Software Update Compliance Dashboard – Part 1
I created this blog due to the responses I’ve received from my previous blog (http://blogs.technet.com/b/gary_simmons_mcs/archive/2013/12/09/creating-a-custom-report-for-system-center-2012-r2-configuration-manager-part-1.aspx) on creating custom SSRS dashboard for Configuration Manager. I used a Software Update dashboard just as an example but it seems there is a lot of interest in Software Update dashboards.
Reporting on Software Updates can be tricky because depending on the organization different people or groups may want to see numbers in different ways. Executives or Senior Management may just want to know if they are “good” and look at percentages while mid-level management may want to know what part of their enterprise is good. Security groups tend to want to know what updates are missing while looking at trending data, System Administrators want to know what systems are missing updates and CM Administrator’s what to know how the updates are being managed.
The default Software Update reports are based off of Software Update Groups (SUG) and collections that need to be managed. It’s good for the System\CM Administrators but usually requires someone creating custom charts either in Excel or PowerPoint to brief on the Software Update posture to security or management. Additionally, they don’t give a quick timeline view on when updates were released or allow for trend analysis.
This blog describes a Software Update Compliance dashboard with Security in mind. It is formatted in a way that should appease management while giving detailed information to administrators managing the systems or deployments. It doesn’t rely on SUG’s, collections, or unmanaged systems and allows CM Administrators to deploy updates however they choose.
Software Update Compliance Dashboard – Part 2
The Software Update Compliance dashboard is broken into three main sections; Assets, Software Update Information, and Compliance separated between servers and workstations.
By default, the dashboard displays information for each operating system within a 12 month period starting from the month the report was run on. You can change the default behavior by modifying the @StartDate or just change the Start Date after the report has run.
Each report allows the type (Category) of update to be filtered on. By default, each report has Security Updates defined. You can change the default behavior by modifying the @Category parameter.
The software update information is gathered from each managed system. A managed system is defined as a non-obsolete client that has performed its software update scan within the last 14 days. The number of days is defined with the @DaysScanned parameter.
A couple things to note are the exclusions of Windows XP, Vista, and Windows 8. The results seen in this dashboard include all applicable updates for the devices. There isn't a method to include or exclude specific updates to the report.
Section 1 – Assets
The top of the dashboard sets the stage for each chart as it displays the number of systems that are being reported on for each operating system.
It is very important to understand that unmanaged systems will not be reflected in the dashboard. All compliance and applicable data seen in the dashboard is derived from the v_Update_ComplianceStatus view from systems that have performed a successful scan within the defined parameter.
This means that all the system objects that can be seen in the Configuration Manager console aren’t being reported on since it is very common to have outdated information in the CM Database.
The Operating System value is pulled from Operating_System_Name_and0 column in the v_r_system view. This information is populated from AD discovery so the dashboard isn’t dependent on hardware inventory to complete. The issue with the Operating_System_Name_and0 view is that it isn’t a friendly name for non-technical people so it is translated in each SQL query. This means that “Microsoft Windows NT Workstation 6.3 (Tablet Edition)” and “Microsoft Windows NT Workstation 6.3” are converted to “Windows 8.1”. Also “Microsoft Windows NT Server 6.3” and “Microsoft Windows NT Advanced Server 6.3” are converted to “Windows Server 2012 R2” since the applicable patches are the same and it just makes it easier to understand.
In the Assets section it is possible to click Servers or Workstations to drill down into the systems that make up the numbers.
Section 2 – Software Update Information
The Software Update Information section shows the number of applicable software updates that were released or revised during the 12 month reporting period. It also shows the compliance for updates released that month.
Each chart has a link to a sub report that will display more detailed software update information.
Section 3 – Compliance
This section is separated between Servers and Workstations with four different charts; Overall Compliance, Systems missing a certain amount of updates, Operating System Compliance, and Operating Systems missing at least 1 update.
The Servers link will run a sub report showing more detailed information regarding server operating systems.
Sub Reports - Part 3
The Software Update Compliance dashboard contains links to sub reports that allow you to drill down into specific information.
The orange arrows indicate the path in which the sub reports are linked.
The Software Update Compliance – Assets sub report displays the systems where the Last Software Update scan falls within the managed parameter @DaysScanned.
Software Update Information
The Software Update Compliance – Software Update Information sub report shows information pertaining to software updates that are applicable to managed systems within a period of time, operating system, and type of Software Update.
The Software Update Compliance – System Information sub report shows information on each managed system. The report can be filtered within a period of time, by operating system, and by the type of software update.
I've attached a zip file containing 4 .rdl files to this blog. To install the dashboard create a folder in the SSRS home page called Software Updates Compliance and place each .rdl file in it. Modify each report with your data source. For each sub report right click the text box with the hyperlink then select Text Box Properties.
Click Action then change the link to the report to have your site code in it. for example, Change /ConfigMgr_SIM/Software Updates - A Compliance/Compliance 5 - Specific computer to /ConfigMgr_SI1/Software Updates - A Compliance/Compliance 5 - Specific computer
If you place the .rdl files anywhere else you'll need to change the link locations for the sub reports.
This dashboard is still being developed so if you plan on using it make sure to validate the accuracy of it in your environment. I have not tested updates imported with System Center Updates Publisher however, it should work with those updates.
When time permits, I plan on updating the dashboard to allow each bar in the charts clickable to a sub report. I also plan on capturing the data to a separate database to allow for trend analysis or comparisons between different time periods.
28 Jan 2015 - v1.1
Updates to the Dashboard
Most Column charts are clickable and link to a sub report
Added parameter for the group of missing updates
Added a Filter to limit the results based on a computer name
Modified the dataset to display systems that didn’t have a top user
Modified the Chassis column to display the chassis number
Changed Chassis type 3 from Server to Desktop
Modified the dataset to correctly display if a system is a VM
Added a Filter to limit the results based on a computer name
5 Aug 2015 - v1.2
- Added support for Windows 10
- Removed support for Server 2003
- Included Version number in footer