SCCM DCM Inventory for Installed Windows Hotfixes

Posted on October 20, 2010 Updated on October 20, 2010

Here’s the situation, you need to deploy hotfix KB2434932 for Windows 7, so you download and package the hotfix.  (Side note, this is because hotfixes for Windows which must be manually downloaded in order to deploy them do not show up in the WSUS catalog for deployment using SCCM Software Updates)  However, after deployment to a few test computers, you discover that Windows updates are no longer registered within the Add Remove Programs inventory.  So what do you do?  Turn to DCM for help doing the inventory for you!

This is precisely the challenge that I faced today.  Here’s how I used DCM to inventory Windows 7 installed hotfixes.

First, create the CI

1. In your SCCM console, navigate to Computer Management > Desired Configuration Management
2. Create a new “General Configuration Item”.  Name it “KB2434932” and tag it as “WMI”
3. On the “Settings” wizard page, create a new “WQL Query” setting.  Configure the following
   • Name = “WMI QFE”
   • Namespace = “root\cimv2”
   • Class = “Win32_QuickFixEngineering”
   • Property = “HotFixID”
   • WQL query Where clause = “HotFixID = ‘KB2434932′”
     
4. Click on the Validation tab and change the severity to “Information – no Windows event message” then click OK to close the dialog box.
   Note: this change is optional
   
5. On wizard page “Applicability”, select the specified platforms for Win7
6. Complete the wizard

Second, create the baseline

1. Create a new Configuration Baseline named “WMI QFE KB2434932”
2. On the wizard page “Set Configuration Baseline Rules”, select option “These applications and general configuration items…”, then find and select the CI created above. 
   
3. Complete the wizard

Third, assign the baseline to a collection on a schedule

1. Select the create baseline within the console and run action “Assign to a Collection”.  In the wizard, on page “Choose Collection” select the systems you wish to target. 
   Note: that I’ve selected a collection only containing test systems for now.  If your DCM inventory works, then it will be safer to deploy in production.
   
2. On the Set Schedule wizard page, define a short schedule (such as 15 minutes) for quicker testing.
3. Complete the wizard

Finally, create a collection which contains computers that do not comply to the baseline

1. Select the baseline in the console
2. Select action Create New Collection > Non-Compliant Systems
3. Complete the wizard as you see fit

Voila, now you have a collection to target for your package/advertisement.  The only catch is that the collection won’t have any computers within the collection, so you’ll need to force a machine policy update on those computers so that they know they have the baseline to run the DCM inventory.  You can use web report “Compliance details for a configuration baseline” to monitor when those computer have completed the inventory.  Once they appear as “Non-Compliant” in column “Action Compliance State”, then you can update the collection membership to populate the collection with members.