Reboot notifications

May 9, 2016


Reboot notifications , we all hate to reboot. Normally the less the better but as … an admin you want to pursuade your users into rebooting the device from time to time. Keeps it healthy and running smoothly.

Now in sccm we have several options for rebooting. In this particalur case we supress the reboot for the update deployment. So the user gets notified but not forced to reboot.

Unfortunately the result was this :


That’s odd the windows update reboot notification was not wat we wanted. If we check the notifications area we see 2 notifications : one for sccm client and one for windows update.


The setting required to modify this behavior was the following :

· System -> Windows Components -> Windows Update -> Configure Automatic Updates :Disabled

· Re-prompt for restart : Disabled.


After modification of these policies the result was better ! Just one notification.


And if the user presses the Open restart button :


Or select the restart now option :


In the software center applet you can see detailed info about which update requires a reboot.


Now the behavior is different for software installations requiring a reboot. For example this IE11 installation returns a 3010.


The user will be notified about a required reboot on the device , the settings are be configured by the sccm client settings for “Computer Restart”


The user will recieve a popup :


If ignored the restart icon will stay in the notification area.


Now according to the settings there is a permanent message shown as soon as there is only 15′ left on the clock. The color of the progress bar will change and the hide button will become unavailable.



Gino D


ZTIexecuterunbook MDT 2013 Update 1

November 20, 2015


Strange issue today , a fresh install of Orchestrator and sccm , both latest version installed. SCCM 2012 R2 SP1 CU1 and Orchestrator 2012 R2 UR7.

Combined this with the power of MDT 2013 update 1 in order to execute runbooks from a task sequence.

So far so good, I’ve had a similar setup for another customer so nothing could go wrong…

But when I run the task sequence for executing the runbook my task sequence fails and ztiexecuterunbook under MININT\SMSOSD\OSDLogs show:

Microsoft Deployment Toolkit version: 6.3.8298.1000 ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

The task sequencer log is located at C:\Windows\CCM\Logs\SMSTSLog\SMSTS.LOG. For task sequence failures, please consult this log. ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Orchestrator server URL = http://SERVERNAME:81/Orchestrator2012/Orchestrator.svc/Jobs ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Runbook name = New Runbook ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Runnbook ID = 444a1fd8-3168-470c-9a8f-805523de27b3 ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Runbook parameter mode = MANUAL ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Added parameter IntExchange (17ebabac-3fa0-4585-b7e4-54fb0156d650) ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Added parameter StrComputername (c684fd8f-e6e0-44b1-b8d0-6e91f879681f) ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Added parameter StrClusterName (5e029040-b071-4499-a04e-ad593fe5f795) ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Property UserDomain is now = *** ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Property UserID is now = *** ZTIExecuteRunbook 11/18/2015 3:58:55 PM 0 (0x0000)

<Message containing password has been suppressed> ZTIExecuteRunbook 11/18/2015 3:58:55 PM 0 (0x0000)

FAILURE ( 10802 ): Unable to find job. ZTIExecuteRunbook 11/18/2015 3:58:55 PM 0 (0x0000)

The runbook gets started on orchestrator but the task sequence fails !

So we started to do some tests and found that we could simulate the issue on another environment.

Problem turned out to be an error in the scripts of MDT2013update 1. We created 2 identical task sequences executing a simple runbook. One with MDT 2013 toolkit files and one with MDT2013 update 1 toolkit files.


MDT 2013 works fine :


Ztiexecuterunbook shows the wait for completion state.


Now for the MDT 2013 update 1 :


And ztiexecuterunbook shows:


Apparently something slipped through Quality Control 🙂


Gino D

ADR and wsus sync #RDProud

August 28, 2015



Today I had a strange issue with some ADR. As you see we have 4 ADR set ( WKS Pilot & Production and SRV Pilot & Production )


Now if we check our Software update packages we see that for August we only have one package for WKS Production. None for the rest. How come ?


Let’s verify the logging. The execution of the ADR is logged in ruleengine.log


No applicable updates found for the first ADR.


146 updates found in the latest ADR. How come ?

Solution is found in the WSUS sync log. We see that at 09:00 when the first ADR was run the catalog file was not yet synced, so it did not contain the new updates. At 11:06 however it was synced so my ADR from 11:55 found all the required updates.


Okay so we modify the Sync Schedule for WSUS each 8 hours starting at 20:00.



Gino D

Shared Config Manager infrastructure

March 10, 2015


I was recently involved in the setup of a shared management infrastructure based on system center configuration manager 2012 R2. Now this has proven to be challenging so I share some of the leassons learned :

Untrusted forests.

The following blog explaings cross forest support in config manager :

Boundary Groups.

You can use AD Sites as boundaries. The site names need to be unique but modifying an AD Site name normally has no impact.

Client Deployment.

Deployment using group policy together with a set of adm templates is an efficient deployment method. No special firewall requirements and all active machines recieve the sccm client. No discovery methods needed.

Proxy management Points.

Secondary sites with management point are not always used , some actions require the client to contact the assigned management point. See Since the clients are not in the same ad forest and ad has not been extended, they will contact their assigned management point first.

OSD and AD site boundaries

WinPE is not domain joined and will not be able to use ad site boundaries. See


Gino D

Software-update based client installation

September 15, 2014


Config manager client push installation is an easy method for gradually installing config manager clients in your environment.

Link can be found here :

Make sure you use AD extension of a set of ADM files in order to publish post installation properties for the SCCM client.

Step 1 create a policy for Specifying the Microsoft Update service location

Step 2 activate the software-update based client installation in SCCM

Overview -> Site configuration -> Sites -> Client Installation Settings

Verify in wcm.log if the config manager package was correctly publised.

Step 3 Observe the client

You can trigger the update cycle by running wuauclt /detecnow.

Then verify the windowsupdate.log

At first I noticed that no update was applicable

Now this was apparently because my test machine was in a notification license period.

So I reactivated using our kms server

And the client was available and installing

Required parameters are discovered in ADS.

Now this saves you from specifying username/password for install and opening up a bunch of RPC ports.


Update ! Make sure you do not set the Configure Automatic updates to disabled in computer policy otherwise the installation will not take place.

Config Manager Powershell 2012 R2 CU2

September 1, 2014



Recently tried to perform a fairly simple action in config manager : create a new DP and modify the required parameters. Since this would be done during SCCM Server OSD we decided to go for an orchestrator runbook using powershell. Sounds good.


However … we had some issues.


First if you attempt to run the config manager cmdlets on a machine where the console is installed you’ll notice that the new-cmsiteserversystem crashes the powershell, other commands work fine ( remote )


Hey no problem … you can use remote powershell to connect to the pss and run the script from there.


Issue 1 : enter-pssession refuses to find the psd1 file


The script refuses to load the required psd1 if we use a enter-session. We had to use a scriptblock for the execution.


Issue 2 : The script will not enter the required cm site. Drive not found exception.



Solution :


Import the required digital cert or run the cm powershell once from the pss with the correct user.




Issue 3 : We sometimes recieve a warning : The self signed certificate could not be created succesfully.



This happens during the addition of the DP role. The reason is that a specific temporary folder under the user profile does not exist so the solution is to log on to the PSS with the required user and perform the same action once in order to make sure the required folder exists.


Issue 4 : From time to time we randomly recieve an access denied error . ( without credssp )


When this happens we see the following in the powershell event viewer on the PSS.




Solution : Use the credssp parameter in order to allow double hopping. See for additional info. However as soon as we added this parameter we arrive at issue 5.


Issue 5 : powershell crashes while using new-cmsiteserversystem with credssp


So if we add the credssp parameter then we see that the remote session is in a broken state because the powershell.exe crashes when we use new-cmsiteserversystem for a non-existing site server.




If you run the cmdlet on an existing object you’ll notice that you recieve an “object allready exists” but the powershell.exe does not crash.




Bottom line : if you connect to the pss , open the cm console and run a config manager powershell prompt and execute a new-cmsiteserversystem the powershell.exe will also crash. Locally on the server.






We noticed that this issue is proper to the installation of CU2 before we did not experience this behavior.


A bug has been filed using microsoft connect for this issue. Will keep you posted.


This is the script we were using :


$ErrorActionPreference = “Stop”
$pw = convertto-securestring -AsPlainText -Force -String “xxx”
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist “xxx”,$pw
write-host “================= Starting remote ps-session ========================”
$s= new-pssession -computer server1.domain.local -name PSSSession -credential $cred -ConfigurationName Microsoft.Powershell32 -Authentication CredSSP   

$Scriptblock = {
write-host $env:COMPUTERNAME
$SCCMAdminConsolePath = Split-Path -parent $ENV:SMS_ADMIN_UI_PATH
write-host $SCCMAdminConsolePath
Import-Module “$SCCMAdminConsolePath\ConfigurationManager.psd1”
Set-location ps1:
write-host “================= Creating New site server ========================”
New-CMSiteSystemServer -ServerName “server1.domain.local” -SiteCode PS1
write-host “================= Creating new distribution point server ========================”
Add-CMDistributionPoint -SiteSystemServerName “server1.domain.local” -SiteCode “PS1” -InstallInternetServer -CertificateExpirationTimeUtc “2112/11/26 17:45:00” -MinimumFreeSpaceMB “50”
write-host “================= Adding server to boundary ========================”
Set-CMDistributionPoint -SiteCode “PS1” -SiteSystemServerName server1.domain.local  -AddBoundaryGroupName “Group1” -AllowFallbackForContent 0
write-host “================= Adding server to distribution point group ========================”
Add-CMDistributionPointToGroup -DistributionPointName server1.domain.local -DistributionPointGroupName “All Distribution Points”
write-host “================= Running scriptblock ========================”
Invoke-Command -Session $s -ScriptBlock $Scriptblock
Remove-PSSession $s

$errmsg = $Error[0]


if ($errmsg)
write-host $errmsg




UPDATE : FIX released by MS , install on Site server and consoles

Sysprep issue capture task sequence

June 17, 2014


I had a strange issue lately.

Used capture task sequence to capture a thick image and upon deployment the machine was not joined in the domain.

The task sequence for capture or deployment did not give any errors.

According to the log all went well.

However when I checked the screen while the deployment is in progress then I noticed that the mini-setup wizard did not appear.

Ok so I suspect an issue with the capture image, like the sysprep was not correctly executed. So I revert the virtual machine to snapshot and run the sysprep manually.

Bingo ! We have an issue. You can check the log file at c:\windows\system32\sysprep\panther\IE

Ok now we have something to go on. Apparently this is a “known” issue.

In order to resolve stop the Windows Media Service.

Net stop WMPnetworksvc

Before capturing the image. You can just put it in the ts.