anyweb

Introduction Microsoft recently released a new feature for Windows 365 Cloud PC’s namely the ability to move one or more Cloud PCs to another region. This involves editing a previously created provisioning policy and then deciding whether you want to move all Cloud PC’s or only a subset targeted by that policy. All data/settings etc on the device (except for stored snapshots) will be retained with the move, which is great from an end user perspective. Microsoft themselves recommends testing this on a few Cloud PCs to review how the end to end process works for your users’ Cloud PCs. Why change location ? But first of all, why would we want to change the location of a Cloud PC ? Changing the location of a Windows 365 Cloud PC can be beneficial for several reasons: Improved Performance: Moving the Cloud PC to a location closer to the user can reduce latency and improve overall performance, making applications and services more responsive. Compliance and Data Sovereignty: Different regions have varying regulations regarding data storage and processing. Moving the Cloud PC to a location that complies with local laws can ensure adherence to data sovereignty requirements. Cost Optimization: Some regions may offer lower costs for cloud services. By relocating the Cloud PC to a more cost-effective region, businesses can reduce their operational expenses. Disaster Recovery and Redundancy: Relocating the Cloud PC to a different region can enhance disaster recovery plans by ensuring redundancy and availability in case of regional outages or disasters. User Experience: If a business has employees in different geographical locations, moving the Cloud PC closer to the majority of users can enhance their experience by providing faster access to resources. Scalability: Certain regions may offer better scalability options or more advanced infrastructure, allowing businesses to expand their operations more efficiently. Security: Some regions may have more robust security measures or offer specific compliance certifications that are important for certain industries. So let’s dig in and see how this works in reality. Moving one or more Cloud PC’s In the Intune console, locate the Windows 365 node and select Provisioning policies. Select the target provisioning policy, and click it to edit it. the policy details are revealed. Take note of the current location configured within the policy, this is optional but useful to know if you want to revert to that location later on. Review location before change At this point, pick a test Cloud PC to allow you to review that the move process goes smoothly. On that Cloud PC, verify the current location using a site such as https://www.whatismyipaddress.com or https://mylocation.org/. Below you can see the approximate location of our test Cloud PC before any move is attempted. As we can see it’s listed in Iowa, in the United States. 1. Inform the users Now that we know which provisioning policy we’ll be editing, and what location our target Cloud PC’s reside in, we need to pick one or more users of those Cloud PC’s and inform them of what is about to happen (and why). You need to explain to the users that they must save any open documents, close their apps and to sign out of their Cloud PC for the weekend. It’s a good idea to do the move over the weekend as obviously some Cloud PC’s will have more data/apps/settings to move than others. 2. Edit the policy In the General section of the provisioning policy, click Edit and modify the Geography. I chose European Union as that’s where I want to move my target Cloud PC’s. You can fine tune the region and select an actual region such as Sweden, but it’s recommended to choose the Automatic (Recommended) option to avoid provisioning failure. For a list of supported regions see here. As this is an actual move and not a provisioning, I chose Sweden. after editing the policy, click Next followed by Update. 3. Pick one or more target Cloud PC’s Now that you’ve changed the Geography and Region of your provisioning policy, click Apply this configuration to select one or more target Cloud PC’s. To select one or more devices, click the third option which is Region or Azure network connection for select devices and click Apply. That will bring up a list of devices to select. Select one or more targets and place a check in the Cloud PC’s will be disconnected and shutdown while the configuration is updating. Any unsaved work may be lost message. Note that the disconnect only affects selected devices, not all targeted by this provisioning policy. 4. Review the Cloud PC’s status The status of the selected Cloud PC’s will change to Moving region or network in the All Cloud PC’s section of the Windows 365 node. Individual Cloud PC’s will also show new status in Intune devices via the Overview and Device action status areas of each device. Also to note, the above statuses will have changed even before the move of the actual target takes place, so the Cloud PC may still be online for a brief period before it receives the instructions to shutdown. You can also monitor the status using the Cloud PC actions report. which reveals some more data for individual Cloud PC’s plus, if you selected multiple Cloud PC’s, click on Bulk batches. After some time, the status should update on the device to Completed and the Cloud PC actions report will be updated with the new status. And on the target PC itself, you can verify it’s location using the previously mentioned sites to confirm the new location. Job done! Final thoughts Keep in mind that after you’ve completed your Cloud PC move operations, that any new Cloud PC’s targeted by that provisioning policy will also be provisioned in the new region. This new ability is great, and I’ve tested it successfully in multiple tenants. I do however feel that with just a little bit more work it could be even better. What I’d like to see is native ability within Intune to send customizable emails/alerts/notification for any Cloud PC’s targeted by the move operation, both before and after the event to alert the end users about what is happening and when, and more importantly to let them know that operations are complete. Great job Microsoft!

Introduction In a previous blog post I started troubleshooting why my Windows app showed a blank white screen instead of the usual User Interface. I did a bunch of troubleshooting but it didn’t lead anywhere or so I thought. No matter what I did, I could not use the Windows app any more. So I kept digging. By checking the Details section of Task Manager, I could see where the Windows365.exe executable file was launched from. C:\Program Files\WindowsApps\MicrosoftCorporationII.Windows365_2.0.366.0_arm64__8wekyb3d8bbwe I browsed the files and folders in there and found an interesting to me json file called system_settings.json in the Resources folder, it referenced the Microsoft remote desktop client agent (msrdc) and a quick search on the internet revealed that that version was not the latest. So I downloaded the latest version and installed it. I then re-attempted to start the Windows app, but to no avail, it was still blank. The MSRDC agent I’ve been using the Windows app since it’s first iteration, so it was easy to forget about msrdc. Launching that Microsoft Remote Desktop Client agent allowed me to see and use my Cloud PC’s so that was at least a workaround for accessing them until the problem was resolved. Back to the problem though. Looking through event viewer I could see lots of errors in AppXDeployment-Server, maybe they had something to do with my problem. That error was: Deployment Register operation with target volume 😄 on Package MicrosoftCorporationII.Windows365_2.0.365.0_arm64__8wekyb3d8bbwe from: (AppXManifest.xml) failed with error 0x80073D02. See http://go.microsoft.com/fwlink/?LinkId=235160 for help diagnosing app deployment issues. I followed the link and it revealed the following for that error code. Webview2 revisited This ‘currently in use’ error got me thinking again about the Outlook New Webview2 problem, which I never managed to solve in part 1. But first, what is Webview2 ? see here. WebView2 is a way for app developers to embed web content (such as HTML, JavaScript, and CSS) in Windows applications. By including the WebView2 control in an app, a developer can write code for a website or web app, and then reuse that web code in their Windows application, saving time and effort. See Introduction to Microsoft Edge WebView2. So what was the Outlook New problem ? Namely every time I started Outlook New, it would prompt me to install Webview2. As you can see in the previous part I tried to fix that and thought that I had, but in reality, the problem was still there and Outlook New always complained about the Webview2 requirement. Could the Webview2 installer be stuck in a loop somehow and that could be affecting the Windows app from updating/deploying properly ? When I tried to solve it in part 1, I launched Outlook New from an administrative command prompt, or chose “run as administrator” after elevating myself. However the solution we use for elevation only elevates processes such as cmd.exe or what you click on. It seems that the Webview2 installer, ignores the permissions that Outlook New is launched from. Eureka This became clear when I forgot my phone at home, and thus was not able to enter the MFA code to elevate a process in my continued troubleshooting., instead, I used ControlUp to elevate my session. I then logged off, and logged on to Windows again, and tested my elevation, I was elevated. The difference here is my Windows session was elevated, not just a process. I then launched Outlook New as administrator, got the Webview2 popup, clicked OK and …. some minutes later, Outlook opened, for the first time in days! Clearly, Webview2 was now installed. I then launched the Windows app using ‘run as administrator’ and it too, launched, successfully ! Wonderful ! So at this point I’m fairly confident that Webview2 was the problem here, or if both the Windows app and Outlook New for some reason needed the Windows session elevated in order to complete pending Webview2 update actions. I’m also very happy that my Windows app is once again working on my Qualcomm ARM64 laptop ! If you are wondering whether Webview2 is even used for the Windows App, open task manager, search for View and launch the Windows app. Look what appears. I’ve placed red rectangles around three things, Outlook, Windows 365 and MS Teams. Why the other apps ? during my the last week or so I also had serious lagging issues in Teams, and it too, uses Webview2 as you can clearly see in the image above. Fixing the Webview2 installer in Outlook (New) via an elevated Windows session solved all my problems in the following apps: Outlook (New) Teams Windows App Update I’ve since had the exact same problem occur another 3 times and I’m getting much better at fixing it, especially after reading this. In a nutshell elevate your Windows session (as described above), then delete the following registry key: HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5} Once done, run the Edge troubleshooter here. This will successfully download and reinstall Webview2 and life will be bearable again, for a while. I’m not sure what app or process breaking my Webview2 but I can tell you this much, it’s very very annoying.

Introduction I use my Windows app daily from a variety of devices to access my Cloud PC’s. Today like any day I clicked the Windows app icon but this time, nothing happened, the familiar Windows app did not appear. So I clicked it again and this time it did appear but was blank. Note: This problem occurred only on my ARM64 device, the Windows app worked just fine on other X64 devices. As you can see in the screenshot above, it’s completely blank, empty of any content, so it’s impossible to use. Trying to fix it I thought the app somehow became corrupt, so I tried to reset & repair the app. Neither of these options helped. Next, I tried to end the processes for the Windows in task manager. And killed the Windows365.exe process tree… but these didn’t help either. The app simply refused to display it’s content. While troubleshooting I noticed a Windows cumulative update was ready to install, you can see it below with the blank Windows app in-front. so I let Windows update do it’s thing and manually restarted the computer. It didn’t help. What about the logs ? Next I looked at the logs connected to the Windows app in %temp%\DiagOutputDir\Windows365\Logs as documented here. The logs (4 in total) did not give me anything to go on other than to highlight that I did have a problem. The most interesting log snippet was this” [2025-03-21 12:53:49.547] [async_logger] [error] [MSAL:0003] ERROR ErrorInternalImpl:134 Created an error: 8xg43, StatusInternal::InteractionRequired, InternalEvent::None, Error Code 0, Context ‘Could not find an account. Both local account ID and legacy MacOS user ID are not present’ but I saw that was repeated even when my Windows app was working, so I chose to ignore it. So what else could I do at this point ? uninstall the app. I then reinstalled the app from the store. end result, same problem! At this point I reverted back to the logs, and found this section, it reminded me of an error I saw this week when launching Outlook (New). The Outlook (New) webview2 error is also shown on top of the log file below: I never bothered to install that Webview2 component as it requires local administrative permissions to do so and I’m a standard user (as I should be). So I elevated my session and tried clicking ok to the Outlook (New) message. That didn’t help, it just kept looping through a prompt asking me to install the new Webview2. A google search led me to this post, and I downloaded the Webview2 client (for ARM64) from here. After deleting the reg key and installing the Webview2 update & restarting the computer I still had the issue with Outlook New prompting to install Webview2 and my Windows app not working. Next up I checked the version of Windows app I was running and it was the latest, 2.0.365.0(ok there’s a insider preview version that’s newer but… I don’t think that’ll help). At this point I’m out of ideas and will inform the Microsoft Group in charge of Windows 365 to see what they have to say about it, I’ll revert in part 2 once this is hopefully solved cheers niall

can you share your smspxe.log file with me and i'll take a look, it may reveal the source of the problem,

it could simply be corrupt task sequence policy, can you do a test and deploy the exact same TS to either the same collection or another collection that this device is in, and retry I tested pxe boot just now in my 2503 lab and all is good, even in a fully PKI environment

the last error in your provided log is "There are no task sequences available to this computer.. Please ensure you have at least one task sequence deployed to this computer. Unspecified error (Error: 80004005; Source: Windows" so.. make sure that whatever you are pxe booting actually is in a collection that is targeted by a task sequence

i've messaged you

i'm happy to hear it

I asked copilot and it gave me this response, try it !, if it works then you can just apply the registry key via a step in the task sequence just before it normally shows up Open Registry Editor: Press Win + R, type regedit, and press Enter. Navigate to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE Create a new DWORD (32-bit) Value: Name it SkipMachineOOBE. Set its value to 1. Create another DWORD (32-bit) Value: Name it SkipUserOOBE. Set its value to 1. These changes should bypass the "Just a moment" screen during the OSD process.

I'd suggest you talk to your network team.

here's the error in CMTrace, you really should use that for reviewing any SCCM log as it highlights warnings and errors The text of interest is: Failed to download PXE variable file after 6 entries. Exit code=14. A quick google reveals that this could be because your VMware client is on a different subnet to that hosted by your PXE enabled distribution point, or that your router is handling subnets in an incorrect way.

you need to press F8 as soon as you the Configuration Manager wallpaper (see my screenshot below).... (also make sure command prompt/f8 support is enabled on the boot image) and grab the smsts.log in X:\Windows\Temp\SMSTSLog, in there you'll probably find out that the reason it's restarting is because of missing drivers or no task sequence advertised to these devices. you can post the log here once you have it, you can copy it off the machine using a usb key or map a network share using net use

I guess you were trying to ask a question, but in case you didn't know CMTrace.exe is already in the C:\Windows\CCM folder see here so as long as you have the ConfigMgr client installed, you'll also have CMTrace.

Introduction Last month I posted about my CMG (Cloud Management Gateway) going AWOL (absent without leave) and staying broken, this was in response to a tweet from Panu, and I documented the sorry story here. I tried many things including the hotfix that was available at the time of posting, but nothing helped. My CMG remained broken and stayed in a state of disconnected. I had planned on removing it entirely and recreating the CMG but time got the better of me. Today however I got a notification from Linkedin that someone had responded to one of my posts about that problem so I took a look. Steven mentioned a hotfix rollup (HFRU) and it was a new one. https://learn.microsoft.com/en-us/mem/configmgr/hotfix/2409/30385346 The issues fixed with this hotfix rollup are pasted from that article below, with the important CMG bits highlighted in bold italic: Issues that are fixed Internet based clients using the alternate content provider are unable to download content from a cloud management gateway or cloud distribution point. Deployment or auto upgrade of cloud management gateways can fail due to an incorrect content download link. Internet based clients can fail to communicate with a management point. The failure happens if the SMS Agent Host service (ccmexec.exe) on the management point terminates unexpectedly. Errors similar to the following are recorded in the LocationServices.log file on the clients. Console [CCMHTTP] ERROR INFO: StatusCode=500 StatusText=CMGConnector_InternalServerError The Configuration Manager console displays an exception when you check the properties of a Machine Orchestration Group (MOG). Membership of the MOG can’t be modified; it must be deleted and recreated. The exception happens when the only computer added to a MOG doesn’t have the Configuration Manager client installed. Hardware inventory collection on a client gets stuck in a loop if the SMS_Processor WMI class is enabled, and the processor has more than 128 logical processors per core. If a maintenance window is configured with Offset (days) value, it will fail to run on clients if the run date happens on the next month. Errors similar to the following are recorded in the UpdatesDeployment.log file. Console Failed to populate Servicewindow instance {GUID}, error 0x80070057 The spCleanupSideTable stored procedure fails to run and generates exceptions on Configuration Manager sites using SQL Server 2019 when recent SQL cumulative updates are applied. The dbo.Logs table contains the following error. Console "ERROR 6522, Level 16, State 1, Procedure spCleanupSideTable, Line 0, Message: A .NET Framework error occurred during execution of user-defined routine or aggregate "spCleanupSideTable": System.FormatException: Input string was not in a correct format. System.FormatException: at System.Number.StringToNumber(String str, NumberStyles options, NumberBuffer& number, NumberFormatInfo info, Boolean parseDecimal) at System.Number.ParseInt64(String value, NumberStyles options, NumberFormatInfo numfmt) at Microsoft.SystemsManagementServer.SQLCLR.ChangeTracking.CleanupSideTable(String tableToClean, SqlInt64& rowsDeleted) ." Multiple URLs are updated to handle a back-end change to the content delivery network used for downloading Configuration Manager components and updates. The Configuration Manager console can terminate unexpectedly if a dialog contains the search field. This gave me some hope so I powered up that lab and took a look. As you can see the hotfix rollup is ready to install. Note: Yes I’m aware one of my app secrets is about to expire, that’s not part of this blog post or problem so I’ll ignore it for now. Before installing the hotfix rollup however I checked on the status of my CMG. And to my great surprise after weeks (a month even) of being broken and disconnected it was now………. connected. Uh… what ? Ok, that’s weird. I ran the connection analyzer as well just for giggles, and for the first time in a long time it passed with flying colours. As the server log files have unfortunately rolled over, I cannot see ‘when’ it self-fixed itself or whether that was on the backend (the CMG in Azure) or on the CM server itself. Just as a reminder, my now working CMG is in this state without me doing anything further after my original blog post, so it self fixed itself after many weeks of being broken. Installing the hotfix rollup To wrap things up, I decided I’ll install the hotfix rollup, to see what if anything it can do. And after some time it was done, however as you can see I still have 2 Configuration Manager 2409’s listed (one was the early ring upgrade). Well that’s it for this blog post, thanks Steven for the heads up on the hotfix rollup, however it didn’t resolve my issue, which seemed to solve itself prior to the rollup.

10 years actually

have you verified that the cert in your dp is updated also ? see step 5 here

ah great to hear it and thanks @Cerberus24 for posting your findings, i'm sure it'll help someone !

hi @Martinez in my #11 lab (domain controller) I have a DHCP server running, so any device that connects into that lab will receive a valid ip address I hope that helps cheers niall

Introduction Panu Sakku posted the following tweet recently asking if anyone noticed their CMG (Cloud Management Gateway) was broken after it got a recent update. I checked my lab, and sure enough, it was also dead in the water, and could not start. After checking the logs I replied to Panu. The errors in the SMS_CLOUD_PROXYCONNECTOR.log file in red were many, and here’s a paste of some of them to help others find out how to resolve this problem. ERROR: Web socket: Failed to online with Proxy server CLOUDATTACHCMG.AZURENOOB.COM:443. System.AggregateException: One or more errors occurred. —> System.Net.WebSockets.WebSocketException: Unable to connect to the remote server —> System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.126.223.196:443~~ at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)~~ at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)~~ at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)~~ — End of inner exception stack trace —~~ at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)~~ at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)~~— End of stack trace from previous location where exception was thrown —~~ at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()~~ at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)~~ at System.Net.WebSockets.ClientWebSocket.<ConnectAsyncCore>d__21.MoveNext()~~ — End of inner exception stack trace —~~ at System.Net.WebSockets.ClientWebSocket.<ConnectAsyncCore>d__21.MoveNext()~~ — End of inner exception stack trace —~~ at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)~~ at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.WebSocketConnection.Online()~~—> (Inner Exception #0) System.Net.WebSockets.WebSocketException (0x80004005): Unable to connect to the remote server —> System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.126.223.196:443~~ at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)~~ at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)~~ at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)~~ — End of inner exception stack trace —~~ at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)~~ at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, and ERROR: Failed to build WebSocket connection 1800a2f4-5e7c-4aa7-9c5d-0b4027ab939d with server CLOUDATTACHCMG.AZURENOOB.COM:443. Exception: System.Net.WebException: Failed to online~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.WebSocketConnection.Online()~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionBase.Start()~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionManager.MaintainConnections() and ERROR: Failed to build HttpV2 connection 1800a2f4-5e7c-4aa7-9c5d-0b4027ab939d with server CLOUDATTACHCMG.AZURENOOB.COM:443. Exception: System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.126.223.196:443~~ at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)~~ at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)~~ at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)~~ — End of inner exception stack trace —~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.HttpConnectionV2.SendInternal(HttpMethod method, String path, String payload, Int32& statusCode, Byte[]& responsePayload)~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.HttpConnectionV2.SendInternal(HttpMethod method, String path, Byte[] payload)~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.HttpConnectionV2.Online()~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionBase.Start()~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionManager.MaintainConnections() Shortly after I replied, Johnny Radeck posted an update, he solved it by uninstalling an extension and then making a change to the CMG properties. But let’s see why he did that. If you go to the Azure portal and locate your CMG, you’ll see it’s got a Failed status (1). If you click Restart (2) after a few minutes it’ll be failed again but you’ll get a notification (3) explaining what failed. Failed to restart virtual machine scale set Failed to restart virtual machine scale set ‘cloudattachcmg’. Error: VM has reported a user failure when processing extension ‘InstallCMG’. Please correct the error and try again. (publisher ‘Microsoft.Compute’ and type ‘CustomScriptExtension’). Error code: ‘2’. Error message: ‘Command execution finished, but failed because it returned a non-zero exit code of: ‘1”. Detailed error: ”. More information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot. So it’s clear that Azure has problems starting the CMG due to “VM has reported a user failure when processing extension ‘InstallCMG’.” I wonder what the ‘user failure’ means ? Let’s try Johnny’s advice then. Fixing the problem ? Click on Settings, select Extensions + applications and then place a checkmark in InstallCMG, it’ll bring up it’s properties and you can now select Uninstall. The settings in that extension are listed here, just to see if they change after the fix. “commandToExecute”: “powershell.exe -File cmgsetup.ps1 -storageAccountName cloudattachcmg -storageEndpointSuffix core.windows.net -serviceName cloudattachcmg -serviceCName cloudattachcmg.azurenoob.com -certStoreName My -certThumbprint 2D2F89A0F44335C0D57678DA5AC80663660B0250 -crlAction enable -tls12Enforced True -nodeName localhost -bDisabledSharedKey True”, “fileUris”: [ “https://cloudattachcmg.blob.core.windows.net/stageartifacts/cmgsetup.ps1” ] } After a while it’ll be uninstalled and you’ll get a notification telling you that it’s done. After changing Client revocation settings, and changing the maintenance window to be in the future (otherwise you’ll get an error) before clicking Apply. A quick look at the CloudMgr.log reveals it’s updating the CMG and the status of the CMG in SCCM changes to Upgrading. while in Azure, the CMG has a status of Updating. and after a while everything should hopefully be fixed. Note: If it works for you, then don’t forget to set the client revocation option back on again. Oops In my case however, no matter how many times I tried my CMG remained well and truly broken. It’s still broken. I’ll update this post if/when I come up with a solution that works for me, but for now, this is just where I’m at with this problem and I’m blogging this as I’ve spent so many hours on it already.

if you have access to teams we can do a session to talk about this, ping me there niall AT windowsnoob DOT com, i'm based in Europe.

@Cerberus24 what client OS are you testing this on as a matter of interest? I'm, happy to do a remote session to compare my lab to yours but it would be good to get more info about your setup

and it's encrypting without any interaction from me

before getting bitlocker policy added the device to my bitlocker policy collection the client has determined it is 'non compliant' for Encryption

ok imaging done, device is NOT encrypted (as I wanted), next up, i'll add it to a collection targeted by BitLocker Encryption policy and see what happens

i'm imaging a VM now and will let it complete, once done i'll drop it un-encrypted into a collection targeted with BitLocker policy, i'll share my results here once done