Office 365 Updates via SCCM showing as "Not Required" and then error 0x80040154

I was at a client site today and they had two issues with Office 365 Updates being pushed via SCCM.

The first issue was that the update was not showing as "Required" and then the second issue was that the update would not install but show an error code of 0x80040154.

Issue 1:

When reviewing SCCM there were no devices that required the update.

You can see there should be at least 137 devices that required the update.

This meant that the Click-to-Run configuration was incorrect. When reviewing the Windows Update Logs using the Powershell command Get-WindowsUpdateLog I noticed that the Office Channel was "Deferred".

I doubled checked the update channel of Office by navigating to the following registry key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration.

Checking the CNDBaseUrl key will show you the Content Delivery Network URL. 

To confrim the channel is correct compare with the links below:

·       Monthly Channel
CDNBaseUrl = http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60

·       Semi-Annual Channel
CDNBaseUrl = http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114

·       Monthly Channel (Targeted)
CDNBaseUrl = http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be

·       Semi-Annual Channel (Targeted)
CDNBaseUrl = http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf

I was able to confirm that the Semi-Annual Channel (Targeted) was selected. When checking deeper I found that the OfficeChannel which was showing in the Windows Update logs was from the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate\"

The update branch is using the old naming standard by Microsoft This is still part of the Group Policy ADMX's which Microsoft releases with Office 2016. You can see the below link:

https://getadmx.com/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_UpdateBranch

Resolution:

Force a channel change to ensure all the correct registry keys are set for the Click-to-Run agent. This will allow SCCM to correctly identify the right update channel. Below is the PowerShell command I use to refresh the update channel to Semi-Annual Channel (Targeted).

Issue 2: 

After the update was being detected it was attempting to install but it will always fail with 0x80040154. This error means that the class is not registered.

Resolution:

I did some research and found that the  Office 365 Click-to- run provides a Com interface for the Update Mangement. More information in below link.

https://msdn.microsoft.com/en-us/library/office/mt608768.aspx

This allows me to stumble on the following Reddit article which provided a script to re-register the  OfficeC2RCom.

https://www.reddit.com/r/SCCM/comments/7jsyby/office_365_updates_failing_0x87d0024a/

Overal Solution: 

Now putting both solutions together I created the below script.

	<#
	.SYNOPSIS
	To fix a number of Office 365 Update issues.
	.DESCRIPTION
	First the script will add OfficeC2RCom as COM+ application and then refresh the update channel for Office 365.
	.EXAMPLES
	C:\PS> Office365UpdateScript.ps1 -Channel "Monthly"
	.NOTES
	Channel CDNBase URL:
	• Monthly Channel
	http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
	• Semi-Annual Channel
	http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114
	• Monthly Channel (Targeted)
	http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
	• Semi-Annual Channel (Targeted)
	http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf
	.LINK
	https://msdn.microsoft.com/en-us/library/office/mt608768.aspx
	https://www.reddit.com/r/SCCM/comments/7jsyby/office_365_updates_failing_0x87d0024a/
	https://getadmx.com/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_UpdateBranch
	#>
	param(
	[Parameter()]
	[ValidateSet("MonthlyTargeted","Monthly","SemiAnnualTargeted","SemiAnnual")]
	[string]$Channel
	)
	Function ChannelChange ($Channel) {
	If ($channel -eq "MonthlyTargeted"){
	$CDNBaseUrl = "64256afe-f5d9-4f86-8936-8840a6a4f5be"
	$UpdateBranch = "FirstReleaseCurrent "
	}elseif($channel -eq "Monthly"){
	$CDNBaseUrl = "492350f6-3a01-4f97-b9c0-c7c6ddf67d60"
	$UpdateBranch = "Current"
	}elseif($channel -eq "SemiAnnualTargeted"){
	$CDNBaseUrl = "b8f9b850-328d-4355-9145-c59439a0c4cf"
	$UpdateBranch = "FirstReleaseDeferred"
	}elseif($channel -eq "SemiAnnual"){
	$CDNBaseUrl = "7ffbc6bf-bc32-4f92-8982-f9dd17fd3114"
	$UpdateBranch = " Deferred"
	}
	new-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" -Name CDNBaseUrl -Value "http://officecdn.microsoft.com/pr/$CNDBaseUrl" -PropertyType String -Force
	new-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate\" -Name "updatebranch" -Value $UpdateBranch -force
	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" -Name "UpdateUrl" -Force
	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" -Name "UpdateUrl" -Force
	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" -Name "UpdateToVersion" -Force
	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Updates" -Name "UpdateToVersion" -Force
	Start-Process -FilePath "$env:CommonProgramFiles\microsoft shared\ClickToRun\OfficeC2RClient.exe" -ArgumentList "/update user" -wait
	}
	function OfficeC2Rcom {
	#Remove the COM+ Application which was hosting the UpdateNotify.Object
	Write-Host "Remove the OfficeC2RCom COM+ App if exists"
	$comCatalog = New-Object -ComObject COMAdmin.COMAdminCatalog
	$appColl = $comCatalog.GetCollection("Applications")
	$appColl.Populate()
	foreach($app in $appColl)
	{
	if ($app.Name -eq "OfficeC2RCom")
	{
	$appColl.Remove($index)
	$appColl.SaveChanges()
	}
	$index++
	}
	# Create a COM+ application to host UpdateNotify.Object
	$comAdmin = New-Object -comobject COMAdmin.COMAdminCatalog
	$apps = $comAdmin.GetCollection("Applications")
	$apps.Populate();
	$newComPackageName = "OfficeC2RCom"
	$app = $apps | Where-Object {$_.Name -eq $newComPackageName}
	if ($app)
	{
	# OfficeC2RCom app already exists. Output some info about it
	Write-Host ""
	$appname = $app.Value("Name")
	"This COM+ Application already exists : $appname"
	Write-Host ""
	"ID: " + $app.Value("ID")
	"Identity: " + $app.Value("Identity")
	"ApplicationDirectory: " + $app.Value("ApplicationDirectory")
	"ConcurrentApps:" + $app.Value("ConcurrentApps")
	"RecycleCallLimit:" + $app.Value("RecycleCallLimit")
	"Activation:" + $app.Value("Activation")
	"ApplicationAccessChecksEnabled:" + $app.Value("ApplicationAccessChecksEnabled")
	Write-Host ""
	}
	Else
	{
	# OfficeC2RCom app doesn't exist, creat it
	# Add the App
	Write-Host "Adding OfficeC2RCom COM+ Application..."
	Try
	{
	$app = $apps.Add()
	$app.Value("Name") = $newComPackageName
	$app.Value("Identity") = "NT AUTHORITY\LocalService"
	$app.Value("ApplicationAccessChecksEnabled") = 1
	$app.Value("ID") = "{F6B836D9-AF6A-4D05-9A19-E906A0F34770}"
	$saveChangesResult = $apps.SaveChanges()
	"Results of the Apps SaveChanges operation : $saveChangesResult"
	$appid = $app.Value("ID")
	# Adding roles
	Write-Host "Adding Administrator role to $newComPackageName"
	$roles = $apps.GetCollection("Roles", $app.Key)
	$roles.Populate()
	$role = $roles.Add()
	$role.Value("Name") = "Administrator"
	$saveChangesResult = $roles.SaveChanges()
	"Results of the Roles SaveChanges operation : $saveChangesResult"
	# Get the localized string of the Builtin\Administrators
	$id = [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid
	$Account = New-Object System.Security.Principal.SecurityIdentifier($id, $null)
	$localizedAdministrators = $Account.Translate([System.Security.Principal.NTAccount]).Value
	"Results of the localized administrators string : $localizedAdministrators"
	# Adding BUILTIN\Administrators to the Administrator Role
	$users = $roles.GetCollection("UsersInRole", $role.Key)
	$users.Populate()
	$user = $users.Add()
	$user.Value("User") = $localizedAdministrators
	$saveChangesResult = $users.SaveChanges()
	"Results of the Users SaveChanges operation : $saveChangesResult"
	}
	catch
	{
	Write-Host "Failed to add OfficeC2RCom as COM+ application." -ForegroundColor White -BackgroundColor Red
	exit
	}
	Write-Host "Successfully added COM+ application: $newComPackageName, id: $appid" -ForegroundColor Blue -BackgroundColor Green
	}
	# Adding the UpdateNotify.Object as the component of OfficeC2RCom
	$comps = $apps.GetCollection("Components", $app.Key)
	$comps.Populate()
	$newCompName = "UpdateNotify.Object.1"
	$comp = $comps | Where-Object {$_.Name -eq "UpdateNotify.Object.1"}
	if ($comp)
	{
	"The $newCompName already exists!"
	}
	Else
	{
	Try
	{
	$comAdmin.ImportComponent($newComPackageName, $NewCompName)
	}
	catch
	{
	Write-Host "Failed to add $newCompName to $newComPackageName" -ForegroundColor White -BackgroundColor Red
	exit
	}
	Write-Host "Successfully added $newCompName to $newComPackageName" -ForegroundColor Blue -BackgroundColor Green
	}
	}
	#Main Script
	OfficeC2Rcom
	ChannelChange $Channel

view raw Office365UpdateScript.ps1 hosted with ❤ by GitHub

Hope this helps someone...

Installing Applications Dynamically in the SCCM Task Sequence

I had a client that required to install Tier 3 applications dynamically during the build process. The idea behind it was to ensure that all the applications which the user requirements were installed. So that when the laptop was delivered there was no waiting for the application to download and install. Of course, each user has different requirements so the solution needed to be dynamic. There are some requirements for this soultion to work.

• Applications will need to be deployed to a user collections. All the collections will need to be under one unique container name.
• The user is required to be assigned to the device (Device Affinity) during the build process.
• Applications have to be allowed to install via Task Sequence.

User Collections

To enable the script to determine what applications have been assign to the user. A query of the user collections is required to gather information on the user's membership of the collection. To ensure that only certain applications are installed a unique container name with all the user collections under it will need to created. For example, a container called "Tier 3 Applications " has been created which is unique to any other container. All the collections are contained within this folder so that only these collections will be queried.

Primary User Assignment

During the build process, the device will need to be assigned to the user. This can be done if you are importing the computer to SCCM before building the laptop using. Import the computer information.

Once the device has been imported into you can assign the primary user. If you are deploying using unknown computers then you will need to assign the device to the user during the build process (i.e using an HTA file for user input). I will follow up this blog with how to create an HTA file.

Allow Application to install in TS

To be able to install applications dynamically the “Allow this application to be installed from the Install Application task sequence action without being deployed” needs to be selected.

If the applications are not enabled to install during the task sequence it will fail with the below error in the C:\Windows\Logs\smsts.log.

"App Policy for Application not received. Make sure the application is marked for dynamic app install. Policy download failed, hr=0x80004005"

Install Applications Dynamically Script

The following PowerShell script will find the primary user via WMI in SCCM. It will then look to see if they are a member of the user collections. Review the applications deployed to it and then create a .csv file to create the Task Sequence Variable. The reason a .csv file is created is due to the script requiring to run under an account with administrative rights to the SCCM server to run WMI.

To use the script you will need the following details:

• Site Code
• Site Server Name
• Unique Container Name

Here is an example of what it will look like to pass these variables to the script:

 InstallApplicationsDynamically.ps1 -SiteCode "AU1" -ContainerName "Tier 3 Applications" -SiteServer "SiteServerName.astzum.local"

Here is the "InstallApplicationsDynamically.ps1" script:

	<#
	.SYNOPSIS
	To install applications dynamically in SCCM during the build process.
	.DESCRIPTION
	The following is required for the script to work:
	- The device will need to have a primary user assigned to it.
	- A unique container name with the user collections which have applications deployed to it.
	- Application enabled to install during Task Sequence.
	The script will n d collecting the information a .csv file is created with an Application ID and the application name.
	.EXAMPLE
	You will require the Site Server, Sitecode and the unique container name were all the user collections have applications deployed to.
	InstallApplicationsDynamically.ps1 - SiteCode "AU1" -ContainerName "Tier 3 Applications" -SiteServer "SiteServerName.astzum.local"
	#>
	########## Param ####################
	Param(
	[Parameter(Mandatory=$true)]
	[String] $SiteCode,
	[Parameter(Mandatory=$true)]
	[String] $ContainerName,
	[Parameter(Mandatory=$true)]
	[String] $SiteServer
	)
	################# Functions #################
	Function LogWrite
	{
	Param ([string]$logstring)
	Add-content "C:\Windows\Temp\Tier3ApplicationScript.log" -value $logstring
	}
	################# Setting Variables #################
	$Count = 1
	$csvfile= @()
	$CsvFileCheck = $false
	$ResourceName = $env:COMPUTERNAME
	################# Script #################
	#Find the Primary User of the Device
	$RelationShipArray = Get-WmiObject -ComputerName $SiteServer -Class SMS_UserMachineRelationship -Namespace root\SMS\Site_$SiteCode -Filter "ResourceName='$ResourceName'"
	foreach ($user in $RelationShipArray){
	If ($user.Isactive -eq $true){
	$PrimaryUser = $user.UniqueUserName
	}
	}
	If ($PrimaryUser -eq $null){
	LogWrite "Unable to get the PrimaryUser for the device. Exiting Script."
	Exit 0
	}else{
	LogWrite "PrimaryUser is $PrimaryUser"
	}
	#Change the backslash to double backslash for the query to work
	$PrimaryUser = $PrimaryUser.Replace('\','\\')
	#Find the Resource ID of Primary User
	$PrimaryUSerID = (Get-WmiObject -ComputerName $SiteServer -Namespace root\SMS\Site_$SiteCode -Class SMS_R_USER -Filter "UniqueUserName='$PrimaryUser'").ResourceID
	LogWrite "PrimaryUserID is $PrimaryUserID"
	#Find USer Collection Continer ID
	$ContainerNodeId = (Get-WmiObject -ComputerName $SiteServer -Class SMS_ObjectContainerNode -Namespace root/SMS/site_$SiteCode -Filter "Name='$ContainerName' and ObjectTypeName='SMS_Collection_User'").ContainerNodeId
	#Query what collection ID's are under the contianer name
	$ArrayCollectionId = (Get-WmiObject -ComputerName $SiteServer -Class SMS_ObjectContainerItem -Namespace root/SMS/site_$SiteCode -Filter "ContainerNodeID='$ContainerNodeId'").InstanceKey
	#Check every collection under the Tier 3 application container to see if the user is a member of it
	Foreach ($collectionid in $ArrayCollectionId){
	#There is a class for every collection. Querying each class is the quickest method.
	$class = "SMS_CM_RES_COLL_$collectionid"
	#Serach the collection
	$Collection = (Get-WmiObject -ComputerName $SiteServer -Class $class -Namespace root\SMS\Site_$SiteCode -filter "ResourceID=$PrimaryUSerID").ResourceID
	#The search results are successful check to see what applications are being deployed to that collection.
	If ($Collection -ne $null){
	LogWrite "User is a member of the collection:$CollectionId"
	$Applications = (Get-WmiObject -ComputerName $SiteServer -Class SMS_ApplicationAssignment -Namespace root/SMS/site_$SiteCode -Filter "TargetCollectionID='$CollectionId' and OfferTypeID='0'").ApplicationName
	If ($Applications -ne $Null){
	foreach ($ApplicationName in $Applications) {
	LogWrite "The collection $collectionId has the Application $ApplicationName deployed to it. "
	#Create a Application Variable for every application needing to be installed.
	$Id = "{0:00}" -f $Count
	$AppId = "AppID$Id"
	$Count = $Count + 1
	LogWrite "AppID is $AppID"
	#Setting Task Sequence Variable
	$CsvFileCheck = $true
	$row = New-Object System.Object
	$row | Add-Member -MemberType NoteProperty -Name "AppId" -Value $AppID
	$row | Add-Member -MemberType NoteProperty -Name "Name" -Value $ApplicationName
	$csvfile += $row
	}
	}else{
	LogWrite "No Application found for collection $Collection"
	}
	}
	If ($CsvFileCheck -eq $true){$csvfile | Export-CSV -Path "C:\Windows\Temp\Tier3ApplicationScript.csv" -NoTypeInformation}
	}

view raw InstallApplicationsDynamically.ps1 hosted with ❤ by GitHub

Setting Task Sequence Variables Script

The script "SettingTaskSequenceVariables.ps1" will set the  Task Sequence variables of applications that have been discovered for the user. This is done by importing the .csv file "C:\Windows\Temp\Tier3ApplicationScript.csv".

Here is the "SettingTaskSequenceVariables.ps1" script

	<#
	.SYNOPSIS
	Creating Task Sequence Variables from the discovered applications in
	InstallApplicationsDynamically.ps1.
	.DESCRIPTION
	Obtaining the Tier3ApplicationScript.csv and creating Task Sequence Variables
	#>
	################# Set Variables #################
	$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
	################# Main Script #################
	#Import applications
	$array = import-csv "C:\Windows\Temp\Tier3ApplicationScript.csv"
	#Create the task sequence variables for each applications
	foreach ($app in $array){
	$AppId = $app.AppID
	$ApplicationName = $App.Name
	$tsenv.Value("$AppId") = $ApplicationName
	}

view raw SettingTaskSequenceVariables.ps1 hosted with ❤ by GitHub

Create a package for the scripts

You will need to create a package which will have both the scripts in it. We can then call this package when executing the scripts during the build.

No need for a program to be created.

Task Sequence

Okay, the last step is to add the steps to the build. There is going to be three steps in total.

• InstallApplicationsDynamically.ps1(Run Command Line)
• SettingTaskSequenceVariables.ps1 (Run Powershell Script)
• Install the applcations (Install Applications)

Frist create the step to discover the applications for the primary user. Ensure the account used to run the step has rights to run WMI on the SCCM Site Server. 

Next, run the script to create the Task Sequence Variables.

The last step is to install applications by using the AppID task sequence variable set.

Troubleshooting

A log file called “Tier3ApplicationScript.log” is created under C:\Windows\Temp.

The log file shows if there is a primary user attached to the device and also the primaryuserID. If there is no primary user or primaryuserID then no applications will install. The log also shows what applications will be installed.

If the applications didn’t install, then check the C:\Windows\Logs\smsts.log file to see if there are any errors. First, check to see if the task sequence variables have been created,

Check in the C:\Windows\Logs\smsts.log to see if the application installs. If the log file says that SCCM is unable to install the application due to permission issues. Check to ensure the application is enabled to be deployed using a task sequence

Intel's Meltdown and Spectre vulnerabilities

If you have not been living under a rock, you might have heard about Intel’s vulnerabilities called “Meltdown” and “Spectre”. In some cases, you may have to treat each vulnerability differently.  There is a lot of information out there, so I thought I would collect some information to help people understand it.

If interested who discovered the bug, the bug was found by Security researchers at Cyberus Technology, Google, and the Graz University of Technology

Please see the below link from Googles security research team Project Zero.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1272

To go into details of Meltdown and Spectre is, please see the below link from the Graz University of Technology.

https://meltdownattack.com/

Microsoft has released a patch to resolve certain aspects of the vulnerabilities. The patch was released in January 2018.  First released was the operating system's patch but now you can also download the Internet Explorer, Edge and SQL patches.  Details of the patches and vulnerabilities can be found here:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002

At the time of writing there is currently no patch for Windows Server 2008 and also Windows Server 2012.

Meltdown

For the vulnerability Meltdown, Microsoft had a lot of issues initially with the patch as they found a lot of the Anti-Virus programs making incorrect calls to the Kernel Memory. The initial testing found a lot of devices blue screening.

You can find information below:

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

As stated in the article you will need to check to see if you have the latest Anti-Virus software and that it is compatible with the patch. Otherwise, you will not get the update. Within WSUS or SCCM, it will say that the update is not required. You will also never get future updates as well! If you are using Microsoft products you are in luck as all their products are compatible.

“Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are compatible with the January 2018 security updates and have set the required registry key.”

For any third-party software you will need to check if the following key is set on a machine

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”
Data="0x00000000”

If not ensure you have the latest Anti-Virus software. In some case, you could set the registry key, for example, Trend believes there are no issues and have to advise to set the key manually to get the update.

https://success.trendmicro.com/solution/1119183

For Symantec, they have a bug which will create a new GUI every few seconds which will take a large percentage of your CPU usage and cause it to freeze. It happened to me it is not fun. There should be a patch by the 17^th of January.

https://support.symantec.com/en_US/article.TECH248552.html

To find out if your anti-virus program is compatible and has set the registry please see Kevin Beaumont spreadsheet. Thanks Kev.

https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

Spectre

Now to protect your servers from Spectre you will need to do the following:

• Apply the Windows operating system update.
• Make necessary configuration changes to enable protection.
• Apply an applicable firmware update from the OEM device manufacturer

Update

The updates that are required are:

Operating system version	Update KB
Windows Server, version 1709 (Server Core Installation)	4056892
Windows Server 2016	4056890
Windows Server 2012 R2	4056898
Windows Server 2012	Not available
Windows Server 2008 R2	4056897
Windows Server 2008	Not available

To enable protection you will need to run the following commands:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

Firmware

To update your firmware please see the following manufactures websites:

• Intel - https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
• AMD - http://www.amd.com/en/corporate/speculative-execution

All the information from Microsoft can be found here:

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

Now there has been a lot of talk of performance derogation. This seems to be true just a quick search you can find some examples. Microsoft has acknowledged it:

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

Intel has completed some testing and shared their results:

https://newsroom.intel.com/editorials/intel-security-issue-update-initial-performance-data-results-client-systems/

Okay, this was a just quick post to help people in the right direction. Hopefully, this helps a few people understand what to do. 

SCCM Capture Media "Machine Check Exception"

Today I was trying to capture a Server 2012 R2 image using a SCCM capture disc. The current environment is using SCCM CB 1702 which has Windows 10 ADK installed. I was using the WinPE version 10.0.15063.0.  I was getting the error of "Machine Check Exception" after the device was sysprep.

I made the simple mistake of believing that the latest version would be backward compatible and able to use for Server 2012 R2. This is not the case and for Server 2012 R2 I would need version 6.3.9300.  I downloaded the Windows 8.1 ADK and copied the boot image into SCCM.  This resolved the issue.