Microsoft's System Center Configuration Manager (SCCM) delivers an "umbrella" approach for patch and application management, but when it comes to third-party application management and system management operations the process is still tiresome. SCCM current branch allows you to subscribe to third-party catalogs, publish updates to your software update point (SUP), and then deploy them to clients however it has limitations patching third-party components running on a network.

With a huge number of security vulnerabilities attributed to non-Microsoft applications, it is mandatory to patch these applications to shield your enterprise from data breaches. To be more precise, Adobe and Mozilla applications pose the biggest security threats, but a comprehensive patching strategy can minimize security issues in your network.

Make the most out of your SCCM ?

ManageEngine Patch Connect Plus is the non-Microsoft tool that efficiently
automates both system management operations and third-party software deployments, and extends SCCM's patching capabilities to more than 380 third-party applications. It provides end-to-end automated patching support via the SCCM console, scans the network, fetches the latest updates from vendor sites, publishes the patches to Windows Server Update Services (WSUS), initiates the WSUS-SCCM sync, and performs patch deployment and reporting. Additionally, it enables you to customize your process using templates, and create pre- and post- deployment scripts.

The Catalog Subscription feature in Patch Connect Plus provides you with a smart way to automatically import and manage over 300+ third-party updates to the SCCM server software catalog. Plus, with the Auto-catalog Scheduler, you can automate the publishing process, and eliminate the need to wait for the Microsoft-prescribed seven days to synchronize the updated catalogs.

Third-Party software deployment ?

Patch Connect Plus Application Management module facilitates the deployment of more than 300+ applications authored by third-party vendors such as Apple, Adobe, Java, Mozilla, and Google. As part of the software deployment, vendor download sites are contacted automatically, ensuring a streamlined and efficient process. The application template feature enables you to select all the options you need for your deployment.
Also, once a package has been created, Patch Connect Plus auto-updates the new versions that are released consecutively for that particular application.

For enterprises that often must address various contingencies, Patch Connect Plus application management capabilities enable you to run custom pre- and post deployment scripts to help  you efficiently streamline the process.

Administrator Tools for system management operations ?

Patch Connect Plus' Admin Tools helps you perform system management operations, troubleshooting, and other on-demand client operations remotely. This encompasses actions like registry, bit locker status, client group update policy, PowerShell, Command Prompt, control panel, and opening running processes. Additionally, troubleshooting operations such as client restart, accessing network folders, and other important client
actions like collecting data from the evaluation cycle, software metering usage reports, and scan cycle can be performed. Once you configure Admin Tools, you can accomplish client management operations on each client machine.

Now that you have an idea about how you can achieve the best results from your SCCM infrastructure, take a deeper look at Patch Connect Plus. Learn more and sign up for a free, 30-day trial .

It's Microsoft Ignite this week (Sun, 3 Nov 2019 – Thu, 7 Nov 2019) with tons of announcements . One of the key announcements around ConfigMgr/Intune area is Microsoft Endpoint Manager (MEM) and licensing for intune.

Microsoft Endpoint Manager (MEM) is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune, without a complex migration, and with simplified licensing. Continue to leverage your existing Configuration Manager investments, while taking advantage of the power of the Microsoft cloud at your own pace.

The following Microsoft management solutions are all now part of the Microsoft Endpoint Manager brand:

• Configuration Manager
• Intune
• Desktop Analytics
• Autopilot
• Other features in the Device Management Admin Console

For more information about Microsoft Endpoint Manager , please refer https://www.microsoft.com/en-us/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/ 

and if you own ConfigMgr ,you now automatically have Intune licenses for co-managing Windows devices. Does this cover Azure AD Premium license ? No ,you still need to purchase it separately .

Configuration Manager technical preview version 1911 version released early for this month and is available as both an in-console update and as a new baseline version.

if you want to see this update in the SCCM console using updates and servicing, you must be running atleast 1908 and above (three successive versions are available) .

If you want to setup new lab ,then you can Download a baseline version from the TechNet Evaluation Center.

There is not much new features with this preview version but as we talked above, MEM (MEMCM) is biggest news  and is now part of MEM and not System center (SC).

The only new feature that is added with this preview release is:  Microsoft Connected Cache support for Intune Win32 apps 

When you enable Microsoft Connected Cache on your Configuration Manager distribution points, they can now serve Microsoft Intune Win32 apps to co-managed clients.

Before you start updating or installing new SCCM preview lab ,please go through https://docs.microsoft.com/en-us/configmgr/core/get-started/technical-preview

To update 1911 using in-console updates, go-to administration ,updates and servicing ,click on check for updates.

Logs to check for the backend process: Hman.log ,dmpdownloader.log

Once the updates are synced,you will see it in the console and ready to install.

Now right click on the update and select install update pack.

Logs to check: ConfigMgrSetup.log (root of the windows drive) & CMUpdate.log

Now monitor the status using logs and also from the console:

Console:\Monitoring\Overview\Updates and Servicing Status

Logs to check: Logs to check: ConfigMgrSetup.log (root of the windows drive) & CMUpdate.log

Once the installation is completed ,you will be prompted to install new version of admin console.

Microsoft Endpoint Configuration Manager 1911 Tech Preview installation completed.

Before the preview update:

After the preview update:

And from programs and features ,the display name for ConfigMgr console appear as ‘Microsoft Endpoint Configuration Manager Console ’

Once these changes (MEM) goes into production ,then you should alter your collections that have sccm console installed with the above name. This is because the old name appear in programs and features is not same as with MEMCM.

SCCM console version:5.1910.1060.1000

SCCM client version:5.00.8909.1000

How to enable Cache support for Intune Win32 apps :

Happy learning!

The Microsoft Store for Business (wsfb) is where you find and acquire Windows apps for your organization. When you connect the store to Configuration Manager, you then synchronize the list of apps you've acquired. View these apps in the Configuration Manager console, and deploy them like you deploy any other app.

More information about Microsoft Store for Business, please read here

Our users were trying to install some apps from the Microsoft store. when users try to install the apps from the store, it failed because of proxy issues. Microsoft Store on Windows 10 sign-in page goes through login.live and is blocked for security reasons.

So, we have to look for an alternative to deploy store apps for our users and we decided to integrate MSFB with the configuration manager and make full use of features that msfb provide.

Follow the guide here to Integrate Microsoft store for business with Configuration Manager.

How to integrate windows store for business with system center configuration manager ?

Login to console and browse to \Administration\Overview\Cloud Services\Azure Services

Click on configure azure services and follow the steps given in the screenshots below.

After the configuration of azure services for wsfb, wsfb failed to download Windows Store for Business application inventory.

Error code from the log WsfbSyncWorker.log located in your configuration manager setup folder.

Exception: [Microsoft.ConfigurationManager.CloudBase.CMHttpRequestException: Unsuccessful response when content result expected for request.

Error occurred making HTTP request calling 'GET' method on 'https://bspmts.mp.microsoft.com/V1/Inventory?maxResults=100&modifiedSince=0001-01-01T00:00:00.0000000&includeRemoved=true': (Unauthorized) 'Unauthorized'.

at Microsoft.ConfigurationManager.CloudBase.SmsHttpClient.<GetStringFromHttpResponseMessageAsync>d__35.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

What it means is, The azure web application that you created during the wsfb wizard does not have access to download the wsfb inventory.

In order to fix this, we will need to configure a tool to synchronize your Microsoft Store for Business inventory.

Login to https://businessstore.microsoft.com/ with an admin account.

Click on settings, distribute https://businessstore.microsoft.com/en-us/manage/settings/distribute

Click on add management tool

In the search, type the azure web app name that you created during the integration of wsfb in Configuration Manager.

Click add

Now we have given the permissions to the Azure web app to download the inventory.

When you add the tool, the status is in inactive, Click on Activate

The status is now changed to active and action changed to deactivate.

We will now go back to Configuration Manager console and perform sync from Microsoft Store for Business.

Monitor the log WsfbSyncWorker.log for sync status.

Soon after the sync successful, you will see the apps appear in the software library: \Software Library\Overview\Application Management\License Information for Store Apps

Reference:

Troubleshoot the Microsoft Store for Business integration with Configuration Manager

Configure mdm provider microsoft store for business

Microsoft released an update 1910 for Configuration Manager. This update is available as an in-console update and not a baseline version. You can apply this update on sites that run version 1806 (Min version 5.00.8692.0000) or later.

If you want to install a new Configuration Manager, then you must use the baseline version which is 1902 and then perform an in-console update to receive update 1910.

Recently, at Ignite 2019, Microsoft announced ,that they are integrating Microsoft Intune, Configuration Manager, and more into a single solution called Microsoft Endpoint Manager. For more information about Microsoft Endpoint Manager, please read here

The following Microsoft management solutions are all now part of the Microsoft Endpoint Manager brand:

• Configuration Manager
• Intune
• Desktop Analytics
• Autopilot
• Other features in the Device Management Admin Console

From this update 1910, system center configuration manager is changed to Microsoft Endpoint Configuration Manager and no more part of system center suite (MEMCM/MECM ,no #SCCM).

What’s new and improved in the Configuration Manager 1910 update?

Site infrastructure

Cloud-attached management

Desktop Analytics

Real-time management

Content management

Client management

Co-management

Application management

OS deployment

Software Center

Software updates

Office management

Protection

Configuration Manager console

Extend and migrate on-premises site to Microsoft Azure

Improvements to console search

At this time, update 1910 is released for the early update ring. To install this update via an in-console update, you need to opt-in.

How tp opt-in ?

Microsoft has released PowerShell script that helps you to get this update in your console using an early update ring.

Before you start updating your site, please read through the pre-requisites check for things like a supported version of ADK, SQL and others.

Once you validated the prerequisites checks and running on supported configuration, you can run the PowerShell script.

Download the Powershell script from Technet

Launch an elevated command prompt and run the enableearlyupdatering1910.ps1 script.

.\enableearlyupdatering1910.ps1 -site server CAS/Primary site name|IP address -Verbose

The command completed successfully.

If your sccm server has a service connection point with internet access, you will now see a 1910 update in the console.

If the update 1910 is applicable or not to your site, you can monitor hman.log

Once we know that, the update is applicable, we can now launch the console and download the update.

Lunch the SCCM Console, click administration bar and under updates and servicing, you will see 1910 with state ‘available to download’

If you are not seeing the update, force a check for the update by clicking click "Check for Updates" in the updates and servicing console.

Once the update is available, click on the update and choose download.

Monitor the download progress using log: dmpdownloader.log

Depending on your internet connectivity, download takes a while.

you can also monitor ConfigMgrSetup.log to see If the download finished successfully or not.

Now the update is downloaded and ready to install.

Here is a nice flowchart that explains how the in-console update installation and replication works. Please read through https://docs.microsoft.com/en-us/configmgr/core/servers/manage/update-replication-flowchart

Now right click on the update and run a prerequisite check before installing the update. This will help you to be in a ready state.

You can monitor the status by looking at the log or from monitoring \Monitoring\Overview\Updates and Servicing Status\Configuration Manager 1910

Once the prerequisite check is passed, we are now ready to install the update.

Right-click on update and choose to install update pack.

Click next

Choose the features that you are interested in. You can also enable them after the update.

Choose the pre-production collection(a subset of clients) to validate the client update before you take this to production (all clients)

Accept the license terms and click next to install the update.

There is a nice flowchart that explains how the in-console update download works.Please read through https://docs.microsoft.com/en-us/configmgr/core/servers/manage/download-updates-flowchart

We will now monitor the status from the console and from the log (cmupdate.log/ConfigMgrSetup.log)

\Monitoring\Overview\Updates and Servicing Status\Configuration Manager 1910

There will be a hidden package created for this update(PS10006) and save the content to the content library and replicate it to site servers ONLY (Primary).

The installation takes a while to finish.

After a while, you will see a notification in the console appear on top, a new version of the console is available. Click on install.

If you didn’t notice this and close the console, next time when you launch console, you will be prompted with new version of the console available.

You will see that the Microsoft Endpoint Configuration Manager console is installing.

Console version: 5.1910.1067.1300

Site version:5.00.8913.1000

Client Version: 5.00.8913.1006

And the re-brand of system center configuration manager is now Microsoft Endpoint Configuration Manager (#MEMCM/#MECM)

About :

Installed application name in programs and features is changed to Microsoft Endpoint Configuration Manager Console with version:5.1910.1067.1000

If you have any collections created that look for console install, please change the installed application to Microsoft Endpoint Configuration Manager Console.

What things change in Configuration Manager with Microsoft Endpoint Manager?

In version 1910, aside from the name change, Configuration Manager still functions the same. Some of the name changes may impact your use of the following components:

• Configuration Manager console: Find shortcuts to the console and the Remote Control Viewer under the Windows Start menu in the Microsoft Endpoint folder.
• Software Center: Find the Software Center shortcut under the Windows Start menu in the Microsoft Endpoint Manager folder.

In the next blog post, I will talk about new features in MEMCM/MECM

Happy exploring!

Microsoft has released update 1910 for SCCM which is now termed as Microsoft Endpoint Configuration Manager (#MEMCM) and is available as in-console update ONLY. You can apply this update on sites that runs on 1810 and later. For more information, please read

If you want to install a new Configuration Manager site, you can download 1902 as a baseline from the volume licensing portal.

For more information about how to perform in-console update for configuration manager update 1910, please refer here

After the in-console update, you need to manually upgrade any secondary sites by right click on the site and choose upgrade.

You also need to update your Configuration Manager clients to the latest version (1910) to newly supported client features.

With this update 1910, there are a bunch of new features added. This means, there is also a number of SQL tables/views added which will help us to create some great custom reports.

The following are the newly added SQL views/SMS tables for custom reporting.

we can make use of these SQL views and create variety of dashboards.

Some of the interesting things that will be useful are:

v_GS_BITLOCKER_DETAILS

vDeviceActionsHistory

vSMS_Office*

Download Microsoft endpoint configuration manager (#MEMCM) SQL views documentation for 1910 from TechNet  https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

For more information about Configuration manager 1910 ,please read http://eskonr.com/2019/11/configuration-manager-update-1910-is-now-available-as-microsoft-endpoint-configuration-manager-current-branch/

Happy reporting!

Few months ago i blogged about How to install SCCM client using win32 apps in Intune for co-management and CMG .when you create a win32 app for ConfigMgr client with the command line switches as said in the blog post, ccmsetup.exe will always get the source files from CMG.

The download of the client files from CMG happens due to the parameter /mp. This parameter will help client to download the content from the nearest distribution point. we want to avoid client to download client files from CMG and always use local source files (win32 app) that was downloaded from intune.

why do you need to use the local source files to install client instead of downloading from CMG? If you read the Microsoft article for CMG, Charges are based on data flowing out of Azure (egress or download). Any data flows into Azure are free (ingress or upload). So when client download source files of 240mb, there will be cost involved and if there are 5000+ clients download the data, this sums up to Terabytes and when you have already have source files locally available, why do you need to download from CMG again?

In this blog post, we will see how to install configuration manager client using IME cache data that is downloaded from intune without connecting to CMG.

Before we create win32app or make changes to command line switches, we first need to understand how to use offline source files.

Here is the powershell script that will do all the magic here.

we first copy the Configmgr client folder to c:\windows\temp\intunetemp and run the ccmsetup.exe with /source switch and other command line that will help client to assign to site.

we will try this until the ccmexec (SMS Agent host) service is installed (you can use other ways as well like registry etc.) to confirm configmgr client installed successfully.

If the ccmexec service installed then return code 0 else 1 after 5 retries with wait of every 60 sec.

Powershell:

Copy-Item -Path ".\Client" -Destination "c:\windows\temp\intunetemp" -Recurse

c:\windows\temp\intunetemp\ccmsetup.exe /nocrlcheck /source:c:\windows\temp\intunetemp CCMHTTPSSTATE=31 CCMHOSTNAME=SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037928694 SMSSiteCode=PS1 AADTENANTID=4007305e-1664-4e6b-c9a4-c3d5ccfd1524 AADCLIENTAPPID=6g4a28b2-9d0a-482d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService

$retry = 0

while($retry -lt 5)

     {

$service= get-service -name CcmExec

if($service)

           {

exit 0

           }

else

           {

start-sleep -s 60

$retry ++

write-output "Retrying $retry"

           }

          }

exit 1

With this PowerShell script, we will now generate win32app in intune and assign it to the device group.

1. Create a folder called ConfigMgrclient (C:\ConfigMgrclient)

2.Copy the client files into ConfigMgrclient (C:\ConfigMgrclient\Client)

3. Save the above PowerShell script as install.ps1 into (C:\ConfigMgrclient). Don't forget to change the parameters in the ccmsetup.exe command line above.

4.Create an empty text file with name cmclient.txt (C:\ConfigMgrclient)

5.Download win32 app packaging tools from here

Now your folder content looks like this:

5.Open command prompt and go to win32 app packaging directory and run  IntuneWinAppUtil.exe

6.Please specify the source folder:C:\ConfigMgrclient

7.Please specify the setup file:Install.ps1

8.Please specify the output folder:C:\ConfigMgrclient

To create win32 app, login to device management portal or azure portal and go to intune, client apps, add new app as win32

select app package file that we created above

install command: powershell.exe -exec bypass -file .\install.ps1

uninstall command: C:\windows\ccmsetup\ccmsetup.exe /uninstall

Requirements: you can choose as per your infra requirement.

Detection rule, registry key:

Key path:Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client

Value Name:ProductVersion

save the app

Go to assignment and add device security group or autopilot AD sec group that you created to install client.

When you deploy the client to devices, ccmsetup.exe will download the files from C:\windows\temp\intunetemp folder.

with this, we managed to save cost for downloading the content from CMG (it could be peanuts as well but still ) and also the time that it takes for download .

Hope it helps!

Use boundary groups in Configuration Manager to logically organize related network locations (boundaries) to make it easier to manage your infrastructure. You must Assign boundaries to boundary groups before using the boundary group.

Clients use a boundary group for:

• Automatic site assignment
• To find a site system server that can provide a service, including:
  • Distribution points for content location
  • Software update points
  • State migration points
  • Preferred management points
  • Cloud management gateway (starting in version 1902)

Boundary group caching was introduced with the first version of Configuration Manager (ConfigMgr) Current Branch (CB): version 1511. For more information about boundary group caching and how it works, please read https://home.configmgrftw.com/boundary-group-caching-and-missing-boundaries-in-configmgr/

If you have configured the boundaries and assigned this boundaries to boundary group with site system roles,the client will store this information in its WMI namespace root\ccm\LocationServices with class object BoundaryGroupCache.

If a client is in scope of boundary by any means like AD site, IP subnet or IP address range but not added to boundary group, then client will not have any boundary group cache info in WMI.

In my previous blog post, i talked about how to find the missing boundaries using SSRS report and troubleshooting based on boundary group caching . For more information, please read here

In this blog post, i am bringing  another SSRS report for you to find out the boundary group and its assignment details for the client device based on the its last inventory boundary group caching information.

Knowing client boundary group details is important for troubleshooting purpose.With this, you can quickly search what is the client boundary group and what boundaries are added in it.

This blog assumes that, you have extended hardware inventory as per Jason blog post and clients sent the hardware inventory details successfully.

What if you don't want to extend custom hardware inventory changes, but you still need to find out the clients that are missing from boundary groups? Well, you can do that by compliance baseline  My next blog post will be based on CI/CB.

Now that you have extended the custom hardware inventory changes and you have the following SQL view created with data in it.

--To see the boundary group cache data of clients (top 10 rows)

select top 10 * From v_GS_BOUNDARYGROUPCACHE bgc

As you can see above, there are clients that have 2 boundary group ID's which means, the client is part of 2 boundary groups. There could be more than 2 as well based on how you configure boundary groups in your infra.

Now,if you want to use this information and create a report to find client boundary group assignment details, we need to convert these multi value to single row.

Jason blog post has STRING_SPLIT function is available only under compatibility level 130 (SQL server 2016 and above).

My lab is running on SQL server 2014 and the string_split do not work. What other methods i have to convert the values to rows?

Other approach is to use XML Method with CROSS APPLY to split your Comma Separated Data :

Following is the SQL code that does the job.

SELECT distinct A.ResourceID,REPLACE((Split.a.value('.', 'NVARCHAR(MAX)')),' ','') GroupID FROM (
SELECT bgc1.ResourceID,CAST('<X>'+REPLACE(bgc1.BoundaryGroupIDs0, ',', '</X><X>')+'</X>' AS XML) AS String from v_GS_BOUNDARYGROUPCACHE bgc
) AS A CROSS APPLY String.nodes('/X') AS Split(a)

The above SQL code works on SQL edition 2014 and above.Anything lower than 2014 have not tested but it should work.

we now have complete info of client details with its boundary group ID's.

we will now use this boundary group ID and join with other SQL views to get the information that we needed.

I have used the following SQL views to fetch the relevant info.

vSMS_BoundaryGroupSiteSystems: store boundary group site system information

vSMS_BoundaryGroup: Store boundary group details

vSMS_BoundaryGroupMembers: Store boundary information.

You can download the SQL views documentation from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b.

After spending quite amount of time, I can finally make some nice SSRS report like below.

All you need is to key in computer name in the prompt and it will fetch the data for you based on its last successful hardware inventory.

You have both inventory of client and client boundary group assignment details.

you can download the report from Technet Gallery, upload to your SSRS reports, change the data source and run it.

In the next blog post, we will see how to create compliance baseline to check client boundary group details.

Thanks for reading the post.

If you have any ideas on custom reporting, please leave them in comment section.

Starting in version Microsoft Endpoint Configuration Manager current branch 1910, we can use the optional feature called BitLocker management to manage BitLocker Drive Encryption (BDE) for on-premises Windows clients. It provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker Administration and Monitoring (MBAM).

Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.

Prerequisites to plan BitLocker management:

· In version 1910, to create a BitLocker management policy, you need the Full Administrator role in Configuration Manager.

· To integrate the BitLocker recovery service in Configuration Manager requires an HTTPS-enabled management point. On the properties of the management point, the Client connections setting must be HTTPS.

Since my SCCM Lab is running on the HTTP environment, it doesn't support for BitLocker management hence i decided to convert my lab from HTTP to https (PKI).

There are many guides out there on how to convert HTTP SCCM infra to https (PKI).

It involves the creation of few certificates which include IIS, DP and client certificate.

I have created the required certificates for SCCM and imported into the certificate store on the SCCM server then make the changes to site properties for PKI and change the site system roles like MP, DP and SUP with https.

After making changes to the site hierarchy and site system roles, MP, DP and SUP roles will be reinstalled. This can be monitored from the respective components setup log (mpsetup.log,sitecomp.log etc)

I have validated the site components and site hierarchy is running fine.

Now its time to move clients from HTTP to https (PKI).

I have picked one client that was running on the self-signed certificate and now has got a client authentication certificate through GPO as part of our cert enrollment process.

When I log in to the client that was working fine on HTTP (self-signed), it keeps failing with the below error message (locationservices.log).

CCMVerifyMsgSignature failed.

Failed to verify received message 0x80090006

Failed to verify message. Could not retrieve certificate from MPCERT.

MPCERT requests are throttled for 00:05:00

Failed to send management point list Location Request Message to SG-CM001.azure.eskonr.com

The log says, could not retrieve the certificate from the MPCERT—>Based on this, I looked at the MP logs to verify if the MP is functioning correctly or not, then looked at site monitoring if there are any alerts for site components.

I could not find anything wrong with the site and everything seems to be normal and functional.

I thought may be restarting the SMS agent service on the client could help but that doesn't make any difference and It failed with the same error message again.

I have uninstalled the client and installed again with the following syntax

CCMSetup.exe /MP:sg-cm001.azure.eskonr.com /USEPKICERT /NOCRLCHECK /FORCEINSTALL SMSSITECODE=PS1 CCMHTTPSPORT=443 RESETKEYINFORMATION=TRUE

Client installation succeeded, however, the registration with MP/site (ClientIDManagerStartup.log) and locationservices.log repeat with the same errors as above.

Solution:

I was going through the console and looked at active directory forests node and saw that, publishing status showing failed

Publishing of site information in Active Directory Domain Services is logged into hman.log on your site server.

As you can see the log, site Could not connect to the RootDSE container in Active Directory. HRESULT=0x8007052E using the account that was configured.

The error code 0x8007052E translates to ‘the user name or password incorrect.’

The following is the place to configure the active directory forest account.

I realized that, there was change in the password for that account earlier (before the https changes to the site) hence the site publishing failed.

Why is this changing the password of the account that was configured to publish the site info into AD domain services causing all this problems?

Long story short, If you look into the DNS server for the service location records, you can see that, site still using port 80 where as the actual configuration, it uses port 443.

Go to back to the site and re-enter the correct password of the account and monitor the log (hman.log) to see if the site info is published or not.

Site information is now published to AD domain services and port number also updated correctly to 443 in the DNS for service location records.

Now go back to the client , run machine policy cycle and monitor the logs locationservices.log and ClientIDManagerStartup.log

You will see things get progress and the client register with MP successfully.

You now see the client is now using PKI cert.

I can now start testing the BitLocker management with current branch 1910.

Changing the password of an account has caused all the damage today.

You can use Configuration Manager remote control to remotely administer, provide assistance, or view any client computer in the hierarchy. You can use the remote control to troubleshoot hardware and software configuration problems on client computers and to provide support. Configuration Manager supports the remote control of all workgroup computers and domain-joined computers that run supported operating systems for the Configuration Manager client.

Before you begin to use the remote control, ensure that you review the information in the following articles:

Prerequisites for remote control

Configuring remote control

Recently, a colleague of mine troubleshooting an office 365 issue on the end-user device and trying to do remote sessions using Microsoft Teams. Although Teams application has a desktop sharing feature, sometimes it behaves very weirdly.He had issues with desktop sharing sessions using teams so the alternative approach is SCCM remote control tool.

I did a blog post on how to deploy SCCM remote control tools on user device without installing SCCM console, please refer this blog post for more information http://eskonr.com/2018/08/how-to-deploy-sccm-remote-control-bits-standalone-to-clients-without-configmgr-console-being-installed/

You can create a package and deploy the SCCM remote tools to users who are need of it.

When he tried remote control to the user device, it failed with access denied error.

To capture the error details etc., I reproduce the issue and the following is the output of remote control (error snippet is below).

The remote control log (CmRcService.log) on the client located at C:\windows\ccm\logs shows the following error details:

Session denied: The remote user is not authorized to perform remote control on this system.

Disconnecting the connection.  An existing connection was forcibly closed by the remote host. (Error: 80072746; Source: Windows)

Failed to do Handshake in Server. An existing connection was forcibly closed by the remote host. (Error: 80072746; Source: Windows)

Failed to validate Security requirement. An existing connection was forcibly closed by the remote host. (Error: 80072746; Source: Windows)

The following are the basic checklist for remote control troubleshooting:

1. Check the firewall port 2701 from the device that you run configuration manager console/sccm remote control tools (source) for remote control to the destination device.

2. Check if the remote control client settings with relevant user groups (permitted viewers) deployed to the client device.

How do you check what remote control settings with user groups added to the device?

When you deploy multiple client settings to the same device, user, or user group, the prioritization and combination of settings are complex. To view the client settings, you can use Resultant Client Settings.

From the SCCM Console, right-click on the device and choose client settings—>Resultant Client Settings

From the resultant client settings , remote tools, remote control is enabled with permitted viewers who can use the remote tools feature.

Both the above checklist are working. now we move on to the client troubleshooting.

When the remote control feature is enabled on the client-side, there will be policy downloaded on the client and remote tools will be enabled. This can be seen from the configuration manager applet.

There is also a registry key and local security group called 'ConfigMgr Remote Control Users' that will get created when you enable remote control tools using device client settings.

Registry location for SCCM remote control: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control

Local security group: ConfigMgr Remote Control Users

Permitted viewers of the remote control and remote assistance that you added in client settings will be added to both registry and local security group.

In my case, only the registry key was updated with permissions (PermittedViewers) however the local security group was empty.

To fix this issue, we can either add the permitted viewers using GPO or compliance baseline using SCCM.

After adding the user group to the configmgr remote control users group, issue was resolved.

To find the root cause, we can simply create new client settings and increase the priority of the client setting, deploy to client device and monitor the log (CmRcService.log).

How do we find the device that have this issue and fix it with automation?

Following is the simple powershell script to find the devices that have no members added to 'ConfigMgr Remote Control Users' . This can be used to create configuration item and deploy to all devices.

if ((Get-LocalGroupMember "ConfigMgr Remote Control Users").count -ge 1)
{
write-host "Compliant"
}
else
{
write-host "Non-complaint"
}

If compliant then atleast 1 group is member of remote control users, if non-compliant then the group is empty.

you can alter this script to query registry as well.

In order for me to fix the issue, i have created the following powershell script and deploy using compliance baseline method.

This script will check if the permitted group (configured in client setting) is not member then add the group else exit the script and report to sccm with status.

Discover script:

#Discover
If(Get-LocalGroupMember "ConfigMgr Remote Control Users"| where {$_.name -like "eskonr\SCCM-remote-control-users"})
{write-host "Compliant"}
else{write-host "Non-Compliant"}

Remediation script:

#Remediate
Add-LocalGroupMember -Group "ConfigMgr Remote Control Users" -Member "eskonr\SCCM-remote-control-users"

Create configuration baseline and deploy to collection to receive these changes.

When you deploy the configuration baseline, the detection script will run and detect if the group is sec group is member of remote control group or not, if non-complaint then run the remediation script and run the detection script once again to make sure the remediation meet compliant status or not.

You can monitor the compliance baseline information using DcmWmiProvider.log

Reference:

Remotely administer a windows client computer https://docs.microsoft.com/en-us/configmgr/core/clients/manage/remote-control/remotely-administer-a-windows-client-computer

configuration baselines https://docs.microsoft.com/en-us/configmgr/compliance/deploy-use/create-configuration-baselines

On Jan 15th, 2020 Microsoft has officially launched new version of Microsoft edge browser based on chromium for windows and Mac OS. It is compatible with all supported versions of Windows, and with macOS.

It replaces the legacy version of Microsoft Edge on Windows 10 PCs. With speed, performance, best-in-class compatibility for websites and extensions, and built-in privacy and security features, it's the only browser you'll ever need.

As you already know , windows 7 support ended Jan 14th ,2020 however, Microsoft has made the new edge browser available for windows 7.

If you want to download the new Microsoft Edge based on chromium for windows 7, windows 8.1 and windows 10 and Mac OS, please visit https://www.microsoft.com/en-us/edge?

This is not offline installer, it is 2mb file and when you lunch it, it will connect to internet and download the required setup files.

if you want to download the offline installer, you can refer to this article and find the right version for you https://www.microsoft.com/en-us/edge/business/download

Now how do we install the Stable version of new microsoft edge browser using Microsoft Endpoint manager (CMCB 1910 ) for endpoints in the organization?

MEMCM 1910 has feature to deploy Microsoft Edge, version 77 and later to your users. This will help you download and create the application automatically without doing anything manual.

If you are not running on configuration manager current branch 1910, then you need to download the offline installer and create application manually.This is same process how you do for other applications.

This blog post assumes that you are running on configuration manager 1910. If you are not on 1910, please read this blog post for how to get  current branch 1910.

In the console,click on Software library, click on Microsoft Edge Management and choose create Microsoft Edge application

Provide the Name and content location. This is to save the application source files and the name is what appear in applications node .

In the channel, choose stable , this is the version released today by Microsoft  and version, choose latest.

In the deployment, choose No for now, as we edit the deployment settings and deploy to collection later.

Click next on the summary page.

Now, based on the internet connectivity, the download of the edge stable version will start and create the application automatically.

You can monitor the download of the updates from %temp% folder with log called: patchdownloader.log

Log file location:

Monitoring the download process:

Once the download is finished, you can see the app in the application node.

It has 2 deployment types because it downloaded both x86 and x64 but the priority is x64.

The source location has the following content. Powershell script and MSI.

If you edit the x64 deployment type, you will see the program command line syntax.

we will now modify the syntax with -executionpolicy bypass. This is not mandatory to use however i have seen some of the installation error in the previous builds so i simply edit it with bypass and continue.

Append the syntax after file

for x64:

powershell -executionpolicy bypass -File ".\Install-Edge.ps1" -MSIName "MicrosoftEdgeEnterpriseX64.msi" -ChannelID "{56eb18f8-b008-4cbd-b6d2-8c97fe7e9062}"

You can do the same for x86 as well.

update the syntax and click ok.

For detection method: we dont do any changes but i have listed this for your information incase you want to create the application manually and you are not in CMCB 1910.

Hive:HKLM

Key:SOFTWARE\Wow6432Node\Microsoft\EdgeUpdate\Clients\{56eb18f8-b008-4cbd-b6d2-8c97fe7e9062}

Value: pv

data type: version

Operator: Greater than or equal to

value:79.0.309.65

Now distribute the application to distribution points.

Monitor the distribution status  and once it is distributed, you are now ready to deploy to collection. Log file: distmgr.log on your configmgr site.

Deploy to collection:

Once the application is deployed to collection, depend on the machine policy cycle, device will receive the policy, download the content and install the application.

Deployment results:

You can monitor the installation status using appenforce.log located at C:\windows\ccm\logs.

You can see Microsoft Edge in the start menu.

Launch the Microsoft Edge

If you look at the about page in the edge, you see that, your organization disabled the updates.

This is happening because of the script that is used to install the Edge application.

The script is designed to disable the automatic updates and let configuration manager manages the updates just like other windows and office 365 updates.

Now on your configuration manager, you need to enable the Microsoft Edge product in SUP section.

If you are not able to see the product then simply run software update sync , wait for the sync to complete.

Now go back to SUP properties, you will now see the Microsoft Edge, select it and click ok.

Right click on All microsoft edge updates and initiate sync.

After a while you will see the updates in the console.

Once the updates are available in the console, you can patch Edge browser just like any other windows/office365 updates.

The following information is provided to know, what registry key used to enable or disable the automatic updates for Edge.

The registry key for disabling the edge updates is:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EdgeUpdate with value 0

To enable automatic updates for edge browser, you can change the update value from 0 to 1.

Launch edge and type edge://settings/help to see the status.

Before you start deploying the Edge browser in an enterprise, please read through the Microsoft article for edge policies using GPO/Intune. https://docs.microsoft.com/en-us/microsoft-edge/ 

Hope you found this article useful!

Microsoft recently released notes for customers who are running on current branch 1910 , Client automatic upgrade happens immediately for all clients after you update the site to 1910.

For more information about the release notes, please refer https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/install/release-notes#client-automatic-upgrade-happens-immediately-for-all-clients

Today ,Microsoft has released an update to fix for this issue and is now available in the console.

This update is applicable only to early update and globally available installations of Configuration Manager, version 1910 that are installed by using one of the following package GUIDs:

0BB82139-0DC3-4B18-B219-97FB2EFD9E56
E2F7B2F9-4828-4650-9144-5DC7956781B7
It is also applicable to the following package GUID's with the private TAP rollup, or update KB 4535819 applied:
3B4824FF-02FC-40B8-95AB-2AE986B0B63F
D237809A-6210-4209-A0E6-247543C241E4

Note: This issue is already resolved in the revised version of Configuration Manager version 1910 released on January 17, 2020. so if you haven't installed 1910 yet then the issue already taken care in the form of new build.

​​​​​​To verify which build is installed, add the Package GUID column to the details pane of the Updates and Servicing node in the console.

As you can see , i am running package ID D237809A-6210-4209-A0E6-247543C241E4, hence the available is available in the console .

Choose the update and click install update

This hotfix is only about 20bm in size and you can see this in configmgr easysetuppayload folder.

click Next

Click next to see the summary.

you can monitor the status from monitoring node \Monitoring\Overview\Updates and Servicing Status

Alternatively you can monitor using log cmupdate.log and ConfigMgrSetup.log

Since the update is 20mb file, the process complete in less than 10 min.

After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, click Administration, click Site Configuration, click Sites, click Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.

Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up-to-date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

Reference:

Clients immediately upgrade after updating to Configuration Manager current branch, version 1910

With the release of Microsoft Endpoint Manager configuration manager technical preview 2001 released in Jan 2020, we can now integrate Power BI Report Server with Configuration Manager reporting.

Integrating configuration manager with Power BI Report Servers gives you modern visualization and better performance. It adds console support for Power BI reports similar to what already exists with SQL Server Reporting Services.

Read more information about configuration manager technical preview 2001 here https://docs.microsoft.com/en-us/configmgr/core/get-started/2020/technical-preview-2001#bkmk_powerbi

In this blog post, we will see how to integrate Power BI Report Server with Configuration Manager reporting in Technical preview 2001.

Note: This is not applicable to current branch releases and is purely for technical preview 2001. These changes will come to current branch at in the upcoming months.

What are the Prerequisites and initial setup for this integration:

• Power BI Report Server license. For more information, see Licensing Power BI Report Server. You need to evaluate the licensing before you proceed.
• Download Microsoft Power BI Report Server-September 2019
• Download Microsoft Power BI Desktop (Optimized for Power BI Report Server - September 2019).

  Important: Only use this version of Power BI Desktop, don't use the version from the Microsoft Store.

• Configure the reporting services point
• Configure the Configuration Manager console

The first component to look at is Reporting services point.

Configure the reporting services point

This process varies depending upon whether you already have this role in the site server.

There are 2 scenarios a) If you don't have reporting services b) If you have reporting services

a) If you don't have a reporting services point ?

If you don’t have reporting services point installed on the site or you are trying to install new site using the baseline then

1. Install Power BI Report Server (Download from the above link and install it) . Installation of power BI report server is straight forward and all you need is to accept the default switches.
2. Once the installation of power BI report server is completed, launch Report Server Configuration Manager and configure it. See below steps how to configure Report Server Configuration Manager.
3. Add the reporting services point role in Configuration Manager. For more information, see Configure reporting.

b) If you already have a reporting services point and configured for reports? This is where we mostly fall into.

Follow the steps below to do it on the same server.

1. If you have SQL Server reporting services installed ,launch Reporting Server Configuration Manager from start menu
3. we will now back up the Encryption Keys. we will import this key to power BI report server. For more information, see SSRS Encryption Keys - Back Up and Restore Encryption Keys.
5. In my case, it is grayed out .The reason for this is , i did not configure the SSRS database in my technical preview version hence the error. But when this feature release to production, you will already have ssrs reporting working.
7. After creating SSRS database, you should now see the encryption keys option available.
9. Click on backup and save the key into location with password protected.
10. Now remove the reporting services point role from the site server.
12. Uninstall SQL Server Reporting Services, but keep the database.
15. If you are running SQL server 2016 and above,SSRS is separate component and you need to remove it from programs and features.
16. If your SQL is running older than 2016 then you need to launch SQL server setup,modify components and choose to remove reporting services.
17. Once the SSRS component is removed, Install Power BI Report Server using the file that you downloaded above.
18. When you install power BI server and launch the configuration wizard, you will see the following with Instance ID:  PBIRS
20. Click on database , you will see the database name is empty. we will now use same database that we had earlier with SSRS.
22. Click on change database
24. Choose reportserver database
26. Click next next and finish.
27. Now we will restore the Encryption keys that we backup earlier. On the report server configuration manager, click on Encryption keys and click Restore
29. As you can see, the backup is grayed-out and restore is available to bring the keys. When you restore the key, it prompt for password.
31. we have now successfully restored the key and we are now good to Add the reporting services point role in Configuration Manager.
32. While adding reporting services point role, if you see reporting services server instance blank, you need to configure the web service URL in report server configuration manager.
34. Click on cancel the ‘add site system role wizard ’ and launch report server configuration manager in power BI report server, go to web service URL and click on Copy.
36. You also need to click on web portal URL and click on copy. If you already have the URLs displayed then you don't need to do anything.
38. we now have both web service URL and web portal URL working. Now add the reporting services point role.
40. Now we are into the final portion which is Configure the Configuration Manager console
    1. On a computer that has the Configuration Manager console, update the Configuration Manager console to the latest version.
    2. Install Power BI Desktop. Make sure the language is the same.
    3. After it installs, launch Power BI Desktop at least once before you open the Configuration Manager console.

Now launch the Configuration Manager console, go to the Monitoring workspace, expand Reporting, and select the new Power BI Reports node. (\Monitoring\Overview\Reporting\Power BI Reports)

we are now ready to start creating power BI reports.

When the power BI desktop is opened, you can create the report and When the report is ready to save, go to the File menu, select Save as, then choose Power BI Report Server.

In the Power BI Report Server Selection window, enter the URL for the reporting services point as the New report server address. For example, http://sg-cmtp01.azure.eskonr.com/Reports

SSRS is now changed to power BI report server

For more information on log files to use for reporting, see Log file reference - Reporting.

Hope you found this useful and happy reporting in Power BI.

Here is a simple PowerShell script that helps you to export a list of all task sequences in your configuration manager server to a folder.

These exported task sequences can be then imported to another environment (Dev to PROD) and get things moving instead of creating them from scratch.

Exporting the task sequence can be done using GUI or scripting (Powershell).

Powershell would be nicer to export multiple task sequence’s in an automated schedule.

we can make use of Configuration Manager cmdlets and scripts by using the Configuration Manager console or by using a Windows PowerShell session.

When you run Configuration Manager cmdlets by using the Configuration Manager console, your session runs in the context of the site.

we will use built-in PowerShell cmdlet to export the list of all task sequences with its dependencies exclude the content of it to a shared folder.

Export-CMTaskSequence help to exports a Configuration Manager task sequence.

With this cmdlet, we will create simple powershell script and export all task sequences.

we will get list of all task sequences using Get-CMTaskSequence and export it.

If you want to export the task sequence with content, change -WithContent to true and -WithDependence $true

Change the folder path where to save the task sequence files in zip format.

<#
.DESCRIPTION
Exports all configuration manager task sequences without content/dependencies.

Author: Eswar Koneti
Version: 1.0
Date: 24/Jan/2020
#>

#Get the script start time
$starttime=get-date
Write-host "Script started at $starttime"
#import configuration manager powershell module
try {
Import-Module (Join-Path $(Split-Path $env:SMS_ADMIN_UI_PATH) ConfigurationManager.psd1)
}
catch [System.Exception] {
Write-Warning "Unable to load the Configuration Manager Powershell module from $env:SMS_ADMIN_UI_PATH" ; break
}
#get the sitecode
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location -Path "$($SiteCode.Name):\"
#get list of all task sequences
$ts = Get-CMTaskSequence  | select Name
foreach($name in $ts)
{
#Replace any unsupported characters with empty space for folder name
$tsname=$name.Name.replace(":","").replace(",","").replace("*","").replace("?","").replace("\","").replace("\","").replace("<","").replace(">","")
#export the task sequences to share folder
Export-CMTaskSequence -Name $name.name -WithDependence $false  -withContent $false -ExportFilePath ("\\servername\Task sequence\"+$tsname+ ".zip") -Force
}
#Get script end time
$endtime=Get-date
#Get the script execution time (total)
$Scripttime=($endtime-$starttime).Seconds
write-host "Script ended at $endtime with execution time of $Scripttime seconds"

if you want to export specific task sequence, please refer https://docs.microsoft.com/en-us/powershell/module/configurationmanager/export-cmtasksequence?view=sccm-ps

Recommend reading :

Get started with Configuration Manager cmdlets https://docs.microsoft.com/en-us/powershell/sccm/overview?view=sccm-ps

In the last 2 blog posts, I talked about the SCCM report for missing boundaries and How to find client boundary and boundary group information. These 2 blog post has a dependency on extending the MOF for client boundary group cache.

In this blog post, we will see how to check if the client is missing in the boundary group. This method doesn't need the MOF extension and we query the wmi on the client directly and report the compliance or non-compliant status.

we will use compliance settings (configuration item and configuration baseline) to detect if the client is in the configured boundary group or not.

To know more about boundary groups in configuration manager, please read https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups

I am not going through step-by-step however I will give instructions and steps that are necessary to accomplish the task using compliance settings. Please read this guide to step by step creation of configuration item and configuration baseline  http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/

we will start creating a configuration item with simple powershell script/

Create configuration item:

Create setting:

Setting type: Script

Data type: String

Edit the script and copy the following code.

Discovery script (powershell):

$BGIDs=(get-wmiobject -namespace root\ccm\locationservices -class boundarygroupcache -ErrorAction SilentlyContinue).boundarygroupIDs
if (($BGIDs | Measure-Object).count -gt 0)
{
write-host "Compliant"
}
else
{
Write-host "Non-compliant"
}

This script will query wmi class boundarygroucache and find out if there are any boundarygroup ID's. If no boundary group ID then client is not able to find its correct BG assignments.

click ok and next

create new compliance rule

Click next to see the summary

Click next to finish the configuration item.

we will now create configuration baseline and add the configuration item that we created above.

Now deploy the baseline to collection:

After a while, client receive the policy and evaluate the compliance check , following is the end results.

you can check the deployment status using the configuration baseline.

You can also view the results from monitoring page or configuration manager reports or create custom reports.

Get started with compliance settings in Configuration Manager

Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows clients. It combines data from your organization with data aggregated from millions of devices connected to Microsoft cloud services. For more information and how to setup desktop analytics, please read https://docs.microsoft.com/en-us/configmgr/desktop-analytics/set-up.

After setting up the desktop analytics, I went through some troubleshooting issues as the devices are not successful in the enrollment in the first place. The issues related to the proxy, network, services, etc.

In this blog post, I am going to list down the things that are important and help you to troubleshoot further to resolve the enrollment issues.

When you configure desktop analytics, the devices need to send diagnostic data to Microsoft. If your environment uses a proxy server, then make sure that a proxy doesn't block the diagnostic data because of authentication.

If your organization uses proxy server authentication for outbound traffic, use one or more of the following approaches given in the documentation https://docs.microsoft.com/en-us/configmgr/desktop-analytics/enable-data-sharing#proxy-server-authentication

Diagnostic data levels:

In the desktop analytics connection, you can also choose if the device can use user-authenticated proxy for outbound communication or not.

By default, this value is No. If needed in your environment, set to Yes.

Client side troubleshooting:

Desktop Analytics service has no agents to install on windows devices. Device enrollment requires configuring settings on the devices you want it to monitor. These settings control to which Desktop Analytics instance the device should send its data, and other configuration options.

When you enable the desktop analytics and configure/deploy it to collection, Configuration Manager creates a settings policy to configure devices in the Target Collection.

This policy includes the diagnostic data settings to enable devices to send data to Microsoft. By default, clients update policy every hour. After receiving the new settings, it can be several hours more before the data is available in Desktop Analytics.

This configuration baseline is hidden in the console and you cannot not find it in compliance settings.

You can see it as deployment on the target collection and in the monitoring space too.

To see the compliance status for this, you can either check the client logs or monitoring space.

On the client side, you can see it in the configuration manager applet in control panel, configurations tab with name: M365Asettings.

This configuration baseline setting will set some registry keys that help the client to communicate with desktop analytics and forward the telemetry data based on the configuration you did in configmgr DA.

Monitor the log SettingsAgent.log for Enforcement of specific applications, records orchestration of application group evaluation, and details of co-management policies.

There are few registry keys that will set to configuration ID.

Registry values to be set: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection

You can also monitor the logs to check if the client successfully configured for enrollment by looking at M365AHandler.log

Starting in ConfigMgr 1906, we can use DesktopAnalyticsLogsCollector.ps1 tool from the ConfigMgr install directory to help troubleshoot Desktop Analytics device enrollment issues.

It runs some basic troubleshooting steps and collects the relevant logs into a single working directory.

To run the script, you can launch powershell window as admin and run the script.

As you can see below, the service connected user experiences and telemetry is not running.

Following are the services to be running for Desktop Analytics:

Services:

Connected user experiences and Telemetry

Program compatibility assistance service

Diagnostic policy service

To help remediate issues such as app compatibility data (RunAppraiser failed), run the following commands from an elevated Windows PowerShell console on the affected client:

# stop associated services

Stop-Service -Name diagtrack #Connected User Experiences and Telemetry
Stop-Service -Name pcasvc #Program Compatibility Assistant Service
Stop-Service -Name dps #Diagnostic Policy Service

# regenerate diagnostic data cache
Remove-Item -Path $Env:WinDir\appcompat\programs\amcache.hve
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" -Name AmiHivePermissionsCorrect -Force

# set ASL logging level to output log files in %windir%\temp
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" -Name LogFlags -Value 4 -PropertyType DWord -Force

# restart services
Start-Service -Name diagtrack
Start-Service -Name pcasvc
Start-Service -Name dps

There are lot of device properties for the desktop analytics device enrollment, please read https://docs.microsoft.com/en-us/configmgr/desktop-analytics/monitor-connection-health for troubleshooting.

There are also nice built-in connection health to monitor the status of desktop analytics enrollment issues.

Clicking on donut help you to identify the list of devices with device properties.

I will keep updating this blog post whenever i come across any issues with DA.

If you have come across any issues during the device enrollment, please report them via comment section.

Continue reading:

Desktop Analytics connection health monitoring Monitor connection health

Desktop Analytics FAQS https://docs.microsoft.com/en-us/configmgr/desktop-analytics/faq

Desktop Analytics troubleshooting https://docs.microsoft.com/en-us/configmgr/desktop-analytics/troubleshooting

Due to the COVID-19 outbreak and the situation is constantly changing around the world, the organization's started moving the workforce either from remote or work from home.

Considering the number of users working remotely, it is very important to make sure that the devices are protected in all possible ways starting from windows security patching, antivirus, and other security tools available on the device.

For windows security patching (manage the devices remotely) using SCCM/configuration manager, you have different options in configuration manager such as cloud management gateway, co-management. If your organization has installed a VPN on the endpoint, you can use split tunneling.

Please read more information about managing the remote devices using configuration manager https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-remote-machines-with-cloud-management-gateway-in/ba-p/1233895 and https://miketerrill.net/2020/03/18/forcing-configuration-manager-vpn-clients-to-get-patches-from-microsoft-update/

Both the above posts cover almost everything that you need to patch the remote devices including VPN connected devices.

Like other organizations, we have also enabled the split-tunneling and using CMG to download the Microsoft updates from internet and not from corporate/on-premise network.

For the remote devices to get the windows updates from Microsoft using configuration manager, it is important to set the correct options in the software update deployment group.

Following are the settings to enable for the VPN or internet based clients to download the updates directly from Microsoft updates.

If you don't configure the above setting in the software deployment deployment group, your VPN/CMG connected clients will fail to download the patches from windows update and always look for DP.

For the newly created software update deployment group, you can enable the checkbox since you go through the process of deployment but if you want to monitor OR enable the checkbox for existing/already created software update group deployment, you need report and Powershell script to enable the checkbox .

If you have fewer SUG deployments (10 or so), you can right-click the deployment and change the properties but this is not going to be an easy task if you have hundreds of SUG deployments and make sure they are enabled.

The following SCCM report would help to identify the list of all software update deployments that are enabled and not enabled with above option for your reference and also the Powershell script will enable the checkbox for all software update deployments.

I have also provided the powershell cmdlet to enable or disable the checkbox for the software update deployments you wish to.

Preview of the SSRS report:

This report comes with prompt to select option 'Download content from Microsoft updates'.

In my research , If the DP Locality falls in the range of 262144, 262208,393280,393216 then it is considered as download from MSFT.

If you  notice anything wrong with column 'download from MSFT',  please report in the comments section.

Following are the settings available in the SSRS report.

Deployment settings with type of deployment and Wake-on-LAN.

User experience with user notifications, deadline behavior, device restart behavior, and software updates deployment re-evaluation behavior upon restart

Download settings with download content from Microsoft updates.

If you want other fields that are not listed in the report, you can get it from SQL View v_CIAssignment.

To enable the check box to download the content from Microsoft updates, use the following the powershell cmdlet.

Set-CMSoftwareUpdateDeployment

Download the SSRS report from the download section

Happy managing the VPN/internet connected devices.

Microsoft Endpoint Configuration Manager 2002 production build is out today. It is now available as in-console (for now only fast-ring) and baseline (will be available in the next couple of weeks).

It has a bunch of new and updated features. For full list of features and installation, please refer http://eskonr.com/2020/04/sccm-configmgr-current-branch-2002-is-available-as-in-console-and-baseline-version/

One of the features that is available in this build version is ‘Show boundary groups for devices in configuration manager console’.

clients use boundary group’s for site assignment, content location (DP), SUP, MP, and SMP. SMP doesn't use fallback relationships.

From this build version, we can now identify the client boundary group for site assignment and content troubleshooting within the configuration manager console.

How to identify the boundary groups for the specific client in the console?

From the console (2002 build onwards), In the Devices node or when you show the members of a Device Collection, add the new Boundary Group(s) column to the list view.

Console view:

Please note the following on the client boundary group’s.

• If a device is in more than one boundary group, the value is a comma-separated list of boundary group names.
• The data updates when the client makes a location request to the site, or at most every 24 hours.
• If a client is roaming and not a member of a boundary group, the value is blank.

Since we have the client boundary group information available, we will use this to create a collection to identify the clients with a NULL value( no boundary group or missing boundary groups).

Create a collection with the following WQL query to get the list of all clients that don't have any boundary group or missing in the boundary group.

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier,
SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from  SMS_R_System where SMS_R_System.ResourceId in
(select resourceid from SMS_CollectionMemberClientBaselineStatus
where SMS_CollectionMemberClientBaselineStatus.boundarygroups is NULL)
and SMS_R_System.Name not in ("Unknown") and SMS_R_System.Client = "1"

\

You can also use the reports to identify the clients missing the boundaries and boundary groups.

Following are the few custom reports created for earlier version of configuration manager builds.

http://eskonr.com/2019/12/how-to-find-configmgr-client-boundary-and-boundary-group-details-based-on-boundary-group-caching/

http://eskonr.com/2017/09/sccm-configmgr-report-for-boundary-group-relationships-with-fallback-sites/

http://eskonr.com/2013/12/sccm-2012-ssrs-report-site-servers-and-its-assigned-boundary-information/

http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

For more information about boundary groups, please refer https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_show-boundary

There was a request from twitter friend who is trying to create SQL report to list the content of distribution point group with content status such as total targeted, installed, progress and errors.

Distribution point groups is available in configuration manager for almost several years . This basically provide a logical grouping of distribution points for content distribution.

we can create and use DP groups groups to manage and monitor content from a central location for distribution points that span multiple sites.

For more information about managing distribution point and distribution point groups, please refer https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points

When you create DP group and add content to it, you see the content listed in the content properties as shown in the screenshot.

If you want to monitor the status of package or content on DP, you can use the default reports.

There are set of reports available with category Software Distribution – Content but there is nothing to monitor the content status of DP group.

The following SQL code help you to provide the summary of content on specific DP with targeted, installed, in progress and failure.

SELECT DISTINCT dpgr.NAME [DP Group],
pk.NAME [Package Name],
dgp.pkgid [Package ID],
dpcn.targeteddpcount,
dpcn.numberinstalled,
dpcn.numberinprogress,
dpcn.numbererrors,
CASE
WHEN pk.packagetype = 0 THEN 'Software Distribution Package'
WHEN pk.packagetype = 3 THEN 'Driver Package'
WHEN pk.packagetype = 4 THEN 'Task Sequence Package'
WHEN pk.packagetype = 5 THEN 'Software Update Package'
WHEN pk.packagetype = 6 THEN 'Device Setting Package'
WHEN pk.packagetype = 7 THEN 'Virtual Package'
WHEN pk.packagetype = 8 THEN 'Application'
WHEN pk.packagetype = 257 THEN 'Image Package'
WHEN pk.packagetype = 258 THEN 'Boot Image Package'
WHEN pk.packagetype = 259 THEN 'Operating System Install Package'
ELSE 'Unknown'
END AS 'Package Type'
FROM vsms_dpgroupinfo dpgr
INNER JOIN v_dpgrouppackages dgp
ON dgp.groupid = dpgr.groupid
LEFT JOIN v_package pk
ON pk.packageid = dgp.pkgid
LEFT JOIN v_dpgroupcontentdetails dpcn
ON dpcn.groupid = dpgr.groupid
AND dpcn.pkgid = pk.packageid
WHERE dpgr.NAME = 'Azure DP'

Replace the distribution point group name.

Microsoft has released Microsoft Endpoint Manager Configuration Manager build 2002 (MEMCM) via the opt-in method (fast-ring) which will is now available for you to install and also baseline version however the baseline media is not yet available for the download. The baseline version will be released when the build is made available to the console via slow-ring.

If you want to install a new Configuration Manager sites (fresh build), you can download 1902 as a baseline from the volume licensing portal until 2002 is released.

For more information about how to perform the in-console update for configuration manager update 2002, please refer here

After the in-console update, you need to manually upgrade any secondary sites by right click on the site and choose the upgrade.

You also need to update your Configuration Manager clients to the latest version (2002) to avail the new client features that were added.

With this update 2002 build, there are a bunch of new features added. This means, there are also a number of SQL tables/views added which will help us to create some great custom reports.

The following are the newly added SQL views/tables/functions for custom reporting.

Since the Technet gallery is retiring very soon, I have uploaded the Microsoft Endpoint Manager SQL Views for the build 2002 and also the previous builds to Github for your reference.

Download the SQL views for reporting from Github

Happy reporting!

Recommended reading:

SQL Server views in Configuration Manager

Creating custom reports by using SQL Server views in Configuration Manager

I did a few blog posts on the client's boundary and boundary groups for configuration manager build versions lower than 2002. In one of the blog posts, I talked about, how to identify the clients that are missing boundaries/boundary groups. For more information, please refer http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

In all these blog posts, you would need to extend the MOF inventory (client settings, hardware inventory) for getting the client boundary group details.

With the release of the configuration manager current branch 2002, you no longer required to extend the MOF. Boundary group information is now available to help you troubleshoot the devices with site assignment/content location issues.

With this release, we can now create a collection for a list of clients that fall into specific boundary groups and also create a collection for a list of clients that are missing the boundary groups.

For the collections, you can refer these blog posts http://eskonr.com/2020/04/how-to-create-a-collection-based-on-boundary-group-for-client-assignment-and-content-troubleshooting/ and https://www.systemcenterdudes.com/sccm-powershell-collection-boundary-groups/

Now, in this blog post, we will see how to create/get a report for you to identify the list of clients from specific collections that are missing the boundaries/boundary groups.

I have created a report for you (this works only with configuration manager 2002 and later and also make sure your clients are upgraded to 2002 client) and is available in GitHub for your download.

Download the report from GitHub, upload it to your SSRS, change the data source, and run the report.

Clients missing boundaries: you need to go back and review your boundaries and boundary groups.

If your clients are running lower than 2002 then you don't see the data in the report because the boundary group info is enabled only in clients 2002 and later.

If your boundaries and boundary groups are configured perfect and all your clients running 2002 and later, you will see the following screen ( Don't look at the title as it has been changed later)

I hope you find the post useful!

The following are the few custom reports created for earlier versions of the configuration manager builds.

http://eskonr.com/2019/12/how-to-find-configmgr-client-boundary-and-boundary-group-details-based-on-boundary-group-caching/

http://eskonr.com/2017/09/sccm-configmgr-report-for-boundary-group-relationships-with-fallback-sites/

http://eskonr.com/2013/12/sccm-2012-ssrs-report-site-servers-and-its-assigned-boundary-information/

http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

For more information about boundary groups, please refer https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_show-boundary