configmgr – All about Microsoft Endpoint Manager

Few months ago i blogged about How to install SCCM client using win32 apps in Intune for co-management and CMG .when you create a win32 app for ConfigMgr client with the command line switches as said in the blog post, ccmsetup.exe will always get the source files from CMG.

The download of the client files from CMG happens due to the parameter /mp. This parameter will help client to download the content from the nearest distribution point. we want to avoid client to download client files from CMG and always use local source files (win32 app) that was downloaded from intune.

why do you need to use the local source files to install client instead of downloading from CMG? If you read the Microsoft article for CMG, Charges are based on data flowing out of Azure (egress or download). Any data flows into Azure are free (ingress or upload). So when client download source files of 240mb, there will be cost involved and if there are 5000+ clients download the data, this sums up to Terabytes and when you have already have source files locally available, why do you need to download from CMG again?

In this blog post, we will see how to install configuration manager client using IME cache data that is downloaded from intune without connecting to CMG.

Before we create win32app or make changes to command line switches, we first need to understand how to use offline source files.

Here is the powershell script that will do all the magic here.

we first copy the Configmgr client folder to c:\windows\temp\intunetemp and run the ccmsetup.exe with /source switch and other command line that will help client to assign to site.

we will try this until the ccmexec (SMS Agent host) service is installed (you can use other ways as well like registry etc.) to confirm configmgr client installed successfully.

If the ccmexec service installed then return code 0 else 1 after 5 retries with wait of every 60 sec.

Powershell:

Copy-Item -Path ".\Client" -Destination "c:\windows\temp\intunetemp" -Recurse

c:\windows\temp\intunetemp\ccmsetup.exe /nocrlcheck /source:c:\windows\temp\intunetemp CCMHTTPSSTATE=31 CCMHOSTNAME=SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037928694 SMSSiteCode=PS1 AADTENANTID=4007305e-1664-4e6b-c9a4-c3d5ccfd1524 AADCLIENTAPPID=6g4a28b2-9d0a-482d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService

$retry = 0

while($retry -lt 5)

{

$service= get-service -name CcmExec

if($service)

{

exit 0

}

else

{

start-sleep -s 60

$retry ++

write-output "Retrying $retry"

}

exit 1

With this PowerShell script, we will now generate win32app in intune and assign it to the device group.

1. Create a folder called ConfigMgrclient (C:\ConfigMgrclient)

2.Copy the client files into ConfigMgrclient (C:\ConfigMgrclient\Client)

3. Save the above PowerShell script as install.ps1 into (C:\ConfigMgrclient). Don't forget to change the parameters in the ccmsetup.exe command line above.

4.Create an empty text file with name cmclient.txt (C:\ConfigMgrclient)

5.Download win32 app packaging tools from here

Now your folder content looks like this:

5.Open command prompt and go to win32 app packaging directory and run IntuneWinAppUtil.exe

6.Please specify the source folder:C:\ConfigMgrclient

7.Please specify the setup file:Install.ps1

8.Please specify the output folder:C:\ConfigMgrclient

To create win32 app, login to device management portal or azure portal and go to intune, client apps, add new app as win32

select app package file that we created above

install command: powershell.exe -exec bypass -file .\install.ps1

uninstall command: C:\windows\ccmsetup\ccmsetup.exe /uninstall

Requirements: you can choose as per your infra requirement.

Detection rule, registry key:

Key path:Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client

Value Name:ProductVersion

save the app

Go to assignment and add device security group or autopilot AD sec group that you created to install client.

When you deploy the client to devices, ccmsetup.exe will download the files from C:\windows\temp\intunetemp folder.

with this, we managed to save cost for downloading the content from CMG (it could be peanuts as well Smile but still ) and also the time that it takes for download .

Hope it helps!

Use boundary groups in Configuration Manager to logically organize related network locations (boundaries) to make it easier to manage your infrastructure. You must Assign boundaries to boundary groups before using the boundary group.

Clients use a boundary group for:

Automatic site assignment
To find a site system server that can provide a service, including:
- Distribution points for content location
- Software update points
- State migration points
- Preferred management points
- Cloud management gateway (starting in version 1902)

Boundary group caching was introduced with the first version of Configuration Manager (ConfigMgr) Current Branch (CB): version 1511. For more information about boundary group caching and how it works, please read https://home.configmgrftw.com/boundary-group-caching-and-missing-boundaries-in-configmgr/

If you have configured the boundaries and assigned this boundaries to boundary group with site system roles,the client will store this information in its WMI namespace root\ccm\LocationServices with class object BoundaryGroupCache.

If a client is in scope of boundary by any means like AD site, IP subnet or IP address range but not added to boundary group, then client will not have any boundary group cache info in WMI.

In my previous blog post, i talked about how to find the missing boundaries using SSRS report and troubleshooting based on boundary group caching . For more information, please read here

In this blog post, i am bringing another SSRS report for you to find out the boundary group and its assignment details for the client device based on the its last inventory boundary group caching information.

Knowing client boundary group details is important for troubleshooting purpose.With this, you can quickly search what is the client boundary group and what boundaries are added in it.

This blog assumes that, you have extended hardware inventory as per Jason blog post and clients sent the hardware inventory details successfully.

What if you don't want to extend custom hardware inventory changes, but you still need to find out the clients that are missing from boundary groups? Well, you can do that by compliance baseline My next blog post will be based on CI/CB.

Now that you have extended the custom hardware inventory changes and you have the following SQL view created with data in it.

--To see the boundary group cache data of clients (top 10 rows)

select top 10 * From v_GS_BOUNDARYGROUPCACHE bgc

As you can see above, there are clients that have 2 boundary group ID's which means, the client is part of 2 boundary groups. There could be more than 2 as well based on how you configure boundary groups in your infra.

Now,if you want to use this information and create a report to find client boundary group assignment details, we need to convert these multi value to single row.

Jason blog post has STRING_SPLIT function is available only under compatibility level 130 (SQL server 2016 and above).

My lab is running on SQL server 2014 and the string_split do not work. What other methods i have to convert the values to rows?

Other approach is to use XML Method with CROSS APPLY to split your Comma Separated Data :

Following is the SQL code that does the job.

SELECT distinct A.ResourceID,REPLACE((Split.a.value('.', 'NVARCHAR(MAX)')),' ','') GroupID FROM (
SELECT bgc1.ResourceID,CAST('<X>'+REPLACE(bgc1.BoundaryGroupIDs0, ',', '</X><X>')+'</X>' AS XML) AS String from v_GS_BOUNDARYGROUPCACHE bgc
) AS A CROSS APPLY String.nodes('/X') AS Split(a)

The above SQL code works on SQL edition 2014 and above.Anything lower than 2014 have not tested but it should work.

we now have complete info of client details with its boundary group ID's.

we will now use this boundary group ID and join with other SQL views to get the information that we needed.

I have used the following SQL views to fetch the relevant info.

vSMS_BoundaryGroupSiteSystems: store boundary group site system information

vSMS_BoundaryGroup: Store boundary group details

vSMS_BoundaryGroupMembers: Store boundary information.

You can download the SQL views documentation from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b.

After spending quite amount of time, I can finally make some nice SSRS report like below.

All you need is to key in computer name in the prompt and it will fetch the data for you based on its last successful hardware inventory.

You have both inventory of client and client boundary group assignment details.

you can download the report from Technet Gallery, upload to your SSRS reports, change the data source and run it.

In the next blog post, we will see how to create compliance baseline to check client boundary group details.

Thanks for reading the post.

If you have any ideas on custom reporting, please leave them in comment section.

You can use Configuration Manager remote control to remotely administer, provide assistance, or view any client computer in the hierarchy. You can use the remote control to troubleshoot hardware and software configuration problems on client computers and to provide support. Configuration Manager supports the remote control of all workgroup computers and domain-joined computers that run supported operating systems for the Configuration Manager client.

Before you begin to use the remote control, ensure that you review the information in the following articles:

Prerequisites for remote control

Configuring remote control

Recently, a colleague of mine troubleshooting an office 365 issue on the end-user device and trying to do remote sessions using Microsoft Teams. Although Teams application has a desktop sharing feature, sometimes it behaves very weirdly.He had issues with desktop sharing sessions using teams so the alternative approach is SCCM remote control tool.

I did a blog post on how to deploy SCCM remote control tools on user device without installing SCCM console, please refer this blog post for more information http://eskonr.com/2018/08/how-to-deploy-sccm-remote-control-bits-standalone-to-clients-without-configmgr-console-being-installed/

You can create a package and deploy the SCCM remote tools to users who are need of it.

When he tried remote control to the user device, it failed with access denied error.

To capture the error details etc., I reproduce the issue and the following is the output of remote control (error snippet is below).

The remote control log (CmRcService.log) on the client located at C:\windows\ccm\logs shows the following error details:

Session denied: The remote user is not authorized to perform remote control on this system.

Disconnecting the connection. An existing connection was forcibly closed by the remote host. (Error: 80072746; Source: Windows)

Failed to do Handshake in Server. An existing connection was forcibly closed by the remote host. (Error: 80072746; Source: Windows)

Failed to validate Security requirement. An existing connection was forcibly closed by the remote host. (Error: 80072746; Source: Windows)

The following are the basic checklist for remote control troubleshooting:

1. Check the firewall port 2701 from the device that you run configuration manager console/sccm remote control tools (source) for remote control to the destination device.

2. Check if the remote control client settings with relevant user groups (permitted viewers) deployed to the client device.

How do you check what remote control settings with user groups added to the device?

When you deploy multiple client settings to the same device, user, or user group, the prioritization and combination of settings are complex. To view the client settings, you can use Resultant Client Settings.

From the SCCM Console, right-click on the device and choose client settings—>Resultant Client Settings

From the resultant client settings , remote tools, remote control is enabled with permitted viewers who can use the remote tools feature.

Both the above checklist are working. now we move on to the client troubleshooting.

When the remote control feature is enabled on the client-side, there will be policy downloaded on the client and remote tools will be enabled. This can be seen from the configuration manager applet.

There is also a registry key and local security group called 'ConfigMgr Remote Control Users' that will get created when you enable remote control tools using device client settings.

Registry location for SCCM remote control: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control

Local security group: ConfigMgr Remote Control Users

Permitted viewers of the remote control and remote assistance that you added in client settings will be added to both registry and local security group.

In my case, only the registry key was updated with permissions (PermittedViewers) however the local security group was empty.

To fix this issue, we can either add the permitted viewers using GPO or compliance baseline using SCCM.

After adding the user group to the configmgr remote control users group, issue was resolved.

To find the root cause, we can simply create new client settings and increase the priority of the client setting, deploy to client device and monitor the log (CmRcService.log).

How do we find the device that have this issue and fix it with automation?

Following is the simple powershell script to find the devices that have no members added to 'ConfigMgr Remote Control Users' . This can be used to create configuration item and deploy to all devices.

if ((Get-LocalGroupMember "ConfigMgr Remote Control Users").count -ge 1)
{
write-host "Compliant"
}
else
{
write-host "Non-complaint"
}

If compliant then atleast 1 group is member of remote control users, if non-compliant then the group is empty.

you can alter this script to query registry as well.

In order for me to fix the issue, i have created the following powershell script and deploy using compliance baseline method.

This script will check if the permitted group (configured in client setting) is not member then add the group else exit the script and report to sccm with status.

Discover script:

#Discover
If(Get-LocalGroupMember "ConfigMgr Remote Control Users"| where {$_.name -like "eskonr\SCCM-remote-control-users"})
{write-host "Compliant"}
else{write-host "Non-Compliant"}

Remediation script:

#Remediate
Add-LocalGroupMember -Group "ConfigMgr Remote Control Users" -Member "eskonr\SCCM-remote-control-users"

Create configuration baseline and deploy to collection to receive these changes.

When you deploy the configuration baseline, the detection script will run and detect if the group is sec group is member of remote control group or not, if non-complaint then run the remediation script and run the detection script once again to make sure the remediation meet compliant status or not.

You can monitor the compliance baseline information using DcmWmiProvider.log

Reference:

Remotely administer a windows client computer https://docs.microsoft.com/en-us/configmgr/core/clients/manage/remote-control/remotely-administer-a-windows-client-computer

configuration baselines https://docs.microsoft.com/en-us/configmgr/compliance/deploy-use/create-configuration-baselines

On Jan 15th, 2020 Microsoft has officially launched new version of Microsoft edge browser based on chromium for windows and Mac OS. It is compatible with all supported versions of Windows, and with macOS.

It replaces the legacy version of Microsoft Edge on Windows 10 PCs. With speed, performance, best-in-class compatibility for websites and extensions, and built-in privacy and security features, it's the only browser you'll ever need.

As you already know , windows 7 support ended Jan 14th ,2020 however, Microsoft has made the new edge browser available for windows 7.

If you want to download the new Microsoft Edge based on chromium for windows 7, windows 8.1 and windows 10 and Mac OS, please visit https://www.microsoft.com/en-us/edge?

This is not offline installer, it is 2mb file and when you lunch it, it will connect to internet and download the required setup files.

if you want to download the offline installer, you can refer to this article and find the right version for you https://www.microsoft.com/en-us/edge/business/download

Now how do we install the Stable version of new microsoft edge browser using Microsoft Endpoint manager (CMCB 1910 ) for endpoints in the organization?

MEMCM 1910 has feature to deploy Microsoft Edge, version 77 and later to your users. This will help you download and create the application automatically without doing anything manual.

If you are not running on configuration manager current branch 1910, then you need to download the offline installer and create application manually.This is same process how you do for other applications.

This blog post assumes that you are running on configuration manager 1910. If you are not on 1910, please read this blog post for how to get current branch 1910.

In the console,click on Software library, click on Microsoft Edge Management and choose create Microsoft Edge application

Provide the Name and content location. This is to save the application source files and the name is what appear in applications node .

In the channel, choose stable , this is the version released today by Microsoft and version, choose latest.

In the deployment, choose No for now, as we edit the deployment settings and deploy to collection later.

Click next on the summary page.

Now, based on the internet connectivity, the download of the edge stable version will start and create the application automatically.

You can monitor the download of the updates from %temp% folder with log called: patchdownloader.log

Log file location:

Monitoring the download process:

Once the download is finished, you can see the app in the application node.

It has 2 deployment types because it downloaded both x86 and x64 but the priority is x64.

The source location has the following content. Powershell script and MSI.

If you edit the x64 deployment type, you will see the program command line syntax.

we will now modify the syntax with -executionpolicy bypass. This is not mandatory to use however i have seen some of the installation error in the previous builds so i simply edit it with bypass and continue.

Append the syntax after file

for x64:

powershell -executionpolicy bypass -File ".\Install-Edge.ps1" -MSIName "MicrosoftEdgeEnterpriseX64.msi" -ChannelID "{56eb18f8-b008-4cbd-b6d2-8c97fe7e9062}"

You can do the same for x86 as well.

update the syntax and click ok.

For detection method: we dont do any changes but i have listed this for your information incase you want to create the application manually and you are not in CMCB 1910.

Hive:HKLM

Key:SOFTWARE\Wow6432Node\Microsoft\EdgeUpdate\Clients\{56eb18f8-b008-4cbd-b6d2-8c97fe7e9062}

Value: pv

data type: version

Operator: Greater than or equal to

value:79.0.309.65

Now distribute the application to distribution points.

Monitor the distribution status and once it is distributed, you are now ready to deploy to collection. Log file: distmgr.log on your configmgr site.

Deploy to collection:

Once the application is deployed to collection, depend on the machine policy cycle, device will receive the policy, download the content and install the application.

Deployment results:

You can monitor the installation status using appenforce.log located at C:\windows\ccm\logs.

You can see Microsoft Edge in the start menu.

Launch the Microsoft Edge

If you look at the about page in the edge, you see that, your organization disabled the updates.

This is happening because of the script that is used to install the Edge application.

The script is designed to disable the automatic updates and let configuration manager manages the updates just like other windows and office 365 updates.

Now on your configuration manager, you need to enable the Microsoft Edge product in SUP section.

If you are not able to see the product then simply run software update sync , wait for the sync to complete.

Now go back to SUP properties, you will now see the Microsoft Edge, select it and click ok.

Right click on All microsoft edge updates and initiate sync.

After a while you will see the updates in the console.

Once the updates are available in the console, you can patch Edge browser just like any other windows/office365 updates.

The following information is provided to know, what registry key used to enable or disable the automatic updates for Edge.

The registry key for disabling the edge updates is:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EdgeUpdate with value 0

To enable automatic updates for edge browser, you can change the update value from 0 to 1.

Launch edge and type edge://settings/help to see the status.

Before you start deploying the Edge browser in an enterprise, please read through the Microsoft article for edge policies using GPO/Intune. https://docs.microsoft.com/en-us/microsoft-edge/

Hope you found this article useful!

With the release of Microsoft Endpoint Manager configuration manager technical preview 2001 released in Jan 2020, we can now integrate Power BI Report Server with Configuration Manager reporting.

Integrating configuration manager with Power BI Report Servers gives you modern visualization and better performance. It adds console support for Power BI reports similar to what already exists with SQL Server Reporting Services.

Read more information about configuration manager technical preview 2001 here https://docs.microsoft.com/en-us/configmgr/core/get-started/2020/technical-preview-2001#bkmk_powerbi

In this blog post, we will see how to integrate Power BI Report Server with Configuration Manager reporting in Technical preview 2001.

Note: This is not applicable to current branch releases and is purely for technical preview 2001. These changes will come to current branch at in the upcoming months.

What are the Prerequisites and initial setup for this integration:

Power BI Report Server license. For more information, see Licensing Power BI Report Server. You need to evaluate the licensing before you proceed.
Download Microsoft Power BI Report Server-September 2019
Download Microsoft Power BI Desktop (Optimized for Power BI Report Server - September 2019).
Important: Only use this version of Power BI Desktop, don't use the version from the Microsoft Store.
Configure the reporting services point
Configure the Configuration Manager console

The first component to look at is Reporting services point.

Configure the reporting services point

This process varies depending upon whether you already have this role in the site server.

There are 2 scenarios a) If you don't have reporting services b) If you have reporting services

a) If you don't have a reporting services point ?

If you don’t have reporting services point installed on the site or you are trying to install new site using the baseline then

Install Power BI Report Server (Download from the above link and install it) . Installation of power BI report server is straight forward and all you need is to accept the default switches.
Once the installation of power BI report server is completed, launch Report Server Configuration Manager and configure it. See below steps how to configure Report Server Configuration Manager.
Add the reporting services point role in Configuration Manager. For more information, see Configure reporting.

b) If you already have a reporting services point and configured for reports? This is where we mostly fall into.

Follow the steps below to do it on the same server.

If you have SQL Server reporting services installed ,launch Reporting Server Configuration Manager from start menu
we will now back up the Encryption Keys. we will import this key to power BI report server. For more information, see SSRS Encryption Keys - Back Up and Restore Encryption Keys.
In my case, it is grayed out .The reason for this is , i did not configure the SSRS database in my technical preview version hence the error. But when this feature release to production, you will already have ssrs reporting working.
After creating SSRS database, you should now see the encryption keys option available.
Click on backup and save the key into location with password protected.
Now remove the reporting services point role from the site server.
Uninstall SQL Server Reporting Services, but keep the database.
If you are running SQL server 2016 and above,SSRS is separate component and you need to remove it from programs and features.
If your SQL is running older than 2016 then you need to launch SQL server setup,modify components and choose to remove reporting services.
Once the SSRS component is removed, Install Power BI Report Server using the file that you downloaded above.
When you install power BI server and launch the configuration wizard, you will see the following with Instance ID: PBIRS
Click on database , you will see the database name is empty. we will now use same database that we had earlier with SSRS.
Click on change database
Choose reportserver database
Click next next and finish.
Now we will restore the Encryption keys that we backup earlier. On the report server configuration manager, click on Encryption keys and click Restore
As you can see, the backup is grayed-out and restore is available to bring the keys. When you restore the key, it prompt for password.
we have now successfully restored the key and we are now good to Add the reporting services point role in Configuration Manager.
While adding reporting services point role, if you see reporting services server instance blank, you need to configure the web service URL in report server configuration manager.
Click on cancel the ‘add site system role wizard ’ and launch report server configuration manager in power BI report server, go to web service URL and click on Copy.
You also need to click on web portal URL and click on copy. If you already have the URLs displayed then you don't need to do anything.
we now have both web service URL and web portal URL working. Now add the reporting services point role.
Now we are into the final portion which is Configure the Configuration Manager console
1. On a computer that has the Configuration Manager console, update the Configuration Manager console to the latest version.
2. Install Power BI Desktop. Make sure the language is the same.
3. After it installs, launch Power BI Desktop at least once before you open the Configuration Manager console.

Now launch the Configuration Manager console, go to the Monitoring workspace, expand Reporting, and select the new Power BI Reports node. (\Monitoring\Overview\Reporting\Power BI Reports)

we are now ready to start creating power BI reports.

When the power BI desktop is opened, you can create the report and When the report is ready to save, go to the File menu, select Save as, then choose Power BI Report Server.

In the Power BI Report Server Selection window, enter the URL for the reporting services point as the New report server address. For example, http://sg-cmtp01.azure.eskonr.com/Reports

SSRS is now changed to power BI report server

For more information on log files to use for reporting, see Log file reference - Reporting.

Hope you found this useful and happy reporting in Power BI.

In the last 2 blog posts, I talked about the SCCM report for missing boundaries and How to find client boundary and boundary group information. These 2 blog post has a dependency on extending the MOF for client boundary group cache.

In this blog post, we will see how to check if the client is missing in the boundary group. This method doesn't need the MOF extension and we query the wmi on the client directly and report the compliance or non-compliant status.

we will use compliance settings (configuration item and configuration baseline) to detect if the client is in the configured boundary group or not.

To know more about boundary groups in configuration manager, please read https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups

I am not going through step-by-step however I will give instructions and steps that are necessary to accomplish the task using compliance settings. Please read this guide to step by step creation of configuration item and configuration baseline http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/

we will start creating a configuration item with simple powershell script/

Create configuration item:

Create setting:

Setting type: Script

Data type: String

Edit the script and copy the following code.

Discovery script (powershell):

$BGIDs=(get-wmiobject -namespace root\ccm\locationservices -class boundarygroupcache -ErrorAction SilentlyContinue).boundarygroupIDs
if (($BGIDs | Measure-Object).count -gt 0)
{
write-host "Compliant"
}
else
{
Write-host "Non-compliant"
}

This script will query wmi class boundarygroucache and find out if there are any boundarygroup ID's. If no boundary group ID then client is not able to find its correct BG assignments.

click ok and next

create new compliance rule

Click next to see the summary

Click next to finish the configuration item.

we will now create configuration baseline and add the configuration item that we created above.

Now deploy the baseline to collection:

After a while, client receive the policy and evaluate the compliance check , following is the end results.

you can check the deployment status using the configuration baseline.

You can also view the results from monitoring page or configuration manager reports or create custom reports.

Get started with compliance settings in Configuration Manager

Due to the COVID-19 outbreak and the situation is constantly changing around the world, the organization's started moving the workforce either from remote or work from home.

Considering the number of users working remotely, it is very important to make sure that the devices are protected in all possible ways starting from windows security patching, antivirus, and other security tools available on the device.

For windows security patching (manage the devices remotely) using SCCM/configuration manager, you have different options in configuration manager such as cloud management gateway, co-management. If your organization has installed a VPN on the endpoint, you can use split tunneling.

Both the above posts cover almost everything that you need to patch the remote devices including VPN connected devices.

Like other organizations, we have also enabled the split-tunneling and using CMG to download the Microsoft updates from internet and not from corporate/on-premise network.

For the remote devices to get the windows updates from Microsoft using configuration manager, it is important to set the correct options in the software update deployment group.

Following are the settings to enable for the VPN or internet based clients to download the updates directly from Microsoft updates.

If you don't configure the above setting in the software deployment deployment group, your VPN/CMG connected clients will fail to download the patches from windows update and always look for DP.

For the newly created software update deployment group, you can enable the checkbox since you go through the process of deployment but if you want to monitor OR enable the checkbox for existing/already created software update group deployment, you need report and Powershell script to enable the checkbox .

If you have fewer SUG deployments (10 or so), you can right-click the deployment and change the properties but this is not going to be an easy task if you have hundreds of SUG deployments and make sure they are enabled.

The following SCCM report would help to identify the list of all software update deployments that are enabled and not enabled with above option for your reference and also the Powershell script will enable the checkbox for all software update deployments.

I have also provided the powershell cmdlet to enable or disable the checkbox for the software update deployments you wish to.

Preview of the SSRS report:

This report comes with prompt to select option 'Download content from Microsoft updates'.

In my research , If the DP Locality falls in the range of 262144, 262208,393280,393216 then it is considered as download from MSFT.

If you notice anything wrong with column 'download from MSFT', please report in the comments section.

Following are the settings available in the SSRS report.

Deployment settings with type of deployment and Wake-on-LAN.

User experience with user notifications, deadline behavior, device restart behavior, and software updates deployment re-evaluation behavior upon restart

Download settings with download content from Microsoft updates.

If you want other fields that are not listed in the report, you can get it from SQL View v_CIAssignment.

To enable the check box to download the content from Microsoft updates, use the following the powershell cmdlet.

Set-CMSoftwareUpdateDeployment

Download the SSRS report from the download section

Happy managing the VPN/internet connected devices.

Microsoft releases the configuration manager production builds 3 times a year. The first production build for this year,which is configuration manager 2002 is released today and is available as an in-console update (fastring only for now) and baseline version.

You can apply this update on sites that run version 1806,1810, 1906 or 1910 from the console. You can also use this build 2002 to install new configuration manager sites.

Before we start upgrading the site to latest build ,some of the interesting features are listed below.

Following are some of the exciting features that we were all waiting to see in the production build.

tenant attach –> Device sync and device actions

Site infrastructure—> Remove a central administration site

Cloud-attached management—>Token-based authentication for cloud management gateway

Desktop Analytics—>Connection Health dashboard sh

Client management—>Client log collection

Application management—>Microsoft Edge management dashboard

OS deployment—>Improvements to Check Readiness task sequence step

Software updates—>Evaluate software updates after a servicing stack update

Reporting—>Integrate with Power BI Report Server

Configuration Manager console—>Show boundary groups for devices

For full of features with description please read https://docs.microsoft.com/en-us/configmgr/core/plan-design/changes/whats-new-in-version-2002

For full list of PowerShell cmdlet changes https://docs.microsoft.com/en-us/powershell/sccm/2002-release-notes?view=sccm-ps

For list of known issues https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/release-notes

Now we will look at, how to install the configuration manager build 2002 on the existing sites.

To install this update from the console, you must be running on 1806,1810 ,1902 or 1906 .

For now ,Microsoft has released this update via fastring . What does fastring means ? To get the update in console at this point of time,you need to run the script manually to see 2002 in console. You need to request the updates manually using script.

If you are not in rush and ok to wait for slow ring then you can simply ignore this script and continue to read the blog post.

Installation of this update via in-console is similar to previous build versions but Always review the latest checklist for installing this update. For more information, see Checklist for installing update 1906. After you update a site, also review the Post-update checklist.

For fastring ,download the PowerShell script from TechNet https://download.microsoft.com/download/7/c/4/7c48f2c7-f433-414b-a901-753a61c7956d/EnableEarlyUpdateRing2002.exe and copy it to your SCCM site server.

Extract it and run the script from PowerShell command.

1. Launch an elevated command prompt

2. Run PowerShell

3. Run the EnableEarlyUpdateRing2002.ps1 script (bundled in the exe in the link above)

· EnableEarlyUpdateRing2002.ps1 <SiteServer_Name | SiteServer_IP> where SiteServer refers to the CAS or standalone primary site server

Script will now force SMS_DP_downloader service to to check for the update.

You can verify this from the updates and servicing node.

· Go to \Administration\Overview\Cloud Services\Updates and Servicing and click "Check for Updates".

You will see ‘configuration manager 2002 in the console with downloading state. If it shows as available to download, you can select the update and click on download.

To see the status of the download, you can open dmpdownloader.log from SCCM installation logs folder.

Logs to check for the backend process: Hman.log ,dmpdownloader.log

You can also refer the download location at <Configmgr Install dir:\>easysetuppayload\

Wait for the download to be completed and you will see it the console with state ‘ready to install’

If the download stuck at downloading for some reason ,look at dmpdownloader.log and to start the download again, restart SMS_Executive or dmpdownloader component .

run the prerequisite check to ensure the site server meet all the requirements before the installation start.

Monitor the pre-req check for any errors.

If you don't see any errors that stop you to perform upgrade, right click on the update and select install this update.

choose the new features if you are interested. You can also select them after the installation is completed.

Choose the collection that you want to pre-production the client

we will now monitor the status of the installation using logs and also from console

For monitoring the installation status, refer to ConfigMgrSetup.log that is available at the root of the window drive and cmupdate.log available at configmgr logs folder.

you can monitor the installation status from console . Go to monitoring tab ,click on updates and servicing status node.

After a while, you should see a bar at the top of the console notifying to install.

Client on install new console version

If the above step fail to upgrade the console and you try to launch the console, you will see the image like below.

Click on Ok and it will upgrade the console for you.

Now ,update the client package which is located under packages to all distribution points .

As per your client upgrade schedule that you configured in site hierarchy settings ,it will start sending the client policy and trigger the installation of client using the task scheduler job .

you can monitor the client installation status from monitor node.

If you have used client startup script using GPO http://eskonr.com/2016/09/sccm-configmgr-how-to-implement-jason-sandys-client-startup-script-to-achieve-good-client-success-rate/ ,please update your xml file with 2002 client version else your client will reinstall on every restart.

Finally ,check the version of the site .

Site version:5.0.8968.1000

Client version:5.0.8968.1008

Once the site installation is completed and if you have secondary sites, you must manually initiate the upgrade to bring the secondary sites to the same build version to support the new features.

In the next blog, i will talk about the new features that are released in this update along with SSRS reporting .

Happy exploring new features.

Additional resources:

In the next couple of blogs, we will explore the new features of configuration manager 2002 build.

Microsoft Endpoint Configuration Manager 2002 production build is out today. It is now available as in-console (for now only fast-ring) and baseline (will be available in the next couple of weeks).

It has a bunch of new and updated features. For full list of features and installation, please refer http://eskonr.com/2020/04/sccm-configmgr-current-branch-2002-is-available-as-in-console-and-baseline-version/

One of the features that is available in this build version is ‘Show boundary groups for devices in configuration manager console’.

clients use boundary group’s for site assignment, content location (DP), SUP, MP, and SMP. SMP doesn't use fallback relationships.

From this build version, we can now identify the client boundary group for site assignment and content troubleshooting within the configuration manager console.

How to identify the boundary groups for the specific client in the console?

From the console (2002 build onwards), In the Devices node or when you show the members of a Device Collection, add the new Boundary Group(s) column to the list view.

Console view:

Please note the following on the client boundary group’s.

If a device is in more than one boundary group, the value is a comma-separated list of boundary group names.
The data updates when the client makes a location request to the site, or at most every 24 hours.
If a client is roaming and not a member of a boundary group, the value is blank.

Since we have the client boundary group information available, we will use this to create a collection to identify the clients with a NULL value( no boundary group or missing boundary groups).

Create a collection with the following WQL query to get the list of all clients that don't have any boundary group or missing in the boundary group.

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier,
SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System where SMS_R_System.ResourceId in
(select resourceid from SMS_CollectionMemberClientBaselineStatus
where SMS_CollectionMemberClientBaselineStatus.boundarygroups is NULL)
and SMS_R_System.Name not in ("Unknown") and SMS_R_System.Client = "1"

You can also use the reports to identify the clients missing the boundaries and boundary groups.

Following are the few custom reports created for earlier version of configuration manager builds.

http://eskonr.com/2019/12/how-to-find-configmgr-client-boundary-and-boundary-group-details-based-on-boundary-group-caching/

http://eskonr.com/2017/09/sccm-configmgr-report-for-boundary-group-relationships-with-fallback-sites/

http://eskonr.com/2013/12/sccm-2012-ssrs-report-site-servers-and-its-assigned-boundary-information/

http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

For more information about boundary groups, please refer https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_show-boundary

There was a request from twitter friend who is trying to create SQL report to list the content of distribution point group with content status such as total targeted, installed, progress and errors.

Distribution point groups is available in configuration manager for almost several years . This basically provide a logical grouping of distribution points for content distribution.

we can create and use DP groups groups to manage and monitor content from a central location for distribution points that span multiple sites.

For more information about managing distribution point and distribution point groups, please refer https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points

When you create DP group and add content to it, you see the content listed in the content properties as shown in the screenshot.

If you want to monitor the status of package or content on DP, you can use the default reports.

There are set of reports available with category Software Distribution – Content but there is nothing to monitor the content status of DP group.

The following SQL code help you to provide the summary of content on specific DP with targeted, installed, in progress and failure.

SELECT DISTINCT dpgr.NAME [DP Group],
pk.NAME [Package Name],
dgp.pkgid [Package ID],
dpcn.targeteddpcount,
dpcn.numberinstalled,
dpcn.numberinprogress,
dpcn.numbererrors,
CASE
WHEN pk.packagetype = 0 THEN 'Software Distribution Package'
WHEN pk.packagetype = 3 THEN 'Driver Package'
WHEN pk.packagetype = 4 THEN 'Task Sequence Package'
WHEN pk.packagetype = 5 THEN 'Software Update Package'
WHEN pk.packagetype = 6 THEN 'Device Setting Package'
WHEN pk.packagetype = 7 THEN 'Virtual Package'
WHEN pk.packagetype = 8 THEN 'Application'
WHEN pk.packagetype = 257 THEN 'Image Package'
WHEN pk.packagetype = 258 THEN 'Boot Image Package'
WHEN pk.packagetype = 259 THEN 'Operating System Install Package'
ELSE 'Unknown'
END AS 'Package Type'
FROM vsms_dpgroupinfo dpgr
INNER JOIN v_dpgrouppackages dgp
ON dgp.groupid = dpgr.groupid
LEFT JOIN v_package pk
ON pk.packageid = dgp.pkgid
LEFT JOIN v_dpgroupcontentdetails dpcn
ON dpcn.groupid = dpgr.groupid
AND dpcn.pkgid = pk.packageid
WHERE dpgr.NAME = 'Azure DP'

Replace the distribution point group name.

I did a few blog posts on the client's boundary and boundary groups for configuration manager build versions lower than 2002. In one of the blog posts, I talked about, how to identify the clients that are missing boundaries/boundary groups. For more information, please refer http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

In all these blog posts, you would need to extend the MOF inventory (client settings, hardware inventory) for getting the client boundary group details.

With the release of the configuration manager current branch 2002, you no longer required to extend the MOF. Boundary group information is now available to help you troubleshoot the devices with site assignment/content location issues.

With this release, we can now create a collection for a list of clients that fall into specific boundary groups and also create a collection for a list of clients that are missing the boundary groups.

For the collections, you can refer these blog posts http://eskonr.com/2020/04/how-to-create-a-collection-based-on-boundary-group-for-client-assignment-and-content-troubleshooting/ and https://www.systemcenterdudes.com/sccm-powershell-collection-boundary-groups/

Now, in this blog post, we will see how to create/get a report for you to identify the list of clients from specific collections that are missing the boundaries/boundary groups.

I have created a report for you (this works only with configuration manager 2002 and later and also make sure your clients are upgraded to 2002 client) and is available in GitHub for your download.

Download the report from GitHub, upload it to your SSRS, change the data source, and run the report.

Clients missing boundaries: you need to go back and review your boundaries and boundary groups.

If your clients are running lower than 2002 then you don't see the data in the report because the boundary group info is enabled only in clients 2002 and later.

If your boundaries and boundary groups are configured perfect and all your clients running 2002 and later, you will see the following screen ( Don't look at the title as it has been changed later)

I hope you find the post useful!

The following are the few custom reports created for earlier versions of the configuration manager builds.

http://eskonr.com/2019/12/how-to-find-configmgr-client-boundary-and-boundary-group-details-based-on-boundary-group-caching/

http://eskonr.com/2017/09/sccm-configmgr-report-for-boundary-group-relationships-with-fallback-sites/

http://eskonr.com/2013/12/sccm-2012-ssrs-report-site-servers-and-its-assigned-boundary-information/

http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

For more information about boundary groups, please refer https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_show-boundary

As you already know that, Windows 7 and windows server 2008/R2 has reached their end of support lifecycle on January 14, 2020, however you can purchase the extended security updates (ESU) for windows 7 and server 2008/R2 through volume licensing to make sure these devices are protected. For more information about how to purchase the ESU, refer to this blog.

After you have purchased the ESU, you can install and activate window 7 or server 2008/R2 devices using Configuration Manager task sequence or scripting or by other means. There are multiple posts on the internet on how to install ESU.

In this blog post, we will see how to check the activation status of ESU on windows 7 and server 2008/R2. This monitoring will help you take action on the missing ESU devices to avoid the possible threats.

If you have installed the ESU key on the windows device, the information gets stored in WMI class called ‘SoftwareLicensingProduct’

If you know where does the ESU information stored in WMI, it would be easier for us to use configuration manager to gather data for further analysis.

By default, SCCM clients do not send the information about this class SoftwareLicensingProduct hence if you try to create a collection or query database using this class, you get empty results.

So to check the activation status, we can use 1) Enable the Software_licensing_product in client inventory settings (hardware inventory) 2) Use compliance settings to detect the ESU activation status and 3) script

I DO NOT recommended option 1) because SoftwareLicensingProduct class contains a lot of data that will be collected from all devices along with activation information which will bloat your database.

A simple example is, on your Windows 7, open PowerShell command and run the following syntax to see the data that is available in SoftwareLicensingProduct

Get-WmiObject -query "select * from softwarelicensingproduct"

The above command will generate a lot of data that is not required for us.

What other options do we have without bloating the database? A simple and easier method is compliance settings.

I am not doing step by step guide in this post on how to create the compliance item and compliance baseline then deploy to the collection but I will give you the steps and also the exported baseline configuration for you to import the settings into your configuration manager and deploy it.

Steps required for this:

1. Create a collection for all windows 7 and windows server 2008/R2. You can use this guide to create the collections.

2. Download the configuration baseline file (SCCM Baseline for ESU Activation.zip) from Github. This is a ZIP file which contains 2 baseline policies. After you download, you need to extract it to get .cab files.

3. Go to your configuration manager, configuration baseline, right-click, and import configuration data. Import the .cab file that you download from Github.

You will need to do this task twice because there are 2 baseline files available 1) for windows 7 and 2) for server 2008/R2.

Note: The PowerShell script that I have used in the baseline will check if the device activated with 1 year or 2 year or 3 year ESU key and report as compliant. If any of these ESU key not found, then report as non-compliant. The ESU keys are taken from this blog post. Once you import the baseline policies, you can go to CI and change the script as per your requirement.

4. You can now deploy the baseline policy to the respective collections that you created earlier.

5. Based on the schedule, clients will run through the compliance settings and report the status.

6. Run the reports to identify the list of devices that are still not installed/activated with ESU.

Once you have the data, you can use reports or create a collection for non-compliant devices for further troubleshooting.

Until next blog post!

Issues that are fixed:

A Central Administration Site (CAS) may be placed in maintenance mode if the site database contains BitLocker management data and one of the following scenarios is true.
1. If the or data link between a primary site and CAS is unavailable, and data is backed up for 5 days.
2. If the site goes through the data reinitialization (reinit) process.
3. If the CAS is recovered.

Microsoft Advanced Threat Protection (ATP) policy deployment status shows as “Unknown” when deployed from the Microsoft Endpoint Management admin center.

The SMS Agent Host process (CCMExec.exe) may cause high CPU and memory utilization when the computer is not a member of an orchestration group. The MaintenanceCoordinator.log will show the entry “Orchestration lock is required.”.

The download of third-party updates for internet clients will fail if only a cloud distribution points is available unless the user triggers the installation via Software Center.

A computer restart initiated from Software Center on a client will fail if a Windows Servicing Stack Update (SSU) was installed with other updates.

If both a Servicing Stack Update (SSU) and Latest Cumulative Update (LCU) are deployed together and past due, the SSU is not installed first.

Clients in boundary groups with limited network speed or BITS throttling ignore the “Prefer cloud based sources over on-premise sources" setting.

The Desktop Analytics dashboard may show stale data up to 12 hours out of date if duplicate devices are in the environment.

Site installation fails when the database is installed on a clustered instance of SQL on a Windows Server 2012 R2 server.

Administrators cannot run CMPivot scripts without having default scope access.

The Azure_CloudService table has inconsistent data after onboarding, offboarding, then onboarding co-management.

A client only retries a failed management point connection one time until the client is restarted, leading to delays in policy retrieval.

Windows Feature Updates that installed successfully may still appear in Software Center as pending installation after the client computer restarts.

The link to the Microsoft Intune Device Explorer for a specific device in the Configuration Manager console does not load correctly.

A site administrator with rights to read Devices and Boundary Groups is unable to query the same data using the administration service.

Administrators receive an “Insufficient user permissions” error in the Microsoft Endpoint Manager admin center when their on-premises permissions are granted via Active Directory group membership.

The Workspace Key and Workspace ID fields are now optional in the Create Microsoft Defender ATP Policy Wizard.

Application content fails to download from a cloud distribution point when BranchCache is enabled and there are multiple files to be downloaded.

The “Prefer cloud based sources over on-premise sources” boundary group setting is not used for Microsoft Ofice 365 update content downloads.

The tenant attach process fails if the SMS Provider is installed remotely from the site database server.

After client upgrade the PolicyAgent.log may be flooded with duplicate log entries, overwriting information valuable to troubleshooting. The entries resemble the following.

Policy instance for 'SMS:Client:Default:{guid}' with unknown policy source 'SMS:Client:Default:{guid}'. Ignoring it.

The administration service is unavailable if the service connection point is installed remotely from the site server.

The Windows PowerShell Integrated Scripting Environment (ISE) generates a “Failed to refresh” error when loading the cmdlet library and refreshing the list of available cmdlets.

Upgrade of the Configuration Manager client fails on Windows 10 clients with error code 80070020 when using the “Auto upgrade” and “Auto upgrade(Pre-production collection)”.

Error handling for the administration service is improved.

Installation of dynamic packages via the Install Package task in a Task Sequence fails with error 0x87d02004. This occurs if the “Allow this program to be installed from the Install Package task sequence without being deployed” option is selected in the program for the package.

Desktop analytics deployment plans in large environments may not display correctly in the Configuration Manager console due to a SQL timeout.

If the site database and data warehouse database are on different computers, and the data warehouse service point is on a different computer from the data warehouse database, the synchronization process may fail. Errors resembling the following are recorded in the Microsoft.ConfigMgrDataWarehouse.log file.

Process encountered an unexpected error
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

Additional hotfixes contained in this update

KB 4561494: Microsoft Edge application creation fails in Configuration Manager

References:

Update for Microsoft Endpoint Configuration Manager version 2002, early update ring

Updates and servicing for Configuration Manager

I had set up a new lab a few days ago using the configuration manager current branch baseline version 2002 with SQL Server 2019.

Installation went fine and I was able to play with it.

By the way, I have used the Johan hydration kit to set up this lab to save some time. Though the current hydration kit that is available is with SQL 2017, I tweaked it and added SQL 2019 for my lab setup.

After a couple of days, when I tried to launch the configuration manager console, I ended up seeing the following screen.

Since the above error talks about the connectivity to SMS provider, I started looking at the SMSPROV.log

Error from the log:

[HY000][0][Microsoft][SQL Server Native Client 11.0]Unspecified error occurred on SQL Server. Connection may have been terminated by the server.

[HY000][596][Microsoft][SQL Server Native Client 11.0][SQL Server]Cannot continue the execution because the session is in the kill state. [HY000][0][Microsoft][SQL Server Native Client 11.0]Unspecified error occurred on SQL Server. Connection may have been terminated by the server. ThreadID : 4844 , DbError: 596 , Sev: 21~*~*

SQL Error: [HY000][596][Microsoft][SQL Server Native Client 11.0][SQL Server]Cannot continue the execution because the session is in the kill state.

If you use SQL Server 2019 for configuration manager 1910 and above (supported versions) , there's a known issue with the new scalar UDF inlining feature in SQL 2019 and the workaround to fix this issue is to disable the UDF lining using following command.

Open the SQL server management studio and run the following syntax:

ALTER DATABASE SCOPED CONFIGURATION SET TSQL_SCALAR_UDF_INLINING = OFF

After you run the syntax, you need to restart the SQL server service.

without restarting the SQL Service, you will not be able to launch the console.

Go to services.msc and restart SQL Server

After the SQL Service started, launch the console, you should be able to connect to SMS Provider.

Though SQL server 2019 is supported for configuration manager build 1910 onwards, this is know issue and there is also workaround for this provided by Microsoft for now.

Reference:

https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/configs/support-for-sql-server-versions#known-issue-with-sql-server-2019

I was recently assisting a customer on the implementation of CMG to manage the windows devices over the internet.

Due to COVID-19, majority of the workforce is working from home and these devices connected not connect to the office for several weeks after the implementation of CMG.

Once the CMG and site system roles are installed, clients get the location of the CMG service automatically on the next location request. Clients must be on the intranet to receive the location of the CMG service but in the customer case, users are all working from home and no possibility to bring the devices for CMG aware.

So the alternative option is to reinstall the client on the internet-connected devices with the help of ccmsetup.exe using CMG command-line switches.

How do you install the client on the internet-connected device centrally? Well, the customer has a different tool that helps to run the command line on all internet-connected devices.

As I mentioned in my previous blog post, you can use the command line to install the client on internet-connected devices but the question is how to get the command line switches will be covered in this blog post.

Following is the command line syntax that I have used to install the client on internet-based clients (I did not use token-based here because the customer has PKI/AAD/Hybrid AAD). For token-based, read here.

"C:\windows\ccmsetup\ccmsetup.exe" /nocrlcheck /mp:https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/6257556037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057556037928694 SMSSiteCode=PS1 AADTENANTID=5004305e-6764-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=3C6a28b2-9d0a-484d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService

When I was assisting the customer to prepare a command-line syntax just like above, I was searching at various places such as Azure portal, app registration, tenant ID, etc. But I have realized that, there is a SQL Table that stores all this information.

On the SCCM database, run the following 1 liner syntax.

select * from proxy_settings

Connectorinfo contains the mp and ccmhostname values.

AADConfig contains the AADTENANTID ,AADCLIENTAPPID and AADRESOURCEURI and values.

AADTENANTID=Tenant ID

AADCLIENTAPPID=ClientID

AADRESOURCEURI=ResourceURI

Based on the above data, it is now much easier to prepare the command line syntax to install the client over CMG and manage the client from internet.

I hope it helps and thanks for reading!

For more information about client installation parameters and properties in Configuration Manager, please read here

Microsoft released Technical preview 2005 for May 2020. This preview release contain lots of tenant attached features along with some cloud management gateway as well.

This preview version is available only via in-console update. If you want to build a new lab, you need to download the baseline version of tech preview 2002 and then update to 2005. For more information about Technical preview, please read here

I just updated my lab to technical preview 2005 to explore the new tenant attach features.

Technical preview 2005:

Top features:

A task sequence launched from boot media or PXE can retrieve content from cloud based sources:Starting in this release, when a task sequence is started from boot media or PXE, if the client is in a boundary group associated with a cloud distribution point or content enabled CMG the task sequence can download content from the cloud based sources.
Client install and upgrade on metered connection:Client installation and upgrades can be configured to occur on devices connected to metered networks.
Disk encryption options when enabling BitLocker in a task sequence:An admin is now able to select disk encryption level on the "Pre-provision BitLocker" and "Enable BitLocker" task sequence steps.
Improvements to cloud management gateway cmdlets
Improvements to the content library cleanup tool
Microsoft Endpoint Manager tenant attach:CMPivot real-time queries from Microsoft Endpoint Manager admin center
Microsoft Endpoint Manager tenant attach:Device timeline in Microsoft Endpoint Manager admin center
Microsoft Endpoint Manager tenant attach:Install an application for an uploaded device: An admin can now initiate an application install in real-time for a tenant attached device via the admin center.
Microsoft Endpoint Manager tenant attach, Run Scripts from the Microsoft Endpoint Manager admin center:Initiate PowerShell scripts in real-time from the cloud against an individual ConfigMgr managed device and see the script output and status back to the Microsoft Endpoint Manager admin center.
Notification for expiration of Azure Active Directory application secret key:You will now be warned with a console notification when the Azure Active Directory application secret key is close to expiring or is expired. This enables administrators to renew the key and prevent impact to cloud attached features.
Report setup and upgrade failures to Microsoft:If the setup or update process fails to complete successfully, you can now report the error directly to Microsoft. In the event of a failure, there is a "Report update error to Microsoft" button that walks through an interactive wizard allowing you to provide more information to Microsoft. In Technical Previews, this button is always enabled even when setup completes successfully.
VPN boundary type:You can now create a new boundary type to simplify managing VPN clients. All clients that connect through a VPN automatically belong to boundary group(s) associated with this new boundary type.

For full features list and description,please read https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2005

In the next few blog post, i will discuss about the tenant attach and cloud features.

With Configuration Manager technical preview build, a bunch of Tenant attach features were released which will help you to take actions from the devices blade in the Admin center.

One of the coolest feature in this preview release is, we can now initiate an application install in real time for a tenant attached device from the Microsoft Endpoint Management admin center.

What do we need to do to install the application in Realtime from the admin center?

Prerequisites:

You'll need to meet all of the prerequisites for Tenant attach: ConfigMgr client details:

An environment that's tenant attached with uploaded devices.
One of the following browsers:
- Microsoft Edge, version 77 and later
- Google Chrome
The user account has been discovered with both Azure Active Directory (Azure AD) user discovery and Active Directory user discovery.
- Meaning the user account needs to be a synced user object in Azure.

The following prereq are newly added, Inorder to initiate the application install from the admin center.

Enable the optional feature Approve application requests for users per device. For more information, see Enable optional features from updates.

At least one application deployed to a device collection with the An administrator must approve a request for this application on the device option set on the deployment. For more information, see Approve applications.
- User targeted applications or applications without the approval option set don't appear in the application list.

As you can in the application deployment settings, the deployment must be targeted to a device collection with purpose available and check ‘an administrator must approve a request for this application on the device’

You can now review the log for data upload.

When an admin runs an action from Microsoft Endpoint Manager admin center (intune console), the notification request is forwarded to Configuration Manager site, and from the site to the client.

Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
The next sync time is noted by log entries similar to Next run time will be at approximately: 30/05/2020 16:35:31.
For device uploads, look for log entries similar to Batching N records. N is the number of devices uploaded to the cloud.
The upload occurs every 15 minutes for changes. Once changes are uploaded, it may take an additional 5 to 10 minutes for client changes to appear in Microsoft Endpoint Manager admin center.

In Technical preview, to install the app, we must right click on the device and choose admin center preview and initiate it from there.

When this feature release in current branch, we can directly open the MEM admin center portal (https://endpoint.microsoft.com) and perform the device actions.

For now, we need to open the admin center from the device tenant attached. From the configuration manager console, right click on tenant attached device, start and choose Admin center preview

If the Admin center preview is grayed out, then the device is not part of the tenant attach collection in co-management settings.

You will be prompted for authentication and you will see the following screen.

Click on applications to see the available apps that are ready to install on the device.

we have published an application to the device collection which can be initiated from the MEM admin center

Now go back to your configuration manager installation directory and open log CMGatewayNotificationWorker.log to see the status of the application install.

When an action is initiated from the Microsoft Endpoint Manager admin center on Configmgr client, CMGatewayNotificationWorker.log processes the request.

You will see the information about sending application request and also create approved request and more details about the request in the log.

Sending AdminService request with URL: https://sg-cmtp01.domain/AdminService/wmi/SMS_ApplicationRequest.CreateApprovedRequest

After a while, if you look at the client appenforce.log, the application installation is completed.

we can now go back to admin center and refresh the page to see the updated status as ‘Installed’.

After some days, if user uninstall the application, the status will be updated in the admin center with status ‘Install requested’ and you will get an option to Retry installation. By clicking on Retry installation, the app will get install on the device.

With this feature, we can now act on the user application deployment request from anywhere with 1 click using mobile without touching the Configuration manager console.

Reference:

https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2005#bkmk_apps

Troubleshooting device actions for Configuration Manager devices from admin center

I was recently troubleshooting the sccm client installation issue on a server that was configured as a distribution point.

Installation of client The client installation setup and process is very simple and straight forward unless you hit issues like this.

When I started looking at the client installation log( ccmsetup.log), I saw the below information in the log.

The client version 5.00.8913.1000 (build 2002) does not match the MP version 5.00.8790.1000 (Build 1910). The client cannot be installed.

ccmsetup failed with error code 0x80004005

The above error code says, there is a management point installed on the server which is not matching the client version that you are trying to install.

Management point and client shared the same binaries for it to operate hence the client version must match.

So, I started looking at the SCCM site system roles and its configured with the role of DP ONLY and no other roles are configured.

But from the IIS and registry, I can see that, there are some entries about Management point as you can see below.

So the question is, where did this management point install from?

I have reached out to the customer and got to know the following information:

The DP server that is having the issue was earlier configured as Management point and distribution and attached to Site P01 (old SCCM).

The customer had planned to install a new sccm site (PS1) and re-use the remote site that was having an issue now as DP for the new site.

The customer had uninstalled the MP and DP roles from the old site but for some reason, the uninstallation of DP or MP could not complete successfully, and later the problem server was installed with DP role from new SCCM site (PS1).

and the old SCCM site (P01) was decommissioned.

We now know the background of the issue and we will see how to fix this issue.

I have tried uninstalling the client completely using ccmsetup.exe /uninstall and also used ccmclean.exe but I could not able to get it working.

When you install configuration manager client, it creates a namespace called Root\CCM and it holds the configuration and policies that govern the operation of the ConfigMgr client and also management point (if the role is installed).

On a device that has the client installed and also MP installed, there will be a wmi instance created inside the namespace root\ccm called CCM_InstalledProduct

There will be 2 MSI products listed inside the WM, 1 for configmgr client, and other one for MP role.

when we try ccmsetup.exe /uninstall, it does the removal of only 1 product that is for configuration manager client but the 2nd product remains there and hence the issue.

To uninstall the management point completely along with configuration manager client (if installed), use the following vb script.

'Uninstall configmgr client and MP if exists
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
'First, find the GUID
strComputer = "."
Set wmiService = GetObject("winmgmts:\\" & strComputer & "\root\ccm")
Set wmiObjs = wmiService.InstancesOf("CCM_InstalledProduct")
For Each wmiObj In wmiObjs
     cmdLine = "msiexec /x " & wmiObj.ProductCode
     WScript.Echo cmdLine
     WshShell.Run cmdLine
Next

save the script as removeMP.vbs and run it on the problem server using administrative rights.

After the script run successfully, a reboot will be prompted (mandatory).

Reboot the server and install the configuration manager client. This time it installed successfully and able to communicate with new sccm site (PS1).

Hope this helps!

Here is another interesting issue that I come across recently with the Configuration Manager build version 2002.

I was reviewing the client health dashboard in the monitoring workspace and saw the following status..

As you can see above, the bar chart for the client's overall health, the client policy request is at a very low percentage compared to other scenarios such as client health, software inventory, hardware inventory, etc..

The client policy is something that you can configure in device the client settings (default 60 min) and help the client to download the policies from the Management point.

By clicking on the policy request bar chart, I can see that, there are a large number of client devices with time stamp very old (almost 2 months old).

From the above screenshot, many clients are online and active but the policy request timestamp is OLD.

By looking at the old timestamp, the first thing that came in mind is, clients might be having issues with downloading the policies which will cause the deployment issues.

I picked one of the online clients with an old timestamp and looked at the client logs such as policyagent.log and other deployment logs such as appenforce.log,wuahandler.log, updatesdeployment.log, etc.

These logs can help us to identify if the client is able to download the policies and install the deployments if any.

On the client that I picked, it has installed applications very recently and also monthly software update patches which is a good thing.

So now, there are no issues with deployments and also the client policy download but why is policy request timestamp not getting updated?

A couple of things verified before applying the NASTY workaround.

1. Verified the MP logs such as MP_Getpolicy.log, MP_policy on the MP server, IIS logs. All looks good.

2. Verified that, inbox folder polreq.box has huge backlogs that are failed to process (E:\Program Files\Microsoft Configuration Manager\inboxes\polreq.box). This inbox folder keeps increasing. I could not able to find anything in the logs that refers to this action.

3. Verified the antivirus exclusions for configuration manager are configured correctly.

4. Restarted the SMS executive services for a fix but could not get through.

The solution (NOT RECOMENDED IN PRODUCTION ENVIRONMENT UNLESS YOU KNOW WHAT YOU ARE DOING)

When there are a large number of clients that are having old timestamp, i started digging into the database as well and found a SQL table called v_CH_PendingPolicyRequests.

This SQL Table list the information about policy request including the GUID of the request.

Run the following syntax on your SQL management studio:

select * from v_CH_PendingPolicyRequests

As you can see above, a large number of clients with an old timestamp, GUID, and also its Management point.

DISCLAIMER: Please take a back up of your ConfigMgr SQL database before performing this step. Once the changes are made, they cannot be UNDO.

we will remove all the pending records from this table v_CH_PendingPolicyRequests and monitor the client policy request again.

On your SQL management studio, perform the following syntax.

TRUNCATE TABLE v_CH_PendingPolicyRequests

Now run the SQL Query to verify if there are any more results or not?

select * from v_CH_PendingPolicyRequests

Confirm that, there are no records in it.

Now delete the backlog files inside the inbox folder polreq.box

Now we will monitor the client policy requests from the clients and this time, all the clients have updated their timestamp correctly in the console and also in the client health dashboard.

Is there any other fix without truncating the records in the SQL table? No, i don’t have at this point.

I hope you find this useful!

Microsoft has released Configuration Manager Technical Preview version 2006 with a lot of cloud features. For more information about the features of this preview release, please refer https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2006

This Technical preview version is not a baseline version and can be installed only from the in-console update. If you are building a new site, please install the baseline version (tech preview) 2002 and update it to 2006 using in-console.

This technical preview version focused more on cloud-related feature.One of the most waiting features of CMG is, to allow intranet clients to scan against CMG software update point when you configure the boundary groups.

Until now, in all the preview technical preview features and also in the current branch build, all the client (on-prem) traffic can be routed via CMG except the software update scan which is now possible using a technical preview build 2006.

The following are the 2 scenarios in which you can configure the boundary groups to allow intranet clients to scan against CMG software update point.

· When an internet machine connects to the VPN, it will continue scanning against the CMG software update point over the internet.

· If the only software update point for the boundary group is the CMG software update point, then all intranet and internet devices will scan against it

How to test this feature to allow intranet clients to scan against CMG SUP?

Create boundaries and boundary groups for your VPN clients. In my lab, i use my intranet client as VPN boundary.

Boundary group:

Go to properties of the VPN boundary group and click on references:

Add the CMG here (pls note that, am using 3rd party cert in my lab, hence there is no cloudapp.net).

My lab has only 1 SUP so i configured it to support both intranet and internet based clients.

The following setting is applicable in scenario, If the only software update point for the boundary group is the CMG software update point, then all intranet and internet devices will scan against it.

If you have dedicated SUP for internet-based clients then you can choose ‘Allow Internet-only client connections’ for your VPN clients. So when an internet machine connects to the VPN, it will continue scanning against the CMG software update point over the internet.

In the relationships tab, leave it blank. There is no need to configure any fallback.

In the options tab (for downloads), configure the ‘prefer cloud based sources over on-premise sources’.

Now login to the client (win10- connected to on-prem ) and restart the SMS agent host service for a quick test or refresh the machine policy cycle.

From the configuration manager applet, run software update scan cycle and monitor wuahandler.log and locationservices.log

Locationservices.log

wuahandler.log:

As you can see, client is connected to intranet but the software update scan is scanning against the CMG software update point.

Following is the SQL code that will help you to identify the clients connecting to CMG software update point.

select uss.LastScanPackageLocation [Scan Location],
count(*) Total
from v_UpdateScanStatus uss
group by uss.LastScanPackageLocation

This is great feature to route all the traffic via internet.

Hope to see this feature in the next version of production build.

Using intune to install ConfigMgr client as win32 app using local source files without downloading from CMG

How to find ConfigMgr client boundary and boundary group details based on boundary group caching

SCCM remote control failed to do Handshake in Server. An existing connection was forcibly closed by the remote host Error 80072746

How to deploy Microsoft Edge Chromium stable version using Configuration Manager

How to integrate Power BI Report Server with Configuration Manager reporting

Using compliance settings to check client boundary group in configuration manager

Get started with compliance settings in Configuration Manager

How to find software update deployments enabled with download content from Microsoft update for clients from VPN CMG internet connected

Set-CMSoftwareUpdateDeployment

SCCM ConfigMgr Current Branch 2002 is available as in-console and baseline version

tenant attach –> Device sync and device actions

Site infrastructure—> Remove a central administration site

Cloud-attached management—>Token-based authentication for cloud management gateway

Desktop Analytics—>Connection Health dashboard sh

Client management—>Client log collection

Application management—>Microsoft Edge management dashboard

OS deployment—>Improvements to Check Readiness task sequence step

Software updates—>Evaluate software updates after a servicing stack update

Reporting—>Integrate with Power BI Report Server

Configuration Manager console—>Show boundary groups for devices

How to create a collection based on boundary group for client assignment and content troubleshooting

SCCM SQL query to list all the content of distribution point group

Configuration Manager report for a list of clients missing boundaries

Use SCCM compliance settings to detect the ESU activation for windows 7 and server 2008

Early update ring available for Configuration Manager version 2002 (KB4553501)

Issues that are fixed:

Additional hotfixes contained in this update

Update for Microsoft Endpoint Configuration Manager version 2002, early update ring

SCCM console connectivity issues with SQL Server 2019 – Connection may have been terminated by the server

How to prepare SCCM CMG Client installation switches for internet based client

Configuration Manager Technical preview 2005 is released- bunch of cloud integration features

Technical preview 2005 – Tenant attach Install application in real time from admin center

Failed to install Configmgr Client- The client version does not match the MP version The client will not be installed

Troubleshooting the Configuration Manager client policy request timestamp is old

Configuration Manager Technical preview 2006 – Allow Intranet clients to scan against CMG Software update point