Existing required application deployments policy is not sent to devices
I have couple hundred applications in SCCM/MCM that are set to required and whenever there is a new device is built, all these required applications automatically get installed. I am on 2503 and 5 days ago i started seeing this issue. But if modify that deployment with current date and time then the application gets deployed right away if i run Application Deployment evaluation cycle. I also tested by deleting the existing deployment and created a new required deployment and run Application Deployment evaluation cycle then the application installs right away. The problem seems like the Primary server is not sending the policy to the client for existing deployments. The application compliance that we see for every deployment under Monitoring for all the devices moved to Error with Success. Not sure why this is happening. All these changes i noticed in the last one week. A week ago all these Already Compliant and Success status device count is under Success tab. Let me know if you have any suggestions.
Can't find and delete an antivirus exclusion made in MECM.
In the Microsoft Endpoint Configuration Manager current brunch I've added some of the detected malware to exclusions list via right-click in the section "Monitoring-Security-Endpoint protection status - Malware detected" and "Allow this threat". They were excluded for all the computers in a collection. How and where to find this exclusions and delete them? They are appeared on the client computers but not in the MECM Antimalware policies.
Using REST API to get / set device variables
Hi, I'm trying to set a couple of variables against a machine name, through using the REST API. These are the variables that are set that you can see in the console if you right click properties on a device and go to the 'Variables' tab. These are handy because they can later be referenced during Task Sequences / OSD. I just can't figure out how to do it with the REST API. I have no issues doing it with the powershell module using the 'New-CMDeviceVariable' command, but my solution i'm building at the moment requires the solution to be done with rest api, not with ps modules... I can connect to REST API using powershell using commands such as the below. This all works fine. $ConfigMgrServerURL = "https://SCCMserver.domain.local" $MachineName = "MachineName1" # Following command is a sample GET request, which works. (Invoke-RestMethod -Method Get -Uri "$ConfigMgrServerURL/AdminService/wmi/SMS_R_System?`$filter=Name eq '$MachineName'" -Credential $Credential) #I can also fetch "Custom Properties" via this command (Invoke-RestMethod -Method Get -Uri "$ConfigMgrServerURL/AdminService/v1.0/Device($ResourceID)/AdminService.GetExtensionData" -Credential $Credential) Now i just can't see where i can go to set a variable on the machine. Does anyone have any ideas ? Thanks!
Win11 24H2 slow to restart TS task execution following reboot task in bare metal OS deployment
When comparing OS deployment bare metal task sequence times between Windows 11 24H2 and Windows 10 22H2 I could see that 24H2 was considerably slower even though the task sequences were almost identical other than the OS being laid down on the device. I did a timing comparison and noticed two things in particularly that were taking considerably longer on the 24H2 device: 1) reboot tasks 2) time to finish up the task sequence work after the last step. For reboot tasks, I can see that the delay is between these two events in the SMSTS.log log: Waiting for policy to be compiled in 'root\ccm\policy\machine' namespace and Policy verification done within the OSDSetupHook component. On the Windows 10 device the time between those log entries was 1 second, but on Windows 11 24H2 those log entries vary, but it's usually around 2 minutes. At the end of the task sequence, after executing the last task, following The task execution engine successfully completed the current task sequence step smsts.log entry to when the smsts.log stops being written to, it takes 14 seconds for the Windows 10 device, but it takes 4:29 seconds for the Windows 11 device. The delays are similar, between these two events in SMSTS.log (see attached screen shot): End Task Sequence policy cleanup and Policy evaluation initiated within the TSManager component. Any reason policy work should take considerably longer on Win11 24H2? Any suggestions on where I can look to see as to why it's taking such a longer time to deal with policy work in 24H2? Is this a Win11 24H2 issue, a ConfigMan issue, or ConfigMan configuration issue? I am welcome to entertain any thoughts or suggestions folks have. Anyone else seeing this issue in their environment? Environment details: CM 2503 (5.0.9135.1000) without KB33177653 or KB34503790 installed. Windows 11 = 24H2 customized reference image built from August 2025 ISO. ADK = 21H2 (10.1.22000.1).
Windows/Defender Updates not deployed to SCCM server (all clients work fine!)
After battling for a few weeks with this it finally occurred to me to reach out for help, and I found this forum. So here goes… I have a relatively small environment with Windows Updates managed by SCCM. Currently, all clients are receiving updates as expected, the only client that isn’t is the Windows Server that’s hosting SCCM itself. Should I be configuring the winhttp proxy settings on that one server to point to our proxy (I have tried it and it didn’t seem to make a difference)? Without the winhttp proxy set, when I check the Windows update log, it seems to be trying the automatic proxy settings and quite rightly failing. It runs out of options and tries the user proxy as a last resort. I have checked that I can reach the URL configured in the Windows Update settings in Group Policy from the SCCM server and it works fine. Is there something I need to do differently with the SCCM server versus all the other clients? The SCCM client is installed on the SCCM server and is reporting healthy status with expected policies applied like all other managed clients in the estate. The SCCM server is in the same boundary as other servers that are receiving updates. SCCM 2503 running on Windows Server 2019. WSUS is running on the same server. The Software Update Point is configured with proxy settings. Thanks in advance!!Re-Join SCCM Client to Intune for Co-Managed join Type
Hello, I have been using SCCM for a long time, I have it is setup for Co-management, and all my workloads are moved over to Intune. I have a few clients that for one reason or other have not been added to Intune. I can get them onboarded, but the join type always ends up Intune. I am trying to find out the correct recipe to reenroll an SCCM client to Intune. I have tried uninstalling the SCCM client and reinstalling. I have tried removing registry keys for Intune to ensure it joins again. I have used DSREGCMD to leave and join back. I have completely removed from Domain and deleted from Intune. I have tried combinations of all of these things together. I have yet to come up with a specific order to do them in. I still think there is some remnant that is preventing a rejoin. Does anyone have details that help me to get systems to rejoin via SCCM? Some may say what is the difference. The difference is there are tools that are not present if the Join type is incorrect. Best regards and thanks.
How to determine what a Package ID is associated with
We have hundreds of packages, applications, software update packages, driver packages, OS images, etc. There are times I only have a package ID and I need to determine what it is. A royal pain to manually search each one of those categories in the console. Anyone have a Powershell script to find what the package ID is associated with?
Migrate from SCCM 2012 R2 SP1 to Current Branch
Hey folks I am planning to migrate my System Center 2012 R2 Configuration Manager SP1 to the most recent Current Branch of System Center 2025, because the old version is still running on an old windows server version and we need to upgrade to a new windows Server 2025 and also the most recent current branch of configuration manager. Now the documentation for upgrading Configuration Manager https://learn.microsoft.com/en-us/intune/configmgr/core/servers/deploy/install/upgrade-to-configuration-manager states, that upgrading from 2012 is only supported until Current Branch 2203; from 2303 on, you can't do the upgrade anymore. But since this "Important-Warning" message isn't shown on the migration article for Configuration Manager https://learn.microsoft.com/en-us/intune/configmgr/core/migration/migrate-data-between-hierarchies I am wondering if this only applies to upgrading configuration Manager on the same host? Or does it also apply to the scenario where I do a side by side migration (Install latest windows server on a new VM, install latest Current Branch of Configuration Manager and then do a migration via data gathering and migration job). You would help me a lot, because I can't find official info about it and I am very concerned about not being able to do the migration from 2012 to Current Branch 2503.. :( So if it also applies to migration; I can still do migration to 2203 as described in the "migration" article with the video https://www.youtube.com/watch?v=6_0EwW-5b4E and then do an inplace upgrade from 2203 to 2503?Access collections information locally
Is there a way through WMI/Microsoft.SMS.Client comobject to access information from the computer if is in a collection (cached information or otherwise)? I'm not sure if a computer gathers that information somewhere. I can't access that information on the site server or through the AdminService as the account running the commands would be the SYSTEM account. My goal is query if a computer is in a collection and install a piece of software through a task sequence.
