MDM errors failures and how to fix them

Over the course of this many-month Air-Watch MDM project I’ve been conducting, I have run into WAY more than my fair share of MDM enrollment-related issues.

Troubleshooting MDM issues presents a whole new set of difficulties, because where SCCM provides glorious log files with tons of community engagement and answers, MDM gives you hard to locate Windows Event logs. Every SCCM error code is meticulously documented on the web, where MDM errors give you this result:

This is how you know you are WAY off the reservation!

Never fear though, for I have compiled the most common and frustrating errors which I have painstakingly worked through into this very originally named volume.

Where to find enrollment errors

You can monitor the status of an enrollment in the Windows Event Viewer, under this area:


It is routine to see some errors here, so not every error needs to be solved. However, when you’re trying to troubleshoot why a machine won’t enroll in MDM, this is the first place to look.

SCCM SQL Reports fail with ‘An Error has occurred during report processing’

Recently at a client, we encountered this lovely error message when launching a Configuration Manager (ConfigMgr) report from the web console:

“An error occurred during client rendering.
An error has occurred during report processing. (rsProcessingAborted)
Cannot impersonate user for data source ‘AutoGen_[GUID]_’. (rsErrorImpersonatingUser)
Log on failed. (rsLogonFailed)
For more information about this error navigate to the report server on the local server machine, or enable remote errors ”

Additionally, we witnessed a similar message with stack trace info in the SCCM console itself.

Such a great way to start your day, eh?

The fix for this error is one of two things:

  1. Ensure that you’re using a service account to access the SCCM Data Source. This is configured under Administration -> Site Configuration -> Servers and Site Roles -> Site Server Running Reporting -> Reporting Services Point.

    Double-check that a local user account with a changing password IS NOT being used.

    If these credentials are valid, move on to #2.

  2. Connect to the reporting service point with an account that has administrative rights from a web console.  Click your SQL Reporting instance and go to Security.  Ensure the account above has at least SQL Reporting Administrator rights.

    If this is set, move on to #3.

  3. Launch Reporting Services Configuration Manager and connect to the server running your SQL Reporting Instance.  Ensure that the same account above is listed as the Execution Account.

We detected that the issue was caused by an administrator’s account being used for the above fields (it was set during installation before the service account was ready), and the password recently changed.  Hope this helps!

Azure Powershell – Current Storage Account error when making a new VM

I was trying to make a new Linux VM using the Azure PowerShell cmdlet New-AzureQuickVM, which basically makes a VM very quickly for you using one of the images available in the catalog.  However, I kept running into this message:

New-AzureQuickVM : CurrentStorageAccountName is not accessible. Ensure the current storage account is accessible and in the same location or affinity group as your cloud service.

Now, when you first create a VM in the Azure Web Console, you’ll be prompted to create a Storage Account if you don’t already have one.  Assuming you’ve done so, the first thing you should check is whether the Storage Account is defined within your Azure Subscription.  From PowerShell, run the


Command.

SCCM OSD: The case of the nightmare desktop

Recently, a client has been mentioning some issues they’ve had when doing image testing on a new desktop model.  I came in to help sort out the issue, and it was quite an experience!  We received all sorts of errors, many of them quite puzzling.  In the end, this desktop (the HP ProDesk 600 G1 SFF / Small Form Factor) and the issues around it tested every element of my SCCM OSD Troubleshooting knowledge.

Now that the matter has been solved, I’ll detail out the symptom and cause of each error:

On PXE Booting, the Task Sequence window never loads

Whenever a new model comes into the environment, we always check to see if the machine can boot off of the drivers already imported into the WIM.  In this case, the tech burned a disc using the old WIM, and once WinPE started, we were unable to connect to the SCCM Policy Provider to see what advertisements were available.

Test by launching a command prompt (F8, if enabled on the WinPE WIM) and checking whether the system has an IP address.

When a Task Sequence is selected, it immediately fails


Solving 5447, MP has rejected a policy request because it was not approved.

You may see an error message like this from time to time:


MP has rejected a policy request from GUID:XXXXX-XXXX-XXX-XXX-XXXXXXXXXXXXXX because it was not approved.

This really means that the client…is not approved.  This can happen for a few reasons, but mainly one.  If you set SCCM to Manual Approval mode at some point, be it for testing or troubleshooting, any clients that attempted to be approved at that time are marked as Unapproved, pretty much until the end of time.  You have to find these systems and mark them as approved.

If you use my method to [get system names from a status message], you can just run this on the status message ID of ‘5447’ and see the computer names.  Now, just copy and paste these into the SCCM WQL query I’ve provided here [Where machine name is in this list of names], approve them all and there you go, problem solved.
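
One way to script the approval step, as an added example that is not part of the original post. It assumes the ConfigurationManager PowerShell module is imported and the current location is the site drive, and that `reviewed-5447-names.txt` (a hypothetical file name) holds the computer names taken from the 5447 status messages, one per line. Only devices that are on that list and that the site still records as unapproved get approved; everything else is reported back.

```powershell
# Added example, not from the original post.
# Assumptions: ConfigurationManager module imported, current location is the
# site drive, and $ReviewedList is a hypothetical file of computer names
# collected from the 5447 status messages (one name per line).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ReviewedList = '.\reviewed-5447-names.txt'
)

# Names an admin has looked at and agreed to approve (blank lines ignored).
$reviewed = @(Get-Content -Path $ReviewedList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique)

# Devices the site currently records as not approved (IsApproved = 0).
$unapproved = @(Get-CMDevice | Where-Object { $_.IsApproved -eq 0 })

# Approve only the intersection of the two sets. Unapproved devices that are
# not on the reviewed list are left alone and reported.
$toApprove = @($unapproved | Where-Object { $reviewed -contains $_.Name })
$leftAlone = @($unapproved | Where-Object { $reviewed -notcontains $_.Name })

foreach ($device in $toApprove) {
    # -WhatIf / -Confirm are honoured through ShouldProcess.
    if ($PSCmdlet.ShouldProcess($device.Name, 'Approve ConfigMgr client')) {
        Approve-CMDevice -DeviceName $device.Name
    }
}

# Reviewed names with no unapproved record: typos, already approved, or deleted.
$unapprovedNames = @($unapproved | ForEach-Object { $_.Name })
$unmatched = @($reviewed | Where-Object { $unapprovedNames -notcontains $_ })

[pscustomobject]@{
    Selected        = @($toApprove | ForEach-Object { $_.Name })
    StillUnapproved = @($leftAlone | ForEach-Object { $_.Name })
    NotMatched      = $unmatched
}
```

Run it with `-WhatIf` first to see which clients would be approved; the `StillUnapproved` list shows machines that hit the management point without being on the reviewed list.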