Client – SCCM Monde

Tool for collecting SCCM information

I developed a tool to collect SCCM information. This tool is not perfect, but it can save you a lot of time and efforts in daily troubleshooting sccm / mecm issues.

Used to collect from the following endpoints:

general computer information
enable/disable sccm verbose
information of computers which have SCCM/MECM installed
information of computers which have Software Update Point role installed
information of computers which have Distribution Point role installed
information of computers which have Management Point role installed
Site Server information
WSUS configuration information
computer upgrade information

Usage: Run as Administrator: ConfigMgr-Tool.exe

Link – https://github.com/gaulogao/mecm/blob/f1a5333a02002222be6e59489d9fa1be24cc6745/ConfigMgr-Tool.exe

How to cancel restart initiated by mistake from Client Notification in SCCM console?

If you inadvertently clicked on Restart menu from Client Notification, that can be scaring if the target computers are critical servers in your company.

Don’t panick. Here is a way to cancel it.

Solution

Run the script as Admin on all the affected computers in whatever way you feel comfortable with.

#CANCEL a pending reboot
Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client\Reboot Management\RebootData'
Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client\Updates Deployment\RebootFlag
Remove-ItemProperty -Name * -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
Shutdown -a
Restart-Service ccmexec -force

How to trigger Configuration Manager Actions with command

Many times, you may want to trigger SCCM Actions with command to simulate manual click.

Microsoft provides an official documentation on how to do that with PowerShell. Here is the link – https://learn.microsoft.com/en-us/mem/configmgr/develop/reference/core/clients/client-classes/triggerschedule-method-in-class-sms_client

However, you can be frustrated when it comes to triggering actions like Application Deployment Evaluation Cycle. In this case, that article is not going to help you because the PowerShell commands only work when they are run as Admin. What if I just want to simulate manual click to trigger even user-based actions?

Here is a way on how to do that. The following code is an example for Updates Source Scan Cycle in Visual Basic.

Sub InitiateSoftwareUpdatesScanCycle()

' Set the required variables.
actionNameToRun = "Updates Source Scan Cycle"

' Create a CPAppletMgr instance.
Dim oCPAppletMgr
Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr")

' Get the available ClientActions object.
Dim oClientActions
Set oClientActions = oCPAppletMgr.GetClientActions()

' Loop through the available client actions. Run the matching client action when it is found.
Dim oClientAction
For Each oClientAction In oClientActions
If oClientAction.Name = actionNameToRun Then
oClientAction.PerformAction
End If
Next
wscript.echo "Ran: " & actionNameToRun

End Sub

Save the script in vbs file and run it in user context. There you go! It works just as the logged-in user click on that particular action.

If you need to trigger other actions, just replace with the following action names:

Software Metering Usage Report Cycle
Request & Evaluate Machine Policy
Updates Source Scan Cycle
Request & Evaluate User Policy
Hardware Inventory Collection Cycle
Software Inventory Collection Cycle
Application Global Evaluation Task
Software Updates Assignments Evaluation Cycle
Discovery Data Collection Cycle
MSI Product Source Update Cycle
Standard File Collection Cycle

Official document link is here – https://learn.microsoft.com/en-us/previous-versions/system-center/developer/cc144313(v=msdn.10)?redirectedfrom=MSDN

0x800706d9 – There are no more endpoints available from the endpoint mapper

ISSUE

0x800706d9 – There are no more endpoints available from the endpoint mapper

You may come across this exception in case of downloading content via Background Intelligence Service (bits), eg. during ccmsetup.

SOLUTION

Start Windows Firewall service

REFERENCES

https://social.technet.microsoft.com/Forums/en-US/df5e62d6-5be0-4336-95ab-9d1f414699dd/windows-10-and-windows-server-2016-require-the-windows-firewall-for-bits

Find MAC address from SCCM

There are two ways to find MAC Address from SCCM.

SQL Query

SELECT * from v_RA_System_MACAddresses WHERE ResourceID in (select  ItemKey from vSMS_R_System)

You can add other WHERE conditions to refine the result.

WMI

Open SCCM console
Expand the top-left arrow menu and click Connect via Windows PowerShell

$SC = 'PS1' # Replace PS1 with the actual Site Code
$Computer = 'CONTOSOClIENT0' # Replace CONTOSOClIENT0 with the actual computer name
Get-WmiObject -Class SMS_R_SYSTEM -Namespace "root\sms\site_$SC" | where {$_.Name -eq "$Computer"}).MACAddresses

References

Connect via PowerShell

Windows Server 2012 R2 Standard with TPM 2.0 – Client certificate shows None with error “Failed to set ACL to key, 0x80090029″

Windows Server 2012 R2 Standard with TPM 2.0 – Client certificate shows None with error “Failed to set ACL to key, 0x80090029”

ISSUE

Windows Server 2012 R2 Standard with TPM 2.0 – Client certificate shows None

Started since SCCM upgraded from 2103 to SCCM 2111

Actions tab has only two actions

LOG

CertificateMaintenance    2576 (0xa10)    The primary key is not found from provider Microsoft Platform Crypto Provider
CertificateMaintenance    2576 (0xa10)    Primary key not found in the key storage. Will create the key and the certs.
CertificateMaintenance    2576 (0xa10)    Deleted key ConfigMgrPrimaryKey from provider Microsoft Software Key Storage Provider
CertificateMaintenance    2576 (0xa10)    Failed to set ACL to key, 0x80090029
CertificateMaintenance    2576 (0xa10)    CCMDoCertificateMaintenance() failed (0x80090029).

REASON

This originates from a change to SCCM since 2107:

“Configuration Manager uses self-signed certificates for client identity and to help protect communication between the client and site systems. When you update the site and clients to version 2107, the client stores its certificate from the site in a hardware-bound key storage provider (KSP). This KSP is typically the trusted platform module (TPM) at least version 2.0. The certificate is also marked non-exportable.

If the client also has a PKI-based certificate, it continues to use that certificate for TLS HTTPS communication. It uses its self-signed certificate for signing messages with the site.”

Refer to – https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2107#clients-store-configuration-manager-self-signed-certificates-in-hardware-tpm

As confirmed with Microsoft, this is an issue with Windows Server 2012 R2. Windows Server 2016 does not have such an issue. Microsoft is not planning to make any changes to Windows Server 2012 R2.

Note that this happens also to Windows 8.1.

Solution

Force client computer to use Software KSP by adding one registry entry:

HKLM\Software\Microsoft\CCM\DWORD:UseSoftwareKSP=1

References

Client deployment cannot be fulfilled since use of metered network is not allowed

SCCM client installation failed with 0x87d00227

Though not commonly seen, you may run into SMS Agent Host client installation failure on metered network. ccmsetup.log shows messages like the following.

03-25-2022 12:33:56.196    ccmsetup    8828 (0x227c)    Client deployment cannot be fulfilled since use of metered network is not allowed.
03-25-2022 12:33:56.196    ccmsetup    8828 (0x227c)    Failed to parse 'C:\WINDOWS\ccmsetup\ccmsetup.exe /ignoreskipupgrade /config:MobileClient.tcf         /RetryWinTask:9' with error 0x87d00227

0x87d00227 means functionality disabled.

Error Code:	0x87D00227 (2278556199)
Error Name:	CCM_E_DISABLED
Error Source:	Configuration Manager
Error Message:	Functionality disabled

This happened because “Client communication on metered internet connections” in Metered Internet Connections in Client settings is set to Block.

When the device is on a metered internet connection, the Configuration Manager client doesn’t try to communicate with the site. This option is the default.
Metered Internet Connections

SOLUTION

Set “Client communication on metered internet connections” to Allow in Metered Internet Connections in Client settings

If you are using manual installation method, you can also add /AllowMetered to workaround this issue.

When you allow client communication on a metered network for ccmsetup, it downloads the content, registers with the site, and downloads the initial policy. Any further client communication follows the configuration of the client setting from that policy.
AllowMetered

You may also think of disabling metered internet connection settings for client network adapters, but that can be difficult in an enterprise environment where policies are applied strictly. To disable metered internet connection, refer to –

https://support.microsoft.com/en-us/windows/metered-connections-in-windows-7b33928f-a144-b265-97b6-f2e95a87c408

References

SCCM console shows client No

ISSUE

SCCM console shows client No while sccm client is actually installed with success on client computers

client.msi.log indicates successful sccm client installation.

MSI (s)    164 (0xa4)    Windows Installer installed the product. Product Name: Configuration Manager Client. Product Version: 5.00.9049.1000. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.
ClientIDManagerStartup    10120 (0x2788)    [RegTask] - Client is registered. Server assigned ClientID is GUID:6569ECAC-3E32-430C-AE22-4689E619AFC9. Approval status 1

CcmNotificationAgent.log shows errors as below.

BgbAgent    2300 (0x8fc)    Connecting to server with IP: 192.34.50.217 Port: 10123
BgbAgent    2300 (0x8fc)    NetworkInfo: IPAddress 192.34.220.38
BgbAgent    2300 (0x8fc)    NetworkInfo: AccessMP IT00S431.uaes.com
BgbAgent    2300 (0x8fc)    sBoundaryGroupID: 16777218,
BgbAgent    2300 (0x8fc)    sIpAddress: 192.34.220.38,
BgbAgent    2300 (0x8fc)    Failed to receive buffer from server with err=0x80090304.
BgbAgent    2300 (0x8fc)    Failed to receive expected response from server with error 80090304.

Reason

There are duplicate client GUID in the site database

Solution

Delete problematic client computers from sccm console
On problematic client computers, delete smscfg.ini and SMS registry as well SMS certificates:

del %systemroot%\smscfg.ini
reg delete HKLM\software\Microsoft\SMS /f
certutil -delstore SMS SMS
net stop ccmexec
net start ccmexec

or use PowerShell commands:

Remove-Item C:\Windows\smscfg.ini
Remove-Item -Path Registry::HKLM\software\Microsoft\SMS -Recurse
Get-ChildItem cert:LocalMachine\SMS | Remove-Item -Recurse -Force
Stop-Service ccmexec
Start-Service ccmexec

SCCM client always reports to old site and management point after client installation

Group Policy Updated the assigned site code , which is different than the existing assigned site code . Will attempt re-assignment.

ISSUE

SCCM client always reports to old site and management point after client installation

The background is the I was doing a migration and was moving clients from the old sccm to their new sccm. I adopted manual sccm client installation.

In the very beginning, I used the following command to install sccm client –

ccmsetup.exe /mp:newsccm.contoso.lab /forceinstall FSP=newsccm.contoso.lab SMSMP=newsccm.contoso.lab SMSSITECODE=CON

But the client still reported to the old site. The reason is that the previous trusted key of the client still points to the one coming from the old site. This situation may occur when you move a client from one site hierarchy to another. Thus, to update the trusted root key, I added the switch RESETKEYINFORMATION=TRUE to the ccmsetup.exe command –

cmsetup.exe /mp:newsccm.contoso.lab /forceinstall FSP=newsccm.contoso.lab SMSMP=newsccm.contoso.lab SMSSITECODE=CON RESETKEYINFORMATION=TRUE

However, the client still reports the old site. Th site code still shows OOE instead of CON and the assignment management point the old one instead of the assigned one in the command.

LOGS

LocationServices.log says a group policy updated the assigned site code to OOE, which is the old sccm site code.

01-28-2022 13:45:57.930    LocationServices    3632 (0xe30)    LSRefreshSiteCode: Group Policy Updated the assigned site code <OOE>, which is different than the existing assigned site code <>. Will attempt re-assignment.
01-28-2022 13:45:57.992    LocationServices    3632 (0xe30)    Sending Fallback Status Point message, STATEID='500'.
01-28-2022 13:45:58.195    LocationServices    3632 (0xe30)    Processing GroupPolicy site assignment.
01-28-2022 13:45:58.195    LocationServices    3632 (0xe30)    Assigning to site 'VN1'
01-28-2022 13:45:58.195    LocationServices    3632 (0xe30)    LSIsSiteCompatible : Verifying Site Compatibility for <OOE>
01-28-2022 13:45:58.211    LocationServices    4104 (0x1008)    Failed to execute task 'LSSiteRoleCycleTask'. Error 0x80004005
01-28-2022 13:45:58.211    LocationServices    4104 (0x1008)    CSiteRoleCycleTask::Execute failed (0x80004005).

The resultant group policy retrieved by running gpresult /h c:\res.html has no group policies about assigning site code. After a moment of struggling, I found it related to a registry value in the following path –

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client: GPRequestedSiteAssignmentCode

SOLUTION

Delete the registry value and reinstall sccm client.

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client" /v GPRequestedSiteAssignmentCode /f
ccmsetup.exe /mp:newsccm.contoso.lab /forceinstall FSP=newsccm.contoso.lab SMSMP=newsccm.contoso.lab SMSSITECODE=CON RESETKEYINFORMATION=TRUE

After that, the issue was gone.

References

Client icon shows question mark in SCCM console

Client icon shows question mark in SCCM console with “Failed to receive buffer from server with err=0x80090304.”

ISSUE

Client icon shows question mark in SCCM console with Client Yes

A number of client computers turn offline show question mark icon in SCCM console while they have sccm client installed actually.

CcmNotificationAgent.log –

07-07-2021 23:45:31.111    BgbAgent    6608 (0x19d0)    Critical Battery: [FALSE]

07-07-2021 23:45:31.111    BgbAgent    6608 (0x19d0)    Connection Standy: [FALSE]

07-07-2021 23:45:31.111    BgbAgent    6608 (0x19d0)    Network allowed to use: [TRUE]

07-07-2021 23:45:31.111    BgbAgent    6608 (0x19d0)    Access point is contosomp.com. (SSLEnabled = 0)

07-07-2021 23:45:31.111    BgbAgent    6608 (0x19d0)    CRL Checking is Enabled.

07-07-2021 23:45:31.111    BgbAgent    6608 (0x19d0)    Both TCP and http are enabled, let's try TCP connection first.

07-07-2021 23:45:31.111    BgbAgent    6608 (0x19d0)    Connecting to server with IP: 10.221.108.12 Port: 10123

07-07-2021 23:45:31.127    BgbAgent    6608 (0x19d0)    Handshake was successful

07-07-2021 23:45:31.127    BgbAgent    6608 (0x19d0)    Pass verification on server certificate.

07-07-2021 23:45:31.142    BgbAgent    6608 (0x19d0)    NetworkInfo: IPAddress 10.221.123.26,fe80::ecd4:75f7:bc84:8bf

07-07-2021 23:45:31.142    BgbAgent    6608 (0x19d0)    NetworkInfo: IPSubnet 255.255.255.0,64

07-07-2021 23:45:31.142    BgbAgent    6608 (0x19d0)    NetworkInfo: AccessMP contosomp.com

07-07-2021 23:45:31.142    BgbAgent    6608 (0x19d0)    NetworkInfo: IsClientOnInternet 0

07-07-2021 23:45:31.142    BgbAgent    6608 (0x19d0)    Sent all 429 byte(s) to server.

07-07-2021 23:45:31.142    BgbAgent    6608 (0x19d0)    Update the timeout to 900 second(s)

07-07-2021 23:45:31.158    BgbAgent    6608 (0x19d0)    Connection is reset

07-07-2021 23:45:31.158    BgbAgent    6608 (0x19d0)    Failed to receive buffer from server with err=0x80090304.

07-07-2021 23:45:31.158    BgbAgent    6608 (0x19d0)    Failed to signin bgb client with error = 80090304.

07-07-2021 23:46:31.169    BgbAgent    6608 (0x19d0)    Connecting to server with IP: 10.221.108.12 Port: 10123

07-07-2021 23:46:31.169    BgbAgent    6608 (0x19d0)    Handshake was successful

07-07-2021 23:46:31.169    BgbAgent    6608 (0x19d0)    Pass verification on server certificate.

07-07-2021 23:46:31.184    BgbAgent    6608 (0x19d0)    NetworkInfo: IPAddress 10.221.123.26,fe80::ecd4:75f7:bc84:8bf

07-07-2021 23:46:31.184    BgbAgent    6608 (0x19d0)    NetworkInfo: IPSubnet 255.255.255.0,64

07-07-2021 23:46:31.184    BgbAgent    6608 (0x19d0)    NetworkInfo: AccessMP contosomp.com

07-07-2021 23:46:31.184    BgbAgent    6608 (0x19d0)    NetworkInfo: IsClientOnInternet 0

07-07-2021 23:46:31.184    BgbAgent    6608 (0x19d0)    Sent all 429 byte(s) to server.

07-07-2021 23:46:31.200    BgbAgent    6608 (0x19d0)    Connection is reset

07-07-2021 23:46:31.200    BgbAgent    6608 (0x19d0)    Failed to receive buffer from server with err=0x80090304.

07-07-2021 23:46:31.200    BgbAgent    6608 (0x19d0)    Failed to signin bgb client with error = 80090304.

07-07-2021 23:46:31.200    BgbAgent    6608 (0x19d0)    Fallback to HTTP connection.

07-07-2021 23:46:31.200    BgbAgent    6608 (0x19d0)    Client is not on internet

07-07-2021 23:46:31.200    BgbAgent    6608 (0x19d0)    Client is not set to use any webproxy.

07-07-2021 23:46:31.200    BgbAgent    6608 (0x19d0)    ccmhttp: Host=contosomp.com, Path=/bgb/handler.ashx?RequestType=LogIn, Port=80, Protocol=http, CcmTokenAuth=0, Flags=0x1, Options=0xe0

07-07-2021 23:46:31.200    BgbAgent    6608 (0x19d0)    Created connection on port 80

07-07-2021 23:46:31.200    BgbAgent    6608 (0x19d0)    Raising event:

 

instance of CCM_CcmHttp_Status

{

                    ClientID = "GUID:A8CD789C-44CD-472B-8631-E685CE2A53D9";

                    DateTime = "20210707154631.200000+000";

                    HostName = "contosomp.com";

                    HRESULT = "0x00000000";

                    ProcessID = 6272;

                    StatusCode = 0;

                    ThreadID = 6608;

};

07-07-2021 23:46:31.200    BgbAgent    6608 (0x19d0)    Successfully submitted event to the Status Agent.

07-07-2021 23:46:31.200    BgbAgent    6608 (0x19d0)    Session ID size is 72 byte(s).

07-07-2021 23:46:31.200    BgbAgent    6608 (0x19d0)    Session ID is 5129e3ed-25d4-439a-b409-90f39524c05e

07-07-2021 23:46:31.215    BgbAgent    6608 (0x19d0)    NetworkInfo: IPAddress 10.221.123.26,fe80::ecd4:75f7:bc84:8bf

07-07-2021 23:46:31.215    BgbAgent    6608 (0x19d0)    NetworkInfo: IPSubnet 255.255.255.0,64

07-07-2021 23:46:31.215    BgbAgent    6608 (0x19d0)    NetworkInfo: AccessMP contosomp.com

07-07-2021 23:46:31.215    BgbAgent    6608 (0x19d0)    NetworkInfo: IsClientOnInternet 0

07-07-2021 23:46:31.231    BgbAgent    6608 (0x19d0)    Sending buffer size = 1002.

07-07-2021 23:46:31.231    BgbAgent    6608 (0x19d0)    Client is not on internet

07-07-2021 23:46:31.231    BgbAgent    6608 (0x19d0)    Client is not set to use any webproxy.

07-07-2021 23:46:31.231    BgbAgent    6608 (0x19d0)    ccmhttp: Host=contosomp.com, Path=/bgb/handler.ashx?RequestType=Continue, Port=80, Protocol=http, CcmTokenAuth=0, Flags=0x1, Options=0xe0

07-07-2021 23:46:31.231    BgbAgent    6608 (0x19d0)    Created connection on port 80

07-07-2021 23:46:31.231    BgbAgent    6608 (0x19d0)    [CCMHTTP] ERROR: URL=http://contosomp.com/bgb/handler.ashx?RequestType=Continue, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE

07-07-2021 23:46:31.231    BgbAgent    6608 (0x19d0)    [CCMHTTP] ERROR INFO: StatusCode=990 StatusText=BGB Session Ended

07-07-2021 23:46:31.247    BgbAgent    6608 (0x19d0)    Raising event:

 

instance of CCM_CcmHttp_Status

{

                    ClientID = "GUID:A8CD789C-44CD-472B-8631-E685CE2A53D9";

                    DateTime = "20210707154631.247000+000";

                    HostName = "contosomp.com";

                    HRESULT = "0x87d0027e";

                    ProcessID = 6272;

                    StatusCode = 990;

                    ThreadID = 6608;

};

07-07-2021 23:46:31.247    BgbAgent    6608 (0x19d0)    Successfully submitted event to the Status Agent.

07-07-2021 23:46:31.247    BgbAgent    6608 (0x19d0)    Successfully queued event on HTTP/HTTPS failure for server 'contosomp.com'.

07-07-2021 23:46:31.247    BgbAgent    6608 (0x19d0)    Failed to post continue request with error code 87d0027e.

07-07-2021 23:46:31.247    BgbAgent    6608 (0x19d0)    Failed to signin bgb client with error = 87d0027e.

bgbserver.log –

07-13-2021 10:09:25.944    SMS_NOTIFICATION_SERVER    3316 (0xcf4)    Failed to process SignIn message from client [::ffff:10.221.123.26]:52155.~~

07-13-2021 10:09:25.989    SMS_NOTIFICATION_SERVER    3316 (0xcf4)    ERROR: The message timestamp is older or newer than 1 hour. 2021-07-13T11:06:47Z~~

07-13-2021 10:09:25.989    SMS_NOTIFICATION_SERVER    3316 (0xcf4)    ERROR: The message body is invalid.~~

07-13-2021 10:09:25.989    SMS_NOTIFICATION_SERVER    3316 (0xcf4)    Failed to process SignIn message from client 10.221.123.26:52156.~~

REASON

The time between the client computer and the management point is greater than 1 hour

SOLUTION

Make sure the time between the client computer and the management point it reports to is less than 1 hour