MDT WSUS Windows 10 Updates Failing 0x8024401C

Had an issue with MDT failing to install Windows 10 via WSUS. I kept getting the 0x8024401C error.

I upgraded my WSUS on the Windows Server 2012R2 to version 4.0. Then upgraded the host to Windows Server 2016. Still receiving the same error.

After some more googling and trial and error I made the following changes to the IIS server for the WSUS  Application Pool:

  • Queue Length: From 10000 to 25000
  • Limit Interval (minutes): From 5 to 15
  • “Service Unavailable” Response: From HttpLevel to TcpLevel
  • Private Memory Limit (KB): From 18342456 to 0

Build is now receiving updates from the WSUS server.

Add Updates to Windows 10 Images

Due to the issues with the Windows 10 1607 build and WSUS updates, I have added the April 2017 Cumulative update into my Windows 10 image (install.wim).

Here are the steps that I completed:

  1. md C:\mount\Windows
    Dism /Mount-Image /ImageFile:"C:\Servicing\Images\install.wim" /Index:1 /MountDir:C:\Servicing\mount\Windows
    Dism /Add-Package /Servicing/Image:C:\Servicing\mount\Windows /PackagePath:C:\Servicing\MSU\windows10.0-kb4016635-x64_2b1b48aa6ec51c019187f15059b768b1638a21ab.msu /LogPath C:\Servicing\AddPackage.log
    Dism /Unmount-Image /MountDir:C:\Servicing\mount\Windows /Commit

Once completed the Windows 10 WIM image will have the latest cumulative update installed.

How to change the location where WSUS stores updates locally

You might run into this some time so good to know.

How to change the location where WSUS stores updates on your server.

  1. At the command prompt, navigate to the directory that contains WSUSutil.exe. (Default is: C:\Program Files\Update Services\Tools)
  2. Type the following: wsusutil.exe movecontent D:\WSUS\ D:\WSUSMove.log

In this example, D:\WSUS is the new path for local WSUS update storage and D:\WSUSMove.log is the path to the log file.

The destination folder where update files are moved to must be on an NTFS partition. The content move tool will not try to copy update files if they already exist in the destination folder. WSUSutil.exe sets the same permissions on the destination folder that were set on the original folder.

Additional Parameter
  Indicates that only the server configuration should be changed, and that the content files should not be copied.

MBSA Offline Scanning Command Line

I needed to scan a new Windows 7 reference build to check which security updates are required to bring the machine up-to-date. WSUS gave me this data but not in a nice spreadsheet.

Installed MBSA (Microsoft Baseline Security Analyzer) and downloaded the file.

Copy the CAB file to the MBSA cache folder: C:\Users\%username%\AppData\Local\Microsoft\MBSA\Cache

After some mucking and reading the FAQ,  I got the correct syntax:

mbsacli /target xx.xx.xx.xx /u xxxxxx /p xxxxxx /offline /catalog D:\

System Center Configuration Manager 2007: Troubleshooting Workshop

Just completed a 3 day troubleshoot course for System Center Configuration Manager 2007. The course was aimed at administrators who are responsible for maintaining ConfigMgr systems and clients. Some of the detail was beyond what I needed. I really enjoyed the Management Point troubleshooting, operating system deployment and Software updates sessions.

The course was run by Albert Sauz. He is a super guy with a great detail of experience in SCCM and Exchange.

Course Description:

This instructor-led course provides students with the knowledge and skills to troubleshoot common System Center Configuration Manager 2007 (ConfigMgr) issues. Students will learn how to properly configure ConfigMgr components and how to use various tools and log files used in ConfigMgr troubleshooting.

Topics include:

  • Troubleshooting Resources for Configuration Manager 2007
  • Management Point Troubleshooting
  • Client Health
  • Software Metering, Software and Hardware Inventory
  • Software Distribution
  • Software updates
  • Operating system deployment
  • Site to site replication
  • Desired Configuration Management

Desktop Deployment Planning Sessions

Just completed a five day Microsoft Desktop Deployment Planning Sessions with Lutz Seidemann. We covered everything to do with Windows deployment: WAIK, DISM, PEIMG, INTCFG, USMT, APP-V, DART, AGMP, MDT 2010, ZTI, LTI, WSUS, SCCM 2007, FEP 2010, MED-V, WDS, SCM, USV, OMPM, OCCI, OEAT, RDS, KMS, MAK, VAMT, ACT & SU.

Lutz was absolutely brilliant at presenting this course, he has the knowledge and experience to back up the theory.

The slides from the course are available @ Prepare for & Learn about DDPS Engagements

IIS Settings for WSUS SP2

Here is some information on installing WSUS SP2 on a Windows Server 2008 R2 machine.

Make sure you install the following Role Services in IIS from the Server Manager:

  • Common HTTP Features (including Static Content)
  • ASP.NET, ISAPI Extensions, and ISAPI Features (under Application Development)
  • Windows Authentication (under Security)
  • IIS Metabase Compatibility (under Management Tools, expand IIS 6 Management Compatibility)

For more info check out the Microsoft Windows Server Update Services 3.0 SP2 Deployment Guide.