Let’s understand how SCCM/ConfigMgr authenticates the user who initiated a task from the cloud console (Intune portal), and answer the following questions: Are the tenant ID and the other request details stored in the ConfigMgr log files? Can we see the CMPivot query itself in the log files?
- CMPivot query against the resource highlighted below:
  - Name – Prod-Win20
  - Resource ID – 16777219
- How to initiate a CMPivot query from the Intune portal?
- Once initiated, check out the logs below to understand the background process:
- Click on the Run button.
There are two main log files (more details below) that you need to monitor to understand the process. I think Admin Service (Microsoft.ConfigurationManager.AdminService) is the main thread that handles all the key processes from the ConfigMgr server side.
The communication between the SCCM server and the cloud gateways is managed by the component called “SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker”.
Let’s check and understand the background processes running on the SCCM server and the cloud side using CMGatewayNotificationWorker.log. All the coordinated activities between Intune and ConfigMgr are recorded in this log (I think). If you don’t agree with this statement, let me know in the comments section.
When you initiate a CMPivot query or any other tenant attach operation (such as Run Script, CMPivot, etc.), the SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker component fetches the details of the activity from the cloud services such as Intune.
A web request is created using the US gateway of ConfigMgr for the CMPivot query initiated from the Intune portal (a.k.a. the admin center). Make a note of the resource ID of the device, 16777219, to identify the workflow in the log.
Sending AdminService request with URL: https://cmmemcm.memcm.com/AdminService/v1.0/Device(16777219)/AdminService.RunCMPivot
Using direct connection to URL 'https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification
Authenticating with web service at: https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification
Getting web response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification for new notifications…
Creating web request to: https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification Method: GET Activity ID: b6c22581-5257-4769-af90-aa3fcabaa84a
Now, let’s check the completion of the process on the ConfigMgr gateway in the cloud using the log file (CMGatewayNotificationWorker.log) from your SCCM server.
I can see a warning from the CM Gateway Notification worker and a 404 error (0x80131509) stating that “The remote server returned an error: (404) Not Found”. However, I don’t see any blocking issue with this warning; you can just ignore it for now.
[Warning][CMGatewayNotificationWorker][System.Net.WebException][0x80131509] The remote server returned an error: (404) Not Found.
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.ConfigurationManager.CloudBase.ODataServiceCaller.HttpCallerWithCustomCertValidation.d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.ConfigurationManager.ServiceConnector.AdminServiceCaller.d__9.MoveNext()
You can get the tenant attach activity ID, status code, result ID, etc. from the same log file, CMGatewayNotificationWorker.log.
In my experience, the activity ID helps Microsoft support engineers troubleshoot things from the cloud side. I don’t think a normal SCCM admin will have access to check the CM gateway logs related to tenant attach.
- Notification results are shared with the gateway servers.
- Activity ID details are provided.
- Status Code 200 (OK) – This means the operation completed successfully.
[Patched https://us.gateway.configmgr.manage.microsoft.com/api/gateway/NotificationResult(TenantId=d61fa037XXXX29df,NotificationId=145d2046-d675-4458-b239-05d39d31e0d3) for notification result with ID: 145d2046-d675-4458-b239-05d39d31e0d3]
[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 200 (OK)
Response status code: 200 (OK) Activity ID: a7e9d4e1-9e36-48c6-8de4-9f158ad19b52
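Reading this log by hand works for one request, but when you need to confirm that a batch of tenant attach notifications actually completed (result PATCHed back to the gateway, gateway answered 200) and that the 404 warning really was harmless, a small parser helps. The following is an added example, not code from the page or from the ConfigMgr product: it extracts the resource ID and action from the AdminService request line, the activity IDs, any `[Warning]` entries with their HRESULT and HTTP code, the `NotificationResult(TenantId=…,NotificationId=…)` PATCH, and the gateway status codes, then decides whether the request completed and whether the warnings are worth escalating. The sample log text is constructed from the excerpts quoted above (same IDs, masked tenant ID); the line order and the exact line-splitting of the log are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entries modelled on the CMGatewayNotificationWorker.log
# excerpts quoted on the page. Resource ID, activity IDs, notification ID and
# the masked tenant ID are the page's own values; the line order is assumed.
SAMPLE_GATEWAY_LOG = """\
Sending AdminService request with URL: https://cmmemcm.memcm.com/AdminService/v1.0/Device(16777219)/AdminService.RunCMPivot
Creating web request to: https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification Method: GET Activity ID: b6c22581-5257-4769-af90-aa3fcabaa84a
[Warning][CMGatewayNotificationWorker][System.Net.WebException][0x80131509] The remote server returned an error: (404) Not Found.
[Patched https://us.gateway.configmgr.manage.microsoft.com/api/gateway/NotificationResult(TenantId=d61fa037XXXX29df,NotificationId=145d2046-d675-4458-b239-05d39d31e0d3) for notification result with ID: 145d2046-d675-4458-b239-05d39d31e0d3]
[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 200 (OK)
Response status code: 200 (OK) Activity ID: a7e9d4e1-9e36-48c6-8de4-9f158ad19b52
"""

RE_ADMINSVC = re.compile(r"AdminService request with URL: (?P<url>\S+)")
RE_DEVICE_ACTION = re.compile(r"Device\((?P<rid>\d+)\)/AdminService\.(?P<action>\w+)")
RE_ACTIVITY = re.compile(r"Activity ID: (?P<aid>[0-9a-fA-F-]{36})")
RE_WARNING = re.compile(
    r"^\[Warning\]\[(?P<component>[^\]]+)\]\[(?P<exception>[^\]]+)\]"
    r"\[(?P<hresult>0x[0-9A-Fa-f]+)\]\s*(?P<message>.*)$"
)
RE_HTTP_IN_MSG = re.compile(r"\((?P<code>\d{3})\)")
RE_PATCHED = re.compile(
    r"NotificationResult\(TenantId=(?P<tenant>[^,]+),NotificationId=(?P<nid>[^)]+)\)"
)
# Matches both "... is: 200 (OK)" and "Response status code: 200 (OK)".
RE_STATUS = re.compile(r"(?:is|code): (?P<code>\d{3}) \((?P<reason>[^)]+)\)")


@dataclass
class GatewaySummary:
    """What one pass over the log tells us about a tenant attach request."""
    requests: list = field(default_factory=list)      # (resource_id, action)
    activity_ids: list = field(default_factory=list)  # in order of appearance
    warnings: list = field(default_factory=list)      # (hresult, http_code or None, message)
    results: list = field(default_factory=list)       # (tenant_id, notification_id)
    status_codes: list = field(default_factory=list)  # HTTP codes in gateway replies

    def completed(self) -> bool:
        # A result was PATCHed back to the gateway and the gateway answered 200.
        return bool(self.results) and 200 in self.status_codes

    def warnings_are_blocking(self) -> bool:
        # Warnings are noise when the request still completed; escalate otherwise.
        return bool(self.warnings) and not self.completed()


def parse_gateway_log(text: str) -> GatewaySummary:
    summary = GatewaySummary()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RE_ADMINSVC.search(line):
            if d := RE_DEVICE_ACTION.search(m.group("url")):
                summary.requests.append((d.group("rid"), d.group("action")))
        if m := RE_ACTIVITY.search(line):
            summary.activity_ids.append(m.group("aid").lower())
        if m := RE_WARNING.match(line):
            http = RE_HTTP_IN_MSG.search(m.group("message"))
            code = int(http.group("code")) if http else None
            summary.warnings.append((m.group("hresult"), code, m.group("message")))
        if m := RE_PATCHED.search(line):
            summary.results.append((m.group("tenant"), m.group("nid")))
        if m := RE_STATUS.search(line):
            summary.status_codes.append(int(m.group("code")))
    return summary


if __name__ == "__main__":
    s = parse_gateway_log(SAMPLE_GATEWAY_LOG)
    print("requests:         ", s.requests)
    print("activity IDs:     ", s.activity_ids)
    print("results:          ", s.results)
    print("status codes:     ", s.status_codes)
    print("warnings:         ", [(h, c) for h, c, _ in s.warnings])
    print("completed:        ", s.completed())
    print("blocking warnings:", s.warnings_are_blocking())
```

Keep the activity IDs from `activity_ids` with your support ticket; as the post notes, they are what Microsoft support uses to find the matching request on the cloud side. If `warnings_are_blocking()` comes back true for a request, that is the case where the 404 should not be ignored.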
Admin Service (Microsoft.ConfigurationManager.AdminService) is the main thread that handles all the key processes from the ConfigMgr server side.
Let’s check AdminService.log for the request initiated by the CMPivot query from the Intune portal. This log snippet gives more details about the remote port used and the remote IP address.
It also tells you more about the action initiated from the cloud side (admin center/Intune portal). In this scenario, it was a CMPivot query against the resource with ID 16777219.
AdminService.log also provides more details about the authentication, the CMPivot query, and the permissions of the admin user.
Processing incoming request for resource https://cmmemcm.memcm.com/AdminService/v1.0/Device(16777219)/AdminService.RunCMPivot
Context: RemoteIpAddress= fe80::7011:3441:e910:1b04%3
Context: RemotePort=65076
AdminService.log confirms whether CMPivot or any other operation through the ConfigMgr tenant attach channel is working fine. The log snippet also helps you troubleshoot issues with tenant attach operations.
- The request is validated successfully.
- The user details are authenticated successfully, and the user’s SCCM access is checked.
- The CMPivot query text is also stored in AdminService.log.
- The Job ID of the CMPivot query is recorded.
- Response code 200 means the operation completed successfully.
Received request from Service Connection Point
Successfully validated request from Service Connection Point
Successfully validated user [e9c9edXXXXXe66ca1] from tenant [d61fa03XXXXX529df]
Provider authentication level and exception list up to date
User MEMCM\anoop is allowed because it is validated with current authentication level Default
Get instance of Device with key '16777219'
User MEMCM\anoop has permission to run CMPivot on device 16777219
Input Query: QuickFixEngineering | where InstalledOn >= ago(220d)
User MEMCM\anoop successfully created a job to deploy a CMPivot script to device 16777219 (PROD-WIN20). Job ID is 16777275
Completing request with response code  reason [OK]