Monday, 29 August 2016

Compliance

When software update synchronization completes at each site, a sitewide machine policy is created that allows client computers to retrieve the location of the WSUS server and to start a scan for software update compliance. When a client receives that machine policy, a compliance assessment scan is scheduled to start at a random time within the next two hours. When the scan runs, a component of the client Software Updates Agent clears the previous scan history, sends a request to find the WSUS server that should be used for the scan, and then updates the local Group Policy with the WSUS server location.

The scan request is then passed to the Windows Update Agent (WUA). The WUA connects to the WSUS server whose location it just received, downloads a list of the software updates that have been synced with the WSUS server, and scans the client computer for the updates in the list. A component of the Software Updates Agent then sees that the scan for compliance is finished and sends a state message for each software update that had a change in compliance state since the last scan. Those state messages are sent to the client’s management point in bulk every five minutes. The management point then forwards the state messages to the site server, where they are inserted into the site server database.

Supersedence occurs when a new software update includes the same fixes as a previous update and may also fix issues with that update and/or add new fixes. In SMS 2003, when new software updates supersede ones that had the same fixes, they may both be marked as needed when only the new one is necessary. In Configuration Manager 2012 Software Updates, you can now configure the supersedence behavior; you can either choose to expire a superseded update or choose to expire the update after a configurable number of months at the software update point. When new software updates are released that supersede others, Microsoft Update is refreshed with that information. When client computers are scanned for compliance, the client reports a compliance state for the new updates, but not for the older ones. The only time this is not the case is when a service pack contains a required update. The WUA will then return a compliance state on both, which allows admins to deploy individual updates or service packs as needed.

The following table shows details on the four states of compliance for Software Updates.


| State | Description |
|---|---|
| Required | The software update is applicable to the client, which means any of the following conditions could be true: the update has not been deployed to the client; the update has been installed, but the state of the update hasn’t been updated in the database yet; the update has been installed, but the client requires a reboot before it finishes; the update has been deployed but is not yet installed. |
| Not Required | The update isn’t applicable on the client. |
| Installed | The update is applicable on the client, and it has already been installed. |
| Unknown | This state usually means that the software update has been synced to the site server, but the client hasn’t been scanned for compliance for that update. |
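
To check on a single client what the scan described above would find, the following PowerShell reads the WSUS location from local policy and asks the WUA for applicable updates. It is an added example, not part of the original post; the helper name `Get-WuaUpdate` is hypothetical, and mapping WUA search results onto the Required and Installed states is an approximation assumed by the example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on a managed client. It only reads state and installs nothing.

# 1. WSUS location that the Software Updates Agent wrote into local policy.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wsus = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer
if (-not $wsus) {
    Write-Warning 'No WUServer policy value found; the scan policy may not have arrived yet.'
} else {
    "Scan source from local policy: $wsus"
}

# 2. Ask the Windows Update Agent (WUA) to scan against that managed server.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1    # 1 = ssManagedServer (the WSUS server from policy)

# Hypothetical helper: run one WUA search and tag every hit with a state label.
function Get-WuaUpdate {
    param($Searcher, [string]$Criteria, [string]$State)
    try { $found = $Searcher.Search($Criteria).Updates }
    catch {
        # Typical cause: the WSUS server is unreachable or the policy is stale.
        Write-Warning "WUA search '$Criteria' failed: $($_.Exception.Message)"
        return
    }
    foreach ($u in $found) {
        [pscustomobject]@{
            State      = $State
            KB         = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title      = $u.Title
            Supersedes = $u.SupersededUpdateIDs.Count   # older updates this one replaces
        }
    }
}

# Assumed mapping to the states in the table above:
# applicable and not installed -> Required; applicable and installed -> Installed.
$report = @(
    Get-WuaUpdate $searcher "IsInstalled=0 and Type='Software'" 'Required'
    Get-WuaUpdate $searcher "IsInstalled=1 and Type='Software'" 'Installed'
)

# Summary per state, then the outstanding updates with their supersedence count.
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object State -eq 'Required' | Sort-Object Title |
    Format-Table KB, Supersedes, Title -AutoSize
```

A client that shows Required updates locally but Unknown in the console has scanned without its state messages reaching the site database yet, which is worth checking before treating the console report as the patch status of that machine.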
 
