All Activity

@anyweb please share the 2007 sp2 files with me too 😔

When comparing OS deployment bare metal task sequence times between Windows 11 24H2 and Windows 10 22H2 I could see that 24H2 was considerably slower even though the task sequences were almost identical other than the OS being laid down on the device. I did a timing comparison and noticed two things in particularly that were taking considerably longer on the 24H2 device: 1) reboot tasks 2) time to finish up the task sequence work after the last step. For reboot tasks, I can see that the delay is between these two events in the SMSTS.log log: Waiting for policy to be compiled in 'root\ccm\policy\machine' namespace and Policy verification done within the OSDSetupHook component. On the Windows 10 device the time between those log entries was 1 second, but on Windows 11 24H2 those log entries vary, but it's usually around 2 minutes. At the end of the task sequence, after executing the last task, following The task execution engine successfully completed the current task sequence step smsts.log entry to when the smsts.log stops being written to, it takes 14 seconds for the Windows 10 device, but it takes 4:29 seconds for the Windows 11 device. The delays are similar, between these two events in SMSTS.log (see attached screen shot): End Task Sequence policy cleanup and Policy evaluation initiated within the TSManager component. Any reason policy work should take considerably longer on Win11 24H2? Any suggestions on where I can look to see as to why it's taking such a longer time to deal with policy work in 24H2? Is this a Win11 24H2 issue, a ConfigMan issue, or ConfigMan configuration issue? I am welcome to entertain any thoughts or suggestions folks have. Anyone else seeing this issue in their environment? Environment details: CM 2503 (5.0.9135.1000) without KB33177653 or KB34503790 installed. Windows 11 = 24H2 customized reference image built from August 2025 ISO. ADK = 21H2 (10.1.22000.1).

Create a cert template from existing working template from your CA and name it "XXXXX.INF" on the ca - copy to server that needs the cert SAVE IT WITH THE SERVER NAME. MAKE SURE IT'S AN .INF FILE. Create the REQ from the INF on the local server Open the INF file and replace the server template has “XXXXXX” for server name, replace with the with the server name you are working on. - open CMD as admin, navigate to where you put the XXXXX.INF example below Example: CMD.exe --> C:\temp\Certificate>certreq -new yourservername.inf yourservername.req Copy the XXXXX.req File to your Primary CA, now you want to submita new request. Open the Certification Authority console Click start type in CA and Certificate Authority should appear “Run as Admin” Right-click the CA → All Tasks > Submit a new request Select the XXXXX.req file and save it as a .CER file Example XXXXX.cer Now copy the XXXXX.cer file back to the server that needs it, and import it to the Computer\Personal Store. Trying running your ccmsetup.exe /install /mp blah blah blah I would try to get networks to open up ports to the CA from all subnet in that domain and ports that SCCM needs to communicate with. ports needed Kerberos 464 Certificate Enrollment Web Services Domain Controllers (DC) Allow Source Certificate Enrollment Web Services - Destination : DC LDAP 389 Certificate Enrollment Web Services Domain Controllers (DC) Allow Source Certificate Enrollment Web Services - Destination: DC Service: LDAP (network port tcp/389) LDAP 636 Certificate Enrollment Web Services Domain Controllers (DC) Allow Source Certificate Enrollment Web Services Service: LDAP (network port tcp/636) DCOM/RPC Random port above port 1023 · Certificate Enrollment Web Services CA Allow Please see for details on RPC/DCOM configuration: http://support.microsoft.com/kb/154596/en-us HTTPS 443 All clients requesting certs Certificate Enrollment Web Services Allow CERT INF Example Below: Example: [Version] Signature="$Windows NT$" [NewRequest] Subject = "CN=XXXXX, OU=XXX, O=XXX, L=STATE, S=CITY, C=US" <----needs hostname - no fqdn of server you need KeySpec = 1 KeyLength = 2048 Exportable = TRUE MachineKeySet = TRUE SMIME = FALSE PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [Extensions] 2.5.29.17 = "{text}" _continue_ = "dns=XXXXX.company.com" <---needs FQDN 2.5.29.37 = "{text}" _continue_ = "1.3.6.1.5.5.7.3.2" ; Client Authentication [RequestAttributes] CertificateTemplate = ConfigMgrClientCertificate DisableExtensionsList = "2.5.29.31,1.3.6.1.5.5.7.1.1" Hope this helps!

You and me both, the SW is 18 years old and nothing is supported anymore. Even 2012 is 13+ year old now and nothing is supported either. It just doesn't make any sense.

I wan't testing in homelab how to deploy windows xp and windows 7 with programs. I build at home a retro server farm just for learning old network system's. Thank u if u supporting me with sccm 2007 prerequisites files. My favorite windows server's is:windows server 2003; 2008; and 2008 R2 only.

i'm curious, why are you guys installing such an old unsupported version of SCCM like this today anyway, can you please enlighten me ?

I sent pm to you too. Thank you for help.

Thanks sir for your Revert. i have tried the script.whole client went wrong. i have tried again few steps more. This strange think i only noticed in Dell Latitude 5520 1. Uninstall SCCM_Client and install again.

it looks to me like the update is failing on your clients, have you tried troubleshooting that ? I don't think this is an SCCM problem but a client problem. I asked copilot what it thought about the error given above and it came up with this script which does the following:... Renames Spupdsvc.exe to prevent interference. Stops Windows Update services. Renames update cache folders (SoftwareDistribution and Catroot2). Restarts update services. Runs sfc /scannow to fix system file corruption. Runs DISM /RestoreHealth to repair the Windows image. Prompts you to manually download KB5063875 if needed. Right-click the .bat file and choose "Run as administrator". Let it complete all steps (may take several minutes). Restart your PC and try installing the update again. fix_update_error_0x8024000B.bat

I asked copilot, and here's the summary of it's answer: For a 12 TB upload to Azure Blob Storage, your main costs will be: Storage tier cost (Hot: $220/month, Cool: $122/month, Archive: $24.50/month) Write operations (~$9–$22 depending on tier) No cost for uploading (data ingress)

We are planning to transfer a large amount (12TB) of data from AWS S3 to Azure Blob storage. There are close to 60million objects to deal with and we are planning to use a tool <product name removed> for the same. Before proceeding, we want to estimate the transfer cost. Are there any 'write costs' to Azure blobs? We are aware of egress cost from AWS S3, but to calculate the complete end-to-end cost, we need to understand are there are any write operation costs during the transfer

.

SCCM Software Updates - KB5063875 In software Centre 2025-08 Cumulative Updates for Windows 11 Version 22H2 for x64 (KB5063875) is keep on installing and system is restarting again and again. It is happening to few devices only Control Panel - system updates View Can any one help

Hi sir, i am Looking a script for Repair option in xxxx.Exe file.

Thanks for the reply, and yes that's the case, due to which i am unable to use the database configured in it and SUP

this is odd, so are you saying that in Windows File Explorer that you cannot browse the D:\ drive at all ? if that's not what you mean then please explain what "when accessed directly from the system" means.

I am facing an issue with our SCCM environment. Please find the details below: SCCM Version: 2403 License Model: 3-year subscription (renewable yearly) License Renewal: Expired last year. I renewed my license last month. However, since my previous environment is in production, I did not proceed with setting up a new environment. Issue Summary: The D: drive on our SCCM server, which is configured for both the SCCM database and SUP, is showing “Access is denied” when accessed directly from the system. The same D: drive works normally when connected to another workstation. Attempts to take ownership of the drive result in the same “Access is denied” error. This issue is isolated to the SCCM server only. Impact: High – as the D: drive hosts both the database and SUP, no updates are currently being distributed to clients. Troubleshooting Performed: Verified drive connectivity. Attempted to reassign ownership of the drive → failed with “Access is denied.” Tested drive functionality on another workstation → works without issues. Could anyone investigate and advise on the root cause and next steps?

What I want in my TS, is to run my PS and it should display it in my Collection as Value and can see there the Result. Have you any Idea how I can realize it?

when you create a custom variable in the collection, you assign a value to it, eg: CheckOutput = 100 In your task sequence, you CHECK for the value of the CheckOutput variable and act accordingly. For example you can have a step or group that checks if CheckOutput = 100 and if so it runs, if not, it does not run that step or group. Does that make sense ?

Introduction In the previous post I showed you what happens when a user or admin reset’s Windows after the August 2025 cumulative update (KB5063875) , basically the reset fails (rolls back). That problem can be fixed by applying an out of band update which can be deployed manually or automatically to affected clients. In this post I’ve once again teamed up with my buddy Paul to automate fixing this reset problem using Windows Autopatch in Microsoft Intune. It has a feature to Expedite updates. We’ve both tested this in our separate labs and are happy to share the results with you so that you too, can fix this in an automated way using Windows Autopatch. Expediting updates As the name sounds, this allows us to expedite (rush) updates to an Entra ID group containing our target computers, and this method can be used to get Quality Updates including Out of band updates to your devices via Windows Autopatch. There are some prerequisites, listed below: Devices meet the prerequisites for Windows Autopatch. Devices installed the update described in KB4023057 – Update for Windows 10 Update Service components (or a newer version). To verify that your devices meet the prerequisites for receiving an expedited update, use the Readiness test for expediting updates. Let’s create our Expedite updates policy. In Intune, browse to Devices, Windows Updates and select Quality Updates. In the Create + drop down, select Expedite policy. Give the policy a suitable name and description. In the Select the quality update you would like to expedite, select the 08/26/2025 D Update for Windows 10 and later option. If you are wondering what the D Update and B Security Updates are, here’s an explanation. B updates Released on the second Tuesday of each month (commonly called Patch Tuesday). These are the mandatory, cumulative updates that include security fixes and sometimes reliability improvements. D updates Released on the fourth week of the month (usually the preview releases). These are optional, non-security preview updates. They contain fixes and improvements that will roll into the next month’s B update. to summarize… B = Security & required (Patch Tuesday) D = Optional preview (late month, contains fixes but no new security fixes) So, as we already have deployed the August Cumulative update that would be the B update. We definitely need the fixes (out of band) that came after that and that would be the contained in the D updates. Finally, if a reboot is required (and it is required), decide on how many days before it’s enforced, so we’ll set it to 0 days. After clicking Next, select the group(s) you want to target with these out of band updates. Don’t worry about the fact that there’s no devices in that group yet, we’ll add them as needed later. Click Next and the policy is created. Finally, when you are ready to test this add one or more devices to the target Entra Id groups. After the device gets the policy, and as long as there are no policy conflicts your end users should be notified about the pending restart. After the restart is completed, you can verify Windows update settings, and view the history. The latest OOB (Out of band) update should be installed and as it’s also cumulative it will contain the fix to allow Windows reset to work again. Job done! Summary While this ability to expedite updates in Windows Autopatch is welcome, it’s far from perfect. There are several problems, which we’ll list here: Speed of delivery. The blurb from Microsoft claims the following, highlighted below But in several VM’s where myself and Paul tested, the expedited update arrived in an anything but their claimed speed. In reality, the update took several hours to approx one day and numerous syncs on the clients and in the Intune console before we saw the popup. On some vm’s we are still waiting for the magic to happen even though all the prerequisites are in place. Update: We got a reply from Peter Braune on Twitter, who stated the following, it may help you if you are going down this path. We actually had to create a policy via settings catalog “Automatically receive optional updates”, to get this update rolling out to clients. Once the policy was in place the update was installed immediately. Downside, preview updates being rolled out automatically too. Lack of ability to target a specific hotfix. You you can only choose between B or D updates and hope that they include the fix you need. What we really wanted was to be able to specficially install KB5066189, but that’s not possible currently with this method via the console. Lack luster reporting. If you want to see what’s happening with your expedited update in real time then you are out of luck. Of the several machines we targeted the reporting suggested nothing was wrong, which in a way was true because nothing was happening. And that’s the problem, how can you quickly determine whether your hotfix is applied or not to these target devices ? Policy conflicts. After enabling Expedited updates, you might end up troubleshooting policy conflicts on your target devices if your tenant has had the following installed. Windows Autopatch – Office Update Configuration – Expedited (Expedited updates for CVE-2023-23397). Hopefully Microsoft is listening and will improve this service going forward. That’s it from us, see you in the next one.

Hi, I have Power Shell script a want to run in simply Task Sequence. the script should be output to file or to a output to a task sequence variable. my Collection What I want, it should show the result or the output of my PS script here on the Collection. Is there any way to do that? Regards

Just for Clarity, you are looking for a PowerShell script to update each application with a Repair option? What have you tried so far? what is not working for you?

most of Most of my applications are in .ExE