Windows 10 upgrade breaks at 76% and present the logon screen while upgrade is still in progress in the background!

This problem is interesting as it is not easily discoverable if you do not stare at the screen during the entire upgrade process, and hey, who does that? However, this is a very interesting finding when it comes to Windows as a Service that I am certain will affect many more enterprise customers (see cause section below).


Initiate an upgrade of Windows 10 to another version of Windows 10 using an inplace-upgrade task sequence via System Center Configuration Manager. The upgrade runs smooth until it reaches 75% (of the Upgrade step) where setup reboots the machine and then continue the last step of the upgrade, which is the migration phase. However, at 76% the user is presented with the login screen and the user thinks “well, the upgrade is done, let’s login!” after which the user login only to see a reboot a few minutes later, and also a rollback to the previous version of Windows.

The upgrade process is still running although the logon screen is presented, and when the user login, the migration engine of Windows setup shows a bunch of MIG errors due to files becoming locked. At the same time a rollback to the previous version of Windows 10 is initiated. The rollback by the way works very well! 


The cause of this issue is the software Net iD, which is a very common smart card application/credential provider for governments and others, providing smart card logon capabilities for all types of smart cards. When that piece of software is installed it somehow (still not determined exactly what is going on) interfere with the upgrade and the consequence is that the login screen is displayed although the upgrade continue in the background.


Uninstall the Net iD client before doing inplace-upgrade to another Windows 10 version, and then install it as one of the last steps during the upgrade.

Version mismatch in custom iOS app causes reporting back to be unsuccessful in ConfigMgr and Intune

I’ve encountered quite an interesting issue when deploying a custom iOS (IPA) app using System Center Configuration Manager and Intune. The problem is that the deployment status for the app never reports as “Success” and is hung at “In progress”. As it turns out there is a mismatch in the version info that exist within the IPA file and the plist file that is included when deploying the IPA.

The CFBundleVersion listed within the IPA in the file info.plist


must match the bundle-version found in the plist file that is used when creating the app deployment in Configuration Manager.


If these values do not match the status will never be reported as successful in the ConfigMgr console. After the September 2014 maintenance window for Intune I also suspect that this version mismatch is causing the app to be re-deployed over and over again, however this has yet to be confirmed.

Note: You can easily check the content of info.plist within the IPA by renaming the IPA to ZIP and extract its contents. Use a plist viewer of your choice (there are several free for trial) to check the CFBundleVersion.

MBAM 2.5: The SQL Reporting Services URL that point to the MBAM reports is not valid

When adding the Monitoring and Administration Feature of MBAM 2.5 and checking the System Center Configuration Manager Integraton features in the setup wizard you typically enter the URL to the Reporting Server, for instance http://configmgrsrv/ReportServer. If you get the error

The SQL Reporting Services URL that point to the MBAM reports is not valid

it actually means that you before installing the Monitoring and Administration features must install the MBAM Reports feature. That is even though you are integrating MBAM into System Center Configuration Manager. Why is that? Because when integrating MBAM with ConfigMgr, the only reports that are managed in ConfigMgr are the compliance reports.

Intune/ConfigMgr email profiles are removed and not readded on iOS devices

If you are using System Center Configuration Manager 2012 R2 and Windows Intune to deploy email profiles to your iOS devices you should be aware of the fact that the email policy will vanish from your users’ iOS devices and then user then need to log in to the company portal for the email profile to get deployed once again to the iOS device. This is true in the following scenarios:

  • You make a change to the email policy, for instance changing the name of the email policy in the ConfigMgr console.
  • You install Cumulative Update 2 for System Center Configuration Manager 2012 R2.

No status on a fix for this bug at the moment.

80070002 and 80072ee2 error when deploying Windows using ConfigMgr 2012 R2

Encountered an interesting issue doing Windows 8.1 Deployment using ConfigMgr 2012 R2. A specific model was constantly failing at the very last step in the task sequence. The smsts.log revealed a few errors with the codes 80070002 and 80072ee2, failing at random files every time from the MDT Toolkit Package.

A few examples:

DownloadFiles() failed. 80072ee2.
DownloadContentAndVerifyHash() failed. 80070002.

It seems Microsoft is aware of the issue and the current workaround is to set the following variables first in the task sequence to address the problem until it hopefully will be fixed in a coming hotfix.

SMSTSDownloadRetryCount = 5
SMSTSDownloadRetryDelay = 15

After settings these variables the deployment finish as expected.

UserLicenseTypeInvalid when enrolling an iOS device in Intune/ConfigMgr

When setting up and connecting Windows Intune to System Center Configuration Manager 2012 R2 and you are trying to enroll a mobile device (iOS device), you may receive the error “UserLicenseTypeInvalid”.

Checking the cloudusersync.log on the ConfigMgr server listed the following two lines which seemed to be relevant:

ERROR: SetLicensedUsers exception System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'msub05.manage.microsoft.com'

Solution: Simply restart the SMS_EXECUTIVE service and everything is back on track and you can enroll the user on the mobile device. I have seen this a few times now and thought I’d share some information on it, not sure why it fails quite often though.

UPDATE: I have also seen this (without the error message above) when the user has not been added yet to the User Collection and synced to Intune. Solution is to make sure that the user is added to the Intune user Collection and make sure via cloudusersync.log that the user is added correctly to the Intune service.

Deployment Roadshow vNext and Windows 8 loadfest

Two events are coming up; Deployment Roadshow vNext featuring System Center Configuration Manager 2012 and Microsoft Deployment Toolkit 2012 and a Windows 8 loadfest.

Deployment Roadshow vNext will take place in Sweden’s four largest cities and it will be presented by myself and colleague Johan Arwidmark from Knowledge Factory, Wally Mead the SCCM guru from Microsoft Corp and Mikael Nyström from Truesec. More info about the event at http://www.deploymentevents.se.

The Windows 8 loadfest will take place in early December in Stockholm and it hosted by me, Johan Arwidmark, Lars Gustavsson and Tim Nilamaa. More info about the event at http://www.deploywindows8.se.