r/SCCM

We're in the middle of migrating our imaging over from MDT to Config Manager and I've mostly got the hang of it, but there are some things I'd still like to mirror in our new environment.

I don't think there's any native way, but does anyone have suggestions on how to save the smsts.log files to the Config Manager server instead of local on the client? With MDT there was a concurrent log being saved to the server that we could access during the deployment process, but so far I've only been able to grab the logs client side. I'd like to be able to save the logs locally though, as not all of our imaging is hands on.

Thanks!

Hi all I would like to knowbif changing drive letter would affect my dp contents.

I have set the dp content to be store on drive D and currently it's full

Does below step affect my dp contents or is it the properly way of migrating into new driver ?

My set upncurrently is i have disk1 = c drive and D driver

1. changing exsisting the latter of driver D to drive letter to F

2. inject new disk 2 and set the driver latter (D)

3. using contents transfer manager tool to transfer (1: driver F ) to (2 :Driver D)

4. merge (1) to existing driver C

Hi everyone,

I’m running into a strange issue with one of our SCCM Management Points and hoping someone here has seen this before.

From time to time, the Management Point shows 0 MB in the Site Status, even though everything seems to be working fine. After restarting the server, it goes back to normal and shows the correct value again.

https://preview.redd.it/fwavsmns8awg1.png?width=1382&format=png&auto=webp&s=d8d523a928240c50f7d00b62f47fed2366b417ea

A few details:

• This issue is happening only on one MP
• We have another Management Point in the same environment with no issues at all
• No obvious errors in Site Status (everything shows OK)
• The issue is intermittent and not tied to a specific action
• Restart temporarily fixes it

What I’m trying to understand:

• Is this just a UI/reporting glitch or something deeper?
• Could it be related to WMI, disk reporting, or SMS services?
• Any specific logs I should focus on for this behavior?

If anyone has faced something similar or can point me in the right direction, I’d really appreciate it.

Thanks!

Hi,

I saw in web report autopilot is available but I can't find it in the admin console. Is it a way bringing it in a wql query?

Thanks,

im using content transfer library tool to move conten of its dp.

however i used the tool but the SMS_DP$ wont move to the new drive.
any workarounds?

I’m able to manually download update packages from the Microsoft Update Catalog without any issues. However, when using ADR the updates fail to download and result in errors.

Is there a difference in network paths or behavior between manual downloads and ADR-based downloads? Is this expected by design?

We start to notice random failure with compliant items and software applications that used the SMS_DCM = "All_x64_Windows_11_and_higher_Clients" rule the client used to determine the OS version when determine applicability. We are on client version 5.00.9141.1011

I took a while do understand that client were all failing the download part of the document CI

the MP had the document as this call would work :
'https://SERVER/SMS\_MP/.sms\_dcm?Id&DocumentId=Windows/All\_x64\_Windows\_11\_and\_higher\_Clients/PROPERTIES'

but the client uses a hash in this manner :
'https://SERVER/SMS\_MP/.sms\_dcm?Id&DocumentId=Windows/All\_x64\_Windows\_11\_and\_higher\_Clients/PROPERTIES&Hash=4137DC6565554E9104738B34603A9C118A4E615C57ADEA859471A34F6377E350'

During my troubleshooting process I forced a policy reset to force all of the client logs to show full activity and low and behold after the ([wmiclass]'ROOT\ccm:SMS_Client').ResetPolicy(1)

the client now download the CI document for "All_x64_Windows_11_and_higher_Clients" with a different hash and URL now works ! Problem solved.

So I have only used ([wmiclass]'ROOT\ccm:SMS_Client').ResetPolicy(1) while troubleshooting, now I am wondering if we should run this proactively once on month to avoid strange issue as this one.

Hi,

I am pretty sure this is a known SCCM feature and was discussed very often.

In our environment starting our OSD Task Sequence (285 KB) from the software center takes around 15 minutes to start. Starting it from PXE it is immediately.

Any idea what we can do about it? Normal application and updates run fine, it is just the TSs.

I read something about WMI and maybe AntiVirus, but not really sure about it how I can check it.

Any ideas about it?

I am trying to get UI++ working.

Should I be able to run v3.0.3.0 from a cmd window in Windows 11 and have it do something? It runs, reads my config file but never shows anything. running it with /? does nothing either

It looks like a powerful tool but I can't get it to work :(

Hi,

Trying to integrate Hybrid Autopilot and one of the last pieces of the puzzle is having Intune install ConfigMgr.

I uploaded CCMSetup.msi from my i386 folder as a LOB app.

After the device finishes pre-provisioning, I have the user sign in. (by the way, can I sign in with a service account first to do this or does it matter who the assigned user on Intune is) I then have to manually change the device name to match our records.

I then go to Company Portal and install the LOB app.

It successfully installs, but it is missing all of our applications, and gives me an error. I noticed that the Client Certificate in ConfigMgr Properties says NONE compared to Self-Signed. Everything else, like the management point/co-management (enabled), Site Code are all good.

What am I doing wrong, I have been struggling for the past few weeks trying to simply install ConfigMgr.

I am trying to push the Adobe Acrobat / Adobe Acrobat Reader 26.001.21431 update with Patch My PC and I am having devices report compliant in MECM when they are not. For example I have a device with Adobe Acrobat (64-Bit) version 24.005.20320 installed but it shows as compliant. In the UpdatesDeployment.log I can see the Acrobat updates are discovered but they do not get installed.

Hey, I really need someone to point me in the right direction to resolve this issue...

We upgraded the OS from Server 2016 to Server 2022

The problem I am seeing was Critical errors against Management Points on all the Site Servers

So I have removed the MP role, removed IIS, restarted server, installed IIS, installed MP role, restarted server

The MPSetup.log file suggests it installed fine.

However the Management Point role under Site Status is still showing Critical

The mpcontrol.log file shows repeated errors:

https://preview.redd.it/gkvjlvx9aqvg1.png?width=1909&format=png&auto=webp&s=a012864c2f04961db12e5ff495c68f943abad157

IIS is showing it is binded to the correct cert

Hey guys,

I’m working on a POC for updating password‑protected Dell BIOS via an SCCM package, wrapped with PSADT, and I’m trying to understand the what are my options to pass an encrypted BIOS password to a Dell bios update tool.

What I found that could be used to update a Dell BIOS:

• Dell Command Update (DCU) can pass an encrypted BIOS password, but I’m not sure if that’s the only supported method.
• BIOSPassword.exe from "Dell Client Integration Pack"
• The standard exe you get, when downloading a dell BIOS update

I didn't do a lot of Dell management in the past, so I would like to check with the community what tools can handle a Dell BIOS update, where it's password protected.
If DCU is my only option, is there a way to block users from manually doing a driver update/BIOS update scan? So that I could just use the cli tool? (I have a mixed environment, where not all machines have Internet)

P.S.

I already have a process using a Task Sequence, but this POC needs to use PSADT.

I am working to get BIOS's updated to prepare for the Secure Boot (2023) certificate updates. I already use Modern Driver Management so I setup Modern BIOS Management and got it working using a task sequence that kicks off in Windows. But I am unsure how to handle rebooting at the end. Currently the TS finishes silently and thats it, then if I manually reboot the device it kicks off the firmware update just after POST.

I have read that if the machine waits to long or has bad timing with policy updates or settings being reapplied you can end up with Bitlocker being re-enabled before the reboot to install the new BIOS. Then you have a bunch of machines that need to have their recovery key entered.

We do not have a specific after hours maintenance window and half of our devices are laptops so they wouldn't be ready for a maintenance window anyways. I was thinking about trying to turn it into a Application install so I could have better options for reboots that the user can delay for a while.

WHY is Adobe so @#$$%(@#$* moronic?

I want to kill EVERY version of Reader out there and replace it with the shiny new version that fixes their zero-day... 32 bit, 64 bit, doesn't matter, and it's driving me mad.

How are you supposed to do this? Pretend I'm 5. :) I need help.

Hello,

I am trying to find a way to apply a specific driver set to computers by matching their models with a WMI query. The issue is I am not sure if WMI queries still work since Windows 11 25H2 has dropped WMI as a built-in component. Does anyone know if the WMI filtering for apply driver step in task sequence still works? I am just not sure if WinPE still support WMI queries.

The link above is for one version, but the story is the same for everything else, including Windows 10 (LTSB/ESU) and Windows Server.

In a _very_ specific scenario, users are going to get a BitLocker recovery prompt after updating. If this is not you, then you are fine:

1. BitLocker is enabled on the OS drive.
2. The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).
3. System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as "Not Possible".
4. The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default.
5. The device is not already running the 2023-signed Windows Boot Manager.

There's a workaround: change the GPO and then disable and reenable BitLocker. Not trivial, you're going to need to script and deploy that.

You can also apply a Known Issue Rollback (KIR) so it won't happen in the first place.

In _both_ cases, you have to apply this before the update is installed. If users get hit, they will need the BL key. Only once though, should be fine after that.

Currently working on fully moving away from SCCM over to Intune. I already have a script being deployed via Intune to start the un-install of the Agent, and been slowly cleaning up those computers in SCCM. What I am trying to figure out is the best way to handle servers, since they can't be onboarded and managed via Intune.

My current setup is as follows:

• SCCM Agent installed on each server
• Microsoft Defender shows the devices Onboarded
• Intune shows the server listed twice. One Managed by ConfigMgr the other managed by MDE.
• Domain Controllers are also Onboarded but only showing up in Intune as Managed by MDE.
• During monthly updates, we manually update them since its only about 70 servers. However, Defender Antivirus updates are automatically installed (see more info below)

Other then un-installing the SCCM agent, are there any other steps that need to be taken?

Regarding the Defender updates, I am still currently running an ADR for Endpoint Protection for both my Workstations and Servers, however since all Workloads are moved to Intune I am unsure if those updates are going through SCCM or Intune. The registry key DefinitionUpdateFileSharesSources is blank, so I am hoping that disabling that ADR will have zero impact.

Any feedback would be appreciated.

Thank you for your assistance.

Hi

I have a new site set up.

ADRs are set to run and download what is required only.

I have PMPC implemented. The deployment packages don't total more than 20Gb.

But the WSUSContent folder is at 268Gb, even with monthly runs of the WSUS Cleanup Wizard and the clean-up options enabled for the Software Update Point.

If I go into the WSUS console > Options > Automatic Approvals.
There is an entry "Default Automatic Approval Rule", un-ticked. If I click edit, I can see:

https://preview.redd.it/tlid4woaxdvg1.png?width=1020&format=png&auto=webp&s=9d54ab19ab397886d03c9b57193ad3ecad57229a

https://preview.redd.it/bd8te51dxdvg1.png?width=471&format=png&auto=webp&s=26036154842d8e2dcc8f1ae7e094ab0374464bdc

Are these settings correct?

And wow can I clean up the WSUSContent folder?

Cheers.

Hi guys

Trying to install Claude AI using the msix and works 50% of the time for some reason seems the ones getting failures get the error 0x80073d28 .. not too sure what this error is has anyone seen this before?