Patch deployment report showing “Enforcement state unknown”

Question

Hello,

There are 200+ clients that are online, active and recently reporting status in SCCM, but they show as “Enforcement state unknown” in the patch deployment report.

I would appreciate it if you could assist with how to fix the issue for those clients to make them compliant.

As per the scan report, most of the systems were found with the below errors:

Error Status ID | Last Error Code | Error Description
11423 | -2016409966 | Group policy conflict
11423 | -2147467259 | Unspecified error

Below are sample logs :

UpdatesHandler.log: Unable to read existing WUA Group Policy object. Error = 0x80004005.

WUAHandler.log:

Unable to find or read WUA Managed server policy. WUAHandler 6/14/2020 1:37:01 PM 244 (0x00F4)
Unable to read existing WUA Group Policy object. Error = 0x80004005. WUAHandler 6/14/2020 1:37:01 PM 12492 (0x30CC)
Enabling WUA Managed server policy to use server: http://SCCMSPROD.PCSTS.com:8530 WUAHandler 6/14/2020 1:37:01 PM 12492 (0x30CC)
Failed to Add Update Source for WUAgent of type (2) and id ({06A23598-36B6-45CB-86DE-2D18BCE1F480}). Error = 0x80004005. WUAHandler 6/14/2020 1:37:01 PM 12492 (0x30CC)

 

Below is the GPO configuration that has been in place for a long time through AD GPMC, so that clients do not connect directly to the internet and are managed through SCCM:

Windows Firewall (Startup Mode: Automatic)

Task Scheduler (Startup Mode: Automatic)

Windows Update (Startup Mode: Automatic)

Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization Download Mode – Enable (Http Only)

Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off access to all Windows Update features – Enabled

Computer Configuration\Policies\Administrative Templates\Windows Components\Store\Turn off the offer to update to the latest version of Windows – Enable

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update – Enable

Windows Components Policies\Administrative Templates Allow signed updates from an intranet Microsoft update service location – Enabled

Computer Configuration\Policies\Administrative Templates\Configure Automatic Updates – Disabled

Computer Configuration\Policies\Administrative Templates\Do not allow update deferral policies to cause scans against Windows Update – Enabled

Computer Configuration\Policies\Administrative Templates\No auto-restart with logged on users for scheduled automatic updates installations – Enabled

solved 1
krisyada1989 4 months 4 Answers 201 views Beginner 1

Answers ( 4 )

  1. Removed all the policies, however still getting the same Error = 0x80004005,

    Scan report:

    Error Status ID | Last Error Code | Error Description
    11423 | -2147467259 | Unspecified error

  2. Any update, or did you already resolve the issue?

  3. Thank you for the quick responses. I followed the below KB article (https://social.technet.microsoft.com/Forums/systemcenter/en-US/1c1a640f-179c-4b72-bfe3-ab5d928454bf/software-update-error-0x80004005 ) and the issue was resolved for 2 workstations after I deleted the Registry.pol file and did a GPUpdate /force after that.

    I would appreciate it if you have any script to remediate this issue on systems in bulk.

  4. Hello - first of all, thank you very much for the detailed information in the question.

    The perfect way to ask a question!! Really appreciate this.

    My recommendation is to get more details about the issue from the reports. Karthick already shared a query to get these details: https://forum.howtomanagedevices.com/endpointmanager/configuration-manager/patching-compliance-issue/

    The second option is to take one client and go through the troubleshooting process.
    The flow of things you need to check from the client side:
    1. Locationservices.log – Check whether it’s able to find WSUS Path= and Distribution Point with patches
    2. WUAHandler.log to check whether scan is completed or not
    3. Updatedeployment.log – Check for deadline of the assignment and Software Updates client configuration policy, DetectJob completion received for assignment, Added update (Site_, PercentComplete, etc…
    4. Execmgr.log – Execution is complete for program Software Updates Program
    5. RebootCoordinator.log – Reboot related things
    6. Software Update Troubleshooting – https://sudheesh.azurewebsites.net/?p=34

    Best answer
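
The fix reported in answer 3 (remove Registry.pol, then GPUpdate /force) as a per-client PowerShell script, added here as an example and not posted by anyone in the thread. It assumes the default ConfigMgr client log path, the default local Group Policy path for the machine Registry.pol, the "Successfully completed scan" marker that WUAHandler.log writes after a good scan, and schedule ID 113 for the Software Updates Scan Cycle.

```powershell
# Added example: reset the machine Registry.pol on a client whose WUAHandler.log
# shows the 0x80004005 failure quoted in the question. Paths are assumed defaults.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$WuaLog  = "$env:windir\CCM\Logs\WUAHandler.log",
    [string]$PolFile = "$env:windir\System32\GroupPolicy\Machine\Registry.pol"
)

$signature = 'Unable to read existing WUA Group Policy object. Error = 0x80004005'
$okMarker  = 'Successfully completed scan'

if (-not (Test-Path -LiteralPath $WuaLog)) {
    Write-Output "SKIP: $WuaLog not found"; exit 0
}

# Act only if the most recent scan outcome in the log is the failure, so a client
# that has already been fixed (a later successful scan) is left alone on re-runs.
$last = Select-String -LiteralPath $WuaLog -Pattern $signature, $okMarker -SimpleMatch |
    Select-Object -Last 1
if (-not $last -or -not $last.Line.Contains($signature)) {
    Write-Output 'SKIP: latest scan result is not the 0x80004005 policy error'; exit 0
}

# Move the file aside with a timestamp instead of deleting it, so it can be inspected later.
if (Test-Path -LiteralPath $PolFile) {
    $backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $PolFile, (Get-Date)
    if ($PSCmdlet.ShouldProcess($PolFile, "Move to $backup")) {
        Move-Item -LiteralPath $PolFile -Destination $backup -Force -ErrorAction Stop
    }
}

# Refresh computer policy (the thread's "GPUpdate /force" step).
if ($PSCmdlet.ShouldProcess('Computer policy', 'gpupdate /target:computer /force')) {
    & gpupdate.exe /target:computer /force | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Output "FAIL: gpupdate exit code $LASTEXITCODE"; exit 1 }
}

# Trigger a Software Updates Scan Cycle so WUAHandler.log records the new result.
if ($PSCmdlet.ShouldProcess('ConfigMgr client', 'Trigger Software Updates Scan Cycle')) {
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
        -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000113}' } -ErrorAction Stop |
        Out-Null
}
Write-Output 'DONE: Registry.pol moved aside, policy refreshed, scan triggered'
```

Run it elevated on one affected client with -WhatIf first, then check WUAHandler.log for a completed scan before deploying it more widely. Moving the file also drops any settings that were configured only in local Group Policy on that machine.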
