Windows 10 1511 & SCCM CB WSUS Error – 0x80240fff

### Please review the fix – http://www.gregorylab.com/2017/07/05/windows-10-1511-sccm-cb-wsus-error-0x80240fff-fix/ ####

 

I recently encountered an error on all Windows 10 version 1511 machines scanning for updates against the SCCM CB lab environment.

The error messages in WUAHandler.log on a Windows 10 version 1511 machine:

“OnSearchComplete – Failed to end search job. Error = 0x80240fff”

“Scan failed with error = 0x80240fff”

WindowsUpdate.log provides more information. On 1511 you'll need to run the PowerShell command Get-WindowsUpdateLog to generate a readable log file.

Opening the log shows some error messages:

Two Swap OSUpgrades are found, Update1 = {7F016D4C-C9A6-4699-A7DA-3D86EF81843F}.201, Update2 = {83695761-2AAC-4890-B68E-94B01BAC720C}
FilterInappropriateOSUpgrade failed, hr=80240FFF
Exit code = 0x80240FFF

Now I need to identify the update IDs shown in the error log and translate them into English.

Fire up SQL Management Studio on your top-level site and run the following SQL query, populating the update IDs.

Make sure you change the DB name to match your environment

FROM [CM_LAB].[dbo].[v_UpdateInfo]

and replace the CI_UniqueID = '7F016D4C-C9A6-4699-A7DA-3D86EF81843F' value
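
The lookup described above can be scripted. This added example, which is not from the original post, extracts the update IDs from the conflict line in the generated log and builds the v_UpdateInfo query; the function names are hypothetical and the sample lines are the ones quoted above.

```powershell
# Constructed sample: the three lines quoted in this post, without the
# timestamp/component prefix that Get-WindowsUpdateLog writes on each line.
$sampleLog = @(
    'Two Swap OSUpgrades are found, Update1 = {7F016D4C-C9A6-4699-A7DA-3D86EF81843F}.201, Update2 = {83695761-2AAC-4890-B68E-94B01BAC720C}'
    'FilterInappropriateOSUpgrade failed, hr=80240FFF'
    'Exit code = 0x80240FFF'
)

# Hypothetical helper: return the unique update GUIDs named on
# "Two Swap OSUpgrades are found" lines (the trailing ".201" is dropped).
function Get-SwapUpgradeId {
    param([Parameter(Mandatory)][string[]]$Line)
    $guid = '\{([0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})\}'
    $ids = foreach ($l in $Line) {
        if ($l -notmatch 'Two Swap OSUpgrades are found') { continue }
        foreach ($m in [regex]::Matches($l, $guid)) { $m.Groups[1].Value.ToUpper() }
    }
    $ids | Sort-Object -Unique
}

# Hypothetical helper: build the title lookup against v_UpdateInfo.
# Both parameters are pattern-validated, so nothing free-form is
# interpolated into the SQL text.
function New-UpdateTitleQuery {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f-]{36}$')][string[]]$UpdateId,
        [ValidatePattern('^\w+$')][string]$Database = 'CM_LAB'  # lab DB name from the post
    )
    $inList = ($UpdateId | ForEach-Object { "'$_'" }) -join ', '
    @"
SELECT CI_UniqueID, Title
FROM [$Database].[dbo].[v_UpdateInfo]
WHERE CI_UniqueID IN ($inList)
"@
}

# For a real machine, pass the generated file instead of the sample:
#   Get-SwapUpgradeId -Line (Get-Content '<path to generated WindowsUpdate.log>')
$ids = Get-SwapUpgradeId -Line $sampleLog
if ($ids) {
    New-UpdateTitleQuery -UpdateId $ids
} else {
    'No swap-upgrade conflict lines found in the log.'
}
```

Paste the emitted query into SQL Management Studio on the top-level site, passing -Database with your own site database name.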

 

The results are shown below; look for the title…

Now I know two updates could be the problem. Considering 1607 has been available for a while and the problem only started with 1703, let's focus on that particular update:

Feature update to Windows 10 Enterprise, version 1703, en-us

The following changes were made in a lab environment; for production systems it is best to log an MS Support ticket.

Fire up the WSUS console and select the filter shown below

 

Search for the update title returned by the SQL query and choose Decline.

Once the update is declined, the problem machine should complete a WSUS scan.

If you're worried about declining updates from the WSUS console, you can always set them back to Not Approved. Once a full sync occurs with the SCCM SUP (top level), the updates will show green again for deployment.

 

To return the declined updates to normal, locate them in the WSUS console

Right-click the update and select Approve

Then select Not Approved

And OK

 

This will reverse the changes made. The next thing is to have the update show green in SCCM. This is the tricky part, because a full sync of WSUS is required from the top-level site. Just setting a custom schedule won't achieve a full sync; you will need to change a setting for this to work.

Navigate to Administration > Site Configuration > Sites and select your top-level site (the site that syncs with Microsoft); in my case it's the Primary.

Choose Configure Site Components > Software Update Point

I changed the setting Do not expire updates and bumped up the time limit to 4 months; I needed to do this for a full sync to occur (you can change this back once the full sync completes).

 

Now select the sync schedule tab and choose Custom schedule

Set this 5 minutes into the future

Click OK and open wsyncmgr.log on the top-level site server; you should start to see the updates resync back into the DB. This may take a few hours.

SCCM Console – Before

After

 

 

Best advice:

Log a support case with MS.

 

 

March, 2017 Security Monthly Quality Rollup for Windows Server – Fails to install with Configuration Manager 2012 R2 SP1

I had a customer report an issue this week trying to install MS17-006 on all 2012 R2 and 2008 R2 servers in their environment.

The WUAHandler.log file produced an error:

“User cancelled the installation”

The update then showed it had failed to install.

The maximum runtime limit set on this update was only 5 minutes.

I changed this value to 30 minutes to be on the safe side, gave it time to marinate (just like everything with SCCM), and it installed.

Please note that the time you set here affects the maintenance window calculations, so if you have a few updates to get through in a small amount of time, be cautious and always pilot the deployment changes.

 

Azure Replication Status Report – Email Notification

Recently I was given the task of monitoring the replication status of a large number of servers. I really didn't want to be going via the classic console and clicking inside every replication group just to make sure things were rolling smoothly. It got me thinking about how I could automate this task using Azure Automation runbooks.

I started digging around and came across a post where a gentleman had written a PowerShell script to deliver the daily backup jobs via email. It was not exactly what I wanted, so I took that script and modified it to deliver the information I required.

The first step is to create a runbook in Azure

Give the runbook a useful name and choose PowerShell as the runbook type

For the runbook to create a connection, you will need to add the following code at the start of your script. If you have not set up an Azure Run As account, you can follow these instructions – Authenticate runbooks with an Azure Run As account

Be sure to populate your Run As account next to $connectionName

Next, add the code below

This is the workhorse that produces the report; you will need to populate your SMTP settings

You are now ready to test that the runbook works

Select Test pane

Select Edit and start the test; the runbook will be queued for an automation worker to pick it up

Wait for the runbook to complete.

A new email should arrive with a table of results like below

Now you just need to publish the runbook and add a schedule

You can set the schedule for an hourly drop into your inbox or drop the results into a group inbox.