Latest Discussions
Block or prevent users from installing any software without administrator permission

Hi, I want to block user permission for installing any software without administrator permission. How do I implement this policy via Intune? Users have M365 E3 licenses and are joined to Azure AD. I need an appropriate solution.

Rasel_Ahmed | Copper Contributor | Apr 25, 2021 | 22K views | 0 likes | 3 comments

WSUS Sync Failing
Within the last hour or so I have carried out a cleanup of our WSUS and reindexed the database as per this article: https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/ Once complete, I re-enabled the SUP schedule, and WSUS has not been able to sync since. Our SCCM version is 1702 with the hotfix, hosted on a Server 2012 R2 system. WSUS content is within a SQL database.

WCM.log:
"System.Net.WebException: The request failed with HTTP status 403: Target service not allowed.~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)"

WsusCtrl.log does not seem to indicate any proxy-related errors:
"No changes - local WSUS Server Proxy settings are correctly configured as Proxy Name ####### and Proxy Port ##"

Deleted | Not applicable | Jul 21, 2017 | 17K views | 0 likes | 9 comments

Connection Error after upgrading to version 2203
On Monday, I upgraded Endpoint Manager to version 2203. Everything appears to be working fine on the server itself. We only have one Endpoint Manager server with SQL collocated. After upgrading the Endpoint Manager console on remote systems, I am having some errors. When I go to the Console Extensions node or the Console Connections under Administration, I receive the following message:

Configuration Manager can't connect to the administration service. The Configuration Manager console can't connect to the site database through the administration service on <ServerFQDN>. Verify the following: There's no certificate on the SMS Provider site system server. Make sure it has a valid PKI or Configuration Manager-generated certificate for the site.

Additionally, it looks like until I'm able to make this connection I can't update the WebView2 extension, and without that extension the console crashes when I try to access the Windows Servicing and Microsoft Edge Management nodes under Software Library. If I manually import the self-signed certificate from Endpoint Manager (we are not using PKI) into the Trusted People container in the Certificates MMC on the remote systems, then the console works correctly. I'd prefer not to band-aid this problem but instead fix it. I've tried the following that I found on blog posts to resolve this issue, but all with no success:
- Made sure that "Use Configuration Manager-generated certificates for HTTP site system" is enabled
- Made sure no certificates are blocked in Configuration Manager
- Checked the SSL certificate on the Default Website; it is the self-signed certificate from Endpoint Manager
- Turned off Windows Firewall
- Reviewed the SmsAdminUI.log file

The SmsAdminUI.log file shows the following entries:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Failed to get a response for OData GET request: https://<ServerFQDN>/AdminService/v1.0/ConsoleExtensionMetadata?$filter=IsRequired eq true and IsTombstoned eq false and IsApproved eq true
Could not connect to the AdminService to check for requirements.
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Failed to get a response for OData GET request: https://< ServerFQDN>/AdminService/v1.0/ConsoleExtensionMetadata?$filter=IsApproved eq false
Error getting custom console extensions IDs, versions and names using Admin Service: SSLFailure
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Failed to get a response for OData POST request: https:// <FQDN>//AdminService/v1.0/ConsoleUsageData/AdminService.UpdateConsoleHeartbeat
Microsoft.ConfigurationManagement.ManagementProvider.ODataConnectionException: SSLFailure

At this point, I don't know where to go next. Any help would be greatly appreciated.

RyanD79 | Copper Contributor | Jun 16, 2022 | 13K views | 0 likes | 10 comments

CreateProcessAsUser Error 5 - ServiceUI.exe
Hi All, I've recently updated my SCCM site version to v1910, and since performing this update I've been having issues with my Upgrade Task Sequence. Previously I've had a command line step in the upgrade task sequence to run a manually built "Windows 10 Splash Screen" using ServiceUI.exe to allow the user to install or postpone the upgrade. This has been issue-free until the update to SCCM 1910; since then, when I try to run the task sequence, the following step fails with this error. Has anyone got any idea how I can resolve this? Been racking my brain for days now...

Elliot_the_Goose | Copper Contributor | May 27, 2020 | 12K views | 0 likes | 9 comments

SCCM Remote Desktop capabilities
Hello, I've been looking into getting SCCM for our organisation. We currently have a LogMeIn subscription and wondered if SCCM's Remote Control solution will be a good alternative. We also have Office 365 Business Premium licences. What I'm hoping to achieve with SCCM:
- Remote access to local network devices (I've seen this work from clips online)
- Remote access to remote worker devices (devices connected to the domain / Azure AD, but not on the local network)
- When I'm accessing remote devices as the administrator, I need UAC access to install applications. Does Remote Control support the UAC prompt window?

The reason I'm asking is I was potentially going to use Microsoft Teams with 'Share Desktop' to support end users. However, the UAC prompt window doesn't appear. I haven't tested with Skype for Business, but I'm trying to get away from using it. Or could this be done with policies being pushed to the remote device? I would test this myself with the evaluation licence of SCCM. We're in the process of upgrading our infrastructure currently, so I'm unable to install and test it myself. If anyone could point me in the right direction I would be most grateful.

David Noble | Iron Contributor | Aug 02, 2018 | 12K views | 0 likes | 3 comments

UPGRADE_EXPERIENCE_INDICATORS in Resource Explorer
We are seeing that the Config Manager hardware inventory contains the UPGRADE_EXPERIENCE_INDICATORS section, which shows data that appears to be about upgrade compatibility to specific builds (with CO21H2 being Windows 11 21H2, for example). Could someone please share what the attributes named Upg Ex Prop and Upg Ex U and the color values they have actually mean? We've seen Red, Orange, Yellow, and Green, but it doesn't appear to be documented anywhere what the attributes or values represent. We would like to use these values for collection membership and Windows 11 Upgrade task sequence deployment, but want to fully understand what they represent.

Note: We have compared these to what is shown in Endpoint Analytics for Windows 11 readiness status. While green has matched Capable and red has matched Not Capable, we're seeing a mix of Capable and Unknown for both yellow and orange. Thank you.

Joe_Friedel | Iron Contributor | Apr 19, 2022 | 10K views | 1 like | 4 comments

Issue setting up the CMG connection point role
Hi! I deployed the CMG connection point role (only) to a new site server (MECM 1910 (5.0.8913.1000)), but the connection point just stayed disconnected from a functioning CMG. The log file sms_cloud_proxyconnector.log showed "missing role certificate. reload in next cycle" every 60s. I ended up installing the MP role as well on the same server, and the CMG CP started working as intended. The certificate store on the site server now has a "cloud proxy connector" certificate under SMS\Certificates, which wasn't there before I installed the MP role. I've removed the MP role and its prerequisites and the CMG CP is still working. We're using "enhanced HTTP" mode for client communication. Anybody else seen this behavior? Is it not supported to install the CMG CP role independently? Thanks!

Marcel Biebricher | Copper Contributor | Mar 19, 2020 | 10K views | 0 likes | 3 comments

CMG Error in 2006
I am experiencing a lot of errors in the ProxyService_IN_0-CMGService.log file on my production machine. The errors are shown below. We are not using PKI; we use a public wildcard cert for server authentication. I have virtually an exact duplicate setup with a public cert and no errors are being reported in the log files. Whenever I run the CMG Analyzer I get an error at "Check Config setting are up to date" or "Testing the CMG Channel". They will never pass. In my test environment they will pass within about 10 seconds of starting. Could this error be coming from the CMG server itself?

ERROR: Security token validation exception with requesting URL https://xxx.xxx.xxxx/CCM_Proxy_ServerAuth/72057594037927940/CCM_STS. System.IdentityModel.Tokens.SecurityTokenValidationException: System.Security.Cryptography.CryptographicException: CryptVerifySignature failed with HRESULT 0x80090006
 at Microsoft.ConfigurationManager.CommonBase.SignatureUtilities.ValidateSignature(Byte[] token, Byte[] signature, Byte[] publicKey)
 at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateCcmAuthHeader(String authHeader, String publicKey) ---> System.Security.Cryptography.CryptographicException: CryptVerifySignature failed with HRESULT 0x80090006
 at Microsoft.ConfigurationManager.CommonBase.SignatureUtilities.ValidateSignature(Byte[] token, Byte[] signature, Byte[] publicKey)
 at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateCcmAuthHeader(String authHeader, String publicKey)
 --- End of inner exception stack trace ---
 at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateCcmAuthHeader(String authHeader, String publicKey)
 at Microsoft.ConfigurationManager.CloudBase.AuthorizationToken.TokenValidator.ValidateTokenEx(String token, String tokenHint)
 at Microsoft.ConfigurationManager.BgbServerChannel.BgbServerReverseProxy.ValidateAuthorizationToken(String authorizationToken, EndpointClientAuthScheme clientAuthScheme, Uri requestUri, IToken& validatedToken, EndpointClientAuthScheme& validatedScheme)

Ronald Lawrimore | Brass Contributor | Oct 07, 2020 | 6.9K views | 0 likes | 9 comments

MaintenanceCoordinator Orchestration Lock is required
I have been getting this since installing the update that converted Server Groups to Orchestration Groups. I have removed all "converted" Server Groups and now have no Orchestration Groups. I have uninstalled and deleted the devices from ConfigMgr, discovered and re-installed the client, but the clients all still never install "required" updates. They will just say "waiting to install". In the MaintenanceCoordinator.log file it will say:

Task did not pass service window check
CheckServiceWindow()
Orchestration lock is required
LockIsAvailable
RequestSent: 00000001
Start Timer: 60
Basic Timer is already queued

It will just keep repeating that over and over. Thanks for any suggestions.

Dave Barker | Copper Contributor | Feb 23, 2021 | 5.6K views | 0 likes | 6 comments

Local administrator created during OSD doesn't get administrator access
This is an issue at the intersection between application deployment (via task sequence) and operating-system deployment. I have a setup.exe installer (actually, several of them, all part of the same collection, but the issue can be illustrated by talking about just one) which works fine when run as an ordinary local administrator, but fails with error 1619 when run as SYSTEM. As best I've been able to determine, the installer detects that the embedded MSI would be extracted to a location under the Windows folder, decides that's a security violation, and intentionally does things in a way that will result in this error. To work around this, I have created a task sequence (without a boot image) to run the installation as a temporary local administrator account. Specifically, this task sequence has the following series of actions:
* A Run Command Line action to create a new local user account, by running 'net user TEMPORARYUSERNAME PASSWORD /add'.
* A Run Command Line action to add that user to the local Administrators group, by running 'net localgroup Administrators TEMPORARYUSERNAME /add'.
* A Run Command Line action to invoke the setup.exe from its package, with the "run this step from the following account" box checked, the username set to '%computername%\TEMPORARYUSERNAME', and the password entered accordingly.
* A Run Command Line action to delete the temporary local user, by running 'net user TEMPORARYUSERNAME /delete'.

If I create a deployment of this task sequence to a collection, and invoke it manually from the Software Center, it works; the program is installed as intended, and the user is created and cleaned up along the way. Event Viewer does log a warning (or perhaps an error) indicating having failed to load the user profile for this account, but that doesn't seem to do any harm, and I haven't yet found any way to avoid having it happen.

If I then go to an OSD task sequence and add a Run Task Sequence action (after rebooting out of Windows PE and into Windows proper) which invokes the above task sequence, and then deploy that OSD task sequence to a computer, the embedded task sequence fails. More specifically, it gets as far as the action which invokes setup.exe, and then records that the installation failed with error 1603. As best I can determine based on analyzing the logs, the 1603 in this case is a simple "access denied" error, and means that the account which is being used to run the program does not have write access to the install location. However, because the user has been added to the local Administrators group, that user should have Administrator-level access to the entire system, including the install location. The fact that this install succeeds when invoked from Software Center seems to indicate that this user *does* in fact get such access in that environment, but in the post-WinPE OSD environment, it apparently does not. I have gone so far as to add a reboot step in between the step which adds the temporary account to the local Administrators group and the step which invokes setup.exe, in the hopes that the reboot would lead the system to recognize that the temporary account is a member of that group. However, this did not appear to produce any change in the behavior of the setup.exe step.

My first question is: How can I get Windows to properly grant local Administrator access (and, as a consequence, write access to the install location) to this user no matter which environment the "inner" task sequence is run from? If there's no apparent way to do that, my second question is: How else can I get this install to run as a non-SYSTEM user with local administrator access? Running as the built-in administrator account itself is not really an option. We manage that account's password with LAPS, so while I know what that password is at Windows install time, as soon as we join the domain (which, for various reasons, will have happened by this point in the task sequence) there's a possibility that the password will have changed; as a result, I can't specify that password in the Run Command Line action.

Andrew_Buehler | Copper Contributor | Aug 31, 2022 | 5.3K views | 0 likes | 2 comments
Tags
- cm current branch (49 topics)
- Operating System Deployment (20 topics)
- software update management (15 topics)
- Site Setup and client deployment (10 topics)
- App Management (8 topics)
- general (7 topics)
- SCCM (7 topics)
- cloud-attached management (6 topics)
- endpoint protection (5 topics)
- security and compliance (5 topics)