General
7 Topics

AAD devices can't communicate with the CMG
Hybrid domain joined computers can e.g. download software from the CMG but AAD computers can't. The AAD devices have root and intermediate certs via PKI installed and as a test I installed the actual CMG cert (from Windows certificate authority service) on an AAD device and checked that the certificate chain is OK for the device. The root and intermediate certs were also specified when creating the CMG. Connection analyser is green ticks everywhere. The site is HTTPS only and we use certificates on all devices. The CMG has been recreated from scratch using a scale set and with new app registrations, and we use a CNAME DNS entry to map to the Azure CMG DNS name. The devices appear to install OK via Autopilot co-management using this script:

CCMSETUPCMD="CCMHOSTNAME=ourcmg.company.com/CCM_Proxy_MutualAuth/xxx57594037927xxx SMSSiteCode=555"

The main errors are these in CcmMessaging.log:

Failed to get CCM access token while token auth is required. Error 0x87d00231
[CCMHTTP] ERROR: URL=https://ourcmg.company.com/CCM_Proxy_MutualAuth/xxx57594037927xxx/ccm_system/request, Port=443, Options=448, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE
Post to https://ourcmg.company.com/CCM_Proxy_MutualAuth/xxx57594037927xxx/ccm_system_windowsauth/request failed with 0x87d00231.

Thanks for any ideas - the case has been with Microsoft support for weeks and no answer as yet.

710 views, 0 likes, 1 comment

Microsoft Patching is not working until User logon to the newly imaged device
Hi All, I have a customer that has two separate SCCM and WSUS environments in the same domain, and they use SCCM for OS imaging and WSUS for patch updates. The problem is that the end user has to log on to the device after imaging the OS using SCCM to kick-start the patching process from WSUS. My client's understanding is that it should work without user logon to the device, since the GPO is targeted to all authenticated users. Please also note that the computer objects and other settings are working without any issues. I would appreciate it if anyone has come across such a behaviour and there is any workaround that we can do to kick-start the patching regardless of user login, or is this behaviour by design?

Thanks, Dilan

553 views, 0 likes, 0 comments

Connection Error after upgrading to version 2203
On Monday, I upgraded Endpoint Manager to version 2203. Everything appears to be working fine on the server itself. We only have one Endpoint Manager server with SQL collocated. After upgrading the Endpoint Manager console on remote systems, I am having some errors. When I go to the Console Extensions node or the Console Connections under Administration, I receive the following message:

Configuration Manager can’t connect to the administration service. The Configuration Manager console can’t connect to the site database through the administration service on <ServerFQDN>. Verify the following: There’s no certificate on the SMS Provider site system server. Make sure it has a valid PKI or Configuration Manager-generated certificate for the site.

Additionally, it looks like until I’m able to make this connection I can’t update the WebView2 extension, and without that extension the console crashes when I try to access the Windows Servicing and Microsoft Edge Management nodes under Software Library. If I manually import the self-signed certificate from Endpoint Manager (we are not using PKI) into the Trusted People container in the Certificates MMC on the remote systems, then the console works correctly. I’d prefer not to band-aid this problem but instead fix it. I’ve tried the following that I found on blog posts to resolve this issue, but all with no success:

Made sure that “Use Configuration Manager-generated certificates for HTTP site system” is enabled
Made sure no certificates are blocked in Configuration Manager
Checked the SSL certificate on the Default Website; it is the self-signed certificate from Endpoint Manager
Turned off Windows Firewall
Reviewed the SmsAdminUI.log file

The SmsAdminUI.log file shows the following entries:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Failed to get a response for OData GET request: https://<ServerFQDN>/AdminService/v1.0/ConsoleExtensionMetadata?$filter=IsRequired eq true and IsTombstoned eq false and IsApproved eq true
Could not connect to the AdminService to check for requirements.
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Failed to get a response for OData GET request: https://< ServerFQDN>/AdminService/v1.0/ConsoleExtensionMetadata?$filter=IsApproved eq false
Error getting custom console extensions IDs, versions and names using Admin Service: SSLFailure
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Failed to get a response for OData POST request: https:// <FQDN>//AdminService/v1.0/ConsoleUsageData/AdminService.UpdateConsoleHeartbeat
Microsoft.ConfigurationManagement.ManagementProvider.ODataConnectionException: SSLFailure

At this point, I don’t know where to go next. Any help would be greatly appreciated.

12K views, 0 likes, 10 comments

Resource Explorer Shows Wrong Timestamp for Workstation Status
In Resource Explorer for a PC, the timestamp for Workstation Status is 7 hours earlier than the time it actually occurred. Correspondingly, Time Zone Offset is -420 minutes. This change seems to have coincided with the update to Configuration Manager 2207. I'll install Configuration Manager 2211 and see if the issue is resolved.

Solved. 1.1K views, 0 likes, 3 comments

Securing customSettings.INI
This is my customSettings.INI file used by the MDT/SCCM OSD task sequence Gather step:

[Settings]
Priority=CSettings, Default
Properties=OSInstall, DomainNetBiosName, TimeZoneName, CustomProperty1, CustomProperty2

[Default]
OSInstall=N
SkipCapture=YES
SkipAdminPassword=NO
SkipProductKey=YES
KeyboardLocale=en-AU
SLShare=\\server1.mydomain.local\myLogs$\Logs

[CSettings]
SQLServer=server1.mydomain.local\ps1SCCM
Database=myDBTst
Netlib=DBMSSOCN
DBID=MDTMyCS
DBPwd=myPass
Table=ComputerSettings
Parameters=MacAddress, OSDComputerName
ParameterCondition=OR

Is there a way to secure DBPwd by either encrypting it or supplying it through a TS variable instead of plaintext? SCCM version CB 1906; MDT integrated.

958 views, 0 likes, 0 comments

Migrating from SCCM to another deployment tool
My work was in the process of migrating to SCCM, but for a few reasons has decided to retire SCCM from our environment. We still have the previous tool in place, so that tool is fully functional. Is there a best practice on the order of how to retire SCCM from an environment?

Thanks, Jeff

1.1K views, 0 likes, 2 comments

New feedback system for Configuration Manager docs
Starting today, the Configuration Manager doc library is using a new feedback system. The feedback section of all articles is now integrated with GitHub Issues. For more information about this change, see the docs platform blog post. Read about it in the Enterprise Mobility + Security blog.

1.4K views, 1 like, 0 comments