ConfigMgr 2012 Update Scan Fails and Shows Incorrect Compliance

I ran into this a few months ago, however I am still seeing a few issues even after sending a script out to resolve it.  I figured I’d write a quick blog to show everyone what I did to resolve the issue.  It’s also important to note that the SCCM 2012 R2 SP1 update is also supposed to help with this.


After deploying a new software update group, I immediately notice that about 1500 workstations showed as “compliant”.  How can this be since I haven’t even deployed any patches?  At first I thought maybe Windows Update was turned on somehow by mistake?  Nope.

After troubleshooting I found this in the WindowsUpdate.log file, which is located in the Windows directory.

WARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E

It seemed that the clients were failing to scan against the WSUS patch repository.


The Fix:

It’s important to note that the bug only seemed to affect x86 Windows 7 clients.  It appears this bug was a memory leak in the Windows Update service.

I wrote the following script and sent it out to all x86 Windows 7 workstations.

@echo off

net stop wuauserv
Sc config wuauserv type= own
cd c:\windows
ren SoftwareDistribution SoftwareDistribution.old
net start wuauserv

start /wait wusa.exe Windows6.1-KB2728379-x86.msu /quiet /norestart


KB2728379 can be downloaded from here:

You also may want to go through your WSUS console and decline any superseded update, and unselect any outdated operating systems like XP, Office 2003, Server 2003, etc.  This makes the payload of WSUS to clients smaller as it doesn’t need to worry about these old outdated OS’s.  It’s also worth noting that I saw this behavior in both SCCM 2007 and 2012.  This makes sense, since it’s technically a Windows Update service/WSUS bug, which SCCM piggybacks off

Posted in SCCM 2007, SCCM 2012, WSUS | Tagged , , , | Leave a comment

MP has rejected a policy request from GUID xx-xx-xx-xxxx because it was not approved

Quick little tip on SCCM 2007 – if you see the following messages in your SMS_MP_CONTROL_MANAGER component of the SCCM server, here’s the fix.

MP has rejected a policy request from GUID:XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX because it was not approved. The operating system reported error 2147942405: Access is denied.


SOLUTION:  Open SQL Management Studio and run the following query on your SMS database:

select SMS_Unique_Identifier0, Name0 from V_R_System where SMS_Unique_Identifier0 = ‘GUID:XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX’

This will show you your problem client.  You can then follow the standard processes for approving a client – most easily right clicking after searching in the collections, and approving.  Some times this may work and a re-install of the SCCM client may be necessary.  Hope this helps.

Posted in SCCM 2007 | Tagged , , | Leave a comment