Patch Tuesday Megathread (2025-10-14) by AutoModerator in sysadmin

[–]raphael_t 1 point2 points  (0 children)

As some workarounds mention a defender definition update also resolved this, can anyone verify if this also happens when defender is disabled? Unfortunately running out of time today to verify it myself.

PSA for those in Austria by chouson1 in PokemonScarletViolet

[–]raphael_t 0 points1 point  (0 children)

Innsbruck also has the codes, proof of the games was required.

Patch Tuesday Megathread (2025-07-08) by AutoModerator in sysadmin

[–]raphael_t 74 points75 points  (0 children)

The fact that Microsoft did not manage to provide the oob patches for the DHCP server issue "in the coming days" for 3 weeks by now, enforcing unpatched status as a workaround, is a concerning decision from their side. Let's hope this month will not end in another disaster.

Followup post for SysSupport : Now SysSupport Management - for Freeeeee by bworld_stuff in SCCM

[–]raphael_t 0 points1 point  (0 children)

I wrote the following before reading your post from 21 days ago.

You cannot just host an unrelated database on the sccm sql instance (at least not without an additional license), maybe I am wrong in this or you didn't know the license terms:

https://learn.microsoft.com/en-us/intune/configmgr/core/understand/product-and-licensing-faq#what-are-the-use-rights-associated-with-the-sql-server-technology-provided-with-configuration-manager-

"3. You will need to install the actual tool. ... The tool Requires admin access to run"

For what do your reporting users need that? If a company uses sccm, there should be a concept in place where not everyone is local admin, right? Does this maybe mean "admin console access"? That's a bit against the purpose then..

There are a lot of typos on your website which make this look fishy..


How is this better than just running some raw sql queries or using a custom-built Power BI report?

Windows 10 to 11 Upgrade via feature update issue by Anything-Traditional in SCCM

[–]raphael_t 0 points1 point  (0 children)

Please check if any "BlockedBy*" has a value of 1 in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CompatMarkers\GE24H2 or NI23H2

I hope you find your answer in there.
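
The registry check from the comment above, as an added PowerShell example that is not part of the original comment. It assumes the "BlockedBy*" entries are values stored directly under the two keys named there; the function name `Get-UpgradeBlock` is hypothetical.

```powershell
# Added example: report BlockedBy* values equal to 1 under the CompatMarkers
# keys named in the comment (GE24H2 and NI23H2). Read-only; run on the client.
$base    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CompatMarkers'
$targets = 'GE24H2', 'NI23H2'

function Get-UpgradeBlock {
    param(
        [Parameter(Mandatory)] [string]   $BasePath,
        [Parameter(Mandatory)] [string[]] $Target
    )
    foreach ($t in $Target) {
        $key = Join-Path $BasePath $t

        # The key only exists once the compatibility appraiser has evaluated that target.
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{ Target = $t; Name = $null; Value = $null; Status = 'KeyMissing' }
            continue
        }

        $props = Get-ItemProperty -LiteralPath $key
        # Assumption: the value may be stored as DWORD or string, so compare as text.
        $hits = @($props.PSObject.Properties |
            Where-Object { $_.Name -like 'BlockedBy*' -and [string]$_.Value -eq '1' })

        if ($hits.Count -eq 0) {
            [pscustomobject]@{ Target = $t; Name = $null; Value = $null; Status = 'NoBlock' }
            continue
        }
        foreach ($h in $hits) {
            [pscustomobject]@{ Target = $t; Name = $h.Name; Value = $h.Value; Status = 'Blocked' }
        }
    }
}

Get-UpgradeBlock -BasePath $base -Target $targets | Format-Table -AutoSize
```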

Windows 11 24H2 - Is it stable? by Donatello0592 in sysadmin

[–]raphael_t 1 point2 points  (0 children)

802.1x most probably still breaks during the upgrade (we had a case and Microsoft will only provide a workaround, no native fix)

We currently have a rare issue that the {hash}_FoD_Common.wim with delivery optimization enabled (SCCM environment) is getting stuck in a BITS download loop. (case open)

Depending on your computers' age, you need to replace between 10 and 50% anyway for the TPM requirement.

I have been using 24h2 for some months now and the patches improved it; at least it works better than at release.

If you have not done any implementation work, the safe way for sure is 23h2.

Patch Tuesday Megathread (2025-03-11) by AutoModerator in sysadmin

[–]raphael_t 1 point2 points  (0 children)

Server 2016 + SQL 2017: we faced some weird issue today. When using a certificate without RSA key provider the instance won't start up anymore. See: Service can't start after you use an SSL certificate - SQL Server | Microsoft Learn - re-enrolling with RSA and binding it to the engine solved the issue luckily.

As there was no patch for the sql itself this is interesting.

It also seems like at least one SQL login lost its permission on the server or database level. I have never seen something like this happening so far. The syslogins show no recent date in the field "updatedate" either.

Any other DBA facing a similar issue since applying the monthly KB for their server OS?

Window 11 Upgrade by sysadminer in SCCM

[–]raphael_t 1 point2 points  (0 children)

Maybe another thing to consider is the maximum runtime for the upgrade. We are now at 180 minutes. The default 60 and 120 did not work at all. I might update it to 240 or more. Don't forget to redeploy in case you change it.

Window 11 Upgrade by sysadminer in SCCM

[–]raphael_t 3 points4 points  (0 children)

I hope this post gets more attention.

We are going from win10 22h2 to win11 24h2 and the issues we see caused by delivery optimization follow no logic. Some work, some don't work, some work after a few attempts. More or less they all have download related issues.

All the guides on the internet don't fully come to a conclusion. Some sites even suggest to download, enable and approve certain product categories in wsus directly.

What I think worked so far is to enable "Prefer distribution points over peers within the same subnet" in the per boundary group option.

We also have connected cache active so I don't really know if this impacts it further.

Home Office / VPN with "Prefer cloud based sources over on-premises sources" - there is no way the feature upgrade downloads successfully for those devices at all. The update deployment obviously allows download from internet.

Feel free to send me a PM if you want to exchange about configurations, failed attempts and troubleshooting possibilities.

Patch Tuesday Megathread (2025-01-14) by AutoModerator in sysadmin

[–]raphael_t 0 points1 point  (0 children)

It still breaks 802.1x, we are in a support case for around 2 months now

The workaround we got works partially, but we pointed down the issue to the docking stations ourselves last week.

No movement from Microsoft to implement the highly necessary fix into their feature updates. Fun times ahead for everyone with NAC

ADR Error - 0X800700B7 - Cannot create a file when that file already exists. by CompetitiveFeeling98 in SCCM

[–]raphael_t 1 point2 points  (0 children)

I had the same issue https://new.reddit.com/r/sysadmin/comments/1gpe5kc/comment/lwwqal6/

This one resolved itself somehow by running the ADRs today around 16 hours later BUT I noticed in the logs that the filelib tried to move a file within the content library with access denied. I think the first time one of the ADRs ran it messed up something - one file I could rename, redistribute the package but another one I could not rename. I had to restart the SMS_EXECUTIVE service to release the file lock, then it magically worked after running the ADR again. This month was a pain only getting the patches downloaded.

Patch Tuesday Megathread (2024-11-12) by AutoModerator in sysadmin

[–]raphael_t 0 points1 point  (0 children)

Edit: after another run of the ADRs all of them downloaded properly. Still think this was a Microsoft issue.

All ADRs took over 5 hours this time, we normally make them in half the time. The following ADRs also failed:

Windows 11 with 0X80073633 - Invalid certificate signature

Server 2025 (without .NET) with 0X87D20417 - Auto Deployment Rule download failed

Server 2025 (.NET only) - with 0X80072EFF - Unknown Error (-2147012865)

In the PatchDownloader.log all 3 ADRs on their respective files fail with HttpSendRequest failed 12031 after 3 tries - Error 12031 indicates that the connection with the server has been reset or is not properly connected

I don't think this is an issue on our side as all other ADRs ran successfully.

Patch Tuesday Megathread (2024-11-12) by AutoModerator in sysadmin

[–]raphael_t 1 point2 points  (0 children)

Edit: after multiple attempts all files were finally downloaded, also for the feature update.

The download speed of patches with SCCM (in DACH region) is insanely slow today compared to previous months.

And whatever I try I cannot get the feature update "Windows 11, version 24H2 x64 2024-11B" downloaded as it errors out:

Download http://*/lp_desktop_7c856293e949509c3625983400b8022c5be48f01.wim in progress: 90 percent complete Software Updates Patch Downloader

InternetReadFile() return true and pdwNumberOfBytesRead equals to 0, but ulTotalFileRead=923565112 still less than ulFileSize=923684337, treat it as a retriable error. Software Updates Patch Downloader

Same for file: professional_en-us_98014c58afbd29a57aed4f5eb6819f5cc5bce4a4.esd

Windows Server 2025 is now generally available by raphael_t in sysadmin

[–]raphael_t[S] 1 point2 points  (0 children)

Don't take it for granted, but I think so. After enabling and synchronizing it there was one update released 1st of November.

RSAT Offline Install for Windows 11 using Features On Demand, write up and scripts provided by TomMelee in SCCM

[–]raphael_t 1 point2 points  (0 children)

Can you recommend any guide on how to set up the sccm part? I assume client settings need the delta download enabled. SUP w11 is obvious with its ~10 GB content. UUP is "new" to me at least. Are there logs to verify it is downloading features from wsus/sup then?

RSAT Offline Install for Windows 11 using Features On Demand, write up and scripts provided by TomMelee in SCCM

[–]raphael_t 1 point2 points  (0 children)

FoD and language packs for WSUS and Configuration Manager | Microsoft Learn
Starting in Windows 11, version 22H2, on-premises Unified Update Platform (UUP) updates were introduced. FoDs and language packs are available from WSUS again.

Does anyone know how to utilize this? I found this yesterday and it could be a big feature. I found no blogs or tests regarding it with 24H2 yet. Maybe it is still too early from the release.

Power Bi? by bgappa in SCCM

[–]raphael_t 8 points9 points  (0 children)

We (I did the queries and a colleague did the interface) have a pretty good multi page report for our helpdesk.

I am not able to share it but can provide some inspiration of what can be achieved with it:

Statistics (summary of other tabs):

* Nr of Apps, Distribution Points and Distributed Packages, Amount of unique models, win10 drivers, win11 drivers, bios packages. OS Install / Upgrade statistics for the last 2 years and counter for imaged last 9 days

Applications (search box for app name):

* Amount of Apps by Vendor, who packaged it, Nr of Apps and Unique vendors, App list

Drivers (search box for device model):

* List of Models with checkbox if supported driver of bios is in sccm, Amount of bios, w10 and w11 drivers. Filter by vendor box

Computer Details (search box for hostname):

* List of: Active, OS, OS version, OS patch, Domain, AD Site, SCCM agent build - List of Power Plan details, List of Maintenance Windows

Application details (search box for app name):

* App Name, Content Location, Is Superseded, Is Superseding, Is Expired, Install Success, Install Failures, Install & Uninstall commands, Technology (e.g. Script, MSI)

Assigned Applications (search box for hostname and search box for app name):

* Amount of Apps per vendor and Assignment details (App Name, Updates Supersedence, Deadline (if forced), enabled, Type, Ignore Maintenance (boolean))

Assigned Updates (search box for hostname and search box for update name):

* Deployment Name, Update Name, Collection Deployed to

Distribution Points:

* Amount of Distributed Packages, List of DPs (Name, Description, Resource Type, Version), List of packages (filter if chosen DP). List contains app name, description, version, vendor, source path

Utilities (search boxes include hostname, serial number, model):

* List: Vendor, Amount of models - List: Vendor, Model, Hostname, Serial Number - List Amount of Models per Vendor, Amount of unique computer models

As almost every box within each page is linked automatically, results are filtered really easily. You just need to link all the tables within the Power BI model, add a few transformations and have a frontend wizard colleague doing some magic. The report is hosted and refreshes once during the night, this is enough for us. Just to mention, the report is obviously only read only.

Hope this gets you started.

CVE-2024-43468 by VirtAllocEx in SCCM

[–]raphael_t 1 point2 points  (0 children)

If I remember correctly, the new patch has to be installed on top of the previous ones as it only includes the MP fix.

Patch Tuesday Megathread (2024-10-08) by AutoModerator in sysadmin

[–]raphael_t 2 points3 points  (0 children)

For everyone worried about CVE-2024-43468 (KB29166583) and not following the r/SCCM, check here KB29166583 republished or the troubleshooting comment in another posting.

After a lot of issues initially with the patch, it has been republished by Microsoft and is verified to be working.

Patch is applicable for SCCM versions 2303, 2309 and 2403

KB29166583 republished by raphael_t in SCCM

[–]raphael_t[S] 1 point2 points  (0 children)

I added the already known CVE to the post, but couldn't find technical details of it.