Implementing Configuration Manager 2012 R2 Cumulative Update 5

May 17, 2015

As mentioned during one of my previous blog posts Microsoft has recently released Cumulative Update 5 for Configuration Manager 2012 R2. This blog post will outline how to implement this Cumulative Update and is based on the steps I followed during the implementation in my lab environment.

Note: this week Microsoft has also released Service Pack 1 for Configuration Manager 2012 R2. The logical question is whether to still install this Cumulative Update or go for the Service Pack immediately. Technically there are no constraints on implementing the Service Pack straight away (the CU is not a prerequisite); however, my current preferred way to go is to implement the CU first. Based on experiences from the past there could always be some subtle differences, and it seems my friend Kenny already found one here as well.

Now back to implementing the CU. The first step is to get the sources. The KB article also gives a full overview of the fixes and improvements in this update. As the name indicates, this update also contains all elements fixed or added in any of the previously released CUs.

Note that this update is only applicable to Configuration Manager 2012 R2 – if you are currently still running Configuration Manager 2012 SP1 the latest available cumulative update is CU5.

The CU is applicable directly to the following components:

    • CAS
    • Primary Sites (standalone or in a hierarchy)
    • Secondary Sites
    • SMS Provider(s)
    • Console(s)

Additionally it contains updates for the following components:

    • CAS
    • Primary Sites
    • Secondary Sites
    • SMS Provider(s)
    • Consoles
    • Clients

The lab we are upgrading does not contain all the components listed above; a CAS and Secondary Site(s) are not present. The SMS Provider is installed locally on the site server.

Primary site

Cumulative Updates for Configuration Manager are implemented top-down so we start with the site server of the standalone primary site. Before running the installer with elevated privileges ensure there are no more active console connections.


The Installation Wizard is started.


Click Next on the Welcome page.


Accept the license terms and click Next.


Verify all prerequisite checks are successful and click Next.


Leave the default option to install the update for the console and click Next.


Leave the default option to update the site database and click Next.


Leave the default option for package creation and click Next.


Leave the default settings for the server package and click Next.


Leave the default settings for the console package and click Next.


Leave the default settings for the client packages and click Next.


Review the setup summary and click Install.


The installation begins and progress is shown. Click Next when finished.

Note: during the implementation I noticed that the installer was hanging for a long time on the first step to stop the services. In this case manually stopping the WinMgmt service (net stop winmgmt from an elevated command prompt) was needed to make the installation continue.


All done! Click Finish and reboot the system.


The technical details of the installation and what is happening behind the scenes are logged in the log file cm12-r2cu5-kb3054451-x64-enu.log, located in the %windir%\temp folder.

Now let's do a few verification steps to see if the update got implemented properly.

The first checkpoint is the list of entries in Programs and Features > View installed updates:


Next is the registry in HKLM\Software\Microsoft\SMS\Setup


And a final check in the console (About Configuration Manager)


As we opted to have some packages created to support implementing the CU in our environment these should now also be visible in the console. Go to the software library and select packages. Select the Configuration Manager Updates folder and then type CU5 in the search box to quickly locate those packages.


Important: Do not forget to distribute the content of these packages to your Distribution Points!

Important (2): Do not forget to update your boot images. This can be done by selecting a boot image, right-clicking it and then selecting the action to Update Distribution Points.

Secondary Sites

If there are any Secondary Sites in your environment the next step is to implement the CU on those sites. The server update package can be used to automate this. To target the site servers a collection can be built which is populated based on the following query:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
    from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId
    where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "System Center 2012 R2 Configuration Manager Secondary Site Setup"


As part of the implementation process on the site server the locally installed console was updated. Any remaining remote consoles in the environment can be updated using the console upgrade package.

To build a collection containing the machines with the console installed the following query could be used:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
    from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId
    where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "System Center 2012 R2 Configuration Manager Console"


Clients

Last but not least we also need to get the CU installed on our clients. There are multiple approaches to accomplish this; one method could be to deploy the client update packages created automatically during the implementation process.

As there is a package per processor architecture we will also create matching collections to target our deployments. This is an example query for a collection containing all 64-bit clients with a client version not equal to CU5:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
    from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId
    where SMS_R_System.ClientVersion != "5.00.7958.1601" and SMS_G_System_SYSTEM.SystemType = "X64-based PC"

The query for the collection with 32-bit clients is identical; just replace “x64-based PC” with “x86-based PC”.
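
The collection query above matches every client whose version string differs from the CU5 value, which also includes clients that are already on a later build. As an added example (not part of the original post), the PowerShell below classifies client versions with a numeric comparison instead; the function name, the machine names and the non-CU5 version values are constructed for illustration.

```powershell
# Added example: numeric comparison of ConfigMgr client versions against CU5.
# '5.00.7958.1601' is the CU5 client version used in the collection query above.
$Cu5ClientVersion = [version]'5.00.7958.1601'

function Get-ClientPatchState {
    param(
        [string]  $ClientVersion,
        [version] $Baseline = $Cu5ClientVersion
    )
    $parsed = $null
    # Empty or malformed inventory values must not be reported as patched.
    if (-not [version]::TryParse($ClientVersion, [ref]$parsed)) { return 'Unknown' }
    if ($parsed -lt $Baseline) { return 'NeedsCU5' }
    if ($parsed -eq $Baseline) { return 'AtCU5' }
    return 'NewerThanCU5'    # a "!=" string test would still target this client
}

# Constructed sample inventory (machine names and non-CU5 versions are made up).
$inventory = @(
    [pscustomobject]@{ Name = 'LAB-PC01'; ClientVersion = '5.00.7958.1000' }
    [pscustomobject]@{ Name = 'LAB-PC02'; ClientVersion = '5.00.7958.1601' }
    [pscustomobject]@{ Name = 'LAB-PC03'; ClientVersion = '5.00.9999.1000' }
    [pscustomobject]@{ Name = 'LAB-PC04'; ClientVersion = '' }
)

$report = $inventory | Select-Object Name, ClientVersion,
    @{ Name = 'State'; Expression = { Get-ClientPatchState -ClientVersion $_.ClientVersion } }
$report | Format-Table -AutoSize

# On a managed machine, the installed client reports its own version through WMI.
$local = Get-WmiObject -Namespace 'root\ccm' -Class 'SMS_Client' -ErrorAction SilentlyContinue
if ($local) {
    '{0}: {1}' -f $env:COMPUTERNAME, (Get-ClientPatchState -ClientVersion $local.ClientVersion)
} else {
    '{0}: no ConfigMgr client found' -f $env:COMPUTERNAME
}
```

Machines reported as Unknown are worth a separate look, since a missing version value usually means the inventory data is incomplete rather than that the client is up to date.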

Clients with CU5 will have the following version shown on the properties tab:


Version numbers for some of the components are also updated:


That’s all for now – Until next time!


System Center 2012 R2 Configuration Manager SP1 and System Center 2012 Configuration Manager SP2 released!

May 14, 2015

Today Microsoft has announced the availability of System Center 2012 R2 Configuration Manager SP1 and System Center 2012 Configuration Manager SP2.

According to the announcement on the Configuration Manager Team blog these service packs deliver full compatibility with existing features for Windows 10 deployment, upgrade, and management. Additionally there are some changes and improvements in the following areas:

  • Infrastructure: sites and hierarchies
  • Application Management
  • Content Management
  • OSD
  • Reporting
  • Hybrid setups with Configuration Manager and Microsoft Intune

Full details on what’s new can be found here.

Both service packs are available for download on the Technet Evaluation Center website.

Until next time!


Cumulative Update 5 for System Center 2012 R2 Configuration Manager released!

May 6, 2015

In between all the announcements and other stuff that is going on at the Ignite conference Microsoft has also released Cumulative Update 5 for System Center 2012 R2 Configuration Manager today.

This CU contains some important bug fixes and performance improvements. Read about the issues that are fixed and additional functionality this CU has to offer in KB3054451.

A blog post with more details on how to implement this CU will follow soon.

Until next time!


ConfigMgr vNext: A first look at the core installation

May 6, 2015

One of the announcements at the Ignite Conference earlier this week was the availability of the System Center Configuration Manager vNext –or should I say 2016- Technical Preview. This blog post shares the basic steps and experience of installing this Technical Preview in my lab environment.

Preparations & Prerequisites

A few steps I walked through before doing the actual installation:

  1. First things first: get the installation binaries here.
  2. Second: read the required info to get you started here. There are some requirements (mainly the same as for ConfigMgr 2012) and limitations to take into account.
  3. Prepare the backend SQL database. I used SQL 2014. You will need the following features: Database Engine Services, Reporting Services Native and the Management Tools.
  4. Download the ConfigMgr Prereqs using SetupDL.exe from the installation media. The download is approximately 674Mb. Content looks identical to ConfigMgr 2012 R2 but a bit larger in size (last time I checked it was 655Mb for 2012 R2).
  5. Optionally extend the AD Schema.
  6. Install all other requirements, features and roles. As the guidelines in the preview documentation pointed towards 2012 I just used my automation scripts I had available for ConfigMgr 2012.

The installation procedure

Now on to the actual installation. In this lab environment I will install the site server, database and all roles on a single virtual server.


Launch the splash.hta from the installation sources.


Select Install.


Click Next.


The technical preview only allows installation of a standalone Primary Site. We will opt not to go for the typical installation.


Accept the license terms and click Next.


Accept more license terms and click Next again.


Select the option to use previously downloaded files and provide the path to the files. Click Next.


The downloaded prerequisite components are verified.


Provide a site code and site name. Leave the default installation folder and the option to install the console locally on the site server.


As we run the SQL backend on the same server we can leave the default options and click Next. Tip: make sure to check that the installation account has the required permission.


Leave the default options. Click Next.


Leave the default options. Click Next.


Select the option to configure the communication method on each site system role. Click Next.


Here we opted to uncheck both boxes and install the Management Point and Distribution Point later on.


This is a lab so yes we will join the CEIP. Click Next.


Review the settings summary and click Next.


A prerequisite checker is launched. Resolve any blocking items and click Begin Install.

Note: I commonly grant permissions for the site server to publish to AD through group membership. The prerequisite checker could not verify this in the past. It seems also in this new version this is still the case.


15 minutes later the core setup is completed.


More detailed information on what is happening behind the scenes can be found in the ConfigMgrSetup log files located in the root of the system drive.

Once the basic installation was completed I added the Management Point and Distribution Point roles. The procedure for doing this is also identical to the one in Configuration Manager 2012.


To wrap up a quick look in the console at the build numbers of the Technical Preview.



For those familiar with installing the previous versions of Configuration Manager the setup experience is still pretty much the same.

That is all for now. Make sure to watch this blog for more content on vNext as I explore it further in my lab environment during the upcoming days and weeks!


Microsoft Intune: April Update brings more features

April 20, 2015

Microsoft is updating its Intune service this week and will be introducing an additional set of new features.

A quick overview of the new cloud only –or standalone- features that are part of this release:

  • Management of Office mobile apps (Word, Excel, and PowerPoint) for Android tablets.
  • Ability to restrict access to Exchange on-premises for Exchange ActiveSync clients on Android devices.
  • Ability to create WiFi profiles with pre-shared keys (PSK) for Android devices.
  • Ability to resolve certificate chains on Android devices without the need to deploy each intermediate certificate individually.
  • Deployment of .appx bundles to Windows Phone 8.1 devices.
  • Managed Browser app for iOS devices that controls actions that users can perform, including allow/deny access to specific websites.
  • Management of Work Folders app for iOS devices.
  • Updated Endpoint Protection agent for managing Windows PCs.
  • Ability to manage Windows Defender on Windows 10 PCs running Windows 10 Technical Preview without need for separate Microsoft Intune Endpoint Protection agent to be installed.
  • Combined Microsoft Intune Company Portal websites for PCs and mobile devices to provide a more consistent user experience across platforms.
  • Added Windows and Windows Phone Company Portal apps to the Microsoft Download Center to provide an additional option for accessing these app downloads.
  • Enhanced user interface for overview pages within Intune admin console.

Details on when the updates are taking place per service instance can be found here.

Until next time.



Update on the ConfigMgr 2012 Update Scan Issue – Windowsupdate.log Error 8007000E

April 16, 2015

Last week Kim blogged about an issue with Windows 7 and Software Updates that some of his customers had been reporting.

Kim had already outlined the issue and the symptoms, plus also provided a few workarounds which may help in resolving it. Through this post I wanted to inform you that now Microsoft has published a blog post that:

a) gives some more details on the root cause of the problem

b) outlines some possible workarounds and

c) most importantly: states a hotfix is in the pipeline which will be available in (late) Q2

You can find the full details here.

I ran into the same issue at one of my customers last week and have been working with Microsoft support to get this resolved. Below you can read some findings and experiences from the past days.

The workaround to Move wuauserv (Windows Update Agent) to its own SVCHost.exe instance did not prove to be very successful. Although we saw the scan job succeeding on a few clients at first, after a few additional scans the issue returned.

Next step was cleaning up WSUS. First we needed to verify what we could potentially clean up using the script provided by Microsoft:


To get things back on the rails, in the end the only successful method was to run the WSUS cleanup script to decline all superseded updates. Running the script with the -DeclineLastLevelOnly switch was not sufficient.

Important: Before running this cleanup script make sure to identify if any of the updates are still needed! It could be a superseding update has not yet been released due to your internal approval and/or release processes!

And while you are checking that also note that the script output may be misleading. Set the LastLevel column filter to False if you are actually looking for the Last Level Superseded Updates.


Running the script itself took around 15 minutes.

Note: if you are running multiple SUPS in your environment you should only run this on one SUP – the one with Windows Update set as synchronization source.

Hope it helps!


UDM: Conditional Access – Saving of Access Rules to Exchange has failed (error: A2CE0100)

March 29, 2015

A few days ago we were working on extending our hybrid demo environment. We made some changes required to demonstrate conditional access with Exchange Online. Details on how we set things up will follow shortly in another post.

Once the basics were in place we implemented a policy that would block a user from accessing their mailbox when using an unmanaged device.

The policy was properly deployed to a collection which included my demo user, however I noticed my demo user could still sync his mail on an iPhone 5 which was not enrolled. Even after an hour or two this condition remained unchanged so something was wrong.

Initial investigation did not show anything out of the ordinary in the Configuration Manager console. However in the Intune console I noticed an entry in the Alerts node:

Saving of Access Rules to Exchange has failed

Microsoft Intune was unable to set the requested mobile device access rules or related settings in Exchange due to the following error: A2CE0100



Unfortunately the “View Troubleshooting Information” link is broken. So is the one on the top right in the console and the right-click one. As such it was hard to find any further details on this specific error.

I made a few attempts to get things working, including the following:
– Modifying the compliance policy (increasing the revision number)
– Removing and adding the user from and to the target collection
– Removing and recreating the deployment of the compliance policy

I can confirm none of the above resolves the issue. The policy still did not get applied.

In the end to get things working again what I had to do was to delete the compliance policy,  recreate it from scratch, and deploy it again.


When synching mail on the iPhone 5 a few minutes later, the policy kicked in.


Although the problem was solved and we now have a working demo scenario, in the end I have no idea what went wrong initially and how I could have been troubleshooting this in a more optimized way. Whatever it was, it does not seem to resolve itself. Also, the repeat count of the alert not increasing indicates the system itself does not do any retries.

I definitely see a few areas for improvement here:

  • Fixing the link to the troubleshooting information so the admin can troubleshoot properly and in a most optimized way.
  • Exposing Intune alerts to the Configuration Manager Console so the admin does not have to look in multiple locations.
  • Having the system retry the action “Saving of Access Rules” at least a few times. In case the alert repeat counter increases the admin can further look into a blocking issue. Otherwise there may have just been a glitch and the issue would have resolved itself.

If you are ever facing the same issue, I hope this article will save you some troubleshooting time!


