Let’s say that you’ve upgraded System Center Configuration Manger ConfigMgr 2012 to Configuration Manger 1511, and everything is running smoothly. Now, for the first time, you’re ready to do an in-console upgrade to Configuration Manager 1602 or any future release. Within the Configuration Manager console, you navigate to Administration > Cloud Services > Updates and Servicing node and you see nothing!
Everything up until this point has worked fine, so you review all of the verification steps. You have the service connection point role installed and configured in online mode, or you have clicked the button to Check for Updates. You waited at least 24 hours since the last upgrade. There are no apparent errors in the related log files (such as dmpdownloader.log and dmpuploader.log) that could be affecting the upgrade.
You might want to check your permissions… or more precisely, your security scope. You may think you have full administrative rights, but I have seen in numerous Configuration Manager environments that the default permissions were being used, and may not be able to upgrade unless using the account that originally installed the site.
The exact problem is that by default when a new user is created, they are given the Default security scope. However, the account which initially installed the site is given the All security scope. 99% of the time there is no difference between the two, and many administrators never notice or have a problem with it. There is one other feature that is noticeably affected by this scope: the Automatic Client Upgrade feature in the Site Settings properties is greyed out unless the user has the All security scope.
Microsoft does note a requirement that is related to this in the TechNet page Install in-console updates for System Center Configuration Manager. It says, “to view updates in the console, a user must be assigned a security role that includes the Read permission in the permission group Site, and the security scope All.”
To fix the issue you have to log on with an account that has the correct permissions and already has the security scope All. The problem is that the only account that may have this scope is the user who originally installed the site. But assuming this isn’t an obstacle, use that account and go to the Administration > Security > Administrative Users node in the console, and bring up the properties of the administrator that should be performing these upgrades. Click on the Security Scopes tab. Click the Add button, and select All Security Scopes. Apply these changes, log back in with the reconfigured account, and prepare to upgrade!