
System Center Endpoint Protection (SCEP) Installation Error code 0x8004FF91


I had provisioned a Windows Server 2012 R2 (yes, it is 2012 R2) and, while installing the SCEP client (the System Center Endpoint Protection client installation files are taken from Current Branch 2010), it failed with the following error code.

Setup - Cannot complete the System Center Endpoint Protection installation. An error has prevented the System Center Endpoint Protection setup wizard from completing successfully. Please restart your computer and try again. Error code:0x8004FF91. [8004FF91]

I have tried various command line switches for SCEP client installation but all returned the same error code.

The server had the Configuration Manager client 2010 installed and was fully patched.

I also tried removing the Configuration Manager client and installing SCEP on its own. No matter what you do, the SCEP client installation always fails.


As per the error message, I rebooted the server and re-ran the installation, but it failed with the same error code again.

To troubleshoot further, I looked at the logs located in c:\programdata\microsoft\Microsoft Security Client\support and found several files in this folder.


EppSetup.log and MSSecurityClient_Setup_4.7.209.0_epp_Install.log reveal the same information that is shown in the UI.


The following is the relevant piece of information from the MSSecurityClient_Setup log.

setup CA ERROR  : CryptCATAdminAddCatalog failed with 1062

NIS setup CA ERROR  : InstallNisDriver: InternalInstallCatalog failed with 1603

NIS setup CA INFO   : InstallNisDriver completed with error result 1603

CustomAction InstallDriver returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)


CryptCATAdminAddCatalog failed with 1062 –> this points to the Cryptographic Services (cryptsvc) on the server, which turned out to be missing.

Open a command prompt on the problematic server and run sc query cryptsvc

The specified service does not exist as an installed service.


How do we get the service running? I tried registering cryptsvc.dll (found in C:\windows\system32\cryptsvc.dll), but that did not help.

I ran sfc /scannow in case corrupted system files were the cause, but nothing was found there either.

The next attempt was to log in to a Server 2012 R2 that had the SCEP client installed and check whether the Cryptographic Services service existed there.

The service was present on the working server, so the fix is to export the registry key for this service from it, import it on the problematic server and reboot.

The following is the registry key of the service.


Export the registry key, import it on the problematic server and reboot the server.

After logging in, check whether the Cryptographic Services service exists. If it does, run the SCEP client installation.
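The same checks and the export/import step, as an added PowerShell example that is not part of the original post. It assumes PowerShell remoting to a working server of the same OS build (<ReferenceServer> is a placeholder), uses the support folder named above for the logs, and the standard services registry key for Cryptographic Services; run it elevated on the problematic server.

```powershell
# Added example, not from the original post. Assumes PowerShell remoting access to a
# working server of the same OS build; <ReferenceServer> is a placeholder. Run elevated.

# Pull the custom-action failures out of the SCEP setup logs and decode the Win32 code each
# line ends with (1062 = "The service has not been started", 1603 = installer fatal error).
function Get-ScepSetupErrors {
    param([string]$LogFolder = 'C:\ProgramData\Microsoft\Microsoft Security Client\Support')

    Get-ChildItem -Path $LogFolder -Filter 'MSSecurityClient_Setup_*_epp_Install.log' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.Name
            Select-String -Path $_.FullName -Pattern 'CA ERROR|returned actual error code' |
                ForEach-Object {
                    $code = if ($_.Line -match '(?:failed with|error code) (\d+)') { [int]$Matches[1] } else { $null }
                    [pscustomobject]@{
                        File    = $file
                        Win32   = $code
                        Meaning = if ($null -ne $code) { (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message } else { '' }
                        Line    = $_.Line.Trim()
                    }
                }
        }
}

# Check both places the post looks at: the service control manager (what 'sc query cryptsvc'
# reports) and the registry key the SCM loads the service definition from.
function Test-CryptSvc {
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CryptSvc'
    $svc       = Get-Service -Name CryptSvc -ErrorAction SilentlyContinue
    $keyExists = Test-Path -Path $regPath
    [pscustomobject]@{
        ServiceRegistered = [bool]$svc
        Status            = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
        RegistryKeyExists = $keyExists
        ImagePath         = if ($keyExists) { (Get-ItemProperty -Path $regPath).ImagePath } else { $null }
    }
}

# Export the CryptSvc key from the working server and import it locally, which is what the
# post does by hand with regedit. A reboot is still required afterwards.
function Restore-CryptSvcKey {
    param(
        [Parameter(Mandatory)][string]$ReferenceServer,
        [string]$LocalFile = (Join-Path $env:TEMP 'CryptSvc.reg')
    )
    # reg.exe writes a UTF-16 .reg file; bring its text back over the remoting session
    # so this also works on hosts without Copy-Item -FromSession (PowerShell 4).
    $regText = Invoke-Command -ComputerName $ReferenceServer -ErrorAction Stop -ScriptBlock {
        $f = Join-Path $env:TEMP 'CryptSvc.reg'
        reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc' $f /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed on $env:COMPUTERNAME (exit code $LASTEXITCODE)" }
        Get-Content -Path $f -Raw
    }
    Set-Content -Path $LocalFile -Value $regText -Encoding Unicode
    reg.exe import $LocalFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Write-Host "Imported $LocalFile. Reboot, then re-run Test-CryptSvc before retrying the SCEP setup."
}

# Usage on the problematic server:
Get-ScepSetupErrors | Format-Table -AutoSize
$state = Test-CryptSvc
$state
if (-not $state.ServiceRegistered) {
    Restore-CryptSvcKey -ReferenceServer '<ReferenceServer>'
}
```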


The SCEP client installed successfully, and I verified that the agent is communicating with Configuration Manager for policies etc.


Hope this helps!


SCCM Collection for devices online with green checkmark


This is a quick blog post on how to create a device collection for computers that are online and show the green checkmark.

When a Configuration Manager client is installed, it will have one of the following status indicators. For more information about device client status, please refer here.


How do we create a collection for clients that are online? 

Collections use WQL, and the following is the WQL query you can use to create the collection.

We will use the WMI class SMS_CollectionMemberClientBaselineStatus, which holds the client online status. This information comes from client notification, which uses the BGB/fast channel.

This collection uses a sub-selected query.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in
(select resourceid from SMS_CollectionMemberClientBaselineStatus where SMS_CollectionMemberClientBaselineStatus.CNIsOnline = 1)


If your Configuration Manager is running version 2010, you have the option to preview the results: click the play button to see the results before you confirm the changes.


Save the collection and wait a few seconds for the data to appear.


The results are updated as the device collection membership is re-evaluated.

If you want to create reports based on the online status, refer to http://eskonr.com/2016/04/how-to-query-clients-collection-or-ssrs-ssrs-with-online-status-in-sccm-configmgr-1602/

SCCM Collection for AAD joined devices (co-managed)


Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. For more information about co-management, its benefits, prerequisites and licensing, read https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview

When you have Windows 10 devices that are Azure AD joined, enrolled in Intune and also co-managed, these devices appear in Configuration Manager.

In this blog post, I will show you how to create a collection for Azure AD joined co-managed devices.

When a device is AAD joined and co-managed (not on-prem domain joined, cloud only), we have the tenant ID, device ID, domain or workgroup and other information.

We will use 2 fields to identify whether the device is AAD joined: 1) AADTenantID 2) Resource_Domain_OR_Workgr0

The device should have an AADTenantID and should not be in your domain, which means it will be in a workgroup.


We don't filter on the workgroup name, as it can be customized by the user and changed to anything they like, such as MyPC.

So we go with the domain instead: any device that is AAD joined and not in the corporate domain (intranet.eskonr) falls into the collection.

Create a collection with the following sub-selected WQL query:


select *  from  SMS_R_System where SMS_R_System.AADTenantID = "4252590E-6F9B-4AA1-AA9F-D7717C111B07" and
SMS_R_System.ResourceId not in (select ResourceID  from  SMS_R_System where SMS_R_System.ResourceDomainORWorkgroup = "INTRANET")

INTRANET is my domain name; if you have multiple domains, add them to the sub-select as well.


Once you paste the query into the query designer, you can click the green play button to see the list of devices that match this query.

I have got 1 device that is AAD joined and co-managed.

Hope this helps!

Audit messages for software update deployments in Configuration Manager


In Microsoft Endpoint Configuration Manager, we use the Monitoring workspace in the console to monitor infrastructure and operations.

One common ask in many forums is how to find who created, modified or deployed something to users or devices that caused an issue.

When someone deploys something, they may not know it will cause an outage or impact the end-user experience.

When such things happen, you are always in search of who did it.

In this blog post, we will see how to find who created a deployment (assignment) for a software update group.

For all these types of auditing there are status message IDs, which I have blogged about; the Excel spreadsheet is available on GitHub for your reference.

If you want to find out who created the assignment for a software update group, there is no built-in way to see it in the software updates section.

The following is the view of the software update deployment assignment.


As you can see, there is no user ID tagged to the specific update deployment.

How do we trace it? There are a few options:

1. Use smsprov.log
2. Use status message queries
3. Use the SQL database

SMSPROV.log is limited in size, its records get overwritten in no time, and finding the right data in it is tedious.

The remaining options are audit status messages and the SQL database.

We can use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to modify it. For example, you can run the built-in query Collections Created, Modified, or Deleted to identify when a specific collection was created and the user account used to create it.

Based on the Excel sheet I shared earlier for status message queries, the following are the status message IDs related to software update deployments.

30196 User "%1" created updates assignment %2 (%3).
30197 User "%1" modified updates assignment %2 (%3).
30198 User "%1" deleted updates assignment %2 (%3).

Now we will find out who created the deployment targeting the collection ‘all Mobile devices’ on 3/4/21 using the audit status message queries:


Go to the Monitoring workspace, expand System Status, then Status Message Queries.

Open All Audit Status Messages from a Specific Site.


Choose the site and the time when the deployment was created (3/4/21), then click OK.


If your deployment was created days or weeks ago, you can choose up to 1 year.


There were many audit status messages for that duration.

We can filter on message ID 30196 to find the newly created assignments.


Here you will find all the software update deployments that were created.


In the properties section, you will see the following information.

User "INTRANET\eswar.koneti" created updates assignment 16779253 ({65FCC1AD-126D-4D27-991A-F563F8A0CDFE}).

Likewise, if multiple deployments were created by users, how do you find the one you are looking for?

Let's go back to the update deployment in the console and find the deployment ID we are looking for.

In my case, the deployment ID is 16779253.


In the audit status messages, I filter on message ID 30196 and description *16779253* to get the exact record.


We now see who created the specific deployment for the software update group.


How do we find the same data using SQL Server Management Studio, directly from the database?

Using a SQL query, we need 2 values to search for: 1) the message ID, which we already know (30196), and 2) the deployment name.


The following is the SQL query to run against the SCCM database.

select * from vStatusMessagesWithStrings
where MessageID = 30196
and InsStrValue4 like 'Microsoft Software Updates - 2021-03-04 12:54:40 AM'


The SQL query is a much simpler way to find the relevant information.
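Building on that query, here is an added PowerShell function (mine, not the post's) that searches the audit status messages for all three update-assignment message IDs with a parameterised query, so the deployment name can be a LIKE pattern and the time window a parameter. It assumes Windows authentication to the site database; <SqlServer> and <SiteCode> are placeholders, and the roles of the Time and InsStrValue1..3 columns are assumed from the message template (%1 user, %2 assignment ID, %3 GUID).

```powershell
# Added example, not from the original post. Queries the site database for the audit
# messages 30196/30197/30198 (created/modified/deleted updates assignment).
# Assumes Windows authentication; <SqlServer> and <SiteCode> are placeholders.
# InsStrValue4 is the deployment name, as in the post's query; InsStrValue1..3 are
# assumed to carry %1 (user), %2 (assignment ID) and %3 (assignment GUID).
function Get-UpdateAssignmentAudit {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$Database,
        [string]$DeploymentName = '%',   # LIKE pattern; the default returns every assignment
        [int]$Days = 30
    )

    # Parameterised so the deployment name is never spliced into the SQL text.
    $query = @'
select Time,
       MessageID,
       case MessageID
            when 30196 then 'created'
            when 30197 then 'modified'
            when 30198 then 'deleted'
       end as Action,
       InsStrValue1 as [User],
       InsStrValue2 as AssignmentID,
       InsStrValue3 as AssignmentGuid,
       InsStrValue4 as DeploymentName
from vStatusMessagesWithStrings
where MessageID in (30196, 30197, 30198)
  and Time >= dateadd(day, -@Days, getdate())
  and InsStrValue4 like @Pattern
order by Time desc
'@

    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Database=$Database;Integrated Security=True"
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@Days', $Days)
    [void]$cmd.Parameters.AddWithValue('@Pattern', $DeploymentName)

    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
        [void]$adapter.Fill($table)
    }
    finally {
        $conn.Close()
    }

    # Emit plain objects so the result formats, sorts and exports cleanly.
    foreach ($row in $table.Rows) {
        [pscustomobject]@{
            Time           = $row.Time
            MessageID      = $row.MessageID
            Action         = $row.Action
            User           = $row.User
            AssignmentID   = $row.AssignmentID
            AssignmentGuid = $row.AssignmentGuid
            DeploymentName = $row.DeploymentName
        }
    }
}

# The post's case: who created or changed the 3/4/21 deployment (wildcard on the time part).
Get-UpdateAssignmentAudit -ServerInstance '<SqlServer>' -Database 'CM_<SiteCode>' `
    -DeploymentName 'Microsoft Software Updates - 2021-03-04%' -Days 365 |
    Format-Table -AutoSize
```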

Hope you find this blog post useful!

Reporting services – The request failed with HTTP status 503 Service Unavailable


The other day, I powered on my Configuration Manager lab after a long time to test something in reporting and found that the reporting URL did not work.

Browsing the reports URL returned HTTP error 503, Service Unavailable.

I verified that the SQL Server Reporting Services service was running and restarted it as well, but no luck.

I realized that something was seriously wrong and took some time to troubleshoot further.

The first log to check is srsrp.log (the ConfigMgr reporting services point log), located in your ConfigMgr installation directory\logs folder.

The log has the following errors:

The request failed with HTTP status 503: Service Unavailable.

(!) SRS not detected as running

Failures reported during periodic health check by the SRS Server CMserver.domain.name

I also checked Report Server Configuration Manager; everything seemed fine.

The next step is to look at the SQL Server Reporting Services log located in

C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\LogFiles

The log has the following error messages:

configmanager!DefaultDomain!5018!04/04/2021-14:23:28:: e ERROR: Error loading configuration file: The evaluation period for this instance of Microsoft SQL Server Reporting Services has expired.  A license is now required.

appdomainmanager!DefaultDomain!5018!04/04/2021-14:23:28:: e ERROR: Appdomain:1 DefaultDomain failed to initialize. Error: Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The report server has encountered a configuration error.  ---> Microsoft.ReportingServices.Diagnostics.EvaluationCopyExpiredException: The evaluation period for this instance of Microsoft SQL Server Reporting Services has expired.  A license is now required..

As you can see in the log, the evaluation license for SQL Server Reporting Services has expired.

When you install SQL Server Reporting Services, you are asked to choose either the 180-day trial or to enter the SQL Server license key.

If you choose the trial, then after 180 days you will have the same issue as mine.

So now that we know the SQL Server Reporting Services license has expired, how do we activate it?

The only way that I could find is to reinstall the reporting services.

Run the SQL Server Reporting Services installation wizard (I used 2019) and you will see the following options. Choose Upgrade; you will be asked for the key to activate it.

Once the installation is completed, wait for Reporting Services to check the license status and rebuild the reports (there won't be any changes to your default/custom reports); after some time your reporting URL will be up and running.

Hope this helps!

What is new in Configuration Manager 2107 Reporting


Microsoft has released update 2107 for Configuration Manager (Current Branch), which is now available as an in-console update. You don't need to run the opt-in script.

You can apply this update on sites that run version 2002 or later. If you are running an older version of Configuration Manager, you first need to update the site to a supported version shown in the console, then update to 2107.

For a list of new features and improvements in Configuration Manager 2107, please read https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2107

Just like with any other Configuration Manager update release, I always look at what is new from the reporting point of view.

Here I look at what is new in this build compared with the previous version (2103).

This build adds some new SQL views/tables, such as user-based applications, extensions and client diagnostics, for custom reporting; it is always good to build your own reports when you don't find what you are looking for.

So what is new in Configuration Manager 2107 for reporting?

The following are the new SQL views.

v_GS_CLIENT_DIAGNOSTICS
v_GS_USER_BASED_APPLICATIONS
v_LifecycleDetectedResourceIdsByGroupName
v_SMS_G_System_ExtensionData
v_SMS_G_User_ExtensionData
vNotificationEventRules

For the full SQL views documentation, with the data available in this build and in previous builds, please refer to GitHub: https://github.com/eskonr/MEMPowered/tree/master/Reports/SQ%20Views

Happy reporting!

What is new in Configuration Manager 2111 Reporting


Microsoft has released version 2111 for Configuration Manager (Current Branch), which is now available as an in-console update, currently via the opt-in script.

You can apply this update on sites that run version 2006 or later. If you are running an older version of Configuration Manager, you first need to update the site to a supported version shown in the console, then update to 2111.

For a list of new features and improvements in Configuration Manager 2111, please read https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2111

Just like any other Configuration Manager build, this release has new features and enhancements, so there are some additions to reporting.

In this blog post, I will walk you through what is new in Configuration Manager reporting in the newly released build (2111) and how it can help us create custom reports.

I have uploaded the SQL views documentation to my GitHub repository; you can find it at https://github.com/eskonr/MEMPowered/tree/master/Reports/SQ%20Views

So what is new in Configuration Manager 2111 for reporting compared with its previous build (2107)?

The following are the newly added SQL views/tables/functions in 2111.

v_ApplicationRequests –> Holds information about application requests from users.
v_UpdateDataForMachine –> Holds the compliance status of updates for devices (required/installed/not required).
vClientCoManagementState –> Makes it easier to report the co-management workloads applied to devices.
vNotificationSubscriptionEvents –> Holds subscription event information.
vNotificationSubscriptionEventStatus –> Subscription event status.
vSMS_ApplicationGroupItems –> Application group items.
vSMS_AssignedDeviceApplicationGroups –> Application groups assigned to devices.
vSMS_ConsoleExtensionMetadata –> Holds information about the console extensions and their status.
vSMS_OrchestrationGroupScript –> Orchestration group scripts.

For the list of SQL views for all Configuration Manager versions, download from https://github.com/eskonr/MEMPowered/tree/master/Reports/SQ%20Views

Happy reporting!

Troubleshooting co-management eligibility devices using scripts feature in SCCM


Intune has a Co-management eligibility report (currently in preview) which provides an eligibility evaluation for devices that can be co-managed. For devices to become co-managed, they must be running Windows 10 and be joined to Azure Active Directory.

For the full set of Intune reports, please refer to https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports

The other day, I was looking at the cloud-attached devices (preview) in Endpoint Manager for the co-management eligibility report. For more information about the co-management eligibility report, see https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports#co-management-eligibility-report-organizational

In the report's dropdown list, I am interested in viewing only the devices that need AAD join.


Generating the report reveals a large number of devices that need Azure AD join.


These devices are on-prem domain joined and, for some reason, are not hybrid Azure AD joined.

For on-prem devices to reach co-management, they must first be hybrid Azure AD joined before they enroll in Intune.

So I picked a device from this list and checked its hybrid Azure AD joined status in the Azure AD portal; it showed Pending.

I logged in to the machine to check the Event Viewer logs for further troubleshooting.

On the problem PC, open cmd and run dsregcmd.exe /status; the output shows the device is not hybrid Azure AD joined and AzureAdPrt : NO.

In Event Viewer (Microsoft->Windows->User Device Registration->Admin), I can see the following.

Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c0002
Server error: The verification of the target computer's SID (S-1-5-21-1704617455-1677075968-155068508-164177.2021-11-30 15:38:59Z) signature failed. Device id: (147f3ddd-0c43-45d5-895b-54e8e18e39f9).
Tenant type: Federated
Registration type: fallback_sync
Debug Output:
joinMode: Join
drsInstance: azure
registrationType: fallback_sync
tenantType: Federated
tenantId: d0d068a1-f100-44e9-afeb-cdb37c8f5d07
configLocation: undefined
errorPhase: join
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0

Based on the error code, the verification of the target computer SID failed.

For further troubleshooting, step 1) I removed the device from Azure AD, waited for the Azure AD Connect sync (depending on how you have configured its schedule) and ran the workplace join task (Automatic-Device-Join) located in Task Scheduler under Microsoft—>Windows—>Workplace Join.

This time the device completed the hybrid Azure AD join, the status appeared in the Azure AD portal, and finally the device became co-managed.

The next step is to fix the remaining devices from the list that are not hybrid Azure AD joined and also not co-managed.

The steps are: 1) remove the devices from the Azure AD portal, 2) run the Automatic-Device-Join task using SCCM (without rebooting the device).

1) Remove the devices from the Azure AD portal:

Create a PowerShell script with the following code and save the device names, one per line, to Comanageddevices.txt in the same folder as the script.

<#
Description: Delete devices from the Azure AD portal
Author: Eswar Koneti
Date: 04-Dec-2021
#>
$scriptpath = $MyInvocation.MyCommand.Path
$dir        = Split-Path $scriptpath
$date       = (Get-Date -f dd-MM-yyyy-hhmmss)
$inputfile  = "$dir\Comanageddevices.txt"   # one device name per line
$Outfile    = "$dir\DevicesStatus.log"

# Check for the module before trying to import it, otherwise Import-Module itself errors out
Write-Host "Checking for MSOnline module..."
$Module = Get-Module -Name "MSOnline" -ListAvailable
if (!($Module)) {
    Write-Host
    Write-Host "MSOnline PowerShell module not installed..." -f Red
    Write-Host "Install by running 'Install-Module MSOnline' from an elevated PowerShell prompt" -f Yellow
    Write-Host "Script can't continue..." -f Red
    Write-Host
    exit
}
Import-Module MSOnline

"---------------Script started at $date" | Out-File $Outfile -Append
Connect-MsolService
$devices = Get-Content -Path $inputfile
foreach ($pc in $devices) {
    # A name can map to more than one stale object, so remove every match
    $details = @(Get-MsolDevice -Name $pc -ErrorAction SilentlyContinue)
    if ($details.Count -eq 0) {
        "Device $pc not found" | Out-File $Outfile -Append
        continue
    }
    foreach ($device in $details) {
        try {
            # Remove-MsolDevice returns nothing on success, so log after the call instead of testing its output
            Remove-MsolDevice -DeviceId $device.DeviceId -Force -ErrorAction Stop
            "Deleted the device $pc ($($device.DeviceId)) from Azure AD" | Out-File $Outfile -Append
        }
        catch {
            "Failed to delete the device $pc from Azure AD: $($_.Exception.Message)" | Out-File $Outfile -Append
        }
    }
}
"---------------Script completed at $(Get-Date -f dd-MM-yyyy-hhmmss)" | Out-File $Outfile -Append

2) Run the workplace join/device registration task using the Configuration Manager Scripts feature.

<#
Description: Check if the device is AAD/HAAD joined and has received a PRT; if not, trigger device registration.
Author: Eswar Koneti
Date: 04-Dec-2021
#>

# dsregcmd prints "AzureAdPrt : YES" once the device has a Primary Refresh Token; -match is case-insensitive
$status = dsregcmd.exe /status
if ($status -match 'AzureAdPrt\s*:\s*YES')
{
    Write-Output "HAAD"
}
else
{
    Write-Output "Not HAAD"
    # Enable and start the Automatic-Device-Join task so the device retries the hybrid join without a reboot
    $task = Get-ScheduledTask -TaskPath "\Microsoft\Windows\Workplace Join\" -TaskName "Automatic-Device-Join" -ErrorAction SilentlyContinue
    if ($task)
    {
        $task | Enable-ScheduledTask -ErrorAction SilentlyContinue | Out-Null
        $task | Start-ScheduledTask -ErrorAction SilentlyContinue
    }
}

Hope you find this article helpful!

Continue Reading

For Azure Active Directory device management FAQ https://docs.microsoft.com/en-us/azure/active-directory/devices/faq#general-faq

Troubleshoot hybrid Azure AD-joined devices https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current

Pending devices in Azure Active Directory https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/pending-devices


SCCM Right click tools–find missing updates of a client


Managing software updates and creating custom reports in ConfigMgr is an ocean: there is so much data to visualize based on your needs.

One very common requirement or report is to find the missing/required updates of a device managed by SCCM.

If you have not moved device management, especially Windows updates, to Microsoft Intune and are still with ConfigMgr, then this post is for you.

I have written a couple of blog posts on finding the missing/required updates for a specific device in SCCM; they are listed below for your reference.

http://eskonr.com/2016/08/sccm-configmgr-sql-query-to-find-top-x-missing-updates-for-specific-collection-for-specific-update-group/

http://eskonr.com/2015/12/sccm-configmgr-ssrs-report-get-list-of-missing-updates-for-pc-from-specific-software-update-group/

Likewise, you can create many reports, but it is not always convenient when you need to quickly check the required updates for a specific device within the SCCM console.

I started reading about creating custom right-click tools (Neilp, Ryan) and created a custom tool, integrated with the SCCM console, to find the required updates with one click.

The output looks like the following: when you right-click a device in the console and click Required Updates, you see a list of all required updates with a few columns.


How to configure/install this right-click tool extension?

Download the files from GitHub.

Extract the files; you will find Required.updates.ps1 and a folder.

Edit Required.updates.xml located in the folder ed9dee86-eadd-4ac8-82a1-7234a4646e62

You need to edit line 19 with the location of the PowerShell script. You can copy Required.updates.ps1 to your ConfigMgr admin console location or anywhere it can be launched from the console.


"G:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\Required.updates.ps1"

I copied it to the admin console install folder (bin).

Now copy the folder (ed9dee86-eadd-4ac8-82a1-7234a4646e62) to the XmlStorage\Extensions\Actions folder.

In my case, the actions folder is in G:\Program Files\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions

Close the SCCM console (if it is already open) and launch it again.

Right-click any device and you will see the Required Updates option; click it and it shows the missing updates.

You can sort the columns available in the grid window by title, superseded, expired, date posted.

Superseded updates appear in orange and expired updates in red. Updates that are both expired and superseded still appear in orange.

I know the information presented in the RCT tool for required updates is limited, and there is scope to add a lot more, such as whether the update is targeted to the device, which SUGs the update is a member of, etc.

Due to the information available in the SMS provider and the complexity of the code, I have put it aside for now.

Limitations of this RCT tool: you may see empty results if the device meets either of the following.

1. The device has no SCCM agent, the agent is not healthy, or the updates scan was not successful.

2. The device is co-managed and the Windows Update workload is shifted to Intune.

In case you are looking for a SQL query that gathers the additional information I could not include in the RCT solution, it is given below.

The following is the SQL code to get the required updates of a device.

declare @PC nvarchar(255);
set @PC = 'CMCB-CL01'

select ui.Title,
       ui.ArticleID [ArticleID],
       UpdateClassification = cls.CategoryInstanceName,
       Required = (case when ucs.Status = 2 then 'Yes' else 'No' end),
       Targeted = (case when ctm.ResourceID is not null then 'Yes' else 'No' end),
       ui.InfoURL as InformationURL,
       ui.DateLastModified [Date Posted],
       case when ui.IsSuperseded = 1 then 'Yes' else 'No' end as 'Superseded',
       case when ui.IsExpired = 1 then 'Yes' else 'No' end as 'Expired'
from v_UpdateComplianceStatus ucs
join v_UpdateInfo ui on ui.CI_ID = ucs.CI_ID
left join v_CITargetedMachines ctm on ctm.CI_ID = ucs.CI_ID and ctm.ResourceID = ucs.ResourceID
join v_CICategoryInfo_All vnd on vnd.CI_ID = ui.CI_ID and vnd.CategoryTypeName = 'Company'
join v_CICategoryInfo_All cls on cls.CI_ID = ui.CI_ID and cls.CategoryTypeName = 'UpdateClassification'
join dbo.v_R_System as vrs on vrs.ResourceID = ucs.ResourceID
where ucs.Status = 2 and vrs.Name0 = @PC
order by 1


Hope you find this article useful!

SCCM Right Click Tool Managed workloads of co-managed device


Co-management (cloud attach) enables you to manage Windows 10 or later devices simultaneously by using both Configuration Manager and Microsoft Intune. For more information about co-management, please refer here.

For a device to be co-managed, one of the prerequisites is that the Windows device must be connected to Azure AD, either hybrid Azure AD joined or Azure AD joined (cloud domain joined).

Currently, co-management supports the following workloads.

Let's assume you have enabled cloud attach (co-management) and have also moved some workloads, such as Windows Update and device compliance policies, to Intune.

The devices receive the policies and start communicating with Microsoft Intune for the applied workloads.

If you want to know the workloads applied to a specific device for troubleshooting, one way is to look at the device in the Intune console and check the Intune-managed workloads on its overview page.

The other way is to get the co-management workload ID from the SCCM database and translate it into a descriptive value, as blogged by Ben.

Although there is a co-management dashboard in the SCCM console, it is limited and you cannot click through the workloads to see further data.


And, I cannot find any reports available to see the workload information at a device level.

So, are you co-managed and interested in viewing the workloads applied to a specific device, including whether it is hybrid Azure AD joined or Azure AD joined and other important information, with one click from the Devices node of the SCCM console?

I have this covered for you in this blog post.

When you right-click a device in the SCCM console, you will see the Co-Mgmt Workloads icon; click on that.


If the device is co-managed and workloads are switched to Intune or kept with ConfigMgr, you will see the status in the workloads section.


If the device is not co-managed, you will see a red indicator with the workload status Not Co-Managed. This is something you need to troubleshoot further to get the device into a co-managed state.


This tool is not applicable to server OS, as co-management applies only to client OS (Windows 10 and later).

How to implement the changes?

Download the files (co-managed workloads.zip) from GitHub.

Extract the files; you will find comanagement.workloads.ps1 and a folder.

Edit Co-mgmt.Workloads.xml located inside the folder ed9dee86-eadd-4ac8-82a1-7234a4646e62

You need to edit line 19 with the location of the PowerShell script. You can copy comanagement.workloads.ps1 to your ConfigMgr admin console location or anywhere you have access.


"G:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\comanagement.workloads.ps1"

I copied it to the admin console install folder (bin).

Now copy the folder (ed9dee86-eadd-4ac8-82a1-7234a4646e62) to the XmlStorage\Extensions\Actions folder.

In my case, the actions folder is in G:\Program Files\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions

Close the SCCM console (if it is already open) and launch it again to see the changes.

I hope you find this tool useful for troubleshooting!

If you have any feedback on this tool or would like more device data added to it, please comment below.

SCCM Collections for devices with pending reboot


Long ago, I wrote a blog post on a report for finding devices with a pending reboot; more information is available at https://eskonr.com/2019/01/sccm-report-get-list-of-devices-with-pending-reboot-in-a-collection-with-different-states/

I was recently checking the Windows patching compliance of devices in SCCM and could see that software update compliance was not great, for various reasons.

Before digging deeper, the first thing was to check which devices had a pending reboot.

In this blog post, I will provide 2 collections that are useful for identifying devices with a pending reboot.

The following WQL query can be used to create a collection of all devices with a pending reboot.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System join sms_combineddeviceresources on sms_combineddeviceresources.resourceid = sms_r_system.resourceid where sms_combineddeviceresources.clientstate != 0

Of all the devices pending reboot, I want to further drill down to see the pending reboot devices with no user currently logged on.
The following is the WQL collection query to list all devices with pending reboot and no user currently logged-on.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System join sms_combineddeviceresources on sms_combineddeviceresources.resourceid = sms_r_system.resourceid where sms_combineddeviceresources.clientstate != 0
and sms_combineddeviceresources.CurrentLogonUser is NULL

You can further filter these queries, for example to show only online devices or devices whose last policy request is within 30 days.

Once you have the collection, you can either initiate the pending reboot from the collection using client notification (which inherits the client settings) or schedule a toast notification for device restart.

The following is a sample WQL query that includes multiple sub-select queries, such as hardware inventory older than 25 days and last policy request within 25 days.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System
where (SMS_R_System.ResourceId in (select SMS_R_System.ResourceID from SMS_R_System inner join SMS_G_System_WORKSTATION_STATUS on SMS_G_System_WORKSTATION_STATUS.ResourceID = SMS_R_System.ResourceId
where DATEDIFF(dd,SMS_G_System_WORKSTATION_STATUS.LastHardwareScan,GetDate()) > 25) or SMS_R_System.ResourceId not in (select ResourceID from SMS_G_System_WORKSTATION_STATUS)) and
SMS_R_System.ResourceId not in (select  SMS_R_System.ResourceID  from   SMS_R_System  inner join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId
where(DATEDIFF(dd,SMS_G_System_CH_ClientSummary.LastPolicyRequest,GetDate()) < 25))
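As an added example (not from the original post), the two pending-reboot collections above can be created from the ConfigurationManager PowerShell module rather than through the console. It assumes the admin console is installed on the machine (so SMS_ADMIN_UI_PATH is set), a placeholder site code of P01, and 'All Systems' as the limiting collection; the WQL is the same as above.

```powershell
# Added example (not from the original post): create the two pending-reboot collections
# from the WQL queries above with the ConfigurationManager PowerShell module.
# Assumptions: admin console installed locally, site code 'P01' (placeholder),
# and 'All Systems' as the limiting collection.
param(
    [string]$SiteCode = 'P01',
    [string]$LimitingCollection = 'All Systems'
)
$ErrorActionPreference = 'Stop'

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Same query as the post; ClientState != 0 means at least one pending-reboot reason is set
$baseQuery = @"
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System
join sms_combineddeviceresources on sms_combineddeviceresources.resourceid = sms_r_system.resourceid
where sms_combineddeviceresources.clientstate != 0
"@

$collections = @(
    @{ Name = 'Pending reboot - all devices';       Query = $baseQuery },
    @{ Name = 'Pending reboot - no user logged on'; Query = $baseQuery + ' and sms_combineddeviceresources.CurrentLogonUser is NULL' }
)

foreach ($c in $collections) {
    # Skip collections that already exist so the script is safe to re-run
    if (Get-CMDeviceCollection -Name $c.Name) {
        Write-Host "Collection '$($c.Name)' already exists, skipping"
        continue
    }
    # RefreshType Both = scheduled full evaluation plus incremental updates, so membership
    # follows ClientState changes without waiting for the next full evaluation
    $coll = New-CMDeviceCollection -Name $c.Name -LimitingCollectionName $LimitingCollection -RefreshType Both
    Add-CMDeviceCollectionQueryMembershipRule -CollectionId $coll.CollectionID -RuleName 'Pending reboot' -QueryExpression $c.Query
    Write-Host "Created '$($c.Name)' ($($coll.CollectionID))"
}
```

Because the no-user collection is the one you would hand to a restart deployment, keeping its query identical to the first one plus a single extra predicate makes it easy to see exactly which devices were excluded and why.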

image

I hope you will find these queries useful in day to day operations.

SCCM Software Update installation failed with error code 0x87D00664

I was approached by a customer who had issues deploying the March 2022 Windows 10 cumulative updates.

The error code and the screenshot are provided below.

The software updates failed with error code 0x87D00664 (-2016410012).

image

The error code 0x87D00664 translates to ‘Updates handler job was cancelled’.

There could be several reasons why updates fail. In this blog post, we will see how to troubleshoot the issue based on the information available in the client logs.

This is not a one-stop solution for every issue reported with error code 0x87D00664.

Let’s dive into the troubleshooting part.

For software updates troubleshooting, the important log files are listed below.

1. WUAHandler.log - Records details about the Windows Update Agent on the client when it searches for software updates.

2. UpdatesHandler.log - Records details about software update compliance scanning and the download and installation of software updates on the client.

3. UpdatesDeployment.log - Records details about deployments on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface.

So let’s look at each log and understand what is going on.

WUAhandler.log has the following error:

The installation job encountered some failures. Job Result = 0x80240022.

Update ID for the failed patch from the log file is: 6b5fa06e-2bec-411b-a3b0-bfb10bf50240.

image

The error code 0x80240022 translates to ‘Operation failed for all the updates’.

UpdatesHandler.log has some information related to the update ID that we are looking for.

Bundle update (6b5fa06e-2bec-411b-a3b0-bfb10bf50240) is requesting download from child updates for action (INSTALL)

IMaintenanceCoordinator::GetTaskState failed because MTC job has not been created yet.

image

No valuable information was found in this log either.

The next log to look at is UpdatesDeployment.log

image

The error code 0x87d00215 translates to ‘Item not found’.

The item-not-found error is due to the content failing to download from the distribution point before the update executes.

In the same log, I can see some more useful information on the content download progress, which is stuck at downloading.

Searching for the update ID 6b5fa06e-2bec-411b-a3b0-bfb10bf50240 shows:

Update (Site_E9267BCB-2995-4BF8-8CC8-A8CB5064F44C/SUM_6b5fa06e-2bec-411b-a3b0-bfb10bf50240) Progress: Status = ciStateDetecting, PercentComplete = 0, DownloadSize = 0, Result = 0x0
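Reading three logs by hand for one update ID gets tedious across many clients, so here is an added example (not from the original post) that scans WUAHandler.log, UpdatesHandler.log and UpdatesDeployment.log for the error codes discussed in this post and the state reported for the update. It assumes the CMTrace line format the client writes; the translations are the ones given above, and the three sample lines are constructed so the script runs offline when the real logs are absent.

```powershell
# Added example (not from the original post): scan the software update logs for the error
# codes discussed above and report the state of one update ID.
# Assumptions: CMTrace log format; code meanings as given in the post; sample lines are constructed.
param(
    [string]$LogFolder = 'C:\Windows\CCM\Logs',
    [string]$UpdateId  = '6b5fa06e-2bec-411b-a3b0-bfb10bf50240'
)

# Error codes and their meaning, as listed in the post
$knownCodes = @{
    '0x87D00664' = 'Updates handler job was cancelled'
    '0x80240022' = 'Operation failed for all the updates'
    '0x87D00215' = 'Item not found (content did not download from the DP)'
}

function ConvertFrom-CMTraceLine {
    # Pulls the message, component and timestamp out of one CMTrace-formatted line
    param([string]$Line)
    if ($Line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"') {
        [pscustomobject]@{
            Time      = "$($Matches.date) $($Matches.time)"
            Component = $Matches.comp
            Message   = $Matches.msg
        }
    }
}

function Find-UpdateErrors {
    param([string[]]$Lines, [string]$UpdateId)
    foreach ($entry in ($Lines | ForEach-Object { ConvertFrom-CMTraceLine $_ })) {
        if (-not $entry) { continue }
        # Normalise every 8-digit hex code in the message to 0xUPPER for the lookup
        $codes = [regex]::Matches($entry.Message, '0x[0-9A-Fa-f]{8}') | ForEach-Object { '0x' + $_.Value.Substring(2).ToUpper() }
        foreach ($code in $codes) {
            if ($knownCodes.ContainsKey($code)) {
                [pscustomobject]@{ Time = $entry.Time; Component = $entry.Component; Code = $code
                                   Meaning = $knownCodes[$code]; Message = $entry.Message }
            }
        }
        # Progress lines for the update we care about carry its CI state (e.g. ciStateDetecting)
        if ($entry.Message -like "*$UpdateId*" -and $entry.Message -match 'Status = (?<state>\w+)') {
            [pscustomobject]@{ Time = $entry.Time; Component = $entry.Component; Code = '-'
                               Meaning = "Update state: $($Matches.state)"; Message = $entry.Message }
        }
    }
}

# Constructed sample lines in the shape of WUAHandler.log / UpdatesDeployment.log (not a real capture)
$sample = @(
    '<![LOG[The installation job encountered some failures. Job Result = 0x80240022.]LOG]!><time="10:15:01.123+000" date="03-15-2022" component="WUAHandler" context="" type="3" thread="1234" file="cwuahandler.cpp:1">',
    '<![LOG[Update (Site_E9267BCB-2995-4BF8-8CC8-A8CB5064F44C/SUM_6b5fa06e-2bec-411b-a3b0-bfb10bf50240) Progress: Status = ciStateDetecting, PercentComplete = 0, DownloadSize = 0, Result = 0x0]LOG]!><time="10:15:02.456+000" date="03-15-2022" component="UpdatesDeploymentAgent" context="" type="1" thread="1234" file="updatesdeployment.cpp:1">',
    '<![LOG[Job failed with error 0x87d00215]LOG]!><time="10:15:03.789+000" date="03-15-2022" component="UpdatesDeploymentAgent" context="" type="3" thread="1234" file="x.cpp:1">'
)

# Use the real logs when present, otherwise fall back to the constructed sample
$lines = @()
foreach ($name in 'WUAHandler.log', 'UpdatesHandler.log', 'UpdatesDeployment.log') {
    $p = Join-Path $LogFolder $name
    if (Test-Path $p) { $lines += Get-Content $p }
}
if (-not $lines) { $lines = $sample }

Find-UpdateErrors -Lines $lines -UpdateId $UpdateId | Format-Table Time, Component, Code, Meaning -AutoSize
```

The state column is the useful part: an update that never leaves ciStateDetecting with DownloadSize = 0 is the signature seen here, and it tells you to go look at content access rather than at the Windows Update Agent.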

image

Microsoft has a very useful article on tracking the software update deployment process: https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/track-software-update-deployment-process

I also reviewed the CAS log and the other content download logs for the download from the distribution point, but I could not find any entries related to the deployed patch.

Now we need to verify whether the content of the patch has been distributed to the distribution point.

So let's switch to the SCCM server and verify that the patch is downloaded, successfully distributed to the distribution point, and present in the content library. All of this was verified, and it looks good.

What could go wrong at this stage? We have verified the client logs and the DP content on the SCCM side, and so far it all looks good.

After some further internal checks, I identified that the device had a security component (CyberArk Endpoint Privilege Manager) installed which was blocking the download of the patch, as seen in the EPM logs.

After adjusting some settings in the EPM tool, the client was able to download and install the patches successfully.

I hope you found this blog useful.

Download ConfigMgr builds while the evalcenter links are fixed

This is a quick post on recent inquiries on various forums (Twitter, Reddit and the Microsoft forums) about downloading the Configuration Manager evaluation build from the evalcenter.

If you try to download the Configuration Manager current branch or technical preview from the evalcenter using https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview , you will be redirected to https://www.microsoft.com/en-us/download and end up seeing the following screen.

image

Currently, the Evaluation Center links for downloading OS and application builds are broken or down, and Microsoft is working on it.

For those who do not have access to MSDN, VLSC or a Visual Studio subscription to download the media, you can use the following links to download the latest builds for Configuration Manager current branch or Technical Preview.

ConfigMgr 2203 current branch Eval - https://aka.ms/MECM2203CB-Eval

ConfigMgr 2202 technical preview baseline - https://aka.ms/MECM2202TP-Baseline

Thanks to Yvette O'Meally for arranging the links.

Hope it helps!

Update scan failed due to Group policy settings were overwritten by a higher authority

A few years ago, I blogged about client update scan failures caused by GPOs: https://eskonr.com/2014/10/sccm-configmgr-2012-software-update-scan-error-group-policy-settings-were-overwritten-by-a-higher-authority-error-code-0x87d00692/

Introduction:

When the software update point is configured for a site, client computers receive a machine policy that provides the active software update point server name (WSUS) and configures the Specify intranet Microsoft update service location local policy on the client device.

The windows update agent retrieves the server name (WSUS) specified in the Set the intranet update service for detecting updates setting, and then connects to this server when it scans for software updates compliance.

Problem:

I was troubleshooting server clients where the software update scan was failing. I noticed that it failed on the majority of servers but not on workstations.

For a client to receive the software updates from SCCM, it must first complete a software update scan successfully.

Software update scan details are tracked in the wuahandler.log located in C:\windows\ccm\logs (client location).

Unable to read existing WUA resultant policy. Error = 0x80070002.

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server  and Policy NOT CONFIGURED

Failed to Add Update Source for WUAgent of type (2) and id ({B9DB41D0-CCA2-4FC4-BC70-5EC97B1FC1A2}). Error = 0x87d00692.

image

Based on the error, the first check is to review the GPOs applied to the device with the help of RSOP.MSC (run as administrator) and gpresult on the local machine.

From RSOP.MSC and gpresult, I could only see the following setting in the Windows Update section, which does not conflict with the GPO. Since these are servers, the preference is to disable automatic updates (Windows side).

image

The next step is to look at the local group policy (gpedit.msc) to see if the SCCM client has set ‘Set the intranet update service for detecting updates’ with the WSUS entries.

I can see there are 2 settings configured by the client correctly. These are coming from the device client settings.

image

Next, look at the registry for any Windows Update entries at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

There are no entries found in the registry location for WUServer.

I also reviewed registry.pol (c:\windows\system32\grouppolicy\machine\registry.pol); it has the WSUS entries updated correctly.

The next location is the event viewer for GPO entries; I could not find any errors or warnings there either.

During the investigation, I noticed the GPO applied to the client: ‘Turn off Local Group Policy Objects processing’.

If you enable this policy, the client or the system does not process and apply any Local GPOs.

image

The fix:

The GPO setting must be set to either Not Configured or Disabled. Once the configuration is changed, the local GPO configured by the client for WSUS will be picked up by the client and the update scan will complete.

Is there any workaround without making changes to the GPO?

The SCCM client has already applied the local GPO with the WSUS server name and port number; however, it is not processed due to the GPO block.

I could not find any other method to get the update scan working without modifying the ‘Turn off Local Group Policy Objects processing’ setting.

Temporary solution: turn this policy off once at the OU level, let the client process the local GPO, and once this is done revert the GPO; it should be fine as long as the client is not reinstalled. Any new server that is onboarded and has the client installed will have the same issue again.
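The checks walked through above (policy registry, registry.pol, WUAHandler.log, and the blocking GPO) can be collected in one script, added here as an example and not part of the original post. It assumes that ‘Turn off Local Group Policy Objects processing’ is stored as HKLM\SOFTWARE\Policies\Microsoft\Windows\System\DisableLGPOProcessing = 1, and that the effective WSUS settings live under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

```powershell
# Added example (not from the original post): gather on a client the evidence used above to
# explain why the WSUS source set by the ConfigMgr client is not taking effect.
# Assumptions: DisableLGPOProcessing under ...\Policies\Microsoft\Windows\System backs the
# 'Turn off Local Group Policy Objects processing' GPO; WUServer under ...\Windows\WindowsUpdate
# is the effective WSUS policy value.
function Get-WsusPolicyState {
    $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $wu  = Get-ItemProperty -Path $wuKey  -ErrorAction SilentlyContinue
    $sys = Get-ItemProperty -Path $sysKey -ErrorAction SilentlyContinue

    # The client writes its WSUS entries into the local registry.pol; if LGPO processing is
    # turned off, that file is never applied and WUServer never reaches the policy registry
    $lgpoBlocked = ($sys.DisableLGPOProcessing -eq 1)
    $registryPol = Test-Path "$env:windir\System32\GroupPolicy\Machine\registry.pol"
    $wuaLog      = "$env:windir\CCM\Logs\WUAHandler.log"
    $overwritten = (Test-Path $wuaLog) -and (Select-String -Path $wuaLog -Pattern 'overwritten by a higher authority' -Quiet)

    if ($lgpoBlocked -and -not $wu.WUServer) {
        $diagnosis = 'Local GPO processing is turned off; the WSUS entries set by the client cannot apply'
    } elseif (-not $wu.WUServer) {
        $diagnosis = 'No WUServer in the policy registry; check domain GPO scope and client policy'
    } else {
        $diagnosis = "WSUS policy present: $($wu.WUServer)"
    }

    [pscustomobject]@{
        WUServer           = $wu.WUServer
        WUStatusServer     = $wu.WUStatusServer
        LocalGpoBlocked    = $lgpoBlocked
        LocalRegistryPol   = $registryPol
        ScanOverwriteError = $overwritten
        Diagnosis          = $diagnosis
    }
}

Get-WsusPolicyState | Format-List
```

The combination LocalGpoBlocked = True, LocalRegistryPol = True and WUServer empty is exactly the situation in this post: the client did its job, and a domain GPO is preventing the result from being applied.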

Hope this helps!

Continue reading

Troubleshoot software update management in Configuration Manager

Troubleshoot software update scan failures in Configuration Manager

Right-click installer tools unable to register correctly with SCCM console

I was installing the famous SCCM right-click tools from Recast Software (there are other right-click tools as well) on a freshly installed SCCM site for a customer. The installation of the right-click tools went well, but the console did not seem to register them: there is no option when you right-click on a collection to perform tasks such as adding devices to the collection.

image

I looked at the XmlStorage extensions folder; there are over 6500 files there. I closed and relaunched the console to see if that helps; the issue persists.

image

I recall that starting with Configuration Manager 2103, Microsoft added the Console Extensions node, which lets you manage the approval and installation of console extensions.

By default, the Only allow console extensions that are approved for the hierarchy setting is enabled.

image

You can also find the approved console extensions in the Console Extensions node in the Administration pane.

image

As you can see above, the right-click tools are not in the approved state hence the issue.

How to fix this issue?

1. Disable the setting in the hierarchy settings properties and run the setup again (copy the tool and run the installer).

2. Download the console extensions from the Community hub.

image

Click on Download.

image

image

Once the download is successful, go to Administration, Console Extensions; you will see the extension listed there.

image

Select the tool and approve it for installation.

image

Once it is approved for installation, you can install the extensions from the console.

image

image

The console will auto close and update the extensions.

image

Launch the console; you will see the right-click tools on the collection menu and as a separate node as well.

image

Hope it helps!

Continue to read

About the Console Extensions node https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/admin-console-extensions#about-the-console-extensions-node

Get console extensions https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/admin-console-extensions#get-console-extensions

https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/import-admin-console-extensions


Tool for managing the import and export of SSRS report – ReportSync Tool

Have you ever had difficulties importing, exporting or migrating SSRS reports from one ConfigMgr infrastructure to another? If so, how do you migrate reports? When I work with my customers on SCCM hardware migrations, and especially on the SSRS reports, I always use a tool rather than PowerShell scripts.

To get the SSRS reports out of Configuration Manager, you can run the SSRS reports, download the reports manually in .rdl format and upload them to the other SSRS report server. This is fine when you have a single-digit number of reports. What if you have a large number of reports and you want to migrate them from the source SSRS to the destination SSRS with the same folder structure? Doing it manually takes a lot of time and is not an efficient way of working.

This blog post discusses how to migrate reports and how to download and upload your custom reports to the ConfigMgr SSRS folder.

During my search, I found a tool called ReportSync that does the following:

  • Sync reports between two SSRS servers.
  • Download RDL files from SSRS to a local PC.
  • Upload RDL files to an SSRS server.
  • Attach data sources automatically on upload (the data source name given in the report must exist on the server).

I use this tool often while working with SSRS reports, since it gives me the flexibility to upload multiple reports to a specific folder in SSRS (the default SSRS web portal allows only one at a time).

Download the tool from https://code.google.com/p/reportsync/

Run the Tool

image

This tool contains two sections: 1) Source SSRS Web Service and 2) Destination SSRS Web Service.

As I said before, you can use this tool to download SSRS reports to a local drive, migrate reports between SSRS servers, and upload reports from a drive.

If you want to download the report (.RDL) files from your SSRS server (ConfigMgr 2007 or 2012), enter the source URL, a user that has permissions to connect to SSRS, and the password in the Source SSRS Web Service section, and click on Load.

How do you get the right SSRS URL that has been configured in your environment?

From your ConfigMgr server or SQL Server, launch the Reporting Services Configuration Manager tool and look for the Web Service URL.

image

After you run the tool, it takes a few seconds or a minute to load the reports from your SSRS folder.

image

Select the reports that you want, provide the local path to store these reports (.RDL files) and click on Download.

Each category you see in this tool will be created as a folder in your local path.

The reports folder looks like this:

image

You can also upload your customized reports to the destination server, sync, and use the other functions of this tool.

In case you have any issues with this tool, feel free to post in the comment section.
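For readers who do prefer a script for the download half of this job, here is an added example that is not part of the post and not ReportSync's code. It talks to the SSRS ReportService2010 web service (the same Web Service URL from Reporting Services Configuration Manager), walks a folder recursively, and writes each report's RDL to disk mirroring the SSRS folder structure, which is what makes a later upload to the destination keep the same layout. The server name and source folder are placeholders.

```powershell
# Added example (not part of the post, not ReportSync's code): download every RDL under an SSRS
# folder tree, keeping the folder structure, via the ReportService2010 web service.
# Assumptions: $WebServiceUrl is the Web Service URL from Reporting Services Configuration Manager
# (placeholder host), $SourceFolder is a placeholder, and the caller has Browser rights there.
function Export-SsrsReports {
    param(
        [string]$WebServiceUrl = 'http://ssrs01/ReportServer/ReportService2010.asmx',
        [string]$SourceFolder  = '/ConfigMgr_P01',
        [string]$Destination   = 'C:\Temp\RDL'
    )
    # Windows-integrated auth, so no password is handled by the script at all
    $rs = New-WebServiceProxy -Uri "$WebServiceUrl?wsdl" -UseDefaultCredential

    # ListChildren with recursive = $true returns reports, folders and data sources below the folder
    $items = @($rs.ListChildren($SourceFolder, $true) | Where-Object { $_.TypeName -eq 'Report' })
    foreach ($item in $items) {
        # Mirror the SSRS path under $Destination so the upload keeps the same structure
        $relative = $item.Path.Substring($SourceFolder.Length).TrimStart('/') -replace '/', '\'
        $file = Join-Path $Destination "$relative.rdl"
        New-Item -ItemType Directory -Path (Split-Path $file -Parent) -Force | Out-Null

        # GetItemDefinition returns the report definition (RDL) as raw bytes
        [byte[]]$rdl = $rs.GetItemDefinition($item.Path)
        [System.IO.File]::WriteAllBytes($file, $rdl)
        Write-Host "Saved $($item.Path) -> $file"
    }
    $items.Count
}

Export-SsrsReports
```

The function returns the number of reports exported so it can be compared with what the destination shows after upload; a mismatch usually means a report's data source name did not exist on the destination, which is the same caveat the tool has.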

Hope it helps!

How to migrate standalone MBAM to SCCM for bitlocker

We all know that Microsoft BitLocker Administration and Monitoring (MBAM) is an administrative tool for managing BitLocker Drive Encryption on Windows devices that are on-prem domain joined.

MBAM mainstream support ended in July 2019 and it is currently in extended support until April 2026.

To know more about mainstream support and extended support, please read the article https://learn.microsoft.com/en-us/lifecycle/policies/fixed.

Considering the support for MBAM, what other alternative tools/products do we have to manage the BitLocker feature?

Microsoft incorporated the MBAM features into Configuration Manager (SCCM) starting with version 1910, and since then it has improved a lot with new features. Microsoft Intune is an alternative approach and is the future.

To know about the migration of the MBAM server to Microsoft Endpoint Manager (Intune), please read the article https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/mbam-server-migration-to-microsoft-endpoint-manager/ba-p/2192984

Read the considerations from MBAM to SCCM https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/migration-considerations

In this blog post, I would like to provide the steps that I have used to migrate standalone MBAM to SCCM for my customers.

These migration steps assume that you are using an MBAM server with a GPO configuration policy (BitLocker settings).

You want to migrate the clients from MBAM and continue to SCCM for the BitLocker feature.

Before we start the migration process, make sure your current SCCM infra has the BitLocker feature enabled and configured. Follow the Microsoft article on how to enable the bitlocker feature https://learn.microsoft.com/en-us/mem/configmgr/protect/plan-design/bitlocker-management#prerequisites

Enabling the BitLocker feature in SCCM is independent of your current MBAM setup. You can simply enable BitLocker management in SCCM, but don't create or deploy any BitLocker policies to your client collections yet.

Once you have enabled the BitLocker feature in SCCM and it is in working condition (verify whether the IIS web portals are working), we need to collect the settings from the existing MBAM setup that you configured in the GPO, such as encryption method and cipher strength.

Go to your GPOs and identify the policy that has the BitLocker settings configured, such as the BitLocker cipher strength (AES 128, AES 256, etc.). This is one of the important settings we will need for SCCM.

image

Once you have the information, go to the SCCM console, Endpoint Protection, and create a new BitLocker policy with settings matching the GPO.

image

If there is any difference in the BitLocker policy settings (for example algorithm 128 vs. 256) between MBAM and SCCM, there will be conflicts when you deploy to the collection and you may see unexpected results.

If you would like to change the encryption algorithm, for example from 128 (MBAM) to 256 (SCCM), you need to decrypt the disk first before you encrypt it using 256.

Note: what happens if you deploy a BitLocker policy from SCCM with a 256 encryption algorithm to devices that are already BitLocker-encrypted with a different algorithm by MBAM?

In my testing, the SCCM client evaluates the policy and reports the device as non-compliant due to the mismatch in configuration settings (the key still escrows despite being non-compliant), without causing any trouble on the device.
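Because the algorithm mismatch is what produces the non-compliant result, it pays to inventory what MBAM actually applied before writing the SCCM policy. The following is an added example (not from the original post) that lists each volume's encryption method and recovery key protector IDs and flags whether it would match a given SCCM policy method. It assumes the BitLocker PowerShell module is available (Windows 8 / Server 2012 and later) and uses XtsAes256 as a placeholder for the method configured in your SCCM policy.

```powershell
# Added example (not from the original post): compare each volume's current BitLocker
# encryption method with the method you intend to configure in the SCCM policy.
# Assumptions: BitLocker PowerShell module present; $ExpectedMethod is a placeholder.
function Test-BitLockerPolicyMatch {
    param(
        [string]$ExpectedMethod = 'XtsAes256'   # placeholder: set to the method in your SCCM policy
    )
    foreach ($vol in Get-BitLockerVolume) {
        # Three outcomes, matching the behaviour described in the post
        $assessment = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            'Not encrypted (SCCM will encrypt and escrow)'
        } elseif ("$($vol.EncryptionMethod)" -eq $ExpectedMethod) {
            'Matches policy (keys will escrow, compliant)'
        } else {
            'Mismatch (expect non-compliant; decrypt before re-encrypting with the new method)'
        }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protection       = $vol.ProtectionStatus
            # Recovery password protector IDs: these are the IDs you later look up in the site database
            RecoveryKeyIds   = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object KeyProtectorId) -join ','
            Assessment       = $assessment
        }
    }
}

Test-BitLockerPolicyMatch | Format-Table -AutoSize
```

Run it on a handful of MBAM-managed devices from different OUs before creating the SCCM policy; if they disagree with each other on EncryptionMethod, you have more than one MBAM GPO in play and need a matching SCCM policy per collection.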

Once you have created the BitLocker policy with settings that match your MBAM GPO, create a collection and add a few devices to it.

Deploy the bitlocker policy to the test collection that you have created above.

Initiate the machine policy cycle or wait for the policy to trigger on the machine. If you cannot wait, run the machine policy cycle, go to the PC, and initiate the bitlocker policy from the configuration tab in the configuration manager applet.

Wait for the device to evaluate the policy and escrow the key to SCCM using the recovery service.

Read the client log BitlockerManagementHandler.log, located in C:\windows\ccm\logs, for troubleshooting purposes.

Note: when you deploy the BitLocker policy to the collection and the device is already BitLocker-encrypted by MBAM, the SCCM client simply validates the settings; if they match, the client escrows the keys to the SCCM database, and this process has no impact on the end user.

This entire process happens silently in the background.

If the client is encrypted with different settings than what you deploy from SCCM, the client will simply report to SCCM as non-compliant due to the mismatch in the settings. https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent#re-encryption

image

If the client is not encrypted by MBAM but is in the SCCM deployment, the SCCM client evaluates the policy, performs the BitLocker encryption and escrows the key to the SCCM server.

Note: Microsoft deprecated key escrow via the Recovery Service a long time ago, so the SCCM client escrows the key directly via the current MP using a secure channel.

Now check whether the client's BitLocker key is available in the SCCM database using the following SQL query.

select a.Name, b.VolumeId, c.RecoveryKeyId, c.RecoveryKey, c.LastUpdateTime
from dbo.RecoveryAndHardwareCore_Machines a
inner join dbo.RecoveryAndHardwareCore_Machines_Volumes b ON a.Id = b.MachineId
inner join dbo.RecoveryAndHardwareCore_Keys c ON b.VolumeId = c.VolumeId
where a.name ='cmcb-w11-03'

Run the self-service portal and helpdesk portal for recovery keys and confirm that the BitLocker functionality is working.
SCCM also comes with enterprise BitLocker reports as part of the default SCCM reports. You can make use of these reports as well to check the BitLocker compliance status.

image

At this stage, we have created the bitlocker policy in SCCM and deployed it to our test collection, validated the key in the database, and also reports.

In addition to this, if you are provisioning the devices using SCCM (imaging), you can make use of the task sequence to perform bitlocker (silent) during the imaging process itself. Read the article from Niall Brady https://www.niallbrady.com/2022/03/03/escrow-bitlocker-recovery-password-to-the-site-during-a-task-sequence-in-configuration-manager-2203/

image

We will now expand the SCCM BitLocker policy deployment to the other collections (staggered approach) until we reach the end.

Monitor the deployment status using the console and the compliance reports.

At this stage, you need to decide whether you would like to stop new devices being managed by MBAM for BitLocker. If so, take the database backup and/or back up the keys from the MBAM database to a secure location.

Once you have migrated all the clients from MBAM to SCCM, we start the decommissioning of MBAM and its GPOs.

Start by unlinking the GPO on one OU and monitor the feedback (there should not be any issues). Wait for a day or two and continue the approach on all the OUs until you reach the end.

Plan to shut down the server for 1-2 weeks before decommissioning it.

Remove the MBAM GPOs.

Thank you for reading the post and let me know your feedback via the comments section.

References:

https://learn.microsoft.com/en-us/answers/questions/738022/move-standalone-mbam-to-sccm-integrated-mbam.html

https://www.niallbrady.com/2020/01/19/learn-about-mbam-in-microsoft-endpoint-configuration-manager-version-1910-part-8-migration/

https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/migration-considerations

SCCM Client HTTP Error sending DAV request HTTP code 503 content download issue

This is a quick blog post on an issue that I recently looked at regarding the client issue with content download from the distribution point.

Clients in one specific boundary were not able to download content from their assigned distribution point.

Although the client was healthy and the inventory cycle was up to date, content download from the DP was failing.

I looked at the client logs, especially DataTransferService.log, which tracks content download from the distribution point.

The following errors were logged in DataTransferService.log:

[CCMHTTP] ERROR INFO: StatusCode=503 StatusText=

GetDirectoryList_HTTP Error sending DAV request. HTTP code 503, status 'Service Unavailable'

[CCMHTTP] ERROR: URL=http://SGCM01:80/SMS_DP_SMSPKG$/Content_18138fe6-0b71-4590-b6ac-16d6af0ba673.1, Port=80, Options=1216, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE

DTSJob({3DED9C85-4798-4D9B-A857-C9F933DF2C74}):CDTSJob::ProcessManifestCallback - Error retrieving manifest (0x800705b4).

image

I tried accessing the URL http://SGCM01:80/SMS_DP_SMSPKG$/Content_18138fe6-0b71-4590-b6ac-16d6af0ba673.1 in the browser, but the request did not succeed.

Based on the above error codes and the URL connectivity, the issue seems to be related to IIS on the distribution point.

After logging on to the distribution point and looking at the IIS configuration, there were a couple of security prompts (Bit9) on the server about the wmiprvse.exe and w3wp.exe processes.

In IIS Manager, under Application Pools, the SMS Distribution Points Pool is stopped.

image

For clients to be able to download content successfully, this application pool must be running.

The application pool stops again immediately after being started. Looking at the event viewer, there was a security agent (Bit9) installed on the server which was blocking the application pool.

Looking at the Bit9 security agent, there were many errors about this specific IIS pool.

After adding the following paths to the Bit9 exclusion list, the application pool started working and clients were able to download content as usual.

  • %windir%\System32\inetsrv\w3wp.exe
  • %windir%\SysWOW64\inetsrv\w3wp.exe
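A small health check for the DP side of this symptom, added here as an example and not part of the original post: it reads the application pool state, starts the pool if it is stopped, re-reads it a few seconds later (a pool that stops again right away points at something external killing w3wp.exe, as in this post), and then makes a HEAD request against the content URL the client logged. It assumes it runs on the DP with the WebAdministration module, uses the pool name as shown in the screenshot above, and uses the URL from the log as the default.

```powershell
# Added example (not from the original post): check the DP application pool and content URL
# after a client logs HTTP 503 on a DAV request.
# Assumptions: run on the DP; WebAdministration module available; pool name as shown in IIS.
function Test-DistributionPointContent {
    param(
        [string]$PoolName   = 'SMS Distribution Points Pool',
        [string]$ContentUrl = 'http://SGCM01:80/SMS_DP_SMSPKG$/Content_18138fe6-0b71-4590-b6ac-16d6af0ba673.1'
    )
    Import-Module WebAdministration

    $pool = Get-WebAppPoolState -Name $PoolName
    $restarted = $false
    if ($pool.Value -ne 'Started') {
        Write-Warning "$PoolName is $($pool.Value); starting it"
        Start-WebAppPool -Name $PoolName
        $restarted = $true
        Start-Sleep -Seconds 5
        # If it is already stopped again, w3wp.exe is being terminated by something outside IIS;
        # check the Application/System event logs and the security agent's own console
        $pool = Get-WebAppPoolState -Name $PoolName
    }

    # HEAD keeps the check cheap; a 503 here with a running pool means the request is not reaching w3wp.exe
    try {
        $resp = Invoke-WebRequest -Uri $ContentUrl -Method Head -UseDefaultCredentials -UseBasicParsing
        $http = [int]$resp.StatusCode
    } catch {
        $http = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { "error: $($_.Exception.Message)" }
    }

    [pscustomobject]@{
        AppPool           = $PoolName
        PoolState         = $pool.Value
        RestartAttempted  = $restarted
        ContentHttpStatus = $http
    }
}

Test-DistributionPointContent | Format-List
```

PoolState = Stopped with RestartAttempted = True is the pattern from this post; fixing it is a matter of the exclusions above, not of IIS configuration.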

Microsoft has published an article on Configuration Manager Current Branch Antivirus Exclusions. This is a must-read for running a successful SCCM device management solution.

Hope you find this blog useful.

References:

Configuration Manager Current Branch Antivirus Exclusions

Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients

Troubleshooting Co-Management wufb Workloads and the WMI StateMsg Namespace

Introduction:

Organizations are continually seeking more efficient ways to manage and deploy Windows updates. Moving Windows Update for Business (WUfB) workloads from SCCM to Intune is a popular choice for achieving modern management and ensuring seamless updates.

However, this migration process can sometimes reveal unexpected challenges.

In this blog post, we'll explore an interesting issue that I faced during the migration of WUfB workloads from SCCM to Intune.

This issue pertained to client devices experiencing difficulties with WUfB workloads, as indicated by non-compliant error messages in the logs. We'll go into what "non-compliant" means in this context and discuss how to resolve the problem.

Understanding WUfB Workloads:

Before we dive into the troubleshooting process, let's first establish some background. WUfB workloads are an essential part of modern management for managing Windows updates using Intune.

Once workloads are moved to a pilot collection or Intune, it is expected that client devices receive policies and process these workloads.

Before moving the WUfB workload to Intune, the client had already received some workloads, as shown below.

image

In case you have assigned the WUfB ring policies to devices where the WUfB workload was not moved successfully, the WUfB ring status shows Not applicable.

image

The Challenge:

After the WUfB workload was moved to Intune, the Intune-managed workloads hadn't changed as expected. Upon investigating the client logs, specifically CoManagementHandler.log, I discovered the following error message:

"Failed to process SET for assignment (ScopeId_B2BF025F-3D87-43A5-8125-449D55F8CCA6/ConfigurationPolicy_82e8efbb-1955-4890-ac6e-266c77edce38 : 7). Error 0x80041013."

The error code "0x80041013" translates to a provider load failure within Windows Management Instrumentation (WMI).

For more detail on the co-management policies, there is another log, SettingsAgent.log, which provides information related to the enforcement of specific applications, records the orchestration of application group evaluation, and details the co-management policies.

The information retrieved from the "SettingsAgent.log" is below.

"Id = {DE9AE64E-340D-4C32-A48D-848AE4B0C3AB}; ClientMachine = APS-567GHA48 NT AUTHORITY\SYSTEM; ClientProcessId = 4328."

It also contained the following entry:

"Start IWbemServices::ExecQuery - root\ccm\StateMsg : SELECT * FROM CCM_StateMsg WHERE TopicType='401' AND TopicID='ScopeId_B2BF025F-3D87-43A5-8125-449D55F8CCA6/Baseline_db1d21e6-b445-4ad8-9ca8-7beea9c82909/4' AND UserSID=''; PossibleCause = Unknown."

This log entry indicated an issue querying data from "StateMsg."

image

Resolution:

The root of the problem appeared to be a corrupted StateMsg namespace. To fix this, I attempted to recompile StateMessageProvider.mof using the following steps:

  1. mofcomp C:\Windows\CCM\StateMessageProvider.mof
  2. net stop winmgmt
  3. net start winmgmt
  4. Run the co-management baseline policy from the Configuration Manager applet.

image

However, even after these steps, the error persisted, and the client continued to experience a provider load failure.

Before trying an uninstall and reinstall of the SCCM client, I took a different approach and decided to use ccmrepair.exe, located in the C:\windows\ccm folder.

After successfully running ccmrepair.exe, I attempted the WMI query again, and this time the error message no longer appeared in the log file.

With the CoMgmtSettingsProd baseline policy initiated from the Configuration Manager applet, the WUfB workload was finally processed successfully.

But what's the connection between the WUfB workload processing and the WMI StateMessage query? Why does the client device check the StateMessage before processing the WUfB workload?

Key insight:

Before a device can process any workloads from SCCM, it first checks if "CoMgmtAllow" and "AutoEnroll" settings are already compliant. This compliance data is stored in the "StateMsg" namespace within WMI. In our case, the "StateMsg" namespace was corrupted, which prevented the workload from being processed and led to a non-compliant status in the logs.

Running the Remediation Script:

To identify devices with similar symptoms, the following PowerShell script can be used to detect and fix devices exhibiting the symptoms described above. Test this script before deploying it to a large number of devices.

<#
Script Name: Remediate - StateMsg WMI Status
Description: Fix the StateMsg namespace issue for co-management WUfB workload processing.
#>

# WMI query to the StateMsg namespace. The provider-load error is suppressed so the
# result can be tested below instead of surfacing as a red error in the remediation output.
# Note: an empty result set (no TopicType 401 messages yet) also lands in the "failed" branch.
$wmiObject = Get-WmiObject -Namespace root\ccm\StateMsg -Query "SELECT * FROM CCM_StateMsg WHERE TopicType='401'" -ErrorAction SilentlyContinue

# Check if the query was successful
if ($wmiObject) {
    # Query was successful
    Write-Host "StateMsg is working"
} else {
    # Query failed
    try {
        # Run ccmrepair.exe and wait for it to return. -ErrorAction Stop turns a launch
        # failure (missing file, access denied) into a terminating error so the catch block runs.
        Start-Process -FilePath "C:\windows\ccm\ccmrepair.exe" -Wait -ErrorAction Stop
        Write-Host "StateMsg not working, ccmrepair.exe success"
    } catch {
        Write-Host "StateMsg not working, ccmrepair.exe failed: $($_.Exception.Message)"
    }
}
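As an added example that is not part of the original post, the script below extends the remediation above in three ways a practitioner usually wants before deploying it widely: it treats only a failing query (not an empty result set) as a broken namespace, it waits for the repair to finish and re-checks before reporting success, and it triggers the co-management baseline evaluation from WMI instead of the Configuration Manager applet, so the whole fix is hands-off. It assumes the baseline display name "CoMgmtSettingsProd" from the post, the client's SMS_DesiredConfiguration class and its TriggerEvaluation method in root\ccm\dcm (the standard client baseline interface; the four-argument form Name/Version/IsEnforced/PolicyType is my assumption), and that ccmrepair.exe hands the actual repair off to ccmsetup.exe, which is why it waits for that process. Exit codes follow the detection/remediation convention (0 healthy, 1 needs attention).

```powershell
# Added example, not from the original post. See the lead-in for assumptions.
$BaselineDisplayName = 'CoMgmtSettingsProd'                      # name taken from the post
$CcmRepair = Join-Path $env:SystemRoot 'CCM\ccmrepair.exe'

function Test-StateMsgNamespace {
    # True when the StateMsg provider loads and answers a query. No WHERE clause:
    # a namespace with zero TopicType 401 messages is still healthy, so only an
    # error raised by the provider counts as a failure.
    try {
        $null = Get-CimInstance -Namespace 'root\ccm\StateMsg' -ClassName 'CCM_StateMsg' -ErrorAction Stop
        return $true
    } catch {
        Write-Host "StateMsg query failed: $($_.Exception.Message)"
        return $false
    }
}

function Invoke-BaselineEvaluation {
    param([Parameter(Mandatory)][string]$DisplayName)
    $baseline = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' -ErrorAction Stop |
        Where-Object { $_.DisplayName -eq $DisplayName } | Select-Object -First 1
    if (-not $baseline) {
        Write-Host "Baseline '$DisplayName' is not assigned to this client"
        return $false
    }
    # Equivalent of clicking Evaluate on the baseline in the applet (assumed method signature).
    $result = Invoke-CimMethod -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' `
        -MethodName 'TriggerEvaluation' -ErrorAction Stop -Arguments @{
            Name       = $baseline.Name
            Version    = $baseline.Version
            IsEnforced = [bool]$baseline.IsEnforced
            PolicyType = [uint32]$baseline.PolicyType
        }
    Write-Host "TriggerEvaluation for '$DisplayName' returned $($result.ReturnValue)"
    return ($result.ReturnValue -eq 0)
}

function Repair-CcmClient {
    # Assumption: ccmrepair.exe hands off to ccmsetup.exe and returns quickly, so wait
    # for ccmsetup to exit and for the agent service to come back before re-testing.
    if (-not (Test-Path $CcmRepair)) { throw "ccmrepair.exe not found at $CcmRepair" }
    $proc = Start-Process -FilePath $CcmRepair -Wait -PassThru -ErrorAction Stop
    Write-Host "ccmrepair.exe exited with $($proc.ExitCode)"
    $deadline = (Get-Date).AddMinutes(20)
    while ((Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 15
    }
    (Get-Service -Name CcmExec).WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
    Start-Sleep -Seconds 30   # give the WMI providers time to register after the service starts
}

try {
    if (-not (Test-StateMsgNamespace)) {
        Write-Host 'StateMsg namespace is broken, running ccmrepair.exe'
        Repair-CcmClient
        if (-not (Test-StateMsgNamespace)) {
            Write-Host 'StateMsg namespace still broken after ccmrepair.exe'
            exit 1
        }
    }
    Write-Host 'StateMsg namespace OK, re-evaluating the co-management baseline'
    if (Invoke-BaselineEvaluation -DisplayName $BaselineDisplayName) { exit 0 }
} catch {
    Write-Host "Remediation failed: $($_.Exception.Message)"
}
exit 1
```

Run it elevated on a client that shows the provider load failure; a healthy client skips the repair and only re-evaluates the baseline, which is what makes the script safe to target at a broader collection than the original, query-only version. The CoMgmtAllow and AutoEnroll compliance state can then be checked the same way the post describes, in the StateMsg namespace and the co-management logs.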

Hope you find this post useful.

Enhancing Troubleshooting with Verbose Logging in SCCM


Verbose logging is a powerful tool that provides a detailed record of events, actions, and errors, making it invaluable for troubleshooting, diagnosing issues, and monitoring activities.

When enabled, verbose logging offers an enhanced view of what's happening within the client, offering deeper insights that can prove essential for IT administrators and support personnel.

By default, SCCM keeps verbose logging disabled. This conservative approach prevents the client from generating extensive log files. However, when tackling complex problems or investigating unusual behavior, verbose logging becomes an essential ally.

Here, we'll explore how to enable and disable verbose logging at the client level in SCCM using PowerShell commands. These commands allow you to quickly switch between standard and verbose logging as needed.

Enable-Verbose.ps1

# LogLevel 0 = verbose; raise the per-file size and the number of rolled-over copies to keep
Set-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\CCM\Logging\@GLOBAL' -Name LogLevel -Value 0 -ErrorAction SilentlyContinue
Set-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\CCM\Logging\@GLOBAL' -Name LogMaxSize -Value 15500000 -ErrorAction SilentlyContinue
Set-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\CCM\Logging\@GLOBAL' -Name LogMaxHistory -Value 5 -ErrorAction SilentlyContinue
# Debug logging lives in its own subkey; create it if missing, then switch it on (REG_SZ "True")
New-Item -Path 'Registry::HKLM\SOFTWARE\Microsoft\CCM\Logging' -Name DebugLogging -Force -ErrorAction SilentlyContinue | Out-Null
Set-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\CCM\Logging\DebugLogging' -Name Enabled -Value 'True' -ErrorAction SilentlyContinue
# The agent reads these values at start-up
Restart-Service ccmexec

Disable-Verbose.ps1

# LogLevel 1 = default; restore the default size and history values
Set-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\CCM\Logging\@GLOBAL' -Name LogLevel -Value 1 -ErrorAction SilentlyContinue
Set-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\CCM\Logging\@GLOBAL' -Name LogMaxSize -Value 250000 -ErrorAction SilentlyContinue
Set-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\CCM\Logging\@GLOBAL' -Name LogMaxHistory -Value 2 -ErrorAction SilentlyContinue
# Switch debug logging off (REG_SZ "False")
New-Item -Path 'Registry::HKLM\SOFTWARE\Microsoft\CCM\Logging' -Name DebugLogging -Force -ErrorAction SilentlyContinue | Out-Null
Set-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\CCM\Logging\DebugLogging' -Name Enabled -Value 'False' -ErrorAction SilentlyContinue
# The agent reads these values at start-up
Restart-Service ccmexec

 

These PowerShell scripts allow you to enable or disable verbose logging quickly. They set various parameters within the Windows Registry that control SCCM's logging behavior. Remember to restart the "ccmexec" service to apply the changes.
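As an added example that is not the post's own code, the two scripts above can be folded into a single function that also reads the values back after the "ccmexec" restart, so whoever deploys it can confirm the change actually took effect and can see at a glance whether a client was left in verbose mode. The registry paths and values are exactly the ones used in the post; the function names, the Mode parameter and the wait timeout are my choices.

```powershell
# Added example, not from the original post: the Enable/Disable scripts as one function
# with read-back verification. Registry keys and values are those used in the post.
$GlobalKey = 'Registry::HKLM\SOFTWARE\Microsoft\CCM\Logging\@GLOBAL'
$DebugKey  = 'Registry::HKLM\SOFTWARE\Microsoft\CCM\Logging\DebugLogging'

function Get-CcmLogging {
    # Read what is actually in the registry rather than trusting what we wrote.
    $g = Get-ItemProperty -Path $GlobalKey -ErrorAction Stop
    $d = Get-ItemProperty -Path $DebugKey -Name Enabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LogLevel      = $g.LogLevel
        LogMaxSize    = $g.LogMaxSize
        LogMaxHistory = $g.LogMaxHistory
        DebugLogging  = if ($d) { $d.Enabled } else { 'False' }
        Mode          = if ($g.LogLevel -eq 0 -and $d -and $d.Enabled -eq 'True') { 'Verbose' } else { 'Default' }
    }
}

function Set-CcmLogging {
    [CmdletBinding()]
    param([Parameter(Mandatory)][ValidateSet('Verbose', 'Default')][string]$Mode)

    # Same values as Enable-Verbose.ps1 (Verbose) and Disable-Verbose.ps1 (Default)
    $settings = if ($Mode -eq 'Verbose') {
        @{ LogLevel = 0; LogMaxSize = 15500000; LogMaxHistory = 5; DebugEnabled = 'True' }
    } else {
        @{ LogLevel = 1; LogMaxSize = 250000;   LogMaxHistory = 2; DebugEnabled = 'False' }
    }

    # Fail loudly if the client is not installed instead of silently writing nothing
    if (-not (Test-Path $GlobalKey)) { throw "ConfigMgr client logging key not found: $GlobalKey" }
    foreach ($name in 'LogLevel', 'LogMaxSize', 'LogMaxHistory') {
        Set-ItemProperty -Path $GlobalKey -Name $name -Value $settings[$name] -Type DWord -ErrorAction Stop
    }
    if (-not (Test-Path $DebugKey)) { New-Item -Path $DebugKey -Force | Out-Null }
    Set-ItemProperty -Path $DebugKey -Name Enabled -Value $settings.DebugEnabled -Type String -ErrorAction Stop

    # The agent only picks the values up on start, so restart it and wait until it is back
    Restart-Service -Name CcmExec -ErrorAction Stop
    (Get-Service -Name CcmExec).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

    # Return the effective state so the caller (or a deployment log) can verify it
    Get-CcmLogging
}

# Usage: Set-CcmLogging -Mode Verbose, reproduce the problem and collect the logs,
# then Set-CcmLogging -Mode Default. Run with no arguments, the script just reports the current state.
Get-CcmLogging
```

Because the function returns the read-back object, a deployment can pipe it to a log or compare the Mode field across devices to find clients that were switched to verbose for a troubleshooting session and never switched back.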

There are alternative methods for enabling or disabling verbose logging such as using the SCCM console at the client level.


Depending on your specific needs and preferences, you can choose the method that best suits your requirements.
