Channel: All about Microsoft Endpoint Manager

How to create a collection based on boundary group for client assignment and content troubleshooting


The Microsoft Endpoint Configuration Manager 2002 production build is out today. It is available as an in-console update (for now only to the fast ring); the baseline media will follow in the next couple of weeks.

It has a bunch of new and updated features. For the full list of features and the installation steps, please refer to http://eskonr.com/2020/04/sccm-configmgr-current-branch-2002-is-available-as-in-console-and-baseline-version/

One of the features in this build is 'Show boundary groups for devices in the Configuration Manager console'.

Clients use boundary groups for site assignment and for locating distribution points, software update points, management points and state migration points. State migration points don't use fallback relationships.

From this build onwards, we can identify a client's boundary groups for site assignment and content troubleshooting within the Configuration Manager console.

How to identify the boundary groups for a specific client in the console?

From the console (2002 build onwards), in the Devices node or when you show the members of a device collection, add the new Boundary Group(s) column to the list view. The column then shows the boundary group names for each device.

Please note the following about client boundary groups.

  • If a device is in more than one boundary group, the value is a comma-separated list of boundary group names.
  • The data updates when the client makes a location request to the site, or at most every 24 hours.
  • If a client is roaming and not a member of any boundary group, the value is blank.

Since the client boundary group information is now available, we will use it to create a collection of clients with a NULL value (no boundary group, or missing from every boundary group).

Create a collection with the following WQL query to get all clients that don't belong to any boundary group.

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier,
SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from  SMS_R_System where SMS_R_System.ResourceId in
(select resourceid from SMS_CollectionMemberClientBaselineStatus
where SMS_CollectionMemberClientBaselineStatus.boundarygroups is NULL)
and SMS_R_System.Name not in ("Unknown") and SMS_R_System.Client = "1"
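The same data can be pulled from the SMS Provider with PowerShell to get a per-boundary-group count and the list of clients with no boundary group at all. This is an added example, not code from the original post; it assumes the SMS Provider runs on 'CM01', the site code is 'PS1', the All Systems collection 'SMS00001' is used for scoping, and that SMS_CollectionMemberClientBaselineStatus exposes CollectionID, Name and BoundaryGroups (the property the WQL above uses).

```powershell
# Added example, not code from the original post. Summarise client boundary
# group membership from the SMS_CollectionMemberClientBaselineStatus class
# (ConfigMgr 2002+, clients upgraded to 2002) through the SMS Provider.
# Assumptions: provider server 'CM01', site code 'PS1', scoping collection
# 'SMS00001' (All Systems); the class exposes CollectionID, Name, BoundaryGroups.

function Get-ClientBoundaryGroupRows {
    param(
        [string]$ProviderServer = 'CM01',
        [string]$SiteCode       = 'PS1',
        [string]$CollectionId   = 'SMS00001'
    )
    # Collection IDs are 8 alphanumerics; validating before building the WQL
    # string keeps a caller-supplied value from altering the query.
    if ($CollectionId -notmatch '^[A-Za-z0-9]{8}$') {
        throw "Invalid collection ID '$CollectionId'"
    }
    # Scoping to one collection returns each client once; without the
    # CollectionID filter you get one row per collection membership.
    $wql = "SELECT ResourceID, Name, BoundaryGroups " +
           "FROM SMS_CollectionMemberClientBaselineStatus " +
           "WHERE CollectionID = '$CollectionId'"
    Get-CimInstance -ComputerName $ProviderServer -Namespace "root\SMS\site_$SiteCode" -Query $wql
}

function ConvertTo-BoundaryGroupReport {
    # Splits the comma-separated BoundaryGroups value and flags clients with
    # no boundary group (the same condition as the collection query above).
    param([Parameter(Mandatory)] [object[]]$Rows)
    $perClient = foreach ($r in $Rows) {
        $groups = @()
        if (-not [string]::IsNullOrWhiteSpace($r.BoundaryGroups)) {
            $groups = @($r.BoundaryGroups.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        [pscustomobject]@{
            ResourceID     = $r.ResourceID
            Name           = $r.Name
            BoundaryGroups = $groups
            Missing        = ($groups.Count -eq 0)
        }
    }
    $counts = @{}
    foreach ($c in $perClient) {
        foreach ($g in $c.BoundaryGroups) { $counts[$g] = 1 + [int]$counts[$g] }
    }
    [pscustomobject]@{
        Clients        = $perClient
        MissingClients = @($perClient | Where-Object Missing)
        GroupCounts    = $counts
    }
}

# Constructed sample rows (same shape the provider returns) so the reporting
# logic can be exercised without a site connection.
$sample = @(
    [pscustomobject]@{ ResourceID = 16777220; Name = 'PC001'; BoundaryGroups = 'HQ-BG,Cloud-BG' },
    [pscustomobject]@{ ResourceID = 16777221; Name = 'PC002'; BoundaryGroups = 'HQ-BG' },
    [pscustomobject]@{ ResourceID = 16777222; Name = 'PC003'; BoundaryGroups = $null }
)
$report = ConvertTo-BoundaryGroupReport -Rows $sample
$report.GroupCounts
$report.MissingClients | Select-Object Name, ResourceID

# Against a live site:
# $rows   = Get-ClientBoundaryGroupRows -ProviderServer 'CM01' -SiteCode 'PS1'
# $report = ConvertTo-BoundaryGroupReport -Rows $rows
# $report.MissingClients | Format-Table Name, ResourceID
```

The validation on the collection ID matters because the WQL is built by string interpolation; the same care applies to any other value you splice into a provider query.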


You can also use reports to identify the clients missing boundaries and boundary groups.

The following are a few custom reports created for earlier Configuration Manager builds.

http://eskonr.com/2019/12/how-to-find-configmgr-client-boundary-and-boundary-group-details-based-on-boundary-group-caching/

http://eskonr.com/2017/09/sccm-configmgr-report-for-boundary-group-relationships-with-fallback-sites/

http://eskonr.com/2013/12/sccm-2012-ssrs-report-site-servers-and-its-assigned-boundary-information/

http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

For more information about boundary groups, please refer to https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_show-boundary


SCCM SQL query to list all the content of distribution point group


A Twitter friend asked how to create a SQL report that lists the content of a distribution point group with its content status: total targeted, installed, in progress and errors.

Distribution point groups have been available in Configuration Manager for several years. They provide a logical grouping of distribution points for content distribution.

We can create and use DP groups to manage and monitor content from a central location for distribution points that span multiple sites.

For more information about managing distribution points and distribution point groups, please refer to https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points


When you create a DP group and add content to it, the content is listed on the Content tab of the group's properties.

If you want to monitor the status of a package or other content on a DP, you can use the default reports.

There is a set of reports in the category Software Distribution - Content, but none of them monitors the content status of a DP group.


The following SQL query gives a summary of the content on a specific DP group with the targeted, installed, in-progress and failed counts.

SELECT DISTINCT dpgr.NAME [DP Group],
pk.NAME [Package Name],
dgp.pkgid [Package ID],
dpcn.targeteddpcount,
dpcn.numberinstalled,
dpcn.numberinprogress,
dpcn.numbererrors,
CASE
WHEN pk.packagetype = 0 THEN 'Software Distribution Package'
WHEN pk.packagetype = 3 THEN 'Driver Package'
WHEN pk.packagetype = 4 THEN 'Task Sequence Package'
WHEN pk.packagetype = 5 THEN 'Software Update Package'
WHEN pk.packagetype = 6 THEN 'Device Setting Package'
WHEN pk.packagetype = 7 THEN 'Virtual Package'
WHEN pk.packagetype = 8 THEN 'Application'
WHEN pk.packagetype = 257 THEN 'Image Package'
WHEN pk.packagetype = 258 THEN 'Boot Image Package'
WHEN pk.packagetype = 259 THEN 'Operating System Install Package'
ELSE 'Unknown'
END AS 'Package Type'
FROM vsms_dpgroupinfo dpgr
INNER JOIN v_dpgrouppackages dgp
ON dgp.groupid = dpgr.groupid
LEFT JOIN v_package pk
ON pk.packageid = dgp.pkgid
LEFT JOIN v_dpgroupcontentdetails dpcn
ON dpcn.groupid = dpgr.groupid
AND dpcn.pkgid = pk.packageid
WHERE dpgr.NAME = 'Azure DP'

Replace 'Azure DP' with the name of your distribution point group. If you turn this into an SSRS report, pass the group name as a report parameter (WHERE dpgr.NAME = @DPGroupName) rather than concatenating it into the query text, so that a user-supplied name cannot change the query.
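To run the query ad hoc without editing the WHERE clause each time, the group name can be passed as a typed SQL parameter from PowerShell, and the rows that still need attention (not installed on every targeted DP, or reporting errors) filtered out. This is an added example, not code from the original post; it assumes a SQL instance 'CMSQL01', site database 'CM_PS1', Windows-integrated authentication, and a DP group named 'Azure DP' as in the post. The CASE expression for package types is left out and the raw PackageType value is returned instead.

```powershell
# Added example, not from the original post: run the DP group content query
# above with the group name as a SQL parameter, then flag packages that are
# not installed on every targeted DP or that report errors.
# Assumptions: SQL instance 'CMSQL01', site database 'CM_PS1', integrated
# authentication, DP group 'Azure DP'.

function Get-DpGroupContentStatus {
    param(
        [Parameter(Mandatory)] [string]$DpGroupName,
        [string]$SqlInstance = 'CMSQL01',
        [string]$Database    = 'CM_PS1'
    )
    $sql = @"
SELECT DISTINCT dpgr.NAME AS DpGroup, pk.NAME AS PackageName, dgp.pkgid AS PackageID,
       pk.packagetype AS PackageType, dpcn.targeteddpcount, dpcn.numberinstalled,
       dpcn.numberinprogress, dpcn.numbererrors
FROM vsms_dpgroupinfo dpgr
INNER JOIN v_dpgrouppackages dgp ON dgp.groupid = dpgr.groupid
LEFT JOIN v_package pk ON pk.packageid = dgp.pkgid
LEFT JOIN v_dpgroupcontentdetails dpcn ON dpcn.groupid = dpgr.groupid AND dpcn.pkgid = pk.packageid
WHERE dpgr.NAME = @DpGroupName
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$SqlInstance;Database=$Database;Integrated Security=True")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    # The group name travels as a typed parameter, so quotes or SQL in the
    # value cannot change the statement.
    [void]$cmd.Parameters.AddWithValue('@DpGroupName', $DpGroupName)
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $table.Load($cmd.ExecuteReader())
    } finally {
        $conn.Close()
    }
    $table.Rows
}

function ConvertTo-Int {
    # NULLs from the LEFT JOINs arrive as DBNull; treat them as 0.
    param($Value)
    if ($null -eq $Value -or $Value -is [DBNull]) { 0 } else { [int]$Value }
}

function Select-IncompleteContent {
    # Rows that still need attention: not on every targeted DP, or with errors.
    param([Parameter(Mandatory)] [object[]]$Rows)
    @($Rows | Where-Object {
        ((ConvertTo-Int $_.numbererrors) -gt 0) -or
        ((ConvertTo-Int $_.numberinstalled) -lt (ConvertTo-Int $_.targeteddpcount))
    })
}

# Constructed sample rows (same columns the query returns) for an offline run.
$sample = @(
    [pscustomobject]@{ DpGroup = 'Azure DP'; PackageName = '7-Zip';    PackageID = 'PS100001'; PackageType = 0;   targeteddpcount = 3; numberinstalled = 3; numberinprogress = 0; numbererrors = 0 },
    [pscustomobject]@{ DpGroup = 'Azure DP'; PackageName = 'Boot x64'; PackageID = 'PS100002'; PackageType = 258; targeteddpcount = 3; numberinstalled = 2; numberinprogress = 1; numbererrors = 0 },
    [pscustomobject]@{ DpGroup = 'Azure DP'; PackageName = 'Drivers';  PackageID = 'PS100003'; PackageType = 3;   targeteddpcount = 3; numberinstalled = 2; numberinprogress = 0; numbererrors = 1 }
)
Select-IncompleteContent -Rows $sample | Format-Table PackageName, targeteddpcount, numberinstalled, numbererrors

# Against the site database:
# Select-IncompleteContent -Rows (Get-DpGroupContentStatus -DpGroupName 'Azure DP') | Format-Table
```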



Unable to see the volume purchase program app in the intune apps


I was recently contacted by a team that was unable to see a Volume Purchase Program app in the Intune apps node.

The customer has a working Intune setup to enroll iOS/iPadOS devices purchased through Apple's Automated Device Enrollment (ADE, formerly DEP, the Device Enrollment Program). ADE lets you enroll a large number of devices without touching them.

Since the customer uses ADE, applications are purchased through the Volume Purchase Program (VPP) and synced to Intune for deployment to users' mobile devices.

A few days ago the customer asked the team to purchase an app and deploy it to the iOS devices enrolled through ADE.

Purchasing an app through the Volume Purchase Program for use with Microsoft Intune is easy. If you already have a working setup, you can log in to the Apple Business Manager (or Apple School Manager) account and purchase the app licenses (free or paid).

As usual, I logged into the Apple Business Manager portal and added the app with X licenses.

Once the app is added, Intune syncs with the Apple VPP service twice a day; we can also trigger a manual sync.

Since the request was urgent, I did a manual sync: Tenant administration > Apple VPP Tokens, right-click the VPP token and click Sync.


The sync takes a few minutes to complete, after which the app should be available in the Intune apps node.

I waited for an hour or so, but the app never appeared in the Intune apps node.

At this point I assumed the sync had not completed successfully, so I tried it once more, with no luck.

I then purchased another app to check whether the sync works at all; this time the app appeared in the Intune portal.

So I went back to the customer to ask about the application and how it is published, for example whether it has any regional restrictions.

The customer told me that the app is region-limited and can only be obtained within their country.

Now I had to go back and check the VPP token properties and how it was created.

Go to the VPP token and click Properties to see the country/region; in this case it was set to United States.


The country/region plays an important role: Intune synchronizes VPP apps only from the store of the specified country/region.

Now I knew why my VPP app did not sync to Intune: the token's country/region did not match the app's.

I had two options: 1) edit the settings of the existing VPP token, or 2) create a new VPP token with the country/region set to the app's country.

I preferred option 2, creating a new VPP token.

Before creating a new VPP token in Intune, you need to generate a token file in Apple Business Manager and import it.

Create a new VPP token, choose the token file, and this time choose the country/region where the app is available.

Once the VPP token is created, sync it and wait a couple of minutes; the app then shows up in the Intune Apps node.


Now you can assign the app to groups of users/devices.

I hope you find this article useful!

We couldn’t sign you in to the Microsoft whiteboard using work or school account error code 80070164


Microsoft Whiteboard has been out for almost two years. It is available to users on Windows 10 and lets them type, draw, erase and attach notes and images, going beyond what you can do on a physical whiteboard.

The following are some of the activities you can do with Whiteboard:

  • Running effective meetings
  • Brainstorming
  • Team sprint planning
  • Project planning
  • Problem-solving
  • Incident management

The Whiteboard app is available in the Microsoft Store for Windows 10 and on the App Store for iPhone and iPad. You can also use Whiteboard in the browser.

Microsoft Whiteboard is integrated with Office 365 (Microsoft Teams), and you can enable it from the Office 365 admin portal. For more information about using Microsoft Whiteboard in Teams, please refer to the help guide.

You can sign in to Whiteboard with a personal Microsoft account or a work/school account; all sessions are stored in the cloud.

The problem:

Although we enabled Whiteboard in Office 365 a long time ago, users only started using it in the last few months. Because of the COVID situation around the globe, the majority of the workforce is working from home and demand for Whiteboard has increased.

For Office 365, we have a mix of devices: hybrid Azure AD joined, Azure AD joined, and Intune enrolled ONLY devices.

On devices that are hybrid Azure AD joined, both the Whiteboard app and the browser version work fine.

On devices that are Azure AD joined and Intune enrolled ONLY, launching the Microsoft Whiteboard app fails, but the browser URL works fine.

These Azure AD joined and Intune enrolled (MDM) ONLY devices are managed by Intune and therefore have an app protection policy (Windows Information Protection) applied.

When users try to sign in to the Microsoft Whiteboard app with a work or school account and click Continue, sign-in fails with the following error:

We couldn't sign you in. There is a problem signing in. Please check your internet connection and try signing in again.

Error code: 80070164

Clicking More details takes you to a Microsoft URL, which doesn't help much.

The solution:

If you search the internet for this error code, you will find many sites that discuss it, but none of them helped me.

I also tried signing in to the app with a Microsoft account (personal account), but got the same error code.

I looked at the Azure AD sign-in logs with the correlation ID, but nothing was tracked there.

The next option was to install Fiddler and capture a trace to see whether any URL was being blocked, but there were no requests related to the error code. So Fiddler didn't help much either.

Time to take a deep breath and analyze what is going on.

On hybrid Azure AD joined devices it works fine; on AAD joined/Intune managed devices only the browser works, not the app.

The only difference between these two types of devices is that the Intune enrolled devices are controlled by Windows Information Protection.

For Windows Information Protection (WIP), I looked at the event viewer logs on the device but could not find any relevant information.

Although I could find no trace that the issue was caused by WIP, I took a chance and looked at the Windows Information Protection policy applied to the user.

In the WIP policy's managed apps, Microsoft Whiteboard was not listed.

A few months ago, I published an article on how to add Microsoft Store apps to a Windows Information Protection policy. Follow that article to add the Microsoft Store app as a managed app in the WIP policy.

Once you add the app to WIP, the policy is updated on the user's device within the next hour, and the user should be able to sign in to Microsoft Whiteboard.


The WIP policy changes are applied on the device and loaded into the AppLocker StoreApps policy file under C:\Windows\System32\AppLocker\MDM\.

The following is the policy file that gets updated with Microsoft Store apps; the Whiteboard app is now a managed app.


Long story, but a simple fix for devices that are managed by Intune with app protection policies (WIP) applied.

Hope you find this article useful!

New Microsoft Edge chromium browser supports for windows information protection (WIP) – Intune


Windows Information Protection (WIP) is mobile application management (MAM) for Windows 10; it helps protect enterprise data from unauthorized or accidental leakage.

On January 15th, 2020, Microsoft released the new Chromium-based Edge browser. When it was released, some of our users asked to have it rolled out to their Azure AD joined/Intune enrolled devices.

We use Windows Information Protection to protect corporate data in approved/managed/enlightened applications. For more information about Windows Information Protection and how to configure it, please refer here.

Before releasing any feature, product or application to end users (especially in the cloud era), we conduct some internal testing of both the technical functionality and the security (DLP) behaviour.

As part of this, we tested the Edge browser's support for Windows Information Protection and found that Edge was not ready for WIP at that time (first release of Edge). For more details, refer to my previous blog post.


On April 13th, 2020, Microsoft released stable version 81.0.416.53, which supports Windows Information Protection (WIP) and helps enterprise customers protect corporate data from leakage.

Starting with Microsoft Edge version 81, the following features are supported for Windows Information Protection:

  • Work sites are indicated by a briefcase icon in the address bar.
  • Files downloaded from a work location are automatically encrypted.
  • Silent/Block/Override enforcement for work file uploads to non-work locations.
  • Silent/Block/Override enforcement for file drag and drop actions.
  • Silent/Block/Override enforcement for clipboard actions.
  • Browsing to work locations from non-work profiles automatically redirects to the work profile (associated with the Azure AD identity).
  • IE mode supports full WIP functionality.

How to configure Windows Information Protection to protect the Microsoft Edge browser?

If you already have a working WIP policy in your Intune tenant, the procedure is very simple.

1. Log in to https://endpoint.microsoft.com

2. Browse to Apps > App protection policies.

3. Select the WIP policy, then Properties > Targeted apps > Edit.

4. When you click Edit, you see the list of apps managed/protected by WIP. Click Add.

5. In the recommended apps, scroll to the bottom; you will see an XML file, MsEdge - WIPMode-Allow - Enterprise AppLocker Policy File.xml, which Microsoft makes available to all tenants.

Is there a way to download this XML to see what is inside? Yes, you can download the XML file from here.

If you are not using Microsoft Intune, you can download the XML file and apply the policy update through the WIP Enterprise AppLocker Policy File.

6. Click Add, then Review + save, and save the policy.

You will now see the policy saved and the number of protected apps increased.

7. If you have not already targeted the policy to users, assign it to the Azure AD security group (user-based).

If you do not have an existing WIP policy, follow the steps outlined here and then enable Edge support using the steps above.

As soon as the policy is saved, devices managed by Intune receive the policy and apply the changes.

The changes can be seen on the Intune enrolled device in the C:\Windows\System32\AppLocker\MDM\ folder (the AppLocker EnterpriseDataProtection EXE policy).


The above information comes from the XML we imported earlier.
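Rather than opening the policy files under C:\Windows\System32\AppLocker\MDM\ by hand, the publisher rules in them can be listed with PowerShell to confirm that an app (Whiteboard in the earlier post, Edge here) has arrived as a managed app. This is an added example, not code from either post. It assumes the files written there are AppLocker policy XML, which is what a WIP policy delivered through MDM produces, and it searches the folder recursively because the sub-folder names depend on the policy GUID. The sample XML in the block is constructed for the offline run, not copied from a device.

```powershell
# Added example, not code from either post: list FilePublisherCondition
# entries in the AppLocker policy files a WIP policy writes under
# C:\Windows\System32\AppLocker\MDM, so you can confirm an app is managed.
# Assumptions: the files are AppLocker policy XML; folder layout varies by
# policy GUID, hence the recursive search.

function Get-AppLockerPublisherRules {
    # Parses one AppLocker policy document and returns one object per
    # FilePublisherCondition (collection type, publisher, product, binary).
    param([Parameter(Mandatory)] [xml]$Policy, [string]$Source = '<inline>')
    foreach ($collection in @($Policy.AppLockerPolicy.RuleCollection | Where-Object { $_ })) {
        foreach ($rule in @($collection.FilePublisherRule | Where-Object { $_ })) {
            foreach ($cond in @($rule.Conditions.FilePublisherCondition | Where-Object { $_ })) {
                [pscustomobject]@{
                    Source      = $Source
                    Collection  = $collection.Type
                    Enforcement = $collection.EnforcementMode
                    Rule        = $rule.Name
                    Action      = $rule.Action
                    Publisher   = $cond.PublisherName
                    Product     = $cond.ProductName
                    Binary      = $cond.BinaryName
                }
            }
        }
    }
}

function Get-WipManagedApps {
    # Reads every file under the MDM AppLocker folder, skips anything that is
    # not XML, and returns the rules whose product or publisher matches.
    param(
        [string]$Root  = 'C:\Windows\System32\AppLocker\MDM',
        [string]$Match = 'Whiteboard'
    )
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        try { $xml = [xml](Get-Content -Path $_.FullName -Raw -ErrorAction Stop) } catch { return }
        Get-AppLockerPublisherRules -Policy $xml -Source $_.FullName
    } | Where-Object { $_.Product -like "*$Match*" -or $_.Publisher -like "*$Match*" }
}

# Constructed sample policy (not taken from a device) with one Appx rule,
# in the shape AppLocker uses, so the parser can be run without a WIP device.
$sample = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="Microsoft Whiteboard" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Whiteboard" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@
Get-AppLockerPublisherRules -Policy ([xml]$sample) | Format-Table Collection, Product, Action

# On an Intune enrolled device (run elevated):
# Get-WipManagedApps -Match 'Whiteboard' | Format-Table Source, Collection, Product
# Get-WipManagedApps -Match 'Edge'       | Format-Table Source, Collection, Product
```

A `Collection` of `Appx` corresponds to the StoreApps policy the Whiteboard fix lands in; `Exe` is the desktop-app policy the Edge XML updates.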

We have now created/updated the Windows Information Protection policy to protect the Edge browser.

Before we look at the end-user experience, note that Windows Information Protection with Microsoft Edge requires (mandatory) a work profile.

Without a profile signed in with a work account, the user will not be able to access corporate data in the browser.

On Azure AD joined devices, when users launch the Edge browser it automatically creates a work profile and signs in with the user's account. To make sure users don't remove this profile, which WIP needs, configure the NonRemovableProfileEnabled policy.

End user experience:

When the end user launches the Edge browser and accesses corporate data, they see a briefcase icon in the address bar (the work site comes from my WIP policy).


When the URL is protected, data copied from that site into Notepad or other managed apps remains protected.


Copying data from Edge to unmanaged apps such as WhatsApp, Notepad++ or Google Chrome shows the user the following message:

Your organization doesn't allow you to use work content with this application


Limitations:

Edge's support for Windows Information Protection has a limitation with identity protection.

If you create more than one work profile with different identities (a corporate profile and another profile with a different Office 365 tenant for testing), the WIP policy is applied to all identities in the Edge browser.

For example, I created two profiles in Edge: 1) with my office identity (Eswar.koneti@abc.com) and 2) with my personal/other tenant (eswar.koneti@xyz.com).

On a device managed by a company called abc.com, if I open Teams or Office 365 resources in the XYZ work profile, the data is still protected by the corporate WIP policy configured by abc.com, which is a drawback.

In reality, not every user has multiple identities for accessing Office 365 resources.

I hope Microsoft fixes this limitation in upcoming versions of Edge.

All in all, it is good to see that Microsoft Edge now supports Windows Information Protection to protect enterprise data.

Recommended reading:

WIP Prerequisites

Plan your deployment of Microsoft Edge

Microsoft Edge – Available Policies

What is new in Configuration Manager 2002 reporting


Microsoft has released Microsoft Endpoint Manager Configuration Manager build 2002 (MEMCM) via the opt-in (fast-ring) method, so it is now available to install from the console; the baseline media is not yet available for download. The baseline version will be released when the build is made available in the console via the slow ring.

If you want to install a new Configuration Manager site (fresh build), you can download 1902 as the baseline from the Volume Licensing portal until the 2002 baseline is released.

For more information about how to perform the in-console update to Configuration Manager 2002, please refer here.

After the in-console update, you need to manually upgrade any secondary sites by right-clicking the site and choosing Upgrade.

You also need to update your Configuration Manager clients to the latest version (2002) to take advantage of the new client features.

Build 2002 adds a bunch of new features, which also means a number of new SQL tables/views that will help us create some great custom reports.

The following are the newly added SQL views/tables/functions for custom reporting.

v_Applications
v_BoundaryGroup
v_CIRemediationHistory
v_ConsoleDistinctLatestStartUpDuration
v_ConsoleLatestStartUpDuration
v_ConsoleLatestStartUpDurationPerUser
v_DefaultBrowserData
v_DeviceApplicationState
v_GS_BROWSER_USAGE
v_HS_BROWSER_USAGE
vApp_TSDTAssignmentReferences
vApp_TSDTReferences
vCMGS_AppProgramSyncData
vCMGS_CollectionSyncData
vSMS_Azure_CloudServiceHist
vSMS_CM_FeatureStatusAll

Since the TechNet Gallery is retiring very soon, I have uploaded the Microsoft Endpoint Manager SQL views for build 2002, and for the previous builds, to GitHub for your reference.

Download the SQL views for reporting from Github

Happy reporting!

Recommended reading:

SQL Server views in Configuration Manager

Creating custom reports by using SQL Server views in Configuration Manager

Configuration Manager report for a list of clients missing boundaries


I did a few blog posts on client boundaries and boundary groups for Configuration Manager builds lower than 2002. In one of them I explained how to identify clients that are missing boundaries/boundary groups. For more information, please refer to http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

In all those blog posts, you needed to extend the hardware inventory MOF (client settings, hardware inventory) to get the client boundary group details.

With the release of Configuration Manager current branch 2002, you no longer need to extend the MOF. Boundary group information is now available to help you troubleshoot devices with site assignment/content location issues.

With this release, we can create a collection of clients that fall into a specific boundary group, and also a collection of clients that are missing boundary groups.


For the collections, refer to these blog posts: http://eskonr.com/2020/04/how-to-create-a-collection-based-on-boundary-group-for-client-assignment-and-content-troubleshooting/ and https://www.systemcenterdudes.com/sccm-powershell-collection-boundary-groups/

In this blog post, we will see how to create a report that identifies the clients in a specific collection that are missing boundaries/boundary groups.

I have created a report for you (it works only with Configuration Manager 2002 and later; also make sure your clients are upgraded to the 2002 client), and it is available on GitHub for download.

Download the report from GitHub, upload it to your SSRS instance, change the data source, and run the report.

Clients missing boundaries: you need to go back and review your boundaries and boundary groups.

If your clients are running a version lower than 2002, you won't see data in the report, because the boundary group info is only available from client version 2002 onwards.

If your boundaries and boundary groups are configured perfectly and all your clients are running 2002 or later, the report comes back with no rows.

I hope you find the post useful!

The following are a few custom reports created for earlier versions of Configuration Manager.

http://eskonr.com/2019/12/how-to-find-configmgr-client-boundary-and-boundary-group-details-based-on-boundary-group-caching/

http://eskonr.com/2017/09/sccm-configmgr-report-for-boundary-group-relationships-with-fallback-sites/

http://eskonr.com/2013/12/sccm-2012-ssrs-report-site-servers-and-its-assigned-boundary-information/

http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

For more information about boundary groups, please refer to https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_show-boundary


Use SCCM compliance settings to detect the ESU activation for windows 7 and server 2008


As you already know, Windows 7 and Windows Server 2008/R2 reached the end of their support lifecycle on January 14, 2020. You can, however, purchase Extended Security Updates (ESU) for Windows 7 and Server 2008/R2 through Volume Licensing to keep these devices protected. For more information about how to purchase ESU, refer to this blog.

After you have purchased ESU, you can install and activate the ESU key on Windows 7 or Server 2008/R2 devices using a Configuration Manager task sequence, a script, or other means. There are multiple posts on the internet on how to install ESU.

In this blog post, we will see how to check the ESU activation status on Windows 7 and Server 2008/R2. This monitoring helps you take action on devices that are missing ESU, to reduce their exposure to threats.

If you have installed the ESU key on a Windows device, the information is stored in the WMI class 'SoftwareLicensingProduct'.

Knowing where the ESU information is stored in WMI makes it easier to use Configuration Manager to gather the data for further analysis.

By default, Configuration Manager clients do not inventory the SoftwareLicensingProduct class, so if you try to create a collection or query the database using this class, you get empty results.

To check the activation status we can 1) enable the Software_Licensing_Product class in the client settings (hardware inventory), 2) use compliance settings to detect the ESU activation status, or 3) use a script.


I do NOT recommend option 1, because the SoftwareLicensingProduct class contains a lot of data that would be collected from all devices along with the activation information, bloating your database.

As a simple example, on your Windows 7 device open PowerShell and run the following to see the data available in SoftwareLicensingProduct:

Get-WmiObject -query "select * from softwarelicensingproduct"

The command returns a lot of data that we don't need.

What other options do we have that don't bloat the database? A simple and easier method is compliance settings.

I am not providing a step-by-step guide in this post on how to create the configuration item and baseline and deploy them to a collection, but I will give you the steps and the exported baseline configuration so you can import it into your Configuration Manager and deploy it.

Steps required for this:

1. Create a collection for all Windows 7 and Windows Server 2008/R2 devices. You can use this guide to create the collections.

2. Download the configuration baseline file (SCCM Baseline for ESU Activation.zip) from GitHub. This ZIP file contains 2 baseline policies. After you download it, extract it to get the .cab files.

3. In the Configuration Manager console, go to Configuration Baselines, right-click, and choose Import Configuration Data. Import the .cab files you downloaded from GitHub.

You need to do this twice because there are 2 baseline files: 1) for Windows 7 and 2) for Server 2008/R2.

Note: The PowerShell script I used in the baseline checks whether the device is activated with a 1-year, 2-year or 3-year ESU key and reports Compliant; if none of these ESU keys is found, it reports Non-Compliant. The ESU keys are taken from this blog post. Once you import the baseline policies, you can go to the CI and change the script to suit your requirements.

4. Deploy the baseline to the respective collections you created earlier.

5. On the configured schedule, clients evaluate the baseline and report their status.

6. Run the reports to identify the devices that still don't have ESU installed/activated.
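For anyone who wants to write the configuration item's discovery script rather than import the baseline, the following is an added example (not the script shipped in the post's baseline). It reads SoftwareLicensingProduct and returns Compliant when a licensed ESU add-on is present, NonCompliant otherwise. It assumes the ESU add-on appears as a product whose Name contains 'ESU' and whose LicenseStatus is 1 (Licensed) once the key is installed and activated, whereas the post's script matches the specific 1/2/3-year activation IDs. It is written for PowerShell 2.0, which is what Windows 7 and Server 2008 R2 ship with, and the sample product rows are constructed, not real inventory.

```powershell
# Added example, not the script in the post's baseline: CI discovery script
# that checks SoftwareLicensingProduct for a licensed ESU add-on.
# Assumptions: ESU shows up as a product whose Name contains 'ESU' with
# LicenseStatus 1 (Licensed). PowerShell 2.0 compatible (no [pscustomobject]).

function Get-EsuActivationState {
    param($Products)
    if ($null -eq $Products) {
        # Filter on the WMI side so only the ESU rows come back, not the
        # whole class the post warns against inventorying.
        $Products = Get-WmiObject -Class SoftwareLicensingProduct -Filter "Name LIKE '%ESU%'"
    }
    $esu      = @($Products | Where-Object { $_.Name -like '*ESU*' })
    $licensed = @($esu | Where-Object { [int]$_.LicenseStatus -eq 1 })
    New-Object PSObject -Property @{
        EsuProductsFound = $esu.Count
        LicensedCount    = $licensed.Count
        LicensedNames    = @($licensed | ForEach-Object { $_.Name })
        Compliant        = ($licensed.Count -gt 0)
    }
}

function Get-EsuComplianceValue {
    # The string the CI's compliance rule compares against ("Compliant").
    param($Products)
    $state = Get-EsuActivationState -Products $Products
    if ($state.Compliant) { 'Compliant' } else { 'NonCompliant' }
}

# Constructed sample (not real inventory): base OS product plus the 1-year
# ESU add-on, both licensed. A key that is installed but not activated would
# carry a LicenseStatus other than 1 and be reported NonCompliant.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'Windows(R) 7, Professional edition'; LicenseStatus = 1 }),
    (New-Object PSObject -Property @{ Name = 'Windows(R) 7, Client-ESU-Year1 add-on for Professional,Enterprise,Ultimate'; LicenseStatus = 1 })
)
Get-EsuComplianceValue -Products $sample

# In the configuration item, keep the two functions and end the script with
# a bare call that reads live WMI:
#   Get-EsuComplianceValue
# and set the compliance rule to "value returned equals Compliant".
```

Checking LicenseStatus rather than only the presence of the product row is what separates "key installed" from "key activated"; a device with an unactivated key still does not receive the updates.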


Once you have the data, you can use reports or create a collection of non-compliant devices for further troubleshooting.


Until next blog post!

Recommended articles:

Windows 7 support ended on January 14, 2020

FAQ about Extended Security Updates for Windows 7


Early update ring available for Configuration Manager version 2002 (KB4553501)


Microsoft has released the first early update ring (hotfix) for Microsoft Endpoint Configuration Manager current branch 2002. It applies to sites that downloaded and installed build 2002 via the fast-ring (opt-in) method between March 23, 2020 and May 11, 2020.

If you downloaded build 2002 from the console on or after May 11, 2020, you will not see this update in the console: the build you installed already contains all the fixes in this update.


You can validate whether you are eligible for this early update ring by adding the Package GUID column to the details pane of the Updates and Servicing node in the console. The following package GUIDs will receive this early update ring.

AA9975F2-160A-4910-A698-B7A4AF35D727
B39BBA45-E1F0-4233-971E-BB66EB25359D
382F6B53-9217-47CB-9852-7A53232EC80D
0808D0BA-B36F-4719-BD10-08585C1B8B3E
AA09154F-56FB-449D-8009-5BBB7C23CB4F
C427C4F5-6967-4B64-86BC-DEC9E0F201CC
06F89B19-5A8B-460E-A7F4-6CC0E86A1FC6

I updated my Configuration Manager site to 2002 in one of my labs yesterday; it has a Package GUID that is not in the above list, so it is already covered by the fixes.
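The same check can be scripted: read the 2002 update package's GUID from the SMS Provider and compare it with the list above. This is an added example, not from the post; it assumes the SMS Provider runs on 'CM01', the site code is 'PS1', and that the SMS_CM_UpdatePackages class exposes PackageGuid, Name and State for each in-console update. The two GUIDs passed at the end are constructed test values (one from the list above, one not).

```powershell
# Added example, not from the post: test a site's 2002 update package GUID
# against the early-ring list above. Assumptions: provider 'CM01', site code
# 'PS1', SMS_CM_UpdatePackages exposes PackageGuid, Name, State.

$EarlyRingGuids = @(
    'AA9975F2-160A-4910-A698-B7A4AF35D727',
    'B39BBA45-E1F0-4233-971E-BB66EB25359D',
    '382F6B53-9217-47CB-9852-7A53232EC80D',
    '0808D0BA-B36F-4719-BD10-08585C1B8B3E',
    'AA09154F-56FB-449D-8009-5BBB7C23CB4F',
    'C427C4F5-6967-4B64-86BC-DEC9E0F201CC',
    '06F89B19-5A8B-460E-A7F4-6CC0E86A1FC6'
)

function Test-EarlyUpdateRingEligibility {
    # $true when the installed 2002 package GUID is one that will be offered
    # KB4553501. Case-insensitive, and tolerant of the braces the console
    # sometimes shows around GUIDs.
    param(
        [Parameter(Mandatory)] [string]$PackageGuid,
        [string[]]$Eligible = $EarlyRingGuids
    )
    $normalized = $PackageGuid.Trim().Trim('{', '}').ToUpperInvariant()
    [bool]($Eligible -contains $normalized)
}

function Get-Cm2002UpdatePackages {
    # The in-console update packages for 2002 as the provider sees them.
    param([string]$ProviderServer = 'CM01', [string]$SiteCode = 'PS1')
    Get-CimInstance -ComputerName $ProviderServer -Namespace "root\SMS\site_$SiteCode" `
        -ClassName SMS_CM_UpdatePackages |
        Where-Object { $_.Name -like '*2002*' } |
        Select-Object Name, PackageGuid, State
}

# Constructed test values: one GUID from the list above, one that is not.
Test-EarlyUpdateRingEligibility -PackageGuid '{aa9975f2-160a-4910-a698-b7a4af35d727}'
Test-EarlyUpdateRingEligibility -PackageGuid 'E0C5A6A2-0000-4000-8000-000000000000'

# Against a live site:
# Get-Cm2002UpdatePackages | ForEach-Object {
#     "$($_.Name): eligible for KB4553501 = $(Test-EarlyUpdateRingEligibility -PackageGuid $_.PackageGuid)"
# }
```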


Once you install the update on the primary site, you must manually update the secondary sites by selecting the secondary site and clicking Recover Secondary Site.

To verify that your primary and secondary sites are running the same build, add the Build Number column and compare the versions.

You can also use the following SQL query to validate whether a secondary site is up to date.

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

This first early update ring addresses important, late-breaking issues that were resolved after version 2002 became available globally (slow ring).

Issues that are fixed:

  • A Central Administration Site (CAS) may be placed in maintenance mode if the site database contains BitLocker management data and one of the following scenarios is true.
    1. The data link between a primary site and the CAS is unavailable and data is backed up for 5 days.
    2. The site goes through the data reinitialization (reinit) process.
    3. The CAS is recovered.
  • Microsoft Defender Advanced Threat Protection (ATP) policy deployment status shows as "Unknown" when deployed from the Microsoft Endpoint Manager admin center.
  • The SMS Agent Host process (CCMExec.exe) may cause high CPU and memory utilization when the computer is not a member of an orchestration group. The MaintenanceCoordinator.log will show the entry “Orchestration lock is required.”.
  • The download of third-party updates for internet clients fails if only a cloud distribution point is available, unless the user triggers the installation via Software Center.
  • A computer restart initiated from Software Center on a client will fail if a Windows Servicing Stack Update (SSU) was installed with other updates.
  • If both a Servicing Stack Update (SSU) and Latest Cumulative Update (LCU) are deployed together and past due, the SSU is not installed first.
  • Clients in boundary groups with limited network speed or BITS throttling ignore the “Prefer cloud based sources over on-premise sources" setting.
  • The Desktop Analytics dashboard may show stale data up to 12 hours out of date if duplicate devices are in the environment.
  • Site installation fails when the database is installed on a clustered instance of SQL on a Windows Server 2012 R2 server.
  • Administrators cannot run CMPivot scripts without having default scope access.
  • The Azure_CloudService table has inconsistent data after onboarding, offboarding, then onboarding co-management.
  • A client only retries a failed management point connection one time until the client is restarted, leading to delays in policy retrieval.
  • Windows Feature Updates that installed successfully may still appear in Software Center as pending installation after the client computer restarts.
  • The link to the Microsoft Intune Device Explorer for a specific device in the Configuration Manager console does not load correctly.
  • A site administrator with rights to read Devices and Boundary Groups is unable to query the same data using the administration service.
  • Administrators receive an “Insufficient user permissions” error in the Microsoft Endpoint Manager admin center when their on-premises permissions are granted via Active Directory group membership.
  • The Workspace Key and Workspace ID fields are now optional in the Create Microsoft Defender ATP Policy Wizard.
  • Application content fails to download from a cloud distribution point when BranchCache is enabled and there are multiple files to be downloaded.
  • The “Prefer cloud based sources over on-premise sources” boundary group setting is not used for Microsoft Office 365 update content downloads.
  • The tenant attach process fails if the SMS Provider is installed remotely from the site database server.
  • After client upgrade the PolicyAgent.log may be flooded with duplicate log entries, overwriting information valuable to troubleshooting. The entries resemble the following.

Policy instance for 'SMS:Client:Default:{guid}' with unknown policy source 'SMS:Client:Default:{guid}'. Ignoring it.

  • The administration service is unavailable if the service connection point is installed remotely from the site server.
  • The Windows PowerShell Integrated Scripting Environment (ISE) generates a “Failed to refresh” error when loading the cmdlet library and refreshing the list of available cmdlets.
  • Upgrade of the Configuration Manager client fails on Windows 10 clients with error code 80070020 when using the “Auto upgrade” and “Auto upgrade (Pre-production collection)” options.
  • Error handling for the administration service is improved.
  • Installation of dynamic packages via the Install Package task in a Task Sequence fails with error 0x87d02004. This occurs if the “Allow this program to be installed from the Install Package task sequence without being deployed” option is selected in the program for the package.
  • Desktop analytics deployment plans in large environments may not display correctly in the Configuration Manager console due to a SQL timeout.
  • If the site database and data warehouse database are on different computers, and the data warehouse service point is on a different computer from the data warehouse database, the synchronization process may fail. Errors resembling the following are recorded in the Microsoft.ConfigMgrDataWarehouse.log file.

Process encountered an unexpected error
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

Additional hotfixes contained in this update

KB 4561494: Microsoft Edge application creation fails in Configuration Manager

References:

Update for Microsoft Endpoint Configuration Manager version 2002, early update ring

Updates and servicing for Configuration Manager

How to Customize self-service device actions in the Company Portal


Every week Microsoft introduces new features to Microsoft Intune, which you can find at https://docs.microsoft.com/en-us/mem/intune/fundamentals/whats-new .

As of May 11th, 2020, Microsoft released a new feature that is very helpful for Intune admins: the ability to customize the self-service device actions in the Company Portal for enrolled devices.

When a device is successfully enrolled into Microsoft Intune, users can perform the following self-service actions using the Company Portal app, the Company Portal website, or the Intune app on Android.

The following self-service device actions are available once a device has successfully enrolled in Intune:

  • Retire – Removes the device from Intune Management. In the company portal app and website, this shows as Remove.
  • Wipe – This action initiates a device reset. In the company portal website this is shown as Reset, or Factory Reset in the iOS/iPadOS Company Portal App.
  • Rename – This action changes the device name that the user can see in the Company Portal. It does not change the local device name, only the listing in the Company Portal.
  • Sync – This action initiates a device check-in with the Intune service. This shows as Check Status in the Company Portal.
  • Remote Lock – This locks the device, requiring a PIN to unlock it.
  • Reset Passcode – This action is used to reset device passcode. On iOS/iPadOS devices the passcode will be removed and the end user will be required to enter a new code in settings. On supported Android devices, a new passcode is generated by Intune and temporarily displayed in the Company Portal.
  • Key Recovery – This action is used to recover a personal recovery key for encrypted macOS devices from the Company Portal website.

Now, with the Intune service release 2005, you can restrict (hide) some of these self-service device actions from users:

  • Hide Remove button on corporate Windows devices.
  • Hide Reset button on corporate Windows devices.
  • Hide Remove button on corporate iOS/iPadOS devices.
  • Hide Reset button on corporate iOS/iPadOS devices.

How to configure these settings in the Intune portal?

Log in to https://endpoint.microsoft.com/ and browse to Tenant administration; you will notice the service release 2005.

image

On the left, click Customization and then click Edit default policy.

Scroll down all the way to see the Hide features.

image

Enable the actions that you want to hide from users on the respective device types.

When you make changes to the default policy, they apply to all users who have successfully enrolled devices.

Is there a way to apply these settings to a specific group instead of all users? No, I cannot find one. I tried creating a custom policy, but it doesn't offer the above hide settings.

So for now it is the default policy only, and changes to it apply to all users.

Hope it helps!

References:

User self-service device actions from the Company Portal

Self-Service Actions

SCCM console connectivity issues with SQL Server 2019 – Connection may have been terminated by the server


I set up a new lab a few days ago using the Configuration Manager current branch baseline version 2002 with SQL Server 2019.

Installation went fine and I was able to play with it.

By the way, I used Johan's hydration kit to set up this lab to save some time. Though the hydration kit currently available ships with SQL Server 2017, I tweaked it and added SQL Server 2019 for my lab setup.

After a couple of days, when I tried to launch the Configuration Manager console, I ended up with the following screen.

image

Since the error above refers to connectivity to the SMS Provider, I started looking at SMSProv.log.

image

Error from the log:

[HY000][0][Microsoft][SQL Server Native Client 11.0]Unspecified error occurred on SQL Server. Connection may have been terminated by the server.

[HY000][0][Microsoft][SQL Server Native Client 11.0]Unspecified error occurred on SQL Server. Connection may have been terminated by the server.

[HY000][596][Microsoft][SQL Server Native Client 11.0][SQL Server]Cannot continue the execution because the session is in the kill state.   [HY000][0][Microsoft][SQL Server Native Client 11.0]Unspecified error occurred on SQL Server. Connection may have been terminated by the server.  ThreadID : 4844 , DbError: 596 , Sev: 21~*~*

SQL Error: [HY000][596][Microsoft][SQL Server Native Client 11.0][SQL Server]Cannot continue the execution because the session is in the kill state.

If you use SQL Server 2019 with Configuration Manager 1910 or later (the supported versions), there is a known issue with the new scalar UDF inlining feature in SQL Server 2019, and the workaround is to disable scalar UDF inlining on the site database with the following command.

Open SQL Server Management Studio, select the site database, and run:

ALTER DATABASE SCOPED CONFIGURATION SET TSQL_SCALAR_UDF_INLINING = OFF

image

After you run the command, restart the SQL Server service.

Without restarting the SQL Server service, you will not be able to launch the console.

Go to services.msc and restart the SQL Server service.

image

After the SQL Server service has started, launch the console; you should be able to connect to the SMS Provider.

image
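The following is an added example, not code from the original post, that wraps the workaround above with the checks worth running before and after it: the compatibility level (scalar UDF inlining only applies at level 150, so a database still at 140 is not affected) and the current value of the scoped configuration. The database name CM_PS1 is an assumption; use your own CM_<SiteCode>.

```sql
-- Added example: check and disable scalar UDF inlining on the ConfigMgr site database.
-- Assumption: the site database is named CM_PS1; substitute your own CM_<SiteCode>.
USE CM_PS1;
GO

-- Scalar UDF inlining only takes effect at compatibility level 150 (SQL Server 2019).
SELECT name, compatibility_level
FROM   sys.databases
WHERE  name = DB_NAME();

-- Current state of the scoped setting (value 1 = inlining enabled, 0 = disabled).
SELECT name, value
FROM   sys.database_scoped_configurations
WHERE  name = 'TSQL_SCALAR_UDF_INLINING';

-- The workaround from the post: turn inlining off for this database only.
ALTER DATABASE SCOPED CONFIGURATION SET TSQL_SCALAR_UDF_INLINING = OFF;
GO

-- Confirm the change took; expect value = 0 before restarting the SQL Server service.
SELECT name, value
FROM   sys.database_scoped_configurations
WHERE  name = 'TSQL_SCALAR_UDF_INLINING';
```

The setting is scoped to the database, so it does not touch other databases on the same instance; the console remains unusable until the SQL Server service has been restarted, as described above.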

Though SQL Server 2019 is supported for Configuration Manager 1910 onwards, this is a known issue, and Microsoft has documented the workaround above for now.

Reference:

https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/configs/support-for-sql-server-versions#known-issue-with-sql-server-2019

How to prepare SCCM CMG Client installation switches for internet based client


I was recently assisting a customer on the implementation of CMG to manage the windows devices over the internet.

Due to COVID-19, the majority of the workforce is working from home, and these devices would not connect to the office network for several weeks after the implementation of the CMG.

Once the CMG and the site system roles are installed, clients get the location of the CMG service automatically on their next location request. Clients must be on the intranet to receive the location of the CMG service, but in this customer's case users were all working from home, with no possibility of bringing the devices to the office to make them CMG-aware.

image

So the alternative option is to reinstall the client on the internet-connected devices with ccmsetup.exe using the CMG command-line switches.

How do you install the client on the internet-connected devices centrally? Well, the customer has a different tool that can run a command line on all internet-connected devices.

As I mentioned in my previous blog post, you can use the command line to install the client on internet-connected devices; how to get the command-line switches is what this post covers.

The following is the command line that I used to install the client on internet-based clients (I did not use token-based authentication here because the customer has PKI/AAD/hybrid AAD). For token-based authentication, read here.

"C:\windows\ccmsetup\ccmsetup.exe" /nocrlcheck /mp:https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/6257556037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057556037928694 SMSSiteCode=PS1 AADTENANTID=5004305e-6764-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=3C6a28b2-9d0a-484d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService

Note that /mp and CCMHOSTNAME must refer to the same CMG address (CMG FQDN/CCM_Proxy_MutualAuth/ID): check both values character by character, because a single wrong digit in the ID means the client never reaches the CMG.

When I was helping the customer prepare a command line like the one above, I was searching in various places such as the Azure portal, the app registration, the tenant ID, etc. But then I realized that there is a SQL table that stores all this information.

On the SCCM site database, run the following one-liner:

select * from proxy_settings

image

ConnectorInfo contains the /mp and CCMHOSTNAME values.

image

AADConfig contains the AADTENANTID, AADCLIENTAPPID and AADRESOURCEURI values.

AADTENANTID=Tenant ID

AADCLIENTAPPID=ClientID

AADRESOURCEURI=ResourceURI

image

Based on the above data, it is now much easier to prepare the command line syntax to install the client over CMG and manage the client from internet.

I hope it helps and thanks for reading!

For more information about client installation parameters and properties in Configuration Manager, please read here

SCCM Cloud Management Gateway cost estimation calculator


When I talk to my customers about the SCCM Cloud Management Gateway setup, the first question that gets asked is: will there be any cost associated with this service, and if so, what will it cost for X clients using the CMG service?

Even though the implementation of a CMG doesn't require on-premises infrastructure*, there will be a monthly cost associated with this solution.

In this blog post, I will provide some information on how to estimate the cost for your infrastructure based on the number of clients that you support using CMG.

Note: The following information provided is for estimation purpose ONLY.

The following are the components (Azure) involved in costing:

1. Virtual machine -> The CMG runs on a virtual machine in Azure Cloud Services as a platform as a service (PaaS). The standard VM size it uses is A2 v2 per instance.

2. Outbound data transfer (egress or download) -> Data that flows into Azure is free. Anything that flows out of Azure is charged, such as policies, client notifications, content download, inventory reports, status messages, compliance status, etc.

3. Content storage (egress or download) -> This covers the content (applications and packages) that clients download from the cloud distribution point.

Cost estimation for each Azure component:

1. Virtual Machine:

Let's take an example: you manage 10000 clients with SCCM, and you expect 5000 of them to use the CMG service on the internet.

Per the Microsoft recommendation, one CMG instance supports up to 6000 simultaneous connections, which means one instance is enough, but two are recommended for HA. Let's stick with one for the cost estimate.

The cost for one instance per month will be around $87.60 (with Azure Hybrid Benefit, i.e. excluding the OS license). If you include the OS license for the Azure VM, the cost will be around $131.40.

The price varies if you use a reserved instance, but with pay-as-you-go and Azure Hybrid Benefit the cost is around $87.60.

clip_image002

2.Outbound data transfer (egress or download):

Outbound data transfer covers two directions: traffic to the clients, such as policy on each polling interval, software update scans, etc., and the data that flows from the CMG to the on-premises site, such as inventory reports, status messages and compliance state. Estimate 100-300 MB per internet-connected client per month.

This again depends on how you configure your client settings. If you configure a policy polling interval of every 30 minutes or so, hardware inventory every few hours, etc., more data is generated, which increases the cost.

With the default client settings (60-minute policy polling interval, 7-day hardware inventory, 7-day software update scan cycle, etc.) the estimate is about 100 MB; more aggressive client settings lead to 300 MB or even higher.

We will consider 200 MB per client per month.

For 5000 clients, the total egress will be 5000 * 200 MB = 1 TB.

The total cost for 1 TB per month = 1000 GB * $0.087 (cost per GB, based on the Central US region) = $87.

clip_image004

Note that the first 5 GB free per month is not specific to the CMG service; it applies to the entire Azure tenant in which the CMG subscription is located.

3.Content Storage (egress or download):

This is mostly content download from the cloud DP, such as applications and packages for your deployments. We assume about 200 GB worth of applications/packages downloaded by your clients in a month.

The cost will be around 200 GB * $0.087 = $18.

If you deploy only software updates and no apps, there is no charge, because clients download software update content directly from the internet; it is recommended not to distribute software update content to the cloud DP.

If we sum up the cost for 5000 CMG clients across all the CMG services, including one VM and the egress and storage cost, it will be $87.60 + $87 + $18 = about $200 per month.

If you have more than 5000 clients using the CMG service, you may have to increase the number of VM instances to two, which adds another $87.60, plus the additional outbound data transfer cost.

If you don't want any surprises at month end, you have the option to stop the CMG service when the critical threshold is exceeded.

clip_image006

You can also read the blog post from John about some real world cost for using CMG: https://deploymentresearch.com/real-world-costs-for-using-a-cloud-management-gateway-cmg-with-configmgr/

Thanks for reading the post!

Configuration Manager Technical preview 2005 is released- bunch of cloud integration features


Microsoft released Technical Preview 2005 for May 2020. This preview release contains a lot of tenant attach features along with some cloud management gateway features as well.

This preview version is available only via the in-console update. If you want to build a new lab, you need to download the baseline version of Technical Preview 2002 and then update to 2005. For more information about the Technical Preview, please read here.

I just updated my lab to technical preview 2005 to explore the new tenant attach features.

image

Technical preview 2005:

image

Top features:

  1. A task sequence launched from boot media or PXE can retrieve content from cloud based sources:Starting in this release, when a task sequence is started from boot media or PXE, if the client is in a boundary group associated with a cloud distribution point or content enabled CMG the task sequence can download content from the cloud based sources.
  2. Client install and upgrade on metered connection:Client installation and upgrades can be configured to occur on devices connected to metered networks.
  3. Disk encryption options when enabling BitLocker in a task sequence:An admin is now able to select disk encryption level on the "Pre-provision BitLocker" and "Enable BitLocker" task sequence steps.
  4. Improvements to cloud management gateway cmdlets
  5. Improvements to the content library cleanup tool
  6. Microsoft Endpoint Manager tenant attach:CMPivot real-time queries from Microsoft Endpoint Manager admin center
  7. Microsoft Endpoint Manager tenant attach:Device timeline in Microsoft Endpoint Manager admin center
  8. Microsoft Endpoint Manager tenant attach:Install an application for an uploaded device: An admin can now initiate an application install in real-time for a tenant attached device via the admin center.
  9. Microsoft Endpoint Manager tenant attach, Run Scripts from the Microsoft Endpoint Manager admin center:Initiate PowerShell scripts in real-time from the cloud against an individual ConfigMgr managed device and see the script output and status back to the Microsoft Endpoint Manager admin center.
  10. Notification for expiration of Azure Active Directory application secret key:You will now be warned with a console notification when the Azure Active Directory application secret key is close to expiring or is expired. This enables administrators to renew the key and prevent impact to cloud attached features.
  11. Report setup and upgrade failures to Microsoft:If the setup or update process fails to complete successfully, you can now report the error directly to Microsoft. In the event of a failure, there is a "Report update error to Microsoft" button that walks through an interactive wizard allowing you to provide more information to Microsoft. In Technical Previews, this button is always enabled even when setup completes successfully.
  12. VPN boundary type:You can now create a new boundary type to simplify managing VPN clients. All clients that connect through a VPN automatically belong to boundary group(s) associated with this new boundary type.

For full features list and description,please read https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2005

In the next few blog posts, I will discuss the tenant attach and cloud features.

Technical preview 2005 – Tenant attach Install application in real time from admin center


With the Configuration Manager technical preview 2005 build, a bunch of tenant attach features were released that let you take actions from the Devices blade in the admin center.

One of the coolest features in this preview release is that we can now initiate an application install in real time for a tenant-attached device from the Microsoft Endpoint Manager admin center.

What do we need in order to install an application in real time from the admin center?

Prerequisites:

You'll need to meet all of the prerequisites for tenant attach (Tenant attach: ConfigMgr client details).

The following prerequisite is newly added in order to initiate the application install from the admin center.

image

  • At least one application deployed to a device collection with the An administrator must approve a request for this application on the device option set on the deployment. For more information, see Approve applications.
    • User targeted applications or applications without the approval option set don't appear in the application list.

image

As you can see in the application deployment settings, the deployment must be targeted to a device collection with the purpose Available, and "An administrator must approve a request for this application on the device" must be checked.

You can now review the log for the data upload.

  1. Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
  2. The next sync time is noted by log entries similar to Next run time will be at approximately: 30/05/2020 16:35:31.
  3. For device uploads, look for log entries similar to Batching N records. N is the number of devices uploaded to the cloud.
  4. The upload occurs every 15 minutes for changes. Once changes are uploaded, it may take an additional 5 to 10 minutes for client changes to appear in Microsoft Endpoint Manager admin center.

image

In the technical preview, to install the app we must right-click the device, choose Admin center preview, and initiate the install from there.

When this feature is released in current branch, we will be able to open the MEM admin center portal (https://endpoint.microsoft.com) directly and perform the device actions.

For now, we need to open the admin center from the tenant-attached device. In the Configuration Manager console, right-click the tenant-attached device, choose Start, and then Admin center preview.

If Admin center preview is grayed out, the device is not part of the tenant attach upload collection in the co-management settings.

image

You will be prompted for authentication and you will see the following screen.

image

Click Applications to see the apps that are available to install on the device.

We have published an application to the device collection, which can be initiated from the MEM admin center.

image

image

Now go back to your Configuration Manager installation directory and open CMGatewayNotificationWorker.log to see the status of the application install.

When an action is initiated from the Microsoft Endpoint Manager admin center against a ConfigMgr client, CMGatewayNotificationWorker.log processes the request.

In the log you will see information about sending the application request, creating the approved request, and more details about the request.

Sending AdminService request with URL: https://sg-cmtp01.domain/AdminService/wmi/SMS_ApplicationRequest.CreateApprovedRequest

image

After a while, if you look at the client's AppEnforce.log, the application installation has completed.

image

We can now go back to the admin center and refresh the page to see the updated status 'Installed'.

image

With this feature, we can act on a user's application deployment request from anywhere with one click, even from a mobile device, without touching the Configuration Manager console.

Reference:

https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2005#bkmk_apps


Troubleshooting Intune MAM protection policies - iOS and Android


App protection policies in Intune help you ensure that organization data is secure in managed apps. If you want to use MAM protection policies to secure org data on iOS and Android, you don't have to enroll the device into Intune; you can create MAM policies for both enrolled and unenrolled devices.

For creating MAM policies and protecting organization data with them, please read here.

In this post, we will see how to review the MAM protection policy settings, such as app PIN, contact sync, managed locations, etc., on iOS and Android devices for troubleshooting purposes.

Before the release of the Edge mobile browser, on iOS you could type about:intunehelp in the Intune Managed Browser, which launched a page to select the application and review the MAM protection policy settings.

On Android, the Intune Managed Browser did not offer this, and the only way was to use the Company Portal and generate the logs.

With the introduction of the Edge mobile browser, viewing the Intune MAM protection policies is now much easier and consistent across both OSes (iOS and Android), using the Edge mobile browser.

On iOS/Android, launch the Edge mobile browser. Make sure you are signed into Edge with your work account.

On the address bar, type about:intunehelp

image

you will see the following page:

image

If you are working with a support engineer and want to send them the logs, click Send an email and upload logs.

You can also upload the logs only.

In both scenarios you will be given an Incident ID that helps the support engineer locate and read the logs.

image

To view the MAM protection settings applied to each Intune-managed app, click View App Info.

You will be presented with a list of Intune-managed apps that have MAM policies applied.

image

Choose the app whose settings you want to view.

Here you can see a list of all the app protection policy settings with the controls applied.

For a list of app protection policy settings and their descriptions, you can refer here.

Failed to install Configmgr Client- The client version does not match the MP version The client will not be installed


I was recently troubleshooting an SCCM client installation issue on a server that was configured as a distribution point.

The client installation setup and process is very simple and straightforward unless you hit issues like this.

When I started looking at the client installation log (ccmsetup.log), I saw the following information in the log.

The client version 5.00.8913.1000 (build 2002) does not match the MP version 5.00.8790.1000 (Build 1910). The client cannot be installed.

ccmsetup failed with error code 0x80004005

image

The error above says that a management point is installed on the server, and its version does not match the client version that you are trying to install.

The management point and the client share the same binaries, so the client version must match the MP version.

So I started looking at the SCCM site system roles: the server is configured with the DP role ONLY and no other roles.

But in IIS and the registry, I could see entries for a management point, as you can see below.

image

So the question is, where did this management point install from?

I have reached out to the customer and got to know the following information:

The DP server that is having the issue was earlier configured as a management point and distribution point attached to site P01 (the old SCCM site).

The customer had planned to install a new SCCM site (PS1) and re-use the remote site server that is now having the issue as a DP for the new site.

The customer uninstalled the MP and DP roles from the old site, but for some reason the uninstallation of the DP or MP did not complete successfully, and later the problem server was installed with the DP role from the new SCCM site (PS1).

The old SCCM site (P01) was then decommissioned.

We now know the background of the issue and we will see how to fix this issue.

I tried uninstalling the client completely using ccmsetup.exe /uninstall and also ccmclean.exe, but I could not get it working.

When you install the Configuration Manager client, it creates a WMI namespace called root\ccm that holds the configuration and policies governing the operation of the ConfigMgr client, and also of the management point (if the role is installed).

On a device that has the client installed and also the MP installed, there are instances of the class CCM_InstalledProduct inside the root\ccm namespace.

Two MSI products are listed in WMI: one for the ConfigMgr client, and the other for the MP role.

image

When we run ccmsetup.exe /uninstall, it removes only one product, the Configuration Manager client; the second product remains, hence the issue.

To uninstall the management point completely along with the Configuration Manager client (if installed), use the following VBScript.

'Uninstall the ConfigMgr client and the MP if it exists
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
'First, collect the MSI product codes registered under root\ccm
'(one for the client, one for the MP) before anything is removed
strComputer = "."
Set wmiService = GetObject("winmgmts:\\" & strComputer & "\root\ccm")
Set wmiObjs = wmiService.InstancesOf("CCM_InstalledProduct")
Set productCodes = CreateObject("Scripting.Dictionary")
For Each wmiObj In wmiObjs
     productCodes.Add wmiObj.ProductCode, ""
Next
'Then uninstall them one at a time; the third argument (True) waits for each
'msiexec to finish, because two MSI operations running at once fail with error 1618
For Each productCode In productCodes.Keys
     cmdLine = "msiexec /x " & productCode
     WScript.Echo cmdLine
     exitCode = WshShell.Run(cmdLine, 1, True)
     WScript.Echo "msiexec exit code: " & exitCode
Next

Save the script as removeMP.vbs and run it on the problem server with administrative rights.

image

After the script has run successfully, you will be prompted to reboot (mandatory).

Reboot the server and install the Configuration Manager client. This time it installed successfully and was able to communicate with the new SCCM site (PS1).

Hope this helps!

Troubleshooting the Configuration Manager client policy request timestamp is old


Here is another interesting issue that I came across recently with Configuration Manager version 2002.

I was reviewing the client health dashboard in the Monitoring workspace and saw the following status.

image

As you can see in the bar chart of the clients' overall health above, the client policy request is at a very low percentage compared to the other checks such as client health, software inventory, hardware inventory, etc.

The client policy polling interval is configured in the client settings (default 60 minutes) and determines how often the client downloads policy from the management point.

By clicking on the policy request bar, I can see that there are a large number of client devices with a very old timestamp (almost 2 months old).

image

From the above screenshot, many clients are online and active but the policy request timestamp is OLD.

Looking at the old timestamp, the first thing that came to mind is that clients might be having issues downloading policy, which would cause deployment issues.

I picked one of the online clients with an old timestamp and looked at the client logs such as PolicyAgent.log and the deployment logs such as AppEnforce.log, WUAHandler.log, UpdatesDeployment.log, etc.

These logs help identify whether the client is able to download policy and install the deployments, if any.

The client I picked had installed applications very recently and also the monthly software update patches, which is a good sign.

So there are no issues with the deployments or with the client policy download, but why is the policy request timestamp not being updated?

A couple of things verified before applying the NASTY workaround.

1. Verified the MP logs such as MP_Getpolicy.log, MP_policy on the MP server, IIS logs. All looks good.

2. Verified that, inbox folder polreq.box has huge backlogs that are failed to process (E:\Program Files\Microsoft Configuration Manager\inboxes\polreq.box). This inbox folder keeps increasing. I could not able to find anything in the logs that refers to this action.

3. Verified the antivirus exclusions for configuration manager are configured correctly.

4. Restarted the SMS executive services for a fix but could not get through.

The solution (NOT RECOMMENDED IN A PRODUCTION ENVIRONMENT UNLESS YOU KNOW WHAT YOU ARE DOING)

Since a large number of clients have an old timestamp, I started digging into the database as well and found a SQL table called v_CH_PendingPolicyRequests.

This SQL table lists information about pending policy requests, including the GUID of the request.

Run the following query in SQL Server Management Studio:

select * from v_CH_PendingPolicyRequests

image

As you can see above, there are a large number of clients with an old timestamp, their GUID, and also their management point.

DISCLAIMER: Please take a backup of your ConfigMgr SQL database before performing this step. Once the changes are made, they cannot be undone.

We will remove all the pending records from the table v_CH_PendingPolicyRequests and monitor the client policy requests again.

In SQL Server Management Studio, run the following:
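Besides the full database backup, a copy of the rows you are about to drop is worth keeping so the pending requests can still be inspected afterwards. The following is an added example, not code from the original post; it assumes the view name from the post and uses a placeholder backup table name (dbo.CH_PendingPolicyRequests_Backup_YYYYMMDD) that you should rename.

```sql
-- Added example (not from the original post): snapshot the pending rows
-- into a backup table before they are removed, then count what was copied.
-- The backup table name is a placeholder; rename it to suit your site.
SELECT *
INTO   dbo.CH_PendingPolicyRequests_Backup_YYYYMMDD
FROM   v_CH_PendingPolicyRequests;

-- Sanity check: the copy should hold exactly the rows that are still pending.
SELECT (SELECT COUNT(*) FROM dbo.CH_PendingPolicyRequests_Backup_YYYYMMDD) AS [Backed Up],
       (SELECT COUNT(*) FROM v_CH_PendingPolicyRequests)                AS [Still Pending];
```

Run this in the same session immediately before the removal step so that both counts match; if they differ, new requests arrived in between and the snapshot should be taken again.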

TRUNCATE TABLE v_CH_PendingPolicyRequests

Now run the SQL query again to verify whether any records remain:

select * from v_CH_PendingPolicyRequests

Confirm that there are no records in it.

Now delete the backlog files inside the inbox folder polreq.box.

Now monitor the client policy requests from the clients. This time, all the clients have updated their timestamp correctly in the console and also in the client health dashboard.

image

Is there any other fix without truncating the records in the SQL table? No, I don't have one at this point.

I hope you find this useful!

Configuration Manager Technical preview 2006 – Allow Intranet clients to scan against CMG Software update point


Microsoft has released Configuration Manager Technical Preview version 2006 with a lot of cloud features. For more information about the features of this preview release, please refer to https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2006

This Technical Preview version is not a baseline version and can be installed only via the in-console update. If you are building a new site, please install the baseline (Technical Preview) version 2002 and update it to 2006 in-console.

This Technical Preview version focuses more on cloud-related features. One of the most-awaited CMG features is allowing intranet clients to scan against the CMG software update point when you configure the boundary groups.

Until now, in all the previous Technical Preview builds and also in the current branch build, all on-prem client traffic could be routed via CMG except the software update scan, which is now possible using Technical Preview build 2006.

The following are the 2 scenarios in which you can configure boundary groups to allow intranet clients to scan against the CMG software update point:

· When an internet machine connects to the VPN, it will continue scanning against the CMG software update point over the internet.

· If the only software update point for the boundary group is the CMG software update point, then all intranet and internet devices will scan against it.

How to test this feature to allow intranet clients to scan against CMG SUP?

Create boundaries and boundary groups for your VPN clients. In my lab, I use my intranet client as the VPN boundary.

Boundary group:

image

Go to properties of the VPN boundary group and click on references:

Add the CMG here (please note that I am using a 3rd party certificate in my lab, hence there is no cloudapp.net name).

image

My lab has only 1 SUP, so I configured it to support both intranet and internet-based clients.

The following setting applies to the scenario where the only software update point for the boundary group is the CMG software update point, so that all intranet and internet devices scan against it.

image

If you have a dedicated SUP for internet-based clients then you can choose ‘Allow Internet-only client connections’ for your VPN clients, so that when an internet machine connects to the VPN, it continues scanning against the CMG software update point over the internet.

In the Relationships tab, leave it blank. There is no need to configure any fallback.

In the Options tab (for downloads), configure ‘Prefer cloud based sources over on-premise sources’.

image

Now log in to the client (Windows 10, connected on-prem) and restart the SMS Agent Host service for a quick test, or refresh the machine policy cycle.

From the Configuration Manager applet, run the Software Updates Scan Cycle and monitor wuahandler.log and locationservices.log.

Locationservices.log

image

wuahandler.log:

image

As you can see, the client is connected to the intranet but the software update scan is running against the CMG software update point.

The following SQL query will help you identify the clients connecting to the CMG software update point:

select uss.LastScanPackageLocation [Scan Location],
count(*) Total
from v_UpdateScanStatus uss
group by uss.LastScanPackageLocation
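The summary above tells you how many clients scan against each location; when verifying the boundary group change, you usually also want to know which devices scanned where and whether the scan succeeded. The following is an added example, not code from the original post. It assumes the standard ConfigMgr views v_UpdateScanStatus and v_R_System, and the column names LastScanTime, LastErrorCode and LastScanState on v_UpdateScanStatus; @CmgPattern is a placeholder that you replace with your CMG software update point's hostname (the post notes that with a 3rd party certificate the name will not contain cloudapp.net).

```sql
-- Added example (not from the original post): per-device view of the same
-- scan data, tagging each row as CMG or on-prem by matching the scan location.
-- @CmgPattern is a placeholder; set it to your CMG SUP hostname.
DECLARE @CmgPattern nvarchar(256) = N'%CMG-SUP-HOSTNAME-PLACEHOLDER%';

SELECT  s.Name0                     AS [Device],
        uss.LastScanPackageLocation AS [Scan Location],
        CASE WHEN uss.LastScanPackageLocation LIKE @CmgPattern
             THEN 'CMG SUP' ELSE 'On-prem SUP' END AS [SUP Type],
        uss.LastScanTime            AS [Last Scan],
        uss.LastErrorCode           AS [Last Error],  -- 0 means the scan succeeded
        uss.LastScanState           AS [Scan State]
FROM    v_UpdateScanStatus uss
JOIN    v_R_System s ON s.ResourceID = uss.ResourceID
WHERE   uss.LastScanTime >= DATEADD(day, -7, GETDATE())   -- only recent scans
ORDER BY uss.LastScanTime DESC;
```

Devices that you expect to be on-prem but show up as 'CMG SUP' confirm the boundary group configuration is taking effect; a non-zero Last Error on those rows is the first thing to correlate with wuahandler.log on the client.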

image

This is a great feature to route all the traffic via the internet.

Hope to see this feature in the next version of production build.

Microsoft MVP Award for 2020-2021 (4th Time)


I am super excited and honored to receive an email from Microsoft about my MVP (Microsoft Most Valuable Professional) award renewal for the year 2020-2021 in the Enterprise Mobility area.

This is my 4th consecutive MVP award (the first was in 2017) and I am glad that I am still part of the great MVP community for another year.

Following is the email I received from Microsoft about the MVP Award.

Dear Eswar Koneti,

We’re once again pleased to present you with the 2020-2021 Microsoft Most Valuable Professional (MVP) award in recognition of your exceptional technical community leadership.

We appreciate your outstanding contributions in the following technical communities during the past year:

image

I would like to thank my followers on LinkedIn, Facebook and Twitter, and my blog readers, for their support in the Enterprise Mobility area.
