ConfigMgr 2012 Update Scan Fails and Shows Incorrect Compliance

I ran into this a few months ago, however I am still seeing a few issues even after sending a script out to resolve it.  I figured I’d write a quick blog to show everyone what I did to resolve the issue.  It’s also important to note that the SCCM 2012 R2 SP1 update is also supposed to help with this.


After deploying a new software update group, I immediately notice that about 1500 workstations showed as “compliant”.  How can this be since I haven’t even deployed any patches?  At first I thought maybe Windows Update was turned on somehow by mistake?  Nope.

After troubleshooting I found this in the WindowsUpdate.log file, which is located in the Windows directory.

WARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E

It seemed that the clients were failing to scan against the WSUS patch repository.


The Fix:

It’s important to note that the bug only seemed to affect x86 Windows 7 clients.  It appears this bug was a memory leak in the Windows Update service.

I wrote the following script and sent it out to all x86 Windows 7 workstations.

@echo off

net stop wuauserv
Sc config wuauserv type= own
cd c:\windows
ren SoftwareDistribution SoftwareDistribution.old
net start wuauserv

start /wait wusa.exe Windows6.1-KB2728379-x86.msu /quiet /norestart


KB2728379 can be downloaded from here:

You also may want to go through your WSUS console and decline any superseded update, and unselect any outdated operating systems like XP, Office 2003, Server 2003, etc.  This makes the payload of WSUS to clients smaller as it doesn’t need to worry about these old outdated OS’s.  It’s also worth noting that I saw this behavior in both SCCM 2007 and 2012.  This makes sense, since it’s technically a Windows Update service/WSUS bug, which SCCM piggybacks off

Posted in SCCM 2007, SCCM 2012, WSUS | Tagged , , , | Leave a comment