Configuration Manager – The server cannot be deleted because it contains the following site system roles – Unable to remove Site Systems from SCCM

Unable to remove Site Systems from SCCM when Multicast Service Point has been enabled

All roles have been removed but Component server still shows


The first step is to check which roles remain on the server but are not showing in the console. Run the following cmdlet from a ConfigMgr PowerShell session, substituting your site code and the site system's FQDN:

Get-CMSiteRole -SiteCode "ABC" -SiteSystemServerName "<server FQDN>" | Select-Object RoleName


As you can see above, the SMS Multicast Service Point role is still present, but it is not possible to remove it via the console because the Distribution Point role it depends on has already been removed.

And of course the site system cannot be removed while any role is still recorded against it.





Run the following in PowerShell, supplying the site system's FQDN:

Remove-CMSiteRole -SiteCode ABC -SiteSystemServerName "<server FQDN>" -RoleName "SMS Multicast Service Point"


Then restart the SMS_SITE_COMPONENT_MANAGER service on the site server.


After some time the component server entry should disappear from Servers and Site System Roles, and you should then be able to remove the site system.

If the component server entry is still showing after a long wait, remove its key from the registry on the site server and restart the same service:

HKLM\Software\Microsoft\SMS\Components\SMS_SITE_COMPONENT_MANAGER\Component Servers\SERVERNAME
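The whole clean-up as one script, as an added example that is not part of the original post. It assumes site code ABC, a placeholder site system name, that it runs on the site server with the ConfigMgr console installed, and that the registry key is named after the server's NetBIOS name (the post only shows SERVERNAME), so it matches on the host part of the FQDN.

```powershell
# Added example (not from the original post): remove an orphaned
# SMS Multicast Service Point role and the stale component-server key.
# Assumptions: site code ABC, placeholder site system FQDN, run on the
# site server with the ConfigMgr console installed.
param(
    [string]$SiteCode   = 'ABC',
    [string]$SiteSystem = 'mcast01.lab.local'   # placeholder, not from the post
)

# Load the ConfigurationManager module from the console install path and
# switch to the site drive, as the console's PowerShell shortcut does.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$SiteCode`:"
try {
    # 1. List every role the site still records for this server.
    $roles = Get-CMSiteRole -SiteCode $SiteCode -SiteSystemServerName $SiteSystem
    $roles | Select-Object RoleName | Format-Table -AutoSize

    # 2. Remove the multicast role left behind after the DP role went.
    if ($roles | Where-Object RoleName -eq 'SMS Multicast Service Point') {
        Remove-CMSiteRole -SiteCode $SiteCode -SiteSystemServerName $SiteSystem `
            -RoleName 'SMS Multicast Service Point' -Force
    }
}
finally {
    Pop-Location
}

# 3. Restart the component manager so it re-evaluates the server.
Restart-Service -Name SMS_SITE_COMPONENT_MANAGER

# 4. If the component-server key lingers, remove it and restart again.
$base = 'HKLM:\SOFTWARE\Microsoft\SMS\Components\SMS_SITE_COMPONENT_MANAGER\Component Servers'
$host = $SiteSystem.Split('.')[0]
$stale = Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq $host -or $_.PSChildName -eq $SiteSystem }
if ($stale) {
    $stale | Remove-Item -Recurse
    Restart-Service -Name SMS_SITE_COMPONENT_MANAGER
    "Removed component server key for $SiteSystem; check Servers and Site System Roles after a few minutes."
}
```

Give the component manager a few minutes between steps 3 and 4 before deciding the registry key is stale; the service removes it itself on a healthy site.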


Windows 10 1511 & SCCM CB WSUS Error – 0x80240fff – Fix

I have finally had time to test a permanent fix for the 1511 scan failure. Please take note that this fix was performed in a lab environment and has not been tested in production.

While it is a fix, there may be others available; please make sure you try this in a pilot/dev environment before implementing it in production. I take no responsibility for it going wrong in production 🙂



First you need to download the latest cumulative update (CU) for 1511 from the Microsoft Update Catalog:


X64 – Download Here

X86 – Download Here


Once downloaded, add it to your SCCM package share folder and create a package as shown below.



Create a standard program and make sure the settings reflect the below.


Here is the command line – wusa.exe <Insert Package.msu>  /quiet /norestart

Example – wusa.exe windows10.0-kb4022714-x64_edf4e51111abeea65f7cbcf75755210bb6a711e3.msu /quiet /norestart





Once packaged, right-click the package and distribute the content to your required distribution points.


Now time to deploy

You want to make sure you are deploying only to Windows 10 1511 (OS build 10586), so create a collection with the following query:



Now right click your program and select deploy choosing the collection created in the above step


It's up to you what you do here, but keep in mind that 'Required' will force the install; for testing purposes I have set it to Available.







Review your summary and finalise.
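The same package, program, distribution, collection and deployment steps driven from the ConfigMgr PowerShell module, as an added example that is not part of the original post. The site code, source share, DP group and object names are placeholders; the MSU file name is the one shown above, and the collection query keys on OS build 10586, which is Windows 10 version 1511. Older console builds expose the deployment cmdlet as Start-CMPackageDeployment with the same parameters.

```powershell
# Added example (not from the original post): package the 1511 CU, create the
# wusa.exe program, distribute it, build a 1511-only collection and deploy it
# as Available from the ConfigMgr PowerShell module.
# Assumptions: site code ABC; share, DP group and object names are placeholders.
param(
    [string]$SiteCode   = 'ABC',
    [string]$SourcePath = '\\sccm01\Packages\Win10-1511-CU',   # placeholder share
    [string]$Msu        = 'windows10.0-kb4022714-x64_edf4e51111abeea65f7cbcf75755210bb6a711e3.msu',
    [string]$DpGroup    = 'All DPs'                           # placeholder DP group
)

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$SiteCode`:"
try {
    # 1. Package pointing at the share that holds the .msu.
    $pkgName = 'Windows 10 1511 - June 2017 CU (KB4022714)'
    New-CMPackage -Name $pkgName -Path $SourcePath | Out-Null

    # 2. Standard program: hidden, admin rights, whether or not a user is logged on.
    New-CMProgram -PackageName $pkgName -StandardProgramName 'Install CU' `
        -CommandLine "wusa.exe $Msu /quiet /norestart" `
        -RunType Hidden -RunMode RunWithAdministrativeRights `
        -ProgramRunType WhetherOrNotUserIsLoggedOn | Out-Null

    # 3. Distribute the content to the DP group.
    Start-CMContentDistribution -PackageName $pkgName -DistributionPointGroupName $DpGroup

    # 4. Query-based collection limited to OS build 10586 (Windows 10 1511).
    $collName = 'Windows 10 1511 Devices'
    New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems' | Out-Null
    $wql = @'
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_OPERATING_SYSTEM.BuildNumber = "10586"
'@
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collName `
        -RuleName 'OS build 10586' -QueryExpression $wql

    # 5. Deploy as Available for the pilot; change to Required to force the install.
    New-CMPackageDeployment -StandardProgram -PackageName $pkgName -ProgramName 'Install CU' `
        -CollectionName $collName -DeployPurpose Available `
        -FastNetworkOption DownloadContentFromDistributionPointAndRunLocally `
        -SlowNetworkOption DownloadContentFromDistributionPointAndLocally
}
finally {
    Pop-Location
}
```

Keying the collection on BuildNumber rather than on the Version string avoids picking up 1607 or later machines if the inventory's friendly version ever changes format; the update group membership is evaluated on the next collection refresh.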

Now let's wait for the test machine to pick up the new advertisement in Software Center.



Before we start, take note of the error showing in WUAHandler.log:



Windows Update Agent Version is 10.0.10586.0



Choose Install




Verify the installation by looking for the Windows Update Standalone Installer and Windows Modules Installer processes (it may take a while; my lab machine took 40 minutes to complete).








Once completed, restart the machine.




Check the Windows Update Agent Version

Now run a software update scan cycle

Watch WUAHandler.log; you will now see the PC completing its scan.
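The two verification steps above (agent version, then a scan) as one client-side script, added here as an example and not part of the original post. It assumes it runs elevated on the client with the default CCM log path, and it only reads log lines written after the scan is triggered so an older "Successfully completed scan" entry cannot mask a fresh failure.

```powershell
# Added example (not from the original post): report the Windows Update Agent
# build, trigger a ConfigMgr Software Updates Scan Cycle and return the result
# of that scan from WUAHandler.log.
# Assumptions: run elevated on the client; default log location.

# 1. Agent version: 10.0.10586.0 is the RTM agent the post shows before the fix.
$wua = (Get-Item "$env:SystemRoot\System32\wuaueng.dll").VersionInfo.ProductVersion
"Windows Update Agent version: $wua"

# 2. Remember how much of the log exists, then trigger the scan (schedule ...113).
$log = Join-Path $env:SystemRoot 'CCM\Logs\WUAHandler.log'
$before = @(Get-Content -Path $log -ErrorAction SilentlyContinue).Count
Invoke-WmiMethod -Namespace root\ccm -Class SMS_Client -Name TriggerSchedule `
    -ArgumentList '{00000000-0000-0000-0000-000000000113}' | Out-Null

# 3. Poll only the new lines for a success or a "Scan failed with error = 0x..." entry.
$deadline = (Get-Date).AddMinutes(10)
$result = $null
do {
    Start-Sleep -Seconds 15
    $new = @(Get-Content -Path $log -ErrorAction SilentlyContinue) | Select-Object -Skip $before
    $result = $new |
        Select-String -Pattern 'Successfully completed scan|Scan failed with error = 0x[0-9A-Fa-f]+' |
        Select-Object -Last 1
} until ($result -or (Get-Date) -gt $deadline)

if (-not $result) {
    'No scan result logged within 10 minutes; check that the SUP is reachable.'
} elseif ($result.Line -match 'Scan failed with error = (0x[0-9A-Fa-f]+)') {
    # 0x80240fff is the OS-upgrade filter failure this post is about.
    "Scan failed: $($Matches[1])"
} else {
    'Scan completed successfully.'
}
```

Run it once before installing the CU and once after the reboot; the agent version should change and the final line should move from the 0x80240fff failure to a successful scan.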

In my case there is a new warning because the June Malicious Software Removal Tool update has a problem accepting its license. I have seen this in a few environments and it leads me down the next rabbit hole...


Overall your client should now be healthy and ready to update.

I can now see the feature update for 1607

Hope this nails it once and for all!

Please feel free to comment with your experiences and I'll do my best to help.

Configuration Manager Health Check Script

With the recent events (WannaCry) of the last few months, making sure your environment has a collection of healthy clients, including the latest Windows Update Agent, is crucial to surviving the threats being unleashed in the modern world. You may be able to produce compliance reports showing good figures, say >96% (let's get real, that is almost impossible), but what about the clients that should be present in your compliance report and are not showing? Are you reporting against the unknown? How are you tackling the clients that fall into that category?

Here is some help:

Thanks to Anders Roland there is a health script available to take care of those pesky clients you don't have the time to look after yourself, or have been queuing up for later. Now you can deal with them once and for all, 99.9% of the time; nothing is ever perfect, right...


Please follow Anders' instructions in the implementation guide.


I strongly recommend following the Group Policy guide found there as well.


Powershell Script with Arguments as a Scheduled Task










Windows 10 1511 & SCCM CB WSUS Error – 0x80240fff

Please review the fix posted above before working through the troubleshooting below.


I recently encountered an error on every Windows 10 version 1511 machine scanning against the SCCM CB lab environment for updates.


The error messages in WUAHandler.log on a Windows 10 version 1511 client:

“OnSearchComplete – Failed to end search job. Error = 0x80240fff”

“Scan failed with error = 0x80240fff”

WindowsUpdate.log provides more information. On 1511 the log is kept as ETW traces, so you'll need to run the PowerShell cmdlet Get-WindowsUpdateLog to generate a readable log file before you can get at the useful detail.



Opening the log it shows some error messages:

Two Swap OSUpgrades are found, Update1 = {7F016D4C-C9A6-4699-A7DA-3D86EF81843F}.201, Update2 = {83695761-2AAC-4890-B68E-94B01BAC720C}
FilterInappropriateOSUpgrade failed, hr=80240FFF
Exit code = 0x80240FFF
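Pulling the two update IDs out of that log automatically, so they can go straight into the SQL query below, as an added example that is not part of the original post. It assumes it runs elevated on the client (on 1511 Get-WindowsUpdateLog may need internet access to fetch symbols), a placeholder output path, and the CM_LAB database name used in this post.

```powershell
# Added example (not from the original post): regenerate WindowsUpdate.log on a
# Windows 10 1511 client and extract the update IDs from the
# "Two Swap OSUpgrades are found" line that precedes the 0x80240FFF exit.
# Assumptions: run elevated on the client; output path and DB name are placeholders.

$out = Join-Path $env:TEMP 'WindowsUpdate.log'   # placeholder location
Get-WindowsUpdateLog -LogPath $out | Out-Null     # merges the ETW traces into readable text

# Matches "Update1 = {GUID}.rev, Update2 = {GUID}" exactly as the post shows it.
$pattern = 'Update1 = \{(?<u1>[0-9A-Fa-f-]{36})\}(?:\.\d+)?, Update2 = \{(?<u2>[0-9A-Fa-f-]{36})\}'
$hits = Select-String -Path $out -Pattern $pattern
if (-not $hits) {
    'No "Swap OSUpgrades" entries found; this scan failure has a different cause.'
    return
}

# Distinct IDs, since the line repeats on every failed scan.
$ids = foreach ($h in $hits) {
    $h.Matches[0].Groups['u1'].Value
    $h.Matches[0].Groups['u2'].Value
}
$ids = $ids | Sort-Object -Unique
'Feature updates competing in the scan:'
$ids

# Emit the lookup query with the IDs filled in, ready to paste into SSMS.
$inList = ($ids | ForEach-Object { "'$_'" }) -join ', '
@"
SELECT CI_UniqueID, Title, DateRevised
FROM [CM_LAB].[dbo].[v_UpdateInfo]
WHERE CI_UniqueID IN ($inList)
"@
```

The FilterInappropriateOSUpgrade failure is the agent refusing to choose between two applicable OS upgrades, so both IDs matter; the query returns the titles and you decide which one to decline on the WSUS side.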

Now I need to identify the update IDs shown in the error log and translate them into English.

Fire up SQL Server Management Studio on your top-level site and run the following query against the site database, populating the update IDs from the log. Make sure you change the database name (CM_LAB) to match your environment and replace the CI_UniqueID value with the ID you want to look up:

SELECT CI_UniqueID, Title
FROM [CM_LAB].[dbo].[v_UpdateInfo]
WHERE CI_UniqueID = '7F016D4C-C9A6-4699-A7DA-3D86EF81843F'


The results are shown below; look at the Title column.

Now I know which two updates could be the problem. Considering 1607 has been available for a while and the problem only started with 1703, let's focus on that particular update:

Feature update to Windows 10 Enterprise, version 1703, en-us

The following are changes made in a Lab environment, for Production Systems it is best to log a MS Support ticket.


Fire up the WSUS console and select the filter shown below


Search for the update title returned in the SQL query and choose decline

Once declined, the problem machine should complete a WSUS scan.

If you’re worried about declining updates from the WSUS console, you can always set them back to not approved. Once a full sync occurs with SCCM SUP (Top Level) the updates will show green again for deployment.


For returning the updates declined back to normal, locate the declined updates in the WSUS console


Right click the update and select approve

Then select not approved

And OK


This will reverse the changes made. The next thing is to have the update show green in SCCM again. This is the tricky part, because a full sync of WSUS is required from the top-level site. Just setting a custom schedule won't achieve a full sync; you will need to change a setting for this to work.
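The decline and the reversal to Not Approved against the WSUS API rather than the console, as an added example that is not part of the original post. It assumes it runs on the top-level SUP/WSUS server (Get-WsusServer takes -Name, -PortNumber and -UseSsl for a remote one) and takes the exact title returned by the v_UpdateInfo query.

```powershell
# Added example (not from the original post): decline the 1703 feature update in
# WSUS so 1511 clients can finish scanning, or set it back to Not Approved.
# Assumptions: run on the WSUS server; title is the one returned by v_UpdateInfo.
param(
    [ValidateSet('Decline', 'Revert')]
    [string]$Action = 'Decline',
    [string]$Title  = 'Feature update to Windows 10 Enterprise, version 1703, en-us'
)

$wsus = Get-WsusServer   # local WSUS; add -Name/-PortNumber/-UseSsl for a remote server

# SearchUpdates is a substring match on the title, so filter to the exact title.
$updates = $wsus.SearchUpdates($Title) | Where-Object { $_.Title -eq $Title }
if (-not $updates) { throw "No update titled '$Title' found in WSUS." }

switch ($Action) {
    'Decline' {
        foreach ($u in $updates) {
            $u.Decline()
            "Declined: $($u.Title) [$($u.Id.UpdateId)] rev $($u.Id.RevisionNumber)"
        }
    }
    'Revert' {
        # Declined -> Not Approved, the state the post restores via the console.
        $allComputers = $wsus.GetComputerTargetGroups() | Where-Object Name -eq 'All Computers'
        foreach ($u in $updates) {
            $u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::NotApproved,
                       $allComputers) | Out-Null
            "Set to Not Approved: $($u.Title) [$($u.Id.UpdateId)]"
        }
    }
}
```

Declining in WSUS does not touch the ConfigMgr catalog until the next sync, which is why the reversal still needs the full SUP sync described next.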

Navigate to Administration > Site Configuration > Sites and select your top level site (the site that syncs with Microsoft) in my case its the Primary

Choose Configure Site Components > Software Update Point

On the Supersedence Rules tab I changed the setting to "Do not expire a superseded software update until the software update is superseded for..." and bumped the time limit up to 4 months. Changing this setting is what makes the next sync a full sync (you can change it back once the full sync completes).


Now select the sync schedule tab and choose Custom schedule

Set this to 5 minutes into the future.

Click OK and open wsyncmgr.log on the top-level site server; you should start to see the updates resync into the DB. This may take a few hours.

SCCM Console – Before




Best advice:

Log a support case with MS.



March, 2017 Security Monthly Quality Rollup for Windows Server – Fails to install with Configuration Manager 2012 R2 SP1

I had a customer report an issue this week trying to install MS17-006 on all 2012 R2 and 2008 R2 servers in their environment.

The WUAHandler.log file produced an error:

“User cancelled the installation”

The update then showed it had failed to install.

The maximum run time set on this update was only 5 minutes.


I changed this value to 30 minutes to be on the safe side, gave it time to marinate (as with everything in SCCM), and it installed.

Please note that the time you set here feeds into the maintenance window calculation: the client will not start an update whose maximum run time does not fit in the time left in the window. So if you have a few updates to get through in a small window, be cautious and always pilot deployment changes.
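Changing the maximum run time from the console's PowerShell and sizing it against a maintenance window, as an added example that is not part of the original post. It assumes site code ABC, a title wildcard and an update group name that are placeholders, and a 60-minute window; MaxExecutionTime on the update object is in seconds.

```powershell
# Added example (not from the original post): raise the maximum run time on a
# software update and compare an update group's run times with a maintenance window.
# Assumptions: site code ABC; title wildcard, group name and window are placeholders.
param(
    [string]$SiteCode  = 'ABC',
    [string]$TitleLike = '2017-03 Security Monthly Quality Rollup for Windows Server 2012 R2*',
    [string]$GroupName = 'Server Patching 2017-03',   # placeholder update group
    [int]$MaxMinutes   = 30,
    [int]$WindowMins   = 60
)

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$SiteCode`:"
try {
    # 1. Find the rollup(s) and set the new maximum run time (minutes).
    $updates = Get-CMSoftwareUpdate -Fast | Where-Object { $_.LocalizedDisplayName -like $TitleLike }
    foreach ($u in $updates) {
        'Before: {0} = {1} min' -f $u.LocalizedDisplayName, ($u.MaxExecutionTime / 60)
        Set-CMSoftwareUpdate -InputObject $u -MaximumExecutionMins $MaxMinutes
    }

    # 2. Maintenance-window check. Each update must individually fit in the time
    #    remaining in the window; the sum is the worst case for one window.
    $group = Get-CMSoftwareUpdate -UpdateGroupName $GroupName -Fast
    $tooBig = $group | Where-Object { ($_.MaxExecutionTime / 60) -gt $WindowMins }
    $total  = ($group | Measure-Object -Property MaxExecutionTime -Sum).Sum / 60

    "Group '$GroupName': $($group.Count) updates, $total min of run time against a $WindowMins-minute window"
    if ($tooBig) {
        'These will never start inside the window:'
        $tooBig | ForEach-Object { '  {0} ({1} min)' -f $_.LocalizedDisplayName, ($_.MaxExecutionTime / 60) }
    }
}
finally {
    Pop-Location
}
```

A run time that is too short gives the "User cancelled the installation" failure above; one that is too long simply stops the update from being attempted in a short window, so pilot both directions.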


Azure Conditional Access Rules break AAD Connect setup and configuration

Today I came across an interesting issue in my lab when trying to set up and configure Azure Active Directory Connect.

Errors Message:

AAD Connect Error Message

Checking the log is no help either; it just points me to the same error.

Error Message:

[ERROR] Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.


Hmm what’s this about?

Let me google that for you –

Not very helpful either.

After many painstaking searches I found a reference to an issue where Conditional Access rules may be the root cause.

I started digging into the rule that was enabled.


In detail


Controls selected


I disabled the rule and hit retry in AAD Connect to check if it was the cause.





Now I've found part of the problem, but I still needed to solve the other piece of the puzzle; after all, I wanted this rule in place even if it means some compromise.

What is it inside my policy that is causing this error to appear?

Well, it looks like I didn't exclude an important account from the Conditional Access policy:

My On-Premises Directory Sync account


I added the account to the rule's exclusions and we are through.
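A read-only check that every Conditional Access policy targeting all users excludes the sync account, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK, a newer tool than the portal steps above, assumes the account still carries the default display name AAD Connect gives it, and only evaluates direct user inclusions and exclusions (group-based scoping is not expanded).

```powershell
# Added example (not from the original post): find the AAD Connect sync account
# and list Conditional Access policies that apply to it without excluding it.
# Assumptions: Microsoft Graph PowerShell SDK installed; default sync account
# display name; group-based inclusions/exclusions are not expanded.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All' | Out-Null

$syncAccounts = Get-MgUser -Property Id, DisplayName, UserPrincipalName `
    -Filter "startswith(displayName,'On-Premises Directory Synchronization Service Account')"
if (-not $syncAccounts) { throw 'No directory synchronization account found in the tenant.' }

$policies = Get-MgIdentityConditionalAccessPolicy
foreach ($acct in $syncAccounts) {
    "Sync account: $($acct.UserPrincipalName) ($($acct.Id))"
    foreach ($p in $policies) {
        $users = $p.Conditions.Users
        # The policy reaches the account if it targets All users or names the account,
        # and the account is not in the exclusion list.
        $included = ($users.IncludeUsers -contains 'All') -or ($users.IncludeUsers -contains $acct.Id)
        $excluded = $users.ExcludeUsers -contains $acct.Id
        if ($included -and -not $excluded) {
            '  [{0}] {1} -> applies (controls: {2})' -f $p.State, $p.DisplayName,
                (($p.GrantControls.BuiltInControls) -join ', ')
        }
    }
}
```

Any policy listed with a grant control such as mfa is the one that will throw the modal-dialog error above, because the sync account authenticates from a service context that cannot satisfy an interactive control.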


Hope this helps someone save some time when encountering this issue.


Windows 10 Version 1703 – First Run Experience

Windows 10 version 1703 dropped into Current Branch on April 11, and there are some significant changes to the first run experience to take note of. The GUI has been given a facelift!

Here is a run-through of what to expect during setup with an Enterprise edition

Most wizards remain the same until you reach the First Run Setup Wizard.

Lets start with the basics

One little gripe I have here: keyboard entry doesn't work, so typing the letter A won't scroll me up automatically. Instead I have to scroll up through every region between United States and Australia! This is not cool for us Aussies, Austrians, Argentinians, you get the drift...



Luckily in Australia we use the US keyboard layout

This is very neat, I know a lot of people that use two keyboard layouts will appreciate this. Take Japan for example.


As this PC is a Hyper-V VM, it automatically skipped the set up a Wi-Fi network wizard.

Account (the fork in the road)

This is the most important change in the first run experience: what I enter here defines which path I go down, especially when using an MDM solution such as Intune or a work or school account.


Selecting the option ‘domain join instead’ asks me to enter a name to create a local account





Please note selecting the option “Or, even better, use an online account” brings me back to the first account screen


Privacy Settings

Now I'm led to the desktop with my local account (not exactly a domain join).


Back to the old method of domain join we have all become accustomed with over the years.

Correction: Decades

Ok so that’s one path covered, now another installation and lets see where we go

For curiosity's sake I chose the time and currency format English (Australia). Will this impact what we see when selecting the region?


Wohoo – Australia is selected! Kudos to the product team, that’s very clever…

Round 2

Sure is

I’m only fluent in US keyboard….


Again, network is connected

Lets not bother with selecting Domain join as we know where that goes, this time I’ll add my work account

Ah no! I entered a Microsoft personal account; computer says no, at least Windows 10 Enterprise does. Let's try again with a work account.

Meraviglioso (Italian for "wonderful"), for those of you that don't know.


I now see my company logo


MFA authentication is enabled and linked to my Microsoft Authenticator App

My authenticator app is not working so I guess I have to choose another option

I’m through

As we have an Intune MDM policy applied in our environment, I'm presented with the following:


Look I’m joined with Azure AD!



Intune MDM has taken over and is now deploying applications and policies to my PC.


One key thing to note is that we have automatic MDM enrollment enabled in Azure Active Directory.

Azure Replication Status Report – Email Notification

Recently I was given the task of monitoring the replication status of a large number of servers, and I really didn't want to go via the classic console and click inside every replication group just to make sure things were rolling smoothly. It got me thinking about how I could automate this task using Azure Automation runbooks.

I started digging around and came across a post where a gentleman had written a PowerShell script to deliver the daily backup jobs via email. It was not exactly what I wanted, so I took that script and modified it to deliver the information I required.

First step is to create a runbook in Azure

Give the runbook a useful name and choose PowerShell as the runbook type.

For the runbook to create a connection you need to add the following code at the start of your script. If you have not set up an Azure Run As account you can follow these instructions: Authenticate runbooks with an Azure Run As account.

Be sure to put the name of your Run As connection asset in $connectionName.

Next Add the code below

This is the workhorse that produces the report, you will need to populate your SMTP settings
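The author's script is not reproduced on this page, so the following is an added example of the same shape and not the original: the standard Run As connection block followed by a report over Azure Site Recovery protected items, emailed as an HTML table. It assumes the servers are ASR replication protected items (the post does not name the service), AzureRM modules in the Automation account, and placeholder vault, resource group, SMTP and credential asset names.

```powershell
# Added example (not from the original post): sign in with an Azure Run As
# account, collect ASR replication health for every protected item and email
# the results. Vault, resource group, SMTP host and asset names are placeholders.
$connectionName = 'AzureRunAsConnection'
try {
    # Standard Run As authentication block from the Azure Automation docs.
    $sp = Get-AutomationConnection -Name $connectionName
    Add-AzureRmAccount -ServicePrincipal -TenantId $sp.TenantId `
        -ApplicationId $sp.ApplicationId -CertificateThumbprint $sp.CertificateThumbprint | Out-Null
}
catch {
    if (-not $sp) { throw "Connection asset '$connectionName' not found." }
    throw
}

# Select the vault, then walk fabric -> container -> protected item.
$vault = Get-AzureRmRecoveryServicesVault -ResourceGroupName 'rg-asr' -Name 'vault-asr'   # placeholders
Set-AzureRmRecoveryServicesAsrVaultContext -Vault $vault | Out-Null

$rows = foreach ($fabric in Get-AzureRmRecoveryServicesAsrFabric) {
    foreach ($pc in Get-AzureRmRecoveryServicesAsrProtectionContainer -Fabric $fabric) {
        foreach ($item in Get-AzureRmRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $pc) {
            [pscustomobject]@{
                Server            = $item.FriendlyName
                Container         = $pc.FriendlyName
                ProtectionState   = $item.ProtectionState
                ReplicationHealth = $item.ReplicationHealth   # Normal / Warning / Critical
            }
        }
    }
}

# Unhealthy servers first so they are at the top of the email.
$unhealthy = @($rows | Where-Object { $_.ReplicationHealth -ne 'Normal' })
$sorted = $rows | Sort-Object @{ Expression = { $_.ReplicationHealth -eq 'Normal' } }, Server
$body = $sorted | ConvertTo-Html -Title 'ASR replication status' `
    -PreContent "<h2>Replication status $(Get-Date -Format 'yyyy-MM-dd HH:mm')</h2>" | Out-String

$cred = Get-AutomationPSCredential -Name 'SmtpCredential'   # placeholder credential asset
Send-MailMessage -To 'ops@example.com' -From 'automation@example.com' `
    -Subject "ASR replication: $($unhealthy.Count) unhealthy of $($rows.Count)" `
    -Body $body -BodyAsHtml -SmtpServer 'smtp.example.com' -Port 587 -UseSsl -Credential $cred
```

Keep the SMTP password in an Automation credential asset rather than in the runbook text, since published runbook source is readable by anyone with contributor rights on the Automation account.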

You are now ready to test the runbook works

Select Test pane

Select Edit and start the test; the runbook will be queued for an automation worker to pick it up.

Wait for the runbook to complete.

A new email should arrive with a table of results like below

Now you just need to publish the runbook and add a schedule

You can set the schedule for an hourly drop into your inbox, or send the results to a group inbox.