Channel: SCCM Reports – All about Microsoft Endpoint Manager

SCCM Report Get list of devices with pending reboot in a collection with different states


Beginning with SCCM ConfigMgr build 1710, you can use the SCCM console to identify client devices that require a restart, and then use a client notification action to restart them. For this capability to work, you must also upgrade clients to version 1710 or later.

This makes it much easier for SCCM engineers to restart a device with just one click.

To identify devices that are pending a restart, go to the Assets and Compliance workspace and select the Devices node, then right-click in the details pane on the right and add the new column named Pending Restart.

Once you choose this, you can sort by Pending Restart to see the list of all devices with their client state.

Each device has one or more of the following values:

  • No: there is no pending restart
  • Configuration Manager: this value comes from the client reboot coordinator component (RebootCoordinator.log)
  • File rename: this value comes from Windows reporting a pending file rename operation (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, PendingFileRenameOperations)
  • Windows Update: this value comes from the Windows Update Agent reporting a pending restart is required for one or more updates (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired)
  • Add or remove feature: this value comes from the Windows component-based servicing reporting the addition or removal of a Windows feature requires a restart (HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\Reboot Pending)

To restart a device, right-click the device, select Client Notification, and then select Restart. An information window opens about the restart. Click OK to confirm the restart request.

When the notification is received by a client, a Software Center notification window opens to inform the user about the restart. By default, the restart occurs after 90 minutes. You can modify the restart time by configuring client settings.

Settings for the restart behaviour are found on the Computer restart tab of the default settings.

If you want the list of devices pending a reboot, the steps above are not always convenient. They do not give you the number of devices pending a reboot; you have to add the column and sort to find out how many there are.

In this blog post, we will see how to create a dynamic collection that lists all devices with a pending reboot. This collection should always be on your checklist for troubleshooting.

Also, I will give you SSRS reports that show the count of pending-reboot devices for a collection by operating system, with a drilldown report to see the list of all clients with client inventory.

Before we create the collection, we need to know where this information is stored in WMI. Collections use WQL, hence you need the class and instance name.

Restart information is stored in sms_combineddeviceresources in the value clientstate.

Anything that is not 0 (clientstate!=0) will be treated as pending reboot.

The following is the list of states you can get for a client pending reboot.

1 – Configuration Manager
2 – File Rename
3 – Configuration Manager, File Rename
4 – Windows Update
5 – Configuration Manager, Windows Update
6 – File Rename, Windows Update
7 – Configuration Manager, File Rename, Windows Update
8 – Add or Remove Feature
9 – Configuration Manager, Add or Remove Feature
10 – File Rename, Add or Remove Feature
11 – Configuration Manager, File Rename, Add or Remove Feature
12 – Windows Update, Add or Remove Feature
13 – Configuration Manager, Windows Update, Add or Remove Feature
14 – File Rename, Windows Update, Add or Remove Feature
15 – Configuration Manager, File Rename, Windows Update, Add or Remove Feature
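
The state numbers above are sums of four bit values (1, 2, 4 and 8), so a report can decode them with bitwise tests instead of a 15-row lookup. The T-SQL below is an added example, not the query from the author's RDL files; @Devices is constructed sample data, and on a site database it would be replaced by the v_CombinedDeviceResources view, whose Name and ClientState columns are assumed here.

```sql
-- Added example: constructed rows standing in for v_CombinedDeviceResources
-- (assumed columns: Name, ClientState).
DECLARE @Devices TABLE (Name nvarchar(64) NOT NULL, ClientState int NOT NULL);
INSERT INTO @Devices (Name, ClientState) VALUES
    (N'PC-001', 0),   -- no pending restart
    (N'PC-002', 1),
    (N'PC-003', 4),
    (N'PC-004', 5),
    (N'PC-005', 5),
    (N'PC-006', 12),
    (N'PC-007', 15);

-- 1) Count of devices per state, with the state number decoded to text.
--    STUFF removes the leading ", "; it returns NULL for an empty string,
--    which happens only if a value carries none of the four known bits.
SELECT d.ClientState,
       s.PendingRestart,
       COUNT(*) AS Devices
FROM @Devices AS d
CROSS APPLY (
    SELECT CASE
             WHEN d.ClientState = 0 THEN 'No'
             ELSE ISNULL(STUFF(
                    CASE WHEN (d.ClientState & 1) = 1 THEN ', Configuration Manager' ELSE '' END
                  + CASE WHEN (d.ClientState & 2) = 2 THEN ', File Rename'           ELSE '' END
                  + CASE WHEN (d.ClientState & 4) = 4 THEN ', Windows Update'        ELSE '' END
                  + CASE WHEN (d.ClientState & 8) = 8 THEN ', Add or Remove Feature' ELSE '' END,
                  1, 2, ''), 'Unknown state')
           END AS PendingRestart
) AS s
GROUP BY d.ClientState, s.PendingRestart
ORDER BY d.ClientState;

-- 2) Devices where a Windows Update restart is pending, whatever else is set.
--    Testing the bit covers states 4, 5, 6, 7, 12, 13, 14 and 15 in one predicate,
--    which an equality test on ClientState = 4 would miss.
SELECT d.Name, d.ClientState
FROM @Devices AS d
WHERE (d.ClientState & 4) = 4
ORDER BY d.Name;
```

The second query is the one to use when the question is which devices have installed updates that are not yet effective because the restart has not happened.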

Create a device collection, choose query based, and paste the following WQL code into it.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System join sms_combineddeviceresources on
sms_combineddeviceresources.resourceid = sms_r_system.resourceid
where sms_combineddeviceresources.clientstate != 0

We have just created a collection that lists the devices with a pending reboot. You can now decide whether to reboot them using client notification.

How do you reboot all devices at once? You cannot do it by right-clicking the collection; you must go into the collection, select all devices, right-click and choose client notification. The collection level does not have a reboot option.

Now we will look at the SSRS report.

With the information that is available in SCCM, we can build a variety of reports; however, I am going with the following customisations.

A report with a custom collection and device restart type (Configuration Manager, Add or Remove Feature etc., multiple). It shows the count of pending-restart devices by operating system.

The count has a drilldown report that shows the list of clients with inventory information like last hardware inventory, IP address, last MP, software update scan etc.

Parent Report:

Click the Pending Restart count that appears in blue to see the list of all clients of that particular OS.

Child Report (Drilldown Report):

The child report has 3 parameters: collection name, restart state name and OS. All these parameters are passed to the child report from the parent report.

You might see a pending reboot for clients that are inactive. This is because the client never reported back to SCCM after the pending restart status message, and it will remain the same until the device comes online and reports its status.

You must run the parent report to get to the child report. If you try to run the child report directly, you will run into issues, which is expected because of the hidden parameters in the child report.

How to get the reports?

Download the RDL files from Technet Gallery, extract them, upload the files to your SSRS reports (make sure both reports are in the same folder location), change the data source and run the reports.

Reference:

https://blogs.technet.microsoft.com/meamcs/2019/01/10/understanding-and-using-the-pending-restart-feature-in-sccm-current-branch/


SCCM Configmgr collection SQL identify duplicate computer records with different GUID


I was working on an SCCM report for a client health dashboard. While creating this report, I found that a device appeared twice with a different GUID and resource ID but with the same hostname.

So I started looking at this issue to see how to identify the records with duplicate hostnames.

SCCM clients are uniquely identified by a GUID. A GUID is a combination of the client's media access control (MAC) address and the time when the GUID is assigned.

This combination produces a number that is virtually always unique. The GUID assignment occurs during the client discovery and installation processes.

The GUID is stored in the client's registry and in a binary file on the client's hard disk, the smscfg.ini file (C:\Windows\SMSCFG.INI).

As you see in the snapshot below, the computer record appears twice with the information that was gathered through inventory/BGB/discovery.

Take a look at the following screenshots with 3 different problems.

Device with different resource ID and Client=Yes

With this information, I started looking at SQL to write code and convert that to a collection, so it would be easy to clean up records in an automated way.

Device with different resource ID and Client=No

Device with different resource ID and Client=No

So I went to the site hierarchy settings to check the conflicting records settings, but the settings were applied correctly:

Why does this happen? This is an old article but still valid: https://support.microsoft.com/en-us/help/837374/how-to-locate-and-clean-advanced-client-duplicate-guids-in-sms-2003

If you have the maintenance task enabled, these obsolete or inactive stale records are taken care of by it, but do you want to wait until the default maintenance task runs?

Here is the SQL code to list the devices that appear more than once in the SCCM console, with their count.

select name0 [Device Name],count(*) Total from v_r_system
group by name0
having (count(name0))>1
order by Name0

If you want to see the devices that appear the most times at the top, use the following query:

select name0 [Device Name],count(*) Total from v_r_system
group by name0
having (count(name0))>1
order by 2 desc

If you want to see the list of all devices with their resource IDs, use the following query:

select sys.name0,sys.ResourceID from v_r_system as sys
full join v_r_system as sys1 on sys1.ResourceId = sys.ResourceId
full join v_r_system as sys2 on sys2.Name0 = sys1.Name0
where sys1.Name0 = sys2.Name0 and sys1.ResourceId != sys2.ResourceId
group by sys.Name0,sys.ResourceID
order by 1
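
A window-function version of the duplicate listing, as an added example rather than the author's query: it returns every record of a duplicated hostname together with its GUID and client flag, which are the fields the screenshots above compare. @System is constructed sample data standing in for v_R_System; the SMS_Unique_Identifier0 and Client0 column names are assumed from that view.

```sql
-- Added example: constructed rows standing in for v_R_System.
DECLARE @System TABLE (
    ResourceID             int          NOT NULL,
    Name0                  nvarchar(64) NOT NULL,
    SMS_Unique_Identifier0 nvarchar(64) NULL,   -- client GUID (assumed column name)
    Client0                int          NULL    -- 1 = client installed, NULL or 0 = no client
);
INSERT INTO @System (ResourceID, Name0, SMS_Unique_Identifier0, Client0) VALUES
    (16777301, N'LAB-PC01', N'GUID:constructed-0001', 1),
    (16777388, N'LAB-PC01', N'GUID:constructed-0002', 1),
    (16777302, N'LAB-PC02', N'GUID:constructed-0003', 1),
    (16777390, N'LAB-PC02', NULL,                     NULL),
    (16777303, N'LAB-PC03', NULL,                     NULL),
    (16777391, N'LAB-PC03', NULL,                     0),
    (16777304, N'LAB-PC04', N'GUID:constructed-0004', 1);   -- single record, not reported

WITH Grouped AS (
    SELECT s.ResourceID,
           s.Name0,
           s.SMS_Unique_Identifier0,
           ISNULL(s.Client0, 0)                                 AS HasClient,
           COUNT(*)                  OVER (PARTITION BY s.Name0) AS RecordsForName,
           SUM(ISNULL(s.Client0, 0)) OVER (PARTITION BY s.Name0) AS ClientRecords
    FROM @System AS s
)
SELECT Name0                  AS [Device Name],
       ResourceID,
       SMS_Unique_Identifier0 AS [GUID],
       CASE HasClient WHEN 1 THEN 'Yes' ELSE 'No' END AS [Client],
       CASE
           WHEN ClientRecords = 0              THEN 'No record has a client'
           WHEN ClientRecords = RecordsForName THEN 'Every record has a client'
           ELSE 'Mix of client and non-client records'
       END                    AS [Pattern]
FROM Grouped
WHERE RecordsForName > 1          -- same filter as HAVING COUNT(name0) > 1 above
ORDER BY [Device Name], ResourceID;
```

Only the listing is shown; which record of a pair to keep still has to be decided per device.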

Create a WQL collection with the following syntax:

I am making use of SMS_R_System with full join.

select sys.ResourceID,sys.ResourceType,sys.Name,sys.SMSUniqueIdentifier,
sys.ResourceDomainORWorkgroup,sys.Client from SMS_R_System as sys
full join SMS_R_System as sys1 on sys1.ResourceId = sys.ResourceId
full join SMS_R_System as sys2 on sys2.Name = sys1.Name
where sys1.Name = sys2.Name and sys1.ResourceId != sys2.ResourceId

P.S.: The above queries are only used to find computer names that appear twice or more with different resource ID, GUID etc.

Also note that this collection includes the active/live entry along with the inactive entry. I could not find any way/logic to skip the active computers.

You can delete all these records manually or create a scheduled PowerShell script to empty the collection. This way, you lose the inventory of active computers, but they send it back in the next inventory cycle.

Hope it helps!

How to find custom hardware inventory classes imported (MOF) into ConfigMgr database


The Configuration Manager site database contains a large collection of information about the network, computers, users, user groups, and many other components of the computing environment. As an SCCM admin, you need to understand the different categories of the SQL views, what information is stored in each view, and how the SQL views can be joined to one another to create reports that return the required information. For more information about SQL views, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Hardware inventory views contain information about the computer hardware. Many hardware inventory views are created in ConfigMgr by default, and many can be enabled or created using the hardware inventory classes dialog box, accessible from client settings. Because of this, it is likely that ConfigMgr sites collect different hardware inventory, resulting in different hardware inventory views.

If you want to know more about how to extend hardware inventory in ConfigMgr, please refer to https://docs.microsoft.com/en-us/sccm/core/clients/manage/inventory/extend-hardware-inventory

The question in the title was asked by one of my customers, as they have a lot of custom hardware inventory classes imported and they want to find a way to list all such custom hardware inventory classes.

Why is it important to know the list of custom hardware inventory classes that are imported (MOF changes)?

One of the reasons, I would think, is to assess whether these custom changes are still needed by the organization. If you have too many custom MOF changes, it enlarges the database and also impacts clients, which send a huge inventory file back to the site server for processing.

The simple way to check the custom MOF configuration is to look at the configuration.mof file that is located in <SCCM installation dir>:\inboxes\clifiles.src\hinv, but I started looking around the database for the list rather than taking notes from the configuration.mof file.

This blog post will help you to get the list of custom MOF imported to client device settings (Note: If you enable any of the existing classes not via MOF import in inventory settings, it is not covered in this post).

After going through the SQL views documentation, I found that there is a view called v_InventoryClass that stores all inventory classes enabled in hardware inventory client settings.

v_InventoryClass lists the WMI classes that are collected by ConfigMgr hardware inventory by class ID. The view also shows the WMI namespace, the class name and the name of the class as it will be displayed in Resource Explorer.

So I started querying this SQL view for the inventory classes.

select count(*) Total from v_InventoryClass

There are a total of 161 inventory classes enabled in client device settings.

Out of these 161, how do we tell the custom inventory classes (MOF IMPORT)?

Looking at the above 161 classes, I thought to pick ‘isDeletable’ because all default classes that come with the ConfigMgr installation would not give you the option to delete, which is not TRUE.

The WMI classes that are enabled by default at the time of ConfigMgr installation, or available for you to enable, can also be deleted from inventory settings.

So my next key observation was at SMSClassID.

All default classes that are enabled at the time of ConfigMgr installation start with Microsoft|.

Custom inventory classes do not have Microsoft as the starting word.

With this information, I started creating a SQL query with a count.

select tmp.[Inventory Type] ,count(*) Total  from
(
select case when IC.SMSClassID like 'Microsoft|%' then 'Default' else 'Custom'  end as 'Inventory Type'
from v_InventoryClass IC
) tmp
group by tmp.[Inventory Type]

To see the list of custom MOF changes, the following is the SQL query:

select * from v_InventoryClass IC
where ic.SMSClassID not like 'Microsoft|%'


Hope this helps!

Check Microsoft office activation status using SCCM Compliance Settings


I did a detailed blog post on 'how to get Office 365 ProPlus activation status' with the help of an extended MOF file and inventory changes. With this method, you get activation details such as user email address, shared computer activation etc. For more information, please refer to http://eskonr.com/2018/10/how-to-get-office-365-proplus-activation-status-and-excluded-apps-etc-using-sccm-configmgr/.

This method requires extending the MOF files and making changes to hardware inventory, which then creates new SQL views. If you don't want to go through all this and are just looking for the Office activation status (Yes or No), then this blog post will help you achieve it.

In this blog post, we will see how to detect the Office activation status (Office 2010, 2013, 2016, Office 365 ProPlus or Office 2019) using the ConfigMgr compliance baseline method.

Before we start looking into SCCM, we need a way to check Microsoft Office activation via script or other means, and then make use of it in a ConfigMgr baseline.

From Office 2007 until Office 365 ProPlus/Office 2019, there is a VBS script called OSPP.vbs, the Office Software Protection Platform script (ospp.vbs), which enables you to configure volume licensed versions of Office products. For more information, please refer to https://docs.microsoft.com/en-us/deployoffice/vlactivation/tools-to-manage-volume-activation-of-office

To check the status of any Microsoft Office product, we will use this VB script with the parameter /dstatus (displays license information for installed product keys).

For Office 2016 and Office 365 ProPlus, the installed location is C:\Program Files (x86)\Microsoft Office\Office16 (for x86).

I ran the command line cscript "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus to see the activation status:

Any product that is licensed will display the status in LICENSE STATUS.

With this information, we can create a simple PowerShell script to check the license status and get the results.

How to create the configuration baseline and deploy it:

In the SCCM console, under Assets and Compliance, click Compliance Settings, then Configuration Items, and create a new configuration item.

Name it Office activation, choose Windows Desktops and Servers, and click Next.

Choose the list of client operating systems to assess for compliance. I chose all platforms.

In Settings, click New and type the name: Detect Office activation

Setting: Script

Data type: String

Add script:

I have added all versions of Office products to the script with their default locations. If you have changed the default installation location of Office to something else, you need to replace the path.

Add the following script as the discovery script.

# Collect the OSPP.VBS /dstatus output from the installed Office version.
# If several versions are present, the output of the last one found is used.
$status = $null

# Check for Office 2007
if (Test-Path -Path "C:\Program Files (x86)\Microsoft Office\Office12\OSPP.VBS") {
    $status = cscript "C:\Program Files (x86)\Microsoft Office\Office12\OSPP.VBS" /dstatus
}
if (Test-Path -Path "C:\Program Files\Microsoft Office\Office12\OSPP.VBS") {
    $status = cscript "C:\Program Files\Microsoft Office\Office12\OSPP.VBS" /dstatus
}

# Check for Office 2010
if (Test-Path -Path "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS") {
    $status = cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /dstatus
}
if (Test-Path -Path "C:\Program Files\Microsoft Office\Office14\OSPP.VBS") {
    $status = cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /dstatus
}

# Check for Office 2013
if (Test-Path -Path "C:\Program Files (x86)\Microsoft Office\Office15\OSPP.VBS") {
    $status = cscript "C:\Program Files (x86)\Microsoft Office\Office15\OSPP.VBS" /dstatus
}
if (Test-Path -Path "C:\Program Files\Microsoft Office\Office15\OSPP.VBS") {
    $status = cscript "C:\Program Files\Microsoft Office\Office15\OSPP.VBS" /dstatus
}

# Check for Office 2016 / Office 365 ProPlus / Office 2019
if (Test-Path -Path "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS") {
    $status = cscript "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus
}
if (Test-Path -Path "C:\Program Files\Microsoft Office\Office16\OSPP.VBS") {
    $status = cscript "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" /dstatus
}

# Return "True" when the output contains a LICENSE STATUS of ---LICENSED---,
# otherwise "False" (also when no OSPP.VBS was found).
if ($null -ne ($status | Select-String -Pattern '---LICENSED---')) {
    Write-Output "True"
}
else {
    Write-Output "False"
}

Click Compliance Rules, click New, and set the value that complies with our script to True.

Validate the setting.

Click Next, Next until you see the summary page.

With this, we have created the configuration item. We will now create the configuration baseline and deploy it to a collection.

Create a new configuration baseline and name it CB – Office Activation.

Under Configuration data, choose Configuration Items and select the CI that we just created.

You can choose co-managed clients if you have co-management enabled.

We are now ready to deploy this baseline to a device collection to get the Office activation status.

Before we deploy this to any device collection, it is good practice to create a collection of devices with a Microsoft Office product installed, instead of deploying to a device collection whose devices may or may not have an Office product installed.

Once you create the collection, deploy the configuration baseline to the collection.

I scheduled it one time instead of on a recurring schedule.

End results:

Wait for the client to pick up the policy and run through the compliance evaluation. Or you can run the machine policy cycle from the collection (right-click tools) to speed up the process.

On an activated device (Office 365 ProPlus), it is compliant.

On a non-activated device (Office 365 ProPlus), it is non-compliant.

We can also monitor the compliance status using the console or SCCM reports.

From the console:

I have also uploaded the exported version of the configuration baseline for you. You can download it from here, extract the zip file and import the cab file into your baseline settings.

SCCM Collection–how to identify devices that have old AD system discovery timestamp ?


SCCM has multiple discovery methods that help you discover devices on your network, devices and users from Active Directory, or users from Azure Active Directory (Azure AD). Read more about the discovery methods in SCCM: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/about-discovery-methods

AD system discovery helps to discover computer resources that can be used to create collections and queries. You can also install the SCCM client on a discovered device by using client push installation.

In order to successfully discover a computer in the domain (by creating the DDR record), AD system discovery must be able to identify the computer account and then successfully resolve the computer name to an IP address (DNS name resolution).

You can check Active Directory System Discovery activity, which is recorded in the log file adsysdis.log in the <InstallationPath>\LOGS folder on the site server.

In this blog post, we will see how to create an SCCM device collection to identify devices that have an old AD system discovery timestamp (older than 14 days). This will help us find the devices that have issues being discovered through AD system discovery (SMS_AD_SYSTEM_DISCOVERY_AGENT), like devices that are deleted from Active Directory but still in SCCM, or devices with DNS name resolution issues.

Create a new collection, edit the query, paste the following and click.

Collection (WQL Query):

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System where ((DATEDIFF(dd, SMS_R_SYSTEM.AgentTime, getdate()) > 14) and AgentName ="SMS_AD_SYSTEM_DISCOVERY_AGENT")

Devices that appear in this device collection may have the SCCM agent installed and healthy, but they failed to be discovered through AD system discovery, so their last discovery date is old.

If the devices are deleted in AD but still in SCCM with no active client, they are yet to be cleaned up by the site maintenance tasks.

If you want to find the devices that have not reported via a specific agent and have an old timestamp, simply replace the AgentName in the above collection.

There are different discovery agents available in SCCM, listed below.

SQL Query for list of discovery agents:

select AgentName from v_AgentDiscoveries
group by AgentName

AgentName
ConfigMgr
Heartbeat Discovery
MP_ClientRegistration
SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT
SMS_AD_SYSTEM_DISCOVERY_AGENT
SMS_AD_USER_DISCOVERY_AGENT
SMS_AZUREAD_USER_DISCOVERY_AGENT
SMS_NETWORK_DISCOVERY
SMS_WINNT_SERVER_DISCOVERY_AGENT
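
The two cases described above (a healthy client that AD system discovery no longer sees, and a record left behind after the AD account was deleted) can be told apart by comparing each resource's last AD system discovery with its last heartbeat. This T-SQL is an added example, not part of the original post; @AgentDiscoveries is constructed sample data standing in for v_AgentDiscoveries, the ResourceId and AgentTime column names are assumed, and @Now is fixed so the sample is repeatable.

```sql
-- Added example: constructed rows standing in for v_AgentDiscoveries
-- (assumed columns: ResourceId, AgentName, AgentTime).
DECLARE @Now datetime = '2019-06-30T00:00:00';   -- use GETDATE() on a site database
DECLARE @StaleDays int = 14;                     -- same threshold as the WQL collection

DECLARE @AgentDiscoveries TABLE (
    ResourceId int          NOT NULL,
    AgentName  nvarchar(64) NOT NULL,
    AgentTime  datetime     NOT NULL
);
INSERT INTO @AgentDiscoveries (ResourceId, AgentName, AgentTime) VALUES
    (16777301, N'SMS_AD_SYSTEM_DISCOVERY_AGENT', '2019-06-28T02:00:00'),  -- recent AD discovery
    (16777301, N'Heartbeat Discovery',           '2019-06-29T09:15:00'),
    (16777302, N'SMS_AD_SYSTEM_DISCOVERY_AGENT', '2019-05-20T02:00:00'),  -- old AD, fresh heartbeat
    (16777302, N'Heartbeat Discovery',           '2019-06-29T11:40:00'),
    (16777303, N'SMS_AD_SYSTEM_DISCOVERY_AGENT', '2019-04-02T02:00:00'),  -- old AD, old heartbeat
    (16777303, N'Heartbeat Discovery',           '2019-04-01T08:05:00'),
    (16777304, N'SMS_AD_SYSTEM_DISCOVERY_AGENT', '2019-05-01T02:00:00'),  -- old AD, never a heartbeat
    (16777305, N'Heartbeat Discovery',           '2019-06-29T07:30:00');  -- never found by AD discovery

WITH Latest AS (
    -- One row per resource with the newest timestamp of each agent of interest.
    SELECT ResourceId,
           MAX(CASE WHEN AgentName = N'SMS_AD_SYSTEM_DISCOVERY_AGENT' THEN AgentTime END) AS LastADDiscovery,
           MAX(CASE WHEN AgentName = N'Heartbeat Discovery'           THEN AgentTime END) AS LastHeartbeat
    FROM @AgentDiscoveries
    GROUP BY ResourceId
)
SELECT ResourceId,
       LastADDiscovery,
       LastHeartbeat,
       DATEDIFF(dd, LastADDiscovery, @Now) AS DaysSinceADDiscovery,
       CASE
           WHEN DATEDIFF(dd, LastHeartbeat, @Now) <= @StaleDays
               THEN 'Client still reporting: check adsysdis.log and DNS resolution'
           ELSE 'No recent heartbeat: stale record, left for site maintenance'
       END AS Triage
FROM Latest
-- Like the WQL collection, resources never seen by AD system discovery
-- (LastADDiscovery is NULL) are not returned.
WHERE DATEDIFF(dd, LastADDiscovery, @Now) > @StaleDays
ORDER BY ResourceId;
```

With the sample rows, resources 16777302, 16777303 and 16777304 are returned; only the first has a client that is still reporting.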

If you want an SCCM collection for active/inactive computers using the last logon timestamp and troubleshooting, you can refer to this post: http://eskonr.com/2018/08/sccm-collection-for-active-inactive-computers-using-last-logon-timestamp-and-troubleshooting/

Hope it helps!

How to find ConfigMgr client boundary and boundary group details based on boundary group caching


Use boundary groups in Configuration Manager to logically organize related network locations (boundaries) to make it easier to manage your infrastructure. You must assign boundaries to boundary groups before using the boundary group.

Clients use a boundary group for:

  • Automatic site assignment
  • To find a site system server that can provide a service, including:
    • Distribution points for content location
    • Software update points
    • State migration points
    • Preferred management points
    • Cloud management gateway (starting in version 1902)

Boundary group caching was introduced with the first version of Configuration Manager (ConfigMgr) Current Branch (CB): version 1511. For more information about boundary group caching and how it works, please read https://home.configmgrftw.com/boundary-group-caching-and-missing-boundaries-in-configmgr/

If you have configured boundaries and assigned them to a boundary group with site system roles, the client stores this information in its WMI namespace root\ccm\LocationServices in the class BoundaryGroupCache.

If a client is in scope of a boundary by any means, like AD site, IP subnet or IP address range, but the boundary is not added to a boundary group, then the client will not have any boundary group cache info in WMI.

In my previous blog post, I talked about how to find the missing boundaries using an SSRS report and troubleshooting based on boundary group caching. For more information, please read here

In this blog post, I am bringing another SSRS report for you to find the boundary group and its assignment details for a client device based on its last inventoried boundary group caching information.

Knowing client boundary group details is important for troubleshooting. With this, you can quickly look up the client's boundary group and which boundaries are added to it.

This blog post assumes that you have extended hardware inventory as per Jason's blog post and that clients have sent the hardware inventory details successfully.

What if you don't want to extend custom hardware inventory, but you still need to find the clients that are missing from boundary groups? Well, you can do that with a compliance baseline. My next blog post will be based on CI/CB.

Now that you have extended the custom hardware inventory, you have the following SQL view created with data in it.

--To see the boundary group cache data of clients (top 10 rows)

select top 10 * From v_GS_BOUNDARYGROUPCACHE bgc

As you can see above, there are clients that have 2 boundary group IDs, which means the client is part of 2 boundary groups. There could be more than 2 as well, based on how you configure boundary groups in your infrastructure.

Now, if you want to use this information to create a report of client boundary group assignment details, we need to convert these multi-value fields into single rows.

Jason's blog post uses the STRING_SPLIT function, which is available only under compatibility level 130 (SQL Server 2016 and above).

My lab is running on SQL Server 2014, where STRING_SPLIT does not work. What other methods do I have to convert the values to rows?

Another approach is to use the XML method with CROSS APPLY to split your comma-separated data:

Following is the SQL code that does the job.

SELECT distinct A.ResourceID,REPLACE((Split.a.value('.', 'NVARCHAR(MAX)')),' ','') GroupID FROM (
SELECT bgc.ResourceID,CAST('<X>'+REPLACE(bgc.BoundaryGroupIDs0, ',', '</X><X>')+'</X>' AS XML) AS String from v_GS_BOUNDARYGROUPCACHE bgc
) AS A CROSS APPLY String.nodes('/X') AS Split(a)

The above SQL code works on SQL Server 2014 and above. I have not tested anything lower than 2014, but it should work.

We now have complete client details with their boundary group IDs.

We will now use this boundary group ID and join with other SQL views to get the information that we need.

I have used the following SQL views to fetch the relevant info.

vSMS_BoundaryGroupSiteSystems: stores boundary group site system information

vSMS_BoundaryGroup: stores boundary group details

vSMS_BoundaryGroupMembers: stores boundary information

You can download the SQL views documentation from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b.

After spending quite some time, I could finally make a nice SSRS report like the one below.

All you need to do is key in the computer name at the prompt and it will fetch the data for you based on the device's last successful hardware inventory.

You get both the inventory of the client and its boundary group assignment details.

You can download the report from Technet Gallery, upload it to your SSRS reports, change the data source and run it.

If you want to know the summary of boundaries and boundary groups with assignment details (boundary group management using the SCCM boundary report), please read this blog post: https://www.systemcenterdudes.com/boundary-management-using-sccm-boundary-report/

In the next blog post, we will see how to create a compliance baseline to check client boundary group details.

Thanks for reading the post.

If you have any ideas on custom reporting, please leave them in the comment section.

SCCM SQL query to list all the content of distribution point group


There was a request from a Twitter friend who is trying to create a SQL report to list the content of a distribution point group with content status such as total targeted, installed, in progress and errors.

Distribution point groups have been available in Configuration Manager for several years. They provide a logical grouping of distribution points for content distribution.

We can create and use DP groups to manage and monitor content from a central location for distribution points that span multiple sites.

For more information about managing distribution points and distribution point groups, please refer to https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points

When you create a DP group and add content to it, you see the content listed in the content properties as shown in the screenshot.

If you want to monitor the status of a package or content on a DP, you can use the default reports.

There is a set of reports available in the category Software Distribution – Content, but there is nothing to monitor the content status of a DP group.

The following SQL code gives you the summary of content on a specific DP group with targeted, installed, in progress and failure counts.

SELECT DISTINCT dpgr.NAME [DP Group],
pk.NAME [Package Name],
dgp.pkgid [Package ID],
dpcn.targeteddpcount,
dpcn.numberinstalled,
dpcn.numberinprogress,
dpcn.numbererrors,
CASE
WHEN pk.packagetype = 0 THEN 'Software Distribution Package'
WHEN pk.packagetype = 3 THEN 'Driver Package'
WHEN pk.packagetype = 4 THEN 'Task Sequence Package'
WHEN pk.packagetype = 5 THEN 'Software Update Package'
WHEN pk.packagetype = 6 THEN 'Device Setting Package'
WHEN pk.packagetype = 7 THEN 'Virtual Package'
WHEN pk.packagetype = 8 THEN 'Application'
WHEN pk.packagetype = 257 THEN 'Image Package'
WHEN pk.packagetype = 258 THEN 'Boot Image Package'
WHEN pk.packagetype = 259 THEN 'Operating System Install Package'
ELSE 'Unknown'
END AS 'Package Type'
FROM vsms_dpgroupinfo dpgr
INNER JOIN v_dpgrouppackages dgp
ON dgp.groupid = dpgr.groupid
LEFT JOIN v_package pk
ON pk.packageid = dgp.pkgid
LEFT JOIN v_dpgroupcontentdetails dpcn
ON dpcn.groupid = dpgr.groupid
AND dpcn.pkgid = pk.packageid
WHERE dpgr.NAME = 'Azure DP'

Replace the distribution point group name.



What is new in Configuration Manager 2002 reporting


Microsoft has released Microsoft Endpoint Manager Configuration Manager build 2002 (MEMCM) via the opt-in method (fast ring). It is now available for you to install and is also a baseline version; however, the baseline media is not yet available for download. The baseline version will be released when the build is made available in the console via the slow ring.

If you want to install a new Configuration Manager site (fresh build), you can download 1902 as a baseline from the volume licensing portal until 2002 is released.

For more information about how to perform the in-console update for Configuration Manager update 2002, please refer here

After the in-console update, you need to manually upgrade any secondary sites by right-clicking the site and choosing the upgrade.

You also need to update your Configuration Manager clients to the latest version (2002) to get the new client features that were added.

With this update 2002 build, there are a bunch of new features added. This means, there are also a number of SQL tables/views added which will help us to create some great custom reports.

The following are the newly added SQL views/tables/functions for custom reporting.

v_Applications
v_BoundaryGroup
v_CIRemediationHistory
v_ConsoleDistinctLatestStartUpDuration
v_ConsoleLatestStartUpDuration
v_ConsoleLatestStartUpDurationPerUser
v_DefaultBrowserData
v_DeviceApplicationState
v_GS_BROWSER_USAGE
v_HS_BROWSER_USAGE
vApp_TSDTAssignmentReferences
vApp_TSDTReferences
vCMGS_AppProgramSyncData
vCMGS_CollectionSyncData
vSMS_Azure_CloudServiceHist
vSMS_CM_FeatureStatusAll

Since the Technet gallery is retiring very soon, I have uploaded the Microsoft Endpoint Manager SQL Views for the build 2002 and also the previous builds to Github for your reference.

Download the SQL views for reporting from Github

Happy reporting!

Recommended reading:

SQL Server views in Configuration Manager

Creating custom reports by using SQL Server views in Configuration Manager


Configuration Manager report for a list of clients missing boundaries


I did a few blog posts on the client's boundary and boundary groups for Configuration Manager build versions lower than 2002. In one of the blog posts, I talked about how to identify the clients that are missing boundaries/boundary groups. For more information, please refer to http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

In all these blog posts, you would need to extend the MOF inventory (client settings, hardware inventory) for getting the client boundary group details.

With the release of Configuration Manager current branch 2002, you are no longer required to extend the MOF. Boundary group information is now available to help you troubleshoot devices with site assignment/content location issues.

With this release, we can now create a collection for a list of clients that fall into specific boundary groups and also create a collection for a list of clients that are missing the boundary groups.

For the collections, you can refer to these blog posts: http://eskonr.com/2020/04/how-to-create-a-collection-based-on-boundary-group-for-client-assignment-and-content-troubleshooting/ and https://www.systemcenterdudes.com/sccm-powershell-collection-boundary-groups/

Now, in this blog post, we will see how to create/get a report for you to identify the list of clients from specific collections that are missing the boundaries/boundary groups.

I have created a report for you (this works only with Configuration Manager 2002 and later; also make sure your clients are upgraded to the 2002 client), and it is available on GitHub for download.

Download the report from GitHub, upload it to your SSRS, change the data source, and run the report.

Clients missing boundaries: you need to go back and review your boundaries and boundary groups.

If your clients are running a version lower than 2002, you won't see the data in the report, because the boundary group info is enabled only in clients 2002 and later.

If your boundaries and boundary groups are configured perfectly and all your clients are running 2002 and later, you will see the following screen (don't look at the title, as it has been changed later).

I hope you find the post useful!

The following are the few custom reports created for earlier versions of the configuration manager builds.

http://eskonr.com/2019/12/how-to-find-configmgr-client-boundary-and-boundary-group-details-based-on-boundary-group-caching/

http://eskonr.com/2017/09/sccm-configmgr-report-for-boundary-group-relationships-with-fallback-sites/

http://eskonr.com/2013/12/sccm-2012-ssrs-report-site-servers-and-its-assigned-boundary-information/

http://eskonr.com/2018/01/sccm-report-for-missing-boundaries-and-troubleshooting/

For more information about boundary groups, please refer to https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_show-boundary


What is new in Configuration Manager 2006 for custom reports


Microsoft has released Microsoft Endpoint Manager Configuration Manager build 2006 (MEMCM) via the opt-in method (fast-ring) on 8th of August, followed by slow-ring (GA) on 31st Aug.

If you want to install a new Configuration Manager site (fresh build), you can download the baseline version which is 2003 from the volume licensing portal, and then do an in-console update to 2006.

For more information about what’s new in Configuration Manager 2006, please refer to https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006

And for a step-by-step guide to 2006, see https://systemcenterdudes.com/step-by-step-sccm-2006-upgrade-guide/

Once you complete the CAS/Primary site server update, you need to manually upgrade any secondary sites by right-clicking on the site and choosing the upgrade.

You also need to update your Configuration Manager clients to the latest version (2006) to avail the new client features that were added.

As usual, whenever there is a new configuration manager build released, there are always new SQL views for the newly released/updated features which will help us to generate custom reports without doing any MOF extensions (in case you have done it for these).

In Configuration Manager 2006, a few SQL views have been added compared to the previous version 2002. They are listed below for your reference.

v_ClientEvents
v_DeviceApplicationTargeting
v_EventProperty
vCMGS_InventoryClass
vCMGS_InventoryClassProperty
vCMGS_MIResults
vCMGS_PolicySummary
vCMGS_PolicySummaryResources
vSMS_BannerNotificationsLocalization

Since the Technet gallery is retiring very soon, I have uploaded the Microsoft Endpoint Manager SQL Views for the build 2006 and also the previous builds to Github for your reference.

Download the SQL views for reporting from Github

Happy reporting!

Recommended reading:

SQL Server views in Configuration Manager

Creating custom reports by using SQL Server views in Configuration Manager


What is new in Configuration Manager 2010 reporting


Microsoft has released update 2010 for Endpoint Manager Configuration Manager, the last build for this year, with some great and enhanced features. For a complete list, please refer to https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2010

This build version is currently available for you to install via the opt-in method (fast-ring). You can download the script and run it on your ConfigMgr site. To download the script, refer to https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/checklist-for-installing-update-2010#early-update-ring

With update 2010, there are a bunch of new features added. This means that there are also a number of SQL tables/views added, which will help us create some great custom reports for our customers.

Let's see which newly added SQL views/tables/functions we can use for custom reporting.

The following are some of the views that will add value to the business.

v_DeviceScriptRunDetails
v_DeviceScriptStatus
v_GS_BATTERYCYCLECOUNT
v_GS_BATTERYFULLCHARGEDCAPACITY
v_GS_BATTERYRUNTIME
v_GS_BATTERYSTATICDATA
v_GS_BATTERYSTATUS
v_LU_LifecycleProductGroupsUnfiltered
v_ScriptInformation
v_SetupDiagErrorMachines
vSMS_CollectionEvaluationFull
vSMS_CollectionEvaluationIncremental

For a complete list of SQL views available in Configuration Manager 2010 and what’s new in 2010 compared with its previous build 2006, please refer to the documentation available on GitHub.

Audit messages for software update deployments in Configuration Manager


In Microsoft Endpoint Configuration Manager, we use the Monitoring workspace in the Configuration Manager console to monitor infrastructure and operations.

A common question in many forums is how to find out who created, modified, or deployed certain tasks to users or devices that caused an issue.

When someone deploys something, they may not know that it will cause an outage or impact the end-user experience.

When such things happen, you always want to identify who did it.

In this blog post, we will see how to find out who deployed or created an assignment for the software update group.

For all these types of auditing, there are status message IDs that I have blogged about and the excel spreadsheet is available in Github for your reference.

If you want to find out who created the assignment for the software update group, there is no built-in way to monitor it in the software update section.

The following is the view of the software update deployment assignment.


As you can see, there is no user ID tagged for the specific update deployment group.

How do we trace it? There are a few options for this.

1. Use smsprov.log

2. Use Status Message Queries

3. Use SQL database.

SMSPROV.log is very limited in size, the records get overwritten in no time, and finding the right data in it is a tedious process.

The next available options are with the help of Audit status messages and SQL database.

We can use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to modify it. For example, you can run the built-in query for Collections Created, Modified, or Deleted to identify when a specific collection was created, and the user account used to create the collection.

Based on the Excel sheet I have shared earlier for status message queries, the following are the status message IDs related to software update deployments.

30196 User "%1" created updates assignment %2 (%3).
30197 User "%1" modified updates assignment %2 (%3).
30198 User "%1" deleted updates assignment %2 (%3).

Now we will find out who created the deployment group for the target collection ‘all Mobile devices’ on 3/4/21 using the audit status message queries:

Go to the Monitoring workspace, click on System Status, then Status Message Queries.

Open All audit status messages from specific site.

Choose the site and the time when the deployment was created (3/4/21), and click on OK.

If your deployment was created days or weeks ago, you can choose up to 1 year.

There were so many audit status messages for the specific duration.

We can use the filter with the message ID: 30196 to find the new assignments.

Here you will find all the software update deployments that were created.

In the properties section, you will see the following information.

User "INTRANET\eswar.koneti" created updates assignment 16779253 ({65FCC1AD-126D-4D27-991A-F563F8A0CDFE}).

Likewise, if there are multiple deployments created by the users, how do you find the right deployment that you are looking for?

Let's go back to the update deployment in the console and find out the deployment ID that we are looking for.

In my case, the deployment ID for the reporting is: 16779253

From the audit status messages, I will filter with message ID: 30196 and the description: *16779253* to get the exact information.

We now see who created the specific deployment type for the software update group.

How to find the data using SQL management studio or using the database?

Using a SQL query, we need 2 values to search for: 1) the message ID, which we already know (30196), and 2) the deployment name.

The following is the SQL query to run against the SCCM database.

select * from vStatusMessagesWithStrings
where MessageID = 30196
and InsStrValue4 like 'Microsoft Software Updates - 2021-03-04 12:54:40 AM'

The SQL query is a much simpler way to find the relevant information.
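The same lookup extended to all three audit message IDs listed earlier (30196, 30197, 30198), as an added example that is not part of the original post. It assumes the view exposes a Time column and that InsStrValue1 to InsStrValue3 hold the %1 to %3 values of the message text (user, assignment ID, assignment GUID); only MessageID and InsStrValue4 appear in the post's own query.

```sql
-- Added example: audit trail for software update assignments.
-- Assumptions (not confirmed by the post): vStatusMessagesWithStrings has a
-- [Time] column, and InsStrValue1..3 map to %1..%3 of messages 30196-30198.
DECLARE @From datetime = '20210304';  -- window start (date of the post's example)
DECLARE @To   datetime = '20210305';  -- window end, exclusive

-- 1) Chronological trail: who created, modified or deleted which assignment.
SELECT
    sm.[Time]       AS EventTime,
    CASE sm.MessageID
        WHEN 30196 THEN 'Created'
        WHEN 30197 THEN 'Modified'
        WHEN 30198 THEN 'Deleted'
    END             AS AuditAction,
    sm.InsStrValue1 AS UserName,
    sm.InsStrValue2 AS AssignmentID,
    sm.InsStrValue3 AS AssignmentGuid,
    sm.InsStrValue4 AS DeploymentName
FROM vStatusMessagesWithStrings sm
WHERE sm.MessageID IN (30196, 30197, 30198)
  AND sm.[Time] >= @From
  AND sm.[Time] <  @To
ORDER BY sm.InsStrValue2, sm.[Time];

-- 2) One row per assignment: creator, number of later modifications, and
--    who deleted it (NULL when no delete message exists in the window).
SELECT
    sm.InsStrValue2                                              AS AssignmentID,
    MAX(sm.InsStrValue4)                                         AS DeploymentName,
    MAX(CASE WHEN sm.MessageID = 30196 THEN sm.InsStrValue1 END) AS CreatedBy,
    MIN(CASE WHEN sm.MessageID = 30196 THEN sm.[Time] END)       AS CreatedAt,
    SUM(CASE WHEN sm.MessageID = 30197 THEN 1 ELSE 0 END)        AS TimesModified,
    MAX(CASE WHEN sm.MessageID = 30198 THEN sm.InsStrValue1 END) AS DeletedBy,
    MAX(CASE WHEN sm.MessageID = 30198 THEN sm.[Time] END)       AS DeletedAt
FROM vStatusMessagesWithStrings sm
WHERE sm.MessageID IN (30196, 30197, 30198)
  AND sm.[Time] >= @From
  AND sm.[Time] <  @To
GROUP BY sm.InsStrValue2
ORDER BY CreatedAt;
```

Audit status messages are only kept for the retention period configured on the site, so widen the window no further than that.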

Hope you find this blog post useful!

Reporting services – The request failed with HTTP status 503 Service Unavailable


The other day, I powered on my Configuration Manager lab after a long time to test something on the reporting and found that the reporting URL does not work.

Browsing the reports URL leads to HTTP error 503, Service Unavailable.

I verified that the SQL Server Reporting Services service was running fine, and I also restarted the service to check whether that would help, but no luck.

I realized that there was something seriously wrong and took some time to troubleshoot further.

The first log to check is srsrp.log (ConfigMgr log) for reporting services, located in your ConfigMgr installation directory\logs folder.

The log has the following errors:

The request failed with HTTP status 503: Service Unavailable.

(!) SRS not detected as running

Failures reported during periodic health check by the SRS Server CMserver.domain.name

I have also checked the reporting server configuration manager, everything seems to be fine.

The next is to look at the SQL server reporting services log located in

C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\LogFiles

The log has the following error messages:

configmanager!DefaultDomain!5018!04/04/2021-14:23:28:: e ERROR: Error loading configuration file: The evaluation period for this instance of Microsoft SQL Server Reporting Services has expired.  A license is now required.

appdomainmanager!DefaultDomain!5018!04/04/2021-14:23:28:: e ERROR: Appdomain:1 DefaultDomain failed to initialize. Error: Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The report server has encountered a configuration error.  ---> Microsoft.ReportingServices.Diagnostics.EvaluationCopyExpiredException: The evaluation period for this instance of Microsoft SQL Server Reporting Services has expired.  A license is now required..

As you can see in the log, the license has expired for SQL Server Reporting Services.

When you install SQL Server Reporting Services, you will be asked to choose the trial of 180 days or input the license key of the SQL server.

If you choose the trial, then after 180 days, you will have the same issue as mine.

So now that we have found that the license for SQL Server Reporting Services has expired, how do we activate it?

The only way that I could find is to reinstall the reporting services.

Run the SQL server reporting services installation wizard (I did 2019), you will see the following options. Choose upgrade, you will be asked for the key to activate it.

Once the installation is completed, wait for the reporting services to check the license status and rebuild the reports (there won't be any changes to your default/custom reports), and after some time, your reporting URL will be up and running.

Hope this helps!

How to fix duplicate reports with double underscore (__) in Configuration Manager


The other day, I was running the ConfigMgr reports in my lab, especially the asset intelligence reports for some hardware information.

I tried to run the first report, __ Hardware 01A – Summary of computers in a specific collection, but it did not run successfully.

The following is the error code.

The report server cannot process the report or shared dataset. The shared data source 'AutoGen__5C6358F2_4BB6_4a1b_A16E_8D96795D8602_' for the report server or SharePoint site is not valid. Browse to the server or site and select a shared data source. (rsInvalidDataSourceReference)


Based on the error code, the issue could be related to the shared data source. So when I checked data source properties for the report, it has no value configured in it.

The shared data source reference is no longer valid.

To fix this, click on Select a shared data source, select {5C6358F2-xxx}, and click on OK.

Run the report now; it works fine.

Likewise, I ran another report, and it also had the same issue. This report also starts with a double underscore (__).

So I searched with the first report to see if there were any duplicates. I got 2 entries.

Based on this, I figured out that the reports with a double underscore (__) are duplicates of the originals and might have been created during the upgrade of the Configuration Manager site (2103).

Since the Configuration Manager site in my lab was upgraded to 2013, followed by the latest hotfix, a few months ago, the logs have been overwritten, so I cannot find the root cause.

For now, I need to figure out how many reports are duplicated with a double underscore (__) and get rid of them (delete them).

The following is the SQL query for it.

Use ReportServer;
-- Type = 2 is a report; '[_][_]%' matches names that begin with a literal double underscore
Select ItemID,Path,Name,ParentID,Type,Description,Hidden,CreatedByID,CreationDate,ModifiedByID,ModifiedDate,Parameter 
FROM dbo.Catalog
 WHERE Type = 2
 and name like '[_][_]%'
 Order by Name

The following is the SQL query to get a list of reports without double underscore (__).

Use ReportServer;
Select ItemID,Path,Name,ParentID,Type,Description,Hidden,CreatedByID,CreationDate,ModifiedByID,ModifiedDate,Parameter 
 FROM dbo.Catalog
 WHERE Type = 2
 and name not like '[__]%'
 Order by Name

Before we delete anything, we can do a quick comparison (VLOOKUP in Excel) to confirm whether these __ reports are duplicates or not.

There are about 250+ reports which have the same symptoms and these can be deleted.
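The comparison can also be done in the database instead of Excel. The query below is an added example, not part of the original post; it assumes a duplicate carries the original's name prefixed with "__" (optionally followed by a space) and sits in the same folder as the original.

```sql
-- Added example: pair every "__" report with its original in the same folder.
-- Assumption: duplicate name = '__' + original name (a space after the
-- underscores is tolerated), and both items share the same ParentID.
USE ReportServer;

SELECT
    dup.ItemID        AS DuplicateItemID,
    dup.Path          AS DuplicatePath,
    dup.ModifiedDate  AS DuplicateModified,
    orig.ItemID       AS OriginalItemID,
    orig.Path         AS OriginalPath,
    orig.ModifiedDate AS OriginalModified,
    CASE
        WHEN orig.ItemID IS NULL THEN 'No original found - review before deleting'
        ELSE 'Duplicate of existing report'
    END               AS Verdict
FROM dbo.Catalog AS dup
LEFT JOIN dbo.Catalog AS orig
       ON orig.Type = 2                          -- 2 = report
      AND orig.ParentID = dup.ParentID           -- same folder
      AND orig.Name NOT LIKE '[_][_]%'           -- never match another duplicate
      AND orig.Name = LTRIM(SUBSTRING(dup.Name, 3, LEN(dup.Name)))
WHERE dup.Type = 2
  AND dup.Name LIKE '[_][_]%'                    -- literal double underscore prefix
ORDER BY Verdict DESC, dup.Path;                 -- unmatched rows are listed first
```

Rows with the "No original found" verdict are the ones to check by hand, because deleting them would remove the only copy of that report.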

Now, how do we remove these duplicate reports? Deleting one by one by going to each category based on the SQL data?

We can make use of a PowerShell script to delete these reports in one go.

The following is the PowerShell script from the Technet forum.

#######################################################################################################################
# SCCM2012SP1-RemoveDuplicateSSRSReports.ps1
# This script will connect to SSRS on a specified server and delete all reports that begin with a double underscore
# Used for SSRS cleanup after SCCM 2012 SP1 installation
# Script must be run from an account that has access to modify the SSRS instance
# 2/15/2013 - Mike Laughlin
#
# Resources used in writing this script:
# Starting point: http://stackoverflow.com/questions/9178685/change-datasource-of-ssrs-report-with-powershell
# API Documentation: http://msdn.microsoft.com/en-us/library/ms165967%28v=sql.90%29.aspx
#######################################################################################################################

# Define variables
	$SiteCode = ""
	$serverName = ""

# Set the value of $noConfirm to $True only if you don't want to manually confirm report deletion. Use with caution.
	$noConfirm = $False

# Safeguard	
	If ( $SiteCode -eq "" -or $serverName -eq "" ) { Write-Host "Enter the required information for the SiteCode and serverName variables before running this script." -ForegroundColor Red -BackgroundColor Black ; Exit }

# Connect to SSRS
	$ssrs = New-WebServiceProxy -uri http://$serverName/ReportServer/ReportService2005.asmx?WSDL -UseDefaultCredential

# Get a listing of all reports in SSRS
	$reportFolder = "/ConfigMgr_" + $SiteCode
	$reports = $ssrs.ListChildren($reportFolder, $True)
	
# Find all reports starting with double underscores
# (StartsWith avoids an exception on one-character names; @() keeps .Count valid for zero or one match)
	$reportsToDelete = @($reports | Where-Object { $_.Name.StartsWith("__") })
	
# Quit if no reports are found
	If ( $reportsToDelete.Count -eq 0 ) { Write-Host "No reports found. Quitting." ; Exit }
	
# Show a listing of the reports that will be deleted
	Write-Host "The following reports will be deleted from SSRS on" $serverName":`n"
	$reportsToDelete.Name
	Write-Host "`nTotal number of reports to delete:" $reportsToDelete.Count "`n"
	
# Get confirmation before deleting if $noConfirm has not been changed
	If ( $noConfirm -eq $False ) 
	{ 
		$userConfirmation = Read-Host "Delete these reports from" $serverName"? Enter Y or N"
		If ( $userConfirmation.ToUpper() -ne "Y" ) { Write-Host "Quitting, reports have not been deleted." ; Exit }
	}
	
# Delete the reports
	$deletedReportCount = 0
	
	Write-Host "Beginning to delete reports now. Please wait."
	ForEach ( $report in $reportsToDelete ) { $ssrs.DeleteItem($report.Path) ; $deletedReportCount++ } 
	Write-Host "Reports have been deleted. Total number of deleted reports:" $deletedReportCount

Hope this helps!

How to get Report for Internet Explorer Startup Page using Configuration Manager 2012


Last week, I was having a discussion with the manager about the user IE home page/start page, to get a report on how many users are set to the company intranet page. I then asked him what process/method the company currently follows to set the IE home page. He replied, GPO. My response was that, if it is GPO, then the IE home page should be set to the required one for all domain users (domain users: wherever the GPO is applied), and that using GPO gives more control to restrict users from changing the default IE home page (Disable changing home page settings), with less troubleshooting required.

I then checked my computer to find the default IE home page. It is set to the correct one, but I do have the flexibility to change it to a custom one. So my boss asked me to check if there is a way to get a compliance report on the user IE home page, in case the GPO is not applied to some of the OUs, which need to be identified.

Since the IE home page information is stored in HKCU, we cannot use regkeytomof (it works only with HKLM), a MOF extension, or DCM (not easy).

A possible solution for this involves: 1) creating a custom WMI location, 2) copying the user IE home page info into this location, and 3) editing the MOF to retrieve this WMI information into the SCCM database.

The above solution would work, but how would you provide full permissions to the WMI location to publish the user registry info if users do not have admin rights on their computers?

Long ago, there was a discussion on the SCCM forum list about this issue of getting user IE home pages using Configuration Manager. Our MOF master Sherry Kissinger has a workaround for this issue, which I am going through shortly.

This procedure requires the creation of a package with 2 programs (legacy is preferred and easy): 1) machine, 2) user with a dependency on machine.

Create a folder with a standard naming convention as required on your network share and place these files into it. The files can be downloaded from GitHub.

1. wmiNameSpaceandSecurity.vbs: This script creates a custom WMI namespace location (root\CustomCMClasses -> CM_IEStartPages) using a file called WmiSecurity.exe.

2. UserIEStartPage.vbs: This script publishes the information from HKCU to the custom WMI namespace location that is created using the above script.

Before we start creating the packages, edit the script wmiNameSpaceandSecurity.vbs, replace the domain name with your domain name, and save the script.

Create a package with 2 programs:

1. Create a package with a program with the command line: cscript.exe wminamespaceandsecurity.vbs under system context

2. Right-click on the package created above and select Create program (no need to create a new package) with the command line: cscript.exe UserIEStartPage.vbs under user context

and select ‘Run another program profile first’

We have now created a package with 2 programs.

Distribute the package to the DP group or DPs.

Now create a deployment using UserIEStartPage to the required collection.

Time to test the results:

Log in to a PC that has this deployment, run the machine policy, and monitor execmgr.log for the progress of this deployment.

From the log, the program executed successfully.

Let's check out the WMI classes and the inventory information that is captured from HKCU.

Open cmd and type wbemtest.exe, then connect to “root\CustomCMClasses”.

Let's check out the homepage values from the WMI class using a simple WQL query before we start working with the MOF file.

While you are connected to “root\CustomCMClasses”, click on Query and run this query: SELECT * FROM CM_IEStartPages

From the above, we see that the user has set 2 tabs for when IE opens. Double-click on either one and click on Show MOF to see the URL page.

So far, all good. Now let's make some changes to the MOF to collect this information via inventory on a scheduled basis (if required, create a custom inventory for a specific collection instead of doing it on the default).

Go to your CM12 primary site Administration pane (if you have a CAS, you should make these changes there) -> Client Settings -> Default Settings. (You must import the custom attributes here before you create custom client settings.)

We have now imported the custom WMI info into CM12, but we have not enabled this setting to be collected from ConfigMgr clients.

In the background, ConfigMgr will create a new table/view (CM_IESTARTPAGES_DATA/v_GS_CM_IESTARTPAGES) to store the information that comes from clients, which can be monitored from dataldr.log in your site server logs.

Now, create a custom client agent setting that can be applied to a test collection before rolling it out to a big collection.

Deploy this setting to the test collection and wait for the results (the client should pick up the new settings and send the inventory info to the site server). After a while, you will see the information in the CM12 database.

Here are the SQL queries:

select sys1.netbios_name0, os.Caption0, st.userdomain0, st.username0, st.tab0 as [Tab], st.startpage0
from v_R_System_Valid sys1
join v_GS_OPERATING_SYSTEM os on os.ResourceID=sys1.ResourceID
left join dbo.v_GS_CM_IESTARTPAGES st on st.resourceid=sys1.resourceid
order by sys1.Netbios_Name0, st.tab0

Get IE pages into same row:

select distinct sys1.netbios_name0, os.Caption0, st.userdomain0, st.username0,
RTRIM(substring(ISNULL((select ','+startpage0
from dbo.v_GS_CM_IESTARTPAGES ie1
where ie1.ResourceID = Sys1.resourceID for xml path('')),' '),2,2000)) as StartPages
from v_R_System_Valid sys1
join v_GS_OPERATING_SYSTEM os on os.ResourceID=sys1.ResourceID
left join dbo.v_GS_CM_IESTARTPAGES st on st.resourceid=sys1.resourceid
order by sys1.Netbios_Name0
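The two queries above list the start pages; the compliance view the post set out to build can be derived from the same view. This is an added example, not part of the original post, and the intranet URL is a placeholder to replace with your own.

```sql
-- Added example: home page compliance per computer and user.
-- Assumption: a user counts as compliant when the inventoried start pages
-- point at the company intranet. The URL below is a placeholder.
DECLARE @IntranetUrl nvarchar(400) = N'https://intranet.example.com%';

SELECT
    sys1.Netbios_Name0,
    st.userdomain0,
    st.username0,
    COUNT(st.startpage0) AS StartPageCount,
    CASE
        -- No rows in the custom class: program not run yet or inventory pending
        WHEN COUNT(st.startpage0) = 0
            THEN 'No data inventoried'
        -- None of the configured tabs is the intranet page
        WHEN SUM(CASE WHEN st.startpage0 LIKE @IntranetUrl THEN 1 ELSE 0 END) = 0
            THEN 'Non-compliant'
        -- Every configured tab is the intranet page
        WHEN SUM(CASE WHEN st.startpage0 LIKE @IntranetUrl THEN 1 ELSE 0 END)
             = COUNT(st.startpage0)
            THEN 'Compliant'
        -- Intranet page is present, but the user added other tabs as well
        ELSE 'Intranet page plus other tabs'
    END AS HomePageStatus
FROM v_R_System_Valid sys1
LEFT JOIN dbo.v_GS_CM_IESTARTPAGES st
       ON st.ResourceID = sys1.ResourceID
GROUP BY sys1.Netbios_Name0, st.userdomain0, st.username0
ORDER BY HomePageStatus, sys1.Netbios_Name0;
```

Computers reported as 'No data inventoried' are the ones where the package has not run or hardware inventory has not yet returned the custom class.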


Tool for managing the import and export of SSRS report – ReportSync Tool


Have you ever had difficulties importing, exporting, or migrating SSRS reports from one Configuration Manager infra to another ConfigMgr infra? If so, how do you migrate reports? When I work with my customers on the hardware migration of SCCM, and especially the SSRS reports, I always use the tool rather than PowerShell scripts.

To get the SSRS reports from Configuration Manager, you can run the SSRS reports, download them manually in RDL format, and upload them to the other SSRS report server. This is applicable when you have a single-digit number of reports. What if you have a large number of reports and you want to migrate them from the source SSRS to the destination SSRS with the same folder structure? Doing it manually takes a lot of time and is not an efficient way of doing it.

This blog post discusses how to migrate, download, and upload your custom reports to the ConfigMgr SSRS folder.

During my search, I found a tool called ReportSync that does the following activities.

  • Sync reports between two SSRS servers.
  • Download RDL Files from SSRS  to local PC.
  • Upload RDL files to a SSRS server
  • Attach data sources automatically on upload (the data source name given in the report must exist on the server)

I use this tool often while working with SSRS Reports since it gives me the flexibility to upload multiple reports to specific folder in SSRS. (Default via SSRS browser allows only one at a time).

Download the tool from https://code.google.com/p/reportsync/

Run the Tool

This tool contains 2 fields: 1) Source SSRS Web service and 2) Destination SSRS Web service.

As I said before, you can use this tool to download SSRS reports to a local drive, migrate reports between SSRS servers, and upload reports from a drive.

If you want to download the reports (.RDL files) from your SSRS server (ConfigMgr 2007 or 2012), enter the source URL, a user that has permissions to connect to SSRS, and the password in Source URL Web Service, and click on Load.

How do you get the right SSRS URL that has been configured in your environment?

From your ConfigMgr server or SQL Server, launch the Reporting Services Configuration Manager tool and look for Web service URL.

After you run the tool, it takes a few seconds or a minute to load the reports from your SSRS folder.

Select the report that you want, provide the local path to store these reports (.RDL files), and click on Download.

Each category that you see in this tool will be created as a folder in your local path.

The reports folder looks like this:

You can also try to upload your customized reports to the destination server, sync, and do other functions with this tool.

In case you have any issues with this tool, feel free to post in the comment section.

Hope it helps!

How to migrate standalone MBAM to SCCM for bitlocker


We all know that Microsoft BitLocker Administration and Monitoring (MBAM) is an administrative tool for managing BitLocker Drive Encryption for windows devices that are on-prem domain joined.

MBAM mainstream support ended in July 2019, and the product is currently in extended support until April 2026.

To know more about mainstream support and extended support, please read the article https://learn.microsoft.com/en-us/lifecycle/policies/fixed.

Considering the support for MBAM, what other alternative tools/products do we have to manage the BitLocker feature?

Microsoft has incorporated the MBAM features into Configuration Manager (SCCM) starting in version 1910, and since then it has improved a lot with new features and improvements. We can also use Microsoft Intune as an alternative approach, and it is the future.

To know about the migration of the MBAM server to Microsoft Endpoint Manager (Intune), please read the article https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/mbam-server-migration-to-microsoft-endpoint-manager/ba-p/2192984

Read the considerations from MBAM to SCCM https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/migration-considerations

In this blog post, I would like to provide the steps that I have used to migrate the standalone MBAM to SCCM for my customers.

These migration steps assume that you are using an MBAM server with a GPO configuration policy (BitLocker settings).

You want to migrate the clients from MBAM and continue to SCCM for the BitLocker feature.

Before we start the migration process, make sure your current SCCM infra has the BitLocker feature enabled and configured. Follow the Microsoft article on how to enable the bitlocker feature https://learn.microsoft.com/en-us/mem/configmgr/protect/plan-design/bitlocker-management#prerequisites

Enabling the BitLocker feature in SCCM is independent of your current MBAM setup. You can simply install/enable BitLocker in SCCM, but don't create or deploy any BitLocker policies to your clients (collection).

Once you have enabled the BitLocker feature in SCCM and it is in working condition (verify whether the IIS web portals are working), we need to collect the settings from the existing MBAM setup, such as the encryption method, cipher strength, etc., that you configured in GPO.

Go to your GPO and identify the policy that has the BitLocker settings configured, such as the BitLocker cipher strength (AES 128, AES 256, etc.). This is one of the important settings we will need for SCCM.

Once you have the information, go to the SCCM server, Endpoint Protection, and create a new BitLocker policy with settings similar to the GPO.

If there is any difference in the bitlocker policy settings (algorithm 128 to 256) from MBAM to SCCM, there will be conflicts when you deploy this to the collection and you may see unexpected results.

If you would like to change the encryption algorithm such as 128 (MBAM) to 256 (SCCM), you need to decrypt the disk first before you encrypt using 256.

Note: What happens if you deploy a BitLocker policy from SCCM with an encryption algorithm of 256 to devices that are already encrypted with BitLocker using a different algorithm via MBAM?

In my testing, the SCCM client will evaluate the policy and report the device as non-compliant due to the mismatch in the configuration settings (the key will still escrow while being non-compliant) without causing any trouble on the device.

Once you have created the BitLocker policy with settings that match your MBAM GPO, create a collection and add a few devices to it.

Deploy the bitlocker policy to the test collection that you have created above.

Initiate the machine policy cycle or wait for the policy to trigger on the machine. If you cannot wait, run the machine policy cycle, go to the PC, and initiate the BitLocker policy from the Configurations tab in the Configuration Manager applet.

Wait for the device to evaluate the policy and escrow the key to SCCM using the recovery service.

Read the client log BitlockerManagementHandler.log, located in C:\windows\ccm\logs, for troubleshooting purposes.

Note: When you deploy the BitLocker policy to the collection, if the device is already BitLocker-encrypted by MBAM, the SCCM client simply validates the settings. If they match, the client escrows the keys to the SCCM database, and this process has no impact on the end user.

This entire process happens silently in the backend.

If the client is BitLocker-encrypted with different settings than what you deploy in SCCM, the client will simply report to SCCM as non-compliant due to a mismatch in the settings. https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent#re-encryption


If the client is not BitLocker-encrypted by MBAM but is in the SCCM deployment schedule, the SCCM client evaluates the policy, performs the BitLocker encryption, and escrows the key to the SCCM server.

Note: Microsoft deprecated key escrow via the Recovery Service a long time ago, so the SCCM client escrows the key directly via the current MP using a secure channel.

Now check whether the client's BitLocker key is available in the SCCM database using the following SQL query.

-- Look up the escrowed recovery key record for one device
-- ('cmcb-w11-03' is the example device name; replace it with your own)
select a.Name, b.VolumeId, c.RecoveryKeyId, c.RecoveryKey, c.LastUpdateTime
from dbo.RecoveryAndHardwareCore_Machines a
inner join dbo.RecoveryAndHardwareCore_Machines_Volumes b ON a.Id = b.MachineId
inner join dbo.RecoveryAndHardwareCore_Keys c ON b.VolumeId = c.VolumeId
where a.Name ='cmcb-w11-03'

Open the self-service portal and helpdesk portal for recovery keys and confirm that the BitLocker functionality is working.
SCCM also comes with enterprise BitLocker reports as part of the default SCCM reports. You can make use of these reports as well to check the BitLocker compliance status.

At this stage, we have created the BitLocker policy in SCCM, deployed it to our test collection, and validated the key in the database and in the reports.

In addition to this, if you are provisioning the devices using SCCM (imaging), you can make use of the task sequence to perform bitlocker (silent) during the imaging process itself. Read the article from Niall Brady https://www.niallbrady.com/2022/03/03/escrow-bitlocker-recovery-password-to-the-site-during-a-task-sequence-in-configuration-manager-2203/

We will now expand the SCCM BitLocker policy deployment to other collections (staggered approach) until we reach the end.

Monitor the deployment status using the console and compliance reports.
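As each collection is brought in, a per-collection view of which devices have not escrowed a key yet is a useful gate before MBAM is switched off. The query below is an added example, not from the original post: it reuses the tables from the single-device query above, `XXX00000` is a placeholder collection ID, and matching the device name between `v_FullCollectionMembership` and `RecoveryAndHardwareCore_Machines` is an assumption. It deliberately does not return the recovery password itself.

```sql
-- Added example: escrow coverage for one rollout collection.
-- XXX00000 is a placeholder; use the ID of the collection the policy targets.
DECLARE @CollectionID nvarchar(8) = N'XXX00000';

SELECT fcm.Name                        AS DeviceName,
       COUNT(DISTINCT v.VolumeId)      AS VolumesKnown,
       COUNT(DISTINCT k.RecoveryKeyId) AS KeysEscrowed,
       MAX(k.LastUpdateTime)           AS LastEscrowTime,
       CASE WHEN COUNT(k.RecoveryKeyId) = 0
            THEN 'No key escrowed'
            ELSE 'Escrowed'
       END                             AS EscrowStatus
FROM dbo.v_FullCollectionMembership fcm
-- LEFT JOINs keep devices that have never reported a volume or a key.
-- Assumption: the machine name stored by the recovery tables equals the
-- device name shown in the collection.
LEFT JOIN dbo.RecoveryAndHardwareCore_Machines m
       ON m.Name = fcm.Name
LEFT JOIN dbo.RecoveryAndHardwareCore_Machines_Volumes v
       ON v.MachineId = m.Id
LEFT JOIN dbo.RecoveryAndHardwareCore_Keys k
       ON k.VolumeId = v.VolumeId
WHERE fcm.CollectionID = @CollectionID
GROUP BY fcm.Name
-- Devices with nothing escrowed sort to the top.
ORDER BY KeysEscrowed, fcm.Name;
```

Devices that still show `No key escrowed` after the policy has evaluated are the ones whose recovery keys exist only in MBAM.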

At this stage, you need to decide whether to stop having new devices managed by MBAM for BitLocker. If you are ready to do so, take a database backup and/or back up the keys from the MBAM database to a secure location.

Once you migrate all the clients from MBAM to SCCM, we will start the decommissioning process of the MBAM and GPOs.

Start by unlinking the GPO on 1 OU and monitor the feedback (there should not be any issues). Wait for a day or 2 and continue this approach on all the OUs until you reach the end.

Plan to shut down the server for 1-2 weeks before decommissioning it.

Remove the MBAM GPOs.

Thank you for reading the post and let me know your feedback via the comments section.

References:

https://learn.microsoft.com/en-us/answers/questions/738022/move-standalone-mbam-to-sccm-integrated-mbam.html

https://www.niallbrady.com/2020/01/19/learn-about-mbam-in-microsoft-endpoint-configuration-manager-version-1910-part-8-migration/

https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/migration-considerations

SCCM report list collections with no deployments

The following SQL query lists the collections that don't have any deployments. You can review the number of collections with no deployments, and you can further extend the query to exclude certain folders where you keep exception collections for troubleshooting or other purposes.

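-- Collections that are not targeted by any advertisement.
-- v_Advertisement covers package/program and task sequence deployments.
select Col.Name,
Col.CollectionID,
case when Col.CollectionType='2' then 'Device Based'
when Col.CollectionType='1' then 'User Based'
else 'Others' end as 'Collection Type',
Col.MemberCount,
coll.ObjectPath
from dbo.v_Collection Col
-- v_Collections.SiteID holds the collection ID and supplies the console folder path
inner join v_Collections coll on coll.SiteID=Col.CollectionID
where Col.CollectionID not in (select CollectionID from dbo.v_Advertisement)
order by Col.Name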