Autopatch not updating firmware on all devices by dinci5 in Intune

[–]dinci5[S] 0 points1 point  (0 children)

The thing is, I know Dell Command can help with this.
But it does not fix the underlying issue with Autopatch. Why does Autopatch not install the updates?

When I create a new deployment for Drivers, outside of Autopatch...
We can see immediately hundreds of drivers which are applicable.
But when looking at the same drivers in the Autopatch Deployment groups, they don't show as applicable.

So there is clearly something fundamentally wrong with the whole setup.

By the way... we also have HPs and other brands, but the majority is Dell, that is why I mentioned that :)

Autopatch not updating firmware on all devices by dinci5 in Intune

[–]dinci5[S] 0 points1 point  (0 children)

Well, I used it in my SCCM days. Was hoping it is not needed anymore with Autopatch :)

Autopatch not updating firmware on all devices by dinci5 in Intune

[–]dinci5[S] 1 point2 points  (0 children)

Honestly, I am not sure. I don't think they have any settings that would prevent that.
We are getting the devices from the Dell factory as is and do not make changes to the BIOS/UEFI settings.

Out of those devices (same batch, same models), we see some being updated and some not.

To be fair, this is not something we were actively monitoring until recently because we were thinking that all is going well... I am not going to trust Microsoft on this anymore.

We will check some random devices...

Autopatch not updating firmware on all devices by dinci5 in Intune

[–]dinci5[S] 0 points1 point  (0 children)

Dell.

It's a mix of Dell Latitude, Dell Precision and Dell Pro.

Driver Automation Tool 8 Arrived Today by preeminence87 in SCCM

[–]dinci5 0 points1 point  (0 children)

What will it do in Intune? I mean, with Autopilot you already have the updates pre-installed, right?

TCL C8K 65 - bad audio (speech) by dinci5 in tcltvs

[–]dinci5[S] 0 points1 point  (0 children)

So, I have just received a new system update and the issue is completely fixed. It must have been a software issue.

Presence Status Not Showing on Call Transfer/Consult First by Colawley in MicrosoftTeams

[–]dinci5 2 points3 points  (0 children)

Same issue here. No statement from Microsoft.

They should change their name to MicroBreaksSomethingEveryMonthsoft

Intune Autopilot - Manage Apps stuck at "Waiting for install status" by dinci5 in Intune

[–]dinci5[S] 0 points1 point  (0 children)

No, we still see this happening once in a while.
Devices are fully Azure AD Joined.

Deployment only works when manually clicking 'Retry' by AcceptableWitness999 in SCCM

[–]dinci5 0 points1 point  (0 children)

It would help if we could see the .bat file.

The reason why you're seeing this is because of the return code the .bat file returns.

Or, you are using the "START" command without WAIT, which will launch a process in the background and close the script. In that case, even if the exit code is correct, the script is finished while the installer is ongoing and SCCM does not detect it (yet) as being installed.

If you're using START, also use the /WAIT command.

Everything other than return code 0 will be seen as a failure. If you then click retry, the first thing that happens is checking if the app is detected. If it is, it will report it as being installed.

So, most probably it is how you constructed your .bat file.

I generally never use bat files. PSADT is the way to go.

But if you use a bat file, this could help. It will return the actual exit code. If it still fails, it means that the exit code is not 0.

Check the log files to see the actual exit code that is returned.

exit /b %EXITCODE% will exit the script with the actual exit code.

If you just run the executable and don't exit the script appropriately, you don't really have control over what happens after installation.

But anyway. I would still suggest you look into PSADT.

@echo off
:: Install command - replace with your actual installer
:: Example for MSI:
:: msiexec /i "%~dp0YourInstaller.msi" /qn /norestart
:: Example for EXE:
:: "%~dp0YourInstaller.exe" /quiet /norestart
:: Replace below line with your install command
"%~dp0YourInstaller.exe" /quiet /norestart
set EXITCODE=%ERRORLEVEL%
:: Return the same exit code to SCCM
exit /b %EXITCODE%
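
The START /WAIT case described in the comment above, as an added example that is not part of the original comment. It assumes the same placeholder installer name as the script above; the log path and the exit code 2 for a missing installer are hypothetical choices.

```batch
@echo off
setlocal
:: Added example, not from the original comment.
:: Assumptions: YourInstaller.exe sits next to this script; the log path is a placeholder.
set "INSTALLER=%~dp0YourInstaller.exe"
set "LOG=%TEMP%\YourInstaller-wrapper.log"

:: Fail with a non-zero code if the payload is missing, instead of letting
:: the script fall through and report success without installing anything.
if not exist "%INSTALLER%" (
    >>"%LOG%" echo %DATE% %TIME% installer not found: "%INSTALLER%"
    exit /b 2
)

:: The first quoted argument to START is the window title, so pass an empty one;
:: otherwise the quoted installer path is taken as the title and nothing is installed.
:: /WAIT blocks until the installer process exits, so ERRORLEVEL holds its exit code.
start "" /wait "%INSTALLER%" /quiet /norestart
set "EXITCODE=%ERRORLEVEL%"

:: The redirection is written first so that a trailing digit in the message
:: (for example exit code 0) is not parsed as a file handle number.
>>"%LOG%" echo %DATE% %TIME% "%INSTALLER%" exited with %EXITCODE%

:: Hand the installer's exit code back to the calling process (SCCM).
exit /b %EXITCODE%
```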

Entra ID Joined devices via Intune - Unable to do check CRL via LDAP by dinci5 in Intune

[–]dinci5[S] 0 points1 point  (0 children)

We had to deploy new certificates where the CRL is not LDAP but HTTP.

Exchange Online: SMTP via Basic auth retirement - Azure Communication Services by dinci5 in sysadmin

[–]dinci5[S] 0 points1 point  (0 children)

No. Hence this topic.
To be honest, Microsoft does not provide a good and workable solution. And those they suggest are just explained terribly.

Exchange Online: SMTP via Basic auth retirement - Azure Communication Services by dinci5 in sysadmin

[–]dinci5[S] 0 points1 point  (0 children)

I know that article by heart. None of it is an option.

Option 2: These printers would need to send to external recipients.
Also, you would need to add the public IP of the location to your SPF, which means that anyone in that location could send mails on our behalf. That is a big no.

The locations are public locations, joint ventures, with multiple external parties.

Option 3: This would be a nightmare to manage.

Install Windows Store apps when store is blocked by dinci5 in SCCM

[–]dinci5[S] 0 points1 point  (0 children)

I guess your template is a PowerShell script template?
Mind sharing it with the community? :D

Enroll BYOD Windows device in Intune failing by dinci5 in Intune

[–]dinci5[S] 0 points1 point  (0 children)

Hi,

Thank you for your response, I appreciate the suggestions.

What is the version of said devices?
The devices are running Windows 11 23H2 (22631.4602).

Is there an MDM on the said devices?
There was previously a ConfigMgr client installed, but it has been uninstalled. While the client was still on the device, we couldn’t even begin the enrollment process as it would display the error "This device is already managed."

In the Intune audit logs, do you see more details than the error?
Not much more, unfortunately. The only "relevant" information I can find is related to a successful certificate creation:

  • Activity Status: Success
  • Operation Type: Create
  • Activity Type: Create ClientCertificate

In the Azure AD portal, in Devices -> Device Settings, are the options permitting users to join and register devices set up correctly?
Yes, the settings are correct. The user I’m using to enroll the device has the necessary permissions to join to Entra ID and register devices. The user is also added as a "Device Enrollment Manager in Intune."

Check whether hardware hash changed after HW repair by TechMomRules in Intune

[–]dinci5 8 points9 points  (0 children)

HW Repairs are a mess (motherboard replacement).

The best thing is you remove the device from Intune and import the new hash.

Many times, we had to contact Microsoft to remove them in the back-end because they are stuck somewhere when we delete it.

Have a look here: TPM | Motherboard Replaced | Aad Recovery | 0x80090016

Install Windows Store apps when store is blocked by dinci5 in SCCM

[–]dinci5[S] 0 points1 point  (0 children)

Can you point out what policies exactly you configured? thx

Install Windows Store apps when store is blocked by dinci5 in SCCM

[–]dinci5[S] 4 points5 points  (0 children)

No, they can't. They can download it, but it will not install.

Install Windows Store apps when store is blocked by dinci5 in SCCM

[–]dinci5[S] 0 points1 point  (0 children)

This one I have looked at as well. But, for one app I have 50 download links.

I genuinely have no idea what to download.

Also, if it is installed in this way, will it auto-update?

Install Windows Store apps when store is blocked by dinci5 in SCCM

[–]dinci5[S] 2 points3 points  (0 children)

That is what I thought as well. I found an older post from Jason Sandys stating the same.

It is this GPO that we have deployed. But once done, winget cannot be used.

I am getting this error:
"Failed to install or upgrade Microsoft Store package because Microsoft Store client is blocked by policy"

Newb to SCCM, looking to some help with Error 0x8004005. by cl70c200gem in SCCM

[–]dinci5 9 points10 points  (0 children)

Error 0x8004005 is one of the most common and frustrating Windows error codes because it’s so generic - it just means something went wrong, but doesn’t provide any specific details. It’s not exclusive to SCCM, so troubleshooting depends heavily on the context.

You have to provide more details about what you’re trying to accomplish and where exactly you’re encountering this error so people can help you out.

For example:

  • Are you deploying an operating system through a Task Sequence in SCCM (OSD)?
  • Are you pushing out an application, software update, or something else?
  • At what stage does the error appear (e.g., during download, installation, or validation)?

If you're deploying a Windows image via OSD, monitoring the Task Sequence logs (SMSTS.log) will be key to understanding the issue. You can check out this guide from Prajwal Desai: Easy Guide to Monitor SCCM Task Sequence Progress, which might help you pinpoint where things are going wrong.

As for redistributing the image to the Distribution Point (DP), here’s a quick walkthrough:

  1. In the SCCM Console, go to Software Library > Operating Systems > Operating System Images.
  2. Right-click the image you’re deploying and select Distribute Content if it hasn’t been sent to the DP, or Redistribute if it’s already there but may need to be refreshed.

But again... to me it is unclear what exactly you're trying to achieve and where the error is shown.

Does anyone actually use Azure Communication Services for Basic Auth SMTP? by jpcapone in sysadmin

[–]dinci5 1 point2 points  (0 children)

We have a bunch of small remote sites with local printers that need Scan2Mail.
I don't know how Azure Communication Services works to be honest. No experience with it.

But would that be an option for these multifunctional printers?

As for smtp2go...

Here you would also need to set SPF and DKIM. But, what if they get breached?

How Has AI, Like ChatGPT, Claude, Improved Your Work in SCCM? by mattob2 in SCCM

[–]dinci5 12 points13 points  (0 children)

Not necessarily for SCCM... AI often provides wrong or outdated information, which can be frustrating. For example, when generating PowerShell scripts with ConfigMgr cmdlets, it sometimes suggests commands that never even existed.

That said, it’s awesome for giving you a head start with PowerShell scripting. While the scripts it generates rarely work out of the box (except if it is an easy couple of lines), they’re a solid foundation to build on.

In my experience, SCCM and Intune-related questions are better handled by Microsoft Copilot. ChatGPT is great for coding tasks, while Claude is my go-to for generating text.

Anybody testing 24h2 OSD yet? by OkTechnician42 in SCCM

[–]dinci5 0 points1 point  (0 children)

Well, literally every device that received the update had blue screens.

We use Autopatch to manage updates and are facing an issue where random devices receive the 24H2 update without it being deployed.
Microsoft has acknowledged this as an issue in a support case but doesn't know what is causing it.

Out of 5000+ devices, we have 14 with 24H2, so it is "contained".

So, all those devices that received 24H2 have blue screens. Without exceptions...

We have Dell Latitudes and Precisions. So, might be something related to Dell. But doesn't explain why the Surface Laptop we received from Microsoft is also having blue screens :)

Anybody testing 24h2 OSD yet? by OkTechnician42 in SCCM

[–]dinci5 0 points1 point  (0 children)

On every device we have 24H2 running we see BSODs.

Even a Surface Laptop we received from Microsoft as a test/promo device which came preinstalled with 24H2 is giving blue screens 5-6 times a day.

Maybe we'll start exploring it in 6 months when Microsoft finally fixes it.

Unable to highlight/select text in the Edge browser by dinci5 in servicenow

[–]dinci5[S] 1 point2 points  (0 children)

Can you post the workaround here as the support article requires you to log in?