FIX SCCM Administration Service Issues

SCCM 1906 (TP) onwards, administration service helps SCCM console to communicate with the SMS Provider over HTTPS (instead WMI). In this video post, you will see an issue with SCCM 1906 Technical Preview version “Configuration Manager Can’t connect to the administration Service.”

Log file AdminService.log

Introduction

You can now enable some nodes of the SCCM console to use the administration service. This change allows the console to communicate with the SMS Provider over HTTPS instead of via WMI. This change is only applicable to the following nodes:

  • Administrative Users
  • Security Roles
  • Security Scopes
  • Console Connections

Note! – You can read more details about SCCM Administration Service from here.

The Issue

I upgraded to SCCM 1906 technical preview, and since then, I was not able to access four (4) nodes mentioned above.

Whenever I try to access Administrative Users node from SCCM console, it gave me the following error.

“Configuration Manager can’t connect to the administration service. The configuration manager console can’t connect to the site database through the administration service on SCCMTP2.intune.com.”

Configuration Manager can't connect to the administration service
Configuration Manager can’t connect to the administration service

FIX – Administration Service Issue

You need to enable the following configuration/checkbox to get the SCCM console for Administrative users, Security Scopes, and security roles nodes.

  • In the SCCM console, go to the Administration workspace, expand Site Configuration, and select the Sites node. In the ribbon, select Hierarchy Settings.
  • On the General page, select the option to Enable the Configuration Manager console to use the administration service.
FIX - administration Service
FIX – administration Service

Above Fix – Didn’t Work?

As Mentioned in the above video, you need to make sure you have enabled the following settings. Also, it’s worth restarting the SCCM Console.

  • Enable “Use Configuration Manager generated certificates for HTTP site systems.
  • Make sure – SMS Issuing certificate is not BLOCKED
  • Restart the SCCM console and check the SCCM console nodes
FIX - administration Service
FIX – administration Service

Resource

SCCM Community Hub How to Join Contribute Using Your GitHub Account

In this video post, Let’s learn how to join SCCM community hub using your GitHub account if you don’t have a git up an account you can create it for free. Let’s learn what Contribute Item Wizard is.

NOTE! – This post is based on SCCM 1906 Technical Preview version

This post you will get more details about it’s the SCCM community hub, and you can refer to my previous post to get much more detailed information about downloading the reports and scripts from SCCM community hub.

Subscribe to this blog via eMail

[jetpack_subscription_form show_only_email_and_button=”true” custom_background_button_color=”undefined” custom_text_button_color=”undefined” submit_button_text=”Subscribe” submit_button_classes=”undefined” show_subscribers_total=”false” ]

Why to Join SCCM Community Hub?

The SCCM Community hub is the place from where you can download script, reports, etc. To download scripts/reports which are available in the community hub, you don’t require to join it’s the same community hub with your GitHub account.

However, if you want to contribute to the SCCM community hub, then you need to join using the process which I explained in the able video and the following steps.

How to Join SCCM community Hub?

Let’s see what the steps you need to follow to join the SCCM community hub are?

Join the Community Hub - Join SCCM community Hub. Contribute Item Wizard.
Join the Community Hub – Join SCCM community Hub
  • To join the community hub, you need to have a GitHub account. This is the link to create the GitHub, and that is free
  • The second step is to go to SM console navigate through Community workspace
  • From the community workspace, you can click on sign in button on the right-hand side of the console
  • On the next screen, it will ask for the GitHub username and password. Enter your GitHub username and password.
  • Click on sign in button
  • Click on authenticate cloud management button
  • No, the console will present a screen which will give you an option to join the SCCM community hub. So, click on the Join button to get access to the community hub.
  • Once you press join button will initiate a mail to Microsoft and at the moment for the preview version Microsoft is approving the join requests every 24 hours.
  • On the next screen, you will see a notification which says Membership request received – Your hub membership request is pending once approved, you will receive an email invitation do you are associated GitHub account accept the invitation to begin contributing to the hub.
  • Once your request is approved, you will get a new page in the console with heading Welcome to the hub, and you will also be able to see add an item option in that new page.

How to start Contributing to SCCM Community Hub?

Let’s see how to add an item to the SCCM community hub. Follow the below steps to add an ITEM like applications, scripts, or reports to a community hub.

SCCM Contributing to SCCM Community Hub Contribute Item Wizard
SCCM Contributing to SCCM Community Hub
  • Click on Add an Item button from MY Hub tab from Community workspace
  • Contributes item wizard will pop up
  • From Specify settings for an object to share page, you need to select one of the options from the drop-down list Configuration Item, Report, Script, Task Sequence or Application
  • Once you choose the type of item which you want to contribute, then you need to click on the browse button to select the object from SCCM console  
  • Under the description, you can provide the details of the object which you are going to contribute
  • Click on next button
  • The progress page of contributes item wizard will give you the status of the upload
  • On the completion page of contributes item wizard, you will get the output of the SCCM Community contribution action.

KNOWN Issue?

NOTE! – In my is SCCM technical preview lab the uploading of the contribution didn’t work. I tried several times, and it was giving me an error. Ah, something went wrong, and you were unable to contribute to the hub error number 404 not found. Typescript name gets toys version.

Resources

How to Install SCCM 2007

Let’s see how to install SCCM 2007 for the last time. 9th July 2019 is the day when SCCM 2007 is going out of support/end of life forever.

I have created a video to show the experience of SCCM 2007 primary site installation (hypothetically). More details about SCCM 2007 risks and migration strategies are available here in my previous post.

How to Decommission SCCM 2007

Yeah if you still have SCCM 2007 installed in your environment, try to migrate it to the latest SCCM CB environment. Following are tasks for Decommissioning Sites and Hierarchies of SCCM 2007. Or you can just shutdown the SCCM 2007 VMs and delete them.

What is SCCM ITMU?

Well, ITMU is the patching mechanism used in SCCM 2007. Later, SCCM started using software updates with WSUS integration.

SCCM 2007 Icons?

More details about SCCM icons are available here.

SCCM 2007 install
SCCM 2007

Resources

Latest SCCM CB Version Video Documentation

Desktop Analytics Configuration Step by Step Guide – Device Mgmt Portal

In this video post, you will see the Azure cloud side Azure Desktop Analytics configuration from the Device Management portal. I have a previous post which explains the configuration from SCCM Desktop Analytics (1902 Technical Preview) side.

NOTE! – Microsoft announced public preview of Desktop analytics today Check out and join public preview from the above Microsoft’s post.

Subscribe to this blog via eMail

[jetpack_subscription_form show_only_email_and_button=”true” custom_background_button_color=”#00d084″ custom_text_button_color=”undefined” submit_button_text=”Subscribe” submit_button_classes=”wp-block-button__link has-text-color has-background has-vivid-green-cyan-background-button-color” show_subscribers_total=”false” ]

What is Desktop Analytics?

Desktop Analytics is a cloud-based service that provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows and Office. It combines data from your organization with data aggregated from millions of devices connected to Microsoft cloud services.

Why Desktop Analytics

Use Desktop Analytics with Configuration Manager to:

  • Create an inventory of apps running in your organization.
  • Assess app compatibility with the latest Windows 10 feature updates.
  • Identify compatibility issues and receive mitigation suggestions based on cloud-enabled data insights.
  • Create pilot groups that represent the entire application and driver estate across a minimal set of devices.
  • Deploy Windows 10 to pilot and production-managed devices using SCCM.
  • Minimize deployment risks by monitoring the health state of your devices during and after the deployment.
  • Ensure your devices are still supported with security and feature updates status.

Prerequisites – Azure Desktop Analytics

As mentioned above today, Microsoft released Desktop Analytics in public preview mode.

This Public preview of Desktop Analytics is made available to you to test and check out the configuration for your pilot devices. More detailed explanation about technical requirements here.

  • Login with Global Administrative access and
    • Use credentials that have at least Workspace Contributors permissions.
  • We need to verify that you have one of the following license subscriptions:
    • Windows 10 Enterprise E3 or E5; or Microsoft 365 F1, E3, or E5
    • Windows 10 Education A3 or A5; or Microsoft 365 A3 or A5
    • Windows Virtual Desktop Access E3 or E5

Configuration – Setup Azure Desktop Analytics

Following are the steps which I explained in the video to setup Desktop Analytics in Azure Device Management portal (setup Azure Desktop Analytics).

Azure Desktop Analytics
Azure Desktop Analytics

NOTE! – If you are prompted for an invitation code during the onboarding process, use: DesktopAnalyticsRocks! (Note that the code is case-sensitive and includes the !) More details here.

  • Do you have one of the supported subscriptions?
    • Yes
    • Why do I need one of these subscriptions?
      • Desktop Analytics requires one of the license subscriptions above. If you don’t have one of these subscriptions, you cannot continue set up.
  • Give users and apps access
    • In order to access Desktop Analytics, users need the ‘Desktop Analytics administrator’ (or equivalent) Directory role and workspace access.
  • Directory role management
    • Allow Desktop Analytics to manage Directory roles on your behalf
      • Yes
      • By selecting ‘Yes’, we will assign the ‘Desktop Analytics administrator’ role to Workspace owners.
  • Workspace owners
    • Users in this security group will be granted Azure owner access to the Log Analytics workspace associated with your Desktop Analytics portal. (Azure Desktop Analytics)
  • Security group: M365 Analytics Client Admins
  • Set up your workspace
    • To set up Desktop Analytics, you need an Azure subscription. Create an Azure subscription
    • This step sets the Log Analytics workspace we’ll use to store insights for devices in your organization. To use an existing workspace for Desktop Analytics, select it and Set as Desktop Analytics workspace. If you’re already using Windows Analytics, select that same workspace.
  • If you don’t see the workspace, you’d like to use with Desktop Analytics, check your subscription, Resource group and workspace permissions.
  • Select an Azure subscription.
  • Configure and enroll devices in SCCM to populate your workspace.
  • Keep your Commercial ID key handy; you may need it afterward when you configure Desktop Analytics in SCCM.
  • On the Last steps page, select Go to Desktop Analytics. The Azure portal shows the Desktop Analytics Home page.

Resources

Is SCCM Dead? Microsoft SCCM Intune Roadmap?

Common! I still get the same question. Is Intune going to take over SCCM? SCCM Dead? Check out the Video from the Brad Anderson Head of Microsoft Engineering teams of Microsoft Intune & Microsoft SCCM (System Center Configuration Manager).

No! SCCM is not dead. How do we Define – Die? EOL = End of Life? Yes, SCCM will definitely have an End of Life, but even Microsoft doesn’t know when that is going to be! It’s all about the investment of resources and money! Microsoft is still able to make money with SCCM + Intune integration.

Is SCCM Dying?

Updated News

@djammmer – After hearing more incidents of customer confusion, or incorrect messaging from #SCCM competitors… thought it would be a good time to rebroadcast this quote… 17 seconds!

Introduction – SCCM Dead?

NO! SCCM is not dead! Microsoft is NOT planning to reduce investments in SCCM development. SCCM development team in Redmond is developing the product with much more passion to help the SCCM customers.

https://twitter.com/Anderson/status/1191474439285858305?s=20

SCCM Intune Roadmap is Explained

Nice to hear (again & again) from Brad Anderson that SCCM is not dead 🙂 You can take this as an official announcement from Microsoft corporate VP!

This is what Brad Anderson said “What’s your level of investments in ConfigMgr these days ..there are more people working on SCCM team today than there have been in a decade

SCCM Dead

Co-Management

As explained in the above video, SCCM & Intune co-existence and Co-Management are the future!

Resources

SCCM Folder RBAC Permission Setup Guide

In this video blog, we are going to learn about the new feature “set security scopes for folders (SCCM Folder RBAC Permission),” which got introduced in SCCM 1906 technical preview. I’m sure this feature will be there in the production version of as SCCM 1906.

I have a couple of others SCCM RBAC related posts, which will give you more details about an end to end SCCM RBAC implementation scenario. More information in the following post.

SCCM Folders are Securable Objects

Until now, SCCM admins are not able to control the visibility of SCCM folders from other admins. There was no option to hide folders from other admins. SCCM Folder RBAC Permission.

The SCCM folders will be visible in their console, but they won’t be able to see the objects (Applications, Packages, Collections, Task Sequences, etc.) inside the folders. This behavior was because of the objects inside the folder where securable objects.

SCCM Folder Permission
SCCM Folder Permission

This SCCM RBAC behavior created some confusion for the admins. Moreover, in some scenarios, admins started using wrong folders to place their associated applications or packages. Because the folders were not securable object, we cannot control the access of those folders anyone can put their applications packages or task sequences into wrong folders.

Microsoft is resolving this issue by making folders as a securable object. Now you can control the access of the folders within your administrators using set security scope option in essence Yum console. You can see more details in the below section of this post.

How to Control SCCM Folder Access Using set security scopes Option

SCCM 1906 onwards you can control the folder access within SCCM console. You can decide which admin should have access to which folder. As an example, in the above video, you can see, I have created folders depending on the location or offices. So, you can provide access to a particular folder if you have an admin from that specific office or site.

Remember you must create security scopes depending on the location as I have shown in the video. If you already have implemented SCCM RBAC, then security scopes should be in place already.

Steps to Implement SCCM Folder RBAC Permissions

SCCM Folder RBAC Permissions
SCCM Folder RBAC Permissions

The following steps will help you to set up permissions to SCCM folders (SCCM Folder RBAC).

  • In the SCCM console, right-click on a folder.
    • For example, right-click a folder under the Applications, Packages, Software Updates, Collections, or Task Sequences node.
  • Select Folder and click on Set Security Scopes option.
  • Choose the security scopes you want to apply then click OK.
  • OR If you’re already in the folder (applications, collections, Task Sequences folders), you can also click on Set Security Scopes in the ribbon.

Resources

Microsoft MVP Award 2019-2020 Video

Hope you have already listen to the video which is posted above. I received a mail yesterday from Microsoft MVP program to let me know I’m re-awarded as Microsoft MVP Award.

Related PostSCCM Intune Microsoft MVP Award 2019 – The Journey from 4000 to 3000 ?

[jetpack_subscription_form show_only_email_and_button=”true” custom_background_button_color=”undefined” custom_text_button_color=”undefined” submit_button_text=”Subscribe” submit_button_classes=”undefined” show_subscribers_total=”false” ]

Get in Touch – Get Updated about Technologies

Community Groups to Contribute & Learn

Facebook Groups

LinkedIn Groups

Telegram Group

Resources

SCCM Clear Application Content from Cache After Installing

Hello in this video post you are going to see and the new feature or new option which got introduced in SCCM 1906 technical preview. We will see more about “Clear Application Content from Cache After Installing.”

Introduction

The new option “Clear Application Content from Cache After Installing” is very useful for OS deployment scenarios. In many scenarios yes, the SCCM client might have limited cache size so it will be challenging for most of most of the SCCM admins to manage the client cache.

What is the Advantage?

The new feature got introduced in SCCM 1906 technical preview version and I’m sure it will come to the production version of 1906 as well) is very useful in real-world scenarios.

With “Clear Application Content from Cache After Installing” option, you can clear in the application cache content from the client cache once the application is installed during the task sequence process. This this option is very helpful in many Windows 10 upgrade scenarios.

How to Use – Clear Application Content from Cache After Installing

So, let’s see how to enable this (Clear SCCM Cache content) option or how to use this option?

  • Right Click on the task sequence and click on Edit. (DO NOT DOUBLE CLICK ON Task Sequence – view is the default option when you double click)
  • Once the SCCM TS Editor window is opened with all the steps go to ADD menu and go to software and click on install application.
  • Select the option called clear application content from cache after installing (this option is at the bottom of the page)
  • Click OK to finish
SCCM TS - clear application content from cache after installing
SCCM TS – clear application content from cache after installing

NOTE! – Once you enable this option after the application installation that Task Sequence will make sure that application content is cleared or removed from the client cache. What do you think about this particular option which got added to SM 1906?

Resource

SCCM 1906 New Features Sneak Peek

In this video, you will see the sneak peek of most of the following list of features released in SCCM 1906 Technical Preview. My favorite among those is SCCM RBAC features for folders.

SCCM Client, Console, Build Version Numbers Details are available here.

List of SCCM 1906 TP New Features

The list of SCCM 1906 TP features is available in this release of the technical preview version.

  • ✔ Improvements to maintenance tasks
  • ✔ Additional options for SCCM third-party update catalogs
  • ✔ SCCM update database upgrade monitoring
  • ✔ Multiple pilot groups for co-management workloads
  • ✔ SCCM RBAC on Folders
  • ✔ Azure Active Directory group discovery Options
  • ✔ Remote control anywhere using Cloud Management Gateway
  • ✔ Improvements to CMPivot
  • ✔ Support for Windows Virtual Desktop
  • ✔ More frequent countdown notifications for restarts
  • ✔ SCCM Co-management auto-enrollment using Azure AD device token
  • ✔ SCCM Management Insights – Rule for NTLM fallback
  • ✔ SCCM Integrated MBAM Improvement

SCCM RBAC for Folders

SCCM 1906 technical preview version introduced new feature role based access for folders. The RBAViewer.exe is the tool which will help you to understand SCCM RBAC in a better way.

  • Collection Folders RBAC
  • Application Folders RBAC
  • Task Sequence Folders RBAC
SCCM 1906 - RBAC for Folders
SCCM 1906 – RBAC for Folders

Multiple Pilot Groups SCCM co-Management Workloads

You can now configure different pilot collections for each of the co-management workloads. Being able to use various pilot collections allows you to take a more granular approach when shifting workloads.

SCCM 1906 - Co-Management Pilot Groups
SCCM 1906 – Co-Management Pilot Groups

Management Insights Rule for NTLM Fallback

SCCM Management insights include a new rule that detects if you enabled the less secure NTLM authentication fallback method for the site: NTLM fallback is enabled. Network Access Account is the example for NTLM.

SCCM 1906 -  NTLM authentication
SCCM 1906 – NTLM authentication

Improvements Third-Party Software Update

SCCM 1906 released with one of the major improvement for SCCM Third-Party Software Updates. SCUP had options to select required categories from vendor catalog cab file. But, this feature was not available until the 1906 version of SCCM.

NOTE! – The latest third-party software update catalog version introduced in SCCM 1906 is TP is Version 3 (V3).

The following steps will help you to check out the new catalog (V3) feature.

  1. In the SCCM console, go to the Software Library workspace. Expand Software Updates and select the Third-Party Software Update Catalogs node.
  2. Select the catalog to subscribe and click Subscribe to Catalog in the ribbon.
  3. Choose your options on the Select Categories page:
    • Synchronize all update categories (default)
      • Synchronizes all updates in the third-party update catalog into SCCM.
    • Select categories for synchronization
      • Choose which categories and child categories to synchronize into SCCM
SCCM 1906 - Third-Party Software Update
SCCM 1906 – Third-Party Software Update

Edit SCCM Maintenance Tasks

There are changes in maintenance tasks viewer in the latest version of SCCM 1906 TP. I have a post with SQL query to find out SCCM maintenance tasks. No need to use this SQL query from SCCM 1906 TP onwards.

  1. In the Administration node, expand Site Configuration, then click on Sites.
  2. Select a site from your list, then click on the Maintenance Tasks tab in the detail panel.
  3. Right-click one of the maintenance tasks and select one of the following options:
    • Enable – Turn on the task.
    • Disable – Turn off the task.
    • Edit – Edit the task schedule or its properties.
SCCM 1906 - Maintenance Tasks
SCCM 1906 – Maintenance Tasks

Resources

Features in SCCM technical preview version 1906

SCCM Console Debugger – Show SCCM Object Details Option

SCCM console has many hidden debugging options. In the SCCM Console Debugger video tutorial post, you will see and learn more details about debugging options.

SCCM Console WMI Classes

Before going into SCCM console debug options and show object details option, you can learn more about SCCM WMI Classes related to Console and provider.

NOTE! – SCCM Console Debugger option called “Show Object Details” shall help to get the following WMI class details from SCCM console itself. More information about the right click option called Show Object Details in the video guide here.

  • The SMS_InstanceChangeNotification WMI class that notifies the SCCM admin console that an alert has changed its status.
  • The SMS_ObjectContainerItem contains information about an SCCM console folder item (Object details inside a particular folder in SCCM console etc…).
  • The SMS_ObjectContainerNode contains information for a given SCCM Console folder (folder details Folder Name etc..).
  • The SMS_ObjectContentExtraInfo & SMS_ObjectContentInfo contains the details about Application or Package Content Information and some extra information.

NOTE! – I don’t find the much difference between SMS_ObjectContentExtraInfo & SMS_ObjectContentInfo WMI classes.

  • The SMS_RoleInObjectType object helps to map a role and its associated object types.
  • The SMS_SearchFolder WMI class behaves the same as SMS_ObjectContainerNode is only used for search operations.

SCCM Console Connectivity

The following diagram will give you more details about SCCM architecture. Also, this diagram will provide the Details about SCCM Console -> SMS Provider – WMI – SCCM Site connectivity.

NOTE! – You can find more details about SCCM Console Connectivity and SCCM architecture details from here. More detailed SCCM architecture decision-making tips are available here.

SCCM Console Connection - SCCM Console Debugger
SCCM Console Connection – SCCM Console Debugger

How to Enable SCCM Console Debugger?

There is a hidden workspace called TOOLS in SCCM console, and that is referred SCCM Console Debugger in this post.

You can enable SCCM Tools workspace (SCCM Console Debugger) from the SCCM console shortcut file. The steps mentioned in the following link shall help you to allow the hidden Tools workspace visible in the console.

The following Step by Step Guide to Enable “Show Object Details” right-click option on all SCCM console objects >>>> https://www.anoopcnair.com/sccm-console-tips-tools-workspace-debug-view/

Resources