SCCM 2012 R2 CU3 + Endpoint Protection. I am seeing an increasing number of clients reporting out of date Forefront definitions. Spent a bit of time checking and this seems to be a known problem - in Windowsupdate.log seeing

ISusInternal::GetUpdateMetadata2 failed, hr=8007000E

There are a few threads on this which seem to indicate this to be nothing to do with SCCM but a WSUS error that MS are writing a fix for. However from what I read this is not going to be available until June/July 2015

I have written a batch file as so as recommended in this thread

http://blogs.technet.com/b/configurationmgr/archive/2015/04/15/support-tip-configmgr-2012-update-scan-fails-and-causes-incorrect-compliance-status.aspx

sc config wuauserv type= own
bcdedit /set increaseuserVA 3072

Followed by a reboot

I am finding that with a lot of coaxing i.e. 2-3 or more reboots, software scan cycle, software deployment evaluation cycle that most eventually update but some will not and I've ended up rebuilding PCs

Therefore trying to work out the best course of action to keep the estate compliant

Is there any merit in trying to deal with the WSUS database? - you could in theory completely delete it, reinstall and setup SCCM all over again. I'd be loath to do all this unless it has a real benefit. Going through the WSUS Server Cleanup Wizard didn't remove anything as I assuming SCCM 2012 R2 does most of it for you these days

So looking for advice

Hello,

Did you see this discussion?

Some Clients Not Updating. Reporting "Compliant." hr=8007000E Error in WindowsUpdate.log

There might be a fix released. You can open a support case to get a workaround on this.

 Going through the WSUS Server Cleanup Wizard didn't remove anything as I assuming SCCM 2012 R2 does most of it for you these days

No, it does not. You must regularly run the Cleanup Wizard to keep the metadata up to date.

And, further to Rolf's excellent recommendation, you must do more than just run the SCW - you must manage your declines in WSUS (or else suffer the problems we did, as described in the thread Rolf has cited).

WSUS is *not* a database-zero-maintenance product. (so we learned, the hard way)

Thanks for the replies. My confusion is the WSUS maintenance wizard removed zero updates

We then followed http://blog.coretech.dk/kea/house-of-cardsthe-configmgr-software-update-point-and-wsus/

and ran PowerShell script per the article

Get-WsusServer | Invoke-WsusServerCleanup CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates

it removed 1323 obsolete updates and compressed 2801

After doing this we ran re-indexing script from MS Gallery https://gallery.technet.microsoft.com/scriptcenter/6f8cde49-5c52-4abd-9820-f1d270ddea61

and this re-indexed the database. All looking good now. Less issues with clients