Other day,I was trying to create my first SCCM Configmgr SSRS report with RBA (role based administration) what it means is ,data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view information defined for their roles.

The report which was trying to create : Get the Status of Bitlocker for all physical devices(Laptop and desktops) for specific collection .The main difference between the normal SQL code and SQL code that you use for RBA reports is ,you simply replace V_ with fn_rbac_ and append (@userSIDs) at the end of the SQL view name . SQL code i used in this report with RBA is given at the end of the post.

Since the report has collection prompt ,i created dataset for collection that also uses fn_rbac and tried to run the report .For some reason ,it failed to run with following error code.

Error: " The report parameter 'A' has a default value or valid value that depends on the report parameter 'A'. Forward dependencies are not valid ".

The above screen clearly says that ,COLLID prompt depends on the report parameter UserSIDs which is another parameter,hence forward dependencies are not valid. In SSRS ,the parameters always executed in specific order how you define them. All parameters cannot run at time.

If you look at my parameters in my SSRS ,they are in order 1)CollID 2)usertokenIDs and 3)UserIDs.

CollID has UserIDs parameter which cannot accept forward dependencies.

I need to change the order of parameters how they execute .So in your reporting tool, (I use visual Studio 2012) ,click on the parameters ,select the parameter value ,select the arrow to change the order of parameters and run the report.

I have to pull down the COLLID parameter to last to fix my issue here.

Download the SSRS report with RBA enabled from Technet Gallary.

SQL code to get the status of bitlocker for all physical devices from specific collection:

SELECT distinct SYS.Netbios_Name0 [Name],sys.User_Name0,
OS.Caption0 [OS],MEM.TotalPhysicalMemory0/1024 [Memory (MB)],
CS.Model0,
ev.driveletter0,
case when ev.protectionstatus0=1 then 'Yes' else 'No' end as 'IsDrive Bitlocker',
CONVERT(nvarchar(26), ws.LastHWScan , 100) [Last inventory],
CONVERT(nvarchar(26), sys.Last_Logon_Timestamp0 , 100) [Last Logontimestamp]
FROM fn_rbac_R_System(@UserSIDs) SYS
LEFT JOIN  fn_rbac_GS_X86_PC_MEMORY(@UserSIDs) MEM on SYS.ResourceID = MEM.ResourceID
LEFT JOIN  fn_rbac_GS_COMPUTER_SYSTEM(@UserSIDs) CS on SYS.ResourceID = CS.ResourceID
LEFT JOIN fn_rbac_GS_OPERATING_SYSTEM(@UserSIDs) OS on SYS.ResourceID=OS.ResourceID
--LEFT OUTER JOIN fn_rbac_R_User(@UserSIDs) vUSER ON vUSER.[User_Name0] = SYS.User_Name0
left join fn_rbac_GS_ENCRYPTABLE_VOLUME(@UserSIDs) EV on ev.resourceid=sys.resourceid
left join fn_rbac_GS_WORKSTATION_STATUS(@UserSIDs) ws on sys.ResourceID=ws.ResourceID
left join fn_rbac_FullCollectionMembership(@UserSIDs) fcm on sys.ResourceID=fcm.ResourceID
WHERE
fcm.CollectionID=@COLLID
and cs.Model0 not like '%virtual%'
ORDER BY SYS.Netbios_Name0

If you want to run the above SQL code in SQL server management studio ,simply replace the @COLLID with collection ID and add Declare @UserSIDs as varchar(Max) = 'Disabled' at the beginning of the query .

Collection Prompt:

select CollectionID, Name from fn_rbac_Collection(@UserSIDs)
order by Name

While i was checking the software update compliance reports for Microsoft and Non-Microsoft (3rd party updates ,SCUP integrated) ,i see that ,compliance report looks good for Microsoft but not for 3rd party updates.

SCCM Version: Configmgr Current Branch 1702 with SCUP integrated for 3rd party updates.

During the investigation on 1 client, found that ,it is failing to install only adobe & Java updates but rest of the 3rd party updates (Chrome, Filezilla,Firefox etc) installed successfully.

Initially when i ran the software update report and compliance % was not at at good shape ,so my thinking was ,it could be because of certificate issue but after logging to the client, found few 3rd party updates installed but not Java & Adobe.

So as part of troubleshooting ,verified the SCUP certificate imported successfully (double check though other 3rd party updates installed) ,AcceptTrustedPublisherCerts=1 set in registry correctly HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

Next is to look at the client logs for software updates. The first log to look at is wuahandler.log .

Failed to download updates to the WUAgent datastore. Error = 0x80246002.

0x80246002 refers to A download manager operation could not be completed because the file digest was not recognized.

After seeing above error, i went to ccmcache to verify the content download was successful or not but i can see the content downloaded to ccmcache and i can extract the file (cab) to see installation file for Java.

So next step is to look at UpdatesHandler.log if i can find any other information

Failed to initiate install of WSUS updates, error = 0x80246002

Failed to start batch install through WSUS Install handler , error = 0x80246002

Next to look at windowsupdate.log ,even that has same error as above.

All the logs have same error code “file digest was not recognized”. This could be due to the hash mismatch issue so which lead me to think about re-publishing the Java and Adobe (these 2 have issues) from SCUP to SCCM ,resync the software updates ,redownload the content ,delete the existing deployments, create new deployment solve the issue.

Steps that i followed to the fix are long enough but you can give a try by simply re-distributing the content to DP ,delete the existing deployment and re-create the deployment for Adobe & java updates to see if that works for you.

How did i solve the issue ?

1. Open SCUP console, go to publications ,look at the folder that has Java & Adobe updates . Select the folder ,click on Publish Icon that you see on the top

2.During the publish option ,do select the following Sign All ,click next ,next and close . Monitor SCUP.log for any errors.

3. Go back to SCCM console ,perform software update sync ,monitor wsyncmgr.log

4. After the sync success ,re-download Java & Adobe updates to package.

5.Delete the existing deployments because client must re-download the new package that you download now else client will follow the old content that was stored in ccmcache and it will keep failing.

6.After you delete and re-create the deployments, initiate the machine policy using client notification for clients to download the new policy

7.Login to one of the problematic client ,open software center ,if there is no maintenance window to install the updates ,install the updates manually ,monitor the logs (wuahandler.log,updatesdeployment.log,updatehanlder.log & windowsupdate.log)

Hope it helps.

Setting up Configuration Manager current branch (1702) lab for testing. While running the Configmgr reports using IE browser ,http://servername/Reports/Pages/Folder.aspx ,it failed with error code HTTP 500 Internal Server Error. SQL server installed locally on Configmgr box .

I have seen this error couple of time but i don't remember what was the solution to get it fix. So ,in this blog post, we will try to troubleshoot the issue by going through the log files and solve it.

Following the error snippet while while browsing Configmgr reports :

When you get this error, the first place to look at is ,reporting point role installation logs which are located in your Configmgr installation logs folder.

srsrpsetup.log Records results of the reporting point installation process

srsrp.log Records information about the activity and status of reporting services point

From srsrpsetp.log ,reporting services role successfully installed . Next log to look at is srsrp.log to check the health

srsrp.log :

System.Web.Services.Protocols.SoapException: The operation you are attempting requires a secure connection (HTTPS). ---> Microsoft.ReportingServices.Diagnostics.Utilities.SecureConnectionRequiredException: The operation you are attempting requires a secure connection (HTTPS).~   at Microsoft.ReportingServices.WebServer.RsSoapExtension.EnsureHttpsLevel(SoapMessage message)~   at Microsoft.ReportingServices.WebServer.RsSoapExtension.ProcessMessage(SoapMessage message)~   at System.Web.Services.Protocols.SoapMessage.RunExtensions(SoapExtension[] extensions, Boolean throwOnException)~   at System.Web.Services.Protocols.SoapServerProtocol.ReadParameters()~   at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()

Failures reported during periodic health check by the SRS Server servername.domainname

SSRS Role was installed successfully but health check did not run successfully.

Next is to check Reporting services Configuration Manager wizard if anything configured faulty or reporting services running correctly or not (this can be check from services.msc)

At this stage ,all checks passed but still issue persists.

Till now ,we have done the troubleshooting in in Configmgr point of view , but from now onwards ,we will go little further to check from SQL point of view.

Next is to look at SQL reporting services log which is located in your SQL installation folder .Since am using SQL server 2014 on my SCCM server (SQL installed locally) ,reporting services logs can be found at

C:\Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\LogFiles

Look at recently modified date (ReportServerService__07_14_2017_00_05_14)  ,open the log using cmtrace.exe

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Did a internet search using ‘This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms’ ,found this  https://blogs.msdn.microsoft.com/dataaccesstechnologies/2015/07/16/report-manager-system-invalidoperationexception-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms/

Follow the instructions given in the above link and apply the solution.

For me, after applying the changes said above (i did web.config) ,i got the following error which leads me to change SecureConnectionLevel to 0 in rsreportserver.config file located in C:\Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\ReportServer ,referrence TechNet article here

Error: The underlying connection was closed: An unexpected error occurred on a send

Solution:

Go back to your reports URL (http://servername/Reports/Pages/Folder.aspx) ,run the reports again to see if it works or not ?

Hope it helps!

Quick post on how to get count of list of updates or count of updates in your Configuration Manager with severity categorised as Critical,Important,Moderate and Low.

In order to get this information count of updates with severity, you first need to identify what the SQL views that store this information about software updates.

Get the SQL views documentation for all Configmgr versions starting from SCCM 2012 to Current Branch 1702 from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Severity of the software updates is stored in v_UpdateInfo .This SQL view stores lot of other information like title,article ID,bulletin ID,date posted and lot more. Most of the metadata about software update information is stored in this SQL view v_UpdateInfo.

We will try to use this SQL view to get count of software updates with its severity.

Listed below are severity and its description:

Severity=2 –> Low

Severity=6—>Moderate

Severity=8—>Important

Severity=10—>Critical

Am Listing 2 SQL Queries here for you . 1) without any filters and this will get you what is available in your CM database 2) With custom filters and more of modified version (Thanks to Sherry on myitforum)

1.

select CASE(ui.Severity)
When 2 Then 'Low' When 6 Then 'Moderate' When 8 Then 'Important' When 10 Then 'Critical' Else 'NA' End as 'Severity',
ui.Severity ,count(ui.ci_id) [Total Updates]
from v_updateinfo ui
group by ui.severity
order by 3 desc

2.

;with cte as (   select
   CI_ID,
           BulletinID,
           ArticleID,
           Title,
           DatePosted,
                   DateRevised,
                   isExpired,
                   isSuperseded,
           CI_UniqueID,
         case
        when (ui.severity=0 and ui.CustomSeverity=0) or ui.severity is null then '0 None'
        when ui.CustomSeverity=6 then '6 Moderate'
        when ui.CustomSeverity=8 then '8 Important'
    when ui.CustomSeverity=10 then '10 Critical'
    when ui.CustomSeverity=2 then '2 Low'
    when ui.Severity=2 and ui.CustomSeverity=0 then '2 Low'
        when ui.Severity=6 and ui.CustomSeverity=0  then '6 Moderate'
        when ui.Severity=8 and ui.CustomSeverity=0  then '8 Important'
        when ui.Severity=10 and ui.CustomSeverity=0  then '10 Critical'
        end as 'Severity'
    from v_UpdateInfo ui
Where
   ui.title not like '%Itanium%'
)
select severity, count(*) [Count]
from cte
group by Severity
order by Severity

You can add  more filters to 2nd query like superseded!=0 and expired=1 etc.

In this post, i will discuss about the requirement that i have got recently. Local team /manager wants to run the software update compliance report for their LBU machines (collections) to see if all the clients in collection are compliant or not for all the patches with released date between X date to Y date.

No matter whether all the patches that are requested/available in SCCM are deployed or not but it should appear in SCCM report if the clients are in good shape or not for specific period.

By default in SCCM, there are couple of reports available for software update compliance but if you want to know the compliance status for specific collection for all updates that exist in SCCM (no software update group here) between specific period let say Jan 1,2015 to Dec 31 2015 or X range to Y range.

How to generate software update compliance report for specific collection for all the updates available in SCCM within specific date ?

To create a report for this requirement, we need set of SQL views that have information about software updates ,collection,inventory of client etc.

Below are the SQL views that i used in this report:

v_GS_COMPUTER_SYSTEM

v_CICategories_All

v_CategoryInfo

v_gs_workstation_status

v_fullcollectionmembership

v_UpdateInfo

v_UpdateComplianceStatus

Download SSRS Report from Technet Gallery,Upload to your SSRS Folder ,change data source and run the report.

When you run the report ,it prompt for collection ,Start Date and End Date shown below.

The result what see in the report is excluded by superseded and expired updates (IsExpired=0 and IsSuperseded=0) .

The original report is taken from Garth post http://smsug.ca/blogs/garth_jones/archive/2009/02/25/patch-compliance-progression-report.aspx and modified to include the date prompt ,superseded,expired ,added inventory information like OS,update scan,IP address,Last reboot into the report.

Linked report to see list of updates for each client will be in the next post.

Microsoft released Technical Preview update 1707 for Configuration Manager with some new features and improvements with its last Technical preview Update (1706).

These technical preview updates will help you to test in lab environment and report feedback to Microsoft before they make into current Branch (Production Version). You can install this version to update and add new capabilities to your existing Configuration Manager technical preview site.

To see these preview updates in your Configmgr console,you must have the base version of SCCM Configmgr Technical preview 1703 (not applicable to current branch).These Technical Preview updates are intended for use in a lab environment.  For more information about technical preview and updates, please refer https://docs.microsoft.com/en-us/sccm/core/get-started/technical-preview

New features you can try out with this update are:

1. Client Peer Cache support for express installation files for Windows 10 and Office 365

2. Surface Device dashboard

3. Configure and deploy Windows Defender Application Guard policies

4. Add parameters when you deploy PowerShell scripts from Configuration Manager

For more information about these features ,read the documentation here https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1707

I will be testing this update in my lab to see the new features and improvements especially adding parameters when deploying powershell scripts.

I have seen this questions often in social communities and online forums on this topic and how they work during content download. So i will try to explain what they mean and how they work when it comes to content download.

when you create any deployment (applications,software updates,task sequence etc) ,you will see two options for ‘Type of Deployment’ (for software updates) ,Purpose (for applications) with Required and Available. In this blog post, we will see what they mean and how they work .

Available:  Available deployments will not have any deadline and they meant for optional. When you choose the type of deployment as Available ,user can see the deployments in Software Center and it will never be installed automatically unless user select and install it.

When user choose to install the available deployments in Software Center ,it will start downloading the content and install it ,no matter if the client has maintenance window or not as it is initiated by User and it will proceed to install the deployment after the download but if the deployment require reboot ,it will check for MW (maintenance window) and only reboot.

In this type of deployment ,deployments will not be downloaded automatically unless user initiate the deployment.

Required: Required deployment have  available time and deadline time. When you create deployment ,you will have to set available time (For clients to download the policies and download the content ) and deadline time (for installation).

When machine policy runs on the client , client will download the policies that are new or updated ,evaluate the policies and inject into wmi.

If you have any deployments with future deadline date but not as soon possible (which means the current time when you do the deployment) ,client will not perform the evaluation of the deployment for content download ,instead it will wait for the deadline date for content download and install (if enough maintenance window available).

In Required deployment ,content download happens only when the deployment reaches/passes the deadline date .Once the download is finished, it will check for enough maintenance window ,if there is ,it will install right after the content download. If there is future maintenance window available ,it must wait for the MW and install it .

If you have set deadline to ‘As soon as possible which means the current time on the site server, client receive the policy ,process it and download the content immediately due to deadline behaviour but for install ,it will check if MW ,if yes,wait for the MW else install the deployment.

My Observation in software updates deployments:

Take an example that ,I have deployed few software update groups to a collection with future deadline date but available time is current date . After 60 min (default ) ,client will receive the new/updated policies ,they process it and inject into wmi --but the content will not be downloaded until it reach the deadline time.

In this case ,all my deployments are set to future deadline date ,so they will never be evaluated by software update deployment evaluation cycle unless the deadline reaches and you will not see the updates in software center. When the deadline time triggers ,patches will be downloaded and install if enough MW available.

you will only see the list of patches available in software center if it is evaluated by software update deployment evaluation cycle and this happens automatically when the deadline reaches or you can initiate the

What happens if the client downloaded the policies but you initiated the deployment evaluation ?

Once the deadline time reached, deployment evaluation starts ,it will pick the policies that are available in client WMI and start processing each update with its compliance check (require,not require or already install) and start download the updates into ccmcache.

In this scenario, the download happens when the deadline reaches but not because of the maintenance window available. Maintenance window is only for the installation of updates but not for download of updates.

For more information about how the maintenance window is calculated, take a look at https://blogs.technet.microsoft.com/charlesa_us/2015/04/21/system-center-configuration-manager-2012-maintenance-windows-getting-to-know-you/

My Observation in Application Deployment:

Like i said how the content download happens for software updates ,it is not same for application Deployment .

For application deployment ,after the deployment to collection with available time as current time and deadline time as future time ,it took random time of 3-4 hours for the application to display in software center and also download happen automatically (Disable deadline randomisation is set to Yes but still it happens after sometime).

Hope You will find this article useful.

Few months ago ,i wrote blog post about how to use Compliance Settings to clean content in ccmcache folder. For more information, please refer http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/

This blog post is about deletion of client log files that contain SCNotify and SCClient.

What does these logs capture information about ?

SCNotify_<domain>@<username>_1.log : Records the activity for notifying users about software for the specified user.

SCNotify_<domain>@<username>_1-<date_time>.log: Records the historical information for notifying users about software for the specified user.

SCClient_<domain>@<username>_1.log: Records the activity in Software Center for the specified user on the client computer.

SCClient_<domain>@<username>_2.log: Records the historical activity in Software Center for the specified user on the client computer.

From these  logs ,you will see lot of wmi classes and information about application notification to user with their availability and also use activities performed against the software center.

We will use compliance settings to detect if there are any files with these logs that are older than 7 days and if the count is more than 0 then perform the cleanup.

I am not going in detail step by step to show you how to create compliance settings ,instead i will provide the discovery script and remediate script along with CAB files that i exported from my lab.

So If you want to create your own from scratch ,just replace the script form below for discovery and remediation and you are good OR

you can import the CAB file into your Configmgr and make changes how you like for example ,changing the number of days from 7 to 15 or what ever you like and logs folder location (C:\windows\ccm\logs).

Import the CAB file, deploy the configuration baseline to your clients on schedule basis.

Download the Configuration Baseline file from Technet Gallary

Discovery Script:

#discover
$MinDays = 7
(Get-ChildItem C:\windows\ccm\logs | Where-Object { ($_.Name -like 'SCNotify*' -or $_.Name -like 'SCClient*' -or $_.Name -like '_SCNotify*' -or $_.Name -like '_SCClient*') -and ([datetime]$_.LastWriteTime -lt (get-date).adddays(-$MinDays))} |Measure-Object).count

Remediation Script:

#Remediate
$MinDays = 7
$logs=Get-ChildItem C:\windows\ccm\logs | Where-Object { ($_.Name -like 'SCNotify*' -or $_.Name -like 'SCClient*' -or $_.Name -like '_SCNotify*' -or $_.Name -like '_SCClient*') -and ([datetime]$_.LastWriteTime -lt (get-date).adddays(-$MinDays))}
ForEach ($log in $Logs)
{
del $log.FullName
}

Here is the client that i noticed ,it has 1436 logs out of which with size of 530MB ,of which ,450MB+ logs are with SCNotify and SCClient that are older than 7 days.

Before i run the script ,there are 1436 files with size about 550MB.

After the script:

After the script ,file count reduced to 189 with size 20MB.

Hope this helps !

If you are using SCUP (system Center Update Publisher) tool to manage 3rd Party updates integrated with Configuration manager, there are 2 things which you need to look at .

1) The settings that are configured in SCUP Console are per user specific and stored in User profile (user.config in C:\Users\%UserName%\AppData\Local\Microsoft\Scup2011.exe_StrongName_XXXXXXXXXX)

2) Database file that store all your 3rd party catalogue ,publications etc also stored in user profile (C:\Users\%username%\AppData\Local\Microsoft\System Center Updates Publisher 2011\) at the time of configuration of SCUP.

If other users who have permissions ,try to open SCUP console , they will see everything blank and it is because of above said points . SCUP settings ,configurations and database are user specific when installed and configured.

It is always difficult for new users to go through the configurations ,settings,importing the catalogues  etc before they publish the updates.

In this blog post,we will see how to make the SCUP console settings and database available (shared)  to all users who ever want to manage 3rd party updates.

1. How to make SCUP Settings like publish to an updating server, Configmgr Integration ,Trusted Publishers(all your catalogue’s) and proxy settings (except password) available to all users.

To copy user specific settings to all users ,perform the following changes.

Go to user profile (C:\Users\%Username%\AppData\Local\Microsoft) who had configured SCUP settings ,imported the catalogues and publish updates to Configmgr.

In this folder ,you will see folder called Scup2011.exe_StrongName_Random number ,go into the folder to see user.config file.

C:\Users\%username%\AppData\Local\Microsoft\Scup2011.exe_StrongName_2wzdfznimh1kefuisr0pqsefwkw5k4tp\5.0.1727.0

This user.config file has all settings of your SCUP console .

We will try to copy these settings to config file (kind of shared) that will be used for all users (except proxy password if you have used in SCUP console ) .

Open the user.config file using notepad and keep this file aside .We will soon copy the settings from this file to commonly used config file .

Go to your SCUP installation folder , open Scup2011.exe.config file with notepad

By default ,the settings in the file are not configured with any values and this settings will be used to create new user config file when they try to launch SCUP console.

Now we have 2 Config files (user.Config and other is Scup2011.exe.config) .

If you have proxy server name with password, copying the setting will  not help .You will have to re-enter the password for the proxy .

Note: Take a backup of these 2 files before editing (incase something goes wrong while editing the files ).

Copy the settings that are common from User.Config to Scup2011.exe.config

Once you have copied all the settings ,save Scup2011.exe.config .

Now we have completed the task 1 that will help new users to get certificate and SCCM integration and other settings.

Wait, we are yet to complete Task 2 which is database that will contain information about catalogue ,publications etc.

Go to User profile (C:\Users\%UserName%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000) and copy the database file scupdb.sdf

We are going to paste the database file to SCUP installation folder which is C:\Program Files (x86)\System Center Updates Publisher 2011

Now ,we will edit the config (Scup2011.exe.config ) file for all users to use this database as shared.

Edit Scup2011.exe.config  located at C:\Program Files (x86)\System Center Updates Publisher 2011 .

As you can see below ,the datafile is set to empty ,we will now change the value to point to datafile.

Add the following database file to value as shown below and click save ,close the notepad file.

<value>C:\Program Files (x86)\System Center Updates Publisher 2011\scupdb.sdf</value>

From now onwards , When existing user( who is using the console to manage SCUP updates) or new user try to launch the SCUP console ,they will point the database file to C:\Program Files (x86)\System Center Updates Publisher 2011\scupdb.sdf and also settings automatically loaded ,which can be verified using SCUP console –Options—Advanced-Current connection Details

With this ,we have completed copying the setting for new users and also made SCUP database as shared.

Hope this helps!

OverJoyed …..I got an email yesterday from the Microsoft MVP Award team saying that ,I have been awarded with Microsoft MVP award in Enterprise Mobility for 2017. I am extremely proud and honored to receive this award.

I started blogging (www.eskonr.com) in year 2009 to to share my technical views,tips and tricks that I have seen in my daily work on SMS 2003 /SCCM/Configmgr In 2012 and to keep this as my reference .I have no idea what the award means when I started blogging in the early stages of my career .It was purely on the basis of sharing the knowledge and helping the community. This blog has now over 2.5 million views since then with over 400+ subscribers ,500+ posts and 2000+ comments .

Here is what email says:

We are extremely pleased to present you with the 2017-2018 Microsoft Most Valuable Professional (MVP) Award! This award is given to exceptional technical community leaders who share their remarkable passion, real-world knowledge, and technical expertise with others through demonstration of exemplary commitment.

Thank you Microsoft for recognizing my contributions towards community.

Thanks to all  those who supported and encouraged me over the last few years (Janaka ,Niall Brady, Garth Jones)  and especially to my wife who let me spend time on blogging,being active in social communities .

I have got  my standalone Intune setup with few devices enrolled . In this post, i will go through the reporting feature using  using Power BI to connect to Intune to load data and generate reports dynamically.

These reports will help us to analyse the users who are enrolling the devices for license purchases ,to see the OS manufactures ,compliance status ,updates etc.

Before we proceed further ,first download the Power BI Desktop using link https://powerbi.microsoft.com/en-us/downloads/

Power BI Desktop file is about 140MB ,once it is downloaded ,run the setup file with default options.

Start the Power BI

Click on Get Data

To get odata feed URL ,you need to login to https://portal.azure.com and search for Intune ,click on Intune ,you will find Intune data Warehouse on the right-side ,click on it

Copy the Tenant URL under use third-party reporting services

while you are on this page ,download the power BI file (intune data warehouse) which has basic set of custom reports to get started https://github.com/Microsoft/Intune-Data-Warehouse/blob/master/Samples/PowerBI/Intune%20Data%20Warehouse%20Report%20(AMSUC0301).pbix?raw=true (this URL is from above link ,might change)

Put the URL into Power BI Odata URL and click Ok

It will load with few options to select the level to apply these settings ,i choose the default one that it load automatically

Click on connect

If it ask for authentication ,go to Organizational account and click on sign in.

The user account that you try to login must have power BI license which can be assigned to your user account in Azure portal .

Once you login ,you will see page below and click on connect

From the navigator, select the options that you be interested to see the data for and click on load . Please be sure the fields that you want. If you choose all tables ,it might take longer to get the data loaded into the file.

For me ,it took approximately 2 min to load the data (i have only few devices enrolled).

We have now the data loaded and we should be able to generate the reports dynamically however we want.

Now ,lets try to download the some sample power BI (pbix)  files and load into the power BI using https://github.com/Microsoft/Intune-Data-Warehouse/blob/master/Samples/PowerBI/Intune%20Data%20Warehouse%20Report%20(AMSUC0301).pbix?raw=true

Go to file and open report that you downloaded using above URL.

Once you are imported ,click on apply changes to load your intune data into the imported power BI file  which takes time to load all the tables .

I have few error while loading the data and that is related to memory (less RAM) due to resource constraint ,but after closing other applications ,i can successfully import the data.

Once the data is loaded fully ,You can click on the pie charts to know its data .

you will see different tabs at the bottom of power BI tool like Devices,Enrollment,App protection policy,Compliance policy,Device configuration profiles,Software updates,Device inventory logs.

These tabs comes from the file that we imported. You can also created/customize pie charts and save the file as  pbix file which can be shared to others.

For each tab have filters which can be changed depends on the requirements like i want to know the devices that are enrolled between specific dates ,last contacted date and based on manufacturer etc.

All these filters can be applied in each tab in this report.

References

https://powerbi.microsoft.com/en-us/documentation/powerbi-service-get-started/

https://docs.microsoft.com/en-us/intune/reports-proc-get-a-link-powerbi

If you want to know who executed (number of times ) the Configuration manager reports (or any other SSSRS reports) or if anyone compliant that some of the Configmgr reports are running slow or timed out ,how do you find the such reports and take action ?

I receive requests from remote users saying that they have issue while running some of the custom reports but when i run ,they works fine but not for remote users. There could be so many reasons why the report loads slow (network or SQL code issues etc) which am not going to discuss here.

Recently i was checking on this to see what are the reports ran by users most of the times and ,how many times they have run ,what are the top most reports and how long these report take time to execute .

When you run the SSRS reports ,it will log lot of information back into the report executionlog .

This report execution log is stored in the Reportserver database that by default is named ReportServer .if you have custom database name ,then you must that database to run the query.

As you can see in the following reportserver ,there are 3 SQL views that contain the information about execution log

Below is the take from Microsoft article about these executionlog sql views.

Now ,lets try SQL query to pull the information about the SSRS reports with its execution time, users ,time start etc.

Use  ReportServer
select * from ExecutionLog3
order by TimeStart desc

Results using above SQL Query:

Below query help you to find number of times that each user run the report.

Use ReportServer
select ItemPath,UserName,count(*) [No of times executed] from ExecutionLog3
group by ItemPath,UserName
order by 3 desc

One of the ways to reduce the disks space/cpu I/O is to enable cache use cache option in reports ,further reading ,please have a look at https://www.enhansoft.com/blog/how-to-setup-report-caching-for-a-ssrs-report

More information about the columns and its description can be found from http://www.sqlchick.com/entries/2011/2/6/querying-the-report-server-execution-log.html

Hope it helps!

I had setup standalone intune (MDM authority to Intune)  to manage mobile devices long-time ago ,but after doing some testing on android,windows and iOS devices ,i decided to change MDM authority from Intune to Configuration Manager console (hybrid) . To change the MDM authority from intune to hybrid ,Login login to SCCM console  ,go to administration –>cloud services –>Microsoft intune subscription –>Add Microsoft Intune Subscription

This process will prompt you to login using Microsoft intune subscription ,configure company contact information,logo etc.

After doing all the initial setup , verified logs and confirm that the MDM authority is set to Hybrid using URL https://admin.manage.microsoft.com/MicrosoftIntune/App.aspx

Admin page—>Mobile device management ,Mobile device management authority set to Configuration Manager

After this is done ,you can enable windows and android platform directly but for iOS devices ,you need to create APN certificate request ,download the APN certificate which is used to establish a trust relationship between the Apple Push Notification server and Intune’s mobile device management authority.

Once you are done with the enable iOS enrolment and uploaded the Apple Push Notification service certificate ,you can start enrolling the iOS devices.

Note:Do not upload the Apple Push Notification service (APNS) certificate until you enable iOS enrolment in the Configuration Manager console.

Once am done with the configuration setup ,i have enrolled windows and Android devices and these devices appear in SCCM console but not iOS devices.

Have tried enrolling few iOS devices ,but they never appear in SCCM console.I can see the applications ,company logo etc that i published to my users in the company portal in iOS device but the compliance just stuck for longer time without any joy.

This lead me to look at the logs .For this ,open the company portal and shake the device to get option to send logs.

Here is snippet from log .

After going through lot of troubleshooting steps which includes verifying the APN certificate expiry date in SQL database ,settings etc ,finally reach out to microsoft to check what is happening behind the scenes. There is nothing for us to troubleshoot on the intune part .

After spending few hours time with Microsoft support engineer ,they have told me that ,APN certificate that was uploaded corrupted and it requires to reset the MDM authority to fix the issue.

To reset MDM authority ,i need to perform the following actions

1. remove the users from the Intune User Group. Point the Intune Subscription to an empty user collection, or, remove all users from the targeted collection  and confirm in the CloudUserSync.log that users are removed.

2. Uncheck the iOS platform to purge the APNs certificate

3.  Delete any and all published applications that are for MDM Devices

4. Delete any and all polices that are for MDM Devices

5. Remove the Windows Intune Connector from within the Configuration Manager Console.

6. Remove the Intune subscription by right-clicking the subscription and selecting Delete

• Restart the SMS Executive Service

Once you are done with these steps ,Microsoft Engineer will proceed to reset MDM authority and able to successfully enroll iOS devices.

After you change the MDM authority from intune to sccm ,devices are already enrolled to intune will switch to SCCM and for this ,it can upto 8 hours to re-appear these devices into your SCCM console.

What you need to consider (best practise)  while switching your MDM authority from Intune to Configuration Manager is that ,you should use the same APN certificate that was used in standalone in SCCM but with renewed  certificate means ,renew the APN certificate that was used intune ,download it from apple store and uploaded into SCCM to avoid corruption of APN certificates.

Reference https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/change-mdm-authority

Maintenance windows in SCCM Configmgr enable you to define a time when SCCM operations can be carried out on members of a device collection. These maintenance windows are helpful to ensure that client configuration changes occur during periods that do not affect the productivity of the organization. More information about  Maintenance windows refer https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/use-maintenance-windows

I had requirement to remove all Maintenance windows that are set on list of collections .Removing the Maintenance windows for each collection would be tedious task. Right click on collection ,select maintenance window and delete the Maintenance window.

Note:Removing the Maintenance windows allow to install deployments that are pushed to collections.

In this blog post, we will see how powershell can do this task in seconds for any number of collections that you pipe into txt file.

All you need is ,get the list of Collection IDs and supply it to text file ,run the script.

This script will not output any results to log file saying what is the existing Maintenance window and what is deleted. If you want ,you can customize the script to log the output.

This script uses 2 basic powershell cmdlets available in configuration manager module which are

Get-CMMaintenanceWindow Gets the maintenance windows for a collection

Remove-CMMaintenanceWindow Removes a maintenance window associated with a collection

Download the powershell script from Technet Gallary ,supply the list of collection IDs ,run the script.

Microsoft Azure portal for Intune provide you the information about user sign-in activities (includes usage of managed applications) and Audit Logs (information about users ,group management ,your managed applications and directory activities) through reporting.

The information which is tracked ,will help you to determine sign-in status for applications,with MFA(Multi factor authentication),MFA results etc

To see the activity of Sign-ins and Audit logs, login to https://portal.azure.com ,click on Intune ,right side you will see Users

Click on Users to see activity with Sign-ins and Audit logs ,Click on Sign-Ins

On the right side ,you will see list of all users with their sign-in status for applications.

On the top, you will see several filters like Date (Range from 1 month,7 days,24 hours and custom) ,User (user name or UPN name),Application (application name),client and Sign-in status (success,failure or all).

I want to see the activities performed by specific users (eswar) ,to see that, simply type the user name or UPN in User filter tab and click on Apply to see the results

You also have an option to download the results into CSV format.

To see the audit logs ,while you are on users and groups- sign-ins ,click on Audit logs to see information about users ,group management.

Audit logs also filter option to list the activities performed by specific user instead of seeing long results.

As you can see from above snippet,there are several activities for user eswar koneti like change user license ,add owner to group,member to group,update user initiated by (actor) .

This also gives you option to download the results into CSV file.

I will need to see if this information can get from Power BI without going through Azure portal. Power BI for Microsoft Intune ,please refer http://eskonr.com/2017/09/power-bi-for-microsoft-intune/ .

Beginning with Configmgr Version 1702, clients use boundary groups to find a new software update point. You can add individual software update points to different boundary groups to control which servers a client can find.

More information about boundary groups and its relation with  software update point changes in 1702 and 1706 ,please refer TechNet link  https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/boundary-groups ,it has lot of information than i explain.

Few weeks ago ,i was looking at the boundaries and boundary groups that are configured for my environment with its fallback information (distribution point and software update point).

I find it hard to locate the boundaries that are configured with fallback distribution points and fallback software update point.Incase you want to know the list of boundaries/boundary groups that are configured with fallback options,there is no default report.

I have created SSRS report that will help to pull information from SQL database into nice reporting .

References:

Relationships:

How does the report work ?

Download the report from Technet Gallary , upload the report into Configmgr SSRS reports folder,change the data source and run the report.

When you run the report, it prompt for Site Code since all the boundary groups that you created must have assigned to specific Site Code for site assignment. If you have not assigned the boundary groups to any specific site code, they will not be listed here .

So choose the Site Code (Primary or Secondary) or select All

Boundary groups that are assigned with specific Site Code will be listed with following information.

Boundary Group Name ,Site system Role,Site Code,Fallback Boundary Group,Fallback Site System,Fallback DP,Fallback SUP.

I was contacted by colleague that Configmgr is not showing the updates that were published day ago by SCUP . So i started checking the SCUP configuration (proxy) and the updates status if they are published or not using the date published and also verified SCUP logs.

From SCUP perspective,all looks good. Next to look at Configmgr ,in this ,i checked the SUP properties if the published products are selected or not , check the proxy details in site system role properties.

Next to look at proxy details that are configured in IE for system account for which ,you can use psexec tool to verify it.

How to open IE using system account or check the proxy details in cmd using pxecec ? run the cmd using administrator ,run psexec –i –s cmd.exe

Type netsh winhttp show proxy it must give you the proxy details if at all configured .Run the following command to open IE using system account

PsExec.exe -i -s "C:\Program Files\Internet Explorer\iexplore.exe"

set the proxy in IE ,once this is done ,come back to cmd prompt (system account) and run netsh winhttp import proxy source =ie to import the IE settings .

This also looks good to me .What else could go wrong for the updates not shown up in SCCM console ?

Now ,i move onto the SUP logs WCM.log and WSUSCtrl.log both looks good and the final log is sync log wsyncmgr.log which has some errors init.

Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS

we know that ,there are no changes to IIS or any configurations in the last few months with respect to SSL. I have tried the sync by providing the user name in site system role properties to use credentials to connect to proxy server but it failed with same error.

After searching in Google with above error ,found few blogs that refers to https://technet.microsoft.com/en-us/library/dn265983.aspx (configure trusted roots) but they do not apply to me .

 https://the-d-spot.org/2011/05/17/sccm-sup-sync-failed-6703/

http://www.mssccmfaq.de/2012/06/02/sup-synchronisation-schlagt-fehl-could-not-establish-trust-relationship-for-the-ssltls-secure-channel/

https://www.windows-noob.com/forums/topic/7559-sup-sync-issue/

After sometime ,got to know from another colleague that ,there were some changes made to the proxy server by NOC team which requires SSL authentication. What it means is ,software update sync happens using system account instead of user account which require SSL authentication and in this case, we need to get approval from security team to allow the SCCM site server computer account to bypass or added to exception list.

References and troubleshooting https://support.microsoft.com/en-us/help/10329/configuring-software-update-synchronization-in-system-center-configura 

https://technet.microsoft.com/en-sg/library/bb892795.aspx

This is quick blog post to address the issue of blank site in the installation options while installing SCCM Client software using client push installation method.

In SCCM 2012 and above ,you have RBAC (Role based administration access) to secure the access that is needed to administer Configuration Manager. You also secure access to the objects that you manage, like collections, deployments, and sites. For more information about RBAC ,please read https://docs.microsoft.com/en-us/sccm/core/understand/fundamentals-of-role-based-administration  and https://blogs.technet.microsoft.com/hhoy/2012/03/06/role-based-administration-in-system-center-2012-configuration-manager/

Coming to the subject line ,We have created security scopes and security roles for different LBU’s with required permissions limiting to their country collections (Note: we have removed the default security scope from user/group permissions ).

when the LBU (local business unit) team try to perform the client installation using client push ,they do not see option to choose the site to install the client software . Allowing this will install the client software from specified site server.

This happens because user do not have access to view/read the site (it could be primary or secondary site).

To fix this ,you need to add the security scope that you assigned to user/group in primary/secondary site .

Go to administration—site configuration sites ,right click on Primary or secondary site that you want users to select ,click on set security scopes

choose from the available security scopes

Click ok ,now users should be able to choose the site to install client software from.

Hope it helps!

Microsoft has released SCUP 2017 preview 2 update with enhanced update catalog to provide better experience for users in consuming large catalog updates. While old catalog formats are still supported, catalog providers will need to add information to their existing catalogues to take advantage of these improvements that exist in this preview 2 update. This preview 2 update contains the following improvements:

• Indexing for quicker imports of previously imported catalogs – Catalog producers can now index their catalogs. This will allow users to import large catalogs containing few new updates more quickly.
• Inclusion of signing certificates within updates catalogs – Catalog producers can now include signing certificates with their updates catalogs. This enables users to add the certificates to the trusted publishers list during import so that approval prompts will not block publish operations.
• Signature Timestamp – Updates published to a WSUS server will by default have the signature time-stamped. Note, this functionality requires internet access. If you have upgraded from preview 1 this will not be automatically enabled.  To enable or disable the signature timestamp or configure the timestamp server that is used see the Advanced page under Options.

In this post ,we will see how to

1. Download the SCUP Preview here.

2. Run UpdatesPublisher.msi on a computer that meets the prerequisites.

3. Configure the options for SCUP.

4. Start using the features of SCUP.

5. More information about SCUP ,refer https://docs.microsoft.com/en-us/sccm/sum/tools/updates-publisher

Download the SCUP Preview from https://www.microsoft.com/en-us/download/details.aspx?id=55543 ,installer size is around 5MB

Run the downloaded file on supported platform OS ,in this case, i will run the installer on my SCCM server in my lab.My lab server do not have any SCUP .since this is still in preview,do not install in production environment.

Before you run the SCUP tool ,make sure you meet the prerequisites listed below.

The following are required on the computer that runs Updates Publisher.+

• 64-bit operating system: The computer where you install Updates Publisher must run a 64-bit operating system.
• WSUS 4.0 or later:
  • On Windows Server, install the default Administration Console to meet this requirement.
  • For Windows 10 and Windows 8.1, install the Remote Server Administration Tools (RSAT) for Windows operating systems. This installs the necessary support to use Updates Publisher (API and PowerShell cmdlets, and User Interface Management Console).
• Permissions:
  • Installation: Local admin
  • Most operations: local user
  • Publishing, or operations that involve WSUS: Member of WSUS Administrators group on the WSUS Server.

Installation is straight forward.

Click next,next,finish

On the device that you installed preview, search for Update publisher (Preview)

.

Accept the license terms ,let it do some pre checks before the console made available to you.

Version of this SCUP 2017 Preview 2 is : 6.0.219.0

If you are using SCUP 2011 ,you now have 2 new features added in preview release with updates and logging.

Logging:

In advance tab ,you can now change the database file instead of leaving it in user profile and Signature Timestamp URL is enabled by default.

Timestamp: When enabled, a timestamp is added to updates you sign that identifies when it was signed. An update that was signed while a certificate was valid can be used after that signing certificate expires. By default, software updates cannot be deployed after their signing certificate expires.

In preview release, all the nodes are added with workspace like updates workspace,publications workspace,rules workspace and catalos workspace.

From the default catalog i can see only acrobat and reader but no flash player along with dell,HP,Fujitsu . For Adobe flash player ,you need to add the scup catalog manually. http://fpdownload.adobe.com/get/flashplayer/distribution/win/AdobeFlashPlayerCatalog_SCUP.cab

SCUP log that track the information about importing catalogs, publish and download of updates is changed from SCUP.log to updatepublisher.log which still store in user profile (%appdata%)

when you try to import download catalog file(cab) ,it will prompt you with few options like approve,always approve and decline.

Once the catalog is approved (always) ,you will not see any prompts during the publish of updates (content download) .This is really helpful if you are trying to publish lot of updates and have a coffee while it download the content and publish the info to WSUS server

In the older version,when you try to publish the updates ,it prompt to approve the content which is troublesome if you have multiple updates published at one go.

More to test on this ,Stay tuned until further updates.

In this blog post, we will see how to use conditional access to deny/block access to Office 365 Exchange Online (emails) from windows devices and mac devices .

conditional access allow access to company data only for authenticated users from compliant devices (If you apply conditional access to list of users ,device must enroll before they check for device compliance) from approved apps under the right conditions. More information about conditional access read from Technet https://docs.microsoft.com/en-us/intune/conditional-access

To block access to o365 exchange online (not for exchange on-prem) from windows and mac devices using mobile apps and desktop apps like outlook or other apps ,we need to create condition access policy with assignments and access controls.

to start with ,go to https://portal.azure.com ,click on Intune  on the right side, click on Conditional access.

Click on Policies ,create New policy

Give the policy Name ,on the assignments ,click users and groups ,choose select users and groups ,on the right side ,you can choose users or groups or you can choose all users ,click  Done

On the cloud apps, select the apps (in this case , office 365 exchange online) ,client done

On the conditions ,select device platforms ,choose windows and macOS (preview)  ,client done

On the  client apps ,choose mobile apps and desktop clients (since we have chosen only windows and mac, this will apply to desktop clients and no mobile apps) .

Click on access controls ,Grant ,Choose Block to deny access to exchange online if users connect from desktop clients using windows and mac (as per the above setting)

Click on Enable policy to save the changes and enable the policy

End user experience:

If user is trying to access access exchange online using native app (that comes with windows 10 by default or desktop clients) from windows or mac device for emails ,they will straight away hit following error message which is coming from conditional access.

Hope it helps!

References :

Conditional access https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access

Protect access to email, Office 365, and other services with Microsoft Intune https://docs.microsoft.com/en-us/intune-classic/deploy-use/restrict-access-to-email-and-o365-services-with-microsoft-intune