Intune Decrypt Files Protected by WIP Policy

Let’s learn how to decrypt files protected by an Intune WIP policy. Windows Information Protection (WIP) is Microsoft’s protection solution against accidental data leakage. WIP is fully supported on the Windows 10 Anniversary Update (1607) and later versions. This post covers the details of decrypting files protected by an Intune/SCCM WIP policy.

Certificate Details – Intune/SCCM WIP Policies

An Encrypting File System (EFS) Data Recovery Agent (DRA) certificate is created and used in the WIP policies. The cipher /r command creates the certificate pair: the EFSDRA.CER and EFSDRA.PFX files.

EFSDRA.CER is used with the WIP policies to encrypt the data. The EFSDRA.PFX file contains your private key and is used at decryption time. I have a post that explains “How to Create Configure and Deploy Windows 10 WIP Policies Using SCCM and Intune.”


Issue Statement – Personal Files Encrypted with WIP Policy

Migrations are part of the journey towards modern management, and this happened during one of the user migrations, which didn’t go well: the user’s files got encrypted with the WIP policy. As part of troubleshooting, the user un-enrolled and re-enrolled his Windows 10 device.

Access to the protected files was revoked during troubleshooting, when the device was unenrolled from Intune. The user can’t open any of the files because they are encrypted with the WIP policy and certificate. The user re-enrolled the device to Intune, but the protected files remain locked by the WIP certificate.

How to Decrypt WIP Protected Files

To decrypt the protected files, you need to import the PFX file to the computer where you want to perform the decryption. Be very careful with it: the private key in your DRA.PFX file can be used to decrypt any WIP-protected file.

The PFX file must be stored offline; for regular use, keep copies on a smart card with strong protection. Master copies are best kept in a secured physical location.

  1. Import EFSDRA.pfx 

Double-click the EFSDRA.PFX file to start the Certificate Import Wizard, which imports the certificate onto the user’s machine. Make sure you select Current User as the Store Location.

Browse to and select the EFSDRA.PFX file to import. The private key PFX is protected with a secure password, which you need to enter to proceed with the wizard. In the import options, make sure you select “Include all extended properties.”

Select the certificate store in the import wizard. The best choice is the default, “Automatically select the certificate store based on the type of certificate.” Complete the wizard.

Confirm that the certificate (the private key PFX) was imported successfully into the certificate store under Certificates – Current User – Personal – Certificates. Check the Intended Purposes column in the console for a File Recovery certificate.


2. Cipher /d Command to Decrypt the Files

  C:>cipher /d "SCCM Intune.docx"

  Decrypting files in C:\WINDOWS\system32\

  SCCM Intune.docx [OK]

  1 file(s) [or directories(s)] within 1 directories(s) were decrypted.

Confirm that the private key (PFX) has been imported into the machine’s certificate store. Then run cipher /d "File_Name.XXX" from the directory where the protected files are stored.
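The import-and-decrypt steps above as one script, added here as an example (it is not code from the original post). The PFX path, the file name and the password prompt are assumptions; the script also removes the DRA private key from the store when it is done, because that key can decrypt every file the policy protects.

```powershell
# Added example, not from the original post: import the EFS DRA PFX into the current
# user's Personal store, confirm it carries the File Recovery purpose, decrypt the
# WIP-protected files with cipher /d and then remove the DRA private key again.
# The PFX path and the file list are assumptions; adjust them to your environment.
#Requires -Version 5.1

# OID of the "File Recovery" enhanced key usage, what certmgr.msc lists under Intended Purposes.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

function Import-DraCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Same store the import wizard uses with "Current User": Certificates - Current User - Personal.
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $Password
    if (-not $cert.HasPrivateKey) { throw "No private key was imported from $PfxPath" }
    return $cert
}

function Test-FileRecoveryCertificate {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # Look for the Enhanced Key Usage extension (2.5.29.37) and check that it contains File Recovery.
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $false }
    return [bool] ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryEku })
}

function Unprotect-WipFile {
    param([Parameter(Mandatory)] [string[]] $Path)
    foreach ($file in $Path) {
        $full = (Resolve-Path -LiteralPath $file).Path
        # cipher /d takes a name relative to the current directory, so change into the file's folder first.
        Push-Location -LiteralPath (Split-Path -Path $full -Parent)
        try {
            $output = & cipher.exe /d (Split-Path -Path $full -Leaf) 2>&1
            [pscustomobject]@{
                File      = $full
                Decrypted = [bool] ($output -match '\[OK\]')   # cipher prints "<name> [OK]" per decrypted file
                Output    = ($output -join ' ')
            }
        } finally {
            Pop-Location
        }
    }
}

# Example run. The PFX path and the document path are placeholders.
$pfxPassword = Read-Host -Prompt 'Password for EFSDRA.PFX' -AsSecureString
$dra = Import-DraCertificate -PfxPath 'C:\DRA\EFSDRA.PFX' -Password $pfxPassword
if (-not (Test-FileRecoveryCertificate -Certificate $dra)) {
    throw "Certificate $($dra.Thumbprint) has no File Recovery purpose; it cannot decrypt WIP-protected files."
}
try {
    Unprotect-WipFile -Path 'C:\Data\SCCM Intune.docx' | Format-Table -AutoSize
} finally {
    # The DRA private key opens every file protected by this policy, so do not leave it on the machine.
    Remove-Item -Path "Cert:\CurrentUser\My\$($dra.Thumbprint)" -DeleteKey
}
```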

Troubleshooting – Check the WIP Logs

WIP troubleshooting can be done through the Windows event logs. Navigate to Application and Services Logs\Microsoft\Windows and open EDP-Audit-Regular and EDP-Audit-TCB.

Log Name: Microsoft-Windows-EDP-Audit-TCB/Admin
Source: Microsoft-Windows-EDP-Audit-TCB
Date: 25-11-2017 10:54:03
Event ID: 101
Task Category: None
Level: Information
Keywords: Windows Information Protection Audit Protection Removed Keyword
User: ANOOP-SURFACE-B\Anoop C Nair
Computer: Anoop-Surface-Book
Description:
Enterprise ACNS.COM tag has been removed (Protection removed) from the file: C:\Users\Anoop C Nair\Pictures\SCCM 1710\Overview SCCM Co-Mgmt CMG.jpg
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-EDP-Audit-TCB" Guid="{}" />
 <EventID>101</EventID>
 <Version>0</Version>
 <Level>4</Level>
 <Task>0</Task>
 <Opcode>0</Opcode>
 <Keywords>0x8000000889787810</Keywords>
 <TimeCreated SystemTime="2017-11-25T05:24:03.294238400Z" />
 <EventRecordID>15</EventRecordID>
 <Correlation />
 <Execution ProcessID="876" ThreadID="11836" />
 <Channel>Microsoft-Windows-EDP-Audit-TCB/Admin</Channel>
 <Computer>Anoop-Surface-Book</Computer>
 <Security UserID="" />
 </System>
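Event 101 above records a WIP tag being removed from a file. The following script, added here as an example and not part of the original post, queries that channel and groups the events per user and process so that a burst of protection removals stands out. The channel and provider names are taken from the event above; the message pattern matches the sample description and is otherwise an assumption.

```powershell
# Added example, not from the original post: read WIP "protection removed" events (ID 101)
# from the Microsoft-Windows-EDP-Audit-TCB/Admin channel shown above, extract the enterprise
# ID and file path from each description, and flag users/processes that strip many files.
#Requires -Version 5.1

$EdpTcbChannel = 'Microsoft-Windows-EDP-Audit-TCB/Admin'   # channel name from the event above

function ConvertFrom-EdpProtectionRemovedMessage {
    # Parses the Description text of an event 101 into enterprise ID and file path.
    param([Parameter(Mandatory)] [string] $Message)
    if ($Message -match 'Enterprise (?<enterprise>\S+) tag has been removed \(Protection removed\) from the file: (?<file>.+)$') {
        $file = $Matches.file.Trim()
        return [pscustomobject]@{
            EnterpriseId = $Matches.enterprise
            File         = $file
            Extension    = [System.IO.Path]::GetExtension($file).ToLowerInvariant()
        }
    }
    return $null
}

function Get-WipProtectionRemovedEvent {
    param([datetime] $Since = (Get-Date).AddDays(-7))
    # Get-WinEvent reports "No events were found" as an error; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $EdpTcbChannel; Id = 101; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $parsed = ConvertFrom-EdpProtectionRemovedMessage -Message $e.Message
        if (-not $parsed) { continue }
        [pscustomobject]@{
            Time         = $e.TimeCreated
            User         = if ($e.UserId) { $e.UserId.Value } else { 'unknown' }   # SID; empty in the sample above
            ProcessId    = $e.ProcessId
            EnterpriseId = $parsed.EnterpriseId
            File         = $parsed.File
        }
    }
}

function Get-WipProtectionRemovedSummary {
    # Groups events so that one user or process removing protection from many files is visible.
    param([Parameter(Mandatory)] [object[]] $Events, [int] $Threshold = 20)
    $Events | Group-Object User, ProcessId | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            User      = $sorted[0].User
            ProcessId = $sorted[0].ProcessId
            Files     = $sorted.Count
            First     = $sorted[0].Time
            Last      = $sorted[-1].Time
            Flag      = if ($sorted.Count -ge $Threshold) { 'REVIEW: bulk protection removal' } else { '' }
        }
    }
}

# Offline check of the parser against the description text of the sample event above.
$sample = 'Enterprise ACNS.COM tag has been removed (Protection removed) from the file: C:\Users\Anoop C Nair\Pictures\SCCM 1710\Overview SCCM Co-Mgmt CMG.jpg'
ConvertFrom-EdpProtectionRemovedMessage -Message $sample | Format-List

# Live query; run on the device that has the EDP audit channel populated.
$removed = @(Get-WipProtectionRemovedEvent -Since (Get-Date).AddDays(-1))
if ($removed.Count -gt 0) {
    Get-WipProtectionRemovedSummary -Events $removed | Format-Table -AutoSize
}
```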

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc……………

Video Tutorial SCCM 1710 New Features Overview Plus Upgrade Guide

The Microsoft SCCM team released the latest production version, 1710, of SCCM/ConfigMgr. The version is published as an opt-in option, so this SCCM 1710 production release won’t show up automatically in your SCCM console.

This release is called Fast Ring production release of SCCM 1710. In this post, we will see “SCCM 1710 New Features Overview Plus Upgrade Guide.”

It would be interesting to check out the difference between the 1706 and 1710 versions before upgrading. I have a video post, “Differences Between SCCM ConfigMgr CB 1710 and 1706.”


Upgrade Path – SCCM 1710 Production

The SCCM/ConfigMgr CB 1710 production update is applicable only to SCCM CB 1610 and later. For example, if your SCCM environment is running SCCM CB 1606, the 1710 version won’t be visible in your environment.

To get to the SCCM CB 1710 production version, you first need to upgrade from 1606 to 1610. Once that upgrade is done and you are on SCCM CB 1610, you will be able to update to SCCM CB 1710.


How to Get the Opt-in version of SCCM 1710?

The SCCM 1710 update will be rolled out globally in the coming weeks and will be downloaded automatically. You don’t need to run the PowerShell script once this update is rolled out globally; SCCM admins will be notified when it is ready to install from the “Updates and Servicing” node.

Do you want to be an early adopter of SCCM CB 1710? Then run the PowerShell script: SCCM ConfigMgr 1710: Enable Early Update Ring.


New Features of SCCM 1710 Production Version

There are 7 pre-release features and 20 release features in the SCCM CB 1710 production version. More details about the upgrade and the new features are in the video tutorial.

  • Peer cache is no longer a pre-release feature
  • Cloud DP supports Azure Govt Cloud
  • Co-Management
  • Identify the devices that require a restart and restart using the client notification channel.
  • Improvements in Run Script option – Security Scope, Real-time monitoring, and parameter
  • Software Center 250×250 icon
  • OSD – Parent-Child nested Task Sequence
  • Software Center – Enterprise Branding
  • Software Update – Surface Driver Update is no longer a pre-release feature
  • Telemetry level setting in Client settings
  • Limited support for Cryptography: Next Generation (CNG) certificates
  • Exploit Guard policies
  • Windows Defender Application Guard policy
  • Device Guard policy changes

SCCM Software Center Branding without Intune subscription

The SCCM CB 1710 Software Center can carry your organization’s logo and other branding options without an Intune subscription, which is very useful for organizations.

Navigate to client settings, open the custom client policy settings, and click on Software Center to configure these branding options.

There are also more granular options to collect Windows 10 telemetry data from SCCM client machines. This option is available under the Windows Analytics tab in the SCCM software center.


What is new in SCCM 1710 Scripts options?

  • Security scope option for Run Script
  • Graphical representation of Run Script Results

The above two points are the improvements in the SCCM 1710 script options. You can scope scripts in or out depending on the requirement.

Another interesting feature released as part of the 1710 production version is real-time graphical output for the Run Script option.

I have a post & video tutorial to learn more about “Real-Time Graphical Representation SCCM Run Script Results.”


Configuration Manager SCCM CB Preview 1711 Upgrade New Features ConfigMgr

This post and video tutorial will cover the SCCM CB preview 1711 upgrade and new features. This is not a production version of SCCM CB.

Hence, we are not supposed to install this version in production environments. SCCM CB 1711 is the preview version and should be installed only in a lab environment.

What is the Importance of SCCM Preview Releases?

The SCCM CB preview version is similar to the Windows Insider program: it helps SCCM admins test new SCCM CB features. Before installing this technical preview version, go through the limitations of the SCCM CB preview.

We can’t install CAS and secondary servers with the preview version. The prerequisites for installing the SCCM CB 1711 preview version have not changed.

Video Tutorial SCCM CB Preview 1711 Upgrade and New Features

How to Create SCCM CB Preview Version Lab Environment?

Have you installed an SCCM CB preview version? If not, you can download the latest baseline version of the ConfigMgr SCCM CB Technical Preview. One version of the SCCM preview has a maximum validity of only 3 months (90 days).

How to Upgrade to the latest version of SCCM CB Preview?

The SCCM CB update and servicing process is the same as before. Once the latest preview version is released, the update will be available in the SCCM console.

The update will automatically get downloaded to your server. Right-click on the update and select “Install Update Pack” to start the upgrade process.


New Features of SCCM CB 1711 Preview Version

Following are the three highlighted features of the SCCM CB 1711 preview version. Ronni has also blogged about another exciting feature in his post “SCCM: Enable Desktop Clients as PXE Servers.”

  • Improvements to run task sequence step
  • Allow user interaction when installing an application
  • New compliance policies for Windows 10

Nesting of Task Sequence: In the task sequence editor, click Add, select General, and click Run Task Sequence. Click Browse to choose the child task sequence.

Allow user interaction when installing an application: You can allow an end user to interact with an application installation while the task sequence runs.

The application installation interface appears on the target end-user device during task sequence progress. The task sequence progress pauses until the end-user completes the application installation workflow.

New compliance policy options for Windows 10: You can check whether the firewall is enabled on Windows 10 machines. If it is not enabled, you can block access to company resources. You can also check whether UAC is enabled on Windows machines.

If not enabled, you can block access to company resources.
Defender verification is also possible via Windows 10 compliance policies through the SCCM console.


How to Setup SCCM Azure AD User Discovery | ConfigMgr

Let’s learn how to set up SCCM Azure AD User Discovery in ConfigMgr. The Azure Active Directory user discovery feature was added to SCCM in version 1706 and is available in later versions.

Azure AD user discovery helps to deploy applications to Azure AD users; it enables deploying apps to AAD users in a co-management scenario.

Azure AD User Discovery can be configured from the Administration workspace – Cloud Management. In this post, we will see “Video Tutorial on How to Setup SCCM Azure AD User Discovery.”

Video – How to Setup SCCM Azure AD User Discovery | ConfigMgr

Let’s go through the video walkthrough of the Azure AD user discovery setup in SCCM.


What is SCCM Azure AD User Discovery?

SCCM Azure AD user discovery is the process of discovering the specific users from Azure AD. The details of discovered users from Azure AD will be stored in SCCM DB.

This provides deeper visibility of Azure AD user properties. And SCCM would be able to use this visibility to target applications to Azure AD Users.

Where are Azure AD User Discovery Configurations?

In the SCCM console, navigate through Administration- Cloud Services – Azure Services – Cloud Management. You don’t have to go through the Azure portal and create server and client applications.

Rather, the Azure Services Wizard in the SCCM console helps create the apps in Azure and schedule the Azure AD User Discovery.


How to Create Azure Server and Client Apps from the SCCM console?

As part of the Azure AD user discovery process, we need to create connectivity between the on-prem SCCM CB server and Azure AD.

This is done through Azure server-side and client-side applications (more details in the section below). We can create these apps using the Azure Services Wizard in the SCCM console.

We need Azure AD admin credentials to create the Azure apps. Once you have successfully authenticated with Azure AD, SCCM helps create the two apps shown in the following screenshot.

Creating the applications is a straightforward process, as seen in the video tutorial. Enter an Application Name, a Home Page URL and an App ID URI; any URL is fine, it does not need to be a working one. The secret key validity period is 1 year, and you sign in with the Azure AD admin account.

The Azure AD tenant name is populated automatically when you authenticate with Azure AD. The server running the SCCM console needs an internet connection for this.

Watch Video Tutorial to get more details about SCCM Azure AD User Discovery

How to Configure Azure AD User Discovery Settings?

Unlike SCCM Active Directory discovery, there is no option to select a particular OU when configuring SCCM Azure AD user discovery; the discovery runs for the entire tenant.

There is an option to enable Azure AD discovery settings in the Azure Services Wizard. Configure the settings to discover resources in Azure AD. When resources are discovered, SCCM CB creates records for them in its database.

There are two options for the SCCM Azure AD user discovery Schedule.

  • Full Azure AD User Discovery
  • Delta Azure AD User Discovery

By default, full Azure AD user discovery runs every 7 days, and the delta discovery interval is 5 minutes. Delta discovery finds resources in Azure AD that are new or modified since the last discovery cycle.

Permission Required for SCCM Azure AD User Discovery

We have created two Azure apps (server and client) in the Azure App Registration blade. Select the server application, click on Settings and select the Required Permissions button.

Click on Grant Permissions to give SCCM access to discover the Azure AD users. Repeat the same steps for the client application.


Troubleshooting – SCCM Azure AD User Discovery – Issues

SMS_AZUREAD_DISCOVERY_AGENT.log is where you can trace the details of Azure AD User Discovery.

Full Azure AD User Discovery Sync – Details

Full discovery sync details of Azure AD user discovery are recorded in the log file called SMS_AZUREAD_DISCOVERY_AGENT.log.

Initializing Task Execution Manager instance as SMS_AZUREAD_DISCOVERY_AGENT. $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:22.056-330><thread=4184 (0x1058)>
Starting component SMS_AZUREAD_DISCOVERY_AGENT~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:22.165-330><thread=4184 (0x1058)>
Component SMS_AZUREAD_DISCOVERY_AGENT started successfully.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:22.712-330><thread=4184 (0x1058)>
Azure AD Discovery Worker starts.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.353-330><thread=4204 (0x106C)>
Subscribing to Registry Hive: LocalMachine, KeyPath: SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_AZUREAD_DISCOVERY_AGENT, FilterType: ValueChange, WatchSubTree: False~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.369-330><thread=4204 (0x106C)>
Registry Watcher started~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.385-330><thread=4204 (0x106C)>
Successfully subscribed listener to registry key.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:27.385-330><thread=4204 (0x106C)>
AAD sync manager for cloud service ID=16777217 started. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:44.541-330><thread=4204 (0x106C)>
Full sync for cloud service ID=16777217 will start immediately. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:44.604-330><thread=4204 (0x106C)>
Graph API version changed to 1.6~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:45.510-330><thread=4204 (0x106C)>
Query batch size changed to 100~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:45.526-330><thread=4204 (0x106C)>
Max Json length changed to 33554432~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:45.572-330><thread=4204 (0x106C)>
AAD full sync initialized for tenant 67bb8c6d-7266-4faa-a290-5edd572c2210, with server app 7f81b297-e94e-4767-b44a-b0a191f32989.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:46.416-330><thread=4204 (0x106C)>
ERROR: Sync request failed. Error: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Service returned error. Check

Delta Azure AD User Discovery sync – Details

Let’s find out more details from the log file SMS_AZUREAD_DISCOVERY_AGENT.log.

INFO: UDX was written for user [email protected] - C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\userddrsonly\___mrxm4stp.UDX at 06-11-2017 16:10:11.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.412-330><thread=2552 (0x9F8)>
Successfully published UDX for Azure Active Directory users.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.453-330><thread=2552 (0x9F8)>
Total AAD Users Found: 1. Total AAD User Record Created: 1~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.536-330><thread=2552 (0x9F8)>
AAD delta sync completed successfully at 16:10:11. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.612-330><thread=2552 (0x9F8)>
Next DELTA sync for cloud service 16777217 will start at 11/06/2017 16:15:11.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.665-330><thread=2552 (0x9F8)>
AAD delta sync initialized for tenant 67bb8c6d-7266-4faa-a290-5edd572c2210, with server app 7f81b297-e94e-4767-b44a-b0a191f32989.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:15:11.763-330><thread=2552 (0x9F8)>
Successfully acquired access token for server app. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:15:11.866-330><thread=2552 (0x9F8)>
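Both log excerpts above use the CMTrace line layout (message, then `$<component><date time-offset><thread=...>`). The script below is an added example, not code from the original post: it parses lines in that layout and summarises the last sync, including the truncated ERROR line seen in the full-sync excerpt. The sample lines are constructed from the post’s output with placeholder GUIDs, and the log path is an assumption.

```powershell
# Added example, not from the original post: parse SMS_AZUREAD_DISCOVERY_AGENT.log lines in
# the CMTrace layout and summarise the sync: tenant, server app, users found, next delta
# run and ERROR lines. Sample lines are constructed (placeholder GUIDs); log path is assumed.
#Requires -Version 5.1

function ConvertFrom-CmTraceLine {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Line)
    process {
        # The trailer is optional: a log that is still being written can end on a truncated line.
        $pattern = '^(?<msg>.*?)\s*(?:~~)?\s*\$<(?<component>[^>]+)><(?<stamp>[^>]+)><thread=(?<thread>\d+)[^>]*>\s*$'
        $time = $null; $component = ''; $thread = 0; $msg = $Line.Trim()
        if ($Line -match $pattern) {
            $msg = $Matches.msg.Trim(); $component = $Matches.component; $thread = [int]$Matches.thread
            # Stamp looks like "11-13-2017 10:24:46.416-330"; the trailing number is a UTC offset in minutes.
            $date, $clock = $Matches.stamp -split ' ', 2
            $clock = $clock -replace '[+-]\d+$', ''
            [void][datetime]::TryParseExact("$date $clock", 'MM-dd-yyyy HH:mm:ss.fff',
                [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$time)
        }
        [pscustomobject]@{
            Time      = $time
            Component = $component
            Thread    = $thread
            Level     = if ($msg -match '^ERROR') { 'Error' } else { 'Info' }
            Message   = $msg
        }
    }
}

function Get-AadDiscoverySummary {
    param([Parameter(Mandatory)] [object[]] $Entries)
    $tenant = ''; $serverApp = ''; $usersFound = 0; $recordsCreated = 0; $nextDelta = ''
    foreach ($e in $Entries) {
        if ($e.Message -match 'for tenant (?<t>[0-9a-fA-F-]{36}), with server app (?<a>[0-9a-fA-F-]{36})') {
            $tenant = $Matches.t; $serverApp = $Matches.a
        }
        if ($e.Message -match 'Total AAD Users Found: (\d+)\. Total AAD User Record Created: (\d+)') {
            $usersFound = [int]$Matches[1]; $recordsCreated = [int]$Matches[2]
        }
        if ($e.Message -match 'Next DELTA sync for cloud service \d+ will start at (?<n>.+?)\.?$') {
            $nextDelta = $Matches.n
        }
    }
    $errors = @($Entries | Where-Object Level -eq 'Error')
    [pscustomobject]@{
        Tenant         = $tenant
        ServerApp      = $serverApp
        UsersFound     = $usersFound
        RecordsCreated = $recordsCreated
        NextDeltaSync  = $nextDelta
        ErrorCount     = $errors.Count
        LastError      = if ($errors.Count) { $errors[-1].Message } else { '' }
    }
}

# Constructed sample (placeholder GUIDs), including a truncated ERROR line without a trailer.
$SampleLog = @'
AAD full sync initialized for tenant 00000000-0000-0000-0000-00000000aaaa, with server app 00000000-0000-0000-0000-00000000bbbb.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-13-2017 10:24:46.416-330><thread=4204 (0x106C)>
ERROR: Sync request failed. Error: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Service returned error. Check
Total AAD Users Found: 1. Total AAD User Record Created: 1~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.536-330><thread=2552 (0x9F8)>
AAD delta sync completed successfully at 16:10:11. ~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.612-330><thread=2552 (0x9F8)>
Next DELTA sync for cloud service 16777217 will start at 11/06/2017 16:15:11.~~ $<SMS_AZUREAD_DISCOVERY_AGENT><11-06-2017 16:10:11.665-330><thread=2552 (0x9F8)>
'@

$entries = @($SampleLog -split "`r?`n" | Where-Object { $_ } | ConvertFrom-CmTraceLine)
Get-AadDiscoverySummary -Entries $entries | Format-List

# Against the real log on the site server (path assumed):
# $live = @(Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\SMS_AZUREAD_DISCOVERY_AGENT.log' -Tail 500 | ConvertFrom-CmTraceLine)
# Get-AadDiscoverySummary -Entries $live
```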


25 Years ConfigMgr Special Microsoft MVP Summit at Redmond SCCM Configuration Manager

It’s a great experience to work with the Microsoft SCCM product group and fellow MVPs to brainstorm and enhance SCCM/ConfigMgr. Microsoft MVP summit 2017 is special for SCCM MVPs because ConfigMgr reached its 25th anniversary.

The device management journey of SMS (the previous version of SCCM) started back in 1992. In this post, we will see more details about “25 Years ConfigMgr and Special Microsoft MVP Summit at Redmond.”

I started working with SMS 2003 back in 2005, which was the early stages of my IT career. I enjoyed my career as an SCCM admin, which changed my life.

SCCM evolved through the years, and so has my career. I switched cities and jobs but not the product which I love 😉


It’s a great experience working very closely with the SCCM product group (developers) and understanding their side of the story.

New exciting features are being cooked up by the SCCM product team and are getting ready for the next SCCM CB preview release. Also, loads of innovations are planned for the SCCM CB 1802 release.

This is my third trip to Redmond, and it’s always exciting to get to know more about the insides of SCCM products.

It is also great to be part of brainstorming sessions with the SCCM product group. The SCCM product team is always ready to listen to real-world challenges from MVPs and provide solutions for them.


Windows 10 Upgrade Using SCCM Task Sequence

Windows 10 Upgrade Using SCCM Task Sequence. In the previous post, I explained how to create the Windows 10 1709 Upgrade Task Sequence in SCCM CB.

I didn’t provide details about distributing the Windows 10 1709 content to DPs, deploying the task sequence, and the end-user experience of this type of upgrade.

In this post, we will see a video of the Windows 10 1709 upgrade using the SCCM Task Sequence.

Windows 10 1709 Upgrade using Task Sequence Video

SCCM CB Server Side Preparation for Windows 10 1709 Upgrade

Distribute Required Contents to DPs

The SCCM admin should make sure the Windows 10 1709 upgrade package is distributed to all the required DPs. Also, make sure all the content referenced in the task sequence is replicated to the DPs.

We can start the content distribution from Windows 10 1709 upgrade task sequence. Right-click on the Task Sequence and click on Distribute Content. This action will initiate the content distribution of all the pending packages.

Ensure that all the referenced packages in the task sequence are successfully replicated to your DPs. Otherwise, the Windows 10 1709 upgrade will fail.

More details are in the video tutorial “Learn How to Windows 10 1709 Upgrade Using SCCM Task Sequence.”


Deploy the Task Sequence to Windows 10 1703 Machines

Once the content of all the required applications, packages, and OS upgrade packages has been replicated to the DPs, we can create a deployment. The task sequence should be deployed to all the required Windows 10 machines in your environment.

But don’t deploy the Windows 10 upgrade task sequence to all the Windows 10 1703 machines at once. The upgrade should follow a phased approach: initially, deploy this upgrade task sequence to a couple of Windows 10 machines.

Once those two deployments are successful, we can deploy the task sequence to the next set of test devices.

In my opinion, we should start the Windows 10 upgrade deployment as “Available”. The optional task sequence empowers users to upgrade their machines to 1709 whenever they want to perform the upgrade.

Right-click on the Task Sequence and click on the “Deploy” option.

More details are in the video tutorial “Learn How to Windows 10 1709 Upgrade Using SCCM Task Sequence.”


Windows 10 Client-Side Experience of Upgrade Process

The Windows 10 1709 upgrade task sequence will be available in Software Center, because we created it as an optional deployment.

The user will have to open the Software Center and start the upgrade process. This can be done by clicking on the “Install” button, as you can see in the video.


All the task sequence steps explained in my previous post are performed as part of the Windows 10 1709 upgrade. More details about the steps are available in SCCM Windows 10 1709 Upgrade Task Sequence.

Windows 10 devices go through multiple restarts during the upgrade process, as shown in the following video. More details are in “Learn How to Windows 10 1709 Upgrade Using SCCM Task Sequence.”


FIX SCCM Update Download Issue with Update Reset Tool

Let’s try to fix the SCCM update download issue with the Update Reset Tool. Have you faced an SCCM CB update getting stuck in the “Downloading” state?

I have seen SCCM CB updates get stuck in the downloading stage. In most scenarios, a service restart resolves this issue. In this post, we will see “CM Update Reset Tool Fixes SCCM CB Update Download Issue.”

[Related Post –  Fix SCCM Updates and Servicing Redist Download Issue]

The other issue I encountered was that the REDIST prerequisite files were not getting downloaded. I could see errors related to the REDIST file download in ConfigMgrSetup.log: the “Failed to download redist” error discussed in the following section of the post.

Beginning with version 1706, SCCM primary sites and the CAS include the Configuration Manager Update Reset Tool (CMUpdateReset.exe). The tool fixes issues when in-console updates have problems downloading or replicating. It is found in the \cd.latest\SMSSETUP\TOOLS folder of the site server.

Issue Statement – SCCM CB Update Stuck in Downloading state

Let’s check the issue statement here. The SCCM CB update is stuck in the Downloading state, and I’m trying to find a solution to fix the issue.

I checked the size of the folder C:\Program Files\Microsoft Configuration Manager\EasySetupPayload, and it was over 1 GB. I tried restarting the SMS Executive service a couple of times without any luck.

DMPDownloader.log

Let’s quickly check the log files to understand the SCCM update download issue.

ERROR: HasIntuneSubscription has failed to run query fn_HasIntuneSubscription with following exception : System.Data.SqlClient.SqlException (0x80131904): Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. This could be because the pre-login handshake failed or the server was unable to respond back in time. The duration spent while attempting to connect to this server was – [Pre-Login] initialization=4997; handshake=15872; —> System.ComponentModel.Win32Exception (0x80004005): The wait operation timed out~~ at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity ERROR: Failed to download redist for c410f586-cf7a-4279-b963-139606fc25be with command /RedistUrl http://go.microsoft.com/fwlink/?LinkID=855656 /LnManifestUrl http://go.microsoft.com/fwlink/?LinkID=855641 /RedistVersion 201710 /NoUI “\\SCCMTP1.INTUNE.COM\EasySetupPayload\c410f586-cf7a-4279-b963-139606fc25be\redist”

What is a CMUpdateReset.exe tool? CM Update Reset Tool

CMUpdateReset.exe is the Configuration Manager Update Reset Tool, a free tool provided by Microsoft for SCCM customers. It is part of the cd.latest folder, under Tools.

The CM Update Reset Tool is a command-line tool that should be run from the topmost server in the SCCM hierarchy.

This tool helps SCCM admins fix issues when SCCM CB in-console updates have problems downloading or replicating.

The CM Update Reset tool is in the following folder \cd.latest\SMSSETUP\TOOLS. We should run this tool from CAS or a standalone primary SQL server.

More details are in the video tutorial on fixing SCCM CB updates stuck in Downloading.

Prerequisites – FIX SCCM Update Download Issue with CM Update Reset Tool

The account you use to run the tool (CM Update Reset Tool) requires the following permissions:

  • Read and Write permissions to the site database of the central administration site and each primary site in your hierarchy. To set these permissions, you can add the user account as a member of the db_datawriter and db_datareader fixed database roles on the Configuration Manager database of each site. The tool does not interact with secondary sites.
  • Local Administrator on the top-level site of your hierarchy.
  • Local Administrator on the computer that hosts the service connection point.

The tool (CM Update Reset Tool) must be run on the top-level site of the hierarchy.

When you run the tool, use command-line parameters to specify:

  • The SQL Server at the top-tier site of the hierarchy.
  • The site database name at the top-tier site.
  • The GUID of the update package you want to reset.

NOTE! – The latest information is at https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/update-reset-tool#prerequisites

Run the CMUpdateReset.exe tool from?

From where can you run the Configuration Manager Update Reset Tool?

  1. CAS/SQL server
  2. standalone primary/SQL server

The SCCM download reset tool (CMUpdateReset.exe) must be run on the top-level site (CAS or standalone primary) of the hierarchy. When you run the tool, use the CM Update Reset tool command-line parameters to specify:

  • The CAS/Primary SQL Server at the top-tier site of the hierarchy
  • The CAS/Primary site database name at the top-tier site
  • The GUID of the update package you want to reset

What are the SCCM Update Reset Options?

There are two options to fix SCCM Updates and Servicing Issues using the CMUpdateReset.exe tool.

  1. Reset an update and restart the download
  2. Force deletion of the problematic update package

What is the Use Case for CM Update Reset Tool?

Let’s understand the scenarios where you have to use CM Update Reset Tool to FIX the SCCM Update Download issue.

  • The update is stuck in the downloading state for more than an hour
  • The update is stuck, and the EasySetupPayload folder size is not increasing at all
  • Update package replication to SCCM child primary sites is stuck for a long time
  • Update package replication to a child primary server has failed

First Try – SCCM Update Reset

If you want to reset an update with download problems, you can run the following command from the topmost SQL server.

In the background, the tool will reset some SQL table entries to remove the update entry from the console. But this action won't delete the folders and files in C:\Program Files\Microsoft Configuration Manager\EasySetupPayload.

CMUpdateReset.exe -S SCCMTP1.Intune.com -D CM_TP1 -P c410f586-cf7a-4279-b963-139606fc25be

The above command didn’t resolve my issue in the scenario explained in this post. I ran the command, and the update of SCCM CB 1710 got removed from the SCCM console.

I restarted the SMS Executive service, and the update came back in the console. But the update was again stuck in the downloading stage.

SCCM Update Reset Force Delete Option

If the above command line doesn't resolve the download or replication issue, we need to force delete the update. This is an extreme scenario in which you want to force deletion of the problematic update package.

High-Level Process of CMUpdateReset.EXE -FDELETE

  • Record each step in the CM_UpdatePackageSiteStatus_HIST table for history tracking
  • Mark the package distribution list entry for the update package as deleted
  • Delete the update package from the EasySetupSettings table
  • Delete the update package from the cm_updatepackageSiteStatus table
  • Delete the update package from the CM_UpdatePackage_MonitoringStatus table
  • Delete the update package from the cm_updatepackages table
  • Verify that the table entries for the package are deleted from CM_UpdatePackage_MonitoringStatus
  • Delete the CAB files from the \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\ folder
  • Delete the package folder from the \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\ folder

CM Update Reset Tool Command Line

The CM Update Reset Tool command-line parameters used to fix the SCCM update download issue are listed below.

Parameters and descriptions:

  • -S <FQDN of the SQL Server of your top-tier site> (Required): Specify the FQDN of the SQL Server that hosts the site database for the top-tier site of your hierarchy.
  • -D <Database name> (Required): Specify the name of the database at the top-tier site.
  • -P <Package GUID> (Required): Specify the GUID for the update package you want to reset.
  • -I <SQL Server instance name> (Optional): Identify the instance of SQL Server that hosts the site database.
  • -FDELETE (Optional): Force deletion of a successfully downloaded update package.

CMUpdateReset.exe -FDELETE -S SCCMTP1.Intune.com -D CM_TP1 -P c410f586-cf7a-4279-b963-139606fc25be

Another example: in a typical scenario, you want to reset an update that has download problems. Your SQL Server's FQDN is server1.htmd.com, the site database is CM_MEM, and the package GUID is 61F16B3C-F1F6-4F9F-8647-2A524B0C802C. You run: CMUpdateReset.exe -S server1.htmd.com -D CM_MEM -P 61F16B3C-F1F6-4F9F-8647-2A524B0C802C

Results of Command Line

The results of running the CM Update Reset Tool with -FDELETE to fix the SCCM update download issue are given below.

C:\Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\TOOLS\CMUpdateReset>CMUpdateReset.exe -FDELETE -S SCCMTP1.Intune.com -D CM_TP1 -P c410f586-cf7a-4279-b963-139606fc25be
[Warning]
You can use this tool when an in-console update has not yet installed and is in a failed state. A failed state can mean the update download remains in progress but is stuck and taking an excessively long time, perhaps hours longer than your historical expectations for update packages of similar size. It can also be a failure to replicate the update to child primary sites. When you run the tool, it runs against the update that you specify. If the package is in pre-installation state, it will delete it. If package is in replicating state, it will reinitiate replication. Are you sure you want to run the tool? Enter Y for Yes and N for No.
Y
Running CMUpdateReset.exe tool ...
Verified that the SQL server FQDN belongs to the top level site.
Verified that the site servers run version 1606 or later.
Verified that replication is active.
Package is in pre-installation state. Attempting to clean up the package.
Verified that the service connection point is installed on the top level site.
Verified that the account has permission to service connection point share.
Verified that the account has permission to the inboxes\hman.box folder.
Service SMS_EXECUTIVE is Running on machine SCCMTP1.Intune.com.
Verified that service SMS_EXECUTIVE is running on machine SCCMTP1.Intune.com.
Service CONFIGURATION_MANAGER_UPDATE is Running on machine SCCMTP1.Intune.com.
Verified that service CONFIGURATION_MANAGER_UPDATE is running on machine SCCMTP1.Intune.com.
Verified that the package is not in post-replication state for all the child sites (if any).
Marking package in the package distribution list as deleted.
(0 row(s) affected.)
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Marked package in the package distribution list as deleted.
Deleting update package c410f586-cf7a-4279-b963-139606fc25be from EasySetupSettings table on site server SCCMTP1.Intune.com.
(0 row(s) affected.)
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Update package is deleted from EasySetupSettings table.
Deleting update package c410f586-cf7a-4279-b963-139606fc25be from cm_updatepackageSiteStatus table on site server SCCMTP1.Intune.com.
(0 row(s) affected.)
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Update package is deleted from cm_updatepackageSiteStatus table.
Deleting update package c410f586-cf7a-4279-b963-139606fc25be from CM_UpdatePackage_MonitoringStatus table on site server SCCMTP1.Intune.com.
(0 row(s) affected.)
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Update package is deleted from cm_updatepackageSiteStatus table.
Deleting update package c410f586-cf7a-4279-b963-139606fc25be from cm_updatepackages table on site server SCCMTP1.Intune.com.
(1 row(s) affected.)
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Update package is deleted from CM_UpdatePackage_MonitoringStatus table.
Verifying whether the table entries for package c410f586-cf7a-4279-b963-139606fc25be is deleted on site server SCCMTP1.Intune.com.
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Deleting \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\c410f586-cf7a-4279-b963-139606fc25be.cab.
Deleted \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\c410f586-cf7a-4279-b963-139606fc25be.cab.
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Deleting \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\Offline\c410f586-cf7a-4279-b963-139606fc25be.cab.
\\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\Offline\c410f586-cf7a-4279-b963-139606fc25be.cab does not exist to delete.
Deleting \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\Offline\ConfigMgr.Update.Manifest.cab
\\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\Offline\ConfigMgr.Update.Manifest.cab does not exist to delete.
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Deleting \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\c410f586-cf7a-4279-b963-139606fc25be.
Deleted \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\c410f586-cf7a-4279-b963-139606fc25be.
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
Deleting cmupdate notifications.
Adding entry in CM_UpdatePackageSiteStatus_HIST for history tracking.
(1 row(s) affected.)
[Success]Successfully ran the CMUpdateReset.exe tool. If the tool deleted the package (check Updates and Servicing to see if the package is listed), you must restart the SMS_EXECUTIVE service on the top level site. Or, use Check for Update in console to redownload the package.
If the package is reinitiating replication or installation, DO NOT restart the SMS_EXECUTIVE service. You can use the flowchart at (https://docs.microsoft.com/sccm/core/servers/manage/update-replication-flowchart) to troubleshoot additional issues..
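As an added example (my own code, not the post's and not part of Microsoft's tool), the following Python builds the CMUpdateReset.exe command line from the documented switches, rejects a malformed package GUID before the tool ever touches the site database, and parses a captured run like the one above to apply the rule from the tool's own closing message: restart SMS_EXECUTIVE only when the package was actually deleted. The FQDN and CM_ database-name checks are my assumptions, and the sample output is an abbreviated copy of the run shown above.

```python
"""Added example (not part of the post or of Microsoft's tool): validate the
CMUpdateReset.exe parameters listed above and interpret the tool's console
output to decide whether SMS_EXECUTIVE must be restarted afterwards."""
import re
import uuid
from typing import Dict, List, Optional


def build_cmupdatereset_args(sql_fqdn: str, database: str, package_guid: str,
                             instance: Optional[str] = None,
                             force_delete: bool = False) -> List[str]:
    """Build the argument list using only the switches the post documents
    (-S, -D, -P, -I, -FDELETE). The GUID is parsed with uuid.UUID so a
    mistyped package id is rejected before the tool touches the site DB.
    The FQDN and CM_ prefix checks are this example's assumptions."""
    if "." not in sql_fqdn:
        raise ValueError("-S expects the FQDN of the top-tier site's SQL Server")
    if not database.upper().startswith("CM_"):
        raise ValueError("-D expects the site database name, e.g. CM_TP1")
    uuid.UUID(package_guid)  # raises ValueError for anything that is not a GUID
    args = ["CMUpdateReset.exe"]
    if force_delete:  # destructive path; placed first, as in the post's command line
        args.append("-FDELETE")
    args += ["-S", sql_fqdn, "-D", database, "-P", package_guid.strip("{}")]
    if instance:
        args += ["-I", instance]
    return args


# Lines the tool prints (see the output above); the trailing '.' is stripped from paths
DELETE_RE = re.compile(r"^Deleting update package [0-9a-fA-F-]{36} from (\S+) table")
ROWS_RE = re.compile(r"^\((\d+) row\(s\) affected\.\)")
DELETED_PATH_RE = re.compile(r"^Deleted (\\\\\S+)")
CLEANUP_LINE = "Package is in pre-installation state. Attempting to clean up the package."


def interpret_cmupdatereset_output(output: str) -> Dict[str, object]:
    """Summarise a captured run. The decision rule is the tool's own closing
    message: if it deleted the package, restart SMS_EXECUTIVE (or use Check for
    Updates); if it only reinitiated replication/installation, do NOT restart."""
    lines = [ln.strip() for ln in output.splitlines()]
    rows_by_table: Dict[str, int] = {}
    deleted_paths: List[str] = []
    for i, line in enumerate(lines):
        m = DELETE_RE.match(line)
        if m and i + 1 < len(lines):
            r = ROWS_RE.match(lines[i + 1])  # "(N row(s) affected.)" follows each delete
            rows_by_table[m.group(1)] = int(r.group(1)) if r else -1
        p = DELETED_PATH_RE.match(line)
        if p:
            deleted_paths.append(p.group(1).rstrip("."))
    success = any(ln.startswith("[Success]") for ln in lines)
    package_deleted = CLEANUP_LINE in lines
    return {
        "success": success,
        "package_deleted": package_deleted,
        "restart_sms_executive": success and package_deleted,
        "rows_by_table": rows_by_table,
        "deleted_paths": deleted_paths,
    }


# Constructed sample: an abbreviated copy of the -FDELETE run shown in the post.
SAMPLE_OUTPUT = r"""
Running CMUpdateReset.exe tool ...
Package is in pre-installation state. Attempting to clean up the package.
Deleting update package c410f586-cf7a-4279-b963-139606fc25be from EasySetupSettings table on site server SCCMTP1.Intune.com.
(0 row(s) affected.)
Deleting update package c410f586-cf7a-4279-b963-139606fc25be from cm_updatepackages table on site server SCCMTP1.Intune.com.
(1 row(s) affected.)
Deleted \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\c410f586-cf7a-4279-b963-139606fc25be.cab.
Deleted \\SCCMTP1.Intune.com\sms_TP1\EasySetupPayLoad\c410f586-cf7a-4279-b963-139606fc25be.
[Success]Successfully ran the CMUpdateReset.exe tool.
"""

if __name__ == "__main__":
    print(" ".join(build_cmupdatereset_args("SCCMTP1.Intune.com", "CM_TP1",
                                            "c410f586-cf7a-4279-b963-139606fc25be",
                                            force_delete=True)))
    print(interpret_cmupdatereset_output(SAMPLE_OUTPUT))
```

The per-table row counts are worth keeping: in the run above only cm_updatepackages reported a deleted row, which is consistent with a package that never got past the downloading stage, and a run that deletes nothing anywhere is a sign the GUID or database name was wrong rather than that the package was clean.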

Success – SCCM CB Update Downloaded

After running the tool, I restarted the SMS Executive service. The update entry for SCCM 1710 was created again, and it was in the "Available to Download" state.

I started the download, and it finished downloading the update. Now the update state is “Ready to Install.”

Log entries of the successful completion of the SCCM CB update download

Generating state message: 13 for package c410f586-cf7a-4279-b963-139606fc25be~~ $<SMS_DMP_DOWNLOADER><11-05-2017 11:40:30.480-330><thread=5984 (0x1760)>
Write the state message in C:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\high\___CMUvx2u44jq.SMX~~ $<SMS_DMP_DOWNLOADER><11-05-2017 11:40:30.500-330><thread=5984 (0x1760)>
Successfully Dropped the state message 13~~ $<SMS_DMP_DOWNLOADER><11-05-2017 11:40:30.533-330><thread=5984 (0x1760)>
EasySetupDownloadSinglePackage finishes downloading c410f586-cf7a-4279-b963-139606fc25be. ~~ $<SMS_DMP_DOWNLOADER><11-05-2017 11:40:30.557-330><thread=5984 (0x1760)>
Get Easy Setup installed Packages to delete payload~~ $<SMS_DMP_DOWNLOADER><11-05-2017 11:40:30.577-330><thread=5984 (0x1760)>

SCCM Update Download Issue Not Fixed by CM Update Reset Tool?

What if the SCCM update download issue is not fixed by the CM Update Reset Tool? If the command-line tool CMUpdateReset.exe didn't help, what next? The following are the steps SCCM goes through to download an update.

You can check this download status from the SCCM monitoring workspace. More details are in the log file ConfigMgrSetup.log.

  1. Process update package
  2. Download the updated package cab file
  3. Extract update package payload
  4. Download redist
  5. Report package as downloaded

FIX SCCM CB Download Stuck at REDIST prerequisite files

In my scenario, the REDIST prerequisite files were not getting downloaded. I could see errors related to the REDIST file download in ConfigMgrSetup.log. If you have problems downloading redist files, ConfigMgrSetup.log is the best place to find the root of the issue.

As I explained in my previous post, "Learn How to Download SCCM ConfigMgr CB Prerequisite Files", I downloaded the prerequisite files separately using SETUPDL.EXE.

Once the prerequisite files are downloaded, copy those files to the D:\Program Files\Microsoft Configuration Manager\EasySetupPayload\<Update Package GUID>\Redist folder.

I don't recommend doing this in your production environment. Thanks to Robert Marshall's tip, which helped me to resolve the issue. I have mentioned this in the tweet.


SCCM Download Issues

The above section of the post, "CMUpdateReset.exe Tool Fixes SCCM CB Update Download Issue", has more details. But it didn't work for me this time. I was getting the following error in DMPDownloader.log.

I struggled to complete the download of the SCCM CB version in my test lab. I had gone through my previous posts to fix the download issue.

  • ERROR: Failed to download redist for 51d629d3-c355-4b80-ad6f-ba44b27f84ed with command /RedistUrl http://go.microsoft.com/fwlink/?LinkID=860262 /LnManifestUrl http://go.microsoft.com/fwlink/?LinkID=860266 /RedistVersion 201712 /NoUI "\\SCCMTP1.INTUNE.COM\EasySetupPayload\51d629d3-c355-4b80-ad6f-ba44b27f84ed\redist"
  • Failed to download redist for 51d629d3-c355-4b80-ad6f-ba44b27f84ed.

I could see the actual download of the SCCM update had happened on the following path “D:\Program Files\Microsoft Configuration Manager\EasySetupPayload”.

But the status was not changing from Downloading to Ready to Install. The fix for the SCCM Redist download issue is explained in this post.

FIX SCCM CB Redist Files Download Issue

The following are the five high-level steps that run in the background when an SCCM CB update is downloaded to your server.

  1. Process update package
  2. Download the updated package cab file
  3. Extract update package payload
  4. Download redist
  5. Report package as downloaded
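To tell which of the five steps a stuck download reached, here is an added Python example (my own code, not from the post or from Microsoft) that parses the "message~~ $$<component><date time><thread=...>" lines that DMPDownloader.log and ConfigMgrSetup.log write, as quoted earlier on this page, and reports per package GUID whether the download finished or failed at the redist step. Only the three message patterns quoted on the page are recognised; the timestamps on the two redist-failure sample lines are made up, and mapping those messages onto the step numbers above is my assumption.

```python
"""Added example (not from the post or from Microsoft): parse the legacy
CMTrace-style lines that DMPDownloader.log and ConfigMgrSetup.log write
("message~~ $$<component><date time><thread=...>") and report, per update
package GUID, whether the download finished or at which step it failed."""
import re
from collections import defaultdict
from typing import Dict, Optional

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
# Trailing metadata; the post renders it as "~~ $<...>" (one '$' lost), so '$$' is optional
META_RE = re.compile(r"~~\s*\$\$?<(?P<component>[^>]+)><(?P<stamp>[^>]+)><thread=(?P<thread>\d+)")
# Message patterns taken from the log lines quoted in the post
REDIST_FAIL_RE = re.compile(r"Failed to download redist for (?P<guid>" + GUID + r")(?: with command (?P<cmd>.*))?")
FINISHED_RE = re.compile(r"EasySetupDownloadSinglePackage finishes downloading (?P<guid>" + GUID + ")")
STATE_RE = re.compile(r"Generating state message: (?P<id>\d+) for package (?P<guid>" + GUID + ")")
PARAM_RE = re.compile(r"/(RedistUrl|LnManifestUrl|RedistVersion)\s+(\S+)")


def parse_line(line: str) -> Dict[str, Optional[str]]:
    """Split one log line into its message and the component/timestamp/thread metadata."""
    meta = META_RE.search(line)
    message = line[:meta.start()].strip() if meta else line.strip()
    return {"message": message,
            "component": meta.group("component") if meta else None,
            "stamp": meta.group("stamp") if meta else None,
            "thread": meta.group("thread") if meta else None}


def _new_record() -> Dict[str, object]:
    return {"finished": False, "state_messages": [], "redist_failures": [], "redist_params": {}}


def summarise_downloads(log_text: str) -> Dict[str, Dict[str, object]]:
    """Group the download-related events by package GUID (lower-cased)."""
    summary: Dict[str, Dict[str, object]] = defaultdict(_new_record)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        msg = entry["message"]
        m = REDIST_FAIL_RE.search(msg)
        if m:  # step 4 (Download redist) failed; keep the URLs so they can be tested by hand
            rec = summary[m.group("guid").lower()]
            rec["redist_failures"].append(entry["stamp"])
            if m.group("cmd"):
                rec["redist_params"].update(dict(PARAM_RE.findall(m.group("cmd"))))
            continue
        m = FINISHED_RE.search(msg)
        if m:
            summary[m.group("guid").lower()]["finished"] = True
            continue
        m = STATE_RE.search(msg)
        if m:  # state message 13 is what the post shows after a successful download
            summary[m.group("guid").lower()]["state_messages"].append(int(m.group("id")))
    return dict(summary)


def diagnose(summary: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Map each package to a verdict phrased against the five download steps above
    (the step numbering is this example's assumption)."""
    verdicts = {}
    for guid, rec in summary.items():
        if rec["finished"] and 13 in rec["state_messages"]:
            verdicts[guid] = "downloaded: package finished and state message 13 was reported"
        elif rec["redist_failures"]:
            url = rec["redist_params"].get("RedistUrl", "<RedistUrl not logged>")
            verdicts[guid] = (f"stuck at step 4 (Download redist): {len(rec['redist_failures'])} failure(s); "
                              f"test {url} from the site server or stage the prerequisites with SETUPDL.EXE")
        elif rec["finished"]:
            verdicts[guid] = "cab downloaded but not yet reported as downloaded (step 5 pending)"
        else:
            verdicts[guid] = "no completion or failure logged; check whether the EasySetupPayload folder is growing"
    return verdicts


# Constructed sample log: messages copied from the post, timestamps on the first two lines made up.
SAMPLE_LOG = r"""
ERROR: Failed to download redist for 51d629d3-c355-4b80-ad6f-ba44b27f84ed with command /RedistUrl http://go.microsoft.com/fwlink/?LinkID=860262 /LnManifestUrl http://go.microsoft.com/fwlink/?LinkID=860266 /RedistVersion 201712 /NoUI "\\SCCMTP1.INTUNE.COM\EasySetupPayload\51d629d3-c355-4b80-ad6f-ba44b27f84ed\redist"~~ $$<SMS_DMP_DOWNLOADER><12-20-2017 10:02:11.101-330><thread=5984 (0x1760)>
Failed to download redist for 51d629d3-c355-4b80-ad6f-ba44b27f84ed.~~ $$<SMS_DMP_DOWNLOADER><12-20-2017 10:02:11.120-330><thread=5984 (0x1760)>
Generating state message: 13 for package c410f586-cf7a-4279-b963-139606fc25be~~ $<SMS_DMP_DOWNLOADER><11-05-2017 11:40:30.480-330><thread=5984 (0x1760)>
EasySetupDownloadSinglePackage finishes downloading c410f586-cf7a-4279-b963-139606fc25be. ~~ $<SMS_DMP_DOWNLOADER><11-05-2017 11:40:30.557-330><thread=5984 (0x1760)>
"""

if __name__ == "__main__":
    for guid, verdict in diagnose(summarise_downloads(SAMPLE_LOG)).items():
        print(guid, "->", verdict)
```

Feed it the real DMPDownloader.log and ConfigMgrSetup.log from the site server; the RedistUrl and LnManifestUrl it extracts from a failure line are the URLs to check for proxy or firewall blocking from the service connection point, which is usually why step 4 fails while the package cab itself downloads fine.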

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.