AzureIntuneSCCM

How to Run Device Actions from MEM Admin Center

The aim of this post is to show you how to run device actions from the MEM admin center. From the admin center you can trigger or run Sync Machine Policy, Sync User Policy and App Evaluation Cycle.

Starting in Configuration Manager version 2002, you can upload your Configuration Manager devices to the cloud service. You can run device actions from the Devices blade in the MEM admin center.

In SCCM version 1906, you could enable co-management for Endpoint Manager (Intune) devices in the Azure Public Cloud. This is indeed a prerequisite before you run device actions in the MEM admin center.

In my previous blog post I showed you how to enable SCCM tenant attach. Before you run device actions from MEM admin center, you must enable the tenant attach.

Run Device Actions from MEM Admin Center

In the Microsoft Endpoint Manager admin center you can run three device actions. The device actions are visible only when you select a Windows device.

  • Sync Machine Policy
  • Sync User Policy
  • App Evaluation Cycle

To run device actions from MEM admin center, in the MEM admin center, go to Devices and click Windows. From the list of the devices select any device and you can run device actions.

Run Device Actions from MEM Admin Center
Run Device Actions from MEM Admin Center

Run Sync Machine Policy from MEM Admin Center

From the list of actions, we will first run Sync Machine Policy. Select a device and click on Sync machine policy in the Microsoft Endpoint Manager console.

When you run the sync machine policy, the Configuration Manager will request the client to download computer policy. To continue this operation, click Yes.

Run Sync Machine Policy from MEM Admin Center
Run Sync Machine Policy from MEM Admin Center

Now you see the status as Sync machine policy pending. Under the device action status, you see the status as Pending connection to Microsoft Endpoint Configuration Manager site. You also see a Date/Time stamp.

Run Sync Machine Policy from MEM Admin Center
Run Sync Machine Policy from MEM Admin Center

When you run device actions from Microsoft Endpoint Manager admin center, open the CMGatewayNotificationWorker.log on service connection point.

Within the same log file look for the line – Received new notification. Validating basic notification details…

That confirms the Sync Machine Policy action is in progress.

CMGatewayNotificationWorker to monitor the sync progress
CMGatewayNotificationWorker to monitor the sync progress

Let’s take a look at PolicyAgent.log on the client machine. The PolicyAgent.log is located in C:\Windows\CCM\Logs folder on client computer. Open this log file with CMtrace tool.

In the PolicyAgent.log you see Requesting Machine policy assignments from MEM authority SMS:MEM (MEM is my ConfigMgr site code).

You can also look at the date and time in the log file and compare with the time when you triggered the sync machine policy from MEM admin center. They both should closely match.

PolicyAgent Requesting Machine policy assignments from MEM authority
PolicyAgent Requesting Machine policy assignments from MEM authority

Finally in the Microsoft Endpoint Manager admin center, we see the Sync machine policy:Completed. Under the device actions status, we see the status as complete.

Run Sync Machine Policy Complete
Run Sync Machine Policy Complete

Run Sync User Policy from MEM Admin Center

From the Microsoft Endpoint Manager admin center, you can Sync User Policy. This pretty much works similar to Sync machine policy.

Select a device in the admin center and click Sync user policy. Configuration Manager will request the client to download the policy for the currently logged on user. To continue this operation, click Yes.

Run Sync User Policy from MEM Admin Center
Run Sync User Policy from MEM Admin Center

On the ConfigMgr service connection point, you can monitor progress of sync user policy in the CMGatewayNotificationWorker.log. You see the line Received new notification. Validating basic notification details.

Received new notification. Validating basic notification details.
Received new notification. Validating basic notification details.

You also see the following lines in the CMGatewayNotificationWorker.log.

Authorized to perform client action. TemplateID: RequestUserPolicyForAllUsers
Forwarded BGB remote task. TemplateID: 4 TaskGuid: 783c0544-919b-4273-bf5e-8de61e642fc8 TaskParam: TargetDeviceIDs: 1 SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker

Meanwhile you should see status as Pending connection to Microsoft Endpoint Configuration Manager site in admin center.

However once the sync is complete, in the MEM admin center you should see Sync user policy Completed.

Run Sync User Policy Completed
Run Sync User Policy Completed

Run App Evaluation Cycle from MEM Admin Center

From the Microsoft Endpoint Manager admin center you can run App Evaluation cycle. This device action allows Configuration Manager to request the client to reevaluate the requirement rules for all deployments. Any missing applications will be reinstalled.

Select a device in the admin center and run the app evaluation cycle. On the confirmation box, click Yes. In the admin center you will see App evaluation cycle pending.

Run App Evaluation Cycle from MEM Admin Center
Run App Evaluation Cycle from MEM Admin Center

Monitor the CMGatewayNotificationWorker.log file to see the progress of App Evaluation cycle. You should find the below info.

Received new notification. Validating basic notification details
Authorized to perform client action. TemplateID: ApplicationDeploymentEvaluation
Forwarded BGB remote task. TemplateID: 8 TaskGuid: a2954544-eeb5-43d3-b146-b07cd8ec3f72 TaskParam: TargetDeviceIDs: 1 SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker
CMGatewayNotificationWorker App Evaluation Cycle
CMGatewayNotificationWorker App Evaluation Cycle

Now open the AppDiscovery.log on the client computer. This log file is located in C:\Windows\CCM\Logs folder. Look for the line.

Entering ExecQueryAsync for query select * from CCM_AppDeliveryType
Entering ExecQueryAsync for query select * from CCM_AppDeliveryType
Entering ExecQueryAsync for query select * from CCM_AppDeliveryType

Since there are no required application deployments on clients, we don’t see much logging being done in AppDiscovery.log. In the Microsoft Endpoint Admin center, we see we have run all the action cycles successfully.

Run Device Actions from MEM Admin Center
Run Device Actions from MEM Admin Center

Run Device Actions Log Files

Here are the log files associated with Run Device actions and you can use them whenever you trigger a specific device action.

Run Device Actions NameDevice Actions Log Files
Sync Machine PolicyCMGatewayNotificationWorker.log, PolicyAgent.log
Sync User PolicyCMGatewayNotificationWorker.log, PolicyAgent.log
App Evaluation CycleCMGatewayNotificationWorker.log, AppDiscovery.log, AppEnforce.log, AppIntentEval.log

Prajwal Desai

Hi, I am Prajwal Desai. For last few years I have been working on multiple technologies such as SCCM / Configuration Manager, Intune, Azure, Security etc. I created this site so that I can share valuable information with everyone.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button