Windows/Defender Updates not deployed to SCCM server (all clients work fine!)
After battling for a few weeks with this it finally occurred to me to reach out for help, and I found this forum. So here goes… I have a relatively small environment with Windows Updates managed by SCCM. Currently, all clients are receiving updates as expected, the only client that isn’t is the Windows Server that’s hosting SCCM itself. Should I be configuring the winhttp proxy settings on that one server to point to our proxy (I have tried it and it didn’t seem to make a difference)? Without the winhttp proxy set, when I check the Windows update log, it seems to be trying the automatic proxy settings and quite rightly failing. It runs out of options and tries the user proxy as a last resort. I have checked that I can reach the URL configured in the Windows Update settings in Group Policy from the SCCM server and it works fine. Is there something I need to do differently with the SCCM server versus all the other clients? The SCCM client is installed on the SCCM server and is reporting healthy status with expected policies applied like all other managed clients in the estate. The SCCM server is in the same boundary as other servers that are receiving updates. SCCM 2503 running on Windows Server 2019. WSUS is running on the same server. The Software Update Point is configured with proxy settings. Thanks in advance!!Re-Join SCCM Client to Intune for Co-Managed join Type
Hello, I have been using SCCM for a long time, I have it is setup for Co-management, and all my workloads are moved over to Intune. I have a few clients that for one reason or other have not been added to Intune. I can get them onboarded, but the join type always ends up Intune. I am trying to find out the correct recipe to reenroll an SCCM client to Intune. I have tried uninstalling the SCCM client and reinstalling. I have tried removing registry keys for Intune to ensure it joins again. I have used DSREGCMD to leave and join back. I have completely removed from Domain and deleted from Intune. I have tried combinations of all of these things together. I have yet to come up with a specific order to do them in. I still think there is some remnant that is preventing a rejoin. Does anyone have details that help me to get systems to rejoin via SCCM? Some may say what is the difference. The difference is there are tools that are not present if the Join type is incorrect. Best regards and thanks.
How to determine what a Package ID is associated with
We have hundreds of packages, applications, software update packages, driver packages, OS images, etc. There are times I only have a package ID and I need to determine what it is. A royal pain to manually search each one of those categories in the console. Anyone have a Powershell script to find what the package ID is associated with?
Migrate from SCCM 2012 R2 SP1 to Current Branch
Hey folks I am planning to migrate my System Center 2012 R2 Configuration Manager SP1 to the most recent Current Branch of System Center 2025, because the old version is still running on an old windows server version and we need to upgrade to a new windows Server 2025 and also the most recent current branch of configuration manager. Now the documentation for upgrading Configuration Manager https://learn.microsoft.com/en-us/intune/configmgr/core/servers/deploy/install/upgrade-to-configuration-manager states, that upgrading from 2012 is only supported until Current Branch 2203; from 2303 on, you can't do the upgrade anymore. But since this "Important-Warning" message isn't shown on the migration article for Configuration Manager https://learn.microsoft.com/en-us/intune/configmgr/core/migration/migrate-data-between-hierarchies I am wondering if this only applies to upgrading configuration Manager on the same host? Or does it also apply to the scenario where I do a side by side migration (Install latest windows server on a new VM, install latest Current Branch of Configuration Manager and then do a migration via data gathering and migration job). You would help me a lot, because I can't find official info about it and I am very concerned about not being able to do the migration from 2012 to Current Branch 2503.. :( So if it also applies to migration; I can still do migration to 2203 as described in the "migration" article with the video https://www.youtube.com/watch?v=6_0EwW-5b4E and then do an inplace upgrade from 2203 to 2503?Unified update platform (UUP) FAQ's
After a month of UUP update release, sharing best practices based on our field and feedback through multiple channels. 1. Will UUP patch work for CB 2111 and below? Our pre-req is Configuration Manager Version 2203 and above as per our release documents. For Configuration Manager Version 2111 (Lesser than this are unsupported now) to patch UUP updates for windows 11 22H2 seamlessly, enable delta download setting using client settings in ConfigMgr. When this option is set, delta download is used for all Windows update installation files, not just express installation files. 2. Please be sure to select the appropriate update classifications in your ADRs. If you have ADRs configured to auto-approve Security Updates, be sure to specify the “Security Updates” classification in your ADR settings. If you would like to take advantage of all the great features of UUP and utilize UUP feature updates to upgrade endpoint clients to Windows 11 22H2, be sure to include the “Upgrades” classification in your ADRs. This will ensure that as endpoint clients go through the OS upgrade they will receive the latest security updates as part of the upgrade and will only need to reboot once. If you do not want to utilize UUP feature updates to upgrade endpoint clients right now, you will want to exclude the “Upgrades” classification from your ADRs. Note: The feature updates will be released every month but there will be sharing of content for the old files and the new content should be only a few hundred MBs between the month releases. See Question 9 for more details on deduplication. 3. ConfigMgr + Adaptiva integrated solutions Adaptiva has released a patch for its customers to support the UUP. The public documentation can be found here: https://adaptiva.com/blog/using-unified-update-platform-with-adaptiva-onesite. Note that Adaptiva has asked customers not to enable delta download from the client settings and this is our recommendation from ConfigMgr 2203+ onwards only (which is our recommended version as well but as mentioned before for UUP to work with ConfigMgr 2111 there is a requirement to enable delta download from client settings.) 4. ConfigMgr console on Windows Server 2012 R2 cannot download the UUP Quality update fails to verify cert signature PatchDownloader.log Verifying file trust C:\Users\admin\AppData\Local\Temp\2\CAB291B.tmp.wim Software Updates Patch Downloader Authentication of file C:\Users\admin\AppData\Local\Temp\2\CAB291B.tmp.wim failed, error 0x800b0004 Software Updates Patch Downloader Attempting to delete 0 byte tmp files from previous downloads Software Updates Patch Downloader ERROR: DownloadUpdateContent() failed with hr=0x80073633 Software Updates Patch Downloader Workaround: Patch the Windows Server 2012 R2 with 2023 4B (April CU) which then fixes this issue. 5. ConfigMgr Patchdownloader component may fail to verify (*.psf files) if the UUP patches were synched before ConfigMgr 2111 version. The issue will persist even if ConfigMgr version is upgraded to ConfigMgr 2111+ if the updates were synched before ConfigMgr was on a lesser version than version 2111. Sample error in PatchDownloader.log Verifying file trust C:\WINDOWS\TEMP\CAB6062.tmp.psf Software Updates Patch Downloader Authentication of file C:\WINDOWS\TEMP\CAB6062.tmp.psf failed, error 0x800b0004 Software Updates Patch Downloader Attempting to delete 0 byte tmp files from previous downloads Software Updates Patch Downloader ERROR: DownloadUpdateContent() failed with hr=0x80073633 Software Updates Patch Downloader The below SQL query will help you identify the issue. -- Sample check for 2023-04 Cumulative Update for Windows 11 Version 22H2 for x64-based Systems (KB5025239). -- Replace the unique update id below if you are searching for a different UUP update IF EXISTS( select all SMS_CIContentFiles.CI_UniqueID,SMS_CIContentFiles.Content_ID,SMS_CIContentFiles.FileName,SMS_CIContentFiles.FileSize, SMS_CIContentFiles.IsSigned,SMS_CIContentFiles.SecuredTypeID,SMS_CIContentFiles.SourceURL from vSMS_CIContentFiles AS SMS_CIContentFiles WHERE SMS_CIContentFiles.CI_UniqueID='3157dbaf-04f5-49fc-baef-300bbd6d121a' AND FileName like '%.psf' and isSigned= 1 ) PRINT 'UUP Updates likely synched before upgrading to 2111. This will need correction, Please call Microsoft support to correct this.' ELSE PRINT 'You are not likely affected by the UUP PSF update signing issue' If you get the output of the above query as 'UUP Updates likely synched before upgrading to 2111. This will need correction, please call Microsoft support to correct this.' then likely you are affected and open a support case with Microsoft to correct the issue. 6. UUP updates installed as a part of OSD TS in "Install Software Updates" step (Fixed 2309 or later) There is a known issue that is currently investigated. The issue is the Delta Download component of CCMEXEC not starting on time and the updates timeout on the first scan, later scans are not impacted. Workaround: Add a restart step in between two install software updates steps. This will allow UUP updates to be successfully downloaded and installed in the second attempt. Resolution: Upgrade to CB 2309 and upgrade the client. This issue is addressed. 7. Does offline servicing work with UUP updates? No. Offline servicing images with UUP QU updates from the ConfigMgr console is not supported. 8. Are Delivery Optimization (DO) and Delta Download (DD) components different ? What is ConfigMgr dependency on DO? Delivery Optimization is a Windows technology to deliver content in a smart way reducing internet bandwidth owned by the Windows team and Delta Download is a component which is an http listener for requests owned by the ConfigMgr team. Delivery Optimization is a peer-to-peer distribution technology available in Windows 11 and Windows 10 that allows devices to share content, such as updates, that the devices have downloaded from Microsoft over the internet. DO is a part of the Windows OS. Delta Download is a http listener and is a component of ConfigMgr. ConfigMgr requires the DO client as it invokes the Delta download listener to download the content (as we configure the alternate content location URL in WUA policy to point to Delta Download Listener URL). The Invocation flow is WUA (Windows Update Agent) -> DO (Delivery Optimization) -> DD (Delta Download). Hence even if we don't enable DO, ConfigMgr would automatically enable DO by setting these two policies. This is visible in the UpdateDOGPO.log SetDOGPOSettings: Set Windows DO group policy to DOGroupId = DeliveryMode = group Customers should not create any GPO settings to disable these policies OR edit the registry to disable the DOSVC service or from services console. 9. Update Supersedence changing to 6 months default for new installs. How does update supersedence affect UUP scenarios? Refer the blog for the announcement details for this change. The default for expiring updates which are superseded will only change for the new installations and the existing ones will not be altered from whatever the current setting is. 10. Does ConfigMgr have deduplication of files at source and distribution points? Deduplication at the source in ConfigMgr : When PatchDownloader component downloads a file it checks if the file exists in the same share and creates a hard link for the already existing file instead of re-downloading it. Scenario 1 If the files/folders for previous UUP update source package are on the same volume but different share name, customers don't go into creating hard link path at all. Scenario 2(a) If the Package path has a common share \\machine\share but different folders inside it (which is the normal case) like \\machine\share\jan and \\machine\share\feb we go to the hard link and create the hard link for the file with the Patchdownloader.log entry Content already downloaded. Created link for ContentID Scenario 2(b) Same scenario as 2(a) but the PatchDownloader here finds the same file present in a different share first apart from being present on the same share. Here the PatchDownloader doesn't go deep and check if the file is also present on the same share and fails to create the hard link. But here it doesn't download from internet again but copies the file from the other share to this share. Log entries fail to create hard link with error 17 (which is it thinks these are different drives). Could not create hard link: \\MachineNetbios\UpdatesPackage\2302_Win11_21H2_UUP\b1e9d019-7dec-4eee-b7e4-9e8eae99d89b.1\19222DDC6156FBE5570C3A6DDF69759662F93AEE_FeatureOnDemand.wim -> \\ MachineNetbios\22-11-UUPWin11\bcb528ff-85c2-4372-8b91-20bd0c7fa1e4\19222DDC6156FBE5570C3A6DDF69759662F93AEE_FeatureOnDemand.wim. LastErr=17 Summary It is recommended to have a single share for all the UUP monthly packages \\machine\UUP and then creating folders inside it for each months. for eg.. \\machine\share\jan and \\machine\share\feb . In this case ConfigMgr will create hard links instead of downloading the actual files again. Note If you actually check the properties of the folder it will still show the size of the actual file and not hard link. Use DU.exe from sysinternals suite to find the actual size of a folder. E:\UpdatesPackage\2302_Win11_21H2_UUP>E:\DU\du.exe . DU v1.62 - Directory disk usage reporter Copyright (C) 2005-2018 Mark Russinovich Sysinternals - www.sysinternals.com Files: 14 Directories: 2 Size: 9,675,198,236 bytes Size on disk: 9,675,227,136 bytes Note To find all the hard link references to a file use the fsutil command. fsutil harlink list <full_file_path> 11. Why does ConfigMgr UUP On-Prem download a 3-5GB wim when I want to install a very small FOD/LP package? This is an issue with the size attribute on the file as we don't download the full file for FOD/LP but only the needed byte ranges. Since we download the needed byte ranges only, the size that gets displayed for the file is the cumulative size of the file till that range. Meaning if the small FOD package is around 3035627519 of the byte range in the file, we will display the size of the file as around 2.82 GB. While in actuality we only downloaded the file ranges between 3034578944-3035627519 for the 1 MB FOD package. To confirm the actual size of the file on disk you can check the properties of the file and verify the "Size on disk". 12. Deduplication at the distribution points in ConfigMgr : Distribution Points in ConfigMgr are already designed to have a SIS (Single instance storage) in the form of Content Library. So we store any file only once no matter how many packages it is present in. More on ConfigMgr Content Library design here . For more details ref the actual windows blog and Configuration blog. Thank you, The Configuration Manager teamAccess collections information locally
Is there a way through WMI/Microsoft.SMS.Client comobject to access information from the computer if is in a collection (cached information or otherwise)? I'm not sure if a computer gathers that information somewhere. I can't access that information on the site server or through the AdminService as the account running the commands would be the SYSTEM account. My goal is query if a computer is in a collection and install a piece of software through a task sequence.Release Cadence Changes to Microsoft Configuration Manager
This article provides information about release-cadence changes for Microsoft Configuration Manager, introducing a new release cycle starting after the release of a Configuration Manager baseline version in 2303. To learn about the changes introduced in previous updates for Configuration Manager, branding, and baselines, see What's new in Configuration Manager incremental versions, Microsoft Configuration Manager FAQ, and, Baseline and update versions. As Windows is moving to a once-a-year update model, Configuration Manager will be better aligning to that cadence by moving from three to two updates a year. The next release of Microsoft Configuration Manager after 2303 will be in September 2023, version 2309. Effectively, the xx07 and xx11 updates are being merged into an xx09 update. The consolidation of updates will roll up enhancements into this release; another outcome is reducing the number of deployments customers must manage annually. Along with better alignment to the Windows cadence and reducing CM deployment management, this change will also allow Configuration Manager to have a longer development cycle to address key customer feature asks while continuing to deliver high quality updates. With this change and the longer development cycle, the Configuration Manager 2309 update will be able to address key customer asks around policy sync, software update troubleshooting, improved alerts, dashboarding, and more. Hotfix rollups and security updates will continue to be made available as necessary to address any critical bugs. Cadence Change Summary: Starting in the calendar year 2023 customers will now receive two releases of Configuration Manager, one in March (xx03), and another in September (xx09) rather than the previous release cadence of xx03, xx07, and xx11. Baseline versions can be used to install a new Configuration Manager site and hierarchy, or to upgrade from a supported version of Configuration Manager. 2303, 2403… will be baseline releases. There will be four Technical Preview (TP) releases per year. Two will be released before each production current branch release, and one of Technical Preview release would be a baseline release. (TP Baseline are 180 days evaluation) There is no change to current branch support cadence. Each current branch version remains in support for 18 months from its general availability release date. For more information, see Support for Configuration Manager current branch versions.
MECM OSD TS Application Installations fail randomly to download content.
We are experiencing a persistent and well-documented issue with MECM OSD Task Sequences where Applications randomly fail to install after the MECM client has been installed. This behavior seems to affect many environments and has been an ongoing problem for years, yet a definitive solution remains elusive. In our case, we have over 30 Applications included in the OSD Task Sequence. Despite implementing all commonly recommended mitigations—such as inserting an additional restart after the MECM client installation and including a two-minute delay before the Application install task group begins—we still encounter random failures. The issue is not limited to any specific Application; it can be any one of the 30+ Apps, and the failure to download appears to occur entirely at random. Occasionally, most of the Applications install successfully, and only one will fail, which subsequently causes the entire Task Sequence to fail with the same error. Importantly, all of these Applications install without any issues post-OSD, further confirming that the problem lies not with the Applications themselves but with the process during the Task Sequence. The randomness of which App fails also suggests an underlying process, feature, or timing issue—not an App configuration problem. We have thoroughly validated all related infrastructure settings: Boundaries and boundary groups have been triple-checked. No boundary is assigned to multiple groups. Site system assignments are correct. We are using PKI certificates and HTTPS, and the client authentication certificate is present on the device at the time of failure. The issue has been replicated across both Windows 10 and Windows 11, ruling out any specific cumulative updates or OS version anomalies. No additional language packs are being installed—only language fallback is applied via the "Apply Windows Settings" step. One suspicious observation is the lack of any reference to our local Distribution Point in the LocationServices or CAS logs during failure events. Initially, this pointed to a possible boundary misconfiguration, but after multiple checks, no issues have been identified. Unfortunately, we are unable to use the common workaround of converting Applications to Packages, due to internal policies and deployment requirements. Therefore, we need to resolve this while continuing to use Applications in the Task Sequence. Given the number of years this issue has persisted across customer environments, it's surprising there isn’t more formal guidance or documentation available to help isolate the root cause. If anyone has encountered a similar scenario or has any advanced troubleshooting tips, we would greatly appreciate your insight.Agents will install on 2 DC's but will not get configurations
Hello, I have 2 DC's that when i install the MECM agent on them, they will install but will not get the configuration files and when i open the client on the machines its missing the configurations tab and the action tab only has 2 actions. also, on the general tab of the client, the Client Certificate says "none" I know the easy answer is this is a "boundary issue" but it is not. i have other servers with the same IP address range and they have no issue getting the client fully configured. It is not a local firewall issue as i tried turning it off and got the same results. in the ccmsetup logs i am seeing this "Failed to get MDM_ConfigSetting instance, 0x80041013" can anyone please help figure out what is going on here?? thanks in advance
