Channel: configmgr – All about Microsoft Endpoint Manager

Audit messages for software update deployments in Configuration Manager


In Microsoft Endpoint Configuration Manager, we use the Monitoring workspace in the console to monitor infrastructure and operations.

One common question in many forums is how to find out who created, modified or deployed something to users or devices that caused an issue.

Whoever deploys something rarely expects it to cause an outage or affect the end-user experience.

When it does, you need to identify who made the change.

In this blog post, we will see how to find who created the assignment (deployment) for a software update group.

For this kind of auditing, there are audit status message IDs that I have blogged about earlier; the Excel spreadsheet is available on GitHub for reference.

If you want to find out who created the assignment for the software update group, there is no built-in way to monitor it in the software update section.

The following is the view of a software update deployment in the console.

As you can see, no user ID is tagged to the deployment.

How do we trace it? There are a few options:

1. Use smsprov.log

2. Use status message queries

3. Use the SQL database

smsprov.log is limited in size, its records are overwritten quickly, and searching it for the right entry is tedious.

That leaves the audit status messages and the SQL database.

We can use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to modify it. For example, you can run the built-in query Collections Created, Modified, or Deleted to identify when a specific collection was created and the user account that created it.

Based on the Excel sheet I shared earlier for status message queries, the following are the status message IDs related to software update deployments (%1 is the user account, %2 the assignment ID and %3 the assignment's unique ID):

30196 User "%1" created updates assignment %2 (%3).
30197 User "%1" modified updates assignment %2 (%3).
30198 User "%1" deleted updates assignment %2 (%3).

Now we will find out who created the deployment targeted to the collection 'All Mobile Devices' on 3/4/21 using the audit status message queries.

Go to the Monitoring workspace, expand System Status and click Status Message Queries.

Open All Audit Status Messages from a Specific Site.

Choose the site and the time when the deployment was created (3/4/21), then click OK.


If your deployment was created days or weeks ago, you can choose up to 1 year.


There were many audit status messages for that period.

We can filter on message ID 30196 to see only the newly created assignments.

Here you will find all the software update deployments that were created.


In the properties section, you will see the following information.

User "INTRANET\eswar.koneti" created updates assignment 16779253 ({65FCC1AD-126D-4D27-991A-F563F8A0CDFE}).

Likewise, if several deployments were created by different users, how do you find the one you are looking for?

Let's go back to the update deployment in the console and note its deployment ID.

In my case, the deployment ID is 16779253.

In the audit status messages, filter with message ID 30196 and description *16779253* to get the exact entry.

We now see who created that specific deployment for the software update group.

How do we find the same data using SQL Server Management Studio against the site database?

Using a SQL query, we need two values to search for: 1) the message ID, which we already know (30196), and 2) the deployment name.

The following is the SQL query to run against the ConfigMgr site database (30196 is the "created" message; use 30197 for modified and 30198 for deleted).

-- Audit status messages for a named software update deployment.
-- InsStrValue4 holds the deployment (assignment) name.
select *
from vStatusMessagesWithStrings
where MessageID = 30196
  and InsStrValue4 like 'Microsoft Software Updates - 2021-03-04 12:54:40 AM'

The SQL query is the simpler way to find the relevant information.
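The same lookup from PowerShell, as an added example that is not part of the original post: it pulls the full created/modified/deleted history (message IDs 30196, 30197 and 30198) of one deployment from vStatusMessagesWithStrings, using a parameterised query so the value you search for is never concatenated into SQL text. The server and database names are placeholders; the mapping of InsStrValue1/2/3 to user, assignment ID and assignment GUID is inferred from the message text shown above and should be confirmed against your own data (InsStrValue4 as the deployment name is what the post uses).

```powershell
# Added example (not from the original post): who created/modified/deleted a software update deployment.
# Assumptions: Windows authentication to the site database; 'CMSQL01' and 'CM_P01' are placeholders.
# Insertion strings, inferred from the message text 'User "%1" created updates assignment %2 (%3)':
#   InsStrValue1 = user, InsStrValue2 = assignment ID, InsStrValue3 = assignment GUID, InsStrValue4 = deployment name.

function Get-CMUpdateDeploymentAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SqlServer,    # e.g. 'CMSQL01' or 'CMSQL01\INST01'
        [Parameter(Mandatory)] [string] $Database,     # e.g. 'CM_P01'
        [Parameter(Mandatory)] [string] $Deployment,   # assignment ID (16779253), assignment GUID, or deployment name pattern
        [int] $Days = 365
    )

    $actions = @{ 30196 = 'created'; 30197 = 'modified'; 30198 = 'deleted' }

    # Parameterised query: the caller-supplied value is passed as @Deployment, not embedded in the SQL text.
    $query = @"
SELECT MessageID, Time, MachineName, Component,
       InsStrValue1 AS UserName, InsStrValue2 AS AssignmentID,
       InsStrValue3 AS AssignmentUniqueID, InsStrValue4 AS DeploymentName
FROM   vStatusMessagesWithStrings
WHERE  MessageID IN (30196, 30197, 30198)
  AND  Time >= DATEADD(day, -@Days, GETDATE())
  AND  (InsStrValue2 = @Deployment OR InsStrValue3 = @Deployment OR InsStrValue4 LIKE @Deployment)
ORDER BY Time
"@

    $conn = New-Object System.Data.SqlClient.SqlConnection
    # Encrypt=True requires the SQL Server certificate to be trusted by this machine.
    $conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=True;Encrypt=True"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        [void]$cmd.Parameters.AddWithValue('@Days', $Days)
        [void]$cmd.Parameters.AddWithValue('@Deployment', $Deployment)

        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                Time               = $reader['Time']
                Action             = $actions[[int]$reader['MessageID']]
                User               = $reader['UserName']
                AssignmentID       = $reader['AssignmentID']
                AssignmentUniqueID = $reader['AssignmentUniqueID']
                DeploymentName     = $reader['DeploymentName']
                SiteServer         = $reader['MachineName']
            }
        }
        $reader.Close()
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (placeholder names): full change history of the deployment discussed in the post
Get-CMUpdateDeploymentAudit -SqlServer 'CMSQL01' -Database 'CM_P01' -Deployment '16779253' |
    Format-Table Time, Action, User, DeploymentName -AutoSize
```

Searching by assignment ID rather than by name avoids the problem the post runs into when several deployments were created on the same day, and keeping all three message IDs in one result shows the modification and deletion trail, not just the creation.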

Hope you find this blog post useful!


Troubleshooting Co-management enrollment issues–hybrid Azure AD join


I was troubleshooting a client issue for co-management and found that the device was not hybrid Azure AD joined.

Hybrid Azure AD join (for on-prem domain-joined devices) is one of the prerequisites for co-management.

To check whether a device is hybrid Azure AD joined, open a command prompt and run dsregcmd /status.

If the device is hybrid Azure AD joined, the output shows AzureAdJoined : YES (this field is YES for both Azure AD joined and hybrid Azure AD joined devices; a hybrid joined device also shows DomainJoined : YES).


On the problematic machine, dsregcmd /status returned no device state data at all.

For more information about configuring hybrid Azure AD join and troubleshooting it, please refer to part 1 and part 2 and the troubleshooting post.

For the device registration process of a hybrid Azure AD join, we usually refer to the event log at Event Viewer > Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin.

Under this path, there were no events related to the device registration process.

Device registration is initiated by the scheduled task Automatic-Device-Join, which runs at system startup under the SYSTEM account.

The task is located under Task Scheduler Library > Microsoft > Windows > Workplace Join > Automatic-Device-Join.

The task was disabled on the system, so the device registration task never ran.

Enable the task and run it (running the task requires local admin rights). If you do not have local admin rights, reboot the system; the task runs automatically under the SYSTEM account at startup.

This task is disabled by default on a Windows 10 workgroup computer and is enabled automatically when the device is joined to a domain. For some reason, the task was not enabled here.

If you want to enable the task on all your Windows 10 computers, you can use a GPO.

There could be many devices with this scheduled task disabled, which blocks co-management enrollment.

How do we identify the devices that have the Automatic-Device-Join task disabled?

In SCCM, we can make use of the Scripts feature, CMPivot or a configuration baseline.

In this blog post, I will discuss two options: 1) configuration baseline and 2) Scripts.

For the configuration baseline, we will use a simple PowerShell script to detect the state of the scheduled task; the same script can also be used with the Scripts feature.

In your SCCM console, create a configuration item and choose the PowerShell script discovery type.

You can also run the same script on targeted computers using the Scripts feature:

# Detection script for the configuration item (and the Scripts feature):
# report whether the Automatic-Device-Join scheduled task is disabled.
$status = (Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue).State
if ($status -eq 'Disabled')
{
    Write-Host "Non-Compliant"
}
else
{
    Write-Host "Compliant"
}

If you use the Scripts feature, running the script on a target computer returns either Compliant (task enabled) or Non-Compliant (task disabled).

I have uploaded an exported copy of the configuration baseline to GitHub.

You can download and import it, then deploy it to your Windows 10 collection to check whether any devices have this task disabled.

Technical preview 2105 released for Configuration Manager


As part of the monthly release cadence for Configuration Manager Technical Preview, version 2105 is now available with features such as an enhanced script editor, VM size selection for the CMG, Support Center themes (dark and light), a new client deployment prerequisite and PowerShell release notes.

You can install this version to update your existing lab and add the new features to your technical preview site.

If you want to set up a technical preview site in a lab, download the baseline version 2103 from https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-endpoint-configuration-manager-technical-preview and set up the site.

Technical preview 2105:

ConfigMgr site version: 5.00.9051.1000

ConfigMgr client version: 5.00.9051.1000

Technical preview 2105 features:

Enhanced code editor: This feature lets you edit scripts in an enhanced editor integrated with the SCCM console. You can use it to view or edit scripts in the following locations:

  • Configuration item
    • Scripts
    • SQL and WQL queries
    • Detection methods
  • Application detection scripts
  • Query statement properties
  • Create script wizard
  • Script properties
  • Orchestration group
    • pre-installation scripts
    • post-installation scripts
  • Task sequence
    • PowerShell scripts
    • Query WMI option

The new code editor supports the following features:

  • Editor mode with syntax highlighting and plain text toggle
  • Toggle word wrap and line numbers
  • Code folding
  • Language selection
  • Find, Find and Replace, and Go To line number
  • Font type and size selection
  • Zoom using buttons or with Ctrl + mouse wheel.
  • The information bar at the bottom displays:
    • Number of lines and characters in the script
    • Cursor position
    • If the script is read-only
  • Persistent settings across instances for the code window, such as code folding, word wrap, and window size.

The following shows the code editor for an application deployment detection method script.

The code editor has different language modes.

VM size for CMG:

You can now select the VM size: B2S (mostly for lab use), A2_V2 as the standard size, or D2_V3 if you want higher specifications.

When you set up a CMG with a virtual machine scale set, the default VM size is Standard (A2_V2), but you can change it during setup.

Support Center tools in dark and light themes:

The Support Center tool in this version comes with two themes in addition to the system default theme.

The installer (SupportCenterInstaller.msi) is available at EasySetupPayload\4c55e125-ec45-459a-b1eb-06e2f9cb791e\SMSSETUP\TOOLS\SupportCenter

The following tools are part of Support Center:

  • Support Center Viewer
  • Support Center OneTrace
  • Support Center Log File Viewer

One Trace:

Log viewer:

New client deployment prerequisite:

Starting with this release, the Configuration Manager client uses Microsoft Visual C++ 2015-2019 Redistributable version 14.28.29914.0, which improves the stability of client operations.

For more information about the full set of technical preview 2105, please read through https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2021/technical-preview-2105

Reporting services – The request failed with HTTP status 503 Service Unavailable


The other day, I powered on my Configuration Manager lab after a long time to test something in reporting and found that the reporting URL did not work.

Browsing to the Reports URL returned HTTP error 503, Service Unavailable.

I verified that the SQL Server Reporting Services service was running, and restarted it as well, but that did not help.

Clearly something was seriously wrong, so I took some time to troubleshoot further.

The first log to check is srsrp.log (the ConfigMgr reporting services point log), located in the ConfigMgr installation directory\Logs folder.

The log has the following errors:

The request failed with HTTP status 503: Service Unavailable.

(!) SRS not detected as running

Failures reported during periodic health check by the SRS Server CMserver.domain.name

I also checked Report Server Configuration Manager; everything seemed to be fine.

The next place to look is the SQL Server Reporting Services log, located in

C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\LogFiles

The log has the following error messages:

configmanager!DefaultDomain!5018!04/04/2021-14:23:28:: e ERROR: Error loading configuration file: The evaluation period for this instance of Microsoft SQL Server Reporting Services has expired.  A license is now required.

appdomainmanager!DefaultDomain!5018!04/04/2021-14:23:28:: e ERROR: Appdomain:1 DefaultDomain failed to initialize. Error: Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The report server has encountered a configuration error.  ---> Microsoft.ReportingServices.Diagnostics.EvaluationCopyExpiredException: The evaluation period for this instance of Microsoft SQL Server Reporting Services has expired.  A license is now required..

As you can see in the log, the evaluation license for SQL Server Reporting Services has expired.

When you install SQL Server Reporting Services, you are asked to choose either the 180-day trial or to enter the SQL Server product key.

If you chose the trial, you will hit the same issue after 180 days.

Now that we know the Reporting Services evaluation period has expired, how do we activate it?

The only way I could find is to rerun the Reporting Services installer.

Run the SQL Server Reporting Services installation wizard (I used 2019); you will see the following options. Choose Upgrade, and you will be asked for the product key to activate it.

Once the installation is complete, wait for Reporting Services to check the license status and rebuild the reports (your default and custom reports are not changed); after some time, the reporting URL will be up and running.
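Rather than discovering the expiry when someone opens a report, the condition can be detected from the SSRS log. The following is an added example, not from the original post: it parses the SSRS log line format shown above and returns every evaluation-expired entry with its timestamp. The log folder is the default path from the post; the sample lines in the self-check are constructed from the quoted entries.

```powershell
# Added example (not from the original post): detect the SSRS evaluation-expired error from the log files.
# Assumption: default SSRS 2017/2019 log folder as quoted in the post; pass -Lines to parse text you already have.

function Test-SsrsEvaluationExpired {
    param(
        [string]   $LogFolder = 'C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\LogFiles',
        [string[]] $Lines       # optional: log lines supplied directly instead of reading the folder
    )
    if (-not $Lines) {
        # Newest three log files are enough; SSRS rolls logs frequently
        $Lines = Get-ChildItem -Path $LogFolder -Filter '*.log' -ErrorAction Stop |
                 Sort-Object LastWriteTime -Descending | Select-Object -First 3 |
                 Get-Content
    }

    # SSRS log line layout: <module>!<appdomain>!<thread>!<MM/dd/yyyy-HH:mm:ss>:: <level> <message>
    $pattern = '^(?<module>\w+)!(?<domain>\w+)!(?<thread>\d+)!(?<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}):: (?<level>\w) (?<msg>.*)$'
    $culture = [System.Globalization.CultureInfo]::InvariantCulture

    foreach ($line in $Lines) {
        if ($line -match $pattern -and
            $Matches.msg -match 'EvaluationCopyExpiredException|evaluation period .* has expired') {
            [pscustomobject]@{
                Timestamp = [datetime]::ParseExact($Matches.ts, 'MM/dd/yyyy-HH:mm:ss', $culture)
                Module    = $Matches.module
                Message   = $Matches.msg
            }
        }
    }
}

# Self-check on constructed lines modelled on the log excerpt in the post
$sample = @(
    'configmanager!DefaultDomain!5018!04/04/2021-14:23:28:: e ERROR: Error loading configuration file: The evaluation period for this instance of Microsoft SQL Server Reporting Services has expired.  A license is now required.',
    'appdomainmanager!DefaultDomain!5018!04/04/2021-14:23:30:: i INFO: Unrelated informational entry.'
)
$hits = @(Test-SsrsEvaluationExpired -Lines $sample)
"$($hits.Count) evaluation-expired error(s) found; earliest at $($hits | Sort-Object Timestamp | Select-Object -First 1 -ExpandProperty Timestamp)"
```

Run without -Lines on the report server itself (the account needs read access to the LogFiles folder); scheduling it alongside the ConfigMgr site's own srsrp.log health check gives you the expiry date instead of a bare 503.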

Hope this helps!

Using Scripts to trigger software updates remotely from the SCCM console


A quick blog post on triggering the installation of software updates (missing, failed or available in Software Center) remotely from the console using the built-in Scripts feature.

If you have deployed software updates to your clients and, during the Windows update compliance check, you find that clients are still reporting as non-compliant (required), there could be several reasons. For more information about software update compliance states, please refer to https://docs.microsoft.com/en-us/mem/configmgr/sum/understand/software-updates-introduction#software-updates-compliance-states

To check whether a client has updates available in Software Center that are waiting for a maintenance window, failed to install or are pending for another reason, and to trigger their installation, we can use the built-in Scripts feature.

The following PowerShell script checks for required updates (Microsoft or third-party) and triggers the installation. Triggering the installation this way ignores the maintenance window ONLY (if you have one) and follows the restart schedule of the assignment.

To create and run a PowerShell script, please follow the guide here, using the following script.

# Updates the client considers required (ComplianceState 0) in the ConfigMgr client SDK namespace
$MissingUpdates = Get-WmiObject -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -Filter 'ComplianceState = 0'

# InstallUpdates expects an array of CCM_SoftwareUpdate object references
$MissingUpdatesReformatted = @($MissingUpdates | ForEach-Object { [WMI]$_.__PATH })

if ($MissingUpdatesReformatted.Count -gt 0)
{
    # Hand the list to the client's update manager; the unary comma keeps the array as one argument
    $InstallReturn = Invoke-WmiMethod -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdatesReformatted)
    Write-Host "Updates found, installation initiated (return value $($InstallReturn.ReturnValue))"
}
else
{
    Write-Host "No updates found"
}

Once the script is created and approved, you can run it on an individual machine or on a device collection.
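Before firing InstallUpdates at a whole collection it is worth knowing what each pending update is actually waiting on: an update stuck in an error state, one waiting for a service window and one pending a restart need different handling. The following is an added example, not from the original post: it maps the EvaluationState values documented for the CCM_SoftwareUpdate client class to names and flags which updates a trigger would sensibly act on (that flag is my suggestion, not a client setting). It runs against the local client, or against objects you pass in; the sample objects are constructed.

```powershell
# Added example (not from the original post): classify pending updates by EvaluationState before triggering them.
# EvaluationState names are those documented for the CCM_SoftwareUpdate client WMI class (root\CCM\ClientSDK).
# Assumption: run on a ConfigMgr client, or pass -Updates with objects collected elsewhere.

$EvaluationStateNames = @{
     0 = 'None';              1 = 'Available';         2 = 'Submitted';         3 = 'Detecting'
     4 = 'PreDownload';       5 = 'Downloading';       6 = 'WaitInstall';       7 = 'Installing'
     8 = 'PendingSoftReboot'; 9 = 'PendingHardReboot'; 10 = 'WaitReboot';      11 = 'Verifying'
    12 = 'InstallComplete';  13 = 'Error';            14 = 'WaitServiceWindow'; 15 = 'WaitUserLogon'
    16 = 'WaitUserLogoff';   17 = 'WaitJobUserLogon'; 18 = 'WaitUserReconnect'; 19 = 'PendingUserLogoff'
    20 = 'PendingUpdate';    21 = 'WaitingRetry';     22 = 'WaitPresModeOff';  23 = 'WaitForOrchestration'
}

# States where calling InstallUpdates is meaningful (my suggestion): not yet started, failed, waiting on a window or a retry.
$TriggerableStates = @(0, 1, 13, 14, 21)

function Get-CMClientUpdateSummary {
    param([object[]] $Updates)
    if (-not $Updates) {
        $Updates = Get-CimInstance -Namespace root\CCM\ClientSDK -ClassName CCM_SoftwareUpdate -Filter 'ComplianceState = 0'
    }
    foreach ($u in $Updates) {
        $stateId = [int]$u.EvaluationState
        $state   = $EvaluationStateNames[$stateId]
        if (-not $state) { $state = "Unknown($stateId)" }
        [pscustomobject]@{
            ArticleID     = $u.ArticleID
            Name          = $u.Name
            State         = $state
            # In the Error state, ErrorCode is the HRESULT of the last attempt; worth reading before a blind retry
            ErrorCode     = if ($stateId -eq 13) { '0x{0:X8}' -f [uint32]$u.ErrorCode } else { $null }
            SafeToTrigger = $TriggerableStates -contains $stateId
        }
    }
}

# Constructed sample: three pending updates in different states
$sample = @(
    [pscustomobject]@{ ArticleID = '5001330'; Name = 'Cumulative Update';  EvaluationState = 14; ErrorCode = 0 },
    [pscustomobject]@{ ArticleID = '5001342'; Name = 'Servicing Stack';    EvaluationState = 13; ErrorCode = 2359302 },
    [pscustomobject]@{ ArticleID = '4589212'; Name = 'Office Update';      EvaluationState = 8;  ErrorCode = 0 }
)
Get-CMClientUpdateSummary -Updates $sample | Format-Table -AutoSize
```

Running this as a Scripts-feature script first (it needs no elevation beyond what the client already has) tells you whether a collection-wide InstallUpdates will do anything useful or merely re-queue updates that are already waiting for a restart.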

Script output:


How to fix duplicate reports with double underscore (__) in Configuration Manager


The other day, I was running ConfigMgr reports in my lab, especially the asset intelligence reports, for some hardware information.

I tried to run the first report, __ Hardware 01A – Summary of computers in a specific collection, and it failed.

The following is the error:

The report server cannot process the report or shared dataset. The shared data source 'AutoGen__5C6358F2_4BB6_4a1b_A16E_8D96795D8602_' for the report server or SharePoint site is not valid. Browse to the server or site and select a shared data source. (rsInvalidDataSourceReference)


Based on the error, the issue is related to the shared data source, and when I checked the data source properties for the report, no value was configured.

The shared data source reference is no longer valid.

To fix this, click Select a shared data source, select {5C6358F2-xxx} and click OK.

Run the report now and it works fine.

Likewise, I ran another report and it had the same issue. This report also starts with a double underscore (__).

So I searched for the first report's name to see whether there were duplicates, and got two entries.

Based on this, I figured out that the reports with a double underscore (__) are duplicates of the originals, which probably happened during the upgrade of the Configuration Manager site to 2103.

Since the site in my lab was upgraded to 2103 followed by the latest hotfix a few months ago, the logs have been overwritten, so I cannot find the root cause.

For now, I need to figure out how many reports are duplicated with a double underscore (__) and get rid of them (delete them).

The following is the SQL query for it. In the ReportServer Catalog table, Type = 2 is a report. In T-SQL LIKE, a bare _ is a single-character wildcard, so [_][_] is used to match a literal double underscore.

Use ReportServer;
-- Reports (Catalog.Type = 2) whose name starts with a literal double underscore
Select ItemID,Path,Name,ParentID,Type,Description,Hidden,CreatedByID,CreationDate,ModifiedByID,ModifiedDate,Parameter
 FROM dbo.Catalog
 WHERE Type = 2
 and Name like '[_][_]%'
 Order by Name


The following is the SQL query to get the list of reports without a double underscore (__), that is, the originals.

Use ReportServer;
-- Reports whose name does not start with a literal double underscore
Select ItemID,Path,Name,ParentID,Type,Description,Hidden,CreatedByID,CreationDate,ModifiedByID,ModifiedDate,Parameter
 FROM dbo.Catalog
 WHERE Type = 2
 and Name not like '[_][_]%'
 Order by Name

Before we delete anything, we can do a quick comparison (VLOOKUP in Excel) of the two lists to confirm that each __ report really is a duplicate of an existing original.

There are 250+ reports with this symptom, and they can be deleted.
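The VLOOKUP step can be done in PowerShell from the rows the two queries return, which also guards against the one case a blanket "delete everything starting with __" would get wrong: a __ report with no original in the same folder. The following is an added example, not from the original post; the catalog rows below are constructed, and in practice you would feed it the output of Invoke-Sqlcmd or a CSV export of the Catalog query.

```powershell
# Added example (not from the original post): pair each "__" report with its original in the same
# SSRS folder and mark only the matched ones for deletion. Input objects need Path and Name
# (the columns returned by the Catalog queries above).

function Get-DuplicateReportPlan {
    param([Parameter(Mandatory)] [object[]] $CatalogRows)

    # Index the originals by folder + name
    $originals = @{}
    foreach ($r in $CatalogRows | Where-Object { $_.Name -notlike '__*' }) {
        $folder = Split-Path -Path $r.Path -Parent
        $originals["$folder|$($r.Name)"] = $r
    }

    foreach ($dup in $CatalogRows | Where-Object { $_.Name -like '__*' }) {
        $folder   = Split-Path -Path $dup.Path -Parent
        $baseName = $dup.Name.Substring(2).TrimStart()   # drop the "__" and any space after it
        $match    = $originals["$folder|$baseName"]
        [pscustomobject]@{
            DuplicatePath = $dup.Path
            OriginalPath  = if ($match) { $match.Path } else { $null }
            Action        = if ($match) { 'Delete' } else { 'Keep - no original found' }
        }
    }
}

# Constructed sample: two duplicates that have originals, one orphan that does not
$rows = @(
    [pscustomobject]@{ Path = '/ConfigMgr_P01/Hardware - General/Hardware 01A - Summary of computers in a specific collection';    Name = 'Hardware 01A - Summary of computers in a specific collection' },
    [pscustomobject]@{ Path = '/ConfigMgr_P01/Hardware - General/__ Hardware 01A - Summary of computers in a specific collection'; Name = '__ Hardware 01A - Summary of computers in a specific collection' },
    [pscustomobject]@{ Path = '/ConfigMgr_P01/Software - Companies and Products/__ Software 01A - Summary of installed software';  Name = '__ Software 01A - Summary of installed software' }
)
Get-DuplicateReportPlan -CatalogRows $rows | Format-Table -AutoSize
```

Only the rows marked Delete should be handed to the deletion script; anything marked Keep deserves a look before it goes, since it may be the only copy.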

Now, how do we remove these duplicate reports? Deleting them one by one, category by category, based on the SQL data?

We can make use of a PowerShell script to delete these reports in one go.

The following is the PowerShell script from the TechNet forum.

#######################################################################################################################
# SCCM2012SP1-RemoveDuplicateSSRSReports.ps1
# This script will connect to SSRS on a specified server and delete all reports that begin with a double underscore
# Used for SSRS cleanup after SCCM 2012 SP1 installation
# Script must be run from an account that has access to modify the SSRS instance
# 2/15/2013 - Mike Laughlin
#
# Resources used in writing this script:
# Starting point: http://stackoverflow.com/questions/9178685/change-datasource-of-ssrs-report-with-powershell
# API Documentation: http://msdn.microsoft.com/en-us/library/ms165967%28v=sql.90%29.aspx
#######################################################################################################################

# Define variables
$SiteCode = ""
$serverName = ""

# Set the value of $noConfirm to $True only if you don't want to manually confirm report deletion. Use with caution.
$noConfirm = $False

# Safeguard
If ( $SiteCode -eq "" -or $serverName -eq "" ) { Write-Host "Enter the required information for the SiteCode and serverName variables before running this script." -ForegroundColor Red -BackgroundColor Black ; Exit }

# Connect to the SSRS SOAP endpoint with the current user's credentials
# (SSRS 2008 R2 and later also expose ReportService2010.asmx with the same ListChildren/DeleteItem methods)
$ssrs = New-WebServiceProxy -Uri "http://$serverName/ReportServer/ReportService2005.asmx?WSDL" -UseDefaultCredential

# Get a recursive listing of everything in the ConfigMgr report folder (reports, folders, data sources)
$reportFolder = "/ConfigMgr_" + $SiteCode
$items = $ssrs.ListChildren($reportFolder, $True)

# Keep only reports whose name starts with a double underscore
# (StartsWith avoids the Substring error on one-character names; @() keeps .Count valid for a single hit)
$reportsToDelete = @($items | Where-Object { $_.Type -eq "Report" -and $_.Name.StartsWith("__") })

# Quit if no reports are found
If ( $reportsToDelete.Count -eq 0 ) { Write-Host "No reports found. Quitting." ; Exit }

# Show a listing of the reports that will be deleted
Write-Host "The following reports will be deleted from SSRS on" $serverName":`n"
$reportsToDelete.Path
Write-Host "`nTotal number of reports to delete:" $reportsToDelete.Count "`n"

# Get confirmation before deleting if $noConfirm has not been changed
If ( $noConfirm -eq $False )
{
    $userConfirmation = Read-Host "Delete these reports from $serverName? Enter Y or N"
    If ( $userConfirmation.ToUpper() -ne "Y" ) { Write-Host "Quitting, reports have not been deleted." ; Exit }
}

# Delete the reports by their full catalog path
$deletedReportCount = 0

Write-Host "Beginning to delete reports now. Please wait."
ForEach ( $report in $reportsToDelete ) { $ssrs.DeleteItem($report.Path) ; $deletedReportCount++ }
Write-Host "Reports have been deleted. Total number of deleted reports:" $deletedReportCount

Hope this helps!

What is new in Configuration Manager 2107 Reporting


Microsoft has released update 2107 for Configuration Manager (current branch), which is now available as an in-console update. You don't need to run the opt-in script.

You can apply this update on sites that run version 2002 or later. If you are running an older version, you first need to update the site to a supported version shown in the console, then update to 2107.

For a list of new features and improvements in Configuration Manager 2107, please read https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2107

Just like any other Configuration Manager release, I always look at what is new from the reporting point of view compared with the previous version (2103).

This build adds some new SQL views and tables, such as user-based applications, extensions and client diagnostics, for custom reporting; it is always good to build your own reports when you don't find what you are looking for.

So what is new in Configuration Manager 2107 for reporting?

The following are the new SQL views.

v_GS_CLIENT_DIAGNOSTICS
v_GS_USER_BASED_APPLICATIONS
v_LifecycleDetectedResourceIdsByGroupName
v_SMS_G_System_ExtensionData
v_SMS_G_User_ExtensionData
vNotificationEventRules

For the full SQL views documentation, covering the data available in this build and in previous builds, please refer to GitHub https://github.com/eskonr/MEMPowered/tree/master/Reports/SQ%20Views

Happy reporting!

What is new in Configuration Manager 2111 Reporting


Microsoft has released version 2111 for Configuration Manager (current branch), which is now available as an in-console update, currently via the opt-in script.

You can apply this update on sites that run version 2006 or later. If you are running an older version, first update the site to a supported version shown in the console, then update to 2111.

For a list of new features and improvements in Configuration Manager 2111, please read https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2111

Just like any other Configuration Manager release, this build brings new features and enhancements, so there are additions on the reporting side too.

In this blog post, I will walk you through what is new in Configuration Manager reporting in the newly released build (2111) and how it can help us create custom reports.

I have uploaded the SQL views documentation to my GitHub repository: https://github.com/eskonr/MEMPowered/tree/master/Reports/SQ%20Views

So what is new in Configuration Manager 2111 for reporting compared with the previous build (2107)?

The following are the newly added SQL views, tables and functions in 2111.

v_ApplicationRequests -> Holds information about application requests from users.
v_UpdateDataForMachine -> Holds the compliance status of updates for devices (required / installed / not required).
vClientCoManagementState -> Makes it easier to report the co-management workloads of devices.
vNotificationSubscriptionEvents -> Holds subscription event information.
vNotificationSubscriptionEventStatus -> Subscription event status.
vSMS_ApplicationGroupItems -> Application group items.
vSMS_AssignedDeviceApplicationGroups -> Application groups assigned to devices.
vSMS_ConsoleExtensionMetadata -> Holds information about console extensions and their status.
vSMS_OrchestrationGroupScript -> Orchestration group scripts.

For the list of SQL views for all Configuration Manager versions, download from https://github.com/eskonr/MEMPowered/tree/master/Reports/SQ%20Views

Happy reporting!


Troubleshooting co-management eligibility devices using scripts feature in SCCM


Intune has a co-management eligibility report (currently in preview) which evaluates which devices can be co-managed. For devices to become co-managed, they must run Windows 10 and be registered with Azure Active Directory.

For the full set of Intune reports, please refer to https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports

The other day, I was looking at Cloud attached devices (preview) in Endpoint Manager for the co-management eligibility report. For more information about the co-management eligibility report, see https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports#co-management-eligibility-report-organizational

In the report's dropdown list, I am only interested in viewing the devices that need an Azure AD join.

Generating the report reveals that a large number of devices need an Azure AD join.

These devices are on-prem domain joined and, for some reason, are not hybrid Azure AD joined.

For on-prem devices to reach co-management, they must first be hybrid Azure AD joined before they enroll in Intune.

So I picked a device from this list and checked its status in the Azure AD portal; its hybrid Azure AD join showed Pending.

I logged on to the machine to check the event logs for further troubleshooting.

On the problem PC, open cmd and run dsregcmd.exe /status; from the output, the device is not hybrid Azure AD joined and AzureAdPrt : NO.

From Event Viewer (Microsoft > Windows > User Device Registration > Admin), I can see the following:

Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c0002
Server error: The verification of the target computer's SID (S-1-5-21-1704617455-1677075968-155068508-164177.2021-11-30 15:38:59Z) signature failed. Device id: (147f3ddd-0c43-45d5-895b-54e8e18e39f9).
Tenant type: Federated
Registration type: fallback_sync
Debug Output:
joinMode: Join
drsInstance: azure
registrationType: fallback_sync
tenantType: Federated
tenantId: d0d068a1-f100-44e9-afeb-cdb37c8f5d07
configLocation: undefined
errorPhase: join
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0

Based on the error, the verification of the target computer's SID signature failed.

For further troubleshooting, step 1: I removed the device from Azure AD, waited for the Azure AD Connect sync (how long depends on the schedule you have configured) and ran the Workplace Join task (Automatic-Device-Join) located in Task Scheduler under Microsoft > Windows > Workplace Join.

This time, the device completed the hybrid Azure AD join, its status appeared in the Azure AD portal, and finally the device became co-managed.

The next step is to fix the remaining devices from the list that are neither hybrid Azure AD joined nor co-managed.

The steps are: 1) remove the devices from the Azure AD portal, 2) run the Automatic-Device-Join task using SCCM (without rebooting the device).

Deleting a device object in Azure AD also removes whatever is stored on that object (BitLocker recovery keys escrowed to Azure AD, for example), so keep the input list scoped to the devices that are stuck in the Pending state.

1) Remove the devices from the Azure AD portal:

Create a PowerShell script from the following code and save the device names, one per line, to Comanageddevices.txt in the same folder.

<#
Description: Delete devices from Azure AD portal
Author: Eswar Koneti
Date: 04-Dec-2021
#>
$scriptpath = $MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath
$date = (Get-Date -f dd-MM-yyyy-hhmmss)
$inputfile = "$dir\Comanageddevices.txt"
$Outfile = "$dir\DevicesStatus.log"

# Check that the MSOnline module is installed before trying to load it
Write-Host "Checking for MSOnline module..."
$Module = Get-Module -Name "MSOnline" -ListAvailable
if (!($Module)) {
    Write-Host
    Write-Host "MSOnline PowerShell module not installed..." -f Red
    Write-Host "Install by running 'Install-Module MSOnline' from an elevated PowerShell prompt" -f Yellow
    Write-Host "Script can't continue..." -f Red
    Write-Host
    exit
}
Import-Module MSOnline

"---------------Script started at $date" | Out-File $Outfile -Append
Connect-MsolService
$devices = Get-Content -Path $inputfile
foreach ($pc in $devices)
{
    $details = Get-MsolDevice -Name $pc -ErrorAction SilentlyContinue
    if ($details)
    {
        try
        {
            # Remove-MsolDevice returns nothing on success and throws on failure, so log after the call
            Remove-MsolDevice -DeviceId $details.DeviceId -Force -ErrorAction Stop
            "Deleted the device $pc from Azure AD" | Out-File $Outfile -Append
        }
        catch
        {
            "Failed to delete the device $pc from Azure AD: $($_.Exception.Message)" | Out-File $Outfile -Append
        }
    }
    else
    {
        "Device $pc not found" | Out-File $Outfile -Append
    }
}
"---------------Script completed at $(Get-Date -f dd-MM-yyyy-hhmmss)" | Out-File $Outfile -Append

2) Run the Workplace Join (device registration) task using the Configuration Manager Scripts feature.

<#
Description: Check if the device is AAD/HAAD joined and has received a PRT; if not, enable and start the registration task.
Author: Eswar Koneti
Date: 04-Dec-2021
#>

# Capture the dsregcmd output in memory rather than writing it to a world-readable file under ProgramData
$status = dsregcmd.exe /status
if ($status -match 'AzureAdPrt\s*:\s*YES')
{
    Write-Output "HAAD"
}
else
{
    Write-Output "Not HAAD"
    $task = Get-ScheduledTask -TaskPath "\Microsoft\Windows\Workplace Join\" -TaskName "Automatic-Device-Join" -ErrorAction SilentlyContinue
    if ($task)
    {
        $task | Enable-ScheduledTask -ErrorAction SilentlyContinue | Out-Null
        $task | Start-ScheduledTask -ErrorAction SilentlyContinue
    }
}
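Both this post and the co-management enrollment post above read a single line out of dsregcmd /status. The following is an added example, not part of the original posts: it parses the whole dsregcmd output into a lookup table so a detection script can reason about AzureAdJoined, DomainJoined and AzureAdPrt together and tell a never-registered domain device apart from one that is registered but has no PRT. Pass -Text to parse output collected elsewhere; the sample below is constructed to mirror the fields quoted on this page.

```powershell
# Added example (not from the original posts): parse dsregcmd /status into a device registration summary.
# Assumption: runs on Windows 10 where dsregcmd.exe is present, or is given captured output via -Text.

function Get-DeviceRegistrationState {
    param([string[]] $Text)
    if (-not $Text) { $Text = dsregcmd.exe /status }

    # Data lines look like "   AzureAdJoined : YES"; section banners (+----, | Device State |) do not match
    $fields = @{}
    foreach ($line in $Text) {
        if ($line -match '^\s*(?<key>[A-Za-z0-9_\-]+)\s*:\s*(?<value>.*?)\s*$') {
            $fields[$Matches.key] = $Matches.value
        }
    }

    $azureJoined  = $fields['AzureAdJoined'] -eq 'YES'
    $domainJoined = $fields['DomainJoined']  -eq 'YES'
    $hasPrt       = $fields['AzureAdPrt']    -eq 'YES'

    $joinType = if ($azureJoined -and $domainJoined) { 'HybridAzureAD' }
                elseif ($azureJoined)                { 'AzureAD' }
                elseif ($domainJoined)               { 'DomainOnly' }
                else                                 { 'None' }

    [pscustomobject]@{
        JoinType = $joinType
        HasPrt   = $hasPrt
        DeviceId = $fields['DeviceId']
        TenantId = $fields['TenantId']
        # The case both posts remediate by running Automatic-Device-Join: domain joined, but no completed
        # hybrid join or no PRT yet
        NeedsHybridJoinRetry = $domainJoined -and -not ($azureJoined -and $hasPrt)
    }
}

# Constructed sample resembling a domain-joined device that has not completed hybrid join
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : NO',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : INTRANET',
    '+----------------------------------------------------------------------+',
    '| SSO State                                                            |',
    '+----------------------------------------------------------------------+',
    '                AzureAdPrt : NO'
)
Get-DeviceRegistrationState -Text $sample
```

Used in the Scripts feature, the NeedsHybridJoinRetry value is the condition under which enabling and starting Automatic-Device-Join makes sense; a device that reports AzureAD with no DomainJoined is a different population and should not be pushed through the hybrid join task.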

Hope you find this article helpful!

Continue Reading

For Azure Active Directory device management FAQ https://docs.microsoft.com/en-us/azure/active-directory/devices/faq#general-faq

Troubleshoot hybrid Azure AD-joined devices https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current

Pending devices in Azure Active Directory https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/pending-devices

SCCM Right click tools–find missing updates of a client


Managing software updates and creating custom reports in ConfigMgr is an ocean: there is so much data you can visualize based on your needs.

One very common requirement is to find the missing/required updates of a device managed by SCCM.

If you have not moved device management, especially Windows updates, to Microsoft Intune and are still on ConfigMgr, then this post is for you.

I have written a couple of blog posts on finding the missing/required updates for a specific device in SCCM; they are listed below for reference.

http://eskonr.com/2016/08/sccm-configmgr-sql-query-to-find-top-x-missing-updates-for-specific-collection-for-specific-update-group/

http://eskonr.com/2015/12/sccm-configmgr-ssrs-report-get-list-of-missing-updates-for-pc-from-specific-software-update-group/

Likewise, you can create many reports, but it is not always convenient when you need to quickly check the required updates for a specific device from within the SCCM console.

I started reading about the creation of custom right-click tools (Neilp, Ryan) and created a custom tool, integrated with the SCCM console, to find the required updates with one click.

When you right-click a device in the console and click Required Updates, you will see a list of all required updates with a few columns.

How to configure/install this right-click tools extension?

Download the files from Github.

Extract the files; you will find required.updates.ps1 and a folder.

Edit Required.updates.xml located in folder ed9dee86-eadd-4ac8-82a1-7234a4646e62

Edit line 19 to point to the location of the PowerShell script. You can copy Required.updates.ps1 to your ConfigMgr admin console location or anywhere you can launch it from later via the console.

image

"G:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\Required.updates.ps1"

I copied it to the admin console install folder (bin).

Now copy the folder (ed9dee86-eadd-4ac8-82a1-7234a4646e62) to the XmlStorage\Extensions\Actions folder.

In my case, the actions folder is in G:\Program Files\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions

Close the SCCM console (in case it is opened already) and launch the console again.

Right-click any device and you will see the Required Updates option; click it to show the missing updates.

You can sort the columns in the grid window by title, superseded, expired and date posted.

Superseded updates appear in orange and expired updates in red. Updates that are both expired and superseded still appear in orange.

I know the information presented in the RCT tool for required updates is limited, and there is scope to add a lot more, such as whether the update is targeted to the device, which SUGs the update is a member of, etc.

Due to the information available in the SMS provider and the complexity of the code, I have put that aside for now.

Limitations of this RCT tool: you may see empty results if the device meets any of the following.

1. The device has no SCCM agent, the agent is not healthy, or the updates scan was not successful.

2. The device is co-managed and the Windows Update workload is shifted to Intune.

In case you are looking for a SQL query to gather the additional information that I could not represent in the RCT solution, it is given below.

The following is the SQL code to get the required updates of a device.

declare @PC nvarchar(255); set @PC='CMCB-CL01'

select ui.Title,
ui.ArticleID as [ArticleID],
UpdateClassification = cls.CategoryInstanceName,
Required = (case when ucs.Status=2 then 'Yes' else 'No' end),
Targeted = (case when ctm.ResourceID is not null then 'Yes' else 'No' end),
ui.InfoURL as InformationURL,
ui.DateLastModified as [Date Posted],
case when ui.IsSuperseded=1 then 'Yes' else 'No' end as Superseded,
case when ui.IsExpired=1 then 'Yes' else 'No' end as Expired
from v_UpdateComplianceStatus ucs
join v_UpdateInfo ui on ui.CI_ID=ucs.CI_ID
left join v_CITargetedMachines ctm on ctm.CI_ID=ucs.CI_ID and ctm.ResourceID=ucs.ResourceID
join v_CICategoryInfo_All vnd on vnd.CI_ID=ui.CI_ID and vnd.CategoryTypeName='Company'
join v_CICategoryInfo_All cls on cls.CI_ID=ui.CI_ID and cls.CategoryTypeName='UpdateClassification'
join dbo.v_R_System vrs on vrs.ResourceID=ucs.ResourceID
where ucs.Status=2 and vrs.Name0=@PC
order by 1
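The right-click tool reads the same data from the SMS provider rather than from SQL. The following PowerShell is an added example, not the blog's Required.updates.ps1, showing how that lookup works against the provider classes SMS_R_System, SMS_UpdateComplianceStatus and SMS_SoftwareUpdate; the provider host, site code and device name are placeholders you replace with your own.

```powershell
# Added example (not the blog's Required.updates.ps1): list the updates a device
# requires, read from the SMS provider (CIM) instead of the SQL views above.
# Placeholders to adjust: provider host, site code and the device name.
param(
    [string]$ProviderHost = 'cm01.contoso.local',   # placeholder SMS provider server
    [string]$SiteCode     = 'CB1',                  # placeholder site code
    [string]$DeviceName   = 'CMCB-CL01'             # device to inspect
)

$ns = "root\sms\site_$SiteCode"

function Get-RequiredUpdate {
    param([string]$Name)

    # Resolve the device name to its ResourceID (escape quotes for the WQL filter).
    $safeName = $Name -replace "'", "''"
    $res = Get-CimInstance -ComputerName $ProviderHost -Namespace $ns -ClassName SMS_R_System `
        -Filter "Name='$safeName'" | Select-Object -First 1
    if (-not $res) { throw "Device '$Name' not found in site $SiteCode" }

    # SMS_UpdateComplianceStatus.Status: 0 = unknown, 1 = not required,
    # 2 = required, 3 = installed. Only the required ones are of interest here.
    $required = Get-CimInstance -ComputerName $ProviderHost -Namespace $ns `
        -ClassName SMS_UpdateComplianceStatus `
        -Filter "ResourceID=$($res.ResourceID) AND Status=2"

    foreach ($r in $required) {
        $u = Get-CimInstance -ComputerName $ProviderHost -Namespace $ns -ClassName SMS_SoftwareUpdate `
            -Filter "CI_ID=$($r.CI_ID)"
        if (-not $u) { continue }

        # Same precedence as the tool's colours: superseded wins over expired.
        $state = if ($u.IsSuperseded) { 'Superseded' } elseif ($u.IsExpired) { 'Expired' } else { 'Current' }

        [pscustomobject]@{
            Title      = $u.LocalizedDisplayName
            ArticleID  = $u.ArticleID
            State      = $state
            Superseded = [bool]$u.IsSuperseded
            Expired    = [bool]$u.IsExpired
            DatePosted = $u.DatePosted
            InfoURL    = $u.LocalizedInformativeURL
        }
    }
}

Get-RequiredUpdate -Name $DeviceName | Sort-Object Title | Format-Table -AutoSize
```

The account running the script needs read rights on the SMS provider for the site, which is the same RBAC scope the console itself requires; an empty result means either the device has no compliance records yet (no scan) or the caller's role does not see that device.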

   

image

Hope you find this article useful!

SCCM Right Click Tool Managed workloads of co-managed device

Co-management (cloud attach) enables you to manage Windows 10 or later devices simultaneously with both Configuration Manager and Microsoft Intune. For more information about co-management, please refer here.

For a device to be co-managed, one of the prerequisites is that the Windows device must be connected to Azure AD, either hybrid Azure AD joined or Azure AD joined (cloud domain joined).

Currently, co-management supports the following workloads:

Let's assume you have enabled cloud attach (co-management) and have also moved some of the workloads, such as Windows updates and device compliance policies, to Intune.

The devices will receive the policies and start communicating with Microsoft Intune for the applied workloads.

If you want to know the workloads applied to a specific device for troubleshooting purposes, one way is to look at the device in the Intune console and check the Intune-managed workloads on the overview page.

The other way is to get the co-managed workload ID from the SCCM database and translate the workload ID into a descriptive value, which is blogged by Ben.

Although there is a co-management dashboard view within the SCCM console, it is limited and you cannot click the workloads to drill further into the data.

image

And I cannot find any reports that show the workload information at the device level.

So, if you are co-managed and want to view the workloads applied to a specific device, including whether the device is hybrid Azure AD joined or Azure AD joined and other important information, with a one-click view from the Devices node of the SCCM console, read on.

I have this covered for you in this blog post.

When you right-click a device in the SCCM console, you will see the Co-Mgmt Workloads icon; click it.

image

If the device is co-managed, you will see in the workloads section whether each workload is switched to Intune or remains with ConfigMgr.

image

If the device is not co-managed, you will see a red indicator with the workload status Not Co-Managed. This is something you need to troubleshoot further to get the device into a co-managed state.

image

This tool does not apply to server OS, as co-management applies only to non-server OS (Windows 10 and later).

How to implement the changes?

Download the files (co-managed workloads.zip) from Github.

Extract the files; you will find comanagement.workloads.ps1 and a folder.

Edit Co-mgmt.Workloads.xml located inside folder ed9dee86-eadd-4ac8-82a1-7234a4646e62

Edit line 19 to point to the location of the PowerShell script. You can copy comanagement.workloads.ps1 to your ConfigMgr admin console location or anywhere you have access to.

image

"G:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\Required.updates.ps1"

I copied it to the admin console install folder (bin).

Now, copy the folder (ed9dee86-eadd-4ac8-82a1-7234a4646e62) to XmlStorage\Extensions\Actions folder.

In my case, the actions folder is in G:\Program Files\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions

Close the SCCM console (in case it is opened already) and launch the console again to see the changes.

I hope you find this tool useful for troubleshooting!

If you have any feedback on this tool or would like more device data added to it, please comment below.

How to Add device to collection using task sequence- troubleshooting

I was recently looking for a solution to add a device to an SCCM collection using a task sequence. During the search, I found that Trevor has a blog post on this.

So before using the code in the task sequence, I planned to test it on a client device.

The full code is given below. You will have to change the parameters where needed.

cmd /c powershell.exe -Command "&{$Me = $Env:COMPUTERNAME; Invoke-command -Computername "SCCMSERVERFQDN" -ArgumentList $Me -scriptblock {param($Me)Import-Module ConfigurationManager; cd SITECODE:; $Computer = Get-CMDevice -Name $Me; if ($Computer){Add-CMDeviceCollectionDirectMembershipRule -CollectionID 'COLLECTIONID' -ResourceId $computer.resourceid}}}"

Query to add device to collection

Log in to a client computer that doesn't have the Configuration Manager module installed and open cmd (run as an account that has RBAC permissions to connect to the SCCM server).

Running the query returned the following errors.

The specified module 'ConfigurationManager' was not loaded because no valid module file was found in any module directory.

Cannot find drive. A drive with the name 'CB1' does not exist.

Since I was running the code on a client device, I wanted to see if it works on the SCCM server (locally); I experienced the same error there. Even though the server has the Configuration Manager module installed, for some reason it was not being picked up or identified correctly.

During troubleshooting, I found that the Configuration Manager module path is missing from the PSModulePath system variable.

The fix is given below.

On your SCCM server, open System Properties (or run sysdm.cpl from the Run command).

Open system properties

Click Advanced, then Environment Variables.

Copy the variable value for variable name SMS_ADMIN_UI_PATH.

Now, select PSModulePath and click on edit

Click New and paste the variable value you copied earlier (remove the trailing i386).

G:\Program Files\Microsoft Configuration Manager\AdminConsole\bin

Click OK, OK, OK.

Changes are now saved.

Let's go back to the client PC and run the query again.

This time it executed successfully. I can now use this command in my task sequence to add the device to a specific collection.
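The same operation as a script rather than a one-liner, written here as an added example (not Trevor's command or the blog's own code): it imports the console module by its full path derived from SMS_ADMIN_UI_PATH, so it works whether or not PSModulePath was fixed on the site server, and it is safe to re-run because it checks for an existing direct rule first. The site server FQDN, site code and collection ID are placeholders.

```powershell
# Added example (not from the post): add the running computer to a collection from a
# task sequence step, remoting to the site server where the console module lives.
# Placeholders to adjust: site server FQDN, site code and target collection ID.
param(
    [string]$SiteServer   = 'cm01.contoso.local',   # placeholder SMS provider / site server
    [string]$SiteCode     = 'CB1',                  # placeholder site code
    [string]$CollectionId = 'CB100023',             # placeholder collection ID
    [string]$DeviceName   = $env:COMPUTERNAME
)

$result = Invoke-Command -ComputerName $SiteServer -ArgumentList $SiteCode, $CollectionId, $DeviceName -ScriptBlock {
    param($SiteCode, $CollectionId, $DeviceName)

    # SMS_ADMIN_UI_PATH points at ...\AdminConsole\bin\i386; the module manifest
    # (ConfigurationManager.psd1) sits one level up in ...\AdminConsole\bin.
    $modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
    if (-not (Test-Path $modulePath)) { throw "ConfigMgr console module not found at $modulePath" }
    Import-Module $modulePath -ErrorAction Stop
    Set-Location "$($SiteCode):"

    $device = Get-CMDevice -Name $DeviceName | Select-Object -First 1
    if (-not $device) { return "NotFound: $DeviceName has no device record yet" }

    # Re-running the step must not add a duplicate rule.
    $existing = Get-CMDeviceCollectionDirectMembershipRule -CollectionId $CollectionId `
        -ResourceId $device.ResourceID -ErrorAction SilentlyContinue
    if ($existing) { return "AlreadyMember: $DeviceName" }

    Add-CMDeviceCollectionDirectMembershipRule -CollectionId $CollectionId -ResourceId $device.ResourceID
    return "Added: $DeviceName (ResourceID $($device.ResourceID))"
}

Write-Output $result
# Give the task sequence a non-zero exit code when the device could not be added.
if ($result -like 'NotFound*') { exit 1 }
```

The account the task sequence runs this under still needs the RBAC rights to modify the collection on the site server, exactly as with the original command; the script only removes the dependency on the PSModulePath edit.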

Hope you find this article useful!

SCCM Collections for devices with pending reboot

Long ago, I wrote a blog post on a report for finding devices with a pending reboot; more information is available at https://eskonr.com/2019/01/sccm-report-get-list-of-devices-with-pending-reboot-in-a-collection-with-different-states/

I was recently working on checking the compliance of devices in SCCM for Windows patching, and I could see that software update compliance is not great for various reasons.

Before digging deeper into it, the first thing to check was the pending reboot status of the devices.

In this blog post, I will provide two collections that are useful for identifying devices with a pending reboot.

The following WQL query can be used to create a collection of all devices with a pending reboot.

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
join SMS_CombinedDeviceResources on SMS_CombinedDeviceResources.ResourceID = SMS_R_System.ResourceID
where SMS_CombinedDeviceResources.ClientState != 0

Of all the devices pending a reboot, I want to drill down further to the ones with no user currently logged on.

The following WQL query lists all devices with a pending reboot and no user currently logged on.

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
join SMS_CombinedDeviceResources on SMS_CombinedDeviceResources.ResourceID = SMS_R_System.ResourceID
where SMS_CombinedDeviceResources.ClientState != 0
and SMS_CombinedDeviceResources.CurrentLogonUser is NULL

You can further filter these queries to show only online devices, devices whose last policy request is within 30 days, etc.

Once you have the collection, you can either initiate the pending reboot from the collection using client notification (which inherits the client settings) or schedule a toast notification for device restart.

The following is a sample WQL query that includes multiple sub-selects, such as hardware inventory older than 25 days and last policy request within 25 days.

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where (SMS_R_System.ResourceId in
        (select SMS_R_System.ResourceID from SMS_R_System
         inner join SMS_G_System_WORKSTATION_STATUS on SMS_G_System_WORKSTATION_STATUS.ResourceID = SMS_R_System.ResourceId
         where DATEDIFF(dd, SMS_G_System_WORKSTATION_STATUS.LastHardwareScan, GetDate()) > 25)
       or SMS_R_System.ResourceId not in (select ResourceID from SMS_G_System_WORKSTATION_STATUS))
and SMS_R_System.ResourceId not in
        (select SMS_R_System.ResourceID from SMS_R_System
         inner join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId
         where DATEDIFF(dd, SMS_G_System_CH_ClientSummary.LastPolicyRequest, GetDate()) < 25)
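If you would rather create the two pending-reboot collections from PowerShell than click through the console, the following added example (not part of the post) does it with the console cmdlets, using the two WQL queries given above. The site code, collection names and the limiting collection are placeholders; SMS00001 is the built-in All Systems collection.

```powershell
# Added example (not from the post): create the two pending-reboot collections from
# the blog's WQL with the ConfigMgr console cmdlets. Re-running it is harmless.
# Placeholders to adjust: site code, limiting collection and collection names.
param(
    [string]$SiteCode             = 'CB1',       # placeholder site code
    [string]$LimitingCollectionId = 'SMS00001'   # All Systems (built-in)
)

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1') -ErrorAction Stop
Set-Location "$($SiteCode):"

# First query from the post; the second one adds the no-logged-on-user filter.
$baseQuery = @'
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
join SMS_CombinedDeviceResources on SMS_CombinedDeviceResources.ResourceID = SMS_R_System.ResourceID
where SMS_CombinedDeviceResources.ClientState != 0
'@

$collections = @(
    @{ Name = 'Pending Reboot - All';               Query = $baseQuery }
    @{ Name = 'Pending Reboot - No User Logged On'; Query = "$baseQuery and SMS_CombinedDeviceResources.CurrentLogonUser is NULL" }
)

function New-PendingRebootCollection {
    param([string]$Name, [string]$Wql)

    $col = Get-CMDeviceCollection -Name $Name
    if (-not $col) {
        # RefreshType Both = scheduled full evaluation plus incremental updates.
        $col = New-CMDeviceCollection -Name $Name -LimitingCollectionId $LimitingCollectionId -RefreshType Both
    }

    # Add the query rule only once, so repeated runs do not stack duplicate rules.
    $rule = Get-CMDeviceCollectionQueryMembershipRule -CollectionId $col.CollectionID -RuleName $Name
    if (-not $rule) {
        Add-CMDeviceCollectionQueryMembershipRule -CollectionId $col.CollectionID -RuleName $Name -QueryExpression $Wql
    }
    return $col.CollectionID
}

foreach ($c in $collections) {
    $id = New-PendingRebootCollection -Name $c.Name -Wql $c.Query
    Write-Output "$($c.Name): $id"
}
```

Keep in mind that ClientState comes from the client's last status upload, so a device that has not reported recently can linger in the collection; that is why filtering on last policy request, as mentioned above, is worth adding before you push restarts to the collection.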

image

I hope you will find these queries useful in day to day operations.

How to deploy Microsoft Store apps (offline) using Microsoft Endpoint Manager

Microsoft Endpoint Manager (ConfigMgr & Intune) allows us to configure and deploy Microsoft Store apps. For more information, please read the ConfigMgr and Intune documentation.

In a recent engagement with a customer, there was a need to deploy a Microsoft Store app (offline) using Configuration Manager, as there is no integration with Store for Business.

  • Online: This license type requires users and devices to connect to the store to get an app and its license. Devices running Windows 10 or later should be Azure Active Directory (Azure AD)-joined or hybrid Azure AD-joined. They can also be Azure AD-registered.
  • Offline: This type lets you cache apps and licenses to deploy directly within your on-premises network. Devices don't need to connect to the store or have a connection to the internet.

In this blog post, we will see how to deploy Microsoft Store apps such as Microsoft To Do, or any other store app, without integrating Store for Business with ConfigMgr and without the device being managed by Intune.

This scenario is useful if your ConfigMgr is not integrated with Store for Business or your devices are not managed by Intune (standalone or co-managed).

Please note that Microsoft Store for Business will be retiring in the first quarter of 2023.

We can install store apps using the PowerShell command Add-AppxProvisionedPackage, but how do we get the store apps for offline deployment?

You need access to the Windows Store for Business to download the apps for offline installation.

In this blog post, we will see how to deploy Microsoft To Do using ConfigMgr (no Store for Business integration).

Login to Store for business https://businessstore.microsoft.com/en-us/login with purchaser or admin role.

Click Search the store for the specific app. In my case, I will search for Microsoft To Do.

image

Select the app

image

In the drop-down, select Offline. For some apps the offline option is not available, so you can only do online deployment for those apps.

image

Click Get the app.

image

Thank you

image

Now click on Manage

image

You will be directed to the download page; change the architecture and download the files.

image

We are at the final page to download the package for offline use; then we will use a PowerShell script to deploy it with ConfigMgr application deployment.

Download the package, the license (unencoded XML file) and the required frameworks.

The download contains 4 appx files, 1 xml file (the license) and 1 appxbundle file.

image

We will now use the PowerShell command Add-AppxProvisionedPackage to install the package frameworks followed by the main application.

The PowerShell script is available in Github. Replace the xml file and the appxbundle file with the ones you downloaded from the store.

The following is the detection logic to verify the presence of the application.

if ((Get-AppxPackage -AllUsers | Where-Object Name -like 'Microsoft.Todos' | Select-Object Name).Name)
{
    # Any output on stdout with exit code 0 tells ConfigMgr the app is installed.
    Write-Host "installed"
}
else
{
    # No output: ConfigMgr treats the app as not installed.
}

You can now create an application in Configuration Manager with this detection logic and deploy it to computers or users. You can also use the same method by creating a Win32 app for Intune.
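The install side of the package, as an added example that is not the script from the blog's Github: it provisions the .appxbundle together with its license file and the dependency .appx files in one Add-AppxProvisionedPackage call and then confirms the package is provisioned, so the ConfigMgr install command gets a meaningful exit code. It expects the downloaded files to sit next to the script; the package name Microsoft.Todos is the one used by the detection logic above.

```powershell
# Added example (not the blog's install script): install an offline Store for Business
# package (bundle + license + framework dependencies) as a ConfigMgr application's
# install command. The downloaded files are expected in the script's own folder.
param(
    [string]$PackageName = 'Microsoft.Todos'   # package identity from the detection logic
)
$ErrorActionPreference = 'Stop'

function Install-OfflineStoreApp {
    param([string]$SourceFolder, [string]$Name)

    $bundle  = Get-ChildItem -Path $SourceFolder -Filter '*.appxbundle' | Select-Object -First 1
    $license = Get-ChildItem -Path $SourceFolder -Filter '*.xml'        | Select-Object -First 1
    $deps    = @(Get-ChildItem -Path $SourceFolder -Filter '*.appx' | Select-Object -ExpandProperty FullName)

    if (-not $bundle -or -not $license) {
        throw "Missing .appxbundle or license .xml in $SourceFolder"
    }

    # Provisioning (rather than Add-AppxPackage) registers the app for every user who
    # logs on afterwards, which is what a device-targeted deployment needs. The license
    # file is what lets the offline package install without contacting the store.
    Add-AppxProvisionedPackage -Online `
        -PackagePath $bundle.FullName `
        -LicensePath $license.FullName `
        -DependencyPackagePath $deps | Out-Null

    # Return the provisioned entry so the caller can confirm the result.
    return Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -eq $Name }
}

$installed = Install-OfflineStoreApp -SourceFolder $PSScriptRoot -Name $PackageName
if ($installed) {
    Write-Output "Provisioned $($installed.DisplayName) $($installed.Version)"
    exit 0
}
Write-Output "Provisioning completed but $PackageName was not found in the provisioned package list"
exit 1
```

Run it as the ConfigMgr install program with `powershell.exe -ExecutionPolicy Bypass -File install.ps1` and pair it with the detection script above; provisioning requires an elevated context, which the ConfigMgr client supplies when the deployment runs as SYSTEM.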

SCCM Software Update installation failed with error code 0x87D00664

I was approached by a customer who had issues deploying the March 2022 Windows 10 cumulative updates.

The error code and screenshot are provided below.

The software updates failed with error code 0x87D00664 (-2016410012).

image

The error code 0x87D00664 translates to ‘Updates handler job was cancelled’.

There could be several reasons why updates fail. In this blog post, we will see how to troubleshoot the issue based on the information available in the client logs.

This is not a one-stop solution for every issue reported with error code 0x87D00664.

Let’s dive into the troubleshooting part.

For software updates troubleshooting, the important log files are listed below.

1. WUAHandler.log: records details about the Windows Update Agent on the client when it searches for software updates.

2. UpdatesHandler.log: records details about software update compliance scanning and the download and installation of software updates on the client.

3. UpdatesDeployment.log: records details about deployments on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface.

So let’s look at each log and understand what is going on.

WUAhandler.log has the following error:

The installation job encountered some failures. Job Result = 0x80240022.

The update ID of the failed patch, taken from the log file, is 6b5fa06e-2bec-411b-a3b0-bfb10bf50240.

image

The error code 0x80240022 translates to ‘Operation failed for all the updates’.

UpdatesHandler.log has some information related to the update ID we are looking for.

Bundle update (6b5fa06e-2bec-411b-a3b0-bfb10bf50240) is requesting download from child updates for action (INSTALL)

IMaintenanceCoordinator::GetTaskState failed because MTC job has not been created yet.

image

No valuable information was found in this log either.

The next log to look at is UpdatesDeployment.log

image

The error code 0x87d00215 translates to ‘Item not found’.

The ‘item not found’ is because the content could not be downloaded from the distribution point before the install executed.

In the same log, I can see more useful information on the content download progress, which is stuck at downloading.

Search for the update ID 6b5fa06e-2bec-411b-a3b0-bfb10bf50240:

Update (Site_E9267BCB-2995-4BF8-8CC8-A8CB5064F44C/SUM_6b5fa06e-2bec-411b-a3b0-bfb10bf50240) Progress: Status = ciStateDetecting, PercentComplete = 0, DownloadSize = 0, Result = 0x0
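Hunting one update ID across the three logs by hand is tedious, so here is an added example (not from the post) that extracts every CMTrace-format entry mentioning the update ID, plus every error-typed entry, from WUAHandler.log, UpdatesHandler.log and UpdatesDeployment.log and pulls out the hex result code. The log lines embedded in it are constructed for this example in the same shape as the entries quoted above; point -LogFolder at C:\Windows\CCM\Logs to run it against a real client.

```powershell
# Added example (not from the post): find a software update's trail across the three
# client logs named above and surface the error codes. Sample lines are constructed.
param(
    [string]$UpdateId  = '6b5fa06e-2bec-411b-a3b0-bfb10bf50240',   # update ID from the post
    [string]$LogFolder = $null                                    # e.g. C:\Windows\CCM\Logs
)

# Constructed sample entries in CMTrace format (type="3" marks an error entry).
$sampleLogs = @{
    'WUAHandler.log' = @(
        '<![LOG[Installation of updates started.]LOG]!><time="10:01:02.123+000" date="03-15-2022" component="WUAHandler" context="" type="1" thread="1234" file="cwuahandler.cpp:1">',
        '<![LOG[Update 1 (6b5fa06e-2bec-411b-a3b0-bfb10bf50240) finished installing (0x80240022), Reboot Required? No]LOG]!><time="10:05:07.456+000" date="03-15-2022" component="WUAHandler" context="" type="3" thread="1234" file="cwuahandler.cpp:2">',
        '<![LOG[The installation job encountered some failures. Job Result = 0x80240022.]LOG]!><time="10:05:07.789+000" date="03-15-2022" component="WUAHandler" context="" type="3" thread="1234" file="cwuahandler.cpp:3">'
    )
    'UpdatesDeployment.log' = @(
        '<![LOG[Update (Site_E9267BCB-2995-4BF8-8CC8-A8CB5064F44C/SUM_6b5fa06e-2bec-411b-a3b0-bfb10bf50240) Progress: Status = ciStateDetecting, PercentComplete = 0, DownloadSize = 0, Result = 0x0]LOG]!><time="09:58:00.000+000" date="03-15-2022" component="UpdatesDeploymentAgent" context="" type="1" thread="5678" file="updatesmanager.cpp:1">',
        '<![LOG[Update (Site_E9267BCB-2995-4BF8-8CC8-A8CB5064F44C/SUM_6b5fa06e-2bec-411b-a3b0-bfb10bf50240) Progress: Status = ciStateError, PercentComplete = 0, DownloadSize = 0, Result = 0x87d00215]LOG]!><time="10:06:00.000+000" date="03-15-2022" component="UpdatesDeploymentAgent" context="" type="3" thread="5678" file="updatesmanager.cpp:2">'
    )
}

# One CMTrace entry per line: message, then time/date/component/type attributes.
$entryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"[^>]*type="(?<type>\d)"'

function Get-UpdateLogEntry {
    param([string]$Id, [hashtable]$Logs)

    foreach ($name in $Logs.Keys) {
        foreach ($line in $Logs[$name]) {
            if ($line -notmatch $entryPattern) { continue }
            $m   = $Matches               # keep this match; the next -match replaces $Matches
            $msg = $m['msg']

            # Keep entries that mention the update ID, plus all error entries, because the
            # job-level failure line does not repeat the ID.
            if (($msg -notmatch [regex]::Escape($Id)) -and ($m['type'] -ne '3')) { continue }

            $code = ''
            if ($msg -match '0x[0-9A-Fa-f]{8}') { $code = $Matches[0].ToLower() }

            [pscustomobject]@{
                Log       = $name
                Timestamp = "$($m['date']) $($m['time'])"
                Component = $m['comp']
                Code      = $code
                Message   = $msg
            }
        }
    }
}

if ($LogFolder) {
    $logs = @{}
    foreach ($n in 'WUAHandler.log', 'UpdatesHandler.log', 'UpdatesDeployment.log') {
        $p = Join-Path $LogFolder $n
        if (Test-Path $p) { $logs[$n] = Get-Content -Path $p }
    }
} else {
    $logs = $sampleLogs
}

Get-UpdateLogEntry -Id $UpdateId -Logs $logs | Sort-Object Timestamp | Format-Table -AutoSize
```

Read the output bottom-up: the last non-zero code before the 0x87D00664 reported in the console is usually the real cause, which in this case was the 0x87d00215 content download failure rather than the installation job itself.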

image

Microsoft has a very nice article on troubleshooting and tracking the software update deployment process: https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/track-software-update-deployment-process

I also reviewed CAS.log and the other content download logs for the download from the distribution point, but I could not find any entries related to the deployed patch.

Now we need to verify whether the content of the patch was distributed to the distribution point or not.

So let’s switch to the SCCM server and verify that the patch is downloaded and successfully distributed to the distribution point, and also verify the presence of the patch in the content library. All of this was verified and looks good.

What could go wrong at this stage? We have verified the client logs and the DP content on the SCCM side, and so far it looks good.

After checking some internal things, I identified that the device has a security component installed (CyberArk Endpoint Privilege Manager) that was blocking the download of the patch, as seen in the EPM logs.

After adjusting some settings in the EPM tool, the client was able to download the patches and install them successfully.

I hope you found this blog useful.


Download ConfigMgr builds while the evalcenter links are fixed

This is a quick post on recent inquiries on various forums such as Twitter, Reddit and the Microsoft forums about downloading the Configuration Manager evaluation build from the Evaluation Center.

If you try to download the Configuration Manager current branch or technical preview from the Evaluation Center using https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview , you are redirected to https://www.microsoft.com/en-us/download and end up seeing the following screen.

image

Currently, the Evaluation Center links for downloading OS and application builds are broken, and Microsoft is working on it.

For those who do not have access to MSDN, VLSC or a Visual Studio subscription to download the media, you can use the following links to download the latest builds of Configuration Manager current branch or technical preview.

ConfigMgr 2203 current branch Eval - https://aka.ms/MECM2203CB-Eval

ConfigMgr 2202 technical preview baseline - https://aka.ms/MECM2202TP-Baseline

Thanks to Yvette O'Meally for arranging the links.

Hope it helps!

Update scan failed due to Group policy settings were overwritten by a higher authority

A few years ago, I blogged about the client update scan failure due to GPOs: https://eskonr.com/2014/10/sccm-configmgr-2012-software-update-scan-error-group-policy-settings-were-overwritten-by-a-higher-authority-error-code-0x87d00692/

Introduction:

When the software update point is configured for a site, client computers receive a machine policy that provides the active software update point server name (WSUS) and configures the ‘Specify intranet Microsoft update service location’ local policy on the client device.

The Windows Update agent retrieves the server name (WSUS) specified in the ‘Set the intranet update service for detecting updates’ setting, and then connects to this server when it scans for software update compliance.

Problem:

I was working on an issue with server clients where the software update scan was failing. I noticed that it was failing on the majority of servers but not on workstations.

For a client to receive the software updates from SCCM, it must first complete a software update scan successfully.

Software update scan details are tracked in WUAHandler.log, located in C:\windows\ccm\logs on the client.

Unable to read existing WUA resultant policy. Error = 0x80070002.

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server  and Policy NOT CONFIGURED

Failed to Add Update Source for WUAgent of type (2) and id ({B9DB41D0-CCA2-4FC4-BC70-5EC97B1FC1A2}). Error = 0x87d00692.

image

Based on the error, the first check is to review the GPOs applied to the device with the help of RSOP.MSC (run as administrator) and gpresult on the local machine.

From RSOP.MSC and gpresult, I could only see the following setting in the Windows Update section, which does not conflict with the GPO. Since these are servers, we prefer to disable automatic updates (on the Windows side).

image

Next, look at the local group policy (gpedit.msc) to see if the SCCM client has set ‘Set the intranet update service for detecting updates’ with the WSUS entries.

I can see two settings configured correctly by the client. These come from the device client settings.

image

Next, look in the registry for any Windows Update entries at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

No WUServer entry was found at that registry location.

I also reviewed registry.pol (c:\windows\system32\grouppolicy\machine\registry.pol); it has the WSUS entries updated correctly.

The next location is the event viewer for GPO entries; I could not find any errors or warnings there either.

During the investigation, I happened to see a GPO applied to the client: ‘Turn off Local Group Policy Objects processing’.

If you enable this policy, the system does not process or apply any local GPOs.

image

The fix:

This GPO setting must be set to either Not Configured or Disabled. Once the configuration is changed, the local GPO that the client configured for WSUS is processed by the client and the update scan completes.

Is there any workaround without making the changes to the GPO?

The SCCM client has already applied the local GPO with the WSUS server name and port number; however, it is never processed because of the GPO block.

I could not find any other methods to get the update scan work without modifying the ‘Turn off Local Group Policy Objects processing’ setting.

Temporary solution: turn this policy off once at the OU level, let the client process the local GPO, and once that is done, revert the GPO. It should be OK as long as the client is not reinstalled. Any new server that is onboarded and gets the client installed will have the same issue again.
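To confirm this condition on a client without clicking through RSOP, gpedit and regedit in turn, the following added example (not from the post) reads the effective WSUS policy values, checks whether the ‘Turn off Local Group Policy Objects processing’ policy is in force, and picks up the last ‘higher authority’ line from WUAHandler.log. The registry location and value name for that policy (DisableLGPOProcessing under HKLM\SOFTWARE\Policies\Microsoft\Windows\System) are assumed from the Windows group policy reference rather than taken from the post.

```powershell
# Added example (not from the post): one-shot check of the WSUS policy state on a
# client. The DisableLGPOProcessing value/location is assumed from the Windows
# group policy reference; WUAHandler.log is the log discussed above.
function Get-WsusPolicyState {
    param([string]$LogPath = 'C:\Windows\CCM\Logs\WUAHandler.log')

    $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey  = "$wuKey\AU"
    $sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

    $wu  = Get-ItemProperty -Path $wuKey  -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path $auKey  -ErrorAction SilentlyContinue
    $sys = Get-ItemProperty -Path $sysKey -ErrorAction SilentlyContinue

    # Last 'overwritten by a higher authority' entry in WUAHandler.log, if present.
    $overwritten = $null
    if (Test-Path $LogPath) {
        $overwritten = Select-String -Path $LogPath -Pattern 'overwritten by a higher authority' |
            Select-Object -Last 1 -ExpandProperty Line
    }

    [pscustomobject]@{
        WUServer               = $wu.WUServer
        WUStatusServer         = $wu.WUStatusServer
        UseWUServer            = $au.UseWUServer
        LocalGpoProcessingOff  = ($sys.DisableLGPOProcessing -eq 1)   # assumed value name
        HigherAuthorityLogLine = $overwritten
    }
}

$state = Get-WsusPolicyState
$state | Format-List

if ($state.LocalGpoProcessingOff) {
    Write-Warning "Local GPO processing is turned off by domain policy; the WSUS settings the ConfigMgr client wrote to the local GPO cannot take effect."
} elseif (-not $state.WUServer) {
    Write-Warning "No WUServer value is present in the policy key; the client has not written or processed its local GPO yet."
}
```

Run it elevated on an affected server and on a healthy workstation and compare: the combination of LocalGpoProcessingOff = True, an empty WUServer and a ‘higher authority’ log line is the signature of the situation described in this post.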

Hope this helps!

Continue reading

Troubleshoot software update management in Configuration Manager

Troubleshoot software update scan failures in Configuration Manager

Right-click installer tools unable to register correctly with SCCM console

I was installing the famous SCCM right-click tools from Recast Software (there are other right-click tools as well) on a freshly installed SCCM site for a customer. The installation went well, but the console doesn’t seem to register the right-click tools, and there is no option when you right-click a collection for tasks such as adding devices to the collection.

image

I looked at the XmlStorage extensions folder; there are over 6500 files there. I closed the console and launched it again to see if that helps; the issue persists.

image

I recall that starting with Configuration Manager 2103, Microsoft enabled a new Console Extensions node, which lets you manage the approval and installation of console extensions.

By default, the ‘Only allow console extensions that are approved for the hierarchy’ setting is enabled.

You can also find the approved console extensions in the Console Extensions node of the Administration pane.

image

As you can see above, the right-click tools are not in the approved state, hence the issue.

How to fix this issue?

1. Disable the setting in the hierarchy settings properties and run the setup once again: copy the tool and run the installer.

2. Download the console extensions from the Community hub.

image

Click on download

image

image

Once the download is successful, go to Administration, Console Extensions; you will see the extension listed there.

image

Select the tool and approve it for installation.

image

Once it is approved for installation, you can install the extensions from the console.

image

image

The console will auto close and update the extensions.

image

Launch the console; you will see the right-click tools in the collection menu and an additional node as well.

image

Hope it helps!

Continue to read

About the Console Extensions node https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/admin-console-extensions#about-the-console-extensions-node

Get console extensions https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/admin-console-extensions#get-console-extensions

https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/import-admin-console-extensions

SCCM CMPivot query success but returns no data–account smsdbuser_ReadOnly does not exist

I was recently working on a CMPivot issue reported by the team.

CMPivot is a ConfigMgr tool that gives you access to the real-time state of the devices in your environment. CMPivot can be used to run a query on all currently connected devices in the target collection and return the results.

The CMPivot query executes successfully, but it doesn't display any results in the CMPivot UI.

Microsoft has a nice troubleshooting guide on the CMPivot https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/cmpivot-tsg

During the investigation, I could see that the CMPivot query is successful and the data is being processed and inserted into the database, but the CMPivot UI is blank.

CMPivot Query is successful.

image

CMPivot query results in the database.

image

Script output:

Next, look at smsprov.log, which reveals the following information.

image

*** [42000][15517][Microsoft][SQL Server Native Client 11.0][SQL Server]Cannot execute as the database principal because the principal "smsdbuser_ReadOnly" does not exist, this type of principal cannot be impersonated, or you do not have permission. : CMPivot_RunQuery

From the log, the account "smsdbuser_ReadOnly" doesn't exist in the SQL database when the CMPivot queries execute.

What is this account used for?

The account ‘smsdbuser_ReadOnly’ is used to read the data from the CMPivotResult table when the CMPivot portal loads the data from the SQL database, which we saw earlier.

Even though the CMPivot data exists in the database, fetching it from the SQL DB into the CMPivot UI requires this account with read permissions.

This account is created automatically by the SCCM site during installation, but for some reason it is missing, which requires some investigation on the SQL side.

To fix this issue, re-create the account and grant it read-only access to the database.
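Before re-creating anything, it is worth confirming the condition from the log against sys.database_principals. The following is an added example (not from the post) that uses Invoke-Sqlcmd from the SqlServer module to check whether smsdbuser_ReadOnly exists in the site database and which database roles it belongs to; the SQL instance and database names are placeholders.

```powershell
# Added example (not from the post): verify the smsdbuser_ReadOnly database user named
# in the smsprov.log error exists in the site database and list its role memberships.
# Requires the SqlServer module (Invoke-Sqlcmd). Instance and database are placeholders.
param(
    [string]$SqlServer = 'cmsql01.contoso.local',   # placeholder SQL instance
    [string]$Database  = 'CM_CB1'                   # placeholder site database
)

function Get-CmDbPrincipalState {
    param([string]$PrincipalName = 'smsdbuser_ReadOnly')

    # $(name) is a sqlcmd variable substituted by Invoke-Sqlcmd -Variable (not SQL string concat).
    $query = @'
SELECT dp.name      AS PrincipalName,
       dp.type_desc AS PrincipalType,
       r.name       AS RoleName
FROM sys.database_principals dp
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals r    ON r.principal_id = rm.role_principal_id
WHERE dp.name = $(name);
'@
    $rows = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query `
        -Variable "name='$PrincipalName'"

    if (-not $rows) {
        return [pscustomobject]@{ Principal = $PrincipalName; Exists = $false; Type = $null; Roles = @() }
    }

    [pscustomobject]@{
        Principal = $PrincipalName
        Exists    = $true
        Type      = @($rows)[0].PrincipalType
        # A user with no role membership comes back as one row with a NULL RoleName.
        Roles     = @($rows | ForEach-Object { $_.RoleName } | Where-Object { $_ -isnot [DBNull] })
    }
}

$state = Get-CmDbPrincipalState
$state | Format-List

if (-not $state.Exists) {
    Write-Warning "$($state.Principal) is missing from $Database; CMPivot_RunQuery cannot impersonate it, which matches the smsprov.log error above."
} elseif ($state.Roles.Count -eq 0) {
    Write-Warning "$($state.Principal) exists but belongs to no database role, so it may still lack read access."
}
```

The account you run this with only needs VIEW DEFINITION on the site database, which is far less than what re-creating the principal requires; keep the fix itself to a change-controlled SQL session on the site database.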

image

Read more about CMPivot

https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/cmpivot

https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/cmpivot-tsg

Investigating SCCM Client Policy Request and Communication Status with a Collection Specific Report

Introduction:

As an SCCM/ConfigMgr administrator, one of your key responsibilities is to ensure the health of SCCM clients for tasks like application deployment, software updates, and inventory management.

Oftentimes, you may encounter situations where you need to identify computers that haven't contacted the server in a specific number of days or determine the clients with outdated policy requests or communication gaps.

This blog post aims to guide you on creating an SSRS report to present this information, allowing for easier troubleshooting and maintenance of SCCM clients.

Retrieving Client Activity Information:

In the Configuration Manager (ConfigMgr) console, you can view and monitor various client activities. These include policy requests, heartbeat DDR (Discovery Data Record), hardware scans, and the management point, as shown in the picture below.

image

To begin, we need to retrieve the client activity information from the SQL database. The data is stored in a view called vWorkstationStatus, which can be joined with the collection views to obtain the desired results. Below is a SQL query that retrieves clients whose LastPolicyRequest is more than 25 days old, filtered by a specific collection.

Use this SQL query if you want to build a PowerShell grid view instead of an SSRS report. (It is filtered to clients in the given collection whose LastPolicyRequest is more than 25 days old.)

SELECT ws.Name, ws.UserName, ws.LastMPServerName,
CONVERT(varchar(26), ws.CreationDate, 100) AS CreationDate,
CONVERT(varchar(26), ws.LastDDR, 100) AS LastDDR,
CONVERT(varchar(26), ws.LastPolicyRequest, 100) AS LastPolicyRequest,
CONVERT(varchar(26), ws.LastHardwareScan, 100) AS LastHardwareScan,
ws.SystemRole,
DATEDIFF(DAY, ws.LastPolicyRequest, GETDATE()) AS 'Days Since Last Communication'
FROM vWorkstationStatus ws
JOIN dbo.v_FullCollectionMembership vfcm ON vfcm.ResourceID = ws.ResourceID
JOIN dbo.v_Collection vc ON vc.CollectionID = vfcm.CollectionID
WHERE vc.Name = 'Your collection Name'
GROUP BY ws.Name, ws.UserName, ws.CreationDate, ws.LastMPServerName, ws.LastDDR,
ws.LastPolicyRequest, ws.LastHardwareScan, ws.SystemRole
HAVING DATEDIFF(dd, MAX(ws.LastPolicyRequest), GETDATE() - 25) > 0
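The PowerShell grid view mentioned above, as an added example that is not part of the post: it runs the same query with the collection name and the day threshold passed as SQL parameters rather than pasted into the query text, and it goes slightly beyond the SQL above by also returning clients that have never made a policy request (LastPolicyRequest is NULL), which the DATEDIFF filter alone would drop. The SQL instance and database names are placeholders.

```powershell
# Added example (not from the post): the collection / days-since-policy report as a
# parameterized query shown in Out-GridView. Instance and database are placeholders.
param(
    [string]$SqlServer      = 'cmsql01.contoso.local',   # placeholder SQL instance
    [string]$Database       = 'CM_CB1',                  # placeholder site database
    [string]$CollectionName = 'All Systems',
    [int]$Days              = 25
)

function Get-StaleClient {
    param([string]$Collection, [int]$DaysSincePolicy)

    # @collection and @days are real SQL parameters: the collection name is never
    # concatenated into the statement, so a name containing quotes cannot break it.
    $sql = @'
SELECT ws.Name, ws.UserName, ws.LastMPServerName, ws.CreationDate, ws.LastDDR,
       ws.LastPolicyRequest, ws.LastHardwareScan, ws.SystemRole,
       DATEDIFF(DAY, ws.LastPolicyRequest, GETDATE()) AS DaysSinceLastCommunication
FROM vWorkstationStatus ws
JOIN dbo.v_FullCollectionMembership vfcm ON vfcm.ResourceID = ws.ResourceID
JOIN dbo.v_Collection vc ON vc.CollectionID = vfcm.CollectionID
WHERE vc.Name = @collection
  AND (ws.LastPolicyRequest IS NULL OR DATEDIFF(DAY, ws.LastPolicyRequest, GETDATE()) > @days)
ORDER BY ws.LastPolicyRequest;
'@

    # Integrated security: the caller's Windows account needs read access to the site DB.
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlServer;Database=$Database;Integrated Security=True"
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $sql
    [void]$cmd.Parameters.AddWithValue('@collection', $Collection)
    [void]$cmd.Parameters.AddWithValue('@days', $DaysSincePolicy)

    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $table.Load($cmd.ExecuteReader())
    } finally {
        $conn.Dispose()
    }
    return $table
}

$rows = Get-StaleClient -Collection $CollectionName -DaysSincePolicy $Days
$rows |
    Select-Object Name, UserName, LastMPServerName, LastPolicyRequest, LastHardwareScan, DaysSinceLastCommunication |
    Out-GridView -Title "Clients in '$CollectionName' with no policy request for $Days days"
```

Rows with an empty LastPolicyRequest are clients that have a record (for example from AD discovery) but have never talked to a management point; they are usually the first ones to check when chasing client health.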

In the SSRS report, I made two parameters as prompts: 1) Collection Name and 2) Number of days.

Below is how the SSRS report looks.

image

To access the complete SSRS report, download the RDL file from TechNet here. Once downloaded, upload the report to your SSRS Reports folder. Don't forget to update the data source to connect to your SQL database. After making the necessary configurations, run the report to generate the desired results.

Conclusion:

By utilizing SSRS reports in SCCM, you can easily monitor and troubleshoot client communication issues. This blog post has provided you with an SQL query to retrieve client activity information and guided you through the process of creating an SSRS report. With this report, you can efficiently identify clients with outdated policy requests or communication gaps, enabling you to take appropriate actions to maintain the health of your SCCM environment.

Questions appeared on https://social.technet.microsoft.com/Forums/en-US/b9940352-7382-462d-8ef9-8c7a1483a29f/sccm-client-last-communication-report?forum=configmanagerdeployment

https://social.technet.microsoft.com/Forums/office/en-US/5b21299a-d91a-43bd-bae7-dc02c09a8694/how-to-create-a-collection-based-on-days-since-last-communications?forum=configmanagerapps

https://www.reddit.com/r/SCCM/comments/3l67e8/help_with_custom_report/