SCCM Third Party Patching

Currently a Pre-Release feature with 1806, Third Party Patch management is finally on its way!!

Here is a great video from Patch My PC covering the new feature.

SCCM OSD PXE problems with USB Adapters

A rather annoying issue I have come across with PXE imaging on PCs with a USB adapter is a duplicate MAC address conflict: the adapter itself has a MAC address, and the MAC of the PC itself is not passed through. If you look into SMSPXE.log, this will reveal the issue.

Manage duplicate hardware identifiers

Providing a list of hardware identifiers that Configuration Manager ignores for the purpose of PXE boot and client registration, helps to address two common issues.

  1. Many new devices, like the Surface Pro 3, do not include an onboard Ethernet port. Technicians use a USB-to-Ethernet adapter to establish a wired connection for purposes of operating system deployment. However, these adapters are often shared due to cost and general usability. Because the MAC address of this adapter is used to identify the device, reusing the adapter becomes problematic without additional administrator actions between each deployment. To reuse the adapter in this scenario, exclude its MAC address.
  2. While the SMBIOS attribute should be unique, some specialty hardware devices have duplicate identifiers. Exclude this duplicate identifier and rely on the unique MAC address of each device.

To add hardware identifiers for Configuration Manager to ignore

  1. In the Configuration Manager console, go to Administration > Overview > Site Configuration > Sites.
  2. On the Home tab, in the Sites group, choose Hierarchy Settings.
  3. On the Client Approval and Conflicting Records tab, choose Add in the Duplicate hardware identifiers section to add new hardware identifiers.

SCCM Cannot Disable Peer-Cache

SCCM peer cache was introduced in 1610 as a pre-release feature and eventually made it into production.

As there was quite limited documentation around the feature at the time, there have been several eager admins who have likely enabled this without understanding how it works and the consequences.


After disabling the feature in client settings, clients started to be removed from the Super Peers list, however not all of them.

To check the Super Peers list you will need to go to the SQL database your SCCM instance is hosted on.

Select * from SuperPeers


The symptoms you will see are slow OS deployment, slow application downloads (downloading stuck at 0% for a while) from Software Center, or even slowness when deploying updates.

CAS.log reported a long download locations list before the SCCM was even considered, so the server still reports these sources as active peer cache clients.


DataTransferService.log then reports a bunch of errors, because the feature is disabled on clients and content can’t be reached, then the client waits a bunch of seconds and proceeds with the next download location.


During OS deployment I noticed that placing a computer on the same subnet as the SCCM distribution point, it is considered first in the list, so the issue is … work-arounded?



I didn’t understand at first if this was BranchCache or PeerCache related. I tried a lot of things: re-enabling the feature then disabling it again, changing my boundaries and boundary groups so that they are managed by IP address range, removing the “Allow clients to share content[…]” option from applications (which is BranchCache related).

This is the exact case. Read it, because this is gold. Even the introduction and myth-busting about BranchCache and PeerCache is worth a read.

The setting is disabled on computers, but the site server is not aware. Apparently there’s an issue when the client sends back a state message to the site server stating: I’m not a superpeer, remove me from the list.

Verifying the WMI information on a “guilty” computer (one of those appearing in CAS.LOG) with WMI Explorer


The setting is consistent with the deployed client settings. So the computer knows.

Let’s see if the client is in the “SuperPeers” table on the DB

Select * from System_DISC where Name0 like 'ComputerName_still_in_Superpeer_list'

get the ItemKey from there, and

Select * from SuperPeers where ResourceID = 'ItemKey'



So the client is still a SuperPeer for SCCM, and the same ResourceID also appears in SuperPeerContentMap for every application or package it is (was) able to distribute.

Select * from SuperPeerContentMap where ResourceID = 'ItemKey'


So, how do we get rid of this data (which is now complete garbage, since I disabled the setting globally) ?

The Fix

As always, make a backup of your database before running these commands. They will delete all Peer Cache information from both tables.

delete from SuperPeerContentMap

delete from SuperPeers

Test again from your clients to verify that everything now works!
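The three lookups above can be combined into one inventory query, and the clean-up can run as a single transaction that reports how many rows it removed. This is an added example, not part of the original post: it assumes the SqlServer PowerShell module (Invoke-Sqlcmd), the function names and the $SqlServer / $Database parameters are hypothetical, and only the table and column names shown above are used.

```powershell
# Added example (not from the original post). Requires the SqlServer module.
# $SqlServer / $Database are placeholders for your site database server and database.

function Get-SuperPeerInventory {
    # Lists every machine the site still treats as a super peer, with the
    # number of content entries mapped to it in SuperPeerContentMap.
    param(
        [Parameter(Mandatory)][string]$SqlServer,
        [Parameter(Mandatory)][string]$Database
    )
    $query = @'
SELECT s.Name0 AS ComputerName,
       sp.ResourceID,
       COUNT(m.ResourceID) AS ContentEntries
FROM SuperPeers AS sp
LEFT JOIN System_DISC AS s ON s.ItemKey = sp.ResourceID
LEFT JOIN SuperPeerContentMap AS m ON m.ResourceID = sp.ResourceID
GROUP BY s.Name0, sp.ResourceID
ORDER BY ContentEntries DESC;
'@
    Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query
}

function Clear-SuperPeerTable {
    # Runs the two deletes from "The Fix" atomically: if either statement
    # fails, XACT_ABORT rolls both back, so the tables never end up half-cleared.
    param(
        [Parameter(Mandatory)][string]$SqlServer,
        [Parameter(Mandatory)][string]$Database
    )
    $query = @'
SET XACT_ABORT ON;
BEGIN TRANSACTION;
DELETE FROM SuperPeerContentMap;
DECLARE @map int = @@ROWCOUNT;
DELETE FROM SuperPeers;
DECLARE @peers int = @@ROWCOUNT;
COMMIT TRANSACTION;
SELECT @map AS ContentMapRowsDeleted, @peers AS SuperPeerRowsDeleted;
'@
    Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query
}

# Typical use: save the inventory before clearing, so the previous state is on record.
# Get-SuperPeerInventory -SqlServer $SqlServer -Database $Database |
#     Export-Csv .\superpeers-before.csv -NoTypeInformation
# Clear-SuperPeerTable -SqlServer $SqlServer -Database $Database
```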

GPO Backup and Email of GPO Modifications

Recently I wrote a PowerShell script that backs up Group Policies and also sends an email of Group Policies modified within a specified time. It works well set up as a scheduled task to take care of GPO backups.

Download Here: GPO_Backup_1.2

The following fields can be modified to suit your requirements

$BUlocation = "C:\GPOBackups" #where the GPO backups will be located
$BUresults = "Backup-results.txt" #name of the output file (for reference)
$days = 15 #backups older than this number of days are auto deleted
$dc = "domaincontroller" #hostname of the DC for backing up
$SMTPserver = "" #SMTP server name
$SendTo = "" #Send email to this address

Also for the email sent you can change how long to capture the modifications

eg. 24 Hours

$body = Get-GPOModifications -Hours 24

eg. 7 Days

$body = Get-GPOModifications -Days 7

Hope you find this one useful 🙂
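For readers who want to see how a modification report of this kind can be built, here is an added example that is not the GPO_Backup_1.2 script and does not reproduce its Get-GPOModifications function. It uses the GroupPolicy module's Get-GPO and Backup-GPO cmdlets; the function names and parameters are hypothetical.

```powershell
# Added example, independent of the script linked above.
# Requires the GroupPolicy module (GPMC / RSAT) and read access to the domain's GPOs.
Import-Module GroupPolicy

function Get-RecentGpoChange {
    # Returns the GPOs whose ModificationTime falls inside the look-back window.
    param(
        [Parameter(Mandatory)][string]$Server,   # DC to query, e.g. the $dc value
        [int]$Hours = 24
    )
    # Compare in UTC so the result does not depend on how the timestamp is expressed.
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$Hours)
    Get-GPO -All -Server $Server |
        Where-Object { $_.ModificationTime.ToUniversalTime() -ge $cutoff } |
        Sort-Object ModificationTime -Descending |
        Select-Object DisplayName, Id, Owner, GpoStatus, CreationTime, ModificationTime
}

function Backup-ChangedGpo {
    # Backs up only the GPOs that changed in the window, into a time-stamped folder,
    # so each run leaves a restorable copy of exactly what was modified.
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$BackupRoot,   # e.g. the $BUlocation value
        [int]$Hours = 24
    )
    $changed = @(Get-RecentGpoChange -Server $Server -Hours $Hours)
    if ($changed.Count -eq 0) { return }

    $target = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    foreach ($gpo in $changed) {
        $backupArgs = @{
            Guid    = $gpo.Id
            Path    = $target
            Server  = $Server
            Comment = "Modified $($gpo.ModificationTime.ToString('s'))"
        }
        Backup-GPO @backupArgs
    }
}

function ConvertTo-GpoChangeReport {
    # Turns the change list into an HTML fragment suitable for an email body.
    param([Parameter(Mandatory)][string]$Server, [int]$Hours = 24)
    $changed = @(Get-RecentGpoChange -Server $Server -Hours $Hours)
    if ($changed.Count -eq 0) { return "No GPOs modified in the last $Hours hours." }
    $changed | ConvertTo-Html -Fragment | Out-String
}

# Example: report and back up everything changed in the last 7 days.
# ConvertTo-GpoChangeReport -Server 'domaincontroller' -Hours (7 * 24)
# Backup-ChangedGpo -Server 'domaincontroller' -BackupRoot 'C:\GPOBackups' -Hours (7 * 24)
```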

Error sending DAV request. HTTP code 500 (HTTP Error 500.19 – Internal Server Error)

A client was not able to download any content. After investigating DataTransferService.log I could see the following error:

Error sending DAV request. HTTP code 500, status 'Internal Server Error'   DataTransferService       24/08/2017 8:21:17 AM       3972 (0x0F84)

GetDirectoryList_HTTP('http://SERVERNAME:80/SMS_DP_SMSPKG$/f4e4ea5d-49ad-423a-9cac-cea869e6e1d7') failed with code 0x87d0027e.      DataTransferService       24/08/2017 8:20:47 AM  28624 (0x6FD0)

Browsing to http://localhost/SMS_DP_SMSSIG$ on the server would return an HTTP Error 500.19 – Internal Server Error.

As WSUS was previously installed on this server, it was the culprit behind it. I had a look at the ApplicationHost.config file and noticed that suscomp.dll was still installed by WSUS even though it had been removed.

To verify that suscomp.dll is configured

  1. Go to C:\windows\system32\inetsrv\config and locate the ApplicationHost.config file
  2. Open it with Notepad and look for the following lines
    <scheme name="xpress" doStaticCompression="false" doDynamicCompression="true"
    dll="C:\Windows\system32\inetsrv\suscomp.dll" staticCompressionLevel="10"
    dynamicCompressionLevel="0" />


  • To disable the suscomp.dll compression scheme that was added when the WSUS server role was installed, run the following from an elevated command prompt.
    %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']
  • If you need to re-enable this, just change it slightly and run this command.
    %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /+[name='xpress',doStaticCompression='false',dll='%windir%\system32\inetsrv\suscomp.dll']
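The manual check in steps 1 and 2 can be scripted so it also reports whether each compression DLL referenced by the config is actually present on disk. This is an added example, not from the original post; the function names are hypothetical, and treating a missing DLL as the thing to look for is an assumption.

```powershell
# Added example (not from the original post). Run from an elevated 64-bit PowerShell.

function Get-CompressionSchemeStatus {
    # Reads every <scheme> under httpCompression in applicationHost.config and
    # reports its DLL, whether that file exists, and whether it is suscomp.dll.
    param(
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
    )
    [xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
    $xpath = '/configuration/system.webServer/httpCompression/scheme'
    foreach ($scheme in $config.SelectNodes($xpath)) {
        # The dll attribute may use %windir%, so expand it before testing the path.
        $dll = [Environment]::ExpandEnvironmentVariables($scheme.GetAttribute('dll'))
        [pscustomobject]@{
            Name      = $scheme.GetAttribute('name')
            Dll       = $dll
            DllExists = ($dll -and (Test-Path -LiteralPath $dll))
            IsSusComp = ($dll -like '*\suscomp.dll')
        }
    }
}

function Remove-XpressScheme {
    # Keeps a dated copy of applicationHost.config, then runs the same appcmd
    # command as above. Arguments are quoted so PowerShell passes them unchanged.
    param(
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
    )
    $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $ConfigPath -Destination $backup
    $appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
    & $appcmd set config '-section:system.webServer/httpCompression' "/-[name='xpress']"
    $backup   # return the backup path so it can be restored if needed
}

# Example: show only the schemes that point at suscomp.dll.
# Get-CompressionSchemeStatus | Where-Object IsSusComp | Format-Table -AutoSize
```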

Software Metering Reports not working for new Rules

I came across an issue today where, after I created some new software metering rules, no data was being reported back and the reports were empty.

After a quick search the recommendation is to delete the RULECHG.RTA file from the “%installdir%\Microsoft Configuration Manager\inboxes\” inbox, however I found that this file did not exist. Rather I had a lot of RT4, RT6 & RT18 files.

To fix it, what I did was remove the rules I created, remove those files from the inbox (copying them to a temp folder), create the rules again and check the reports.

It seems the rules were actually effective, as data was being collected, however no data was showing. Since putting in the fix above, the data now shows.

SCCM 1702 Upgrade – What to be aware of!

SCCM 1702 is now available under the current branch model. There are some new features that come along with this but also some items to be aware of.

What is being dropped?

  • SQL Server 2008 R2, for site database servers. This version of SQL Server remains supported when you use a Configuration Manager version prior to version 1702.
  • Windows Server 2008 R2, for site system servers and most site system roles. This version of Windows remains supported when you use a Configuration Manager version prior to version 1702.
    Beginning with version 1702, this operating system is not supported for site servers or most site system roles, however versions prior to 1702 continue to support its use. This operating system does remain supported for the state migration point and distribution point site system role (including pull-distribution points, and for PXE and multicast) until deprecation of this support is announced, or this operating system’s extended support period expires.
  • Windows Server 2008, for site system servers and most site system roles.
    This operating system is not supported for site servers or site system roles with the exception of the distribution point and pull-distribution point. You can continue to use this operating system as a distribution point until deprecation of this support is announced, or this operating system’s extended support period expires
  • Windows XP Embedded, as a client operating system. This version of Windows remains supported when you use a Configuration Manager version prior to version 1702.

Be sure to read this extensively:

What is coming?

  • Close executable files at the deadline when they would block application installation – If executable files are listed on the Install Behavior tab for a deployment type and the application is deployed to a collection as required, then a more intrusive notification experience is provided to inform the user, and the specified executable files will be closed automatically at the deadline
  • Support for Windows 10 Creators Update – This version of Configuration Manager now supports the release of upcoming Windows 10 Creators Update
  • Express files support for Windows 10 Cumulative Update – Configuration Manager now supports Windows 10 Cumulative Update using Express files
  • Customize high-risk deployment warning – You can now customize the Software Center warning when running a high-risk deployment, such as a task sequence to install a new operating system.

As per any upgrade, make sure you check everything and what is supported. Make sure to run the Pre-Req first to start your planning.

SCCM – Server OS upgrade from 2008R2 to 2012R2

I recently completed an OS upgrade of my environment from 2008R2 to 2012R2 on a CAS>Primary Hierarchy. I found the documentation a bit limiting especially post install as without a doubt there are some issues you are bound to run into. So what is a good way going about the process? I broke this up into 3 main steps

  1.  Prepare the OS Drive by cleaning up data (a Windows.Old Directory is stored post upgrade that consumes a lot of space)
  2. The OS upgrade itself. (If using a VM, Snapshot!)
  3. Post upgrade Tasks and remediation

1. Preparation

  • Check Disk space of OS Drive
  • Delete old log files in inetpub.
  • Install desktop experience so that you get the Disk cleanup utility to use post upgrade.
  • If using a static IP, take note of these details as the upgrade will change to DHCP
  • Uninstall WSUS 3.0 SP2
  • Remove the Software Update Point Role from SCCM
  • Stop the SCCM site using Preinst.exe /StopSite (Stopping the CAS server will stop the whole hierarchy)
  • Create a snapshot here if you have a VM

2. OS Upgrade

Just like any OS upgrade, however you are doing it. In this case, with a VM, the ISO was mounted and the in-place upgrade was kicked off.


3. Post upgrade:

  • Ensure the Windows Deployment Service is started and running for the following site system roles (this service is stopped during upgrade):
    • Site server
    • Management point
    • Application Catalog web service point
    • Application Catalog website point
  • Ensure the Windows Process Activation and WWW/W3svc services are enabled, set for automatic start, and running for the following site system roles (these services are disabled during upgrade):
    • Site server
    • Management point
    • Application Catalog web service point
    • Application Catalog website point

Ensure each server that hosts a site system role continues to meet all of the prerequisites for site system roles that run on that server. For example, you might need to reinstall BITS, WSUS, or configure specific settings for IIS.

Below are the common issues I came across and the fix for each.

Application Catalog does not connect

After upgrading SCCM OS the application server config point stopped working. This is due to .Net 4.5

Cannot connect to the application server error message below.

When looking in the Site Component node, I could see that SMS_AWEBSVC_CONTROL_MANAGER had a warning sign, which was in fact several error notifications with the following description:

After installing .Net framework 4.5.2 and rebooting the server I still had that same error message.

Again, browsing to http://localhost/CMApplicationCatalogSvc/applicationofferService.svc resulted in providing me a lead to an error in a line (which can be a result of one of my troubleshooting steps before writing these words), fixing a line in the file: “C:\Program Files\SMS_CCM\CMApplicationCatalogSvc\Web.config”


<add prefix="HTTP://SCCM.U-BTech.COM:80"/></baseAddressPrefixFilters>


<baseAddressPrefixFilters><add prefix="HTTP://SCCM.U-BTech.COM:80"/></baseAddressPrefixFilters>

And performing IISReset was the last piece in that puzzle that fortunately solved the problem.

Console not working Remotely

Post upgrade the WMI permissions get overwritten thus the console does not work remotely any longer.

On the site server launch wmimgmt.msc console.

Then browse to root / SMS and root / SMS / site_[site name]. Add the SMS Admins local group back to both of these, and make sure they have Execute Methods, Provider Write, Enable Account, and Remote Enable allowed.


WSUS High CPU/Memory Usage

I also had multiple issues with WSUS 4.0 post upgrade. Most important was to patch the OS so that it is current. I also had to apply the steps in my post below to resolve the issue.

IIS w3wp.exe 100% CPU, WSUS and SCCM

Happy Upgrading!!

Weekly News – Microsoft Ignite – Windows Feature Update Size

So this week I am at Microsoft Ignite, only the start of day 2 at the moment but already some useful information. I will add more as the week goes on.

So apart from the heavy talk of cloud, the Desktop Track has some good news. A big focus seems to be around Windows Feature updates and how these will be managed going forward.

At the moment feature packs are huge, the ISO around 3.5GB and SCCM/WSUS deployments using ESD are about 1GB less. They plan to get this even smaller using something called a differential update which allows the client to only download what is required. This somewhat ties into express updates that were just released. The downside of this is that your WSUS/SCCM update point will need a much larger storage repository: these updates will take up to 5 times the storage of what you have now with WSUS, so you will need to weigh up whether the advantage of smaller updates to clients is worth the extra storage on your WSUS server and also your DPs.


IIS w3wp.exe 100% CPU, WSUS and SCCM

Update (29/08/2017) :

Microsoft have released a patch for each WSUS version to resolve this issue. If you still run into issues please try the troubleshooting steps below in the original post.

Original Post:

A rather unique issue I came across recently in an environment was with the IIS Worker process w3wp.exe using 100% CPU.

With over 1500 clients you will see the WSUS IIS worker process start to use larger amounts of memory. When the default memory limit is hit, the CPU on the worker process will max out, causing issues and stopping WSUS from working.

The way to view the worker processes and current resource utilization is to go to IIS Manager, select the server name and open Worker Processes.

You will see the utilization here. Make sure you check WCM.log and WSUSCtrl.log for any errors as well.

The usual recommendation is just to increase the limit from the default of 1843200 to a larger amount such as 4GB (4194304), however I found this didn’t resolve the issue. It is best to set it so that it has access to the largest amount required. This alone does not always fix the issue.

See the full list of instructions below for what to change.

  1. On your WSUS Server, launch the IIS Manager
  2. Open Application Pools
  3. Right click ‘WsusPool’ and select ‘Advanced Settings…’
  4. To support the maximum SCCM Software Update Point clients, change ‘Queue Length’ from the default 1,000 to 25,000
  5. Change ‘”Service Unavailable” Response Type’ from the default HttpLevel to TcpLevel
  6. Change ‘Failure Interval (minutes)’ from the default 5 to 30
  7. Change ‘Maximum Failures’ from the default 5 to 60
  8. Click ‘OK’ to save the App Pool changes
  9. Open Services.Msc
  10. Restart the World Wide Web Publishing Service

The pool will use a large amount of memory initially but will start to settle. In this example it consumed around 11GB of RAM and now hovers around 1.0 GB.
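The application pool changes in steps 4 to 7 and the service restart in step 10 can also be applied, and later audited for drift, from PowerShell. This is an added example, not from the original post: it uses the WebAdministration module that ships with IIS, and the function name and -Apply switch are hypothetical.

```powershell
# Added example (not from the original post). Run elevated on the WSUS server.
Import-Module WebAdministration

function Set-WsusPoolTuning {
    # Compares WsusPool against the values from steps 4-7 and, with -Apply,
    # sets any that differ and restarts the World Wide Web Publishing Service.
    param(
        [string]$PoolName = 'WsusPool',
        [switch]$Apply    # without -Apply the function only reports drift
    )
    $path = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $path)) { throw "Application pool '$PoolName' not found." }

    $desired = [ordered]@{
        'queueLength'                           = 25000                        # step 4
        'failure.loadBalancerCapabilities'      = 'TcpLevel'                   # step 5
        'failure.rapidFailProtectionInterval'   = [TimeSpan]::FromMinutes(30)  # step 6
        'failure.rapidFailProtectionMaxCrashes' = 60                           # step 7
    }
    $pool = Get-Item $path
    $current = @{
        'queueLength'                           = $pool.queueLength
        'failure.loadBalancerCapabilities'      = $pool.failure.loadBalancerCapabilities
        'failure.rapidFailProtectionInterval'   = $pool.failure.rapidFailProtectionInterval
        'failure.rapidFailProtectionMaxCrashes' = $pool.failure.rapidFailProtectionMaxCrashes
    }

    $changed = $false
    foreach ($name in $desired.Keys) {
        # Compare as strings so numeric, enum and TimeSpan values are handled alike.
        $differs = "$($current[$name])" -ne "$($desired[$name])"
        if ($differs -and $Apply) {
            Set-ItemProperty -Path $path -Name $name -Value $desired[$name]
            $changed = $true
        }
        [pscustomobject]@{
            Setting = $name
            Current = "$($current[$name])"
            Desired = "$($desired[$name])"
            Drift   = $differs
        }
    }
    if ($changed) { Restart-Service -Name W3SVC }   # step 10
}

# Example: report first, then apply.
# Set-WsusPoolTuning | Format-Table -AutoSize
# Set-WsusPoolTuning -Apply | Format-Table -AutoSize
```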

Limit the number of inbound connections to WSUS

Reducing the number of allowed connections will cause clients to receive 503 errors (service not available), but they will retry. If the performance counter Web Services | Current Connections for the website on which WSUS is hosted has more than 1000 connections, complete this step:

  • Open IIS Manager for the WSUS server.
  • Expand <Server name> and then Sites.
  • Select the site hosting WSUS.
    • If you aren’t sure, expand each site and look for the ClientWebService directory underneath it – that is the WSUS site the clients use.
  • With the site selected, click the Limits link in the toolbar on the right side.
  • Check the option Limit number of connections and change it to 1000 (or even smaller).
  • Click Ok to save the changes.
  • From an elevated command prompt, run IISReset to restart IIS.

Increase the ASP.NET timeout

  • Make a copy of \Program Files\Update Services\WebServices\ClientWebService\Web.Config.
  • Open \Program Files\Update Services\WebServices\ClientWebService\Web.Config.
  • Find the element “<httpRuntime”. It will look like this (in an unmodified web.config):
<httpRuntime maxRequestLength="4096" />
  • Modify httpRuntime by adding an executionTimeout attribute:
<httpRuntime maxRequestLength="4096" executionTimeout="3600" />
  • Save the web.config to a different location and copy the modified one into the directory.
  • From an elevated command prompt, run IISReset to restart IIS.

If you are running WSUS 3.0 SP2 on Server 2008R2 ensure you have installed:

  • KB2720211
  • KB2734608

If you are running WSUS 4.0 on Server 2012R2 ensure you have installed:

  • KB2919442
  • KB2919355
  • KB3095113
  • KB3159706

This will bring you from version 6.3.9600.16384 to 6.3.9600.18324

Others to try as well if you are still getting issues with WSUS 4.0 on 2012:

  • KB2919355
  • KB3048824-v2

For WSUS 4.0 make sure you enable ESD for Windows 10 Servicing after installing the above updates

Open CMD as Administrator and run:
"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
Then finally restart the WSUS services.

If you are running this on VMware, ensure you have VMTools installed as it will impact the performance greatly. 

If it is still not working then you are best off starting from scratch: remove WSUS, delete your WSUS files, database, WSUS IIS site and worker process. Ensure your OS is patched, install WSUS, then install the KBs above. You will probably still need to modify the worker process as well. Restart your server and initiate a sync.

Happy Troubleshooting!

Additional Information available here