Category Archives: SCCM Current Branch

PXE – RequestMPKeyInformation: Send() failed.

I recently applied a hotfix to my SCCM Current Branch environment. When attempting to PXE boot a machine, the smspxe.log reported:

RequestMPKeyInformation: Send() failed.
PXE::MP_InitializeTransport failed; 0x80004005
PXE::MP_ReportStatus failed; 0x80070490
PXE::CPolicyProvider::InitializePerformanceCounters failed; 0x80070002
PXE::MP_LookupDevice failed; 0x80070490


I first tried unchecking the PXE option on the distribution point to remove Windows Deployment Services and then re-enabling PXE support on the distribution point. The issue remained. After more troubleshooting, I tried to open http://fqdn/sms_mp/.sms_aut?mplist in IE and it displayed a 403.4 Forbidden Access error. My management point is not set to use HTTPS.

I checked the IIS logs on my management point and saw consistent 403.4 forbidden access errors on directories such as SMS_MP and ccm_system. In IIS, I checked the SSL Settings on those virtual directories and noticed they were set to “Require SSL”. This is strange because my management point is set to HTTP.

The fix was to uninstall the management point and then reinstall it. Keep an eye on MPSetup.log in your SCCM site server logs for when the MP has uninstalled and then re-add the role.

PXE started working again without any errors.
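The IIS log check described above can be scripted. This is an added example, not code from the original post: it parses W3C-format IIS log lines and summarises 403.4 (SSL required) responses per virtual directory and port. The function name, the sample log lines and the site name in the closing comment are assumptions.

```powershell
# Added example, not from the original post. The log lines below are constructed.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-01-10 03:12:01 10.0.0.5 GET /SMS_MP/.sms_aut mplist 80 - 10.0.0.21 SMS+CCM 403 4 5 15
2018-01-10 03:12:04 10.0.0.5 CCM_POST /ccm_system/request - 80 - 10.0.0.21 ccmhttp 403 4 5 12
2018-01-10 03:12:09 10.0.0.5 GET /SMS_MP/.sms_aut mpcert 80 - 10.0.0.22 SMS+CCM 403 4 5 10
2018-01-10 03:13:30 10.0.0.5 GET /CCM_Client/ccmsetup.cab - 80 - 10.0.0.23 ccmsetup 200 0 0 31
'@

function Get-Iis4034Summary {
    param([string[]]$Lines)
    $fields = @()
    $hits = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column order is defined by the log itself, so read it from the header
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        # 403 with substatus 4 is IIS's "SSL required" response
        if ($row['sc-status'] -eq '403' -and $row['sc-substatus'] -eq '4') {
            [pscustomobject]@{
                VirtualDirectory = ($row['cs-uri-stem'].Trim('/') -split '/')[0].ToUpper()
                Port             = $row['s-port']
                Client           = $row['c-ip']
            }
        }
    }
    # One row per virtual directory and port, with the distinct clients affected
    $hits | Group-Object VirtualDirectory, Port |
        Select-Object Name, Count, @{n='Clients'; e={ ($_.Group.Client | Sort-Object -Unique) -join ',' }}
}

Get-Iis4034Summary -Lines ($sampleLog -split "`r?`n")

# On the management point, the "Require SSL" setting itself can be read with the
# WebAdministration module (the site name 'Default Web Site' is an assumption):
#   Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site/SMS_MP' -Filter 'system.webServer/security/access' -Name sslFlags
```

403.4 responses on port 80 for SMS_MP and CCM_SYSTEM while the management point is configured for HTTP point to the mismatch described above.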


PXE – Not Serviced no advertisements found

At a new client site (SCCM Current Branch 1706), I tried to PXE boot a machine after importing the client MAC address into a collection where the task sequence is deployed, and the smspxe.log was showing:

,  : Not Serviced
,  : device is in the database
,  : no advertisements found

The device was in the database because I imported it as I am not using Unknown Computer support. There was an advertisement targeted to the MAC address as I deployed my task sequence to the collection which the client was a member of.

The actual issue was that the Boot Image was not distributed to the PXE server as it was a new boot image. Once the boot image was distributed the client could PXE boot without issues.

If you run into this issue, check in the console in Monitoring\Distribution Status\Content Status and make sure the Boot Image is on the PXE-enabled DPs that you are using.

Customize Software Center – SCCM 1710

Since Microsoft released SCCM Current Branch 1710, you can now add enterprise branding elements and choose to hide certain tabs in Software Center. This example will show how you can customize Software Center by deploying new custom client settings, and the user experience in a Windows 10 machine.

In the Administration section of the SCCM console, select Client Settings. You can choose to use the Default Client Settings, but I would recommend creating some new custom client settings for any tests, as the Default Client Settings apply to all machines.


Give the custom client settings a name, and select Software Center. Once you check the Software Center box, you will see the settings now appear on the top left.


I have selected Yes next to the arrow, given my company name, and also selected a custom colour scheme, and uploaded a company logo. Note that the maximum dimensions are 100×400 for the logo, and it cannot be larger than 750kb in size. Here you can also choose to hide any tabs you wish.


I will now deploy the custom settings to a collection, and then initiate a machine policy evaluation on my test client. After a few minutes, open Software Center and you will notice the new changes.


This is what my new Software Center looks like. I have not chosen to hide any tabs, but I have selected the custom image on the top left, given the company name (Nhogarth.net) and chosen the custom blue colour.


Co-management – Enabling Co-management SCCM 1710

This post will show how you can enable co-management in SCCM 1710 and how to automatically enroll a Windows 10 1709 machine into Intune (Intune standalone) when it is currently managed by SCCM 1710.

Prerequisites:

  • Configuration Manager version 1710 or later
  • Azure AD
  • EMS or Intune license for all users
  • Azure AD automatic enrollment enabled
  • Intune subscription (MDM authority in Intune set to Intune)

Suggested readings:
Co-management for Windows 10 devices
Enable Windows 10 automatic enrollment
How to configure hybrid Azure Active Directory joined devices

In portal.azure.com then Azure Active Directory, Mobility (MDM and MAM), Microsoft Intune, I have set my MDM user scope to All for automatic Intune enrollment for Windows.


In the SCCM console, in Administration, expand Cloud Services, right click on Co-management to create a new co-management policy.


Sign in with the Intune account


I have set automatic enrollment in Intune to pilot.


Configure the workloads.


I have created a collection called Comanagement Pilot. I have added my test Windows 10 1709 machine managed by SCCM 1710 into this collection.


You can check the Monitoring node and look for the CoMgmtSettingsPilot status. You can see my test machine WIN10MDT has successfully had the co-management policy applied.


Previously, in the Azure Active Directory then Devices blade in portal.azure.com, you could see that my Windows 10 1709 machine was Hybrid Azure AD joined but the MDM was set to None.


Once the policy was applied above, you can see the machine has changed from None under MDM, to Microsoft Intune.


Co-management – Installing SCCM 1710 Client from Intune

With co-management available in SCCM Current Branch 1710, you can install the SCCM client on a Windows 10 1709 Intune enrolled machine (Intune standalone) by creating an app in Intune. This will leverage the Cloud Management Gateway and Azure AD User Discovery. This example post is for a Windows 10 1709 Intune enrolled machine, but you could also use Autopilot with the steps below to get the SCCM client installed as well.

Microsoft lists two paths for co-management. This post is about the second path.

Co-management for Windows 10 devices

https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview

There are two main paths to reach to co-management. One is Configuration Manager provisioned co-management where Windows 10 devices managed by Configuration Manager and hybrid Azure AD joined get enrolled into Intune. The other is Intune provisioned devices that are enrolled in Intune and then installed with the Configuration Manager client reach a co-management state.

Prerequisites:

  • SCCM Current Branch 1710 – https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1710
  • Cloud Management Gateway configured – See https://blogs.technet.microsoft.com/arnabm/2016/12/19/step-by-step-cloud-management-gateway/
  • Azure AD User Discovery configured – See https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/Azure-services-wizard#webapp
  • Cloud Distribution Point – See https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/use-a-cloud-based-distribution-point
  • Windows 10 1709 machine enrolled in Intune and Azure AD joined
  • Management Point with HTTPS enabled for Azure AD user authentication

Firstly, distribute the Configuration Manager Client Package to the Cloud Distribution Point.


Next co-management will be enabled. This will provide the SCCM command line arguments with the correct information to install the SCCM client through Intune.

In Administration section, expand Cloud Services and right click Co-management


Sign in with your Intune account and click Next.


Select the required settings. Copy the command line arguments for later as this will be used in Intune to deploy the SCCM client.


I have set all to Pilot Intune.


I have created a test Pilot Intune collection.


Close the Wizard.


ccmsetup.msi needs to be uploaded from C:\Program Files\Microsoft Configuration Manager\bin\i386 on the SCCM 1710 site server to Intune

In portal.azure.com go to Intune then Mobile Apps, then Apps and click Add.


Browse to the ccmsetup.msi


Fill in the details. You can change the name and other information as you like. For the Command-line arguments, paste in the details that we copied before.


The ccmsetup.msi will then begin to upload. You can view the notification below to see when it has been uploaded.

Click on Assignments and select a group. I created an Azure AD dynamic group for Windows 10 1709 machines and set the app as “Required”.


On the Windows 10 1709 machine, you can do a Sync, and then you can see the SCCM client installing. If you look at the ccmsetup.log file, you will see it start to grab the SCCM client files from the Cloud DP (make sure the client is distributed to the Cloud DP).


When you open up Company Portal now, you will see “Your apps are located in Software Center”. You can see in Software Center my SCCM applications are now appearing.


You can now see the device appearing in the SCCM console as active as it is communicating through the CMG.


SCCM 1706 – Share an application from Software Center

With version 1706 coming out for SCCM Current Branch, one of the new useful features is the ability to give a user a direct link to an application in the Software Center. This can be useful for a scenario such as deploying an application as Available, and providing the users with a direct link to the application in Software Center so the users can choose to install the application if they like.

This post will show a quick demo on how to share the link to Office 365 ProPlus which was deployed as Available.

Open Software Center and click on the application you would like to share. Click the share button.


You can now copy the link below. In my example, I am going to email staff advising them that Office 365 ProPlus is available to install from Software Center. I will email a picture of an Office 365 ProPlus logo and add a hyperlink to the link below in the picture.


Below is a test email I can email staff and add a hyperlink in the image below pointing to the application in Software Center.


When a user clicks on the image above, it will open up the application in Software Center ready to be installed.


SCCM 1706 – Azure AD Discovery

SCCM 1706 was recently released and one of the new features is Azure AD Discovery. This was in Technical Preview 1705. This guide will show how to set up Azure AD Discovery and install the SCCM client on a workgroup machine on the Internet without certificates using the Cloud Management Gateway.

For more information about SCCM 1706 see What’s new in version 1706 of System Center Configuration Manager

In my lab, I already have the Cloud Management Gateway set up. To set up the CMG you can see the documentation here https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway

Once you have installed the 1706 update, expand Cloud Services, then right click on Azure Services and click Configure Azure Services


Select Cloud Management and click Next


Next create the Server and Client Apps. Click Browse on the Web App then click Create.


Enter in an Application Name, HomePage URL and App ID URL. Then Sign in to Azure AD with an admin account and it will create the app for you in Azure.


Select the app and click Ok.


Do the same as above but for the Client App and give it an Application Name and a Reply URL, then sign in to Azure with an Azure admin account. The app will then be created in Azure.


Enable Azure Active Directory User Discovery.


You need to grant permissions on both the client app and server app in Azure, otherwise you will see access denied errors in SMS_AZUREAD_DISCOVERY_AGENT.log.


Login to https://portal.azure.com and go to Azure Active Directory, then App Registrations. Select the app and go to Required Permissions and click Grant Permissions. I did this for both the client app and server app.


Now looking back in SMS_AZUREAD_DISCOVERY_AGENT.log, mine is now successful and has discovered my Azure AD users.


You can view the Azure AD users in the SCCM console in \Assets and Compliance\Overview\Users\All Users

In the example below, you can see that the user is discovered by SMS_AZUREAD_USER_DISCOVERY_AGENT.


In the SCCM console, in \Administration\Overview\Cloud Services\Azure Services, you can also run a full discovery by clicking Run Full Discovery Now, and view information about Azure AD Discovery like the Full Sync Schedule, Delta Sync Interval, and the Last Full Sync/Delta Sync time.


On a Windows 10 Azure AD joined machine, you can install the SCCM client manually without using any certificates. This is useful on Workgroup machines.

You can use the installation command

ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver

For a reference of how to obtain the information above, see https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-cmg-azure#step-4-install-and-register-the-configuration-manager-client-using-azure-active-directory-identity
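Before a ccmsetup command line like the one above is run by hand, or pasted into the Intune app's command-line arguments as in the co-management post, it can be linted. This is an added example, not code from the original post or from Microsoft: the function name, the list of expected properties (taken from the post's own command) and the checks are this example's assumptions.

```powershell
# Added example, not from the original post; the checks are this example's own choices.
function Test-CcmSetupArguments {
    param([Parameter(Mandatory)][string]$CommandLine)

    $switches = @(); $props = @{}
    # Assumes no quoted values containing spaces
    foreach ($token in ($CommandLine -split '\s+' | Where-Object { $_ })) {
        if ($token -match '^/([^:]+)') {
            $switches += $Matches[1].ToLower()              # /switch or /switch:value
        } elseif ($token -match '^([A-Za-z]+)=(.*)$') {
            $props[$Matches[1].ToUpper()] = $Matches[2]     # PROPERTY=value
        }
    }

    $findings = @()
    if ($switches -contains 'nocrlcheck') {
        $findings += 'Warning: /NoCrlCheck is set, so the client skips certificate revocation checks.'
    }
    # Properties used by the post's Azure AD install command
    foreach ($name in 'CCMHOSTNAME', 'SMSSITECODE', 'AADTENANTID', 'AADCLIENTAPPID', 'AADRESOURCEURI') {
        if ([string]::IsNullOrWhiteSpace($props[$name])) {
            $findings += "Error: $name is missing or empty."
        }
    }
    foreach ($name in 'AADTENANTID', 'AADCLIENTAPPID') {
        $parsed = [guid]::Empty
        if ($props[$name] -and -not [guid]::TryParse($props[$name], [ref]$parsed)) {
            $findings += "Error: $name is not a GUID."
        }
    }
    if ($props['AADRESOURCEURI'] -and $props['AADRESOURCEURI'] -notmatch '^https://') {
        $findings += 'Error: AADRESOURCEURI is not an https:// URI.'
    }
    $findings
}

# The command line exactly as printed in the post (AADCLIENTAPPID is blank there)
$cmd = 'ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT ' +
       'CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 ' +
       'SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 ' +
       'AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver'
Test-CcmSetupArguments -CommandLine $cmd
```

Run against the post's command, this reports the /NoCrlCheck warning and the empty AADCLIENTAPPID, which has to be filled in with your own client app ID before use.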