Windows 10 20H2 Feature Update Error 0XC190012E

During our recent Windows 10 feature update deployment from 1809 to 20H2, we ran into an issue on some clients, which reported error 0XC190012E back to ConfigMgr.

The error code itself is generic and I couldn't find it in either the Windows Update error code list

Windows Update error code list by component – Windows Deployment | Microsoft Docs

or the Windows 10 upgrade errors doc

Get help with Windows 10 upgrade and installation errors (microsoft.com)

We first checked the temporary location that the feature update deploys to, C:\$Windows.~BT, for any issue in the compatibility XML or the setup logs under Sources\Panther, but there were no folders other than Sources.

Since there were no files I thought this might be a disk space issue, so I ran some remote WMI commands to check the available disk space, using the PowerShell below with Get-WmiObject.

Get-WmiObject Win32_logicaldisk -ComputerName RemoteComputerName | Select-Object @{Name="Drive";E={$_.DeviceID}},
@{Name="Size(GB)";E={[math]::Round($_.size/1gb)}},
@{Name="Free Space(GB)";E={[math]::Round($_.freespace/1gb)}},
@{Name="%Free Space";E={"{0:N2}" -f (($_.freespace/$_.size)*100)}}

In this case it wasn't disk space, as there was over 100GB free.

There wasn't much online about the error other than the usual advice to run sfc /scannow, chkdsk and the Windows Update troubleshooter, but none of these worked.

Then I found this post on the Microsoft forums that pointed to an issue with the setupconfig.ini file:

Generic 0xc190012e trying to upgrade Windows 10 1909 to 20H2 – Microsoft Community

The file is located at C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS

We aren't using any custom settings in setupconfig.ini, so there was no issue with removing it.

Once I removed the file and kicked off the feature update again it completed without issue.

I don't know how the setupconfig.ini file was created on only a few devices, but it was a quick fix once we found the config file was the issue.
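As an added example (not code from the original post), the function below checks the three things this post looked at on a remote client in one pass: whether the setup working folder has any Panther logs yet, free space on C:, and whether setupconfig.ini exists and what it contains, with an option to remove it. It assumes WinRM is enabled on the target and that the account running it is a local administrator there; the computer names are placeholders.

```powershell
# Added example, not from the original post. Assumes WinRM is enabled on the target and the
# caller is a local administrator there. CLIENT01/CLIENT02 are placeholder names.
function Test-FeatureUpdateClient {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$RemoveSetupConfig
    )

    $remoteCheck = {
        param($Remove)
        $panther  = 'C:\$WINDOWS.~BT\Sources\Panther'
        $setupCfg = 'C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS\setupconfig.ini'
        $os       = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'"

        $cfgContent = $null
        if (Test-Path -LiteralPath $setupCfg) {
            # keep a copy of the content so the record shows what was actually there
            $cfgContent = (Get-Content -LiteralPath $setupCfg -Raw).Trim()
            if ($Remove) { Remove-Item -LiteralPath $setupCfg -Force }
        }

        [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            PantherLogsExist  = Test-Path -LiteralPath $panther
            FreeSpaceGB       = [math]::Round($os.FreeSpace / 1GB, 1)
            SetupConfigExists = Test-Path -LiteralPath $setupCfg   # false again if just removed
            SetupConfigText   = $cfgContent
        }
    }

    foreach ($computer in $ComputerName) {
        $remove = $false
        if ($RemoveSetupConfig -and $PSCmdlet.ShouldProcess($computer, 'Remove setupconfig.ini')) {
            $remove = $true
        }
        Invoke-Command -ComputerName $computer -ScriptBlock $remoteCheck -ArgumentList $remove |
            Select-Object ComputerName, PantherLogsExist, FreeSpaceGB, SetupConfigExists, SetupConfigText
    }
}

# Report only:
Test-FeatureUpdateClient -ComputerName 'CLIENT01', 'CLIENT02' | Format-Table -AutoSize -Wrap

# Remove the file where it exists, prompting per device:
Test-FeatureUpdateClient -ComputerName 'CLIENT01' -RemoveSetupConfig -Confirm
```

Run it with -WhatIf first to see which devices would be touched; the SetupConfigText column tells you whether the file actually carries custom settings before you remove it.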

Windows 10 20H2 Feature Update Error 0xC1900208 ConfigMgr

Recently we have been testing Windows 10 20H2 feature update deployment using ConfigMgr. When the update was applying it failed, and the error shown in Software Center was 0xC1900208.

To check what the code means I usually use the Microsoft doc below, but unfortunately this code was not listed there.

Windows Update error code list by component – Windows Deployment | Microsoft Docs

The error is listed in the Windows 10 upgrade errors doc below, where 0xC1900208 means an incompatible app is blocking the upgrade.

Get help with Windows 10 upgrade and installation errors (microsoft.com)

Since the error related to an incompatible app, I next checked the feature update logs, which are located under a hidden folder on the root of the C drive, C:\$WINDOWS.~BT\Sources\Panther.

I checked setupact.log and the compatdata XML.

The compatdata XML showed an incompatibility with the version of McAfee DLP installed on the device; this device was not getting the latest version of DLP.
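The compatdata report is verbose, and the block you care about is usually one element. As an added example (not code from the original post), the function below pulls out only the entries that carry a blocking type. The element and attribute names it looks for (Program, HardwareItem, CompatibilityInfo, BlockingType, Action) are assumed from typical compatdata reports; the sample report embedded below is constructed for this example and the product names in it are made up.

```powershell
# Added example, not from the original post. Element/attribute names are assumed from
# typical compatdata_*.xml reports; the sample report is constructed.
function Get-CompatBlocker {
    param([Parameter(Mandatory)][xml]$Report)

    # local-name() sidesteps the report's default namespace, so the XPath works
    # regardless of the xmlns on the root element.
    $items = $Report.SelectNodes("//*[local-name()='Program' or local-name()='HardwareItem' or local-name()='DriverPackage']")
    foreach ($node in $items) {
        $info = $node.SelectSingleNode("*[local-name()='CompatibilityInfo']")
        if (-not $info) { continue }
        $blocking = $info.GetAttribute('BlockingType')
        if ([string]::IsNullOrEmpty($blocking) -or $blocking -eq 'None') { continue }

        $action = $node.SelectSingleNode("*[local-name()='Action']")
        $name   = if ($node.HasAttribute('Name')) { $node.GetAttribute('Name') } else { $node.GetAttribute('HardwareType') }
        [pscustomobject]@{
            Item         = $node.LocalName
            Name         = $name
            BlockingType = $blocking
            Action       = if ($action) { $action.GetAttribute('Name') } else { $null }
            Message      = if ($action) { $action.GetAttribute('DisplayTitle') } else { $null }
        }
    }
}

# Constructed sample report (not a real file from a client):
[xml]$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<CompatReport xmlns="http://www.microsoft.com/ApplicationExperience/CompatReport">
  <Programs>
    <Program Name="Example DLP Agent" Id="0001">
      <CompatibilityInfo BlockingType="Hard" />
      <Action Name="ManualUninstall" ResolveState="NotRun" DisplayTitle="Uninstall this app before upgrading" />
    </Program>
    <Program Name="Example Text Editor" Id="0002">
      <CompatibilityInfo BlockingType="None" />
    </Program>
  </Programs>
  <Hardware>
    <HardwareItem HardwareType="Setup_TotalMemory">
      <CompatibilityInfo BlockingType="None" />
    </HardwareItem>
  </Hardware>
</CompatReport>
'@

Get-CompatBlocker -Report $sample | Format-Table -AutoSize -Wrap

# On a failed client, feed it the newest report from the Panther folder:
# Get-ChildItem 'C:\$WINDOWS.~BT\Sources\Panther\compatdata*.xml' |
#     Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
#     ForEach-Object { Get-CompatBlocker -Report ([xml](Get-Content -LiteralPath $_.FullName -Raw)) }
```

With the sample above only the DLP agent is returned, as a Hard block with a ManualUninstall action; a report with no blockers returns nothing, which is the quick way to tell a compatibility failure from a different cause.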

To try to fix the issue I updated DLP to the latest release, which supports Windows 10 20H2, and tried the update again, but it continued to fail with a different error code, 0x80240020.

To get the update to work correctly I had to remove the following folders:

C:\Windows\ccmcache

C:\$WINDOWS.~BT\

and delete all the files and folders under

C:\Windows\SoftwareDistribution\Download

I also ran the following three actions from the Configuration Manager agent in Control Panel:

Machine Policy Retrieval & Evaluation Cycle, Software Updates Deployment Evaluation Cycle and Software Updates Scan Cycle.

I waited around 5 minutes for the scans to complete, tried the feature update again, and it installed without issue this time.
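The clean-up above is several manual steps. As an added example (not code from the original post), the script below does the same reset on the local machine from an elevated prompt, with two deliberate differences from deleting the folders by hand: the ConfigMgr cache is emptied through the client's own cache API so its index stays consistent, and the Windows Update and BITS services are stopped before their download folder is cleared. The client actions are triggered with the documented SMS_Client schedule IDs.

```powershell
# Added example, not from the original post. Run elevated on the affected client.
function Reset-FeatureUpdateClient {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. ConfigMgr client cache: use the client's cache API rather than deleting
    #    C:\Windows\ccmcache directly, so the cache index is not left with orphaned entries.
    if ($PSCmdlet.ShouldProcess('ccmcache', 'Delete all cache elements')) {
        $cache = (New-Object -ComObject UIResource.UIResourceMgr).GetCacheInfo()
        foreach ($element in @($cache.GetCacheElements())) {
            $cache.DeleteCacheElement($element.CacheElementId)
        }
    }

    # 2. Windows Update and BITS hold files open in both remaining locations.
    Stop-Service -Name wuauserv, bits -Force
    try {
        $setupDir = 'C:\$WINDOWS.~BT'
        if ((Test-Path -LiteralPath $setupDir) -and $PSCmdlet.ShouldProcess($setupDir, 'Remove')) {
            # If this is denied even when elevated, take ownership first:
            #   takeown /F C:\$WINDOWS.~BT /R /D Y ; icacls C:\$WINDOWS.~BT /grant Administrators:F /T
            Remove-Item -LiteralPath $setupDir -Recurse -Force
        }

        $download = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'
        if ($PSCmdlet.ShouldProcess($download, 'Clear contents')) {
            Get-ChildItem -LiteralPath $download -Force | Remove-Item -Recurse -Force
        }
    }
    finally {
        Start-Service -Name bits, wuauserv
    }

    # 3. Client actions. These are the SMS_Client TriggerSchedule IDs behind the
    #    control panel actions the post lists.
    $actions = [ordered]@{
        'Machine policy retrieval'                     = '{00000000-0000-0000-0000-000000000021}'
        'Machine policy evaluation'                    = '{00000000-0000-0000-0000-000000000022}'
        'Software Updates Deployment Evaluation Cycle' = '{00000000-0000-0000-0000-000000000108}'
        'Software Updates Scan Cycle'                  = '{00000000-0000-0000-0000-000000000113}'
    }
    foreach ($name in $actions.Keys) {
        if ($PSCmdlet.ShouldProcess($name, 'TriggerSchedule')) {
            Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client -MethodName TriggerSchedule `
                -Arguments @{ sScheduleID = $actions[$name] } | Out-Null
        }
    }
}

Reset-FeatureUpdateClient -WhatIf   # preview every change
Reset-FeatureUpdateClient           # then run for real and retry the feature update once the scans finish
```

Because the function declares SupportsShouldProcess, -WhatIf also flows down to Stop-Service and Remove-Item, so the preview run changes nothing on the device.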

ConfigMgr query all devices software update install status

During a recent audit we needed a list of all updates and their install status on every device.

We use ConfigMgr for applying software updates, but I was not getting the information (at least not that I could find) from the out-of-the-box reports.

I decided to write a SQL query to return all devices, their applicable updates and some device information.

To get the compliance status I used the Microsoft doc for the v_UpdateComplianceStatus SQL view:

SMS_UpdateComplianceStatus Class – Configuration Manager | Microsoft Docs

Below is the full SQL query:

select rsys.name0 AS 'Computername',
 os.Caption0 AS 'Operating System',
 os.BuildNumber0 AS 'Build Number',
 ui.ArticleID AS 'Update ID',
 ui.Title,
 ui.Description,
 --Set Install Status
 Case
 when ucs.Status='0' then 'Detection state unknown'
 When ucs.Status='1' then 'Update is not required'
 when ucs.Status='2' then 'Update is required'
 When ucs.Status='3' then 'Update is installed'
 End As 'Install Status',
 --Set client Activity
 Case
 When ch.ClientActiveStatus='1' then 'Active'
 When ch.ClientActiveStatus='0' then 'Inactive'
 End As 'Client Active Status',
 ui.InfoURL,
 ui.DatePosted
 from v_updateinfo ui
 join v_UpdateComplianceStatus ucs on ucs.ci_id=ui.ci_id
 join v_CICategories_All catall on catall.CI_ID=UCS.CI_ID
 join v_CategoryInfo catinfo on catall.CategoryInstance_UniqueID = catinfo.CategoryInstance_UniqueID and catinfo.CategoryTypeName='UpdateClassification'
 join v_R_System rsys on rsys.resourceid=ucs.resourceid
 join v_GS_OPERATING_SYSTEM os on os.ResourceID = ucs.ResourceID
 join v_CH_ClientSummary ch on ch.resourceID = ucs.ResourceID
 order by rsys.name0

This is what the output should look like.

MECM Baseline: Check for GRUB vulnerability Windows 10

We needed to check for the GRUB Secure Boot vulnerability (ADV200011) on our Windows 10 devices.

See advisory below:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011

We have a few thousand devices to check, so checking manually was going to be an issue; we decided to use an MECM baseline to run a script that checks for devices with the issue.

Microsoft gives the command below in the advisory to check if the issue exists:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Corporation UEFI CA 2011'

If this command returns True the device is vulnerable.

To use the command in a baseline we wrapped it in a PowerShell try/catch to get a compliance response, because on devices that don't support Secure Boot the command throws a terminating error and the script wouldn't return a result otherwise.

try {
    $GRUBCheck = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Corporation UEFI CA 2011'
    if ($GRUBCheck -eq $true) {
        $compliant = 'False'
    }
    else {
        $compliant = 'True'
    }
}
catch {
    # Get-SecureBootUEFI throws on devices without Secure Boot support; return a value
    # that fails the compliance rule so the device is still flagged for review
    $compliant = 'Unknown'
}

$compliant
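The advisory's one-liner does a substring match over the raw bytes of the db variable. As an added example (not code from the original post or the advisory), the version below decodes the db into its EFI_SIGNATURE_LIST entries and compares certificate subjects instead, so the result depends on which CAs are actually enrolled rather than on a string happening to appear somewhere in the data. The structure layout follows the UEFI specification; Get-SecureBootUEFI needs an elevated prompt on a UEFI system.

```powershell
# Added example, not from the original post. EFI_SIGNATURE_LIST layout per the UEFI spec.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootDbCertificate {
    param([ValidateSet('db', 'dbx', 'KEK', 'PK')][string]$Variable = 'db')

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    # Each EFI_SIGNATURE_LIST: 16-byte SignatureType GUID, UInt32 SignatureListSize,
    # UInt32 SignatureHeaderSize, UInt32 SignatureSize, then header, then signatures.
    while ($offset + 28 -le $bytes.Length) {
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $bytes.Length) { break }

        if ($sigType -eq $EfiCertX509Guid) {
            $pos = [int]($offset + 28 + $hdrSize)
            $end = [int]($offset + $listSize)
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the DER certificate
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Variable
                    Owner      = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
                $pos = [int]($pos + $sigSize)
            }
        }
        $offset = [int]($offset + $listSize)
    }
}

# Same True/False contract as the baseline script above. 'Unknown' means the db could not be
# read (legacy BIOS or no Secure Boot support); it fails the rule so the device still gets reviewed.
function Test-GrubAdvisoryCompliance {
    try {
        $subjects = Get-SecureBootDbCertificate -Variable db | Select-Object -ExpandProperty Subject
        if ($subjects -match '^CN=Microsoft Corporation UEFI CA 2011') { 'False' } else { 'True' }
    }
    catch { 'Unknown' }
}

Get-SecureBootDbCertificate | Format-Table Subject, NotAfter -AutoSize
Test-GrubAdvisoryCompliance
```

Listing the subjects is also a useful one-off on a reference machine: a typical OEM db carries the Microsoft Windows Production PCA 2011, the OEM's own CA and, on devices that boot third-party loaders, the Microsoft Corporation UEFI CA 2011 that the advisory is about.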


Once we had the script we needed to create the configuration item and baseline.

To create the configuration item, open the MECM console and go to Assets and Compliance > Overview > Compliance Settings > Configuration Items.

Click Create Configuration Item. Select Windows Desktops and Servers (custom), then select Windows 10 as the version of Windows that will be assessed. Add a new settings item and give it a name.

Set the setting type to Script and the data type to String, click Add script and paste in the script above. Next add a compliance rule.

Give the compliance rule a name, select the settings item created earlier, and set the value to True so that any device that doesn't have the vulnerability returns as compliant. Once all the settings and compliance rules are configured, follow the wizard to complete. Next we need to create the configuration baseline.

Go to Assets and Compliance > Overview > Compliance Settings > Configuration Baselines and give the baseline a name.

Click Add and select Configuration Items, then add the configuration item created earlier. Click OK to complete the baseline. Once the baseline is configured, deploy it to the required device collection. You can either wait for the next machine policy retrieval or run the action manually from the client. Once the client gets the updated policy, the baseline should show under Configurations in the Configuration Manager control panel applet.

Once evaluated we can check the deployment in MECM to find devices that are compliant or non-compliant.

Migrating User Data Using USMT: MECM OSD Deployment

We have been doing migrations from some old Windows 8.1 devices to Windows 10. We couldn't do an in-place upgrade, as the devices were going from 32-bit to 64-bit and needed the disk reformatted for UEFI.

We needed to migrate the users' data to limit the manual work on each device, so we decided to use the User State Migration Tool (USMT).

It's been a few years since I had to use USMT, so I thought it would be good to do a post on using it.

First I went through the Microsoft USMT documentation.

https://docs.microsoft.com/en-us/mem/configmgr/osd/deploy-use/refresh-an-existing-computer-with-a-new-version-of-windows

https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-technical-reference

https://docs.microsoft.com/en-us/windows/deployment/usmt/understanding-migration-xml-files

We are using MECM 2002 and have installed ADK 1903, which includes USMT version 10.

Since the disk is going to be wiped and reformatted we won't be able to save the state to a local partition, so we will need a state migration point to save the content to.

First step is to install and configure state migration point in MECM.

Open the MECM console and go to Administration > Site Configuration > Servers and Site System Roles, then select or add the server that will be used as the state migration point.

Set the maximum free space in MB, GB or percentage. We also need to set the boundary group that this state migration point will be associated with.


Once the role has been installed we can start to create the task sequence to wipe and reload the device.

We won’t go through creating the TS from scratch in this post.

The first step is to check the Capture User State task. By default USMT uses MigApp.xml and MigDocs.xml to set what will be copied.

To view the XML files go to the Windows ADK install location; the default location is:

C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64

We will be using the default XML, but you can create custom XML files to customize which files and settings are copied and restored.

To set custom XML files, select Customize how user profiles are captured and click the Files button to add the XML files.

Once the TS is set up we just need to deploy it to a collection so devices can be added and pick up the wipe-and-reload TS. Once deployed, either wait for the TS to be picked up or run the Machine Policy Retrieval & Evaluation Cycle and Application Deployment Evaluation Cycle client actions.

We can check the smsts.log file to view what is happening; we can see the files being downloaded for the USMT package. Once scanstate kicks off, the XML files that are used show in the log. We can also check the USMT folder on the state migration point to see if data is being copied.

Once the image is applied, we can check the Restore User State task in smsts.log. The command calls loadstate with the default or custom XML files.

When the TS has fully finished we can log on to Windows; we should see that the device is running Windows 10 and has the files and settings migrated.
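Reading smsts.log by eye works, but the CMTrace format puts each entry's message and its metadata in separate angle-bracket groups, which makes plain text searches awkward. As an added example (not code from the original post), the functions below parse CMTrace entries into objects and pull out the scanstate/loadstate activity that this post checks in the log. The sample entries embedded below are constructed for this example; the package ID, paths and times in them are invented.

```powershell
# Added example, not from the original post. Sample log lines are constructed.
function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    begin {
        # <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component="..." context="..." type="n" ...>
        $pattern  = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'
        $typeName = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    }
    process {
        if ($Line -match $pattern) {
            # the time field carries a UTC offset suffix such as "+000"; drop it before parsing
            $t = $Matches.time -replace '[+-]\d+$', ''
            [pscustomobject]@{
                Timestamp = [datetime]::ParseExact("$($Matches.date) $t", 'MM-dd-yyyy HH:mm:ss.fff', $null)
                Component = $Matches.comp
                Severity  = $typeName[$Matches.type]
                Message   = $Matches.msg
            }
        }
    }
}

function Get-UsmtActivity {
    param([Parameter(Mandatory)][object[]]$Entries)
    # scanstate/loadstate command lines (which show the /i: XML files used) and USMT exit codes
    $Entries | Where-Object { $_.Message -match 'scanstate|loadstate|USMT' } |
        Select-Object Timestamp, Severity, Message
}

# Constructed sample (shape of real CMTrace entries, content invented):
$sampleLog = @'
<![LOG[Downloaded content for package ABC00012]LOG]!><time="10:15:01.120+000" date="02-11-2021" component="TSManager" context="" type="1" thread="1180" file="tsmanager.cpp:1">
<![LOG[Command line: "scanstate.exe" C:\_SMSTaskSequence\UserState /o /l:C:\Windows\CCM\Logs\SMSTSLog\scanstate.log /v:5 /i:C:\_SMSTaskSequence\Packages\ABC00012\amd64\MigApp.xml /i:C:\_SMSTaskSequence\Packages\ABC00012\amd64\MigDocs.xml]LOG]!><time="10:15:05.002+000" date="02-11-2021" component="OSDMigrateUserState" context="" type="1" thread="1180" file="migrate.cpp:1">
<![LOG[USMT returned exit code 0]LOG]!><time="10:32:40.771+000" date="02-11-2021" component="OSDMigrateUserState" context="" type="1" thread="1180" file="migrate.cpp:1">
<![LOG[Failed to resolve selected task sequence dependencies. Code(0x80040104)]LOG]!><time="10:33:00.000+000" date="02-11-2021" component="TSManager" context="" type="3" thread="1180" file="tsmanager.cpp:1">
'@ -split "`r?`n"

$entries = $sampleLog | ConvertFrom-CMTraceLog
Get-UsmtActivity -Entries $entries | Format-Table -AutoSize -Wrap

# Against a real log, e.g. after a failed run:
# Get-Content C:\Windows\CCM\Logs\smsts.log | ConvertFrom-CMTraceLog | Where-Object Severity -eq 'Error'
```

With the sample, Get-UsmtActivity returns the scanstate command line (including both /i: XML files) and the exit code entry, and skips the unrelated TSManager lines; the same parser works for any CMTrace-format log such as LocationServices.log or CcmExec.log.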


MECM 2002 Cloud Management Gateway Configuration

I have been looking at setting up the MECM cloud management gateway (CMG) for a while but haven't been able to, due to the need for PKI or Azure AD joined devices.

The recent release of MECM 2002 added a new feature that allows token-based authentication. I decided to do a test deployment in my lab to see how this would work before deploying to our production environment.

With a CMG we can manage clients that don't regularly connect back to the corporate network, which has become more of a priority recently.

There is a cost for running the VMs in Azure used for the CMG and for outbound data transfer. Johan Arwidmark has done a good real-world cost estimate for a CMG:

https://deploymentresearch.com/real-world-costs-for-using-a-cloud-management-gateway-cmg-with-configmgr/

The first step should be to read the docs for planning a CMG:

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway

Token-based authentication requires MECM 2002, so that is a prerequisite for deploying a CMG this way:

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-token

There are also some permissions and network requirements for deploying the CMG:

  • An account that has the Global Administrator and Subscription Owner roles.
  • Content filter rules to allow outbound access (if there is a proxy or firewall filtering traffic).

A certificate also needs to be applied to the CMG; a third-party certificate is recommended, as it will be automatically trusted by clients.

From the documentation, below are the required URLs (https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/network/internet-endpoints#cmg-connection-point):

*.cloudapp.net

*.blob.core.windows.net

login.microsoftonline.com

Once all prerequisites have been confirmed we can start to configure the CMG. We need to pick a unique cloud service name, as this will be required later; the easiest way to check whether the name you have selected is unique is to log on to Azure and go to Cloud services (classic).


Once the cloud service name has been checked, we need to configure the Azure services.

Logon to the MECM console and go to Administration > Cloud services > Azure services.

Click Configure Azure Services.

Give the service a name and select Cloud Management.

We need to configure a server and a client application. Give the applications a name and sign in to Azure using an account with the required permissions. I just left user discovery enabled. Click Next to finish configuring the Azure services. Once finished, the Azure service should now be showing, and the Azure AD tenant should also show with both applications we just created.


Once this has all been configured we can now start to setup the CMG.

To start the configuration go to Administration > Cloud services > Cloud Management Gateway

Click Create Cloud Management Gateway.

Select AzurePublicCloud and sign in. (If the subscription ID doesn't show, the account you are using is probably not an owner of the subscription.)

Now we need to configure the cloud services, this is where we will use the name we checked earlier.

  • Select the certificate file; this needs to be a PFX with the private key (I am using one created on my internal CA, but in production I will be using a third-party CA like DigiCert or GoDaddy).
  • The deployment's service name is set automatically from the certificate name, which is why we should confirm the name beforehand and generate the cert with the same name.
  • Select the region the CMG will be deployed in.
  • Either select an existing resource group or create a new one (I chose a new one to keep the CMG separate from my other Azure resources).
  • Select the required number of VMs; this can go up to 16 (for high availability it is recommended to configure at least 2 VMs).
  • Tick the required security settings; I just ticked Enforce TLS 1.2.
  • I also ticked the option to use the CMG as a cloud distribution point.
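Most CMG wizard failures come down to the certificate or the network, so it is worth checking both before clicking through. As an added example (not code from the original post), the function below confirms the PFX carries a private key and a DNS name matching the planned service name, that its chain is trusted on this machine, whether the service name already resolves in cloudapp.net, and that the login endpoint is reachable on 443. The service name, PFX path and 'contoso' prefix are placeholders; the DNS probe is only a heuristic (a name that already resolves is taken, one that does not is probably free), so still confirm in the portal as described above.

```powershell
# Added example, not from the original post. Service name and PFX path are placeholders.
function Test-CmgPrerequisite {
    param(
        [Parameter(Mandatory)][string]$ServiceName,      # e.g. 'contosocmg' -> contosocmg.cloudapp.net
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword
    )

    $fqdn = "$ServiceName.cloudapp.net"
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)

    # DnsNameList is the SAN list (PowerShell extends X509Certificate2 with it); fall back to the CN
    $names = @($cert.DnsNameList.Unicode)
    if (-not $names) {
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    }
    # -like lets a wildcard SAN (*.cloudapp.net) match as well as an exact name
    $nameOk = [bool]($names | Where-Object { $fqdn -like $_ })

    [pscustomobject]@{ Check = 'PFX contains the private key';       Result = $cert.HasPrivateKey; Detail = $cert.Subject }
    [pscustomobject]@{ Check = "Certificate name covers $fqdn";      Result = $nameOk;             Detail = ($names -join ', ') }
    [pscustomobject]@{ Check = 'Chain trusted on this machine';      Result = $cert.Verify();      Detail = "Expires $($cert.NotAfter.ToString('yyyy-MM-dd'))" }
    [pscustomobject]@{ Check = 'Service name not yet in DNS (free)'; Detail = $fqdn
                       Result = -not (Resolve-DnsName -Name $fqdn -DnsOnly -ErrorAction SilentlyContinue) }

    # Endpoint reachability from this host; wildcard entries such as *.blob.core.windows.net
    # cannot be probed generically, so only the fixed endpoint is tested here.
    foreach ($target in @('login.microsoftonline.com')) {
        $tcp = Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP 443 to $target"; Result = $tcp.TcpTestSucceeded; Detail = "$($tcp.RemoteAddress)" }
    }
}

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Test-CmgPrerequisite -ServiceName 'contosocmg' -PfxPath 'C:\certs\contosocmg.pfx' -PfxPassword $pfxPassword |
    Format-Table Check, Result, Detail -AutoSize
```

The chain check is the one to pay attention to with an internal CA certificate: it will pass on a domain-joined lab machine that trusts the CA and fail on an internet-only client, which is exactly the case the third-party certificate recommendation above is about.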

I left the alerting as default and followed the wizard to complete.

Once completed, the CMG should show as Provisioning started.


We can also log on to Azure to verify the cloud service has been created.

After the CMG has been configured we then need to install the cloud management gateway connection point role to connect MECM to the CMG.

Go to Administration > Site Configuration > Servers and Site System Roles and add the Cloud management gateway connection point role to the primary site server.


After the role has been configured we need to change a few settings on the site, the management point and the software update point (if installed and configured).

Open the management point properties and tick Allow Configuration Manager cloud management gateway traffic. (If the tick box is greyed out there is an additional step required.)

Go to Administration > Site Configuration > Sites, open the primary site properties and, under Communication Security, select Use Configuration Manager-generated certificates for HTTP site systems. Once this is done go back to the management point and the tick box should now be available.


To allow the software update point to communicate with the CMG, tick Allow Configuration Manager cloud management gateway traffic on it as well. After this has been configured the clients should pick up the CMG as an internet-based management point in the Network tab of the Configuration Manager client properties.

Once the client moves off the internal network and does a location lookup, we should see the connection type change from intranet to internet.

We can also check LocationServices.log to see if the CMG is being picked up.

MECM check for all updates that are required but not deployed SQL Query

Recently we had an issue where some software updates were missed during the regular patching cycle, so I wanted an automated report listing all updates that are required on one or more systems but not deployed.

First I checked the Microsoft SQL views for software updates:

https://docs.microsoft.com/en-us/configmgr/develop/core/understand/sqlviews/software-updates-views-configuration-manager

The three views I used were:

v_UpdateComplianceStatus: used to get the status code for each update per device. A status of 2 means the update is required.

v_UpdateInfo: used to get information on each update.

https://docs.microsoft.com/en-us/configmgr/develop/core/understand/sqlviews/software-updates-views-configuration-manager#v_updateinfo

v_Update_ComplianceSummary: used to get the compliance summary for each update, to see how many devices are missing it.

https://docs.microsoft.com/en-us/configmgr/develop/core/understand/sqlviews/software-updates-views-configuration-manager#v_update_compliancesummary

select distinct
UI.DatePosted as 'Release Date',
UI.ArticleID as 'ArticleID',
UI.Title,
Update_Required=(case when UCS.Status=2 then 'Yes' end),
CS.NumMissing,
Updates_Deployed=(case when UI.IsDeployed=0 then 'NotDeployed' end),
UI.InfoURL as InformationURL

from v_UpdateComplianceStatus UCS
join v_UpdateInfo UI on UI.CI_ID=UCS.CI_ID
join v_Update_ComplianceSummary CS on CS.CI_ID=UCS.CI_ID
WHERE UCS.Status=2 and UI.IsDeployed=0
order by NumMissing desc
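Both of this blog's update queries (the per-device install status query in the earlier post and the required-but-not-deployed query above) are also handy to run from PowerShell when you want a CSV rather than an SSRS report. As an added example (not code from the original post), the function below runs a query against the site database using System.Data.SqlClient, which ships with Windows PowerShell, with integrated authentication and any filter values passed as SQL parameters rather than pasted into the query text. The server, database name, threshold and output path are placeholders.

```powershell
# Added example, not from the original post. CMSQL01 / CM_PS1 are placeholders.
function Invoke-CMSqlQuery {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,   # e.g. 'CMSQL01' or 'CMSQL01\INST01'
        [Parameter(Mandatory)][string]$Database,         # e.g. 'CM_PS1'
        [Parameter(Mandatory)][string]$Query,
        [hashtable]$Parameters = @{}
    )
    # Integrated Security keeps credentials out of the script; the account needs at least
    # db_datareader on the site database (membership of smsschm_users also works).
    # Encrypt=True fails if the SQL instance presents an untrusted certificate; trust the
    # certificate rather than turning encryption off.
    $builder = [System.Data.SqlClient.SqlConnectionStringBuilder]::new()
    $builder['Data Source']         = $ServerInstance
    $builder['Initial Catalog']     = $Database
    $builder['Integrated Security'] = $true
    $builder['Encrypt']             = $true

    $conn = [System.Data.SqlClient.SqlConnection]::new($builder.ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText    = $Query
        $cmd.CommandTimeout = 300
        foreach ($name in $Parameters.Keys) {
            # parameterised, so the value is never spliced into the SQL text
            $cmd.Parameters.AddWithValue("@$name", $Parameters[$name]) | Out-Null
        }
        $table = [System.Data.DataTable]::new()
        [System.Data.SqlClient.SqlDataAdapter]::new($cmd).Fill($table) | Out-Null
        $table.Rows
    }
    finally {
        $conn.Dispose()
    }
}

# The required-but-not-deployed query, with a parameter so the report can be restricted
# to updates missing on at least @MinMissing devices.
$requiredNotDeployed = @'
SELECT DISTINCT
    UI.DatePosted AS ReleaseDate,
    UI.ArticleID,
    UI.Title,
    CS.NumMissing,
    UI.InfoURL
FROM v_UpdateComplianceStatus UCS
JOIN v_UpdateInfo UI ON UI.CI_ID = UCS.CI_ID
JOIN v_Update_ComplianceSummary CS ON CS.CI_ID = UCS.CI_ID
WHERE UCS.Status = 2
  AND UI.IsDeployed = 0
  AND CS.NumMissing >= @MinMissing
ORDER BY CS.NumMissing DESC
'@

$rows = @(Invoke-CMSqlQuery -ServerInstance 'CMSQL01' -Database 'CM_PS1' `
            -Query $requiredNotDeployed -Parameters @{ MinMissing = 5 })
$rows | Select-Object ReleaseDate, ArticleID, Title, NumMissing, InfoURL |
    Export-Csv -Path "$env:TEMP\RequiredNotDeployed.csv" -NoTypeInformation
"$($rows.Count) updates required on 5 or more devices but not deployed"
```

To run the per-device install status query from the earlier post instead, pass its text as -Query with no -Parameters; the DataRow objects it returns carry each column as a property, so Select-Object and Export-Csv work on them directly.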

Below is what the query returns in SQL Server Management Studio. To confirm the query is working we can create a search filter for all software updates in the console and make sure the results match. The last step was to create a weekly email report using SQL Server Reporting Services (SSRS).

To create a new report (the MECM reporting point role needs to be installed for this) go to Monitoring > Reporting > Reports. I created a custom Reports folder to keep any reports I create.

Right-click on Reports and click Create Report.

Give the report a name and the folder path where the report will be stored, then follow the wizard to finish the report creation. Once the wizard completes, Report Builder should load. First create a new dataset: right-click on Datasets > Add Dataset.

Give the dataset a name, select Use a dataset embedded in my report, select the MECM data source and set the query type to Text. Last, paste the query into the query field. Click OK and the dataset should show under Datasets.

Next we create a table for the report view. Select the dataset we created. I wanted to use all values, so drag all rows to the Values box. Go through the rest of the wizard; once completed you should see something similar to the screenshot. I added a text box at the top for a title and some grey fill on the table. Now save the report and run it from the MECM console to see what it looks like. The last step is to create a subscription to send the weekly report: select Report delivered by E-Mail and put in the required details and the report format to be included (email settings need to be configured in SSRS before email can be selected as a delivery option). Set the required schedule and complete the wizard. The report should now be sent out weekly as a CSV file.


MBAM Policy Error code: -2147217402 on Windows 10 1903

Recently I was installing the MBAM 2.5 SP1 client on Windows 10 1903 during a ConfigMgr task sequence. Once the device was built and the user tried to set a PIN and start encryption, it would fail.

The error below was showing in the MBAM event log. We currently install MBAM successfully on Windows 10 1809, so it didn't look like an MBAM server or connection issue. I checked and there was a newer servicing release from May 2019:

https://support.microsoft.com/en-us/help/4505175/may-2019-servicing-release-for-microsoft-desktop-optimization-pack

This update adds support for Windows 10 1903. I applied it and can now encrypt successfully. Hopefully this helps if anyone else runs into the same error.

Surface Pro 6 1TB Disk 0 not found SCCM OSD

We recently started to build the new Surface Pro 6 1TB using SCCM. When imaging, the task sequence kept failing at the Format and Partition Disk step. When I checked smsts.log I could see the errors below:

Invalid disk number specified: 0

OSDDiskPart.exe failed: 0x80070490


From the error, the problem was that there was no disk 0 available; I usually only see this when there are driver issues with the storage controller.

To check what disks are available, open a command prompt in the task sequence with F8 (as long as command support is enabled on the boot image) and run diskpart; once diskpart has opened, use the list disk command to view the available disks.

On the Surface Pro there was no disk 0 or 1; instead the 1TB disk showed as disk 2, which is why the format was failing, as by default the disk to be formatted and partitioned is disk 0.

I had a look online and the reason is that the 1TB disk in the Surface Pro 6 is actually 2 x 512GB SSDs combined into a single 1TB volume using Storage Spaces. See the support KB below:

https://support.microsoft.com/en-us/help/4046108/disk0-not-found-when-you-deploy-windows-on-surface

This is why the disk shows as disk 2 while the default disk number in the format step is 0.


The support KB says to change the format task to use disk 2, but this would require a second task sequence, which is not ideal as it means more management overhead.

To work around this I created an additional Format and Partition Disk step in my existing task sequence and used WMI queries as step conditions, so the specific format step only applies to the Surface Pro 6 1TB.

WMI query on the default format step, so it only runs on devices that have a disk 0:

Disk index: SELECT * FROM Win32_DiskDrive WHERE Index = "0"

WMI queries on the Surface Pro 6 1TB format step:

Disk index: SELECT * FROM Win32_DiskDrive WHERE Index = "2"

Select Surface Pro 6 devices: SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Surface Pro 6%"

Once the queries are set on the Format and Partition Disk step in the task sequence, set the disk number to 2. Now I can image the Surface Pro 6 1TB model successfully.
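The two-step approach above works, but every model whose first disk is not 0 needs another conditioned step. As an added example (not code from the original post), the script below generalises it: run as a Run PowerShell Script step before the Format and Partition Disk step, it picks the first fixed, non-USB disk at run time and writes its index to the built-in OSDDiskIndex task sequence variable, which the format step honours. It uses Win32_DiskDrive, which is available in WinPE without the Storage module; the Microsoft.SMS.TSEnvironment COM object only exists inside a running task sequence, so outside one the script just reports what it would set.

```powershell
# Added example, not from the original post. Intended for a Run PowerShell Script step in WinPE.
function Get-OsTargetDiskIndex {
    # Exclude the USB boot media and anything reporting no size (empty card readers),
    # then take the lowest remaining index. On a Surface Pro 6 1TB the Storage Spaces
    # volume is the only disk left and carries index 2; on most hardware this is disk 0.
    $candidates = Get-WmiObject Win32_DiskDrive |
        Where-Object { $_.InterfaceType -ne 'USB' -and $_.Size -gt 0 } |
        Sort-Object Index

    if (-not $candidates) {
        throw 'No fixed disk found: check the storage controller driver in the boot image.'
    }
    $disk = $candidates | Select-Object -First 1
    [pscustomobject]@{
        Index     = [int]$disk.Index
        Model     = $disk.Model
        SizeGB    = [math]::Round($disk.Size / 1GB)
        Interface = $disk.InterfaceType
    }
}

$target = Get-OsTargetDiskIndex
"Selected disk $($target.Index): $($target.Model) ($($target.SizeGB) GB, $($target.Interface))"

try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    # TS variables are strings; the Format and Partition Disk step reads OSDDiskIndex
    $tsenv.Value('OSDDiskIndex') = [string]$target.Index
    "OSDDiskIndex set to $($target.Index)"
}
catch {
    # Not inside a task sequence (e.g. testing from full Windows): report only
    "Not in a task sequence; OSDDiskIndex would be set to $($target.Index)"
}
```

Keep the WMI condition on the format step if you also want it to skip devices where no disk at all is found; the throw above will fail the script step first, which is the safer failure mode than formatting the wrong disk.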

Create Windows 10 Answer file

In a previous post we went through creating and deploying language packs; there was an additional step to create a Windows 10 answer file, so I thought it might be helpful to do a post on creating a basic answer file using Windows System Image Manager (SIM).

The first step is to install the Windows Assessment and Deployment Kit (ADK). To download the latest ADK use the link below:

https://go.microsoft.com/fwlink/?linkid=2086042

Select Deployment Tools. Once the install has finished, go to the Start menu, down to Windows Kits, and open Windows System Image Manager.


The first step is to select a Windows image file; to get the image file, extract the required Windows ISO to a folder. Go to sources > install.wim in the extracted ISO and select the edition. Next create a new answer file and go to the Windows Image pane.


Select Components; below are the different component types and where they are used:

amd64 = 64-bit components, only used on x64 installs

wow64 = 32-bit components, or support components for 32-bit applications installed on x64, only used on x64 installs

x86 = 32-bit components installed on x86, only used on x86 installs

I used "amd64_Microsoft-Windows-Shell-Setup_10.0.17763.1_neutral" > "OOBE" and clicked Add Setting to Pass 7 oobeSystem.

Edit "amd64_Microsoft-Windows-Shell-Setup__neutral" to add in Registered Owner and any other details as required. Next edit the required OOBE settings. Once all the settings have been added, save the answer file. The last step is to create a package for the answer file and apply it in the SCCM task sequence.

Below is the content of the XML file:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <HideLocalAccountScreen>true</HideLocalAccountScreen>
        <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
        <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
        <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
        <ProtectYourPC>3</ProtectYourPC>
        <SkipMachineOOBE>true</SkipMachineOOBE>
        <SkipUserOOBE>true</SkipUserOOBE>
      </OOBE>
      <RegisteredOwner>TheSleepyAdmin</RegisteredOwner>
    </component>
  </settings>
  <cpi:offlineImage cpi:source="" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
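An answer file ends up in a package that every client in the deployment can read, so before packaging one it is worth listing what it sets and flagging anything that leaks credentials. As an added example (not code from the original post), the function below walks the settings passes and components of an unattend file and reports any password element, noting whether it is stored as plaintext or only base64-encoded (the unattend "encoding" is reversible, not encryption), and any enabled AutoLogon block. The sample file embedded below is constructed for this example and deliberately contains one of each; the answer file above contains neither.

```powershell
# Added example, not from the original post. The sample unattend file is constructed.
function Test-UnattendFile {
    param([Parameter(Mandatory)][xml]$Unattend)

    $ns = [System.Xml.XmlNamespaceManager]::new($Unattend.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    foreach ($setting in $Unattend.SelectNodes('/u:unattend/u:settings', $ns)) {
        foreach ($component in $setting.SelectNodes('u:component', $ns)) {
            $findings = @()

            # Any *Password element with a Value child carries a credential. PlainText=true
            # stores it as typed; anything else is base64 of the password + "Password".
            foreach ($pw in $component.SelectNodes(".//*[contains(local-name(),'Password') and u:Value]", $ns)) {
                $plain = $pw.SelectSingleNode('u:PlainText', $ns)
                $mode  = if ($plain -and $plain.InnerText -eq 'true') { 'plaintext' } else { 'base64 (reversible)' }
                $findings += "$($pw.LocalName) stored as $mode"
            }
            if ($component.SelectSingleNode('u:AutoLogon[u:Enabled="true"]', $ns)) {
                $findings += 'AutoLogon enabled'
            }

            $summary = if ($findings) { $findings -join '; ' } else { 'none' }
            [pscustomobject]@{
                Pass         = $setting.GetAttribute('pass')
                Component    = $component.GetAttribute('name')
                Architecture = $component.GetAttribute('processorArchitecture')
                Settings     = ($component.ChildNodes | ForEach-Object { $_.LocalName }) -join ', '
                Findings     = $summary
            }
        }
    }
}

# Constructed sample with credentials in it (values invented):
[xml]$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <ProtectYourPC>3</ProtectYourPC>
      </OOBE>
      <UserAccounts>
        <AdministratorPassword>
          <Value>UABhAHMAcwB3ADAAcgBkAFAAYQBzAHMAdwBvAHIAZAA=</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
        <Password>
          <Value>Passw0rd</Value>
          <PlainText>true</PlainText>
        </Password>
      </AutoLogon>
      <RegisteredOwner>Example</RegisteredOwner>
    </component>
  </settings>
</unattend>
'@

Test-UnattendFile -Unattend $sample | Format-Table -AutoSize -Wrap

# For a real file: Test-UnattendFile -Unattend ([xml](Get-Content -LiteralPath 'C:\Deploy\unattend.xml' -Raw))
```

Run against the answer file from this post the Findings column reads "none"; run against the sample it reports the base64 administrator password, the plaintext AutoLogon password and the enabled AutoLogon, which is what you want to catch before the file goes into a package.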