SCCM
74 Topics

Access collections information locally
Is there a way, through WMI or the Microsoft.SMS.Client COM object, to access information from the computer about whether it is in a collection (cached information or otherwise)? I'm not sure if a computer gathers that information somewhere. I can't access that information on the site server or through the AdminService, as the account running the commands would be the SYSTEM account. My goal is to query whether a computer is in a collection and install a piece of software through a task sequence.

(20 views, 0 likes, 0 comments)
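One way to get collection-scoped information to the client without any rights on the SMS Provider or AdminService is a collection variable: a variable defined on the collection's Properties > Collection Variables tab is handed to every member's task sequence environment, so a step inside the task sequence can read it locally. The script below is an added example for the question above, not code from the thread; the variable name InstallFooApp and the downstream variable DoInstallFooApp are hypothetical names chosen for illustration.

```powershell
# Added example (not from the thread). Run as a "Run PowerShell Script" step
# inside the task sequence, after the ConfigMgr client is installed.
# Assumption: the collection whose membership you care about carries a
# collection variable named InstallFooApp (hypothetical) with value "True".
# Only members of that collection receive the variable, so its presence in
# the TS environment is the local signal for membership.

param(
    [string]$VariableName = 'InstallFooApp'
)

try {
    # Microsoft.SMS.TSEnvironment is the task sequence COM object; it only
    # exists while a task sequence is running on the device.
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
} catch {
    Write-Error "Not running inside a task sequence: $($_.Exception.Message)"
    exit 2
}

# GetVariables() returns the names of every variable the TS currently holds,
# built-in ones plus any collection, device and runtime variables.
$present = $tsenv.GetVariables() -contains $VariableName
$value   = if ($present) { $tsenv.Value($VariableName) } else { $null }

if ($present -and $value -eq 'True') {
    # Publish a second variable so a later "Install Application" step (or a
    # whole group) can carry the condition "Task Sequence Variable
    # DoInstallFooApp equals True" without re-running this script.
    $tsenv.Value('DoInstallFooApp') = 'True'
    Write-Output "Collection variable '$VariableName' = '$value': install step will run"
} else {
    $tsenv.Value('DoInstallFooApp') = 'False'
    Write-Output "Collection variable '$VariableName' absent or not 'True': install step will be skipped"
}

# Always exit 0: the decision is carried in DoInstallFooApp, not in the
# step's exit code, so the task sequence does not fail on non-members.
exit 0
```

The script is not strictly necessary: the Install Application step's own Options tab can test the collection variable directly with a "Task Sequence Variable" condition. The script version is useful when you want to log the decision in smsts.log or combine it with other checks. Two caveats: a device that sits in several collections carrying the same variable name gets whichever value wins by collection variable priority, and variables are resolved when the task sequence starts, so a membership change during the run is not seen.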
MECM OSD TS Application Installations fail randomly to download content.

We are experiencing a persistent and well-documented issue with MECM OSD Task Sequences where Applications randomly fail to install after the MECM client has been installed. This behavior seems to affect many environments and has been an ongoing problem for years, yet a definitive solution remains elusive.

In our case, we have over 30 Applications included in the OSD Task Sequence. Despite implementing all commonly recommended mitigations, such as inserting an additional restart after the MECM client installation and including a two-minute delay before the Application install task group begins, we still encounter random failures. The issue is not limited to any specific Application; it can be any one of the 30+ Apps, and the failure to download appears to occur entirely at random. Occasionally, most of the Applications install successfully, and only one will fail, which subsequently causes the entire Task Sequence to fail with the same error. Importantly, all of these Applications install without any issues post-OSD, further confirming that the problem lies not with the Applications themselves but with the process during the Task Sequence. The randomness of which App fails also suggests an underlying process, feature, or timing issue, not an App configuration problem.

We have thoroughly validated all related infrastructure settings:
Boundaries and boundary groups have been triple-checked. No boundary is assigned to multiple groups.
Site system assignments are correct.
We are using PKI certificates and HTTPS, and the client authentication certificate is present on the device at the time of failure.
The issue has been replicated across both Windows 10 and Windows 11, ruling out any specific cumulative updates or OS version anomalies.
No additional language packs are being installed; only language fallback is applied via the "Apply Windows Settings" step.

One suspicious observation is the lack of any reference to our local Distribution Point in the LocationServices or CAS logs during failure events. Initially, this pointed to a possible boundary misconfiguration, but after multiple checks, no issues have been identified.

Unfortunately, we are unable to use the common workaround of converting Applications to Packages, due to internal policies and deployment requirements. Therefore, we need to resolve this while continuing to use Applications in the Task Sequence.

Given the number of years this issue has persisted across customer environments, it's surprising there isn't more formal guidance or documentation available to help isolate the root cause. If anyone has encountered a similar scenario or has any advanced troubleshooting tips, we would greatly appreciate your insight.

(56 views, 0 likes, 0 comments)
Software Center Restart Loop

Hi, I have two devices that are stuck in a reboot loop. The computer restarts, then the restart countdown starts again, over and over. The computers are running the latest Windows 11 build and they have the latest CM client (5.00.9132.1011). I have done the normal troubleshooting process: CM client repair, uninstalling the CM client and deleting the CCM and CCMSetup folders, then reinstalling the client, and running update evaluation from the CM console and from the client. The only solution I am left with is reinstalling the whole system, but that is something I would only do if there is no other way out. Any input is appreciated.

(65 views, 0 likes, 0 comments)
Installations via Intune failing but work from SCCM

We have pretty much completed our migration from using SCCM to Intune (IT). However, we are encountering a few apps which hang at certain points during the installation. These have worked 100% flawlessly through SCCM and indeed, if we revive the SCCM deployment, we can install via that route. I strongly suspect that IT is handling output (STDOUT?) differently than SCCM does, wherein the installer is trying to display a screen but cannot and so just hangs indefinitely. Aside from the above return-to-using-SCCM workaround, we have occasionally resorted to repackaging the offending installer, but this obviously introduces a delay in getting apps deployed to our user base. Is there some flag we can set when adding apps to IT that we're somehow not seeing, or some other configuration we can set, maybe at the client level, to bypass this behaviour? If you feel like experimenting, grab the Innorix Agent installer, which is one that's causing us grief presently.

(142 views, 0 likes, 0 comments)
Windows Defender AntiVirus with Intune

Hello, Windows Defender antivirus is enabled with an Intune (co-managed deployment) antivirus policy. Our organization normally had Symantec and did not use Defender. However, the below is showing in Virus and Threat Protection.

Basic settings are used in the policy:
Allow Archive Scanning: Allowed. Scans the archive files.
Allow Behavior Monitoring: Allowed. Turns on real-time behavior monitoring.
Allow Cloud Protection: Allowed. Turns on Cloud Protection.
Allow Email Scanning: Not allowed. Turns off email scanning.
Allow Full Scan On Mapped Network Drives: Not allowed. Disables scanning on mapped network drives.
Allow Full Scan Removable Drive Scanning: Allowed. Scans removable drives.
Allow scanning of all downloaded files and attachments: Allowed.
Allow Realtime Monitoring: Allowed. Turns on and runs the real-time monitoring service.
Allow Scanning Network Files: Not allowed. Turns off scanning of network files.
Allow Script Scanning: Allowed.
Allow User UI Access: Allowed. Lets users access the UI.
Avg CPU Load Factor: 50
Check For Signatures Before Running Scan: Enabled
Cloud Block Level: High
Cloud Extended Timeout: 50
Days To Retain Cleaned Malware: 0
Disable Catchup Full Scan: Disabled
Disable Catchup Quick Scan: Disabled
Enable Low CPU Priority: Disabled
Enable Network Protection: Enabled (block mode)
PUA Protection: PUA Protection on. Detected items are blocked. They will show in history along with other threats.
Real Time Scan Direction: Monitor all files (bi-directional).
Scan Parameter: Quick scan
Schedule Quick Scan Time: 720
Schedule Scan Day: Monday
Signature Update Interval: 4
Submit Samples Consent: Send safe samples automatically.

(1K views, 0 likes, 5 comments)
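The quickest way to tell whether what Virus and Threat Protection displays reflects the Intune policy, or whether another product still owns the machine, is to read the effective Defender state on the device and compare it with the policy values listed above. The script below is an added example for this thread, not code from the post; the mapping from each Intune setting name to a Get-MpPreference property and expected value was done by hand and is my assumption, so verify it against the Defender CSP documentation for your tenant.

```powershell
# Added example (not from the thread). Run elevated on the co-managed device.
# Compares the effective Defender configuration (Get-MpPreference) with the
# policy values quoted in the post. The Intune-name -> property mapping and
# the numeric encodings below are assumptions taken from the Defender CSP
# and the Defender PowerShell module's documented enumerations.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Who owns antimalware on this box. When a third-party AV such as Symantec
# is registered in Windows Security Center, Defender runs in passive mode
# (or is disabled) and most of the policy below is not enforced until that
# product is removed.
"AMRunningMode             : $($status.AMRunningMode)"
"AntivirusEnabled          : $($status.AntivirusEnabled)"
"RealTimeProtectionEnabled : $($status.RealTimeProtectionEnabled)"

# Intune setting (as listed in the post) => Get-MpPreference property, expected value
$expected = [ordered]@{
    'Allow Archive Scanning'                   = @{ Prop='DisableArchiveScanning';                       Want=$false }
    'Allow Behavior Monitoring'                = @{ Prop='DisableBehaviorMonitoring';                    Want=$false }
    'Allow Cloud Protection'                   = @{ Prop='MAPSReporting';                                Want={ $args[0] -ne 0 } }  # 0 = off
    'Allow Email Scanning'                     = @{ Prop='DisableEmailScanning';                         Want=$true  }
    'Allow Full Scan On Mapped Network Drives' = @{ Prop='DisableScanningMappedNetworkDrivesForFullScan'; Want=$true }
    'Allow Full Scan Removable Drive Scanning' = @{ Prop='DisableRemovableDriveScanning';                Want=$false }
    'Allow scanning of downloaded files'       = @{ Prop='DisableIOAVProtection';                        Want=$false }
    'Allow Realtime Monitoring'                = @{ Prop='DisableRealtimeMonitoring';                    Want=$false }
    'Allow Scanning Network Files'             = @{ Prop='DisableScanningNetworkFiles';                  Want=$true  }
    'Allow Script Scanning'                    = @{ Prop='DisableScriptScanning';                        Want=$false }
    'Allow User UI Access'                     = @{ Prop='UILockdown';                                   Want=$false }
    'Avg CPU Load Factor'                      = @{ Prop='ScanAvgCPULoadFactor';                         Want=50     }
    'Check For Signatures Before Running Scan' = @{ Prop='CheckForSignaturesBeforeRunningScan';          Want=$true  }
    'Cloud Block Level (High)'                 = @{ Prop='CloudBlockLevel';                              Want=2      }  # 0 default, 1 moderate, 2 high
    'Cloud Extended Timeout'                   = @{ Prop='CloudExtendedTimeout';                         Want=50     }
    'Days To Retain Cleaned Malware'           = @{ Prop='QuarantinePurgeItemsAfterDelay';               Want=0      }
    'Disable Catchup Full Scan (Disabled)'     = @{ Prop='DisableCatchupFullScan';                       Want=$false }
    'Disable Catchup Quick Scan (Disabled)'    = @{ Prop='DisableCatchupQuickScan';                      Want=$false }
    'Enable Low CPU Priority (Disabled)'       = @{ Prop='EnableLowCpuPriority';                         Want=$false }
    'Enable Network Protection (block)'        = @{ Prop='EnableNetworkProtection';                      Want=1      }  # 0 off, 1 block, 2 audit
    'PUA Protection (block)'                   = @{ Prop='PUAProtection';                                Want=1      }  # 0 off, 1 block, 2 audit
    'Real Time Scan Direction (both)'          = @{ Prop='RealTimeScanDirection';                        Want=0      }
    'Scan Parameter (quick)'                   = @{ Prop='ScanParameters';                               Want=1      }  # 1 quick, 2 full
    'Schedule Quick Scan Time (720 min)'       = @{ Prop='ScanScheduleQuickScanTime';                    Want={ $args[0].TotalMinutes -eq 720 } }
    'Schedule Scan Day (Monday)'               = @{ Prop='ScanScheduleDay';                              Want=2      }  # 0 every day, 1 Sunday, 2 Monday ...
    'Signature Update Interval (hours)'        = @{ Prop='SignatureUpdateInterval';                      Want=4      }
    'Submit Samples Consent (safe samples)'    = @{ Prop='SubmitSamplesConsent';                         Want=1      }  # 1 = send safe samples automatically
}

$report = @(foreach ($name in $expected.Keys) {
    $prop   = $expected[$name].Prop
    $want   = $expected[$name].Want
    $actual = $pref.$prop
    # A scriptblock expectation gets the actual value as $args[0]; anything
    # else is compared as text so $true/"True" and 50/"50" line up.
    $ok = if ($want -is [scriptblock]) { & $want $actual } else { "$actual" -eq "$want" }
    [pscustomobject]@{ Setting=$name; Property=$prop; Actual=$actual; Expected=$want; OK=[bool]$ok }
})

$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.OK })
"{0} of {1} settings match the policy" -f ($report.Count - $bad.Count), $report.Count
```

Read AMRunningMode first: "Passive Mode" or a disabled engine explains a Virus and Threat Protection page that does not look like the policy, regardless of what the rows below report. Values that differ from policy while the engine is in "Normal" mode point at a policy that has not reached the device (check the Intune device's policy report) or at a local Set-MpPreference/GPO value winning over it.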
HAADJ with Intune Co-Management

Hello,
- I have an HAADJ tenant with Intune Co-Management.
- AD Connect syncs devices only and not users to Entra (as users are third-party provisioned and federated).
- Devices appear in Azure, then are added to a group for Intune policy enrollment. Enrollment is done via GPO.
- They get enrolled in Intune using Co-management with SCCM, Auto MDM enrollment with device credentials, and appear in Intune as co-managed.
- BitLocker is applied via Intune on the devices to encrypt fixed data drives and operating system drives. A GPO is applied to avoid backing up the recovery key in AD, as explained here: https://www.burgerhout.org/the-bitlocker-haadj-nightmare/

Question(s):
1. For testing, we encrypt and remove Symantec Drive Encryption. A restart is done during removal, then the recovery key screen appears and the key is requested to access the device. On the second restart after uninstall, the key is not requested.
2. After testing, the recovery key is stored in Intune but not stored in the below location: https://myaccount.microsoft.com/ -> Devices -> Manage Devices -> Select devices -> View BitLocker Keys (it appears only in the test environment where enrollment is done via user credentials as opposed to device credentials).
3. Devices in Azure under the following URL, Devices - Microsoft Entra admin center, show an owner when the device is first moved with AD sync; however, later on the owner is removed and the behavior is very random. However, in Intune, devices show a Primary user logged in as long as someone is logged in to Office, which is fine and acceptable. So what could be the reason for the issue in Azure/Entra?

(787 views, 0 likes, 2 comments)
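Before reasoning about where the recovery key should show up, it is worth confirming on the device itself which protectors exist and whether the escrow to the Entra device object actually succeeded, since a missing RecoveryPassword protector or a failed backup looks the same from the portals as a key that landed somewhere else. The script below is an added example for this thread, not code from the post or from the linked article; it assumes an elevated session on a hybrid-joined device and uses the BitLocker PowerShell module and the BitLocker Management event channel.

```powershell
# Added example (not from the thread). Run elevated on a hybrid-joined device.
# 1) List the key protectors per BitLocker volume and escrow every numeric
#    recovery password to the Microsoft Entra device object.
# 2) Confirm from the BitLocker Management event log instead of trusting
#    the cmdlet's return: event 845 = backup to Entra (Azure AD) succeeded,
#    event 846 = backup failed.

$escrow = @(foreach ($vol in Get-BitLockerVolume) {
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    if ($recovery.Count -eq 0) {
        # Nothing to escrow. A TPM-only volume with no recovery password
        # cannot be unlocked from any portal if the TPM measurements change.
        [pscustomobject]@{
            MountPoint = $vol.MountPoint; Protection = $vol.ProtectionStatus
            KeyProtectorId = $null;        Result = 'no RecoveryPassword protector'
        }
        continue
    }

    foreach ($kp in $recovery) {
        try {
            # On a hybrid-joined device this writes to the Entra device object,
            # not to the on-premises AD computer object.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            $result = 'escrow requested'
        } catch {
            $result = "escrow failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            MountPoint = $vol.MountPoint; Protection = $vol.ProtectionStatus
            KeyProtectorId = $kp.KeyProtectorId; Result = $result
        }
    }
})
$escrow | Format-Table -AutoSize

# Verification: events written by BitLocker for the escrow in the last 10 minutes.
$filter = @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = (Get-Date).AddMinutes(-10)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Pair the event check with dsregcmd /status: a device that reports AzureAdJoined: YES but has no valid device certificate (or whose Entra object has been re-created by a re-sync) will log 846 and keep the key local. Whether a key that did escrow is then visible to a user on myaccount.microsoft.com is a separate question of who is recorded as the device's owner or registered user, which is also what the third question above is about.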
SCCM / MECM Metering - Could not get a SQL connection to database

I have an SCCM infrastructure with a Site Server and a separate database server. I am running the .\runmetersumm.exe CM_XX0 tool (I filled in XX0 with the name of my database) on the database server, but I am getting the error: Could not get a SQL connection to database: CM_XX0. I am not able to see any errors in the swmproc.log, sinvproc.log, and smsdbmon.log logs. Can you please help me?

(962 views, 0 likes, 1 comment)
Windows Servers AAD Hybrid Joined and SCCM ConfigMgr Co-Management MDM Auto-Enrollment

I have doubts about some configurations. Basically, we have:
- SCCM installation with co-management performed via the cloud-attach wizard
- Intune pilot group device collection configured
- default client settings policy allows device registration in Azure AD
- Azure AD Connect configured for hybrid join
- MDM user scope configured to All in Azure AD
- MAM user scope configured to None
- users can register devices in Azure AD (Users may join devices to Azure AD)
- Business Premium licenses
- usage location configured on the Azure AD synced user
- no conditional access or MFA configured

The situation is that both clients and servers are synchronized in Azure AD and are seen with join type "hybrid azure ad joined". In Azure AD the clients have "microsoft configuration manager" as MDM, and the same clients then show "co-managed" in the "managed by" column in Intune. Servers, on the other hand (Windows 2016), are not automatically enrolled in Intune and I don't understand why; they are hybrid Azure AD joined in Azure AD as devices.

Another unclear thing: do I have to create the GPO for automatic enrollment in Active Directory (enable automatic MDM enrollment using default Azure AD credentials)? At the moment it is created and linked to the OU containing the servers and set to "device credential" (I read in the documentation that with SCCM or Azure Virtual Desktop it is supported); even if I set it to "user credential" it still doesn't work. With the GPO applied the scheduled task is created, but in the events I get the following error:

Auto MDM Enroll: Device Credential (0x1), Failed (Unknown Win32 Error code: 0x8018001c)

By doing a dsregcmd /status on the machine everything seems OK. I don't understand what the best practices are regarding this GPO, and where I am going wrong.

(2.6K views, 0 likes, 2 comments)
SCCM / MEMCM support CAU "Cluster Aware Updating" Feature of Failover Cluster Feature

Please build a plugin for the CAU tool to work with the SCCM agent, to install the updates from the SCCM agent's UpdateDeploymentAgent. In the CAU tool there are only a WindowsUpdateAgent and a Hotfix plugin; these plugins don't support SCCM. I need a solution to make CAU and SCCM work together.

(Solved; 3.6K views, 0 likes, 3 comments)