Cleanup #ConfigMgr Software Update Groups via PowerShell

We use Automatic Deployment Rules (ADR) for Security Updates, other updates, Defender updates and 3rd party Software Update Catalogs. Since all these updates need to be tested through our internal rings, we use the option ‘Create a new Software Update Group’. So, if the ADR detects added updates it creates a new Software Update Group […]

‘Trend Micro Deep Security Agent’ prevents #ConfigMgr SMS_PROVIDERS component from updating

Configuration Manager current branch (CMCB) shows errors for SMS_PROVIDERS every 60 minutes. The sequence is: Message ID 1018: Site Component Manager is reinstalling this component on this site system; Message ID 1090: Site Component Manager could not stop the winmgmt service on site system; Message ID 1020: Site Component Manager failed to reinstall this component […]

#WindowsInsider For Business cannot update to 18262.1000 and stuck in older Skip-ahead- or Fast-ring due to Settings app crash

The 18252 release notes confirm that a bug previously reported in Skip-ahead is now in the Fast ring: the Settings app crashes when invoking actions on certain pages. This includes “Check online for updates from Microsoft Update”. Since this option does not have any schedule and can be triggered only manually, your Insiders for Business cannot update to the […]

Windows 10 cumulative updates, categorized as ‘Updates’, do not show up in Configuration Manager / WSUS

We are using Configuration Manager current branch to update the existing Windows 10 machines with quality updates. All Configuration Manager components are running on ‘Server 2016’ + KB4284833. The error is reproducible in CMCB 1802, 1802 + KB4339794 or TP 1806.2. Windows 10 cumulative updates categorized as ‘Updates’ are not imported into Configuration Manager […]

Windows 10 1709/1804 Inbox App language

If you use Windows 10 language packs, the sources in the MultiLang-iso-files do not contain language updates for the Inbox Apps. In general, they should be updated by a scheduled task (Microsoft -> Windows -> Windows Update -> Automatic App Update), but this task requires the Store app to be accessible and the machine to […]

Deploy Intel microcode updates published by Microsoft via Configuration Manager

Microsoft published the Intel microcode update for Windows 10 1709 as a standalone update (KB4090007), so it is not showing up in WSUS. However, it can be deployed as an application: wusa.exe "windows10.0-kb4090007-x64_7063a0b6a38e2a648aa1d77570503f7062360c9d.msu" /quiet /norestart But even if the current version 1.003 already supports more CPU models than version 1.001, it doesn’t cover all […]

Intel Management Engine vulnerability INTEL-SA-00086 and how to detect vulnerable systems in Configuration Manager

Intel published a new vulnerability in the Intel® Management Engine (ME) on 11/20/17: INTEL-SA-00086, causing Elevation of Privilege (EoP), Remote Code Execution (RCE) or Denial of Service (DoS). Intel also published a detection tool to run on clients. The detection tool creates registry values about the vulnerability state of a client. To check the status […]

Detect Microsoft ADV170012 vulnerable machines via Configuration Manager

Microsoft published a security advisory yesterday (ADV170012 - Vulnerability in TPM could allow Security Feature Bypass) that describes a key generation weakness in Infineon’s TPM chip firmware. To solve the issue we first have to update the firmware of all vulnerable machines, so we have to identify them. As always, ‘Configuration Manager – Hardware Inventory’ can […]