Eventviewer, eventvwr.exe commandline filter XML query buildingm (Call and pre filter view with one line)

by butsch 28. July 2023 21:46


Event logs provide valuable insights into system operations, allowing IT professionals to monitor and troubleshoot potential issues. When dealing with Windows event logs, PowerShell is a powerful tool that enables event filtering, but it may not be everyone's preferred choice due to complexity and perceived security concerns. In this blog post, we will explore an alternative method - using the command-line filter of Event Viewer - to easily access Critical, Error, and Warning events from the Application log.

In this command, we construct an XML query that filters events based on severity levels:

Level=1 corresponds to Critical,

Level=2 corresponds to Error, and

Level=3 corresponds to Warning.

The command will open the Event Viewer and present the filtered results, saving valuable time for IT operations and support personnel.

eventvwr.exe /f:"<QueryList><Query Id='0' Path='Application'><Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select></Query></QueryList>\"


Advantages of the Command-Line Filter:

Familiarity: Many seasoned IT professionals prefer using a simple command-line approach they are familiar with, making it easier to find and work with event logs efficiently.

Accessibility: The command-line filter is available on all modern Windows operating systems, eliminating compatibility concerns.

Trustworthy: Since the command-line tool is a built-in Windows feature, there are no worries about third-party dependencies or security issues.


PowerShell Approach:

Before diving into the command-line filter, let's quickly review the PowerShell method. By leveraging the Get-EventLog cmdlet, one can filter events based on severity levels and display them in PowerShell console. The script would look like this:

Get-EventLog -LogName "Application" -EntryType Error, Warning, Information | Where-Object { $_.EntryType -eq "Error" -or $_.EntryType -eq "Warning" -or $_.EntryType -eq "Information" }

But we want it commandline style because most people with long term expierence are used to that tool/console to find and work.

eventvwr.exe /h

What? ;-)


Ok let's try:

Go to XML tab

Cut and paste into notepad


<Query Id="0" Path="Application">

<Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>





If you see this than all fine:


If you see this than you did not read 100% and checked all " > ' and the \ at the end or you try to

call together with /c:application (Channel) and Query (/f:)


Wrong sample:


Some Microsoft Links (One sample is wrong there and I did not understand what he tells at once and the eventvwr.exe /h is really nerdy? ;-)









Client Management | Deployment | Scripting

August 08/2022 Patch KB5012170 Update for Secure Boot DBX problem 0x800f0922

by butsch 15. August 2022 16:11

August 08/2022 Patch KB5012170 Update for Secure Boot DBX problem 0x800f0922

Problem: You can't install August 2022 Update KB5012170 on some systems under certain condition where Secure Boot is enbled and not latest BIOS/UEFI Firmware . You will receive an Error 0x800f0922

Error: Package KB5015730 failed to be changed to the Installed state. Status: 0x800f0922.

The patch does a revert



System which is not affected


The updates fixes some secure boot problems as example:

CVE-2022-34301 | Eurosoft Boot Loader Bypass

CVE-2022-34302 | New Horizon Data Systems Inc Boot Loader Bypass

CVE-2022-34303 | Crypto Pro Boot Loader Bypass


Microsoft main link:

KB5012170: Security update for Secure Boot DBX: August 9, 2022 (microsoft.com)


What does the KB describe:

Describes the problem that certain firmware/Bios and GPO Settings should not patch KB5012170. The KB is very hard to dunerstand. We try to help a little. Please keep in mind that you can't update firmware without checking compatiblity on Laptops for docking station and maybe other things. In enterprise you can't can't just update laptop firmware over night and hope all is fine like microsoft thinks they can do with their M365/Azure solution and Autopolit clients. ;-)


Keypoint / problem:

If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install.


So what does that mean if you don't have a post doc in IT?

Check if yout are affected with and have PCR7 active

You can find out the status of your UEFI / PCR7 / Bitlocker Setup with MSINFO32.exe (Elevated) or/and by running a DOS or PS command.


Some sample dumps and how to find out:


Affected product which has PCR7 mode shown:

Dell computer Precision 5530, Windows 10 21H2

msinfo32.exe commandline


Sicherer Startzustand    Ein    

PCR7-Konfiguration    Gebunden

DOS: manage-bde -protectors -get c:



Automate checking client for PCR7:


You may use a) Your software Deployment b) PSEXEC from systernals c) Do not use GPO to deploy software if you are not 100% fireproof with scripting

With psexec:

PsExec - Windows Sysinternals | Microsoft Docs


psexec -s \\computer001 c:\windows\system32\manage-bde.exe -protectors -get c:

PsExec v2.4 - Execute processes remotely

Copyright (C) 2001-2022 Mark Russinovich

Sysinternals - www.sysinternals.com



BitLocker-Laufwerkverschlüsselung: Konfigurationstool, Version 10.0.19041

Copyright (C) 2013 Microsoft Corporation. Alle Rechte vorbehalten.


Volume "C:" [Windows]

Alle Schlüsselschutzvorrichtungen


Numerisches Kennwort:

ID: {6E770EF9-56D2-430D-81SAFE82-0E9A555D3D8A9}





ID: {9BE23A51-4A8B-4649-98SAFEDE-FAD6FB7165B9}


7, 11

(Verwendet den sicheren Start für die Integritätsüberprüfung)


c:\windows\system32\manage-bde.exe exited on pen10nb014 with error code 0.


Auotmate the msinfo32.exe with psexec

psexec -s \\computer001 C:\windows\system32\msinfo32.exe /nfo c:\edv\00_report\computer.txt /report c:\edv\00_report\computer_re.txt

Description of Microsoft System Information (Msinfo32.exe) Tool


Systeminformationsbericht erstellt am: 08/15/22 13:51:16

Systemname: SBBCARW10EL0145



Element    Wert    

Betriebsystemname    Microsoft Windows 10 Enterprise    

Version    10.0.19042 Build 19042    

Weitere Betriebsystembeschreibung     Nicht verfügbar    

Betriebsystemhersteller    Microsoft Corporation    

Systemname    PEN10NB014    

Systemhersteller    Dell Inc.    

Systemmodell    Precision 5530    

Systemtyp    x64-basierter PC    

System-SKU    087D    

Prozessor    Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz, 2904 MHz, 6 Kern(e), 12 logische(r) Prozessor(en)    

BIOS-Version/-Datum    Dell Inc. 1.12.0, 27.06.2019    

SMBIOS-Version    3.1    

Version des eingebetteten Controllers    255.255    

BIOS-Modus    UEFI    

BaseBoard-Hersteller    Dell Inc.    

BaseBoard-Produkt    0FP2W2    

BaseBoard-Version    A00    

Plattformrolle    Mobil    

Sicherer Startzustand    Ein    

PCR7-Konfiguration    Gebunden    


Other samples not affected:

An HP Elitedesk 800 G3 (Older) with a NON UEFI BIOS

Binding not possible becauee older machine and NOT UEFI BIOS (Legacy used) because of better Deployment OS reasons.

DOS: manage-bde -protectors -get c:







Some newer Home system from HP Elitedesk with UEFI no Bitlocker GO or Bitlocker active (Out of the box enduser system)


manage-bde -protectors -get c:

Below you see under PCR7 that you did NOT run msinfo32 under "Administrative/Elevated" it says "Elevation required to view".

Here is msinfo32.exe with run as admin, PCR7 would be possible but is not activated


You can see in this specfic machine where PCR7 "Binding Possible" is shown there is not Bitlocker. That's why withou the Fimrware Update which was offered by HP this was the patch has installed.




  1. Check that you have the latest Bios/Firmware
  2. Check if you have PCR7 enabled like mentioned above

If not possible > as example because your docking station is not comaptible with latest firmware

To workaround this issue, do one of the following before you deploy this update

On a device that does not have Credential Gard enabled, run following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:


Manage-bde –Protectors –Disable C: -RebootCount 1


Then, deploy the update and restart the device to resume the BitLocker protection.


On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:


Manage-bde –Protectors –Disable C: -RebootCount 3    


Then, deploy the update and restart the device to resume the BitLocker protection.


Some further links and infos regarding the path:

ADV200011 - Security Update Guide - Microsoft - Microsoft Guidance for Addressing Security Feature Bypass in GRUB

Troubleshoot the TPM (Windows) - Windows security | Microsoft Docs

R730xd, BitLocker, Secure Boot, PCR7 issue - Dell Community


Windows Server shows PCR7 configuration as "Binding not possible" - Windows Server | Microsoft Docs

In this scenario, when you run msinfo32 to check the PCR7 Configuration, it's displayed as Binding not possible.

Windows Server shows PCR7 configuration as "Binding not possible"

Article, 02/24/2022


This article introduces the Binding not possible issue in msinfo32 and the cause of the issue. This applies to both Windows clients and Windows Server.


PCR7 Configuration in msinfo32

Consider the following scenario:


Windows Server is installed on a secure boot-enabled platform.

You enable Trusted Platform Module (TPM) 2.0 in Unified Extensible Firmware Interface (UEFI).

You turn on BitLocker.

You install chipset drivers and update the latest Microsoft Monthly Rollup.

You also run tpm.msc to make sure that the TPM status is fine. The status displays The TPM is ready for use.


In this scenario, when you run msinfo32 to check the PCR7 Configuration, it's displayed as Binding not possible.




Client Management | Deployment | Hotfixes / Updates | Microsoft SCCM/MEM/MDT | WSUS

Enteo V6.X Master Referenz Paket (Screensaver/Locked/User Fragen), Version 1.1 vom 10.10.2010

by butsch 18. March 2022 00:02

Enteo V6.X Master Referenz Paket (Screensaver/Locked/User Fragen), Version 1.1 vom 10.10.2010

Alle Binaries sowie ein Export des Projektes von Enteo V6.2 sind unter dieser URL zu finden:





Was macht das Paket?

Dieses universelle Referenz Paket soll zeigen wie man in einer reellen Deployment Umgebung auf das Environment und die User eingehen kann.

Bei vielen Software Deployment fehlen diese Optionen obwohl Sie an sich Grundbausteine einer Software Verteilung sind. Dieses Beispiel soll einen

Anstoss in die richtige Richtung und als Ersatz für eine ein fehlendes Beispiel von Enteo dienen. Zielpublikum:

Desktop Engineer mit mehreren Jahren Deployment Erfahrung und Basis Kenntnissen in Enteo. Enteo Quer‐Einsteiger z.B. von SMS, SCCM,

Altiris oder z.B. Highsystem. Nicht geeignet für Supporter, welchen man aus Unwissenheit die Software Verteilung mal Testweise übergibt.

Finger weg und zurück an den IT‐Chef geben und bitten, dass er das Kapitel ITIL‐Risk Management und Recovery besser durchliest;‐)

Pflichtenheft an das Master Paket: Das Paket soll folgendes erfüllen….

    Abfragen ob der Screensaver aktiv ist > Denn dann wollen wir nicht installieren

    Ermitteln ob der Client gelockt ist > Denn dann wollen wir nicht installieren

    Es soll Abfragen ob ein User gerade arbeitet und angemeldet ist (Ev. Geht es nur dann?)

    Soll wissen wie es Enteo seitig kommt (Serviceinstaller oder Autoinstaller)

    Soll den User Fragen ob Sie das Update wollen oder man möchte diese nur laufen lassen, wenn jemand angemeldet ist (z.B. Green‐IT‐Oeko Shop ohne WOL und mit Stromleisten!)





Service‐ oder Autoinstaller?

Spielt doch keine Rolle?


Kommt das Paket via Enteo Serviceinstaller dann können keine Meldungen an den User gemacht werden. Der

Autoinstaller ist nichts anderes als NIAGNT32.EXE.

Der Enteo Autoinstaller. Nur dieser zeigt mögliche POPUPS durch msgboxt.exe. Kommt etwas mit dem Serviceinstaller im Hintergrund und eben als Service ist nicht zu sehen.


 Das Master Paket wird anhand eines Beispiels erklärt. In diesem Falls das Deployment von Adobe Flash vom September 2010.

Das Paket macht eine Migration des Flash Players auf die aktuelle Version. Desktop Deployment und IT ist Migration und Wandel.

Frisch installieren kann jeder und ist einfach! Darum wird in einer Präsentation nie eine Migration von Flash Player sonder immer nur eine frische Installation gezeigt.

Im Package Folder haben wir folgende Binary Files. Alle kann man bei uns downloaden.

PSKILL.EXE, Systernals Process Kill von Microsoft um WinWord, IE zu killen.

MSGBOXT.EXE, Gibt eine Meldung inkl. Menu für den User aus. Suchen Sie nach "Frank Scholer" im Enteo Forum um dies zu finden.

Locked.exe, Ist ein AutoIT Script das kontrolliert ob der PC/Client gesperrt ist. Quelle Google. Gibt 0/1 zurück. Es gibt auch c++ oder Skript Varianten.


Directory EXTERN$ im Enteo Project Folder

Das sind die Files des Master Paketes


Was macht Ihr mit der ID‐Nummer?


Diese wird im Script verwendet:


In den Logfiles oder zum feststellen ob eine Software vorhanden ist arbeiten wir mit einer ID. Wir verlassen uns nicht auf Enteo Mechanismen sonder machen einfach ein Directory (Flag) und prüfen dies dann später. Besteht das Directory ist die Software installiert.



Dies wird z.B. hier verwendet:


Einzelne Teile des Enteo Skriptes erklärt:


Hier kontrolliere ich mit "locked.exe" ob der Client gelockt/gesperrt ist. Da wir z.B. für eine Flash/Adobe Reader Upgrade offene Apps (Internet Explorer)

zumachen müssen soll dies NICHT passieren wenn der User Weg von seinem PC ist (CTRL‐ALT‐DEL gemacht).

Mit dem Enteo Befehl ExitPROCEX; "UNDONE" verlassen wir das Script. Das "UNDONE" sieht man dann z.B. bei den Policies in der Enteo Konsole.

Der Vorgang wiederholt sich einfach beim nächsten Enteo Intervall oder Start der Maschine spätestens wieder.

Hier wird dem Enteo Admin gezeigt was mit dem Paket passierte oder wie der User reagierte (Ja/Nein/Timeout). Dies entspricht dem Text den ich dem Enteo Befehl

ExitPROXEC übergebe.








Client Management | Deployment | Ivanti Frontrange Enteo | Scripting | W10 | WMI

WSUS, W10/11 how to Install a KB patchfrom WSUScontent with DISM

by butsch 16. November 2021 14:11

WSUS, W10/11 how to install a WSUS Update (KB patch) Manual with DISM from WSUScontent source Directory

This blog entry is about two things.

  1. How to install a Windows Update from WSUS Source content folder manual by hand with DISM
  2. Mcafee ENS 10.X, IPS Exploit Rule 6133 may block tiworker.exe with some updates (Mitre T1562)

Here is how to get the info which file is for what KB from WSUS-Server:

Search the file in your WSUSCONTENT folder

UN-7ZIP the cab file

For most Monthly patch day packages you also often need SSU (Servicing Stack Update). In most patches this is included. So you have several CAB files as seen above. Install the SSU first.

Servicing Stack Updates (SSU): Frequently Asked Questions (microsoft.com)

Install 1 the SSU.

dism /Online /Add-Package /PackagePath:"c:\drivers\SSU-19041.1220-x64.cab.cab"

Install 2 patch itself:

dism /Online /Add-Package /PackagePath:"c:\drivers\Windows10.0-KB5005565-x64.cab"

Keep an EYE on complex Antivirus with IPS Modules that do more than pattern scanning.

We have seen some Exploit IPS rules from Mcafee ENS 10.X which are ON by default but should be on to protect from Ransomware. It is good to keep an eye on those rules. Please carefully read the FULL alert in your ENS. Most of the times it says "WOULD BLOCK" if the EPO Admin did activate some rules in monitor mode (To Test new rules).

Exploit Rule 6133, change EPO side in ENS Policy





Deployment | WSUS | Hotfixes / Updates

W10 Update Deployment Silent, certain not used old DLL in OEM Install paths BLOCKS update c:\drivers or c:\SWSETUP

by butsch 29. December 2020 19:50


Microsoft W10 Update to 1909 failed because the pre Check found the certain DLL somewhere under the c:\drivers or C:\SWSETUP olders. (APP/Software or driver was not installed, Update block by JUST finding the Certain DLL somewhere on certain paths used by certain Producer/OEM.

Often used paths for drivers and where W10 Update tried to find add. Info about a system and what was installed (Beside Software, Registry and Windows-Installer Cache/DB).

  • HP > C:\SWSETUP\
  • DELL > c:\DRIVERS\
  • Our deployment solution > c:\DRIVERS\

We just had a case where we update W10 1709 to 1909 through a Deployment solution. Updates of HP Laptop failed.

If we installed the Update manual we did see that the "Infineon TPM Professional Package" was blocking. But the software was not installed.


Reason for W10 Update failing:

At that customer we use c:\drivers\ for our deployment structure on HP (Like Dell does > By the way don't use c:\drivers for your own packages/batch on DELL systems it will break some DELL batches).

Under that structure we have a library of certain most used HP Service Packs. There was one which included an Infineon TPM driver. Just by searching through those files

Microsoft thinks the drivers IS installed a Blocks the update. The driver was not installed on the system.


Just delete those Directory and files if you don't reference them and they are not used MSI-Source files on the system you handle the update. On HP systems you can even rename the folder like from C:\SWSETUP\ to C:\_SWSETUP\ and it will work.

Where we found that info:

We silent deploy the 1909 there will following command line which gives us detailed Debug Log Info:

c:\drivers\setup\CUSTOMER_W10_1909\setup.exe /auto upgrade /copylogs \\SERVER\w10_1909$\CLIENTS_DEBUG\%computername% /DiagnosticPrompt enable /Priority Normal /postoobe c:\drivers\setup\CUSTOMER_W10_1909\CUSTOMER_W10_ENDE_OK.cmd /postrollback c:\drivers\setup\CUSTOMER_W10_1909\CUSTOMER_W10_ROLLBACK.cmd /Quiet /ShowOOBE none /telemetry disable /compat IgnoreWarning /DynamicUpdate disable /migratedrivers all

In these Logfiles then you will find the reason why he did not upgrade. You will also see why if you skip the OPTIONS: /Quiet /ShowOOBE none

search over all log files for "StatusDetail="UpgradeBlock"

It will be found in the logfile Compatdata*.xml

Here is the info regarding the Block within the XML File:

<Program IconId="ifxspmgt.exe_f069054697b0a0ae" Id="0006c5c9b5d907dd9c81f4d74bb61beb7e3900000904" Name="Infineon TPM Professional Package">

<CompatibilityInfo BlockingType="Hard" StatusDetail="UpgradeBlock"/>

<Action Name="ManualUninstall" ResolveState="NotRun" DisplayStyle="Text"/>


The where the files that Windows 10 Update found BUT where not installed on the system.

Just delete the files if unused and the update will do it what it should.




Ivanti Frontrange Enteo | Deployment | W10

BACKUP configuration of Vmware ESXI with POWERCLI

by butsch 13. September 2020 15:47

Backup the config from a VMware ESXI free Version up to 6.7.

There is a nice way to backup the free ESXi configuration settings into one file. This us usefull to document the ESXi before you update it and don't want to make 200 screenshots.

  1. Download and Install POWERCLI from VMware.



  1. Start Power shell elevated (As Administrator)
  2. set-executionpolicy remotesigned
  3. run from "C:\Program Files (x86)\VMware\Infrastructure\PowerCLI\Scripts"


  1. Do the backup

set-executionpolicy remotesigned -Confirm:$False

Set-PowerCLIConfiguration -InvalidCertificateAction ignore -Confirm:$False

Connect-VIServer -Server -User root -Password **********

Get-VMHostFirmware -VMHost -BackupConfiguration -DestinationPath C:\20_SERVER_ESX_ASUS_P11C-M4L\03_ESX_CONFIG_BACKUP

Disconnect-VIServer -Server -Confirm:$False




C:\> Set-PowerCLIConfiguration -InvalidCertificateAction ignore -Confirm:$False

Scope ProxyPolicy DefaultVIServerMode InvalidCertificateAction DisplayDeprecationWarnings WebOperationTimeout


----- ----------- ------------------- ------------------------ -------------------------- -------------------

Session UseSystemProxy Multiple Ignore True 300


AllUsers Ignore



C:\> Connect-VIServer -Server -User root -Password imelsasswohntdegillesim

Name Port User

---- ---- ---- 443 root



C:\> Get-VMHostFirmware -VMHost -BackupConfiguration -DestinationPath C:\20_SERVER_ESX_ASUS_P11C-M4L\03_ESX_CONFIG_BACKUP

Host Data

---- ---- 20_SERVER_ESX...



C:\> Disconnect-VIServer -Server -Confirm:$False






Restore from the backup would be:


set-executionpolicy remotesigned -Confirm:$False

Set-PowerCLIConfiguration -InvalidCertificateAction ignore -Confirm:$False

Connect-VIServer -Server -User root -Password **********

Set-VMHostFirmware -VMHost -Restore -SourcePath C:\20_SERVER_ESX_ASUS_P11C-M4L\03_ESX_CONFIG_BACKUP \configBundle- -HostUser root -HostPassword **

Disconnect-VIServer -Server -Confirm:$False



You can view the config if you UNPACK 10x TAR and ZIP files from the backup file:




VMware Link:




VMWare | Deployment

WMI Filter for GPO WIN 10 and 1709, 1803, 1809, 1903, 1909

by butsch 30. July 2020 01:47

Here is how to catch different Windows 10 OS release within WMI.

We used this the first time during a 1709 > 1909 Migration where we wanted to push customer startlayout.xml (Different new syntax and command for W10 1909)

with GPO ONLY to the 1909 clients. SBS/KMU seamless upgrades but often forget to handle GPO Policy side during the upgrade process. If you wan to modify

The startlayout/startmenu tiles this is often the first place you will need the WMI filters.


W10 Version Info:

Major   Minor   Version Build      Info       Released

10           0             1607       14393    2016 RTM LTSC 09/26/2016

10           0             1709       16299    2016 SAC            10/17/2017

10           0             1803       17134    2016 SAC            04/30/2018

10           0             1809       17763    2019 LTSC           11/13/2018

10           0             1903       18362    2019 SAC            5/21/2019

10           0             1909       18363    2019 SAC            11/12/2019


WMI Query to check which version you run of Windows 10.


W10 1607:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "14393"

W10 1709:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "16299"

W10 1803:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "17134"

W10 1809:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "17763"

W10 1903:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "18362"

W10 1909:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "18363"




Based on above info from us you can build the GPO filter for each W10 version.


Example: Use the Paessler WMI tester to check

If the query was successful then you get FEEDBACK from the Query (if not it would be empty)


Please also check these WMI related links from us:









Deployment | WMI

Server 2016 unable to change Product key MAK in GUI (BUG)

by butsch 11. June 2019 22:18

We have a Server 2016 fully patched until 05/2019. We run a KMS-Server which does not have a SRV KMS 2016 channel activated.

PROBLEM: Strangely we can't change to Product key with the GUI. There is simply no reaction when you click "Change product key" button.

We have seen things like this under Control Panel (Unable to scroll) in W10 1903 where Dameware did not work and only possible with RDP.




Use the Activation Wizards to do it. In a cmd type.

slui 3


The wizard appears

Enter the MAK key (NOT any KMS please ;-)

You can also change the key with Commandline direct:

slmgr.vbs /ato



Deployment | W10 | Office KMS,MAK,APPV | Server 2012 R2

Server 2016, MDT 2013, W10 1809 6.3.8456.1000 SQL Compact Database

by butsch 28. March 2019 16:34

If you don't connect MDT on Server 2016 to an SQL Database it will use SQL Server Compact to store information

You see in MONITOR. You ONLY access the Info from the Compact Edition with SQL Management Studio 2008R2

And NOT the newer Version I have read somewhere. With the SQL Management Studio 2008R2 we

Can open the SDF database from C:\Program Files\Microsoft Deployment Toolkit\Monitor\MDT_Monitor.sdf


You can also access through API Web:





It's written that they keep the information in there for 3 days. So this is only a temporary solution until the client runs.


C:\Program Files\Microsoft Deployment Toolkit\Monitor\MDT_Monitor.sdf


To see or view data itself you could use:





Client Management | Deployment | Microsoft SCCM/MEM/MDT

KB 4489881 Breaks WDS MDT on Server 2016 PXE boot

by butsch 20. March 2019 21:08

To date there are two Social MSDN Threads where people and very und-happy and Microsoft DOES not think it's important

to mention the Problem on their KB Article under Problems. This has just come into our timeline range where

we rollout and MDT/WDS Server for medium sized customer who has no Enterprise Agreement and thus no SCCM.

Manage over 15 WSUS servers for SBS to Enterprise but has no info in that direction. (Not mentioned on MS/TechNet or Ask Woody which we mostly consult for good info)


Problem during PXE Boot:

Windows failed to start a recent hardware or software change might be the cause.

"Status 0xc0000001"



Here is how to fix it:

Uncheck under TFTP the option Enable Variable Window Extension

Reboot the WDS/MDT Server or restart the WDS Service.


Deployment | Microsoft SCCM/MEM/MDT | W10 | Microsoft Server OS

Werbung von Drittfirmen (Nicht Butsch Informatik):

Werbung von Drittfirmen via Google Adsense: