Windows 10 1511 & SCCM CB WSUS Error – 0x80240fff

### Please review the fix – ####


I recently encountered an error on all Windows 10 version 1511 scanning against the SCCM CB lab environment for updates.


The error messages in WUAhandler.log on a Windows 10 version 1511

“OnSearchComplete – Failed to end search job. Error = 0x80240fff”

“Scan failed with error = 0x80240fff”

The Windowsupdate.log provides more information,  for 1511 you’ll need to run the PowerShell command Get-WindowsUpdatelog to generate a readable log file to get more valuable information



Opening the log it shows some error messages:

Two Swap OSUpgrades are found, Update1 = {7F016D4C-C9A6-4699-A7DA-3D86EF81843F}.201, Update2 = {83695761-2AAC-4890-B68E-94B01BAC720C}
FilterInappropriateOSUpgrade failed, hr=80240FFF
Exit code = 0x80240FFF

Now I need to identify the update ID’s shown in the error log and translate into English

Fire up SQL Management Studio on you top level site and run the following SQL query populating the update ID’s


Make sure you change the DB name to your environment

FROM [CM_LAB].[dbo].[v_UpdateInfo]

and replace the CI_UniqueID = ‘7F016D4C-C9A6-4699-A7DA-3D86EF81843F‘  value


The results are shown below, look for the title…

Now I know two updates could be the problem, considering 1607 has been available for a while and the problem only started with 1703 lets focus on that particular update

Feature update to Windows 10 Enterprise, version 1703, en-us

The following are changes made in a Lab environment, for Production Systems it is best to log a MS Support ticket.


Fire up the WSUS console and select the filter shown below


Search for the update title returned in the SQL query and choose decline

Once declined the problem machine should complete a WSUS scan

If you’re worried about declining updates from the WSUS console, you can always set them back to not approved. Once a full sync occurs with SCCM SUP (Top Level) the updates will show green again for deployment.


For returning the updates declined back to normal, locate the declined updates in the WSUS console


Right click the update and select approve

Then select not approved

And OK


This will reverse the changes made, next thing is to have the update show green in SCCM. This is the tricky part, because a full sync of WSUS is required from the top level site. Just setting a custom schedule wont achieve a full sync, you will need to change a setting for this to work.

Navigate to Administration > Site Configuration > Sites and select your top level site (the site that syncs with Microsoft) in my case its the Primary

Choose Configure Site Components > Software Update Point

I changed the setting Do not expire updates and bumped up the time limit to 4 months, I need to do this for a full sync to occur ( You can change this back once the full sync completes).


Now select the sync schedule tab and choose Custom schedule

Set this 5 minutes into the future

Click ok and open the wsyncmgr.log on the top level site server, you should start to see the updates resync back into the DB. This may take a few hours.

SCCM Console – Before




Best advice:

Log a support case with MS.



Windows 10 Version 1703 – First Run Experience

Windows 10 version 1703 just dropped into Current Branch April 11 and there is some significant changes during the first run experience to take note of. The GUI has been given a facelift!

Here is a run-through of what to expect during setup with an Enterprise edition

Most wizards remain the same until you reach the First Run Setup Wizard.

Lets start with the basics

One little gripe I have here, keyboard entry wont work when entering the letter A and scroll me up automatically. Instead I have to scroll up through every region between United States and Australia! This is not cool for us Aussies, Austrians, Argentinians you get the drift…..



Luckily in Australia we use the US keyboard layout

This is very neat, I know a lot of people that use two keyboard layouts will appreciate this. Take Japan for example.


As this PC is a Hyper V-VM it’s automatically skipped the setup a wifi network wizard.

Account (the fork in the road)

This is the most important change during the first run experience, what I enter here defines which path I want to go down specially when using a MDM solution such as Intune or using a work or school account.


Selecting the option ‘domain join instead’ asks me to enter a name to create a local account





Please note selecting the option “Or, even better, use an online account” brings me back to the first account screen


Privacy Settings

Now I’m lead to the desktop with my local account (not exactly a domain join)


Back to the old method of domain join we have all become accustomed with over the years.

Correction: Decades

Ok so that’s one path covered, now another installation and lets see where we go

For curiosity sake I chose the time and currency format to English (Australia), will this impact what we see for selecting the region?


Wohoo – Australia is selected! Kudos to the product team, that’s very clever…

Round 2

Sure is

I’m only fluent in US keyboard….


Again, network is connected

Lets not bother with selecting Domain join as we know where that goes, this time I’ll add my work account

Ah no! I entered a Microsoft personal account – computer says no, at least Windows 10 Enterprise does. Lets try again with a work account.

meraviglioso, for those of you that don’t know


I now see my company logo


MFA authentication is enabled and linked to my Microsoft Authenticator App

My authenticator app is not working so I guess I have to choose another option

I’m through

As we have an Intune MDM policy applied in our environment I’m presented with the following


Look I’m joined with Azure AD!



Intune MDM has taken over and is now deploying applications and polices to my PC.


One key thing to note is that we have automatic enrolment enabled in Azure Active Directory.