (The Windows Update client is the Windows Update component running on your PC.) It does this automatically, according to your settings, and in a “silent” manner that doesn’t disrupt your computer usage. This section describes how Windows Update behaves during the update process.

Checking for updates

The Windows Update client on your PC checks the Windows Update server at Microsoft for the availability of new updates at random intervals, every 17 to 22 hours. The randomization ensures that the Windows Update server is not overloaded with requests for updates all at the same time. The client is very efficient in checking for new updates and searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.

When checking for updates, the Windows Update client evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office.

If the computer is not online at the time you specified to check for updates, then the Windows Update client begins checking every five hours until it successfully finds updates. If more than 30 days have gone by without successfully finding updates, the client will notify you. If you should receive such a notification, you should connect your computer to the Internet, go to the Windows Update Web site, and check for updates.

Downloading updates

Once the Windows Update client determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer.

To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Background Intelligent Transfer Service (BITS) technology which downloads updates using idle bandwidth. This technology ensures that Windows Update downloads only when no other active download is in progress on the computer. This allows you to smoothly carry on day-to-day activities even while updates are being downloaded in the background.

Windows Update also supports pausing and restarting downloads. You do not have to worry if you need to shut down your computer, or if you have lost your Internet connection while an update is downloading. Once the connection is reestablished, the download will continue where it left off.

Installing Updates

When downloading is complete, depending on your Windows Update settings, the Windows Update client either installs the updates automatically, or else it notifies you of the download without performing the installation. You do not need to be logged in to your computer for Windows Update to automatically install updates.

When you install Microsoft software

When you install or reinstall a program, you must reinstall updates that came out after the installation CD or installer was created. For some programs there may be multiple updates available and some updates may require a previously released update to be installed.

When the option to automatically install updates is configured, the Windows Update client tries to install updates as they become available. For example, if updates are available when you begin shutting down your computer, it gives you the option to install the updates before shutting down the computer. Otherwise, it installs them during the time you have specified for updates to be automatically installed. The default time for updates to be automatically installed is 3:00 AM daily.

If your computer is not turned on during the scheduled time for installing updates, the Windows Update client will try to wake up the PC (if the PC was asleep), or wait for the PC to be turned on again. As soon as the PC is running again, it will install the updates.

Rebooting your computer

When the option to automatically install updates is configured, the Windows Update client, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. To reduce the number of computer restarts required, the client attempts to install as many updates as possible together. If you are using the computer, you may be given the option to postpone the restart.

Most updates can be installed automatically without any user intervention. Some updates, however, such as service packs require the user to provide explicit consent. These are not automatically installed. When you install updates manually, be sure to restart your PC if prompted to do so. Otherwise, the PC may not be updated until a restart is performed.

Reporting

The Windows Update client reports back to Microsoft regarding which updates have installed successfully and which, if any, failed to install. This helps the Windows Update team verify the quality of the updates provided by Windows Update. No personally identifiable information (PII) is sent to Microsoft or stored by Microsoft with the report. For more information, read the Windows Update privacy statement online at http://update.microsoft.com/windowsupdate/v6/vistaprivacy.aspx?ln=en-us.

The Windows Update client keeps a log of all the different actions it performed on a particular computer at %windir%\windowsupdate.log. On Windows Vista, this log is available from the Windows Update control panel.

When the Windows Update Client is Updated

From time to time, Microsoft needs to update and enhance the Windows Update service, and that includes updating the Windows Update client software on your PC. If Windows Update is configured to check for updates, it installs a newer version of the Windows Update client automatically, so that it can continue to check for updates. If Windows Update is completely turned off, the client is not updated. If the client doesn’t update automatically then it may not be able to notify you about new updates. For this reason, Windows Update always updates the client automatically before checking for other updates. Given how important it is to maintain the quality of the update service, Windows Update always updates itself when it is turned on, regardless of whether you've chosen the option to have updates automatically installed or to be notified that they are available so that you can manually install them. If you have automatic updating turned off completely, the next time you manually check for updates, you will be prompted to update the Windows Update client before installing any updates.

Security Protections in Windows Update

Windows update implements many security checks and restrictions to ensure that the security of your computer is not compromised. The most critical checks validate the authenticity and quality of the software and updates that are installed on a machine. Some of the ways in which Windows Update maintains the integrity of the updates that get installed are as follows:

1. Windows Update uses the Secure Socket Layer (SSL) protocol to send and receive information. SSL is used to encrypt the information being transferred, prevents hackers from tampering with information being transferred, and verifies that the Windows Update agent is transferring data from an authorized Microsoft server.

2. Each update is individually signed using the Secure Hashing Algorithm (SHA-1). This technology allows Windows Update to confirm that the update has been downloaded correctly and hasn’t been changed by anyone. The update signature is also compared to information in the update metadata that was previously downloaded.

3. Windows Update also checks for the certificate associated with each update. This certificate provides a means for Windows Update to validate the source of each update. Currently Windows Update will only install updates that have certificates issued by Microsoft or other providers that are trusted by Microsoft.

Windows Update has many more internal security checks and controls. For example, Windows Update ensures that any action that can make your machine less secure (like turning off Windows Update) can only be performed by an authorized administrator.

To help keep your PC more secure and reliable, it's a good idea to install new updates as soon as they're available. The easiest way to install updates is to use the Windows Update service and make sure automatic updating is turned on. Now that you know how important—and easy—it is, be sure to check your Windows Update settings today.

Additional Resources

For additional information about configuring and using Windows Update or to find a discussion group, see the Windows Update Home Page. http://www.microsoft.com/windows/downloads/windowsupdate/default.mspx

For help and support, including solutions for top issues with using Windows Update and explanations of error messages, see the Microsoft Update Solution Center. http://support.microsoft.com/ph/6527#tab3

For information about managing Windows Update on an enterprise network, see the Update Management Tech Center.
http://technet.microsoft.com/en-us/updatemanagement/bb259683.aspx

To learn how Microsoft monitors and responds to security issues, see the Microsoft Security Response Center Web site. It offers tools such as an alert service, monthly webcast, blog, and Really Simple Syndication (RSS) feeds to help you stay current with security-related updates and information for Windows. http://www.microsoft.com/security/msrc/default.mspx

To learn about new security updates, find how-to articles and security tips, and get answers to security-related questions, see the Microsoft Security at Home Web site for the free, monthly Security Newsletter for Home Users from Microsoft. http://www.microsoft.com/protect/default.mspx

For a clearinghouse of information and links about protecting your computer, see http://www.microsoft.com/protect/computer/updates/default.mspx.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Active Directory, the Security Shield logo, Windows, Windows Live, Windows Vista, Windows Server, the Windows logo, and the Windows Update Icon are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Collections based on software updates deployment status in Configuration Manager

ConfigMgr sccm patching status based collections

LastEnforcementMessageID
LastEnforcementMessageName

1 Enforcement started

3 Waiting for another installation to complete

6 General failure

8 Installing update

9 Pending system restart

10 Successfully installed update

11 Failed to install update

12 Downloading update

13 Downloaded update

So in this example we would like to use the status of reboot pending, the WQL query for the collection should look like this:

select 
    SMS_R_SYSTEM.ResourceID,
    SMS_R_SYSTEM.ResourceType,
    SMS_R_SYSTEM.Name,
    SMS_R_SYSTEM.SMSUniqueIdentifier,
    SMS_R_SYSTEM.ResourceDomainORWorkgroup,
    SMS_R_SYSTEM.Client 
from 
    sms_r_system AS sms_r_system    
    inner join SMS_UpdateComplianceStatus as c on c.machineid=sms_r_system.resourceid    
where    
    c.LastEnforcementMessageID = 9

It's Microsoft Patch Tuesday: June 2010

Security Patches

MS10-032/KB979559 - Important (2000, XP, 2003, Vista, 7, 2008, 2008 R2): A trio of bugs in the Windows kernel can allow the use of malformed fonts to allow escalation of privileges attacks. It would be a bit hard to sneak a font onto the system without some sort of install privileges anyways, which is why this patch can wait until your next patch cycle. 1.0MB - 4.3MB

MS10-033/KB979902 - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): This patch addresses a pair of vulnerabilities in Windows’ media subsystem which allows specially crafted media files and streaming content to execute remote code execution exploits. One of the vulnerabilities is less serious that the other, but you should patch your systems immediately all the same. Depending on your system, you may need to install up to four separate patches to address of the issues. 105KB - 4.8MB

MS10-034/KB980195 - Critical (2000, XP, Vista, 7)/Moderate (2003, 2008, 2008 R2): This patch updates the ActiveX kill bits and fixes two bugs in ActiveX that could allow remote code execution attacks. If you allow ActiveX on your desktops (which you shouldn’t, other than for internal sites), install this immediately, otherwise, wait until your next patch cycle. 26KB - 1.0MB

MS10-035/KB982381* - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): Five security holes in Internet Explorer 5, 6, 7, and 8 which can allow remote code execution attacks are fixed with this cumulative update. Some of them are rating as “Moderate” but I don’t see any specific combination of IE version and OS that does not make it “critical.” I would install this patch immediately. 3.3MB - 48.4MB

MS10-036/KB983235 - Important (Office XP, Office 2003, Office 2007): COM validation in Office has a bug which can allow remote code execution attacks. Since you should not be allowing COM to be running in Office from outside sources, this is a less risky bug than it could be. Patch your systems on the next scheduled times. 2.9 - 15.5MB

MS10-037/KB980218 - Important (2000, XP, Vista, 7, 2003, 2008, 2008 R2): Another font handling issue is allowing escalation of privileges attacks across all versions of Windows. Like MS10-032, this one can wait until your next regular patch period. 496KB - 1.3MB

MS10-038/KB2027452* - Important (Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Excel Viewer, Office Compatibility Pack for Office 2007 File Formats): A whopping fourteen security bugs in the way Microsoft Office opens files are fixed with this patch. The worst can result in remote code execution attacks. Microsoft says this one is “Important” but I call it “Critical” due to the widespread use of Office, and I suggest that you patch immediately. 9.7MB - 332.8MB

MS10-039/KB980218 - Important (InfoPath 2003, InfoPath 2007, Office SharePoint Server 2007, Windows SharePoint Services 2.0): Three problems with SharePoint are fixed with this patch. The issues allow an attacker to perform a variety of attacks, including an escalation of privileges attack if a SharePoint user clicks on a malformed link in SharePoint. This is not a burning issue and the patch can wait until your usual patch time. 2.9MB - 109.3MB

desktop / server MS10-040/KB982666 - Important (Vista, 7, 2003, 2008, 2008 R2): Computers running IIS 6, 7, and 7.5 are vulnerable to a remote code execution attack that will run with full privileges when an attacker sends a malformed HTTP request. Microsoft calls this patch “Important” but I think that understates the issue for servers. I would patch servers immediately, and leave desktops for the regular path cycle. 43KB - 4.0MB

MS10-041/KB981343* - Important (2000, XP, Vista, 7, 2003, 2008, 2008 R2): A problem affecting all versions of the .NET Framework’s handling of signed XML content could allow the data to be altered without being detected. This is a fairly minor issue, so this patch can wait until you do your normal patching. 123KB - 2.2MB

Configure Proxy Settings Used When Downloading Software Update Files

By default, software update files are downloaded from the Internet using the credentials of the logged-on user and the proxy settings configured for the user in Internet Explorer. The UpdDwnldCfg.exe utility is available on the Configuration Manager 2007 DVD and on every site server. It can be used to modify the server and account credentials used to access the Internet through the following components:

When running the UpdDwnldCfg.exe utility to modify the server and account credentials, the following switches can be used:

/s: Specifies the name of the firewall, proxy server, or ISA server computer, and the port number that is used when downloading software update files from the Internet.
/u: Specifies the user account that is used to connect through the firewall, proxy server, or ISA server.
/clean: Removes the server and account settings previously configured by running upddwnldcfg.exe.

Use the following procedures to modify the server and account settings used when software update files are downloaded from the Internet and to remove the settings previously configured by using the UpdDwnldCfg.exe utility.

To modify the server and account settings used when downloading software update files

On the site server, run <ConfigMgrInstallationFolder>\bin\<platform>\<language>\UpdDwnldCfg /s:<servername>:<port> /u:<username>. For example, for x86 and English (US), run <ConfigMgrInstallationFolder>\bin\i386\00000409\UpdDwnldCfg /s:MyProxy:80 /u:MyAccount.

1. When you run the UpdDwnldCfg command you are prompted to enter the password and confirmation at the command line.

2. The information you enter is stored in HKCU\Software\Microsoft\SMS\VPCache

a. It is stored on the machine you run upddwnldcfg on, not the site server

b. The fact that it is under HKCU indicates it is a per user setting and needs to be run on each machine (terminal server) and for each user who users a console.

3. This is good and bad :

a. You can have different users pointing at different proxy servers if required.

b. You can have each user using their own credentials

c. But you need to run it for each user on each machine.

Confirming Patch download credentials from the patchdownloader.log file

Updates : Superseding and Superseded Updates : Complete Story

Superseding and Superseded Updates

Typically, an update that supersedes other updates does one or more of the following:

Enhances, improves, or adds to the fix provided by one or more previously released updates.
Improves the efficiency of its update file package, which is installed on client computers if the update is approved for installation. For example, the superseded update might contain files that are no longer relevant to the fix or to the operating systems now supported by the new update, so those files are not included in the superseding update's file package.
Updates newer versions of a product, or in other words, is no longer applicable to older versions or configurations of a product. Updates can also supersede other updates if modifications have been made to expand language support. For example, a later revision of a product update for Microsoft Office might remove support for an older operating system, but add additional support for new languages in the initial update release.

Conversely, an update that is superseded by another update does the following:

Fixes a similar vulnerability in the update that supersedes it. However, the update that supersedes it might enhance the fix or modify the applicability to client computers that the superseded update provides.
Updates earlier versions or configurations of products.

On the WSUS console, the WSUS update page clearly indicates those updates that have a superseded or superseding relationship with an earlier version. The Details tab also includes "Superseded by" and "Supersedes" status information for updates, in addition to KB links containing more information about each update.

WSUS does not automatically decline superseded updates, and it is recommended that you do not assume that superseded updates should be declined in favor of the new, superseding update. Before declining a superseded update, make sure that it is no longer needed by any of your client computers. These are three possible scenarios in which you might need to install a superseded update:

If a superseding update supports only newer versions of an operating system, and some of your client computers run earlier versions of the operating system.
If a superseding update has more restricted applicability than the update it supersedes, which would make it inappropriate for some client computers.
If an update no longer supersedes a previously released update because of new changes. It is possible that, through changes at each release, an update no longer supersedes an update it previously superseded in an earlier version.

Expired Updates

An expired update is an update that has been invalidated by Microsoft. An expired update can also be an update that has been superseded by the release of another update (new or revised) that fixes or enhances functionality or applicability offered by the expiring update. In this case, the superseding update should be approved in place of the expired update. An update that is expired can no longer be approved for detection or installation.

Some of the sample such updates

MS10-006 superseded by KB980232
MS10-009 superseded by KB978338
MS10-015 superseded by KB979683

Deploy Office 2007 SP2 with ConfigMgr 2007

As Microsoft recently released Service Pack 2 for Office 2007 suite, it is a good idea to add the update files to the package so it it can be deploy during the installation.

So, first of all we have to download the SP2 executable file from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=b444bf18-79ea-46c6-8a81-9db49b4ab6e5&displaylang=en (see additional information bellow).

Then, using a command prompt window, extract the content of the package to a folder you can browse to.

Extract (Click the image for a larger view)

Accept EULA and click Continue.

Select a folder to extract the files to.

Browse For File

When the extraction is complete, you should have the following files:

Folder Structure

At this point, you can delete the office2007sp2-kb953195-fullfile-en-us.exe file. Copy the other 9 files to “Updates” folder from your Office 2007 source folder.

Updates folder

Now you only have to update the distribution point/s and the next time Office 2007 will install, it will apply the SP2 update during Office 2007 installation.

Applying Updates

The same steps are valid for Visio and Project 2007.

Microsoft Office Visio 2007 Service Pack 2 (SP2) can be downloaded from here: http://www.microsoft.com/downloads/details.aspx?familyid=78E36742-8BDA-471E-88E6-9B561BB06258&displaylang=en.
Microsoft Office Project 2007 Service Pack 2 (SP2) can be downloaded from here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c126fa4a-b43f-4f7e-a9d4-522e92a6cfee.

Custom Error Codes for Configuration Manager 2007

Client Custom Error Codes

Error Code	Description
CCM_ERRORCODE(0x 80040200) NAMENOTFOUND2147746304	Name not found
CCM_ERRORCODE(0x 80040201) BADNAMEFORMAT2147746305	Incorrect name format
CCM_ERRORCODE(0x 80040202) SERVICESHUTDOWN2147746306	Service is shutting down
CCM_ERRORCODE(0x 80040203) DATAEMPTY2147746307	No data supplied
CCM_ERRORCODE(0x 80040204) DATATOOLARGE2147746308	Data too large
CCM_ERRORCODE(0x 80040205) INVALIDPATH2147746309	Invalid path
CCM_ERRORCODE(0x 80040206) INVALIDFILE2147746310	Invalid file
CCM_ERRORCODE(0x 80040207) PARSE2147746311	Parsing error
CCM_ERRORCODE(0x 80040208) INVALIDCOMMAND2147746312	Invalid command
CCM_ERRORCODE(0x 80040209) DATATYPEMISMATCH2147746313	Data type mismatch
CCM_ERRORCODE(0x 80040210) INVALIDTRANSLATOR2147746320	Invalid Translator
CCM_ERRORCODE(0x 80040211) INVALIDADDRESS2147746321	Invalid Address
CCM_ERRORCODE(0x 80040212) CONTEXTCLOSED2147746322	Context is closed
CCM_ERRORCODE(0x 80040213) TIMEOUT2147746323	Timeout occurred
CCM_ERRORCODE(0x 80040214) INVALIDNAMELEN2147746324	Invalid name length
CCM_ERRORCODE(0x 80040215) ITEMNOTFOUND2147746325	Item not found
CCM_ERRORCODE(0x 80040216) INVALIDSERVICEPARAM2147746326	Invalid service parameter. The WMI file could be corrupt or there was a manual change to a site control file.
CCM_ERRORCODE(0x 80040217) DATACORRUPT2147746327	Data is corrupt
CCM_ERRORCODE(0x 80040218) INVALIDSERVICESETTING2147746328	Invalid service settings
CCM_ERRORCODE(0x 80040219) GLOBALSERVICENOTSET2147746329	Global service not set
CCM_ERRORCODE(0x 80040220) INVALIDTYPE2147746336	Invalid type
CCM_ERRORCODE(0x 80040221) INVALIDUSER2147746337	Invalid user. An operation for a user that is not logged on is in process or the user account is invalid.
CCM_ERRORCODE(0x 80040222) CANCELLED2147746338	Operation cancelled
CCM_ERRORCODE(0x 80040223) VERSIONMISMATCH2147746339	Version mismatch
CCM_ERRORCODE(0x 80040224) INVALIDMESSAGE2147746340	Invalid message
CCM_ERRORCODE(0x 80040225) INVALIDADDRESSTYPE2147746341	Invalid address type
CCM_ERRORCODE(0x 80040226) INVALIDPROTOCOL2147746342	Invalid protocol
CCM_ERRORCODE(0x 80040227) DISABLED2147746343	Functionality disabled
CCM_ERRORCODE(0x 80040228) INVALIDENDPOINT2147746344	Invalid endpoint
CCM_ERRORCODE(0x 80040229) GETCREDENTIALS2147746345	Failed to get credentials
CCM_ERRORCODE(0x 80040230) LOGONUSER2147746352	Error logging on as given credentials
CCM_ERRORCODE(0x 80040231) TRANSIENT2147746353	Transient error that could indicate a network problem.
CCM_ERRORCODE(0x 80040232) MESSAGENOTSIGNED2147746354	Message not signed
CCM_E_MESSAGENOTTRUSTED(0X 0x80040233)2147746355	Message not trusted
CCM_ERRORCODE(0x 80040234) INTERNALENDPOINT2147746356	Internal endpoint cannot receive a remote message
CCM_ERRORCODE(0x 80040235) PARSE_SYNTAX2147746357	Syntax error occurred while parsing
CCM_ERRORCODE(0x 80040236) LOWMEMORY2147746358	Low memory.
CCM_ERRORCODE(0x 80040237) REPLYMODE_INCOMPATIBLE2147746359	Reply mode incompatible
CCM_ERRORCODE(0x 80040238) PUBLIC_KEY_NOT_FOUND2147746360	Public key not found
CCM_ERRORCODE(0x 80040239) CLIENT_ID_NOT_FOUND2147746361	Client ID not found
CCM_ERRORCODE(0x 80040240) INSUFFICIENTDISKSPACE2147746368	Insufficient disk space
CCM_ERRORCODE(0x 80040241) DATABASE_CONNECT_FAILED2147746369	Failed to connect to database
CCM_ERRORCODE(0x 80040242) STORED_PROCEDURE_FAILED2147746370	Stored procedure failed
CCM_ERRORCODE(0x 80040243) PUBLIC_KEY_MISMATCH2147746371	Public key mismatch
CCM_E_BAD_HTTP_STATUS_CODE (0x 8004027E) 2147746430	Client communication from the management point failed.
CCM_E_EMPTY_CERT_STORE (0x 80040280) 2147746432	A valid certificate was not found in the certificate store.
CCM_E_NO_CERT_MATCHING_CRITERIA (0x 80040281) 2147746433	No valid certificate could be found using the specified certificate selection.
CCM_E_TOO_MANY_CERTS (0x 080040282) 2147746434	More than one valid certificate was located
CCM_E_MISSING_PRIVATEKEY (0x 080040283) 2147746435	The selected certificate does not have a corresponding private key, which is required for successful communication.
CCM_E_MISSING_SUBJECT_NAME (0x 080040284) 2147746436	The selected certificate does not have a Subject Name defined.
CCM_E_UNKNOWN_SEARCH_CRITERIA (0x 080040285) 2147746436	The certificate selection criteria syntax is invalid.
CCM_E_INVALID_SMS_AUTHORITY (0x 080040286) 2147746437	The certificate does not successfully chain to a trusted root certification authority.
CCM_E_MISSING_SITE_SIGNING_CERT (0x 080040287) 2147746438	Cannot locate the required Configuration Manager site server signing certificate for this site.
HandleRemoteSyncSend failed (0x80040309).2147746569	The 'trust failed'. This happens when the client doesn't trust data from the management point.
CForwarder_Sync::Send failed (0x80040309).2147746569	The 'trust failed'. This happens when the client doesn't trust data from the management point.
CForwarder_Base::Send failed (0x80040309).2147746569	The 'trust failed' This happens when the client doesn't trust data from the management point.
CCM_E_LOCATION_MPREFRESHCCM_ERRORCODE(0x80040300)2147746560	Client trying to refresh management point and it is empty.
CCM_E_LOCATION_NOADCCM_ERRORCODE(0x80040301)2147746561	Client is configured to only read Active Directory Domain Services and couldn't find the requested location (site assignment, management point) data.
CCM_E_LOCATION_NOTASSIGNEDCCM_ERRORCODE(0x80040302)2147746562	Client is trying to do something that requires being assigned to a site and it is not assigned. Only called from NAP when trying to refresh the management point.
CCM_E_LOCATION_INTERNALERRORCCM_ERRORCODE(0x80040303)2147746563	Internal error
CCM_E_LOCATION_BADSERVERCERTCCM_ERRORCODE(0x80040304)2147746564	Management point certification is corrupt from client's perspective, which could be due to network corruption or an attacker.
CCM_E_LOCATION_BADCLIENTCERTCCM_ERRORCODE(0x80040305)2147746565	Client certification is corrupt from site system's perspective, which could be due to network corruption or an attacker.
CCM_E_LOCATION_MPUNREACHABLECCM_ERRORCODE(0x80040306)2147746566	Client failed to connect to management point to make a location services request (MPLIST or MPKEYINFORMATION).
CCM_E_LOCATION_PROXYMPREFRESHCCM_ERRORCODE(0x80040307)2147746567	Client is trying to refresh proxy management point and it's empty. May only be called from NAP when trying to refresh the proxy management point.
CCM_E_LOCATION_LOCALMPREFRESHCCM_ERRORCODE(0x80040308)2147746568	Client is trying to refresh local management point and it's empty. Only called from NAP when trying to refresh proxy management point.
CCM_E_LOCATION_MESSAGEFAILEDCCM_ERRORCODE(0x80040309)2147746569	In most cases this indicates that the in band server authorization failed on a client, usually because the trusted root key does not match the management point certificate.

Desired Configuration Management Custom Error Codes

Error Code	Description
0x80040752 E_DCM_DOTNETMISSING	Microsoft .NET Framework 2.0 or later not installed
0x80040756 E_DCM_SDM_REPORTING_FAILED 2147747670	Client failed to report state or status.
0x80040763 E_DCM_CI_INTERNAL_FAILURE 2147747683	WMI corruption or heap corruption
0x80040764 E_DCM_SDM_INTERNAL_FAILURE	WMI corruption, memory corruption, disk corruption
0x80040765 E_DCM_SDM_CLRHOST_LAUNCH_FAILURE	Problem with client installation or.NET Framework 2.0 installation

Inventory Custom Error Codes

Error Code	Description
0x80040900	A valid WMI instance inventoried could not be added to the report. The __Path property may be undefined.

Mobile Device Management Custom Error Codes

Error Code	Description
-2147220846FFFFFFFF80040292	Unable to compute message signature for in-band authentication.
-2147220843FFFFFFFF80040295	Unable to find a valid client authentication certificate for registration.
11520	Mobile device client deployment action failed. Failed to establish ActiveSync or Mobile Device Center connection to the mobile device.
11521	Mobile device client deployment action failed. Invalid client settings file.
11522	Mobile device client deployment action failed. Error determining running directory for DmClientXfer.exe
11523	Mobile device client deployment action failed. Required ActiveSync libraries missing.
11524	Mobile device client deployment action failed. Could not determine processor type of attached mobile device.
11525	Mobile device client deployment action failed. Could not determine base operating system version of attached mobile device.
11526	Mobile device client deployment action failed. Error determining client version for the attached mobile device.
11527	Mobile device client deployment action failed. Error creating client settings .ini file.
11528	Mobile device client deployment action failed. Failed to copy files to the attached mobile device.
11529	Mobile device client deployment action failed. Failed executing the mobile device client installer program on attached mobile device.
11530	Mobile device client deployment action may have failed. Failed reading status information from the mobile device.
11540	Mobile device client deployment action failed. Error determining running directory for the mobile device client installer program.
11541	Mobile device client deployment action failed. Error executing the pre-install command line.
11542	Mobile device client deployment action failed. Error executing the post-install command line.
11550	Mobile device client installation or upgrade failed. Error during removal of the previous client.
11551	Mobile device client installation or upgrade failed. Invalid client settings file.
11552	Mobile device client installation or upgrade failed. Error installing client CAB file.
11553	Mobile device client installation or upgrade failed. Error starting client service.
11554	Mobile device client installation or upgrade failed. Error updating client settings.
11555	Device Client Deployment failed with unknown error.
11560	Mobile device client verification or repair failed. Error during removal of previous client.
11561	Mobile device client verification or repair failed. Invalid client settings file.
11562	Mobile device client verification or repair failed. Error installing client CAB file.
11563	Mobile device client verification or repair failed. Error starting client service.
11564	Mobile device client verification or repair failed. Error updating client settings.
11565	Mobile device client verification or repair failed. Error restoring required files.
11566	Mobile device client privileged certificate installation failed.
11567	Encountered unknown error installing the device client.
11568	Mobile device client setup failed to launch during install.
11570	Mobile device client removal failed. Error using unload.exe to uninstall the existing client.
11571	Mobile device client install/upgrade failed. Error enforcing new client. Mobile device rolled back to old client (if existed before).
11572	Mobile device client rollback failed during unsuccessful upgrade. Error enforcing old client.
11573	Mobile device client failed to perform post cab install actions. Device client installation failed.

Operating System Deployment Custom Error Codes

Error Code	Description
0x80040001	Could not get the client GUID
0x80040101	Network access account is not set
0x80040102	No content location returned for the given package
0x80040103	Could not access package content in the DP
0x80040104	Could not find reference program policy
0x80040105	Could not find CCM_ClientAgentConfig raw policy
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,1)	An invalid image capture path has been specified.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,2)	An invalid image file name extension has been specified.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,3)	An invalid image file name extension has been specified.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,4)	Image capture path is too long
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,5)	An invalid image file name extension has been specified.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,1)	Timeout waiting for PNP to finish initialization.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,2)	Task sequence failed in Windows PE
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,1)	An invalid network adapter index has been specified
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,1)	Sysprep is not installed
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,2)	Sysprep is invalid
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,3)	Invalid System Partition
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,4)	Machine is joined to a domain
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,5)	Machine is domain controller
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,1)	A default management point has not been assigned for this site.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,2)	Certificates for the default management point are not available.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,3)	Package {0} is not available on the specified distribution points.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,4)	Invalid password for media certificate
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,5)	The media certificate does not have an associated private key
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,6)	The certification authority's certificate has not been set for this site.

Remote Tools Custom Error Codes

Error Code	Description
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,1)	Another remote control session is already in progress. Remote Control does not support multiple concurrent remote control sessions.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,2)	Level of access allowed is set to "No Access" in the Remote Tools client agent General tab on the site server or in the Remote Control control panel applet.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,3)	Remote Control Agent was not properly installed on the client.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,4)	No interactive session found on the client.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,5)	Remote computer screen is locked.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,6)	Failed to create the RDP session.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,8)	Remote Tools is disabled.
MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,9)	Failed to launch the Remote Control Agent process.

Software Distribution Custom Error Codes

Error Code	Description
E_FAIL_EXECUTION_PENDING 0x80008001	The program cannot be run now from the client UI because : A restart is in progress. or Software Distribution is paused because of a task sequence running or Another program is currently running NOTE: This error code is only returned to the UI and is not present in status messages.
E_FAIL_DUPLICATE_REQUEST 0x80008002	The program cannot be run again from the client UI because it is already pending, an optional (initiated from the UI) run request already exists for it. NOTE: This error code is only returned to the UI and is not present in status messages.
E_SWDIST_POLICY_NOT_FOUND 0x80002004	The software distribution policy was not found.
E_FAIL_PROGRAM_DISABLED 0x80008004	The program cannot run because it is currently disabled.
E_FAIL_INVALID_POLICY 0x80008005	This error code can be returned on the client if policy cannot be found or the policy is not valid to run or cancel the requested program. NOTE: This error code is currently not sent in status messages.
E_FAIL_INVALID_PROGRAM 0x80008006	The requested program is not currently pending. This error code can be returned on the client if the user attempts to continue or cancel the program that is not currently pending. It can also be returned to the task sequence manager (TSM) when TSM requests download locations for packages that are not referenced by the currently running task sequence. NOTE: This error code is not raised in status messages by Software distribution, but could be raised by task sequence.
E_FAIL_SET_CACHEDCONTENTINUSE 0x80008008	Unable to set the CachedContentInUse flag. Failed to indicate the client cache is currently in use.
E_FAIL_WMI_ERROR 0x80008009	Failed to read data from WMI. The program could not continue because a system restart is in progress or there is already a run request for this program that requires a reboot.
E_FAIL_REQUEST_NOT_FOUND 0x80008011	Used for Task Sequence. Failed to reconnect to Task Sequence job because a request cannot be found with the given job ID. NOTE: Not sent in status message by Software Distribution, but may be used by task sequence.
E_FAIL_ACTIVE_REQUEST_NOT_FOUND 0x80008012	There is no program currently running. This error code is returned to task sequence when there is no run request that is currently running, but task sequence tries to get the currently running request.
E_FAIL_DEPENDENCY_NOT_RUN 0x80008013	This program cannot run because it depends on another program that has not run successfully before. This error code is returned to task sequence manager when a task sequence Install Software Action step cannot be run because the step has a child program which has not been run before.
E_FAIL_USER_REQUIRED 0x80008014	This error code is returned to task sequence manager when an "Install Software" step cannot be run because the software distribution program in this step is targeted to a user, requires user input or is set to run in user context
E_FAIL_SWD_NOT_PAUSED 0x80008015	Failed to notify caller that software distribution is paused because the paused state or paused cookie do not match.
E_FAIL_INVALID_HASH 0x80008017	The content hash string or hash versions are empty or incorrect in the software distribution policy or the hash verification failed.
E_FAIL_CANNOT_RUN_ON_INTERNET 0x80008018	The program cannot run at this time because the client is on the internet.
E_FAIL_EXECUTION_NONFATAL 0x80008100	A non fatal error has been encountered while attempting to run the program. The program execution will be retried if the retry count has not been exceeded.
E_FAIL_BAD_ENVIRONMENT_NONFATAL 0x80008103	A non fatal error occurred while preparing to run the program, for example when creating the program execution environment, making a network connection, impersonating the user, determining the file association information, or when attempting to launch the program. This program execution will be retried if the retry count has not been exceeded.
E_FAIL_PROGRAM_NOT_MONITORED 0x80008105	An error was encountered while getting the process information for the launched program and the program execution will not be monitored.
E_FAIL_BAD_ENVIRONMENT_FATAL 0x8000910A	A fatal error occurred while preparing to run the program, for example when creating the program execution environment, making a network connection, impersonating the user, determining the file association information, or when attempting to launch the program. This program execution will not be retried.
E_FAIL_EXECUTION_FATAL 0x80009101	A fatal error has been encountered while attempting to run the program. The program execution will not be retried.
E_FAIL_INVALID_PROGRAM_OBJECT 0x80009102	An error occurred while creating the execution context. This is error code indicates that an error was encountered while creating the internal execution context object. This is most likely not due to configuration errors, but could be because of low memory conditions, COM failures or other external errors.
E_FAIL_INVALID_CMDLINE 0x80009104	The command line for this program is invalid.
E_FAIL_NO_CONTENT 0x80009106	Failed to verify the executable file is valid or to construct the associated command line.
E_FAIL_NO_SOURCE 0x80008107	Failed to access all the provided program locations. This program may retry if the maximum retry count has not been reached.
E_INVALID_CONTENT_REQUEST_HANDLE 0x80008200	This is an internal error. No content request found with the given handle.
E_NO_SPACE_IN_CACHE 0x80008201	The content download cannot be performed because there is not enough available space in cache or the disk is full.
E_CACHE_TOO_SMALL 0x80008202	The content download cannot be performed because the total size of the client cache is smaller than the size of the requested content.
E_CACHE_IN_USE 0x80008203	The client cache is currently in use by a running program or by a download in progress.
E_NO_DP_FOUND 0x80008204	NOTE: this error code is sent at least in status message 10051. No distribution points were found for the requested content.
E_FAIL_LOCATION_REQUEST 0x80008210	Failed to get content locations.
E_FAIL_JOB_PENDING 0x80008250	The computer restart cannot be initiated because a software installation job is in progress.
E_FAIL_INACCESSIBLE_SOURCE 0x80009108	Failed to access all the provided program locations. This program will not retry.
E_FAIL_INVALID_MSI 0x80009109	Failed to verify that the given file is a valid installation package.

Software Updates Custom Error Codes

Error Code	Description
E_UPDDEPLOY_APPLY_NOT_REQUIREDCCM_ERRORCODE(0x80040708)2147747592	Software Updates Install not required.
E_MONITOR_RESUME_FAILURECCM_ERRORCODE(0x80040709)2147747593	Failed to resume the monitoring of the process.
E_INVALID_CMDLINECCM_ERRORCODE(0x8004070A)2147747594	Invalid command line
E_CREATEPROCESS_FAILURECCM_ERRORCODE(0x8004070B)2147747595	Failed to create process
E_EXECUTION_TIMEOUTCCM_ERRORCODE(0x8004070C)2147747596	Software update execution timeout
E_UPDATE_FAILED_RESULTCCM_ERRORCODE(0x8004070D)2147747597	Software update failed when attempted
E_EMPTY_COMMANDLINECCM_ERRORCODE(0x8004070E)2147747598	Empty command line specified
E_INVALID_INSTALLER_PATHCCM_ERRORCODE(0x8004070F)2147747599	Invalid updates installer path
E_COMPARE_CREATION_TIMESCCM_ERRORCODE(0x80040710)2147747600	Failed to compare process creation time.
E_DEPLOYMENT_NOT_ACTIVECCM_ERRORCODE(0x80040711)2147747601	Software updates deployment not active yet for example, start time is in future
E_UPDDEPLOY_REBOOT_REQUIREDCCM_ERRORCODE(0x80040712)2147747602	A system restart is required to complete the installation.
E_NO_DETECT_RESULTCCM_ERRORCODE(0x80040713)2147747603	Software updates detection results not received yet.
E_UPDATES_USERINSTALL_RESTART_PENDING CCM_ERRORCODE(0x80040714)2147747604	User based install not allowed as system restart is pending.
E_USERINSTALL_NO_UPDATESCCM_ERRORCODE(0x80040715)2147747605	No applicable updates specified in user install request.
E_NOINTERFACE FFFFFFFF80004002-2147467262	No such interface supported
[DCOM belly up] CAgent::CreateJob failed FFFFFFFF8007000E-2147024882	Not enough storage is available to complete this operation.
ERROR_TIMEOUT FFFFFFFF800705B4-2147023436	This operation returned because the timeout period expired.
[Scan fails on x64vista] OnSearchComplete0x80240032[WU]-2145124302	Failed to end search job [SMS] WU client failed Searching for update with error.
WU_E_PT_WINHTTP_NAME_NOT_RESOLVED Same as -ERROR_WINHTTP_NAME_NOT_RESOLVED FFFFFFFF8024402C-2145107924	The proxy server or target server name cannot be resolved.
FFFFFFFF80040692-2147219822	Group Policy conflict
FFFFFFFF80040693-2147219821	Low WUA version
WU_E_PT_HTTP_STATUS_BAD_GATEWAYFF80244021-2145107935	Same as HTTP status 502. The server, while acting as a gateway or proxy, received an invalid response from the upstream server it accessed in attempting to fulfill the request.
-939523070ERROR_OBJECT_ALREADY_EXISTS FFFFFFFFC8000402	Object already exists
[SA fail if SWD not working] createInstance failed for UpdateServiceManager FFFFFFFF80040154-2147221164	Class not registered
FFFFFFFF800705B4-2147023436	This operation returned because the timeout period expired.
ERROR_INTERNET_TIMEOUT FFFFFFFF80072EE2-2147012894	Internet timeout
ERROR_WINHTTP_CANNOT_CONNECT or ERROR_INTERNET_CANNOT_CONNECT FFFFFFFF80072EFD-2147012867	Internet cannot connect
E_INVALIDSTATE_AFTER_APPLY FFFFFFFF80040668-2147219864	Software update still detected as actionable after apply.
E_EXECUTION_TIMEOUT FFFFFFFF8004070C-2147219700	Software update execution timeout
WU_E_PT_WINHTTP_NAME_NOT_RESOLVED - same as ERROR_WINHTTP_NAME_NOT_RESOLVEDFFFFFFFF8024402C-2145107924	The proxy server or target server name cannot be resolved.
ERROR_PATH_NOT_FOUND FFFFFFFF80070003-2147024893	The system cannot find the path specified.
ERROR_FILE_EXISTS FFFFFFFF80070050-2147024816	The file exists
ERROR_ACCESS_DENIED or E_ACCESS_DENIEDFFFFFFFF80070005-2147024891	Access denied
WU_E_PT_WINHTTP_NAME_NOT_RESOLVED Same as ERROR_WINHTTP_NAME_NOT_RESOLVED FFFFFFFF8024402C-2145107924	The proxy server or target server name cannot be resolved.
ERROR_INAVILD_ENVIROMENT FFFFFFFF8004070D-2147219699	Software update failed when attempted.
Install Errors
-Last Install Error FF8024402C WU_E_PT_WINHTTP_NAME_NOT_RESOLVED - same as ERROR_WINHTTP_NAME_NOT_RESOLVED2145107924	The proxy server or target server name cannot be resolved.
Last Install Error FF8007066F ERROR_PATCH_NOT_APPLIED -2147023249	Can sometimes happen when Windows Installer configuration for an installed application is out of sequence for example, Windows Installer thinks it has more patches applied than is really the case (this sometimes used to happen with roaming profiles).
Last Install ErrorFF8007064 ERROR_INSTALL_FAILURE-2147023293	Generic failure code from Windows Installer installs.
Last Install ErrorFF8007F0F4 STATUS_PREREQUISITE_FAILED-2146963212	Generated by update.exe. People seem to be getting this when they try to install a Service Pack while on battery power.
Last Install ErrorFF8007F0F5 WU_E_DM_INCORRECTFILEHASH-2146963211	The WU Agent's metadata store and the policy received by ccmexec could be out of sync.
Last Install Error FF8007F0F6 ERROR INVALID PARAMETER-2146963212	Failed to start the installation of updates because update is not found
Scan Failures
Last Scan ErrorFF80244021WU_E_PT_HTTP_STATUS_BAD_GATEWAY-2145107935	Possible network connectivity issues
Last Scan ErrorFF8024001DWU_E_INVALID_UPDATE-2145124323	An update contains invalid metadata.
Last Scan ErrorFF80004002E_NOINTERFACE-2147467262	No such interface supported
Last Scan ErrorFFC8000402RECORD TOO BIG-939523070	This seems to be a recoverable error, and possibly due to many Scan Service Packages left around when the 2003 ITMU was used. This is NOT the case.
FF8024400A WU_E_PT_SOAPCLIENT_PARSE1097366519818	Needs update
Last Scan ErrorWU_E_SERVICE_STOPFF8024001E-2145124322	Operation did not complete because the service or system was being shut down.
Last Scan ErrorFF8024400DWU_E_PT_SOAP_CLIENT-2145107955	SOAP client found the message was malformed.
Last Scan ErrorFFC800042DRefreshServerUpdateInfo-939523027	WSUS unable to update software distribution folder. Scans fail.
Last Scan ErrorFF80244022WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL-2145107934	HTTP status 503. The service is temporarily overloaded.
Last Scan ErrorFF80240032WU_E_INVALID_CRITERIA-2145124302	The search criteria string was invalid.
Last Scan ErrorFF80240013WU_E_DUPLICATE_ITEM-2145124333	Failed to add file to the FileLocationList.
Last Scan ErrorFF8007041DERROR SERVICE REQUEST TIMEOUT-2147023843	The service did not respond to the start or control request in a timely fashion.
E_FAIL_POLICY_NOT_FOUNDCCM_ERRORCODE(0x80040600)2147747328	Scan Tool Policy not found
E_LOCATION_TIMEOUTCCM_ERRORCODE(0x80040602)2147747330	Out of cache space
E_SCANTOOL_POLICY_REMOVEDCCM_ERRORCODE(0x80040603)2147747331	The ScanTool Policy has been removed so cannot complete Scan Operation.
E_SCANTOOL_NOTFOUND_INJOBQUEUECCM_ERRORCODE(0x80040604)2147747332	The ScanTool was not found in the job queue.
E_FAIL_SCAN_TOOL_REMOVEDCCM_ERRORCODE(0x80040605)2147747333	Scan Tool has been Removed
E_FAIL_OFFLINE_SCAN_HISTORY_NOT_FOUNDCCM_ERRORCODE(0x80040606)2147747334	Scan Tool Policy not found
E_CONTENT_NOT_FOUNDCCM_ERRORCODE(0x80040607)2147747335	Out of cache space
E_INVALID_INSTANCE_TYPECCM_ERRORCODE(0x80040608)2147747336	Out of cache space
E_NO_SPACE_IN_CACHE0x800082012147516929	Out of cache space
E_CACHE_TOO_SMALL0x800082022147516930	Cache size is smaller than requested content's size.
Deployments Agent Specific Errors
E_UPDDEPLOY_APPLY_NOT_ALLOWED CCM_ERRORCODE(0x80040700)2147747584	Install not allowed
E_UPDDEPLOY_DOWNLOAD_NOT_ALLOWED CCM_ERRORCODE(0x80040701)2147747585	Download not allowed
E_ASSIGNMENT_POLICY_NOT_FOUNDCCM_ERRORCODE(0x80040702)2147747586	Assignment policy not available
E_ANOTHER_JOB_IN_PROGRESSCCM_ERRORCODE(0x80040703)2147747587	Only one job is allowed at a time
E_HARDREBOOT_PENDINGCCM_ERRORCODE(0x80040704)2147747588	Only one job is allowed at a time.
2147747589E_PAUSE_STATE_REQUIREDCCM_ERRORCODE(0x80040705)	Pause state required
2147747590E_NO_ACTIVE_JOBCCM_ERRORCODE(0x80040706)	No active job exists (while reconnect called).
2147747591E_JOB_ID_MISMATCHCCM_ERRORCODE(0x80040707)

-------------------
Thanks,
http://sccm07.blogspot.com/

Pages