
All Activity


  1. Yesterday
  2. You may have already seen Part 2 of this series where you can automate BitLocker encryption in Intune using supplied MSIs, which contain logging, reboot prompt and other features. I've put together this video to show you how you can test the PowerShell scripts contained within the two MSIs here. This allows you to test the scripts outside of Intune, and when you are happy with the results you can re-package them and deploy the MSI via Intune.

    The video shows you how to use PsExec to start a process (in this example it's CMD.EXE) as SYSTEM.

    psexec.exe /s /i cmd.exe

    After starting the cmd prompt as SYSTEM, you can launch PowerShell. Next, browse to the folder where the scripts are, by default it's C:\Program Files (x86)\BitLockerTrigger, and launch Enable_BitLocker.ps1.

    After the TriggerBitlocker MSI is installed by Intune on a Windows AutoPilot enrolled device, the PowerShell script will run via the Scheduled Task as SYSTEM, so this method of testing is a valid way to verify any changes you add to the PowerShell script before repackaging it as an MSI.

    To see the video click below, have a look and happy troubleshooting.

    cheers
    niall
  3. It's working now, and I've added the updated USER MSI to the original blog post. Please download and test; it works fine for me. You can see a video of how to test it yourself outside of Intune here.

    cheers
    niall
  4. Last week
  5. I am getting similar messages but using only HTTP:

    Failed to get client version for sending state messages. Error 0x8004100e ccmsetup 1/18/2018 2:53:01 PM 14988 (0x3A8C)
    [] Params to send '5.0.8577.1000 Deployment Error: 0x80004004, ' ccmsetup 1/18/2018 2:53:01 PM 14988 (0x3A8C)
    Sending Fallback Status Point message to xxxxxxxxxxx', STATEID='306'. ccmsetup 1/18/2018 2:53:01 PM 14988 (0x3A8C)
    <ClientDeploymentMessage ErrorCode="-2147467260"><Client Baseline="1" BaselineCookie="" Platform="2" Langs=""/></ClientDeploymentMessage> ccmsetup 1/18/2018 2:53:01 PM 14988 (0x3A8C)
    sending with winhttp failed; 80072ee2 FSPStateMessage 1/18/2018 2:53:22 PM 14988 (0x3A8C)
    State message with TopicType 800 and TopicId {4F42D607-E268-4796-A9A9-F294192C52D1} has been sent to the FSP FSPStateMessage 1/18/2018 2:53:22 PM 14988 (0x3A8C)
    Failed to connect to policy namespace. Error 0x8004100e ccmsetup 1/18/2018 2:53:22 PM 14988 (0x3A8C)
    Failed to revoke client upgrade local policy. Error 0x8004100e ccmsetup 1/18/2018 2:53:22 PM 14988 (0x3A8C)
    'Configuration Manager Client Retry Task' is scheduled to run at 01/18/2018 07:53:22 PM (local) 01/19/2018 12:53:22 AM (UTC) time with arguments ' /RetryWinTask:1'. ccmsetup 1/18/2018 2:53:22 PM 14988 (0x3A8C)
    Folder 'Microsoft\Microsoft\Configuration Manager' not found. Task does not exist. ccmsetup 1/18/2018 2:53:22 PM 14988 (0x3A8C)
    Successfully created task 'Configuration Manager Client Retry Task' ccmsetup 1/18/2018 2:53:22 PM 14988 (0x3A8C)
    CcmSetup failed with error code 0x80004004 ccmsetup 1/18/2018 2:53:22 PM 14988 (0x3A8C)
    MapNLMCostDataToCCMCost() returning Cost 0x1 ccmsetup 1/18/2018 2:59:03 PM 5776 (0x1690)
    GET 'HTTP://xxxxxxxxx/CCM_Client/ccmsetup.cab' ccmsetup 1/18/2018 2:59:03 PM 5776 (0x1690)
    Failed to send HTTP request. (Error at WinHttpSendRequest: 0x80072ee2) ccmsetup 1/18/2018 2:59:24 PM 5776 (0x1690)
    Next retry in 10 minute(s)... ccmsetup 1/18/2018 2:59:24 PM 5776 (0x1690)
  6. I have an Automatic Deployment Rule set up to deploy EP updates and I followed the guide here when I created it. The size of it is 2.5GB though. Is there a way to cut the size down and/or not have it keep so many expired updates in it? It seems to keep updates for about 10 days before it clears them even though they are expired. How do I limit the number of days' worth it keeps?
  7. So the purpose of this thread is directly related to my issue in TechNet Post, but I justified that it deserves a separate post of its own.

    To summarise the problem, I have extended the scope of our SCCM to cover another domain, in which it has no problems deploying applications/updates to desktops, but with servers it is only deploying applications and not software updates (although they are detected under UpdatesDeployment.log and UpdatesHandler.log).

    Before I continue, Boundaries and Boundary Groups are configured and working, as some of the working desktops fall in the same IP range as the servers that are not working. For example:

    Boundaries IP Range: -
    Boundary Group: All DPs/MPs
    Working Desktop IP:
    Non-Working Server IP:

    Non-Working Client - ContentTransferManager.log

    CTM job {339D9C5D-6CB3-45F4-9789-D30018436A4D} entered phase CCM_DOWNLOADSTATUS_WAITING_CONTENTLOCATIONS
    Queued location request '{5B8ADECB-DD78-46A2-B6C2-F1E4013F8AB9}' for CTM job '{339D9C5D-6CB3-45F4-9789-D30018436A4D}'.
    CCTMJob::UpdateLocations - Received empty location update for CTM Job {339D9C5D-6CB3-45F4-9789-D30018436A4D}

    Working Client - ContentTransferManager.log

    CTM job {EDCAE134-0282-48B6-AF28-7E673DC79A49} entered phase CCM_DOWNLOADSTATUS_WAITING_CONTENTLOCATIONS
    Queued location request '{2FDD4693-2C59-4E9E-A467-15F9BBD6BFF8}' for CTM job '{EDCAE134-0282-48B6-AF28-7E673DC79A49}'.
    Persisted locations for CTM job {C3E0349C-691D-4FD0-A356-7402098F0AFB}:
    (LOCAL) http://SCCM_SERVER#/SMS_DP_SMSPKG$/d5b73f6c-662f-47c7-a6c6-5e495f0297ef
    (LOCAL) http:// SCCM_SERVER#/NOCERT_SMS_DP_SMSPKG$/d5b73f6c-662f-47c7-a6c6-5e495f0297ef
    (LOCAL) http:// SCCM_SERVER#/SMS_DP_SMSPKG$/d5b73f6c-662f-47c7-a6c6-5e495f0297ef
    (LOCAL) http:// SCCM_SERVER#.SMS_DP_SMSPKG$/d5b73f6c-662f-47c7-a6c6-5e495f0297ef
    (LOCAL) http:// SCCM_SERVER#/SMS_DP_SMSPKG$/d5b73f6c-662f-47c7-a6c6-5e495f0297ef
    (LOCAL) http:// SCCM_SERVER#/SMS_DP_SMSPKG$/d5b73f6c-662f-47c7-a6c6-5e495f0297ef

    I want to trace each granular step of this entire process to the point where I can see the CTM job {EDCAE134-0282-48B6-AF28-7E673DC79A49} entered phase CCM_DOWNLOADSTATUS_WAITING_CONTENTLOCATIONS job request on the server, and hopefully whatever the server is doing that causes it to send no DPs back to the client requesting this. I can't seem to find the root cause of this issue and really need to make some progress as it's already behind schedule and Management are waiting on me on this problem.
  8. Intel AMT password

    Actually it wasn't resolved. I was told to put it on the back burner for now so it gives me more time to research.
  9. I posted this on TechNet already, but as I'm still experiencing the issue I'm posting here as well.

    https://social.technet.microsoft.com/Forums/en-US/536377e1-b387-40e8-b40f-6e39ca0eacd2/client-doesnt-retrieve-dp-list-received-empty-location-update-for-ctm-job?forum=configmanagersecurity#cc043ccc-4572-4165-ab67-287bae2c7728

    I’ve been bashing my head on this issue for some time now, and trawled through many, many posts on the Internet without being able to resolve my issue.

    Background

    We have a working SCCM setup on Domain1. Recently I pushed out Domain1’s agent to all Domain2 computers and servers via a PowerShell script with explicit install parameters; this is all fine. Patching and Software deployments are working on all the test desktops I’ve deployed on, so this is a checkpoint for me as I know that MP/DP/BITS (firewall ports) connectivity is all working fine.

    On the server I’m testing on with Software Updates I get the following:

    UpdatesStore.log – Recognises software update deployments and missing updates are returning the correct Status = Missing entry in the log.

    UpdatesDeployment.log – Acknowledges the above with “EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 1”

    Further down the log, I get this error being flagged. I cannot determine if this is a red herring or not, but this post references the exact error and MS has dismissed it as not having any functional impact to SCCM.

    Failed to get SDM CI for update (Site_E0302A3C-FCA2-434A-8822-A1806E8739D3/SUM_96d2119c-c85d-4490-b58c-927d2ebe297c) from type store, error = 0x80070002

    https://social.technet.microsoft.com/Forums/windows/en-US/e5a3a864-2d0c-40be-b7c7-d27b48bee17c/failed-to-get-sdm-ci-for-update-from-type-store-error-0x80070002?forum=ConfigMgrCompliance

    I never see any entries for the “CIStateDownloadingPercent” at all though, so it never even attempts to download, which leads me onto ContentTransferManager.log.

    ContentTransferManager.log

    CCTMJob::UpdateLocations - Received empty location update for CTM Job {D6A97A39-6FE4-4524-BFAD-7AE24F2A1019}

    WUAHandler.log – Correct SCCM server set as WSUS source. “Existing WUA Managed server was already set”.

    LocationServices.log - Correct SCCM server set as WSUS Path.

    Boundaries and Boundary Groups

    I’ve configured IP Range Boundaries which cover the IP of the server in question. Additionally I have subsequently added Active Directory Site Boundaries as well, with no difference. The IP Range and AD Site Boundaries are members of the Boundary Group which is referencing our MPs and DPs on Domain1.

    Deployment Package and DP

    These are always at 100% compliance state before I reinitiate scans on the server having the issue. Additionally, I've successfully tested an application deployment to the affected server and this was deployed fine, and the source files reside in the CCMCACHE folder, which is even more confusing!

    Need some guidance on what else to check or look out for please. I keep getting pointed back to Boundary Group definitions, which makes sense, but I've checked this over and over again, and there is only so much validation I can do on an IP address; I even ran a PS script on the site server to see what Boundaries the affected IP falls under and of course, it returned the Boundaries I defined.
  10. Intel AMT password

    If you found an answer then post it to help others.
  11. Is there seriously no one that knows anything about SCCM Alerts? I've looked everywhere on the web and can find nothing to indicate what we should be doing with SCCM alerts once they have triggered - do you all just live with them cluttering up the alerts dashboard?
  12. Hello. We have SCCM 1710 with the SUP role configured. We have a lot of Windows 7 and 8.1 computers and we are migrating them to Windows 10 1709. Recently we noticed that SCCM clients are getting updates from both the SCCM SUP and Windows Update Internet locations. We tried to configure a GPO to prevent updates from the Internet but clients are still connecting to the Internet. Is it possible to turn off Internet updates for SCCM clients completely? Please help, because the network team is going mad! Thanks in advance.
  13. Hi, has anyone had luck updating HP BIOS laptops that are BitLocker encrypted?
  14. Intel AMT password

    You can disregard this question
  15. Hello, what are some limitations that Intune has versus SCCM? Is there a list of tasks or policies I cannot do with Intune and for which I would need SCCM? A website, or a list if someone has one, would be helpful. Thanks
  16. Hello, Is there a way to deploy Skype for Business Basic (O365 Click-to-Run) during an Operating System Deployment task sequence? I'm able to deploy O365 Pro Plus with OSD. But if I include Skype in the configuration xml file, the application will not install. I broke Skype out into its own package with its own configuration xml and it still won't install during OSD. Can anyone provide some pointers on how to get this done, please?
  17. Does anyone know the best way to do this? Any advice would be much appreciated!
  18. I have configured a number of Malware alerts in SCCM CB and have tested them against a test client which I infected with the EICAR test file. The configured alerts all trigger as expected and fire off emails to the addresses I have specified - which is great. However once triggered these alerts seem to remain in a state of 'Active' under 'Monitoring' > 'Overview' > 'Alerts' > 'All Alerts' / 'Active Alerts' despite the malware being successfully removed from the client via Endpoint Protection and the client reporting a remediation status of 'Cleaned' back to SCCM. I can see no way to dismiss these alerts or manually mark them as resolved - what do I do with them and should they automatically change state once the issue that triggered them has been resolved? It's been over 48 hours since the Malware was detected (and removed) by Endpoint and the alert triggered in SCCM.
  19. Is there a way to change the AMT password on laptops using SCCM? Trying to figure out a way to get ahead of this Intel security issue.
  20. How do you append to the file? I have created another copy of the file and added the new part to the end of the file and saved it. When I try to overwrite the existing configuration.mof, it does not allow me to do so.
  21. Introduction

    Yesterday I needed to deploy a new Windows 10 version 1709 Virtual Machine using Windows AutoPilot, with a user that did not have Administrative permissions on that Virtual Machine, so I created the profile in Windows AutoPilot in the Microsoft Store for Business and reset my virtual machine. After working my way through the Windows AutoPilot OOBE (out of box experience) screens, I was presented with a “Something went wrong” error shown below.

    This error can occur just after entering your password and should be the point where the device is set up and auto-enrolled into MDM (if you have that option enabled and have Azure AD Premium). I decided to document the things I needed to check in order to resolve the issue to help others with the same problem. Thanks go to Per Larsen for pointing me in the right direction.

    Step 1. Check that the user has the correct license requirements

    For auto-enrollment into MDM you need an Azure AD Premium license, so I wanted to verify that the user in question was licensed appropriately. To do so, open https://portal.azure.com and open the Intune service, click on Users and select the username you wish to verify. The username used for this blog post was wipuser@windowsnoob.com.

    Next, click on Licenses in the left column. The licenses available to the user are shown on the right blade along with a count of Enabled services. To drill down further, click on the Enterprise Mobility + Security E5 license. Details of the services enabled within that license are shown.

    So based on the above, you can see that the user is licensed for Azure AD Premium and Intune A direct, so this is not a licensing issue.

    Step 2. Check the Device limit setting in Azure AD

    Note: Azure AD maximum devices controls Azure AD device registration, not MDM enrollment. Azure AD registration and MDM enrollment are two separate features controlled by two separate products. Not every MDM enrollment requires Azure AD registration and vice-versa. That said, Windows AutoPilot does require Azure AD join, so it's a good idea to verify this setting prior to continuing your troubleshooting.

    You can set a limit on the number of devices users can enroll. To verify the current setting, open the Azure Active Directory service and click on Devices, then click on Device Settings. Look at the value stored in Maximum number of devices per user. The value is 20, which is an adequate number of devices that the user can have in Azure.

    Step 3. Check the number of devices the user has already enrolled

    Next, you should verify the number of devices the user in question has enrolled already. To do so, in the Intune service click on Users, select the username and then click on Devices. As you can see, the user has already enrolled one device, and it’s well below the 20 max limit, so you can determine that is not the issue.

    Step 4. Check if the user is in scope for MDM

    Next, verify that the user is actually in scope for MDM. To do so, in Azure Active Directory click on Mobility (MDM and MAM), select Microsoft Intune. In this example you can see that the MDM scope is set to Some, and that includes the following User Group: All Windows Device Users.

    So next you need to verify that the user is in that User Group. To do that, in the Intune service click on Groups, then All Groups, select the group in question and search for or locate your user in that group. The user is present in the group, so that is not the issue.

    Step 5. Check if the user is in scope for Azure AD Join

    To verify that the user can join devices into Azure AD, open the Azure Active Directory service and click on Devices, then click on Device Settings. Look at the value stored in Users may join devices to Azure AD. It can be one of the following three options:

    All
    Selected
    None

    In this example it is Selected and the User Group in question can be viewed by clicking on 1 member selected. The user group in this example is called Allowed Azure Ad Join. By clicking on the user group and then clicking on Members you can see what users are in that user group.

    From the above you can see that the user is NOT in this user group. To resolve the ‘something went wrong’ error, click on +Add members and select the user in question, then click on Try again on the Windows device.

    Step 6. Check for Enrollment restrictions

    In the Intune service click on Device Enrollment, then Enrollment Restrictions and look at the settings for Device Limit Restrictions. In this case it's 15, which is more than the user has listed under their Devices. You can also review the Device Type restrictions; however, the Windows operating system is not listed as of 2017/1/16.

    Summary

    Sometimes when things go wrong, the message you get requires you to do some digging and verification in order to resolve the problem. There may be other things that can generate the above error; if so let me know and I’ll add them.
  22. Hi everyone, I have the following error on all PCs with Windows 10 Pro 64-bit. WUAHandler.log attached:

    Its a WSUS Update Source type ({2D2CD364-CCCE-4820-A6A2-38EF21312593}), adding it. WUAHandler 16/1/2018 9:45:07 9812 (0x2654)
    Enabling WUA Managed server policy to use server:http://MYSCCM12.mydomain.local:8530 WUAHandler 16/1/2018 9:45:07 9812 (0x2654)
    Waiting for 2 mins for Group Policy to notify of WUA policy change... WUAHandler 16/1/2018 9:45:07 9812 (0x2654)
    Waiting for 30 secs for policy to take effect on WU Agent. WUAHandler 16/1/2018 9:45:10 9812 (0x2654)
    Added Update Source ({2D2CD364-CCCE-4820-A6A2-38EF21312593}) of content type: 2 WUAHandler 16/1/2018 9:45:40 9812 (0x2654)
    Scan results will include all superseded updates. WUAHandler 16/1/2018 9:45:40 9812 (0x2654)
    Search Criteria is (DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver') WUAHandler 16/1/2018 9:45:40 9812 (0x2654)
    Async searching of updates using WUAgent started. WUAHandler 16/1/2018 9:45:40 9812 (0x2654)
    Async searching completed. WUAHandler 16/1/2018 9:49:42 6476 (0x194C)
    OnSearchComplete - Failed to end search job. Error = 0x80244007. WUAHandler 16/1/2018 9:49:42 6180 (0x1824)
    Scan failed with error = 0x80244007. WUAHandler 16/1/2018 9:49:42 6180 (0x1824)
    Its a WSUS Update Source type ({2D2CD364-CCCE-4820-A6A2-38EF21312593}), adding it. WUAHandler 16/1/2018 9:49:42 5720 (0x1658)

    Thanks for your help. Greetings.
  23. Good morning fellow noobs, I have been given the task of finding out if SCCM 2012 R2 can deploy Chromium. I have searched high and low for information on this and it seems to be pretty sparse. I may just not be looking in the right spot, so any assistance with doing this would be greatly appreciated! Thanks in advance, MPH
  24. Hi Niall, did you make any progress on testing the TriggerBitlockerUser script? Thanks!
  25. Thank you Garth, thank god for this site, it’s a huge help to me.
  26. I would suggest that you upgrade them as you see fit, but I would upgrade them as fast as possible. If you designed your environment correctly, this upgrade should be no worse than the average app upgrade or SU deployment.
  27. I was worried that after I did a side-by-side migration and set the automatic client upgrade option it would cause a lot of traffic across the network; I wasn’t sure. My plan was to set the upgrade automatically option for new client in 7 days or more to space it out. I have around 3000 client machines.