Channel: ConfigMgr (SCCM) – All about Microsoft Endpoint Manager

SCCM ConfigMgr Compliance status of client for multiple software update groups


After a long time, I am back with a quick SCCM ConfigMgr software update compliance report. A friend of mine asked me this morning whether he could check the compliance of a specific computer (a VIP machine, for example) against one or more software update groups that they have created and deployed.

How do you check the compliance status of a computer for specific software update groups only, and not for all updates available in SCCM?

There are several software update compliance reports for software update groups and for computers, but none that tells you whether a particular computer is compliant with a given software update group. The only built-in route is to run the compliance report for a collection, take the overall compliance status and drill down from there, or run another compliance report, which is a tedious process. If you need to repeat that for several update groups, it is not easy. The only solution is a custom report.

So I started looking into this request and searched online, but could not find anything except this link, which is unanswered: https://social.technet.microsoft.com/Forums/en-US/6cb95ee0-808e-4c8f-a39c-11bc35282357/limit-specific-computer-report-to-a-software-update-group?forum=configmanagergeneral

I also looked through my own blog to see whether I had posted something similar, but found nothing that matches the requirement.

So I wrote the SQL code, turned it into an SSRS report, and it is now available for you to download and play with.

I have added most of the computer information (software update group, computer name, user name, OS, last hardware scan, last software update scan, last logon time, IP address and patch compliance status) to help with further troubleshooting.

You can download the SQL views documentation from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

How does this report work? When you run it, it prompts you to choose the software update groups you are interested in and to enter the computer name (mandatory, no drop-down; enter the NetBIOS computer name, not the FQDN).
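The post does not reproduce the SQL behind the downloadable RDL. The query below is an added example (mine, not the report author's code) of how the same lookup is built from the standard ConfigMgr reporting views: the selected update groups are expanded into their member updates through v_CIRelation, the computer's state for each update is read from v_Update_ComplianceStatusAll, and the per-group counts are rolled up into a Compliant / Non-Compliant verdict. The computer name and update group titles are constructed sample values, and the @ComputerName and @UpdateGroups variables stand in for the report's parameters.

```sql
-- Added example, not the SQL from the downloadable report: compliance of one
-- computer against a chosen set of software update groups, built on the
-- standard ConfigMgr reporting views. @ComputerName and @UpdateGroups stand in
-- for the SSRS parameters; the values below are constructed samples.
DECLARE @ComputerName NVARCHAR(256) = N'WS-VIP-01';
DECLARE @UpdateGroups TABLE (Title NVARCHAR(512));
INSERT INTO @UpdateGroups (Title)
VALUES (N'2019-02 Workstation Patches'), (N'2019-03 Workstation Patches');

SELECT
    sys.Name0                      AS ComputerName,
    sys.User_Name0                 AS LastLoggedOnUser,
    sys.Operating_System_Name_and0 AS OperatingSystem,
    ws.LastHWScan                  AS LastHardwareScan,
    uss.LastScanTime               AS LastUpdateScan,
    al.Title                       AS UpdateGroup,
    COUNT(cir.ToCIID)              AS UpdatesInGroup,
    -- v_Update_ComplianceStatusAll.Status: 0 Unknown, 1 Not required,
    -- 2 Required (missing), 3 Installed. No row at all is treated as Unknown.
    SUM(CASE WHEN ISNULL(cs.Status, 0) = 3 THEN 1 ELSE 0 END) AS Installed,
    SUM(CASE WHEN ISNULL(cs.Status, 0) = 1 THEN 1 ELSE 0 END) AS NotRequired,
    SUM(CASE WHEN ISNULL(cs.Status, 0) = 2 THEN 1 ELSE 0 END) AS Missing,
    SUM(CASE WHEN ISNULL(cs.Status, 0) = 0 THEN 1 ELSE 0 END) AS Unknown,
    -- Compliant only when every update in the group is Installed or Not
    -- required; a missing or unknown state makes the group Non-Compliant,
    -- so a machine that never finished its update scan does not pass silently.
    CASE WHEN SUM(CASE WHEN ISNULL(cs.Status, 0) IN (0, 2) THEN 1 ELSE 0 END) = 0
         THEN 'Compliant' ELSE 'Non-Compliant' END AS ComplianceStatus
FROM v_R_System sys
-- expand each selected update group into its member updates
CROSS JOIN v_AuthListInfo al
JOIN v_CIRelation cir
    ON cir.FromCIID = al.CI_ID
   AND cir.RelationType = 1            -- update group -> member update
-- this computer's state for each of those updates
LEFT JOIN v_Update_ComplianceStatusAll cs
    ON cs.CI_ID = cir.ToCIID
   AND cs.ResourceID = sys.ResourceID
LEFT JOIN v_GS_WORKSTATION_STATUS ws ON ws.ResourceID = sys.ResourceID
LEFT JOIN v_UpdateScanStatus uss      ON uss.ResourceID = sys.ResourceID
WHERE sys.Name0 = @ComputerName        -- NetBIOS name, as the report asks for
  AND ISNULL(sys.Obsolete0, 0) = 0     -- skip stale duplicate discovery records
  AND sys.Client0 = 1
  AND al.Title IN (SELECT Title FROM @UpdateGroups)
GROUP BY sys.Name0, sys.User_Name0, sys.Operating_System_Name_and0,
         ws.LastHWScan, uss.LastScanTime, al.Title
ORDER BY al.Title;
```

Two choices worth noting. A status of Not required (1) counts toward compliance while Unknown (0) does not, so a client whose scan has not completed shows as Non-Compliant instead of being mistaken for patched; the Unknown column tells you which it is. The Obsolete0 and Client0 filters matter because the report takes a bare computer name, and a renamed or re-imaged machine can leave more than one v_R_System row with the same Name0. The remaining columns of the original report (IP address, last logon) come from other views; IP addresses in particular live in v_RA_System_IPAddresses, which holds several rows per machine and needs to be aggregated or filtered before it is joined here.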

The output of the report is shown below.

image

Download the report from the TechNet Gallery, upload it to your SSRS report server, change the data source and you are ready to run it.

Some of the other software update compliance reports from my blog are listed below.

SCCM Configmgr 2012 Updated Patch Compliance reports for software update group and collection with patch progression

Configmgr SQL query to get the list of clients that require a specific software update patch

SCCM Configmgr Software Update Compliance Report for Specific Collection within Specific Time Frame

SCCM Configmgr SQL query to find Top X missing updates for specific collection for specific update group

SCCM Configmgr Get the Update Compliance Status for multiple Update groups against Multiple collections using SQL query without reporting

SCCM Configmgr Software update Compliance Report for multiple Software Update groups per collection

SCCM Configmgr SQL Query to check software update is superseded by what software updates

Configmgr How to list all Default and Custom reports with created by, modified by,data source , Path and Description

SCCM Configmgr How to generate patch compliance report that shows all updates for specific collection ?

SCCM Configmgr SSRS Report Get list of missing updates for PC from specific Software update group

sccm  SQL Query Get software updates that are downloaded but not in any software update group

SCCM Configmgr 2012 Software update compliant non-compliant results for list of computers from collection for specific month

SCCM Check Patch is member of what software update package

SCCM Configmgr  SSRS Patch Compliance Report Per Collection Per Update Group

SCCM Configmgr SSRS Report Overall Compliance Per Update Group Per Collection will help to troubleshoot the clients

SCCM Configmgr Patch Report – OU based Compliance status per Update Group

SCCM Configmgr Report Get the Status of Software Update Scan results

SCCM Configmgr Software update compliance states

SCCM report applications installed on computers without Updates

SCCM Configmgr Report for Software Update Compliance


SCCM Report Get list of devices with pending reboot in a collection with different states


Beginning with Configuration Manager current branch version 1710, you can use the SCCM console to identify client devices that require a restart and then use a client notification action to restart them. The clients must also be upgraded to version 1710 or later for this capability to work.

This makes it much easier for SCCM engineers to restart a device with a single click.

To identify devices that are pending a restart, go to the Assets and Compliance workspace, select the Devices node, then right-click a column header in the details pane and add the new Pending Restart column.

image

Once you add the column, you can sort by Pending Restart to see all devices together with their client state.

image

Each device has one or more of the following values:

  • No: there is no pending restart
  • Configuration Manager: this value comes from the client reboot coordinator component (RebootCoordinator.log)
  • File rename: this value comes from Windows reporting a pending file rename operation (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, PendingFileRenameOperations)
  • Windows Update: this value comes from the Windows Update Agent reporting a pending restart is required for one or more updates (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired)
  • Add or remove feature: this value comes from the Windows component-based servicing reporting the addition or removal of a Windows feature requires a restart (HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\Reboot Pending)

To restart a device, right-click it, select Client Notification, and then select Restart. An information window opens describing the restart; click OK to confirm the request.

image

When the client receives the notification, a Software Center notification window opens to inform the user about the restart. By default, the restart occurs after 90 minutes. You can modify the restart time in client settings.

The settings for restart behaviour are on the Computer Restart tab of the default client settings.

If you want the full list of devices pending a reboot, the console steps above are not always convenient: they don't give you a count either, since you have to add the column and sort to work out how many devices are affected.

In this blog post we will see how to create a dynamic collection that lists all devices with a pending reboot. This collection should always be on your troubleshooting checklist.

I will also give you SSRS reports that show the count of pending-reboot devices per operating system for a collection, with a drill-down report listing all the clients with their inventory.

Before creating the collection, we need to know where this information is stored in WMI. Collections use WQL, so you need the class and property name.

The restart information is stored in the SMS_CombinedDeviceResources class, in the ClientState property.

Anything that is not 0 (ClientState != 0) is treated as pending reboot.

ClientState is a bit mask (1 = Configuration Manager, 2 = File Rename, 4 = Windows Update, 8 = Add or Remove Feature), so the possible values for a client with a pending reboot are:

1 – Configuration Manager
2 – File Rename
3 – Configuration Manager, File Rename
4 – Windows Update
5 – Configuration Manager, Windows Update
6 – File Rename, Windows Update
7 – Configuration Manager, File Rename, Windows Update
8 – Add or Remove Feature
9 – Configuration Manager, Add or Remove Feature
10 – File Rename, Add or Remove Feature
11 – Configuration Manager, File Rename, Add or Remove Feature
12 – Windows Update, Add or Remove Feature
13 – Configuration Manager, Windows Update, Add or Remove Feature
14 – File Rename, Windows Update, Add or Remove Feature
15 – Configuration Manager, File Rename, Windows Update, Add or Remove Feature

Create a device collection, choose a query-based membership rule and paste the following WQL into it.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System join sms_combineddeviceresources on
sms_combineddeviceresources.resourceid = sms_r_system.resourceid
where sms_combineddeviceresources.clientstate != 0

image

We have just created a collection that lists the devices with a pending reboot. You can now decide whether to reboot them using client notification.

image

How do you reboot all the devices at once? You cannot do it by right-clicking the collection, because the collection-level menu has no restart option. Open the collection, select all devices, right-click and use Client Notification.

Now we will look at the SSRS report.

With the information available in SCCM we could build a variety of reports; I went with the following customisations.

A report with a collection parameter and a device restart type parameter (Configuration Manager, Add or Remove Feature, etc.; multi-select). It shows the count of pending-restart devices by operating system.

Each count has a drill-down report showing the list of clients with inventory information such as last hardware inventory, IP address, last MP and last software update scan.
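As an added example (not the query from the downloadable RDL), the following T-SQL shows how the parent and child reports described above can be built from v_CombinedDeviceResources, which is the SQL side of the SMS_CombinedDeviceResources WMI class used in the collection query. The first query decodes ClientState as a bit mask and counts pending-restart devices per operating system for one collection; the second lists the devices behind one cell of the parent with the inventory columns used for troubleshooting. The collection ID, operating system name and restart reason are constructed sample values standing in for the report parameters.

```sql
-- Added example, not the query from the downloadable RDL: pending-restart
-- devices for one collection, decoded from the ClientState bit mask
-- (1 Configuration Manager, 2 File Rename, 4 Windows Update,
--  8 Add or Remove Feature). v_CombinedDeviceResources is the SQL side of
-- the SMS_CombinedDeviceResources WMI class used in the collection query.
-- @CollectionID, @OperatingSystem and @RestartReason stand in for the
-- report parameters; the values are constructed samples.
DECLARE @CollectionID    NVARCHAR(8)   = N'SMS00001';   -- All Systems
DECLARE @OperatingSystem NVARCHAR(256) = N'Microsoft Windows NT Workstation 10.0';
DECLARE @RestartReason   NVARCHAR(32)  = N'Windows Update';

-- Parent report: one row per operating system, pending-restart count and
-- how many devices carry each restart reason (a device can carry several,
-- which is why the reason columns can add up to more than the count).
SELECT
    ISNULL(cdr.DeviceOS, 'Unknown')                           AS OperatingSystem,
    COUNT(*)                                                  AS PendingRestartDevices,
    SUM(CASE WHEN cdr.ClientState & 1 = 1 THEN 1 ELSE 0 END)  AS ConfigurationManager,
    SUM(CASE WHEN cdr.ClientState & 2 = 2 THEN 1 ELSE 0 END)  AS FileRename,
    SUM(CASE WHEN cdr.ClientState & 4 = 4 THEN 1 ELSE 0 END)  AS WindowsUpdate,
    SUM(CASE WHEN cdr.ClientState & 8 = 8 THEN 1 ELSE 0 END)  AS AddOrRemoveFeature
FROM v_CombinedDeviceResources cdr
JOIN v_FullCollectionMembership fcm
    ON fcm.ResourceID = cdr.MachineID
   AND fcm.CollectionID = @CollectionID
WHERE cdr.IsClient = 1
  AND cdr.ClientState <> 0                  -- same test as the collection WQL
GROUP BY ISNULL(cdr.DeviceOS, 'Unknown')
ORDER BY PendingRestartDevices DESC;

-- Child (drill-down) report: the devices behind one cell of the parent,
-- with the inventory columns used for troubleshooting.
SELECT
    cdr.Name,
    cdr.DeviceOS,
    cdr.DeviceOSBuild,
    cdr.ClientState,
    cdr.LastHardwareScan,
    cdr.LastMPServerName,
    cdr.LastActiveTime,
    uss.LastScanTime                        AS LastUpdateScan
FROM v_CombinedDeviceResources cdr
JOIN v_FullCollectionMembership fcm
    ON fcm.ResourceID = cdr.MachineID
   AND fcm.CollectionID = @CollectionID
LEFT JOIN v_UpdateScanStatus uss ON uss.ResourceID = cdr.MachineID
WHERE cdr.IsClient = 1
  AND cdr.ClientState <> 0
  AND ISNULL(cdr.DeviceOS, 'Unknown') = @OperatingSystem
  -- keep only devices whose state carries the selected reason's bit
  AND cdr.ClientState & (CASE @RestartReason
                             WHEN N'Configuration Manager' THEN 1
                             WHEN N'File Rename'           THEN 2
                             WHEN N'Windows Update'        THEN 4
                             WHEN N'Add or Remove Feature' THEN 8
                             ELSE 0 END) <> 0
ORDER BY cdr.Name;
```

Testing the individual bits rather than matching the fifteen combined values is what lets the restart type parameter be multi-select: a device with ClientState 6 is counted under both File Rename and Windows Update. Because the state is only refreshed when the client reports in, a device that went offline with a pending restart keeps showing one until it comes back; adding `AND cdr.LastActiveTime > DATEADD(day, -7, GETDATE())` to both queries hides that stale residue when you only want machines you can actually restart now.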

Parent Report:

image

Click the Pending Restart count (shown in blue) to see the clients for that operating system.

Child Report (Drilldown Report):

The child report has 3 parameters: collection name, restart state name and OS. All of them are passed to the child report from the parent report.

image

You might see a pending reboot for clients that are inactive. This is because the client never reported back to SCCM after it sent its pending restart state, and that state remains until the device comes online and reports again.

You must run the parent report to reach the child report. If you try to run the child report directly you will run into errors, which is expected because of the hidden parameters in the child report.

How to get the reports ?

Download the RDL files from the TechNet Gallery, extract them, upload both files to the same folder on your SSRS report server, change the data source and run the reports.

Reference:

https://blogs.technet.microsoft.com/meamcs/2019/01/10/understanding-and-using-the-pending-restart-feature-in-sccm-current-branch/

SCCM Technical preview version 1901 – Management insight rules for collections


Microsoft has released the first Technical Preview of Configuration Manager for 2019, with some exciting features: a client health dashboard, management insight rules for collections, DP maintenance mode, searching for devices by MAC address and many others.

If you want to install this preview in your lab, get the Technical Preview baseline version 1810.2 from the TechNet Evaluation Center. For more information about Technical Previews, please read here.

Once you install the baseline version, you will see 1901 in the console. Installing Technical Previews from the console is simple and straightforward.

The features added in preview version 1901 are:

  1. Client health dashboard
  2. Specify priority for feature updates in Windows 10 servicing
  3. Dedicated monitoring for phased deployments
  4. Run CMPivot from the central administration site
  5. Improvements to Run PowerShell Script task sequence step
  6. Office products on lifecycle dashboard
  7. Management insight rules for collections
  8. Search device views using MAC address
  9. Distribution point maintenance mode
  10. Optimized image servicing
  11. Import a single index of an OS image
  12. Use Azure Resource Manager for cloud services
  13. Confirmation of console feedback
  14. Create a Configuration Manager technical preview lab in Azure
  15. Specify a custom port for peer wakeup
  16. View recently connected consoles
  17. Stop cloud service when it exceeds threshold
  18. Client provisioning mode timeout
  19. Improvements to OS deployment

The features I am most interested in are the client health dashboard, management insights for collection rules, searching for devices by MAC address, DP maintenance mode, viewing recently connected consoles, monitoring phased deployments and creating a preview lab in Azure.

I recently wrote blog posts on how to identify collections by different criteria and how to fix them where needed:

http://eskonr.com/2019/01/sccm-configmgr-remove-collection-membership-for-direct-rule-collections-using-powershell/

http://eskonr.com/2019/01/sccm-configmgr-monitoring-collection-evaluations-and-change-update-membership-schedule-using-powershell/

Now Microsoft has added a way to identify collections matching the criteria listed below and take the necessary action. You can use these insights to simplify management and improve performance.

The following rules are in the Collections group:

  • Collections with no query rules and no direct members: To simplify the list of collections in your hierarchy, delete these collections.
  • Collections with the same re-evaluation start time: These collections have the same re-evaluation time as other collections. Modify the re-evaluation time so they don't conflict.
  • Collections with query time over two seconds: Review the query rules for this collection. Consider modifying or deleting the collection.
  • The following rules include configurations that potentially cause unnecessary load on the site. Review these collections, then either delete them, or disable rule evaluation:
    • Collections with no query rules and incremental updates enabled
    • Collections with no query rules and enabled for scheduled or incremental evaluation
    • Collections with no query rules and schedule full evaluation selected

image

Double-click a group and you will see its list of rules with a progress status; for each rule that has been evaluated, the status tells you whether any admin action is needed.

image

Some of the rules above say action needed. To see which collections are affected, double-click the rule.

I double-clicked Empty collections to see which collections they are.

image

I have a collection with no members, so I can take action on it.

Once you are done, re-evaluate the rule by right-clicking it and choosing Re-evaluate.

Like these, there are many other features added in preview version 1901.

Happy testing!

How to control the Office ProPlus channel and which Office apps are available to download from the Office portal


When you assign an Office 365 ProPlus license to users in your Microsoft 365 tenant, they get the option to download the ProPlus setup manually by visiting https://office.com or https://portal.office.com/ and clicking Install Office.

Even if you manage ProPlus updates with SCCM and the channel with GPO, there will be users in the organisation who go to the Office portal and download the setup files manually to install on their own machines.

image

 

image

When they download the setup file (32-bit or 64-bit), by default they get Monthly Channel, which is not what most organisations want to give their users. To provide a consistent experience to everyone in the org, you need to make sure everyone gets the same channel that your deployment tool delivers (Monthly, Semi-Annual, etc.).

So how do we control the channel when a user downloads from the Office portal? Or how do we disable the Install Office option completely and route all ProPlus installations through a specific deployment tool (SCCM/Intune)?

In this blog post we will see how to control the ProPlus channel for manual downloads from the Office portal by end users.

It is not good practice to disable this option completely: if you do, every manual installation needs an offline installer with an XML configuration file, which is a tedious process.

If you simply leave the ProPlus option enabled for users with the right channel, then in urgent situations they can download the 32-bit or 64-bit installer straight from the portal and get it installed.

How to control it ?

1. Log in to https://admin.microsoft.com/AdminPortal/Home#/homepage . You may need Global Administrator permissions to modify these settings.

2. On the left-hand side, go to Settings -> Services & add-ins

image

3. Scroll all the way down to Office software download settings. This is where we control the channel and which Office apps are available to download.

image

4. All the settings you can control for user downloads are available there.

Choose which software your users can install directly from Office 365. If you don't want your users installing software themselves, set the toggle to Off to disable this option on both desktop and mobile devices.

I always prefer the Semi-Annual Channel (updated every six months) for many reasons. See the documentation for more information on update channels: https://docs.microsoft.com/en-us/deployoffice/overview-of-update-channels-for-office-365-proplus

 

image

 

Click on save.

Now when users download ProPlus from the Office portal, they always get the latest version of the Semi-Annual Channel.

The drawback is that it does not let you control the version, only the channel (the channel stays the same, but the actual ProPlus version 16.0.xxxx keeps changing as Microsoft releases updates).

 

Hope you find this blog post useful!

SCCM ConfigMgr Current Branch 1902 is now available as in-console and baseline version


Microsoft has released Configuration Manager current branch 1902 as an in-console update and as a baseline version. You can apply this update to sites running 1710, 1802, 1806 or 1810. If you want to install a new site, download 1902 as the baseline and install from it.

This build includes the features listed below:

Site infrastructure:

  • Client health dashboard
  • New management insight rules
  • Improvement to enhanced HTTP
  • Improvement to setup prerequisites

Cloud-attached management:

  • Stop cloud service when it exceeds threshold
  • Use Azure Resource Manager for cloud services
  • Add cloud management gateway to boundary groups

Real-time management:

  • Run CMPivot from the central administration site
  • Edit or copy PowerShell scripts

Content management:

  • Distribution point maintenance mode

Client management:

  • Client provisioning mode timeout
  • View first screen only during remote control
  • Specify a custom port for peer wakeup

Application management:

  • Improvements to application approvals via email
  • Improvements to Package Conversion Manager

OS deployment:

  • Progress status during in-place upgrade task sequence
  • Improvements to task sequence media creation
  • Specify temporary storage
  • Add a label to the media
  • Import a single index of an OS image
  • Optimized image servicing
  • Improvements to Run PowerShell Script task sequence step
  • Other improvements to OS deployment

Software Center:

  • Replace toast notifications with dialog window
  • Software changes are required
  • Restart required
  • Configure user device affinity in Software Center
  • Configure default views in Software Center

Software updates:

  • Specify priority for feature updates in Windows 10 servicing

Office management:

  • Redirect Windows known folders to OneDrive
  • Integration with analytics for Office 365 ProPlus readiness
  • Additional languages for Office 365 updates
  • Office products on lifecycle dashboard

Phased deployments:

  • Dedicated monitoring for phased deployments
  • Improvement to phased deployment success criteria

Configuration Manager console:

  • Improvements to Configuration Manager console
  • Configuration Manager console notifications
  • Confirmation of console feedback
  • View recently connected consoles
  • In-console documentation dashboard
  • Search device views using MAC address
  • Use .NET 4.7 for improved console accessibility

Read the full set of features with descriptions: https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1902

List of PowerShell cmdlet changes: https://docs.microsoft.com/en-us/powershell/sccm/1902-release-notes?view=sccm-ps

List of known issues: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/release-notes

To download the 1902 baseline version, log in to the Volume Licensing Service Center or get it from the Evaluation Center.

For now, Microsoft has released this update via the fast ring. What does fast ring mean? To get the update in the console at this point in time, you need to run a script manually to make 1902 appear in the console.

If you are not in a rush and can wait for the slow ring, simply ignore the script and continue reading.

Installing this update in-console is similar to previous versions, but always review the latest checklist for installing update 1902. After you update a site, also review the post-update checklist.

For the fast ring, download the PowerShell script from TechNet ( https://gallery.technet.microsoft.com/ConfigMgr-1902-Enable-87eef616?redir=0 ) and copy it to your SCCM site server.

Extract it and run the script from PowerShell:

  1. Launch an elevated command prompt.
  2. Run PowerShell.
  3. Run the EnableFastUpdateRing1902.ps1 script (bundled in the exe from the link above):
     EnableFastUpdateRing1902.ps1 <SiteServer_Name | SiteServer_IP>
     where SiteServer is the CAS or standalone primary site server.
  4. Force a check for the update: go to \Administration\Overview\Cloud Services\Updates and Servicing and click Check for Updates.

Once you have run the script, close any SCCM console connections and restart the SMS Executive service.

Launch the SCCM console. On the side, open dmpdownloader.log; this log tracks everything related to the download of the update.

On the Updates and Servicing node, click Check for Updates.

image

After a while, the 1902 update appears in the console.

You can monitor dmpdownloader.log for any errors.

Once you see the 1902 update in the console, run the prerequisite check to see if your site is ready for the upgrade.

image

After a while, the status is updated.

Review the prerequisite check result to confirm your site is ready to update to 1902.

image

Once the prerequisite check passes, you are good to install the update pack.

image

Choose the features you want to enable. If you are not sure what to enable, you can turn them on later under Features after the update is installed.

image

Have a pre-production collection ready and select it to pilot the 1902 client.

image

Accept the license terms and click Next.

image

Check the summary page and click Next.

image

You will see the completion wizard.

image

Now monitor the status of update 1902 from the Updates and Servicing node or in the cmupdate.log log file.

Once the installation completes, you will see a prompt asking to install the new console version; click OK to install the new console.

image

Configuration manager version:

image

SCCM Site version: 5.00.8790.1000

SCCM console version:5.1902.1085.1500

SCCM Client version: 5.00.8790.1005

Happy exploring !

SCCM Management Insights and dashboard in Current Branch 1902


Management insights were introduced in SCCM 1802 to provide information about the current state of your environment. With 1802 there were very few insights. They are based on analysis of data from the site database and help you understand your environment and take action based on pre-defined rules.

With the release of SCCM current branch 1902, more insights have been added to the console to help you understand your environment better and take the necessary action based on the recommendations.

To locate the management insights in the console, go to \Administration\Overview\Management Insights

I am going to list all the management insights (MI) that are available in CMCB 1902.

There are 27 management insights in total in CMCB 1902.

These insights are grouped into 9 categories by function (collections, packages, applications, boot images, software updates/ADRs, etc.).

Management insight group names:

  1. Security
  2. Software Center
  3. Software updates
  4. Applications
  5. Mac OS and Unix
  6. Simplified management
  7. Collections
  8. Cloud Services
  9. Proactive Maintenance

Following is the list of the management insights that exist in SCCM ConfigMgr CMCB 1902, with each rule's description. I hope this helps you understand what each rule does.

  • Unused boot images: These boot images aren't enabled for PXE boot or referenced by any task sequence. Delete these potentially old, unused boot images.
  • Boundary groups with no assigned site systems: Without assigned site systems, boundary groups can only be used for site assignment and not content lookup. Review whether these boundary groups are appropriate for content lookup.
  • Upgrade peer cache sources to the latest version of the Configuration Manager client: When you update the site from a Configuration Manager version lower than 1806, this rule verifies that you also update all peer cache sources to the latest client version. The management point doesn't include these peer cache sources in the list of content locations until they are updated to the latest version.
  • Boundary groups with no members: Boundary groups with no members will not be applicable for site assignment or content lookup. Review and delete any boundary groups that have no members.
  • Distribution points not serving content to clients: The following distribution points haven't served content to clients in the past 30 days. This metric is based on the download history reported by clients. Review the boundary groups to which these distribution points are assigned. If these distribution points aren't needed, consider removing these site system roles.
  • Unused configuration items: The following configuration items aren't part of a configuration baseline, and are older than 30 days. Review these potentially unused configuration items.
  • Enable WSUS Cleanup: Verifies that the option to run WSUS cleanup on the Supersedence Rules tab of the software update point component properties is enabled. This option cleans up expired and superseded updates, improving WSUS performance.
  • Unsupported antimalware client versions: More than 10% of devices are running versions of System Center Endpoint Protection that are no longer supported.
  • SCEP for Mac and Linux end of support: Lists the Mac and Linux clients in your environment. These clients may or may not have SCEP installed. Support for SCEP for Mac and Linux ends on December 31, 2018.
  • Changes to behavior for sending service and diagnostic data to Microsoft from Office: The behavior for sending service and diagnostic data to Microsoft from Office has changed.
  • Applications without deployments: Lists the applications in your environment that do not have active deployments. This helps you to find and delete unused applications to simplify the list of applications displayed in the console.
  • Move from hybrid MDM to Microsoft Intune in the Azure Portal: Hybrid MDM is being deprecated on September 1, 2019. It is recommended to migrate from hybrid MDM to Microsoft Intune on the Azure Portal.
  • Update clients to the latest Windows 10 version: Update Windows 10 devices to the latest version to improve and modernize the computing experience for users. This rule detects if there are any Windows 10 version 1709 or later devices in your environment. If the rule detects any such devices, it turns green.
  • Assess co-management readiness: Co-management is a solution that provides a bridge from traditional to modern management. Co-management gives you a path to make the transition using a phased approach. This rule helps you understand what steps are necessary to enable co-management.
  • Enable devices to be hybrid Azure Active Directory joined: Modernize identity on your devices by extending your domain-joined devices to Azure Active Directory (Azure AD). Hybrid Azure AD-joined devices allow users to sign in with their domain credentials while ensuring devices meet the organization's security and compliance standards. This rule helps identify if there are any hybrid Azure AD-joined devices in your environment. If the rule detects any such devices, it turns green.
  • Client settings aren't configured to allow clients to download delta content: Some software updates synchronized in your environment include delta content. Enable the client setting, 'Allow clients to download delta content when available.' If you don't enable this setting, when you deploy these updates, clients will unnecessarily download more content than they require.
  • Collections with no query rules and no direct members: Lists the collections in your environment that have no members or query rules. You can delete these collections to simplify the list of collections in your hierarchy.
  • Empty Collections: Lists the collections in your environment that have no members. You can delete these collections to simplify the list of collections displayed when deploying objects, for example.
  • Collections with query time over 5 minutes: Lists the collections in your environment that have a query with an execution time of over 5 minutes. Review the query rules associated with the collection and consider modifying or deleting the collection.
  • Collections with no query rules and schedule full evaluation selected: This configuration causes potentially unnecessary load on the site and should be reviewed and either deleted or disabled for evaluation.
  • Collections with no query rules and enabled for any schedule: This configuration causes potentially unnecessary load on the site and should be reviewed and either deleted or disabled for evaluation.
  • Collections with the same re-evaluation start time: Lists the collections in your environment that have the same re-evaluation time as other collections. You can modify the re-evaluation time so they do not conflict with each other.
  • Collections with no query rules and incremental updates enabled: Lists the collections in your environment that have no query rules and have incremental updates enabled. This configuration causes potentially unnecessary load on the site and should be reviewed and either deleted or disabled for incremental evaluation.
  • Non-CB Client Versions: This lists all clients running client versions from ConfigMgr builds before Current Branch.
  • Update clients to a supported Windows 10 version: Some clients in your environment are running a Windows 10 version that is no longer supported, or will reach end of service within the next three months.
  • Direct your users to Software Center instead of Application Catalog: This rule checks if any users installed or requested applications from the Application Catalog in the last 14 days. The primary functionality of the Application Catalog is now included in Software Center. Support for the Application Catalog web site ends with the first update released after June 1, 2018. Update any end-user documentation and shortcuts to use Software Center.
  • Use the new version of Software Center: Software Center has a new, modern look. The previous version of Software Center is no longer supported. Set up clients to use the new Software Center by enabling the client setting, Computer Agent > Use new Software Center.

If you want to know the status of each rule, you can either check it from the SCCM admin console by clicking the insight group and going through each rule, or use an SCCM report. To take action on a rule, however, you can only do so from the SCCM console, not from reporting.

On a schedule these rules are evaluated and their status (completed, failed or in progress) is displayed in the console. If any rule fails or reports that action is needed, review the rule and take the necessary action.

The management insight rules re-evaluate their applicability on a weekly schedule. To re-evaluate a rule on demand, right-click the rule and select Re-evaluate.

The log file for management insight rules is SMS_DataEngine.log on the site server.

For example, the rule Collections with query time over 5 minutes checks all your ConfigMgr collections and finds the ones that take more than 5 minutes to evaluate.

If you want to know how many of these rules need your action, you have to click on each group and look at the status, which is a time-consuming process.

Starting in version 1810, the Management Insights node includes a graphical dashboard. This dashboard displays an overview of the rule states, which makes it easier for you to show your progress.

The management insights added in 1902 are also included in the dashboard.

Please note that this dashboard is available only in the console. If you want to view the management insight stats through the reporting URL, you need to build a custom report.

This dashboard is based on the SQL tables vSMS_ManagementInsights and ManagementInsightRulesLocalizedData. These are tables, not SQL views, so non-SCCM administrators (users who have been granted an RBAC role) cannot access them.

Following is the SQL code for you to create a custom SSRS report.

-- Status codes in vSMS_ManagementInsights: 1 = Completed, -1 = Action Needed, anything else = in progress
SELECT
MI.Id,
MI.GroupID,
loc.RuleName As Name,
case when MI.Status='1' then 'Completed' when MI.status='-1' then 'Action Needed' else 'Progress' end as 'Status',
MI.Results,
MI.LastRunTime,
MI.LastSuccessfulRunTime,
MI.Duration,
MI.Error,
MI.MoreInfoLink,
MI.ActionType
FROM vSMS_ManagementInsights MI
LEFT JOIN ManagementInsightRulesLocalizedData loc ON MI.Id = loc.Id
order by 2

Reference https://docs.microsoft.com/en-us/sccm/core/servers/manage/management-insights
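The same query run from PowerShell, as an added example that is not part of the original post: it returns the rule rows as objects, summarises them per status (the count the console dashboard shows) and lists only the rules that need action. It assumes the SqlServer module (Invoke-Sqlcmd) is installed and that the account running it has been granted SELECT on the two tables named above; the server and database names are placeholders.

```powershell
# Added example (not from the original post): Management Insights status from the
# site database without the console. Assumes the SqlServer module and SELECT
# permission on vSMS_ManagementInsights and ManagementInsightRulesLocalizedData
# (tables, not views, so an RBAC report reader does not get them automatically).
#Requires -Modules SqlServer

function Get-MIRuleStatus {
    param(
        [Parameter(Mandatory)] [string] $SqlServer,     # placeholder, e.g. 'SQL01.contoso.local'
        [Parameter(Mandatory)] [string] $SiteDatabase,  # placeholder, e.g. 'CM_PS1'
        [switch] $ActionNeededOnly
    )

    # Same status mapping as the SSRS query above: 1 = Completed, -1 = Action Needed, else in progress.
    $query = @"
SELECT MI.Id, MI.GroupID, loc.RuleName AS Name,
       CASE MI.Status WHEN 1 THEN 'Completed' WHEN -1 THEN 'Action Needed' ELSE 'Progress' END AS Status,
       MI.LastRunTime, MI.LastSuccessfulRunTime, MI.Duration, MI.Error, MI.MoreInfoLink
FROM   vSMS_ManagementInsights MI
       LEFT JOIN ManagementInsightRulesLocalizedData loc ON MI.Id = loc.Id
ORDER BY MI.GroupID
"@

    $rows = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $SiteDatabase -Query $query -QueryTimeout 60
    if ($ActionNeededOnly) { $rows = $rows | Where-Object Status -eq 'Action Needed' }
    $rows | Select-Object GroupID, Name, Status, LastRunTime, Error, MoreInfoLink
}

# Usage: per-status counts first, then the rules that need attention with their docs link.
$all = Get-MIRuleStatus -SqlServer 'SQL01.contoso.local' -SiteDatabase 'CM_PS1'
$all | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$all | Where-Object Status -eq 'Action Needed' | Format-Table GroupID, Name, LastRunTime, MoreInfoLink -AutoSize -Wrap
```

Grant the report account SELECT on just these two tables rather than a broader role; that keeps the reporting account read-only while still letting it see the rule states.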

SCCM Secondary site upgrade Failed to create process of SetupWpf.exe. return value 1


Issue Description:

A few months ago, I migrated a primary SCCM site along with its secondary sites to SCCM build 1806. The update of the primary site and the secondary site upgrades went fine, except for one secondary site.

The failed secondary site threw the following error in its log.

On the secondary site, in the root of the Windows drive (C:\), you will find a log called ConfigMgrSetup.log:

Server components are experiencing fatal errors.

Failed to create process of SetupWpf.exe. return value 1

Error code 1 means "Incorrect function".

While reading the log file, I found: Registered OCX: D:\Configmgr\bin\x64\smsprov.dll with regsvr32.exe

It looked to me as if it was failing to register smsprov.dll and just hung there for a long period (almost an hour).

I looked at the AV (antivirus) to see whether something was holding the process for a long time, but there was nothing. I even tried disabling the AV, but no luck.

Without waiting further, I rebooted the server and initiated the secondary site upgrade again from the SCCM console.

This time it failed again with the same error code. I could not troubleshoot much further, so I raised a support case to identify the root cause and fix it.

The support engineer collected a dump file and also procmon logs to find the root cause. The findings:

We noticed that the TMP folder is created and all files exist. However, the log stopped at "INFO: Registered OCX: D:\Configmgr\bin\x64\smsprov.dll with regsvr32.exe~". No further log entries after 30 minutes. Then bootstrap deleted the TMP folder.

  1. Going through the previous log, we noticed that it took several hours for the registration to work. This is not correct behaviour.

10-06-2018 12:44:05.261    Configuration Manager Setup    5196 (0x144c)    INFO: Registered OCX: D:\Configmgr\bin\x64\smsprov.dll with regsvr32.exe~

10-06-2018 18:27:37.251    Configuration Manager Setup    5196 (0x144c)    INFO: Registered OCX: D:\Configmgr\bin\x64\extnprov.dll with regsvr32.exe~

  2. Manually ran regsvr32.exe extnprov.dll. It did not finish. Checked Process Monitor: the process is there but does nothing.
  3. Checked Analyze Wait Chain; it shows the blocking process is lsass.
  4. Restarted the secondary site; still did not work.
  5. Collected dump files of both lsass and regsvr32. The dumps show that regsvr32 calls lsass, and lsass sends a request to the DC but gets no information back. Below are the details from the dump. "SMS Admins" is a default name; it will not display the exact account name.

The regsvr32.exe process is stuck on the following call stack, which invokes the RPC call LsaLookuprTranslateNames3 for the account "SMS Admins" in the LSASS.EXE process.

We tried the possible solutions to fix the issue, but none of them worked. The support engineer discussed it internally and came back with the following workaround, which is really simple.

Solution:

On the secondary site (SS2), open Local Users and Groups.

  1. Click More Actions > New Group...
  2. Set the group name to SMS Admins.

After you create the SMS Admins group, re-initiate the secondary site upgrade; that will fix the issue.

A few weeks ago, at a different customer, I ran into the same issue on 2 secondary sites while upgrading to SCCM build 1810. After creating the SMS Admins group locally, the secondary site installation went fine.

I hope this solution solves the mystery of installing secondary sites.

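A pre-check to run on the secondary site server before re-initiating the upgrade, as an added example that is not part of the original post. It looks at the two things the troubleshooting above came down to: whether ConfigMgrSetup.log is still sitting on a "Registered OCX" line with a regsvr32.exe process hanging around, and whether the local "SMS Admins" group exists, creating it if not. It assumes PowerShell 5.1 (the LocalAccounts module) on Windows Server 2016 or later and the log location the post gives (root of the system drive).

```powershell
# Added example (not from the original post): secondary site upgrade pre-check.
# Assumes PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module and
# ConfigMgrSetup.log in the root of the system drive, as described in the post.
#Requires -RunAsAdministrator

function Get-LastOcxRegistration {
    param([string] $LogPath = (Join-Path $env:SystemDrive 'ConfigMgrSetup.log'))
    if (-not (Test-Path $LogPath)) { return $null }

    # Last "Registered OCX" line; setup normally moves past it within seconds, so a
    # large Age together with a live regsvr32.exe means it is stuck like in the post.
    $line = Select-String -Path $LogPath -Pattern 'Registered OCX:' | Select-Object -Last 1
    if (-not $line) { return $null }

    $stamp = $null
    # ConfigMgrSetup.log lines start with MM-dd-yyyy HH:mm:ss.fff
    if ($line.Line -match '^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})') {
        $stamp = [datetime]::ParseExact($Matches[1], 'MM-dd-yyyy HH:mm:ss', $null)
    }
    [pscustomobject]@{
        Line      = $line.Line
        Timestamp = $stamp
        Age       = if ($stamp) { (Get-Date) - $stamp } else { $null }
        Regsvr32  = @(Get-Process -Name regsvr32 -ErrorAction SilentlyContinue).Count
    }
}

function Confirm-SmsAdminsGroup {
    param([string] $GroupName = 'SMS Admins')
    $group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
    if ($group) {
        Write-Verbose "Local group '$GroupName' already exists (SID $($group.SID))."
        return $group
    }
    # The workaround from the post: the name only has to resolve locally.
    New-LocalGroup -Name $GroupName -Description 'Created so ConfigMgr setup can resolve the name during secondary site upgrade'
}

Get-LastOcxRegistration | Format-List
Confirm-SmsAdminsGroup -Verbose
```

Run it elevated on the secondary site server itself; once the group is reported as existing, re-initiate the secondary site upgrade from the console as described above.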
SCCM Configmgr collection SQL identify duplicate computer records with different GUID


I was working on an SCCM report for a client health dashboard. During this report creation, I found that a device appeared twice with a different GUID and resource ID but the same hostname.

So I started looking at this issue to see how to identify the records with duplicate hostnames.

SCCM clients are uniquely identified by a GUID. A GUID is a combination of the client's media access control (MAC) address and the time when the GUID is assigned.

This combination produces a number that is virtually always unique. The GUID assignment occurs during the client discovery and installation processes.

The GUID is stored in the client's registry and in a binary file on the client's hard disk, smscfg.ini (C:\Windows\SMSCFG.INI).

As you see in the snapshots below, the computer record appears twice with information that was gathered through inventory/BGB/discovery.

Take a look at the following screenshots showing 3 different problems.

Device with different resource ID and Client=Yes

With this information, I started looking at SQL to write code and convert that into a collection, so it would be easy to clean up records in an automated way.

Device with different resource ID and Client=No

Device with different resource ID and Client=No

So I went to the site hierarchy settings to check the conflicting records setting, but the settings were applied correctly.

Why does this happen? An old article, but still valid: https://support.microsoft.com/en-us/help/837374/how-to-locate-and-clean-advanced-client-duplicate-guids-in-sms-2003

If you have the maintenance tasks enabled, these obsolete or inactive stale records are taken care of by them, but do you want to wait until the default maintenance task runs?

Here is the SQL code to find the list of device names that appear more than once in the SCCM console, with their count.

select name0 [Device Name],count(*) Total from v_r_system
group by name0
having (count(name0))>1
order by Name0


If you want to see the devices that appear the most times at the top, use the following query:

select name0 [Device Name],count(*) Total from v_r_system
group by name0
having (count(name0))>1
order by 2 desc

If you want to see the list of all duplicate devices with their resource IDs, use the following query:

select sys.name0,sys.ResourceID from v_r_system as sys
full join v_r_system as sys1 on sys1.ResourceId = sys.ResourceId
full join v_r_system as sys2 on sys2.Name0 = sys1.Name0
where sys1.Name0 = sys2.Name0 and sys1.ResourceId != sys2.ResourceId
group by sys.Name0,sys.ResourceID
order by 1

Create a WQL collection with the following syntax. I am making use of SMS_R_System with a full join.

select sys.ResourceID,sys.ResourceType,sys.Name,sys.SMSUniqueIdentifier,
sys.ResourceDomainORWorkgroup,sys.Client from SMS_R_System as sys
full join SMS_R_System as sys1 on sys1.ResourceId = sys.ResourceId
full join SMS_R_System as sys2 on sys2.Name = sys1.Name
where sys1.Name = sys2.Name and sys1.ResourceId != sys2.ResourceId


P.S.: The above queries only find computer names that appear twice or more with different resource IDs, GUIDs, etc.

Also note that this collection includes the active/live entry along with the inactive entry. I could not find any way/logic to skip the active computers.

You can delete all these records manually or create a PowerShell script on a schedule to empty the collection. This way you lose the inventory of the active computers, but they send it back in the next inventory cycle.

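An added example that goes one step beyond the collection above and is not part of the original post: instead of listing every copy of a duplicated name, it ranks the records that share a Name0 and keeps the one that looks current (not obsolete, client installed, active, most recently created), reporting only the remaining copies as stale. It assumes the SqlServer module, read access to v_R_System in the site database, and, for the optional cleanup step, the ConfigurationManager module loaded in a site PS drive with Remove-CMDevice accepting -ResourceId (assumed). Server and database names are placeholders.

```powershell
# Added example (not from the original post): find duplicate device names and
# separate the record to keep from the stale copies, so active computers are
# not deleted along with the inactive ones. Assumes SqlServer module and SELECT
# on v_R_System; Remove-CMDevice -ResourceId is an assumption about the
# ConfigurationManager module and is only exercised with -WhatIf here.
#Requires -Modules SqlServer

function Get-StaleDuplicateDevice {
    param(
        [Parameter(Mandatory)] [string] $SqlServer,     # placeholder, e.g. 'SQL01.contoso.local'
        [Parameter(Mandatory)] [string] $SiteDatabase   # placeholder, e.g. 'CM_PS1'
    )

    # ROW_NUMBER ranks every record that shares a Name0; rank 1 is the copy we keep.
    # Ordering: not obsolete first, then client installed, then active, then newest.
    $query = @"
;WITH ranked AS (
    SELECT Name0, ResourceID, SMS_Unique_Identifier0, Client0, Active0, Obsolete0, Creation_Date0,
           COUNT(*) OVER (PARTITION BY Name0) AS Copies,
           ROW_NUMBER() OVER (PARTITION BY Name0
                              ORDER BY ISNULL(Obsolete0, 0) ASC, ISNULL(Client0, 0) DESC,
                                       ISNULL(Active0, 0) DESC, Creation_Date0 DESC) AS Rn
    FROM v_R_System
)
SELECT Name0, ResourceID, SMS_Unique_Identifier0, Client0, Active0, Obsolete0, Creation_Date0, Copies,
       CASE WHEN Rn = 1 THEN 'keep' ELSE 'stale' END AS Verdict
FROM   ranked
WHERE  Copies > 1
ORDER BY Name0, Rn
"@
    Invoke-Sqlcmd -ServerInstance $SqlServer -Database $SiteDatabase -Query $query -QueryTimeout 120
}

$dupes = Get-StaleDuplicateDevice -SqlServer 'SQL01.contoso.local' -SiteDatabase 'CM_PS1'
$dupes | Format-Table Name0, ResourceID, Client0, Active0, Obsolete0, Creation_Date0, Verdict -AutoSize

# Optional cleanup of the stale copies only. Review the table first; -WhatIf shows what
# would be removed without touching anything. Requires a CM PS drive (e.g. PS1:) as the current location.
$dupes | Where-Object Verdict -eq 'stale' | ForEach-Object {
    Remove-CMDevice -ResourceId $_.ResourceID -Force -WhatIf
}
```

The ranking is a heuristic: a machine that was re-imaged minutes ago can briefly have two records with the client flag set, so keep the -WhatIf run and the table review before removing anything, and let the obsolete flag (set by the site's own conflict handling) win whenever it is present.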
Hope it helps!


Clean up your WSUS database for better performance and SCCM software update compliance



Introduction:

With the recent Current Branch updates starting from 1806, Microsoft is making good improvements to software updates maintenance, but there is a lot more to come in the near future. Read about the software updates maintenance tasks available in SCCM at https://docs.microsoft.com/en-us/sccm/sum/deploy-use/software-updates-maintenance

Many SCCM admins think that installing WSUS, doing the initial configuration and configuring the SUP role is enough for software update patching, but that's not true. When you finish the initial WSUS configuration, you go to the SUP properties and start selecting classifications and products. Based on this selection criteria, updates get synced from Microsoft. These synced updates include Itanium and many other junk updates. Once the updates are synced successfully, you will see them in the SCCM console under the Software Updates section. With this, you can start patching your clients, but over a period of time, if you don't maintain your metadata/update catalog with the help of maintenance jobs (custom scripts/tools), you will hit a lot of issues. These issues can include high CPU usage (IIS worker process), the WSUS application pool in IIS stopping automatically, client software update scan performance issues and many more.

The top reason for site performance issues, client update scan problems, WSUS application pool crashes, etc. is the large number of updates in your WSUS database, which includes superseded, Itanium and other unneeded updates. If you decline all unused, Itanium, superseded updates, etc. at regular intervals, your site server will be happy with better performance, and your clients will perform a quicker update scan, which will help to achieve a better compliance rate.

There are any number of questions asked in various forums about WSUS and software update scan issues, and there are several posts available with maintenance solutions.

After going through a lot of forums, blog posts and suggestions from Microsoft, I have come up with a standard document that I have used every time in every SCCM infrastructure that I set up, as part of SUP maintenance.

This solution consists of PowerShell scripts and also SQL reports to clean up/decline the junk updates, which will help to improve site server performance and also client update scanning.

How is it different from the built-in SUP maintenance tasks? When I am running Current Branch 1806 and above, do I still need this solution?

Yes. The built-in software update maintenance does very basic things like expiring superseded updates, cleaning up unused updates etc., but what I am going to describe in this blog post is more advanced: declining the unneeded updates, configuring WSUS in IIS as per best practices, and more.

If you have a CAS, primary and secondary sites, you should perform these steps from bottom to top (secondary, primary and then CAS).

Steps at a glance:

A) Check the status of the WSUS database with the count of updates. This count of updates decides the catalog size.

B) Decline Itanium and other junk updates that you don't use in your infrastructure.

C) Decline superseded updates.

D) Perform SQL indexing.

E) Invoke WSUS configuration (best practice).

F) Troubleshooting.

A) Check the status of the WSUS database with the count of updates:

We will first use some SQL queries to fetch the current status of WSUS with the count of updates before we decline them.

1. Use the appropriate method to back up the WSUS database (SUSDB). For related information, please see Create a Full Database Backup (SQL Server).

2. Once the database has been backed up, run the following SQL code against your WSUS database to see the count of updates (superseded, declined, total updates, live updates etc.). It is always good to validate the results before and after the cleanup task.

3. I assume your WSUS DB is running on SQL Server rather than Windows Internal Database. If your WSUS database is running on Windows Internal Database (WID), then follow this guide to connect and run the following SQL command.

4. Open SQL Server Management Studio, connect to your secondary site's WSUS database (in case you have one, else the primary, then the CAS) and run the following SQL code:

--get the count of total updates, superseded ,declined updates.

use SUSDB;
select
(Select count (*) 'Total Updates' from vwMinimalUpdate ) 'Total Updates',
(Select count (*) 'Live updates'  from vwMinimalUpdate where declined=0) as 'Live Updates',
(Select count (*) 'Superseded'  from vwMinimalUpdate where IsSuperseded =1) as 'Superseded',
(Select count (*) 'Superseded But NoDeclined'  from vwMinimalUpdate where IsSuperseded =1 and declined=0) as 'Superseded but not declined',
(Select count (*) 'Declined'  from vwMinimalUpdate where declined=1) as 'Declined',
(Select count (*) 'Superseded & Declined' from vwMinimalUpdate where IsSuperseded =1 and declined=1) 'Superseded & Declined'


Total Updates: count of all updates, including superseded and declined. This is basically every update in your WSUS DB.

Live updates: count of updates that are not declined. This includes superseded and non-superseded updates, as long as they are not declined. These are the updates considered when generating the update catalog file.

Superseded: count of all superseded updates.

Superseded but not declined: count of all superseded updates that have not been declined yet.

Declined: count of updates that are declined. Declined updates never go into the update catalog file.

Superseded & declined: count of updates that are both superseded and declined.

As you see above, the total number of live updates considered for generating the update catalog is 18000+. This results in a larger update catalog file, and with a huge number of updates it also impacts CPU and memory on your WSUS server, because clients always talk to WSUS to download the update catalog.

B) Decline Itanium and other junk updates that you don't need in your infrastructure.

Now download and extract the PowerShell scripts and SQL files that are available here.

Following are the files you get from the download link.

Following are the 2 PowerShell scripts (customized) that I am going to use to decline the unused/superseded/Itanium updates.

b.1) Decline-OtherUpdates.ps1

b.2) Decline-supersededUpdates.ps1 / Decline-SupersededUpdatesWithExclusionPeriod.ps1

The Decline-OtherUpdates script declines updates with the following titles, because I don't use them in my infrastructure:

Itanium
ia64
ARM64-based Systems
Windows 10 (consumer editions)
Windows 10 Education
Windows 10 Team
Windows 10 Insider Preview

Please review the titles and make changes as you need.

Run the PowerShell script with the command line: .\Decline-OtherUpdates.ps1 -UpdateServer YourWSUSServerName -Port 8530 -DeclineItanium

As you see, I have 2402 updates declined. This includes all the titles listed above.

C) Decline superseded updates.

Now we will run the decline superseded updates script.

There are 2 scripts here: Decline-supersededUpdates.ps1 and Decline-SupersededUpdatesWithExclusionPeriod.ps1. The only difference between them is that the second one adds an exclusion period matching your SUP settings.

Log in to your secondary site (if you have one), launch PowerShell as administrator and change directory to where you placed the scripts.

To decline superseded updates, we can make use of ExclusionPeriod as the criterion, which helps us decline updates in sync with our software update point component properties.

In your Configuration Manager SUP properties, if you have set the supersedence behaviour to expire immediately, then you don't need to use the ExclusionPeriod in the PowerShell script. However, if you have configured the supersedence behaviour with X months, then I recommend using the same period in the script.

The following command lines show different ways in which the PS scripts can be run (if the script is run on a WSUS server, you can use LOCALHOST instead of the actual SERVERNAME).

Based on your SUP settings, if you want to decline all superseded updates, run the following command:
Decline-supersededUpdates.ps1 -UpdateServer SERVERNAME -Port 8530
If you want to decline the superseded updates with an exclusion period, use the following command:
Decline-SupersededUpdatesWithExclusionPeriod.ps1 -UpdateServer SERVERNAME -Port 8530 -ExclusionPeriod 60

ExclusionPeriod 60 means the script looks at the updates on the WSUS server relative to the date you run it and reports how many superseded updates at least 60 days old can be declined.

P.S.: Don't compare the SQL query count (18182) with the PowerShell count (18175); they were not the same servers when I executed the code.

Once the updates are declined, go back to SQL and run the query against your WSUS DB to see the status.

This time you should see a different count compared to the last run.

After declining the updates in WSUS, these declined updates still appear in SCCM until you run a software update sync.

Once the software update sync happens on the SCCM server, the changes you made in WSUS will appear in the SCCM console.

After the SUP sync, you will see that all updates declined in WSUS have disappeared from the SCCM console.

D) Perform SQL indexing

After you decline the updates, SUSDB needs to be re-indexed for optimal performance. See the section on re-indexing the WSUS database in the Microsoft WSUS maintenance guide (referenced at the end of this post) for related information.

Please wait until the execution of the script has completed.

E) WSUS configuration (best practice)

You will find the script Invoke-WSUSConfiguration.ps1, which I got from Johan and which I always use in every SCCM infrastructure as per best practice.

Take a look at the script to see what it does before you execute it in your infrastructure.

F) Troubleshooting.

In some cases, if your WSUS database has never been cleaned up before and this is the first time you are doing it on some secondary/primary sites, execution of the scripts may fail with the following error, because of too many updates.

In my case, I had 23k plus total updates in the WSUS database, hence the script was always failing to fetch the data.

Connecting to WSUS server localhost on Port 8530... Connected.
Getting a list of all updates... Failed to get updates.
Error: The operation has timed out
If this operation timed out, please decline the superseded updates from the WSUS Console manually.

I tried running the script a few times, but I could not get through even after restarting the IIS service and the WSUS service.

If you are unable to decline the updates using the script, what other possibilities do we have? Open the WSUS console and decline them manually, which takes a lot of time.

A Microsoft support engineer posted SQL code to decline the updates in SUSDB.

  1. If you have not backed up your SUSDB database, back it up before continuing.
  2. Connect to SUSDB using SQL Server Management Studio.
  3. Execute the following query. The value 60 in the line "DECLARE @thresholdDays INT = 60" is a number of days and should match the number of months configured in the supersedence rule. If the supersedence behaviour is set to expire immediately, you must set @thresholdDays to zero.
  4. The SQL code that was posted in the support article needed some syntax corrections to get it to work; it could be that the support article is in Japanese and the syntax got changed in translation.
  5. The corrected SQL code:

--Decline superseded updates in SUSDB; alternative to Decline-SupersededUpdatesWithExclusionPeriod.ps1
DECLARE @thresholdDays INT = 60 --Number of days between today and the creation date below which superseded updates are left alone (i.e. only updates older than @thresholdDays days are declined). This should match the supersedence rule configuration in the SUP component properties if ConfigMgr is being used with WSUS.
DECLARE @testRun BIT = 0 --Set this to 1 to test without declining anything.
--There shouldn't be any need to modify anything after this line.

DECLARE @uid UNIQUEIDENTIFIER
DECLARE @title NVARCHAR(500)
DECLARE @date DATETIME
DECLARE @userName NVARCHAR(100) = SYSTEM_USER

DECLARE @count INT = 0

--Cursor over superseded, not yet declined, latest-revision updates older than the threshold
DECLARE DU CURSOR FOR
    SELECT MU.UpdateID, U.DefaultTitle, U.CreationDate FROM vwMinimalUpdate MU
    JOIN PUBLIC_VIEWS.vUpdate U ON MU.UpdateID = U.UpdateId
    WHERE MU.IsSuperseded = 1 AND MU.Declined = 0 AND MU.IsLatestRevision = 1
        AND MU.CreationDate < DATEADD(dd, -@thresholdDays, GETDATE())
    ORDER BY MU.CreationDate

PRINT 'Declining superseded updates older than ' + CONVERT(NVARCHAR(5), @thresholdDays) + ' days.' + CHAR(10)

OPEN DU
FETCH NEXT FROM DU INTO @uid, @title, @date
WHILE (@@FETCH_STATUS > -1)
BEGIN
    SET @count = @count + 1
    PRINT 'Declining update ' + CONVERT(NVARCHAR(50), @uid) + ' (Creation Date ' + CONVERT(NVARCHAR(50), @date) + ') - ' + @title + '...'
    IF @testRun = 0
        EXEC spDeclineUpdate @updateID = @uid, @adminName = @userName, @failIfReplica = 1
    FETCH NEXT FROM DU INTO @uid, @title, @date
END
CLOSE DU
DEALLOCATE DU

PRINT CHAR(10) + 'Attempted to decline ' + CONVERT(NVARCHAR(10), @count) + ' updates.'

To check progress, monitor the Messages tab in the Results pane.

Depending on the number of updates, it may take a long time. In my case, it took ~15 min to decline around 10K updates.

Once the superseded updates are declined using SQL, we can go back to PowerShell and run the other script (Decline-OtherUpdates).

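An added example, not one of the scripts the post links to, that covers the decline jobs of sections B and C in one pass and sidesteps the timeout from section F: it queries the WSUS administration API in creation-date windows instead of asking for the whole catalog at once, declines updates whose titles match the list from section B, and declines superseded updates older than an exclusion period that matches the SUP supersedence setting. It assumes the WSUS console (administration API assemblies) is installed where it runs and that UpdateScope exposes FromCreationDate/ToCreationDate; the server name and port are placeholders.

```powershell
# Added example (not from the original post): batched decline through the WSUS API.
# Assumes Microsoft.UpdateServices.Administration is available (WSUS console installed)
# and UpdateScope.FromCreationDate/ToCreationDate; save as a .ps1 and run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $UpdateServer    = 'localhost',   # placeholder
    [int]      $Port            = 8530,
    [switch]   $UseSsl,
    [int]      $ExclusionPeriod = 60,            # days; use 0 when SUP supersedence is "expire immediately"
    [string[]] $TitlePattern    = @('Itanium', 'ia64', 'ARM64-based Systems', 'Windows 10 (consumer editions)',
                                    'Windows 10 Education', 'Windows 10 Team', 'Windows 10 Insider Preview'),
    [int]      $BatchMonths     = 6              # width of each creation-date window
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($UpdateServer, $UseSsl.IsPresent, $Port)

$cutoff = (Get-Date).AddDays(-$ExclusionPeriod)
$stats  = [ordered]@{ Scanned = 0; ByTitle = 0; Superseded = 0 }

# Walk backwards from today in fixed-width windows; each GetUpdates() call returns a
# set small enough to complete even when the catalog holds tens of thousands of updates.
$windowEnd = Get-Date
$oldest    = Get-Date '2000-01-01'   # earlier than anything WSUS will hold
while ($windowEnd -gt $oldest) {
    $windowStart = $windowEnd.AddMonths(-$BatchMonths)
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.FromCreationDate = $windowStart
    $scope.ToCreationDate   = $windowEnd

    foreach ($u in $wsus.GetUpdates($scope)) {
        $stats['Scanned']++
        if ($u.IsDeclined) { continue }

        $byTitle = $false
        foreach ($p in $TitlePattern) {
            if ($u.Title -like "*$p*") { $byTitle = $true; break }
        }
        $bySupersedence = $u.IsSuperseded -and ($u.CreationDate -lt $cutoff)
        if (-not ($byTitle -or $bySupersedence)) { continue }

        $reason = if ($byTitle) { 'ByTitle' } else { 'Superseded' }
        # With -WhatIf nothing is declined, but the counters still show what would be.
        if ($PSCmdlet.ShouldProcess($u.Title, "Decline ($reason, created $($u.CreationDate.ToShortDateString()))")) {
            $u.Decline()
        }
        $stats[$reason]++
    }
    $windowEnd = $windowStart
}

[pscustomobject]$stats
```

Run it as `.\Decline-WsusUpdates.ps1 -UpdateServer SERVERNAME -Port 8530 -ExclusionPeriod 60 -WhatIf` and read the counters before running without -WhatIf; then, exactly as with the linked scripts, run a software update sync so the declined updates drop out of the SCCM console, and re-index SUSDB as in section D.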
Hope you find this post useful.

Following are some of the references that will help you go through the WSUS maintenance solution.

https://support.microsoft.com/en-sg/help/4490644/complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maint

https://deploymentresearch.com/Research/Post/665/Fixing-WSUS-When-the-Best-Defense-is-a-Good-Offense

https://mnscug.org/blogs/sherry-kissinger/512-wsus-administration-wsuspool-web-config-settings-enforcement-via-configuration-items

https://home.configmgrftw.com/wsus-cleanup-for-configmgr/

https://damgoodadmin.com/2017/11/30/software-update-maintenance-its-a-thing-that-you-should-do/

How to install SCCM Client from Microsoft Intune for Co-managed and CMG – Notes from the field


I set up the SCCM cloud management gateway and co-management for a small customer who would like to extend their SCCM operations to Windows 10 devices that are connected to the internet.

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional infrastructure. You also don't need to expose your on-premises infrastructure to the internet.

Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality. By using co-management, you have the flexibility to use the technology solution that works best for your organization.

Even though setting up co-management is just 4 clicks, setting up a CMG is a lengthy process that involves certificates, changes to the site etc. For more information on how to set up a CMG, please refer to the following blogs:

https://www.systemcenterdudes.com/how-to-configure-sccm-1806-cloud-management-gateway/

https://blogs.technet.microsoft.com/arnabm/2018/03/31/step-by-step-cloud-management-gateway-on-arm/ and there are many more on the internet.

The customer is running Windows 10 with a combination of hybrid Azure AD joined and Azure AD joined (AAD) devices.

Installation of the SCCM client on on-prem domain joined devices can be achieved using client push, GPO, startup script, SUP etc., but for internet connected devices we would use Intune.

In this blog post, I would like to go through the notes from the field that I encountered while installing the SCCM client from Intune.

In order to install the SCCM client, we have 2 methods in Intune: 1) Windows LOB apps (using ccmsetup.msi) and 2) Win32 apps, which now allow greater Win32 app management capabilities.

It is always recommended to use Win32 apps over LOB, because Win32 apps give you the flexibility to define a custom command line, detection method, requirement rules, dependencies and much more.

The Windows LOB deployment method cannot deploy exe files; it supports only .msi, .appx, .appxbundle, .msix and .msixbundle.

If you plan to use the line-of-business (LOB) method, you need to import ccmsetup.msi (located at <ConfigMgr install dir>\cd.latest\SMSSETUP\BIN\I386) with the following command line settings:

The command line below can be obtained from the co-management properties (if you have enabled the CMG). If you didn't enable the CMG, then clients connected to the internet cannot be assigned to SCCM.

CCMSETUPCMD="/nocrlcheck /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037937951 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037937951 SMSMP=https://remote1.contoso.net SMSSiteCode=CS1 AADTENANTID=256ed977-4388-a224-3d441dfb0def AADTENANTNAME=Contoso AADCLIENTAPPID=45b4c32c-89f9-4770-8a8b-a37d34fd2632 AADRESOURCEURI=https://contoso.onmicrosoft.com/d098acfa-8874-4ef6-a610-07440fb52c7c"


/nocrlcheck is needed only if you haven't published the CRL on the internet.

With this LOB method, the client must connect to the MP (on-prem), or you must enable the CMG, to download the full installation files, because you only specify the MSI, which is not the complete set of source files.

The SCCM client installation source is over 200 MB and includes many files.

The 2nd method that I am going to talk about is the Win32 app. With this, we convert the entire set of source files into .intunewin format using IntuneWinAppUtil.exe.

How do we convert the source files to the supported format?

Copy the SCCM client installation files from your SCCM server (cd.latest\SMSSETUP\CLIENT) to C:\temp\sccmclient.

Download IntuneWinAppUtil.exe.

Now run the following command line to convert the source files:

IntuneWinAppUtil -c "C:\Temp\SCCMClient" -s ccmsetup.exe -o "C:\Temp\Intune Packages\Win32_apps" -q

This process takes the content from C:\temp\sccmclient, with ccmsetup.exe as the setup file, and places the Intune package in the Win32_apps folder.

Once the file is ready, use it to create a Win32 app in Intune.

Following is the information I used to create the Win32 app in Intune. With this method, ccmsetup will not connect to the CMG to download the content files; it recognizes that the required source files already exist in the local cache that was deployed by the Win32 app.

This method helps you reduce the time spent downloading the full source files from the CMG and also reduces cost. Charges are based on data flowing out of Azure (egress or download); any data flowing into Azure is free (ingress or upload).

Installation command for win32 apps:

ccmsetup.exe /nocrlcheck /mp:https://SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 SMSSiteCode=PS1 AADTENANTID=6007305e-2664-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=1c5a28b2-9d0a-482d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService

Uninstall command: ccmsetup.exe /uninstall

Detection method: use the MSI product code or a registry key to check the client installation.

I used CCMSETUPCMD in the command line for the Win32 app and it never worked. By including CCMSETUPCMD, the client installation goes through fine but the client never connects to the CMG; no site code, just a dumb installation.

In order to fix it, you must uninstall the client and run ccmsetup.exe manually, or let Intune run it for you the right way with the Win32 app.

Note: if you only have ccmsetup.exe placed in the folder, wrapped with the Intune tool and uploaded, then at the time of client installation ccmsetup will still connect to the CMG to download the content files.

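A detection script for the Win32 app, as an added example that is not part of the original post: rather than only checking the MSI product code or a registry key, it reports the client as installed only when the CCMExec service exists and the client answers with an assigned site code. A client that installed but never registered through the CMG (the "no site code, just a dumb installation" case above) fails the second check, so Intune marks the install as failed and retries instead of calling it done. PS1 is the post's example site code and is the only value you need to replace.

```powershell
# Added example (not from the original post): Intune Win32 app detection script for
# the ConfigMgr client. Intune convention: write to STDOUT and exit 0 when detected,
# exit 1 with no output otherwise. PS1 is the post's example site code (placeholder).
$ExpectedSiteCode = 'PS1'

function Get-CMClientState {
    # Returns $null when the client is missing or has no assigned site, otherwise an
    # object with the assigned site code, client version and service status.
    $svc = Get-Service -Name CCMExec -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }

    try {
        # GetAssignedSite is a static method on the root\ccm SMS_Client class
        $site = (Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client -MethodName GetAssignedSite -ErrorAction Stop).sSiteCode
    } catch {
        return $null
    }
    if ([string]::IsNullOrWhiteSpace($site)) { return $null }

    $ver = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client' -Name ProductVersion -ErrorAction SilentlyContinue).ProductVersion
    [pscustomobject]@{ SiteCode = $site; Version = $ver; ServiceStatus = $svc.Status }
}

$state = Get-CMClientState
if ($state -and $state.SiteCode -eq $ExpectedSiteCode) {
    # Output on STDOUT plus exit 0 is what Intune reads as "detected"
    Write-Output "ConfigMgr client $($state.Version) assigned to site $($state.SiteCode), service $($state.ServiceStatus)"
    exit 0
}
exit 1
```

Because the CMG registration runs for a while after ccmsetup.exe returns, give the app a sensible retry window in Intune; the script is deliberately strict so that a device which never gets a site code shows up as a failed install in the Intune app report rather than disappearing into "installed".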
When the device picks up the Intune policies and downloads the content, you can monitor the log (IntuneManagementExtension.log) in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

Intune downloads the content to the Incoming folder and then moves it to Staging.

Once the content is downloaded and extracted, the installation starts with the command line that is used in the Win32 app.

Ccmsetup command line: ccmsetup.exe /nocrlcheck /mp:https://SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 SMSSiteCode=PS1 AADTENANTID=6007305e-2664-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=1c5a28b2-9d0a-482d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService01


After a while, you will see that the client is downloading the content from the local folder C:\windows\IMECache instead of contacting the MP or CMG:

Downloading file C:\windows\IMECache\298c84d0-54c1-4db6-9d1d-0d49778cbd5f_1\ccmsetup.exe with source as IMECache (Intune management extension cache folder)

Ccmsetup command line: "C:\windows\ccmsetup\ccmsetup.exe" /runservice /source:"C:\windows\IMECache\298c84d0-54c1-4db6-9d1d-0d49778cbd5f_1"  /nocrlcheck /mp:https://SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 SMSSiteCode=PS1 AADTENANTID=6007305e-2664-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=1c5a28b2-9d0a-482d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService01"

Once the client installation has succeeded, the client sends a registration request to the CMG, which is forwarded to the primary site to approve the request.

Since these devices are Azure AD joined, they will always appear as workgroup in SCCM, but they get auto-approved (this is what I found in my testing) even though 'automatically approve computers in trusted domains' is set in the site hierarchy settings.

Once the client gets auto-approved, you will see an entry like the one below: the domain is WORKGROUP and the client is approved.

How to create collection for all Azure AD domain join devices ?

You can either follow this blog post https://blog.hametbenoit.info/2017/09/05/sccm-identify-azure-ad-joined-device/#.XRyOqugzaUk or use the following method to create collection.

This method doesn't require any custom hardware inventory but just use the information available in SCCM for Azure AD joined devices.

Create a collection with criteria TenantID =’6007305E-2664-4E6B-B9A4-C4C5CCFD1524’and resource domain or workgroup=’WORKGROUP

If you have the domain filed in system properties for these Azure AD joined devices changed to something else other than default value that is ‘WORKGROUP’ ,please look for it in the query.

WQL Query: select * from SMS_R_System where SMS_R_System.AADTenantID = "6007305E-2664-4E6B-B9A4-C4C5CCFD1524" and SMS_R_System.ResourceDomainORWorkgroup = "WORKGROUP"

Overview of the Win32 app for the SCCM client:

Hope you will find this useful!

References:

Add a Windows line-of-business app to Microsoft Intune https://docs.microsoft.com/en-us/intune/lob-apps-windows

Intune Standalone - Win32 app management https://docs.microsoft.com/en-us/intune/apps-win32-app-management

About client installation parameters and properties in System Center Configuration Manager https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-installation-properties

How to find custom hardware inventory classes imported (MOF) into ConfigMgr database


The Configuration Manager site database contains a large collection of information about the network, computers, users, user groups, and many other components of the computing environment. As an SCCM admin, you need to understand the different categories of SQL views, what information is stored in each view, and how the SQL views can be joined to one another to create reports that return the required information. For more information about the SQL views, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Hardware inventory views contain information about the computer hardware. Many hardware inventory views are created in ConfigMgr by default, and many more can be enabled or created using the hardware inventory classes dialog box, accessible from client settings. Because of this, different ConfigMgr sites are likely to collect different hardware inventory, resulting in different hardware inventory views.

If you want to know more about how to extend hardware inventory in ConfigMgr, please refer to https://docs.microsoft.com/en-us/sccm/core/clients/manage/inventory/extend-hardware-inventory

The question in the title was asked by one of my customers: they have a lot of custom hardware inventory classes imported and wanted a way to list all of them.

Why is it important to know the list of custom hardware inventory classes that are imported (MOF changes)?

One reason, I would think, is to assess whether these custom changes are still needed by the organization. Too many custom MOF changes enlarge the database and also affect clients, which send larger inventory files back to the site server for processing.

The simple way to check the custom MOF configuration is to look at the configuration.mof file located in <SCCM installation dir>:\inboxes\clifiles.src\hinv, but I started looking around the database for a list rather than taking notes from the configuration.mof file.

This blog post will help you get the list of custom MOF classes imported into the client device settings. (Note: existing classes that you enable in the inventory settings, rather than import via MOF, are not covered in this post.)

After going through the SQL views documentation, I found that there is one view, v_InventoryClass, that stores all inventory classes enabled in the hardware inventory client settings.

v_InventoryClass lists the WMI classes that are collected by ConfigMgr hardware inventory, by class ID. The view also shows the WMI namespace, the class name and the name of the class as it will be displayed in Resource Explorer.

So I started querying this SQL view for the inventory classes.

select count(*) Total from v_InventoryClass

There are a total of 161 inventory classes enabled in the client device settings.

Out of these 161, how do we tell which are the custom inventory classes (MOF import)?

Looking at the above 161 classes, I first thought to use the 'IsDeletable' column, on the assumption that the default classes that come with the ConfigMgr installation would not give you the option to delete them. That is not true.

The WMI classes that are enabled by default at the time of ConfigMgr installation, or that are available for you to enable, can also be deleted from the inventory settings.

So my next key observation was the SMSClassID column.

All default classes that are enabled at the time of ConfigMgr installation have an SMSClassID that starts with Microsoft|.

Custom inventory classes do not start with Microsoft.

With this information, I created a SQL query with counts.

select tmp.[Inventory Type], count(*) as Total
from (
    select case when IC.SMSClassID like 'Microsoft|%' then 'Default' else 'Custom' end as [Inventory Type]
    from v_InventoryClass IC
) tmp
group by tmp.[Inventory Type]

The following SQL query lists the custom MOF classes:

select * from v_InventoryClass IC
where ic.SMSClassID not like 'Microsoft|%'


Hope this helps!

Check Microsoft office activation status using SCCM Compliance Settings


I did a detailed blog post on how to get the Office 365 ProPlus activation status with the help of an extended MOF file and inventory changes. With that method, you get activation details such as the user email address, shared computer activation, etc. For more information, please refer to http://eskonr.com/2018/10/how-to-get-office-365-proplus-activation-status-and-excluded-apps-etc-using-sccm-configmgr/ .

That method requires extending the MOF files and changing the hardware inventory, which then creates new SQL views. If you don't want to go through all that and are just looking for the Office activation status (Yes or No), this post will help you achieve it.

In this blog post, we will see how to detect the Office activation status (for Office 2010, 2013, 2016, Office 365 ProPlus or Office 2019) using the ConfigMgr compliance baseline method.

Before we start looking into SCCM, we need a way to check Microsoft Office activation via a script or other means, which we can then use in a ConfigMgr baseline.

From Office 2007 through Office 365 ProPlus/Office 2019, there is a VBScript called OSPP.vbs. The Office Software Protection Platform script (ospp.vbs) enables you to configure volume licensed versions of Office products. For more information, please refer to https://docs.microsoft.com/en-us/deployoffice/vlactivation/tools-to-manage-volume-activation-of-office

To check the status of any Microsoft Office product, we will use this VBScript with the parameter /dstatus (displays license information for installed product keys).

For Office 2016 and Office 365 ProPlus, the installation location is C:\Program Files (x86)\Microsoft Office\Office16 (for x86).

I ran the command line cscript "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus to see the activation status:

Any product that is licensed shows ---LICENSED--- in its LICENSE STATUS line.

With this information, we can create a simple PowerShell script to check the license status and return the result.

How to create the configuration baseline and deploy it:

In the SCCM console, go to Assets and Compliance, Compliance Settings, Configuration Items, and create a new configuration item.

Name it Office activation, choose Windows Desktops and Servers, and click Next.

Choose the client operating systems to assess for compliance. I chose all platforms.

In Settings, click New and type the name: Detect Office activation

Setting type: Script

Data type: String

Add script:

I have added all versions of Office into the script with their default locations. If you have changed the default installation location of Office to something else, you need to replace the path.

Add the following as the discovery script.

# OSPP.VBS lives in the OfficeNN folder of each Office version; 32-bit Office on
# 64-bit Windows is under Program Files (x86). The /dstatus output of every
# installed version is collected, so a machine with more than one Office version
# is not judged on the last path found only.
$status = @()

# Check for Office 2007
if (Test-Path -Path "C:\Program Files (x86)\Microsoft Office\Office12\OSPP.VBS") {
    $status += cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office12\OSPP.VBS" /dstatus
}
if (Test-Path -Path "C:\Program Files\Microsoft Office\Office12\OSPP.VBS") {
    $status += cscript //nologo "C:\Program Files\Microsoft Office\Office12\OSPP.VBS" /dstatus
}
# Check for Office 2010
if (Test-Path -Path "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS") {
    $status += cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /dstatus
}
if (Test-Path -Path "C:\Program Files\Microsoft Office\Office14\OSPP.VBS") {
    $status += cscript //nologo "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /dstatus
}
# Check for Office 2013
if (Test-Path -Path "C:\Program Files (x86)\Microsoft Office\Office15\OSPP.VBS") {
    $status += cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office15\OSPP.VBS" /dstatus
}
if (Test-Path -Path "C:\Program Files\Microsoft Office\Office15\OSPP.VBS") {
    $status += cscript //nologo "C:\Program Files\Microsoft Office\Office15\OSPP.VBS" /dstatus
}
# Check for Office 2016 / Office 365 ProPlus / Office 2019
if (Test-Path -Path "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS") {
    $status += cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus
}
if (Test-Path -Path "C:\Program Files\Microsoft Office\Office16\OSPP.VBS") {
    $status += cscript //nologo "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" /dstatus
}

# Compliant ("True") when any installed product reports ---LICENSED---
if (($status | Select-String -Pattern '---LICENSED---') -ne $null) {
    Write-Output "True"
}
else {
    Write-Output "False"
}
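The discovery script above reports True as soon as any installed product prints ---LICENSED---, so a licensed Visio or Project on the same machine would mask an unlicensed ProPlus. The example below is added here and is not part of the original post: it parses the /dstatus output into one record per product and evaluates only the products you care about. ConvertFrom-OsppStatus, Get-OfficeActivationValue, the 'ProPlus' pattern and the sample output are constructed for this illustration; the only assumption about OSPP.vbs is the LICENSE NAME / LICENSE STATUS line format seen in the output above.

```powershell
# Added example, not from the original post: evaluate OSPP.VBS /dstatus output per product.
# The discovery script returns "True" if ANY product block contains ---LICENSED---, so a
# licensed Visio/Project would hide an unlicensed ProPlus. These helper names are constructed.

function ConvertFrom-OsppStatus {
    # Turn the raw /dstatus text into objects with Name and Status (LICENSED, NOTIFICATIONS, ...).
    param([string[]]$Lines = @())

    $products = @()
    $current  = $null
    foreach ($line in $Lines) {
        switch -Regex ($line.Trim()) {
            # every product block in the /dstatus output starts with a LICENSE NAME line
            '^LICENSE NAME:\s*(.+)$' {
                $current = [pscustomobject]@{ Name = $Matches[1].Trim(); Status = 'UNKNOWN' }
                $products += $current
            }
            # the status token is wrapped in dashes, e.g. "LICENSE STATUS:  ---LICENSED---"
            '^LICENSE STATUS:\s*-*([A-Za-z_]+)-*$' {
                if ($null -ne $current) { $current.Status = $Matches[1].ToUpper() }
            }
        }
    }
    return ,$products
}

function Get-OfficeActivationValue {
    # Returns the string the compliance rule compares against: "True" or "False".
    # Only products whose LICENSE NAME matches $ProductPattern are assessed (assumption: ProPlus).
    param(
        [string[]]$OsppOutput = @(),
        [string]$ProductPattern = 'ProPlus'
    )
    $products = @(ConvertFrom-OsppStatus -Lines $OsppOutput | Where-Object { $_.Name -match $ProductPattern })
    if ($products.Count -eq 0) { return 'False' }      # no matching product installed: nothing is activated
    $notLicensed = @($products | Where-Object { $_.Status -ne 'LICENSED' })
    if ($notLicensed.Count -gt 0) { return 'False' }   # at least one matching product is not activated
    return 'True'
}

# Constructed sample output (not captured from a real device): Office 365 ProPlus in
# NOTIFICATIONS (not activated) alongside a licensed Visio on the same machine.
$sampleOutput = @'
---Processing--------------------------
---------------------------------------
SKU ID: 00000000-0000-0000-0000-000000000001
LICENSE NAME: Office 16, Office16O365ProPlusR_Subscription1 edition
LICENSE DESCRIPTION: Office 16, RETAIL(Subscription) channel
LICENSE STATUS:  ---NOTIFICATIONS---
Last 5 characters of installed product key: XXXXX
---------------------------------------
SKU ID: 00000000-0000-0000-0000-000000000002
LICENSE NAME: Office 16, Office16VisioProR_Retail edition
LICENSE DESCRIPTION: Office 16, RETAIL channel
LICENSE STATUS:  ---LICENSED---
Last 5 characters of installed product key: XXXXX
---------------------------------------
---Exiting-----------------------------
'@ -split "`r?`n"

ConvertFrom-OsppStatus -Lines $sampleOutput | Format-Table Name, Status -AutoSize

# The original script's test: true as soon as one block is licensed (here, Visio masks ProPlus).
$anyLicensed = ($sampleOutput | Select-String -Pattern '---LICENSED---') -ne $null
"Any product licensed      : $anyLicensed"
"ProPlus activation value  : $(Get-OfficeActivationValue -OsppOutput $sampleOutput)"

# In the real discovery script, feed the live output instead of the sample, e.g.
#   $live = cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus
#   Get-OfficeActivationValue -OsppOutput $live
```

On the constructed sample the original any-product test passes while the per-product ProPlus check returns False; in a discovery script, replace $sampleOutput with the live cscript output and emit only the value of Get-OfficeActivationValue.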

Click Compliance Rules, click New, and set the value that our script must return for the device to be compliant to True.

Validate the setting.

Click Next until you see the summary page.

With this, we have created the configuration item. We will now create a configuration baseline and deploy it to a collection.

Create a new configuration baseline and name it CB – Office Activation.

Under Configuration Data, choose Configuration Items and select the CI that we just created.

You can choose co-managed clients if you have co-management enabled.

We are now ready to deploy this baseline to a device collection to get the Office activation status.

Before we deploy this to any device collection, it is good practice to create a collection of devices that have a Microsoft Office product installed, rather than deploying to a collection whose devices may or may not have Office installed.

Once you have created the collection, deploy the configuration baseline to it.

I scheduled it to run once instead of on a recurring schedule.

End results:

Wait for the client to pick up the policy and run the compliance evaluation, or run the machine policy cycle from the collection (right-click tools) to speed up the process.

On an activated device (Office 365 ProPlus), it is compliant.

On a non-activated device (Office 365 ProPlus), it is non-compliant.

We can also monitor the compliance status using the console or SCCM reports.

From the console:

I have also uploaded the exported version of the configuration baseline for you. You can download it from here, extract the zip file, and import the cab file into your baseline settings.

SCCM Collection – how to identify devices that have an old AD system discovery timestamp?

SCCM has multiple discovery methods that help you discover devices on your network, devices and users from Active Directory, or users from Azure Active Directory (Azure AD). Read more about the discovery methods in SCCM at https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/about-discovery-methods

AD System Discovery helps discover computer resources that can be used to create collections and queries. You can also install the SCCM client on a discovered device by using client push installation.

For AD System Discovery to successfully discover a computer in the domain (by creating the DDR record), it must be able to identify the computer account and then successfully resolve the computer name to an IP address (DNS name resolution).

You can check the Active Directory System Discovery log, adsysdis.log, in the <InstallationPath>\LOGS folder on the site server.

In this blog post, we will see how to create an SCCM device collection to identify devices that have an old AD System Discovery timestamp (older than 14 days). This will help us find devices that have issues being discovered through AD System Discovery (SMS_AD_SYSTEM_DISCOVERY_AGENT), such as devices that were deleted from Active Directory but still exist in SCCM, or devices with DNS name resolution problems.

Create a new collection, edit the query, and paste the following query.

Collection (WQL Query):

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System where ((DATEDIFF(dd, SMS_R_SYSTEM.AgentTime, getdate()) > 14) and AgentName = "SMS_AD_SYSTEM_DISCOVERY_AGENT")

Devices that appear in this collection may have a healthy SCCM agent installed, but they have failed to be discovered through AD System Discovery since their last discovery date, which is now old.

If devices were deleted in AD but are still in SCCM with no active client, they are yet to be cleaned up by the site maintenance tasks.

If you want to find the devices that have not been reported by a specific agent and have an old timestamp, simply replace the AgentName in the above collection query.

There are different discovery agents available in SCCM, listed below.

SQL Query for list of discovery agents:

select AgentName from v_AgentDiscoveries group by AgentName

AgentName
ConfigMgr
Heartbeat Discovery
MP_ClientRegistration
SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT
SMS_AD_SYSTEM_DISCOVERY_AGENT
SMS_AD_USER_DISCOVERY_AGENT
SMS_AZUREAD_USER_DISCOVERY_AGENT
SMS_NETWORK_DISCOVERY
SMS_WINNT_SERVER_DISCOVERY_AGENT

If you want an SCCM collection for active/inactive computers using the last logon timestamp, along with troubleshooting tips, you can refer to this post http://eskonr.com/2018/08/sccm-collection-for-active-inactive-computers-using-last-logon-timestamp-and-troubleshooting/

Hope it helps!

SCCM ConfigMgr Technical preview 1910 – Client diagnostic actions


Microsoft has released the technical preview for Configuration Manager, version 1910. Technical previews introduce new functionality that Microsoft is working on, features that aren't yet included in the current branch.

You can install this version to update and add new features to your technical preview site, but it is not available as a baseline for a new installation.

If you want to install the technical preview in a lab, you need to download the baseline version, technical preview 1907, and then apply the in-console update. Download baseline versions from the TechNet Evaluation Center.

Technical preview version 1910 has the following features/improvements:

With this preview version, there are new device actions for Client Diagnostics in the console. This release includes the following actions:

  • Enable verbose logging: Change the global log level for the CCM component to verbose, and enable debug logging.
  • Disable verbose logging: Change the global log level to default, and disable debug logging.

Prerequisites

  • Update the target client to the latest version.

  • Your Configuration Manager administrative user needs the Notify resource permission. For more information, see Client notification

To enable or disable verbose logging, launch the SCCM console, right-click the device, choose Client Diagnostics, and choose Enable or Disable verbose logging.

You will be prompted to continue.

On the client, you will find a log called diagnostics.log to track the status.

Open the log to see the status:

Verify in the registry:

You can disable verbose logging and monitor the log.

This is a great feature for getting additional information about client communication and troubleshooting issues.

Happy exploring the Technical Preview.

References: https://docs.microsoft.com/en-us/sccm/core/get-started/2019/technical-preview-1910

How to scale your SCCM infrastructure for third-party patching, remote client operations, and application management via a single plug-in ?


Microsoft's System Center Configuration Manager (SCCM) delivers an "umbrella" approach for patch and application management, but when it comes to third-party application management and system management operations, the process is still tiresome. SCCM current branch allows you to subscribe to third-party catalogs, publish updates to your software update point (SUP), and then deploy them to clients; however, it has limitations when patching third-party components running on a network.

With a huge number of security vulnerabilities attributed to non-Microsoft applications, it is mandatory to patch these applications to shield your enterprise from data breaches. To be more precise, Adobe and Mozilla applications pose the biggest security threats, but a comprehensive patching strategy can minimize security issues in your network.

Make the most out of your SCCM

ManageEngine Patch Connect Plus is a non-Microsoft tool that efficiently automates both system management operations and third-party software deployments, and extends SCCM's patching capabilities to more than 380 third-party applications. It provides end-to-end automated patching support via the SCCM console, scans the network, fetches the latest updates from vendor sites, publishes the patches to Windows Server Update Services (WSUS), initiates the WSUS-SCCM sync, and performs patch deployment and reporting. Additionally, it enables you to customize your process using templates, and create pre- and post-deployment scripts.

The Catalog Subscription feature in Patch Connect Plus provides you with a smart way to automatically import and manage over 300 third-party updates in the SCCM server software catalog. Plus, with the Auto-catalog Scheduler, you can automate the publishing process and eliminate the need to wait for the Microsoft-prescribed seven days to synchronize the updated catalogs.

Third-party software deployment

Patch Connect Plus' Application Management module facilitates the deployment of more than 300 applications authored by third-party vendors such as Apple, Adobe, Java, Mozilla, and Google. As part of the software deployment, vendor download sites are contacted automatically, ensuring a streamlined and efficient process. The application template feature enables you to select all the options you need for your deployment. Also, once a package has been created, Patch Connect Plus auto-updates it with the new versions that are subsequently released for that particular application.

For enterprises that often must address various contingencies, Patch Connect Plus application management capabilities enable you to run custom pre- and post-deployment scripts to help you efficiently streamline the process.

Administrator Tools for system management operations

Patch Connect Plus' Admin Tools help you perform system management operations, troubleshooting, and other on-demand client operations remotely. This encompasses actions like registry, BitLocker status, client group update policy, PowerShell, Command Prompt, Control Panel, and opening running processes. Additionally, troubleshooting operations such as client restart, accessing network folders, and other important client actions like collecting data from the evaluation cycle, software metering usage reports, and scan cycle can be performed. Once you configure Admin Tools, you can accomplish client management operations on each client machine.

Now that you have an idea of how you can achieve the best results from your SCCM infrastructure, take a deeper look at Patch Connect Plus. Learn more and sign up for a free, 30-day trial.


SCCM ConfigMgr technical preview version 1911 is available (in-console and baseline version) – Microsoft Endpoint Configuration Manager



It's Microsoft Ignite this week (Sun, 3 Nov 2019 – Thu, 7 Nov 2019) with tons of announcements. One of the key announcements in the ConfigMgr/Intune area is Microsoft Endpoint Manager (MEM) and the licensing for Intune.

Microsoft Endpoint Manager (MEM) is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune, without a complex migration, and with simplified licensing. Continue to leverage your existing Configuration Manager investments, while taking advantage of the power of the Microsoft cloud at your own pace.

The following Microsoft management solutions are all now part of the Microsoft Endpoint Manager brand:

For more information about Microsoft Endpoint Manager, please refer to https://www.microsoft.com/en-us/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/

And if you own ConfigMgr, you now automatically have Intune licenses for co-managing Windows devices. Does this cover the Azure AD Premium license? No, you still need to purchase it separately.

Configuration Manager technical preview version 1911 was released early this month and is available both as an in-console update and as a new baseline version.

If you want to see this update in the SCCM console under Updates and Servicing, you must be running at least version 1908 (the update is offered to the three preceding versions).

If you want to set up a new lab, you can download a baseline version from the TechNet Evaluation Center.

There are not many new features in this preview version, but as discussed above, the biggest news is MEM: ConfigMgr (MEMCM) is now part of Microsoft Endpoint Manager and not System Center (SC).

The only new feature added with this preview release is Microsoft Connected Cache support for Intune Win32 apps.

When you enable Microsoft Connected Cache on your Configuration Manager distribution points, they can now serve Microsoft Intune Win32 apps to co-managed clients.

Before you start updating or installing a new SCCM preview lab, please go through https://docs.microsoft.com/en-us/configmgr/core/get-started/technical-preview

To update to 1911 using in-console updates, go to Administration, Updates and Servicing, and click Check for Updates.

Logs to check for the back-end process: hman.log, dmpdownloader.log

Once the update is synced, you will see it in the console, ready to install.

Now right-click the update and select Install Update Pack.

Logs to check: ConfigMgrSetup.log (root of the Windows drive) & CMUpdate.log

Now monitor the status using the logs and also from the console:

Console:\Monitoring\Overview\Updates and Servicing Status

Once the installation is completed, you will be prompted to install the new version of the admin console.

Microsoft Endpoint Configuration Manager 1911 Tech Preview installation completed.

Before the preview update:

After the preview update:

And in Programs and Features, the display name for the ConfigMgr console appears as 'Microsoft Endpoint Configuration Manager Console'.

Once these changes (MEM) go into production, you should update any collections that identify devices with the SCCM console installed to use the above name, because the old name shown in Programs and Features is not the same as the MEMCM one.

SCCM console version: 5.1910.1060.1000

SCCM client version: 5.00.8909.1000

How to enable Connected Cache support for Intune Win32 apps:

Happy learning!

Download SCCM ConfigMgr and Intune slide decks and videos from Ignite 2019


Microsoft Ignite is an event to learn innovative ways to build solutions and migrate and manage your infrastructure. You connect with over 25,000 individuals focused on software development, security, architecture, and IT. Explore new hands-on experiences that will help you innovate in areas such as security, cloud, and hybrid infrastructure and development.

For those of you who would like to watch the Ignite videos offline and download the slide decks, they are available at https://myignite.techcommunity.microsoft.com/sessions? but it is difficult to search for them one by one and watch them when needed.

There are a few PowerShell scripts available online to download Ignite videos; however, I have used the Microsoft script, modified it a little, and input only the session codes related to ConfigMgr and Intune for download.

By default, the script available at the Microsoft link downloads videos into folders named by session code, so I modified the script to name the folder with the title to make it more readable. In this modified script, what I noticed is that some session titles contain invalid characters that are not supported in folder names. Please go with the default script, with session code as folder name.

If you want to download all Ignite videos and slide decks, download the PowerShell script https://myignite.techcommunity.microsoft.com/Download-Resources.zip and run it.

In this blog post, I will walk through the steps to download slide decks and videos of all ConfigMgr and Intune sessions.

The following is the list of sessions related to ConfigMgr/Intune from Ignite 2019.

SCCM/Configmgr/Intune:

Title | Sessioncode | DurationInMinutes | Level
Managing a virtual workplace using Windows Virtual Desktop and Microsoft 365 | BRK3149 | 45 | Advanced (300)
Using Desktop Analytics and Configuration Manager to reduce Windows TCO through data-driven insights for management, servicing, and support | BRK3085 | 45 | Advanced (300)
Brad Anderson presents unifying device management and taking it to the next level | THR2265 | 20 | Intermediate (200)
The future of desktop deployment: Windows, Office, and Windows Virtual Desktop | PRE25 | 480 |
One browser for modern and legacy web apps: Deploying Microsoft Edge and Internet Explorer mode | BRK2230 | 45 | Intermediate (200)
Run your own Windows Insider Program with WSUS and Configuration Manager | THR3046 | 20 | Advanced (300)
How to manage Windows 7 Extended Security Updates (ESUs) for on-premises and cloud environments | BRK3079 | 45 | Advanced (300)
Android device management with Microsoft Intune | BRK3082 | 45 | Advanced (300)
Protected, productive mobile browsing with Microsoft Edge mobile and Microsoft Intune | BRK3253 | 45 | Advanced (300)
How Microsoft uses Intune internally to manage Windows devices | THR2333 | 20 | Intermediate (200)
Transforming update management with cloud controls | BRK3258 | 45 | Advanced (300)
Connecting the dots with M365: Automate onboarding, protection, detection and response for endpoints | BRK3286 | 45 | Advanced (300)
Technical deep-dive: Deliver Windows 10 and cross-platform mobile management solutions with Microsoft Unified Endpoint Management | PRE23 | 480 |
Deploying, managing, and servicing Windows, Office and all your devices | | 0 | Foundational (100)
Why Microsoft 365 device management is essential to your zero-trust strategy | DEP50 | 45 | Advanced (300)
Microsoft Surface modern manageability (Repeat) | WRK3036R | 75 | Advanced (300)
Microsoft cybersecurity reference architecture: A-Z explained with live demos (REPEAT) | BRK2272R | 45 | Intermediate (200)
Reaching for the cloud: Group Policy transformation to MDM with Microsoft Intune | THR3027 | 20 | Advanced (300)
Insights-driven device management: Use the power of analytics to optimize the user experience and enhance productivity | BRK3086 | 45 | Advanced (300)
Getting started with co-management workloads REPEAT | WRK3008R | 75 | Advanced (300)
Connecting the dots with M365: Automate onboarding, protection, detection and response for endpoints (REPEAT) | BRK3286R | 45 | Advanced (300)
Extend mobile threat protection to bring-your-own-device (BYOD) users | THR3134 | 20 | Advanced (300)
Microsoft Surface modern manageability | WRK3036 | 75 | Advanced (300)
Microsoft Graph 101 for developers and IT professionals | MLS1035 | 15 | Foundational (100)
Managing Surface UEFI BIOS settings with Microsoft Intune | BRK2362 | 45 | Intermediate (200)
Endpoint security management with Microsoft Defender ATP and Microsoft Endpoint Manager | BRK3083 | 45 | Advanced (300)
Deployment and management of Microsoft 365 workloads and devices: Roundtable topics (Repeat) | BRK3306R | 75 | Advanced (300)
The Windows 10 tips you wish you knew last week: Mobile worker edition | THR2037 | 20 | Intermediate (200)
macOS device management with Microsoft Intune | THR3028 | 20 | Advanced (300)
Ask the experts: Modern deployment and device management | BRK3076 | 75 | Advanced (300)
iOS and iPadOS device management with Microsoft Intune | BRK3219 | 45 | Advanced (300)
Getting started with co-management workloads | WRK3008 | 75 | Advanced (300)
Use the cloud to configure group policy on Windows 10 devices with ADMX templates and Microsoft Intune (Repeat) | WRK3024R | 75 | Advanced (300)
Deep dive: Group Policy transformation to MDM with Microsoft Intune | BRK3331 | 45 | Advanced (300)
Run your own Windows Insider Program with Group Policy and Intune | THR3045 | 20 | Advanced (300)
Surface Autopilot: The easiest deployment for today's mobile workforce | THR1061 | 20 | Foundational (100)
Moving to Windows 10 and Office 365 ProPlus? FastTrack is here to help! | BRK2177 | 45 | Intermediate (200)
Migrating from Device Admin to Android Enterprise with Microsoft Intune | THR3081 | 20 | Advanced (300)
Keep it simple: the unified administrative experience in Microsoft Endpoint Manager | THR3026 | 20 | Advanced (300)
Deploying and Managing Windows and Office in a Modern World | WRK3019 | 75 | Advanced (300)
Deploying and Managing Windows and Office in a Modern World (Repeat) | WRK3019R | 75 | Advanced (300)
Career skills: IT pro to cloud pro - strap on your jetpack! | THR2009 | 20 | Intermediate (200)
Supercharge PC and mobile device management: Attach Configuration Manager to Microsoft Intune and the Microsoft 365 cloud | DEP40 | 45 | Advanced (300)
Use the cloud to configure group policy on Windows 10 devices with ADMX templates and Microsoft Intune | WRK3024 | 75 | Advanced (300)
End user experiences on managed Microsoft 365 devices | BRK3084 | 45 | Advanced (300)
Deployment and management of Microsoft 365 workloads and devices: Roundtable topics | BRK3306 | 75 | Advanced (300)
Microsoft cybersecurity reference architecture: A-Z explained with live demos | BRK2272 | 45 | Intermediate (200)
Streamlined deployment of specialized devices | THR3152 | 20 | Advanced (300)
Getting started with co-management workloads REPEAT | WRK3008R2 | 75 | Advanced (300)

How to run the script to download videos and slide decks for the above sessions?

Download the script from here, open a PowerShell prompt and run it with the following syntax:

.\Download-Resources.ps1 -directory . -sessionCodes "BRK3149,THR2265,BRK2230,BRK3082,BRK3253,THR2333,BRK3258,BRK3286,
PRE23,DEP50,WRK3036R,BRK2272R,THR3027,BRK3086,WRK3008R,BRK3286R,THR3134,
WRK3036,MLS1035,BRK2362,BRK3083,BRK3306R,THR2037,THR3028,BRK3076,BRK3219,
WRK3008,WRK3024R,BRK3331,THR3045,THR1061,THR3081,THR3026,WRK3019,WRK3019R,
THR2009,DEP40,WRK3024,BRK3084,BRK3306,BRK2272,THR3152,WRK3008R2,BRK3149,
BRK3085,THR2265,PRE25,BRK2230,THR3046,BRK3079,BRK3258,PRE23,THR3027,
BRK3086,WRK3008R,BRK3083,BRK3306R,BRK3076,WRK3008,BRK2177,THR3026,DEP40,
BRK3306,WRK3008R2"

Videos will be downloaded into the script folder, with the session code as the folder name.

I have extracted the information for the following Microsoft products into a CSV file with title, session code, level and duration for your reference.

Products:

Office 365

Teams

Onedrive

Azure Active Directory

Microsoft Endpoint Manager (I have included Configuration Manager, Microsoft Intune and Office 365 ProPlus in one CSV file)

If you want to download sessions for the products listed above, download the attachment, extract it, open the CSV file, copy the session codes, and pass them to the script as the parameter.

Thanks for reading the post!

What is new in Configuration Manager 1910 reporting


Microsoft has released update 1910 for SCCM which is now termed as Microsoft Endpoint Configuration Manager (#MEMCM) and is available as in-console update ONLY. You can apply this update on sites that runs on 1810 and later. For more information, please read

If you want to install a new Configuration Manager site, you can download 1902 as a baseline from the volume licensing portal.

For more information about how to perform in-console update for configuration manager update 1910, please refer here

After the in-console update, you need to manually upgrade any secondary sites by right click on the site and choose upgrade.

You also need to update your Configuration Manager clients to the latest version (1910) to use the newly supported client features.

Update 1910 adds a number of new features, and with them a number of new SQL tables and views that we can use to build custom reports.

The following SQL views and SMS tables were added and are available for custom reporting:

v_AppGroupDisplayProperties

v_AppGroupTargetingDeploymentInfo

v_BLM_AvailableCollections

v_BLM_CI_ID_AND_COLL_ID

v_BLM_CI_IDs

v_BLM_ComplianceStatus

v_GS_BITLOCKER_DETAILS

v_GS_MBAM_POLICY

v_GS_OFFICE_CLIENTMETRIC

v_GS_OFFICE_DEVICESUMMARY

v_GS_OFFICE_DOCUMENTSOLUTION

v_GS_OFFICE_MACROERROR

v_GS_OPERATING_SYSTEM_EXT

v_R_ProvisioningSystem

vCMGS_DeviceExtInfo

vDeviceActionsHistory

vSMS_OfficeActualHealthSummary

vSMS_OfficeAddinHealthDetail

vSMS_OfficeDevicesReadyToDeploy

vSMS_OfficeMacroHealthDetail

vSMS_OfficeMacroHealthSummary

vSMS_OfficePilot

vSMS_OfficePilotAddInsHealth

vSMS_OfficePilotDevicesHealth

vSMS_OfficePilotDevicesReadyToDeploy

vSMS_OfficePilotMacrosHealth

vSMS_OrchestrationGroup

vSMS_OrchestrationGroupMembers

vStateMsgErrorStats

We can make use of these SQL views to create a variety of dashboards.

Some of the interesting things that will be useful are:

v_GS_BITLOCKER_DETAILS

vDeviceActionsHistory

vSMS_Office*

Download the Microsoft Endpoint Configuration Manager (#MEMCM) SQL views documentation for 1910 from TechNet: https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

For more information about Configuration Manager 1910, please read http://eskonr.com/2019/11/configuration-manager-update-1910-is-now-available-as-microsoft-endpoint-configuration-manager-current-branch/

Happy reporting!

How to find ConfigMgr client boundary and boundary group details based on boundary group caching


Boundary groups in Configuration Manager logically organize related network locations (boundaries) to make your infrastructure easier to manage. You must assign boundaries to a boundary group before the boundary group can be used.

Clients use a boundary group for:

  • Automatic site assignment
  • To find a site system server that can provide a service, including:
    • Distribution points for content location
    • Software update points
    • State migration points
    • Preferred management points
    • Cloud management gateway (starting in version 1902)

Boundary group caching was introduced with the first version of Configuration Manager (ConfigMgr) Current Branch (CB): version 1511. For more information about boundary group caching and how it works, please read https://home.configmgrftw.com/boundary-group-caching-and-missing-boundaries-in-configmgr/

If you have configured boundaries and assigned them to a boundary group that has site system roles, the client stores this information in its WMI namespace root\ccm\LocationServices, in the BoundaryGroupCache class.

If a client falls within a boundary by any means (AD site, IP subnet or IP address range) but that boundary is not added to a boundary group, the client will have no boundary group cache information in WMI.

In my previous blog post, I described how to find missing boundaries using an SSRS report and how to troubleshoot based on boundary group caching. For more information, please read here

In this blog post, I bring you another SSRS report to find the boundary group and its assignment details for a client device, based on the boundary group caching information from its last hardware inventory.

Knowing a client's boundary group details is important for troubleshooting. With this report, you can quickly look up which boundary group the client belongs to and which boundaries are added to it.

This post assumes that you have extended hardware inventory as described in Jason's blog post and that clients have successfully sent their hardware inventory.

What if you don't want to extend hardware inventory with custom changes, but still need to find the clients that are missing from boundary groups? You can do that with a compliance baseline; my next blog post will cover the CI/CB approach.

Once you have extended hardware inventory with the custom changes, the following SQL view is created and populated with data.

--To see the boundary group cache data of clients (top 10 rows)

select top 10 * From v_GS_BOUNDARYGROUPCACHE bgc

image

As you can see above, some clients have two boundary group IDs, which means the client is a member of two boundary groups. There can be more than two, depending on how you configure boundary groups in your infrastructure.

To use this information in a report of client boundary group assignments, we need to split these comma-separated values into one row per value.

Jason's blog post uses the STRING_SPLIT function, which is available only at compatibility level 130 (SQL Server 2016 and above).

My lab runs on SQL Server 2014, where STRING_SPLIT does not work. What other methods are there to convert the values into rows?

Another approach is the XML method with CROSS APPLY to split comma-separated data.

Following is the SQL code that does the job.

-- Wrap each comma-separated ID in <X> tags, cast the result to XML and shred it into one row per ID
SELECT DISTINCT A.ResourceID, REPLACE(Split.a.value('.', 'NVARCHAR(MAX)'), ' ', '') AS GroupID FROM (
SELECT bgc.ResourceID, CAST('<X>' + REPLACE(bgc.BoundaryGroupIDs0, ',', '</X><X>') + '</X>' AS XML) AS String FROM v_GS_BOUNDARYGROUPCACHE bgc
) AS A CROSS APPLY String.nodes('/X') AS Split(a)

The above SQL code works on SQL Server 2014 and above. I have not tested it on versions lower than 2014, but it should work there too.

We now have the complete client details together with their boundary group IDs.

Next, we join these boundary group IDs with other SQL views to get the information we need.

I have used the following SQL views to fetch the relevant info.

vSMS_BoundaryGroupSiteSystems: stores the site systems assigned to each boundary group

vSMS_BoundaryGroup: stores boundary group details

vSMS_BoundaryGroupMembers: stores the boundaries that belong to each boundary group

You can download the SQL views documentation from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b.
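The following T-SQL is an added example (not code from the original post) that ties the two steps above together: it splits the comma-separated BoundaryGroupIDs0 value into one row per group ID using the XML method, then joins the IDs to boundary group names, as the report does. Instead of the live ConfigMgr views it uses table variables with constructed sample data, so it runs on any SQL Server 2014 or later instance; the column names GroupID and Name for the boundary group table are assumptions standing in for vSMS_BoundaryGroup. It also goes one step beyond the page's snippet by keeping clients whose cache value is NULL (OUTER APPLY instead of CROSS APPLY), which is exactly the "client not in any boundary group" case you troubleshoot, and by flagging cached IDs that no longer match an existing group.

```sql
-- Added example: split cached boundary group IDs into rows and join to group names.
-- Sample data is constructed; GroupID/Name column names are assumptions for vSMS_BoundaryGroup.
SET NOCOUNT ON;

-- Stand-in for v_GS_BOUNDARYGROUPCACHE (ResourceID, BoundaryGroupIDs0 are the real column names)
DECLARE @BoundaryGroupCache TABLE (
    ResourceID        INT           NOT NULL,
    BoundaryGroupIDs0 NVARCHAR(MAX) NULL
);

-- Stand-in for vSMS_BoundaryGroup (assumed columns)
DECLARE @BoundaryGroup TABLE (
    GroupID INT           NOT NULL,
    Name    NVARCHAR(255) NOT NULL
);

-- Constructed inventory rows: a client in two groups (note the space after the
-- comma, which the REPLACE below strips), a client in one group, a client whose
-- cache points at a group that no longer exists, and a client with no cache at all.
INSERT INTO @BoundaryGroupCache (ResourceID, BoundaryGroupIDs0) VALUES
    (16777220, N'16777217, 16777218'),
    (16777221, N'16777217'),
    (16777223, N'16777219'),
    (16777222, NULL);

INSERT INTO @BoundaryGroup (GroupID, Name) VALUES
    (16777217, N'HQ-Site'),
    (16777218, N'Branch-Office');

WITH SplitCache AS (
    -- Wrap every ID in <X> tags so the string can be cast to XML and shredded.
    -- The cached values are numeric, so they never contain characters (<, >, &)
    -- that would make the CAST to XML fail.
    SELECT bgc.ResourceID,
           CAST(N'<X>' + REPLACE(bgc.BoundaryGroupIDs0, N',', N'</X><X>') + N'</X>' AS XML) AS IdXml
    FROM @BoundaryGroupCache bgc
),
ClientGroups AS (
    -- OUTER APPLY keeps clients whose IdXml is NULL (no boundary group cached);
    -- CROSS APPLY, as in the page's snippet, would silently drop them.
    SELECT sc.ResourceID,
           TRY_CAST(REPLACE(Split.a.value('.', 'NVARCHAR(MAX)'), N' ', N'') AS INT) AS GroupID
    FROM SplitCache sc
    OUTER APPLY sc.IdXml.nodes('/X') AS Split(a)
)
SELECT cg.ResourceID,
       cg.GroupID,
       bg.Name AS BoundaryGroupName,
       CASE WHEN cg.GroupID IS NULL THEN 'Not in any boundary group'
            WHEN bg.GroupID IS NULL THEN 'Cached group ID does not exist'
            ELSE 'OK'
       END AS AssignmentStatus
FROM ClientGroups cg
LEFT JOIN @BoundaryGroup bg ON bg.GroupID = cg.GroupID
ORDER BY cg.ResourceID, cg.GroupID;
```

To use this against a real site, replace the two table variables with v_GS_BOUNDARYGROUPCACHE and vSMS_BoundaryGroup (checking the column names in the SQL views documentation linked above) and join vSMS_BoundaryGroupMembers and vSMS_BoundaryGroupSiteSystems on the same GroupID to add boundaries and site systems. The AssignmentStatus column gives you the troubleshooting view directly: rows reading "Not in any boundary group" are the clients the earlier post was hunting for, and rows reading "Cached group ID does not exist" indicate clients that have not yet refreshed their cache since a boundary group was deleted.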

After spending quite some time on it, I was finally able to build a nice SSRS report like the one below.

All you need to do is enter the computer name in the prompt, and the report fetches the data based on the client's last successful hardware inventory.

You have both inventory of client and client boundary group assignment details.

image

You can download the report from the TechNet Gallery, upload it to your SSRS reports folder, change the data source and run it.

If you wanted to know the summary of boundaries and boundary group with assignment details (boundary group management using SCCM boundary report), please read this blog post https://www.systemcenterdudes.com/boundary-management-using-sccm-boundary-report/

In the next blog post, we will see how to create compliance baseline to check client boundary group details.

Thanks for reading the post.

If you have any ideas on custom reporting, please leave them in comment section.

Client assignment failed from http to pki with error code failed to verify message could not retrieve certificate from MPCERT


Starting in Microsoft Endpoint Configuration Manager current branch version 1910, we can use the optional BitLocker management feature to manage BitLocker Drive Encryption (BDE) for on-premises Windows clients. It provides full BitLocker lifecycle management and can replace Microsoft BitLocker Administration and Monitoring (MBAM).

Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.

Prerequisites to plan BitLocker management:

· In version 1910, to create a BitLocker management policy, you need the Full Administrator role in Configuration Manager.

· To integrate the BitLocker recovery service in Configuration Manager requires an HTTPS-enabled management point. On the properties of the management point, the Client connections setting must be HTTPS.

Since my SCCM lab runs over HTTP, it does not support BitLocker management, so I decided to convert the lab from HTTP to HTTPS (PKI).

There are many guides out there on how to convert HTTP SCCM infra to https (PKI).

It involves creating a few certificates, including the IIS (web server), DP and client certificates.

I created the required certificates for SCCM, imported them into the certificate store on the SCCM server, changed the site properties to use PKI, and switched the MP, DP and SUP site system roles to HTTPS.

After the changes to the site hierarchy and site system roles, the MP, DP and SUP roles are reinstalled. This can be monitored in the respective component setup logs (mpsetup.log, sitecomp.log, etc.).

I have validated the site components and site hierarchy is running fine.

Now it's time to move the clients from HTTP to HTTPS (PKI).

I picked one client that had been using the self-signed certificate and has since received a client authentication certificate through GPO as part of our certificate enrollment process.

When I log on to the client, which worked fine over HTTP (self-signed), it keeps failing with the error messages below (locationservices.log).

image

CCMVerifyMsgSignature failed.

Failed to verify received message 0x80090006

Failed to verify message. Could not retrieve certificate from MPCERT.

MPCERT requests are throttled for 00:05:00

Failed to send management point list Location Request Message to SG-CM001.azure.eskonr.com

The log says it could not retrieve the certificate from MPCERT. Based on this, I checked the MP logs to verify the MP was functioning correctly, and then checked site monitoring for any site component alerts.

I could not find anything wrong with the site and everything seems to be normal and functional.

I thought restarting the SMS Agent Host service on the client might help, but it made no difference and failed with the same error message again.

I uninstalled the client and reinstalled it with the following command line:

CCMSetup.exe /MP:sg-cm001.azure.eskonr.com /USEPKICERT /NOCRLCHECK /FORCEINSTALL SMSSITECODE=PS1 CCMHTTPSPORT=443 RESETKEYINFORMATION=TRUE

The client installation succeeded; however, registration with the MP/site (ClientIDManagerStartup.log) and locationservices.log repeated the same errors as above.

Solution:

While going through the console, I looked at the Active Directory Forests node and saw that the publishing status showed as failed.

image

Publishing of site information in Active Directory Domain Services is logged into hman.log on your site server.

image

As you can see in the log, the site could not connect to the RootDSE container in Active Directory (HRESULT=0x8007052E) using the configured account.

image

The error code 0x8007052E translates to ‘the user name or password incorrect.’

The following is the place to configure the active directory forest account.

image

I realized that the password for that account had been changed earlier (before the HTTPS changes to the site), which is why site publishing failed.

Why did changing the password of the account configured to publish site information to AD Domain Services cause all these problems?

Long story short: if you look at the service location records on the DNS server, you can see that the site is still registered with port 80, whereas the actual configuration now uses port 443.

image

Go back to the site, re-enter the correct password for the account and monitor hman.log to see whether the site information is published.

image

The site information is now published to AD Domain Services, and the port number in the DNS service location records is correctly updated to 443.

image

Now go back to the client, run the machine policy cycle and monitor locationservices.log and ClientIDManagerStartup.log.

You will see things progress and the client register with the MP successfully.

image

You can now see that the client is using the PKI certificate.

I can now start testing the BitLocker management with current branch 1910.

Changing the password of a single account caused all of today's trouble.
