ConfigMgr Content Source Path migration

No Gravatar

Several ConfigMgr scenarios require that the content Source Path be changed.  This typically includes migrating to a new ConfigMgr environment (2007 to 2012, 2012 to Current Branch, etc.), and simply moving the source content to a new location such as a DFS Share or low-speed NAS device.

Updating the Source Path can be done manually via the ConfigMgr console.  For Packages, Software Update Deployment Packages, Drivers, Driver Packages, Operating System Images, Operating System Upgrade Packages, Boot Images, and Virtual Hard Disks, just add the Pkg Source Path or Package Source Path column to the console view to review the paths, then edit the object’s Source Folder in the Data Source tab.

However, for Applications, you’ll have to step through each Deployment Type on each Application, view the properties and modify the Content Location in the Content tab.

This is all painfully slow if you have more then a handful to deal with.  So, automate it!

image image

The community has developed at least 5 solutions to this including

CoreTech and Nickalaj have the slickest solutions.  Sometimes a GUI gives the visual feedback you need to be confident in the final outcome.

158_1 image

Either of these two tools should effectively handle the changes.  As a bonus, both will actually copy the content files from the old to the new path.  Awesome!

Happy migrating!

September 28, 2016

Posted In: ConfigMgr 2012, Scripting


Azure AD Join error code 80180026

No Gravatar

When attempting to join Azure AD you are presented with the message “contact your system administrator with the error code 80180026


Something went wrong.  Confirm you are using the correct sign-in information and that your organization uses this feature.  You can try to do this again or contact your system administrator with the error code 80180026.  Try again.

keep reading at

September 7, 2016

Posted In: Microsoft Intune

Tags: ,

Azure AD join error code 8018000a

No Gravatar

Recently when attempting to perform an Azure AD Join with a Windows 10 v1511 computer I got the following error:

Something went wrong.  The device is already enrolled.  You can contact your system administrator with the error code 8018000a.


That didn’t make sense because I had recently disjoined the computer from Azure AD.  I could find no reference to the object in the Azure portal either.

Keep reading at

August 27, 2016

Posted In: Microsoft Azure


Recovering from BCD error 0xC000000D with BitLocker and Hyper-V

No Gravatar

I recently had a nasty issue with my seriously awesome laptop (Lenovo ThinkPad P50 with a Samsung 950 Pro NVMe n.2 SSD).  After a full shutdown (hold Shift when shutting down Windows 10) on the next power on I got a BitLocker recovery prompt.

That’s happened before, so I just powered off and back on like I’ve always done.  However, this time I was greeted with a foreboding BCD error:


Keep reading at

August 12, 2016

Posted In: Windows 10

Using a Task Sequence Secret Value when changing a local password

No Gravatar

At one time it became routine to manage Windows local account passwords with a Group Policy Preference.  However, some time ago the process was was discovered to have a significant venerability and Microsoft released security bulletin MS14-025 to address the issue.  But Microsoft didn’t fix the vulnerability.  Instead they removed the ability for GPP to save user names and passwords in Local Users and Groups, Drive Maps, Scheduled Tasks, Services, and Data Sources.

There are many options to handle managing local account passwords including:

  • MS14-025 includes a lengthy PowerShell script which will reach-out to remote computers to change the password and log the change in a central text file
  • Microsoft Local Administrator Password Solution (LAPS) is a great free solution which should be seriously considered
  • ConfigMgr (SCCM / Microsoft System Center Configuration Manager) deployment
  • a dozen other options not listed here

While discussing the ConfigMgr options with a few colleagues we came up with the following:

  • Application or Package deployment with a script which has an embedded password or uses a password formula / calculation
  • A Compliance Setting and Baseline with a script a script which has an embedded password or uses a password formula / calculation
  • A Task Sequence deployment with a script which has an embedded password

I’ve created a Compliance Setting and Baseline for a customer in a situation where they had ConfigMgr clients on workgroups and joined to domains which they could not manage.  This worked really well for them.  The embedded script used a simple Base64 conversion to obfuscate the password and the password was not exposed on the command line, but there was no actual encryption.

Turning to the Task Sequence discussion option, a suggestion was made to call NET USER from a Run Command action.  This sounded easy.  Too easy.  Besides, wouldn’t the command including the password be exposed in SMSTS.log?  Not if a “Secret Value” Task Sequence Variable is used!

Follow these steps in configuring a Task Sequence:

Set a Task Sequence Variable named “ADMPW” or similar, enter the clear text value, then enable the “Secret value” check box.

Select OK to save/close the variable properties, then look at it again and notice that the value is quite different than what you’ve typed.  It’s encrypted!


Now, call the NET USER command line with the variable

NET USER administrator %ADMPW%


Reviewing the SMSTS.log helps validate that the password is not exposed.


The log only shows “Action command line: smsswd.exe /run: net user administrator %ADMPW%”

The ConfigMgr Task Sequence using a “Secret Value” Variable can be an effective method of changing local account password.

June 21, 2016

Posted In: ConfigMgr 2012

Tags: ,

ConfigMgr fails to distribute a package… failed to create instance of IRdcLibrary

No Gravatar

Awhile back I had an issue distributing a new Package in ConfigMgr (SCCM).  There didn’t seem to be anything unique about the package, it just didn’t want to process.  Digging into the SMS Distribution Manager log (distmgr.log), I noticed a number of errors about the file not being found, couldn’t be added, can’t create a snapshot,etc.  The IRdcLibrary keyword is the real clue.

After reinstalling the Windows feature Remote Differential Compression, Distribution Manager started working again.

Start adding package P010017D...
The Package Action is 2, the Update Mask is 268435456 and UpdateMaskEx is 0.
CDistributionSrcSQL::UpdateAvailableVersion PackageID=P010017D, Version=1, Status=2300
Taking package snapshot for package P010017D from source \\CM01\PackageSource\updates\2016\\CM01\PackageSource\updates\2016
failed to create instance of IRdcLibrary    SMS_DISTRIBUTION_MANAGER
CreateRdcSignature failed; 0x80040154   SMS_DISTRIBUTION_MANAGER
CreateSignature failed    SMS_DISTRIBUTION_MANAGER
CreateRdcFileSignatureW failed; 0x80040154        SMS_DISTRIBUTION_MANAGER
CFileLibrary::AddFile failed; 0x80040154  SMS_DISTRIBUTION_MANAGER
CFileLibrary::AddFile failed; 0x80040154  SMS_DISTRIBUTION_MANAGER
CContentDefinition::AddFile failed; 0x80040154   SMS_DISTRIBUTION_MANAGER
Failed to add the file. Please check if this file exists. Error 0x80040154               SMS_DISTRIBUTION_MANAGER
SnapshotPackage() failed. Error = 0x80040154      SMS_DISTRIBUTION_MANAGER
STATMSG: ID=2361 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SITE=P01 PID=6244 TID=4488 GMTDATE=Fri Apr 15 14:06:24.604 2016 ISTR0="\\CM01\PackageSource\updates\2016" ISTR1="Test" ISTR2="P010017D" ISTR3="30" ISTR4="22" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="P010017D"         SMS_DISTRIBUTION_MANAGER  4/15/2016 9:06:24 AM    4488 (0x1188)
Failed to take snapshot of package P010017D
CDistributionSrcSQL::UpdateAvailableVersion PackageID=P010017D, Version=1, Status=2302
STATMSG: ID=2302 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SITE=P01 PID=6244 TID=4488 GMTDATE=Fri Apr 15 14:06:24.616 2016 ISTR0="Test" ISTR1="P010017D" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="P010017D"         SMS_DISTRIBUTION_MANAGER  4/15/2016 9:06:24 AM    4488 (0x1188)
Failed to process package P010017D after 3 retries, will retry 22 more times
Exiting package processing thread.            SMS_DISTRIBUTION_MANAGER

June 20, 2016

Posted In: ConfigMgr 2012

Tags: ,

SSRS Error 401.3 Access is denied

No Gravatar

So, you’ve been denied!  It’s OK.  It happens to the best of us.

If you are lucky enough be gifted with this message take a look at the NTFS rights of the SQL Server Reporting Services instance which will likely be a folder like C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services.  Granting the appropriate AD group read & execute rights may solve the problem.


Server Error in ‘/Reports’ Application.

Access is denied.

Description: An error occurred while accessing the resources required to serve this request.  You might not have permission to view the requested resources.

Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists).  Ask the Web server’s administrator to give you access.

Thanks to Mike and Jerry for pointing me in the right direction.  After carefully reading the error, it is quite obvious isn’t it.

June 20, 2016

Posted In: SQL Reporting

Tags: , , ,

Downgrading SQL from Enterprise Edition to Standard for ConfigMgr

No Gravatar

At a recent client engagement we discovered that Microsoft SQL Server Enterprise edition was installed on the ConfigMgr Primary Site Server.  Technically this is not a problem, but it is only needed if you expect to have more than 50,000 clients*.  As this environment wasn’t anywhere close to the limit so there was no need to pay the extra licensing cost of Enterprise edition (Standard edition comes with the ConfigMgr licenses).


These steps are largely based on the Jonathan Kehayias approach as documented by Brady Upton at MSSQLTips.

Steps for SQL Enterprise to Standard downgrade

  • On each database verify that no Enterprise features are utilized (SELECT * FROM sys.dm_db_persisted_sku_features)

select ‘Master’ as [Database], * from [master].[sys].[dm_db_persisted_sku_features]

select ‘Model’ as [Database], * from Model.[sys].[dm_db_persisted_sku_features]

select ‘msdb’ as [Database], * from msdb.[sys].[dm_db_persisted_sku_features]

select ‘tempdb’ as [Database], * from tempdb.[sys].[dm_db_persisted_sku_features]

select ‘CM_P01’ as [Database], * from CM_P01.[sys].[dm_db_persisted_sku_features]

select ‘SUSDB’ as [Database], * from SUSDB.[sys].[dm_db_persisted_sku_features]

select ‘ReportServer’ as [Database], * from ReportServer.[sys].[dm_db_persisted_sku_features]

select ‘ReportServerTempDB’ as [Database], * from ReportServerTempDB.[sys].[dm_db_persisted_sku_features]

  • Document databases, security, maintenance plans, and jobs
  • Verify the SQL version number and ensure install files are available (SELECT @@VERSION)
  • Stop and disable backup software
  • Stop ConfigMgr, IIS, and Windows Update services (set to disabled if desired)
  • Backup databases (system and user)
  • Stop SQL services
  • Copy the master, model and msdb database files (.mdf and .ldf) to another location
  • Uninstall SQL Enterprise instance (all features)
    • The Shared tools do not have to be uninstalled; however, if they are not then reporting the SQL edition in the future will be confusing
  • Reboot
  • Install new SQL Standard instance as required by ConfigMgr being sure to keep the same instance name and file/folder paths.
    • Review the Required and Optional configurations for SQL server (64-bit, SQL_Latin1_General_CP1_CI_AS, Database Engine, Windows Authentication, min/max Memory, nested triggers, CLR integration, static TCP ports, etc.)
    • If the original SQL ConfigurationFile.ini is still around, installing based on this file can make all of the configurations fool proof.
  • Patch SQL to the same version as before
  • Verify the SQL version and edition (SELECT @@VERSION)
  • Stop SQL Server and copy/restore the system databases
  • Configure Trace flags (see section below)
  • Start SQL server and verify databases, security, and jobs are as before
    • If login fails, use PSEXEC to start SQL Management Studio as the SYSTEM account, then recreate any SQL Logins needed
  • Enable common language runtime (CLR) integration (sp_configure ‘clr enabled’,1; reconfigure)
  • Enable and start IIS, and Windows Update services… verify WSUS is working
  • Enable and start ConfigMgr services
  • Verify event Viewer and ConfigMgr logs and monitoring to ensure ConfigMgr is healthy
  • Re-enable and start backup software



SQL Trace Logs

Using this method is simple and easy, but there is one additional thing to keep in mind… SQL Trace flags (thanks Allen for pointing this out).  When installing SQL, trace flags are not enabled / added by default; this is taken care of by the ConfigMgr installation.  Since we are not doing a ConfigMgr installation or a site reset, etc. these options need to be added manually.

  • Open SQL Server Configuration Manager
  • Navigate to SQL Server Services -> SQL Server… -> Properties
  • Add "-T8295"
  • Add "-T4199"
  • Apply, stand on one foot, OK, Close


Executing DBCC TRACEON (4199,-1) and DBCC TRACEON (8295,-1) in SQL Server Management Studio will enable these flags as seen by executing DBCC TRACESTATUS (-1).  However, this only affects the current session and they need to be added as startup flags.


SQL and ConfigMgr References

Additional / Related References

April 20, 2016

Posted In: Uncategorized

ConfigMgr Status Message Viewer MFC120u.dll Missing Error

No Gravatar


When the ConfigMgr Admin Console version 2012 SP2 (or 2012 R2 SP1) is installed and the ConfigMgr client is not updated on the same computer you could see an error like the one below.


statview.exe – System Error

The program can’t start because mfc12u.dll is missing from your computer. Try reinstalling the program to fix this problem.


StatView is the utility that displays ConfigMgr status messages and is typically initiated from the console by navigating to

  • Monitoring \ Overview\ System Status \ Site Status
  • OR Monitoring \ Overview\ System Status \ Status Message Queries

StatView.exe requires Microsoft Visual C++ and ConfigMgr 2012 SP2 now uses VC++ 2013 which is not installed as part of the Console.


To resolve the issue, install Microsoft Visual C++ 2013 Redistributable (x86) which can be found at \client\i386\vcredist_x86.exe">\client\i386\vcredist_x86.exe">\\PrimarySiteServer\SMS_<SiteCode>\client\i386\vcredist_x86.exe.  Notice that the x86 version is required even if you are running Windows x64.  This is because StatView is a 32-bit application.


This will install and register mfc12u.dll and other files which should resolve the issue.


You can verify the installation in Programs and Features (Add/Remove Programs) as shown below.


Microsoft Visual C++ Redistributable (x86)…


Problem. Solved.

September 24, 2015

Posted In: Uncategorized


ConfigMgr Reporting Services Point with complex SQL

No Gravatar

In a new ConfigMgr 2012 R2 SP1 environment the Reporting Services point was proving a bit challenging to install.  After setting all of the required permission it was finally happy. 

Required Permissions

On the SQL Server Reporting Services server, an account (in this case a domain user "functional" or "service" account) needed the following:

  • Membership in the server’s local Administrators group
  • SSRS Site Settings -> System Administrator, System User
  • SSRS Folder Settings on the root folder -> Browser, Content Manager, My Reports, Publisher, Report Builder

Scenario Details

This ConfigMgr environment has a complex configuration with 3 different SQL servers in play.

  • Server1: ConfigMgr Primary Site server
  • Server2: server running SQL Server Database Engine role and configured as the ConfigMgr Site Database server
  • Server3: server running SQL Server Reporting Services role
  • Server4: server running SQL Server Database Engine role with only the ReportServer database

With Server1 (ConfigMgr) and Server2 (SQL DB) configured and most functionality working (software deployment, software update deployment, OS deployment, inventory, etc.) it was time to install Reporting Services point.  We created a new ConfigMgr Site Server for Server3 using a domain user account.  However, when attempting to install the Reporting Services point the following error was encountered:


  • Unable to locate any configured SRS instances on the server.  Verify SRS is installed, accessible, and correctly configured.
  • The "Reporting Services server instance" is blank.


We knew that SSRS was installed, configured, and working as there were two other applications already using the SRS instance in a production capacity.

We verified the domain user account could actually access the SSRS website from Server1 (the ConfigMgr server) and discovered

  • the account was a member of the local Administrators group
  • the account had System Administrator rights to the SSRS Site
  • the account could not see any existing reports or report folders and the following message displayed: "User ‘<domain>\<userID>’ does not have required permissions.  Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed."

As the screen shot shows, UAC was actually disabled already.


Once the domain user account was given rights to the root folder, the Reporting Services point role could see the Reporting Services server instance the the role installed without issue.


After the role installed, ConfigMgr reset its own permissions to give the domain user account only "ConfigMgr Report Users, ConfigMgr report Administrators" roles.


Also, the logs for the Reporting Services point are on the SSRS server (Server3 in this case), and located at C:\SMS\logs

August 27, 2015

Posted In: Uncategorized