I did a few blog posts on the client's boundary and boundary groups for configuration manager build versions lower than 2002. In one of the blog posts, I talked about, how to identify the clients that are missing boundaries/boundary groups. For more information, please refer http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

In all these blog posts, you would need to extend the MOF inventory (client settings, hardware inventory) for getting the client boundary group details.

With the release of the configuration manager current branch 2002, you no longer required to extend the MOF. Boundary group information is now available to help you troubleshoot the devices with site assignment/content location issues.

With this release, we can now create a collection for a list of clients that fall into specific boundary groups and also create a collection for a list of clients that are missing the boundary groups.

For the collections, you can refer these blog posts http://eskonr.com/2020/04/how-to-create-a-collection-based-on-boundary-group-for-client-assignment-and-content-troubleshooting/ and https://www.systemcenterdudes.com/sccm-powershell-collection-boundary-groups/

Now, in this blog post, we will see how to create/get a report for you to identify the list of clients from specific collections that are missing the boundaries/boundary groups.

I have created a report for you (this works only with configuration manager 2002 and later and also make sure your clients are upgraded to 2002 client) and is available in GitHub for your download.

Download the report from GitHub, upload it to your SSRS, change the data source, and run the report.

Clients missing boundaries: you need to go back and review your boundaries and boundary groups.

If your clients are running lower than 2002 then you don't see the data in the report because the boundary group info is enabled only in clients 2002 and later.

If your boundaries and boundary groups are configured perfect and all your clients running 2002 and later, you will see the following screen ( Don't look at the title as it has been changed later)

I hope you find the post useful!

The following are the few custom reports created for earlier versions of the configuration manager builds.

http://eskonr.com/2019/12/how-to-find-configmgr-client-boundary-and-boundary-group-details-based-on-boundary-group-caching/

http://eskonr.com/2017/09/sccm-configmgr-report-for-boundary-group-relationships-with-fallback-sites/

http://eskonr.com/2013/12/sccm-2012-ssrs-report-site-servers-and-its-assigned-boundary-information/

http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

For more information about boundary groups, please refer https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_show-boundary

As you already know that, Windows 7 and windows server 2008/R2 has reached their end of support lifecycle on January 14, 2020, however you can purchase the extended security updates (ESU) for windows 7 and server 2008/R2 through volume licensing to make sure these devices are protected. For more information about how to purchase the ESU, refer to this blog.

After you have purchased the ESU, you can install and activate window 7 or server 2008/R2 devices using Configuration Manager task sequence or scripting or by other means. There are multiple posts on the internet on how to install ESU.

In this blog post, we will see how to check the activation status of ESU on windows 7 and server 2008/R2. This monitoring will help you take action on the missing ESU devices to avoid the possible threats.

If you have installed the ESU key on the windows device, the information gets stored in WMI class called ‘SoftwareLicensingProduct’

If you know where does the ESU information stored in WMI, it would be easier for us to use configuration manager to gather data for further analysis.

By default, SCCM clients do not send the information about this class SoftwareLicensingProduct hence if you try to create a collection or query database using this class, you get empty results.

So to check the activation status, we can use 1) Enable the Software_licensing_product in client inventory settings (hardware inventory) 2) Use compliance settings to detect the ESU activation status and 3) script

I DO NOT recommended option 1) because SoftwareLicensingProduct class contains a lot of data that will be collected from all devices along with activation information which will bloat your database.

A simple example is, on your Windows 7, open PowerShell command and run the following syntax to see the data that is available in SoftwareLicensingProduct

Get-WmiObject -query "select * from softwarelicensingproduct"

The above command will generate a lot of data that is not required for us.

What other options do we have without bloating the database? A simple and easier method is compliance settings.

I am not doing step by step guide in this post on how to create the compliance item and compliance baseline then deploy to the collection but I will give you the steps and also the exported baseline configuration for you to import the settings into your configuration manager and deploy it.

Steps required for this:

1. Create a collection for all windows 7 and windows server 2008/R2. You can use this guide to create the collections.

2. Download the configuration baseline file (SCCM Baseline for ESU Activation.zip) from Github. This is a ZIP file which contains 2 baseline policies. After you download, you need to extract it to get .cab files.

3. Go to your configuration manager, configuration baseline, right-click, and import configuration data. Import the .cab file that you download from Github.

You will need to do this task twice because there are 2 baseline files available 1) for windows 7 and 2) for server 2008/R2.

Note: The PowerShell script that I have used in the baseline will check if the device activated with 1 year or 2 year or 3 year ESU key and report as compliant. If any of these ESU key not found, then report as non-compliant. The ESU keys are taken from this blog post. Once you import the baseline policies, you can go to CI and change the script as per your requirement.

4. You can now deploy the baseline policy to the respective collections that you created earlier.

5. Based on the schedule, clients will run through the compliance settings and report the status.

6. Run the reports to identify the list of devices that are still not installed/activated with ESU.

Once you have the data, you can use reports or create a collection for non-compliant devices for further troubleshooting.

Until next blog post!

Recommended articles:

Windows 7 support ended on January 14, 2020

FAQ about Extended Security Updates for Windows 7

I was recently assisting a customer on the implementation of CMG to manage the windows devices over the internet.

Due to COVID-19, majority of the workforce is working from home and these devices connected not connect to the office for several weeks after the implementation of CMG.

Once the CMG and site system roles are installed, clients get the location of the CMG service automatically on the next location request. Clients must be on the intranet to receive the location of the CMG service but in the customer case, users are all working from home and no possibility to bring the devices for CMG aware.

So the alternative option is to reinstall the client on the internet-connected devices with the help of ccmsetup.exe using CMG command-line switches.

How do you install the client on the internet-connected device centrally? Well, the  customer has a different tool that helps to run the command line on all internet-connected devices.

As I mentioned in my previous blog post, you can use the command line to install the client on internet-connected devices but the question is how to get the command line switches will be covered in this blog post.

Following is the command line syntax that I have used to install the client on internet-based clients (I did not use token-based here because the customer has PKI/AAD/Hybrid AAD). For token-based, read here.

"C:\windows\ccmsetup\ccmsetup.exe" /nocrlcheck /mp:https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/6257556037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057556037928694 SMSSiteCode=PS1 AADTENANTID=5004305e-6764-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=3C6a28b2-9d0a-484d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService

When I was assisting the customer to prepare a command-line syntax just like above, I was searching at various places such as Azure portal, app registration, tenant ID, etc. But I have realized that, there is a SQL Table that stores all this information.

On the SCCM database, run the following 1 liner syntax.

select * from proxy_settings

Connectorinfo contains the mp and ccmhostname values.

AADConfig contains the AADTENANTID ,AADCLIENTAPPID and AADRESOURCEURI and  values.

AADTENANTID=Tenant ID

AADCLIENTAPPID=ClientID

AADRESOURCEURI=ResourceURI

Based on the above data, it is now much easier to prepare the command line syntax to install the client over CMG and manage the client from internet.

I hope it helps and thanks for reading!

For more information about client installation parameters and properties in Configuration Manager, please read here

When I talk to my customers about the SCCM Cloud Management Gateway setup, the first question that will be asked is, will there be any cost associated with this service? if so, what will be the cost for X number of clients that will be utilizing the CMG service.

Even though the implementation of CMG doesn't require on-premise infrastructure* but there will be cost associated with this solution every month.

In this blog post, I will provide some information on how to estimate the cost for your infrastructure based on the number of clients that you support using CMG.

Note: The following information provided is for estimation purpose ONLY.

The following are the components (Azure) involved in costing:

1. Virtual Machine—>CMG uses a virtual machine in Azure Cloud Services as a platform as a service (PaaS). The standard VM that it uses is A2 V2 per instance.

2.Outbound data transfer (egress or download)—> The data that flow into the Azure is free. Anything that flows out of the Azure will be charged such as policies, client notifications, content download, inventory reports, status messages, compliance status, etc.

3.Content Storage (egress or download)—>This data includes the content/applications that clients download from the distribution point.

Cost estimation for each Azure component:

1. Virtual Machine:

Let's take an example, you are managing 10000 clients using SCCM, out of which, you expect 5000 clients will use CMG services on internet.

As per the Microsoft recommendation, 1 CMG instance will support up to 6000 simultaneous connections which means you can go with 1 instance but recommended to have 2 for HA. Let's stick with 1 for now for cost.

The cost for 1 instance per month will be around 87.60 (excluding the OS license,Azure Hybrid benefit). If you include the OS license for the Azure VM, the cost will be around 131.40$

The price will vary if you go with reserved instance, but if you go with pay as you go and Azure hybrid benefit, the cost will be around 87.60$.

2.Outbound data transfer (egress or download):

The outbound data transfer includes 2 ways such as client policy polling interval, software update scan, etc, and the other data that flows from CMG to an on-premise site such as inventory reports, status messages, and compliance. There will be an estimation of 100-300MB per client per month from internet-connected.

This again depends on how you configure your client settings. If you have configured the client settings with policy poling internal every 30 min or so, client hardware inventory, every few hours etc then there will be more data generated which will increase the cost.

With default client settings configuration such as 60 min policy polling interval,7 days hardware inventory, 7 days software update scan cycle etc., will estimate of 100MB. The more aggressive client settings will lead to 300MB or even higher.

we will consider 200MB per client per month.

For 5000 clients, The total egress will be 5000*200MB=1TB

The total cost for 1TB per month= 1000GB*0.087(cost per GB based on central US region)=87$

Please note that the first 5GB per month is free is not specific to CMG service but it is for the entire azure tenant where the CMG subscription is located.

3.Content Storage (egress or download):

This is mostly for content download from the cloud DP such as applications, packages for your deployments. We consider about 200GB worth of applications/packages downloaded by your clients in a month.

The cost will be around 200GB*0.087=18$.

If you don't deploy any apps but software updates only, then there is no charge for downloading the software updates from the internet. It is recommended not to distribute the software update content to cloud DP.

If we sum up the cost for 5000 CMG clients for all the CMG services including 1 VM, storage cost, it will be 87.60+87+18=200$ per month.

If you have more than 5000 clients using CMG service, you may have to increase the number of VM Instances to 2 which will add another 87$ and the outbound data transfer cost as well.

If you don't want any surprises in the month-end, you have an option to stop the CMG service when the critical threshold is exceeded.

You can also read the blog post from John about some real world cost for using CMG: https://deploymentresearch.com/real-world-costs-for-using-a-cloud-management-gateway-cmg-with-configmgr/

Thanks for reading the post!

Microsoft released Technical preview 2005 for May 2020. This preview release contain lots of tenant attached features along with some cloud management gateway as well.

This preview version is available only via in-console update. If you want to build a new lab, you need to download the baseline version of tech preview 2002 and then update to 2005. For more information about Technical preview, please read here

I just updated my lab to technical preview 2005 to explore the new tenant attach features.

Technical preview 2005:

Top features:

1. A task sequence launched from boot media or PXE can retrieve content from cloud based sources:Starting in this release, when a task sequence is started from boot media or PXE, if the client is in a boundary group associated with a cloud distribution point or content enabled CMG the task sequence can download content from the cloud based sources.
2. Client install and upgrade on metered connection:Client installation and upgrades can be configured to occur on devices connected to metered networks.
3. Disk encryption options when enabling BitLocker in a task sequence:An admin is now able to select disk encryption level on the "Pre-provision BitLocker" and "Enable BitLocker" task sequence steps.
4. Improvements to cloud management gateway cmdlets
5. Improvements to the content library cleanup tool
6. Microsoft Endpoint Manager tenant attach:CMPivot real-time queries from Microsoft Endpoint Manager admin center
7. Microsoft Endpoint Manager tenant attach:Device timeline in Microsoft Endpoint Manager admin center
8. Microsoft Endpoint Manager tenant attach:Install an application for an uploaded device: An admin can now initiate an application install in real-time for a tenant attached device via the admin center.
9. Microsoft Endpoint Manager tenant attach, Run Scripts from the Microsoft Endpoint Manager admin center:Initiate PowerShell scripts in real-time from the cloud against an individual ConfigMgr managed device and see the script output and status back to the Microsoft Endpoint Manager admin center.
10. Notification for expiration of Azure Active Directory application secret key:You will now be warned with a console notification when the Azure Active Directory application secret key is close to expiring or is expired. This enables administrators to renew the key and prevent impact to cloud attached features.
11. Report setup and upgrade failures to Microsoft:If the setup or update process fails to complete successfully, you can now report the error directly to Microsoft. In the event of a failure, there is a "Report update error to Microsoft" button that walks through an interactive wizard allowing you to provide more information to Microsoft. In Technical Previews, this button is always enabled even when setup completes successfully.
12. VPN boundary type:You can now create a new boundary type to simplify managing VPN clients. All clients that connect through a VPN automatically belong to boundary group(s) associated with this new boundary type.

For full features list and description,please read https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2005

In the next few blog post, i will discuss about the tenant attach and cloud features.

With Configuration Manager technical preview build, a bunch of Tenant attach features were released which will help you to take actions from the devices blade in the Admin center.

One of the coolest feature in this preview release is, we can now initiate an application install in real time for a tenant attached device from the Microsoft Endpoint Management admin center.

What do we need to do to install the application in Realtime from the admin center?

Prerequisites:

You'll need to meet all of the prerequisites for Tenant attach: ConfigMgr client details:

• An environment that's tenant attached with uploaded devices.
• One of the following browsers:
  • Microsoft Edge, version 77 and later
  • Google Chrome
• The user account has been discovered with both Azure Active Directory (Azure AD) user discovery and Active Directory user discovery.
  • Meaning the user account needs to be a synced user object in Azure.

The following prereq are newly added, Inorder to initiate the application install from the admin center.

• Enable the optional feature Approve application requests for users per device. For more information, see Enable optional features from updates.

• At least one application deployed to a device collection with the An administrator must approve a request for this application on the device option set on the deployment. For more information, see Approve applications.
  • User targeted applications or applications without the approval option set don't appear in the application list.

As you can in the application deployment settings, the deployment must be targeted to a device collection with purpose available and check ‘an administrator must approve a request for this application on the device’

You can now review the log for data upload.

When an admin runs an action from Microsoft Endpoint Manager admin center (intune console), the notification request is forwarded to Configuration Manager site, and from the site to the client.

1. Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
2. The next sync time is noted by log entries similar to Next run time will be at approximately: 30/05/2020 16:35:31.
3. For device uploads, look for log entries similar to Batching N records. N is the number of devices uploaded to the cloud.
4. The upload occurs every 15 minutes for changes. Once changes are uploaded, it may take an additional 5 to 10 minutes for client changes to appear in Microsoft Endpoint Manager admin center.

In Technical preview, to install the app, we must right click on the device and choose admin center preview and initiate it from there.

When this feature release in current branch, we can directly open the MEM admin center portal (https://endpoint.microsoft.com) and perform the device actions.

For now, we need to open the admin center from the device tenant attached. From the configuration manager console, right click on tenant attached device, start and choose Admin center preview

If the Admin center preview is grayed out, then the device is not part of the tenant attach collection in co-management settings.

You will be prompted for authentication and you will see the following screen.

Click on applications to see the available apps that are ready to install on the device.

we have published an application to the device collection which can be initiated from the MEM admin center

Now go back to your configuration manager installation directory and open log CMGatewayNotificationWorker.log to see the status of the application install.

When an action is initiated from the Microsoft Endpoint Manager admin center on Configmgr client, CMGatewayNotificationWorker.log processes the request.

You will see the information about sending application request and also create approved request and more details about the request in the log.

Sending AdminService request with URL: https://sg-cmtp01.domain/AdminService/wmi/SMS_ApplicationRequest.CreateApprovedRequest

After a while, if you look at the client appenforce.log, the application installation is completed.

we can now go back to admin center and refresh the page to see the updated status as ‘Installed’.

After some days, if user uninstall the application, the status will be updated in the admin center with status ‘Install requested’ and you will get an option to Retry installation. By clicking on Retry installation, the app will get install on the device.

With this feature, we can now act on the user application deployment request from anywhere with 1 click using mobile without touching the Configuration manager console.

Reference:

https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2005#bkmk_apps

Troubleshooting device actions for Configuration Manager devices from admin center

I was recently troubleshooting the sccm client installation issue on a server that was configured as a distribution point.

Installation of client The client installation setup and process is very simple and straight forward unless you hit issues like this.

When I started looking at the client installation log( ccmsetup.log), I saw the below information in the log.

The client version 5.00.8913.1000 (build 2002) does not match the MP version 5.00.8790.1000 (Build 1910). The client cannot be installed.

ccmsetup failed with error code 0x80004005

The above error code says, there is a management point installed on the server which is not matching the client version that you are trying to install.

Management point and client shared the same binaries for it to operate hence the client version must match.

So, I started looking at the SCCM site system roles and its configured with the role of DP ONLY and no other roles are configured.

But from the IIS and registry, I can see that, there are some entries about Management point as you can see below.

So the question is, where did this management point install from?

I have reached out to the customer and got to know the following information:

The DP server that is having the issue was earlier configured as Management point and distribution and attached to Site P01 (old SCCM).

The customer had planned to install a new sccm site (PS1) and re-use the remote site that was having an issue now as DP for the new site.

The customer had uninstalled the MP and DP roles from the old site but for some reason, the uninstallation of DP or MP could not complete successfully, and later the problem server was installed with DP role from new SCCM site (PS1).

and the old SCCM site (P01) was decommissioned.

We now know the background of the issue and we will see how to fix this issue.

I have tried uninstalling the client completely using ccmsetup.exe /uninstall and also used ccmclean.exe but I could not able to get it working.

When you install configuration manager client, it creates a namespace called Root\CCM and it holds the configuration and policies that govern the operation of the ConfigMgr client and also management point (if the role is installed).

On a device that has the client installed and also MP installed, there will be a wmi instance created inside the namespace root\ccm called CCM_InstalledProduct

There will be 2 MSI products listed inside the WM, 1 for configmgr client, and other one for MP role.

when we try ccmsetup.exe /uninstall, it does the removal of only 1 product that is for configuration manager client but the 2nd product remains there and hence the issue.

To uninstall the management point completely along with configuration manager client (if installed), use the following vb script.

'Uninstall configmgr client and MP if exists
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
'First, find the GUID
strComputer = "."
Set wmiService = GetObject("winmgmts:\\" & strComputer & "\root\ccm")
Set wmiObjs = wmiService.InstancesOf("CCM_InstalledProduct")
For Each wmiObj In wmiObjs
     cmdLine = "msiexec /x " & wmiObj.ProductCode
     WScript.Echo cmdLine
     WshShell.Run cmdLine
Next

save the script as removeMP.vbs and run it on the problem server using administrative rights.

After the script run successfully, a reboot will be prompted (mandatory).

Reboot the server and install the configuration manager client. This time it installed successfully and able to communicate with new sccm site (PS1).

Hope this helps!

Microsoft has released Configuration Manager Technical Preview version 2006 with a lot of cloud features. For more information about the features of this preview release, please refer https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2006

This Technical preview version is not a baseline version and can be installed only from the in-console update. If you are building a new site, please install the baseline version (tech preview) 2002 and update it to 2006 using in-console.

This technical preview version focused more on cloud-related feature.One of the most waiting features of CMG is, to allow intranet clients to scan against CMG software update point when you configure the boundary groups.

Until now, in all the preview technical preview features and also in the current branch build, all the client (on-prem) traffic can be routed via CMG except the software update scan which is now possible using a technical preview build 2006.

The following are the 2 scenarios in which you can configure the boundary groups to allow intranet clients to scan against CMG software update point.

· When an internet machine connects to the VPN, it will continue scanning against the CMG software update point over the internet.

· If the only software update point for the boundary group is the CMG software update point, then all intranet and internet devices will scan against it

How to test this feature to allow intranet clients to scan against CMG SUP?

Create boundaries and boundary groups for your VPN clients. In my lab, i use my intranet client as VPN boundary.

Boundary group:

Go to properties of the VPN boundary group and click on references:

Add the CMG here (pls note that, am using 3rd party cert in my lab, hence there is no cloudapp.net).

My lab has only 1 SUP so i configured it to support both intranet and internet based clients.

The following setting is applicable in scenario, If the only software update point for the boundary group is the CMG software update point, then all intranet and internet devices will scan against it.

If you have dedicated SUP for internet-based clients then you can choose ‘Allow Internet-only client connections’ for your VPN clients. So when an internet machine connects to the VPN, it will continue scanning against the CMG software update point over the internet.

In the relationships tab, leave it blank. There is no need to configure any fallback.

In the options tab (for downloads), configure the ‘prefer cloud based sources over on-premise sources’.

Now login to the client (win10- connected to on-prem ) and restart the SMS agent host service for a quick test or refresh the machine policy cycle.

From the configuration manager applet, run software update scan cycle and monitor wuahandler.log and locationservices.log

Locationservices.log

wuahandler.log:

As you can see, client is connected to intranet but the software update scan is scanning against the CMG software update point.

Following is the SQL code that will help you to identify the clients connecting to CMG software update point.

select uss.LastScanPackageLocation [Scan Location],
count(*) Total
from v_UpdateScanStatus uss
group by uss.LastScanPackageLocation

This is great feature to route all the traffic via internet.

Hope to see this feature in the next version of production build.

With COVID-19 around the globe, the organizations who are using Configuration Manager have shown much interest in Cloud Management Gateway.

Cloud Management Gateway helps you to manage the clients on the internet. For more information on how to setup CMG, please refer https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/setup-cloud-management-gateway

A customer who recently deployed Cloud management gateway, wanted to monitor the software update compliance for the CMG connected devices ONLY.

As these CMG devices are on internet and focus for patch compliance status is always have high visibility from the management prospective.

I know that there are several default software update compliance reports available and i also posted some custom reports on software update compliance but knowing the compliance status only for CMG connected devices is something that is not availabel unless you crate a collection for CMG connected devices and run the deault or custom compliance reports.

So lets start how to get a compliance report for CMG connected devices.

When I first started creating the SQL code for compliance reports for CMG connected devices, I started searching for the SQL view’s that has the information about the CMG info.

As usual, I looked at the SQL views documentation to find the right SQL views for this requirement and have found BGB_ResStatus .

So doing a simple query select top 10 * from BGB_ResStatus reveals the following information.

This information is coming from a fast channel (BGB) from the client. If you want to know more information about fast channel communication in the configuration manager, please refer to this post

To create a collection or identify devices that are connected to CMG, we can do so by adding the new attribute value to the device collection and search for the value ccm_proxy_mutual

Or follow this post to create a collection or report for CMG connected devices.

The SCCM client automatically determines whether it's on the intranet or the internet. If the client can resolve a domain controller or an on-premises management point, it sets its connection type to Currently intranet. Otherwise, it switches to Currently Internet and uses the location of the CMG service to communicate with the site.

When the client switches to the internet and select the CMG service for communication, the client management point information can be seen in the console and the database as something like http://CMG servicename/CCM_Proxy_Mutualauth/ and this will be recorded into AccessMP.

Until the client connects to the on-premise network, the ACCESSMP holds the CMG service name.

The following are the SQL views that I will use to create the software update compliance report for CMG connected devices.

v_Update_ComplianceStatusAll

v_r_system

v_FullCollectionMembership

v_AuthListInfo

BGB_ResStatus

Based on the above data, I have created 2 reports

Summary of the compliance status for the CMG connected devices

List of clients with specific software update compliance status for the update group.

2^nd report is linked to the first report and the parameters are hidden for the 2^nd report, so you will have to run the first report to go to 2^nd report.

1. Summary of the compliance status for the CMG connected devices

To see the list of required or unknown clients, click on the link (blue icon).

Since Technet is going offline very soon, I have uploaded the reports into my Github account. Download the report, upload it to your SSRS folder, change the data source, and run it.

Make sure you upload the reports into the same folder and do not change the 2^nd report name as it is linked to the first report.

Happy patching!

Another month pass by and Microsoft released Technical preview for Configuration Manager 2010. These technical previews will be released every month and is for lab purpose ONLY.

For more information about the technical preview and how to use it, please refer https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/technical-preview

The active baseline version as of today for technical preview is 2007 and this can be downloaded from Evaluation Center.

Following are the new features in Technical preview 2010.

Deploy a task sequence to a user as an app model deployment type

Starting in the release, you can now deploy a non-OS deployment task sequence to a user-based collection when you add a task sequence deployment type to an application either to install or uninstall the app.

To create Create a task sequence for non-OS deployments, please refer https://docs.microsoft.com/en-us/mem/configmgr/osd/deploy-use/create-a-task-sequence-for-non-operating-system-deployments

You can’t deploy an app task sequence to user collection and is known issue. For more information, please refer https://docs.microsoft.com/en-us/mem/configmgr/apps/get-started/creating-windows-applications#bkmk_tsdt

Enable user proxy for software update scans

Beginning with the September 2020 cumulative update, HTTP-based WSUS servers will be secure by default. A client scanning for updates against an HTTP-based WSUS will no longer be allowed to leverage a user proxy by default. If you still require a user proxy despite the security trade-offs, a new software updates client setting is available to allow these connections. Learn more about the September 2020 changes to improve security for Windows devices scanning WSUS.

Improvements to scenario health

With scenario health, you can now monitor the health of the channel used for client actions. If you've onboarded to cloud management. This improvement helps to surface potential issues with client actions from Microsoft Endpoint Manager admin Center. This monitoring can also be used for on-premises client actions such as CMPivot, Run scripts, and waking up machines.

Run this action from \Monitoring\Overview\Scenario Health

Shortcut to status messages

You now have an easier way to view status messages for the deployment, content, device and user objects.

Following are the objects that you can select:

• Devices
• Users
• Content
• Deployments
  • Monitoring workspace
    • Phased deployments (select Show Deployments from the Phased Deployments node)
  • Deployments tab in the details pane for:
    • Packages
    • Task sequences

Right click on the selected object, Choose ‘Show Status Messages’ from the ribbon for a selected object.

Support for Windows 10 Enterprise LTSC on Desktop Analytics

The long-term servicing channel (LTSC) was designed for Windows 10 devices and use cases where the key requirement is that functionality and features don’t change over time. The LTSC servicing model prevents Windows 10 Enterprise LTSC devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. For customers that want to shift from LTSC to the semi-annual servicing channel to have access to new features, services, and other major changes, Desktop Analytics now supports enrolling and evaluating LTSC devices in your deployment plans.

Syntax highlighting for scripting languages in the Configuration Manager console

To assist you when creating scripts and queries in the Configuration Manager console, you will now see syntax highlighting. Supported languages include PowerShell, JavaScript/JScript, VBScript and SQL/WQL.

Defender App Control policy supports Windows Server 2016+ clients now

Configuration Manager to-date has supported Defender App Control policies for Windows 10 clients. We're extending this support to include Windows Server 2016+ endpoints.

Technical preview 2010 build installation:

Monitor the content download status from dmpdownloader.log

Once the content is download and is ready to install, install the update.

Site version: 500.9032.1000

Client version:5.00.9032.1000

Happy testing the preview build.

I was recently assisting a customer on the Configuration Manager upgrade and after the upgrade is done, we need to upgrade the console on endpoint devices to the latest version.

When you install/update your configuration manager site, there will be a change in the console version which needs to be updated on all your endpoints that have the console installed.

If your site is running a new version of Configuration Manager build but your users are at lower version, users will be prompted to install the new console version, next time when they launch the console but it has the following prerequisites to install the console:

§ You have local Administrator rights on the target computer for the console.

§ You have read permissions to the location of the Configuration Manager console installation files.

we follow the standard method by creating a collection that identifies the devices running a lower version of the console, create an application using the admin console files and deploy it silently to upgrade the console.

To create a collection (device), use the following WQL Query:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where (SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Endpoint Configuration Manager Console" or SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "System Center Configuration Manager Console")
and SMS_G_System_ADD_REMOVE_PROGRAMS.Version < "5.2006.1024.1000"

Replace the console version that matches your site.

Now, we will create an application using the latest admin console setup files and deploy it to the collection.

Grab the following files from <Configuration Manager installation media>\SMSSETUP\BIN\I386 and copy them to a source folder.

• ConsoleSetup.exe
• AdminConsole.msi
• ConfigMgr.AC_Extension.i386.cab
• ConfigMgr.AC_Extension.amd64.cab

On the source folder where you placed the above files, create a batch script and use the following silent installation command line switch.

ConsoleSetup.exe /q TargetDir="%ProgramFiles%\ConfigMgr Console" DefaultSiteServerName=SG-CM01.intranet.eskonr

Replace the siteservername

Create an application with deployment type as script and use the following detection method.

Detection method:

Type: File system

Type: File

Path:%ProgramFiles(x86)%\Microsoft Configuration Manager\AdminConsole\bin

File or folder: Microsoft.ConfigurationManagement.exe

Value:5.2006.1024.1000

Replace the value that matches your site server console version.

Deploy the application to the collection that we created initially.

Monitor the deployment using built-in reports/in-console or your custom reports.

Following is the SQL query to find the count of devices with configuration manager console versions.

select arp.DisplayName0,arp.Version0,count(*) Total From v_Add_Remove_Programs arp
where arp.DisplayName0 like 'Microsoft Endpoint Configuration Manager Console'
or arp.DisplayName0 like 'System Center Configuration Manager Console'
group by arp.DisplayName0,arp.Version0

You can also monitor the console versions that are connected to Configuration manager console using the security view in the console.

\Administration\Overview\Security\Console Connections

Hope it helps!

There are times where you need to troubleshoot the Microsoft Teams client issues such as app crashing, poor call quality, new features not working as expected, etc.

When you get any of such issues, you will need to collect the team’s client logs to investigate further and if possible, you likely need to share the logs with the Microsoft support engineer for further help.

There are different logs in Teams client that help you to troubleshoot the issue. The following are the important set of logs.

•  Debug logs
•  Media logs
•  Desktop logs
• Event viewer

As the teams client installed in the user profile (%appdata%), the log collection needs to be done from the user profile. so you need to request user and assist them to get these logs.

These common logs located in different folders under the user profile and guiding the user for these logs would take longer and sometimes get annoyed.

Except for Debug logs, all other logs are readily available for remote collection.

Debug logs is something that needs user intervention (not possible remotely) and the user needs to press shortcut Ctrl + Alt + Shift + 1 to generate the debug logs.

For more information about the log files and troubleshooting Teams client, please refer https://docs.microsoft.com/en-us/microsoftteams/log-files 

From this article, we know the location of the Teams log files, we can make use of Microsoft Endpoint Manager Configuration Manager scripts feature to collect the client logs for troubleshooting the teams issue remotely.

The scripts feature simplify building custom tools to administer software and let you accomplish mundane tasks quickly, allowing you to get large jobs done more easily and more consistently. For more information about PowerShell scripts from Configuration Manager Admin console, please refer here

This script can be used manually or remotely using Configuration Manager.

What does this script do?

1. The script check if the user logged into the machine or not, if yes, then collect the media logs, desktop logs,debug logs and event viewer from the locations and store it in C:\Temp\Teamslog

2.If no user logged into the machine , the script does nothing.

3. Once the logs are collected and store it on the share drive, the temp logs from local drive C:\temp\teamslog will be removed.

What is required to run the script?

1. You will need to provide the log share name to store the logs. The logs are zip and store it with username-timestamp.zip.

2. You will need notify user to use the shortcut Ctrl + Alt + Shift + 1 to generate debug logs. Once this is done, the script will look for the debug logs and collect it.

3. If user don’t run the Ctrl + Alt + Shift + 1, the script will not collect the debug logs but collect other logs if available.

Once you have filled in the log share, you can use take this script and use it in Configuration Manager scripts and run it on device where user logged for the log collection.

The script is uploaded to github, you can download it from here.

For teams client troubleshooting, please refer https://docs.microsoft.com/en-us/MicrosoftTeams/troubleshoot/teams-welcome

Over the last couple of years, I have been using this method to extract the status messages for various components in Configuration Manager such as SMS provider, Site server and client.

These status messages critical and useful when it comes to troubleshooting the components, clients etc. Status messages are similar to Windows NT Events and they have a severity, ID, description, etc.

These status messages ID appear in lot of places like logs, event viewer,configuration manager console. During the troubleshooting, it is hard to find out the description for the status message ID that you looking for and not everything can be found on the internet during the search.

As the current branch gets released every 3 months (based on the past trends), there will be changes to the status message IDs (addition/deletion) and it is always important to keep a copy of the status message ID’s for each build that you are working with.

In this blog post, we will see how to generate the status message IDs, description for your Configuration Manager build.

What is required to generate the status messages?

1. You will need the following dll files that are available in your your CAS/Primary site server for your current build

CLIMSGS.DLL

PROVMSGS.DLL

SRVMSGS.DLL

These dll files located in your site server location: <CM Installed directory:>\bin\X64\system32\smsmsgs

2. Copy these dll files to a folder on your computer.

3. Now download the script from Github, save it in the same folder where you copied the dll files.

4. Run the script. The script will create an excel file with 3 sheets called client, site server and sms provider and list down the status message ID’s along with description.

5. Output

Every time when you update your Configuration Manager build version, you can get the updated dll files and run the script.

I hope you found this useful.

References:

https://gallery.technet.microsoft.com/scriptcenter/Enumerate-status-message-6e7e1761

I was asked by a customer to find the devices with excluded apps in C2R products such as Office 365 Proplus or Microsoft 365 Apps or Office 2019 etc.

When you create a configuration file for C2R products such as office 365 proplus/Microsoft 365 Apps, you can define which app in Microsoft 365 Apps product not to be installed such as Word, Excel, PowerPoint, Publisher, Visio, or Skype. If you don't want Publisher installed with those applications, use the ExcludeApp element to remove it

Following are the allowed values to be used in the configuration for Exclude App element.

• ID="Access"
• ID="Excel"
• ID="Groove"
• ID="Lync"
• ID="OneDrive"
• ID="OneNote"
• ID="Outlook"
• ID="PowerPoint"
• ID="Publisher"
• ID="Teams"
• ID="Word"

Following is the sample configuration file that I have used to deploy Microsoft 365 Apps that have few apps excluded.

<Configuration>
<Add OfficeClientEdition="64" Channel="Monthly">
         <Product ID="O365ProPlusRetail">
             <Language ID="en-us"/>
             <ExcludeApp ID="OneDrive"/>
             <ExcludeApp ID="Groove"/>
             <ExcludeApp ID="Lync"/>
         </Product>
     </Add>
     <Display Level="Standard" AcceptEULA="TRUE"/>
     <Property Name="AUTOACTIVATE" Value="1" />
     <Logging Level="Standard" Path="C:\windows\o365proplus"/>
</Configuration>

Likewise, there will be multiple configuration files created and deployed to end-users based on the requirement, and at one point in time, it is good to have a report to find out the devices with their list of excluded apps.

When you deploy the C2R product using Endpoint Manager tool, there is no built-in report feature to identify what apps are excluded on specific devices.

How do we inventory the devices with excluded apps in Microsoft 365 apps?

Let's start analysing the data that is stored on the endpoint for office/Microsoft 365 apps.

Following the registry key that have the information about the C2R products.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

As you can see, there is a lot more information stored in the registry including O365ProPlusRetail.ExcludedApps

This tells us that, on this device, the 3 apps were excluded (onedrive,groove,lync) that we have used in the configuration file above.

How do we bring this data into Configuration Manager? are there built-in tool or inventory that gather the information?

There are some built-in reports available with information about office 365 products but If you want anything custom as we see now, we must extend the inventory and that can be achieved with a popular tool called RegKeyToMOF.

Detailed Steps:

1. Use RegKeyToMOF to generate configuration.mof and inventory.mof, compile the mof for syntax errors.

2. Import the inventory.mof and configuration.mof

3. Verify the mof changes and also on the SQL Side as well.

3. Deploy the client setting to test device collection.

4. Initiate machine policy cycle on the test device, trigger hardware inventory.

5. Monitor the hardware inventory on the site server and check the SQL results if any data received.

1. Use RegKeyToMOF to generate configuration.mof and inventory.mof:

Download the RegKeyToMOF.exe tool from Technet

On a device that you have installed Office 365 proplus/Microsoft 365 Apps or Office 2019, copy the tool and run the tool to generate a custom MOF file.

Browse to HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\Office\ClickToRun\Configuration

At this point, we can export the configuration.mof, inventory.mof (to import in admin/) using the tool, save the mof files.

The exported mof file contains lot of information and we will need to trim down this to actual requirement.

Following is my configuration.mof and inventory.mof (Trimmed version):

Configuration.mof:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to collect
// 16/10/2018 3:05:03 PM

#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Configuration", NOFAIL)
[DYNPROPS]
Class Configuration
{
[key] string KeyName;
String ProPlus2019RetailExcludedApps;
String O365ProPlusRetailExcludedApps;

};

[DYNPROPS]
Instance of Configuration
{
KeyName="RegKeyToMOF";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|ProPlus2019Retail.ExcludedApps"),Dynamic,Provider("RegPropProv")] ProPlus2019RetailExcludedApps;

[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|O365ProPlusRetail.ExcludedApps"),Dynamic,Provider("RegPropProv")] O365ProPlusRetailExcludedApps;
};

Black font is something that must match as per the registry key where as brown font is something that can be customised at your convivence and must be same.

Inventory.mof:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to report to the server
// 16/10/2018 3:05:03 PM
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Configuration", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("o365ExcludedApps"),SMS_Class_ID("o365ExcludedApps")]
Class Configuration: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String ProPlus2019RetailExcludedApps;
[SMS_Report(TRUE)] String O365ProPlusRetailExcludedApps;
};

Download the mof files from github

If you have added more attributes from the registry, make sure you compile the mof file for any syntax errors.

Compile the mof file using mofcomp.exe filename.mof

Once the mof files are validated, we are now ready to make changes on the SCCM server.

2. Import the inventory.mof and configuration.mof:

Copy the mof files to your CAS/Primary site.

Browse to SCCM installed directory, <Installed Dir>\Program Files\Microsoft Configuration Manager\inboxes\clifiles.src\hinv

Take a backup of configuration.mof before making any changes.

Edit the configuration.mof, go to the last line in the file, copy the content from config.mof (custom code) at the bottom of the file.

Save the changes.

Now open the SCCM console, go to administration, client settings, edit the default client settings, go to hardware inventory

Click on set classes

Click on import, select the inventory.mof file that you have downloaded or created your own.

Click on import.

Make sure you untick the o365, because we don't want these changes to be applied to all devices in default client settings.

This step will help us to import the settings, create a SQL view etc.

Monitor datalder.log on your site for changes.we will now see that, the SQL view and store procedure is created successfully.

By querying select * from v_GS_o365ExcludedApps0, you get empty results.

we will now create new client settings or use existing client setting that you want to deploy to test collection for monitoring the results.

On your new or existing test client settings, edit, click on hardware inventory, set classes and tick o365Excludedapps

We have now completed the changes on the site server.

3. Deploy the client setting to test device collection.

4. Initiate machine policy cycle on the test device, trigger hardware inventory.

we will move on to the client and initiate machine policy cycle for client to receive these changes, initiate hardware inventory.

Initiate hardware inventory and monitor the log InventoryAgent.log

Collection: Namespace = \\.\root\cimv2; Query = SELECT __CLASS, __PATH, __RELPATH, KeyName, O365ProPlusRetailExcludedApps, ProPlus2019RetailExcludedApps, VisioPro2019RetailExcludedApps FROM Configuration; Timeout = 600 secs.

we will now move to SQL database and run the query to test the results.

select sys.Netbios_Name0,
  exc.O365ProPlusRetailExcludedApp0,
  exc.ProPlus2019RetailExcludedApp0
  from [v_GS_o365ExcludedApps0] exc
  inner join v_R_System_Valid sys
  on sys.ResourceID=exc.ResourceID

we have now successfully gathered the required data using the custom inventory report.

For more information about:

Overview of Office Deployment Tool, please refer https://docs.microsoft.com/en-us/deployoffice/overview-office-deployment-tool

Office deployment tool configuration options, please refer https://docs.microsoft.com/en-us/deployoffice/office-deployment-tool-configuration-options

Hope you find this post useful.

Microsoft has released another update rollup (KB4575790) to fix client setup content download issue from CMG distribution point.

The following listed issues and the rollup update is available in updates and servicing node only if you have installed the recently released update rollup KB 4578605 for Configuration Manager 2006 build.

If you have not installed KB 4578605, then you will not see this update in the updates and servicing console.

Issues:

1. If you have configured cloud management gateway along with cloud DP and running the ccmsetup.exe (client installation) , the client will failed to download the client installation file (ccmsetup.cab) from Azure blob storage.

The following is the error code seen from the ccmsetup.log:

[CCMHTTP] ERROR: URL=https://{Azure_blob_storage}:443/content-l0000003/ccmsetup.cab?..., Port=443, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
[CCMHTTP] ERROR INFO: StatusCode=400 StatusText=Authentication information is not given in the correct format. Check the value of Authorization header.

2. If you have clients that ONLY use PKI for authentication, then they also failed to upgrade or install the client.

This occurs if the option Use PKI client certificate (client authentication capability) when available is disabled on the Communication Security tab of Site Properties. Errors resembling the following are recorded in the ccmsetup.log file on the client.

Client is not allowed to use PKI issued certificate or not able to use AAD token or ContentToken thus can not talk in HTTPS.
Failed to download client files by BITS. Error 0x8000ffff

In my case, I did not install the applicable update KB 4578605 hence the update KB4575790 is not visible in the console.

If you have installed the KB 4578605, you will see KB4575790 in updates and servicing node.

This update include site server and client updates.

Once you install the update (if applicable to your site), you don't have to restart the site server and no need to update the console version.

The client patch (.MSP file) contained in this update supersedes the versions that shipped with update rollup KB 4578605 and update KB 4575787. Therefore, only one client upgrade is required.

The client update (.msp) is located in <SCCM Installdir:>\Microsoft Configuration Manager\Client\i386\ClientUpdate

Following screenshot for KB4578605

After you install KB4575790, it will replace KB4578605

Now you need to update your clients to the latest patch . You can do this by enabling client upgrade in hierarchy settings.

Client version with this rollup update :5.00.9012.1056

Here is the collection query to find list of clients older than this version:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion not in ("5.00.9012.1056")

You also need to update your boot images to match the client version.

If you dont get your boot images to match the client version, you may encounter issues like me.

Hoe you found this article useful.

Microsoft has released update 2010 for Endpoint Manager Configuration Manager , the last build for this year with some great and enhanced features, for a complete list, please refer to https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2010

This build version is currently available for you to install via opt-in method (fast-ring). You can download the script from and run it on your ConfigMgr site. To download the script, refer to https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/checklist-for-installing-update-2010#early-update-ring

With this update 2010, there are a bunch of new features added. This means that, there are also a number of SQL tables/views added which will help us to create some great custom reports to our customers.

Lets see what are the newly added SQL views/tables/functions that we can use for custom reporting.

Following are some of the list which will add value to the business.

For a complete list of SQL views available in Configuration Manager 2010 and what’s new in 2010 compared with its previous build 2006, please refer the documentation available at Github

Introduction:

I was recently working on project performing the network assessment for teams call quality issues. The network assessment is being done using the free tool provided by Microsoft which is Skype for Business Network Assessment Tool (can be downloaded from Microsoft site).

The Microsoft Network Assessment Tool provides the ability to perform a simple test of network performance to determine how well the network would perform for a Microsoft Teams or Skype for Business Online call. The tool tests the connection to Microsoft Network Edge by streaming a set of packets to the nearest edge site and back for approximately 17 seconds for a configured number of iterations.

You can download the the free tool from https://www.microsoft.com/en-us/download/details.aspx?id=53885

After you download and complete the installation, you will find an installation guide (usage.docx) in the installed directory that will help you prior to the use of network assessment tool.

The tool reports  Packet loss,Jitter,Round-trip latency and Reorder packet percentage etc.

As part of the network assessment, we need to run two commands, these commands store the results in user profile, collect the files, review the data before taking any action such firewall ports, proxy,network etc.

The following is a sample of how both the commands console output and the results look like:

Command 1:

C:\Program Files (x86)\Microsoft Skype for Business Network Assessment Tool>NetworkAssessmentTool.exe

Command 2:

C:\Program Files (x86)\Microsoft Skype for Business Network Assessment Tool>NetworkAssessmentTool.exe /connectivitycheck

Output files are stored in user profile “C:\Users\%username%\AppData\Local\Microsoft Skype for Business Network Assessment Tool”

The end goal is to collect these files, but it involves end-user interaction by instructing the user to run the commands,wait for sometime, collect the logs and provide via email or place them in share folder for review.

If you are using the Endpoint Manager tool such as Configuration Manager, this entire process can be automated using PowerShell script and use the scripts feature in ConfigMgr to collect the logs in no time.

How do we use Configuration Manager to automate the process and collect the logs of Network Assessment Tool ?

The scripts in Configuration Manager simplify building custom tools to administer software and let you accomplish mundane tasks quickly, allowing you to get large jobs done more easily and more consistently.

[Note]: Make sure you have the network assessment tool is pre-installed on remote endpoints else this script wont work.

Download the PowerShell script available in Github.

Follow the steps outlined here to create a script in Configuration Manager and use the script from Github.

Hope it helps!

When a Configuration Manager client is installed and configured to use the software updates agent, it will automatically configured with a local Group Policy setting that specifies the Configuration Manager software update point. The Group Policy setting used is the intranet Microsoft update service location, specified as a Windows Update computer administrative template.

The following snippet shows the local group policy setting for the client that is enabled with software update agent.

GPO:

In case you have a local Group Policy setting that is configured with Microsoft update service location which will always be overwritten by an Active Directory Group Policy setting, and this can result in the Configuration Manager client failing to obtain software updates using Configuration Manager.

Jason has written 2 blogs on GPO and software update management, please read the following.

https://home.memftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
https://home.memftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

It is always recommended to create GPO to disable automatic updates and let the software update patching happens through ConfigMgr. This will help you to do the windows update patching in a controlled way.

So until now, you have a good understanding of the software update management and group policy.

One of my customer recently reached out to me and asking for help to block users doing manual windows update process on their devices.

The reason they want to block all available windows update options is that recently Microsoft released an update (KB4577586 ) to remove Adobe flash from windows.

Removing of the adobe flash will impact their applications (legacy) that use adobe flash.

When I have asked customer to send a screenshot of the windows update setting, it has the following.

As you can see above, 1st option, It already has the automatic updates disabled through GPO so there wont be any automatic windows update process but if you look at the 2nd, user still have option to click on ‘Check online for updates from Microsoft update’ and do windows update.

Configuring the GPO ‘Disable automatic updates’ will only help to disable the automatic update schedule that happens every day night around 3AM or so but it will still leave an option for user to click on ‘Check online for updates from Microsoft update’. This process will initiate the windows update, search, download, install and reboot the device.

In the above screenshot, I have a GPO to turn off automatic updates but user can still trigger the windows update using Check online for updates from Microsoft update.

How do we disable/hide ‘Check online for updates from Microsoft update’?

Create a GPO and configure the following setting.

Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings

Turn off access to all Windows Update features = Enabled

Link the GPO to test OU, test the windows store and update functions before deploying the policy to all production machines.

End-results:

The policy will now hide ‘Check online for updates from Microsoft update’ setting.

There is new registry key that gets created with this setting.

Registry Path:
Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess

Hope it helps!

I was recently helping out a customer who had issues with wsuscontent folder size which was about 330GB. This folder size usually around 5-6GB if you are not using standalone WSUS or 3rd party updates for patching.

This folder primarily stores the information about.

1. Software update end-user license agreement (EULA).

2. Microsoft patches for windows and other products for standalone WSUS.

3. 3rd party updates In case you have integrated the 3rd party patching tool.

The following is the screenshot for the wsuscontent folder size.

When the customer reported about the wsuscontent size is huge, the following questions were raised.

1. Is it standalone or integrated with Configuration Manager? –-> Integrated with ConfigMgr.

2. Are you using any 3rd party patching tool hence the content download is higher?—>There is a 3rd party pathing tool, it is only Microsoft updates.

From the above questions, WSUSContent cannot be larger. The troubleshooting as follows.

1. Open the WSUS console, options, open Automatic Approvals

There was a default automatic approval rule which was enabled with the rule properties.

What does it do? when the WSUS sync runs, the updates that match with update classification that you have selected will be approved, downloaded to the wsuscontent folder.

This is needed only when you use a standalone WSUS server but not with Configuration Manager.

If you have integrated WSUS server with Configuration Manager, you should un-touch the WSUS MMC from the time you do the initial configuration.

By default, when you integrate WSUS with ConfigMgr, this automatic rule is un-selected.

So someone has made the changes unknowingly which causes the content folder to grow bigger.

How do we fix this now?

1. Since WSUS is integrated with ConfigMgr, we can de-select the automatic approval rule, so there won't be any content download thereafter.

2. To clean up the downloaded content on the WSUSContent folder, we will need to decline all the updates in WSUS console (don't worry, this won't impact your ConfigMgr patching or metadata in ConfigMgr console, you are safe doing it) and run the server clean up wizard.

So go ahead and un-tick the default automatic approval rule and click ok.

To decline all approved updates, click on updates, all updates.

For the approval, select approved, and status: any

you should see the list of updates that are approved which are downloaded as well to the wsuscontent folder.

In my case, there are 636 updates approved.

Select all the updates, right-click, and choose decline.

you will be prompted with the following screen, select Yes.

Depending on the number of updates, it may take sometime.

Once the updates are declined, refresh the page.

Now we will need to clean-up the content stored in the folder.

Now, in the console, click on options, select server clean-up wizard

You will be asked with multiple options to clean up but the first one is our fix to remove the downloaded content.

As you can see, we have now cleaned up around 320GB.

Depending on the number of updates, you may see the MMC console crash but don't worry, try it again and you will get succeed. 

You also have scripts available to perform the clean-up without the MMC crash but UI works fine.

Once the clean-up is done, go back and check the size of wsuscontent, it is now 3.7GB which is normal.

Hope you find this post useful.

Starting in Configuration Manager 2010, we can use OS boot media from SCCM to reimage internet-based devices that connect through a Cloud Management Gateway (CMG). Do note that, this method cannot join the devices to domain but only in a workgroup as there is no domain connectivity for internet-based clients.  This scenario is useful to support remote workers. Though the devices are in workgroup, these can be managed via Configuration Manager for application deployment, patching, and other features that support a client over CMG.

In case of any issues with remote worker windows OS, we can use the OS Boot media (send over USB) to reinstall the windows. All this happens through the cloud management gateway.

For more information about how to do task sequence over the internet using cloud management gateway using the bootable ISO, please refer here.

Prerequisites for boot media via CMG refer here

When i was doing some testing on this feature in my lab, i encountered some issues and i would like to discuss them in this blog post with fix.

My lab is running on HTTP (no PKI) and the CMG server authentication cert is using enterprise cert (On-prem CA). All of my clients are hybrid Azure AD Joined.

So when my clients move to internet, they use hybrid azure AD join for authentication.

As per this guide, I have created boot media that uses CMG as a management point. Since my SCCM is not running PKI infra, I don't have to import any certificate (PKI) into boot image while creating it. you only need it when your site is running on HTTPS (and clients too). The boot image uses a self-signed media certificate ONLY.

When booting the device which is on internet using the ISO that we created above, it failed with error code as listed below.

asynccallback(): winhttp_callback_status_secure_Failure encountered

winhttp_callback_status_flag_invalid_CA

The device is authenticating with my CMG (https://cmcb1.cloudapp.net)  which is using enterprise CA cert.

The boot image that we created is using self-signed certificate which is not enough to authenticate with CMG.

How do we fix this certificate issue for CMG bootable using self-signed certificate?

Since my CMG server authentication certificate using enterprise CA, I will need to have root CA into the boot image. That can be verified from your site properties, communication security.

As you can see above, there is no root CA specified. For a successful task sequence deployment over CMG using boot media, I would need to import the root CA.

To import the cert, click on set, click on start burst, import the cert and click Ok.

Now go back to your task sequence and create new boot media using the self-signed certificate. This time, it will allow you select the task sequence that are deployed to unknown collection and continue from there.

When I choose the task sequence, i hit with another error. The device unable to verify the content located on a distribution point.

I did verified that, the content is distributed to cloud DP and can located in blog storage as well.

After checking my client settings, it was found that, I had custom client settings for CMG and is deployed to collection. This will restrict desktops/servers from receiving the CMG settings.

For unknown clients on internet, you will have to make the changes in the default client settings for CMG.

Edit the default settings, cloud services, choose the CMG settings as listed below.

Once you make the changes in default settings, you don't have to re-create the boot image.

Now go back to the internet device, retry the task sequence.

Client is able to connect to CMG, cloud DP for content download.

Depends on the speed of the internet, the deployment may take time.

Hope it helps!