Client Device not listed in MECM (Configuration Manager) as having communicated despite being online and connected

Graham Duffy 0 Reputation points
2023-11-28T07:37:10.1366667+00:00

Hello

We have a hybrid environment.

We have on premises AD and Configuration Manager (MECM) and off premises\Cloud AAD (Entra ID) and Intune.

We often see client devices listed in MECM (Configuration Manager) being reported as having No client software installed and not having communicated with MECM at any point recently (see attached file), even when they have been online connected to the network for several days, and even when the user is shown via MECM as being logged on at the time.

On such client devices we have confirmed:

  1. No network connectivity issues from the client to the Management Point via PING, NSLOOKUP and Tracert commands
  2. The client has Configuration Management software installed and it looks healthy - shows MP details, shows it has a PKI certificate and shows SMS Site Code and all actions are available (see inset into the attached file here)
  3. On examining the LocationServices log file from C:\Windows\CCM\Logs, it has listed the address of the Management Points we use
  4. Verified the SMS service and WMI service are running on the client
  5. Through winmgmt /verifyrepository also has a working WMI

Thus why does only an un-install of the Configuration Manager Client on the device (ccmsetup.exe /un-install) and then a re-install (ccmsetup.exe /UsePKICert /NoCRLCheck SMSMP=https://Management_Point_URL FSP=Management_Point_URL DNSSUFFIX=Domain_Name SMSCACHESIZE=20480) resolve the issue?

What is it that the client is missing\has wrong that prevents it from having communicated with the Management Point when all appears well on the client and the client has been online consistently? What else can be checked on the client device? Where\how would we check for any certificates issues if that is needed? In regard to the last point, we have also verified the Management Point is fine using tests as outlined in the article https://www.recastsoftware.com/resources/how-to-test-your-mp-to-confirm-if-it-is-healthy/

Microsoft Configuration Manager

9 answers

  1. Graham Duffy 0 Reputation points
    2023-11-28T07:38:03.51+00:00

  2. AllenLiu-MSFT 42,746 Reputation points Microsoft Vendor
    2023-11-29T02:52:05.1833333+00:00

    Hi, @Graham Duffy

    Thank you for posting in Microsoft Q&A forum.

    The issue may be related to the client's certificate. If the client's certificate is not valid or has expired, it may prevent the client from communicating with the management point. If the certificate is not valid or has expired, you can try renewing it.

    Another possible cause could be that the client is not properly registered with Microsoft Entra ID. You can check the client's registration status by running the following command on the client: dsregcmd /status. If the client is not registered, you can try re-registering it by running the following command: dsregcmd /join.

    You may check the common issues to see if it helps:

    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/comanage-configmgr/troubleshoot-co-management-auto-enrolling#common-issues



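One way to run the certificate check suggested in the answer above, as an added example that is not part of the original thread. It assumes the client's PKI certificate sits in the default Local Computer Personal store (`Cert:\LocalMachine\My`) with the Client Authentication EKU, and it skips revocation checking to mirror the `/NoCRLCheck` switch from the question; the function name and the 30-day warning window are assumptions.

```powershell
# Added example: audit client-authentication certificates in the
# Local Computer > Personal store (Cert:\LocalMachine\My).
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-ClientAuthCertificate {      # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$WarnDays = 30                # assumption: renewal warning window
    )
    $now    = Get-Date
    $issues = @()
    if ($now -lt $Certificate.NotBefore) { $issues += 'not yet valid' }
    if ($now -gt $Certificate.NotAfter) { $issues += 'expired' }
    elseif ($Certificate.NotAfter -lt $now.AddDays($WarnDays)) { $issues += "expires within $WarnDays days" }
    if (-not $Certificate.HasPrivateKey) { $issues += 'no private key' }

    # Chain validation against the trusted roots visible to this session;
    # revocation is skipped to mirror the /NoCRLCheck install switch.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Certificate)) {
        $issues += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        Issues     = if ($issues) { $issues -join '; ' } else { 'none found' }
    }
}

Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    # Keep only certificates whose EKU extension lists Client Authentication
    $ekus = foreach ($ext in $_.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
    $ekus -contains $ClientAuthOid
} | ForEach-Object { Test-ClientAuthCertificate -Certificate $_ } | Format-List
```

An empty result means no certificate in that store carries an explicit Client Authentication EKU, which is itself worth comparing against a client that registers correctly.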
  3. Graham Duffy 0 Reputation points
    2023-11-29T06:41:08.8566667+00:00

    Thanks. Where would we check the client certificate validity i.e. where within certificate Manager - computer Certificate in Personal or Trusted Publishers section etc? Also if the following on a client reports correctly does that mean the client certificate is OK anyway? https://www.recastsoftware.com/resources/how-to-test-your-mp-to-confirm-if-it-is-healthy/

    Clients with this issue of not apparently communicating to the MECM Management Point, are listed as registered with Azure\Entra ID.

    Thus still struggling to find a reason as to why the clients appear not to be talking to the Management Point, where all seems OK on them.


  4. Graham Duffy 0 Reputation points
    2023-11-30T07:04:41.7066667+00:00

    What within CCMMessaging.log should we be looking for specifically ?


  5. Graham Duffy 0 Reputation points
    2023-11-30T09:49:15.4733333+00:00

    Attached is the CCMMessaging Log file (with Name_of_Mgmt_Point being substituted for the FQDN of our Management Point Server). There are errors in it such as:

    Supplied sender token is null. Using GetUserTokenFromSid to find sender's token.]LOG]!><time="06:02:48.959+00" date="11-30-2023" component="CcmMessaging" context="" type="1" thread="12988" file="messagequeueproc_outgoing.cpp:197">

    <![LOG[Could not open registry key for user S-1-5-21-475284968-560678093-3958883622-29235, 0x80070002]LOG]!><time="06:02:48.959+00" date="11-30-2023" component="CcmMessaging" context="" type="3" thread="12988" file="usertoken.cpp:111">

    <![LOG[GetuserTokenFromSid, couldn't find logon session for user sid S-1-5-21-475284968-560678093-3958883622-29235]LOG]!><time="06:02:48.959+00" date="11-30-2023" component="CcmMessaging" context="" type="3" thread="12988" file="usertoken.cpp:1022">

    <![LOG[Post to https://Name_of_Mgmt_Point/ccm_system/request failed with 0x87d00323.]LOG]

    What is that indicating an issue with - a certificate or other? What is the supplied Sender Token and unable to open Registry Key and could not find logon session and final error of 0x87d00323

    CcmMessaging.log
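To triage entries like the ones quoted in the post above, the following added example (not part of the original thread) parses the `<![LOG[...]LOG]!>` layout, keeps warnings and errors, and decodes any Win32-facility HRESULT it finds. The sample lines are constructed from the format shown on the page with a placeholder SID; the function names, and the time, type and file values on the last sample line, are made up.

```powershell
# Constructed sample in the CCM log layout quoted above (not the poster's file).
$sample = @'
<![LOG[Supplied sender token is null. Using GetUserTokenFromSid to find sender's token.]LOG]!><time="06:02:48.959+00" date="11-30-2023" component="CcmMessaging" context="" type="1" thread="12988" file="messagequeueproc_outgoing.cpp:197">
<![LOG[Could not open registry key for user S-1-5-21-0-0-0-1001, 0x80070002]LOG]!><time="06:02:48.959+00" date="11-30-2023" component="CcmMessaging" context="" type="3" thread="12988" file="usertoken.cpp:111">
<![LOG[Post to https://Name_of_Mgmt_Point/ccm_system/request failed with 0x87d00323.]LOG]!><time="06:02:49.100+00" date="11-30-2023" component="CcmMessaging" context="" type="2" thread="12988" file="example.cpp:1">
'@

function ConvertFrom-CcmLog {              # hypothetical helper name
    param([Parameter(Mandatory)][string]$Text)
    $pattern  = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+' +
                'component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+' +
                'thread="(?<thread>\d+)"\s+file="(?<file>[^"]*)">'
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }   # CMTrace type values
    # Singleline lets a message span several physical lines
    foreach ($m in [regex]::Matches($Text, $pattern, 'Singleline')) {
        $msg  = $m.Groups['msg'].Value
        $code = [regex]::Match($msg, '0x[0-9A-Fa-f]{8}')
        [pscustomobject]@{
            Date     = $m.Groups['date'].Value
            Time     = $m.Groups['time'].Value
            Severity = $severity[$m.Groups['type'].Value]
            Source   = $m.Groups['file'].Value
            HResult  = if ($code.Success) { $code.Value } else { $null }
            Message  = $msg
        }
    }
}

function Get-HResultHint {                 # hypothetical helper name
    param([Parameter(Mandatory)][string]$Code)
    $value    = [Convert]::ToInt64($Code, 16)      # accepts the 0x prefix
    $facility = ($value -shr 16) -band 0x7FF
    if ($facility -eq 7) {
        # FACILITY_WIN32: the low 16 bits are an ordinary Win32 error code
        return (New-Object System.ComponentModel.Win32Exception ([int]($value -band 0xFFFF))).Message
    }
    return ('facility 0x{0:X} is not Win32; look the code up in the ConfigMgr error reference' -f $facility)
}

ConvertFrom-CcmLog -Text $sample | Where-Object { $_.Severity -ne 'Info' } |
    Select-Object Time, Severity, Source, HResult,
        @{ n = 'Hint'; e = { if ($_.HResult) { Get-HResultHint -Code $_.HResult } } }, Message |
    Format-List
```

For a real client, pass `Get-Content C:\Windows\CCM\Logs\CcmMessaging.log -Raw` as `-Text` instead of `$sample`.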