Aug 03 2022 02:35 AM
I am struggling with a problem with co-management and newly imaged (SCCM OSD) computers. Simply put, the SCCM client shows that the device is co-managed, shows information about the MP etc., but it seems to be broken - it has some tabs missing and only two actions available to trigger.
In Intune I see:
Aug 03 2022 03:41 AM
Aug 03 2022 06:07 AM - edited Aug 03 2022 06:09 AM
I attached log files.
Aug 03 2022 06:20 AM
Aug 03 2022 07:19 AM
We use CM2006.
I restarted the SMS Agent a couple of times, I also rebuilt the affected machines and built another one, and the issue is still present.
The machine policy cycle mostly triggers the Host Process for OMA-DM Client process and some actions from the Host Process for Conf Manager (but it is minor activity).
Here is the output from dsregcmd:
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
I am not sure if anything else is necessary; however, the output for an older, working machine is the same.
I added a PolicyAgent log - no errors, but some warnings - not sure if they are relevant.
Aug 03 2022 07:27 AM
Aug 03 2022 07:34 AM
Aug 04 2022 08:10 AM - edited Aug 04 2022 08:13 AM
I know - we are in the middle of planning an update; however, in our environment it will take some time.
However, I made some progress in troubleshooting. It seems that this problem affects only those computers that work on the intranet and try to pull policy from the on-premises MP. I looked at the datatransfering log and there are a lot of transient errors (0x80200024) when the client tries to download policies/content. The problem doesn't occur on devices connected to VPN - they have been switched to use the internet-based (CMG) MP. I double-checked the boundaries and they look OK - they have not been changed for a long time. Our network team is looking into the Palo Alto FW logs to check for packet drops.
I am wondering if enabling co-management could have triggered this issue. We did this two weeks ago. However, I am not sure when these transient errors started, as I just returned from holidays.
Aug 04 2022 08:21 AM
Aug 05 2022 08:59 AM
I found this thread related to Palo Alto, and that gave me good directions for further troubleshooting.
I found another thread in the Palo Alto KB that suggests enabling HTTP Partial Response on the FW. Our network team did that for one subnet and it seems that was the solution. I will test it more deeply on Monday and let the network team know to enable this for all affected subnets.
Thank you for your help, Mathieu! Have a great weekend.
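
Added example, not part of the thread: the open question above of when the 0x80200024 transient errors started can be answered from a client's log with a short Python script that dates the first occurrence and counts hits per day, which can then be lined up with firewall or co-management change dates. It assumes the log uses the standard CMTrace line layout (the ConfigMgr client's DataTransferService.log is assumed to be the log meant); the `error_timeline` helper and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# CMTrace entry: <![LOG[message]LOG]!><time="HH:MM:SS.mmm+off" date="MM-DD-YYYY" ...>
ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>\d{1,2}:\d{2}:\d{2})[^"]*"\s+date="(?P<date>\d{1,2}-\d{1,2}-\d{4})"',
    re.DOTALL,  # messages may span several physical lines
)

def error_timeline(log_text, code="0x80200024"):
    """Return (first_seen, per_day_counts) for entries whose message contains `code`."""
    hits = []
    for m in ENTRY.finditer(log_text):
        if code.lower() in m["msg"].lower():
            stamp = m["date"] + " " + m["time"]
            hits.append(datetime.strptime(stamp, "%m-%d-%Y %H:%M:%S"))
    per_day = Counter(ts.date().isoformat() for ts in hits)
    first_seen = min(hits) if hits else None
    return first_seen, dict(sorted(per_day.items()))

# Constructed sample entries (message texts are illustrative, not real client output).
TAIL = 'component="DataTransferService" context="" type="2" thread="4312" file="sample:0">'
SAMPLE_LOG = "\n".join([
    '<![LOG[constructed: job started]LOG]!><time="09:14:02.118-120" date="07-19-2022" ' + TAIL,
    '<![LOG[constructed: transient error 0x80200024]LOG]!><time="10:02:41.530-120" date="07-21-2022" ' + TAIL,
    '<![LOG[constructed: job completed]LOG]!><time="10:05:00.001-120" date="07-21-2022" ' + TAIL,
    '<![LOG[constructed: transient error 0x80200024]LOG]!><time="07:19:03.250-120" date="08-03-2022" ' + TAIL,
    '<![LOG[constructed: transient error\n0x80200024 on retry]LOG]!><time="07:21:47.900-120" date="08-03-2022" ' + TAIL,
])

if __name__ == "__main__":
    first, per_day = error_timeline(SAMPLE_LOG)
    print("first seen:", first)
    for day, count in per_day.items():
        print(day, count)
```

To run it against a real client, read the log file's text and pass it to `error_timeline` in place of `SAMPLE_LOG`.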