IT Consultant Everyday Notes

Just some problems/solutions storage

SCCM: Best Practice Tips and Tricks from systemcenterdudes

Windows 10: Install RSAT

With 1803 MS includes RSAT in the W10 image as an optional feature. On Enterprise Edition it should be installed with PowerShell as described here:

SCCM: Third-party Updates download failed with: “Error: Failed to download content ID XXXXXXX. Error: The thread is not in background processing mode”

I rebuilt my SCCM 1811 TP Lab and decided to offload the WSUS content folder from my SCCM server. I put it on a file server where I do have my SCCM Source folders. Microsoft Updates worked just fine, but when I tried to download an Adobe Update (used new SCCM Third-party Update support) I got “Error: Failed to download content ID <ID of my update>. Error: The thread is not in background processing mode.”


I checked the Advanced settings of my WSUS App Pool and found the content share was registered incorrectly (“\\” was missing) and content subfolders were not accessible.


So I fixed this issue first (added “\\” before the server name) and immediately could see the sub-folders.


Unfortunately that was not enough to resolve the issue. Luckily I found an article on the Shavlik forum discussing a similar issue.

So, for my Adobe update package I switched the download settings from “Download Software Updates from Internet”


to “Download software updates from a location on my network”


This is weird – my old SCUP was working perfectly fine without that, but it looks like the SCCM feature works differently now. Anyway, as soon as I did that my Adobe update was downloaded successfully:


SCCM: Co-management setup with SCCM Client installation

I decided to set up a test lab for co-management. Here is what I have:

Azure AD tenant. In addition to Primary * I have multiple custom domains registered.

SCCM 1806 on-prem

I started from deploying CMG as demonstrated in Justin’s video: 

The only difference – I did not use internal domain name for CMG, just left it as That allowed me to avoid CNAME requirement.

After that I configured co-management as per

but unfortunately SCCM client was not installed on my test machine joined to Azure AD.

I am using enhanced HTTP on the SCCM side; my internal MP operates in HTTP mode and there is no certificate installed on the Client. I tried to be as close as possible to a real BYOD scenario.

After some troubleshooting I sent the question to Technet forums 

Based on the forum discussion I replaced the Intune MSI-based SCCM Client deployment with the W32 App which Microsoft has currently in preview. Just as Martin recommended:

Nick provided great help with tokens troubleshooting. I found his article here:

And do not forget to Approve the Client in SCCM console (at least in my case it was a workgroup machine and auto-approval was not enabled on SCCM).

It took ~15 min after approval before the Client got policy from SCCM MP.

After all everything is working, but took some time with research and troubleshooting…

SCCM: CMG Connector Analyzer fails

I installed Cloud Management Gateway in my SCCM environment and ran CMG Connector Analyzer. It failed on the last test with

Failed to get ConfigMgr token with Azure AD token. Status code is ‘403’ and status description is ‘CMGConnector_Un-authorizedrequest’.
A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘Un-authorizedrequest’.


It turned out the account I used for the test has MFA and it looks like the Analyzer cannot handle that. So I signed in with a regular non-MFA account and this time the Connector passed successfully:


Azure: App Service cannot connect to vnet-based VM

Bumped into an unusual issue today:

I do have a SQL Reporting Services VM on one of my Azure Vnets. I also have several App Services (Web Applications) connected to it. Normally when I set up VNet integration for App Service Azure creates a P2S SSL VPN and routes, and ranges to the tunnel. And everything works fine.

I created a new App Service and configured it for Vnet Integration. Surprisingly the app was not able to connect to SSRS.

I ran Kudu debug console and found tcpping from the App to SSRS failed.

It turned out during P2S VPN creation Azure for some reason added only and (???) as the tunnel destination.

Resolution: I added the IP address of my SSRS to the table and successfully connected to the Web Service of my SSRS. I guess that happened because I am using hub-and-spoke for my vnet. The only question is why it was working before for other App Services.


Hyper-V: Automatic VM Activation keys

AVMA keys used to automatically activate VMs running on a Hyper-V host are available here:

Windows 10: Cannot connect to Hyper-V after upgrade to 1809

I upgraded my W10 machine to 1809 (just before the fiasco forcing MS to stop delivery). My documents are intact, but what I found – Hyper-V on the machine cannot be connected anymore.

When I started Hyper-V MMC it did not connect to the local machine automatically and when I tried to force it I received an error:

“An error occurred while attempting to connect to server “xxx”. Check that the Virtual Machine Management service is running and that you are authorized to connect to the server.”

After some googling I found a solution from Anders Hanson which worked for me:

1. Open “Windows Security”

2. Open “App & Browser control”

3. Click “Exploit protection settings” at the bottom

4. Switch to “Program settings” tab

5. Press “+” sign to add an exact path to a file or locate “C:\WINDOWS\System32\vmcompute.exe” in the list and expand it

6. Click “Edit”

7. Scroll down to “Control flow guard (CFG)” and uncheck “Override system settings”

8. Start vmcompute from PowerShell: “net start vmcompute”

here is the original trail

Azure: Free Public cert for a Lab

Recently I needed a free certificate for my Azure Lab. With StartSSL having stopped service since Jan 2018 there are still several options left. For example Comodo gives a 90-day trial.

I decided to try Let’s Encrypt service.

Since the service is free (donations are welcome) the process requires some work.

Luckily, I discovered a convenient tool developed by Sverrir Sigmundarson. It works in combination with Let’s Encrypt API Web site

There is a nice Video Manual at

The tool itself is available on Github:

At the end of the process you get a certificate signed by the Public CA. To bind a private key and convert to PFX use the OpenSSL command:

openssl pkcs12 -export -in Cert_cert.crt -inkey domain.key -out cert.pfx
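The export step above, wrapped in two checks, as an added example that is not part of the original post: it confirms the private key actually belongs to the certificate before building the PFX, takes the export password from an environment variable instead of the command line, and reads the PFX back to confirm it opens. The function names, the `PFX_PASS` variable, the `lab.example.test` name and the throwaway self-signed certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example; file names mirror the command above, all values are constructed.

# SHA-256 of the public key inside a certificate / a private key.
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
key_pubkey_hash()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'; }

# make_pfx CERT KEY OUT: export only if KEY really belongs to CERT.
# The password comes from $PFX_PASS so it does not show up in the
# process list or in shell history.
make_pfx() {
  cert=$1; key=$2; out=$3
  [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS is not set" >&2; return 2; }
  if [ "$(cert_pubkey_hash "$cert")" != "$(key_pubkey_hash "$key")" ]; then
    echo "private key does not match certificate" >&2
    return 1
  fi
  # umask 077 keeps the PFX (which contains the private key) owner-only.
  ( umask 077
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -passout env:PFX_PASS )
}

# pfx_subject PFX: read the certificate back out of the PFX.
pfx_subject() {
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
    openssl x509 -noout -subject
}

# Constructed demo input: a one-day self-signed cert for a made-up lab name,
# plus an unrelated key to show the mismatch being rejected.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=lab.example.test" \
    -keyout "$d/domain.key" -out "$d/Cert_cert.crt" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
  PFX_PASS="constructed-demo-password"; export PFX_PASS
  make_pfx "$d/Cert_cert.crt" "$d/domain.key" "$d/cert.pfx" && pfx_subject "$d/cert.pfx"
  make_pfx "$d/Cert_cert.crt" "$d/other.key" "$d/bad.pfx" || echo "mismatched key rejected"
  rm -rf "$d"
}
demo
```
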

Azure: WEB Listener cannot be deleted on Azure Application Gateway

Recently I had a project where I needed to put an Azure App Service behind App Gateway.

The Customer also asked to create HTTP-HTTPS redirection for better end-user experience.

I created two listeners (for port 80 and 443) and two rules: one for traffic on port 443 to redirect to my backend pool and the second one for traffic on port 80 – to redirect to my 443 listener. Everything worked fine. We progressed with the project and at a certain time needed to remove the listeners.

From my previous experience I knew – you never delete rules first – delete the listener first. Since we did have a redirection I deleted port 80 listener first. Azure kindly deleted the associated rule. At least it disappeared.

Next I tried to delete 443 Listener and at that point got an error saying:

“Failed to save configuration changes to application gateway…. Error: Resource <Path to my 443 Listener> referenced by resource <Path to my HTTP-HTTPS redirection rule> was not found. Please make sure that the referenced resource exists and both resources are in the same region.”

Sounds weird taking into consideration I did not see the redirection rule in GUI.

So I brought Azure CLI (for some reason MS provided commands for CLI, or maybe I just did not find those for PowerShell) and ran

az network application-gateway redirect-config show -g <resource group name> --gateway-name <gateway name>

Sure enough the rule was still there.

After that I ran

az network application-gateway redirect-config delete -g <resource group name> --gateway-name <gateway name> -n <rule name>

and this time the rule was deleted completely.

After that the remaining listener was deleted without problems.