Once I started getting a handle on deploying updates with Configuration Manager my mind quickly moved to proving that it actually worked. How could I prove to myself and management that the solution I was putting together actually improved our patch compliance. I had started similar work in our previous management tool and had gotten far enough to know that we weren’t in great shape.
Configuration Manager has a bunch of built-in reporting so I started sifting through it trying to understand what was there. I was left … disappointed. The built-in compliance reports are all at the individual Software Update Group level. While useful that’s not what I was looking for. So my first inclination was to look to see what custom reports or dashboards existed in the Configuration Manager community. There’s quite a few of them and range from those that are freely available:
- Garry Simmons: Software Update Compliance Dashboard
- Simon Broullard: Software Update Groups Compliance Dashboard Revisited
- SCConfigMgr: Patch Compliance Reporting in Configuration Manager with PowerBI
to those that are not free but are from from ‘names you can trust’:
- System Center Dudes: Software Update Reports
- CT Global: Insight Analytics
- Enhansoft: Enhansoft Reporting
Despite all of that being available I still wanted to build my own. In part because I suffer from the ‘Not Built Here’ syndrome as much as the next person but because I always … always … want to know how things work. While it’s hard to justify the labor cost it takes to build a custom dashboard there’s no other way to truly understand how reporting works. There will be a follow-up post to this one talking about the lessons I learned along the way but this post is intended to share the fruits of that labor.
What Does This Dashboard Do?
The focus of this dashboard is to report compliance across all devices in the organization. For my purposes I’m defining compliance as having all deployed and applicable updates installed within 14 days of their deadline. In order to make that feasible these reports work on the update deployment (or assignment) level. A device is considered unknown if any deployment status is unknown. If there are no unknown but one or more of the assignments is not compliant then the device is not compliant. If and only if all deployments are compliant is the device considered compliant.
This is intended to be the top-level report that acts as the dashboard. This is the report that tells you and your management how good or bad things are. There’s multiple datasets and charts that allow you to breakdown the top level Workstation vs Server split into sub groups. On the workstation side we do it by departments (Campus vs Retail Locations) and for servers I split out servers that have a ‘never’ maintenance window and are patched manually. All of the charts and legends are drill-downs to the Overall Compliance – Devices report. Each dataset and chart is limited using a parameter listing the name of a collection. Therefore you will want to modify the default values for the CollName parameters as well as the Days parameter if you define compliance differently.
Overall Compliance – Devices
This report is the first drill-down report from the Overall Compliance report. For devices in the selected state and collection it will list the status of each deployment as well as evaluation and error details. This report isn’t meant to be ran directly but if you do for some reason you will want to change the default values for the CollID and Days parameters.
Compliance for A Specific Computer
This is the bottom level detail report focused on a single client. There’s a chart showing the device’s overall compliance as well as some relevant details about that client. When entered from the Overall Compliance – Devices report the update list will only include those with the drilled-into status. This report is also useful as a stand-alone report so you may want to modify the UpdateState and Days parameters.
Compliance Overview – Latest Cumulative Update
I released and blogged about this report last week: Compliance Report for Latest Cumulative Updates. I’m including it here for completeness and because I have updated it to be more interactive.
Software Updates – Computers with Failures
This report will list all devices in the selected collection that have reported errors. By default it is sorted so that the clients with the highest error counts appear first. You can expand each device to list the updates that failed and details about that failure. This is a good report to give your lower level admins or technicians. Document common errors that you can’t otherwise automate (ex. disk space) and have them go forth and remediate.
Software Updates – Updates with Failures
This report is the same data as the previous report but grouped by update rather than device. This allows you quickly see which updates are failing most often in your environment.
Installing the Reports
You can search online for far better instructions than I’m prepared to give here for how to import the reports. If you’re too lazy to search but not too lazy to try and work off poor instructions, here’s what you need to do.
- Navigate to the SSRS reports page on your Reporting Services Point server (ex. http://RSPSERVER.domain.com/reports)
- Create a folder and upload the report files one at a time.
- Edit the report in Report Builder.
- Change the Data Source to your SSRS server’s data source.
- Edit the header images to reference your top-level report folder by replacing ### with your site code.
- Edit the parameters discussed above as desired.
- Save the report.
- Thinks about the life choices you’ve made that have lead to this point.