CCM LAB

Recently, I deployed a few accounts to the Local Administrators group on end-user devices through Intune . The path I used was: Endpoint Security → Account Protection → Local User Group Membership Since I only needed to add specific accounts without removing existing ones, I chose the “Add (Update)” option under Group and user action . However, on all  Hybrid Azure AD Joined  devices, the policy failed with  error code 65000 . Here’s why it happened—and how to fix it. 👇 Why Does the Error Happen When selecting users or groups directly from Intune’s "Select users/groups" option, the system maps them in the following format: AzureAD\test2@ccmlab.space, AzureAD\admin@ccmlab.space This format doesn’t establish a proper mapping between the user accounts and their security identifiers (SIDs) on hybrid-joined devices, causing the policy to fail. You can check the event logs end user device Event Viewer → Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provid...

During the SCCM Management Point installation, you may encounter the error that the SMS Notification Server is not installed. In this scenario, client's status will appear with a question mark. You may also try adding below lines to regsvcs.exe and InstallUtil.exe with their .config files by adding the following: <runtime>     <loadFromRemoteSources enabled="true"/> </runtime> However, this did not resolve the issue.  In the Component Status within the SCCM console, the SMS Notification Server status will appear as Critical and display a message similar to the one below. In the BgbSetup.log, you will see entries similar to the following.  Fatal MSI Error - bgbisapi.msi could not be installed In the BgbisapiMSI.log, you can see the following details. Product: BGB http proxy -- Installation operation failed  Windows Installer installed the product. Product Name: BGB http proxy. Product Version: 5.00.9128.1000. Product Language: 1033. Manufacturer...

When attempting to install Windows 11 feature upgrade via SCCM, you might notice that the update fails quickly, and under the “More Information” section, it shows the error code 0xC1900200 (-1047526912) . Additionally, you may observe that the update content is not downloading properly, and within a few minutes, the installation fails. I encountered this issue on several HP laptops and was able to identify the root cause and solution. The first step in troubleshooting should be reviewing the Panther logs , which can help pinpoint the exact blocker. You can find the Panther logs at the following location: C:\$WINDOWS.~BT\Sources\Panther Next, you need to check the XML files located in the Panther folder, as shown in the screenshot above. Look for the most recently created CompatData.xml file. This file corresponds to the latest SCCM feature update attempt that failed. Open this file using CMTrace , which makes it easier to read and highlight error codes or issues in a structured form...

How to Deploy Feature Updates Using Intune: A Step-by-Step Guide Microsoft Intune provides a streamlined method for managing Windows feature updates across your organization. In this guide, I'll walk through the essential prerequisites, policy creation steps, deployment, and monitoring process to ensure a smooth rollout of feature updates using Intune. 1. Verify Prerequisites Before you create a feature update policy, ensure the following prerequisites are met on the target devices: Device Enrollment : Devices must be enrolled in Intune, either as Microsoft Entra hybrid joined or Microsoft Entra joined . Supported OS : Devices must be running a supported version of Windows 10 or Windows 11 . Telemetry Settings : Devices must have the telemetry level set to Required . You can configure this via Devices > Windows> Configuration > Create Policy > Templates>  Device Restrictions > Reporting and Telemetry > Share Usage Data >Set as Required...

Can Intune Deploy Shell Scripts to Linux Devices? Yes! Just like deploying PowerShell scripts to Windows, Intune can also deploy shell scripts to Linux devices. In this blog, I'll walk you through the process of deploying shell scripts to Linux using Intune, making it easier to automate tasks and manage Linux endpoints efficiently. Prerequisites Before deploying a shell script via Intune, ensure the following requirements are met: 1. Intune and Microsoft Entra ID Your environment must have Microsoft Intune configured for device management. This setup enables secure enrollment and policy enforcement on Linux devices. 2. Linux Device Enrollment The Linux PC must be properly enrolled in Intune to receive policies and scripts. If the device is not enrolled, follow Microsoft's documentation on Linux enrollment in Intune. Deploying the Shell Script Once the prerequisites are met, follow these steps to deploy your shell script through Intune: Access Microsoft Intune Sign in to the ht...

  Removing Obsolete Computer Records from Active Directory Using PowerShell Active Directory (AD) environments can accumulate obsolete computer objects over time. These stale records not only clutter the directory but can also pose security risks. This article provides a PowerShell-based approach to identifying and removing outdated computer records from Active Directory. Identifying Obsolete Computer Accounts The first step in cleaning up AD is to identify inactive computers based on their last logon timestamp and password last set date. Below is a PowerShell script to find obsolete devices that have not logged in for more than 60 days: Import-Module ActiveDirectory $DaysInactive = 60 $time = (Get-Date).AddDays(-$DaysInactive) # Identify obsolete devices $obsoleteDevices = Get-ADComputer -Filter { (LastLogonTimeStamp -lt $time -and PasswordLastSet -lt $time) -and (OperatingSystem -like '*Windows 10*' -or OperatingSystem -like '*Windows 11*' -or OperatingSystem...

Exporting All AD Computers by OU using PowerShell When you run this script, it generates a CSV file containing the following details for all computers in the specified OU: DistinguishedName : The full Active Directory path of the computer object. Name : The hostname of the computer. ObjectGUID : The unique identifier for the computer in AD. OperatingSystem : The installed OS on the machine. OperatingSystemVersion : The version of the installed OS. LastLogonDate : The last recorded logon date of the computer. The output file C:\Reports\AllComputers.csv can be opened in Excel or any text editor for further analysis. ------------------------------------------------------------------------------------------------------------- # Define the Organizational Unit (OU) to search $OU = "DC=CCM,DC=LOCAL"  # Change this if you want to target a specific OU # Retrieve all computers within the specified OU and export to CSV Get-ADComputer -SearchBase $OU -Filter * `     -Properties Dist...