SCCM
76 Topics

SCCM software update install error 0x8007139F
While trying to install the monthly September patch Tuesday updates, e.g. 2025-09 Cumulative Update for Windows 11 Version 24H2 for x64-based Systems (KB5065426) (26100.6584) and 2025-09 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Windows 11, version 24H2 for x64 (KB5064401) would often fail on many machines with error code 0x8007139F. Every single time this would happen, the update will always install on a retry. That's if the issue happened at all, but it happened on around 60% of the endpoints this month in the test deployment group. It appeared to happen to both updates. Based on the error description, it states that the group or resource is not in the correct state to perform the requested operation. I couldn't find any documentation of this issue for other people using SCCM. I already tried resetting Windows Update components, running sfc /scannow, and the DISM restore image command which all completed successfully, but nothing has fixed the issue so far. Any help would be greatly appreciated.
52 Views, 0 likes, 1 Comment

Enable Windows 10 Extended Security Update
Hi All, We are managing our Windows 10 workstation fleet using SCCM, with activation handled via KMS. Since we have not yet transitioned to Windows 11, we’ve purchased ESU licenses. Microsoft provides detailed guidance on activating ESU through various methods — including Intune, phone, Internet, and the Volume Activation Management Tool (VAMT) for clients without Internet access — which is very helpful. https://learn.microsoft.com/en-us/windows/whats-new/enable-extended-security-updates Does anyone know the best method to enable ESU for enterprise workstations using SCCM/KMS, or through any alternative approach? Thank you in advance.
54 Views, 0 likes, 0 Comments

Access collections information locally
Is there a way through WMI/Microsoft.SMS.Client COM object to access information from the computer if it is in a collection (cached information or otherwise)? I'm not sure if a computer gathers that information somewhere. I can't access that information on the site server or through the AdminService as the account running the commands would be the SYSTEM account. My goal is to query if a computer is in a collection and install a piece of software through a task sequence.
44 Views, 0 likes, 0 Comments

MECM OSD TS Application Installations fail randomly to download content.
We are experiencing a persistent and well-documented issue with MECM OSD Task Sequences where Applications randomly fail to install after the MECM client has been installed. This behavior seems to affect many environments and has been an ongoing problem for years, yet a definitive solution remains elusive.

In our case, we have over 30 Applications included in the OSD Task Sequence. Despite implementing all commonly recommended mitigations—such as inserting an additional restart after the MECM client installation and including a two-minute delay before the Application install task group begins—we still encounter random failures. The issue is not limited to any specific Application; it can be any one of the 30+ Apps, and the failure to download appears to occur entirely at random. Occasionally, most of the Applications install successfully, and only one will fail, which subsequently causes the entire Task Sequence to fail with the same error.

Importantly, all of these Applications install without any issues post-OSD, further confirming that the problem lies not with the Applications themselves but with the process during the Task Sequence. The randomness of which App fails also suggests an underlying process, feature, or timing issue—not an App configuration problem.

We have thoroughly validated all related infrastructure settings:
- Boundaries and boundary groups have been triple-checked.
- No boundary is assigned to multiple groups.
- Site system assignments are correct.
- We are using PKI certificates and HTTPS, and the client authentication certificate is present on the device at the time of failure.
- The issue has been replicated across both Windows 10 and Windows 11, ruling out any specific cumulative updates or OS version anomalies.
- No additional language packs are being installed—only language fallback is applied via the "Apply Windows Settings" step.

One suspicious observation is the lack of any reference to our local Distribution Point in the LocationServices or CAS logs during failure events. Initially, this pointed to a possible boundary misconfiguration, but after multiple checks, no issues have been identified.

Unfortunately, we are unable to use the common workaround of converting Applications to Packages, due to internal policies and deployment requirements. Therefore, we need to resolve this while continuing to use Applications in the Task Sequence. Given the number of years this issue has persisted across customer environments, it's surprising there isn’t more formal guidance or documentation available to help isolate the root cause. If anyone has encountered a similar scenario or has any advanced troubleshooting tips, we would greatly appreciate your insight.
121 Views, 0 likes, 0 Comments

Software Center Restart Loop
Hi, I have two devices that are stuck in a reboot loop. The computer restarts, then the restart countdown starts again, over and over. The computers are running the latest Windows 11 build and they have the latest CM Client (5.00.9132.1011). I have done the normal troubleshooting process, like CM Client repair, uninstalling the CM client and deleting the CCM and CCMSetup folders, then installing the client, and running update evaluation from the CM Console and from the client. The only solution that I am left with is to reinstall the whole system, but that is something I would do if there is no way out. Any input is appreciated.
123 Views, 0 likes, 0 Comments

Installations via Intune failing but work from SCCM
We have pretty much completed our migration from using SCCM to Intune (IT). However, we are encountering a few apps which hang at certain points during the installation. These have worked 100% flawlessly through SCCM and indeed, if we revive the SCCM deployment, we can install via that route. I strongly suspect that IT is handling output (STDOUT?) differently than SCCM does, wherein the installer is trying to display a screen but cannot and so just hangs indefinitely. Aside from the above return-to-using-SCCM work-around, we have occasionally resorted to repackaging the offending installer but this obviously introduces a delay in getting apps deployed to our user-base. Is there some flag we can set when adding apps to IT that we're somehow not seeing, or some other configuration we set - maybe at the client-level - to bypass this behaviour? If you feel like experimenting, grab the Innorix Agent installer which is one that's causing us grief presently.
155 Views, 0 likes, 0 Comments

Windows Defender AntiVirus with Intune
Hello,

Windows Defender antivirus is enabled with Intune (Co-managed deployment) Antivirus policy. Our organization normally had Symantec and did not use Defender. However the below is showing in Virus and Threat Protection.

Basic settings are used in the policy:
- Allow Archive Scanning: Allowed. Scans the archive files.
- Allow Behavior Monitoring: Allowed. Turns on real-time behavior monitoring.
- Allow Cloud Protection: Allowed. Turns on Cloud Protection.
- Allow Email Scanning: Not allowed. Turns off email scanning.
- Allow Full Scan On Mapped Network Drives: Not allowed. Disables scanning on mapped network drives.
- Allow Full Scan Removable Drive Scanning: Allowed. Scans removable drives.
- Allow scanning of all downloaded files and attachments: Allowed.
- Allow Realtime Monitoring: Allowed. Turns on and runs the real-time monitoring service.
- Allow Scanning Network Files: Not allowed. Turns off scanning of network files.
- Allow Script Scanning: Allowed.
- Allow User UI Access: Allowed. Lets users access UI.
- Avg CPU Load Factor: 50
- Check For Signatures Before Running Scan: Enabled
- Cloud Block Level: High
- Cloud Extended Timeout: 50
- Days To Retain Cleaned Malware: 0
- Disable Catchup Full Scan: Disabled
- Disable Catchup Quick Scan: Disabled
- Enable Low CPU Priority: Disabled
- Enable Network Protection: Enabled (block mode)
- PUA Protection: PUA Protection on. Detected items are blocked. They will show in history along with other threats.
- Real Time Scan Direction: Monitor all files (bi-directional).
- Scan Parameter: Quick scan
- Schedule Quick Scan Time: 720
- Schedule Scan Day: Monday
- Signature Update Interval: 4
- Submit Samples Consent: Send safe samples automatically.
1.1K Views, 0 likes, 5 Comments

HAADJ with Intune Co-Management
Hello,
- I have HAADJ tenant with Intune Co-Management.
- AD connect syncs devices only and not users to Entra (as users are third party provisioned and federated).
- Devices appear in Azure then are added to group for Intune policy enrollment. Enrollment is done via GPO.
- They get enrolled in Intune using Co-management with SCCM, Auto MDM enrollment with device credentials and appear in Intune as co-managed.
- Bitlocker is applied via Intune on the devices to encrypt fixed data drives and operating system drives. GPO is applied to avoid backing up recovery key in AD as explained here: https://www.burgerhout.org/the-bitlocker-haadj-nightmare/

Question(s):
1- For testing, we encrypt and remove semantics drive encryption. Restart is done during removal, then recovery key screen appears and key is requested to access device. Second restart after uninstall, the key is not requested.
2- After testing, recovery key is stored in Intune but not stored in the below location: https://myaccount.microsoft.com/ -> Devices -> Manage Devices -> Select devices -> View Bitlocker Keys (It appears only in test environment where enrollment is done via user credentials as opposed to device credentials)
3- Devices in Azure under the following URL https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId/Devices show an owner when device is first moved with AD sync, however later on owner is removed and the behavior is very random. However in Intune, devices show a Primary user logged in as long as someone is logged in to office, which is fine and acceptable. So what could be the reason for issue in Azure/Entra?
828 Views, 0 likes, 2 Comments

SCCM / MECM Metering - Could not get a SQL connection to database
I have an SCCM infrastructure with a Site Server and a separate database server. I am running the .\runmetersumm.exe CM_XX0 tool (I filled XX0 with the name of my database) on the database server but I am getting the error: Could not get a SQL connection to database: CM_XX0. I am not able to see any errors in the swmproc.log, sinvproc.log, and smsdbmon.log logs. Can you please help me?
1K Views, 0 likes, 1 Comment