October security #updates causing #SCOM 2012 R2 console #crash

Microsoft releasd last week two new updates during the newly announced servicing model.

This updates, named”October, 2016 Security Only Quality Update for Windows Server 2012 R2 (KB3192392)” and “October, 2016 Security Monthly Quality Rollup for Windows Server 2012 R2 (KB3185331)” causing the System Center Operation Manager Console crashing when tying to use the Windows Computers view.


Currently there is no other way as removing the update from your management servers where the SCOM console is installed.

Let me know if you have a better solution!


ConfigMgr 1606 – Configure Office 365 Client Agent Settings(Configuration Manager Current Branch)

Hi reader,

The newest Version of System Center Configuration Manager Current Branch (1606) is rolling out these days with a lot of new features and opportunities.

As the update is rolled out globally in the coming weeks, it will be automatically downloaded and you will be notified when it is ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, this PowerShell script can be used to ensure that you are in the first wave of customers getting the update.

Beginning in Configuration Manager version 1606, you can use the Configuration Manager client setting to manage the Office 365 client agent. Configure your Client Settings \ Software Updates Settings. There you can find now a new option called “Enable management of the Office 365 Client Agent“.


After you configure this setting and deploy Office 365 updates, the Configuration Manager client agent communicates with the Office 365 client agent to download Office 365 updates from a distribution point and install them. Configuration Manager takes inventory of Office 365 ProPlus Client settings.

Find more details on TechNet: https://technet.microsoft.com/en-us/library/mt741983.aspx

Configuration Manager 1602- backup your CD.Latest folder

Today I got a support case where I had to restore my first ConfigMgr Current Branch 1602.

No prob, we do have a nice SQL DB backup of the ConfigMgr database.

Let’s do the following:

  1. Close all consoles
  2. Stop all SMS Services (will also be done by the recovery wizard)
  3. Start the setup.exe from the CD.Latest (“Your Install Directory”\Microsoft Configuration Manager\cd.latest\SMSSETUP\BIN\X64)

But here I got stock. The “Recovery Site” option was greyed out. Of course I tried different ways to start the splash.hta or the setup.exe using admin rights. No way. The option was never available.


During research I found that the Site Maintenance job in ConfigMgr is also creating a folder called CD.Latest. But the customer did never activate the Site Maintenance job as they use a third party backup solution to backup the SQL Databases.

However, I configured the Site Maintenance Task and started the SMS_SITE_BACKUP service. This was creating the CD.Latest folder under my backup folder.


With this version of the setup.exe file could restore the database .

What we did:

–          Stopped all services
–          Detached the no longer needed CM_”SiteCode” database from the SQL Server using the SQL Server Management Studio
–          Restored the good database from Sunday (used the SQL option “override existing files”)
–          Started CD.Latest from the newly created backup folder (F:\Backup\W01Backup\CD.Latest)
–          Used “Site Database that has manually recovered” as we restored it in SQL



Please be aware of a very important change required to your backup strategy in Configuration Manager 1511, 1602 (and later). As you know regular upgrades will be available for the product (every 4 months or so) and you will be able to upgrade using update packages in the “Updates and Servicing” node of the Administration > Cloud Services workspace.

–          Make sure you enable the “Site Maintenance” Job for the site.
–          Backup the Backup folder as this will allow you to restore the ConfigMgr 1602 server in case of a bare metal restore

This folder will be required when you are recovering a failed site so it must be included in a backup strategy. Note that the built in backup maintenance task will back up this folder automatically. Also note that there is no point in backing up this folder once. It must be ongoing because, when upgrades are installed, Configuration Manager also updates the CD.Latest folder with the current files.

Find more informations on TechNet:


Hyper-V error during RDS VDI collection creation

For a RDS VDI test environment we decided to use an internal switch on the Hyper-V server. This is not working.

As a consequence, in Hyper-V the external network was not up. This resulted in the following error during the creation of a VDI collection:



Server computer.domain.com either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned

This is unlikely to be a concern in any type of real life environment because those will have the external NIC connected at all times. However, it may occur when you are in a test environment and are trying to isolate from the production environment.

Conclusion: You have to configure an external switch which is connected to a physical LAN cable. DHCP is enough but of course you can also set a static IP on the NIC.

Issue removing old SQL Server from ConfigMgr

Situation before migration:

1x Primary Site ConfigMgr 2012 R2 no CU (OS Win 2008 R2) – no OS upgrade Support (*)
2x Secondary Sites 2012 R2 no CU
1x SQL Server 2008 R2 SP2 no CU
2’500 Clients worldwide


1 Primary Site Current Branch 1511
New OS Windows Server 2012 R2
1 local installed SQL Server
no more Secondary Sites
several DP’s around the world

Most of the things went smoothly but at one point for now we stuck. We’re not able to remove the old remote SQL Server. The Server still appears in the Site System Roles and if we try to remove the Site Database server role (remove is not greyed out) we recieve the error: “The Server cannot be deleted because it contains the following roles:”


We also tried to change the reg keys under SMS_Site_Componets_Manager\Multisite Componet Server\”Name of remote SQL”\Deinstallation Start Time\ set to 1.




Run the following Query in SQL Management Studio in order to find and replace the orphaned relationships.

Change with the corresponding names in < > and run against the SCCM DB :


use CM_<sitecode>
declare @ServerName varchar(15)
set @ServerName=’<orphanFQDN>

delete from statusmessages where machinename=@ServerName
delete from Summarizer_Components where MachineName like ‘%’+@ServerName+’%’
delete from summarizer_sitesystem where sitesystem like ‘%’+@ServerName+’%’
delete from statusmessageinsstrs where insstrvalue like ‘%’+@ServerName+’%’
delete from sysreslist where servername=@ServerName
delete from sc_sysresuse where nalpath like ‘%’+@ServerName+’%’


After that, reboot the Primary Site. This will remove the server from your Management Console and ConfigMgr Database.

ConfigMgr CB 1602 no supports OS Upgrade from 2008 R2 to 2012 R2. Make sure you uninstall WSUS first.


Cheers, Al






ConfigMgr 1511 MP Troubleshooting – HTTP test request failed, status code is 403. “Forbidden” – Managing MAC OSx

I have recently faced following issue “HTTP test request failed, status code is 403. “Forbidden” ” on Management Point and was not Abel to connect MAC OSx Devices to the MP. To fix this issue, I followed the below steps and maybe you can do so.


We have HTTPS enabled on the Management Point for managing MAC OSx Clients and it is still not able authenticate. Due to this it is reporting this error.

The MPControl.log is reporting following error:
“Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden” “HTTP test request failed, status code is 403. ‘Forbidden”



Look at the IIS Log files under your inetpub folder for more details of the error. The log files are located under  (C or D drive)  \inetpub\logs\Logfiles\W3SVC1

As you see in the below highlighted line error code 403 13, which indicates an issue with Client Certificate Revocation (CRL) Check on IIS.


To fix this issue disable the Revocation check. Client Certificate Revocation is enabled by default. We need to delete all existing bindings on IIS and readd them again. The easiest way to do this is using the netsh command.

  1. Run the below command line and make a note of the details
    netsh http show sslcert
  2. Delete existing SSL bindings
    netsh http delete sslcert ipport=
  3. Readd SSL binding and disable CRL check
    netsh (enter)
    http add sslcert ipport= certhash= 6cfa619aa7cb9eed29d1ccb0ec783ee40d20281c appid={4dc3e181-e14b-4a21-b022-59fc669b0914}  certstorename=My  verifyclientcertrevocation=disable
  4. Run “netsh http show sslcert” again to check the status of the CRL check
  5. Check the mpcontrol.log. The error is gone.

Tray again to connect your MAC OSx ConfigMgr Client to your ConfigMgr Primary Site Server. You should now be able to connect. Your MAC will also appear in the ConfigMgr console.


Connection to ConfigMgr established:


Now manage your MAC under “Devices” in the ConfigMgr Console:


Use this as a workaround if you’re not able to publish the CRL for your Site Servers.

Enjoy ConfigMgr!


House of cards – new WSUS Option in ConfigMgr 1511

In the past we used the guide from Kent Agerlund (MVP) for cleaning up the WSUS Database in ConfigMgr, also called the house of cards! This guide is still very popular and of course necessary for having a correct configured WSUS Server. As Kent mentioned, you should do the cleanup task every Monday morning before you start any other work :-)!

But now we got a new option in ConfigMgr 1511 when we setup the Software Update Point. This will allow ConfigMgr to cleanup the WSUS Database and remove any obsolet updates from the WSUS DB.


To enable and run the WSUS cleanup job

  1. In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.

  2. Click Configure Site Components in the Settings group, and then click Software Update Point to open Software Update Point Component Properties.

  3. Click the Supersedence Rules tab, select Run WSUS cleanup wizard, and then click OK.

Thanks to the MS Product Team to integrate this feature in future ConfigMgr versions!