Anoop C Nair has been a Microsoft MVP for 10 consecutive years, from 2015 onwards! He is a Workplace Solution Architect with more than 22 years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
Let’s discuss the SCCM Reboot Task for Collection of Devices via Fast Channel Push Notification. SCCM CB 1708 version added a new feature called the “Reboot” action to the fast channel push client notification.
SCCM CB preview version 1708 has been released. I have the pleasure of upgrading my lab environment to this preview version.
We can use the SCCM console to identify client devices that are pending reboot. Once identified, the devices can be restarted using a client notification action.
This post will show the Video Experience of the SCCM Reboot Task for the Collection of Devices via Fast Channel Push Notification. The YouTube video tutorial is here.
This video provides all the details of the Reboot Task via Fast Channel SCCM CB 1708. The video details are shown below.
SCCM Reboot Task for Collection of Devices via Fast Channel Push Notification – Video 1
How to Restart Computers from the SCCM Console– SCCM Reboot Task for Collection of Devices via Fast Channel Push Notification
Using the SCCM CB 1708 preview version, you can restart the computers in a device collection. The first step is to identify the computers in a “pending restart” state.
How Do you Find Out the Restart/Reboot of Pending Devices?
Once restart pending devices are identified, right-click on collection or device to initiate the REBOOT action. This reboot action is created via the FAST client notification channel.
SCCM Reboot Task for Collection of Devices via Fast Channel Push Notification – Fig.1
We don’t have a reboot script that can be deployed to machines. Most importantly, this “REBOOT” action is triggered via the PUSH channel of SCCM CB client notification.
SCCM Reboot Task for Collection of Devices
Assets and Compliance
Overview
Devices
All Desktop and server clients
Client Notification
Reboot
SCCM Reboot Task for Collection of Devices via Fast Channel Push Notification – Table 1
SCCM Reboot Task for Collection of Devices via Fast Channel Push Notification – Fig.2
Restart Action Failed on a Client Device?
I initiated a reboot action for the Pending reboot machine, and it didn’t work. Why? I checked the log files and ConfigMgr applet on a Windows 10 machine.
I realized that I had upgraded the SCCM CB server version (5.00.8549.1000) to 1708, but we didn’t upgrade the Windows 10 machine’s SCCM client version (5.00.8542.1000) to 1708.
CcmNotificationAgent.log is the best log to check for troubleshooting fast-channel push notification tasks.
You can check the status of the REBOOT action in the monitoring workspace, the “Client Operations” node in the SCCM console.
The operation name for the REBOOT action is Task 17! But I’m sure this will be changed in the production version of the release. The error logging can be improved because the error message was “Failed to execute task, error 0.”
CcmNotificationAgent LOG with Errors
<![LOG[NetworkInfo: IPAddress 20.20.20.23,fe80::b09e:95a3:172a:4212]LOG]!><time="21:07:18.726-330" date="08-26-2017" component="BgbAgent" context="" type="1" thread="6212" file="bgbconnector.cpp:124">
<![LOG[NetworkInfo: IPSubnet 255.0.0.0,64]LOG]!><time="21:07:18.726-330" date="08-26-2017" component="BgbAgent" context="" type="1" thread="6212" file="bgbconnector.cpp:147">
<![LOG[NetworkInfo: AccessMP SCCMTP1.Intune.com]LOG]!><time="21:07:18.757-330" date="08-26-2017" component="BgbAgent" context="" type="1" thread="6212" file="bgbconnector.cpp:155">
<![LOG[NetworkInfo: IsClientOnInternet 0]LOG]!><time="21:07:18.757-330" date="08-26-2017" component="BgbAgent" context="" type="1" thread="6212" file="bgbconnector.cpp:159">
<![LOG[Update the timeout to 900 second(s)]LOG]!><time="21:07:18.757-330" date="08-26-2017" component="BgbAgent" context="" type="1" thread="6212" file="bgbtcpclient.cpp:916">
<![LOG[Receive signin confirmation message from server, client is signed in.]LOG]!><time="21:07:18.851-330" date="08-26-2017" component="BgbAgent" context="" type="1" thread="6212" file="bgbconnector.cpp:221">
<![LOG[Receive task from server with pushid=1002, taskid=1007, taskguid=5AFF6AEA-67D5-4124-B04F-162FDB0E314E, tasktype=17 and taskParam=]LOG]!><time="21:13:36.115-330" date="08-26-2017" component="BgbAgent" context="" type="1" thread="6212" file="bgbconnector.cpp:312">
<![LOG[Failed to find action instance for task type 17]LOG]!><time="21:13:36.115-330" date="08-26-2017" component="BgbAgent" context="" type="3" thread="6212" file="bgbcontroller.cpp:682">
<![LOG[Failed to execute task, error 0]LOG]!><time="21:13:36.115-330" date="08-26-2017" component="BgbAgent" context="" type="3" thread="6212" file="bgbcontroller.cpp:646">
Results of Successful REBOOT PUSH Task
I upgraded the client version to 5.00.8549.1000 and reinitiated the REBOOT task by right-clicking on a collection – Client Notification – Reboot. This action created a new task for the devices (pending reboot) in that collection through SCCM PUSH fast channel notification.
What is the architecture flow of SCCM CB Fast channel push notification? I have explained fast channel architecture flow in the post here.
The SCCM fast channel push client notification service will immediately notify the client about the task assigned. However, the client won’t be restarted immediately after receiving the task from the notification server component. The SCCM client will check the policy settings for “Computer Restart” and schedule the restart per the policy.
The computer restart policy is 90 minutes by default, and you can customize this policy from the client settings tab. The reboot or restart notification is very well integrated with the “Software Center” experience, which is a great advantage of this feature.
SCCM Reboot Task for Collection of Devices via Fast Channel Push Notification – Fig.3
Resources
Update 1708 for Configuration Manager Technical Preview Branch – Available Now! – here
Capabilities in Technical Preview 1708 for System Center Configuration Manager – here
Video Guide to Troubleshoot SCCM CB Fast Channel Notification Issues – here
We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Let’s discuss how to Troubleshoot SCCM Fast Channel Push Notification Issues. The fast channel notification feature has been in SCCM products since 2012 SP1. SCCM fast channel notification was mainly used to notify clients about vital policies, collect inventories, etc.
SCCM CB 1706 introduced the “RUN Script” option through the fast channel push notification. This post will use a video guide to troubleshoot SCCM CB fast channel push notification issues. A video tutorial about SCCM CB fast channel push notification is here.
Let’s understand Fast channel notifications for clients. SCCM Fast channel notification is a “PUSH” method of notifying clients about the new policies. This communication channel for SCCM client fast notification is TCP (port 10123) or HTTP (port 80).
How to Troubleshoot SCCM CB Fast Channel Notification Issues
In the video, you’ll find comprehensive details on troubleshooting SCCM CB Fast Channel Notification issues. This guide will cover scenarios where Fast Channel Notifications may fail or encounter issues within the SCCM environment.
Troubleshoot SCCM Fast Channel Push Notification Issues – Video 1
What is SCCM Fast Channel Push Notification?– Troubleshoot SCCM Fast Channel Push Notification Issues
The SCCM client communicates to its MP every 15 minutes to confirm that it’s still online. When your client does not show as ONLINE in the SCCM console, we may have a problem with the fast notification communication channel.
SCCM Push Vs. Pull
Historically, SCCM uses the PULL method, expecting the client to ask for new policies regularly. But, the fast channel uses the PUSH method. What is BGB in SCCM? BGB = Fast Channel Notification related components. I don’t know whether this notification channel was codenamed “Big Green Button” or not 😉
Troubleshoot SCCM Fast Channel Push Notification Issues – Fig.1
What are the Components of SCCM CB Fast Channel Notification?
SCCM CB fast channel notification has three components. The notification manager will be located along with site servers (Primary/Secondary). It generates “push messages” for clients, sends notifications to the BGB server (MP), and stores the results.
The notification manager initiates push notifications from the site server. The log file BGBmgr.log provides more details about the notification manager. Notification files (*.BOS files) are stored in the INBOX/BGB.box folder. The video tutorial here shows the BOS file being created.
As you can see in the following fast channel notification architecture diagram, when the primary server has an MP component, the notification manager and notification server are also on that primary server.
The notification server will be located along with the Management Point (MP) and secondary sites. It will have TCP and HTTP listeners. These will help listen to the notification manager (DB) push notifications and confirm the client’s online status.
The notification manager pushes result files (*.BTS) from clients. BGBServer.log is the file on the MP setup or site server setup directory.
The Notification Agent is a fast-channel notification component at the SCCM client end. It’s part of the SMS agent (CCMEXEC). The agent establishes a persistent connection with its notification server.
This will receive the PUSH messages from MP. CcmNotificationAgent.log is the log file on the SCCM client device. The log can note MP/Notification server communication errors.
What is the architecture flow of SCCM CB Fast channel push notification?
Troubleshoot SCCM Fast Channel Push Notification Issues – Fig.2
Why is the SCCM CB Client NOT Showing as ONLINE?
The problem is that the SCCM CB client is not showing as ONLINE in the console. Instead, it always stays offline. The problem is ONLY with FAST notification channel communication; normal deployments and policies are working fine.
Troubleshooting of SCCM CB Fast Channel Notification
First, you must ensure all the notification components are installed correctly on the server and client sides. The following log files can confirm this for installation issues and troubleshooting.
Installation Issues and Troubleshooting
SCCM CB Notification Server/Manager
BGBServer.log
BgbHttpProxy.log
BgbSetup.log
BGBisapiMSI.log
Troubleshoot SCCM Fast Channel Push Notification Issues – Table 1
Fast Channel Notification – Server-Side Troubleshooting
I checked the log files on my primary and MP (both are on the same server), and BGBServer.log shows a warning all the time: “WARNING: Notification Server (%systemroot%\system32\dllhost.exe) with TCP port 10123 is NOT allowed by Windows Firewall on all interfaces.” But I thought it should work with the port 80 HTTP channel. It was not working as expected.
Following are the extracts of troublesome logs on the BGB notification server, from BGBServer.log:
Starting SMS Notification Server…~~
<SMS_NOTIFICATION_SERVER><08-15-2017 01:16:02.005-330> Server GC is OFF~~
<SMS_NOTIFICATION_SERVER><08-15-2017 01:16:02.006-330> Trigger to start TCP listener~~
<SMS_NOTIFICATION_SERVER><08-15-2017 01:16:02.022-330> The HTTP listener is started~~
<SMS_NOTIFICATION_SERVER><08-15-2017 01:16:02.030-330> Listening connections on port 10123. Waiting for clients to connect…~~
<SMS_NOTIFICATION_SERVER><08-15-2017 01:16:02.061-330> WARNING: Notification Server (%systemroot%\system32\dllhost.exe) with TCP port 10123 is NOT allowed by Windows Firewall on all interfaces.~~
<SMS_NOTIFICATION_SERVER><08-15-2017 01:16:02.062-330> Total online clients: 0 (TCP: 0 HTTP: 0)~~
<SMS_NOTIFICATION_SERVER><08-15-2017 01:21:02.039-330> Generated BGB online status FULL report C:\Program Files\Microsoft Configuration Manager\inboxes\bgb.box\Bgb72ul2.BOS (version: 0) at 08/15/2017 01:21:02~~
<SMS_NOTIFICATION_SERVER><08-15-2017 01:21:02.055-330> WARNING: Notification Server (%systemroot%\system32\dllhost.exe) with TCP port 10123 is NOT allowed by Windows Firewall on all interfaces.~~
<SMS_NOTIFICATION_SERVER><08-15-2017 01:21:02.067-330> Wait 300 seconds for notifications…
The notification agent was running. But CcmNotificationAgent.log showed loads of errors. One of the errors indicated that there could be a communication issue between the server and the client.
Troubleshoot SCCM Fast Channel Push Notification Issues – Fig.3
Error 10060 means: a connection attempt failed because the connected party did not appropriately respond after a period, or an established connection failed because the connected host could not respond. The BGBAgent component log:
<![LOG[Bgb client agent is starting...]LOG]!><time="01:23:55.212-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="6372" file="agentendpoint.cpp:238">
<![LOG[BgbController main thread is started with settings: {bgb enable = 1}, {tcp enabled = 1}, {tcp port = 10123} and {http enabled = 1}.]LOG]!><time="01:23:55.259-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="6372" file="bgbcontroller.cpp:126">
<![LOG[Startup random sleep for 1 seconds.]LOG]!><time="01:23:55.290-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="5200" file="bgbcontroller.cpp:416">
<![LOG[Critical Battery: [FALSE]]LOG]!><time="01:23:56.306-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="5200" file="bgbcommon.cpp:60">
<![LOG[Connection Standy: [FALSE]]LOG]!><time="01:23:56.306-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="5200" file="bgbcommon.cpp:61">
<![LOG[Network allowed to use: [TRUE]]LOG]!><time="01:23:56.306-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="5200" file="bgbcommon.cpp:62">
<![LOG[Access point is SCCMTP1.INTUNE.COM. (SSLEnabled = 0)]LOG]!><time="01:23:56.415-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="5200" file="bgbcontroller.cpp:276">
<![LOG[CRL Checking is Enabled.]LOG]!><time="01:23:56.431-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="5200" file="bgbcontroller.cpp:284">
<![LOG[Both TCP and http are enabled, let's try TCP connection first.]LOG]!><time="01:23:56.431-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="5200" file="bgbcontroller.cpp:792">
<![LOG[Connecting to server with IP: 20.20.20.22 Port: 10123
]LOG]!><time="01:23:56.447-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="5200" file="bgbtcpclient.cpp:699">
<![LOG[Failed to connect to server with IP v4 address with error 10060. Try next IP...
]LOG]!><time="01:24:17.468-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="5200" file="bgbtcpclient.cpp:703">
<![LOG[Failed to signin bgb client with error = 80004005.]LOG]!><time="01:24:17.468-330" date="08-15-2017" component="BgbAgent" context="" type="3" thread="5200" file="bgbcontroller.cpp:635">
<![LOG[Connecting to server with IP: 20.20.20.22 Port: 10123
]LOG]!><time="01:25:17.482-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="5200" file="bgbtcpclient.cpp:699">
<![LOG[Failed to connect to server with IP v4 address with error 10060. Try next IP...
]LOG]!><time="01:25:38.501-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="5200" file="bgbtcpclient.cpp:703">
<![LOG[Failed to signin bgb client with error = 80004005.]LOG]!><time="01:25:38.501-330" date="08-15-2017" component="BgbAgent" context="" type="3" thread="5200" file="bgbcontroller.cpp:635">
<![LOG[Fallback to HTTP connection.]LOG]!><time="01:25:38.501-330" date="08-15-2017" component="BgbAgent" context="" type="1" thread="5200" file="bgbcontroller.cpp:828">
[CCMHTTP] ERROR: URL=http://SCCMTP1.Intune.com/bgb/handler.ashx?RequestType=Continue, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
Successfully queued event on HTTP/HTTPS failure for server 'SCCMTP1.Intune.com'.
Failed to post continue request with error code 87d0027e.
Troubleshoot SCCM Fast Channel Push Notification Issues – Fig.4
Fix for SCCM CB Fast Channel Notification Issues
The Firewall port 10123 was not opened between the SCCM client and the primary BGB server. I ran the following command from the client, “Telnet 10123,” and it didn’t work (the port was not opened).
I checked the software and hardware firewalls on the server side and discovered that Windows Firewall was blocking the port communication 10123.
I disabled the Windows Firewall on the notification server for testing and restarted the client agent service (SMS Agent) on the client machine. This helped to resolve the fast channel notification issue with the SCCM CB environment.
In an ideal world, rather than leaving the firewall disabled, you should exclude/exempt ports 10123 and 80 in the hardware and software firewalls between the fast channel notification server and agent. This will help to resolve the issue.
More details are available in the video tutorial here
Troubleshoot SCCM Fast Channel Push Notification Issues – Fig.5
Server Side Logs – After Successful Actions on Fast Channel Notification
Two critical lines of the SCCM CB fast notification channel server log, BGBServer.log, are the ones reporting that the server finished sending push tasks (PushID: 1 TaskID: 3) to 1 client and that it generated the BGB online status DELTA report.
Fast channel notification and MP replica issues – Here
What’s New With ConfigMgr’s Client Notification Feature – Here
Let’s discuss the SCCM CB 1708 Preview Upgrade Video Guide New Features. SCCM CB preview version 1708 has been released.
I enjoy upgrading my lab environment to the SCCM CB 1708 preview version. However, upgrading to SCCM CB preview version 1708 will fail if you have an SCCM primary server in passive mode.
Remember that the SCCM ConfigMgr CB technical preview version should not be deployed to a production environment. This post covers the SCCM CB 1708 Preview Upgrade Video Guide. You can find the YouTube video tutorial here.
The SCCM CB preview version is similar to the Windows Insiders program, which helps SCCM admins test the new features of SCCM CB. Before installing this technical preview, you can review the limitations of the SCCM CB version here.
We can’t install the CAS version of SCCM CB with the preview version. The prerequisite for installing the SCCM CB 1708 preview version has not changed.
SCCM CB 1708 Preview Upgrade Video Guide New Features – Fig.1
How to Download SCCM CB Preview Version
The upgrade process is explained in the video tutorial here. Have you installed an SCCM CB preview version? If not, you can download the latest baseline version of ConfigMgr SCCM CB Technical Preview from here. One particular version of the SCCM preview has a maximum validity of only 3 months (90 days).
How to Upgrade from SCCM CB 1707 to 1708?
The SCCM CB update and servicing process is the same as before. Once the latest version of the preview is released, the update will be available in the SCCM console.
The update will automatically download to your server. This behavior depends on the Service connection point (SCP) mode. There are two modes for SCP: ONLINE and OFFLINE.
The next upgrade process step is the replication of new content to secondary servers. Once replication is completed successfully, the update component will start the prerequisite checks on the SCCM CB hierarchy. The prerequisite checks will run on all the site servers and site systems.
Detailed Status for the SCCM Technical Preview 1708
Details
Installation: In progress
Start WMI: Completed
Install Services: Not Started
SCCM CB 1708 Preview Upgrade Video Guide New Features – Table 1
SCCM CB 1708 Preview Upgrade Video Guide New Features – Fig.2
Once prerequisite checks have been completed, the update component will start the actual upgrade/installation process of SCCM CB 1708. After the upgrade process, the post-installation or upgrade process will begin. All these are explained in the video tutorial here.
New Features of SCCM CB 1708 Preview Version
One of the newest features added to SCCM CB 1708 is the ability to create and run scripts with optional parameters. This script deployment is done through SCCM CB’s new fast channel.
Supported Scenarios of Run Script Option
There is no need to deploy the script as a package or application; rather, you can directly import the PowerShell script. The script can be targeted to collections or devices without creating any deployment.
Create and run PowerShell scripts on collections of devices from the Configuration Manager console.
Create and run PowerShell scripts with parameters to devices and collections from the Configuration Manager console.
Create and run PowerShell scripts with optional parameters to devices and collections from the Configuration Manager console.
SCCM Infra Management insights is another option in SCCM CB 1708. This will give you valuable insights into your environment’s current state based on the data analysis in the site database. This will provide the details of EMPTY collections and applications without deployments in your environment.
You can view the management insights below – \Administration\Overview\Management Insights.
Scenarios: Review a management insight to understand your environment better and take action based on the insight
SCCM CB 1708 Preview Upgrade Video Guide New Features – Fig.3
The two new features added to SCCM CB 1708 are the ability to restart computers from the admin console and the pending restart column. The restart computer action is also performed through SCCM fast channel notification.
The monitoring workspace in the SCCM CB 1708 console shows a different name for the Restart computer action: Operation Name #17.
SCCM CB 1708 Preview Upgrade Video Guide New Features – Fig.4
References
Update 1708 for Configuration Manager Technical Preview Branch – Available Now! – here.
Capabilities in Technical Preview 1708 for System Center Configuration Manager – here
Let’s discuss the Step-by-Step Guide to Creating and Deploying APPX Apps via SCCM and Troubleshooting Tips. Windows 10 S will only run executable code signed with a Windows, WHQL, ELAM, or Store certificate. Is it correct to assume that the only supported application in the Windows 10 S version is Windows Store apps (APPX)?
So, is this a good reason to start repackaging your LOB apps to APPX apps (SCCM App Deployment)? In this post, we will see a step-by-step video guide to create and Deploy APPX Apps via SCCM and Troubleshooting Tips.
To install the APPX app, the sideloading feature should be enabled on Windows 10 or Windows 11 machines. This can be done via Group Policies or Windows 10—Settings—Update & Security—For Developers—Use developer features and select the Sideload apps option.
Are you unfamiliar with the term “sideload“? In Windows 10, sideloading means installing apps on your computer that haven’t been certified to appear in the Store and run on a Windows device.
High-level Details about APPX App Packages (SCCM App Deployment)– Step by Step Guide to Create Deploy APPX Apps via SCCM and Troubleshooting Tips
What is unique with APPX apps? Windows APPX applications will be isolated from the rest of the host machine. This means UWP/APPX apps won’t be able to access the kernel and system drivers. These are now containerized and more secure. UWP/APPX apps never create registry keys in the system registry.
Step by Step Guide to Create Deploy APPX Apps via SCCM and Troubleshooting Tips – Fig.1
Prerequisites for APPX App Package Installation
APPX application architecture is very important when creating the application package. I have seen APPX application deployment errors caused by the wrong architecture in the APPX package.
It is highly recommended that you build your APPX app package to target all architectures. Universal Windows Platform (UWP) apps can be configured to run on x86, x64, and ARM architectures.
Once the APPX package is created and tested on a Windows 10 machine, the appx app deployment through SCCM is straightforward.
Package Information
x64
neutral
x86
x64
arm
arm64
Step by Step Guide to Create Deploy APPX Apps via SCCM and Troubleshooting Tips – Table 1
Step by Step Guide to Create Deploy APPX Apps via SCCM and Troubleshooting Tips – Fig.2
APPX Application Deployment Troubleshooting on Windows 10
I tried to install an APPX application package to Windows 10 devices, but it failed. As part of troubleshooting, I checked the requirement rules that are automatically imported into SCCM from the APPXBundle file.
The application requirement is set to run only on Windows 10 mobile versions. I explained some of the issues and troubleshooting log file (AppDiscovery and AppEnforce) details in the video tutorial here.
Another problem I encountered was related to the APPX app-supported architecture. Windows cannot install applications because APPX requires ARM Architecture, but the computer has architecture x64 when deployed.
The following is one example of APPX application deployment. I have also seen installation failures of APPX applications when the APPX architecture is set to “Neutral.” Error details – Unable to make changes to your software. There was a problem applying modifications to the software.
Here is more information about error code 0x80073D10 (-2147009264). This error means the deployment operation failed because the package targets the wrong processor architecture.
Step by Step Guide to Create Deploy APPX Apps via SCCM and Troubleshooting Tips – Fig.3
How to Import or Create APPX Application Package in the SCCM Console
The video tutorial details creating Windows Store (UWP) apps. Open SCCM CB console – Application management – Applications – Create new Application. Now, from the app creation wizard, we need to specify settings for the appx application.
Step by Step Guide to Create Deploy APPX Apps via SCCM and Troubleshooting Tips – Video 1
Select “Automatically detect information about this application from installation files,” and the application type should be “Windows app package (*.appx, *.appxbundle).” We need to provide the UNC path for the application source on the location on this page.
We can verify the imported information from the appx bundle file on the Import Information page. The General Information page is where you can change the name of the Windows 10 APPX application.
The application’s name, Publisher details, and Software version details can be changed from this page.
Step by Step Guide to Create Deploy APPX Apps via SCCM and Troubleshooting Tips – Fig.5
How to Distribute APPX App Content to DPs
Once the APPX application has been created, we must distribute the source files to SCCM CB distribution points (DPs). The DPs are where the client will get/download the source files during installation (SCCM App Deployment).
Right-click on the APPX application from the SCCM console and select the Distribute Content option, as I showed in the video tutorial above. The Distribute Content Wizard helps complete the content distribution process.
We need to select the content destination details in the wizard. This is the place where you choose DP server details or collection details. The source files of the APPX application will be replicated to selected DP servers.
You can monitor the content distribution from the SCCM console’s monitoring workspace. To do so, go to the details pane and select View status.
The distmgr.log and PkgXFermgr.log files are your best friends for troubleshooting SCCM content replication issues.
Step by Step Guide to Create Deploy APPX Apps via SCCM and Troubleshooting Tips – Fig.6
How Do I Deploy the APPX Application to a Windows 10 Device?
Once the APPX application is created and the content is successfully distributed to DPs, we can deploy the Appx package to the SCCM client Windows 10 machines.
What is an application deployment from an SCCM perspective? Deployment is nothing but providing instructions to targeted machines/users (in a collection). The instructions include scheduling time, the application installation behavior, etc.
The Deploy Software Wizard guides us through the SCCM APPX application deployment process. We need to specify general information for this deployment on the General page.
This page should automatically display the software name. We need to select target devices and user collections to deploy APPX apps.
Ensure we have selected the “Automatically distribute content for dependencies” option in this wizard to automatically distribute the content of dependent apps.
Step by Step Guide to Create Deploy APPX Apps via SCCM and Troubleshooting Tips – Fig.7
Deployment settings are another vital option for specifying settings to control how this software is deployed. To install the APPX application, we must select the action called Install. To uninstall the APPX application, we need to choose the action called uninstall.
The application has other control settings called Purpose. When you select purpose as available, the application will be available in the Software Center of the Windows 10 machine.
The APPX application installation won’t start automatically. The user needs to initiate the application’s installation manually.
The Required option in deployment settings should be selected when we want to install the APPX application onto the machine automatically, without any manual intervention.
When you choose purpose as Required in the deployment settings, another three checkboxes will be enabled on the page.
Pre-Deploy software to the user’s primary device
Send wake-up packets
Allow clients on a metered internet connection to download content after the installation deadline, which might incur additional costs.
Step by Step Guide to Create Deploy APPX Apps via SCCM and Troubleshooting Tips – Fig.8
The deploy software wizard guides us through the APPX application deployment schedule. We can schedule the application to be available after a specific time, which can be used in future applications.
Another option we can schedule for the application deployment is the installation deadline. The next deployment option we can specify on this deployment wizard page is user experience.
End-user Experience of APPX Deployment and Installation on Windows 10
The user will automatically receive a notification from the Software Center according to the user experience you set in the deployment setting wizard. The user can then open the Software Center and the listed APPX application.
Also, when you click on a specific application, you will get more details about the progress of the application installed on Windows 10 machines.
You can see the deployment status in the SCCM console when the installation is completed. The recently installed application will also be displayed in the Windows 10 start menu.
Step by Step Guide to Create Deploy APPX Apps via SCCM and Troubleshooting Tips – Fig.9
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Let’s discuss how to block Windows devices from enrolling to Intune. I have seen a scenario where Intune exclusively manages iOS and Android devices.
Windows devices are managed through SCCM and must be disabled or prevented from enrolling in Intune. We can achieve this with new Intune Enrollment restriction policies. I have a blog post explaining “How to Use Intune Enrollment Restriction Rules“.
This post covers everything you need to know about stopping Windows devices from enrolling in Intune. It explains each step clearly so you can understand it easily. Whether you’re just starting out or want to improve your setup, this post will guide you through keeping your devices out of Intune’s management system.
I tested Windows 10 enrollment to Intune via “Add Work or School Account.” This was tested successfully before restricting Windows 10 devices from the Intune console. Check out the following message after the Windows 10 device is successfully enrolled. More details are in the video below.
How to Restrict Windows 10 Devices from Intune Management
This video provides a step-by-step guide on restricting Windows 10 devices from being managed through Intune. It covers all the necessary details, including the settings and configurations required to ensure proper restriction.
How to Block Windows Devices from Enrolling to Intune – Video 1
Add Work or School Account
“We’ve added your account successfully, and you can now access your organization’s apps and Services. The last step is setting up your new PIN to unlock this device.”
How to Block Windows Devices from Enrolling to Intune – Fig.1
Change the Intune Device Enrollment Policy to Restrict Windows Device
Navigate through the New Azure portal – Microsoft Intune – Device Enrollment – Enrollment restrictions. You will be able to see two Intune enrollment restriction policies: 1. Device Type Restrictions and 2. Device Limit Restrictions.
Device Type restriction is where we can restrict Windows (8.1 +) devices from enrolling on Intune.
This policy will prevent Windows 8.1 and later devices from Intune management and restrict Windows 10 device enrollment. Windows 10 mobile devices will also be blocked when we configure this policy.
How to Block Windows Devices from Enrolling to Intune – Fig.2
End-User Experience of Windows 10 Device Restriction
I successfully added a Work or School account to a Windows 10 1703 device. The one change I noticed through the enrollment process is that it didn’t prompt for MFA. After this enrollment, the message I received differed from the one I got above.
“We’ve successfully added your account, and you can access your organization’s apps and Services.” Moreover, the machine was NOT available in the company portal application under the “My Devices” list. So, the device enrollment never failed as I expected. The device was enrolled without any error.
However, the main question is whether this device would be managed via Intune. Did the device receive Intune policies? The answer is in the paragraph below.
How to Block Windows Devices from Enrolling to Intune – Fig.3
Experience on Azure – Intune Portal for Windows 10 Restriction
The Windows 10 enrolled device was NOT listed in Intune – All Devices (Microsoft Azure – Microsoft Intune – Devices – All Devices). However, the device was listed in Azure AD, as shown in the video tutorial.
The Windows 10 device was listed under Azure AD against the user’s devices (Microsoft Azure—Users and groups—All users > Kaith Nair). But, as you can see in the screenshot below, the Windows device is NOT MANAGED by INTUNE.
Hence, the device won’t receive any Intune policies or be managed through Intune. It also won’t have access to corporate mail, SharePoint, OneDrive, and Skype for Business.
NAME: Windows10_BYOD
ENABLED/DISABLED: Enabled
PLATFORM: Windows 10.0.15063.0
TRUST TYPE: Workplace
IS COMPLIANT: None
MANAGED BY: None
How to Block Windows Devices from Enrolling to Intune – Table 1
How to Block Windows Devices from Enrolling to Intune – Fig.4
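The check described above (a Windows device that is listed in Azure AD but missing from Intune – All Devices) can be run across a whole tenant export instead of one device at a time. The following is an added example, not part of the original post: it assumes device records exported from Microsoft Graph, uses the field names of the Graph device and managedDevice resources, and runs on constructed sample records.

```python
# Added example, not from the original post. Field names follow the
# Microsoft Graph "device" (Azure AD) and "managedDevice" (Intune) resources;
# every record below is constructed sample data.

AAD_DEVICES = [  # shape of an Azure AD device export
    {"deviceId": "11111111-aaaa-4bbb-8ccc-000000000001",
     "displayName": "Windows10_BYOD", "accountEnabled": True,
     "operatingSystem": "Windows", "operatingSystemVersion": "10.0.15063.0",
     "trustType": "Workplace", "isCompliant": None, "isManaged": None},
    {"deviceId": "22222222-aaaa-4bbb-8ccc-000000000002",
     "displayName": "WIN10-ENROLLED-EARLIER", "accountEnabled": True,
     "operatingSystem": "Windows", "operatingSystemVersion": "10.0.15063.0",
     "trustType": "Workplace", "isCompliant": True, "isManaged": True},
    {"deviceId": "33333333-aaaa-4bbb-8ccc-000000000003",
     "displayName": "SAMPLE-IPHONE", "accountEnabled": True,
     "operatingSystem": "iOS", "operatingSystemVersion": "10.3.2",
     "trustType": "Workplace", "isCompliant": True, "isManaged": True},
]

INTUNE_DEVICES = [  # shape of an Intune managed device export
    # Upper-case GUID on purpose: exports do not agree on casing.
    {"deviceName": "WIN10-ENROLLED-EARLIER",
     "azureADDeviceId": "22222222-AAAA-4BBB-8CCC-000000000002"},
    {"deviceName": "SAMPLE-IPHONE",
     "azureADDeviceId": "33333333-aaaa-4bbb-8ccc-000000000003"},
]


def _norm(guid):
    """GUIDs compare case-insensitively; normalise before matching."""
    return (guid or "").strip().lower()


def _flag(value):
    """Render a tri-state boolean the way the portal column shows it."""
    return "None" if value is None else ("Yes" if value else "No")


def unmanaged_windows_devices(aad_devices, intune_devices):
    """Return Windows devices that exist in Azure AD but not in Intune."""
    enrolled = {_norm(d.get("azureADDeviceId")) for d in intune_devices}
    enrolled.discard("")  # records without an Azure AD ID must not match
    rows = []
    for dev in aad_devices:
        if not (dev.get("operatingSystem") or "").lower().startswith("windows"):
            continue
        if _norm(dev.get("deviceId")) in enrolled:
            continue
        rows.append({
            "NAME": dev.get("displayName"),
            "ENABLED/DISABLED": "Enabled" if dev.get("accountEnabled") else "Disabled",
            "PLATFORM": f'{dev.get("operatingSystem")} {dev.get("operatingSystemVersion")}',
            "TRUST TYPE": dev.get("trustType"),
            "IS COMPLIANT": _flag(dev.get("isCompliant")),
            # isManaged set without an Intune record points at another MDM
            # or a stale directory object; flag it for follow-up.
            "MANAGED BY": "Not Intune (check)" if dev.get("isManaged") else "None",
        })
    return rows


if __name__ == "__main__":
    for row in unmanaged_windows_devices(AAD_DEVICES, INTUNE_DEVICES):
        print(" | ".join(f"{k}: {v}" for k, v in row.items()))
```

Devices reported here are registered in the directory but receive no Intune policies, which is the expected result once the Device Type restriction blocks Windows enrollment.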
Let’s discuss the Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706. I continue to produce comparison videos with every production release of SCCM CB.
This post helps you go through the “Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706.” The previous week was busy because of the SCCM CB preview and production version release.
Being on a business trip didn’t stop me from upgrading my LAB environment to the SCCM CB 1706 production version. In this post, you will find all the details of the Feature Comparison Video between SCCM ConfigMgr CB 1702 and 1706.
The post provides a look at the differences and improvements between the two versions, helping you understand what has changed and how the updates can benefit your system management.
Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706
In the comparison video tutorial, we see the SCCM console GUI changes. What are the new nodes added to the 1706 console? We also see some deep dives into new features, tools, and settings introduced in the SCCM CB 1706 version.
Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706
Console: SCCM CB 1706
Version: 1706
Console version: 5:00.8540.1300
Site Version: 5.0.8540.1000
Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706 – Table 1
Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706 – Fig.1
Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706
SCCM CB 1706 has 24 features, whereas 1702 has only 21. Three new features were added in the SCCM CB 1706 production release. The important point to note here is that some pre-release features are still not ready for production release.
These are Cloud Management Gateway, Server Groups, TS Pre-Caching Device Guard, and Client Peer Cache, which are still in pre-release.
The new features introduced in SCCM CB 1706 are Create and Run Scripts, Surface Driver Updates, and PFX Create.
Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706 – Fig.2
Compare the New Tools and Features of SCCM CB 1706
Client Peer Cache support for express installation files for Windows 10 and Office 365. There are improvements for SQL Server Always On Availability Groups.
The Update Reset tool is released with the SCCM CB 1706 production version. The CMUpdateReset.exe tool helps to fix issues when in-console updates have problems downloading or replicating content to primary servers.
The SCCM CB 1706 production release includes improvements for software update points working with boundary groups.
Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706 – Fig.3
The integration of SCCM and Azure AD (AAD) has been improved. These improvements streamline how you configure the Azure services you use with SCCM and help you manage clients and users who authenticate through Azure AD.
There are some new Compliance Settings (Configuration Items) for Windows 10 Intune-managed clients. The updated/improved categories are Password, Device, Store, and Microsoft Edge.
For Android for Work configuration items, the descriptions of the “Allow data sharing between work and personal profile” settings have been updated.
NEW Compliance Policy Rules in SCCM CB 1706 Production Version
The following are very important compliance policies available in the SCCM CB 1706 version. Required Password Type: either Alphanumeric or Numeric is supported for Windows phones, Windows devices, and iOS.
The Block USB debugging on Devices, Block apps from unknown sources, and Require threat scan on apps compliance policies are supported for Android devices.
Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706 – Fig.4
New Additions in Application Management – SCCM CB 1706
We can deploy PowerShell Scripts from the SCCM CB 1706 console. Run scripts on collections of Windows client PCs and on-premises managed Windows PCs. The script runs in nearly REAL TIME on client devices.
NEW MAM Policy setting in SCCM CB 1706 – Block Screen Capture (only for Android), Disable contact sync, and Disable printing. Software Updates – Manage Microsoft Surface driver updates, which is ONLY possible when your SUPs are on SERVER 2016.
SCCM CB 1706 Security Improvement
SCCM CB 1706 can deploy Device Guard policy management. Device Guard is a group of Windows 10 features designed to protect PCs against malware and other untrusted software.
Let’s discuss the SCCM ConfigMgr CB 1707 Preview Upgrade Video Tutorial. The SCCM/ConfigMgr CB 1707 preview version was released last week. I enjoyed upgrading my SCCM CB 1706 preview version to 1707.
As expected, this was a straightforward process for me. I didn’t see any issues during the upgrade process of SCCM CB 1707. We see the SCCM ConfigMgr CB 1707 Preview Upgrade Video Tutorial in this post.
Preview versions of SCCM CB should NOT be deployed to a production environment. This is similar to the Windows Insiders program, which helps SCCM admins test the new features of SCCM CB.
Before installing this technical preview version, you can review the limitations of the SCCM CB version.
SCCM 1707 Preview Guide Upgrade Process and New Feature Overview
In this video, you will find all the details about the SCCM 1707 Preview Guide Upgrade process and an overview of the new features. The guide will walk you through each step of the upgrade process, ensuring you understand how to implement it smoothly.
SCCM ConfigMgr CB 1707 Preview Upgrade Video Tutorial – Video 1
SCCM ConfigMgr CB 1707 Preview Upgrade Video Tutorial
The screenshot below provides a comprehensive look at the new features introduced in SCCM 1707, helping you make the most of the latest updates and improvements.
SCCM ConfigMgr CB 1707 Preview Upgrade Video Tutorial – Fig.1
What are the New Features Introduced in the SCCM CB 1707 Preview?
My favorite features of the SCCM CB 1707 preview version are Windows Defender application guard policies for Windows 10 RS3 and PowerShell Script parameter investments.
Client Peer Cache support for express installation files for Windows 10 and Office 365
Surface Device dashboard
Percent of Surfaces
Percent of Surface models
Top five operating system versions
Configure and deploy Windows Defender Application Guard policies for Windows 10 RS3
Add parameters when you deploy PowerShell scripts
Known Issues with SCCM CB 1707 Upgrade
The SCCM CB 1707 upgrade process has not changed much. It’s the same as the previous SCCM CB preview upgrades. New features have been introduced in this preview version. There are some known issues with the upgrade when you have installed a passive primary server.
The issue is only applicable to SCCM environments that run 1706 TP and use the site server always-on feature, which means a passive site server was configured.
Let’s discuss the SCCM Upgrade Guide Updates and Servicing Configuration Manager. Microsoft SCCM team released the production version of SCCM 1706. The SCCM 1706 updates are available as an in-console update for previously installed sites that run SCCM CB versions 1606, 1610, or 1702.
The secret is the continuous improvements that Microsoft SCCM PG (Product Group) implemented in SCCM CB. There are loads of things involved in a constant improvement story.
Step by Step Guide Upgrade Process of SCCM CB 1702 to 1706
In this video, you will learn everything you need about upgrading the SCCM Current Branch from version 1702 to 1706. The guide breaks down the process into easy-to-follow steps. You’ll get clear instructions on preparing for the upgrade, running the upgrade, and verifying the upgrade’s success.
SCCM Upgrade Guide Updates and Servicing Configuration Manager – Video 1
What is the Secret of the SCCM Updates and Servicing Model?
This post will examine prerequisite checks during the console update and servicing process. SCCM PG uses feedback and telemetry data to improve prerequisite checks.
SCCM Upgrade Guide Updates and Servicing Configuration Manager – Fig.1
Why are the Prerequisite Checks Important in the Updates & Servicing Model?
Prerequisite checks are essential parts of the SCCM CB updates and servicing framework. Do you know how many prerequisite checks there are in this framework? The SCCM CB updates and servicing framework has a prerequisite checker that validates whether the entire SCCM CB infra is ready for an in-place upgrade. Hence, it can ensure a 99% success rate for the upgrade.
The release of SCCM CB 1706 includes 62 prerequisite checks. I never knew that the SCCM CB upgrade process involves 62 reviews to ensure that everything is OK before starting the upgrade.
I have listed all the checks included in the production version of SCCM CB 1706. The prerequisite checks cover CAS, Primary servers, and remote site systems servers.
It also includes SQL version, Collation settings, and Replication link verification. The SCCM CB prerequisite checks also cover configurations that are unsupported in an SCCM CB environment (NAP, System Health Validation Point).
List of SCCM 1706 Prerequisites
Let’s discuss the list of SCCM 1706 Prerequisites. The list below helps you understand the SCCM Prerequisites.
Upgrade Assessment Toolkit is no longer supported
Administrative rights on site system
Administrative rights on the central administration site
Connection to SQL server on CAS
Check Server Service is Running
Domain Membership
Active Directory Domain Functional Level Checks
Free Disk space on site server
Pending System Restart
Read-Only Domain Controller
Site Server FQDN Length
Microsoft XML Core Services 6.0(MSXML6.0)
Windows Server 2003-based schannel hotfix
Microsoft Remote Differential Compression (RDC) library is registered on the computer specified for SCCM site server installation.
Microsoft Windows Installer
Existing SCCM server component installed on target site server
Firewall Exceptions for SQL Server
Firewall Exception for SQL server (Standalone primary)
SQL server service running account
Dedicated SQL Server Instance
Parent/Child database collation
Minimum .NET Framework version for SCCM
Windows Deployment Tools Installed
User State Migration Tool (USMT) installed
Primary FQDN
Site Code in Use
Verify CAS version
Required SQL Server Collation
Backlogged Inboxes
DP package version
SQL Server Database collation
Share Name in Package
Software Update Point in NLB configuration
Migration active source hierarchy
Unsupported upgrade path
Active Replica MP
Parent Site replication status
Unsupported site system role “Out of band service point.”
The System health Validation point site system role is NO longer supported
Network Access Protection (NAP) is no longer supported
Verify Database Consistency
SQL Server Sysadmin rights
SQL server admin rights for reference site
Site Server computer account administrative rights
SQL Server Version
SQL Server Edition
SQL Server TCP port
Case-insensitive collation on SQL server
Validate FQDN of SQL server computer
Windows Failover Cluster
Windows PE Installed
SMS Provider machine has the same domain as the site server
Custom Client Agent Settings have NAP enabled
Default Client Agent Settings have NAP enabled
SQL Availability group configured for the readable secondary server
SQL Availability group configured for manual failover
SQL Availability group configured on the default instance
SQL Index Create Memory option
SQL Server Supported version
Unsupported site server operating system version for setup
Unsupported Operating System version for Site System Role
SUP using a Load Balancer(NLB/HLB)is no longer supported
Let’s discuss the Security Compliance Manager SCM Installation Video Configuration Manager. Security Compliance Manager (SCM) provides security baseline management for organizations.
This post will see the Security Compliance Manager Installation Video Guide. SCM helps accelerate your organization’s ability to manage the security and compliance process efficiently.
SCM is mainly used to set up Microsoft technologies’ security and compliance baselines. It includes support for Server Operating Systems, Client Operating Systems, IE, Office, Exchange, and Microsoft MCS USGCB (United States Government Configuration Baseline). The Security Compliance Manager Installation Video helps to install and configure SCM v4.
SCM 4.0 adds support for Windows 10 and Server 2016 baselines and includes bug fixes. SCM enables you to quickly configure and manage computers and your private cloud using Group Policy and SCCM.
Microsoft Visual C++ 2010 Redistributable, .NET Framework 3.5, and SQL Server 2008 Express are installed during SCM installation. This software is a prerequisite for SCM.
Security Compliance Manager SCM Installation Video Configuration Manager
We need to install .NET Framework 3.5 on Windows 10 machines, as Windows 10 comes with the .NET Framework 4.0 version. There is some surprising news about the future of SCM releases from Microsoft at the bottom of this post.
Security Compliance Manager SCM Installation Video Configuration Manager – Fig.1
SCM V4 Installation and Importing of Default Baselines
The first step after installing SCM is importing all the default baselines to the database. Default baselines are Windows 7, Windows 2012, Exchange, and Internet Explorer.
The Windows 10 and Server 2016 baselines will not be automatically imported to the SCM DB. We must manually import the Windows 10 1607, Server 2016, and Server 2012 R2 baselines to the SCM DB.
Security Compliance Manager SCM Installation Video Configuration Manager – Fig.2
Download Windows 10 1607 Baseline
From the SCM V 4.0 version home page, we can select “Download Microsoft Baseline automatically” to download and import the Windows 10 1607 baseline.
This is explained in the video tutorial. Windows 10 1607 Security compliance baseline contains BitLocker Security, Computer security compliance, Credential guard security, Domain security compliance, and user security compliance.
Security Compliance Manager SCM Installation Video Configuration Manager – Fig.3
Define Security Policy for your Organization
Windows 10 1607 domain security compliance 1.0 has many critical severity settings. This page of SCM shows us the default values of Windows 10 1607 and gives us Microsoft’s recommended value for each security setting. This baseline has two groups of settings: account lock and password attribute.
If I take an example of “Password attributes” –> Minimum Password age, there are three values: 1. Default, 2. Microsoft, and 3. Customized. For example, the values of the Microsoft column in the Windows 10 1607 baseline are the ones I would like to implement as security policies for an organization.
Security Compliance Manager SCM Installation Video Configuration Manager – Fig.4