Lock screen image not showing – Windows 10 1703

Recently I was trying to apply a lock screen image with a GPO. I distributed the image to the C:/Windows/Web/Wallpaper directory and configured the Windows 10 GPO to that location. After running the Windows 10 Task Sequence successfully, the default lock screen image came up. I was using a large image from the client so that it still looks good on bigger screens. I’ve found out that after resizing the image back to 1080P, the image was applied successfully after locking the machine. Looks like a strange bug if you would ask me.


SCCM – IIS Error code 403 13 2148081683


If you see the following error in your IIS Logs (C:\inetpub\logs\LogFiles\W3SVC1), it’s possible that the CRL of your Certificate Authority isn’t reachable or valid anymore:

<IP Address> GET /SMS_MP/.sms_aut MPLIST 443 – <IP Address> SMS_MP_CONTROL_MANAGER – 403 13 2148081683 5701 18


Export a certificate from your personal certificate store, for example, an SCCM Client Certificate to your C: drive. Open a command prompt with elevated rights and type:

certutil -url “C:\Certificate.cer”

Check if the CRL can be verified. Open the CRL manually and check that the BASE and DELTA CRL’s aren’t expired. In this case, the AD CS service wasn’t started and the Delta CRL’s were not up-to-date. The service may have been crashed because the startup type was set to “Automatic”.

Enable Hyper-V during Task Sequence in SCCM 2012 R2

Because I wanted to configure Device Guard with Windows 10, I need the Hyper-V Hypervisor to be enabled on Windows 10. I tried to do this with DISM and an answer file, but it’s not possible to enable Hyper-V during the Task Sequence Deployment because Hyper-V requires a couple of reboots.


Create a new “Set Task Sequence Variable” task in your Task Sequence. This will run the PowerShell command after the Task Sequence ends. I’ve set this task before enabling the Driver Package, but it should be possible to place this task anywhere you like.

Task Sequence Variable: SMSTSPostAction

Value: powershell -ExecutionPolicy ByPass -Command “Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor -all -NoRestart;Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Tools-All,Microsoft-Hyper-V-Services -NoRestart”

This will do the following:

  1. Enable all the Hyper-V Features after the deployment
  2. Remove the Hyper-V Tools and Services (Management Tools) afterwards. I found out that this is the best way to only add the Hyper-V Hypervisor.

You still need to reboot the system a few times to enable this feature. Because I enabled the BitLocker PIN, I can’t reboot the machine because it will ask for a PIN a few times.



SCCM – PXE stopped working after configuring Update Server in VMM

Recently I connected System Center – Virtual Machine Manager with WSUS. The WSUS server is installed on the primary site server of my SCCM 2012 R2 SP1 CU2 installation. After I configured my SCCM WSUS server as an update server for VMM, the distribution point in the office stopped working. You will see HTTP ERROR “12030” in your logs and the PXE request on a client will fail. Browsing to the website of the SCCM Primary Site server will fail too.

I found out that the certificate of IIS on my primary site was gone. There was no certificate selected for the Default Website. After adding the certificate again and restarting IIS, PXE started to work again.

SCCM – SMSPXE.log shows Untrusted certificate

Recently I found the following error in the SMSPXE.log log file on my newly created distribution point:

CryptVerifySignature failed, 80090006 SMSPXE <REMOVED TIME> 2500 (0x09C4)
untrusted certificate: <REMOVED CERTIFICATE> SMSPXE <REMOVED TIME> 2500 (0x09C4)
Failed to get information for MP: https://SCCMPRIMARY.DOMAIN.TLD. 80090006. SMSPXE <REMOVED TIME> 2500 (0x09C4)

After recreating my certificate template for the IIS Service on the primary site server, it fixed the problem. Check the online documentation of SCCM for the details of this certificate template.


SerializedMCSKey and SignedSerializedMCSKey registry keys are empty – SCCM


Sometimes it’s possible that the registry keys SerializedMCSKey and SignedSerializedMCSKey in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\MCS location are empty after a fresh installation or after reinstalling multicast.


Patience… It took like 5 or 6 hours to get those values populated by SCCM / WDS. I’ve searched for a way to force this, but I couldn’t find anything online. I’ve tried to reboot both machines, without any luck. If you know a way to force this, please let me know.