Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-24 09:28:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 32
fleet/docs/solutions/windows/scripts/remove-unreachable-wsus-configuration.ps1
Adam Baali f2f1f66d11
Add Windows MDM migration troubleshooting scripts and guide (#39548) 
Closes #38916
Related: #34993, #33985, fleetdm/confidential#13228

## Changes

**Article update** (`articles/windows-mdm-setup.md`)
- Adds "Migrating from another MDM solution" subsection under **Manual
enrollment** with overview of common migration issues and links to
remediation scripts

**New scripts** (`docs/solutions/windows/scripts/`)
- `reset-mdm-enrollment-flag.ps1` — Resets MmpcEnrollmentFlag blocking
MDM status after migration
- `remove-stale-mdm-enrollment-records.ps1` — Clears orphaned enrollment
GUIDs, AAD discovery cache, and MS DM Server cache
- `fix-workplace-join-configuration.ps1` — Re-enables
Automatic-Device-Join task and configures Workplace Join policies
- `remove-unreachable-wsus-configuration.ps1` — Removes unreachable WSUS
server config that breaks Windows Update

## Context

Customers migrating Windows hosts from Intune to Fleet have been hitting
recurring enrollment issues, MDM status stuck on "Off," enrollment
errors (`0x80190190`, `0x8018000a`), and Windows Update breakage from
leftover RMM agents. These scripts consolidate the workarounds from
multiple customer engagements into self-serve remediation that can be
deployed via **Controls > Scripts**.

---------

Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
2026-02-11 15:20:26 +01:00

40 lines
1.6 KiB
PowerShell
Raw Blame History

# Please don't delete. This script is referenced in the guide here: https://fleetdm.com/guides/windows-mdm-setup#migrating-from-another-mdm-solution
# Detects and removes unreachable WSUS server configurations that can break Windows Update
# after migrating from another MDM solution. Only removes WSUS config if the server cannot
# be reached at all (HTTP error responses like 403 are treated as reachable).
# Reboot the device after running this script.
$WUPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
if (-not (Test-Path $WUPath)) {
Write-Host "Windows Update policy path not found - no action needed"
exit 0
}
$wuServer = (Get-ItemProperty -Path $WUPath -Name "WUServer" -ErrorAction SilentlyContinue).WUServer
if (-not $wuServer) {
Write-Host "No WSUS server configured - no action needed"
exit 0
}
$reachable = $false
try {
$null = Invoke-WebRequest -Uri $wuServer -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
$reachable = $true
} catch [System.Net.WebException] {
if ($_.Exception.Response) {
# Server responded with an HTTP error (e.g., 403) - it is still reachable
$reachable = $true
}
} catch {
# Connection failed entirely
}
if ($reachable) {
Write-Host "WSUS server $wuServer is reachable - no action taken"
} else {
Write-Host "WSUS server $wuServer is unreachable - removing configuration"
Remove-ItemProperty -Path $WUPath -Name "WUServer" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $WUPath -Name "WUStatusServer" -ErrorAction SilentlyContinue
Restart-Service wuauserv -Force
Write-Host "Windows Update service restarted"
}
Reference in a new issue View git blame Copy permalink