Category Archives: IT Pro

Case of the Unexplained: Using PsKill to troubleshoot failed ConfigMgr update download

Every once in a while, I run unto a bit of bad luck downloading a new version of ConfigMgr technical preview. I can’t say I’ve ever had this exact problem happen to me in production, but I *know* it’s happened several times in my technical preview lab.

When a new update is available in the console, it will get stuck on downloading:

Console showing CM update is downloading

Console showing CM update is downloading.

One of the first troubleshooting steps you can do is restart the SMS_Executive service. If that doesn’t work then I like to stop/start the SMS_Executive service and empty the contents of the EasySetupPayload folder (found in the ConfigMgr install directory). But what happens when you can’t stop the service? This is where I have that “sometimes this happens, but only in this particular environment” problem. I can’t stop the service 🙁

The service is stuck in “stopping” and I can’t fix it at this point without some help from PsKill

I know this isn’t a limitation of a ConfigMgr environment because I can go to my “prod” (Current Branch) site server and stop that service quite easily. My first go-to at that point is to just reboot the site server. It’s a lab, and that’s a fairly benign and extremely useful troubleshooting tool to have available. I don’t know of too many places that are typically very happy for you to reboot production servers whenver you run into issues 🙂

After the site server came back from the reboot, I saw that I was still plagued with the same issue: the download is stuck and I can’t do anything to the service. At this point, I’m not exactly as happy to throw in another reboot as a troubleshooting step.

Einstein quote

I’m guilty of this probably more often than I should admit.

Now, the ConfigMgr team has published an update reset tool which I could have used, but it meant I needed to go find the TechNet article and remember how to run the tool (it’s really simple, and you can get more info at the bottom of this post).

The super fast way, to get to the bottom of the problem is to use PsKill. You can get the latest version of it from

I opened a command window as admin (note: I was already in PowerShell, but it’s not necessary to use PowerShell to run the tool. I was simply using PowerShell to try to stop the service first) and used the following syntax .\pskill.exe -t smsexec.

It’s not required to run the tool from PowerShell, I was simply using PowerShell to attempt to stop the SMS_Exec service

Once smsexec.exe was stopped, I could go into the EasySetupPayload folder and delete the update. At that point, I could restart the service, and I saw the download was pretty happy. Now I’m running the install.

How did I know to kill the smsexec process? If you go to properties on the service (from Services (msc) you get the path to the exe <install location>\Microsoft Configuration Manager\bin\x64\smsexec.exe. You can accomplish the same thing in Task Manager from the Services tab. Just right click the service and pick “go to details”- it takes you to the running process in the details tab.

By the way, if you want to use the Update Reset tool that the ConfigMgr team published, follow this link for more info: You need the package GUID, your site database name at the toplevel, the FQDN of the toplevel SQL server. The tool is located  If SQL is on the same box as your primary, then lucky you, you already know the FQDN and database 🙂 However, I’ve walked into plenty of environments where I wasn’t the one who architected the setup and documentation either doesn’t exist or wasn’t transferred. What typically goes hand in hand with that scenario is that opening a ticket to even get any info about the remote SQL (yuck, but I get why some companies do it) takes exponentially longer than running pskill would take.


Troubleshooting Intune Error 80180014

young business woman and futuristic graphical user interface concept, Internet of Things, Information Communication Technology, Heads up display, abstract mixed media

This lady is a professional and probably knows more about Intune than I ever will.

I ran into an unexpected issue when enrolling a new device. I kept getting the following error message, “Your organization does not support this version of Windows. (0x80180014).

Screenshot of error code

Can’t enroll due to error 80180014

I did a quick search to find out that the error code means the platform isn’t supported. The recommendation was to upgrade the OS. (See: )

Screenshot of Microsoft Docs translating the error code and recommending to upgrade

Documentation recommends upgrading.

I wasn’t too sure this was really an accurate error, or even solid remediation advice. I felt like Intune was trolling me with a “have you tried turning it off and on again” bit of help. The device in question was running Windows 10 v1703. I tried again on a device running Windows 10 v1709 expecting success this time. Instead I was greeted with the same error code.

This time I went to the event log on the device to see what I could glean from there. In event log, under Applications and Services – Microsoft – AAD – Operations, there were plenty of fun errors and warnings. Take this one for example:

A warning message in the event log stating that the text associated with the error message couldn't be found.

The text associated with this error code could not be found.

There were a few other cryptic errors as well. Then I stumbled across one that started to point me to believe there was something wrong with my tenant.

Error message stating I might have tried to authenticate to the wrong tenant

“You might have sent your authentication request to the wrong tenant.”

At this point, I turned to my tenant to review settings. As far as I could tell, everything was ok. I reached out to Jan-Ketil Skanke for a sanity check. We reviewed my settings together. Turns out my tenant was blocking (all) device enrollment for some reason. Here’s where it becomes super obvious that I’m an Intune noob 🙂 Also a good time to point out that there’s nothing at first glance on this page that would suggest you should click the text you see to uncover more settings #ImJustSaying.

A view of enrollment restrictions in Intune

They couldn’t put an arrow or a “click here” type indicator that there may be more settings to drill into? (Spoiler alert: if you actually hover over an item you can tell if it is expandable) #IntuneNoobProblems

Screenshot showing settings expanded in Intune

OK, so it miiiiight be my fault.

I enabled Windows devices and waited a few minutes. I returned to both Windows devices and tried to enroll again. This time with success!

OneDrive Woes in the Win10 AU

I have a *workaround* for anybody experiencing One Drive crashing in the Windows 10 AU (1607). What I’m doing isn’t a sustainable practice if you’ve got the error across a large environment.

Not so shiny error in the event log!

Not so shiny error in the event log! Faulting application name: OneDrive.exe

Event Name: SkyDriveClientError

Event Name: SkyDriveClientError

My environment:
-Bare metal deployment of AU
-Domain Joined
-The domain account logging in is not an administrator account, although when signing in with an admin account, the problem persists.

I did my homework:
-There are no GPOs blocking MS accounts or One Drive – it works in Windows7, Windows 8.1, and Win10 1511.
-McAfee Enterprise: see above – it works in other environments, we’ve got nothing configured that would interfere.
-Firewall/QoS/etc: see above – nothing that would prevent the app from running.
-Obtained media from VLSC and imported into MDT – zero customization done here.

After doing a lot of reading, I’m kind of relieved I’m not the only person with the issue, a lot of you are having it. The only workaround I ever saw posted was to roll back to 1511 or check EMET settings. Neither applies here because I did a bare metal deployment and we aren’t using EMET.

So, if I can’t rollback, what can I do?
I decided to add a Microsoft account (not the same one I was using for One Drive mind you) as a user on the PC. I didn’t make it administrator, just a regular user. BAM! One Drive works. That MS account had ~20GB data I was able to sync. Time to test on the domain account – and what do you know? Now it works and is happily syncing 200GB data.

Edit: I’m told by Sandy that in an upgrade scenario if you’re having the issue you can delete HKLM\Software\Policies\Microsoft\Windows\OneDrive

#SQLSunday – Find Device Collections and Collection Membership

I try to use the ConfigMgr console as little as possible these days (long story).  So, here’s a SHINY and FUN thing you can do in SQL!

Want to know what device collection an endpoint belongs to?

select distinct
v_FullCollectionMembership.CollectionID As ‘Collection ID’
, v_Collection.Name As ‘Collection Name’
, v_R_System.Name0 As ‘Machine Name’
from v_FullCollectionMembership
JOIN v_R_System on v_FullCollectionMembership.ResourceID = v_R_System.ResourceID
JOIN v_Collection on v_FullCollectionMembership.CollectionID = v_Collection.CollectionID
–Uncomment below if you want to be specific.  You can use ‘AND’ operator if you want multiple specific systems returned.
–Where v_R_System.Name0=’MDT01′

Here's the collections my MDT server currently belongs to.

Here’s all the collections my MDT server currently belongs to in this environment.

Alternatively, want to return all the rows?

select * from v_FullCollectionMembership
where name =’MDT01′

And the most useful I’ve found from that view for reports is:

select distinct
v_FullCollectionMembership.CollectionID As ‘Collection ID’
, v_Collection.Name As ‘Collection Name’
, v_R_System.Name0 As ‘Machine Name’
from v_FullCollectionMembership
JOIN v_R_System on v_FullCollectionMembership.ResourceID = v_R_System.ResourceID
JOIN v_Collection on v_FullCollectionMembership.CollectionID = v_Collection.CollectionID
–Uncomment below if you want to be specific.  You can use ‘AND’ operator if you want multiple specific systems returned.
–Where v_R_System.Name0=’MDT01′

Very SHINY columns are returned when running this query!

Very SHINY columns are returned when running this query!

OSD – HP Driver Tips

Working on certifying drivers for some older model HPs in the shop. My options are:

1. Use Mikael Nystrom’s PowerShell is King – Export drivers from Windows good stuff if you have a box already configured how you want and it’s not Windows 7

(do a get-command export* and you'll see you can't use export-windowsdriver in Win 7)

(do a get-command export* and you’ll see you can’t use export-windowsdriver in Win 7)

Good Windows 7 Options:

2.  If you get stuck installing a driver as an application, check in Program Files/Program Files (x86) for the unpacked files to see if an .inf was dropped there.  Be careful pulling the .inf file as some of the softpaqs need the software stack to work properly (see method 4 below for this scenario).

Found the driver for bluetooth in this folder in Program Files (x86)

Found the driver for Bluetooth for a ZBook in this folder in Program Files (x86)

3. If HP, I generally find the majority of the unpacked files in c:\swsetup and then I search Program Files.

C:\SWSetup is a common unpack directory for Support Assistant and manual installs.

C:\SWSetup is a common unpack directory for Support Assistant and manual installs.

4.  Another HP trick is to use the HP Softpaq Download Manager.  Once you load up the model you want, you can right click on any of the given drivers to get the fly out menu and select cva file.  If it exists, it will give you install + silent install instructions for those pesky drivers that need to be installed as applications.

Using HPSDM to get the driver package and install instructions.

Using HPSDM to get the driver package and install instructions.

Install instructions are in a cva that you open with notepad - then scroll to the install section.

Install instructions are in a cva that you open with notepad – then scroll to the install section.

A fun tip about the cva file is if you know the softpaq number, you can just find it in this URL  (this only works if there is actually a cva – not everything has one – but better than nothing, right??)

SQL Report: Unused Applications SCCM

This post is inspired by System Center Dudes post on auto uninstalling unused apps in your environment. It also has the same requirements (aka have Software Metering working in your environment if you want actual usage stats vs is this thing installed or not.)

Disclaimer: I’m non-technical so these SQL queries come without warranty.  The good news is it’s only reads, so you’re not destroying anything 🙂

System Center Dudes post uses WQL to create device collections that allow you to gather info on specific installed applications and also to be able to uninstall a specific application if it hasn’t been used within a certain time frame (120 days is good enough for me!) it’s an awesome idea, but I simply want to report on the presence of software and said usage to help management decide if we should buy the same amount of licenses for a specific software at renewal time.

Here’s what I came up with:

--Specific Product Installed
select Name0 as ComputerName, Resource_Domain_OR_Workgr0 as 'Domain/WorkGroup', Client0
inner join v_GS_INSTALLED_SOFTWARE on v_GS_INSTALLED_SOFTWARE.ResourceID = v_r_system.ResourceID
v_GS_INSTALLED_SOFTWARE.ProductName0 like 'Stata%'

--Usage count Last 120 Days
select Name0 as ComputerName, Resource_Domain_OR_Workgr0 as 'Domain/WorkGroup', Client0
inner join v_MonthlyUsageSummary
on v_R_System.ResourceID = v_MonthlyUsageSummary.ResourceID
inner join v_MeteredFiles
on v_MonthlyUsageSummary.FileID = v_MeteredFiles.MeteredFileID
v_MeteredFiles.ProductName like 'Stata%' AND DATEDIFF (day, v_MonthlyUsageSummary.LastUsage, GetDate()) < 120

Find text using PowerShell

I totally broke the setup of a non ConfigMgr system that I’ve been tasked with setting up.

Oops, I did something wrong!

Oops, I did something wrong!

Some how, in some way, I hard coded the TEST SQL server/database rather than the PROD SQL server/database into a config file.  The bigger problem was that this is a system I had never heard of  until a few days ago, so my only hope was combing through logs to find my error.

Log files always have the answer ;)

Log files always have the answer 😉

Once I found it, I started clicking through the install directory only to see there were too many config files and folders to know where to start.  I had two options, open every file or find it in PowerShell.

Here’s what I came up with to find what I was looking for:
dir "C:\program files\Ami FP Test" -I *.* -R | select-string SQLTEST
Sure enough, here’s the very config file where I made the mistake.

PowerShell is KING!

PowerShell is KING!

Found my mistake!

Found my mistake!

Hey, Scripting Guy has a more “pretty” and correct way of using this same method and you should read it.  But if you’re new to PowerShell, I want you to know that if it works, it doesn’t have to be pretty.  Use what works as your base to learn better ways to do things.

Add a Serial Number to your NUC

As an Intel NUC owner, you might have noticed that your NUC doesn’t come with the serial number hard-coded into the BIOS:

NUC with no Serial Number

NUC with no Serial Number

You can actually do this yourself with the Intel Integrator Toolkit.  The site says support ended for it and it would be taken down in 2015, but here we are mid 2016 and it’s still available :).  You get a list of client OS’s that support it but I installed it on Server 2016 TP 5 with no issues.

When you launch the application, you get a dialog box giving you some options.  As you can see, you could run this from another PC entirely (but don’t – you need to be present to accept the config changes).  If you’re running it from your NUC however, you can walk the wizard below to customize the BIOS and get right to it. (NOTE: You must have an active internet connection!)

Menu showing configuration options when you launch the tool.

Since I’ve picked to customize locally, the toolkit gives me a lot of options as you can see below.

Intel Integrator Toolkit

Lots of customization options!

In the SMBIOS menu, I simply input a value.  I had the Serial Number from an old HP laptop I happened to have written down handy so I input that as the value . Just kidding, I picked Beaker.  The toolkit allows you to paste in values, so you could create your own custom Serial Numbers and import them.

When you’ve finished your customization, you simply select “Save BIOS” from the ribbon.  This will install the BIOS and add all your custom configurations.

Save BIOSTime to make it happen!

YOU CANNOT DO THIS REMOTE – YOU NEED TO HAVE A KEYBOARD ATTACHED TO ACCEPT THE CONFIGURATION CHANGE (and a monitor to read the message, or just remember to press 9 on the keyboard).  Don’t say I didn’t warn you 🙂

Be ready to press 9 to accept the change

Be ready to press 9 to accept the change

When the configuration is complete and you sign in again, you’re greeted with a dialog box from the toolkit letting you know your change was successful.

Woohoo, you did it!

Woohoo, you did it!

And of course, you can validate in PowerShell too!

PowerShell is King! And your Intel NUC has a Serial Number!

PowerShell is King! And your Intel NUC has a Serial Number!



Another important feature to customize is the display image.  I opted for a picture of Beaker because he’s my hero.

changing images






Office 365 Advice!

Today I was a guest on On The Air a live tech talk show put on by Spiceworks.  In the episode we talked about deploying Office 365 and played Servers and Sysadmins (a super fun IT version of the popular Dungeons and Dragons RPG).  If you haven’t already seen it, here’s the link to the episode.


I wanted to also make sure to give some professional advice aside from the silliness on the show (but for real, I had a good time) so I have come up with some basic advice for getting started on your own.

Also, be sure to check out the EMS book by Kent Agerlund and Peter Daalmans.  It’s due to hit Amazon in May and will walk you through a full setup using both cloud and hybrid options.  I will post the link as soon as the book is available for purchase.

Preparing for Office 365 Migration:




Microsoft Online Services Sign-In Assistant for IT Professionals Beta


Azure AD cmdlets


Enable Script Execution (Admin PoSH)

Set-ExecutionPolicy -ExecutionPolicy Unrestricted


Get to know service descriptions – pick what’s best for your organization and understand what you’re signing up for – it would be better to sign up for too much than not enough service.


Office 365 Deployment Guide – advice on deployment models –these are my requirements – here’s the model that works best for me.

Deployment Readiness Toolkit – environment prechecker

Office 365 admin resource center

Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit – troubleshoot config issues

Know your network or get to know your network admins – bring whiskey!

The slowest connection to Office 365 is going to be from your gateway to ISP and then ISP to Office 365 data center (if your ISP isn’t part of the Internet Backbone)

Think about how users will be accessing services like OWA/ActiveSync and also how much data do you have to migrate to the cloud (think Exchange S4B and SharePoint)

Get to know your organization’s QoS settings (this is where the whiskey comes in handy!)

Office 365 Community site

Learning PowerShell for Office 365:

Simply put, you’re going to use PowerShell for automation and management.

Many of the administrative tasks can be performed through the admin center UI, some tasks are difficult to do without PowerShell and some tasks can be performed only with PowerShell.

Get to know/use PowerShell ISE because the complexity of PowerShell is reduced in ISE basically, you don’t have to memorize every single command ISE is pretty smart.

Pro tip: ALWAYS run as admin

It is a good idea to have a test tenant with a few users so you can test your PowerShell scripts. Alternatively, you can use your production tenant with test users. In both scenarios, the test users most likely will have to be assigned Office 365 licenses, at least during script testing. Microsoft does not provide free test tenants or free test user licenses.


Real-World Challenges (that I have seen):

Not understanding licensing or really not being ready to push users to the cloud because your legacy AD needs some love.  Take some time to review for stale accounts and clean them up before you migrate – it will save some pain on the other side.

Qos for Skype for Business – packet loss can really impact voice meetings so make sure you’re aware of/reviewing your organization’s QoS.  Really this isn’t just a step for review for S4B, but this is one area that’s really not going to play nice if you aren’t prepared properly.

UPN – vs.

Perficient has a really good blog post about the topic.

Not understanding the design/implementation of your legacy environment– if you want a seamless user experience, you need to understand how and why things are setup the way they are in your legacy environment.  From SharePoint layout and permissions to user vs equipment mailboxes in Exchange.  Some things you did in your legacy environment are now charged as per user license in your new environment.

Not testing – either with a test tenant or test users in production – you need to understand the impact of your changes!

Understand that in Exchange, some legacy features/resources won’t be available in the cloud.  So if a user connects to another mailbox or resource, it also needs to be available in the cloud.  We saw this with Public Folders and equipment mailboxes that were setup as user mailboxes.

Upgrade your 2012 R2 SP1 ConfigMgr environment to 1602 #LikeABoss

Yesterday I went from CM 2012 R2 SP1 CU whatever to CM 1602.



It’s a really simple process, but if you haven’t done any kind of CM site upgrades before, maybe you feel a bit overwhelmed.  To get started to need to do two things.  The first being verify you have a backup.  If you don’t know how to do this, check out Steve Thompsons blog.

Next, go to your VLSC and download the required media.  (Note: I was already running a fully patched version of SQL Server 2014, so I didn’t need to download that media, and I wont be covering it in this post.)

After the download completes and you’re certain you have a backup of your site, I’d make sure the server that hosts your site is fully patched so that pending reboots don’t break the upgrade.


When you’re back up and running, mount the ISO and launch splash.hta which will start the application to perform the upgrade.

You’ll be greeted with this page that defaults to the upgrade so you can leave it as-is.

And you’ll need to accept three sets of EULAs before you can continue.

Now, just like in your production version of 2012, you have prereqs to download.  If you’ve already done so, here’s where you would tell the wizard to grab them for the install.  I prefer to keep anything that’s not the OS on my E:\ drive.

And if you did specify a path to download (aka you didn’t download the prereqs beforehand), the app will then initiate the download as soon as you click next (and it’s really quick too!).

When the download completes you can add language support.  While you  can add languages after the fact, if you plan to add support for anything other than the default, do it now please :).


You’ll then configure service connection point and select (the only option) setup type.  If you choose not to connect the service now, you’ll have to do it after the fact.  So unless you have a really good reason not to, just connect now.

Next comes the prerequisite check for the upgrade.  You can ignore the warnings if you want, but you have to remediate all failures to be able to continue.  As you can see here, I needed to install USMT as well as remove Distribution Point role (the only role installed on that server – which is how I knew what to do 🙂 ) from the server that sat on the same cluster as my primary site.

You’ll click through a few more steps and then the upgrade starts.  You can watch what’s going on in the ConfigMgrSetup log on C:\ by opening it in CMTrace.

Go ahead and take a coffee break (I recommend this) because it will take a bit to complete.  When it’s done you can close the app.

Now comes the fun part – getting to 1602.  I, like an idiot had left the console open during the upgrade and saw in the setup log that the new console failed to install.  Even if I hadn’t seen it, I was blocked with an error message that told me I couldn’t connect to my site.  Before worrying about permissions, I decided to reinstall the console – if this happens to you, you can easily reinstall the console by navigating to your ISO and go to SMSSETUP\BIN\I386 and launch consolesetup.exe .

With the console open, go to Administration – Overview – Cloud Services – Updates and Servicing.  (As of today) You’ll see the upgrade for 1602.  Right click it and first run the prerequisite check and then finally right click again to install it.

Note:  You can choose to run against a non-production collection if you have such a thing 🙂 or you can go ahead straight to production.  Since I’m my own boss, I don’t have much of a reason to pick a collection to test against.

And when it’s finished you’ll need a new version of the console again.  This time, clicking Ok caused the console to upgrade without any manual work for me.

If you didn’t already have automatic client upgrades turned on, I really think you should.  I say this because I had it turned on and configured to what works for my environment as far as days to install the client.  It’s great because the new client package was already distributed for me and I can see that some of my endpoints already have the new client.  To turn it on, go to  Administration – Overview – Site Configuration – Sites and go to Heirarchy Settings (on the ribbon) and tick the box to allow the auto upgrade.

And finally you’ll want to check to make sure the client package has been distributed (and if it hasn’t you’ll need to do so) by going to  Software Library – Application Management – Packages.  While you’re in there, check on your boot images too by going to the Operating Systems node in Software Library – they get updated during the upgrade and therefore should be replaced on all your distribution points too.

Depending on the complexity of your environment or if you want to add or remove roles/features you’ll have more work to do.  Of course if you need help, you can always ping me on Twitter.