All Activity
  1. Today
  2. Introduction

Look out for a new series of blogs from myself and my MVP buddy, Paul Winstanley, as we explore the world of Azure Virtual Desktop (AVD). In the meantime, we have collaborated on a kick-the-tyres exercise to experience the AVD solution via the Microsoft quickstart. This blog post details that experience with a simple step-by-step guide. Microsoft provides the quickstart as a great way to test out an AVD environment with minimal fuss. It will create a small, low-cost environment in approximately 20 minutes.

Prerequisites

To create the environment you will need to meet the following prerequisites:

- An active Azure subscription
- An Entra account with the following roles assigned: Contributor, User Access Administrator
- Some test Entra accounts, for authentication into the AVD environment
- Available quota for your subscription for the Standard_D4ds_v4 virtual machine. If you have insufficient quota then you can increase it: https://learn.microsoft.com/en-us/azure/quotas/per-vm-quota-requests
- Access to the required FQDNs and endpoints in Azure: https://learn.microsoft.com/en-us/azure/virtual-desktop/required-fqdn-endpoint?tabs=azure

What gets deployed during the Quickstart

- A resource group called rg-avd-quickstart-<GUID>
- A virtual network and subnet. The IPv4 address space will be 192.168.0.0/24 and will use Azure-provided DNS servers
- A network security group that is associated with the subnet of the virtual network and uses only the default rules. No inbound rules are required for Azure Virtual Desktop
- A host pool with single sign-on (SSO) enabled
- An Entra-joined session host running Windows 11 Enterprise multi-session with Microsoft 365 apps preinstalled with English (US). The virtual machine is a Standard_D4ds_v4 size virtual machine (4 vCPUs, 16 GiB memory) configured with a standard SSD disk
- An application group that publishes the desktop from the session host
- A workspace

For a complete list of the resources published by the quickstart, take a look at the Microsoft documentation: https://learn.microsoft.com/en-us/azure/virtual-desktop/quickstart?tabs=windows#deployed-resources.

Getting started

The first step is to register the Microsoft.DesktopVirtualization resource provider on your Azure subscription. In the Azure portal, go to your Subscriptions and select the one you will use for this exercise. Select Resource providers from the menu and look for Microsoft.DesktopVirtualization. If this is listed as NotRegistered in your subscription, then click the three dots and select Register as shown below. If it is already listed as Registered then there is nothing else you need to do. Before continuing, ensure that Microsoft.DesktopVirtualization is listed as Registered.

Deploying the quickstart solution

You can find the quickstart solution in the Azure portal by searching for Azure Virtual Desktop and then selecting Quickstart from the menu. Click the Create button to begin the process. You will need to enter specific information on the Basics tab:

- Subscription: Ensure you choose the subscription where you registered the resource provider previously.
- Location: Select the Azure region where you want the AVD resources deployed to.
- Local administrator account: Username: Enter the name for a local administrator. Password: Enter and confirm your password for the local admin.
- User assignment: Select a maximum of two users who will have access to the AVD devices (see screenshot below).

Once all the details have been entered, click Review + create to continue through the quickstart wizard. Ensure you receive a confirmation that Validation passed and click Create. The deployment of the resources will be in progress. If all goes well, Your deployment is complete will be returned.

Connecting to your AVD desktops

You can connect to your AVD desktops via the Windows app, which is available from the Microsoft Store. When it is installed, and one of your allocated users is authenticated to the app, you should see a SessionDesktop item (in addition to any Cloud PCs or other AVDs available to that user). This is your AVD desktop. Click Connect to access it. Once done, you will be prompted to enter your password or MFA details and then asked to Allow remote desktop connection. This message can be suppressed using a list of trusted devices (see https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on for more information). Just to note, you can also alter the display settings for your AVD session by clicking the ellipsis (three dots) and adjusting them. Eventually, you will hit the Windows 11 desktop. Since this is multi-session, your other allocated user can log in and use the AVD desktop at the same time. Note in the screenshot below that the same hostname is in use.

Removing the quickstart services

Once you have used the quickstart, you may wish to clean up the resources, ready for your deeper dive into AVD. To do this, locate your AVD virtual machine under Virtual machines in the Azure portal and click on the device. Click Stop to deallocate the device. You will be prompted to confirm the deallocation; click Yes. Wait until the device reports back as Stopped (deallocated) under its Status. Now we need to remove the resources which were created. In Azure, search for Resource groups and find the one created by AVD. As mentioned, this will have a naming convention of rg-avd-quickstart-<GUID>. Click into the resource group, select all the resources under Overview and then click Delete. You will need to confirm their removal by entering delete in the field below, and you can also select Apply force delete for selected Virtual machines and Virtual machine scale sets, if you so wish. Once done, click the red Delete button. You will then need to confirm the deletion of the resources. Click Delete one more time. The resources will no longer be listed when they are removed. Next, click Delete resource group to remove the quickstart resource group. Enter the name of the resource group to confirm its deletion and click Delete. Once again, confirm by clicking Delete.

I hope this guide gives you a good oversight into how quickly you can test out Azure Virtual Desktop using Microsoft's quickstart option. You can get a VM up and running in no time and experiment with it. As mentioned, we will be taking a deeper-dive look at AVD very soon, so watch this space and keep an eye on the SCCMentor and Windowsnoob websites.
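The same three steps the post walks through in the portal (registering the resource provider, checking vCPU quota for the Standard_D4ds_v4 size, and deallocating and deleting the quickstart resource group afterwards) can be scripted with the Az PowerShell module. This is an added example and not code from the post or from Microsoft; it assumes Connect-AzAccount has already been run, the subscription id and region are placeholders, and the quota family name filter (*DDSv4*) is an assumption about how Get-AzVMUsage labels that VM family.

```powershell
# Added example: Az PowerShell equivalents of the quickstart's portal steps.
# Assumes Connect-AzAccount has already been run. Values below are placeholders.
param(
    [string]$SubscriptionId = '<your-subscription-id>',   # placeholder
    [string]$Location       = 'uksouth'                    # placeholder region
)
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Register Microsoft.DesktopVirtualization if it is not already registered,
#    then wait until every resource type of the provider reports Registered.
$notReady = Get-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization |
    Where-Object RegistrationState -ne 'Registered'
if ($notReady) {
    Register-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization | Out-Null
    do {
        Start-Sleep -Seconds 10
        $notReady = Get-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization |
            Where-Object RegistrationState -ne 'Registered'
    } until (-not $notReady)
}
'Microsoft.DesktopVirtualization is registered.'

# 2. Quota: the quickstart session host is a Standard_D4ds_v4 (4 vCPUs).
#    Assumption: the usage entry for that family contains "DDSv4" in its name.
$family = Get-AzVMUsage -Location $Location | Where-Object { $_.Name.Value -like '*DDSv4*' }
foreach ($u in $family) {
    $free = $u.Limit - $u.CurrentValue
    '{0}: {1} of {2} vCPUs free in {3}' -f $u.Name.LocalizedValue, $free, $u.Limit, $Location
    if ($free -lt 4) {
        Write-Warning 'Fewer than 4 vCPUs free; request a quota increase before running the quickstart.'
    }
}

# 3. Clean-up: deallocate every VM in the quickstart group (Stop-AzVM deallocates
#    unless -StayProvisioned is given), then delete the whole resource group.
function Remove-AvdQuickstart {
    param([Parameter(Mandatory)][string]$ResourceGroupName)
    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
        Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Force | Out-Null
    }
    Remove-AzResourceGroup -Name $ResourceGroupName -Force
}

# List candidate groups first; the post's naming convention is rg-avd-quickstart-<GUID>.
$quickstartGroups = Get-AzResourceGroup | Where-Object ResourceGroupName -like 'rg-avd-quickstart-*'
$quickstartGroups | ForEach-Object { 'Quickstart resource group found: {0}' -f $_.ResourceGroupName }
# Uncomment once you have confirmed the group name is the test environment:
# $quickstartGroups | ForEach-Object { Remove-AvdQuickstart -ResourceGroupName $_.ResourceGroupName }
```

The deletion is left commented out on purpose: the wildcard matches every group using the quickstart naming convention, so confirm the list before removing anything.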
  3. Last week
  4. How did you change the PW for the default datasource used by ConfigMgr? Did you do something like this? Changing ConfigMgr Report Account Password, How do I do it?
  5. Not sure I am following. But all my custom reports and default SSRS reports for the config manager are using the same shared data source.
  6. From a security perspective, on the SQL and SSRS host (which is the same server), I’ve turned on Extended Protection for Authentication (EPA) and SMB signing across the environment. These help block Kerberos attacks like replay attacks and pass-the-ticket attacks across systems. Replay attacks could only happen if someone’s already on the SSRS host or inside the same secure channel. Plus, they’d have to know the complex password for the service account, which I only use for SQL/SSRS stuff. I’ve also blocked RDP access for that account, cutting off a common way attackers move laterally. Also, my SCCM setup uses HTTPS only, so all traffic is encrypted. On top of that, I’m planning to use a different account for client push. That way, if one of my endpoints gets compromised, it limits the damage and keeps my critical service account safe. If you have any suggestions on how I can improve my security posture, I’d really appreciate it.
  7. Yes, you can do that. See this post. https://askgarth.com/blog/adding-an-all-option-to-your-prompt/
  8. So just to be clear, did you change the default ConfigMgr datasource? If so, it will get reset in the future.
  9. Great findings, and glad you got it sorted. Are you sure that, with the changes made, it's going to work security-wise?
  10. Issue Resolved: SSRS Kerberos Authentication Failure Due to Protected Users Group

I successfully resolved the above issue by removing the SSRS service account from the Protected Users security group. During the investigation, I uncovered several critical configuration requirements necessary for enabling Kerberos authentication with a domain-based service account in SSRS.

Key Findings and Configuration Requirements:

- Windows Authorization Access Group: The service account must be a member of the Windows Authorization Access Group to read token information (e.g., user attributes) required for Kerberos delegation.
- Read Access to Active Directory Objects: The service account must have read permissions to the Active Directory users, OUs, and computers it attempts to authorize through SSRS.
- Account is Sensitive and Cannot Be Delegated: This property must be disabled for the service account in Active Directory.
- Delegation Settings (Kerberos Only): The service account must be configured in Active Directory for "Kerberos only" delegation to specific services. Delegation should be strictly scoped to only the required services (if possible).
- Service Principal Name (SPN) Registration: Proper SPNs must be registered for the SSRS service (e.g., HTTP/reportserver.domain.com, MSSQLSvc/reportserver.domain.com, MSSQLSvc/reportserver.domain.com:1433) under the service account.
- SSRS Configuration Settings: SSRS was configured to use Kerberos only by setting the authentication mode appropriately in RSReportServer.config. ExtendedProtectionLevel was also enabled. This is optional but strongly recommended for environments with strict security requirements.

References and Resources:

- Microsoft Docs – Reports Not Run as Expected
- Recast Software – Windows Authorization Access Group, SSRS, and SCCM
- Blake Drumm – How to Change Reporting to Use Kerberos Instead of NTLM
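The findings in the post above are all checkable from a management workstation before anyone touches SSRS, which is useful both for the original failure (Protected Users membership) and for confirming that delegation stays scoped to the listed services rather than unconstrained. The script below is an added example, not code from the poster or from any of the linked articles. It assumes the ActiveDirectory RSAT module is installed, uses placeholder values for the service account name and the report server FQDN, and assumes the default RSReportServer.config path for a recent SSRS release; adjust all three for your environment.

```powershell
# Added example: audit the AD and SSRS prerequisites listed in the post for a
# Kerberos-authenticating SSRS service account. Placeholder values throughout.
param(
    [string]$ServiceAccount   = 'svc-ssrs',                  # placeholder sAMAccountName
    [string]$ReportServerFqdn = 'reportserver.domain.com',   # FQDN used in the post's SPN examples
    [string]$RsConfigPath     = 'C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\rsreportserver.config'  # assumed default path
)
Import-Module ActiveDirectory

$u = Get-ADUser -Identity $ServiceAccount -Properties MemberOf, AccountNotDelegated,
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo',
        ServicePrincipalNames
$groups   = $u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
$findings = [ordered]@{}

# Protected Users forbids delegation of the account, which is the root cause in the post.
$findings['Not in Protected Users']               = ($groups -notcontains 'Protected Users')
# Required to read tokenGroups for the RBAC evaluation SSRS performs.
$findings['In Windows Authorization Access Group'] = ($groups -contains 'Windows Authorization Access Group')
# "Account is sensitive and cannot be delegated" must be off.
$findings['AccountNotDelegated is false']         = (-not $u.AccountNotDelegated)
# "Kerberos only" constrained delegation: no unconstrained delegation, no protocol
# transition ("use any authentication protocol"), and an explicit target list.
$findings['Unconstrained delegation off']         = (-not $u.TrustedForDelegation)
$findings['Protocol transition off']              = (-not $u.TrustedToAuthForDelegation)
$findings['Constrained delegation targets set']   = ($u.'msDS-AllowedToDelegateTo'.Count -gt 0)
$findings['Delegation targets']                   = ($u.'msDS-AllowedToDelegateTo' -join '; ')

# The SPNs the post registers, checked against this account.
foreach ($spn in "HTTP/$ReportServerFqdn", "MSSQLSvc/$ReportServerFqdn", "MSSQLSvc/${ReportServerFqdn}:1433") {
    $findings["SPN $spn registered"] = ($u.ServicePrincipalNames -contains $spn)
}
# A duplicate SPN anywhere in the domain makes the KDC silently fall back to NTLM;
# setspn -X reports "found N group(s) of duplicate SPNs".
$dup = & setspn.exe -X 2>&1 | Select-String -Pattern 'found (\d+) group'
$findings['No duplicate SPNs in domain'] = ($dup -and $dup.Matches[0].Groups[1].Value -eq '0')

# SSRS side: which authentication types are enabled and whether extended protection is on.
if (Test-Path -Path $RsConfigPath) {
    [xml]$rs = Get-Content -Path $RsConfigPath
    $auth = $rs.Configuration.Authentication
    $findings['SSRS AuthenticationTypes']               = ($auth.AuthenticationTypes.ChildNodes | ForEach-Object { $_.Name }) -join ','
    $findings['SSRS RSWindowsExtendedProtectionLevel']  = $auth.RSWindowsExtendedProtectionLevel
} else {
    $findings['SSRS config'] = "not found at $RsConfigPath (run on the SSRS host or adjust the path)"
}

$findings.GetEnumerator() | ForEach-Object { '{0,-46} {1}' -f $_.Key, $_.Value }
```

Run it as a user with read access to the account object; every line should report True (or the expected value) before the RSReportServer.config change is made, so that a later failure can be narrowed to SSRS rather than AD.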
  11. Earlier
  12. Now, given that I am using a password for the shared data source. It should not be trying to delegate. At this point, I am not completely sure how to attack this issue. Any ideas would be greatly appreciated.
  13. Use the native solution to migrate mailboxes, but it requires an additional cross-tenant user data migration license. However, if you are looking for third-party tools for your migration needs, you can use Google to search for a third-party company to get a quote and solution.
  14. Hi Anyweb, I've started noticing an issue with our SSRS reporting portal. When attempting to run certain reports, I receive the following error:

"The DefaultValue expression for the report parameter 'UserTokenSIDs' contains an error: A specified logon session does not exist. It may already have been terminated. (rsRuntimeErrorInExpression)"

At the same time, I'm seeing the following entries in the sccmreporting.log on our SQL server (which also runs SSRS):

08/05/2025 17:11 EnableRbacReporting key exists. Value = 1
08/05/2025 17:11 A specified logon session does not exist. It may already have been terminated.

The timestamps in the logs appear to align with the error, and based on similar reports I've read, these messages seem to be related. Some background on the setup:

- SQL Server and SSRS are running under a domain account (not a domain admin).
- The service account is a member of the Windows Authorization Access Group.
- The service account has read access to the Users container/OU in Active Directory.
- SSRS authentication is configured to use Windows Negotiate.
- The service account has SPNs correctly configured.
- The account is enabled for Kerberos AES encryption (128-bit and 256-bit) in Active Directory.
- The service account is configured for "Trust this user for delegation to any service (Kerberos only)" in AD.
- The SSRS shared data source is configured to use the service account credentials.
- All custom reports and default SCCM reports use the same shared data source.

As a workaround, I disabled RBAC by setting the EnableRbacReporting registry key to 0 on the SSRS server. This resolved the issue and allowed the reports to run properly, effectively forcing SSRS to bypass RBAC. That makes me think the problem may be related to Kerberos authentication or token delegation in some way, but I'm unsure how to proceed further with troubleshooting it. Let me know if you've seen this before or have any guidance on what to look into next.
  15. Hi, I have sent a PM to you. Thanks.
  16. Hi everyone, we are running Microsoft Configuration Manager Version 2403, Site Version 5.0.9128.1000. We always had a working x64 boot image with OS Version 10.0.19041.1. Our ADK Version is 10.0.22621.1. This boot image works on all our devices. Recently we received new hardware, and with our working "old" boot stick we receive the error message "failed to find a valid network adapter". In smsts.log: "GetAdaptersInfo() failed. VerifyNetworkAdapter() failed. 0x800700E8". Since the OS Version of the old boot image doesn't match the ADK version I cannot add drivers, because the tab is missing. I tried to copy the boot.wim of the old working boot image, import it into SCCM, reload the ADK and import the network drivers from the vendor's site, but now when I create an ISO from this new boot image with the NIC drivers, WinPE loads, a white Configuration Manager page is shown and then the client restarts after 20 seconds. I can run the command prompt, but it is rebooting anyway. I tried the boot stick on other prod devices where the old boot stick was working, but the same issue appears as on the new device. I also tried to create a completely new boot image without and with NIC drivers, but the same scenario. I also added storage drivers, but still the same happens. Boot image and drivers are distributed to DPs. I don't want to reload the "old" working boot image so it matches the ADK version, because this is the only boot image that works for us in prod. Any help is appreciated. Thanks! Image (1).jfif
  17. I would try, yes, but can I guarantee no issues? No. If you do get a problem, post here and I'll do my best to help.
  18. Ten years later and I'm running into the same exact issue. How did you get this resolved?
  19. Hi, I have created a new TS for Build and Capture of Windows 11 Build 24H2 using a Workgroup and NOT a DOMAIN. I am using SCCM 2403. It is working and it is creating a WIM file, but my selected Applications did not install with my settings on the following options:

Configure the network
  Join a workgroup
  Workgroup: DOM

Install the Configuration Manager client
  Select the Configuration Manager Client Package package
  Installation Properties: DNSSUFFIX=adamix.domlocal.com SMSMP=evaix.domlocal.com

That is my domain: adamix.local.com. That is my SCCM server: evaix.local.com. If I deploy my same TS without capturing it, it deploys all applications without any issue (by that step I joined the domain). Any idea why I cannot install my Applications? Regards, Nick
  20. yes I am already running SCCM 2403. Do you mean I can go ahead and upgrade it without any issue?
  21. I need that too please share with me
  22. Using CMTrace error lookup, I can see that the error message is actually "RPC server is unavailable". I asked Google (AI) what this could be:

The "RPC server is unavailable" error (0x800706BA) in SCCM (System Center Configuration Manager) typically indicates a problem with communication between the SCCM server and a client machine. This usually stems from network connectivity issues, firewall restrictions, or incorrect service configurations. Here's a breakdown of potential causes and solutions:

1. Network Connectivity Issues
- Verify Network Connectivity: Ensure that the SCCM server and the client machine can communicate over the network. Try accessing the client machine from the server using its hostname or IP address in Windows Explorer (e.g., \\clientname\c$ or \\192.168.1.10\c$).
- Check DNS Settings: Incorrect DNS settings can cause name resolution issues, preventing the server from finding the client. Verify that the DNS settings are correct on both the server and client.
- Time Synchronization: Ensure the time and time zone settings are synchronized between the client and server. Inaccurate time can also cause communication problems.

2. Firewall Restrictions
- Firewall Configuration: Firewalls, both on the client and potentially on the network infrastructure, might be blocking the necessary ports for RPC communication. Specifically, verify that ports 135 (TCP and UDP) and the dynamic RPC port range are open.
- Outbound Traffic Inspection: Some firewalls with outbound traffic inspection capabilities might be blocking RPC traffic. Check if any such rules are in place.

3. Service Issues
- RPC Services: The Remote Procedure Call (RPC) service and other related services, like the "DCOM Server Process Launcher" and "Remote Registry" services, must be running on both the client and server.
- Service Configuration: Ensure that these services are set to start automatically (Automatic) after a system restart.

4. Account Permissions
- User Account Permissions: Verify that the account used for the SCCM connection has the necessary permissions to access the client machine and its resources.
- DCOM Permissions: Check DCOM (Distributed Component Object Model) permissions on the client machine, as they might be preventing the connection.

5. Troubleshooting Steps
- Restart RPC Services: Restart the RPC service on both the client and server to reset its state.
- Reboot the Client: After making configuration changes, reboot the client machine to ensure the changes are applied.
- Use wbemtest.exe: Test WMI connectivity to the client machine using the wbemtest.exe tool. This can help isolate whether the issue is WMI-related or a broader RPC communication problem.
- Deploy Recast Agents: If using Recast Software's Right Click Tools, deploying their agents can help resolve RPC communication issues.

In Summary: The "RPC server is unavailable" error in SCCM is often a network or configuration issue. By systematically checking network connectivity, firewall settings, service states, and account permissions, you can identify and resolve the problem.
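The checklist above (name resolution, clock skew, port 135 plus the dynamic range, the RPC/DCOM/WMI services, and a wbemtest-style WMI probe) can be run in one go from the site server against a suspect client, which is quicker than stepping through it by hand on a dozen failing machines. The script below is an added example and not from the post or the quoted answer; the client hostname is a placeholder. It uses a CIM session over DCOM rather than WinRM on purpose, because DCOM is what goes through the endpoint mapper on 135 and then a dynamic port, so that probe exercises exactly the path that fails with 0x800706BA.

```powershell
# Added example: probe one client for the RPC prerequisites listed in the post.
# $ClientName is a placeholder; run from the site server or an admin workstation.
param([string]$ClientName = 'client01.domlocal.com')

$result = [ordered]@{}

# 1. Name resolution: the server must find the client by name, not just by IP.
$dns = Resolve-DnsName -Name $ClientName -ErrorAction SilentlyContinue
$result['DNS resolves']  = [bool]$dns
$result['Resolved IPs']  = ($dns | Where-Object IPAddress | ForEach-Object IPAddress) -join ', '

# 2. Fixed ports: 135 (RPC endpoint mapper) and 445 (admin share test from the post).
#    The dynamic RPC range (49152-65535 by default) cannot be enumerated port by
#    port; the DCOM session in step 3 is the practical test for it.
foreach ($port in 135, 445) {
    $t = Test-NetConnection -ComputerName $ClientName -Port $port -WarningAction SilentlyContinue
    $result["TCP $port open"] = $t.TcpTestSucceeded
}

# 3. WMI over DCOM, the same path wbemtest.exe uses.
$dcom = New-CimSessionOption -Protocol Dcom
try {
    $cs = New-CimSession -ComputerName $ClientName -SessionOption $dcom -ErrorAction Stop
    $result['WMI over DCOM'] = $true

    # Clock skew via Win32_UTCTime; Kerberos tolerates 5 minutes by default.
    $t = Get-CimInstance -CimSession $cs -ClassName Win32_UTCTime
    $remoteUtc = Get-Date -Year $t.Year -Month $t.Month -Day $t.Day -Hour $t.Hour -Minute $t.Minute -Second $t.Second -Millisecond 0
    $skew = [math]::Abs(([datetime]::UtcNow - $remoteUtc).TotalSeconds)
    $result['Clock skew seconds'] = [int]$skew
    $result['Clock skew under 300s'] = ($skew -lt 300)

    # 4. Services the post names, plus WMI itself: running and set to Automatic.
    foreach ($svc in 'RpcSs', 'DcomLaunch', 'RemoteRegistry', 'Winmgmt') {
        $s = Get-CimInstance -CimSession $cs -ClassName Win32_Service -Filter "Name='$svc'"
        $result["$svc running"]   = ($s.State -eq 'Running')
        $result["$svc automatic"] = ($s.StartMode -like 'Auto*')
    }
    Remove-CimSession -CimSession $cs
} catch {
    $result['WMI over DCOM'] = $false
    $result['DCOM error']    = $_.Exception.Message
}

$result.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
```

If ports 135 and 445 answer but the DCOM session fails, the dynamic range or DCOM permissions are the next thing to look at; if DNS or the fixed ports already fail, the problem sits below SCCM, which matches the switch-versus-phone-port observation in the original question.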
  23. We are a small school district in northern VA. Every summer we wipe and reload all of our Windows PCs so that the students and staff have a fresh PC at the beginning of the year. Each school has a task sequence unique to their building for software programs. All software is being deployed via the package model during the TS. I recently upgraded our server to CM 2503. We do not use Intune, nor do we have any type of cloud presence. We have been imaging PCs this way for years. This issue just started after upgrading to version 2503. We are experiencing a high rate of failure deploying the task sequences. When I look at the smsts logs I am getting error 800706ba. The error happens randomly: one PC will fail on Office 2021, and another will fail on Adobe Reader. There isn't a consistent failure on one specific package. I have tried re-distributing all of my software packages and I have verified that there are no firewalls between the clients and my SCCM server and DPs. We did notice that the Task Sequence fails less frequently on PCs that are directly connected to a core switch. In many of our buildings we have a lack of network drops, so we utilize the Ethernet pass-through on the back of our Cisco phones to provide a connection to the staff PC. If we plug the PC directly into the wall drop instead of the phone, our chances of a successful TS completion are much better, but still not perfect. Again, this is a brand new problem after upgrading to 2503. I have attached a snippet of the smsts log. Obviously this could be network related, but since this just started with the latest version of SCCM, I am just trying to rule out any issues that could be caused by the SCCM environment before I go to my network team. SMStslog.log
  24. Hi, I have seen this info: https://learn.microsoft.com/en-us/intune/configmgr/core/servers/manage/checklist-for-installing-update-2503#early-update-ring Is that correct?
  25. You can upgrade directly to 2503; it's cumulative, so it should contain all the fixes and updates from the previous version. Do check out the official known issues here: https://learn.microsoft.com/en-us/intune/configmgr/core/plan-design/changes/whats-new-in-version-2503 and my take here: https://www.niallbrady.com/2025/04/04/configuration-manager-2503-is-out-350-bugs-fixed/
  26. Hi, at the moment I am running SCCM 2403 with the hotfix. Can I upgrade it directly to the new version 2503 without any issue? Or should I first upgrade to 2409 with its hotfix and then to 2503? Thank you for your help. Regards