Signing existing OS Configuration Discovery scripts

Very simply, this is an example of how to take existing configuration item discovery scripts that are present in a given Configuration Baseline and sign each of them.  This can be useful if you are importing scripts from the SCAP extensions etc..  Depending on your configuration item source, you may have several hundred scripts to sign.

Continue reading


Random Clients fail to download content (0x80070003)

******Update July 27 2017:  I have confirmed that the below issue is addressed via: KB4035759.  Thanks to all who helped! ******

This posts outlines an issue that I am seeing in Configuration Manager starting in 1702. I currently have a call open with MS and will update the post once the issue is resolved. I am currently aware of 2 environments with the issue and am posting this in case this is also an issue for others. If you have this issue in your environment, please shoot me a message with any cases you have open so Microsoft can see the commonalities in our environments.

Steps to Reproduce:
1. Issue occurs on newly built computers (this may be for the simple fact as they are installing the most software). We have reproduced the issue on computers built with our current gold image, last December’s gold image as well as using a new task sequence and VLSC ISO. Failure rates are around 20% so a minimum of 5 computers should be built. For our tests we built 15 computers total all in the same subnet.
2. Mass add computers to software deployment collections

Continue reading

Silent Scripted PNP Driver Installation

Occasionally, you may find the need to push a new driver to computers.  Perhaps a driver is causing BSOD issues or whatever the reason.  Since DotNet does not have a direct way to do this, you are usually left with depending on the driver publisher to include an silent installation method.  In reality this rarely happens.  You definitely don’t want to run around and manually install the drivers, and tools like Configuration Manager don’t have support for post OS deployment of drivers.

Continue reading

SAPIEN Powershell Studio – Scaling form contents when resizing

Update: June Blender  kindly reached out to the experts on this and provided the following method.

The anchor property defines that that the specified edge of the object should maintain its position in relation to its parent object on that edge.

This means that an anchor set to

  • None will float proportionally to the parent object
  • Left will maintain the number of pixels between the left side of the object and the left side of the parent object
  • Right will maintain the number of pixels between the right side of the object and the right side of the parent object
  • Top  will maintain the number of pixels between the upper edge of the object and the upper edge of the parent object
  • Bottom  will maintain the number of pixels between the lower edge of the object and the lower edge of the parent object

Continue reading

ConfigMgr Client Fails to Install: Unable to Compile UpdatesAgent.mof

We’ve had a couple of computers in the past being unable to re-install the Configuration Manager client due to the error:
“Unable to compile UpdatesAgent.mof”

This error can have a couple of different causes.

As such, here are a couple of steps you can try:

1. Reinstall the Windows Update agent.
2. Uninstall any existing ConfigMgr client, stop the ccmsetup service and delete c:\windows\ccm, c:\windows\ccmsetup and c:\windows\ccmcache folders
3. Run the following commands to delete the ConfigMgr namespaces completely from WMI:

Gwmi –query “Select * from __Namespace Where Name=’sms’” –NameSpace “root\cimv2” | Remove-WmiObject
Gwmi –query “Select * from __Namespace Where Name=’ccm’” –NameSpace “root” | Remove-WmiObject
Gwmi –query “Select * from __Namespace Where Name=’smsdm’” –NameSpace “root” | Remove-WmiObject

Since #3 is quite drastic, you will want to try steps 1 and 2 first before 3. However if attempting step 3, you will want to complete both steps 2 and 3 together. After this, the ConfigMgr client should successfully install.

Hopefully this helps!

Content Library Explorer – The Legacy Package Does Not Have Exactly One Content

I recently ran into an issue, where my Primary site server was running low on disk space. This turned into a general spring cleaning of the ConfigMgr environment. As part of the cleanup process, I wanted to check the distribution points for old or stale packages.

Microsoft has provided a toolkit for cleanup operations such as this:

Part of this toolkit is the Content Library Explorer. However, after aiming this at my distribution point, I was confronted with the following error:


Not exactly an insightful message. I did however find a useful thread regarding this issue:

Using the provided script, I happily identified 3 packages that were causing issues. I simply removed the extra old folders and redistributed these. The extra folders were now gone, but the error message remained.

After doing some more digging with procmon, I identified the verification steps the content explorer appears to make as well as 3 possible different problems which could lead to the above error message.

1. More than 1 data folder exists for a given package in the datalib subfolder of the SCCMContentLib folder. (This is addressed by the script in the link above)
2. There exists an ini file in the pkglib subfolder of the SCCMContentLib folder, but the associated ini file in the datalib folder is missing.
3. There are multiple content versions listed in the ini file located in the pkglib folder.

I have written the following function to test the SCCMContentLib folder for problems. Problems that are found by this script are fixable by removing any extra folders for the given package from the DataLib folder, removing the distribution point from the package, waiting for the files to disappear and redistributing the package to the distribution point.

Function Test-DPLegacyContent{

    #Calculate child folders
    $pkgdir = join-path -path $DPFolderPath -ChildPath 'pkglib'
    $datadir = join-path -path $DPFolderPath -childpath 'datalib'
    $childdatafolders = Get-ChildItem -Directory $datadir

    ForEach($file in (get-childitem -file $pkgdir)){
        $filecontent = Get-content $file.FullName
        $expectedcontent = $filecontent.split('`n')[1].replace('=','')
        if($expectedcontent -match $file.basename){
            #legacy package
            $packageID = $file.basename
            #Check for missing INI files
            if(!(test-path (join-path $datadir -ChildPath "${expectedcontent}.ini"))){
                [pscustomobject]@{'PackageID'=$PackageID; 'Error'="Ini file missing in datalib for $packageID"}

            #Check for mismatch in folder count
            [array]$matchingFolders = [array]($childdatafolders | Where{$_.Name -match $packageID})
            $foldercount = $matchingfolders.count
            if($foldercount -ne 1){
                [pscustomobject]@{'PackageID'=$PackageID; 'Error'="$foldercount folders found"}
        #Check for multiple content versions in pkg ini
        if(($filecontent.split('`n')[2].replace('=','')) -match $file.basename){
            [pscustomobject]@{'PackageID'=$PackageID; 'Error'="Multiple package versions found in pkglib ini"}

Test-DPLegacyContent -dpfolderpath '\\DPServer\d$\SCCMContentLib\'

To use this script, simply change the dpfolderpath parameter to the path of your SCCMContentLib.

SysJam Powershell RightClick Tool – Part 6 – Getting Running ConfigMgr Jobs with Powershell

One of the key functionality improvements I wanted to include in the Sysjam Powershell RightClick tool was realtime running job monitoring. There are few tools that don’t require you to click some type of refresh button to see the running jobs.

Part 1 of providing this functionality is the using powershell jobs combined with a timer object to polling any data on a refresh cycle and updating the form. I have covered this previously here

Part 2 of this is querying WMI for the status of each running jobs…and translating this to english.

This post will concentrate on Part 2

Continue reading

SysJam Powershell RightClick Tool – Part 5 – By-Passing User Logon Requirement for a Program

Most of the time when deploying software I’ll set the program to run only with the user logged off. This is to avoid situations when the user may have an older version of the application open when they receive the advertisement. For testing however, this can be a pain….which is why I included the “ByPass User Logon Requirement (Temporary)” button in the Sysjam Powershell RightClick tool. This button sets the requirement to “None” temporarily within WMI. The next time the system does a Machine Policy refresh this setting gets overwritten.
Continue reading

Installing DotNet 3.5 on Server 2012 R2 using an offline provisioned image

Consider the following situation:

You have a custom captured wim of Windows Server 2012 R2 that was built before August 2014.
This wim has served you well, but the amount of updates required on servers built by this image means you want to update this image. In this case, you use the offline servicing SCCM feature to update your image.

You also have a task sequence which installs DotNet 3.5 offline, and you are using this task sequence with standalone media.
You use the following command to do this:
Dism /online /enable-feature /featurename:netfx3 /norestart /all /source:D:\Source\sxs
Continue reading

WSUS/SCCM – Tracking Down Updates with Failed Eula Downloads

By running the report “Troubleshooting 1 – Scan errors” you can identify some errors which may be preventing computers in your environment from properly reporting compliance for Windows Updates.

One of the errors you may see in here is -2145124301 which translates to “License terms could not be downloaded”. If there are large numbers of computers reporting this error, you may have an issue with a specific update. Continue reading

SysJam Powershell Right Click Tool – Part 1 Introduction

Late yesterday, I was able to post a copy of the SysJam powershell right click tool for Microsoft System Center Configuration Manager clients on codeplex! You can download it here
Continue reading

MSIExec – Some Installations fail when run from a Configuration Manager Task Sequence

When using MSIExec in a Configuration Manager task sequence, you may receive the following error in a verbose MSI log if your task sequence step is set to “Run this step as the following account”:

MSI (s) (8C:04) [11:15:25:812]: SECREPAIR: New Hash Database creation complete.
MSI (s) (8C:04) [11:15:25:812]: SECREPAIR: A general error running CryptAcquireContext
MSI (s) (8C:04) [11:15:25:812]: SECREPAIR: Crypt Provider not initialized. Error:-2146893788
MSI (s) (8C:04) [11:15:25:812]: SECUREREPAIR: Failed to CreateContentHash of the file: vcredist.msi: for computing its hash. Error: -2146893788
MSI (s) (8C:04) [11:15:25:812]: SECREPAIR: Failed to create hash for the install source files
MSI (s) (8C:04) [11:15:25:812]: Note: 1: 2262 2: SourceHash 3: -2147287038 
MSI (s) (8C:04) [11:15:25:812]: SECUREREPAIR: SecureRepair Failed. Error code: 80090024F54B34B8
Action start 11:15:25: ResolveSource.
MSI (s) (8C:04) [11:15:25:812]: 
The profile for the user is a temporary profile.

Continue reading

Report for Collections using Delta Discoveries (Incremental Updates)

I am not going to go into the details of using SQL reporting services….there are other blogs who discuss this much more detail than I can do justice.

Simply, I am using the following SQL query in my dataset to report this setting:

v_Collections.Flags IN (4, 6, 4100)

Continue reading

Software Update Scan fails with error 0x80004005

I ran across an issue this morning where Windows Updates were not getting deployed to a client. I checked the reports, and found that the client was not reporting any missing updates. Additionally, not updates were waiting to install in Software Center. However I knew this client was not working, simply based on the update install time stamps. The first thing I check was policy. The client appeared to have a recent policy and was getting applications and programs. The execmgr.log was also clean. Next, I was suspicious of the scan agent. When I checked the ScanAgent.log, I found the error 0x8004005. Additionally, I found the following error in the WUAHandler.log:

Failed to Add Update Source for WUAgent of type (2) and id ({C895843B-710B-41E6-AE3B-0C6DB4D52BD7}). Error = 0x80004005.
Continue reading

Waiting for Running Windows Update Scan Jobs

I’ve seen numerous places on the internet where it is suggested to do something like:

Start-Sleep -s 300

after running an extra Windows Update scan job in a task sequence (this is to work around issues where Windows Updates may still be available on a newly imaged computer which is caused by cached scan results).

Continue reading