SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr

Let’s understand the ConfigMgr Tenant Attach Troubleshooting Issues via Logs, and Tenant Attach Background Process Walkthrough via Log files. You can initiate many client actions from the Intune portal without connecting to the ConfigMgr console.

In this post, I will use a CMPivot query as an example to understand the background process using SCCM logs. I’m initiating a CMPivot query from the admin centre (Intune) portal.

Configuration Manager can record process information in log files for client and site server components. These log files help troubleshoot any issues that may arise. Configuration Manager automatically enables logging for client and server components.

The Configuration Manager CMPivot tool allows us to assess the state of devices quickly. When a query is executed against a device collection, CMPivot promptly runs the query in real time on all currently connected (online) devices within the selected collection.

Patch My PC
Index
Tenant Attach Troubleshooting
Process – Tenant Attach Troubleshooting
CMGatewayNotificationWorker.log
AdminService.log
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr – Table 1

Tenant Attach Troubleshooting

Let’s understand how SCCM/ConfigMgr authenticates the user who initiated the task from the cloud console (Intune portal). Find answers to the following queries: Do we have the tenant ID and all the other details stored in ConfigMgr log files? Or Can we see the CMPivot query details in the log files, etc.?

  • CMPivot query against the resource highlighted below:
    • Name – Prod-Win20
    • Resource ID – 16777219
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr - Fig.1
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr – Fig.1
  • How do you initiate a CMPivot query from the Intune portal?
    • Once initiated, check out the logs below to understand the background process:
    • Click on the Run button.
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr - Fig.2
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr – Fig.2

ProcessTenant Attach Troubleshooting

To understand the process, you must monitor two main log files (more details below). I think Admin Service (Microsoft.ConfigurationManager.AdminService) is the main thread that handles all the critical processes from the ConfigMgr server side.

Adaptiva

The communication between the SCCM server and Cloud gateways is managed by the thread called “SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker“.

CMGatewayNotificationWorker.log

Let’s use CMGatewayNotificationWorker.log to check and understand the background processes running on the SCCM server and cloud side. This log records all the coordinated activities between Intune and ConfigMgr (I think). If you disagree, let me know in the comments section.

When you initiate a CMPivot or any other Tenant attach operations (like Run Script, CMPivot, etc..), the SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker component gets the details of the activity from the cloud services like Intune.

Create a web request using the US gateway of ConfigMgr for the CMPivot query initiated from the Intune portal (a.k.a. admin centre). Note the resource ID of the device 16777219 to identify the workflow.

Sending AdminService request with URL: https://cmmemcm.memcm.com/AdminService/v1.0/Device(16777219)/AdminService.RunCMPivot
Using direct connection to URL 'https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification
Authenticating with web service at: https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification
Getting web response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification for new notifications…
Creating web request to: https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification Method: GET Activity ID: b6c22581-5257-4769-af90-aa3fcabaa84a
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr - Fig.3
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr – Fig.3

Now, let’s check the completion of the process on the ConfigMgr gateway in the cloud using the log file (CMGatewayNotificationWorker.log) from your SCCM server.

I can see a warning from the CM Gateway Notification worker and an error 404 (0x80131509) stating that “The remote server returned an error: (404) Not Found”. However, I don’t see any blocking issue with this warning. You can ignore it for now.

[Warning][CMGatewayNotificationWorker][0][System.Net.WebException][0x80131509]
The remote server returned an error: (404) Not Found. at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.ConfigurationManager.CloudBase.ODataServiceCaller.HttpCallerWithCustomCertValidation.d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.ConfigurationManager.ServiceConnector.AdminServiceCaller.d__9.MoveNext()
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr - Fig.4
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr – Fig.4

You can get the tenant to attach an activity ID, Status code, Result ID, etc.. from the following log file: CMGatewayNotificationWorker.log.

In my experience, activity ID helps Microsoft support engineers troubleshoot issues from the cloud. I don’t think an average SCCM admin will have access to check the CM gateway-related logs related to tenant attachment.

  • Notification Results are shared with Gateway servers.
  • Activity ID details are provided.
  • Status Code 200 (OK) – The operation is completed successfully.
[Patched https://us.gateway.configmgr.manage.microsoft.com/api/gateway/NotificationResult(TenantId=d61fa037XXXX29df,NotificationId=145d2046-d675-4458-b239-05d39d31e0d3) for notification result with ID: 145d2046-d675-4458-b239-05d39d31e0d3]
[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 200 (OK)
Response status code: 200 (OK) Activity ID: a7e9d4e1-9e36-48c6-8de4-9f158ad19b52

AdminService.log

Admin Service (Microsoft.ConfigurationManager.AdminService) is the main thread that handles all the critical processes from the ConfigMgr server side.

Let’s check the AdminService.log to initiate the request using the CMPivot query from the Intune portal. This log snippet gives more details about the remote port and IP address it’s using.

It also gives you more details about the action initiated from the cloud side (admin centre/Intune portal). In this scenario, it was a CMPivot query against the resource with ID 16777219.

This adminservice.log provides more details about authentication, CMPivot queries, and permission details for admin users.

Processing incoming request for resource https://cmmemcm.memcm.com/AdminService/v1.0/Device(16777219)/AdminService.RunCMPivot
Context: RemoteIpAddress= fe80::7011:3441:e910:1b04%3
Context: RemotePort=65076
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr - Fig.5
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr – Fig.5

The AdminService.log confirms whether the CMPivot or any other ConfigMgr Tenant attach channel operations are working fine. The log snippet also helps you troubleshoot tenant-attach operations-related issues.

  • I am successfully validating the request.
  • Authenticating user details and SCCM access to the user is done.
  • CMPivot query details are also stored in AdminService.log.
  • Job ID details for the CMPivot query.
  • Response code = 200 completed the operation.
Received request from Service Connection Point
Successfully validated request from Service Connection Point
Successfully validated user [e9c9edXXXXXe66ca1] from tenant [d61fa03XXXXX529df]
Provider authentication level and exception list up to date
User MEMCM\anoop is allowed because it is validated with current authentication level Default
Get instance of Device with key '16777219'
User MEMCM\anoop has permission to run CMPivot on device 16777219
Input Query: QuickFixEngineering | where InstalledOn >= ago(220d)
User MEMCM\anoop successfully created a job to deploy a CMPivot script to device 16777219 (PROD-WIN20). Job ID is 16777275
Completing request with response code [200] reason [OK]
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr - Fig.6
SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr – Fig.6

Resources

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

1 thought on “SCCM Tenant Attach Troubleshooting Issues via Logs | ConfigMgr”

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.