Latest Discussions
Block or Prevent user for installing any software without administration permission
Hi, I want to block user permission for installing any software without administrator permission. How do I implement this policy via Intune? Users have M365 E3 license and joined Azure AD. I need an appropriate solution.
Rasel_Ahmed | Apr 26, 2021 | Copper Contributor | 21K Views | 0 likes | 3 Comments

WSUS Sync Failing
Within the last hour or so I have carried out a cleanup of our WSUS and reindexed the database as per this article: https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/

Once complete I re-enabled the SUP schedule and WSUS has not been able to sync since. Our SCCM version is 1702 with the hotfix, hosted on a Server 2012r2 system. WSUS content is within a SQL database.

WCM.log:
"System.Net.WebException: The request failed with HTTP status 403: Target service not allowed.~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)"

WsusCtrl.log does not seem to indicate any proxy related errors:
"No changes - local WSUS Server Proxy settings are correctly configured as Proxy Name ####### and Proxy Port ##"
17K Views | 0 likes | 9 Comments

Connection Error after upgrading to version 2203
On Monday, I upgraded Endpoint Manager to version 2203. Everything appears to be working fine on the server itself. We only have one Endpoint Manager server with SQL collocated. After upgrading the Endpoint Manager console on remote systems, I am having some errors. When I go to the Console Extensions node or the Console Connections under Administration, I receive the following message:

Configuration Manager can’t connect to the administration service
The Configuration Manager console can’t connect to the site database through the administration service on <ServerFQDN>
Verify the following
There’s no certificate on the SMS Provider site system server. Make sure it has a valid PKI or Configuration Manager-generated certificate for the site.

Additionally, it looks like until I’m able to make this connection I can’t update the WebView2 extension, and without that extension the console crashes when I try to access the Windows Servicing and Microsoft Edge Management nodes under Software Library. If I manually import the self-signed certificate from Endpoint Manager (we are not using PKI) into the Trusted People container in the Certificates MMC on the remote systems then the console works correctly. I’d prefer not to band aid this problem but instead fix it.

I’ve tried the following that I found on blog posts to resolve this issue, but all with no success:
- Made sure that “Use Configuration Manager-generated certificates for HTTP site system” is enabled
- Made sure no certificates are blocked in Configuration Manager
- I’ve checked the SSL Certificate on the Default Website and it is the self-signed certificate from Endpoint Manager.
- Turned off Windows Firewall
- Reviewed the SmsAdminUI.log file.

The SmsAdminUI.log file shows the following entries:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Failed to get a response for OData GET request: https://<ServerFQDN>/AdminService/v1.0/ConsoleExtensionMetadata?$filter=IsRequired eq true and IsTombstoned eq false and IsApproved eq true
Could not connect to the AdminService to check for requirements.
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Failed to get a response for OData GET request: https://< ServerFQDN>/AdminService/v1.0/ConsoleExtensionMetadata?$filter=IsApproved eq false
Error getting custom console extensions IDs, versions and names using Admin Service: SSLFailure
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Failed to get a response for OData POST request: https:// <FQDN>//AdminService/v1.0/ConsoleUsageData/AdminService.UpdateConsoleHeartbeat
Microsoft.ConfigurationManagement.ManagementProvider.ODataConnectionException: SSLFailure

At this point, I don’t know where to go next. Any help would be greatly appreciated.
RyanD79 | Jun 16, 2022 | Copper Contributor | 12K Views | 0 likes | 10 Comments

CreateProcessAsUser Error 5 - ServiceUI.exe
Hi All, I've recently updated my SCCM Site version to v1910. Since performing this update I've been having issues with my Upgrade Task Sequence. Previously I've had a command line step in the upgrade task sequence to run a manually built "Windows 10 Splash Screen" using ServiceUI.exe to allow the user to install or postpone the upgrade. This has been issue free until the update to SCCM 1910; since then, when I try to run the task sequence the following step fails with this error. Has anyone got any idea how I can resolve this? Been racking my brain for days now...
Elliot_the_Goose | May 27, 2020 | Copper Contributor | 11K Views | 0 likes | 9 Comments

SCCM Remote Desktop capabilities
Hello, I've been looking into getting SCCM for our organisation. We currently have a Logmein subscription and wondered if SCCM's Remote Control solution will be a good alternative. We also have Office 365 Business Premium licences.

What I'm hoping to achieve with SCCM:
- Remote access to local network devices (I've seen this work from clips online)
- Remote access to remote worker devices. (Devices connected to the domain / Azure AD, but not on the local network)

When I'm accessing remote devices as the administrator, I need UAC access to install applications. Does Remote Control support UAC prompt window? The reason I'm asking, is I was potentially going to use Microsoft Teams with 'Share Desktop' to support end users. However, the UAC prompt window doesn't appear. I haven’t tested with Skype for Business? But I’m trying to get away from using it. OR could this be done with policies being pushed to the remote device?

I would test this myself with the evaluation licence of SCCM. We’re in the process of upgrading our infrastructure currently, so I’m unable to install and test it myself. If anyone could point me in the right direction I would be most grateful.
David Noble | Aug 02, 2018 | Iron Contributor | 11K Views | 0 likes | 3 Comments

Issue setting up the cmg connection point role
Hi! I deployed the cmg connection point role (only) to a new site server (MECM 1910 (5.0.8913.1000)), but the connection point just stayed disconnected from a functioning cmg. The log file sms_cloud_proxyconnector.log showed: "missing role certificate. reload in next cycle" every 60s. I ended up installing the mp role as well on the same server, and the cmg cp started working as intended. The certificate store on the site server has now a "cloud proxy connector" certificate under SMS\Certificates, which wasn't there before I installed the mp role. I've removed the mp role and its prerequisites and the cmg cp is still working. We're using "enhanced http" mode for client communication. Anybody else seen this behavior? Is it not supported to install the cmg cp role independently? Thanks!
Marcel Biebricher | Mar 19, 2020 | Copper Contributor | 10K Views | 0 likes | 3 Comments

UPGRADE_EXPERIENCE_INDICATORS in Resource Explorer
We are seeing that the Config Manager hardware inventory contains the UPGRADE_EXPERIENCE_INDICATORS section which shows data that appears to be about upgrade compatibility to specific builds (with CO21H2 being Windows 11 21H2, for example). Could someone please share what the attributes named Upg Ex Prop and Upg Ex U and the color values they have actually mean? We've seen Red, Orange, Yellow, and Green, but it doesn't appear to be documented anywhere what the attributes or values represent. We would like to use these values for collection membership and Windows 11 Upgrade task sequence deployment, but want to fully understand what they represent.

Note: We have compared these to what is shown in Endpoint Analytics for Windows 11 readiness status. While green has matched Capable and red has matched Not Capable, we're seeing a mix of Capable and Unknown for both yellow and orange. Thank you.
Joe_Friedel | Apr 19, 2022 | Brass Contributor | 9.3K Views | 1 like | 4 Comments

CMG Error in 2006
I am experiencing a lot of errors in the ProxyService_IN_0-CMGService.log file on my production machine. The errors are shown below. We are not using PKI, we use a public wildcard cert for server authentication. I have virtually an exact duplicate setup with a public cert and no errors are being reported in the log files. Whenever I run the CMG Analyzer I get an error at "Check Config setting are up to date" or "Testing the CMG Channel". They will never pass. In my test environment they will pass within about 10 seconds of starting. Could this error be coming from the CMG server itself?

ERROR: Security token validation exception with requesting URL https://xxx.xxx.xxxx/CCM_Proxy_ServerAuth/72057594037927940/CCM_STS. System.IdentityModel.Tokens.SecurityTokenValidationException: System.Security.Cryptography.CryptographicException: CryptVerifySignature failed with HRESULT 0x80090006~~ at Microsoft.ConfigurationManager.CommonBase.SignatureUtilities.ValidateSignature(Byte[] token, Byte[] signature, Byte[] publicKey)~~ at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateCcmAuthHeader(String authHeader, String publicKey) ---> System.Security.Cryptography.CryptographicException: CryptVerifySignature failed with HRESULT 0x80090006~~ at Microsoft.ConfigurationManager.CommonBase.SignatureUtilities.ValidateSignature(Byte[] token, Byte[] signature, Byte[] publicKey)~~ at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateCcmAuthHeader(String authHeader, String publicKey)~~ --- End of inner exception stack trace ---~~ at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateCcmAuthHeader(String authHeader, String publicKey)~~ at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateTokenEx(String token, String tokenHint)~~ at Microsoft.ConfigurationManager.BgbServerChannel.BgbServerReverseProxy.ValidateAuthorizationToken(String authorizationToken, EndpointClientAuthScheme clientAuthScheme, Uri requestUri, IToken& validatedToken, EndpointClientAuthScheme& validatedScheme)
Ronald Lawrimore | Oct 07, 2020 | Brass Contributor | 6.7K Views | 0 likes | 9 Comments

Error with HTTPS/PXE on DP
I am running into an error when trying to load the PXE provider on a DP that has been enabled for HTTPS communication utilizing an internal CA. I have followed all the guides for setting up the PKI environment and certificate requirements for this and have everything configured correctly I think on the DP/MP. Troubleshooting steps have included all the normal stuff: remove DP role, verify that WDS was uninstalled, remove RemoteInstall folder and everything else I could find, all to no avail. The issue looks like it doesn't recognize that the DP is configured for SSL, but it clearly is. Listed below is the section of the SMSPXE.log file that is showing the errors.

================= PXE Provider loaded. =====================
Machine is running Windows Longhorn. (NTVersion=0XA00, ServicePack=0)
Cannot read the registry value of MACIgnoreListFile (00000000)
MAC Ignore List Filename in registry is empty
Begin validation of Certificate [Thumbprint 33FB3DF0E2583F55CE8CFBC0B724FF152A83B22B] issued to server.name'
Completed validation of Certificate [Thumbprint 33FB3DF0E2583F55CE8CFBC0B724FF152A83B22B] issued to server.name '
Using values from 'AllowedMPs' key.
Prioritizing local MP server.name.
Client is set to use HTTPS when available. The current state is 1472.
Not in SSL.
RequestMPKeyInformation: Send() failed.
Unsuccessful in getting MP key information. 80004005.
PXE::MP_InitializeTransport failed; 0x80004005
PXE::MP_LookupDevice failed; 0x80070490
PXE Provider failed to initialize MP connection. Element not found. (Error: 80070490; Source: Windows)
Using values from 'AllowedMPs' key.
Prioritizing local MP server.name.
Not in SSL.
RequestMPKeyInformation: Send() failed.
Unsuccessful in getting MP key information. 80004005.
PXE::MP_InitializeTransport failed; 0x80004005
PXE::MP_ReportStatus failed; 0x80070490
PXE::CPolicyProvider::InitializeMPConnection failed; 0x80070490
PXE::CBootImageInfo::CBootImageInfo: key=
Adding 04900FFC.10
Adding 04900FFF.7
Found new image 04900FFC
Loaded Windows Imaging API DLL (version '10.0.18362.1') from location 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\wimgapi.dll'
Opening image file E:\RemoteInstall\SMSImages\04900FFC\WinPE.04900FFC.wim
Found Image file: E:\RemoteInstall\SMSImages\04900FFC\WinPE.04900FFC.wim PackageID: 04900FFC ProductName: Microsoft® Windows® Operating System Architecture: 9 Description: Microsoft Windows PE (x64) Version: Creator: SystemDir: WINDOWS
Closing image file E:\RemoteInstall\SMSImages\04900FFC\WinPE.04900FFC.wim
Found new image 04900FFF
Loaded Windows Imaging API DLL (version '10.0.18362.1') from location 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\wimgapi.dll'
Opening image file E:\RemoteInstall\SMSImages\04900FFF\WinPE.04900FFF.wim
Found Image file: E:\RemoteInstall\SMSImages\04900FFF\WinPE.04900FFF.wim PackageID: 04900FFF ProductName: Microsoft® Windows® Operating System Architecture: 0 Description: Microsoft Windows PE (x86) Version: Creator: SystemDir: WINDOWS
Closing image file E:\RemoteInstall\SMSImages\04900FFF\WinPE.04900FFF.wim
Begin validation of Certificate [Thumbprint 33FB3DF0E2583F55CE8CFBC0B724FF152A83B22B] issued to server.name '
Completed validation of Certificate [Thumbprint 33FB3DF0E2583F55CE8CFBC0B724FF152A83B22B] issued to server.name '
PXE Provider finished loading.

I need to know how to make it see that it is in HTTPS mode and use that mode to communicate with the MP. I have attached the screen shots of my MP/DP Communication Settings. I have also added an IIS cert to my default website on this same server.
Any help would be greatly appreciated.
John Yoakum | Apr 23, 2020 | Copper Contributor | 5K Views | 0 likes | 0 Comments

How to enroll existing Hybrid-AD joined device with intune for co-management?
Now that v1710 has released, I'm experimenting with Co-management, trying to enroll a test client for it. I went through the wizard in SCCM to configure co-management, setting Automatic enrollment in Intune to Pilot, and selecting a device collection which includes my test computer as the pilot group. In AzureAD I set the MDM User Scope setting to SOME, and selected a security group containing my user account. I've updated the SCCM client on the test computer, and am looking for some sign that it has been enrolled in Intune, but I'm not finding it. In the "Access work or school" settings on the computer, it still just shows connected to our AD domain. (Not sure if that would change...) In our intune console, I don't see that this computer has been added as an enrolled device. If I search in intune under AzureAD devices, I do find this computer listed there, but the Owner and MDM attributes are set to none. Is there something I'm missing when setting this up? At what point should the device be enrolled in intune? How can I verify that it has been enrolled?
Solved | Steve Whitcher | Nov 21, 2017 | Bronze Contributor | 5K Views | 0 likes | 2 Comments