Microsoft has released another update rollup to fix client setup content download issue from CMG distribution point.

The following listed issues and the rollup update is available in updates and servicing node only if you have installed the recently released update rollup KB 4578605 for Configuration Manager 2006 build.

If you have not installed KB 4578605, then you will not see this update in the updates and servicing console.

Issues:

1. If you have configured cloud management gateway along with cloud DP and running the ccmsetup.exe (client installation) , the client will failed to download the client installation file (ccmsetup.cab) from Azure blob storage.

The following is the error code seen from the ccmsetup.log:

[CCMHTTP] ERROR: URL=https://{Azure_blob_storage}:443/content-l0000003/ccmsetup.cab?..., Port=443, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
[CCMHTTP] ERROR INFO: StatusCode=400 StatusText=Authentication information is not given in the correct format. Check the value of Authorization header.

2. If you have clients that ONLY use PKI for authentication, then they also failed to upgrade or install the client.

This occurs if the option Use PKI client certificate (client authentication capability) when available is disabled on the Communication Security tab of Site Properties. Errors resembling the following are recorded in the ccmsetup.log file on the client.

Client is not allowed to use PKI issued certificate or not able to use AAD token or ContentToken thus can not talk in HTTPS.
Failed to download client files by BITS. Error 0x8000ffff

In my case, I did not install the applicable update KB 4578605 hence the update is not visible in the console.

Once you install the update (if applicable to your site), you don't have to restart the site server.

The client patch (.MSP file) contained in this update supersedes the versions that shipped with update rollup KB 4578605 and update KB 4575787. Therefore, only one client upgrade is required.

I was helping a customer who was trying to set up an android enterprise personally enabled (BYOD) work profile configuration.

In this blog post, I will try to explain the expected behavior (based on my testing) of the Android Enterprise work profile password.

A work profile is something that you can be set up on an Android device to separate work apps and data from personal apps and data. With a work profile you can securely and privately use the same device for work and personal purposes.

Using Intune, the work profile can be used in Android Enterprise personally owned devices with a work profile (BYOD) and Android Enterprise corporate-owned work profile (COPE).

For more information about the android enterprise, please refer to https://docs.microsoft.com/en-us/mem/intune/enrollment/android-enterprise-overview

Initially, when I configured Android Enterprise personally owned work profile, device restriction policy, I did configure the work profile password.

As you can see in the configuration, I do have some configurations for work profile to be applied when the device is enrolled to Intune with work profile.

As per the Microsoft docs, Require Work Profile Password: Require forces a passcode policy that only applies to apps in the personally-owned work profile. By default, users can use the two separately defined PINs. Or, users can combine the PINs into the stronger of the two PINs.

With this statement, we assume that, when the device is enrolled to Intune, the user gets prompt to set up a work profile password length of 8 as per the work profile which is true, and we agree with that.

At this stage, we were in the assumption that we will have 2 passwords 1) Device lock that is set up by user 2) Work profile.

We also expect that every 30 min of inactivity, the work profile should prompt for a password which is what we configured in the policy but does it happen? No

Let’s try to go a little deep and understand about Require Work Profile Password with a simple example.

I have a personal android device with a 4-digit password (easy to remember) and is enrolled to Intune using android enterprise (work profile). When the device is enrolled to Intune, the work profile password policy prompts me to set up a password with a length of 8 as per the policy.

By setting up this work profile password, it is replacing/removing your personal profile (device lock) password (4 digit) and making work profile password as your device lock password. So once this is done, you will be prompted only once for the device lock password and never for work profile because they share same password now.

It is also true that the inactivity time which we have configured for 30 min is also applicable to personal profile/device lock happens.

As an end-user, I always try with my 4 letter password to unlock the screen because that is what I have used all this while, but it won’t accept once the device is enrolled to Intune. you must always use work profile password.

If you are using face ID/fingerprint/Iris, you won’t be impacted with this but when these modern passwords don’t work, you will have to use the work profile password to unlock the device.

There is 1 more configuration setting in the work profile which is to apply the personal profile on devices using work profile.

If you configure this along with the work profile password, you will have only 1 configuration applied of which, the most restrictive WIN’s for both screen lock (personal) and work profile.

Summary:

The device will always use work profile passcode for both screens unlock, and Work profile unlock. when the user uses a passcode to unlock the screen, the work profile is also unlocked, when a user tries to access the work profile, there won’t be any passcode because the user has already used the passcode to unlock the screen.

In simple terms, this setting will replace the end-user password and screen lockout settings.

Why is this happening and how to prevent this?

When an android device is enrolled to Intune and work profile password is applied, the ‘Use One Lock’ setting will be enabled by default, and this will take over the device settings and replace it with work profile settings.

You need to disable the use one lock which is available work profile setting on the android device. In the process of disabling this setting, you will be prompted to setup work profile password. So, in this case, you will have 2 different passcodes 1) for device lock 2) work profile.

How do we disable this use One Lock? There is no configuration in Intune that you can do at the moment but there is user voice to disable this setting. https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/36211675-android-entreprise-disable-one-lock-password  Please go and vote for it if you need this feature.

Hope it helps!

A year ago, Apple announced a new method of iOS/iPad device enrolment which is called User Enrollment. This enrolment method is available in iOS 13 and macOS 10.15 Catalina and later OS.

With the availability of user enrolment from Apple, we can use Intune to enroll iOS and iPadOS devices using Apple's User Enrolment process.

Following are the 3 device enrolment types available.

For more information about user enrollment in Intune, please refer to https://docs.microsoft.com/en-us/mem/intune/enrollment/ios-user-enrollment?

After you create an enrolment profile, assign to a user group and enroll the devices, you may need to identify the list of devices that use a specific enrolment profile for reporting purpose.

In my tenant, I have created 3 different enrollment types and assigned them to various user groups based on the requirement.

Now how do we know devices that are are enrolled using particular enrollment type?

We can use Azure Active Directory dynamic membership group with an enrollment profile name.

Azure Active Directory (Azure AD) helps you to create complex attribute-based rules to enable dynamic memberships for groups.

To create dynamic Azure AD group for specific enrollment profile, follow the steps below.

1. Login to https://aad.portal.azure.com/ or https://endpoint.microsoft.com/
2. Click on Azure Active Directory, click on Groups
3. Click on create a new group, give it a name, description and for membership rule, choose Dynamic Device, click on add dynamic query

4. Configure the values as per below.

Value should be the enrollment type name that you created above.

5. Click on save and create

The group will now start processing the changes and fetch the devices that match the specific enrollment type.

Like wise, you can create several azure AD dynamic groups based on the attributes available and used in intune.

For a list of pre-defined rules and device attributes that can be used in dynamic groups, please refer

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#rules-for-devices

Microsoft has released update 2010 for Endpoint Manager Configuration Manager , the last build for this year with some great and enhanced features, for a complete list, please refer to https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2010

This build version is currently available for you to install via opt-in method (fast-ring). You can download the script from and run it on your ConfigMgr site. To download the script, refer to https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/checklist-for-installing-update-2010#early-update-ring

With this update 2010, there are a bunch of new features added. This means that, there are also a number of SQL tables/views added which will help us to create some great custom reports to our customers.

Lets see what are the newly added SQL views/tables/functions that we can use for custom reporting.

Following are some of the list which will add value to the business.

For a complete list of SQL views available in Configuration Manager 2010 and what’s new in 2010 compared with its previous build 2006, please refer the documentation available at Github

Introduction:

I was recently working on project performing the network assessment for teams call quality issues. The network assessment is being done using the free tool provided by Microsoft which is Skype for Business Network Assessment Tool (can be downloaded from Microsoft site).

The Microsoft Network Assessment Tool provides the ability to perform a simple test of network performance to determine how well the network would perform for a Microsoft Teams or Skype for Business Online call. The tool tests the connection to Microsoft Network Edge by streaming a set of packets to the nearest edge site and back for approximately 17 seconds for a configured number of iterations.

You can download the the free tool from https://www.microsoft.com/en-us/download/details.aspx?id=53885

After you download and complete the installation, you will find an installation guide (usage.docx) in the installed directory that will help you prior to the use of network assessment tool.

The tool reports  Packet loss,Jitter,Round-trip latency and Reorder packet percentage etc.

As part of the network assessment, we need to run two commands, these commands store the results in user profile, collect the files, review the data before taking any action such firewall ports, proxy,network etc.

The following is a sample of how both the commands console output and the results look like:

Command 1:

C:\Program Files (x86)\Microsoft Skype for Business Network Assessment Tool>NetworkAssessmentTool.exe

Command 2:

C:\Program Files (x86)\Microsoft Skype for Business Network Assessment Tool>NetworkAssessmentTool.exe /connectivitycheck

Output files are stored in user profile “C:\Users\%username%\AppData\Local\Microsoft Skype for Business Network Assessment Tool”

The end goal is to collect these files, but it involves end-user interaction by instructing the user to run the commands,wait for sometime, collect the logs and provide via email or place them in share folder for review.

If you are using the Endpoint Manager tool such as Configuration Manager, this entire process can be automated using PowerShell script and use the scripts feature in ConfigMgr to collect the logs in no time.

How do we use Configuration Manager to automate the process and collect the logs of Network Assessment Tool ?

The scripts in Configuration Manager simplify building custom tools to administer software and let you accomplish mundane tasks quickly, allowing you to get large jobs done more easily and more consistently.

[Note]: Make sure you have the network assessment tool is pre-installed on remote endpoints else this script wont work.

Download the PowerShell script available in Github.

Follow the steps outlined here to create a script in Configuration Manager and use the script from Github.

Hope it helps!

When a Configuration Manager client is installed and configured to use the software updates agent, it will automatically configured with a local Group Policy setting that specifies the Configuration Manager software update point. The Group Policy setting used is the intranet Microsoft update service location, specified as a Windows Update computer administrative template.

The following snippet shows the local group policy setting for the client that is enabled with software update agent.

GPO:

In case you have a local Group Policy setting that is configured with Microsoft update service location which will always be overwritten by an Active Directory Group Policy setting, and this can result in the Configuration Manager client failing to obtain software updates using Configuration Manager.

Jason has written 2 blogs on GPO and software update management, please read the following.

https://home.memftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
https://home.memftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

It is always recommended to create GPO to disable automatic updates and let the software update patching happens through ConfigMgr. This will help you to do the windows update patching in a controlled way.

So until now, you have a good understanding of the software update management and group policy.

One of my customer recently reached out to me and asking for help to block users doing manual windows update process on their devices.

The reason they want to block all available windows update options is that recently Microsoft released an update (KB4577586 ) to remove Adobe flash from windows.

Removing of the adobe flash will impact their applications (legacy) that use adobe flash.

When I have asked customer to send a screenshot of the windows update setting, it has the following.

As you can see above, 1st option, It already has the automatic updates disabled through GPO so there wont be any automatic windows update process but if you look at the 2nd, user still have option to click on ‘Check online for updates from Microsoft update’ and do windows update.

Configuring the GPO ‘Disable automatic updates’ will only help to disable the automatic update schedule that happens every day night around 3AM or so but it will still leave an option for user to click on ‘Check online for updates from Microsoft update’. This process will initiate the windows update, search, download, install and reboot the device.

In the above screenshot, I have a GPO to turn off automatic updates but user can still trigger the windows update using Check online for updates from Microsoft update.

How do we disable/hide ‘Check online for updates from Microsoft update’?

Create a GPO and configure the following setting.

Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings

Turn off access to all Windows Update features = Enabled

Link the GPO to test OU, test the windows store and update functions before deploying the policy to all production machines.

End-results:

The policy will now hide ‘Check online for updates from Microsoft update’ setting.

There is new registry key that gets created with this setting.

Registry Path:
Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess

Hope it helps!

Microsoft Azure Active Directory and Office 365 uses open standards and protocols such as OpenID Connect (OIDC) for authentication and OAuth 2.0 for authorization.

In Azure Active Directory, when a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, these access tokens are valid for one hour, when they expire, the client is redirected back to Azure AD to refresh them. The 1hr time period is long enough and there are possibilities for token exfiltration and other malicious activities can happen.

This is not just a Microsoft issue but an industry wide problem for all OAuth2.0 implementations. Meanwhile by using open standard protocols such as Continuous Access Evaluation protocol (CAEP) as described in  Shared Signals and Events working group and https://openid.net/wg/sse/ Microsoft has tried to address this issue.

So, what does CAE do and how does it help us to prevent such malicious activities?

By implementing the CAE,

• User termination or password change/reset: User session revocation will be enforced in near real time.
• Network location change: Conditional Access location policies will be enforced in near real time.
• Token export to a machine outside of a trusted network can be prevented with Conditional Access location policies.

If your organization identify the risk of token exfiltration and you are not allowing your users to access office 365 resources from non-corporate network, then this is something that you must explore. Especially if you are not on Azure Active Directory Premium plans. P1 or P2. Microsoft will by default enable CAE for tenants that either do not have AAD P1/P2 or no Conditional Access policies are implemented.

Whilst, it is still not very clear from documentation, but our testing reveals that CAE works best with Conditional Access Policies for advanced networking scenarios such as blocking access to entire 365 suite outside corporate network, the traditional way of networking. For zero trust modes you are best off with Conditional Access Policies which provide the most robust access control and CAE only compliments it in scenarios where tokens can be stolen.

A balanced security approach in terms of securing endpoints with an endpoint security solution such as Microsoft Defender along with Windows 10 inbuilt credential theft guard combined can provide an active and sufficient mechanism to prevent credential theft and also can help in detecting it as such. Preventing installation of unauthorized software and avoiding granting local admin access to end users is the best preventive strategy which is age old and must still be practiced. If local admin access has to be granted for special cases, then adequate amount of monitoring has to be in place for such users and their machines.

Again, the scope of this blog is not to write about securing endpoints and hence I will stop here. For more on such setup stay tuned to my blogs as I write more about it in future.

Continuing our discussion on CAE, let’s see how we re-use the cookie that is exported from a corporate connected (secured) device and use the cookie on any BYOD machine connected from any unsecured network locations such as internet.

In my testing (limited set of tools/info), exchange online and SharePoint are the only two office 365 applications that can be prevented from accessing an exfiltered/exported token.

The following demo show you 1) how to export the cookie from corporate device, access o365 from any BYOD device—This is without CAE enabled.

2) Repeat the same with CAE enabled and see the outcome.

1) How to export the cookie from corporate device, use it on any BYOD device (without CAE enabled):

Note: This method bypass all the controls that you have implemented such as conditional access with hybrid azure AD join, Azure AD join, MFA etc.

There are various tools available to export cookie but one of the easiest way to do is, by adding the Editthiscookie plugin to your edge or google chrome browser (if you are allowed on your corporate device).

For more information, please follow the steps how to export the cookie https://samsclass.info/123/proj10/cookie-reuse.htm

Now we have understood how export the cookie and use it on BYOD to access office 365 email/SharePoint without credentials but with the use of cookies.

2) Now, we will apply the CAE to the same user/group that we have used above and see the results.

This method requires you to create named location with your corporate network zones and you need to create conditional access policy as per below.

Create a named location (required AAD P1 and above).

Now create a conditional access policy with access control Block with all network locations except the trusted (named) location that we added in the previous step.

Apply this CAE policy to the users/group who are part of the testing.

Now repeat the steps to export the cookie, go to BYOD device, import the cookie and try to access exchange online or SharePoint, you will be prompted for credential. The credential window is prompted by CAE.

For more information about Azure AD CAE, please read https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation

Microsoft 365 endpoints are the set of destination IP addresses, DNS domain names, and URLs for Microsoft 365 traffic on the Internet.

To optimize performance to Microsoft 365 cloud-based services, these endpoints need special handling by client browsers and the devices in our edge network. These devices include firewalls, SSL Break and Inspect and packet inspection devices, and data loss prevention systems.

By default, there are 3 core services Exchange Online, SharePoint Online & OneDriveForBusiness, and Microsoft Teams. Apart from this, there is a very critical service which is a must needed for Office 365 which is Microsoft 365 Common and Office Online URLs.

These make it a total of 4 core services. These form the core of Office 365 and connectivity principles for these services are very easy to understand and straightforward to implement if all involved parties, the team that supports Office 365; Security Services, and Network Services team come together and implement them as per the guidelines.

There are 3 categories that Microsoft has come up with to establish connectivity principles. These are categorized as Optimize, Allow, and Default. For more information about the categories, please refer https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-network-connectivity-principles?view=o365-worldwide#new-office-365-endpoint-categories

As per Microsoft documentation, Endpoints data is updated at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This will allow customers who do not yet have automated updates to complete their processes before new connectivity is required.

If there are any endpoint URLs that have been changed and if you don’t pick the changes in your infra, there will be an impact to the services for the URLs that have been added.

Manually checking the endpoint URLs and finding what has been changed from its previous version is a very tedious process and you never know when will the changes happen for manual check.

So in this blog post, I will help you, how to monitor the endpoint URL changes and email the URL’s which can help you you to evaluate, configure, and stay up to date with changes.

I have utilized the Microsoft script and made the necessary updates to extract the changes what has happened recently or from its previous version and email it.

we can run this script as a scheduled task once in two weeks and email the changes incase any thing found.

The powershell script does the following:

• Checks the version number of the current Office 365 Worldwide instance endpoints by calling the web service REST API.
• Checks for a current version file at $Env:TEMP\O365_endpoints_latestversion.txt. The path of the global variable $Env:TEMP is usually C:\Users\<username>\AppData\Local\Temp.
• If this is the first time the script has been run, the script returns the current version and all current IP addresses and URLs, writes the endpoints version to the file $Env:TEMP\O365_endpoints_latestversion.txt and the endpoints data output to the file $Env:TEMP\O365_endpoints_data.txt. You can modify the path and/or name of the output file by editing these lines:

PowerShellCopy

$versionpath = $Env:TEMP + "\O365_endpoints_latestversion.txt"

$datapath = $Env:TEMP + "\O365_endpoints_data.txt"

• On each subsequent execution of the script, if the latest web service version is identical to the version in the O365_endpoints_latestversion.txt file, the script exits without making any changes.
• When the latest web service version is newer than the version in the O365_endpoints_latestversion.txt file, the script returns the endpoints and filters for the Allow and Optimize category endpoints, updates the version in the O365_endpoints_latestversion.txt file, and writes the updated data to the O365_endpoints_data.txt file.
•  The script generates a unique ClientRequestId for the computer it is executed on, and reuses this ID across multiple calls. This ID is stored in the O365_endpoints_latestversion.txt file.
• The script checks for the URL’s that has changed from their previous version, write the changes to csv file.
• Email the changes (CSV) file to the recipients.

Download the script (Office365-EndpointURL-Monitoring.ps1) from GitHub and edit the script to update fields such as email, recipients such as To and CC, SMTP details to receive emails. https://github.com/eskonr/MEMPowered/tree/master/Scripts/Office365

Script output:

References:

Office 365 changelog:

https://endpoints.office.com/version/worldwide?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7

For the latest version of the Office 365 URLs and IP address ranges: https://endpoints.office.com/version

I was recently helping out a customer who had issues with wsuscontent folder size which was about 330GB. This folder size usually around 5-6GB if you are not using standalone WSUS or 3rd party updates for patching.

This folder primarily stores the information about.

1. Software update end-user license agreement (EULA).

2. Microsoft patches for windows and other products for standalone WSUS.

3. 3rd party updates In case you have integrated the 3rd party patching tool.

The following is the screenshot for the wsuscontent folder size.

When the customer reported about the wsuscontent size is huge, the following questions were raised.

1. Is it standalone or integrated with Configuration Manager? –-> Integrated with ConfigMgr.

2. Are you using any 3rd party patching tool hence the content download is higher?—>There is a 3rd party pathing tool, it is only Microsoft updates.

From the above questions, WSUSContent cannot be larger. The troubleshooting as follows.

1. Open the WSUS console, options, open Automatic Approvals

There was a default automatic approval rule which was enabled with the rule properties.

What does it do? when the WSUS sync runs, the updates that match with update classification that you have selected will be approved, downloaded to the wsuscontent folder.

This is needed only when you use a standalone WSUS server but not with Configuration Manager.

If you have integrated WSUS server with Configuration Manager, you should un-touch the WSUS MMC from the time you do the initial configuration.

By default, when you integrate WSUS with ConfigMgr, this automatic rule is un-selected.

So someone has made the changes unknowingly which causes the content folder to grow bigger.

How do we fix this now?

1. Since WSUS is integrated with ConfigMgr, we can de-select the automatic approval rule, so there won't be any content download thereafter.

2. To clean up the downloaded content on the WSUSContent folder, we will need to decline all the updates in WSUS console (don't worry, this won't impact your ConfigMgr patching or metadata in ConfigMgr console, you are safe doing it) and run the server clean up wizard.

So go ahead and un-tick the default automatic approval rule and click ok.

To decline all approved updates, click on updates, all updates.

For the approval, select approved, and status: any

you should see the list of updates that are approved which are downloaded as well to the wsuscontent folder.

In my case, there are 636 updates approved.

Select all the updates, right-click, and choose decline.

you will be prompted with the following screen, select Yes.

Depending on the number of updates, it may take sometime.

Once the updates are declined, refresh the page.

Now we will need to clean-up the content stored in the folder.

Now, in the console, click on options, select server clean-up wizard

You will be asked with multiple options to clean up but the first one is our fix to remove the downloaded content.

As you can see, we have now cleaned up around 320GB.

Depending on the number of updates, you may see the MMC console crash but don't worry, try it again and you will get succeed. 

You also have scripts available to perform the clean-up without the MMC crash but UI works fine.

Once the clean-up is done, go back and check the size of wsuscontent, it is now 3.7GB which is normal.

Hope you find this post useful.

Starting in Configuration Manager 2010, we can use OS boot media from SCCM to reimage internet-based devices that connect through a Cloud Management Gateway (CMG). Do note that, this method cannot join the devices to domain but only in a workgroup as there is no domain connectivity for internet-based clients.  This scenario is useful to support remote workers. Though the devices are in workgroup, these can be managed via Configuration Manager for application deployment, patching, and other features that support a client over CMG.

In case of any issues with remote worker windows OS, we can use the OS Boot media (send over USB) to reinstall the windows. All this happens through the cloud management gateway.

For more information about how to do task sequence over the internet using cloud management gateway using the bootable ISO, please refer here.

Prerequisites for boot media via CMG refer here

When i was doing some testing on this feature in my lab, i encountered some issues and i would like to discuss them in this blog post with fix.

My lab is running on HTTP (no PKI) and the CMG server authentication cert is using enterprise cert (On-prem CA). All of my clients are hybrid Azure AD Joined.

So when my clients move to internet, they use hybrid azure AD join for authentication.

As per this guide, I have created boot media that uses CMG as a management point. Since my SCCM is not running PKI infra, I don't have to import any certificate (PKI) into boot image while creating it. you only need it when your site is running on HTTPS (and clients too). The boot image uses a self-signed media certificate ONLY.

When booting the device which is on internet using the ISO that we created above, it failed with error code as listed below.

asynccallback(): winhttp_callback_status_secure_Failure encountered

winhttp_callback_status_flag_invalid_CA

The device is authenticating with my CMG (https://cmcb1.cloudapp.net)  which is using enterprise CA cert.

The boot image that we created is using self-signed certificate which is not enough to authenticate with CMG.

How do we fix this certificate issue for CMG bootable using self-signed certificate?

Since my CMG server authentication certificate using enterprise CA, I will need to have root CA into the boot image. That can be verified from your site properties, communication security.

As you can see above, there is no root CA specified. For a successful task sequence deployment over CMG using boot media, I would need to import the root CA.

To import the cert, click on set, click on start burst, import the cert and click Ok.

Now go back to your task sequence and create new boot media using the self-signed certificate. This time, it will allow you select the task sequence that are deployed to unknown collection and continue from there.

When I choose the task sequence, i hit with another error. The device unable to verify the content located on a distribution point.

I did verified that, the content is distributed to cloud DP and can located in blog storage as well.

After checking my client settings, it was found that, I had custom client settings for CMG and is deployed to collection. This will restrict desktops/servers from receiving the CMG settings.

For unknown clients on internet, you will have to make the changes in the default client settings for CMG.

Edit the default settings, cloud services, choose the CMG settings as listed below.

Once you make the changes in default settings, you don't have to re-create the boot image.

Now go back to the internet device, retry the task sequence.

Client is able to connect to CMG, cloud DP for content download.

Depends on the speed of the internet, the deployment may take time.

Hope it helps!

I had provisioned a windows server 2012 R2 (Yes, it is 2012 R2) and while installing the SCEP client (System Center Endpoint Protection client installation files are picked from current branch 2010), it failed with the following error code.

Setup - Cannot complete the System Center Endpoint Protection installation. An error has prevented the System Center Endpoint Protection setup wizard from completing successfully. Please restart your computer and try again. Error code:0x8004FF91. [8004FF91]

I have tried various command line switches for SCEP client installation but all returned the same error code.

The server was installed with Configuration Manager client 2010 and server is fully patched.

I have also tried removing the configuration manager client, install SCEP. No matter what you do, the SCEP client always fail.

As per the error message, I had rebooted the server and re-rerun the installation but it failed with same error code again.

To troubleshoot further, i looked at the logs located in c:\programdata\microsoft\Micrsoft Security Client\support, found several files in this folder.

EppSetup.log and MSSecurityClient_Setup_4.7.209.0_epp_Install.log reveals the same information that is shown in the UI.

The following is a piece of information that can get it from the log MSSecurityClient_Setup log.

setup CA ERROR  : CryptCATAdminAddCatalog failed with 1062

NIS setup CA ERROR  : InstallNisDriver: InternalInstallCatalog failed with 1603

NIS setup CA INFO   : InstallNisDriver completed with error result 1603

CustomAction InstallDriver returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

CryptCATAdminAddCatalog failed with 1062 –> this leads to the crypto services on the server which is missing.

Open the cmd on the problmatic server and run sc query cryptsvc

The specified service do not exist as an installed service.

How do we get the service running? I have tried registering cryptsvc.dll which is found in C:\windows\system32\cryptsvc.dll but did not help much.

Run sfc /scannow if there are any corrupted files that can fix the issue but nothing help there.

The next trial was to login to server 2012 R2 that had SCEP client and see if the cryptographic service exist or not.

The service was found on a working server. So export the registry key for this specific service and import into the problematic server, reboot it.

The following is the registry of the service.

Export the registry, import into the server, reboot the server.

After login, check if the crypto graphic service exist or not. If available, run the SCEP client installation.

Installation of SCEP client successfully installed and verified that the agent is communicating with Configuration Manager for policies etc.

Hope this helps!

This is quick blog post on how to create device collection for computers that are online and showing the green checkmark.

When a configuration manager client is installed,it will have the following status code indicating the device. For more information about device client status, please refer here

How do we create a collection for clients that are online? 

Collections uses WQL and following is the WQL syntax you can use to create the collection.

we will use wmi class called SMS_CollectionMemberClientBaselineStatus which has the client online status information. This information comes from the client notification that uses BGB/fast channel.

This collection uses sub-selected query.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in
(select resourceid from SMS_CollectionMemberClientBaselineStatus where SMS_CollectionMemberClientBaselineStatus.CNIsOnline = 1)

If your configuration manager is running on 2010, you will have option to preview the results. Click on the play button to see the results before you confirm the changes.

Save the collection and wait for few seconds before the data appear.

Based on the device collection membership, the results get updated.

If you want to create a reports based on the online status, you can refer http://eskonr.com/2016/04/how-to-query-clients-collection-or-ssrs-ssrs-with-online-status-in-sccm-configmgr-1602/

In this blog post, we will see how to use Microsoft Intune to disable the firewall and network protection notifications that pop-up on windows 10 workstation. The use case could be that, if you have POS devices where you need to disable/hide all notifications. We are not disabling the firewall instead it will be notifications ONLY.

To disable the firewall and network protection notifications using Microsoft Intune, we will use configuration service provider (CSP). A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device.

For a supported CSP’s, please refer Configuration service provider reference.

For firewall/network protection, there is CSP which we can use to create a custom device configuration policy in Microsoft Intune and deploy to user group.

From the Microsoft documentation, we can see that, there is setting ‘DisableInboundNotifications’

To create the custom device configuration policy, login to https://endpoint.microsoft.com/

Click on devices, configuration profiles

Click on Create a profile. Choose the platform and profile

Name the configuration profile.

For configuration settings, click on add

we will create 3 settings 1)Domain 2)Private 3) Public. These settings will be applied where applicable.

Domain profile:

Name:DomainProfile/DisableInboundNotifications

OMA-URI:./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableInboundNotifications

Date Type: Boolen

Value: True

Repeat the same for for private and public with following OMA-URI and set Boolean value to true.

Private:./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableInboundNotifications

Public:./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableInboundNotifications

For the assignments, add user security group.

Click Next and create.

End-user experience:

Before the policy was deployed:

After the policy is deployed:

You can check the assignment status in the Microsoft Intune for specific device configuration profile.

Continue Reading:

Add custom settings for Windows 10 devices in Microsoft Intune - Azure | Microsoft Docs

Policy CSP - Windows Client Management | Microsoft Docs

Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. For more information about Co-management, benefits, pre-requisites, licensing, read https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview

When you have windows 10 devices that are Azure AD joined, enrolled to Intune, and also co-managed, these devices would appear in Configuration Manager.

In this blog post, i will show you how to create a collection for Azure AD joined co-managed devices.

When a device is AAD joined and co-managed ( not on-prem domain joined but only the cloud), we will have the tenantID, device ID, domain or group, and other information.

we will use 2 important fields to identify if the device is AAD joined. 1) AADTenantID 2)Resource_Domain_OR_Workgr0

The device should have AADTenantID and should not be in your in domain which means it will be in a workgroup.

we don’t go with workgroup as this is something that can be customizable by the user and can change as per their needs like MyPC etc.

So we will go with the domain. Anything that is AAD and not in the corporate domain (intranet.eskonr) then they fall into the collection.

Create a collection with the following WQL Query using sub selected:

select *  from  SMS_R_System where SMS_R_System.AADTenantID = "4252590E-6F9B-4AA1-AA9F-D7717C111B07" and
SMS_R_System.ResourceId not in (select ResourceID  from  SMS_R_System where SMS_R_System.ResourceDomainORWorkgroup = "INTRANET")

INTRANET is my domain name, if you have multiple domains, you can add so.

Once you paste the query into the query designer, you can click on the play button (green color) to see the list of devices that match with this query.

I have got 1 device that is AAD joined but co-managed.

Hope this helps!

I was recently working on assignment to get the audit logs for list of SharePoint online sites with specific audit activities such as PageViewed, FileAccessed, FileDownloaded,FileDeleted (This can be expanded further based on the needs) and email the data at regular intervals.

For list of audited activities in office 365, https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#audited-activities

For list of page and file activities https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#file-and-page-activities

If you are looking for audit logs (manual), you can do it using security and compliance center. For more information on how to do it using the security and compliance, refer https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#step-1-run-an-audit-log-search

If the ask is repeated on daily/weekly/monthly, you would definitely need an automation.

In this blog post, we will see how to email the audit logs for list of SharePoint online sites for x days on regular basis.

Pre-requisites:

1. You need Exchange online management PowerShell module to be installed.
2. Read access to view the audit logs. (This can be done using exchange online ECP)
3. List of SharePoint online sites that you want to generate the report for.

Once you met the pre-req, we are ready to get the required information.

We will be using a built-in PowerShell cmdlet for getting the audit logs is Search-UnifiedAuditLog

When I started using this cmdlet and generate report for the last 14 days, my results never go beyond 5K. This is because of the resultsize has default value is 100, maximum is 5,000.

To get all audit logs beyond the maximum (500), we will need to split the number of days into smaller chunks and then combine them to one file at the end.

For example, If I am retrieving the data for the last 15 days, I split the duration (15 days) to 5 iterations, each with 3 days and then combine the data into one file. If the usage of the SharePoint sites is higher then you will have to increase the iterations to 1 day for 15 times and combine the data.

-----------
Start date 01/24/2021 12:00:00
End date 01/27/2021 12:00:00
-----------
Start date 01/27/2021 12:00:00
End date 01/30/2021 12:00:00
-----------
Start date 01/30/2021 12:00:00
End date 02/02/2021 12:00:00
-----------
Start date 02/02/2021 12:00:00
End date 02/05/2021 12:00:00
-----------
Start date 02/05/2021 12:00:00
End date 02/08/2021 12:00:00

Since this is going to be completely automated using the task scheduler (1-time task), I will be using an account that has read-access to view the audit logs and encrypt the password into a file to connect to exchange online management.

You will need to edit the script, and provide the details such as email address, smtp, SPO sites, onetime o365 password (At your convenient) and other details.

I have provided all the instructions in the script .

You can download the script from GitHub

Technet Gallery has been there for almost 15 years for community to share scripts, files, utilities, tools etc for Microsoft Products.

With the retirement/closure of Technet Gallery, there are large number of scripts/reports that I have uploaded to Technet for my blog and now am receiving the feedback from the blog readers that they cannot download the files.

When you visit any of my blog post and find a link to Technet for sample download, you will be redirected to https://docs.microsoft.com/en-us/samples/browse/?redirectedfrom=TechNet-Gallery which does not help.

In this blog post, we will see, how to download the samples from Technet Gallery even after the retirement/closure.

1. Find the Technet Gallery URL for the sample that you wish to download. From this blog post, the Technet Gallery URL is: https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-01a44c2d

2.Now append the Technet URL to the following website.

http://web.archive.org/web/20200318065516/TechnetURL

The final URL will be something like the following.

http://web.archive.org/web/20200318065516/https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-01a44c2d

Now right click on the attachment and click on open in new tab.

This will start downloading the sample for you.

I have tried this method for few Technet Gallery samples for my website and it worked.

all the Technet Gallery samples of mine is available at http://web.archive.org/web/20200318141858mp_/https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=User&f%5B0%5D.Value=Eswar%20koneti

you can use this method for any Technet Gallery samples that you find missing and post your feedback in the comments section for alternate options that you know of.

I will try to gather the samples and upload them to GitHub.

I hope you find this post useful.

In Microsoft Endpoint Configuration Manager, To monitor infrastructure and operations, we use the Monitoring workspace in the Configuration Manager console.

One of the common ask in many forums is that how to find who created or modified or deployed certain tasks to users or devices that caused an issue.

when someone deploys something, they would not know it would cause some outage or impact the end-user experience.

When such things happen, you always in search of identifying who did that?.

In this blog post, we will see how to find who deployed or created an assignment for the software update group?

For all these types of auditing, there are status message IDs that I have blogged about and the excel spreadsheet is available in Github for your reference.

If you want to find out who created the assignment for the software update group, there is no built-in way to monitor it in the software update section.

The following is the view of the software update deployment assignment.

As you can see, there is no user ID tagged for the specific update deployment group.

How do we trace it? There are few options for this.

1. Use smsprov.log

2. Use Status Message Queries

3.Use SQL database.

SMSPROV.log is very limited in size and the records get overwritten in just no time and also tedious process to find the right data.

The next available options are with the help of Audit status messages and SQL database.

We can use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to modify. For example, you can run the built-in query for Collections Created, Modified, or Deleted to identify when a specific collection was created, and the user account used to create the collection.

Based on the excel sheet i have shared earlier for status message queries, the following are the status message ID related to software update deployments.

Now we will find out, who created the deployment group for target collection ‘all Mobile devices’ on 3/4/21 using the audit status message queries:

Go to monitoring workspace, click on System status, status message queries

Open All audit status messages from specific site.

Choose the site and time when the deployment was created (3/4/21), Click on OK.

If your deployment was created days or weeks ago, you can choose up to 1 year.

There was so many audit status messages for the specific duration.

we can use the filter with the message ID: 30196 to find the new assignments

Here you will find all the software update deployments that were created.

In the properties section, you will see the following information.

User "INTRANET\eswar.koneti" created updates assignment 16779253 ({65FCC1AD-126D-4D27-991A-F563F8A0CDFE}).

Like-wise, if there are multiple deployments created by the users, how do you find the right deployment that you are looking for?

lets go back to the update deployment in the console and find out the deployment ID that we are looking for.

In my case, the deployment ID for the reporting is:16779253

From the audit status messages, i will filter with message ID:30196 and the description: *16779253* to get the exact information.

we now see who created specific deployment type for the software update group.

How to find the data using SQL management studio or using the database?

Using SQL query, we will need 2 values to search for. 1) Message ID which we know already (30196) and 2) Deployment name.

The following is the SQL query to run against the SCCM database.

select * from vStatusMessagesWithStrings
where MessageID = 30196
and InsStrValue4 like 'Microsoft Software Updates - 2021-03-04 12:54:40 AM'

SQL query is much simpler to find the relevant information.

Hope you find this blog post useful!

I was troubleshooting the client issue for co-management and found that the device was not hybrid Azure AD Joined.

Hybrid Azure AD joined (if your devices are on-prem) is one of the pre-requisites for co-management.

To check if the devices are hybrid Azure AD joined or not, you can open cmd and run dsregcmd /status

If the device is hybrid Azure AD joined, the status for AzureAdJoined=Yes (This field is applicable for both AAD or hybrid AAD).

On the problematic machine, there is no data for the dsregcmd.

For more information about configuring the Hybrid Azure AD joined and troubleshooting, please refer part 1 & Part 2 and the troubleshooting

For device registration process in hybrid azure ad joined task, we usually refer to the event viewer logs located at event viewer/Microsoft/Windows/User Device Registration/Admin

Under this path, there are no logs related to the device registration process.

The device registration process will be initiated by a task scheduler called Workplace Join during the system boot and this task will run with system account.

This task is located under Task Scheduler Library> Microsoft > Windows > Workplace Join > Automatic-Device-Join Task

The task is disabled on the system hence the device registration task did not run.

Enable the task and run it. (Running the task require local admin rights).If you do not have local admin rights, reboot the system, the task will run automatically with system account.

This task is disabled by default on windows 10 workgroup computer but when you join the device to domain, it will be enabled automatically. For some reason, the task did not enable.

If you want to enable the task on all your windows 10 computers, you can make use of GPO

There could be lot of devices with the task scheduler disabled which will impact the co-management enrollment.

How do we identify the device that have Automatic-Device-Join Task disabled?

In SCCM, we can make use of scripts feature, CMPivot or configuration baseline.

In this blog post, i will discuss about 2 options 1) configuration baseline and 2) Scripts.

For configuration baseline, we will use simple PowerShell script to detect the status of the schedule task and the same script can also be used in scripts feature.

In your SCCM, Create a configuration Item and choose the PowerShell script.

you can also use this as scripts and run it on targeted computers or

$status=(Get-ScheduledTask | ? TaskName -eq Automatic-Device-Join | Select State).state
if ($status -eq 'Disabled')
{
write-host "Non-Compliant"
}
else
{
write-host "compliant"
}

If you use scripts feature, running the script on target computer will get you the output status either compliant (enabled) or non-compliant (disabled).

I have uploaded the exported copy of configuration baseline to github.

You can download, import and deploy to your windows 10 collection to check if any devices has this task disabled.

As part of the monthly release updates for Configuration Manager Technical Preview, this month has got Technical preview version 2105 for Configuration Manager is available with some cool features such as enhanced script editing, VM size for CMG, support Center themes (dark and white), client deployment pre-req, powershell release notes.

You can Install this version to update your existing lab and add new features to your technical preview site.

If you want to install/setup  technical preview site in lab, you can download the baseline version of 2103 from https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-endpoint-configuration-manager-technical-preview  and setup the SCCM site.

Technical preview 2105:

ConfigMgr site version: 5.00.9051.1000

ConfigMgr Client version:5.00.9051.1000

Technical preview 2105 features:

Enhanced code editor: This feature allows you to edit the scripts in an enhanced editor and is integrated with SCCM console.You can use script editor feature for viewing or edit the script the scripts the following locations.

• Configuration item
  • Scripts
  • SQL and WQL queries
  • Detection methods
• Application detection scripts
• Query statement properties
• Create script wizard
• Script properties
• Orchestration group
  • pre-installation scripts
  • post-installation scripts
• Task sequence
  • PowerShell scripts
  • Query WMI option

The new code editor supports the following features:

• Editor mode with syntax highlighting and plain text toggle
• Toggle word wrap and line numbers
• Code folding
• Language selection
• Find, Find and Replace, and Go To line number
• Font type and size selection
• Zoom using buttons or with Ctrl + mouse wheel.
• The information bar at the bottom displays:
  • Number of lines and characters in the script
  • Cursor position
  • If the script is read-only
• Persistent settings across instances for the code window, such as code folding, word wrap, and window size.

The following is for application deployment detection method using script:

The code editor has different langue modes.

VM size for CMG:

You can now select the VM size with configuration such as B2S (mostly for lab purpose),A2_V2 as standard vm and if you want higher specs, go for D2_V3.

when you setup a CMG with virtual machine scale set, the default VM size that CMG deploys is Standard (A2_V2) size but you can change the specification during the setup.

Support Center tools in dark and light themes:

The support Center tool that is available in this version comes with 2 themes apart from system default theme.

The installer (SupportCenterInstaller.msi) is available in the EasySetupPayload\4c55e125-ec45-459a-b1eb-06e2f9cb791e\SMSSETUP\TOOLS\SupportCenter

The following tools are part of Support Center:

• Support Center Viewer
• Support Center OneTrace
• Support Center Log File Viewer

One Trace:

Log viewer:

New files added in the client deployment prerequisite:

Starting with this release, Configuration manager client now uses the Microsoft Visual C++ 2015-2019 Redistributable version 14.28.29914.0. This will help to improve stability in Configuration Manager client operations.

For more information about the full set of technical preview 2105, please read through https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2021/technical-preview-2105

The other day, I have powered ON my Configuration Manager lab after long a time to test something on the reporting and found that, the reporting URL does not work.

Browsing the reports URL leads to service unavailable with http error 503, The service unavailable.

I have verified that, the SQL server reporting services is running fine and i have restarted the service as well to check if this works or not but no luck.

I have realized that, there is something seriously wrong and took sometime to troubleshoot further.

The first log to check is srsrp.log (ConfigMgr log) for reporting services located in your configMgr installation directory\logs folder.

The log has the following errors:

The request failed with HTTP status 503: Service Unavailable.

(!) SRS not detected as running

Failures reported during periodic health check by the SRS Server CMserver.domain.name

I have also checked the reporting server configuration manager, everything seems to be fine.

The next is to look at the SQL server reporting services log located in

C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\LogFiles

The log has the following error messages:

configmanager!DefaultDomain!5018!04/04/2021-14:23:28:: e ERROR: Error loading configuration file: The evaluation period for this instance of Microsoft SQL Server Reporting Services has expired.  A license is now required.

appdomainmanager!DefaultDomain!5018!04/04/2021-14:23:28:: e ERROR: Appdomain:1 DefaultDomain failed to initialize. Error: Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The report server has encountered a configuration error.  ---> Microsoft.ReportingServices.Diagnostics.EvaluationCopyExpiredException: The evaluation period for this instance of Microsoft SQL Server Reporting Services has expired.  A license is now required..

AS you can see in the log, the license has expired for SQL server reporting services.

When you install the SQL server reporting services, you will be asked for the trail of 180 days or input the license key of the SQL server.

If you choose trail, then after 180 days, you will have the same issue like mine.

So now, we found that, the license for the SQL server reporting services is expired, how do we activate it now?

The only way that I could find is to reinstall the reporting services.

Run the SQL server reporting services installation wizard (I did 2019), you will see the following options. Choose upgrade, you will be asked for the key to activate it.

Once the installation is completed, wait for the reporting services to check the license status and rebuild the reports (there wont be any changes your default/custom reports) and after sometime, your reporting URL will be up and running.

hope this helps!