Leaderboard

Introduction This multi-part guide will show you how to install the latest baseline version of Configuration Manager from Microsoft. The latest available baseline version is System Center Configuration Manager (Current Branch) version 1902 as of April the 10th 2019. I blogged how to upgrade to 1902 here. This guide is aimed a new installations of SCCM. Baseline media is used to install new ConfigMgr sites or to upgrade from supported versions, for more information about baseline media please see my blog post here. Note: The SCCM 1902 Current Branch media is not yet available on MSDN or VLSC. When the new baseline media is released I'll update this note. This series is broken down into the following parts:- Part 1 - Get the lab ready, configure ADDS Part 2 - Join CM01 to Domain, add users, create the Systems Management container, delegate permission Part 3 - Role and Feature installation, installation of WDS and ADK Part 4 - Configure and install SQL Server 2017 (This part) Part 5 - Configure and install SCCM 1902 Current Branch Part 6 - Post configuration You can use this multi-part guide to get a hierarchy up and running on Windows Server 2019 using SQL Server 2017. The concept behind this is to guide you through all the steps necessary to get a working Configuration Manager Primary site installed (for lab use) using manual methods or automated using PowerShell. This gives you the power to automate the bits that you want to automate, while allowing you to manually do other tasks when needed. You decide which path to take. PowerShell knowledge is desired and dare I say required if you are in any way serious about Configuration Manager. I will show you how to do most steps via two methods shown below, it's up to you to choose which method suits you best but I highly recommend automating everything that you can, using PowerShell. Method #1 - Do it manually Method #2 - Automate it with PowerShell Downloads The scripts used in this part of the guide are available for download here. Unzip to C:\Scripts. The scripts are placed in the corresponding folder (Part 1, Part 2 etc) and sorted into which server you should run the script on (DC01 or CM01). Scripts.zip Step 1. Install SQL Server 2017 Note: Perform the following on the Configuration Manager server (CM01) as a Local Administrator, I'd suggest you logon as the username matching your name. Method #1 - Do it manually In this section you will install SQL Server 2017 CU14 which is the latest supported version of SQL Server that is compatible with SCCM 1902 Current Branch as of 2019/4/16. For details about which versions of SQL Server are supported with different site systems in ConfigMgr, please see this page. Before starting, please configure the firewall as described in https://go.microsoft.com/fwlink/?linkid=94001 to allow access to SQL Server through the firewall. You can do this by executing the following command as local administrator on the CM01 (ConfigMgr) server. netsh advfirewall firewall add rule name = SQLPort dir = in protocol = tcp action = allow localport = 1433 remoteip = localsubnet profile = DOMAIN After configuring the firewall, browse to the drive where the SQL Server 2017 media is, and run setup.exe. The SQL Server Installation Center wizard will appear. Click on Installation and then choose New SQL Server standalone installation or add features to an existing installation. Enter the Product Key or use the evaluation version if that's what you want to use. Note: The product key will be automatically filled in for licensed media downloaded from Microsoft Volume Licensing Service Center. Accept the EULA Make your Microsoft Update choices and review your Install rules, as long as you've opened the correct port for SQL you'll be ok and can safely ignore the Warning about the Firewall. select the SQL server instance features you need (at least Database Engine Services) and if necessary change the drive letter where you intend to install it And configure the Instance Configuration or just leave it as default Verify the Service Accounts settings and for Collation (click on the Collation tab in Server Configuration), make sure the collation is set to SQL_Latin1_General_CP1_CI_AS For Database Engine Configuration, click on Add Current User After configuring Data Directories, TempDB and Filestream settings you are ready to install Click on Install to start the installation of SQL Server 2017, and once it's completed, click Close. Next download and install the following: SQL Server 2017 Cumulative Update 14. SQL Server 2017 SSMS here. SQL Server 2017 Reporting Services. Method #2 - Automate it with PowerShell Note: Make sure your SQL Server 2017 media is in the drive specified in the script or edit the script to point to the new location of the media. The script set's the installation path pointing at D:\MSSQL if you want to install SQL somewhere else please change the variables as appropriate. To install SQL Server 2017 use the Install SQL Server 2017.ps1 script. The script will create a ConfigurationFile.ini used to automate the installation of SQL Server 2017, and after it's installed the script will download the SSMS executable (Management Studio) and install it. Then it will download Reporting Services and install it. If either of the EXE's are in the download folder, it will skip the download and just install. SQL Server no longer comes with the Management Studio or Reporting Services built in, and they are offered as separate downloads, don't worry though, my PowerShell script takes care of that for you. 1. Extract the scripts to C:\Scripts on CM01 and load the Install SQL Server 2017.ps1 script located in C:\Scripts\Part 4\CM01 2. Edit the variables [lines 17-81] as desired before running. 3. Logon as the user specified in line 20. 4. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle. Done ! That's it for this part, please join me in Part 5 where we Configure and Install System Center Configuration Manager 1902.

it's up now !

In March 2017 I blogged a method to allow you to forcefully upgrade your Windows 10 (or Windows 7) computers to the latest version of Windows 10 using a popup (HTA) that gives the user some form of control (5 deferrals). This was very popular and spawned different versions of the same original concept by other MVP’s and the community at large. I always wanted to update mine, but never had time, however what I have done is incorporate bug-fixes and features, and rewritten the original VBS wrapper code to PowerShell. In the next version I’ll replace the HTA with a PowerShell gui. So how about listing the features of this solution. Designed to run as required Runs before the task sequence starts Shows the user a popup with options Can run on Windows 7 or Windows 10 Allows deferrals After deferrals run out, starts a 4 hour timer If the user ignores the popup, subtracts one deferral after 8 hours Checks for Power Checks for hard disc free space Checks for Supported Model Checks for VPN Is easy to Brand with your company details Has several checks to ensure it won’t run by accident So that’s enough of the features, here’s a look at what it will look like to the end user running either Windows 10 or Windows 7. Time to upgrade In the above screenshot, the user sees the popup daily at a time that you decide eg: 11am. The user has a number of choices: Upgrade now by clicking on the box ‘my files are backed up’, and then selecting Upgrade now Upgrade later by clicking on Defer Cancel, by clicking on the X in the top corner, this will remove one deferral. Note that this verifies how many deferrals are left and if there are none left, will start the task sequence Do nothing. The popup will auto close after 8 hours and remove one deferral. Kill it with Task Manager, this will remove one deferral. If the user runs out of deferrals the 4 hour timer will start. If the user still does nothing, when the 4 hours runs out the task sequence will begin. They can of course click the checkbox and select Upgrade now to start it at any time. Branding So how can you add your branding to it ? start with the banner.png. Open it in MSPaint and replace the windowsnoob logo with your own, try and keep it to 500×65 pixels otherwise you’ll need to edit the Upgrade.HTA code also. Next, open the wrapper.ps1 in PowerShell ISE. Edit CompanyName in line 15 to suit your Company Name. Save the changes, next, open upgrade.hta in Notepad ++. Edit CompanyName in line 50 to suit your company name. edit line 395, and put your company name in Troubleshooting The popup creates 3 log files in C:\ProgramData shown below Windows10RequiredUgradeHTA.log Windows10RequiredUgradeWrapper.log Windows10RequiredUpgradeStart-Upgrade.log The process creates registry keys (and deletes them upon successful closure of the HTA before starting the task sequence). For more details about how to set this up in your environment, please see the following blogpost. I’ve updated that blogpost to include the new files and the PowerShell wrapper.ps1. Note: To download the files included, you need to be a registered member of windows-noob.com cheers niall

Thank you. Really great guide!

Introduction This multi-part guide will show you how to install the latest baseline version of Configuration Manager from Microsoft. The latest available baseline version is System Center Configuration Manager (Current Branch) version 1902 as of April the 10th 2019. I blogged how to upgrade to 1902 here. This guide is aimed a new installations of SCCM. Baseline media is used to install new ConfigMgr sites or to upgrade from supported versions, for more information about baseline media please see my blog post here. This series is broken down into the following parts:- Part 1 - Get the lab ready, configure ADDS Part 2 - Join CM01 to Domain, add users, create the Systems Management container, delegate permission Part 3 - Role and Feature installation, installation of WDS and ADK Part 4 - Configure and install SQL Server 2017 Part 5 - Configure and install SCCM 1902 Current Branch Part 6 - Create device collections (This part) Part 7 - Configuring discovery Part 8 - Configuring boundaries You can use this multi-part guide to get a hierarchy up and running on Windows Server 2019 using SQL Server 2017. The concept behind this is to guide you through all the steps necessary to get a working Configuration Manager Primary site installed (for lab use) using manual methods or automated using PowerShell. This gives you the power to automate the bits that you want to automate, while allowing you to manually do other tasks when needed. You decide which path to take. PowerShell knowledge is desired and dare I say required if you are in any way serious about Configuration Manager. I will show you how to do most steps via two methods shown below, it's up to you to choose which method suits you best but I highly recommend automating everything that you can, using PowerShell. Method #1 - Do it manually Method #2 - Automate it with PowerShell Downloads The scripts used in this part of the guide are available for download here. Unzip to C:\Scripts. The scripts are placed in the corresponding folder (Part 1, Part 2 etc) and sorted into which server you should run the script on (DC01 or CM01). Scripts.zip Step 1. Create device collections Note: Perform the following on the Configuration Manager server (CM01) as a Local Administrator In this part you'll create some device collections to prepare your lab for Servicing Windows 10, whether using WAAS (Windows As A Service) or using the Inplace Upgrade (IPU) Task Sequences built into ConfigMgr. The collections created include some based on the recently released Windows 10 version 1903. Method #1 – Do it manually You can create collections using the ConfigMgr console and clicking your way through the wizard, you'll need to add membership queries to populate the collections, and include Include or Exclude rules as appropriate. To create collections manually open the Assets and Compliance node and select Device Collections. Right click on Device Collections and choose Create Device Collection. In the wizard that appears give the collection a name, eg: All Windows 10 and limit it to another existing collection by clicking on Browse and selecting an existing collection to limit to for example All Systems. A limiting collection decides what collection members of this collection must be in first in order to appear within this collection. Next you decide how you want the collection to populate with members, the most common method of populating a collection is to use a query, so click on the Add Rule drop down box and selct Query Rule. Doing so brings up the Query Rule properties screen, give the query a suitable name such as All Windows 10. Next click on Edit Query Statement and then select Show Query Language Note: In a production environment be very careful about editing query statements on 'live' collections that have Task Sequences, Packages or Applications deployed to them, otherwise you can have unintended results by making a mistake with the query. In the Query statement properties screen, remove the current query (which basically selects EVERYTHING in your environment) and in its place, paste in a working (known good) query, for example for All Windows 10 use the following query. select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where (SMS_R_System.OperatingSystemNameandVersion = 'Microsoft Windows NT Workstation 10.0' or SMS_R_System.OperatingSystemNameandVersion = 'Microsoft Windows NT Workstation 10.0 (Tablet Edition)') Click OK to close the Query Rule Properties screen. Next you can optionally adjust the membership schedule by clicking on Schedule. Click your way through the rest of the wizard, once done, the All Windows 10 collection will appear. Repeat the above process to add all your other desired collections for Windows 10 and WAAS. Method #2 – Automate it with PowerShell To automate the creation of a bunch of device collections simply run the CreateDeviceCollectionsWindows10.ps1 Powershell script by starting PowerShell ISE as an Administrator on the ConfigMgr server (CM01). awesome ! Below you can see the script has run And after refreshing the console, all the new collections (with queries added) appear. Please join me in Part 7 where we'll configure discovery.

ok well i gues i'll have to revert my lab to that step to determine what your blocker is.

Introduction At the start of this series of step by step guides you installed System Center Configuration Manager (Current Branch), then you configured discovery methods. Next you configured boundaries to get an understanding of how automatic site assignment and content location works. After that you learned how to update ConfigMgr with new features and fixes using a new ability called Updates and Servicing and you learned how to configure ConfigMgr to use Updates and Servicing in one of these two modes: Online mode Offline mode To prepare your environment for Windows 10 servicing (this guide) you learned how to setup Software Updates using an automated method (via a PowerShell script) or manually using the ConfigMgr console. Next you used a PowerShell script to prepare some device collections, then you configured client settings for your enterprise and finally you'll deployed the ConfigMgr client agent using the software updates method which is the least intensive method of deploying the Configuration Manager client agent. As System Center Configuration Manager (current branch) is being delivered as a service now, version 1602 was made available (March 11th, 2016) and you used Updates and Servicing to do an in-place upgrade to that version as explained here. Next you learned about how to use the Upgrade task sequence to upgrade your Windows 7, Windows 8 (and 8.1) and even your Windows 10 devices to a later build of Windows 10. You then learned about the new Windows 10 servicing features which use Servicing Plans in ConfigMgr (Current Branch). Next you integrated MDT 2013 update 2. MDT integration with ConfigMgr is useful as it provides additional functionality for operating system deployment scenarios such as Offline Language Package installation or User Driven Integration (UDI). Next you learned how to deploy Language Packs offline for Windows 10. To assist with Windows 10 servicing and for applying appropriate software updates to your Windows 10 devices, you used PowerShell to add queries to the various Windows 10 collections. Next you took a deeper look at the Windows 10 Upgrade task sequence, and learned one way of dealing with potential upgrade issues. While that method will flag a problem, such as determining the system UI language doesn't match the provided media, it won't allow you to continue with the upgrade. Next you learned how to upgrade the operating system when a language pack was installed, provided that the system UI language is from a 'list' of approved languages that you intend to support. This guide will show you how to display customized messages to a user during a task sequence, and how to set an exit code which could allow you to deliberately fail an action if necessary. All that's required is a few steps to set variables, a PowerShell script, and the serviceUI.exe executable from MDT 2013 Update 2. Step 1. Create a package On your ConfigMgr server, in the sources share, create a folder called Display Custom Message and place the DisplayCustomMessage.ps1 PowerShell script available in the downloads section of this guide, in the folder. Even though you might be deploying an X64 operating system, locate, select and copy the x86 architecture version of ServiceUI.exe from the Sources\OSD\MDT\MDT2013u2\Toolkit\Tools\x86 folder into the Display Custom Message folder as shown below. In the ConfigMgr console, Software Library, select Packages and right click, choose Create Package. Fill in the following details, Choose Do not create a program and then continue through the wizard until completion. Once the package is created, right click the package and choose Distribute Content. Distribute the package to your distribution points. Step 2. Create a custom task sequence In the ConfigMgr console, in Software Library, select Operating Systems and right click on Task Sequences, choose Create Task Sequence. select Create a new custom task sequence give the task sequence a suitable name such as Display Custom Messages with exit codes continue through that wizard until completion. Step 3. Edit the task sequence Right click on the newly created task sequence and choose edit It will appear blank, click on the Add Drop down and add a New Group called Display Custom Message Create a new Set Task Sequence Variable step called Set Title with a Task Sequence Variable called Title, with a suitable value as follows: Create a new Set Task Sequence Variable step called Set Message with a Task Sequence Variable called Message, with a suitable value as follows: Create a new Set Task Sequence Variable step called Set ReturnCode with a Task Sequence Variable called ReturnCode, with a suitable positive value as follows: Click Add and choose Run Command Line, name the step Display Custom Message and paste in the following: ServiceUI.exe -process:TSProgressUI.exe %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -nologo -file DisplayCustomMessage.ps1 For Package, select the Display Custom Message package created above. Copy the entire group and paste it below the first group Edit the Set Message step as below Edit the Set ReturnCode step, and choose a value that the Options tab on the Display Custom Message step is not going to expect such as 1, this will cause the next step to fail when it returns the return code. Apply your changes and exit the Task Sequence wizard. Step 4. Deploy the task sequence Right Click on the task sequence and choose Deploy Choose a suitable collection and use a purpose of Available. Step 5. Review the capabilities On a client computer that is in the collection that the task sequence was deployed to, open Software Center and select the Display Custom Message with exit codes task sequence. choose Install and after a few moments the first popup message appears ! As the ReturnCode for the first message was set to a value we expected (0 or 3010) it did not fail the task sequence. Click OK to continue... the next message appears, note the different text, and it's hinting towards what will happen Clicking OK will produce the failure Which is OK because we were expecting it, in fact, the ReturnCode we set (1) is listed in the failure message. In a real Production task sequence however, you'd take care of failures and deal with them in a professional way, I just want you to see that we can actually set the ReturnCode via the custom message. To get more proof of that refer to the SMSTS.log file, and you can see that it's setting the ReturnCode to the value we chose result ! Summary Popping up messages to users during a task sequence is sometimes necessary, and when things go wrong, you sometimes need to fail the task sequence or set a ReturnCode to do a planned action. This guide helps you do both of those things dynamically. Related Reading Task sequence steps in System Center Configuration Manager - https://technet.micr...y/mt629396.aspx If you'd like to send a notification message to users in Intune in Azure, try the following guide. Downloads You can download a Microsoft Word copy of this guide here dated 2016/05/26 How can I display custom messages to users during a task sequence in SCCM Current Branch.zip You can download the PowerShell script used above here: DisplayCustomMessage.zip\

hi thanx for this

I've seen errors configuring the SQL Server memory when you are logged on as the wrong user, make sure you are logged on as the domain\user specified in the script, look at line 20... I think the user must be a SA to do the sql server memory change, but can't remember, please verify what user you are running this as... and i don't think domain\administrator is a SA....

That is because CM's SQL requires 8 GB of RAM for itself as a bare min. You will never get CM up with just 4 GB of ram, you will need at least 10GB

Fantastic write up! When do you sleep honestly? It's very encouraging to see on prem, sccm cloud continue to developer further and further, especially when your livelihood depends on it!

Thanks for these guides! I've "inherited" a ConfigMgr setup already in production, and I've built a lab before from Johan's Hydration Kit, but I wanted to got through building everything step-by-step to get an good grasp on everything that's going on.

Amazing documentation as always!

Introduction At the start of this series of step by step guides you installed System Center Configuration Manager (Current Branch), then you configured discovery methods. Next you configured boundaries to get an understanding of how automatic site assignment and content location works. After that you learned how to update ConfigMgr with new features and fixes using a new ability called Updates and Servicing and you learned how to configure ConfigMgr to use Updates and Servicing in one of these two modes: Online mode Offline mode To prepare your environment for Windows 10 servicing you learned how to setup Software Updates using an automated method (via a PowerShell script) or manually using the ConfigMgr console. Next you used a PowerShell script to prepare some device collections, then you configured client settings for your enterprise and finally you'll deployed the ConfigMgr client agent using the software updates method which is the least intensive method of deploying the Configuration Manager client agent. As System Center Configuration Manager (current branch) is being delivered as a service now, version 1602 was made available (March 11th, 2016) and you used Updates and Servicing to do an in-place upgrade to that version as explained here. Next you learned about how to use the Upgrade task sequence to upgrade your Windows 7, Windows 8 (and 8.1) and even your Windows 10 devices to a later build of Windows 10. You then learned about the new Windows 10 servicing features which use Servicing Plans in ConfigMgr (Current Branch). Next you integrated MDT 2013 update 2. MDT integration with ConfigMgr is useful as it provides additional functionality for operating system deployment scenarios such as Offline Language Package installation or User Driven Integration (UDI). Next you learned how to deploy Language Packs offline for Windows 10. To assist with Windows 10 servicing and for applying appropriate software updates to your Windows 10 devices, you used PowerShell to add queries to the various Windows 10 collections. In this post you'll take a deeper look at the Windows 10 Upgrade task sequence, and see one way of dealing with potential upgrade issues. The idea here is to keep track of any upgrade failures, capture the logs that matter, capture the computer name and hardware type. If you see repeated 'common' failures you can add those error codes to the Windows Setup compatibility scan PowerShell script. This way your users that do experience failures will not get cryptic error messages, and you'll have the logs to fix things. Step 1. Create a share to store failed upgrade log files As you'll want to keep track of potential problems, create a hidden share to store log files. On your configuration manager server, start Windows PowerShell ISE as Administrator, and run the create upgradelogs.ps1 PowerShell script available in the downloads section at the end of this guide. Step 2. Create a package On your ConfigMgr server, in the sources share, create a folder called Windows setup compatibility scan results and place the WindowsSetupCompatibilityScanResults.ps1 PowerShell script in the folder. Locate, select and copy ServiceUI.exe from the Sources\OSD\MDT\MDT2013u2\Toolkit\Tools\x86 folder as shown below. paste that into the Windows setup compatibility scan results folder. In the ConfigMgr console, Software Library, select Packages and right click, choose Create Package. Fill in the following details. Choose Do not create a program and then continue through the wizard until completion. Step 3. Distribute the package Right click the package and choose Distribute Content. Distribute the package to your distribution points. continue through that wizard until completion. Step 4. Edit the existing upgrade task sequence In a previous guide you created the Upgrade task sequence, now it's time to add additional functionality to that task sequence. In the ConfigMgr console, locate the Upgrade to Windows 10 x64 version 1511 task sequence, right click on it and choose Edit. In the Prepare for Upgrade group select the Check Readiness for Upgrade step and click on Add then select New Group, name the new group Set Variables. Create a new Set Task Sequence Variable step called Set Server as follows: Create a new Set Task Sequence Variable step called Set Share to UpgradeLogs$ as follows: Create a new Set Task Sequence Variable step called Set Domain (fill in your domain name) as follows: Create a new Set Task Sequence Variable step called Set User and enter a username that will be used to connect to the share as follows: Next create another New Group and call it Windows Setup compatibility scan Next click on Add, choose Images, then Upgrade Operating System and name the step Windows Setup compatibility scan. Select the Perform Windows Setup compatibility scan without starting upgrade option. On the Options tab, select the Continue on Error option. Click Add and choose Run Command Line, name the step Process Windows Setup compatibility results and paste in the following: ServiceUI.exe -process:TSProgressUI.exe %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -nologo -file WindowsSetupCompatibilityScanResults.ps1 For Package, select the Windows Setup compatibility scan results package created above. Create a New Group called Capture Windows Setup logs on failure On the Options tab, check if the following Variable WindowsSetupCompatibilityScan = Failed as shown below Next create a Connect To Network Folder step and populate it as below when prompted for Windows User Account enter the Password for the account you added in the Set User step Create a new Run Command Line step called xcopy WindowsSetupCompatibilityScan log file and paste in the following: cmd /c ECHO F | xcopy /Y C:\Windows\Temp\WindowsSetupCompatScan.Log Z:\%computername%\WindowsSetupCompatScan.log On the Options tab of this step, place a checkmark in Continue on error Create a new Run Command Line step called xcopy Windows Setup log files and paste in the following: cmd /c xcopy /C /Y C:\$WINDOWS.~BT\Sources\Panther\*.log Z:\%computername%\ On the Options tab of this step, place a checkmark in Continue on error Create a new Run Command Line step called xcopy SMSTS log files and paste in the following: cmd /c xcopy /C /Y C:\Windows\CCM\LOGS\SMSTSLOG\*.log Z:\%computername%\ On the Options tab of this step, place a checkmark in Continue on error Create a new Run Command Line step called xcopy XML log files and paste in the following: cmd /c xcopy /C /Y C:\$WINDOWS.~BT\Sources\Panther\*.xml Z:\%computername%\ On the Options tab of this step, place a checkmark in Continue on error Create a new Run Command Line step called del network connection and paste in the following: cmd.exe /c "net use * /del /yes" On the Upgrade Operating System group, click on the Options tab and set the variable WindowsSetupCompatibilityScan = OK Apply the changes and close the Task Sequence editor. Step 5. Review the new functionality Tip: To induce a failure you can temporarily disable the Check Readiness for Upgrade step and use a Virtual Machine with only 1.5GB of RAM. This does not meet the requirements as stated here and will cause the Windows Setup compatibility scan step to report a failure. Here are the system requirements for updating to Windows 10 (as of 2017/1/5) Once an Upgrade failure takes place you'll see something similar to the following:- after clicking OK the task sequence will jump to the end without any further communication to the end user. At this point (or whenever it's convenient) check the UpgradeLogs$ share for new content. For every failure that occurs, a folder matching the Computer Name will be created. In that folder you'll find log files and bunch of XML files, these files will help you to troubleshoot the actual failure The WindowsSetupCompatScan.log file is generated by the Windows Setup compatibility scan results script and sample content is below. Note that it contains information about what the error was (including friendly text about the error) and the date/time and hardware that it occurred on. In addition to that log file you have the smsts.log file from C:\Windows\CCM\Logs\SMSTSLOG folder and two relevant Windows setup log files called setupact.log and setuperr.log from the C:\$WINDOWS.~BT\Sources\Panther\ folder. The failure highlighted in setupact.log is shown below (clear as mud right ?) The PowerShell script converts knownerrorcodes into meaningful text that won't give your end users a heart attack. You can add your own known error codes and friendly text by editing the PowerShell script in this section: Well that's it ! job done, I hope this helps you with your Windows 10 Upgrade Task Sequences. Tip: You can use the MailLog functionality described in the Windows-noob OSD Guides book to be notified of failures in real time. Summary Sometimes things don't go according to plan and the Windows 10 Upgrade task sequence can fail for a variety of reasons. Rather than having the task sequence fail during an actual upgrade, it makes sense to run a compatibility scan first and to assess the results of that scan before attempting the actual upgrade. If the compatibility scan does fail, you can notify your users with a helpful message and the task sequence will automatically capture the data you need to troubleshoot and resolve the upgrade issue. This guide helps you achieve that goal. Related Reading Windows 10 known error codes - https://support.microsoft.com/en-us/kb/3107983 Windows Setup /Compat ScanOnly - https://blogs.technet.microsoft.com/mniehaus/2015/08/23/windows-10-pre-upgrade-validation-using-setup-exe/ Create a task sequence to upgrade an operating system in System Center Configuration Manager - https://technet.micr...y/mt613172.aspx Task sequence steps in System Center Configuration Manager - https://technet.micr...y/mt629396.aspx Manage operating system upgrade packages with System Center Configuration Manager - https://technet.micr...echnet.10).aspx Downloads You can download a Microsoft Word copy of this guide here dated 2016/05/14. a deeper look at the Windows 10 Upgrade task sequence.zip You can download the PowerShell scripts used above here. WindowsSetupCompatibilityScanResults.zip

I have found a workaround. I tried installing the update using the sccm manager on my windows 10 client and it worked !! I'm now on 1902. Thanks for your attention.

just make sure your Apply Driver Package step references that, as shown here.

Yes. While each deployment type has its own content ID, you must update content for each deployment type if both deployment types use the same content source.

This series is comprised of different parts, listed below. Part 1 - Introduction and server setup Part 2 - Install and do initial configuration on the Standalone Offline Root CA Part 3 - Prepare the HTTP Web server for CDP and AIA Publication Part 4 - Post configuration on the Standalone Offline Root CA Part 5 - Installing the Enterprise Issuing CA Part 6 - Perform post installation tasks on the Issuing CA Part 7 - Install and configure the OCSP Responder role service Part 8 - Configure AutoEnroll and Verify PKI health (this part) In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016, Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration on the Standalone Offline Root CA. In part 3 you prepared the HTTP Web Server for CDP and AIA Publication and you created a DNS record for the publicly available web server. In part 4 you performed post configuration on the Standalone Offline Root CA to set certificate revocation list (CRL) period registry settings using CertUtil, and then enabled object access Auditing and finally, you configured three locations for the Authority Information Access (AIA) and four locations for the Certificate revocation list Distribution Point (CDP), again using CertUtil. In part 5 you joined the IssuingCA computer to the windowsnoob domain before creating a new CAPolicy.inf file which was customized for the Issuing CA role. Next, you published the Root CA Certificate and CRL (both to Active Directory and the HTTP web server) and you installed the Enterprise Issuing CA before submitting a request to the StandAlone Offline Root CA. Next you installed the Issuing CA Certificate using the response files from the StandAlone Offline Root CA on the removable media. In part 6, you performed post installation and configuration of the IssuingCA server by configuring Certificate Revocation and CA Certificate Validity Periods, you then enabled auditing on the CA server, and configured the AIA and CDP. In part 7 you installed and configured the OCSP responder role service on the web server. Now you will configure Auto Enrollment and Verify PKI health. Step 1.Configure a GPO for Auto Enrollment Logon to to the Domain Controller (DC01) as windowsnoob\Administrator. Click Start, click Run, and then type gpmc.msc and press enter. Expand Forest, expand Domains, expand windowsnoob.lab.local, and then expand Group Policy Objects. Right click Default Domain Policy, then click Edit. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies. Select Certificate Services Client - Auto-Enrollment, right click and choose Properties. Change it from Not Configured to Enabled and enable the following 2 options. Renew expired certificates, update pending certificates, and remove revoked certificates Update certificate that use certificate templates As shown here. Click Apply when done, and close the Group Policy Management Editor and then close the Group Policy Management Console. Step 2. Configure AutoEnrollment for Workstation Authentication on the Issuing CA Ensure that you are logged on as windowsnoob\EntAdmin on the Issuing CA server (IssuingCA), start the Certification Authority console by entering certsrv.msc, ensure that windowsnoob Issuing CA is expanded. Right-click on Certificate Templates, then select Manage. In the Certificate Templates that appear, select Workstation Authentication. Right click it, and select Properties, click on the Security tab, select Domain Computers and ensure that AutoEnroll is selected, click Apply. Step 3. Join the Windows 10 computer to the domain Logon to Windows 10 version 1803 computer (Win101803) as Administrator, and copy the JoinDomain.ps1 script below to a folder called C:\Scripts. Open the script in PowerShell ISE as Administrator, then run Set-ExecutionPolicy to unrestricted before running the JoinDomain.ps1 PowerShell script by clicking on the Green Arrow in Windows PowerShell ISE. JoinDomain.ps1 Note: The computer will reboot by itself after joining the windowsnoob.lab.local domain. Step 4. Check PKI Health with Enterprise PKI To use the Enterprise PKI console to check PKI health, on the IssuingCA server, ensure that you are logged on as windowsnoob\entadmin. Run PKIView.msc from an administrative command prompt. Right click Enterprise PKI and then click Manage AD Containers. On the NTAuthCertificates tab, verify the windows noob Issuing CA certificate appears with a status of OK as shown below: On the AIA Container tab, verify both the windows noob Root CA and the windows noob Issuing CA certificates are present with a status of OK. On the CDP Container tab, verify that the windows noob Issuing CA has both Delta CRL and Base CRL, and that the windows noob Root CA has a Base CRL present and with a status of OK. On the Certification Authorities Container, verify that the windows noob Root CA certificate is present and with a status of OK. and finally on the Enrollment Services Container tab, verify that the windows noob Issuing CA certificate is present with a status of OK. Step 5. Configure Certificate Distribution on the Issuing CA To publish a certificate for computers in the enterprise do as follows. Logon to the IssuingCA computer as windowsnoob\EntAdmin. In the Certification Authority console (certsrv.msc), ensure that windows noob Issuing CA is expanded. Right-click Certificate Templates, select New and select Certificate Template to Issue. On the Enable Certificate Templates dialog box, select Workstation Authentication and then click OK. Step 6. verify certificate autoenrollment on the Windows 10 client To verify that autoenrollment of certificates on the Windows 10 compute do as follows. Log on to win101803.windowsnoob.lab.local as windowsnoob\Administrator. (Ensure that you switch user to log on as windowsnoob\Administrator) Click Start, type mmc and then press ENTER. Click File, and then click Add/Remove Snap-in. Click Certificates, then click Add, Select Computer Account, and then click Finish. Click OK. Expand Personal and select Certificates, if you do not see Certificates, in an Administrative Command prompt issue the following command gpupdate /force then refresh the view in the Certificates MMC. You should now see a Certificates folder and a certificate listed. This certificate was issued using AutoEnrollment which was configured above. Step 7. Verify PKI health on the issued certificate While logged on to W101803.windowsnoob.local.local as windowsnoob\Administrator, In the certificates console tree, expand Personal, click Certificates. In the details pane, right click the W101803.windowsnoob.lab.local certificate, click All Tasks, and then click Export. the Welcome to the certificate export wizard appears, click Next. Click Next at the No do not export the private key screen On the Export File Format page, click Next. [DER encoded binary X.509 (.CER) is the default selection]. in the File to Export, call it C:\Windows10 at the completing the certificate export wizard screen click Finish. you should be notified of the success of the export. Open an administrative command prompt and run the following commands: cd\ then certutil -URL C:\Windows10.cer The URL retrieval tool should appear. In the URL Retrieval Tool, select the OCSP (from AIA) option and then click Retrieve. Confirm that it shows status as Verified. In the URL Retrieval Tool, select the CRLs (from CDP) option and then click Retrieve. Confirm that it shows status as Verified. In the URL Retrieval Tool, select the Certs (from AIA) option and then click Retrieve. Confirm that it shows status as Verified. Click Exit to close URL Retrieval Tool. From the administrative command prompt run following command to thoroughly verify the certificate chain retrieval and revocation status. certutil -verify -urlfetch C:\Windows10.cer you'll see a lot of output similar to the following PS C:\> certutil -verify -urlfetch C:\Windows10.cer Issuer: CN=windows noob Issuing CA DC=windowsnoob DC=lab DC=local Name Hash(sha1): b500ca9b33a216fcc44492f25bb6e6b8bd6a5a78 Name Hash(md5): b0c8a9c15f77c9e2b7af24718ab3f3ec Subject: EMPTY (DNS Name=W101803.windowsnoob.lab.local) Name Hash(sha1): f944dcd635f9801f7ac90a407fbc479964dec024 Name Hash(md5): a46c3b54f2c9871cd81daf7a932499c0 Cert Serial Number: 1e000000057a5838e2727d5162000000000005 dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000) dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000) ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000) HCCE_LOCAL_MACHINE CERT_CHAIN_POLICY_BASE -------- CERT_CHAIN_CONTEXT -------- ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) ChainContext.dwRevocationFreshnessTime: 3 Weeks, 1 Hours, 35 Minutes, 37 Seconds SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) SimpleChain.dwRevocationFreshnessTime: 3 Weeks, 1 Hours, 35 Minutes, 37 Seconds CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0 Issuer: CN=windows noob Issuing CA, DC=windowsnoob, DC=lab, DC=local NotBefore: 7/6/2018 4:04 AM NotAfter: 7/6/2019 4:04 AM Subject: Serial: 1e000000057a5838e2727d5162000000000005 SubjectAltName: DNS Name=W101803.windowsnoob.lab.local Template: Workstation Authentication Cert: 9eae120ea27c064e609df51cacda77e286a223d6 Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2) Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) ---------------- Certificate AIA ---------------- Verified "Certificate (0)" Time: 0 33daad0a6923fdbd02300d703264d13d70eedf42 [0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?cACertificate?base?objectClass=certificationAuthority Verified "Certificate (0)" Time: 0 33daad0a6923fdbd02300d703264d13d70eedf42 [1.0] http://pki.windows-noob.com/CertEnroll/IssuingCA.windowsnoob.lab.local_windows%20noob%20Issuing%20CA.crt ---------------- Certificate CDP ---------------- Verified "Base CRL (05)" Time: 0 7cf12cea65a271e322dcd148dafca9890381d68c [0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint Verified "Delta CRL (05)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d [0.0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint Verified "Delta CRL (05)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d [0.0.1] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Issuing%20CA+.crl Verified "Base CRL (05)" Time: 0 7cf12cea65a271e322dcd148dafca9890381d68c [1.0] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Issuing%20CA.crl Verified "Delta CRL (05)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d [1.0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint Verified "Delta CRL (05)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d [1.0.1] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Issuing%20CA+.crl ---------------- Base CRL CDP ---------------- OK "Delta CRL (07)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d [0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint OK "Delta CRL (07)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d [1.0] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Issuing%20CA+.crl ---------------- Certificate OCSP ---------------- Verified "OCSP" Time: 0 f7d32928b44de5b419a11bac19cc56fad7d4f9ee [0.0] http://webserver.windowsnoob.lab.local/ocsp -------------------------------- CRL 05: Issuer: CN=windows noob Issuing CA, DC=windowsnoob, DC=lab, DC=local ThisUpdate: 7/3/2018 7:02 AM NextUpdate: 7/10/2018 7:22 PM CRL: 7cf12cea65a271e322dcd148dafca9890381d68c Delta CRL 07: Issuer: CN=windows noob Issuing CA, DC=windowsnoob, DC=lab, DC=local ThisUpdate: 7/5/2018 7:02 AM NextUpdate: 7/6/2018 7:22 PM CRL: b27c6e817abccb07e6d18c37c808013cc1377c1d Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0 Issuer: CN=windows noob Root CA NotBefore: 6/19/2018 4:34 AM NotAfter: 6/19/2028 4:44 AM Subject: CN=windows noob Issuing CA, DC=windowsnoob, DC=lab, DC=local Serial: 5600000002ff2362e624faf00a000000000002 Template: SubCA Cert: 33daad0a6923fdbd02300d703264d13d70eedf42 Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2) Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) ---------------- Certificate AIA ---------------- Verified "Certificate (0)" Time: 0 1c2e0479a69623ffddcec692d01af64996b2b6e9 [0.0] ldap:///CN=windows%20noob%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?cACertificate?base?objectClass=certificationAuthority Verified "Certificate (0)" Time: 0 1c2e0479a69623ffddcec692d01af64996b2b6e9 [1.0] http://pki.windows-noob.com/CertEnroll/ROOTCA_windows%20noob%20Root%20CA.crt ---------------- Certificate CDP ---------------- Verified "Base CRL (02)" Time: 0 22cafd2ae550e12401696bac4a424652050c55a2 [0.0] ldap:///CN=windows%20noob%20Root%20CA,CN=ROOTCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint Verified "Base CRL (02)" Time: 0 22cafd2ae550e12401696bac4a424652050c55a2 [1.0] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Root%20CA.crl ---------------- Base CRL CDP ---------------- No URLs "None" Time: 0 (null) ---------------- Certificate OCSP ---------------- No URLs "None" Time: 0 (null) -------------------------------- CRL 02: Issuer: CN=windows noob Root CA ThisUpdate: 6/15/2018 3:12 AM NextUpdate: 6/14/2019 3:32 PM CRL: 22cafd2ae550e12401696bac4a424652050c55a2 CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0 Issuer: CN=windows noob Root CA NotBefore: 6/14/2018 11:03 AM NotAfter: 6/14/2038 11:13 AM Subject: CN=windows noob Root CA Serial: 3d0d623b5abd19b34640212c87d45269 Cert: 1c2e0479a69623ffddcec692d01af64996b2b6e9 Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4) Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8) Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) ---------------- Certificate AIA ---------------- No URLs "None" Time: 0 (null) ---------------- Certificate CDP ---------------- No URLs "None" Time: 0 (null) ---------------- Certificate OCSP ---------------- No URLs "None" Time: 0 (null) -------------------------------- Exclude leaf cert: Chain: d5f425d64a9d41434507a599da1260fdced44873 Full chain: Chain: 0c69840fda437706dd390c3d120ab496038c2564 ------------------------------------ Verified Issuance Policies: None Verified Application Policies: 1.3.6.1.5.5.7.3.2 Client Authentication Leaf certificate revocation check passed CertUtil: -verify command completed successfully. PS C:\> Review the output and make sure all the chain retrieval and revocation status are successfully verified. Job done ! That's it for this mini-series about setting up PKI in a lab, thanks for joining me, I hope you completed everything successfully and have a better understanding of how PKI works and how to set it up in a lab. Next steps If you'd like to see how SCCM works with HTTPS, see below:- How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1 How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 2 cheers niall.

Hi, OUR SETUP We have a SCCM 2012 server which we recently took over. Our setup consist of 13 remote sites with DP's in 6 and 32 subnets between them all. Our sites and services setup in AD has been configured correctly and very carefully due to the complication of all the subnets of various sizes (/24 /25 /26 /27 etc..) We are'nt SCCM experts by any stretch of the imagination but know infrastructure and networking well and are confident that sites and services has been setup 100% correctly. OUR FINDINGS We recently had a closer look at the SCCM server to try and improve the general performance - Takes very long to come back with anything whenever you do anything in it.(assume the SQL queries are the issue) Starting at the basics we had a look at boundaries first and found that the discovery methods are setup for site and IP address ranges. Since our sites and services are setup correctly we thought we could get rid of the IP ranges as I have read multiple articles stating that this is a very "Expensive Query" - and therefore just use sites. OUR PROBLEM The minute we remove the IP range the "remote" workstations (sites with DP's)will not run the task Sequence after PXE booting Tail end of the smsts.log file <![LOG[ Flags: 01000000]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="1824" file="resolvesource.cpp:2291"> <![LOG[ URLs : 1]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="1824" file="resolvesource.cpp:2292"> <![LOG[ SMB : ]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="1824" file="resolvesource.cpp:2293"> <![LOG[ MCS : ]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="1824" file="resolvesource.cpp:2294"> <![LOG[No static content server.]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="1824" file="resolvesource.cpp:2371"> <![LOG[(LocationsList.size() + slistHttpPaths.size() + slistSMBPaths.size()) > 0, HRESULT=80040102 (e:\nts_sccm_release\sms\framework\tscore\resolvesource.cpp,2427)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="1824" file="resolvesource.cpp:2427"> <![LOG[FALSE, HRESULT=80040102 (e:\nts_sccm_release\sms\framework\tscore\tspolicy.cpp,2000)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="1824" file="tspolicy.cpp:2000"> <![LOG[Content location request for QAT00002:3 failed. (Code 0x80040102)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="3" thread="1824" file="tspolicy.cpp:2000"> <![LOG[hr, HRESULT=80040102 (e:\nts_sccm_release\sms\framework\tscore\tspolicy.cpp,2845)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="1824" file="tspolicy.cpp:2845"> <![LOG[Failed to resolve PackageID=QAT00002]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="3" thread="1824" file="tspolicy.cpp:2845"> <![LOG[(*iTSReference)->Resolve( pTSPolicyManager, dwResolveFlags ), HRESULT=80040102 (e:\nts_sccm_release\sms\framework\tscore\tspolicy.cpp,3693)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="1824" file="tspolicy.cpp:3693"> <![LOG[m_pSelectedTaskSequence->Resolve( m_pPolicyManager, TS::Policy::TaskSequence::ResolvePolicy | TS::Policy::TaskSequence::ResolveSource, fpCallbackProc, pv, hCancelEvent), HRESULT=80040102 (e:\nts_sccm_release\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,1439)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="1824" file="tsmediawizardcontrol.cpp:1439"> <![LOG[Failed to resolve selected task sequence dependencies. Code(0x80040102)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="3" thread="1824" file="tsmediawizardcontrol.cpp:1439"> <![LOG[hrReturn, HRESULT=80040102 (e:\nts_sccm_release\sms\client\tasksequence\tsmbootstrap\tsmediaresolveprogresspage.cpp,445)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="1824" file="tsmediaresolveprogresspage.cpp:445"> <![LOG[ThreadToResolveAndExecuteTaskSequence failed. Code(0x80040102)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="3" thread="1824" file="tsmediaresolveprogresspage.cpp:445"> <![LOG[ThreadToResolveAndExecuteTaskSequence returned code 0x80040102]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="516" file="tsmediaresolveprogresspage.cpp:221"> <![LOG[Setting wizard error: This task sequence cannot be run because the program files for QAT00002 cannot be located on a distribution point. For more information, contact your system administrator or helpdesk operator.]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="516" file="tsmediawizardcontrol.cpp:1463"> <![LOG[ResolveProgressPage::OnWizardNext()]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="516" file="tsmediaresolveprogresspage.cpp:113"> <![LOG[Activating Finish Page.]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="516" file="tsmediafinishpage.cpp:107"> <![LOG[Loading bitmap]LOG]!><time="11:56:30.394-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="516" file="tsmbootstrap.cpp:1303"> If we add the IP Ranges back it works. I can see the problem (highlighted) and know how to get around it but don't understand why we cannot get it to use Sites and Services correctly. We have ensured that the DP servers Boundaries and Boundary Groups are all connected Boundary Discovered and Defined correctly. Boundary Group has correct Boundary in it. Boundary Group Reference has DP server defined as Site System Server We have made sure that the packages have sync'd/copied correctly with the DP's and the sizes all match. Obviously we are missing something - Can anyone provide any further advice? And I will just say again, we have just spent two weeks documenting and going over our Sites / Subnet / AD setup to ensure we have no overlapping networks and to ensure all our subnets are defined correctly in sites and services - We really don't think the issue lies there but are open to any advice. Thank You in advance.

Recently rolled this out, some brief notes: - On a Windows 10 machine, no additional agent is required. You simply set the SCCM policy to enable Endpoint Protection (Defender) to be managed. SCCM > Administration > Client Settings > Endpoint Protection > Manage Endpoint Protection...... - On a Windows 7 machine, SCCM will automatically deploy the SCEP agent if the above policy setting is enabled. We haven't deployed to server so cant assist there, but no reason why it wouldnt work. - You'll need to setup ADR's so new definitions are downloaded every X hour, you'll also need to change you SUP sync schedule to match this frequency - All settings/configuration/exclusions etc can be done via Anti-Malware policies. SCCM > Asset and Compliance > Endpoint Protection > Antimalware policies - I found we had to manually uninstall our previous AV solution (even though SCCM has an option to remove it) else SCEP would fail to install. I had to script the removal of the old AV Take some time to flick over all the anti-malware policies, everything will become much clearer. Key thing is to make sure your definitions are regularly updated (i do mine every 8 hours), and to make sure your SUP also sync at the same time else the ADR will run against a "outdated" SUP catalog.

We followed this guide as we wanted to use PKI

nice effort but any reason why you went with an out of support version of SCCM ? 1802 is the current baseline...

Ok, I found some interesting reading at https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan 🙂

2nd question Inside the task sequence, there is an "Join Domain or Workgroup" option where you can have the device join a domain. I have never used it separately from imaging but I don't see why it wouldn't work for what you want to do. I would try to have it perform the backup, restore, then add to the new domain. keep in mind you have to have an account on the new domain so SCCM will have rights to add the device.

1st question - we have two separate task sequence. 1st at 6pm disable bitlocker restart computer request state store capture user state re-enable bitlocker 2nd at 2am request restore state restore "customize how it's restored" "we have custom .xml files" Lastly, in the Assets and Compliance section, you will see the "User State Migration" section. That is how you associate the FROM computer and the TO computer. Associate the computers / users and let the tasks run

You will need to use a sub-select query to do the not in stuff. Here is an example. https://www.enhansoft.com/blog/subselect-wql-query-to-find-pcs-that-do-not-have-either-x86-or-x64-versions-of-software-installed

We've had problems with Surface Pro 4 PXE too. Microsoft have confirmed it's a problem with the UEFI Network stack, and you need to have IPv6 enabled and routed to the PXE Server. If you just have IPv4 then it won't work. They are working on a firmware fix, which should be out in a few months.

I never got the Surface 4 to PXE boot. I didn't take it much further as we don't have very many. The later Surface Pro does PXE in exactly the same environment.

My guess--and it's just a guess. I'm assuming that since it's the client that picked up the script to run, it'll be similar to the same context that other scripts run in, when picked up by policies, like Configuration Item Scripts, or Scripts used for Detection Logic for Applications--which is NT Authority\System, of the individual device. So if you want all your Domain Computers to have rights to some remote share, you'll want to make a share, and grant (I think) "Domain Authenticated Users" both NTFS modify to that location, and that the Share also has Modify rights to Authenticated Users. I think that might work... I see you're trying to use s$... that would be an Admin share. I wouldn't use that. Make a real Share, which you can permission properly.

I manually populate that field via a script I run against my HR report monthly. The field for "managed by" requires input (whether it be via powershell, or other) to be in a specific format. I believe that the CN or username must be used. It is an odd field that does not populate with static data. For example, you will get script errors if you try to add a name to that field and the account your are trying to insert does not exist in AD. The "managed by" field must contain users who exist if you want to script.

I got it thanks. This was the link it sent me to which really didn't help( https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/deprecated/removed-and-deprecated). After I looked at the log it was pretty clear, i had a Distribution Point that was still running 2008R2 and it was causing the issue. I upgraded the server last night and now the prereq passes. I will do the upgrade tonight. Thanks

issue got resolved after solving SQL server configuration manager issues. Open a command prompt as administrator Navigate to your SQL version’s shared directory (cd <version path>): SQL 2008: C:\Program Files (x86)\Microsoft SQL Server\90\Shared\ SQL 2008 R2: C:\Program Files (x86)\Microsoft SQL Server\100\Shared\ SQL 2012: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\ SQL 2014: C:\Program Files (x86)\Microsoft SQL Server\120\Shared\ Then run the following command: mofcomp sqlmgmproviderxpsp2up.mof 1802 Upgrade successfully completed.

more than likely yes

What I ended up doing was upgrading my MDT to the 6.3.8450.1000 build (as you noted). Then, I tried my non-MDT TS...it still failed. I have no clue why. So I then recreated my entire OSD MDT TS. A few small TS tweaks and it now works with the older and the current Gen5's. For my 1803 deployment, I have the "apply operating system" ts set to "use an unattended sysprep answer file" and my unattended.xml is this: ********************************************** <?xml version="1.0" encoding="utf-8"?> <unattend xmlns="urn:schemas-microsoft-com:unattend"> <settings pass="oobeSystem"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"> <OOBE> <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> <NetworkLocation>Work</NetworkLocation> <SkipMachineOOBE>true</SkipMachineOOBE> <SkipUserOOBE>true</SkipUserOOBE> </OOBE> </component> </settings> </unattend> ********************************************** Then, at the bottom of the auto created group called "install" (this is where the OS is applied and such). I have a "run command line" that sets the power plan so the computer does not sleep during OSD. This cmd line is: ********************************************** PowerCfg.exe /s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c ********************************************** I apply drivers next. I integrated the HP MIK into my SCCM and now I create driver packages via that method. Seems to create smaller packages than previous when I was downloading the larger driver packs. I filter each driver pack by wmi query model. At the bottom of the drivers section, I increase the ccm cache size to 20GB using a powershell script. At the end of the OSD TS, I reset it back to 10GB. This allows larger packages to be installed during OSD. I hope this helps a bit.

We'll see if anyone else comes along and says it's working or not working For now, I am trying the solution provided by @SMoRZ3 (thank you!)

FYI, I went back to the older PE and it is still failing to install the language pack. I suspect that it's actually the updated MDT that is causing the issue. I'm testing now to verify. Edit: Confirmed that rolling back to the older MDT and the install language pack offline is working again. So, the issue is not with the ADK but rather with MDT 8450 and Windows 10 1607.

Hi! Exacly what I was thinking also. Maybe they don't distribute worldwide, maybe they start slowly deploying the update. But then I know that in the future, to be patient. 😁 Hmm, maybe I should consider to download the script and try it out for upcoming updates in the future! Thank you so much for the info, have a great day, cheers!👍

Hello, The update is not available to us either, it is slowly deployed to everyone but not at the same time. If you want to have it right now, you have to download a script that will put you in the early distribution ring. It is available here : https://gallery.technet.microsoft.com/ConfigMgr-1806-Enable-3eb4b46c I have not tested the script, I am waiting patiently ;-) I hope this will help you

Have you enabled software inventory Is software inventory Inventoring .lnk files? Is there a reason you aren't just using a configuration baseline? it is easier to do this.

Thanks for the link, and the lab is definitely very useful and better than some other ones I've seen. I'll go through it some more. It seems like there's very little info on this specific aspect available on the internet regarding CApolicy.inf. I'm probably overthinking it but don't want to get it wrong. In other examples like Brian Komars book I see he adds more info under [certsrv_server] like "CRLPeriod", "CRLPeriodUnits", etc. and was wondering if there was a reason they were excluded on yours, if they are no longer needed or are set elsewhere, or if it's just due to it being a lab environment and those are the bare minimum settings needed for CAPolicy.inf EDIT: Just so other people who have the same question, I was able to find out that the only thing the CApolicy is needed for is to overwrite the few parameters that otherwise can't be configured via Powershell/GUI. So you're probably going to find a whole array of CApolicy files that are all technically correct, production-quality, they just contain varying levels of detail, and it's actually better to set them using CERTUTIL instead of defining them in the CAPolicy.inf file.

This is perfect Niall and I appreciate you not only taking the time to reply to my question but for all you do for the community and the time you spend creating your amazing walkthroughs. I cannot comprehend sometimes how incredible your knowledge and dedication is. you rock and cheers to you as well.

are you using the User version of the MSI or the other one ?

can you attach your smsts.log file please?

This series is comprised of different parts, listed below. Part 1 - Introduction and server setup (this part) Part 2 - Install and do initial configuration on the Standalone Offline Root CA Part 3 - Prepare the HTTP Web server for CDP and AIA Publication Part 4 - Post configuration on the Standalone Offline Root CA Part 5 - Installing the Enterprise Issuing CA Part 6 - Perform post installation tasks on the Issuing CA Part 7 - Install and configure the OCSP Responder role service Part 8 - Configure AutoEnroll and Verify PKI health Introduction Security is everywhere, and a core component of security is certificates. Public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption (1). In this series of guides I will show you how to set up a 2 tier PKI hierarchy running on Windows Server 2016 and you can use this to set up your own LAB so that you can learn about PKI and later use it for related System Center Configuration Manager roles such as Co-Management (3). Note: I don't claim to be an expert on PKI and would absolutely advise you to consult with a PKI expert if you plan on setting up PKI in production. This guide is designed to help you setup your LAB, it's based on a Windows Server 2012 R2 PKI guide on Technet from here and kudos to those guys for writing it (2). The difference here is you'll be using Windows Server 2016 and you'll see more screenshots and hints to guide you through the experience. I'd highly recommend you go through this entire series at least twice, just to get a feel for how PKI works and to become familiar with the terms involved. The first time you complete this series will probably feel laborious, however the second time you do it things will start to make sense and you'll have a better understanding of why you are doing it. This series will be tough to wrap your head around especially if you are new to PKI, but take it one part at a time, one step at a time, methodically. If in any doubt, about any of the content then please ask your questions here by starting a new thread. By the end of this series of guides you'll have the following setup and running in your windowsnoob.lab.local PKI LAB. Domain Controller (Windows Server 2016) - 192.168.11.1 Issuing CA (Windows Server 2016) - 192.168.11.2 Webserver (Windows Server 2016) - 192.168.11.3 Offline Root CA (Windows Server 2016) Windows 10 (Windows 10 Enterprise, version 1803) - 192.168.11.4 (Optional) Smoothwall NAT (linux) - 192.168.11.199 and MMC based applications like this screenshot from the Enterprise Issuing CA will become familiar to you Before we start the series let's list some of the terms you'll see popping up over and over. I will try to explain them as we move through the guide. PKI - Public Key Infrastructure AIA - Authority Information Access CDP - Certificate revocation list Distribution Point CRL - Certificate Revocation List OCSP - Online certificate status protocol CA - Certificate Authority Note: I'd recommend that you snapshot (checkpoint) the Virtual Machines at the end of each part of this series, so if you make a mistake, you can always back track to a known good state. Step 1. Create the Virtual Machines I use Hyper-V for my labs, as it's a role built into Windows Server 2016 (and even Windows 10), so as long as your computer is relatively new and the hardware supports virtualization, you can use it (simply enable the role, reboot, and start using it). You should have at least 16GB of ram and 500GB of SSD storage to set this lab up comfortably. To quickly create the virtual machines I use a PowerShell script which I wrote, you can download it here. Download the script - Create HyperV VMv2.ps1 Virtual Machine Names For this LAB, please use the following naming convention for your virtual machines (note this is not the computer name but the virtual machine name). #11_DC01 #11_IssuingCA #11_RootCA #11_W10_1803 #11_Webserver #11_Smoothwall Note: The #11 prefix is simply a method I use in Hyper-V to separate my labs visually in Hyper-v manager, so #11 is one lab, and #10 is another (and so on). You don't have to use the same convention as I do, but it would make it easier for you to follow the entire series. I use the Smoothwall linux based NAT to provide Port Forwarding capability and to share internet into my various LABs. Virtual Machine Roles The Virtual Machines created will have the following functions #11_DC01 Roles: DC, DNS, LDAP CDP,AIA #11_IssuingCA Roles: Enterprise Issuing CA #11_RootCA Roles: Standalone Offline Root CA #11_W10_1803 Roles: A Windows client #11_Webserver Roles: Webserver HTTP CDP, AIA #11_Smoothwall Roles: Port Forward, Internet sharing Note: When prompted for a network switch, create a unique one (#11) for the first VM created, and use the same one for each of the other vm's (we will remove the network from the Offline Root CA). For generation type, use Gen 2. Below is how I created the virtual machines listed above. Note: After creating the virtual machines and before installing Windows Server 2016 on the Offline Root CA, you must remove the Network Card for the Offline Root CA virtual machine as it should not be connected to any network. Step 2. Install the virtual machines Install Server 2016 On DC01, RootCA, IssuingCA and Webserver, install Windows Server 2016. It's up to you how to do this, you can use an Automated MDT PowerShell script, or install them manually. To install all Windows Server 2016 on all 4 servers as WorkGroup joined computers do as follows.. Choose Windows Server 2016 Standard (Desktop Experience) Continue through the installation wizard until prompted for a password, use P@ssw0rd as the Administrator password Click Finish. And then logon using the Administrator username and password configured above. Once Windows is installed, set the IP address for each virtual machine as shown below. Note: Below are the Computer Name and IP addresses used in this guide. For the Offline Root CA, you must remove the Network card in the Hyper-V virtual machine settings. Computer Name: DC01, IP address: 192.168.11.1, Subnet mask 255.255.255.0, Default gateway: 192.168.11.199, Preferred DNS server: 192.168.11.1 Computer Name: IssuingCA, IP address: 192.168.11.2, Subnet mask 255.255.255.0, Default gateway: 192.168.11.199, Preferred DNS server: 192.168.11.1 Computer Name: Webserver, IP address: 192.168.11.3, Subnet mask 255.255.255.0, Default gateway: 192.168.11.199, Preferred DNS server: 192.168.11.1 Computer Name: RootCA, IP: <NO NETWORK> Computer Name: W101803, IP address: 192.168.11.4, Subnet mask 255.255.255.0, Default gateway: 192.168.11.199, Preferred DNS server: 192.168.11.1 Computer Name: smoothwall11, IP address: (Green, static) 192.168.11.199 (Red, DHCP internet IP) x.x.x.x Here's how you can set the IP address for DC01. And configure the Computer Name as per the list (in this example it's for the Domain Controller) Reboot when prompted. Install Windows 10 Enterprise version 1803 Install Windows 10 Enterprise, version 1803 on the remaining virtual machine (#11_W10_1803). Configure the Computer Name and IP address as specified. Leave it WorkGroup joined. Optionally install smoothwall Download and install Smoothwall Express 3.1 on the Smoothwall virtual machine to get internet into your lab. If you need a guide for that, i'll create one shortly, but basically it must be a Generation 1 virtual machine, and have 2 Legacy nics, one should be internet facing, and the other connected to the #11 hyper-v network switch. Configure it as Green & Red where Green = LAN, as shown below. and Red is set to DHCP (internet facing network card). Step 3. Configure ADDS on DC01 Now that you've installed the servers, it's time to make DC01 a domain controller, to do that we'll install Active Directory Domain Services (ADDS) and to do that we'll use this PowerShell script, simply run the script as Administrator in Windows PowerShell ISE on DC01. Download the script -Configure ADDS.ps1 After running the script, DC01 is prompted to a Domain Controller and is ready for the next part of this series. Note: Please only run this script on the DC01 virtual machine. After running the script, the Domain Controller is ready for Part 2 (configured as dc01.windowsnoob.lab.local) and internet is working (via the Smoothwall) To continue with Part 2 of this series, click here. Recommended reading (1) - https://en.wikipedia.org/wiki/Public_key_infrastructure (2) - https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx (3) - https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview

there are TWO branches of SCCM, current branch (which is what you are using) and Technical Preview (which is what is in this video) Current Branch is for production environments, and Technical Preview is for labs, you cannot get TP updates in a Current Branch release

One thing i can't stand about forums is no one responding back to how they fixed their issue. I hope this helps someone down the road. I just got off the phone with support and this was their fix as well. They said it's a client side issue with certificates being corrupt. ERROR: Error. Status code 500 returned OSDSMPClient 7/25/2016 4:25:28 PM 5656 (0x1618) Received 1231 byte response. OSDSMPClient 7/25/2016 4:25:28 PM 5656 (0x1618) pReply != NULL, HRESULT=80004005 (e:\qfe\nts\sms\client\osdeployment\osdsmpclient\smpclient.cpp,2391) OSDSMPClient 7/25/2016 4:25:28 PM 5656 (0x1618) SMP Root share info response is empty OSDSMPClient 7/25/2016 4:25:28 PM 5656 (0x1618) ClientRequestToSMP::ClientRootShareRequestToSMP failed. error = (0x80004005). OSDSMPClient 7/25/2016 4:25:28 PM 5656 (0x1618) ExecuteRootShareInfoRequest(sRootShareList), HRESULT=80004005 (e:\qfe\nts\sms\client\osdeployment\osdsmpclient\smpclient.cpp,1717) OSDSMPClient 7/25/2016 4:25:28 PM 5656 (0x1618) ClientRequestToSMP::DoRequest failed. error = (0x80004005). OSDSMPClient 7/25/2016 4:25:28 PM 5656 (0x1618) Request to SMP 'http://myservername.domain.com'failed with error (Code 0x80004005). Trying next SMP. OSDSMPClient 7/25/2016 4:25:28 PM 5656 (0x1618) Sleeping for 60 seconds before next attempt to locate an SMP. OSDSMPClient 7/25/2016 4:25:28 PM 5656 (0x1618) Retry number 2 OSDSMPClient 7/25/2016 4:26:28 PM 5656 (0x1618) Microsoft's response ++ It looks like there is certificate issues while performing the restoration task. ++ Please run following command under PowerShell (As Admin ) · Remove-Item -Path ‘HKLM:\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates\*’ -force; · restart-service ccmexec Sunshine

I just reused a previous serviceUI.exe step so yes if you want to call it overly complex, you can, and yes it can be simplified, however, it does work and that's the point :-) I'll take a look at the IE shortcut suggestions, cheers

good idea, i'll put that together shortly and here it is ! http://www.windows-noob.com/forums/index.php?/topic/10905-the-windows-noob-mobile-device-management-guides-now-available-to-download/

ok great and thanks for updating the thread in case others have the same problem

Hi The problem was the fact that the SCCM 2007 agent was still installed. After uninstalling the agent I managed to take a capture, thanks for your help in this.