Channel: configmgr – All about Microsoft Endpoint Manager

Manage BitLocker for CMG connected devices using Technical preview 2010.2

Microsoft released Configuration Manager technical preview version 2010.2, which is the 2nd release for Oct 2020. Technical previews are released every month so that you can test and explore new and improved features and provide feedback in case of any issues.

This technical preview brings the following new and improved features.

Tenant attach: Troubleshooting portal lists a user’s devices based on usage

Tenant attach: Create and deploy firewall policies

Enhancements to applications in Microsoft Endpoint Manager admin Center

Manage BitLocker policies and escrow recovery keys over a cloud management gateway (CMG)

Improvements to deploy an OS over CMG using boot media

Desktop Analytics support for new Windows 10 data level

Immediate distribution point fallback for clients downloading software update delta content

Disable Azure AD authentication for onboarded tenants

Additional options when creating app registrations in Azure Active Directory

Validate internet access for the service connection point

Improvements to the administration service

For more information about these features, see https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2010-2

You can install this technical preview from the Updates and Servicing node in the console.

If you want to set up a technical preview lab, please refer to https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/set-up-your-lab

If you don't see the update, click Check for updates and monitor the log dmpdownloader.log.

When the update is downloaded, you will see it in the console as ‘ready to install’.

Right-click the update and install it. After a while, if the installation is successful, you will see a warning to install the new console version.

Site version: 5.00.9039.1000

Client version: 5.00.9039.1000

Once the site is upgraded, you also need to upgrade the clients to the latest version to support the client features.

How do we get BitLocker support for clients that are connected through a CMG?

If you already have working BitLocker policies, make sure the remote clients are upgraded to the latest client version of the technical preview build, then deploy the BitLocker policies to the internet-based clients.

There is no change to the setup process of BitLocker management, and it works with your existing configuration.

References:

https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2010-2

https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/technical-preview


How to collect Teams client logs for troubleshooting using Configuration Manager–Scripts

There are times where you need to troubleshoot the Microsoft Teams client issues such as app crashing, poor call quality, new features not working as expected, etc.

When you run into any of these issues, you need to collect the Teams client logs to investigate further, and you will likely need to share the logs with a Microsoft support engineer for further help.

There are different logs in the Teams client that help you troubleshoot the issue. The following are the important set of logs.

Because the Teams client is installed in the user profile (%appdata%), the logs have to be collected from the user profile, so you need to ask the user and assist them in getting these logs.

These common logs are located in different folders under the user profile; guiding the user to them takes time, and users sometimes get annoyed.

Except for debug logs, all other logs are readily available for remote collection.

Debug logs need user intervention (they cannot be generated remotely): the user needs to press the shortcut Ctrl + Alt + Shift + 1 to generate them.

For more information about the log files and troubleshooting the Teams client, please refer to https://docs.microsoft.com/en-us/microsoftteams/log-files

Now that we know the location of the Teams log files from this article, we can use the scripts feature of Microsoft Endpoint Manager Configuration Manager to collect the client logs remotely for troubleshooting Teams issues.

The scripts feature simplifies building custom tools to administer software and lets you accomplish mundane tasks quickly, allowing you to get large jobs done more easily and more consistently. For more information about PowerShell scripts from the Configuration Manager admin console, please refer here

This script can be used manually or remotely using Configuration Manager.

What does this script do?

1. The script checks whether a user is logged on to the machine. If so, it collects the media logs, desktop logs, debug logs and event viewer logs from their locations and stores them in C:\Temp\Teamslog.

2. If no user is logged on to the machine, the script does nothing.

3. Once the logs are collected and stored on the share, the temporary logs in C:\temp\teamslog on the local drive are removed.

What is required to run the script?

1. You need to provide the log share name to store the logs. The logs are zipped and stored as username-timestamp.zip.

2. You need to notify the user to press the shortcut Ctrl + Alt + Shift + 1 to generate debug logs. Once this is done, the script looks for the debug logs and collects them.

3. If the user doesn't press Ctrl + Alt + Shift + 1, the script does not collect the debug logs but collects the other logs if available.

Once you have filled in the log share, you can add this script to Configuration Manager scripts and run it on the device where the user is logged on to collect the logs.

The script is uploaded to github, you can download it from here.
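
The behaviour described in the steps above, written out as an added example; this is not the author's GitHub script. The share name, the choice of the Application event log, and the classic Teams log locations (taken from the Microsoft log-files article linked above) are assumptions.

```powershell
# Added example, not the author's GitHub script.
# Assumptions: classic Teams log locations from the Microsoft log-files article,
# a placeholder share name, and the Application log as the "event viewer" export.
param(
    [string]$LogShare = '\\fileserver\TeamsLogs$'   # placeholder UNC path
)

$staging = 'C:\Temp\Teamslog'

# ConfigMgr runs scripts as SYSTEM, so look up the console user instead of $env:USERNAME.
$userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName   # DOMAIN\user or $null
if (-not $userName) {
    return 'No user is logged on; nothing collected.'
}

# Resolve the profile folder through the user's SID rather than assuming C:\Users\<name>.
$sid = ([System.Security.Principal.NTAccount]$userName).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$profilePath = (Get-CimInstance -ClassName Win32_UserProfile -Filter "SID='$sid'").LocalPath
if (-not $profilePath) {
    return "No local profile found for $userName; nothing collected."
}

$teamsRoot = Join-Path $profilePath 'AppData\Roaming\Microsoft\Teams'
$sources = [ordered]@{
    Desktop = @(Join-Path $teamsRoot 'logs.txt')
    Media   = @((Join-Path $teamsRoot 'media-stack\*.blog'),
                (Join-Path $teamsRoot 'media-stack\*.etl'),
                (Join-Path $teamsRoot 'skylib\*.blog'))
    # Present only if the user pressed Ctrl + Alt + Shift + 1.
    Debug   = @(Join-Path $profilePath 'Downloads\MSTeams Diagnostics Log*.txt')
}

# Start from an empty staging folder so old logs never end up in a new archive.
if (Test-Path $staging) { Remove-Item $staging -Recurse -Force }
New-Item -ItemType Directory -Path $staging -Force | Out-Null

$summary = foreach ($name in $sources.Keys) {
    $files = @(Get-ChildItem -Path $sources[$name] -File -ErrorAction SilentlyContinue)
    if ($files.Count -gt 0) {
        $dest = New-Item -ItemType Directory -Path (Join-Path $staging $name) -Force
        $files | Copy-Item -Destination $dest.FullName -Force
    }
    '{0}={1}' -f $name, $files.Count
}

# Export the Application event log next to the Teams logs.
& wevtutil.exe epl Application (Join-Path $staging 'Application.evtx')

$shortName = $userName -replace '^.*\\', ''
$zipName   = '{0}-{1}.zip' -f $shortName, (Get-Date -Format 'yyyyMMdd-HHmmss')
$localZip  = Join-Path 'C:\Temp' $zipName
Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $localZip -Force

try {
    # As SYSTEM the share is reached with the computer account. The logs contain user
    # data, so give computer accounts create-only rights there, not read or list.
    Copy-Item -Path $localZip -Destination $LogShare -ErrorAction Stop
    $result = "Uploaded $zipName to $LogShare ($($summary -join ', '))"
}
catch {
    $result = "Upload failed: $($_.Exception.Message)"
}
finally {
    # Leave no copy of the user's logs on the local drive, whether or not the upload worked.
    Remove-Item $staging -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item $localZip -Force -ErrorAction SilentlyContinue
}
$result   # shown as the script output in the ConfigMgr console
```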

For Teams client troubleshooting, please refer to https://docs.microsoft.com/en-us/MicrosoftTeams/troubleshoot/teams-welcome

Using PowerShell script to extract the status messages for SMS provider, Site and client in Configuration Manager

Over the last couple of years, I have been using this method to extract the status messages for various components in Configuration Manager such as SMS provider, Site server and client.

These status messages are critical and useful when it comes to troubleshooting components, clients, etc. Status messages are similar to Windows NT Events: they have a severity, ID, description, etc.

These status message IDs appear in a lot of places, such as logs, the event viewer and the Configuration Manager console. During troubleshooting, it is hard to find the description for the status message ID that you are looking for, and not everything can be found by searching the internet.

As the current branch gets released every 3 months (based on the past trends), there will be changes to the status message IDs (addition/deletion) and it is always important to keep a copy of the status message ID’s for each build that you are working with.

In this blog post, we will see how to generate the status message IDs, description for your Configuration Manager build.

What is required to generate the status messages?

1. You will need the following DLL files, which are available on your CAS/primary site server for your current build:

CLIMSGS.DLL

PROVMSGS.DLL

SRVMSGS.DLL

These DLL files are located on your site server under: <CM Installed directory:>\bin\X64\system32\smsmsgs

2. Copy these DLL files to a folder on your computer.

3. Now download the script from Github, save it in the same folder where you copied the dll files.

4. Run the script. The script will create an excel file with 3 sheets called client, site server and sms provider and list down the status message ID’s along with description.

image

5. Output

image

Every time when you update your Configuration Manager build version, you can get the updated dll files and run the script.

I hope you found this useful.

References:

https://gallery.technet.microsoft.com/scriptcenter/Enumerate-status-message-6e7e1761

Use SCCM to find the excluded apps in Microsoft 365 Apps or Office 365 Proplus for custom reporting

I was asked by a customer to find the devices with excluded apps in C2R products such as Office 365 Proplus or Microsoft 365 Apps or Office 2019 etc.

When you create a configuration file for C2R products such as Office 365 ProPlus/Microsoft 365 Apps, you can define which apps in the product are not to be installed, such as Word, Excel, PowerPoint, Publisher, Visio, or Skype. If you don't want Publisher installed with those applications, use the ExcludeApp element to remove it.

The following are the allowed values for the ExcludeApp element in the configuration file.

  • ID="Access"
  • ID="Excel"
  • ID="Groove"
  • ID="Lync"
  • ID="OneDrive"
  • ID="OneNote"
  • ID="Outlook"
  • ID="PowerPoint"
  • ID="Publisher"
  • ID="Teams"
  • ID="Word"

The following is the sample configuration file that I have used to deploy Microsoft 365 Apps with a few apps excluded.

<Configuration>
     <Add OfficeClientEdition="64" Channel="Monthly">
         <Product ID="O365ProPlusRetail">
             <Language ID="en-us"/>
             <ExcludeApp ID="OneDrive"/>
             <ExcludeApp ID="Groove"/>
             <ExcludeApp ID="Lync"/>
         </Product>
     </Add>
     <Display Level="Standard" AcceptEULA="TRUE"/>
     <Property Name="AUTOACTIVATE" Value="1"/>
     <Logging Level="Standard" Path="C:\windows\o365proplus"/>
</Configuration>

Likewise, there will be multiple configuration files created and deployed to end-users based on the requirement, and at one point in time, it is good to have a report to find out the devices with their list of excluded apps.

When you deploy the C2R product using Endpoint Manager tool, there is no built-in report feature to identify what apps are excluded on specific devices.

How do we inventory the devices with excluded apps in Microsoft 365 apps?

Let's start analysing the data that is stored on the endpoint for office/Microsoft 365 apps.

The following registry key holds the information about the C2R products.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

As you can see, there is a lot more information stored in the registry, including O365ProPlusRetail.ExcludedApps.

This tells us that on this device, the 3 apps that we listed in the configuration file above (onedrive, groove, lync) were excluded.

How do we bring this data into Configuration Manager? Is there a built-in tool or inventory class that gathers this information?

There are some built-in reports with information about Office 365 products, but if you want anything custom, as in this case, you must extend the hardware inventory, and that can be achieved with a popular tool called RegKeyToMOF.

Detailed Steps:

1. Use RegKeyToMOF to generate configuration.mof and inventory.mof, compile the mof for syntax errors.

2. Import the inventory.mof and configuration.mof

3. Verify the mof changes and also on the SQL Side as well.

3. Deploy the client setting to test device collection.

4. Initiate machine policy cycle on the test device, trigger hardware inventory.

5. Monitor the hardware inventory on the site server and check the SQL results if any data received.

1. Use RegKeyToMOF to generate configuration.mof and inventory.mof:

Download the RegKeyToMOF.exe tool from TechNet.

On a device that has Office 365 ProPlus/Microsoft 365 Apps or Office 2019 installed, copy the tool and run it to generate a custom MOF file.

Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

At this point, we can export the configuration.mof and inventory.mof (to import in the admin console) using the tool and save the MOF files.

The exported MOF file contains a lot of information, and we need to trim it down to the actual requirement.

The following are my configuration.mof and inventory.mof (trimmed version):

Configuration.mof:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to collect
// 16/10/2018 3:05:03 PM

#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Configuration", NOFAIL)
[DYNPROPS]
Class Configuration
{
[key] string KeyName;
String ProPlus2019RetailExcludedApps;
String O365ProPlusRetailExcludedApps;

};

[DYNPROPS]
Instance of Configuration
{
KeyName="RegKeyToMOF";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|ProPlus2019Retail.ExcludedApps"),Dynamic,Provider("RegPropProv")] ProPlus2019RetailExcludedApps;

[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|O365ProPlusRetail.ExcludedApps"),Dynamic,Provider("RegPropProv")] O365ProPlusRetailExcludedApps;
};

The parts in black font must match the registry key, whereas the parts in brown font can be customised at your convenience and must be used consistently.

Inventory.mof:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to report to the server
// 16/10/2018 3:05:03 PM
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Configuration", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("o365ExcludedApps"),SMS_Class_ID("o365ExcludedApps")]
Class Configuration: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String ProPlus2019RetailExcludedApps;
[SMS_Report(TRUE)] String O365ProPlusRetailExcludedApps;
};

Download the mof files from github

If you have added more attributes from the registry, make sure you compile the mof file for any syntax errors.

Compile the mof file using mofcomp.exe filename.mof

image

Once the mof files are validated, we are now ready to make changes on the SCCM server.

2. Import the inventory.mof and configuration.mof:

Copy the mof files to your CAS/Primary site.

Browse to SCCM installed directory, <Installed Dir>\Program Files\Microsoft Configuration Manager\inboxes\clifiles.src\hinv

Take a backup of configuration.mof before making any changes.

Edit configuration.mof, go to the last line in the file, and paste the content of your custom configuration.mof (custom code) at the bottom of the file.

image

Save the changes.

Now open the SCCM console, go to administration, client settings, edit the default client settings, go to hardware inventory

image

Click on set classes

Click on import, select the inventory.mof file that you have downloaded or created your own.

image

Click on import.

Make sure you untick o365ExcludedApps, because we don't want these changes to be applied to all devices through the default client settings.

This step imports the settings, creates a SQL view, etc.

Monitor dataldr.log on your site for changes. You will see that the SQL view and stored procedure are created successfully.

image

By querying select * from v_GS_o365ExcludedApps0, you get empty results.

image

We will now create new client settings, or use existing client settings, to deploy to a test collection for monitoring the results.

In your new or existing test client settings, click Edit, Hardware Inventory, Set Classes, and tick o365ExcludedApps.

image

image

We have now completed the changes on the site server.

3. Deploy the client setting to test device collection.

4. Initiate machine policy cycle on the test device, trigger hardware inventory.

We will now move on to the client and initiate the machine policy cycle so that the client receives these changes.

Initiate hardware inventory and monitor the log InventoryAgent.log

image

Collection: Namespace = \\.\root\cimv2; Query = SELECT __CLASS, __PATH, __RELPATH, KeyName, O365ProPlusRetailExcludedApps, ProPlus2019RetailExcludedApps, VisioPro2019RetailExcludedApps FROM Configuration; Timeout = 600 secs.

We will now move to the SQL database and run the query to check the results.

image

select sys.Netbios_Name0,
  exc.O365ProPlusRetailExcludedApps0,
  exc.ProPlus2019RetailExcludedApps0
  from [v_GS_o365ExcludedApps0] exc
  inner join v_R_System_Valid sys
  on sys.ResourceID=exc.ResourceID

image

We have now successfully gathered the required data using the custom inventory report.

For more information about:

Overview of Office Deployment Tool, please refer https://docs.microsoft.com/en-us/deployoffice/overview-office-deployment-tool

Office deployment tool configuration options, please refer https://docs.microsoft.com/en-us/deployoffice/office-deployment-tool-configuration-options

Hope you find this post useful.

Update rollup available to resolve Client issue downloading ccmsetup content from cloud DP (CMG)–KB4575790

Microsoft has released another update rollup (KB4575790) to fix a client setup content download issue from a CMG distribution point.

The issues listed below, and this rollup update in the Updates and Servicing node, apply only if you have installed the recently released update rollup KB 4578605 for the Configuration Manager 2006 build.

If you have not installed KB 4578605, you will not see this update in the Updates and Servicing node of the console.

Issues:

1. If you have configured a cloud management gateway along with a cloud DP and run ccmsetup.exe (client installation), the client fails to download the client installation file (ccmsetup.cab) from Azure blob storage.

The following is the error code seen from the ccmsetup.log:

[CCMHTTP] ERROR: URL=https://{Azure_blob_storage}:443/content-l0000003/ccmsetup.cab?..., Port=443, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
[CCMHTTP] ERROR INFO: StatusCode=400 StatusText=Authentication information is not given in the correct format. Check the value of Authorization header.

2. If you have clients that ONLY use PKI for authentication, they also fail to upgrade or install the client.

This occurs if the option Use PKI client certificate (client authentication capability) when available is disabled on the Communication Security tab of Site Properties. Errors resembling the following are recorded in the ccmsetup.log file on the client.

Client is not allowed to use PKI issued certificate or not able to use AAD token or ContentToken thus can not talk in HTTPS.
Failed to download client files by BITS. Error 0x8000ffff
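
To check a client's ccmsetup.log for the two symptoms above before deciding whether this update is relevant, the following added example (not from the original post) scans log lines for the messages quoted here. The function name is hypothetical and the sample lines are constructed from the excerpts above.

```powershell
# Added example: flag the ccmsetup.log messages quoted in this post.
# Find-CcmSetupSymptom is a hypothetical helper name, not a ConfigMgr cmdlet.
function Find-CcmSetupSymptom {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Line)

    $lastUrl = $null
    for ($i = 0; $i -lt $Line.Count; $i++) {
        $text = $Line[$i]

        # The failed URL is logged first; the HTTP status arrives on the next
        # "ERROR INFO" line, so remember the URL until it is needed.
        if ($text -match '\[CCMHTTP\] ERROR: URL=(?<url>[^,\s]+)') {
            # Drop the query string: on a cloud DP it can carry an access token.
            $lastUrl = ($Matches['url'] -split '\?')[0]
            continue
        }

        $issue = $null
        $url   = $null
        if ($text -match '\[CCMHTTP\] ERROR INFO: StatusCode=400 .*Authorization header') {
            $issue = 'Issue 1: cloud DP rejected the ccmsetup content request (HTTP 400)'
            $url   = $lastUrl
        }
        elseif ($text -match 'not allowed to use PKI issued certificate or not able to use AAD token or ContentToken') {
            $issue = 'Issue 2: client cannot use PKI cert, AAD token or ContentToken for HTTPS'
        }
        elseif ($text -match 'Failed to download client files by BITS\. Error 0x8000ffff') {
            $issue = 'Issue 2: BITS download of client files failed (0x8000ffff)'
        }

        if ($issue) {
            [pscustomobject]@{
                LineNumber = $i + 1
                Issue      = $issue
                Url        = $url
            }
        }
    }
}

# Constructed sample, built from the log excerpts quoted in this post.
$sample = @'
Downloading file ccmsetup.cab
[CCMHTTP] ERROR: URL=https://{Azure_blob_storage}:443/content-l0000003/ccmsetup.cab?..., Port=443, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
[CCMHTTP] ERROR INFO: StatusCode=400 StatusText=Authentication information is not given in the correct format. Check the value of Authorization header.
Client is not allowed to use PKI issued certificate or not able to use AAD token or ContentToken thus can not talk in HTTPS.
Failed to download client files by BITS. Error 0x8000ffff
'@

Find-CcmSetupSymptom -Line ($sample -split '\r?\n') | Format-Table -AutoSize

# On a real client, read the log instead of the sample:
# Find-CcmSetupSymptom -Line (Get-Content "$env:windir\ccmsetup\Logs\ccmsetup.log")
```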

In my case, I did not install the applicable update KB 4578605 hence the update KB4575790 is not visible in the console.

image

If you have installed the KB 4578605, you will see KB4575790 in updates and servicing node.

image

This update includes site server and client updates.

image

Once you install the update (if applicable to your site), you don't have to restart the site server and no need to update the console version.

The client patch (.MSP file) contained in this update supersedes the versions that shipped with update rollup KB 4578605 and update KB 4575787. Therefore, only one client upgrade is required.

The client update (.msp) is located in <SCCM Installdir:>\Microsoft Configuration Manager\Client\i386\ClientUpdate

Following screenshot for KB4578605

image

After you install KB4575790, it will replace KB4578605

image

Now you need to update your clients to the latest patch. You can do this by enabling client upgrade in hierarchy settings.

Client version with this rollup update: 5.00.9012.1056

Here is the collection query to find the clients that are not yet on this version:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion not in ("5.00.9012.1056")

You also need to update your boot images to match the client version.

image

If you don't get your boot images to match the client version, you may encounter issues like I did.

Hope you found this article useful.

What is new in Configuration Manager 2010 reporting

Microsoft has released update 2010 for Endpoint Manager Configuration Manager , the last build for this year with some great and enhanced features, for a complete list, please refer to https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2010

This build version is currently available for you to install via the opt-in method (fast ring). You can download the script and run it on your ConfigMgr site. To download the script, refer to https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/checklist-for-installing-update-2010#early-update-ring

With update 2010, a bunch of new features were added. This means that a number of SQL tables/views were also added, which will help us create some great custom reports for our customers.

Let's see which newly added SQL views/tables/functions we can use for custom reporting.

The following are some of those that will add value to the business.

v_DeviceScriptRunDetails
v_DeviceScriptStatus
v_GS_BATTERYCYCLECOUNT
v_GS_BATTERYFULLCHARGEDCAPACITY
v_GS_BATTERYRUNTIME
v_GS_BATTERYSTATICDATA
v_GS_BATTERYSTATUS
v_LU_LifecycleProductGroupsUnfiltered
v_ScriptInformation
v_SetupDiagErrorMachines
vSMS_CollectionEvaluationFull
vSMS_CollectionEvaluationIncremental

For a complete list of SQL views available in Configuration Manager 2010 and what’s new in 2010 compared with its previous build 2006, please refer to the documentation available on GitHub

Managing windows updates using Configuration Manager and Group policy

When a Configuration Manager client is installed and configured to use the software updates agent, it is automatically configured with a local Group Policy setting that specifies the Configuration Manager software update point. The Group Policy setting used is the intranet Microsoft update service location, specified as a Windows Update computer administrative template.

The following snippet shows the local group policy setting for the client that is enabled with software update agent.

image

GPO:

image

image

If you have a local Group Policy setting configured with the Microsoft update service location, it will always be overwritten by an Active Directory Group Policy setting, and this can result in the Configuration Manager client failing to obtain software updates using Configuration Manager.

Jason has written 2 blogs on GPO and software update management, please read the following.

https://home.memftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
https://home.memftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

It is always recommended to create a GPO to disable automatic updates and let software update patching happen through ConfigMgr. This helps you do Windows update patching in a controlled way.

So by now, you have a good understanding of software update management and Group Policy.

One of my customers recently reached out to me asking for help to block users from running the manual Windows update process on their devices.

The reason they want to block all available Windows update options is that Microsoft recently released an update (KB4577586) to remove Adobe Flash from Windows.

Removing Adobe Flash will impact their legacy applications that use Adobe Flash.

When I asked the customer to send a screenshot of the Windows update settings, it showed the following.

image

As you can see above in the 1st option, automatic updates are already disabled through GPO, so there won't be any automatic Windows update process. But if you look at the 2nd, the user still has the option to click ‘Check online for updates from Microsoft update’ and run Windows update.

Configuring the GPO ‘Disable automatic updates’ only disables the automatic update schedule that runs every night around 3 AM or so; it still leaves the user the option to click ‘Check online for updates from Microsoft update’. This initiates the Windows update process: search, download, install and reboot the device.

In the above screenshot, I have a GPO to turn off automatic updates, but the user can still trigger Windows update using Check online for updates from Microsoft update.

How do we disable/hide ‘Check online for updates from Microsoft update’?

Create a GPO and configure the following setting.

Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings

Turn off access to all Windows Update features = Enabled

image

Link the GPO to a test OU, and test the Windows Store and update functions before deploying the policy to all production machines.

End results:

The policy now hides the ‘Check online for updates from Microsoft update’ setting.

A new registry key gets created with this setting.

Registry Path:
Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess

image

Hope it helps!

Troubleshooting WSUSContent folder size when it grows bigger and bigger

I was recently helping out a customer who had issues with the wsuscontent folder size, which was about 330GB. This folder is usually around 5-6GB if you are not using standalone WSUS or 3rd party updates for patching.

This folder primarily stores:

1. Software update end-user license agreements (EULAs).

2. Microsoft patches for Windows and other products, for standalone WSUS.

3. 3rd party updates, in case you have integrated a 3rd party patching tool.

The following is the screenshot of the wsuscontent folder size.

When the customer reported that the wsuscontent size was huge, the following questions were raised.

1. Is it standalone or integrated with Configuration Manager? --> Integrated with ConfigMgr.

2. Are you using any 3rd party patching tool, hence the higher content download? --> There is a 3rd party patching tool, it is only Microsoft updates.

Given these answers, WSUSContent should not be this large. The troubleshooting went as follows.

1. Open the WSUS console, options, open Automatic Approvals

image

There was a default automatic approval rule which was enabled with the rule properties.

image

What does it do? When the WSUS sync runs, the updates that match the update classifications you have selected are approved and downloaded to the wsuscontent folder.

This is needed only when you use a standalone WSUS server, not with Configuration Manager.

If you have integrated the WSUS server with Configuration Manager, you should not touch the WSUS MMC after the initial configuration.

By default, when you integrate WSUS with ConfigMgr, this automatic rule is unselected.

So someone made the change unknowingly, which caused the content folder to grow bigger.

How do we fix this now?

1. Since WSUS is integrated with ConfigMgr, we can deselect the automatic approval rule, so there won't be any content download thereafter.

2. To clean up the downloaded content in the WSUSContent folder, we need to decline all the updates in the WSUS console (don't worry, this won't impact your ConfigMgr patching or the metadata in the ConfigMgr console; you are safe doing it) and run the server cleanup wizard.

So go ahead and untick the default automatic approval rule and click OK.

To decline all approved updates, click Updates, All Updates.

For Approval, select Approved, and for Status, select Any.

You should see the list of approved updates, which are also downloaded to the wsuscontent folder.

In my case, there are 636 updates approved.

Select all the updates, right-click, and choose Decline.

You will be prompted with the following screen; select Yes.

image

Depending on the number of updates, it may take some time.

Once the updates are declined, refresh the page.

Now we need to clean up the content stored in the folder.

In the console, click Options and select Server Cleanup Wizard.

You will be offered multiple cleanup options, but the first one is our fix to remove the downloaded content.

As you can see, we have now cleaned up around 320GB.

Depending on the number of updates, you may see the MMC console crash, but don't worry: try again and it will succeed.

There are also scripts available to perform the cleanup without the MMC crash, but the UI works fine.

Once the clean-up is done, go back and check the size of wsuscontent, it is now 3.7GB which is normal.
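
The same sequence (disable the automatic approval rule, decline the approved updates, remove the unneeded content files) can be run with the UpdateServices PowerShell module on the WSUS server. This is an added example, not one of the scripts the post refers to; the -Apply switch and the Get-FolderSizeGB helper are hypothetical names, and without -Apply the script only reports what it would change.

```powershell
# Added example; run in an elevated session on a WSUS server that is integrated
# with Configuration Manager. -Apply and Get-FolderSizeGB are names of this sketch.
param([switch]$Apply)

Import-Module UpdateServices
$wsus = Get-WsusServer   # connects to the local WSUS server

function Get-FolderSizeGB([string]$Path) {
    $bytes = (Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    [math]::Round($bytes / 1GB, 1)
}

# Content folder as configured in WSUS (the WsusContent directory).
$contentPath = $wsus.GetConfiguration().LocalContentCachePath
$sizeBefore  = Get-FolderSizeGB $contentPath

# Automatic approval rules that are currently enabled.
$rules = @($wsus.GetInstallApprovalRules() | Where-Object { $_.Enabled })

# Same filter as in the console: Approval = Approved, Status = Any.
$approved = @(Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any)

"Content folder          : $contentPath ($sizeBefore GB)"
"Enabled approval rules  : $(($rules | ForEach-Object { $_.Name }) -join '; ')"
"Approved updates        : $($approved.Count)"

if (-not $Apply) {
    'Report only. Re-run with -Apply to disable the rules, decline the updates and clean up.'
    return
}

foreach ($rule in $rules) {
    $rule.Enabled = $false
    $rule.Save()              # persist the change, same as unticking the rule in the MMC
}

$approved | Deny-WsusUpdate   # decline everything that was approved in WSUS

# Delete content files that are no longer needed by any approved update.
Invoke-WsusServerCleanup -UpdateServer $wsus -CleanupUnneededContentFiles

"Content folder after cleanup: $(Get-FolderSizeGB $contentPath) GB"
```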

Hope you find this post useful.


Certificate error while deploying an OS over CMG using bootable media

Starting in Configuration Manager 2010, we can use OS boot media from SCCM to reimage internet-based devices that connect through a cloud management gateway (CMG). Note that this method cannot join the devices to a domain, only to a workgroup, as there is no domain connectivity for internet-based clients. This scenario is useful for supporting remote workers. Though the devices are in a workgroup, they can be managed via Configuration Manager for application deployment, patching, and other features that support a client over CMG.

In case of any issues with a remote worker's Windows OS, we can use the OS boot media (sent on a USB drive) to reinstall Windows. All of this happens through the cloud management gateway.

For more information about how to run a task sequence over the internet through a cloud management gateway using the bootable ISO, please refer here.

For the prerequisites for boot media via CMG, refer here.

When I was testing this feature in my lab, I encountered some issues, and I would like to discuss them in this blog post along with the fix.

My lab is running on HTTP (no PKI) and the CMG server authentication cert is an enterprise cert (on-prem CA). All of my clients are hybrid Azure AD joined.

So when my clients move to the internet, they use hybrid Azure AD join for authentication.

As per this guide, I have created boot media that uses the CMG as a management point. Since my SCCM is not running a PKI infrastructure, I don't have to import any (PKI) certificate into the boot image while creating it. You only need that when your site (and clients too) is running on HTTPS. The boot image uses a self-signed media certificate ONLY.

image

When booting the device which is on internet using the ISO that we created above, it failed with error code as listed below.

asynccallback(): winhttp_callback_status_secure_Failure encountered

winhttp_callback_status_flag_invalid_CA

clip_image002

The device is authenticating with my CMG (https://cmcb1.cloudapp.net)  which is using enterprise CA cert.

clip_image002[4]

The boot image that we created is using self-signed certificate which is not enough to authenticate with CMG.

How do we fix this certificate issue for CMG bootable using self-signed certificate?

Since my CMG server authentication certificate using enterprise CA, I will need to have root CA into the boot image. That can be verified from your site properties, communication security.

image

As you can see above, there is no root CA specified. For a successful task sequence deployment over CMG using boot media, I would need to import the root CA.

To import the cert, click on set, click on start burst, import the cert and click Ok.

image

Now go back to your task sequence and create new boot media using the self-signed certificate. This time, it will allow you select the task sequence that are deployed to unknown collection and continue from there.

When I choose the task sequence, i hit with another error. The device unable to verify the content located on a distribution point.

I did verified that, the content is distributed to cloud DP and can located in blog storage as well.

clip_image002[10]

After checking my client settings, I found that I had custom client settings for CMG, deployed to a collection. This will restrict desktops/servers from receiving the CMG settings.

For unknown clients on the internet, you will have to make the changes in the default client settings for CMG.

Edit the default settings, go to Cloud Services, and configure the CMG settings.

Once you make the changes in default settings, you don't have to re-create the boot image.

Now go back to the internet device and retry the task sequence.

The client is now able to connect to the CMG and the cloud DP for content download.

Depending on the speed of the internet connection, the deployment may take time.

Hope it helps!

System Center Endpoint Protection (SCEP) Installation Error code 0x8004FF91


I had provisioned a Windows Server 2012 R2 machine (yes, it is 2012 R2), and while installing the SCEP client (the System Center Endpoint Protection client installation files are picked from current branch 2010), it failed with the following error code.

Setup - Cannot complete the System Center Endpoint Protection installation. An error has prevented the System Center Endpoint Protection setup wizard from completing successfully. Please restart your computer and try again. Error code:0x8004FF91. [8004FF91]

I tried various command-line switches for the SCEP client installation, but all returned the same error code.

The server had Configuration Manager client 2010 installed and was fully patched.

I also tried removing the Configuration Manager client and then installing SCEP. No matter what you do, the SCEP client installation always fails.

As per the error message, I rebooted the server and re-ran the installation, but it failed with the same error code again.

To troubleshoot further, I looked at the logs located in c:\programdata\microsoft\Microsoft Security Client\support and found several files in this folder.

EppSetup.log and MSSecurityClient_Setup_4.7.209.0_epp_Install.log reveal the same information that is shown in the UI.

The following is the relevant piece of information from the MSSecurityClient_Setup log.

setup CA ERROR  : CryptCATAdminAddCatalog failed with 1062

NIS setup CA ERROR  : InstallNisDriver: InternalInstallCatalog failed with 1603

NIS setup CA INFO   : InstallNisDriver completed with error result 1603

CustomAction InstallDriver returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)


CryptCATAdminAddCatalog failed with 1062 –> this points to the cryptographic service (cryptsvc), which is missing on the server.

Open cmd on the problematic server and run sc query cryptsvc

The specified service does not exist as an installed service.

How do we get the service running? I tried registering cryptsvc.dll, which is found in C:\windows\system32\cryptsvc.dll, but it did not help much.

Running sfc /scannow can fix the issue if there are any corrupted files, but nothing helped there either.

The next attempt was to log in to a Server 2012 R2 machine that had the SCEP client and see whether the cryptographic service exists there.

The service was found on the working server. So export the registry key for this specific service, import it into the problematic server, and reboot it.

The following is the registry of the service.


Export the registry, import into the server, reboot the server.

After logging in, check whether the cryptographic service exists. If it is available, run the SCEP client installation.

The SCEP client installed successfully, and I verified that the agent is communicating with Configuration Manager for policies etc.

Hope this helps!

SCCM Collection for devices online with green checkmark


This is a quick blog post on how to create a device collection for computers that are online and showing the green checkmark.

When a Configuration Manager client is installed, it will have the following status code indicating the device. For more information about device client status, please refer here

How do we create a collection for clients that are online?

Collections use WQL, and the following is the WQL syntax you can use to create the collection.

We will use the WMI class SMS_CollectionMemberClientBaselineStatus, which has the client online status information. This information comes from the client notification, which uses BGB/fast channel.

This collection uses a subselect query.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in
(select resourceid from SMS_CollectionMemberClientBaselineStatus where SMS_CollectionMemberClientBaselineStatus.CNIsOnline = 1)


If your Configuration Manager is running 2010, you will have the option to preview the results. Click on the play button to see the results before you confirm the changes.

Save the collection and wait a few seconds for the data to appear.

Based on the device collection membership, the results get updated.

If you want to create reports based on the online status, you can refer to http://eskonr.com/2016/04/how-to-query-clients-collection-or-ssrs-ssrs-with-online-status-in-sccm-configmgr-1602/

SCCM Collection for AAD joined devices (co-managed)


Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. For more information about Co-management, benefits, pre-requisites, licensing, read https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview

When you have Windows 10 devices that are Azure AD joined, enrolled to Intune, and also co-managed, these devices appear in Configuration Manager.

In this blog post, I will show you how to create a collection for Azure AD joined co-managed devices.

When a device is AAD joined and co-managed (not on-prem domain joined, only cloud), we will have the tenant ID, device ID, domain or group, and other information.

We will use 2 important fields to identify whether the device is AAD joined: 1) AADTenantID 2) Resource_Domain_OR_Workgr0

The device should have an AADTenantID and should not be in your domain, which means it will be in a workgroup.

We don't filter on the workgroup name, as it can be customized by the user and changed as per their needs, like MyPC etc.

So we will go with the domain. Anything that is AAD joined and not in the corporate domain (intranet.eskonr) falls into the collection.

Create a collection with the following WQL query, which uses a subselect:

select *  from  SMS_R_System where SMS_R_System.AADTenantID = "4252590E-6F9B-4AA1-AA9F-D7717C111B07" and
SMS_R_System.ResourceId not in (select ResourceID  from  SMS_R_System where SMS_R_System.ResourceDomainORWorkgroup = "INTRANET")

INTRANET is my domain name; if you have multiple domains, you can add them as well.

Once you paste the query into the query designer, you can click on the play button (green color) to see the list of devices that match with this query.

I have got 1 device that is AAD joined but co-managed.

Hope this helps!

Audit messages for software update deployments in Configuration Manager


In Microsoft Endpoint Configuration Manager, we use the Monitoring workspace in the Configuration Manager console to monitor infrastructure and operations.

One common ask in many forums is how to find who created, modified or deployed a certain task to users or devices that caused an issue.

When someone deploys something, they may not know that it will cause an outage or impact the end-user experience.

When such things happen, you are always in search of who did it.

In this blog post, we will see how to find who deployed or created an assignment for a software update group.

For all these types of auditing, there are status message IDs that I have blogged about, and the Excel spreadsheet is available on GitHub for your reference.

If you want to find out who created the assignment for the software update group, there is no built-in way to monitor it in the software update section.

The following is the view of the software update deployment assignment.


As you can see, there is no user ID tagged for the specific update deployment group.

How do we trace it? There are a few options for this.

1. Use smsprov.log

2. Use Status Message Queries

3. Use SQL database.

SMSPROV.log is very limited in size, its records get overwritten in no time, and finding the right data in it is a tedious process.

The next available options are audit status messages and the SQL database.

We can use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to modify. For example, you can run the built-in query for Collections Created, Modified, or Deleted to identify when a specific collection was created, and the user account used to create the collection.

Based on the Excel sheet I shared earlier for status message queries, the following are the status message IDs related to software update deployments.

30196 User "%1" created updates assignment %2 (%3).
30197 User "%1" modified updates assignment %2 (%3).
30198 User "%1" deleted updates assignment %2 (%3).

Now we will find out who created the deployment group for the target collection ‘all Mobile devices’ on 3/4/21 using the audit status message queries:

Go to the Monitoring workspace, click on System Status, then Status Message Queries.

Open All audit status messages from a specific site.

Choose the site and the time when the deployment was created (3/4/21), then click OK.

If your deployment was created days or weeks ago, you can choose up to 1 year.

There were many audit status messages for the specified duration.

We can use the filter with the message ID 30196 to find the new assignments.

Here you will find all the software update deployments that were created.

In the properties section, you will see the following information.

User "INTRANET\eswar.koneti" created updates assignment 16779253 ({65FCC1AD-126D-4D27-991A-F563F8A0CDFE}).

Likewise, if there are multiple deployments created by the users, how do you find the right deployment that you are looking for?

Let's go back to the update deployment in the console and find the deployment ID that we are looking for.

In my case, the deployment ID for the reporting is: 16779253

From the audit status messages, I will filter with message ID 30196 and the description *16779253* to get the exact information.

We now see who created the specific deployment type for the software update group.

How to find the data using SQL management studio or using the database?

Using a SQL query, we need 2 values to search for: 1) the message ID, which we already know (30196), and 2) the deployment name.

The following is the SQL query to run against the SCCM database.

select * from vStatusMessagesWithStrings
where MessageID = 30196
and InsStrValue4 like 'Microsoft Software Updates - 2021-03-04 12:54:40 AM'

The SQL query is a much simpler way to find the relevant information.
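Once the audit messages are exported as text, the same who-did-what question can be answered for all three message IDs at once. The following is an added example, not part of the original post: ConvertFrom-UpdateAssignmentAudit is a hypothetical helper name, and the sample messages are constructed in the 30196/30197/30198 format listed above.

```powershell
# Added example: turn audit status message text for software update assignments
# (message IDs 30196, 30197, 30198) into objects that can be filtered and grouped.
# ConvertFrom-UpdateAssignmentAudit is a hypothetical helper, not a ConfigMgr cmdlet.
function ConvertFrom-UpdateAssignmentAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Description
    )
    begin {
        # Verb used in the message text -> status message ID
        $idByAction = @{ created = 30196; modified = 30197; deleted = 30198 }
        # Matches: User "%1" <verb> updates assignment %2 (%3).
        $pattern = '^User "(?<User>[^"]+)" (?<Action>created|modified|deleted) ' +
                   'updates assignment (?<Id>\d+) \((?<Guid>\{[0-9A-Fa-f-]{36}\})\)\.?$'
    }
    process {
        $text = $Description.Trim()
        if (-not $text) { return }          # ignore blank lines in an export
        if ($text -match $pattern) {
            [pscustomobject]@{
                MessageId      = $idByAction[$Matches.Action]
                Action         = $Matches.Action.ToLower()
                User           = $Matches.User
                AssignmentId   = [int]$Matches.Id
                AssignmentGuid = $Matches.Guid
            }
        }
        else {
            # Audit messages about other object types are skipped, not guessed at
            Write-Verbose "Skipped: $text"
        }
    }
}

# Constructed sample; only the first line is taken from the post above
$messages = @(
    'User "INTRANET\eswar.koneti" created updates assignment 16779253 ({65FCC1AD-126D-4D27-991A-F563F8A0CDFE}).'
    'User "INTRANET\admin01" modified updates assignment 16779253 ({65FCC1AD-126D-4D27-991A-F563F8A0CDFE}).'
    'User "INTRANET\admin02" deleted updates assignment 16779260 ({0A1B2C3D-0000-4000-8000-000000000001}).'
    'User "INTRANET\admin01" changed something that is not an updates assignment.'
)
$audit = $messages | ConvertFrom-UpdateAssignmentAudit

# Full history of the deployment ID used in the post
$audit | Where-Object AssignmentId -eq 16779253 | Format-Table MessageId, Action, User -AutoSize

# Number of assignment changes per account
$audit | Group-Object User | Format-Table Name, Count -AutoSize
```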

Hope you find this blog post useful!

Troubleshooting Co-management enrollment issues–hybrid Azure AD join


I was troubleshooting the client issue for co-management and found that the device was not hybrid Azure AD Joined.

Hybrid Azure AD join (if your devices are on-prem) is one of the prerequisites for co-management.

To check whether a device is hybrid Azure AD joined, you can open cmd and run dsregcmd /status

If the device is hybrid Azure AD joined, the status shows AzureAdJoined=Yes (this field applies to both AAD and hybrid AAD joined devices).

On the problematic machine, there is no data for the dsregcmd.
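Because AzureAdJoined alone does not separate AAD joined from hybrid joined devices, a script has to read it together with the DomainJoined field that dsregcmd /status also prints. The following is an added example, not part of the original post: Get-JoinState is a hypothetical helper name and the sample output is constructed in the format dsregcmd prints.

```powershell
# Added example: classify a device from `dsregcmd /status` output.
# Get-JoinState is a hypothetical helper, not a built-in cmdlet.
function Get-JoinState {
    param(
        # Lines of dsregcmd /status output; may be empty, as on the problematic machine
        [string[]]$DsregOutput
    )

    # Collect "Key : Value" pairs such as "AzureAdJoined : YES"
    $state = @{}
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(?<Key>[A-Za-z]+)\s*:\s*(?<Value>.+?)\s*$') {
            $state[$Matches.Key] = $Matches.Value
        }
    }

    # No device state at all: the registration task probably never ran
    if (-not $state.ContainsKey('AzureAdJoined')) {
        return 'Unknown (no device state returned)'
    }

    $aad    = $state['AzureAdJoined'] -eq 'YES'
    $domain = $state['DomainJoined'] -eq 'YES'

    if ($aad -and $domain) { 'Hybrid Azure AD joined' }
    elseif ($aad)          { 'Azure AD joined' }
    elseif ($domain)       { 'Domain joined only (device registration has not completed)' }
    else                   { 'Not joined' }
}

# Constructed sample in the format dsregcmd /status prints
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : INTRANET
'@ -split "`r?`n"

Get-JoinState -DsregOutput $sample
Get-JoinState -DsregOutput @()     # the "no data" case

# On a live device: Get-JoinState -DsregOutput (dsregcmd /status)
```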

For more information about configuring hybrid Azure AD join and troubleshooting, please refer to part 1 & part 2 and the troubleshooting

For the device registration process in a hybrid Azure AD join, we usually refer to the event logs located at Event Viewer/Microsoft/Windows/User Device Registration/Admin

Under this path, there are no logs related to the device registration process.

The device registration process is initiated by a scheduled task under Workplace Join during system boot, and this task runs with the system account.

This task is located under Task Scheduler Library> Microsoft > Windows > Workplace Join > Automatic-Device-Join Task

The task is disabled on the system, hence the device registration task did not run.

Enable the task and run it (running the task requires local admin rights). If you do not have local admin rights, reboot the system; the task will run automatically with the system account.

This task is disabled by default on a Windows 10 workgroup computer, but when you join the device to a domain, it is enabled automatically. For some reason, the task was not enabled.

If you want to enable the task on all your Windows 10 computers, you can make use of GPO.

There could be a lot of devices with the scheduled task disabled, which will impact the co-management enrollment.

How do we identify the devices that have the Automatic-Device-Join task disabled?

In SCCM, we can make use of the Scripts feature, CMPivot or a configuration baseline.

In this blog post, I will discuss 2 options: 1) configuration baseline and 2) Scripts.

For the configuration baseline, we will use a simple PowerShell script to detect the status of the scheduled task, and the same script can also be used in the Scripts feature.

In your SCCM, create a configuration item and choose the PowerShell script.

you can also use this as scripts and run it on targeted computers or

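# Read the state of the Automatic-Device-Join scheduled task
$status = (Get-ScheduledTask | Where-Object TaskName -eq 'Automatic-Device-Join' | Select-Object State).State
if ($status -eq 'Disabled')
{
    # Task is disabled, so device registration will not run
    Write-Host "Non-Compliant"
}
else
{
    Write-Host "compliant"
}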


If you use the Scripts feature, running the script on a target computer returns the status as either compliant (enabled) or non-compliant (disabled).

I have uploaded the exported copy of the configuration baseline to GitHub.

You can download, import and deploy it to your Windows 10 collection to check whether any devices have this task disabled.

Technical preview 2105 released for Configuration Manager


As part of the monthly release updates for Configuration Manager Technical Preview, technical preview version 2105 is now available with some cool features such as enhanced script editing, VM size for CMG, Support Center themes (dark and light), client deployment prerequisites, and PowerShell release notes.

You can install this version to update your existing lab and add new features to your technical preview site.

If you want to set up a technical preview site in a lab, you can download the baseline version 2103 from https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-endpoint-configuration-manager-technical-preview and set up the SCCM site.

Technical preview 2105:

ConfigMgr site version: 5.00.9051.1000

ConfigMgr Client version: 5.00.9051.1000

Technical preview 2105 features:

Enhanced code editor: This feature allows you to edit scripts in an enhanced editor that is integrated with the SCCM console. You can use the script editor to view or edit scripts in the following locations.

  • Configuration item
    • Scripts
    • SQL and WQL queries
    • Detection methods
  • Application detection scripts
  • Query statement properties
  • Create script wizard
  • Script properties
  • Orchestration group
    • pre-installation scripts
    • post-installation scripts
  • Task sequence
    • PowerShell scripts
    • Query WMI option

The new code editor supports the following features:

  • Editor mode with syntax highlighting and plain text toggle
  • Toggle word wrap and line numbers
  • Code folding
  • Language selection
  • Find, Find and Replace, and Go To line number
  • Font type and size selection
  • Zoom using buttons or with Ctrl + mouse wheel.
  • The information bar at the bottom displays:
    • Number of lines and characters in the script
    • Cursor position
    • If the script is read-only
  • Persistent settings across instances for the code window, such as code folding, word wrap, and window size.

The following is for application deployment detection method using script:

The code editor has different language modes.

VM size for CMG:

You can now select the VM size: B2S (mostly for lab purposes), A2_V2 as the standard VM, and D2_V3 if you want higher specs.

When you set up a CMG with a virtual machine scale set, the default VM size that CMG deploys is Standard (A2_V2), but you can change the size during setup.

Support Center tools in dark and light themes:

The Support Center tool available in this version comes with 2 themes apart from the system default theme.

The installer (SupportCenterInstaller.msi) is available in EasySetupPayload\4c55e125-ec45-459a-b1eb-06e2f9cb791e\SMSSETUP\TOOLS\SupportCenter

The following tools are part of Support Center:

  • Support Center Viewer
  • Support Center OneTrace
  • Support Center Log File Viewer

One Trace:

Log viewer:

New files added in the client deployment prerequisite:

Starting with this release, the Configuration Manager client uses the Microsoft Visual C++ 2015-2019 Redistributable version 14.28.29914.0. This will help to improve stability in Configuration Manager client operations.

For more information about the full set of technical preview 2105 features, please read through https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2021/technical-preview-2105


Reporting services – The request failed with HTTP status 503 Service Unavailable


The other day, I powered on my Configuration Manager lab after a long time to test something in reporting and found that the reporting URL did not work.

Browsing the reports URL led to HTTP error 503, Service Unavailable.

I verified that the SQL Server Reporting Services service was running fine, and I also restarted the service to see whether that helped, but no luck.

I realized that something was seriously wrong and took some time to troubleshoot further.

The first log to check is srsrp.log (the ConfigMgr log for reporting services), located in the logs folder of your ConfigMgr installation directory.

The log has the following errors:

The request failed with HTTP status 503: Service Unavailable.

(!) SRS not detected as running

Failures reported during periodic health check by the SRS Server CMserver.domain.name

I also checked the Report Server Configuration Manager; everything seemed to be fine.

The next step is to look at the SQL Server Reporting Services log located in

C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\LogFiles

The log has the following error messages:

configmanager!DefaultDomain!5018!04/04/2021-14:23:28:: e ERROR: Error loading configuration file: The evaluation period for this instance of Microsoft SQL Server Reporting Services has expired.  A license is now required.

appdomainmanager!DefaultDomain!5018!04/04/2021-14:23:28:: e ERROR: Appdomain:1 DefaultDomain failed to initialize. Error: Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The report server has encountered a configuration error.  ---> Microsoft.ReportingServices.Diagnostics.EvaluationCopyExpiredException: The evaluation period for this instance of Microsoft SQL Server Reporting Services has expired.  A license is now required..

As you can see in the log, the license for SQL Server Reporting Services has expired.

When you install SQL Server Reporting Services, you are asked to choose the 180-day trial or enter the SQL Server license key.

If you choose the trial, then after 180 days you will have the same issue as mine.

So now that we have found that the license for SQL Server Reporting Services has expired, how do we activate it?

The only way that I could find is to reinstall the reporting services.

Run the SQL Server Reporting Services installation wizard (I used 2019); you will see the following options. Choose upgrade, and you will be asked for the key to activate it.

Once the installation is completed, wait for the reporting services to check the license status and rebuild the reports (there won't be any changes to your default/custom reports), and after some time, your reporting URL will be up and running.

Hope this helps!

Using Scripts to trigger software updates remotely from the SCCM console


A quick blog post on triggering the installation of software updates (missing/failed/available in Software Center) remotely from the console using the built-in Scripts feature.

Say you have deployed software updates to your clients and, during the Windows update compliance check, you find that the clients are still reporting as non-compliant (required).

There could be several reasons why a client is still reporting as non-compliant. For more information about the software updates compliance states, please refer to https://docs.microsoft.com/en-us/mem/configmgr/sum/understand/software-updates-introduction#software-updates-compliance-states

To check whether the client has any updates available in Software Center that are waiting for a maintenance window, failed to install, or are pending for some other reason, and to trigger the installation, we can make use of the built-in Scripts feature.

The following PowerShell script checks for Windows updates (Microsoft or 3rd party) and triggers the installation. This action ignores the maintenance window ONLY (if you have any) and follows the reboot schedule as per the assignment.

To create and run a PowerShell script, please follow the guide here using the following script.

# Updates the client reports as missing (ComplianceState = 0)
$MissingUpdates = Get-WmiObject -Class CCM_SoftwareUpdate -Filter "ComplianceState=0" -Namespace root\CCM\ClientSDK
# InstallUpdates expects an array of WMI object instances
$MissingUpdatesReformatted = @($MissingUpdates | ForEach-Object { if ($_.ComplianceState -eq 0) { [WMI]$_.__PATH } })
if ($MissingUpdatesReformatted)
{
    # Trigger the installation of all missing updates on this client
    $InstallReturn = Invoke-WmiMethod -ComputerName $env:computername -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdatesReformatted) -Namespace root\ccm\clientsdk
    Write-Host "Updates found, initiated"
}
else
{
    Write-Host "No updates found"
}

Once the script is created and approved, you can run it on an individual machine or a device collection.

Script output:


How to fix duplicate reports with double underscore (__) in Configuration Manager


The other day, I was running the ConfigMgr reports in my lab, especially the asset intelligence reports for some hardware information.

I tried to run the first report, __ Hardware 01A – Summary of computers in a specific collection, and it did not run successfully.

The following is the error code.

The report server cannot process the report or shared dataset. The shared data source 'AutoGen__5C6358F2_4BB6_4a1b_A16E_8D96795D8602_' for the report server or SharePoint site is not valid. Browse to the server or site and select a shared data source. (rsInvalidDataSourceReference)

Based on the error, the issue could be related to the shared data source. When I checked the data source properties for the report, no value was configured.

The shared data source reference is no longer valid.

To fix this, click on Select a shared data source, select {5C6358F2-xxx}, and click OK.

Run the report now; it works fine.

Likewise, I ran another report and it had the same issue. This report also starts with a double underscore (__).

So I searched for the first report to see whether there were any duplicates. I got 2 entries.

Based on this, I figured out that the reports with a double underscore (__) are duplicates of the originals and might have been created during the upgrade of the Configuration Manager site (2103).

Since the Configuration Manager site in my lab was upgraded to 2103 followed by the latest hotfix a few months ago, the logs have been overwritten, hence I cannot find the root cause.

For now, I need to figure out how many reports are duplicated with a double underscore (__) and get rid of them (delete them).

The following is the SQL query for it.

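Use ReportServer;
-- Reports (Type = 2) whose name starts with a double underscore.
-- [_] matches a literal underscore; a bare _ is a single-character wildcard in LIKE.
Select ItemID,Path,Name,ParentID,Type,Description,Hidden,CreatedByID,CreationDate,ModifiedByID,ModifiedDate,Parameter
FROM dbo.Catalog
 WHERE Type = 2
 and name like '[_][_]%'
 Order by Name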

The following is the SQL query to get a list of reports without double underscore (__).

Use ReportServer;
-- Reports (Type = 2) whose name does not start with a double underscore.
Select ItemID,Path,Name,ParentID,Type,Description,Hidden,CreatedByID,CreationDate,ModifiedByID,ModifiedDate,Parameter
 FROM dbo.Catalog
 WHERE Type = 2
 and name not like '[_][_]%'
 Order by Name

Before we delete anything, we can do a quick comparison (VLOOKUP/Excel) to confirm whether these __ reports are really duplicates.

There are about 250+ reports which have the same symptoms and these can be deleted.
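The comparison step can also be scripted instead of done in Excel. The following is an added example, not part of the original post or the forum script: Compare-DuplicateReport is a hypothetical helper name, the sample rows are constructed, and it assumes a duplicate is named "__" plus the original report name and sits in the same folder.

```powershell
# Added example: check every "__" report against the catalog before deleting it.
# Input objects need the Path and Name columns returned by the dbo.Catalog queries.
# Compare-DuplicateReport is a hypothetical helper name.
function Compare-DuplicateReport {
    param(
        [Parameter(Mandatory)]
        [object[]]$CatalogRow
    )

    # Folder part of a catalog path, e.g. /ConfigMgr_ABC/Hardware
    function Get-Folder([string]$Path) {
        $Path.Substring(0, $Path.LastIndexOf('/'))
    }

    # Index the originals by folder and name (hashtable keys are case-insensitive)
    $originals = @{}
    foreach ($row in $CatalogRow) {
        if (-not $row.Name.StartsWith('__')) {
            $key = (Get-Folder $row.Path) + '/' + $row.Name.Trim()
            $originals[$key] = $true
        }
    }

    foreach ($row in $CatalogRow) {
        if ($row.Name.StartsWith('__')) {
            # Assumption: duplicate name = "__" + original name, same folder
            $expected = (Get-Folder $row.Path) + '/' + $row.Name.Substring(2).Trim()
            [pscustomobject]@{
                DuplicatePath    = $row.Path
                ExpectedOriginal = $expected
                HasOriginal      = $originals.ContainsKey($expected)
            }
        }
    }
}

# Constructed sample rows; site code ABC, folders and report names are placeholders
$rows = @(
    [pscustomobject]@{ Path = '/ConfigMgr_ABC/Hardware/Sample report A';   Name = 'Sample report A' }
    [pscustomobject]@{ Path = '/ConfigMgr_ABC/Hardware/__Sample report A'; Name = '__Sample report A' }
    [pscustomobject]@{ Path = '/ConfigMgr_ABC/Custom/__Lab inventory';     Name = '__Lab inventory' }
)

$result = Compare-DuplicateReport -CatalogRow $rows
$result | Format-Table -AutoSize

# "__" reports without a matching original need a manual look before any bulk delete
$result | Where-Object { -not $_.HasOriginal } | Format-Table DuplicatePath -AutoSize
```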

Now, how do we remove these duplicate reports? By deleting them one by one, going to each category based on the SQL data?

We can make use of a PowerShell script to delete these reports in one go.

The following is the PowerShell script from the Technet forum.

#######################################################################################################################
# SCCM2012SP1-RemoveDuplicateSSRSReports.ps1
# This script will connect to SSRS on a specified server and delete all reports that begin with a double underscore
# Used for SSRS cleanup after SCCM 2012 SP1 installation
# Script must be run from an account that has access to modify the SSRS instance
# 2/15/2013 - Mike Laughlin
#
# Resources used in writing this script:
# Starting point: http://stackoverflow.com/questions/9178685/change-datasource-of-ssrs-report-with-powershell
# API Documentation: http://msdn.microsoft.com/en-us/library/ms165967%28v=sql.90%29.aspx
#######################################################################################################################

# Define variables
	$SiteCode = ""
	$serverName = ""

# Set the value of $noConfirm to $True only if you don't want to manually confirm report deletion. Use with caution.
	$noConfirm = $False

# Safeguard	
	If ( $SiteCode -eq "" -or $serverName -eq "" ) { Write-Host "Enter the required information for the SiteCode and serverName variables before running this script." -ForegroundColor Red -BackgroundColor Black ; Exit }

# Connect to SSRS
	$ssrs = New-WebServiceProxy -uri http://$serverName/ReportServer/ReportService2005.asmx?WSDL -UseDefaultCredential

# Get a listing of all reports in SSRS
	$reportFolder = "/ConfigMgr_" + $SiteCode
	$reports = $ssrs.ListChildren($reportFolder, $True)
	
# Find all reports starting with double underscores
	$reportsToDelete = $reports | Where { $_.Name.StartsWith("__") }
	
# Quit if no reports are found
	If ( $reportsToDelete.Count -eq 0 ) { Write-Host "No reports found. Quitting." ; Exit }
	
# Show a listing of the reports that will be deleted
	Write-Host "The following reports will be deleted from SSRS on" $serverName":`n"
	$reportsToDelete.Name
	Write-Host "`nTotal number of reports to delete:" $reportsToDelete.Count "`n"
	
# Get confirmation before deleting if $noConfirm has not been changed
	If ( $noConfirm -eq $False ) 
	{ 
		$userConfirmation = Read-Host "Delete these reports from" $serverName"? Enter Y or N"
		If ( $userConfirmation.ToUpper() -ne "Y" ) { Write-Host "Quitting, reports have not been deleted." ; Exit }
	}
	
# Delete the reports
	$deletedReportCount = 0
	
	Write-Host "Beginning to delete reports now. Please wait."
	ForEach ( $report in $reportsToDelete ) { $ssrs.DeleteItem($report.Path) ; $deletedReportCount++ } 
	Write-Host "Reports have been deleted. Total number of deleted reports:" $deletedReportCount

Hope this helps!

What is new in Configuration Manager 2107 Reporting


Microsoft has released update 2107 for Configuration Manager (Current Branch), which is now available as an in-console update. You don't need to run the opt-in script.

You can apply this update on sites that run version 2002 or later. If you are running an older version of Configuration Manager, you will need to first update the site to a supported version that you see in the console and then update to 2107.

For a list of new features and improvements in Configuration Manager 2107, please read https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2107

Just like with any other Configuration Manager update release, I always look at what is new from the reporting point of view.

I compare what is new in this build against the previous version (2103).

This build adds some new SQL views/tables such as user-based applications, extensions, client diagnostics etc. for custom reporting, and it is always good to build your own reports when you don't find what you are looking for.

So what is new in Configuration Manager 2107 for reporting?

The following is the list of new SQL views.

v_GS_CLIENT_DIAGNOSTICS
v_GS_USER_BASED_APPLICATIONS

v_LifecycleDetectedResourceIdsByGroupName
v_SMS_G_System_ExtensionData
v_SMS_G_User_ExtensionData
vNotificationEventRules

For the full list of SQL views documentation, along with the data available in this build and in previous builds, please refer to GitHub: https://github.com/eskonr/MEMPowered/tree/master/Reports/SQ%20Views

Happy reporting!

What is new in Configuration Manager 2111 Reporting


Microsoft has released version 2111 for Configuration Manager (Current Branch), which is now available as an in-console update, currently via the opt-in script.

You can apply this update on sites that run version 2006 or later. If you are running an older version of Configuration Manager, you will need to first update the site to a supported version that you see in the console and then update to 2111.

For a list of new features and improvements in Configuration Manager 2111, please read https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2111

Just like any other Configuration Manager build release, this build has some new features and enhancements, so we have some additions to the reporting.

In this blog post, I will walk you through what is new in Configuration Manager reporting in the newly released build (2111) and how it can help us create some custom reports.

I have uploaded the SQL views documentation to my GitHub repository; you can find it at https://github.com/eskonr/MEMPowered/tree/master/Reports/SQ%20Views

So what is new in configuration manager 2111 for reporting from its previous build (2107)?

The following are the newly added SQL views/tables/functions that exist in 2111.

v_ApplicationRequests –> Holds information about the application requests from users.
v_UpdateDataForMachine –> Holds the compliance status of updates for devices with status required/install/not required.
vClientCoManagementState –> It is now easier to report the clients with co-management workloads for devices.
vNotificationSubscriptionEvents –> Holds subscription event information
vNotificationSubscriptionEventStatus –> Subscription event status
vSMS_ApplicationGroupItems –> Application group items
vSMS_AssignedDeviceApplicationGroups –> Application groups assigned to devices
vSMS_ConsoleExtensionMetadata –> Holds the information about the console extensions and their status
vSMS_OrchestrationGroupScript –> Orchestration scripts

For the list of SQL views for all Configuration Manager versions, download from https://github.com/eskonr/MEMPowered/tree/master/Reports/SQ%20Views

Happy reporting!
