Let’s understand the ConfigMgr Tenant Attach Troubleshooting Issues via Logs, and Tenant Attach Background Process Walkthrough via Log files. You can initiate many client actions from the Intune portal without connecting to the ConfigMgr console.
In this post, I will use a CMPivot query as an example to understand the background process using SCCM logs. I’m initiating a CMPivot query from the admin centre (Intune) portal.
Configuration Manager can record process information in log files for client and site server components. These log files help troubleshoot any issues that may arise. Configuration Manager automatically enables logging for client and server components.
The Configuration Manager CMPivot tool allows us to assess the state of devices quickly. When a query is executed against a device collection, CMPivot promptly runs the query in real time on all currently connected (online) devices within the selected collection.
Index |
---|
Tenant Attach Troubleshooting |
Process – Tenant Attach Troubleshooting |
CMGatewayNotificationWorker.log |
AdminService.log |
- Fix ConfigMgr Tenant Attach Error 401 403 | Missing Config| SCCM
- SCCM Tenant Attach Step-by-Step Guide Troubleshooting
- What Is ConfigMgr SCCM Tenant Attach Architecture?
Tenant Attach Troubleshooting
Let’s understand how SCCM/ConfigMgr authenticates the user who initiated the task from the cloud console (Intune portal). Find answers to the following queries: Do we have the tenant ID and all the other details stored in ConfigMgr log files? Or Can we see the CMPivot query details in the log files, etc.?
- CMPivot query against the resource highlighted below:
- Name – Prod-Win20
- Resource ID – 16777219
- How do you initiate a CMPivot query from the Intune portal?
- Once initiated, check out the logs below to understand the background process:
- Click on the Run button.
Process – Tenant Attach Troubleshooting
To understand the process, you must monitor two main log files (more details below). I think Admin Service (Microsoft.ConfigurationManager.AdminService) is the main thread that handles all the critical processes from the ConfigMgr server side.
The communication between the SCCM server and Cloud gateways is managed by the thread called “SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker“.
CMGatewayNotificationWorker.log
Let’s use CMGatewayNotificationWorker.log to check and understand the background processes running on the SCCM server and cloud side. This log records all the coordinated activities between Intune and ConfigMgr (I think). If you disagree, let me know in the comments section.
When you initiate a CMPivot or any other Tenant attach operations (like Run Script, CMPivot, etc..), the SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker component gets the details of the activity from the cloud services like Intune.
Create a web request using the US gateway of ConfigMgr for the CMPivot query initiated from the Intune portal (a.k.a. admin centre). Note the resource ID of the device 16777219 to identify the workflow.
Sending AdminService request with URL: https://cmmemcm.memcm.com/AdminService/v1.0/Device(16777219)/AdminService.RunCMPivot Using direct connection to URL 'https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification Authenticating with web service at: https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification Getting web response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification for new notifications… Creating web request to: https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification Method: GET Activity ID: b6c22581-5257-4769-af90-aa3fcabaa84a
Now, let’s check the completion of the process on the ConfigMgr gateway in the cloud using the log file (CMGatewayNotificationWorker.log) from your SCCM server.
I can see a warning from the CM Gateway Notification worker and an error 404 (0x80131509) stating that “The remote server returned an error: (404) Not Found”. However, I don’t see any blocking issue with this warning. You can ignore it for now.
[Warning][CMGatewayNotificationWorker][0][System.Net.WebException][0x80131509] The remote server returned an error: (404) Not Found. at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func
2 endFunction, Action1 endAction, Task
1 promise, Boolean requiresSynchronization) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.ConfigurationManager.CloudBase.ODataServiceCaller.HttpCallerWithCustomCertValidation.d__8.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.ConfigurationManager.ServiceConnector.AdminServiceCaller.d__9.MoveNext()
You can get the tenant to attach an activity ID, Status code, Result ID, etc.. from the following log file: CMGatewayNotificationWorker.log.
In my experience, activity ID helps Microsoft support engineers troubleshoot issues from the cloud. I don’t think an average SCCM admin will have access to check the CM gateway-related logs related to tenant attachment.
- Notification Results are shared with Gateway servers.
- Activity ID details are provided.
- Status Code 200 (OK) – The operation is completed successfully.
[Patched https://us.gateway.configmgr.manage.microsoft.com/api/gateway/NotificationResult(TenantId=d61fa037XXXX29df,NotificationId=145d2046-d675-4458-b239-05d39d31e0d3) for notification result with ID: 145d2046-d675-4458-b239-05d39d31e0d3] [GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 200 (OK) Response status code: 200 (OK) Activity ID: a7e9d4e1-9e36-48c6-8de4-9f158ad19b52
AdminService.log
Admin Service (Microsoft.ConfigurationManager.AdminService) is the main thread that handles all the critical processes from the ConfigMgr server side.
Let’s check the AdminService.log to initiate the request using the CMPivot query from the Intune portal. This log snippet gives more details about the remote port and IP address it’s using.
It also gives you more details about the action initiated from the cloud side (admin centre/Intune portal). In this scenario, it was a CMPivot query against the resource with ID 16777219.
This adminservice.log provides more details about authentication, CMPivot queries, and permission details for admin users.
Processing incoming request for resource https://cmmemcm.memcm.com/AdminService/v1.0/Device(16777219)/AdminService.RunCMPivot Context: RemoteIpAddress= fe80::7011:3441:e910:1b04%3 Context: RemotePort=65076
The AdminService.log confirms whether the CMPivot or any other ConfigMgr Tenant attach channel operations are working fine. The log snippet also helps you troubleshoot tenant-attach operations-related issues.
- I am successfully validating the request.
- Authenticating user details and SCCM access to the user is done.
- CMPivot query details are also stored in AdminService.log.
- Job ID details for the CMPivot query.
- Response code = 200 completed the operation.
Received request from Service Connection Point Successfully validated request from Service Connection Point Successfully validated user [e9c9edXXXXXe66ca1] from tenant [d61fa03XXXXX529df] Provider authentication level and exception list up to date User MEMCM\anoop is allowed because it is validated with current authentication level Default Get instance of Device with key '16777219' User MEMCM\anoop has permission to run CMPivot on device 16777219 Input Query: QuickFixEngineering | where InstalledOn >= ago(220d) User MEMCM\anoop successfully created a job to deploy a CMPivot script to device 16777219 (PROD-WIN20). Job ID is 16777275 Completing request with response code [200] reason [OK]
Resources
- SCCM CMPivot Query Patches Installed in Last 90 Days | ConfigMgr
- How to use Resource Explorer to view hardware inventory in Configuration Manager
- Tenant attach: Resource explorer in the admin center (preview)
We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
All of my logs look like yours except intune is saying the connector is “Unknown” and “Unhealthy,” any thoughts?