co-management
- Configuration Manager technical preview version 2411

Operating system support added for Windows 11 24H2 and Windows Server 2025
With this version of Configuration Manager, support is added for Windows 11 24H2 and Windows Server 2025:
  - Windows 11 24H2 and Windows Server 2025 are added to the Product Lifecycle dashboard and to the supported platforms.
  - Client support is added for Windows 11 24H2 and Windows Server 2025.
  - Boot image creation on Windows Server 2025 now supports the latest Windows ADK.
  - The Windows upgrade readiness dashboard now supports Windows 11 24H2 for upgrading clients.
Note: Windows Server and Windows 11 24H2 do not support Firewall Rules. This results in a non-compliant status in the Configuration Manager applet.

Enhanced security for CMG
CMG setup now uses managed identities and a third-party server app to interact with the CMG's Azure storage account instead of storage account keys, so storage account key access is disabled for new CMG setups. For sessions upgrading from earlier versions to 2405 TP, the 'CMG enhanced security' button is shown as enabled. When the enhanced security option is selected, the VMSS OS auto-upgrade feature is also activated. An extra panel appears prompting the admin to provide maintenance window details; Azure uses this information to schedule upgrades whenever new OS images become available.

CMG Entra application secret renewal
The 'Renew Secret Key' feature now opens a dialog with four options for the validity period. This update also prevents applications older than 800 days (approximately two years) from renewing their secret keys. The same options are available when creating a new app. Note: The admin must sign in using tenant global administrator credentials and then click the renew button.

SQL Server 2012 and 2014 support is deprecated
Starting with this version, Configuration Manager no longer supports SQL Server 2012 and 2014. Upgrade to the latest SQL Server version, or at least SQL Server 2016. If you don't upgrade, Configuration Manager upgrades are blocked and you see an error during the prerequisite check.

Software metering support on Arm64 devices
Configuration Manager now supports software metering for Arm64 devices. Software metering is used to monitor Windows desktop apps with a filename ending in .exe. For more information, see Software metering in Configuration Manager.

Update 2411 for the Technical Preview Branch is available in the Microsoft Configuration Manager Technical Preview console. For new installations, the 2411 baseline version of the Microsoft Configuration Manager Technical Preview Branch is available from the link CM2411TP-Baseline or from the Eval Center. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available.

We would love to hear your thoughts about the latest Technical Preview! Send us feedback directly from the console.

Thanks,
The Configuration Manager team

Configuration Manager resources:
  - Documentation for Configuration Manager Technical Previews
  - Try the Configuration Manager Technical Preview Branch
  - Documentation for Configuration Manager
  - Configuration Manager Forums
  - Configuration Manager Support
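As an added example (not code from the Configuration Manager team or from this post), the following PowerShell checks the enhanced-security claim above on a real tenant: it audits the storage accounts behind a CMG and reports any that still accept storage account keys, using the Az.Storage `AllowSharedKeyAccess` property. The resource group name `rg-cmg-example` and the three sample account objects are assumptions constructed for illustration.

```powershell
# Added example, not part of the original post. The live path assumes the Az.Accounts and
# Az.Storage modules and a signed-in context (Connect-AzAccount); the sample objects are constructed.

function Test-SharedKeyAccessDisabled {
    # Returns one result per storage account. Only an explicit $false counts as compliant:
    # a $null AllowSharedKeyAccess means the property was never set, which Azure treats as enabled.
    param(
        [Parameter(Mandatory)] [object[]] $StorageAccounts
    )
    foreach ($sa in $StorageAccounts) {
        $allow = $sa.AllowSharedKeyAccess
        [pscustomobject]@{
            StorageAccountName   = $sa.StorageAccountName
            AllowSharedKeyAccess = $allow
            Compliant            = ($allow -eq $false)
        }
    }
}

function Get-CmgStorageAccountAudit {
    # Live path: enumerate the resource group that holds the CMG deployment (name is an assumption)
    # and return only the accounts that still allow shared-key access.
    param([string] $ResourceGroupName = 'rg-cmg-example')
    $accounts = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName
    Test-SharedKeyAccessDisabled -StorageAccounts $accounts |
        Where-Object { -not $_.Compliant }
}

# Offline check with constructed objects shaped like the relevant PSStorageAccount properties.
$sample = @(
    [pscustomobject]@{ StorageAccountName = 'cmgnewsetup01'; AllowSharedKeyAccess = $false }  # enhanced security: keys disabled
    [pscustomobject]@{ StorageAccountName = 'cmglegacy01';   AllowSharedKeyAccess = $true  }  # upgraded site: keys still on
    [pscustomobject]@{ StorageAccountName = 'cmgunset01';    AllowSharedKeyAccess = $null  }  # never set: effectively enabled
)

Test-SharedKeyAccessDisabled -StorageAccounts $sample | Format-Table -AutoSize
```

Run `Get-CmgStorageAccountAudit` in a signed-in Az session to list the accounts that still accept keys. The remediation is `Set-AzStorageAccount -AllowSharedKeyAccess $false`, but only after the CMG has been switched to the enhanced-security mode described above: a CMG that still authenticates with storage account keys loses access to its storage the moment those keys are disabled.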
- Autopilot, Co-Management and ESP Timeouts (and BITS too)

I'm working with a customer who has been having a great deal of issues with their Autopilot implementation. Basically, the ESP page will time out with one of these two error codes:
  0x800705b4
  0x00000004
This shows as an error to the end user, and is unacceptable. The interesting thing was that, if you left the device for an hour, then hit continue (that option is set in the ESP properties), then everything would have installed correctly, and the device is compliant. So why would the ESP page fail with a timeout way before the 6-hour limit I had set?

The 0x800705b4 Error
The first thing I discovered is that all this is related to co-management and the CM client install. Getting the first timeout, 0x800705b4, I noticed that the following two values were strange:
  HKLM\Software\Microsoft\Windows\Autopilot\EnrollmentStatusTracking\Device\DevicePreparation\PolicyProviders\ConfigMgr
  InstallationState would be 1 (Installing) or 4 (Failed). (It's 1 if the client is still installing; it will switch to 4 if the install fails or the registration fails.)
  InstallDuration would be 1800 (not 1801, nor 598, nor 1799, ALWAYS 1800).
If I looked at the CCMSetup.log file it would show that the installation was successful, and the return code would be 0, as expected. But on looking at the start and end times in the logs, I noticed the install was taking over 40 minutes to complete. In this case it was 27 minutes, but the ESP still failed? This is because the client, although installed, has not registered. I'll go into this more in the 0x00000004 error below. But in this case the combined time of 27 minutes to install and 10 minutes to register took the install time over 1800 seconds, and so it failed with the 0x800705b4 error. If the combined times (say 500 for the install and 600 for the registration, which comes to 1100) are less than 1800, but the registration fails 6 times, taking 10 minutes, then we get the 0x00000004 error.

On further investigation of this log, I found that I would occasionally get a "BG Error Context is 5" notification, and that the download of the client would be divided into multiple 5-minute segments, with each segment downloading only around 28MB. Which meant the net time to download the binaries would be 40 minutes or more. Now, given that 1800 seconds = 30 minutes, I realized that the ESP had a second timeout, totally unrelated to the one set in the properties within Intune. Basically, if the CM client did not install within the 30 minutes, the ESP failed, regardless of whether the install was finished or not. So, linking this with the "BG Error Context is 5", I realized that this was a BITS issue. I have no idea why BITS would be throttled during an Autopilot install process, but it was. The solution was to add the following command-line option to the co-management properties: /BITSPriority:FOREGROUND. This effectively removes the limitations on the BITS download, and the entire installation time sank to less than 3 to 10 minutes, depending on Internet bandwidth. This was a great win, and with it, the 0x800705b4 disappeared.

The 0x00000004 Error
Only to be replaced by the 0x00000004 error (I might have the number of 0s wrong here; I'm working from memory). As with the previous error, this was not constant: it would happen, then it wouldn't, then it would again. But it happened enough to be a problem. I looked at the registry again and noticed this:
  InstallationState would be 4 (Failed)
  InstallDuration would be LESS THAN 1800
I kept digging. The answer was found in the ClientIDManagerStartup.log. Once the CM client is installed, the next step is to register it with an MP and get it into the MECM database. As shown by the image below, if it fails, it sleeps 60 seconds and tries again, then another 60, then 120, then another 120, then 240 and finally a final 240 (10 minutes in total), at which point it fails; and if you look at the last line in the diagram, it sets the ConfigMgr install state to 4, which fails the ESP, this time with the 0x00000004 error. As with the previous error, this doesn't mean anything actually broke. It just means it didn't occur within the allowed timeframe (this time 10 minutes). The difference between the two errors is simply that in the first one the combined time to install the CM client and the 10 minutes of sleeps in the ClientIDManagerStartup log exceed 1800, whereas in the second, they do not. The important note is that they both register the 10 minutes of sleeping and fail the ESP. So, if you factor in 10 minutes to install the CM client and another 10 attempting to register, this failure can occur after only 20 minutes, way less than the 3600 minutes set in the ESP.

So why is the client not registering immediately? That is the million-dollar question, and as far as I have got with this issue. I looked at the MPs to see if there was a bottleneck in the outboxes returning the acknowledgment that the client is registered, but couldn't see anything out of the ordinary. Another thing to note is that if you have a Provision TS running, it will kick off immediately after the ClientIDManager fails the ESP. So any apps being delivered via this task sequence will install and the device will complete successfully (other than the ESP error).

Final Thoughts
What is interesting (or frustrating, depending on your viewpoint) is that Autopilot and the ESP really don't actually do anything (except a few things like setting the user install type and making ConfigMgr a 1st app to ensure it takes the MDM authority, and preventing ESP from ending until certain apps are installed). The rest is controlled by Intune or ConfigMgr natively. If you don't assign blocked apps to users or groups, they don't get installed; that's it. Same with policies and profiles etc. But by the same process, if the ESP (and by extension Autopilot) fails, it doesn't mean everything stops installing. It continues installing everything and, provided there are no actual issues, it finishes successfully, which makes it very hard to troubleshoot. The first thing I do when I start troubleshooting is look to see what didn't get installed/applied. In this case everything gets installed. The only error is the ERROR ITSELF. In a perfect world, if I have set the timeout for 6 hours and the CM client takes 5 hours to install, then there should be no error. Same with registering the client. If it takes 2 hours of 'sleeping' to get it registered, who cares? I have 6 hours to play with. Obviously we don't want things to take that long, but we all know that MECM is not the fastest-moving software in the world. Before it was Intune Configuration Manager and Microsoft Endpoint Configuration Manager (MECM) etc., it was known as SMS, which was affectionately renamed Slow Moving Software.
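As an added example (not code from the post above), the following PowerShell reproduces the two checks the author describes: reading the ESP ConfigMgr policy-provider values from the registry path quoted in the post, and measuring how long ccmsetup actually took from the timestamps in CCMSetup.log while counting the "BG Error Context is 5" BITS symptom. The 1800-second budget is the value the post observed; the CMTrace-format log lines inside the script are constructed samples, not a real device's log.

```powershell
# Added example, not code from the original post. Assumes the registry path, value names and the
# 1800-second ESP budget exactly as the post describes them; the log lines below are constructed
# in CMTrace format (<![LOG[msg]LOG]!><time="..." date="..." ...>), not captured from a device.

$EspBudgetSeconds = 1800   # the 30-minute ConfigMgr client install limit the post observed

function Get-EspConfigMgrProviderState {
    # Reads the ESP policy-provider values the post used for diagnosis.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\Autopilot\EnrollmentStatusTracking\Device\DevicePreparation\PolicyProviders\ConfigMgr'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        InstallationState = $p.InstallationState                    # 1 = installing, 4 = failed (per the post)
        InstallDuration   = $p.InstallDuration                      # seconds; 1800 means the cap was hit
        HitEspCap         = ($p.InstallDuration -ge $EspBudgetSeconds)
    }
}

function ConvertFrom-CMTraceLine {
    # Parses one CMTrace line into a timestamp and message; returns nothing for non-matching lines.
    param([Parameter(Mandatory)][string] $Line)
    if ($Line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>\d{2}:\d{2}:\d{2}\.\d{3})[+-]\d+"\s+date="(?<date>\d{2}-\d{2}-\d{4})"') {
        [pscustomobject]@{
            Timestamp = [datetime]::ParseExact("$($Matches.date) $($Matches.time)", 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            Message   = $Matches.msg
        }
    }
}

function Measure-CcmSetupLog {
    # Wall-clock install time from first to last entry, count of the BITS throttling symptom,
    # the ccmsetup return code, and whether the ESP budget was exceeded.
    param([Parameter(Mandatory)][string[]] $Lines)
    $entries = @($Lines | ForEach-Object { ConvertFrom-CMTraceLine -Line $_ } | Where-Object { $_ })
    if ($entries.Count -lt 2) { throw 'Need at least two parseable CMTrace lines.' }
    $seconds = [int]($entries[-1].Timestamp - $entries[0].Timestamp).TotalSeconds
    $rc = if ($entries[-1].Message -match 'return code (\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        InstallSeconds       = $seconds
        BgErrorContext5Count = @($entries | Where-Object { $_.Message -match 'BG Error Context is 5' }).Count
        ReturnCode           = $rc
        OverEspBudget        = ($seconds -gt $EspBudgetSeconds)
    }
}

# Constructed sample: a "successful" install (return code 0) that still took 41 minutes because BITS throttled it.
$sampleLog = @(
    '<![LOG[==========[ ccmsetup started in process 1234 ]==========]LOG]!><time="09:00:00.000+000" date="05-01-2024" component="ccmsetup" context="" type="1" thread="1" file="ccmsetup.cpp:1">'
    '<![LOG[Downloading file ccmsetup.cab]LOG]!><time="09:00:05.000+000" date="05-01-2024" component="ccmsetup" context="" type="1" thread="1" file="ccmsetup.cpp:1">'
    '<![LOG[BG Error Context is 5]LOG]!><time="09:05:05.000+000" date="05-01-2024" component="ccmsetup" context="" type="2" thread="1" file="ccmsetup.cpp:1">'
    '<![LOG[BG Error Context is 5]LOG]!><time="09:10:05.000+000" date="05-01-2024" component="ccmsetup" context="" type="2" thread="1" file="ccmsetup.cpp:1">'
    '<![LOG[CcmSetup is exiting with return code 0]LOG]!><time="09:41:00.000+000" date="05-01-2024" component="ccmsetup" context="" type="1" thread="1" file="ccmsetup.cpp:1">'
)

Measure-CcmSetupLog -Lines $sampleLog | Format-List
# On an affected device, compare with the registry view: Get-EspConfigMgrProviderState
```

On a failed device, feed `Measure-CcmSetupLog` with `Get-Content C:\Windows\ccmsetup\Logs\ccmsetup.log`; an InstallSeconds value over 1800 together with a nonzero BgErrorContext5Count and ReturnCode 0 is the throttled-download pattern the post resolved by adding /BITSPriority:FOREGROUND to the ccmsetup command line in the co-management properties.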
- Windows Servers AAD Hybrid Joined and SCCM ConfigMgr Co-Management MDM Auto-Enrollment

I have doubts about some configurations. Basically, we have:
  - SCCM installation with co-management performed via the cloud attach wizard
  - Intune pilot group device collection configured
  - default client settings policy allows device registration in Azure AD
  - Azure AD Connect configured for hybrid join
  - MDM user scope configured to All in Azure AD
  - MAM user scope configured to None
  - users can register devices in Azure AD (Users may join devices to Azure AD)
  - Business Premium licenses
  - usage location configured on the Azure AD synced user
  - no conditional access or MFA configured

The situation is that both client and server are synchronized in Azure AD and are seen with join type "hybrid azure ad joined". In Azure AD the clients have "Microsoft Configuration Manager" as MDM, and the same clients then show "co-managed" in the Managed by column in Intune. Servers, on the other hand (Windows 2016), are not automatically enrolled in Intune and I don't understand why; they are hybrid Azure AD joined in Azure AD as devices.

Another unclear thing: do I have to create the GPO for automatic enrollment in Active Directory (Enable automatic MDM enrollment using default Azure AD credentials)? At the moment it is created and linked to the OU containing the servers and set as "device credential" (I read in the documentation that with SCCM or Azure Virtual Desktop it is supported); even if I set it to "user credential" it doesn't work anyway. With the GPO applied the scheduled task is created, but in the events I get the following error:
  Auto MDM Enroll: Device Credential (0x1), Failed (Unknown Win32 Error code: 0x8018001c)
By doing a dsregcmd /status on the machine everything seems OK. I don't understand what the best practices are regarding this GPO, and where I am going wrong.
- Cloud Attach Your Future - Part II - "The Big 3"

When the global pandemic started, we were all thrust into the new (and very lightly explored) area of managing devices remotely 100% of the time. Of course, everyone rushed to their VPN solution, only to uncover new obstacles and even more significant challenges which they had never anticipated. As I talk to customers and listen to how their management of the Windows estate has changed, I am always surprised by the lack of the "Big 3":
  - Cloud management gateway (CMG)
  - Tenant attach
  - Co-management
These are the essential features that you need NOW as you continue to modernize and streamline your management solution.
- Update 2303 for Microsoft Configuration Manager current branch is now available.

Microsoft Configuration Manager product branding
Starting with Configuration Manager version 2303, Microsoft Endpoint Configuration Manager is now Microsoft Configuration Manager. Microsoft Configuration Manager is an integrated solution for managing all your devices. Microsoft brings together Configuration Manager and Intune, without a complex migration and with simplified licensing. Continue to use your existing Configuration Manager investments while taking advantage of the power of the Microsoft cloud at your own pace.

Cloud-attached management

Improvements to Cloud Sync (Collections to Azure Active Directory Group Synchronization)
Starting with Configuration Manager version 2303, collection member sync status (Success, In Progress, Failed with the reason for failure) is available in the Collection Cloud Sync dashboard, in the bottom pane, for the chosen collection. Earlier, with Configuration Manager version 2211, the scalability of this feature was improved with better throttling and error handling. Additionally, dedicated dashboards for user collections and device collections were added in the Monitoring workspace to show Cloud Sync status. The dashboard displays the Cloud Sync status per collection with the mapped Azure AD group, total member count, synced member count, status (success, failed, in progress) and last sync details. For more information, see Synchronize collections to Azure Active Directory Group.

Endpoint Security reports in Intune admin center for tenant attached devices
Starting with Configuration Manager version 2303, you can opt in to Endpoint Security reports in the Intune admin center for tenant attached devices. Once you opt in, the Unhealthy endpoints and Active malware operational reports under the Endpoint security node in the Intune admin center will start showing data from tenant attached devices. Also, the Antivirus agent status and Detected malware organizational reports under Microsoft Defender Antivirus in the Reports section will show data from tenant attached devices. For more information, see Tenant attach - Create and deploy Antivirus policies from the admin center.

Site infrastructure

Authorization failure messages in the admin service are now shown in the Status Message Viewer
We have introduced audit messages about authorization failures in the admin service. You can now view request details and status messages. These messages are shown in "All Status Messages" under "Status Message Queries" in the "Monitoring" workspace. Previously these failures were logged only in log files; with the new audit messages, we intend to avoid the inconvenience of log file rollover. Details about the user, the resources access was attempted on, and the number of attempts for all the unauthorized requests made by a user in a day will now be available. We are also auditing read operations for HTTPS requests and for cloud-initiated operations. This helps admins scope the permissions and roles of users while also determining whether there are any malicious users. All unauthorized requests are aggregated for 24 hours before being sent to the Status Message Viewer. For more information, see the Administration Service documentation.

SQL Server 2022 version support added for Configuration Manager
Starting with 2303, support is added for the SQL Server 2022 RTM version. You can use this version of SQL Server for the following sites:
  - A central administration site
  - A primary site
  - A secondary site
The following table identifies the recommended compatibility levels for Configuration Manager site databases:
  SQL Server version | Supported compatibility levels | Recommended level
  SQL Server 2022    | 150, 140, 130, 120, 110        | 150
For more information, see Support for SQL Server versions.

Software updates

Unified Update Platform (UUP) GA release
The Unified Update Platform (UUP) servicing is finally here for all Windows 11, version 22H2 updates delivered via Windows Server Update Services (WSUS) and Configuration Manager! Starting March 28, on-premises Windows 11, version 22H2 devices will receive quality updates via the Unified Update Platform (UUP). For more information, see What's UUP? New update style!. The Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for OS quality and feature updates. It offers improved delivery technologies in response to IT admin requests for more seamless updates, more control over installation time, more battery life and lighter download size.

Note: A one-time 10-GB download to distribution points comes with your first UUP update. UUP is becoming the default and only way to download quality updates. This means that you should plan for an extra 10-GB download to distribution points (not endpoint clients) with the March 28th update. That's a one-time 10-GB download for updates for Windows 11, version 22H2 per architecture (AMD64 and ARM64).

Let's look at the key benefits and version requirements.

Quality updates for Windows 11 22H2 and above
Quality updates with the UUP continue to be cumulative and include all released Windows quality and security fixes. All of these new capabilities are brought to you by UUP on premises! If you are interested in learning more about these improvements, read Faster, Smaller. Windows 11, version 22H2 update fundamentals. UUP on premises unlocks some amazing benefits going forward:
  - Up to 30% smaller client downloads for monthly quality updates
  - Cumulative update integration with feature updates (i.e., get current in one reboot)
  - Seamless retention of installed language packs and optional features on demand (FODs) during feature updates
  - Reduced client downloads for feature updates (i.e., inbox app downloads are conditional)
  - Automatic OS healing during the update process that requires no action from enterprise admins
  - End-user acquisition of language packs and FODs
Note: To receive quality updates on Windows 11, we recommend that the latest security updates be installed on your devices. Minimally, devices should be updated to Windows 11 22H2.

To take advantage of UUP on premises, you must be using a supported platform:
  - Recommended version: Configuration Manager current branch 2203 and above.
  - Enable Software Updates in client settings (set to Yes). For client operating systems that can support delta download (Windows 10 version 10.0.16299 or later), the delta download endpoint will always be turned on regardless of the client agent settings, and the port number will be honored even if delta downloads are not enabled. If delta download is disabled, only UUP updates will do a delta download; all other updates, express or not, will do a full file download. If delta download is enabled, all updates will go through the delta download code path, express or not, unless the only DP available is a cloud DP.
  - Any supported version of Windows Server Update Services (WSUS).
Note: If you're a WSUS standalone admin, please apply the upcoming February and March updates promptly to ensure your readiness! And if you haven't yet, learn about Adding file types for Unified Update Platform on premises.

Known issues:
  - On a newly installed CM client, delta download is delayed in starting. Patchdownloader.log shows an incorrect download percentage.
  - WSUS servers running on Server 2022, 2019 or 2016 are likely to break after the February 2023 LCU if custom MIME types are added at a subsite level in IIS.

Update to the default value of supersedence age in months for software updates
With the Unified Update Platform (UUP) general availability release, the feature update and non-feature update supersedence age should be greater than 3 months. For new software update point role installations, we're updating this to 6; existing customers can review and update to 6. Known issue: the updated default value of supersedence age in months will not impact existing configurations. Removing the SUP role in the admin console does not reset the supersedence age property in WMI. As a result, while reconfiguring the role, the previously configured value is shown in the configuration window.

Enable Windows features introduced via Windows servicing that are off by default
The Commercial control for continuous innovation in Windows is now integrated with the Configuration Manager 2303 release. For more information, see Commercial control for continuous innovation (Windows 11) and client settings in Configuration Manager.

Configuration Manager console

Dark theme extended to the delete secondary site wizard
The Configuration Manager console now extends the dark theme to the delete secondary site wizard. This wizard will also have a new look for the normal theme. This is part of the ongoing effort to make the dark theme and the overall admin console experience better. To use the theme, select the arrow at the top left of the ribbon, then choose Switch console theme. Select Switch console theme again to return to the light theme. For more information, see Dark theme for the console.

Deprecated features

Removed Community hub service and integration with ConfigMgr
Removed Community Hub configuration from Hierarchy settings and Community Hub service integration. Learn about support changes before they're implemented in Removed and deprecated items.

Other updates

Maintenance window schedules
Offset for recurring monthly maintenance window schedules: based upon your feedback, you can now offset monthly maintenance window schedules to better align deployments with the release of monthly security updates. For example, using a maximum offset of seven days after the second Tuesday of the month sets the maintenance window for next Monday.

Removing Microsoft Store for Business and Education new config capability
As part of the Microsoft Store for Business deprecation, we are making these changes to the customer experience with this feature:
  - Removing a user's ability to create new Microsoft Store for Business in Configuration Manager.
  - Displaying a warning message box when a user triggers a sync from Microsoft Store for Business.
  - Displaying a warning in the Create Application Wizard when a user attempts to create a new app from Store license information.
For more information, see Removed and deprecated items.

For more details and to view the full list of new features in this update, check out our What's new in version 2303 of Microsoft Configuration Manager documentation. For assistance with the upgrade process, please post your questions in the Site and Client Deployment forum. Send us your Configuration Manager feedback through Feedback in the Configuration Manager console. Continue to share and vote on ideas about new features in Configuration Manager.

Thank you,
The Configuration Manager team

Additional resources:
  - What's New in Configuration Manager
  - Documentation for Configuration Manager
  - Microsoft Configuration Manager announcement
  - Microsoft Configuration Manager vision statement
  - Evaluate Configuration Manager in a lab
  - Upgrade to Configuration Manager
  - Configuration Manager Forums
  - Configuration Manager Support
  - Report an issue
  - Provide suggestions
- Recommendations and insights to enrich the Configuration Manager site health and device management

You can now use the Microsoft Intune admin center to view recommendations and insights for your Configuration Manager sites. These recommendations can help you improve site health and infrastructure, along with enriching the device management experience. With so many features and updates available, implementing the right resources for your infrastructure management is essential. You might be new to the management world, or you may have been managing your company's infrastructure for a long time; either way, this feature will provide you with insights that can help you level up.

We are currently providing recommendations that can help in the following ways:
  - Help you simplify your infrastructure by reviewing your hierarchy.
  - Assist you in enhancing device management through co-management enablement.
  - Refine the gathering of device insights via endpoint analytics enablement.
  - Improve the health of the site by reviewing current peer cache and delivery optimization settings.

These recommendations are based on your current site infrastructure and settings. Applying the recommendations is solely at the admin's discretion. We have created recommendations for tenant attach customers based solely on their site configuration, without interfering with the customer's privacy. Each recommendation points out how the customer is leveraging features provided in the site configuration. Recommendations are derived from the database. Each recommendation is evaluated and updated in the next cycle: a recommendation will not be visible in the next cycle if fully applied, and the recommendation insight will change if partially applied. Every cycle we inspect the customer DB through a static query and then flow this insight to the cloud to show the recommendation.

How can you view the recommendations?
A user with global admin rights will be able to view recommendations for Configuration Manager sites that are version 2211 or higher and tenant attached. To view recommendations, open the Microsoft Endpoint Manager admin center, go to Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager, and select a site to view recommendations for that site. Once selected, you'll find the Recommendations tab, which displays each insight along with a Learn more link that opens details on how to apply that recommendation. We are open to adding more recommendations in future and would love to hear from you!
- Configuration Manager technical preview version 2303

Dark theme extended to One Customer Voice (OCV) wizards
The Configuration Manager console now extends the dark theme to the One Customer Voice (OCV) wizards. All 'Send a smile' and 'Send a frown' wizards will adhere to the dark theme starting in Technical Preview 2303. This is part of the ongoing effort to make the dark theme and the overall admin console experience better. To use the theme, select the arrow at the top left of the ribbon, then choose Switch console theme. Select Switch console theme again to return to the light theme. Known issue: a console restart is required after switching the theme, as the node navigation pane might not render properly when you move to a new workspace.

SQL Server 2022 version support added for Configuration Manager
Starting with technical preview 2303, support is added for the SQL Server 2022 RTM version. You can use this version of SQL Server for the following sites:
  - A central administration site
  - A primary site
  - A secondary site
The following table identifies the recommended compatibility levels for Configuration Manager site databases:
  SQL Server version | Supported compatibility levels | Recommended level
  SQL Server 2022    | 150, 140, 130, 120, 110        | 150

Prerequisites for the site server roles now include the ODBC driver for SQL Server
Starting with technical preview 2303, Configuration Manager requires the installation of the ODBC driver for SQL Server as a prerequisite. This prerequisite is required when you create a new site or update an existing one. Configuration Manager doesn't manage updates for the ODBC driver; ensure that this component is kept up to date.

For more details and to view the full list of new features in this update, check out our Features in Configuration Manager technical preview version 2303 documentation. Update 2303 for the Technical Preview Branch is available in the Microsoft Configuration Manager Technical Preview console. For new installations, the 2302 baseline version of the Microsoft Configuration Manager Technical Preview Branch is available from the link CM2302TP-Baseline or from the Eval Center. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available.

We would love to hear your thoughts about the latest Technical Preview! Send us feedback directly from the console.

Thanks,
The Configuration Manager team

Configuration Manager resources:
  - Documentation for Configuration Manager Technical Previews
  - Try the Configuration Manager Technical Preview Branch
  - Documentation for Configuration Manager
  - Configuration Manager Forums
  - Configuration Manager Support