Category Archives: SCCM Current Branch

Sync SCCM CB 1906 Collection membership to Azure AD groups

In the recently released 1906 version for SCCM Current Branch, you can now synchronize collection memberships to an Azure AD Group. This is really useful to take advantage of SCCM’s powerful collection membership queries that we can’t do today in Azure.

For more info, see

In this post I have tested it out in my lab with:

  • Hybrid Azure AD join set up using Azure AD Connect syncing my computers to Azure AD. The devices in my collection have synchronized to Azure AD.
  • Azure AD Tenant added to Azure Services in SCCM and Azure AD User Discovery enabled
  • An existing group already created in Azure AD. I will use this to sync the collection members to

This is a pre-release feature of SCCM Current Branch 1906, it needs to be turned on.


Once the feature has been turned on, you need to go to your Azure AD tenant in Azure Services, and Enable Azure Active Directory Group Sync.


In my test collection, I have some devices that are co-managed and already exist in Azure AD. If you go to the properties of the collection, you will see a tab AAD Group Sync. Click on Add.


Click on Search and then you will be prompted to login to your Azure tenant and then select the existing group in Azure AD.


Click on Apply.


The Azure AD synchronization happens every five minutes. It’s a one-way process, from SCCM to Azure AD.

Otherwise you can manually synchronize the collection to Azure AD, by right clicking on the collection and selecting Synchronize Membership (this is greyed out on collections that don’t have AAD Group Sync enabled)


If I check the group in Azure AD, I can now see my collection members.


CMG – Post to http://.COM/CCM_Proxy_MutualAuth//ccm_system/request failed with 0x87d00231.

Following up on a similar post I did here about requiring Azure AD User Discovery and Active Directory user discovery so Windows 10 machines can communicate over the CMG using Hybrid Azure Active Directory  –

You may run into an issue where a specific Windows 10 client cannot communicate with the CMG. In ccmmessaging.log you will see “Post to http://<CMG&gt;.COM/CCM_Proxy_MutualAuth/<ID>/ccm_system/request failed with 0x87d00231.”

You can run through the CMG Connection Analyzer to confirm that everything is working fine.


Then you realise it is something on the Windows 10 device end.

If you run “dsregcmd /status” and see that AzureAdJoined is set to No, then you know that the device is not Hybrid Azure AD joined, thus it cannot communicate with the SCCM CMG.


This particular machine was put in an OU that was not synced to Azure AD using Azure AD Connect. After moving it in the correct OU and doing another Azure AD Connect Sync (Start-ADSyncSyncCycle -PolicyType Delta) the device can then communicate over the CMG fine.


SCCM Current Branch 1810 – Windows Store for Business

This post will show how you can integrate Windows Store for Business with SCCM Current Branch 1810, to sync applications and deploy WSfB applications to machines like Company Portal app.

Suggested Reading for prerequisites: Manage apps from the Microsoft Store for Business with Configuration Manager

In the SCCM console, go to Cloud Services > Azure Services > Configure Azure Services


Enter in the Name, and then select Microsoft Store for Business and click Next.


If you already have other Azure services configured in SCCM (Cloud Management Gateway for example), then it will automatically pull the server app, then you can click Next. If it doesn’t find a web app, then follow the instructions below.


If it doesn’t find a web app, click on Browse and we will create it.


Click on Create.


Give it a name and sign in to create the web app.


Click on Next.


Enter in a path and select your languages and click Next.


Now we need to login to the Microsoft Store for Business and give the web app we created before permission. Log in to and go to Manage > Settings > Distribute > Add management tool


Enter in the name of the web app that was either created earlier in the Azure Services wizard, or the one that you imported.


Click on Activate.


Back in the SCCM console, select the Microsoft Store for Business and click Sync from Microsoft Store for Business


The sync status should change to Successful.


You can view the WsfbSyncWorker.log for more information.

After a successful sync, you should see your MSfB apps in License Information or Store Apps.


To deploy one of these apps, right click on the app and select Create Application and then follow through the wizard.



The application will then appear in the Applications section. You can now deploy it as normal.


Further reading: Manage apps from the Microsoft Store for Business with Configuration Manager

SCCM Current Branch – Currently logged on user in Console not displaying

One of the new features that came out in SCCM Current Branch 1806 was the ability for the SCCM console to show the currently logged on user.

I had an issue where this field was blank. First thing I checked was that the SCCM client on the device was up to date (1806 or later)

On all clients, in the ccmmessaging.log I noticed:

No reply message from Server. Server may be temporarily down or a transient network error.
Post to http://<mp>/ccm_system_windowsauth/request failed with 0x8000000a.

Then when checking the IIS status codes on the Management Point IIS logs it said:

CCM_POST /ccm_system_windowsauth/request 401.2 (401.2 – Logon failed due to server configuration.)
CCM_POST /ccm_system_windowsauth/request 500.0 (500.0 – Module or ISAPI error occurred.)

This was due to Active Directory User Discovery being disabled in my site.


Once it was enabled and the users were discovered, the errors went away in the ccmmessaging.log and as well as the MP IIS logs. Now the Last logged on username appears in the ConfigMgr console.


SCCM Co-management – MDM enrollment failed with error code 0xcaa9001f ‘Integrated Windows authentication supported only in federation flow.’

Recently I was setting up Co-Management in SCCM Current Branch 1810. I was having issues with clients not being enrolled into Intune.

First I confirmed that the device was Hybrid Azure AD joined (this is a requirement, the device needs to be registered in Azure AD) then when looking at the CoManagementHandler.log file on the client I saw the error:

MDM enrollment failed with error code 0xcaa9001f ‘Integrated Windows authentication supported only in federation flow.’. Will retry in 240 minutes…

I found this error to be misleading. I am using Azure AD Connect with password sync, and not ADFS.


In my case, this error was caused by an enrollment restriction being set that blocked Windows 10 devices from being enrolled.

In Intune ( or in Device enrollment > Enrollment restrictions

In my Default restriction in Properties, then Select platforms, I had Windows (MDM) set to Block.


After allowing Windows (MDM) to Allow, the CoManagementHandler.log said Queuing enrollment timer to fire at 01/15/2019 21:42:19 local time

After trying again it was successfully enrolled into Intune and you can see the Managed By now says MDM/ConfigMgr Agent


SCCM Current Branch – Import Azure Services existing Web Apps to use same Azure subscription for CMG in different SCCM environments

This post will show how you can import the Azure Web Apps in SCCM Current Branch so you can use the same Azure hosting subscription for the CMG for different SCCM Current Branch environments. For example, you might have a Dev SCCM environment and a Production SCCM environment, and you only have one Azure Subscription, but you want to deploy a CMG in both the Dev and Prod environment.

In the SCCM Cloud Management Gateway documentation, there is an FAQ’s section here that says:

Do the user accounts have to be in the same Azure subscription as the subscription that hosts the CMG cloud service?

If your environment has more than one subscription, you can deploy CMG into any subscription that can host Azure cloud services.

This question is common in the following scenarios:

  • When you have distinct test and production Active Directory and Azure AD environments, but one single, centralized Azure hosting subscription
  • Your use of Azure has grown organically across different teams

When you’re using a Resource Manager deployment, onboard the associated Azure AD tenant. This connection allows Configuration Manager to authenticate to Azure to create, deploy, and manage the CMG.

If you’re using Azure AD authentication for the users and devices managed over the CMG, onboard that Azure AD tenant. For more information on Azure services for cloud management, see Configure Azure services. When you onboard each Azure AD tenant, a single CMG can provide Azure AD authentication for multiple tenants, regardless of the hosting location.

In the SCCM console, go to Azure Services, then Configure Azure Services.


Give it a Name, and select Cloud Management Gateway.


Click on Brwose next to the Web app.


You can create a new one, or you can import the existing one. Select Import.


Now open up your Internet browser, go to, then Azure Active Directory, I am using the new preview for App Registrations, so I have selected App registrations (Preview) and selected my Server App that I want to import.


To import this web app, copy the Display Name, Client ID, and Tenant ID.


Also go to Certificates & secrets, and create a new client secret.


Copy the value. We will use this later.


Type in your Azure AD Tenant name, the Tenant ID that you copied earlier, the Application Name, Client ID, Secret Key,  Secret Key Expiry, and the App ID URI. Make sure to click the Verify button to verify that all the information is correct.


Click on OK.


Do the same for the Native Client app. You can follow the instructions above to get the correct values.


Once both apps have been imported, click on Next.


I won’t be enabling Azure AD discovery.


Finish the rest of the wizard and the the Subscription information will be imported so you can deploy the CMG in this subscription.


SCCM 1806 CMG – Hybrid Azure AD – Failed to get CCM access token

When using the Cloud Management Gateway in SCCM Current Branch 1806, with Hybrid Azure AD clients for authentication, you may see the following errors in ccmmessaging.log on the client:

[CCMHTTP] ERROR: URL=https://<cmgname>/CCM_Proxy_MutualAuth/<guid>/ccm_system_windowsauth/request, Port=0, Options=1216, Code=0, Text=CCM_E_NO_TOKEN_AUTH
Failed to get CCM access token and client doesn’t have PKI issued cert to use SSL. Error 0x80004005
Post to https://<cmgname>/CCM_Proxy_MutualAuth/<guid>/ccm_system_windowsauth/request failed with 0x87d00231.


If you then check the logs on the management point, specifically CCM_STS.log, you will see:

AAD user with ID <ID> and SID is not completely discovered
Return code: 403, Description: Un-authorized request, AAD user is not discovered


At the time of writing this post, if you are using hybrid Azure AD for authentication, you need enable both Azure AD User Discovery, and the on-premises User Discovery. You can see in the CCM_STS.log above that it says the Azure AD user is not discovered which causes the 403 error.

Once both user discovery methods have been enabled, the client can authenticate over the CMG.

SCCM 1806 – Third Party Updates Error 13875

Recently when adding a catalog to the third party software update catalogs in SCCM Current Branch 1806 and trying to synchronize, I encountered the error “Unable to create the subscription. The console failed to download <product> from <URL> because of the error code 13875. For more information, see SmsAdminUI logfile.”


The error code 13875 means “Invalid certificate signature“. For more troubleshooting I downloaded the cab file by opening up IE and pasting in the link. Once the cab file was downloaded, I right clicked on the file then properties, clicked Digital Signatures tab:


Then here my issue was that the certificate in the signature could not be verified. I clicked on View Certificate to view more details.


My issue was that on the client server, it was missing some Trusted Root certificates. After these were installed the third party updates could then be synchronized to SCCM Current Branch 1806 without issues.


SCCM 1806 – Third Party Updates

This post will show how you can set up Third Party Updates in SCCM Current Branch 1806 using a catalog from Patch My PC. This is a fresh lab with no certificates or GPO’s configured. We will let SCCM create the Trusted Publisher certificate and take care of it on the clients by configuring the SCCM client settings, and also use the client settings to allow signed updates from an intranet location.

The below set up has the SUP installed on the same server as my Primary Site. My SUP is configured for HTTP mode. SSL must be enabled on the SUP if it is remote. See for further details.

First thing is to enable third party updates, and then let SCCM manage the certificate.


Once this is done, and you sync your software update point, it will then create and install the code signing certificate. You can see this in the wsyncmgr.log


If you open up certlm.msc you can also see the WSUS Publishers Self-signed certificate in the WSUS store.


You can also see this certificate in the Trusted Publishers store as well.


Once the sync has completed, you can see there is now information about the certificate in the third party updates tab of the software update point properties.


Next we will configure third party updates in the client settings. Open up the client settings and select the software updates section, then enable third party updates. This will add a local policy to the clients to allow signed updates from an intranet location, and also install the code signing certificate into the trusted publishers store. There is no need for a GPO to do this.


If you open gpedit.msc on a machine that has received the new policy, and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update, you will see the “Allow signed updates from an intranet Microsoft update service location” is now enabled.


If you doa gpresult /computer you can also see the local policy has set this as well.


You can also see that the code signing certificate has been installed.


Now we need to add our third party update catalogs. You will see in the SCCM console you can right click on Third Party Software Update Catalogs and add a new catalog. In my example I will be adding some Patch My PC catalogs and then syncing them.


Click on View Certificate and then click OK.


Once you have viewed the certificate you can click Next.


Once you have added the required catalogs, you now have to subscribe to them (the catalogs will synchronize automatically every 7 days)


Once the updates have been subscribed to, the catalog will then download. You need to do a sync to import the metadata from the WSUS database into the SCCM database.


Once the sync has finished, go back into your SUP properties, click products, and add the product.


Another SUP sync needs to be done for the metadata to appear.


Once the metadata has appeared from the catalogs we have added, we need to publish them before we can deploy them. You will see the updates download in the SMS_ISVUPDATES_SYNCAGENT.log


After the updates have been published and downloaded, we need to do another sync.


You can see that the icon has changed from the blue metadata, to green, We can now deploy our third party updates to a collection as normal.


On my test client, you can see that it needed some Adobe Acrobat Reader, Google Chrome, and an Oracle Java update.


The updates have installed correctly. We know that the trusted publisher certificate and the allow signed updates from the intranet settings worked successfully.


SCCM Current Branch 1806 – Cloud Management Gateway Improvements

In the recently released version 1806 for SCCM Current Branch there have been a number of improvements to the Cloud Management Gateway (CMG). You might have noticed these in the Technical Previews. More information about  new features can be seen here

Some of the nice new features for the Cloud Management Gateway:

Download content from a CMG – You can now allow the cloud management gateway to function as a cloud distribution point. This is one less cloud service virtual machine running, which saves costs. You can now right click on your cloud management gateway, view the properties, click settings, and check the box “Allow CMG to function as a cloud distribution point and serve content from Azure storage”


Or if you were to deploy a new CMG, you can view the checkbox below.


Trusted root certificate isn’t required with Azure AD – In the screenshot above, you will notice that you aren’t required to provide a trusted client root certificate anymore. This isn’t required when you use Azure AD for authentication.

CMG Connection Analyzer – This was in an earlier technical preview release and will help a lot of people. The Connection Analyzer allows you to troubleshoot connecting to your CMG. In the example below I have signed in as an Azure AD user and tested the connection. This was useful after configuring “Use Configuration Manager-generated certificates for HTTP site systems” in the screenshot below. After checking that box, I was able to leave my management point in HTTP mode and allow CMG traffic, and run through the tests to confirm that everything is working fine.


Use Configuration Manager-generated certificates for HTTP site systems – As mentioned above, this feature is awesome. After checking the box below on your site server, you can leave your management point in HTTP for cloud management gateway traffic, and not have to worry about installing PKI certificates.


Once the checkbox above is enabled, you will see that you can enable CMG traffic on your management point in the screenshot below.


If you also open IIS manager, you will see on the https binding that the SMS Role SSL Certificate is now selected. If you remove this certificate or change it, you will notice that the test in the Connection Analyzer above called Testing the CMG channel for management point will fail.


You will also find a nice Cloud Management dashboard in the Monitoring node to find some stats.