SCCM LTSB, The do NOT use, Edition

October 13, 2016 at 8:36 am in ConfigMgr by The WMI guy

Really, I can't be more clear than that, don't ever use it.


The ConfigMgr product team announced a new edition of the latest version of Configuration Manager. In line with the Windows team they decided to call this new edition LTSB. I assume because the message about Windows LTSB was clear as mud and was an excellent example of strong communication.

The LTSB version has severe limitations, both now, and in regards to future option.

The announcement blog has a page pointing to documentation which is titled
Which branch should I use?

That page contains, 1516 words, or 9699 characters. So I'll summarize it here for you.
USE Current Branch!

That's all folks.

For those of you still reading, imho, the LTSB edition is there to solve the one specific scenario in the blog post when you let your usage rights on ConfigMgr expire. It's there to solve a legal/licensing issue, and for nothing else.

It doesn't support anything new, doesn't support Windows 10 CB/CBB, has no plans for support of any new Windows 10 LTSB that hasn't been released to date. There's only the guarantee of 10 years of security updates.

Official announcement

Which branch should I use documentation

Ask the ConfigMgr product group anything on 30/06

June 16, 2016 at 6:18 pm in ConfigMgr by The WMI guy

Hi all,

The ConfigMgr product team is hosting a live Q+A  session on  for the upcoming 1606 release on 6/30 1-5 PM PST.  

 This is an AMA, Ask Me Anything,  (related to ConfigMgr), and the first in it's kind for Configuration Manager.The entire ConfigMgr engineering team is going to be live at the same time responding to questions in near real time fashion. Basically chat with the entire team.  

What can you ask?

The AMA is your opportunity to ask everyone in the room ConfigMgr related questions that have been bothering you/your customers. Everyone! At the same time! No waiting for responses over email! For 4 hours!

All features new and old, yes even those arcane SMS 4.0 questions. Bring ‘em on!

 What If I can’t make it?

Feel free to leave a question and check in later for responses.

 Will you host AMA's again?

If you guys like the format, and convince @djammer, we will host this every release. (A couple of thousand tweets should help.)

So the next one would be in 1610. 

How do I know the answers are from the team:

Look for  “TheConfigMgrTeam” as the answerer. 

Spread the word.



Kim Oppalfens aka thewmiguy


System Center – Search providers, help me help you (and myself)

March 27, 2016 at 10:40 am in ConfigMgr by The WMI guy

Hi All, Thanks for visiting,

The product documentation for System Center used to have a metatag called AppliesToProduct. This allowed Bing searches like the following

"software updates" Meta:Search.MSHAttr.appliesToProduct("System Center 2012 R2 Configuration Manager")


Which in turn allowed me to create search providers, so you don't have to recall the meta-tag search syntax, for Internet Explorer, firefox and Chrome, available here: And explained and promoted by fellow MVP Brian Mason here:

Now, how can you help, you ask?

The new ConfigMgr 1511 & 1602 documentation no longer has the tags. So we can't easily search that doc library anymore, which given the swift pace at which Configuration Manager evolves is painful.

I put in a uservoice request to bring them back on the documentation's team page, so what I'd like to ask, is to give me your vote(s) (You can give multiple votes to 1 item)to bring the item to the attention of Jeff Gilbert and the doc team.

You can find the item here, voting only takes a minute, (Happy voting, and thanks):

And if it's not too much trouble, tweet out that you supported this request from the uservoice page.



Best regards,

Kim Oppalfens


Solving the What’s new puzzles in ConfigMgr tech preview

February 17, 2016 at 11:40 am in ConfigMgr, Console Extension, Intune, RBA, SCCM by The WMI guy

Howdy y'all,


First of all, for people that don't follow my @thewmiguy twitter handle yet, shame on you. For those that do, you might have noticed that Jorgen (@ccmexec) and I fought a fierce battle over who could finish most off the different What's new scenarios in the latest ConfigMgr preview scenarios last week.

****** Spoiler alert *******

I beat him to it, but it was a photo finish kind of thing


******End of spoiler alert *****

Now, both Jorgen, and 2 other people that'll rename unnamed specifically inquired about how I finished the VPP scenario, or the app configuration scenario for that matter, as they couldn't figure out how to do that. The reason they couldn't, and my competitive advantage over Jorgen was that the tech preview lacked certain security roles that come along with these objects to allow you to access them.

Given my knowledge of AdminUI extension I found this out by looking through the xml's that define the adminui, as well as through the adminui.consolebuilder.exe. Both showed me that the UI nodes for these features were protected by security roles that didn't exist. So the first thing I did was remove the permission requirement using the adminui.consolebuilder.exe. Now, that's not the cleanest way to handle things, as that would mean everybody got to see these nodes, even people that have no business with it whatsoever. But hey, I was on a race against the clock, so gloves were off. After finishing the scenario's and posting the results, I figured out a cleaner way of getting the items lit up. In essence, all you have to do, is create the security roles, and below you'll find the SQL code to do just that.

Warning, Modifing the SQL database is still a big NONO, in production. As this issue only exists in Tech Preview 1601, you should be fine. Still might want to take a backup of your lab, as this only comes with the guarantee that there is absolutely no guarantee. Proceed at your own risk, refrigerators in close proximity to your site server might blow up, etc…..

into [dbo].[RBAC_RoleOperations]

VALUES (N'SMS0001R', 73, 810550295),

(N'SMS0002R', 73, 268435457),

(N'SMS0007R', 73, 809500689),

(N'SMS0008R', 73, 1048577),

(N'SMS0009R', 73, 810550295),

(N'SMS000ER', 73, 810550295),

(N'SMS0001R', 74, 1049623),

(N'SMS000ER', 74, 1049623);


After executing the SQL insert statement above you should be greated by the following additional entries in your Software library workspace


"The M in WMI stands for Magic"
""Everyone is an expert at something" Kim Oppalfens - ConfigMgr Expert for lack of any other expertise
System Center Configuration Manager MVP

Configuration Manager telemetry / usage metrics (work in progress)

February 17, 2016 at 10:05 am in ConfigMgr by The WMI guy

Telemetry, what is it about?

Microsoft has quite a bit of information here about its new telemetry data system for SCCM here:

Below are my findings and additions to that documentation that people are inquiring about, but let me start off with the why, of it all. The new Configuration Manager comes with a brand new servicing mechanism. You should be aware by now that Windows 10 comes with a pretty high release cadence (a new Windows every 4 months). To keep up with that pace, Configuration Manager is planned to follow suit, and more or less follow that same cadence. Now, quite some people are sceptic about that increased cadence and the impact on the different products quality. To answer the challenges that come with this increased pace Microsoft plans to ship fast / fix fast, and that's were telemetry comes in.

The general idea is to find the setups and "modus operandi" that are frequently used by a large set of customers and use those in testing. Additionally, the telemetry data should prove to be a shortcut to get troubleshooting data to the product team. In other words, sharing data on the way you use the product should be in your own interest.

Sounds good, but am I supposed to just trust Microsoft in collecting data from my environment that might be privacy sensitive? Well, yes and no. Microsoft takes privacy extremely serious, and so does the Configuration Manager product team. The product team has, imho, very good reasons to make sure the data they collect isn't catalogued as privacy sensitive, as doing so would introduce them to a drastically increased involvement of both legal and auditing, as for any Microsoft service that holds privacy sensitive data. To keep the level of scrutiny they'd have to go through in check, the ConfigMgr team starts off with anonymizing the data. They do that by hashing some of the data, so that any privacy sensitive data isn't readable to them.

And that's where some of the challenges come in for customers that are privacy sensitive and/or have auditing breath down their neck. This hashed data isn't readable to them either, which worries some of them, as they don't know what they are sending out. Below I'll explain, for all the hashed values I found in telemetry results so far how you can make the data human readable alongside the hash so that you can control what the data you are sending out actually means.

Database objects involved


The telemetry table contains the names and id's of the stored procedures that are responsible for collecting the telemetry data. In the environments that I've verified this on, there are 150 stored procedures lists in the telemetry table. You can have a look at this info by running the following query


from Telemetry order
by name



The results are stored in a table called either telemetryresults or TEL_telemetryresults (There seems to be a difference between the techpreview releases and the production releases regarding the table name.) You can look at your own results by running the following query

from TEL_TelemetryResults


from TelemetryResults

depending on your environment.


Depending upon the level of data you've chosen you should see a number of rows returned. There should be one thing that catches your eye quite swiftly. As you can see in the screenshot below each row has a results column that ends with a returning hash. Which opens up the very first question, what is this hash all about?

Well this particular hash is used to correlate data between the different rows in your telemetry results so the product team can store all data coming from one customer together. Given the introduction they need a way to do that without making your company name or anything similar that could identify your environment, and hence they need to anonymize the data. Now, every Configuration Manager environment has a randomly generated hierarchyid that could be used for this purpose. But even that wasn't anoynymous enough for the Configuration Manager product team. To anonymize the data they've chosen to hash that hierarchy id using SHA256.





You can get your own hierarchy id and the accompanying hash to validate this data by running the following query:


     Declare @tenantid as

     select @TenantId = dbo.fnConvertBinaryToBase64String(dbo.fnMDMCalculateHash(CONVERT(VARBINARY(MAX), [dbo].[fnGetHierarchyID]()),

     Declare @hierarchyid as

     select @hierarchyid = [dbo].[fnGetHierarchyID]()

     select @hierarchyid, @tenantid


Stored procedures

There are a bunch of stored procedures involved in collecting the telemetry data, and most of them just generate just 1 of the rows in the telemetryresults table. You can find the stored procedures responsible for collecting data by running the following query.


distinct As
'Stored Procedures',o.*


ON =

WHERE like
and o.xtype =


If you're only interested in the ones that generate data for the telemetryresults table run the query below.

distinct As
'Stored Procedures',o.*


ON =

WHERE like
and o.xtype =
'P' and in
(select name from Telemetry)


You could subsequently analyze the stored procedures to see what it is they are collecting, but that is an elaborate exercise. As we've seen that SHA256 is the hashing mechanism of choice I've chosen to check which of these stored procedures use the SHA256 function. I've identified the stored procedures, and linked id's using this query



o.type_desc, m.definition

sys.sql_modules m

sys.objects o ON m.object_id = o.object_id

join telemetry on = Telemetry.Name

    where m.definition like
and like


This results in the following list of id's


Which in turn lets you focus on the telemeteryresults table and the rows that contain hashed information:

from TEL_TelemetryResults

where id in










Or on those that should not contain any hashed information by changing the where clause to use not in instead of in. This should allow you to quickly check whether the results column still has data you can't understand. (Should that be the case feel free to share the ID of the row and I'll happily look into it.)


Obfuscated data / data hashing and making it human readable again

The last ID '0F40B971-AAC7-4A39-8CDA-1E023C833306' contains the full schema of your Configuration Manager database as collected by the TEL_SQL_DBSCHEMA stored procedure. When you look at the stored procedure definition you'll notice that it runs the following query to collect the data:

SELECT dbo.fnConvertBinaryToBase64String(

dbo.fnMDMCalculateHash(CONVERT(VARBINARY(MAX), DS.ObjectName),
AS ObjectNameHash,

DS.ObjectVersion AS ObjectVersion,

DS.UpdatedBy AS UpdatedBy,

DS.ObjectHash As ObjectHash

FROM dbo.DBSchema DS

JOIN SC_SiteDefinition SS

ON DS.SiteNumber = SS.SiteNumber

= N''


As should be apparent, the objectnames are obfuscated in this stored procedure. Should you like to know what the obfuscated data really means you can modify the query slightly and another item in the select section of the query to include the data before it is hashed like so:


SELECT DS.ObjectName, dbo.fnConvertBinaryToBase64String(

dbo.fnMDMCalculateHash(CONVERT(VARBINARY(MAX), DS.ObjectName),
AS ObjectNameHash,

     DS.ObjectVersion AS ObjectVersion,

DS.UpdatedBy AS UpdatedBy,

DS.ObjectHash As ObjectHash

FROM dbo.DBSchema DS

JOIN SC_SiteDefinition SS

ON DS.SiteNumber = SS.SiteNumber

= N''


As you can see, all I did was include the column DS.ObjectName before it was hashed so you could see it in readable format alongside the hashed format. The reason they hash the data in this particular instance is because your're schema could contain your company name, or other privacy sensitive data. The most likely way this would end up in your schema is by including that information in the names of your custom hardware inventory classes.

This is just one of the 8 queries that might contain hashed data, but the mechanism above is repeatable for the other stored procedures. I'll add the queries needed to represent the cleartext data and the hashed variant over the next couple of days.

"The M in WMI stands for Magic"
""Everyone is an expert at something" Kim Oppalfens - ConfigMgr Expert for lack of any other expertise
System Center Configuration Manager MVP

SCCM vNext updates and servicing feature!

September 24, 2015 at 1:55 pm in ConfigMgr by The WMI guy

Hi All,

Feature Explained

On the 23rd of September 2015 the ConfigMgr Product team released a blog on an update for Configuration Manager Technical Preview 3, or the new and upcoming version of SCCM, known by many as SCCM vNext. The blogpost contained roughly 321 words. (Yes I did put that in there to weasel you into going in and counting the words J)

The shortness of the blog, and it's number of words, in my opinion, doesn't do justice to the importance of this new feature called CM Updates, Updates and servicing or Easy setup, depending on who you talk to. This feature is the way forward for the product team to update the next release of Configuration Manager, and might well replace Service packs and/or CU's in the future. One of the challenges for the CM product team has always been to find the right "release vehicle". Release vehicles are a means to get updates out to the install base, and at present are usually one of these:

  • New release
  • Service pack
  • Cumulative Update
  • Web release/download

The first 2 in that list, are at least perceived as disruptive to the systems management service, while Cumulative Updates have quite different perceptions across different IT departments and companies. But there's definitely a set of IT departments that consider the CU's, and their installation disruptive as well. That means all sorts of things come into play when any of these are released, release management, a rollback plan, the change advisory board to name a few. The ambition of CM updates is to alleviate that pain through an integrated servicing mechanism much like other software that auto-updates, yet with admin approval.

Or in the words of the blog: "This update is the first to be delivered through our new "Updates and Servicing" node in the product. Moving forward, this is how you should expect to receive Technical Preview updates. When System Center Configuration Manager becomes generally available in Q4 of this calendar year, we will continue to use this same channel to provide a faster, lighter and easier update experience for new features, bug fixes, and more."

People already involved with Microsoft Intune in a Hybrid scenario will see a lot of similarities with what is called the weave feature to download mobile device management extensions and enable/install these extensions. This should not come as a surprise, as one of the driving factors behind weave was the speed with which new versions and features of IOS, Android and Windows Phone were released. The mobile device management market is rapidly growing and evolving, and needed it's own release vehicle, that release vehicle became 'Extensions for Microsoft Intune' a.k.a weave. Now, with Windows 10 entering the Windows as a service-era, with things like the current branch potentially upgrading every 10 months, Microsoft needed something similar to update general CM items, and not just mobile device management related items. The blog released yesterday was the announcement of "the very first real world public test of this mechanism!". The announcement itself lacked a bit of enthusiasm, but this is a feature that I am excited about for the future of CM.

This feature can update and deliver fixes and features for:

  • Site servers
  • SMS_Provider
  • Configuration Manager console
  • Configuration manager clients

Which should provide the necessary flexibility to update just about anything, as this allows the product team to update, the ConfigMgr File system, the Admin UI file system, the database (Data as well as new tables, views, Stored procedres,…, as WMI)

Feature documentation

The announcement itself didn't go into much detail explaining how the future worked, however did contain a link to the documentation of the Microsoft System Center Configuration Manager Technical Preview. This page contains a section on "Updates and servicing" which gives some insight into how this all operates.

Some important items in that documentation, are highlighted below, but I do encourage you to go and read the doc itself to get all the nitty gritty details

First of all, this entire process is driven by a new site system role called the cloud connection point, which replaces the Microsoft Intune connector site system role. In the current tech preview (Release 3), the cloud connection point needs to be installed on the primary site server and needs internet access. Both of these limitations are expected to be resolved in a subsequent release, and an offline procedure is planned for a future release, as mentioned in the comments section of the blog.

Other limitations: Os language must be English, and you must set your date/time format to this absolutely weird way of throwing days, months and years in some random order called MM-DD-YYYY. Not sure who ever came up with that way of noting dates, but apparently that's what we need to use. In testing and hearing experiences from others, this is the number one deal-breaker: The update process itself seems to be rock-solid, assuming you set your Date/time format accordingly.

New updates are checked for every 7 days, since the install date of the environment. According to the docs a restart of the SMS_executive service triggers the check for updates as well. I'd venture a guess that restarting the SMS_DMP_Downloader might trick it as well, which would be less disruptive. (To be tested).

Once the updates are downloaded you'll find them in Administration > Cloud Services > Updates and Services as available, you can subsequently click Install Update Pack

As a final note, just running the prerequisite checker standalone, from this same node, doesn't work in the current build. Triggering this will perform the install as well.

Feature at work – The server upgrade

  1. Step 1 would be to restart your sms_executive service if the update hasn't arrive in your Updates and Services node.
  2. The update should arrive and be in the downloading state for a while. You can monitor the download progress in the DMPDownloader.log the log should contains lines similar to:

EasySetupDownload thread is starting... $$<SMS_DMP_DOWNLOADER><09-22-2015 21:21:36.981-120><thread=4700 (0x125C)>

Download Easy setup payloads~~ $$<SMS_DMP_DOWNLOADER><09-22-2015 21:21:37.008-120><thread=4700 (0x125C)>

Get url~~ $$<SMS_DMP_DOWNLOADER><09-22-2015 21:21:37.012-120><thread=4700 (0x125C)>

Successfully write the update meta into outbox for package dcd17922-2c96-4bd7-b72d-e9159582cdf2~~ $$<SMS_DMP_DOWNLOADER><09-22-2015 21:40:36.934-120><thread=4700 (0x125C)>

  1. This particular update is somewhere between 800 and 900 Mbytes, so depending on your internet connection speed, it might take a while to download everything. In my particular experience, mumbling "patience is a virtue" over and over again had neither a positive nor negative impact on the download speed.
  2. Once downloaded you should see the update in your <CM Install Folder>\EasySetupPayLoad


  4. If the update arrive your UI should look like the 2 screenshots below, and have the update state listed as Available.

  5. Once the update's state switches to the available state, you can launch the "Install Update Pack" action from the Quick access toolbar, which provides you with the details of the CM Update and the ability to ignore prereq check warnings. (Feel free to leave this unchecked in the current build as warnings are ignored no matter what you select).

  6. Next, you need to read the License agreement, and accept them. Yes, the idea is that you read them first.

  7. Subsequently you can chose to upgrade all your clients at once, or perform testing to a pre-production collection you specify. This ties into the client updating feature that was enhanced in CM2012SP1CU1 to also support cumulative update releases as opposed to the original behavior which only supported service packs.

  8. The rest of the wizard doesn't provide you with any options to configure, find screenshots below for completeness.

  9. At this point the Administration node will list the Update in a state "installing". Depending on your environment this installation might take a while to complete.
  10. Logfiles involved during this upgrade are dmpdownloader.log, sitecomp.log and cmupdate.log and obviously the logs for prereq checking and setup which in my case are looked in the root of the c:\ drive.

  11. In the file system you'll also notice the downloaded files are being copied to a brand new folder in your site server installation called CMUStaging
  12. Upon successful installation the Monitoring\Overview\Site Servicing status should contain a status of installed
  13. And the about screen should contain a version of 1509, please note that the Console versions and Site version remain at 5.0.8299.1000


Feature at work – The admin ui upgrade

Once the server is upgraded, the next time the admin ui is opened you'll be prompted by a message asking you to upgrade your admin UI to the newest version. Much like the request to enable new extensions for Intune when they have arrived. This is a similar system and poses the same challenges, you'll have to be an administrator and have the ability to install the upgrade for this to work successfully.

  1. Again this is a fairly regular install, so you can monitor progress by following the ConfigMgrAdminUISetup and its verbose variant.



Personal observations – Notes from the field Lab

The process appears to be fairly solid in several tests I've ran, as long as you make sure you have the DateTime format set to MM-DD-YYYY, I know, it's an American thing, get over it. They'll come to their senses one day and adopt Metric, 220Volt and a sensible datetime format, and might even come up with a proper name for that sport where you're seldomly allowed to use your foot. (Don't hold your breath, for now).


If you managed to break the upgrade anyway, have a look at the troubleshooting section in the link provide in the documentation section. But it roughly comes down to

  1. Make sure you set the datetime format correctly
  2. Are you 100% positive you verified item 1
  3. Really?
  4. If you goofed up on 1-3 run the following command in SQL Management studio, after typing a full page in Word with the sentence "I am a goof!"

    EXEC spCMUSetUpdatePackageState N'dcd17922-2c96-4bd7-b72d-e9159582cdf2', 262146, N''


5 new WMI classes have surfaced that seem to be related to this feature:

  • SMS_CM_UpdateFeatures (0 Instances, 1 method (UpdateFeatureExposureStatus)
  • SMS_CM_UpdatePackageFeatures (0 Instances, 1 method (UpdateFeatureExposureStatus)
  • SMS_CM_Update_Packages (1 instance with guid of update, 2 methods (IsCurrentWorkingUpdatePackage, updatePrereqAndStateFlags)
  • SMS_CM_UpdatePackageSiteStatus (1 instance with guid of update, no methods)
  • SMS_CM_UpdatePackDetailedSiteStatus (multiple instances with different steps ranging from prereq checking to actual install steps. (State 3, appears to be success (to be validated)


5 new views where created related to the 5 WMI classes above:

  • Vsms_CM_updatefeatures
  • vSMS_CM_UpdatePackageFeatures
  • vSMS_CM_UpdatePackages
  • vSMS_CM_UpdatePackageSiteStatus
  • vSMS_CM_LatestInstalledPackageFeatures

10 Stored procedures have surfaced that appear to be related to this new servicing feature

20 new tables have surfaced that appear to be related to this new servicing feature


"The M in WMI stands for Magic"
""Everyone is an expert at something" Kim Oppalfens - ConfigMgr Expert for lack of any other expertise
System Center Configuration Manager MVP

Can’t create Windows Phone deeplink deployment types due to new store URL’s

July 22, 2015 at 1:53 pm in Intune by The WMI guy

Hi All,

Problem Description:


The powershell script below returns the old url when you input the new url in the variable. The old url returned lets you create the app from the admin ui. Again, don't have a windows phone device enrolled in this environment, so can't test an actual deployment.

#This is the url you can browse to new in internet explorer

# this is the starting part of the old url, it is followed by the app name a guid

#get all links found on the new windows phone url

#cycle through all links


# find a link that starts with ms-windows-store and contains a guid behind appid=


#get the url that is a match for parsing

# get the section of the url behing the appid= and take 36 characters from that point, this gives us the guid


# take the 7th parth from the new url, this gives us the appname


#concatenate the old starting url + the appname + the guid









Early word is that the below procedure does let you create the app just fine, however installing the app would still fail. If you've tested this and actually deployed the app successfully let me know.

One for my fresh new ConfigMgr MVP colleagues, Peter van der woude signaled an issue with creating new Windows Phone deeplink deployment types.

It was signaled to the product team on Connect as well:

This is caused by the windows phone store URL using a brand new url structured like this:

whereas the old url looked something like this:

The problem with this is that adminui.appmanfoundation defines a regular expression that validates the url input.

public static Regex Winphone8DeeplinkUrlPattern;

The new url no longer satisfies the regular expression and as such the wizard doesn't let you save your dt as it inspect the content location textbox before continuing.


As this is a UI thing, as can be identified by the fact that the issue resides in adminUI.appmanfoundation, I quickly assumed that Powershell would "not suffer" from this issue.

And lo and behold, the following powershell commands will create a windows phone dt happily and add it to a previously created app with the name pswpdeeplinktest.

(You still won't be able to edit it in the UI afterwards as the validation will kick back in).

PS C:\> Add-CMDeploymentType -WinPhone8DeeplinkInstaller -InstallationFileLocation '' -ApplicationName 'pswpdeeplinktest'


Keep in mind that Powershell and/or WMI can often "workaround" adminui limitations.

Be carefull though as circumventing these limitations can be both a blessing and a curse.


"The M in WMI stands for Magic"
""Everyone is an expert at something" Kim Oppalfens - ConfigMgr Expert for lack of any other expertise
System Center Configuration Manager MVP

My quest for the RDP deployment type from the ConfigMgr SDK (Part 1)

July 6, 2015 at 9:02 am in ConfigMgr by The WMI guy

Serious Windows 7 32bit software update problem

March 30, 2015 at 3:17 pm in ConfigMgr, SCCM by The WMI guy

Hi All,

A growing number of customers is contacting us about the issue going on below on their Windows 7 32 bit machines. I don't often ask people to distribute my blog information further. But quite a few customers should probably be warned for this issue.

Problem description

An issues exists at present where Windows 7 32 bit machines will reply compliant/installed on any software update they scan for, even the ones that aren't installed.

I have customers reporting updates failing to install because of this, and one where Cumulative Updates for ConfigMgr started reporting compliant without them creating a deployment for the updated client.

The problem can be seen at the client side in the Windowsupdate.log. When your log contains the following text "

GetWARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E "

You're probably another victim of this terrible issue. The concern here is that a lot of environments might be unaware they have this issue, as nothing will point it out when looking at things centrally from the Admin UI. Clients will just report compliant on all their software update deployments.

Identifying the problem in your environment

The easiest way I could come up with to identify this problem in your environment is to create a configuration item to detect it. To do this:

  1. create a script configuration item.

  2. Select All Windows 7 32 bit as the supported platform

  3. Use String as the data type

  4. Choose powershell as your script language of choice

  5. Paste the following text in the discovery script:select-string-pattern'GetWARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E'-path"$env:windir\windowsupdate.log"

  6. Add the configuration item to a Configuration baseline

  7. Deploy the configuration baseline to All Windows 7 32bit machines

  8. The report list of assets by compliance state for a given baseline is a good report to check the results.

  9. !!!! Any machines reporting compliant to this baseline have a serious issue as they won't install any software updates, yet report compliant on all !!!!


Possible workarounds

    1. Decline unneeded updates within the WSUS server (Declined updates do not get offered to clients during scans.)

      1. Unneeded updates include superseded updates, updates for products and/or classifications that are not present in the client environment, and expired updates.

      2. You can manually decline the updates within the WSUS console or use a script method . NOTE:  Always backup the WSUS database (SUSDB) prior to performing any changes like this.

      3. After declining unneeded updates, re-index the susdb, and run WSUS Server Cleanup Wizard:

  • Set user VA to 3072 MB: bcdedit /set IncreaseUserVA 3072

    1. This will free up another GB of memory in user space..

    2. This does require a restart of the machine.

    3. It’s possible some machines or applications may have problems when this setting is enabled



  1. Move wuauserv to its own SVCHost instance running following commands in elevated command prompt:

    1. Net stop wuauserv

    2. ‘sc config wuauserv type= own’

    3. Net start wuauserv

More details:

You can find the nitty gritty details and soulmates in this forum post.

Technorati Tags: SystemCenter
Tags van Technorati: SCCM,ConfigMGr

"The M in WMI stands for Magic"
""Everyone is an expert at someting" Kim Oppalfens - ConfigMgr Expert for lack of any other expertise
System Center Configuration Manager MVP

Technet Library Bing search Providers are back

January 23, 2015 at 3:55 pm in CMCE, ConfigMgr, ConfigMgr by The WMI guy

Hi All,

Because I messed up my lab, the search provider buttons to install the System Center Search providers have been offline for a while.

A certain individual (Brainy dude from Minesoooota) gave me a rough time about it, so today I put in an effort to get them back online.

People that have a desire for search providers for different sections can let me know through the comments section at the bottom of this post or @thewmigy

These search providers use Bing as Google as a search engine lacks support for the Meta keyword that is used in them. Should anyone know how to use google to achieve the same thing, just let me know on twitter @thewmiguy. Likewise, if anyone wants these to use Yahoo,again, just let me know.
I put the buttons up on an Office 365 webpage as wordpress appears to be quirky when trying to use buttons in a post. S
Install instructions:
1) browse to
2) Click the button for the search provider to install and click Ok

Usage instruction IE
1) In the address bar click the arrow pointing down
2) Hover over the search providers and select the one you want to use
3) Type the search string in the address bar and press enter

Usage instructions Google Chrome
1) In the address bar type the Name you've given your search provider, press enter
2) Eg: CM12 "Software Updates"

Technorati Tags:
Tags van Technorati: ,

"The M in WMI stands for Magic"
""Everyone is an expert at someting" Kim Oppalfens - ConfigMgr Expert for lack of any other expertise
System Center Configuration Manager MVP