OSD and Co-Management - can't deploy any software through SCCM client after OSD

Occasional Contributor

Hi Guys

 

I am struggling with problem with Co-Management and newly imaged (SCCM OSD) computers. Simply SCCM Client shows that device is co-managed, shows information about MP etc. but it seems to be broken - it has some tabs missing and only two actions available to trigger.

 

In Intune I see:

 

Configuration Manager agent state
Could not connect
Details
The Configuration Manager client is currently unable to reach the Configuration Manager management point. Make sure the client can communicate with the server. For more information on client communication issues, see the CcmMessaging.log, LocationServices.log, or ClientLocation.log files on the Configuration Manager client.
 
however I don't see anything special on these logs.
 
Also there is no problem with already existed devices - almost all are co-managed and SCCM Client working without any issues.
 
All devices are Hybrid-Joined.
 
Am I missing something in Client Configuration during OSD Task Sequence?
 
Really appreciate for any help and/or suggestions.
 
Best regards
Damian
9 Replies
Hello,
Looks like your client failed to register to MP.
Can you post/show the comanagementhandler.log & your ccmsetup.log ?

Mathieu

@maleroyfr 

 

Hi Mathieu

 

I attached log files.

 

Thanks!

Hello,

Are you on CB2103 or later ?
I guess you tried to restart the SMS Agent ?
What is happening if you trigger a machine policy cycle ?
You mention Hybrid Azure AD join, can you confirm that the device is correctly enrolled with the command dsregcmd /Status ?
Any issues logged in policyagent.log ?

@maleroyfr 

 

Hi,

we use CM2006.

I restarted SMS Agent a couple of times, I also re-built affected machines and built another one and the issue is still present.

Machine policy cycle triggers Host Process for OMA-DM Client process mostly and some actions from Host Process for Conf Manager (but it is minor activity)

Here output from dsregcmd:

 

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES

 

I am not sure if anything else is necessary however output for older and working machine is the same.

I put a policyagent log - no error but some warnings - not sure if relevant.

Regards
Damian

I also checked health of MP - no issues

And I am able to see content of:

http://<ServerName.FQDN>/sms_mp/.sms_aut?mplist
http://<ServerName.FQDN>/sms_mp/.sms_aut?mpcert
http://<ServerName.FQDN>/sms_mp/.sms_aut?MPKEYINFORMATION
Hello,

I strongly suggest you upgrade your hierarchy to 2103 at minimum as your version is no longer supported.

Mathieu

Hi Mathieu

I know - we are in the middle of planning an update however in our env it will takes some time.

However I made some progress in troubleshooting. It seems that this problem affects only these computers that work in Intranet and try to pull policy from on-premise MP. I look on datatransfering log and there are a lot of transient errors (0x80200024) when client tries to download policies/content. Problem doesn't occurs on devices connected to VPN - they have been switched to use internet-based (CMG) MP. I double checked boundaries and they look ok - they have not been changed for a long time. Our network team look into Palo Alto FW logs to check packets drops.

I am wondering if enabling of co-management could triggers this issue? We have done this a two weeks ago. However I am not sure when these transient errors started as I just returned from holidays.

Regards
Damian

Hello Damian !

If you enroll Windows devices to Microsoft Intune for co-management, make sure those devices can access the endpoints required by Intune. Please check https://docs.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints

For 0x80200024 and Palo Alto FW, please check http://blog.configmatt.com/2020/04/configuration-manager-policy-and.html

Regards,
Mathieu

@maleroyfr 

 

Hi Mathieu,

 

I found this thread related to PaloAlto and that gave me a good directions for further troubleshooting.

 

I found another thread in Palo Alto KB that suggests to enable HTTP Partial Response on FW. Our network team done that for one subnet and it seems that was a solution. I will test it deeper on Monday and let network team know to enable this for all affected subnets.

 

Thank you for help Mathieu! Have a great weekend.

 

Regards

Damian