Groups of computers had not been patched as expected during patch cycles. In the compliance reports for a sample computer, the expected updates did not appear as either not installed or applicable. In reviewing the default patch targets, we found that the default primary target, Windows Computers with Software Update Plug-in Installed Target, was not in place for the Windows Patch Remediation Settings policy on the Parent NS (and all children). The target listed had that name, but with single quotes around it. We were unable to correct this by selecting the default target.
We corrected the target issue by exporting the policy, editing the ItemReference lines and adding the correct target GUID. We then verified that it was owned by the Application Identity. We then identified that on a Child NS, multiple targets were also listed for the policy, indicating a replication issue. We manually corrected this on the children and were then able to delete the extra targets. This allowed some clients to show the expected updates in compliance reports and to show updates where update distribution policies existed. We continued troubleshooting the computers that were still not patching and found that the scan was working successfully, but the data was not updating, as seen in the compliance reports or the patch data classes. After we forced a full assessment scan by configuring that option in the Windows System Assessment Scan policy, compliance data was successfully updated and all systems patched as expected. We were then able to set the Windows System Assessment Scan policy to send only changes.