IT Consultant Everyday Notes

Just some problems/solutions storage

Monthly Archives: November 2018

SCCM: Co-management setup with SCCM Client installation

I decided to set up a test lab for co-management. Here is what I have:

Azure AD tenant. In addition to Primary * I have multiple custom domains registered.

SCCM 1806 on-prem

I started from deploying CMG as demonstrated in Justin’s video: 

The only difference – I did not use internal domain name for CMG, just left it as That allowed me to avoid CNAME requirement.

after that I configured co-management as per

but unfortunately SCCM client was not installed on my test machine joined to Azure AD.

I am using enhanced HTTP on SCCM side; my internal MP operates in HTTP mode and there is no certificate installed on the the Client. I tried to be as close as possible to real BYOD scenario.

After some troubleshooting I sent the question to Technet forums 

Based on the forum discussion I replaced Intune MSI-based SCCM Client deployment to W32 App which Microsoft has currently in preview. Just as Martin recommended:

Nick provided great help with tokens troubleshooting. I found his article here:

And do not forget to Approve the Client in SCCM console (at least in my case it was a workgroup machine and auto-approval was not enabled on SCCM).

It took ~15 min after approval before the Client got policy from SCCM MP.

After all everything is working, but took some time with research and troubleshooting…

SCCM: CMG Connector Analyzer fails

I installed Cloud MAnagement GAteway in my SCCM environment and ran CMG Connector Analyzer. It failed on the last test with

Failed to get ConfigMgr token with Azure AD token. Status code is ‘403’ and status description is ‘CMGConnector_Un-authorizedrequest’.
A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘Un-authorizedrequest’.


it turned out the account I used for the test has MFA and it looks like the Analyzer cannot handle that. So I signed in with a regular non-MFA account and this time the Connector passed successfully:


Azure: App Service cannot connect to vnet-base VM

Bumped into unusual issue today:

I do have a SQL Reporting Services VM on one of my Azure Vnets. I also have several App Services (Web Applications ) connected to it. Normally when I set up VNet integration for App Service Azure creates a P2S SSL VPN and routes, and ranges to the tunnel. An everything works fine.

I created a new App Service and configured it for Vnet Integration. Surprisingly the app was not able to connect to SSRS.

I ran Kudu debug console and found tcpping from the App to SSRS failed.

It turned out during P2S VPN creation Azure for some reasons added only qnd (???) as the tunnel destination.

Resolution: I added IP address of my SSRS to the table and successfully connected to the Web Service of my SSRS. I guess that happened because I an using hub-and-spoke for my vnet. The only question why it was working before for other App Services  Smile