Friday, June 28, 2019

ConfigMgr Clients are no longer receiving User Deployments

Removing the Application Catalog Role within ConfigMgr was not as straight forward as i was hoping !

Like many SCCM admins historically the Application Catalog Web service Point and Website point were installed in order to deploy applications to Users.  
However, this feature is now depreciated and User deployments can be deployed without this role as the client will query a management point instead for all deployments (user and device).

I decided that this role should be removed as we were on 1810 Hotfix2 and colleagues had stated the transition was near seamless (see below regarding a reported BUG and quick fix to modify any Client setting).

The procedure to remove the App Catalog role is straight forward:
1. Remove references to App Catalog website within Client Settings.
2. Remove the Roles within the SCCM console.

In our case the removal of the website within Client Settings and the system roles was straight forward however, we saw in a few cases Clients are no longer receiving User Deployments and I thought I would write this blog to share my experience and how to detect systems in a similar state.

Lets gather the logs!

SCClient_Domain@USERNAME_1.log
Using endpoint Url: https://AppCatalogSERVER:443/CMApplicationCatalog, Windows authentication (Microsoft.SoftwareCenter.Client.Data.ACDataSource+<>c at <RefreshLocalSettingsAsync>b__13_0)
The client is looking for User deployments using the AppCatalog server website however, this does not exist and it not referenced in Client Settings.

PolicyAgent.log

Raising event:
instance of CCM_PolicyAgent_PolicyDownloadSucceeded 
Failed to compile rule "{Rule_WRC10000}": 0x8000ffff
Raising event:
instance of CCM_PolicyAgent_PolicyCompileFailed 
We can see that Policy is downloaded however fails to compile.

The Image below details the "Actual" policy applied and as you can see 'Reserved1' details the AppCatalog Website which does not exist; however the client is told to use this address to find User deployments.  As the site does not exist policy cannot exist and Software Center does not show User deployed Applications.

The Image below details the "Requested" policy applicable via Client Settings. As you can see 'Reserved1' does not detail the AppCatalog Website; the client should understand that and receive User policy from the Management Points as intended.  If this was working the SCClient_Domain@USERNAME_1.log would show details for the Management Points instead.



While I cannot explain why the Client Settings are not compiling it did conclusively show that the Site Server was offering the right policy but the client was not applying it.  Various sites have stated this behavior is a known bug and that simply changing a Client Setting would re-engage the client and allow the desired policy to apply.

This client would not update which made me wonder how many systems in the estate have this exact issue?


Using PowerShell you can query the class CCM_ClientAgentConfig namespace and report a compliance metric; this is easily deployed via ConfigMgr Baselines..

$ClientConfig =Get-WmiObject -class CCM_ClientAgentConfig -namespace "root\ccm\policy\machine\actualconfig"
IF ($ClientConfig.Reserved1 -eq "https://AppCatalogSERVER:443/CMApplicationCatalog")
{Write-host "Non-Compliant"}
ELSE
{Write-host "Compliant"}


The hope at this point is that the Agent Config client settings compile issue is limited to a small number of systems. Once the exposure of non-compliant system is understood we can see if a Remediation Script needs to be added to the Baseline.

...........Watch this space for Remediation (28/06/19)




Key Search words, phrases

CCM_PolicyAgent_PolicyCompileFailed
Policy not compiling
Remove AppCatalog

No comments:

Post a Comment