I am super excited and honored to receive an email from Microsoft about my MVP (Microsoft Most Valuable Professional) award renewal for the year 2020-2021 in Enterprise Mobility area .

This is my 4th consecutive year MVP award (First year 2017) and glad that, I am still part of great MVP community for another year.

Following is the email received on the MVP Award from Microsoft.

Dear Eswar Koneti,

We’re once again pleased to present you with the 2020-2021 Microsoft Most Valuable Professional (MVP) award in recognition of your exceptional technical community leadership.

We appreciate your outstanding contributions in the following technical communities during the past year:

I would like to thanks to my followers on linked-in, Facebook, twitter and to my blog readers for their support on Enterprise Mobility area.

This is a quick post on an issue that I come across recently at a customer who was unable to install the IIS role for setting up a distribution point.

As we all know, IIS is a prerequisite for setting up a distribution point in Configuration Manager.

During the installation of the IIS feature, you need to provide the path to source files, this will be usually the SXS folder from the OS media file as shown below.

I have specified the SxS folder during the installation of IIS and made sure that, the OS version matches the ISO file that was downloaded.

 This is the usual procedure that we all do to install the IIS feature and it always works, but in this case, it never worked for me.

Following is the error code:

The request to add or remove features on the specified server failed. The source files could not be found. Error Code 0x800f081f.

I tried a couple of times by changing the ISO to the latest one, but it failed with the same error code.

what other options do we have to install the IIS role now for DP to work?

If the SxS source files cannot be used by the server to install IIS, we will use the WIM file from the same ISO to install the IIS feature using Powershell cmdlet.

Following is the PowerShell syntax.

Install-windowsfeature web-server –source wim:D:\sources\install.wim:2

Here 2 refers to the image index.

How do we know what index to use? This is based on the OS edition installed on the server.

You can check the OS edition on the server using WINVER from the RUN command.

Once you are done with this, run the following DISM command against the source wim file to know the index.

dism /get-wiminfo /wimfile:E:\sources\install.wim

Index 2 refers windows server 2019 standard with desktop experience

If your OS is datacenter with desktop experience, you need to use index 4.

once we have all the necessary information, run the PowerShell to install the IIS role.

Install-windowsfeature web-server –source wim:D:\sources\install.wim:2

Status after the Powershell command.

likewise, you can install all other features using the same format.

If the standard practice doesn’t work, we take other routes to make things work

Hope it helps!

Introduction:

Cloud management gateway (CMG) helps you to manage the configuration manager clients on the internet without any additional on-premise infrastructure.

Due to COVID-19, most of the workforce is working from home (with/without VPN), and managing the endpoints using Cloud Management Gateway (CMG) is immense. Many organizations have already implemented the CMG to manage the windows devices that are connected outside the office network or connected to an office network using VPN.

If you are yet to implement the cloud management gateway service in your organization and need assistance, please check here.

Implementation of CMG involves server authentication certification (PKI or Public) and client authentication (optional).

The server authentication certification is required to build a secure channel with CMG cloud service and the CMG cloud service creates an HTTPS service to which internet-based clients connect.

The server authentication certificate can be either public key infrastructure (PKI) or public providers such as DigiCert or other global providers.

Microsoft strongly recommends public and globally trusted certificate provider but again, it depends on the organization to use PKI or public cert.

For more information about the Cloud Management Gateway choices, please refer Jason post here

In this blog post, we will see how to create a CMG server authentication certificate from DigiCert.

Following are the steps:

Check the DNS name in the Azure portal (cloud classic services)?

First, we will need to identify a DNS name availability in the Azure portal.

Log in to the Azure portal, click on all services, select cloud services (classic)

Click on Add

Choose the DNS name that you want to create and verify it must exist (green tick box). If you get a red color then it is already taken and you must choose another.

If it exists, make a note of it. In my case, cmcb.cloudapp.net exist. Do not create any, just verify if it exists or not.

Create a CNAME record in the public DNS?

Next, we will have to go to the public DNS that you manage and create a CNAME record.

In my case, I have public DNS that is Eskonr.com and will create a CNAME record for cmcb.eskonr.com for the real hostname cmcb.cloudapp.net

In your organization, you may have to reach out to the team that manages the public DNS and provide the following details.

CNAME record for cmcb.cloudapp.net with cmcb.eskonr.com

Make sure that, cmcb.eskonr.com is not in use in your public DNS and it must be unique.

Following is the CNAME record in the public DNS. You can leave the default values such as 600.

Request a public certificate from DigiCert for CMG server authentication?

Now we will request a server authentication certification from DigiCert using the common name (CN) of the CNAME alias.

As part of the cert creation, we will use DigiCert Certificate Utility for Windows

we need to download the DigiCert windows utility from https://www.digicert.com/util/

Once the tool is downloaded, launch the diticertutil.exe tool

Click on the SSL and click create CSR

Enter the common name. This will be the CNAME record that we created in our public DNS (cmcb.eskonr.com). CMG server authentication certificate supports wildcards such as *.eskonr.com.

Click on Generate

Now you will see a CSR code which you can copy it to a txt file

Click on close

Request your SSL certificate for CMG cloud service:

We will now login to the DigiCert portal and select the certificate category, upload this CSR code, and do the payment.

Login to https://www.digicert.com/

After you log in to the DigiCert portal, you will see a request a certificate, and click on it will display the category list.

Once you select the certificate, you will be prompted with certificate details.

Upload the CSR file and choose the validity period. Based on your selection, the cost will be shown in the transaction summary.

In the prove control over your domain, I selected email as it is easy to confirm through email with one click.

There is a list of pre-defined email addresses of your domain. so you order the certificate, you can edit the order and choose the email address that you want to send the confirmation email to prove the control over the domain.

Once you are done with the payment and all, click on Submit certificate request.                                                                                        

Once the order confirmation is done, you will see the order status as pending.

Before DigiCert can issue your certificate, you must prove your control over the domains listed on the certificate.

On the order section, you can customize additional emails, renewal notice, renewal messages for this order, etc.

Once the order is approved, you can log in to the DigiCert portal and download the certificate.

Following is the sample email that I received from DigiCert.

Please note that, when you to go the download section, there are many formats that you can choose.

In my case, I selected the following.

You can also choose separate primary and intermediate .crt files (zipped)

I tried with .cer and .crt, both have the same output for CMG cert (pfx format).

Once the certs are downloaded, extract it, you will see cert with a common name (cmcb.eskonr.com) ends with .cer

Import SSL certificate:

Now go the computer that you ran the DigiCert tool earlier to generate the CSR, launch the tool and sing-in, click on SSL and click on import

Based on the cert that you downloaded earlier (.cer or .crt), choose the file name contains a common name (in my case it is cmcb.eskonr.com)

Once it is done, the certificate will be visible in the SSL certificate list.

Export the SSL certificate (PFX format):

Click on the certificate that we imported and select export certificate

To protect the certificate, key in a strong password

Finally, you will be prompted to save the .pfx certificate.

We have now successfully created a server authentication certificate that can be used to create a CMG cloud service using a public cert.

To set up a cloud management gateway service, please refer to this guide.

I hope this has been informative for you.

Cloud management gateway (CMG) helps you to manage the configuration manager clients on the internet without any additional on-premise infrastructure.

Due to COVID-19, most of the workforce is working from home (with/without VPN), and managing the endpoints using Cloud Management Gateway (CMG) is immense. Many organizations have already implemented the CMG to manage the windows devices that are connected outside the office network or connected to an office network using VPN.

If you are yet to implement the cloud management gateway service in your organization and need assistance, please check here.

Implementation of CMG involves server authentication certification (PKI or Public) and client authentication (optional).

The server authentication certification is required to build a secure channel with CMG cloud service and the CMG cloud service creates an HTTPS service to which internet-based clients connect.

The server authentication certificate can be either public key infrastructure (PKI) or public providers such as DigiCert or other global providers.

Microsoft recommends public and globally trusted certificate provider but again, it depends on the organization to use PKI or public cert.

For more information about the Cloud Management Gateway choices, please refer Jason post here

Issue description:

I recently had a requirement to convert or redeploy the CMG cloud service from PKI to public cert.

If you want to make changes to the following configurations, then you need to consider to redeploy the CMG service.

• Classic deployment method to Azure Resource Manager
• Subscription
• Service name
• Private to public PKI
• Region

So how do you convert the existing CMG cloud service from PKI to public cert or redeploy the CMG cloud service?

Since the existing cloud service uses cloudapp.net and this domain is managed by Microsoft, we don’t a public cert matching that name.

The only possibility is to add another CMG cloud service with public cert and wait for the clients to be aware of the new CMG instance (both intranet and internet) before deleting the CMG with PKI.

In this blog post, I am going to use a certificate from DigiCert. There are various global trust providers, so please choose based on your organizational needs.

I recently published a blog post on how to secure a server authentication certificate for Cloud management gateway cloud service from DigiCert. For more details, please refer here.

This blog post assumes that you already have a server authentication certificate from a public provider. The server authentication certificate format should be .pfx and no other formats are supported at the time of writing this blog post.

How to verify if the CMG service is configured with PKI or public cert?

In the SCCM console, go to administration node, cloud services, cloud management gateway, on the right side, you will see service name ends with .cloudapp.net

Existing lab setup:

 A very simple and plain hierarchy with 1 primary site hosted with SQL (server A) and all client-facing roles such as MP, SUP, DP, etc for intranet clients.

The site is enabled with eHTTP and I don’t use client authentication certs.

CMG cloud service is created with PKI cert.

CMG connection point, MP, and SUP for internet facing are installed on server B. This is to isolate from intranet clients and internet clients.

Build version is 2002 which means, all my clients can make use of token-based authentication.

In addition to token-based, I have also hybrid AAD/AAD, so clients have the option to choose one of the authentication methods (Token/Hybrid AAD/AAD) with CMG cloud service.

Server B (SG-CM02) hosts the CMG CP, MP, and SUP roles.

You can create multiple CMG services in Azure, and you can create multiple CMG connection points. Multiple CMG connection points provide load balancing of client traffic from the CMG to the on-premises roles.

With the existing SCCM setup that I have, I am able to manage both internal clients and also internet-based clients successfully.

How to redeploy the CMG service using the public cert?

Since we already acquired the public cert, we will setup the new cloud service. For this, follow the Microsoft article. This is very straight forward and all the instructions available in the documentation.

As you can see, the service name does not contain .cloudapp.net

After a while, you will see that the configuration update completed.

To troubleshoot CMG deployments, use CloudMgr.log and CMGSetup.log on your site server logs.

We now have 2 CMG cloud services, but we have only 1 CMG connection point installed on server B and this CMG CP is linked to PKI cloud service.

Do not make any changes to the existing CMG CP in the dropdown selection. Just leave it. If you make any changes, it is going to impact the clients and internet-based clients are cannot communicate .

It is recommended to keep at least one active CMG for internet-based clients to receive an updated policy.

Until now, we created a new CMG service with public CA but we do not have a CMG CP linked to the new CMG service. This is must for clients to be aware of the new CMG service.

At this point, on an intranet or internet client, run the following PowerShell command to see the internet MP details.

(Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}).MP

As you can see, I have only 1 active MP which is PKI cloud service.

For clients to be aware of the 2^nd cloud service that we recently created, we need to create additional CMG CP.

For this, build a new server or use the existing server to host additional CMG CP and link this with the new CMG cloud server (public CA).

From the console, Add a new site system role and select the CMG CP role.

In the cloud management gateway name, select the instance that we created with public cert (not with cloudapp.net).

Click next and finish.

To troubleshoot CMG service health, use CMGService.log and SMS_Cloud_ProxyConnector.log on the site server.

As you can see, we now have two CMG connection points and we have only 1 CMG MP.

We can also use CMG connection analyzer for real-time verification to aid troubleshooting.

The in-console utility checks the current status of the service, and the communication channel through the CMG connection point to any management points that allow CMG traffic.

As you can see below, the CMG channel for Management point is with server B. As I described in the beginning, server B (SG-CM02) holds the MP and SUP for internet facing clients.

At this point, we have 2 cloud services, 2 CMG CP and 1 MP, SUP to support internet-based clients. The internet support MP and SUP can be on any server and is independent of the CMG CP role.

Both intranet and internet clients will get the location of this new CMG service automatically in the next location request (every 24 hours) or when the SMS agent host service started.

Since we already have the working CMG, clients that are on the internet will receive information about the new CMG service in the above conditions.

As we are doing it in the lab, I don’t want to wait for longer, and to make this faster, restart the SMS agent host service on the internet-based client.

After the service restarted, wait for a few mins before we read the locationservices.log file.

As you can see in the log, the client has picked the new CMG cloud service.

Running the PowerShell script on the client shows that, there are 2 CMG cloud services that clients can pick any of them randomly for communication.

(Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}).MP

Likewise, all the intranet and internet-based clients will know about the new CMG instance before we proceed to delete the old CMG instance. For this, we can probably wait for a couple of weeks assuming the device connects at least once to the internet to receive the new CMG info using the old CMG proxy.

If the old CMG service is removed, clients cannot communicate with the old CMG service to receive any new policies to get the information about the new CMG service.

If the internet clients are offline for a longer period and if they are not aware of the new CMG instance, then they can't communicate with a removed CMG and they must roam back to the intranet to know about the new CMG or reinstall the client with /mp parameter to specify the CMG's URL.

It is also important to distribute the content to the new cloud DP so that clients can get the location request from the CMG MP.

Now we will go back to SCCM console and do a search filter in the devices section with CMG proxy.

As you can see below, I have one device which is talking to new CMG service (online) and 2 devices were talking to old CMG service (offline).

It is good that we have got the new CMG service running and clients that are connected to the internet able to communicate with old CMG service, have got the information about new CMG service, but how do I know that all of my internet-based clients are aware of the new CMG service?

For this, you can create a collection or report based on the client's last policy request or hardware inventory or when was it last time online.

When you plan to delete the old CMG service, do not delete anything directly on the Azure portal, simply go to SCCM console and select the CMG instance and right click and delete. This will delete the VM instance, cloud DP and all other components from the Azure portal.

After you delete the old CMG instance, the clients that are aware of the new CMG service, they will automatically pick it upand continue to communicate . You don’t have to do anything for this, but clients that are not aware of the new CMG instance, must roam back to an intranet or install the client using internet-based client switches.

I hope this post has been informative for you.

The following are some of the blog posts on CMG for your reference:

Cloud Management Gateway Community Session with the Patch My PC Team

Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

Managing Patch Tuesday with Configuration Manager in a remote work world 

Mastering Configuration Manager Bandwidth limitations for VPN connected Clients

Get Azure IP Ranges for Your Cloud Management Gateway

Forcing Configuration Manager VPN Clients to get patches from Microsoft Update

Real-world costs for using a Cloud Management Gateway (CMG) with ConfigMgr

Software update deployment report for CMG enabled

CMG Cost estimation calculator

After the configuration manager current branch 2002 released, there are 4 update rollups and 1 hotfix (out-of-band) (if am tracking them correctly) released by Microsoft.

Following are the complete list of update rollups (first 4) and hotfix (last) for configuration manager version 2002.

KB4553501

KB4563473

KB4567007

KB4560496

KB4575774

Today, Microsoft has released hotfix (out-of-band) for the following issue:

After updating to Configuration manager current branch, version 2002, the New-CMTSStepPrestartCheck PowerShell cmdlet returns an error resembling the following when used.

The action "Check Readiness for Upgrade" is invalid. The property OSArchitecture contains an unsupported value 64-bit. The task sequence must be corrected before it can be used with SMS. Unspecified error (Error: 80004005; Source: Windows)

This error occurs due to changes in the Check Readiness task sequence step in version 2002.

Unlike other update rollup’s which usually appear in the console (updates and servicing), this hotfix is not available in the console and must download and install manually.

If you want to import the hotfix into the configuration manager console (updates and servicing), you can use update registration tool.

You can download the hotfix from this location. This update is around 50mb in size.

To apply this hotfix, you must have the configuration manager build 2002 along with recently released update rollup KB4560496.

After applying this update, you don't have to restart the server.

Configuration Manager uses collection evaluation to update collection membership, based on the collection rules you define. Collection evaluation scope and timing differ depending on site and collection configuration and evaluation type.

With Configuration Manager Technical preview release 2008, a new feature is introduced that helps to integrate collection Evaluation viewer into the configuration manager console directly.

With this new feature, we don’t need to run the standalone tool ceviewer,exe (servertools) to monitor collection evaluation data.

We can now use the console to view and monitor the collection evaluation process for troubleshooting issues such as slow collection evaluation.

The configuration manager console now displays the following information:

• Historic and live information for full and incremental collection evaluations
• The evaluation queue status
• The time for collection evaluations to complete
• Which collections are currently being evaluated
• The estimated time that a collection evaluation will start and complete

How to view the collection evaluation data in the console?

In the Configuration Manager console, go to Assets and Compliance > Overview > Device Collections.

Under the device collection, the new column called ‘Evaluation (Full) Last Completion Time’ is now enabled now by default.

Following are the list of properties for the collection that you can select to view:

You can also view the View the summary of collection information

On the summary page, you also see the Related Objects give links to view status of the collection in the specific queue under the Collection Evaluation node in the Monitoring workspace.

By clicking on each link will creates a new node is created where you can see the evaluation status for the specific collection.

You can also Monitoring collection evaluation queues from the Monitoring node.

From the Monitoring workspace, go to the Collection Evaluation node.

Clicking on the collection evaluation folder show you the total number of collections in queue and queue length is listed as a summary.

The following status summaries for the evaluation queues are listed:

• Number of collections in queue
• Queue length
• Current evaluation collection
• Current evaluation started on
• Current evaluation elapsed (seconds)

 The following queues are summarized and have their own sub nodes under the Collection Evaluation:

Full Evaluation Queue: For collections due for full evaluation

Incremental Evaluation Queue: For collections with incremental evaluation

Manual Evaluation Queue: For collections that an administrator has manually selected for evaluation from the console

New Evaluation Queue: For newly created collections

This is great feature that helps administrators to view and troubleshoot the collection evaluation process.

For more information about the Collection evaluation

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/collections/collection-evaluation

Microsoft released Configuration Manager Technical preview build 2009 with some cool features applicable to cloud management gateway.

This technical preview is for lab purpose ONLY and can be installed on 3 successive build versions which are from 1906,1907 and 1908.

The latest active baseline version available is 2007 and can be downloaded from the Evaluation Center.

If you want to build lab, download the baseline version (2007) and then do in-console update to latest preview build 2009.

The following features are available with Configuration Manager technical preview build 2009:

• Cloud management gateway with Azure VM scale set

Cloud management gateway deployments now use the Azure virtual machine scale set, which introduces support for Azure Cloud Solution Provider subscriptions.

• Deploy an operating system over CMG using boot media

An admin can now reimage devices on the Internet over cloud management gateway using boot media

• Improved Windows Server device restart experience for non-administrator accounts

Administrators can now allow low-rights users to perform Configuration Manager initiated restarts for Windows Server.

• Improvements to in-console notifications

You now have an updated look and feel for in-console notifications. Notifications are more readable and the action link is easier to find. Additionally, the age of the notification is displayed to help you find the latest information. If you dismiss a notification, that action is now persistent for a user across consoles.

• Notifications for devices no longer receiving updates

To help you manage security risk in your environment, you will be notified in-console about devices with operating systems that are past the end of support date and that are no longer eligible to receive security updates.

• Remote control anywhere using Cloud Management Gateway

An admin or helpdesk operator can now connect to a client via remote control over the Internet via cloud management gateway.

• View Collection Relationships

You can now view dependency relationships between collections in a graphical format. Limiting, include, and exclude relationships are shown.

• Wake machine at deployment deadline using peer clients on the same remote subnet

When you enable 'Send wake-up packets' on a deployment, the site will now identify another client that's awake on the same remote subnet. The awake client then sends a wake on LAN request (magic packet).

Configuration Manager Technical Preview 2009 :

Technical preview 1909 site version:5.00.9030.1000

Client version (1909):5.00.9030.1000

One of most requested feature in the recent times after the cloud management gateway introduced is the Remote control for internet connected devices.

Remote control for CMG connected devices was first introduced in technical preview version 1906 which is now improved.

Prerequisites for remote control over CMG connected devices:

1. You need to enable the remote tools in the client settings and add the user or group as permitted viewer for remote control.
2. Update the configuration manager client to the latest version (1909)
3. The client needs to be online

What are the authentication methods used in the remote control of internet device?

• A valid PKI client certificate
• Azure Active Directory (Azure AD)
• Token-based authentication

The above authentication methods aren't unique to remote control. If you properly configure clients to communicate with a CMG, HTTPS management points, or sites with enhanced HTTP, then they already use a supported authentication method.

Now lets test the remote control over internet connected device.

I have a device (Win10-11) that is on the internet is ONLINE and connected to CMG:

Right click on the device and select the remote control.

select the option to Connect via CMG or HTTPS MP for any of the following scenarios:

• CMG
• HTTPS management point
• Enhanced HTTP site

• Address: The target address of the client. To connect using CMG, you must use the FQDN. You can't use the hostname or IP address.
• Connect via CMG or HTTPs MP: This option allows for fallback from a TCP direct connection to use the CMG service.
• Server name: The CMG service name to which the current user and target client can connect.
• HTTPS port: If needed, change the default port from 443.
• Verify server certificate revocation: If the CRL DP location isn't accessible for the current user, disable this option for testing purposes.
• Azure environment: This option will prompt for sign in with your Azure AD credentials. Then, select the Azure environment for that user.
• Click OK to connect. Remote control will attempt a direct connection first, then fallback to CMG for connection.

• Please make sure the fully qualified domain name (FQDN) of the applicable service for CMG or https MP.

In my case, the CMG is using public cert and is CMTPTP1.eskonr.com.

If you are using the certs from CA, then you will have something like CMTPTP1.cloudapp.net.

When you click on Ok, it will prompt for Azure AD authentication and follow the remote-control settings on the target device.

Authentication:

If the user is permitted to view the remote control of the device and the device is online,

The end-user receives a pop-up to approve or deny the remote control request.

Finally, we can do a remote control for CMG connected device just like we do it for corporate network-connected devices.

Troubleshooting:

How to troubleshoot the remote-control issues for internet connected devices?

When you perform a remote control, there is cmrcviewer.log under %temp% folder

If any non-permitted user is trying to perform a remote control, it will be tracked in the ccm_sts log located on the management point logs.

Following is the log that shows Koneti\eswar is not permitted viewer to perform remote control of the device.

When I authenticated the Azure AD with different user (Eswar.koneti) who have permissions to remote control, it works.

If the device is Offline in the console, and you try to do remote control, you will see the following screen:

There are many other cool features available in this release.

Happy testing!

The post Configuration Manager Remote control for CMG Connected devices first appeared on All about Microsoft Endpoint Manager.

Microsoft has released Microsoft Endpoint Manager Configuration Manager build 2006 (MEMCM) via the opt-in method (fast-ring) on 8^th of August, followed by slow-ring (GA) on 31^st Aug.

If you want to install a new Configuration Manager site (fresh build), you can download the baseline version which is 2003 from the volume licensing portal, and then do an in-console update to 2006.

For more information about what’s new in Configuration Manager 2006, please refer https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006

 And for a step-by-step guide to 2006, https://systemcenterdudes.com/step-by-step-sccm-2006-upgrade-guide/  

Once you complete the CAS/Primary site server update, you need to manually upgrade any secondary sites by right-clicking on the site and choose the upgrade.

You also need to update your Configuration Manager clients to the latest version (2006) to avail the new client features that were added.

As usual, whenever there is a new configuration manager build released, there are always new SQL views for the newly released/updated features which will help us to generate custom reports without doing any MOF extensions (in case you have done it for these).

In Configuration Manager 2006, there are few SQL Views added compared to its previous version 2002 listed below for your reference.

Since the Technet gallery is retiring very soon, I have uploaded the Microsoft Endpoint Manager SQL Views for the build 2006 and also the previous builds to Github for your reference.

Download the SQL views for reporting from Github

Happy reporting!

Recommended reading:

SQL Server views in Configuration Manager

Creating custom reports by using SQL Server views in Configuration Manager

The post What is new in Configuration Manager 2006 for custom reports first appeared on All about Microsoft Endpoint Manager.

Microsoft released an in-console update (KB4580678) that helps you to enables the Run scripts feature from the Microsoft Endpoint Manager admin center (Intune) and is now available to the customers who have enabled the tenant attach in Configuration Manager. This update also resolves other tenant attach related issues and is a prerequisite to use the Run scripts feature from the admin center (Intune).

If you have not yet started the tenant attach process, please start now https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/ and take actions of your devices from mobile anywhere without accessing the configuration manager console.

Along with enabling the run script features from MEM admin center, it also fix the following issues:

• Features, such as Scripts, in the admin center do not appear for users that are assigned to all security scopes but are not full administrators.
• Internet-based links to approve or deny user application requests via email fail in Microsoft Endpoint Configuration Manager current branch, version 2006. This occurs for internet-based clients managed with a cloud management gateway (CMG).
  The administrator will receive an HTTP Error 400 when clicking the email link. Note that requests can still be approved using the Configuration Manager console, or other channels such as WMI that rely on the Configuration Manager administration service.
• The online status listed for devices on the internet connecting via a cloud management gateway (CMG) in the Configuration Manager console may be incorrect. This occurs when the CMG connection point is co-located with the service connection point, and the management point is co-located with the SMS provider.

This update is only available to customers who have enabled the tenant attach process and must be running on build version 2006.

After the installation of the update, you don’t need to restart the server.

If you have any secondary sites, you need to update them by right click on the site and choose recover the secondary site.

Alternatively, you can also check the status of your secondary sites using the SQL query.

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

How to run the scripts using MEM Admin center?

Launch https://endpoint.microsoft.com, Select Devices then All Devices.

Select a device that is synced from Configuration Manager via tenant attach.

Click on scripts (preview)

You will see all the scripts that were directly targeted the device. If you have run the scripts against a specific collection where device is member of, won’t be shown here.

As you can see, I ran 2 scripts on a device that were recently executed.

User can now select the script and initiate it from the web directly.

It would nice to have list all scripts that are available in Configuration manager based on the RBAC for the user to be shown for each device so user can pick the script and run if needed instead of showing only the scripts that ran already.

For more information about pre-req, permissions for run scripts, please refer https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/scripts

Troubleshooting the client details in the admin center for tenant attach, please refer https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/troubleshoot-client-details

The post Rollup update for Tenant attach - Run scripts first appeared on All about Microsoft Endpoint Manager.

Another month pass by and Microsoft released Technical preview for Configuration Manager 2010. These technical previews will be released every month and is for lab purpose ONLY.

For more information about the technical preview and how to use it, please refer https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/technical-preview

The active baseline version as of today for technical preview is 2007 and this can be downloaded from Evaluation Center.

Following are the new features in Technical preview 2010.

Deploy a task sequence to a user as an app model deployment type

Starting in the release, you can now deploy a non-OS deployment task sequence to a user-based collection when you add a task sequence deployment type to an application either to install or uninstall the app.

To create Create a task sequence for non-OS deployments, please refer https://docs.microsoft.com/en-us/mem/configmgr/osd/deploy-use/create-a-task-sequence-for-non-operating-system-deployments

You can’t deploy an app task sequence to user collection and is known issue. For more information, please refer https://docs.microsoft.com/en-us/mem/configmgr/apps/get-started/creating-windows-applications#bkmk_tsdt

Enable user proxy for software update scans

Beginning with the September 2020 cumulative update, HTTP-based WSUS servers will be secure by default. A client scanning for updates against an HTTP-based WSUS will no longer be allowed to leverage a user proxy by default. If you still require a user proxy despite the security trade-offs, a new software updates client setting is available to allow these connections. Learn more about the September 2020 changes to improve security for Windows devices scanning WSUS.

Improvements to scenario health

With scenario health, you can now monitor the health of the channel used for client actions. If you've onboarded to cloud management. This improvement helps to surface potential issues with client actions from Microsoft Endpoint Manager admin Center. This monitoring can also be used for on-premises client actions such as CMPivot, Run scripts, and waking up machines.

Run this action from \Monitoring\Overview\Scenario Health

Shortcut to status messages

You now have an easier way to view status messages for the deployment, content, device and user objects.

Following are the objects that you can select:

• Devices
• Users
• Content
• Deployments
  • Monitoring workspace
    • Phased deployments (select Show Deployments from the Phased Deployments node)
  • Deployments tab in the details pane for:
    • Packages
    • Task sequences

Right click on the selected object, Choose ‘Show Status Messages’ from the ribbon for a selected object.

Support for Windows 10 Enterprise LTSC on Desktop Analytics

The long-term servicing channel (LTSC) was designed for Windows 10 devices and use cases where the key requirement is that functionality and features don’t change over time. The LTSC servicing model prevents Windows 10 Enterprise LTSC devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. For customers that want to shift from LTSC to the semi-annual servicing channel to have access to new features, services, and other major changes, Desktop Analytics now supports enrolling and evaluating LTSC devices in your deployment plans.

Syntax highlighting for scripting languages in the Configuration Manager console

To assist you when creating scripts and queries in the Configuration Manager console, you will now see syntax highlighting. Supported languages include PowerShell, JavaScript/JScript, VBScript and SQL/WQL.

Defender App Control policy supports Windows Server 2016+ clients now

Configuration Manager to-date has supported Defender App Control policies for Windows 10 clients. We're extending this support to include Windows Server 2016+ endpoints.

Technical preview 2010 build installation:

Monitor the content download status from dmpdownloader.log

Once the content is download and is ready to install, install the update.

Site version: 500.9032.1000

Client version:5.00.9032.1000

Happy testing the preview build.

There are times where you need to troubleshoot the Microsoft Teams client issues such as app crashing, poor call quality, new features not working as expected, etc.

When you get any of such issues, you will need to collect the team’s client logs to investigate further and if possible, you likely need to share the logs with the Microsoft support engineer for further help.

There are different logs in Teams client that help you to troubleshoot the issue. The following are the important set of logs.

•  Debug logs
•  Media logs
•  Desktop logs
• Event viewer

As the teams client installed in the user profile (%appdata%), the log collection needs to be done from the user profile. so you need to request user and assist them to get these logs.

These common logs located in different folders under the user profile and guiding the user for these logs would take longer and sometimes get annoyed.

Except for Debug logs, all other logs are readily available for remote collection.

Debug logs is something that needs user intervention (not possible remotely) and the user needs to press shortcut Ctrl + Alt + Shift + 1 to generate the debug logs.

For more information about the log files and troubleshooting Teams client, please refer https://docs.microsoft.com/en-us/microsoftteams/log-files 

From this article, we know the location of the Teams log files, we can make use of Microsoft Endpoint Manager Configuration Manager scripts feature to collect the client logs for troubleshooting the teams issue remotely.

The scripts feature simplify building custom tools to administer software and let you accomplish mundane tasks quickly, allowing you to get large jobs done more easily and more consistently. For more information about PowerShell scripts from Configuration Manager Admin console, please refer here

This script can be used manually or remotely using Configuration Manager.

What does this script do?

1. The script check if the user logged into the machine or not, if yes, then collect the media logs, desktop logs,debug logs and event viewer from the locations and store it in C:\Temp\Teamslog

2.If no user logged into the machine , the script does nothing.

3. Once the logs are collected and store it on the share drive, the temp logs from local drive C:\temp\teamslog will be removed.

What is required to run the script?

1. You will need to provide the log share name to store the logs. The logs are zip and store it with username-timestamp.zip.

2. You will need notify user to use the shortcut Ctrl + Alt + Shift + 1 to generate debug logs. Once this is done, the script will look for the debug logs and collect it.

3. If user don’t run the Ctrl + Alt + Shift + 1, the script will not collect the debug logs but collect other logs if available.

Once you have filled in the log share, you can use take this script and use it in Configuration Manager scripts and run it on device where user logged for the log collection.

The script is uploaded to github, you can download it from here.

For teams client troubleshooting, please refer https://docs.microsoft.com/en-us/MicrosoftTeams/troubleshoot/teams-welcome

Over the last couple of years, I have been using this method to extract the status messages for various components in Configuration Manager such as SMS provider, Site server and client.

These status messages critical and useful when it comes to troubleshooting the components, clients etc. Status messages are similar to Windows NT Events and they have a severity, ID, description, etc.

These status messages ID appear in lot of places like logs, event viewer,configuration manager console. During the troubleshooting, it is hard to find out the description for the status message ID that you looking for and not everything can be found on the internet during the search.

As the current branch gets released every 3 months (based on the past trends), there will be changes to the status message IDs (addition/deletion) and it is always important to keep a copy of the status message ID’s for each build that you are working with.

In this blog post, we will see how to generate the status message IDs, description for your Configuration Manager build.

What is required to generate the status messages?

1. You will need the following dll files that are available in your your CAS/Primary site server for your current build

CLIMSGS.DLL

PROVMSGS.DLL

SRVMSGS.DLL

These dll files located in your site server location: <CM Installed directory:>\bin\X64\system32\smsmsgs

2. Copy these dll files to a folder on your computer.

3. Now download the script from Github, save it in the same folder where you copied the dll files.

4. Run the script. The script will create an excel file with 3 sheets called client, site server and sms provider and list down the status message ID’s along with description.

5. Output

Every time when you update your Configuration Manager build version, you can get the updated dll files and run the script.

I hope you found this useful.

References:

https://gallery.technet.microsoft.com/scriptcenter/Enumerate-status-message-6e7e1761

I was asked by a customer to find the devices with excluded apps in C2R products such as Office 365 Proplus or Microsoft 365 Apps or Office 2019 etc.

When you create a configuration file for C2R products such as office 365 proplus/Microsoft 365 Apps, you can define which app in Microsoft 365 Apps product not to be installed such as Word, Excel, PowerPoint, Publisher, Visio, or Skype. If you don't want Publisher installed with those applications, use the ExcludeApp element to remove it

Following are the allowed values to be used in the configuration for Exclude App element.

• ID="Access"
• ID="Excel"
• ID="Groove"
• ID="Lync"
• ID="OneDrive"
• ID="OneNote"
• ID="Outlook"
• ID="PowerPoint"
• ID="Publisher"
• ID="Teams"
• ID="Word"

Following is the sample configuration file that I have used to deploy Microsoft 365 Apps that have few apps excluded.

<Configuration>
<Add OfficeClientEdition="64" Channel="Monthly">
         <Product ID="O365ProPlusRetail">
             <Language ID="en-us"/>
             <ExcludeApp ID="OneDrive"/>
             <ExcludeApp ID="Groove"/>
             <ExcludeApp ID="Lync"/>
         </Product>
     </Add>
     <Display Level="Standard" AcceptEULA="TRUE"/>
     <Property Name="AUTOACTIVATE" Value="1" />
     <Logging Level="Standard" Path="C:\windows\o365proplus"/>
</Configuration>

Likewise, there will be multiple configuration files created and deployed to end-users based on the requirement, and at one point in time, it is good to have a report to find out the devices with their list of excluded apps.

When you deploy the C2R product using Endpoint Manager tool, there is no built-in report feature to identify what apps are excluded on specific devices.

How do we inventory the devices with excluded apps in Microsoft 365 apps?

Let's start analysing the data that is stored on the endpoint for office/Microsoft 365 apps.

Following the registry key that have the information about the C2R products.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

As you can see, there is a lot more information stored in the registry including O365ProPlusRetail.ExcludedApps

This tells us that, on this device, the 3 apps were excluded (onedrive,groove,lync) that we have used in the configuration file above.

How do we bring this data into Configuration Manager? are there built-in tool or inventory that gather the information?

There are some built-in reports available with information about office 365 products but If you want anything custom as we see now, we must extend the inventory and that can be achieved with a popular tool called RegKeyToMOF.

Detailed Steps:

1. Use RegKeyToMOF to generate configuration.mof and inventory.mof, compile the mof for syntax errors.

2. Import the inventory.mof and configuration.mof

3. Verify the mof changes and also on the SQL Side as well.

3. Deploy the client setting to test device collection.

4. Initiate machine policy cycle on the test device, trigger hardware inventory.

5. Monitor the hardware inventory on the site server and check the SQL results if any data received.

1. Use RegKeyToMOF to generate configuration.mof and inventory.mof:

Download the RegKeyToMOF.exe tool from Technet

On a device that you have installed Office 365 proplus/Microsoft 365 Apps or Office 2019, copy the tool and run the tool to generate a custom MOF file.

Browse to HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\Office\ClickToRun\Configuration

At this point, we can export the configuration.mof, inventory.mof (to import in admin/) using the tool, save the mof files.

The exported mof file contains lot of information and we will need to trim down this to actual requirement.

Following is my configuration.mof and inventory.mof (Trimmed version):

Configuration.mof:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to collect
// 16/10/2018 3:05:03 PM

#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Configuration", NOFAIL)
[DYNPROPS]
Class Configuration
{
[key] string KeyName;
String ProPlus2019RetailExcludedApps;
String O365ProPlusRetailExcludedApps;

};

[DYNPROPS]
Instance of Configuration
{
KeyName="RegKeyToMOF";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|ProPlus2019Retail.ExcludedApps"),Dynamic,Provider("RegPropProv")] ProPlus2019RetailExcludedApps;

[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|O365ProPlusRetail.ExcludedApps"),Dynamic,Provider("RegPropProv")] O365ProPlusRetailExcludedApps;
};

Black font is something that must match as per the registry key where as brown font is something that can be customised at your convivence and must be same.

Inventory.mof:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to report to the server
// 16/10/2018 3:05:03 PM
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Configuration", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("o365ExcludedApps"),SMS_Class_ID("o365ExcludedApps")]
Class Configuration: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String ProPlus2019RetailExcludedApps;
[SMS_Report(TRUE)] String O365ProPlusRetailExcludedApps;
};

Download the mof files from github

If you have added more attributes from the registry, make sure you compile the mof file for any syntax errors.

Compile the mof file using mofcomp.exe filename.mof

Once the mof files are validated, we are now ready to make changes on the SCCM server.

2. Import the inventory.mof and configuration.mof:

Copy the mof files to your CAS/Primary site.

Browse to SCCM installed directory, <Installed Dir>\Program Files\Microsoft Configuration Manager\inboxes\clifiles.src\hinv

Take a backup of configuration.mof before making any changes.

Edit the configuration.mof, go to the last line in the file, copy the content from config.mof (custom code) at the bottom of the file.

Save the changes.

Now open the SCCM console, go to administration, client settings, edit the default client settings, go to hardware inventory

Click on set classes

Click on import, select the inventory.mof file that you have downloaded or created your own.

Click on import.

Make sure you untick the o365, because we don't want these changes to be applied to all devices in default client settings.

This step will help us to import the settings, create a SQL view etc.

Monitor datalder.log on your site for changes.we will now see that, the SQL view and store procedure is created successfully.

By querying select * from v_GS_o365ExcludedApps0, you get empty results.

we will now create new client settings or use existing client setting that you want to deploy to test collection for monitoring the results.

On your new or existing test client settings, edit, click on hardware inventory, set classes and tick o365Excludedapps

We have now completed the changes on the site server.

3. Deploy the client setting to test device collection.

4. Initiate machine policy cycle on the test device, trigger hardware inventory.

we will move on to the client and initiate machine policy cycle for client to receive these changes, initiate hardware inventory.

Initiate hardware inventory and monitor the log InventoryAgent.log

Collection: Namespace = \\.\root\cimv2; Query = SELECT __CLASS, __PATH, __RELPATH, KeyName, O365ProPlusRetailExcludedApps, ProPlus2019RetailExcludedApps, VisioPro2019RetailExcludedApps FROM Configuration; Timeout = 600 secs.

we will now move to SQL database and run the query to test the results.

select sys.Netbios_Name0,
  exc.O365ProPlusRetailExcludedApp0,
  exc.ProPlus2019RetailExcludedApp0
  from [v_GS_o365ExcludedApps0] exc
  inner join v_R_System_Valid sys
  on sys.ResourceID=exc.ResourceID

we have now successfully gathered the required data using the custom inventory report.

For more information about:

Overview of Office Deployment Tool, please refer https://docs.microsoft.com/en-us/deployoffice/overview-office-deployment-tool

Office deployment tool configuration options, please refer https://docs.microsoft.com/en-us/deployoffice/office-deployment-tool-configuration-options

Hope you find this post useful.

Microsoft has released another update rollup (KB4575790) to fix client setup content download issue from CMG distribution point.

The following listed issues and the rollup update is available in updates and servicing node only if you have installed the recently released update rollup KB 4578605 for Configuration Manager 2006 build.

If you have not installed KB 4578605, then you will not see this update in the updates and servicing console.

Issues:

1. If you have configured cloud management gateway along with cloud DP and running the ccmsetup.exe (client installation) , the client will failed to download the client installation file (ccmsetup.cab) from Azure blob storage.

The following is the error code seen from the ccmsetup.log:

[CCMHTTP] ERROR: URL=https://{Azure_blob_storage}:443/content-l0000003/ccmsetup.cab?..., Port=443, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
[CCMHTTP] ERROR INFO: StatusCode=400 StatusText=Authentication information is not given in the correct format. Check the value of Authorization header.

2. If you have clients that ONLY use PKI for authentication, then they also failed to upgrade or install the client.

This occurs if the option Use PKI client certificate (client authentication capability) when available is disabled on the Communication Security tab of Site Properties. Errors resembling the following are recorded in the ccmsetup.log file on the client.

Client is not allowed to use PKI issued certificate or not able to use AAD token or ContentToken thus can not talk in HTTPS.
Failed to download client files by BITS. Error 0x8000ffff

In my case, I did not install the applicable update KB 4578605 hence the update KB4575790 is not visible in the console.

If you have installed the KB 4578605, you will see KB4575790 in updates and servicing node.

This update include site server and client updates.

Once you install the update (if applicable to your site), you don't have to restart the site server and no need to update the console version.

The client patch (.MSP file) contained in this update supersedes the versions that shipped with update rollup KB 4578605 and update KB 4575787. Therefore, only one client upgrade is required.

The client update (.msp) is located in <SCCM Installdir:>\Microsoft Configuration Manager\Client\i386\ClientUpdate

Following screenshot for KB4578605

After you install KB4575790, it will replace KB4578605

Hope you found this article useful.

Microsoft has released update 2010 for Endpoint Manager Configuration Manager , the last build for this year with some great and enhanced features, for a complete list, please refer to https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2010

This build version is currently available for you to install via opt-in method (fast-ring). You can download the script from and run it on your ConfigMgr site. To download the script, refer to https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/checklist-for-installing-update-2010#early-update-ring

With this update 2010, there are a bunch of new features added. This means that, there are also a number of SQL tables/views added which will help us to create some great custom reports to our customers.

Lets see what are the newly added SQL views/tables/functions that we can use for custom reporting.

Following are some of the list which will add value to the business.

For a complete list of SQL views available in Configuration Manager 2010 and what’s new in 2010 compared with its previous build 2006, please refer the documentation available at Github

When a Configuration Manager client is installed and configured to use the software updates agent, it will automatically configured with a local Group Policy setting that specifies the Configuration Manager software update point. The Group Policy setting used is the intranet Microsoft update service location, specified as a Windows Update computer administrative template.

The following snippet shows the local group policy setting for the client that is enabled with software update agent.

GPO:

In case you have a local Group Policy setting that is configured with Microsoft update service location which will always be overwritten by an Active Directory Group Policy setting, and this can result in the Configuration Manager client failing to obtain software updates using Configuration Manager.

Jason has written 2 blogs on GPO and software update management, please read the following.

https://home.memftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
https://home.memftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

It is always recommended to create GPO to disable automatic updates and let the software update patching happens through ConfigMgr. This will help you to do the windows update patching in a controlled way.

So until now, you have a good understanding of the software update management and group policy.

One of my customer recently reached out to me and asking for help to block users doing manual windows update process on their devices.

The reason they want to block all available windows update options is that recently Microsoft released an update (KB4577586 ) to remove Adobe flash from windows.

Removing of the adobe flash will impact their applications (legacy) that use adobe flash.

When I have asked customer to send a screenshot of the windows update setting, it has the following.

As you can see above, 1st option, It already has the automatic updates disabled through GPO so there wont be any automatic windows update process but if you look at the 2nd, user still have option to click on ‘Check online for updates from Microsoft update’ and do windows update.

Configuring the GPO ‘Disable automatic updates’ will only help to disable the automatic update schedule that happens every day night around 3AM or so but it will still leave an option for user to click on ‘Check online for updates from Microsoft update’. This process will initiate the windows update, search, download, install and reboot the device.

In the above screenshot, I have a GPO to turn off automatic updates but user can still trigger the windows update using Check online for updates from Microsoft update.

How do we disable/hide ‘Check online for updates from Microsoft update’?

Create a GPO and configure the following setting.

Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings

Turn off access to all Windows Update features = Enabled

Link the GPO to test OU, test the windows store and update functions before deploying the policy to all production machines.

End-results:

The policy will now hide ‘Check online for updates from Microsoft update’ setting.

There is new registry key that gets created with this setting.

Registry Path:
Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess

Hope it helps!

I was recently helping out a customer who had issues with wsuscontent folder size which was about 330GB. This folder size usually around 5-6GB if you are not using standalone WSUS or 3rd party updates for patching.

This folder primarily stores the information about.

1. Software update end-user license agreement (EULA).

2. Microsoft patches for windows and other products for standalone WSUS.

3. 3rd party updates In case you have integrated the 3rd party patching tool.

The following is the screenshot for the wsuscontent folder size.

When the customer reported about the wsuscontent size is huge, the following questions were raised.

1. Is it standalone or integrated with Configuration Manager? –-> Integrated with ConfigMgr.

2. Are you using any 3rd party patching tool hence the content download is higher?—>There is a 3rd party pathing tool, it is only Microsoft updates.

From the above questions, WSUSContent cannot be larger. The troubleshooting as follows.

1. Open the WSUS console, options, open Automatic Approvals

There was a default automatic approval rule which was enabled with the rule properties.

What does it do? when the WSUS sync runs, the updates that match with update classification that you have selected will be approved, downloaded to the wsuscontent folder.

This is needed only when you use a standalone WSUS server but not with Configuration Manager.

If you have integrated WSUS server with Configuration Manager, you should un-touch the WSUS MMC from the time you do the initial configuration.

By default, when you integrate WSUS with ConfigMgr, this automatic rule is un-selected.

So someone has made the changes unknowingly which causes the content folder to grow bigger.

How do we fix this now?

1. Since WSUS is integrated with ConfigMgr, we can de-select the automatic approval rule, so there won't be any content download thereafter.

2. To clean up the downloaded content on the WSUSContent folder, we will need to decline all the updates in WSUS console (don't worry, this won't impact your ConfigMgr patching or metadata in ConfigMgr console, you are safe doing it) and run the server clean up wizard.

So go ahead and un-tick the default automatic approval rule and click ok.

To decline all approved updates, click on updates, all updates.

For the approval, select approved, and status: any

you should see the list of updates that are approved which are downloaded as well to the wsuscontent folder.

In my case, there are 636 updates approved.

Select all the updates, right-click, and choose decline.

you will be prompted with the following screen, select Yes.

Depending on the number of updates, it may take sometime.

Once the updates are declined, refresh the page.

Now we will need to clean-up the content stored in the folder.

Now, in the console, click on options, select server clean-up wizard

You will be asked with multiple options to clean up but the first one is our fix to remove the downloaded content.

As you can see, we have now cleaned up around 320GB.

Depending on the number of updates, you may see the MMC console crash but don't worry, try it again and you will get succeed. 

You also have scripts available to perform the clean-up without the MMC crash but UI works fine.

Once the clean-up is done, go back and check the size of wsuscontent, it is now 3.7GB which is normal.

Hope you find this post useful.

I had provisioned a windows server 2012 R2 (Yes, it is 2012 R2) and while installing the SCEP client (System Center Endpoint Protection client installation files are picked from current branch 2010), it failed with the following error code.

Setup - Cannot complete the System Center Endpoint Protection installation. An error has prevented the System Center Endpoint Protection setup wizard from completing successfully. Please restart your computer and try again. Error code:0x8004FF91. [8004FF91]

I have tried various command line switches for SCEP client installation but all returned the same error code.

The server was installed with Configuration Manager client 2010 and server is fully patched.

I have also tried removing the configuration manager client, install SCEP. No matter what you do, the SCEP client always fail.

As per the error message, I had rebooted the server and re-rerun the installation but it failed with same error code again.

To troubleshoot further, i looked at the logs located in c:\programdata\microsoft\Micrsoft Security Client\support, found several files in this folder.

EppSetup.log and MSSecurityClient_Setup_4.7.209.0_epp_Install.log reveals the same information that is shown in the UI.

The following is a piece of information that can get it from the log MSSecurityClient_Setup log.

setup CA ERROR  : CryptCATAdminAddCatalog failed with 1062

NIS setup CA ERROR  : InstallNisDriver: InternalInstallCatalog failed with 1603

NIS setup CA INFO   : InstallNisDriver completed with error result 1603

CustomAction InstallDriver returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

CryptCATAdminAddCatalog failed with 1062 –> this leads to the crypto services on the server which is missing.

Open the cmd on the problmatic server and run sc query cryptsvc

The specified service do not exist as an installed service.

How do we get the service running? I have tried registering cryptsvc.dll which is found in C:\windows\system32\cryptsvc.dll but did not help much.

Run sfc /scannow if there are any corrupted files that can fix the issue but nothing help there.

The next trial was to login to server 2012 R2 that had SCEP client and see if the cryptographic service exist or not.

The service was found on a working server. So export the registry key for this specific service and import into the problematic server, reboot it.

The following is the registry of the service.

Export the registry, import into the server, reboot the server.

After login, check if the crypto graphic service exist or not. If available, run the SCEP client installation.

Installation of SCEP client successfully installed and verified that the agent is communicating with Configuration Manager for policies etc.

Hope this helps!

This is quick blog post on how to create device collection for computers that are online and showing the green checkmark.

When a configuration manager client is installed,it will have the following status code indicating the device. For more information about device client status, please refer here

How do we create a collection for clients that are online? 

Collections uses WQL and following is the WQL syntax you can use to create the collection.

we will use wmi class called SMS_CollectionMemberClientBaselineStatus which has the client online status information. This information comes from the client notification that uses BGB/fast channel.

This collection uses sub-selected query.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in
(select resourceid from SMS_CollectionMemberClientBaselineStatus where SMS_CollectionMemberClientBaselineStatus.CNIsOnline = 1)

If your configuration manager is running on 2010, you will have option to preview the results. Click on the play button to see the results before you confirm the changes.

Save the collection and wait for few seconds before the data appear.

Based on the device collection membership, the results get updated.

If you want to create a reports based on the online status, you can refer http://eskonr.com/2016/04/how-to-query-clients-collection-or-ssrs-ssrs-with-online-status-in-sccm-configmgr-1602/

Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. For more information about Co-management, benefits, pre-requisites, licensing, read https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview

When you have windows 10 devices that are Azure AD joined, enrolled to Intune, and also co-managed, these devices would appear in Configuration Manager.

In this blog post, i will show you how to create a collection for Azure AD joined co-managed devices.

When a device is AAD joined and co-managed ( not on-prem domain joined but only the cloud), we will have the tenantID, device ID, domain or group, and other information.

we will use 2 important fields to identify if the device is AAD joined. 1) AADTenantID 2)Resource_Domain_OR_Workgr0

The device should have AADTenantID and should not be in your in domain which means it will be in a workgroup.

we don’t go with workgroup as this is something that can be customizable by the user and can change as per their needs like MyPC etc.

So we will go with the domain. Anything that is AAD and not in the corporate domain (intranet.eskonr) then they fall into the collection.

Create a collection with the following WQL Query using sub selected:

select *  from  SMS_R_System where SMS_R_System.AADTenantID = "4252590E-6F9B-4AA1-AA9F-D7717C111B07" and
SMS_R_System.ResourceId not in (select ResourceID  from  SMS_R_System where SMS_R_System.ResourceDomainORWorkgroup = "INTRANET")

INTRANET is my domain name, if you have multiple domains, you can add so.

Once you paste the query into the query designer, you can click on the play button (green color) to see the list of devices that match with this query.

I have got 1 device that is AAD joined but co-managed.

Hope this helps!