Latest Discussions
SCCM Server fails Windows 11 24H2 upgrade package download
SCCM Server 2403 fails Windows 11 24H2 upgrade package download (both 2024-09B and 2024-10B). Running MP, DP, Site and WSUS database, and several other roles on the same Windows Server 2022 VM. Running SUP/WSUS on another dedicated VM in the same subnet.

When running the ADR, the GUI shows this error message:

    0x87d20417 ADR rule download failed

When downloading the updates manually to a new deployment package, the error message is:

    Failed to download content id 666666666
    Cannot create a file when that file already exists

Here is a sample from the Patchdownloader.log file:

```
Downloading content for ContentID = 18696696, FileName = professional_en-us.esd. Software Updates Patch Downloader 09.10.2024 13:26:50 11808 (0x2E20)
Proxy is enabled for download, using registry settings or defaults. Software Updates Patch Downloader 09.10.2024 13:26:50 11808 (0x2E20)
Connecting - Adding file range by calling HttpAddRequestHeaders, range string = "Range: bytes=0-" Software Updates Patch Downloader 09.10.2024 13:26:50 8052 (0x1F74)
Download file size : 553783259 bytes Software Updates Patch Downloader 09.10.2024 13:26:50 8052 (0x1F74)
Download http://dl.delivery.mp.microsoft.com/filestreamingservice/files/75ac9ad5-f29b-4e95-af3f-8a321bd39b92/public/professional_en-us_98014c58afbd29a57aed4f5eb6819f5cc5bce4a4.esd in progress: 10 percent complete Software Updates Patch Downloader 09.10.2024 13:26:51 8052 (0x1F74)
.......
Download http://dl.delivery.mp.microsoft.com/filestreamingservice/files/75ac9ad5-f29b-4e95-af3f-8a321bd39b92/public/professional_en-us_98014c58afbd29a57aed4f5eb6819f5cc5bce4a4.esd in progress: 90 percent complete Software Updates Patch Downloader 09.10.2024 13:27:00 8052 (0x1F74)
InternetReadFile() return true and pdwNumberOfBytesRead equals to 0, but ulTotalFileRead=553703152 still less than ulFileSize=553783259, treat it as a retriable error. Software Updates Patch Downloader 09.10.2024 13:27:01 8052 (0x1F74)
InternetQueryDataAvailable return code = 183 - Can still retry for 3 times. Will retry in 10 seconds. Software Updates Patch Downloader 09.10.2024 13:27:01 8052 (0x1F74)
```

The same kind of error is logged for several other files related to the upgrade package, but not all. Downloading with the Edge browser on the same machine directly from the URL http://dl.delivery.mp.microsoft.com/filestreamingservice/files/75ac9ad5-f29b-4e95-af3f-8a321bd39b92/public/professional_en-us_98014c58afbd29a57aed4f5eb6819f5cc5bce4a4.esd works fine, so it should not be a connectivity issue. Downloading the Windows 11 23H2 upgrade package works fine. Has anybody else faced the same issue?

two sccm to one tenant intune
I have a number of devices configured in SCCM "A" co-management with an Intune tenant "A". I have a number of devices configured in SCCM "B" co-management with an Intune "B" tenant. Now I need to undo the SCCM co-management "A" and make a new co-management with the Intune tenant "B". What are the risks and process to do this?

joere1200, Sep 10, 2024, Copper Contributor

RSVP - August 29th - Unpacking Endpoint Management talks cloud migration
If you have questions, challenges, or best practices on migrating from on-premises endpoint management to the cloud, please join us live on Tuesday, August 29th at 8:00 a.m. PT for Unpacking Endpoint Management! Senior Program Managers @Danny Guillory and @Steve Thomas (GLADIATOR) will be joined by Aasawari Navathe and Microsoft MVPs TIMOTHY_MANGAN, Ronni Pedersen, and Peter van der Woude, so it's sure to be a lively conversation, and there will be plenty of brain power to help answer your questions.

How can you join?
- Add the event to your calendar.
- RSVP and post your questions early.
- Tune in live at 8:00 a.m. Pacific Time, or catch up on demand!

Hope to see you there!

Heather_Poulsen, Aug 25, 2023, Community Manager

Microsoft Patching is not working until User logon to the newly imaged device
Hi All,

I have a customer that has two separate SCCM and WSUS environments in the same domain, and they use SCCM for OS imaging and WSUS for patch updates. The problem is that the end user has to log on to the device after imaging the OS using SCCM to kick-start the patching process from WSUS. My client's understanding is that it should work without a user logon to the device, since the GPO is targeted to all authenticated users. Please also note that the computer objects and other settings are working without any issues. I would appreciate it if anyone has come across such a behavior and knows of any workaround we can do to kick-start the patching regardless of user login, or is this behavior by design?

Thanks, Dilan

PKI certificate - Management Points IIS
Hi There,

I'm currently setting up PKI and was wondering about the Configuration Manager IIS Certificate. I have two management points: one on the Primary Server (e.g. CMPrimary01.contoso.com) and another management point on another server (e.g. CMMP01). I do the following:

On CMPrimary01:
- Expand Personal > Certificates
- Right-click Certificates > All Tasks > Request New Certificates
- Before you begin > Click Next
- Click "Active Directory Enrollment Policy" > Next
- Select CM DP Certificate and CM IIS Servers Certificate
- Under CM IIS Server Certificate click "More information is required to enroll for this certificate. Click here to configure settings"
- Under Alternative name, select Type = DNS, Value = CMPrimary01.contoso.com and CMPrimary01, and click Add.

Do I add CMMP01 and CMMP01.contoso.com as DNS values as well? Do I need to add the certificates on CMMP01 as well?

Thanks

ConfigManagerIntune, Oct 11, 2022, Copper Contributor

Become a Microsoft Endpoint Configuration Center Ninja
Do you want to become a ninja for Microsoft Endpoint Configuration Manager? We can help you get there! We collected content to get you from endpoint newbie to becoming a MEME "Microsoft Endpoint Manager Expert". The content is structured into three different knowledge levels, with multiple modules: Fundamentals, Intermediate, and Expert. We will keep updating this training on a regular basis and highlight new resources.

Content Coming Soon!

mlarkin, Jul 11, 2021, Microsoft

Securing customSettings.INI
This is my customSettings.INI file used by the MDT/SCCM OSD task sequence gather step:

```ini
[Settings]
Priority=CSettings, Default
Properties=OSInstall, DomainNetBiosName, TimeZoneName,CustomProperty1,CustomProperty2

[Default]
OSInstall=N
SkipCapture=YES
SkipAdminPassword=NO
SkipProductKey=YES
KeyboardLocale=en-AU
SLShare=\\server1.mydomain.local\myLogs$\Logs

[CSettings]
SQLServer=server1.mydomain.local\ps1SCCM
Database=myDBTst
Netlib=DBMSSOCN
DBID=MDTMyCS
DBPwd=myPass
Table=ComputerSettings
Parameters= MacAddress, OSDCOmputerName
ParameterCondition=OR
```

Is there a way to secure DBPwd by either encrypting it or supplying it through a TS variable instead of plaintext? SCCM version CB 1906; MDT integrated.

Animesh Joshi, Jun 03, 2021, Brass Contributor

Tenant attach - 401 error
Hi,

I have recently added Tenant attach to my SCCM server. One PC has successfully been added into Intune, but all remote options are disabled, saying "Device is blocked or unapproved in MECM". On checking both the CMGatewayNotificationWorker and CMGatewaySyncUploadWorker logs, I get a 401 error:

```
<![LOG[Worker CMGatewaySyncUploadWorker failure]LOG]!><time="16:06:46.8307671" date="3-22-2021" component="SMS_SERVICE_CONNECTOR_CMGatewaySyncUploadWorker" context="" type="3" thread="153" file="">
<![LOG[Exception details:]LOG]!><time="16:06:46.8307671" date="3-22-2021" component="SMS_SERVICE_CONNECTOR_CMGatewaySyncUploadWorker" context="" type="3" thread="153" file="">
<![LOG[[Critical][CMGatewaySyncUploadWorker][0][System.Net.WebException][0x80131509] The remote server returned an error: (401) Unauthorized.
   at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d_ 13.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d 11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d 10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.ConfigurationManager.ServiceConnector.DeltaUploadWorkerBase`1.<ProcessRequestQueueAsync>d 31.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.ConfigurationManager.ServiceConnector.DeltaUploadWorkerBase`1.<ProcessRequestQueueAsync>d 31.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.ConfigurationManager.ServiceConnector.DeltaUploadWorkerBase`1.<DoWorkAsync>d 23.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.ConfigurationManager.ServiceConnector.AadServiceConnectorWorker.<DoWorkAsync>d 16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.ConfigurationManager.ServiceConnector.ServiceConnectorWorkerBase.<ExecuteAsync>d_75.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
```

This has been set up for around 5 hours, with the error persisting throughout. I have checked the prerequisites and these are met (I believe). Any other things to have a look at? Some policies are not syncing in Intune, so this may be linked. Any help is appreciated.

Thanks, Conor

Source hierarchy migration to new domain, DP considerations.
Hi fellow professionals,

I am currently doing a source hierarchy migration from 2002 CB to 2002 CB in one forest trust with two domains. I did it in a way so that the new site server mirrors the old one as much as possible, apart from the server OS, which is 2016 as opposed to 2012 in the old environment. There are 4 DPs in the source and I can see they are all eligible for re-assignment; however, my question is: if those servers sit in the old domain but I need to move those servers into the new domain, what would be the best approach? I assume the only way would be to recreate those DPs in the new domain against the new site code? Is there a way to migrate DPs from the source to the new destination DP, or is it a case of introducing the new DPs in the destination hierarchy, ensuring they have the DP role, and then ensuring the content is populated onto that DP before the old one is decommissioned? Also, currently the old DPs are serving PXE for OSD deployment, so I believe before that is done the DHCP or switch helpers will need to point to the new DPs so that process can continue; would that be correct?

I look forward to any responses. Thanks

isotonic_uk, Mar 23, 2021, Brass Contributor

Windows 10 BitLocker Management Options
Introduction:

Starting in version 1910, use Configuration Manager to manage BitLocker Drive Encryption (BDE) for on-premises Windows clients, which are joined to Active Directory. It provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker Administration and Monitoring (MBAM). Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it.

Configuration Manager provides the following management capabilities for BitLocker Drive Encryption:
- Deploy the BitLocker client to managed Windows devices running Windows 10 or Windows 8.1
- Manage BitLocker policies and escrow recovery keys for on-premises and Internet-based clients (Internet-based clients require version 2010)
- Compliance reports
- Administration and Monitoring web site: allows other roles in your organization (for example Help Desk) outside of the Configuration Manager console to help with key recovery, including key rotation and other BitLocker-related support
- User self-service portal: lets users help themselves with a single-use key for unlocking a BitLocker encrypted device. Once this key is used, it generates a new key for the device

Basic requirements:

The general requirements for Configuration Manager to manage BitLocker are:
- Reporting Services Point (for reports)
- HTTPS on the Management Point (for key recovery)
- The self-service portal or the administration and monitoring website require an IIS server; this can be a site system or a dedicated server
- BitLocker management isn't supported on virtual machines (VMs) or on server editions
- Azure Active Directory (Azure AD)-joined, workgroup clients, or clients in untrusted domains aren't supported. BitLocker management in Configuration Manager only supports devices that are joined to on-premises Active Directory. Hybrid Azure AD-joined devices are also supported.

Best practice: Encryption

Encrypt recovery data on the network:
- Required for recovery key escrow
- Uses HTTPS to the Management Point
- Different procedures to enable this capability depending on the CM build

Encrypt recovery data in the database:
- Requires a SQL Server certificate (the certificate must then be managed)
- Option to encrypt only recovery data (recommended) vs the entire site database (may reduce performance by 25%)
- Recovery keys are never deleted; this allows recovery of data from a device that was stolen and later retrieved.
- Each encrypted volume adds up to 9 KB to the site database.

Best practice: Deployment

BitLocker management in Configuration Manager includes the following components:
- BitLocker management agent: enabled when you create a policy and deploy it to a collection
- Recovery service: the server component that receives BitLocker recovery data from clients

Before deploying BitLocker management policies, enable network encryption (required) and data encryption (recommended). Also, make sure that the partitions on the clients are ready to support BitLocker (see slide Best practice: General Deployment).

To create a BitLocker management policy:
- The Full Administrator role in Configuration Manager is needed
- Operating System Drive, Fixed Drive, Removable Drive, and Client Management options are available
- When you create more than one policy, you can configure their relative priority. If you deploy multiple policies to a client, it uses the priority value to determine its settings.
- Starting in version 2006, you can also use Windows PowerShell cmdlets for this task.

Monitoring BitLocker deployment:

Basic compliance statistics about the policy deployment are shown in the details pane of the BitLocker Management node:
- Compliance count
- Failure count
- Non-compliance count

To understand why clients are reporting as not compliant with the BitLocker management policy, non-compliance codes are used. Dedicated client logs can also be retrieved for additional troubleshooting.

Group Policy:

It is recommended not to use any BitLocker Group Policy settings along with Configuration Manager, as the GPOs will override the CM settings and result in unpredictable behavior.

Re-encryption:

If a drive is already encrypted with BitLocker, the CM agent will not re-encrypt the drive, but will evaluate the CM policy against the current settings. If these don't match (for example because of different encryption algorithms), CM will report the device as non-compliant (but the device is still protected). To work around this issue, it is necessary to decrypt the volumes first, then re-encrypt them.

TPM password hash:

Windows 10 does not save the TPM password; this applied to previous versions of Windows.

Co-management:

The Configuration Manager client handler for BitLocker is co-management aware. If the device is co-managed, and you switch the Endpoint Protection workload to Intune, then the Configuration Manager client ignores its BitLocker policy. The device gets Windows encryption policy from Intune. Switching encryption management authorities while maintaining the desired encryption algorithm doesn't require any additional actions on the client. However, if you switch encryption management authorities and the desired encryption algorithm also changes, you will need to plan for re-encryption.

Best practice: BitLocker portals

The BitLocker CM portals must be installed separately:
- User self-service portal
- Administration and monitoring portal (for help desk and admins)

Starting in version 2006, you can install the BitLocker self-service portal and the administration and monitoring website at the central administration site. In version 2002 and earlier, only install the self-service portal and the administration and monitoring website with a primary site database. In a hierarchy, install these websites for each primary site.

HTTPS for these portals is not mandatory, but highly recommended.

You can install the portals on an existing site server or site system server with IIS installed, or use a standalone web server to host them. Their usage is typically low, so the additional load they generate is negligible; there is typically no need to use a dedicated web server, unless this is to honor network segmentation policies.

Portal customizations:

The self-service portal can be customized with a custom notice, your organization name, and other organization-specific information.

Roadmap: On-prem management
- BitLocker Management + CAS/Hierarchy support (2006 release)
- BitLocker Management support over CMG (2010 release)
- Listing on-prem stored BitLocker recovery keys for ConfigMgr tenant attach in the Microsoft Endpoint Management cloud console (CY 2021)

Ibrahem250, Feb 09, 2021, Copper Contributor