Windows 10 1511 & SCCM CB WSUS Error – 0x80240fff – Fix

I have finally had time to test a permanent fix for the 1511 scan failure issue. Please note this fix was performed in a lab environment and has not been tested in production.

While it is a fix, there may be others available. Please make sure you try this in a pilot/dev environment before implementing it in production. I take no responsibility for it going wrong in production 🙂

 

 

First you need to download the latest CU for 1511 from the Microsoft Update Catalog –

http://www.catalog.update.microsoft.com/Search.aspx?q=4022714 

 

X64 – Download Here

X86 – Download Here

 

Once downloaded add it to your SCCM Package Share folder and proceed to package as shown below

 

 

Create a Standard program and make sure the settings reflect the below

 

Here is the command line – wusa.exe <Insert Package.msu>  /quiet /norestart

Example – wusa.exe windows10.0-kb4022714-x64_edf4e51111abeea65f7cbcf75755210bb6a711e3.msu /quiet /norestart

Once packaged right click the package and distribute the content to your required distribution points

 

Now time to deploy

You want to make sure you are deploying only to Windows 10 1511 so create a collection with the following query

 

 

Now right click your program and select deploy choosing the collection created in the above step

 

It's up to you what you do here, but keep in mind ‘required’ will force the install. For testing purposes I have set it to available.

Review your summary and finalise.

Now let's wait for the test machine to pick up the new advertisement in Software Centre

 

 

Before we start, take note of the error showing in WUAHandler.log

 

 

Windows Update Agent Version is 10.0.10586.0

 

 

Choose Install

 

 

 

Verify the installation by looking for Windows Update Standalone Installer & Windows Module Installer. It may take a while; my lab machine took 40 minutes to complete.

Once completed restart the machine

 

 

 

Check the Windows Update Agent Version

Now run a software update scan cycle

Watch the WUAHandler.log – you will now see the PC is completing its scan.

In my case there is a new warning due to the June Malicious Software Update having a problem accepting the license. I have seen this in a few environments and it leads me down the next rabbit hole…..
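One way to make that check without watching the log by eye, as an added example that is not part of the original post: it parses CMTrace-format WUAHandler.log lines and reports whether any 0x80240fff failure was logged after the restart. The sample lines, timestamps and reboot time are constructed, and the function name is hypothetical.

```powershell
# Constructed WUAHandler.log lines in CMTrace format. Only the failure message text
# comes from the post; timestamps, thread ids and the reboot time are made up.
# On a real client use: Get-Content "$env:windir\CCM\Logs\WUAHandler.log"
# and (Get-CimInstance Win32_OperatingSystem).LastBootUpTime instead.
$sampleLog = @'
<![LOG[Scan failed with error = 0x80240fff.]LOG]!><time="09:12:44.101+-600" date="07-05-2017" component="WUAHandler" context="" type="3" thread="4312" file="">
<![LOG[Async searching of updates using WUAgent started.]LOG]!><time="11:40:03.512+-600" date="07-05-2017" component="WUAHandler" context="" type="1" thread="2208" file="">
'@ -split '\r?\n'
$lastBoot = [datetime]'2017-07-05T11:30:00'   # constructed: restart after the CU install

function Get-ScanFailure {
    param([string[]]$LogLine, [string]$ErrorCode = '0x80240fff')
    # CMTrace entry: <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" ...>
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>\d{2}:\d{2}:\d{2})[^"]*" date="(?<date>\d{2}-\d{2}-\d{4})"'
    foreach ($line in $LogLine) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }                 # skip continuation or blank lines
        $msg = $m.Groups['msg'].Value
        if ($msg -notlike "*$ErrorCode*") { continue }    # case-insensitive match on the code
        $stamp = [datetime]::ParseExact(
            "$($m.Groups['date'].Value) $($m.Groups['time'].Value)",
            'MM-dd-yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
        [pscustomobject]@{ Time = $stamp; Message = $msg }
    }
}

$failures  = @(Get-ScanFailure -LogLine $sampleLog)
$afterBoot = @($failures | Where-Object { $_.Time -gt $lastBoot })

# Failures before the restart are expected; any after it mean the fix did not take.
[pscustomobject]@{
    FailuresTotal       = $failures.Count
    FailuresAfterReboot = $afterBoot.Count
    Verdict             = if ($afterBoot.Count) { 'still failing' } else { 'no 0x80240fff since reboot' }
}
```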

 

Overall your client should now be healthy and ready to update.

I can now see the feature update for 1607

Hope this nails it once and for all!

Please feel free to comment your experiences and I'll do my best to help.

Configuration Manager Health Check Script

With the recent events (WannaCry) of the last few months, making sure your environment has a collection of healthy clients, including the latest Windows Update Agent, is crucial to surviving the threats being unleashed in the modern world. Although you may be able to produce compliance reports showing good figures >96% (let's get real, that's almost impossible), what about the clients that are not showing in your compliance report but should be present? Are you reporting against the unknown? How are you tackling the clients falling into that category?

Here is some help:

Thanks to Anders Rodland, there is a health script available to help take care of those pesky clients you don’t have the time to take care of yourself, or have been queuing up for later. Now you can, once and for all (99.9% of the time; nothing is ever perfect, right……).

 

Please follow Anders' instructions in the implementation guide –

https://www.andersrodland.com/configmgr-client-health/ 

 

I strongly recommend following the Group Policy guide found here also

 

Powershell Script with Arguments as a Scheduled Task

Windows 10 1511 & SCCM CB WSUS Error – 0x80240fff

### Please review the fix – http://www.gregorylab.com/2017/07/05/windows-10-1511-sccm-cb-wsus-error-0x80240fff-fix/ ####

 

I recently encountered an error on all Windows 10 version 1511 clients scanning against the SCCM CB lab environment for updates.

 

The error messages in WUAHandler.log on a Windows 10 version 1511 client:

“OnSearchComplete – Failed to end search job. Error = 0x80240fff”

“Scan failed with error = 0x80240fff”

The WindowsUpdate.log provides more information. On 1511 you’ll need to run the PowerShell command Get-WindowsUpdateLog to generate a readable log file.

 

 

Opening the log it shows some error messages:

Two Swap OSUpgrades are found, Update1 = {7F016D4C-C9A6-4699-A7DA-3D86EF81843F}.201, Update2 = {83695761-2AAC-4890-B68E-94B01BAC720C}
FilterInappropriateOSUpgrade failed, hr=80240FFF
Exit code = 0x80240FFF

Now I need to identify the update IDs shown in the error log and translate them into English

Fire up SQL Management Studio on your top level site and run the following SQL query, populating the update IDs
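The IDs can be pulled out of the converted log with a few lines of PowerShell. This is an added example, not part of the original post: the timestamps in the sample lines are constructed, the function name is hypothetical, and the SELECT it prints is an assumed form built from the view and column named in this post.

```powershell
# Added example. Message text is taken from the post; timestamps and ids are constructed.
# For a real client, replace $sampleLog with Get-Content on the file that
# Get-WindowsUpdateLog writes.
$sampleLog = @'
2017/06/20 10:15:02.1234567 1020 4312 Agent Two Swap OSUpgrades are found, Update1 = {7F016D4C-C9A6-4699-A7DA-3D86EF81843F}.201, Update2 = {83695761-2AAC-4890-B68E-94B01BAC720C}
2017/06/20 10:15:02.1240000 1020 4312 Agent FilterInappropriateOSUpgrade failed, hr=80240FFF
2017/06/20 10:15:02.1250000 1020 4312 Agent Exit code = 0x80240FFF
'@ -split '\r?\n'
$database = 'CM_LAB'   # DB name used in the post; change to your site database

function Get-SwapOSUpgradeConflict {
    param([string[]]$LogLine)
    # GUID inside braces; the optional ".201" revision suffix is deliberately not captured
    $guid = '\{(?<id>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}'
    foreach ($line in $LogLine) {
        if ($line -notmatch 'Two Swap OSUpgrades are found') { continue }
        $ids = @([regex]::Matches($line, $guid) | ForEach-Object { $_.Groups['id'].Value })
        if ($ids.Count -ge 2) {
            [pscustomobject]@{ Update1 = $ids[0]; Update2 = $ids[1] }
        }
    }
}

$conflicts  = @(Get-SwapOSUpgradeConflict -LogLine $sampleLog)
$scanFailed = [bool]($sampleLog -match '(hr=|0x)80240FFF')   # -match is case-insensitive

# De-duplicate: the same pair is logged on every failed scan.
$idList = ($conflicts | ForEach-Object { $_.Update1; $_.Update2 } | Sort-Object -Unique |
    ForEach-Object { "'$_'" }) -join ', '

"Scan failed with 0x80240FFF: $scanFailed"
# Assumed query shape; Title is the column the post reads from the results.
"SELECT Title, CI_UniqueID FROM [$database].[dbo].[v_UpdateInfo] WHERE CI_UniqueID IN ($idList)"
```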

 

Make sure you change the DB name to your environment

FROM [CM_LAB].[dbo].[v_UpdateInfo]

and replace the CI_UniqueID = '7F016D4C-C9A6-4699-A7DA-3D86EF81843F' value

 

The results are shown below, look for the title…

Now I know two updates could be the problem. Considering 1607 has been available for a while and the problem only started with 1703, let's focus on that particular update:

Feature update to Windows 10 Enterprise, version 1703, en-us

The following are changes made in a Lab environment, for Production Systems it is best to log a MS Support ticket.

 

Fire up the WSUS console and select the filter shown below

 

Search for the update title returned in the SQL query and choose decline

Once declined the problem machine should complete a WSUS scan

If you’re worried about declining updates from the WSUS console, you can always set them back to not approved. Once a full sync occurs with SCCM SUP (Top Level) the updates will show green again for deployment.

 

To return the declined updates to normal, locate them in the WSUS console

 

Right click the update and select approve

Then select not approved

And OK

 

This will reverse the changes made. The next thing is to have the update show green in SCCM. This is the tricky part, because a full sync of WSUS is required from the top level site. Just setting a custom schedule won't achieve a full sync; you will need to change a setting for this to work.

Navigate to Administration > Site Configuration > Sites and select your top level site (the site that syncs with Microsoft); in my case it's the Primary

Choose Configure Site Components > Software Update Point

I changed the setting Do not expire updates and bumped up the time limit to 4 months. I need to do this for a full sync to occur (you can change this back once the full sync completes).

 

Now select the sync schedule tab and choose Custom schedule

Set this 5 minutes into the future

Click OK and open the wsyncmgr.log on the top level site server. You should start to see the updates resync back into the DB. This may take a few hours.

SCCM Console – Before

After

 

 

Best advice:

Log a support case with MS.