Troubleshooting ConfigMgr

Contents
Welcome
Alerts, reporting, and queries
A log with a long line is truncated in CMTrace
Editing reports fails
Obtain error code descriptions in reports
Reports don't run as expected
Reporting stops working
rsProcessingAborted error when running reports
SQL query times out or slow console performance
Application management and software distribution
Applications not deployed to users logged on to domain controllers
Can't deploy applications to Windows 10 ARM64 devices
Changes to App-V applications aren't included
Contributor role is no longer assigned at the subscription level
Deploy Windows language packs
Deployment Type changes are deployed unexpectedly
Troubleshoot Microsoft Store for Business and Education integration
Troubleshooting tips for application deployments
Client installation and assignment
Can't install client in Windows Server 2008 SP2
Client installation error 1603
Client installation fails when BITS isn't installed
Client piloting package fails after a site expansion
Clients reinstall every five hours
Error 80041002 when installing client agent
Mac client enrollment fails
Mac client registration fails
PolicyAgentInstanceProvider warnings during client installation
Software update installations stop responding
Support for Mac, Linux and UNIX clients
There was a problem starting PolicyAgentProvider.dll
Client management
Client remains in provisioning mode after upgrade
Clients become inactive
Clients don't receive policy data
Cloud management gateway
WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID
Clients can't communicate with CMG
Collections
Multiple instances of the Unknown computers collection
Inventory and asset intelligence
Can't import the Sms_def.mof file
Hardware inventory fails
Remote control fails with error C000012
SMS Agent Host service doesn't restart when the WMI service resumes
Software Metering failed to start PrepDriver
Turn on the DebugLogging key
Upgrade Readiness data is downloaded continuously
Configuration Manager console
Console appears to hang when loading drivers
Internal Error 2711.LP3076
Microsoft.ConfigurationManagement has stopped working
No data in the Windows 10 servicing dashboard
Content management
Configure peer cache for Configuration Manager clients
Distribution point and content distribution
A deployment property change isn't saved
Anonymous Authentication of SMS_DP_SMSPKG$ reset to Disabled
App-V applications can't be streamed from a DP
Boot image distribution to a PXE enabled DP fails
Can't distribute deployment packages
Content distribution fails with error 80070070
Content distribution fails with IDispatch error
DPs in a neighbor boundary group are used
DP installations or upgrades take a long time
Duplicate rows in DistributionContentVersion table
Hash mismatch error downloading Contentinfo.tar
Package distribution to a remote DP fails
Windows Installer source list update fails
Troubleshoot content distribution
Content distribution overview
Components and threads for content distribution
Install and configure distribution points
Content library
Package actions in content distribution
Advanced troubleshooting tips for content distribution
Data transfer between sites
DRS performance issues after installing hotfix 3125525
Troubleshoot database replication service issues
Diagnostic
Configuration Manager diagnostics
Failed devices on client health dashboard
Discovery
lastLogonTimestamp isn't updated as expected
Endpoint Protection
An incorrect Endpoint Definition status
Clients can't update antimalware definition files
Download and install Endpoint Protection for Linux
Microsoft Network Inspection service is stopped
Out-of-date definition version and last update time
Recommended antivirus exclusions
Support policies for Azure Virtual Machines
Microsoft Deployment Toolkit (MDT)
Troubleshooting reference for MDT
Mobile device management
Call to HttpSendRequestSync failed for port 443
Communication with Intune service doesn't stop
Initialize CA Error
OS deployment
Build and capture reference image
Custom port settings aren't added to boot media
Not enough memory resources creating media
Scheduled Updates fails to unmount image
Unable to manage boot images
Configure OS deployment in System Center 2012 Configuration Manager
Manage drivers
Can't import drivers
Insufficient permissions to migrate a driver package
Signed drivers are displayed as unsigned
PXE boot
A PXE enabled DP generates many files
Advanced troubleshooting for PXE boot
Boot from a PXE server
Failed to get the encrypted PXE password
PXE boot doesn't work
Troubleshoot PXE boot
Understand PXE boot
WDS crashes due to PXE boot
WDS doesn't start on a PXE enabled remote DP
Task sequences
A client computer steals the GUID of an Unknown Computer object
Active users and groups are unexpectedly deleted
An error occurred when loading the task sequence
An in-place upgrade task sequence doesn't continue
Apply Driver Package task fails with error 80070057
Computer hangs during an OSD task sequence in debug mode
Dynamic Media can't get management point locations
Enable BitLocker task fails with error 80070057
The Capture User State task fails
Get network captures in Windows PE
No mouse cursor during an OSD task sequence
OSDResults doesn't display installed applications
Sending with winhttp failed 80072f8f
Slow task sequences with earlier client versions
Task sequence fails if software updates require multiple restarts
Task sequence fails with error 80070005
Task sequence fails with error 0x87d01004
Task sequence stops after an in-place upgrade
Task sequence stops after setup or upgrade
The debug deployment isn't displayed
Troubleshoot the Install Application task sequence step
Versions required for Windows deployment
Setup, migration, backup, and recovery
BitLocker and MBAM
MBAM 2.0 setup prerequisite checker fails
Not found error editing Update Application Catalog Tables
Site installation
A central administration site setup fails
Site system roles installation and operations
Connectivity issues when the DigiCert Global Root G2 root cert is not installed
Enable MFA for SMS Provider calls
HTTP Error 500.19
Management points fail with HTTP 500 errors
Service connection point doesn't download updates
Troubleshoot state message processing performance issues
SMS Executive service
SMS_EXECUTIVE service crashes
SQL Server settings and configuration
Can't create software update packages or applications
Error when you move a site database
Function sequence error in Smsdbmon.log
Site system installation account incorrectly used for database connection
SQL Server updates must be manually installed on secondary sites
Support policies for manual database changes
Warnings are repeatedly logged in Smsdbmon.log
Updates and servicing
Changes to built-in collections are overwritten after upgrade
Clients are automatically upgraded
Error downloading the ConfigMgr.AdminUIContent.cab file
Offline servicing a WIM image with Latest Cumulative Update fails
Site upgrade gets stuck at database update
Upgrade to System Center 2012 Configuration Manager SP1
Understand and troubleshoot Updates and Servicing
Maintenance tasks default settings
Software update management
Issues
Bad gateway error when deploying software updates
Clients don't get software updates
Different results are shown for software updates
Errors when servicing a server group
Error 0x800f0831 installing updates
.NET Framework 4.7.2 updates fail to sync
Updates aren't downloaded when an ADR runs
State messaging
Understand software update management
Software updates introduction
Software updates maintenance
Software update point installation and configuration
WSUS Configuration Manager
Track software update synchronization
Track software update compliance assessment
Track software update deployment
Troubleshoot software update management
Enable verbose logging
Troubleshoot software update management
Troubleshoot software update synchronization
Troubleshoot software update scan failures
Troubleshoot software update deployment
Windows Server Update Services (WSUS)
Decline superseded updates in WSUS
Deploy Windows Defender definition updates
Error 80244007 when WSUS client scans for updates
High network bandwidth usage
Optimize WSUS client performance
Reindex the WSUS database
The spDeleteUpdate stored procedure runs slowly
Troubleshoot issues with WSUS client agents
Troubleshoot WSUS connection failures
Troubleshoot WSUS high CPU usage
Troubleshoot WSUS synchronization and import issues
WSUS and Windows Update Agent diagnostics
WSUS best practices
WSUS client computers restart without any notification
WSUS client takes too long to finish an update scan
WSUS console crashes
WSUS maintenance guide
WSUS sync fails in Windows Server 2008 R2
WSUS synchronization fails with SoapException
A log that has a line exceeding 8000 characters is
truncated in the CMTrace log viewer
3/5/2021 • 2 minutes to read • Edit Online
This article provides workarounds for the issue that a line of a log that exceeds 8000 characters causes the log
to be truncated in the CMTrace log viewer.
Original product version: Microsoft System Center 2012 Configuration Manager
Original KB number: 2716956
Symptoms
In Microsoft System Center 2012 Configuration Manager, when you use the CMTrace log viewer to review any
log that contains a line exceeding 8000 characters, the log is truncated at that line.
Workaround
There are two workarounds to this issue. First, you can view the log file in Notepad. Viewing the log file in
Notepad will allow you to see all of the content. Second, if you prefer to view the log in CMTrace you can edit the
offending lines in Notepad (making them less than 8000 characters long) and then view the edited log in
CMTrace.
Editing reports in Configuration Manager may fail
when Internet Explorer isn't the default browser
This article provides a solution for the issue that you cannot edit reports in Microsoft System Center 2012
Configuration Manager if the default browser is not Internet Explorer.
Symptoms
When attempting to edit reports in the Administrator Console on a System Center 2012 Configuration Manager
site server, you may receive this error:
Application cannot be started. Contact the application vendor.
or
When attempting to edit reports from the Configuration Manager console installed on a client computer, the
action may fail with this error:
Cannot download the application. The application is missing required files. Contact application vendor for
assistance.
Cause
This may occur if Internet Explorer is not the default browser on the computer. Different limitations and
requirements exist depending on which version of SQL Server is being used for the site database.
Resolution
To resolve this issue, install a supported browser and set it as the default. For a list of supported browsers and
limitations for your version of SQL Server, see the following articles:
For SQL Server 2008: Planning for Browser Support
For SQL Server 2008 R2: Planning for Browser Support)
For SQL Server 2012: Planning for Reporting Services and Power View Browser Support (SSRS 2012)
More information
The following article lists the SQL Server versions that are supported by System Center 2012 Configuration
Manager:
Configurations for the SQL Server Site Database
How to obtain error code descriptions in
Configuration Manager reports
This article describes how to obtain error code descriptions in Configuration Manager reports.
Original product version: Configuration Manager
Obtain error code descriptions

Some reports that are included together with Configuration Manager display errors codes that don't contain an
error description. However, you can obtain a description by deciphering the error code. To do this, follow these
steps:
1. In the Configuration Manager console, open the report that contains the error code that you want to
decipher.
2. Convert the error code from decimal to hexadecimal. For example, if the error code is -2147012889 ,
you must convert -2147012889 to a hexadecimal value. In this case, the hexadecimal value is
FFFFFFFF80072EE7 .
3. Remove the FFFFFFFF in front of the converted error code. In this example, the error code becomes
80072EE7 .
4. Use the following information to locate the error description:
Converted error codes that begin with 80072 are typically WinHTTP error codes, such as host
not found errors. Convert the trailing four hexadecimal bytes to a decimal value. For example,
2EE7 is 12007 decimal. To view the WinHTTP error codes, see Error Messages.
For example, error code 12007 maps to the following error description:
ERROR_WINHTTP_NAME_NOT_RESOLVED 12007 The server name cannot be resolved
Converted error codes that begin with 8009 are typically CryptoAPI error codes, such as
cer tificate expired errors or CN= mismatch errors. You can use the Trace32 program to view
the error code directly when you type trace32 together with the error code. For more information
about CryptoAPI error codes and other Windows System error codes, see Error Codes.
Converted error codes that begin with 800402 or 800403 are typically Configuration Manager
error codes.
All other error codes are typically Windows error codes or third-party error codes. All Windows
error codes can be identified by using the Trace32 program and by specifying the error code, such
as 80072EE7 .
Reports don't run in System Center 2012 R2
Configuration Manager
This article fixes a problem that blocks reports from running in System Center 2012 R2 Configuration Manager.
Original product version: Microsoft System Center 2012 R2 Configuration Manager
Symptoms
Reports that are started from the Administrator Console in System Center 2012 R2 Configuration Manager or
from the Reporting Services website may not run as expected. Additionally, you may receive error messages
that resemble the following:
The DefaultValue expression for the report parameter 'UserTokenSIDs' contains an error: The specified
directory service attribute or value does not exist.Details:System.Web.Services.Protocols.SoapException: The
DefaultValue expression for the report parameter 'UserTokenSIDs' contains an error: The specified directory
service attribute or value does not exist.
Cause
This problem may occur when the following conditions are true:
You have Cumulative Update 4 or a later version for System Center 2012 R2 Configuration Manager
installed.
The Report Server Service Account doesn't have Read permissions to the OU in which the user running the
report resides, or to Users or Computers container in Active Directory Domain Services (AD DS).
Resolution
To resolve this problem, grant the Report Server Service Account Read permissions to the OU in which the user
running the report resides, and to both the Users and Computers containers in AD DS.
Reporting stops working after you move a
reporting services point or enable TLS 1.2 in
This article helps you fix an issue in which Configuration Manager reporting doesn't work after you move the
reporting services point role to a new server or you enable TLS 1.2 on the site servers.
Original product version: Configuration Manager (current branch)
Symptoms
After you move the reporting services point role to a new server, or you enable TLS 1.2 on the site servers,
reporting no longer works in Configuration Manager.
The following error messages are logged in the Srsrp.log file on the reporting services point:
Successfully created srsserver SMS_SRS_REPORTING_POINT

Reporting Services URL from Registry
[https://<ServerName>.contoso.com/SCCMReportServer/ReportService2005.asmx]
SMS_SRS_REPORTING_POINT
The underlying connection was closed: An unexpected error occurred on a receive.
(!) SRS not detected as running SMS_SRS_REPORTING_POINT
Failures reported during periodic health check by the SRS Server [<ServerName>.contoso.com].
Cause
This issue occurs because the site servers and site systems don't meet the requirements that are described in
How to enable TLS 1.2.
Resolution
To fix this issue and enable TLS 1.2 in Configuration Manager, make sure that the site servers and site systems
meet the requirements that are described in How to enable TLS 1.2.
To do this, follow these steps:
1. Verify that .NET Framework is updated and has strong cryptography enabled on all relevant computers.
To do this, first determine your .NET Framework version number, and then follow these guidelines:
.NET Framework 4.6.2 supports TLS 1.1 and TLS 1.2. No additional changes are required.
.NET Framework 4.6 and earlier versions must be updated to support TLS 1.1 and TLS 1.2.
If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows RT 8.1, or Windows
Server 2012, the relevant updates and details are also available from Microsoft Update Catalog.
All Configuration Manager client computers and site systems should have the following registry
values set.
For 32-bit applications that are running on 32-bit systems or 64-bit applications that
are running on 64-bit systems:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
For 32-bit applications that are running on 64-bit systems:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
2. Verify that the SMS_Executive service is restarted after any updates are installed.
rsProcessingAborted error when you run reports in
This article helps you fix an issue in which you can't run reports for collections if you use Microsoft SQL Server
2019 in Microsoft Endpoint Configuration Manager.
Applies to: Microsoft Endpoint Configuration Manager, SQL Server 2019
Symptoms
When you run reports for collections in Microsoft Endpoint Configuration Manager, you receive the following
error messages :
An error has occurred during report processing. (rsProcessingAborted)
The EXECUTE permission was denied on the object 'fnIsCas', database 'CM_LKD', schema 'dbo'
The EXECUTE permission was denied on the object 'fnIsPrimary', database 'CM_IDR', schema 'dbo'
Refer to the following screenshot for an example of the error messages.
When this issue occurs, the following error entries are logged in the ReportingServicesService.log file on the
reporting services point:
processing!ReportServer_0-2!18fc!<Date>-<Time>:: e ERROR: Throwing
Microsoft.ReportingServices.ReportProcessing.ReportProcessingException: ,
Microsoft.ReportingServices.ReportProcessing.ReportProcessingException: Query execution failed for dataset
'DeploymentSummary'.
---> System.Data.SqlClient.SqlException: The EXECUTE permission was denied on the object 'fnIsCas',
database 'CM_LKD', schema 'dbo'.
processing!ReportServer_0-2!18fc!<Date>-<Time>:: e ERROR: An exception has occurred in data set

'DeploymentSummary'. Details: Microsoft.ReportingServices.ReportProcessing.ReportProcessingException: Query
execution failed for dataset 'DeploymentSummary'.
processing!ReportServer_0-2!18fc!<Date>-<Time>:: v VERBOSE: An exception has occurred. Trying to abort

processing. Details: Microsoft.ReportingServices.ReportProcessing.ReportProcessingException: Query execution
failed for dataset 'DeploymentSummary'.
Cause
This issue occurs because of the Scalar UDF Inlining feature in SQL Server 2019. A query that uses Scalar UDF
Inlining might return an error or unexpected results. For more information, see Scalar UDF Inlining issues in SQL
Server 2019.
Resolution
To fix this issue, install KB5000642 - cumulative update 9 or a later cumulative update for SQL Server 2019.
SQL query times out or console slow on certain
Configuration Manager database queries
This article helps you fix an issue in which the Configuration Manager console is slow or the SQL query times
out for certain Configuration Manager database queries.
Original product version: SQL Server 2017 on Windows (all editions), SQL Server 2016 Enterprise, SQL Server
2016 Standard, SQL Server 2014 Enterprise, SQL Server 2014 Standard, System Center Configuration Manager
Symptoms
You experience slow Configuration Manager console performance or unusual SQL query timeouts for certain
Configuration Manager database queries in environments running SQL Server 2014, SQL Server 2016, or SQL
Server 2017 on Windows.
Cause
SQL Server Cardinality Estimation (CE) changes in SQL Server 2014, SQL Server 2016, and SQL Server 2017 on
Windows may cause performance issues with certain Configuration Manager queries in some environments.
Resolution
In affected environments, Configuration Manager may run better when the site database is configured at a
different SQL Server CE compatibility level. To identify the recommended CE level for your version of SQL
Server, refer to the following table:
REC O M M EN DED
SUP P O RT ED C O M PAT IB IL IT Y L EVEL F O R REC O M M EN DED L EVEL F O R
C O M PAT IB IL IT Y L EVEL C O N F IGURAT IO N SP EC IF IC P ERF O RM A N C E
SQ L SERVER VERSIO N VA L UES M A N A GER ISSUES
SQL Server 2017 140, 130, 120, 110 140 110
SQL Server 2016 130, 120, 110 130 110
SQL Server 2014 120, 110 110 110
Starting in Configuration Manager current branch version 1810, when the Configuration Manager database is
running on SQL Server 2016 SP1 or later versions, all queries issued by the Admin console and SMS Provider
will automatically add the USE HINT 'FORCE_LEGACY_CARDINALITY_ESTIMATION' query hint. Therefore, Admin console
performance won't be affected when you change the CE Compatibility level to 110 at the database level to
resolve performance issues. If you want to override this behavior, to have the Admin console and SMS Provider
queries use the current SQL Server CE level instead, set the UseLegacyCardinality value to 0 under the
following registry subkey on the computer that hosts the SMS Provider:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Providers
To identify what SQL Server CE compatibility level is in use for the Configuration Manager database, run the
following query:
SELECT name, compatibility_level FROM sys.databases
On SQL Server 2014 and SQL Server 2016 RTM, to identify whether using SQL Server 2012 CE (110) may
improve Configuration Manager query performance, identify a query that is running slowly and manually test
its performance at the SQL Server 2012 CE compatibility level. To do this, run the query in SQL Server
Management Studio with option (querytraceon 9481) and compare the execution time to its performance
without the flag.
Starting with SQL Server 2016 SP1, to accomplish this at the query level, add the
USE HINT 'FORCE_LEGACY_CARDINALITY_ESTIMATION' query hint instead of using trace flag 9481.
For more information about using querytraceon with trace flag 9481 at the specific-query level, see Hints
(Transact-SQL) - Query. For information about using SQL Server Profiler to identify slow queries, see SQL
Server Profiler.
See the following example of a specific-query test run at the SQL Server 2012 CE level against SQL Server 2014:
select
SMS_DeploymentSummary.ApplicationName,SMS_DeploymentSummary.AssignmentID,SMS_DeploymentSummary.CI_ID,SMS_Dep
loymentSummary.CollectionID,SMS_DeploymentSummary.CollectionName,SMS_DeploymentSummary.CreationTime,SMS_Depl
oymentSummary.DeploymentID,SMS_DeploymentSummary.DeploymentIntent,SMS_DeploymentSummary.DeploymentTime,SMS_D
eploymentSummary.DesiredConfigType,SMS_DeploymentSummary.EnforcementDeadline,SMS_DeploymentSummary.FeatureTy
pe,SMS_DeploymentSummary.ModelName,SMS_DeploymentSummary.ModificationTime,SMS_DeploymentSummary.NumberErrors
,SMS_DeploymentSummary.NumberInProgress,SMS_DeploymentSummary.NumberOther,SMS_DeploymentSummary.NumberSucces
s,SMS_DeploymentSummary.NumberTargeted,SMS_DeploymentSummary.NumberUnknown,SMS_DeploymentSummary.ObjectTypeI
D,SMS_DeploymentSummary.PackageID,SMS_DeploymentSummary.PolicyModelID,SMS_DeploymentSummary.ProgramName,SMS_
DeploymentSummary.SecuredObjectId,SMS_DeploymentSummary.SoftwareName,SMS_DeploymentSummary.SummarizationTime
,SMS_DeploymentSummary.SummaryType from fn_DeploymentSummary(1033) AS SMS_DeploymentSummary where
SMS_DeploymentSummary.DeploymentID = N'CS100012' option (querytraceon 9481)
NOTE
The query above and deployment ID CS100012 are for demonstration purposes only and will vary by environment.
If the above test indicates that performance gains can be achieved, use the following command in SQL Server
Management Studio to set the Configuration Manager database to the SQL Server 2012 CE compatibility level:
ALTER DATABASE <CM_DB>

SET COMPATIBILITY_LEVEL = 110;
GO
NOTE
In the above example, replace <CM_DB> with your Configuration Manager site database name. To change the CE
compatibility level to a different level, change the value in SET COMPATIBILITY_LEVEL .
More information
When a SQL Server instance is upgraded in-place from any earlier version of SQL Server, pre-existing databases
will keep their existing compatibility level if they are at the minimum allowed level for that new version of SQL
Server. Upgrading SQL Server with a database at a compatibility level lower than the allowed level automatically
sets the database to the lowest compatibility level allowed by the new version of SQL Server.
During upgrades or new installations of Configuration Manager, databases may be automatically configured to
use the recommended SQL Server CE compatibility version for that version of SQL Server (as shown in the table
that's mentioned in the Resolution section). If you experience performance degradation after a servicing update,
as a result of being reverted back to the default recommended CE level for your version of SQL Server, reassess
whether you may have to manually change the CE level back to 110 .
For more information about SQL Server CE compatibility levels, see ALTER DATABASE (Transact-SQL)
Compatibility Level.
Applications aren't deployed to users who are
logged on to domain controllers
This article provides a solution for an issue that applications aren't deployed to users who are logged on to
domain controllers in Configuration Manager.
Symptoms
When you deploy applications to a user collection in Configuration Manager, the applications aren't deployed to
users who are logged on to domain controllers. When this issue occurs, the following entry is logged in the
PolicyAgent.log file:
Skipping request for user policy assignments for local user <User SID>.
Additionally, you may not see any applications that are deployed to user collections in Software Center on the
domain controller.
Cause
This issue occurs because the user policies aren't retrieved on domain controllers.
Resolution
To fix this issue, update to Configuration Manager current branch version 1906.
Workaround
To work around this issue without updating, deploy applications to a device collection that contains the domain
controllers.
Applications aren't deployed to Windows 10 ARM64
devices in Configuration Manager
This article helps you resolve an issue in which applications deployed to Windows 10 devices in an earlier
version of Configuration Manager aren't deployed to Windows 10 ARM64 devices.
Symptoms
Consider the following scenario:
You have Configuration Manager current branch version 1710 or a later version that's installed in a hybrid
mobile device management (MDM) environment.
You have Windows 10 ARM64 devices that are enrolled in this environment.
An application was deployed to Windows 10 devices in an earlier version of Configuration Manager.
In this scenario, the application isn't automatically deployed to the Windows 10 ARM64 devices.
Cause
This issue occurs because Windows 10 ARM64 isn't automatically added to the list of supported operating
systems for the application.
Resolution
To fix this issue, manually update the deployment type of the application, and then redeploy the application. To
do this, follow these steps:
1. In the Configuration Manager console, go to Software Librar y > Application Management >
Applications .
2. In the Applications list, right-click the application that you want to deploy to Windows 10 ARM64
devices, and then select Proper ties .
3. Select the Deployment Types tab, select the deployment type, and then select Edit .
4. Select the Requirements tab, select the operating system requirement, and then select Edit .
5. Under Windows 10 , select All Windows 10 (ARM64) , and then select OK three times to close all
dialog boxes.
6. Select the Deployments tab, and then note the existing deployments.
7. Delete deployments to the following collections:
Device collections that include Windows 10 ARM64 devices.
User collections that include users who have Windows 10 ARM64 devices enrolled.
8. Re-create the deleted deployments.
Changes to an App-V application are not included
when you use App-V Sequencer
This article provides a workaround to solve the issue that changes to a Microsoft Application Virtualization
(App-V) application via the App-V Sequencer are not included in this application in System Center 2012
Configuration Manager.
Original product version: Microsoft System Center 2012 Configuration Manager, Microsoft Application
Virtualization for Windows Desktops, Microsoft Application Virtualization for Remote Desktop Services
Symptoms
Consider this scenario:
You create a Microsoft App-V application.
You deploy the source for the application to a System Center 2012 Configuration Manager distribution point.
You change the application by using the App-V Sequencer.
You deploy the content for the updated application to the distribution point.
In this scenario, when users run the application, your changes are not included in the application.
Cause
This problem occurs because the App-V Sequencer saves the virtual application's SFT file (.sft) using a different
name when changes are saved for the application. For example, if your virtual application is named MyApp.sft,
the App-V Sequencer will save the changed application as MyApp_2.sft. Without manual adjustment, the
Deployment Type for the App-V application will still refer to the original SFT file name.
Workaround
To work around this problem, change the Deployment Type to refer to the current SFT file manually.
More information
Because the file name changes when you update an App-V application, Binary Delta Replication is not used to
download the updated content to the clients. Binary Delta Replication is possible only when you work with two
versions of a file that have the same name.
Contributor role is no longer assigned for a web
app at the subscription level in Azure
This article describes a change that Contributor role is no longer assigned for a web application at the
subscription level in Configuration Manager current branch version 1810 and later versions.
Summary
Starting in Configuration Manager current branch version 1810, the classic service deployment in Azure is
deprecated. When you create a cloud management gateway (CMG) by using the Azure Resource Manager
(ARM) deployment type, Contributor role assignment is limited to resource groups when the service is
deployed. Contributor role at the subscription level is no longer assigned for the web application. The web
application will have only Read permission at the subscription level.
More information
For existing CMG cloud services, Contributor role assignment remains at the subscription level. If you want to
restrict web application permissions at the subscription level, remove the Contributor role assignment at this
level only. To do this, follow these steps:
1. Open the Access control (IAM) blade for the resource group, and verify that the application has the
Contributor role assigned.
2. Open the IAM blade for the subscription, and then remove the Contributor role assignment for the
application.
NOTE
Don't delete the web app completely from the subscription. If you do that, Configuration Manager loses some
dependencies on Azure objects.
How to deploy a Windows language pack as an
application in Configuration Manager
This article describes how to deploy a Windows language pack as an application in Configuration Manager,
including logs that you can use to track the deployment.
Deploy a language pack as an application

To deploy a language pack as an application in Configuration Manager, follow these steps:
1. In Configuration Manager console, go to Software Librar y > Application management >
Applications , and then select Create Application .
2. On the General page of the Create Application Wizard , select Manually specify the application
information , and then select Next .
3. On the General Information page, specify information about the application, such as the application
name and comments, and then select Next .
4. On the Application Catalog page, specify information about how to display the application to users in
the Application Catalog, and then select Next .
5. On the Deployment Types page, select Add to open the Create Deployment Type Wizard .
6. On the General page, select Script Installer from the Type list, and then select Next .
7. On the General Information page, enter application name, and then select Next .
8. On the Content page, specify the content location, enter the following for Installation program , and
then select Next .
DISM /Online /Add-Package /PackagePath:.\
9. On the Detection Method page, select Add Clause .

10. For Detection Rule , select Registr y from the Setting Type drop-down list, select
HKEY_LOCAL_MACHINE for Hive , enter
SYSTEM\CurrentControlSet\Control\MUI\UILanguages\<language name> in Key , (for example,
SYSTEM\CurrentControlSet\Control\MUI\UILanguages\fr-FR ), and then select OK .
11. Select Next .

12. On User Experience page, select Install for system from the Installation behavior drop-down list,
specify a Logon requirement , and then select Next .
13. On the Requirements page, you can specify installation requirements by clicking Add .
The following example requires deploying the language pack on Windows 10 version 1803.
NOTE
Language packs are specific to OS versions. Therefore, for example, Windows 10 version 1803 language packs
only work in version 1803, but not other versions.
Example
a. Select Custom for Categor y , and then select Create .
b. Specify details at Create Global Condition .

c. Enter 1803 for Value , and then select OK .
14. On Summar y page, confirm the settings, and then select Next .
15. Wait for the wizard to complete, and then select Close to exit the wizard.
16. Select Next .
17. On Summar y page, confirm the settings for the application, and then select Next .
18. Wait for the wizard to complete, and then select Close to exit the wizard.
19. After the application is created successfully, deploy it to the required collections.
20. On the client device, open Software Center , select the application, and then select Install .
21. Verify that the language pack was installed successfully by running the following command from an
elevated command prompt:
DISM /online /Get-intl
The following is sample output:

Use logs to track policy and application installation
You can use the following logs to track policy and application installation:
Use PolicyAgent.log to check whether a policy is downloaded or not. In the following example,
88BF878E... is the deployment ID.
Use AppDiscover y.log to check the discovery or detection of an application on client devices.
Use AppIntentEval.log to check the current state of the application and its applicability.
Use AppEnforce.log to track application installation on the client and to check the exit code to verify that
installation completed successfully.
Use DISM.log to determine whether installation started.
Changes to the Deployment Type are deployed
unexpectedly and cannot be rolled back
This article describes a behavior that Deployment Type changes are deployed unexpectedly and can't be rolled
back in Microsoft System Center 2012 Configuration Manager.
Symptoms
Consider the following scenario in System Center 2012 Configuration Manager:
User A is an administrator who is granted the Application Editor role.
User B is an administrator who is granted the Application Deployment role.
User A creates an application and adds requirements, dependencies, and so on. Because User A is an
Application Editor, the user cannot deploy the application.
User B, as an administrator in the Application Deployment role, finds the application that User A created. User
B deploys the application for immediate installation to a collection of devices or of users.
User A makes changes to the Deployment Type for the application.
In this scenario, clients that don't already have the original Deployment Type installed will have the new
Deployment Type installed according to the configured schedule. However, you may expect that the new
Deployment Type would not be automatically deployed without additional steps being followed by User B, the
administrator in the Application Deployment role. Additionally, User B cannot roll back the changes to the
Deployment Type for the application.
The new Deployment Type doesn't automatically deploy to clients for which the original Deployment Type was
installed successfully. This is confirmed by the Detection Method logic for the Deployment Type. If the Detection
Method logic for the Deployment Type does not find that the application is installed, a reinstallation by using the
latest revision of the Deployment Type will be tried on the client. The Detection Method logic is reevaluated per
the compliance evaluation schedule that is configured in the compliance settings of the client settings that apply
to the client device. This occurs regardless of whether the Deployment Type has changed.
Status
This behavior is by design. Changes to applications and Deployment Types that are already deployed to clients
should be carefully coordinated in this scenario.
Troubleshoot the Microsoft Store for Business and
Education integration with Configuration Manager
This article provides key troubleshooting tips and fixes for some of the top issues that you may have with the
Microsoft Store for Business and Education (MSfB) integration with Configuration Manager.
For more information about using the Microsoft Store for Business and Education with Configuration Manager,
see Manage apps from the Microsoft Store for Business and Education with Configuration Manager.
Monitor
Component status
In the Configuration Manager console, go to the Monitoring workspace, expand System Status , and select the
Component Status node. Monitor status of the following components:
SMS_BUSINESS_APP_PROCESS_MANAGER
SMS_CLOUDCONNECTION
Sync status
In the Configuration Manager console, go to the Administration workspace, expand Cloud Ser vices , and
select the Microsoft Store for Business node. Check the Last Sync Status column.
View synchronized apps
In the Configuration Manager console, go to the Software Librar y workspace, expand Application
Management , and select the License Information for Store Apps node.
Log files
WSfBSyncWorker.log
This log file is located on the service connection point, under \Logs in the Configuration Manager installation
directory. It records information about the communication with the cloud service. This information includes
metadata, icons, packages, and license file retrieval.
To change the log level, change the LoggingLevel value to 0 in the
HKLM\SOFTWARE\Microsoft\SMS\Tracing\SMS_CLOUDCONNECTION registry key. For more information, see Configure
logging options.
SMS_CLOUDCONNECTION.log
This log file is located on the service connection point, under \Logs in the Configuration Manager installation
directory. If the WSfBSyncWorker service isn't started, or repeatedly starts and stops, review the entries in this
log file.
NOTE
This log file is shared with other features.
BusinessAppProcessWorker.log
This log file is located on the site server for the top-level site in the hierarchy. It's under \Logs in the
Configuration Manager installation directory. It records information about the following processes:
Insert the metadata information synced by the BusinessAppProcessWorker component into the database
Process files in \InstallDir\inboxes\businessappprocess.box
SMS_BUSINESS_APP_PROCESS_MANAGER.log
This log file is located on the site server for the top-level site in the hierarchy. It's under \Logs in the
Configuration Manager installation directory. If the BusinessAppProcessWorker service isn't started, or
repeatedly starts and stops, review the entries in this log file.
Last sync failed

When the last sync status is failed, start by reviewing the following log files to identify the symptom:
WSfbSyncWorker.log
Then look at one of the following sections for common issues:
Authorization error
The secret key is invalid
Error getting application token
Content location doesn't exist or incorrect permissions
Error occurred making http request calling 'GET' method
Cannot write more bytes to the buffer
Online application download fails with 0x8024500c
Authorization error
Cause
This issue can occur if the configured Azure Active Directory (Azure AD) application doesn't have permissions to
manage the Microsoft Store for Business and Education for this tenant.
Workaround
1. Sign in as an administrator to the Microsoft Store for Business or Education portal.
2. Go to Settings , and select Management tools .
3. If the application isn't listed, select Add a management tool . Then search by name and select the Azure AD
application associated with the same ClientID as Configuration Manager.
4. If the status doesn't show Active , then select Activate in the Action section.
5. In the Configuration Manager console, go to the Administration workspace, expand Cloud Ser vices , and
select the Microsoft Store for Business node. Synchronize with the store, or wait for the next sync interval
to occur.
TIP
To find the ClientID in Configuration Manager:
1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Ser vices , and select the
Azure Active Director y Tennts node.
2. Select the tenant that you use for the Microsoft Store for Business and Education integration.
3. In the results pane, find the matching application, and look at the Client ID column.
The secret key is invalid

Cause
This issue can occur if the secret key has expired on the Azure AD app for the Microsoft Store for Business and
Education configuration.
Resolution
Renew the secret key for the Azure AD application. For more information, see Renew secret key.
Error getting application token
Cause
This issue can occur if the connected app no longer exists in Azure AD.
Resolution
Delete and recreate the connection to the Microsoft Store for Business and Education.
select the Microsoft Store for Business node.
2. Select the existing connection.
3. Select Delete in the ribbon.
Then recreate the connection. For more information, see the following articles:
Configure Azure Services
Set up Microsoft Store for Business and Education synchronization
Content location doesn't exist or incorrect permissions
Cause
When you set up the Microsoft Store for Business and Education connection, you specify a network share for
storing synchronized content. This issue can occur if this share doesn't exist or has incorrect permissions. The
computer account for the service connection point should be the owner of this directory and any sub-
directories. If it isn't, you'll see an error similar to the following error:
Failed to download package d788cc1b-ab00-bb5f-1548-f2dfe717583b-X86-Arm for product 9WZDNCRFJ3PS\0015.

System.IO.IOException: This security ID may not be assigned as the owner of this object.
To see the location that you configured:

1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Ser vices ,
and select the Microsoft Store for Business node.
2. Select the account and open its Proper ties .
3. Switch to the Configuration tab. The Location setting shows the network path to store application
content downloaded from the Microsoft Store for Business and Education.
Workaround
1. If it doesn't already exist, create the share.
2. Check NTFS permissions on the folder, and the permissions on the network share. Grant the computer
account of the service connection point Read and Write permissions.
If you want to reconfigure the location, delete and recreate the connection with the new content location.
Error occurred making http request calling 'GET' method
Cause
This issue can occur if the sync of applications from the store took so long that the content URL expired.
Workaround
Retry the sync process
select the Microsoft Store for Business node.
2. Select the connection. In the ribbon, select Sync from Microsoft Store for Business .
With each time, it should continue further. It may take several retries depending on the following factors:
The number of offline applications
The size of the packages
The network speed
With each attempt, you should see the error fewer times. If the number of errors doesn't reduce, there's another
issue.
Cannot write more bytes to the buffer
Cause
This issue can occur if the application's package is larger than 500 MB. Configuration Manager only supports
automatic synchronization of offline applications with packages less than 500 MB.
Workaround
You can't automatically sync these apps, but you can download the content, and manually create the application:
1. Get the failing application ID from the following line in WSfbSynWorker.log :
Error(s) syncing or downloading application <ApplicationID> from the Microsoft Store for Business.
2. Sign in as an administrator to the Microsoft Store for Business or Education portal. Find the page for this
application.
TIP
The URL for the page is similar to: https://businessstore.microsoft.com/en-us/store/p/app/ApplicationID
a. Select Offline , if it isn't already selected. Then select Manage .

b. Create a separate folder on your application content share for all supported platforms.
c. Download the package to the package folder.
d. Download the encoded license file as a .bin file to the package folder.
e. Download all required frameworks to the package folder.
3. In the Configuration Manager console, go to the Software Librar y workspace, expand Application
Management , and select the Applications node.
4. Create an application, manually specifying the application information.
a. Create a deployment type for each supported platform that you previously downloaded.
b. Type: Windows app package (*.appx, *.appxbundle)
c. Specify the appx/appxbundle for the actual app package, not a required dependency package.
Confirm the following details on the final Impor t Information page:
License file: Specifies the .bin file. This license file is required for offline apps.
Windows app dependencies: Verify that all of the required dependencies are downloaded for this
package.
Online application download fails with 0x8024500c
Cause
An 0x8024500c error during download is typically caused by the Do not connect to any Windows Update
Internet locations group policy that blocks Windows Update access.
Workaround
Don't enable the Do not connect to any Windows Update Internet locations group policy object.
Sync doesn't run

This section covers the following sync issues:
You manually start the sync process, but it doesn't run
The site doesn't automatically sync each day
Start by reviewing the following log files to identify the symptom:
BusinessAppProcessWorker.log
WsfbSyncWorker.log
Then look at one of the following sections for common issues:
Manual sync doesn't start
Automatic daily sync doesn't run and "shutting down # workers" error in
Manual sync doesn't start
Cause
This issue can occur if you start a sync less than 10 minutes after the previous sync. You can't sync more
frequently than every 10 minutes.
Resolution
Wait for at least 10 minutes before starting another sync.
Automatic daily sync doesn't run and "shutting down # workers" error in
Cause
This issue can occur if the SMS_BUSINESS_APP_PROCESS_MANAGER component stops the WsfbSyncWorker
thread. The error may specify either 2 or 4 workers.
Workaround
Restart the SMS_EXECUTIVE service.
If you're not able to restart that main service, stop both components with MSfB workers, and then start both:
1. Open the Windows registry on the server that runs the service connection point
2. Go to HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_EXECUTIVE\Threads\SMS_CLOUDCONNECTION
a. Set Requested Operation to Stop .

b. Refresh to verify Current State = Stopped .
3. Go to HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_EXECUTIVE\Threads\SMS_BUSINESS_APP_PROCESS_MANAGER
a. Set Requested Operation to Stop .

b. Refresh to verify Current State = Stopped .
4. In SMS_CLOUDCONNECTION , set Requested Operation to Star t .
5. In SMS_BUSINESS_APP_PROCESS_MANAGER , set Requested Operation to Star t .
Language-related issues
This section includes the following common issues:
Language selection changes aren't applied
Not all selected languages are present for all license information
Language selection changes aren't applied
Cause
This issue can occur if the language selection is cached, and isn't cleared after the property values are changed.
Workaround
To resolve this problem, restart the SMS_Executive service.
Not all selected languages are present for all license information
Cause
This issue can occur if the Microsoft Store for Business and Education application's license information doesn't
contain localized data for the specified language.
Workaround
Manually add any missing languages for created applications.
Offline applications
This section includes the following common issues:
Fail to create offline application because content can't be verified
Fail to install application created from offline license information
Fail to create offline application because content can't be verified
Cause
This issue can occur if the synchronized content for the offline application is corrupt or modified.
Workaround
Start a new sync. When the sync completes, it should verify and download any incorrect content files.
Fail to install application created from offline license information
Cause
This issue can occur if you deploy the application to a client running a version of Windows 10 earlier than
version 1511. Offline licensed apps from the Microsoft Store for Business and Education are only supported on
Windows 10 version 1511 and later.
Resolution
Install the latest version of Windows 10.
Next steps
To find additional help, see Find help for using Configuration Manager.
Troubleshooting tips for application deployments
Applies to: Configuration Manager (current branch)

Typical problems with application deployments fall into one of the following categories:
Application download failures
Application deployment compliance stuck at 0%
If you experience either of these issues, this article provides some steps you can use to troubleshoot. For more
in-depth troubleshooting, see Troubleshooting application deployment technical reference.
Download failures
Application download failures include the following problems:
The client is stuck downloading an application
The client fails to download the application content
The client gets stuck at 0% while downloading the application
The first thing to check when you experience application download failures is for missing or misconfigured
boundaries and boundary groups. For example, if the client is on the intranet and not configured for internet-
only client management, its network location must be in a configured boundary. There must also be a boundary
group assigned to this boundary for the client to download content. For more information, see Define site
boundaries and boundary groups.
If you can't configure a boundary for a client, or if a specific boundary group can't be a member of another
boundary group:
1. In the Configuration Manager console, open the properties of the Deployment Type .
2. Switch to the Content tab.
3. In the section for using a distribution point from a neighbor boundary group or the default site boundary
group, change the Deployment options to Download content from distribution point and run
locally . (By default this setting is Do not download content .)
If the client can't download the application content, make sure it's distributed to a distribution point. To verify
this configuration, use the in-console features to monitor content distribution to the distribution points. For
more information, see Monitor content you have distributed.
Compliance stuck at 0%
When the application's deployment compliance is 0%, check the deployment status for the application in the
Monitoring workspace under the Deployments node.
In Progress : The client could be stuck downloading content
Error : For more information on how to troubleshoot this problem, see the following blog post: Tips and
Tricks: How to Take Action on Assets That Report a Failed Deployment
Unknown : This status usually means that the client hasn't received policy. Manually refresh client policy
to see if the client receives it. For more information, see Initiate policy retrieval for a Configuration
Manager client.
If these actions don't resolve the issue, check the client status. There may be a deeper underlying problem with
the client. For more information, see How to monitor clients.
Next steps
Monitor applications
Deploy applications
Management tasks for applications
Troubleshooting application deployment technical reference
Installation of Configuration Manager client version
1602 to 1710 or long-term servicing branch (LSTB)
version 1606 fails in Windows Server 2008 SP2
This article provides a solution for the issue that you cannot install the Configuration Manager client current
branch versions 1602 through 1710 or LSTB version 1606 on Windows 2008 Service Pack 2 (SP2) clients.
Original product version: Configuration Manager (LTSB), Configuration Manager (current branch)
Symptoms
On some Windows 2008 SP2 clients, when you try to install the Configuration Manager client current branch
versions 1602 through 1710 or LSTB version 1606, client setup fails, and errors that resemble the following are
logged.
CCMSetup.log
MSI: Action 17:56:36: Rollback. Rolling back action:

File C:\Windows\ccmsetup\{CA4329EC-A4F5-4E5E-A9FE-EFAAE88B0D67}\client.msi installation failed. Error
text: ExitCode: 1603
ClientMSI.log
Compiling Sql CE script file: C:\Windows\CCM\StateMessageStore.sqlce into database

C:\Windows\CCM\StateMessageStore.sdf
ERROR: Failed to execute SQL statement:
DROP TABLE CCM_StateMsg;
with error (0x80040e37).
WARNING: Failed to compile
DROP TABLE CCM_StateMsg;
. Error code = 0x80040e37.
This script is marked as ignore on failure. Continue with other scripts.
Action ended 17:56:36: InstallFinalize. Return value 3.
...
MSI (s) 128 (0x80) Product: Configuration Manager Client -- Installation operation failed.
MSI (s) 128 (0x80) Windows Installer installed the product. Product Name: Configuration Manager Client.
Product Version: 5.00.8458.1000. Product Language: 1033. Installation success or error status: 1603.
Cause
This is caused by the issue in Visual C++ 2013 C runtime described in Update for Visual C++ 2013 and Visual
C++ Redistributable Package.
Resolution
To resolve this issue, manually install the updated version of Visual C++ 2013 Redistributable. After you install
the updated Visual C++ 2013 Redistributable package, reinstall the Configuration Manager client.
MSI: Configuration Manager Client is not installed
This article helps you fix an issue in which you receive error code 1603 when installing the Configuration
Manager client.
Symptoms
Attempts to install the Configuration Manager client may fail with the following error messages in the
ccmsetup.log:
MSI: Configuration Manager Client is not installed. ccmsetup 12-11-2010 16:26:12 3264 (0x0CC0)
Installation failed with error code 1603 ccmsetup 12-11-2010 16:26:12 3264 (0x0CC0)
If you check the client.msi.log, you may notice the following lines:
MSI (s) (54:74) [16:26:11:416]: Checking in-progress install: install for same configuration.
MSI (s) (54:74) [16:26:11:416]: Suspended install detected. Resuming.
Cause
This can occur if a previously failed installation of the Configuration Manager client left behind an IPI installer
file (.ipi) in the %systemroot%\installer directory on the target computer.
Resolution
Search for *.ipi files in the %systemroot%\installer directory on the target computer and temporarily move
them to a different folder. Next run the setup of the client installation again and it should complete successfully.
Configuration Manager client installation fails when
BITS is not installed
This article fixes an issue in which Configuration Manager client installation fails when Microsoft Background
Intelligent Transfer Service (BITS) isn't installed.
Symptoms
When you try to install the Microsoft System Center 2012 Configuration Manager client, the installation fails,
and the following error messages are logged in the CCMSetup.log file:
This operating system does not contain the correct version of BITS. BITS 2.5 or later is required.
Sending Fallback Status Point message, STATEID='321'.
State message with TopicType 800 and TopicId {0D94311F-CB7B-4E73-94B1-75878081111C} has been sent
to the FSPCcmSetup failed with error code 0x80004005
Cause
This problem occurs because BITS version 2.5 or a later version must be installed before you can install the
Configuration Manager client.
Resolution
To resolve this problem, first deploy the minimum required version of BITS or a later version on client
computers. After you install BITS, you must restart the client computer must be restarted. Then, you can install
the Configuration Manager client.
More information
BITS version 2.5 is required to enable throttled data transfers between the client computer and System Center
2012 Configuration Manager site systems. BITS is not automatically downloaded during client installation. Most
operating systems include BITS. However, if your operating system doesn't include BITS, you must install BITS
before you install the System Center 2012 Configuration Manager client.
For more information about the prerequisites for Configuration Manager, see Prerequisites for Windows Client
Deployment in Configuration Manager.
For a complete version history of BITS that includes all available download locations, see Background Intelligent
Transfer Service: What's New.
Client piloting package fails after a site expansion in
This article provides a solution for the issue that the Microsoft Corporation Configuration Manager Client
Piloting Package fails after performing site expansion.
Original product version: Configuration Manager (current branch - version 1511), Configuration Manager
(current branch - version 1602), Configuration Manager (current branch - version 1606), Configuration
Manager (current branch - version 1610), Configuration Manager (LTSB - version 1606)
Symptoms
You're running Configuration Manager current branch version 1511 through 1610 or Configuration Manager
LTSB version 1606.
The old primary site was being used for client piloting.
You perform a site expansion.
In this scenario, the Microsoft Corporation Configuration Manager Client Piloting Package fails. You may receive
a status message stating that Distribution Manager failed to access the source directory for Configuration
Manager Client Piloting Package content. Additionally, the Distmgr.log file contains errors indicating that
Distribution Manager cannot locate the source for PilotUpgrade and cannot process the snapshot of the
package.
Cause
This issue occurs if the PilotingUpgrade and StagingClient folders are missing from the new central
administration site.
Resolution
To work around this issue, manually create the StagingClient folder on the new central administration site, and
then create an empty file named CliUpg.acu in the Hman.box folder on the CAS. This will trigger an update of
the client packages by Hierarchy Manager.
Configuration Manager clients reinstall every five
hours and may cause an inadvertent client upgrade
This article discusses an issue in System Center 2012 Configuration Manager client and System Center 2012 R2
Configuration Manager client that could cause an inadvertent client upgrade in a Configuration Manager
current branch or long-term servicing branch (LTSB) environment.
Original product version: Microsoft System Center 2012 Configuration Manager, Microsoft System Center
2012 R2 Configuration Manager
Summary
The Configuration Manager client installation (CCMSetup) initially fails and causes a client retry task to be
registered in Windows Task Scheduler. After the client installation succeeds, the retry task is not deleted as
expected. Therefore, the clients continue to reinstall every five hours.
In this situation, if you upgrade the Configuration Manager infrastructure to Configuration Manager current
branch or LTSB, and if you don't upgrade the Configuration Manager clients, the scheduled retry task continues
to force a client reinstallation every five hours.
The next time that CCMSetup runs, the clients find an updated management point or distribution point, and they
reinstall the client software. This upgrades the clients to Configuration Manager.
These continual upgrades occur outside the normal upgrade process that is configured by the administrator.
This includes the client piloting feature.
Symptoms
In a Microsoft System Center 2012 or System Center 2012 R2 environment, you notice the following symptoms:
Clients successfully reinstall themselves every five hours. This activity is logged in ccmsetup.log and
Windows event logs.
When you view the \Microsoft\Microsoft\ConfigurationManager folder in Task Scheduler , you find a task
that is named Configuration Manager Client Retr y Task .
Cause
This issue occurs because CCMSetup creates the client retry task in the wrong folder on the client. This prevents
CCMSetup from locating and removing the task.
The scheduled task is created in the \Microsoft\Microsoft\Configuration Manager folder instead of the
\Microsoft\Configuration Manager folder.
Workaround 1
Manually remove Configuration Manager Client Retr y Task from the \Microsoft\Microsoft\Configuration
Manager folder by using Task Scheduler .
Workaround 2
Deploy a script to remove Configuration Manager Client Retr y Task from the
\Microsoft\Microsoft\Configuration Manager folder.
Example Windows PowerShell commands to add to your script:
get-scheduledtask -taskname "Configuration Manager Client Retry Task"

unregister-scheduledtask -taskname "Configuration Manager Client Retry Task" -confirm:$false
More information
In Configuration Manager current branch version 1602 and later versions, and in LTSB version 1606, Ccmsetup
correctly removes the scheduled task after the clients are upgraded.
Installation of the Configuration Manager client
agent fails with error code 80041002
This article provides a solution for the 80041002 error when you try to install the Configuration Manager client
agent.
Symptoms
When you try to install the client agent on a System Center 2012 Configuration Manager management point
that has Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack 1 installed, the
installation fails. Additionally, you see the following error in the Client.msi log when verbose logging is enabled:
[DateTime ] Registering Hosting Configuration.

MSI (s) (6C!A8) [DateTime]: Closing MSIHANDLE (22022) of type 790531 for thread 936
[DateTime] @@ERR:25150
MSI (s) (6C!A8) [DateTime]: Product: Configuration Manager Client -- Error 25150. Setup was unable to
register the CCM_Service_HostingConfiguration endpoint
The error code is 80041002
MSI (s) (6C!A8) [DateTime]: Closing MSIHANDLE (22020) of type 790531 for thread 936
Error 25150. Setup was unable to register the CCM_Service_HostingConfiguration endpoint
MSI (s) (6C:7C) [DateTime]: Closing MSIHANDLE (22018) of type 790536 for thread 1252
CustomAction CcmRegisterHostingConfiguration returned actual error code 1603
Resolution
To resolve this issue, follow these steps:
1. Uninstall the management point role.
2. Reinstall the client agent on the management point computer. To do this, perform the following steps:
a. On the site server, open an elevated command prompt.
b. Change the directory to the <Configuration Manager 2012 install location>\client directory. For
example, change the directory to D:\Program Files\Microsoft Configuration Manager\Client.
c. Run the Ccmsetup.exe /source: "D:\Program Files\Microsoft Configuration Manager\Client"
command (based on the example in the previous step).
3. Reinstall the management point role.
Mac client enrollment fails if passwords contain
special characters
This article provides a workaround to solve the issue that Mac client enrollment fails in Microsoft System Center
2012 Configuration Manager if the password has special characters.
Symptoms
The Configuration Manager CMEnroll tool fails on a Mac client computer with the following error:
Error received:Server Connection failed. HTTP Response code is 400 and reason is Bad request.
Cause
This issue can occur if the user has the special characters & and < in their domain password. CMEnroll.exe
doesn't encode the & and < special characters correctly for Mac-based clients.
Resolution
To work around this issue, have the user change the password so that it doesn't contain these special characters.
More information
For more information on Mac clients and Configuration Manager, see How to Install Clients on Mac Computers
in Configuration Manager.
Mac client registration fails in System Center 2012
Configuration Manager SP1
This article helps you fix an issue in which you can't register a Mac client in System Center 2012 Configuration
Manager Service Pack 1 (SP1).
Original product version: System Center 2012 Configuration Manager SP1
Symptoms
When you try to register a Mac client in System Center 2012 Configuration Manager SP1, the registration
process fails. When you check the MP_RegistrationManager log in this situation, you see the following error:
The certificate chain processed correctly but terminated in a root certificate not trusted per ConfigMgr CTL.
Cause
This behavior occurs if Internet Information Services (IIS) client authentication validation has passed, but the
root of the client certificate that's used by the Mac client to register is not in the management point's trusted
root certification authority (CA) list.
Resolution
To resolve this issue, update the Trusted Root Cer tification Authorities list on the Client Computer
Communication tab in the Site Proper ties dialog box to include the issuer of the public key infrastructure
(PKI) certificate. System Center 2012 Configuration Manager SP1 uses this list of trusted certificate authorities
as the basis for its trusted issuer list. For example, if Mac clients have PKI certificates that are issued by the
corporate root CA1, add or import CA1 to the list as one of the trusted issuers.
This issue is also documented at Planning for Security in Configuration Manager.
Third-par ty information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of
Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these
products.
Warnings for PolicyAgentInstanceProvider are
logged when installing the Configuration Manager
client
This article describes a by design behavior that many warning messages are logged for
PolicyAgentInstanceProvider when you install the Configuration Manager client.
Symptoms
When you install the Configuration Manager client, you may find that many warning messages for
PolicyAgentInstanceProvider are logged in the Application log. Those messages resemble the following:
Log Name: Application

Source: Microsoft-Windows-WMI
Date: datetime
Event ID: 63
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: computer_name
Description:
A provider, PolicyAgentInstanceProvider, has been registered in the Windows Management Instrumentation
namespace root\ccm\Policy\<SID> to use the LocalSystem account. This account is privileged and the
provider may cause a security violation if it does not correctly impersonate user requests.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WMI" Guid="{GUID}"
EventSourceName="WinMgmt"/>
<EventID Qualifiers="32768">63</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="datetime" />
<EventRecordID>1470</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>computer_name</Computer>
<Security UserID="UserID" />
</System>
<EventData>
<Data>PolicyAgentInstanceProvider</Data>
<Data>root\ccm\Policy\<SID></Data>
</EventData>
</Event>
Cause
These warning messages are expected. They occur because Configuration Manager is not included in the
Windows Management Instrumentation (WMI) exclusion list of providers that can run under the local system
account at the time of installation.
More information
These warning messages are expected during the installation of the Configuration Manager client and can be
safely ignored. PolicyAgentInstanceProvider is registered as safe with WMI during installation so the warning
messages should stop being logged as soon as the setup program is finished.
If the warning messages continue to be logged after the installation of the Configuration Manager client is
complete, it may be because the Configuration Manager Client Retr y Task in scheduled tasks was not
removed after the successful installation. If you continue to experience these warning messages after the
Configuration Manager client is successfully installed, deleting or disabling this task in scheduled tasks will stop
the numerous WMI warning messages from being generated.
Update installations to clients stop responding in
This article describes an issue that software update installations stop responding in Configuration Manager
current branch version 1810 and 1806.
(current branch - version 1810)
Symptoms
After you install Configuration Manager current branch version 1810 or 1806 to clients, software update
installations stop responding until the SMS Agent Host is restarted. The symptoms of this issue vary. The most
common symptoms include the following:
Folders are created in %SystemRoot%\ccmcache for the new content. However, none (or only some) of
the updates are downloaded to these folders.
DataTransferSer vice jobs are created and completed. However, ContentTransferManager logs don't
indicate that they were notified that the downloads were completed.
Software center may show that updates are being installed and that some have a pending restart. Also,
the Programs and Features > View Installed Updates item in Control Panel shows that the updates
installed completely. However, the updates never actually finish.
For Operating System Deployment (OSD) scenarios, the task sequence stops responding on the Install
Software Updates step.
This issue occurs most frequently on Windows 10, version 1709. However, other versions of Windows are also
affected.
Resolution
To resolve this issue for Configuration Manager, see Update installations stop responding or never show
completion in Configuration Manager, version 1810.
Workaround
To work around this issue for Configuration Manager current branch version 1806, restart the SMS Agent Host
service (Ccmexec.exe).
Support for Mac and Linux/UNIX clients in System
Center 2012 Configuration Manager and System
Center 2012 Endpoint Protection
Customer support for Microsoft System Center 2012 Configuration Manager Service Pack 1 (SP1) and System
Center 2012 Endpoint Protection SP1 clients differs among the various Macintosh and Linux/UNIX operating
systems. This article describes this support to help customers be aware of the differences and also of the effort
to standardize the support for both clients.
Original product version: Microsoft System Center 2012 Configuration Manager, System Center 2012 Endpoint
Protection
For the most recent information, refer to Supported Configurations for Configuration Manager.
The following information describes the supported versions of System Center 2012 Configuration Manager SP1
and System Center 2012 Endpoint Protection SP1 running on various Macintosh and Linux/UNIX operating
systems.
System Center 2012 Configuration Manager SP1

For Mac-based clients
NOTE
The client for the Macintosh operating systems is supported only on Mac computers that use an Intel 64-bit chipset.
The following operating systems are supported for the Configuration Manager client for Mac computers:
macOS X 10.7 (Lion)
macOS X 10.6 (Snow Leopard)
For Linux/UNIX -based clients
The following operating systems are supported for the Configuration Manager client for Linux/UNIX-based
computers:
Red Hat Enterprise Linux (RHEL)
Version 6 (x86 and x64)
Solaris
Version 10 (x86 and SPARC)
Version 9 (SPARC)
SUSE Linux Enterprise Server (SLES)
Version 10 SP1 (x64 and x86)
Version 9 (x86)
For more information, see Supported Configurations for Configuration Manager.
System Center 2012 Endpoint Protection SP1

For Mac-based clients
NOTE
The client for the Macintosh operating systems is supported only on Mac computers that use an Intel 64-bit chipset.
The following operating systems are supported for System Center 2012 Endpoint Protection SP1 clients for Mac
computers:
macOS X 10.8 (Mountain Lion)
macOS X 10.7 (Lion)
macOS X 10.6 (Snow Leopard)
For Linux/UNIX -based clients
The following operating systems are supported for System Center 2012 Endpoint Protection SP1 clients for
Linux/UNIX-based computer:
RedHat Enterprise Linux (RHEL): versions 6, 5, and 4 (x64 and x86)
SUSE Linux Enterprise Server (SLES): versions 11, 10, and 9 (x64 and x86)
CentOS: versions 6 and 5
Debian: versions 6 and 5
Ubuntu: versions 12.04 and 10.04
Oracle Linux: versions 6 and 5
There was a problem starting
PolicyAgentProvider.dll error when installing a
Configuration Manager client
This article helps you fix an issue where you receive the There was a problem star ting
PolicyAgentProvider.dll error when installing a Configuration Manager client.
Symptoms
When installing the Configuration Manager (ConfigMgr) client, the process fails with the following error:
There was a problem starting PolicyAgentProvider.dll The specified module could not be found
You may also see the following in ccmsetup.log after selecting OK on the error above:
MSI: Action 11:53:11: CcmRegisterWmiMofFile. Registering WMI settings

MSI: Setup failed due to unexpected circumstances
MSI: Action 13:01:48: Rollback. Rolling back action:
Installation failed with error code 1603
Cause
This can occur if the value of CWDIllegalInDllSearch in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager registry subkey is set to 0xFFFFFFFF .
Resolution
There are two resolutions to this issue:
Remove the CWDIllegalInDllSearch entry or change it to a different value.
Add the full path to the CCM folder (C:\Windows\CCM) to the environment variable PATH .
More information
CcmSetup is running the rundll32.exe PolicyAgentProvider.dll,setup_checknamespaces command when this
failure occurs.
If CWDIllegalInDllSearch is configured to 0xFFFFFFFF , rundll32.exe is unable to find the PolicyAgentProvider.dll
when running in the current working directory.
Configuration Manager client left in provisioning
mode after upgrade to Windows 10
This article solves the issue that the Configuration Manager client is left in provisioning mode after performing
an in-place upgrade to Windows 10.
Symptoms
When you use the Upgrade an operating system from upgrade package operating system task sequence
to perform an in-place upgrade to Windows 10, the Configuration Manager client may be left in provisioning
mode after the upgrade succeeds and the client restarts.
Cause
This issue can occur when you specify an OEM product key for the operating system upgrade.
Resolution
To fix this issue, only specify volume license or retail product keys for the operating system upgrade.
More information
The task sequence depends on the execution of SetupComplete.cmd by Windows to take the Configuration
Manager client out of provisioning mode. SetupComplete.cmd is disabled when you use OEM product keys. You
can check the C:\Windows\Panther\UnattendGC\Setupact.log file to determine whether SetupComplete.cmd was
executed or skipped.
To clear clients that are already stuck in provisioning mode, run the SetClientProvisioningMode method from an
elevated command prompt:
Powershell.exe Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name SetClientProvisioningMode -

ArgumentList $false
Configuration Manager clients become inactive and
don't send inventory
This article provides a solution for the issue that the Configuration Manager clients become inactive and don't
send inventory information.
Symptoms
Configuration Manager clients that report to a particular server or subset of servers may repeatedly become
inactive. You may also notice that the clients do not send inventory information for 30 days or more and that the
data in the Inventoryagent.log file is static. Additionally, the ClientIDManagerStartup.log displays repeated
occurrences of this error:
[RegTask] - Client is not registered. Sending registration request for GUID:4874BD6C-CB98-4EEB-9F4F-

721CC65B25C3 ...
[RegTask] - Client is registered. Server assigned ClientID is GUID:4874BD6C-CB98-4EEB-9F4F-
721CC65B25C3. Approval status 1
SetRegistrationState failed (0x80071770)
[RegTask] - Sleeping for 15360 seconds ...
NOTE
Error code 0x80071770 indicates that the specified file could not be encrypted.
Cause
This is a known issue in cng.sys and is related to the update that is mentioned in Microsoft security advisory:
Update to improve Windows command-line auditing: February 10, 2015.
Resolution
To solve this issue, apply either update 3023562 or update 3046049 to update your version of cng.sys. After you
apply either of these updates and restart the computer, the affected client will successfully send up a heartbeat
and update inventory data. This action will also enable the client to remain active.
Configuration Manager clients don't receive policy
data after you recover a primary site from a CAS
This article helps you fix an issue in which the Configuration Manager clients don't receive policy data after you
recover a primary site from a central administration site (CAS).
Symptoms
You're running Configuration Manager (current branch, version 1810, or a later version) in your hierarchy.
The instance of Microsoft SQL Server that's hosting the database for the primary site is lost.
You recover a primary site from a CAS on a newly installed SQL Server instance (for the primary site).
In this scenario, Configuration Manager clients don't receive policy data, and the Configurations tab in client
properties is blank (that is, baselines aren't visible). Additionally, applications and software update deployments
that were created before the recovery may not work.
Cause
This problem occurs because the Last Row Version registry entry for the Object Replication Manager and
Policy Provider has a higher value than that of the rowversion entry in the site database.
Resolution
To fix this issue, follow these steps:
1. Stop the SMS_Executive and SiteComp services on the primary site server.
2. Run the following query on the recovered primary database to obtain the current value for rowversion :
select min(rowversion) from CI_CIAssignments
3. Update the Last Row Version value at the following location to match the value that's returned from the
SQL query:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_OBJECT_REPLICATION_MANAGER\CI Assignment\Last
Row Version
4. Start the SiteComp service on the primary site server. This will start the SMS_executive service.
WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID
using a CMG as a cloud DP with a third-party certificate
This article describes an issue in which content can't be downloaded from a cloud management gateway (CMG)
that functions as a cloud distribution point (DP), and you receive an
WINHTTP_CALLBACK_STATUS_FL AG_CERT_CN_INVALID error message.
Symptoms
You create a CMG, and you enable the Allow CMG to function as a cloud distribution point and ser ve
content from Azure storage setting.
You use a CMG server authentication certificate from a third-party provider. The CMG service FQDN is
configured as <CMGname>.<your domain>.
In this scenario, you experience the following issues:
Existing clients can't download content from the CMG. Errors entries that resemble the following are
logged in DataTransferservice.log:
12-28-2018 16:06:39.334 DataTransferService 3544 (0xdd8) Target URL scheme is HTTPS:

https://<CMGname>.cloudapp.net:443/downloadrestservice.svc/getcontentxmlsecure?
pid=XXX00052&cid=XXX00052&tid=GUID:<GUID>&iss=
<MPserver>.Internal.fqdn&alg=1.2.840.113549.1.1.11&st=2018-12-28T22:06:39&et=2018-12-
29T06:06:39
[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
12-28-2018 16:06:39.391 DataTransferService 3544 (0xdd8)
[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set
Client files can't be downloaded from CMG to set up new clients. Errors entries that resemble the
following are logged in Ccmsetup.log:
Found a valid online MP 'https://<CMGname>.<your

domain>.com/CCM_PROXY_MUTUALAUTH/72057594037938216'. 19/02/2019 13:49:33 ccmsetup
8548 (0x2164)
Found remote location
'https://<CMGname>.cloudapp.net/downloadrestservice.svc/getcontentxmlsecure?
pid=XXX002B9&cid=XXX002B9' 19/02/2019 13:49:35 ccmsetup 8548 (0x2164)
The location 'https://<CMGname>.cloudapp.net/downloadrestservice.svc/getcontentxmlsecure?
pid=XXX002B9&cid=XXX002B9' is on Azure 19/02/2019 13:49:35 ccmsetup 8548 (0x2164)
No local DP locations found but is upgrading client on the co-lcated pull DP or Client is on Internet,
continue with remote locations. 19/02/2019 13:49:35 ccmsetup 8548 (0x2164)
[CCMHTTP] ERROR:
URL=https://<CMGname>.cloudapp.net/downloadrestservice.svc/getcontentxmlsecure?
pid=XXX002B9&cid=XXX002B9, Port=0, Options=224, Code=0, Text=CCM_E_NO_CLIENT_PKI_CERT
19/02/2019 13:49:35 ccmsetup 8548 (0x2164)
GetDirectoryList failed with a non-recoverable failure, 0x87d00454 19/02/2019 13:49:35 ccmsetup
8548 (0x2164)
Failed to get directory list from
'https://<CMGname>.cloudapp.net/downloadrestservice.svc/getcontentxmlsecure?
pid=XXX002B9&cid=XXX002B9'. Error 0x87d00454 19/02/2019 13:49:35 ccmsetup 8548 (0x2164)
Failed to correctly receive a WEBDAV HTTPS request.. (StatusCode at WinHttpQueryHeaders: 0) and
StatusText: '' 19/02/2019 13:49:35 ccmsetup 8548 (0x2164)
Failed to check url https://<CMGname>.cloudapp.net/downloadrestservice.svc/getcontentxmlsecure?
pid=XXX002B9&cid=XXX002B9. Error 0x80004005 19/02/2019 13:49:35 ccmsetup 8548 (0x2164)
[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
19/02/2019 13:49:36 ccmsetup 8548 (0x2164)
[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set
NOTE
WINHTTP_CALLBACK_STATUS_FL AG_CERT_CN_INVALID means that the host name in the certificate common
name is incorrect.
Cause
This issue occurs because the clients try to access the CMG cloud service by looking for the default FQDN of
<CMGname>.CloudApp.net, and this name doesn't match the actual FQDN of <CMGname>.<your domain>.
Therefore, the WINHTTP_CALLBACK_STATUS_FL AG_CERT_CN_INVALID error is reported.
NOTE
When you enable CMG as a cloud distribution point, the globally unique CMG service name that you choose must also
be a globally unique Azure storage account name. An Azure storage account name is always created under the
CloudApp.net subdomain. Because the CloudApp.net domain is owned by Microsoft, a third-party certificate provider
can't create a certificate for CloudApp.net.
Resolution
Error 403 when the Configuration Manager clients
try to communicate with CMG
This article provides the resolution to solve the 403 error that occurs when the Configuration Manager clients
try to communicate with cloud management gateway (CMG).
Symptoms
Configuration Manager clients can't communicate together with the CMG. An error message that resembles one
of the following is logged in the LocationServices.log file:
[CCMHTTP] ERROR:
URL=https://cmgsccm.contoso.com/CCM_PROXY_MUTUALAUTH/3456/SMS_MP/.sms_aut?SITESIGNCERT,
Port=443, Options=31, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
[CCMHTTP] ERROR INFO: StatusCode= 403 StatusText= CMGConnector_Clientcer tificaterequired
or
[CCMHTTP] ERROR:
URL=https://cmgsccm.contoso.com/CCM_PROXY_MUTUALAUTH/3456/SMS_MP/.sms_aut?SITESIGNCERT,
Port=443, Options=31, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
[CCMHTTP] ERROR INFO: StatusCode= 403 StatusText= CMGConnector_Forbidden
Error messages that resemble the following are logged in the SMS_Cloud_ProxyConnector.log file:
Forwarding proxy message <message ID> to URL:

https://InternalMP.contoso.com/SMS_MP/.sms_aut?SITESIGNCERT
Web exception for message <message ID>: System.Net.WebException: The remote ser ver returned an
error : (403) Forbidden .~~ at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)~~
at
Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionBase.InternalResponseCallBac
k(IAsyncResult asynchronousResult)
Received response https://InternalMP.contoso.com/SMS_MP/.sms_aut?MPLIST2&CM1 for message <message ID>:
HTTP/1.1 403 CMGConnector_Clientcer tificaterequired
Cause
The CMG connection point requires a client authentication certificate to securely forward client requests to an
HTTPS management point. If the client authentication certificate is missing, configured incorrectly, or invalid,
status code 403 is returned.
Resolution
To fix this issue, generate a client authentication certificate for the CMG connection point.
NOTE
In the certificate, computers must have a unique value in the Subject Name or Subject Alternative Name field.
More information
For better troubleshooting, do the following:
Check the Internet Information Services (IIS) logs on the management point for more information about
the error.
In the following sample log, the 403 7 response means that the client certificate can't be found:
<Date> <Time> <IP_address_of_MP> GET /SMS_MP/.sms_aut SITESIGNCERT 443 -

<IP_address_of_CMG_connectionpoint> SMS+CCM+5.0 - 403 7 0 5573 11
Enable verbose logging for by setting the VerboseLogging registry value under
SMS_CLOUD_PROXYCONNECTOR
HKLM\SOFTWARE\MICROSOFT\SMS\SMS_CLOUD_PROXYCONNECTOR to 1 , and then restart the SMS_EXECUTIVE service.
The following is an example of SMS_Cloud_ProxyConnector.log content. It indicates that there isn't a valid
client authentication certificate to establish communication between the CMG connection point and the
management point.
Filtered cert count with digital signature: 7

Not allowed cert: <certificate>
No private key cert: <certificate>
Filtered cert count with allowed root CA: 3
Filtered cert count with private key: 3
Not client auth cert: <certificate>
Filtered cert count with client auth: 0
Maintaining connections...
Multiple instances of the Unknown computers
collection occur when you reinstall a primary site
This article provides a workaround for the issue that multiple instances of the Unknown computers collection
are shown in Microsoft System Center 2012 Configuration Manager.
Symptoms
Consider this scenario in Microsoft System Center 2012 Configuration Manager:
You install a central administration site.
You install a primary site and then uninstall the primary site.
You reinstall the primary site by using the same server name and site name.
In this scenario, you may notice multiple instances of the Unknown computers collection.
Workaround
To work around this problem, create a collection that includes all Unknown Computer objects. This method
creates a collection that contains both active and inactive objects. Then, advertise a task sequence to this
collection to make sure that it becomes associated with the inactive GUID that is being used by the Pre-Boot
Execution Environment (PXE) image.
To do this, run the following query for the collection, and then retarget advertisements to the new collection:
Select
SMS_R_UNKNOWNSYSTEM.ResourceID,SMS_R_UNKNOWNSYSTEM.ResourceType,SMS_R_UNKNOWNSYSTEM.Name,SMS_R_UNKNOWNSYSTEM
.Name,SMS_R_UNKNOWNSYSTEM.Name from SMS_R_UnknownSystem where Decommissioned = "0"
Configuration Manager Sms_def.mof file gives an
invalid data error message when you import the file
This article helps you fix a problem in which the Sms_def.mof file doesn't open when you try to import the file to
customize your hardware inventory in Microsoft System Center 2012 Configuration Manager.
Symptoms
When you try to import the Sms_def.mof file to customize your hardware inventory in System Center 2012
Configuration Manager, the file does not open. Additionally, you receive an error message that states that the file
contains invalid data.
Resolution
To resolve this problem, check the integrity of your MOF file. To do this, open a Command Prompt window, enter
the following command in the directory in which you last saved your MOF file:
mofcomp.exe -check <YourMOFName>.mof
More information
For more information about how to test your MOF file, see How to Extend the Sms_def.mof File by Using the
Windows Management Instrumentation Registry Providers.
Hardware inventory fails and the SMSexec.exe
process shows high sustained CPU utilization
This article helps you fix an issue where the hardware inventory process in Configuration Manager fails and the
SMSexec.exe process shows high sustained CPU utilization.
Symptom
When using Configuration Manager, processing of hardware inventory (.MIF files) fails and the SMSexec.exe
process shows high sustained CPU utilization. Also, MIF files backlog in the inboxes\auth\dataldr.box\process
folder:
The NextGroupKey value in the ArchitectureMap table will be unusually high (> 20,000).
The following query can be used to examine the value of the NextGroupKey :
select NextGroupKey from ArchitectureMap where ArchitectureKey = 5
If SQLTracing is enabled on the site server, you will see the following messages repeated:
SQL>>> select NextGroupKey from ArchitectureMap where ArchitectureKey = 5

SQL>>>>> Done.
SQL>>> update ArchitectureMap set NextGroupKey = NextGroupKey + 1 where ArchitectureKey = 5 and
NextGroupKey = 15080
SQL>>>>> Done.
You can enable SQLTracing by setting the following value to 1 .

On 64-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Tracing\SQLEnabled
On 32-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\SQLEnabled
Cause
This issue can occur if the global No count option is enabled on the SQL Server hosting the Configuration
Manager database. If this is enabled, Configuration Manager cannot get the correct rowcount value from SQL
Server, and thus it cannot complete the cycle to extend the schema.
Resolution
Disable the No count option and processing will continue normally. The No count option can be found in the
SQL Server Management Studio: Proper ties of the SQL Server > Connections > No count . It should be
unchecked.
More information
The No count option isn't enabled by default. Microsoft has not tested Configuration Manager with the SQL
Server No count global option enabled and using this option isn't supported. Regardless, you should
determine whether other applications that are using the same SQL Server require the No count setting to be
enabled before disabling it.
Remote control fails with error C000012 in System
Center 2012 Configuration Manager
This article helps you resolve an issue in which remote control fails with error C0000120 in System Center 2012
Original product version: System Center 2012 Configuration Manager
Symptoms
When attempting to use System Center 2012 Configuration Manager to remote control a system, the
connection fails. The remote control log and CmRcService.log indicate the following failure:
WT_CompleteIO failed. Network shutdown : Unknown error (Error: C0000120; Source: Unknown)
Cause
Certain User Configurations for Remote Desktop Gateway block the remote control session from successfully
connecting. The User Configuration settings are:
Enable connection through RD Gateway: Enabled
Allow users to change this setting: Enabled
Set RD Gateway authentication method: Enabled
Set RD Gateway authentication method: Use locally logged-on credentials
Set RD Gateway server address: Enabled
Set RD Gateway server address: Enter a generic fully qualified domain name (FQDN)
Resolution
To resolve this issue, either do not configure User Configuration settings for Remote Desktop Gateway
(leaving them as Not Configured as opposed to Enabled ) or specify the RDS Gateway settings as part of the
Remote Desktop Connection client user interface in the .rdp file.
The CcmExec.exe service is not automatically
restarted after the WMI service is paused and
restarted
This article provides a workaround to solve the issue that the SMS Agent Host service (CcmExec.exe) isn't
automatically restarted after the Windows Management Instrumentation (WMI) service is paused and restarted.
Symptoms
When the WMI service is paused in Configuration Manager, the SMS Agent Host service (CcmExec.exe) becomes
nonfunctional. After the WMI service is restarted, the CcmExec.exe service is not automatically restarted and
remains nonfunctional.
Cause
This problem occurs because WMI cancels all requests when it is paused and does not restart those requests
when the service is resumed or restarted.
Workaround
To work around this problem immediately, manually restart the SMS Agent Host service. The periodic client
health check will also detect that the SMS Agent Host service isn't functioning and restart the service when it
executes.
Software Metering Agent fails with the Software
Metering failed to start PrepDriver error
This article fixes an issue in which Software Metering Agent fails and the Software Metering failed to star t
PrepDriver error is logged in mtrmgr.log.
2012 R2 Configuration Manager, Configuration Manager (current branch)
Symptoms
After you install the convenience rollup update for Windows 7 SP1 and Windows Server 2008 R2 SP1
(3125574) and the Configuration Manager client, the Software Metering Agent fails, and the following error
message is logged in the mtrmgr.log file:
Software Metering failed to start PrepDriver
Cause
This error can occur if you install rollup 3125574 before you install the Configuration Manager client software.
In that scenario, PrepDrv is not installed during the Configuration Manager client setup process.
Resolution 1
1. Uninstall rollup 3125574 and the Configuration Manager client. You can uninstall the Configuration
Manager client software from a computer by using CCMSetup.exe with the /Uninstall property. For
more information, see Uninstall the client.
2. Reinstall the Configuration Manager client software.
3. Reinstall rollup 3125574.
To verify that the installation completed successfully, check mtrmgr.log and make sure no errors are
found.
Resolution 2
Manually install PrepDrv by running the following command from a command prompt:
RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\WINDOWS\CCM\prepdrv.inf

Turn on the DebugLogging key on Configuration
Manager clients and management points
This article describes how to turn on the DebugLogging key on Configuration Manager clients and management
points.
Summary
When you troubleshoot issues on Configuration Manager clients or management points, you can turn on the
DebugLogging key on the computer where the issue occurs. As a result, the actions of Ccmexec are logged. A log
of these actions can help to troubleshoot the issue. DebugLogging works the same on the Configuration
Manager clients and management points because they use the same Ccmexec framework and process name.
IMPORTANT
This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and
make sure that you understand how to restore the registry if a problem occurs. For information about how to back up,
restore, and edit the registry, see Description of the Microsoft Windows Registry.
Turn on the DebugLogging key

WARNING
If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating
system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use
Registry Editor at your own risk.
To turn on the DebugLogging key on the client or management point, follow these steps:
1. Stop the SMS Agent Host service.
2. Open Registry Editor, create the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Logging\DebugLogging
3. Add a new value under this key:

Value name: Enabled
Value: True
DataType: REG_SZ
4. Restart the SMS Agent Host service.
NOTE
Turn on the DebugLogging key only for debugging purposes. Turn it off again when the issue is resolved by changing the
value of Enabled to False .
Upgrade Readiness data is downloaded
continuously in Configuration Manager
This article helps you resolve an issue in which the Upgrade Readiness data is downloaded continuously in
Configuration Manager, and the download interval becomes 0 minutes.
(current branch - version 1806), Configuration Manager (current branch - version 1802)
Symptoms
You integrate Upgrade Readiness with Configuration Manager to access client upgrade compatibility data in
Configuration Manager. In this scenario, you may notice that Upgrade Readiness data is downloaded
continuously. This causes many ConfigMgr.OMSUpgradeAnalytics_{date code}.OMS files to be added to the
following folder:
C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\CFD
Also, the following entry is logged in DMPDownloader.log:
OMSUpgradeAnalyticsDownload finished~~
OMSUA: Updating LastSyncedTime registry value
OMS Upgrade Analytics Download interval is: ever y 0 minutes
Cause
The initial download interval of Upgrade Readiness data is set by the following registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Components\SMS_DMP_DOWNLOADER\OMSUpgradeAnalyticsDownloadInterval
By default, this registry value is set to 10080 minutes (7 days). However, the download interval automatically
decreases when the SMS_DMP_DOWNLOADER thread runs. When the interval reaches zero (0), Upgrade
Readiness data is downloaded continuously.
Resolution
Workaround
To work around this issue without updating, make sure that the following registry value is set to 10080 :
HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Components\SMS_DMP_DOWNLOADER\OMSUpgradeAnalyticsDownloadInterval
Then, restart the SMS_Executive service or the SMS_DMP_DOWNLOADER thread.
NOTE
The download interval will continue to automatically decrease when the SMS_DMP_DOWNLOADER thread runs.
Configuration Manager console appears to hang
when you add a driver to a boot image
This article helps you resolve an issue where the Configuration Manager console appears to stop responding
while it's loading a list of drivers from the driver catalog.
Symptoms
When you add a driver on the Drivers tab of the properties of a boot image, the Configuration Manager
console may appear to hang or stop responding while it's loading the list of drivers from the driver catalog. For
example, in an environment that has 500 drivers, the console may appear to stop responding for up to 8
minutes. However, the exact number of drivers and length of delay will vary, depending on system performance.
During this time, a review of the Smsprov.log file on the site server shows that Configuration Manager is in fact
enumerating through the available drivers:
CExtUserContext::EnterThread : User=<DOMAIN\user> Sid=0x010500000:-

000000515XXXXCEBFCF270C2XXXXC3CAFFF0 Caching IWbemContextPtr=0000008DEF086000 in Process
0x1534 (5428)
Context: SMSAppName=Configuration Manager Administrator console
Context: MachineName=<siteserver.fqdn>
Context: UserName==<DOMAIN\user>
Context: ObjectLockContext=796d1f9e-3512-4fd4-ae23-11cbe5883fda
Context: ApplicationName=Microsoft.ConfigurationManagement.exe
Context: ApplicationVersion=5.0.8239.1000
Context: LocaleID=MS\0x409
Context: __ProviderArchitecture=32
Context: __RequiredArchitecture=0 (Bool)
Context: __ClientPreferredLanguages=en-US,en
Context: __CorrelationId={3ACC714D-97FE-0005-897C-CC3AFE97D001}
Context: __GroupOperationId=181360
CExtUserContext : Set ThreadLocaleID OK to: 1033
CSspClassManager::PreCallAction, dbname=CM_392
ExecQueryAsync: START select FromCIID from SMS_CIRelation where ToCIID =16777966 AND
RelationType=5
Adding Handle -346430696 to async call map
CExtProviderClassObject::DoCreateInstanceEnumAsync (SMS_CIRelation)
CSspQueryForObject :: Execute...
Execute WQL =select FromCIID from SMS_CIRelation where ToCIID =16777966 AND RelationType=5
Execute SQL =select all SMS_CIRelation.FromCIID from vSMS_CIRelation AS SMS_CIRelation where
(SMS_CIRelation.ToCIID = 16777966 AND SMS_CIRelation.RelationType = 5)
Results returned : 0 of 1
Removing Handle -346430696 from async call map
ExecQueryAsync: COMPLETE select FromCIID from SMS_CIRelation where ToCIID =16777966 AND
RelationType=5
CExtUserContext::LeaveThread : Releasing IWbemContextPtr=-284663808
Cause
This issue occurs because of the time that is required to enumerate the available drivers.
Resolution
Depending on the number of drivers and on individual system performance, the operation may eventually
complete successfully. However, to avoid the issue, consider creating additional folders to store your drivers. By
doing this, you can reduce the number of drivers that are being enumerated in a single folder view.
The following workarounds are also available:
In the Operating Systems\Drivers node, select the driver to be added, right-click the driver, select Edit ,
select Boot Images , and then specify the boot image to which the selected driver is to be added.
During import or reimport of the driver into the driver catalog, add the driver to the necessary boot image at
that time.
Add the driver to the boot image by using the Set-CMDriverBootImage Windows PowerShell cmdlet.
Use DISM to manually add the driver to the boot image.
Internal Error 2711.LP3076 occurs during installation
of the Configuration Manager console
This article provides a solution to solve the Internal Error 2711.LP3076 error that occurs when you install the
Configuration Manager console.
Symptoms
After an upgrade to Configuration Manager current branch version 1610 or a later version, installation of the
Configuration Manager console fails with this error message:
Internal Error 2711.LP3076
Cause
This problem may occur if the console is installed from either of the following locations:
\\<Sitemachine>\sms_SiteCode\cd.latest\splash.hta
\\<Sitemachine>\sms_SiteCode\cd.latest\SMSSETUP\BIN\I386.consolesetup.exe
Resolution
To work around this problem, install the Configuration Manager console from one of the following locations
instead:
<SCCMInstallation>\tools\ConsoleSetup\ConsoleSetup.exe
<SCCMInstallation>\bin\i386\ConsoleSetup.exe
For more information, see Install the Configuration Manager console.
Unhandled exception when launching the System
Center 2012 Configuration Manager SP1 Console
This article provides a solution for the Microsoft.ConfigurationManagement has stopped working error
that occurs when you try to launch the System Center 2012 Configuration Manager console.
Symptoms
When you attempt to launch the System Center 2012 Configuration Manager Service Pack 1 (SP1) console on a
machine that has the System Center 2012 Integration Pack for System Center 2012 Configuration Manager
installed, you may see the following error:
Microsoft.ConfigurationManagement has stopped working

Problem signature:
Problem Event Name: CLR20r3
Problem Signature 01: LRE420M52QQYT0KWXNWESOVVMQF5I2RH
Problem Signature 02: 5.0.7804.1000
Problem Signature 03: 50adcdf1
Problem Signature 04: System
Problem Signature 05: 4.0.30319.17929
Problem Signature 06: 4ffa5c88
Problem Signature 07: 5b0
Problem Signature 08: 19
Problem Signature 09: N3CTRYE2KN3C34SGL4ZQYRBFTE4M13NB
OS Version: 6.2.9200.2.0.0.400.8
Locale ID: 1033
Additional Information 1: 5861
Additional Information 2: 5861822e1919d7c014bbb064c64908b2
Additional Information 3: dac6
Additional Information 4: dac6c2650fa14dd558bd9f448e23afd1
Read our privacy statement online: http://go.microsoft.com/fwlink/?linkid=190175
If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt
Cause
This issue is caused by the System Center 2012 Orchestrator Integration Pack for System Center 2012
Configuration Manager (7.0) registering two assemblies in the Global Assembly Cache (GAC).
AdminUI.WqlQueryEngine.dll (5.0.0.0)
Microsoft.ConfigurationManagement.ManagementProvider.dll (5.0.0.0)
Resolution
To solve this issue, follow the steps below:
1. Uninstall the System Center 2012 Integration Pack for System Center 2012 Configuration Manager from
Add/Remove Programs .
2. From Add/Remove Programs , right-click the System Center 2012 Configuration Manager Console and
select Repair .
3. You should now be able to successfully launch the Configuration Manager console.
4. If desired, install the System Center 2012 SP1 Integration Pack for System Center 2012 Configuration
Manager (7.1). This integration pack will not register any assemblies in the GAC.
The Windows 10 servicing dashboard shows no data
Applies to: Configuration Manager current branch version 2103
Symptoms
After you upgrade to Microsoft Endpoint Configuration Manager version 2103, the Windows 10 servicing
dashboard doesn't show any data.
Cause
The issue might occur in either of the following situations:
The service connection point is running in Offline mode.
The service connection point is running in Online mode, but it can't obtain the Admin UI content payload.
Resolution
If the service connection point is running in Offline mode, use the service connection tool to download and
import updates that include the Admin UI content payload.
If the service connection point is running in Online mode, review DmpDownloader.log for failures that occur
when accessing the payload URL. To work around the issue, follow these steps:
1. Download the ConfigMgr.AdminUIContent.cab file from https://go.microsoft.com/fwlink/?
LinkID=619849.
2. Copy the ConfigMgr.AdminUIContent.cab file to the top-level site server.
3. Rename the ConfigMgr.AdminUIContent.cab file to ConfigMgr.AdminUIContent.auc.
4. Copy the ConfigMgr.AdminUIContent.auc file to the following directory:
<Configuration Manager installation path>\inboxes\hman.box\CFD
For example, copy the file to C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\CFD .

5. In Hman.log, you should see entries that resemble the following example:
6. Try again to open the Windows 10 servicing dashboard.

Configure peer cache for Configuration Manager
clients
Applies to: Microsoft Endpoint Configuration Manager (current branch)

Peer cache is a built-in solution for Microsoft Endpoint Configuration Manager that enables clients to share
content with other clients directly from their local cache. It extends traditional content deployment solutions,
such as distribution points. Use peer cache to help manage deployment of content to clients in remote locations.
For more information, see Peer cache for Configuration Manager clients.
Configure peer cache client settings

To enable clients to be peer cache sources, follow these steps:
1. In the Configuration Manager console, create a device collection. Determine which clients you want to
enable as peer cache sources, and add them to the collection.
2. Go to the Administration workspace, and then select the Client Settings node.
3. Select Create Custom Client Device Settings , specify a name and description, and then select the
Client Cache Settings group.
4. In the navigation pane, select Client Cache Settings , set Enable as peer cache source to Yes , and
then specify the ports.
5. Select OK to save the settings.
6. Deploy this custom client setting to the device collection that you created in step 1.
You don't have to enable peer cache clients. When you enable clients to be peer cache sources, the management
point includes them in the list of content location sources.
Changes on clients that act as peer cache sources
When the client cache setting is deployed to the device collection, you'll see the following changes on the peer
cache sources:
In the WMI class instance CCM_SuperPeerClientConfig.SiteSettingsKey=1 under
ROOT\ccm\Policy\Machine\ActualConfig :
The value of the CanBeSuperPeer property is changed to True .
The following entries are logged in CcmExec.log:
Notifying endpoint 'SuperPeerController' of 1 settings change(s).

Notifying endpoint 'SuperPeerController' of __InstanceModificationEvent settings change on object
CCM_SuperPeerClientConfig.SiteSettingsKey=1 for user 'SID'.
The following entries are logged in CAS.log:
SuperPeerController main thread has started.

SuperPeerController has started
A state message of topic type 7201 is generated. The following entries are logged in StateMessage.log:
Adding message with TopicType 7201 and TopicId Super Peer is now active to WMI
State message(State ID : 2) with TopicType 7201 and TopicId Super Peer is now active has been
recorded for SYSTEM
Change on the management point
The state message is formatted as XML, and then sent to the management point (MP_RelayEndpoint) through
CCMMessaging.
You'll see the following entry in the MP_Relay.log file:
Message Body :
<?xml version="1.0" encoding="UTF-16"?>
<Report><ReportHeader><Identification><Machine><ClientInstalled>1</ClientInstalled>
<ClientType>1</ClientType><ClientID>GUID:xxxx</ClientID><ClientVersion>5.00.9040.1015</ClientVersion>
<NetBIOSName>TestClient</NetBIOSName><CodePage>437</CodePage><SystemDefaultLCID>1033</SystemDefaultLCID>
<Priority>1</Priority></Machine></Identification></ReportDetails></ReportHeader><ReportBody><Topic ID="Super
Peer is now active" Type="7201" IDType="0" User="" UserSID=""/><State ID="2"Criticality="0"/><StateDetails
Type="1"><![CDATA[<ContentList><Content id="CAS00015" version="1" Flag="0"/></ContentList>]]></StateDetails>
<UserParameters Flags="0" Count="1"><Param>8003</Param></UserParameters></StateMessage></ReportBody>
</Report>
When the site server receives the state message, it calls the spUpdateSuperPeerStatus stored procedure to
update the following tables:
SuperPeers
SuperPeerContentMap
Configure boundary group options for peer downloads

1. In the Configuration Manager console, go to the Administration workspace, and then select Hierarchy
Configuration > Boundar y Groups .
2. Locate the boundary group that contains the peer cache clients and peer cache sources.
3. Right-click the boundary group, and then select Proper ties .
4. Select the Options tab, and then enable the Allow peer downloads in this boundar y group setting.
Example scenario
The following example is used to show how peer cache works during content deployment.
Deploy an application to the peer cache source
When an application is deployed and installed on the peer cache source, the Content Access service generates a
state message of topic type 7200. The following entry is logged in StateMessage.log:
State message(State ID : 1) with TopicType 7200 and TopicId Cache add CAS00015.1 has been recorded for
SYSTEM
The state message is sent to the management point through CCMMessaging.

When the site server receives this state message, the SuperPeerContentMap table is updated.
Deploy an application to the peer cache client
The client downloads the policy for the application. For a Required deployment, the client sends request to the
management point for content locations.
The following entries are logged in LocationServices.log:
ContentLocationRequest : <ContentLocationRequest SchemaVersion="1.00" BGRVersion="1"

ClientInOperation="PT0M" ExcludeFileList=""><Package ID="CAS00015" Version="1"
DeploymentFlags="9223372036855313105"/><AssignedSite SiteCode="P01"/><ClientLocationInfo
LocationType="SMSPackage" DistributeOnDemand="0" UseAzure="1" AllowWUMU="0" UseInternetDP="0" AllowHTTP="1"
AllowSMB="1" AllowMulticast="1" AllowSuperPeer="1" DPTokenAuth="1"><ADSite Name="Default-First-Site-Name"/>
<Forest Name="Contoso.Com"/><Domain Name="Contoso.Com"/><IPAddresses><IPAddress SubnetAddress="192.X.X.X"
Address="192.X.X.X"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1"
DnsSuffix="abc.com" Description="Network Adapter"/></Adapters><BoundaryGroups
BoundaryGroupListRetrieveTime="2021-04-03T14:03:16.603" IsOnVPN="0"><BoundaryGroup GroupID="5"
GroupGUID="xxxx" GroupFlag="0"/><DOINCServers><DOINCServer DOINCServer="P01.Contoso.Com"/></DOINCServers>
</BoundaryGroups></ClientLocationInfo></ContentLocationRequest> LocationServices
NOTE
Because the Allow peer downloads in this boundar y group option is enabled in the boundary group,
AllowSuperPeer is set to 1 in the request. Otherwise, AllowSuperPeer is set to 0 in the request.
To use the peer cache source for content download, enable the Allow peer downloads in this boundar y group
option for each boundary group that contains the client.
The management point replies by returning the list of content locations. You can also find the list in
LocationServices.log:
Calling back with the following distribution points

Distribution Point='https://TestClient.Contoso.Com:8003/SCCM_BranchCache$/CAS00015', Locality='SUBNETPEER',
Version='9040', Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="63"/>
</Capabilities>', Signature='', ForestTrust='TRUE', BlockInfo='0'
Distribution Point='http://P01.Contoso.com/SMS_DP_SMSPKG$/CAS00015', Locality='SUBNET', Version='9040',
Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>',
Signature='http://P01.Contoso.Com/SMS_DP_SMSSIG$/CAS00015', ForestTrust='TRUE', BlockInfo='0'
Distribution Point='https://P01.Contoso.Com/CCMTOKENAUTH_SMS_DP_SMSPKG$/CAS00015', Locality='SUBNET',
Version='9040', Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/>
<Property Name="AuthMethod" Value="1024"/></Capabilities>',
Signature='https://P01.Contoso.Com/CCMTOKENAUTH_SMS_DP_SMSSIG$/CAS00015', ForestTrust='TRUE', BlockInfo='0'
ContentTransferManager.log also shows the content locations that include the peer cache source and
distribution points:
ContentTransferManager 4324 (0x10e4) Persisted locations for CTM job {139431E9-B106-49DC-B7A8-

543D55110DE6}:
(SUBNETPEER) https://TestClient.Contoso.Com:8003/SCCM_BranchCache$/CAS00015
(SUBNET) http://P01.Contoso.Com/SMS_DP_SMSPKG$/CAS00015
(SUBNET) https://P01.Contoso.Com/CCMTOKENAUTH_SMS_DP_SMSPKG$/CAS00015
Peer cache clients prioritize peer cache sources to download content. This precedence is shown in the following
entry in DataTransferService.log:
DTSJob {0C3B06F6-E85D-4C54-9B4F-0B316B33AA5B} created to download from

'https://TestClient.Contoso.Com:8003/SCCM_BranchCache$/CAS00015' to 'C:\windows\ccmcache\1'.
NOTE
Clients can download content from only the peer cache sources that are in their current boundary group.
If the client falls back to a neighbor boundary group for content, the management point doesn't add the peer cache
sources from the neighbor boundary group to the list of potential content source locations.
If a client is in more than one boundary group, enable the Allow peer download in this boundar y group option
in each boundary group. If this option is disabled in any boundary group, the client won't use the peer cache
optimization.
Changing a property of a deployment doesn't
appear to be saved in System Center 2012
This article provides a solution for the issue that a deployment property change doesn't appear to be saved in
Microsoft System Center 2012 Configuration Manager.
Symptoms
When modifying the Deployment options of a distribution point in the Selected Deployment Proper ties
dialog box in Microsoft System Center 2012 Configuration Manager, the property change doesn't appear to
have been saved.
Cause
This happens only when you have selected Make available to boot media and PXE in the Deployment
Settings tab of the Selected Deployment Proper ties dialog box.
Resolution
This problem is only an issue with the settings that are visible in the user interface. The change is saved correctly
in the database. You can run a custom report with a SQL query to verify your settings.
The below SQL query is an example that will show all task sequences with the Access content directly from
a distribution point when needed by the running task sequence deployment option selected.
SELECT pkg.PackageID, pkg.Name, pkg.SourceSite,

CASE WHEN (adv.RemoteClientFlags & 0x00000008) = 0 THEN 0 ELSE 1 END AS RunFromDPInFastNetwork,
CASE WHEN (adv.RemoteClientFlags & 0x00000080) = 0 THEN 0 ELSE 1 END AS RunFromDPInSlowNetwork
FROM v_Advertisement AS adv
INNER JOIN v_Package AS pkg ON pkg.PackageID = adv.PackageID AND pkg.PackageType = 4
WHERE (adv.RemoteClientFlags & 0x00000008) <> 0 OR (adv.RemoteClientFlags & 0x00000080) <> 0
IIS application folder SMS_DP_SMSPKG$
anonymous authentication settings periodically reset
to Disabled
This article fixes an issue in which IIS application folder SMS_DP_SMSPKG$ Anonymous Authentication settings
are disabled.
Original product version: System Center Configuration Manager 2007
Symptoms
After enabling Anonymous Authentication in Internet Information Server 7.5 (IIS), randomly the IIS application
folder SMS_DP_SMSPKG<Par tition>$ Anonymous Authentication settings become Disabled.
Cause
This problem can occur if System Center Configuration Manager 2007 is installed and Anonymous
Authentication is disabled in the distribution point (DP) properties.
Resolution
In the Configuration Manager console, check the distribution point configuration:
1. Go to Site Database > Site Management > Site name > Site Settings > Site Systems > Site server.
2. Right-click the distribution point, and then select Proper ties .
3. Verify whether the checkbox Allow Clients to connect Anonymously is selected. If it's unchecked, check
it.
App-V applications cannot be streamed from a
distribution point if Bypass proxy server for local
addresses is set
This article provides a solution for the issue that a Microsoft Application Virtualization (App-V) application
cannot be streamed from a distribution point in Microsoft System Center 2012 Configuration Manager.
Original product version: Microsoft System Center 2012 Configuration Manager, Microsoft Application
Virtualization for Windows Desktops, Microsoft Application Virtualization for Remote Desktop Services
Symptoms
You have a domain that is named contoso.com.
You have a Background Intelligent Transfer Service (BITS)-enabled Microsoft System Center 2012
Configuration Manager distribution point that is named myserver.contoso.com.
The client computer has the Bypass proxy ser ver for local addresses option set.
You create a Microsoft App-V application and then configure the application to use streaming as the
distribution option.
You deploy the application, shortcuts are created, and the application is started.
In this scenario, the application cannot be streamed from the distribution point.
Cause
This problem occurs because Windows doesn't consider computer names that contain a period (.) to be local.
This behavior is by design. Because of this behavior, the client tries to access the distribution point through the
proxy server.
For more information, see Intranet site is identified as an Internet site when you use an FQDN or an IP address.
Resolution
To resolve this problem, add the Fully Qualified Domain Name (FQDN) of the distribution point to the Do not
use proxy ser ver for addresses beginning with list on the client or to the Local Address Table (LAT) on the
proxy server. In the sample scenario in the Symptoms section, you would add myserver.contoso.com.
Distribution of a boot image to a PXE enabled
distribution point fails in Configuration Manager
This article describes a behavior where you can't distribute a boot image to a PXE enabled distribution point if
the NO_SMS_ON_DRIVE.SMS file is on the partition that's used to host the content library.
Summary
Copying a boot image to a PXE enabled distribution point in System Center 2012 Configuration Manager fails if
the NO_SMS_ON_DRIVE.SMS file is placed on the same partition on which the content library is located.
The error message below is generated in the distmgr.log:
STATMSG: ID=2375 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER"

SYS=COMPUTERNAME.COM SITE=SS1 PID=2244 TID=3472 GMTDATE=Mo Aug 06 22:12:55.329 2012
ISTR0="["Display=\\computername.COM\"]MSWNET:["SMS_SITE=SS1"]\\ computername.COM \" ISTR1=""
ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=404
AVAL0="["Display=\\COMPUTERNAME.COM\"]MSWNET:["SMS_SITE=SS1"]\\ computername.COM \"
SMS_DISTRIBUTION_MANAGER 07.08.2012 00:12:55 3472 (0x0D90)
User (NT AUTHORITY\SYSTEM) running application(SMS_DISTRIBUTION_MANAGER) from machine
(COMPUTERNAME.COM) is submitting SDK changes from site(SS1) SMS_DISTRIBUTION_MANAGER
07.08.2012 00:12:55 3472 (0x0D90)
RDC: Successfully created package signature file from \\?\C:\SMSPKGSIG\CAS0000F.2 to
\\COMPUTERNAME.COM\SMSSIG$\CAS0000F.2.tar SMS_DISTRIBUTION_MANAGER 07.08.2012 00:12:55
3472 (0x0D90) Setting permissions on file MSWNET:
["SMS_SITE=SS1"]\\COMPUTERNAME.COM\SMSSIG$\CAS0000F.2.tar. SMS_DISTRIBUTION_MANAGER
07.08.2012 00:12:55 3472 (0x0D90) ExpandPXEImage: CAS0000F, 16778240
SMS_DISTRIBUTION_MANAGER 07.08.2012 00:12:55 3472 (0x0D90)
CContentDefinition::GetFileProperties failed; 0x80070003 SMS_DISTRIBUTION_MANAGER 07.08.2012
00:12:55 3472 (0x0D90)
CContentDefinition::TotalFileSizes failed; 0x80070003 SMS_DISTRIBUTION_MANAGER 07.08.2012 00:12:55
3472 (0x0D90)
ExpandPXEImage failed; 0x80070003 SMS_DISTRIBUTION_MANAGER 07.08.2012 00:12:55 3472 (0x0D90)
Error occurred. Performing error cleanup prior to returning. SMS_DISTRIBUTION_MANAGER 07.08.2012
00:12:55 3472 (0x0D90)
More information
This behavior is expected if the NO_SMS_ON_DRIVE.SMS file is placed on the drive after using it to host the
content library.
To resolve the issue, remove the NO_SMS_ON_DRIVE.SMS file from the partition used to host the content
library.
Source directory does not exist error when
deployment package distribution fails
This article fixes an issue in which you can't distribute deployment packages and receive the Source director y
does not exist error.
Symptoms
You discover that content for System Center Endpoint Protection (SCEP) software updates has been removed
from active deployment packages. When you try to distribute these deployment packages, the attempt fails with
the following error:
The source directory "//name/source/Updates/SCEP/bfdc178c-6e80-47cb-b698-b34dc39b67f4" for

package "Package ID" does not exist.
Cause
This issue occurs when the update package shares the same source location with other software update
packages. When Configuration Manager performs a cleanup of orphaned folders in this situation, it doesn't
recognize that some of these folders actually belong to another active deployment.
Resolution
To resolve this problem, re-create the package in question, and make sure that you specify a unique source
location. This will prevent content folders from being removed from deployment packages.
Error 80070070 during content distribution to a
CMG or cloud DP in Configuration Manager
This article helps you fix an issue where content distribution to a cloud management gateway (CMG) or cloud
distribution point fails when the BranchCache feature is enabled.
Symptoms
When you have the BranchCache feature installed on the Configuration Manager site server, content distribution
to a CMG or cloud distribution point fails. The following error messages are logged in PkgXferMgr.log on the site
server:
About to upload files from package source directory E:\SMSPKGSIG\C0101B18~~

WARNING: Caught exception System.Runtime.InteropServices.COMException - There is not enough
space on the disk . (Exception from HRESULT: 0x80070070) ~~
Call stack:
at
Microsoft.ConfigurationManager.AzureRoles.ContentManager.BranchCacheContentInfoStreamClass.Complet
e()~~
at Microsoft.ConfigurationManager.AzureRoles.ContentManager.ContentInfoStream.Close()~~
at
Microsoft.ConfigurationManager.AzureRoles.ContentManager.CryptoUtilities.EncryptAndUploadFileAndSave
ContentInfo(String fileName, String contentInfoFullPath, CloudBlockBlob blob, EncryptionParams
encryptionParams, IsCanceledCallback isCanceledDelegate)~~
at Microsoft.ConfigurationManager.AzureRoles.ContentManager.ContentManager.RecursiveUpload(String
packageId, ContentRouter contentRouter, CloudBlobContainer container, String sourceDir, String
contentInfoDir, String relativeTargetPath, EncryptionParams encryptionParams, Int32& fileCounter)~~
at Microsoft.ConfigurationManager.AzureRoles.ContentManager.ContentManager.UploadContent(String
packageId, String contentId, String contentSource, String contentInfoPath, Boolean uploadFiles,
EncryptionParams encryptionParams, ContentRouter contentRouter, String& contentInfoFile)~~
at
Microsoft.ConfigurationManager.AzureRoles.ContentManager.ContentManager.UploadPackageToCloudWith
ContentInfo(String packageId, String contentSource, String contentInfoPath, String cloudDP, String
encryptionKey, String algName, Int32 keySize, Int32 blockSize, String& contentInfoFile)~~
Cause
When the BranchCache feature is installed on the site server, the default cache location (
%windir%\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub ) and maximum cache size (1% of the total
hard disk space) are used for the BranchCache publication cache.
This issue occurs if the BranchCache publication cache size exceeds the default maximum cache size.
To view the publication cache size, run the following command:
netsh branchcache show publicationcache
Resolution
To fix this issue, flush the content of the BranchCache publication cache by running the following command on
the site server:
netsh branchcache flush
Additionally, you can change both the default cache location and maximum cache size by running the following
commands on the site server:
netsh branchcache set publicationcache directory=<New Location>

netsh branchcache set publicationcachesize size=<New Value> percent=TRUE
For example, the following commands set the BranchCache publication cache location to
E:\BranchCache\PublicationCache and the maximum cache size to 10% of the total hard disk space:
netsh branchcache set publicationcache directory=E:\BranchCache\PublicationCache

netsh branchcache set publicationcachesize size=10 percent=TRUE
NOTE
BranchCache publication cache contains the metadata that's required for clients to take advantage of BranchCache when
they download content from the distribution point. This metadata is generated when a content item is first downloaded
from a BranchCache-enabled distribution point, and is required by successive clients to download the content item by
using BranchCache. After the publication cache is flushed, the metadata is regenerated when the distribution point
receives download requests for content items. Therefore, after you flush the publication cache, the first client to download
a unique content item won't be able to use BranchCache to download the content.
IDispatch error #3603 when you distribute content
to DPs in Configuration Manager
This article fixes an issue in which you can't distribute content to Configuration Manager distribution points and
receive IDispatch error #3603 .
Symptoms
Content distribution to distribution points in Configuration Manager fails, and the following error messages are
logged in DistMgr.log on the parent site server:
CWmiRegistry::GetStr: Failed to get string value SCFSSLPortList

CWmiRegistry::GetStr: Failed to get string value SMSSSLPortList
CWmiRegistry::GetStr: Failed to get string value SMSCWSPortList
CWmiRegistry::GetStr: Failed to get string value SMSCWSSSLPortList
CWmi::PutObject(): PutInstance() failed. - 0x80041013~
~ERROR CreateApplicationPool: Failed with error = IDispatch error #3603~
~ERROR CreateVirtualDirectory: Failed to update virtual directory SMS_DP_SMSPKG$. error = IDispatch
error #3603~
vdHelper.CreateVirtualDirectory() - Failed to CreateVirtualDirectory SMS_DP_SMSPKG$ for DP
<DP_Server_Name>. Will retry in 5 seconds~
Failed to configure IIS module, GLE - 1168
ConfigureIISModules failed to configure IIS module
~ERROR CreateVirtualDirectory: Failed to update virtual directory SMS_DP_SMSPKG$. error = IDispatch
error #3603~
Cause
This issue occurs if IIS configuration on the distribution point server is changed incorrectly, so that some
required IIS components are missing, such as the IIS 6 Metabase Compatibility and IIS 6 WMI
Compatibility components.
Resolution
To fix the issue, verify IIS configuration within Ser ver Manager , on the server that hosts the distribution point,
and make sure that all required IIS components are installed.
For more information about the prerequisites for distribution point, see Distribution point.
A distribution point in a neighbor boundary group
is used before those in the current boundary group
This article provides a solution for the issue that a distribution point (DP) in a neighbor boundary group may be
used before the DPs in the current boundary group.
Symptoms
If a Configuration Manager DP from a different boundary group is in the same IP subnet as the client, that DP is
used before the DPs in the client's current boundary group that is in a different subnet are used.
Cause
Boundary group relationships define fallback behavior that lets a Configuration Manager client expand its
search from its current boundary group to additional boundary groups when it searches for an available site
system.
The usual fallback behavior is to use DPs in the current boundary group instead of those DPs from the
neighboring and site default boundary groups.
The current boundary group is always intended to be searched first. However, if a DP from a neighboring
boundary group is in the same IP subnet that a client is in, that DP is used before the DPs that are in the client's
current boundary groups that are not in the same subnet.
Resolution
To avoid this issue and make sure that the usual fallback behavior occurs, do not define neighboring boundary
groups to be in the same subnets as the clients in the current boundary group.
References
For more information, see these articles:
Define network locations as boundaries for Configuration Manager
Define site boundaries and boundary groups for Configuration Manager
Configure boundary groups for Configuration Manager
Distribution point installations or upgrades take
longer than expected in System Center 2012
This article describes a performance issue when installing or upgrading distribution points (DPs) on
Configuration Manager sites that have many standard or pull DPs.
Original product version: Microsoft System Center 2012 Configuration Manager, System Center Configuration
Manager 2012 R2
Summary
On System Center 2012 Configuration Manager sites that have many standard or pull distribution points,
installing or upgrading all distribution points may take longer than expected. This can occur if the Distribution
Manager component cannot create additional threads for the installation or upgrade process.
Additionally, you will receive messages that resemble the following in the Distmgr.log file:
DP upgrade processing thread: No more available threads left to process any more upgrade distribution
point notification. Will wait for existing distribution point upgrades.
If you receive this message repeatedly, you can reduce the overall time that is required to complete the process
by increasing the number of processing threads.
DP upgrade thread limit

By default, Distribution Manager allocates up to five threads to install or upgrade distribution points. Each
thread has a single distribution point. The default setting is recorded in the Distmgr.log file as DP upgrade
thread limit .
DP upgrade thread limit is a Site Control File property that's represented as DPUpgradeThreadLimit in
Windows Management Instrumentation (WMI). By default, this property is not present. However, when you add
this property, you can override the predefined limit of five threads.
To increase the default limit, create DPUpgradeThreadLimit as an embedded property of the
SMS_DISTRIBUTION_MANAGER component. This is an instance of the SMS_SCI_Component class in the site namespace.
To make sure that the changes take effect, restart the SMS_Executive service on the site server after you change
this property.
NOTE
Increasing the thread limit beyond the default will put additional load on the site server. Careful planning and testing
should be completed to prevent the introduction of performance bottlenecks on the site server during the upgrade
process. A maximum of fifty threads should be sufficient for most environments.
References
How to Read and Write to the Configuration Manager Site Control File by Using WMI
How to Write a Configuration Manager Site Control File Embedded Property
Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager
Duplicate rows in the DistributionContentVersion
table after you reassign a DP in Configuration
Manager
This article provides a solution and workaround for the issue that duplicate rows are created in the
DistributionContentVersion table after you reassign the distribution point (DP) to another primary site in
(current branch - version 1806), Configuration Manager (current branch - version 1802)
Symptoms
In a Configuration Manager current branch version 1802 or later version hierarchy, you use the Reassign
Distribution Point feature to reassign a DP to another primary site. Content validation is enabled on the DP.
In this scenario, after a new content validation cycle ends, duplicate rows for each package on the DP are
generated in the DistributionContentVersion table, one for the old site and one for the new site.
This is an example of what occurs when you reassign a DP from site PS2 to site PS1.
Figure 1: Output of the DistributionContentVersion table before you reassign the DP
Figure 2: Output of the DistributionContentVersion table after you reassign the DP and a new content validation
cycle ends
After you reassign the DP, merging data into the ContentDistribution table fails. For example, when the
spRebuildContentDistribution procedure runs or the Configuration Data group is reinitialized, you receive this
error message:
Msg 8672, Level 16, State 1, Procedure spRebuildContentDistribution, Line 197 [Batch Start Line 29]
The MERGE statement attempted to UPDATE or DELETE the same row more than once. This happens when a
target row matches more than one source row. A MERGE statement cannot UPDATE/DELETE the same row
of the target table multiple times. Refine the ON clause to ensure a target row matches at most one source
row, or use the GROUP BY clause to group the source rows.
Failure scenarios include adding a new site, recovering a site, and re-initializing configuration data.
Cause
When content validation is enabled, the DistributionContentVersion table is populated with data that's reported
by content validation. When you reassign a DP from one site to another, the spMoveDistributionPoint procedure
updates DPNALPath in the DistributionContentVersion table. However, it doesn't update SiteCode .
Therefore, after the DP is reassigned to the new site and a new content validation cycle runs, there are two rows
for each package in the DistributionContentVersion table: One for the old site and one for the new site.
To determine whether you experience this issue, run this SQL query:
SELECT * FROM DistributionContentVersion DCV

LEFT JOIN DistributionPoints DP ON DP.NALPath = DCV.DPNALPath
WHERE DCV.SiteCode <> DP.SMSSiteCode
If the result isn't NULL, the issue occurs.
Resolution
To fix the issue, update to Configuration Manager version 1902.
Workaround
To work around this issue without updating, run the following SQL statements on the central administration site
or a primary site after you reassign the DP:
--Detect and fix the DistributionContentVersion duplicates after reassigning a DP to a new site
--Run this on any one site in the hierarchy (CAS or Primary) and the fix should propagate in the rest sites
through DRS
IF OBJECT_ID('tempdb..#temp') IS NOT NULL

DROP TABLE #TEMP
SELECT DCV.PkgID, DCV.DPNALPath,DP.SMSSiteCode,DCV.SiteCode

INTO #TEMP
FROM DistributionContentVersion DCV
LEFT JOIN DistributionPoints DP ON DP.NALPath = DCV.DPNALPath
WHERE DCV.SiteCode <> DP.SMSSiteCode
IF EXISTS (SELECT 1 from #TEMP)

BEGIN
PRINT 'Affected by DistributedContentVersion Duplicate PkgID, NalPath issue. Cleaning the old site
records...'
PRINT ''
DECLARE @PkgID NVARCHAR(255)
DECLARE @NALPath NVARCHAR(255)
DECLARE @ActualSiteCode NVARCHAR(3)
DECLARE @OldSiteCode NVARCHAR(3)
DECLARE DelOldSiteInfoForDistContentVersion CURSOR FOR

SELECT A.PkgID,A.DPNALPath,A.SMSSiteCode,A.SiteCode FROM #TEMP AS A
OPEN DelOldSiteInfoForDistContentVersion;
FETCH NEXT FROM DelOldSiteInfoForDistContentVersion INTO @PkgID,@NALPath,@ActualSiteCode,@OldSiteCode;
WHILE @@FETCH_STATUS = 0
BEGIN
PRINT 'Deleting the record for Package '+ @PkgID +' and NalPath '+ @NalPath + ' for the Old
SiteCode '+ @OldSiteCode
-- Delete records of DP which are for the old site
DELETE FROM DistributionContentVersion WHERE PkgID=@PkgID AND DPNALPath=@NALPath AND SiteCode =
@OldSiteCode
FETCH NEXT FROM DelOldSiteInfoForDistContentVersion INTO
@PkgID,@NALPath,@ActualSiteCode,@OldSiteCode;
END;
CLOSE DelOldSiteInfoForDistContentVersion;
DEALLOCATE DelOldSiteInfoForDistContentVersion;
END
ELSE
PRINT 'DistributionContentVersion table is Fine. Exiting...'
Hash mismatch error when clients download
Contentinfo.tar from cloud DPs that are assigned to
multiple primary sites
This article provides the steps to solve the hash mismatch error that occurs when you try to download the
Contentinfo.tar file from the cloud distribution points (DPs).
Symptoms
You have multiple cloud DPs in Configuration Manager. Each DP is assigned to a different primary site.
The DP role isn't installed on the primary site server. Or, the DP role is installed on the primary site server, but
the Enable and configure BranchCache for this Distribution Point option isn't enabled.
The BranchCache feature is installed on the primary site servers. And BranchCache is enabled on client
computers.
In this scenario, you receive hash mismatch error when clients try to download the Contentinfo.tar file from the
cloud DPs. An error entry is logged in the ContentTransferManager.log file:
CCTMJob::_ProcessContentInfo - failed to verify hash (algorithm ID = 32780, provider type = 24). Actual
value - <value1>, Computed value - <value2>
Cause
This issue occurs because the BranchCache key isn't synchronized across the primary site servers. When
Package Transfer Manager uploads the Contentinfo.tar file to the cloud DPs, the file hash is different on each
primary site because the BranchCache key is different.
Resolution
1. Run the following SQL query on the central administration site to get the BranchCache key that each
primary site should use:
SELECT * FROM SC_Properties WHERE Name = 'BranchCacheKey'
2. Run the following command on each primary site to set the BranchCache key to the value that you get
in step 1:
netsh branchcache set key passphrase="<value>"

NOTE
In this command, <value> is the result that you get in step 1.
3. Redistribute all content to the cloud DPs so that the content is uploaded by having the correct hash
values.
Package distribution to a remote distribution point
fails because of a logon failure
This article helps you work around an issue in which you can't distribute packages to a remote distribution point
(DP).
Symptoms
You configure a remote content library for the site server on another server in the same domain,
CONTOSO.COM.
You have a remote site system server as a DP that's in an untrusted domain, FABRIKAM.COM.
You select the Use another account for installing this site system option for the remote site system,
and you specify an account that has local administrative rights on that server.
In this scenario, distributing packages to the remote DP fails, and you receive the following error messages in
the PkgXferMgr.log file on the site server:
Date Time SMS_PACKAGE_TRANSFER_MANAGER 7280 (0x1c70) Found send request with ID: 26, Package:
DAL0000C, Version:1, Priority: 2, Destination: DP.FABRIKAM.COM, DPPriority: 200
Date Time SMS_PACKAGE_TRANSFER_MANAGER 4892 (0x131c) Sending thread starting for Job: 26,
package: DAL0000C, Version: 1, Priority: 2, server: DP.FABRIKAM.COM, DPPriority: 200
Date Time SMS_PACKAGE_TRANSFER_MANAGER 4892 (0x131c) ~"FABRIKAM\<AccountName>" user will
be used to connect to the remote DP machine "DP.FABRIKAM.COM"
Date Time SMS_PACKAGE_TRANSFER_MANAGER 4892 (0x131c) Sending legacy content DAL0000C.1 for
package DAL0000C
Date Time SMS_PACKAGE_TRANSFER_MANAGER 4892 (0x131c) CContentDefinition::TotalFileSizes failed;
0x8007052e
Date Time SMS_PACKAGE_TRANSFER_MANAGER 4892 (0x131c) CSendFileAction::SendFiles failed;
0x8007052e
Date Time SMS_PACKAGE_TRANSFER_MANAGER 4892 (0x131c) CSendFileAction::SendContent failed;
0x8007052e
Additionally, event 4625 is logged on the server that hosts the content library:
Log Name: Security

Source: Microsoft-Windows-Security-Auditing
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: STORAGE.CONTOSO.COM
Description:
An account failed to log on.
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: <AccountName>
Account Domain: FABRIKAM
NOTE
FABRIKAM\<AccountName> represents the Site System Installation Account for the remote DP.
Cause
This issue occurs because Configuration Manager incorrectly uses the Site System Installation Account for
the remote site system to connect to the remote content library.
Workaround
To work around this issue, follow these steps:
1. Create a local account on the server that hosts the content library.
2. Assign the new account the same name as the Site System Installation Account that is configured for the
remote site system.
3. Grant the new account access to the content library folder.
This action enables pass-through authentication to work around the distribution failure that occurs because
Configuration Manager incorrectly uses the Site System Installation Account .
If you notice error entries for Microsoft SQL Server authentication in the DistMgr.log file, follow the steps in Site
system installation account is incorrectly used for a remote site system to connect to SQL Server database to
work around the issue.
Windows Installer source list update fails when
distribution points are configured for HTTPS
This article helps you work around an issue in which Windows Installer source list doesn't update when
Configuration Manager clients communicate with distribution points by using HTTPS.
Symptom
In Microsoft System Center 2012 Configuration Manager, and later versions of the program, Windows Installer
source list update fails when clients communicate with distribution points by using HTTPS. You receive the
following error messages in SrcUpdateMgr.log on the clients:
UpdateURLWithTransportSettings(): HTTP requested but client settings prohibit it.

Failed source list update for product <product code>, error 87d00226
DoUpdateSourceListAll task failed, error code 87d00226
Source list update task failed, will be retried after 3600 seconds
Cause
This is an unsupported scenario.
Workaround
IMPORTANT
This section contains steps that tell you how to modify the registry. However, serious problems might occur if you modify
the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the
registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to
back up and restore the registry, see How to back up and restore the registry in Windows.
To work around the issue, use one of the following methods:

Use HTTP for communication from clients to distribution points if you can.
For packages, enable Copy the content in this package to a package share on distribution
points in the package properties.
For applications, add the location of the application source to the following Windows Installer source list
registry subkeys:
HKEY_CLASSES_ROOT\Installer\Products\<product code>\SourceList\Net
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\<product code>\SourceList\Net
Content distribution in Configuration Manager
This guide is intended to help administrators understand the content distribution process and serves to build a
foundation for diagnosing and resolving general content distribution related problems.
Original product version: Configuration Manager current branch, Microsoft System Center 2012 Configuration
Manager, Microsoft System Center 2012 R2 Configuration Manager
Summary
This guide is divided up into the following articles:
Distribution points installation, upgrade, and configuration
Content library in Configuration Manager
Advanced troubleshooting tips for content distribution
More Information
For more information regarding content distribution in Configuration Manager, see the following articles:
Fundamental concepts for content management in Configuration Manager
Configuration Manager Tools
You can also post a question in our Configuration Manager support forum.
Visit our blog for all the latest news, information, and tech tips on Configuration Manager.
This article helps you understand components and threads for content distribution.
The components used for content distribution

Here's a quick list of the primary components used for content distribution:
NAME C O M P O N EN T N A M E F RIEN DLY N A M E DESC RIP T IO N
Distribution Manager SMS_DISTRIBUTION_MANA DistMgr Manages content and

GER creates jobs for PkgXferMgr
Package Transfer Manager SMS_PACKAGE_TRANSFER_ PkgXferMgr Transfers packages to

MANAGER distribution points
Hierarchy Manager SMS_HIERARCHY_MANAGE Hman Processes and replicates

R changes to the site
hierarchy
Sender SMS_SENDER Sender Initiates inter-site

communications across
TCP/IP networks
Despooler SMS_DESPOOLER Despooler Processes incoming

replication files from parent
or child sites
Scheduler SMS_SCHEDULER Scheduler Creates sender jobs
Database Notification SMS_DATABASE_NOTIFICAT SmsDbMon Watches the database for

Monitor ION_MONITOR changes to certain tables
and creates files in the
inboxes of components
responsible for processing
those changes
SMS Provider SMS Provider SMSProv Windows Management

Instrumentation (WMI)
Provider that assigns read
and write access to the
database at a site
SMS DP Provider SMS DP Provider SMSDPProv Windows Management

Instrumentation (WMI)
Provider that manages
Content Library operations
on the DP
NAME C O M P O N EN T N A M E F RIEN DLY N A M E DESC RIP T IO N
SMS Agent Host SMS Agent Host CcmExec SMS Agent Host is the
client agent service that
also hosts server-side
components such as
Management Point and Pull
Distribution Point
Data Transfer Service DataTransferService DTS Data Transfer Service is a

component of CcmExec
responsible for download
files via BITS.
Distribution Manager (DistMgr) threads

Distribution Manager (DistMgr) performs a variety of operations to distribute content to the distribution points
(DPs). These operations are handled by the different types of threads, and the diagram below explains the
DistMgr thread hierarchy for the default thread configuration:
Main DistMgr thread

Log entry for identification: SMS_EXECUTIVE started SMS_DISTRIBUTION_MANAGER as thread ID 3648 (0xE40)
This thread is started by SMS_Executive on service startup. The main DistMgr thread starts the replication
processing, DP Manager, content cleanup, DP certificate monitoring, content library move, IIS config
change processing, DP reassignment and upgrade processing threads when it starts. It also starts
package processing threads on-demand when a package change occurs
In addition to managing these threads, this thread also handles changes to the Site Control File and
updates DP settings (configure DP/PXE, update registry settings, create monitoring/usage tasks on the DP,
and so on).
Replication processing thread
Log entry for identification: Starting thread for processing replication, thread ID = 0x1A14 (6676)
This thread is started by the main DistMgr thread and processes the following files in the
DistMgr.box\incoming directory:
F IL E DESC RIP T IO N
.STA Updates package status in the PkgStatus table in the

database.
.FWD Forwards the specified package to the specified

destination site by creating a mini-job to send the
package.
.DMD Distributes on-demand requests. Targets the specified

package to the specified DP.
.PUL Updates pull DP package response in the

PullDPResponse table in the DB.
NOTE
This thread is single-threaded and doesn't create more threads to process any of these files.
DP Manager thread
Log entry for identification: Starting the DP Manager thread, thread ID = 0x5D8 (1496)
This thread is started by the main DistMgr thread and processes removal of DPs when detecting a Site
Control File change. When an appropriate Site Control File change occurs, SMSDBMON drops a DPN (DP
Notification) file in DistMgr.box that's processed by this thread.
DPN files are used to notify a DP change, which involves DP removal (detected by Action = 3 in the
DistributionPoints table).
NOTE
This thread is single-threaded and doesn't create more threads to perform work.
Content cleanup thread

Log entry for identification: Starting the content cleanup thread, thread ID = 0x1604 (5636)
This thread is started by the main DistMgr thread, and runs content cleanup. It determines if content
cleanup is required by detecting orphaned content from the database. This thread uses default batch size
of 50 for the number of contents it can instruct a remote DP to delete at a time. However, this value can
be overridden by setting the following registry key:
SMS\Components\SMS_DISTRIBUTION_MANAGER\RemoteContentCleanupBatchSize
DWORD value can be between 1 and 500 .
NOTE
Do not change this value without consulting Microsoft support professional. This thread is single-threaded and
doesn't create more threads to perform work.
DP cer tificate monitoring thread

Log Entry for identification: Starting the DP cert monitoring thread, thread ID = 0x7290 (29328)
This thread is started by the main DistMgr thread. This thread processes .CER files and configures the
certificate binding in IIS when enhanced HTTP mode is enabled. This mode requires use of Configuration
Manager generated certificates in IIS.
NOTE
Content librar y move thread

Log Entry for identification: Starting the content library move thread, thread ID = 0x11D6C (73068)
This thread is started by the main DistMgr thread, and moves content library to the new location after a
.CML file is dropped in DistMgr.box .
NOTE
IIS config change processing thread

Log Entry for identification:
Starting the IIS config change processing thread, thread ID = 0x408C (16524)
This thread is started by the main DistMgr thread, and handles configuring IIS virtual directories for
standard and pull distribution points after IIS files are dropped in DistMgr.box . This thread reads the
IISConfigChangeThreadLimit Site Control File (SCF) property for SMS_DISTRIBUTION_MANAGER component to
determine the number of threads it can start for performing IIS changes simultaneously. The default
value of IISConfigChangeThreadLimit SCF Property is 50 , but it can be changed if necessary. However, if
this SCF property doesn't exist for some reason, the default value of 50 is used for
IISConfigChangeThreadLimit .
NOTE
This thread does create more threads to perform DP IIS config changes. Each worker thread handles configuration
of IIS virtual directories of a specific DP.
DP reassignment thread
Log Entry for identification: Starting the shared DP reassignment thread, thread ID = 0x9C0C (39948)
This thread is started by the main DistMgr thread, and handles DP reassignments for standard and pull
distribution points when a .DPU file is dropped in DistMgr.box . This thread reads the
SharedDPImportThreadLimit Site Control File (SCF) property for SMS_DISTRIBUTION_MANAGER component to
determine the number of threads it can start for performing DP reassignments simultaneously. The
default value of SharedDPImportThreadLimit SCF Property is 50 , but it can be changed if necessary.
However, if this SCF property doesn't exist for some reason, the default value of 50 is used for
SharedDPImportThreadLimit .
NOTE
This thread does create more threads to perform DP reassignments. Each worker thread handles reassignment of
a specific DP.
Upgrade processing thread

Log entry for identification: Starting the DP upgrade processing thread, thread ID = 0x1968 (6504)
This thread is started by the main DistMgr thread, and handles DP installations and upgrades for
standard and pull distribution points. It calls spGetDPsForUpgrade to get a list of DPs that need to be
upgraded. This thread reads the DPUpgradeThreadLimit Site Control File (SCF) property for
SMS_DISTRIBUTION_MANAGER component to determine the number of threads it can start for performing DP
Installations/Upgrades simultaneously. The default value of DPUpgradeThreadLimit SCF Property is 50 , but
it can be changed if necessary. However, if this SCF property doesn't exist for some reason, the default
value of 5 is used for DPUpgradeThreadLimit .
NOTE
This thread does create more threads to perform DP installation/upgrade work. Each worker thread handles
installation/upgrade of a specific DP.
Package processing thread

Log entry for identification:
Started package processing thread for package 'PKGID', thread ID = 0x8E8 (2280)
These threads are started by the main DistMgr thread. The number of package processing threads is
determined by the Maximum number of packages thread setting in the Software Distribution
Component Configuration properties. Each package processing thread performs the hashing of the
package content and creates a compressed copy of the content.
NOTE
Although all package processing threads run simultaneously, they are responsible for hashing and compressing
package source. There is a Critical Section around the compression, meaning only one thread can be compressing
content at a time. If a bunch of new, large packages are created and distributed, the per-package threads can
block in a chain waiting for their turn to get the compression lock.
Depending on the package actions (add/update/delete), each package processing thread also creates:
DP threads to create a Package Transfer Manager job for adding/updating content on a DP.
DP threads to instruct a remote distribution point to remove content from the content library.
The number of DP threads each package processing thread can create is determined by the Maximum
threads per package setting in the Software Distribution Component Configuration properties.
NOTE
Package processing threads are multi-threaded and each package processing thread creates more threads to
perform work. Each worker thread handles add/update/remove operations for the DPs.
Distribution Manager thread configuration

All Configuration Manager sites (including the central administration site) allow configuring the number of
threads that can be used for distributing content to the distribution points (DPs). This configuration is specific to
each site and can be accessed by right-clicking the site under the Sites node and selecting Configure Site
Components > Software Distribution . Here's a look at the default configuration:
In most cases, you would only be concerned with the Maximum number of packages and Maximum
threads per package settings.
Maximum number of packages : Specifies the maximum number of packages that ConfigMgr can send to
the DPs simultaneously. The specified value should be between 1 and 50 .
Maximum threads per package : Specifies the maximum number of threads assigned to each package
during distribution. Specified value should be between 1 and 999 .
The default configuration of Maximum number of packages=3 and Maximum threads per package=5
can also be referred to 3x5 . This is how the thread configuration will be often denoted in the workflow.
What this really means
Effect on Distribution Manager (DistMgr)
With the default thread configuration of 3x5 , DistMgr can simultaneously process three packages and use up to
five threads for each package, allowing it to use up to a total of 15 threads to perform work. Here's how this
breaks down assuming we have more than three packages that need to get distributed to more than 5 DPs:
To process each individual package, a package processing thread is spawned by the main DistMgr thread. This
package processing thread uses one out of three package processing slots from the Maximum number of
packages setting. There is a unique package processing thread per package - DistMgr does not start multiple
package processing threads for the same package. This means that three unique packages will utilize three
unique package processing threads. Each of these package processing threads can spawn up to five DP threads
to distribute the package to five DPs simultaneously.
Effect on Package Transfer Manager (PkgXferMgr)
For each PkgXferMgr job created by DistMgr, PkgXferMgr uses one thread. Thread configuration of 3x5 means
that the sending capacity for PkgXferMgr is set to 15 , which means that PkgXferMgr can't work on more than 15
jobs simultaneously, limiting it to a maximum of 15 threads.
How long a thread runs
DistMgr threads
The purpose of a DP thread is to create a job for Package Transfer Manager, which then does the actual content
copy to the DP. DP threads finish after creating the PkgXferMgr job, and as a result, the lifetime of a DP thread is
short. Due to this nature, most of the time there is no need to set up aggressive thread configuration to speed
up content distribution. Instead of setting aggressive values, look towards Choosing the right values (more
information below).
PkgXferMgr threads
For standard DPs, since PkgXferMgr threads perform the real work of sending the content, the lifetime of these
threads depends on the size of the packages. For larger packages, these threads can take a long time depending
on the package size and network speed. While these threads can take a long time to complete, the lifetime of
DistMgr threads is much shorter, which means that DistMgr can queue a large number of jobs for PkgXferMgr,
creating a backlog of jobs in the queue.
For pull DPs, PkgXferMgr threads notify the pull DP, asking the pull DP to download the content. As a result, the
lifetime of PkgXferMgr threads for pull DPs is short. PkgXferMgr does start another thread to perform pull DP
polling (based on the configured polling interval) to check on the progress of the job. However, this is also a
quick operation and these threads do have a short lifetime as well.
Choosing the right values
To determine the appropriate values for these settings, you first need to understand the Configuration Manager
hierarchy. Let's consider the following hypothetical Configuration Manager environment:
Central administration site: CS1
Primary site: PS1
Number of regular distribution points reporting to PS1: 200
Total number of packages: 1000
In this environment, the default thread configuration (3x5 ) means that if a new package needs to get distributed
to all 200 DPs, we will only process 5 DPs at a time. Once a DP thread exits, another DP thread will then spawn
and the process will continue until all the DPs are processed. This process will take some time to loop through
all 200 DPs.
To optimize this, we first need to ask a couple of questions:
1. How many packages do you foresee getting added/updated/distributed simultaneously on an average?
2. How many DPs do you have in the site? How is the network configuration between the site server and these
DPs?
Assuming the answer to the first question is 5 , and the answer to the second question is 200 with good network
connectivity, you could theoretically set Maximum number of packages to 5 and Maximum threads per
package to 200 , allowing Configuration Manager to send up to five packages to all 200 DPs simultaneously.
However, this means that when there is more than the average load we can create up to 1000 threads, which is
many threads. More threads are usually good, but not always since the work being performed also relies on
hardware and network configurations. Too many threads can sometimes cause bottlenecks and slow things
down instead of improving them.
The most important thing to remember when configuring these settings is to find a balance . For the example
above, a reasonable option would be to set the thread configuration to 5x100 (or even 5x50 depending on
hardware/network) which still allows Configuration Manager to process up to 100 DPs simultaneously for five
different packages. With these settings, the maximum number of threads that can spawn during high load will
not exceed 500.
NOTE
As a general guideline, it is recommended that the total number of threads not exceeds 750. This means you could set
the thread configuration to 3x250 , 5x150 , 10x75 and so on.
In the same hierarchy, you may run into a situation where you are bringing a new DP in the environment and
you need to distribute all 1000 packages to the DP. In this case, thread configuration of 5x100 is not going to be
effective since we can only process 5 packages at a time, and processing a 1000 packages will take a
considerable amount of time. In this scenario, you could choose to either:
Temporarily set the thread configuration to something like 50x10 that is more suitable for the current
requirement, but is not a good option in the long run considering we have 200 DPs.
Permanently set the thread configuration to something like 20x25 that provides a far better balance and will
offer similar performance in a scenario where more packages need to go to handful of DPs as well as a
scenario where a handful of packages need to go to many DPs.
IMPORTANT
There isn't a set recommendation on values for thread configuration; it varies for each environment and should be set
after understanding your environment and requirements. Always remember to find a balance !
Sender thread configuration

Each Configuration Manager site (including the central administration site and secondary sites) has one sender.
The sender manages the network connection from one site to a destination site, and can establish connections
to multiple sites at the same time. To connect to a site, the sender uses the file replication route to the site to
identify the account to use to establish the network connection. The sender also uses this account to write data
to the destination site's SMS_SITE share.
By default, sender writes data to a destination site by using multiple concurrent threads. Each concurrent thread
can transfer a different file-based object to the destination site. By default, when the sender begins to send an
object, it continues to write blocks of data for that object until the entire object is sent.
All Configuration Manager sites allow you to configure the number of threads that can be used by the Sender
component to send data concurrently to other sites. This configuration is specific to each site, and can be
accessed from the Site Proper ties under the Sites node by selecting the Sender tab. Here's a look at the
default configuration:
All sites : The maximum number of simultaneous communications allowed for this sender. The default value is
5 . These communications can be destined for different sites or all for the same site, except as restricted by the
maximum value specified in Per site .
Per site : The maximum number of simultaneous communications allowed to any single destination site. The
default value is 3 .
NOTE
When configuring the total number of concurrent sending threads to be used when communicating with other sites, the
total number of sending threads should be configured as a greater number than the threads configured for the per site
setting. If the total number of sending threads is equal to the number configured to be used per site and a receiving site
is unavailable, it could cause all sending threads to become used when attempting to communicate with the unavailable
site and prevent site-to-site communication to other sites.
What this means

The value specified under All sites defines the total number of threads that Sender can use for sending data
concurrently to other sites. Out of the total number of threads for All sites , you can allot a maximum number of
threads under Per site that can be used for sending data to any one destination site. By default, each site is
configured to use five concurrent threads, with three available for use when sending data to any one destination
site. When you increase this number, you can increase the throughput of data between sites by enabling
Configuration Manager to transfer more files at the same time. Increasing this number also increases the
demand for network bandwidth between sites.
Choose the right values
To determine appropriate values for these settings, you first need to understand the Configuration Manager
hierarchy. Let's consider the following hypothetical Configuration Manager environment:
Central administration site: CS1
Primary site: PS1
Primary site: PS2
Primary site: PS3
Primary site: PS4
In this environment, the default Sender thread configuration will allow using a total of 5 threads. Out of those 5
threads, 3 can be used for any one of the 4 destination primary sites. If an administrator sends 3 to all of these
sites, it is possible that sender will end up using three threads for one of these sites (let's say PS1), leaving only 2
threads for the remaining sites. Out of the remaining 2 threads, sender may use 1 for PS2 and the other for PS3
utilizing all five allowed threads leaving no room for sending data concurrently to PS4. At this point, Sender will
have to wait for one of the existing 5 threads to finish before it can send more data. Once an existing thread
finishes, Sender will then be able to use another thread for sending more data to the PS2/PS3/PS4 sites.
It is recommended to set aside 10 threads for each site that Sender will communicate with. In this case, the CS1
site can communicate with four other sites, which means that a Per site value of 10 for four sites will require
setting the All sites value to 40 .
NOTE
This is a general recommendation and these values may require further tweaking depending on the number of packages
a site needs to send concurrently to other sites.
Bandwidth control and threads

In Configuration Manager, you can configure a schedule and set specific throttling settings for remote
distribution points as well as for file replication routes for sites. The controls for scheduling and throttling to the
remote distribution point are similar to the settings for a standard sender address, but in this case, the settings
are used by a component called Package Transfer Manager.
For the Package Transfer Manager component (for Site Server - > DP), the throttling settings are configured in
the properties for a standard distribution point that is not on a site server.
For the Sender component (for Site Server <-> Site Server), the throttling settings are configured in the
properties of the file replication route under Hierarchy Configuration > File Replication .
NOTE
The time settings are based on the time zone from the sending site, not the distribution point.
Schedule options
To restrict data, select the time period, and then select one of the following settings for availability:
Open for all priorities : Specifies that Configuration Manager sends data to the distribution point with
no restrictions.
Allow medium and high priority : Specifies that Configuration Manager sends only medium and high
priority data to the distribution point.
Allow high priority only : Specifies that Configuration Manager sends only high priority data to the
distribution point.
Closed : Specifies that Configuration Manager does not send any data to the distribution point.
You can restrict data by priority or close the connection for selected time periods.
Rate limit options
This is used to configure rate limits to control the network bandwidth that is in use when transferring content to
the distribution point. You can choose from the following options:
Unlimited when sending to this destination : Specifies that Configuration Manager sends content to the
distribution point with no rate limit restrictions.
Pulse mode : Specifies the size of the data blocks that are sent to the distribution point. You can also specify
a time delay between sending each data block. Use this option when you must send data across a low-
bandwidth network connection to the distribution point. For example, you might have constraints to send 1
KB of data every five seconds, regardless of the speed of the link or its usage at a given time.
Limited to specified maximum transfer rates by hour : Specify this setting to have a site send data to a
distribution point by using only the percentage of time that you configure. When you use this option,
Configuration Manager does not identify the networks available bandwidth, but instead divides the time it
can send data into slices of time. Then data is sent for a short block of time, which is followed by blocks of
time when data is not sent. For example, if the maximum rate is set to 50%, Configuration Manager transmits
data for a period of time followed by an equal period of time when no data is sent. The actual size amount of
data, or size of the data block, is not managed. Instead, only the amount of time during which data is sent is
managed.
For more information on these settings, see Configuring Content Management in Configuration Manager.
How this affects Sender and PkgXferMgr threads
When bandwidth control is enabled for a site, the sender component will ignore the Sender thread configuration
for the site and will only use one thread for that site. Similarly, when bandwidth control is enabled for a DP,
PkgXferMgr will ignore the thread configuration and will only use one thread for the DP.
NOTE
This applies even when the Limit available bandwidth (%) is set to 100%.
When bandwidth control is in effect, PkgXferMgr.log will log one of these lines:
Scheduling:
~Address to DPNAME.CONTOSO.COM is currently under bandwidth control, therefore only one connection
is allowed, returning send request to the pool.
Pulse Mode:
~Addres to DPNAME.CONTOSO.COM is currently in pulse mode, therefore only one connection is allowed.
~Abandoning send request because only one connection is allowed in pulse mode.
Sender.log will show similar entries when bandwidth throttling is configured.
Distribution points installation, upgrade, and
configuration
This article describes distribution points installation, upgrade, configuration changes, removal and how these
operations work. It's important to understand these flows to properly identify and diagnose the issue.
Introduction
When troubleshooting DP installation and upgrade issues, it is important to remember that DP
installation/upgrade is performed by a thread from the DP upgrade processing thread pool. Review the DP
installation/upgrade process flow to understand how to identify the thread performing the DP
installation/upgrade and filter the DistMgr.log for the identified thread. Review the filtered DistMgr.log to
identify whether the DP installation/upgrade failed/succeeded and proceed accordingly.
When troubleshooting DP removal issues, it is important to remember that the DP removal is performed by the
DP Manager thread, which is single-threaded. This means that if multiple DPs are removed at the same time, the
DP removal will be performed one by one and can take a long time if a large number of DPs are removed.
Review the DP Removal process to understand how to identify the DP Manager thread and filter the
DistMgr.log for the identified thread.
DP installation
The DP installation involves the steps listed below. These steps cover a typical DP installation initiated from the
Configuration Manager console after the administrator has finished the DP installation wizard. Each step is
described, followed by an example of how the step can be monitored by examination of the associated log file. If
you have a problem with DP installation, the log files should show you exactly where in the process the problem
is occurring and provide vital clues to why the process is failing.
Step 1: The admin console creates an instance of the SMS_SCI_SysResUse WMI class for the new DP
After the administrator completes the DP installation wizard, the admin console creates an instance of the
SMS_SCI_SysResUse WMI class within the SMS Provider namespace. SMSProv.log shows the creation of this
instance and contains other useful entries such as the SMSAppName, MachineName, UserName,
ApplicationName, which can be helpful when investigating problems.
SMS Provider 4180 (0x1054) ~

SMS Provider 4180 (0x1054) CExtUserContext::EnterThread : User=CONTOSO\Admin Sid=<SID> Caching
IWbemContextPtr=00000000046687B0 in Process 0x540 (1344)~
SMS Provider 4180 (0x1054) Context: SMSAppName =Configuration Manager Administrator console~
SMS Provider 4180 (0x1054) Context: MachineName =PS1SITE.CONTOSO.COM~
SMS Provider 4180 (0x1054) Context: UserName =CONTOSO\Admin~
SMS Provider 4180 (0x1054) Context: ObjectLockContext=<ContextID>~
SMS Provider 4180 (0x1054) Context: ApplicationName =Microsoft.ConfigurationManagement.exe~
SMS Provider 4180 (0x1054) Context: ApplicationVersion=5.0.8355.1000~
SMS Provider 4180 (0x1054) Context: LocaleID=MS\0x409~
SMS Provider 4180 (0x1054) Context: __ProviderArchitecture=32 ~
SMS Provider 4180 (0x1054) Context: __RequiredArchitecture=0 (Bool)~
SMS Provider 4180 (0x1054) Context: __ClientPreferredLanguages=en-US,en~
SMS Provider 4180 (0x1054) Context: __CorrelationId={CorrelationID}~
SMS Provider 4180 (0x1054) Context: __GroupOperationId=170804 ~
SMS Provider 4180 (0x1054) CExtUserContext : Set ThreadLocaleID OK to: 1033~
SMS Provider 4180 (0x1054) CSspClassManager::PreCallAction, dbname=CM_PS1~
SMS Provider 4180 (0x1054) PutInstanceAsync SMS_SCI_SysResUse~
SMS Provider 4180 (0x1054) CExtProviderClassObject::DoPutInstanceInstance~
SMS Provider 4180 (0x1054) INFO: 'PS1DP1.CONTOSO.COM' is a valid FQDN.
SMS Provider 4180 (0x1054) Auditing: User CONTOSO\Admin created an instance of class
SMS_SCI_SysResUse.~
SMS Provider 4180 (0x1054) CExtUserContext::LeaveThread : Releasing IWbemContextPtr=73828272~
When this WMI instance is created, SMS Provider also inserts a row in the database:
insert into vSMS_SC_SysResUse (SiteNumber, RoleName, NALPath, NALResType) values (1, N'SMS Site System',
N'["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\', N'Windows NT Server')
Step 2(optional): SMS Provider adds the newly created DP to a boundary group if specified during the wizard
During the DP installation wizard, the administrator has the option to specify whether the new DP should be
added to an existing or a new boundary group. SMS Provider is responsible for making these changes and logs
the following entries:
SMS Provider 4180 (0x1054) AddSiteSystem~~

SMS Provider 4180 (0x1054) Adding site system ["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\ to the boundary group PS1 Assignment And Content ~
SMS Provider 4180 (0x1054) Successfully added 1 servers to boundary group PS1 Assignment And
Content~
SMS Provider 4180 (0x1054) Auditing: User CONTOSO\Admin modified an instance of class
SMS_BoundaryGroup.~
SMS Provider 4180 (0x1054) CExtUserContext::LeaveThread : Releasing IWbemContextPtr=73828272~
Step 3: SMSDBMON detects a site control change and notifies HMAN to process site control file
SMSDBMON constantly monitors various tables in the database and thus detects a change to the site control file
related tables (in step 1). On receiving (denoted as RCV in the log) a change, SMSDBMON notifies the
appropriate components by dropping/sending (denoted as SND in the log) files in the component inbox. In this
case, SMSDBMON notifies HMAN to process the site control file for changes:
SMS_DATABASE_NOTIFICATION_MONITOR 2580 (0xa14) RCV: UPDATE on SiteControl for

SiteControl_AddUpd_HMAN [PS1 ][1027921]
SMS_DATABASE_NOTIFICATION_MONITOR 2580 (0xa14) SND: Dropped
E:\ConfigMgr\inboxes\HMAN.box\PS1.SCU [1027921]
Step 4: HMAN processes the site control file and processes all distribution points
HMAN wakes up to process the SCU file dropped by SMSDBMON, and then starts processing the site control
file. During this process, HMAN will look at all distribution points to determine if any DPs are new or changed.
4a : For the new DPs, HMAN detects that there is a new site system and inserts data in the DistributionPoints
table:
SMS_HIERARCHY_MANAGER 2448 (0x990) ~Processing site control file: Site PS1
SMS_HIERARCHY_MANAGER 2448 (0x990) New site system: PS1 PS1DP1.CONTOSO.COM SMS
Distribution Point
SMS_HIERARCHY_MANAGER 2448 (0x990) New site system: PS1 PS1DP1.CONTOSO.COM SMS Site System
SMS_HIERARCHY_MANAGER 2448 (0x990) ~Server Info of site PS1 has changed. Update the DPInfo table
in the database.
SMS_HIERARCHY_MANAGER 2448 (0x990) ~ Distribution Points of site PS1 have changed . Update
the DistributionPoints table in the database.
SMS_HIERARCHY_MANAGER 2448 (0x990) ~Inserted DP ["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\. CRC:439BCA34,PDP:0,PullDP:0
SMS_HIERARCHY_MANAGER 2448 (0x990) SQL>>>insert DistributionPoints ( ServerName, NALPath,
ShareName, SMSSiteCode, IsPullDP, IsPeerDP, IsBITS, PreStagingAllowed, IsMulticast, AnonymousEnabled,
TokenAuthEnabled, SslState, DPType, Priority, TransferRate, DPFlags, IsProtected, DPDrive, Type,
MinFreeSpace, IsPXE, IsActive, ResponseDelay, UdaSetting, BindPolicy, SupportUnknownMachines,
CertificateType, IdentityGUID, BindExcept, PXEPassword, Action, Account, Description, DPCRC ) values (
N'PS1DP1.CONTOSO.COM', N'["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\', N'', N'PS1', 0, 0, 0, 0, 0, 0, 0, 0, 0, 200, 0, 0, 1, N'', N'Windows
NT Server', 50, 0, 0, 0, 0, 0, 0, 0, N'23a72b6c-eace-4218-929c-4c80638c031e', N'', N'', 0, N'', N'PS1 Standard
DP', N'439BCA34' )
4b : In addition to inserting a new row for the DP in the DistributionPoints table, HMAN also distributes the
default client packages to the DP:
SMS_HIERARCHY_MANAGER 2448 (0x990) Loaded client upgrade settings from DB successfully.

FullClientPackageID=CS100002, StagingClientPackageID=CS100024, ClientUpgradePackageID=CS100003,
PilotingUpgradePackageID=CS100025, ClientUpgradeAdvertisementID=CS120000,
ClientPilotingAdvertisementID=(null)
SMS_HIERARCHY_MANAGER 2448 (0x990) INFO: Successfully added client package (ID=CS100002) to DP
["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\~
4c : HMAN updates the DP certificate (self-signed or PKI) information in the database by calling the
spUpdateDPCert stored procedure:
SMS_HIERARCHY_MANAGER 2448 (0x990) DP cert query: EXEC spUpdateDPCert

N'PS1DP1.CONTOSO.COM', N'23a72b6c-eace-4218-929c-4c80638c031e', ... ...
Note that for any distribution points that haven't changed, HMAN logs an entry:
SMS_HIERARCHY_MANAGER 2448 (0x990) ~Will not update DP

["Display=\\PS1SITE.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1SITE.CONTOSO.COM\.
DBCRC:13639BB,NewCRC:13639BB,Action:0,PDP:0,PullDP:0
["Display=\\PS1SQL.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1SQL.CONTOSO.COM\.
DBCRC:DB8F08DA,NewCRC:DB8F08DA,Action:0,PDP:0,PullDP:1
["Display=\\PS1SYS.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1SYS.CONTOSO.COM\.
DBCRC:B65C605F,NewCRC:B65C605F,Action:0,PDP:0,PullDP:0
NOTE
If HMAN encounters a failure trying to insert or update any of the DPs, the entire transaction is rolled back and none of
the DPs are processed. If this continues, you will see issues where DPs do not get installed or DP property changes do not
take effect.
Step 5: HMAN finishes processing the site control file and raises a status message
When HMAN finishes processing the site control file, it raises a status message with ID 3306 which means
Hierarchy Manager successfully processed E:\ConfigMgr\inboxes\hman.box\PS1.SCU , which in our example
represents the site control file for site ConfigMgr Primary Site 1 (PS1):
SMS_HIERARCHY_MANAGER 2448 (0x990) STATMSG: ID=3306 SEV=I LEV=M SOURCE="SMS Server"

COMP="SMS_HIERARCHY_MANAGER" SYS=PS1SITE.CONTOSO.COM SITE=PS1 PID=1956 TID=2448
GMTDATE=Wed May 11 18:33:34.813 2016 ISTR0="E:\ConfigMgr\inboxes\HMAN.box\PS1.SCU"
ISTR1="ConfigMgr Primary Site 1" ISTR2="PS1" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8=""
ISTR9="" NUMATTRS=0
Step 6: SMSDBMON detects a change in DistributionPoints table, and notifies DistMgr to install the DP
SMSDBMON detects a change in the DistributionPoints table (from step 4a) and instructs DistMgr to begin the
DP installation by dropping a < DPID >.INS file into the DistMgr.box folder:
SMS_DATABASE_NOTIFICATION_MONITOR RCV: INSERT on DistributionPoints for DistributionPoints_Ins [32

][1027928]
SMS_DATABASE_NOTIFICATION_MONITOR SND: Dropped E:\ConfigMgr\inboxes\distmgr.box\32.INS
[1027928]
In this example, 32 is the distribution point ID. You can find the DP name from the DPID by running the following
SQL query against the database:
SELECT * FROM DistributionPoints WHERE DPID = 32
Step 7: DistMgr wakes up to process the INS file and starts a DP upgrade worker thread to install the DP
DistMgr wakes up to process the .INS file that was dropped by SMSDBMON. DP installations and upgrades are
handled by the main DP upgrade processing thread. To perform the DP installation, the DP upgrade processing
thread uses a thread from the DP upgrade processing thread pool which is set to use a maximum of 50 threads
by default. In the following log entries, the main DP upgrade processing thread ID is 2860, which creates a new
worker thread with ID 4788 (0x12b4) for the DP installation:
SMS_DISTRIBUTION_MANAGER 2860 (0xb2c) DP upgrade processing thread: Upgrading DP with ID 32.

Thread 0x12b4. Used 1 threads out of 50.
Next, DP processing worker thread 4788 (0x12b4) starts the installation process for DPID 32, which is our new
DP:
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) ~Processing 32.INS

SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) ~DPID 32 - NAL Path
["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\ ,
ServerName = PS1DP1.CONTOSO.COM, DPDrive = , IsMulticast = 0, PXE = 0, RemoveWDS = 0
Step 8: DistMgr DP upgrade worker thread installs the DP
Here, DistMgr thread 4788 starts the actual DP installation where it completes the following:
Copies necessary files to the DP
Installs IIS (if specified during the installation wizard)
Installs MSXML and the Visual C++ Redistributable components
Installs the DP WMI Provider
Creates virtual directories and configures IIS
Updates the registry settings on the DP server
Installs the PXE Role (if configured)
Note that the log entries below are truncated to only show relevant information:
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) Installed ISAPI on PS1DP1.CONTOSO.COM, copied

E:\ConfigMgr\bin\x64\..\x64\smsfileisapi.dll to
\\PS1DP1.CONTOSO.COM\ADMIN$\system32\inetsrv\smsfileisapi.dll
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) ~Successfully created share SMS_DP$ on server
PS1DP1.CONTOSO.COM
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) ~OS version 6.3.9600: installed IIS on remote server
PS1DP1.CONTOSO.COM.
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) MSXML 6.0 is configured on DP PS1DP1.CONTOSO.COM
successfully
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) Run command 'C:\SMS_DP$\sms\bin\vcredist_x64.exe /q
/norestart /log "C:\SMS_DP$\sms\bin\vcredist.log"' to install VC redist
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) ~Successfully installed DP WMI provider on the remote
distribution point
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) Configure IIS virtual directories successfully on the
distribution point PS1DP1.CONTOSO.COM
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) ConfigureDP
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) DP registry settings have been successfully updated on
PS1DP1.CONTOSO.COM
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) ConfigurePXE
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) ~["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\ is a Pull DP
TIP
Once you reach step 8, it's a lot easier to monitor the installation progress by filtering the log for the worker thread ID
(4788 in this example).
Step 9 (optional): PXE Provider Role and Windows Deployment Services is installed on the DP (if enabled)
If the DP is enabled for PXE, PXE installation is initiated when ConfigurePXE is logged in DistMgr.log . At this
time, SMSDPProv.log on the distribution point will show the PXE/WDS installation progress:
CcmInstallPXE
Running: C:\SMS_DP$\sms\bin\vcredist_x64.exe /q /norestart /log "C:\SMS_DP$\sms\bin\vcredist.log"
Waiting for the completion of: C:\SMS_DP$\sms\bin\vcredist_x64.exe /q /norestart /log
"C:\SMS_DP$\sms\bin\vcredist.log"
Run completed for: C:\SMS_DP$\sms\bin\vcredist_x64.exe /q /norestart /log
Created the DP mutex key for WDS.
Finding Wimgapi.Dll
MsiEnumRelatedProducts failed
FindProduct failed; 0x80070103
Found C:\Windows\system32\wimgapi.dll
Wimgapi.dll is already installed.
Path to smsdp.dll is 'C:\SMS_DP$\sms\bin\smsdp.dll' 05-11-2016 14:36:57.000 PXE performance counters
have been initialized
Failed to open WDS service.
WDS is NOT INSTALLED
Installing WDS.
Running: ServerManagerCmd.exe -i WDS -a
Failed (2) to run: ServerManagerCmd.exe -i WDS -a
Running: PowerShell.exe -Command Import-Module ServerManager; Get-WindowsFeature WDS; Add-
WindowsFeature WDS
Waiting for the completion of: PowerShell.exe -Command Import-Module ServerManager; Get-
WindowsFeature WDS; Add-WindowsFeature WDS
Run completed for: PowerShell.exe -Command Import-Module ServerManager; Get-WindowsFeature WDS;
Add-WindowsFeature WDS
Successfully installed WDS.
Machine is running Windows Server. (NTVersion=0X603, ServicePack=0)
WDS is INSTALLED
Setting TFTP config key as: System\CurrentControlSet\Services\WDSSERVER\Providers\WDSTFTP
Configuring TFTP read filters
SetupComplete is set to 0
REMINST not set in WDS
WDS is NOT Configured
Share (REMINST) does not exist. (NetNameNotFound) (0x00000906)
GetFileSharePath failed; 0x80070906
REMINST share does not exist. Need to create it.
Enumerating drives A through Z for the NTFS drive with the most free space.
Drive 'C:' is the best drive for the SMS installation directory.
Creating REMINST share to point to: C:\RemoteInstall
Succesfully created share REMINST
Removing existing PXE related directories
Registering WDS provider: SourceDir: C:\SMS_DP$\sms\bin
Registering WDS provider: ProviderPath: C:\SMS_DP$\sms\bin\smspxe.dll
DoPxeProviderRegister 05-11-2016 14:37:10.000 PxeLoadWdsPxe
Loading wdspxe.dll from C:\Windows\system32\wdspxe.dll
wdspxe.dll is loaded
PxeProviderRegister has suceeded (0x00000000)
Disabling WDS/RIS functionality
Found privilege otifyPrivilege on service WDSServer
Found privilege SeRestorePrivilege on service WDSServer
Found privilege SeBackupPrivilege on service WDSServer
Found privilege SeSecurityPrivilege on service WDSServer
Privilege SeTakeOwnershipPrivilege NOT found service WDSServer
ChangeServiceConfig2 succeeded for WDSServer. Added privilege SeTakeOwnershipPrivilege
ChangeServiceConfig succeeded for WDSServer. StartType: 0x2
WDSServer status is 1
WDSServer is NOT STARTED
Failed to restart WDS service
Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
Waiting for the completion of: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
Run completed for: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
Machine is running Windows Server. (NTVersion=0X603, ServicePack=0)
ProcessBootImages failed; 0x80070003
CcmInstallPXE: Deleting the DP mutex key for WDS.
Installed PXE
Step 10: DP installation finishes successfully

Once the DP installation finishes successfully, the worker thread raises a status message with ID 2399 which
means 'Successfully completed the installation or upgrade of the distribution point on computer
<DPNALPath>':
SMS_DISTRIBUTION_MANAGER 4788 (0x12b4) STATMSG: ID=2399 SEV=I LEV=M SOURCE="SMS

Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=PS1SITE.CONTOSO.COM SITE=PS1 PID=1956
TID=4788 GMTDATE=Wed May 11 18:36:58.062 2016 ISTR0="
["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\"
ISTR1="PS1DP1.CONTOSO.COM" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8=""
ISTR9="" NUMATTRS=1 AID0=404 AVAL0="["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\"
Step 11 (for Pull DPs only): DistMgr upgrade processing thread instructs DP WMI Provider to install pull DP
by running pulldp.msi
If the DP is configured to be a pull DP, the DistMgr upgrade processing thread starts another DP upgrade worker
thread to perform the pull DP installation. This DP upgrade worker thread instructs the SMS DP Provider to run
pulldp.msi to install the pull DP.
SMS_DISTRIBUTION_MANAGER 2188 (0x88c) Upgrading PullDP with ID 33. Thread 0x9c0. Used 1 threads
out of 50.
SMS_DISTRIBUTION_MANAGER 2496 (0x9c0) ~DPID 33 - NAL Path
ServerName = PS1DP2.CONTOSO.COM, DPDrive = , IsMulticast = 0, PXE = 1, RemoveWDS = 0
SMS_DISTRIBUTION_MANAGER 2496 (0x9c0) ConfigurePullDP
SMS_DISTRIBUTION_MANAGER 2496 (0x9c0) ~NAL Path ["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
SMS_DISTRIBUTION_MANAGER 2496 (0x9c0) For server PS1DP2.CONTOSO.COM processor architecture is
x64~
SMS_DISTRIBUTION_MANAGER 2496 (0x9c0) File
'\\PS1DP2.CONTOSO.COM\SMS_DP$\sms\bin\pulldp.msi' is signed and trusted.
SMS_DISTRIBUTION_MANAGER 2496 (0x9c0) File
'\\PS1DP2.CONTOSO.COM\SMS_DP$\sms\bin\pulldp.msi' is signed with MS root cert.
SMS_DISTRIBUTION_MANAGER 2496 (0x9c0) Installing PullDP, check
\\PS1DP2.CONTOSO.COM\SMS_DP$\sms\logs\smsdpprov.log and
\\PS1DP2.CONTOSO.COM\SMS_DP$\sms\logs\pulldp_install.log
SMS_DISTRIBUTION_MANAGER 2496 (0x9c0) PullDP ["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\ is marked Installed
At this time, the SMSDPProv.log file on the pull DP will show that the installation of pull DP has been initiated:
2020 (0x7e4) Started process C:\SMS_DP$\sms\bin\vcredist_x64.exe /q /norestart /l

C:\SMS_DP$\sms\logs\vcredist.log
2020 (0x7e4) Run completed for: C:\SMS_DP$\sms\bin\vcredist_x64.exe /q /norestart /l
C:\SMS_DP$\sms\logs\vcredist.log
2020 (0x7e4) Started process msiexec.exe /quiet /i C:\SMS_DP$\sms\bin\pulldp.msi /log
C:\SMS_DP$\sms\logs\pulldp_install.log
When pull DP is installed on a server which has the ConfigMgr client installed, the command used for
installation is:
4744 (0x1288) Started process E:\SMS_DP$\sms\bin\ccmsetup.exe /autoupgrade /upgradetolatest

/postinstallmsi:"E:\SMS_DP$\sms\bin\pulldp.msi;E:\SMS_DP$\sms\logs\pulldp_install.log"
Pull DP installation progress can be reviewed and monitored by looking at the MSI log file pulldp_install.log .
DP upgrade
Distribution point upgrade involves the steps listed below. These steps cover a typical DP upgrade that is
initiated after upgrading a ConfigMgr 1511 site to ConfigMgr 1602. Note that the process is similar when
installing a service pack or cumulative update on various Configuration Manager 2012 versions.
Step 1: Upgrade results in a site reset, which reinstalls DistMgr component and drops resetdps.trn file in
DistMgr.box
After the site upgrade finishes successfully, a site reset is initiated to re-install all the Configuration Manager
components. As part of this process, Site Component Manager (SiteComp) reinstalls Distribution Manager and
while reinstalling DistMgr, it creates resetdps.trn file in DistMgr.box to instruct DistMgr to upgrade all the DPs.
SMS_SITE_COMPONENT_MANAGER 4364 (0x110c) Reinstalling component

SMS_DISTRIBUTION_MANAGER...
SMS_SITE_COMPONENT_MANAGER 4364 (0x110c) Updating DistributionPoints table
SMS_SITE_COMPONENT_MANAGER 4364 (0x110c) Creating
E:\ConfigMgr\inboxes\distmgr.box\resetdps.trn file.
Step 2: DistMgr starts upgrade of all the DPs after detecting the resetdps.trn file
DistMgr starts up after reinstallation and detects the resetdps.trn file:
SMS_DISTRIBUTION_MANAGER 3048 (0xbe8) SMS_EXECUTIVE started SMS_DISTRIBUTION_MANAGER as

thread ID 4984 (0x1378).
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) Found file resetdps.trn, will upgrade all the Distribution
Points
Step 3: DistMgr upgrade processing thread starts DP upgrade worker threads to perform the DP upgrade
DistMgr upgrade processing thread starts and starts DP upgrade worker threads to upgrade all the DPs. Each of
these worker threads work simultaneously and upgrade multiple DPs at once. For DP upgrade processing, we
can start up to 50 threads by default, however this is a configurable site control value and is governed by the
DPUpgradeThreadLimit property for SMS_DISTRIBUTION_MANAGER component.
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) ~Starting the DP upgrade processing thread, thread ID =

0x7C (124)
SMS_DISTRIBUTION_MANAGER 124 (0x7c) DP upgrade processing thread: Started, will perform any
pending work then will wait for additional work.
SMS_DISTRIBUTION_MANAGER 124 (0x7c) DP upgrade processing thread: Upgrading DP with ID 1. Thread
0x13d0. Used 1 threads out of 50.
SMS_DISTRIBUTION_MANAGER 124 (0x7c) DP upgrade processing thread: Upgrading DP with ID 5. Thread
0x8c8. Used 2 threads out of 50.
SMS_DISTRIBUTION_MANAGER 124 (0x7c) DP upgrade processing thread: Upgrading DP with ID 14.
Thread 0x100c. Used 3 threads out of 50.
Each individual DP upgrade worker thread starts upgrading a distribution point. In this example, we will focus
on thread 2248 (0x8c8) which is going to upgrade DP with DPID 5:
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) ~Processing 5.INS

SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) ~DPID 5 - NAL Path
["Display=\\PS1SYS.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1SYS.CONTOSO.COM\ ,
ServerName = PS1SYS.CONTOSO.COM, DPDrive = , IsMulticast = 0, PXE = 1, RemoveWDS = 0
Step 4: DP upgrade worker thread performs the DP Upgrade

DP upgrade worker thread performs the upgrade of the DP. This process is identical to the DP installation
process step 8.
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) Installed ISAPI on PS1SYS.CONTOSO.COM, copied

E:\ConfigMgr\bin\x64\..\x64\smsfileisapi.dll to
\\PS1SYS.CONTOSO.COM\ADMIN$\system32\inetsrv\smsfileisapi.dll
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) DP share SMS_DP$ already exist on the remote DP~
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) Install Internet server= 2
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) Skipping OS configuration for distribution point
["Display=\\PS1SYS.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1SYS.CONTOSO.COM\. You should
install and configure IIS manually. Please ensure RDC is also enabled.
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) MSXML 6.0 is configured on DP PS1SYS.CONTOSO.COM
successfully
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) Run command 'C:\SMS_DP$\sms\bin\vcredist_x64.exe /q
/norestart /log "C:\SMS_DP$\sms\bin\vcredist.log"' to install VC redist
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) ~Successfully installed DP WMI provider on the remote
distribution point
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) Configure IIS virtual directories successfully on the
distribution point PS1SYS.CONTOSO.COM
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) ConfigureDP
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) DP registry settings have been successfully updated on
PS1SYS.CONTOSO.COM
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) ConfigurePXE
Step 5: DP upgrade worker threads resets the pull DP installation state

DP upgrade worker thread resets the installation state for the pull DP so that it can be updated. Note that this is
logged even for Standard DPs but isn't relevant for standard DPs.
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) PullDP ["Display=\\PS1SYS.CONTOSO.COM\"]MSWNET:

["SMS_SITE=PS1"]\\PS1SYS.CONTOSO.COM\ is marked Uninstalled
Step 6: DP Upgrade finishes successfully

Once the DP installation finishes successfully, the worker thread raises a status message with ID 2399 which
means 'Successfully completed the installation or upgrade of the distribution point on computer
<DPNALPath>'.
SMS_DISTRIBUTION_MANAGER 2248 (0x8c8) STATMSG: ID=2399 SEV=I LEV=M SOURCE="SMS Server"

COMP="SMS_DISTRIBUTION_MANAGER" SYS=PS1SITE.CONTOSO.COM SITE=PS1 PID=3444 TID=2248
GMTDATE=Fri Apr 08 22:31:56.637 2016 ISTR0="["Display=\\PS1SYS.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1SYS.CONTOSO.COM\" ISTR1="PS1SYS.CONTOSO.COM" ISTR2="" ISTR3=""
ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=404 AVAL0="
["Display=\\PS1SYS.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1SYS.CONTOSO.COM\"
Step 7(Pull DPs only): DP worker thread starts instructs DP WMI Provider to upgrade the pull DP
After the pull DP is marked uninstalled, DP upgrade worker thread instructs DP WMI Provider to perform the
pull DP upgrade.
SMS_DISTRIBUTION_MANAGER 2032 (0x7f0) ConfigurePullDP

SMS_DISTRIBUTION_MANAGER 2032 (0x7f0) ~NAL Path ["Display=\\PS1SYS.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1SYS.CONTOSO.COM\ is a Pull DP
SMS_DISTRIBUTION_MANAGER 2032 (0x7f0) For server PS1SYS.CONTOSO.COM processor architecture is
x64~
SMS_DISTRIBUTION_MANAGER 2032 (0x7f0) File
'\\PS1SYS.CONTOSO.COM\SMS_DP$\sms\bin\pulldp.msi' is signed and trusted.
SMS_DISTRIBUTION_MANAGER 2032 (0x7f0) File
'\\PS1SYS.CONTOSO.COM\SMS_DP$\sms\bin\pulldp.msi' is signed with MS root cert.
SMS_DISTRIBUTION_MANAGER 2032 (0x7f0) Installing PullDP, check
\\PS1SYS.CONTOSO.COM\SMS_DP$\sms\logs\smsdpprov.log and
\\PS1SYS.CONTOSO.COM\SMS_DP$\sms\logs\pulldp_install.log
SMS_DISTRIBUTION_MANAGER 2032 (0x7f0) PullDP ["Display=\\PS1SYS.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1SYS.CONTOSO.COM\ is marked Installed
At this time, the SMSDPProv.log on the pull DP will show that the installation of pull DP has been initiated:
2920 (0xb68) Started process F:\SMS_DP$\sms\bin\vcredist_x64.exe /q /norestart /l

F:\SMS_DP$\sms\logs\vcredist.log
2920 (0xb68) Run completed for: F:\SMS_DP$\sms\bin\vcredist_x64.exe /q /norestart /l
F:\SMS_DP$\sms\logs\vcredist.log
2920 (0xb68) Started process msiexec.exe /quiet /i F:\SMS_DP$\sms\bin\pulldp.msi /log
F:\SMS_DP$\sms\logs\pulldp_install.log
When pull DP is installed on a server which has the ConfigMgr client installed, the command used for
installation is:
4744 (0x1288) Started process E:\SMS_DP$\sms\bin\ccmsetup.exe /autoupgrade /upgradetolatest

/postinstallmsi:"E:\SMS_DP$\sms\bin\pulldp.msi;E:\SMS_DP$\sms\logs\pulldp_install.log"
Pull DP installation progress can be reviewed and monitored by looking at the MSI log file pulldp_install.log .
DP change
The following steps explain what happens when you change properties of a DP in the console. These steps cover
a scenario where DP description was modified in the DP Proper ties > General tab from PS1 Standard DP to
PS1 Standard DP - TestPropertyChange1.
Step 1: Admin console changes the instance of SMS_SCI_SysResUse WMI class for the modified DP
After the administrator modifies the DP properties, admin console updates the instance of the
SMS_SCI_SysResUse WMI class within the SMS Provider namespace for the modified DP. SMSProv.log shows:
SMS Provider 4460 (0x116c) PutInstanceAsync SMS_SCI_SysResUse~

SMS Provider 4460 (0x116c) CExtProviderClassObject::DoPutInstanceInstance~
SMS Provider 4460 (0x116c) INFO: 'PS1DP1.CONTOSO.COM' is a valid FQDN.
SMS Provider 4460 (0x116c) Auditing: User CONTOSO\Admin modified an instance of class
SMS_SCI_SysResUse.~
When this WMI instance is modified, SMS Provider also updates the database:
update vSMS_SC_SysResUse_Properties set ID = 72057594037928006, Name = N'Description', Value1 = N'PS1

Standard DP - TestPropertyChange1', Value2 = N'', Value3 = 0 where ID = 72057594037928006 and Name =
N'Description'
Step 2: SMSDBMON detects the site control change and notifies HMAN to process the site control file
SMSDBMON detects a change to the site control file related tables (step 1). On receiving (denoted as RCV in the
log) a change, SMSDBMON takes appropriate action and notifies appropriate components by dropping/sending
(denoted as SND in the log) files in the component inbox. In this case, SMSDBMON notifies HMAN to process
the site control file for changes.
SMS_DATABASE_NOTIFICATION_MONITOR 3120 (0xc30) RCV: UPDATE on Sites for Sites_AddUpd_HMAN

[PS1 ][1031575]
SMS_DATABASE_NOTIFICATION_MONITOR 3120 (0xc30) SND: Dropped
E:\ConfigMgr\inboxes\hman.box\PS1.SSU [1031575]
Step 3: HMAN processes the site control file and processes all DPs
HMAN wakes up to process the SCU file dropped by SMSDBMON, and starts processing the site control file.
During this process, HMAN will look at all distribution points and determine if any DPs are new or changed. For
more details on this step, see step 4 in DP installation.

SMS_HIERARCHY_MANAGER 4912 (0x1330) ~Server Info of site PS1 has not changed.HMAN will not
update the DPInfo table in the database.
SMS_HIERARCHY_MANAGER 4912 (0x1330) ~Distribution Points of site PS1 have changed. Update the
DistributionPoints table in the database.
SMS_HIERARCHY_MANAGER 4912 (0x1330) ~Updated DP
["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\.
DBCRC:151AC30,NewCRC:5EAEB9DF,Action:0,PDP:0,PullDP:0
SMS_HIERARCHY_MANAGER 4912 (0x1330) SQL>>>update DistributionPoints set IsPullDP = 0, IsPeerDP =
0, SMSSiteCode = 'PS1', IsBITS = 0, PreStagingAllowed = 0, IsMulticast = 0, AnonymousEnabled = 0,
TokenAuthEnabled = 0, SslState = 0, DPType = 0, Priority = 200, TransferRate = 3972, DPFlags = 0,
IsProtected = 1, MinFreeSpace = 50, DPDrive = N'', IsPXE = 0, IsActive = 0, ResponseDelay = 0, UdaSetting =
0, BindPolicy = 0, SupportUnknownMachines = 0, CertificateType = 0, IdentityGUID = N'23a72b6c-eace-
4218-929c-4c80638c031e', BindExcept = N'', PXEPassword = N'', Account = N'', Description = N'PS1
Standard DP - TestPropertyChange1', DPCRC = N'5EAEB9DF', Action = 0 where NALPath =
N'["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\' ~
SMS_HIERARCHY_MANAGER 4912 (0x1330) DP cert query: EXEC spUpdateDPCert
N'PS1DP1.CONTOSO.COM', N'23a72b6c-eace-4218-929c-4c80638c031e', …
["Display=\\PS1SITE.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1SITE.CONTOSO.COM\.
DBCRC:13639BB,NewCRC:13639BB,Action:0,PDP:0,PullDP:0
["Display=\\PS1SQL.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1SQL.CONTOSO.COM\.
DBCRC:DB8F08DA,NewCRC:DB8F08DA,Action:0,PDP:0,PullDP:1
["Display=\\PS1SYS.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1SYS.CONTOSO.COM\.
DBCRC:D9EAF006,NewCRC:D9EAF006,Action:0,PDP:0,PullDP:0
NOTE
If HMAN encounters a failure trying to insert or update any of the DPs, the entire transaction is rolled back and none of
the DPs gets processed. If this continues, you would see issues where DPs do not get installed, or DP property changes
do not take effect.
Step 4: HMAN finishes processing the site control file

When HMAN finishes the site control file processing, it raises a status message with ID 3306 which means
'Hierarchy Manager successfully processed E:\ConfigMgr\inboxes\hman.box\PS1.SCU ', which represented the site
control file for site ConfigMgr Primary Site 1 (PS1).

GMTDATE=Fri May 13 16:41:55.881 2016 ISTR0="E:\ConfigMgr\inboxes\hman.box\PS1.SCU"
ISTR9="" NUMATTRS=0
DP removal
The following steps explain what happens after you remove the Distribution Point role for a site system from the
console:
Step 1: Admin console deletes the instance of SMS_SCI_SysResUse WMI class for the deleted DP
After the administrator removes the Distribution Point role, admin console deletes the instance of the
SMS_SCI_SysResUse WMI class within the SMS Provider namespace for the deleted DP. SMSProv.log shows:
SMS Provider 3652 (0xe44) DeleteInstanceAsync SMS_SCI_SysResUse.FileType=2,ItemName="

["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\,SMS
Distribution Point",ItemType="System Resource Usage",SiteCode="PS1"~
SMS Provider 3652 (0xe44) Requested class =SMS_SCI_SysResUse~
SMS Provider 3652 (0xe44) CExtProviderClassObject::DoDeleteInstance~
SMS Provider 3652 (0xe44) Auditing: User CONTOSO\Admin deleted an instance of class
SMS_SCI_SysResUse.~
When this WMI instance is modified, SMS Provider also deletes the DP from the database:
delete vSMS_SC_SysResUse from vSMS_SC_SysResUse where SiteNumber = 1 and RoleName = N'SMS Distribution
Point' and NALPath = N'["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\'
Step 2: SMSDBMON detects the Site Control change and notifies HMAN to process the site control file
SMSDBMON detects a change to the site control file related tables (step 1). On receiving (denoted as RCV in the
log) a change, SMSDBMON takes appropriate action and notifies appropriate components by dropping/sending
(denoted as SND in the log) files in the component inbox. In this case, SMSDBMON notifies HMAN to process
the site control file for changes.
SMS_DATABASE_NOTIFICATION_MONITOR 3120 (0xc30) RCV: UPDATE on SiteControl for

SiteControl_AddUpd_HMAN [PS1 ][1031673]
E:\ConfigMgr\inboxes\hman.box\PS1.SCU [1031673]
Step 3: HMAN processes the site control file and marks the DP as deleted in DistributionPoints table
HMAN wakes up to process the SCU file dropped by SMSDBMON, and starts processing the site control file.
During this process, HMAN detects that the DP role was removed and marks the DP as Deleted (Action = 3) in
the DistributionPoints table, in addition to removing the DP from the SysResList table. HMAN also inserts a
row in the DPNotification table, in order to provide a DP change notification to SMSDBMON.

SMS_HIERARCHY_MANAGER 4912 (0x1330) Site system no longer in use: PS1 PS1DP2.CONTOSO.COM
SMS Distribution Point
SMS_HIERARCHY_MANAGER 4912 (0x1330) SQL>>> DELETE FROM SysResList WHERE SiteCode=N'PS1'
AND RoleName=N'SMS Distribution Point' AND
NALPath=N'["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\'
SMS_HIERARCHY_MANAGER 4912 (0x1330) ~Distribution Points of site PS1 have changed. Update the
DistributionPoints table in the database.
SMS_HIERARCHY_MANAGER 4912 (0x1330) SQL>>>update DistributionPoints set Action = 3, State = 0
where DPID = 34
SMS_HIERARCHY_MANAGER 4912 (0x1330) SQL>>>delete vSMS_SC_Address from vSMS_SC_Address
where SiteNumber = 1 and DestinationSiteCode = N'PS1DP2.CONTOSO.COM' and AddressType =
N'MS_LAN'~
SMS_HIERARCHY_MANAGER 4912 (0x1330) SQL>>>insert DPNotification (DPID, TimeKey) values (34,
GetDate())
NOTE
If HMAN encounters a failure trying to insert/update any of the DPs, the entire transaction is rolled back and none of the
DPs gets processed. If this continues, you would see issues where DPs do not get installed, or DP property changes do
not take effect.
When HMAN finishes the site control file processing, it raises status message with ID 3306:

GMTDATE=Fri May 13 17:43:17.607 2016 ISTR0="E:\ConfigMgr\inboxes\hman.box\PS1.SCU"
ISTR9="" NUMATTRS=0
Step 4: SMSDBMON notifies DistMgr that a DP has changed for required processing by dropping a DPN file
SMSDBMON detects the change in the DPNotification table and instructs DistMgr to process the DP change by
dropping a <DPID>.DPN file.
SMS_DATABASE_NOTIFICATION_MONITOR 3120 (0xc30) RCV: INSERT on DPNotification for DPNotify_ADD

[34 ][1031679]
E:\ConfigMgr\inboxes\distmgr.box\34.DPN [1031679]
Step 5: DistMgr uses the DP Manager thread to uninstall the DP

DistMgr uses the DP Manager thread to process the DP change notification and starts uninstallation of the DP.
DP Manager thread is single-threaded, so if multiple DPs are removed, DistMgr will remove them one at a time.
DP removal consists of the following steps:
Removal of DP from the database, except DistributionPoints table
Removal of PXE role (if needed)
Removal of Monitoring and Usage Scheduled tasks
Removal of PDP (if needed)
Removal of DP WMI Provider
Removal of DP files: SMS_DP$, SCCMContentLib$ and SMSDIG$ shares
This can take a long time if there's a lot of content in content library.
Removal of DP virtual directories from IIS
Removal of DP registry from the DP
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) ~Created policy provider trigger for ID 34

SMS_DISTRIBUTION_MANAGER 3848 (0xf08) ConfigurePXE
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) ~["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\ is NOT a Pull DP
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Uninstalling distribution point files from server
PS1DP2.CONTOSO.COM~
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Deleting DP provider classes from server
["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Deleted provider classes on distribution point
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Uninstalling distribution point files from server
PS1DP2.CONTOSO.COM~
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) ~Uninstalling DP provider from remote distribution point.
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Unregistering DPProvider on server PS1DP2.CONTOSO.COM.
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Removed share SMS_DP$ from server
PS1DP2.CONTOSO.COM
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Failed to remove SMS_DP$ directory with error 5, will try to
unload distribution point provider and try again.
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Successfully unloaded provider SMSDPProvider -
root\SCCMDP
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Waiting for provider to be released by COM. Timeout is 300
seconds.
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Successfully removed SMS_DP$ directory.
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Removed share SCCMContentLib$ from server
PS1DP2.CONTOSO.COM
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Removed share SMSSIG$ from server
PS1DP2.CONTOSO.COM
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) ~Completed uninstalling distribution on the remote
distribution point
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Deleting DP registry on NAL Path =
ServerName = PS1DP2.CONTOSO.COM
5a : (Pull DPs only) If the DP being removed is a pull DP, DistMgr detects that and initiates removal of the pull DP
component as well.
SMS_DISTRIBUTION_MANAGER 3848 (0xf08) ~NAL Path ["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:

SMS_DISTRIBUTION_MANAGER 3848 (0xf08) Uninstalling PullDP, check
\\PS1DP2.CONTOSO.COM\SMS_DP$\sms\logs\smsdpprov.log and
\\PS1DP2.CONTOSO.COM\SMS_DP$\sms\logs\pulldp_install.log
Finally, the DP is removed from the DistributionPoints table.

Content library in Configuration Manager
The content library is a new concept that was introduced in System Center 2012 Configuration Manager. In a
nut-shell, the content library stores all of the Configuration Manager content efficiently on the disk. The content
library optimizes disk storage to avoid redistributing a file that already exists on the distribution points.
For more information, see Understanding the Configuration Manager Content Library.
Content Library Explorer

The Content Library Explorer is included in the Configuration Manager Tools. It allows for exploration of the
content library on a specific distribution point. This tool can be used to troubleshoot issues with the content
library, as well as explore its contents. Using the tool, packages, contents, folders, and files can all be copied out
of the content library. Packages can be redistributed to the distribution point, and on remote distribution points,
packages can be validated.
Usage
ContentLibrar yExplorer.exe must be run using an account that has administrative access to the target
distribution point, and access to the WMI provider on the site server and the Configuration Manager provider. In
particular, only the RBAC roles Full Administrator and Read-Only Analyst have sufficient rights to view all
information from this tool. Other roles, such as Application Administrator , can view partial information (see
note below on disabled packages). The Read-Only Analyst can't redistribute packages from this tool.
The tool can be run from any machine, as long as it can connect to the distribution point, the primary site server,
and the Configuration Manager provider. If the distribution point is colocated with the site server, it is still
necessary to have administrative access to the site server.
When the application is started, you must enter in the fully qualified domain name (FQDN) of the target
distribution point. The application then connects to the distribution point. If the distribution point is part of a
secondary site, you will also be prompted for the FQDN of the primary site server, and the primary site code.
In the left pane, the packages distributed to this distribution point are visible. They can be expanded, and their
folder structure explored. This will match the folder structure from which the package was created. When a
folder is selected, if it contains any files, these will be listed in the right pane. Information is provided about file
name, file size, the drive it's present on, other packages that use the same file on the drive, and when the file was
last changed on the distribution point.
The application also connects to the Configuration Manager provider machine, in order to determine which
packages are distributed to the distribution point, whether or not they are actually in the distribution point's
content library. For instance, a package that is pending distribution may not yet exist in the content library. Such
a package would appear as PENDING in the tool, and no actions will be enabled for this package.
Disabled packages : Some packages are present on the distribution point but not visible in the Configuration
Manager console. These packages are marked with an asterisk (*). No actions may be done on these packages.
Other packages may also be marked with an asterisk and have actions disabled. Three primary reasons for
which might occur:
The package is the Configuration Manager client upgrade package. This would contain ccmsetup.exe .
The package is not accessible by the running user's RBAC rights. For instance, the Application Author role
cannot see driver packages in the console, so any driver packages on the distribution point will be marked.
The package is orphaned on the distribution point.
Packages can be validated by using Package > Validate on the tool strip. A package node must be selected in
the left pane, not a content or folder. The tool connects to the WMI provider on the distribution point to do this.
When the tool starts, packages that are missing one or more contents will be marked invalid. Validating the
package will reveal which contents are missing. If all contents are present but the data is corrupted, validation
will detect the corruption.
Additionally, packages can be redistributed using Package > Redistribute on the tool strip. Again, a package
node must be selected in the left pane. This requires permission to redistribute packages.
Using Edit > Copy , packages, contents, folders, and files can be copied out of the content library to a specified
folder. The content library itself can't be copied. Multiple files can be selected (using Ctrl + click or Shift + click),
but multiple folders can't.
Packages can be searched using Edit > Find Package . This will search for your query in the package name and
package ID.
Limitations
The tool cannot manipulate the content library directly in any way. Changes to the content library may result
in malfunctions.
The tool can redistribute packages, but only to the target distribution point.
When the distribution point is colocated with the site server, package data cannot be validated. Use the
Configuration Manager console. (It will still inspect to make sure that all the package contents are present,
though not necessarily intact).
Content cannot be deleted using this tool.
Content Library Transfer tool

The Content Library Transfer tool transfers content from one disk drive to another. It is designed to run on
distribution point site systems. The tool supports distribution points colocated with a site or they can be remote.
The tool is useful for the scenario when the disk drive hosting the content library becomes full. After a hard disk
is installed (or identified) with sufficient space to host the content library, ContentLibrar yTransfer.exe is used
transfer content from the old filled hard disk to the new (empty) drive.
Once the transfer is complete, content is now accessible to client computers from the new location without
admin intervention.
Usage
ContentLibrar yTransfer.exe must be run as using an account that has administrative permissions on the
distribution point site system.
Syntax
ContentLibraryTransfer.exe -SourceDrive <drive letter of source drive> -TargetDrive <drive letter of
destination drive>
Example
ContentLibraryTransfer -SourceDrive E -TargetDrive G
Limitations
The tool must run locally on the distribution point; it cannot be run from a remote machine.
The tool must run only when the distribution point is not actively being accessed by client computers. If the
tool is run while client computers are accessing the content, the content library on the destination drive may
have incomplete data or the data transfer might fail altogether leading to an unusable content library.
The tool must only run when no content is being distributed to the distribution point. If the tool is run while
content is being written to the distribution point, the content library on the destination drive may have
incomplete data or the data transfer might fail altogether leading to an unusable content library.
This article helps you understand package actions in content distribution.

Introduction
Package actions in content distribution are divided into the following:
Distribute
The first major action pertaining to content distribution is the Distribute action. This refers to the initial
distribution of a package to a distribution point. This is triggered by the Distribute Content wizard in the
Configuration Manager console. This will transfer all files in a package to the target distribution points,
excluding those which are already present in the content library of the DP as part of another package. If
the package contains any files that are already in the content library on the distribution point, those files
are shared between multiple packages.
Update
The second major action is the Update action. This is typically used when a package has been changed
and all distribution points to which it is distributed need the updated content. This is triggered with
Update Distribution Points action in the console. This will transfer the changed files to all distribution
points. Unchanged files will not be transferred. If a file is removed from the package in the updated
version, it will be deleted from the package on the distribution point (as long as no other packages that
share the file are on the DP).
Redistribute
The third major action is the Redistribute action, triggered with Redistribute in the Configuration
Manager console. This will transfer the entire content to a specific distribution point. Files will be
transferred and overwritten even if they are already present in the content library on the distribution
point. The primary purpose of the Redistribute action is to correct any inconsistencies that may exist in
the content library.
Create a package
The following steps explain the flow of events when you create a new package from the administrator console
that hasn't been distributed to any DPs yet:
Step 1: Admin console creates an instance of the SMS_PackageWMI class
After the administrator creates the package in the console, admin console creates an instance of the
SMS_Package WMI class within the SMS Provider namespace for the newly created package. SMSProv.log
shows the following:
SMS Provider 4680 (0x1248) CExtProviderClassObject::DoPutInstanceInstance~

SMS Provider 4680 (0x1248) Auditing: User CONTOSO\Admin created an instance of class SMS_Package.~
SMS Provider 816 (0x330) Processed insert instance notification for:
SMS_Package.PackageID="PackageID"~
When this WMI instance is created, SMS Provider inserts a row in the SMSPackages view in the database:
insert SMSPackages (PkgID, Name, Version, Language, Manufacturer, Description, ISVString, Hash, NewHash,
Source, SourceSite, StoredPkgPath, RefreshSchedule, LastRefresh, StoredPkgVersion, ShareName,
PreferredAddress, StorePkgFlag, ShareType, HashVersion,Architecture, ImagePath,Permission,
UseForcedDisconnect, ForcedRetryDelay, DisconnectDelay, IgnoreSchedule, Priority, PkgFlags, MIFFilename,
MIFPublisher, MIFName, MIFVersion, SourceVersion, SourceDate, SourceSize, SourceCompSize, ImageFlags,
PackageType, AlternateContentProviders, SourceLocaleID, TransformReadiness, TransformAnalysisDate,
UpdateMask, UpdateMaskEx, Action, DefaultImage) values (N'PackageID', N'Dummy1', N'',
N'',N'',N'',N'',N'',N'',N'\\CS1SITE\SOURCE\Packages\Dummy1',N'CS1',N'',N'',N'04/10/1970 06:35:00', 0,
N'',N'', 2, 1, 1, N'', N'', 15, 0, 2, 5, 0, 2, 16777216, N'',N'',N'',N'', 1, N'05/16/2016 15:22:12', 0, 0,
0, 0, N'', 1033, 0, N'1980/01/01 00:00:00', 0, 0, 2, 0)
After the row is inserted, a trigger on the view inserts a row in SMSPackages_G and SMS_Packages_L tables. This
in turn causes a trigger on the SMSPackages_G table to insert a row in PkgNotification table. The row in the
PkgNotification table is used to notify DistMgr to process the package, and this notification is provided to
DistMgr by the SMSDBMON component.
insert PkgNotification (PkgID, Priority, Type, TimeKey) values (N'PackageID', 2, 2, GetDate())
Step 2: SMSDBMON detects a change and notifies DistMgr to process the package by dropping a
<PackageID>.PKN file
SMSDBMON detects a change in the PkgNotification table, which causes it to drop a < PackageID >.PKN file
in DistMgr.box to instruct DistMgr to process the package:
SMS_DATABASE_NOTIFICATION_MONITOR 3240 (0xca8) RCV: INSERT on PkgNotification for PkgNotify_Add

[<PackageID>][850902]
SMS_DATABASE_NOTIFICATION_MONITOR 3240 (0xca8) SND: Dropped E:\ConfigMgr\inboxes\distmgr.box\
<PackageID>.PKN [850902]
Step 3: DistMgr processes the package on the package source site

DistMgr processes the package after detecting the PKN file in DistMgr.box . DistMgr processing is performed by
multiple threads.
1. The main DistMgr thread creates a package processing thread.
Main DistMgr thread wakes up, adds the package to the package processing queue and creates a package
processing thread to process the package:
SMS_DISTRIBUTION_MANAGER 2624 (0xa40) Found package properties updated notification for

package 'PackageID'
SMS_DISTRIBUTION_MANAGER 2624 (0xa40) Adding package 'PackageID' to package processing
queue.
SMS_DISTRIBUTION_MANAGER 2624 (0xa40) ~Currently using 0 out of 3 allowed package
processing threads.
SMS_DISTRIBUTION_MANAGER 2624 (0xa40) ~Started package processing thread for package
'PackageID', thread ID = 0x16A8 (5800)
2. The package processing thread creates a package snapshot and writes content in the content library.
The package processing thread (thread ID 5800 in this case) starts processing the package and creates a
package snapshot. After creating the package snapshot, this thread also writes the package content to the
content library on the site server.
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) STATMSG: ID=2300 SEV=I LEV=M SOURCE="SMS
Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=CS1SITE.CONTOSO.COM SITE=CS1
PID=1904 TID=5800 GMTDATE=Mon May 16 14:33:55.691 2016 ISTR0="Dummy1" ISTR1="
<PackageID>" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9=""
NUMATTRS=1 AID0=400 AVAL0="<PackageID>"
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) ~Processing package <PackageID>
(SourceVersion:1;StoredVersion:0)
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) Start adding package <PackageID>...
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) ~The Package Action is 2, the Update Mask is 0 and
UpdateMaskEx is 0.
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) ~CDistributionSrcSQL::UpdateAvailableVersion
PackageID=<PackageID>, Version=1, Status=2300
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) Taking package snapshot for package <PackageID>
from source \\CS1SITE\SOURCE\Packages\Dummy1
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) The size of package <PackageID>, version 1 is
204800 KBytes
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) Writing package definition for <PackageID>
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) ~Successfully created RDC signatures for package
PackageID version 1
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) Creating hash for algorithm 32780
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) The hash for algorithm 32780 is <HashString>
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) The RDC signature hash for algorithm 32780 is
<HashString>
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) ~Adding these contents to the package PackageID
version 1.
PID=1904 TID=5800 GMTDATE=Mon May 16 14:34:04.611 2016 ISTR0="<PackageID>" ISTR1=""
ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1
AID0=400 AVAL0="<PackageID>"
3. The package processing thread replicates the package to other sites.

The package processing thread then replicates the package to the other sites in the hierarchy. Package
metadata information is replicated to other sites via database replication, while package files are
replicated using file replication. However, package files are only sent to a site if at least one DP in that site
is added to the package. Package files are compressed before they are sent to another site. In this case,
since no DPs are targeted, only package metadata is replicated to other sites but package files are not
replicated.
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) ~Package <PackageID> does not have a preferred

sender.
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) A program for package <PackageID> has been
added or removed, therefore it needs to be replicated to all child sites.
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) Package <PackageID> is new or has changed,
replicating to all applicable sites.
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) ~CDistributionSrcSQL::UpdateAvailableVersion
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) ~StoredPkgVersion (1) of package <PackageID>.
StoredPkgVersion in database is 1.
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) ~SourceVersion (1) of package <PackageID>.
SourceVersion in database is 1.
SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) ~Adding these contents to the package <PackageID>
version 1.
4. The package processing thread exits.

The package processing thread exits after the package processing is complete and raises a status
message with ID 2301 which means 'Distribution Manager successfully processed package
<PACKAGENAME> (package ID = <PKGID>).'

SMS_DISTRIBUTION_MANAGER 5800 (0x16a8) ~Exiting package processing thread for package
<PackageID>.
Step 4: (If applicable ) DRS replicates the package to other sites

If there are other sites in the hierarchy, package metadata information is replicated to other sites via database
replication. After the package information is replicated, a row in the SMSPackages_G table is inserted which
triggers an insert in the PkgNotification table.
Step 5: (If applicable) SMSDBMON on the receiving site notifies DistMgr by dropping a <PackageID>.PKN file
On the receiving site, SMSDBMON detects a change in the PkgNotification table which causes it to drop a
< PackageID >.PKN file in DistMgr.box to instruct DistMgr to process the package:
SMS_DATABASE_NOTIFICATION_MONITOR 3120 (0xc30) RCV: INSERT on PkgNotification for

PkgNotify_Add [<PackageID> ][1035019]
SMS_DATABASE_NOTIFICATION_MONITOR 3120 (0xc30) SND: Dropped E:\ConfigMgr\inboxes\distmgr.box\
Step 6: (If applicable ) DistMgr on the receiving site processes the package
On the receiving site, after receiving the .PKN file, DistMgr wakes up to process the package.
The main DistMgr thread adds the package to the package processing queue and creates a package
processing thread:
SMS_DISTRIBUTION_MANAGER 3648 (0xe40) Found package properties updated notification for

package '<PackageID>'
SMS_DISTRIBUTION_MANAGER 3648 (0xe40) Adding package '<PackageID>' to package processing
queue.
SMS_DISTRIBUTION_MANAGER 3648 (0xe40) ~Currently using 0 out of 3 allowed package
processing threads.
SMS_DISTRIBUTION_MANAGER 3648 (0xe40) ~Started package processing thread for package
'<PackageID>', thread ID = 0x1378 (4984)
2. The package processing thread processes the package.

In this case, there's nothing for this thread to do since no DPs have been targeted.
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) STATMSG: ID=2300 SEV=I LEV=M SOURCE="SMS

Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=PS1SITE.CONTOSO.COM SITE=PS1
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) ~Processing package <PackageID>
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) Start adding package <PackageID>...
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) ~The Package Action is 2, the Update Mask is 0 and
UpdateMaskEx is 0.
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) ~Successfully created/updated the package
<PackageID>
PID=4224 TID=4984 GMTDATE=Mon May 16 14:36:09.486 2016 ISTR0="PackageID" ISTR1=""
AID0=400 AVAL0="<PackageID>"
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) ~Created policy provider trigger for ID <PackageID>
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) ~Package <PackageID> does not have a preferred
sender.
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) ~CDistributionSrcSQL::UpdateAvailableVersion
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) ~StoredPkgVersion (0) of package <PackageID>.
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) ~SourceVersion (1) of package <PackageID>.
SMS_DISTRIBUTION_MANAGER 4984 (0x1378) ~Exiting package processing thread for package
<PackageID>.
Distribute a package to DP across sites

The following steps outline the flow of events when a package is distributed to a DP in the primary site but the
primary site server in question does not contain a copy of this package in the content library. This package was
created on the central administration site and as a result, the central administration site is the package source
site:
On the package source site
Step 1: The admin console adds the DP to the package by calling the AddDistributionPoints method on the SMS_PackageWMI class
After the administrator distributes the package to a DP from the console, the admin console calls the
AddDistributionPoints method of the SMS_Package class to add the specified DP to the package. SMSProv.log
SMS Provider 4616 (0x1208) Context: SMSAppName=Configuration Manager Administrator console~

SMS Provider 4616 (0x1208) ExecMethodAsync : SMS_Package.PackageID="
<PackageID>"::AddDistributionPoints~
SMS Provider 4616 (0x1208) CExtProviderClassObject::DoExecuteMethod AddDistributionPoints~
SMS Provider 4616 (0x1208) Auditing: User CONTOSO\Admin called an audited method of an instance of
class SMS_Package.~
When this method is called, SMS Provider inserts a row in PkgServers with Action set to 2 (ADD).
insert PkgServers (PkgID, NALPath, SiteCode, SiteName, SourceSite, LastRefresh, RefreshTrigger, UpdateMask,
Action) select N'PackageID', N'['Display=\\PS1SITE.CONTOSO.COM\']MSWNET:
['SMS_SITE=PS1']\\PS1SITE.CONTOSO.COM\', N'PS1', Sites.SiteName, N'CS1', N'04/10/1970 06:35:00', 0, 0, 2
from Sites where SiteCode = N'PS1'
After a row is inserted in PkgServers , SMS Provider also inserts a row in the PkgNotification table. The row in
the PkgNotification table is used to notify DistMgr to process the package, and this notification is provided to
DistMgr by the SMSDBMON component.
Step 2: SMSDBMON detects the package change and notifies DistMgr by dropping a <PackageID>.PKN file in DistMgr.box
SMSDBMON detects a change in the PkgNotification table that causes it to drop a < PackageID >.PKN file in
DistMgr.box to instruct DistMgr to process the package.
SMS_DATABASE_NOTIFICATION_MONITOR 4944 (0x1350) RCV: INSERT on PkgNotification for

SMS_DATABASE_NOTIFICATION_MONITOR 4944 (0x1350) SND: Dropped
E:\ConfigMgr\inboxes\distmgr.box\<PackageID>.PKN [850967]
Step 3: DistMgr wakes up to process the package after receiving the PKN file
1. The main DistMgr thread creates the package processing thread.
processing thread.
SMS_DISTRIBUTION_MANAGER 2496 (0x9c0) Adding package '<PackageID>' to package processing

queue.
SMS_DISTRIBUTION_MANAGER 2496 (0x9c0) ~Currently using 0 out of 3 allowed package
processing threads.
SMS_DISTRIBUTION_MANAGER 2496 (0x9c0) ~Started package processing thread for package
2. The package processing thread processes the package actions.

The package processing thread processes the package actions to add/update/remove the package from
the DP. In this case, the package source site is the central administration site and there are no package
actions to process because the central administration site contains no DPs. On a site where there are
package actions to process, the package processing thread creates DP threads for performing these
actions and waits for the DP threads to exit before moving on to Step 3-3.

SMS_DISTRIBUTION_MANAGER 4452 (0x1164) No action specified for the package <PackageID>,
however there may be package server changes for this package.
3. The package processing thread creates a mini-job to send the compressed copy of the package to the
destination site.
This mini-job is processed by the scheduler to create a send request for Sender to transfer the
compressed copy of the package to the destination site:
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) ~Package <PackageID> does not have a preferred
sender.
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) ~Needs to send the compressed package for
package <PackageID> to site PS1
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) ~Sending a copy of package <PackageID> to site
PS1
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) ~The reporting site of site PS1 is this site.
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) ~Use drive E for storing the compressed package.
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) ~Setting CMiniJob transfer root to E:\SMSPKG\
<PackageID>.PCK.1
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) Incremented ref count on file E:\SMSPKG\
<PackageID>.PCK.1, count = 2
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) Decremented ref count on file E:\SMSPKG\
<PackageID>.PCK.1, count = 1
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) ~Created minijob to send compressed copy of
package <PackageID> to site PS1 . Transfer root = E:\SMSPKG\<PackageID>.PCK.1.
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) The package and/or program properties for package
<PackageID> have not changed, need to determine which site(s) need updated package info.
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) A distribution point has been changed at this site,
adding site PS1 to the list of sites to which we are sending package <PackageID>.
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) Parent site of PS1 is CS1
4. The package processing thread exits after processing the package:
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) ~StoredPkgVersion (1) of package <PackageID>.

SMS_DISTRIBUTION_MANAGER 4452 (0x1164) ~SourceVersion (1) of package <PackageID>.
SMS_DISTRIBUTION_MANAGER 4452 (0x1164) ~Exiting package processing thread for
package <PackageID> .
Step 4: The scheduler component processes the mini-job created by the package processing thread and creates a send request
The scheduler component wakes up after receiving a job to transfer the compressed copy of the package, and
creates a send request for Sender so that Sender can send the compressed copy to the destination site.
SMS_SCHEDULER 5492 (0x1574) ======== Processing Jobs ========

SMS_SCHEDULER 5492 (0x1574) <Activating JOB JOBID>[Software Distribution for Dummy1, Package ID =
<PackageID>]~
SMS_SCHEDULER 5492 (0x1574) Destination site: PS1, Preferred Address: *, Priority: 2
SMS_SCHEDULER 5492 (0x1574) Instruction type: MICROSOFT|SMS|MINIJOBINSTRUCTION|PACKAGE~
SMS_SCHEDULER 5492 (0x1574) Creating instruction file:
\\CS1SITE.CONTOSO.COM\SMS_CS1\inboxes\schedule.box\tosend\JOBID.Icl~
SMS_SCHEDULER 5492 (0x1574) Transfer root: E:\SMSPKG\<PackageID>.PCK.1~
SMS_SCHEDULER 5492 (0x1574) <Updating JOB JOBID>[Software Distribution for Dummy1, Package ID =
<PackageID> ]~
SMS_SCHEDULER 5492 (0x1574) Created new send request ID: 202SQCS1 ~
The scheduler will periodically update the send requests and will log useful information about the send requests
which includes total size and remaining size:
SMS_SCHEDULER 5492 (0x1574) ====== Updating Send Request List =======

SMS_SCHEDULER 5492 (0x1574) Send Request 202SQCS1 JobID: JOBID DestSite: PS1 FinalSite: State:
Pending Status: Action: None Total size: 204864k Remaining: 204864k Heartbeat: 12:23 Start: 12:00 Finish:
12:00 Retry: SWD PkgID: <PackageID> SWD Pkg Version: 1
Step 5: The sender component starts working on the send request

The sender component processes the send request and sends the compressed copy of the package to the
destination site.
1. The main sender thread starts a sending thread which is the thread that will perform all the work for this
send request.
SMS_LAN_SENDER 6700 (0x1a2c) Found send request. ID: 202SQCS1, Dest Site: PS1~
SMS_LAN_SENDER 6700 (0x1a2c) Checking for site-specific sending capacity. Used 0 out of 3.~
SMS_LAN_SENDER 6700 (0x1a2c) ~Created sending thread (Thread ID = 1150 )
2. The sending thread processes the send request and copies the compressed package file (PCK file) to the
destination site along with the package instruction file (SNI file).
SMS_LAN_SENDER 4432 (0x1150) ~Trying the No. 1 address (out of 1)

SMS_LAN_SENDER 4432 (0x1150) ~Passed the xmit file test, use the existing connection
SMS_LAN_SENDER 4432 (0x1150) ~Package file = E:\SMSPKG\<PackageID>.PCK.1
SMS_LAN_SENDER 4432 (0x1150) ~Instruction file =
E:\ConfigMgr\inboxes\schedule.box\tosend\00000E2A.Icl
SMS_LAN_SENDER 4432 (0x1150) ~Checking for remote file
\\PS1SITE.CONTOSO.COM\SMS_SITE\202SQCS1.PCK
\\PS1SITE.CONTOSO.COM\SMS_SITE\202SQCS1.SNI
\\PS1SITE.CONTOSO.COM\SMS_SITE\202SQCS1.TMP …
SMS_LAN_SENDER 4432 (0x1150) ~Attempt to create/open the remote file
SMS_LAN_SENDER 4432 (0x1150) ~Created/opened the remote file
SMS_LAN_SENDER 4432 (0x1150) ~Sending Started [E:\SMSPKG\<PackageID>.PCK.1]
SMS_LAN_SENDER 4432 (0x1150) ~Attempt to write 1024 bytes to
\\PS1SITE.CONTOSO.COM\SMS_SITE\202SQCS1.PCK at position 0
SMS_LAN_SENDER 4432 (0x1150) ~Wrote 1024 bytes to
\\PS1SITE.CONTOSO.COM\SMS_SITE\202SQCS1.PCK at position 0 …
SMS_LAN_SENDER 4432 (0x1150) ~Attempt to write 380731 bytes to
SMS_LAN_SENDER 4432 (0x1150) ~Wrote 380731 bytes to
SMS_LAN_SENDER 4432 (0x1150) ~Sending completed [E:\SMSPKG\<PackageID>.PCK.1 ]
SMS_LAN_SENDER 4432 (0x1150) ~Finished sending SWD package <PackageID> version 1 to site
PS1 …
SMS_LAN_SENDER 4432 (0x1150) ~Sending Started
[E:\ConfigMgr\inboxes\schedule.box\tosend\00000E2A.Icl]
SMS_LAN_SENDER 4432 (0x1150) ~Sending completed
[E:\ConfigMgr\inboxes\schedule.box\tosend\00000E2A.Icl]
SMS_LAN_SENDER 4432 (0x1150) ~Finished sending SWD package <PackageID> version 1 to site
PS1 …
SMS_LAN_SENDER 4432 (0x1150) ~Renaming remote file
\\PS1SITE.CONTOSO.COM\SMS_SITE\202SQCS1.TMP to
\\PS1SITE.CONTOSO.COM\SMS_SITE\202SQCS1.SNI
MS_LAN_SENDER 4432 (0x1150) ~Rename completed
[\\PS1SITE.CONTOSO.COM\SMS_SITE\202SQCS1.TMP]
SMS_LAN_SENDER 4432 (0x1150) ~Sending completed successfully
The sending thread copies these files to the SMS_SITE share on the receiving site.
TIP
The sender.log file continuously logs the position it's writing to. For example, the position is 209398784 in the
above log. This position is the byte offset it's writing to, and you can find how much data has been copied by
converting this value. For example, 209398784 bytes = 199.69 MB.
Step 6: The scheduler component marks the job as completed and deletes the send request
The scheduler component monitors the send requests, and after Sender has finished processing the send
request, Scheduler marks the job as complete and deletes the send request:
SMS_SCHEDULER 5492 (0x1574) ====== Checking Status of All Send Requests ======
SMS_SCHEDULER 5492 (0x1574) ~==== Checking send requests for outbox
\\CS1SITE.CONTOSO.COM\SMS_CS1\inboxes\schedule.box\outboxes\LAN.~~
SMS_SCHEDULER 5492 (0x1574) Checking send request 202SQCS1 ~
SMS_SCHEDULER 5492 (0x1574) Sending completed (13985442 bytes/sec).~
SMS_SCHEDULER 5492 (0x1574) <Updating JOB JOBID>[Software Distribution for Dummy1, Package ID =
<PackageID>]~
SMS_SCHEDULER 5492 (0x1574) Send request has successfully completed.~
SMS_SCHEDULER 5492 (0x1574) <JOB STATUS - COMPLETE> ~
SMS_SCHEDULER 5492 (0x1574) Deleting instruction file
\\CS1SITE.CONTOSO.COM\SMS_CS1\inboxes\schedule.box\tosend\00000E2A.Icl.~
SMS_SCHEDULER 5492 (0x1574) Deleting job package source [E:\SMSPKG\<PackageID>.PCK.1].~
SMS_SCHEDULER 5492 (0x1574) Deleted reference counted file E:\SMSPKG\<PackageID>.PCK.1
SMS_SCHEDULER 5492 (0x1574) Decremented ref count on file E:\SMSPKG\<PackageID>.PCK.1, count = 0
SMS_SCHEDULER 5492 (0x1574) Deleting send request with ID: 202SQCS1.~
SMS_SCHEDULER 5492 (0x1574) Deleted job JOBID.~
After this step, the sending site has no more work to do and the receiving site starts the processing of the
package.
On the destination site
Step 7: Despooler processes the PCK and SNI files
During Step 5, PCK and SNI files were copied to the SMS_SITE share on the receiving site. On each
Configuration Manager site, the \inboxes\despoolr.box\receive folder is shared as SMS_SITE . When these files
arrive in the despoolr.box\receive folder, the despooler component wakes up to process the SNI file which is an
instruction file.
1. The main despooler thread creates a despooling thread.
Main Despooler finds the instruction file and creates a despooling thread to process the instruction file:
SMS_DESPOOLER 6128 (0x17f0) ~Found ready instruction 202sqcs1.sni

SMS_DESPOOLER 6128 (0x17f0) ~Used 0 out of 3 despooling threads
SMS_DESPOOLER 6128 (0x17f0) ~Created a new despooling thread EE8
2. (Sporadically) Despooling thread sometimes fails to process instruction on first attempt and retries after
5 minutes.
The despooling thread processes the instruction file, however in many cases, the first-time despooler tries
to process an instruction file for a package it will fail with a 'package information hasn't arrived yet for
this version' message because the package metadata information hasn't yet replicated to the receiving
site. When this happens, despooler.log shows 'error code = 12' but retries this instruction after five
minutes, which is successful as the package information replicates during this time. Step 7-3 shows the
successful processing of the instruction on retry.
SMS_DESPOOLER 3816 (0xee8) ~Verifying signature for instruction

E:\ConfigMgr\inboxes\despoolr.box\receive\ds_s76nc.ist of type
MICROSOFT|SMS|MINIJOBINSTRUCTION|PACKAGE
SMS_DESPOOLER 3816 (0xee8) ~Signature checked out OK for instruction coming from site CS1,
proceed with the instruction execution.
SMS_DESPOOLER 3816 (0xee8) ~Executing instruction of type
MICROSOFT|SMS|MINIJOBINSTRUCTION|PACKAGE
SMS_DESPOOLER 3816 (0xee8) ~Received package PackageID version 1. Compressed file -
E:\SMSPKG\<PackageID>.PCK.1 as E:\ConfigMgr\inboxes\despoolr.box\receive\ds_s76nc.pkg
SMS_DESPOOLER 3816 (0xee8) ~Old package storedUNC path is .
SMS_DESPOOLER 3816 (0xee8) ~This package[<PackageID>]'s information hasn't arrived
yet for this version [1]. Retr y later ...
SMS_DESPOOLER 3816 (0xee8) ~Created retry instruction for job JOBID
SMS_DESPOOLER 3816 (0xee8) ~Despooler failed to execute the instruction, error code = 12 …
SMS_DESPOOLER 6128 (0x17f0) ~Instruction
E:\ConfigMgr\inboxes\despoolr.box\receive\ds_3kyyh.sni won't be processed till 5/16/2016 12:29:11
PM Eastern Daylight Time
If this happens, DistMgr will try to process the package, however since the compressed copy of the
package hasn't been processed and extracted into the content library, the package processing thread will
log the following and exit:
SMS_DISTRIBUTION_MANAGER 4824 (0x12d8) ~Started package processing thread for package

'<PackageID>', thread ID = 0xAAC (2732)
SMS_DISTRIBUTION_MANAGER 2732 (0xaac) ~Processing package <PackageID>
SMS_DISTRIBUTION_MANAGER 2732 (0xaac) ~The contents for the package <PackageID>
hasn't arrived from site CS1 yet, will retr y later .
SMS_DISTRIBUTION_MANAGER 2732 (0xaac) ~All DP threads have completed for package
<PackageID> processing thread.
SMS_DISTRIBUTION_MANAGER 2732 (0xaac) ~Exiting package processing thread for package
<PackageID>.
3. The despooling thread processes the instruction and writes content to the content library.
The despooling thread processes the instruction, uncompresses the PCK file to a temp location, then
writes the content to the content library.
SMS_DESPOOLER 4072 (0xfe8) ~Received package <PackageID> version 1. Compressed file -

E:\SMSPKG\<PackageID>.PCK.1 as E:\ConfigMgr\inboxes\despoolr.box\receive\PKGj3uib.TRY
SMS_DESPOOLER 4072 (0xfe8) ~Old package storedUNC path is .
SMS_DESPOOLER 4072 (0xfe8) ~Use drive E for storing the compressed package.
SMS_DESPOOLER 4072 (0xfe8) No branch cache registry entries found.
SMS_DESPOOLER 4072 (0xfe8) Uncompressing E:\SMSPKG\<PackageID>.PCK to E:\SMSPKG\
<PackageID>.PCK.temp
SMS_DESPOOLER 4072 (0xfe8) Content Library: E:\SCCMContentLib
SMS_DESPOOLER 4072 (0xfe8) Extracting from E:\SMSPKG\<PackageID>.PCK.temp
SMS_DESPOOLER 4072 (0xfe8) Extracting package <PackageID>
SMS_DESPOOLER 4072 (0xfe8) Extracting content <PackageID>.1
SMS_DESPOOLER 4072 (0xfe8) Writing package definition for <PackageID>
SMS_DESPOOLER 4072 (0xfe8) ~Package <PackageID> (version 0) exists in the distribution source,
save the newer version (version 1).
SMS_DESPOOLER 4072 (0xfe8) ~Stored Package <PackageID>. Stored Package Version = 1
After successfully extracting the content to the content library, despooler updates StoredPkgVersion in
the SMSPackages_L table and inserts a row in the PkgNotification table so that DistMgr can be notified to
process the package.
update SMSPackages_L set StoredPkgPath = N'\\PS1SITE.CONTOSO.COM\E$\SMSPKG\<PackageID>.PCK',

StoredPkgVersion = 1, UpdateMask = 160, UpdateMaskEx = 0, Action = 1 where PkgID = N'<PackageID>'
insert PkgNotification (PkgID, Priority, Type, TimeKey) values (N'<PackageID>', 2, 1, GetDate())
4. The despooling thread updates the Type 1 row for the receiving site in PkgStatus , raises a status
message with ID 4400 and then exits.
update PkgStatus set Status = 2, UpdateTime = N'Date Time', Location =

N'\\PS1SITE.CONTOSO.COM\E$\SMSPKG\PackageID.PCK', ShareName = N'', HTTPUrl = N'', SourceVersion = 1,
Personality = 0, State = 0, SigURL = N'', SigLocation = N'' where ID = N'PackageID' and Type = 1 and
SiteCode = N'PS1' and PkgServer = N'PS1SITE.CONTOSO.COM'
SMS_DESPOOLER 4072 (0xfe8) STATMSG: ID=4400 SEV=I LEV=M SOURCE="SMS Server"

COMP="SMS_DESPOOLER" SYS=PS1SITE.CONTOSO.COM SITE=PS1 PID=5428 TID=4072
GMTDATE=Mon May 16 16:31:21.400 2016 ISTR0="<PackageID>"
ISTR1="\\PS1SITE.CONTOSO.COM\E$\SMSPKG\<PackageID>.PCK" ISTR2="" ISTR3="" ISTR4=""
ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="<PackageID>"
SMS_DESPOOLER 4072 (0xfe8) ~Despooler successfully executed one instruction.
Step 8: SMSDBMON notifies DistMgr to process the package

SMSDBMON detects a change in the PkgNotification table and drops a PKN file in DistMgr.box to instruct
DistMgr to process the package.

E:\ConfigMgr\inboxes\distmgr.box\<PackageID>.PKN [1035289]
Step 9: DistMgr wakes up to process the package

DistMgr wakes up after detecting the PKN file and processes the package.
processing thread.
SMS_DISTRIBUTION_MANAGER 4824 (0x12d8) Found package properties updated notification for

SMS_DISTRIBUTION_MANAGER 4824 (0x12d8) Adding package '<PackageID>' to package
processing queue.
SMS_DISTRIBUTION_MANAGER 4824 (0x12d8) ~Currently using 0 out of 3 allowed package
processing threads.
'<PackageID>', thread ID = 0x93C (2364)
2. The package processing thread creates DP threads to process package actions and waits for them to exit.
The package processing thread (TID 2364 ) processes the package actions (add/update/remove) for the
DPs. In this case, the package was distributed to a DP and the package processing thread creates a DP
thread to add the package to the DP. After creating the DP thread, the package processing thread waits for
all the DP threads to exit before moving further.
SMS_DISTRIBUTION_MANAGER 2364 (0x93c) ~Processing package <PackageID>

SMS_DISTRIBUTION_MANAGER 2364 (0x93c) Start updating the package <PackageID>...
SMS_DISTRIBUTION_MANAGER 2364 (0x93c) ~The Package Action is 1, the Update Mask is 160 and
UpdateMaskEx is 0.
SMS_DISTRIBUTION_MANAGER 2364 (0x93c) ~Use drive E for storing the compressed package.
SMS_DISTRIBUTION_MANAGER 2364 (0x93c) ~Successfully created/updated the package
<PackageID> …
SMS_DISTRIBUTION_MANAGER 2364 (0x93c) Start adding package <PackageID> to server
["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\...
SMS_DISTRIBUTION_MANAGER 2364 (0x93c) ~Created DP processing thread 5204 for addition
or update of package <PackageID> on server ["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\ …
SMS_DISTRIBUTION_MANAGER 2364 (0x93c) ~Waiting for all DP threads to complete for
package <PackageID> processing thread.
3. The DP threads create a PkgXferMgr job to transfer content to the DPs and then exits.
The DP thread (TID 5204 ) starts working on adding the package to the DP. DP threads do not copy the
package contents to the DP directly, but instead create a job for Package Transfer Manager (PkgXferMgr)
instructing it to copy the package contents to the DP. The following log entries show the DP thread
creating a PkgXferMgr job. After the job is created, the DP thread's work is done and the DP thread exits.
SMS_DISTRIBUTION_MANAGER 5204 (0x1454) DP Thread: Attempting to add or update package

<PackageID> on DP ["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\
AID0=400 AVAL0="<PackageID>" AID1=404 AVAL1="
SMS_DISTRIBUTION_MANAGER 5204 (0x1454) The current user context will be used for connecting
to ["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\.~
SMS_DISTRIBUTION_MANAGER 5204 (0x1454) ~Created package transfer job to send
package <PackageID> to distribution point ["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\.
PID=5428 TID=5204 GMTDATE=Mon May 16 16:31:46.670 2016 ISTR0="PackageID" ISTR1="
SMS_DISTRIBUTION_MANAGER 5204 (0x1454) Performing cleanup prior to returning.
SMS_DISTRIBUTION_MANAGER 5204 (0x1454) Cancelling network connection to
\\PS1DP1.CONTOSO.COM\ADMIN$.
When the DP thread creates a PkgXferMgr job, it does so by inserting a row in DistributionJobs table.
insert into DistributionJobs (DPID,PkgID,PackageVersion,State,CreationTime,Action)

values(32,N'PackageID',1,0,N'Date Time',1)
After creating the job, the DP thread also resets the Action for the DP in the PkgServers_L table.
update PkgServers_L set UpdateMask = 0, Action = 0, RefreshTrigger = 0, LastRefresh = N'Date Time'

where PkgID = N'PackageID' and NALPath = N'["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\' and SiteCode = N'PS1' and Action <> 3
4. The package process thread exits after all DP threads exit.

After all the DP threads exit, the package processing thread exits as well:
SMS_DISTRIBUTION_MANAGER 2364 (0x93c) ~DP thread for package <PackageID> with thread
handle 000000000000218C and thread ID 5204 ended.
SMS_DISTRIBUTION_MANAGER 2364 (0x93c) ~All DP threads have completed for package
SMS_DISTRIBUTION_MANAGER 2364 (0x93c) ~ Exiting package processing thread for
package <PackageID>.
Step 10: SMSDBMON notifies PkgXferMgr to process the job created in step 9-3
After the PkgxferMgr job is created in step 9-3, SMSDBMON detects a change in the DistributionJobs table and
drops a PKN file in PkgTransferMgr.box to instruct PkgXferMgr to process the job:
SMS_DATABASE_NOTIFICATION_MONITOR 1792 (0x700) RCV: UPDATE on DistributionJobs for

DistributionJob_Creation [<PackageID>][1035292]
E:\ConfigMgr\inboxes\PkgTransferMgr.box\<PackageID>.PKN [1035292]
Step 11: PkgXferMgr wakes up to process the job

1. The main PkgXferMgr thread creates a sending thread to the specified DP:
SMS_PACKAGE_TRANSFER_MANAGER 5392 (0x1510) Found send request with ID: 577, Package:
<PackageID>, Version:1, Priority: 2, Destination: PS1DP1.CONTOSO.COM, DPPriority: 200
SMS_PACKAGE_TRANSFER_MANAGER 5392 (0x1510) ~Created sending thread (Thread ID =
0x12EC )
2. The sending thread copies the content to the DP.

The sending thread starts copying the package contents to the DP. This process involves copying all of the
files in the package to the DP in the SMS_DP$ directory. Since the package was not redistributed to the DP,
the Redistribute action is set to 0 , which means that if a file already exists in the content library on the DP,
it does not get recopied.
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) Sending thread starting for Job: 577, package:
<PackageID>, Version: 1, Priority: 2, server: PS1DP1.CONTOSO.COM, DPPriority: 200
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) Sent status to the distribution manager for pkg
<PackageID>, version 1, status 0 and distribution point
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) Sending legacy content <PackageID>.1 for
package <PackageID>
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) Redistribute=0 , Related=
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) Sending file
'\\PS1DP1.CONTOSO.COM\SMS_DP$\73E055438D4731F41DB6C3BCB90919F60000226B330C739
42454A174D7E26533-PackageID.1.temp'
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) Adding Dummy1.txt file in <PackageID>.1.
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) Completed post-actions for remote DP
PS1DP1.CONTOSO.COM
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) ~Sending completed successfully
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) user(NT AUTHORITY\SYSTEM) runing
application(SMS_PACKAGE_TRANSFER_MANAGER) from machine (PS1SITE.CONTOSO.COM) is
submitting SDK changes from site(PS1)
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) ~Finished sending SWD package
<PackageID> version 1 to distribution point PS1DP1.CONTOSO.COM
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) STATMSG: ID=8200 SEV=I LEV=M
SOURCE="SMS Server" COMP="SMS_PACKAGE_TRANSFER_MANAGER"
SYS=PS1SITE.CONTOSO.COM SITE=PS1 PID=5428 TID=4844 GMTDATE=Mon May 16 16:34:27.614
2016 ISTR0="<PackageID>" ISTR1="1" ISTR2="PS1DP1.CONTOSO.COM" ISTR3="" ISTR4=""
AID1=410 AVAL1="1"
3. The sending thread sends a status message to DistMgr.

After the sending thread finishes sending the content (success/failure), it sends the status to DistMgr so
that DistMgr can process and update the status in the database. This status is sent to DistMgr by
dropping an STA file containing the package status in the DistMgr.box\incoming directory.
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) Sent status to the distribution manager

for pkg <PackageID>, version 1, status 3 and distribution point
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) STATMSG: ID=8210 SEV=I LEV=M
AID1=410 AVAL1="1" AID2=404 AVAL2="["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
SMS_PACKAGE_TRANSFER_MANAGER 4844 (0x12ec) Sending thread complete~
Step 12: SMS DP Provider adds the content copied in step 11-2 to the content library
During step 11-2, after copying each file, PkgXferMgr instructs the DP to add the file to the content library by
executing methods against the SMS_DistributionPoint WMI class in the SMS DP Provider namespace
(root\SCCMDP). When the content is successfully added to the content library, SMSDPProv.log shows the
following:
2996 (0xbb4) Content '<PackageID>.1' for package '<PackageID>' has been added to content library
successfully
Step 13: DistMgr processes the status message sent in step 11-3
To process the incoming STA file (sent in step 11-3), DistMgr uses the replication processing thread. This thread
wakes up to process the STA file, updates the Type 2 row in the PkgStatus tables in the database and raises a
status message with ID 2330 which means 'Distribution Manager successfully distributed package to
distribution point.'
SMS_DISTRIBUTION_MANAGER 6116 (0x17e4) ~Processing incoming file

E:\ConfigMgr\inboxes\distmgr.box\INCOMING\1R7IEEHU.STA.
SMS_DISTRIBUTION_MANAGER 6116 (0x17e4) ~Processing STA for regular DP
SMS_DISTRIBUTION_MANAGER 6116 (0x17e4) ~Processing status update for package <PackageID>
SMS_DISTRIBUTION_MANAGER 6116 (0x17e4) ~Successfully updated the package server status for
["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\ for package
<PackageID>, Status 3
SMS_DISTRIBUTION_MANAGER 6116 (0x17e4) STATMSG: ID=2330 SEV=I LEV=M SOURCE="SMS
Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=PS1SITE.CONTOSO.COM SITE=PS1 PID=5428
TID=6116 GMTDATE=Mon May 16 16:34:31.679 2016 ISTR0="<PackageID>" ISTR1="
["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM" ISTR2=""
ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=2 AID0=400 AVAL0="
<PackageID>" AID1=404 AVAL1="["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
SMS_DISTRIBUTION_MANAGER 6116 (0x17e4) ~Successfully delete package status file
E:\ConfigMgr\inboxes\distmgr.box\INCOMING\1R7IEEHU.STA
This thread runs the following query to update the status in the database.
update PkgStatus set Status = 3, UpdateTime = N'Date Time', Location = N'MSWNET:

["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\SMSPKGC$\PackageID\', ShareName = N'', HTTPUrl =
N'http://PS1DP1.CONTOSO.COM/SMS_DP_SMSPKG$/\PackageID', SourceVersion = 1, Personality = 0, State = 0,
SigURL = N'http://PS1DP1.CONTOSO.COM/SMS_DP_SMSSIG$/\PackageID', SigLocation = N'MSWNET:
["SMS_SITE=PS1"]\\PS1DP1.CONTOSO.COM\SMSSIG$\\PackageID.1.tar' where ID = N'\PackageID' and Type = 2 and
SiteCode = N'PS1' and PkgServer = N'["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
Step 14: Package status changes are replicated to other sites via database replication
After the package status is updated in the database, it is replicated to other sites via database replication.
Distribute a package to standard DP

The following steps outline the flow of events when a package is distributed to a DP in the primary site, and this
primary site server in question already has a copy of the package in the content library:
Step 1: The administrator distributes the package to the DP. The administrator can do so from the admin
console connected directly to the primary site in question or the central administration site, or a different
primary site
After the administrator distributes the package to a DP from the console, the admin console calls the
AddDistributionPoints method of the SMS_Package class to add the specified DP to the package. SMSProv.log
SMS Provider 4416 (0x1140) Context: SMSAppName=Configuration Manager Administrator console~
SMS Provider 4416 (0x1140) ExecMethodAsync : SMS_Package.PackageID="
<PackageID>"::AddDistributionPoints~
SMS Provider 4416 (0x1140) CExtProviderClassObject::DoExecuteMethod AddDistributionPoints~
SMS Provider 4416 (0x1140) Auditing: User CONTOSO\Admin called an audited method of an instance of
class SMS_Package.~
When this method is called, SMS Provider inserts a row in PkgServers with Action set to 2 (ADD):
insert PkgServers (PkgID, NALPath, SiteCode, SiteName, SourceSite, LastRefresh, RefreshTrigger, UpdateMask,
Action) select N'<PackageID>', N'["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\', N'PS1', Sites.SiteName, N'PS1', N'04/10/1970 06:35:00', 0, 0, 2
from Sites where SiteCode = N'PS1'
insert PkgNotification (PkgID, Priority, Type, TimeKey) values (N'<PackageID>', 2, 4, GetDate())
Step 2: If the administrator distributes the package from a different primary site or the central administration
site, Database Replication Service (DRS ) replicates changes to the site in question
If the administrator distributes this package with the console connected to the central administration site or a
different primary site, DRS replicates the changes in PkgServers to other sites.
After the change is replicated to the site where the DP resides, SMSDBMON detects a change in the
PkgNotification table and drops a PKN file in DistMgr.box to instruct DistMgr to process the package:

PkgNotify_Add [<PackageID>][1035417]
SMS_DATABASE_NOTIFICATION_MONITOR 1792 (0x700) SND: Dropped E:\ConfigMgr\inboxes\distmgr.box\

1. The main DistMgr thread starts a package processing thread.
processing thread.

processing queue.
processing threads.
'<PackageID>', thread ID = 0xB58 (2904)
2. The package processing thread creates DP threads to process package actions, then waits for them to exit.
The package processing thread (TID 2904 ) processes the package actions (add/update/remove) for the
DP. In this case, the package was added to a DP and the package processing thread creates a DP thread to
add the package to the DP. After creating the DP thread, the package processing thread waits for all the
DP threads to exit before moving further:
SMS_DISTRIBUTION_MANAGER 2904 (0xb58) ~Processing package <PackageID>

SMS_DISTRIBUTION_MANAGER 2904 (0xb58) No action specified for the package <PackageID>,
SMS_DISTRIBUTION_MANAGER 2904 (0xb58) Start adding package <PackageID> to server
SMS_DISTRIBUTION_MANAGER 2904 (0xb58) ~Created DP processing thread 3792 for addition or
update of package <PackageID> on server ["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\ SMS_DISTRIBUTION_MANAGER 2904 (0xb58)
~Waiting for all DP threads to complete for package <PackageID> processing thread.
3. The DP threads create a Package Transfer Manager (PkgXferMgr) job to transfer content to the DPs and
then exits.
The DP thread (TID 3792 ) starts the work of adding the package to the DP. The DP threads do not copy
the package contents to the DP directly, but instead create a job for PkgXferMgr instructing it to copy the
package contents to the DP. The following log entries show the DP thread creating a PkgXferMgr job.
After the job is created, the DP thread's work is done and the DP thread exits.
SMS_DISTRIBUTION_MANAGER 3792 (0xed0) DP Thread: Attempting to add or update package

SMS_DISTRIBUTION_MANAGER 3792 (0xed0) ~Created package transfer job to send package
<PackageID> to distribution point ["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
SMS_DISTRIBUTION_MANAGER 3792 (0xed0) STATMSG: ID=2357 SEV=I LEV=M SOURCE="SMS
PID=5428 TID=3792 GMTDATE=Mon May 16 19:26:58.642 2016 ISTR0="<PackageID>" ISTR1="

values(35,N'PackageID',1,0,N'2016/05/16 15:26:58',1)
After creating the job, the DP thread also resets the Action for the DP in PkgServers_L table:
update PkgServers_L set UpdateMask = 0, Action = 0, RefreshTrigger = 0, LastRefresh = N'05/16/2016

19:26:58' where PkgID = N'PackageID' and NALPath = N'["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\' and SiteCode = N'PS1' and Action <> 3
4. The package processing thread exits after all DP threads exit.

After all of the DP threads exit, the package processing thread exits as well.
SMS_DISTRIBUTION_MANAGER 2904 (0xb58) ~DP thread for package <PackageID> with thread
handle 0000000000002524 and thread ID 3792 ended.
SMS_DISTRIBUTION_MANAGER 2904 (0xb58) ~All DP threads have completed for package
SMS_DISTRIBUTION_MANAGER 2904 (0xb58) ~Exiting package processing thread for package
<PackageID>.
Step 5: SMSDBMON notifies PkgXferMgr to process the job
After the PkgxferMgr job is created, SMSDBMON this time detects a change in the DistributionJobs table and
drops a PKN file in PkgTransferMgr.box to instruct PkgXferMgr to process the job:

DistributionJob_Creation [<PackageID>][1035419]
E:\ConfigMgr\inboxes\PkgTransferMgr.box\<PackageID>.PKN [1035419]

1. The main PkgXferMgr thread creates a sending thread.
The main PkgXferMgr thread creates a sending thread to send the package to the specified DP.
SMS_PACKAGE_TRANSFER_MANAGER 5392 (0x1510) Found send request with ID: 582, Package:
<PackageID>, Version:1, Priority: 2, Destination: PS1DP2.CONTOSO.COM, DPPriority: 200
SMS_PACKAGE_TRANSFER_MANAGER 5392 (0x1510) ~Created sending thread (Thread ID = 0xBCC )
2. The sending thread copies content to the DP.

The sending thread (TID 3020 ) starts copying the package contents to the DP. This process involves
copying all the files in the package to the DP in the SMS_DP$ directory. Since the package was not
redistributed to the DP, the redistribute action is set to 0 , which means that if a file already exists in the
content library on the DP, it does not get re-copied.
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) Sending thread starting for Job: 582, package:
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) Sent status to the distribution manager for pkg
<PackageID>, version 1, status 0 and distribution point
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) Sending legacy content <PackageID>.1 for
package <PackageID>
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) Redistribute=0, Related=
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) Sending file
42454A174D7E26533-PackageID.1.temp'
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) Adding Dummy1.txt file in <PackageID>.1
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) Completed post-actions for remote DP
PS1DP2.CONTOSO.COM
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) ~Sending completed successfully
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) ~Finished sending SWD package <PackageID>
version 1 to distribution point PS1DP2.CONTOSO.COM
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) STATMSG: ID=8200 SEV=I LEV=M
AID1=410 AVAL1="1"

After the sending thread finishes sending the content (success/failure), it sends the status to DistMgr so
that DistMgr can process and update the status in the database. This status is sent to DistMgr by
dropping an STA file containing the package status in the DistMgr.box\incoming directory:
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) Sent status to the distribution manager for pkg
PackageID, version 1, status 3 and distribution point
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) STATMSG: ID=8210 SEV=I LEV=M
AID1=410 AVAL1="1" AID2=404 AVAL2="["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
SMS_PACKAGE_TRANSFER_MANAGER 3020 (0xbcc) Sending thread complete~
Step 7: SMS DP Provider adds the content to the content library

After copying each file, PkgXferMgr instructs the DP to add the file to the content library by executing methods
against the SMS_DistributionPoint WMI class in the SMS DP Provider namespace (root\SCCMDP). When the
content is successfully added to the content Library, SMSDPProv.log shows the following:
1304 (0x518) Content '<PackageID>.1' for package '<PackageID>' has been added to content library
successfully
Step 8: DistMgr processes the status messages sent by PkgXferMgr

To process the incoming STA file (sent in step 6-3), DistMgr uses the replication processing thread. This thread
wakes up to process the STA file, updates the Type 2 row in the PkgStatus tables in the database and raises a
status message with ID 2330 which means 'Distribution Manager successfully distributed package to
distribution point.'
SMS_DISTRIBUTION_MANAGER 6116 (0x17e4) ~Processing incoming file

E:\ConfigMgr\inboxes\distmgr.box\INCOMING\FV8S6B6M.STA.
SMS_DISTRIBUTION_MANAGER 6116 (0x17e4) ~Processing STA for regular DP
SMS_DISTRIBUTION_MANAGER 6116 (0x17e4) ~Processing status update for package <PackageID>
SMS_DISTRIBUTION_MANAGER 6116 (0x17e4) ~Successfully updated the package server status for
["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\ for package
<PackageID>, Status 3
SMS_DISTRIBUTION_MANAGER 6116 (0x17e4) STATMSG: ID=2330 SEV=I LEV=M SOURCE="SMS Server"
COMP="SMS_DISTRIBUTION_MANAGER" SYS=PS1SITE.CONTOSO.COM SITE=PS1 PID=5428 TID=6116
GMTDATE=Mon May 16 19:28:16.577 2016 ISTR0="<PackageID>" ISTR1="
["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\" ISTR2=""
ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=2 AID0=400 AVAL0="
<PackageID>" AID1=404 AVAL1="["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
SMS_DISTRIBUTION_MANAGER 6116 (0x17e4) ~Successfully delete package status file
E:\ConfigMgr\inboxes\distmgr.box\INCOMING\FV8S6B6M.STA
This thread runs the following query to update the status in the database.
update PkgStatus set Status = 3, UpdateTime = N'Date Time', Location = N'MSWNET:
["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\SMSPKGC$\\PackageID\', ShareName = N'', HTTPUrl =
N'http://PS1DP2.CONTOSO.COM/SMS_DP_SMSPKG$/\PackageID', SourceVersion = 1, Personality = 0, State = 0,
SigURL = N'http://PS1DP2.CONTOSO.COM/SMS_DP_SMSSIG$/\PackageID', SigLocation = N'MSWNET:
["SMS_SITE=PS1"]\\PS1DP2.CONTOSO.COM\SMSSIG$\\PackageID.1.tar' where ID = N'\PackageID' and Type = 2 and
SiteCode = N'PS1' and PkgServer = N'["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
Step 9: Package status changes are replicated to other sites via DRS
Distribute a package to pull DP

The following steps outline the flow of events when a Package is distributed to a pull DP in the primary site and
this primary site server in question already has a copy of the package in the content library.
Step 1: Administrator distribute the package to the DP. The administrator can do so from the admin console
connected directly to the primary site in question or the central administration site or a different Primary Site
After the administrator distributed the package to a DP from the console, console calls the
AddDistributionPoints method of the appropriate derived class of SMS_Package ( SMS_ContentPackage for
applications in the example below) class to add the specified DP to the package. SMSProv.log shows:
SMS Provider 22172 (0x569c) Context: SMSAppName=Configuration Manager Administrator console~

SMS Provider 22172 (0x569c) ExecMethodAsync :
SMS_ContentPackage.PackageID='P010000F'::AddDistributionPoints~
SMS Provider 22172 (0x569c) CExtProviderClassObject::DoExecuteMethod AddDistributionPoints~
SMS Provider 22172 (0x569c) Auditing: User CONTOSO\Admin called an audited method of an instance of
class SMS_ContentPackage.~
When this method is called, SMS Provider inserts a row in PkgServers with Action set to 2 (ADD) and a
notification is created in the PkgNotification table.
Step 2: If administrator distributes the package from a different primary site or the central administration
site, DRS replicates changes to the site in question
If the administrator distributed this package with the console connected to the central administration site or a
different primary site, DRS replicates the changes in PkgServers to other sites.
After this change is replicated to the site where the DP resides, SMSDBMON detects a change in
PkgNotification table, and drops a PKN file in DistMgr.box to instruct DistMgr to process the package.

PkgNotify_Add [P010000F ][145011]
E:\ConfigMgr\inboxes\distmgr.box\P010000F.PKN [145011]

1. Main DistMgr thread starts a Package Processing Thread.
Main DistMgr thread adds the package to the package processing queue, and creates a package
processing thread.
SMS_DISTRIBUTION_MANAGER 5292 (0x14ac) Adding package 'P010000F' to package processing
queue.
SMS_DISTRIBUTION_MANAGER 5292 (0x14ac) ~Currently using 0 out of 3 allowed package
processing threads.
SMS_DISTRIBUTION_MANAGER 5292 (0x14ac) ~Started package processing thread for package
'P010000F', thread ID = 0x2C44 (11332)
2. Package processing thread creates DP thread(s) to process package actions and waits for them to exit.
Package processing thread (TID 11332) processes the package actions (add/update/remove) for the
DP(s). In this case, the package was added to a DP and the package processing thread creates a DP thread
to add the package to the DP. After creating DP thread(s), the package processing thread waits for all the
DP threads to exit before moving further.
SMS_DISTRIBUTION_MANAGER 11332 (0x2c44) ~Processing package P010000F

SMS_DISTRIBUTION_MANAGER 11332 (0x2c44) No action specified for the package P010000F,
SMS_DISTRIBUTION_MANAGER 11332 (0x2c44) Start adding package P010000F to server
["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\...
SMS_DISTRIBUTION_MANAGER 11332 (0x2c44) ~Created DP processing thread 22444 for addition
or update of package P010000F on server ["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:
["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\
SMS_DISTRIBUTION_MANAGER 11332 (0x2c44) ~Waiting for all DP threads to complete for package
P010000F processing thread.
3. DP thread creates a PkgXferMgr job to transfer content to the DPs and exits.
DP thread (TID 22444) starts working on adding the package to the DP. DP threads do not copy the
package contents to the DP directly, and instead create a job for Package Transfer Manager (PkgXferMgr)
instructing it to copy the package contents to the DP. Following log entries show the DP thread creating a
PkgXferMgr job. After the job is created, DP thread's work is done and the DP thread exits.
SMS_DISTRIBUTION_MANAGER 22444 (0x57ac) DP Thread: Attempting to add or update package

P010000F on DP ["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:
SMS_DISTRIBUTION_MANAGER 22444 (0x57ac) Package Server
["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\ is
a PullDP.
SMS_DISTRIBUTION_MANAGER 22444 (0x57ac) ~Created package transfer job to send package
P010000F to distribution point ["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:
["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\.
SMS_DISTRIBUTION_MANAGER 22444 (0x57ac) STATMSG: ID=2357 SEV=I LEV=M SOURCE="SMS
Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=P01SITE.CONTOSO.COM SITE=P01
PID=36968 TID=22444 GMTDATE=Mon Jan 07 20:05:18.665 2019 ISTR0="P010000F" ISTR1="
["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\"
AID0=400 AVAL0="P010000F" AID1=404 AVAL1="
values(8,N'P010000F',3,0,N'2019/01/07 20:05:18',1)
After creating the job, the DP thread also resets the Action for the DP in PkgServers_L table.
4. Package processing thread exits after all DP threads exit.
After all the DP threads exit, package processing thread exits as well.
SMS_DISTRIBUTION_MANAGER 11332 (0x2c44) ~DP thread for package P010000F with thread
handle 0000000000003E2C and thread ID 22444 ended.
SMS_DISTRIBUTION_MANAGER 11332 (0x2c44) ~All DP threads have completed for package
P010000F processing thread.
SMS_DISTRIBUTION_MANAGER 11332 (0x2c44) ~StoredPkgVersion (3) of package P010000F.
SMS_DISTRIBUTION_MANAGER 11332 (0x2c44) ~SourceVersion (3) of package P010000F.
SMS_DISTRIBUTION_MANAGER 11332 (0x2c44) ~Exiting package processing thread for package
P010000F.

After the PkgxferMgr job is created, SMSDBMON this time detects a change in DistributionJobs table and
drops a PKN file in PkgTransferMgr.box to instruct PkgXferMgr to process the job.

DistributionJob_Creation [P010000F ][145013]
E:\ConfigMgr\inboxes\PkgTransferMgr.box\P010000F.PKN [145013]

1. Main PkgXferMgr thread creates a pull DP sending thread to send the package to the specified DP.
SMS_PACKAGE_TRANSFER_MANAGER 32936 (0x80a8) Found send request with ID: 190, Package:
P010000F, Version:3, Priority: 2, Destination: P01PDP1.CONTOSO.COM, DPPriority: 200
SMS_PACKAGE_TRANSFER_MANAGER 32936 (0x80a8) ~Created sending thread (Thread ID =
0x2B4C)
2. Pull DP sending thread sends a notification to the pull DP

Unlike a regular sending thread, pull DP sending thread (TID 11084) instructs the pull DP to start
downloading the content by sending a notification. This is done in 4 phases.
Phase 1: Pull DP sending thread checks to see if the content being distributed to the pull DP is available
on a source DP(s). If the content is not available on the source DP, the pull DP sending thread ends with
the below message in the log and raises Status Message ID 8212 which means 'This pull distribution
point has no sources from which it can download content. We will try again later.' Retries are attempted
later based on Retr y settings configured in Software Distribution Component Configuration >
Pull Distribution Point tab.
~Unable to find any source locations for one or more contents under package P0100009, for pull DP
P01PDP1.CONTOSO.COM. Notification not sent.
~ PullDP notification failed. Failure count = 1/30, Restart time = 1/10/2019 2:00:42 AM Eastern
Standard Time
STATMSG: ID=8212 SEV=I LEV=M SOURCE='SMS Server'
COMP='SMS_PACKAGE_TRANSFER_MANAGER' SYS=P01SITE.CONTOSO.COM SITE=P01 PID=2336...
Here's the query that is executed to check if content is available on a source DP:
SELECT p.SourceDPServerName FROM PullDPMap p INNER JOIN ContentDPMap c ON p.SourceDPServerName =

c.ServerName WHERE c.AccessType = 1 AND p.PullDPServerName = 'P01PDP1.CONTOSO.COM' AND c.ContentID =
'P0100009' AND c.Version = 4
Phase 2: Pull DP sending thread checks to see if the pull DP has capacity for more jobs. By default, pull
DPs can handle 50 jobs simultaneously. This is controlled by the PullDP Number Of Active Jobs SCF
property for SMS_DISTRIBUTION_MANAGER and it's not recommended to increase the capacity because it can
introduce scalability issues. If the pull DP is already working at max capacity (i.e., it has 50 running jobs),
the pull DP sending thread ends with the below message in the log and retries later based on Retr y
settings configured in Software Distribution Component Configuration > Pull Distribution Point
tab.
PullDP <DPNALPATH> has reached maximum capacity 50

PullDP has no capacity. Restart time = <timestamp>
STATMSG: ID=8211 SEV=E LEV=M SOURCE="SMS Server"
COMP="SMS_PACKAGE_TRANSFER_MANAGER" SYS=P01SITE.CONTOSO.COM SITE=P01
PID=17252 TID=4712…
Here's the query that is used to determine if pull DP is at capacity:
SELECT COUNT(*) FROM DistributionJobs job

JOIN DistributionPoints dp ON dp.DPID=job.DPID AND
dp.NALPath='["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\'
WHERE job.State in (2, 3, 4) AND (job.Action<>5) AND (ISNULL(job.SendAction, '') <> '')
Phase 3: Pull DP sending thread sends a package info bundle file which contains a metadata of the files
that need to be downloaded. This file is a <PackageID>.TZ file which generated from the package INI file
from the site servers content library and is copied to the SMS_DP$ directory on the pull DP.
SMS_PACKAGE_TRANSFER_MANAGER 11084 (0x2b4c) Pull DP Sending thread starting for Job: 190,
package: P010000F, Version: 3, Priority: 2, server: P01PDP1.CONTOSO.COM, DPPriority: 200
SMS_PACKAGE_TRANSFER_MANAGER 11084 (0x2b4c) Sending package info bundle P010000F to
PullDP. ["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:
Phase 4: Pull DP sending thread creates an instance of SMS_PullDPNotification class on the pull DP
within root\SCCMDP namespace, which contains the package ID, package version and an XML notification.
After creating the instance of SMS_PullDPNotification class, it executes the NotifyPullDP method in the
SMS_DistributionPoint class in the root\SCCMDP namespace which instructs the DP WMI Provider to
notify the pull DP component to start downloading the content.
SMS_PACKAGE_TRANSFER_MANAGER 11084 (0x2b4c) ~Successfully performed WMI actions on pull

DP P01PDP1.CONTOSO.COM.
SMS_PACKAGE_TRANSFER_MANAGER 11084 (0x2b4c) ~ PullDP notification sent. Attempted count =
1/30, Restart time = 1/7/2019 4:06:04 PM Eastern Standard Time
SMS_PACKAGE_TRANSFER_MANAGER 11084 (0x2b4c) Pull DP Sending thread complete~
Notification XML is generated by calling fnGetPullDPXMLNotification . Here's how a sample query that
generates the notification XML query looks like which shows that the Action is add since the content
was not redistributed:
SELECT [dbo].[fnGetPullDPXMLNotification]('P010000F', 3, 'P01PDP1.CONTOSO.COM', 2, 'add', 1,

'O:SYG:BAD:P(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;;FA;;;BA)
(A;OICIIO;GA;;;BA)', 0, 32780, '3ED23B9869F7E10E19439F11341405FF76E22022E56468DCF211475899BD2914',
'') AS Notification
The XML notification contains the content metadata along with the source DP location. Here's how a
sample XML notification looks like:
<PullDPNotification>
<PullDPPackageNotification PackageID='P010000F' Version='3' Action='redist' AllowFallback='true'
Priority='2' PackageType='content' PackageTypeID='8' PackageFlags='16777216' PackageSize='5532'
SDDL='O:SYG:BAD:P(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;;FA;;;BA)
(A;OICIIO;GA;;;BA)' HashAlgorithm='32780'
Hash='3ED23B9869F7E10E19439F11341405FF76E22022E56468DCF211475899BD2914' ExpandShare='0' ShareName=''
ShareType='1'>
<PullDPPackageContent ContentID='Content_3c9813ba-d7ab-4963-929c-36f90f479613.1'
RelatedContentID='Content_162d6f21-176e-4e4b-a620-6e94a4b9f73e.1'>
<DPLocation DPUrl='http://P01MP.CONTOSO.COM/SMS_DP_SMSPKG$/Content_3c9813ba-d7ab-4963-929c-
36f90f479613.1' Rank='1' Type='Windows NT Server' Protocol='https' />
</PullDPPackageContent>
</PullDPPackageNotification>
</PullDPNotification>
3. Pull DP sending thread updates the job so status polling can start.
Unlike a sending thread for a standard DP which deletes the job after successful completion, pull DP
sending thread updates the job in DistributionJobs table and sets the SendAction to
PullQueryResultAction after successfully sending the notification to the pull DP.
update DistributionJobs set DPID=8,SendAction = N'PullQueryResultAction', LastUpdateTime =

N'2019/01/07 21:07:14' where JobID = 194
State messages are used as the primary mechanism for distribution status reporting from the pull DP
and the distribution job remains in the database until we are notified of success/failure status of the job.
PkgXferMgr starts polling at scheduled intervals (configurable in the Software Distribution
Component Proper ties > Pull Distribution Point tab) to check whether the content has been
downloaded on the pull DP. Although the pull DP sends a state message containing the distribution
status, PkgXferMgr also performs polling as a backup mechanism to get the distribution status in case
pull DP cannot send a state message to the management point for some reason.
4. (On polling interval): Pull DP sending thread is created to poll the distribution status from the pull DP.
A new pull DP sending thread starts after Delay before polling (minutes) value specified in the
Software Distribution Component Proper ties to check the distribution status. In the below example,
it queries the pull DP and finds that the content has been installed successfully and sends a status
message to Distribution Manager.
SMS_PACKAGE_TRANSFER_MANAGER 18724 (0x4924) Pull DP Sending thread starting for Job: 194,
package: P010000F, Version: 3, Priority: 2, server: P01PDP1.CONTOSO.COM, DPPriority: 200
SMS_PACKAGE_TRANSFER_MANAGER 18724 (0x4924) ~Finished sending SWD package P010000F
version 3 to distribution point P01PDP1.CONTOSO.COM
SMS_PACKAGE_TRANSFER_MANAGER 18724 (0x4924) Sent status to the distribution manager for
pkg P010000F, version 3, status 3 and distribution point
["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\~
SMS_PACKAGE_TRANSFER_MANAGER 18724 (0x4924) STATMSG: ID=8210 SEV=I LEV=M
SYS=P01SITE.CONTOSO.COM SITE=P01 PID=36968 TID=18724 GMTDATE=Mon Jan 07
22:22:16.059 2019 ISTR0="P010000F" ISTR1="3" ISTR2="P01PDP1.CONTOSO.COM" ISTR3=""
ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=3 AID0=400
AVAL0="P010000F" AID1=410 AVAL1="3" AID2=404 AVAL2="
SMS_PACKAGE_TRANSFER_MANAGER 18724 (0x4924) Pull DP Sending thread complete~
Note that the job is deleted from the database when after receiving a success status message from the
pull DP, which causes the polling to stop.
Step 7: SMS DP Provider notifies pull DP component (CcmExec) to process the job
On execution of the NotifyPullDP method, DP WMI Provider notifies CcmExec which hosts the pull DP
component. SMSDPProv.log shows:
4688 (0x1250) Successfully notified PullDP
Step 8: Pull DP loads the job(s) from WMI

On receiving a notification, pull DP component loads the job(s) from WMI as well as validates the
<PackageID>.TZ file that was copied by PkgxferMgr.
PullDP 4404 (0x1134) CPullDPService::LoadJobsFromXML for P010000F.3

PullDP 4404 (0x1134) - P010000F.3 - XML has 1 content jobs.
PullDP 4404 (0x1134) CPullDPPkgContJob::LoadContentJobFromXML(): Set JobState = NotStarted
PullDP 4404 (0x1134) - P010000F.3 - Loaded content job {C10457F9-DE3A-4B45-878C-345919AFF97E} for
content Content_3c9813ba-d7ab-4963-929c-36f90f479613.1 from XML...
PullDP 4404 (0x1134) CPullDPPkgJob::LoadJobFromXML() successfully loaded job for package P010000F.3,
there are 1 content jobs. ...
PullDP 4404 (0x1134) Successfully verified content info Hash E:\SMS_DP$\P010000F.tz
:3ED23B9869F7E10E19439F11341405FF76E22022E56468DCF211475899BD2914
PullDP 4404 (0x1134) CPullDPService::ExecuteJobs(). 1 jobs to do
Step 9: Pull DP creates content job(s) to download the content associated with the package
PullDP 4404 (0x1134) P010000F.3 Starting Download there are 1 content jobs.
PullDP 3812 (0xee4) Content job {C10457F9-DE3A-4B45-878C-345919AFF97E} running.
PullDP 3812 (0xee4) ContentExecuteJob {C10457F9-DE3A-4B45-878C-345919AFF97E} (state: 1-NotStarted)
for package P010000F.3 content Content_3c9813ba-d7ab-4963-929c-36f90f479613.1.
In the example above, the job {C10457F9-DE3A-4B45-878C-345919AFF97E} is associated with content

Content_3c9813ba-d7ab-4963-929c-36f90f479613.1. For a package with multiple content items, you would see
the number of jobs (with a unique ID) associated with the package.
PullDP 1320 (0x528) P010000A.2 Starting Download there are 2 content jobs.
PullDP 5012 (0x1394) ContentExecuteJob {55692006-DFE8-4357-86D9-9839C8BF79CF} (state: 1-
NotStarted) for package P010000A.2 content 2484568c-7aba-44ae-8557-05b61d62e70d.
PullDP 4112 (0x1010) ContentExecuteJob {7175CD81-CF67-48C9-AA22-010BF60B640E} (state: 1-
NotStarted) for package P010000A.2 content c085b4ba-8e8f-42bf-8e2d-bc1067697722.
Step 10: (If applicable ) Pull DP downloads content signature
(If applicable) Content job creates a Data Transfer Service (DTS) job to download the package signature. The
signature file is a TAR file which is downloaded from the SMSSIG$ virtual directory from the source distribution
point and contains the RDC signatures for each file in the content. The RDC signatures are used to determine if
the file content have changed and whether to download delta content or full content. This step is only applicable
for content that has changed, so you may not always see this step, and would see step 11 instead.
PullDP 3812 (0xee4) Created SignatureDownload DTS job {3C962758-7ABE-40F2-A585-E5B59E378BEA} for

package P010000F.3, content id Content_3c9813ba-d7ab-4963-929c-36f90f479613.1. JobState =
NotStarted
PullDP 3812 (0xee4) CPullDPPkgContJob::NotifyDeltaDownload. JobState = [Downloading Signature]
Content_3c9813ba-d7ab-4963-929c-36f90f479613.1 for package P010000F.3 content job id {C10457F9-
DE3A-4B45-878C-345919AFF97E}
PullDP 752 (0x2f0) ContentExecuteJob {C10457F9-DE3A-4B45-878C-345919AFF97E} (state: 4-
Downloading Signature) for package P010000F.3 content Content_3c9813ba-d7ab-4963-929c-
36f90f479613.1.
DataTransferSer vice.log shows the progress of the DTS job, which creates a BITS job to download the
signature file and notifies upon completion:
DataTransferService 3812 (0xee4) DTSJob {3C962758-7ABE-40F2-A585-E5B59E378BEA} created to

download from '< https://P01MP.CONTOSO.COM:443/SMS_DP_SMSSIG$ >' to
'E:\SMS_DP$\P010000F\Content_3c9813ba-d7ab-4963-929c-36f90f479613.1'.
DataTransferService 3856 (0xf10) Starting BITS download for DTS job '{3C962758-7ABE-40F2-A585-
E5B59E378BEA}'.
DataTransferService 3856 (0xf10) Starting BITS job '{43647077-986C-4727-A954-B327ECA50302}' for DTS
job '{3C962758-7ABE-40F2-A585-E5B59E378BEA}' under user 'S-1-5-18'.
DataTransferService 3856 (0xf10) Adding to BITS job: Content_3c9813ba-d7ab-4963-929c-
36f90f479613.1.tar
DataTransferService 2528 (0x9e0) DTSJob {3C962758-7ABE-40F2-A585-E5B59E378BEA} successfully
completed download.
DataTransferService 3856 (0xf10) Execute called for DTS job '{3C962758-7ABE-40F2-A585-E5B59E378BEA}'.
Current state: 'RetrievedData'.
DataTransferService 3856 (0xf10) DTSJob {3C962758-7ABE-40F2-A585-E5B59E378BEA} in state
'NotifiedComplete'.
DataTransferService 3856 (0xf10) DTS job {3C962758-7ABE-40F2-A585-E5B59E378BEA} has completed:
Pull DP receives the completion notification, and processes the signatures to determine if full or delta download
is required.
PullDP 4300 (0x10cc) DTS message for content job {C10457F9-DE3A-4B45-878C-345919AFF97E} received,
searching 1 active jobs for any containing this content job. DTS Job is {3C962758-7ABE-40F2-A585-
E5B59E378BEA}
PullDP 4300 (0x10cc) DTS succeeded message received for P010000F.3, content job {C10457F9-DE3A-
4B45-878C-345919AFF97E}, status is 0x0 :
PullDP 3856 (0xf10) ContentExecuteJob {C10457F9-DE3A-4B45-878C-345919AFF97E} (state: 5-Signature
Downloaded) for package P010000F.3 content Content_3c9813ba-d7ab-4963-929c-36f90f479613.1.
Step 11: Pull DP creates a DataTransferService (DTS ) job for content download
Pull DP creates a download job for the content. In this example, the content did not exist on the pull DP so a full
download DTS job is created for the package. The DTS job can be used to track the download process in the
DataTransferSer vice.log in the next step:
PullDP 4300 (0x10cc) DTS message for content job {C10457F9-DE3A-4B45-878C-345919AFF97E} received,
searching 1 active jobs for any containing this content job. DTS Job is {3C962758-7ABE-40F2-A585-
E5B59E378BEA}
PullDP 4300 (0x10cc) DTS succeeded message received for P010000F.3, content job {C10457F9-DE3A-
4B45-878C-345919AFF97E}, status is 0x0 :
PullDP 3856 (0xf10) ContentExecuteJob {C10457F9-DE3A-4B45-878C-345919AFF97E} (state: 5-Signature
Downloaded) for package P010000F.3 content Content_3c9813ba-d7ab-4963-929c-36f90f479613.1. ...
PullDP 3856 (0xf10) File To Download: ConfigMgrTools.msi
PullDP 3856 (0xf10) Content_3c9813ba-d7ab-4963-929c-36f90f479613.1: 0 files already exists, 1 files to
download
PullDP 3856 (0xf10) Created FullDownload(Manifest) DTS job {78635652-3D12-4A26-A51B-
D553934ECB54} for package P010000F.3, content id Content_3c9813ba-d7ab-4963-929c-36f90f479613.1,
content job id {C10457F9-DE3A-4B45-878C-345919AFF97E}.
Step 12: DTS creates a BITS job which downloads the content and sends a completion notification
DataTransferSer vice.log shows the progress of the job. With verbose logging enabled for the pull DP,
PullDP.log would show more information about the download progress as well.
DataTransferService 3856 (0xf10) DTSJob {78635652-3D12-4A26-A51B-D553934ECB54} created to

download from '<
https://P01MP.CONTOSO.COM:443/SMS_DP_SMSPKG$/Content_3c9813ba-d7ab-4963-929c-36f90f479613.1 >' to
'E:\SMS_DP$\P010000F\Content_3c9813ba-d7ab-4963-929c-36f90f479613.1\3'.
DataTransferService 3812 (0xee4) Starting BITS job '{04498466-5A8E-4A22-97F2-A66306143A20}' for DTS
job '{78635652-3D12-4A26-A51B-D553934ECB54}' under user 'S-1-5-18'.
DataTransferService 3812 (0xee4) DTSJob {78635652-3D12-4A26-A51B-D553934ECB54} in state
'DownloadingData'.
DataTransferService 752 (0x2f0) DTS job {78635652-3D12-4A26-A51B-D553934ECB54} has completed:
Step 13: Pull DP moves the content to Downloaded state

After the DTS job finishes, pull DP is notified and moves the content to Downloaded state:
PullDP 3812 (0xee4) DTS message for content job {C10457F9-DE3A-4B45-878C-345919AFF97E} received,
searching 1 active jobs for any containing this content job. DTS Job is {78635652-3D12-4A26-A51B-
D553934ECB54}
PullDP 3812 (0xee4) DTS succeeded message received for P010000F.3, content job {C10457F9-DE3A-4B45-
878C-345919AFF97E}, status is 0x0 :
PullDP 3856 (0xf10) ContentExecuteJob {C10457F9-DE3A-4B45-878C-345919AFF97E} (state: 9-
Downloaded) for package P010000F.3 content Content_3c9813ba-d7ab-4963-929c-36f90f479613.1.
Step 14: Content is moved to the content library and state moves to Succeeded
After the content is successfully Downloaded , pull DP then moves the content to the content library (which is
also known as Single Instance Storage). After the content is moved to the content library, the content moves to
SIApplied state followed by the Succeeded state.
PullDP 3856 (0xf10) CPullDPPkgContJob::ApplySingleInstancing(): JobState = Downloaded

PullDP 3856 (0xf10) CPullDPPkgContJob::NotifySIApplied(). JobState = SIApplied
PullDP 3812 (0xee4) Content job {C10457F9-DE3A-4B45-878C-345919AFF97E} running.
PullDP 3812 (0xee4) ContentExecuteJob {C10457F9-DE3A-4B45-878C-345919AFF97E} (state: 13-SIApplied)
for package P010000F.3 content Content_3c9813ba-d7ab-4963-929c-36f90f479613.1.
...
PullDP 3812 (0xee4) CPullDPPkgContJob::NotifySucceeded(). Content job {C10457F9-DE3A-4B45-878C-
345919AFF97E} for package P010000F.3 and content Content_3c9813ba-d7ab-4963-929c-36f90f479613.1
has completed successfully. JobState = Succeeded
PullDP 3812 (0xee4) Notification that content job {C10457F9-DE3A-4B45-878C-345919AFF97E} for
package P010000F.3 has completed.
After each content item is added to the content library, SMSDPProv.log is also notified and reports the following:
4688 (0x1250) Content 'Content_3c9813ba-d7ab-4963-929c-36f90f479613.1' for package 'P010000F' has

been added to content library successfully
Note that there may be multiple content items associated with a single package (for example, an application
with more than a Deployment Type or a Software Update Package). For each content associated with the
package, a DTS job is created for content download and the content is moved to the content library (Succeeded
state) upon successful completion. Because of this, you may see multiple content items for a package move to
Succeeded state in the PullDP.log but the overall package status may still remain in In Progress state if other
content items that are part of the package are still be downloading.
Step 15: After all content is downloaded, package moves to 'Succeeded' state
After all the content jobs for the package have completed successfully and applied to the content library, pull DP
moves the package to Succeeded state.
PullDP 3812 (0xee4) All 1 content jobs for P010000F.3 have completed, notify of success for this pull dp job.
PullDP 3812 (0xee4) P010000F.3 has completed successfully, will clear stored content job state.
Step 16: Pull DP sends a state message to the management point (MP)
After completion of the download, a state message is sent to the management point with State ID 1 indicating
Success .
PullDP 3812 (0xee4) Report state message 0x00000001 (1) to MP for package 'P010000F.3'
PullDP 3812 (0xee4) Request was successful.
PullDP 3812 (0xee4) CPullDPResponse::ReportPackageState return value 0x00000000.
With verbose and debug logging enabled, you can see the entire message body:
PullDP 3812 (0xee4) Sending Report

PullDP 3812 (0xee4) <Report><ReportHeader><Identification><Machine>
<ClientInstalled>0</ClientInstalled><ClientType>1</ClientType><Unknown>0</Unknown><ClientID
IDType="0" IDFlag="1">925b0ab0-247b-466b-be0f-93d7cb032c87</ClientID>
<ClientVersion>5.00.0000.0000</ClientVersion>
<NetBIOSName>P01PDP1.CONTOSO.COM</NetBIOSName><CodePage>437</CodePage>
<SystemDefaultLCID>1033</SystemDefaultLCID></Machine></Identification><ReportDetails>
<ReportContent>StateMessage</ReportContent><ReportType>Full</ReportType>
<Date>20190107200618.000000+000</Date><Version>1.0</Version><Format>1.1</Format>
</ReportDetails></ReportHeader>
<ReportBody><StateMessage MessageTime="20190107200618.000000+000" SerialNumber="3"><Topic
ID="P010000F" Type="902" IDType="0"/><State ID="1" Criticality="0"/><UserParameters Flags="0"
Count="4"><Param>P010000F</Param><Param>["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:
["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\</Param><Param>{04AD1BB3-5E54-457A-9873-
DFB2E8035090}</Param><Param></Param></UserParameters></StateMessage></ReportBody>
During content download, there are intermediate state messages sent to the MP which include the download
percentage. To see all available State IDs, see Advanced troubleshooting tips for Content Distribution.
Step 17: Pull DP clears the content job state in WMI
After sending the Success state message, pull DP clears the job states for the package.
PullDP 3812 (0xee4) Clearing content job states for all 1 content jobs in package P010000F.3.
PullDP 3812 (0xee4) CPullDPService::ClearCompletedJobs(), removing 1 completed jobs.
PullDP 3812 (0xee4) Removing job for package P010000F.3 from job array and WMI.
PullDP 3812 (0xee4) Clearing content job states for all 1 content jobs in package P010000F.3.
Step 18: MP_Relay endpoint on the MP receives the state message and moves it to site server
MP_Relay endpoint on the management point processes the state message and routes the state message SMX
file to the auth\statesys.box\incoming directory on the site server. If the MP is co-located on the site server
(example below), it's directly sent to the inboxes\auth\statesys.box\incoming directory. If the MP is remote, it
moves it to \mp\outboxes\StateMsg.box directory on the MP, and MP file dispatch manager (MPFDM) moves the
file to the inboxes\auth\statesys.box\incoming directory on the site server.
MP_RelayEndpoint 25912 (0x6538) Mp Message Handler: start message processing for Relay. ----------------
-------
MP_RelayEndpoint 25912 (0x6538) Mp Message Handler: FileType=SMX
MP_RelayEndpoint 25912 (0x6538) Message Body :
<ClientType>1</ClientType><Unknown>0</Unknown><ClientID IDType="0" IDFlag="1">925b0ab0-
247b-466b-be0f-93d7cb032c87</ClientID><ClientVersion>5.00.0000.0000</ClientVersion>
</ReportDetails></ReportHeader>
<ReportBody><StateMessage MessageTime="20190107200618.000000+000" SerialNumber="3"><Topic
ID="P010000F" Type="902" IDType="0"/><State ID="1" Criticality="0"/><UserParameters Flags="0"
Count="4"><Param>P010000F</Param><Param>["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:
DFB2E8035090}</Param><Param></Param></UserParameters></StateMessage></ReportBody>
</Report>
MP_RelayEndpoint 25912 (0x6538) Inv-Relay Task: Processing message body
MP_RelayEndpoint 25912 (0x6538) Relay: Outbox dir: E:\ConfigMgr\inboxes\auth\statesys.box\incoming
Note that verbose and debug logging should be enabled on the MP to see above log entries on the MP. Without
verbose and debug logs, MP_Relay.log will just log "".
Step 19: State System component on site server processes the state message into the database
After the state message SMX file arrives in the StateSys.box\incoming directory, State System component on the
site server processes the message. All state messages are processed by calling spProcessReport stored
procedure. For pull DP state messages, spProcessReport calls spProcessPullDPMessage which updates the
PullDPResponse table with the state message details.
SMS_STATE_SYSTEM 23544 (0x5bf8) CMessageProcessor - Processing file: N_6RB4OA3A.SMX

SMS_STATE_SYSTEM 23544 (0x5bf8) CMessageProcessor - the cmdline to DB exec
dbo.spProcessStateReport N'?<Report><ReportHeader><Identification><Machine>
<ClientInstalled>0</ClientInstalled><ClientType>1</ClientType><Unknown>0</Unknown><ClientID
IDType="0" IDFlag="1">925b0ab0-247b-466b-be0f-93d7cb032c87</ClientID>
</ReportDetails></ReportHeader>~~ <ReportBody><StateMessage
MessageTime="20190107200618.000000+000" SerialNumber="3"><Topic ID="P010000F" Type="902"
IDType="0"/><State ID="1" Criticality="0"/><UserParameters Flags="0" Count="4">
<Param>P010000F</Param><Param>["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:
DFB2E8035090}</Param><Param></Param></UserParameters></StateMessage></ReportBody>~~
</Report>~~'
Note that StateSys.log does not log the message body unless verbose logging for StateSys.log is enabled. To
enable verbose logging for StateSys.log , see Enable verbose logging.
Here's the excerpt from spProcessReport stored procedure which processes the pull DP state messages:
else if @TopicType=902 -- Pull Distribution Point

exec @Ret=spProcessPullDPMessage @SenderID=@SenderID, @MessageTime=@tmMessageTime, @PkgID=@TopicID,
@PkgVersion=@MessageSerialNumber, @StateID=@StateID, @P1=@P1, @P2=@P2, @P3=@P3, @P4=@P4, @P5=@P5,
@Error=@Error OUTPUT
Step 20: SMSDBMON notifies DistMgr to update the status

After PullDPResponse table is updated, SMSDBMON detects a change in the table and drops a .PUL file for
DistMgr to process, where the name of the file identifies the row that was inserted/modified.
SMS_DATABASE_NOTIFICATION_MONITOR 29748 (0x7434) RCV: INSERT on PullDPResponse for

PullDPResponse_UpdIns [72057594037928008 ][145014]
E:\ConfigMgr\inboxes\distmgr.box\incoming\72057594037928008.PUL [145014]
Step 21: DistMgr updates the distribution status

DistMgr processes the .PUL file, and retrieves the row from PullDPResponse table based on the file name and
updates the package status. After the response is processed, DistMgr deletes the processed row from the
PullDPResponse table.
SMS_DISTRIBUTION_MANAGER 32876 (0x806c) SQL>>>select s.ID, s.PkgServer, s.SiteCode,

p.StoredPkgVersion, s.Status, r.PkgVersion, r.ActionState, r.ActionData, p.PkgFlags, p.ShareType,
CONVERT(VARCHAR(64), r.MessageTime, 127) AS MessageTime from PullDPResponse r join PkgStatus s on
r.PkgStatusID = s.PKID AND r.PkgStatusID = 72057594037928008 join SMSPackages p on s.ID = p.PkgID
SMS_DISTRIBUTION_MANAGER 32876 (0x806c) ~Processing PullDP response P01 -
["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\
SMS_DISTRIBUTION_MANAGER 32876 (0x806c) Package P010000F, Version 3(3), ActionState 1, PkgStatus
0, ActionData =
SMS_DISTRIBUTION_MANAGER 32876 (0x806c) ~Successfully updated the package server status for
["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\ for
package P010000F, Status 3
SMS_DISTRIBUTION_MANAGER 32876 (0x806c) SQL>>>DELETE FROM PullDPResponse WHERE
PkgStatusID = 72057594037928008 AND MessageTime = '2019-01-07T20:06:18'
SMS_DISTRIBUTION_MANAGER 32876 (0x806c) ~Successfully processed PullDP response file
E:\ConfigMgr\inboxes\distmgr.box\INCOMING\72057594037928008.PUL
Step 22: Database replication replicates the status change to other sites
Update a package
When you update a package, the package content is resent to all of the distribution points that the package was
distributed to. This is done by incrementing Package Source version, and only the content changes are sent to
the DPs instead of sending all of the content again.
The following steps outline the flow of events that occur when a package is updated. In this example, we will
look at the package update operation for a package that was created at a primary site and focus on process
changes specific to the package update operation.
Step 1: The admin console executes the RefreshPkgSource method against the SMS_Package WMI class in the
SMS Provider namespace
After the administrator updates the package from the console, the admin console calls the RefreshPkgSource
method of the SMS_Package class to update the package. SMSProv.log shows the following:
SMS Provider 4716 (0x126c) Context: SMSAppName=Configuration Manager Administrator console~

SMS Provider 4716 (0x126c) ExecMethodAsync : SMS_Package.PackageID="
<PackageID>"::RefreshPkgSource ~
SMS Provider 4716 (0x126c) CExtProviderClassObject::DoExecuteMethod RefreshPkgSource~
SMS Provider 4716 (0x126c) Auditing: User CONTOSO\Admin called an audited method of an instance of
class SMS_Package.~
When this method is called, SMS Provider updates SMSPackages to set Action to 1 (UPDATE) and inserts a row
in PkgNotification table.
update SMSPackages set Source = N'\\PS1SITE\SOURCE\Packages\200MB_1', StoredPkgVersion = 1, UpdateMask = 32,

UpdateMaskEx = 8388608, Action = 1 where PkgID = N'PackageID'

SMSDBMON detects a change in the PkgNotification table which causes it to drop a < PackageID >.PKN file in
DistMgr.box to instruct DistMgr to process the package:

PkgNotify_Add [<PackageID>][1036610]
SMS_DATABASE_NOTIFICATION_MONITOR 1792 (0x700) SND: Dropped E:\ConfigMgr\inboxes\distmgr.box\
Step 3: DistMgr wakes up to process the package after receiving the PKN file
processing thread.
SMS_DISTRIBUTION_MANAGER 4824 (0x12d8) Found package properties updated notification for

processing queue.
processing threads.
2. The package processing thread creates a package snapshot, writes content to the content library and
increments the package version.
The package processing thread (thread ID 5776 in this case) starts processing the package and creates a
package snapshot. After creating the package snapshot, this thread also writes the package content to the
content library on the site server:

SMS_DISTRIBUTION_MANAGER 5776 (0x1690) Start updating the package <PackageID>...
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) Taking package snapshot for package <PackageID>
from source \\PS1SITE\SOURCE\Packages\200MB_1
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) The size of package <PackageID>, version 2 is
204800 KBytes
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) Writing package definition for <PackageID>
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~Successfully created RDC signatures for package
<PackageID> version 2
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) Creating hash for algorithm 32780
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) The hash for algorithm 32780 is <HashString>
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) The RDC signature hash for algorithm 32780 is
79A56464F7BAC44B3D183D5EFC1160E51F95A34FECA492AAD73BC73C8B6DBA38
PID=5428 TID=5776 GMTDATE=Tue May 17 18:31:23.782 2016 ISTR0="PS100039" ISTR1=""
AID0=400 AVAL0="PS100039"
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~The source for package PS100039 has changed or
the package source needs to be refreshed
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~Adding these contents to the package PS100039
version 2.
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~The Package Action is 1, the Update Mask is 32 and
UpdateMaskEx is 0.
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~Successfully created/updated the package
PS100039.
PID=5428 TID=5776 GMTDATE=Tue May 17 18:31:23.982 2016 ISTR0="PS100039" ISTR1=""
AID0=400 AVAL0="PS100039"
3. Package processing thread processes starts DP threads to process package actions then waits for them to
exit.
The package processing thread processes the package actions to update the package, which involves
updating the package on all the DPs where this package is distributed. Since there are package actions to
process, the package processing thread creates DP threads to perform these actions and waits for the DP
threads to exit before moving on.
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) Start updating package PS100039 on server

["Display=\\PS1SITE.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1SITE.CONTOSO.COM\...
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~Created DP processing thread 920 for addition or
update of package PS100039 on server ["Display=\\PS1SITE.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1SITE.CONTOSO.COM\
["Display=\\PS1SYS.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\PS1SYS.CONTOSO.COM\...
update of package PS100039 on server ["Display=\\PS1SYS.CONTOSO.COM\"]MSWNET:
["SMS_SITE=PS1"]\\PS1SYS.CONTOSO.COM\
update of package PS100039 on server ["Display=\\PS1DP1.CONTOSO.COM\"]MSWNET:
update of package PS100039 on server ["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~Waiting for all DP threads to complete for package
PS100039 processing thread.
4. DP threads start and create PkgXferMgr jobs to transfer content to the DPs, then exit.
DP threads start working on creating a PkgXferMgr job to update the package on the DPs. At this point
there are four DP threads for four different DPs:
SMS_DISTRIBUTION_MANAGER 5948 (0x173c) DP Thread: Attempting to add or update package

PS100039 on DP ["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
SMS_DISTRIBUTION_MANAGER 5948 (0x173c) ~Created package transfer job to send package
PS100039 to distribution point ["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
SMS_DISTRIBUTION_MANAGER 5948 (0x173c) Performing cleanup prior to returning.
SMS_DISTRIBUTION_MANAGER 5948 (0x173c) Cancelling network connection to
\\PS1DP2.CONTOSO.COM\ADMIN$.

values(35,N'PS100039',2,0,N'2016/05/17 14:31:35',1)
5. (if applicable) Package processing thread creates a mini-job to send the compressed copy of the package
to other sites.
After all the DP threads finish working, the package processing thread creates a mini-job to send the
compressed copy of the package to other sites, if applicable. This mini-job is processed by Scheduler to
create a send request for Sender to transfer the compressed copy of the package to the destination site:
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~All DP threads have completed for package

PS100039 processing thread.
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~Package PS100039 does not have a preferred
sender.
PID=5428 TID=5776 GMTDATE=Tue May 17 18:31:44.977 2016 ISTR0="PS100039" ISTR1="PS2"
AID0=400 AVAL0="PS100039" ...
package PS100039 to site PS2
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~Sending a copy of package PS100039 to site PS2
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~Setting CMiniJob transfer root to
E:\SMSPKG\PS100039.DLT.1.2
package PS100039 to site PS2. Transfer root = E:\SMSPKG\PS100039.DLT.1.2. ...
package PS100039 to site SS1
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~Sending a copy of package PS100039 to site SS1
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~Setting CMiniJob transfer root to
E:\SMSPKG\PS100039.DLT.1.2
package PS100039 to site SS1. Transfer root = E:\SMSPKG\PS100039.DLT.1.2.
6. Package processing thread exits after processing the package:
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) Package PS100039 is new or has changed,

replicating to all applicable sites.
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~CDistributionSrcSQL::UpdateAvailableVersion
PackageID=PS100039, Version=2, Status=2301
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~StoredPkgVersion (2) of package PS100039.
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~SourceVersion (2) of package PS100039.
PID=5428 TID=5776 GMTDATE=Tue May 17 18:31:45.415 2016 ISTR0="Dummy2"
ISTR1="PS100039" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9=""
NUMATTRS=1 AID0=400 AVAL0="PS100039"
SMS_DISTRIBUTION_MANAGER 5776 (0x1690) ~Exiting package processing thread for package
PS100039.

SMSDBMON detects a change in the DistributionJobs table and drops a PKN file in PkgTransferMgr.box to
instruct PkgXferMgr to process the job:

DistributionJob_Creation [PS100039 ][1036623]
E:\ConfigMgr\inboxes\PkgTransferMgr.box\PS100039.PKN [1036623]

For standard DPs, a sending thread copies the content to the DP, and the remaining process is identical to the
process described in step 6 of Distribute a package to standard DP.
For pull DPs, a pull DP sending thread sends the notification to the pull DP to perform content download. Pull
DP then downloads the content from the source DP, and the remaining process is identical to the process
described in step 6 of Distribute a package to pull DP.
Step 6: The package status changes are replicated to other sites via DRS
Redistribute a package
When you redistribute a package to a DP, all of the package content files are re-copied to the DP even if the
content already exists in the content library on the DP.
The following steps outline the flow of events that occur when a package is redistributed to a DP. In this example,
the primary site server already has a compressed copy of the package. This process is identical to the process
outlined in Distribute a package to standard DP or Distribute a package to pull DP, so here we only look at
detailed log snippets for relevant changes.
Step 1: Administrator redistributes the package to the DP
Step 2: If Administrator redistributed the package from a different primary site or the central administration
site, DRS replicates changes to the site in question
2. The package processing thread creates DP threads to process package actions and waits for them to exit.
3. The DP threads create a PkgXferMgr job to add the package to the DPs and then exits.
The DP thread starts working on adding the package to the DP. DP threads do not copy the package
content to the DP directly, but instead creates a job for Package Transfer Manager (PkgXferMgr)
instructing it to copy the package content to the DP. The following log entries show the DP thread creating
a PkgXferMgr job. After the job is created, the DP thread's work is done and the DP thread exits.
SMS_DISTRIBUTION_MANAGER 3792 (0xed0) DP Thread: Attempting to add or update package

SMS_DISTRIBUTION_MANAGER 3792 (0xed0) ~Created package transfer job to send package
<PackageID> to distribution point ["Display=\\PS1DP2.CONTOSO.COM\"]MSWNET:
SMS_DISTRIBUTION_MANAGER 3792 (0xed0) STATMSG: ID=2357 SEV=I LEV=M SOURCE="SMS
PID=5428 TID=3792 GMTDATE=Mon May 16 19:26:58.642 2016 ISTR0="<PackageID>" ISTR1="
When the DP thread creates a PkgXferMgr job, it does so by inserting a row in the DistributionJobs
table. For redistributing a package, Action is set to 2 .
values(32,N'CS100026',1,0,N'2016/05/16 16:03:49',2)
4. The package processing thread exits after all DP threads exit.

1. The main PkgXferMgr thread creates a sending thread.
2. The sending thread or pull DP sending thread processes the job.
Standard DP:
Sending thread starts copying the package contents to the DP. This process involves copying all the files
in the package to the DP in the SMS_DP$ directory. Since the package was redistributed, PkgXferMgr
shows that Redistribute is set to 1 , which means that all the files will get re-copied to the DP even if
they already exist in the content library on the DP.
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) Sending thread starting for Job: 583, package:
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) Sent status to the distribution manager for
pkg <PackageID>, version 1, status 0 and distribution point
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) Performing preactions package <PackageID>,
Distribution point PS1DP1.CONTOSO.COM
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) Sending legacy content <PackageID>.1 for
package <PackageID>
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) Redistribute=1 , Related=
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) Sending file
42454A174D7E26533-<PackageID>.1.temp'
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) ~Sending Started
[E:\SCCMContentLib\FileLib\73E0\73E055438D4731F41DB6C3BCB90919F60000226B330C7394245
4A174D7E26533]
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) ~Attempt to write 983040 bytes to
\\PS1DP1.CONTOSO.COM\SMS_DP$\73E055438D4731F41DB6C3BCB90919F60000226B330C7394
2454A174D7E26533-<PackageID>.1.temp at position 208732160
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) ~Wrote 983040 bytes to
\\PS1DP1.CONTOSO.COM\SMS_DP$\73E055438D4731F41DB6C3BCB90919F60000226B330C7394
2454A174D7E26533-<PackageID>.1.temp at position 208732160 in 344 ticks
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) ~Sending completed
[E:\SCCMContentLib\FileLib\73E0\73E055438D4731F41DB6C3BCB90919F60000226B330C7394245
4A174D7E26533]
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) Completed post-actions for remote DP
PS1DP1.CONTOSO.COM
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) ~Sending completed successfully
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) ~Finished sending SWD package
<PackageID> version 1 to distribution point PS1DP1.CONTOSO.COM
SMS_PACKAGE_TRANSFER_MANAGER 5272 (0x1498) STATMSG: ID=8200 SEV=I LEV=M
AID1=410 AVAL1="1"
Pull DP:
Pull DP sending thread sends a notification to the pull DP to start downloading the content. Since the
package was redistributed, the generated notification XML shows that Action is set to redist , which
means that all the files will get re-downloaded by the pull DP even if they already exist in the content
library on the pull DP.
Here's how a sample query that generates the notification XML query looks like showing that the Action
is redist since the content was redistributed:
SELECT [dbo].[fnGetPullDPXMLNotification]('P010000F', 3, 'P01PDP1.CONTOSO.COM', 2, 'redist', 1,

'O:SYG:BAD:P(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;;FA;;;BA)
(A;OICIIO;GA;;;BA)', 0, 32780, '3ED23B9869F7E10E19439F11341405FF76E22022E56468DCF211475899BD2914',
'') AS Notification
On receiving a notification for a redistribute action, PullDP.log will show that all content will get
redownloaded even if some/all of the content may exist in the content library.
PullDP 3676 (0xe5c) Content_3c9813ba-d7ab-4963-929c-36f90f479613.1: redistribute/redownload

all files
After this is done, the remaining process is similar to the process described in step 6 of Distribute a
package to pull DP.
Step 7: SMS DP Provider adds the content to the content library
Step 8: DistMgr processes the status messages sent by PkgXferMgr
Step 9: Package status changes are replicated to other sites via DRS
This article discusses how to troubleshoot common content distribution issues.

Sample problem
For this example, let's say that you distributed a package to a distribution point but the package is in either a
Failed or In Progress state for the DP.
1. First, review DistMgr.log on the site (primary/secondary) where the DP resides.
a. Look for ~Processing package entries in the log and identify the package processing thread for the
package ID in question. Filter DistMgr.log for the thread ID you identified. Review step 4 in Distribute a
package to standard DP to see log excerpts.
b. Review the filtered log and check if a DP thread was created for the DP in question. Filter DistMgr.log
for the thread ID to make this easier.
c. Review the filtered log and check whether a PkgXferMgr job was created.
2. Review PkgXferMgr.log on the site (primary/secondary) where the DP resides.
a. Look for Found send request with ID entries in the log and identify the sending thread for the affected
DP/package combination. Filter PkgXferMgr.log for the thread ID identified. Review step 6 in
Distribute a package to standard DP to see log excerpts.
b. Review the filtered log to see if the content was successfully transferred to the DP or if there was an
error.
3. For Standard DPs, PkgXferMgr copies the content file(s) to the DP, it instructs the DP WMI Provider to add
the file to the content library by calling WMI methods. Review SMSDPProv.log on the DP to ensure that
content was added to the content library. Review step 7 in Distribute a package to standard DP to see log
excerpts.
For pull DPs, PkgXferMgr notifies pull DP to initiate the content download. Review steps 8-16 in
Distribute a package to pull DP to understand the flow and review PullDP.log and
DataTransferSer vice.log to ensure content was downloaded successfully.
4. For standard DPs, PkgXferMgr sends a status message to DistMgr. Review DistMgr.log to verify if the
status message was processed successfully. Review step 8 in Distribute a package to standard DP to see
log excerpts.
For pull DPs, pull DP sends a state message to indicate success. Review steps 16-22 in Distribute a
package to pull DP to understand the flow and review the relevant logs to ensure state message is
processed successfully.
5. If multiple sites are involved, ensure that database replication is working and the database links between
relevant sites are active.
Common DistMgr issues

DistMgr.log shows the following entry for the package ID in question:
SMS_DISTRIBUTION_MANAGER 2732 (0xaac) ~The contents for the package \<PackageID> hasn't arrived from
site CS1 yet, will retry later.
This usually happens temporarily while the content is in transit from one site to another. Review the
Sender/Despooler logs to ensure that there are no issues with site communications. If you see errors
during site to site communication (Scheduler -> Sender -> Despooler ), focus on resolving those
errors before troubleshooting the above message in DistMgr.log . Review Distribute a package to DP
across sites to understand the log flow.
If there are no errors, it may be necessary to force the parent site to resend the package to the affected
site. See Resend compressed copy of a package to a site for more information.
DistMgr.log may show that it's busy processing other packages and is using all the available threads for
package processing.
SMS_DISTRIBUTION_MANAGER 4824 (0x12d8) ~Currently using 3 out of 3 allowed package processing

threads.
If you see this, review the current package processing threads in DistMgr.log to see if they are stuck. You
can also review the Package Processing Queue and Packages Being Processed registry values
under the following registry key to see how many packages are currently in the Processing Queue:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_DISTRIBUTION_MANAGER
If the Packages Being Processed values do not change and are stuck over a long period of time, it is
possible that DistMgr is hung/stuck. If this happens, capture a process dump of SMSExec.exe for review.
If there are many packages in the queue but the queue is moving, it may be necessary to review and
change the thread configuration.
DistMgr.log does not process the incoming PKN files, and as a result packages are not being processed.
This is resulting in a backlog of PKN files in the DistMgr inbox.
PKN files are processed by the main DistMgr thread so in these cases it's helpful to identify the main
DistMgr thread ID by looking for the SMS_EXECUTIVE started SMS_DISTRIBUTION_MANAGER log entry,
then filter the DistMgr.log for the thread ID identified.
In most cases, this issue occurs when the main DistMgr thread is making a WMI call to a remote DP but
WMI on the DP is not responding, causing DistMgr to wait for it indefinitely. Filtering the DistMgr.log for
the main DistMgr thread can provide clues about the DP it's trying to communicate with. Once identified,
check if the DP is responding and WMI is functional on the DP. If necessary, reboot the DP to see if that
helps.
If the filtered DistMgr.log doesn't provide any clues, capture a process dump of SMSExec.exe while in
problem state for review.
Common PkgXferMgr issues

PkgXferMgr.log shows an error while adding files to the content library on the DP:
SMS_PACKAGE_TRANSFER_MANAGER 5744 (0x1670) ~Sending completed
[D:\SCCMContentLib\FileLib\B53B\B53B6F96ECC3FB2AF59D02C84A2D31434904BACF2F9C90D80107B6602860BCFD]
SMS_PACKAGE_TRANSFER_MANAGER 5744 (0x1670) ~ExecStaticMethod failed (80041001)
SMS_DistributionPoint, AddFile
SMS_PACKAGE_TRANSFER_MANAGER 5744 (0x1670) CSendFileAction::AddFile failed; 0x80041001
SMS_PACKAGE_TRANSFER_MANAGER 5744 (0x1670) ~Deleting remote file
\\DPNAME.CONTOSO.COM\SMS_DP$\Content_b034813c-bc60-4a16-b471-7a0dc3d9662b.1-
B53B6F96ECC3FB2AF59D02C84A2D31434904BACF2F9C90D80107B6602860BCFD
SMS_PACKAGE_TRANSFER_MANAGER 5744 (0x1670) ~ Sending failed. Failure count = 1, Restart time =
12/4/2014 6:14:27 AM Eastern Standard Time
After PkgXferMgr copies the content file to the DP, it executes WMI methods to instruct the remote DP to
add the file to the content library. If the remote DP fails to add the file to the content library, you will see a
generic WMI error (0x80041001 = WBEM_E_FAILED ) in PkgXferMgr.log .
When this happens, it is necessary to review SMSDPProv.log on the DP to identify the reason that the
DP failed to add the file to the content library. If you see File/Path not found errors in
SMSDPProv.log , you would need to capture a Process Monitor trace to determine the reason for failure.
PkgXferMgr.log shows that only one connection is allowed to the DP:
SMS_PACKAGE_TRANSFER_MANAGER 21216 (0x52e0) ~Address to DPNAME.CONTOSO.COM is currently under

bandwidth control, therefore only one connection is allowed, returning send request to the pool.
or
SMS_PACKAGE_TRANSFER_MANAGER 21216 (0x52e0) ~Address to DPNAME.CONTOSO.COM is currently in pulse

mode, therefore only one connection is allowed.
If PkgXferMgr.log shows that 'only one connection is allowed' to the DP, it means that the DP is
configured for bandwidth throttling. If this is the case, PkgXferMgr can only use one thread for the DP,
and as a result only send one package to the DP at a time. See Bandwidth control and threads for more
information.
PkgXferMgr.log shows the address is closed:
SMS_PACKAGE_TRANSFER_MANAGER 7156 (0x1BF4) Address is closed for priority 2 jobs, stop

sending[E:\SCCMContentLib\FileLib\2F08\2F0819F959E788CF843F42E9CA7B44E258B8B4BA37BB63902DB39ACF747BE7
DA]
SMS_PACKAGE_TRANSFER_MANAGER 7156 (0x1BF4) Deleting remote file \\DPNAME.CONTOSO.COM\SMS_DP$\
<PackageID>.6-2F0819F959E788CF843F42E9CA7B44E258B8B4BA37BB63902DB39ACF747BE7DA
SMS_PACKAGE_TRANSFER_MANAGER 7156 (0x1BF4) CSendFileAction::SendFiles failed; 0x80004005
SMS_PACKAGE_TRANSFER_MANAGER 7156 (0x1BF4) Sending failed. Failure count = 1, Restart time =
3/15/2016 8:30:08 AM Mountain Daylight Time
If you see this in the log, it means that the DP is under bandwidth control and the address to the DP
closed while content transfer was in progress. In the example above, the DP schedule was configured for
Allow high priority only during 8:00AM to 10:00AM. As a result, PkgXferMgr stopped sending content at
8:00AM and marked the package/DP in a failed state.
PkgXferMgr.log shows multiple threads starting at the same time for the same job:
SMS_PACKAGE_TRANSFER_MANAGER 8360 (0x20a8) Sending thread starting for Job: 12771, package:
<PackageID>, Version: 8, Priority: 2, server: DPNAME.CONTOSO.COM, DPPriority: 200
SMS_PACKAGE_TRANSFER_MANAGER 10752 (0x2a00) Sending thread starting for Job: 12771, package:
SMS_PACKAGE_TRANSFER_MANAGER 12208 (0x2fb0) Sending thread starting for Job: 12771, package:
SMS_PACKAGE_TRANSFER_MANAGER 4244 (0x1094) Sending thread starting for Job: 12771, package:
SMS_PACKAGE_TRANSFER_MANAGER 8348 (0x209c) Sending thread starting for Job: 12771, package:
Typically, PkgXferMgr uses one thread for a job, but if it uses multiple threads for the same job, the
content transfer may start failing because of error 0x80070020 (ERROR_SHARING_VIOL ATION) .
This happens if the site server and the site database servers are in different time zones. The solution here
is to ensure that the site server and site database servers have the same time zone set.
Common pull DP issues

PkgXferMgr.log shows that the Pull DP is at capacity and no more jobs are sent to the pull DP:
SMS_PACKAGE_TRANSFER_MANAGER 4712 (0x1268) PullDP ["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:

["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\ has reached maximum capacity 50
SMS_PACKAGE_TRANSFER_MANAGER 4712 (0x1268) ~ PullDP has no capacity. Restart time = 1/10/2019 1:16:33
PM Eastern Standard Time
PkgXferMgr runs the following query to check how many jobs are currently in an unfinished state on the
pull DP. If the query returns more than 50 jobs, it will not send any more jobs to the pull DP.
SELECT COUNT(*) FROM DistributionJobs job

JOIN DistributionPoints dp ON dp.DPID=job.DPID AND
dp.NALPath='["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\'
WHERE job.State in (2, 3, 4) AND (job.Action<>5) AND (ISNULL(job.SendAction, '') <> '')
These jobs are removed from the DistributionJobs table when pull DP sends a Success state message
or when the status polling stops (based on configured values). To see the jobs on the pull DP, you can use
wbemtest or WMI Explorer to review the instance count for SMS_PullDPNotification class. You can also
review the instances of ROOT\SCCMDP:SMS_PullDPState WMI class on the pull DP to identify packages that
are in a Failed state and review PullDP.log as well as DataTransferSer vice.log to investigate the
failures.
SignatureDownload job on pull DP fails with HTTP 404 error.
Created SignatureDownload DTS job {JOBID} for package C010000D.28, content id ContentID.
JobState = NotStarted
DTS error message received for C010000D.28, content job {JOBID}, 0x80070002 : BITS error: 'HTTP
status 404: The requested URL does not exist on the server.
This is a known issue because the signature files are not present on a Source DP that is colocated on a
site server. This issue only occurs when the distribution action is not redist .
To work around this issue, use one of the following methods:
Redistribute the package (redistributing the package does not require downloading signatures since
full content is downloaded).
Configure the pull DP to use a source DP that is not colocated on the site server.
DataTransferSer vice.log shows 0x800706D9 when trying to download content from the source DP:
DataTransferService 4864 (0x1300) CDTSJob::HandleErrors: DTS Job '{5285F8B3-C426-4882-85F2-

AD5331DD4179}' BITS Job '{D53BA625-24AA-41FA-A357-6EB1B7D7E701}' under user 'S-1-5-18' OldErrorCount
29 NewErrorCount 30 ErrorCode
0x800706D9 means that there are no more endpoints available from the endpoint mapper. This issue
may occur due to RPC port allocation failures caused by firewall. It can also occur when Windows
Firewall service is disabled.
Check to see if there is a firewall between the site server and the affected server and find out if RPC ports
are open. You can also capture a Network Trace (from the pull DP as well as the source DP server) while
reproducing the error for review.
Pull DP shows that it has a large number of jobs but the jobs are not getting processed.
In some instances (normally after installation of a new pull DP when all content is sent to the pull DP), too
many job failures on the pull DP can end up stalled processing of the jobs. Although most of these issues
are fixed in the recent releases of the product (Configuration Manager version 1810), some
environmental factors can result in pull DP not processing jobs. When this happens, you would likely see
thousands of DTS jobs in ROOT\ccm\DataTransferService:CCM_DTS_JobEx WMI class and ~50 (or more) BITS
jobs in Failed state. In this scenario, it can be beneficial to remove all the job-specific items from WMI on
the pull DP and distribute the content again to the pull DP in a controlled manner and investigate failures.
To remove all the job-specific items from WMI on the Pull DP, you can use the below PowerShell script
(review the script comments for help):
Reset-PullDPState.ps1
<#
.SYNOPSIS
Resets the state of the Pull DP and deletes data from various WMI classes related to Pull DP. You
need to run this script as Administrator.
.DESCRIPTION
This script deletes the data from following WMI classes:
- CCM_DTS_JobEx
- CCM_DTS_JobItemEx
- SMS_PullDPState
- SMS_PullDPContentState
- SMS_PullDPNotification (optional)
The script also checks and reports the count of BITS Jobs.
.PARAMETER ComputerName
(Optional) Name of the Pull DP. You can leave this blank for local machine.
.PARAMETER DeletePullDPNotifications
(Optional) Use this switch if you want to delete the job notifications from SMS_PullDPNotification
class.
.PARAMETER KeepBITSJobs
(Optional) Use this switch if you don't want the script to delete ALL BITS Jobs. If this switch is
not used, ALL BITS jobs are deleted (even the ones that are not created by ConfigMgr)
.PARAMETER NotifyPullDP
(Optional) Use this switch if you want the script to execute NotifyPullDP method against
SMS_DistributionPoint class. This is only useful when there aren't a lot of notifications in WMI and
-DeletePullDPNotifications switch was not used.
.PARAMETER WhatIf
(Optional) Use this switch to see how many instances will be deleted.
(Optional) Use this switch to see how many instances will be deleted.
.EXAMPLE
Reset-PullDPState -WhatIf
This command checks how many Pull PD jobs will get deleted when running the script
.EXAMPLE
Reset-PullDPState
This command resets the Pull DP related WMI classes except the Pull DP job Notification XML's
.EXAMPLE
Reset-PullDPState -DeletePullDPNotifications
This command resets the Pull DP related WMI classes along with the Pull DP job Notification XML's. If
you do this, you would need to distribute/redistribute these packages to the Pull DP again.
.NOTES
07/28/2016 - Version 1.0 - Initial Version of the script
01/09/2019 - Version 2.0 - Added batch size for instance removal to prevent WMI Quota issues. Also
added removal of BITS jobs (can be disabled by using -KeepBITSJobs switch) and restart of CcmExec
service.
#>
[CmdletBinding()]
Param(
[Parameter(Mandatory=$false)]
[string]$ComputerName = $env:COMPUTERNAME,
[switch]$DeletePullDPNotifications,
[switch]$KeepBITSJobs,
[switch]$NotifyPullDP,
[switch]$WhatIf
)
$LogFile = Join-Path (Split-Path $SCRIPT:MyInvocation.MyCommand.Path -Parent) "Reset-PullDPState.log"

$ErrorActionPreference = "SilentlyContinue"
Function Write-Log {
Param(
[string] $text,
[switch] $NoWriteHost,
[switch] $IsErrorMessage,
[switch] $IsWarning,
[switch] $WhatIfMode
)
$timestamp = Get-Date -Format "MM-dd-yyyy HH:mm:ss"

"$timestamp $text" | Out-File -FilePath $LogFile -Append
if ($WhatIfMode) {
Write-Host $text -ForegroundColor Yellow
return
}
if (-not $NoWriteHost) {
if ($IsErrorMessage) {
Write-Host $text -ForegroundColor Red
}
elseif ($IsWarning) {
Write-Host $text -ForegroundColor Yellow
}
else {
Write-Host $text -ForegroundColor Cyan
}
}
}
Function Delete-WmiInstances {
Param(
[string] $Namespace,
[string] $ClassName,
[string] $Filter = $null,
[string] $Property1,
[string] $Property2 = "",
[string] $Property3 = "",
[int] $BatchSize = 10000
)
$success = 0
$totalfailed = 0
$counter = 0
$total = 0
Write-Host ""
Write-Log "$ClassName - Connecting to WMI Class on $ComputerName"
do {
if ($Filter -eq $null) {

$Instances = Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class
$ClassName -ErrorVariable WmiError -ErrorAction SilentlyContinue | Select -First $BatchSize
}
else {
$Instances = Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class
$ClassName -Filter $Filter -ErrorVariable WmiError -ErrorAction SilentlyContinue | Select -First
$BatchSize
}
if ($WmiError.Count -ne 0) {
Write-Log " Failed to connect. Error: $($WmiError[0].Exception.Message)" -
IsErrorMessage
$WmiError.Clear()
return
}
$currentfailed = 0
$current = ($Instances | Measure-Object).Count
if ($current -gt 0) {$script:serviceRestartRequired = $true}
if ($WhatIf) { break }
if ($current -ne $null -and $current -gt 0) {

Write-Log " Found $total total instances (Batch size $BatchSize)"
foreach($instance in $Instances) {
$instanceText = "$Property1 $($instance.$Property1)"
if ($Property2 -ne "") {

$instanceText += ", $Property2 $($instance.$Property2)"
}
if ($Property3 -ne "") {

$instanceText += ", $Property3 $($instance.$Property3)"
}
Write-Log " Deleting instance for $instanceText" -NoWriteHost

$counter += 1
$percentComplete = "{0:N2}" -f (($counter/$total) * 100)

Write-Progress -Activity "Deleting instances from $ClassName" -Status "Deleting
instance #$counter/$total - $instanceText" -PercentComplete $percentComplete -CurrentOperation
instance #$counter/$total - $instanceText" -PercentComplete $percentComplete -CurrentOperation
"$($percentComplete)% complete"
Remove-WmiObject -InputObject $instance -ErrorVariable DeleteError -ErrorAction

SilentlyContinue
if ($DeleteError.Count -ne 0) {
Write-Log " Failed to delete instance. Error:
$($DeleteError[0].Exception.Message)" -NoWriteHost -IsErrorMessage
$DeleteError.Clear()
$currentfailed += 1
}
else {
$success += 1
}
}
$totalfailed += $currentfailed
if ($currentfailed -eq $current) {

# Every instance in current batch failed. Break to avoid infinite while loop
break
}
}
} while (($Instances | Measure-Object).Count -ne 0)
if ($WhatIf) {
if ($total -eq $BatchSize) {
Write-Log " (What-If Mode) Found more than $BatchSize instances which will be deleted"
-WhatIfMode
}
else {
Write-Log " (What-If Mode) $total instances will be deleted" -WhatIfMode
}
}
else {
if ($total -gt 0) {
# $totalfailed is likely not the accurate count here as it could include duplicate
failures due to batching
Write-Log " Deleted $success instances. Failed to delete $totalfailed instances."
}
else {
Write-Log " Found 0 instances."
}
}
}
Function Check-BITSJobs {
$DisplayName = "BITS Jobs"
Write-Host ""
Write-Log "$DisplayName - Gettting jobs on $ComputerName"
Import-Module BitsTransfer
$Instances = Get-BitsTransfer -AllUsers -Verbose -ErrorVariable BitsError -ErrorAction
SilentlyContinue | Where-Object {$_.DisplayName -eq 'CCMDTS Job'}
if ($BitsError.Count -ne 0) {
Write-Log " $DisplayName - Failed to get jobs. Error: $($BitsError[0].Exception.Message)"
-IsErrorMessage
$BitsError.Clear()
}
else {
$total = ($Instances | Measure-Object).Count
Write-Log " $DisplayName - Found $total jobs"
if ($KeepBITSJobs) {
Write-Log " BITS Jobs will not be removed because KeepBITSJobs is true." -WhatIfMode
}
else {
else {
if ($WhatIf) {
Write-Log " (What-If Mode) ALL BITS jobs will be removed since KeepBITSJobs is NOT
specified." -WhatIfMode
}
else {
if ($total -gt 0) {
Write-Log " Removing ALL jobs since KeepBITSJobs is NOT specified."
Remove-BITSJobs
}
else {
Write-Log " There are no jobs to delete."
}
}
}
}
}
Function Remove-BITSJobs {
try {
Stop-Service BITS
Rename-Item "$($env:ALLUSERSPROFILE)\Microsoft\Network\Downloader" -NewName
"Downloader.OLD.$([Guid]::NewGuid().Guid.Substring(0,8))"
Start-Service BITS
$script:serviceRestartRequired = $true
Write-Log " Removed ALL BITS Jobs successfully."
} catch {
Write-Log " Failed to delete the BITS jobs."
Write-Log " If necessary, run 'bitsadmin /reset /allusers' command under SYSTEM account
(using psexec.exe) to delete the BITS Jobs."
Write-Log " Additionally, you can delete these jobs by stopping BITS service, renaming
%allusersprofile%\Microsoft\Network\Downloader folder, and starting BITS service."
}
}
Function Restart-CcmExec {
$DisplayName = "SMS Agent Host"
Write-Host ""
Write-Log "$DisplayName - Checking if service restart is required."
if ($script:serviceRestartRequired) {
if ($WhatIf) {
Write-Log " (What-If Mode) Service Restart will be required." -WhatIfMode
if ($NotifyPullDP) {
Write-Log " (What-If Mode) NotifyPullDP method will be executed." -WhatIfMode
}
else {
Write-Log " (What-If Mode) NotifyPullDP method will NOT be executed because -
NotifyPullDP switch was NOT used." -WhatIfMode
}
return
}
try {
Write-Host ""
Write-Log "### Restarting CCMEXEC service... ###"
Restart-Service CcmExec
Write-Log "### Success! ###"
} catch {
Write-Log "### ERROR! Restart CcmExec Manually in order to recreate BITS jobs for content
transfer! ###"
}
if (-not $DeletePullDPNotifications -and $NotifyPullDP) {

# Only do this if notifications were not deleted. If they were deleted, NotifyPullDP will
not do anything.
try {
try {
Write-Host ""
Write-Log "### Invoking NotifyPullDP WMI method against the SMS_DistributionPoint
class in $DPNamespace."
Invoke-WmiMethod -Namespace root\SCCMDP -Class SMS_DistributionPoint -Name
NotifyPullDP | Out-Null
Write-Log "### Success! ###"
} catch {
Write-Log "### ERROR! Failed to invoke NotifyPullDP method! You can use wbemtest or
WMI Explorer to invoke the method manually. ###"
}
}
else {
if (-not $NotifyPullDP) {
Write-Log "### Skipped invoking NotifyPullDP WMI method because -NotifyPullDP was NOT
specified" -IsWarning
Write-Log "### You can use wbemtest or WMI Explorer to invoke the method manually, if
necessary. ###"
}
if ($DeletePullDPNotifications) {
Write-Log "### Skipped invoking NotifyPullDP WMI method because -
DeletePullDPNotifications was specified" -IsWarning
Write-Log "### Executing NotifyPullDP when there are no notifications does not do
anything." -IsWarning
}
}
}
else {
Write-Log " Service Restart is NOT required. " -WhatIfMode
if ($NotifyPullDP) {
Write-Log " NotifyPullDP method skipped. " -WhatIfMode
}
}
}
Write-Host ""
Write-Log "### Script Started ###"
$script:serviceRestartRequired = $false
if ($WhatIf) {
Write-Host ""
Write-Log "*** Running in What-If Mode" -WhatIfMode
}
$DPNamespace = "root\SCCMDP"
$DTSNamespace = "root\CCM\DataTransferService"
Delete-WmiInstances -Namespace $DTSNamespace -ClassName "CCM_DTS_JobEx" -Filter "NotifyEndpoint like

'%PullDP%'" -Property1 "ID"
Delete-WmiInstances -Namespace $DTSNamespace -ClassName "CCM_DTS_JobItemEx" -Property1 "JobID"
Delete-WmiInstances -Namespace $DPNamespace -ClassName "SMS_PullDPState" -Property1 "PackageID" -
Property2 "PackageVersion" -Property3 "PackageState"
Delete-WmiInstances -Namespace $DPNamespace -ClassName "SMS_PullDPContentState" -Property1
"PackageKey" -Property2 "ContentId" -Property3 "ContentState"
if ($DeletePullDPNotifications) {
Delete-WmiInstances -Namespace $DPNamespace -ClassName "SMS_PullDPNotification" -Property1
"PackageID" -Property2 "PackageVersion"
}
else {
Write-Host ""
Write-Log "SMS_PullDPNotification - Connecting to WMI Class on $ComputerName"
$temp = Get-WmiObject -ComputerName $ComputerName -Namespace $DPNamespace -Class

"SMS_PullDPNotification" -ErrorVariable WmiError -ErrorAction SilentlyContinue
if ($WmiError.Count -ne 0) {
Write-Log " SMS_PullDPNotification - Failed to connect. Error:
Write-Log " SMS_PullDPNotification - Failed to connect. Error:
$($WmiError[0].Exception.Message)" -IsErrorMessage
$WmiError.Clear()
}
else {
Write-Log " Found $(($temp | Measure-Object).Count) instances."
Write-Log " Skipped because DeletePullDPNotifications switch was NOT used." -IsWarning
}
}
if ($ComputerName -eq $env:COMPUTERNAME) {

Check-BITSJobs
}
else {
Write-Host ""
Write-Log "BITS Jobs"
Write-Log " Skipped because script is running against a remote computer." -IsWarning
}
Restart-CcmExec
Write-Host ""
Write-Log "### Script Ended ###"
Write-Host "### Check $LogFile for more details. ###" -ForegroundColor Cyan
#if (-not $WhatIf -and $serviceRestartRequired) {Write-Log "### Please restart the WMI service (which
also restarts CcmExec). ###" -IsWarning}
Write-Host ""
Content shows Installed on the pull DP but URL and URLSubPath for the pull DP is not populated in
ContentDPMap , which causes issues with packages having SMB Access enabled.
When the pull DP has the content successfully installed, it sends a state message that contains the data
necessary to update the URL/URLSubPath values in ContentDPMap . This happens when the pull DP
response is processed. Review steps 16-22 in Distribute a package to pull DP to understand the flow and
review the relevant logs to investigate why the state message is not getting processed. Most likely cause
for this issue is either a backlog of state messages in the \MP\outboxes\StateMsg.box on the management
point or MPFDM failing to copy files to the site server due to permission issues.
Missing content files in content library

There are times when you would notice content missing from the content library. This could happen due to
previous content distribution issues or someone/something accidentally deleting files from the content library.
To confirm that the content is missing from the content library, identify an affected package and track the
package content from PkgLib to FileLib .
Once you confirm that the required content for a Package is missing in the Content Library, see Resend
compressed copy of a package to a site for information on how to re-populate the content.
Generic issues
The DistMgr or PkgXferMgr log shows a file/path not found error:
SMS_PACKAGE_TRANSFER_MANAGER 3776 (0xec0) CContentDefinition::TotalFileSizes failed; 0x80070003

SMS_PACKAGE_TRANSFER_MANAGER 3776 (0xec0) Sending content 000f8a0a-825c-457b-a15b-57ade145a09b for
package \<PackageID>
SMS_PACKAGE_TRANSFER_MANAGER 3776 (0xec0) CSendFileAction::SendFiles failed; 0x80070003
SMS_PACKAGE_TRANSFER_MANAGER 3776 (0xec0) CSendFileAction::SendContent failed; 0x80070003
SMS_PACKAGE_TRANSFER_MANAGER 648 (0x288) Sent status to the distribution manager for pkg <PackageID>,
version 14, status 4 and distribution point ["Display=\\DPNAME.CONTOSO.COM\"]MSWNET:
["SMS_SITE=S01"]\\DPNAME.CONTOSO.COM\~
or
SMS_PACKAGE_TRANSFER_MANAGER 11228 (0x2bdc) Sending legacy content P0100053.2 for package <PackageID>
SMS_PACKAGE_TRANSFER_MANAGER 11228 (0x2bdc) CContentDefinition::TotalFileSizes failed; 0x80070003
SMS_PACKAGE_TRANSFER_MANAGER 11228 (0x2bdc) CSendFileAction::SendFiles failed; 0x80070003
Common error codes: 0x80070002 , 0x80070003 .

For file/path not found errors, the problem is likely due to the fact that the content library on the site
server is missing content files for the package. As a result, PkgXferMgr is not able to send the files to the
DP.
In these cases, you can identify the content ID from the log and track the content from PkgLib to
FileLib to ensure that the files exist. You can also use Content Library Explorer to check if the package
content files are available in the content library, however Content Library Explorer can take some time to
load and it may be easier to manually track the content from PkgLib to FileLib . Alternatively, you can
capture a Process Monitor trace to verify if the necessary files are missing from the content library on the
site server.
If the site that is missing content in the content library is the package source site, it is necessary to update
the package to increment the Package Source version so that DistMgr takes a snapshot of the content
from the package source directory again and re-populates the missing content.
If the site missing the content in the content library is different from the package source site, you can
force the package source site to resend the compressed copy of the package to the affected site. See
Resend compressed copy of a package to a site for more information.
DistMgr/PkgXferMgr log shows a network error:
SMS_DISTRIBUTION_MANAGER 5112 (0x13f8) Failed to make a network connection to

\\DPNAME.CONTOSO.COM\ADMIN$ (0x35).~
SMS_DISTRIBUTION_MANAGER 5112 (0x13f8) ~Cannot establish connection to
["Display=\\DPNAME.CONTOSO.COM\"]MSWNET:["SMS_SITE=PS1"]\\DPNAME.CONTOSO.COM\. Error = 53
SMS_DISTRIBUTION_MANAGER 5112 (0x13f8) Error occurred. Performing error cleanup prior to returning.
Common error codes: 2 , 3 , 53 , 64 .

For network related errors, review the log and identify the server you're trying to communicate with
when you get the error. Once identified, test the following:
1. Can you ping the affected SERVERNAME using the FQDN/NetBIOS/IP address?
2. Can you access \\SERVERNAME\admin$ share using the FQDN/NetBIOS/IP address using the
SYSTEM account from the site server?
3. Can you access \\SERVERNAME\admin$ share using the FQDN/NetBIOS/IP address using the logged
in user's account from the site server?
4. Is there a firewall between the site server and the affected server? Are relevant ports (RPC/SMB)
open?
If the above tests are successful, capture a network trace (from the site server as well as the affected
server) while reproducing the error for review.
DistMgr/PkgXferMgr log shows an access denied error:
SMS_DISTRIBUTION_MANAGER 7076 (0x1ba4) Taking package snapshot for package <PackageID> from
source \\PS1SITE\PKGSOURCE\DummyPackage
SMS_DISTRIBUTION_MANAGER 7076 (0x1ba4) ~The source directory \\PS1SITE\PKGSOURCE\DummyPackage
doesn't exist or the SMS service cannot access it, Win32 last error = 5
SMS_DISTRIBUTION_MANAGER 7076 (0x1ba4) ~Failed to take snapshot of package <PackageID>
Common error codes: 5 , 0x80070005 .

For permissions related errors, review the log and identify the path you're trying to access when you get
the error. Once identified, test the following:
1. Can you ping the affected SERVERNAME if the path is a UNC path?
2. Does the site server computer account have permissions to access the path?
3. Can you access the affected path using the FQDN/NetBIOS/IP address when using the SYSTEM
account from the site server?
4. Can you access the affected path using the FQDN/NetBIOS/IP address when using the logged in user's
account from the site server?
5. Is there a firewall between the site server and the affected server? Are relevant ports (RPC/SMB)
open?
If the above tests are successful, capture a Process Monitor trace from the site server while reproducing
the error for review.
DistMgr/PkgXferMgr look for content in the \bin\x64\FileLib directory instead of the actual content
library location.
This is due to a known issue in the Content Library Transfer tool.
Advanced troubleshooting tips for content
distribution
This article provides some advanced troubleshooting tips to help you identify and solve content distribution
issues.
Enable verbose logging

PkgXferMgr.log
For Package Transfer Manager, verbose logging provides more information in the log about content copy
process, file hashes, and job scheduling. Verbose logging can be enabled by setting the following registry
value to 0 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\SMS_PACKAGE_TRANSFER_MANAGER\LoggingLevel
For Package Transfer Manager, debug logging provides more information about the content copy process.
Debug logging can be enabled by setting the following registry value to 1 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\SMS_PACKAGE_TRANSFER_MANAGER\DebugLogging
NOTE
These registry change(s) do not require a restart of SMS_Executive service.
Client logs (includes pull DP and management point logs)

Verbose logging can be enabled by setting the following registry value to 0 :
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\Logging\@GLOBAL\LogLevel
Debug logging can be enabled by setting the following registry value as REG_SZ with value True :
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\Logging\DebugLogging\Enabled
The CCM log size can be increased to 5M by setting the following registry value to 5242880 (decimal)
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\Logging\@GLOBAL\LogMaxSize
Additionally, you can edit the DWORD value for the following registry value to increase the number of
history log files to be retained:
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\Logging\@GLOBAL\LogMaxHistory
NOTE
These registry change(s) require a restart of SMS Agent Host service.
StateSys.log
Verbose logging for StateSys.log can be enabled by setting the following registry value to 1 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_STATE_SYSTEM\Verbose logging
NOTE
This registry key change does not require a restart of SMS_Executive service.
(Global - site server only) SQL queries

To get information about SQL queries executed by ConfigMgr components, SQL tracing can be enabled
by setting the following registry value to 1 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\SqlEnabled
This registry value adds SQL trace logging for all site server logs. This should only be done temporarily
while troubleshooting, and should be disabled after getting the relevant logs.
NOTE
This registry change does not require a restart of SMS_Executive service.
(Global - site server only) Enable log archiving

There are occasions when the issue does not reproduce on demand and while waiting for the issue to
reproduce, there's a risk of logs rolling over. In these situations, enabling log archiving can be useful as it
allows you to have more historical logs. This is only relevant for site server logs.
Log archiving can be enabled by setting the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\ArchiveEnabled =1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\ArchivePath = <ArchiveLocation>
After enabling log archiving, ConfigMgr will archive the rolled over logs to the <ArchiveLocation>, and
will keep 10 copies of each log.
To increase the number of copies maintained for a specific component when log archiving is enabled, set
the following registry value to 20 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\COMPONENT_NAME\LogMaxHistory
NOTE
These registry change(s) require a restart of SMS_Executive service.
(Per log - site server only) Increase log file size

To increase log file size for an individual log to 50 MB, set the component-specific registry value to
52428800 (decimal):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\COMPONENT_NAME\MaxFileSize
NOTE
This registry change requires a restart of SMS_Executive service.
Resend compressed copy of a package to a site
When a package is first distributed to a site, DistMgr sends a compressed copy of the package to the site. After
the package is extracted in the content library on the site, the local copy of the content is used to send the
package to DPs as long as the same package version is being distributed to the DPs in the site.
There are a few occasions where it's necessary to force a site to resend the compressed copy of a package to a
specified site. Most notably, this is required when:
1. Content is missing from content library ( PkgLib , DataLib , or FileLib ) on a primary or secondary site
server itself.
2. DistMgr.log consistently complains about the content not having arrived from the parent site (for example:
'The contents for the package CS100026 hasn't arrived from site CS1 yet, will retry later').
In most cases, the message 'The contents for the package CS100026 hasn't arrived from site CS1 yet, will retry
later' is logged temporarily while the package content is in transit. When you see this message, review the
Sender/Despooler logs to ensure that there are no issues with site communications. Review Distribute a package
to DP across sites to understand the log flow.
How does DistMgr know if the current site has a copy of the package installed
DistMgr checks if there is a Type 1 row in PkgStatus for the package for the package version in question. If
there is a Type 1 row for the site with Status = Installed , the local copy of the package content is used to send
to the DPs. If there is no Type 1 row in PkgStatus , it means that the package content is not yet installed on the
site server.
Does redistribute package to DP colocated on the site server cause the compressed copy of the package to
get resent
No. Redistributing the package relies on the site already having the package content in the package source
directory. If the package was sent to the site at some point and marked as Installed , then a redistribute action
on the DP colocated on the site server doesn't do anything as DistMgr thinks that the content is already installed
and the following line will be logged in DistMgr.log :
The distribution point is on the siteserver and the package is a content type package. There is nothing to be
copied over.
What if the content is missing in the content library on the package source site
If the content is missing in the content library on the package source site, then resetting the SourceVersion will
not help. The only way to repopulate the missing content is to update the package. Updating the package causes
the package source site to take a package snapshot from the package source location and write the content to
the content library.
How do I force the package source site to resend the compressed copy of the package to a specific site
After confirming that the package source site has the required content, it's possible to force the package source
site to resend the package PCK file to a specific site by setting SourceVersion to 0 for the Type 1 row in
PkgStatus for the affected site. This row can be identified by running the following SQL query on the package
source site's database after replacing the PACKAGEID and SITECODE of the desired package and site:
SELECT * FROM PkgStatus WHERE Type = 1 AND ID = 'PACKAGEID' AND SiteCode = 'SITECODE'
After confirming that this query returns a unique and correct row, running the below query will reset
SourceVersion for this row to 0:
UPDATE PkgStatus SET SourceVersion = 0 WHERE Type = 1 AND ID = 'PACKAGEID' AND SiteCode = 'SITECODE'
After resetting the SourceVersion to 0 for the Type 1 row, redistributing the package to any DP in the affected
site will force the package source site to resend the compressed copy of the package to the affected site.
NOTE
It is very important to run the above query on the site that owns the package, i.e., the package source site.
Relevant tables for content distribution

SMSPackages - Contains a list of all packages
Interesting columns:
C O L UM N VA L UES
Action 0 - NONE
1 - UPDATE
2 - ADD
3 - DELETE
4 - VALIDATE
5 - CANCEL
PackageType 0 - Regular Package

3 - Driver Package
4 - Task Sequence
5 - Software Updates Package
6 - Device Settings Package
7 - Virtual App Package
8 - Content Package (Application)
257 - Operating System Image
258 - Boot Image
259 - OS Installation Package
260 - VHD Package
PkgServers - Contains a list of all the packages along with the DPs they are currently targeted to.
C O L UM N VA L UES
Action 0 - NONE
1 - UPDATE
2 - ADD
3 - DELETE
4 - VALIDATE
5 - CANCEL
PkgStatus - Contains a list of the current package status for each package for each DP.
C O L UM N VA L UES
Type 1 - SITE (MASTER)

2 - DP (COPY)
Type 1 rows are created for each site the package is

targeted to. PkgServer for this row is the site server
FQDN.
Type 2 rows are created for each DP the package is

targeted to. PkgServer is the DP NALPATH.
Status 0 - NONE
1 - SENT
2 - RECEIVED
3 - INSTALLED
4 - RETRY
5 - FAILED
6 - REMOVED
7 - PENDING REMOVE (Not Used)
8 - REMOVE FAILED
9 - RETRY REMOVE
DistributionJobs - Contains a list of Package Transfer Manager Jobs along with their current state.
C O L UM N VA L UES
Action 0 - NONE
1 - UPDATE
2 - ADD
3 - DELETE
4 - VALIDATE
5 - CANCEL
State 0 - PENDING
1 - READY
2 - STARTED
3 - INPROGRESS
4 - PENDING RESTART
5 - COMPLETE
6 - FAILED
7 - CANCELED
8 - SUSPENDED
DistributionPoints - Contains a list of all the distribution points.

C O L UM N VA L UES
C O L UM N VA L UES
Action 0 - NONE
1 - UPDATE
2 - ADD
3 - DELETE
4 - VALIDATE
5 - CANCEL
PullDPResponse - Temporarily contains the package status response sent from the pull DPs. DistMgr
processes the response and updates PkgStatus .
C O L UM N VA L UES
ActionState 1 - SUCCESS
2 - WARNING
4 - ERROR
8 - DOWNLOAD STARTED
16 - DOWNLOAD IN PROGRESS
32 - DOWNLOADED
64 - CANCELED
128 - CANCELLATION REQUESTED
PkgNotification - Notification table monitored by SMSDBMON to trigger DistMgr to process a package.

Type column defines the type of package notification. Rows in this table are removed after SMSDBMON
triggers DistMgr.
C O L UM N VA L UES
Type 0 - UNKNOWN
1 - PACKAGE
2 - PROGRAM
4 - PACKAGE SERVER (DP)
8 - PACKAGE ACCESS ACCOUNT
15 - ALL
Pull DP state messages - List of state message IDs raised by pull DP

C O L UM N VA L UES
State ID 1 - SUCCESS
2 - WARNING
4 - FAILURE
8 - DOWNLOAD STARTED
16 - DOWNLOAD IN PROGRESS
32 - DOWNLOADED
64 - CANCELED
Sample State Message Report:
<Report>
<ReportHeader>
<Identification>
<Machine>
<ClientInstalled>0</ClientInstalled>
<ClientType>1</ClientType>
<Unknown>0</Unknown>
<ClientID IDType="0" IDFlag="1">925b0ab0-247b-466b-be0f-93d7cb032c87</ClientID>
<NetBIOSName>P01PDP1.CONTOSO.COM</NetBIOSName>
<CodePage>437</CodePage>
<SystemDefaultLCID>1033</SystemDefaultLCID>
</Machine>
</Identification>
<ReportDetails>
<ReportContent>StateMessage</ReportContent>
<ReportType>Full</ReportType>
<Date>20190107200618.000000+000</Date>
<Version>1.0</Version>
<Format>1.1</Format>
</ReportDetails>
</ReportHeader>
<ReportBody>
<StateMessage MessageTime="20190107200618.000000+000" SerialNumber="3">
<Topic ID="P010000F" Type="902" IDType="0"/>
<State ID="1" Criticality="0"/>
<UserParameters Flags="0" Count="4">
<Param>P010000F</Param>
<Param>["Display=\\P01PDP1.CONTOSO.COM\"]MSWNET:["SMS_SITE=P01"]\\P01PDP1.CONTOSO.COM\
</Param>
<Param>{04AD1BB3-5E54-457A-9873-DFB2E8035090}</Param>
<Param/>
</UserParameters>
</StateMessage>
</ReportBody>
</Report>
Useful SQL queries

Here are some SQL queries that may be helpful when troubleshooting various content distribution related
issues.
Package/DP status queries
All Failed packages/DPs
SELECT distinct DPSD.DPName, DPSD.PackageID, SP.Name, DPSD.MessageState, DPSD.LastStatusTime,

DPSD.SiteCode
FROM vSMS_DPStatusDetails DPSD
JOIN SMSPackages_All SP ON DPSD.PackageID = SP.PkgID
WHERE MessageState = 4
All In Progress packages/DPs

DPSD.SiteCode
All Success packages/DPs

DPSD.SiteCode
All package/DPs in In Progress state for more than three days

DPSD.SiteCode
WHERE DPSD.LastStatusTime < DATEAdd(dd,-3,GETDate())
AND MessageState = 2
All package/DPs in Failed state for more than three days

DPSD.SiteCode
WHERE DPSD.LastStatusTime < DATEAdd(dd,-3,GETDate())
AND MessageState = 4
Count of all states
SELECT MessageState,
COUNT(MessageState) AS [Count]
FROM vSMS_DPStatusDetails
WHERE PackageID <> ''
GROUP BY MessageState
Counts of package states per DP
SELECT DPName,
CASE
WHEN MessageState = 1 THEN 'Success'
WHEN MessageState = 2 THEN 'InProgress'
WHEN MessageState = 4 THEN 'Failed'
END AS [State],
WHERE PackageID <> ''
AND DPName = 'PS1DP1.CONTOSO.COM'
GROUP BY DPName, MessageState
ORDER BY DPName
State of all DPs for a given package

SELECT DPName,
CASE
END AS [State]
WHERE PackageID = '<PackageID>'
GROUP BY DPName, MessageState
ORDER BY State
Count of DP states per package
SELECT
CASE
END AS [State],
WHERE PackageID = '<PackageID>'
GROUP BY MessageState
Package/DP current state
SELECT distinct DPSD.DPName, DPSD.PackageID, SP.Name, DPSD.LastStatusTime, DPSD.SiteCode,

DPSD.MessageState,
CASE
END AS [State]
WHERE DPName = 'PS1DP1.CONTOSO.COM'
AND DPSD.PackageID = '<PackageID>'
Finding orphaned DP references

The query below can be used to identify if there are any orphaned rows left in the database for a DP that is no
longer in the environment. There could be orphaned rows if the DP was not removed properly.
DECLARE @DPName NVARCHAR(100)

SET @DPName = 'PS1DP.CONTOSO.COM'
SELECT * FROM ContentDPMap WHERE ServerName = @DPName
SELECT * FROM DistributionPoints WHERE ServerName = @DPName
SELECT * FROM DPInfo WHERE ServerName = @DPName
SELECT * FROM PkgServers_G WHERE NALPath like '%' + @DPName + '%'
SELECT * FROM PkgServers_L WHERE NALPath like '%' + @DPName + '%'
SELECT * FROM PkgStatus_G WHERE PkgServer like '%' + @DPName + '%'
SELECT * FROM PkgStatus_L WHERE PkgServer like '%' + @DPName + '%'
SELECT * FROM SysResList WHERE RoleName = 'SMS Distribution Point' AND ServerName = @DPName
SELECT * FROM SC_SysResUse WHERE NALPath like '%' + @DPName + '%' AND RoleTypeID = 3
Similar query for a specific DP in a specific site:

DECLARE @DPName NVARCHAR(100)
DECLARE @DPSiteCode NVARCHAR(3)
SET @DPName = 'DPNAME.CONTOSO.COM'
SET @DPSiteCode = 'PS1'
SELECT * FROM ContentDPMap WHERE ServerName = @DPName AND SiteCode = @DPSiteCode

SELECT * FROM DistributionPoints WHERE ServerName = @DPName AND SMSSiteCode = @DPSiteCode
SELECT * FROM DPInfo WHERE ServerName = @DPName AND SiteCode = @DPSiteCode
SELECT * FROM PkgServers_L WHERE NALPath like '%' + @DPName + '%' AND SiteCode = @DPSiteCode
SELECT * FROM PkgServers_G WHERE NALPath like '%' + @DPName + '%' AND SiteCode = @DPSiteCode
SELECT * FROM PkgStatus_L WHERE PkgServer like '%' + @DPName + '%' AND SiteCode = @DPSiteCode
SELECT * FROM PkgStatus_G WHERE PkgServer like '%' + @DPName + '%' AND SiteCode = @DPSiteCode
SELECT * FROM SysResList WHERE RoleName = 'SMS Distribution Point' AND ServerName = @DPName AND SiteCode =
@DPSiteCode
SELECT * FROM SC_SysResUse WHERE NALPath like '%' + @DPName + '%SMS_SITE=' + @DPSiteCode + '%' AND
RoleTypeID = 3
Site Control File (SCF ) properties

SCF properties for DistMgr for current site
SELECT SD.SiteCode, SC.ComponentName, SCP.Name, SCP.Value1, SCP.Value2, SCP.Value3

FROM SC_Component SC
JOIN SC_SiteDefinition SD ON SD.SiteNumber = SC.SiteNumber
JOIN SC_Component_Property SCP ON SCP.ComponentID = SC.ID
WHERE SD.SiteCode = dbo.fnGetSiteCode() AND SC.ComponentName = 'SMS_DISTRIBUTION_MANAGER'
SCF properties for a DP
SELECT SRU.RoleName, SRU.ServerName, SRUP.* FROM vSMS_SC_SysResUse SRU

JOIN vSMS_SC_SysResUse_Properties SRUP ON SRU.ID = SRUP.ID
WHERE SRU.RoleName = 'SMS Distribution Point'
AND SRU.ServerName = 'PS1DP1.CONTOSO.COM'
Packages containing specified software update

List all packages containing the given update Unique ID.
SELECT distinct UI.ArticleID, CI.CI_UniqueID, CP.PkgID, P.Name FROM v_UpdateInfo UI

JOIN v_ConfigurationItems CI ON UI.CI_ID = CI.CI_ID
JOIN v_CIContents_All CIC ON CI.CI_ID = CIC.CI_ID
JOIN CI_ContentPackages CP ON CP.Content_ID = CIC.Content_ID
JOIN v_Package P ON CP.PkgID = P.PackageID
WHERE CI.CI_UniqueID = '<UniqueID>'
Configuration Manager DRS performance issue
after you install hotfix 3125525
This article provides a solution for the Configuration Manager Database Replication Service (DRS) performance
issues that occur after you install hotfix 3125525.
Original product version: Configuration Manager (current branch), Microsoft System Center 2012 R2
Configuration Manager， Microsoft System Center 2012 Configuration Manager
Symptom
After you install hotfix 3125525, you experience the following performance issues when you use Configuration
Manager DRS:
Messages are processed very slowly, for example, less than 1,000 messages are processed in an hour.
If it takes more than 30 minutes (by default) to process a message, the replication link may become
degraded.
The average CPU time for SQL Server change tracking is 2.7 to 4 seconds.
NOTE
Hotfix 3125525 is included in the following SQL Server cumulative updates:
Cumulative Update 13 for SQL Server 2014
Cumulative Update 6 for SQL Server 2014 Service Pack 1
Cumulative Update 1 for SQL Server 2012 Service Pack 3
Resolution
To fix the issue, install the latest Cumulative Update for your SQL Server version:
SQ L SERVER VERSIO N T H E L AT EST C UM UL AT IVE UP DAT E
SQL Server 2012 Service Pack 3 Download the latest cumulative update
SQL Server 2014 RTM Download the latest cumulative update
SQL Server 2016 RTM Download the latest cumulative update or Install SQL Server
2016 Service Pack 1
More information
For more information about the fixes for this issue, see the following articles:
CPU usage increases significantly when you execute queries that contain CHANGETABLE functions in SQL
Server 2012 Service Pack 3
FIX: Queries that use CHANGETABLE use much more CPU in SQL Server 2014 SP1 or in SQL Server 2016
Troubleshoot database replication service issues in
This guide helps administrators diagnose and resolve database replication service (DRS) problems in
Original product version: Microsoft Endpoint Configuration Manager (current branch), Microsoft System
Center 2012 R2 Configuration Manager, Microsoft System Center 2012 Configuration Manager
When you experience a DRS problem in Configuration Manager, the beginning investigative phase is the most
critical point. Any type of change or fix should be made only after careful study and understanding of the
problem at hand.
Get started
Start by gathering information related to the history of the problem. Many times DRS problems can ultimately
be traced back to a recent change made in the environment. Keep in mind that you should not focus solely on
Configuration Manager, as changes to Windows or SQL Server can cause DRS problems as well. Having a clear
understanding of any recent changes in the environment can provide important clues as to the source of the
problem.
Once you've investigated environmental changes and made sure that your updates are in order, the next step is
to run the Replication Link Analyzer (RLA). To launch RLA, open the Monitoring workspace and select the
Database Replication node, then right-click the link that is having a problem and select Replication Link
Analyzer , as shown in the following example:
NOTE
RLA runs within the context of whomever launches it from the console, so be sure that the account you use has
administrative privileges on both SQL Server and site servers.
RLA will check the following on both sites:

The SMS service is running.
SMS Replication Configuration Monitor component is running.
Ports required for SQL Server replication are enabled.
SQL Server version is supported.
Network is available between the two sites.
There's enough space for the SQL Server database.
SQL Server Broker service configuration exists.
SQL Server Broker service certificate exists.
Known errors in SQL Server log files.
Whether the replication queues are disabled.
Time is in sync.
Is the transmission of data stuck?
Does a key conflict exist?
If RLS finds known problems, it will offer to fix them for you. The RLA output report is also straightforward. It
tells you what it checked and what rules were run in addition to whether they passed or failed. Here is an
example:
Get details with SPDiagDRS

If Replication Link Analyzer can't detect and resolve the problem, run SPDiagDRS and see if it can offer any clues
to what may be failing.
To run SPDiagDRS , open SQL Server Management Studio and connect to the two servers on each side of the link
having the problem. On each CM_xxx database, run the Exec SPDiagDRS command.
The following is a breakdown of the various SPDiagDRS sections and some common places to look for problems.
A simple search for error messages and codes found here often guides you to the source of the problem.
Section 1
SiteStatus : This tells us whether the site is replicating or not. Anything other than ACTIVE is not good.
Cer tificateThumbprint : The thumbprint of the certificate used for authentication that contains the site's
public key (local DB trusts remote DB).
Section 2
IncomingMessageInQueue : This tells us the incoming backlog that a site has. If the backlog is high due
to the number of sites reporting to it, you may see the links going to a degraded or failed state because
the heartbeat synchronizations are not processed in time.
OutgoingMessageInQueue : This tells us the backlog that has yet to clear as we wait for the sites to
receive the messages. This generally fluctuates, however if it continues to grow then this can represent a
problem. Further troubleshooting should be performed to determine which site is not getting the
messages.
Section 3
This is simply the detailed view of the Initialization Detail in the console.
Section 4
This is the detailed view of Replication Detail in the console. It provides more information about the flow
between each replication group.
Section 5
This section has some important and useful information about the sites we are connecting to. In this example we
are on primary site server 002, and 001 is the central administration site. If we had a secondary site under 002,
it would be shown here. On a central administration site, all primary sites would be reflected but not the
secondary sites.
Primary site 002 example:
Central administration site 001 example:
Section 6
This provides the general information of the sites in the hierarchy, the SiteServerName and DBServer names, as
well as the status and version. You can see here that a different primary site (003) is showing as being in
Maintenance Mode . On working systems, Section 6 should be identical between the central administration
site and all primary sites in the hierarchy.
Section 7
The bottom two sections contain detailed information on the heartbeat or LastSentStatus for each group as
well as conversationIDs and so on, and the built-in replication options configured for each group.
Check RCMCtrl.log for errors

Next you will want to check RCMCtrl.log on each site for errors, as this will often provide valuable clues
regarding the source of the problem. For example, you may find that replication is in a Failed state for a site and
that replication hasn't occurred for some time. In this scenario, you may find that RCMCtrl.log contains entries
similar to the following:
7/4/2016 1:25:36 PM: ReplicationLinkAnalysis Information: 1 : Completed replication link analysis thread.
7/4/2016 1:25:37 PM: ReplicationLinkAnalysis Error : 1 : Unable to find SiteCode or SiteNumber
7/4/2016 1:25:37 PM: ReplicationLinkAnalysis Error: 1 :
Microsoft.ConfigurationManager.ManagedBase.LocalServerDataNotFoundException: Unable to find
SiteCode or SiteNumber
at Microsoft.ConfigurationManager.ManagedBase.SiteData.Refresh()
at Microsoft.ConfigurationManager.ReplicationLinkAnalyzer.ReplicationLinkAnalysisEngine.Initialize()
at
Microsoft.ConfigurationManager.ReplicationLinkAnalyzer.ReplicationLinkAnalysisEngine.RunRulesInBackgro
und(Object sender, DoWorkEventArgs e)
at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)
If you see entries similar to these, make sure that the SMS Executive and the Site Component Manager
services are running on the site in question. If not, this may be why replication is in a Failed state. If not running,
start the SMS Executive and/or Site Component Manager services manually and troubleshoot the services
if they fail to start.
Another example of an error you might find in RCMCtrl.log is the following:
07/04/2016 12:33:34 PM 6352 (0x18D0)CSqlBCP::ReadRowCount: Can't open file [F:\Program

Files\Microsoft Configuration
Manager\inboxes\rcm.box\GUID\INSTALLED_EXECUTABLE_DATA.bcp.rowcount].
SMS_REPLICATION_CONFIGURATION_MONITOR
07/04/2016 12:33:34 PM 6352 (0x18D0) CSqlBCP::DRS_Init_BCPIN: ReadRowCount failed.
07/04/2016 12:33:34 PM 6352 (0x18D0)*** DRS_Init_BCPIN() failed
07/04/2016 12:33:34 PM 6352 (0x18D0) CBulkInsert::DRS_Init_BCPIN : Failed to BCP in
07/04/2016 12:33:34 PM 6352 (0x18D0) BCP in result is 2147500037.
07/04/2016 12:33:34 PM 6352 (0x18D0) ERROR: Failed to BCP in for table
INSTALLED_EXECUTABLE_DATA with error code 2147500037 .
07/04/2016 12:33:34 PM 6352 (0x18D0) ERROR: Failed to apply BCP for all articles in publication
Hardware_Inventory_7. SMS_REPLICATION_CONFIGURATION_MONITOR
07/04/2016 12:33:34 PM 6352 (0x18D0) Will try to apply BCP files again on next run.
What's happening here is that while the .CAB file sent from the parent was unpacked by the despooler, the space
on the drive was exhausted, so it was only able to uncompress some of the files. If you view despool.log, it will
have a 2147024784 failure that refers to insufficient disk space. To resolve this type of issue, free up disk space
on the drive.
Check for BCP problems

If you still haven't found the source of the problem, it could be that the replication process was interrupted
because the bulk copy program (BCP) was going too slow.
Is sender throttled to this site and perhaps this is slowing down the BCP transfer?
To verify, open the console and go to Administration > Over view > Hierarchy Configuration > File
Replication , then right-click the site that would be sending the data. Verify that the schedule availability is set to
Open for all Priorities , and that Rate Limits is set to Unlimited to this Site .
If things are working but the data set from the BCP process is large and taking a long time to send, you can
increase the number of sender threads to speed things up. The defaults are listed below. If your sender log is
consistently advising no more threads available or Using 5 or 5 or Using 3 of 3 , this is a good indication
that you may want to increase the sender threads.
NOTE
If increased, the setting takes effect in real time with no restart of anything required.
Also if you have a rate limit set to Limited to specified maximum transfer rates by hour (as shown
below), Configuration Manager will only use one sender thread at a time when transferring to that site
regardless of what the number of sender threads are set to. The default setting of Unlimited When Sending
to this destination will use all the configured sender threads.
More information
For more information about DRS, see the following articles:
DRS Initialization In Configuration Manager 2012
Planning for Communications in Configuration Manage
Database replication
[SDP 3][5ee487a8-b2ed-4bc8-80ea-457f9b683c77]
System Center Configuration Manager diagnostic
This diagnostic package is designed to collect information used to troubleshoot most System Center 2012
Configuration Manager and Configuration Manager current branch issues.
Original product version: Microsoft System Center 2012 Configuration Manager, Configuration Manager
(current branch)
Configuration Manager client

DESC RIP T IO N F IL E N A M E
Summary of information gathered about the Configuration {ComputerName}__CMClient_Summary.txt

Manager client
Application enforcement status {ComputerName}_CMClient_AppHistory.txt
Configuration Manager client cache information {ComputerName}_CMClient_CacheInfo.txt
Configuration Manager client file version list {ComputerName}_CMClient_FileVersions.txt
Configuration Manager client inventory version information {ComputerName}_CMClient_InventoryVersions.txt
Software distribution execution history {ComputerName}_CMClient_ExecutionHistory.txt
State Messages from CCM_StateMsg WMI class {ComputerName}_CMClient_StateMessages.txt
Update Status from CCM_UpdateStatus WMI class {ComputerName}_CMClient_CCMUpdateStatus.txt
Configuration Manager logs

SQL Server error logs {ComputerName}_Logs_SQLError.zip
Configuration Manager client, site server, and site system {ComputerName}_Logs_ConfigMgr.zip

logs
Windows logs (CBS, Temp, WindowsUpdate, and so on) and {ComputerName}_Logs_Windows+OSD.zip

Configuration Manager OSD-related logs (SMSTS, INF,
Panther, DISM, UDI, Netsetup and so on)
Configuration Manager site database
Summary of information gathered about the SQL Server and {ComputerName}__CMServer_Summary.txt

Configuration Manager site database.
Blocked transactions, sp_who2 output and active Snapshot {ComputerName}_SQL_Transactions.txt

transactions.
Configuration Manager maintenance tasks. {ComputerName}_SQL_CMDBInfo.txt
Configuration Manager site control file for the current Site. {ComputerName}_SQL_SiteControlFile.xml.txt
DRS replication troubleshooting information {ComputerName}_SQL_DRSData.zip
List of Configuration Manager site systems and distribution {ComputerName}_SQL_SiteSystems.txt

points from SysResList and DistributionPoints tables.
Results of the configuration checks performed against the {ComputerName}_SQL_ConfigCompliance.txt

site database.
Software update point synchronization status. {ComputerName}_SQL_SUPSync.txt
SQL Server version, security role members, and database {ComputerName}_SQL_Basic.txt

information.
Top stored procedure calls by CPU, elapsed time, and so on. {ComputerName}_SQL_TopQueries.txt
Update servicing troubleshooting information {ComputerName}_SQL_UpdateServicing.zip
Configuration Manager site server

Summary of information gathered about the Configuration {ComputerName}__CMServer_Summary.txt

Manager site server
Boundaries configured in Configuration Manager {ComputerName}_CMServer_Boundaries.txt
Configuration Manager hierarchy information {ComputerName}_CMServer_Hierarchy.txt
Configuration Manager site server file versions {ComputerName}_CMServer_FileVersions.txt
Directory listing of RCM.box inbox {ComputerName}_CMServer_RCMFileList.txt
SMS_Executive service thread status from registry {ComputerName}_CMServer_SMSExecThreads.txt
SPN information for the site database {ComputerName}_CMServer_SQLSPN.txt

Custom uploads
Compressed copy of file specified by user {ComputerName}_filename.zip
General information
Summary of information gathered about the operating {ComputerName}__OS_Summary.txt

system
List of running tasks {ComputerName}_OS_TaskList.txt
Basic system information including machine name, service resultreport.xml

pack, computer model, and processor name and speed
Environment variables {ComputerName}_OS_EnvironmentVariables.txt
Event logs for last 14 days (Application, System, and {ComputerName}_OS_EventLogs.zip

Security)
List of installed certificates (Computer and User stores) {ComputerName}_OS_Certificates.txt
List of installed services {ComputerName}_OS_Services.txt
List of installed updates and hotfixes installed {ComputerName}_Hotfixes.*
List of user rights (privileges) using showpriv.exe tool {ComputerName}_UserRights.txt
Reboot pending flag from Windows Update, CBS, ConfigMgr {ComputerName}_OS_RebootPending.txt

client, and so on
Resultant set of Group Policies {ComputerName}_OS_GPResult.*
System information {ComputerName}_OS_MSInfo.nfo
SystemInfo output {ComputerName}_OS_SysInfo.txt
WMI quota configuration and loaded providers {ComputerName}_OS_WMIProviderConfig.txt
IIS information
IIS configuration information {ComputerName}_IISConfiguration.zip
IIS logs (last 5 days) {ComputerName}_Logs_IIS.zip

Virtual directory list and configuration {ComputerName}_IIS_VDirInfo.txt
Networking basic information

Summary of networking information collected {ComputerName}__NET_Summary.txt
Active BITS jobs {ComputerName}_OS_BITSTransfers.txt
Basic SMB configuration information, such as output of {ComputerName}_OS_SMB-Info.txt

net.exe subcommands, such as net share , net sessions
, net use , net accounts , net config
Basic TCP/IP and networking configuration information, such {ComputerName}_OS_TCPIP-Info.txt

as TCP/IP registry key and outputs from ipconfig ,
netstat , nbtstat and netsh commands
Enabled Windows Firewall rules {ComputerName}_OS_EnabledFirewallRules.txt
Proxy configuration {ComputerName}_OS_ProxyInfo.txt
Registry keys
HKEY_CURRENT_USER\Software\Policies {ComputerName}_RegistryKey_HKCUPolicies.txt
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM {ComputerName}_RegistryKey_CCM.txt
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE {ComputerName}_RegistryKey_DCOM.txt
HKEY_LOCAL_MACHINE\Software\Microsoft\SMS {ComputerName}_RegistryKey_SMS.txt
HKEY_LOCAL_MACHINE\Software\Microsoft\Update {ComputerName}_RegistryKey_WSUS.txt
Services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cu {ComputerName}_RegistryKey_Uninstall.txt
rrentVersion\Uninstall
HKEY_LOCAL_MACHINE\Software\Policies {ComputerName}_RegistryKey_HKLMPolicies.txt
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services {ComputerName}_RegistryKey_Services.txt
Server manager and server roles information

List of roles and features installed on server media (Windows resultreport.xml

Server 2008 R2 and later versions)
Windows Update Agent information

Windows Update Agent version, service security descriptors {ComputerName}__WUA_Summary.txt

and registry settings.
File list in SoftwareDistribution directory {ComputerName}_WUA_FileList.txt
File version of Windows Update Agent related EXE/DLL files {ComputerName}_WUA_FileVersions.txt
WSUS server information

Summary of WSUS server information collected. {ComputerName}__WSUS_Summary.txt
File list of WSUS content directory (only collected with WSUS {ComputerName}_WSUS_FileList_ContentDir.txt
diagnostics)
File list of WSUS installation directory (only collected with {ComputerName}_WSUS_FileList_InstallDir.txt

WSUS diagnostics)
File versions of EXE/DLL files in WSUS installation directory {ComputerName}_WSUS_FileVersions.txt

(only collected with WSUS diagnostics)
List of approved updates (not collected for WSUS 4.0) {ComputerName}_WSUS_ApprovedUpdates.xml
WSUS basic information (not collected for WSUS 4.0) {ComputerName}_WSUS_BasicInfo.txt
WSUS logs {ComputerName}_Logs_WSUS.zip
WSUS setup logs (if available) {ComputerName}_Logs_WSUSSetup.zip
Detect symptoms
In addition to collecting the information, this diagnostic package can detect one or more of the following
symptoms:
Configuration Manager database: Database owner is not set to SA.
Configuration Manager database: User Access mode is not set to MULTI_USER .
Configuration Manager database: Database is marked as READ_ONLY .
Configuration Manager database: Database is not ONLINE .
Configuration Manager database: Recovery Model is not set to SIMPLE .
Configuration Manager database: SQL Server Broker is disabled.
Configuration Manager database: Recursive triggers are disabled.
Configuration Manager database: Trustworthy property is disabled.
Configuration Manager database: Honor Broker Priority is set to False .
Configuration Manager database: Snapshot Isolation State is set to False .
Configuration Manager database: Read Committed Snapshot is set to False .
Configuration Manager database: Nested triggers are disabled.
Configuration Manager database: SQL Server change tracking backlog.
Configuration Manager database: DBSchemaChangeHistory Excessive Growth.
root\CCM WMI namespace connection failure.
%ServiceName% service is stopped.
%ServiceName% service is disabled.
Configuration Manager client is in provisioning mode.
References
Information about Microsoft Automated Troubleshooting Services and Support Diagnostic Platform
Some devices are reported as failed on the client
health dashboard
Starting in version 1902 of Configuration Manager current branch, the client health dashboard is available to
assess the health of Configuration Manager clients in your environment. This article describes an issue in which
some devices are unexpectedly reported as Failure on the Status Messages bar of the Scenario Health bar
chart. This article also provides some insights into the internals and calculations of the Scenario Health bar
chart.
Applies to: Configuration Manager (current branch)
Symptoms
In the Scenario Health bar chart of the client health dashboard, some devices are unexpectedly reported as
Failure on the Status Messages bar. The corresponding information is also reflected on the Combined (Any)
bar.
Cause
A Configuration Manager client sends a status message in the following scenarios:
You run a legacy software distribution, such as a classic package, on the client.
Something is changed or broken on the client. For example, a software inventory isn't completed within the
time-out period.
If you use only the Modern Software Distribution technologies, and you deploy software updates, no status
message will be sent, and the last status message timestamp will not be updated in the database.
NOTE
Hidden legacy package deployments, such as Configuration Manager Client Upgrade packages, might update the last
status message timestamp.
Workaround
You can deploy a dummy legacy package (such as the cmd /c echo command) to an affected client to generate a
constant status message flow. Then, a status message timestamp will be updated regularly, and the client will be
reported as Success on the Status Messages bar. Alternatively, you can ignore or hide the Status Messages
bar.
More information
The client health dashboard displays the summarized client health information. To view client information in the
Configuration Manager console, administrators can add the relevant columns (such as Policy Request or
Status Message ) or check the Client Activity section of the client.
By default, the health information is summarized on a site server one time per day. In the Client Status
Settings Proper ties dialog box on the Client Activity site, administrators can also configure the settings to
monitor client status. If the recent status message was created within the past seven days, that client is
considered to be active at Monitoring > Over view > Client Status > Client Activity .
In Configuration Manager, administrators can use a maintenance task (Delete Aged Status Messages) to delete
status messages that are older than 30 days (by default), as configured in status filter rules.
The SQL Stored Procedure ( spGetClientHealthDashboard ) calculates the Success and Failure status for
individual clients, as follows:
If the timestamp of the recent status message is less than seven days old, or there is no status message, the
client is reported as Success .
If the timestamp of the recent status message is more than seven days old, and the status message is not
deleted, the client is reported as Failure .
NOTE
This algorithm is also applicable to other bars. However, there is no cleanup mechanism for inventory timestamps.
By default, the client health dashboard displays the health information of clients that were online during the
previous three days.
See also
MMS: ConfigMgr State and Status Messages
Third-par ty contact disclaimer
Microsoft provides third-party contact information to help you find additional information about this topic. This
contact information may change without notice. Microsoft does not guarantee the accuracy of third-party
contact information.
The lastLogonTimestamp attribute in System Center
2012 Configuration Manager may not be accurate
This article describes a by design behavior that the lastLogonTimestamp attribute may not be updated as
expected in Configuration Manager.
Symptoms
Consider the following scenario in System Center 2012 Configuration Manager:
Active Directory User Discovery is enabled in Configuration Manager.
You use the lastLogonTimestamp attribute to determine the last logon for a user.
In this scenario, the exact time at which a particular user last logged on may not be accurate.
Cause
This behavior occurs because the design and default configuration of Active Directory may result in the value of
the lastLogonTimestamp attribute being updated only when the current value in Active Directory is 9 to 14 days
older than the time of logon.
References
For more information about the lastLogonTimestamp attribute, see the following articles:
Last-Logon-Timestamp attribute
"The LastLogonTimeStamp Attribute" - "What it was designed for and how it works"
v_GS_AntimalwareHealthStatus view reports
incorrect Endpoint Definition status in Configuration
Manager 2012
This article helps you work around an issue in which the v_GS_AntimalwareHealthStatus view reports an
incorrect Endpoint Definition status in Configuration Manager.
Original product version: Microsoft System Center 2012 R2 Configuration Manager, System Center 2012
Endpoint Protection, System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Configuration
Manager
Symptom
The Endpoint Protection view v_GS_AntimalwareHealthStatus reports an incorrect Endpoint Definition status
based on the AntivirusSignatureUpdateDateTime value in versions of Configuration Manager that are older than
Configuration Manager current branch version 1511.
Cause
This is a known bug that's fixed in Configuration Manager current branch version 1511 (and later versions). This
bug prevents some of the information typically found in state messages for Endpoint Protection from being
displayed in this view.
Workaround
To work around this issue, run the following query as an alternative way to gather the information:
declare @USERSIDS as varchar(64)='Disabled'

select distinct b.Name, (a.SignatureUpTo1DayOld) AS SignatureUpTo1DayOld
, (a.SignatureUpTo3DaysOld) AS SignatureUpTo3DaysOld
, (a.SignatureUpTo7DaysOld) AS SignatureUpTo7DaysOld
, (a.SignatureOlderThan7Days) AS SignatureOlderThan7Days
, (a.NoSignature) AS NoSignature
, a.EpInstalled
from fn_rbac_EndpointProtectionStatus(@UserSIDs) AS a
inner join fn_rbac_FullCollectionMembership_valid(@UserSIDs) AS b on b.ResourceID = a.ResourceID
where b.CollectionID='SMS00001'
and a.EpInstalled = 1
and b.ResourceType <> 2
Clients don't update with the latest antimalware
definition files after the Endpoint Protection point
role is installed
This article introduces a workaround for the issue that clients are not updated with the latest antimalware
definition files after you install the Endpoint Protection point site system role in Configuration Manager.
Symptoms
You install the Endpoint Protection point site system role in Configuration Manager and set the Manage
Endpoint Protection client on client computers setting to True on the Endpoint Protection page. In this
scenario, client computers are not updated with the latest antimalware definition files.
Cause
This problem occurs because the Disable alternate sources (such as Microsoft Windows Update,
Microsoft Windows Ser ver Update Ser vices, or UNC shares) for the initial definition update on
client computers option is set to True which is the default setting.
Workaround
To work around this problem, set the Disable alternate sources (such as Microsoft Windows Update,
Microsoft Windows Ser ver Update Ser vices, or UNC shares) for the initial definition update on
client computers option to False . After you change this setting, the clients can download and install
antimalware definition file updates immediately after installation as long as the client has access to one of the
sources that hosts the files.
How to download and install System Center 2012
Endpoint Protection for Linux
This article introduces how to download and install Microsoft System Center 2012 Endpoint Protection for
Linux.
Original product version: System Center 2012 Endpoint Protection for Linux
Download and install System Center 2012 Endpoint Protection for

Linux
NOTE
System Center 2012 Endpoint Protection for Linux is part of Core Cal and will be available on the Volume Licensing
Site or together with the purchase of System Center 2012.
The commands in these steps may vary in each distribution.
1. Download the System Center 2012 Endpoint Protection for Linux installation package.
NOTE
System Center 2012 Endpoint Protection for Linux is distributed as a binary file. The file name for the installation
package varies according to the distribution for which it is designed. For example, the Scep.i386.deb.bin file is
intended for Debian distributions, the Scep.i386.rpm.bin file is intended for RedHat and SUSE distributions, and the
Scep.i386.tgz.bin file is intended for other Linux distributions.
2. Run the installation package. To do this, type the following command, and then press Enter.
sh ./file_name
The placeholder file_name represents the name of the file that you downloaded in step 1.
3. After the installation is complete, verify that the main System Center 2012 Endpoint Protection for Linux
services is running. To do this, type the following command, and then press Enter:
ps -C scep_daemon
4. Verify that a message is returned that resembles the following:
PID TTY TIME CMD

2226 ? 00:00:00 scep_daemon
2229 ? 00:00:00 scep_daemon
NOTE
At least two System Center 2012 Endpoint Protection for Linux daemon processes run in the background. The
first PID is the process and threads manager. The second PID is the System Center 2012 Endpoint Protection for
Linux scanning process.
Microsoft Network Inspection service started by
Configuration Manager may be stopped by AD
Group Policy
This article describes a by-design behavior where the Microsoft Network Inspection service may be stopped by
Active Directory Group Policy.
Symptoms
A Microsoft System Center 2012 Configuration Manager administrator sets the Enable protection against
network-based exploits option to True and then deploys the policy to a collection of devices. This option is
part of the real-time protection item on the Antimalware tab for the Microsoft Forefront Endpoint
Protection (FEP) policies in the Configuration Manager console.
Then, the Configuration Manager client sets the start of the Microsoft Network Inspection service to
Automatic on all devices in the target collection.
An Active Directory administrator configures Group Policy to set the start for the Microsoft Network
Inspection service to Disabled .
In this scenario, when the Group Policy settings are applied, the Microsoft Network Inspection service is stopped,
and the start of the service is set to Disabled . When the Configuration Manager client evaluates client health
and determines that the service is disabled, it remediates the problem by setting the start of the service to
Automatic and starts the service again. However, the service soon stops again because the service is stopped
by the Active Directory Group Policy.
Status
This behavior is by design. Group Policy settings to disable services should be carefully evaluated together with
the Configuration Manager group or the System Center 2012 Endpoint Protection group to make sure that
these settings don't disable services for required functionalities.
Configuration Manager console displays out-of-date
Endpoint Protection Definition version and last
update time
This article provides a solution for the issue that Configuration Manager console displays out-of-date Endpoint
Protection Definition version and last update time while the clients have the latest version of definition installed.
Symptoms
When you use Endpoint Protection together with Configuration Manager, you experience the following issues:
In the Configuration Manager console, you open the Assets and Compliance workspace under the
Devices node. In that workspace, you notice that the Endpoint Protection Definition Last Version and
Endpoint Protection Last Update Time columns display out-of-date values for some devices. However,
the clients show that they have the latest versions applied.
Topic type 1901 (State_Topictype_Ep_Am_Health) isn't logged in StateMessage.log on the clients.
The following error messages are logged in ExternalEventAgent.log on the clients:
PARSE XML to get the query String SELECT * FROM MSFT_MPComputerStatus

...
Execute all initialization actions for policy change from CCM_ExternalEventConfig.
Could not open the registr y key
SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ComputerStatusState
Message\SyncStatus with error 0x80070002 .
SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ComputerStatusState
Message with error 0x80070002 .
Failed to load previous values of Differentiation criteria ComputerStatusStateMessage with error
0x80070002.
SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\InfectionStatusStateM
essage\SyncStatus with error 0x80070002 .
SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\InfectionStatusStateM
essage with error 0x80070002 .
Failed to load previous values of Differentiation criteria InfectionStatusStateMessage with error 0x80070002.
Additionally, the following registry keys don't exist on the client:

HKLM\SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ComputerStatusStateMessage
HKLM\SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\InfectionStatusStateMessage
Cause
This issue occurs because the instance of the MSFT_MpComputerStatus class doesn't exist in the
root\Microsoft\ProtectionManagement namespace. The client queries this instance to populate the related
registry keys.
Resolution
To fix the issue, run the following command on the affected client computers to re-register the
ProtectionManagement provider:
Register-CimProvider -ProviderName ProtectionManagement -Namespace root\Microsoft\protectionmanagement -Path

<path of ProtectionManagement.dll> -Impersonation True -HostingModel LocalServiceHost -SupportWQL -
ForceUpdate
NOTE
In this command, <path of ProtectionManagement.dll> is the placeholder for the path of ProtectionManagement.dll. For
example:
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1907.4-0\ProtectionManagement.dll
After you run this command, the following conditions are true:
The instance of MSFT_MpComputerStatus is populated in the root\Microsoft\ProtectionManagement namespace.
Topic type 1901 is logged in StateMessage.log.
The affected values in the Configuration Manager console are updated.
More information
Windows Defender logs can help you identify the root cause of this issue. For example, the following log snippet
indicates the presence of a different antivirus solution:
2019-09-04T08:00:11.166Z [Mini-filter] Denied access to file: \ProgramData\Microsoft\Windows

Defender\Platform\4.18.1907.4-0\Powershell\MSFT_MpComputerStatus.cdxml , from process
'\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint
Protection \14.0.3929.1200.105\Bin\ccSvcHst.exe' (PID: 3408)
To collect diagnostic logs for Windows Defender, follow the steps in Collect Update Compliance diagnostic data
for Windows Defender AV Assessment.
products.
Recommended antivirus exclusions for
Configuration Manager site servers, site systems,
and clients
This article contains recommendations that may help an administrator determine the cause of potential
instability on a computer that's running a supported version of Configuration Manager site servers, site
systems, and clients when it's used together with antivirus software.
Summary
We recommend you temporarily apply these procedures to evaluate a system. If your system performance or
stability is improved by the recommendations that are made in this article, contact your vendor for instructions
or an updated version of the antivirus software.
IMPORTANT
This article contains information that shows how to help lower security settings or how to temporarily turn off security
features on a computer. You can make these changes to understand the nature of a specific problem. Before you make
these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your
particular environment.
Antivirus real-time protection can cause many problems on Configuration Manager site servers, site systems,
and clients.
Possible symptoms include:
Remote site system components aren't installed. SiteComp.log, Distmgr.log, hman.log, or other
Configuration Manager log files may contain errors such as error 80070005.
The Configuration Manager client cannot be installed through client push.
Client inventory information is inaccurate, missing, or out-of-date.
Backlogs occur in the Install_Directory\Inboxes folders on site servers.
Backlogs occur in the Install_Directory\MP\Outboxes subfolders on management points (MP).
Software Center isn't populated by deployed software on client systems, or doesn't start. Also, the
CCMRepair.log file may contain an error similar to the following example:
Database verification failed with result: 0x80004005 but DB: C:\Windows\CCM\filename.sdf could be
opened, skipping DB repair.
Software that is deployed to clients cannot be installed.

Compliance data for software deployments is inaccurate.
Exclusions
We recommend that you add the following real-time protection exclusions to prevent these problems.
Default installation folders
F O L DER PAT H
Configuration Manager installation folder %ProgramFiles%\Microsoft Configuration Manager
MP installation folder %ProgramFiles%\SMS_CCM
Client installation folder %Windir%\CCM
Folder exclusions for site servers

ConfigMgr installation folder\Inboxes
ConfigMgr installation folder\Logs
ConfigMgr installation folder\EasySetupPayload
ContentLib_drive\SCCMContentLib
NOTE
If you have a remote content library, this folder isn't on the site server. For more information, see Configure a
remote content library for the site server.
Folder exclusions for site systems

Management points
MP installation folder\ServiceData
Either of the following folders:
ConfigMgr installation folder\MP\OUTBOXES
Installation drive\SMS\MP\OUTBOXES
Distribution points
Client installation folder\ServiceData
ContentLib_drive\SMS_DP$
ContentLib_drive\SMSPKGDrive_Letter$
ContentLib_drive\SMSPKG
ContentLib_drive\SMSPKGSIG
ContentLib_drive\SMSSIG$
Site database servers
How to choose antivirus software to run on computers that are running SQL Server
Folder exclusions for clients
Client installation folder\*.sdf
Client installation folder\ServiceData
C:\Windows\CCMCache
C:\Windows\CCMSetup
Client installation folder\Logs
C:\Windows\Setup\Scripts
C:\Windows\SMSTSPostUpgrade
File exclusions for MPs
POL00000.pol in MP installation folder\PolReqStaging
Don't scan outgoing files on MPs
Most antivirus software has an option to scan files that are copied to a remote location (outgoing files).
This option should be disabled on management points.
For Windows Defender, the policy name is Configure monitoring for incoming and outgoing file
and program activity . And it should be set to Scan only incoming files .
For more information, see Enable and configure Windows Defender Antivirus always-on protection in
Group Policy.
Process exclusions
Process exclusions are necessary only if aggressive antivirus programs consider Configuration Manager
executables (.exe) to be high-risk processes.
ConfigMgr installation folder\bin\x64\Smsexec.exe
Either of the following executables:
Client installation folder\Ccmexec.exe
MP installation folder\Ccmexec.exe
Client installation folder\RemCtrl\CmRcService.exe (client-side)
ConfigMgr installation folder\bin\x64\Sitecomp.exe
ConfigMgr installation folder\bin\x64\Smswriter.exe
ConfigMgr installation folder\bin\x64\Smssqlbkup.exe, or SMS_SQLFQDN\bin\x64\Smssqlbkup.exe
ConfigMgr installation folder\bin\x64\Cmupdate.exe
Client installation folder\Ccmrepair.exe (client-side)
%windir%\CCMSetup\Ccmsetup.exe (client-side)
%windir%\CCMSetup\autoupgrade\Ccmsetup*.exe (client-side)
NOTE
Starting in Configuration Manager current branch version 1910, this file name has been changed to Ccmsetup.
<Packageid>.<PackageVersion>.exe.
References
Configuration Manager Current Branch Antivirus Exclusions
Updated System Center 2012 Configuration Manager Antivirus Exclusions with more details on OSD and
Boot Images
How to choose antivirus software to run on computers that are running SQL Server
Virus scanning recommendations for Enterprise computers that are running currently supported versions of
Windows
System Center 2012 Configuration Manager and
System Center 2012 Endpoint Protection support for
Azure Virtual Machines
This article introduces the support policy for Microsoft System Center 2012 Configuration Manager and System
Center 2012 Endpoint Protection to manage server software in the Microsoft Azure Virtual Machine
environment (infrastructure-as-a-service).
Original product version: Microsoft System Center 2012 Configuration Manager, System Center 2012 Endpoint
Protection
Supported scenarios and features

System Center 2012 Configuration Manager Service Pack 1 (SP1) or later versions and System Center 2012
Endpoint Protection SP1 or later versions support two specific scenarios to manage server software in the
Microsoft Azure Virtual Machine environment.
The following table lists the scenarios and supported Configuration Manager features in each scenario.
SUP P O RT ED SC EN A RIO S SUP P O RT ED C O N F IGURAT IO N M A N A GER F EAT URES
Use an existing on-premises Configuration Manager For Windows Server:

infrastructure to manage Azure Virtual Machines that are Application Management
running Windows Server or Linux. Compliance Settings
Endpoint Protection
Inventory - Software, Hardware, and Asset
Intelligence
Network Access Protection
Software Updates Deployment
Software Metering
Remote Control
Reporting
For Linux:
Software Distribution
Endpoint Protection
Inventory - Hardware, Software
Reporting
SUP P O RT ED SC EN A RIO S SUP P O RT ED C O N F IGURAT IO N M A N A GER F EAT URES
Set up a single stand-alone primary site in the Azure Virtual For Windows Server:
Machine environment to manage Azure Virtual Machines Application Management
that are running Windows Server or Linux in the same Compliance Settings
virtual network. Endpoint Protection
Inventory - Software, Hardware, and Asset
The all-in-one, stand-alone primary site is a single Azure Intelligence
Virtual Machine that runs all required site system roles and
Software Updates Deployment
Microsoft SQL Server locally without using any remote site
systems or roles. Software Metering
Remote Control
Reporting
For Linux:
Software Distribution
Endpoint Protection
Inventory - Hardware, Software
Reporting
The following Linux distributions are endorsed for Microsoft Azure Virtual Machines in the supported scenarios:
Canonical Ubuntu 12.04
OpenLogic CentOS 6.3
SUSE Linux Enterprise Server 11 SP2
NOTE
The Linux-based virtual machines must be running version 1.0.0.4648 or later versions of the Linux client for
References
For more information about the endorsed Linux distributions for Azure Virtual Machines, see Endorsed Linux
distributions on Azure.
For more information about supported Microsoft server software in the Azure Virtual Machine environment,
see Microsoft server software support for Microsoft Azure Virtual Machines.
products.
Troubleshooting Reference for the Microsoft
Deployment Toolkit
The deployment of operating systems and applications as well as the migration of user state can be a
challenging endeavor, even when you are equipped with appropriate tools and guidance. This reference, which is
part of Microsoft® Deployment Toolkit (MDT) 2013, provides information on current known issues, possible
workarounds for those issues, and troubleshooting guidance.
NOTE
In this document, Windows applies to the Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows
Server 2012, and Windows Server 2008 R2 operating systems unless otherwise noted. MDT does not support ARM
processor–based versions of Windows. Similarly, MDT refers to MDT 2013 unless otherwise stated.
NOTE
The Microsoft Diagnostics and Recovery Toolset (DaRT) contains powerful tools for recovering and troubleshooting client
computers that do not start or have become unstable. You can use DaRT to determine the cause of a crash, restore lost
files, and so on. You can also use DaRT as a troubleshooting tool when developing and deploying a Windows operating
system. For example, if a built image fails to start correctly, you can start the client computer containing the image by
using ERD Commander—a diagnostic environment. Then, you can explore the client computer's hard disk, view the event
log, remove updates, change operating system settings, and so on. DaRT is part of the Microsoft Desktop Optimization
Pack for Software Assurance. For more information, see Diagnostics and Recovery Toolset 10.
Understanding Logs
Before effective troubleshooting of MDT can begin, you must have a clear understanding of the many .log files
used during an operating system deployment. When you know which log files to research for what failure
condition and at what time, issues that were once mysterious and difficult to understand may become clear and
understandable.
The MDT log file format is designed to be read by CMTrace. Use this tool whenever possible to read the log files,
because it makes finding errors much easier.
The rest of this section details the log files created during deployment as well as during Windows Setup. This
section also provides examples of when to use the files for troubleshooting.
MDT Logs
Each MDT script automatically creates log files when running. The names of these log files match the name of
the script—for example, ZTIGather.wsf creates a log file named ZTIGather.log. Each script also updates a common
master log file (BDD.log) that aggregates the contents of the log files that MDT scripts create. MDT log files
reside in C:\MININT\SMSOSD\OSDLOGS during the deployment process. Depending on the type of deployment
being conducted, the log files are moved at the completion of the deployment to either %WINDIR%\SMSOSD or
%WINDIR%\TEMP\SMSOSD. For Lite Touch Installation (LTI) deployments, the logs start in
C:\MININT\SMSOSD\OSDLogs. They end up in %WINDIR%\TEMP\DeploymentLogs when the task sequence
processing is complete.
MDT creates the following log files:
BDD.log . This is the aggregated MDT log file that is copied to a network location at the end of the
deployment if you specify the SLShare property in the Customsettings.ini file.
LiteTouch.log . This file is created during LTI deployments. It resides in
%WINDIR%\TEMP\DeploymentLogs unless you specify the /debug:true option.
Scriptname*.log . This file is created by each MDT script. Scriptname represents the name of the script in
question.
SMSTS.log . This file is created by the Task Sequencer and describes all Task Sequencer transactions.
Depending on the deployment scenario, it may reside in %TEMP%, %WINDIR%\System32\ccm\logs, or
C:\_SMSTaskSequence, or C:\SMSTSLog.
Wizard.log . The deployment wizards create and update this file.
WPEinit.log . This file is created during the Windows PE initialization process and is useful for
troubleshooting errors encountered while starting Windows PE.
DeploymentWorkbench_ id .log . This log file is created in the %temp% folder when you specify a
/debug when starting the Deployment Workbench.
Configuration Manager Operating System Deployment Logs
For information about which operating system deployment log files created by Microsoft System Center 2012
R2 Configuration Manager, see Technical Reference for Log Files in Configuration Manager.
When running the Windows User State Migration Tool (USMT), MDT automatically adds the logging options to
save the USMT log files to the MDT log file locations. The log files and when they are created are as follows:
USMTEstimate.log . Created when estimating the USMT requirements
USMTCapture.log . Created by the USMT when capturing data
USMTRestore.log . Created by the USMT when restoring data
The ZeroTouchInstallation.vbs script automatically scans the USMT progress log files for errors and
warnings. The script generates event ID 41010 to Microsoft System Center Operations Manager with the
following summary (where usmt_type is ESTIMATE , SCANSTATE , or LOADSTATE ; error_count is the
total number of errors found; and warning_count is the total number of warnings found):
ZTI USMT <usmt_type> reported <error_count> errors and <warning_count> warnings
If the error count is greater than 0, this event is an Error type. If the warning count is greater than 0 with no
errors, then the event is a Warning type. Otherwise, the event is an Informational type.
Identifying Error Codes

Table 1 lists the error codes that the MDT scripts create and provides a description of each error code. These
error codes are recorded in the BDD.log file.
Table 1. Error Codes and Their Description
ERRO R C O DE DESC RIP T IO N
5201 A connection to the deployment share could not be made.

The deployment will not proceed.


5206 The Deployment Wizard was canceled or did not complete

successfully. The deployment will not proceed.

5208 DeploymentType is not set. Must set some value for

SkipWizard .
5208 Unable to find the SMS Task Sequencer. The deployment will
not proceed.
5400 Create object: Set class_instance = New class_name
5490 Create MSXML2.DOMDocument.
5495 Create MSXML2.DOMDocument.ParseErr.ErrCode.
5496 LoadControlFile.FindFile: ConfigFile
5601 Verify OS guid: %OSGUID% exists.
5602 Open XML with OSGUID: %OSGUID%.
5610 Verify file.
5630 Verify file: ImagePath.
5640 Verify file: ImagePath.
5641 FindFile: ImageX.exe.
5643 Find BootSect.exe.
5650 Verify directory: SourcePath.
5651 Verify directory: SourcePath\Platform.
5652 FindFile: bootsect.exe.
6001 Verify drive.
6002 Verify drive.
6010 Test for TSGUID.

6020 Robocopy returned value: Value.
6021 Robocopy returned value: Value.
6101 Check for file: DeployCab.
6102 Expand Sysprep files from DEPLOY.CAB.
6111 Run Sysprep.exe.
6121 Run Sysprep.
6191 Test for CloneTag in registry to verify Sysprep completed.
6192 Test for SystemSetupInProgress in registry to verify

Sysprep completed.
6401 Authorized DHCP server.
6501 Computer backup not possible, no network path

(BackupShare , BackupDir ) specified.
6502 ERROR - Unable to locate IMAGEX, unable to perform

backup.
6601 GetObject(... root/wmi:BCDStore).
6602 BCD.OpenStore (BCDStore).
6701 Configured protectors.
6702 Moved boot files.
6703 Create BDE partition.
6704 Defragment drive.
6705 Shrink drive.
6706 Testing for more than 1 partition.
6707 Create boot files.
6708 Encrypt the disk.
6709 Connect to MicrosoftVolumeEncryption WMI provider.
6710 Encrypting the disk.
6711 ProtectKeyWithTPM .
6712 ProtectKeyWithTPMAndPIN.
6713 ProtectKeyWithTPMAndStar tupKey .
6714 Save external key to file.
6715 Protect with external key.
6716 Save external key to file.
6717 Protect key with numerical password.
6718 GetKeyProtectorNumberialP@ssword.
6718 Save password to file.
6719 Open PasswordFile.
6720 Encrypt the drive.
6721 Open DiskPartFile.
6722 Create partition.
6723 Get existing BDE drive.
6724 Open DiskPartFile.
6727 Attempt to open DiskPartFile.
6729 Create text file DiskPartFile.
6730 Execute cmd /c DISKPART.EXE /s DiskPar tFile >>

LogPath \ZTIMarkActive_diskpar t.log 2>&1
6731 Find bcdboot.exe.
6732 Connect to Microsoft TPM provider.
6733 Get a TPM instance in the provider class.
6734 Get TPM instance.
6735 Check to see if TPM is enabled.
6736 Check to see if TPM is activated.
6737 Check to see if TPM is owned.
6738 Check to see if TPM ownership is allowed.

6741 Check to see if TPM is owned and ownership is allowed.
6741 TPM Owner Password set
6742 TPM Owner P@ssword set to AdminP@ssword .
6743 Set TPM Owner P@ssword to value.
6745 Check TPM owner.
6746 Check for endorsement key pair.
6748 Check to see if TPM ownership is allowed.
6749 Convert owner p@ssword to owner authorization.
6750 Create endorsement key pair.
6751 Change owner authorization.
6752 Run Cmd .
6753 Validate TPM.
6754 Get BDE instance.
6755 Protect key with TPM.
6756 Check for removable media to configure.

ProtectKeyWithTpmAndStar tupKey .
6757 Protect key with TPM and startup key.
6758 Look for BDE pin.
6759 Protect key with TPM and Pin.
6760 Find removable media for BDEKeyLocation .
6761 Protect with external key.
6762 Recovery P@ssword being saved to PasswordFile.

6764 Configure BitLocker policy.
7000 Unable to locate ZTIConfigure.xml; aborting.
7001 Looking for unattend AnswerFile.
7100 ERROR - This script should only run in the full OS.
7101 ERROR - Not enough values supplied for generating

DCPromo answer file.
7102 ERROR - Mandatory properties for creating a new replica DC

were not specified.
7103 ERROR - Mandatory properties for creating a new child

domain were not specified.
7104 ERROR - Mandatory properties for creating a new forest

were not specified.
7105 ERROR - Mandatory properties for creating a new forest

were not specified.
7200 Unable to configure DHCP server because the service is not

installed.
7201 Unable to read the scope details; GetScopeDetails()

failed.
7202 Not enough values specified for scope creation.
7203 Not enough values provided to set the IP range for this
scope.
7204 No value specified for scope exclusion range.
7300 Unable to issue DNS commands.
7700 Not a New Computer scenario; exiting disk partition.
7701 Disk is not large enough for System and BDE partitions,
Required = 1.5 GB.
7702 Disk is not large enough for System and WinRE partitions,
Required = 10 GB.
7703 DeployRoot is on disk # DiskIndex. Running an OEM

Scenario: Skip.
7704 Running an OEM Scenario: Skip.

7704 Extended and logical partitions are not allowed with

BitLocker.
7712 Verify Drive/Volume Drive is present. Format.
7900 FindFile: Microsoft.BDD.PnpEnum.exe.
7901 AllDrivers.Exists("GUID ").
7904 AllDrivers.Exists("GUID ").
9200 FindFile(PkgMgr.exe).
9601 ERROR - ZTITatoo state restore task should be running in

the full OS; aborting.
9701 Nonzero return code from USMT estimate, rc = Error.
9702 User state capture not possible; insufficient local space and
no network path (UDShare, UDDir) specified.
9703 Nonzero return code from USMT capture, rc = Error.
9704 No valid command line option was specified.
9801 ERROR - Attempting to deploy a client operating system to

a machine running a server operating system.
9802 ERROR - Attempting to deploy a server operating system to

a machine running a client operating system.
9803 ERROR - Machine is not authorized for upgrading

(OSInstall=OSInstall); aborting.
9804 ERROR - Memory MB of memory is insufficient. At least

Memory MB of memory is required.
9805 ERROR - Processor speed of ProcessorSpeed MHz is

insufficient. At least a ProcessorSpeed MHz processor is
required.
9806 ERROR - insufficient space is available on Drive. An additional

Size MB is required.
9807 ERROR - insufficient space is available on Drive. An additional

Size MB is required.
9901 The ZTIWindowsUpdate script should not run in Windows

PE.
9902 ZTIWindowsUpdate has run and failed too many times.

Count = Count.
9903 Unexpected issue installing the updated Windows Update

Agent, rc = Error.
9904 Failed to create object: Microsoft.Update.Session .
9905 Failed to create object: Microsoft.Update.UpdateColl.
9906 Critical file File was not found; aborting.
10000 Create object: Set oLTICleanup = New LTICleanup .
10201 Unable to Join Domain Domain. Stop installation.
10203 FindFile(LTISuspend.wsf).
10204 Run Program LTISuspend.
41024 Run ImageX.
52012 All the wizard parameters are not set.
Listing 1 provides an excerpt from a log file that illustrates how to find the error code. In this excerpt, the error
code reported is 5001.
Listing 1. Excerpt from an SMSTS.log file that contains error code 5001
.
.
.
The operating system installation failed. Please contact your system administrator for assistance.
The action "Zero Touch Installation - Validation" failed with exit code 5001
.
.
.
Converting Error Codes

Many error codes presented in the log files seem cryptic and difficult to correlate to an actual error condition.
However, the following process demonstrates how to convert an error code and obtain meaningful information
that may assist in problem resolution.
Problem : An image capture fails with error code 0x80070040.
Possible Solution 1 : The error code presented is in hexadecimal format that you need to convert to decimal
format. To do this, you need a scientific calculator, and the calculator included with Windows operating systems
is well suited to this task.
To conver t an error code
1. Click Star t , and then point to All Programs . Point to Accessories , and then click Calculator .
2. From the View menu, click Scientific .
3. Select Hex , and then enter the last four digits of the code—in this case, 0040 , as shown in Figure 1.
Figure 1. Error conversion
Figure 1. Error conversion
Notice that leading zeros are not displayed while the calculator is in Hexadecimal mode.
4. Select Dec .
The hexadecimal value 40 is converted to a decimal value of 64.
5. Open a Command Prompt window, type NET HELPMSG 64 , and then press ENTER.
The NET HELPMSG command translates the numerical error code into meaningful text. In the case of
the error code provided here, it translates to "The specified network name is no longer available."
This information indicates that a networking problem may exist on the target computer or between the
target computer and the server on which the deployment share resides. These problems might include
network drivers not being installed properly or a mismatch in speed and duplex settings.
Review of Sample Logs
MDT creates log files that you can use to troubleshoot problems in the MDT deployment process. The following
sections provide examples of how to use the MDT log files to troubleshoot the deployment process:
Problems that relate to failures accessing the MDT database (MDT DB), as described in Failure to Access the
Database
Failure to Access the Database
Problem: An error occurs while running a deployment that used a CustomSettings.ini file containing numerous
sections and specifying, with the Priority property, the priority of each section to be processed. BDD.log
contains the following error messages:
ERROR - Opening Record Set (Error Number = -2147217911) (Error Description: The SELECT
permission was denied on the object 'ComputerAdministrators', database 'AdminDB', schema 'dbo'.)
ADO error: The SELECT permission was denied on the object 'ComputerAdministrators', database
'AdminDB', schema 'dbo'. (Error #-2147217911; Source: Microsoft OLE DB Provider for SQL Server;
SQL State: 42000; NativeError: 229
ERROR - Unhandled error returned by ZTIGather: Object required (424)

NOTE
For clarity, the log file contents above have been represented as they appear while being viewed using CMTrace.
Possible Solution: The issue, as pointed out on the first line of the log file sample, is that permission to access
the database was denied. Therefore, the script cannot establish a secure connection to the database, possibly
because a user ID and password were not available. As a result, database access was attempted using the
computer account. The easiest way to work around this issue is to grant everyone Read access to the database.
Troubleshooting
Prior to embarking on in-depth troubleshooting processes, review the following items and ensure that any
associated requirements have been met:
Installation issues can result if all software and hardware prerequisites have not been met.
Application Installation
Review the problems and solutions for application installation issues:
Installation source files that are blocked for security reasons as described in Blocked Executables
Loss of network connectivity as described in Lost Network Connections
Installation error 30029 while installing the 2007 Microsoft Office system or related files as described in
The 2007 Microsoft Office System
Blocked Executables
Problem: If installation source files are downloaded from the Internet, it is likely that they will be marked with
one or more NTFS file system data streams. For more information about NTFS data streams, see File Streams.
The existence of NTFS file system data streams might cause an Open File – Security Warning prompt to be
displayed. The installation will not proceed until you click Run at the prompt.
Figure 2 shows, you can view NTFS file system data streams using the More command and the Streams utility.
Figure 2. NTFS data streams

Figure 2. NTFS data streams
Possible Solution 1: Right-click the installation source file, and then click Proper ties . Click Unblock , and then
click OK to remove the NTFS file system data streams from the file. Repeat this process for each installation
source file that is blocked by the existence of one or more NTFS file system data streams.
Possible Solution 2: Use the Streams utility, as REF _Ref308173670 \h Figure 2 shows, to remove the NTFS
file system data streams from the installation source file. The Streams utility can remove NTFS file system data
streams from one or more files or folders at once.
Lost Network Connections
Problem: An installation may fail if it installs device drivers or alters device and network configurations. These
changes may result in a lapse in network connectivity that causes the installation to fail.
Possible Solution: Implement the ZTICacheUtil.vbs script to enable download and execution for the
installation. This script is designed to tweak the advertisement to enable download and execute. The download
uses Background Intelligent Transfer Service (BITS) if the Configuration Manager distribution point is Web-
based Distributed Authoring and Versioning and BITS enabled. At the same time, it modifies Configuration
Manager to run the ZTICache.vbs script first, which makes sure the program does not delete itself during the
deployment process.
The 2007 Microsoft Office System
Problem: While deploying the 2007 Office system and including a Windows Installer patch (MSP) file, the
installation may fail with error code 30029.
Further investigation in the ZTIApplications.log shows the following messages:
About to run command:

\\Server\Deployment$\Tools\X86\bddrun.exe
\\Server\Share\Microsoft\Office\2007\Professional\setup.exe /adminfile
\\Server\Share\Microsoft\Office\2007\Professional\file.msp
ZTI Heartbeat: command has been running for 12 minutes (process ID 1600) Return code from
command = 30029
Application Microsoft Office 2007 Professional returned an unexpected return code: 30029
Possible Solution 1: Relocate the MSP file to the Updates directory, and then run setup.exe without
specifying the /adminfile option. For more information about deploying updates during the installation,
see Deploying the 2007 Office system.
Possible Solution 2: Verify that the MSP file does not have the Suppress modal check box selected.
For more information about configuring this setting, see Overview of 2007 Office System Deployment.
AutoLogon
Review the problems and solutions for automatic logon issues:
Interruption of the LTI and Zero Touch Installation (ZTI) deployment processes because of logon security
banners as described in Logon Security Banners
Interruption of the LTI and ZTI deployment processes because of prompts for user credentials as
described in Prompted for User Credentials
Logon Security Banners
Problem: MDT task sequences are processed during an interactive user session, which requires that the target
computer be allowed to log on automatically using a specified administrative account. If a Group Policy object
(GPO) is in place that enforces a logon security banner, this automatic logon will not be allowed to proceed,
because the security banner halts the logon process while it waits for a user to accept the stated policy.
Possible Solution: Be sure that the GPO is applied to specific organizational units (OUs) and not included in
the default domain GPO. When you add computers to the domain, specify that they be added to an OU that is
not affected by a GPO that enforces a logon security banner. In the Task Sequence Editor, include as one of the
last task sequence steps a script that relocates the computer account to the desired OU.
NOTE
If you are reusing existing Active Directory® Domain Services (AD DS) accounts, ensure that prior to deploying to the
target computer you have relocated the target computer's account to an OU that is not affected by the GPO that
enforces the security logon banner.
Prompted for User Credentials

Problem: You created an image of a computer that was joined to the domain. While deploying the new image
to a target computer, the deployment process halts, because auto-logon does not occur and the user is
prompted to enter appropriate credentials. The deployment process resumes when the credentials are provided
and the user is logged on.
Possible Solution: When capturing images, the source computer should not be joined to a domain. If the
computer was joined to a domain, join the computer to a workgroup, re-capture the image, and attempt the
deployment to a target computer to determine whether the issue is resolved.
BIOS
Problem: While deploying to a target computer that is equipped with Intel vPro technology, the deployment
may end with a stop error. Even though all updated drivers have been included as out-of-box drivers in the
Deployment Workbench, the target computer does not start.
Possible Solution: Review the settings in the target computer's basic input/output system (BIOS) to determine
whether the default Serial Advanced Technology Attachment mode is configured as Advanced Host Controller
Interface (AHCI). Unfortunately, certain Windows operating systems do not support AHCI by default.
Database Problems
Review database-related problems and solutions:
Errors generated as a result of improperly configured firewalls on database server as described in
Blocked SQL Server Browser Requests
Errors generated as a result of broken connections with the database server as described in Named Pipe
Connections
Blocked SQL Server Browser Requests
Problem: During the MDT deployment process, information can be retrieved from Microsoft SQL Server®
databases. However, errors might be generated that relate to an improperly configured firewall on the database
server.
Possible Solution: The Windows Firewall in Windows Server helps prevent unauthorized access to computer
resources. However, if the firewall is configured incorrectly, attempts to connect to a SQL Server instance may be
blocked. To access an instance of SQL Server that is behind the firewall, configure the firewall on the computer
that is running SQL Server. For more information on configuring firewall ports for SQL Server, see Configure the
Windows Firewall to Allow SQL Server Access.
Named Pipe Connections
Problem: During the MDT deployment process, information can be retrieved from SQL Server databases.
However, errors might be generated that relate to broken SQL Server connections. These can be caused by not
enabling named pipe connections in Microsoft SQL Server.
Possible Solution: To resolve these problems, enable named pipes in SQL Server. Also, specify the SQLShare
property, which it is required when making a connection to an external database using named pipes. When
connecting using named pipes, use integrated security to make the connection to the database. In the case of LTI
deployments, the user account that you specify makes the connection to the database. For ZTI deployments that
use Configuration Manager, the network access account connects to the database. Because Windows PE has no
security context by default, you must make a network connection to the database server to establish a security
context for the user who will be making the connection.
The network share that the SQLShare property specifies provides a means to connect to the server to gain a
proper security context. You must have Read access to the share. When the connection is made, you can then
establish the named pipe connection to the database. The SQLShare property is not needed and should not be
used when making a TCP/IP connection to the database.
Enable named pipe connections by performing the following tasks based on the version of SQL Server you are
using:
Enable named pipe connections for SQL Server 2008 R2 as described in Enable Named Pipe Connections
in SQL Server 2008 R2.
Enable named pipe connections for SQL Server 2005 as described in Enable Named Pipe Connections in
SQL Server 2005.
En a b l e N a m e d P i p e C o n n e c t i o n s i n SQ L Se r v e r 2 0 0 8 R 2
To enable named pipe connections in SQL Server 2008 R2, perform the following steps:
1. On the computer running SQL Server 2008 R2 that hosts the database to be queried, click Star t , and
then point to All Programs . Point to Microsoft SQL Ser ver 2008 R2 , and then click SQL Ser ver
Management Studio .
2. In the Microsoft SQL Ser ver Management Studio console, in the Object Explorer, right-click
sql_ser ver_name , and then click Proper ties (where sql_server_name is the name of the computer
running SQL Server to be configured).
3. The Server Properties - sql_ser ver_name dialog box is displayed.
4. In the Ser ver Proper ties - sql_ser ver_name dialog box, in Select a page , click Connections .
5. On the Connections page, ensure the Allow remote connections to this ser ver check box is
selected and then click OK .
6. Close the Microsoft SQL Server Management Studio console.
7. On the computer running SQL Server 2008 R2 that hosts the database to be queried, click Star t , and
then point to All Programs . Point to Microsoft SQL Ser ver 2008 R2 , point to Configuration Tools ,
and then click SQL Ser ver Configuration Manager .
8. In the Sql Ser ver Configuration Manager console, go to SQL Server Configuration Manager (Local) /
SQL Server Network Configuration / Protocols for sql_instance (where sql_instance in the name of the
SQL Server instance to be configured).
9. In the details pane, right-click Named Pipes , and then click Enable .
The Warning dialog box appears indicating that the changes will be saved but will not take effect until the
service is stopped and restarted.
10. In the Warning dialog box, click OK .
11. In the Sql Ser ver Configuration Manager console, go to SQL Server Configuration Manager (Local) /
SQL Server Services.
12. In the details pane, right-click SQL Ser ver*(sql_instance) , and then click *Restart (where sql_instance
in the name of the SQL Server instance that you configured in step 2).
The SQL Server Configuration Manager progress bar is displayed that shows the status of restarting the
services. After the service restarts, the progress bar closes.
13. Close the SQL Server Configuration Manager console.
For additional information, How to enable remote connections in SQL Server 2008.
En a b l e N a m e d P i p e C o n n e c t i o n s i n SQ L Se r v e r 2 0 0 5
To enable named pipe connections in SQL Server 2005, perform the following steps:
1. On the computer running SQL Server 2005 that hosts the database to be queried, click Star t , and then
point to All Programs . Point to Microsoft SQL Ser ver 2005 , point to Configuration Tools , and then
click SQL Ser ver Surface Area Configuration .
2. In the SQL Ser ver 2005 Surface Area Configuration dialog box, click Surface Area Configuration
for Ser vices and Connections .
3. In the Surface Area Configuration for Ser vices and Connections – ser ver_name dialog box
(where server_name is the name of the computer running SQL Server 2005), in Select a component
and then configure its ser vices and connections , go to MSSQLSERVER\Database Engine, and then
click Remote Connections .
4. Click Local and remote connections , click Using both TCP/IP and named pipes , and then click
Apply .
5. In the Surface Area Configuration for Ser vices and Connections – ser ver_name dialog box
(where server_name is the name of the computer running SQL Server 2005), in Select a component
and then configure its ser vices and connections , go to MSSQLSERVER\Database Engine, and then
click Ser vice .
6. Click Stop .
The MSSQLSERVER service stops.
7. Click Star t .
The MSSQLSERVER service starts.
8. Click OK .
9. Close SQL Server 2005 Surface Area Configuration.
For additional information, see the Microsoft Support article How to configure SQL Server 2005 to allow
remote connections
Deployment Scripts
Review MDT-related problems and solutions:
Prompted for user credentials and may receive error 0x80070035 as described in Credentials_script
Error message "Wuredist.cab not found" appears as described in ZTIWindowsUpdate
Credentials_script
Problem: During the last start-up of a newly deployed computer, the user is prompted to provide user
credentials and may receive error 0x80070035, which indicates that the network path was not found.
Possible Solution: Be sure that the WIM file does not include a MININT or _SMSTaskSequence folder. To delete
these folders, first use the ImageX utility to mount the WIM file, and then delete the folders.
NOTE
If an Access Denied error occurs when you attempt to delete the folders from the WIM file, open a Command Prompt
window, switch to the root of the image contained in the WIM file, and then run RD MININT and RD
_SMSTaskSequence .
ZTIWindowsUpdate
Problem: If you use the ZTIWindowsUpdate.wsf script to apply software updates during deployment, note that
this script may communicate directly with the Microsoft Update website to download and install the required
Windows Update Agent binaries, scan for applicable software updates, download the binaries for the applicable
software updates, and then install the downloaded binaries. This process requires that your networking
infrastructure be configured to allow the target computer to gain access to the Microsoft Update website.
If the deployment share does not contain the Windows Update Agent installation files and the target computer
does not have appropriate Internet access, error "wuredist.cab not found" is reported in the
ZTIWindowsUpdate.log and BDD.log files.
Possible Solution: Follow the steps outlined in the section, "ZTIWindowsUpdate.wsf", in the MDT document
Toolkit Reference.
Deployment Shares
Review deployment share–related problems and solutions:
Updating WIM files fails when updating a deployment share as described in Failure to Update WIM Files.
Failure to Update WIM Files
In a "simple" environment:
MDT typically picks up WIMGAPI.DLL from C:\Windows\system32 (always in the path). The version of this
WIMGAPI.DLL must match the version (build) of the operating system.
On a 64-bit operating system, MDT always uses the x64 WIMGAPI.DLL file; only that file should be in the
system PATH. On a 32-bit operating system, MDT always uses the x86 WIMGAPI.DLL file; only that file
should be in the system PATH. (Other products, such as Configuration Manager, use the 32-bit version of
WIMGAPI.DLL, even on a 64-bit operating system, but they manage and install that version.)
Problem: When attempting to update a deployment share, the user will be informed that the mounting
of one or more .wim files did not succeed.
Possible Solution: Open a Command Prompt window and run where WIMGAPI.DLL . For the first
entry in the list (the first location found by searching the path), ensure that the Version property
matches the build of the Windows Assessment and Deployment Kit (Windows ADK) that is installed. Also
ensure that the property matches the operating system build number.
The Windows Deployment Wizard
Review Windows Deployment Wizard–related problems and solutions:
Windows Deployment Wizard pages are displayed even when LTI is configured to skip the wizard pages as
described in Wizard Pages Are Not Skipped.
Wizard Pages Are Not Skipped
Problem: A wizard page is displayed even though the MDT DB or CustomSettings.ini file specify that the wizard
should be skipped.
Possible Solution: To properly skip a wizard page, include all properties that would be specified on that wizard
page where appropriate in the MDT DB or CustomSettings.ini file along with appropriate values. If a property is
configured improperly for a skipped wizard page, that page will be shown. For more information about which
properties are required to ensure that a wizard page is skipped, see the section, "Providing Properties for
Skipped Deployment Wizard Pages", in the MDT document Toolkit Reference.
Disks and Partitioning
Review disk partitioning problems and solutions:
BitLocker® Drive Encryption issues as described in BitLocker Drive Encryption
Disk partitioning errors as described in Disk Partitioning Errors
Failures during Refresh Computer deployment scenarios caused by logical or dynamic disks as described
in Support for Logical and Dynamic Disks
BitLocker Drive Encryption
Deploying BitLocker requires a specific configuration for proper deployment. The following potential problems
may be related to the configuration of the target computer:
In ZTI and UDI deployments, the ZTIBde.wsf Script Fails with the Error "Unable to open registry key
'HKEY_CURRENT_USER\Control Panel\International\LocaleName' for reading", as described in ZTIBde.wsf
Script Fails with the Error "Unable to open registry key 'HKEY_CURRENT_USER\Control
Panel\International\LocaleName' for reading".
USB devices, CD drives, DVD drives, or other removable media devices on the target computer that
appear as multiple drive letters, as described in Devices Appear as Multiple Drive Letters
Shrinking drive C on the target computer to provide sufficient unallocated disk space as described in
Problems with Shrinking Disks
Z T I B d e .w sf Sc r i p t F a i l s w i t h t h e Er r o r " U n a b l e t o o p e n r e g i st r y k e y ' H K E Y _ C U R R E N T _ U SE R \ C o n t r o l P a n e l \ I n t e r n a t i o n a l \ L o c a l e N a m e' fo r
r eadi n g"
Problem: While trying to deploy BitLocker on the target computer in ZTI or UDI, the ZTIBde.wsf script fails with
the error "Unable to open registry key 'HKEY_CURRENT_USER\Control Panel\International\LocaleName' for
reading."
Possible Solution: Specify the locale in the UILanguage property. In ZTI and UDI, the ZTIBde.wsf script runs in
the system control, so a full user profile is not loaded. When the ZTIBde.wsf script tries to read the locale
information it is not in the registry, because the registry (user profile) is not fully loaded. As a workaround,
specify the locale in the UILanguage property.
Devi c es A ppear as Mu l t i pl e Dr i ve Let t er s
Problem: Some devices can appear as multiple logical drive letters, depending on how they are partitioned. In
some cases, they can emulate a 1.44-megabyte (MB) floppy disk drive and a memory storage drive. Therefore,
Windows may assign the same device drive letters A and B for floppy disk emulation and F for the memory
storage drive. By default, MDT scripts use the lowest drive letter (in this example, A).
Possible Solution: Override the default setting on the Specify the BitLocker recover y details page in the
Windows Deployment Wizard. The Windows Deployment Wizard summary page displays a warning to inform
the user which drive letter was selected to store BitLocker recovery information. In addition, the BDD.log and
ZTIBDE.log files record the removable media devices detected and which device was selected to store the
BitLocker recovery information.
P r o b l e m s w i t h Sh r i n k i n g D i sk s
Problem: Not enough unallocated disk space exists on the target computer to enable BitLocker. To deploy
BitLocker on a target computer, at least 2 gigabytes (GB) of unallocated disk space is required to create the
system volume. The system volume is the volume that contains the hardware-specific files needed to load
Windows after the BIOS has booted the computer.
Possible Solution 1: On existing computers, use the Diskpart tool to shrink drive C so that the system volume
can be created. In some instances, though, the Diskpart tool may not be able to shrink drive C sufficiently to
provide 2 GB of unallocated disk space, possibly because of fragmented disk space within drive C.
One possible solution to this problem is to defragment drive C. To do so, perform the following steps:
1. Run the Diskpart shrink querymax command to identify the maximum amount of disk space that can be
unallocated.
2. If the value returned in step 1 is less than 2 GB, clean drive C of any unnecessary files, and then
defragment it.
3. Run the Diskpart shrink querymax command again to verify that more than 2 GB of disk space can be
unallocated.
4. If the value returned in step 3 is still less than 2 GB, perform one of the following tasks:
Defragment drive C multiple times to ensure that it is fully optimized.
Back up the data on drive C, delete the existing partition, create a new partition, and then restore
the data to the new partition.
Possible Solution 2: The ZTIBDE.wsf script runs the Disk Preparation Tool (bdehdcfg.exe) and
configures the system volume partition size to 2 GB by default. You can customize the ZTIBDE.wsf script
to change the default, if necessary. However, modifying the MDT scripts is not recommended.
Support for Logical and Dynamic Disks
Problem: When performing a Refresh Computer deployment scenario, the deployment process may fail when
deploying to a target computer that is using logical drives or dynamic disks.
Possible Solution: MDT does not support deploying operating systems to logical drives or dynamic disks.
Domain Join
Problem: During deployment, you use the Windows Deployment Wizard to provide all the necessary
information for the target computer, including credentials, domain join information, and static IP configuration.
When Setup finishes, you can see that the system has not joined the domain and is still in a workgroup.
Possible Solution: An LTI deployment of MDT configures the static IP information after the operating system is
up and running. If the target computer is located on a network segment that does not have Dynamic Host
Configuration Protocol (DHCP), an automated domain join specified in Unattend.xml will fail when no DHCP is
present.
Configure Unattend.xml to join a workgroup. Then, use the built-in Recover from Domain task sequence step
to add a step in the task sequence to join the domain after the static IP has been applied.
Driver Installation
To ensure the best possible user experience, installation of hardware devices and software drivers should run as
seamlessly as possible, with little or no user intervention. Microsoft provides tools and guidelines to help create
installation packages that meet this goal. For general information about driver installation, see Device and Driver
Installation.
Review device driver installation–related problems and solutions:
Problems that occur when using $OEM$ mass storage drivers with MDT as described in Combine $OEM$
Mass Storage Drivers with MDT Mass Storage Logic
Troubleshooting device driver installation issues using the SetupAPI.log as described in Troubleshoot
Device Installation with SetupAPI.log
Troubleshoot Device Installation with SetupAPI.log
The white paper Troubleshooting Device Installation with the SetupAPI Log File provides information about
debugging Windows device installation. Specifically, the paper provides guidelines for driver developers and
testers to interpret the SetupAPI log file.
One of the most useful log files for debugging purposes is the SetupAPI.log file. This plain-text file maintains the
information that SetupAPI records about device installation, service pack installation, and update installation.
Specifically, the file maintains a record of device and driver changes as well as major system changes beginning
from the most recent Windows installation. This paper focuses on using the SetupAPI log file to troubleshoot
device installation; it does not describe the log file sections that are associated with service pack and update
installations.
New Computer Deployments
Review the problems and solutions for New Computer deployment scenarios:
Problems starting the deployment process using Pre-Boot Execution Environment (PXE) boot as described in
PXE Boot
PXE Boot
In brief, the PXE protocol operates as follows: The client computer initiates the protocol by broadcasting a DHCP
Discover packet containing an extension that identifies the request as coming from a client computer that
implements the PXE protocol. Assuming that a boot server implementing this extended protocol is available, the
boot server sends an offer containing the IP address of the server that will service the client. The client uses
Trivial File Transfer Protocol to download the executable file from the boot server. Finally, the client computer
runs the downloaded bootstrap program.
The initial phase of this protocol piggybacks on a subset of the DHCP messages to enable the client to discover a
boot server (that is, a server that delivers executable files for new computer setup). The client computer may use
the opportunity to obtain an IP address (which is the expected behavior) but is not required to do so.
The second phase of this protocol takes place between the client computer and a boot server and uses the DHCP
message format as a convenient format for communication. This second phase is otherwise unrelated to the
standard DHCP services. The next few pages outline the step-by-step process during PXE client computer
initialization.
Review the following solutions for PXE boot issues:
Disable Windows PE logging to SetupAPI.log as described in Disable Windows PE Logging in Windows
Deployment Services.
Ensure that DHCP is configured properly as described in Ensure the Proper DHCP Configuration.
Improve the response times for assigning IP addresses to PXE client computers as described in Improve
PXE IP Address Assignment Response Time.
D i sa b l e W i n d o w s P E L o g g i n g i n W i n d o w s D e p l o y m e n t Se r v i c e s
The first procedure recommended is to make sure that logging to setupapi.log has been disabled.
En su r e t h e P r o p e r D H C P C o n fi g u r a t i o n
Depending on the router models in use, the specific router configuration of DHCP broadcast forwarding may be
supported to either a subnet (or router interface) or a specific host. If the DHCP servers and the computer
running Windows Deployment Services are separate computers, ensure that the routers that forward DHCP
broadcasts are designed so that both the DHCP and Windows Deployment Services servers receive the client
broadcasts; otherwise, the client computer does not receive a reply to its remote boot request.
Is there a router between the client computer and the remote installation server that is not allowing the DHCP-
based requests or responses through? When the Windows Deployment Services client computer and the
Windows Deployment Services server are on separate subnets, configure the router between the two systems
to forward DHCP packets to the Windows Deployment Services server. This arrangement is necessary, because
Windows Deployment Services client computers discover a Windows Deployment Services server by using a
DHCP broadcast message. Without DHCP forwarding set up on a router, the client computers' DHCP broadcasts
do not reach the Windows Deployment Services server. This DHCP forwarding process is sometimes referred to
as DHCP Proxy or IP Helper Address in router configuration manuals. Refer to the router instructions for more
information about setting up DHCP forwarding on a specific router.
I m p r o v e P X E I P A d d r e ss A ssi g n m e n t R e sp o n se T i m e
Check the following elements if it is taking a long time (15–20 seconds) for the PXE client computer to retrieve
an IP address:
Are the network adapter on the target computer and the switch or router set to the same speed
(automatic, duplex, full, and so on)
Is the IP address for the Windows Deployment Services server in the IP Helper file on the router through
which the connection is made? If the list of IP addresses in the IP Helper file is long, can you move the
address for the Windows Deployment Services server near the top
Restarting the Deployment Process
Problem: While testing and troubleshooting a new or modified task sequence, you may need to restart the
target computer so that the deployment process can start over from the beginning. Unexpected results may
occur, because MDT keeps track of its progress by writing data to the hard disk; any restart of the target
computer has MDT resume where it left off at the previous restart.
Possible Solution: To allow the deployment process to restart from the beginning, delete the C:\MININT and
C:\_SMSTaskSequence folders prior to restarting the target computer.
Sysprep
Review Sysprep-related problems and solutions:
The target computer is not appearing in the correct AD DS OU as described in The Computer Account Is in
the Wrong OU.
The Computer Account Is in the Wrong OU
Problem: The target computer is properly joined to the domain, but the computer account is in the wrong OU.
Possible Solution 1: If an account pre-exists for the target computer, the account will remain in its original OU.
To move the account to the specified OU, add a task sequence step that uses an automation tool, such as a
Microsoft Visual Basic® Scripting Edition, to move the account.
Possible Solution 2: Verify that the specified OU is in the correct format and that it exists. The correct OU
format should be OU=Reception,OU=NYC,DC=Woodgrovebank,DC=com .
Problem: The error message shown in REF _Ref308174600 \h Figure 3 is displayed when you attempt to create
a Configuration Manager PXE service point using the Create self-signed PXE cer tificate option.
Figure SEQ Figure \* ARABIC 3. PXE service point error

Figure SEQ Figure \* ARABIC 3. PXE ser vice point error
Possible Solution: If a PXE service point previously existed on the server you are configuring, the PXE service
point may not have deleted the self-created certificates when you uninstalled it. Delete the PXE certificate folder
from C:\Documents and Settings\user_name\Application Data\Microsoft\Crypto\RSA, where user_name is the
name of the user performing the current configuration or who performed the previous configuration. The New
Site Role Wizard in the Configuration Manager console should successfully finish when you have deleted the
folder.
Task Sequences
Review task sequence–related problems and solutions:
Task sequence does not finish successfully or has unpredictable behavior as described in The Task
Sequence Does Not Finish Successfully.
Original equipment manufacturer (OEM) task sequences in LTI are listed on boot images with the
opposite processor architecture as described in The OEM Task Sequence Incorrectly Appears for a Boot
Image Created for a Different Processor Architecture.
The Windows Deployment Wizard displays the error message "Bad Task Sequence Item (Invalid OS
GUID)" as described in Bad Task Sequence Item (Invalid OS GUID) Message in the Windows Deployment
Wizard.
While configuring a network connection name, the message "Please enter a valid name for the network
adapter" is displayed as described in Apply Network Settings.
Problems that may occur as a result of improper configuration of continue on error configuration
settings for task sequence steps as described in Use Continue on Error.
The Task Sequence Does Not Finish Successfully
Problem: Task sequence may not finish successfully or has unpredictable behavior.
Possible Solution: The Install Operating System task sequence step (for LTI) or the Apply Operating
System Image task sequence step (for UDI and ZTI) may have been modified after the creation of the task
sequence step can lead to unpredictable results. For example, if a task sequence was created to deploy a 32-bit
Windows 8.1 image, and then later the Install Operating System task sequence step or the Apply
Operating System Image task sequence step was changed to reference a 64-bit Windows 8.1 image, the task
sequence may not run successfully.
It is recommended that a new task sequence is created to deploy a different operating system image.
The OEM Task Sequence Incorrectly Appears for a Boot Image Created for a Different Processor Architecture
Problem: A task sequence based on a LTI OEM task sequence template is showing up for a boot image with a
different processor architecture. For example, an OEM task sequence that deploys a 64-bit operation system is
showing on a 32-bit boot image.
Possible Solution: This is expected behavior as OEM task sequences in LTI are not considered to be "platform-
specific" will always be listed, regardless of the processor architecture of the boot image.
Bad Task Sequence Item (Invalid OS GUID) Message in the Windows Deployment Wizard
Problem: When running the Windows Deployment Wizard, the wizard displays the error message "Bad Task
Sequence Item (Invalid OS GUID)." The operating system is listed in the OperatingSystem.xml file; however, the
operating system is not displayed in the Deployment Workbench.
Possible Solution: The original operating system source has two or more WIM files associated. A SKU that is
associated with a task sequence is deleted; however, other SKUs for the operating system source still exist. When
the task sequence that references the deleted SKU is selected on the Select a task sequence to execute on
this computer wizard page in the Windows Deployment Wizard, the error message "Bad Task Sequence Item
(Invalid OS GUID)" is displayed after you click Next on the wizard page.
To resolve this problem, perform one of the following tasks:
Remove all SKUs from the operating system source. The Windows Deployment Wizard behaves normally,
and the error message is not displayed.
Change the task sequence to use a different operating system image.
Apply Network Settings
Problem: When configuring the network connection name in the Deployment Workbench, a validation error
prompts you with the message, "Please enter a valid name for the network adapter."
Possible Solution: Remove any spaces and invalid characters from the specified connection name.
Use Continue on Error
If a MDT task sequence is configured not to continue on error and that task sequence returns an error, all
remaining task sequences in that task sequence group are skipped. However, the remaining task sequence
groups are processed. Consider the following:
Two task sequence groups have been created, and either group contains more than one task sequence step:
Group A
Step A
Step B
Group B
Step A
Step B
If Group A\Step A is configured not to continue on error, then Group A\Step B will not be processed.
However, all task sequence steps in Group B will be processed.
The User State Migration Tool
Review USMT-related problems and solutions:
Shortcuts that point to documents stored in network shared folders may not be restored properly as
described in Missing Desktop Shortcuts.
Missing Desktop Shortcuts
Problem: While using USMT to migrate user data, shortcuts that point to network documents may not be
restored. The shortcuts are captured during Scanstate; however, they are never restored to the target computer
during Loadstate.
Possible Solution: Edit the MigUser.xml file and comment out the following line:
Original:
<include> filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
Modified:
<include> 
Windows Imaging Format Files

Review WIM-related problems and solutions:
LTI and ZTI deployments fail with WIM file errors in the BDD.log file as described in Corrupt WIM File.
Corrupt WIM File
Problem: When deploying an image, the deployment fails with the following entries in the BDD.log file:
The image \\Server\Deployment$\Operating Systems\Windows\version1.wim was not applied successfully

by ImageX, rc = 2
LTIApply COMPLETED. Return Value = 2
ZTI ERROR - Non-zero return code by LTIApply, rc = 2
Investigate the issue by mounting the WIM file using ImageX results in the error, "The data is invalid."
Further investigation shows that the date stamp of the .wim file is many years before the current date. It
is possible that another process, such as a virus scanner, was holding the .wim file open after it was
previously closed at the conclusion of a Read or Write process.
Possible Solution: Restore the .wim file from backup media.
Windows PE
Review Windows PE–related problems and solutions:
The LTI or ZTI deployment process is not initiated because of insufficient RAM or wireless network
adapters as described in Deployment Process Not Initiated—Limited RAM or Wireless Network Adapter.
The LTI or ZTI deployment process is not initiated because of missing Windows PE components as
described in Deployment Process Not Initiated—Missing Components.
The LTI or ZTI deployment process is not initiated because of missing or incorrect device drivers as
described in Deployment Process Not Initiated—Missing or Incorrect Drivers.
Deployment Process Not Initiated—Limited RAM or Wireless Network Adapter
Problem: When deploying an image to certain target computers, Windows PE starts, runs wpeinit , opens a
Command Prompt window but does not actually start the deployment process. Troubleshooting the problem by
mapping a network drive from the target computer indicates that the network adapter drivers are not loaded.
Possible Solution 1: The Deployment Wizard is not starting, because there is insufficient RAM. Verify that the
target computer has at least 512 MB of RAM and that no shared video memory consumes more than 64 MB of
the 512 MB.
The versions of Windows PE that MDT supports are unable to run on a target computer that has less than 512
MB of RAM.
Possible Solution 2: Do not include the wireless drivers in the Windows PE image.
Deployment Process Not Initiated—Missing Components
Problem: When troubleshooting a failed deployment, a review of the BDD.log file lists the following entry:
ERROR - Unable to create ADODB.Connection object, impossible to query SQL Server: ActiveX component
can't create object (429).
Possible Solution: This error may indicate that the Windows PE image was not created using MDT. If you are
using Configuration Manager, do not use one of the existing Windows PE images that Configuration Manager
created; instead, create an image using the Import Microsoft Deployment Task Sequence Wizard.
NOTE
The Windows PE images that Configuration Manager creates contain components that support scripting, XML, and
Windows Management Instrumentation (WMI), but they do not contain components that support Microsoft ActiveX®
Data Objects (ADO).
Deployment Process Not Initiated—Missing or Incorrect Drivers

Problem: When deploying to certain target computers, Windows PE starts, runs wpeinit , opens a Command
Prompt window, but does not actually start the deployment process. Troubleshooting by mapping a network
drive from the target computer indicates that the network adapter drivers are not loaded. A review of the
SetupAPI.log file located in X:\Windows\System32\Inf indicates that Windows PE generates errors when it is
configuring the network adapter, one of which is, "This driver is not meant for this platform." The drivers in the
Out-of-Box Drivers list have been injected into the image.
Possible Solution: It is possible that Windows PE is having a driver conflict with another driver. When
configuring the settings for the Windows PE image in the Deployment Workbench, create a Windows PE drivers
group that contains only network adapter and storage drivers, and then configure the deployment share to use
only the Windows PE driver group.
Deployment Process Flow Charts

This section provides two sets of MDT flow charts: one for LTI deployments and one for ZTI deployments with
Configuration Manager. Each flow chart illustrates the tasks run during that deployment type.
Familiarize yourself with the deployment process flow charts by:
Reviewing the LTI deployment process flowcharts as described in LTI Deployment Process Flowcharts
Reviewing the ZTI deployment process flowcharts as described in ZTI Deployment Process Flowcharts
LTI Deployment Process Flowcharts
Flow charts are provided for the following phases:
Validation (Figure 4)
State Capture (Figure 5 and Figure 6)
Preinstall (Figure 7, Figure 8, and Figure 9)
Install (Figure 10)
Postinstall (Figure 11 and Figure 12)
State Restore (Figure 13, Figure 14, Figure 15, and Figure 16)
Figure 4. Flow chart for the Validation Phase

Figure 4. Flow char t for the Validation Phase
Figure 5. Flow chart for the State Capture Phase (1 of 2)
Figure 5. Flow char t for the State Capture Phase (1 of 2)
Figure 6. Flow chart for the State Capture Phase (2 of 2)
Figure 6. Flow char t for the State Capture Phase (2 of 2)
Figure 7. Flow chart for the Preinstall Phase (1 of 3)
Figure 7. Flow char t for the Preinstall Phase (1 of 3)
Figure 10. Flow chart for the Install Phase
Figure 10. Flow char t for the Install Phase
Figure 11. Flow chart for the Postinstall Phase (1 of 2)

Figure 11. Flow char t for the Postinstall Phase (1 of 2)
Figure 12 Flow chart for the Postinstall Phase (2 of 2)
Figure 12 Flow char t for the Postinstall Phase (2 of 2)
Figure 13. Flow chart for the State Restore Phase (1 of 4)
Figure 13. Flow char t for the State Restore Phase (1 of 4)
ZTI Deployment Process Flowcharts
Flow charts are provided for the following phases of ZTI deployment with Configuration Manager:
Initialization (Figure 17)
Validation (Figure 18)
State Capture (Figure 19)
Preinstall (Figure 20)
Install (Figure 21)
Postinstall (Figure 22)
State Restore (Figure 23 and Figure 24)
Capture (Figure 25)
Figure 17. Flow chart for the Initialization Phase
Figure 17. Flow char t for the Initialization Phase
Figure 18. Flow chart for the Validation Phase
Figure 18. Flow char t for the Validation Phase
Figure 19. Flow chart for the State Capture Phase
Figure 19. Flow char t for the State Capture Phase
Figure 20. Flow chart for the Preinstall Phase
Figure 20. Flow char t for the Preinstall Phase
Figure 21. Flow chart for the Install Phase
Figure 21. Flow char t for the Install Phase
Figure 22. Flow chart for the Postinstall Phase
Figure 22. Flow char t for the Postinstall Phase
Figure 25. Flow chart for the Capture Phase
Figure 25. Flow char t for the Capture Phase
Microsoft Support
Microsoft provides Premier and Professional level support for Microsoft Deployment Toolkit.
Professional level support: https://support.microsoft.com/
Premier level support: https://premier.microsoft.com/
NOTE
When contacting support, be clear that the issue is with MDT and the specific version.
Mobile device management installation errors on
management point
This article provides a solution for the error that occurs when you try to enable a mobile device on a
management point in Microsoft System Center 2012 Configuration Manager Service Pack 1 (SP1).
Original product version: Microsoft System Center 2012 Configuration Manager Service Pack 1
Symptoms
When you attempt to enable a mobile device on a management point enabled for mobile devices in System
Center 2012 Configuration Manager SP1, you may see this error in the mpcontrol.log:
Call to HttpSendRequestSync failed for port 443 with status code 401, text: Unauthorized
Cause
This issue can occur if the .NET Framework 4 is installed on the server before IIS is enabled.
Resolution
To resolve this issue, follow the steps below:
1. Open a command prompt with administrative privileges.
2. Run the following command:
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i -enable
More information
For more information, see ASP.NET IIS Registration Tool (Aspnet_regiis.exe).
The .NET Framework 4 can be installed side-by-side with previous versions of the .NET Framework on a single
computer. If IIS was previously enabled on the computer, the setup process for the .NET Framework
automatically registers ASP.NET 4 with IIS. However, if you install the .NET Framework 4 before you enable IIS,
you must run the ASP.NET IIS Registration tool in order to register the .NET Framework with IIS and create
application pools that use the .NET Framework 4.
For more information, see Prerequisites for Site System Roles.
Removing the Intune subscription in Configuration
Manager doesn't stop communication with Intune
service
This article helps you resolve an issue in which communication with the Microsoft Intune service isn't stopped
as expected after removing the Intune subscription.
Symptoms
In Configuration Manager current branch versions 1602 and 1606, you delete the Intune subscription from a
site by using the Configuration Manager console. After you do this, the CloudDMP replication group remains
enabled, and CloudUserSync continues to try to license users. Additionally, the following message is logged in
the Cloudusersync.log file:
HasIntuneSubscription: Site has no Intune subscription
However, if there is telemetry remaining to be sent, the service connection point tries to send it every hour. Each
time, Intune forcibly closes the connection, which causes the following error to be logged in the
dmpuploader.log file:
ERROR: UploadTelemetryData exception:

[Microsoft.Management.Services.Common.ServiceTooBusyException
Workaround
To work around this issue, set the following registry key:
REGIST RY SUB K EY DW O RD N A M E DW O RD VA L UE
UploadInterval
HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Components\SMS_DMP_UPLOADER 7fffffff
This setting makes the uploader sleep for 4,000 years. However, it will still try to upload every time that the
DmpUploader service is restarted.
Initialize CA Error when editing a device enrollment
profile in Configuration Manager 1902
This article helps you resolve an issue where you can't edit a device enrollment profile in Configuration Manager
current branch version 1902 and get Initialize CA Error .
Original product version: Configuration Manager (current branch - version 1902)
Symptoms
Consider the following scenario in Configuration Manager:
You enable the following option in the management point properties to configure at least one
management point for managing modern devices:
Allow mobile devices and Mac computers to use this management point
In the Configuration Manager console, you go to Administration > Client Settings > Enrollment , and
then select Set Profile under User Settings > Enrollment profile .
You select an enrollment profile, and then select Edit Selected .
In this scenario, the following error message window opens:
Initialize CA Error
The message contains the following detail information:
System.ArgumentException
Controls created on one thread cannot be parented to a control on a different thread.
Stack Trace:
at System.Windows.Forms.Control.ControlCollection.Add(Control value)
at System.Windows.Forms.Form.ControlCollection.Add(Control value)
at Microsoft.ConfigurationManagement.AdminConsole.ControlsInspector.SetInvalidControl(Control
control, String errorMessage)
at Microsoft.ConfigurationManagement.AdminConsole.ControlsInspector.SetInvalidControl(Control
control)
at Microsoft.ConfigurationManagement.AdminConsole.ControlsInspector.EvaluateControl(Control control)
at Microsoft.ConfigurationManagement.AdminConsole.ControlsInspector.InspectAll()
at
Microsoft.ConfigurationManagement.AdminConsole.DeviceManagement.Enrollment.CreateEnrollmentProfil
eDialog.AddItemToListViewCAServers(String name, String fqdn, DataTable certTemplates)
at Microsoft.ConfigurationManagement.AdminConsole.DeviceManagement.Enrollment.
CreateEnrollmentProfileDialog.InitializationWorker_DoWork(Object sender, DoWorkEventArgs e)
at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)
at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)
Cause
This is a known issue in Configuration Manager current branch, version 1902.
Resolution
Workaround
To work around this issue without updating, delete the enrollment profile, and then create a new profile.
Custom port settings aren't added to boot media in
This article describes an issue in which custom port settings aren't added to boot media in System Center 2012
R2 Configuration Manager and later versions.
Original product version: Microsoft System Center 2012 R2 Configuration Manager, Configuration Manager
(current branch)
Symptoms
Boot media that is created at a central administration site (CAS) server in a System Center 2012 R2
Configuration Manager and later versions hierarchy will not contain the custom client communication port
numbers of a child site. This occurs with dynamic or site-based media. However, this occurs only when the
media is created on a site that has port numbers that are different from the port numbers of the site on which
the client will be deployed.
Errors that resemble the following will be recorded in the Smsts.log file on the destination computer. Notice that
the port reference will continue to read :80 instead of the custom port that was previously defined for the site.
CLibSMSMessageWinHttpTransport::Send: URL: 2012-SP1.corp.contoso.com:80 GET /SMS_MP/.sms_aut?

MPLOCATION&ir=192.168.1.1&ip=192.168.1.0
Error. Status code 404 returned
Boot media contains custom port information only for the site at which the media was created. For a site that
has different port settings, client computers will not connect to the management point for that site. Media that is
created at a stand-alone site is not affected and contains custom port information.
More information
For more information about how to customize client port settings and boot images, see the following articles:
How to Configure Client Communication Port Numbers in Configuration Manager
How to Deploy Operating Systems by Using Media in Configuration Manager
Not enough memory resources error when you
create standalone or prestaged media in
This article fixes an issue in which you receive the Not enough memor y resources error when you create
standalone or prestaged media in Configuration Manager.
Symptoms
In Configuration Manager, you use the Create Task Sequence Media Wizard to create standalone or prestaged
media that contain a large system image. When you try to create the media, you receive the following error
message:
Media creation failed with error message: 'Not enough memory resources are available to process this
command.'
Refer to CreateTsMedia.log file to find more details.
Additionally, the following error entries are logged in CreateTSMedia.log:
Capturing volume <Temp_Dir>\_tsmedia_<#>\stage

WIM has entered capture phase for <#> items
Unable to load volume image 1 (0x80070008)
Error setting WIM image header info
Closing image file \\<Path_to_OS_WIM>\<OS>.wim Error writing volume by image writer
Deleting output files
Error executing first single pass
Failed to create media (0x80070008)
CreateTsMedia failed with error 0x80070008, details=''
CreateMedia.exe finished with error code 80070008
Cause
CreateMedia.exe is a 32-bit executable that's used to create media in Configuration Manager. If the media
contains a large system image, CreateMedia.exe may exceed the 2 GB memory limit and generate the error that
is mentioned in the Symptoms section.
Resolution
1. If Microsoft Visual Studio isn't already available in your environment, download and install Visual Studio.
Select the Desktop development with C++ workload when you install Visual Studio.
NOTE
We recommend that you install Visual Studio on a client computer instead of on a site server.
2. Copy the CreateMedia.exe file to the computer that has Visual Studio installed. You can locate the
CreateMedia.exe file on the site server under the <ConfigMgr_Install_Directory>\AdminConsole\bin\i386
folder.
3. On the computer that has Visual Studio installed, open the Developer Command Prompt as an elevated
Command Prompt window.
4. In the Developer Command Prompt, go to the directory where the CreateMedia.exe file is located, and
then run the following command to check whether CreateMedia.exe can handle addresses that are larger
than 2 GB:
dumpbin.exe /headers CreateMedia.exe
For more information about the /HEADERS DUMPBIN option, see /HEADERS.
If you see the following result under FILE HEADER VALUES , go to step 6:
Application can handle large (>2GB) addresses
Otherwise, go to step 5.
5. In the Developer Command Prompt, run the following command to enable Createmedia.exe to handle
addresses that are larger than 2 GB:
editbin.exe /largeaddressaware createmedia.exe
For more information about the /LARGEADDRESSAWARE EDITBIN option, see /LARGEADDRESSAWARE.
6. On the site server, create a backup of the
<ConfigMgr_Install_Directory>\AdminConsole\bin\i386\CreateMedia.exe file.
7. Copy the modified version of CreateMedia.exe from the computer that has Visual Studio installed to the
<ConfigMgr_Install_Directory>\AdminConsole\bin\i386 folder on the site server.
8. If there's a central administration site and multiple primary sites in your environment, repeat steps 6 and
7 on all site servers so that you can create media from any site server.
9. Create the standalone or prestaged media by using the Create Task Sequence Media Wizard.
NOTE
If you install an update or hotfix on the site server after you make these changes, CreateMedia.exe may be replaced. If
this occurs, the replacement will have the default behavior and will not be able to handle large addresses. In this case,
follow these steps again for the new instance of CreateMedia.exe.
Scheduled Updates fails if Configuration Manager
SMS Provider server is on Windows Server 2012 R2
or Windows Server 2012
This article fixes an issue in which Scheduled Updates fails with error 0x800700a1 in Configuration Manager.
Symptoms
Assume that SMS Provider is installed on a Windows Server 2012 R2-based server or a Windows Server 2012-
based server. When you try to use Scheduled Updates (offline servicing) in Configuration Manager current
branch on a captured custom Windows 10 WIM image, Scheduled Updates fails to unmount the image.
In OfflineServicingMgr.log, you find the following error messages:
SMS_OFFLINE_SERVICING_MANAGER UnMounting Image (Commit Changes = 1)...

SMS_OFFLINE_SERVICING_MANAGER WIM::UnMountWIMImage returned code 0x800700a1~
SMS_OFFLINE_SERVICING_MANAGER UnMountImage returned code 0x800700a1~
SMS_OFFLINE_SERVICING_MANAGER Image UnMount failed with error 161
SMS_OFFLINE_SERVICING_MANAGER STATMSG: ID=7913 SEV=E LEV=M SOURCE="SMS Server"
COMP="SMS_OFFLINE_SERVICING_MANAGER" SYS=<SMS_Provider_Server> SITE=<Site_Code> PID=
<PID> TID=<TID> GMTDATE=<Date_Time> ISTR0="<OS_Image_Package_ID>" ISTR1="<Image_Index>"
ISTR2="<Temporary_Image_Mount_Directory>" ISTR3="161" ISTR4="" ISTR5="" ISTR6="" ISTR7=""
ISTR8="" ISTR9="" NUMATTRS=0
SMS_OFFLINE_SERVICING_MANAGER Completed processing image package <OS_Image_Package_ID>.
Status = Failed
SMS_OFFLINE_SERVICING_MANAGER Updated history for image package <OS_Image_Package_ID> in the
database
SMS_OFFLINE_SERVICING_MANAGER Schedule processing failed
In DISM.log, you find the following additional error messages:
DISM DISM WIM Provider: PID=<PID> [GetFileStorageTierClass:(80) -> StorageTiering not supported] (null)
(HRESULT=0x0) - CWimManager::WimProviderMsgLogCallback
[<PID>] [0x800700a1] ImageRecaptureDirectory:(141): The specified path is invalid.
[<PID>] [0x800700a1] WIMCommitImageHandle:(1417): The specified path is invalid.
DISM DISM WIM Provider: PID=<PID> TID=<TID>
onecore\base\ntsetup\opktools\dism\providers\wimprovider\dll\wimimage.cpp:194 -
CWimImage::Save(hr:0x800700a1)
DISM DISM WIM Provider: PID=<PID> TID=<TID> "Could not commit changes during unmount." -
CWimImage::Unmount(hr:0x800700a1)
DISM DISM Imaging Provider: PID=<PID> TID=<TID>
onecore\base\ntsetup\opktools\dism\providers\imagingprovider\dll\genericimagingmanager.cpp:1082 -
CGenericImagingManager::InternalCmdUnmount(hr:0x800700a1)
DISM DISM Imaging Provider: PID=<PID> TID=<TID>
onecore\base\ntsetup\opktools\dism\providers\imagingprovider\dll\genericimagingmanager.cpp:536 -
CGenericImagingManager::ExecuteCmdLine(hr:0x800700a1)
Error 0x800700a1 is mentioned as follows:
Error Code: 0xA1 (161)

Error Name: ERROR_BAD_PATHNAME
Error Source: Windows
Error Message: The specified path is invalid.
Cause
This issue will occur if the custom Windows 10 WIM image contains reparse points and was captured by using a
version of the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1803 or a later version.
A change was made to the Windows 10, version 1803 ADK to support reparse points in Windows 10 WIM
images. This change causes older operating systems, such as Windows Server 2012 R2 or Windows Server
2012, to fail when you unmount a Windows 10 WIM image that has reparse points. The issue will occur only if
the image was captured by using the Windows 10, version 1803 ADK or a newer version because those versions
of the ADK are the ones that added support for reparse points. Windows Server 2012 R2 and Windows Server
2012 do not have support for the new reparse points that are found in Windows 10. Therefore, it generates the
ERROR_BAD_PATHNAME/The specified path is invalid error message. This is intentional behavior and is a
limitation of Windows Server 2012 R2 and Window Server 2012.
NOTE
Although the SMS Provider is usually installed on the same server as the site server, it may not always be installed in that
manner. Additionally, the SMS Provider may be installed on multiple servers. When you check for the issue, make sure to
check whether the servers that host the SMS Provider is Windows Server 2012 or Windows Server 2012 R2. For more
information about how to do this, see Plan for the SMS Provider - Location.
Workaround
To work around this limitation in Windows Server 2012 and Windows Server 2012 R2, use one of the following
methods:
Upgrade the server that hosts the SMS Provider to Windows Server 2016 or a later version. Windows
Server 2016 and later versions of Windows Server support Windows 10 reparse points.
Move the SMS Provider to a server that's running Windows Server 2016 or a later version. This server
can be a separate server from the site server. Make sure that the appropriate ADK is installed on the new
server. For compatible and supported versions of the ADK, see the Windows 10 ADK.
For more information about how to move the SMS Provider and determine which servers host the SMS
Provider, see Locations.
Recapture the custom image without the application that uses reparse points. Instead, install the
application that uses reparse points during the task sequence that deploys the image. The offending app
that has reparse points can be discovered by using the Sysinternals tools Process Monitor (ProcMon)
when the issue occurs. ProcMon is available to download from Process Monitor v3.53. An example of an
application that uses reparse points is Office 365.
If you are capturing a Windows 10, version 1709 image or an earlier version, use the 1709 ADK instead.
Specifically, use DISM.exe from the 1709 ADK. The capture may have to be done manually outside
Configuration Manager because of the ADK requirement of a newer version of the ADK for Configuration
Manager. (See the Windows 10 ADK about ADK compatibility and supportability.)
NOTE
This method isn't recommend for Windows 10, version 1803 or a later version of Windows images because
capturing images should be done by using versions of DISM that are the same or later than the Windows version
that is being captured.
Cleaning up after a failure

Because Scheduled Updates was unable to correctly unmount the WIM image when this issue occurred, you
may have to manually unmount the OS WIM image and clean up the temporary directories that were left
behind by Scheduled Update after it failed. Until the temporary directories are cleaned up, additional attempts to
run Scheduled Updates on OS WIM images may fail, including on OS WIM images that don't have reparse
points.
The temporary directory that is used by Configuration Manager for Scheduled Updates will be located at the
root of one of the drives on the server and will be called ConfigMgr_OfflineImageSer vicing . The mounted
image will be in a subdirectory under this directory. For example, if the temporary directory is on the D drive,
the path of the mounted image would be D:\ConfigMgr_OfflineImageServicing\
<OS_Image_Package_ID>\ImageMountDir.
NOTE
In this path, OS_Image_Package_ID is the package ID of the OS WIM that's being serviced.
You have to manually unmount the image by using DISM.exe and the /discard option. For example, if the
package ID for the OS WIM image was CAS00123, the command-line command to unmount the image would
be as follows:
Dism.exe /unmount-image /mountdir:D:\ConfigMgr_OfflineImageServicing\CAS00123\ImageMountDir /discard
This will discard any changes that are made to the OS WIM image, including any updates that were added to the
image. However, trying to use the /commit option will cause the original error to occur again. Therefore, to
correctly clean up, the only option is to discard the changes that are made to the image. As soon as the OS WIM
image is correctly unmounted, you can delete the whole ConfigMgr_OfflineImageSer vicing folder.
For more information about DISM.exe and how to unmount OS WIM images, see Unmounting an image.
Error when managing boot images in Configuration
Manager
This article fixes an issue in which you can't manager boot images in Configuration Manager if the WIMMount
service is corrupted, misconfigured, or missing.
Configuration Manager, Microsoft System Center 2012 Configuration Manager
Symptoms
In an environment that has Windows Assessment and Deployment Kit (ADK) installed and up-to-date on the
server that hosts the SMS Provider, you can't manage boot images by using Configuration Manager. This
includes the following actions:
Update boot images on distribution points.
Import new boot images.
Create new boot images by using the Microsoft Deployment Toolkit (MDT) wizard.
Modify boot images, such as to add drivers.
In this scenario, the following error is logged in the SMSProv.log file on the SMS Provider server:
SMS Provider ExecMethodAsync : SMS_BootImagePackage.PackageID="

<Boot_Image_Package_ID>"::RefreshPkgSource~
SMS Provider Requested class =SMS_BootImagePackage~
SMS Provider Requested num keys =1~
SMS Provider IExtClassManager::ValidateAuthenticationLevel...
SMS Provider CExtProviderClassObject::DoExecuteMethod RefreshPkgSource~
SMS Provider Loaded wimgapi.dll version 10.0.16299.15 from location 'C:\Program Files (x86)\Windows
Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\wimgapi.dll'
SMS Provider WIM index is 1.
SMS Provider Image language ID 1033 and en-US~
SMS Provider Loaded the image from \\<Boot_Image_Path>\boot.wim
SMS Provider Temporary path for WIM file is C:\Windows\TEMP\BootImages\{<Random_GUID>}\temp.
SMS Provider Loaded the image index 1.
SMS Provider ERROR> failed to mount wim file, err=-1052638943~
SMS Provider ~*~*~..\sspbootimagepackage.cpp(5198) : Failed to inject OSD binaries into mounted WIM
file (often happens if unsigned drivers are inserted into x64 boot image)~*~*~
SMS Provider ~*~*~Failed to inject OSD binaries into mounted WIM file (often happens if unsigned drivers
are inserted into x64 boot image) ~*~*~
When you manually run DISM.exe on the SMS Provider server, the following error is logged in the DISM.log file:
DISM DISM.EXE: Successfully registered commands for the provider: Compatibility Manager.
[10780] [0x8007007b] OpenFilterPort:(408): The filename, directory name, or volume label syntax is
incorrect.
[10780] [0x8007007b] FltCommVerifyFilterPresent:(502): The filename, directory name, or volume label
syntax is incorrect.
[10780] [0x8007007b] WIMMountImageHandle:(1089): The filename, directory name, or volume label
syntax is incorrect.
[10780] [0x80070002] StateStoreRemoveMountedImage:(1030): The system cannot find the file specified.
[10780] [0x80070002] WIMMountImageHandle:(1331): The system cannot find the file specified.
DISM DISM WIM Provider: PID=10780 TID=1096 "Failed to mount the image." -
CWimImageInfo::Mount(hr:0x8007007b)
DISM DISM WIM Provider: PID=10780 TID=1096
onecore\base\ntsetup\opktools\dism\providers\wimprovider\dll\wimmanager.cpp:2684 -
CWimManager::InternalOpMount(hr:0x8007007b)
CWimManager::InternalCmdMount(hr:0x8007007b)
DISM DISM WIM Provider: PID=10780 TID=1096 "Error executing command" -
CWimManager::InternalExecuteCmd(hr:0x8007007b)
CWimManager::ExecuteCmdLine(hr:0x8007007b)
NOTE
Using Process Monitor when you manually run DISM can't identify which file or directory can't be found.
Cause
This issue occurs if the WIMMount service is corrupted, misconfigured, or missing on the SMS Provider server.
To verify, check the following registry entry on the server that hosts the SMS Provider:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WIMMount\ImagePath
The value of this entry should be the location of the Wimmount.sys file, which is under the installation directory
of Windows ADK.
NOTE
The server that hosts the SMS provider may not be the central administration site or primary site server. If there are
multiple servers that host the SMS Provider, make sure that you check this registry entry on all SMS Provider servers.
To find the servers that host the SMS Provider at a site, follow these steps:
1. In the Configuration Manager console, go to Administration > Over view > Site Configuration > Sites .
2. Right-click the site, and then select Proper ties .
3. On the General tab, find the servers that are listed under SMS Provider location .
Resolution
To fix the issue, follow these steps to reinstall the WIMMount service:
1. On the server that hosts the SMS Provider, go to the location where Windows ADK is installed. For
example, the default path of Windows ADK 10 is
C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64 .
2. Go to the DISM folder, and then run the following command:
WimMountAdkSetupAmd64.exe /Install
Configure operating system deployment in System
Center 2012 Configuration Manager
Most support issues that affect operating system deployment (OSD) in System Center 2012 Configuration
Manager stem from product misconfigurations. Although there are no simple guidelines to implement
something as powerful and complex as OSD, this article describes the step-by-step process for configuring
System Center 2012 Configuration Manager (ConfigMgr 2012) to capture an existing Windows image. This
article also guides you through creating a client package and task sequence to deploy and install that image.
Introduction
This article assumes that you have an existing environment that has a Configuration Manager 2012 site installed
and also a primary site that's running Configuration Manager 2012. These steps can also be used together with
a stand-alone primary site that is running Configuration Manager 2012. Additionally, this article requires that
the Network Access Account and Boundaries are configured correctly, and that ConfigMgr client agents are
installed on the clients.
Overview of the technology
OSD provides System Center 2012 Configuration Manager administrative users a tool to create operating
system images that can be deployed both to computers that are managed by Configuration Manager and to
unmanaged computers. You can do this by using bootable media, such as a CD set, DVD, or USB flash drives. A
description of each component of the OSD process can be found in Introduction to Operating System
Deployment in Configuration Manager.
Prerequisites
TA SK DETA IL ED ST EP S
Prerequisites This article assumes you have an existing environment with

a Configuration Manager 2012 site installed as well as a
primary site running Configuration Manager 2012. These
steps can also be used with a standalone primary site
running Configuration Manager 2012. Further, this article
requires that the Network Access Account and Boundaries
are properly configured and that ConfigMgr client agents
are installed on the clients.
Computers used in this exercise GTRCM12CAS (ConfigMgr 2012 central administration site
(CAS) server)
GTRCM12PRI1 (ConfigMgr 2012 primary site server)
GTRCM12WIN7B (ConfigMgr 2012 client)
GTRCMXP01 (ConfigMgr 2012 client)
Configure the components

In this section, we will install the Windows Deployment Services (WDS) role on GTRCM12PRI1 and then share a
folder. We will configure a distribution point (DP) to respond to incoming PXE requests, and then we will copy
x86 and x64 boot images to it.
Complete the following steps on the primary site server

(GTRCM12PRI1)
Open an elevated command prompt 1. On the Star t menu, point to All Programs , point to
Accessories , and then point to Command Prompt . Right-
click it and select Run as administrator from the shortcut
menu.
Share folder Flats as Sources 2. Run the

net share Sources=C:\Flats /Grant:System,Full
/Grant:Administrators,Full
command to grant System and local admin permission to
the Sources share.
Log off GTRCM12PRI1
Complete the following tasks on the CAS (GTRCM12CAS)
Start the Configuration Manager Console 1. On the Star t menu, point to All Programs , point to
Microsoft System Center , point to Configuration
Manager 2012 , and then select ConfigMgr Console .
2. Switch to the Administration Overview page. Expand Site

Configuration > Ser vers and Site System Roles . Select
the primary site server (GTRCM12PRI1). Look for
Distribution point located in the Site System Roles area,
then right-click it and select Proper ties from the menu.
3. On the PXE tab, select Enable PXE suppor t for clients,

Allow this distribution point to respond to incoming
PXE requests , and Enable unknown computer
suppor t .
Configure the image properties 4. Move to the Software librar y Over view page. Expand
Operating Systems and then Boot Images . Select Boot
image (x64) . Right-click it and select Proper ties from the
shortcut menu. On the Data Source tab, enable Deploy
this boot image from PXE ser vice point , and then
select Apply .
Complete the wizard to update the boot image. Repeat

these steps for Boot image (x86) .
Copy both boot images to your DP on GTRCM12PRI1 5. Select both boot images, and then select Distribute
Content from the bar at the top. Be sure you select the
primary site server (GTRCM12PRI1) as the destination.
Optional Monitor the distmgr.log file on GTRCM12PRI1. Notice that

PXE configuration occurs when the first boot image has been
copied to the DP.
Create a custom task sequence to capture an image

Here we will create a custom task sequence to capture an image from a client named GTRCM12WIN7B. After a
successful capture, we will then use this image to reinstall a second client (GTRCM12XP1) with Windows 7.
Complete the following task on the CAS (GTRCM12CAS)
Note The System Center Configuration Manager

Console window appears and displays the Administration
Overview page.
2. In the navigation pane, select Software Librar y . Expand

Operating Systems and then select Task Sequences .
Select Create Task Sequence from the bar at the top.
Create a custom task sequence 1. Select Create a new custom task sequence .
2. Name it Capture Reference Computer , select Boot

Image (x86) , and then finish the wizard.
3. Right-click Capture Reference Computer and select

Edit from the shortcut menu.
4. Select Add and select New Group . Name it Capture

Image .
5. Add the following three steps from Images underneath

your Capture Image group as shown in the following
screenshot.
Prepare ConfigMgr Client for Capture

Prepare Windows for Capture
Capture Operating System Image

6. Theoretically, we could use the task sequence to do the

capture now. However, we should first make sure the target
is not part of a domain. If it is, we will add a step to move
the target computer to a workgroup.
NOTE
Systems that are part of a domain cannot be captured and
your task sequence will fail!
7. Add another group, and name it Domain membership

check.
8. Use the following WMI query to verify domain

membership on the Options page.
SELECT * from Win32_ComputerSystem WHERE Workgroup

= NULL
Run the test, which should return an instance count of 1.

This means that the current system (in our case the CAS
named GTRCM12CAS) is member of a domain.
9. Add a final step to join the system to a workgroup.
NOTE
The target system will restart after executing this task.
Create a device collection 1. Select the Assets and Compliance workspace. In the
navigation pane, select Device Collections . Select Create
Device Collection from the bar at the top.
2. Name it Capture Image .

3. Add the reference computer (here it is the client

GTRCM12WIN7B) as direct member, and then finish the
wizard.
Deploy your task sequence to the new collection. 1. Right-click your new collection and select Deploy > Task
Sequence from the shortcut menu. Click through the
wizard and finish it.
Log on to the reference computer (GTRCM12WIN7B) and 1. Log on to GTRCM12WIN7B.

run the task sequence
Confirm and run the task sequence.
Create a configuration manager client package

In this exercise, we will create a Configuration Manager client package to use during operating system
installations.
NOTE
The System Center Configuration Manager Console window
appears to display the Administration Overview page.
Create a package from Definition 2. In the navigation pane, select Software Librar y . Expand
Application Management , and then select Packages .
Select Create Package from Definition from the bar at
the top.
3. Select Configuration Manager Client Upgrade 5.0
4. Select Always obtain files source files from a source

folder .
5. Specify the appropriate client source location. Here we will

use \\GTRCM12PRI1\sms_pr1\Client as our source location.
Complete the wizard, and then distribute the content to

your distribution points.
Create a task sequence to install your image

In this exercise, we will create a task sequence to install our new image to a client named GTRCM12XP1.
NOTE
The System Center Configuration Manager Console window
appears to display the Administration Overview page.
Add your Operating System image 2. In the navigation pane, select Software Librar y . Expand
Operating Systems and select Operating System
Images . Select Add Operating System Image from the
bar at the top.
3. Select the capture folder on the primary site server (here

it is \\GTRCM12PRI1\sources\mycapture.wim) as the data
source. This is where we previously captured our image.
4. Name your image, then complete the wizard and

distribute it to your distribution points.
Create a new task sequence to install your image 1. In the navigation pane, select Software Librar y . Expand
Operating Systems and select Task Sequences . Select
Create Task Sequence from the bar at the top.
2. Select Install an existing image package .

3. Name your task sequence, and then select your Boot

Image (x86 ).
Tip: In this case, you can use either your x86 or x64 boot
image. We aren't running an architecture-based setup.exe

like we do when using an Operating System Install package.
4. Select your image, and then provide the administrator

password used for that image.
5. Select Join a domain , and provide an appropriate

domain account and password. This account should have
domain join and reset computer passwords
permissions.
Warning: Never use a domain admin account to do this

in production environments! You just need domain join
permissions and the right to reset computer passwords.
6. Select your Configuration Manager client package, and

then provide your FSP as an installation parameter. Here, we
will use our primary site server (FSP=GTRCM12PRI1).
7. Clear the This action will capture the user specific

settings check box.
Tip: Capture network settings will ensure that our
custom network settings are reapplied during deployment.
Don't install updates or software, and then complete the

wizard.
Create a new device collection 1. Select the Assets and Compliance workspace. In the
navigation pane, select Device Collections . Select Create
Device Collection from the bar at the top.
2. Name the collection as Windows 7 Enterprise x64 .
3. Add our target computer (in this case GTRCM12XP1) as a

direct member.
Distribute the task sequence to this collection 1. Right-click your new collection, and then select Deploy >
Task Sequence from the shortcut menu. Click through the
wizard, and then finish.
Run the task sequence on GTRCM12XP1 to install the 1. Log on to GTRCM12XP1, and then run the new task
operating system image. sequence to install your new operating system.
OSD task sequences known issues

You cannot stage a Windows PE 3.1 boot image to a Windows XP-based computer in Configuration Manager
Task sequence fails in Configuration Manager if software updates require multiple restarts
FIX: Task sequence to install an operating system doesn't run when you use custom port settings in System
Center Configuration Manager 2012 SP1
An update is available for the "Operating System Deployment" feature of Configuration Manager
The above and a number of other issues with task sequences are addressed in Description of Cumulative Update
1 for System Center 2012 R2 Configuration Manager.
Can't import drivers into Configuration Manager
This article fixes an issue in which you can't import drivers into Configuration Manager.
Symptoms
An administrator tries to import drivers into Configuration Manager.
The site server is running Windows Server 2008 R2.
The drivers are signed.
In this scenario, you may receive the following error message:
Error: Some driver(s) cannot be imported successfully. See following details.

Error: Failed to import the following drivers:
<Driver> - The selected driver is not applicable to any supported platforms.
When you view the Configuration Manager logs, you see the following errors:
DriverCatalog.log
\\<UNC_Path_To_Driver>\<Driver>.inf is not applicable to any supported platforms.

Driver is not applicable to any supported platforms. Code 0x80070661
SMSAdminUI.log
System.Management.ManagementException\r\nGeneric failure \r\n at

System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
at System.Management.ManagementObject.InvokeMethod(String methodName, ManagementBaseObject
inParameters, InvokeMethodOptions options)
at
Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlConnectionManager.Execut
eMethod(String methodClass, String methodName, Dictionary`2 methodParameters, Boolean
traceParameters)\r\nManagementException details:
instance of SMS_ExtendedStatus
{
Description = "Driver is not applicable to any supported platforms.";
ErrorCode = 1633;
File = "e:\\nts_sccm_release\\sms\\siteserver\\sdk_provider\\smsprov\\sspdriverci.cpp";
Line = 712;
Operation = "ExecMethod";
ParameterInfo = "SMS_Driver";
ProviderName = "WinMgmt";
StatusCode = 2147749889;
};
SMSProv.log
~*~*~e:\nts_sccm_release\sms\siteserver\sdk_provider\smsprov\sspdriverci.cpp(712) : Driver is not

applicable to any supported platforms.~*~*~
~*~*~Driver is not applicable to any supported platforms. ~*~*~
When you view the Setupapi.app.log file in the C:\Windows\inf directory, you see the following error:
>>> [SetupVerifyInfFile - \\<UNC_Path_To_Driver>\<Driver>.inf]

>>> Section start <Date> <Time>
cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
! sig: Verifying file against specific (valid) catalog failed! (0xe0000244)
! sig: Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a
different version of Windows, and may not be compatible with this version.
! sig: Verifying file against specific (valid) catalog failed! (0xe0000244)
! sig: Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a
different version of Windows, and may not be compatible with this version.
<<< Section end <Date> <Time>
<<< [Exit status: FAILURE(0xe0000244)]
Cause
Some drivers are signed by a newer signing method that's not recognized or natively supported by Windows
Server 2008 R2. Therefore, these drivers cannot be imported into Configuration Manager if the site server is
Windows Server 2008 R2.
Resolution
To resolve the problem, install one or both of the following hotfixes on the site server that's experiencing the
problem:
2837108 You cannot import a Windows 8 signed driver on a Windows Server 2008 R2-based WDS server
2921916 The "Untrusted publisher" dialog box appears when you install a driver in Windows 7 or Windows
Server 2008 R2
NOTE
Hotfix 2837108 will resolve the issue even if WDS is not installed on the site server.
These hotfixes will add the necessary support to Windows Server 2008 R2 to natively recognize the newer signing
methods.
To fully fix the problem, restart the site server after you install hotfix 2837108 or hotfix 2921916. Do this even if
the installation process does not prompt you to restart.
After you install hotfix 2837108 or hotfix 2921916 and then restart the server, any affected driver that's already
in the Configuration Manager console will have to be removed and then reimported.
More information
Surface Pro 3 drivers are an example of drivers that exhibit this problem. Because Surface Pro 3 drivers are
signed by the newer signing method, they are affected by this issue. You may be able to import them into
Configuration Manager when the site server is running Windows Server 2008 R2, but they will be displayed as
unsigned until either hotfix 2837108 or hotfix 2921916 is installed on the site server.
If you are able to import the drivers but they are displayed as unsigned, see Signed drivers are displayed as
unsigned in Configuration Manager.
Migrating a driver package fails with the SCCM
Provider is missing read, write, or delete privilege
error
This article helps you resolve an issue where you can't migrate a driver package due to missing privileges for
the driver package source path.
Symptoms
While attempting to migrate a System Center Configuration Manager 2007 driver package to System Center
2012 Configuration Manager, the action fails and the following error is shown in the migmctrl.log file:
SCCM Provider is missing read, write, or delete privilege for the driver package source path
Cause
This problem can occur if the Configuration Manager Provider system has insufficient permissions on the driver
package source path (NTFS or Share permissions).
Resolution
Grant the Configuration Manager Provider system full control permissions on the driver package source path.
More information
During migration, the error is only shown for driver packages because Migration Manager needs to process
some content in the source path, so it fails during the migration itself. If you migrate a regular software package,
it succeeds no matter whether the destination site has access to the source path or not, but later,
SMS_DISTRIBUTION_MANAGER (distmgr.log) which starts up to process this package fails due to insufficient
permissions on the package source path.
For more information, see How to Manage the Driver Catalog in Configuration Manager.
Signed drivers are displayed as unsigned in
This article provides a solution for the issue that signed drivers are shown as unsigned in Configuration
Manager.
Symptoms
An administrator tries to import drivers into Configuration Manager.
The site server is running Windows Server 2008 R2.
The drivers are signed.
In this scenario, the drivers may be imported successfully, but they may be displayed as unsigned in the
Configuration Manager console. You can see this through either of the following methods:
Navigate to the Software Librar y > Operating Systems > Drivers node in the Configuration Manager
console. When the Signed and Signed By columns are added, the Signed column for the imported drivers
displays No , and the Signed By column is blank.
When you inspect the properties of the imported drivers in the Software Librar y > Operating Systems >
Drivers node of the Configuration Manager console, the Digital signer field in the General tab displays
Unsigned .
The Configuration Manager logs do not reveal any errors. However, when you view the Setupapi.app.log file in
the C:\Windows\inf directory , you'll see this error:
>>> [SetupVerifyInfFile - \\<UNC_Path_To_Driver>\<Driver>.inf]

>>> Section start <Date> <Time>
cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
! sig: Verifying file against specific (valid) catalog failed! (0x80096002)
! sig: Error 0x80096002: The certificate for the signer of the message is invalid or not found.
! sig: Verifying file against specific Authenticode(tm) catalog failed! (0x800b0100)
! sig: Error 0x800b0100: No signature was present in the subject.
<<< Section end <Date> <Time>
<<< [Exit status: FAILURE(0x800b0100)]
Cause
Some drivers are signed by a newer signing method that is not recognized or natively supported by Windows
Server 2008 R2. Therefore, these drivers cannot be imported into Configuration Manager if the site server is
running Windows Server 2008 R2.
Resolution
To resolve the problem, install one or both of the following updates on the site server that's experiencing the
problem:
KB 2837108 You cannot import a Windows 8 signed driver on a Windows Server 2008 R2-based WDS
server
KB 2921916 The "Untrusted publisher" dialog box appears when you install a driver in Windows 7 or
Windows Server 2008 R2
NOTE
Hotfix 2837108 will resolve the issue even if WDS is not installed on the site server.
These hotfixes will add the necessary support to Windows Server 2008 R2 to natively recognize the newer signing
methods.
To fully fix the problem, restart the site server after you install KB 2837108 or KB 2921916 even if the
installation process does not prompt you to restart.
After you install KB 2837108 or KB 2921916 and then restart the server, any affected driver that's already in the
Configuration Manager console will have to be removed and then reimported.
More information
Surface Pro 3 drivers are an example of drivers that exhibit this problem. Because Surface Pro 3 drivers are
signed by the newer signing method, they are affected by this issue. You may be able to import them into
Configuration Manager when the site server is running Windows Server 2008 R2, but they will be displayed as
unsigned until either KB 2837108 or KB 2921916 is installed on the site server.
If you cannot import the drivers at all, see Can't import drivers into Configuration Manager.
A PXE enabled distribution point that uses a self-
signed certificate generates many files
This article provides a solution for the issue that a PXE enabled distribution point (DP) generates many files if it
uses a self-signed certificate in System Center 2012 Configuration Manager.
Symptoms
A PXE enabled DP will generate a number of files under C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 for each
PXE request that it services on the network. This issue occurs whether the device sending the PXE request has a
task sequence deployed to it or not. The generation of files will continue and may consume available hard disk
space.
Cause
This issue occurs whenever a self-signed certificate is used for the DP.
Resolution
To work around this problem, request a CA issued certificate for the PXE enabled DP and specify the PFX file
under the properties of the DP. Step-by-step instructions on how to do create the PFX file are available in
Deploying the Client Certificate for Distribution Points.
Advanced troubleshooting for PXE boot issues in
This article provides advance troubleshooting techniques to help administrators diagnose and resolve PXE boot
failures in Configuration Manager.
Introduction
For essential information about how PXE works, see the companion article Understand PXE boot in ConfigMgr.
The solutions that are provided in Troubleshooting PXE boot issues in Configuration Manager section can
resolve most issues that affect PXE boot.
If you can't resolve your PXE boot issue by using IP Helpers or reinstalling PXE, try the following troubleshooting
steps.
Special consideration when co-hosting DHCP and WDS on the same

server
When Dynamic Host Configuration Protocol (DHCP) and WDS are co-hosted on the same computer, WDS
requires a special configuration to listen on a specific port. This configuration is outlined in Windows
Deployment Service and Dynamic Host Configuration Protocol (DHCP). According to this article, you must
complete the following actions if WDS and DHCP are co-hosted on the same server:
1. Set the UseDHCPPorts value to 0 in the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE
2. Run the following WDS command:
WDSUTIL /Set-Server /UseDHCPPorts:No /DHCPOption60:Yes
This recommendation requires that you configure WDS to run the WDSUTIL command. This recommendation
conflicts with the best practice not to configure WDS when you install a ConfigMgr PXE-enabled DP. However,
you can configure the two settings that are specified in the WDSUTIL command ( UseDHCPPorts and
DHCPOption60 ) by using alternative methods that don't require the WDSUTIL command. This way you don't have
to configure WDS.
To configure these settings without having WDS enabled, follow these guidelines:
The UseDHCPPorts switch for WDSUTIL is actually the equivalent of setting the UseDHCPPorts registry key
to a value of 0 in the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE
Using the UseDHCPPorts switch isn't necessary if the registry key is manually set. If WDS wasn't installed,
this registry key may not exist.
The DHCPOption60 switch configures an option for the DHCP service, not for the WDS service. Instead of
using WDSUTIL to set this DHCP option, you can use an equivalent DHCP command to set the same
option. To do it, use the netsh command, as described in Configuring DHCP for Remote Boot Services.
To configure the WDS options according to these guidelines, close any DHCP consoles that are open, and
then run the following commands at an elevated command prompt:
netsh dhcp server \\<DHCP_server_machine_name> add optiondef 60 PXEClient String 0 comment=PXE

support
netsh dhcp server \\<DHCP_server_machine_name> set optionvalue 60 STRING PXEClient
These commands set up and enable DHCP Option 60 on a DHCP server. After you run these commands, if
an option that is named Unknown is displayed instead of 060 PXE Client in the DHCP console, restart the
server so that these settings can take effect. After the restart, the option should be displayed correctly.
This issue usually occurs only if a DHCP console was left open when the two commands were run.
If DHCP is ever moved to another server and removed from the server that's hosting WDS, these steps should
be reversed. Follow these steps on the WDS server:
1. Run the following command at an elevated command prompt:
REG ADD HKLM\SYSTEM\CurrentControlSet\services\WDSServer\Providers\WDSPXE /v UseDHCPPorts /t

REG_DWORD /d 1 /f
2. Run the following commands at an elevated command prompt:
netsh dhcp server \\<DHCP_server_machine_name> delete optionvalue 60
netsh dhcp server \\<DHCP_server_machine_name> delete optiondef 60 PXEClient
NOTE
The first of these commands disables DHCP option 60. The second command removes DHCP option 60
completely.
Troubleshooting DHCP Discovery

Before you start to troubleshoot the initial DHCP discovery stage of the PXE booting process, consider the
following points:
In SMSPXE.log, you should see the MAC address or the DHCPREQUEST of the device that you're trying to
start. If you don't see that, a router configuration issue might exist between the client and the DP.
Don't use DHCP options 60, 66, or 67. It isn't suppor ted .
Test whether the device can start when it's plugged into a switch on the same subnet as the PXE-enabled DP.
If it can, the issue likely involves the router configuration.
Make sure that the DHCP (67 and 68), TFTP (69), and BINL (4011) ports are open between the client
computer, the DHCP server, and the PXE DP.
At this stage, there are no logs to refer to. A PXE error code is usually displayed if the PXE boot process fails
before WinPE starts. Here are examples of the error messages that you might see:
PXE-E51: No DHCP or proxyDHCP offers were received.
PXE-E52: proxyDHCP offers were received. No DHCP offers were received.
PXE-E53: No boot filename received.
PXE-E55: proxyDHCP service did not reply to request on port 4011.
PXE-E77 bad or missing discovery server list.
PXE-E78: Could not locate boot server.
Although it helps narrow the focus of troubleshooting, you might still have to capture a network trace of the
issue by using a network monitoring tool, such as Netmon or WireShark. The network monitoring tool must be
installed on both the PXE-enabled DP and a computer that's connected to a mirrored port on the switch. For
more information about how to configure mirrored ports, refer to the manual provided by the manufacturer of
the specific switch or routing device.
The typical procedure is to start the network traces on both the DP and the computer that's connected to the
mirrored port. Try to start the device through PXE. Then, stop the trace, and save it for further analysis.
Here is a sample trace of a DHCP conversation that was captured from the PXE-enabled DP:
You can see that the initial DHCPDISCOVER by the PXE client is followed by a DHCPOFFER from the DHCP
server and the PXE DP. The request from the client (0.0.0.0) is made and then acknowledged by the DHCP server
(10.238.0.14). After the PXE client has an IP address (10.238.0.3), it sends a request to the PXE DP (10.238.0.2).
That DP then acknowledges the request by returning the network boot program details.
Capture a simultaneous network trace on the client and the DP to determine whether the conversation is
occurring as expected. Follow these guidelines:
Make sure that the DHCP services are running and available.
Verify that the WDS service is running on the DP.
Make sure that no firewalls are blocking the DHCP ports between the server and the client.
Verify that the client computer can start when it is on the same subnet as the DP.
Make sure that IP Helpers are configured correctly if the client computer is starting from a different subnet
than the one that the DP is in.
Troubleshooting TFTP Transfer

If the error on PXE boot refers to TFTP, you may be unable to transfer the boot files. The following are examples
of the error messages that you may receive:
PXE-E32: TFTP open timeout
PXE-E35: TFTP read timeout
PXE-E36: Error received from TFTP server
PXE-E3F: TFTP packet size is invalid
PXE-E3B: TFTP Error - File not Found
PXE-T04: Access Violation
A good way to troubleshoot these errors is to monitor the network by using Netmon or Wireshark. Below is an
example of the data captured from a PXE client when a TFTP Open time-out occurs.
Here the client is sending read requests for the Wdsnbp.com file, but it isn't receiving a response. It indicates that
something is preventing the acknowledgment from being received by the client. Here's what the data should
look like.
In this situation, you can try the following troubleshooting methods:

Reduce the block size on the PXE-enabled DP, see KB 975710.
Verify that the WDS service is started on the DP.
Make sure that the TFTP port is open between the client computer and the DP.
Verify that the permissions on the REMINST share and folder are correct.
Check the WDS logs for other TFTP errors.
Verify that the RemoteInstall\SMSBoot\x86 and RemoteInstall\SMSBoot\x64 folders contain the following
files:
Make sure that the fonts exist in SMSBoot\Fonts folder:
Make sure that the Boot.sdi file exists in the RemoteInstall\SMSBoot folder:
Windows PE startup issues - drivers

The most common issues that occur during this phase are driver-related. Overall, the latest version of Windows
PE (WinPE) contains most network and mass storage drivers. Sometimes a required driver isn't included. So it
must be imported into the boot WIM. The following guidelines apply to this process:
Import only the drivers that you need for the boot image.
Consider adding only NIC or mass storage drivers. Other drivers aren't required.
The SMSTS.log file (located in <SystemDrive>:\Windows\temp\SMSTS) is the most useful resource to
troubleshoot these issues. (Remember to enable the command prompt during startup so that you can examine
this file.) If you don't see a log entry that has a valid IP address and resembles the following entry, you're
probably experiencing a driver issue:
SMSTS.log
Found network adapter "Intel 21140-Based PCI Fast Ethernet Adapter (Emulated)" with IP Address <IP address>
To verify this situation, press F8, and then run IPCONFIG at the command prompt to determine whether the NIC
is recognized and has a valid IP address.
WIM Files
Also make sure that both x86 and x64 boot images exist on the DP. You can see the WIMs in the following
directory, they'll also be in the content library:
C:\RemoteInstall\SMSImages\<PackageID>
Make sure that Deploy this boot image from the PXE-enabled distribution point is set in the properties
of the boot images.
Configuration Manager Policy issues
Another common issue that affects PXE boot involves Task Sequence deployments. In the following example, the
Task Sequence is deployed to an unknown computer, but it's already in the database. The first symptom is that
the PXE boot is aborted.
Upon further investigation, you notice the following entry in the SMSPXE log:
SMSPXE.log
Client lookup reply: <ClientIDReply><Identification Unknown="0" ItemKey="16777299" ServerName=""><Machine>
<ClientID/><NetbiosName/></Machine></Identification></ClientIDReply>
MP_LookupDevice succeeded: 16777299 1 16777299 1 0
00:15:5D:00:19:CA, 32E5B71A-B626-4A4B-902E-7F94AD38B5B3: device is in the database.
Client boot action reply: <ClientIDReply><Identification Unknown="0" ItemKey="16777299" ServerName="">
<Machine><ClientID/><NetbiosName/></Machine></Identification><PXEBootAction LastPXEAdvertisementID=""
LastPXEAdvertisementTime="" OfferID="" OfferIDTime="" PkgID="" PackageVersion="" packagePath=""
BootImageID="" Mandatory=""/></ClientIDReply>
Client Identity:
00:15:5D:00:19:CA, 32E5B71A-B626-4A4B-902E-7F94AD38B5B3: SMSID= OfferID=, PackageID=, PackageVersion=,
BootImageID=, PackagePath=, Mandatory=0
00:15:5D:00:19:CA, 32E5B71A-B626-4A4B-902E-7F94AD38B5B3: no advertisements found
00:15:5D:00:19:CA, 32E5B71A-B626-4A4B-902E-7F94AD38B5B3: No boot action. Aborted.
00:15:5D:00:19:CA, 32E5B71A-B626-4A4B-902E-7F94AD38B5B3: Not serviced.
You can see in this entry that when the NBS stored procedures ran, they found no available policy. So the boot
action was aborted. The reverse can also be true. That is, when a computer is unknown but the Task Sequence is
deployed to a collection of known computers.
You can try the following troubleshooting steps:
Verify that the computer that you try to restart exists in a collection that's targeted for a Task Sequence
deployment.
Make sure that you've checked the Enable unknown computer suppor t PXE setting on the DP.
If you are deploying the Task Sequence to unknown computers, verify that the computers don't already exist
in the database.
Need more help

For more help to resolve this issue, see our TechNet support forum or contact Microsoft Support.
products.
How to boot from a PXE server that's on a different
network
This article describes how to boot from a PXE server on a different network.
PXE boot process

Generally, a client computer boots from the network by using the PXE protocol according to the following
process. It involves three parties, the DHCP server, the PXE server, and the client:
1. The client computer broadcasts a DHCP packet that asks for the address of the DHCP and PXE servers.
2. The DHCP server responds, sending a broadcast packet that tells the client it's an address server.
3. The PXE server responds to the client and reports that it's a boot server.
4. The client sends a request to the DHCP server to ask for the IP address.
5. The DHCP server sends the IP address to the client.
6. The client sends a request to the PXE server to ask for the path to the Network Boot Program (NBP).
7. The PXE server responds, sending the NBP path.
8. The client downloads and runs the NBP.
After this process, the basic PXE boot is completed, but there will be more interaction between the client and the
PXE server. It's controlled by the NBP implementation. For example, the Windows Deployment Services (WDS)
NBP implementation will require the path of a custom boot file ( pxeboot.com or bootmgfw.efi ). The
implementation will download and run the custom boot file. Then, the Windows Imaging Format (WIM) file and
other files that Windows PE needs will be downloaded.
The eight steps mentioned earlier usually work if the client and the servers are on the same network. When the
client and servers are on different networks, the recommended method to make sure the client can boot from
the network without using DHCP options is to configure the routers.
Recommended method - IP helper

The routers must be able to route the client requests from the network of the client to the network of the DHCP
server. One such simple router rule is the IP helper . The helper just tells the router to forward the DHCP
requests to the known IP address of the DHP server.
For PXE requests, you just need to configure the routers to forward the client request to the PXE server, just like
you do with the DHCP server. Locate your router, find the DHCP IP helper entry, and add another entry that
looks exactly like the first one but uses the IP address of the PXE server. For more information, see the blog post
You want to PXE Boot? Don't use DHCP options.
Besides, you can add an IP helper entry for each PXE server. In a load-balancing scenario (multiple PXE servers),
PXE servers can be up or down in a group, and you don't have to do any extra configuration. In diverse
environments (Windows, Linux, and Router PXE servers all coexisting), the different PXE servers can selectively
respond to the clients that they recognize.
Problematic scenarios
To configure the DHCP server to respond to PXE requests, you might try to add PXE options to the DHCP replies.
It results in the client always downloading the network boot file (as specified in the DHCP reply) and running it.
It's problematic in some UEFI setting scenarios. The client may not try to boot from the hard drive after the client
was configured to start from a network boot. But the network boot failed, for example, there's no task sequence
deployment for the client. It's also problematic for mixed-OS environments. Your Linux computer would be
instructed by the DHCP server to download and run the Windows network boot program.
So, letting the DHCP server masquerade as a PXE server doesn't work as expected in some scenarios. The true
PXE server decides whether it will respond and serve a network boot file. In the Configuration Manager case, the
server will only respond if there's a task sequence deployed to the client.
Certificate isn't updated on a PXE-enabled
distribution point and multiple error entries are
logged
This article provides a solution for the Failed to get the encr ypted PXE password error message in
Distmgr.log after you update the certificate of a distribution point (DP) that's used for PXE boot.
Symptoms
After you update the certificate of a DP that's used for PXE boot, the updated certificate doesn't seem to be used.
When you restart Windows Deployment Services (WDS) on the PXE-enabled DP, the following error entries are
logged in the SMSPXE.log file:
Begin validation of Certificate [Thumbprint <Old_Cert_Thumbprint>] issued to '<DP Server>'

Certificate [<Old_Cert_Thumbprint>] issued to '<DP_Server>' has expired.
Completed validation of Certificate [<Old_Cert_Thumbprint>] issued to '<DP Server>'
reply has no message header marker
Failed to send status message (80004005)
Unsuccessful in sending status message. 80004005.
PXE::MP_ReportStatus failed; 0x80070490
Certificate not valid.
A required cer tificate is not within its validity period when verifying against the current
system clock or the timestamp in the signed file. (Error : 800B0101; Source: Windows)
Failed to validate PXEClientKey certificate.
PXE Provider failed to read configuration parameters.
A required certificate is not within its validity period when verifying against the current system clock or the
timestamp in the signed file. (Error: 800B0101; Source: Windows)
NOTE
The certificate thumbprint in SMSPXE.log belongs to the previous certificate that has expired. To check a certificate
thumbprint, double-click the certificate, select the Details tab, and then check the value of the Thumbprint field.
Additionally, the following entry is not logged in the Distmgr.log file on the parent site server:
DP registry settings have been successfully updated on <DP_Server>
NOTE
This log entry would indicate that the new certificate is updated in the registry of the DP.
Instead, the following error entry is logged in Distmgr.log:

In this scenario, you observe the following conditions:

The certificate is updated on the General tab in the DP Proper ties dialog box.
The following entry is logged in the Hman.log file on the parent site server:
DP cert query: EXEC spUpdateDPCert N'<DP_Server>', N'<data>', 0x, <Cert_Info_Blob>
NOTE
This entry indicates that the spUpdateDPCer t SQL Server stored procedure has run to update the certificate in
the database.
The certificate is updated in the database.

In the Configuration Manager console, the new certificate is displayed under Administration >
Over view > Security > Cer tificates .
Cause
In most cases, this issue occurs if a PXE password is specified in the properties of the DP, and the parent site is
moved to another server or is recovered from a backup on a rebuilt server.
In this case, the machine keys have changed between the old instance of the site and the new instance of the
site. The machine keys from the original site are required to correctly decrypt the PXE password. Because the
machine keys from the original site are no longer available, the PXE password can't be decrypted and set. If a
PXE password is specified, the PXE password must be reset before the new certificate can be set in the registry of
the DP.
For more information, see Post-recovery tasks.
Resolution
1. Temporarily disable the PXE password on the affected DP.
In the DP Proper ties dialog box, select the PXE tab, and then clear the Require a password when
computers use PXE check box.
2. Verify that the certificate is updated. To do this, check whether the following entry is logged in Distmgr.log
DP registry settings have been successfully updated on <DP_Server>
3. Restart WDS on the DP, verify that the certificate thumbprint in SMSPXE.log belongs to the updated
certificate, and that no error entry is logged in SMSPXE.log.
4. Re-enable the PXE password on the DP.
In the DP Proper ties dialog box, select the PXE tab, select the Require a password when computers
use PXE check box, and then enter the password.
After you follow these steps, the new machine keys on the site server will be used to encrypt the PXE password,
and you won't see the following error entry in Distmgr.log:
PXE boot doesn't work because a self-signed
certificate isn't created
This article helps you fix an issue in which the Preboot Execution Environment (PXE) boot doesn't work in
Configuration Manager if a self-signed certificate isn't created.
Symptoms
When you try to start a computer through the PXE boot by using Configuration Manager, the PXE boot process
doesn't work.
When this problem occurs, the following error entry is logged in the SMSPXE log on the PXE-enabled
distribution point (DP) when you start Windows Deployment Services (WDS):
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was
provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE PXE::MP_GetList failed; 0x80092002
SMSPXE PXE::MP_ReportStatus failed; 0x80092002
SMSPXE PXE::CPolicyProvider::InitializePerformanceCounters failed; 0x80070002
SMSPXE PXE::MP_LookupDevice failed; 0x80092002
SMSPXE PXE Provider failed to initialize MP connection.
SMSPXE PXE::CPolicyProvider::InitializeMPConnection failed; 0x80092002
Additionally, the SMSPXE.log file includes the following error entries when you try to run a PXE boot:
SMSPXE PXE Provider failed to process message.
SMSPXE PXE Provider failed to process message.
If you try to fix the problem by re-creating the self-signed certificate in the properties of the DP by changing the
date or time of the self-signed certificate, the certificate isn't re-created.
NOTE
You can view certificates for the DP in the Configuration Manager console under Administration > Security >
Cer tificates .
When you re-create the self-signed certificate for a DP, the Star t Date value should be approximately the time
when the date and time values were changed for the certificate in the DP properties.
When this problem occurs, the CertMgr.log file includes the following error entries:
SMS_CERTIFICATE_MANAGER ~Found notification file C:\Program Files\Microsoft Configuration

Manager\inboxes\certmgr.box\5_<DP_FQDN>.CMN
SMS_CERTIFICATE_MANAGER Successfully made a network connection to \\<DP_FQDN>\ADMIN$.~
SMS_CERTIFICATE_MANAGER Successfully made a network connection to \\<DP_FQDN>\ADMIN$.~
SMS_CERTIFICATE_MANAGER Cannot get copy of security registry key on server (<DP_FQDN>)
(0x80070005)
SMS_CERTIFICATE_MANAGER Failed to get the copy of Security registry key on server <DP_FQDN>
(0x80070005)
SMS_CERTIFICATE_MANAGER Cancelling network connection to \\<DP_FQDN>\ADMIN$.
SMS_CERTIFICATE_MANAGER Cancelling network connection to \\<DP_FQDN>\ADMIN$.
Cause
This issue occurs if the IssuingCertificateList registry key is missing from the following registry subkey on
the DP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Security
NOTE
The registry key value could also be missing on the management point.
Resolution
To fix the issue, copy the IssuingCertificateList registry key value from the following registry subkey on the
management point:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Security
Then, copy this value to the same registry key on the DP. To do this, you can run the following command at an
elevated command prompt on the DP:
REG.exe ADD "HKLM\SOFTWARE\Microsoft\SMS\Security" /v IssuingCertificateList /t REG_MULTI_SZ /d

<Value_From_MP> /f
NOTE
In this command, replace <Value_From_MP> with the value that you got from the management point (without the angle
brackets).
If the registry key value is also missing on the management point, open SQL Server Management Studio on the
primary site, and then run the following query against the primary site database:
SELECT SD.SiteCode, SC.ComponentName, SCP.Name, SCP.Value1, SCP.Value2, SCP.Value3 FROM SC_Component SC

JOIN SC_SiteDefinition SD ON SD.SiteNumber = SC.SiteNumber
JOIN SC_Component_Property SCP ON SCP.ComponentID = SC.ID
WHERE SCP.Name = 'IssuingCertificateList'
IMPORTANT
The value in the Value1 column must be copied to the registry on both the DP and the management point.
Copy the value in the Value1 column, and then run the following command at an elevated command prompt
on both the DP and management point:
REG.exe ADD "HKLM\SOFTWARE\Microsoft\SMS\Security" /v IssuingCertificateList /t REG_MULTI_SZ /d
<Value_from_DB> /f
NOTE
In this command, replace <Value_from_DB> with the value that you copied from the primary site database (without the
angle brackets).
You may want to check the CertMgr.log file to see whether additional DPs are affected. If they are, run the
REG.exe command on the additional DPs.
Troubleshooting PXE boot issues in Configuration
Manager
This article helps administrators diagnose and resolve PXE boot failures in Configuration Manager.
IMPORTANT
For home users: This article is only intended for technical support agents and IT professionals. If you're looking for help
with a problem, please ask the Microsoft Community.
Original product version: Configuration Manager (current branch), Microsoft System Center 2012
Configuration Manager, Microsoft System Center 2012 R2 Configuration Manager
Introduction
For essential information about how PXE works, see the companion article Understand PXE boot in ConfigMgr.
Before you start to troubleshoot on the PXE Service Point, we recommend that you try the following solutions. If
solution 1 works for you, you don't need to go to solution 2. These solutions resolve most problems that affect
PXE boot.
Solution 1: Verify IP Helpers

IP Helpers aren't required if all of the following components are on the same subnet or VLAN:
The DHCP server
The client computer
The ConfigMgr server that's running Windows Deployment Services (WDS)
The PXE-enabled Distribution Point (DP)
IP Helpers must be configured on the routers if any of the components listed above are on separate subnets or
VLANs. It's usually the case in most environments.
This process varies and depends on the router hardware manufacturer. For a general overview of the process,
see Configuring Your Router to Forward Broadcasts. For more information about how to correctly configure IP
Helpers on your routers, contact the manufacturer of the router.
IP Helpers are necessary because the PXE request generated by the client computer is a broadcast that doesn't
travel outside the local subnet or VLAN. If the DHCP server or the WDS/PXE-enabled DP isn't on the same
subnet or VLAN as the client computer, they won't see or hear the PXE request broadcast from the client.
Therefore, the servers won't respond to the PXE request. To have the PXE request broadcast travel between
subnets or VLANs, the PXE request broadcast must be forwarded by the router to DHCP and WDS/PXE Service
Point servers so that they can correctly respond to the client's PXE request.
Using DHCP options isn't recommended
DHCP options can be problematic and might not work reliably or consistently. Also, using DHCP options to
control PXE requests in Configuration Manager is not suppor ted by Microsoft .
The recommended and supported method for PXE booting client computers on remote subnets is to use IP
Helpers.
For more information about DHCP options that aren't recommended or supported, see the following articles:
You want to PXE Boot? Don't use DHCP Options
Configure at least one distribution point to accept PXE requests
Verify that DHCP options 60, 66, and 67 aren't configured
IMPORTANT
Before you continue, it's imperative that you verify both the following conditions:
The routers have IP Helpers configured.
The DHCP server does not have DHCP Options 60, 66, or 67 configured.
If both these criteria aren't met, the PXE Service Point will experience problems. When you check DHCP options,
make sure that you check the options at both the server and scope levels.
In certain instances, configuring DHCP options 60, 66, and 67 may make the PXE boot process appear to
proceed further along than it did before these options were configured. However, in most cases, the process is
actually proceeding along an incorrect path.
IMPORTANT
The only exception in which a DHCP option must be used is if DHCP and WDS reside on the same server. In this situation,
only DHCP Option 60 has to be set. DHCP Options 66 and 67 should still not be set in this scenario. For more
information, see Advanced troubleshooting for PXE boot issues in Configuration Manager.
Solution 2: Reinstall PXE (use only if Solution 1 didn't resolve the

issue)
In many cases, errors that occur during installation or configuration are the cause of PXE boot issues. They can
be difficult and time-consuming to pinpoint. In many cases, reinstalling PXE and starting over can be the most
effective and least time-consuming solution. To do it, follow these steps:
1. On the DP, clear the Enable PXE checkbox. When you're prompted to remove the Windows Deployment
service, select Yes .
2. Verify that PXE was uninstalled. Use Distmgr.log for DPs on site servers. Use Smsdpprov.log for a
standalone DP.
IMPORTANT
Do not proceed until you verify that PXE is fully uninstalled.
3. In Server Manager, verify that WDS is uninstalled. If WDS is uninstalled, there should be a pending
restart.
4. Restart the server.
5. Locate and delete the RemoteInstall folder.
6. Change the date on the self-signed certificate in the properties of PXE DP. Wait for the new certificate to
be created. It isn't applicable if the DP is HTTPS.
7. Add the PXE point again by selecting the check box in DP properties. Monitor through Distrmgr.log if the
DP is on the site server. Or monitor through Smsdpprov.log for a standalone DP. Verify that the DP was
installed.
8. Verify that a new RemoteInstall folder was created.
9. Verify that at least one x64 boot image and one x86 boot image is distributed to the DP. For each boot
image that's distributed to the PXE DP and that will be used for PXE boot, make sure that the PXE option is
enabled for each boot image. BIOS PCs or UEFI PCs in Legacy mode require an x86 boot image even if all
PCs in the environment are x64.
10. Verify that the WDS service was started.
11. Navigate to the RemoteInstall folder, and verify the following SMS folders were created:
SMSBoot
SMSImages
SMSTemp
SMSTEmpBootFiles
12. Navigate to the SMSImages folder, and verify that all the boot images that were distributed to the PXE DP
are listed here. Boot images are listed by Package ID.
13. Navigate to the SMSBoot folder, and verify that both the x86 and x64 folders are populated with files.
14. Try a PXE boot.
Need more help

For more help with troubleshooting PXE boot issues, see Advanced troubleshooting for PXE boot issues in
For more help to resolve this issue, see our TechNet support forum or contact Microsoft Support.
products.
Understand PXE boot in Configuration Manager
This article describes basic processes of Preboot Execution Environment (PXE) boot in Configuration Manager,
how they work, and how they interoperate with each other.
Introduction
Preboot Execution Environment (PXE) boot in System Center 2012 Configuration Manager (ConfigMgr 2012 or
ConfigMgr 2012 R2) and later versions enables administrators to easily access the Windows Preinstallation
Environment (WinPE) across the network via PXE. PXE is an industry standard created by Intel that provides pre-
boot services within the devices firmware that enables devices to download network boot programs to client
computers.
Configuration Manager relies on the Windows Deployment Services (WDS) server role via the WDS PXE
provider. In ConfigMgr 2012 and later versions, the SMS PXE provider (SMSPXE) registers with the WDS service
and supplies the logic for the PXE client requests.
Before troubleshooting PXE-related problems in Configuration Manager, it's important to understand the basic
processes involved, how they work and how they interoperate with each other.
In all instances in this document, we are using System Center 2012 Configuration Manager R2 Cumulative
Update 2 (ConfigMgr 2012 R2 CU2) and a remote site system installed on Windows Server 2012 with the
Distribution Point (DP) role installed.
PXE service point installation

We will first look at the processes involved in the installation of the SMSPXE provider.
Installation is initiated by selecting the Enable PXE suppor t for clients option on the PXE tab in Distribution
point proper ties . When PXE support is enabled, an instance of SMS_SCI_SysResUse class is created.
SMSProv.log
PutInstanceAsync SMS_SCI_SysResUseSMS Provider04/09/2014 11:30:131552 (0x0610)
CExtProviderClassObject::DoPutInstanceInstanceSMS Provider04/09/2014 11:30:131552 (0x0610)
INFO: 'RemoteDp.contoso.com' is a valid FQDN.SMS Provider04/09/2014 11:30:131552 (0x0610)
In the WMI namespace Root\SMS\Site_RR2 (where RR2 is the site code of the site), the SMS_SCI_SYSResUse class
contains all the site systems roles on the primary site server. You can run the following query in WBEMTEST to
identify all the DPs on that site server:
SELECT * FROM SMS_SCI_SysResUse WHERE rolename like 'SMS Distribution Point'
Changing the properties of these roles via the SDK will alter the site control file and configure the DP. The IsPXE
property name is a member of the props property and is set to 1 when the DP is PXE enabled.
The SMS Database Monitor component detects the change to the DPNotificaiton and DistributionPoints
tables and drops files in distmgr.box:
Smsdbmon.log
RCV:UPDATE on SiteControl for SiteControl_AddUpd_HMAN [RR2 ][19604]
RCV: UPDATE on SiteControl for SiteControl_AddUpd_SiteCtrl [RR2 ][19605]
SND: Dropped C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\RR2.SCU [19604]
SND: Dropped C:\Program Files\Microsoft Configuration Manager\inboxes\sitectrl.box\RR2.CT0 [19605]
RCV: UPDATE on Sites for Sites_Interop_Update_HMAN [RR2 ][19606]
SND: Dropped C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\RR2.ITC [19606]
RCV: UPDATE on DistributionPoints for DP_Properties_Upd [15 ][19607]
RCV: INSERT on PkgNotification for PkgNotify_Add [RR200002 ][19608]
RCV: INSERT on PkgNotification for PkgNotify_Add [RR200003 ][19609]
RCV: INSERT on DPNotification for DPNotify_ADD [15 ][19610]
RCV: UPDATE on SiteControlNotification for SiteCtrlNot_Add_DDM [RR2 ][19611]
SND: Dropped C:\Program Files\Microsoft Configuration Manager\inboxes\distmgr.box\15.NOT [19607]
SND: Dropped C:\Program Files\Microsoft Configuration Manager\inboxes\distmgr.box\RR200002.PKN [19608]
SND: Dropped C:\Program Files\Microsoft Configuration Manager\inboxes\distmgr.box\RR200003.PKN [19609]
SND: Dropped C:\Program Files\Microsoft Configuration Manager\inboxes\distmgr.box\15.DPN [19610]
Site Control Notification.
The Distribution Manager component on the primary site server then initiates the configuration of the remote
DP:
ConfigureDPSMS_DISTRIBUTION_MANAGER04/09/2014 11:30:263776 (0x0EC0)

IISPortsList in the SCF is "80".SMS_DISTRIBUTION_MANAGER04/09/2014 11:30:263776 (0x0EC0)
ISSSLPortsList in the SCF is "443".SMS_DISTRIBUTION_MANAGER04/09/2014 11:30:263776 (0x0EC0)
IISWebSiteName in the SCF is "".SMS_DISTRIBUTION_MANAGER04/09/2014 11:30:263776 (0x0EC0)
IISSSLState in the SCF is 448.SMS_DISTRIBUTION_MANAGER04/09/2014 11:30:263776 (0x0EC0)
DP registry settings have been successfully updated on RemoteDp.contoso.com
SMS_DISTRIBUTION_MANAGER04/09/2014 11:30:263776 (0x0EC0)
ConfigurePXESMS_DISTRIBUTION_MANAGER04/09/2014 11:30:263776 (0x0EC0)
In the SMS DP Provider log on the remote DP, we can see the following information about the PXE installation,
where initially the PxeInstalled registry key isn't found:
Smsdpprov.log
[66C][Thu 09/04/2014 11:30:28]:CcmInstallPXE
[66C][Thu 09/04/2014 11:30:28]:RegQueryValueExW failed for Software\Microsoft\SMS\DP, PxeInstalled
[66C][Thu 09/04/2014 11:30:28]:RegReadDWord failed; 0x80070002
The Visual C++ Redistributable is installed:
Smsdpprov.log
[66C][Thu 09/04/2014 11:30:28]:Running: C:\SMS_DP$\sms\bin\vcredist_x64.exe /q /log
[66C][Thu 09/04/2014 11:30:28]:Waiting for the completion of: C:\SMS_DP$\sms\bin\vcredist_x64.exe /q /log
[66C][Thu 09/04/2014 11:30:39]:Run completed for: C:\SMS_DP$\sms\bin\vcredist_x64.exe /q /log
WDS is installed:
Smsdpprov.log
[66C][Thu 09/04/2014 11:30:39]:Created the DP mutex key for WDS.
[66C][Thu 09/04/2014 11:30:39]:Failed to open WDS service.
[66C][Thu 09/04/2014 11:30:39]:WDS is NOT INSTALLED
[66C][Thu 09/04/2014 11:30:39]:Installing WDS.
[66C][Thu 09/04/2014 11:30:39]:Running: ServerManagerCmd.exe -i WDS -a
[66C][Thu 09/04/2014 11:30:39]:Failed (2) to run: ServerManagerCmd.exe -i WDS -a
[66C][Thu 09/04/2014 11:30:39]:Running: PowerShell.exe -Command Import-Module ServerManager; Get-
[66C][Thu 09/04/2014 11:30:39]:Waiting for the completion of: PowerShell.exe -Command Import-Module
ServerManager; Get-WindowsFeature WDS; Add-WindowsFeature WDS
[66C][Thu 09/04/2014 11:31:35]:Run completed for: PowerShell.exe -Command Import-Module ServerManager; Get-
[66C][Thu 09/04/2014 11:31:35]:Successfully installed WDS.
TFTP read filters are configured:
Smsdpprov.log
[66C][Thu 09/04/2014 11:31:35]:Setting TFTP config key as:
System\CurrentControlSet\Services\WDSSERVER\Providers\WDSTFTP
[66C][Thu 09/04/2014 11:31:35]:Configuring TFTP read filters
[66C][Thu 09/04/2014 11:31:35]:SetupComplete is set to 0
The REMINST share is created and WDS is configured:
Smsdpprov.log
[66C][Thu 09/04/2014 11:31:35]:RegQueryValueExW failed for Software\Microsoft\Windows\CurrentVersion\Setup,
REMINST
[66C][Thu 09/04/2014 11:31:35]:RegReadDWord failed; 0x80070002
[66C][Thu 09/04/2014 11:31:35]:REMINST not set in WDS
[66C][Thu 09/04/2014 11:31:35]:WDS is NOT Configured
[66C][Thu 09/04/2014 11:31:35]:Share (REMINST) does not exist. (NetNameNotFound) (0x00000906)
[66C][Thu 09/04/2014 11:31:35]:GetFileSharePath failed; 0x80070906
[66C][Thu 09/04/2014 11:31:35]:REMINST share does not exist. Need to create it.
[66C][Thu 09/04/2014 11:31:35]:Enumerating drives A through Z for the NTFS drive with the most free space.
[66C][Thu 09/04/2014 11:31:37]:Drive 'C:\' is the best drive for the SMS installation directory.
[66C][Thu 09/04/2014 11:31:37]:Creating REMINST share to point to: C:\RemoteInstall
[66C][Thu 09/04/2014 11:31:37]:Succesfully created share REMINST
[66C][Thu 09/04/2014 11:31:37]:Removing existing PXE related directories
[66C][Thu 09/04/2014 11:31:37]:Registering WDS provider: SourceDir: C:\SMS_DP$\sms\bin
[66C][Thu 09/04/2014 11:31:37]:Registering WDS provider: ProviderPath: C:\SMS_DP$\sms\bin\smspxe.dll
[66C][Thu 09/04/2014 11:31:37]:DoPxeProviderRegister
[66C][Thu 09/04/2014 11:31:37]:PxeLoadWdsPxe
[66C][Thu 09/04/2014 11:31:37]:Loading wdspxe.dll from C:\Windows\system32\wdspxe.dll
[66C][Thu 09/04/2014 11:31:37]:wdspxe.dll is loaded
[66C][Thu 09/04/2014 11:31:37]:PxeProviderRegister has suceeded (0x00000000)
[66C][Thu 09/04/2014 11:31:37]:Disabling WDS/RIS functionality
[66C][Thu 09/04/2014 11:31:39]:WDSServer status is 1
[66C][Thu 09/04/2014 11:31:39]:WDSServer is NOT STARTED
[66C][Thu 09/04/2014 11:31:39]:Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
[66C][Thu 09/04/2014 11:31:39]:Waiting for the completion of: WDSUTIL.exe /Initialize-Server
/REMINST:"C:\RemoteInstall"
[66C][Thu 09/04/2014 11:31:50]:Run completed for: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
[66C][Thu 09/04/2014 11:31:50]:CcmInstallPXE: Deleting the DP mutex key for WDS.
[66C][Thu 09/04/2014 11:31:50]:Installed PXE
[66C][Thu 09/04/2014 11:32:03]:CcmInstallPXE
[66C][Thu 09/04/2014 11:32:03]:PXE provider is already installed.
[66C][Thu 09/04/2014 11:32:03]:Installed PXE
On the remote DP, we can now see the following values added in HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\DP :
NOTE
PxeInstalled and IsPXE are set to 1 .
If we look at the remote DP's file system, there is a new login C:\SMS_DP$\sms\logs :
SMSPXE.log
Machine is running Windows Longhorn. (NTVersion=0X602, ServicePack=0)
Cannot read the registry value of MACIgnoreListFile (00000000)
MAC Ignore List Filename in registry is empty
Begin validation of Certificate [Thumbprint B64B9DAF9BFB76A99DC050C21E33B3489643D111] issued to 'e728f6ce-
29a6-4ac3-974e-ba3dc855d9a4'
Completed validation of Certificate [Thumbprint B64B9DAF9BFB76A99DC050C21E33B3489643D111] issued to
'e728f6ce-29a6-4ac3-974e-ba3dc855d9a4'
The Distribution Point should now be PXE-enabled and ready to accept incoming requests.
Add boot images to a PXE-enabled DP

Whenever a new PXE-enabled distribution point is configured, there are additional steps that need to be
completed to enable full functionality. One of these is that you must distribute the x86 and x64 boot images to
the new PXE-enabled DP.
To do this, navigate to Software Librar y > Operating Systems > Boot Images > Boot Image (x86) , and
then right-click and select Distribute Content > Add the Boot Image to the PXE enabled DP . Repeat this
process for Boot Image (x64) .
Once this is done, Distribution Manager will start processing the request and initiate the distribution to the
remote DP:
DistMgr.log
Found notification for package 'RR200004'Used 0 out of 30 allowed processing threads.
Starting package processing thread, thread ID = 0x152C (5420)
Start adding package to server ["Display=\\RemoteDp.contoso.com\"]MSWNET:
["SMS_SITE=RR2"]\\RemoteDp.contoso.com\...
Attempting to add or update a package on a distribution point.
Successfully made a network connection to \\RemoteDp.contoso.com\ADMIN$.
CreateSignatureShare, connecting to DP
Signature share exists on distribution point path \\RemoteDp.contoso.com\SMSSIG$
Share SMSPKGC$ exists on distribution point \\RemoteDp.contoso.com\SMSPKGC$
Checking configuration of IIS virtual directories on DP ["Display=\\RemoteDp.contoso.com\"]MSWNET:
["SMS_SITE=RR2"]\\RemoteDp.contoso.com\
Creating, reading or updating IIS registry key for a distribution point.
Virtual Directory SMS_DP_SMSSIG$ for the physical path C:\SMSSIG$ already exists.
Created package transfer job to send package RR200004 to distribution point
["Display=\\RemoteDp.contoso.com\"]MSWNET:["SMS_SITE=RR2"]\\RemoteDp.contoso.com\.
StoredPkgVersion (9) of package RR200004. StoredPkgVersion in database is 9.
SourceVersion (9) of package RR200004. SourceVersion in database is 9.
Package Transfer Manager (the DP is remote) then initiates sending of the content:
PkgXferMgr.log
DeleteJobNotificationFiles deleted 1 *.PKN file(s) this cycle.
Found send request with ID: 105, Package: RR200004, Version:9, Priority: 2, Destination:
REMOTEDP.CONTOSO.COM, DPPriority: 200
Created sending thread (Thread ID = 0x1140)
Sending thread starting for Job: 105, package: RR200004, Version: 9, Priority: 2, server:
REMOTEDP.CONTOSO.COM, DPPriority: 200
Sending legacy content RR200004.9 for package RR200004
Finished sending SWD package RR200004 version 9 to distribution point REMOTEDP.CONTOSO.COM
Sent status to the distribution manager for pkg RR200004, version 9, status 3 and distribution point
["Display=\\RemoteDp.contoso.com\"]MSWNET:["SMS_SITE=RR2"]\\RemoteDp.contoso.com\
StateTable::CState::Handle - (8210:1 2014-09-10 13:19:12.087+00:00) >> (8203:3 2013-11-26
15:43:48.108+00:00)
Successfully send state change notification 7F6041B0-3EE2-427F-AB72-B89610A6331C
Sending thread complete
SMS Distribution Point Provider then deploys the WIM to the remote install directory:
Smsdpprov.log
[468][Wed 09/10/2014 14:09:59]:A DP usage gathering task has been registered successfully
[99C][Wed 09/10/2014 14:19:07]:Content 'RR200004.9' for package 'RR200004' has been added to content library
successfully
[99C][Wed 09/10/2014 14:19:07]:Expanding
C:\SCCMContentLib\FileLib\E8A1\E8A136A1348B4CFE97334D0F65934845F2B4675D0B7D925AB830378F4ECF39B9 from package
RR200004
[99C][Wed 09/10/2014 14:19:07]:Finding Wimgapi.Dll
[99C][Wed 09/10/2014 14:19:07]:Found C:\Windows\system32\wimgapi.dll
[99C][Wed 09/10/2014 14:19:07]:Expanding RR200004 to C:\RemoteInstall\SMSImages
SMSPXE discovers the new image:
SMSPXE.log
Found new image RR200004
PXE::CBootImageManager::QueryWIMInfo
Loaded C:\Windows\system32\wimgapi.dll
Opening image file C:\RemoteInstall\SMSImages\RR200004\boot.RR200004.wim
Found Image file: C:\RemoteInstall\SMSImages\RR200004\boot.RR200004.wim
PackageID: RR200004
ProductName: Microsoft® Windows® Operating System
Architecture: 0
Description: Microsoft Windows PE (x86)
Version:
Creator:
SystemDir: WINDOWS
Closing image file C:\RemoteInstall\SMSImages\RR200004\boot.RR200004.wim
PXE::CBootImageManager::InstallBootFilesForImage
Temporary path to copy extract files from: C:\RemoteInstall\SMSTempBootFiles\RR200004.
Make sure that these boot images are configured to deploy from the PXE-enabled DP. Right-click the boot image
and select Proper ties > Data Source , and then select Deploy this boot image from the PXE-enabled
distribution point .
The PXE boot process

The example boot process described here involves three machines: The DHCP server, the PXE-enabled DP, and
the client (an x64 BIOS computer). All are located on the same subnet.
NOTE
You must make sure that the DHCP (67 and 68), TFTP (69) and BINL (4011) ports are open between the client computer,
the DHCP server and the PXE enabled DP.
In the PXE boot process, the client must first acquire TCP/IP parameters and the location of the TFTP boot server.
Once a device is powered on and completes the POST, it begins the PXE boot process (prompted via the boot
selection menu).
1. The first thing the PXE firmware does is sending a DHCPDISCOVER (a UDP packet) broadcast to get
TCP/IP details. This includes a list of parameter requests, and below is a sample network trace with the
parameter list from a DHCPDISCOVER packet:
The PXE client then identifies the vendor and machine-specific information so that it can request the
location and file name of the appropriate boot image file.
2. The DHCP server and the PXE-enabled DP then send a DHCPOFFER to the client containing all of the
relevant TCP/IP parameters.
In the example DHCP offer below, it doesn't contain the server name or boot file information because this
is the offer from the DHCP server rather than the PXE enabled DP.
3. The client then replies with a DHCPREQUEST once it has selected a DHCPOFFER . This contains the IP
address from the offer that was selected.
4. The DHCP server responds to the DHCPREQUEST with a DHCPACK that contains the same details as
the DHCPOFFER . The server host name and the boot file name are not provided here:
5. At this point, we still don't have the boot file information, however now the client has an IP address. Next,
the PXE client sends a new DHCPREQUEST to the PXE-enabled DP after receiving a DHCPOFFER from
the earlier DHCPDISCOVER broadcast.
6. The PXE-enabled DP sends a DHCPACK that contains the BootFileName location and the WDS network
boot program (NBP).
Downloading the boot files
1. After the DHCP conversation completes, the client will start the TFTP session with a read request:
The server responds with the tsize and then the blksize. The client will then transfer the file from the
server.
NOTE
The size of these blocks is the blksize, and in this case it's set to 1456 bytes. The blksize is configurable on
Windows Server 2008 and later versions. See Operating system deployment over a network by using WDS fails in
Windows Server 2008 and in Windows Server 2008 R2.
Here we can see the end of the DHCP conversation and the start of the TFTP transfer:
When the WDS network boot program (NBP) has been transferred to the client computer, it will be
executed. In our example, it starts by downloading wdsnbp.com . The NBP dictates whether the client can
boot from the network, whether the client must press F12 to initiate the boot and which boot image the
client will receive.
NBPs are both architecture and firmware specific (BIOS or UEFI). On BIOS computers, the NBP is a 16-bit
real-mode application, therefore it's possible to use the same NBP for both x86-based and x64-based
operating systems.
In our case (an x64 BIOS machine), the NBP is located in the following directory on the PXE enabled DP:
\\remotedp\c$\RemoteInstall\SMSBoot\x64
The files perform the following functions:

PXEboot.com - x86 and x64 BIOS: Requires the end user to press F12 for PXE boot to continue (this
is the default NBP).
PXEboot.n12 - x86 and x64 BIOS: Immediately begins PXE boot (doesn't require pressing F12 on
the client).
AbortPXE.com - x86 and x64 BIOS: Allows the device to immediately begin booting by using the
next boot device specified in the BIOS. This allows for devices that should not be booting using PXE
to immediately begin their secondary boot process without waiting for a timeout.
Bootmgfw.efi - x64 UEFI and IA64 UEFI: The EFI version of PXEboot.com or PXEboot.n12 (in EFI, the
choice of whether or not to PXE boot is handled within the EFI shell and not by the NBP).
Bootmgfw.efi is the equivalent of combining the functionality of PXEboot.com , PXEboot.n12 ,
abortpxe.com and bootmgr.exe .
wdsnbp.com - x86 and x64 BIOS: A special NBP developed for use by Windows Deployment
Services that serves the following general purposes:
Architecture detection
Pending devices scenarios
Wdsmgfw.efi - x64 UEFI and IA64 UEFI: A special NBP developed for use by Windows Deployment
Services that serves the following general purposes:
Handles prompting the user to press a key to continue PXE boot
Pending devices scenarios
2. The NBP downloads the operating system loader and the boot files via TFTP, which include the following:
smsboot\x64\pxeboot.com
smsboot\x64\bootmgr.exe
\SMSBoot\Fonts\wgl4_boot.ttf
\SMSBoot\boot.sdi
\SMSImages\RR200004\boot.RR200004.wim
3. A RAMDISK is created using these files and the WinPE WIM file in memory.
4. The client boots from the RAMDISK.
WinPE boot
Once WinPE has booted, the TS boot shell is initiated from the SMS folder that's included in the WinPE image
(this folder is injected into the boot WIM when it's imported into Configuration Manager). You can see this
process logged in SMSTS.log that's located under X:\Windows\Temp\SMSTS\ .
TIP
To access this login WinPE, enable the command prompt on the boot image. To do this, right-click Boot Image >
Proper ties > Customization , and then check Enable command suppor t (testing only) . You can then access the
command prompt by pressing F8 in WinPE.
Here is the initial TS boot shell process:
SMSTS.log
========================[ TSBootShell.exe ]========================
Succeeded loading resource DLL 'X:\sms\bin\i386\1033\TSRES.DLL'
Debug shell is enabled
Waiting for PNP initialization...
RAM Disk Boot Path: NET(0)\SMSIMAGES\RR200004\BOOT.RR200004.WIM
Booted from network (PXE)
Network(PXE) path: X:\sms\data\
Found config path X:\sms\data\
This is not a fixed non usb disk
Booting from removable media, not restoring bootloaders on hard drive
X:\sms\data\WinPE does not exist.
X:\_SmsTsWinPE\WinPE does not exist.
Executing command line: wpeinit.exe -winpe
The command completed successfully.
Starting DNS client service.
Executing command line: X:\sms\bin\i386\TsmBootstrap.exe /env:WinPE /configpath:X:\sms\data\
The command completed successfully.
Followed by the Task Sequence Manager boot strap:
SMSTS.log
========================[ TSMBootStrap.exe ]========================
Command line: X:\sms\bin\i386\TsmBootstrap.exe /env:WinPE /configpath:X:\sms\data\
Succeeded loading resource DLL 'X:\sms\bin\i386\1033\TSRES.DLL'
Succeeded loading resource DLL 'X:\sms\bin\i386\TSRESNLC.DLL'
Current OS version is 6.2.9200.0
Adding SMS bin folder "X:\sms\bin\i386" to the system environment PATH
PXE Boot with Root = X:\
Executing from PXE in WinPE
Loading TsPxe.dll from X:\sms\bin\i386\TsPxe.dll
Once TSPXE is loaded, it downloads the TS variables using TFTP:

SMSTS.log
TsPxe.dll loaded
Device has PXE booted
Variable Path: \SMSTemp\2014.09.05.18.20.31.0001.{0C616323-A027-41B0-A215-057AF4F1E361}.boot.var
Succesfully added firewall rule for Tftp
Executing: X:\sms\bin\i386\smstftp.exe -i 10.238.0.2 get \SMSTemp\2014.09.05.18.20.31.0001.{0C616323-A027-
41B0-A215-057AF4F1E361}.boot.var X:\sms\data\variables.dat
Executing command line: "X:\sms\bin\i386\smstftp.exe" -i 10.238.0.2 get \SMSTemp\2014.09.05.18.20.31.0001.
{0C616323-A027-41B0-A215-057AF4F1E361}.boot.var X:\sms\data\variables.dat
Process completed with exit code 0
Succesfully removed firewall rule for Tftp
Successfully downloaded pxe variable file.
Loading Media Variables from "X:\sms\data\variables.dat"

Found network adapter "Intel 21140-Based PCI Fast Ethernet Adapter (Emulated)" with IP Address 10.238.0.3.
Loading variables from the Task Sequencing Removable Media.
Succeeded loading resource DLL "X:\sms\bin\i386\1033\TSRES.DLL"
Setting SMSTSMP TS environment variable

Setting _SMSMediaGuid TS environment variable
Setting _SMSTSBootMediaPackageID TS environment variable
Setting _SMSTSHTTPPort TS environment variable
Setting _SMSTSHTTPSPort TS environment variable
Setting _SMSTSIISSSLState TS environment variable
Setting _SMSTSLaunchMode TS environment variable
Setting _SMSTSMediaPFX TS environment variable
Setting _SMSTSPublicRootKey TS environment variable
Setting _SMSTSRootCACerts TS environment variable
Setting _SMSTSSiteCode TS environment variable
Setting _SMSTSSiteSigningCertificate TS environment variable
Setting _SMSTSUseFirstCert TS environment variable
Setting _SMSTSx64UnknownMachineGUID TS environment variable
Setting _SMSTSx86UnknownMachineGUID TS environment variable
At this point, TSPXE locates the Management Point (MP) and downloads policy before presenting the user
interface for the user to select the optional Task Sequence:
SMSTS.log
site=RR2, MP=<http://ConfigMgrR2.CONTOSO.COM>, ports: http=80,https=443
certificates are received from MP.
CLibSMSMessageWinHttpTransport::Send: URL: ConfigMgrR2.CONTOSO.COM:80 CCM_POST /ccm_system/request
Request was successful.
Downloading policy from <http://ConfigMgrR2.CONTOSO.COM>.
Retrieving Policy Assignments:
Processing Policy Assignment {7898f153-a6de-43e9-98c3-ca5cc61483b0}.
Processing Policy Assignment {fba19677-0e9b-490d-b601-07e247979bd4}.
Processing Policy Assignment {6306ca4c-e7ed-4cf5-8419-af9b1695a909}.
Processing Policy Assignment {05a027ff-e9cf-4fa1-8bd8-4565481061e2}.
Processing Policy Assignment {b3c991f6-9f83-43c3-875c-f60c4492d278}.
...
Successfully read 152 policy assignments.
Lastly, the collection and machine variables are downloaded and the Welcome Page is activated:
SMSTS.log
Retrieving collection variable policy.
Found 0 collection variables.
Retrieving machine variable policy.
Downloading policy body {01000053}-{RR2}.
Response ID: {01000053}-{RR2}
Reading Policy Body.
Parsing Policy Body.
Found 0 machine variables.
Setting collection variables in the task sequencing environment.
Setting machine variables in the task sequencing environment.
Running Wizard in Interactive mode
Activating Welcome Page.
Loading bitmap
More Information
For more information about troubleshooting PXE boot issues, see the following articles:
Troubleshooting PXE boot issues
Advanced troubleshooting for PXE boot issues in Configuration Manager.
Configuration Manager PXE boot causes Windows
Deployment Services to crash
This article provides workarounds to solve the Windows Deployment Services (WDS) crash that is caused by
Pre-Boot Execution Environment (PXE) boot in a Configuration Manager environment.
Symptoms
You use a Pre-Boot Execution Environment (PXE) distribution point to perform PXE boots. In this situation, the
operation first appears to work successfully, but then the process stops running. When you examine the server
on which the PXE distribution point and WDS are installed, you discover that WDS has crashed.
Restarting WDS on the server doesn't resolve the issue. When you restart both the Windows Management
Instrumentation and WDS, or when you restart the server itself, it may temporarily resolve the problem.
However, the issue eventually recurs, and WDS crashes again.
If you try to reproduce the issue by continuing to perform PXE boots, you discover that although the issue may
occur frequently, it cannot be reproduced on a consistent basis. The crash behavior occurs randomly.
Cause
This issue may occur in environments where there are redundant backup routers. If IP Helpers for PXE (DHCP
relays) are positioned on both the primary and backup routers, it may cause a situation where two duplicate PXE
request packets are sent to WDS: the original PXE request by the primary router and a duplicate PXE request by
the backup, redundant router.
If the timing is just right, the duplicate PXE request may overwrite some of the information in WDS from the
original PXE request. This issue causes information in WDS for the PXE request to become corrupted, and then
WDS crashes.
Workaround
To work around the issue, use one of these methods:
Disable the PXE IP Helpers in the backup, redundant router so that duplicate PXE requests are not sent.
For more information about PXE IP Helpers, see Configuring your router to forward broadcasts.
Configure the Configuration Manager WDS provider to be single-threaded instead of multithreaded. This
configuration will limit WDS processing of PXE requests to one at a time and will prevent the second,
duplicate PXE request from conflicting with the original request. To configure the Configuration Manager
WDS provider for single-threading, create the NumberOfThreads registry key with a DWORD value of 1 in
the following location:
Configuration Manager 2012 DP/WDS server: HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\DP
Doing this configuration does not typically affect server performance for PXE requests except in
environments where a large number of PXE requests are performed on a consistent basis. In these
environments, we recommend that you use the first workaround.
WDS doesn't start on a PXE enabled remote
distribution point in Configuration Manager
This article fixes an issue in which Windows Deployment Services (WDS) doesn't start on a PXE enabled remote
distribution point in Configuration Manager.
Symptoms
After enabling the PXE feature of a remote Configuration Manager distribution point (DP), Windows Deployment
Services (WDS) and PXE install correctly, however WDS never starts. Attempting to manually start WDS via the
Services console results in the following error message:
Windows could not start the Windows Deployment Services Server on Local Computer. For more
information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, or
refer to service-specific error code -1056505588.
Looking at the Application System event log on a 64-bit server reveals the following error messages:

Source: SideBySide
Date: <Date><Time>
Event ID: 33
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: <Remote_DP_Server>
Description:
Activation context generation failed for "C:\SMS_DP$\sms\bin\smspxe.dll". Dependent Assembly
Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",v
ersion="9.0.30729.4148" could not be found. Please use sxstrace.exe for detailed diagnosis.

Source: WDSPXE
Date: <Date><Time>
Event ID: 259
Task Category: WDSPXE
Level: Error
Keywords: Classic
User: N/A
Description:
An error occurred while trying to load the module from C:\SMS_DP$\sms\bin\smspxe.dll for provider
SMSPXE. If the provider is marked as critical, the Windows Deployment Services server will be shutdown.
Source: WDSPXE
Date: <Date><Time>
Event ID: 264
Level: Error
Keywords: Classic
User: N/A
Description:
An error occurred while trying to initialize provider SMSPXE. Since the provider isn't marked as critical, the
Windows Deployment Services server will remain started.
Error Information: 0x36B1

Source: WDSPXE
Date: <Date><Time>
Event ID: 268
Level: Error
Keywords: Classic
User: N/A
Description:
All registered providers failed to initialize. Please review the Event Log for specific error messages for each
provider. Windows Deployment Server will be shutdown.

Source: WDSServer
Date: <Date><Time>
Event ID: 513
Task Category: WDSServer
Level: Error
Keywords: Classic
User: N/A
Description:
An error occurred while trying to initialize provider WDSPXE from C:\Windows\system32\wdspxe.dll.
Windows Deployment Services server will be shutdown.
Error Information: 0xC107010C

Source: WDSServer
Date: <Date><Time>
Event ID: 257
Task Category: WDSServer
Level: Error
Keywords: Classic
User: N/A
Description:
An error occurred while trying to start the Windows Deployment Services server.
Error Information: 0xC107010C
Cause
This issue can occur when a dependent component, Microsoft.VC90.CRT , is not available. This component is
normally available via a DLL installed by Microsoft Visual C++ 2008 Redistributable. Microsoft Visual C++ 2008
Redistributable is normally installed during the Configuration Manager client install via the install file
vcredist_x86.exe or vcredist_x64.exe . If the Configuration Manager client has not been installed on the
server hosting the PXE enabled remote DP, the Microsoft Visual C++ 2008 Redistributable will also not have
been installed and Microsoft.VC90.CRT will not be available.
NOTE
Microsoft Visual C++ 2008 Redistributable is a common install for many different software install packages. It may be
installed on the server even if the Configuration Manager client is not installed on the server.
Resolution
To resolve the problem, install the Configuration Manager client on the server hosting the PXE enabled remote
DP.
If the PXE enabled remote DP server is not going to also be a Configuration Manager client and therefore the
Configuration Manager client install is not desired, Microsoft Visual C++ 2008 Redistributable can be installed
separately on the server by manually running either vcredist_x86.exe (32-bit Windows) or vcredist_x64.exe
(64-bit Windows) from the Configuration Manager client install files. These install files can be found in the client
install directory on the parent primary site server under the following paths:
vcredist_x86.exe: <Configuration Manager_2012_Install_Directory>\Client\i386
vcredist_x64.exe: <Configuration Manager_2012_Install_Directory>\Client\x64
Once the Microsoft Visual C++ 2008 Redistributable has been installed via the Configuration Manager client
install or a manual install, manually start WDS via the Services console. WDS should subsequently be able to
start automatically.
A client computer can steal the Configuration
Manager GUID of an Unknown Computer object
during imaging
This article provides the information to solve the issue that the Configuration Manager Unique Identifier (GUID)
of an Unknown Computer object is taken by a client computer that's being imaged.
Symptoms
Configuration Manager current branch version 1702 included a new feature that lets you use the Previous
button to retry a failed task sequence in the Task Sequence Wizard when it runs on Microsoft Windows
Preinstallation Environment (Windows PE).
For more information about this feature, see Return to previous page when a task sequence fails.
This feature introduced the following issue:
When the Previous button is selected, the client PC that's being imaged can steal the Configuration Manager
Unique Identifier (GUID) of the Unknown Computer object that's being used (either the x64 Unknown
Computer or the x86 Unknown Computer ).
This issue was fixed in Update rollup for Configuration Manager current branch, version 1702.
This issue is also fixed in all subsequent versions of Configuration Manager current branch.
However, starting in Configuration Manager current branch version 1702, unknown computers that are started
from media or preboot execution environment (PXE) may not find task sequences that are targeted to them. In
this scenario, the following error message is logged in the SMSTS.log:
There are no task sequences available to this computer. Please ensure you have at least one task sequence
advertised to this computer.
Unspecified error (Error: 80004005; Source: Windows)
This issue may occur if the Previous button on the Select a task sequence to run page is selected on the
unknown computer.
This issue is also fixed in all subsequent versions of Configuration Manager current branch.
Despite applying the update rollup in Configuration Manager current branch version 1702 or upgrading to a
later version of Configuration Manager, the issue still occurs.
Cause
This issue may continue to occur because the fix in the update rollup for Configuration Manager current branch
version 1702 and later Configuration Manager current branch versions prevents the issue from occurring only
going forward. It doesn't fix the issue if the issue currently exists in the environment.
Therefore, the issue can continue to occur in Configuration Manager current branch version 1702 or newer even
after the version 1702 update rollup or a later version is applied. This is true unless the following steps are
taken:
Update the boot images on distribution points.
Recreate the boot media by using the updated images.
Correctly clean the client PC that stole the GUID.
Resolution
WARNING
Do not try to fix this issue by recreating the Unknown Computer objects. This doesn't correctly fix the issue, and it doesn't
prevent the issue from reoccurring going forward. Additionally, there are known issues that occur in environments that
have multiple Unknown Computer objects for a single site. If you have previously tried to resolve this issue by recreating
the Unknown Computer objects, see Remove duplicate Unknown Computer objects.
To resolve this issue and prevent it from returning in the environment, follow these steps:
1. Update all boot images in the environment. To do this, right-click the images in the Configuration
Manager console, and then select Update Distribution Points . This puts the updated Configuration
Manager binaries that contain the fix into the boot image. For more information, see Update distribution
points with the boot image.
2. If you use media in the environment, recreate all media in the environment after you update all boot
images on the distribution points. This makes sure that the updated boot images that have the fix are in
the media that's being used in the environment.
To prevent media that has old boot images from being used, the certificates for those boot images can be
blocked in the Configuration Manager console under the Administration > Security > Cer tificates
node. To make sure that the issue doesn't recur, we recommend that you block all certificates for all media
created before the boot images were updated in step 1. The date on which the media was created is
displayed in the Star t Date column.
For more information about how to create media, see Create task sequence media.
3. The client computer that stole the GUID must be cleaned correctly.
To correctly clean the client that stole the GUID, follow these steps:
1. Identify the computer that acquired the GUID. To do this, examine the properties of the Unknown
Computer object (usually x64 Unknown Computer ), note the value of Configuration Manager
Unique Identifier , and then run a query in the Configuration Manager console to identify the computer
object that has the same GUID. You can do all these steps from the console. You do not have to go into the
SQL Server database to do this.
2. After you identify the computer that acquired the stolen GUID, remotely connect to that computer, and
then completely clean the Configuration Manager client. This involves more than simply uninstalling the
client. Instead, you must follow steps 3-7.
3. On the client computer, under C:\Windows\CCMSetup , run the CCMSetup.exe /uninstall command at an
elevated command prompt.
4. Monitor Task Manager until CCMSetup finishes running. Double-check the ccmsetup.log file to make
sure that the client was uninstalled correctly.
5. On the client computer, delete the following directories:
C:\Windows\CCM
C:\Windows\CCMSetup
NOTE
To fully delete these directories, you may have to restart the computer.
6. On the client computer, delete the following registry keys (if they exist):
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM
HKEY_LOCAL_MACHINE\Software\Microsoft\CCMSetup
HKEY_LOCAL_MACHINE\Software\Microsoft\SMS
7. On the client computer, delete the C:\Windows\SMSCFG.ini file.
8. On the client computer, delete all certificates under the SMS > Cer tificates node in the Cer tificates
console for the Computer account . To do this, follow these steps:
a. Run MMC.exe at an elevated command prompt.
b. On the File menu, select Add/Remove Snap-in .
c. Select Cer tificates , and then select Add .
d. Select Computer account and then select Next .
e. Select Local computer and then select Finish .
f. Select OK .
g. Navigate to Cer tificates > SMS > Cer tificates .
h. In the results pane, right-click each certificate listed under the Cer tificates > SMS > Cer tificates
node, and then select Delete . Repeat this step until all certificates are deleted.
i. Close the Cer tificates console.
9. Delete the record of the offending computer from the Configuration Manager console. Again, you do not
have to go into the SQL Server database to do this. You can delete the record from the Configuration
Manager console. Make sure that you do this after you complete steps 1-8. Doing this first may cause the
record to be recreated if the client reports are backed up before they are fully cleaned.
10. Reinstall the Configuration Manager client on the offending client computer.
Remove duplicate Unknown Computer objects

If the Unknown Computer objects have been recreated at the site when you tried to fix the problem, the extra
Unknown Computer objects should be deleted. To accomplish this, all of the current Unknown Computer objects
should be deleted for the affected site followed by creating a brand new set of Unknown Computer objects for
the site. Deleting Unknown Computer objects can be completed only from the SQL Server database. It cannot be
done from the Configuration Manager console.
NOTE
It's acceptable to have multiple Unknown Computer objects if there are multiple primary sites. However, each site should
have only one Unknown Computer object per architecture. For example, there should be only one x64 object that's
labeled x64 Unknown Computer and only one x86 object that's labeled x86 Unknown Computer .
To delete the extra Unknown Computer objects, follow these steps:
1. Make sure you have a current and valid backup of the Configuration Manager site by using the built-in
Backup maintenance task.
2. Open the Configuration Manager console. If there are multiple primary sites, we recommend that you
open a Configuration Manager console that's connected to the central administration site.
3. In the Configuration Manager console, go to Assets and Compliance > Over view > Device
Collections .
4. Double-click the All Unknown Computers collection.
5. In the results pane, sort the objects in the All Unknown Computers collection by selecting the Site
Code column.
6. Note whether there are multiple x64 Unknown Computer objects or x86 Unknown Computer
objects for any individual site.
7. If there are multiple x64 Unknown Computer objects or x86 Unknown Computer objects for any
individual site, right-click the columns in the results pane, and add Resource ID to the list of columns.
8. Determine the Resource ID value for each x64 Unknown Computer object and each x86 Unknown
Computer object for any one site. Make sure to note the resource ID for all of the Unknown Computer
objects even if only one of the Unknown Computer objects is duplicated.
9. After you determine the Resource IDs of the Unknown Computer objects for a site, the x64 Unknown
Computer objects and the x86 Unknown Computer objects for the site can be deleted.
10. Open SQL Ser ver Management Studio , and then connect to the database for the site that hosts the
extra Unknown Computer objects.
11. Expand the Databases node, and select the Configuration Manager database (usually CM_Site_Code ).
12. On the toolbar, select New Quer y .
13. Make sure that the correct database is selected in the drop-down menu to the left of the Execute button
on the toolbar.
14. In the query pane, run the following SQL query:
SELECT C.CollectionID, C.SiteID, C.CollectionName, CM.MachineID, CM.Name FROM Collections C JOIN

CollectionMembers CM ON C.SiteID = CM.SiteID JOIN UnknownSystem_DISC USD ON USD.ItemKey =
CM.MachineID
This query displays all the collections that all the Unknown Computer objects belong to. Use this query to
determine which collections the Unknown Computer objects are members of. Make a note of this
information so that when the new set of Unknown Computer objects are created, they can be added back
to the appropriate collections. The Resource ID is listed in the MachineID column.
SELECT * FROM UnknownSystem_DISC WHERE ItemKey IN ('Resource_ID_1','Resource_ID_2', 'Resource_ID_3')
In this query, Resource_ID_x is the Resource ID of each of the Unknown Computer objects for the site, as
determined in step 9. For example, if the Resource IDs are 2046820354 and 2046820355 , the query
would be as follows:
SELECT * FROM UnknownSystem_DISC WHERE ItemKey IN ('2046820354','2046820355')
16. Verify that the records that are returned by the query in step 15 are correct. If they are, then run the
following query to delete the records:
DELETE FROM UnknownSystem_DISC WHERE ItemKey IN ('Resource_ID_1','Resource_ID_2', 'Resource_ID_3')
In this query, Resource_ID_x is the Resource ID of each of the Unknown Computer objects for the site, as
determined in step 9. For example, if the Resource IDs are 2046820354 and 2046820355 , the delete
query would be as follows:
DELETE FROM UnknownSystem_DISC WHERE ItemKey IN ('2046820354', '2046820355')
NOTE
Remember to delete all of the Unknown Computer objects for the affected site, both x64 and x86, even if only one
of them was duplicated.
17. Follow the section Recreate Unknown Computer objects in case of accidental deletion to create new
Unknown Computer objects for the affected site.
18. Return to the Configuration Manager console, and then go to Assets and Compliance > Over view >
Device Collections .
19. Right-click the All Unknown Computers collection, and then select Update Membership .
20. Wait a few minutes, and then select Refresh . Verify that only one x64 Unknown Computer object or
x86 Unknown Computer object exists for each site. If the objects do not display, wait a few more
minutes and try again.
21. Once the new Unknown Computer objects appear, add them back to the appropriate collections as
determined in step 14.
22. Repeat steps 10-21 for all additional primary sites, as necessary.
Recreate Unknown Computer objects in case of accidental deletion

If, for whatever reason, all Unknown Computer objects are accidentally deleted for any one site that uses this
process, they can be recreated by using the following steps. These steps should be taken only if there are no
Unknown Computer objects for a site. If only one of the two Unknown Computer objects exists at a site, delete
the one remaining Unknown Computer object by using the steps in the Remove duplicate Unknown Computer
objects section of this article, and then follow these steps:
1. Sign in to the primary site server that the Unknown Computer objects are missing from.
2. At an elevated command prompt, run the following command:
REG.exe ADD "HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_DISCOVERY_DATA_MANAGER" /v CreatedUnknownDDR

/t REG_DWORD /d 0 /f
After this registry key value is updated, the Unknown Computer objects should be automatically recreated soon
afterward. You can check the progress of the creation of the Unknown Computer objects in the DDM.log file on
the primary site server.
To speed up the recreation of the Unknown Computer records, restart the SMS_DISCOVERY_DATA_MANAGER thread by
following these steps:
1. Open the Configuration Manager console on the primary site from which the Unknown Computer
objects are missing, and then go to Monitoring > Over view > System Status > Component Status .
2. On the toolbar, select Star t > Configuration Manager Ser vice Manager .
3. In Configuration Manager Ser vice Manager , expand the node under the site code and then select
Components .
4. In the results pane, right-click SMS_DISCOVERY_DATA_MANAGER and select Quer y . The thread
should display as Running .
5. Right-click SMS_DISCOVERY_DATA_MANAGER , and then click Stop .
6. Right-click SMS_DISCOVERY_DATA_MANAGER , and then click Quer y .
NOTE
The thread should display as Stopped .
7. Right-click SMS_DISCOVERY_DATA_MANAGER , and then click Star t .

8. Right-click SMS_DISCOVERY_DATA_MANAGER , and then click Quer y .
NOTE
The thread should display as Running .
9. Close the Configuration Manager Ser vice Manager window.

The Unknown Computer objects should be automatically recreated soon. You can check the progress of this
process in the DDM.log file on the primary site server.
Active users and groups are unexpectedly deleted
by the Delete Aged Discovery Data task in
This article helps you fix an issue in which some active users and groups are unexpectedly deleted by the Delete
Aged Discover y Data task in Configuration Manager.
Original product version: Configuration Manager (current branch), Configuration Manager (current branch -
version 1906), Configuration Manager (current branch - version 1902)
Symptoms
In a Configuration Manager current branch, version 1910, 1906, or 1902 environment, you use Active Directory
User Discovery and Active Directory Group Discovery to discover users and groups. You also set up the Delete
Aged Discover y Data task to delete aged discovery data.
In this scenario, some active users and groups are unexpectedly deleted by the Delete Aged Discover y Data
task.
Cause
The Delete Aged Discover y Data task uses the sp_GetAgedDiscoveryItems stored procedure to identify aged
items. Active users and groups that aren't changed within the indicated time in the task are considered to be
inactive. Therefore, the task deletes the items.
Resolution
For Configuration Manager current branch, version 1910
This problem is fixed if you update to the globally available release of Configuration Manager current branch
version 1910 from Update for Microsoft Endpoint Configuration Manager version 1910, early update ring.
Otherwise, follow The Delete Aged Discovery Data task incorrectly removes active records in Configuration
Manager to fix the problem.
For Configuration Manager current branch, version 1906 and 1902
To fix this problem, run the following TSQL query against the site database on the central administration site and
primary sites.
NOTE
Before you run the TSQL query in your production environment, we recommend that you test it in a test environment
and back up your site databases.
IF EXISTS( SELECT 1 FROM Sites WHERE SiteType in (4,2) AND SiteCode = dbo.fnGetSiteCode() AND (BuildNumber
>=8790 AND BuildNumber <8913) )
AND NOT EXISTS (SELECT 1 FROM CM_UpdatePackages where FullVersion = '5.00.8913.1012' and State = '196612')
BEGIN
DECLARE @query as nvarchar(MAX);
SET @query = 'ALTER PROCEDURE sp_GetAgedDiscoveryItems @cutoffDate varchar(100), @discArchKey int as

begin
set nocount on
declare @siteRangeStart int

declare @siteRangeEnd int
set @siteRangeStart = dbo.fnGetSiteRangeStart()
set @siteRangeEnd = dbo.fnGetSiteRangeEnd()
declare @isReservedRangedSite int

select @isReservedRangedSite = isnull(Value3, 0) from SC_SiteDefinition_Property where SiteNumber =
dbo.fnGetSiteNUmber() and Name = N''ReplicatesReservedRanges''
if @discArchKey = 4 or @discArchKey = 3 -- user/security group

begin
-- user site number is 123, unknown system is 122 and max site number is 128
-- so special range is 123*16777216 to 128*16777216-1
select DiscArchKey, ItemKey
from DiscItemAgents dia
where ((ItemKey between @siteRangeStart and @siteRangeEnd) or ((ItemKey between 2063597568 and
2147483647) and @isReservedRangedSite = 1))
group by dia.ItemKey, dia.DiscArchKey
-- for agents honoring DueForAgeOut flag, Aged = aged for all agents on all sites
having sum(cast(isnull(dia.DueForAgeOut, 0) AS int)) = count(dia.ItemKey) and dia.DiscArchKey =
@discArchKey
end
else if @discArchKey = 5 -- non-mobile devices
begin
select dia.DiscArchKey, dia.ItemKey
from DiscItemAgents dia inner join System_DISC sd on dia.ItemKey = sd.ItemKey
where ((dia.ItemKey between @siteRangeStart and @siteRangeEnd) or ((dia.ItemKey between 2063597568
and 2147483647) and @isReservedRangedSite = 1))
group by dia.ItemKey, dia.DiscArchKey, sd.Client_Type0
having max(AgentTime) <= @cutoffDate and dia.DiscArchKey = @discArchKey and isnull(sd.Client_Type0,
1) = 1
end
else -- other archs
begin
select DiscArchKey, ItemKey
from DiscItemAgents dia
where ((ItemKey between @siteRangeStart and @siteRangeEnd) or ((ItemKey between 2063597568 and
2147483647) and @isReservedRangedSite = 1))
group by dia.ItemKey, dia.DiscArchKey
having max(AgentTime) <= @cutoffDate and dia.DiscArchKey = @discArchKey
end
end'
EXECUTE sp_executesql @query
END
ELSE
PRINT 'This script is not applicable on this site or database. Applicable on CAS\PRI on version running 1902
and 1906 only.'
when you create an MDT task sequence
This article helps you fix an issue where you receive the An error occurred when loading the task
sequence error when you create a Microsoft Deployment Toolkit (MDT) task sequence in Configuration
Manager.
Symptoms
After selecting the Finish button when attempting to create an MDT task sequence, the task sequence may fail
to create with the following error:
The TaskSequenceProvider.log file may also show errors similar to the following:
Failed to load class properties and qualifiers for class BDD_UsePackage in task sequence. 0x80041002
(2147749890) TaskSequenceProvider
Failed to load node Use Toolkit Package from XML into WMI 0x80041002 (2147749890)
TaskSequenceProvider
Failed to load children steps for node "Execute Task Sequence" from XML 0x80041002 (2147749890)
TaskSequenceProvider
Failed to load children steps for node "" from XML 0x80041002 (2147749890) TaskSequenceProvider
Failed to load XML for the task sequence into WMI 0x80041002 (2147749890) TaskSequenceProvider
Cause
This error can occur if the MDT Windows Management Instrumentation (WMI) classes are not properly
registered.
Resolution
To resolve this issue, follow the steps below:
1. Close all of your remote and local Configuration Manager admin console sessions.
2. Log on to your Configuration Manager server, in Microsoft Deployment Toolkit, select Configure
ConfigMgr Integration .
3. In the Configure ConfigMgr Integration wizard, select Remove the MDT console extensions for
System Center Configuration Manager , click Next , then click Finish .
4. Rerun Configure ConfigMgr Integration , select Install the MDT extensions for Configuration
Manager , click Next , then click Finish .
Once you do the steps, try creating the task sequence again. It should now complete successfully.
More information
This error occurs because the BDD_* WMI classes have not been correctly registered under the
\root\SMS\site_<sitecode> namespace in WMI.
A Configuration Manager in-place upgrade task
sequence doesn't continue after a Windows 10 in-
place upgrade rollback
This article helps you fix an issue in which a Configuration Manager in-place upgrade task sequence doesn't
continue after a Windows 10 in-place upgrade rollback.
Symptoms
When a Windows 10 in-place upgrade rollback occurs during a Configuration Manager in-place upgrade task
sequence, the task sequence doesn't continue after the rollback finishes. In this scenario, you notice the
following issues when you examine log files on an affected device:
If you use Configuration Manager current branch version 1902 or an earlier version, and the
/postrollbackcontext system option isn't manually specified:
The C:\$Windows.~BT\Sources\Rollback\setupact.log file shows that the SetupRollback.cmd script

was started by Windows Setup after the rollback finished:
MOUPG SetupManager::ExecuteRollbackScripts: Running rollback script:

[C:\$WINDOWS.~BT\Sources\Scripts\setuprollback.cmd]
MOUPG SetupManager::ExecuteRollbackScripts: Rollback script
[C:\$WINDOWS.~BT\Sources\Scripts\setuprollback.cmd] returned: [0x0]
The SetupRollback.cmd script is responsible for resuming the task sequence after the rollback
finishes. The C:\Windows\SetupRollback.log file shows that the SetupRollback.cmd script did
resume the task sequence. However, the task sequence later exited and returned error code -
2147024891:
<Day> <Date>-<Time> Entering setuprollback.cmd

<Day> <Date>-<Time> Setting env var _SMSTSSetupRollback=TRUE
<Day> <Date>-<Time> Setting registry to resume task sequence after reboot
<Day> <Date>-<Time> Running C:\WINDOWS\CCM\\TSMBootstrap.exe to resume task
sequence
...
<Day> <Date>-<Time> ERRORLEVEL = -2147024891
<Day> <Date>-<Time> TSMBootstrap did not request reboot, resetting registry
<Day> <Date>-<Time> Exiting setuprollback.cmd
Error code -2147024891 means Access Denied .

The Smsts.log file logs the following error message at around the same time that the
SetupRollback.log file shows that the task sequence exited:
TSManager Error Task Sequence Manager failed to execute task sequence. Code 0x80070005
Error code 80070005 also means Access Denied .

The Smsts.log file may also contain the following additional entries that include error code
80070005:
TSManager g_TSManager.Run(), HRESULT=80070005

TSManager hMap != 0, HRESULT=80070005
TSManager m_pGlobalScope->open(), HRESULT=80070005
TSManager hMap != 0, HRESULT=80070005
TSManager m_pGlobalScope->open(), HRESULT=80070005
TSManager this->open(), HRESULT=80070005
TSManager sMp.empty()==false, HRESULT=80004005
The log entries that contain error code 80070005 may be repeated in Smsts.log.
Not all previous log entries occurred as soon as the rollback finished. Instead, the entries occurred
when someone first logged in to the device after the rollback finished.
The Smsts.log file shows that the /postrollbackcontext system option wasn't used in the Windows
Setup command line that's used to start the in-place upgrade by the task sequence:
OSDUpgradeWindows Executing command line: "C:\_SMSTaskSequence\Packages\

<Package_ID>\SETUP.EXE" /ImageIndex 3 /auto Upgrade /quiet /noreboot /postoobe
"C:\WINDOWS\SMSTSPostUpgrade\SetupComplete.cmd" /postrollback
"C:\WINDOWS\SMSTSPostUpgrade\SetupRollback.cmd" /DynamicUpdate Disable with
options (0, 0)
If you deploy Windows 10, version 1903 or 1809, and the /postrollbackcontext system option is
specified manually (in Configuration Manager current branch version 1902 or an earlier version) or
automatically (in Configuration Manager current branch version 1906 or a later version):
The Smsts.log file shows that the Windows Setup command line contains the
/postrollbackcontext system option:
OSDUpgradeWindows Executing command line: "C:\_SMSTaskSequence\Packages\

<Package_ID>\SETUP.EXE" /ImageIndex 3 /auto Upgrade /quiet /noreboot /postoobe
"C:\WINDOWS\SMSTSPostUpgrade\SetupComplete.cmd" /postrollback
"C:\WINDOWS\SMSTSPostUpgrade\SetupRollback.cmd" /DynamicUpdate Disable
/postrollbackcontext system with options (0, 0)
However, the last log entries in Smsts.log are from the timeframe before the rollback occurred.
There are no log entries from the timeframe after the rollback finished.
The C:\$WINDOWS.~BT\Sources\Rollback\setupact.log file contains no entries that indicate that the
SetupRollback.cmd script was ever started.
The C:\Windows\SetupRollback.log file doesn't exist.
Cause
This issue occurs for the following reasons:
A task sequence is resumed after a rollback through the SetupRollback.cmd script that's initiated by the
/PostRollback option of Windows 10 Setup. However, in Windows 10 versions earlier than 1803, the
script runs only when the first user logs on post-upgrade and runs by using the rights of the first logged-
in user. This behavior causes the following problems:
The task sequence won't automatically continue as soon as the rollback finishes. It continues only
when a user tries to log on.
Task sequences must run in system context to work correctly. When a task sequence continues after a
user logs on, it runs in user context instead of system context. Even if the user has administrator rights,
the task sequence fails and returns an Access Denied error message.
The /PostRollbackContext option is available in Windows 10, version 1803 and later versions. This option
allows you to specify whether the SetupRollback.cmd script runs in the context of the System account or
the account of the signed in user. When the /postrollbackcontext option is set to system , the
SetupRollback.cmd script runs as soon as the rollback finishes without waiting for a user to log on, and it
runs in the context of the System account.
However, the /postrollbackcontext system option isn't automatically added to the Windows Setup
command line in Configuration Manager current branch version 1902 or an earlier version. If you don't
manually add the /postrollbackcontext system option, the SetupRollback.cmd script still runs in user
context even if your Windows 10 version is 1803 or a later version.
An issue in Windows 10, version 1903 and 1809 prevents the /postrollbackcontext system option from
working. In these two versions of Windows 10, the SetupRollback.cmd script never runs if the
/postrollbackcontext system option is specified.
Resolution
To fix the issue, update to the following versions of Configuration Manager and Windows 10:
Configuration Manager current branch, version 1906 or a later version
Windows 10, version 1909 or a later version
To fix the issue without updating to Configuration Manager current branch version 1906 and Windows 10
version 1909, follow these steps:
1. If your Windows 10 version is earlier than 1803, update to Windows 10 version 1803 or a later version.
Because the SetupRollback.cmd script can't run in system context in Windows 10 versions earlier than
1803, it's not possible to start and continue a Configuration Manager task sequence correctly after an in-
place upgrade rollback occurs.
2. If you use Configuration Manager current branch version 1902 or an earlier version, add the
/postrollbackcontext system option to the Windows Setup command line through the task sequence
variable OSDSetupAdditionalUpgradeOptions . To do this, add a Set Task Sequence Variable step before
the Upgrade Operating System step, set the task sequence variable to
OSDSetupAdditionalUpgradeOptions , and then set the value to /postrollbackcontext system .
NOTE
Starting in Configuration Manager current branch version 1906, the /postrollbackcontext system option is
automatically added during the Upgrade Operating System step. After you update to Configuration Manager
current branch version 1906 or a later version, remove the Set Task Sequence Variable step that sets the
OSDSetupAdditionalUpgradeOptions variable to /postrollbackcontext system .
3. If your Windows 10 version is 1903 or 1809, update the Windows Setup source files by using one of the
following methods:
In the Upgrade Operating System step of the task sequence, select Dynamically update
Windows Setup with Windows Update and Override policy and use default Microsoft
Update . These options enable the setup to do dynamic update operations, such as download and
apply updates to the Windows Setup source files during the Upgrade Operating System step.
NOTE
This method requires that clients have Internet access to the public Microsoft Update site during the task
sequence.
Download the updated ISO files of Windows 10, version 1903 or 1809 that are dated August 2019
or later. After you download the ISO files, update the Operating System Upgrade Package . To
do this, delete all files in the package source location, mount the updated ISO files, copy the files
from the mounted ISO to the package source location, and then update the package files on
distribution points by using the Update Distribution Points action.
Download the dynamic update for Windows 10, version 1903 or 1809 that's dated August 2019 or
later from Microsoft Update Catalog. After you download the dynamic update, extract the content
from the CAB file and copy the extracted files to the Sources folder of the Operating System
Upgrade Package to overwrite existing files. Then. update the package files on distribution points
by using the Update Distribution Points action.
References
Windows Setup Command-Line Options - /PostRollback
Task sequence variable - OSDSetupAdditionalUpgradeOptions
The Apply Driver Package task fails with 80070057
in Configuration Manager
This article fixes an issue in which the Apply Driver Package task fails and error 80070057 is logged in
SMSTS.log.
Symptom
After you upgrade to Configuration Manager current branch version 1706 or a later version, the Apply Driver
Package task fails, and the following error is logged in SMSTS.log:
TSManager Set command line: osddriverclient.exe /install:<Driver_Package_ID>

/unsigned:%OSDAllowUnsignedDriver% /recurse:%OSDRecurse%
TSManager Start executing the command line: osddriverclient.exe /install:<Driver_Package_ID>
TSManager !----------------------------------------------------------------!
TSManager Expand a string: WinPE
TSManager Executing command line: osddriverclient.exe /install:<Driver_Package_ID>
OSDDriverClient ==================[ OSDDriverClient.exe ]====================
OSDDriverClient Command line: "osddriverclient.exe" /install:<Driver_Package_ID> /unsigned:true
/recurse:%OSDRecurse%
OSDDriverClient FALSE, HRESULT=80070057
(e:\nts_sccm_release\sms\client\osdeployment\osddriverclient\osddriverclient.cpp,197)
OSDDriverClient Argument 3 is invalid.
OSDDriverClient ParseArguments( argc, argv, eDriverOperation, sPackageId, pBootCriticalInfo,
bAllowUnsigned, bBestMatch ), HRESULT=80070057
(e:\nts_sccm_release\sms\client\osdeployment\osddriverclient\osddriverclient.cpp,341)
OSDDriverClient Failed to pass arguments. Code 0x80070057
OSDDriverClient Exiting with return code 0x80070057
TSManager Process completed with exit code 2147942487
TSManager !----------------------------------------------------------------!
TSManager Failed to run the action: Apply Driver Package. This is usually caused by a problem with the
program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact
Microsoft Support Services for further assistance.
The parameter is incorrect. (Error: 80070057; Source: Windows)
Cause
The new Install driver package via running DISM with recurse option feature in the Apply Driver
Package task is introduced in Configuration Manager current branch version 1706. If the existing boot images
aren't updated to the new Configuration Manager binaries, this option isn't recognized. Therefore, error
80070057 is returned.
Resolution
To fix the issue, follow these steps to update the boot images:
1. In the Configuration Manager console, select Software Librar y .
2. In the Software Library workspace, expand Operating Systems , and then select Boot Images .
3. Right-click the boot image that you want to update, and then select Update Distribution Points .
4. Repeat step 3 for all boot images that were previously distributed.
Computer hangs at the Just a moment screen in a
debug deployment of an OSD task sequence
This article fixes an issue in which a computer appears to hang during an OSD task sequence running in debug
mode.
Symptoms
You run a debug deployment of an Operating System Deployment (OSD) task sequence that deploys Windows
10 in Configuration Manager. After the task sequence restarts out of WinPE and into the full OS, the device
hangs for a long time at the Just a moment screen during Windows Setup.
Cause
This issue typically occurs if the Step option of the task sequence debugger is used from the Setup Windows
and ConfigMgr task or if a break point is set after the Setup Windows and ConfigMgr task.
After Windows Setup is completed, the OSD task sequence is restarted by using the SetupComplete.cmd script.
Current versions of Windows 10 hide programs and do not interactively display them when they are started
through the SetupComplete.cmd script. This behavior causes anything that the task sequence tries to display to
be hidden instead. This includes the task sequence debugger and any task sequence progress bars.
In this situation, the task sequence does continue, and the debugger does start. However, the debugger is hidden
and cannot be seen. Only the Just a moment screen is visible. This makes it appear as though Windows Setup
is still running.
After the first restart after SetupComplete.cmd initially runs, programs are shown interactively and are no
longer hidden. At this point, the task sequence debugger and progress bars are visibly displayed.
Resolution
To resolve the issue, follow these steps:
1. Add a Restar t Computer task immediately after the Setup Windows and ConfigMgr task. Make sure
that the Restar t Computer task is set to the The currently installed default operating system
option.
2. Set any necessary break points by following these guidelines:
Do not set a break point on the Restar t Computer task that you added in step 1. Instead, set break
points after the Restar t Computer task, as appropriate.
Do not use the Step option in the task sequence debugger at the Setup Windows and ConfigMgr
task. Instead, set a break point to the task after the Restar t Computer task, and then select the Run
option when you're ready to continue.
References
For more information about the task sequence debugger, see Debug a task sequence. For more information
about the SetupComplete.cmd script file, see Add a Custom Script to Windows Setup.
Dynamic Media can't get management point
locations when Task Sequence Wizard runs in
Windows PE
This article fixes an issue in which Dynamic Media in Configuration Manager cannot get management point
locations when the Task Sequence Wizard runs in Microsoft Windows Preinstallation Environment (Windows
PE).
Symptoms
You use Dynamic Media in Configuration Manager. When the Task Sequence Wizard first starts in Windows PE,
the initial communication to the management point to sync the time settings is successful, as shown in the
following SMSTS.log entry:
TSMBootstrap Getting MP time information

TSMBootstrap Set authenticator in transport
TSMBootstrap Requesting client identity
TSMBootstrap Setting message signatures.
TSMBootstrap Setting the authenticator.
TSMBootstrap CLibSMSMessageWinHttpTransport::Send: URL:MP_ServerCCM_POST /ccm_system/request
TSMBootstrap Request was successful.
However, the later request to the management point to get location information fails, as shown in the following
SMSTS.log entry:
TSMBootstrap IP: 192.168.0.100 192.168.0.0

TSMBootstrap CLibSMSMessageWinHttpTransport::Send: URL: MP_Server GET /SMS_MP/.sms_aut?
MPLOCATION&ir=192.168.0.100&ip=192.168.0.0
TSMBootstrap Error. Status code 500 returned
TSMBootstrap XML parsing error at line 1 char 11: DTD is prohibited.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-
strict.dtd">
TSMBootstrap bSuccess == ((VARIANT_BOOL)-1), HRESULT=80004005
(e:\CM1706_RTM\sms\common\inc\ccmxml.h,1151)
TSMBootstrap oXMLDoc.loadFromXML( sReply.c_str()), HRESULT=80004005
(e:\cm1706_rtm\sms\framework\osdmessaging\libsmsmessaging.cpp,5767)
TSMBootstrap Error loading from XML
TSMBootstrap CCM::SMSMessaging::CLibSMSMPLocation::RequestMPLocation failed; 0x80004005
TSMBootstrap MPLocation.RequestMPLocation (szTrustedRootKey, sIPSubnets.c_str(), sIPAddresses.c_str(),
httpS, http), HRESULT=80004005
(e:\cm1706_rtm\sms\framework\osdmessaging\libsmsmessaging.cpp,10164)
TSMBootstrap CCM::SMSMessaging::GetMPLocations failed; 0x80004005
TSMBootstrap Failed to query MP_Server for MP location
NOTE
The IP addresses in the first line of this log entry are the IP addresses of the client computer and its subnet.
If multiple management points are defined in the Dynamic Media, the same failure occurs regardless of which
management point Configuration Manager tries to communicate with. If you try to use the same URL in a
browser, as in the following example, this also causes a 500 error:
http://MP_Ser ver/SMS_MP/.sms_aut?MPLOCATION&ir=192.168.15.100&ip=192.168.0.0
The Internet Information Services (IIS) logs on the management point do not reveal a matching 500 error entry.
Instead, a 200 success entry is displayed. If you enable Failed Request Tracing in IIS for the 500 error
message, you find the following error message:
CALL_ISAPI_EXTENSION DllName="MP_Install_Directory\getauth.dll"
MODULE_SET_RESPONSE_ERROR_STATUS
Warning ModuleName="IsapiModule", Notification="EXECUTE_REQUEST_HANDLER", HttpStatus="500",
HttpReason="Internal Server Error", HttpSubStatus="0", ErrorCode="The operation completed successfully.
(0x0)", ConfigExceptionInfo=""
For more information about how to enable failed request tracing in IIS for 500 error messages, see the
Troubleshooting Failed Requests Using Tracing in IIS 8.5.
The MP_GetAuth.log file on the management point shows the following error entry that was logged when the
client made the request that's recorded in the SMSTS.log:
MP_GetAuth_ISAPI MP GA Number of MPs in the Site = <Number_Of_MPs_At_Site>

MP_GetAuth_ISAPI MP GA: Actual Auth Reply Body :
<MPList><XML_List_Of_MPs_At_Site></MPList>
MP_GetAuth_ISAPI MP GA: GetAuthSendResponseHeaders: Sending response 200 OK
MP_GetAuth_ISAPI MP GA: GetAuthDoneWithSession: ServerSupportFunction() returned 0x0
MP_GetAuth_ISAPI MP GA: HttpExtensionProc:GetAuthProcessRequest() returned 1
MP_GetAuth_ISAPI MP GA: Query String Before Decode : MPLOCATION&ir= 192.168.0.100&ip=192.168.0.0
MP_GetAuth_ISAPI MP GA: Query String After Decode : MPLOCATION&ir= 192.168.0.100&ip=192.168.0.0
MP_GetAuth_ISAPI MP GA: Auth Request Type is MPLOCATION&ir= 192.168.0.100&ip=192.168.0.0
MP_GetAuth_ISAPI No more rows.
MP_GetAuth_ISAPI No more rows.
MP_GetAuth_ISAPI Formatted string exceeded max buffer size. Result is truncated.
MP_GetAuth_ISAPI m_docReply.LoadFromString (String (bstrMPLocationXML), false), HRESULT=8000ffff
(e:\nts_sccm_release\sms\mp\isapi\getauth\getauth.cpp,994)
MP_GetAuth_ISAPI hr, HRESULT=8000ffff (e:\nts_sccm_release\sms\mp\isapi\getauth\getauth.cpp,2124)
MP_GetAuth_ISAPI AuthRequest.ProcessGETRequest(), HRESULT=8000ffff
(e:\nts_sccm_release\sms\mp\isapi\getauth\getauth.cpp,98)
MP_GetAuth_ISAPI MP GA: GetAuthSendResponseHeaders: Sending response 500 Internal Server Error
MP_GetAuth_ISAPI MP GA: GetAuthDoneWithSession: ServerSupportFunction() returned 0x0
MP_GetAuth_ISAPI MP GA: HttpExtensionProc:GetAuthProcessRequest() returned 4
The issue doesn't occur for site-based media or the Preboot Execution Environment (PXE) through Configuration
Manager. However, the issue can occur if you use third-party PXE solutions that can use Dynamic Media.
Cause
This issue occurs because there are multiple Unknown Computer objects for a specific website, and that site has
several management points. This causes many results to be returned when MPLOCATION is called and the
GetMPLocationForIPSubnet stored procedure runs.
To run GetMPLocationForIPSubnet manually on the server that's running SQL Server through SQL Management
Studio, run the following query:
exec GetMPLocationForIPSubnet N'192.168.0.0'
In this scenario. this command returns several hundred rows. This large number of rows exceeds the maximum
buffer size. This, in turn, causes the 500 error message and also causes MPLOCATION to fail.
Resolution
All sites should have only one Unknown Computer object per architecture. For example, there should be only
one x64 object that's labeled x64 Unknown Computer and only one x86 object that's labeled x86 Unknown
Computer . If a site has more than one Unknown Computer object per architecture, the extra Unknown
Computer objects should be deleted. Deleting extra Unknown Computer objects can be done only from the SQL
Server database. It cannot be done from the Configuration Manager console.
NOTE
Creating extra Unknown Computer objects to prevent the client computers from stealing the GUID of the Unknown
Computer objects is not the correct method to fix this issue. For the correct method, see A client computer can steal the
Configuration Manager GUID of an Unknown Computer object during imaging.
To delete the extra Unknown Computer objects, follow these steps:

1. Make sure you have a current and valid backup of the Configuration Manager site by using the built-in
Backup maintenance task.
2. Open the Configuration Manager console. If there are multiple primary sites, we recommend that you
open a Configuration Manager console that's connected to the central administration site.
3. In the Configuration Manager console, go to Assets and Compliance > Over view > Device
Collections .
4. Double-click the All Unknown Computers collection.
5. In the results pane, sort the objects in the All Unknown Computers collection by selecting the Site
Code column.
6. Note whether there are multiple x64 Unknown Computer objects or x86 Unknown Computer
objects for any individual site.
7. If there are multiple x64 Unknown Computer objects or x86 Unknown Computer objects for any
individual site, right-click the columns in the results pane, and add Resource ID to the list of columns.
8. Determine the lowest Resource ID value for each x64 Unknown Computer object or each x86
Unknown Computer object for any one site. In most cases, for the first Primary site in an environment,
the resource IDs for the original Unknown Computer objects for the sites will be 2046820352 (x86
Unknown Computer ) and 2046820353 (x64 Unknown Computer ).
9. After you determine the lowest Resource ID , all other x64 Unknown Computer objects or x86
Unknown Computer objects for any site can be deleted. Note all the Resource IDs that can be deleted
and which site they belong to.
10. Open SQL Ser ver Management Studio , and then connect to the database for the site that hosts the
extra Unknown Computer objects.
11. Expand the Databases node, and select the Configuration Manager database (usually CM_Site_Code ).
12. On the toolbar, select New Quer y .
13. Make sure that the correct database is selected in the drop-down menu to the left of the Execute button
on the toolbar.
SELECT C.CollectionID, C.SiteID, C.CollectionName, CM.MachineID, CM.Name FROM Collections C

JOIN CollectionMembers CM ON C.SiteID = CM.SiteID
JOIN UnknownSystem_DISC USD ON USD.ItemKey = CM.MachineID
This query displays all the Collections that all the Unknown Computer objects belong to. Use this query
to determine which collections the Unknown Computer objects that are being kept have to be added to.
This should be based on the memberships of the Unknown Computer objects that are being deleted. The
Resource ID is listed in the MachineID column.
SELECT * FROM UnknownSystem_DISC WHERE ItemKey IN ('Extra_Resource_ID_1','Extra_Resource_ID_2',

'Extra_Resource_ID_3')
In this query, Extra_Resource_ID_x is the Resource ID of each of the extra Unknown Computer objects, as
determined in step 9. For example, if the extra Resource IDs are 2046820354 and 2046820355 , the
query would be as follows:
SELECT * FROM UnknownSystem_DISC WHERE ItemKey IN ('2046820354','2046820355 ')
16. Verify that the records that are returned by the query in step 15 are correct. If they are, then run the
following query to delete the records:
DELETE FROM UnknownSystem_DISC WHERE ItemKey IN ('Extra_Resource_ID_1','Extra_Resource_ID_2',

'Extra_Resource_ID_3')
In this query, Extra_Resource_ID_x is the Resource ID of each of the extra Unknown Computer objects, as
determined in step 9. For example, if the extra Resource IDs are 2046820354 and 2046820355 , the
delete query would be as follows:
DELETE FROM UnknownSystem_DISC WHERE ItemKey IN ('2046820354', '2046820355')
17. Wait a few minutes, return to the Configuration Manager console, and then go to Assets and
Compliance > Over view > Device Collections .
18. Right-click the All Unknown Computers collection, and then select Update Membership .
19. Wait a few minutes, and then select Refresh . Verify that only one x 64 Unknown Computer object or
x86 Unknown Computer object exists for each site.
20. Repeat steps 10-19 for all additional primary sites, as necessary.
Recreate Unknown Computer objects in case of accidental deletion
For whatever reason, if all Unknown Computer objects are accidentally deleted for any one site that uses this
process, they can be re-created by using the following steps. These steps should be taken only if there are no
Unknown Computer objects for a site. If only one of the two Unknown Computer objects exist at a site, delete
the one remaining Unknown Computer object by using the steps in Resolution, and then follow the steps in
Recreate Unknown Computer objects in case of accidental deletion.
The Unknown Computer objects should be automatically re-created soon. You can check the progress of this
process in the DDM.log on the primary site server.
Enable BitLocker task fails with error 80070057 in
This article fixes an issue in which the Enable BitLocker task fails with error 80070057 in Configuration
Manager.
Symptoms
After you upgrade to Configuration Manager current branch version 1806, the Enable BitLocker task fails, and
you receive the following error message in the Smsts.log file:
Command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD /full:False

Initialized COM OSDBitLocker
Command line for extension .exe is "%1" %* OSDBitLocker
Set command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD /full:False
FALSE, HRESULT=80070057 (..\main.cpp,238) OSDBitLocker 3580 (0x0DFC)
Invalid command line argument '/full' OSDBitLocker 3580 (0x0DFC)
ProcessCommandLine( argInfo ), HRESULT=80070057 (..\main.cpp,366) OSDBitLocker 3580 (0x0DFC)
Process completed with exit code 2147942487 TSManager 3364 (0x0D24)
Failed to run the action: Enable BitLocker. This is usually caused by a problem with the program. Please check
the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services
for further assistance.
The parameter is incorrect.
Cause
This issue is caused by an update in Configuration Manager current branch version 1806. The Enable
BitLocker and Pre-Provision BitLocker actions require newer versions of OSDBitLocker.exe and
OSDOfflineBitlocker.exe that are included in boot image version 5.00.8592.1008 and the Configuration Manager
current branch version 1806 client package.
Resolution
To fix this issue, update the boot image to version 5.00.8592.1008, and use the Configuration Manager current
branch version 1806 client package in the task sequence.
Failures with the Capture User State task or task
sequence when using System Center 2012
This article helps you fix an issue where Capture User State task or task sequence fails when you do a hard-
link migration in System Center 2012 Configuration Manager.
Symptoms
When doing hard-link migrations in System Center 2012 Configuration Manager, the User State Migration
Toolkit (USMT) state store becomes much bigger than expected and potentially causes disk space problems. This
also potentially causes the Capture User State task and task sequence to fail.
Cause
The Capture User State task of System Center 2012 Configuration Manager has the ability to set the USMT
option of /efs to either skip or copyraw via the option Skip Files that use the Encr ypting File System
(EFS) . However there is no option to set it to hardlink . Without the ability to change the efs option to
hardlink , a hard-link to the EFS file is not created and instead a full copy of the file is created.
Resolution
Manually run USMT's scanstate.exe via a Run Command Line task that points to the USMT 4 package and
provides a customized command line. An example command line using task sequence variables that does a
hard-link migration with the efs option set to hardlink would be:
.\%PROCESSOR_ARCHITECTURE%\scanstate.exe %OSDStateStorePath% /o /localonly /c /efs:hardlink /v:5
/l:%_SMSTSLogPath%\scanstate.log /progress:%_SMSTSLogPath%\scanstateprogress.log
/i:.\%PROCESSOR_ARCHITECTURE%\migdocs.xml /i:.\%PROCESSOR_ARCHITECTURE%\migapp.xml /hardlink /nocompress
%OSDMigrateAdditionalCaptureOptions%
How to get network captures from a task sequence
in Windows PE
This article provides the steps to get network captures from a task sequence in Windows Preinstallation
Environment (Windows PE).
Original product version: Microsoft System Center 2012 R2 Configuration Manager, Configuration Manager
(current branch)
Summary
Microsoft Support sometimes asks customers to capture a network trace when a Configuration Manager task
sequence fails and returns a network error. Usually, we request that you capture a network trace by configuring
port mirroring on the LAN switch or you capture a network trace on a Virtual Machine (VM) host, if the issue
can be reproduced by a VM.
It's difficult to capture a network trace in Windows PE, as the Netsh command doesn't support tracing in
Windows PE. Additionally, you can't bind to any network adapter if you just copy and then run the Network
Monitor command in Windows PE.
Capture a network trace in Windows PE

1. Extract the Microsoft Network Monitor setup file to a local folder, and then extract the Netmon.msi by
using Msiexec.exe.
2. In the extracted files, find the Network Monitor driver files Netnm3.inf and Nm3.sys.
)
3. Mount the boot image source file and inject the driver Netnm3.inf into it. Be aware that the image file is
the original source image, not the file that has a package ID.
4. Copy the Microsoft Network Monitor 3 folder from the extracted Network Monitor files to the
<Image_MountDir> folder. The Microsoft Network Monitor 3 folder contains all the executables (.exe)
that are needed to install and run Network Monitor 3.4.
5. Copy Nm3.sys to the following folders. Only the SYSTEM account has write permission. Therefore, you
have to use Psexec.exe to start a command prompt with SYSTEM context.
<Image MountDir>\Windows\System32\drivers
<Image
MountDir>\Windows\System32\DriverStore\FileRepository\netnm3.inf_amd64_ddce99a12d11c79a
6. Unmount and then commit the Windows PE image. Add the boot image in the Configuration Manager
console or update distribution point if you're editing an existing boot image.
7. Start the computer from PXE or boot media. After the boot image is loaded, press F8 and execute the
following commands in the Microsoft Network Monitor 3 folder. The first command will bind the
Network Monitor driver to the network adapter.
You can now create a new trace file and start capturing. The parsers aren't available. However, you can save the
trace after the issue is reproduced and the trace can be analyzed on another computer.
No mouse cursor appears during a Configuration
Manager OSD task sequence

This article fixes an issue in which no mouse cursor appears during a Configuration Manager OS deployment
(OSD) task sequence.
Symptoms
You're running a Configuration Manager OSD task sequence that deploys Windows 10. During the Setup
Windows and ConfigMgr task, the device restarts out of Windows PE and into the newly installed Windows
system. If you then open a Command Prompt window by pressing F8, no mouse cursor appears. This issue
continues to occur for the rest of the task sequence. After the task sequence finishes, the mouse cursor appears.
Cause
This issue is caused by a design change in Windows 10 in which the mouse cursor is suppressed during
Windows Setup. Because Configuration Manager OSD task sequences run entirely within Windows Setup in the
newly installed Windows system, the mouse cursor is suppressed during this phase of the task sequence.
Resolution
To resolve this issue, change the policy that suppresses the mouse cursor during Windows Setup by default. This
is easily accomplished by changing the registry key value that's associated with the policy. The registry key value
is located in the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
VA L UE N A M E VA L UE T Y P E VA L UES
EnableCursorSuppression REG_DWORD 1 = Enabled: Mouse cursor is

suppressed (default)
0 = Disabled: Mouse cursor is not

suppressed
To make sure that the mouse cursor is available throughout the task sequence, set this registry key during the
Windows PE portion of the task sequence to the offline Windows system. This can be done at any point between
the Apply Operating System and Setup Windows and ConfigMgr tasks.
To make this change, use the following method to manually set the task sequence:
1. In the Configuration Manager console under Software Librar y > Operating Systems > Task
Sequences , navigate to the affected task sequence.
2. Right-click the affected task sequence, and select Edit .
3. In the affected task sequence, select the Apply Operating System task.
4. Add a new group immediately after the Apply Operating System task. To do this, open the Add menu,
and select New Group .
5. Select the newly created group, and rename it to Correct Missing Mouse Cursor .
**
6. Under the Correct Missing Mouse Cursor group, add a Run Command Line task. To do this, open
the Add menu, and then select General > Run Command Line .
7. Select the newly created Run Command Line task, and specify the following values:
Name: Load Registr y SOFTWARE Hive
Command line command:
reg.exe load HKLM\Temp %OSDTargetSystemDrive%\Windows\system32\config\software
8. Immediately after the Load Registr y SOFTWARE Hive task, add another Run Command Line task.
To do this, open the Add menu, and select General > Run Command Line .
Name: Disable Suppressed Mouse Cursor
reg.exe add "HKLM\Temp\Microsoft\Windows\CurrentVersion\Policies\System" /v
EnableCursorSuppression /t REG_DWORD /d 0 /f
10. Immediately after the Disable Suppressed Mouse Cursor task, add another Run Command Line
task. To do this, open the Add menu, and select General > Run Command Line .
Name: Unmount Registr y SOFTWARE Hive
reg.exe unload HKLM\Temp
12. Select the last task in the task sequence.
The last task in the task sequence may differ from the one that's shown in the screenshot.
13. Add a Run Command Line task. To do this, open the Add menu, and then select General > Run
Command Line . This should add the Run Command Line task as the last task in the task sequence.
14. Select the newly created Run Command Line task and specify the following values:
Name: Reset Mouse Suppression to Default
Command Line:
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v
EnableCursorSuppression /t REG_DWORD /d 1 /f
15. Select the OK or Apply button to save the task sequence.

NOTE
For step 13, the last task that's selected does not necessarily have to be the absolute last task in the task sequence.
However, it should be located toward the end of the task sequence.
For MDT task sequences, steps 13-15 should be performed two times: One time at the end of the State Restore
group, and again at the end of the Gather Logs and StateStore on Failure group. Additionally, on the Options
tab of the the Reset Mouse Suppression to Default task that's added to the end of the Gather Logs and
StateStore on Failure group, the Continue on error option should be selected.
Steps 12-14 restore the EnableCursorSuppression policy to its default value in Windows. Although it's not required
for the solution to work, we recommend that you reset the EnableCursorSuppression policy to its default value. This
will make sure that there are no unusual consequences in Windows after the task sequence finishes changing the
policy from its default value.
OSDResults doesn't display applications installed by
a UDI task sequence in Configuration Manager
This article fixes an issue in which applications installed by a Configuration Manager User-Driven Installation
(UDI) task sequence aren't displayed in the Deployment Complete dialog box.
Symptoms
You create a Microsoft Deployment Toolkit (MDT) integrated UDI task sequence in Configuration Manager
current branch version 1806 or a later version. In the task sequence, users can select the applications to install at
deployment time. After the task sequence runs, OSDResults doesn't display the packages or applications that
were installed by the UDI wizard.
When this issue occurs, the following error messages are logged in SMSTS.log:
TSManager Executing command line: smsswd.exe /run: cscript.exe //nologo

"%deployroot%\Scripts\OSD_BaseVariables.vbs"
InstallSoftware ===================== [ smsswd.exe ] =======================
InstallSoftware PackageID = ''
InstallSoftware BaseVar = '', ContinueOnError=''
InstallSoftware ProgramName is logged, to ensure it not shown in log set 'OSDDoNotLogCommand' task
sequence variable to 'True'
InstallSoftware ProgramName = 'cscript.exe //nologo
"C:\_SMSTaskSequence\WDPackage\Scripts\OSD_BaseVariables.vbs"'
InstallSoftware SwdAction = '0001'
InstallSoftware Command line for extension .exe is "%1" %*
InstallSoftware Set command line: Run command line
InstallSoftware Working dir 'not set'
InstallSoftware Executing command line: Run command line
InstallSoftware Process completed with exit code 200
InstallSoftware --------------------------------
InstallSoftware Initializing Objects
InstallSoftware
InstallSoftware Extracting TS Base Variable
InstallSoftware
InstallSoftware Reading OSD variable: [_SMSTSTaskSequence]
InstallSoftware Loading XML from variable string content...
InstallSoftware Using XPATH to query for [BaseVariableName]
InstallSoftware Failed to read XPATH query value, or value is empty.
InstallSoftware Exiting with [200]
InstallSoftware Command line cscript.exe //nologo
"C:\_SMSTaskSequence\WDPackage\Scripts\OSD_BaseVariables.vbs" returned 200
TSManager !------------------------------------------------------------------!
TSManager Failed to run the action: Parse Base Variable.
The code segment cannot be greater than or equal to 64K. (Error: 000000C8; Source: Windows)
Cause
This issue occurs under one of the following conditions:
In the task sequence, the dynamic Install Application step runs before the dynamic Install Package
step.
The dynamic Install Package step must run before the dynamic Install Application step.
In the task sequence, a static Install Package or static Install Application step runs before the dynamic
Install Package and dynamic Install Application steps.
All static Install Package and static Install Application steps must run after the dynamic Install
Package and dynamic Install Application steps.
When the tasks in the task sequence aren't run in the proper order, the OSD_BaseVariables.vbs MDT script can't
populate the necessary registry values. The script runs during the Parse Base Variables action and is
responsible for populating registry values that are used by OSDResults. The script parses the task sequence XML
in a predefined order looking for the base variables in the dynamic Install Package and dynamic Install
Application steps. When either of the conditions occur, OSD_BaseVariables.vbs can't read the base variables
correctly.
NOTE
In the MDT UDI task sequence, the dynamic Install Package step is displayed as Install Software .
A dynamic Install Package or dynamic Install Application step installs packages or applications by using a dynamic
variable list. Otherwise, we call it a static Install Package or static Install Application step.
Resolution
To fix the issue, in the task sequence:
1. Make sure that the dynamic Install Package (displayed as Install Software ) step is placed before the
dynamic Install Application step.
2. Make sure that all static Install Package and static Install Application steps are placed after the dynamic
Install Package (displayed as Install Software ) and dynamic Install Application steps.
NOTE
By default, the dynamic Install Application step is under the Install Applications group. When you change the
order of the steps, don't remove the dynamic Install Application step from the group, and make sure that the
original order of steps in the group is preserved.
Also, make sure that the Install Applications group is placed after the dynamic Install Package (displayed as
Install Software ) step, but before any static Install Package or static Install Application steps.
Sending with winhttp failed 80072f8f error in
Smsts.log during OS deployment by using bootable
or prestaged media
This article helps you fix an issue in which the Task Sequence Wizard returns error 80004005 and Smsts.log logs
the Sending with winhttp failed; 80072f8f error during an OS deployment that uses bootable or prestaged
media.
Symptoms
You create bootable media or prestaged media in Configuration Manager. When the media is used to start the
destination computer, the Task Sequence Wizard gets stuck at the Retrieving policy for this computer step
for about 90 seconds, then returns the following error message:
Failed to Run Task Sequence

An error occurred while retrieving policy for this computer (0x80004005). For more information, contact
your system administrator or helpdesk operator.
The following error messages are logged in X:\Windows\Temp\SMSTSLog\smsts.log on the computer when the
task sequence engine first tries to contact the management point to sync the time information:
TSMBootstrap Current time info:

TSMBootstrap Getting MP time information
TSMBootstrap Requesting client identity
TSMBootstrap Setting the authenticator.
TSMBootstrap CLibSMSMessageWinHttpTransport::Send: WinHttpOpenRequest - URL: <MP>:443
CCM_POST /ccm_system_AltAuth/request
TSMBootstrap SSL, using authenticator in request.
TSMBootstrap In SSL, but with no client cert.
TSMBootstrap [TSMESSAGING] AsyncCallback():
-----------------------------------------------------------------
TSMBootstrap [TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE
Encountered
TSMBootstrap [TSMESSAGING] : dwStatusInformationLength is 4
TSMBootstrap [TSMESSAGING] : *lpvStatusInformation is 0x8
TSMBootstrap [TSMESSAGING] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set
-----------------------------------------------------------------
TSMBootstrap Error. Received 0x80072f8f from WinHttpSendRequest.
TSMBootstrap Sending with winhttp failed; 80072f8f. retrying.
TSMBootstrap Retrying and Ignoring date security failures.
-----------------------------------------------------------------
TSMBootstrap [TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE
Encountered
TSMBootstrap [TSMESSAGING] : dwStatusInformationLength is 4
TSMBootstrap [TSMESSAGING] : *lpvStatusInformation is 0x8
TSMBootstrap [TSMESSAGING] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set
-----------------------------------------------------------------
TSMBootstrap hr, HRESULT=80072f8f
TSMBootstrap Sending with winhttp failed; 80072f8f
After the initial error, the task sequence engine tries an additional four times to contact the management point,
and experiences an increasing pause between each attempt. However, all attempts fail and return the same error
messages before some final error messages are returned, as follows:
If the media is configured as dynamic media, the following final error messages are logged in Smsts.log:
TSMBootstrap Send (pReply, nReplySize), HRESULT=80072f8f

TSMBootstrap failed to send the request
TSMBootstrap DoRequest (sReply, true), HRESULT=80072f8f
TSMBootstrap Failed to get client identity (80072f8f)
TSMBootstrap ClientIdentity.RequestClientIdentity (), HRESULT=80072f8f
TSMBootstrap failed to request for client
TSMBootstrap SyncTimeWithMP() failed. 80072f8f.
TSMBootstrap Failed to get time information from MP: https://<MP> .
TSMBootstrap MpCnt > 0, HRESULT=80004005
TSMBootstrap QueryMPLocator: no valid MP locations are received
TSMBootstrap TSMBootstrapUtil::QueryMPLocator ( true, sSMSTSLocationMPs.c_str(),
sMediaPfx.c_str(), sMediaGuid.c_str(), sAuthenticator.c_str(), sEnterpriseCert.c_str(),
sServerCerts.c_str(), nHttpPort, nHttpsPort, bUseCRL, m_bWinPE, httpS, http, accessibleMpCnt),
HRESULT=80004005
TSMBootstrap Failed to query Management Point locator
TSMBootstrap Exiting TSMediaWizardControl::GetPolicy.
TSMBootstrap pWelcomePage->m_pTSMediaWizardControl->GetPolicy(), HRESULT=80004005
TSMBootstrap Setting wizard error: An error occurred while retrieving policy for this computer
(0x80004005). For more information, contact your system administrator or helpdesk operator.
If the media is configured as site-based, the following final error messages are logged in Smsts.log:
TSMBootstrap Send (pReply, nReplySize), HRESULT=80072f8f

TSMBootstrap failed to send the request
TSMBootstrap DoRequest (sReply, true), HRESULT=80072f8f
TSMBootstrap Failed to get client identity (80072f8f)
TSMBootstrap ClientIdentity.RequestClientIdentity (), HRESULT=80072f8f
TSMBootstrap failed to request for client
TSMBootstrap SyncTimeWithMP() failed. 80072f8f.
TSMBootstrap Failed to get time information from MP: https://<MP> .
TSMBootstrap sMP.length() > 0, HRESULT=80004005
TSMBootstrap TSMBootstrapUtil::SelectMP ( sSMSTSMP.c_str(), sMediaPfx.c_str(), sMediaGuid.c_str(),
sAuthenticator.c_str(), sEnterpriseCert.c_str(), sServerCerts.c_str(), nHttpPort, nHttpsPort, bUseCRL,
m_bWinPE, sSiteCode, sAssignedSiteCode, sMP, sCertificates, sX86UnknownMachineGUID,
sX64UnknownMachineGUID), HRESULT=80004005
TSMBootstrap Failed to select MP
TSMBootstrap Exiting TSMediaWizardControl::GetPolicy.
TSMBootstrap pWelcomePage->m_pTSMediaWizardControl->GetPolicy(), HRESULT=80004005
TSMBootstrap Setting wizard error: An error occurred while retrieving policy for this computer
(0x80004005). For more information, contact your system administrator or helpdesk operator.
The following detail information applies to error 80072F8F:
Error Code: 0x80072F8F (2147954575)

Error Name: WININET_E_DECODING_FAILED
Error Message: Content decoding has failed
Cause
This issue occurs if the following conditions are true:
You use PKI in your Configuration Manager environment.
You create the bootable media or prestaged media at the central administration site.
You configure your management points to use HTTPS.
If you use PKI in your Configuration Manager environment, the root certificate authority (CA) is specified at the
primary site but not at the central administration site. Because the central administration site doesn't have the
root CA information, the created media doesn't contain the root CA information. Therefore, requests that are
sent to an HTTPS-enabled management point fail without the root CA information.
Resolution
To fix the issue, create the bootable media or prestaged media at a primary site instead of at the central
administration site.
More information
For media that will be used across multiple sites, configure the media as dynamic media. You can create dynamic
media at any site. You are not limited to creating it at the central administration site.
A task sequence is slow if the client in the media or
in the boot image is earlier than the site version
This article provides a solution for the issue that task sequence execution is slow if the Configuration Manager
client in the media or in the boot image is earlier than the site version.
Symptoms
You have a Configuration Manager current branch version 1810 or a later environment.
You have production clients on a version of Configuration Manager earlier than version 1810.
When you use PXE boot or task sequence media to install the Windows operating system, you may see
significant delays in the overall runtime for the task sequence.
You have an HTTPS hierarchy.
In this scenario, when you examine the smsts.log file, you receive this error message:
Setting Media Certificate.

CLibSMSMessageWinHttpTransport::Send: WinHttpOpenRequest - URL: DPServerFQDN:443 PROPFIND
/CCMTOKENAUTH_SMS_DP_SMSPKG$/PKGID
401 - Unsuccessful with anonymous access. Retrying with context credentials.
SendResourceRequest() failed. 80190191
Cause
This issue occurs because of a new token feature that is automatically activated in Configuration Manager
current branch version 1810 and later versions.
If the client has an older version installed, it won't have code to decode the token and will fail on calling
CCMTOKENAUTH_SMS_DP_SMSPKG$ .
Clients eventually will fall back to NOCERT_SMS_DP_SMSPKG$ after several retries.

For each package, this delay can cause around 1 to 4 minutes additional time, so the total time that's spent on
the task sequence execution will be larger.
Resolution for PXE boot

1. Update the client at the Setup Windows and Configuration Manager tasks to the version 1810 client.
If you use the default Configuration Manager client package, make sure the client is promoted to the
latest version.
2. Update the boot image by updating it on the Configuration Manager distribution point and make sure
the version is greater than or equal to Configuration Manager, version 1810.
Resolution for Media boot
1. Update the client at the Setup Windows and Configuration Manager tasks to the version 1810 client.
If you use the default Configuration Manager client package, make sure the client is promoted to the
latest version.
2. Update the boot image by updating it on the Configuration Manager distribution point and make sure
the version is greater than or equal to Configuration Manager, version 1810.
3. Update the boot media so that it contains the updated boot image.
Task sequence fails in Configuration Manager if
software updates require multiple restarts
This article provides the information to solve the issue that the Task Sequence environment not found error
occurs when using a Configuration Manager task sequence.
Summary
The issue is fixed in Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack 2 and
System Center 2012 R2 Configuration Manager Service Pack 1, and in Configuration Manager current branch
version 1602.
A new optional task sequence variable, SMSTSWaitForSecondReboot , is available to better control client behavior
when a software update installation requires two restarts.
For more information, see the Software updates management/operating system deployment section in
Description of Cumulative Update 3 for Configuration Manager.
For Configuration Manager current branch, see Task sequence variables.
Symptoms
Assume that a Configuration Manager task sequence that uses the Install Software Updates step installs a
software update that triggers multiple restarts after the task sequence successfully runs the Install Software
Updates task. In this situation, the task sequence can fail and generate the following error message:
Task Sequence environment not found
NOTE
You can avoid this issue in Configuration Manager by using the new Retr y option in the Install Software Updates task
sequence step.
Cause
The first restart that is initiated by the software update is controlled by the task sequence. However, the second
restart request is initiated by a Windows component (typically, Component-Based Servicing) and is not
controlled by the task sequence. Therefore, the task sequence execution state is not saved before the restart
because the second restart is not controlled by the task sequence. When the task sequence resumes after the
second restart, no state is available to continue successfully.
Resolution
To resolve this issue, we recommend that you apply any updates that require dual restarts by using the usual
software updates feature of Configuration Manager instead of using task sequences. The following software
updates were reported to require multiple restarts.
3126446 MS16-017: Description of the security update for Remote Desktop display driver: February 9, 2016
3096053 September 2015 servicing stack update for Windows 8 and Windows Server 2012
3075222 MS15-082: Description of the security update for RDP in Windows: August 11, 2015
3067904 MS15-082: Description of the security update for Windows RDP: July 14, 2015
3069762 MS15-067: Description of the security update for Windows RDP: July 14, 2015
3003729 April 2015 servicing stack update for Windows 8 and Windows Server 2012
3035017 MS15-030: Description of the security update for Remote Desktop protocol: March 10, 2015
3039976 MS15-030: Vulnerability in Remote Desktop protocol could allow denial of service: March 10, 2015
3036493 MS15-030: Description of the security update for Remote Desktop protocol: March 10, 2015
3003743 MS14-074: Vulnerability in Remote Desktop Protocol could allow security feature bypass:
November 11, 2014
2984976 RDP 8.0 update for restricted administration on Windows 7 or Windows Server 2008 R2
2981685 Security updates cannot be installed if BitLocker is not installed on your computer
2966034 Description of the security update for Remote Desktop Security Release for Windows 8.1 systems
that do not have the 2919355 update installed: June 10, 2014
2965788 MS14-030: Description of the security update for Remote Desktop Security Release for Windows:
June 10, 2014
2920189 Description of the update rollup of revoked noncompliant UEFI modules: May 13, 2014
2862330 MS13-081: Description of the security update for USB drivers: October 8, 2013
2871777 A servicing stack update is available for Windows RT, Windows 8, and Windows Server 2012:
September 2013
2871690 Microsoft security advisory: Update to revoke noncompliant UEFI boot loader modules
2821895 A servicing stack update is available for Windows RT and Windows 8: June 2013
2771431 A servicing stack update is available for Windows 8 and Windows Server 2012
2545698 Text in some core fonts appears blurred in Internet Explorer 9 on a computer that is running
Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
2529073 Binary files in some USB drivers are not updated after you install Windows 7 SP1 or Windows
Server 2008 R2 SP1
More information
Because this second restart is not controlled by the task sequence, no execution state is saved before the restart.
When the task sequence resumes after the restart, no state is available to continue successfully. Additionally, the
following message may be logged to the Smsts.log file when you experience this issue:
!sVolumeID.empty(), HRESULT=80004005
!sTSMDataPath.empty(), HRESULT=80070002
TS::Utility::GetTSMDataPath( sDataDir ), HRESULT=80070002
Failed to set log directory. Some execution history may be lost.
The system cannot find the file specified. (Error: 80070002; Source: Windows)
Executing task sequence
!sVolumeID.empty(), HRESULT=80004005
!sTSMDataPath.empty(), HRESULT=80070002
Task Sequence environment not found
Also, clients that are running release versions that are earlier than Microsoft System Center 2012 Configuration
Manager Service Pack 1 may contain the following log entry:
Task sequence completed in Windows PE.
The client computer may also be stuck in provisioning mode after the task sequence fails. To determine whether
the computer is in provisioning mode, check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\CcmExec registry
subkey.
ProvisioningMode should be set to false . If it is set to true , use one of the following methods to take the client
out of provisioning mode:
Use the Windows Management Instrumentation (WMI) method SetClientProvisioningMode to take the
client out of provisioning mode correctly. The easiest way to do this is to run the following Windows
PowerShell command:
Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name SetClientProvisioningMode -ArgumentList

$false
Or, run the following command at an elevated command prompt:
powershell Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name SetClientProvisioningMode -

ArgumentList $false
Reinstall the client.
IMPORTANT
Do not try to fix the client by changing the value of ProvisioningMode to false . This action will not fully take the client
out of provisioning mode.
Configuration Manager OSD task sequence fails
with error code 80070005
This article fixes an issue in which an OSD task sequence fails during the Setup Windows and ConfigMgr
step.
Symptoms
A Configuration Manager OSD task sequence fails during the Setup Windows and ConfigMgr step when the
step still runs in Windows PE.
The following error messages are logged in the X:\windows\temp\smstslog\smsts.log file:
OSDSetupWindows Installing hook to 'C:\WINDOWS'

OSDSetupWindows Command line for extension .EXE is "%1" %*
OSDSetupWindows Set command line: "X:\sms\bin\x64\OSDSETUPHOOK.EXE" "/install:C:\WINDOWS"
/version:10.0
OSDSetupWindows Executing command line: "X:\sms\bin\x64\OSDSETUPHOOK.EXE"
"/install:C:\WINDOWS" /version:10.0
OSDSetupHook Installing OSD setup hook
OSDSetupHook !shCmdFile.null(), HRESULT=80070005 (..\vistasetuphook.cpp,96)
OSDSetupHook Failed to install the setup hook. Permissions on the requested may be configured incorrectly.
Access is denied. (Error: 80070005; Source: Windows)
OSDSetupHook pHook->install(sWindowsDir), HRESULT=80070005 (..\osdsetuphook.cpp,385)
OSDSetupHook Failed to install OSD setup hook (0x80070005)
OSDSetupWindows Process completed with exit code 2147942405
OSDSetupWindows exitCode, HRESULT=80070005 (setupwindows.cpp,785)
OSDSetupWindows Install setup hook failed with error code (80070005).
OSDSetupWindows this->installSetupHook(), HRESULT=80070005 (setupwindows.cpp,452)
OSDSetupWindows Failed to install setup hook (80070005)
OSDSetupWindows setup.run(), HRESULT=80070005 (setupwindows.cpp,1650)
OSDSetupWindows Exiting with code 0x80070005
TSManager !-----------------------------------------------------------------------!
TSManager Failed to run the action: Setup Windows and ConfigMgr. Permissions on the requested may be
configured incorrectly.
Access is denied. (Error: 80070005; Source: Windows)
Here's the detail information about error code 80070005 (2147942405):
Error Code: 0x80070005 (2147942405)

Error Name: E_ACCESSDENIED
Error Message: General access denied error
Cause
This issue occurs if a custom SetupComplete.cmd file is specified. OSD task sequences use the
SetupComplete.cmd file to continue the task sequence after Windows Setup finishes. If a custom
SetupComplete.cmd file is specified, the task sequence can't install its own SetupComplete.cmd file. And it
returns the Access is denied error. So custom SetupComplete.cmd files aren't allowed with Configuration
Manager OSD task sequences.
A custom SetupComplete.cmd file may be specified in one of the following ways:
It's copied to the appropriate location in a task (usually a Run Command Line task) between the Apply
Operating System and Setup Windows and ConfigMgr tasks. Below is an example of the command
line in a Run Command Line task:
cmd.exe /c copy SetupComplete.cmd %OSDTargetSystemDrive%\Windows\Setup\Scripts
It's included as part of a custom OS WIM file.

The SetupComplete.cmd file is located in the %WINDIR%\Setup\Scripts folder, in either the offline OS or the OS
WIM image.
For more information about the SetupComplete.cmd file, see Add a Custom Script to Windows Setup.
Resolution
To fix this issue, remove the custom SetupComplete.cmd file. In most cases, any actions being taken in the
custom SetupComplete.cmd file can instead be moved as tasks in the task sequence.
Depending on how the custom SetupComplete.cmd file is specified, use one of the following methods to
remove the file:
If it's specified in a Run Command Line task between the Apply Operating System and Setup
Windows and ConfigMgr tasks, remove the Run Command Line task from the task sequence.
If it's part of a custom OS image, add a Run Command Line task between the Apply Operating
System and Setup Windows and ConfigMgr tasks. In the command line of the Run Command Line
task, enter the following command to delete the custom SetupComplete.cmd file:
cmd.exe /c del SetupComplete.cmd %OSDTargetSystemDrive%\Windows\Setup\Scripts /F /Q
Task sequence fails when using stand-alone media in
This article helps you resolve a problem in which task sequence fails to install applications with error
0x87d01004 when using a stand-alone media in System Center 2012 Configuration Manager.
Symptoms
In System Center 2012 Configuration Manager, task sequence execution fails when using a stand-alone media
(USB flash drive or CD/DVD). The task sequence fails to install applications, and the SMSTS.log contains an error
similar to the following:
Failed to invoke Execution Manager to Install Software for PackageID='CAS0002C' ProgramID='setup'

AdvertID='{00A2B6FB-8E61-47B6-9702-BBDEAD7FBE8A}'hr=0x87d01004
Items in italics above are based on the environment so will not be consistent but the hr code (in bold) will be.
Cause
This problem occurs because the Software Distribution Agent isn't enabled since the client hasn't yet received
policy.
Resolution
To resolve the issue and enable the Software Distribution Agent, add the following Run Command Line step
earlier in the task sequence, before any Install Package steps:
WMIC /namespace:\\root\ccm\policy\machine\requestedconfig path ccm_SoftwareDistributionClientConfig CREATE
ComponentName="Enable SWDist", Enabled="true", LockSettings="TRUE", PolicySource="local",
PolicyVersion="1.0", SiteSettingsKey="1" /NOINTERACTIVE
Configuration Manager task sequence doesn't
continue after an in-place upgrade to Windows 10
This article fixes an issue in which the task sequence in Configuration Manager doesn't continue after an in-
place upgrade from Window 7 or Windows 8.1 to Windows 10.
Symptoms
You run the Windows 10 in-place upgrade task sequence in Configuration Manager to upgrade the operating
system on the computer. If you upgrade from Windows 7 or Windows 8.1 to Windows 10, the task sequence
doesn't continue after the in-place upgrade completes. Additionally, when you examine the smsts.log file, you
find the following entries logged:
TSManager Start to compile TS policy

TSManager spPolicyNamespace.Open(pszNamespace, true), HRESULT=8004100e (..\utils.cpp,3450)
TSManager Failed to open WMI Namespace 'root\ccm\policy\defaultmachine\requestedconfig'. WMI
Repository may be corrupted
Invalid namespace (Error: 8004100E; Source: WMI)
TSManager End TS policy compilation
TSManager CompileXMLPolicy(c_szRequestedConfigNS, sPolicyID, sPolicyVersion, c_szTSPolicySource,
sPolicyRuleID, sPolicyData), HRESULT=8004100e (..\utils.cpp,3680)
TSManager CompilePolicy(sPolicyXml, sInstanceList), HRESULT=8004100e (..\utils.cpp,3710)
TSManager TS::Utility::CompileConfigPolicyEx(m_bNoSMSClient || m_bInWinPE || STADALONE_MODE ==
m_StartupMode || bProvMode), HRESULT=8004100e (tsmanager.cpp,1568)
TSManager Error compiling client config policies. code 8004100E
TSManager Task Sequence Manager could not initialize Task Sequence Environment. code 8004100E
TSManager hr = InitializeEnvironment(), HRESULT=8004100e (tsmanager.cpp,1244)
TSManager Task sequence execution failed with error code 8004100E
Cause
This issue can occur if Windows Management Framework (WMF) 5.1 was already installed on the OS (Windows
7 or Windows 8.1) when the in-place upgrade task sequence started.
WMF 5.1 installs a Windows 10 version of the WMIMigrationPlugin.dll file in the
C:\Windows\System32\migration directory. This DLL is responsible for migrating the WMI repository during the
in-place upgrade. However, the Windows 10 version of the WMIMigrationPlugin.dll file is incompatible with
Windows 7 and Windows 8.1. Therefore, the migration of the WMI repository fails during the in-place upgrade.
This results in the WMI repository becoming corrupted, and the task sequence can't continue in the new
(Windows 10) OS.
Resolution
This issue is fixed by the latest Windows 7 cumulative update. If the latest Windows 7 cumulative update is
installed after WMF 5.1 is installed, the cumulative update correctly replaces WMIMigrationPlugin.dll with a
Windows 7-compatible version. However, if WMF 5.1 is installed after the last Windows 7 cumulative update is
installed, the issue will still occur. The issue will then get corrected when the next Windows 7 cumulative update
is installed.
IMPORTANT
There is currently no fix for this issue in the Windows 8.1 cumulative updates.
For Windows 7 scenarios where WMF 5.1 was installed after the last cumulative update and for all Windows 8.1
scenarios, or just to make sure that a correct version of WMIMigrationPlugin.dll is installed before you run an
in-place upgrade in Windows 7 or Windows 8.1, tasks can be added to the task sequence to remediate the issue.
A download of the exported task sequence that contains the steps that should be added to the in-place upgrade
task sequence in Configuration Manager is available.
Download the WMF Fix Exported Task Sequence now
For information about how to download Microsoft support files, see How to obtain Microsoft support files from
online services.
After the task sequence is downloaded, import the WMF Fix - Win7 x64 & Win8.1 x64 (1).zip file into your
Configuration Manager environment. Copy the steps from the converted task sequence, and then paste the
steps immediately above the Upgrade Operating System task in your in-place upgrade task sequence.
For more information about how to import task sequences, see Process to import task sequences.
IMPORTANT
These steps only prevent the issue on devices going forward. These steps don't fix any devices that have experienced this
issue. For devices that have experienced this issue, we recommend that you completely reimage the device to fix the WMI
corruption.
Virus scan claim

Microsoft scanned this file for viruses, using the most current virus-detection software that was available on the
date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized
changes to it.
An OSD task sequence doesn't continue after
Windows Setup or an in-place upgrade finishes
Original product version: Configuration Manager (current branch), System Center Configuration Manager
2012 R2
This article fixes an issue in which a task sequence doesn't continue after Windows Setup or an in-place upgrade
finishes if an OEM product key is used during Windows deployment.
Symptoms
When you run an OS deployment task sequence in Configuration Manager, you experience the following issues:
A Refresh or New Computer task sequence doesn't continue after Windows Setup finishes during the
Setup Windows and ConfigMgr step.
The following entry is logged in the %windir%\panther\unattendGC\Setupact.log file:
[windeploy.exe] OEM license detected, will not run SetupComplete.cmd
An In-Place Upgrade task sequence doesn't continue after the in-place upgrade finishes during the
Upgrade Operating System step.
The following is logged in the %windir%\panther\unattendGC\Setupact.log file:
[windeploy.exe] Client OS detected: 1

[windeploy.exe] OEM Licensing detected: 1
[windeploy.exe] EnterpriseS or Enterprise or EnterpriseSN or EnterpriseN edition detected: 0
[windeploy.exe] Client OS edition and OEM license detected and no enterprise edition detected, will
not run SetupComplete.cmd
[windeploy.exe] Not allowed to run the Setupcomplete.cmd, will not run SetupComplete.cmd
These issues usually occur when you deploy a nonenterprise edition of Windows, such as Windows Professional
edition, Windows Embedded, or Windows IoT.
Cause
These issues occur because an OEM product key is used during Windows deployment. When an OEM product
key is used, Setupcomplete.cmd is disabled. This behavior occurs in both Windows 8.1 and Windows 10. See
the following information from Windows Deployment Issues:
[September 2012] Changes in Out-Of-Box (OOBE) Experience
Oobe.cmd and Setupcomplete.cmd are disabled if an OEM product key is used. This is to ensure that
end-users reach Star t as quickly as possible. If you have any tools or services that use this infrastructure,
these must be changed to tasks that occur after the OOBE.
SetupComplete.cmd is a custom script that runs during or after the Windows Setup process. It contains
commands to restart the Configuration Manager task sequence after Windows Setup finishes. When
SetupComplete.cmd is disabled, the task sequence can't continue after Windows Setup finishes.
Resolution
To fix the issue, specify the KMS client setup keys in the locations where the OEM product key is specified for the
version of Windows that you want to deploy. For example, specify the KMS client setup key in the Apply
Windows Settings or the Upgrade Operating System step.
If the OEM product key must be used, follow these steps in addition to specifying the KMS client setup key:
1. Add a Run Command Line step after the Setup Windows and ConfigMgr step in a Refresh or New
Computer task sequence, or after the Upgrade Operating System step in an In-Place Upgrade task
sequence.
2. In the Run Command Line step, use changepk.exe or slmgr.vbs to specify the OEM key in Command line .
If the OEM key in the BIOS or firmware of the device must be used, run the following PowerShell command to
get the key:
Get-CIMInstance SoftwareLicensingService | Select -ExpandProperty OA3xOriginalProductKey
OEM product key locations

The OEM product key can be specified in the following locations:
In a Refresh or New Computer task sequence:
In the Apply Windows Settings step.
In a custom answer file (Unattend.xml). This file is usually specified in the Apply Operating System
step.
Through variables such as OSDProductKey or ProductKey (in an MDT-integrated task sequence).
In an In-Place Upgrade task sequence:
In the Upgrade Operating System step.
Through the OSDSetupAdditionalUpgradeOptions variable by using the /PKey command line option.
The OEM product key can also be obtained automatically by Windows Setup from the BIOS or firmware of the
device. In this case, the following entry is logged in the %windir%\panther\Setupact.log file:
MOUPG ProductKey: Product key found in Digital Marker.

MOUPG ProductKey: Validating Product Key for Image.
SPValidateProductKey: Calling PidGenX
MOUPG ProductKey: Product key using pkey edition = [Professional].
MOUPG ProductKey: Matching Install Wim For Exact Editions
MOUPG ProductKey: Matching Install Wim.
MOUPG ProductKey: Matched Professional with Professional
MOUPG ProductKey: Matching Install Wim: Found [1] matching images.
MOUPG ProductKey: Extracting Eula
MOUPG ProductKey: Product key was successfully validated.
MOUPG ProductKey: Product EditionID = Professional
MOUPG ProductKey: Product InstallChannel = OEM
MOUPG ProductKey: Eula = C:\$WINDOWS.~BT\Sources\Panther\<file>.tmp
MOUPG ProductKey: Valid product key found = [TRUE].
Debug deployment for a task sequence isn't
displayed in Configuration Manager
This article helps you resolve an issue where the debug deployment for a task sequence isn't displayed in
Symptoms
A non-debug deployment for a Configuration Manager task sequence is deployed to a device.
The device sees the non-debug deployment for the task sequence. This can be either in Software Center or
when starting up from PXE/media.
A new debug deployment for the same task sequence is deployed to the same device.
In this scenario, the debug deployment for the task sequence is not displayed. Instead, only the original non-
debug deployment for the task sequence is displayed.
Cause
This behavior is by design. Only one deployment for any individual task sequence can be seen on a device at
one time.
Typically, the oldest deployment is the one that is displayed. If the non-debug deployment for the task sequence
is created first, only that deployment is displayed. If the reverse occurs and the debug deployment is created
first, only the debug deployment is displayed.
Resolution
To resolve the issue, use one of the following methods:
In any collection that's the target of additional non-debug deployments for the task sequence, remove the
device that the debug deployment has to run on.
Create a copy of the task sequence that has to be debugged, and then target the copy to the device as a
debug deployment.
Set the variable TSDebugMode to TRUE on a collection that the device is a member of.
NOTE
This enables debug mode for all task sequences that are targeted to that collection and to all devices in that
collection.
Set the variable TSDebugMode to TRUE directly on the computer object for the device.
NOTE
This enables debug mode for all task sequences that are targeted to the device.
Delete any deployments for the task sequence that were created before the debug deployment for the
task sequence.
NOTE
This deletes any history for those deployments. If this action is not desired, use one of the other methods to
resolve the issue.
When you use one of the solutions that uses the TSDebugMode variable, you don't have to also create a debug
deployment for the task sequence that is targeted to the device. A non-debug deployment is sufficient.
More information
For more information about how to enable debugging for task sequences, see Debug a task sequence.
Troubleshoot the Install Application task sequence
step in Configuration Manager
This guide helps you understand the Install Application task sequence step and troubleshoot common
problems that may occur. This guide assumes that the Configuration Manager environment has already been
installed and configured.
The Install Application task sequence step installs applications as part of the overall task sequence. This step can
install a set of specified applications, or a set of applications that are specified by a dynamic list of task sequence
variables. When this step is run, the application installation begins immediately without waiting for a policy
polling interval.
Overview
The Install Application step described in this article covers a single application install task. It can also be used
to troubleshoot the installation of multiple applications based on a list.
When the Install Application step runs, the application checks the applicability of the requirement rules and
detection method on the deployment types of the application. Based on the results of this check, the application
installs the applicable deployment type. If a deployment type contains dependencies, the dependent deployment
type is evaluated and installed as part of the Install Application step.
NOTE
Application dependencies aren't supported for stand-alone media.
Step 1: Task Sequence Manager parses the task sequence XML and
begins the Install Application task
Application installations in a task sequence have a lot in common with application installations outside of a task
sequence. They both use Configuration Manager compliance settings. But they don't function exactly the same.
There are more components involved due to the nature of running a task sequence.
As the task sequence progresses, it maintains the status of tasks and the associated execution status using task
sequence environment variables. These built-in variables provide information about the environment where the
task sequence is running. The values for these variables are available throughout the whole task sequence.
These built-in variables are initialized before the Install Application step runs in the task sequence.
1. Task Sequence Manager sets the following global environment variables for the next instruction:
_SMSTSCurrentActionName to Install Application
_SMSTSNexInstructionPointer to the Instruction Pointer assigned to this task
The following entries are logged in SMSTS.log:
01-13-2016 17:56:35.510 TSManager 2176 (0x880) Start executing an instruction. Instructionname:

Install Application. Instruction pointer: 32
01-13-2016 17:56:35.510 TSManager 2176 (0x880) Set a global environment variable
_SMSTSCurrentActionName=Install Application
01-13-2016 17:56:35.510 TSManager 2176 (0x880) Set a global environment variable
_SMSTSNextInstructionPointer=32
2. Task Sequence Manager then saves the execution state of the task sequence and the environment
(TSEnv.dat) to the local hard disk, as seen in SMSTS.log:
01-13-2016 17:56:35.510 TSManager 2176 (0x880) Successfully save execution state and
environment to local hard disk
3. Task Sequence Manager starts the execution of the next instruction in the sequence, based on the
execution history of the previous instruction and the next instruction pointer:
01-13-2016 17:56:35.510 TSManager 2176 (0x880) Start executing an instruction. Instructionname:

Install Application. Instruction pointer: 32
4. Task Sequence Manager then sets local default variables for applications:
01-13-201617:56:35.510 TSManager 2176 (0x880) Set a local default variable OSDApp0Description

01-13-201617:56:35.510 TSManager 2176 (0x880) Set a local default variable
OSDApp0DisplayName
01-13-201617:56:35.510 TSManager 2176 (0x880) Set a local default variable OSDApp0Name
01-13-201617:56:35.510 TSManager 2176 (0x880) Set a local default variable OSDAppCount
01-13-201617:56:35.525 TSManager 2176 (0x880) Set a global environment variable
_SMSTSLogPath=C:\WINDOWS\CCM\Logs\SMSTSLog
5. Task Sequence Manager sets the command line for the application install (smsappinstall.exe) based on
the task sequence XML policy that it has parsed, and begins executing it by calling smsappinstall.exe. The
following entry is logged in SMSTS.log:
01-13-2016 17:56:35.525 TSManager 2176 (0x880) Executing command line:

smsappinstall.exe/app:ScopeId_GUID/Application_GUID/basevar: /continueOnError:False
At this point the Install Application task (smsappinstall.exe) begins to install the application, although the
command line to run the installation won't happen for some time yet. All the necessary information must be
acquired first.
Troubleshoot step 1
Based on the flow and execution of the task sequence, it's unlikely that a failure occurs during this step of the
Install Application process. At this point, Task Sequence Manager has successfully parsed the task sequence
XML and set an instruction pointer for the current task. Also, the policy for the task sequence is downloaded
when the task sequence begins. The results are returned to the task sequence. They are stored in the task
sequence environment using variables that are saved on disk as TSEnv.dat.
Here are some items to consider when investigating these issues. There may be an additional piece of
information uncovered that can be used for troubleshooting the error condition.
TIP
The policy body for the task sequence selected is downloaded from the database at the beginning of the task sequence
and stored within the Task Sequence Environment using variables.
MP_GetPolicywill log this activity. To find this request in the MP_GetPolicy log, search for the Deployment ID
or Task Sequence ID .
01-13-2016 17:32:54.579 MP_GetPolicy_ISAPI 12688 (0x3190) MP GP: Query String Before Decode:
MEH20009-MEH0000A-6F6BCC28.15_00
01-13-2016 17:32:54.579 MP_GetPolicy_ISAPI 12688 (0x3190) MP GP: ID : MEH20009-MEH0000A-
6F6BCC28
01-13-2016 17:32:54.579 MP_GetPolicy_ISAPI 12688 (0x3190) MP GP: Initializing request from client
GUID:ClientGUID.
The following stored procedure is executed to retrieve the policy body:

exec MP_GetPolicyBodyAfterAuthorization
The results of the policy body request are returned to the machine and saved in the task sequence environment
(TSEnv.dat). The policy body for the task sequence and all its dependent policies are stored using variables. Task
Sequence Manager will log a large portion of what it's reading from the environment.
Step 2: The Install Application component evaluates the task

sequence policy and stores it in WMI
During this step, the Install Application component evaluates the task sequence policy and stores it in WMI.
The application checks the applicability of the requirement rules and detection method on the deployment types
of the application. CIStore and CIStateStore are used to evaluate the applicability and state of the
Configuration Items (CIs) and the Configuration Data Content associated with the application and
deployment type. The result is that the CIs will be marked for download.
1. Install Application parses the command line and identifies the application name. The following entries
are logged in SMSTS.log:
01-13-2016 17:56:35.572 InstallApplication 1608 (0x648) Application Names:

01-13-2016 17:56:35.572 InstallApplication 1608 (0x648) 'ScopeId_GUID/Application_GUID'
2. Install Application sets variables for the application. The following entries are logged in SMSTS.log:
01-13-2016 17:56:35.666 InstallApplication 1608 (0x648) Setting TSEnv variable

'SMSTSAppPolicyEvaluationJobID__ScopeId_GUID/Application_GUID'=''
'SMSTSInstallApplicationJobID__ScopeId_GUID/Application_GUID'=''
3. It then looks for policy scope ID. The following entry is logged in SMSTS.log:
01-13-2016 17:56:35.666 InstallApplication 1608 (0x648) Retrieving value from TSEnv for
'_SMSTSPolicy_ScopeId_GUID/Application_GUID
4. Now it looks for and retrieves the value of the application policy from the task sequence environment
(TSEnv.dat). The following entry is logged in SMSTS.log:
01-13-2016 17:56:35.666 InstallApplication 1608 (0x648) Found App policy
modelname:ScopeId_GUID/RequiredApplication_GUID and CIversion:10
5. Install Application then decompresses the policy. The following entries are logged in SMSTS.log:
01-13-2016 17:56:35.666 InstallApplication 1608 (0x648) Found App policy

modelname:ScopeId_GUID/RequiredApplication_GUID and CIversion:10
01-13-2016 17:56:35.682 InstallApplication 1608 (0x648) ::DecompressBuffer(65536)
01-13-2016 17:56:35.682 InstallApplication 1608 (0x648) Decompression (zlib) succeeded: original
size 145382, uncompressed size 1238794.
6. The policies are stored in WMI by the Install Application component in the
root\ccm\policy\actualconfig namespace. The following entries are logged in SMSTS.log:
01-13-2016 17:56:36.119 InstallApplication 1608 (0x648) Locked ActualConfig successfully

01-13-2016 17:56:36.150 InstallApplication 1608 (0x648) New/Changed ActualConfig policy
instance(s) : 6
01-13-2016 17:56:36.150 InstallApplication 1608 (0x648) [1] Added/updated setting
'ccm_applicationciassignment:assignmentid=dep-meh20009-scopeid_GUID/application_GUID'.
'ccm_civersioninfo:modelname=scopeid_GUID/application_GUID:version=10'.
'ccm_civersioninfo:modelname=scopeid_GUID/deploymenttype_GUID:version=6'.
'ccm_civersioninfo:modelname=scopeid_GUID/requiredapplication_GUID:version=10'.
'ccm_civersioninfo:modelname=windows/all_windows_client_server:version=1'.
'ccm_scheduler_scheduledmessage:scheduledmessageid=dep-meh20009-
scopeid_GUID/application_GUID'.
01-13-2016 17:56:36.150 InstallApplication 1608 (0x648) Unlocked ActualConfig successfully
01-13-2016 17:56:36.150 InstallApplication 1608 (0x648) Raising event:
instance of CCM_PolicyAgent_SettingsEvaluationComplete
{
ClientID = "GUID:ClientGUID";
DateTime = "20160113225636.150000+000";
PolicyNamespace = " \\\\.\\root\\ccm\\policy\\machine\\actualconfig ";
ProcessID = 1392; ThreadID = 1608;
};
7. Policy Agent Provider then processes the change in the actualconfig policy namespace. The following
entries are logged in PolicyAgentProvider.log:
01-13-2016 17:56:36.150 PolicyAgentProvider 2424 (0x978) [000000B205C423A8] 1 settings

change(s) detected.
01-13-2016 17:56:36.182 PolicyAgentProvider 2424 (0x978) [000000B205C423A8] Queued worker
to process these 1 settings change(s)
01-13-2016 17:56:36.182 PolicyAgentProvider 2420 (0x974) --- Processing 1 settings change(s).
01-13-2016 17:56:36.182 PolicyAgentProvider 2420 (0x974) --- [1] __InstanceCreationEvent settings
change on object CCM_ApplicationCIAssignment.AssignmentID="DEP-MEH20009-
ScopeId_GUID/Application_GUID".
01-13-2016 17:56:36.182 PolicyAgentProvider 2420 (0x974) --- Begin Indicating 1 settings change(s).
01-13-2016 17:56:36.182 PolicyAgentProvider 2420 (0x974) --- Completed Indicating 1 settings
change(s).
8. DCMAgent processes the change and begins to evaluate the CIs for the application install. The following
entry is logged in DCMAgent.log:
01-13-2016 17:56:36.197 DCMAgent 2608 (0xa30) DCMAgent::ProcessAssignmentChange.
9. Policy Agent then updates the Configuration Item info in the CI Store. The following entries are logged in
CIStore.log:
01-13-2016 17:56:36.260 CIStore 2608 (0xa30) CCIStore::ProcessCITargetEvent -

CIScopeId_GUID/Application_GUID:10 will be targeted for SYSTEM
01-13-2016 17:56:36.275 CIStore 2608 (0xa30) CCIStore::ProcessCITargetEvent - CI
ScopeId_GUID/DeploymentType_GUID:6 will be targeted for SYSTEM
10. The state of the application CI is added for the download, then the states of any associated application
deployment type CIs are checked by the CIStateStore . Any CIs marked as not found are added for
download.
In CIStore.log:
01-13-2016 17:56:36.275 CIStore 2608 (0xa30) CCIStoreTargetedCIDownloader::AddCI - CI

Modelname:ScopeId_GUID/Application_GUID Version:10 has been added for download
In CIStateStore.log:
01-13-2016 17:56:36.322 CIStateStore 2608 (0xa30) CCIStateTransition::ExtractStateDetails - CI

ModelName ScopeId_GUID/DeploymentType_GUID, version 6 not found in store.
In CIStore.log:
01-13-2016 17:56:36.369 CIStore 2608 (0xa30) CCIStoreTargetedCIDownloader::AddCI - CI

Modelname:ScopeId_GUID/DeploymentType_GUID Version:6 has been added for download
Now the DCM agent will start its job to evaluate the application policies and begin acquiring the necessary
information from the database.
Troubleshoot step 2
This step is often where the error surfaces, but rarely where the error occurs. The Install Application
component is the top-level process for installing the application. Any error from the list of components it
invokes would roll back up to it. The actual cause of the failure is most likely in a subsequent step. The failure is
reported back to the Install Application task, which then returns a failure with a generic error code. Usually it's
the reason that most Install Application tasks return the following error:
InstallApplication 296 (0x128) App install failed.

InstallApplication 296 (0x128) Install application action failed: 'APP NAME HERE'. Error Code 0x80004005
Here's a list of the most common errors that are returned to the Install Application task:
FA IL URE T Y P E W H AT TO C H EC K
SMSTS.log shows one of the following errors: The error indicates that the machine can't communicate with
InstallApplication 2740 (0xab4) Policy Evaluation the management point (MP). Confirm whether you're using
failed, hr=0x87d00269 a custom website for the MP. If so, review How to Create the
Required management point not found (Error: Custom Website in Internet Information Services (IIS).
87D00269) Ensure that a copy of the default document (default.htm)
has been placed in the root folder that hosts the website.
Also ensure that HTTP redirection isn't enabled on the
default website.
SMSTS.log shows the following error: Ensure that you have the latest updates for Configuration
InstallApplication 3248 (0xcb0) Policy Evaluation failed, Manager installed.
hr=0x80004005
SMSTS.log shows the following error: Ensure that you've installed the latest version of ConfigMgr
Install Static Applications failed, hr=0x87d00267 2012 R2 SP1.
SMSTS.log shows the following error: Review KB3007095 and ensure that you're up to date.
Execution status received: 24 (Application download failed) Ensure that you have the latest updates for Configuration
Manager installed.
SMSTS.log shows the following error: Review CCMExec.log to confirm that SMS Agent Host is
Install application action failed: 'APP NAME HERE'. Error started without error.
Code 0x80004005'
Step 3: DCM Agent manages acquisition of the Configuration Items

from the site database
In the previous step, the CIs were marked for download. The DCM agent uses CI Agent to begin acquiring the
Configuration Items and Configuration Data Content (SDM package) from the database. The following
information is included:
Application Properties
Application Manifest
Deployment Type Properties
Deployment Type Manifest
Application Intent Policies for Compliance
The acquisition of this information doesn't happen all at once. The DCM agent uses the following client-side
components at different times to do this work:
CI Agent
CI Downloader
CIStore
Data Transfer Service
Content Transfer Manager
All of this information is requested from the database through the management point. The requests and
responses can be monitored by using the MP_GetSDMPackage.log file.
Full order of MP_GetSDMDocument execution and Data Transfer Service download for each App Install task:
1. App PROPERTIES: Results have basic App CI info. Name only.
2. App MANIFEST: Links Policy Platform CI Documents with the Application CI.
3. App Intent Policy: Desired State of the Application, required.
4. App MANIFEST again. Note the different HASH. This time the results have extended information, such as WMI
namespaces for the CI Manifests, App DT CI References.
5. App PROPERTIES again. Note the different HASH. This time the results include extended and custom
properties, Publisher, release date, icons, and so on.
6. App DT PROPERTIES. Results include description, estimated install time, post install behavior, and so on.
7. App DT MANIFEST. Results include extended information, WMI namespaces for the CI Manifests.
8. App policy. Results include Policy Platform MOF to be compiled client side with Desired State, App Properties,
and App DT Properties.
9. App DT Policy is compressed. Unable to decompress.
TIP
Each component involved in the process will create a job, with a Job ID that can be used to track the progress. DCM
Agent is always the first in the process. When you troubleshoot, note the Job ID for each component as you review the
logs. Then follow the Job ID.
Below is an example of the request and download of only the Application PROPERTIES and MANIFEST (steps 1
and 2 from above).
1. DCM Agent job ID. In DCMAgent.log:
01-13-201617:56:36.979 DCMAgent 1568(0x620) CDCMAgentJobMgr::StartJob - Starting DCM

Agent job{ID}
2. DCM Agent creates a job for CI Agent. In DCMAgent.log:
01-13-2016 17:56:37.088 DCMAgent 2768 (0xad0) DCMAgentJob({ID}):

CDCMAgent::InitiateCIAgentJob - Starting CI Agent Job {ID} for target: machine. Refer to this CI agent
job ID in ciagent.log for more details
3. CIDownloader creates a job. In CIDownloader.log:
01-13-2016 17:56:37.166 CIDownloader 2728 (0xaa8) CIDownloaderJob({ID}): SetFailureCondition -

Job will fail immediately on error
4. DCM Agent is tracking the progress via its own job. In DCMAgent.log:
01-13-2016 17:56:37.182 DCMAgent 2768 (0xad0) DCMAgentJob({ID}):

CDCMAgentJob::HandleEvent(Event=NotifyProgress, CurrentState=Evaluating)
5. CIDownloader calculates the scope of the CI, which starts a check of the CI Store. In CIDownloader.log:
01-13-2016 17:56:37.182 CIDownloader 2728 (0xaa8) [Calculate Scope] - Adding CI

Modelname:ScopeId_GUID/RequiredApplication_GUID Version:10 to Scoped CIs List of root
Modelname:ScopeId_GUID/RequiredApplication_GUID Version:10
In CIStore.log:
01-13-201617:56:37.182 CIStore 2728(0xaa8) CCIStore::GetTargetedCIReference invoked for

CIScopeId_GUID/RequiredApplication_GUID:10targeted to SYSTEM
6. The CI is queried in CI State Store and not found. In CIStateStore.log:
01-13-201617:56:37.197 CIStateStore 2728(0xaa8) CCIStateTransition::ExtractStateDetails -

CIModelNameScopeId_GUID/RequiredApplication_GUID,version 10 not found in store.
7. Since the CI isn't found, it's added to the CIDownloader job. In CIDownloader.log:
01-13-201617:56:37.213 CIDownloader 2728(0xaa8) CIDownloaderJob({ID}): CI with

ModelNameScopeId_GUID/RequiredApplication_GUID,Version 10. Model:(null) added to job.
8. CI Agent now starts the CIDownloader job to download the CIs. In CIAgent.log:
01-13-201617:56:37.229 CIAgent 2728(0xaa8) CIAgentJob({ID}):Started CIDownloadJob({ID})
9. The CIDownloader job transitions to the Downloading Packages phase and adds the source files for the
CIs to the request. At this point, Packages refers to the SDM package, not content (binaries). In
CIDownloader.log:
01-13-201617:56:37.229 CIDownloader 2728(0xaa8) CIDownloaderJob({ID}): DownloadPackages

01-13-201617:56:37.229 CIDownloader 2728(0xaa8) --Source file:.sms_dcm?
Id&DocumentId=ScopeId_GUID/RequiredApplication_GUID/10/MANIFEST&Hash=HashStri
ng&Compression=zlib
01-13-201617:56:37.229 CIDownloader 2728(0xaa8) --Source file:.sms_dcm?
Id&DocumentId=ScopeId_GUID/RequiredApplication_GUID/10/PROPERTIES&Hash=HashS
tring&Compression=zlib
10. CIDownloader calls into Data Transfer Service to request the manifest and properties for the application,
and the Application Deployment Type. In DataTransferService.log:
01-13-201617:56:37.275 DataTransferService 2728(0xaa8) Added(source=.sms_dcm?

Id&DocumentId=ScopeId_GUID/RequiredApplication_GUID/10/PROPERTIES&Hash=HashString&Co
mpression=zlib,dest={JobID}_2.zip)pair from manifest.
01-13-201617:56:37.275 DataTransferService 2728(0xaa8) Added(source=.sms_dcm?
Id&DocumentId=ScopeId_GUID/RequiredApplication_GUID/10/MANIFEST&Hash=HashString&Com
pression=zlib,dest={JobID}_1.zip)pair from manifest.
11. Data Transfer Service calls into the MP_GetSDMPacakge ISAPI on the management point, which in turn
requests the SDM package information from the database by triggering a SQL stored procedure. In SQL
Server Profiler:
exec MP_GetSdmDocument
N'ScopeId_GUID/RequiredApplication_GUID/10/PROPERTIES',N'HashString',N'1',N'1'
exec MP_GetSdmDocument
N'ScopeId_GUID/RequiredApplication_GUID/10/MANIFEST',N'HashString',N'1',N'1'
12. Data Transfer Service starts a Background Intelligence Service (BITS) job and adds the path to the job
once the response is received. And begins downloading the data. In DataTransferService.log:
01-13-201617:56:37.432 DataTransferService 2316(0x90c) Starting BITS job'{ID}' for DTS job'{ID}'

under user 'SID'.
01-13-201617:56:37.479 DataTransferService 2316(0x90c) BITSHelper: Full source path to be
transferred =
http://PS1.contoso.com:80/SMS_MP/.sms_dcm?
Id&DocumentId=ScopeId_GUID/RequiredApplication_GUID/10/PROPERTIES&Hash=HashString&Compression=zlib
01-13-201617:56:37.479 DataTransferService 2316(0x90c) Adding to BITS job:{ID}_2.zip
01-13-201617:56:37.479 DataTransferService 2316(0x90c) BITSHelper: Full source path to be
transferred=
http://PS1.contoso.com:80/SMS_MP/.sms_dcm?
Id&DocumentId=ScopeId_GUID/RequiredApplication_GUID/10/MANIFEST&Hash=HashString&Compression=zlib
01-13-201617:56:37.479 DataTransferService 2316 (0x90c) Adding to BITS job: {ID}_1.zip
13. Monitor DataTransferService.log for the completion of the SDM package download. Search for lines
similar to below:
Configuration Item #1
01-13-2016 17:56:37.588 DataTransferService 2748 (0xabc) Job: {ID}, Total Files: 2, Transferred Files:
2, Total Bytes: 1160, Transferred Bytes: 1160
01-13-2016 17:56:37.588 DataTransferService 2748 (0xabc) DTSJob {ID} successfully completed
download.
01-13-2016 17:56:37.791 DataTransferService 1568 (0x620) Job: {ID}, Total Files: 3, Transferred Files:
01-13-2016 17:56:37.791 DataTransferService 1568 (0x620) DTSJob {ID} successfully completed
download.
download.
01-13-2016 17:56:38.104 DataTransferService 1568 (0x620) DTSJob {ID} successfully completed
download.
Troubleshoot step 3
In step 3 to step 6, multiple components work together. Jobs are created locally to evaluate the existence of the
CIs via CI Store (CCMStore.sdf). Or the CIs are marked as not found . Many issues can potentially arise during
the next phase of this step:
DataTransferService uses BITS and HTTP communication with the MP to request the CIs and download them.
Possible causes include:
Bad data in the database. For example, it returns corrupted CI or SDM Package Data, out-of-date versions, and
so on.
WMI issues when accessing policy namespaces locally on the machine that executes the task sequence.
Failure when communicating with the MP or the database.
BITS jobs failures.
Network-related errors, downloads, and so on.
IIS issues with SMS_MP vDir (SMS_CCM\SMS_MP folder).
Evaluation errors after install.
Examine the following log files to identify where this process is failing:
CIDownloader.log
DCMAgent.log
CIStore.log
CIStateStore.log
DataTransferService.log
Step 4: CI Agent processes the CIs and saves them locally in

CCMStore.sdf
After the Data Transfer Service job finishes downloading all of the CIs referenced by Application Install ,
CIDownloader will check the hash of the CIs, decompress them, and then persist them in CI Store. This process is
done for each of the CIs associated with the application.
The following process will occur for any CI that has a relationship with the application being installed during this
task. Merging the logs will help track the progress of each. Follow the Job IDs.
1. Individually, after each CI is completely downloaded, Data Transfer Service marks the job complete and
CIDownloader confirms the hash.
In DataTransferService.log:
download.
01-13-2016 17:56:37.604 DataTransferService 2316 (0x90c) DTSJob {ID} in state 'NotifiedComplete'.
In CIDownloader.log:
01-13-2016 17:56:37.619 CIDownloader 2768 (0xad0)

::DecompressFile(C:\WINDOWS\CCM\CIDownloader\Staging}_1.zip,65536,C:\WINDOWS\CCM\CIDo
wnloader\Staging{JobID}_1.xml)
01-13-2016 17:56:37.619 CIDownloader 2768 (0xad0) VerifyCIDocumentHash - Preparing to verify
hash for CI document ScopeId_GUID/RequiredApplication_GUID/10/MANIFEST
01-13-2016 17:56:37.619 CIDownloader 2768 (0xad0)
::DecompressFile(C:\WINDOWS\CCM\CIDownloader\Staging{JobID}_2.zip,65536,C:\WINDOWS\CCM\
CIDownloader\Staging{JobID}_2.xml)
01-13-2016 17:56:37.619 CIDownloader 2768 (0xad0) VerifyCIDocumentHash - Preparing to verify
hash for CI document ScopeId_GUID/RequiredApplication_GUID/10/PROPERTIES
2. After CIDownloader acquires all the CIs from the management point, it will call back into CI Agent and
begin persisting the CIs. In CIAgent.log:
01-13-2016 17:56:38.119 CIAgent 2768 (0xad0) CIAgentJob({ID}): CAgentJob::NotifyComplete -

CIDownloader callback
01-13-2016 17:56:38.119 CIAgent 2728 (0xaa8) CIAgentJob({ID}):
CAgentJob::HandleEvent(Event=Transition, CurrentState=PersistingCIModels)
01-13-2016 17:56:38.119 CIAgent 2728 (0xaa8) CIAgentJob({ID}): PersistCIModels
3. CIDownloader will persist the CIs into the CI Digest Store. In CIDownloader.log:
01-13-2016 17:56:38.119 CIDownloader 2728 (0xaa8) CCIDigestStore::PersistIntegratedCIDefinitions

01-13-2016 17:56:38.182 CIDownloader 2728 (0xaa8) DCM::LanternUtils::StoreModelDocument
01-13-2016 17:56:38.385 CIDownloader 2728 (0xaa8) DCM::LanternUtils::StoreModelDocument
succeeded
- Lantern model document compiled to WMI.
- Creating file
C:\WINDOWS\CCM\CIDownloader\DigestStore\321EC9594015C9F9E6780EB4FEC210A78BEC119CB
44ADE46A94C5F5B26F47948.xml
- Creating file
C:\WINDOWS\CCM\CIDownloader\DigestStore\B7BE90F13A8B7B3BD870B8DC5D0DF3E8378137B3
85988C2037A5C94EF21E4BCB.xml
- Dcm Digest persisted to CIDigestStore.
4. CIDownloader completes persisting of the CIs and marks its job complete. In CIDownloader.log:

- Dcm Digest persisted to CIDigestStore.
01-13-2016 17:56:38.463 CIDownloader 2728 (0xaa8) CCIDownloader::CompleteJob for job {ID}.
5. CI Agent checks the CI Store for the CIs needed by the Application Install process. CI Store returns the
appropriate values. In CIAgent.log:
01-13-2016 17:56:38.479 CIAgent 2728 (0xaa8) CCIInfo::AddDepedentCI for ModelName:

ScopeId_GUID/Application_GUID Version: 10
01-13-2016 17:56:38.479 CIStore 2728 (0xaa8) CCIStore::GetCIEx - Requested CI ModelName
ScopeId_GUID/Application_GUID, Version 10 returned from [Store]
01-13-2016 17:56:38.479 CIStore 2728 (0xaa8) Found property (DisplayName) value but only with
fallback to US English: ConfigMgr 2012 Toolkit R2
01-13-2016 17:56:38.510 CIAgent 2728 (0xaa8) CCIInfo::AddDepedentCI for ModelName:
ScopeId_GUID/DeploymentType_GUID Version: 6
01-13-2016 17:56:38.510 CIStore 2728 (0xaa8) CCIStore::GetCIEx - Requested CI ModelName
ScopeId_GUID/DeploymentType_GUID, Version 6 returned from [Store]
01-13-2016 17:56:38.510 CIStore 2728 (0xaa8) Found property (DisplayName) value but only with
fallback to default: ConfigMgr 2012 Toolkit R2 - Windows Installer (*.msi file)
Next, CI Agent will perform further processing by invoking the SDM model. SDM packages link together CIs and
provide further information about the configuration that will be implemented. Part of this process also binds the
CIs to policies using the Microsoft Policy Platform.
Troubleshoot step 4
To troubleshoot issues during this step, see Troubleshoot step 3.
Step 5: CI Agent performs further processing of CIs using the SDM

model
At this point, the necessary CIs have been acquired, and SDM package data has been downloaded. CI Agent will
perform the following processes:
invoke SDMMethod to bind the CIs to their Policy Platform/Lantern Policies stored in WMI, located at
root\Microsoft\PolicyPlatform\Documents\Local .
evaluate their applicability
ultimately mark them as Available for Enforcement before cleaning up its jobs
In CIAgent.log:
01-13-2016 17:56:38.510 CIAgent 2728 (0xaa8) CIAgentJob({ID}): TransitionState(From=PersistingCIModels,

To=InvokingSdmMethod) for Event=Transition
1. CI Agent begins enactment and evaluation for the application CIs. In CIAgent.log:
01-13-2016 17:56:38.541 CIAgent 2316 (0x90c) CIAgentJob({ID}): StartEnactment - CI -

ScopeId_GUID/RequiredApplication_GUID
01-13-2016 17:56:38.541 CIAgent 2316 (0x90c) CIAgentJob({ID}): Evaluation for CI
'ScopeId_GUID/RequiredApplication_GUID.10'is required.
2. CI Agent invokes the Policy Platform Client and binds the policies by invoking the Microsoft Policy
Platform. In CIAgent.log:
01-13-2016 17:56:38.541 CIAgent 2316 (0x90c) CIAgentJob({ID}): Evaluation for CI

'ScopeId_GUID/RequiredApplication_GUID.10'is required.
01-13-2016 17:56:38.541 CIAgent 2316 (0x90c) CIAgentJob({ID}): StartEnactment - Attempting to
invoke Policy Platform Client
01-13-2016 17:56:38.885 CIAgent 2316 (0x90c) DCM::LanternUtils::ScopeAndBindPolicies -
[ScopedPolicies] ScopeId_GUID_Application_GUID_Platform_PolicyDocument
[ScopedPolicies] ScopeId_GUID_Application_GUID_Configuration_PolicyDocument
3. CI Agent completes the enactment. In CIAgent.log:

[ScopedPolicies] ScopeId_GUID_DeploymentType_GUID_Discovery_PolicyDocument
01-13-2016 17:56:39.619 CIAgent 2768 (0xad0) CIAgentJob({ID}): Invocation succeeded for policy
platform job ID
01-13-2016 17:56:39.619 CIAgent 2316 (0x90c) Lantern job:ID succeeded.
01-13-2016 17:56:39.619 CIAgent 2768 (0xad0) CIAgentJob({ID}): ReportMethodInvocation ::
Enactment succeeded
4. CI Agent now transitions its job to downloading CIs, and then immediately transitions its state again, this
time to enforcing CIs. In CIAgent.log:
01-13-2016 17:56:39.963 CIAgent 2768 (0xad0) CIAgentJob({ID}):

TransitionState(From=StateDownloadingContents, To=StateEnforcingCIs) for Event=Transition
CAgentJob::HandleEvent(Event=CITaskComplete, CurrentState=StateEnforcingCIs)
5. CI Agent will check one more time to ensure that the application isn't already installed. DCM Agent marks
the CI as Available for Enforcement , and then reports that state.
In CIAgent.log:

CAgentJob::HandleEvent(Event=Transition, CurrentState=StateEnforcingCIs)
In DCMAgent.log:
01-13-2016 17:56:39.979 DCMAgent 1844 (0x734) CAppMgmtSDK::GetEvaluationState

ScopeId_GUID/RequiredApplication_GUID.10 = AvailableForEnforcement
In CIAgent.log:

CAgentJob::HandleEvent(Event=Transition, CurrentState=StateEnforcementReporting)
6. The CIs have been evaluated, downloaded, decompressed, persisted and then evaluated again. CI Agent
and DCM Agent clean up the jobs they created to do all that work.
In CIAgent.log:
01-13-2016 17:56:40.072 CIAgent 2356 (0x934) Internal Request to delete CIAgent job {ID}
In DCMAgent.log:
01-13-2016 17:56:40.088 DCMAgent 2728 (0xaa8) DCMAgentJob({ID}):

CDCMAgentJob::HandleEvent(Event=Transition, CurrentState=Success)
In CIAgent.log:
01-13-2016 17:56:40.104 CIAgent 2356 (0x934) CIAgentJob({ID}): Job complete. Exiting event pump.
In DCMAgent.log:
01-13-2016 17:56:40.104 DCMAgent 2728 (0xaa8) CDCMAgentJobMgr::DeleteJob - Request to

delete DCM Agent job {ID}
01-13-2016 17:56:40.135 DCMAgent 2728 (0xaa8) DCMAgentJob({ID}): QueueDebug - Executing
Event.
01-13-2016 17:56:40.104 DCMAgent 2728 (0xaa8) Job complete. Exiting event pump.
Troubleshoot step 5
Step 6: DCM Agent confirms that all CIs are present and flags content
for download
Install Application will now call back into the SDK to install the application. It creates a new job for DCM
Agent, which in turn creates a job for CI Agent and all components it uses. The same process will occur, where CI
Agent uses the components to ensure that all the CIs have been downloaded, evaluated, and persisted. The
result of this step is that the content (binaries) for the Application Install process will be marked for download.
1. Install Application invokes the App Management SDK (DCM Agent) to install the application. In
InstallApplication.log:
01-13-2016 17:56:40.119 InstallApplication 1608 (0x648) Invoking App Management SDK to install
application
01-13-2016 17:56:40.135 InstallApplication 1608 (0x648) Installing application
'ScopeId_GUID/RequiredApplication_GUID' has started. Please refer to DCMAgent.log for the details
on this job. JobID='{ID}'
2. DCM Agent creates a new job for CI Agent.

In DCMAgent.log:
01-13-2016 17:56:40.135 DCMAgent 2356 (0x934) DCMAgentJob({ID}):

CDCMAgent::InitiateCIAgentJob - Starting CI Agent Job {ID} for target: machine. Refer to this CI agent
job ID in ciagent.log for more details
In CIAgent.log:
01-13-2016 17:56:40.135 CIAgent 2356 (0x934) CIAgentJob({ID}): [LeakTest] AgentJob created
3. This new CI Agent job goes into the Waiting for Assigned CIs state right away. Then it immediately
transitions to downloading CIs.
In CIAgent.log:

CAgentJob::HandleEvent(Event=Transition, CurrentState=WaitingForAssignedCI)
CAgentJob::HandleEvent(Event=DownloadCIs, CurrentState=WaitingForAssignedCI)
CAgentJob::HandleEvent(Event=Transition, CurrentState=DownloadingCIs)
4. CIDownloader creates a job to handle the download and checks if the CIs are present. In
CIDownloader.log:
01-13-2016 17:56:40.135 CIDownloader 2768 (0xad0) CIDownloaderJob({ID}): SetFailureCondition -

Job will fail immediately on error
5. CIDownloader reports to CI Agent that all the CIs for the application are present in the store. In
CIDownloader.log:
01-13-2016 17:56:40.166 CIDownloader 2768 (0xad0) CDownloadPayloadInfo::AddCI - CI with

ModelName ScopeId_GUID/Application_GUID, Version 10 is already available.
6. The CI for the application, application DT, and requirements have already been downloaded. CI Agent logs
that nothing is to be downloaded. Then it moves on to persisting the CI models.
In CIAgent.log:
01-13-2016 17:56:40.182 CIAgent 2768 (0xad0) CIAgentJob({ID}): Nothing to be downloaded.

01-13-2016 17:56:40.182 CIAgent 2316 (0x90c) CIAgentJob({ID}):
CAgentJob::HandleEvent(Event=Transition, CurrentState=PersistingCIModels)
7. CI Agent invokes the SDM method again. Only this time it will flag that the binaries (install.msi) haven't
been downloaded. In CIAgent.log:
01-13-2016 17:56:40.213 CIAgent 2316 (0x90c) CIAgentJob({ID}): CI

ScopeId_GUID/DeploymentType_GUID:6 (ConfigMgr 2012 Toolkit R2 - Windows Installer (*.msi file))
targeted to (Dependant of policy CI ScopeId_GUID/RequiredApplication_GUID:10) is in scope for
evaluation.
CAgentJob::HandleEvent(Event=Transition, CurrentState=InvokingSdmMethod)
8. CI Agent starts enactment again, calls into Microsoft Policy Platform, and confirms that the CIs are bound
to policies.
In CIAgent.log:
01-13-2016 17:56:40.244 CIAgent 2728 (0xaa8) CIAgentJob({ID}): StartEnactment - CI -

ScopeId_GUID/RequiredApplication_GUID
01-13-2016 17:56:40.244 CIAgent 2728 (0xaa8) CIAgentJob({ID}): StartEnactment - Attempting to
invoke Policy Platform Client
Enactment succeeded
Obtained lantern reports
9. At this point, CI Agent marks both the application and application DT as Available and Applicable , as
well as that they will be installed.
In CIAgent.log:
01-13-2016 17:56:40.369 CIAgent 2768 (0xad0) CIAgentJob({ID}):State - Reporting (scan):: AppModel

- ScopeId_GUID/Application_GUID:10 - State = NotInstalled ResolvedState = Available Applicability =
Applicable ConfigureState= NotNeeded
01-13-2016 17:56:40.385 CIAgent 2768 (0xad0) CIAgentJob({ID}):State - Reporting (scan)::
Deployment Type - ScopeId_GUID/DeploymentType_GUID:6 - State = NotInstalled ResolvedState =
Available Applicability = Applicable ConfigureState= NotNeeded
01-13-2016 17:56:40.463 CIAgent 2728 (0xaa8) Job({ID}): CI ModelName
ScopeId_GUID/Application_GUID version 10 will be INSTALLED. :
Task(ScopeId_GUID/RequiredApplication_GUID.10.ContentDownload)
01-13-2016 17:56:40.463 CIAgent 2728 (0xaa8) Job({ID}): CI ModelName
ScopeId_GUID/DeploymentType_GUID version 6 will be INSTALLED. :
Task(ScopeId_GUID/Application_GUID.10.ContentDownload)
10. Now CI Agent will begin downloading the binaries for the application Install. In CIAgent.log:

CAgentJob::HandleEvent(Event=Transition, CurrentState=StateDownloadingContents)
01-13-2016 17:56:40.417 CIAgent 2728 (0xaa8) CIAgentJob({ID}): DownloadBinaryContents
01-13-2016 17:56:40.417 CIAgent 2728 (0xaa8) {ID} - Initiating ContentDownload tasks.
01-13-2016 17:56:40.463 CIAgent 2728 (0xaa8) Job({ID}) : Successfully initialized :
Task(ScopeId_GUID/DeploymentType_GUID.6.ContentDownload)
01-13-2016 17:56:40.463 CIAgent 2728 (0xaa8) Job({ID}) : Successfully initialized :
Task(ScopeId_GUID/Application_GUID.10.ContentDownload)
The complicated part is now over. Now we move on to download the binaries.
Troubleshoot step 6
Step 7: Content for the Application Install task is downloaded using

the standard content request/response process
To download the content for the installation, standard content request processes are used. The components
involved on the client side are:
Location Services
Content Access (CAS)
Content Transfer Manager
Data Transfer Manager
On the server side, the components involved include:
MP_Location
MP_GetDPInfoContent
IIS on the distribution point (DP) where the content will be accessed from.
1. Content Access (CAS) will access the information about the content request from WMI. In CAS.log:
01-13-2016 17:56:40.572 ContentAccess 2728 (0xaa8) CContentAccessService::Initialize

01-13-2016 17:56:40.572 ContentAccess 2728 (0xaa8) CDownloadManager::InitializeFromWmi
01-13-2016 17:56:40.572 ContentAccess 2728 (0xaa8) ===== CacheManager: Initializing cache
state from Wmi. =====
01-13-2016 17:56:40.588 ContentAccess 2728 (0xaa8) Loading cache configuration from Wmi.
01-13-2016 17:56:42.166 ContentAccess 2728 (0xaa8) CacheManager: Getting cached content
information for Content_GUID.1.
2. Content Transfer Manager creates and sends the Content Location Request. In
ContentTransferManager.log:
01-13-2016 17:56:42.432 ContentTransferManager 2768 (0xad0) Attempting to create Location

Request for PackageID='PackageID' and Version='1'
01-13-2016 17:56:42.448 ContentTransferManager 2768 (0xad0) Attempting to send Location
Request for PackageID='Content_GUID'
01-13-2016 17:56:42.448 ContentTransferManager 2728 (0xaa8) Created CTM job {ID} for user SID
01-13-2016 17:56:42.448 ContentTransferManager 2768 (0xad0) ContentLocationRequest :
<ContentLocationRequest SchemaVersion="1.00" ExcludeFileList=""><Package
ID="UID:Content_GUID" Version="1"/><AssignedSite SiteCode="MEH"/><ClientLocationInfo
LocationType="SMSUpdate" DistributeOnDemand="0" UseAzure="0" AllowWUMU="0"
UseProtected="0" AllowCaching="0" BranchDPFlags="0" UseInternetDP="0" AllowHTTP="1"
AllowSMB="0" AllowMulticast="0"><ADSite Name="Default-First-Site-Name"/><Forest
Name="contoso.com"/><Domain Name="contoso.com"/><IPAddresses><IPAddress
SubnetAddress="10.10.25.128" Address="10.10.25.130"/><IPAddress
SubnetAddress="10.10.25.128" Address="10.10.25.166"/></IPAddresses></ClientLocationInfo>
</ContentLocationRequest>
01-13-2016 17:56:42.463 ContentTransferManager 2768 (0xad0) Created and Sent Location Request
'{ID}' for package Content_GUID
01-13-2016 17:56:42.463 ContentTransferManager 2768 (0xad0) CTM job {ID} entered phase
CCM_DOWNLOADSTATUS_DOWNLOADING_DATA
3. MP_Location receives the request and processes it by executing a stored procedure in the database. Either
MP_GetDPInfoProtected or MP_GetDPInfoUnprotected .
TIP
MP_GetContentDPInfoProtected is called when the client falls within a boundary group that has a protected DP.
Protected DPs are the ones that don't allow fallback. MP_GetContentDPInfoUnprotected is called when the client
doesn't fall within a boundary group that has a protected DP.
In MP_Location.log:
01-13-2016 17:56:42.516 MP_LocationManager 4044 (0xfcc) MP_GetContentDPInfoProtected

(UID:Content_GUID,1,MEH,<ServerNameList>
<ServerName>PS1DP.CONTOSO.COM</ServerName>
</ServerNameList>,SMSUpdate,00000000,contoso.com,contoso.com,<ClientLocationInfo
LocationType="SMSUpdate" DistributeOnDemand="0" UseAzure="0" AllowWUMU="0"
UseProtected="0" AllowCaching="0" BranchDPFlags="0" UseInternetDP="0" AllowHTTP="1"
AllowSMB="0" AllowMulticast="0"><ADSite Name="DEFAULT-FIRST-SITE-NAME"/><Forest
Name="contoso.com"/><Domain Name="contoso.com"/><IPAddresses><IPAddress
SubnetAddress="10.10.25.128" Address="10.10.25.130"/><IPAddress
SubnetAddress="10.10.25.128" Address="10.10.25.166"/></IPAddresses></ClientLocationInfo>)
4. MP_Location sends the response that includes the list of available distribution points where the binaries
can be downloaded. In MP_Location.log:
01-13-2016 17:56:42.523 MP_LocationManager 4044 (0xfcc) MP LM: Reply message body:

<ContentLocationReply SchemaVersion="1.00" ContentFlags="200960" HashAlgorithm="32780"
AlgorithmPreference="4" Hash="HashString" ExcludeFileListHash="" RelatedContentID="">
<ContentInfo PackageFlags="32"><ContentHashValues><Hash Algorithm="32780"
HashString="HashString" HashPreference="4"/></ContentHashValues></ContentInfo><Sites>
<Site><MPSite SiteCode="MEH" MasterSiteCode="MEH" SiteLocality="LOCAL"
IISPreferedPort="80" IISSSLPreferedPort="443"/><LocationRecords><LocationRecord><URL
Name=" http://PS1DP.contoso.com/SMS_DP_SMSPKG$/Content_GUID.1 " Signature="
http://PS1DP.contoso.com/SMS_DP_SMSSIG$/Content_63fbf078-1815-4e37-9614-b60ce7947805.1.tar "/>
<ADSite Name="Default-First-Site-Name"/><IPSubnets><IPSubnet Address="10.10.25.128"/>
<IPSubnet Address=""/></IPSubnets><Metric Value=""/><Version>8239</Version><Capabilities
SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>
<ServerRemoteName>PS1DP.contoso.com</ServerRemoteName><DPType>SERVER</DPType>
<Windows Trust="1"/><Locality>LOCAL</Locality></LocationRecord></LocationRecords></Site>
<Site><MPSite SiteCode="MEH" MasterSiteCode="MEH" SiteLocality="LOCAL"/>
<LocationRecords/></Site></Sites><RelatedContentIDs/></ContentLocationReply>
5. The response is received by Location Services on the client. In LocationServices.log:
01-13-2016 17:56:42.510 LocationServices 2752 (0xac0) ContentLocationReply :

<ContentLocationReply SchemaVersion="1.00" ContentFlags="200960" HashAlgorithm="32780"
AlgorithmPreference="4"
Hash="6FB054E0532351D888291FF52F74E0085940AEA90EC85A5B999B6CFBE94663FC"
ExcludeFileListHash="" RelatedContentID=""><ContentInfo PackageFlags="32">
<ContentHashValues><Hash Algorithm="32780"
HashString="6FB054E0532351D888291FF52F74E0085940AEA90EC85A5B999B6CFBE94663FC"
HashPreference="4"/></ContentHashValues></ContentInfo><Sites><Site><MPSite
SiteCode="MEH" MasterSiteCode="MEH" SiteLocality="LOCAL" IISPreferedPort="80"
IISSSLPreferedPort="443"/><LocationRecords><LocationRecord><URL Name="
http://PS1DP.contoso.com/SMS_DP_SMSPKG$/Content_63fbf078-1815-4e37-9614-b60ce7947805.1 "
Signature="
http://PS1DP.contoso.com/SMS_DP_SMSSIG$/Content_63fbf078-1815-4e37-9614-b60ce7947805.1.tar "/>
<ADSite Name="Default-First-Site-Name"/><IPSubnets><IPSubnet Address="10.10.25.128"/>
<IPSubnet Address=""/></IPSubnets><Metric Value=""/><Version>8239</Version><Capabilities
SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>
<ServerRemoteName>PS1DP.contoso.com</ServerRemoteName><DPType>SERVER</DPType>
<Windows Trust="1"/><Locality>LOCAL</Locality></LocationRecord></LocationRecords></Site>
<Site><MPSite SiteCode="MEH" MasterSiteCode="MEH" SiteLocality="LOCAL"/>
<LocationRecords/></Site></Sites><RelatedContentIDs/></ContentLocationReply>
6. Location Services parses the reply to get the distribution point list that it sends to Content Transfer
Manager. In LocationServices.log:
01-13-2016 17:56:42.526 LocationServices 2752 (0xac0) Distribution Point='

http://PS1DP.contoso.com/SMS_DP_SMSPKG$/Content_GUID.1 ', Locality='LOCAL', DPType='SERVER',
Version='8239', Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="SSLState"
Value="0"/></Capabilities>', Signature='
http://PS1DP.contoso.com/SMS_DP_SMSSIG$/Content_GUID.1.tar ', ForestTrust='TRUE',
7. Content Transfer Manager persists the location for the job it has created for downloading the binaries. In
01-13-2016 17:56:42.526 ContentTransferManager 2752 (0xac0) Persisted locations for CTM job {ID}:
(LOCAL) http://PS1DP.contoso.com/SMS_DP_SMSPKG$/Content_GUID.1
8. Content Transfer Manager then creates a job for Data Transfer Service to download the binaries. In
01-13-2016 17:56:42.541 ContentTransferManager 2752 (0xac0) CTM job {ID} (corresponding DTS
job {ID}) started download from ' http://PS1DP.contoso.com/SMS_DP_SMSPKG$/Content_GUID.1 ' for full
content download.
9. Data Transfer Service builds the job with the URL and starts a BITS job to do the download. In
DataTransferService.log:
01-13-2016 17:56:42.541 DataTransferService 2752 (0xac0) Sending PROPFIND request using URL
http://PS1DP.contoso.com:80/SMS_DP_SMSPKG$/Content_GUID.1
01-13-2016 17:56:42.557 DataTransferService 2752 (0xac0) UpdateURLWithTransportSettings():
NEW URL - http://ps1dp.contoso.com:80/SMS_DP_SMSPKG$/Content_GUID.1/sccm?/ConfigMgrTools.msi
01-13-2016 17:56:42.573 DataTransferService 2752 (0xac0) Starting BITS download for DTS job '{ID}'.
01-13-2016 17:56:42.573 DataTransferService 2752 (0xac0) BITSHelper: Full source path to be
transferred = http://PS1DP.contoso.com:80/SMS_DP_SMSPKG$/Content_GUID.1/sccm?/ConfigMgrTools.msi
10. Data Transfer Service completes the download and marks the job successful. In DataTransferService.log:
01-13-2016 17:56:42.885 DataTransferService 2752 (0xac0) DTSJob {ID} in state 'NotifiedComplete'.
01-13-2016 17:56:42.885 DataTransferService 2752 (0xac0) DTS job {ID} has completed: Status :
SUCCESS,
11. Content Transfer Manager then cleans up the DTS job, and CAS begins verifying the hash of the
downloaded binaries.
In ContentTransferManager.log:
01-13-2016 17:56:42.901 ContentTransferManager 2728 (0xaa8) CCTMJob::_Cleanup(JobID={ID}) -

Cancelling DTS job with provider <default>
01-13-2016 17:56:42.901 ContentAccess 2348 (0x92c) Using hash from LS Content Information:
HashString
In CAS.log:
01-13-2016 17:56:42.948 ContentAccess 2348 (0x92c) Computed hash: HashString

01-13-2016 17:56:42.948 ContentAccess 2348 (0x92c) Success hash verification with hash algorithm
= 32780, preference : 4
12. Content Access then maps the content to the CCM cache where the downloaded binaries are now stored.
In CAS.log:
01-13-2016 17:56:42.948 ContentAccess 2348 (0x92c) Saved Content ID Mapping Content_GUID.1,

C:\WINDOWS\ccmcache\1
01-13-2016 17:56:42.948 ContentAccess 2348 (0x92c) CacheManager: ADD new cache entry for
id:Content_GUID Version : 1 Size : 5532K RefCount:1 LastRef Minutes : 0 State : ACTIVE PinDuration : 0
Location : C:\WINDOWS\ccmcache\1
01-13-2016 17:56:42.948 ContentAccess 2348 (0x92c) Created a New Cache Item at location
C:\WINDOWS\ccmcache\1 for 1.Content_GUID Size 5532 KB bytes
01-13-2016 17:56:42.948 ContentAccess 2348 (0x92c) Download succeeded for download request
{GUID}
13. CI State Store updates CIEnforcementState of the CIs to Download Content Success . CI Agent then
picks back up and begins enforcing the CIs. In CIAgent.log:

TransitionState(From=StateDownloadingContents, To=StateEnforcingCIs) for Event=Transition
01-13-2016 17:56:43.041 CIAgent 2728 (0xaa8) CIAgentJob({ID}): EnforceCIs
01-13-2016 17:56:43.041 CIAgent 2728 (0xaa8) {ID} - Initiating Enforce tasks.
01-13-2016 17:56:43.073 CIAgent 2728 (0xaa8) Job({ID}) : Performing :
Task(ScopeId_GUID/RequiredApplication_GUID.10.Enforce)
Task(ScopeId_GUID/Application_GUID.10.Enforce)
Task(ScopeId_GUID/DeploymentType_GUID.6.Enforce)
Troubleshoot step 7
At this point in the task sequence, we have requested and downloaded content several times. It was
accomplished using the standard content request/response procedures. These procedures are used in standard
software/application installs outside of a task sequence. Because the task sequence has already used these
procedures successfully, there's a low probability of them failing during this task. However, if problems arise
with content location requests or access, examine the following log files to gain clues as to where the process is
failing:
CIAgent.log
CAS.log
ContentTransferManager.log
DataTransferService.log
LocationServices.log
MP_Location.log
Step 8: Application Deployment Type is enforced by executing the

command line
Now comes the work of enforcing the installation of the application. It will use the standard Application Install
components and flow:
AppDiscovery
AppEnforce
1. AppDiscovery discovers the application and its properties. In AppDiscovery.log:
ActionType - Install,Max execute time = 120 minutes for AppDT "ConfigMgr 2012 Toolkit R2 -
Windows Installer (*.msi file)" [ScopeId_GUID/DeploymentType_GUID], Revision - 6
2. AppEnforce begins the install enforcement by performing detection of the Application Deployment Type.
For an MSI, it uses the product code to check whether it's already installed. Assuming that the detection
state is Not Discovered , the installation will proceed. In AppEnforce.log:
01-13-2016 17:56:43.104 AppEnforce 2216 (0x8a8) +++ Starting Install enforcement for App DT
"ConfigMgr 2012 Toolkit R2 - Windows Installer (*.msi file)" ApplicationDeliveryType -
ScopeId_GUID/DeploymentType_GUID, Revision - 6, ContentPath - C:\WINDOWS\ccmcache\1,
Execution Context - Any
01-13-2016 17:56:44.666 AppEnforce 2216 (0x8a8) +++ Application not discovered. [AppDT Id:
ScopeId_GUID/DeploymentType_GUID, Revision: 6]
3. Now AppEnforce will prepare the enforcement environment by parsing the command line and other
install parameters, then prepares the working directory and executes the command line.
In AppEnforce.log:
01-13-2016 17:56:44.682 AppEnforce 2216 (0x8a8) App enforcement environment:

Context: Machine
Command line: msiexec /i "ConfigMgrTools.msi" /q /L*V "C:\Windows\CCM\Logs\MSI_install.log"
Allow user interaction: No
UI mode: 0
User token: null
Session Id: 4294967295
Content path: C:\WINDOWS\ccmcache\1
Working directory:
01-13-2016 17:56:44.682 AppEnforce 2216 (0x8a8) Prepared working directory:
C:\WINDOWS\ccmcache\1
01-13-2016 17:56:44.713 AppEnforce 2216 (0x8a8) Parsed CmdLine:
msiexec /i "ConfigMgrTools.msi" /q /L*V "C:\Windows\CCM\Logs\MSI_install.log"
01-13-2016 17:56:44.713 AppEnforce 2216 (0x8a8) Found executable file msiexec with complete
path C:\WINDOWS\system32\msiexec.exe
01-13-2016 17:56:45.666 AppEnforce 2216 (0x8a8) Executing Command line:
"C:\WINDOWS\system32\msiexec.exe" /i "ConfigMgrTools.msi" /q /L*V
"C:\Windows\CCM\Logs\MSI_install.log" /qn
with system context
01-13-2016 17:56:44.729 AppEnforce 2216 (0x8a8) Parsed CmdLine:
01-13-2016 17:56:45.666 AppEnforce 2216 (0x8a8) Executing Command line:
with system context
4. At this point, assuming there's logging for the MSI installation, msiexec.exe takes over and does the
installation. In MSI Logging.log:
=== Verbose logging started: 1/13/2016 17:56:45 Build type: SHIP UNICODE 5.00.9600.00 Calling
process: C:\WINDOWS\system32\msiexec.exe ===
5. Once the installation is complete, msiexec.exe will send the return code to Install Application . Install
Application will set the necessary task sequence environment variables indicating success, then report
the successful install back to AppEnforce .
In AppEnforce.log:
MSI (c) (BC:EC) [17:56:47:604]: MainEngineThread is returning 0

01-13-2016 17:56:47.979 InstallApplication 1384 (0x568) NotifyProgress received: 1 (Application is
installed successfully)
01-13-2016 17:56:48.010 InstallApplication 1608 (0x648) Installation job completed with exit code
0x00000000
01-13-2016 17:56:48.010 InstallApplication 1608 (0x648) Execution status received: 1 (Application is
installed successfully)
'_TSAppInstallStatus'='Success'
'SMSTSInstallApplicationJobID__ScopeId_GUID/Application_GUID'=''
01-13-2016 17:56:48.010 InstallApplication 1608 (0x648) Step 2 out of 2 complete
01-13-2016 17:56:48.010 InstallApplication 1608 (0x648) Sending success status message
6. AppEnforce matches the success code to the table specified in the Return Codes tab in the properties of
the Application Deployment Type. It then performs detection again and marks the install enforcement
complete.
In AppEnforce.log:
01-13-2016 17:56:47.620 AppEnforce 2216 (0x8a8) Looking for exit code 0 in exit codes table...
01-13-2016 17:56:47.620 AppEnforce 2216 (0x8a8) Found a match in the success exit codes.
01-13-2016 17:56:47.620 AppEnforce 2216 (0x8a8) Matched exit code 0 to a Success entry in exit
codes table.
01-13-2016 17:56:47.620 AppEnforce 2216 (0x8a8) Performing detection of app deployment type
ConfigMgr 2012 Toolkit R2 - Windows Installer (.msi file)(ScopeId_GUID/DeploymentType_GUID,
revision 6) for system.
01-13-2016 17:56:47.635 AppEnforce 2216 (0x8a8) +++ Discovered application [AppDT Id:
ScopeId_GUID/DeploymentType_GUID, Revision: 6]
01-13-2016 17:56:47.635 AppEnforce 2216 (0x8a8) ++++++ App enforcement completed (4
seconds) for App DT "ConfigMgr 2012 Toolkit R2 - Windows Installer (.msi file)"
[ScopeId_GUID/DeploymentType_GUID], Revision: 6, User SID: ] ++++++
Troubleshoot step 8
The applications that are installed must meet the following criteria:
The application must be a deployment type of Windows Installer or Script installer. Windows app package (
.appx file) deployment types aren't supported.
It must run under the local system account and not the user account.
It mustn't interact with the desktop. The program must run silently or in an unattended mode.
It mustn't initiate a restart on its own. The application must request a restart by using the standard restart
code (a 3010 exit code). It ensures that the task sequence step will handle the restart correctly. If the
application returns a 3010 exit code, the underlying task sequence engine performs the restart. After the
restart, the task sequence automatically continues.
To gather more information about the source of the failure, examine the MSI log. The following article provides
more information about MSI log troubleshooting:
Read a Deployment Tool MSI Log
The following article includes product-specific information, and some general MSI log troubleshooting tips:
Troubleshooting Office installation failures
For more information about common MSI installer errors, see MsiExec.exe and InstMsi.exe Error Messages.
Step 9: The application is detected as installed and Enforcement State

is reported back to Task Sequence Manager
At this time, CI Agent has been checking with CI State Store for the Enforcement State of the CIs. DCM Agent has
been doing the same as well, monitoring the progress and logging it to DCMAgent.log.
1. The installation is complete, and detection has marked it as installed. CI State Store will detect that the
state of an existing CI has changed from Enforcing to EnforcementSuccess .
01-13-2016 17:56:47.667 CIStateStore 2728 (0xaa8) An existing CI state is changed

01-13-2016 17:56:47.667 CIStateStore 2728 (0xaa8) [ScopeId_GUID/DeploymentType_GUID:6]
CIEnforceState changed: Enforcing --> EnforcementSuccess
01-13-2016 17:56:47.729 CIStateStore 2348 (0x92c) An existing CI state is changed
01-13-2016 17:56:47.776 CIStateStore 2728 (0xaa8) [ScopeId_GUID/RequiredApplication_GUID:10]
CIEnforceState changed: Enforcing --> EnforcementSuccess
2. Once it receives this new enforcement state from CI State Store, CI Agent will mark its jobs complete and
transition to reporting the enforcement state. In CIAgent.log:
01-13-2016 17:56:47.823 CIAgent 2348 (0x92c) JobTaskHelper - Initiating next task if needed
01-13-2016 17:56:47.823 CIAgent 2348 (0x92c) Job({ID}): Already Completed :
Task(ScopeId_GUID/DeploymentType_GUID.6.Enforce)
Task(ScopeId_GUID/Application_GUID.10.Enforce)
Task(ScopeId_GUID/RequiredApplication_GUID.10.Enforce)
CAgentJob::HandleEvent(Event=Transition, CurrentState=StateEnforcementReporting)
3. Enforcement reporting involves checking CI State Store for the compliance state of the application CI.
Once it's set to compliant, CI Agent will transition to Completed and clean up its job.
01-13-2016 17:56:47.932 CIStateStore 2316 (0x90c) [ScopeId_GUID/RequiredApplication_GUID:10]

CIState changed: NonCompliant --> Compliant
In CIAgent.log:

CAgentJob::HandleEvent(Event=Transition, CurrentState=Completed)
CAgentJob::HandleEvent(Event=Transition, CurrentState=Completed)
01-13-2016 17:56:47.963 CIAgent 2728 (0xaa8) CIAgentJob({ID}): Deleting CIAgent Job
01-13-2016 17:56:47.963 CIAgent 2728 (0xaa8) Deleted CIAgent job {ID}
4. DCM Agent passes the success notification back to the Install Application (smsappinstall.exe) process
and DCM Agent cleans up its job.
In DCMAgent.log:
01-13-2016 17:56:47.979 DCMAgent 1384 (0x568) CAppMgmtSDK::GetEvaluationState

ScopeId_GUID/RequiredApplication_GUID.10 = Enforced
01-13-2016 17:56:47.979 DCMAgent 2316 (0x90c) DCMAgentJob({ID}):
CDCMAgentJob::HandleEvent(Event=NotifyProgress, CurrentState=Success)
01-13-2016 17:56:47.979 InstallApplication 1608 (0x648) Received job completion notification from
DCM Agent
01-13-2016 17:56:47.995 DCMAgent 2348 (0x92c) CDCMAgentJobMgr::DeleteJob - Request to
delete DCM Agent job {ID}
5. Lastly, the exit code is returned back to Task Sequence Manager. Task Sequence Manager updates the
appropriate task sequence environment variables, and resumes the next task in the sequence. In
SMSTS.log:
01-13-2016 17:56:48.073 TSManager 2176 (0x880) Process completed with exit code 0
01-13-2016 17:56:48.073 TSManager 2176 (0x880) Successfully completed the action (Install
Application) with the exit win32 code 0
More information
For troubleshooting purposes, it's considered a best practice to create and use a duplicate copy of your
production task sequence. The task sequence may need to be modified to include more data gathering tasks.
And you may need to deploy the task sequence to a test machine.
Deployments that have problems will typically report errors in the Monitoring workspace. You can see these
errors when you select Deployments > Error . For more information about how to troubleshoot these errors,
see the following article:
Tips and Tricks: How to Take Action on Assets That Report a Failed Deployment in System Center 2012
For more information about task sequence steps, see Task sequence steps.
Which version of Configuration Manager to deploy
a particular version of Windows
This article provides an overview of the versions of Configuration Manager that are required to deploy
particular versions of Windows.
Summary
You can use Operating System Deployment (OSD) to deploy the Windows operating system and to upgrade to a
newer version. However, depending on the version of Windows that you want to deploy, you may have to first
upgrade the Configuration Manager version that you're using.
Required Configuration Manager version to deploy a particular

Windows version
The following table provides details about which version of Configuration Manager you need in order to deploy
a particular version of Windows.
VERSIO N O F W IN DO W S B EIN G DEP LO Y ED VERSIO N O F C O N F IGURAT IO N M A N A GER REQ UIRED
Windows 8 System Center 2012 SP1 Configuration Manager or later
Windows 8.1 System Center 2012 R2 Configuration Manager or System

Center 2012 SP1 CU3 Configuration Manager*
* CU3 (Cumulative Update 3) requires additional configuration considerations. For information about CU3
considerations, see How to customize Windows PE boot images to use in Configuration Manager.
For more information about operating system deployment prerequisites, see Prerequisites for deploying
operating systems in Configuration Manager.
References
Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager
Windows PowerShell Requirements for System Center 2012 R2
MBAM 2.0 Setup fails with Error retrieving
Configuration Manager Server role settings
This article provides a solution for the issue that Microsoft BitLocker Administration and Monitoring (MBAM)
prerequisite checker fails when you run the MBAM 2.0 Setup in System Center 2012 Configuration Manager.
Original product version: BitLocker Administration and Monitoring 2.0, Microsoft System Center 2012
Symptoms
If you run MBAM 2.0 Setup on a System Center 2012 Configuration Manager (ConfigMgr) server, the MBAM
prerequisite checker fails with this error message:
Error retrieving Configuration Manager server role settings for 'Reporting Services Point' role
Cause
If you have a Configuration Manager topology that includes the Central Administration Site (CAS) role, the
Primary Site role or the Secondary Site role, MBAM 2.0 requires that the Reporting Service Point role be
installed on the Configuration Manager server that has the CAS role installed.
Resolution
To resolve this issue, perform the following steps:
1. Install the Reporting Service Point role on the Configuration Manager server that has the CAS role.
For more information, see the following articles:
Supported Configurations for Configuration Manager
Install Sites and Create a Hierarchy for Configuration Manager
2. Make sure that the account used to execute MBAM 2.0 setup on the Configuration Manager server has
the correct permissions on the server. For more information, see Planning to Deploy MBAM with
More information
When MBAM 2.0 is installed in Configuration Manager Integration topology, MBAM 2.0 prerequisites perform
the following checks:
Check ConfigMgr connectivity
Check ConfigMgr version
Check ConfigMgr user permissions
Check that the ConfigMgr server is considered a primary site system
Check that the ConfigMgr server has the Desired Configuration Management (DCM) agent enabled
Check that the ConfigMgr server has the Hardware Inventory agent enabled
Check that ConfigMgr has SQL Server Reporting Services (SSRS) integration enabled
Check SSRS user permissions
Checking if any ConfigMgr objects are already installed.
For more information, see Using MBAM with Configuration Manager.
Not found error when you try to edit Update
Application Catalog Tables
This article helps you work around an issue in which you receive Not found error when you try to edit the
Update Application Catalog Tables maintenance task.
Symptoms
You are running Configuration Manager current branch, version 2002.
You try to edit the Update Application Catalog Tables maintenance task by using the following steps:
1. In the Configuration Manager console, you go to Administration > Site Configuration > Sites .
2. You select the site that has the maintenance task that you want to set up, and select the Maintenance
Tasks tab in the details pane.
3. You right-click the Update Application Catalog Tables maintenance task, and then you select Edit .
In this scenario, you receive the following error message:
Not found
-------------------------------
Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException Not found
, property = DeviceName
Stack Trace:
at
Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObjectBase.get_Item
(String name)
at
Microsoft.ConfigurationManagement.AdminConsole.SiteMaintenance.TaskGeneral.InitializePageControl()
at Microsoft.ConfigurationManagement.AdminConsole.SmsPropertyPage.OnInitialize()
-------------------------------
Workaround
To work around this issue, edit the maintenance task by using the following steps instead:
1. In the Configuration Manager console, go to Administration > Site Configuration > Sites .
2. Select the site.
3. On the Home tab, in the Settings group, select Site Maintenance .
4. Select the Update Application Catalog Tables maintenance task, and then select Edit .
For more information about how to configure maintenance tasks, see Set up maintenance tasks.
Attaching a central administration site to a stand-
alone primary site fails when two-factor
authentication is enabled
This article helps you fix an issue in which a central administration site setup fails when you expand a stand-
alone primary site.
Symptom
You have a Configuration Manager current branch version 1810 stand-alone primary site. Two-factor
authentication is enabled in the hierarchy settings.
When you try to expand the stand-alone primary site by installing a central administration site, the central
administration site setup fails. The following errors are logged in the ConfigMgrSetup.log file:
Configuration Manager Setup INFO: Updating primary site's site control file in CAS's database.
Configuration Manager Setup *** insert into vSMS_SC_GlobalProperty (SiteNumber, PropertyName, Value1,
Value2, Value3) values (1, N'{3B1F3900-A186-11d0-BDA9-00A0C909FDD7} Authentication', N'', N'',
0)~;select convert(BIGINT, SCOPE_IDENTITY())
Configuration Manager Setup *** [42000][50000][Microsoft][SQL Server Native Client 11.0][SQL
Server]Cannot insert Authentication property vSMS_SC_GlobalProperty in this context :
tr_vSMS_SC_GlobalProperty_ins
Cause
This issue occurs because the Authentication global property can only be replicated by using the Data
Replication Service (DRS). If the global property is updated directly without using DRS, the
tr_vSMS_SC_GlobalProperty_ins trigger raises the error.
Resolution
To fix this issue, update the stand-alone primary site to Update Rollup 2 for Configuration Manager version
1810 or Configuration Manager version 1902, and then reattach the central administration site.
Workaround
To work around this issue in Configuration Manager current branch version 1810:
1. Change the authentication level to disable two-factor authentication:
a. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
b. Select Hierarchy Settings in the ribbon.
c. Switch to the Authentication tab.
d. Select an authentication level other than Windows Hello for Business authentication , and then
select OK .
2. To delete the Authentication property, run the following SQL query on the primary site database:
DELETE p
FROM SC_GlobalProperty p
INNER JOIN SC_GlobalProperty_Property gp ON p.ID = gp.GlobalPropertyID AND gp.Name=N'{3B1F3900-A186-
11d0-BDA9-00A0C909FDD7} Authentication'
3. Reattach the central administration site.

Connectivity issues if the DigiCert Global Root G2
root certificate is not installed
Symptoms
You experience connectivity issues on a Microsoft Endpoint Configuration Manager service connection point
role. When these issues occur, you experience either of the following symptoms:
During uploads or syncs to Configuration Manager cloud services, you receive the following status
message IDs that indicate a communications failure:
9605: DMP_UPLOADER_UPLOAD_FAILED
9607: DMP_UPLOADER_UPLOAD_EXCEPTION
The following error entry is logged in the Configuration Manager logs:
Failed to check and load ser vice signing cer tificate. System.ArgumentException: Fail to
build chain
Cause
This issue can occur if any of the following conditions are true:
The automatic root certificate mechanism is disabled.
The DigiCer t Global Root G2 root certificate isn’t installed.
The intermediate certificates aren’t installed in the Intermediate Cer tification Authorities store.
Your environment allows outbound calls to only specific Cer tificate Revocation List (CRL) downloads or
Online Cer tificate Status Protocol (OCSP) verification locations.
Resolution
Install the latest root certificates. The root certificates may not automatically install if you’re running a
disconnected environment, or if the necessary internet endpoints are blocked.
Disconnected environments
Update trusted root certificates and disallowed Cer tificate Trust Lists (CTLs) within disconnected
environments.
Within disconnected environments, administrators must set up either a file share or a web server to host the
files internally. Group Policy settings are also updated so that the clients and servers use the internal file share or
web server instead of the internet location.
Systems that are running within disconnected environments have to have the new roots added to the Trusted
Root Cer tification Authorities store, and have the intermediates added to the Intermediate Cer tification
Authorities store.
You can consider your environment to be disconnected if either of the following conditions is true:
Direct access to Windows Update is blocked.
The auto update mechanism for both trusted and untrusted CTLs is disabled.
For information about how to facilitate the distribution of trusted or untrusted certificates for disconnected
environments, see Configure Trusted Roots and Disallowed Certificates.
Internet endpoints
If you have an environment in which rules are set to allow outbound calls to only specific Cer tificate
Revocation List (CRL) downloads, or Online Cer tificate Status Protocol (OCSP) verification locations,
you must allow the following CRL and OCSP URLs:
http://crl3.digicert.com
http://crl4.digicert.com
http://ocsp.digicert.com
http://www.d-trust.net
http://root-c3-ca2-2009.ocsp.d-trust.net
http://ctldl.windowsupdate.com
https://mscrl.microsoft.com
https://crl.microsoft.com
https://oneocsp.microsoft.com
http://ocsp.msocsp.com
More Information
Microsoft maintains the list of root certificates that are distributed by the Windows Root Cer tificate
Program , on the program website.
For more information about the Windows Root Cer tificate Program and the list of certification authorities
(CAs) who are members, see Release notes - Microsoft Trusted Root Certificate Program.
Root certificate update mechanisms are available in different versions of Windows. This includes the automatic
root update mechanisms.
For more information about how to update the root certificate list in different versions of Windows, see
Configure Trusted Roots and Disallowed Certificates.
By default, the automatic root update mechanism is enabled in different versions of Windows. However, if this
mechanism is disabled, and the service connection point server doesn’t have the DigiCer t Global Root G2
root certificate installed, connectivity issues with Configuration Manager cloud services may occur. The
Configuration Manager on premises hierarchy may no longer be able to access the Microsoft
Configuration Manager cloud services and other such resources.
For more information, see Azure TLS certificate changes and Azure IoT TLS: Changes are coming.
Next steps
For additional information about connectivity requirements and troubleshooting for Configuration Manager ,
see the following items:
Internet endpoint requirements for Configuration Manager
Troubleshooting update and servicing issues for Configuration Manager
Enable multi-factor authentication for SMS Provider
calls
Starting in Configuration Manager current branch version 1702, you can enable multi-factor authentication
(MFA) for Systems Management Server (SMS) Provider calls to prevent unauthorized administrative accesses.
How to enable MFA for SMS Provider calls

IMPORTANT
You must be a member of the Full Administrator role that has access to the All scope to set and change MFA setting for
SMS Provider calls.
To enable MFA, follow these steps:

1. Open WBEMTEST.
2. Connect to the Configuration Manager primary site namespace root\sms\site_<site code> . Then, select
Execute Method .
3. In the Object Path field, enter sms_site , and then select OK .

4. In Method list, select SetAuthenticationLevel , and then select Edit In Parameters .
5. Edit the AuthenticationLevel and ExceptionList properties, and then select Save Object .
NOTE
Both AuthenticationLevel and ExceptionList are global properties that are used on all primary sites.
Edit the AuthenticationLevel property.

Refer to the following table to set the value of AuthenticationLevel .
VA L UE DESC RIP T IO N
0 This is the default value. For this value, a second

layer of authentication isn't required. Everyone can
make SMS Provider calls based on their role-based
access.
10 For this level, users who are logged on by using a

PIN or smart card can make SMS Provider calls if
they have the appropriate permissions to access the
respective provider.
20 For this level, users who are logged on by using a

PIN can make provider calls if they have the
appropriate permissions to access the respective
provider.
Edit the ExceptionList property.
You can bypass MFA for users in the ExceptionList , such as service accounts. Add the UserSID or
SecurityGroupSID to the ExceptionList . To determine the SIDs, see Well-Known SID Structures.
NOTE
Users in the ExceptionList can't call the SetAuthenticationLevel method.
6. select Execute! , and then select Dismiss .

Management points stop responding to HTTP
requests with error 500.19
This article provides the steps to solve the issue that HTTP Error 500.19 error occurs when you try to connect
to a management point list address by using a web browser.
Symptom
Configuration Manager management points stop responding to client requests. When you use a web browser to
connect to the management point list address ( http://<ServerName>/sms_mp/.sms_aut?mplist ), you receive this
error message:
HTTP Error 500.19 - Internal Server Error
This error message is also logged in the IIS log on the management point computer during client requests.
Cause
This issue occurs if the WSUS server role was previously installed on the management point computer. When
the WSUS server role was installed, it installed the XPress compression schema module (suscomp.dll) that
loaded in every application pool in IIS. If the 32-bit version of suscomp.dll is loaded in an application pool that
runs in 64-bit mode, you experience this issue.
Resolution
1. Locate %windir%\system32\inetsrv\config .
2. Open the applicationHost.config file in Notepad.
3. Look for an entry like this:
<scheme name="xpress" doStaticCompression="false" doDynamicCompression="true"

dll="C:\Windows\system32\inetsrv\suscomp.dll" staticCompressionLevel="10"
dynamicCompressionLevel="0" />
4. Remove the XPress compression schema by running the following command from an elevated command
prompt:
%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /-

[name='xpress']
5. Verify that the compression schema is removed from the applicationHost.config file, and then save the
file.
6. Run the following command from an elevated command prompt:
iisreset
Configuration Manager management points fail
after the Client Health Evaluation task runs
This article describes an issue in which Configuration Manager management points fail and return HTTP 500
errors.
Symptoms
Microsoft System Center 2012 Configuration Manager management points that are collocated with the client
fail daily by returning HTTP 500 errors to calling clients. This problem occurs after the Client Health
Evaluation task runs and reinstalls the client. In this situation, the CCMEval.log file contains entries that
resemble the following:
Loading manifest file: C:\Program Files\SMS_CCM\CcmEval.xml

Successfully loaded ccmeval manifest file.
Begin evaluating client health rules.
Successfully retrieved all client health checks.
Evaluating health check rule {4AB7D77D-3BB0-4EAB-BEFD-7C0F7DA10296} : Verify WMI service exists.
Evaluating health check rule {518C0699-03F8-4F38-85C4-4D319EAEFC05} : Verify/Remediate WMI service
startup type.
Evaluating health check rule {7F4B6E15-2221-455B-9615-93C379E470D5} : Verify/Remediate WMI service
status.
Evaluating health check rule {A81778B5-9A1E-4A52-9C6E-6939CEFAA118} : WMI Repository Integrity Test.
Windows has an improper shutdown before the latest start up at 20121218093732.000000-000
Evaluating health check rule {14E6774A-1795-4E09-B17D-B6F36A124205} : WMI Repository Read/Write
Test.
Failed to delete class 'CIM_ClassDeletion' (80041002)
Failed to delete class 'CIM_ClassCreation' (80041002)
Failed to delete class 'CIM_ClassModification' (80041002)
Failed to delete class 'CIM_ClassIndication' (80041002)
Failed to delete class 'CIM_InstCreation' (80041002)
Failed to delete class 'CIM_InstModification' (80041002)
Failed to delete class 'CIM_InstDeletion' (80041002)
Failed to delete class 'CIM_InstIndication' (80041002)
Failed to delete class 'CIM_Indication' (80041002)
Failed to delete class 'MSFT_ExtendedStatus' (80041002)
Failed to delete class 'MSFT_WmiError' (80041002)
Failed to delete class 'CIM_Error' (80041002)
Fail to delete namespace (root\cimv2\ccm2) (0x80041002)
Checking WMI repository for feature General failed
WMI check failed
Windows has an improper shutdown before the latest start up at 20121218093732.000000-000
Stopped the service 'ccmexec' successfully
Stopped dependent services for service 'winmgmt' successfully
Stopped the service 'winmgmt' successfully
Attempting to launch repository repair.
Attempting to remediate client or client prerequisite installation.
Client or client prerequisite installation remediation succeeded.
Failed to delete class 'CIM_ClassDeletion' (80041002)
Failed to delete class 'CIM_ClassCreation' (80041002)
Failed to delete class 'CIM_ClassModification' (80041002)
Failed to delete class 'CIM_ClassIndication' (80041002)
Failed to delete class 'CIM_InstCreation' (80041002)
Failed to delete class 'CIM_InstModification' (80041002)
Failed to delete class 'CIM_InstDeletion' (80041002)
Failed to delete class 'CIM_InstIndication' (80041002)
Failed to delete class 'CIM_Indication' (80041002)
Failed to delete class 'MSFT_ExtendedStatus' (80041002)
Failed to delete class 'MSFT_WmiError' (80041002)
Failed to delete class 'CIM_Error' (80041002)
Fail to delete namespace (root\cimv2\ccm2) (0x80041002)
Checking WMI repository for feature General failed
WMI check failed
Result: Remediation Failed, ResultCode: 304, ResultType: 202, ResultDetail:
root\cimv2\ccm2#CCMEVALPARAMSEP#20121218093732.000000-000*
Cause
This issue may occur if Windows Management Framework 3.0 (described in KB 2506143) has been installed in
your System Center 2012 Configuration Manager RTM environment. The System Center 2012 Configuration
Manager RTM client is incompatible with Windows Management Framework 3.0. During the daily Client
Health Evaluation , CCMEval.exe mistakenly finds the WMI repository to be corrupted. Therefore, CCMEval.exe
requests a rebuild and then reinstalls the client. The rebuild of the repository by CCMEval causes loss of
management point-specific information, methods, and more from WMI. This causes the management point to
fail.
System Center 2012 Configuration Manager Service Pack 1 (SP1) provides official support for Windows
Management Framework 3.0. Therefore, System Center 2012 Configuration Manager SP1 is not affected by this
issue.
Resolution
To resolve this issue, apply System Center 2012 Configuration Manager SP1 to your environment. For System
Center 2012 Configuration Manager RTM environments, you can work around the issue by setting the following
registry value to True on the affected clients:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\CcmEval\NotifyOnly
When this registry value is set to True , the client still runs the evaluation task daily and then incorrectly reports
that the WMI repository is corrupted. However, it does not request the repository rebuild or the daily client
reinstallation.
If the management point is already failing because of the evaluation that is being run, you must uninstall and
then reinstall the management point to make sure that it is back online. To do this, follow these steps:
1. Under Ser vers and Site System Roles , select the server that is hosting the failing management point.
2. Right-click the management point role, and then select Remove Role .
3. Monitor the MPSetup.log on the management point server to make sure that the removal is complete.
4. Right-click the same server, and then select Add Site System Roles .
5. In the wizard, select the management point role, and then monitor the MPSetup.log on the management
point server to make sure that the reinstallation is complete.
Configuration Manager service connection point
doesn't download updates
This article helps you fix an issue where a service connection point doesn't download updates. This issue occurs
when the Baltimore CyberTrust Root certificate is missing, expired, or corrupted.
Original product version: Configuration Manager (current branch), Microsoft Intune
Symptoms
A service connection point that's running in a Configuration Manager current branch environment doesn't
download updates, and entries that resemble the following are logged in DMPDownloader.log:
Download manifest.cab SMS_DMP_DOWNLOADER 8/2/2016 2:20:24 PM 7568 (0x1D90)

WARNING: Failed to download easy setup payload with exception: The underlying connection was closed:
Could not establish trust relationship for the SSL/TLS secure channel. SMS_DMP_DOWNLOADER 8/2/2016
2:20:25 PM 10760 (0x2A08)
WARNING: Retry in the next polling cycle SMS_DMP_DOWNLOADER 8/2/2016 2:20:25 PM 10760 (0x2A08)
You may also notice client connectivity issues when you use Microsoft Intune.
Cause
The service connection point uses the Intune service when it connects to http://go.Microsoft.com or
https://manage.Microsoft.com. If the Baltimore CyberTrust Root certificate is missing, expired, or corrupted, the
Intune connection attempt is rejected.
Resolution
This is a known issue for Intune, as documented in Connectivity issues may occur when the Baltimore
CyberTrust root certificate is not installed. However, this update is no longer displayed on the Microsoft Update
Catalog.
As a workaround, you can export the certificate from the certificate authority in your environment.
After you've obtained the certificate, you must import it. To import the certificate, follow these steps:
1. Open a command prompt with administrative rights (run as Administrator).
2. Run the mmc command.
3. On the File menu, select Add/Remove Snap-in .
4. Select Cer tificates , and then select Add .
5. Select Computer Account , and then select Next .
6. Select Local Computer , select Finish , and then select OK .
7. In the console tree, expand Cer tificates > Trusted Root Cer tificate Authorities > Cer tificates .
8. Right-click Cer tificates , and then select Impor t .
9. Import the Baltimore CyberTrust Root certificate.
10. Restart the computer.
You should now see an entry for Baltimore CyberTrust Root under Trusted Root Cer tificate Authority :
More information
The Intune Connector experiences connectivity issues if the Baltimore CyberTrust Root certificate is not installed,
is expired, or is corrupted on the computer that's using Intune.
For more information about this issue, see Connectivity issues may occur when the Baltimore CyberTrust root
certificate is not installed.
Troubleshoot state message processing
performance issues
Applies to: Configuration Manager

State messaging is one of the most important reporting mechanisms in Configuration Manager. It's responsible
for application and update deployment statistics, and many other flows.
In this article, we focus on the SMS_STATE_SYSTEM component (also referred to as StateSys) that processes the
incoming state messages and updates the database.
For more information about the state messaging system, see Description of state messaging in Configuration
Manager.
Symptoms
A Configuration Manager administrator notices a significant delay in reporting Software Update compliance and
application deployment. In this situation, the
<Configuration Manager Installation Directory>\Inboxes\auth\statesys.box\incoming folder contains a large
number of files. For example, there are millions of files.
Here's a sample output when you filter the InboxMon.log file by StateSys :
06-11-2021 08:53:35.276 SMS_INBOX_MONITOR 8972 (0X230C) FILE COUNT FOR DIRECTORY F:\PROGRAM
FILES\MICROSOFT CONFIGURATION MANAGER\INBOXES\AUTH\STATESYS.BOX\INCOMING\HIGH IS 13360.~
FILES\MICROSOFT CONFIGURATION MANAGER\INBOXES\AUTH\STATESYS.BOX\INCOMING\LOW IS 347.~
FILES\MICROSOFT CONFIGURATION MANAGER\INBOXES\AUTH\STATESYS.BOX\INCOMING IS 1087076.~
The number of files might continue to grow, or it might decrease too slowly for the files to be processed within a
reasonable time frame. This issue might occur after a long server outage or a large-scale deployment.
Cause
The incoming files are plain text XML files that usually have a file name extension of .smx or .smw . These files
contain the client ID (known as SMS GUID) and payload. Typically, every file contains multiple messages. It's
because a client will batch the messages before it sends them (the default is 15 minutes).
StateSys is designed to pick up files in batches, parse XML files, and update the database. When it updates the
database, it runs some SQL stored procedures and CLR assemblies that are provided by Configuration Manager.
Therefore, it mainly depends on the SQL Server back-end performance. When SQL Server is saturated with
other tasks for a long time, this condition can cause status messages to accumulate.
At the same time, StateSys has some designs that may prevent it from catching up with a backlog of nearly
millions of files:
Files are processed in alphabetical order, but not in "first in first out (FIFO)" order. Because the management
point generates random names for the files, new messages might be processed before old messages.
StateSys is resilient to this situation.
Each message contains a sequence number. StateSys maintains a list of missing ranges that are stored in the
SR_MissingRanges table. When a missing range becomes older than two days (default), StateSys issues a
resynchronization for the client. The resynchronization causes the client to send a large XML file that goes to
the same queue as all other messages. If new status messages are always processed two days earlier than
old messages, this condition can become a vicious cycle for some clients and cause frequent
resynchronization.
Resolution
To troubleshoot the performance issue, follow these steps:
1. Identify and eliminate the issue that causes the backlog.
If the issue is a massive deployment, disable the deployment temporarily, or reconsider the deployment
strategy. For example, if you deploy a software update group of 1,000 updates, it might generate
enforcement state messages for each update, each state (by default), each client, and the entire group.
This can create millions of state messages.
If the issue is poor SQL Server performance, work with your database administrator to resolve the issue.
If there are many files that can't be processed, investigate the root cause first.
2. Establish a Configuration Manager performance baseline to understand the usual processing rate of your
environment. Particular performance counters for StateSys include "Message Records Processed/min"
and "Message File Records PreProcessed/min." Typically, these average tens of thousands. If there are no
files to be processed, both counters will decrease to 0.
If your usual processing rate isn't enough to handle the backlog, go to the next step.
3. Change the internal settings of the SMS_STATE_SYSTEM component.
WARNING
Serious problems might occur if you change these settings incorrectly. Microsoft can't guarantee that these
problems can be solved, and doesn't support this scenario. Modify the settings at your own risk. We recommend
that you restore these settings after you resolve the backlog.
You must have at least Configuration Manager infrastructure administrator permissions to be able to
modify these settings.
a. Use the Windows Management Instrumentation Tester tool (Wbemtest) to connect to the SMS
Provider. Select Connect , enter the site server under Namespace , and then select Connect . Enter
root\SMS\site_<site code> for a local connection, or enter
\\MachineName\root\SMS\site_<site code> for a remote connection.
b. Select Quer y , enter the following query, and then select Apply :
SELECT * FROM SMS_SCI_COMPONENT WHERE ITEMNAME = 'SMS_STATE_SYSTEM|SMS SITE SERVER'
This query returns the list of Configuration Manager sites that have the SMS_STATE_SYSTEM
component installed.
c. Double-click the site whose settings you want to change, and then double-click Props from the list
of properties of the <site>/StateSys instance.
d. To see the list of embedded properties of this instance, select View Embedded .
e. Double-click each embedded property to check the property name and value. Look for the
property that has the name Loader Threads and the value 4 .
f. Double-click Value , increase the value to 16 . Select Save Proper ty , and then select Save Object .
g. Look for another embedded property that has the name Min Missing Message Age and the
value 2,880 (minutes).
h. Double-click Value , and increase the value to 10,080 (seven days) to prevent unnecessary
resynchronization. Select Save Proper ty , and then select Save Object .
i. In the Proper ty Editor dialog of Props , select Save Proper ty .
j. In the Object Editor dialog of the StateSys instance, select Save Object .
k. Close Wbemtest.
l. Use Configuration Manager Service Manager to stop and then restart the SMS_STATE_SYSTEM
component.
After the SMS_STATE_SYSTEM component is restarted, the new settings are logged in StateSys.log,
as follows.
08-24-2021 21:24:16.574 SMS_STATE_SYSTEM 19380 (0X4BB4) USING THE FOLLOWING
CONFIGURATION PROPERTIES FROM THE SITEF CONTROL FILE:
08-24-2021 21:24:16.575 SMS_STATE_SYSTEM 19380 (0X4BB4) SITE CODE
CB1
08-24-2021 21:24:16.575 SMS_STATE_SYSTEM 19380 (0X4BB4) PARENT SITE CODE
08-24-2021 21:24:16.576 SMS_STATE_SYSTEM 19380 (0X4BB4) LOADER THREADS
16
08-24-2021 21:24:16.576 SMS_STATE_SYSTEM 19380 (0X4BB4) INBOX POLLING INTERVAL
(SECS) 900
08-24-2021 21:24:16.577 SMS_STATE_SYSTEM 19380 (0X4BB4) LOADER CHUNK SIZE (KB)
256
08-24-2021 21:24:16.578 SMS_STATE_SYSTEM 19380 (0X4BB4) MAX CHUNKS FETCHED
100
08-24-2021 21:24:16.578 SMS_STATE_SYSTEM 19380 (0X4BB4) VERBOSE LOGGING
NO
08-24-2021 21:24:16.579 SMS_STATE_SYSTEM 19380 (0X4BB4) MIN RESYNC PERIOD (HOURS)
72
08-24-2021 21:24:16.579 SMS_STATE_SYSTEM 19380 (0X4BB4) RESYNC CHECK INTERVAL (MIN)
15
08-24-2021 21:24:16.580 SMS_STATE_SYSTEM 19380 (0X4BB4) MIN MISSING MESSAGE AGE
(MIN) 10880
08-24-2021 21:24:16.581 SMS_STATE_SYSTEM 19380 (0X4BB4) HEARTBEAT MESSAGE INTERVAL
(MIN) 60
08-24-2021 21:24:16.581 SMS_STATE_SYSTEM 19380 (0X4BB4) === STATESYS HAS BEEN
SUCCESSFULLY INITIALIZED. ===
m. Monitor the processing rate improvement through performance counters and SQL Server CPU
load. If the CPU load continues to exceed 80 percent, consider reducing the Loader Threads value
to avoid saturating other Configuration Manager activities. Conversely, if you see an increase in
the processing speed at almost no CPU cost, increase the number of threads.
More information
Microsoft Premier Services provides the following proactive deliveries:
On-demand Assessment for Configuration Manager
Microsoft Endpoint Configuration Manager: Troubleshooting Infrastructure
Contact the Customer Success Account Manager (CSAM) for your Premier Support contract to plan these
engagements.
SMS_EXECUTIVE service crashes when a SQL
Server certificate can't be found
This article helps you work around an issue in which the SMS_EXECUTIVE service crashes when the SQL Server
certificate can't be found in the certificate store.
Symptoms
The SMS_EXECUTIVE service silently crashes when the SQL Server certificate can't be found in the certificate
store. This issue occurs repeatedly and affects Configuration Manager current branch versions 1602 and 1606.
The issue is fixed in Configuration Manager current branch versions 1610.
Workaround
To work around this issue, use the following PowerShell cmdlet to create a self-signed certificate. Then, specify
the provider to import the certificate into the local computer store of the Configuration Manager server.
New-SelfSignedCertificate -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -Subject
"CN=AUCOLO-SCCM.contoso.com" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -KeyAlgorithm RSA -
KeyLength 2048 -DnsName "AUCOLO-SCCM.contoso.com" -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-
Date).AddMonths(120) -KeyExportPolicy "Exportable"
certutil -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx Self-signed-new5.pfx-
Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -Subject "CN=AUCOLO-SCCM.contoso.com" -
TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -KeyAlgorithm RSA -KeyLength 2048 -DnsName "AUCOLO-
SCCM.contoso.com" -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddMonths(120) -
KeyExportPolicy "Exportable"
certutil -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx Self-signed-new5.pfx
Replace the Subject and DnsName parameters with the right values in the cmdlet.
NOTE
This cmdlet must be run on a Windows 10-based computer, as the parameters are supported only in Windows 10.
Can't create a software update package or
application after moving the site database
This article provides a solution for the issue that you cannot create a software update group, software update
package, or application after you move the Configuration Manager SQL Server site database.
Symptoms
After you move the Configuration Manager SQL Server site database to a different drive, and then you try to
create a software update group, software update package, or application, the operation fails, and these log
entries are logged in the SMSProv.log file:
*** *** Unknown SQL Error! SMS Provider 14-03-2012 07:56:47 2016 (0x07E0)
*~*~*** Unknown SQL Error! ThreadID : 2016 , DbError: 50000 , Sev: 16~*~* SMS Provider 14-03-2012
07:56:47 2016 (0x07E0)
*** [24000][0][Microsoft][SQL Server Native Client 10.0]Invalid cursor state SMS Provider 14-03-2012
07:56:48 2016 (0x07E0)
*~*~[24000][0][Microsoft][SQL Server Native Client 10.0]Invalid cursor state *** Unknown SQL Error!
ThreadID : 2016 , DbError: 0 , Sev: 0~*~* SMS Provider 14-03-2012 07:56:48 2016 (0x07E0)
SQL Server Profiler provides the following additional details:
An error occurred in the Microsoft .NET Framework while trying to load assembly id 65539. The server may
be running out of resources, or the assembly may not be trusted with PERMISSION_SET =
EXTERNAL_ACCESS or UNSAFE. Run the query again, or check documentation to see how to solve the
assembly trust issues. For more information about this error:
System.IO.FileLoadException: Could not load file or assembly 'cryptoutility, Version=5.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An error relating to security occurred.
(Exception from HRESULT: 0x8013150A)
System.IO.FileLoadException:
at System.Reflection.Assembly._nLoad(AssemblyName fileName, String codeBase, Evidence
assemblySecurity, Assembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound,
Boolean forIntrospection)
at System.Reflection.Assembly.InternalLoad(AssemblyName assemblyRef, Evidence assemblySecurity,
StackCrawlMark& stackMark, Boolean forIntrospection)
at System.Reflection.Assembly.InternalLoad(String assemblyString, Evidence assemblySecurity,
StackCrawlMark& stackMark, Boolean forIntrospection)
at System.Reflection.Assembly.Load(String assemblyString)
Cause
This problem may occur if the SQL Server site database MDF and LDF files are moved to a different drive. For
example, this problem may occur if the Configuration Manager site database is created on
C:\Program files\MSSQL server\data , and then the MDF and LDF files are moved to D:\CM2012DB to save space.
NOTE
This is a supported SQL Server operation. For more information, see Move a Database Using Detach and Attach
(Transact-SQL).
This problem occurs because the TRUSTWORTHY database property of the site database that is set to ON by
default is reset to OFF when you detach and reattach the database. When the database is not configured to have
the property set to ON , <ConfigMgr_Install>\bin\x64\CryptoUtility.dll fails to load into SQL Server, and you
receive the invalid cursor state error message that is mentioned in the Symptoms section.
Resolution
To resolve this problem, follow these steps:
1. Manually reset the property to ON by running this command against your Configuration Manager
database:
ALTER DATABASE <ConfigMgr DB>

SET TRUSTWORTHY ON
2. Make sure that the database that was moved is owned by the SA account.
3. Make sure that the Isolation Level value is set to READ_COMMITTED_SNAPSHOT . To check this value,
run this command:
DBCC USEROPTIONS
4. If the Isolation Level value is set to anything other than READ COMMITTED SNAPSHOT , run the
following commands in the given order:

SET ALLOW_SNAPSHOT_ISOLATION ON

SET READ_COMMITTED_SNAPSHOT ON
NOTE
You may have to change the SQL Server database to Single User mode before you run the commands in step 4. For more
information about how to detach and attach a database in SQL Server, see Database Detach and Attach (SQL Server).
More information
An iDNA (Time Travel) trace of the SQL Server process shows the following exception:
Number of exceptions of this type: 3

Exception MethodTable: 000007fef2524e30
Exception object: 0000000201027798
Exception type: System.IO.FileLoadException
Message: Could not load file or assembly 'cryptoutility, Version=5.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An error relating to security occurred.
(Exception from HRESULT: 0x8013150A)
InnerException: <none>
StackTrace (generated):
SP IP Function
00000000204F8DC0 0000000000000001
System.Reflection.Assembly._nLoad(System.Reflection.AssemblyName, System.String,
System.Security.Policy.Evidence, System.Reflection.Assembly, System.Threading.StackCrawlMark ByRef,
Boolean, Boolean)
00000000204F8DC0 000007FEF23DBF61
System.Reflection.Assembly.InternalLoad(System.Reflection.AssemblyName, System.Security.Policy.Evidence,
System.Threading.StackCrawlMark ByRef, Boolean)
00000000204F8E50 000007FEF23DC127 System.Reflection.Assembly.InternalLoad(System.String,
System.Security.Policy.Evidence, System.Threading.StackCrawlMark ByRef, Boolean)
00000000204F8EB0 000007FEF2443A54 System.Reflection.Assembly.Load(System.String)
00000000204F8EF0 000007FF002D9FF7
System.Data.SqlServer.Internal.SqlAppDomain.LoadRawAssembly(Char*, Int32, IntPtr ByRef,
System.Data.SqlServer.Internal.EClrReturnCode ByRef
Failed to find folder or Failed to find file error when
you move a site database
This article provides a workaround to solve the Failed to find folder or Failed to find file error when you try
to move a site database.
Symptoms
When you do site maintenance to move a Configuration Manager site database to a new standalone instance of
Microsoft SQL Server, or to a new SQL Server AlwaysOn availability group, the Configuration Manager setup
process fails and generates error messages that resemble the following in the ConfigMgrSetup.log.
Error message 1
INFO: SQL Connection succeeded. Connection: SMS ACCESS, Type: Secure

INFO: SQL Server Native Client: SQLNCLI11 version:<11.0.2100.60>
ERROR: Failed to find folder of SQL Server assembly setup msi.
Error message 2
ERROR: SQL Connection failed. Connection: SMS ACCESS, Type: Secure

ERROR: Failed to get SQL Server connection.
INFO: SQL Server Native Client: SQLNCLI11 version:<11.2.5641.0>
ERROR: Failed to find file: c:\temp\redist\msxml6_x64.msi.
Cause
This problem can occur if Configuration Manager cannot find the required files. Typically this is because of an
invalid registry key value for the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Setup\External File Directory
Workaround
To work around this problem, use Setupdl.exe to download the required files to a locally accessible folder. The
version of Setupdl.exe that you use must match the version of the site so that the correct files are downloaded.
Setupdl.exe will automatically update the registry value to have the new, correct download path.
A site-matching version of Setupdl.exe can be found in the cd.latest folder in the following location on the site
server:
<InstallationDrive>:\Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\BIN\X64\setupdl.exe
For environments where the site servers cannot access the Internet, you can run Setupdl.exe from an Internet-
connected system, copy the required files to the site server, then manually update the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Setup\External File Directory subkey.
More information
Microsoft is researching this problem and will post more information in this article as it becomes available.
Function sequence error repeatedly logged in
Smsdbmon.log in Configuration Manager current
branch version 1902
This article describes an issue in which the Function sequence error entry is repeatedly logged in
Smsdbmon.log in Configuration Manager current branch version 1902.
Symptoms
After you install or update to Configuration Manager current branch version 1902, the following error entry is
repeatedly logged in the Smsdbmon.log file:
SMS_DATABASE_NOTIFICATION_MONITOR *** exec dbo.spGetChangeNotifications

SMS_DATABASE_NOTIFICATION_MONITOR *** [HY010][0][Microsoft][ODBC Driver Manager] Function
sequence error
Resolution
More information
This error message can be safely ignored.
Site system installation account is incorrectly used
for a remote site system to connect to SQL Server
database
This article provides a workaround for the issue that the site system installation account is incorrectly used to
update the SQL Server database for a remote site server.
Symptoms
You install Configuration Manager together with a remote Microsoft SQL Server in the same domain as the
site server.
You have a remote site system that is in an untrusted domain (a perimeter network, also known as DMZ,
demilitarized zone, and screened subnet).
You select the Use another account for installing this site system option for the remote site system,
and you specify an account that has local administrative rights on that server.
You deploy roles to the remote site system such as the Distribution Point role.
In this scenario, Configuration Manager may incorrectly try to use the site system installation account that is
configured for the remote site server to update the SQL Server database. When this occurs, the update fails, and
the following messages are logged.
In the remote SQL Server log:
MSSQLSERVER,18452,Logon,Login failed. The login is from an untrusted domain and cannot be used with
Windows authentication. [CLIENT: primary_site_server_IP_address]
In Distrmg.log:
[28000][18452][Microsoft][ODBC SQL Server Driver][SQL Server]Login failed. The login is from an

untrusted domain and cannot be used with Windows authentication.
Failed to connect to the SQL Server. Cannot save the package status to the data source...
Resolution
Workaround
To work around this issue without updating, on the SQL Server, create a local account that has the same name as
the site system installation account that is configured for the remote site server, and grant the account access to
the Configuration Managers database. Then, pass through authentication works around Configuration
Manager's use of the site system installation account.
SQL Server cumulative updates must be manually
installed on secondary sites that use SQL Server
Express
This article describes that SQL Server cumulative updates must be manually installed on secondary System
Center 2012 Configuration Manager sites that use SQL Server Express.
System Center 2012 Configuration Manager

The original RTM version of System Center 2012 Configuration Manager installs SQL Server Express 2008 R2
Service Pack 1 (SP1) when you deploy a new secondary site. The minimum supported SQL Server version is
Cumulative Update 4 for SQL Server 2008 R2 SP1. You must manually install Cumulative Update 4 for SQL
Server 2008 R2 SP1 on the new secondary site after the site is installed.
For more information about Cumulative Update 4 for SQL Server 2008 R2 SP1, see (Cumulative update
package 4 for SQL Server 2008 R2 Service Pack 1).

While the RTM version of System Center 2012 Configuration Manager requires Cumulative Update 4 for SQL
Server 2008 R2 SP1, System Center 2012 Configuration Manager SP1 requires Cumulative Update 6 for SQL
Server 2008 R2 SP1 (or SQL Server 2008 R2 SP2).
If you attempt to upgrade a secondary site to SP1 from the primary console and the SQL version on the
secondary site is not at the proper level, the UI will indicate that prerequisite checks failed and suggest checking
the ConfigMgrPrereq.log on the primary site. The log will show something similar to the following:
<01-04-2013 16:25:14> INFO: Check Sql version on secondary site.

<01-04-2013 16:25:28> INFO: RemoteCheckSqlVersion result:9
<01-04-2013 16:25:28> secondary.contoso.com; SQL Server version; Error; Configuration Manager sites
require a supported SQL Server version with required hotfixes for site database operations to succeed.
Before Setup can continue, you must install a supported version of SQL Server on the specified site
database server. For more information, see http://go.microsoft.com/fwlink/p/?LinkID=232936.
If you wish to upgrade to System Center 2012 Configuration Manager SP1 on these secondary sites, you must
first manually upgrade SQL on your secondary sites to Cumulative Update package 6 for SQL Server 2008 R2
SP1 (or SQL Server 2008 R2 SP2) before beginning the Configuration Manager SP1 upgrade process.
For more information about Cumulative Update 6 for SQL Server 2008 R2 SP1, see Cumulative update package
6 for SQL Server 2008 R2 Service Pack 1.
For more information about SQL Server 2008 R2 SP2, see SQL Server 2008 R2 Service Pack 2.
Support policies for manual database changes in a
Configuration Manager environment
This article describes Microsoft support policies for changes that are made to the site database (SQL Server
database) in Configuration Manager (all versions).
Original product version: Microsoft System Center 2012 R2 Configuration Manager, Microsoft System Center
2012 Configuration Manager, Configuration Manager (current branch)
Support policies for manual database changes

Additions or changes that are made to the schema, structure, views, or objects in the site database are not
supported if they are made outside the Software Development Kit (SDK) or the Configuration Manager product.
This includes changes that are made under the guidance of Microsoft Customer Support, Microsoft Consulting
Services, or other partner organizations to help troubleshoot problems or performance issues.
In this context, not suppor ted is defined as follows:
Changes are made at your own risk. The Configuration Manager product team doesn't offer testing of
database changes.
Updates or upgrades to the product may revert your changes.
Servicing support is not available for issues that are caused by custom changes to the database. Servicing
support is defined as requests for out-of-band (hotfix or cumulative update) changes that are made to
resolve problems or alter the product design.
This definition doesn't prevent you from contacting Microsoft Customer Support, and it doesn't automatically
exempt the whole environment from support. Changes that are made by using the guidance of official
documentation are supported. However, such changes are not guaranteed to persist after updates or upgrades
are applied.
NOTE
Microsoft Customer Support cannot build, rebuild, troubleshoot, or maintain custom changes to the database. When you
contact Support, you may be asked to revert the changes to resolve a problem. Additionally, you may be asked to
reproduce the same problem independent of those changes to help Support agents escalate your case and work toward a
resolution.
Because of the diverse nature of Configuration Manager installations, some unsupported changes (such as
adding a new index) are still desirable to optimize performance for a given environment. We recommend that
you test such changes thoroughly in your environment to make sure that they meet your business needs and do
not introduce unintended side effects. Remember that these changes may be reverted during an update or
upgrade of the product.
If you believe that product changes that you have made in your environment would be appropriate to include in
a future version of the product, we encourage you to submit the details to the Microsoft Endpoint Configuration
Manager Feedback site.
Unable to send update on component warnings are
repeatedly logged in Smsdbmon.log
This article fixes an issue in which Smsdbmon.log repeatedly reports warnings for multiple triggers, such as
Unable to send update on component PolicyTargetEvalNotify_iud .
Symptoms
After you update to Configuration Manager current branch version 1810, one or more of the following warning
messages are repeatedly logged in Smsdbmon.log:
WARNING: Unable to send update on component PolicyTargetEvalNotify_iud
WARNING: Unable to send update on component PolicyTargetEvalNotify_ColMember_iu
WARNING: Unable to send update on component PolicyAssignmentChg_Notify_iu
WARNING: Unable to send update on component PolicyTargetEvalNotify_iud_upd
Because of the backlog in the TableChangeNotifications table generated by these triggers, you may experience
issues such as slow content distribution.
Cause
During the setup of Configuration Manager current branch version 1810, the following triggers are removed:
SMSDBMON_Collections_L_PolicyTargetEvalNotify_iud_ins
SMSDBMON_Collection_MemberChg_Notif_PolicyTargetEvalNotify_ColMember_iu_ins
SMSDBMON_PolicyAssignmentChg_Notify_PolicyAssignmentChg_Notify_iu_ins
SMSDBMON_Collections_L_PolicyTargetEvalNotify_iud_upd
In some cases, the SMS_EXCUTIVE (SMSExec.exe) starts during the setup. When this occurs, the SMS DB Monitor
(SMSDBMon.exe) re-creates the triggers using the values from the cached registry key located at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Triggers\<SiteCode> .
To verify that this is the issue, compare the time that the update starts in CMUpdate.log and the time that
SMSExec starts in the System event log to determine whether SMSExec starts after the setup runs.
You can also identify when the SMSDBMON component starts and stops by running the following query:
select * from StatusMessages where Component = 'SMS_DATABASE_NOTIFICATION_MONITOR' and MessageID in (500,

501, 502, 503, 504) order by Time DESC
Resolution
Workaround
To work around this issue in Configuration Manager current branch version 1810:
1. Run the registry editor, locate the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Triggers\<SiteCode of the affected site> registry key, and
then determine whether the following registry values exist:
PolicyTargetEvalNotify_iud
PolicyTargetEvalNotify_ColMember_iu
PolicyAssignmentChg_Notify_iu
2. If the values exist, delete them.

3. To drop the triggers from the database, run the following SQL statements on the site database that
experiences this issue:
IF OBJECT_ID('tempdb..#temp') IS NOT NULL

DROP TABLE #temp
select name
INTO #temp
from sys.objects where type = 'TR' and name in
('SMSDBMON_Collections_L_PolicyTargetEvalNotify_iud_ins',
'SMSDBMON_Collection_MemberChg_Notif_PolicyTargetEvalNotify_ColMember_iu_ins',
'SMSDBMON_PolicyAssignmentChg_Notify_PolicyAssignmentChg_Notify_iu_ins','SMSDBMON_Collections_L_Polic
yTargetEvalNotify_iud_upd')
IF Exists (select 1 from #temp)
BEGIN
declare @name NVARCHAR(255)
declare @sql NVARCHAR(255)
DECLARE DELETE_OLD_TRIGGERS CURSOR FOR
SELECT A.Name FROM #temp AS A
OPEN DELETE_OLD_TRIGGERS;
FETCH NEXT FROM DELETE_OLD_TRIGGERS INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
SET @sql = 'DROP TRIGGER ' + @name;
EXECUTE(@SQL);
FETCH NEXT FROM DELETE_OLD_TRIGGERS INTO @name;
END;
CLOSE DELETE_OLD_TRIGGERS;
DEALLOCATE DELETE_OLD_TRIGGERS;
END
4. To clean the TableChangeNotifications table, run the following SQL statements:
WHILE 1=1
BEGIN
DELETE TOP(1000) FROM TableChangeNotifications
WHERE ((Component = 'PolicyTargetEvalNotify_iud' AND TableName = 'Collections_L') OR
(Component = 'PolicyTargetEvalNotify_ColMember_iu' AND TableName =
'Collection_MemberChg_Notif') OR
(Component = 'PolicyAssignmentChg_Notify_iu' AND TableName =
'PolicyAssignmentChg_Notify') OR
(Component = 'PolicyTargetEvalNotify_iud_upd' AND TableName = 'Collections_L'))
IF @@ROWCOUNT <= 0
BREAK;
END
Changes to built-in collections are overwritten when
you upgrade to System Center 2012 Configuration
Manager SP1
This article provides a workaround for the issue that built-in collections that are changed in Microsoft System
Center 2012 Configuration Manager are reset to the default settings when you upgrade to System Center 2012
Configuration Manager Service Pack 1 (SP1).
Symptoms
You have System Center 2012 Configuration Manager installed.
You change one or more of the built-in collections.
You try to upgrade to System Center 2012 Configuration Manager SP1.
In this scenario, you receive the following warning message during the prerequisites check:
One or more of the built-in collections has been modified. If you ignore this warning, these modifications
will be overwritten by Configuration Manager setup.
If you proceed with the upgrade, the built-in collections are reset to the default settings during the upgrade
process.
Cause
This issue occurs because built-in collections are read-only and cannot be changed in System Center 2012
Configuration Manager SP1.
NOTE
In System Center 2012 Configuration Manager, some built-in collections can be changed by administrators.
Workaround
To work around the issue, copy the changed built-in collections before you upgrade to System Center 2012
Configuration Manager SP1, and then re-create the deployment after the upgrade process is complete.
Clients are automatically upgraded after you
update to System Center 2012 R2 Configuration
Manager SP1 CU1
This article provides a workaround to an issue in which clients are automatically upgraded after you update to
System Center 2012 R2 Configuration Manager Service Pack 1 (SP1) CU1.
Symptom
After an upgrade to System Center 2012 R2 Configuration Manager SP1 CU1, Configuration Manager clients
are automatically upgraded to the SP1 client version.
Cause
This is a known issue in which the Configuration Manager Client Retry Task is created under
Microsoft\Microsoft\Configuration Manager in Task Scheduler . After it's installed, the Configuration Manager
client cannot delete the scheduled task that was created in this location. Therefore, the client is scheduled to be
reinstalled every 5 hours.
Workaround
To work around this issue, delete the scheduled task that is created under Microsoft\Microsoft\Configuration
Manager in Task Scheduler .
Error when downloading the
ConfigMgr.AdminUIContent.cab file by using the
SMS_DMP_DOWNLOADER component or the
service connection tool
When you use service connection point online mode or ServiceConnectionTool.exe to download updates in
Configuration Manager, you receive an AdminUIContentDownload error.
Symptoms
When you have the service connection point set to online mode, you may notice that no new
Configuration Manager releases appear in the console. And the following error message is logged in the
DmpDownloader.log file:
Redirected to URL https://configmgrbits.azureedge.net/adminuicontent/ConfigMgr.AdminUIContent.cab

~~
Got fwdlink and recreating the httprequest/response~~
ERROR: Failed to download Admin UI content payload with exception: The underlying connection was
closed: An unexpected error occurred on a send.~~
Failed to call AdminUIContentDownload. error = Error -2146233079~
You have the service connection point set to offline mode. You use the service connection tool
(ServiceConnectionTool.exe) to download and import updates in Configuration Manager. A similar error
message is logged in the ServiceConnectionTool.log file:
ERROR:AdminUIContentDownloadDownload:DownloadManifestCab exception: The underlying

connection was closed: An unexpected error occurred on a send. There may be an issue with internet
connection or the download link.
Cause
This issue occurs because TLS 1.2 isn't enabled for the .NET Framework on the computer that's running the
online service connection point or service connection tool. TLS 1.2 is required to download the .cab file.
Resolution
On the computer that runs the online service connection point or service connection tool, enable TLS 1.2.
In particular, if .NET Framework updates are installed, set the following registry values, and then restart the
computer:
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Values:
SystemDefaultTlsVersions = DWORD:00000001
SchUseStrongCrypto = DWORD:00000001
Workaround
If you use the service connection tool, manually download the ConfigMgr.AdminUIContent.cab file from
https://go.microsoft.com/fwlink/?LinkID=619849. Save the file to the folder that's specified by the
-updatepackdest parameter when you run the serviceconnectiontool.exe command. Then, rename the
ConfigMgr.AdminUIContent.cab file to ConfigMgr.AdminUIContent.auc .
Error 0x80004001 "Applicability check not
supported" when offline servicing a WIM image
with the Latest Cumulative Update
Symptoms
You use Microsoft Endpoint Configuration Manager current branch together with the latest ADK to do offline
servicing on a .wim file by using the Latest Cumulative Update (LCU) for Windows 10. To do the servicing, you
select an available operating system image in the Configuration Manager console from the \Software
Library\Overview\Operating Systems\Operating System Images folder.
In this scenario, offline servicing fails and generates an error.
For example:
You import the "Windows 10 20H2 (updated Feb 2021)" .wim file.
You do offline servicing on this .wim file by using "2021-03 Cumulative Update for Windows 10 Version
20H2 for x64-based Systems" (KB 5000802).
The following error entry is logged in the OfflineServicingMgr log:
GetUpdateApplicability returned code 0x80004001~

Applicability State = APPLICABILITY_CHECK_NOT_SUPPORTED, Update Binary =
C:\ConfigMgr_OfflineImageServicing\73676b06-20a9-48a6-89c7-7646d20ce44f\Windows10.0-KB5000802-
x64.cab.
Cause
This problem occurs only if you do offline servicing for one of the affected Windows versions in combination
with any of the listed LCUs.
Affected Windows versions:
Windows 10 21H1
Windows 10 20H2
Windows 10 20H1
Windows 10 2004
Used together with the following LCUs:
2021-06 Cumulative Update for Windows 10
NOTE
This problem does not occur if you do offline servicing by using an earlier version LCU (such as "2021-02
Cumulative Update for Windows 10”).
Resolution
The issue is resolved in current Windows 10 releases.
We recommend that you use one of the following Windows versions to do offline servicing:
Windows 10 21H1 (updated June 2021) or a later version
Windows 10 20H2 (updated May 2021) or a later version
Windows 10 20H1 (updated May 2021) or a later version
Windows 10 2004 (updated May 2021) or a later version
The issue is resolved in any .wim image that is on Build 985 (or a later build). Make sure that you use the
appropriate build level by using an already updated image, such as Windows 10 21H1 (updated June 2021), or a
later version. Alternatively, update your custom .wim image (one time) to Build 985 (or a later build) by using
the workaround in the next section.
You can use the dism command to query the current build number of a .wim image.
Query example
The following example shows how to query the current build number. The number will be listed as Ser vicePack
Build : XY . Make sure that you adjust the paths and the /index:XY value per your system requirements.
dism /Get-WimInfo /WimFile:"D:\temp\W10 20H2 (updated May-2021)\w10-20H2-install.wim" /index:3
Workaround
1. Download the LCU that you want to manually apply from the Microsoft Update Catalog. In the example that's
described in the "Symptoms" section, the LCU is KB 5000802.
2. Use the dism command to manually apply the LCU to the WIM image.
Workaround example
The following example illustrates the recommended workaround. Make sure that you adjust the paths and the
/index:XY value per your system requirements.
mkdir D:\_Mount
"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe"
/mount-wim /wimfile:"D:\temp\W10 20H2 (updated Feb-2021)\w10-20H2-install.wim" /mountdir:D:\_Mount /index:3
/image:D:\_Mount /add-package /packagepath:"D:\temp\2021-03 Cumulative Update for Windows 10 Version 20H2
for x64-based Systems (KB5000802)\AMD64-all-windows10.0-kb5000802-
x64_f1da84b3bfa1c402d98dfb3815b1f81d7dceb001.msu"
/Image:"D:\_Mount" /Cleanup-Image /StartComponentCleanup /ResetBase
/unmount-wim /mountdir:D:\_Mount /commit
rmdir /Q /S D:\_Mount
Additional information
A .wim file might contain multiple Windows editions, such as Windows 10 Education or Windows 10 Enterprise.
You can query the .wim file by using the /index parameter to get the version information.
Example 1: dism /Get-WimInfo /WimFile:"D:\temp\W10 20H2 (updated Feb-2021)\w10-20H2-install.wim" /index:3
Example 2: dism /Get-WimInfo /WimFile:"D:\temp\W10 20H2 (updated Feb-2021)\w10-20H2-install.wim" /index:1

Configuration Manager upgrade gets stuck at
Upgrade ConfigMgr Database
This article fixes an issue in which Configuration Manager upgrade gets stuck at the Upgrade ConfigMgr
Database step.
Symptoms
When you upgrade a Configuration Manager site, the upgrade gets stuck at the Upgrade ConfigMgr
Database step for more than one hour.
In this scenario, one of the following messages is the last log entries in CMUpdate.log, and the messages were
logged more than an hour ago:
CONFIGURATION_MANAGER_UPDATE is currently blocked in database by another session [<Application

Name>][session_id=<Session_ID>]
INFO: Creating reporting views.

SQL MESSAGE: sp_RenewCollectionViews - Creating collection views.
INFO: Executing DropForeignKeys

INFO: Drop DBMon triggers
Additionally, you may experience high memory usage and SQL Server may appear unresponsive.
Cause
This issue occurs if the database update queries are blocked by applications that communicate with the
Configuration Manager database.
Resolution
To fix the issue, follow these steps:
1. Identify the application that blocks the Configuration Manager database upgrade by running the
following SQL query:
select
req.session_id
,req.blocking_session_id
,req.last_wait_type
,req.wait_type
,req.wait_resource
,case when req.statement_end_offset > 0 then SUBSTRING(convert(nvarchar(max), t.text),
req.statement_start_offset/2, (req.statement_end_offset-req.statement_start_offset)/2)
else NULL end as currentstatement
,t.text
from sys.dm_exec_sessions s
inner join sys.dm_exec_requests req on s.Session_id=req.session_id
cross apply sys.dm_exec_sql_text(sql_handle) t
where program_name='CONFIGURATION_MANAGER_UPDATE'
OR req.session_id=<Session_ID>
NOTE
<Session_ID> is the session ID that's logged in CMUpdate.log.
2. Based on the returned application name, do one of the following:

If the returned application name is System Center Configuration Manager , then the issue is
likely caused by Software Center requests from the management points to retrieve the
information about available user-targeted applications.
In this case, stop the SMS Agent Host ser vice (CcmExec.exe) on the management points.
NOTE
This issue is fixed in Configuration Manager current branch version 1906.
If the returned application name is SMS Provider , review the SMSProv.log file to identify whether
the Administration Console or scripts are using the SMS Provider.
If this is the case, close the Administration Console or stop the scripts.
If the returned application name is a third-party application or service, review the application
owner, or stop the application or service temporarily.
More information
Starting in Configuration Manager current branch version 1906, you can monitor the database upgrade when
you apply a Configuration Manager update.
How to upgrade System Center 2012 Configuration
Manager to SP1
This article provides steps to upgrade System Center 2012 Configuration Manager to System Center 2012
Configuration Manager Service Pack 1 (SP1).
Introduction
Upgrading a prerelease version of System Center 2012 Configuration Manager SP1 to System Center 2012
Configuration Manager SP1 isn't supported. If you have a prerelease version of System Center 2012
Configuration Manager SP1 installed, uninstall that version before you install System Center 2012
Configuration Manager SP1. For more information, see Release Notes for System Center 2012 Configuration
Manager Service Pack 1.
If your Configuration Manager deployment consists of a hierarchy of sites, upgrade the sites from the top of the
hierarchy. That is, upgrade the sites in the following order:
1. Central administration site
2. Primary site
3. Secondary site
NOTE
You can upgrade the secondary site by using the Configuration Manager console.
Step 1: Review the upgrade checklist

For more information about upgrade planning and the Configuration Manager SP1 upgrade checklist, see
Planning to Upgrade System Center 2012 Configuration Manager.
Step 2: Uninstall Windows Automated Installation Kit (AIK)

We recommend that you uninstall Windows AIK. This is because Windows Assessment and Deployment Kit
(ADK) and Windows AIK should not coexist on the same computer.
Step 3: Download and install Windows ADK

You must download and install Windows ADK before you run the System Center 2012 Configuration Manager
SP1 setup. Windows ADK must be installed on the site server and on any server that is running the SMS
Provider.
To download Windows ADK, go to Download and install the Windows ADK.
When you run the Windows ADK setup, select the following features:
Deployment Tools
Windows Preinstallation Environment (Windows PE)
User State Migration Tool (USMT)
NOTE
These features are needed to pass the System Center 2012 Configuration Manager SP1 prerequisite check.
Step 4: Download and install Windows Management Framework 3.0

System Center 2012 Configuration Manager SP1 requires Windows PowerShell 3.0. If you are not running
Windows Server 2012, you must download and install Windows Management Framework (WMF) 3.0.
Step 5: Make sure that your version of Microsoft SQL Server is

supported
Make sure that you have the appropriate SQL Server Service Pack or cumulative update installed. For more
information about SQL Server versions that are supported by System Center 2012 Configuration Manager, see
Supported Configurations for Configuration Manager.
NOTE
SQL Server 2012 SP1 is supported.
Step 6: Install System Center 2012 Configuration Manager SP1

Run the System Center 2012 Configuration Manager SP1 setup, and make sure that you select the upgrade
option to upgrade the site.
Understand and troubleshoot Updates and
Servicing in Configuration Manager
This article helps administrators understand the Updates and Ser ving node in Configuration Manager
(current branch). It can also help you troubleshoot common issues that you may meet during the process.
Configuration Manager synchronizes with the Microsoft cloud service to get updates that apply to your
infrastructure and version. You can install these updates from within the Configuration Manager console.
To view and manage the updates, make sure that you have the required permissions. Then navigate to
Administration > Cloud Ser vices > Updates and Ser vicing in the Configuration Manager console. For
more information, see Install in-console updates for Configuration Manager.
List of primary components used for Updates and Servicing

NAME C O M P O N EN T N A M E F RIEN DLY N A M E B IN A RY DESC RIP T IO N
Configuration CONFIGURATION_M CMUpdate CMUpdate.exe Service that installs

Manager Update ANAGER_UPDATE update
Distribution Manager SMS_DISTRIBUTION_ DistMgr Distmgr.dll Manages content

MANAGER and creates jobs for
PkgXferMgr
Hierarchy Manager SMS_HIERARCHY_M Hman HMAN.dll Creates, checks,

ANAGER processes, and
replicates updates to
the site hierarchy
Sender SMS_SENDER Sender Sender.dll Starts inter-site

communications
across TCP/IP
networks
Despooler SMS_DESPOOLER Despooler Despool.dll Processes incoming

replication files from
parent or child sites
Scheduler SMS_SCHEDULER Scheduler Schedule.dll Creates sender jobs

NAME C O M P O N EN T N A M E F RIEN DLY N A M E B IN A RY DESC RIP T IO N
Database Notification SMS_DATABASE_NOT SmsDbMon Smsdbmon.dll Watches the

Monitor IFICATION_MONITO database for changes
R to certain tables, and
creates files in the
inboxes of
components that are
responsible for
processing those
changes
DMP Download SMS_DMP_DOWNLO DmpDownloader Dmpdownloader.dll Responsible for

ADER downloading new
servicing updates to
top-level site server
SMS Provider SMS Provider SMSProv Smsprov.dll Windows

Management
Instrumentation
(WMI) Provider that
assigns Read and
Write access to the
Configuration
Manager database at
a site
Downloading updates
The service connection point is responsible for downloading updates that apply to your Configuration Manager
infrastructure. In online mode, it automatically checks for updates every 24 hours. And it downloads available
new updates for your current infrastructure and product version to make them available in the Configuration
Manager console. When your service connection point is in offline mode, use the service connection tool to
manually sync with the Microsoft cloud.
The following steps explain the flow in which an online service connection point downloads in-console updates:
Step 1: Service connection point checks every 24 hours for available updates - DMPDownloader is used to
download manifest cab
Every 24 hours, the service connection point (SCP) downloads ConfigMgr.Update.Manifest.cab, and copies it to
the inboxes\hman.box\CFD folder. The manifest identifies whether there's a new update or hotfix available for
download. The following entries are logged in DMPDownloader.log:
Download manifest.cab
Redirected to URL https://download.microsoft.com/download/5/2/C/52C5F0D5-2095-4227-BBA4-
D3205D9B9714/ConfigMgr.Update.Manifest.cab
Got fwd link and recreating the httprequest/response
File 'C:\Program Files\Microsoft Configuration Manager\EasySetupPayload\ConfigMgr.Update.Manifest.cab'
is signed and trusted.
Signing root cert's thumbprint: cdd4eeae6000ac7f40c3802c171e30148030c072
Finished calling verify manifest
Manifest.cab was successfully moved to the connector outbox
Step 2: Hierarchy Manager (Hman) checks for the download signature, extracts the manifest, and then
processes the manifest and checks applicability of the packages
1. SMSDBMon drops a blank file (<SiteCode>.SCU) to
C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box . It triggers Hman to start processing,
as follows:
STATMSG: ID=3306 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_HIERARCHY_MANAGER"

SYS=PrimarySiteMG.MGLAB.com SITE=MG1 PID=2168 TID=4888 GMTDATE=Wed Dec 21
16:15:08.957 2016 ISTR0="C:\Program Files\Microsoft Configuration
Manager\inboxes\hman.box\CAS.SCU"
2. Hman checks for the download signature, extracts the manifest, and then processes the manifest and
checks applicability of the packages. The following entries are logged in Hman.log:
File 'C:\Program Files\Microsoft Configuration

Manager\inboxes\hman.box\CFD\ConfigMgr.Update.Manifest.CAB' is signed and trusted.
Signing root cert's thumbprint: cdd4eeae6000ac7f40c3802c171e30148030c072
Extracting file C:\Program Files\Microsoft Configuration
Manager\inboxes\hman.box\CFD\ConfigMgr.Update.Manifest.CAB to C:\Program Files\Microsoft
Configuration Manager\CMUStaging\
Extracted C:\Program Files\Microsoft Configuration Manager\CMUStaging\Manifest.xml
Processing Configuration Manager Update manifest file C:\Program Files\Microsoft Configuration
Manager\CMUStaging\manifest.xml
C:\Program Files\Microsoft Configuration Manager\CMUStaging\ApplicabilityChecks\CM1610-
KB3209501_AppCheck_10AA8BA0.sql has hash value
SHA256:EB2C2D2E27EA0ACE8D4B6E4806FD2698BDE472427F28E60FB969A11BC5D811AB
Configuration Manager Update (PackageGuid=10AA8BA0-04D4-4FE3-BC21-F1874BC8C88C) is
applicable
If a package isn't applicable, the following entries are logged in Hman.log:
C:\Program Files\Microsoft Configuration Manager\CMUStaging\ApplicabilityChecks\CM1610-

KB3211925_AppCheck_9390F966.sql has hash value
SHA256:048DA8137C249AAD11340A855FF7E0E8568F5325FED5F503C4D9C329E73AD464
SQL MESSAGE: - Not a 1610 FR2 build, skip this hotfix
Configuration Manager Update (PackageGuid=9390F966-F1D0-42B8-BDC1-8853883E704A) is not
applicable and should be filtered.
Hman runs ApplicabilityCheck SQL queries from the database. When you enable SQL logging, you can
see each query run against the database. To run this process manually, follow these steps:
a. Download the cab file, and extract it to your local computer.
b. To manually download the cab file, go to
https://download.microsoft.com/download/5/2/C/52C5F0D5-2095-4227-BBA4-
D3205D9B9714/ConfigMgr.Update.Manifest.cab.
c. Use 7-zip or a similar tool to extract the cab file.
d. After the file is extracted, you can see all the update GUIDs of every update that has been released
so far. Each GUID is unique.
e. Go to the ApplicabilityChecks folder.
NOTE
This folder contains SQL queries to run against the site server database to determine which update is
applicable and which one is installed. For example, the Applicability_1602Release_public.sql file.
f. After each query runs, it updates State and Flag in the CM_UpdatePackages table. The value of
State shows the current state of the package.
Step 3: DMPdownloader downloads the payload and redistributable files
If the update is applicable, DMPdownloader downloads the payload and redistributable files by using
Setupdl.exe. The following entries are logged:
INFO: setupdl.exe: Start Configuration Manager Setup

INFO: Downloading files to \\CAS.Contoso.com\EasySetupPayload\c63b412d-7c4b-4c0d-be8c-
18fb35b2ff79\redist
INFO: Downloading component manifest...
INFO: Downloading http://go.microsoft.com/fwlink/?LinkID=746984 as ConfigMgr.LN.Manifest.cab
No proxy information is specified. Connect without proxy.
INFO: WinHttpQueryHeaders() in Download() returned OK (200)
INFO: Downloading http://go.microsoft.com/fwlink/?LinkID=746986 as ConfigMgr.Manifest.cab
INFO: Extracted file C:\windows\TEMP\ConfigMgr.LN.Manifest.xml
INFO: File will be downloaded from http://go.microsoft.com/fwlink/?LinkID=808179 .
After the update is successfully downloaded, the following entries are logged in ConfigMgrSetup.log:
INFO: File hash check successfully for DeviceClient_WinCE7.0_X86.CAB

INFO: setupdl.exe: Finish
To download the redistributable file, DMPDownloader reads from the Manifest.xml file that is located in the
<InstallDir>\Bin\x64 folder. For example:
<RedistManifestVersion>201702</RedistManifestVersion>
<Redist ManifestUrl=http://go.microsoft.com/fwlink/?LinkID=841450"/>
<LanguagePack ManifestUrl="http://go.microsoft.com/fwlink/?LinkID=841442"/>
You can manually download redistributable files by using the following command:
setupdl.exe /RedistUrl http://go.microsoft.com/fwlink/?LinkID=841450 /LnManifestUrl

http://go.microsoft.com/fwlink/?LinkID=841442 /RedistVersion 201702 /NoUI "C:\temp\redist"
Step 4: DMPDownloader puts a CMU file into the service connection point outbox
If the outbox has a remote role, it's located at MP\OUTBOXES\MCM.box .
If the outbox is on the site server, it's located at inboxes\hman.box\ForwardingMsg .
The file displacement manager (FDM) moves the .CMU file from the service connection point outbox to
inboxes\hman.box\ForwardingMsg for the site server. This notification file marks that the update package is
available to be installed.
If you haven't configured your hierarchy to have a Microsoft Intune subscription, the following entry is logged in
Hman.log:
Validate CMU file C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\CFD\e8e74b72-

504a-4202-9167-8749c223d2a5.CMU with no intune subscription.
If you've configured a subscription, the package is processed and no log entry is created.
Step 5: Admin console is updated with applicable updates for your environment
The Configuration Manager Admin console shows applicable updates as available. It can be verified by checking
the State column in the CM_UpdatePackages table. The following state types show an update as available within
the console:
APPLICABILITY_SUCCESS = 327682
APPLICABILITY_HIDE = 393213
APPLICABILITY_NA = 393214
Available = 262146
Consider the following relevant folders:
%Program Files%\Microsoft Configuration Manager\CMUStaging
This folder contains ConfigMgr manifest cab (for example:

D3205D9B9714/ConfigMgr.Update.Manifest.cab) that is downloaded and extracted by Hman .
%Program Files%\Microsoft Configuration Manager\EasySetupPayload
This folder contains the actual installation files for an update. There's no Setup.exe file. Instead, an
Install.map file is used for installing.
%Program Files%\Microsoft Configuration Manager\CMUClient
This folder contains the latest client installation files. The files are copied directly from the
EasySetupPayload folder. They will become a package that's named Configuration Manager Client
Package and that gets replicated to all child primary sites.
Troubleshoot downloading issues

Collect the following data before you start troubleshooting:
Hman.log
DMPDownloader.log
Files inside each subfolder of Hman.box
Output of the following SQL queries:
select * from CM_UpdatePackages

select * from CM_UpdatePackageSiteStatus
Output of the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_DMP_DOWNLOADER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\AIUS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_DMP_CONNECTOR
When an update is stuck at Downloading in the console, check DMPDownloader.log to see whether the service
connection point is now downloading files. For connection issues, check whether the Internet access
requirements are met.
Download failures may occur during the following phases:
Downloading the manifest cab.
You can test by using the direct download link in Internet Explorer to get the output. For example, use:
D3205D9B9714/ConfigMgr.Update.Manifest.cab
Downloading the actual Easy Setup package.
You can test by using the direct download link in Internet Explorer to get the output. For example, use:
http://download.microsoft.com/download/E/3/A/E3A89E8D-F1F4-4AAA-BF2F-1C157142894B/609F1263-04E0-49A8-
940B-09E0E34DE2D2.cab
You can replace the package GUID in the sample URLs by using the GUID that is returned by the following SQL
query:
select * from CM_Updatepackages
Issue 1: Failed to download easy setup payload with exception: The remote server returned an error: (400)
Bad Request
The following error is logged in DMPDownloader.log:
WARNING: Failed to download easy setup payload with exception: The remote server returned an error:
(400) Bad Request.

1. Check the ProxyName value of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\AIUS registry subkey.
2. Verify the current proxy configuration by running the following commands:
netsh winhttp show proxy
netsh winhttp show proxy source=ie
3. Check the bypass list, and make sure that *.microsoft.com and *.windowsupdate.com are added to
the bypass list. Otherwise, run the following command:
netsh winhttp set proxy proxy-server="ProxyServerName" bypass-list="*.microsoft.com",

"*.windowsupdate.com"
4. Restart the SMS Executive Service (SMSExec).

5. If the issue persists, reinstall the Service Connection Point role.
Issue 2: Failed to download Admin UI content payload with exception: The underlying connection was closed
ERROR: Failed to download Admin UI content payload with exception: The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel.
...
The remote certificate is invalid according to the validation procedure.
To fix this issue, enter the following URL in Internet Explorer, and check whether it can be downloaded:
http://download.windowsupdate.com/windowsupdate/redist/standalone/7.4.7600.226/windowsupdateagent30
-x86.exe
If the file can't be downloaded, check the firewall to make sure that it doesn't block the connection. TCP port 443
and 80 must be exempted from the following source and destination:
Source = SiteServer or proxy server (if proxy is used)
Destination = windowsupdate.com and microsoft.com
Issue 3: Failed to call AdminUIContentDownload. error = [error code: -2147467261, error message: Invalid
pointer]
Failed to call AdminUIContentDownload. error = [error code: -2147467261, error message: Invalid pointer]
To fix this issue, use the resolution for Issue 1.

Issue 4: Failed to call Initialize. error = [error code: -2147467261, error message: Invalid pointer]
Failed to call Initialize. error = [error code: -2147467261, error message: Invalid pointer].
To fix this issue, check whether the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_DMP_CONNECT registry subkey

exists. If it doesn't, create the subkey. Then, delete all files in the Hman.box\CFD folder, and restart the SMS
Executive Service (SMSExec).
Before you install an update

Review the following steps before you install updates from within the Configuration Manager console.
Step 1: Review the update checklist
Review the following applicable update checklist for actions to take before you start the update:
Checklist for installing update 2002
Upgrade to Configuration Manager current branch
Step 2: Test the database upgrade
Because of changes that are introduced in Configuration Manager, testing the database upgrade is no longer a
required or recommend step if the following conditions are true:
Your database isn't suspect.
Your database isn't modified by customizations that aren't explicitly supported by Configuration Manager.
If you upgrade to Configuration Manager from an older product, such as System Center 2012 Configuration
Manager, we still recommend that you test database upgrades.
For more information, see Test the database upgrade when installing an update.
Step 3: Run the prerequisite checker before you install an update
Before you install an update, consider running the prerequisite check for that update. For more information, see
Before you install an in-console update.
Update replication
The following steps explain the flow for an in-console update in which the installation replicates to other sites:
Step 1: The process starts at the central administration site or standalone primary site
The process starts when the administrator selects Install to start the update installation or runs a prerequisite
check.
Step 2: Hierarchy manager (Hman) creates or updates the package by using the shared folder \\
[servername ]\EasySetupPayload as the source
1. CM_UpdatePackages_UPD_HMAN begins the process and SMSDBMON drops the file to wake up Hman to
begin processing. The following entries are logged in Smsdbmon.log:
RCV: UPDATE on CM_UpdatePackages for CM_UpdatePackages_UPD_HMAN [2 ]

SMS_DATABASE_NOTIFICATION_MONITOR
Modified trigger definition for Hierarchy Manager[CM_UpdatePackages_UPD_HMAN]: table
CM_UpdatePackages(State) on update, file ESC in dir C:\Program Files\Microsoft Configuration
Manager\inboxes\hman.box\CFD\
SND: Dropped C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\CFD\2.ESC
2. Hman runs the following query to check which update was selected to install:
SELECT TOP 1 convert(NVARCHAR(40), PackageGuid) FROM CM_UpdatePackages WHERE State=2
The following entries are logged in Hman.log:
INFO: 2.ESC file was found. Easy setup package needs to be updated.
Get update package 10AA8BA0-04D4-4FE3-BC21-F1874BC8C88C,
\SiteServerFQDN\EasySetupPayLoad\10AA8BA0-04D4-4FE3-BC21-F1874BC8C88C
3. If the package hash is the same for the downloaded package, the following entry is logged:
Easy setup source folder hash is not changed. Skip updating.
Otherwise, the following entries are logged:
INFO: Successfully requested package CAS10001 to be updated from its source.

Info: Updated package CAS10001 and SMS_DISTRIBUTION_MANAGER will replicate the content to all
the site servers except the secondary sites. The content will be stored in the content library on the site
servers. Check distmgr.log for replication status.
There's an inbox trigger for HMAN that is invoked when it sees a file in the Hman.box\CFD folder. Verify that this
trigger exists. To do so, examine the following registry subkey on the site server (CFD is the new inbox that's
introduced in version 1511):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Triggers\<SiteServer>\CM_UpdatePackages_UPD_HMAN
Value Name and Data:

Filter - (State = 2 or State = 196612) and UPDATE(State)
Target Ser vice - Hierarchy Manager (CFD)
Step 3: Within the site database, the EasySetupSettings table is updated to have the PackageID of the update
The following entries are logged:
Get update package 10AA8BA0-04D4-4FE3-BC21-F1874BC8C88C,

\\SiteServerFQDN\EasySetupPayLoad\10AA8BA0-04D4-4FE3-BC21-F1874BC8C88C
Updating easy setup settings with EXEC sp_UpdateEasySetupSettings
N'CAS10001','2',N'561BE7B704CA99A8DB6697886E75BD7C4812324D0A637708E863EC9DF97EFB94'
You can find the PackageID value of the update by running one of the following SQL queries:
Select * from EasySetupSettings

Select PkgID from SMSPackages where name = 'Configuration Manager Easy Setup Package'
SMSDBMon drops <PackageGUID>.CME in Hman.box\CFD to keep HMAN busy so that other files aren't
processed. The following entry is logged in the Smsdbmon.log:
SND: Dropped C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\CFD\10AA8BA0-

04D4-4FE3-BC21-F1874BC8C88C.CME
Step 4: Distribution manager (Distmgr) copies the update files from \\[servername ]\EasySetupPayLoad to the
content library folder ContentLib on the central administration site or standalone primary site server
computer
The following entries are logged in Distmgr.log:
Found package properties updated notification for package 'CAS10001'

Info: package 'CAS10001' is set to replicate to site servers only.
Taking package snapshot for package CAS10001 from source
\\SiteServerFQDN\EasySetupPayLoad\10AA8BA0-04D4-4FE3-BC21-F1874BC8C88C
You can filter Distmgr.log for the thread ID to check the status. To get the thread ID, examine the Package
Processing Queue value of the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_DISTRIBUTION_MANAGER registry key.
Step 5: Distribution manager creates a mini job to replicate content to child primary sites (if applicable )
Setting CMiniJob transfer root to C:\SMSPKG\CAS10001.PCK.1

Created minijob to send compressed copy of package CAS10001 to site MG1. Transfer root =
C:\SMSPKG\CAS10001 .PCK.1
Step 6: Scheduler schedules a file replication job to transfer the content to child primary sites
The following entries are logged in Scheduler.log:
1 jobs found in memory, 10 jobs found in job source.
~Instruction file = C:\Program Files\Microsoft Configuration
Manager\inboxes\schedule.box\tosend\00000391.Idb
<Updating JOB 00000391> [Software Distribution for Configuration Manager Easy Setup Package, Package
ID = CAS10001]~
<JOB STATUS - COMPLETE>~
Step 7: Sender manages the transfer of the update to all child primary sites (if applicable )
The following entries are logged in Sender.log:
~Package file = C:\SMSPKG\CAS10001.DLT.5.6

~Sending Started [C:\SMSPKG\CAS10001.DLT.5.6]
~Finished sending SWD package CAS10001 version 6 to site PRI
~Sending completed successfully
Step 8: The replication process continues at the primary site. After the sender completes the transfer of the
update to the child primary site, the site server wakes up to begin processing the update

ID = CAS10001]~
Step 9: Despooler moves the content file into the ContentLib content library folder on the primary site
server computer
The following entries are logged in Despool.log:
Received package MG100006 version 1. Compressed file - C:\SMSPKG\CAS10001.PCK.1 as C:\Program

Files\Microsoft Configuration Manager\inboxes\despoolr.box\receive\ds_r7or9.pkg
Content Library: C:\SCCMContentLib
Extracting from C:\SMSPKG\CAS10001.PCK.temp
Extracting package CAS10001
Extracting content CAS10001.1
Writing package definition for CAS10001
Package CAS10001 (version 0) exists in the distribution source, save the newer version (version 1).
Stored Package CAS10001. Stored Package Version = 1
Step 10: Distribution Manager marks the process for the package as successful

Adding package 'CAS10001' to package processing queue.
Started package processing thread for package 'CAS10001',
Start updating the package CAS10001...
Successfully created/updated the package CAS10001
Then, a notification file is created for Configuration Manager Update at child primary sites:
Created notification file (10AA8BA0-04D4-4FE3-BC21-F1874BC8C88C.CMI) for

CONFIGURATION_MANAGER_UPDATE
Troubleshoot replication issues

General troubleshooting steps:
Step 1: Check the history and current status of the package in question
Determine the PackageGUID of the package in question. To do so, run the following SQL queries:
select * from EasySetupSettings

select SourceVersion, StoredPkgVersion from SMSPackages where PkgID in (select packageid from
EasySetupSettings)
Run the following SQL queries, and then review the State column for the PackageGUID in question:

select * from CM_UpdatePackages_Hist order by RecordTime desc
Step 2: Review relevant logs for central administration site and relevant primary sites
Review the following logs:
Hman.log or Hman.lo_
CMUpdate.log or CMUpdate.lo_
Distmgr.log or Distmgr.lo_
Sender.log or Sender.lo_
Scheduler.log or Scheduler.lo_
Step 3: Determine whether the package was successfully copied into the SCCMContentLib folder on central
administration site and relevant primary sites
To do so, compare the following folders:
\\<Service Connection Point>\EasySetupPayloader\<PackageGUID>
SCCMContentLib\DataLib\<PackageGUID> (on the site servers)
Step 4: Retry content replication for EasySetup package
To do so, follow these steps:
1. Open WBEMTEST.
2. Connect to root\sms\site_<SiteCode> , and select Execute Method .
3. Enter SMS_CM_UpdatePackages in Object Path , and select OK .
4. Select Retr yContentReplication from Method , and select Edit in Parameters .
5. Select the ForceRetr y property, and select Edit Proper ty .
6. In Value , select Not Null , and enter 1.
7. Select Save Proper ty > Save Object .
8. Select Execute! .
9. Review Distmgr.log to check whether the package replicates successfully.
Issue 1: Error "Failed to calculate hash SMS_HIERARCHY_MANAGER"
Symptom
You receive an error message that resembles the following example in Hman.log:
Get update package 91406B1D-7C14-42D8-A68B-484BE5C5E9B8, \\

<SiteServer>\EasySetupPayLoad\91406B1D-7C14-42D8-A68B-484BE5C5E9B8
SMS_HIERARCHY_MANAGER 12/19/2016 5:15:34 PM 13688 (0x3578)
Failed to calculate hash SMS_HIERARCHY_MANAGER 12/19/2016 5:15:34 PM 13688 (0x3578)
In this case, you can't access the \\<SiteServer>\EasySetupPayLoad folder.

Resolution
To fix this issue, make sure that the EasySetupPayLoad folder is shared on the site server.
Prerequisite check
The following steps explain the process of extracting the update to run prerequisite checks before installing
updates at a central administration site or primary sites.
Step 1: Notification
After you select the update package and select Run prerequisite check , the following entries are logged in
Ssmsdbmon.log:
RCV: UPDATE on CM_UpdatePackages for CM_UpdatePackages_UPD_HMAN [2 ][1009663]

Modified trigger definition for Hierarchy Manager (CFD)[CM_UpdatePackages_UPD_HMAN]: table
CM_UpdatePackages(State) on update, file ESC in dir C:\Program Files\Microsoft Configuration Manager
\inboxes\hman.box\CFD\
SND: Dropped C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\CFD\2.ESC [1009663]
After SMSDBMON drops the 2.ESC file in Hman.box\CFD , an inbox trigger for HMAN is invoked. To verify the
trigger, check the following registry subkey on the site server (CFD is the new inbox that's introduced in version
1511):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Triggers\<SiteServer>\CM_UpdatePackages_UPD_HMAN
Value Name and Data:

Filter - (State = 2 OR State = 196612) AND UPDATE(State)
Target Ser vice - Hierarchy Manager (CFD)
Step 2: Preparation
Hman gets the packageGUID that was downloaded through manifest and updates the EasySetupSettings table.
Get update package 79FB5420-BB10-44FF-81BA-7BB53D4EE22F, \\CAS\EasySetupPayLoad\79FB5420-

BB10-44FF-81BA-7BB53D4EE22F
Updating easy setup settings with EXEC sp_UpdateEasySetupSettings N'CAS00008','6',N''
To find the PackageID value of the update, run the following SQL query:
select PkgID from smspackages where name = 'Configuration Manager Easy Setup Package'
SMSDBMon drops <PackageGUID>.CME in Hman.box\CFD to keep Hman busy so that other files aren't
processed. The following entry is logged in Smsdbmon.log:
SND: Dropped C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\CFD\79FB5420-
BB10-44FF-81BA-7BB53D4EE22F.CME
Step 3: Replication
HMAN invokes Distmgr to replicate packages to all child primary sites. Consider that the Easy Setup package
doesn't replicate to secondary sites or distribution points.
The following entry is logged in Hman.log:
Info: Updated package CAS00008 and SMS_DISTRIBUTION_MANAGER will replicate the content to all the
site servers except the secondary sites. The content will be stored in the content library on the site servers.
Check distmgr.log for replication status.
SMSDBmon drops a .pkn file to notify Distmgr to start replication. The following entries are logged:
Dropped C:\Program Files\Microsoft Configuration Manager\inboxes\distmgr.box\CAS00008.PKN

[1009665]
Adding package 'CAS00008' to package processing queue.
~Started package processing thread for package 'CAS00008', thread ID = 0x16E8 (5864)
You can filter Distmgr.log by using the thread ID to check the status. To find the queue, examine the Package
Processing Queue value of the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_DISTRIBUTION_MANAGER
Distmgr creates a mini job for the sender to send the compressed package to child primary sites. The following
entries are logged in Distmgr.log:
Taking package snapshot for package CAS00008 from source \\CAS\EasySetupPayLoad\79FB5420-BB10-

44FF-81BA-7BB53D4EE22F
~Use drive C for storing the compressed package.
~Successfully created/updated the package CAS00008
~Sending a copy of package CAS00008 to site PRI
~Use drive C for storing the compressed package.
~Setting CMiniJob transfer root to C:\SMSPKG\CAS00008.DLT.5.6
~Created minijob to send compressed copy of package CAS00008 to site PRI. Transfer root =
C:\SMSPKG\CAS00008.DLT.5.6.
DistMgr notifies Scheduler to schedule a job to send the compressed package. The following entries are logged
in Scheduler.log:

ID = CAS00008]~
The following entries are logged in Sender.log:
~Package file = C:\SMSPKG\CAS00008.DLT.5.6

~Sending Started [C:\SMSPKG\CAS00008.DLT.5.6]
~Finished sending SWD package CAS00008 version 6 to site PRI
~Sending completed successfully
Metadata and settings for the package are also updated to child primary sites by using the CMUpdates
replication group. The following tables are updated:
UPDATE on SMSPackages_G for SMS_Package_ins_upd_SMSProv [CAS00008 ][1009664]

INSERT on PkgNotification for PkgNotify_Add [CAS00008 ][1009665]
INSERT on CM_UpdatePackageSiteStatus for CM_UpdatePackageSiteStatus_INS_UPD_HMAN [79FB5420-
BB10-44FF-81BA-7BB53D4EE22F ][1009666]
INSERT on CM_UpdatePackageSiteStatus for CM_UpdatePackageSiteStatus_INS_UPD_HMAN [79FB5420-
BB10-44FF-81BA-7BB53D4EE22F ][1009667]
The following entries are logged in Despool.log at child primary sites:
~Package CAS00008 (version 6) exists in the distribution source, save the newer version (version 7).
~Stored Package CAS00008. Stored Package Version = 7
Removed older package version CAS00008.6.
A notification file is then created. The following entry is logged in Hman.log at child primary sites:
Created notification file (79FB5420-BB10-44FF-81BA-7BB53D4EE22F.CMI) for

The following entry is logged in Smsdbmon.log:
UPDATE on SMSPackages_G for SMS_Package_ins_upd_SMSProv [CAS00008 ][1009664]
Unlike the Easy Setup package, client upgrade packages are replicated to all child primary sites, secondary sites,
and DPs. Here's a sample log entry:
Loaded client upgrade settings from DB successfully. FullClientPackageID=CAS00001,

StagingClientPackageID=CAS00012, ClientUpgradePackageID=CAS00002,
PilotingUpgradePackageID=CAS00013, ClientUpgradeAdvertisementID=CAS20000,
ClientPilotingAdvertisementID=(null)
INFO: Detected the full client package (ID=CAS00001)~
Step 4: Replication and prerequisites check on child primary sites

In Hman.log at the top-level site, the following line is repeated:
Successfully checking Site server readiness for update.
It means that the spCMUProcessUpdateReadiness procedure is running and checking the following tables for
readiness:
SELECT PackageGuid FROM EasySetupSetting

SELECT flag, State FROM CM_UpdatePackages
Select * from CM_UpdateReadiness
Select * from CM_UpdateReadinesssite
This procedure is responsible for notifying the database that the update is installed and ready for primary sites.
Continue to monitor Despool.log and Distmgr.log to see whether the replication succeeds.
Step 5: Prerequisite check finishes
After replication on primary sites finishes, DistMgr is notified of the successful update of the package.
The following entry is logged in CMUpdate.log:
Content replication succeeded. Start extracting the package to run prereq check...
And the following entries are logged in Distmgr.log:
STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER"

SYS=CAS SITE=CAS PID=12812 TID=5864 ISTR0="Configuration Manager Easy Setup Package"
ISTR1="CAS00008" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9=""
NUMATTRS=1 AID0=400 AVAL0="CAS00008"
~Exiting package processing thread for package CAS00008.
Hman creates <PackageGUID>.CMI file under CMUpdate inbox. The following entries are logged:
Created notification file (79FB5420-BB10-44FF-81BA-7BB53D4EE22F.CMI) for

INFO: setup type: 8, top level: 1.
In the log, top level: 1 means that it's the top-level site.
The following entry is logged in Hman.log:
Prereq check passed. Setup will not continue since it is prereq only.
CMUpdatethen takes control of the process and starts running the update. The following entry is logged in
CMUpdate.log:
update package content 79FB5420-BB10-44FF-81BA-7BB53D4EE22F has been expanded to folder \\?

\C:\Program Files\Microsoft Configuration Manager\CMUStaging\79FB5420-BB10-44FF-81BA-
7BB53D4EE22F\
Troubleshoot prerequisite check issues

IMPORTANT
Don't delete anything from the database. Before you modify the State value in the database, make sure that you
understand the state.
What you have to know before you start:

Prerequisite check for the Easy Setup package is different from media installation.
During prerequisite check, various checks are done, including (but not limited to) the following ones:
Whether the site is a top-level site
Whether the site is in interop mode
Whether replication for Easy Setup, Client Upgrade, and Client Pilot package succeeded
Whether DRS is active
Prerequisite check usually doesn't occur for most updates. It occurs only on major upgrades, such as to
version 1610, 1606, or 1602.
When you troubleshoot issues during prerequisite check, collect the results of the following SQL queries from
the central administration site and all primary sites:
Select PackageGuid, State, Flag from CM_updatepackages

Select PackageGUID, SiteNumber, Name, State, SiteStatus, RecoveryCount from CM_UpdatePackageSiteStatus a
inner join serverdata b on a.SiteNumber = b.ID
Select * from CM_UpdatePackagePrereqStatus where PackageGUID = 'GUID of the package to be installed'
Select * from CM_UpdateReadiness
Select * from CM_UpdateReadinessSite
Select * from EasySetupSettings
Check the version of the Easy Setup package, and match it to the version of Distmgr and the Smspackages table.
Refer to the prerequisite check process, and determine the step in which the process gets stuck. Also, look for
specific status messages that indicate the issue to fix.
Installing updates
The following steps explain the process in which a site starts installing updates.
Step 1: Check site server readiness to make sure that site server is ready to apply update
The following entries are logged in Hman.log:
Successfully checking Site server readiness for update.

INFO: Waiting for CONFIGURATION_MANAGER_SERVICE to be ready to apply update: 10AA8BA0-04D4-
4FE3-BC21-F1874BC8C88C
C:\Program Files\Microsoft Configuration Manager\CMUStaging\10AA8BA0-04D4-4FE3-BC21-
F1874BC8C88C\SMSSetup\update.map has hash value
SHA256:A19A48371F031C5E93CD8850E59E24DAE1217E1B37C7A74D98A92F053B5381FB
Successfully validated file C:\Program Files\Microsoft Configuration Manager\CMUStaging\10AA8BA0-
04D4-4FE3-BC21-F1874BC8C88C\SMSSetup\update.map
Successfully read file C:\Program Files\Microsoft Configuration Manager\CMUStaging\10AA8BA0-04D4-
4FE3-BC21-F1874BC8C88C\SMSSetup\update.map
Step 2: The Configuration Manager Update service is stopped and then updated to the newer version. Then,
the service is restarted to begin upgrade
Detected change in update.map for component CONFIGURATION_MANAGER_UPDATE. It will be updated

first.
Successfully copied file from C:\Program Files\Microsoft Configuration Manager\CMUStaging\10AA8BA0-
04D4-4FE3-BC21-F1874BC8C88C\SMSSetup\bin\x64\cmupdate.exe to C:\Program Files\Microsoft
Configuration Manager\bin\x64\cmupdate.exe
INFO: Starting service CONFIGURATION_MANAGER_UPDATE
Step 3: Extract the update package and verify redistributable packages

The following entries are logged in CMUpdate.log:
Checking if the CMU Staging folder already has the content extracted.
Creating hash for algorithm 32780
Staging folder has hash =
8CF9F066B452F35EE723DD2016E99392C1433B2287EDEA8BA8635D22E32E9C84
Staging folder (\\?\C:\Program Files\Microsoft Configuration Manager\CMUStaging\10AA8BA0-04D4-4FE3-
BC21-F1874BC8C88C) has hash
561BE7B704CA99A8DB6697886E75BD7C4812324D0A637708E863EC9DF97EFB94 which does not match
hash from content library
8CF9F066B452F35EE723DD2016E99392C1433B2287EDEA8BA8635D22E32E9C84
Delete folder \\?\C:\Program Files\Microsoft Configuration Manager\CMUStaging\10AA8BA0-04D4-4FE3-
BC21-F1874BC8C88C\ returned 0. Extracting the content from content library...
update package content 10AA8BA0-04D4-4FE3-BC21-F1874BC8C88C has been expanded to folder \\?
\C:\Program Files\Microsoft Configuration Manager\CMUStaging\10AA8BA0-04D4-4FE3-BC21-
F1874BC8C88C\
Step 4: Configuration Manager services are stopped and installation begins

Here are the detailed steps. Log entries can be found in CMUpdate.log.
Verify that Configuration Manager Update service is updated.
Check Service Window to make sure that the update can be applied.
Turn off SQL Server Service Broker.
Stop Configuration Manager Services.
Unload WMI provider.
Delete SMSDBMON triggers.
Save site control settings.
Upgrade the Configuration Manager database.
Update SQL registry.
Update RCM registry.
Install files, language packs, components, and controls.
Upgrade site control settings.
Configure SQL Server Service Broker.
Start WMI, and install services.
Update the site table.
Update Admin console binaries.
Turn on SQL Server Service Broker.
Step 5: Post installation task runs and update installation is marked as successful
Here are the detailed steps:
1. Verify that SMS_Executive service is installed.
2. Verify that the SMSDBMon component is installed.
3. Verify that the SMSHman component is installed.
4. Verify that the RCM component is installed.
5. Monitor replication initialization.
6. Update Configuration Manager client preproduction package.
7. Update client folder on the site server.
8. Update Configuration Manager client package.
9. Turn on features that are specified in the upgrade wizard. Then reopen the console to display the features.
NOTE
Update.map contains the list of updates and files to be replaced and added. To review the list of files, open update.map
in Notepad.
Install.map contains the list of steps that the installation process runs. It serves as a workflow for Cmupdate.exe that
provides the steps and parameters to run in order.
For major upgrades, check ConfigMgrSetup.log for details.
For minor upgrades, check CMUpdate.log for details.
Troubleshoot installation issues

When an update gets stuck in the Installing state in the console, it may be caused by one of the following
reasons:
A top-level site is installing the update. In this case, check CMUpdate.log for details.
Content Replication hasn't finished. In this case, check DistMgr.log and Sender.log by using the PackageID
value.
The child primary site is still installing the update.
Installation can't start because of errors in CMUpdate .
In this case, review CMUpdate.log. Because CMUpdate is single threaded, you can look for the thread ID,
and then filter the log by using the thread ID.
If the error is related to permissions, verify the permissions.
If the error shows a script or table failure, collect more logs, such as SQL Server logs, and then find the
relevant table.
Issue 1: Failed to open file \\?\C:\Program Files\Microsoft Configuration
Manager\CMUStaging\ApplicabilityChecks\CM1606-KB3184153_AppCheck.sql for reading. Code
0x80070003
Symptom
You receive an error message that resembles the following example in CMUpdate.log:
Failed to open file "\\?\C:\Program Files\Microsoft Configuration

Manager\CMUStaging\ApplicabilityChecks\CM1606-KB3184153_AppCheck.sql" for reading. Code
0x80070003
Resolution
To fix this issue, check whether the file exists. If not, delete the CMUStaging folder, and restart Smsexec. If the
files aren't downloaded, reinstall the Service Connection Point role to start downloading.
Issue 2: Error in verifying the trust of file \\?\C:\Program Files\Microsoft Configuration
Manager\CMUStaging\79FB5420-BB10-44FF -81BA -7BB53D4EE22F\SMSSetup\update.map.cab
Symptom
You receive an error that resembles the following example in CMUpdate.log:
update package content 79FB5420-BB10-44FF-81BA-7BB53D4EE22F has been expanded to folder \\?

\C:\Program Files\Microsoft Configuration Manager\CMUStaging\79FB5420-BB10-44FF-81BA-
7BB53D4EE22F\
Error in verifying the trust of file '\\?\C:\Program Files\Microsoft Configuration
Manager\CMUStaging\79FB5420-BB10-44FF-81BA-7BB53D4EE22F\SMSSetup\update.map.cab'.
Cause
This issue occurs because the files aren't downloaded correctly.
Resolution
1. Stop Smsexec.
2. Delete the Easy Setup package and the CMUStaging folder.
3. Restart Smsexec.
4. Uninstall the Service Connection Point role, and then reinstall the role.
Issue 3: Console gets stuck displaying Downloading
Symptom
This issue occurs even if CMUpdate.log shows that the installation fails.
Resolution
1. Restart the SMS Executive service (Smsexec).
2. Run the Update reset tool.
Issue 4: Content replication fails
If there's a failure during content replication, retry the replication by running the following command:
WMIC /namespace:\\root\sms\site_<site code> path SMS_CM_UpdatePackages WHERE PackageGuid="PackageGUID" CALL

RetryContentReplication 1 /NOINTERACTIVE
It tells HMan to start a package notification and update thread in DistMgr to start replicating the content again.
Consider that it changes the package version and copies the content to all child primary sites again.
Issue 5: Update is installed on central administration site and primary sites, but console still displays Installing
When a primary site completes the installation, it drops a state message for sites and server data tables. It
changes the actual state of site in sites table, but it doesn't change the status in CM tables. A global replication
group that's named CMUpdates is used to replicate changes to all sites. By default, CMUpdates has 1 minute of
sync time.
To find which tables are replicated, run the following SQL queries:
select * from ReplicationData where ReplicationGroup = 'CMUpdates'

select * from ArticleData where ReplicationID in (select ID from ReplicationData where ReplicationGroup =
'CMUpdates')
To get the status of Initialization of CMUpdates , run the following SQL query:
select * from RCM_DrsInitializationTracking where ReplicationGroup = 'CMUpdates'
If the returned value of status is less than 6 or 7, initialization is still pending. In this case, you may have to
troubleshoot DRS replication issues.
Retry installation of a failed update in console
To do so, see Retry installation of a failed update.
Complete list of state codes

The following are the state codes and the states that they represent:
UNKNOWN = 0x0
ENABLED = 0x2
DOWNLOAD_IN_PROGRESS = 262145
DOWNLOAD_SUCCESS = 262146
DOWNLOAD_FAILED = 327679
APPLICABILITY_CHECKING = 327681
APPLICABILITY_SUCCESS = 327682
APPLICABILITY_HIDE = 393213
APPLICABILITY_NA = 393214
APPLICABILITY_FAILED = 393215
CONTENT_REPLICATING = 65537
CONTENT_REPLICATION_SUCCESS = 65538
CONTENT_REPLICATION_FAILED = 131071
PREREQ_IN_PROGRESS = 131073
PREREQ_SUCCESS = 131074
PREREQ_WARNING = 131075
PREREQ_ERROR = 196607
INSTALL_IN_PROGRESS = 196609
INSTALL_WAITING_SERVICE_WINDOW = 196610
INSTALL_WAITING_PARENT = 196611
INSTALL_SUCCESS = 196612
INSTALL_PENDING_REBOOT = 196613
INSTALL_FAILED = 262143
INSTALL_CMU_VALIDATING = 196614
INSTALL_CMU_STOPPED = 196615
INSTALL_CMU_INSTALLFILES = 196616
INSTALL_CMU_STARTED = 196617
INSTALL_CMU_SUCCESS = 196618
INSTALL_WAITING_CMU = 196619
INSTALL_CMU_FAILED = 262142
INSTALL_INSTALLFILES = 196620
INSTALL_UPGRADESITECTRLIMAGE = 196621
INSTALL_CONFIGURESERVICEBROKER = 196622
INSTALL_INSTALLSYSTEM = 196623
INSTALL_CONSOLE = 196624
INSTALL_INSTALLBASESERVICES = 196625
INSTALL_UPDATE_SITES = 196626
INSTALL_SSB_ACTIVATION_ON = 196627
INSTALL_UPGRADEDATABASE = 196628
INSTALL_UPDATEADMINCONSOLE = 196629
Useful SQL queries
Check the overall state:
The following are some values from the State column and the states that they represent:
327681 = APPLICABILITY_CHECKING
262146 = DOWNLOAD_SUCCESS
2 = ENABLED
When Flag = 1, it means prerequisite check only. When Flag = 2, it means continue installation.
65537 = CONTENT_REPLICATING
65538 = CONTENT_REPLICATION_SUCCESS
196609 = INSTALL_IN_PROGRESS
196612 = INSTALL_SUCCESS
Check the state per site:
select * from CM_UpdatePackageSiteStatus
Check the overall state history:
select * from CM_UpdatePackages_Hist order by RecordTime desc
Check the state history per site:
select * from CM_UpdatePackageSiteStatus_HIST order by RecordTime desc
Check the server readiness:
select * from CM_UpdateReadiness
Check the Configuration_Manager_Update service readiness:
select * from CM_UpdateReadinessSite
Check current software distribution package used for update:
select * from EasySetupSettings
Check the content version of the package stored in content library:
select SourceVersion, StoredPkgVersion, * from SMSPackages where PkgID in (select packageid from
EasySetupSettings)
Hman decides what to install:
SELECT TOP 1 convert(NVARCHAR(40), PackageGuid) FROM CM_UpdatePackages WHERE State=2
Determine how Hman gets Easy Setup settings:
SELECT TOP 1 PackageID,PackageVersion,PackageHash FROM EasySetupSettings
Hman checks the site server that is ready for upgrade:
Stored procedure spCMUCheckSiteServerReadyForUpdate

if (EXISTS (SELECT * FROM EasySetupSettings WHERE PackageGuid = @packageGuid))
BEGIN
SELECT @readyParent = Flag FROM CM_UpdateReadiness
WHERE SiteNumber = dbo.fnGetSiteNumber() AND PackageGuid = @packageGuid
SELECT @cmuUpdated = Flag FROM CM_UpdateReadinessSite
WHERE SiteNumber = dbo.fnGetSiteNumber() AND PackageGuid = @packageGuid
END
Hman returns package updates that are in progress:
SELECT @flag = ISNULL(Flag, 0), @state = ss.State, @redistVersion = ISNULL(oa.RedistVersion, N''),

@pubFlag = ISNULL(oa.PublisherFlags, 2)
FROM CM_UpdatePackages oa
INNER JOIN CM_UpdatePackageSiteStatus ss ON oa.PackageGuid = ss.PackageGuid AND ss.SiteNumber =
dbo.fnGetSiteNumber()
WHERE oa.State IN (
65538, -- CONTENT_REPLICATION_SUCCESS = 0x00010002
131073, -- PREREQ_IN_PROGRESS = 0x00020001
131074, -- PREREQ_SUCCESS = 0x00020002
196609, -- INSTALL_IN_PROGRESS = 0x00030001
196610, -- INSTALL_WAITING_SERVICE_WINDOW = 0x00030002
196611, -- INSTALL_WAITING_PARENT = 0x00030003
196619, -- INSTALL_WAITING_CMU = 0x0003000B
131075 -- PREREQ_WARNING = 0x00020003
)
AND oa.PackageGuid = @packageGuid
Check Configuration Manager update history:

See ConfigMgr Update History TSQL Query.
Check Configuration Manager build numbers that are mapped by using build release names:
See ConfigMgr Build Numbers mapped with Build Release Names and Update types.
Tips
Don't manually clean up the EasySetupPayload folder for the Configuration Manager update that is being
downloaded or processed.
Don't manually clean up the CMUStaging folder without verifying the correct state and content library for the
Easy Setup package.
Restore the Configuration Manager database and Configuration Manager site server if there's an error in
CMUpdate . Fix the issue, and retry installation.
Don't reinstall Service Connection Point if an update is in process.
Don't use files from cd.latest to install a standalone primary site.
Don't use cd.latest to upgrade a site that's running version 1511, or sites that are running 2012 R2 SP1 or
earlier versions.
Don't manually clean up any Cm_Update* tables.
Don't restart the CMUpdate service during installation.
Don't keep the CMUStaging\<GUID> folder open during the installation.
Enable verbose trace logging
To enable SQL trace logging, set the value to 1 under the
SQLEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing registry key.
To increase log file size and number of copies maintained, increase the value of MaxFileSize and LogMaxHistory
under the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\CONFIGURATION_MANAGER_UPDATE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\SMS_HIERARCHY_MANAGER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\SMS_DMP_DOWNLOADER
Capture a Process Monitor trace

Use Process Monitor to capture a process monitor trace.
Capture WinHTTP logs
For more information, see Capturing WinHTTP Logs.
References
For more information about Updates and Servicing in Configuration Manager, see the following articles:
Install in-console updates for Configuration Manager
Walking through an upgrade from Microsoft ConfigMgr 1511 to ConfigMgr 1602
Visit our blog for tech tips and all the latest news and information about Configuration Manager.
Maintenance tasks default settings in Configuration
Manager
This article introduces the default settings for the maintenance tasks in Configuration Manager.
Summary
This table lists the default settings for the maintenance tasks in Microsoft System Center 2012 Configuration
Manager and System Center 2012 R2 Configuration Manager.
C EN T RA L
M A IN T EN A N A DM IN IST RA P RIM A RY SEC O N DA RY
C E TA SK T IO N SIT E SIT E #O F DAY S DAY S T IM E SIT E
Backup Site Ã Ø Not available Every day 02:00-05:00 Not available

Server
Check Ã Ã Not available Saturday 0:00-05:00 Not available

Application
Title with
Inventory
Information
Clear Install Not available Ø 21 Sunday 00:00-05:00 Not available

Flag
Delete Aged Not available Ã 30 Saturday 00:00-05:00 Not available

Application
Request Data
Delete Aged Ã Ã 7 Every day 00:00-05:00 Not available

Client
Operations

Client
Presence
History
C EN T RA L

Collected Files

Computer
Association
Data

Delete
Detection
Data

Distribution
Point Usage
Data
(available only
in Microsoft
System
Center 2012
R2)

Device Wipe
Record
Delete Aged Not available Ã Not available Saturday 00:00-05:00 Not available
Devices
Managed by
the Exchange
Server
Connector

Discovery
Data

Endpoint
Protection
Health Status
History Data
C EN T RA L

Enrolled
Devices

Inventory
History
Delete Aged Ã Ã 30 Every day 00:00-05:00 Ã

Log Data
Delete Aged Not available Ã 10 Every day 00:00-05:00 Not available

Notification
Task History

Replication
Summary
Data

Replication
Tracking Data
Delete Aged Not available Ã 5 Every day 00:00-05:00 Not available

Software
Metering
Data
Delete Aged Not available Ã 270 Sunday 00:00-05:00 Not available

Software
Metering
Summary
Data
Delete Aged Ã Ã Not available Everyday 00:00-05:00 Not available

Status
Messages

Threat Data
C EN T RA L

Unknown
Computers

User Device
Affinity Data
Delete Not available Ø 90 Saturday 00:00-05:00 Not available

Inactive Client
Discovery
Data
Delete Ã Ã 30 Every day 00:00-05:00 Not available

Obsolete
Alerts
Delete Not available Ø 7 Saturday 00:00-05:00 Not available

Obsolete
Client
Discovery
Data
Delete Ã Ã 30 Saturday 00:00-05:00 Not available

Obsolete
Forest
Discovery
Sites and
Subnets
Delete Not available Ã 60 Every day 00:00-05:00 Not available

Unused
Application
Revisions
Evaluate Not available Ã 42 Saturday 00:00-05:00 Not available

Provisioned
AMT
Computer
Certificates
Monitor Keys Ã Ã Not available Sunday 00:00-05:00 Not available

C EN T RA L
Rebuild Ø Ø Not available Sunday 00:00-05:00 Ø

Indexes
Summarize Not available Ã Not available Every day 00:00-05:00 Not available
Installed
Software Data
Summarize Not available Ã Not available Every day 00:00-05:00 Not available
Software
Metering File
Usage Data
Summarize Not available Ã Not available Everyday 00:00-05:00 Not available

Software
Metering
Monthly
Usage Data
Update Ã Ã Not available Not available Every 1,380 Not available

Application minutes
Catalog
Tables
K EY : Ã = B Y DEFA ULT, EN A B L ED Ø = B Y DEFA ULT, N OT EN A B L ED
References
For more information about maintenance tasks in System Center 2012 R2 Configuration Manager, see Planning
for Maintenance Tasks for Configuration Manager.
Bad gateway error when deploying software
updates in System Center 2012 Configuration
Manager
This article provides a solution for the issue that a Bad gateway error occurs when you try to deploy software
updates in Microsoft System Center 2012 Configuration Manager.
Symptoms
You use Forefront Threat Management Gateway as a Web Proxy Auto-Discovery Protocol (WPAD) server that
provides proxy an autoconfiguration script file (Wpad.dat) to client computers.
You update the WPAD server to add proxy exception entries.
In this scenario, when you use System Center 2012 Configuration Manager to deploy software updates in the
enterprise, you receive an error message that resembles the following:
Http: Response, HTTP/1.1, Status: Bad gateway, URL: http://Exception_URL/ClientWebService/client.asmx
Cause
This problem occurs because of a case-sensitive issue in the Wpad.dat file. The entries in the Wpad.dat file must
be in lowercase. The proxy exception checks in the script file (Wpad.dat) that Threat Management Gateway
provides works only if the destination URL (This URL is determined for the proxy server) is passed to the WPAD
server in lowercase.
Resolution
To resolve this problem, enable the ConvertUrlToLowerCase property to allow for URLs that are in lowercase and
that are passed to the routing script. By default, this property is disabled.
To enable the ConvertUrlToLowerCase property, follow these steps:
1. Back up the Threat Management Gateway settings.
2. In Notepad, create a file that is named TMG_ConvertUrlToLowerCase.vbs.
3. Copy and paste the following script to the file:
'
' set wpad script to lowercase its input url - for Internal network
'
set fpc = CreateObject("FPC.ROOT")
set net_internal = fpc.GetContainingArray().NetworkConfiguration.Networks("Internal")
set wpad = net_internal.ClientConfig.Browser.AutoScript
wpad.ConvertUrlToLowerCase = -1
wpad.save
4. Save and close the file.

5. Open a command prompt with administrative permissions, and run the
cscript TMG_ConvertUrlToLowerCase.vbs command.
6. Make sure that you wait a long enough time to sync with Forefront Threat Management Gateway
Enterprise Management Server (EMS).
Configuration Manager clients don't get software
updates
This article fixes an issue in which Configuration Manager clients can't get updates from the software update
point.
Symptom
After installing Configuration Manager current branch version 1702, you may see the following symptoms:
Newly installed clients are unable to get updates from the software update point. This can also occur if the
software update point is moved to a different server after installation of version 1702. With verbose client
logging enabled, the LocationServices.log file contains an empty value for the WSUSLocationReply entry.
Some computers show in the console as Unknown State .
Cause
Beginning with Configuration Manager current branch version 1702, clients use boundary groups to find a new
software update point, and to fallback and find a new software update point if their current one is no longer
accessible. If you install a new site that runs version 1702 or later, you must assign software update points to a
boundary group before clients can find and use them.
Resolution
Add the server running the software update point to the default site boundary group for the clients. You can add
individual software update points to different boundary groups to control which servers a client can find. For
more information, see software update points.
To add the software update point to the boundary group, follow these steps:
1. Create a boundary group if none exists, and add all the client machines to the boundary group with the
software update point as the site server.
2. Run Machine Policy Retrieval & Evaluation Cycle on the Configuration Manager.
3. Check the LocationServices.log on a client machine to confirm the client can connect to the Windows Server
Update Services (WSUS) server.
NOTE
After doing this, you may experience some temporary timeouts if a large number of clients attempts to connect to the
WSUS server. This can also cause high CPU usage on the WSUS server. As the clients connect CPU usage should return to
normal. If the high CPU usage persists after all clients are connected, see Troubleshoot high CPU usage on a WSUS server.
Different results are shown for software updates
when using saved searches in non-English versions
of Configuration Manager
This article provides a solution for the issue that search in a non-English version of System Center 2012
Configuration Manager displays different results of updates.
Symptoms
When you save the search criteria for All Software Updates in the Software Librar y workspace in the
English version of Microsoft System Center 2012 Configuration Manager, using the saved search in a non-
English version of Configuration Manager displays different results for the updates.
Workaround
To work around this problem, save the search criteria in the Software Librar y workspace in the non-English
version of Configuration Manager. Do this for each language version of Configuration Manager that you
maintain.
Clients send multiple Topic ID 611 state messages
when you service a server group on a child primary
site
This article helps you work around an issue in which clients send multiple Topic ID 611 state messages when
you try to service a server group on a child primary site in Configuration Manager.
Original product version: Configuration Manager (current branch), Configuration Manager (Long-Term
Servicing Branch)
Symptoms
In Configuration Manager, you experience errors when you try to service a server group (cluster patching) on a
child primary site that has a remote management point. Error messages that resemble the following are logged
in the MP_ClientID.log file:
CMPDBConnection::ExecuteSQL(): ICommandText::Execute() failed with 0x80040E09

MPDB ERROR - EXTENDED INFORMATION
MPDB Method : ExecuteSP()
MPDB Method HRESULT : 0x80040E09
Error Description : The EXECUTE permission was denied on the object 'spGetLockState', database
'<dbname>', schema 'dbo'.
Additionally, clients may send multiple Topic ID 611, Type 611 state messages (.smx files).This causes a
backlog in state message processing.
NOTE
This problem was listed as resolved in Update Rollup 1 for Configuration Manager current branch, version 1606. However,
the problem was not completely fixed.
Cause
When the current Service a server group feature is enabled, the required Execute permissions for remote
management points aren't applied correctly to the spGetLockState stored procedure.
Workaround 1
Disable the Service a server group feature if you don't use it.
Workaround 2
Manually grant Execute rights for the management points to the spGetLockState stored procedure by using the
following SQL script:
IF OBJECT_ID(N'spGetLockState') IS NOT NULL AND dbo.fnIsPrimary() = 1
BEGIN
GRANT EXECUTE ON [spGetLockState] TO [smsdbrole_MP]
END
Error 0x800f0831 when you install an update
This article fixes an issue in which you receive error 0x800f0831 when you install a cumulative update.
Original product version: Configuration Manager (current branch), Windows Server Update Services
Symptom
When you try to install a Windows update, especially a cumulative update, you receive the following error
message in WindowsUpdate.log:
FATAL: CBS called Error with 0x800f0831
This issue is more likely to occur when there is no access to Microsoft Update.
Additionally, you receive error messages that resemble the following in CBS.log:
Store corruption, manifest missing for package: <Missing_Package>

Failed to resolve package <Missing_Package> [HRESULT = 0x800f0831 - CBS_E_STORE_CORRUPTION]
Mark store corruption flag because of package: <Missing_Package> [HRESULT = 0x800f0831 -
CBS_E_STORE_CORRUPTION]
Failed to resolve package [HRESULT = 0x800f0831 - CBS_E_STORE_CORRUPTION]
Failed to get next package to re-evaluate [HRESULT = 0x800f0831 - CBS_E_STORE_CORRUPTION]
Failed to execute execution chain. [HRESULT = 0x800f0831 - CBS_E_STORE_CORRUPTION]
Failed to process single phase execution. [HRESULT = 0x800f0831 - CBS_E_STORE_CORRUPTION]
WER: Generating failure report for package:<Failed_Package> status: 0x800f0831, failure source: Execute,
start state: Staged, target state: Installed, client id: DISM Package Manager Provider
NOTE
<Failed_Package> represents the package that can't be installed. <Missing_Package> represents the package for which
the manifest is missing.
Cause
This issue occurs because the update that can't be installed requires the manifest of a previous update package.
Resolution
1. Go to Microsoft Update Catalog.
2. In the Search box, enter the package ID of the <Missing_Package>.
3. Download the package and then install it.
4. Reinstall the <Failed_Package>.
August 2019 .NET Framework 4.7.2 updates fail to
synchronize in Configuration Manager
This article describes an issue in which .NET Framework 4.7.2 updates that were released in August 2019 fail to
synchronize in Configuration Manager.
Symptoms
The synchronization of the following updates that were released in August 2019 between Configuration
Manager (ConfigMgr) and Windows Server Update Service (WSUS) fails:
Microsoft .NET Framework 4.7.2 for Windows Server 2012 for x64 (KB4054542)
Microsoft .NET Framework 4.7.2 for Windows Server 2008 R2 for x64 (KB4054530)
Microsoft .NET Framework 4.7.2 for Windows 7 for x64 (KB4054530)
Microsoft .NET Framework 4.7.2 for Windows 7 (KB4054530)
Microsoft .NET Framework 4.7.2 for Windows Server 2012 R2 for x64 (KB4054566)
You may see entries resembling the following in the WSyncMgr.log:
08-14-2019 08:37:30.102 Synchronizing update 7155376c-87e9-4f55-80f1-0d7c64eb8b5d - Microsoft

.NET Framework 4.7.2 for Windows 7 (KB4054530)
08-14-2019 08:37:30.421 *** declare @rc int, @errxml xml, @errmsg nvarchar(max); EXEC @rc=sp_SetupCI
16916014, default, @errxml output, @errmsg output; select @rc, @errxml, @errmsg
08-14-2019 08:37:30.421 *** [25000][266][Microsoft][SQL Server Native Client 11.0][SQL Server]
Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT
statements. Previous count = 1, current count = 0 . : sp_SetupCI
08-14-2019 08:37:30.422 *** declare @rc int, @errxml xml, @errmsg nvarchar(max); EXEC @rc=sp_SetupCI
16916014, default, @errxml output, @errmsg output; select @rc, @errxml, @errmsg
08-14-2019 08:37:30.423 *** [42000][50000][Microsoft][SQL Server Native Client 11.0][SQL Server]
ERROR 2627, Level 14, State 1, Procedure tr_vCI_ContentFiles_upd, Line 17, Message: Violation of
UNIQUE KEY constraint 'CI_Files_AK'. Cannot inser t duplicate key in object 'dbo.CI_Files'. The
duplicate key value is (SHA1:A1C5F3C6AC7519F692791960092C07C745C48481, windows6.1-kb4019990-
x86.cab, 0xc591f16ff97c9725c03e10528996d059f3dd936f). : spRethrowError
08-14-2019 08:37:30.426 Failed to sync update 7155376c-87e9-4f55-80f1-0d7c64eb8b5d. Error : Failed
to save update 9f6cfa34-72f4-4fe6-9131-5fb03d1af361. CCISource error: -1. Source:
Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.UpdatesManager.UpdatesManagerClas
s.DefineUpdate
Cause
This intermittent issue only occurs if the update is revised and the SourceURL already present in Configuration
Manager metadata is changed. This causes a violation of a unique key constraint. Not all customers will
encounter this issue.
Resolution
This issue only occurs in Configuration Manager current branch version 1810 and later versions. The Microsoft
.NET team is working to expire these updates and will republish them soon. This article will be revised when the
updates are republished. The subsequent synchronization should complete successfully.
If the listed updates aren't required in your environment, you can decline them in WSUS to prevent them
from synchronizing to Configuration Manager.
If you need these updates and cannot wait for the republishing, you can manually download and distribute
them using software distribution.
NOTE
This issue only affects the updates that are listed in this article and does not block synchronization of other updates.
Updates aren't downloaded when you run an ADR
Applies to: Configuration Manager current branch, versions 1910, 2002, 2006, and 2010
Symptoms
You use an automatic deployment rule (ADR) to deploy software updates. However, the updates aren't
downloaded when you run the ADR. Additionally, you receive the following error messages in the
Patchdownloader.log file:
Failed to create temp file with GetTempFileName() at temp location C:\Windows\TEMP\, error 80 Software
Updates Patch Downloader
ERROR: DownloadUpdateContent() failed with hr=0x80070050 Software Updates Patch Downloader
When this problem occurs, the c:\windows\temp directory contains more than 65,535 0-byte .tmp files.
Cause
This problem is caused by an issue in the following Microsoft Endpoint Configuration Manager updates:
Office updates fail to download in Configuration Manager current branch, version 1910
Office updates fail to download in Configuration Manager current branch, version 2002
Update Rollup for Microsoft Endpoint Configuration Manager version 2006
The .tmp files are created but not removed. This problem occurs if the number of .tmp files exceeds 65,535.
Resolution
This problem is fixed in Update Rollup for Microsoft Endpoint Configuration Manager current branch, version
2010.
The fix will be included in Configuration Manager current branch, version 2103.
To fix the problem in Configuration Manager current branch, versions 1910, 2002, and 2006, delete the .tmp
files in c:\windows\temp, and then rerun the ADR.
Description of state messaging in Configuration
Manager
This article describes the state messaging system in Configuration Manager.

Understanding state messaging

State messaging in Configuration Manager is a mechanism that reflects a client condition at a certain point in
time. Status messages, by contrast, work to help administrators track the workflow of data through various
Configuration Manager components.
A status message viewer is built right into the console so that status messages can be viewed and tracked.
There's no equivalent viewer for state messages. The result of state messages is seen in:
reports
various data in the console, such as the number of systems that have to be updated
client logs
State messages contain concise information about conditions in-place on the client. The state messaging system
is used by specific components of Configuration Manager, including:
software updates
desired configuration management
network access protection
Critical software update data relies on the state messaging system in Configuration Manager. Understanding
state messaging will become even more important in future versions of Configuration Manager as more
components take advantage of it.
The following diagram provides a good description of how the state messaging system works.
The green box represents the state messaging system. The components inside the box are components that feed
information to the system.
When state messages are received, two things occur:
1. State messages are stored in the Windows Management Instrumentation (WMI) provider.
2. The state system scrapes WMI on a 15-minute cycle (default) for any state messages that haven't been sent,
and then forwards them to the management point. The cycle period can be changed.
In the diagram, the client installation piece is shown separately for clarity. During the client installation, the
management point is located and targeted for state messages. State messages about the client installation are
forwarded to the fallback status point (FSP) (if it's configured) under one of the following conditions:
The management point isn't reached.
The management point is down for some reason.
For everything else, traffic goes directly to the management point.
State messages that arrive at the management point are processed into the .smx files by the MP Relay
component, and put into the auth\statesys.box\incoming folder on the site server. Then, they're processed into
the database to complete the workflow.
Digging deeper
We have to make sure that verbose logging is enabled for:
the client
the management point
the state messaging components on the site server
To set verbose or debug logging on a Configuration Manager client or management point, edit or create the
following registry entries:
REGIST RY SUB K EY DW O RD N A M E VA L UE DATA
LogLevel
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/CCM/Logging/@Global 0
KEY_LOCAL_MACHINE/SOFTWARE Enabled True

/Microsoft/CCM/Logging/DebugLogging
On the site server, edit the following registry entry to enable verbose logging, and then restart the
SMS_Executive service (or the state system component):
Verbose Logging
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/SMS/Components/SMS_STATE_SYSTEM 1
Tracing SQL commands requires that SQL tracing is enabled for Configuration Manager components. But not
much useful data can be obtained directly from the tracing. It's true even if Profiler is enabled. So we'll examine
the Updatesdeployment.log and Statemessage.log files on the client. By interpreting the state messages in these
logs, we can get a clear picture of what's occurring at the various steps in the process.
Before we examine log code examples, we have to understand the state message format. The state message
itself consists of several parts, including Topic Type and State Message ID . At some locations in the logs, the
Topic Type seems to already be interpreted for you.
You won't always see Topic Type and State Message ID together in the same log. One type of data without
the other doesn't really help you determine what's needed. However, even if you have both Topic Type and
State Message ID , the information isn't helpful unless you can interpret it.
The following chart can help you to interpret the combination of TopicType and StateID to obtain meaningful
data.
select * from v_StateNames
NOTE
The following chart includes the 300, 400, and 500 series Topic Type codes.
State messaging data

TO P IC T Y P E STAT EID STAT EN A M E
300 0 Compliance state unknown
300 1 Compliant
300 2 Non-compliant
300 3 Conflict detected
301 0 Enforcement state unknown
301 1 Installing update(s)

301 2 Waiting for restart
301 3 Waiting for another installation to

complete
301 4 Successfully installed update(s)
301 5 Pending system restart
301 6 Failed to install update(s)
301 7 Downloading update(s)
301 8 Downloaded update(s)
301 9 Failed to download update(s)
301 10 Waiting for maintenance window

before installing
301 11 Waiting for third-party orchestrator to

initiate installation
302 0 Evaluation state unknown
302 1 Evaluation activated
302 2 Evaluation succeeded
302 3 Evaluation failed
400 0 Detection state unknown
400 1 Not Required
400 2 Not Detected
400 3 Detected
401 0 Compliance state unknown
401 1 Compliant
401 2 Non-Compliant
401 3 Conflict Detected
401 4 Error
401 5 Not Applicable

401 6 Not Detected
401 7 Enforced
402 0 Enforcement state unknown
402 1 Enforcement started
402 2 Enforcement waiting for content
402 3 Waiting for another installation to

complete
402 4 Waiting for maintenance window

before installing
402 5 Restart required before installing
402 6 General failure
402 7 Pending installation
402 8 Installing update
402 9 Pending system restart
402 10 Successfully installed update
402 11 Failed to install update
402 12 Downloading update
402 13 Downloaded update
402 14 Failed to download update
500 0 Detection state unknown
500 1 Update is not required
500 2 Update is required
500 3 Update is installed
501 0 Scan state unknown
501 1 Scan is waiting for catalog location
501 2 Scan is running

501 3 Scan completed
501 4 Scan is pending retry
501 5 Scan failed
501 6 Scan completed with errors
For more information, see State messages in Configuration Manager.

The following example aligns and compares the Updatesdeployment.log and Statemessage.log files. Make sure
that the logs refer to the same state message by aligning the same TopicID (green text). It clearly indicates that
the two logs are referring to the same state message. The TopicType is shown in light blue text. Notice that one
log might show the actual number that can be interpreted from the State messaging data chart. The other might
show a generic value (already interpreted). The State Message ID ( StateId ) is shown in purple text.
By combining the TopicType and State Message ID ( StateId ) from the chart, you can track exactly what's
occurring in the logs. In this example, these code examples show the following information:
Update evaluation
The result of the evaluation
The update being downloaded
The update being installed
A pending system restart
It's just one example of how state messages are sent into the state system.
State messaging data flow

The following image is an actual example of how state messaging data makes its way to the management point
and is processed to the database.
This example uses a test client. It starts by forcing the client to scrape WMI for all state messaging information,
and then sends that information to the management point on its next polling cycle.
In WMI, state messages are stored in the root\ccm\statemsg namespace. In that namespace, there are two
classes of interest: CCM_StateMsg_SerialNum and CCM_StateMsg .
The CCM_StateMsg_SerialNum class is used to record the last serial number that's used for a state message. Every
state message has a unique serial number, similar to the hardware inventory. In this manner, the site server can
keep track of whether it's missing any state messages from the system. It's important because missing state
messages may cause incomplete or inaccurate state reporting.
The CCM_StateMsg class contains the state messages themselves. In the class instance, you can find all the state
messages that are recorded.
If you open one of these messages, you'll find the details of the state message and some data that we previously
discussed, as shown in the following example.
We can resend the data to the management point, and track its progress by using the following resync scripts.
RefreshServerComplianceState()
Sub RefreshServerComplianceState()
dim newCCMUpdatesStore
set newCCMUpdatesStore = CreateObject ("Microsoft.CCM.UpdatesStore")
newCCMUpdatesStore.RefreshServerComplianceState
wscript.echo "Ran RefreshServerComplianceState."
End Sub
$UpdatesStore = New-Object -ComObject Microsoft.CCM.UpdatesStore

$UpdatesStore.RefreshServerComplianceState()
This script can be found on the web in various locations. It uses the Configuration Manager SDK to cause the
client to resend its data to the management point.
Typically, a Visual Basic script (VBScript) is run by using cscript . Notice that the script may fail if you try to run
it yourself. The problem is that Configuration Manager is a 32-bit application that's running on a 64-bit server.
The default version of cscript is the 64-bit version and generally works fine with any VBScript. However, in this
case, the call that's being made requires the 32-bit version of cscript that you must run out of the syswow64
folder.
When the next state message polling cycle occurs, all state messages are sent to the management point.
In the Statemessage.log file, you can see that the state message information is pulled, formatted into XML, and
then sent to the management point. The state message information should resemble the following example:
<![LOG[StateMessage body: <?xml version="1.0" encoding="UTF-16"?>

<ClientType>1</ClientType><ClientID>GUID:GUID</ClientID>
<ClientVersion>client_version_number</ClientVersion><NetBIOSName>name</NetBIOSName>
<CodePage>437</CodePage>
<ReportContent>State Message Data</ReportContent>
<ReportType>Full</ReportType><Date>date</Date><Version>1.0</Version><Format>1.0</Format>
</ReportDetails></ReportHeader><ReportBody><StateMessage MessageTime="time"
SerialNumber="serial_number"><Topic ID="21e49ac6-a273-4a61-9794-eb675bc743e5" Type="500"
IDType="3"/><State ID="2" Criticality="0"/><UserParameters Flags="0" Count="1">
<Param>102</Param></UserParameters></StateMessageserParameters></StateMessage>
</ReportBody></Report>
]LOG<![LOG[CStateMsgManager::GetSignEncyptMode]LOG]!><time="time" date="date"
component="StateMessage" context="" type="1" thread="3592" file="statemsg.cpp:1820">
<![LOG[Successfully for warded State Messages to the management point ]LOG]!><time="time"
date="date" component="StateMessage" context="" type="1" thread="3592" file="statemsg.cpp:1527">
NOTE
This example is truncated to a single state message because of the size of the XML file.
Although the Statemessage.log file records that the messages are dispatched to the management point, the state
messaging system doesn't actually move data to the management point. In the following example, you can see
that CCMMessaging does this operation. There's more that go on behind the scenes at this point. However, it's
sufficient to know that CCMMessaging sends the data to the management point (in this case, the MP_Relay
component).
<![LOG[OutgoingMessage(Queue='mp_mp_relay endpoint', ID={A9E7A07D-223D-4F5D-93D5-

15AF5B72E05C}): Delivered successfully to host 'host_name'.]LOG]!>
When the data arrives for processing at MP_Relay , it's processed and translated to the .smx file format, and
then put into the auth\statesys.box\incoming folder.
Inv-Relay Task: Processing message body

Relay: FileType= SMX
Relay: Outbox dir: C:\Program Files (x86)\Microsoft Configuration
Manager\inboxes\auth\statesys.box\incoming
Relay: Received 0 attachments
Relay: 0 of 0 attachments successfully processed
Inv-Relay: Task completed successfully
In the auth\statesys.box\incoming folder, you can see the .smx files being processed. Typically, you won't see
them here. But if the files remain in this folder, you need to investigate what the messages are and why they
aren't being processed. If you find an .smx file, you can open it by using a text editor such as Notepad to see the
details. However, the formatting of the file may be unreadable, as in the following example:
If you rename the .smx file by adding the .xml extension so that the file is named file_name.smx.xml, and then
you double-click the new file name, the XML file is opened in Internet Explorer and is much easier to read.
The following image is an example of an XML file opened in Internet Explorer. The details of the computer and
state message are highlighted. It contains the information that we've previously discussed, combined with the
unique State Message ID value.
NOTE
If you rename these files, first copy them to a different folder so that you don't affect the Statesys.box folder.
Finally, the state messages must be processed into the database. In the Statesys.log file, you can see such
messages similar to the following example:
Found new state messages to process, starting processing thread
Thread "State Message Processing Thread #0" id:5076 started
CMessageProcessor - Detected parent site 'site_name'
CMessageProcessor - Processing file: mdlbp169.SMW
CMessageProcessor - Processed 1 records with 0 invalid records.
CMessageProcessor - Successfully replicated file "mdlbp169.SMW" to parent site site_name.
CMessageProcessor - Processed 1 message files in this batch, with 0 bad files.
Thread "State Message Processing Thread #0" id:5076 terminated normally
The database processing component can be made visible by enabling SQL tracing, but it doesn't help much. We
must use the SQL profiler instead. The profiler gives us a hint of what's occurring behind the scenes, but not
completely. Several SQL stored procedures are responsible for processing state messages. Besides, several
tables in the database store the state messaging data. The stored procedures that do state message processing
generally start with the name spProcess . There are many of such procedures.
The site server tracks state messages as they arrive, so it can flag any missing messages and periodically request
a resync when necessary. State messages are important. You don't want to miss any.
As state messages arrive, the unique ID is read and stored in the database. As processing continues, the data is
regularly updated. If a gap is detected, that data is flagged and stored as missing state messages in the
SR_MissingMessageRanges table. Ideally, this table will be empty. However, in production, you may see data in the
table. This table helps track state messages that require a resync.
The site control file is located in the database. To obtain the specific settings for STATE_MESSAGE_SYSTEM , run the
following query on a primary or CAS site:
select * from SC_Component_Property where ComponentID in (select ID from SC_Component where ComponentName
like 'SMS_STATE_SYSTEM') and sitenumber in (select SiteNumber from SC_SiteDefinition where Sitecode =
(Select ThisSiteCode from SMSData))
STATE_MESSAGE_SYSTEM settings
NAME VA L UE1 VA L UE2 VA L UE3
Heartbeat Msg Interval 60
Inbox Polling Interval 900
Loader Chunk Size 256
Loader Threads 4
Max Chunks Fetched 100
Min Missing Message Age 2880
Resync Check Interval 15
Retry Config REG_SZ <Config><Retry 0

PatternID="0"
RetryQueue="0">7200,288
00,86400</Retry>
</Config>
NOTE
Resync Check Inter val is set to 60 minutes. This is the schedule for checking systems that require state message
resyncs.
Min Missing Message Age is set to 2880 . This is how long a message must be missing before a resync is
requested.
Software updates in Configuration Manager
Original product version: Configuration Manager (current branch), Microsoft System Center 2012
Configuration Manager, Microsoft System Center 2012 R2 Configuration Manager
Software updates in Configuration Manager provide a set of tools and resources that can help manage the
complex task of tracking and applying software updates to client computers in the enterprise. An effective
software update management process is necessary to maintain operational efficiency, overcome security issues,
and maintain the stability of the network infrastructure. Because of the changing nature of technology and the
continual appearance of new security threats, effective software update management requires consistent and
continual attention.
Summary
Software updates synchronization in Configuration Manager uses Microsoft Update to retrieve software updates
metadata. The top-level site synchronizes with Microsoft Update on a predetermined schedule or when you
manually start synchronization from the Configuration Manager console. When Configuration Manager finishes
software updates synchronization at the top-level site, software updates synchronization starts at child sites if
they exist. When synchronization is complete at each primary site or secondary site, a site-wide policy is created
that provides client computers with the location of the software update points.
After the client receives the policy, the client starts a scan for software updates compliance and writes the
information to Windows Management Instrumentation (WMI). The compliance information is then sent to the
management point. From there, the information is sent to the site server. For each software update, a state
message is created that contains the compliance state for the update. The state messages are sent in bulk to the
management point and then to the site server. There, the compliance state is inserted into the site database. The
compliance state for software updates is displayed in the Configuration Manager console. For more information
about compliance assessment, see Software updates compliance assessment.
When you deploy software updates or when an automatic deployment rule runs and deploys software updates,
a deployment assignment policy is added to the machine policy for the site. The software updates are
downloaded from the download location, the Internet, or network shared folder, to the package source. The
software updates are copied from the package source to the content library on the site server, and then copied
to the content library on the distribution point. For more information about software update deployment, see
Software update deployment process.
References
For more information about understanding, maintaining, and troubleshooting the software update process, see
the following resources:
Track the software update deployment process
Troubleshoot software update synchronization
Troubleshoot software update scan failures
Troubleshoot software update deployments
Software updates maintenance in Configuration
Manager
This article describes the maintenance processes for software updates. It also provides suggestions for how
Configuration Manager administrators can maintain optimal performance of the WSUS database.
For more information about software updates in Configuration Manager, see Software updates introduction.
Expired updates
As part of the ongoing update revision process, some updates in the Microsoft Update Catalog are expired. This
issue typically occurs when a newer version of the update is available. However, in rare cases, Microsoft may
discover a problem with an update and therefore expire it. During software updates synchronization, these
expired updates are marked as Expired in the Configuration Manager console. This expired status is indicated
by a dimmed icon next to the update. These expired updates are automatically cleaned up from the
Configuration Manager database on a regular schedule. The WSUS Synchronization Manager component
removes expired updates only if the following conditions are true:
The update is not referenced in an update assignment.
The update is older than the value of Updates Cleanup Age . (By default, this value is seven days.)
WSUS Synchronization Manager at the top-level Configuration Manager site checks every hour for updates that
must be removed, and it removes expired updates if they match the criteria in the previous list. When WSUS
Synchronization Manager deletes expired updates, you can see the following entries in the WSyncMgr.log file:
Deleting old expired updates... SMS_WSUS_SYNC_MANAGER

Deleted 100 expired updates SMS_WSUS_SYNC_MANAGER
...
Deleted 2995 expired updates total SMS_WSUS_SYNC_MANAGER
Content cleanup
As expired updates are removed, content for those expired updates may become orphaned. WSUS
Synchronization Manager also cleans up this orphaned content. As part of the content cleanup, WSUS
Synchronization Manager analyzes the packages that are owned by the current site, finds content that is no
longer referenced, and removes that content from the package source directory. By default, content is removed
only if it has been orphaned for more than one day.
If any content is removed, the cleanup process also updates the package so that the updated content is sent to
the distribution points (DPs). When WSUS Synchronization Manager removes orphaned content, you can see
the following entries in the WSyncMgr.log file:
Deleting orphaned content for package CS100006 (EPDefinitions) from source <PackageSource>
SMS_WSUS_SYNC_MANAGER
Deleting orphaned content folder \\<PackageSource>\51b6db15-6938-4b37-9fa8-caf513e13930...
...
...
Deleting orphaned content folder \\<PackageSource>\526b6a85-a62c-4d54-bc0d-b3409223b0df...
Deleted 12 orphaned content folders in package CS100006 (EPDefinitions) SMS_WSUS_SYNC_MANAGER
Refreshing package CS100006 (EPDefinitions) SMS_WSUS_SYNC_MANAGER
For more information about the cleanup of expired updates and content, see Software Update Content Cleanup
in System Center 2012 Configuration Manager.
WSUS server maintenance

To maintain optimal performance of the WSUS database, we recommend that you routinely run the WSUS
Cleanup Wizard tasks on the WSUS database (SUSDB) and also reindex the WSUS database on each WSUS
computer that is hosting a Software Update Point role in the Configuration Manager environment. When you
run WSUS Cleanup Wizard actions in a multilevel hierarchy, run the cleanup process on the lowest tier of the
WSUS chain first and then move up to the next tier to run the Cleanup Wizard tasks. You must continue on up
the hierarchy until you reach the top-tier WSUS computer. You can run this WSUS maintenance routine at the
same time on multiple servers in the same tier.
Although reindexing can be done in any order on any WSUS computer's SUSDB, we recommend that you run
the cleanup and reindexing on each WSUS computer by running the reindex process first and then run the
Cleanup Wizard tasks. If you tune the performance of the SUSDB first through reindexing, the Cleanup Wizard
tasks will finish more quickly.
For more information about WSUS maintenance, see Perform WSUS maintenance.
For more information about WSUS cleanup behavior and log entries in Configuration Manager (current branch),
see Software updates maintenance.
Software update point installation and configuration

The software update point is required on the central administration site and on the primary sites to enable
software updates compliance assessment and to deploy software updates to clients.
Track software update point installation

When software update point site system role is installed, an instance of the SMS_SCI_SysResUse class is created,
and entries that resemble the following are logged in SMSProv.log:
PutInstanceAsync SMS_SCI_SysResUse SMS Provider

CExtProviderClassObject::DoPutInstanceInstance SMS Provider
INFO: 'PR1SITE.CONTOSO.COM' is a valid FQDN. SMS Provider
Site Component Manager then detects the change in site control information and initiates the installation of the
software update point site system role. Entries that resemble the following are logged in SiteComp.log:
Parsed the master site control file, serial number 3559422579. SMS_SITE_COMPONENT_MANAGER
Synchronizing server table and polling servers as needed... SMS_SITE_COMPONENT_MANAGER
Synchronizing component server PR1SITE.CONTOSO.COM... SMS_SITE_COMPONENT_MANAGER
Installing component SMS_WSUS_CONTROL_MANAGER... SMS_SITE_COMPONENT_MANAGER
NFO: 'PR1SITE.CONTOSO.COM' is a valid FQDN. SMS_SITE_COMPONENT_MANAGER
Creating registry keys Operations Management\SMS Server Role\SMS Software Update Point on server
PR1SITE.CONTOSO.COM. SMS_SITE_COMPONENT_MANAGER
Updated WSUS Configuration for PR1SITE.CONTOSO.COM. SMS_SITE_COMPONENT_MANAGER
The component is being installed on the site server, no files need to be installed in the "E:\ConfigMgr"
directory because the files are already there. SMS_SITE_COMPONENT_MANAGER
All files installed. SMS_SITE_COMPONENT_MANAGER
Starting bootstrap operations... SMS_SITE_COMPONENT_MANAGER
Installed service SMS_SERVER_BOOTSTRAP_PR1SITE. SMS_SITE_COMPONENT_MANAGER
Starting service SMS_SERVER_BOOTSTRAP_PR1SITE with command-line arguments "PR1 E:\ConfigMgr
/install E:\ConfigMgr\bin\x64\rolesetup.exe SMSWSUS "... SMS_SITE_COMPONENT_MANAGER
When the role installation is started by Site Component Manager, SUPSetup.log is created and the following are
logged:
<02/09/14 22:53:28>
====================================================================
<02/09/14 22:53:28> SMSWSUS Setup Started....
<02/09/14 22:53:28> Parameters: E:\ConfigMgr\bin\x64\rolesetup.exe /install /siteserver:PR1SITE
SMSWSUS 0
<02/09/14 22:53:28> Installing Pre Reqs for SMSWSUS
<02/09/14 22:53:28> ======== Installing Pre Reqs for Role SMSWSUS ========
<02/09/14 22:53:28> Found 1 Pre Reqs for Role SMSWSUS
<02/09/14 22:53:28> Pre Req SqlNativeClient found.
<02/09/14 22:53:28> SqlNativeClient already installed (Product Code: {D411E9C9-CE62-4DBF-9D92-
4CB22B750ED5}). Would not install again.
<02/09/14 22:53:28> Pre Req SqlNativeClient is already installed. Skipping it.
<02/09/14 22:53:28> ======== Completed Installation of Pre Reqs for Role SMSWSUS ========
<02/09/14 22:53:28> Installing the SMSWSUS
<02/09/14 22:53:28> Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 +
KB2734608)
<02/09/14 22:53:28> Checking runtime v2.0.50727...
<02/09/14 22:53:28> Did not find supported version of assembly Microsoft.UpdateServices.Administration.
<02/09/14 22:53:28> Checking runtime v4.0.30319...
<02/09/14 22:53:28> Found supported assembly Microsoft.UpdateServices.Administration version 4.0.0.0,
file version 6.2.9200.16384
<02/09/14 22:53:28> Found supported assembly Microsoft.UpdateServices.BaseApi version 4.0.0.0, file
version 6.2.9200.16384
<02/09/14 22:53:28> Supported WSUS version found
<02/09/14 22:53:28> Supported WSUS Server version (6.2.9200.16384) is installed.
<02/09/14 22:53:28> CTool::RegisterManagedBinary: run command line:
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe" "E:\ConfigMgr\bin\x64\wsusmsp.dll"
<02/09/14 22:53:44> CTool::RegisterManagedBinary: Registered E:\ConfigMgr\bin\x64\wsusmsp.dll
successfully
<02/09/14 22:53:44> Registered DLL E:\ConfigMgr\bin\x64\wsusmsp.dll
<02/09/14 22:53:44> Installation was successful.
<02/09/14 22:53:44> ~RoleSetup().
After the role is installed, Site Component Manager removes the bootstrap service that's created to perform the
installation, the following are logged in SiteComp.log:
"E:\ConfigMgr\bin\x64\rolesetup.exe /install /siteserver:PR1SITE.CONTOSO.COM" executed successfully on

server PR1SITE.CONTOSO.COM. SMS_SITE_COMPONENT_MANAGER
Bootstrap operation successful. SMS_SITE_COMPONENT_MANAGER
Deinstalled service SMS_SERVER_BOOTSTRAP_PR1SITE. SMS_SITE_COMPONENT_MANAGER
Bootstrap operations completed. SMS_SITE_COMPONENT_MANAGER
Configure proxy setting for the software update point

When there is a proxy server between the WSUS server and the upstream update source, the proxy settings
must be configured for the site system as well as the software update point role. The proxy server settings are
site system specific, which means that all site system roles use the proxy server settings that you specify. For
more information, see Accounts used in Configuration Manager.
Check proxy configuration on a computer
To review the proxy configuration for the logged-on user, run the following command:
netsh winhttp show proxy
To review the proxy configuration for the SYSTEM account, open a command prompt by running the
following command:
psexec -s -i cmd
In the Command Prompt window, run whoami to confirm that the command window is running under
the System account.
Run the netsh winhttp show proxy command and review the proxy configuration for the System account.
You can also start Internet Explorer from this command window, and review the proxy configured in
Internet Explorer. In some cases you may have to clear the Automatically Detect Settings check box,
and set the correct proxy.
To force WinHTTP to use proxy configuration from Internet Explorer, run the following command:
netsh winhttp import proxy source =ie
For more information about Netsh commands, see Netsh Commands for Windows Hypertext Transfer Protocol
(WINHTTP).
Configure the proxy settings for the Site System
1. In the Configuration Manager console, go to Administration > Site Configuration > Ser vers and Site
System Roles , select the <SiteSystemName> on the right pane.
2. In the bottom pane, right-click Site System , and then click Proper ties .
3. Select the Proxy tab, specify the proxy server name, port, and credentials (if required).
Configure the proxy settings for the software update point
System Roles , select <SiteSystemName> on the right pane.
2. In the bottom pane, right-click Software Update Point , and then click Proper ties .
3. Select the Proxy and Account Settings tab, and select Use a proxy ser ver when synchronizing
software updates .
4. (Optional) To configure automatic deployment rules (ADRs) to use a proxy server, select the Proxy And
Account Settings tab, and then select Use a proxy ser ver when downloading content by using
automatic deployment rules .
Verify proxy settings in the WSUS console
1. Open the WSUS console.
2. Select Options in the tree pane, and then select Update Source and Proxy Ser ver in the display pane.
3. Select the Proxy Ser ver tab. Verify that the proxy settings match the settings configured for the software
update point in Configuration Manager. If the settings don't match, check WCM.log on the site server.
For more information, see Proxy server settings.
Configure the WSUS Server Connection Account for the software

update point
If the software update point is remote from the site server, and if the site server computer account doesn't have
permissions to connect to the WSUS server, you must specify a WSUS Server Connection Account that
Configuration Manager can use to connect to the WSUS server.
This account is used by WCM and WSyncMgr. It must be a local administrator on the computer where WSUS is
installed. Additionally, the account must be part of the local WSUS Administrators group. For more information,
see Accounts used in Configuration Manager.
To configure the WSUS Server Connection Account for the software update point:
System Roles , select <SiteSystemName> on the right pane.
2. In the bottom pane, right-click Software Update Point , and then click Proper ties .
3. On the Proxy And Account Settings tab, specify the connection account under WSUS Ser ver
Connection Account .
References
Install and configure a software update point
Synchronize software updates
Configure classifications and products to synchronize
WSUS Configuration Manager configures the
WSUS server

Windows Server Update Services (WSUS) Configuration Manager connects to the WSUS server once every
hour and configures the WSUS server with the settings that are defined for the software update point in the
Configuration Manager console.
How it works
WSUS Configuration Manager uses the WSUS APIs to connect to the WSUS server. The WSUS Administration
console must be installed on the Configuration Manager site server, because the WSUS Administration console
installs the APIs that are used to connect to the WSUS server.
The following are logged in WCM.log:
Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)
SMS_WSUS_CONFIGURATION_MANAGER
Checking runtime v2.0.50727... SMS_WSUS_CONFIGURATION_MANAGER
Did not find supported version of assembly Microsoft.UpdateServices.Administration.
Checking runtime v4.0.30319... SMS_WSUS_CONFIGURATION_MANAGER
Found supported assembly Microsoft.UpdateServices.Administration version 4.0.0.0, file version
6.2.9200.16384 SMS_WSUS_CONFIGURATION_MANAGER
Found supported assembly Microsoft.UpdateServices.BaseApi version 4.0.0.0, file version 6.2.9200.16384
Supported WSUS version found SMS_WSUS_CONFIGURATION_MANAGER
If the products or classifications defined for the software update point are modified, SMS Provider makes
changes in the appropriate CI_* tables in the database. For example, when a product is selected for
synchronization, SMS Provider updates rows in the CI_CategoryInstances and CI_UpdateCategorySubscription
tables.
SMS Database Monitor monitors these tables for changes. When an update is detected, SMS Database Monitor
drops a CSB file in the WSUSMgr.box folder notifying WCM to update the WSUS server configuration. The
following are logged in SMSDBMon.log:
RCV: UPDATE on CI_CategoryInstances for CategoryNotify_iud [177 ][14252 ]

RCV: UPDATE on CI_UpdateCategorySubscription for SubNotify_iu_WCM [177 ][14253 ]
SND: Dropped E:\ConfigMgr\inboxes\objmgr.box \177 .CTN [14252 ]
SND: Dropped E:\ConfigMgr\inboxes\WSUSMgr.box \177 .CSB [14253 ]
WCM then wakes up and connects to the WSUS server to make sure that it is configured with the options
defined in the Configuration Manager console. The following are logged in WCM.log:
File notification triggered WCM Inbox. SMS_WSUS_CONFIGURATION_MANAGER

Setting new configuration state to 4 (WSUS_CONFIG_SUBSCRIPTION_PENDING)
Attempting connection to WSUS server: CE1SITE.CONTOSO.COM, port: 8530, useSSL: False
Successfully connected to server: CE1SITE.CONTOSO.COM, port: 8530, useSSL: False
Subscribed Update Categories <?xml version="1.0" ?>~~<Categories>~~ <Category
Id="Product:a105a108-7c9b-4518-bbbe- 73f0fe30012b"><![CDATA[Windows Server 2012]]>
</Category>~~ <Category Id="Product:fdfe8200-9d98-44ba-a12a- 772282bf60ef"><![CDATA[Windows
Server 2008 R2]]></Category>~~ <Category Id="UpdateClassification:0fa1201d-4330- 4fa8-8ae9-
b877473b6441"><![CDATA[Security Updates]]></Category>~~ <Category
Id="UpdateClassification:28bc880e-0592- 4cbf-8f95-c79b17911d5f"><![CDATA[Update Rollups]]>
</Category>~~ <Category Id="UpdateClassification:cd5ffd1e-e932- 4e3a-bf74-18bf0b1bbd83"><!
[CDATA[Updates]]></Category>~~ <Category Id="UpdateClassification:e6cf1350-c01b-414d- a61f-
263d14d133b4"><![CDATA[Critical Updates]]></Category>~~</Categories>
Configuration successful. Will wait for 1 minute for any subscription or proxy changes
Setting new configuration state to 2 (WSUS_CONFIG_SUCCESS) SMS_WSUS_CONFIGURATION_MANAGER
Using WSUS APIs to connect to the WSUS server works by connecting to the ApiRemoting30 virtual directory on
the WSUS website. Therefore, it's important that you specify the correct port configuration when you install the
software update point role.

Software updates synchronization in Configuration Manager connects to Microsoft Update to retrieve software
updates metadata.
The top-level site (central administration site or stand-alone primary site) synchronizes with Microsoft Update
on a schedule or when you manually start synchronization from the Configuration Manager console. When
Configuration Manager finishes software updates synchronization at the top-level site, software updates
synchronization starts at child sites, if they exist. When synchronization is complete at each primary site or
secondary site, a site-wide policy is created that provides to client computers the location of the software update
points.
Synchronization on central administration site or standalone primary

site
The software updates synchronization process at the top-level site contacts Microsoft Update and retrieves
software update metadata that meets the criteria specified in the Software Update Point Component properties.
This criteria is specified only at the top-level site. At the top-level site you can specify a synchronization source
other than Microsoft Update, such as an existing Windows Server Update Services (WSUS) computer that's not
in the Configuration Manager hierarchy.
The synchronization process at the top-level site performs the following steps:
Step 1: Software updates synchronization starts either manually or on a schedule
When synchronization is initiated on a schedule, WSUS Synchronization Manager (WSyncMgr) wakes up on the
configured schedule and initiates synchronization. The following are logged in WSyncMgr.log:
Wakeup for scheduled regular sync SMS_WSUS_SYNC_MANAGER

Starting Sync SMS_WSUS_SYNC_MANAGER
Performing sync on regular schedule SMS_WSUS_SYNC_MANAGER
When synchronization is initiated manually from the console, WSyncMgr is notified to initiate a sync by
executing the SyncNow method in the SMS_SoftwareUpdate WMI class. This method updates the
Update_SyncStatus table in the site database and sets the value of SyncNow to SELF . This triggers SMS Database
Notification Monitor (SMSDBMON) to place a SELF.SYN file in WSyncMgr.box, and this awakens WSyncMgr and
initiates synchronization.
The following is logged in SMSProv.log:
ExecMethodAsync : SMS_SoftwareUpdate::SyncNow SMS Provider
In SQL Server Profiler trace:
update Update_SyncStatus set SyncNow = 'SELF' where SiteCode = dbo.fnGetSiteCode()

update Update_SyncStatus set SyncNow = null where SiteCode = dbo.fnGetSiteCode()
In SMSDBMON.log:
RCV: UPDATE on Update_SyncStatus for SyncNotif_WSyncMgr [SELF][47788]
SND: Dropped E:\ConfigMgr\inboxes\WSyncMgr.box\SELF.SYN [47788]
In WSyncMgr.log:
Wakeup by inbox drop SMS_WSUS_SYNC_MANAGER

Found local sync request file SMS_WSUS_SYNC_MANAGER
Performing sync on local request SMS_WSUS_SYNC_MANAGER
WSyncMgr then reads the list of software update points (SUPs) from the site control file (SCF). WSyncMgr first
synchronizes the SUP that was installed as the first SUP in the site and then synchronizes the remaining SUPs.
All additional SUPs are configured as replicas of the first SUP. The following are logged in WsyncMgr.log:
Read SUPs from SCF for CS1SITE.CONTOSO.COM SMS_WSUS_SYNC_MANAGER

Found 1 SUPs SMS_WSUS_SYNC_MANAGER
Found active SUP CS1SITE.CONTOSO.COM from SCF File. SMS_WSUS_SYNC_MANAGER
When synchronization starts (either on schedule or manually), WSyncMgr creates status message ID 6701 to
indicate that the WSUS synchronization has started. The following are logged in WsyncMgr.log:
STATMSG: ID=6701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=

<SERVERFQDN> SITE=CS1 PID=432 TID=3404 GMTDATE=Thu Jan 16 18:53:52.608 2014 ISTR0=""
ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
TIP
To manually initiate a delta site wide synchronization, you can create a zero KB file named SELF.SYN in the
Program Files\Microsoft Configuration Manager\Inboxes\WSyncMgr.box directory on the central administration site
or standalone primary site server. Similarly, to initiate a full site wide synchronization, you can create a zero KB file named
FULL.SYN in the same location.
Step 2: WSUS Synchronization Manager sends a request to WSUS running on the software update point to
start synchronization with Microsoft Update
The first phase of the synchronization process is to synchronize the WSUS server with Microsoft Update.
WSyncMgr instructs the WSUS computer to start a synchronization with Microsoft Update and creates status
message ID 6704 (WSUS Synchronization in progress. Current phase: Synchronizing WSUS Server). The
following are logged in WsyncMgr.log:

Synchronizing WSUS server cs1site.contoso.com ... SMS_WSUS_SYNC_MANAGER
sync: Starting WSUS synchronization SMS_WSUS_SYNC_MANAGER
In SoftwareDistribution.log:
2014-01-16 18:53:54.231 UTC Change w3wp.58 AdminDataAccess.StartSubscriptionManually
Synchronization manually started
2014-01-16 18:53:56.168 UTC Info WsusService.15 EventLogEventReporter.ReportEvent
EventId=382,Type=Information,Category=Synchronization,Message=A manual synchronization was
started.
Step 3: WSUS synchronizes software update metadata from Microsoft Update. Any changes are inserted or
updated in the WSUS database
WSUS starts synchronizing with Microsoft Update, and WSyncMgr begins monitoring synchronization progress.
The following are logged in WsyncMgr.log:
sync: WSUS synchronizing categories SMS_WSUS_SYNC_MANAGER

sync: WSUS synchronizing updates SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing updates, processed 122 out of 130 items (93%), ETA in 00:00:03
sync: WSUS synchronizing updates, processed 130 out of 130 items (100%) SMS_WSUS_SYNC_MANAGER
The following entries in the log files indicate that WSUS has finished synchronizing with Microsoft Update:
In SoftwareDistribution.log:
2014-01-16 18:55:05.166 UTC Info WsusService.15 EventLogEventReporter.ReportEvent

EventId=384,Type=Information,Category=Synchronization,Message=Synchronization completed
successfully.
2014-01-16 18:55:06.307 UTC Info WsusService.31
CatalogSyncAgent.SetSubscriptionStateWithRetry Firing event SyncFinish...
In WSyncMgr.log:
Done synchronizing WSUS Server <SERVERFQDN> SMS_WSUS_SYNC_MANAGER

Sleeping 2 more minutes for WSUS server sync results to become available
Set content version of update source {C2D17964-BBDD-4339-B9F3-12D7205B39CC} for site CS1 to
33 SMS_WSUS_SYNC_MANAGER
Step 4: WSUS Synchronization Manager synchronizes the software updates metadata

After WSUS has finished synchronization, WSUS Synchronization Manager synchronizes the software updates
metadata. This is done from the WSUS database to the Configuration Manager database, and any changes after
the last synchronization are inserted or updated in the site database. The software updates metadata is stored in
the site database as a configuration item.
The second phase of the synchronization process is to synchronize the software update metadata from the
WSUS database to the Configuration Manager database. At this point, WSyncMgr creates status message ID
6705 (WSUS Synchronization in progress. Current phase: Synchronizing site database).

Synchronizing SMS database with WSUS server <SERVERFQDN> ... SMS_WSUS_SYNC_MANAGER
WSyncMgr reads categories and updates from the WSUS database and inserts or updates the Configuration
Manager database. Software update metadata for each update is stored in the site database as a configuration
item (CI).
sync: SMS synchronizing categories SMS_WSUS_SYNC_MANAGER

...<log entries truncated>...
sync: SMS synchronizing categories, processed 223 out of 223 items (100%) SMS_WSUS_SYNC_MANAGER
sync: SMS synchronizing updates SMS_WSUS_SYNC_MANAGER
Synchronizing update af5eb87e-cdd6-40bf-984f-5d0630406de8 - Definition Update for Microsoft Endpoint
Protection - KB2461484 (Definition 1.165.1945.0) SMS_WSUS_SYNC_MANAGER
sync: SMS synchronizing updates, processed 5 out of 5 items (100%) SMS_WSUS_SYNC_MANAGER
Done synchronizing SMS with WSUS Server cs1site.contoso.com SMS_WSUS_SYNC_MANAGER
Set content version of update source {C2D17964-BBDD-4339-B9F3-12D7205B39CC} for site CS1 to 34
After synchronization of the site database is complete, if any changes were made to the site database, the
content version of the update source is updated in the database. After synchronization finishes successfully,
WSyncMgr creates status message ID 6702 (WSUS Synchronization done). The following are logged in
WsyncMgr.log:

<SERVEFRFQDN> SITE=CS1 PID=432 TID=3404 GMTDATE=Thu Jan 16 18:57:46.304 2014 ISTR0=""
Sync succeeded. Setting sync alert to canceled state on site CS1 SMS_WSUS_SYNC_MANAGER
Updated 130 items in SMS database, new update source content version is 34
Sync time: 0d00h03m53s SMS_WSUS_SYNC_MANAGER
Step 5: WSUS Synchronization Manager sends requests one at a time to the WSUS component running on
other SUPs on the site
The WSUS computers on the other SUPs are configured as replicas of the WSUS installation running on the
default SUP for the site.
Synchronizing replica WSUS servers SMS_WSUS_SYNC_MANAGER

STATMSG: ID=6706 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER"
SYS=PS1SITE.CONTOSO.COM SITE=PS1 PID=1840 TID=2832 GMTDATE=Thu Jan 16 19:17:13.575 2014
ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9=""
NUMATTRS=0 SMS_WSUS_SYNC_MANAGER
Synchronizing WSUS server ps1sys.contoso.com ... SMS_WSUS_SYNC_MANAGER
sync: Starting Replica WSUS synchronization SMS_WSUS_SYNC_MANAGER
sync: Replica WSUS synchronizing other items SMS_WSUS_SYNC_MANAGER
sync: Replica WSUS synchronizing other items, processed 4 out of 4 items (100%)
Done synchronizing WSUS Server ps1sys.contoso.com SMS_WSUS_SYNC_MANAGER
Step 6: WSUS Synchronization Manager sends a synchronization request to all child sites
Sync notifications are sent to all child sites to instruct them to start synchronization. These notifications are sent
through file replication and not database replication. The following are logged in WsyncMgr.log:
Sending sync notification to child site(s): PS1, PS2 SMS_WSUS_SYNC_MANAGER

SQL Replication type has not been set for E:\ConfigMgr\inboxes\WSyncMgr.box\outbox\CS1.SYN,
replicating to (PS1, PS2), inbox: E:\ConfigMgr\inboxes\replmgr.box SMS_WSUS_SYNC_MANAGER
Step 7: The software updates configuration items are sent to child sites by using database replication
Synchronization on child primary site and secondary sites

During the software update synchronization process on the top-level site, the software update configuration
items are replicated to child sites by using database replication. At the end of the process, the top-level site
sends a synchronization request to the child site, and the child site then starts the WSUS synchronization
process. Because the software update metadata (configuration items) from the site database is replicated to the
primary sites through database replication, the synchronization process on the child primary and secondary
sites consists of only the WSUS synchronization phase.
The synchronization process on a child primary site or secondary site performs the following steps:
Step 1: WSUS Synchronization Manager receives a synchronization request from the top-level site
When the sync notification that's sent by the parent site arrives in the WSyncMgr.box folder through file
replication, WSyncMgr wakes up and starts synchronization. The following are logged in WsyncMgr.log:
Wakeup by inbox drop SMS_WSUS_SYNC_MANAGER

Found parent sync notification file CS1.SYN. SMS_WSUS_SYNC_MANAGER
Performing sync on parent request SMS_WSUS_SYNC_MANAGER
WSyncMgr then reads the list of SUPs from the site control file (SCF). WSyncMgr will first synchronize the SUP
that was installed as the first SUP in the site and then synchronize all remaining SUPs. All additional SUPs are
configured as replicas of the first SUP. The following are logged in WsyncMgr.log:
Read SUPs from SCF for PS1SITE.CONTOSO.COM SMS_WSUS_SYNC_MANAGER

Found 2 SUPs SMS_WSUS_SYNC_MANAGER
Found active SUP PS1SITE.CONTOSO.COM from SCF File. SMS_WSUS_SYNC_MANAGER
Found active SUP PS1SYS.CONTOSO.COM from SCF File. SMS_WSUS_SYNC_MANAGER
Step 2: Software updates synchronization begins


Synchronizing WSUS server PS1SITE.CONTOSO.COM SMS_WSUS_SYNC_MANAGER
Step 3: WSUS Synchronization Manager makes a request to WSUS running on the first SUP to start
synchronization

Synchronizing WSUS server ps1site.contoso.com ... SMS_WSUS_SYNC_MANAGER
Step 4: WSUS running on the SUP on the child site synchronizes software updates metadata from WSUS
running on the SUP on the parent site
sync: Starting WSUS synchronization SMS_WSUS_SYNC_MANAGER

sync: WSUS synchronizing categories SMS_WSUS_SYNC_MANAGER
sync: WSUS synchronizing updates SMS_WSUS_SYNC_MANAGER
Done synchronizing WSUS Server ps1site.contoso.com SMS_WSUS_SYNC_MANAGER
Sleeping 2 more minutes for WSUS server sync results to become available SMS_WSUS_SYNC_MANAGER
Set content version of update source {C2D17964-BBDD-4339-B9F3-12D7205B39CC} for site PS1 to 34
Step 5: (For Configuration Manager with no service pack only) WSUS Synchronization Manager starts the
synchronization process for WSUS running on the remote site system
When there is a remote Internet-based SUP, WSUS Synchronization Manager starts the synchronization process
for WSUS running on the remote site system.
Step 6: (For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration
Manager only) WSUS Synchronization Manager sends requests one at a time to WSUS running on other
SUPs (including Internet-based SUPs) at the site
The WSUS servers on the other SUPs are configured as replicas of WSUS running on the default SUP at the site.
WSyncMgr then creates status message ID 6706 (WSUS Synchronization in progress. Current phase:
Synchronizing Internet-facing WSUS server). Even though the SUP may not be Internet-based, the status
message will still be 6706.
Synchronizing replica WSUS servers SMS_WSUS_SYNC_MANAGER

Synchronizing WSUS server ps1sys.contoso.com ... SMS_WSUS_SYNC_MANAGER
sync: Starting Replica WSUS synchronization SMS_WSUS_SYNC_MANAGER
sync: Replica WSUS synchronizing other items SMS_WSUS_SYNC_MANAGER
sync: Replica WSUS synchronizing other items, processed 4 out of 4 items (100%)
Done synchronizing WSUS Server ps1sys.contoso.com SMS_WSUS_SYNC_MANAGER
Step 7: When synchronization has finished successfully, WSUS Synchronization Manager creates status
message 6702

Sync succeeded. Setting sync alert to canceled state on site PS1 SMS_WSUS_SYNC_MANAGER
Successfully synced site with parent CS1, version 34 SMS_WSUS_SYNC_MANAGER
Sync time: 0d00h02m57s SMS_WSUS_SYNC_MANAGER
Step 8: From a primary site, WSUS Synchronization Manager sends a synchronization request to any child
secondary sites
The secondary site starts the software updates synchronization with the parent primary site. The secondary
site's SUP is configured as a replica of WSUS running on the parent site.
The following is logged in WsyncMgr.log:
Sending sync notification to child site(s): SS1 SMS_WSUS_SYNC_MANAGER


Before you can deploy software updates to clients, the clients must run a software updates compliance scan. We
recommend that you allow enough time for clients to complete the scan and report compliance results so that
you can review the compliance results and deploy only the updates that are required on the clients.
When the software update point (SUP) is installed and synchronized, a site-wide machine policy is created that
informs client computers that Configuration Manager Software Updates was enabled for the site. When a client
receives the machine policy, a compliance assessment scan is scheduled to start randomly within the next two
hours. When the scan is started, a Software Updates Client Agent process clears the scan history, submits a
request to find the Windows Server Update Services (WSUS) server that should be used for the scan, and
updates the local Group Policy with the WSUS location.
For an overview of the compliance assessment process, see Software updates compliance assessment.
Software update scan policy

Before a client can try to scan for updates, it needs the UpdateSource policy. This policy is created on the site
server after a successful synchronization of the SUP. This section discusses how this policy is created by the
following process:
Step 1: After a successful synchronization, WSyncMgr updates the Content Version and Last Sync Time in the
database
After a successful synchronization on a primary site, WSyncMgr updates Last Sync Time and Content
Version in the database for the SUP. This is done by executing the spProcessSUMSyncStateMessage stored
procedure. In the following sample SQL Server Profiler trace, this stored procedure is executed to update the
content version to 36:
declare @Error int; exec spProcessSUMSyncStateMessage N'2014-01-17 17:59:54', N'PS1', N'{C2D17964-

BBDD-4339-B9F3-12D7205B39CC}', 1, 0, '36', @Error output, N'PS1SITE.CONTOSO.COM'
Step 2: SMSDBMON gets triggered and drops a .STN file in policypv.box

spProcessSUMSyncStateMessage updates the Update_SyncStatus table with the new Content Version and Sync
Time. This update to the Update_SyncStatus table triggers SMSDBMON to drop a
<UpdateSource_UniqueID>.STN file (STN stands for Scan Tool Notification) in policypv.box to indicate a change
in the scan tool definition. The following are logged in SMSDBMON.log:
RCV: UPDATE on Update_SyncStatus for UpdSyncStatus_iu [{C2D17964-BBDD-4339-B9F3-12D7205B39CC}]

[46680] SMS_DATABASE_NOTIFICATION_MONITOR
SND: Dropped E:\ConfigMgr\inboxes\policypv.box{C2D17964-BBDD-4339-B9F3-12D7205B39CC}.STN
(non-zero) [46680] SMS_DATABASE_NOTIFICATION_MONITOR
Step 3: Policy Provider creates or updates the UpdateSource policy in the database
The <UpdateSource_UniqueID>.STN file notifies Policy Provider that it should wake up and update the
UpdateSource policy in the database.
The following are logged in PolicyPv.log:
Found {C2D17964-BBDD-4339-B9F3-12D7205B39CC}.STN SMS_POLICY_PROVIDER
Added Scan Tool ID {C2D17964-BBDD-4339-B9F3-12D7205B39CC} SMS_POLICY_PROVIDER
Adding to delete list: E:\ConfigMgr\inboxes\policypv.box{C2D17964-BBDD-4339-B9F3-
12D7205B39CC}.STN SMS_POLICY_PROVIDER
select PolicyID , PolicyAssignmentID, SourceCRC, PADBID from SettingsPolicy where SourceID = N'PS1'
and SourceType = N'UpdateSource'
select Version from Policy where PolicyID = N'{d0855677-b0a6-4e33-9bd5-7b0d06f0a2be }'
IF EXISTS (select PolicyID from Policy where PolicyID = N'{d0855677-b0a6-4e33-9bd5-7b0d06f0a2be}')
update Policy set Version = N'40.00' where PolicyID = N'{d0855677-b0a6-4e33-9bd5-7b0d06f0a2be}' ELSE
insert Policy (PolicyID, Version) values (N'{d0855677- b0a6-4e33-9bd5-7b0d06f0a2be}', N'40.00')
exec sp_describe_undeclared_parameters N'UPDATE Policy SET Body = @P1 where PolicyID =
N''{d0855677-b0a6-4e33-9bd5- 7b0d06f0a2be}'''
IF EXISTS (select PADBID from PolicyAssignment where PADBID = 16777218) update PolicyAssignment set
Version = N'40.00', InProcess = 1 , BodyHash = null where PADBID = 16777218 ELSE insert
PolicyAssignment (PolicyAssignmentID, PADBID, Version, PolicyID) values (N'{375c8020-3cae-4736-89ca-
ccf1ce6e3709}', 16777218, N'40.00', N'{d0855677-b0a6-4e33-9bd5-7b0d06f0a2be}')
exec sp_describe_undeclared_parameters N'UPDATE PolicyAssignment SET Body = @P1 where PADBID =
16777218'
update PolicyAssignment set InProcess = 0, BodySignature = N'<BodySignatureTruncated>',
TombstoneBodySignature = N'<TombstoneBodySignatureTruncated>', HashAlgOID =
N'1.2.840.113549.1.1.11', HashAlgId = 32780, BodyHash = N'<BodyHashTruncated>', TombstoneBodyHash
= N'<TombstoneBodyHashTruncated>' where PADBID = 16777218
To see this policy in the database, run the following query:
SELECT CONVERT(XML, Body, 1), * FROM Policy WHERE PolicyID = (SELECT PolicyID FROM SettingsPolicy WHERE
SourceType = 'UpdateSource')
This policy contains the content version of the update server which is used to find the location of the WSUS
computer that the client can scan against. After this policy is created or updated in the database, the clients get
the new or updated UpdateSource policy during the next policy evaluation cycle.
Step 4: Policy is downloaded and evaluated on the client
The following are logged in PolicyAgent.log on the client:
Successfully initiated download of policy 'CCM_Policy_Policy5.PolicyID="{d0855677-b0a6-4e33-9bd5-

7b0d06f0a2be }",PolicySource="SMS:PS1",PolicyVersion="40.00"' PolicyAgent_ReplyAssignments
Policy 'CCM_Policy_Policy5.PolicyID="{d0855677-b0a6-4e33-9bd5-
7b0d06f0a2be}",PolicyVersion="40.00",PolicySource="SMS:PS1"' successfully compiled
PolicyAgent_PolicyDownload
In PolicyEvaluator.log on the client:
Updating policy CCM_Policy_Policy5.PolicyID="{d0855677-b0a6-4e33-9bd5-

7b0d06f0a2be}",PolicySource="SMS:PS1",PolicyVersion="40.00" PolicyAgent_PolicyEvaluator
Applied policy CCM_Policy_Policy5.PolicyID="{d0855677-b0a6-4e33-9bd5-
7b0d06f0a2be}",PolicySource="SMS:PS1",PolicyVersion="40.00" PolicyAgent_PolicyEvaluator
Policy state for [CCM_Policy_Policy5.PolicyID="{d0855677-b0a6-4e33-9bd5-
7b0d06f0a2be}",PolicyVersion="40.00",PolicySource="SMS:PS1"] is currently [Active]
PolicyAgent_PolicyEvaluator
To find the PolicyID of the UpdateSource policy on a client, run the following WQL query:
Namespace: ROOT\ccm\Policy\Machine\RequestedConfig
Query: SELECT * FROM CCM_Policy_Policy5 WHERE PolicyCategory = 'UpdateSource'
Once this policy is compiled on the client, the UpdateSource information is stored in the following WMI Class:
Namespace: ROOT\ccm\Policy\Machine\ActualConfig
Class: CCM_UpdateSource
TIP
If you compare the instance of CCM_UpdateSource class on the client with the XML body retrieved from the policy table,
you will notice that the content of the XML looks identical to the instance.
Step 5: Scan Agent is notified that the UpdateSource policy is updated

The following are logged in ScanAgent.log on the client:
Inside CScanAgent::Notify() ScanAgent

CScanAgent::OnPolicyChange- Policy InstanceModificationEvent notification received ScanAgent
WSUS server location

After the client receives the UpdateSource policy, it's ready to run a scan for software updates compliance. At
this point, the client locates the WSUS computer with the content version specified in the policy. This process is
very similar to the way that the client finds the location of a distribution point for a specific package and version.
Step 1: Scan Agent creates a scan request based on the available policy
The following are logged in ScanAgent.log:
CScanAgent::ScanByUpdates- Policy available for UpdateSourceID={C2D17964-BBDD-4339-B9F3-

12D7205B39CC} ContentVersion=38 ScanAgent
CScanAgent::ScanByUpdates- Added Policy to final ScanRequest List UpdateSourceID={C2D17964-BBDD-
4339-B9F3-12D7205B39CC}, Policy-ContentVersion=38, Required-ContentVersion=38 ScanAgent
Step 2: Scan Agent sends a request for the WSUS location to Location Services
Scan Agent now requests the WSUS location from Location Services and waits for a response. In this example,
the location request ID is {C2BB9710-C548-49D0-9DF8-5F9CFC5F3862}. The following are logged in
ScanAgent.log:
Inside CScanAgent::ProcessScanRequest() ScanAgent

CScanJobManager::Scan- entered ScanAgent
ScanJob({4CD06388-D509-46E4-8C00-75909EDD9EE8}): CScanJob::Initialize- entered ScanAgent
ScanJob({4CD06388-D509-46E4-8C00-75909EDD9EE8}): CScanJob::Scan- entered ScanAgent
ScanJob({4CD06388-D509-46E4-8C00-75909EDD9EE8}): CScanJob::RequestLocations- entered ScanAgent
- - - - - -Requesting WSUS Server Locations from LS for {C2D17964-BBDD-4339-B9F3-12D7205B39CC}
version 38 ScanAgent
- - - - - -Location Request ID = {C2BB9710-C548-49D0-9DF8-5F9CFC5F3862} ScanAgent
CScanAgentCache::PersistInstanceInCache- Persisted Instance CCM_ScanJobInstance ScanAgent
ScanJob({4CD06388-D509-46E4-8C00-75909EDD9EE8}): - - - - - -Locations requested for ScanJobID=
{4CD06388-D509-46E4-8C00-75909EDD9EE8} (LocationRequestID={C2BB9710-C548-49D0-9DF8-
5F9CFC5F3862}), will process the scan request once locations are available. ScanAgent
Each scan job is stored in WMI in the CCM_ScanJobInstance class:
Namespace: root\CCM\ScanAgent
Class: CCM_ScanJobInstance
Step 3: Location Services sends the location request to the management point
Location Services creates a location request and sends it to the management point. The package ID for a WSUS
location request is the UpdateSource unique ID. The following are logged in LocationServices.log:
CCCMWSUSLocation::GetLocationsAsyncEx LocationServices
Attempting to persist WSUS location request for ContentID='{C2D17964-BBDD-4339-B9F3-
12D7205B39CC}' and ContentVersion='38' LocationServices
Persisted WSUS location request LocationServices
Attempting to send WSUS Location Request for ContentID='{C2D17964-BBDD-4339-B9F3-
12D7205B39CC}' LocationServices
WSUSLocationRequest : <WSUSLocationRequest SchemaVersion="1.00"><Content ID="{C2D17964-BBDD-
4339-B9F3- 12D7205B39CC}" Version="38"/><AssignedSite SiteCode="PS1"/><ClientLocationInfo
OnInternet="0"><ADSite Name="CM12-R2- PS1"/><Forest Name="CONTOSO.COM"/><Domain
Name="CONTOSO.COM"/><IPAddresses><IPAddress SubnetAddress="192.168.2.0"
Address="192.168.2.62"/></IPAddresses></ClientLocationInfo></WSUSLocationRequest>
LocationServices
Created and Sent Location Request '{C2BB9710-C548-49D0-9DF8-5F9CFC5F3862}' for package
{C2D17964-BBDD-4339-B9F3- 12D7205B39CC} LocationServices
Step 4: CCM Messaging sends the location request message to the management point
The following are logged in CcmMessaging.log:
Sending async message '{76453CC6-76BA-4B68-BE30-BA70754570BB}' to outgoing queue 'mp:

[http]mp_locationmanager' CcmMessaging
Sending outgoing message '{76453CC6-76BA-4B68-BE30-BA70754570BB}'. Flags 0x200, sender account
empty CcmMessaging
Step 5: The management point parses the request, obtains the WSUS location from the database, and sends
a response
The management point parses this request and calls the MP_GetWSUSServerLocations stored procedure to get the
WSUS locations from the database. The following are logged in MP_Location.log:
MP LM: Message Body : <WSUSLocationRequest SchemaVersion="1.00"><Content ID="{C2D17964-BBDD-

4339-B9F3- 12D7205B39CC}" Version="38"/><AssignedSite SiteCode="PS1"/><ClientLocationInfo
OnInternet="0"><ADSite Name="CM12-R2- PS1"/><Forest Name="CONTOSO.COM"/><Domain
Name="CONTOSO.COM"/><IPAddresses><IPAddress SubnetAddress="192.168.2.0"
Address="192.168.2.62"/></IPAddresses></ClientLocationInfo></WSUSLocationRequest>
MP_LocationManager
MP LM: calling MP_GetWSUSServerLocations MP_LocationManager

exec MP_GetMPSitesFromAssignedSite N'PS1'
exec MP_GetSiteInfoUnified N'<ClientLocationInfo OnInternet="0"><ADSite Name="CM12-R2-PS1"/>
<Forest Name="CONTOSO.COM"/><Domain Name="CONTOSO.COM"/><IPAddresses><IPAddress
SubnetAddress="192.168.2.0" Address="192.168.2.62"/></IPAddresses></ClientLocationInfo>'
exec MP_GetWSUSServerLocations N'{C2D17964-BBDD-4339-B9F3-
12D7205B39CC}',N'38',N'PS1',N'PS1',N'0',N'CONTOSO.COM'
After getting the results from the stored procedure, the management point sends a response to the client. The
following is logged in MP_Location.log:
MP LM: Reply message body:

<WSUSLocationReply SchemaVersion="1.00"><Sites><Site><MPSite SiteCode="PS1"/>
<LocationRecords><LocationRecord WSUSURL=" http://PS1SITE.CONTOSO.COM:8530 "
ServerName="PS1SITE.CONTOSO.COM" Version="38"/><LocationRecord WSUSURL="
https://PS1SYS.CONTOSO.COM:8531 " ServerName="PS1SYS.CONTOSO.COM" Version="38"/>
</LocationRecords></Site></Sites></WSUSLocationReply> MP_LocationManager
Step 6: CCM Messaging receives the response and sends it back to Location Services
The CcmMessaging.log file on the client shows that a reply was received. This message was delivered to
Location Services:
Message '{76453CC6-76BA-4B68-BE30-BA70754570BB}' got reply '{8E6D05EF-B77F-4AD0-AF64-

1C6F3069A29C}' to local endpoint queue 'LS_ReplyLocations' CcmMessaging
OutgoingMessage(Queue='mp_[http]mp_locationmanager', ID={76453CC6-76BA-4B68-BE30-
BA70754570BB}): Delivered successfully to host 'PS1SYS.CONTOSO.COM'. CcmMessaging
Message '{8E6D05EF-B77F-4AD0-AF64-1C6F3069A29C}' delivered to endpoint 'LS_ReplyLocations'
CcmMessaging
Step 7: Location Services parses the response and sends the location back to Scan Agent
The following are logged in LocationServices.log:
Processing Location reply message LocationServices 1/20/2014 12:18:09 PM

WSUSLocationReply : <WSUSLocationReply SchemaVersion="1.00"><Sites><Site><MPSite
SiteCode="PS1"/><LocationRecords><LocationRecord WSUSURL=" http://PS1SITE.CONTOSO.COM:8530 "
ServerName="PS1SITE.CONTOSO.COM" Version="38"/><LocationRecord WSUSURL="
https://PS1SYS.CONTOSO.COM:8531 " ServerName="PS1SYS.CONTOSO.COM" Version="38"/>
</LocationRecords></Site></Sites></WSUSLocationReply> LocationServices
Calling back with the following WSUS locations LocationServices
WSUS Path=' http://PS1SITE.CONTOSO.COM:8530 ', Server='PS1SITE.CONTOSO.COM', Version='38'
LocationServices
WSUS Path=' https://PS1SYS.CONTOSO.COM:8531 ', Server='PS1SYS.CONTOSO.COM', Version='38'
LocationServices
Calling back with locations for WSUS request {C2BB9710-C548-49D0-9DF8-5F9CFC5F3862}
LocationServices
Step 8: Scan Agent notifies WUAHandler to add the update source to the registry
Scan Agent now has the policy and the update source location with the appropriate content version. The
following are logged in ScanAgent.log:
*****WSUSLocationUpdate received for location request guid={C2BB9710-C548-49D0-9DF8-

5F9CFC5F3862} ScanAgent
ScanJob({4CD06388-D509-46E4-8C00-75909EDD9EE8}): CScanJob::OnLocationUpdate- Received
Location= http://PS1SITE.CONTOSO.COM:8530 , Version=38 ScanAgent
ScanJob({4CD06388-D509-46E4-8C00-75909EDD9EE8}): CScanJob::Execute- Adding UpdateSource=
{C2D17964-BBDD-4339-B9F3-12D7205B39CC}, ContentType=2, ContentLocation=
http://PS1SITE.CONTOSO.COM:8530 , ContentVersion=38 ScanAgent
Scan Agent notifies WUAHandler to add the update source. WUAHandler adds the update source to the registry
and initiates a Group Policy refresh (if the client is in domain) to see whether Group Policy overrides the update
server that we just added. The following are logged in WUAHandler.log on a new client showing a new update
source being added:
Its a WSUS Update Source type ({C2D17964-BBDD-4339-B9F3-12D7205B39CC}), adding it. WUAHandler

Its a completely new WSUS Update Source. WUAHandler
Enabling WUA Managed server policy to use server: http://PS1SITE.CONTOSO.COM:8530 WUAHandler
Policy refresh forced. WUAHandler
Waiting for 2 mins for Group Policy to notify of WUA policy change... WUAHandler
Waiting for 30 secs for policy to take effect on WU Agent. WUAHandler
Added Update Source ({C2D17964-BBDD-4339-B9F3-12D7205B39CC}) of content type: 2 WUAHandler
During this time, the Windows Update Agent sees a WSUS configuration change. The following are logged in
WindowsUpdate.log:
2014-01-20 12:18:11:520 968 9d0 Agent * WSUS server: http://PS1SITE.CONTOSO.COM:8530 (Changed)

2014-01-20 12:18:11:520 968 9d0 Agent * WSUS status server: http://PS1SITE.CONTOSO.COM:8530
(Changed)
2014-01-20 12:18:11:520 968 9d0 AU Sus server changed through policy.
The following registry keys are checked and set:
REGIST RY SUB K EY VA L UE N A M E TYPE DATA
WUServer REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate The full WSUS server URL
including the port. For
example,
http://PS1Site.Contoso.com:8530
WUStatusServer REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate The full WSUS server URL
example,
UseWUServer REG_DWORD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU 0x1
For an existing client, we could expect to see the following in WUAHandler.log to denote when content version
has incremented:
Its a WSUS Update Source type ({C2D17964-BBDD-4339-B9F3-12D7205B39CC}), adding it. WUAHandler

WSUS update source already exists, it has increased version to 38. WUAHandler
Step 9: Scan Agent initiates the scan

After the update source is successfully added, Scan Agent raises a state message and initiates the scan. The
following are logged in ScanAgent.log:
ScanJob({4CD06388-D509-46E4-8C00-75909EDD9EE8}): Raised UpdateSource ({C2D17964-BBDD-4339-

B9F3-12D7205B39CC}) state message successfully. StateId = 2 ScanAgent
ScanJob({4CD06388-D509-46E4-8C00-75909EDD9EE8}): CScanJob::Execute - successfully requested Scan,
ScanType=1 ScanAgent
Software update scan on clients

After the update source policy and the update source location are available, Scan Agent initiates the scan.
Software update scan is actually performed by the Windows Update Agent. However, the Configuration
Manager client interacts with the Windows Update Agent to perform a scan and obtain the scan results. This
interaction is handled by the Windows Update Agent Handler (WUAHandler) component, which communicates
with the Windows Update Agent.
Step 1: Scan Agent requests the scan and WUAHandler initiates the scan
Scan Agent requests the scan from WUAHandler, which uses the Windows Update Agent API to request a
software update scan from the Windows Update Agent. The following is logged in ScanAgent.log:
ScanJob({4CD06388-D509-46E4-8C00-75909EDD9EE8}): CScanJob::Execute - successfully requested Scan,

ScanType=1 ScanAgent
The following are logged in WUAHandler.log:
Scan results will include superseded updates only when they are superseded by service packs and definition
updates. WUAHandler
Search Criteria is (DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND
Type='Driver') WUAHandler
Running single-call scan of updates. WUAHandler
Async searching of updates using WUAgent started. WUAHandler
Step 2: Windows Update Agent (WUA ) starts the scan against the WSUS computer
Windows Update Agent starts a scan after receiving a request from the Configuration Manager client (CcmExec).
Because the Windows Update Server value was already set to the SUP server, this scan is performed against the
WSUS server that has the SUP role installed. The following are logged in WindowsUpdate.log:
2014-01-20 12:18:42:694 3856 708 COMAPI -- START -- COMAPI: Search [ClientId = CcmExec]
2014-01-20 12:18:42:752 3856 708 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]
2014-01-20 12:18:47:511 968 f58 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server
URL = http://PS1SITE.CONTOSO.COM:8530/ClientWebService/client.asmx
2014-01-20 12:18:48:662 968 f58 Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
2014-01-20 12:18:48:662 968 f58 Agent * Include potentially superseded updates
2014-01-20 12:18:48:662 968 f58 Agent * Online = Yes; Ignore download priority = Yes
2014-01-20 12:18:48:662 968 f58 Agent * Criteria = "(DeploymentAction=* AND Type='Software') OR
(DeploymentAction=* AND Type='Driver')"
2014-01-20 12:18:48:662 968 f58 Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
Managed
2014-01-20 12:18:48:662 968 f58 Agent * Search Scope = {Machine}
Windows Update Agent now scans against the WSUS server and reports the results to CcmExec (specifically
WUAHandler). The following are logged in WindowsUpdate.log:
2014-01-20 12:18:49:175 968 f58 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server
URL = http://PS1SITE.CONTOSO.COM:8530/ClientWebService/client.asmx
2014-01-20 12:18:52:680 968 f58 Agent * Added update {4AE85C00-0EAA-4BE0-B81B-
DBD7053D5FAE}.104 tosearch result
2014-01-20 12:18:52:683 968 f58 Agent * Added update {57260DFE-227C-45E3-9FFC-
2FC77A67F95A}.104 to search result
2014-01-20 12:18:52:694 968 f58 Agent * Found 163 updates and 70 categories in search; evaluated appl.
rules of 622 out of 1150 deployed entities
2014-01-20 12:18:52:745 968 f58 Agent ** END ** Agent: Finding updates [CallerId = CcmExec]
2014-01-20 12:18:52:755 3856 708 COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = CcmExec]
2014-01-20 12:18:53:137 3856 708 COMAPI - Updates found = 163
2014-01-20 12:18:53:137 3856 708 COMAPI -- END -- COMAPI: Search [ClientId = CcmExec]
Step 3: WUAHandler receives the results from the Windows Update Agent and marks the scan as complete
Async searching completed. WUAHandler

Finished searching for everything in single call. WUAHandler
Step 4: WUAHandler parses the scan results

WUAHandler then parses the results, which include the applicability state for each update. As part of this
process, superseded updates are pruned out. The following are logged in WUAHandler.log:
Pruning: update id (70f4f236-0248-4e84-b472-292913576fa1) is superseded by (726b7201-862a-4fde-

9b12-f36b38323a6f). WUAHandler
...
Update (Installed): Security Update for Windows 7 for x64-based Systems (KB2584146) (4ae85c00-0eaa-
4be0-b81b-dbd7053d5fae, 104) WUAHandler
Update (Missing): Security Update for Windows 7 for x64-based Systems (KB2862152) (505fda07-b4f3-
45fb-83d9-8642554e2773, 200) WUAHandler
...
Successfully completed scan. WUAHandler
Step 5: Update store records the status and raises a state message for each update in WMI
Once the scan results are available, these results are stored in the updates store. Update store records the
current state of each update and creates a state message for each update. These state messages are forwarded
to the site server in bulk at the end of the status message reporting cycle (which is 15 minutes, by default).
UpdatesStore.log showing state for missing update (KB2862152) being recorded and a state message being
raised:
Processing update status from update (505fda07-b4f3-45fb-83d9-8642554e2773) with ProductID =

0fa1201d-4330-4fa8-8ae9- b877473b6441 UpdatesStore
Update status from update (505fda07-b4f3-45fb-83d9-8642554e2773) hasn't been reported before,
creating new instance. UpdatesStore
Successfully raised state message for update (505fda07-b4f3-45fb-83d9-8642554e2773) with state
(Missing). UpdatesStore
Successfully added WMI instance of update status (505fda07-b4f3-45fb-83d9-8642554e2773).
UpdatesStore
StateMessage.log showing state message being recorded with State ID 2 (missing):

Adding message with TopicType 500 and TopicId 505fda07-b4f3-45fb-83d9-8642554e2773 to WMI
StateMessage
State message(State ID : 2) with TopicType 500 and TopicId 505fda07-b4f3-45fb-83d9-8642554e2773 has
been recorded for SYSTEM StateMessage
For each update, an instance of the CCM_UpdateStatus class is created or updated, and this stores the current
status of the update. The CCM_UpdateStatus class is located in the ROOT\CCM\SoftwareUpdates\UpdatesStore
namespace.
Similarly, an instance of the CCM_StateMsg class is created or updated, and this stores the current state of the
update. The CCM_StateMsg class is located in the ROOT\CCM\StateMsg namespace.
Step 6: State messages are sent to the management point

As mentioned earlier, state messages are sent to the management point based on the state message reporting
cycle schedule, which is configured to 15 minutes by default. Once a state message is sent to the management
point, the MessageSent property for the state message instance in the CCM_StateMsg class is set to True .
In StateMessage.log:
StateMessage body: <XML Report Body Truncated> StateMessage

Successfully forwarded State Messages to the MP StateMessage
The following is how the state message body looks like for our update. Normally this XML body is too large for
the log and is truncated in CMTrace. However, you can see the whole XML body in Notepad.
StateMessage body: <?xml version="1.0" encoding="UTF-16"?>

<ClientType>1</ClientType><ClientID>GUID: A1006D0E-CF56-41D1-A006-6330EFC39381</ClientID>
<ClientVersion>5.00.7958.1000</ClientVersion><NetBIOSName>PS1WIN7X64</NetBIOSName>
<CodePage>437</CodePage><SystemDefaultLCID>1033</SystemDefaultLCID><Priority>5</Priority>
</Machine></Identification><ReportDetails><ReportContent>State Message Data</ReportContent>
<ReportType>Full</ReportType><Date>20140120194656.903000+000</Date><Version>1.0</Version>
<Format>1.0</Format></ReportDetails></ReportHeader><ReportBody><StateMessage
MessageTime="20140120171855.573000+000" SerialNumber="232"><Topic ID="505fda07-b4f3-45fb-
83d9-8642554e2773" Type="500" IDType="3" User="" UserSID=""/><State ID="2" Criticality="0"/>
<UserParameters Flags="0" Count="1"><Param>200</Param></UserParameters></StateMessage>
</ReportBody></Report> StateMessage
State message processing flow

We now know how a state message is recorded and the WMI location where these state messages are stored.
We also know that unsent state messages on a client are sent to the management point every 15 minutes by
default, per the state message reporting cycle. This schedule can be modified in the State Messaging of the
custom or default client settings.
Although StateMessage.log reports Successfully for warded State Messages to the MP , the State Message
component isn't actually sending these messages itself. All messages sent and received from the management
point are handled by the CCM Messaging component on the client. CCM Messaging is the actual component
that communicates with the management point for sending and receiving data. The management point has
various queues defined to handle different kinds of incoming traffic. For state messages, the queue that handles
this traffic is the MP_RelayEndpoint queue.
Step 1: The State Message component starts sending messages to the management point
In StateMessage.log:
StateMessage body: <?xml version="1.0" encoding="UTF-16"?> <Report><ReportHeader><Identification>

<Machine><ClientInstalled>1</ClientInstalled><ClientType>1</ClientType><ClientID>GUID: A1006D0E-
CF56-41D1-A006-6330EFC39381</ClientID><ClientVersion>5.00.7958.1000</ClientVersion>
<NetBIOSName>PS1WIN7X64</NetBIOSName><CodePage>437</CodePage>
<SystemDefaultLCID>1033</SystemDefaultLCID><Priority>5</Priority></Machine></Identification>
<ReportDetails><ReportContent>State Message Data</ReportContent><ReportType>Full</ReportType>
</ReportDetails></ReportHeader><ReportBody><StateMessage
</ReportBody></Report> StateMessage
Step 2: CCM Messaging sends a message containing the state message XML body to the management point
CCM Messaging sends a message to the MP_RelayEndpoint queue successfully. This message doesn't have a
reply, unlike the one we noticed earlier in the WSUS Location Request section where the message with the
Location Request received a reply.
In CcmMessaging.log:
Sending async message '{95F79010-D0EB-49A6-8A1E-3897883105F2}' to outgoing queue

'mp:mp_relayendpoint' CcmMessaging
Sending outgoing message '{95F79010-D0EB-49A6-8A1E-3897883105F2}'. Flags 0x200, sender account
empty CcmMessaging
POST: Host=PS1SYS.CONTOSO.COM, Path=/ccm_system/request, Port=443, Protocol=https, Flags=512,
Options=480 CcmMessaging
Message '{95F79010-D0EB-49A6-8A1E-3897883105F2}' doesn't have reply CcmMessaging
OutgoingMessage(Queue='mp_mp_relayendpoint', ID={95F79010-D0EB-49A6-8A1E-3897883105F2}):
Delivered successfully to host 'PS1SYS.CONTOSO.COM'. CcmMessaging
Step 3: The message is received on the management point, and then MP_Relay processes the message and
creates an SMX file
As all messages are sent using HTTP/HTTPS and are received by IIS. In this example, this request is made to the
CCM_System virtual directory.
In IIS log:
192.168.2.12 CCM_POST /ccm_system/request - 443 - 192.168.2.62 ccmhttp - 200 0 0 542 31
Once the message is received successfully on the management point, the MP_Relay component processes this
message, converts the message into an SMX file, and moves the SMX file to the appropriate location depending
on whether the management point is colocated on the site server or not.
On a remote management point: \SMS\mp\outboxes\StateMsg.box
On a management point colocated on the site server: \inboxes\auth\StateSys.box\incoming
In MP_Relay.log on a management point co-located on the site server:
Mp Message Handler: start message processing for Relay----------------------- MP_RelayEndpoint

Mp Message Handler: FileType=SMX MP_RelayEndpoint
Message Body : <XML Body Truncated> MP_RelayEndpoint
Relay: Outbox dir: E:\ConfigMgr\inboxes\auth\statesys.box\incoming MP_RelayEndpoint
Priority in the message = 5 MP_RelayEndpoint
State Priority Directory = E:\ConfigMgr\inboxes\auth\statesys.box\incoming MP_RelayEndpoint
Inv-Relay: Task completed successfully MP_RelayEndpoint
In MP_Relay.log on a remote management point:
Mp Message Handler: start message processing for Relay------------------------------ MP_RelayEndpoint

Mp Message Handler: FileType=SMX MP_RelayEndpoint
Message Body :
<?xml version="1.0" encoding="UTF-16"?>
</ReportBody></Report> MP_RelayEndpoint
Inv-Relay Task: Processing message body MP_RelayEndpoint
Relay: Outbox dir: C:\SMS\mp\outboxes\StateMsg.box MP_RelayEndpoint
Priority in the message = 5 MP_RelayEndpoint
State Priority Directory = C:\SMS\mp\outboxes\StateMsg.box MP_RelayEndpoint
Inv-Relay: Task completed successfully MP_RelayEndpoint
The XML body looks identical to what's logged in StateMessage.log on the client.
Step 4: MP File Dispatch Manager sends the SMX file to the site server (only when the management point
isn't colocated on-site server)
When the management point is remote to the site server, after the file arrives in outboxes\StateMsg.box, MP File
Dispatch Manager (MPFDM) is responsible for moving these files to the StateMsg.box inbox on the site server.
When the management point is colocated on the site server, these files are moved directly to the appropriate
Inbox folder, so MPFDM isn't involved.
In MPFDM.log on a remote management point:
Moved file C:\SMS\MP\OUTBOXES\statemsg.box\TAZGYTSJ.SMX to

\\PS1SITE.CONTOSO.COM\SMS_PS1\inboxes\auth\statesys.box\incoming\TAZGYTSJ.SMX
SMS_MP_FILE_DISPATCH_MANAGER
For MPFDM to move the files to the appropriate inbox, the remote management point must be able to access
the registry of the site server to determine the Inbox source locations. Therefore, the Remote Registry service
must be running, and Registry Access should not be blocked by Group Policy. MPFDM determines the Inbox
locations by accessing the following registry key on the site server:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Inbox Source
Step 5: StateSys component on the site server processes the state message to the database
After the file arrives in \inboxes\auth\StateSys.box on the site server, the State System Manager (StateSys)
component wakes up and processes the SMX file(s).
In StateSys.log with verbose logging enabled:
Inbox notification triggered, pause for 10 seconds...... SMS_STATE_SYSTEM

Found new state messages to process, starting processing thread SMS_STATE_SYSTEM
Thread "State Message Processing Thread #0" id:4316 started SMS_STATE_SYSTEM
total chucks loaded (1) SMS_STATE_SYSTEM
CMessageProcessor - Processing file: YCE2H3VD.SMX SMS_STATE_SYSTEM
CMessageProcessor - Processed 1 records with 0 invalid records. SMS_STATE_SYSTEM
CMessageProcessor - Processed 1 message files in this batch, with 0 bad files. SMS_STATE_SYSTEM
Thread "State Message Processing Thread #0" id:4316 terminated normally SMS_STATE_SYSTEM
In StateSys.log without verbose logging enabled:

Found new state messages to process, starting processing thread SMS_STATE_SYSTEM
Thread "State Message Processing Thread #0" id:1988 started SMS_STATE_SYSTEM
Thread "State Message Processing Thread #0" id:1988 terminated normally SMS_STATE_SYSTEM
The StateSys.log file doesn't log the file name unless verbose logging is enabled for State System Manager.
The SMX file that's moved to the StateSys.box folder contains the message body XML. When StateSys processes
this file, it calls the spProcessStateReport stored procedure and passes this XML body on to the stored
procedure as a parameter.
exec dbo.spProcessStateReport N'<?xml version="1.0" encoding="UTF-16"?>

</ReportBody></Report>'
spProcessStateReport is a CLR stored procedure, and the CLR definition has the logic to determine the type of
state message being processed. Depending on the type of state message, it processes the state message
appropriately and inserts the data in the database.
You can find friendly names of all state message Topic Types and IDs by querying the SR_StateNames table
with the following command:
SELECT * FROM SR_StateNames
Software update summarization

Before software update compliance data can be presented in the console or reports, the software update
compliance data must be summarized. This is necessary because the console and reports usually display only
summarized data. The State System component on the site server performs the software update summarization
along with summarization for other components, such as applications, DCM deployments and client health. You
can find information about all the summarization tasks that State System performs by querying the
vSR_SummaryTasks view in the Configuration Manager database. State System runs these tasks on a configured
schedule and logs detail about each task in StateSys.log:
Started task '<TaskName>' SMS_STATE_SYSTEM

Task '<TaskName>' completed successfully after running for 15 seconds, with status 8. SMS_STATE_SYSTEM
For most of these tasks, the status logged by StateSys.log isn't an error code. Instead, it's the number of rows
returned by the appropriate SQL Server stored procedure that performs the summarization.
Summarization tasks specific to software updates are:
SUM Assignment Compliance Evaluator
Summarizes state messages for all software update group assignments (deployments). This task runs
every hour by default. It can be initiated manually for a specific deployment in Configuration Manager
console > Monitoring > Deployments , right-click the deployment, and then click Run
Summarization .
SUM Update Group Status Summarizer
Summarizes status of Update Groups. This task runs every hour by default. It can be initiated manually
for a specific Update Group in Configuration Manager console > Software Librar y > Software
Updates > Software Update Groups , right-click the update group, and then click Run
Summarization .
You can also change the schedule of this task by right-clicking Software Update Groups or by selecting
Schedule Summarization in the ribbon.
SUM Update Status Summarizer
Summarizes status of updates for all clients. This task runs every hour by default. It can be initiated
manually in Configuration Manager console > Software Librar y > Software Updates , then click Run
Summarization . You can also change the default schedule by selecting Schedule Summarization .
SUM Migrate Update Status
Migrates update status internally within the database. This task runs every 24 hours by default. It can't be
initiated manually from the Configuration Manager console.
SUM Delete Aged Status
Deletes aged status from software update specific tables in the database. This task runs every 24 hours
by default. It can't be initiated manually from the Configuration Manager console.
Software update point switching

In System Center 2012 Configuration Manager SP1 and later versions, a site can have multiple SUPs. This
provides fault tolerance for situations when a SUP becomes unavailable. For more information about SUPs'
failover and switching, see the following articles:
Software Update Points in Configuration Manager Service Pack 1
Software update point switching
Track the software update deployment process in
This article describes how to track the deployment of software updates in Configuration Manager by using log
files.
Summary
When you deploy software updates in Configuration Manager, you typically add the updates to a software
update group and then deploy the software update group to clients. When you create the deployment, the
update policy is sent to client computers. And the update content files are downloaded from a distribution point
to the local cache on the client computer. The updates are then available for installation on the client. In the
following section, we examine this process in detail and show how the process can be tracked by using log files.
This information may be helpful when you're trying to identify and resolve problems in the software update
process.
NOTE
The log snippets provided in this article apply to Configuration Manager 2012 and 2012 R2. Log entries for other
Configuration Manager versions may be different.
Create a software update group

When you create a software update group in the Configuration Manager console, an instance of the
SMS_AuthorizationList class is created. This instance contains information about the software update group, and
it has relationships with the software updates in the software update group.
The following are logged in SMSProv.log:
CSspClassManager::PreCallAction, dbname=CM_PS1 SMS Provider

PutInstanceAsync SMS_AuthorizationList SMS Provider
Updating SDM content definition. SMS Provider
Try to sync permission table : Declare @Ids RBAC_Object_Type;insert into @Ids (ObjectKey, ObjectTypeID)
values (N'ScopeId_FC8FCC38-4BB1-4245-92F5-9CE841775019/AuthList_9D013E6D-EF76-43F6-ACC4-
80749AB8D90A',34);exec spRBAC_SyncPermissions @ObjectIds=@Ids,@RoleIDs=N'',@AdminIDs=N'' SMS Provider
Successfully synced permission table SMS Provider
Auditing: User CONTOSO\Admin created an instance of class SMS_AuthorizationList. SMS Provider
As part of the software update group creation process, SMSProv inserts data in appropriate CI_ tables, including:
CI_ConfigurationItems
CI_ConfigurationItemRelations
CI_ConfigurationItemRElations_Flat
CI_DocumentStore
CI_CIDocuments
CI_LocalizedProperties
SMSDBMON monitors when data is inserted into these tables and drops CI Notification (CIN) files in
objmgr.box. The following are logged in SMSDBMon.log:
RCV: INSERT on CI_ConfigurationItems for CINotify_iud [16777264 ][60216]

RCV: UPDATE on CI_ConfigurationItems for CINotify_iud [16777264 ][60217]
RCV: INSERT on CI_ConfigurationItemRelations_Flat for CI_ConfigurationItemRelations_Flat_From_iud [16777264
][60218] SMS_DATABASE_NOTIFICATION_MONITOR
RCV: INSERT on RBAC_ChangeNotification for Rbac_Sync_ChangeNotification [363 ][60226]
SND: Dropped E:\ConfigMgr\inboxes\objmgr.box\16777264.CIN [60225] SMS_DATABASE_NOTIFICATION_MONITOR
SND: Dropped E:\ConfigMgr\inboxes\hman.box\363.RBC [60226] SMS_DATABASE_NOTIFICATION_MONITOR
Object Replication Manager wakes up when files are dropped in objmgr.box and processes the software update
group. The following are logged in ObjReplMgr.log:
File notification triggered. SMS_OBJECT_REPLICATION_MANAGER

+++Begin processing changed CIN objects SMS_OBJECT_REPLICATION_MANAGER
***** Processing AuthorizationList ScopeId_FC8FCC38-4BB1-4245-92F5-9CE841775019/AuthList_9D013E6D-EF76-43F6-
ACC4- 80749AB8D90A ***** SMS_OBJECT_REPLICATION_MANAGER
Deleting notification file E:\ConfigMgr\inboxes\objmgr.box\16777264.CIN
SMS_OBJECT_REPLICATION_MANAGER
+++Begin collecting targeting information for Affected CIs SMS_OBJECT_REPLICATION_MANAGER
+++Completed collecting targeting information for Affected CIs SMS_OBJECT_REPLICATION_MANAGER
Affected CIs (1): 16777264 SMS_OBJECT_REPLICATION_MANAGER
CI 16777264 is NOT Targeted SMS_OBJECT_REPLICATION_MANAGER
Successfully processed AuthorizationList ScopeId_FC8FCC38-4BB1-4245-92F5-9CE841775019/AuthList_9D013E6D-
EF76-43F6-ACC4-80749AB8D90A SMS_OBJECT_REPLICATION_MANAGER
Set last row version for Configuration Item to 0x0000000000296047 SMS_OBJECT_REPLICATION_MANAGER
The changes to the CI_* tables are then replicated to the child sites through database replication. This operation
allows the software update group to show up on the child site.
Software update groups are configuration items (CIs) themselves, and the CI Type ID for software update
groups is 9 . You can view the software update groups by running the following SQL query:
SELECT * FROM vSMS_ConfigurationItems WHERE CIType_ID = 9
To see the relationships from a software update group CI to the software update CIs, run the following SQL
query:
SELECT CIR.* FROM CI_ConfigurationItemRelations CIR
JOIN CI_ConfigurationItems CI ON CIR.FromCI_ID = CI.CI_ID
WHERE CI.CIType_ID = 9
Manually create a deployment for software update group

When a deployment for a software update group is created, an instance of the SMS_UpdateGroupAssignment class
is created. The instance contains information about the deployment. The following are logged in SMSProv.log:
PutInstanceAsync SMS_UpdateGroupAssignment SMS Provider

Auditing: User CONTOSO\Admin created an instance of class SMS_UpdateGroupAssignment. SMS Provider
Updates are then downloaded to the specified package source directory by the Software Updates Patch
Downloader component. The following are logged in PatchDownloader.log in %TEMP% directory:
Trying to connect to the root\SMS namespace on the PS1SITE.CONTOSO.COM machine. Software Updates Patch
Downloader
Connected to \\PS1SITE.CONTOSO.COM\root\SMS Software Updates Patch Downloader
Trying to connect to the \\\PS1SITE.CONTOSO.COM\root\sms\site_PS1 namespace on the PS1SITE.CONTOSO.COM
machine. Software Updates Patch Downloader
Connected to \\PS1SITE.CONTOSO.COM\root\sms\site_PS1 Software Updates Patch Downloader
Download destination = \\PS1SITE\SOURCE\Updates\Win7\d09e9a92-20e7-455a-a51b-aaeca7b7d7e1.1\windows6.1-
kb2807986-x86.cab . Software Updates Patch Downloader
Contentsource =
http://wsus.ds.download.windowsupdate.com/msdownload/update/software/secu/2013/02/windows6.1-kb2807986-
x86_83d5bb38d8c50d924f3dcd024b20fe33afbd9d14.cab. Software Updates Patch Downloader
Downloading content for ContentID = 471, FileName = windows6.1-kb2807986-x86.cab. Software Updates Patch
Downloader
Download http://wsus.ds.download.windowsupdate.com/msdownload/update/software/secu/2013/02/windows6.1-
kb2807986-x86_83d5bb38d8c50d924f3dcd024b20fe33afbd9d14.cab to
C:\Users\Admin\AppData\Local\Temp\2\CABBA79.tmp returns 0 Software Updates Patch Downloader
Successfully moved C:\Users\Admin\AppData\Local\Temp\2\CABBA79.tmp to
\\PS1SITE\SOURCE\Updates\Win7\d09e9a92-20e7- 455a-a51b-aaeca7b7d7e1.1\windows6.1-kb2807986-x86.cab
Software Updates Patch Downloader
Renaming \\PS1SITE\SOURCE\Updates\Win7\d09e9a92-20e7-455a-a51b-aaeca7b7d7e1.1 to
\\\PS1SITE\SOURCE\Updates\Win7\d09e9a92-20e7-455a-a51b-aaeca7b7d7e1 Software Updates Patch Downloader
Successfully moved \\PS1SITE\SOURCE\Updates\Win7\d09e9a92-20e7-455a-a51b-aaeca7b7d7e1.1 to
\\PS1SITE\SOURCE\Updates\Win7\d09e9a92-20e7-455a-a51b-aaeca7b7d7e1 Software Updates Patch Downloader
After the updates are downloaded, SMS Provider adds each update to the specified package. The following are
logged in SMSProv.log:
Requested class =SMS_SoftwareUpdatesPackage SMS Provider
Requested num keys =1 SMS Provider
CExtProviderClassObject::DoExecuteMethod AddUpdateContent SMS Provider
*** SspPackageInst::AddUpdateContent *** SMS Provider
CObjectLock::UserHasLock: ********** User CONTOSO\Admin has lock for object
SMS_SoftwareUpdatesPackage.PackageID="PS100001" with LockID: DCE6F1B5-1EE8-47CB-85A7-3027E51119A7 **********
SMS Provider
CObjectLock::ReleaseLock: ********** User CONTOSO\Admin has released lock for object
SMS_SoftwareUpdatesPackage.PackageID="PS100001" with LockID: DCE6F1B5-1EE8-47CB-85A7-3027E51119A7 **********
SMS Provider
SspPackageInst::AddContent() called for these ContentIDs - {471} SMS Provider
SspPackageInst::AddContent() called with these CIContentSourcePath - {"\\PS1SITE\SOURCE\Updates\Win7"}
SMS Provider
RefreshDPs value is FALSE. DP(s) will not be updated at the end of the operation SMS Provider
These Contents will be added to Software Updates Package - PS100001 with PackageSource -
\\PS1SITE\SOURCE\Updates\Win7 SMS Provider
Adding Content with ID 471, UniqueID d09e9a92-20e7-455a-a51b-aaeca7b7d7e1 and ContentSource
\\PS1SITE\SOURCE\Updates\Win7 to the Package SMS Provider
ContentFileName = windows6.1-kb2807986-x86.cab, SourceURL =
http://wsus.ds.download.windowsupdate.com/msdownload/update/software/secu/2013/02/windows6.1-kb2807986-
x86_83d5bb38d8c50d924f3dcd024b20fe33afbd9d14.cab, ImportPath = , ContentFileHash =
SHA1:83D5BB38D8C50D924F3DCD024B20FE33AFBD9D14 SMS Provider
File Source = \\PS1SITE\SOURCE\Updates\Win7\d09e9a92-20e7-455a-a51b-aaeca7b7d7e1\windows6.1-kb2807986-
x86.cab SMS Provider
File Destination = \\PS1SITE\SOURCE\Updates\Win7\d09e9a92-20e7-455a-a51b-aaeca7b7d7e1 SMS Provider
CExtUserContext::LeaveThread : Releasing IWbemContextPtr=57376560 SMS Provider
After all the updates are added to the package, SMS Provider updates the package and logs the following
entries:
CExtUserContext::EnterThread : User=CONTOSO\Admin
Sid=0x01050000000000051500000068830AA65AAB72A155BCE9324F040000 Caching IWbemContextPtr=00000000036B7E50 in
Process 0xc68 (3176) SMS Provider
Context: SMSAppName=Configuration Manager Administrator console SMS Provider
Context: MachineName=PS1SITE.CONTOSO.COM SMS Provider
Context: UserName=CONTOSO\Admin SMS Provider
Context: ObjectLockContext=c00c315d-b15d-4b0e-9844-017205cc2443 SMS Provider
Context: ApplicationName=Microsoft.ConfigurationManagement.exe SMS Provider
Context: ApplicationVersion=5.0.7958.1000 SMS Provider
Context: LocaleID=MS\0x409 SMS Provider
Context: __ProviderArchitecture=32 SMS Provider
Context: __RequiredArchitecture=0 (Bool) SMS Provider
Context: __ClientPreferredLanguages=en-US,en SMS Provider
Context: __GroupOperationId=755382 SMS Provider
Context: __WBEM_CLIENT_AUTHENTICATION_LEVEL=6 SMS Provider
CExtUserContext : Set ThreadLocaleID OK to: 1033 SMS Provider
CSspClassManager::PreCallAction, dbname=CM_PS1 SMS Provider
ExecMethodAsync : SMS_SoftwareUpdatesPackage.PackageID="PS100001"::RefreshPkgSource SMS Provider
Requested class =SMS_SoftwareUpdatesPackage SMS Provider
Requested num keys =1 SMS Provider
CExtProviderClassObject::DoExecuteMethod RefreshPkgSource SMS Provider
Auditing: User CONTOSO\Admin called an audited method of an instance of class SMS_SoftwareUpdatesPackage.
SMS Provider
CExtUserContext::LeaveThread : Releasing IWbemContextPtr=57376336 SMS Provider
When the update group assignment is created, SMS Provider inserts information about the assignment in the
CI_Assignments table. This triggers SMSDBMON, which notifies Object Replication Manager to process the
update group assignment by dropping a .CIA file in objmgr.box. The following are logged in SMSDBMON.log:
RCV: INSERT on CI_CIAssignments for CIAssignmentNotify_iu [16777222 ][60916]
RCV: INSERT on CrpChange_Notify for CrpChange_Notify_ins [14 ][60917] SMS_DATABASE_NOTIFICATION_MONITOR
RCV: UPDATE on CI_CIAssignments for CIAssignmentNotify_iu [16777222 ][60920]
RCV: UPDATE on CI_AssignmentTargetedCIs for CI_AssignmentTargetedCIs_CIAMGR [16777222 ][60921]
SND: Dropped E:\ConfigMgr\inboxes\objmgr.box\16777222.CIA [60916] SMS_DATABASE_NOTIFICATION_MONITOR
SND: Dropped E:\ConfigMgr\inboxes\policypv.box\policytargeteval\14.CRP [60917]
RCV: INSERT on PolicyAssignmentChg_Notify for PolicyAssignmentChg_Notify_iu [16786995 ][60929]
SND: Dropped E:\ConfigMgr\inboxes\policypv.box\policytargeteval\16786995.PAC [60929]
RCV: INSERT on PkgNotification for PkgNotify_Add [PS100001 ][60930] SMS_DATABASE_NOTIFICATION_MONITOR
SND: Dropped E:\ConfigMgr\inboxes\distmgr.box\PS100001.PKN [60930] SMS_DATABASE_NOTIFICATION_MONITOR
RCV: UPDATE on PolicyAssignmentChg_Notify for PolicyAssignmentChg_Notify_iu [16786995 ][60932]
After Object Replication Manager detects the CIA file in objmgr.box, it processes the file and creates the policy
for the software update assignment. The following are logged in ObjMgr.log:
+++Begin processing changed CIA objects SMS_OBJECT_REPLICATION_MANAGER
***** Processing Update Group Assignment {3ACE84D4-7B2A-4D86-81AF-07E2AC255745} *****
Deleting notification file E:\ConfigMgr\inboxes\objmgr.box\16777222.CIA SMS_OBJECT_REPLICATION_MANAGER
CI Assignment {3ACE84D4-7B2A-4D86-81AF-07E2AC255745} has 3 Targeted CI(s) SMS_OBJECT_REPLICATION_MANAGER
PolicyID {3ACE84D4-7B2A-4D86-81AF-07E2AC255745} PolicyVersion 1.00 PolicyHash
SHA256:63BAFA808F969849B40B2B727B49BC5093B965782716DDE3490528681CF27ACC SMS_OBJECT_REPLICATION_MANAGER
Notifying policy provider about changes in policy content/targeting SMS_OBJECT_REPLICATION_MANAGER
Successfully created policy for CI Assignment {3ACE84D4-7B2A-4D86-81AF-07E2AC255745}
Successfully updated Policy Targeting for CI Assignment {3ACE84D4-7B2A-4D86-81AF-07E2AC255745}
No file trigger for E:\ConfigMgr\inboxes\objmgr.box\16777222.CIV - status
2 SMS_OBJECT_REPLICATION_MANAGER
Assigned CIs: [ 16777264 ] SMS_OBJECT_REPLICATION_MANAGER
Begin processing Assigned CI: [16777264] SMS_OBJECT_REPLICATION_MANAGER
Creating VersionInfo policy for CI 16777264 SMS_OBJECT_REPLICATION_MANAGER
Creating VersionInfo policy ScopeId_FC8FCC38-4BB1-4245-92F5-9CE841775019/AuthList_9D013E6D-EF76-43F6-ACC4-
80749AB8D90A/VI SMS_OBJECT_REPLICATION_MANAGER
16777264 Referenced CIs: [ 929 930 1041 1042 1132 1133 ] SMS_OBJECT_REPLICATION_MANAGER
VersionInfo policy for CI 16777264 is Machine type SMS_OBJECT_REPLICATION_MANAGER
PolicyID ScopeId_FC8FCC38-4BB1-4245-92F5-9CE841775019/AuthList_9D013E6D-EF76-43F6-ACC4-80749AB8D90A/VI
PolicyVersion 1.00 PolicyHash SHA256:6EFE96F3D67773CA965EC67EC60B602FC78242509A096FCF44C2D5FDD5B2FC76
Updated dependent policy references to CIA {3ACE84D4-7B2A-4D86-81AF-07E2AC255745}
STATMSG: ID=5800 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_OBJECT_REPLICATION_MANAGER"
SYS=PS1SITE.CONTOSO.COM SITE=PS1 PID=5404 TID=3380 GMTDATE=Thu Jan 23 20:31:38.889 2014 ISTR0="Microsoft
Software Updates - 2014-01-23 03:30:52 PM" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7=""
ISTR8="" ISTR9="" NUMATTRS=1 AID0=414 AVAL0="{3ACE84D4-7B2A-4D86-81AF-07E2AC255745}"
Successfully updated CRCs for CI Assignment {3ACE84D4-7B2A-4D86-81AF-07E2AC255745}
Successfully processed Update Group Assignment {3ACE84D4-7B2A-4D86-81AF-07E2AC255745}
Set last row version for CI Assignment to 0x0000000000296628 SMS_OBJECT_REPLICATION_MANAGER
After being notified by the Object Replication Manager, Policy Provider updates the policy for the
clients. The following are logged in PolicyPv.log:
File notification triggered. SMS_POLICY_PROVIDER
Found 14.CRP SMS_POLICY_PROVIDER
Adding to delete list: E:\ConfigMgr\inboxes\policypv.box\policytargeteval\14.CRP SMS_POLICY_PROVIDER
Processing any pending PolicyAssignmentChg_Notify SMS_POLICY_PROVIDER
Updating ResPolicyMap SMS_POLICY_PROVIDER
Policy or Policy Target Change Event triggered. SMS_POLICY_PROVIDER
Building Collection Change List from Collection Member Notification files SMS_POLICY_PROVIDER
--Handle PolicyAssignment Resigning SMS_POLICY_PROVIDER

Completed batch with beginning PADBID = 16786995 ending PADBID = 16786996. SMS_POLICY_PROVIDER
--Process Policy Changes SMS_POLICY_PROVIDER

Found some Policy changes, returning New LastRowversion=0x000000000029662B SMS_POLICY_PROVIDER
Processing Updated Policies SMS_POLICY_PROVIDER
Building Collection Change List from New and Targeting Changed Policies SMS_POLICY_PROVIDER
--Update Policy Targeting Map SMS_POLICY_PROVIDER

**** Evaluating Collection 14 for targeting changes **** SMS_POLICY_PROVIDER
Advanced client policy changes detected for collection 14, ** 5 Added & 0 Deleted ***.
SMS_POLICY_PROVIDER
--Process Policy Targeting Map SMS_POLICY_PROVIDER

**** Process notification table to update resultant targeting table **** SMS_POLICY_PROVIDER
SQL Server Profiler covering the entire process displays the following entries:
insert into CI_CIAssignments (AssignmentAction, Description, AssignmentName, DesiredConfigType,
DisableMomAlerts, DPLocality, AssignmentEnabled, EnforcementDeadline, EvaluationSchedule, ExpirationTime,
LimitStateMessageVerbosity, LogComplianceToWinEvent, NonComplianceCriticality, NotifyUser,
OverrideServiceWindows, PersistOnWriteFilterDevices, RaiseMomAlertsOnFailure, RandomizationEnabled,
RebootOutsideOfServiceWindows, SendDetailedNonComplianceStatus, StartTime, StateMessagePriority,
StateMessageVerbosity, SuppressReboot, UseBranchCache, UseGMTTimes, UserUIExperience, WoLEnabled,
TargetCollectionID, LocaleID, Assignment_UniqueID, SourceSite, LastModifiedBy, AssignmentType, CreationTime,
LastModificationTime, IsTombstoned) values (2, N'', N'Microsoft Software Updates - 2014-01-23 03:30:52 PM',
1, 0, 16, 1,
'01/30/2014 15:30:00', null, null, 1, 0, null, 1, 0, 1, 0, null, 0, 0, '01/23/2014 15:31:00', 5, 5, 0, 1, 0,
1, 0, 14, 1033, N'{3ACE84D4-7B2A-
4D86-81AF-07E2AC255745}', N'PS1', N'CONTOSO\Admin', 5, '01/23/2014 20:31:31', '01/23/2014 20:31:31', 0)
insert into CI_AssignmentTargetedGroups (CI_ID, AssignmentID) values (16777264, 16777222)
insert into CI_ContentPackages (Content_ID, ContentSubFolder, ContentVersion, Content_UniqueID,

MinPackageVersion,PkgID) VALUES ('471', N'd09e9a92-20e7-455a-a51b-aaeca7b7d7e1', '1', N'd09e9a92-20e7-455a-
a51b-aaeca7b7d7e1', '0', N'PS100001')
insert Policy(Version, PolicyHash, PolicyFlags, PolicyPriority, DeviceVersion, PolicyID)

values(N'1.00', N'SHA256:63BAFA808F969849B40B2B727B49BC5093B965782716DDE3490528681CF27ACC', 16592, 25,
N'''', N'{3ACE84D4-7B2A-4D86-81AF-07E2AC255745}')
insert PolicyAssignment(PolicyAssignmentID, PADBID, Version, PolicyID, IsTombstoned, LastUpdateTime)

values(N'{8d9ba949-d038-4c09-a0cc-af3f07c39d71}', 16786995, N'1.00', N'{3ACE84D4-7B2A-4D86-81AF-
07E2AC255745}', 0,
GetUTCDate())
DECLARE @AssignedCIs TABLE(CI_ID INT)

BEGIN
INSERT INTO @AssignedCIs
SELECT DISTINCT ATG.CI_ID FROM CI_AssignmentTargetedGroups ATG
INNER JOIN vCI_CIAssignments CIA ON CIA.AssignmentID = ATG.AssignmentID
WHERE CIA.Assignment_UniqueID = '{3ACE84D4-7B2A-4D86-81AF-07E2AC255745}'
IF @@ROWCOUNT = 0
BEGIN
INSERT INTO @AssignedCIs
SELECT DISTINCT ATCI.CI_ID FROM vCI_AssignmentTargetedCIs_Actual ATCI
INNER JOIN vCI_CIAssignments CIA ON CIA.AssignmentID = ATCI.AssignmentID
WHERE CIA.Assignment_UniqueID = '{3ACE84D4-7B2A-4D86-81AF-07E2AC255745}'
END
END
SELECT DISTINCT CI_ID FROM @AssignedCIs
insert Policy(Version, PolicyHash, PolicyFlags, PolicyPriority, DeviceVersion, PolicyID)

values(N'1.00', N'SHA256:6EFE96F3D67773CA965EC67EC60B602FC78242509A096FCF44C2D5FDD5B2FC76', 208, 25, N'''',
N'ScopeId_FC8FCC38-4BB1-4245-92F5-9CE841775019/AuthList_9D013E6D-EF76-43F6-ACC4-80749AB8D90A/VI')
UPDATE Policy SET DeviceBody = NULL where PolicyID='ScopeId_FC8FCC38-4BB1-4245-92F5-

9CE841775019/AuthList_9D013E6D- EF76-43F6-ACC4-80749AB8D90A/VI'
insert PolicyAssignment(PolicyAssignmentID, PADBID, Version, PolicyID, IsTombstoned, LastUpdateTime)

values(N'{64ed94a2-ff08-42a7-9e42-b292409c79e8}', 16786996, N'1.00', N'ScopeId_FC8FCC38-4BB1-4245-92F5-
9CE841775019/AuthList_9D013E6D-EF76-43F6-ACC4-80749AB8D90A/VI', 0, GetUTCDate())
insert CI_AssignmentCRCs (AssignmentID, AssignmentCRC, PolicyCRC, ComplianceCRC) values (16777222,

N'7a2e8acd', N'c10ba7c5', N'5aeb49f4')
insert into CI_ContentPackages (Content_ID, ContentSubFolder, ContentVersion, Content_UniqueID,

MinPackageVersion,PkgID) VALUES ('534', N'de62f3b3-615b-4800-b6ba-51d7c826dd08', '1', N'de62f3b3-615b-4800-
b6ba-51d7c826dd08', '0', N'PS100001')
Create a deployment by using an automatic deployment rule

Automatic deployment rule (ADR) execution is triggered manually, per a schedule or after software update
synchronization is completed. The Rule Engine component evaluates the rule. If any software updates match the
defined criteria, the Rule Engine will:
download the updates
create a software update group
create a software update group assignment
The following example shows the process of software update group and deployment creation:
RuleEngine.log shows beginning of rule processing:
Found notification file E:\ConfigMgr\inboxes\RuleEngine.box\1.RUL SMS_RULE_ENGINE

RuleSchedulerThred: Change in Rules Object Signalled. SMS_RULE_ENGINE
Constructing Rule 1 using Auto Deployment Rule Factory SMS_RULE_ENGINE
Populating Rule Skeleton SMS_RULE_ENGINE
Populating Criterion Skeleton SMS_RULE_ENGINE
Populating Action Skeleton SMS_RULE_ENGINE
Populating Action Skeleton SMS_RULE_ENGINE
CRuleHandler: Need to Process 1 rules SMS_RULE_ENGINE
RuleEngine.log shows rule processing and query to run to find updates that match the defined criteria:
CRuleHandler: Processing Rule with ID:1, Name:ADR_Test. SMS_RULE_ENGINE

Evaluating Update Criteria for AutoDeployment Rule 1 SMS_RULE_ENGINE
Evaluating Update Criteria... SMS_RULE_ENGINE
Rule Criteria is: <UpdateXML xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" Name="SMS_SoftwareUpdate" LocaleId="1033">
<UpdateXMLDescriptionItems><UpdateXMLDescriptionItem PropertyName="_Product" UIPropertyName=""><MatchRules>
<string>'Product:a38c835c-2950-4e87-86cc- 6911a52c34a3'</string></MatchRules></UpdateXMLDescriptionItem>
<UpdateXMLDescriptionItem PropertyName="IsSuperseded" UIPropertyName=""><MatchRules><string>false</string>
</MatchRules></UpdateXMLDescriptionItem><UpdateXMLDescriptionIte m PropertyName="_UpdateClassification"
UIPropertyName=""><MatchRules><string>'UpdateClassification:e0789628-ce08-4437- be74-2495b842f43b'</string>
</MatchRules></UpdateXMLDescriptionItem></UpdateXMLDescriptionItems></UpdateXML> SMS_RULE_ENGINE
Inserting PropertyName:_Product, PropertyValue:'Product:a38c835c-2950-4e87-86cc-6911a52c34a3'
SMS_RULE_ENGINE
Inserting PropertyName:IsSuperseded, PropertyValue:false SMS_RULE_ENGINE
Inserting PropertyName:_UpdateClassification, PropertyValue:'UpdateClassification:e0789628-ce08-4437-be74-
2495b842f43b' SMS_RULE_ENGINE
Query to run is: select CI_ID from dbo.fn_ListUpdateCIs(1033) ci~where IsExpired=0~ and (IsSuperseded=0)~
and (CI_ID in (select CI_ID from v_CICategories_All where CategoryInstance_UniqueID in (N'Product:a38c835c-
2950-4e87-86cc-6911a52c34a3')))~ and (CI_ID in (select CI_ID from v_CICategories_All where
CategoryInstance_UniqueID in (N'UpdateClassification:e0789628-ce08-4437- be74-2495b842f43b')))
SMS_RULE_ENGINE
Rule resulted in a total of 1 updates SMS_RULE_ENGINE
Evaluation Resultant XML is: <EvaluationResultXML xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><DefinitionUpdates/><CI_IDs><CI_ID>4514</CI_ID></CI_IDs>
</EvaluationResultXML> SMS_RULE_ENGINE
Download is started for actionable updates:

Enforcing Content Download Action SMS_RULE_ENGINE
Download Rule Action XML is: <ContentActionXML xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><PackageID>CS100006</PackageID><ContentLocales>
<Locale>Locale:9</Locale ><Locale>Locale:0</Locale></ContentLocales><ContentSources><Source Name="Internet"
Order="1"/><Source Name="WSUS" Order="2"/><Source Name="UNC" Order="3" Location=""/></ContentSources>
</ContentActionXML> SMS_RULE_ENGINE
Criteria Filter Result XML is: <EvaluationResultXML xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<DefinitionUpdates/><CI_IDs><CI_ID>4514</CI_ID></CI_IDs> </EvaluationResultXML> SMS_RULE_ENGINE
1 update(s) need to be downloaded in package "CS100006" (\\CS1SITE\SOURCE\Updates\EPDefinitions)
SMS_RULE_ENGINE
List of update(s) which match the content rule criteria = {4514} SMS_RULE_ENGINE
Downloading contents (count = 34) for UpdateID 4514 SMS_RULE_ENGINE
List of update content(s) which match the content rule criteria =
{737,738,739,740,741,742,2182,2183,2184,2185,2186,2187,2188,2189,3047,3048,3187,3188,3189,3190,3191,3192,354
5,3546,3547 ,3548,3549,3550,3551,3552,3553,3554,3555,3556} SMS_RULE_ENGINE
Contents 737 is already present in the package "CS100006". Skipping download. SMS_RULE_ENGINE
Contents 738 is already present in the package "CS100006". Skipping download. S MS_RULE_ENGINE
1 of 1 updates are downloaded and will be added to the Deployment. SMS_RULE_ENGINE
RuleEngine.log shows creation of update group and deployment:
We need to create a new UpdateGroup/Deployment SMS_RULE_ENGINE

Associated Update Group: ScopeId_FC8FCC38-4BB1-4245-92F5-9CE841775019/AuthList_4d3480d5-de12-4864-b872-
187479e2b381 with RBAC Scope SMS00UNA SMS_RULE_ENGINE
The following examples illustrate the update group creation process:

In SMSDBMON.log:
RCV: INSERT on CI_ConfigurationItems for CINotify_iud [16777275 ][66146]

...
SND: Dropped E:\ConfigMgr\inboxes\objmgr.box\16777275.CIN [66148]
SND: Dropped E:\ConfigMgr\inboxes\objmgr.box\16777275.CIN [66149]
In ObjReplMgr.log:

***** Processing AuthorizationList ScopeId_FC8FCC38-4BB1-4245-92F5-9CE841775019/AuthList_4d3480d5-de12-4864-
b872-187479e2b381 ***** SMS_OBJECT_REPLICATION_MANAGER
Deleting notification file E:\ConfigMgr\inboxes\objmgr.box\16777275.CIN SMS_OBJECT_REPLICATION_MANAGER
Added CI with CI_ID=4514 to the deployment SMS_OBJECT_REPLICATION_MANAGER
Created file trigger for E:\ConfigMgr\inboxes\objmgr.box\16777228.CIA
Created file trigger for E:\ConfigMgr\inboxes\objmgr.box\16777228.CIV
Successfully processed AuthorizationList ScopeId_FC8FCC38-4BB1-4245-92F5-9CE841775019/AuthList_4d3480d5-
de12-4864-b872- 187479e2b381 SMS_OBJECT_REPLICATION_MANAGER
Set last row version for Configuration Item to 0x0000000000487EA9 SMS_OBJECT_REPLICATION_MANAGER
The following example shows the deployment creation process:

In SMSDBMON.log:
RCV: INSERT on CI_CIAssignments for CIAssignmentNotify_iu [16777228 ][66190]
SND: Dropped E:\ConfigMgr\inboxes\objmgr.box\16777228.CIA [66190]
In ObjReplMgr.log:
+++Begin processing changed CIA objects SMS_OBJECT_REPLICATION_MANAGER

***** Processing Update Group Assignment {2ba787b6-4ee9-4b33-b0ff-8663d181c84d} *****
Deleting notification file E:\ConfigMgr\inboxes\objmgr.box\16777228.CIA SMS_OBJECT_REPLICATION_MANAGER
CI Assignment {2ba787b6-4ee9-4b33-b0ff-8663d181c84d} has 1 Targeted CI(s) SMS_OBJECT_REPLICATION_MANAGER
PolicyID {2ba787b6-4ee9-4b33-b0ff-8663d181c84d} PolicyVersion 1.00 PolicyHash
SHA256:0C6D50CBFB36750CCA381B61E014A6C55D821001487C824F9112DAA1C64BAD32 SMS_OBJECT_REPLICATION_MANAGER
Successfully created policy for CI Assignment {2ba787b6-4ee9-4b33-b0ff-8663d181c84d}
Successfully updated Policy Targeting for CI Assignment {2ba787b6-4ee9-4b33-b0ff-8663d181c84d}
Found file trigger for E:\ConfigMgr\inboxes\objmgr.box\16777228.CIV SMS_OBJECT_REPLICATION_MANAGER
Assigned CIs: [ 16777275 ] SMS_OBJECT_REPLICATION_MANAGER
Begin processing Assigned CI: [16777275] SMS_OBJECT_REPLICATION_MANAGER
Creating VersionInfo policy for CI 16777275 SMS_OBJECT_REPLICATION_MANAGER
Creating VersionInfo policy ScopeId_FC8FCC38-4BB1-4245-92F5-9CE841775019/AuthList_4d3480d5-de12-4864-b872-
187479e2b381/VI SMS_OBJECT_REPLICATION_MANAGER
16777275 Referenced CIs: [ 1395 1396 1397 1398 1399 1400 1401 3013 3014 3015 3016 3017 3018 3019 3020 3021
3959 3960 3961 4112 4113 4114 4115 4116 4117 4118 4502 4503 4504 4505 4506 4507 4508 4509 4510 4511 4512
4513 4514 ] SMS_OBJECT_REPLICATION_MANAGER
VersionInfo policy for CI 16777275 is Machine type SMS_OBJECT_REPLICATION_MANAGER
PolicyID ScopeId_FC8FCC38-4BB1-4245-92F5-9CE841775019/AuthList_4d3480d5-de12-4864-b872-187479e2b381/VI
PolicyVersion 1.00 PolicyHash SHA256:01BECBBF2B3EE56BD5B0742A04404C1C895A4C87B6915D55078AB157FEBA1E0F
Updated dependent policy references to CIA {2ba787b6-4ee9-4b33-b0ff-8663d181c84d}
STATMSG: ID=5800 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_OBJECT_REPLICATION_MANAGER"
SYS=PS1SITE.CONTOSO.COM SITE=PS1 PID=6176 TID=6868 GMTDATE=Thu Feb 06 20:09:17.989 2014 ISTR0="ADR_Test"
ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=414 AVAL0="
{2ba787b6-4ee9-4b33- b0ff-8663d181c84d}" SMS_OBJECT_REPLICATION_MANAGER
Successfully updated CRCs for CI Assignment {2ba787b6-4ee9-4b33-b0ff-8663d181c84d}
Successfully processed Update Group Assignment {2ba787b6-4ee9-4b33-b0ff-8663d181c84d}
Set last row version for CI Assignment to 0x0000000000487EB6 SMS_OBJECT_REPLICATION_MANAGER
+++Completed processing changed CIA objects SMS_OBJECT_REPLICATION_MANAGER
The following example shows the Policy creation process:

In SMSDBMON.log:
RCV: INSERT on CrpChange_Notify for CrpChange_Notify_ins [15 ][66199] SMS_DATABASE_NOTIFICATION_MONITOR
RCV: INSERT on RBAC_ChangeNotification for Rbac_Sync_ChangeNotification [399 ][66200]
SND: Dropped E:\ConfigMgr\inboxes\policypv.box\policytargeteval\15.CRP [66199]
SND: Dropped E:\ConfigMgr\inboxes\hman.box\399.RBC [66200] SMS_DATABASE_NOTIFICATION_MONITOR
RCV: UPDATE on PolicyAssignmentChg_Notify for PolicyAssignmentChg_Notify_iu [16787957 ][66203]
In PolicyPv.log:
--Process Collection Changes SMS_POLICY_PROVIDER

Building Collection Change List from Collection Change Notification files SMS_POLICY_PROVIDER
--Process Collection Member Changes SMS_POLICY_PROVIDER

Building Collection Change List from Collection Member Notification files SMS_POLICY_PROVIDER
--Handle PolicyAssignment Resigning SMS_POLICY_PROVIDER

Found the certificate that matches the SHA1 hash. SMS_POLICY_PROVIDER
Completed batch with beginning PADBID = 16787957 ending PADBID = 16787958. SMS_POLICY_PROVIDER
--Process Policy Changes SMS_POLICY_PROVIDER

Found some Policy changes, returning New LastRowversion=0x0000000000487EB7 SMS_POLICY_PROVIDER
Processing Updated Policies SMS_POLICY_PROVIDER
Building Collection Change List from New and Targeting Changed Policies SMS_POLICY_PROVIDER
--Update Policy Targeting Map SMS_POLICY_PROVIDER

**** Evaluating Collection 15 for targeting changes **** SMS_POLICY_PROVIDER
--Process Policy Targeting Map SMS_POLICY_PROVIDER

**** Process notification table to update resultant targeting table **** SMS_POLICY_PROVIDER
--Process Targeting and Collection Membership changes SMS_POLICY_PROVIDER

Updating Policy Map SMS_POLICY_PROVIDER
--UpdateMDMUserTargetingForUser SMS_POLICY_PROVIDER
Start Update MDM User Targeting For User SMS_POLICY_PROVIDER
--UpdatePolicyMapForPA SMS_POLICY_PROVIDER
Found 16787957.PAC SMS_POLICY_PROVIDER
Adding to delete list:
E:\ConfigMgr\inboxes\policypv.box\policytargeteval\16787957.PAC SMS_POLICY_PROVIDER
Updating ResPolicyMap SMS_POLICY_PROVIDER
RuleEngine.log shows completion of rule processing:
CRuleHandler: Rule 1 Successfully Applied! SMS_RULE_ENGINE

Updated Success Information for Rule: 1 SMS_RULE_ENGINE
Deployment evaluation and update installation on clients

After the deployment and the deployment policy have been created on the server, clients receive the policy on
the next policy evaluation cycle. Before you review the deployment evaluation process, it's important to find the
Deployment Unique ID of the deployment. To find the Deployment Unique ID, add the Deployment Unique ID
column in the console. For the deployment in the following example, the Deployment Unique ID is
{B040D195-8FA8-48D3-953F-17E878DAB23D}.
1. Policy Agent receives the policy on manual policy retrieval or on schedule. When policy is received, the
following are logged in PolicyAgent.log:
Initializing download of policy 'CCM_Policy_Policy5.PolicyID="{B040D195-8FA8-48D3-953F-

17E878DAB23D}",PolicySource="SMS:PR1",PolicyVersion="1.00"' from
'http://PR1SITE.CONTOSO.COM/SMS_MP/.sms_pol?{B040D195-8FA8-48D3-953F-
17E878DAB23D}.SHA256:0EE489DB3036BE80BB43676340249A254278BEBDDD80B6004C11FF10F12BC9D6'
PolicyAgent_ReplyAssignments
Download of policy CCM_Policy_Policy5.PolicyID="{B040D195-8FA8-48D3-953F-
17E878DAB23D}",PolicySource="SMS:PR1",PolicyVersion="1.00" completed (DTS Job ID: {D53DAB18-ED97-
4373-A3BE-3FBA5DB3C6C6}) PolicyAgent_PolicyDownload
The following are logged in PolicyEvaluator.log:
Initializing download of policy 'CCM_Policy_Policy5.PolicyID="{B040D195-8FA8-48D3-953F-

17E878DAB23D}",PolicySource="SMS:PR1",PolicyVersion="1.00"' from
'http://PR1SITE.CONTOSO.COM/SMS_MP/.sms_pol?{B040D195-8FA8-48D3-953F-
17E878DAB23D}.SHA256:0EE489DB3036BE80BB43676340249A254278BEBDDD80B6004C11FF10F12BC9D6'
PolicyAgent_ReplyAssignments
Download of policy CCM_Policy_Policy5.PolicyID="{B040D195-8FA8-48D3-953F-
17E878DAB23D}",PolicySource="SMS:PR1",PolicyVersion="1.00" completed (DTS Job ID: {D53DAB18-ED97-
4373-A3BE-3FBA5DB3C6C6}) PolicyAgent_PolicyDownload
After the policy is evaluated, the scheduler for the deadline is evaluated. This operation is done by the
Scheduler component. In this example, deadline randomization is disabled in Computer Agent client
settings. So the deployment evaluation is started on deadline and without randomization. Here's what we
see in the Scheduler.log file:
Initialized trigger ("3E692B0000080000") for schedule 'Machine/DEADLINE:{B040D195-8FA8-48D3-953F-

17E878DAB23D}':
Conditions=1 with deadline 4320 minutes
Allow randomization override=1
HasMissedOccurrence=FALSE
ScheduleLoadedTime="02/09/2014 19:05:947"
LastFireTime="00/00/00 00:00:00"
CurrentTime="02/09/2014 19:05:947" Scheduler
Processing trigger '3E692B0000080000' for scheduler 'Machine/DEADLINE:{B040D195-8FA8-48D3-953F-
17E878DAB23D}'. MaxRandomDelay = 120, MissedOccur = 0, RandomizeEvenIfMissed = 1,
PreventRandomizationInducedMisses = 0 Scheduler
Randomization is disabled in client settings and this schedule is set to honor client setting.
Scheduler
SMSTrigger '3E692B0000080000' for scheduler 'Machine/DEADLINE:{B040D195-8FA8-48D3-953F-17E878DAB23D}'
will fire at 02/09/2014 07:15:00 PM without randomization. Scheduler
2. At the scheduled deadline, Scheduler notifies the Updates Deployment Agent to start the deployment
evaluation process, as shown in Scheduler.log:
Sending message for schedule 'Machine/DEADLINE:{B040D195-8FA8-48D3-953F-17E878DAB23D}' (Target:

'direct:UpdatesDeploymentAgent', Name: '') Scheduler
SMSTrigger '3E692B0000080000' (Schedule ID: 'Machine/DEADLINE:{B040D195-8FA8-48D3-953F-
17E878DAB23D}', Message Name: '', Target: 'direct:UpdatesDeploymentAgent') will never fire again.
Scheduler
In UpdatesDeployment.log:
Message received: '<?xml version='1.0' ?>

<CIAssignmentMessage MessageType='EnforcementDeadline'>
<AssignmentID>{B040D195-8FA8-48D3-953F-17E878DAB23D}</AssignmentID>
</CIAssignmentMessage>' UpdatesDeploymentAgent
Updates Deployment Agent starts the deployment evaluation process by requesting a software update
scan. The scan ensures that the deployed updates are still applicable. In UpdatesDeployment.log:
Assignment {B040D195-8FA8-48D3-953F-17E878DAB23D} has total CI = 3 UpdatesDeploymentAgent

Deadline received for assignment ({B040D195-8FA8-48D3-953F-17E878DAB23D}) UpdatesDeploymentAgent
Detection job ({99ADA372-0738-44E4-9C4D-EBA30F23E9FD}) started for assignment ({B040D195-8FA8-48D3-
953F-17E878DAB23D}) UpdatesDeploymentAgent
In UpdatesHandler.log:
Successfully initiated scan for job ({99ADA372-0738-44E4-9C4D-EBA30F23E9FD}). UpdatesHandler

Scan completion received for job ({99ADA372-0738-44E4-9C4D-EBA30F23E9FD}). UpdatesHandler
Initial scan completed for the job ({99ADA372-0738-44E4-9C4D-EBA30F23E9FD}). UpdatesHandler
Evaluating status of the updates for the job ({99ADA372-0738-44E4-9C4D-EBA30F23E9FD}).
UpdatesHandler
CompleteJob - Job ({99ADA372-0738-44E4-9C4D-EBA30F23E9FD}) removed from job manager list.
UpdatesHandler
3. At this point, the scan request is handled by Scan Agent component. Scan Agent calls WUAHandler to
perform a scan and then hands the results back to Updates Handler and Updates Deployment Agent. For
more information about the scan process, see Software update scan on clients.
After the scan is completed, Updates Deployment Agent is notified. Here's what we see in
UpdatesDeployment.log:
DetectJob completion received for assignment ({B040D195-8FA8-48D3-953F-17E878DAB23D})

UpdatesDeploymentAgent
Making updates available for assignment ({B040D195-8FA8-48D3-953F-17E878DAB23D})
Update (Site_D3A5F7EA-25D4-4C6B-B47C-C74997522A76/SUM_e06056e3-0199-4c68-8ac3-bdddff356a0a) Name
(Security Update for Windows Server 2008 R2 x64 Edition (KB2698365)) ArticleID (2698365) added to the
targeted list of deployment ({B040D195-8FA8-48D3-953F-17E878DAB23D}) UpdatesDeploymentAgent
Update (Site_D3A5F7EA-25D4-4C6B-B47C-C74997522A76/SUM_ada7cf51-66b0-4a00-b37b-68d569d6ff8b) Name
Update (Site_D3A5F7EA-25D4-4C6B-B47C-C74997522A76/SUM_3cbcf577-5139-49b8-afe8-620af5c52f95) Name
4. Updates Deployment Agent raises state messages for the deployment to update the current Evaluation
and Compliance state. Here's what we see in UpdatesDeployment.log:
Raised assignment ({B040D195-8FA8-48D3-953F-17E878DAB23D}) state message successfully. TopicType =

Evaluate, StateId = 2, StateName = ASSIGNMENT_EVALUATE_SUCCESS UpdatesDeploymentAgent
Compliance, Signature = 5e176837, IsCompliant = False UpdatesDeploymentAgent
Updates Deployment Agent now starts a job to download the software update files from the distribution
point. Here's what we see in UpdatesDeployment.log:
DownloadCIContents Job ({C531FD04-FADA-4F75-A399-EEA2D3EDB56C}) started for assignment ({B040D195-
8FA8-48D3-953F-17E878DAB23D}) UpdatesDeploymentAgent
Progress received for assignment ({B040D195-8FA8-48D3-953F-17E878DAB23D}) UpdatesDeploymentAgent
Update (Site_D3A5F7EA-25D4-4C6B-B47C-C74997522A76/SUM_e06056e3-0199-4c68-8ac3-bdddff356a0a) Progress:
Status = ciStateDownloading, PercentComplete = 0, Result = 0x0 UpdatesDeploymentAgent
Update (Site_D3A5F7EA-25D4-4C6B-B47C-C74997522A76/SUM_ada7cf51-66b0-4a00-b37b-68d569d6ff8b) Progress:
Update (Site_D3A5F7EA-25D4-4C6B-B47C-C74997522A76/SUM_3cbcf577-5139-49b8-afe8-620af5c52f95) Progress:
We can also see in UpdatesHandler.log:
Initiating download for the job ({C531FD04-FADA-4F75-A399-EEA2D3EDB56C}). UpdatesHandler

Update Id = 3cbcf577-5139-49b8-afe8-620af5c52f95, State = StateDownloading, Result = 0x0
UpdatesHandler
Update Id = ada7cf51-66b0-4a00-b37b-68d569d6ff8b, State = StateDownloading, Result = 0x0
UpdatesHandler
Update Id = e06056e3-0199-4c68-8ac3-bdddff356a0a, State = StateDownloading, Result = 0x0
UpdatesHandler
Timeout Options: Priority = 2, DPLocality = 1048578, Location = 604800, Download = 864000,
PerDPInactivity = 0, TotalInactivityTimeout = 0, bUseBranchCache = True, bPersistOnWriteFilterDevices
= True, bOverrideServiceWindow = False UpdatesHandler
5. Updates Handler starts the download request from Content Access service for the three actionable
updates that are listed above. The download job is started for the child update in the bundle and the
Content ID is logged.
In UpdatesHandler.log
Bundle update (3cbcf577-5139-49b8-afe8-620af5c52f95) is requesting download from child updates for

action (INSTALL) UpdatesHandler
Content Text = <Content ContentId="fbb5724a-aa0f-47f9-908a-47068fd8ad6f" Version="1"><FileContent
Name="windows6.1-kb2705219-v2-x64.cab" Hash="8E8E0175D46B5A8D52C4856FA3D282FAA12ACD63"
HashAlgorithm="SHA1" Size="199093"/></Content>
Bundle update (ada7cf51-66b0-4a00-b37b-68d569d6ff8b) is requesting download from child updates for
Content Text = <Content ContentId="3e9b1132-9ccd-439d-b32a-5cefd19735d1" Version="1"><FileContent
Name="windows6.1-kb2712808-x64.cab" Hash="060B60401B3DE3DCE053A68C65E9EB050874EB80"
Bundle update (e06056e3-0199-4c68-8ac3-bdddff356a0a) is requesting download from child updates for
Content Text = <Content ContentId="d2a9ee23-9cab-4843-b040-e2da1cc167e9" Version="1"><FileContent
Name="windows6.1-kb2698365-x64.cab" Hash="BF20BB36FC73C0D1F53EA1E635B8AA46C71D7B1F"
Content Access service starts a download job for each update and creates a Content Transfer Manager
(CTM) job. A CTM job is created for each update separately, and CAS.log entries resemble the following
for each update:
Requesting content fbb5724a-aa0f-47f9-908a-47068fd8ad6f.1, size(KB) 0, under context System with
priority Medium ContentAccess
Created and initialized a DownloadContentRequest ContentAccess
Target location for content fbb5724a-aa0f-47f9-908a-47068fd8ad6f.1 is C:\Windows\ccmcache\1
ContentAccess
CDownloadManager::RequestDownload fbb5724a-aa0f-47f9-908a-47068fd8ad6f.1.System ContentAccess
Submitted CTM job {E0452CF4-5B04-4A1A-B8EB-10B11B063249} to download Content fbb5724a-aa0f-47f9-908a-
47068fd8ad6f.1 under context System ContentAccess
Successfully created download request {856FA4CA-D02A-4E2C-841E-841ED3C7EC01} for content fbb5724a-
aa0f-47f9-908a-47068fd8ad6f.1 ContentAccess
Created and submitted a new Content Request for fbb5724a-aa0f-47f9-908a-47068fd8ad6f.1.System
ContentAccess
6. Content Transfer Manager starts working on the download job. It first requests the location for the
content that must be downloaded. This location request is handled by Location Services. Location
Services sends the location request to the management point, obtains the location response, and then
hands it back to the Content Transfer Manager. Here's what we see in ContentTransferManager.log:
Starting CTM job {E0452CF4-5B04-4A1A-B8EB-10B11B063249}. ContentTransferManager

CTM job {E0452CF4-5B04-4A1A-B8EB-10B11B063249} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA
ContentTransferManager
Queued location request '{C56C01F2-2388-4710-BF3B-A526DB40E35F}' for CTM job '{E0452CF4-5B04-4A1A-
B8EB-10B11B063249}'. ContentTransferManager
CCTMJob::EvaluateState(JobID={E0452CF4-5B04-4A1A-B8EB-10B11B063249}, State=RequestedLocations)
We can also see in LocationServices.log:
Created filter for LS request {C56C01F2-2388-4710-BF3B-A526DB40E35F}. LocationServices

ContentLocationReply : <ContentLocationReply SchemaVersion="1.00"><ContentInfo PackageFlags="0">
<ContentHashValues/></ContentInfo><Sites><Site><MPSite SiteCode="PR1" MasterSiteCode="PR1"
SiteLocality="LOCAL" IISPreferedPort="80" IISSSLPreferedPort="443"/><LocationRecords><LocationRecord>
<URL Name="<http://PR1SITE.CONTOSO.COM/SMS_DP_SMSPKG$/fbb5724a-aa0f-47f9-908a-47068fd8ad6f>"
Signature="<http://PR1SITE.CONTOSO.COM/SMS_DP_SMSSIG$/fbb5724a-aa0f-47f9-908a-47068fd8ad6f.1.tar>"/>
<ADSite Name="Default-First-Site-Name"/><IPSubnets><IPSubnet Address="192.168.10.0"/><IPSubnet
Address=""/></IPSubnets><Metric Value=""/><Version>7958</Version><Capabilities SchemaVersion="1.0">
<Property Name="SSLState" Value="0"/></Capabilities>
<ServerRemoteName>PR1SITE.CONTOSO.COM</ServerRemoteName><DPType>SERVER</DPType><Windows Trust="1"/>
<Locality>LOCAL</Locality></LocationRecord></LocationRecords></Site></Sites><RelatedContentIDs/>
</ContentLocationReply> LocationServices
Distribution Point='<http://PR1SITE.CONTOSO.COM/SMS_DP_SMSPKG$/fbb5724a-aa0f-47f9-908a-
47068fd8ad6f>', Locality='LOCAL', DPType='SERVER', Version='7958', Capabilities='<Capabilities
SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>',
Signature='<http://PR1SITE.CONTOSO.COM/SMS_DP_SMSSIG$/fbb5724a-aa0f-47f9-908a-47068fd8ad6f.1.tar>',
ForestTrust='TRUE', LocationServices
Calling back with locations for location request {C56C01F2-2388-4710-BF3B-A526DB40E35F}
LocationServices
Content Transfer Manager receives the distribution point location for the requested content and starts a
Data Transfer Service job to start the download of the update. Here's what we see in
CCTMJob::UpdateLocations({E0452CF4-5B04-4A1A-B8EB-10B11B063249}) ContentTransferManager
CTM_NotifyLocationUpdate ContentTransferManager
Persisted location '<http://PR1SITE.CONTOSO.COM/SMS_DP_SMSPKG$/fbb5724a-aa0f-47f9-908a-
47068fd8ad6f>', Order 0, for CTM job {E0452CF4-5B04-4A1A-B8EB-10B11B063249} ContentTransferManager
Persisted locations for CTM job {E0452CF4-5B04-4A1A-B8EB-10B11B063249}:
(LOCAL) '<http://PR1SITE.CONTOSO.COM/SMS_DP_SMSPKG$/fbb5724a-aa0f-47f9-908a-47068fd8ad6f>'
CTM job {E0452CF4-5B04-4A1A-B8EB-10B11B063249} (corresponding DTS job {594E9A72-43D1-48D1-A639-
D18DF7D286A2}) started download from 'http://PR1SITE.CONTOSO.COM/SMS_DP_SMSPKG$/fbb5724a-aa0f-47f9-
908a-47068fd8ad6f' for full content download. ContentTransferManager
CCTMJob::EvaluateState(JobID={E0452CF4-5B04-4A1A-B8EB-10B11B063249}, State=DownloadingData)
CTM job {E0452CF4-5B04-4A1A-B8EB-10B11B063249} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA
In CAS.log:
Location update from CTM for content fbb5724a-aa0f-47f9-908a-47068fd8ad6f.1 and request {856FA4CA-
D02A-4E2C-841E-841ED3C7EC01} ContentAccess
Download location found 0 - <http://PR1SITE.CONTOSO.COM/SMS_DP_SMSPKG$/fbb5724a-aa0f-47f9-908a-
47068fd8ad6f> ContentAccess
Download request only, ignoring location update ContentAccess
Download started for content fbb5724a-aa0f-47f9-908a-47068fd8ad6f.1 ContentAccess
At this point, Data Transfer Service creates a BITS job to download the file and then monitors the
download progress as noted in DataTransferService.log:
DTSJob {594E9A72-43D1-48D1-A639-D18DF7D286A2} created to download from
'http://PR1SITE.CONTOSO.COM:80/SMS_DP_SMSPKG$/fbb5724a-aa0f-47f9-908a-47068fd8ad6f' to
'C:\Windows\ccmcache\1'. DataTransferService
DTSJob {594E9A72-43D1-48D1-A639-D18DF7D286A2} in state 'DownloadingManifest'. DataTransferService
CDTSJob::ProcessManifestCallback - processing manifest for job '{594E9A72-43D1-48D1-A639-
D18DF7D286A2}'. DataTransferService
DTSJob {594E9A72-43D1-48D1-A639-D18DF7D286A2} in state 'RetrievedManifest'. DataTransferService
Execute called for DTS job '{594E9A72-43D1-48D1-A639-D18DF7D286A2}'. Current state:
'RetrievedManifest'. DataTransferService
DTSJob {594E9A72-43D1-48D1-A639-D18DF7D286A2} in state 'PendingDownload'. DataTransferService
Starting BITS download for DTS job '{594E9A72-43D1-48D1-A639-D18DF7D286A2}'. DataTransferService
DTSJob {594E9A72-43D1-48D1-A639-D18DF7D286A2} set BITS job to use default credentials.
DataTransferService
Starting BITS job '{38E74FCB-4397-4CA9-94AE-BDD49F550EC9}' for DTS job '{594E9A72-43D1-48D1-A639-
D18DF7D286A2}' under user 'S-1-5-18'. DataTransferService
DTS::SetCustomHeadersOnBITSJob - setting custom headers on DTS job '{594E9A72-43D1-48D1-A639-
D18DF7D286A2}':
<none> DataTransferService
DTS::AddTransportSecurityOptionsToBITSJob - Removing security info from DTS job '{594E9A72-43D1-48D1-
A639-D18DF7D286A2}'. DataTransferService
DTSJob {594E9A72-43D1-48D1-A639-D18DF7D286A2} in state 'DownloadingData'. DataTransferService
Job: {594E9A72-43D1-48D1-A639-D18DF7D286A2}, Total Files: 1, Transferred Files: 0, Total Bytes:
199093, Transferred Bytes: 5760 DataTransferService
CDTSJob::JobTransferred : DTS Job ID='{594E9A72-43D1-48D1-A639-D18DF7D286A2}' BITS Job ID='{38E74FCB-
4397-4CA9-94AE-BDD49F550EC9}' DataTransferService
DTSJob {594E9A72-43D1-48D1-A639-D18DF7D286A2} in state 'RetrievedData'. DataTransferService
DTSJob {594E9A72-43D1-48D1-A639-D18DF7D286A2} successfully completed download. DataTransferService
BITS job '{38E74FCB-4397-4CA9-94AE-BDD49F550EC9}' is not found. The BITS job may have completed
already. DataTransferService
CBITSDownloadMonitor(DTSJobID={594E9A72-43D1-48D1-A639-D18DF7D286A2}, BITSJobID={38E74FCB-4397-4CA9-
94AE-BDD49F550EC9}) ignoring cancelled object. DataTransferService
DTSJob {594E9A72-43D1-48D1-A639-D18DF7D286A2} in state 'NotifiedComplete'. DataTransferService
DTS job {594E9A72-43D1-48D1-A639-D18DF7D286A2} has completed:
Status : SUCCESS,
Start time : 02/09/2014 19:15:05,
Completion time : 02/09/2014 19:15:12,
Elapsed time : 7 seconds DataTransferService
7. After the download is complete, CTM and Content Access service are notified, and they mark the
download jobs as completed. Content Access service performs a hash verification of the downloaded
content to verify the integrity of the downloaded file. This process occurs for each file, although the
following example involves a single update being downloaded. Here's what we see in
CCTMJob::EvaluateState(JobID={E0452CF4-5B04-4A1A-B8EB-10B11B063249}, State=Success)
CCTMJob::EvaluateState(JobID={E0452CF4-5B04-4A1A-B8EB-10B11B063249}, State=Complete)
In CAS.log:
Download completed for content fbb5724a-aa0f-47f9-908a-47068fd8ad6f.1 under context System
ContentAccess
The hash we are verifying is SDMPackage:<Content ContentId="fbb5724a-aa0f-47f9-908a-47068fd8ad6f"
Version="1"><FileContent Name="windows6.1-kb2705219-v2-x64.cab"
Hash="8E8E0175D46B5A8D52C4856FA3D282FAA12ACD63" HashAlgorithm="SHA1" Size="199093"/></Content>
ContentAccess
CContentAccessService::NotifyDownloadComplete Start Content Hashing ContentAccess
Hashing file c:\windows\ccmcache\1\windows6.1-kb2705219-v2-x64.cab ContentAccess
Hash matches ContentAccess 2/9/2014 7:15:12 PM 3532 (0x0DCC)
Hash verification succeeded for content fbb5724a-aa0f-47f9-908a-47068fd8ad6f.1 downloaded under
context System ContentAccess
Then Updates Deployment Agent raises a state message to update the current enforcement state and
then starts the installation of the update. We see the following message in UpdatesDeployment.log:

Enforce, StateId = 8, StateName = ASSIGNMENT_ENFORCE_ADVANCE_DOWNLOAD_SUCCESS
Starting install for assignment ({B040D195-8FA8-48D3-953F-17E878DAB23D}) UpdatesDeploymentAgent
ApplyCIs - JobId = {CEE4AA3A-DE7B-4D9F-8949-E421BBBF2993} UpdatesDeploymentAgent
Update (Site_D3A5F7EA-25D4-4C6B-B47C-C74997522A76/SUM_3cbcf577-5139-49b8-afe8-620af5c52f95) Progress:
Status = ciStateWaitInstall, PercentComplete = 0, DownloadSize = 0, Result = 0x0
Update (Site_D3A5F7EA-25D4-4C6B-B47C-C74997522A76/SUM_ada7cf51-66b0-4a00-b37b-68d569d6ff8b) Progress:
Update (Site_D3A5F7EA-25D4-4C6B-B47C-C74997522A76/SUM_e06056e3-0199-4c68-8ac3-bdddff356a0a) Progress:
We also see this entry in UpdatesHandler.log:
Job {CEE4AA3A-DE7B-4D9F-8949-E421BBBF2993} is starting execution UpdatesHandler

CDeploymentJob::InstallUpdatesInBatch - Batch or non-batch install is not in progress for the job
({CEE4AA3A-DE7B-4D9F-8949-E421BBBF2993}). So allowing install.. UpdatesHandler
Update (3cbcf577-5139-49b8-afe8-620af5c52f95) added to the installation batch UpdatesHandler
Update (ada7cf51-66b0-4a00-b37b-68d569d6ff8b) added to the installation batch UpdatesHandler
Update (e06056e3-0199-4c68-8ac3-bdddff356a0a) added to the installation batch UpdatesHandler
Got execute info for (3) updates UpdatesHandler
Updates installation started as batch UpdatesHandler
8. Windows Update Agent Handler then copies the downloaded binaries to the Windows Update Agent
cache (C:\Windows\SoftwareDistribution\Download) directory and instructs Windows Update Agent to
start the installation process. Here's what we see in WUAHandler.log:
Adding file to list for CopyToCache(): C:\Windows\ccmcache\1\windows6.1-kb2705219-v2-x64.cab
WUAHandler
CopyToCache() for update (fbb5724a-aa0f-47f9-908a-47068fd8ad6f) completed successfully WUAHandler
Adding file to list for CopyToCache(): C:\Windows\ccmcache\2\windows6.1-kb2712808-x64.cab
WUAHandler
CopyToCache() for update (3e9b1132-9ccd-439d-b32a-5cefd19735d1) completed successfully WUAHandler
Adding file to list for CopyToCache(): C:\Windows\ccmcache\3\windows6.1-kb2698365-x64.cab
WUAHandler
CopyToCache() for update (d2a9ee23-9cab-4843-b040-e2da1cc167e9) completed successfully WUAHandler
Update(s) downloaded to WUA file cache, starting installation. WUAHandler
Async installation of updates started. WUAHandler
Update 1 (3cbcf577-5139-49b8-afe8-620af5c52f95) finished installing (0x00000000), Reboot Required?
Yes WUAHandler
Update 2 (ada7cf51-66b0-4a00-b37b-68d569d6ff8b) finished installing (0x00000000), Reboot Required?
Yes WUAHandler
Update 3 (e06056e3-0199-4c68-8ac3-bdddff356a0a) finished installing (0x00000000), Reboot Required?
Yes WUAHandler
Async install completed. WUAHandler
Installation of updates completed. WUAHandler
We also see the following entries in WindowsUpdate.log:
2014-02-09 19:15:26:130 800 ed0 Agent ** START ** Agent: Installing updates [CallerId = CcmExec]
2014-02-09 19:15:26:130 800 ed0 Agent * Updates to install = 3
2014-02-09 19:15:26:254 1048 84c Handler Starting install of CBS update FBB5724A-AA0F-47F9-908A-
47068FD8AD6F
2014-02-09 19:15:29:218 1048 84c Handler Completed install of CBS update with type=3,
requiresReboot=1, installerError=0, hr=0x0
2014-02-09 19:15:29:265 1048 84c Handler Starting install of CBS update 3E9B1132-9CCD-439D-B32A-
5CEFD19735D1
2014-02-09 19:15:30:451 1048 84c Handler Starting install of CBS update D2A9EE23-9CAB-4843-B040-
E2DA1CC167E9
2014-02-09 19:15:39:327 788 9f8 COMAPI - Reboot required = Yes
2014-02-09 19:15:39:327 788 9f8 COMAPI -- END -- COMAPI: Install [ClientId = CcmExec]
9. After the updates are installed, Updates Deployment Agent checks whether any updates require a reboot.
Then, it notifies the user if client settings are configured to allow such notifications. Here's what we see in
No installations in pipeline, notify reboot. NotifyUI = True UpdatesDeploymentAgent

Notify reboot with deadline = Sunday, Feb 09, 2014. - 19:15:39, Ignore reboot Window = False,
NotifyUI = True UpdatesDeploymentAgent
Enforce, StateId = 5, StateName = ASSIGNMENT_ENFORCE_PENDING_REBOOT UpdatesDeploymentAgent
10. After the computer restarts, a post-reboot detection scan is started for the deployment. The scan verifies
that updates are installed and raises state messages for the update and deployment to indicate that
updates are installed and that enforcement was successful. Here's what we see in
CTargetedUpdatesManager::DetectRebootPendingUpdates - Total Pending reboot updates = 3
Initiated detect for pending reboot updates after system restart - JobId = {53F4851F-7E63-4C7E-952D-
78345039FFFC} UpdatesDeploymentAgent
CUpdatesJob({53F4851F-7E63-4C7E-952D-78345039FFFC}): Job completion received.
CUpdatesJob({53F4851F-7E63-4C7E-952D-78345039FFFC}): Detect after reboot job completed with result =
0x0 UpdatesDeploymentAgent
Raised update (Site_D3A5F7EA-25D4-4C6B-B47C-C74997522A76/SUM_e06056e3-0199-4c68-8ac3-bdddff356a0a)
enforcement state message successfully. StateId = 10, StateName = CI_ENFORCEMENT_SUCCESSFULL
Raised update (Site_D3A5F7EA-25D4-4C6B-B47C-C74997522A76/SUM_ada7cf51-66b0-4a00-b37b-68d569d6ff8b)
Raised update (Site_D3A5F7EA-25D4-4C6B-B47C-C74997522A76/SUM_3cbcf577-5139-49b8-afe8-620af5c52f95)
Compliance, Signature = 5e176837, IsCompliant = True UpdatesDeploymentAgent
Enforce, StateId = 4, StateName = ASSIGNMENT_ENFORCE_SUCCESS UpdatesDeploymentAgent
At this point, the software updates deployment has been downloaded and successfully installed on the
client, and the process is complete.
State message reporting

Throughout the deployment phase, multiple state messages are raised to indicate the current state of the
updates and the deployment itself. After these state messages are raised, they're processed in the way that's
described in State messaging data flow.
Enable verbose logging and configure SQL Server
Profiler for troubleshooting

In Configuration Manager, client and site server components record process information in individual log files.
You can use the information in these log files to help you troubleshoot issues that might occur.
Enable verbose and debug logging on the client and management

point
Verbose logging can be enabled by creating the following registry value as REG_DWORD with value
0x0 :
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\Logging\@GLOBAL\LogLevel
Debug logging can be enabled by creating the following registry value as REG_SZ with a value of True :
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\Logging\DebugLogging\Enabled
The CCM log size can be increased to 5 MB by setting the following registry value as REG_DWORD with
a value of 5242880 (decimal):
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\Logging\@GLOBAL\LogMaxSize
You can edit the REG_DWORD value for the following registry value to increase the number of history
log files to be retained:
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\Logging\@GLOBAL\LogMaxHistory
NOTE
Restart the SMS Agent Host service to enable the changes. On the management point, you may have to restart IIS-
related services for verbose logging to take effect for some logs.
Enable verbose logging for the state system component on the site
server
To enable verbose logging for State System (StateSys), set the REG_DWORD value for the following registry
value to 1 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_STATE_SYSTEM\Verbose logging
NOTE
This registry key change doesn't require a restart of the SMS_Executive service or the SMS_STATE_SYSTEM thread.
Enable verbose logging for WSUS Synchronization Manager

(WSYNCMGR)
To enable verbose logging for WsyncMgr.log, create or modify the following registry value on the site server
and set the REG_DWORD value to 4 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\SMS_WSUS_SYNC_MANAGER\LogLevel
Enable SQL tracing for Configuration Manager logs

To enable SQL tracing, set the REG_DWORD value for the following registry value to 1 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\SqlEnabled
NOTE
This registry change doesn't require a restart of the SMS_Executive service. This registry value adds SQL trace logging
for all site server logs. This should only be done temporarily while troubleshooting, and should be disabled after getting
the relevant logs.
Enable verbose logging for Windows Update Agent

To enable verbose logging, create the following registry subkey with two values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
VA L UE N A M E VA L UE T Y P E VA L UE DATA
Flags REG_DWORD 00000007
Level REG_DWORD 00000004
This subkey turns on an extended tracing to the %systemroot%\Windowsupdate.log file, it also turns on an
extended tracing to any attached debuggers.
NOTE
Extended verbose logging can be enabled by setting the value of Flags to 17 instead of 7. However, it will significantly
increase the size of WindowsUpdate.log.
Configure SQL Server Profiler to troubleshoot WSUS location request

issues
In some circumstances, you may need to use SQL Server Profiler to find the call to the
MP_GetWSUSServerLocation stored procedure and see what parameters are passed.
To do this, configure the SQL Server Profiler as shown in the following screenshot:
Configure SQL Server Profiler to view state message processing
To do this, configure the SQL Server Profiler as shown in the following screenshot:
Troubleshoot software update management in
This article helps you troubleshoot the software update management process in Configuration Manager. It
includes client software update scanning, synchronization issues, and detection problems with specific updates.
Original product version: Configuration Manager (current branch), System Center 2012 R2 Configuration
Manager, System Center 2012 Configuration Manager
Scope your issue

This guide assumes that a software update point has already been installed and configured. For more
information about configuring software updates in Configuration Manager, see Prepare for software updates
management.
Before you start troubleshooting, it's important to emphasize that, the better you understand the problem you're
experiencing, the quicker and easier it will be for you to fix it. Whether you're tasked with fixing a problem that
you are experiencing, or a problem reported to you by someone in your organization, take a moment and
answer the following questions:
1. What specifically isn't working and/or what is your goal?
2. What is the frequency or pattern for the issue? Is the problem still happening?
3. How did you become aware that the problem exists?
4. Has it ever worked? If so, when did it stop? Was anything changed in the environment right before it stopped
working?
5. What percentage of clients are affected?
6. What has been done already (if anything) to try to fix it?
7. Know the exact version of the client and the version of the server. Are these systems up to date?
8. What do affected clients have in common? For example, same subnet, AD site, domain, physical location, site,
site system.
Knowing and understanding the answers to these questions will put you on the best path for a quick and easy
resolution to whatever problem you're experiencing.
If you know the specific area within the software update management process that you'd like to troubleshoot,
select it below. Start with client software update scanning if unsure and we'll walk through the entire process
from beginning to end.
Client software update scanning
WSUS to Microsoft Update synchronization
Installation, supersedence, or detection issues with specific updates
Client software update scanning

The client scan process is outlined in the following steps. Confirm each step to properly establish where the
issue is.
Step 1: The client sends a WSUS location request to the management point
The first thing the client does is set the WSUS server that will be its update source for software update scans.
That process is detailed below.
1. When the Configuration Manager client needs to process a software update scan, Scan Agent creates a
scan request based on the available policy as noted in ScanAgent.log:
CScanAgent::ScanByUpdates- Policy available for UpdateSourceID={SourceID}

ContentVersion=38
CScanAgent::ScanByUpdates- Added Policy to final ScanRequest List UpdateSourceID={SourceID}, Policy-
ContentVersion=38, Required-ContentVersion=38
2. Scan Agent now sends a WSUS location request to Location Services as noted in ScanAgent.log:
Inside CScanAgent::ProcessScanRequest()
CScanJobManager::Scan- entered
ScanJob({JobID}): CScanJob::Initialize- entered
ScanJob({JobID}): CScanJob::Scan- entered
ScanJob({JobID}): CScanJob::RequestLocations- entered
- - - - - -Requesting WSUS Server Locations from LS for {WSUSLocationID} version 38
- - - - - -Location Request ID = {LocationRequestID}
CScanAgentCache::PersistInstanceInCache- Persisted Instance CCM_ScanJobInstance
ScanJob({JobID}): - - - - - -Locations requested for ScanJobID={JobID} (LocationRequestID=
{LocationRequestID}), will process the scan request once locations are available.
TIP
Each scan job is stored in WMI in the CCM_ScanJobInstance class:
Namespace: root\CCM\ScanAgent Class: CCM_ScanJobInstance
3. Location Services creates a location request and sends it to the management point. The package ID for a
WSUS location request is the update source unique ID. In LocationServices.log:
CCCMWSUSLocation::GetLocationsAsyncEx
Attempting to persist WSUS location request for ContentID='{ContentID}' and ContentVersion='38'
Persisted WSUS location request LocationServices
Attempting to send WSUS Location Request for ContentID='{ContentID}'
WSUSLocationRequest : <WSUSLocationRequest SchemaVersion="1.00"><Content ID="{ContentID}"
Version="38"/><AssignedSite SiteCode="PS1"/><ClientLocationInfo OnInternet="0"><ADSite Name="CM12-
R2PS1"/><Forest Name="CONTOSO.COM"/><Domain Name="CONTOSO.COM"/><IPAddresses><IPAddress
</WSUSLocationRequest>
Created and Sent Location Request '{LocationRequestID}' for package {ContentID}
4. CCM Messaging sends the location request message to the management point. In CcmMessaging.log:
Sending async message '{Message}' to outgoing queue 'mp:[http]mp_locationmanager'

Sending outgoing message '{Message}'. Flags 0x200, sender account empty
5. The management point parses this request and calls the MP_GetWSUSServerLocations stored procedure to
get the WSUS locations from the database. In MP_Location.log:
MP LM: Message Body : \<WSUSLocationRequest SchemaVersion="1.00"><Content ID="{ContentID}"
Version="38"/><AssignedSite SiteCode="PS1"/><ClientLocationInfo OnInternet="0"><ADSite Name="CM12-
R2PS1"/><Forest Name="CONTOSO.COM"/><Domain Name="CONTOSO.COM"/><IPAddresses><IPAddress
</WSUSLocationRequest> MP_LocationManager
MP LM: calling MP_GetWSUSServerLocations
In SQL Server Profiler:
exec MP_GetMPSitesFromAssignedSite N'PS1'

exec MP_GetSiteInfoUnified N'<ClientLocationInfo OnInternet="0"><ADSite Name="CM12-R2-PS1"/><Forest
Name="CONTOSO.COM"/><Domain Name="CONTOSO.COM"/><IPAddresses><IPAddress SubnetAddress="192.168.2.0"
Address="192.168.2.62"/></IPAddresses></ClientLocationInfo>'
exec MP_GetWSUSServerLocations N'{WSUSServerLocationsID}',N'38',N'PS1',N'PS1',N'0',N'CONTOSO.COM'
6. After getting the results from the stored procedure, the management point sends a response to the client.
In MP_Location.log:
MP LM: Reply message body: <WSUSLocationReply SchemaVersion="1.00"><Sites><Site><MPSite

SiteCode="PS1"/><LocationRecords><LocationRecord WSUSURL="http://PS1SITE.CONTOSO.COM:8530"
ServerName="PS1SITE.CONTOSO.COM" Version="38"/><LocationRecord
WSUSURL="https://PS1SYS.CONTOSO.COM:8531" ServerName="PS1SYS.CONTOSO.COM" Version="38"/>
</LocationRecords></Site></Sites></WSUSLocationReply>
7. CCM Messaging receives the response and sends it back to Location Services. In CcmMessaging.log:
Message '{Message1}' got reply '{Message2}' to local endpoint queue 'LS_ReplyLocations'

OutgoingMessage(Queue='mp_[http]mp_locationmanager', ID={*Message1*}):
Delivered successfully to host 'PS1SYS.CONTOSO.COM'.
Message '{Message2}' delivered to endpoint 'LS_ReplyLocations'
8. Location Services parses the response and sends the location back to Scan Agent. In LocationServices.log:
Processing Location reply message LocationServices

WSUSLocationReply : <WSUSLocationReply SchemaVersion="1.00"><Sites><Site><MPSite SiteCode="PS1"/>
<LocationRecords><LocationRecord WSUSURL="http://PS1SITE.CONTOSO.COM:8530"
ServerName="PS1SITE.CONTOSO.COM" Version="38"/><LocationRecord
WSUSURL="https://PS1SYS.CONTOSO.COM:8531" ServerName="PS1SYS.CONTOSO.COM" Version="38"/>
</LocationRecords></Site></Sites></WSUSLocationReply>
Calling back with the following WSUS locations
WSUS Path='http://PS1SITE.CONTOSO.COM:8530', Server='PS1SITE.CONTOSO.COM', Version='38'
WSUS Path='https://PS1SYS.CONTOSO.COM:8531', Server='PS1SYS.CONTOSO.COM', Version='38'
Calling back with locations for WSUS request {WSUSLocationID}
9. Scan Agent now has the policy and the update source location with the appropriate content version. In
ScanAgent.log:
*****WSUSLocationUpdate received for location request guid={LocationGUID}

ScanJob({JobID}): CScanJob::OnLocationUpdate- Received
Location=<http://PS1SITE.CONTOSO.COM:8530>, Version=38
ScanJob({JobID}): CScanJob::Execute- Adding UpdateSource={SourceID}, ContentType=2, ContentLocation=
<http://PS1SITE.CONTOSO.COM:8530>, ContentVersion=38
10. Scan Agent notifies WUAHandler to add the update source. WUAHandler adds the update source to the
registry. It initiates a Group Policy refresh if the client is in domain to see whether Group Policy overrides
the update server that's added. The following entries are logged in WUAHandler.log showing a new
Update Source being added:
Its a WSUS Update Source type ({WSUSUpdateSource}), adding it

Its a completely new WSUS Update Source
Enabling WUA Managed server policy to use server: <http://PS1SITE.CONTOSO.COM:8530>
Policy refresh forced
Waiting for 2 mins for Group Policy to notify of WUA policy change
Waiting for 30 secs for policy to take effect on WU Agent.
Added Update Source ({UpdateSource}) of content type: 2
During this time, the Windows Update Agent sees a WSUS configuration change. In WindowsUpdate.log:
* WSUS server: <http://PS1SITE.CONTOSO.COM:8530> (Changed)

* WSUS status server: <http://PS1SITE.CONTOSO.COM:8530> (Changed)
Sus server changed through policy.
The following registry keys are checked and set:
REGIST RY SUB K EY VA L UE N A M E TYPE DATA
REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate
WUServer The full WSUS server URL
example, <
>
WUStatusServer REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdateThe full WSUS server URL
example, <
>
REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU
UseWUServer
For an existing client, we could expect to see the following message in WUAHandler.log to denote when
content version has incremented:
Its a WSUS Update Source type ({WSUSUpdateSource}), adding it.

WSUS update source already exists, it has increased version to 38.
11. After the update source is successfully added, Scan Agent raises a state message and starts the scan. In
ScanAgent.log:
ScanJob({JobID}): Raised UpdateSource ({UpdateSource}) state message successfully. StateId = 2

ScanJob({JobID}): CScanJob::Execute - successfully requested Scan, ScanType=1
Troubleshoot issues in step 1
ISSUES W H AT TO C H EC K
ScanAgent.log shows no policy available for an update Check the Enable software updates on clients setting.
source and no WUAHandler.log exists or no current activity
within WUAHandler.log
ISSUES W H AT TO C H EC K
Scan Agent or Location Services doesn't receive the WSUS Is a software update point (SUP) role installed for
server location the site?
If not, install and configure a software update
point and monitor SUPSetup.log for progress.
For more information, see Install and configure a
software update point.
If a SUP role is installed, is it configured and
synchronizing?
Check WCM.log, WSUSCtrl.log, and
WSyncMgr.log for errors.
select * from WSUSServerLocations
select * from Update_SyncStatus
Client receives the WSUS location but fails to configure the Did Group Policy refresh respond within the 2-minute
WSUS registry keys timeout per WUAHandler.log? If so, does WUAHandler
denote Group policy settings were over written by
a higher authority (Domain Controller) ?
For more information, see Group Policy overrides the
correct WSUS configuration information.
For more information about software update scan failures troubleshooting, see Troubleshoot software update
scan failures.
Step 2: Scan Agent requests the scan and WUAHandler starts the scan
After the client has identified and set the WSUS server that will be its update source for software update scans,
Scan Agent requests the scan from WUAHandler that uses the Windows Update Agent API to request a software
update scan from the Windows Update Agent. A scan may result from:
A scheduled or manual software update scan
A scheduled or manual software updated deployment re-evaluation
A deployment that becomes active
The scan triggers an evaluation. In ScanAgent.log:
ScanJob({JobID}): CScanJob::Execute - successfully requested Scan, ScanType=1
Scan results will include superseded updates only when they're superseded by service packs and definition
updates. In WUAHandler.log:
Search Criteria is (DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver')

Running single-call scan of updates.
Async searching of updates using WUAgent started.
TIP
Review WUAHandler.log after a software update scan to see if any new entries occur. If no new entries occur, it indicates
that no SUP is returned by the management point.
Many issues with software update scan can be caused by one of the following reasons:
Missing or corrupted files or registry keys.
Component registration issues.
To fix such issues, see Scan failures due to missing or corrupted components.
There's a known issue that a 32-bit Windows 7 ConfigMgr 2012 R2 client requesting an update scan fails to
return scan results to Configuration Manager. It causes the client to report incorrect compliance status and the
updates fail to install when Configuration Manager requests the update cycle. However, if you use the Windows
Update control panel applet, the updates usually install fine. When you're experiencing this problem, you receive
a message similar to the following one in WindowsUpdate.log:
WARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E
It's a memory allocation issue, 64-bit Windows 7 computers won't see this error since their address space is
effectively unlimited. However, they'll exhibit high memory and high CPU usage, possibly affecting performance.
X86 clients will also exhibit high memory usage (usually around 1.2 GB to 1.4 GB).
To fix this issue, apply Windows Update Client for Windows 7: June 2015.
When troubleshooting scan failures, check the WUAHandler.log and WindowsUpdate.log files. WUAHandler
simply reports what Windows Update Agent reported. So, the error in WUAHandler would be the same error
that was reported by the Windows Update Agent itself. More information about the error can be found in
WindowsUpdate.log. To understand how to read WindowsUpdate.log, see Windows Update log files.
Your best source of information will come from the logs and the error codes they contain. For more information
about the error codes, see Windows Update common errors and mitigation.
Step 3: Windows Update Agent (WUA ) starts the scan against the WSUS computer
Windows Update Agent starts a scan after receiving a request from the Configuration Manager client (CcmExec).
If these registry values are correctly set to a WSUS computer that's a valid SUP for the site through a local policy,
you should see a COM API search request from the Configuration Manager client (ClientId = CcmExec). In
WindowsUpdate.log:
COMAPI -- START -- COMAPI: Search [ClientId = CcmExec]

COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec] PT + ServiceId = {ServiceID}, Server URL =
<http://PS1.CONTOSO.COM:8530/ClientWebService/client.asmx>
Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
Agent * Include potentially superseded updates
Agent * Online = Yes; Ignore download priority = Yes
Agent * Criteria = "(DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver')"
Agent * ServiceID = {ServiceID} Managed
Agent * Search Scope = {Machine}
PT + ServiceId = {ServiceID}, Server URL = <http://PS1.CONTOSO.COM:8530/ClientWebService/client.asmx>

Agent * Added update {4AE85C00-0EAA-4BE0-B81B-DBD7053D5FAE}.104 to search result
Agent * Added update {57260DFE-227C-45E3-9FFC-2FC77A67F95A}.104 to search result
Agent * Found 163 updates and 70 categories in search; evaluated appl. rules of 622 out of 1150 deployed
entities
Agent ** END ** Agent: Finding updates [CallerId = CcmExec]
COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = CcmExec]
COMAPI - Updates found = 163
COMAPI -- END -- COMAPI: Search [ClientId = CcmExec]

During a scan, the Windows Update Agent needs to communicate with the ClientWebService and
SimpleAuthWebServicevirtual directories on the WSUS computer to perform a scan. If the client can't
communicate with the WSUS computer, the scan will fail. This issue can happen for many reasons, including:
Proxy related issues
To fix these issues, see Scan failures due to proxy-related issues.
For more information about proxy servers, see the following articles:
How the Windows Update client determines which proxy server to use to connect to the Windows
Update Web site
DNS and DHCP Support for Web Proxy and Firewall Client Autodiscovery
HTTP timeout errors
To troubleshoot HTTP timeout errors, first review the Internet Information Services (IIS) logs on the WSUS
computer to confirm that the errors are actually being returned from WSUS. If the WSUS computer isn't
returning the error, the issue is likely with an intermediate firewall or proxy.
If the WSUS computer is returning the error, verify connectivity with the WSUS computer. Here are the
steps:
1. To confirm that the client is connecting to the correct WSUS server, find the URL of the WSUS
computer used by the Windows Update Agent client. This URL can be found by checking the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate registry subkey or by
viewing the WindowsUpdate.log file.
Common reasons that the WSUS assignment may be incorrect include:
Group Policy conflicts
The addition of a SUP to a secondary site after initial client installation
NOTE
Active Directory Group Policy may override the local WSUS policy.
The software updates feature automatically configures a local Group Policy setting for the
Configuration Manager client so that it's configured with the software update point source location
and port number. Both the server name and port number are required for the client to find the
If an Active Directory Group Policy setting is applied to computers for software update point client
installation, it overrides the local Group Policy setting. If the value of the setting defined in the
Active Directory Group Policy is different from the one set by Configuration Manager, the scan will
fail on the client because it can't locate the correct WSUS computer. In this situation,
WUAHandler.log will show the following message:
Group policy settings were overwritten by a higher authority (Domain Controller) to: Server <
http://server > and Policy ENABLED
The software update point for client installation and software updates must be the same server.
And it must be specified in the Active Directory Group Policy setting with the correct name format
and port information. For example, it would be < http://server1.contoso.com:80 > if the software
update point was using the default website.
2. If the server URL is correct, access the server using a URL similar to the following one to verify
connectivity between the client and the WSUS computer:
< http://SUPSERVER.CONTOSO.COM:8530/Selfupdate/wuident.cab >
To check whether the client can access the ClientWebService virtual directory, try accessing a URL
similar to this one:
< http://SUPSERVER.CONTOSO.COM:8530/ClientWebService/wusserverversion.xml >
To check whether the client can access the SimpleAuthWebService , try accessing a URL similar to
this one:
< http://SUPSERVER.CONTOSO.COM:8530/SimpleAuthWebService/SimpleAuth.asmx >
If any of these URLs fail, some of the possible reasons include:
Name resolution issues on the client. Verify that you can resolve the FQDN of the WSUS
computer.
Proxy configuration issues.
Other network-related connectivity issues.
Port configuration problems, so it's a good idea to verify that the port settings are correct.
WSUS can be configured to use any of the following ports: 80, 443 or 8530, 8531.
For clients to communicate with the WSUS computer, the appropriate ports must be
allowed on the firewall on the WSUS computer. Port settings are configured when the
software update point site system role is created. These port settings must be the same as
the port settings used by the WSUS website. Otherwise, WSUS Synchronization Manager
will fail to connect to WSUS running on the software update point to request
synchronization. The following procedures provide information about how to verify the
port settings used by WSUS and the software update point.
a. Determine the WSUS port settings used in IIS 7.0 and later versions.
b. Determine the WSUS port settings in IIS 6.0.
c. Configure ports for the software update point.
d. Verify port connectivity
To check port connectivity from the client, run the following command:
telnet SUPSERVER.CONTOSO.COM <portnumber>
For example, run the following command if the port is 8530:
telnet SUPSERVER.CONTOSO.COM 8530
If the port isn't accessible, telnet will return an error that resembles the following
one:
Could not open connection to the host, on port <PortNumber>
This error suggests that the firewall rules aren't configured to allow communication
for the WSUS computer. This error can also suggest that an intermediate network
device is blocking that port. To verify, try the same test from a client on the same
local subnet. If it works, the computers are configured correctly. However, a router or
firewall between segments is blocking the port and causing the failure.
IIS availability problems.
a. On the WSUS computer, open Internet Information Ser vices (IIS) Manager .
b. Expand Sites , right-click the website for the WSUS computer, and then click Edit
Bindings .
c. In the Site Bindings dialog box, the HTTP and HTTPS port values are displayed in the
Por t column.
d. On the WSUS server, open Internet Information Ser vices (IIS) Manager .
e. Expand Web Sites , right-click the website for the WSUS computer, then click
Proper ties .
f. Click the Web Site tab. The HTTP port setting is displayed in TCP por t and the HTTPS
port setting is displayed in SSL por t .
g. In the Configuration Manager console, go to Administration > Site Configuration >
Ser vers and Site System Roles , then click the <SiteSystemName> right-hand pane.
h. In the bottom pane, right-click Software Update Point and then click Proper ties .
i. Go to the General tab, specify or verify the WSUS configuration port numbers.
Authentication errors
It's typically indicated when the scan fails with authentication errors 0x80244017 (HTTP Status 401) or
0x80244018 (HTTP Status 403).
First, confirm the correct WinHTTP proxy settings using the following commands:
On Windows Vista or later versions: netsh winhttp show proxy
On Windows XP: proxycfg.exe
If the proxy settings are correct, verify connectivity with the WSUS computer by completing the steps in
HTTP timeout errors . Also review the IIS logs on the WSUS computer to confirm that the HTTP errors
are being returned from WSUS. If the WSUS computer isn't returning the error, the issue is likely with an
intermediate firewall or proxy.
Cer tificate problems
Certificate problems are indicated by error code 0x80072F0C that means "A certificate is required to
complete client authentication". To fix this issue, see Scan fails with error 0x80072f0c.
Step 4: WUAHandler receives results from Windows Update Agent and marks the scan as complete
Async searching completed.

Finished searching for everything in single call.

Problems here should be addressed the same way as scan failures in step 3.
As mentioned earlier in this guide, when troubleshooting scan failures, check the WUAHandler.log and
WindowsUpdate.log files. WUAHandler simply reports what Windows Update Agent reported. So the error in
WUAHandler would be the same error that was reported by the Windows Update Agent itself. More information
about the error could be found in WindowsUpdate.log. To understand how to read WindowsUpdate.log, see
Windows Update log files.
There are many reasons why a software update scan might fail. It could be caused by one of the issues
mentioned earlier, or a communication or firewall issue between the client and the software update point
computer. Your best source of information will come from the logs and the error codes they contain. For more
information about the error codes, see Windows Update common errors and mitigation.
Step 5: WUAHandler parses the scan results
WUAHandler then parses the results, which include the applicability state for each update. As part of this
process, superseded updates are pruned out. The applicability state is checked for all updates that align to the
criteria submitted by CCMExec to the Windows Update Agent. The important thing to understand here is that
you should see applicability results for updates whether those updates are in a deployment or not.
The following entries are logged in WUAHandler.log:
> Pruning: update id (70f4f236-0248-4e84-b472-292913576fa1) is superseded by (726b7201-862a-4fde-9b12-

f36b38323a6f).
> ...
> Update (Installed): Security Update for Windows 7 for x64-based Systems (KB2584146) (4ae85c00-0eaa-4be0-
b81b-dbd7053d5fae, 104)
> Update (Missing): Security Update for Windows 7 for x64-based Systems (KB2862152) (505fda07-b4f3-45fb-
83d9-8642554e2773, 200)
> ...
> Successfully completed scan.

Problems can be addressed the same way as scan failures in step 3.
Generally speaking, there are many reasons why a software update scan might fail. It could be caused by one of
the issues mentioned earlier, or by a communication or firewall issue between the client and the software update
point computer. Your best source of information will come from the logs and the error codes they contain. As a
reference, see Windows Update common errors and mitigation.
Step 6: Update store records the status and raises a state message for each update in WMI
Once the scan results are available, these results are stored in the updates store. Update store records the
current state of each update and creates a state message for each update. These state messages are forwarded
to the site server in bulk at the end of the status message reporting cycle (which is minutes, by default). We only
send a state message under the following circumstances:
A previous state message has never been sent for an update (log entry: hasn't been repor ted before,
creating new instance ).
The applicability state for an update has changed since the last state message was submitted.
UpdatesStore.log showing state for missing update (KB2862152) being recorded and a state message being
raised:
Processing update status from update (505fda07-b4f3-45fb-83d9-8642554e2773) with ProductID = 0fa1201d-4330-

4fa8-8ae9b877473b6441
Update status from update (505fda07-b4f3-45fb-83d9-8642554e2773) hasn't been reported before, creating new
instance.
Successfully raised state message for update (505fda07-b4f3-45fb-83d9-8642554e2773) with state (Missing).
Successfully added WMI instance of update status (505fda07-b4f3-45fb-83d9-8642554e2773).
StateMessage.log showing state messaged being recorded with State ID 2 (missing):

Adding message with TopicType 500 and TopicId 505fda07-b4f3-45fb-83d9-8642554e2773 to WMI
State message(State ID : 2) with TopicType 500 and TopicId 505fda07-b4f3-45fb-83d9-8642554e2773 has been
recorded for SYSTEM
TIP
For each update, an instance of the CCM_UpdateStatus class is created or updated, and it stores the current status of the
update. The CCM_UpdateStatus class is located in the ROOT\CCM\SoftwareUpdates\UpdatesStore namespace.

Problems here should be addressed the same way as scan failures in step 3.
Step 7: State messages are sent to the management point
When WUAHandler successfully receives the results from the Windows Update Agent, it marks the scan as
complete and logs the following message in WUAHandler.log:
Async searching completed. WUAHandler

Finished searching for everything in single call

Problems here should be addressed the same way as scan failures in step 3, although failures at this stage will
likely be surfaced in the WindowsUpdate.log file specifically. To understand how to read WindowsUpdate.log,
see Windows Update log files.
WSUS to Microsoft Update synchronization

WSUS synchronizing with Microsoft Update is outlined in the following steps. Confirm each step to properly
establish where the issue is.
Step 1: Synchronization starts through a scheduled or manual request
When a synchronization is triggered, we expect to see the following messages within the WSUS server's
SoftwareDistribution.log:
For manual sync:
Changew3wp.6AdminDataAccess.StartSubscriptionManuallySynchronization manually started
Info WsusService.27EventLogEventReporter.ReportEvent
EventId=382,Type=Information,Category=Synchronization,Message=A manual synchronization was started.
For scheduled synch:
InfoWsusService.10EventLogEventReporter.ReportEvent
EventId=381,Type=Information,Category=Synchronization,Message=A scheduled synchronization was started.
Troubleshoot a manual sync in step 1

1. Confirm that the WSUS service is running. If a manual synchronization has started but stays at 0%, it's
because that the WSUS service (Update Ser vices on WSUS 3.x; WSUSSer vice on Windows Server
2012 and later versions) is in a stopped state.
2. Reset the WSUS console MMC cache by following these steps:
a. Close the WSUS console.
b. Stop the WSUS service (Update Ser vices on WSUS 3.x; WSUS Ser vice on Windows Server 2012
and later versions).
c. Browse to %appdata%\Microsoft\mmc .
d. Rename wsus to wsus_bak .
e. Start the WSUS service.
f. Open the WSUS console and try another manual synchronization.
Troubleshoot a scheduled sync in step 1
1. Try a manual synchronization from the WSUS console.
2. If a manual synchronization works fine, check the scheduled synchronization settings.
Step 2: WSUS spawns a connection to Microsoft Update (MU )
After a synchronization starts, the WSUS server attempts to make an HTTP connection through WinHTTP.
Consider the following factors when troubleshooting the connection:
WSUS <=winhttp=> Network entities <=> Internet
Does a network entity (proxy, firewall, security filter, and so on) exist between the WSUS host machine and
the Internet?
If a proxy exists and the WSUS server is required to use the proxy, is the proxy configured within the proper
WSUS settings?
Troubleshoot a manual sync in step 2
1. Confirm that the WSUS service is running. If a manual synchronization has started but it stays at 0%, it's
because the WSUS service (Update Ser vices on WSUS 3.x; WSUS Ser vice on Windows Server 2012
and later versions) is in a stopped state.
2. Reset the WSUS console MMC cache by completing the following steps:
a. Close the WSUS console.
b. Stop the WSUS service (Update Ser vices on WSUS 3.x; WSUS Ser vice on Windows Server 2012
and later versions).
c. Browse to %appdata%\Microsoft\mmc .
d. Rename wsus to wsus_bak .
e. Start the WSUS service.
f. Open the WSUS console and try another manual synchronization.
Troubleshoot a scheduled sync in step 2
1. Try a manual synchronization from the WSUS console.
2. If a manual synchronization works fine, check the scheduled synchronization settings.
Step 3: The WSUS computer receives product and classification information from Microsoft Update and any
subscribed metadata
After WSUS receives product and classification information and any subscribed metadata from Microsoft
Update, the WSUS synchronization is complete.

Deployment issues that occur with specific updates can be broken into the areas below. When you begin
troubleshooting, consider the following components associated with these areas.
A REA S IN STA L L AT IO N SUP ERSEDEN C E DET EC T IO N
Components WUA Update metadata WUA

Update Installer Update metadata
(Component-Based Update Installer
Servicing (CBS), MSI) (CBS, MSI)
CCMExec
Installation issues
What is the installer (CBS, MSI, other)?
CBS
For updates that apply to Windows Vista and later versions, CBS is used to handle the installation.
1. Gather the CBS log ( %Windir%\Logs\Cbs\Cbs.log ) and perform an initial review to gain insight into the cause
of the failure. Troubleshooting installation-based issues through CBS logs is beyond the scope of this guide.
For more information, see Fix Windows corruption errors by using the DISM or System Update Readiness
tool.
2. Does the update install successfully as a logged on user? If so, does it fail only when it's installed under the
System context? In this case, focus on troubleshooting the manual installation failure under the System
context.
MSI (Windows Installer)
For non-Windows software updates, MSI is used to handle the installation.
1. Gather and review the default MSI logs for the update. Check the associated KB article for the update for
any known issues or FAQ.
2. Enable Windows Installer logging and reproduce the failure.
When reviewing the resulting logs, check for return value 3 within the log and the lines preceding that
entry for insight into the failure.
3. Check whether the same update fails to install manually under the local system context. To do so, use the
same installation switches that failed during the software update deployment.
If it fails, test the installation as the logged on user with the same installation switches. Check if it's an
issue with installing under local system. If it works, you can then focus the issue on how to properly
install the update using the local system context. It may require checking for administrative deployment
guidance within the KB for the update or online.
Supersedence issues
Attempt to isolate the issue that relates to supersedence by using the following questions:
1. For questions about how to control when Configuration Manager expires an update, see Supersedence rules.
2. If an update has been expired by Configuration Manager, Microsoft recommends that the latest superseding
update be deployed. If you still need to deploy the expired updates, they can be deployed outside a software
update deployment through software distribution or application management.
3. For questions related specifically to the supersedence logic of an update, first review the KB article for the
update for further information. You can also review supersedence within the Microsoft Update Catalog,
WSUS console, or the Configuration Manager console.
Detection issues
Determine compliance state per update on a client
1. Review the update KB article for known issues with the update.
2. Run the Software Updates Scan Cycle action on the Configuration Manager client.
3. Review UpdatesStore.log and WindowsUpdate.log.
Troubleshoot update applicability
1. Check if any prerequisites are missing using the KB article for the update. For example, does the update
require the application or OS being patched to a specific service pack level?
2. Confirm that the Unique Update ID of the update in question matches what is deployed. For example, is the
update in question a 32-bit update but is targeted to a 64-bit host?
More information
For more information about how to configure software updates in Configuration Manager, see the following
articles:
Plan for software updates in Configuration Manager
How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster
How to Enable CRL Checking for Software Updates
You can also post a question in our Configuration Manager support forum for security, updates, and compliance
here.
Troubleshoot software update synchronization in
This article helps you diagnose and resolve some common issues with software update synchronization in
We'll begin by asking if the prerequisites for software update synchronization are met. If you met the
prerequisites but still face the issue, we'll take you through a series of steps to resolve your issue.
Verify the Prerequisites

The first step in troubleshooting synchronization issues is to verify that the following prerequisites are met:
Verify that Prerequisites for software updates in Configuration Manager are met.
When you install the software update point on a remote site system server, the WSUS Administration
console must be installed on the site server.
Verify that WSUS running on a software update point isn't configured to be a replica.
To verify it, open the WSUS console on the software update point. Select Options in the console tree
pane, and then select Update Source and Proxy Ser ver in the display pane.
Verify that the Update Ser vices service is running on the WSUS server.
Verify that the Default website or WSUS Administration website is running on the WSUS server.
Check the Update Source settings in WSUS

Check the Update Source settings in the WSUS console on the software update point site system server. These
settings are set automatically by WSUS Configuration Manager (WCM). If these settings don't match, review
WCM.log.
To check the update source settings in WSUS, open the WSUS console on the software update point site system
server. Select Options in the console tree pane, and then select Update Source and Proxy Ser ver in the
display pane.
Verify that the following settings are configured correctly:
Synchronize from Microsoft Update
Generally, this setting should be selected when you're in the WSUS console on the software update point
for the top-level site. Starting with Configuration Manager 2012 SP1, you can specify an existing WSUS
server as the upstream synchronization source location for the top-level site. If you've specified an
existing WSUS server as the upstream source location, then this setting shouldn't be selected.
Synchronize from another Windows Ser ver Update Ser vices ser ver
Generally, this setting should be selected when you're in the WSUS console for:
Software update points for top-level site if an upstream source location is specified instead of
Microsoft Update.
Software update points for a primary site.
Other software update points installed in the primary site.
Internet-based software update points.
Software update points for a secondary site.
Ser ver name : It should be the fully qualified domain name (FQDN) of the upstream update source.
For the first software update point in the primary site, it should be the software update point for the
parent site.
For other software update points in the site, it should be the first software update point on the same
site.
For an Internet-based software update point, it should be the first software update point on the same
site.
Por t number : It should be the port number for the upstream WSUS server. To determine the port
number on the upstream WSUS server, see Determine the port settings used by WSUS and the software
update point.
Use SSL when synchronizing update information : When the software update point is in HTTPS
mode, this setting must be selected. When using Secure Sockets Layer (SSL) for software updates, several
requirements apply. For more information, see Check SSL configuration.
This ser ver is a replica of the upstream ser ver : Never select this setting on the software update
point for the top-level site or the first software update point for the primary site. This setting should be
selected on:
Internet-based software update points
Other software update points for the primary site.
Software update points for a secondary site
Synchronization fails because of authentication and proxy issues

WSUS Configuration Manager configures the WSUS server once every hour. It does so to ensure that the
settings configured in WSUS match the setting specified in the Configuration Manager console.
If WCM fails to configure the WSUS server properly, synchronization attempts can fail with an error similar to
the following screenshot:
You'll also find the following error in the WsyncMgr.log file on the site server (located in \Logs ):
Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details. Source:
CWSyncMgr::DoSync
Sync failed. Will retry in 60 minutes
Synchronization may fail because of authentication or proxy issues. When this issue occurs, you'll see an error
similar to the following error in the WCM.log file:
System.Net.WebException: The request failed with HTTP status 502
The error may not always be HTTP status 502, and may in fact be one of the following errors:
HTTP Status 401 Unauthorized
HTTP Status 403 Forbidden
HTTP Status 407 Proxy Authentication Required
HTTP Status 502 Proxy Error
No connection could be made because the target machine actively refused it
Authentication failed because the remote party has closed the transport stream
To troubleshoot authentication or proxy issues, follow these steps:
1. Verify that the Update Ser vices service is running on the WSUS server.
2. Verify that the Default website or WSUS Administration website is running on the WSUS server.
3. Verify that the fully qualified domain name (FQDN) for the software update point site system server is
correct and accessible from the site server.
4. If the software update point is remote from the site server, verify that you can connect to the WSUS server
from the site server. For more information, see Check connectivity from the site server to the WSUS server.
5. Check the port settings configured for the software update point. Verify that they're the same as the port
settings configured for the website used by WSUS running on the software update point. For more
information, see Determine the port settings used by WSUS and the software update point.
6. Verify that the proxy and account settings are correctly configured for the software update point. For more
information, see Configure proxy setting for the software update point.
7. Verify that the software update point connection account is configured (if necessary). And verify that it has
permissions to connect to the WSUS server. For more information, see Configure the WSUS Server
Connection Account for the software update point.
8. Verify that the permissions on the ApiRemoting30 virtual directory are set correctly in IIS. When WSUS
Synchronization Manager starts synchronization, the computer and Administrator accounts must have
access to the ApiRemoting30 virtual directory under the WSUS website in IIS. To check permissions on the
ApiRemoting30 virtual directory:
a. On the WSUS server, open IIS Manager.
b. Expand Sites , expand the website for the WSUS server, right-click the ApiRemoting30 virtual directory,
and then select Edit Permissions .
9. If the software update point is configured for SSL (HTTPS), verify that WSUS is correctly configured for SSL.
For more information, see Check SSL configuration.
10. Review WSUSCtrl.log for errors. For more information, see WSUS Control Manager reports an error.
Synchronization fails because of web service issues

Synchronization may be failing because of issues with the web service. When this issue occurs, you'll see an
error similar to the following errors in the WCM.log file:
To troubleshoot web service issues, follow these steps:

1. Verify that the Update Ser vices service is running on the WSUS server.
3. Check the port settings configured for the software update point. Verify that they're the same as the port
settings configured for the website used by WSUS running on the software update point. For more
information, see Determine the port settings used by WSUS and the software update point.
4. Review WSUSCtrl.log for errors. For more information, see WSUS Control Manager reports an error.
Synchronization fails because of SSL issues

If you're using SSL, verify the following settings:
Verify that the certificate configured for the WSUS website is configured with the correct FQDN. If the
certificate doesn't have the correct FQDN, see Add a subject alternative name to a secure LDAP certificate.
Verify that the certificate hasn't expired.
Verify that WSUS is correctly configured for SSL. For more information, see Check SSL configuration.
Synchronization fails because of issues with the EULA

Synchronization issues can often be traced back to issues relating to the End User Licensing Agreement (EULA).
To verify whether it's your issue, follow these steps:
1. Review the SoftwareDistribution.log file on the WSUS server to find out why the EULAs aren't getting
downloaded. Look for .txt in the log to find relevant entries.
2. Verify that the firewall is configured to allow communication with Microsoft Update. For more
information, see Connection from the WSUS server to the Internet.
3. Verify the proxy server settings.
4. Run the following command from a Command Prompt to have WSUS download the missing content
again, including EULAs:
%ProgramFiles%\Update Services\Tools\wsusutil.exe reset
Synchronization fails because of errors communicating with Microsoft

Update
When this issue occurs, you usually receive the following errors:
A connection attempt failed because the connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to respond.
0x80072EFE - The connection with the server was terminated abnormally
To troubleshoot this issue, follow these steps:

1. Verify that the WSUS server can connect to the Internet.
2. Verify that the firewall is configured to allow communication with Microsoft Update. For more information,
see Connection from the WSUS server to the Internet.
3. Verify the proxy server settings.
WSUS Control Manager reports an error

Unlike WCM and WSyncMgr, WSUS Control Manager (WSUSCtrl) resides on the software update point (SUP)
itself. If SUP is remote, WSUSCtrl.log will be present on the SUP instead of on the site server. WSUS Control
Manager periodically checks WSUS to make sure WSUS components are healthy. If WSUS components are
unhealthy, WCM and WSyncMgr can't communicate with WSUS. In most cases, errors in WCM.log resemble the
errors in WsyncMgr.log. However, an exception could be when the SUP is remote from the site server. If WSUS
components are healthy, WSUSCtrl.log on the remote SUP doesn't report any errors. However, if the site server
can't connect to the WSUS server remotely, you'll see errors in WCM.log and/or WSyncMgr.log even though
WSUS itself is healthy.
To check whether WSUS is functioning as expected, run the following command on the WSUS server. Then
review the Application log in Event Viewer for errors:
%ProgramFiles%\Update Services\Tools\wsusutil.exe checkhealth
Check connectivity from the site server to the WSUS server

If the WSUS server is remote from the site server, the WSUS Administration console must be installed on the
site server. The console installs the required APIs that are used by Configuration Manager to connect to the
WSUS server. To test whether Configuration Manager can connect to the WSUS server, use the locally installed
WSUS Administration console.
To connect to the remote WSUS server by using the WSUS Administration console, follow these steps:
1. Start the WSUS Administration console.
2. Right-click Update Ser vices in the tree view, and select Connect to Ser ver .
3. Specify the Ser ver Name and Por t Number of the remote WSUS server, and then select Connect . Make
sure that you specify the FQDN of the WSUS server and the correct port number.
WSUS connection failures

For more information, see Troubleshoot WSUS connection failures.
More information
For more information about software update synchronization process, see Software updates synchronization.
You can also post a question in our Configuration Manager support forum for security, updates, and
compliance here.
Troubleshoot software update scan failures in
This article describes how to troubleshoot software update scan failures in Configuration Manager.
Summary
There are several reasons that a software update scan could fail. Most problems involve communication or
firewall issues between the client and the software update point computer. We describe some of the most
common error conditions and their associated resolutions and troubleshooting tips here. For more information
about Windows Update common errors, see Windows Update common errors and mitigation.
When you troubleshoot software update scan failures, focus on the WUAHandler.log and WindowsUpdate.log
files. WUAHandler just reports what the Windows Update Agent reported. So the error in the WUAHandler.log
file would be the same error that was reported by the Windows Update Agent itself. Most information about the
error will likely be found in the WindowsUpdate.log file. For more information about how to read the
WindowsUpdate.log file, see Windows Update log files.
Scan failures due to missing or corrupted components

Errors 0x80245003, 0x80070514, 0x8DDD0018, 0x80246008, 0x80200013, 0x80004015, 0x800A0046,
0x800A01AD, 0x80070424, 0x800B0100, and 0x80248011 are caused by missing or corrupted components.
Several issues can be caused by missing or corrupted files or registry keys, component registrations, and so on.
A good place to start is to run the Windows Update Troubleshooter to detect and fix these issues automatically.
It's also a good idea to make sure that you're running the latest version of the Windows Update Agent.
If running the Windows Update Troubleshooter doesn't fix the problem, reset the Windows Update Agent data
store on the client by following these steps:
1. Stop the Windows Update service by running the following command:
net stop wuauserv
2. Rename the C:\Windows\SoftwareDistribution folder to C:\Windows\SoftwareDistribution.old .

3. Start the Windows Update service by running the following command:
net start wuauserv
4. Start a software update scan cycle.

Scan failures due to proxy-related issues
Errors 0x80244021, 0x8024401B, 0x80240030, and 0x8024402C are caused by proxy-related issues.
Verify the proxy settings on the client, and make sure that they are configured correctly. The Windows Update
Agent uses WinHTTP to scan for available updates. When there's a proxy server between the client and the
WSUS computer, the proxy settings must be configured correctly on the clients to enable them to communicate
with WSUS by using the computer's FQDN.
For proxy issues, WindowsUpdate.log may report errors that resemble the following ones:
0x80244021 or HTTP Error 502 - Bad gateway
0x8024401B or HTTP Error 407 - Proxy Authentication Required
0x80240030 - The format of the proxy list was invalid
0x8024402C - The proxy server or target server name cannot be resolved
In most cases, you can bypass the proxy for local addresses because the WSUS computer is located within the
intranet. But if the client is connected to the Internet, you must make sure that the proxy server is configured to
enable that communication.
To view WinHTTP proxy settings, run one of the following commands:
On Windows XP: proxycfg.exe
On Windows Vista and later versions: netsh winhttp show proxy
Proxy settings that are configured in Internet Explorer are part of the WinINET proxy settings. WinHTTP proxy
settings aren't necessarily the same as the proxy settings that are configured in Internet Explorer. However, if the
proxy settings are set correctly in Internet Explorer, you can import the proxy configuration from Internet
Explorer. To import proxy configuration from Internet Explorer, run one of the following commands:
On Windows XP: proxycfg.exe -u
On Windows Vista and later versions: netsh winhttp import proxy source =ie
For more information, see How the Windows Update client determines which proxy server to use to connect to
the Windows Update website.
Scan failures related to HTTP time-out or authentication

Errors: 0x80072ee2, 0x8024401C, 0x80244023, or 0x80244017 (HTTP Status 401), 0x80244018 (HTTP Status
403)
Verify connectivity with the WSUS computer. During a scan, the Windows Update Agent must communicate with
the ClientWebService and SimpleAuthWebService virtual directories on the WSUS computer to run a scan. If the
client can't communicate with the WSUS computer, the scan fails. This issue can occur for several reasons,
including:
port configuration
proxy configuration
firewall issues
network connectivity
First, find the URL of the WSUS computer by checking the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Try to access the URL to verify connectivity between the client and the WSUS computer. For example, the URL
you use should resemble the following URL:
http://SUPSERVER.CONTOSO.COM:8530/Selfupdate/wuident.cab
Then check whether the client can access the ClientWebService virtual directory. The URL should resemble the
following URL:
http://SUPSERVER.CONTOSO.COM:8530/ClientWebService/wusserverversion.xml
Finally, check whether the client can access the SimpleAuthWebService virtual directory. The URL should resemble
the following URL: http://SUPSERVER.CONTOSO.COM:8530/SimpleAuthWebService/SimpleAuth.asmx
If these tests are successful, review the Internet Information Services (IIS) logs on the WSUS computer to
confirm that the HTTP errors are being returned from WSUS. If the WSUS computer doesn't return the error, the
issue is probably with an intermediate firewall or proxy.
If any of these tests fails, check for name resolution issues on the client. Verify that you can resolve the FQDN of
the WSUS computer.
Also verify the proxy settings on the client to make sure that they are configured correctly. For more
information, see the Scan failures due to proxy-related issues section.
Finally, verify that the WSUS ports can be accessed. WSUS can be configured to use any of the following ports:
80
443
8530
8531
For clients to communicate with the WSUS computer, the appropriate ports must be enabled on any firewall
between the client and the WSUS computer.
Determine the port settings used by WSUS and the software update point
Port settings are configured when the software update point site system role is created. These port settings
must be the same as the port settings that are used by the WSUS website. Otherwise, WSUS Synchronization
Manager won't connect to the WSUS computer that's running on the software update point to request
synchronization. The following procedures show how to verify the port settings that are used by WSUS and the
Determine the WSUS port settings in IIS 6.0
1. On the WSUS server, open Internet Information Services (IIS) Manager.
2. Expand Web Sites , right-click the website for the WSUS server, and then select Proper ties .
3. Select the Web Site tab.
4. The HTTP port setting is displayed in TCP por t , and the HTTPS port setting is displayed in SSL por t .
Determine the WSUS port settings in IIS 7.0 and later versions
1. On the WSUS server, open Internet Information Services (IIS) Manager.
2. Expand Sites , right-click the website for the WSUS server, and then select Edit Bindings .
3. In the Site Bindings dialog box, the HTTP and HTTPS port values are displayed in the Por t column.
Verify and configure ports for the software update point
System Roles , and then select <SiteSystemName> in the right pane.
2. In the bottom pane, right-click Software Update Point and then click Proper ties .
3. On the General tab, specify or verify the WSUS configuration port numbers.
After the ports are verified and configured correctly, you should check port connectivity from the client by
running the following command:
telnet SUPSERVER.CONTOSO.COM <PortNumber>
If the port is inaccessible, telnet returns an error that resembles the following.
Could not open connection to the host, on port <PortNumber>
This error suggests that firewall rules must be configured to enable communication for the WSUS Server ports.
Scan fails with error 0x80072f0c

Error 0x80072f0c translates to A cer tificate is required to complete client authentication . This error
should occur only if the WSUS computer is configured to use SSL. As part of the SSL configuration, WSUS
virtual directories must be configured to use SSL, and they must be set to ignore client certificates. If the WSUS
website or any of the virtual directories that were mentioned previously are configured incorrectly to Accept or
Require client certificates, you receive this error.
Check SSL configuration
When the site is configured in HTTPS only mode, the software update point is automatically configured to use
SSL. When the site is in HTTPS or HTTP mode, you can choose whether to configure the software update point
to use SSL. When the software update point is configured to use SSL, the WSUS computer must also be
explicitly configured to use SSL. Before you configure SSL, you should review the certificate requirements. And
make sure that a server authentication certificate is installed on the software update point server.
Verify that the software update point is configured for SSL
1. On the Configuration Manager console, go to Administration > Site Configuration > Ser vers and Site
System Roles , and then select <SiteSystemName> in the right pane.
2. In the bottom pane, right-click Software Update Point , and then select Proper ties .
3. On the General tab, verify that the following option is enabled:
Require SSL communication to the WSUS Ser ver
Verify that the WSUS computer is configured for SSL
1. Open the WSUS console on the software update point for the site.
2. In the console tree pane, select Options .
3. In the display pane, select Update Source and Proxy Ser ver .
4. Verify that the Use SSL when synchronizing update information option is selected.
Add the server authentication certificate to the WSUS Administration website
1. On the WSUS computer, start Internet Information Services (IIS) Manager.
2. Expand Sites , right-click Default Web Site or the WSUS Administration website if WSUS is configured to
use a custom website, and then select Edit Bindings .
3. Select the HTTPS entry, and then select Edit .
4. In the Edit Site Binding dialog box, select the server authentication certificate, and then select OK .
5. In the Edit Site Binding dialog box, select OK , and then select Close .
6. Exit IIS Manager.
IMPORTANT
Make sure that the FQDN that is specified in the Site System properties matches the FQDN that is specified in the
certificate. If the software update point accepts connections from the intranet only, the Subject Name or Subject
Alternative Name must contain the intranet FQDN. When the software update point accepts client connections from
the Internet only, the certificate must still contain both the Internet FQDN and the intranet FQDN, because WCM and
WSyncMgr still use the intranet FQDN to connect to the software update point. If the software update point accepts
connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN must be specified
by using the ampersand (&) symbol delimiter between the two names.
Verify that SSL is configured on the WSUS computer

For more information, see Configure SSL on the WSUS server.
IMPORTANT
You cannot configure the whole WSUS website to require SSL, because then all traffic to the WSUS site would have to be
encrypted. WSUS encrypts update metadata only. If a computer tries to retrieve update files on the HTTPS port, the
transfer will fail.
Group Policy overrides the correct WSUS configuration information

The Software Updates feature automatically configures a local Group Policy setting for the Configuration
Manager client, so that it's configured to use the software update point source location and port number. Both
the server name and the port number are required for the client to find the software update point.
If an Active Directory Group Policy setting is applied to computers for software update point client installation, it
overrides the local Group Policy setting. Unless the value of the setting that's defined in Group Policy is identical
to the one that's being set by Configuration Manager (server name and port), the Configuration Manager
software update scan will fail on the client. In this case, the WUAHandler.log file shows the following entry:
Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://server
and Policy ENABLED
To fix this issue, the software update point for client installation and software updates must be the same server.
And it must be specified in the Active Directory Group Policy setting by using the correct name format and port
information. For example, if the software update point was using the default website, the software update point
would be http://server1.contoso.com:80 .
Clients can't find the WSUS server location

1. To understand how clients obtain the WSUS server location, see WSUS server location. And review the client
and management point logs.
2. Enable verbose and debug logging on the client and management point.
3. Verify that there are no communication errors in CcmMessaging.log on the client.
4. If the management point returns an empty WSUS location response, there may be a mismatch in the Content
Version of WSUS. It could be a result of failed synchronization. To find the Content Version of the software
update point, in Configuration Manager console, select Monitoring > Software Update Point
Synchronization Status .
5. Review the data in CI_UpdateSources , WSUSServerLocations and Update_SyncStatus tables, verify that the
Update Source Unique ID and Content Version match across these tables.
Compliance results unknown
1. Review the PolicyAgent.log file on the client to verify that the client is receiving policies.
2. Verify that software update synchronization is successful on the software update point. If synchronization
fails, troubleshoot synchronization issues.
3. If the WUAHandler.log file doesn't exist and isn't created after you start a scan cycle, the issue most likely
occurs because of one of the following reasons:
The software update scan policy isn't available
Clients can't find the WSUS server location
4. Verify that there are no communication errors in the CcmMessaging.log file on the client.
5. If the scan is successful, the client should send state messages to the management point to indicate the
update status. To understand how state messages processing works, see state message processing flow.
Other issues
For more information, see Troubleshoot client software update scanning.
Troubleshoot software update deployments in
This article describes how to troubleshoot software update deployments that don't run successfully.
Summary
When you deploy software updates in Configuration Manager, you typically add the updates to a software
update group. Then deploy the software update group to clients. When you create the deployment, the update
policy is sent to client computers. The update content files are downloaded from a distribution point to the local
cache on the client computer. The updates are then available for installation on the client. Normally this process
is completed successfully with little effort. However, issues may sometimes arise that cause update deployment
to fail. We cover the two most common failure scenarios and provide troubleshooting suggestions for each.
When software update deployment fails, the problem generally falls into one of two categories:
Updates fail to download.
You experience unexpected reboots, or updates are installed outside a maintenance window.
Updates fail to download

1. When updates don't get downloaded to the client, first check the CAS.log, ContentTransferManager.log,
and DataTransferService.log files for errors. To learn about how updates are downloaded, see Track the
software update deployment process in Configuration Manager
2. Verify that the client is in the appropriate boundary associated with the boundary group for the
distribution point. For more information about boundary groups, see Configuring boundaries and
boundary groups in Configuration Manager.
3. Check the Software Update Package status and verify that the updates are downloaded and installed on
the distribution points. If the content isn't installed on the distribution point that's associated with the
client's boundary group, check whether fallback for content location must be enabled. For more
information, see What is fallback and what does it mean?.
4. If the client receives the download location but fails to download content, try to download the content
manually by accessing the URL for the content. You can find the URL by reviewing
DataTransferServices.log.

1. Check to see whether the scan failed during the deployment evaluation. For more information about scan
failures, see Troubleshoot software update scan failures in Configuration Manager.
2. Review WUAHandler.log and WindowsUpdate.log to find the errors received during update installation.
3. To rule out an installation issue with the update itself, manually install the update or install it from Microsoft
Update (if possible). See whether the update installation is successful.
4. Most .NET Framework update failures are caused by corrupted .NET Framework installations. In these cases,
try to manually install the update. If the installation process fails, see Fix Windows Update errors.
For more information, see Installation, supersedence, or detection issues with specific updates.
You experience unexpected reboots, or updates are installed outside

a maintenance window
If possible, enable verbose and debug logging if the issue can be reproduced.
1. Review the ServiceWindowManager.log file on the client, and identify the service windows that are
available.
ServiceWindowManager.log contains information about maintenance windows and their start and end
time. This information can be very useful when you troubleshoot issues related to software update
installation on clients.
To find a list of available maintenance windows (service windows) on a client, open
ServiceWindowManager.log, and search for the Refreshing Ser vice Windows string. Immediately
following this line, you'll see a list of the applicable service windows on the computer, as in the following
example:
Refreshing Service Windows..... ServiceWindowManager

Populating instance of ServiceWindow with ID=7cb56688-692f-4fae-b398-0e3ff4413adb,
ScheduleString=02C159C0381A200002C159C0381B200002C159C0381C200002C159C0381D200002C159C0381E2000,
Type=6 ServiceWindowManager
This is a one shot Service Window that has already finished. ServiceWindowManager
Duration for the Service Window is Total days: 0, hours: 00, mins: 00, secs: 00 ServiceWindowManager
Populating instance of ServiceWindow with ID=90a5f436-364c-48c7-8dc7-c5014abcbea8,
ScheduleString=00084AC028592000, Type=6 ServiceWindowManager
StartTime is 02/09/14 00:00:00 ServiceWindowManager
Populating instance of ServiceWindow with ID=45dca355-3249-4845-b8aa-72d0e604548e,
ScheduleString=02C24AC0381C2000, Type=6 ServiceWindowManager
Populating instance of ServiceWindow with ID=87e4759c-2884-45e6-9261-c33ba53f596c,
ScheduleString=02C24AC0381D2000, Type=6 ServiceWindowManager
Populating instance of ServiceWindow with ID={1E957DDD-0A26-434C-952A-586F3E31E319},
ScheduleString=00302B0018192000, Type=1 ServiceWindowManager
Populating instance of ServiceWindow with ID=36da6950-3d1e-4027-be0e-7b16a4daee7e,
ScheduleString=02C24AC0101E2000, Type=6 ServiceWindowManager
Populating instance of ServiceWindow with ID=028bfbc0-7120-4081-a268-0e664a92ac4a,
ScheduleString=00074AC0005F2000, Type=6 ServiceWindowManager
Populating instance of ServiceWindow with ID=49fd80be-ac4b-4877-974d-ecd09958926d,
ScheduleString=02C24AC0381B2000, Type=6 ServiceWindowManager
Populating instance of ServiceWindow with ID=ad27b0ca-8c74-43c7-8200-1f601880bd75,
ScheduleString=02C24AC0381A2000, Type=6 ServiceWindowManager
Generally, service windows with IDs containing all lowercase alpha-numeric characters are non-business
hour (NBH) maintenance windows. They're based on business hours configured in Software Center.
However, service windows with IDs containing all uppercase alpha-numeric characters are maintenance
windows defined for the collection in the Configuration Manager console. In the example, all service
windows are non-business hour windows, except the one with ID 1E957DDD-0A26-434C-952A-
586F3E31E319. This window is a maintenance window defined for the collection that holds the client.
2. Review the UpdatesDeployment.log file. Locate the following line to check whether the deployment was
set to ignore the maintenance window:
Notify reboot with deadline = Sunday, Feb 09, 2014. - 21:30:17, Ignore reboot Window = True, NotifyUI
= True
3. Review the MaintenanceCoordinator.log file. Locate the following line to check whether the deployment
was set to ignore the maintenance window. A value of 1 for swoverride means that the ignore
maintenance window setting is enabled.
RequestPersistence(id=Update download job, persist=1, swoverride=1, swType=4, pendingWFDisable=0,

deadline=1)
4. Review the SCNotify.log file, and look for the following lines to check whether the user clicked the restart
notification to initiate a restart:
ConfirmRestartDialog: User chose to restart/logoff.

(Microsoft.SoftwareCenter.Client.Pages.ConfirmRestartDialog at ButtonRestart_Click)
ConfirmRestartDialog: user is allowed to restart
(Microsoft.SoftwareCenter.Client.Pages.ConfirmRestartDialog at ButtonRestart_Click)
The user is allowed to restart the computer. Initiating restart.
(Microsoft.SoftwareCenter.Client.Data.WmiDataConnector at RestartComputer)
5. View the deployment properties in the Configuration Manager console to check whether the deployment
is set to override maintenance windows. If the deployment isn't set to override maintenance windows, but
the client logs suggest that the deployment did override maintenance windows, review the audit status
messages to check whether the deployment was modified by someone.
To review audit status messages, navigate to Configuration Manager console > Monitoring > System
Status > Status Message Queries . Right-click All Status Messages , click Show Messages , select
the timeframe, and then click OK .
In the Configuration Manager Status Message Viewer window, navigate to View > Filter , and then
filter for Message ID = 30197 . If the deployment was modified, you'll see a status message that
resembles the following one:
Severity Type Site code Date / Time System Component Message ID Description
Information Audit PR1 2/9/2014 11:57:49 PM PR1SITE.CONTOSO.COM Microsoft.ConfigurationManagement.exe
30197 User "DOMAIN\User" modified updates assignment 4 ({BAFB1BDB-7A6C-4DCF-9866-6C22DF92346A}).
PowerShell script to decline superseded updates in
WSUS
If you are using standalone Windows Server Update Services (WSUS) servers or an older version of
Configuration Manager, you can manually decline superseded updates by using the WSUS console. Or you can
run the following PowerShell script. For common questions about WSUS maintenance for Configuration
Manager environments, see the complete guide to WSUS and Configuration Manager SUP maintenance.
# ===============================================
# Script to decline superseded updates in WSUS.
# ===============================================
# We recommend that you run the script together with the -SkipDecline switch to see how many superseded
updates are in WSUS. Also, you should MAKE A BACKUP OF THE SUSDB before you decline the updates.
# Parameters:
# $UpdateServer = Specify WSUS server name.

# $UseSSL = Specify whether WSUS server is configured to use SSL.
# $Port = Specify WSUS server port.
# $SkipDecline = Specify this to do a test run and get a summary of how many superseded updates
we have.
# $DeclineLastLevelOnly = Specify whether to decline all superseded updates or only last level
superseded updates.
# $ExclusionPeriod = Specify the number of days between today and the release date for which the
superseded updates must not be declined. For example, if you want to keep superseded updates that were
published within the last two months, specify a value of 60 (days).
# Supersedence chain could have multiple updates.

# For example, Update1 supersedes Update2. Update2 supersedes Update3. In this scenario, the Last Level in
the supersedence chain is Update3.
# To decline only the last level updates in the supersedence chain, specify the -DeclineLastLevelOnly
switch.
# Usage:
# =======
# To do a test run against WSUS Server without SSL

# Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -Port 8530 -SkipDecline
# To do a test run against WSUS Server using SSL

# Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -UseSSL -Port 8531 -SkipDecline
# To decline all superseded updates on the WSUS Server using SSL

# Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -UseSSL -Port 8531
# To decline only Last Level superseded updates on the WSUS Server using SSL
# Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -UseSSL -Port 8531 -DeclineLastLevelOnly
# To decline all superseded updates on the WSUS Server using SSL but keep superseded updates that were
published within the last two months (60 days)
# Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -UseSSL -Port 8531 -ExclusionPeriod 60
[CmdletBinding()]
Param(
[Parameter(Mandatory=$True,Position=1)]
[string] $UpdateServer,
[Parameter(Mandatory=$False)]
[switch] $UseSSL,
[Parameter(Mandatory=$True, Position=2)]
$Port,
[switch] $SkipDecline,
[switch] $DeclineLastLevelOnly,
[int] $ExclusionPeriod = 0
)
Write-Host ""
if ($SkipDecline -and $DeclineLastLevelOnly) {

Write-Host "Using SkipDecline and DeclineLastLevelOnly switches together is not allowed."
Write-Host ""
return
}
$outPath = Split-Path $script:MyInvocation.MyCommand.Path

$outSupersededList = Join-Path $outPath "SupersededUpdates.csv"
$outSupersededListBackup = Join-Path $outPath "SupersededUpdatesBackup.csv"
"UpdateID, RevisionNumber, Title, KBArticle, SecurityBulletin, LastLevel" | Out-File $outSupersededList
try {
if ($UseSSL) {
Write-Host "Connecting to WSUS server $UpdateServer on Port $Port using SSL... " -NoNewLine
} Else {
Write-Host "Connecting to WSUS server $UpdateServer on Port $Port... " -NoNewLine
}
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($UpdateServer, $UseSSL,
$Port);
}
catch [System.Exception]
{
Write-Host "Failed to connect."
Write-Host "Error:" $_.Exception.Message
Write-Host "Please make sure that WSUS Admin Console is installed on this machine"
Write-Host ""
$wsus = $null
}
if ($wsus -eq $null) { return }
Write-Host "Connected."
$countAllUpdates = 0
$countSupersededAll = 0
$countSupersededLastLevel = 0
$countSupersededExclusionPeriod = 0
$countSupersededLastLevelExclusionPeriod = 0
$countDeclined = 0
Write-Host "Getting a list of all updates... " -NoNewLine
try {
$allUpdates = $wsus.GetUpdates()
}
{
Write-Host "Failed to get updates."
Write-Host "Error:" $_.Exception.Message
Write-Host "If this operation timed out, please decline the superseded updates from the WSUS Console
Write-Host "If this operation timed out, please decline the superseded updates from the WSUS Console
manually."
Write-Host ""
return
}
Write-Host "Done"
Write-Host "Parsing the list of updates... " -NoNewLine

foreach($update in $allUpdates) {
$countAllUpdates++
if ($update.IsDeclined) {
$countDeclined++
}
if (!$update.IsDeclined -and $update.IsSuperseded) {

$countSupersededAll++
if (!$update.HasSupersededUpdates) {
$countSupersededLastLevel++
}
if ($update.CreationDate -lt (get-date).AddDays(-$ExclusionPeriod)) {

$countSupersededExclusionPeriod++
if (!$update.HasSupersededUpdates) {
$countSupersededLastLevelExclusionPeriod++
}
}
"$($update.Id.UpdateId.Guid), $($update.Id.RevisionNumber), $($update.Title),

$($update.KnowledgeBaseArticles), $($update.SecurityBulletins), $($update.HasSupersededUpdates)" | Out-File
$outSupersededList -Append
}
}
Write-Host "Done."
Write-Host "List of superseded updates: $outSupersededList"
Write-Host ""
Write-Host "Summary:"
Write-Host "========"
Write-Host "All Updates =" $countAllUpdates

Write-Host "Any except Declined =" ($countAllUpdates - $countDeclined)
Write-Host "All Superseded Updates =" $countSupersededAll
Write-Host " Superseded Updates (Intermediate) =" ($countSupersededAll - $countSupersededLastLevel)
Write-Host " Superseded Updates (Last Level) =" $countSupersededLastLevel
Write-Host " Superseded Updates (Older than $ExclusionPeriod days) =" $countSupersededExclusionPeriod
Write-Host " Superseded Updates (Last Level Older than $ExclusionPeriod days) ="
$countSupersededLastLevelExclusionPeriod
Write-Host ""
$i = 0
if (!$SkipDecline) {
Write-Host "SkipDecline flag is set to $SkipDecline. Continuing with declining updates"

$updatesDeclined = 0
if ($DeclineLastLevelOnly) {
Write-Host " DeclineLastLevel is set to True. Only declining last level superseded updates."
foreach ($update in $allUpdates) {
if (!$update.IsDeclined -and $update.IsSuperseded -and !$update.HasSupersededUpdates) {

$i++
$percentComplete = "{0:N2}" -f (($updatesDeclined/$countSupersededLastLevelExclusionPeriod)
$percentComplete = "{0:N2}" -f (($updatesDeclined/$countSupersededLastLevelExclusionPeriod)
* 100)
Write-Progress -Activity "Declining Updates" -Status "Declining update
#$i/$countSupersededLastLevelExclusionPeriod - $($update.Id.UpdateId.Guid)" -PercentComplete
$percentComplete -CurrentOperation "$($percentComplete)% complete"
try
{
$update.Decline()
$updatesDeclined++
}
{
Write-Host "Failed to decline update $($update.Id.UpdateId.Guid). Error:"
$_.Exception.Message
}
}
}
}
}
else {
Write-Host " DeclineLastLevel is set to False. Declining all superseded updates."
foreach ($update in $allUpdates) {
if (!$update.IsDeclined -and $update.IsSuperseded) {

$i++
$percentComplete = "{0:N2}" -f (($updatesDeclined/$countSupersededAll) * 100)
Write-Progress -Activity "Declining Updates" -Status "Declining update
#$i/$countSupersededAll - $($update.Id.UpdateId.Guid)" -PercentComplete $percentComplete -CurrentOperation
"$($percentComplete)% complete"
try
{
$update.Decline()
$updatesDeclined++
}
{
Write-Host "Failed to decline update $($update.Id.UpdateId.Guid). Error:"
$_.Exception.Message
}
}
}
}
Write-Host " Declined $updatesDeclined updates."

if ($updatesDeclined -ne 0) {
Copy-Item -Path $outSupersededList -Destination $outSupersededListBackup -Force
Write-Host " Backed up list of superseded updates to $outSupersededListBackup"
}
}
else {
Write-Host "SkipDecline flag is set to $SkipDecline. Skipped declining updates"
}
Write-Host ""
Write-Host "Done"
Write-Host ""
Use WSUS to deploy definition updates to
computers that are running Windows Defender
This article describes how to use Microsoft Windows Server Update Services (WSUS) to deploy definition
updates to computers that are running Microsoft Windows Defender.
Original product version: Windows Server Update Services
Deploy Windows Defender definition updates

To do this, follow these steps:
1. Open the WSUS Administrator console, and then select Options at the bottom of the console tree.
2. Select Products and Classifications and verify that the Windows Defender check box is selected
under the Products tab.
3. Verify that the Definition Updates check box is selected under the Classifications tab, and then select
OK .
4. Optional: approve the updates by using an automatic approval rule. To do this, follow these steps:
a. At the bottom of the console tree, select Options .
b. Select Automatic Approvals .
c. Under step 1, select New Rule..., and then select the When an update is in a specific
classification check box and the When an update is in a specific product check box.
d. Under step 2, select Any classification > Definition Updates , then click OK .
e. Next, select Any product and clear the All Products check box, then scroll down and select
Windows Defender , afterward select OK .
5. At the bottom of the console tree, select Synchronizations .
6. On the action pane on the left, select Synchronize now .
7. At the top of the console tree, select Updates .
8. Approve any Windows Defender updates that WSUS should deploy.
Error 80244007 when a WSUS client scans for
updates
This article helps you fix an issue where you receive the [80244007] SyncUpdates_WithRecover y failed
error when a WSUS client scans for updates.
Original product version: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows
Server 2012
Symptom
You use WSUS to deploy software updates to computers in your organization. When a WSUS client computer
scans for updates on the WSUS server, you see the following error message in the WindowsUpdate.log file on
the client computer:
WS error: <detail><ErrorCode>InvalidParameters</ErrorCode>
<Message>parameters.InstalledNonLeafUpdateIDs</Message><ID>GUID</ID><Method>
http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/SyncUpdates"</Method></detail>"
*FAILED\* [80244007] SyncUpdates_WithRecovery failed
Additionally, the following exception is logged in the SoftwareDistribution.log file on the WSUS server:
ThrowException: actor = http://WSUSServerName:8530/ClientWebService/client.asmxs, ID=GUID,

ErrorCode=InvalidParameters, Message=parameters.InstalledNonLeafUpdateIDs, Client=Client_ID
Cause
This issue occurs when the number of updates to be synchronized exceeds the maximum number of installed
prerequisites that a WSUS client can pass to SyncUpdates .
Resolution
To fix the issue, follow these steps on the WSUS server:
1. Open an elevated Command Prompt window, and then go to the following location:
%programfiles%\Update Services\WebServices\ClientWebService
2. Type the following commands, and press Enter after each command:
takeown /f web.config
icacls web.config /grant administrator:(F)
notepad.exe web.config
3. Locate the following line in web.config:

<add key="maxInstalledPrerequisites" value="400"/>
4. Change the value from 400 to 800 .

5. Save the web.config file.
6. Run IISReset .
Unexpected high network bandwidth consumption
when clients scan for updates from local WSUS
server
This article helps you fix an issue in which unexpectedly high network bandwidth consumption occurs when
clients scan for updates from the local Windows Server Update Services (WSUS) server.
Original product version: Windows 8.1, Windows 10
Symptoms
Microsoft System Center Configuration Manager customers report high network bandwidth usage for
environments that employ WSUS. Some instances of the behavior started on February 13, 2018, and some
started on March 13, 2018.
Affected operating systems are Windows 10 (all builds), and Windows 8.1. Customers report remarkably high-
bandwidth usage on the WSUS TCP port.
Cause
The Microsoft Compatibility Appraiser, which is used for Windows Analytics, is querying Windows Update agent
in such a way that the Appraiser causes the Update Agent to discard part of its cache of update metadata. When
a scan is next run for updates by Configuration Manager or Automatic Updates, or when the user selects Check
for Updates , the metadata for these updates is downloaded from WSUS again.
Resolution
To fix the issue, install the following updates, as applicable.
W IN DO W S VERSIO N W IN DO W S UP DAT E
Windows 10, version 1803 September 20, 2018-KB4458469 (OS Build 17134.319)
Windows 10, version 1703 October 18, 2018-KB4462939 (OS Build 15063.1418)
Windows 8.1 October 18, 2018-KB4462921 (Preview of Monthly Rollup)
Mitigation
Determine whether clients are using an affected version of the Microsoft Compatibility Appraiser. Check the
modified date for the following binaries that are located in C:\Windows\System32 , and verify that they are from
February 2018 or a later date:
CompatTelRunner.exe
Appraiser.dll
The Windows Appraiser is run through the scheduled task in Task Schedulers > Task Scheduler Librar y >
Microsoft > Windows > Application Experience > Microsoft Compatibility Appraiser .
We have issued an update that limits how often the Appraiser runs the Windows Update query that causes this
problem. This should help reduce bandwidth usage, although it may not fully eliminate higher-than-normal
usage.
To receive the change, your clients must be able to access both of the following addresses:
settings-win.data.microsoft.com
adl.windows.com
You can determine whether clients received this update by checking the value for the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser:
LastAttemptedRunDataVersion
The following values indicate that the client has received the update.
O P ERAT IN G SY ST EM VERSIO N C L IEN T UP DAT E VA L UE
Windows 10, version 1709 1704 or 1752
Windows 10, version 1703 1799
Windows 8.1 1799
LastAttemptedRunDataVersion is updated when CompatTelRunner.exe is executed. This generally runs daily as

part of the Microsoft Compatibility Appraiser scheduled task. However, it can be run manually without
arguments:
C:\Windows\System32>CompatTelRunner.exe
NOTE
This value varies between operating systems.
If clients are blocked from reaching these addresses, you have to unblock them.
Newer versions of CompatTelRunner.exe and Appraiser.dll

The following Windows updates use newer versions of CompatTelRunner.exe and Appraiser.dll that implement
less frequent scanning. This avoids the need to unblock the URLs to obtain this update.
July 11, 2018
W IN DO W S VERSIO N W IN DO W S UP DAT E
Windows 10, version 1709 June 21, 2018-KB4284822 (OS Build 16299.522)
Windows 8.1 Compatibility update for keeping Windows up-to-date in

Windows 8.1
General guidance on optimizing WSUS client
performance
This article provides general guidelines for optimizing Microsoft Windows Server Update Services (WSUS)
client performance.
Summary
After deploying a WSUS server, you may experience the following performance issues on clients:
You may experience prolonged high CPU utilization when you scan for updates or when you install updates.
The scans fail.
This article provides general guidelines for optimizing the performance of the clients and for fixing the issue if
the scans ultimately fail. However, keep in mind that a scan is still a CPU-intensive operation. The Svchost.exe
process contains the Automatic Updates service. When you perform a scan, the Svchost.exe process can cause
CPU usage to reach 100 percent for a certain period of time. For example, Microsoft Office updates use
Windows Installer, and when Microsoft Office updates are detected, these updates can contribute to 100 percent
CPU utilization for a short period of time.
Read this article entirety before attempting any procedure contained here.
Run the WSUS Server Cleanup Wizard

Update scan performance can also be affected by the number of updates the client needs to evaluate. The WSUS
Server Cleanup Wizard will help to remove redundant updates and optimize the performance for both the
WSUS server and the clients. To run the WSUS Server Cleanup Wizard, follow the steps below:
1. In the WSUS administration console, select Options > Ser ver Cleanup Wizard .
2. By default, this wizard will remove unneeded content and any computers that have not contacted the server
for 30 days or more. Select all possible options, and then select Next .
3. The wizard will begin the cleanup process and will present a summary of its work when it's finished. Select
Finish to complete the process.
For more information, see Using the Server Cleanup Wizard.
Check custom WSUS admin scripts

If you are using a script to approve updates, be cautious that you don't approve expired and declined updates.
These updates are set to be expired by Microsoft and are never approved for install. Reactivating these updates
may cause update scan failures on the clients.
We recommend avoid using Any for approval state when enumerating updates. Instead, use a combination of
other ApprovedState values. For example, the following PowerShell code will restrict the update search result to
updates that are approved with the latest revision and not approved updates, which are safe to approve:
$updateScope.ApprovedStates =
[Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved -bor
[Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved foreach($update in
$wsus.GetUpdates($updateScope)) { #Approve the update $update.Approve($updateaction,$targetgroup) }
For more details, check following WSUS SDK documentation:

UpdateScope.ApprovedStates Property
ApprovedStates Enumeration
Reset Windows Update components

If the performance issue happens on only a few of clients, you can try resetting the Windows Update component
on these clients and see if the problem is resolved. Refer to the following article for details steps and tools:
Windows Update - additional resources
NOTE
Aggressive mode of the script (or step 4 of the above article) should only be run as the last possible resort. Performing
that step or running the script in Aggressive mode will wipe the datastore on the local computer, completely erasing all of
the user's settings, update history, and local cache. This can prove to be very troublesome especially for a system
administrator, since there is no way to know what updates were previously installed on the machine after wiping the
datastore.
If the client computer is running Windows 7, it's recommended that you run the built-in troubleshooter instead
of following the steps outlined in the above article. This troubleshooter performs steps similar to the above
article, but is non-destructive and might be a bit more effective.
To run this troubleshooter, follow the steps below:
1. Open the Windows Update troubleshooter by selecting the Star t > Control Panel .
2. Select Find and fix problems .
3. Under System and Security , select Fix problems with Windows Update .
If you're prompted for an administrator password or confirmation, type the password or provide confirmation,
then allow the troubleshooter to complete.
The performance of large WSUS deployments will degrade over time if the WSUS database isn't maintained
properly. The T-SQL script in this article can be run by SQL Server administrators to reindex and defragment
WSUS databases. It shouldn't be used on WSUS 2.0 databases.
T-SQL script
This script does basic maintenance tasks on SUSDB:
Identifies indexes that are fragmented, and defragments them. For certain tables, a fill factor is set to improve
insert performance.
Updates potentially out-of-date table statistics.
USE SUSDB;
GO
SET NOCOUNT ON;
-- Rebuild or reorganize indexes based on their fragmentation levels

DECLARE @work_to_do TABLE (
objectid int
, indexid int
, pagedensity float
, fragmentation float
, numrows int
)
DECLARE @objectid int;

DECLARE @indexid int;
DECLARE @schemaname nvarchar(130);
DECLARE @objectname nvarchar(130);
DECLARE @indexname nvarchar(130);
DECLARE @numrows int
DECLARE @density float;
DECLARE @fragmentation float;
DECLARE @command nvarchar(4000);
DECLARE @fillfactorset bit
DECLARE @numpages int
-- Select indexes that need to be defragmented based on the following

-- * Page density is low
-- * External fragmentation is high in relation to index size
PRINT 'Estimating fragmentation: Begin. ' + convert(nvarchar, getdate(), 121)
INSERT @work_to_do
SELECT
f.object_id
, index_id
, avg_page_space_used_in_percent
, avg_fragmentation_in_percent
, record_count
FROM
sys.dm_db_index_physical_stats (DB_ID(), NULL, NULL , NULL, 'SAMPLED') AS f
WHERE
(f.avg_page_space_used_in_percent < 85.0 and f.avg_page_space_used_in_percent/100.0 * page_count <
page_count - 1)
or (f.page_count > 50 and f.avg_fragmentation_in_percent > 15.0)
or (f.page_count > 10 and f.avg_fragmentation_in_percent > 80.0)
PRINT 'Number of indexes to rebuild: ' + cast(@@ROWCOUNT as nvarchar(20))

PRINT 'Number of indexes to rebuild: ' + cast(@@ROWCOUNT as nvarchar(20))
PRINT 'Estimating fragmentation: End. ' + convert(nvarchar, getdate(), 121)
SELECT @numpages = sum(ps.used_page_count)

FROM
@work_to_do AS fi
INNER JOIN sys.indexes AS i ON fi.objectid = i.object_id and fi.indexid = i.index_id
INNER JOIN sys.dm_db_partition_stats AS ps on i.object_id = ps.object_id and i.index_id = ps.index_id
-- Declare the cursor for the list of indexes to be processed.

DECLARE curIndexes CURSOR FOR SELECT * FROM @work_to_do
-- Open the cursor.

OPEN curIndexes
-- Loop through the indexes

WHILE (1=1)
BEGIN
FETCH NEXT FROM curIndexes
INTO @objectid, @indexid, @density, @fragmentation, @numrows;
IF @@FETCH_STATUS < 0 BREAK;
SELECT
@objectname = QUOTENAME(o.name)
, @schemaname = QUOTENAME(s.name)
FROM
sys.objects AS o
INNER JOIN sys.schemas as s ON s.schema_id = o.schema_id
WHERE
o.object_id = @objectid;
SELECT
@indexname = QUOTENAME(name)
, @fillfactorset = CASE fill_factor WHEN 0 THEN 0 ELSE 1 END
FROM
sys.indexes
WHERE
object_id = @objectid AND index_id = @indexid;
IF ((@density BETWEEN 75.0 AND 85.0) AND @fillfactorset = 1) OR (@fragmentation < 30.0)
SET @command = N'ALTER INDEX ' + @indexname + N' ON ' + @schemaname + N'.' + @objectname + N'
REORGANIZE';
ELSE IF @numrows >= 5000 AND @fillfactorset = 0
REBUILD WITH (FILLFACTOR = 90)';
ELSE
REBUILD';
PRINT convert(nvarchar, getdate(), 121) + N' Executing: ' + @command;
EXEC (@command);
PRINT convert(nvarchar, getdate(), 121) + N' Done.';
END
-- Close and deallocate the cursor.

CLOSE curIndexes;
DEALLOCATE curIndexes;
IF EXISTS (SELECT * FROM @work_to_do)

BEGIN
PRINT 'Estimated number of pages in fragmented indexes: ' + cast(@numpages as nvarchar(20))
SELECT @numpages = @numpages - sum(ps.used_page_count)
FROM
@work_to_do AS fi
INNER JOIN sys.indexes AS i ON fi.objectid = i.object_id and fi.indexid = i.index_id
INNER JOIN sys.dm_db_partition_stats AS ps on i.object_id = ps.object_id and i.index_id =
ps.index_id
PRINT 'Estimated number of pages freed: ' + cast(@numpages as nvarchar(20))

PRINT 'Estimated number of pages freed: ' + cast(@numpages as nvarchar(20))
END
GO
--Update all statistics

PRINT 'Updating all statistics.' + convert(nvarchar, getdate(), 121)
EXEC sp_updatestats
PRINT 'Done updating statistics.' + convert(nvarchar, getdate(), 121)
GO
The spDeleteUpdate stored procedure runs slowly
When the spDeleteUpdate stored procedure runs, it may take tens of seconds for it to delete a single update.
When you use spDeleteUpdate to delete hundreds or thousands of updates during Windows Server Update
Services (WSUS) maintenance, it may take days to finish.
Cause
The slow performance occurs because a primary key isn't set on a temporary table that's created by
spDeleteUpdate .
Resolution
To fix the issue, run the following SQL script against the WSUS database (SUSDB) on every affected WSUS
server. This script sets a primary key on the @revisionList temporary table.
USE [SUSDB]
GO
/****** Object: StoredProcedure [dbo].[spDeleteUpdate] Script Date: 11/2/2020 8:55:02 AM ******/

SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[spDeleteUpdate]

@localUpdateID int
AS
SET NOCOUNT ON
BEGIN TRANSACTION
SAVE TRANSACTION DeleteUpdate
DECLARE @retcode INT
DECLARE @revisionID INT
DECLARE @revisionList TABLE(RevisionID INT PRIMARY KEY)
INSERT INTO @revisionList (RevisionID)
SELECT r.RevisionID FROM dbo.tbRevision r
WHERE r.LocalUpdateID = @localUpdateID
IF EXISTS (SELECT b.RevisionID FROM dbo.tbBundleDependency b WHERE b.BundledRevisionID IN (SELECT RevisionID
FROM @revisionList))
OR EXISTS (SELECT p.RevisionID FROM dbo.tbPrerequisiteDependency p WHERE p.PrerequisiteRevisionID IN
(SELECT RevisionID FROM @revisionList))
BEGIN
RAISERROR('spDeleteUpdate got error: cannot delete update as it is still referenced by other update(s)',
16, -1)
ROLLBACK TRANSACTION DeleteUpdate
COMMIT TRANSACTION
RETURN(1)
END
SELECT DISTINCT b.BundledRevisionID FROM dbo.tbBundleDependency b
INNER JOIN dbo.tbRevision r ON r.RevisionID = b.RevisionID
INNER JOIN dbo.tbProperty p ON p.RevisionID = b.BundledRevisionID
WHERE r.LocalUpdateID = @localUpdateID
AND p.ExplicitlyDeployable = 0
IF EXISTS (SELECT IsLocallyPublished FROM dbo.tbUpdate WHERE LocalUpdateID = @localUpdateID AND
IsLocallyPublished = 1)
IsLocallyPublished = 1)
BEGIN
SELECT DISTINCT pd.PrerequisiteRevisionID FROM dbo.tbPrerequisiteDependency pd
INNER JOIN dbo.tbUpdate u ON pd.PrerequisiteLocalUpdateID = u.LocalUpdateID
INNER JOIN dbo.tbProperty p ON pd.PrerequisiteRevisionID = p.RevisionID
WHERE u.IsLocallyPublished = 1 AND p.UpdateType = 'Category'
END
DECLARE #cur CURSOR LOCAL FAST_FORWARD FOR
SELECT t.RevisionID FROM @revisionList t ORDER BY t.RevisionID DESC
OPEN #cur
FETCH #cur INTO @revisionID
WHILE (@@ERROR=0 AND @@FETCH_STATUS=0)
BEGIN
IF EXISTS (SELECT b.RevisionID FROM dbo.tbBundleDependency b WHERE b.BundledRevisionID = @revisionID
AND b.RevisionID NOT IN (SELECT RevisionID FROM @revisionList))
OR EXISTS (SELECT p.RevisionID FROM dbo.tbPrerequisiteDependency p WHERE p.PrerequisiteRevisionID =
@revisionID
AND p.RevisionID NOT IN (SELECT RevisionID FROM @revisionList))
BEGIN
DELETE FROM @revisionList WHERE RevisionID = @revisionID
IF (@@ERROR <> 0)
BEGIN
RAISERROR('Deleting disqualified revision from temp table failed', 16, -1)
GOTO Error
END
END
FETCH NEXT FROM #cur INTO @revisionID
END
IF (@@ERROR <> 0)
BEGIN
RAISERROR('Fetching a cursor to value a revision', 16, -1)
GOTO Error
END
CLOSE #cur
DEALLOCATE #cur
DECLARE #cur CURSOR LOCAL FAST_FORWARD FOR
SELECT t.RevisionID FROM @revisionList t ORDER BY t.RevisionID DESC
OPEN #cur
FETCH #cur INTO @revisionID
WHILE (@@ERROR=0 AND @@FETCH_STATUS=0)
BEGIN
EXEC @retcode = dbo.spDeleteRevision @revisionID
IF @@ERROR <> 0 OR @retcode <> 0
BEGIN
RAISERROR('spDeleteUpdate got error from spDeleteRevision', 16, -1)
GOTO Error
END
FETCH NEXT FROM #cur INTO @revisionID
END
IF (@@ERROR <> 0)
BEGIN
RAISERROR('Fetching a cursor to delete a revision', 16, -1)
GOTO Error
END
CLOSE #cur
DEALLOCATE #cur
COMMIT TRANSACTION
RETURN(0)
Error:
CLOSE #cur
DEALLOCATE #cur
IF (@@TRANCOUNT > 0)
BEGIN
ROLLBACK TRANSACTION DeleteUpdate
COMMIT TRANSACTION
END
RETURN(1)
GO
Troubleshoot issues with WSUS client agents
This article helps you diagnose and resolve issues with the Windows Server Update Services (WSUS) client
agents.
When you experience issues with the WSUS client agents, they can manifest themselves in many ways. Some
common problems are listed here:
It could be an issue with the client settings for Group Policy.
It could be an issue with BITS.
It could be an issue with the WSUS agent service.
It could be related to a network issue that prevents the client from reaching the server.
It could be an issue with the Automatic Update Agent Store.
It could be an issue in which clients have duplicate WSUS client IDs caused by disk cloning.
Verify that the client is configured correctly

When you troubleshoot issues with a WSUS client agent, first make sure the client is properly configured. Make
sure the proper Active Directory Group Policy is being received by the client, and the details of the WSUS server
are present. You can do so by running the following command:
GPRESULT /V > GPRESULT.TXT
Open the text file in Notepad and find the name of your WSUS policy. For example, if your WSUS policy is
named WSUS , you can find it in the GPRESULT.TXT file within the Computer Settings section under the
Applied Group Policy Objects heading. Below is an example:
Applied Group Policy Objects

-----------------------------
Default Domain Policy
WSUS
Local Group Policy
If the WSUS settings aren't present, possible causes include:

The system doesn't have the Group Policy from the domain.
The Group Policy isn't targeted to the client system.
To fix this issue, ensure that the Group Policy is successfully updated on each client, and that the WSUS setting is
properly configured.
To update the Group Policy on the client, run GPUpdate /force from a Command Prompt.
For more information about configuring Group Policy for WSUS clients, see Configure Automatic Updates by
Using Group Policy.
Check for issues relating to BITS

Background Intelligent Transfer Service (BITS) is the service used by WSUS to download updates from Microsoft
Update to the main WSUS server, and from WSUS servers to their clients. Some download issues may be
caused by problems with BITS on the server or client computers. When you troubleshoot download problems,
you should ensure that BITS is running properly on all affected computers.
The BITS service must run under the LocalSystem account by default. To configure the service to run under the
correct account, follow these steps:
1. Open a Command Prompt and run the following command:
sc config bits obj= LocalSystem
A space must occur between obj= and LocalSystem . If successful, you should receive the following
output:
[SC] ChangeServiceConfig SUCCESS
2. Stop and restart BITS.

To view the BITS service status, open a Command Prompt and run the following command:
sc query bits
If BITS is running, you should see the following output:
SERVICE_NAME: bits
TYPE: 20 WIN32_SHARE_PROCESS
STATE: 4 RUNNING
If BITS isn't running, you'll see the following output:
SERVICE_NAME: bits
STATE: 1 STOPPED
Usually it's possible to resolve BITS issues by stopping the service and restarting it. To stop and restart the BITS
service, run the following commands from a Command Prompt:
sc stop bits
sc start bits
NOTE
You must be logged on as a local administrator to stop and restart BITS.
BITS fails to start

If the BITS service fails to start, look in the event log for any BITS-related error. You can use the following table to
diagnose the cause of these errors.
ERRO R N A M E ERRO R C O DE DESC RIP T IO N
ERROR_SERVICE_DOES_NOT_EXIST 0x80070424 See the section on repairing the BITS

configuration below.
ERROR_SERVICE_NOT_IN_EXE 0x8007043B BITS isn't listed as one of the services

in the netsvcs svchost group
ERROR_SERVICE_DISABLED 0x80070422 BITS has been disabled. Enable the

BITS service.
ERROR_SERVICE_DEPENDENCY_DELET 0x80070433, 0x8007042c A service appearing in the BITS service

ED dependency list cannot be started.
ERROR_SERVICE_DEPENDENCY_FAIL Make sure the dependency list for the
BITS service is correct:
Windows Vista: RpcSs, EventSystem
(also http.sys and LanManWorkstation
when peer caching is enabled)
Windows Ser ver 2003: Rpcss,
EventSystem
Windows XP: Rpcss
Windows 2000: Rpcss, SENS, Wmi
ERROR_PATH_NOT_FOUND 0x80070003 Pre-Windows Vista:

%ALLUSERSPROFILE%\Microsoft\Netw
ork doesn't exist
ERROR_FILE_NOT_FOUND 0x80070002 The Parameters key is missing.

Ensure that the following keys and
values exist:
HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ServiceD
= %SystemRoot%\System32\qmgr.dll
REGDB_E_CLASSNOTREG, 0x80040154, 0x80040206 BITS for Windows 2000 is dependent

EVENT_E_INTERNALERROR on SENS and EventSystem services. If
the COM+ catalog is corrupted, BITS
may fail with this error code.
BITS jobs are failing

If the client is properly configured to receive updates, BITS is configured correctly, and BITS appears to start and
run properly, you may be experiencing an issue where BITS jobs themselves are failing. To verify it, look in the
event log for any BITS-related errors. You can use the following table to diagnose the cause of these errors.
E_INVALIDARG 0x80070057 An incorrect proxy server name was

specified in the user's Internet Explorer
proxy settings. This error is also seen
when credentials are supplied for
authentication schemes that aren't
NTLM/Negotiate, but the user name or
password is null. Change the user's
Internet Explorer proxy settings to be a
valid proxy server. Or change the
credentials not to be NULL user
name/password for schemes other
than NTLM/Negotiate.
ERROR_WINHTTP_NAME_NOT_RESOL 0x80072ee7 The server/proxy could not be resolved

VED by BITS. Internet Explorer on the same
machine in the context of the job
owner would see the same problem.
Try downloading the same file via the
web browser using the context of the
job owner.
ERROR_HTTP_INVALID_SERVER_RESPO 0x80072f78 It's a transient error and the job will

NSE continue downloading.
BG_E_INSUFFICIENT_RANGE_SUPPORT 0x80200013 BITS uses range headers in HTTP

requests to request parts of a file. If
the server or proxy server doesn't
understand range requests and
returns the full file instead of the
requested range, BITS puts the job into
the ERROR state with this error.
Capture the network traffic during the
error and examine if HTTP GET
requests with Range header are
getting valid responses. Check proxy
servers to ensure that they are
configured correctly to support Range
requests.
BG_E_MISSING_FILE_SIZE 0x80200011 When BITS sends a HEAD request and

the server/proxy doesn't return
Content-Length header in the
response, BITS puts the job in ERROR
state with this error. Check the proxy
server and WSUS server to ensure that
they are configured correctly. Some
versions of the Apache 2.0 proxy
server are known to exhibit this
behavior.
BG_E_HTTP_ERROR_403 0x80190193 When the server returns HTTP 403

response in any of the requests, BITS
puts the job in ERROR state with this
error code. HTTP 403 corresponds to
Forbidden: Access is denied . Check
access permissions for the account
running the job.
ERROR_NOT_LOGGED_ON 0x800704dd The SENS service isn't receiving user

logon notifications. BITS (version 2.0
and later) depends on logon
notifications from Service Control
Manager, which in turn depends on
the SENS service. Ensure that the SENS
service is started and running
correctly.
Repair a corrupted BITS configuration

To repair corrupted BITS service configuration, you can enter the BITS service configuration manually.
NOTE
This action should only be taken in circumstances where all other troubleshooting attempts have failed. You must be an
administrator to modify the BITS configuration.
To repair a corrupted BITS configuration, follow these steps:

1. Open a Command Prompt.
2. Enter the following commands, press ENTER after you type each command:
sc config bits binpath= "%systemroot%\system32\svchost.exe –k netsvcs"

sc config bits depend= RpcSs EventSystem
sc config bits start= delayed-auto
sc config bits type= interact
sc config bits error= normal
sc config bits obj= LocalSystem
sc privs bits privileges=
SeCreateGlobalPrivilege/SeImpersonatePrivilege/SeTcbPrivilege/SeAssignPrimaryTokenPrivilege/SeIncreat
eQuotaPrivilege
sc sidtype bits type= unrestricted
sc failure bits reset= 86400 actions=restart/60000/restart/120000
3. Stop and restart BITS.
Issues with the WSUS agent service

Make sure that the Windows Update service can start successfully.
To view the current status of the Windows Update service, open a Command Prompt and run the following
command:
sc query wuauserv
If WUAUSERV is running, you should see the following output:
SERVICE_NAME: wuauserv
STATE: 4 RUNNING
If WUAUSERV isn't running, you see the following output:
SERVICE_NAME: wuauserv
STATE: 1 STOPPED
Verify that you can start the WUAUSERV service successfully. You must be logged on as a local administrator to
stop and restart WUAUSERV.
To start the WUAUSERV service, run the following commands from a Command Prompt:
sc start wuauserv
If the client agent fails to start and run properly, check the Windows Update Agent version. If the agent isn't up
to date, update the Windows Update Agent to the latest version.
You can also reset Windows Update components.
After you run the fix or update the agent, run wuauclt /detectnow . Check windowsupdate.log to make sure
there's no issues.
Make sure the WSUS server is reachable from the client

Make sure that you can access the URL http://<WSUSSERVER:port>/iuident.cab and download the file without
errors.
If the WSUS server is unreachable from the client, the most likely causes include:
There's a name resolution issue on the client.
There's a network-related issue, such as a proxy configuration issue.
Use standard troubleshooting procedures to verify name resolution is working on the network. If name
resolution is working, the next step is to check for proxy issues. Check windowsupdate.log (C:\windows) to see if
there are any proxy related errors. You can run the proxycfg command to check the WinHTTP proxy settings.
If there are proxy errors, go to Internet Explorer > Tools > Connections > L AN Settings , configure the correct
proxy, and then make sure you can access the WSUS URL specified.
Once done, you can copy these user proxy settings to the WinHTTP proxy settings by using the proxycfg -u
command. After the proxy settings are specified, run wuauclt /detectnow from a Command Prompt and check
windowsupdate.log for errors.
Rebuild the Automatic Update Agent Store

When there are issues downloading updates and there are errors relating to the software distribution store,
complete the following steps on the client:
Stop the Automatic Updates service by running sc stop wuauserv from a Command Prompt.
Rename the software distribution folder (for example, C:\Windows\SoftwareDistribution).
Restart the Automatic Update service by running sc start wuauserv from a Command Prompt.
From a Command Prompt, run wuauclt /resetauthorization /detectnow .
From a Command Prompt, run wuauclt /reportnow .
Check for clients with the same SUSclient ID

You may experience an issue where only one WSUS client appears in the console. Or you may notice that out of
a group of clients, only one appears in the console at a time but the exact one that does appear may change over
time. This issue can happen when systems are imaged and the clients end up having the same SUSclientID .
For those clients that aren't working properly because of the same SUSclientID , complete the following steps:
Stop the Automatic Updates service by running sc stop wuauserv from a Command Prompt.
Delete the SUSclientID registry key from the following location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate
Restart the Automatic Update service by running sc start wuauserv from a Command Prompt.
From a Command Prompt, run wuauclt /resetauthorization /detectnow .
From a Command Prompt, run wuauclt /reportnow .
How to troubleshoot WSUS connection failures
This article introduces several procedures for troubleshooting Windows Server Update Service (WSUS)
connection failures.
NOTE
Home users : This article is intended only for technical support agents and IT professionals. If you're looking for help with
a problem, ask the Microsoft Community.

Verify the prerequisites

If you are using WSUS 3.0 SP2 on Windows Server 2008 R2, you must have update 4039929 or a later-
version update package installed on the WSUS server.
To verify the server version, follow these steps:
1. Open the WSUS console.
2. Click the server name.
3. Locate the version number under Over view > Connection > Ser ver Version .
4. Check whether the version is 3.2.7600.283 or a later version.
If you are using WSUS on Windows Server 2012 or a later version, you must have one of the following
Security Quality Monthly Rollups or a later-version rollup installed on the WSUS server:
Windows Server 2012 - KB4039873
Windows Server 2012 R2 - KB4039871
Windows Server 2016 - KB4039396
NOTE
If you're using Configuration Manager and the software update point is installed on a remote site system server, the
WSUS Administration Console must be installed on the site server. For WSUS 3.0 SP2, KB 4039929 or a later update must
also be installed on the WSUS Administration console. After you install 4039929 (remotely or locally), a server restart is
required. After the restart, check whether the issue persists.
Troubleshoot connection failures

To troubleshoot connection failures, follow these steps:
1. Verify that the Update Ser vices service and the World Wide Web Publishing Ser vice are running on
the WSUS server.
3. Review the IIS logs for the WSUS Administration website ( c:\inetpub\logfiles ), and check for errors.
Code definitions
The following table defines common error codes. For more information about HTTP status code in IIS, see The
HTTP status code in IIS 7 and later versions.
ID EXP L A N AT IO N
200 Success
206 Continuation: OK
401 Authorization: OK if followed by 200
403 Access failure: Certificate issues or incorrect IIS configuration.
404 Not found: Missing Virtual directory or IIS configuration
500 Service not available
503 Busy: This can be caused by a WSUS application pool

memory issue or just too many client connections. To fix the
issue, increase the WSUS Application Pool Private memory
limit to 4-8 GB. Some environments may require more than
8 GB; adjust this setting as needed. See Configure an
Application Pool to Recycle after Reaching Maximum Used
Memory (IIS 7).
NOTE
Accessing most WSUS URLs in a browser will return a 403 error.
503 errors in IIS may be accompanied by xxxx2ee2 errors in the c:\windows\windowsupdate.log file on clients.
To resolve 503 IIS errors, a client time-out, or a large number of roundtrip errors, see The complete guide to
WSUS and Configuration Manager SUP maintenance.
If a client's IP address doesn't appear in the IIS logs, verify that the client is set to connect to the correct WSUS
server. This situation may also occur because of network blocking or because the server logs a special error.
On the WSUS server, check the C:\windows\system32\logfiles\httperr logs for errors.
On the client, check the following registry subkey to determine whether the correct FQDN of the WSUS
server is set:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
NOTE
For Configuration Manager clients, check the ccm\logs\locationservices.log file for a WSUS entry to verify that the
client is getting the correct server URL. You may have to force the Configuration Manager client to run another scan by
using the Software Updates Scan Cycle from the agent in order for the service to log this entry.
Troubleshoot high CPU usage on a WSUS server
This article introduces several procedures for troubleshooting high CPU usage in Windows Server Update
Service (WSUS).
NOTE
Home users : This article is intended only for technical support agents and IT professionals. If you're looking for help with
a problem, ask the Microsoft Community.

High CPU usage can occur if the WSUS database (SUSDB) is not clean. After the server runs for a while, there
can be too many updates for the WSUS server to provide to the clients.
In this situation, if a failure occurs or a new WSUS server is installed or an unrelated issue prevents clients from
scanning for a few days, all the clients might start scanning and continue to scan constantly and never actually
complete a scan or install updates.
To fix the issue, you have to clean up the WSUS server and decline superseded updates. Follow the steps in the
order below as a monthly cleanup routine. However, if you are troubleshooting high CPU issues, we recommend
that you do step 4 first and then step 3. You should defer steps 1 and 2 until the CPU usage level decreases.
Step 1: Back up the WSUS database

Backing up the WSUS database can improve the performance slightly.
Step 2: Run the WSUS Server Cleanup Wizard

Running the WSUS Server Cleanup Wizard can improve database performance. However, it does not reduce the
number of updates that the clients are scanning. Additionally, it can take many hours or days for the wizard to
run without necessarily resolving the issue.
Step 3: Reindex the WSUS database

Reindexing the WSUS database can improve database performance if it's fragmented. To do this, run the
following commands.
1. Update the statistics by using the FULLSCAN option.
Use <dbname>
Go
Exec sp_msforeachtable 'update statistics ? with fullscan'
Go
2. Rebuild the indexes.

Use <dbname>
Go
Exec sp_msforeachtable 'DBCC DBREINDEX (''?'')'
Go
Step 4: Decline superseded updates

Declining superseded updates immediately reduces the number of updates that are being scanned.
To decline superseded updates or perform any WSUS actions in a situation where the WSUS application pool
recycles too quickly, you can first stop the clients from connecting to the WSUS application pool. To do this,
connect to the WSUS server by using the WSUS console, and then synchronize the WSUS server with the
upstream server and with Configuration Manager (if it is used). If you are using Configuration Manager, it's
important to synchronize to the latest version of the update in the Configuration Manager console so that
clients will see that WSUS has current and valid updates.
To disconnect the clients, use one of the following methods.
Method 1: Create a test application pool
1. Right-click Application pools in the Internet Information Ser vices (IIS) Manager area, and then
select Add Application Pool to create a test application pool.
2. Select Client web ser vice > Manage application > Advanced settings , and then change the
application pool to the test application pool that you created.
Method 2: Change the port for the WSUS website
1. Select WSUS Administration Web Site > Edit Bindings .
2. Change the WSUS console to connect to the new port, run the script, and synchronize with USS.
NOTE
This method will cause syncing with Configuration Manager to fail.
Method 3: Use Firewall rules to block all client IP addresses or allow only USS and site server incoming
connections
After the clients are disconnected from the WSUS server, you can run the PowerShell script by using the
-skipdecline (and -exclusion period, if necessary) parameters to determine the total number of superseded
updates that can be declined. Then, run the script again by using -skipdecline to actually decline the updates.
In extreme cases in which the PowerShell script can't run because of timeouts, you can add the supersedence
column to the WSUS console when all updates are displayed, and then decline the updates manually by
following these steps:
1. Open the Windows Update Services Microsoft Management Console (MMC).
2. Select the All Updates view. To do it, set the display to show the Approval status of Any except Declined
with a status of Any , and then click Refresh .
3. Right-click the column headers, and then select Supersedence .
4. Left-click the Supersedence column to sort by supersedence.
5. Select and decline the superseded updates.
The performance issue can normally be resolved after the valid update is reduced to fewer than 7,000
connections (but fewer than 5,000 is preferred). You might have to restrict connections to the WSUS
administration website for a few days to let the clients complete all scans. We also recommend that you reindex
the database after you decline superseded updates. If you're using Configuration Manager, also perform a sync
between WSUS and Configuration Manager while the clients are not connecting.
After you complete these steps, you should limit connections if the CPU usage is still too high. To do this, follow
these steps:
1. Open Internet Information Ser vices (IIS) Manager > WSUS Administration Web Site >
Manage web site > Advanced settings > Limits > Maximum concurrent connections .
2. Set the value to 50 or 100 .
3. Monitor the W3Wp process in Task Manager and the total CPU on the server.
4. Open Task Manager > Resource Monitor , and note the PID for the WSUS application pool. If you are
unsure which w3wp process is running the WSUS application pool, you can use Appcmd (Method 2) to
identify the PID easily.
By default, the PID should change only one time every 29 hours. If it changes more often, your connection limit
may be too high for the current CPU and memory setting for the WSUS application pool.
Monitor for stable w3wp memory and stable overall CPU use of less than 90 percent. As the steady state CPU
and memory use decrease, you can slowly increase connection limits to the WSUS administration website.
Depending on what kind of situation you are in, the memory usage may take several days to return to a stable
state. Increasing the connection limits might need to occur in small increments and over the course of several
days.
Reference
High CPU/High Memory in WSUS following Update Tuesdays
Troubleshoot WSUS synchronization and import
issues
Applies to: Windows Server Update Services

Starting in July 2020, users have experienced WSUS synchronization and import problems with the Windows
Update (WU) or Microsoft Update (MU) endpoints.
This article describes how to troubleshoot some common problems. You can use some of these troubleshooting
techniques (such as network captures) for many other issues, too.
Endpoints
Currently WSUS uses the following endpoints to synchronize metadata:
https://sws.update.microsoft.com
Most WSUS servers should synchronize with this new endpoint. Starting from July 2020, this endpoint
accepts only Transport Layer Security (TLS) 1.2 connections. And some ciphers were disabled.
https://sws1.update.microsoft.com
This old endpoint will be decommissioned eventually. For more information, see End of synchronization
for WSUS 3.0 SP2. This endpoint supports TLS 1.2, TLS 1.1, and TLS 1.0 connections.
https://fe2.update.microsoft.com
This old endpoint is decommissioned, connections to it will fail.
When you experience WSUS synchronization or manual import problems, first check which endpoint you're
synchronizing with:
1. Open an elevated PowerShell Command Prompt window on the WSUS server.
2. To find the current synchronization endpoint, run the following PowerShell script:
$server = Get-WsusServer
$config = $server.GetConfiguration()
# Check current settings before you change them
$config.MUUrl
Windows Server 2012 and later versions should be configured to use the https://sws.update.microsoft.com
endpoint. If you're still using https://sws1.update.microsoft.com or https://fe2.update.microsoft.com, change to
the new endpoint by following the steps in WSUS synchronization fails with SoapException. If necessary,
troubleshoot connection issues with the https://sws.update.microsoft.com endpoint.
Issue 1: Manual import fails, but synchronization succeeds

Many users import updates into WSUS manually, and some updates must be imported manually. For example,
preview updates that are released in the third and fourth weeks of the month must be manually imported.
Starting at the end of July 2020, you might have found you can't manually import updates.
However, some WSUS servers can still import updates successfully. And the usual synchronization with WU and
MU continues to work.
This issue occurs on WSUS servers that are running Windows Server 2012, Windows Server 2012 R2, Windows
Server 2016, or Windows Server 2019.
Troubleshoot issue 1
1. Run the PowerShell script in Endpoints to determine which endpoints the WSUS servers use. You'll
probably find that working servers are communicating with https://fe2.update.microsoft.com or
https://sws1.update.microsoft.com, and failing servers are communicating with
https://sws.update.microsoft.com.
2. Check the %Program Files%\Update Services\LogFiles\SoftwareDistribution.log file for errors when you
manually import updates. Look for errors that resemble the following example:
ProcessWebServiceProxyException found Exception was WebException. Action: Retry. Exception Details:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a
send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing
connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An
existing connection was forcibly closed by the remote host
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
-- End of inner exception stack trace ---
...
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
The following message in the error indicates that the WSUS server tried to connect with WU/MU by using TLS,
but WU/MU closed the connection:
An existing connection was forcibly closed by the remote host.
The following screenshot shows a network capture of the connection attempt.
In the network capture, frame 874 is the Client Hello packet that uses TLS 1.0. Frame 877 is the server response.
The response includes the ACK (A) and RST (R) flags. Because the https://sws.update.microsoft.com endpoint
supports only TLS 1.2 connections, it denies the connection, and issues a reset response.
Resolution for issue 1
This issue occurs because WSUS import functionality can't use TLS 1.2.
To fix this issue, use one of the following methods:
Configure .NET Framework to use TLS 1.2 by using registry keys.
To set the registry keys, see Configure for strong cryptography. Restart the server after you set the
registry keys.
Create or update the w3wp.exe.config file to enable TLS 1.2.
NOTE
This change will apply to all w3wp.exe instances that are created, regardless of whether they are for WSUS.
W3wp.exe uses TLS 1.2 if the remote side supports this version. If TLS 1.1 and TLS 1.0 are enabled, W3wp.exe
negotiates these protocols if the target site doesn't support TLS 1.2.
If the %SystemRoot%\system32\inetsrv\w3wp.exe.config file doesn't exist, follow these steps:

1. Create a new file that's named W3wp.exe.config in the %SystemRoot%\system32\inetsrv folder.
2. Open the file in a text editor, such as Notepad.
3. Add the following lines to the file, and then save the file:
<?xml version="1.0" encoding="utf-8"?>

<configuration>
<runtime>
<AppContextSwitchOverrides
value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
</runtime>
</configuration>
If the %SystemRoot%\system32\inetsrv\w3wp.exe.config file already exists, follow these steps:

1. Open the file in Notepad, or another text editor.
2. Add the following lines immediately under the <configuration> element, and then save the file:
<runtime>
<AppContextSwitchOverrides
value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
</runtime>
After you create or update the W3wp.exe.config file, open an elevated Command Prompt window, and
then run iisreset to restart all worker processes. Test whether manual import now works.
Issue 2: Manual import fails after you disable TLS 1.1 or TLS 1.0
TLS 1.1 and TLS 1.0 are being phased out because they're considered insecure. After you disable these protocols,
you can no longer import updates. However, synchronization continues to work.
WSUS logs which SSL/TLS versions are enabled when it starts. To determine the SSL/TLS versions, follow these
steps:
1. Restart the WSUS service.
2. Run iisreset at an elevated command prompt to force WSUS to go through the startup sequence.
3. Open the WSUS console, and connect to the server.
4. Open %Program Files%\Update Services\LogFiles\SoftwareDistribution.log , look for entries that start at
SCHANNEL Protocol . You should see entries that resemble the following example:
SCHANNEL Protocol 'TLS 1.0' disabled

SCHANNEL Protocols subkey for 'TLS 1.2' not found. Protocol is enabled
These entries show that TLS 1.1 and TLS 1.0 are disabled, and TLS 1.2 is enabled.
If the import process fails, SoftwareDistribution.log logs the following error entry:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. --
-> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not
possess a common algorithm
In the network capture, frames 1518-1520 show the three-way handshake (SYN, SYN ACK, ACK) between the
client and server. Frame 1536 is an ACK FIN packet from the WSUS server.
WSUS closes the connection, because all protocols it knows how to use for import (SSL3, TLS 1.0, TLS 1.1) are
disabled and it can't use TLS 1.2.
This issue is similar to issue 1, in which WSUS import can't use TLS 1.2. To fix this issue, use Resolution for issue
1.
Issue 3: Synchronization fails on Windows Server 2012 and Windows

Server 2012 R2 WSUS servers that apply only security-only updates
Windows Server 2012 and Windows Server 2012 R2 servicing contain the following update tracks:
A security-only update, which isn't cumulative. It contains only security fixes. For example, June 9, 2020—
KB4561673 (Security-only update).
A Monthly Rollup, which is cumulative. It contains all security fixes from the security-only update, and also
contains non-security fixes. For example, June 9, 2020—KB4561666 (Monthly Rollup).
WSUS on Windows Server 2012 and Windows Server 2012 R2 can't use TLS 1.2 for synchronization unless one
of the following Monthly Rollups or a later Monthly Rollup is installed:
June 27, 2017—KB4022721 (Preview of Monthly Rollup) for Windows Server 2012
June 27, 2017—KB4022720 (Preview of Monthly Rollup) for Windows Server 2012 R2
The change that enables WSUS to use TLS 1.2 is a non-security fix, it's included only in the Monthly Rollups.
Some users opt to install only the security-only updates and never install the Monthly Rollups. Therefore, their
WSUS servers don't have the update that enables TLS 1.2 installed. After the https://sws.update.microsoft.com
endpoint is changed to accept only TLS 1.2 connections, these WSUS servers can no longer synchronize with the
endpoint. This issue also occurs on a freshly installed Windows Server 2012 or Windows Server 2012 R2 WSUS
server that hasn't installed any Monthly Rollups.
If the WSUS server has the correct updates installed, WSUS will log which SSL/TLS versions are enabled when it
starts. Follow these steps on the WSUS server:
1. Restart the WSUS service.
2. Run iisreset from an elevated command prompt to force WSUS to go through the startup sequence.
3. Open the WSUS console, and connect to the server.
4. Open %Program Files%\Update Services\LogFiles\SoftwareDistribution.log , search for entries that start
with SCHANNEL Protocol . You should see entries that resemble the following example:

SCHANNEL Protocols subkey for 'TLS 1.2' not found. Protocol is enabled
If you can't find these entries, it means the update that enables TLS 1.2 isn't installed.
When synchronization fails, SoftwareDistribution.log logs the following error message:
WebServiceCommunicationHelper.ProcessWebServiceProxyException ProcessWebServiceProxyException found

Exception was WebException. Action: Retry. Exception Details: System.Net.WebException: The underlying
connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read
data from the transport connection: An existing connection was forcibly closed by the remote host. --->
System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host at
System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
In the network capture, frame 95 is the Client Hello packet that uses TLS 1.0. Frame 96 is the RST packet from
https://sws.update.microsoft.com. Because the endpoint supports only TLS 1.2 connections, it denies the
connection, and then issues a reset response. The WSUS server will try several times before it gives up.
Therefore, this sequence is repeated.
To fix this issue, install the latest Monthly Rollup for Windows Server 2012 or Windows Server 2012 R2. Also
apply Resolution for issue 1 to prevent the manual import failure.
Issue 4: Synchronization fails after July 2020 if WSUS is integrated

with Configuration Manager
Many WSUS installations are integrated with Microsoft Endpoint Configuration Manager software update points
(SUPs). After July 2020, you may experience synchronization failures if Configuration Manager is configured to
synchronize Surface drivers.
When this issue occurs, entries that resemble the following example are logged in Wsyncmgr.log:
Calling ImportUpdateFromCatalogSite for driver update GUIDs

Generic exception : ImportUpdateFromCatalogSite failed. Arg = 001d4517-c586-4bb1-9e66-ed6ff8e8d34f. Error
=The underlying connection was closed: An unexpected error occurred on a receive.
Generic exception : ImportUpdateFromCatalogSite failed. Arg = 0037641d-bb9b-4530-9568-11e413223106. Error
=The underlying connection was closed: An unexpected error occurred on a receive.
Also, the %Program Files\Update Services\LogFiles\SoftwareDistribution.log file logs the following errors:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. --
-> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not
possess a common algorithm
These errors indicate that the connection was closed. This issue occurs because Configuration Manager uses the
WSUS import functionality. Therefore, it has the same limitations.
To fix this issue, use Resolution for issue 1.
Issue 5: Synchronization fails after July 2020 because of limited

ciphers
You may disable various ciphers to secure TLS connections. Starting from July 2020, your WSUS servers can no
longer synchronize with WU/MU. Also, when https://sws.update.microsoft.com is changed to accept only TLS 1.2
connections, some ciphers are removed.
The %Program Files\Update Services\LogFiles\SoftwareDistribution.log file logs the following errors when
synchronizing:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. --->
System.IO.IOException: Unable to read data from the transport connection: An existing connection was
forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was
forcibly closed by the remote host
However, these entries aren't useful to determine whether you have a cipher problem.
In this situation, use a network capture, or check the applied Group Policy Objects (GPOs). To check the applied
GPOs, run the following command at an elevated command prompt:
gpresult /scope computer /h GPReport.html
Open GPReport.html in a browser.
Search for SSL Cipher Suite Order , and the SSL Cipher Suites setting. Usually this setting isn't configured. If
it's configured, the issue may occur because there's no common cipher with WU/MU.
As of August 2020, https://sws.update.microsoft.com supports the following ciphers:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
NOTE
This list will change over time because ciphers will gradually grow weaker as technology improves.
If the GPO is applied, and it doesn't specify one of these ciphers, communication with WU/MU fails.
The following screenshot shows a network capture.
In the network capture, frame 400 is the Client Hello packet that uses TLS 1.2. The frame detail shows which
ciphers were sent by the client. Frame 404 is the RST packet from https://sws.update.microsoft.com. Because
there's no common cipher, the synchronization fails.
1. Use the output of gpresult to determine the GPO that specifies the SSL Cipher Suite Order, and then
remove the GPO. Or change it to include ciphers that are supported by https://sws.update.microsoft.com.
For Windows Server 2016 and Windows Server 2019, include one of the following ciphers:
For Windows Server 2012 and 2012 R2, include one of the following ciphers:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
2. If the ciphers aren't set by GPO, locate the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
Add one of the required ciphers to the Functions value of the registry key.
3. Restart the WSUS server.
To prevent manual import failures, also apply Resolution for issue 1.
A successful connection
The following screenshots show a successful connection when a Windows Server 2016 WSUS server
synchronizes updates.
In the network capture, frame 191 is the Client Hello packet that uses TLS 1.2. The frame detail shows which
ciphers were sent by the client. Frame 195 is the Server Hello packet from the endpoint. The TLSCipherSuite
that's chosen by WU is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. The server certificate is also sent in the
Server Hello packet.
Additional connection setup occurs in frames 196-203. The data transfer by the application (WSUS) and the
https://sws.update.microsoft.com endpoint then begins in frame 207.
A note about proxy servers

If you use a proxy server, the network capture will look different. The WSUS server connects to the proxy, and
you may see a CONNECT request with the destination https://sws.update.microsoft.com,
https://sws1.update.microsoft.com, or https://fe2.update.microsoft.com. WSUS will issue a Client Hello packet
with the ciphers it supports. If the connection isn't successful because of wrong TLS version, or if there is no
common cipher, you may or may not see an RST packet. Proxies tend to return an FIN to the client to indicate the
end of the connection. But this might not be true for every proxy server. Some proxy servers send an RST
packet, or something else.
When you use a proxy, you have to know the IP address of the internal interface of the proxy server, because
WSUS isn't communicating directly with the WU endpoints. If you can't get the IP address of the proxy server,
search the network capture for CONNECT requests, and search for the URL of the Windows Update endpoint.
References
WSUS Synchronization fails with SoapException
How to enable TLS 1.2 on the site servers and remote site systems
TLS registry settings
[SDP3][721e15b6-76f5-43d0-a435-191d3474a359]
Windows Server Update Services and Windows
Update Agent diagnostics
This diagnostic package is designed to collect information used to troubleshoot most Windows Update issues.
Custom uploads
Compressed copy of file specified by user {ComputerName}_filename.zip
General information
Summary of information gathered about the operating {ComputerName}__OS_Summary.txt

system
List of running tasks {ComputerName}_OS_TaskList.txt
Basic system information including machine name, service resultreport.xml

pack, computer model, and processor name and speed
Environment variables {ComputerName}_OS_EnvironmentVariables.txt
Event logs for last 14 days (Application, System, and {ComputerName}_OS_EventLogs.zip

Security)
List of installed certificates (Computer and User stores) {ComputerName}_OS_Certificates.txt
List of installed services {ComputerName}_OS_Services.txt
List of installed updates and hotfixes installed {ComputerName}_Hotfixes.*
List of user rights (privileges) using showpriv.exe tool {ComputerName}_UserRights.txt
Reboot pending flag from Windows Update, CBS, ConfigMgr {ComputerName}_OS_RebootPending.txt

Client, and so on
Resultant set of Group Policies {ComputerName}_OS_GPResult.*

System information {ComputerName}_OS_MSInfo.nfo
SystemInfo output {ComputerName}_OS_SysInfo.txt
WMI quota configuration and loaded providers. {ComputerName}_OS_WMIProviderConfig.txt
IIS information
IIS configuration information {ComputerName}_IISConfiguration.zip
IIS logs (last 5 days) {ComputerName}_Logs_IIS.zip
Virtual directory list and configuration {ComputerName}_IIS_VDirInfo.txt
Networking basic information

Summary of networking information collected {ComputerName}__NET_Summary.txt
Active BITS jobs {ComputerName}_OS_BITSTransfers.txt
Basic SMB configuration information, such as output of {ComputerName}_OS_SMB-Info.txt

net.exe subcommands, such as net share , net sessions
, net use , net accounts , net config
Basic TCP/IP and networking configuration information, such {ComputerName}_OS_TCPIP-Info.txt

as TCP/IP registry key and outputs from ipconfig ,
netstat , nbtstat , and netsh commands
Enabled Windows Firewall rules {ComputerName}_OS_EnabledFirewallRules.txt
Proxy configuration {ComputerName}_OS_ProxyInfo.txt
Registry keys
HKEY_CURRENT_USER\Software\Policies {ComputerName}_RegistryKey_HKCUPolicies.txt
HKEY_LOCAL_MACHINE\Software\Microsoft\CCM {ComputerName}_RegistryKey_CCM.txt
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE {ComputerName}_RegistryKey_DCOM.txt
HKEY_LOCAL_MACHINE\Software\Microsoft\SMS {ComputerName}_RegistryKey_SMS.txt
HKEY_LOCAL_MACHINE\Software\Microsoft\Update {ComputerName}_RegistryKey_WSUS.txt
Services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cu {ComputerName}_RegistryKey_Uninstall.txt
rrentVersion\Uninstall
HKEY_LOCAL_MACHINE\Software\Policies {ComputerName}_RegistryKey_HKLMPolicies.txt
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services {ComputerName}_RegistryKey_Services.txt
Robust Office inventory scan output

File containing a list of all installed applications of the {ComputerName}_ROIScan.log

supported Office families.
File containing a list of all installed applications of the {ComputerName}_ROIScan.zip

supported Office families.
Server manager and server roles information

List of roles and features installed on server media (Windows resultreport.xml

Server 2008 R2 and later versions)
Windows Update Agent information

Windows Update Agent version, service security descriptors, {ComputerName}__WUA_Summary.txt

and registry settings.
File list in SoftwareDistribution directory {ComputerName}_WUA_FileList.txt
File version of Windows Update Agent related EXE/DLL files {ComputerName}_WUA_FileVersions.txt
WSUS database information

Database version and security information {ComputerName}_SQL_Basic.txt
Dead deployments {ComputerName}_SQL_DeadDeployments.txt
Output of tbConfiguration tables {ComputerName}_SQL_SUSDBConfig.txt
Output of tbSchema tables {ComputerName}_SQL_SUSDBSchema.txt
WSUS server information

Summary of WSUS server information collected. {ComputerName}__WSUS_Summary.txt
File list of WSUS content directory (only collected with WSUS {ComputerName}_WSUS_FileList_ContentDir.txt
diagnostics)
File list of WSUS installation directory (only collected with {ComputerName}_WSUS_FileList_InstallDir.txt

WSUS Diagnostics)
File versions of EXE/DLL files in WSUS installation directory {ComputerName}_WSUS_FileVersions.txt

(only collected with WSUS diagnostics)
List of approved updates (Not collected for WSUS 4.0) {ComputerName}_WSUS_ApprovedUpdates.xml
WSUS basic information {ComputerName}_WSUS_BasicInfo.txt
WSUS logs {ComputerName}_Logs_WSUS.zip
WSUS setup logs (if available) {ComputerName}_Logs_WSUSSetup.zip
References
Information about Microsoft Automated Troubleshooting Services and Support Diagnostic Platform
Windows Server Update Services best practices
This article provides tips for avoiding configurations that experience poor performance because of design or
configuration limitations in WSUS.
Original product version: Configuration Manager (current branch), Windows Server Update Services
Capacity limits
Although WSUS can support 100,000 clients per server (150,000 clients when you use Configuration Manager),
we don't recommend approaching this limit.
Instead, consider using a configuration of 2-4 servers sharing the same SQL Server database. This way you have
safety in numbers. If one server goes down, it won't immediately spoil your weekend because no client can
update while you must be updated against the latest zero-day exploit.
The shared database scenario also prevents a scan storm.
A scan storm can occur when many clients change WSUS servers and the servers don't share a database. WSUS
tracks activity in the database, so that both know what has changed since a client last scanned and will only send
metadata that's updated since then.
If clients change to a different WSUS server that uses a different database, they must do a full scan. A full scan
can cause large metadata transfers. Transfers of greater than 1 GB per client may occur in these scenarios,
especially if the WSUS server isn't maintained correctly. It can generate enough load to cause errors when
clients communicate with a WSUS instance. And clients retry repeatedly in this case.
Sharing a database means when a client switches to another WSUS instance that uses the same DB, the scan
penalty isn't incurred. The load increases aren't the large penalty you pay for switching databases.
Configuration Manager client scans put more demand on WSUS than the stand-alone Automatic Updates.
Configuration Manager, because it includes compliance checking, requests scans with criteria that will return all
updates that are in any status except declined.
When the Automatic Updates Agent scans, or you select Check for Updates in Control Panel, the agent sends
criteria to retrieve only those updates Approved for Install. The metadata returned will usually be less than when
the scan is initiated by Configuration Manager. The Update Agent does cache the data, and the next scan
requests will return the data from the client cache.
Disable recycling and configure memory limits

WSUS implements an internal cache that retrieves the update metadata from the database. This operation is
expensive and very memory intensive. It can cause the IIS application pool that hosts WSUS (known as
WSUSPool) to recycle when WSUSPool overruns the default private and virtual memory limits.
When the pool recycles, the cache is removed and must be rebuilt. It isn't a large problem when clients are
undergoing delta scans. But if you end up in a scan storm scenario, the pool will recycle constantly. And clients
will receive errors when you make scan requests, such as HTTP 503 errors.
We recommend that you increase the default Queue Length , and disable both the Virtual and Private Memory
Limit by setting them to 0 . IIS implements an automatic recycling of the application pool every 29 hours, Ping,
and Idle Time-outs, all which should be disabled. These settings are found in IIS Manager > Application
Pools > choose WsusPool and then click the Advanced Settings link in the right side pane of IIS manager.
Here's a summary of recommended changes, and a related screenshot. For more information, see Plan for
software updates in Configuration Manager.
SET T IN G N A M E VA L UE
Queue Length 2000 (up from default of 1000)
Idle Time-out (minutes) 0 (down from the default of 20)
Ping Enabled False (from default of True)
Private Memory Limit (KB) 0 (unlimited, up from the default of 1,843,200 KB)
Regular Time Interval (minutes) 0 (to prevent a recycle, and modified from the default of
1740)
In an environment that has around 17,000 updates cached, more than 24 GB of memory may be needed as the
cache is built until it stabilizes (at around 14 GB).
Check whether compression is enabled (if you want to conserve

bandwidth)
WSUS uses a compression type calls Xpress encoding. It implements compression on update metadata, and can
result in significant bandwidth savings.
Xpress encoding is enabled in IIS ApplicationHost.config with this line under the <httpCompression> element and
a registry setting:
ApplicationHost.Config
<scheme name="xpress" doStaticCompression="false" doDynamicCompression="true"

dll="C:\Program Files\Update Services\WebServices\suscomp.dll" staticCompressionLevel="10"
dynamicCompressionLevel="0" />
Registr y key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\IIsDynamicCompression
If both aren't present, it can be enabled by running this command and then restarting the WsusPool application
pool in IIS.
cscript "%programfiles%\update services\setup\DynamicCompression.vbs" /enable "%programfiles%\Update

Services\WebServices\suscomp.dll"
Xpress encoding will add some CPU overhead, and can be disabled if bandwidth isn't a concern, but CPU usage
is. The following command will turn it off.
cscript "%programfiles%\update services\setup\DynamicCompression.vbs" /disable
Configure products and categories

When you configure WSUS, choose only the products and categories that you plan to deploy. You can always
synchronize categories and products that you must have later. Adding them when you don't plan to deploy them
increases metadata size and overhead on the WSUS servers.
Disable Itanium updates and other unnecessary updates

It shouldn't be an issue for much longer, because Windows Server 2008 R2 was the last version to support
Itanium. But it bears mentioning.
Customize and use this script in your environment to decline Itanium architecture updates. The script can also
decline updates that contain Preview or Beta in the update title.
It leads to the WSUS console being more responsive, but doesn't affect the client scan.
Decline superseded updates and run maintenance

One of the most important things that you can do to help WSUS run better. Keeping updates around that are
superseded longer than needed (for example, after you're no longer deploying them) is the leading cause of
WSUS performance problems. It's ok to keep them around if you're still deploying them. Remove them after
you're done with them.
For information about declining superseded updates and other WSUS maintenance items, see the Complete
guide to Microsoft WSUS and Configuration Manager SUP maintenance article.
WSUS with SSL setup

By default, WSUS isn't configured to use SSL for client communication. The first post-install step should be to
configured SSL on WSUS to make sure security between server-client communications.
You must take one the following actions:
Create a self-signed certificate. It isn't ideal because every client would have to trust this certificate.
Obtain one from a third-party certificate provider.
Obtain one from your internal certificate infrastructure.
Your certificate must have the short server name, FQDN, and SAN names (aliases) that it goes by.
After you have the certificate installed, upgrade the Group Policy (or Client Configuration settings for software
updates in Configuration Manager) to use the address and SSL port of the WSUS server. The port is typically
8531 or 443.
For example, configure GPO Specify intranet Microsoft update ser vice location to <
https://wsus.contoso.com:8531 >.
To get started, see Secure WSUS with the Secure Sockets Layer Protocol.
Configure Antivirus Exclusions

Antivirus scans
Microsoft Anti-Virus Exclusion List
About Cumulative Updates and Monthly Rollups

You may see the terms Monthly Rollups and Cumulative Update used for Windows OS updates. They may
be used interchangeably. Rollups refer to the updates published for Windows 7, Windows 8.1, Windows Server
2008 R2, and Windows Server 2012 R2 that are only partly cumulative.
For more information, see the following blog posts:
Simplified servicing for Windows 7 and Windows 8.1: the latest improvements
More on Windows 7 and Windows 8.1 servicing changes
With Windows 10 and Windows Server 2016, the updates were cumulative from the beginning:
Windows 10 update servicing cadence
Cumulative means that: you install the release version of the OS, and only have to apply the latest Cumulative
Update to be fully patched. For the older operating systems, we don't have such updates yet, although it's the
direction we're heading in.
For Windows 7 and Windows 8.1, it means that after you install the latest monthly rollup, more updates will still
be needed. Here's an example for Windows 7 and Windows Server 2008 R2 on what it takes to have an almost
fully patched system.
The following table contains the list of Windows Monthly Rollups and Cumulative Updates. You can also find
them by searching for Windows <version> update Histor y .
W IN DO W S VERSIO N UP DAT E
Windows 7 SP1 and Windows Server 2008 R2 SP1 Windows 7 SP1 and Windows Server 2008 R2 SP1 update
history
Windows 8.1 and Windows Server 2012 R2 Windows 8.1 and Windows Server 2012 R2 update history
Windows 10 and Windows Server 2016 Windows 10 and Windows Server update history
Windows Server 2019 Windows 10 and Windows Server 2019 update history
Another point to consider is that not all updates are published so that they sync automatically to WSUS. For
example, C and D week Cumulative Updates are preview updates and won't synchronize to WSUS, but must be
manually imported instead. See the Monthly quality updates section of Windows 10 update servicing
cadence.
Using PowerShell to connect to a WSUS server
Here's just a code example to get you started with PowerShell and the WSUS API. It can be executed where the
WSUS Administration Console is installed.
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$WSUSServer = 'WSUS'
# This is your WSUS Server Name
$Port = 8530
# This is 8531 when SSL is enabled
$UseSSL = $False
#This is $True when SSL is enabled
Try
{
$Wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WSUSServer,$UseSSL,$Port)
}
Catch
{
Write-Warning "$($WSUSServer)<$($Port)>: $($_)"
Break
}
References
SUS Blog
WSUS Product Team Blog
The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance
How does Windows Update work?
Introduction to WSUS and PowerShell
Use PowerShell to Perform Basic Administrative Tasks on WSUS
Approve or Decline WSUS Updates by Using PowerShell
Use PowerShell to Find Missing Updates on WSUS Client Computers
Get Windows Update Status Information by Using PowerShell
Introduction to PoshWSUS, a Free PowerShell Module to Manage WSUS
Use the Free PoshWSUS PowerShell Module for WSUS Administrative Work
Download resources and applications for Windows, SharePoint, Office, and other products
PowerShell UI used for auditing and installing updates from WSUS to local and remote systems
PowerShell module to manage Windows Server Update Services (WSUS)
WSUS client computers restart automatically
without any notification when updates are installed
on the client computers
This article provides a solution to an issue in which Windows Server Update Services (WSUS) client computers
restart automatically without any notification when updates are installed on the client computers.
Symptoms
You use a Microsoft Windows Server Update Services server to deploy updates on WSUS client computers.
A time deadline is set on the WSUS server for the updates to be installed on the WSUS client computers.
The updates are installed on the WSUS client computers when the time deadline expires that is set on the
WSUS server.
In this scenario, the WSUS client computers restart automatically without any notification even though the
WSUS client computers are configured not to restart automatically without a notification.
Cause
This issue occurs because the updates that are deployed on the WSUS client computers require that Windows
Installer 3.1 is present on the WSUS client computers.
If Windows Installer 3.1 is not present on the WSUS client computers, Windows Installer 3.1 is downloaded from
the WSUS server and installed on the WSUS client computers, regardless of the WSUS server approval status.
Installation of Windows Installer 3.1 on the WSUS client computers causes the WSUS client computers to restart
because a restart is required for Windows Installer 3.1 to function correctly.
Resolution
WARNING
Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method.
Make sure that you back up the registry before you modify it. These problems might require that you reinstall the
operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To resolve this issue, follow these steps on the WSUS client computers:
1. Select Star t , select Run , type regedit , and then select OK .
2. Locate and then select the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
3. In the details pane, right-click NoAutoRebootWithLoggedOnUsers , and then select Modify .

4. Type 1 in the Value data box, and then select OK .
5. Exit Registry Editor.
6. Restart the WSUS client computers.
A WSUS client takes longer than expected to finish
an update scan
This article helps you fix an issue where a Microsoft Windows Server Update Services (WSUS) client computer
takes longer than expected to finish a scan to determine whether an update applies to the client computer.
Symptoms
A WSUS client computer is connected to a WSUS or Configuration Manager Software Update Services (SUP)
server.
The WSUS client computer runs a scan to determine whether an update applies to the client computer.
In this scenario, the WSUS client computer takes longer than expected to finish the scan. For example, the scan
may take hours or days to finish. Additionally, you experience the following problems on the WSUS client
computer:
Task Manager indicates high CPU usage for the Svchost.exe process.
You cannot stop the Svchost.exe process.
Cause
This problem occurs if you don't decline expired definition updates or expired malicious software (also known as
malware) updates on the WSUS or SUP server.
Resolution
To resolve this problem, set the option to approve update revisions on the WSUS or SUP server automatically.
Also, set the option to decline expired updates on the server.
1. In the WSUS administration console, click Options , and then click Automatic Approvals .
2. On the Advanced tab, make sure that both Automatically approve new revisions of approved
updates and Automatically decline updates when a new revision causes them to expire are
selected.
3. Click OK .
More information
By default, the Automatically approve new revisions of approved updates and Automatically decline
updates when a new revision causes them to expire options are selected. If you decide not to approve the
update revisions automatically, the WSUS server will use the older update revision. In this case, you must
manually approve the update revision.
NOTE
A revision is an update version that has changed. For example, the update version may have expired or the update
version may have applicability rules that have updated.
The default settings for the Automatically approve new revisions of approved updates and
Automatically decline updates when a new revision causes them to expire options let you maintain
good performance on the WSUS network. If you don't want expired updates to be automatically declined, you
can manually decline them. However, make sure that you do this periodically.
It's recommended that you run the server clean-up wizard regularly. For more information, see General
guidance on optimizing WSUS client performance.
Troubleshoot stuck client computers

To resolve an issue in which a client computer stops responding during an update scan, follow these steps:
1. On the affected client computer, set the startup type for the Automatic Updates service (Wuauserv) to
Disabled .
2. Restart the computer.
3. Delete the %Windir%\SoftwareDistribution folder.
4. Set the startup type for the Automatic Updates service to Automatic , and then start the Automatic
Updates service.
The Windows Server Update Services console
crashes when browsing for updates
This article helps you fix an issue where the Windows Server Update Services (WSUS) console crashes because
of the corrupted application cache.
Symptoms
The WSUS console crashes when browsing for updates and displays the following error message:
An unexpected error occurred.

click reset server node to try to connect to the server again
Event Type: Error

Event Source: Windows Server Update Services
Event Category: None
Event ID: 7053
Date:
Time:
User: N/A
Computer:
Description: The WSUS administration console has encountered an unexpected error. This may be a transient
error; try restarting the administration console.
Cause
This can occur if the application cache is corrupted.
Resolution
To resolve this issue, delete the WSUS application cache from the location below:
C:\Documents and Settings\<user profile>\application data\microsoft\mmc
where <user profile> is the currently logged in user profile.

The complete guide to WSUS and Configuration
Manager SUP maintenance
This article addresses some common questions about WSUS maintenance for Configuration Manager
environments.
Original product version: Windows Servers, Windows Server Update Services, Configuration Manager
Introduction
Questions are often along the lines of How should I properly run this maintenance in a Configuration
Manager environment , or How often should I run this maintenance . It's not uncommon for
conscientious Configuration Manager administrators to be unaware that WSUS maintenance should be run at
all. Most of us just set up WSUS servers because it's a prerequisite for a software update point (SUP). Once the
SUP is set up, we close the WSUS console and pretend it doesn't exist. Unfortunately, it can be problematic for
Configuration Manager clients, and the overall performance of the WSUS/SUP server.
With the understanding that this maintenance needs to be done, you're wondering what maintenance you need
to do and how often you need to be doing it. The answer is that you should perform monthly maintenance.
Maintenance is easy and doesn't take long for WSUS servers that have been well maintained from the start.
However, if it has been some time since WSUS maintenance was done, the cleanup may be more difficult or time
consuming the first time. It will be much easier or faster in subsequent months.
Maintain WSUS while supporting Configuration Manager current

branch version 1906 and later versions
If you are using Configuration Manager current branch version 1906 or later versions, we recommend that you
enable the WSUS Maintenance options in the software update point configuration at the top-level site to
automate the cleanup procedures after each synchronization. It would effectively handle all cleanup operations
described in this article, except backup and reindexing of WSUS database. You should still automate backup of
WSUS database along with reindexing of the WSUS database on a schedule.
For more information about software update maintenance in Configuration Manager, see Software updates
maintenance.
Important considerations
NOTE
If you are utilizing the maintenance features that have been added in Configuration Manager, version 1906, you don't
need to consider these items since Configuration Manager handles the cleanup after each synchronization.
1. Before you start the maintenance process, read all of the information and instructions in this article.
2. When using WSUS along with downstream servers, WSUS servers are added from the top down, but
should be removed from the bottom up. When syncing or adding updates, they go to the upstream
WSUS server first, then replicate down to the downstream servers. When performing a cleanup and
removing items from WSUS servers, you should start at the bottom of the hierarchy.
3. WSUS maintenance can be performed simultaneously on multiple servers in the same tier. When doing
so, ensure that one tier is done before moving onto the next one. The cleanup and reindex steps
described below should be run on all WSUS servers, regardless of whether they are a replica WSUS
server or not. For more information about determining if a WSUS server is a replica, see Decline
superseded updates.
4. Ensure that SUPs don't sync during the maintenance process, as it may cause a loss of some work already
done. Check the SUP sync schedule and temporarily set it to manual during this process.
5. If you have multiple SUPs of the primary site or central administration sit (CAS) which don't share the
SUSDB, consider the WSUS server that syncs with the first SUP on the site as residing in a tier below the
site. For example, my CAS site has two SUPs:
The one named New syncs with Microsoft Update, it would be my top tier (Tier1).
The server named 2012 syncs with New , and it would be considered in the second tier. It can be
cleaned up at the same time I would do all my other Tier2 servers, such as my primary site's single
SUP.
Perform WSUS maintenance

The basic steps necessary for proper WSUS maintenance include:
1. Back up the WSUS database
2. Create custom indexes
3. Reindex the WSUS database
4. Decline superseded updates
5. Run the WSUS Server Cleanup Wizard
Back up the WSUS database
Back up the WSUS database (SUSDB) by using the desired method. For more information, see Create a Full
Database Backup.
Create custom indexes
This process is optional but recommended, it greatly improves performance during subsequent cleanup
operations.
If you are using Configuration Manager current branch version 1906 or a later version, we recommend that you
use Configuration Manager to create the indexes. To create the indexes, configure the Add non-clustered
indexes to the WSUS database option in the software update point configuration for the top-most site.
If you use an older version of Configuration Manager or standalone WSUS servers, follow these steps to create
custom indexes in the SUSDB database. For each SUSDB, it's a one-time process.
1. Make sure that you have a backup of the SUSDB database.
2. Use SQL Management Studio to connect to the SUSDB database, in the same manner as described in the
Reindex the WSUS database section.
3. Run the following script against SUSDB, to create two custom indexes:
-- Create custom index in tbLocalizedPropertyForRevision
USE [SUSDB]
CREATE NONCLUSTERED INDEX [nclLocalizedPropertyID] ON [dbo].[tbLocalizedPropertyForRevision]

(
[LocalizedPropertyID] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, SORT_IN_TEMPDB = OFF, DROP_EXISTING = OFF,
ONLINE = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
-- Create custom index in tbRevisionSupersedesUpdate

CREATE NONCLUSTERED INDEX [nclSupercededUpdateID] ON [dbo].[tbRevisionSupersedesUpdate]
(
[SupersededUpdateID] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, SORT_IN_TEMPDB = OFF, DROP_EXISTING = OFF,
ONLINE = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
If custom indexes have been previously created, running the script again results in an error similar to the
following one:
Msg 1913, Level 16, State 1, Line 4

The operation failed because an index or statistics with name 'nclLocalizedPropertyID' already exists
on table 'dbo.tbLocalizedPropertyForRevision'.

To reindex the WSUS database (SUSDB), use the Reindex the WSUS Database T-SQL script.
The steps to connect to SUSDB and perform the reindex differ, depending on whether SUSDB is running in SQL
Server or Windows Internal Database (WID). To determine where SUSDB is running, check value of the
SQLServerName registry entry on the WSUS server located at the
HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup subkey.
If the value contains just the server name or server\instance, SUSDB is running on a SQL Server. If the value
includes the string ##SSEE or ##WID in it, SUSDB is running in WID, as shown:
If SUSDB was installed on WID

If SUSDB was installed on WID, SQL Server Management Studio Express must be installed locally to run the
reindex script. Here's an easy way to determine which version of SQL Server Management Studio Express to
install:
For Windows Server 2012 or later versions:
Go to C:\Windows\WID\Log and find the error log that contains the version number.
Look up the version number in How to determine the version, edition and update level of SQL
Server and its components. This value tells you what Service Pack (SP) level that WID is running.
Include the SP level when searching the Microsoft Download Center for SQL Server Management
Studio Express.
For Windows Server 2008 R2 or previous versions:
Go to C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\LOG and open up the last error log with Notepad. At
the top, there will be a version number (for example 9.00.4035.00 x64). Look up the version number in
How to determine the version, edition and update level of SQL Server and its components. This
version number tells you what Service Pack level it's running. Include the SP level when searching the
Microsoft Download Center for SQL Server Management Studio Express.
After installing SQL Server Management Studio Express, launch it, and enter the server name to connect to:
If the OS is Windows Server 2012 or later versions, use \\.\pipe\MICROSOFT##WID\tsql\query .
If the OS is older than Windows Server 2012, enter \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query .
For WID, if errors similar to the following occur when attempting to connect to SUSDB using SQL Server
Management Studio (SSMS), try launching SSMS using the Run as administrator option.
If SUSDB was installed on SQL Server

If SUSDB was installed on full SQL Server, launch SQL Server Management Studio and enter the name of the
server (and instance if needed) when prompted.
TIP
Alternatively, a utility called sqlcmd can be used to run the reindex script. For more information, see Reindex the WSUS
Database.
Running the script

To run the script in either SQL Server Management Studio or SQL Server Management Studio Express, select
New Quer y , paste the script in the window, and then select Execute . When it's finished, a Quer y executed
successfully message will be displayed in the status bar. And the Results pane will contain messages related to
what indexes were rebuilt.
Decline superseded updates

Decline superseded updates in the WSUS server to help clients scan more efficiently. Before declining updates,
ensure that the superseding updates are deployed, and that superseded ones are no longer needed.
Configuration Manager includes a separate cleanup, which allows it to expire superseded updates based on
specified criteria. For more information, see the following articles:
Supersedence rules
WSUS cleanup behavior starting in version 1810
The following SQL query can be run against the SUSDB database, to quickly determine the number of
superseded updates. If the number of superseded updates is higher than 1500, it can cause various software
update related issues on both the server and client sides.
-- Find the number of superseded updates

Select COUNT(UpdateID) from vwMinimalUpdate where IsSuperseded=1 and Declined=0
If you are using Configuration Manager current branch version 1906 or a later version, we recommend that you
automatically decline the superseded updates by enabling the Decline expired updates in WSUS according
to supersedence rules option in the software update point configuration for the top-most site.
When you use this option, you can see how many updates were declined by reviewing the WsyncMgr.log file
after the synchronization process finishes. If you use this option, you don't need to use the script described later
in this section (either by manually running it or by setting up as task to run it on a schedule).
If you are using standalone WSUS servers or an older version of configuration Manager, you can manually
decline superseded updates by using the WSUS console. Or you can run this PowerShell script. Then, copy and
save the script as a Decline-SupersededUpdatesWithExclusionPeriod.ps1 script file.
NOTE
This script is provided as is. It should be fully tested in a lab before you use it in production. Microsoft makes no
guarantees regarding the use of this script in any way. Always run the script with the -SkipDecline parameter first, to
get a summary of how many superseded updates will be declined.
If Configuration Manager is set to Immediately expire superseded updates (see below), the PowerShell
script can be used to decline all superseded updates. It should be done on all autonomous WSUS servers in the
Configuration Manager/WSUS hierarchy.
You don't need to run the PowerShell script on WSUS servers that are set as replicas, such as secondary site
SUPs. To determine whether a WSUS server is a replica, check the Update Source settings.
If updates are not configured to be immediately expired in Configuration Manager, the PowerShell script must
be run with an exclusion period that matches the Configuration Manager setting for number of days to expire
superseded updates. In this case, it would be 60 days since SUP component properties are configured to wait
two months before expiring superseded updates:
The following command lines illustrate the various ways that the PowerShell script can be run (if the script is
being run on the WSUS server, LOCALHOST can be used in place of the actual SERVERNAME ):
Decline-SupersededUpdatesWithExclusionPeriod.ps1 -UpdateServer SERVERNAME -Port 8530 –SkipDecline
Decline-SupersededUpdatesWithExclusionPeriod.ps1 -UpdateServer SERVERNAME -Port 8530 –ExclusionPeriod 60
Decline-SupersededUpdatesWithExclusionPeriod.ps1 -UpdateServer SERVERNAME -Port 8530
Decline-SupersededUpdatesWithExclusionPeriod.ps1 -UpdateServer SERVERNAME -UseSSL -Port 8531
Running the script with a -SkipDecline and -ExclusionPeriod 60 to gather information about updates on the
WSUS server, and how many updates could be declined:
Running the script with -ExclusionPeriod 60 , to decline superseded updates older than 60 days:
The output and progress indicators are displayed while the script is running. Note the
SupersededUpdates.csv file, which will contain a list of all updates that are declined by the script:
NOTE
If issues occur when attempting to use the above PowerShell script to decline superseded updates, see the section
Running the Decline-SupersededUpdatesWithExclusionPeriod.ps1 script times out when connecting to the WSUS server,
or a 401 error occurs while running for troubleshooting steps.
After superseded updates have been declined, for best performance, SUSDB should be reindexed again. For
related information, see Reindex the WSUS database.
Run the WSUS Server Cleanup Wizard
WSUS Server Cleanup Wizard provides options to clean up the following items:
Unused updates and update revisions (also known as Obsolete updates)
Computers not contacting the server
Unneeded update files
Expired updates
Superseded updates
In a Configuration Manager environment, Computers not contacting the ser ver and Unneeded update
files options are not relevant because Configuration Manager manages software update content and devices,
unless either the Create all WSUS repor ting events or Create only WSUS status repor ting events
options are selected under Software Update Sync Settings . If you have one of these options configured, you
should consider automating the WSUS Server Cleanup to perform cleanup of these two options.
If you are using Configuration Manager current branch version 1906 or a later version, enabling the Decline
expired updates in WSUS according to supersedence rules option handles declining of Expired
updates and Superseded updates based on the supersedence rules that are specified in Configuration
Manager. Enabling the Remove obsolete updates from the WSUS database option in Configuration
Manager current branch version 1906 handles the cleanup of Unused updates and update revisions
(Obsolete updates). It's recommended to enable these options in the software update point configuration on the
top-level site to allow Configuration Manager to clean up the WSUS database.
If you've never cleaned up obsolete updates from WSUS database before, this task may time out. You can review
WsyncMgr.log for more information, and manually run the SQL script that is specified in HELP! My WSUS has
been running for years without ever having maintenance done and the cleanup wizard keeps timing out once,
which would allow subsequent attempts from Configuration Manager to run successfully. For more information
about WSUS cleanup and maintenance in Configuration Manager, see the docs.
For standalone WSUS servers, or if you are using an older version of Configuration Manager, it is recommended
that you run the WSUS Cleanup wizard periodically. If the WSUS Server Cleanup Wizard has never been run and
the WSUS has been in production for a while, the cleanup may time out. In that case, reindex with step 2 and
step 3 first, then run the cleanup with only the Unused updates and update revisions option checked.
If you have never run WSUS Cleanup wizard, running the cleanup with Unused updates and update
revisions may require a few passes. If it times out, run it again until it completes, and then run each of the other
options one at a time. Lastly make a full pass with all options checked. If timeouts continue to occur, see the SQL
Server alternative in HELP! My WSUS has been running for years without ever having maintenance done and
the cleanup wizard keeps timing out. It may take multiple hours or days for the Server Cleanup Wizard or SQL
alternative to run through completion.
The WSUS Server Cleanup Wizard runs from the WSUS console. It is located under Options , as shown here:
For more information, see Use the Server Cleanup Wizard.

After it reports the number of items it has removed, the cleanup finishes. If you do not see this information
returned on your WSUS server, it is safe to assume that the cleanup timed out. In that case, you will need to start
it again or use the SQL alternative.
After superseded updates have been declined, for best performance, SUSDB should be reindexed again. See the
Reindex the WSUS database section for related information.
Troubleshooting
HELP! My WSUS has been running for years without ever having maintenance done and the cleanup wizard
keeps timing out!
There are two different options here:
1. Reinstall WSUS with a fresh database. There are a number of caveats related to this, including length of
initial sync, and full client scans against SUSDB, versus differential scans.
2. Ensure you have a backup of the SUSDB database, then run a reindex. When that completes, run the
following script in SQL Server Management Studio or SQL Server Management Studio Express. After it
finishes, follow all of the above instructions for running maintenance. This last step is necessary because
the spDeleteUpdate stored procedure only removes unused updates and update revisions.
NOTE
Before you run the script, follow the steps in The spDeleteUpdate stored procedure runs slowly to improve the
performance of the execution of spDeleteUpdate .
DECLARE @var1 INT

DECLARE @msg nvarchar(100)
CREATE TABLE #results (Col1 INT)

INSERT INTO #results(Col1) EXEC spGetObsoleteUpdatesToCleanup
DECLARE WC Cursor
FOR
SELECT Col1 FROM #results
OPEN WC
FETCH NEXT FROM WC
INTO @var1
WHILE (@@FETCH_STATUS > -1)
BEGIN SET @msg = 'Deleting' + CONVERT(varchar(10), @var1)
RAISERROR(@msg,0,1) WITH NOWAIT EXEC spDeleteUpdate @localUpdateID=@var1
FETCH NEXT FROM WC INTO @var1 END
CLOSE WC
DEALLOCATE WC
DROP TABLE #results
Running the Decline -SupersededUpdatesWithExclusionPeriod.ps1 script times out when connecting to the
WSUS server, or a 401 error occurs while running
If errors occur when you attempt to use the PowerShell script to decline superseded updates, an alternative SQL
script can be run against SUDB.
1. If Configuration Manager is used along with WSUS, check Software Update Point Component
Proper ties > Supersedence Rules to see how quickly superseded updates expire, such as immediately
or after X months. Make a note of this setting.
2. If you haven't backed up the SUSDB database, do so before proceeding further.
3. Use SQL Server Management Studio to connect to SUSDB.
4. Run the following query. The number 90 in the line that includes DECLARE @thresholdDays INT = 90
should correspond with the Supersedence Rules from step 1 of this procedure, and the correct number
of days that aligns with the number of months that is configured in Supersedence Rules . If this is set to
expire immediately, the value in the SQL query for @thresholdDays should be set to zero.
-- Decline superseded updates in SUSDB; alternative to Decline-
SupersededUpdatesWithExclusionPeriod.ps1
DECLARE @thresholdDays INT = 90 -- Specify the number of days between today and the release date for
which the superseded updates must not be declined (i.e., updates older than 90 days). This should
match configuration of supersedence rules in SUP component properties, if ConfigMgr is being used
with WSUS.
DECLARE @testRun BIT = 0 -- Set this to 1 to test without declining anything.
-- There shouldn't be any need to modify anything after this line.
DECLARE @uid UNIQUEIDENTIFIER

DECLARE @title NVARCHAR(500)
DECLARE @date DATETIME
DECLARE @userName NVARCHAR(100) = SYSTEM_USER
DECLARE @count INT = 0
DECLARE DU CURSOR FOR

SELECT MU.UpdateID, U.DefaultTitle, U.CreationDate FROM vwMinimalUpdate MU
JOIN PUBLIC_VIEWS.vUpdate U ON MU.UpdateID = U.UpdateId
WHERE MU.IsSuperseded = 1 AND MU.Declined = 0 AND MU.IsLatestRevision = 1
AND MU.CreationDate < DATEADD(dd,-@thresholdDays,GETDATE())
ORDER BY MU.CreationDate
PRINT 'Declining superseded updates older than ' + CONVERT(NVARCHAR(5), @thresholdDays) + ' days.' +
CHAR(10)
OPEN DU
FETCH NEXT FROM DU INTO @uid, @title, @date
WHILE (@@FETCH_STATUS > - 1)
BEGIN
SET @count = @count + 1
PRINT 'Declining update ' + CONVERT(NVARCHAR(50), @uid) + ' (Creation Date ' +
CONVERT(NVARCHAR(50), @date) + ') - ' + @title + ' ...'
IF @testRun = 0
EXEC spDeclineUpdate @updateID = @uid, @adminName = @userName, @failIfReplica = 1
FETCH NEXT FROM DU INTO @uid, @title, @date
END
CLOSE DU
DEALLOCATE DU
PRINT CHAR(10) + 'Attempted to decline ' + CONVERT(NVARCHAR(10), @count) + ' updates.'
5. To check progress, monitor the Messages tab in the Results pane.

What if I find out I needed one of the updates that I declined?
If you decide you need one of these declined updates in Configuration Manager, you can get it back in WSUS by
right-clicking the update, and selecting Approve . Change the approval to Not Approved , and then resync the
SUP to bring the update back in.
If the update is no longer in WSUS, it can be imported from the Microsoft Update Catalog, if it hasn't been
expired or removed from the catalog.
Automating WSUS maintenance

NOTE
If you are using Configuration Manager version1906 or a later version, automate the cleanup procedures by enabling the
WSUS Maintenance options in the software update point configuration of the top-level site. These options handle all
cleanup operations that are performed by the WSUS Server Cleanup Wizard. However, you should still automatically back
up and reindex the WSUS database on a schedule.
WSUS maintenance tasks can be automated, assuming that a few requirements are met first.
1. If you have never run WSUS cleanup, you need to do the first two cleanups manually. Your second
manual cleanup should be run 30 days from your first since it takes 30 days for some updates and
update revisions to age out. There are specific reasons for why you don't want to automate until after
your second cleanup. Your first cleanup will probably run longer than normal. So you can't judge how
long this maintenance will normally take. The second cleanup is a much better indicator of what is normal
for your machines. This is important because you need to figure out about how long each step takes as a
baseline (I also like to add about 30-minutes wiggle room) so that you can determine the timing for your
schedule.
2. If you have downstream WSUS servers, you will need to perform maintenance on them first, and then do
the upstream servers.
3. To schedule the reindex of the SUSDB, you will need a full version of SQL Server. Windows Internal
Database (WID) doesn't have the capability of scheduling a maintenance task though SQL Server
Management Studio Express. That said, in cases where WID is used you can use the Task Scheduler with
SQLCMD mentioned earlier. If you go this route, it's important that you don't sync your WSUS
servers/SUPs during this maintenance period! If you do, it's possible your downstream servers will just
end up resyncing all of the updates you just attempted to clean out. I schedule this overnight before my
AM sync, so I have time to check on it before my sync runs.
Needed/helpful links:
Reindex the WSUS Database
Agent XPs Server Configuration Option
Weekend Scripter: Use the Windows Task Scheduler to Run a Windows PowerShell Script
WSUS cleanup script
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")`
| out-null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
$cleanupScope = new-object Microsoft.UpdateServices.Administration.CleanupScope;
$cleanupScope.DeclineSupersededUpdates = $true
$cleanupScope.DeclineExpiredUpdates = $true
$cleanupScope.CleanupObsoleteUpdates = $true
$cleanupScope.CompressUpdates = $true
#$cleanupScope.CleanupObsoleteComputers = $true
$cleanupScope.CleanupUnneededContentFiles = $true
$cleanupManager = $wsus.GetCleanupManager();
$cleanupManager.PerformCleanup($cleanupScope);
Setting up the WSUS Cleanup task in Task Scheduler
NOTE
As mentioned previously, if you are using Configuration Manager current branch version 1906 or a later version,
automate the cleanup procedures by enabling the WSUS Maintenance options in the software update point
configuration of the top-level site. For standalone WSUS servers or older versions of Configuration Manager, you can
continue to use the following steps.
The Weekend Scripter blog post mentioned in the previous section contains basic directions and
troubleshooting for this step. However, I'll walk you through the process in the following steps.
1. Open Task Scheduler and select Create a Task . On the General tab, set the name of the task, the user
that you want to run the PowerShell script as (most people use a service account). Select Run whether a
user is logged on or not , and then add a description if you wish.
2. Under the Actions tab, add a new action and specify the program/script you want to run. In this case, we
need to use PowerShell and point it to the PS1 file we want it to run. You can use the WSUS Cleanup
script. This script performs cleanup options that Configuration Manager current branch version 1906
doesn't do. You can uncomment them if you are using standalone WSUS or an older version of
Configuration Manager. If you would like a log, you can modify the last line of the script as follows:
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
$cleanupScope = new-object Microsoft.UpdateServices.Administration.CleanupScope;
# $cleanupScope.DeclineSupersededUpdates = $true # Performed by CM1906
# $cleanupScope.DeclineExpiredUpdates = $true # Performed by CM1906
# $cleanupScope.CleanupObsoleteUpdates = $true # Performed by CM1906
$cleanupScope.CompressUpdates = $true
$cleanupScope.CleanupObsoleteComputers = $true
$cleanupScope.CleanupUnneededContentFiles = $true
$cleanupManager = $wsus.GetCleanupManager();
$cleanupManager.PerformCleanup($cleanupScope) | Out-File C:\WSUS\WsusClean.txt;
You'll get an FYI/warning in Task Scheduler when you save. You can ignore this warning.
3. On the Triggers tab, set your schedule for once a month or on any schedule you want. Again, you must
ensure that you don't sync your WSUS during the entire cleanup and reindex time.
4. Set any other conditions or settings you would like to tweak as well. When you save the task, you may be
prompted for credentials of the Run As user.
5. You can also use these steps to configure the Decline-SupersededUpdatesWithExclusionPeriod.ps1 script
to run every three months. I usually set this script to run before the other cleanup steps, but only after I
have run it manually and ensured it completed successfully. I run at 12:00 AM on the first Sunday every
three months.
Setting up the SUSDB reindex for WID using SQLCMD and Task Scheduler
1. Save the Reindex the WSUS database script as a .sql file (for example, SUSDBMaint.sql).
2. Create a basic task and give it a name:
3. Schedule this task to start about 30 minutes after you expect your cleanup to finish running. My cleanup
is running at 1:00 AM every first Sunday. It takes about 30 minutes to run and I am going to give it
another 30 minutes before starting my reindex. It means I would schedule this task for every first Sunday
at 2:00 AM, as shown here:
4. Select the action to Star t a program . In the Program/script box, type the following command. The file
specified after the -i parameter is the path to the SQL script you saved in step 1. The file specified after
the -o parameter is where you would like the log to be placed. Here's an example:
"C:\Program Files\Microsoft SQL Server\110\Tools\Binn\SQLCMD.exe" -S
\\.\pipe\Microsoft##WID\tsql\query -i C:\WSUS\SUSDBMaint.sql -o c:\WSUS\reindexout.txt
5. You'll get a warning, similar to the one you got when creating the cleanup task. Select Yes to accept the
arguments, and then select Finish to apply:
6. You can test the script by forcing it to run and reviewing the log for errors. If you run into issues, the log
will tell you why. Usually if it fails, the account running the task doesn't have appropriate permissions or
the WID service isn't started.
Setting up a basic Scheduled Maintenance Task in SQL for non-WID SUSDBs
NOTE
You must be a sysadmin in SQL Server to create or manage maintenance plans.
1. Open SQL Ser ver Management Studio and connect to your WSUS instance. Expand Management ,
right-click Maintenance Plans , and then select New Maintenance Plan . Give your plan a name.
2. Select subplan1 and then ensure your Toolbox is in context:
3. Drag and drop the task Execute T-SQL Statement Task :

4. Right-click it and select Edit . Copy and paste the WSUS reindex script, and then select OK :
5. Schedule this task to run about 30 minutes after you expect your cleanup to finish running. My cleanup is
running at 1:00 AM every first Sunday. It takes about 30 minutes to run, and I am going to give it another
30 minutes before starting reindex. It means I would schedule this task to run every first Sunday at 2:00
AM.
6. While creating the maintenance plan, consider adding a backup of the SUSDB into the plan as well. I
usually back up first, then reindex. It may add more time to the schedule.
Putting it all together
When running it in a hierarchy, the WSUS cleanup run should be done from the bottom of the hierarchy up.
However, when using the script to decline superseded updates, the run should be done from the top down.
Declining superseded updates is really a type of addition to an update rather than a removal. You're actually
adding a type of approval in this case.
Since a sync can't be done during the actual cleanup, it's suggested to schedule/complete all tasks overnight.
Then check on their completion via the logging the following morning, before the next scheduled sync. If
something failed, maintenance can be rescheduled for the next night, once the underlying issue is identified and
resolved.
These tasks may run faster or slower depending on the environment, and timing of the schedule should reflect
that. Hopefully they are faster since my lab environment tends to be a bit slower than a normal production
environment. I am a bit aggressive on the timing of the decline scripts. If Tier2 overlaps Tier3 by a few minutes,
it will not cause a problem because my sync isn't scheduled to run.
Not syncing keeps the declines from accidentally flowing into my Tier3 replica WSUS servers from Tier2. I did
give myself extra time between the Tier3 decline and the Tier3 cleanup since I definitely want to make sure the
decline script finishes before running my cleanup.
It brings up a common question: Since I'm not syncing, why shouldn't I run all of the cleanups and reindexes at
the same time?
The answer is that you probably could, but I wouldn't. If my coworker across the globe needs to run a sync, with
this schedule I would minimize the risk of orphaned updates in WSUS. And I can schedule it to rerun to
completion the next night.
T IM E T IER TA SK S
12:00 AM Tier1-Decline
1:00 AM Tier3 WSUS Cleanup
2:00 AM Tier3 Reindex Tier2 WSUS Cleanup
3:00 AM Tier1-Cleanup Tier2 Reindex
4:00 AM Tier1 Reindex
NOTE
If you're using Configuration Manager current branch version 1906 or a later version to perform WSUS Maintenance,
Configuration Manager performs the cleanup after synchronization using the top-down approach. In this scenario, you
can schedule the WSUS database backup and reindexing jobs to run before the configured sync schedule without
worrying about any of the other steps, because Configuration Manager will handle everything else.
For more information about SUP maintenance in Configuration Manager, see the following articles:
Software updates maintenance
Software updates maintenance in Configuration Manager
WSUS doesn't sync with Microsoft on Windows
Server 2008 R2 servers because of a certificate error
This article helps you fix an issue in which Windows Server Update Services (WSUS) doesn't sync with Microsoft
on a Windows Server 2008 R2 server because of a certificate error 800B0109.
Original product version: Windows Server Update Services 3.0 Service Pack 2
Symptoms
When you initiate a sync from WSUS to Microsoft, the WSUS sync fails on a Windows Server 2008 R2 server
and logs the following error entry in the SoftwareDistribution.log file:
The given certificate chain has not Microsoft Root CA signed root (800B0109)
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
If you are using Configuration Manager, the sync will fail, logging the following error in WSYNCMGR.log:
Sync Failed: USSCommunicationError: WebException: The underlying connection was closed: Could not
establish trust relationship for the SSL/TLS secure channel
Cause
This problem occurs because the WSUS application on the server is not SHA2-compliant. We recently changed
the signing process to sign by using SHA2 only.
Resolution
To fix this problem, download and install Update for Windows Server 2008 R2 for x64-based Systems
(KB4484071) that was released on November 12, 2019.
You can check the following logs for the installation progress:
%temp%
MWusCa.log
MWusSetup.log
Prerequisites
To install this update, the user must sign in as sysadmin to the SQL Server instance that runs the SUSDB
database.
Restart requirement
No reboot is required after installing this update.
WSUS synchronization fails with SoapException
This article helps you fix an issue where Windows Server Update Services (WSUS) synchronization fails because
of a decommissioned endpoint.
Original product version: WSUS - All versions, Windows Server 2016, Windows Server 2012 R2, Windows
Server 2012
Symptoms
WSUS synchronization fails, and you receive the following error message:
SoapException: Fault occurred

at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message,
WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetUpdateData(Cookie
cookie, UpdateIdentity[] updateIds)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.WebserviceGetUpdateData(UpdateIdentity[]
updateIds, List`1 allMetadata, List`1 allFileUrls, Boolean isForConfig)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.GetUpdateDataInChunksAndImport(List`1
neededUpdates, List`1 allMetadata, List`1 allFileUrls, Boolean isConfigData)
at Microsoft.UpdateServices.ServerSync.Cat
Additionally, an error message that resembles the following is logged in the WSUS log file (
%ProgramFiles%\Update Services\LogFiles\SoftwareDistribution.log ) on the WSUS server:
<Date> <Time> Error WsusService.25 SoapUtilities.LogException USS ThrowException: Actor =
https://fe2.update.microsoft.com/v6/ServerSyncWebService/ServerSyncWebService.asmx, Method =
"http://www.microsoft.com/SoftwareDistribution/GetUpdateData", ID=<ID>, ErrorCode=InternalServerError,
Message=
at Microsoft.UpdateServices.Internal.SoapUtilities.LogException(SoapException e)
at Microsoft.UpdateServices.Internal.WebServiceCommunicationHelper.
ProcessWebServiceProxyException(SoapHttpClientProtocol& webServiceObject, Exception exceptionInfo)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.WebserviceGetUpdateData(UpdateIdentity[]
updateIds, List\1 allMetadata, List\1 allFileUrls, List\`1& updatesWithSecureFileData, Boolean isForConfig)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.GetUpdateDataInChunksAndImport(List\1
neededUpdates, List\1 allMetadata, List\1 allFileUrls, Boolean isConfigData)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.GetAndSaveUpdateMetadata(List\1 updates)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.CatalogSyncThreadProcess()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback
callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback,
Object state, Boolean preserveSyncCtx)
Object state)
at System.Threading.ThreadHelper.ThreadStart()
<Date> <Time> Error WsusService.25 SoapUtilities.LogException USS ThrowException: Actor =
https://fe2.update.microsoft.com/v6/ServerSyncWebService/ServerSyncWebService.asmx, Method =
"http://www.microsoft.com/SoftwareDistribution/GetUpdateData", ID=\<ID>, ErrorCode=InternalServerError,
Message=
at Microsoft.UpdateServices.Internal.SoapUtilities.LogException(SoapException e)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.CatalogSyncThreadProcess()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback
callback, Object state, Boolean preserveSyncCtx)
Object state, Boolean preserveSyncCtx)
Object state)
at System.Threading.ThreadHelper.ThreadStart()
Cause
This issue occurs if the WSUS servers are configured to use the old synchronization endpoint,
https://fe2.update.microsoft.com/v6 . This endpoint was fully decommissioned and is no longer reachable
after July 8, 2019.
Resolution
To fix the issue, change the synchronization endpoint in WSUS configuration to
https://sws.update.microsoft.com .
To do this, follow these steps on the topmost WSUS server that connects directly to Microsoft Update, such as
the root WSUS server in a WSUS hierarchy:
1. Close all WSUS consoles.
2. At an elevated PowerShell command prompt, run the following PowerShell scripts.
NOTE
Don't run the scripts on a WSUS server that's not the topmost server. If the server isn't connected to the Internet,
synchronization may fail.
For WSUS version 3.x:

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config.MUUrl
$config.RedirectorChangeNumber
# Update the settings if MUUrl is https://fe2.update.microsoft.com/v6
$config.MUUrl = "https://sws.update.microsoft.com"
$config.RedirectorChangeNumber = 4002
$config.Save();
iisreset
Restart-Service *Wsus* -v
WSUS servers that are running Windows Server 2008 (without the latest update) or earlier versions may
be using the https://update.microsoft.com/v6 or https://www.update.microsoft.com
synchronization endpoints. Because these versions of Windows don't support SHA256 certificate
authentication, use the following settings in the PowerShell scripts:
$config.MUUrl = " https://sws1.update.microsoft.com"

For WSUS on Windows Ser ver 2012 and later versions:
$server = Get-WsusServer
$config.MUUrl
$config.RedirectorChangeNumber
# Update the settings if MUUrl is https://fe2.update.microsoft.com/v6
$config.MUUrl = "https://sws.update.microsoft.com"
$config.Save()
iisreset
Restart-Service *Wsus* -v
3. Verify that WSUS synchronization succeeds.
More information
For more information about how to run PowerShell scripts, see What is PowerShell?.

Troubleshooting ConfigMgr

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Troubleshooting ConfigMgr

Uploaded by

Copyright:

Available Formats

Contents

Application cannot be started. Contact the application vendor.

Obtain error code descriptions

ERROR_WINHTTP_NAME_NOT_RESOLVED 12007 The server name cannot be resolved

Successfully created srsserver SMS_SRS_REPORTING_POINT

For 32-bit applications that are running on 64-bit systems:

An error has occurred during report processing. (rsProcessingAborted)

Refer to the following screenshot for an example of the error messages.

processing!ReportServer_0-2!18fc!<Date>-<Time>:: e ERROR: An exception has occurred in data set

processing!ReportServer_0-2!18fc!<Date>-<Time>:: v VERBOSE: An exception has occurred. Trying to abort

SQL Server 2017 140, 130, 120, 110 140 110

SQL Server 2016 130, 120, 110 130 110

SQL Server 2014 120, 110 110 110

SELECT name, compatibility_level FROM sys.databases

ALTER DATABASE <CM_DB>

Deploy a language pack as an application

9. On the Detection Method page, select Add Clause .

11. Select Next .

b. Specify details at Create Global Condition .

DISM /online /Get-intl

The following is sample output:

Last sync failed

The secret key is invalid

Failed to download package d788cc1b-ab00-bb5f-1548-f2dfe717583b-X86-Arm for product 9WZDNCRFJ3PS\0015.

To see the location that you configured:

a. Select Offline , if it isn't already selected. Then select Manage .

Sync doesn't run

a. Set Requested Operation to Stop .

a. Set Requested Operation to Stop .

Applies to: Configuration Manager (current branch)

MSI: Action 17:56:36: Rollback. Rolling back action:

Compiling Sql CE script file: C:\Windows\CCM\StateMessageStore.sqlce into database

get-scheduledtask -taskname "Configuration Manager Client Retry Task"

[DateTime ] Registering Hosting Configuration.

Log Name: Application

System Center 2012 Configuration Manager SP1

System Center 2012 Endpoint Protection SP1

MSI: Action 11:53:11: CcmRegisterWmiMofFile. Registering WMI settings

Powershell.exe Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name SetClientProvisioningMode -

[RegTask] - Client is not registered. Sending registration request for GUID:4874BD6C-CB98-4EEB-9F4F-

select min(rowversion) from CI_CIAssignments

12-28-2018 16:06:39.334 DataTransferService 3544 (0xdd8) Target URL scheme is HTTPS:

Found a valid online MP 'https://<CMGname>.<your

Forwarding proxy message <message ID> to URL:

<Date> <Time> <IP_address_of_MP> GET /SMS_MP/.sms_aut SITESIGNCERT 443 -

Filtered cert count with digital signature: 7

mofcomp.exe -check <YourMOFName>.mof

select NextGroupKey from ArchitectureMap where ArchitectureKey = 5

SQL>>> select NextGroupKey from ArchitectureMap where ArchitectureKey = 5

You can enable SQLTracing by setting the following value to 1 .

Software Metering failed to start PrepDriver

RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\WINDOWS\CCM\prepdrv.inf

Turn on the DebugLogging key

3. Add a new value under this key:

Also, the following entry is logged in DMPDownloader.log:

Then, restart the SMS_Executive service or the SMS_DMP_DOWNLOADER thread.

CExtUserContext::EnterThread : User=<DOMAIN\user> Sid=0x010500000:-

Internal Error 2711.LP3076

Microsoft.ConfigurationManagement has stopped working

Applies to: Configuration Manager current branch version 2103

For example, copy the file to C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\CFD .

6. Try again to open the Windows 10 servicing dashboard.

Applies to: Microsoft Endpoint Configuration Manager (current branch)

Configure peer cache client settings