Channel: ConfigMgr (SCCM) – All about Microsoft Endpoint Manager

How to deploy Microsoft Edge Chromium stable version using Configuration Manager


On Jan 15th, 2020 Microsoft officially released the new Chromium-based Microsoft Edge browser for Windows and macOS. It is compatible with all supported versions of Windows and with macOS.

It replaces the legacy version of Microsoft Edge on Windows 10 PCs. With speed, performance, best-in-class compatibility for websites and extensions, and built-in privacy and security features, Microsoft positions it as the only browser you'll ever need.

As you already know, Windows 7 support ended on Jan 14th, 2020; however, Microsoft has made the new Edge browser available for Windows 7 as well.

To download the new Chromium-based Microsoft Edge for Windows 7, Windows 8.1, Windows 10 and macOS, visit https://www.microsoft.com/en-us/edge

This is not an offline installer: it is a 2 MB bootstrapper that connects to the internet when you launch it and downloads the required setup files.

If you want the offline installer, refer to the business download page and pick the right version for you: https://www.microsoft.com/en-us/edge/business/download

Now, how do we install the Stable version of the new Microsoft Edge browser on the endpoints in the organization using Microsoft Endpoint Manager Configuration Manager (current branch 1910)?

MEMCM 1910 has a feature to deploy Microsoft Edge, version 77 and later, to your users. It downloads the installer and creates the application automatically, with no manual packaging.

If you are not running Configuration Manager current branch 1910, download the offline installer and create the application manually. This is the same process you follow for any other application.

This blog post assumes that you are running Configuration Manager 1910. If you are not on 1910, please read the blog post on how to get to current branch 1910.

In the console, click Software Library, click Microsoft Edge Management and choose Create Microsoft Edge Application.

Provide the name and the content location. The content location is where the application source files are saved, and the name is what appears in the Applications node.

For the channel, choose Stable (this is the version released today by Microsoft); for the version, choose Latest.

For the deployment, choose No for now; we will edit the deployment settings and deploy to a collection later.

Click Next on the summary page.

Now, depending on your internet connectivity, the download of the Edge Stable installer starts and the application is created automatically.

You can monitor the download in the %temp% folder of the user running the console, in the log called patchdownloader.log.

(Screenshots: the patchdownloader.log file location and the download progress recorded in it.)

Once the download is finished, you can see the app in the Applications node.

It has two deployment types because both the x86 and x64 MSIs were downloaded; the x64 deployment type has the higher priority.

The source location contains the following content: the PowerShell install script (Install-Edge.ps1) and the MSIs.

If you edit the x64 deployment type, you will see the program command line.

We will now modify the command line to add -ExecutionPolicy Bypass. This is not mandatory; however, I have seen installation errors in previous builds, so I simply add Bypass and continue. Note that -ExecutionPolicy Bypass applies only to the single powershell.exe process started by the ConfigMgr client (which runs as SYSTEM); it does not change the machine's execution policy, and it does not override AppLocker or WDAC script rules.

Insert the switch between powershell and -File. For x64:

powershell -executionpolicy bypass -File ".\Install-Edge.ps1" -MSIName "MicrosoftEdgeEnterpriseX64.msi" -ChannelID "{56eb18f8-b008-4cbd-b6d2-8c97fe7e9062}"

Do the same for x86, with the x86 MSI name.

Update the command line and click OK.

Detection method: we don't change anything here, but I have listed it for your information in case you are not on CMCB 1910 and want to create the application manually.

Hive: HKLM

Key: SOFTWARE\Wow6432Node\Microsoft\EdgeUpdate\Clients\{56eb18f8-b008-4cbd-b6d2-8c97fe7e9062}

Value: pv

Data type: Version

Operator: Greater than or equal to

Value: 79.0.309.65

The GUID is the Edge Stable channel ID (the same value passed to Install-Edge.ps1 as -ChannelID), the Wow6432Node path applies to 64-bit Windows because EdgeUpdate registers under the 32-bit hive, and 79.0.309.65 is the version of the MSI downloaded at the time of writing; use the version of the MSI you actually deploy.

Now distribute the application to the distribution points.

Monitor the distribution status; once the content is distributed, you are ready to deploy to a collection. Log file: distmgr.log on your ConfigMgr site server.

Deploy to collection:

Once the application is deployed to the collection, depending on the machine policy cycle, the device receives the policy, downloads the content and installs the application.

Deployment results:

You can monitor the installation status using AppEnforce.log located at C:\Windows\CCM\Logs.

You can see Microsoft Edge in the Start menu.

Launch Microsoft Edge.

If you look at the About page in Edge (edge://settings/help), you see that your organization has disabled updates.

This happens because of the script used to install the Edge application.

The script is designed to disable Edge's automatic updates so that Configuration Manager manages the updates, just like other Windows and Office 365 updates.

Now, on your Configuration Manager site, enable the Microsoft Edge product in the software update point (SUP) properties.

If you cannot see the product, run a software update sync and wait for it to complete.

Go back to the SUP properties; you will now see Microsoft Edge. Select it and click OK.

Right-click All Microsoft Edge Updates and initiate a sync.

After a while you will see the updates in the console.

Once the updates are available in the console, you can patch the Edge browser just like any other Windows or Office 365 update.

The following information tells you which registry key is used to enable or disable automatic updates for Edge.

The registry key for disabling Edge updates is:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EdgeUpdate, with the update value set to 0

To enable automatic updates for the Edge browser, change the update value from 0 to 1. Keep in mind that with updates disabled by this policy the browser stays on the deployed build until ConfigMgr delivers the next one, so the SUP product above must be enabled and the Edge updates actually deployed; otherwise the fleet runs an unpatched browser.

Launch Edge and type edge://settings/help to see the status.
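The following script is an added example for this post and the detection-method section above; it is not the page's code and not Microsoft's Install-Edge.ps1. It checks the installed Edge Stable version the way the page's detection rule does (the channel GUID, the pv value and the 79.0.309.65 floor come from the page) and reads or sets the EdgeUpdate policy that the install script toggles. Two things are assumptions not stated on the page: that the policy value name under HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate is UpdateDefault (0 = updates disabled, 1 = updates allowed), and that on 32-bit Windows the client key has no Wow6432Node segment.

```powershell
# Added example; not the page's code and not Microsoft's Install-Edge.ps1.
# From the page: the Stable channel ID, the 'pv' value and the 79.0.309.65 floor.
# Assumed (not stated on the page): the policy value name is 'UpdateDefault'
# (0 = updates disabled, 1 = updates allowed), and 32-bit Windows has no
# Wow6432Node segment in the EdgeUpdate client key.

$EdgeStableChannelId = '{56eb18f8-b008-4cbd-b6d2-8c97fe7e9062}'
$MinimumVersion      = [version]'79.0.309.65'   # set to the version of the MSI you deploy
$EdgeUpdatePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'

function Get-EdgeStableVersion {
    # Returns the installed Edge Stable version from EdgeUpdate's 'pv' value, or $null.
    $keys = @(
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\EdgeUpdate\Clients\$EdgeStableChannelId"   # 64-bit Windows
        "HKLM:\SOFTWARE\Microsoft\EdgeUpdate\Clients\$EdgeStableChannelId"               # 32-bit Windows (assumed)
    )
    foreach ($key in $keys) {
        $pv = (Get-ItemProperty -Path $key -Name pv -ErrorAction SilentlyContinue).pv
        if ($pv) { return [version]$pv }
    }
    return $null
}

function Test-EdgeStableInstalled {
    param([version]$Minimum = $MinimumVersion)
    # Same rule as the page's detection method: pv exists and is >= the deployed MSI version.
    $installed = Get-EdgeStableVersion
    return ($null -ne $installed -and $installed -ge $Minimum)
}

function Get-EdgeUpdatePolicy {
    # Reads the UpdateDefault policy value (assumed name) that the install script sets to 0.
    $policy = Get-ItemProperty -Path $EdgeUpdatePolicyKey -Name UpdateDefault -ErrorAction SilentlyContinue
    if ($null -eq $policy) { return 'not configured (Edge updates itself)' }
    switch ([int]$policy.UpdateDefault) {
        0       { 'disabled by policy (ConfigMgr/SUP must patch Edge)' }
        1       { 'enabled (Edge updates itself)' }
        default { "unexpected value $($policy.UpdateDefault)" }
    }
}

function Set-EdgeUpdatePolicy {
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    # Writes the same policy value the install script uses; needs an elevated session.
    if (-not (Test-Path $EdgeUpdatePolicyKey)) { New-Item -Path $EdgeUpdatePolicyKey -Force | Out-Null }
    $value = if ($State -eq 'Enabled') { 1 } else { 0 }
    Set-ItemProperty -Path $EdgeUpdatePolicyKey -Name UpdateDefault -Value $value -Type DWord
}

# Used as a ConfigMgr script detection method: any output means "installed",
# no output means "not installed", so print only on success.
if (Test-EdgeStableInstalled) {
    Write-Output "Microsoft Edge Stable $(Get-EdgeStableVersion) detected; automatic updates: $(Get-EdgeUpdatePolicy)"
}
```

Run it as-is on a client to see what ConfigMgr's detection would conclude, or paste it into a script detection method when creating the application manually on a site older than 1910. Set-EdgeUpdatePolicy -State Enabled is the scripted equivalent of changing the value from 0 to 1 in the registry editor.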

Before you start deploying the Edge browser in an enterprise, read through the Microsoft documentation on Edge policies via GPO/Intune: https://docs.microsoft.com/en-us/microsoft-edge/

Hope you found this article useful!


Using compliance settings to check client boundary group in configuration manager


In the last two blog posts, I talked about the SCCM report for missing boundaries and how to find client boundary and boundary group information. Those two posts depend on extending the hardware inventory MOF for the client boundary group cache.

In this blog post, we will see how to check whether a client is missing from any boundary group. This method doesn't need the MOF extension: we query WMI on the client directly and report compliant or non-compliant.

We will use compliance settings (a configuration item and a configuration baseline) to detect whether the client is in a boundary group or not.

To know more about boundary groups in Configuration Manager, please read https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups

I am not going through it step by step; I will give the instructions and steps necessary to accomplish the task with compliance settings. For a step-by-step guide to creating a configuration item and configuration baseline, read http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/

We will start by creating a configuration item with a simple PowerShell script.

Create configuration item:

Create setting:

Setting type: Script

Data type: String

Edit the script and copy the following code.

Discovery script (PowerShell):

# Read the boundary group IDs the client currently has cached in WMI.
$BGIDs = (Get-WmiObject -Namespace root\ccm\LocationServices -Class BoundaryGroupCache -ErrorAction SilentlyContinue).BoundaryGroupIDs
# Measure-Object copes with $null, a single value or an array alike.
if (($BGIDs | Measure-Object).Count -gt 0)
{
    Write-Host "Compliant"
}
else
{
    Write-Host "Non-compliant"
}

This script queries the WMI class BoundaryGroupCache and checks whether it holds any boundary group IDs. If there is no boundary group ID, the client has not been able to find its boundary group assignment: it is either missing from every boundary group or has not yet made a location request since the cache was last cleared. The compliance rule that follows treats the string "Compliant" as the expected value.

Click OK and Next.

Create a new compliance rule: the value returned by the script must equal "Compliant".

Click Next to see the summary.

Click Next to finish the configuration item.

We will now create a configuration baseline and add the configuration item created above.

Now deploy the baseline to a collection:
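The script below is an added example that creates the same configuration item, compliance rule, baseline and deployment with the Configuration Manager PowerShell module instead of the console wizard; it is not the author's code. It assumes site code PS1 (the code used elsewhere on this page), a target collection named 'All Workstations', and the cmdlet parameter names as documented for the Configuration Manager module; confirm them with Get-Help against your console version before running.

```powershell
# Added example, not the author's code: scripted version of the console steps above.
# Assumptions: site code PS1, a collection named 'All Workstations', and the cmdlet
# parameter names as documented for the Configuration Manager module.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# The discovery script from the page; its output is what the compliance rule compares.
$discovery = @'
$BGIDs = (Get-WmiObject -Namespace root\ccm\LocationServices -Class BoundaryGroupCache -ErrorAction SilentlyContinue).BoundaryGroupIDs
if (($BGIDs | Measure-Object).Count -gt 0) { Write-Host 'Compliant' } else { Write-Host 'Non-compliant' }
'@

$ci = New-CMConfigurationItem -Name 'Client boundary group check' -CreationType WindowsOS `
          -Description 'Non-compliant when the client has no boundary group IDs in its cache'

# Setting type Script, data type String, rule: returned value must equal "Compliant".
Add-CMComplianceSettingScript -InputObject $ci -Name 'BoundaryGroupCache' -DataType String `
    -DiscoveryScriptLanguage PowerShell -DiscoveryScriptText $discovery `
    -ValueRule -RuleName 'Client must be in a boundary group' `
    -ExpressionOperator IsEquals -ExpectedValue 'Compliant' `
    -NoncomplianceSeverity Warning -ReportNoncompliance | Out-Null

$baseline = New-CMBaseline -Name 'Client boundary group baseline' `
                -Description 'Detects clients missing from every boundary group'
Set-CMBaseline -InputObject $baseline -AddOSConfigurationItem $ci.CI_ID

# Evaluate daily; the client cache only changes on a location request anyway.
New-CMBaselineDeployment -InputObject $baseline -CollectionName 'All Workstations' `
    -Schedule (New-CMSchedule -RecurInterval Days -RecurCount 1) | Out-Null
```

Run it from a PowerShell session on a machine with the console installed, as a user with rights to create configuration items and deployments. The discovery script is stored verbatim inside the CI, so any later change to it is made on the setting, not on the baseline.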

After a while, the client receives the policy and evaluates the compliance check; the following is the end result.

You can check the deployment status on the configuration baseline's Deployments tab.

You can also view the results from the Monitoring workspace, from the built-in Configuration Manager reports, or by creating custom reports.

Get started with compliance settings in Configuration Manager

How to find software update deployments with "download content from Microsoft Update" enabled for VPN/CMG internet-connected clients


Due to the COVID-19 outbreak, with the situation constantly changing around the world, organizations have started moving their workforce to remote work or working from home.

Considering the number of users working remotely, it is very important to make sure that devices are protected in every possible way, starting with Windows security patching, antivirus and the other security tools available on the device.

For Windows security patching of remotely managed devices using SCCM/Configuration Manager, you have different options such as the cloud management gateway (CMG) and co-management. If your organization has a VPN on the endpoint, you can use split tunneling.

Please read more about managing remote devices with Configuration Manager at https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-remote-machines-with-cloud-management-gateway-in/ba-p/1233895 and https://miketerrill.net/2020/03/18/forcing-configuration-manager-vpn-clients-to-get-patches-from-microsoft-update/

Both posts cover almost everything you need to patch remote devices, including VPN-connected ones.

Like other organizations, we have also enabled split tunneling and use a CMG so that clients download Microsoft updates from the internet and not from the corporate/on-premises network.

For remote devices to get Windows updates from Microsoft via Configuration Manager, it is important to set the correct option on the software update deployment.

The following setting must be enabled for VPN or internet-based clients to download updates directly from Microsoft Update: on the Download Settings page of the deployment, "If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates".

If you don't configure this setting on the software update deployment, your VPN/CMG-connected clients will fail to download patches from Windows Update and always look for a DP.

For newly created software update deployments you can tick the checkbox as you go through the deployment wizard, but to monitor or enable the checkbox on existing deployments you need a report and a PowerShell script.

If you have only a few SUG deployments (10 or so), you can right-click each deployment and change its properties, but that is not practical with hundreds of SUG deployments that all need checking.

The following SCCM report identifies all software update deployments with and without the above option enabled, and the PowerShell cmdlet below enables the checkbox for the deployments you choose.

Preview of the SSRS report:

This report comes with a prompt to filter on the 'Download content from Microsoft Updates' option.

In my research, a DPLocality value of 262144, 262208, 393216 or 393280 means the deployment downloads from Microsoft Update. These are not a range but four values that all have the bit 0x40000 (262144) set; the other bits (0x40 and 0x20000) vary with the remaining download settings.

If you notice anything wrong with the 'download from MSFT' column, please report it in the comments section.

The following settings are shown in the SSRS report.

Deployment settings: type of deployment and Wake-on-LAN.

User experience: user notifications, deadline behavior, device restart behavior, and software update deployment re-evaluation behavior upon restart.

Download settings: download content from Microsoft Updates.

If you want other fields not listed in the report, you can get them from the SQL view v_CIAssignment (DPLocality among them).

To enable the checkbox for downloading content from Microsoft Update, use the following PowerShell cmdlet with its -DownloadFromMicrosoftUpdate $true parameter:

Set-CMSoftwareUpdateDeployment
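The script below is an added example, not the author's report or script. It lists every software update deployment with the state of the "download content from Microsoft Update" option and enables it where it is off, using the cmdlet named above. It goes one step beyond the page: instead of comparing DPLocality against the four literal values listed, it tests the bit 0x40000 that all four share. That bit being the flag behind the checkbox is an assumption drawn from those values; the site code PS1 is also assumed.

```powershell
# Added example, not the page's report or script.
# Assumptions: DPLocality bit 0x40000 is the flag behind the "download content from
# Microsoft Update" checkbox (the page's values 262144, 262208, 393216 and 393280
# all have it set and differ only in other bits), and site code PS1.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$DownloadFromMicrosoftUpdateBit = 0x40000   # 262144

function Test-DownloadFromMicrosoftUpdate {
    param([Parameter(Mandatory)][int]$DPLocality)
    # Bit test in place of the page's list of literal values.
    return (($DPLocality -band $DownloadFromMicrosoftUpdateBit) -ne 0)
}

function Get-SugDeploymentDownloadState {
    # One row per software update deployment with the flag decoded.
    Get-CMSoftwareUpdateDeployment | ForEach-Object {
        [pscustomobject]@{
            AssignmentName   = $_.AssignmentName
            CollectionID     = $_.TargetCollectionID
            DPLocality       = $_.DPLocality
            DownloadFromMSFT = Test-DownloadFromMicrosoftUpdate -DPLocality $_.DPLocality
        }
    }
}

function Enable-SugDeploymentDownloadFromMicrosoftUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Only touches deployments where the flag is off; -WhatIf previews the change.
    foreach ($deployment in Get-CMSoftwareUpdateDeployment) {
        if (Test-DownloadFromMicrosoftUpdate -DPLocality $deployment.DPLocality) { continue }
        if ($PSCmdlet.ShouldProcess($deployment.AssignmentName, 'Enable download from Microsoft Update')) {
            Set-CMSoftwareUpdateDeployment -InputObject $deployment -DownloadFromMicrosoftUpdate $true
        }
    }
}

Get-SugDeploymentDownloadState | Format-Table -AutoSize
# Preview first, then run without -WhatIf:
Enable-SugDeploymentDownloadFromMicrosoftUpdate -WhatIf
```

Compare the DownloadFromMSFT column against the report's 'download from MSFT' column before enabling anything; if they disagree for some deployment, the bit assumption above is wrong for that combination of settings and the literal-value check from the report should be preferred.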

Download the SSRS report from the download section

Happy managing the VPN/internet connected devices.

SCCM ConfigMgr Current Branch 2002 is available as in-console and baseline version


Microsoft releases Configuration Manager production builds three times a year. The first production build of this year, Configuration Manager 2002, was released today and is available as an in-console update (fast ring only for now) and as a baseline version.

You can apply this update from the console on sites that run version 1806, 1810, 1902, 1906 or 1910. You can also use the 2002 baseline to install new Configuration Manager sites.

Before we upgrade the site to the latest build, here are some of the features we were all waiting to see in a production build.


tenant attach –> Device sync and device actions

Site infrastructure—> Remove a central administration site

Cloud-attached management—>Token-based authentication for cloud management gateway

Desktop Analytics—>Connection Health dashboard

Client management—>Client log collection

Application management—>Microsoft Edge management dashboard

OS deployment—>Improvements to Check Readiness task sequence step

Software updates—>Evaluate software updates after a servicing stack update

Reporting—>Integrate with Power BI Report Server

Configuration Manager console—>Show boundary groups for devices


For full of features with description please read https://docs.microsoft.com/en-us/configmgr/core/plan-design/changes/whats-new-in-version-2002

For full list of PowerShell cmdlet changes https://docs.microsoft.com/en-us/powershell/sccm/2002-release-notes?view=sccm-ps

For list of known issues https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/release-notes

Now we will look at how to install Configuration Manager build 2002 on existing sites.

To install this update from the console, you must be running 1806, 1810, 1902, 1906 or 1910.

For now, Microsoft has released this update via the fast ring. What does fast ring mean? To get the update in the console at this point in time, you need to run a script that requests it manually; without the script, 2002 does not show up in the console yet.

If you are not in a rush and are fine waiting for the slow ring, you can simply ignore the script and continue reading the blog post.

Installation of this update via the console is similar to previous builds, but always review the latest checklist before installing it. For more information, see the checklist for installing update 2002. After you update a site, also review the post-update checklist.

For the fast ring, download the script package from https://download.microsoft.com/download/7/c/4/7c48f2c7-f433-414b-a901-753a61c7956d/EnableEarlyUpdateRing2002.exe and copy it to your SCCM site server.

Extract it and run the script from PowerShell:

1. Launch an elevated command prompt

2. Run PowerShell

3. Run the EnableEarlyUpdateRing2002.ps1 script (bundled in the exe from the link above):

EnableEarlyUpdateRing2002.ps1 <SiteServer_Name | SiteServer_IP> where SiteServer refers to the CAS or standalone primary site server

The script now forces the SMS_DMP_DOWNLOADER component to check for the update.

You can verify this from the Updates and Servicing node.

Go to \Administration\Overview\Cloud Services\Updates and Servicing and click "Check for Updates".

You will see 'Configuration Manager 2002' in the console in the Downloading state. If it shows as Available to download, select the update and click Download.

To see the status of the download, open dmpdownloader.log from the SCCM installation logs folder.

Logs to check for the backend process: hman.log, dmpdownloader.log

You can also look at the download location at <ConfigMgr install dir>\EasySetupPayload\

Wait for the download to complete and you will see the update in the console with the state 'Ready to install'.

If the download is stuck in Downloading for some reason, look at dmpdownloader.log; to start the download again, restart the SMS_Executive service or the SMS_DMP_DOWNLOADER component.

Run the prerequisite check to ensure the site server meets all the requirements before the installation starts.

Monitor the prerequisite check for any errors.

If you don't see any errors that stop you from upgrading, right-click the update and select Install this update.

Choose the new features you are interested in. You can also enable them after the installation is completed.

Choose the pre-production collection on which to pilot the new client version before promoting it.

We will now monitor the status of the installation using the logs and the console.

For monitoring the installation status, refer to ConfigMgrSetup.log at the root of the system drive and cmupdate.log in the ConfigMgr logs folder.

You can also monitor the installation status from the console: go to the Monitoring workspace and click the Updates and Servicing Status node.

After a while, you should see a bar at the top of the console prompting you to install the new console version.

Click Install new console version.

If the above step fails to upgrade the console and you try to launch the console, you will see a prompt like the one below.

Click OK and it will upgrade the console for you.

Now update the client package (located under Packages) to all distribution points.

As per the client upgrade schedule configured in the site hierarchy settings, the site starts sending client policy and triggers the client installation through a scheduled task.

You can monitor the client installation status from the Monitoring node.

If you use a client startup script via GPO (http://eskonr.com/2016/09/sccm-configmgr-how-to-implement-jason-sandys-client-startup-script-to-achieve-good-client-success-rate/), update your XML file with the 2002 client version; otherwise the client will reinstall on every restart.

Finally, check the version of the site.

Site version:5.0.8968.1000

Client version:5.0.8968.1008

Once the site installation is complete, if you have secondary sites, you must manually initiate their upgrade to bring them to the same build version and support the new features.

In the next couple of blogs, I will talk about the new features released in this update along with SSRS reporting.

Happy exploring the new features.

How to create a collection based on boundary group for client assignment and content troubleshooting


The Microsoft Endpoint Configuration Manager 2002 production build is out today. It is available in-console (for now only via the fast ring); the baseline media will be available in the next couple of weeks.

It has a bunch of new and updated features. For the full list of features and the installation steps, please refer to http://eskonr.com/2020/04/sccm-configmgr-current-branch-2002-is-available-as-in-console-and-baseline-version/

One of the features available in this build is 'Show boundary groups for devices' in the Configuration Manager console.

Clients use boundary groups for site assignment and for locating content (DP), software update points (SUP), management points (MP) and state migration points (SMP). The SMP doesn't use fallback relationships.

From this build onward, we can identify a client's boundary groups for site assignment and content troubleshooting within the Configuration Manager console.

How do you identify the boundary groups for a specific client in the console?

In the console (2002 build onwards), in the Devices node or when you show the members of a device collection, add the new Boundary Group(s) column to the list view.

Console view:

Please note the following about the client boundary group value:

  • If a device is in more than one boundary group, the value is a comma-separated list of boundary group names.
  • The data updates when the client makes a location request to the site, or at most every 24 hours.
  • If a client is roaming and not a member of a boundary group, the value is blank.

Since the boundary group information is now available on the client record, we can use it to create a collection of clients with a NULL value (no boundary group, or missing from all boundary groups).

Create a collection with the following WQL query to list all clients that don't have any boundary group:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
where SMS_R_System.ResourceId in
    (select ResourceID from SMS_CollectionMemberClientBaselineStatus
     where SMS_CollectionMemberClientBaselineStatus.BoundaryGroups is NULL)
and SMS_R_System.Name not in ("Unknown")
and SMS_R_System.Client = "1"
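As an added example (not the author's code), the following script creates that collection with the WQL query above through the Configuration Manager PowerShell module and lists its members. It assumes site code PS1 (the code used elsewhere on this page), 'All Systems' as the limiting collection, and a 2002 or later console so that the SMS_CollectionMemberClientBaselineStatus.BoundaryGroups property exists.

```powershell
# Added example, not the author's code: the "no boundary group" collection from
# the WQL above, created with the ConfigMgr module. Assumptions: site code PS1,
# limiting collection 'All Systems', console version 2002 or later.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# The query from the page, unchanged.
$query = @'
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
where SMS_R_System.ResourceId in
      (select ResourceID from SMS_CollectionMemberClientBaselineStatus
       where SMS_CollectionMemberClientBaselineStatus.BoundaryGroups is NULL)
  and SMS_R_System.Name not in ("Unknown")
  and SMS_R_System.Client = "1"
'@

$name = 'Clients without a boundary group'
$collection = Get-CMDeviceCollection -Name $name
if (-not $collection) {
    # Daily refresh is enough: the boundary group data itself updates at most every 24 hours.
    $collection = New-CMDeviceCollection -Name $name -LimitingCollectionName 'All Systems' `
        -RefreshType Periodic -RefreshSchedule (New-CMSchedule -RecurInterval Days -RecurCount 1)
    Add-CMDeviceCollectionQueryMembershipRule -InputObject $collection `
        -RuleName 'BoundaryGroups is NULL' -QueryExpression $query
}

# Members to follow up on: each one either has no matching boundary in any group
# or has not made a location request since the column was introduced.
Get-CMCollectionMember -CollectionName $name | Select-Object Name, ResourceID
```

Because a client that is roaming, or that has simply not yet made a location request, also shows a blank value, treat membership as a troubleshooting queue rather than proof of a missing boundary; the compliance-settings check from the earlier post, which reads the client's own cache, confirms the state from the other side.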

You can also use reports to identify clients missing boundaries and boundary groups.

The following are a few custom reports created for earlier Configuration Manager builds:

http://eskonr.com/2019/12/how-to-find-configmgr-client-boundary-and-boundary-group-details-based-on-boundary-group-caching/

http://eskonr.com/2017/09/sccm-configmgr-report-for-boundary-group-relationships-with-fallback-sites/

http://eskonr.com/2013/12/sccm-2012-ssrs-report-site-servers-and-its-assigned-boundary-information/

http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

For more information about boundary groups, please refer https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_show-boundary

What is new in Configuration Manager 2002 reporting


Microsoft has released Microsoft Endpoint Manager Configuration Manager (MEMCM) build 2002 via the opt-in method (fast ring), so it is now available for you to install in-console. The baseline media is not yet available for download; the baseline version will be released when the build is made available to the console via the slow ring.

If you want to install new Configuration Manager sites (fresh builds), you can download 1902 as a baseline from the Volume Licensing Service Center until the 2002 baseline is released.

For more information about how to perform the in-console update to Configuration Manager 2002, please refer here.

After the in-console update, you need to manually upgrade any secondary sites by right-clicking the site and choosing Upgrade.

You also need to update your Configuration Manager clients to the latest version (2002) to get the new client features.

With the 2002 build, a bunch of new features were added. This means there are also a number of new SQL tables and views, which help us create some great custom reports.

The following are the newly added SQL views/tables/functions for custom reporting:

v_Applications
v_BoundaryGroup
v_CIRemediationHistory
v_ConsoleDistinctLatestStartUpDuration
v_ConsoleLatestStartUpDuration
v_ConsoleLatestStartUpDurationPerUser
v_DefaultBrowserData
v_DeviceApplicationState
v_GS_BROWSER_USAGE
v_HS_BROWSER_USAGE
vApp_TSDTAssignmentReferences
vApp_TSDTReferences
vCMGS_AppProgramSyncData
vCMGS_CollectionSyncData
vSMS_Azure_CloudServiceHist
vSMS_CM_FeatureStatusAll

Since the TechNet Gallery is retiring very soon, I have uploaded the Microsoft Endpoint Manager SQL views for build 2002, and also for the previous builds, to GitHub for your reference.

Download the SQL views for reporting from GitHub.

Happy reporting!

Recommended reading:

SQL Server views in Configuration Manager

Creating custom reports by using SQL Server views in Configuration Manager

SCCM console connectivity issues with SQL Server 2019 – Connection may have been terminated by the server


I set up a new lab a few days ago using the Configuration Manager current branch baseline version 2002 with SQL Server 2019.

The installation went fine and I was able to play with it.

By the way, I used Johan Arwidmark's hydration kit to set up this lab to save some time. Although the current hydration kit ships with SQL Server 2017, I tweaked it and added SQL Server 2019 for my lab setup.

After a couple of days, when I tried to launch the Configuration Manager console, I ended up seeing an error about connecting to the SMS Provider.

Since the error talks about connectivity to the SMS Provider, I started looking at SMSProv.log.

Errors from the log:

[HY000][0][Microsoft][SQL Server Native Client 11.0]Unspecified error occurred on SQL Server. Connection may have been terminated by the server.

[HY000][596][Microsoft][SQL Server Native Client 11.0][SQL Server]Cannot continue the execution because the session is in the kill state.   [HY000][0][Microsoft][SQL Server Native Client 11.0]Unspecified error occurred on SQL Server. Connection may have been terminated by the server.  ThreadID : 4844 , DbError: 596 , Sev: 21

SQL Error: [HY000][596][Microsoft][SQL Server Native Client 11.0][SQL Server]Cannot continue the execution because the session is in the kill state.

If you use SQL Server 2019 with Configuration Manager 1910 or later (the supported versions), there is a known issue with the new scalar UDF inlining feature in SQL Server 2019, and the workaround is to disable UDF inlining with the following command.

Open SQL Server Management Studio, select the Configuration Manager site database (the setting is database-scoped, so running it against master does nothing for the site database) and run:

ALTER DATABASE SCOPED CONFIGURATION SET TSQL_SCALAR_UDF_INLINING = OFF

After you run the statement, you need to restart the SQL Server service.

Without restarting the SQL Server service, you will not be able to launch the console.
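The following script is an added example, not the author's or Microsoft's code. It checks whether scalar UDF inlining is currently on for the site database, applies the same ALTER DATABASE statement as above only if it is, and restarts SQL Server. It assumes it runs on the site database server with the SqlServer PowerShell module (Invoke-Sqlcmd) installed, a default instance, and a site database named CM_PS1 (site code PS1 as elsewhere on this page).

```powershell
# Added example, not the page's or Microsoft's code.
# Assumptions: run on the site database server, SqlServer module (Invoke-Sqlcmd)
# present, default instance (service MSSQLSERVER), site database CM_PS1.

param(
    [string]$SqlInstance = 'localhost',
    [string]$Database    = 'CM_PS1'
)

function Get-ScalarUdfInliningState {
    param([string]$Instance, [string]$Db)
    # sys.database_scoped_configurations is per database, so -Database must be the site DB.
    $row = Invoke-Sqlcmd -ServerInstance $Instance -Database $Db -Query @'
SELECT name, value
FROM sys.database_scoped_configurations
WHERE name = 'TSQL_SCALAR_UDF_INLINING';
'@
    return [int]$row.value      # 1 = ON (SQL Server 2019 default), 0 = OFF
}

function Disable-ScalarUdfInlining {
    param([string]$Instance, [string]$Db)
    # Same statement as the page; ALTER DATABASE SCOPED CONFIGURATION applies to the
    # current database, which is why this is issued against the site database.
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Db `
        -Query 'ALTER DATABASE SCOPED CONFIGURATION SET TSQL_SCALAR_UDF_INLINING = OFF;'
}

if ((Get-ScalarUdfInliningState -Instance $SqlInstance -Db $Database) -eq 1) {
    Disable-ScalarUdfInlining -Instance $SqlInstance -Db $Database
    # The page notes the console cannot connect until SQL Server has been restarted.
    Restart-Service -Name 'MSSQLSERVER' -Force
    "TSQL_SCALAR_UDF_INLINING is now $(Get-ScalarUdfInliningState -Instance $SqlInstance -Db $Database) (0 = OFF)"
}
else {
    'TSQL_SCALAR_UDF_INLINING is already OFF; nothing to do.'
}
```

Restart-Service -Force also restarts the dependent SQL Server Agent service; run the script in a maintenance window, since the SMS Provider and site components lose their database connections while SQL Server restarts.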

Go to services.msc and restart SQL Server.

After the SQL Server service has started, launch the console; you should now be able to connect to the SMS Provider.

Although SQL Server 2019 is supported for Configuration Manager build 1910 onwards, this is a known issue, and the workaround above is the one Microsoft provides for now.

Reference:

https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/configs/support-for-sql-server-versions#known-issue-with-sql-server-2019

How to prepare SCCM CMG Client installation switches for internet based client


I was recently assisting a customer with the implementation of a CMG to manage Windows devices over the internet.

Due to COVID-19, the majority of the workforce is working from home, and these devices will not connect to the office network for several weeks after the implementation of the CMG.

Once the CMG and the site system roles are installed, clients get the location of the CMG service automatically on their next location request. Clients must be on the intranet to receive the location of the CMG service, but in the customer's case the users are all working from home, with no way to bring the devices onto the intranet to make them CMG-aware.

So the alternative is to reinstall the client on the internet-connected devices with ccmsetup.exe and the CMG command-line switches.

How do you install the client on internet-connected devices centrally? Well, the customer has a different tool that can run a command line on all internet-connected devices.

As I mentioned in my previous blog post, you can use the command line to install the client on internet-connected devices; how to get the command-line switches is what this blog post covers.

Following is the command line I used to install the client on internet-based clients (I did not use token-based authentication here because the customer has PKI/AAD/hybrid AAD). For token-based authentication, read here.

"C:\windows\ccmsetup\ccmsetup.exe" /nocrlcheck /mp:https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/6257556037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057556037928694 SMSSiteCode=PS1 AADTENANTID=5004305e-6764-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=3C6a28b2-9d0a-484d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService

Two things to check before you push a command line like this. First, /mp and CCMHOSTNAME must both carry the same CMG service name (the value from ConnectorInfo below); the two copies above differ by a digit, so take yours from the database rather than retyping it. Second, /nocrlcheck turns off certificate revocation checking for the CMG and management point certificates; leave it out unless your clients genuinely cannot reach the CRL distribution point, because a revoked server certificate would otherwise go unnoticed.

When I was helping the customer prepare a command line like the one above, I searched in various places such as the Azure portal (app registration, tenant ID and so on). Then I realized there is a SQL table that stores all of this information.

On the SCCM database, run the following one-liner:

select * from proxy_settings

ConnectorInfo contains the mp and CCMHOSTNAME values.

AADConfig contains the AADTENANTID, AADCLIENTAPPID and AADRESOURCEURI values:

AADTENANTID = Tenant ID

AADCLIENTAPPID = ClientID

AADRESOURCEURI = ResourceURI

Based on this data, it is now much easier to prepare the command line to install the client over the CMG and manage it from the internet.
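The script below is an added example, not the customer's tooling and not Microsoft's code. It assembles the ccmsetup.exe command line from the values the page reads out of proxy_settings, refuses to emit one whose /mp and CCMHOSTNAME disagree, and keeps /nocrlcheck off unless explicitly requested; a second function checks an existing (perhaps hand-typed) command line for the same two points. It assumes the parameter set is exactly the one shown on the page; the values in the usage call are constructed placeholders, not a real CMG, tenant or app registration.

```powershell
# Added example; not the customer's tooling and not Microsoft's code.
# Assumptions: parameter set as shown on the page; the usage values below are
# constructed placeholders, not a real CMG, tenant or app registration.

function New-CmgCcmSetupCommand {
    param(
        [Parameter(Mandatory)][string]$CmgServiceName,   # ConnectorInfo: <host>/CCM_Proxy_MutualAuth/<id>
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$AadTenantId,      # AADConfig: Tenant ID
        [Parameter(Mandatory)][string]$AadClientAppId,   # AADConfig: ClientID
        [string]$AadResourceUri = 'https://ConfigMgrService',   # AADConfig: ResourceURI
        [switch]$NoCrlCheck   # off by default: keeps certificate revocation checking on
    )

    # One service name feeds both /mp and CCMHOSTNAME, so the two cannot drift apart.
    if ($CmgServiceName -notmatch '^[A-Za-z0-9.-]+/CCM_Proxy_MutualAuth/\d+$') {
        throw "CMG service name '$CmgServiceName' is not of the form <host>/CCM_Proxy_MutualAuth/<id>"
    }
    foreach ($id in @($AadTenantId, $AadClientAppId)) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$parsed)) { throw "'$id' is not a GUID" }
    }

    $parts = @(
        '"C:\windows\ccmsetup\ccmsetup.exe"'
        if ($NoCrlCheck) { '/nocrlcheck' }
        "/mp:https://$CmgServiceName"
        'CCMHTTPSSTATE=31'
        "CCMHOSTNAME=$CmgServiceName"
        "SMSSiteCode=$SiteCode"
        "AADTENANTID=$AadTenantId"
        "AADCLIENTAPPID=$AadClientAppId"
        "AADRESOURCEURI=$AadResourceUri"
    )
    return ($parts -join ' ')
}

function Test-CmgCcmSetupCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Flags the /mp vs CCMHOSTNAME mismatch and the presence of /nocrlcheck
    # in a command line that was typed or copied by hand.
    $mp       = [regex]::Match($CommandLine, '/mp:https://(\S+)').Groups[1].Value
    $hostName = [regex]::Match($CommandLine, 'CCMHOSTNAME=(\S+)').Groups[1].Value
    [pscustomobject]@{
        MpMatchesHostName = [bool]($mp -and $mp -eq $hostName)
        CrlCheckDisabled  = [bool]($CommandLine -match '/nocrlcheck')
    }
}

# Usage with constructed placeholder values:
$cmd = New-CmgCcmSetupCommand -CmgServiceName 'CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/1234567890123456' `
           -SiteCode 'PS1' -AadTenantId '11111111-2222-3333-4444-555555555555' `
           -AadClientAppId '66666666-7777-8888-9999-000000000000'
$cmd
Test-CmgCcmSetupCommand -CommandLine $cmd
```

Feed the generated string to whatever tool pushes commands to the internet-connected devices; running Test-CmgCcmSetupCommand against the command line quoted earlier in this post reports the mismatch between its /mp and CCMHOSTNAME values.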

I hope it helps and thanks for reading!

For more information about client installation parameters and properties in Configuration Manager, please read here


Technical preview 2005 – Tenant attach Install application in real time from admin center


With the Configuration Manager technical preview build 2005, a bunch of tenant attach features were released that let you take actions from the Devices blade in the admin center.

One of the coolest features in this preview release is that we can now initiate an application install in real time for a tenant-attached device from the Microsoft Endpoint Manager admin center.

What do we need in order to install an application in real time from the admin center?

Prerequisites:

You need to meet all of the prerequisites for tenant attach (ConfigMgr client details).

The following prerequisite is newly added in order to initiate an application install from the admin center:

  • At least one application deployed to a device collection with the An administrator must approve a request for this application on the device option set on the deployment. For more information, see Approve applications.
    • User targeted applications or applications without the approval option set don't appear in the application list.

As you can see in the application deployment settings, the deployment must be targeted to a device collection with purpose Available, with 'An administrator must approve a request for this application on the device' checked.

You can now review the log for the data upload:

  1. Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
  2. The next sync time is noted by log entries similar to Next run time will be at approximately: 30/05/2020 16:35:31.
  3. For device uploads, look for log entries similar to Batching N records. N is the number of devices uploaded to the cloud.
  4. The upload occurs every 15 minutes for changes. Once changes are uploaded, it may take an additional 5 to 10 minutes for client changes to appear in Microsoft Endpoint Manager admin center.

image

In Technical preview, to install the app, we must right click on the device and choose admin center preview and initiate it from there.

When this feature release in current branch, we can directly open the MEM admin center portal (https://endpoint.microsoft.com) and perform the device actions.

For now, we need to open the admin center from the tenant-attached device. In the Configuration Manager console, right-click the tenant-attached device, choose Start, and then choose Admin center preview.

If the Admin center preview is grayed out, then the device is not part of the tenant attach collection in co-management settings.


You will be prompted for authentication and you will see the following screen.


Click on applications to see the available apps that are ready to install on the device.

We have published an application to the device collection; its installation can be initiated from the MEM admin center.


Now go back to your configuration manager installation directory and open log CMGatewayNotificationWorker.log to see the status of the application install.

When an action is initiated from the Microsoft Endpoint Manager admin center on Configmgr client, CMGatewayNotificationWorker.log processes the request.

In the log you will see the application request being sent, the approved request being created, and more details about the request.

Sending AdminService request with URL: https://sg-cmtp01.domain/AdminService/wmi/SMS_ApplicationRequest.CreateApprovedRequest


After a while, if you look at the client appenforce.log, the application installation is completed.


We can now go back to the admin center and refresh the page to see the updated status as ‘Installed’.


With this feature, we can now act on a user's application deployment request from anywhere with one click, even from a mobile device, without touching the Configuration Manager console.

Reference:

https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2005#bkmk_apps

Failed to install Configmgr Client- The client version does not match the MP version The client will not be installed


I was recently troubleshooting the sccm client installation issue on a server that was configured as a distribution point.

The client installation process is very simple and straightforward unless you hit issues like this.

When I started looking at the client installation log (ccmsetup.log), I saw the following information.

The client version 5.00.8913.1000 (build 2002) does not match the MP version 5.00.8790.1000 (Build 1910). The client cannot be installed.

ccmsetup failed with error code 0x80004005


The above error says there is a management point installed on the server whose version does not match the client version you are trying to install.

The management point and the client share the same binaries, hence the client version must match the MP version.

So I started looking at the SCCM site system roles: the server is configured with the DP role only and no other roles.

But in IIS and the registry, I could see entries for a management point, as shown below.


So the question is, where did this management point install from?

I have reached out to the customer and got to know the following information:

The DP server having the issue was earlier configured as a management point and distribution point attached to site P01 (the old SCCM site).

The customer had planned to install a new SCCM site (PS1) and re-use the remote site server that is now having the issue as a DP for the new site.

The customer had uninstalled the MP and DP roles from the old site, but for some reason the uninstallation of the DP or MP did not complete successfully; later the problem server was installed with the DP role from the new SCCM site (PS1), and the old SCCM site (P01) was decommissioned.

Now that we know the background of the issue, let's see how to fix it.

I tried uninstalling the client completely using ccmsetup.exe /uninstall and also used ccmclean.exe, but I could not get it working.

When you install the Configuration Manager client, it creates a WMI namespace called Root\CCM, which holds the configuration and policies that govern the operation of the ConfigMgr client and also the management point (if that role is installed).

On a device that has both the client and the MP installed, there is a WMI class inside the root\ccm namespace called CCM_InstalledProduct, with one instance per installed product.

There will be 2 MSI products listed in WMI: one for the ConfigMgr client and the other for the MP role.


When we run ccmsetup.exe /uninstall, it removes only one product, the Configuration Manager client; the second product (the MP) remains, hence the issue.

To uninstall the management point completely along with the Configuration Manager client (if installed), use the following VBScript.

'Uninstall the ConfigMgr client and the MP if it exists
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
'First, find the product GUIDs registered in root\ccm
strComputer = "."
Set wmiService = GetObject("winmgmts:\\" & strComputer & "\root\ccm")
Set wmiObjs = wmiService.InstancesOf("CCM_InstalledProduct")
For Each wmiObj In wmiObjs
     'Uninstall each product in turn; wait for msiexec to finish so the two
     'uninstalls do not collide (Windows Installer runs one install at a time)
     cmdLine = "msiexec /x " & wmiObj.ProductCode
     WScript.Echo cmdLine
     WshShell.Run cmdLine, 1, True
Next

Save the script as removeMP.vbs and run it on the problem server with administrative rights.


After the script runs successfully, you will be prompted for a reboot (mandatory).

Reboot the server and install the Configuration Manager client. This time it installed successfully and was able to communicate with the new SCCM site (PS1).

Hope this helps!

Configuration Manager Technical preview 2006 – Allow Intranet clients to scan against CMG Software update point


Microsoft has released Configuration Manager Technical Preview version 2006 with a lot of cloud features. For more information about the features of this preview release, please refer https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2006

This technical preview version is not a baseline version and can be installed only from the in-console update. If you are building a new site, install the baseline (technical preview) version 2002 and update it to 2006 using the in-console update.

This technical preview version focuses more on cloud-related features. One of the most awaited CMG features is allowing intranet clients to scan against the CMG software update point when you configure the boundary groups accordingly.

Until now, in all the technical preview releases and in the current branch builds, all on-prem client traffic could be routed via the CMG except the software update scan; that is now possible with technical preview build 2006.

The following are the 2 scenarios in which you can configure the boundary groups to allow intranet clients to scan against CMG software update point.

· When an internet machine connects to the VPN, it will continue scanning against the CMG software update point over the internet.

· If the only software update point for the boundary group is the CMG software update point, then all intranet and internet devices will scan against it

How to test this feature to allow intranet clients to scan against CMG SUP?

Create boundaries and boundary groups for your VPN clients. In my lab, I use my intranet client as the VPN boundary.

Boundary group:


Go to properties of the VPN boundary group and click on references:

Add the CMG here (please note that I am using a 3rd party certificate in my lab, hence there is no cloudapp.net name).


My lab has only 1 SUP, so I configured it to support both intranet and internet-based clients.

The following setting applies to the second scenario: if the only software update point for the boundary group is the CMG software update point, then all intranet and internet devices will scan against it.


If you have a dedicated SUP for internet-based clients, you can choose ‘Allow Internet-only client connections’ for your VPN clients. Then, when an internet machine connects to the VPN, it will continue scanning against the CMG software update point over the internet.

In the relationships tab, leave it blank. There is no need to configure any fallback.

In the options tab (for downloads), configure the ‘prefer cloud based sources over on-premise sources’.


Now log in to the client (Win10, connected on-prem) and restart the SMS Agent Host service for a quick test, or run the machine policy retrieval cycle.

From the Configuration Manager applet, run the Software Updates Scan Cycle and monitor WUAHandler.log and LocationServices.log.

Locationservices.log


wuahandler.log:


As you can see, the client is connected to the intranet, but the software update scan is running against the CMG software update point.

Following is a SQL query that helps you identify the clients scanning against the CMG software update point.

select uss.LastScanPackageLocation [Scan Location],
count(*) Total
from v_UpdateScanStatus uss
group by uss.LastScanPackageLocation


This is a great feature for routing all the traffic via the internet.

Hope to see this feature in the next version of production build.

Configuration Manager-Failed to install IIS feature-the source files could not be found error code 0x800f081f


This is a quick post on an issue I came across recently at a customer who was unable to install the IIS role for setting up a distribution point.

As we all know, IIS is a prerequisite for setting up a distribution point in Configuration Manager.

During the installation of the IIS feature, you need to provide the path to the source files; this is usually the SxS folder from the OS media, as shown below.

I specified the SxS folder during the installation of IIS and made sure that the OS version matched the ISO file that was downloaded.

This is the usual procedure we all follow to install the IIS feature and it always works, but in this case it never worked for me.

Following is the error code:

The request to add or remove features on the specified server failed. The source files could not be found. Error Code 0x800f081f.

I tried a couple of times by changing the ISO to the latest one, but it failed with the same error code.

What other options do we have to install the IIS role so the DP can work?

If the server cannot use the SxS source files to install IIS, we can use the WIM file from the same ISO to install the IIS feature with a PowerShell cmdlet.

Following is the PowerShell syntax.

Install-WindowsFeature Web-Server -Source wim:D:\sources\install.wim:2

Here 2 refers to the image index inside the WIM.

How do we know what index to use? This is based on the OS edition installed on the server.

You can check the OS edition on the server by running winver from the Run command.

Once you know the edition, run the following DISM command to find the index.

dism /get-wiminfo /wimfile:E:\sources\install.wim

Index 2 refers to Windows Server 2019 Standard with Desktop Experience.

If your OS is datacenter with desktop experience, you need to use index 4.

Once we have all the necessary information, run the PowerShell cmdlet to install the IIS role.

Install-WindowsFeature Web-Server -Source wim:D:\sources\install.wim:2

Status after the PowerShell command:

Likewise, you can install any other feature using the same format.
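As an added example (not part of the original post), the following PowerShell picks the install.wim index that matches the local server's edition and installation type instead of reading it off the DISM output, then installs IIS from that index. The D:\sources\install.wim path and the Get-MatchingWimIndex / Install-IisFromWim function names are my own assumptions.

```powershell
# Added example, not code from the original post. Assumes the OS media is
# mounted at D: and that image names follow the usual pattern, e.g.
# "Windows Server 2019 Standard (Desktop Experience)".

function Get-MatchingWimIndex {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $WimPath)

    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # EditionID is e.g. ServerStandard / ServerDatacenter (ServerStandardEval on eval media);
    # InstallationType is "Server" for Desktop Experience and "Server Core" for Core.
    $edition  = $cv.EditionID -replace '^Server', '' -replace 'Eval$', ''
    $wantsGui = ($cv.InstallationType -eq 'Server')

    # Get-WindowsImage lists the same indexes that "dism /get-wiminfo" shows.
    $candidates = @(Get-WindowsImage -ImagePath $WimPath | Where-Object {
        $_.ImageName -like "*$edition*" -and
        (($_.ImageName -like '*Desktop Experience*') -eq $wantsGui)
    })

    if ($candidates.Count -eq 0) {
        throw "No image in $WimPath matches edition '$edition' (Desktop Experience: $wantsGui)."
    }
    if ($candidates.Count -gt 1) {
        throw "More than one image matches; indexes: $($candidates.ImageIndex -join ', ')"
    }
    return [int]$candidates[0].ImageIndex
}

function Install-IisFromWim {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $WimPath = 'D:\sources\install.wim')

    $index  = Get-MatchingWimIndex -WimPath $WimPath
    $source = "wim:${WimPath}:${index}"     # same wim:<path>:<index> form the post uses
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Install-WindowsFeature Web-Server -Source $source")) {
        $result = Install-WindowsFeature -Name Web-Server -Source $source
        if (-not $result.Success) {
            throw "Install-WindowsFeature failed with exit code $($result.ExitCode)"
        }
        if ($result.RestartNeeded -eq 'Yes') {
            Write-Warning 'A restart is required to finish the install.'
        }
        return $result
    }
}

Install-IisFromWim -WhatIf    # drop -WhatIf to perform the install
```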

If the standard practice doesn’t work, we take other routes to make things work 😊

Hope it helps!

Create a collection and upgrade the Configuration Manager Console


I was recently assisting a customer with a Configuration Manager upgrade; after the site upgrade is done, the console on endpoint devices needs to be upgraded to the latest version.

When you install or update your Configuration Manager site, the console version changes and needs to be updated on all your endpoints that have the console installed.

If your site is running a newer version of Configuration Manager but your users are on a lower version, users will be prompted to install the new console version the next time they launch the console, but installing the console has the following prerequisites:

§ You have local Administrator rights on the target computer for the console.

§ You have read permissions to the location of the Configuration Manager console installation files.

We follow the standard method: create a collection that identifies the devices running a lower version of the console, create an application using the admin console files, and deploy it silently to upgrade the console.

To create a collection (device), use the following WQL Query:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where (SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Endpoint Configuration Manager Console" or SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "System Center Configuration Manager Console")
and SMS_G_System_ADD_REMOVE_PROGRAMS.Version < "5.2006.1024.1000"

Replace the console version with the one that matches your site.

Now, we will create an application using the latest admin console setup files and deploy it to the collection.

Grab the following files from <Configuration Manager installation media>\SMSSETUP\BIN\I386 and copy them to a source folder.

  • ConsoleSetup.exe
  • AdminConsole.msi
  • ConfigMgr.AC_Extension.i386.cab
  • ConfigMgr.AC_Extension.amd64.cab

In the source folder where you placed the above files, create a batch script with the following silent installation command line.

ConsoleSetup.exe /q TargetDir="%ProgramFiles%\ConfigMgr Console" DefaultSiteServerName=SG-CM01.intranet.eskonr

Replace the site server name with your own.


Create an application with deployment type as script and use the following detection method.


Detection method:

Type: File system

Type: File

Path: %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminConsole\bin

File or folder: Microsoft.ConfigurationManagement.exe

Value: 5.2006.1024.1000

Replace the value that matches your site server console version.


Deploy the application to the collection that we created initially.

Monitor the deployment using built-in reports/in-console or your custom reports.

Following is the SQL query to find the count of devices with configuration manager console versions.

select arp.DisplayName0,arp.Version0,count(*) Total From v_Add_Remove_Programs arp
where arp.DisplayName0 like 'Microsoft Endpoint Configuration Manager Console'
or arp.DisplayName0 like 'System Center Configuration Manager Console'
group by arp.DisplayName0,arp.Version0


You can also monitor the console versions that connect to the site using the Console Connections node under Security in the console.

\Administration\Overview\Security\Console Connections


Hope it helps!

Use SCCM to find the excluded apps in Microsoft 365 Apps or Office 365 Proplus for custom reporting


I was asked by a customer to find the devices with excluded apps in C2R products such as Office 365 ProPlus, Microsoft 365 Apps, or Office 2019.

When you create a configuration file for C2R products such as Office 365 ProPlus/Microsoft 365 Apps, you can define which apps of the product should not be installed, such as Word, Excel, PowerPoint, Publisher, Visio, or Skype. If you don't want Publisher installed with those applications, use the ExcludeApp element to remove it.

Following are the allowed values for the ID attribute of the ExcludeApp element.

  • ID="Access"
  • ID="Excel"
  • ID="Groove"
  • ID="Lync"
  • ID="OneDrive"
  • ID="OneNote"
  • ID="Outlook"
  • ID="PowerPoint"
  • ID="Publisher"
  • ID="Teams"
  • ID="Word"

Following is the sample configuration file I used to deploy Microsoft 365 Apps with a few apps excluded.

<Configuration>
    <Add OfficeClientEdition="64" Channel="Monthly">
        <Product ID="O365ProPlusRetail">
            <Language ID="en-us"/>
            <ExcludeApp ID="OneDrive"/>
            <ExcludeApp ID="Groove"/>
            <ExcludeApp ID="Lync"/>
        </Product>
    </Add>
    <Display Level="Standard" AcceptEULA="TRUE"/>
    <Property Name="AUTOACTIVATE" Value="1" />
    <Logging Level="Standard" Path="C:\windows\o365proplus"/>
</Configuration>

Likewise, multiple configuration files will be created and deployed to end users based on requirements, and at some point it is good to have a report that finds the devices together with their list of excluded apps.

When you deploy a C2R product using Endpoint Manager, there is no built-in report to identify which apps are excluded on specific devices.

How do we inventory the devices with excluded apps in Microsoft 365 Apps?

Let's start by analysing the data stored on the endpoint for Office/Microsoft 365 Apps.

The following registry key holds the information about the C2R products.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration


As you can see, there is a lot more information stored in the registry, including O365ProPlusRetail.ExcludedApps.

This tells us that on this device the 3 apps (OneDrive, Groove, Lync) that we excluded in the configuration file above were indeed excluded.
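The following PowerShell is an added example, not code from the original post: it reads the *.ExcludedApps values from the ClickToRun Configuration key above and compares them with the ExcludeApp IDs in an Office Deployment Tool configuration XML, so drift between what was deployed and what the device reports shows up before the data reaches the inventory. The function names are my own; the embedded XML is the sample configuration from this post.

```powershell
# Added example, not code from the original post.
# Allowed ExcludeApp IDs as listed in the post.
$AllowedExcludeIds = @('Access','Excel','Groove','Lync','OneDrive','OneNote',
                       'Outlook','PowerPoint','Publisher','Teams','Word')

function Get-ExpectedExcludedApps {
    # Returns a hashtable: Product ID -> sorted list of ExcludeApp IDs from the XML.
    param([Parameter(Mandatory)][xml] $Config)
    $expected = @{}
    foreach ($product in $Config.Configuration.Add.Product) {
        $ids = @($product.ExcludeApp | ForEach-Object { $_.ID })
        $bad = @($ids | Where-Object { $_ -notin $AllowedExcludeIds })
        if ($bad.Count -gt 0) {
            throw "Unknown ExcludeApp ID(s) for $($product.ID): $($bad -join ', ')"
        }
        $expected[$product.ID] = @($ids | Sort-Object)
    }
    return $expected
}

function Get-ActualExcludedApps {
    # Reads every "<Product>.ExcludedApps" value (a comma-separated list) under the C2R key.
    param([string] $KeyPath = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration')
    $actual = @{}
    $key = Get-Item -Path $KeyPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        if ($name -like '*.ExcludedApps') {
            $productId = $name -replace '\.ExcludedApps$', ''
            $raw = [string]$key.GetValue($name)
            $actual[$productId] = @($raw -split ',' | Where-Object { $_ } | Sort-Object)
        }
    }
    return $actual
}

function Compare-ExcludedApps {
    # One row per product in the XML; InSync is $true when registry and XML agree.
    param([hashtable] $Expected, [hashtable] $Actual)
    foreach ($productId in $Expected.Keys) {
        $want = $Expected[$productId]
        $have = if ($Actual.ContainsKey($productId)) { $Actual[$productId] } else { @() }
        [pscustomobject]@{
            Product  = $productId
            Expected = ($want -join ',')
            Actual   = ($have -join ',')
            InSync   = (($want -join ',') -eq ($have -join ','))   # -eq is case-insensitive
        }
    }
}

# Constructed sample: the configuration file from this post.
[xml]$sampleXml = @'
<Configuration>
  <Add OfficeClientEdition="64" Channel="Monthly">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us"/>
      <ExcludeApp ID="OneDrive"/>
      <ExcludeApp ID="Groove"/>
      <ExcludeApp ID="Lync"/>
    </Product>
  </Add>
</Configuration>
'@

$expected = Get-ExpectedExcludedApps -Config $sampleXml
$actual   = Get-ActualExcludedApps            # reads the live registry on this device
Compare-ExcludedApps -Expected $expected -Actual $actual | Format-Table -AutoSize
```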

How do we bring this data into Configuration Manager? Is there a built-in tool or inventory that gathers this information?

There are some built-in reports with information about Office 365 products, but if you want anything custom like this, we must extend the hardware inventory, which can be achieved with a popular tool called RegKeyToMOF.

Detailed Steps:

1. Use RegKeyToMOF to generate configuration.mof and inventory.mof, and compile the MOF files to check for syntax errors.

2. Import inventory.mof and configuration.mof, then verify the MOF changes on the site and on the SQL side as well.

3. Deploy the client setting to a test device collection.

4. Initiate a machine policy cycle on the test device and trigger hardware inventory.

5. Monitor hardware inventory on the site server and check the SQL results for any data received.

1. Use RegKeyToMOF to generate configuration.mof and inventory.mof:

Download the RegKeyToMOF.exe tool from TechNet.

On a device where Office 365 ProPlus/Microsoft 365 Apps or Office 2019 is installed, copy the tool and run it to generate a custom MOF file.

Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration


At this point, we can export configuration.mof and inventory.mof using the tool (inventory.mof is imported in the admin console later) and save the MOF files.

The exported MOF files contain a lot of information, and we will need to trim them down to the actual requirement.

Following is my configuration.mof and inventory.mof (Trimmed version):

Configuration.mof:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to collect
// 16/10/2018 3:05:03 PM

#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Configuration", NOFAIL)
[DYNPROPS]
Class Configuration
{
[key] string KeyName;
String ProPlus2019RetailExcludedApps;
String O365ProPlusRetailExcludedApps;

};

[DYNPROPS]
Instance of Configuration
{
KeyName="RegKeyToMOF";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|ProPlus2019Retail.ExcludedApps"),Dynamic,Provider("RegPropProv")] ProPlus2019RetailExcludedApps;

[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|O365ProPlusRetail.ExcludedApps"),Dynamic,Provider("RegPropProv")] O365ProPlusRetailExcludedApps;
};

The registry path and value names inside PropertyContext must match the registry key exactly, whereas the class property names (ProPlus2019RetailExcludedApps and O365ProPlusRetailExcludedApps here) can be customised at your convenience but must be identical in configuration.mof and inventory.mof.

Inventory.mof:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to report to the server
// 16/10/2018 3:05:03 PM
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Configuration", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("o365ExcludedApps"),SMS_Class_ID("o365ExcludedApps")]
Class Configuration: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String ProPlus2019RetailExcludedApps;
[SMS_Report(TRUE)] String O365ProPlusRetailExcludedApps;
};

Download the MOF files from GitHub.

If you have added more attributes from the registry, make sure you compile the MOF file to catch any syntax errors.

Compile the MOF file using mofcomp.exe filename.mof


Once the mof files are validated, we are now ready to make changes on the SCCM server.

2. Import the inventory.mof and configuration.mof:

Copy the MOF files to your CAS/primary site server.

Browse to the SCCM installation directory, <Installed Dir>\Program Files\Microsoft Configuration Manager\inboxes\clifiles.src\hinv

Take a backup of configuration.mof before making any changes.

Edit configuration.mof, go to the last line of the file, and paste the content of your custom configuration.mof at the bottom of the file.


Save the changes.

Now open the SCCM console, go to Administration, Client Settings, edit the Default Client Settings, and go to Hardware Inventory.


Click on Set Classes.

Click on import, select the inventory.mof file that you have downloaded or created your own.


Click on import.

Make sure you untick o365ExcludedApps, because we don't want these changes applied to all devices through the default client settings.


This step will help us to import the settings, create a SQL view etc.

Monitor dataldr.log on your site server for changes. We will now see that the SQL view and stored procedure are created successfully.


Querying select * from v_GS_o365ExcludedApps0 returns empty results for now.


We will now create new client settings, or use existing client settings, to deploy to a test collection for monitoring the results.

On your new or existing test client settings, click Edit, go to Hardware Inventory, click Set Classes, and tick o365ExcludedApps.


We have now completed the changes on the site server.

3. Deploy the client setting to test device collection.

4. Initiate machine policy cycle on the test device, trigger hardware inventory.

We will move on to the client and initiate a machine policy cycle so the client receives these changes, then initiate hardware inventory.

Initiate hardware inventory and monitor the log InventoryAgent.log


Collection: Namespace = \\.\root\cimv2; Query = SELECT __CLASS, __PATH, __RELPATH, KeyName, O365ProPlusRetailExcludedApps, ProPlus2019RetailExcludedApps, VisioPro2019RetailExcludedApps FROM Configuration; Timeout = 600 secs.

We will now move to the SQL database and run the query to test the results.


select sys.Netbios_Name0,
  exc.O365ProPlusRetailExcludedApp0,
  exc.ProPlus2019RetailExcludedApp0
  from [v_GS_o365ExcludedApps0] exc
  inner join v_R_System_Valid sys
  on sys.ResourceID=exc.ResourceID


We have now successfully gathered the required data using the custom hardware inventory.

For more information about:

Overview of Office Deployment Tool, please refer https://docs.microsoft.com/en-us/deployoffice/overview-office-deployment-tool

Office deployment tool configuration options, please refer https://docs.microsoft.com/en-us/deployoffice/office-deployment-tool-configuration-options

Hope you find this post useful.

Managing windows updates using Configuration Manager and Group policy


When a Configuration Manager client is installed and configured to use the software updates agent, it is automatically configured with a local Group Policy setting that specifies the Configuration Manager software update point. The Group Policy setting used is the intranet Microsoft update service location, specified as a Windows Update computer administrative template setting.

The following screenshot shows the local group policy setting for a client that has the software update agent enabled.


If you have a local Group Policy setting configured with the Microsoft update service location, it will always be overwritten by an Active Directory Group Policy setting, and this can result in the Configuration Manager client failing to obtain software updates using Configuration Manager.

Jason has written 2 blogs on GPO and software update management, please read the following.

https://home.memftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
https://home.memftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

It is always recommended to create a GPO to disable automatic updates and let software update patching happen through ConfigMgr. This helps you do Windows update patching in a controlled way.

So until now, you have a good understanding of the software update management and group policy.

One of my customers recently reached out to me asking for help to block users from running the Windows Update process manually on their devices.

The reason they want to block all available Windows Update options is that Microsoft recently released an update (KB4577586) to remove Adobe Flash from Windows.

Removing Adobe Flash will impact their legacy applications that use Adobe Flash.

When I asked the customer to send a screenshot of the Windows Update settings, it showed the following.


As you can see above, in the first option automatic updates are already disabled through GPO, so there won't be any automatic Windows Update process; but if you look at the second option, the user still has the option to click ‘Check online for updates from Microsoft update’ and run Windows Update.

Configuring the GPO ‘Disable automatic updates’ only disables the automatic update schedule that runs every night around 3 AM or so, but it still leaves the user the option to click ‘Check online for updates from Microsoft update’. That action initiates the Windows Update search, download, install and reboot of the device.


In the above screenshot, I have a GPO to turn off automatic updates, but the user can still trigger Windows Update using ‘Check online for updates from Microsoft update’.


How do we disable/hide ‘Check online for updates from Microsoft update’?

Create a GPO and configure the following setting.

Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings

Turn off access to all Windows Update features = Enabled


Link the GPO to a test OU and test the Windows Store and update functions before deploying the policy to all production machines.

End-results:

The policy will now hide ‘Check online for updates from Microsoft update’ setting.


A new registry value is created by this setting.

Registry Path:
Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess


Hope it helps!


Troubleshooting WSUSContent folder size when it grows bigger and bigger


I was recently helping a customer who had an issue with the WSUSContent folder size, which was about 330GB. This folder is usually around 5-6GB if you are not using standalone WSUS or 3rd party updates for patching.

This folder primarily stores:

1. Software update end-user license agreement (EULA).

2. Microsoft patches for windows and other products for standalone WSUS.

3. 3rd party updates, in case you have integrated a 3rd party patching tool.

The following is the screenshot for the wsuscontent folder size.


When the customer reported that the WSUSContent size was huge, the following questions were raised.

1. Is it standalone or integrated with Configuration Manager? --> Integrated with ConfigMgr.

2. Are you using any 3rd party patching tool, which would explain the higher content download? --> There is no 3rd party patching tool; it is only Microsoft updates.

Given those answers, WSUSContent should not be this large. The troubleshooting is as follows.

1. Open the WSUS console, go to Options, and open Automatic Approvals.


There was a default automatic approval rule enabled, with the following rule properties.


What does it do? When the WSUS sync runs, the updates that match the update classifications you have selected are approved and downloaded to the WSUSContent folder.

This is needed only when you use a standalone WSUS server but not with Configuration Manager.

If you have integrated the WSUS server with Configuration Manager, you should not touch the WSUS MMC after the initial configuration.

By default, when you integrate WSUS with ConfigMgr, this automatic rule is un-selected.

So someone made this change unknowingly, which caused the content folder to grow.

How do we fix this now?

1. Since WSUS is integrated with ConfigMgr, we can deselect the automatic approval rule so there won't be any further content downloads.

2. To clean up the downloaded content in the WSUSContent folder, we need to decline all the updates in the WSUS console (don't worry, this won't impact your ConfigMgr patching or the metadata in the ConfigMgr console; you are safe doing it) and run the Server Cleanup Wizard.

So go ahead, untick the default automatic approval rule, and click OK.

To decline all approved updates, click Updates, then All Updates.

For Approval, select Approved, and for Status, select Any.

You should see the list of approved updates, which have also been downloaded to the WSUSContent folder.

In my case, there are 636 updates approved.

Select all the updates, right-click, and choose decline.

You will be prompted with the following screen; select Yes.


Depending on the number of updates, it may take some time.


Once the updates are declined, refresh the page.

Now we need to clean up the content stored in the folder.

In the console, click Options and select Server Cleanup Wizard.


You will be presented with multiple cleanup options, but the first one is our fix to remove the downloaded content.


As you can see, we have now cleaned up around 320GB.


Depending on the number of updates, you may see the MMC console crash, but don't worry, try again and it will succeed.

There are also scripts available to perform the cleanup without the MMC crash, but the UI works fine.

Once the cleanup is done, go back and check the size of WSUSContent; it is now 3.7GB, which is normal.
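As an added example (not from the original post), here are the same three steps done with the UpdateServices PowerShell module instead of the MMC: disable the enabled automatic approval rules, decline all approved updates, and run only the unneeded-content-files cleanup. It assumes it runs on the WSUS server with the WSUS administration tools installed; the function names are my own.

```powershell
# Added example, not code from the original post. Runs on the WSUS server;
# every function supports -WhatIf so you can see the plan before changing anything.
Import-Module UpdateServices -ErrorAction Stop

function Disable-WsusAutoApprovalRules {
    # Equivalent of unticking the rule in Options > Automatic Approvals.
    [CmdletBinding(SupportsShouldProcess)]
    param($Server = (Get-WsusServer))
    foreach ($rule in $Server.GetInstallApprovalRules()) {
        if ($rule.Enabled -and $PSCmdlet.ShouldProcess($rule.Name, 'Disable automatic approval rule')) {
            $rule.Enabled = $false
            $rule.Save()
            [pscustomobject]@{ Rule = $rule.Name; Enabled = $rule.Enabled }
        }
    }
}

function Deny-AllApprovedWsusUpdates {
    # Equivalent of All Updates > Approval: Approved, Status: Any > Decline.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $approved = @(Get-WsusUpdate -Classification All -Approval Approved -Status Any)
    Write-Verbose "Approved updates found: $($approved.Count)"
    if ($approved.Count -gt 0 -and $PSCmdlet.ShouldProcess("$($approved.Count) approved updates", 'Decline')) {
        $approved | Deny-WsusUpdate
    }
    return $approved.Count
}

function Invoke-WsusContentCleanup {
    # Only the content-file step, matching the first option in the Server Cleanup Wizard.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Invoke-WsusServerCleanup -CleanupUnneededContentFiles')) {
        Invoke-WsusServerCleanup -CleanupUnneededContentFiles
    }
}

# Dry run first; remove -WhatIf to apply the changes.
Disable-WsusAutoApprovalRules -WhatIf
Deny-AllApprovedWsusUpdates -Verbose -WhatIf
Invoke-WsusContentCleanup -WhatIf
```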


Hope you find this post useful.

System Center Endpoint Protection (SCEP) Installation Error code 0x8004FF91


I had provisioned a Windows Server 2012 R2 (yes, 2012 R2), and while installing the SCEP client (the System Center Endpoint Protection client installation files were taken from current branch 2010), it failed with the following error.

Setup - Cannot complete the System Center Endpoint Protection installation. An error has prevented the System Center Endpoint Protection setup wizard from completing successfully. Please restart your computer and try again. Error code:0x8004FF91. [8004FF91]

I tried various command line switches for the SCEP client installation, but all returned the same error code.

The server had the Configuration Manager client 2010 installed and was fully patched.

I also tried removing the Configuration Manager client and installing SCEP. No matter what, the SCEP client installation always failed.


As per the error message, I rebooted the server and re-ran the installation, but it failed with the same error code again.

To troubleshoot further, I looked at the logs in c:\programdata\microsoft\Microsoft Security Client\support and found several files in this folder.


EppSetup.log and MSSecurityClient_Setup_4.7.209.0_epp_Install.log reveal the same information shown in the UI.


The following is the relevant information from the MSSecurityClient_Setup log.

setup CA ERROR  : CryptCATAdminAddCatalog failed with 1062

NIS setup CA ERROR  : InstallNisDriver: InternalInstallCatalog failed with 1603

NIS setup CA INFO   : InstallNisDriver completed with error result 1603

CustomAction InstallDriver returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

image

CryptCATAdminAddCatalog failed with 1062: Win32 error 1062 is ERROR_SERVICE_NOT_ACTIVE, and adding a catalog to the catalog database depends on Cryptographic Services (CryptSvc). That points at the crypto service on this server, which turned out to be missing altogether. Without it, Windows cannot install the driver catalog, which is why the NIS driver installation (InstallNisDriver) fails with 1603 and the whole setup rolls back.

Open a command prompt on the problematic server and run sc query cryptsvc:

The specified service does not exist as an installed service.

clip_image001

How do we get the service back? Re-registering cryptsvc.dll (C:\Windows\System32\cryptsvc.dll) did not help.

Running sfc /scannow repairs corrupted system files, if there are any, but that did not help either.

The next step was to log on to a Server 2012 R2 machine that already had the SCEP client and check whether the Cryptographic Services service exists there.

The service was present on the working server, so export the registry key for this specific service, import it on the problematic server and reboot.

The following is the registry key of the service (HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc).

clip_image002

Export the key on the working server, import it on the problematic server, and reboot the server.

After logging on, check whether the Cryptographic Services service now exists. If it does, run the SCEP client installation.

clip_image001
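As an added example (not code from the original post), the PowerShell below automates the check and the restore: it tests whether CryptSvc is registered and, only if it is not, imports a .reg export taken from a healthy server of the same OS build. $RegFile is an assumed path; the export command for the working server is in the comments. The sanity check on the file before importing matters because a .reg import writes straight into the service database of the host.

```powershell
# Added example (not from the original post): verify Cryptographic Services
# (CryptSvc) is registered and, if missing, restore its definition from a
# registry export made on a known-good Windows Server 2012 R2 host.
# Assumptions: elevated session; $RegFile is an export of
# HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc from the healthy server:
#   reg export HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc C:\Temp\CryptSvc.reg

$ServiceName = 'CryptSvc'
$RegFile     = 'C:\Temp\CryptSvc.reg'   # assumption: copied from the working server

function Test-ServiceRegistered {
    param([string]$Name)
    # Get-Service returns nothing for a service that is not installed
    # (the same condition sc query reports as error 1060).
    return [bool](Get-Service -Name $Name -ErrorAction SilentlyContinue)
}

if (Test-ServiceRegistered -Name $ServiceName) {
    $state = (Get-Service -Name $ServiceName).Status
    Write-Host "$ServiceName is registered; current state: $state"
    if ($state -ne 'Running') { Start-Service -Name $ServiceName }
}
else {
    Write-Warning "$ServiceName is not an installed service; restoring from $RegFile"

    if (-not (Test-Path -Path $RegFile)) { throw "Export file $RegFile not found" }

    # Only import a file that actually defines the CryptSvc service key.
    # reg.exe exports are UTF-16 with a BOM, which Get-Content detects.
    $content = Get-Content -Path $RegFile -Raw
    if ($content -notmatch '\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CryptSvc\]') {
        throw "$RegFile does not contain the CryptSvc service key; refusing to import"
    }

    & reg.exe import $RegFile
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

    # The service control manager does not pick up a service key written
    # directly to the registry until the next boot, hence the reboot in the
    # procedure above; re-run this script afterwards to confirm.
    Write-Host "Import done. Reboot, then re-run this script to confirm $ServiceName is running."
}
```

Take the export from a server with the same OS build and patch level: the key carries the service's ImagePath, DLL path and security descriptor, and a mismatch between builds is the kind of thing that gets a service definition silently ignored or, worse, pointed at the wrong binary.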

The SCEP client installed successfully, and I verified that the agent is communicating with Configuration Manager for policy.

image

Hope this helps!

SCCM Collection for devices online with green checkmark


This is a quick blog post on how to create a device collection for computers that are online and show the green checkmark.

When a Configuration Manager client is installed, the console shows one of the following status icons for the device. For more information about device client status, please refer here.

image

How do we create a collection for clients that are online? 

Collections use WQL, and the following is the WQL you can use to create the collection.

We will use the WMI class SMS_CollectionMemberClientBaselineStatus, which holds the client online status. This information comes from client notification, which uses the BGB/fast channel, so a client that cannot reach the management point's notification port shows as offline here even if it is powered on.

The collection uses a sub-select query:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in
(select resourceid from SMS_CollectionMemberClientBaselineStatus where SMS_CollectionMemberClientBaselineStatus.CNIsOnline = 1)

image

If you are running Configuration Manager 2010 or later, you have the option to preview the results. Click the play button to see the results before you confirm the changes.

image

Save the collection and wait a few seconds for the data to appear.

image

The membership is refreshed on the collection's update schedule, so the results change as clients come online and go offline.
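As an added example that is not part of the original post, the PowerShell below creates the same collection from the ConfigMgr PowerShell module with the WQL above, and then asks the SMS Provider directly for the current online count so you do not have to wait for collection evaluation. The site code, provider server name and collection name are assumptions; the module is the one installed with the console, and the provider query needs WinRM access to the provider server.

```powershell
# Added example (not from the original post): create the "online clients"
# collection via the ConfigMgr cmdlets and read the live online count from
# the SMS Provider. Assumptions: console installed locally; $SiteCode and
# $ProviderServer are your values; the caller is a ConfigMgr administrator.
$SiteCode       = 'P01'                  # assumption
$ProviderServer = 'cm01.contoso.local'   # assumption
$CollectionName = 'Clients online (fast channel)'

# Module shipped with the console; the site drive is named after the site code.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Same sub-select query as in the console.
$Wql = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.ResourceId in
  (select ResourceID from SMS_CollectionMemberClientBaselineStatus
   where SMS_CollectionMemberClientBaselineStatus.CNIsOnline = 1)
"@

$collection = Get-CMDeviceCollection -Name $CollectionName
if (-not $collection) {
    # Incremental updates plus an hourly full evaluation keep the membership
    # close to the live BGB state; a schedule alone would lag behind clients
    # coming and going.
    $schedule   = New-CMSchedule -RecurInterval Hours -RecurCount 1
    $collection = New-CMDeviceCollection -Name $CollectionName `
        -LimitingCollectionName 'All Systems' `
        -RefreshType Both -RefreshSchedule $schedule
    Add-CMDeviceCollectionQueryMembershipRule -CollectionId $collection.CollectionID `
        -RuleName 'Online via client notification' -QueryExpression $Wql
    Write-Host "Created collection $($collection.CollectionID)"
}

# Instant answer without waiting for collection evaluation: query the
# provider class itself. The class holds one row per collection membership,
# so de-duplicate on ResourceID to count each device once.
$onlineIds = Get-CimInstance -ComputerName $ProviderServer `
    -Namespace "root\SMS\site_$SiteCode" `
    -ClassName SMS_CollectionMemberClientBaselineStatus `
    -Filter 'CNIsOnline = 1' |
    Select-Object -ExpandProperty ResourceID -Unique

Write-Host ("{0} clients currently report online over the fast channel" -f @($onlineIds).Count)
```

Because the online flag is driven by the notification channel, this collection is suitable for targeting an urgent action (a script or CMPivot run) at machines that can actually receive it right now; it is not a substitute for a last-heartbeat report when deciding whether a device is healthy.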

If you want to create reports based on online status, refer to http://eskonr.com/2016/04/how-to-query-clients-collection-or-ssrs-ssrs-with-online-status-in-sccm-configmgr-1602/

Audit messages for software update deployments in Configuration Manager


In Microsoft Endpoint Configuration Manager, we use the Monitoring workspace in the console to monitor infrastructure and operations.

A common question in many forums is how to find out who created, modified or deployed something to users or devices that then caused an issue.

When someone deploys something, they may not realise it will cause an outage or affect the end-user experience.

When that happens, you are left searching for who did it.

In this blog post, we will see how to find who created or deployed an assignment for a software update group.

For all these types of auditing, there are status message IDs that I have blogged about; the Excel spreadsheet is available on GitHub for reference.

If you want to find out who created the assignment for a software update group, there is no built-in way to see it in the software update section.

The following is the view of the software update deployment assignment.

image

As you can see, there is no user ID tagged to the specific update deployment.

How do we trace it? There are a few options:

1. Use smsprov.log

2. Use status message queries

3. Use the SQL database

SMSPROV.log is limited in size, its records get overwritten in no time, and it is a tedious way to find the right data.

The remaining options are the audit status messages and the SQL database.

We can use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to modify it. For example, you can run the built-in query Collections Created, Modified, or Deleted to identify when a specific collection was created, and the user account used to create it.

Based on the Excel sheet I shared earlier for status message queries, the following are the status message IDs related to software update deployments (the %n placeholders are the insertion strings filled in for each message):

30196 User "%1" created updates assignment %2 (%3).
30197 User "%1" modified updates assignment %2 (%3).
30198 User "%1" deleted updates assignment %2 (%3).

Now we will find out who created the deployment for the target collection 'All Mobile Devices' on 3/4/21 using the audit status message queries:

image

Go to the Monitoring workspace, click System Status, then Status Message Queries.

Open All Audit Status Messages from a Specific Site.

image

Choose the site and the time window when the deployment was created (3/4/21), then click OK.

image

If your deployment was created days or weeks ago, you can go back up to 1 year, provided the site's Delete Aged Status Messages maintenance task has not already removed them.

image

There are many audit status messages for that duration.

We can filter on message ID 30196 to find only the new assignments.

image

Here you will find all the software update deployments that were created in that window.

image

In the properties section, you will see the following information.

User "INTRANET\eswar.koneti" created updates assignment 16779253 ({65FCC1AD-126D-4D27-991A-F563F8A0CDFE}).

Likewise, if users created multiple deployments, how do you find the one you are looking for?

Go back to the update deployment in the console and note the deployment ID we are looking for.

In my case, the deployment ID is 16779253.

image

From the audit status messages, filter on message ID 30196 and description *16779253* to get the exact record.

image

We now see who created the specific deployment for the software update group.

image

How do we find the same data using SQL Server Management Studio against the database?

With a SQL query, we need two values to search for: 1) the message ID, which we already know (30196), and 2) the deployment name.

image

The following is the SQL query to run against the site database (LIKE without a % wildcard behaves as an exact match, so add wildcards if you only know part of the name):

select * from vStatusMessagesWithStrings
where MessageID = 30196
and InsStrValue4 like 'Microsoft Software Updates - 2021-03-04 12:54:40 AM'

image

The SQL query is the quickest way to find the relevant information.
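As an added example that is not part of the original post, the PowerShell below runs the same audit lookup against the site database with a parameterised query instead of pasting the deployment name into the statement, and widens it to cover create, modify and delete (30196, 30197, 30198) with a partial-name match. The SQL Server and database names are assumptions; it uses the System.Data.SqlClient assembly from .NET Framework, so no extra module is needed, and it assumes the modify and delete messages use the same insertion-string layout as the create message, as their templates suggest.

```powershell
# Added example (not from the original post): parameterised audit lookup for
# software update assignment create/modify/delete messages.
# Assumptions: $SqlServer/$Database are your site database; the calling
# Windows account can read the site database views.
$SqlServer = 'cmdb01.contoso.local'   # assumption
$Database  = 'CM_P01'                 # assumption

# Insertion strings follow the message template
#   User "%1" created updates assignment %2 (%3).
# InsStrValue1 = account, 2 = assignment ID, 3 = assignment GUID, and the
# console query above shows InsStrValue4 carrying the deployment name
# (assumed to hold for 30197/30198 as well).
$Query = @"
SELECT  s.Time,
        s.MessageID,
        CASE s.MessageID WHEN 30196 THEN 'created'
                         WHEN 30197 THEN 'modified'
                         WHEN 30198 THEN 'deleted' END AS Action,
        s.InsStrValue1 AS [User],
        s.InsStrValue2 AS AssignmentID,
        s.InsStrValue3 AS AssignmentGUID,
        s.InsStrValue4 AS DeploymentName
FROM    vStatusMessagesWithStrings AS s
WHERE   s.MessageID IN (30196, 30197, 30198)
  AND   s.Time >= DATEADD(day, -@Days, GETDATE())
  AND   s.InsStrValue4 LIKE @Name
ORDER BY s.Time DESC
"@

function Get-CMUpdateAssignmentAudit {
    param(
        [Parameter(Mandatory)][string]$DeploymentNameFragment,
        [int]$Days = 30
    )
    # Encrypt=True: the SQL Server certificate must be trusted by this host.
    # Do not paper over a trust failure with TrustServerCertificate=True.
    $connString = "Server=$SqlServer;Database=$Database;Integrated Security=True;Encrypt=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $Query
    # Parameters keep the user-supplied fragment out of the SQL text; the
    # % wildcards turn it into a contains-match on the deployment name.
    [void]$cmd.Parameters.AddWithValue('@Name', "%$DeploymentNameFragment%")
    [void]$cmd.Parameters.AddWithValue('@Days', $Days)

    $table = New-Object System.Data.DataTable
    $conn.Open()
    try     { $table.Load($cmd.ExecuteReader()) }
    finally { $conn.Close() }
    # Emit the rows; PowerShell exposes DataRow columns as properties.
    return @($table.Rows)
}

# Every create/modify/delete on the 4 March 2021 deployment, newest first.
Get-CMUpdateAssignmentAudit -DeploymentNameFragment '2021-03-04' -Days 60 |
    Format-Table Time, Action, User, AssignmentID, DeploymentName -AutoSize
```

Run this with a read-only account: the site database views are all the lookup needs, and the same query is a reasonable thing to schedule and ship to a SIEM, since the audit status messages are the only record of who touched a deployment once smsprov.log has rolled over.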

Hope you find this blog post useful!

Troubleshooting Co-management enrollment issues–hybrid Azure AD join


I was troubleshooting a client issue with co-management and found that the device was not hybrid Azure AD joined.

Hybrid Azure AD join (for on-premises domain-joined devices) is one of the prerequisites for co-management.

To check whether a device is hybrid Azure AD joined, open a command prompt and run dsregcmd /status.

If the device is hybrid Azure AD joined, the Device State section shows AzureAdJoined : YES together with DomainJoined : YES. (AzureAdJoined is YES for both pure Azure AD joined and hybrid joined devices; DomainJoined is what distinguishes the two.)

image

On the problematic machine, dsregcmd returned no device state at all.

For more information about configuring hybrid Azure AD join and troubleshooting it, please refer to part 1, part 2 and the troubleshooting post.

For the device registration process on hybrid Azure AD joined devices, we usually look at the event log under Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin.

Under this path, there were no events related to device registration at all.

The device registration process is initiated by a scheduled task under Workplace Join that runs as SYSTEM at system start-up.

The task is located under Task Scheduler Library > Microsoft > Windows > Workplace Join > Automatic-Device-Join.

image

The task was disabled on this system, hence the device registration task never ran.

Enable the task and run it (running the task requires local admin rights). If you do not have local admin rights, reboot the system and the task will run automatically as SYSTEM.

This task is disabled by default on a Windows 10 workgroup computer, but it is enabled automatically when the device joins a domain. For some reason, that did not happen here.

If you want to enforce the task on all your Windows 10 computers, you can use a GPO.

image

There could be many devices with the task disabled, which blocks co-management enrollment for all of them.

How do we identify the devices that have the Automatic-Device-Join task disabled?

In SCCM, we can use the Scripts feature, CMPivot or a configuration baseline.

In this blog post, I will discuss two options: 1) configuration baseline and 2) Scripts.

For the configuration baseline, we will use a simple PowerShell script to detect the state of the scheduled task; the same script can also be used with the Scripts feature.

In your SCCM console, create a configuration item and choose the PowerShell script type. You can also run the same script on targeted computers through the Scripts feature:

# Detection script: reports the state of the Automatic-Device-Join task.
# The task is looked up by name and path so that an unrelated task with the
# same name elsewhere cannot satisfy the check, and a missing task is treated
# as non-compliant rather than silently passing.
$task = Get-ScheduledTask -TaskName 'Automatic-Device-Join' -TaskPath '\Microsoft\Windows\Workplace Join\' -ErrorAction SilentlyContinue
if ($null -eq $task -or $task.State -eq 'Disabled')
{
write-host "Non-Compliant"
}
else
{
write-host "compliant"
}

image

image

If you use the Scripts feature, running the script on a target computer returns either compliant (task enabled) or Non-Compliant (task disabled).

image

I have uploaded an exported copy of the configuration baseline to GitHub.

You can download it, import it and deploy it to your Windows 10 collection to check whether any devices have this task disabled.
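As an added example that is not part of the original post, the PowerShell below is the remediation half of the configuration item (or a second script for the Scripts feature): it enables and starts Automatic-Device-Join and then reads dsregcmd /status back to show whether registration has happened. Deployed as a CI remediation script or through the Scripts feature it runs as SYSTEM, which covers the local admin requirement mentioned above. Nothing here is assumed beyond the in-box task name and path; the Get-DsregStatus parser is a helper written for this example.

```powershell
# Added example (not from the original post): remediation for a disabled
# Automatic-Device-Join task plus a dsregcmd /status read-back.
# Runs as SYSTEM when deployed as a CI remediation or via Scripts.
$TaskName = 'Automatic-Device-Join'
$TaskPath = '\Microsoft\Windows\Workplace Join\'

function Get-DsregStatus {
    # Parses the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Separator lines and multi-word keys (not needed here) are skipped.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridJoined {
    # Hybrid Azure AD joined = AzureAdJoined YES and DomainJoined YES.
    param([hashtable]$Status)
    return ($Status['AzureAdJoined'] -eq 'YES') -and ($Status['DomainJoined'] -eq 'YES')
}

$task = Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -ErrorAction SilentlyContinue
if ($null -eq $task) {
    # The in-box task is missing, not merely disabled; that is an OS image
    # problem this script should report rather than try to recreate.
    Write-Host "Non-Compliant: task $TaskPath$TaskName not found"
    exit 0
}

if ($task.State -eq 'Disabled') {
    Enable-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath | Out-Null
    Write-Host "Enabled $TaskName"
}

# Kick the registration off now instead of waiting for the next boot.
Start-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath

# Registration against Azure AD is asynchronous; give it a moment, then
# report what dsregcmd sees so the script output is useful in the console.
Start-Sleep -Seconds 30
$dsreg = Get-DsregStatus
Write-Host ("AzureAdJoined={0} DomainJoined={1}" -f $dsreg['AzureAdJoined'], $dsreg['DomainJoined'])

if (Test-HybridJoined -Status $dsreg) {
    Write-Host "compliant: device is hybrid Azure AD joined"
}
else {
    # The task is now enabled; the join itself still depends on the SCP,
    # Azure AD Connect device sync and connectivity to Azure AD.
    Write-Host "compliant: task enabled, registration pending (check User Device Registration/Admin log)"
}
```

Enabling the task is only the trigger. If the read-back still shows AzureAdJoined : NO after the next sync cycle, the remaining causes are the ones covered in the linked hybrid join posts: the service connection point, the computer object not being synced by Azure AD Connect, or the device being unable to reach the Azure AD device registration endpoints.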
