Intune Decrypt Files Protected by WIP Policy

Let’s learn about Intune Decrypt Files Protected by WIP Policy. Windows Information Protection (WIP) is Microsoft’s solution for protecting against accidental data leakage. WIP is fully supported on Windows 10 Anniversary Update (1607) and later versions. This post covers how to decrypt files protected by an Intune/SCCM WIP policy.

Certificates Details – Intune/SCCM WIP Policies – An Encrypting File System (EFS) Data Recovery Agent (DRA) certificate is created and used in WIP policies. The cipher /r command is used to create it; it produces the EFSDRA.CER and EFSDRA.PFX files.

EFSDRA.CER is used to encrypt data under WIP policies; the EFSDRA.PFX file contains your private key, which is used during decryption. I have a post that explains “How to Create, Configure, and Deploy Windows 10 WIP Policies Using SCCM and Intune.”

We may need to go through the migration process towards modern management. This happened during one of the user migrations, and it didn’t go well. The user’s files were encrypted with the WIP policy. The user unenrolled and reenrolled his Windows 10 device as part of troubleshooting.

Intune Decrypt Files Protected by WIP Policy – Fig.1

Issue Statement – Personal Files Encrypted with WIP Policy – Intune Decrypt Files Protected by WIP Policy

Access to the protected files was revoked during troubleshooting and unenrollment from Intune. The user can’t open any files because those files are encrypted using the WIP policy and certificate. The user re-enrolled the device to Intune, but the WIP certificate still locks the protected files.

How to Decrypt WIP-Protected Files

To decrypt the protected files, you need to import the PFX file to the computer where you want to perform the decryption process. You must be very careful because of the private keys in your DRA. The PFX file can be used to decrypt any WIP file.

The PFX file must be stored offline, keeping copies on a smart card with strong protection for regular use. It’s better to keep master copies in a secured physical location.

1. Import EFSDRA.PFX

Intune Decrypt Files Protected by WIP Policy – Fig.2

Double-click on the EFSDRA.PFX file to start the certificate import wizard. This wizard helps import the certificate to the user’s machine. Make sure you select Store Location as a Current user.

Browse and select the EFSDRA.PFX file to import. The private key PFX is protected with a secure password, which you must enter to proceed with the certificate import wizard. In the import options, make sure you select “Include all extended properties.”

Select the certificate store in the import wizard. The best option is the default, “Automatically select the certificate store based on the type of certificate.” Complete the certificate import wizard.

Confirm that the PFX file (certificate and private key) was imported successfully into Certificates – Current User – Personal – Certificates. Check the Intended Purposes column in the console for a certificate that lists File Recovery.

Intune Decrypt Files Protected by WIP Policy – Fig.3

2. Cipher /d Command to Decrypt the Files

Confirm that the private key (PFX) is imported into the machine’s certificate store. The next step is to run cipher /d “File_Name.XXX” from the directory where the protected files are stored.

  C:\>cipher /d "SCCM Intune.docx"

  Decrypting files in C:\WINDOWS\system32\

  SCCM Intune.docx [OK]

  1 file(s) [or directories(s)] within 1 directories(s) were decrypted.
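Steps 1 and 2 above as one script. This is an added example, not code from the original post: it imports the DRA PFX into the current user’s Personal store, checks that the certificate really is a File Recovery certificate with a private key, decrypts the WIP-protected files under one folder with cipher /d, and then removes the DRA key from the device. $PfxPath and $TargetDir are assumed paths.

```powershell
# Added example, not from the original post. $PfxPath and $TargetDir are assumptions.
param(
    [string]$PfxPath   = 'D:\Recovery\EFSDRA.PFX',     # assumed: offline media holding the DRA PFX
    [string]$TargetDir = "$env:USERPROFILE\Documents"   # assumed: folder with the user's protected files
)
$ErrorActionPreference = 'Stop'

# 1. Import the PFX into Certificates - Current User - Personal (the wizard's default store).
$pfxPassword = Read-Host -Prompt 'DRA PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword

# 2. Verify the certificate carries the EFS "File Recovery" EKU (OID 1.3.6.1.4.1.311.10.3.4.1)
#    and that its private key came with it; without either, cipher /d cannot recover anything.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasFileRecovery = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid })
if (-not $hasFileRecovery) { throw "Certificate $($cert.Thumbprint) is not a File Recovery (DRA) certificate." }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) was imported without its private key." }

# 3. Enumerate encrypted files on local drives without changing them (cipher /u /n) and keep
#    only the ones under the target folder, so nothing outside it is touched.
$encrypted = & cipher.exe /u /n /h |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -like "$TargetDir\*" }
Write-Host "Encrypted files under ${TargetDir}: $($encrypted.Count)"

# 4. Decrypt each file and record the outcome; cipher prints "[OK]" next to a decrypted name.
$results = foreach ($file in $encrypted) {
    $output = & cipher.exe /d $file 2>&1 | Out-String
    [pscustomobject]@{
        File    = $file
        Success = ($LASTEXITCODE -eq 0) -and ($output -match '\[OK\]')
        Detail  = $output.Trim()
    }
}
$results | Format-Table File, Success -AutoSize

# 5. Remove the DRA private key from this machine once the files are recovered, so a key
#    that can decrypt any WIP file does not stay resident on an end-user device.
Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Remove-Item -DeleteKey
```

Files that show Success = False keep their Detail text from cipher, which is where an "access denied" or wrong-key message would appear.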

Troubleshooting – Check the WIP Logs

WIP troubleshooting can be done through Windows event logs. Navigate to Applications and Services Logs\Microsoft\Windows, then open EDP-Audit-Regular and EDP-Audit-TCB.

Intune Decrypt Files Protected by WIP Policy – Table 1: EDP-Audit-TCB event (Check the WIP Logs)
Log Name: Microsoft-Windows-EDP-Audit-TCB/Admin
Source: Microsoft-Windows-EDP-Audit-TCB
Date: 25-11-2017 10:54:03
Event ID: 101
Task Category: None
Level: Information
Keywords: Windows Information Protection Audit Protection Removed Keyword
User: ANOOP-SURFACE-B\Anoop C Nair
Computer: Anoop-Surface-Book
Description:
Enterprise ACNS.COM tag has been removed (Protection removed) from the file: C:\Users\Anoop C Nair\Pictures\SCCM 1710\Overview SCCM Co-Mgmt CMG.jpg
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-EDP-Audit-TCB" Guid="{}" />
 <EventID>101</EventID>
 <Version>0</Version>
 <Level>4</Level>
 <Task>0</Task>
 <Opcode>0</Opcode>
 <Keywords>0x8000000889787810</Keywords>
 <TimeCreated SystemTime="2017-11-25T05:24:03.294238400Z" />
 <EventRecordID>15</EventRecordID>
 <Correlation />
 <Execution ProcessID="876" ThreadID="11836" />
 <Channel>Microsoft-Windows-EDP-Audit-TCB/Admin</Channel>
 <Computer>Anoop-Surface-Book</Computer>
 <Security UserID="" />
 </System>
Intune Decrypt Files Protected by WIP Policy – Fig.4
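To check the same channel without clicking through Event Viewer, here is an added example (not from the original post) that reads the ID 101 "Protection removed" events from Microsoft-Windows-EDP-Audit-TCB/Admin and pulls the enterprise tag and file path out of each message. The message regex is an assumption based on the one sample event above.

```powershell
# Added example, not from the original post. The regex is an assumption built from the
# sample message "Enterprise ACNS.COM tag has been removed (Protection removed) from the file: ...".
function Get-WipProtectionRemovedEvent {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-EDP-Audit-TCB/Admin'   # channel from the event shown above
        Id        = 101                                       # "Protection removed" event
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        ForEach-Object {
            $tag = $null; $file = $null
            if ($_.Message -match 'Enterprise\s+(\S+)\s+tag has been removed.*?from the file:\s*(.+?)\s*$') {
                $tag  = $Matches[1]
                $file = $Matches[2]
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                RecordId    = $_.RecordId
                UserSid     = $_.UserId      # empty in the sample event, populated on most systems
                Enterprise  = $tag
                File        = $file
            }
        }
}

# Per-enterprise count of files that lost protection in the window, then the file list.
$events = Get-WipProtectionRemovedEvent -Since (Get-Date).AddDays(-1)
$events | Group-Object Enterprise | Select-Object Name, Count | Format-Table -AutoSize
$events | Sort-Object TimeCreated | Format-Table TimeCreated, Enterprise, File -AutoSize
```

Comparing the file list against the files you intended to decrypt confirms the DRA key was not used on anything else.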

Resources

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Video Tutorial SCCM 1710 New Features Overview Plus Upgrade Guide

Microsoft SCCM team released the latest production version 1710 of SCCM/ConfigMgr. The version is published as an opt-in option. This SCCM 1710 production version release won’t show automatically in your SCCM console.

This release is called the Fast Ring production release of SCCM 1710. This post will see “SCCM 1710 New Features Overview Plus Upgrade Guide.”

Before upgrading, it would be interesting to check out the differences between the 1706 and 1710 versions. I have a video post titled “Differences Between SCCM ConfigMgr CB 1710 and 1706.”

SCCM/ConfigMgr CB 1710 production update is applicable only for the SCCM CB 1610 and later. For example, if your SCCM environment is running with the SCCM CB 1606 version, this 1710 version won’t be visible to your environment.


Upgrade Path – SCCM 1710 Production

To access the SCCM CB 1710 production version, you need to upgrade from 1606 to 1610. Once you have completed that upgrade and are in the 1610 version of SCCM CB, you can update it to the 1710 version.

Video Tutorial SCCM 1710 New Features Overview Plus Upgrade Guide – Fig.1

How to Get the Opt-in Version of SCCM 1710?

The SCCM 1710 update will be rolled out globally in the coming weeks and will be automatically downloaded. Once this update is rolled out globally, you don’t need to run the PowerShell script. Moreover, when it is ready to install, SCCM admins will be notified from the “Updates and Servicing” node.

Do you want to be an early adopter of SCCM CB 1710? If so, run the PowerShell script: SCCM ConfigMgr 1710: Enable Early Update Ring.

Video Tutorial SCCM 1710 New Features Overview Plus Upgrade Guide – Fig.2

New Features of SCCM 1710 Production Version

The SCCM CB 1710 Production version has 7 pre-release features and 20 Release Features. The video tutorial provides more details about the upgrade and new features.

Video Tutorial SCCM 1710 New Features Overview Plus Upgrade Guide – Fig.3

SCCM CB 1710 Software center can have your organization logo and other branding options without an Intune subscription, which is very useful for organizations. To configure these branding options, navigate to client settings, open custom client Policy settings, and click on the software center.

  • Peer cache is no longer a pre-release feature
  • Cloud DP supports Azure Govt Cloud
  • Co-Management
  • Identify the devices that require a restart and restart using the client notification channel.
  • Improvements in Run Script option – Security Scope, Real-time monitoring, and parameter
  • Software Center 250×250 icon
  • OSD – Parent-Child nested Task Sequence
  • Software Center – Enterprise Branding
  • Software Update – Surface Driver Update is no longer a pre-release feature
  • Telemetry level setting in Client settings
  • Limited support for Cryptography: Next Generation (CNG) certificates
  • Exploit Guard policies
  • Windows Defender Application Guard policy
  • Device Guard policy changes
Video Tutorial SCCM 1710 New Features Overview Plus Upgrade Guide – Fig.4

SCCM Software Center Branding without Intune subscription

The software center has many more granular options to collect the Windows 10 telemetry data from SCCM client machines. This option is available under the Windows Analytics tab in the SCCM software center.

Video Tutorial SCCM 1710 New Features Overview Plus Upgrade Guide – Fig.5

What is New in SCCM 1710 Scripts Options?

The following two points are improvements in the SCCM 1710 script options. You can scope scripts in and out depending on your requirements.

  • Security scope option for Run Script
  • Graphical Representation of Run Script Results

Another exciting feature released in the 1710 production version is real-time graphical output for the Run Script option. I have a post and video tutorial on “Real-Time Graphical Representation SCCM Run Script Results.”

Video Tutorial SCCM 1710 New Features Overview Plus Upgrade Guide – Fig.6


Configuration Manager SCCM CB Preview 1711 Upgrade New Features ConfigMgr

This post and video tutorial will cover the SCCM CB preview 1711 upgrade and new features. This is not a production version of SCCM CB.

Hence, we are not supposed to install this version in production environments. SCCM CB 1711 is the preview version and should be installed only in a lab environment.

The preview version does not allow us to install CAS and secondary servers, and the prerequisite for installing the SCCM CB 1711 preview version has not changed.

The SCCM CB update and servicing process are the same as before. Once the latest version of the preview is released, the update will be available in the SCCM console.

What is the Importance of SCCM Preview Releases?

The SCCM CB preview version is similar to the Windows Insiders program, which helps SCCM admins test the new SCCM CB features. Before installing this technical preview, you can review the limitations of the SCCM CB version.


When all features from a technical preview release are available in the minimum supported version of the current branch, the details of that preview version are removed from the table shown in the screenshot below.

Configuration Manager SCCM CB Preview 1711 Upgrade New Features ConfigMgr – Fig.1

How to Create an SCCM CB Preview Version Lab Environment?

Have you installed an SCCM CB preview version? If not, you can download the latest baseline version of ConfigMgr SCCM CB Technical Preview. One version of the SCCM preview has a maximum validity of only 3 months (90 days).

How to Upgrade to the Latest Version of SCCM CB Preview?

The update will automatically get downloaded to your server. Right-click on the update and select “Install Update Pack” to start the upgrade process.

Configuration Manager SCCM CB Preview 1711 Upgrade New Features ConfigMgr – Table 1: update context menu options – Install Update Pack, Run prerequisite check, Retry installation, Ignore prerequisite warnings, Promote Pre-production Client, Download
Configuration Manager SCCM CB Preview 1711 Upgrade New Features ConfigMgr – Fig.2

New Features of SCCM CB 1711 Preview Version

Following are the three highlighted features of the SCCM CB 1711 preview version. Ronni has also blogged about another exciting feature; more details are in his post “SCCM: Enable Desktop Clients as PXE Servers.”

  • Improvements to run task sequence step
  • Allow user interaction when installing an application
  • New compliance policies for Windows 10

Nesting of task sequences: In the task sequence editor, click Add, select General, and click Run Task Sequence. Click Browse to choose the child task sequence.

Allow user interaction when installing an application: you can allow an end user to interact with an application installation while the task sequence is running.

During the task sequence progress, the application installation interface appears on the target end-user device. The task sequence progress pauses until the end-user completes the application installation workflow.

New compliance policy options for Windows 10: You can check whether the Firewall software is enabled on Windows 10 machines. If not enabled, you can block access to company resources. You can also check whether UAC is enabled on Windows machines.

If not enabled, you can block access to company resources. Defender verification is also possible via Windows 10 compliance policies through the SCCM console.

Resources

Capabilities in Technical Preview 1711 for System Center Configuration Manager


How to Setup SCCM Azure AD User Discovery ConfigMgr

Let’s learn how to set up SCCM Azure AD User Discovery ConfigMgr. The Azure Active Directory user discovery feature was added to SCCM in 1706 and later versions.

Azure AD user discovery helps deploy applications to Azure AD users. It enables the deployment of apps to AAD users in a co-management scenario. 

Azure AD User Discovery can be configured from the Administration workspace – Cloud Management. This post will see “Video Tutorial on How to Setup SCCM Azure AD User Discovery.”

SCCM Azure AD user discovery involves discovering specific users from Azure AD. The details of these users will be stored in SCCM DB.

Video – How to Setup SCCM Azure AD User Discovery ConfigMgr

Let’s review the video walkthrough of the Azure AD user discovery setup in SCCM. How to Configure Azure Active Directory User Discovery with SCCM – YouTube.

How to Setup SCCM Azure AD User Discovery ConfigMgr – Video 1

What is SCCM Azure AD User Discovery?

This provides deeper visibility of Azure AD user properties, which SCCM could use to target Azure AD users’ applications.

Where are Azure AD User Discovery Configurations?

In the SCCM console, navigate to Administration – Cloud Services – Azure Services – Cloud Management. You don’t have to use the Azure portal to create the server and client applications.

Instead, the following SCCM Azure service Wizard helps create apps in Azure and schedule the Azure AD User Discovery configurations.

How to Setup SCCM Azure AD User Discovery ConfigMgr – Fig.1

How Do You Create Azure Server and Client Apps from the SCCM Console?

As part of the Azure AD user discovery process, we must create connectivity between the on-prem SCCM CB server and Azure AD. This is done through Azure server-side and client-side applications (more details in the section below). We can create these apps using the Azure Services Wizard in the SCCM console.

We need to create Azure Apps using Azure AD admin credentials. Once successfully authenticated with Azure AD, SCCM helps you create the two apps mentioned in the screenshot below.

Creating the applications is straightforward, as shown in the video tutorial. Enter the Application Name, Home Page URL, and App ID URI; the URL does not need to point to a working site. The secret key validity period is one year, and you sign in with the Azure AD admin account.

The Azure AD tenant name populates automatically when you authenticate with Azure AD. The server running the SCCM console needs an internet connection.

How Do You Configure Azure AD User Discovery Settings?

Unlike SCCM Active Directory discovery, configuring SCCM Azure AD user discovery does not allow you to select a particular OU. Instead, the discovery runs for the entire tenant.

The Azure Services Wizard offers the option to Enable Azure AD discovery settings. Configure the settings to discover resources in Azure AD. When the resources are discovered, SCCM CB creates records in its Database. The SCCM Azure AD user discovery Schedule has two options.

The default settings for complete Azure AD user discovery occur every 7 days. The delta discovery interval is 5 minutes. Delta discovery finds resources in Azure AD that have been new or modified since the last discovery cycle.

  • Full Azure AD User Discovery
  • Delta Azure AD User Discovery

Permission Required for SCCM Azure AD User Discovery

We have created two Azure apps (Server and Client) in the Azure App Registration blade. Select the server application and client application – click on Settings and select the Required Permission button.

Click on Grant Permissions to provide SCCM access to discover the Azure AD users. Repeat the same steps for the Client application.

Watch the video tutorial to learn more details about SCCM Azure AD User Discovery.

How to Setup SCCM Azure AD User Discovery ConfigMgr – Fig.2

Troubleshooting – SCCM Azure AD User Discovery – Issues

SMS_AZUREAD_DISCOVERY_AGENT.log is where you can trace the details of Azure AD User Discovery.

Full Azure AD User Discovery Sync – Details

Full discovery sync details of Azure AD user discovery are recorded in the log file called SMS_AZUREAD_DISCOVERY_AGENT.log.

Initializing Task Execution Manager instance as SMS_AZUREAD_DISCOVERY_AGENT. $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:22.056-330><thread=4184 (0x1058)>
Starting component SMS_AZUREAD_DISCOVERY_AGENT~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:22.165-330><thread=4184 (0x1058)>
Component SMS_AZUREAD_DISCOVERY_AGENT started successfully.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:22.712-330><thread=4184 (0x1058)>
Azure AD Discovery Worker starts.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.353-330><thread=4204 (0x106C)>
Subscribing to Registry Hive: LocalMachine, KeyPath: SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_AZUREAD_DISCOVERY_AGENT, FilterType: ValueChange, WatchSubTree: False~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.369-330><thread=4204 (0x106C)>
Registry Watcher started~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.385-330><thread=4204 (0x106C)>
Successfully subscribed listener to registry key.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.385-330><thread=4204 (0x106C)>
AAD sync manager for cloud service ID=16777217 started. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:44.541-330><thread=4204 (0x106C)>
Full sync for cloud service ID=16777217 will start immediately. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:44.604-330><thread=4204 (0x106C)>
Graph API version changed to 1.6~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:45.510-330><thread=4204 (0x106C)>
Query batch size changed to 100~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:45.526-330><thread=4204 (0x106C)>
Max Json length changed to 33554432~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:45.572-330><thread=4204 (0x106C)>
AAD full sync initialized for tenant 67bb8c6d-7266-4faa-a290-5edd572c2210, with server app 7f81b297-e94e-4767-b44a-b0a191f32989.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:46.416-330><thread=4204 (0x106C)>
ERROR: Sync request failed. Error: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Service returned error. Check

Delta Azure AD User Discovery sync – Details

Let’s find out more details from the log files SMS_AZUREAD_DISCOVERY_AGENT.log.

INFO: UDX was written for user TESTSyc@anoopc.onmicrosoft.com - C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\userddrsonly\___mrxm4stp.UDX at 06-11-2017 16:10:11.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.412-330><thread=2552 (0x9F8)>
Successfully published UDX for Azure Active Directory users.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.453-330><thread=2552 (0x9F8)>
Total AAD Users Found: 1. Total AAD User Record Created: 1~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.536-330><thread=2552 (0x9F8)>
AAD delta sync completed successfully at 16:10:11. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.612-330><thread=2552 (0x9F8)>
Next DELTA sync for cloud service 16777217 will start at 11/06/2017 16:15:11.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.665-330><thread=2552 (0x9F8)>
AAD delta sync initialized for tenant 67bb8c6d-7266-4faa-a290-5edd572c2210, with server app 7f81b297-e94e-4767-b44a-b0a191f32989.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:15:11.763-330><thread=2552 (0x9F8)>
Successfully acquired access token for server app. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:15:11.866-330><thread=2552 (0x9F8)>
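The two log excerpts above share the Configuration Manager log line format, "message~~ $<component><MM-dd-yyyy HH:mm:ss.fff-bias><thread=...>". Here is an added example (not from the original post) that parses that format and pulls out the ERROR lines and the "Total AAD Users Found" counters from SMS_AZUREAD_DISCOVERY_AGENT.log. The sample lines are constructed from the excerpts above with placeholder tenant and app IDs; the log path in the comment is the default install location and is an assumption.

```powershell
# Added example, not from the original post. Sample lines are constructed; the log path is assumed.
function ConvertFrom-CMLogLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # '~~' ends the message; the $<...> block carries component, local time, a UTC bias in
        # minutes (-330 here: the site server runs at UTC+5:30) and the thread id.
        $pattern = '^(?<msg>.*?)~~\s*\$<(?<comp>[^>]+)><(?<date>\d{2}-\d{2}-\d{4}) (?<time>\d{2}:\d{2}:\d{2}\.\d{3})(?<bias>[+-]\d+)><thread=(?<tid>\d+)'
        if ($Line -match $pattern) {
            $local = [datetime]::ParseExact("$($Matches.date) $($Matches.time)",
                                            'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            [pscustomobject]@{
                LocalTime = $local
                UtcTime   = $local.AddMinutes([int]$Matches.bias)   # bias is added to local time to reach UTC
                Component = $Matches.comp
                Thread    = [int]$Matches.tid
                IsError   = [bool]($Matches.msg -match '^\s*ERROR:')
                Message   = $Matches.msg.Trim()
            }
        }
    }
}

# Constructed sample based on the excerpts in the post (IDs replaced by placeholders).
$sampleLog = @'
AAD full sync initialized for tenant <TENANT-ID>, with server app <SERVER-APP-ID>.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:46.416-330><thread=4204 (0x106C)>
ERROR: Sync request failed. Error: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Service returned error.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:47.120-330><thread=4204 (0x106C)>
Total AAD Users Found: 1. Total AAD User Record Created: 1~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.536-330><thread=2552 (0x9F8)>
AAD delta sync completed successfully at 16:10:11. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.612-330><thread=2552 (0x9F8)>
'@ -split "`r?`n"

$entries = $sampleLog | ConvertFrom-CMLogLine
# On the site server, read the real file instead (assumed default path):
# $entries = Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\SMS_AZUREAD_DISCOVERY_AGENT.log' | ConvertFrom-CMLogLine

# Errors first: token acquisition and Graph query failures show up here.
$entries | Where-Object IsError | Select-Object UtcTime, Message | Format-List

# Then the result of each sync: users found in Azure AD versus user records (UDX) created.
$entries | ForEach-Object {
    if ($_.Message -match 'Total AAD Users Found: (\d+)\. Total AAD User Record Created: (\d+)') {
        [pscustomobject]@{ LocalTime = $_.LocalTime; Found = [int]$Matches[1]; Created = [int]$Matches[2] }
    }
} | Format-Table -AutoSize
```

A Found count that is consistently higher than Created is the signal to look at the DDR inbox (ddm.box) rather than at Azure AD permissions.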


25 Years ConfigMgr Special Microsoft MVP Summit at Redmond SCCM Configuration Manager

25 Years ConfigMgr Special Microsoft MVP Summit at Redmond SCCM Configuration Manager. It’s a great experience to work with the Microsoft SCCM product group and fellow MVPs to brainstorm and enhance SCCM/ConfigMgr. Microsoft MVP Summit 2017 is special for SCCM MVPs because ConfigMgr reached its 25th anniversary.

SMS’s (the previous version of SCCM) device management journey started in 1992. This post will give us more details about the “25 Years ConfigMgr and Special Microsoft MVP Summit at Redmond.”

I started working with SMS 2003 back in 2005, which was the early stages of my IT career. I enjoyed my career as an SCCM admin, which changed my life.

SCCM has evolved over the years, and so has my career. I switched cities and jobs, but not the product I love.


It’s a great experience working very closely with the SCCM product group (developers) and understanding their side of the story. The SCCM product team is developing new, exciting features and getting ready for the next SCCM CB preview release. Loads of innovations are also planned for the SCCM CB 1802 release.

25 Years ConfigMgr Special Microsoft MVP Summit at Redmond SCCM Configuration Manager – Fig.1

This is my third trip to Redmond, and it’s always exciting to learn more about the insides of SCCM products. It was also great to participate in brainstorming sessions with the SCCM product group. The SCCM product team is always ready to listen to MVPs’ real-world challenges and provide solutions for those challenges.

Hear from SCCM Product Group 25 Years ConfigMgr


Windows 10 Upgrade Using SCCM Task Sequence

Windows 10 Upgrade Using SCCM Task Sequence. In the previous post, I explained how to Create a Windows 10 1709 Upgrade Task Sequence in SCCM CB.

I didn’t provide details about distributing the Windows 10 1709 content to DPs, Deploying the Task Sequence, or describing the end-user experience of this type of upgrade.

In this post, we will experience the Windows 10 1709 upgrade using the SCCM Task Sequence in video form. The SCCM admin should ensure that the Windows 10 1709 upgrade package is distributed to all the required DPs and that all the contents referenced in the task sequence are replicated to DPs.

We can start the content distribution from the Windows 10 1709 upgrade task sequence. Right-click on the Task Sequence and click on Distribute Content. This action will initiate the content distribution of all the pending packages.

Learn How to Windows 10 1709 Upgrade Using SCCM Task Sequence – Windows 10 Upgrade Using SCCM Task Sequence

Ensure all the referenced packages in the task sequence are successfully replicated to your DPs. Otherwise, the Windows 10 1709 upgrade will fail. 

Windows 10 Upgrade Using SCCM Task Sequence – Video 1

SCCM CB Server-Side Preparation for Windows 10 1709 Upgrade – Distribute Required Contents to DPs

Once the content of all the required applications, packages, and OS upgrade packages have been replicated to DPs, then we can create a deployment. The Task Sequence should be deployed to your environment’s required Windows 10 machines.

More details are in the video tutorial “Learn How to Windows 10 1709 Upgrade Using SCCM Task Sequence.”

Windows 10 Upgrade Using SCCM Task Sequence – Fig.1

Deploy the Task Sequence to Windows 10 1703 Machines

But, don’t deploy the Windows 10 upgrade task sequence to all the Windows 10 1703 machines. The upgrade should be a phase-wise approach. Initially, we should deploy this upgrade task sequence to a couple of Windows 10 machines.

Once those two deployments are successful, we can deploy the task sequence to the next set of test devices. In my opinion, we should start the Windows 10 upgrade deployment as “Available.” The optional task sequence empowers users to upgrade their machines to 1709 whenever they want to.

Right-click on the Task Sequence and click on the “Deploy” option. More details are in the video tutorial “Learn How to Windows 10 1709 Upgrade Using SCCM Task Sequence.”

Windows 10 Upgrade Using SCCM Task Sequence – Fig.2

Windows 10 Client-Side Experience of Upgrade Process

Windows 10 1709 upgrade task sequence will be available in the Software Center. We have created the Windows 10 1709 upgrade task sequence as an optional deployment.

The user must open the Software Center and start the upgrade process. As the video shows, this can be done by clicking on the “Install” button.

Windows 10 Upgrade Using SCCM Task Sequence – Table 1: Software Center > Operating Systems > Windows 10 Enterprise Upgrade
Windows 10 Upgrade Using SCCM Task Sequence – Fig.3

All the task sequence steps explained in my previous post are performed as part of the Windows 10 1709 upgrade. The SCCM Windows 10 1709 Upgrade Task Sequence provides more details about the steps.

Windows 10 devices will experience multiple restarts during the upgrade process, as explained in the following video. For more details, see “Learn How to Windows 10 1709 Upgrade Using SCCM Task Sequence.”

Windows 10 Upgrade Using SCCM Task Sequence – Fig.4


FIX SCCM Update Download Issue with Update Reset Tool

Let’s try to fix the SCCM Update Download Issue using the Update Reset Tool. Have you faced the SCCM CB update getting stuck in the “Downloading” state?

I have seen SCCM CB updates get stuck in the downloading stage. However, in most scenarios, a service restart resolves this issue. This post will see “CM Update Reset Tool Fixes SCCM CB Update Download Issue.”

The other issue I encountered was that the REDIST prerequisite files were not being downloaded. I could see errors related to the REDIST file download in ConfigMgrSetup.log: “Failed to download redist,” as discussed in the following section of the post.

Beginning with version 1706, SCCM primary sites and the CAS include the Configuration Manager Update Reset Tool, CMUpdateReset.exe. The tool is used to fix issues when in-console updates have problems downloading or replicating. It is found in the \cd.latest\SMSSETUP\TOOLS folder of the site server.

Issue Statement – SCCM CB Update Stuck in Downloading State – FIX SCCM Update Download Issue with Update Reset Tool

Let’s check the Issue Statement here. The SCCM CB Update is Stuck in Downloading state, and I’m trying to find a solution to fix the issue.

I checked the size of the folder C:\Program Files\Microsoft Configuration Manager\EasySetupPayload. And the size was over 1 GB. I tried to restart the SMS Executive service a couple of times without any luck.

DMPDownloader.log

Let’s quickly check the log files to understand the FIX SCCM Update Download Issue.

ERROR: HasIntuneSubscription has failed to run query fn_HasIntuneSubscription with following exception : System.Data.SqlClient.SqlException (0x80131904): Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. This could be because the pre-login handshake failed or the server was unable to respond back in time. The duration spent while attempting to connect to this server was - [Pre-Login] initialization=4997; handshake=15872; ---> System.ComponentModel.Win32Exception (0x80004005): The wait operation timed out~~ at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity
ERROR: Failed to download redist for c410f586-cf7a-4279-b963-139606fc25be with command /RedistUrl http://go.microsoft.com/fwlink/?LinkID=855656 /LnManifestUrl http://go.microsoft.com/fwlink/?LinkID=855641 /RedistVersion 201710 /NoUI "\\SCCMTP1.INTUNE.COM\EasySetupPayload\c410f586-cf7a-4279-b963-139606fc25be\redist"

What is the CMUpdateReset.exe Tool? CM Update Reset Tool

CMUpdateReset.exe is the Configuration Manager Update Reset Tool. Microsoft ships this free tool with Configuration Manager; it lives in the cd.latest\SMSSETUP\TOOLS folder on the site server.

The CM Update Reset Tool is a command-line tool that must be run from the topmost site server in the SCCM hierarchy. It helps SCCM admins fix issues when SCCM CB in-console updates have problems downloading or replicating.

The CM Update Reset Tool is in the folder \cd.latest\SMSSETUP\TOOLS. Run it from the CAS or, in a hierarchy without a CAS, from the standalone primary site server; its -S parameter points at the SQL Server that hosts the top-tier site database. For more details, see the video tutorial to fix SCCM CB updates stuck in Downloading.

FIX SCCM Update Download Issue with Update Reset Tool – Video 1

Prerequisites – FIX SCCM Update Download Issue with CM Update Reset Tool

The account you use to run the tool (CM Update Reset Tool) requires the following permissions:

  • Read and Write permissions to the site database of the central administration site and each primary site in your hierarchy. To set these permissions, you can add the user account as a member of the db_datawriter and db_datareader fixed database roles on the Configuration Manager database of each site. The tool does not interact with secondary sites.
  • Local Administrator on the top-level site of your hierarchy.
  • Local Administrator on the computer that hosts the service connection point.

The tool (CM Update Reset Tool) must be run on the top-level site of the hierarchy. When you run the tool, use command-line parameters to specify:

  • The SQL Server at the top-tier site of the hierarchy
  • The site database name at the top-tier site
  • The GUID of the update package you want to reset
FIX SCCM Update Download Issue with Update Reset Tool – Table 1

NOTE! – For the latest information, see https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/update-reset-tool#prerequisites
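The tool checks most of these prerequisites itself and stops on the first failure, so it is worth verifying them up front. Here is an added example (not part of this post or of Microsoft’s tool) that runs the same checks from Windows PowerShell 5.1 on the top-level site server: the tool is where it should be, the account is a local Administrator here and on the service connection point host, it holds db_datareader and db_datawriter (or a superset) on the top-tier site database, and the two services the tool verifies are running. The server, database and path values are assumptions taken from the lab names used in this post.

```powershell
# Added example (not part of the HTMD post or of Microsoft's tool): pre-flight checks for
# the account that is about to run CMUpdateReset.exe. Server, database and path values are
# assumptions taken from the lab names in this post. Windows PowerShell 5.1, run elevated
# on the top-level site server.
param(
    [string]$SqlServer   = 'SCCMTP1.Intune.com',   # value you will pass as -S
    [string]$SqlInstance = '',                     # value you would pass as -I (blank = default instance)
    [string]$Database    = 'CM_TP1',               # value you will pass as -D
    [string]$SiteServer  = 'SCCMTP1.Intune.com',   # top-level site server
    [string]$ScpServer   = 'SCCMTP1.Intune.com',   # service connection point host
    [string]$ToolPath    = 'C:\Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\TOOLS\CMUpdateReset\CMUpdateReset.exe'
)

$checks = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. The tool ships in cd.latest\SMSSETUP\TOOLS; make sure we are pointing at it.
Add-Check 'CMUpdateReset.exe found' (Test-Path -LiteralPath $ToolPath) $ToolPath

# 2. Elevated local Administrator on this host (must be the top-level site server).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Check 'Local Administrator on top-level site' $isAdmin "$($identity.Name) on $env:COMPUTERNAME"

# 3. Local Administrator on the service connection point host. The admin$ share is only
#    accessible to members of that host's Administrators group, so it is a cheap proxy check.
Add-Check 'Local Administrator on SCP host' (Test-Path "\\$ScpServer\admin$") $ScpServer

# 4. db_datareader + db_datawriter on the top-tier site database (sysadmin / db_owner also
#    satisfy it), checked with the same Windows identity that will run the tool.
$server = if ($SqlInstance) { "$SqlServer\$SqlInstance" } else { $SqlServer }
try {
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$server;Database=$Database;Integrated Security=SSPI")
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin') AS sa, IS_ROLEMEMBER('db_owner') AS own, " +
                       "IS_ROLEMEMBER('db_datareader') AS rd, IS_ROLEMEMBER('db_datawriter') AS wr"
    $r = $cmd.ExecuteReader()
    [void]$r.Read()
    $ok = ($r['sa'] -eq 1) -or ($r['own'] -eq 1) -or (($r['rd'] -eq 1) -and ($r['wr'] -eq 1))
    $conn.Close()
    Add-Check 'Read/Write on site database' $ok "$Database on $server"
} catch {
    Add-Check 'Read/Write on site database' $false $_.Exception.Message
}

# 5. The two services the tool itself verifies before touching anything.
foreach ($svc in 'SMS_EXECUTIVE', 'CONFIGURATION_MANAGER_UPDATE') {
    $s = Get-Service -ComputerName $SiteServer -Name $svc -ErrorAction SilentlyContinue
    Add-Check "$svc running" ($null -ne $s -and $s.Status -eq 'Running') $SiteServer
}

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Passed }) {
    Write-Warning 'Fix the failed checks before running CMUpdateReset.exe.'
}
```

The database check deliberately uses Integrated Security so it answers the question for the identity that will actually run the tool; running it from a different account, or through a SQL login, tells you nothing about the prerequisite. Get-Service -ComputerName is a Windows PowerShell 5.1 parameter and is not available in PowerShell 7.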

Run the CMUpdateReset.exe Tool From?

From where can you run the Configuration Manager Update Reset Tool?

  1. CAS/SQL server
  2. standalone primary/SQL server

The SCCM update reset tool (CMUpdateReset.exe) must be run on the hierarchy’s top-level site (CAS or standalone primary). When you run the tool, use the command-line parameters to specify:

  • The CAS/Primary SQL Server at the top-tier site of the hierarchy
  • The CAS/Primary site database name at the top-tier site
  • The GUID of the update package you want to reset

What are the SCCM Update Reset Options?

There are two options to fix SCCM Updates and Servicing Issues using the CMUpdateReset.exe tool.

  1. Reset an update and restart the download
  2. Force deletion of the problematic update package

What is the Use Case for the CM Update Reset Tool?

Let’s understand the scenarios in which you must use the CM Update Reset Tool to fix the SCCM Update Download issue.

  • The update has been stuck in a downloading state for more than an hour
  • The update is stuck, and the EasySetupPayload folder size is not increasing at all
  • Update package replication to SCCM child primary sites is stuck for a long time
  • Update package replication to the child primary server has failed
FIX SCCM Update Download Issue with Update Reset Tool – Fig.1
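Two of those use cases can be measured rather than eyeballed. Here is an added example (not part of this post) that runs on the top-level site server: it samples the size of the package folder under EasySetupPayload twice to confirm it really is not growing, parses DMPDownloader.log for the two error types quoted earlier (redist download failures and site-database timeouts), and turns the result into a recommendation. Paths assume the default install location; the sample log lines at the bottom are constructed in DMPDownloader.log format, modelled on the entries quoted in this post, so the parser can be tried without a site server.

```powershell
# Added example (not part of the HTMD post): turn the use cases above into two checks you
# can run on the top-level site server. Paths assume the default install location; the
# sample log lines at the bottom are constructed in DMPDownloader.log format so the parser
# can be tried without a site server.
$PayloadRoot = 'C:\Program Files\Microsoft Configuration Manager\EasySetupPayload'
$DmpLog      = 'C:\Program Files\Microsoft Configuration Manager\Logs\dmpdownloader.log'

function Get-PayloadGrowth {
    # Two size samples of the package folder. No growth across the window is the
    # "EasySetupPayload folder size is not increasing at all" symptom.
    param([string]$Root, [guid]$PackageGuid, [int]$WindowMinutes = 15)
    $folder  = Join-Path $Root $PackageGuid.ToString()
    $measure = {
        $sum = (Get-ChildItem -LiteralPath $folder -Recurse -File -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
        [int64]$sum    # $null (missing or empty folder) becomes 0
    }
    $before = & $measure
    Start-Sleep -Seconds ($WindowMinutes * 60)
    $after  = & $measure
    [pscustomobject]@{ Folder = $folder; BytesBefore = $before; BytesAfter = $after; Grew = ($after -gt $before) }
}

function Find-DmpDownloaderError {
    # Pull the structured bits out of DMPDownloader.log: which package failed at the redist
    # step, which fwlinks it used, and SQL connection timeouts against the site database.
    param([string[]]$Lines)
    $redist = 'Failed to download redist for (?<Guid>[0-9a-f-]{36}) with command ' +
              '/RedistUrl (?<RedistUrl>\S+) /LnManifestUrl (?<ManifestUrl>\S+) /RedistVersion (?<Ver>\d+)'
    foreach ($line in $Lines) {
        if ($line -match $redist) {
            [pscustomobject]@{ Kind = 'RedistDownload'; Package = $Matches.Guid; RedistVersion = $Matches.Ver
                               RedistUrl = $Matches.RedistUrl; ManifestUrl = $Matches.ManifestUrl }
        } elseif ($line -match 'SqlException \(0x[0-9A-F]+\): Connection Timeout Expired') {
            [pscustomobject]@{ Kind = 'SiteDbTimeout'; Package = $null; RedistVersion = $null
                               RedistUrl = $null; ManifestUrl = $null }
        }
    }
}

function Get-ResetRecommendation {
    # Apply the use-case rules: a failing redist step is a download/proxy problem first;
    # a payload that has not grown for over an hour is the CMUpdateReset.exe case.
    param($Growth, $Errors, [datetime]$DownloadStarted)
    $stuckHours = ((Get-Date) - $DownloadStarted).TotalHours
    if (@($Errors | Where-Object Kind -eq 'RedistDownload').Count -gt 0) {
        'Redist step is failing: check ConfigMgrSetup.log and outbound access to the fwlink URLs before resetting.'
    } elseif (-not $Growth.Grew -and $stuckHours -ge 1) {
        'No payload growth for over an hour: reset the package with CMUpdateReset.exe.'
    } else {
        'Download still progressing: wait and re-check.'
    }
}

# Constructed sample lines (modelled on the entries quoted in this post; not a real capture):
$sample = @'
ERROR: Failed to download redist for c410f586-cf7a-4279-b963-139606fc25be with command /RedistUrl http://go.microsoft.com/fwlink/?LinkID=855656 /LnManifestUrl http://go.microsoft.com/fwlink/?LinkID=855641 /RedistVersion 201710 /NoUI "\\SCCMTP1.INTUNE.COM\EasySetupPayload\c410f586-cf7a-4279-b963-139606fc25be\redist"~~  $<SMS_DMP_DOWNLOADER><11-05-2017 10:02:11.123-330><thread=5984 (0x1760)>
ERROR: HasIntuneSubscription has failed to run query fn_HasIntuneSubscription with following exception : System.Data.SqlClient.SqlException (0x80131904): Connection Timeout Expired.~~  $<SMS_DMP_DOWNLOADER><11-05-2017 10:03:40.001-330><thread=5984 (0x1760)>
Get Easy Setup installed Packages to delete payload~~  $<SMS_DMP_DOWNLOADER><11-05-2017 10:04:02.557-330><thread=5984 (0x1760)>
'@ -split "`r?`n"

$found = Find-DmpDownloaderError -Lines $sample
$found | Format-Table -AutoSize
# Live use on the site server:
#   $found  = Find-DmpDownloaderError -Lines (Get-Content -LiteralPath $DmpLog -Tail 2000)
#   $growth = Get-PayloadGrowth -Root $PayloadRoot -PackageGuid 'c410f586-cf7a-4279-b963-139606fc25be'
#   Get-ResetRecommendation -Growth $growth -Errors $found -DownloadStarted (Get-Date).AddHours(-3)
```

The ordering in Get-ResetRecommendation matters: a package whose redist step keeps failing will also show no payload growth, but resetting it just makes the downloader fail the same way again, which is exactly what happened in this post. Check the redist error first.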

First Try – SCCM Update Reset

If you want to reset an update with download problems, run the following command on the top-level site server, with -S pointing at the SQL Server that hosts the top-tier site database.

In the background, the tool resets some SQL table entries to remove the update entry from the console. This action won’t delete the folders and files in C:\Program Files\Microsoft Configuration Manager\EasySetupPayload.

CMUpdateReset.exe -S SCCMTP1.Intune.com -D CM_TP1 -P c410f586-cf7a-4279-b963-139606fc25be

The above command didn’t resolve my issue in the scenario explained in this post. When I ran the command, the update of SCCM CB 1710 was removed from the SCCM console. I restarted the SMS Executive service, and the update appeared again in the console. However, it was again stuck in the downloading stage.

SCCM Update Reset Force Delete Option

If the above command doesn’t resolve the download or replication issue, the next step is to force delete the update package. This is the extreme option: you are telling the tool to delete the problematic update package outright.

High-Level Process of CMUpdateReset.EXE -FDELETE

The list below shows the high-level steps CMUpdateReset.exe -FDELETE performs. Every step is also recorded in the CM_UpdatePackageSiteStatus_HIST table for history tracking, which is the audit trail to check afterwards.

  • Mark the update package as deleted in the package distribution list
  • Delete the update package from the EasySetupSettings table
  • Delete the update package from the cm_updatepackageSiteStatus table
  • Delete the update package from the CM_UpdatePackage_MonitoringStatus table
  • Delete the update package from the cm_updatepackages table
  • Verify that the table entries for the package are deleted
  • Delete the CAB files from the \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\ folder
  • Delete the package folder from \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\
  • Delete the cmupdate notifications
FIX SCCM Update Download Issue with Update Reset Tool – Fig.2

CM Update Reset Tool Command Line

The CM Update Reset Tool command-line parameters:

  • -S <FQDN of the SQL Server of your top-tier site> (Required)
    Specify the FQDN of the SQL Server that hosts the site database for the top-tier site of your hierarchy.
  • -D <Database name> (Required)
    Specify the name of the database at the top-tier site.
  • -P <Package GUID> (Required)
    Specify the GUID for the update package you want to reset.
  • -I <SQL Server instance name> (Optional)
    Identify the instance of SQL Server that hosts the site database.
  • -FDELETE (Optional)
    Force deletion of a successfully downloaded update package.
FIX SCCM Update Download Issue with Update Reset Tool – Table 2
CMUpdateReset.exe -FDELETE -S SCCMTP1.Intune.com -D CM_TP1 -P c410f586-cf7a-4279-b963-139606fc25be

Another Example – In a typical scenario, you want to reset an update with download problems. Your SQL Server’s FQDN is server1.htmd.com, the site database is CM_MEM, and the package GUID is 61F16B3C-F1F6-4F9F-8647-2A524B0C802C. You run:

CMUpdateReset.exe -S server1.htmd.com -D CM_MEM -P 61F16B3C-F1F6-4F9F-8647-2A524B0C802C

Results of Command Line

FIX SCCM Update Download Issue with Update Reset Tool results are given below.

C:\Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\TOOLS\CMUpdateReset>CMUpdateReset.exe -FDELETE -S SCCMTP1.Intune.com -D CM_TP1 -P c410f586-cf7a-4279-b963-139606fc25be
[Warning]
You can use this tool when an in-console update has not yet installed and is in a failed state. A failed state can mean the update download remains in progress but is stuck and taking an excessively long time, perhaps hours longer than your historical expectations for update packages of similar size. It can also be a failure to replicate the update to child primary sites. When you run the tool, it runs against the update that you specify. If the package is in pre-installation state, it will delete it. If package is in replicating state, it will reinitiate replication. Are you sure you want to run the tool? Enter Y for Yes and N for No.
Y
Running CMUpdateReset.exe tool ...
Verified that the SQL server FQDN belongs to the top level site.
Verified that the site servers run version 1606 or later.
Verified that replication is active.
Package is in pre-installation state. Attempting to clean up the package.
Verified that the service connection point is installed on the top level site.
Verified that the account has permission to service connection point share.
Verified that the account has permission to the inboxes\hman.box folder.
Service SMS_EXECUTIVE is Running on machine SCCMTP1.Intune.com.
Verified that service SMS_EXECUTIVE is running on machine SCCMTP1.Intune.com.
Service CONFIGURATION_MANAGER_UPDATE is Running on machine SCCMTP1.Intune.com.
Verified that service CONFIGURATION_MANAGER_UPDATE is running on machine SCCMTP1.Intune.com.
Verified that the package is not in post-replication state for all the child sites (if any).
Marking package in the package distribution list as deleted.
(0 row(s) affected.)
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Marked package in the package distribution list as deleted.
Deleting update package c410f586-cf7a-4279-b963-139606fc25be from EasySetupSettings table on site server SCCMTP1.Intune.com.
(0 row(s) affected.)
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Update package is deleted from EasySetupSettings table.
Deleting update package c410f586-cf7a-4279-b963-139606fc25be from cm_updatepackageSiteStatus table on site server SCCMTP1.Intune.com.
(0 row(s) affected.)
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Update package is deleted from cm_updatepackageSiteStatus table.
Deleting update package c410f586-cf7a-4279-b963-139606fc25be from CM_UpdatePackage_MonitoringStatus table on site server SCCMTP1.Intune.com.
(0 row(s) affected.)
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Update package is deleted from cm_updatepackageSiteStatus table.
Deleting update package c410f586-cf7a-4279-b963-139606fc25be from cm_updatepackages table on site server SCCMTP1.Intune.com.
(1 row(s) affected.)
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Update package is deleted from CM_UpdatePackage_MonitoringStatus table.
Verifying whether the table entries for package c410f586-cf7a-4279-b963-139606fc25be is deleted on site server SCCMTP1.Intune.com.
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Deleting \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\c410f586-cf7a-4279-b963-139606fc25be.cab.
Deleted \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\c410f586-cf7a-4279-b963-139606fc25be.cab.
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Deleting \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\Offline\c410f586-cf7a-4279-b963-139606fc25be.cab.
\\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\Offline\c410f586-cf7a-4279-b963-139606fc25be.cab does not exist to delete.
Deleting \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\Offline\ConfigMgr.Update.Manifest.cab
\\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\Offline\ConfigMgr.Update.Manifest.cab does not exist to delete.
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Deleting \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\c410f586-cf7a-4279-b963-139606fc25be.
Deleted \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\c410f586-cf7a-4279-b963-139606fc25be.
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Deleting cmupdate notifications.
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
[Success]Successfully ran the CMUpdateReset.exe tool. If the tool deleted the package (check Updates and Servicing to see if the package is listed), you must restart the SMS_EXECUTIVE service on the top level site. Or, use Check for Update in console to redownload the package.
If the package is reinitiating replication or installation, DO NOT restart the SMS_EXECUTIVE service. You can use the flowchart at (https://docs.microsoft.com/sccm/core/servers/manage/update-replication-flowchart) to troubleshoot additional issues..
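The closing message is the important part: restart SMS_EXECUTIVE only if the package was deleted, and do not restart it if the tool re-initiated replication or installation. Here is an added example (not part of this post or of Microsoft’s tool) that wraps the run so that decision is made from the tool’s actual output rather than from memory. The [Warning] banner mentions both deletion and re-initiation on every run, so it is not used as a signal; the marker is the “Deleting update package … from cm_updatepackages table” line, which only appears when the package was removed. Server and database names are this post’s lab values and are assumptions; the tool’s Y/N prompt is still answered by you on the console.

```powershell
# Added example (not part of the HTMD post or of Microsoft's tool): a wrapper that runs
# CMUpdateReset.exe and then does what the tool's closing message asks for: restart
# SMS_EXECUTIVE only if the package was actually deleted, and leave it alone when the
# tool re-initiated replication or installation. Names are this post's lab values and are
# assumptions; the tool's own Y/N prompt is still answered by you on the console.
function Invoke-CMUpdateReset {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SqlServer,
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][guid]$PackageGuid,   # a [guid] type rejects anything that is not one
        [string]$Instance,
        [switch]$ForceDelete,                       # adds -FDELETE
        [string]$ToolPath = 'C:\Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\TOOLS\CMUpdateReset\CMUpdateReset.exe'
    )
    $toolArgs = @('-S', $SqlServer, '-D', $Database, '-P', $PackageGuid.ToString())
    if ($Instance)    { $toolArgs += @('-I', $Instance) }
    if ($ForceDelete) { $toolArgs = @('-FDELETE') + $toolArgs }
    if (-not $PSCmdlet.ShouldProcess("package $PackageGuid in $Database on $SqlServer", "CMUpdateReset.exe $toolArgs")) { return }

    # Tee keeps a copy of everything the tool prints while Out-Host still shows it live.
    & $ToolPath @toolArgs 2>&1 | Tee-Object -Variable output | Out-Host
    $text = ($output | ForEach-Object { "$_" }) -join "`n"

    # Markers taken from the tool's real output quoted above. The cm_updatepackages line
    # only appears when the package was removed; the [Warning] banner mentions deletion and
    # re-initiation on every run, so it is deliberately not used as a signal.
    $succeeded = $text -match '\[Success\]'
    $deleted   = $text -match 'Deleting update package [0-9a-f-]{36} from cm_updatepackages table'

    $next = if (-not $succeeded) {
        'Tool did not report [Success]: read its output and re-check the prerequisites.'
    } elseif ($deleted) {
        $restart = $PSCmdlet.ShouldProcess('SMS_EXECUTIVE', 'Restart-Service')
        if ($restart) { Restart-Service -Name SMS_EXECUTIVE }
        "Package deleted: SMS_EXECUTIVE restart $(if ($restart) { 'done' } else { 'skipped' }); or use Check for Updates in the console."
    } else {
        'Package not deleted (replication/installation re-initiated): do NOT restart SMS_EXECUTIVE; follow the replication flowchart.'
    }
    [pscustomobject]@{ Package = $PackageGuid; ForceDelete = [bool]$ForceDelete; Succeeded = $succeeded; Deleted = $deleted; NextStep = $next }
}

# The run shown in this post, with -WhatIf first to see the exact command line before committing:
# Invoke-CMUpdateReset -SqlServer SCCMTP1.Intune.com -Database CM_TP1 -PackageGuid c410f586-cf7a-4279-b963-139606fc25be -ForceDelete -WhatIf
```

Typing the GUID parameter as [guid] is a small thing that pays off here: a mistyped package ID fails at parameter binding instead of being handed to a tool that deletes rows and folders.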

Success – SCCM CB Update Downloaded

After running the tool, I restarted the SMS Executive service. The update entry for SCCM 1710 was recreated and shown in the “Available to Download” state. I started the download, and it finished downloading the update. Now the update state is “Ready to Install.”

Log Entries of Successful Completion of SCCM CB Update Download 

Let’s discuss the Log Entries of Successful Completion of SCCM CB Update Download.

Generating state message: 13 for package c410f586-cf7a-4279-b963-139606fc25be~~ $<SMS_DMP_DOWNLOADER><11-05-2017 11:40:30.480-330><thread=5984 (0x1760)>
Write the state message in C:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\high\___CMUvx2u44jq.SMX~~ $<SMS_DMP_DOWNLOADER><11-05-2017 11:40:30.500-330><thread=5984 (0x1760)>
Successfully Dropped the state message 13~~ $<SMS_DMP_DOWNLOADER><11-05-2017 11:40:30.533-330><thread=5984 (0x1760)>
EasySetupDownloadSinglePackage finishes downloading c410f586-cf7a-4279-b963-139606fc25be. ~~ $<SMS_DMP_DOWNLOADER><11-05-2017 11:40:30.557-330><thread=5984 (0x1760)>
Get Easy Setup installed Packages to delete payload~~ $<SMS_DMP_DOWNLOADER><11-05-2017 11:40:30.577-330><thread=5984 (0x1760)>

SCCM Update Download Issues Not Fixed by CM Update Reset Tool?

What if the CM Update Reset Tool doesn’t fix the update download issue? First, understand the five stages an in-console update goes through when it is downloaded to the site server; knowing which stage is stuck tells you where to look next.

You can check the download status in the SCCM Monitoring workspace, and ConfigMgrSetup.log has more details for each stage.

  1. Process update package
  2. Download the updated package cab file
  3. Extract update package payload
  4. Download redist
  5. Report package as downloaded

FIX SCCM CB Download Stuck at REDIST Prerequisite Files

In my scenario, the REDIST prerequisite files were not getting downloaded; I could see errors related to the REDIST download in ConfigMgrSetup.log. If you have problems downloading redist files, ConfigMgrSetup.log is the best place to get to the root of the issue.

As I explained in my previous post, “Learn How to Download SCCM ConfigMgr CB Prerequisite Files”, I downloaded the prerequisite files separately using SETUPDL.EXE.

Once the prerequisite files are downloaded, copy them to the D:\Program Files\Microsoft Configuration Manager\EasySetupPayload\<Update Package GUID>\redist folder.

I don’t recommend doing this in your production environment. Thanks to Robert Marshall’s tip, which helped me resolve the issue; I mentioned it in my tweet.

FIX SCCM Update Download Issue with Update Reset Tool – Fig.3
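Here is the same workaround as an added example (not part of this post) written as a guarded PowerShell function, so that it refuses to run when the package folder does not exist yet (in that case the download is stuck before the redist stage), checks that SetupDL.exe actually fetched something, and prompts before writing into the payload folder. It assumes the default install path, that SetupDL.exe lives in cd.latest\SMSSETUP\BIN\X64 and accepts “/NoUI <folder>”, and the package GUID from this post; change them for your site. As above, this is a lab workaround, not something to run in production.

```powershell
# Added example (not part of the HTMD post): the redist workaround from the section above
# as a guarded function. Assumes the default install path, that SetupDL.exe is under
# cd.latest\SMSSETUP\BIN\X64 and accepts "/NoUI <folder>", and this post's package GUID.
# Run on the top-level site server, in a lab, not in production.
function Copy-UpdateRedist {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][guid]$PackageGuid,
        [string]$InstallDir = 'C:\Program Files\Microsoft Configuration Manager',
        [string]$Staging    = "$env:TEMP\CMRedist"
    )
    $setupDl = Join-Path $InstallDir 'cd.latest\SMSSETUP\BIN\X64\SetupDL.exe'
    $pkgDir  = Join-Path $InstallDir "EasySetupPayload\$($PackageGuid.ToString())"
    $redist  = Join-Path $pkgDir 'redist'

    # The package folder only exists once the earlier stages (package, cab, payload extract)
    # have completed; if it is missing, the problem is before the redist stage.
    if (-not (Test-Path -LiteralPath $pkgDir))  { throw "No payload folder for $PackageGuid at $pkgDir" }
    if (-not (Test-Path -LiteralPath $setupDl)) { throw "SetupDL.exe not found at $setupDl" }

    # Stage 1: pull the prerequisite files with SetupDL.exe into a staging folder.
    New-Item -ItemType Directory -Path $Staging -Force | Out-Null
    & $setupDl /NoUI $Staging
    $files = @(Get-ChildItem -LiteralPath $Staging -File)
    if ($files.Count -eq 0) { throw "SetupDL.exe downloaded nothing into $Staging; check proxy and Internet access" }

    # Stage 2: copy into <GUID>\redist. ConfirmImpact=High means you are prompted unless
    # you pass -Confirm:$false.
    if ($PSCmdlet.ShouldProcess($redist, "Copy $($files.Count) prerequisite files from $Staging")) {
        New-Item -ItemType Directory -Path $redist -Force | Out-Null
        Copy-Item -Path (Join-Path $Staging '*') -Destination $redist -Recurse -Force
        [pscustomobject]@{
            Package     = $PackageGuid
            Redist      = $redist
            FilesCopied = @(Get-ChildItem -LiteralPath $redist -File).Count
        }
    }
}

# Copy-UpdateRedist -PackageGuid 51d629d3-c355-4b80-ad6f-ba44b27f84ed -InstallDir 'D:\Program Files\Microsoft Configuration Manager'
```

After the copy, watch DMPDownloader.log for the next redist attempt against the same package GUID. Compare the /RedistVersion in the original error with what SetupDL.exe fetched: the downloader is asking for a specific prerequisite set, and files for a different version will not satisfy it.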

SCCM Download Issues

I struggled to download the SCCM CB update in my test lab and went back through my previous posts on download issues. The section above, “CMUpdateReset.exe Tool Fixes SCCM CB Update Download Issue”, has more details on the reset tool, but it didn’t work for me this time. I was getting the following error in DMPDownloader.log:

  • ERROR: Failed to download redist for 51d629d3-c355-4b80-ad6f-ba44b27f84ed with command /RedistUrl http://go.microsoft.com/fwlink/?LinkID=860262 /LnManifestUrl http://go.microsoft.com/fwlink/?LinkID=860266 /RedistVersion 201712 /NoUI “\\SCCMTP1.INTUNE.COM\EasySetupPayload\51d629d3-c355-4b80-ad6f-ba44b27f84ed\redist”
  • Failed to download redist for 51d629d3-c355-4b80-ad6f-ba44b27f84ed.

I could see that the actual download of the SCCM update had happened to the path D:\Program Files\Microsoft Configuration Manager\EasySetupPayload, but the status did not change from Downloading to Ready to Install. The fix for the redist download issue is explained above in the section “FIX SCCM CB Download Stuck at REDIST Prerequisite Files”.

FIX SCCM Update Download Issue with Update Reset Tool – Fig.4



Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.