Alexandros

Established Members
  • Posts: 19
  • Days Won: 1

Everything posted by Alexandros

  1. 1806 and still persists? I didn’t test myself as I am also on 1806. We need to somehow report this to the devs. Does anyone here have any contacts? Alex
  2. Thanks a lot Oktay for looking into this! I have sent the forum thread to Microsoft Intune support as they have a dedicated topic for Comanagement. Let's hope they help me out here. I am also seeing a weird issue when I do gpupdate: "Windows failed to apply the MDM policy settings". Have you noticed any similar issue? Thanks a lot. Alex
  3. I am facing a very weird issue with SCCM CoManagement where Windows 10 machines registered to AzureAD in Hybrid Azure AD Join are shown as Azure AD Joined. I will be focusing on one machine so we see the issue in depth.

     Configuration details
       • SCCM Current Branch 1802 with all three hotfixes installed
       • Windows 10 Enterprise 1803 with latest updates
       • Co-Management Enabled for All Devices (no pilot group)
       • No workloads have yet been migrated to Intune
       • Group Policies for Automatic Enrollment to MDM and Automatic Registration with AzureAD enabled
       • SCCM Client Cloud option for Automatic Registration enabled
       • Intune set as Standalone
       • Intune Enrollment set as MDM only (MAM disabled)
       • ADFS Federated Domain 3.0 (2012R2) with AAD Connect Federation

     Facts
       • SSO et al. are working as expected on the client
       • Client detects client as Hybrid Azure AD Joined
       • Intune detects client as Hybrid Azure AD Joined

     Issue
       • SCCM detects client as Azure AD Joined

     I will now provide all relevant screenshots from Intune, SCCM and Client.

     SCCM
     As seen below, SCCM thinks the device is Azure AD Join and not Hybrid Azure AD Join. I also used the following SCCM query:

         select SMS_R_System.NetbiosName,
                SMS_Client_ComanagementState.Authority,
                SMS_Client_ComanagementState.AADDeviceID,
                SMS_Client_ComanagementState.ComgmtPolicyPresent,
                SMS_Client_ComanagementState.EnrollmentErrorDetail,
                SMS_Client_ComanagementState.EnrollmentFailed,
                SMS_Client_ComanagementState.EnrollmentStatusCode,
                SMS_Client_ComanagementState.HybridAADJoined,
                SMS_Client_ComanagementState.MDMEnrolled,
                SMS_Client_ComanagementState.MDMWorkloads,
                SMS_Client_ComanagementState.AADJoined
         from SMS_R_System
         inner join SMS_Client_ComanagementState
                 on SMS_Client_ComanagementState.ResourceID = SMS_R_System.ResourceId
         where SMS_Client_ComanagementState.ComgmtPolicyPresent = 1
           and SMS_Client_ComanagementState.MDMEnrolled = 1

     And had the following results, same problem.
     Azure AD Joined = Yes, Hybrid Azure AD Joined = No

     AzureAD
     As seen on the Devices > Azure AD Devices, the machine is properly detected as Hybrid Azure AD Joined.
     As seen below, DeviceTrustType = Domain Joined and DeviceTrustLevel = Managed should be correct (see here).

         Get-MsolDevice -Name hp-eb-g3

         Enabled : True
         ObjectId : cxxxxxxxxxxxxxxxxxxxxxxxx0
         DeviceId : 2xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2
         DisplayName : HP-EB-G3
         DeviceObjectVersion : 2
         DeviceOsType : Windows 10 Enterprise
         DeviceOsVersion : 10.0 (17134)
         DeviceTrustType : Domain Joined
         DeviceTrustLevel : Managed
         DevicePhysicalIds : {[USER-GID]:2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2, [GID]:g:6xxxxxxxxxxxxxxxx2, [USER-HWID]:2xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2, [HWID]:h:6xxxxxxxxxxxxxxxxxx2}
         ApproximateLastLogonTimestamp : 27/07/2018 15:00:56
         AlternativeSecurityIds : {X509:<SHA1-TP-PUBKEY>0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
         DirSyncEnabled : True
         LastDirSyncTime : 03/08/2018 02:31:16
         RegisteredOwners : {}
         GraphDeviceObject : Microsoft.Azure.ActiveDirectory.GraphClient.Device

     Intune
     This is how the device shows up in Intune

     Client
       • DeviceManagement Log event 75 properly happened
       • Client properly seeing management from Intune
       • dsregcmd properly recognizes machine as AAD and MDM enrolled and AD Domain Joined

         dsregcmd /status

         +----------------------------------------------------------------------+
         | Device State                                                         |
         +----------------------------------------------------------------------+
         AzureAdJoined : YES
         EnterpriseJoined : NO
         DeviceId : 2xxxxxxxxxxxxxxxxxxxxxxxxx2
         Thumbprint : 0xxxxxxxxxxxxxxxxxxxxxxA
         KeyContainerId : cxxxxxxxxxxxxxxxxxxxxxx7
         KeyProvider : Microsoft Platform Crypto Provider
         TpmProtected : YES
         KeySignTest: : PASSED
         Idp : login.windows.net
         TenantId : 9xxxxxxxxxxxxxxxxxxx2
         TenantName : Axxxxxxxxxxxxxs
         AuthCodeUrl : https://login.microsoftonline.com/9xxxxxxxxxxxxxxxxxxxx2/oauth2/authorize
         AccessTokenUrl : https://login.microsoftonline.com/9xxxxxxxxxxxxxxxxxxxxxxxxx2/oauth2/token
         MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
         MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
         MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
         SettingsUrl :
         JoinSrvVersion : 1.0
         JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
         JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
         KeySrvVersion : 1.0
         KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
         KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
         WebAuthNSrvVersion : 1.0
         WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/9xxxxxxxxxxxxxxxxxxxxxxxxxxxx2/
         WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
         DeviceManagementSrvVersion : 1.0
         DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2/
         DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
         DomainJoined : YES
         DomainName : XXXXXXXXXX
         +----------------------------------------------------------------------+
         | User State                                                           |
         +----------------------------------------------------------------------+
         NgcSet : NO
         WorkplaceJoined : NO
         WamDefaultSet : YES
         WamDefaultAuthority : organizations
         WamDefaultId : https://login.microsoft.com
         WamDefaultGUID : {Bxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0} (AzureAd)
         AzureAdPrt : YES
         AzureAdPrtAuthority : https://login.microsoftonline.com/9xxxxxxxxxxxxxxxxxxxxxxxxxx2
         EnterprisePrt : NO
         EnterprisePrtAuthority :
         +----------------------------------------------------------------------+
         | Ngc Prerequisite Check                                               |
         +----------------------------------------------------------------------+
         IsUserAzureAD : YES
         PolicyEnabled : NO
         PostLogonEnabled : YES
         DeviceEligible : YES
         SessionIsNotRemote : NO
         CertEnrollment : none
         AadRecoveryNeeded : NO
         PreReqResult : WillNotProvision

     Can anyone having a similar configuration crosscheck and let me know what difference there is?

     References:
       • https://www.imab.dk/flipping-the-switch-how-to-enable-co-management-in-configuration-manager-current-branch/
       • https://allthingscloud.blog/automatically-mdm-enroll-windows-10-device-using-group-policy/

     -- Alex
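
The cross-check described in post 3, as an added example that is not part of the original post: it parses `dsregcmd /status` text, derives the join state from the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields, and compares the result with the `HybridAADJoined` column returned by the SCCM query in the post. The function names `Get-DsregJoinState` and `Compare-JoinStateWithSccm` and the sample input are constructed for illustration.

```powershell
# Added example (not the poster's code). Function names are hypothetical.
function Get-DsregJoinState {
    param([Parameter(Mandatory)][string[]]$StatusText)

    # Collect "Key : Value" pairs; box and section-header lines do not match.
    $kv = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $kv[$Matches[1]] = $Matches[2]
        }
    }
    $aad    = $kv['AzureAdJoined']   -eq 'YES'
    $domain = $kv['DomainJoined']    -eq 'YES'
    $wpj    = $kv['WorkplaceJoined'] -eq 'YES'

    # Hybrid join is the combination of an AD domain join and an Azure AD join.
    if ($aad -and $domain) { $joinState = 'Hybrid Azure AD joined' }
    elseif ($aad)          { $joinState = 'Azure AD joined' }
    elseif ($wpj)          { $joinState = 'Azure AD registered' }
    elseif ($domain)       { $joinState = 'Domain joined only' }
    else                   { $joinState = 'Not joined' }

    [pscustomobject]@{
        JoinState    = $joinState
        DeviceId     = $kv['DeviceId']
        TpmProtected = $kv['TpmProtected'] -eq 'YES'
        AzureAdPrt   = $kv['AzureAdPrt'] -eq 'YES'
    }
}

function Compare-JoinStateWithSccm {
    param(
        [Parameter(Mandatory)]$ClientState,
        # Value of SMS_Client_ComanagementState.HybridAADJoined for the same device
        [Parameter(Mandatory)][bool]$HybridAADJoined
    )
    $clientHybrid = $ClientState.JoinState -eq 'Hybrid Azure AD joined'
    [pscustomobject]@{
        ClientJoinState = $ClientState.JoinState
        SccmSaysHybrid  = $HybridAADJoined
        Mismatch        = $clientHybrid -ne $HybridAADJoined
    }
}

# Constructed sample input with placeholder identifiers; on a real client use:
#   Get-DsregJoinState -StatusText (dsregcmd /status)
$sample = @'
| Device State |
AzureAdJoined : YES
EnterpriseJoined : NO
DeviceId : 00000000-0000-0000-0000-000000000000
TpmProtected : YES
DomainJoined : YES
| User State |
WorkplaceJoined : NO
AzureAdPrt : YES
'@ -split "`r?`n"

$client = Get-DsregJoinState -StatusText $sample
# SCCM reported "Hybrid Azure AD Joined = No" in the post, hence $false here.
Compare-JoinStateWithSccm -ClientState $client -HybridAADJoined $false
```

With the values from the post, the client side classifies as hybrid joined while the SCCM flag is false, so `Mismatch` is `True`.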
  4. Dear all, I am trying to figure out what is the difference between the two below options. 1. The first is Capture User State that has an option for Offline USMT 2. The second is a script call under Offline USMT node. Can anyone please help me understand the difference? Thank you!
  5. I found the following that happens on 1610 and seems like a bug which Microsoft acknowledged. https://social.technet.microsoft.com/Forums/en-US/7bfdd65e-d81f-447c-a132-3df9f2b296c7/client-fails-to-request-user-state-store-no-local-smp-found?forum=configmanagerosd Removing the Failback boundary group from the Boundary, solves the problem. Just tested it and verified that this bug is still there. -- Alex
  6. And yes, this is now resolved. On the Boundary Group, I had only added the local DP (which carries the SMP role as well) and lives in the same subnet. I hadn't added the main Site System which is over WAN and is holding the Primary Site server role and the MP. I don't know if this is the proper way to set this up, but this has now solved the problem. BUT, if the secondary host (the Primary Site Server) is also a DP and SMP, then the client could possibly choose that one as a DP? Any help here appreciated. Alex
  7. Here is the log from this change.

         Number of remote SMP's = 1 OSDSMPClient 23/02/2018 05:50:17 3656 (0x0E48)
         Adding http://server.company.intern.com to Remote SMP list. OSDSMPClient 23/02/2018 05:50:17 3656 (0x0E48)

     -- Alex
  8. Folks, I dug deeper into the issue. My Client is on a subnet that is properly in the boundary group of the server below. So,

         Client : 192.168.51.150
         SMP: 192.168.51.50

     These are properly bordered in the SMP role, but still the smsts.log fails with:

         Number of local SMP's = 0 OSDSMPClient 23/02/2018 03:39:40 2080 (0x0820)
         SMP Location Info =
         <SMPLocationInfo>
           <Sites>
             <Site>
               <SMPSite SiteCode="XX1" MasterSiteCode="XX1" SiteLocality="REMOTE">
                 <LocationRecords>
                   <LocationRecord>
                     <ADSite Name="SITE1"/>
                     <IPSubnets>
                       <IPSubnet Address="192.168.51.0"/>
                       <IPSubnet Address=""/>
                     </IPSubnets>
                     <ServerName>http://server.company.intern.com</ServerName>
                   </LocationRecord>
                 </LocationRecords>
               </SMPSite>
             </Site>
           </Sites>
         </SMPLocationInfo>

     So, I changed the Task Sequence to be allowed to fall back on a Remote DP and that worked, so this is the root of the problem.

     Possible causes:
       a. The client is in two Boundary Groups, one via the AD Site and one via the IP Subnet
       b. Dual network interfaces exist on the client so it gets confused

     I will look into both issues. -- Alex
  9. On a SCCM 1606 fresh install, I see that Accounts tab is empty. Is this normal? -- Alex
  10. Although it worked once, now it fails with below error. Administration > Add System Site Role Wizard > Add a Reporting Point. When I try to provide the user account and click Existing Accounts I get the following error.

         Invalid parameter
         -------------------------------
         Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException
         The SMS Provider reported an error.
         Stack Trace:
            at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__74.MoveNext()
            at Microsoft.ConfigurationManagement.ManagementProvider.QueryProcessorBase.ProcessQuery(Object sender, DoWorkEventArgs e)
            at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)
            at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)
         -------------------------------
         System.Management.ManagementException
         Invalid parameter
         Stack Trace:
            at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__74.MoveNext()
            at Microsoft.ConfigurationManagement.ManagementProvider.QueryProcessorBase.ProcessQuery(Object sender, DoWorkEventArgs e)
            at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)
            at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)
         -------------------------------

     If I try to add an account on the spot, I can complete the User and Password fields but when I hit OK, it doesn't show up -and can't continue-! Any ideas? Has the DB been broken? -- Alex
  11. Yes! That did it. But now, I still have a failing:

         ERROR: Failed to execute spConfigureServiceBroker
         ERROR: Failed to ExecuteConfigureServiceBrokerSp

     Apparently because I had pre-configured the service broker port on 4022.

         *** [42000][9692][Microsoft] [SQL Server]The Service Broker endpoint cannot listen on port 4022 because it is in use by another process.

     -- Alex
  12. It seems I found the problem was with the actual ISO of 1702! https://social.technet.microsoft.com/Forums/en-US/242348d5-610e-4a8a-a9b6-66cbcbcc3363/core-setup-sccm-1702-failed?referrer=http://social.technet.microsoft.com/Forums/en-US/242348d5-610e-4a8a-a9b6-66cbcbcc3363/core-setup-sccm-1702-failed?forum=ConfigMgrCBGeneral My reply and results are shown there. -- Alex
  13. One question on the SQL Service Broker port. Is it supposedly created by the SCCM installer or must we pre-create it? I have pre-created it since SCCM installer doesn't seem to do it. I am doing: Service Broker with AlwaysOn Availability Groups (SQL Server) https://technet.microsoft.com/en-us/library/hh710058(v=sql.110).aspx Please let me know which is the proper way to go. Alex
  14. Hello Noobs! Just joined to one of the best forums -as all previous posts show- for Microsoft technologies. I am a long standing Winadmin with many years of work in my back (like most here!). So, I have the following issue when trying a fresh install for SCCM 1702.

     CMServer
     I provide the connection string to the db as:

         Host: SQLServer.domain.com
         Instance Name: SCCM

     SQLServer
     Named Instance listening on port 1460. Port 1433 is deaf, no one lives there.

     As I am monitoring the configinstall.log, I see the following (no other errors until that point).

         CSql Error: Cannot find data for connection type: CCAR_DB_ACCESS, cannot get a connection. $$<Configuration Manager Setup><01-30-2018 10:22:59.572+00><thread=5704 (0x1648)>
         INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure $$<Configuration Manager Setup><01-30-2018 10:22:59.603+00><thread=5704 (0x1648)>
         CSql Error: Cannot find data for connection type: CCAR_DB_ACCESS, cannot get a connection. $$<Configuration Manager Setup><01-30-2018 10:23:02.635+00><thread=5704 (0x1648)>
         INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure $$<Configuration Manager Setup><01-30-2018 10:23:02.635+00><thread=5704 (0x1648)>
         CSql Error: Cannot find data for connection type: CCAR_DB_ACCESS, cannot get a connection. $$<Configuration Manager Setup><01-30-2018 10:23:05.674+00><thread=5704 (0x1648)>
         INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure $$<Configuration Manager Setup><01-30-2018 10:23:05.674+00><thread=5704 (0x1648)>
         CSql Error: Cannot find data for connection type: CCAR_DB_ACCESS, cannot get a connection. $$<Configuration Manager Setup><01-30-2018 10:23:08.716+00><thread=5704 (0x1648)>
         INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure $$<Configuration Manager Setup><01-30-2018 10:23:08.716+00><thread=5704 (0x1648)>
         CSql Error: Cannot find data for connection type: CCAR_DB_ACCESS, cannot get a connection. $$<Configuration Manager Setup><01-30-2018 10:23:11.752+00><thread=5704 (0x1648)>
         INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure $$<Configuration Manager Setup><01-30-2018 10:23:11.752+00><thread=5704 (0x1648)>
         CSql Error: Cannot find data for connection type: CCAR_DB_ACCESS, cannot get a connection. $$<Configuration Manager Setup><01-30-2018 10:23:14.788+00><thread=5704 (0x1648)>
         INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure $$<Configuration Manager Setup><01-30-2018 10:23:14.788+00><thread=5704 (0x1648)>
         CSql Error: Cannot find data for connection type: CCAR_DB_ACCESS, cannot get a connection. $$<Configuration Manager Setup><01-30-2018 10:23:17.820+00><thread=5704 (0x1648)>
         INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure $$<Configuration Manager Setup><01-30-2018 10:23:17.820+00><thread=5704 (0x1648)>
         CSql Error: Cannot find data for connection type: CCAR_DB_ACCESS, cannot get a connection. $$<Configuration Manager Setup><01-30-2018 10:23:20.849+00><thread=5704 (0x1648)>
         INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure $$<Configuration Manager Setup><01-30-2018 10:23:20.849+00><thread=5704 (0x1648)>
         CSql Error: Cannot find data for connection type: CCAR_DB_ACCESS, cannot get a connection. $$<Configuration Manager Setup><01-30-2018 10:23:23.889+00><thread=5704 (0x1648)>
         INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure $$<Configuration Manager Setup><01-30-2018 10:23:23.889+00><thread=5704 (0x1648)>
         CSql Error: Cannot find data for connection type: CCAR_DB_ACCESS, cannot get a connection. $$<Configuration Manager Setup><01-30-2018 10:23:26.930+00><thread=5704 (0x1648)>
         INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure $$<Configuration Manager Setup><01-30-2018 10:23:26.930+00><thread=5704 (0x1648)>
         ERROR: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure $$<Configuration Manager Setup><01-30-2018 10:23:29.961+00><thread=5704 (0x1648)>
         Failed to get DB connection for turning off client piloting for CD upgrade. $$<Configuration Manager Setup><01-30-2018 10:23:29.961+00><thread=5704 (0x1648)>

     And later on in the log I get:

         INFO: Adding a login for SMS Provider: IF NOT EXISTS (select * from master.sys.server_principals where ******************') CREATE LOGIN [******************* FROM WINDOWS $$<Configuration Manager Setup><01-30-2018 10:15:57.783+00><thread=5704 (0x1648)>
         INFO: Grant this login for SMS Provider to have View Server State permission: GRANT VIEW SERVER STATE TO *****************] $$<Configuration Manager Setup><01-30-2018 10:15:57.814+00><thread=5704 (0x1648)>
         INFO: Creating user for SMS Provider: IF NOT EXISTS (select * from sys.database_principals where ****************') CREATE USER ****************] $$<Configuration Manager Setup><01-30-2018 10:15:57.830+00><thread=5704 (0x1648)>
         INFO: Adding SMS Provider machine account to smsdbrole_siteprovider: EXEC sp_addrolemember N'smsdbrole_siteprovider', N'A***********' $$<Configuration Manager Setup><01-30-2018 10:15:57.845+00><thread=5704 (0x1648)>
         INFO: Getting SMS Provider version... $$<Configuration Manager Setup><01-30-2018 10:24:18.777+00><thread=5704 (0x1648)>
         ERROR: Failed to get SMS Provider version. $$<Configuration Manager Setup><01-30-2018 10:24:59.127+00><thread=5704 (0x1648)>
         INFO: Build version is 8498, loaded SMS Provider Version is . $$<Configuration Manager Setup><01-30-2018 10:24:59.127+00><thread=5704 (0x1648)>

     The final death of the deployment comes much later as:

         INFO: 'sqlserver.domain.com' is a valid FQDN. Configuration Manager Setup 30/01/2018 08:27:48 5260 (0x148C)
         *** [08001][10060][Microsoft] TCP Provider: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Configuration Manager Setup 30/01/2018 08:28:51 5260 (0x148C)
         *** [HYT00][0][Microsoft][SQL Server Native Client 11.0]Login timeout expired Configuration Manager Setup 30/01/2018 08:28:51 5260 (0x148C)
         *** [08001][10060][Microsoft][SQL Server Native Client 11.0]A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online. Configuration Manager Setup 30/01/2018 08:28:51 5260 (0x148C)
         *** Failed to connect to the SQL Server, connection type: SQLSERVER.DOMAIN.COM SCCM\MASTER. Configuration Manager Setup 30/01/2018 08:28:51 5260 (0x148C)
         INFO: SQL Connection failed. Connection: SQLSERVER.DOMAIN.COM SCCM\MASTER, Type: Secure Configuration Manager Setup 30/01/2018 08:28:51 5260 (0x148C)

     After some more time where some more work happens on the installer side, I get the following irrelevant screen:

         "Setup failed to configure SQL Service Broker. Each Configuration Manager site must have its own SQL Server instance. Verify that the selected SQL server instance is not in use by another Configuration Manager site."

     The Service Broker port is there and properly configured by SCCM installer so this is an erroneous message. And all that, after the database is being properly created and multiple times earlier in the process I am getting SQL successful connections! The only point of interest I found is below and in the same log file.

         INFO: 'sqlserver.domain.com' is a valid FQDN. Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C)
         INFO: Read SQL Data and Log file Path from script file if specified. Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C)
         INFO: Validating correct drive letter. Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C)
         INFO: Validating correct drive letter. Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C)
         INFO: This is a named instance SQL Server. Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C)
         INFO: SQL Server instance name (pSetupInf->SqlInstName): sccm Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C)
         INFO: SQL Server master database (pSetupInf->SqlMasterDB): sccm\master Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C)
         INFO: Site SQL Server database name (pSetupInf->SqlDatabaseName): sccm\CM_AP1 Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C)
         INFO: Site SQL Server computer name (pSetupInf->SqlServer): sqlserver.domain.com Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C)
         INFO: Site SQL Server Data File Path (pSetupInf->SqlDataFilePath): F:\SCCM-Data\MSSQL13.SCCM\MSSQL\DATA Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C)
         INFO: Site SQL Server Log File Path (pSetupInf->SqlLogFilePath): H:\SCCM-LOG Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C)
         INFO: Site SQL Server service port : 1433 Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C) <------------------- THIS IS NOT CORRECT. SERVICE PORT IS 1460, NOTHING LISTENS ON 1433
         INFO: Site SQL Server SSB port : 4022 Configuration Manager Setup 30/01/2018 07:54:15 5260 (0x148C) <---- THIS IS CORRECT AND PROPERLY EXISTS AND LISTENING

     Any ideas? - Alex