Channel: SQL Queries – All about Microsoft Endpoint Manager

How to find ConfigMgr client boundary and boundary group details based on boundary group caching


Use boundary groups in Configuration Manager to logically organize related network locations (boundaries) so that your infrastructure is easier to manage. You must assign boundaries to a boundary group before clients can use it.

Clients use a boundary group for:

  • Automatic site assignment
  • To find a site system server that can provide a service, including:
    • Distribution points for content location
    • Software update points
    • State migration points
    • Preferred management points
    • Cloud management gateway (starting in version 1902)

Boundary group caching was introduced with the first version of Configuration Manager (ConfigMgr) Current Branch (CB): version 1511. For more information about boundary group caching and how it works, please read https://home.configmgrftw.com/boundary-group-caching-and-missing-boundaries-in-configmgr/

If you have configured boundaries and assigned them to a boundary group that has site system roles, the client stores this information in the WMI namespace root\ccm\LocationServices, in the class BoundaryGroupCache.

If a client falls within a boundary (AD site, IP subnet or IP address range) that has not been added to any boundary group, the client will have no boundary group cache information in WMI.

In my previous blog post, I talked about how to find missing boundaries using an SSRS report, and about troubleshooting based on boundary group caching. For more information, please read here

In this blog post, I am bringing you another SSRS report to find the boundary group and its assignment details for a client device, based on the boundary group caching information from its last inventory.

Knowing a client's boundary group details is important for troubleshooting. With this report you can quickly look up which boundary group a client belongs to and which boundaries are in it.

This blog assumes that you have extended hardware inventory as per Jason's blog post and that the clients have sent their hardware inventory successfully.

What if you don't want to extend hardware inventory, but still need to find the clients that are missing from boundary groups? You can do that with a compliance baseline; my next blog post will cover that (CI/CB).

Now that you have extended the hardware inventory, you should have the following SQL view, populated with data.

--To see the boundary group cache data of clients (top 10 rows)

select top 10 * From v_GS_BOUNDARYGROUPCACHE bgc


In the output, some clients have two boundary group IDs, which means the client is a member of two boundary groups. There can be more than two, depending on how you configure boundary groups in your infrastructure.

Now, if you want to use this information in a report of client boundary group assignments, we need to convert these multi-valued strings into one row per value.

Jason's blog post uses the STRING_SPLIT function, which is available only at compatibility level 130 (SQL Server 2016 and above).

My lab is running on SQL Server 2014 and STRING_SPLIT does not work. What other methods do I have to convert the values to rows?

Another approach is to use the XML method with CROSS APPLY to split comma-separated data:

Following is the SQL code that does the job.

SELECT DISTINCT A.ResourceID, REPLACE(Split.a.value('.', 'NVARCHAR(MAX)'), ' ', '') AS GroupID
FROM (  -- wrap each comma-separated ID in <X> tags so .nodes() can return one row per ID
    SELECT bgc.ResourceID, CAST('<X>' + REPLACE(bgc.BoundaryGroupIDs0, ',', '</X><X>') + '</X>' AS XML) AS String
    FROM v_GS_BOUNDARYGROUPCACHE bgc
) AS A CROSS APPLY A.String.nodes('/X') AS Split(a)

The above SQL code works on SQL Server 2014 and above. I have not tested anything lower than 2014, but it should work.

We now have the complete client details with their boundary group IDs.

We will now use these boundary group IDs and join them with other SQL views to get the information we need.

I have used the following SQL views to fetch the relevant info.

vSMS_BoundaryGroupSiteSystems: stores the site systems associated with each boundary group

vSMS_BoundaryGroup: stores the boundary group details

vSMS_BoundaryGroupMembers: stores the boundary-to-boundary-group membership
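Putting the pieces together, here is one way to write the report query the post describes. This is an added example, not the post's downloadable report. It assumes v_GS_BOUNDARYGROUPCACHE exposes ResourceID and BoundaryGroupIDs0 as shown above, and the standard view columns vSMS_BoundaryGroup (GroupID, Name, DefaultSiteCode), vSMS_BoundaryGroupMembers (GroupID, BoundaryID), vSMS_Boundary (BoundaryID, DisplayName, BoundaryType, Value) and vSMS_BoundaryGroupSiteSystems (GroupID, ServerNALPath); the computer name PC001 is a placeholder. It reuses the XML split from above, which is safe here because the IDs are digits; a value containing '<' or '&' would fail the CAST to XML. On SQL Server 2016 and above at compatibility level 130 you can replace the split subquery with STRING_SPLIT.

```sql
-- Added example (not the post's own report): boundary group assignment details for one computer.
-- Assumes the view and column names listed in the lead-in; @Computer is a placeholder.
DECLARE @Computer NVARCHAR(64) = N'PC001';

;WITH ClientGroups AS (
    -- one row per (client, boundary group ID), split out of the comma-separated cache value
    SELECT DISTINCT
        bgc.ResourceID,
        CAST(REPLACE(Split.a.value('.', 'NVARCHAR(MAX)'), ' ', '') AS INT) AS GroupID
    FROM (
        SELECT ResourceID,
               CAST('<X>' + REPLACE(BoundaryGroupIDs0, ',', '</X><X>') + '</X>' AS XML) AS String
        FROM v_GS_BOUNDARYGROUPCACHE
        WHERE BoundaryGroupIDs0 IS NOT NULL
    ) AS bgc
    CROSS APPLY bgc.String.nodes('/X') AS Split(a)
),
GroupSiteSystems AS (
    -- collapse the site systems of each boundary group into one comma-separated value
    SELECT bgss.GroupID,
           STUFF((SELECT ', ' + s.ServerNALPath
                  FROM vSMS_BoundaryGroupSiteSystems s
                  WHERE s.GroupID = bgss.GroupID
                  FOR XML PATH(''), TYPE).value('.', 'NVARCHAR(MAX)'), 1, 2, '') AS SiteSystems
    FROM vSMS_BoundaryGroupSiteSystems bgss
    GROUP BY bgss.GroupID
)
SELECT sys.Netbios_Name0        AS [Computer],
       bg.GroupID               AS [Boundary Group ID],
       bg.Name                  AS [Boundary Group],
       bg.DefaultSiteCode       AS [Assigned Site],
       b.DisplayName            AS [Boundary],
       CASE b.BoundaryType
            WHEN 0 THEN 'IP subnet'
            WHEN 1 THEN 'AD site'
            WHEN 2 THEN 'IPv6 prefix'
            WHEN 3 THEN 'IP address range'
            ELSE 'Other'
       END                      AS [Boundary Type],
       b.Value                  AS [Boundary Value],
       gss.SiteSystems          AS [Site Systems]
FROM v_R_System sys
JOIN ClientGroups cg                     ON cg.ResourceID = sys.ResourceID
JOIN vSMS_BoundaryGroup bg               ON bg.GroupID    = cg.GroupID
LEFT JOIN vSMS_BoundaryGroupMembers bgm  ON bgm.GroupID   = bg.GroupID   -- groups with no boundaries still show
LEFT JOIN vSMS_Boundary b                ON b.BoundaryID  = bgm.BoundaryID
LEFT JOIN GroupSiteSystems gss           ON gss.GroupID   = bg.GroupID
WHERE sys.Netbios_Name0 = @Computer
ORDER BY bg.Name, b.DisplayName;
```

A client that is in scope of a boundary but whose boundary group is missing from the cache simply returns no rows, which is the condition the missing-boundaries report looks for. ServerNALPath is the raw NAL path of the site system; parse the server name out of it if you want a cleaner column in SSRS.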

You can download the SQL views documentation from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b.

After spending quite some time, I was finally able to build a nice SSRS report like the one below.

All you need is to key in the computer name in the prompt and the report fetches the data for you based on the client's last successful hardware inventory.

You get both the client's inventory and its boundary group assignment details.

You can download the report from the TechNet Gallery, upload it to your SSRS reports, change the data source and run it.

If you wanted to know the summary of boundaries and boundary group with assignment details (boundary group management using SCCM boundary report), please read this blog post https://www.systemcenterdudes.com/boundary-management-using-sccm-boundary-report/

In the next blog post, we will see how to create compliance baseline to check client boundary group details.

Thanks for reading the post.

If you have any ideas on custom reporting, please leave them in comment section.


SCCM SQL query to list all the content of distribution point group


There was a request from a Twitter friend who is trying to create a SQL report listing the content of a distribution point group with its content status: total targeted, installed, in progress and errors.

Distribution point groups have been available in Configuration Manager for several years. They provide a logical grouping of distribution points for content distribution.

We can create and use DP groups to manage and monitor content from a central location for distribution points that span multiple sites.

For more information about managing distribution point and distribution point groups, please refer https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points

When you create a DP group and add content to it, the content is listed in the group's properties.

If you want to monitor the status of a package or other content on a DP, you can use the default reports.

There is a set of reports in the category Software Distribution – Content, but none of them monitors the content status of a DP group.

The following SQL code provides a summary of the content on a specific DP group, with targeted, installed, in progress and failed counts.

SELECT DISTINCT dpgr.NAME AS [DP Group],
       pk.NAME            AS [Package Name],
       dgp.pkgid          AS [Package ID],
       dpcn.targeteddpcount,
       dpcn.numberinstalled,
       dpcn.numberinprogress,
       dpcn.numbererrors,
       CASE
            WHEN pk.packagetype = 0   THEN 'Software Distribution Package'
            WHEN pk.packagetype = 3   THEN 'Driver Package'
            WHEN pk.packagetype = 4   THEN 'Task Sequence Package'
            WHEN pk.packagetype = 5   THEN 'Software Update Package'
            WHEN pk.packagetype = 6   THEN 'Device Setting Package'
            WHEN pk.packagetype = 7   THEN 'Virtual Package'
            WHEN pk.packagetype = 8   THEN 'Application'
            WHEN pk.packagetype = 257 THEN 'Image Package'
            WHEN pk.packagetype = 258 THEN 'Boot Image Package'
            WHEN pk.packagetype = 259 THEN 'Operating System Install Package'
            ELSE 'Unknown'
       END AS [Package Type]
FROM vsms_dpgroupinfo dpgr
INNER JOIN v_dpgrouppackages dgp
        ON dgp.groupid = dpgr.groupid
LEFT JOIN v_package pk
        ON pk.packageid = dgp.pkgid
LEFT JOIN v_dpgroupcontentdetails dpcn
        ON dpcn.groupid = dpgr.groupid
       AND dpcn.pkgid = pk.packageid
WHERE dpgr.NAME = 'Azure DP'

Replace the distribution point group name ('Azure DP') with your own.



What is new in Configuration Manager 2002 reporting


Microsoft has released Microsoft Endpoint Manager Configuration Manager build 2002 (MEMCM) via the opt-in method (fast ring), so it is now available for you to install. It is also a baseline version, but the baseline media is not yet available for download; it will be released when the build is made available to the console via the slow ring.

If you want to install a new Configuration Manager site (fresh build), you can download 1902 as a baseline from the Volume Licensing portal until 2002 is released.

For more information about how to perform the in-console update for configuration manager update 2002, please refer here

After the in-console update, you need to manually upgrade any secondary sites by right-clicking the site and choosing Upgrade.

You also need to update your Configuration Manager clients to the latest version (2002) to make use of the new client features.

With the 2002 build, a bunch of new features were added. This means there are also a number of new SQL tables/views, which help us create some great custom reports.

The following are the newly added SQL views/tables/functions for custom reporting.

v_Applications
v_BoundaryGroup
v_CIRemediationHistory
v_ConsoleDistinctLatestStartUpDuration
v_ConsoleLatestStartUpDuration
v_ConsoleLatestStartUpDurationPerUser
v_DefaultBrowserData
v_DeviceApplicationState
v_GS_BROWSER_USAGE
v_HS_BROWSER_USAGE
vApp_TSDTAssignmentReferences
vApp_TSDTReferences
vCMGS_AppProgramSyncData
vCMGS_CollectionSyncData
vSMS_Azure_CloudServiceHist
vSMS_CM_FeatureStatusAll

Since the Technet gallery is retiring very soon, I have uploaded the Microsoft Endpoint Manager SQL Views for the build 2002 and also the previous builds to Github for your reference.

Download the SQL views for reporting from Github

Happy reporting!

Recommended reading:

SQL Server views in Configuration Manager

Creating custom reports by using SQL Server views in Configuration Manager

Configuration Manager report for a list of clients missing boundaries


I did a few blog posts on client boundaries and boundary groups for Configuration Manager builds lower than 2002. In one of them, I talked about how to identify the clients that are missing boundaries/boundary groups. For more information, please refer http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

In all of those blog posts, you had to extend the hardware inventory (MOF and client settings) to get the client boundary group details.

With the release of Configuration Manager current branch 2002, you no longer need to extend the MOF. Boundary group information is now available to help you troubleshoot devices with site assignment or content location issues.

With this release, we can create a collection of clients that fall into a specific boundary group, and also a collection of clients that are missing from boundary groups.


For the collections, you can refer these blog posts http://eskonr.com/2020/04/how-to-create-a-collection-based-on-boundary-group-for-client-assignment-and-content-troubleshooting/ and https://www.systemcenterdudes.com/sccm-powershell-collection-boundary-groups/

Now, in this blog post, we will see how to get a report that identifies the clients in specific collections that are missing boundaries/boundary groups.

I have created a report for you (it works only with Configuration Manager 2002 and later, and your clients must be upgraded to the 2002 client as well); it is available on GitHub for download.

Download the report from GitHub, upload it to your SSRS, change the data source, and run the report.

Clients missing boundaries: you need to go back and review your boundaries and boundary groups.

If your clients are running a version lower than 2002, you will not see data in the report, because boundary group information is only reported by clients at version 2002 and later.

If your boundaries and boundary groups are configured correctly and all your clients are running 2002 or later, you will see the following screen (don't mind the title, it was changed later).

I hope you find the post useful!

The following are a few custom reports created for earlier builds of Configuration Manager.

http://eskonr.com/2019/12/how-to-find-configmgr-client-boundary-and-boundary-group-details-based-on-boundary-group-caching/

http://eskonr.com/2017/09/sccm-configmgr-report-for-boundary-group-relationships-with-fallback-sites/

http://eskonr.com/2013/12/sccm-2012-ssrs-report-site-servers-and-its-assigned-boundary-information/

http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

For more information about boundary groups, please refer https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_show-boundary


How to prepare SCCM CMG Client installation switches for internet based client


I was recently assisting a customer with the implementation of a CMG to manage Windows devices over the internet.

Due to COVID-19, the majority of the workforce was working from home, and these devices would not connect to the office network for several weeks after the CMG implementation.

Once the CMG and its site system roles are installed, clients get the location of the CMG service automatically on their next location request. Clients must be on the intranet to receive the location of the CMG service, but in this customer's case all users were working from home and there was no way to bring the devices onto the intranet to make them CMG-aware.

So the alternative is to reinstall the client on the internet-connected devices with ccmsetup.exe, using the CMG command-line switches.

How do you install the client on internet-connected devices centrally? The customer had a different tool that could run a command line on all internet-connected devices.

As I mentioned in my previous blog post, you can use the command line to install the client on internet-connected devices; how to get the right command-line switches is covered in this blog post.

Following is the command-line syntax I used to install the client on internet-based clients (I did not use token-based authentication here, because the customer has PKI/AAD/Hybrid AAD; for token-based, read here). The /mp value and CCMHOSTNAME must both point to the same CMG service URL. Note that /nocrlcheck disables certificate revocation (CRL) checking for the client's HTTPS communication; use it only where internet clients cannot reach your CRL distribution point, because it removes revocation protection.

"C:\windows\ccmsetup\ccmsetup.exe" /nocrlcheck /mp:https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/6257556037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057556037928694 SMSSiteCode=PS1 AADTENANTID=5004305e-6764-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=3C6a28b2-9d0a-484d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService

When I was helping the customer prepare a command line like the one above, I was searching in various places such as the Azure portal, app registrations, the tenant ID, etc. Then I realized that there is a SQL table that stores all of this information.

On the SCCM database, run the following one-liner:

select * from proxy_settings

ConnectorInfo contains the MP and CCMHOSTNAME values.

AADConfig contains the AADTENANTID, AADCLIENTAPPID and AADRESOURCEURI values, mapped as follows:

  • AADTENANTID = TenantID
  • AADCLIENTAPPID = ClientID
  • AADRESOURCEURI = ResourceURI

With this data, it is much easier to prepare the command-line syntax to install the client over the CMG and manage it from the internet.

I hope it helps and thanks for reading!

For more information about client installation parameters and properties in Configuration Manager, please read here

What is new in Configuration Manager 2006 for custom reports


Microsoft has released Microsoft Endpoint Manager Configuration Manager build 2006 (MEMCM) via the opt-in method (fast-ring) on 8th of August, followed by slow-ring (GA) on 31st Aug.

If you want to install a new Configuration Manager site (fresh build), you can download the baseline version, which is 2002, from the Volume Licensing portal, and then do an in-console update to 2006.

For more information about what’s new in Configuration Manager 2006, please refer https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006

 And for a step-by-step guide to 2006, https://systemcenterdudes.com/step-by-step-sccm-2006-upgrade-guide/  

Once you complete the CAS/primary site server update, you need to manually upgrade any secondary sites by right-clicking the site and choosing Upgrade.

You also need to update your Configuration Manager clients to the latest version (2006) to make use of the new client features.

As usual, whenever a new Configuration Manager build is released there are new SQL views for the new or updated features, which help us generate custom reports without MOF extensions (in case you had done those for these features).

Configuration Manager 2006 adds a few SQL views compared to its previous version 2002; they are listed below for your reference.

v_ClientEvents
v_DeviceApplicationTargeting
v_EventProperty
vCMGS_InventoryClass
vCMGS_InventoryClassProperty
vCMGS_MIResults
vCMGS_PolicySummary
vCMGS_PolicySummaryResources
vSMS_BannerNotificationsLocalization

Since the Technet gallery is retiring very soon, I have uploaded the Microsoft Endpoint Manager SQL Views for the build 2006 and also the previous builds to Github for your reference.

Download the SQL views for reporting from Github

Happy reporting!

Recommended reading:

SQL Server views in Configuration Manager

Creating custom reports by using SQL Server views in Configuration Manager


Create a collection and upgrade the Configuration Manager Console


I was recently assisting a customer with a Configuration Manager upgrade, and after the upgrade we needed to upgrade the console on the endpoint devices to the latest version.

When you install or update your Configuration Manager site, the console version changes, and it needs to be updated on all endpoints that have the console installed.

If your site runs a newer Configuration Manager build than your users' consoles, users are prompted to install the new console version the next time they launch the console, but installing it has the following prerequisites:

  • You have local Administrator rights on the target computer for the console.
  • You have read permissions to the location of the Configuration Manager console installation files.

We follow the standard method: create a collection that identifies the devices running a lower console version, create an application from the admin console setup files, and deploy it silently to upgrade the console.

To create a collection (device), use the following WQL Query:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
where (SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Endpoint Configuration Manager Console"
    or SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "System Center Configuration Manager Console")
  and SMS_G_System_ADD_REMOVE_PROGRAMS.Version < "5.2006.1024.1000"

Replace the console version with the one that matches your site. Note that WQL compares Version as a string, not as a numeric version, so the comparison is only reliable while all console versions share the same format (5.yymm.bbbb.rrrr); review the collection membership before deploying.

Now, we will create an application using the latest admin console setup files and deploy it to the collection.

Grab the following files from <Configuration Manager installation media>\SMSSETUP\BIN\I386 and copy them to a source folder.

  • ConsoleSetup.exe
  • AdminConsole.msi
  • ConfigMgr.AC_Extension.i386.cab
  • ConfigMgr.AC_Extension.amd64.cab

In the source folder where you placed the above files, create a batch script with the following silent installation command line:

ConsoleSetup.exe /q TargetDir="%ProgramFiles%\ConfigMgr Console" DefaultSiteServerName=SG-CM01.intranet.eskonr

Replace the site server name with your own.

Create an application with deployment type as script and use the following detection method.


Detection method:

Type: File system

Type: File

Path: %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminConsole\bin

File or folder: Microsoft.ConfigurationManagement.exe

Value: 5.2006.1024.1000

Replace the value with the console version that matches your site server.

Deploy the application to the collection that we created initially.

Monitor the deployment using built-in reports/in-console or your custom reports.

Following is the SQL query to find the count of devices with configuration manager console versions.

select arp.DisplayName0,arp.Version0,count(*) Total From v_Add_Remove_Programs arp
where arp.DisplayName0 like 'Microsoft Endpoint Configuration Manager Console'
or arp.DisplayName0 like 'System Center Configuration Manager Console'
group by arp.DisplayName0,arp.Version0

You can also monitor the console versions that connect to the site using the Console Connections node in the console:

\Administration\Overview\Security\Console Connections

Hope it helps!

Use SCCM to find the excluded apps in Microsoft 365 Apps or Office 365 Proplus for custom reporting


I was asked by a customer to find the devices with excluded apps in Click-to-Run (C2R) products such as Office 365 ProPlus, Microsoft 365 Apps or Office 2019.

When you create a configuration file for C2R products such as Office 365 ProPlus/Microsoft 365 Apps, you can define which apps of the product should not be installed, such as Word, Excel, PowerPoint, Publisher, Visio or Skype. If you don't want Publisher installed with the other applications, use the ExcludeApp element to remove it.

Following are the allowed values to be used in the configuration for Exclude App element.

  • ID="Access"
  • ID="Excel"
  • ID="Groove"
  • ID="Lync"
  • ID="OneDrive"
  • ID="OneNote"
  • ID="Outlook"
  • ID="PowerPoint"
  • ID="Publisher"
  • ID="Teams"
  • ID="Word"

Following is the sample configuration file that I have used to deploy Microsoft 365 Apps that have few apps excluded.

<Configuration>
    <Add OfficeClientEdition="64" Channel="Monthly">
        <Product ID="O365ProPlusRetail">
            <Language ID="en-us"/>
            <ExcludeApp ID="OneDrive"/>
            <ExcludeApp ID="Groove"/>
            <ExcludeApp ID="Lync"/>
        </Product>
    </Add>
    <Display Level="Standard" AcceptEULA="TRUE"/>
    <Property Name="AUTOACTIVATE" Value="1" />
    <Logging Level="Standard" Path="C:\windows\o365proplus"/>
</Configuration>

Likewise, multiple configuration files are created and deployed to end users based on requirements, and at some point it is good to have a report that lists the devices with their excluded apps.

When you deploy a C2R product using Endpoint Manager, there is no built-in report to identify which apps are excluded on a specific device.

How do we inventory the devices with excluded apps in Microsoft 365 apps?

Let's start analysing the data that is stored on the endpoint for office/Microsoft 365 apps.

The following registry key holds the information about the installed C2R products.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

There is a lot of information stored under this key, including the value O365ProPlusRetail.ExcludedApps.

This tells us that on this device three apps were excluded (onedrive, groove, lync), matching the configuration file above.

How do we bring this data into Configuration Manager? Is there a built-in tool or inventory class that gathers it?

There are some built-in reports about Office 365 products, but for anything custom like this we must extend hardware inventory, which can be done with the popular RegKeyToMOF tool.

Detailed steps:

1. Use RegKeyToMOF to generate configuration.mof and inventory.mof, and compile the MOF to check for syntax errors.

2. Import the inventory.mof and configuration.mof, then verify the MOF changes on the site server and on the SQL side.

3. Deploy the client settings to a test device collection.

4. Initiate a machine policy cycle on the test device and trigger hardware inventory.

5. Monitor the hardware inventory on the site server and check the SQL results for any data received.

1. Use RegKeyToMOF to generate configuration.mof and inventory.mof:

Download the RegKeyToMOF.exe tool from TechNet.

On a device where you have installed Office 365 ProPlus/Microsoft 365 Apps or Office 2019, copy the tool over and run it to generate a custom MOF file.

Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

At this point we can export configuration.mof and inventory.mof (the latter for importing into the console) using the tool, and save the MOF files.

The exported MOF files contain a lot of information, which we trim down to the actual requirement.

Following is my configuration.mof and inventory.mof (Trimmed version):

Configuration.mof:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to collect
// 16/10/2018 3:05:03 PM

#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Configuration", NOFAIL)
[DYNPROPS]
Class Configuration
{
[key] string KeyName;
String ProPlus2019RetailExcludedApps;
String O365ProPlusRetailExcludedApps;

};

[DYNPROPS]
Instance of Configuration
{
KeyName="RegKeyToMOF";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|ProPlus2019Retail.ExcludedApps"),Dynamic,Provider("RegPropProv")] ProPlus2019RetailExcludedApps;

[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|O365ProPlusRetail.ExcludedApps"),Dynamic,Provider("RegPropProv")] O365ProPlusRetailExcludedApps;
};

The registry path and value names inside PropertyContext (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration and the *.ExcludedApps values) must match the registry exactly. The class name (Configuration) and the property names (ProPlus2019RetailExcludedApps, O365ProPlusRetailExcludedApps) can be chosen to suit you, but they must be identical in configuration.mof and inventory.mof.

Inventory.mof:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to report to the server
// 16/10/2018 3:05:03 PM
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Configuration", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("o365ExcludedApps"),SMS_Class_ID("o365ExcludedApps")]
Class Configuration: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String ProPlus2019RetailExcludedApps;
[SMS_Report(TRUE)] String O365ProPlusRetailExcludedApps;
};

Download the mof files from github

If you have added more attributes from the registry, make sure you compile the mof file for any syntax errors.

Compile the mof file using mofcomp.exe filename.mof

Once the MOF files are validated, we are ready to make the changes on the SCCM server.

2. Import the inventory.mof and configuration.mof:

Copy the MOF files to your CAS/primary site.

Browse to <ConfigMgr install directory>\inboxes\clifiles.src\hinv (by default under \Program Files\Microsoft Configuration Manager).

Take a backup of configuration.mof before making any changes.

Edit configuration.mof, go to the last line of the file, and paste the custom configuration.mof content shown above at the end.


Save the changes.

Now open the SCCM console, go to Administration, Client Settings, edit the Default Client Settings, and go to Hardware Inventory.

Click Set Classes.

Click Import and select the inventory.mof file that you downloaded or created.

Click Import.

Make sure you untick the o365ExcludedApps class, because we don't want these changes applied to all devices through the default client settings.

This step imports the settings and creates the SQL view and stored procedure.

Monitor dataldr.log on your site for the changes; it shows the SQL view and stored procedure being created successfully.

Querying select * from v_GS_o365ExcludedApps0 at this point returns no rows, because no client has reported yet.

We will now create new client settings, or use existing ones, to deploy to a test collection so we can monitor the results.

On your new or existing test client settings, click Edit, then Hardware Inventory, Set Classes, and tick o365ExcludedApps.


We have now completed the changes on the site server.

3. Deploy the client setting to test device collection.

4. Initiate machine policy cycle on the test device, trigger hardware inventory.

We now move to the client and initiate a machine policy cycle so the client receives these changes, then initiate hardware inventory.

Initiate hardware inventory and monitor InventoryAgent.log; you should see the new class being collected:

Collection: Namespace = \\.\root\cimv2; Query = SELECT __CLASS, __PATH, __RELPATH, KeyName, O365ProPlusRetailExcludedApps, ProPlus2019RetailExcludedApps, VisioPro2019RetailExcludedApps FROM Configuration; Timeout = 600 secs.

We now move to the SQL database and run a query to check the results.

select sys.Netbios_Name0,
       exc.O365ProPlusRetailExcludedApps0,   -- view columns are the MOF property names with a trailing 0
       exc.ProPlus2019RetailExcludedApps0
from v_GS_o365ExcludedApps0 exc
inner join v_R_System_Valid sys
        on sys.ResourceID = exc.ResourceID

We have now successfully gathered the required data using the custom inventory class.
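Once the data is in the view, a count per excluded app is often more useful than one row per device. The following query is an added example and is not from the post. It assumes the view and column names derived above (v_GS_o365ExcludedApps0 with O365ProPlusRetailExcludedApps0 and ProPlus2019RetailExcludedApps0) and that each value is the comma-separated list seen in the registry, such as OneDrive,Groove,Lync. Membership is tested by wrapping the list in commas and matching with LIKE, so a short name cannot match inside a longer one (One cannot match OneNote or OneDrive); under the ConfigMgr database's default case-insensitive collation the lowercase values seen in the registry match the ODT IDs.

```sql
-- Added example: number of devices per excluded app, for each inventoried C2R product.
-- Assumes v_GS_o365ExcludedApps0 with the two *ExcludedApps0 columns, each a
-- comma-separated list such as 'OneDrive,Groove,Lync' (NULL when the product is absent).
;WITH ExcludedLists AS (
    -- one row per (device, product, list); devices without the product are skipped
    SELECT exc.ResourceID, 'O365ProPlusRetail' AS Product, exc.O365ProPlusRetailExcludedApps0 AS ExcludedApps
    FROM v_GS_o365ExcludedApps0 exc
    WHERE exc.O365ProPlusRetailExcludedApps0 IS NOT NULL
    UNION ALL
    SELECT exc.ResourceID, 'ProPlus2019Retail', exc.ProPlus2019RetailExcludedApps0
    FROM v_GS_o365ExcludedApps0 exc
    WHERE exc.ProPlus2019RetailExcludedApps0 IS NOT NULL
),
KnownApps AS (
    -- the ExcludeApp IDs accepted by the Office Deployment Tool
    SELECT AppName
    FROM (VALUES ('Access'), ('Excel'), ('Groove'), ('Lync'), ('OneDrive'), ('OneNote'),
                 ('Outlook'), ('PowerPoint'), ('Publisher'), ('Teams'), ('Word')) AS v(AppName)
)
SELECT el.Product,
       ka.AppName                    AS [Excluded App],
       COUNT(DISTINCT el.ResourceID) AS [Devices]
FROM ExcludedLists el
JOIN KnownApps ka
  -- delimit both sides with commas so 'One' cannot match 'OneNote' or 'OneDrive'
  ON ',' + REPLACE(el.ExcludedApps, ' ', '') + ',' LIKE '%,' + ka.AppName + ',%'
GROUP BY el.Product, ka.AppName
ORDER BY el.Product, [Devices] DESC, ka.AppName;
```

To list the devices behind one of the counts, add a join to v_R_System_Valid on ResourceID and a WHERE on ka.AppName. If you inventory more products (for example Visio), add a further SELECT to the UNION ALL.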

For more information about:

Overview of Office Deployment Tool, please refer https://docs.microsoft.com/en-us/deployoffice/overview-office-deployment-tool

Office deployment tool configuration options, please refer https://docs.microsoft.com/en-us/deployoffice/office-deployment-tool-configuration-options

Hope you find this post useful.


What is new in Configuration Manager 2010 reporting


Microsoft has released update 2010 for Endpoint Manager Configuration Manager, the last build of this year, with some great and enhanced features. For the complete list, please refer to https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2010

This build is currently available to install via the opt-in method (fast ring): download the opt-in script and run it on your ConfigMgr site. To download the script, refer to https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/checklist-for-installing-update-2010#early-update-ring

With update 2010, a bunch of new features were added. This means there are also a number of new SQL tables/views, which help us create some great custom reports for our customers.

Let's see which newly added SQL views/tables/functions we can use for custom reporting.

The following are some of the ones that will add value to the business.

v_DeviceScriptRunDetails
v_DeviceScriptStatus
v_GS_BATTERYCYCLECOUNT
v_GS_BATTERYFULLCHARGEDCAPACITY
v_GS_BATTERYRUNTIME
v_GS_BATTERYSTATICDATA
v_GS_BATTERYSTATUS
v_LU_LifecycleProductGroupsUnfiltered
v_ScriptInformation
v_SetupDiagErrorMachines
vSMS_CollectionEvaluationFull
vSMS_CollectionEvaluationIncremental

For the complete list of SQL views available in Configuration Manager 2010, and what is new in 2010 compared with the previous build 2006, please refer to the documentation available on GitHub.

Audit messages for software update deployments in Configuration Manager


In Microsoft Endpoint Configuration Manager, To monitor infrastructure and operations, we use the Monitoring workspace in the Configuration Manager console.

One of the common ask in many forums is that how to find who created or modified or deployed certain tasks to users or devices that caused an issue.

when someone deploys something, they would not know it would cause some outage or impact the end-user experience.

When such things happen, you always in search of identifying who did that?.

In this blog post, we will see how to find who deployed or created an assignment for a software update group.

For all these types of auditing, there are status message IDs that I have blogged about, and the Excel spreadsheet is available on GitHub for your reference.

If you want to find out who created the assignment for a software update group, there is no built-in way to see it in the software update section of the console.

The following is the view of the software update deployment (assignment).

As you can see, there is no user ID tagged to the specific update deployment.

How do we trace it? There are a few options:

1. Use smsprov.log

2. Use status message queries

3. Use the SQL database.

SMSPROV.log is very limited in size, its records get overwritten in no time, and it is a tedious process to find the right data in it.

The next available options are the audit status messages and the SQL database.

We can use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to modify it. For example, you can run the built-in query Collections Created, Modified, or Deleted to identify when a specific collection was created and the user account used to create it.

Based on the Excel sheet I shared earlier for status message queries, the following are the status message IDs related to software update deployments.

30196 User "%1" created updates assignment %2 (%3).
30197 User "%1" modified updates assignment %2 (%3).
30198 User "%1" deleted updates assignment %2 (%3).

Now we will find out who created the deployment for the target collection 'all Mobile devices' on 3/4/21 using the audit status message queries.

Go to the Monitoring workspace, click System Status, then Status Message Queries.

Open All Audit Status Messages from a Specific Site.

Choose the site and the time when the deployment was created (3/4/21), and click OK.

If your deployment was created days or weeks ago, you can choose a range of up to 1 year.

There were many audit status messages for the specified duration.

We can use the filter with message ID 30196 to find the new assignments.

Here you will find all the software update deployments that were created.

In the Properties section, you will see the following information.

User "INTRANET\eswar.koneti" created updates assignment 16779253 ({65FCC1AD-126D-4D27-991A-F563F8A0CDFE}).

Likewise, if there are multiple deployments created by users, how do you find the right deployment that you are looking for?

Let's go back to the update deployment in the console and find the deployment ID we are looking for.

In my case, the deployment ID for the deployment in question is 16779253.

From the audit status messages, I will filter with message ID 30196 and description *16779253* to get the exact information.

We now see who created the specific deployment for the software update group.

How do we find the same data using SQL Management Studio, directly from the database?

Using a SQL query, we need two values to search for: 1) the message ID, which we already know (30196), and 2) the deployment name.

The following is the SQL query to run against the SCCM database.

-- Audit messages for update-assignment creation (message ID 30196).
-- The deployment name is carried in InsStrValue4; LIKE without a % wildcard
-- behaves as an exact match, so add % if you only know part of the name.
select * from vStatusMessagesWithStrings
where MessageID = 30196
and InsStrValue4 like 'Microsoft Software Updates - 2021-03-04 12:54:40 AM'


The SQL query is a much simpler way to find the relevant information.
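The same audit trail, generalised to the three update-assignment message IDs over a date window and with a wildcard on the deployment name. This is an added example, not the post's own query; it assumes that InsStrValue1 to InsStrValue3 carry the %1 to %3 placeholders of the message text (user, assignment ID, assignment GUID) and that InsStrValue4 carries the deployment name as in the query above, so verify those positions against your own site.

```sql
-- Added example (not from the original post). Assumed column positions:
-- InsStrValue1 = user, InsStrValue2 = assignment ID, InsStrValue3 = GUID,
-- InsStrValue4 = deployment name. Adjust @DaysBack and @NamePattern as needed.
DECLARE @DaysBack    INT           = 30;
DECLARE @NamePattern NVARCHAR(256) = N'Microsoft Software Updates - 2021-03-04%';

SELECT
    sm.[Time]       AS EventTime,
    CASE sm.MessageID
        WHEN 30196 THEN 'Created'
        WHEN 30197 THEN 'Modified'
        WHEN 30198 THEN 'Deleted'
    END             AS [Action],
    sm.InsStrValue1 AS AuditUser,        -- who did it
    sm.InsStrValue2 AS AssignmentID,     -- matches the deployment ID shown in the console
    sm.InsStrValue3 AS AssignmentGuid,
    sm.InsStrValue4 AS DeploymentName,
    sm.MachineName  AS ReportingServer   -- the server that raised the audit message
FROM dbo.vStatusMessagesWithStrings sm
WHERE sm.MessageID IN (30196, 30197, 30198)       -- created / modified / deleted
  AND sm.[Time] >= DATEADD(DAY, -@DaysBack, GETDATE())
  AND sm.InsStrValue4 LIKE @NamePattern
ORDER BY sm.[Time] DESC;
```

Pair this with the 30197/30198 rows to see the full history of a deployment, not just who created it.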

Hope you find this blog post useful!

What is new in Configuration Manager 2111 Reporting


Microsoft has released version 2111 for Configuration Manager (Current Branch), which is now available as an in-console update, currently via the opt-in script.

You can apply this update on sites that run version 2006 or later. If you are running an older version of Configuration Manager, you will need to update the site to a supported version (which you can see in the console) and then update to 2111.

For a list of new features and improvements in configuration Manager 2111, please read https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2111

Just like any other Configuration Manager build release, this build has some new features and enhancements, so there are some additions to reporting as well.

In this blog post, I will walk you through what is new in Configuration Manager reporting in the newly released build (2111) and how it can help us create custom reports.

I have uploaded the SQL views documentation to my GitHub repository; you can find it at https://github.com/eskonr/MEMPowered/tree/master/Reports/SQ%20Views

So what is new in Configuration Manager 2111 for reporting compared with its previous build (2107)?

The following are the newly added SQL views/tables/functions in 2111.

v_ApplicationRequests -> Holds information about application requests from users.
v_UpdateDataForMachine -> Holds the compliance status of updates for devices (required/installed/not required).
vClientCoManagementState -> Makes it easier to report the co-management workloads of client devices.
vNotificationSubscriptionEvents -> Holds subscription event information.
vNotificationSubscriptionEventStatus -> Subscription event status.
vSMS_ApplicationGroupItems -> Application group items.
vSMS_AssignedDeviceApplicationGroups -> Application groups assigned to devices.
vSMS_ConsoleExtensionMetadata -> Holds information about the console extensions and their status.
vSMS_OrchestrationGroupScript -> Orchestration group scripts.

For the list of SQL views for all Configuration Manager versions, download from https://github.com/eskonr/MEMPowered/tree/master/Reports/SQ%20Views

Happy reporting!

Investigating SCCM Client Policy Request and Communication Status with a Collection Specific Report


Introduction:

As an SCCM (ConfigMgr) administrator, one of your key responsibilities is to ensure the health of SCCM clients for tasks like application deployment, software updates and inventory management.

Often you may encounter situations where you need to identify computers that haven't contacted the server in a specific number of days, or to determine the clients with outdated policy requests or communication gaps.

This blog post aims to guide you on creating an SSRS report to present this information, allowing for easier troubleshooting and maintenance of SCCM clients.

Retrieving Client Activity Information:

In the Configuration Manager (ConfigMgr) console, you have the ability to view and monitor various client activities. These include policy requests, heartbeat DDR (Discovery Data Record), hardware scans and the last management point, as shown in the picture below.

To begin, we need to retrieve the client activity information from the SQL database. The data is stored in a view called vWorkstationStatus, which can be joined with the collection views to obtain the desired results. Below is the SQL query, which you can also use to build a PowerShell grid view; it is filtered to clients in a given collection whose LastPolicyRequest is more than 25 days old.

-- Client activity per device for one collection; the last policy request drives the filter.
SELECT ws.Name, ws.UserName, ws.LastMPServerName,
CONVERT(varchar(26), ws.CreationDate, 100) CreationDate,
CONVERT(varchar(26), ws.LastDDR, 100) LastDDR,
CONVERT(varchar(26), ws.LastPolicyRequest, 100) LastPolicyRequest,
CONVERT(varchar(26), ws.LastHardwareScan, 100) LastHardwareScan,
ws.SystemRole,
DATEDIFF(DAY, ws.LastPolicyRequest, getdate()) 'Days Since Last Communication'
FROM vWorkstationStatus ws
JOIN dbo.v_FullCollectionMembership vfcm ON vfcm.ResourceID = ws.ResourceID
JOIN dbo.v_Collection vc ON vc.CollectionID = vfcm.CollectionID
WHERE vc.Name = 'Your collection Name'   -- replace with the collection you want to report on
GROUP BY ws.Name, ws.UserName, ws.CreationDate, ws.LastMPServerName, ws.LastDDR,
ws.LastPolicyRequest, ws.LastHardwareScan, ws.SystemRole
-- keep only devices whose last policy request is more than 25 days old
HAVING DATEDIFF(DAY, MAX(ws.LastPolicyRequest), getdate()) > 25

In the SSRS report, I have made two parameters as prompts: 1) Collection Name and 2) Number of Days.

Below is how the SSRS report looks.

To access the complete SSRS report, download the RDL file from the provided TechNet here. Once downloaded, upload the report to your SSRS Reports folder. Don't forget to update the data source to connect to your SQL database. After making the necessary configurations, run the report to generate the desired results.
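The same vWorkstationStatus report driven by the two prompts the SSRS version uses (@CollectionName and @Days), widened to all three client-activity timestamps so each row says which channel is stale. This is an added example rather than the post's own query; the view and column names are the ones used above, and the collection name is a placeholder.

```sql
-- Added example (not from the original post). @CollectionName and @Days stand in for
-- the two SSRS prompts; the collection name is a placeholder to replace.
DECLARE @CollectionName NVARCHAR(255) = N'Your collection Name';
DECLARE @Days           INT           = 25;
DECLARE @Cutoff         DATETIME      = DATEADD(DAY, -@Days, GETDATE());

SELECT
    ws.Name,
    ws.UserName,
    ws.LastMPServerName,
    ws.LastPolicyRequest,
    ws.LastDDR,
    ws.LastHardwareScan,
    DATEDIFF(DAY, ws.LastPolicyRequest, GETDATE()) AS DaysSincePolicyRequest,
    -- One flag per channel. A client stale only on hardware inventory points at the
    -- inventory agent; a client stale on everything has not contacted the site at all.
    -- NULL timestamps (never reported) count as stale.
    CASE WHEN ws.LastPolicyRequest IS NULL OR ws.LastPolicyRequest < @Cutoff
         THEN 'Yes' ELSE 'No' END AS PolicyStale,
    CASE WHEN ws.LastDDR IS NULL OR ws.LastDDR < @Cutoff
         THEN 'Yes' ELSE 'No' END AS DDRStale,
    CASE WHEN ws.LastHardwareScan IS NULL OR ws.LastHardwareScan < @Cutoff
         THEN 'Yes' ELSE 'No' END AS HWScanStale
FROM dbo.vWorkstationStatus ws
INNER JOIN dbo.v_FullCollectionMembership fcm ON fcm.ResourceID  = ws.ResourceID
INNER JOIN dbo.v_Collection               vc  ON vc.CollectionID = fcm.CollectionID
WHERE vc.Name = @CollectionName
  AND (   ws.LastPolicyRequest IS NULL OR ws.LastPolicyRequest < @Cutoff
       OR ws.LastDDR           IS NULL OR ws.LastDDR           < @Cutoff
       OR ws.LastHardwareScan  IS NULL OR ws.LastHardwareScan  < @Cutoff)
ORDER BY ws.LastPolicyRequest;
```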

Conclusion:

By utilizing SSRS reports in SCCM, you can easily monitor and troubleshoot client communication issues. This blog post has provided you with an SQL query to retrieve client activity information and guided you through the process of creating an SSRS report. With this report, you can efficiently identify clients with outdated policy requests or communication gaps, enabling you to take appropriate actions to maintain the health of your SCCM environment.

Questions appeared on https://social.technet.microsoft.com/Forums/en-US/b9940352-7382-462d-8ef9-8c7a1483a29f/sccm-client-last-communication-report?forum=configmanagerdeployment

https://social.technet.microsoft.com/Forums/office/en-US/5b21299a-d91a-43bd-bae7-dc02c09a8694/how-to-create-a-collection-based-on-days-since-last-communications?forum=configmanagerapps

https://www.reddit.com/r/SCCM/comments/3l67e8/help_with_custom_report/

How to migrate standalone MBAM to SCCM for bitlocker


We all know that Microsoft BitLocker Administration and Monitoring (MBAM) is an administrative tool for managing BitLocker Drive Encryption on Windows devices that are on-prem domain joined.

MBAM mainstream support ended in July 2019, and it is currently in extended support until April 2026.

To know more about mainstream support and extended support, please read the article https://learn.microsoft.com/en-us/lifecycle/policies/fixed.

Considering the support status of MBAM, what alternative tools/products do we have to manage the BitLocker feature?

Microsoft incorporated the MBAM features into Configuration Manager (SCCM) starting in version 1910, and since then it has improved a lot with new features and improvements. We can also use Microsoft Intune as an alternative approach, and that is the future.

To learn about migrating the MBAM server to Microsoft Endpoint Manager (Intune), please read the article https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/mbam-server-migration-to-microsoft-endpoint-manager/ba-p/2192984

Read the migration considerations for moving from MBAM to SCCM: https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/migration-considerations

In this blog post, I would like to provide the steps that I have used to migrate standalone MBAM to SCCM for my customers.

These migration steps assume that you are using an MBAM server with a GPO configuration policy (BitLocker settings).

You want to migrate the clients from MBAM to SCCM and continue using SCCM for the BitLocker feature.

Before we start the migration process, make sure your current SCCM infrastructure has the BitLocker feature enabled and configured. Follow the Microsoft article on how to enable the BitLocker feature: https://learn.microsoft.com/en-us/mem/configmgr/protect/plan-design/bitlocker-management#prerequisites

Enabling the BitLocker feature in SCCM is independent of your current MBAM setup. You can simply install/enable BitLocker management in SCCM, but don't create or deploy any BitLocker policies to your clients (collections) yet.

Once you have enabled the BitLocker feature in SCCM and it is in working condition (verify whether the IIS web portals are working), we need to collect the settings from the existing MBAM setup, such as the encryption method and cipher strength, that you configured in the GPO.

Go to your GPO and identify the policy that has the BitLocker settings configured, such as the BitLocker cipher strength (AES 128, AES 256, etc.). This is one of the important settings we will need for SCCM.

Once you have this information, go to the SCCM console, Endpoint Protection, and create a new BitLocker policy with settings matching the GPO.


If there is any difference in the BitLocker policy settings (for example algorithm 128 vs. 256) between MBAM and SCCM, there will be conflicts when you deploy the policy to the collection, and you may see unexpected results.

If you would like to change the encryption algorithm, such as from 128 (MBAM) to 256 (SCCM), you need to decrypt the disk first before you encrypt it using 256.

Note: What happens if you deploy a BitLocker policy from SCCM with an encryption algorithm of 256 to devices that are already BitLocker-encrypted with a different algorithm by MBAM?

In my testing, the SCCM client evaluates the policy and reports the device as non-compliant due to the mismatch in the configuration settings (the key is still escrowed while non-compliant), without causing any trouble on the device.

Once you have created the BitLocker policy with settings that match your MBAM GPO, create a collection and add a few devices to it.

Deploy the BitLocker policy to the test collection that you created above.

Initiate the machine policy cycle or wait for the policy to trigger on the machine. If you cannot wait, run the machine policy cycle, go to the PC, and initiate the BitLocker policy evaluation from the Configurations tab in the Configuration Manager applet.

Wait for the device to evaluate the policy and escrow the key to SCCM using the recovery service.

Read the client log BitlockerManagementHandler.log, located in C:\windows\ccm\logs, for troubleshooting purposes.

Note: When you deploy the BitLocker policy to the collection, if the device is already BitLocker-encrypted by MBAM, the SCCM client simply validates the settings; if they match, the client escrows the keys to the SCCM database, and this process has no impact on the end user.

This entire process happens silently in the background.

If the client is BitLocker-encrypted with different settings than what you deploy from SCCM, the client will simply report to SCCM as non-compliant due to the mismatch in the settings. https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent#re-encryption


If the client is not BitLocker-encrypted by MBAM but it is in the collection targeted by the SCCM deployment, the SCCM client evaluates the policy, performs the BitLocker encryption, and escrows the key to the SCCM server.

Note: Microsoft deprecated key escrow via the Recovery Service a long time ago, so the SCCM client escrows the key directly via the current MP using a secure channel.

Now check whether the client's BitLocker key is available in the SCCM database using the following SQL query.

-- Recovery keys escrowed for one device: machine -> volume -> key.
-- RecoveryKey is the recovery password itself, so limit who can run this query.
select a.Name, b.VolumeId, c.RecoveryKeyId, c.RecoveryKey, c.LastUpdateTime
from dbo.RecoveryAndHardwareCore_Machines a
inner join dbo.RecoveryAndHardwareCore_Machines_Volumes b ON a.Id = b.MachineId
inner join dbo.RecoveryAndHardwareCore_Keys c ON b.VolumeId = c.VolumeId
where a.Name = 'cmcb-w11-03'   -- replace with the device name you are testing

Run the self-service portal and the helpdesk portal for recovery keys and confirm that the BitLocker functionality is working.
SCCM also comes with enterprise BitLocker reports as part of the default SCCM reports; you can use these reports as well to check the BitLocker compliance status.


At this stage, we have created the BitLocker policy in SCCM, deployed it to our test collection, validated the key in the database, and checked the reports.

In addition, if you are provisioning devices using SCCM (imaging), you can use the task sequence to perform BitLocker encryption (silently) during the imaging process itself. Read the article from Niall Brady: https://www.niallbrady.com/2022/03/03/escrow-bitlocker-recovery-password-to-the-site-during-a-task-sequence-in-configuration-manager-2203/


We will now expand the SCCM BitLocker policy deployment to other collections (staggered approach) until we reach the end.

Monitor the deployment status using the console and the compliance reports.

At this stage, you need to decide whether you would like to stop having new devices managed by MBAM for BitLocker. If you are ready to stop that, take a database backup and/or back up the keys from the MBAM database to a secure location.

Once you have migrated all the clients from MBAM to SCCM, we will start the decommissioning process for MBAM and its GPOs.

Start by unlinking the GPO from one OU and monitor the feedback (there should not be any issues). Wait for a day or two and continue the same approach on all the OUs until you reach the end.

Plan for a shutdown of the server for 1-2 weeks before decommissioning the server.

Remove the MBAM GPOs.

Thank you for reading the post, and let me know your feedback via the comments section.

References:

https://learn.microsoft.com/en-us/answers/questions/738022/move-standalone-mbam-to-sccm-integrated-mbam.html

https://www.niallbrady.com/2020/01/19/learn-about-mbam-in-microsoft-endpoint-configuration-manager-version-1910-part-8-migration/

https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/migration-considerations

SCCM report list collections with no deployments

The following SQL query lists the collections that don't have any deployments. You can review the number of collections with no deployments, and you can further extend the query to exclude certain folders where you keep exception collections used for troubleshooting or other purposes.

-- Collections with no classic deployment (package/program or task sequence) targeting them.
-- v_Advertisement holds only those deployment types; application, software update and
-- baseline deployments are recorded in other views and are not checked here.
select col.Name,
col.CollectionID,
case when col.CollectionType = 2 then 'Device Based'
when col.CollectionType = 1 then 'User Based'
else 'Others' end as 'Collection Type',
col.MemberCount,
coll.ObjectPath   -- console folder path of the collection
from dbo.v_Collection col
inner join v_Collections coll on coll.SiteID = col.CollectionID   -- v_Collections.SiteID holds the collection ID string
where col.CollectionID not in (select CollectionID from dbo.v_Advertisement)
order by col.Name
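The same report, extended in the two directions the post points at: "no deployments" is checked against v_DeploymentSummary, which covers every deployment type (packages, task sequences, applications, software updates and baselines) rather than v_Advertisement alone, and collections kept under an exception folder are left out. This is an added example, not the post's own query; the folder path is a placeholder to replace with your own.

```sql
-- Added example (not from the original post). @ExcludeFolder is a placeholder for the
-- console folder that holds your troubleshooting/exception collections.
DECLARE @ExcludeFolder NVARCHAR(255) = N'\Troubleshooting';

SELECT
    col.Name,
    col.CollectionID,
    CASE col.CollectionType
        WHEN 2 THEN 'Device Based'
        WHEN 1 THEN 'User Based'
        ELSE 'Others'
    END              AS [Collection Type],
    col.MemberCount,
    coll.ObjectPath  -- console folder path, e.g. '\' for the root
FROM dbo.v_Collection col
INNER JOIN dbo.v_Collections coll
    ON coll.SiteID = col.CollectionID     -- v_Collections.SiteID holds the collection ID string
WHERE NOT EXISTS (                         -- no deployment of any type targets this collection
        SELECT 1
        FROM dbo.v_DeploymentSummary ds
        WHERE ds.CollectionID = col.CollectionID)
  -- skip the exception folder itself and everything nested beneath it
  AND NOT (coll.ObjectPath = @ExcludeFolder
           OR coll.ObjectPath LIKE @ExcludeFolder + N'\%')
ORDER BY coll.ObjectPath, col.Name;
```

A collection that this query returns but the original one did not has only non-classic deployments, which is a quick way to see what the v_Advertisement-only check misses.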