The Microsoft Endpoint Configuration Manager Administration Service Guide

This post is dedicated to the System Center Configuration Manager (SCCM/ConfigMgr) Administration Service (AdminService for short). Please check back here for helpful links to blog posts, documentation and examples for using the AdminService. Please note, I wasn’t sure what the name was officially when I first started, and I didn’t expect to keep posting new info about it, so sorry if it’s disjointed.

Update: 11/3/2109 – I am updating this post to show information for the latest ConfigMgr Current Branch release. Trying to keep track of changes between releases is not all that useful except in Technical Previews.

Original Posts

Latest AdminService News

Community Blogs

Sandy Yinghua – Use ConfigMgr administration service (AdminService) over internet

Nathan Niehnert – Working with the AdminService – Reading Data
Securing the AdminService over CMG

The Basics

The AdminService is a REST API that runs as a service, independent of the other web components in IIS on your site servers.

Service

You can check the status of the service in the console under \Monitoring\Overview\System Status\Component Status – SMS_REST_PROVIDER

Files and Registry Keys

There are several files to be aware of. Below are the key files of interest.

  • Service components
    • <INSTALLDIR>\bin\X64\CMRestProvider\sccmprovidergraph.exe
    • <INSTALLDIR>\bin\X64\CMRestProvider\sccmprovidergraph.exe.config
  • Logs
    • Locations
      • <INSTALLDIR>\Logs
      • Application Event Log – Source – CMRestProviderService
    • Files
      • SMS_REST_PROVIDER.log – Logs the status of the provider service
      • AdminService.log – logs commands run against the AdminService
  • Registry
    • HKLM\SOFTWARE\Microsoft\SMS\Tracing\SMS_REST_PROVIDER
    • HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_REST_PROVIDER
    • HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_SITE_COMPONENT_MANAGER\Component Servers\<SERVERNAME>\Components\SMS_REST_PROVIDER

Setup

Beginning in 1810 CB, you will see the SMS Provider API as an option during setup. This feature enables the AdminService REST API. You also have the option to install the SMS Provider role on additional site servers. When you do this, the AdminService will also be included on the new server. See info here: https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/plan-for-the-sms-provider

Additionally, you can configure the AdminService to communicate through the Cloud Management Gateway (CMG) by configuring the SMS Provider role.

Usage

My earlier posts linked above show the progression of testing that I performed with the AdminService. Below is a summary and key changes between releases. You can test using Postman or another REST API testing tool.

Routes/URLs

There are 2 main Routes in the AdminService – v1.0 and wmi. v1.0 is for newer items that have been transitioned from WMI to OData/SQL. These are already in use for several items, including parts of the SCCM console and Application Approvals. The wmi routes should match the WMI class names that you should already be familiar with – most beginning with SMS_.

Versioned Route Controllers
https://<ServerName>/AdminService/v1.0/
https://<ServerName>/AdminService/v1.0/$metadata

WMI Route Controller

https://<ServerName>/AdminService/wmi
https://<ServerName>/AdminService/wmi/$metadata

Read-Only Query Basics

Note: All queries in this section use an HTTP GET method. Also, everything is CASE SenSiTiVe.

  • Get all Devices
    • https://<ServerName>/AdminService/wmi/SMS_R_System
  • Get All Users
    • https://<ServerName>/AdminService/wmi/SMS_R_User
  • Get Device By ResourceID (same syntax for users)
    • https://<ServerName>/AdminService/wmi/SMS_R_System(12345678)
  • Get User By ResourceID
    • https://<ServerName>/AdminService/wmi/SMS_R_User(12345678)
  • Retrieve related class information. This example gets Operating System information for a specific device. *As of 1906 CB, I’m having trouble getting this working again.
    • https://<ServerName>/AdminService/wmi/SMS_R_System(12345678)/SMS_G_System_OPERATING_SYSTEM

You can find more query examples in my previous posts.
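
One way to run the read-only queries above from PowerShell (an added example, not code from the original post or its GitHub repo). The function name and the server name `cm01.example.test` are assumptions; the call uses `Invoke-RestMethod -UseDefaultCredentials`, so the request is made as the signed-in Windows account and no password is stored in the script.

```powershell
# Added example. Get-AdminServiceObject is a hypothetical helper name.
function Get-AdminServiceObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,        # SMS Provider FQDN
        [Parameter(Mandatory)][string]$Class,         # case-sensitive, e.g. SMS_R_System
        [ValidateSet('wmi', 'v1.0')][string]$Route = 'wmi',
        [int]$ResourceId,                             # optional key, e.g. 12345678
        [string]$RelatedClass                         # e.g. SMS_G_System_OPERATING_SYSTEM
    )

    # Build the URL shapes listed above: class, class(key), class(key)/related.
    $hasKey = $PSBoundParameters.ContainsKey('ResourceId')
    $uri = "https://$Server/AdminService/$Route/$Class"
    if ($hasKey) { $uri += "($ResourceId)" }
    if ($RelatedClass) {
        if (-not $hasKey) { throw 'RelatedClass requires ResourceId.' }
        $uri += "/$RelatedClass"
    }

    try {
        # Integrated Windows authentication as the current user.
        $response = Invoke-RestMethod -Method Get -Uri $uri -UseDefaultCredentials
    }
    catch {
        $err = $_
        # Windows PowerShell and PowerShell 7 both expose the HTTP status here, if any.
        $status = [int]$err.Exception.Response.StatusCode
        switch ($status) {
            401     { throw "HTTP 401 from ${uri}: the request was not authenticated." }
            404     { throw "HTTP 404 from ${uri}: route and class names are case-sensitive." }
            default { throw $err }
        }
    }

    # Collection queries wrap their results in a 'value' array; return the items.
    if ($response.PSObject.Properties.Name -contains 'value') { return $response.value }
    return $response
}

# Usage (placeholder server name):
#   Get-AdminServiceObject -Server 'cm01.example.test' -Class 'SMS_R_System'
#   Get-AdminServiceObject -Server 'cm01.example.test' -Class 'SMS_R_User' -ResourceId 12345678
```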

Create and Edit Methods using wmi Controller

In my recent testing, this doesn’t seem to work with 1906 CB but does work with 1910 TP. Will update if this changes with the next release. The general concept should apply moving forward – you can use POST and a body to create new objects.

Create a new Package

POST – https://<ServerName>/AdminService/wmi/SMS_Package
BODY – {"Name": "Test Package", "Manufacturer": "ASD"}

You should be able to see your new package in the console or you can use the AdminService to query SMS_Package to find it.

GET – https://<ServerName>/AdminService/wmi/SMS_Package?$filter=Name eq 'Test Package'

Editing A Package

Using the methods above, we can edit the package that we just created. First we have to get the ResourceID for the package.

GET – https://<ServerName>/AdminService/wmi/SMS_Package?$filter=Name eq 'Test Package'

{
    "@odata.context": "https://cmtp1-cm1.asd.lab/AdminService/wmi/$metadata#SMS_Package",
    "value": [
        {
            "@odata.etag": "TP100009;",
            "ActionInProgress": 0,
            "BaseBoardProductID": "",
            "DefaultImageFlags": 0,
            "Description": "",
            "DriverManufacturer": "",
            "DriverModel": "",
            "DriverOSVersion": "",
            "DriverPkgVersion": "",
            "ForcedDisconnectDelay": 5,
            "ForcedDisconnectEnabled": false,
            "ForcedDisconnectNumRetries": 2,
            "Icon": null,
            "IgnoreAddressSchedule": false,
            "IsPredefinedPackage": false,
            "IsVersionCompatible": true,
            "ISVString": "",
            "Language": "",
            "LastRefreshTime": "2019-02-12T06:28:44Z",
            "LocalizedCategoryInstanceNames": [],
            "Manufacturer": "ASD",
            "MIFFilename": "",
            "MIFName": "",
            "MIFPublisher": "",
            "MIFVersion": "",
            "Name": "Test Package",
            "NumOfPrograms": 0,
            "ObjectPath": "/",
            "PackageID": "TP100009",
            "PackageSize": 0,
            "PackageType": 0,
            "PkgFlags": 0,
            "PkgSourceFlag": 1,
            "PkgSourcePath": "",
            "PreDownloadRule": "",
            "PreferredAddressType": "",
            "Priority": 2,
            "SecuredScopeNames": [
                "Default"
            ],
            "SedoObjectVersion": "3E8D6AB8-D17A-4B0D-BB4B-515DD092760F",
            "ShareName": "",
            "ShareType": 1,
            "SourceDate": "2019-02-12T06:28:18Z",
            "SourceSite": "TP1",
            "SourceVersion": 1,
            "StoredPkgPath": "",
            "StoredPkgVersion": 1,
            "TransformAnalysisDate": "1980-01-01T06:00:00Z",
            "TransformReadiness": 0,
            "Version": "",
            "__GENUS": 2,
            "__CLASS": "SMS_Package",
            "__SUPERCLASS": "SMS_PackageBaseclass",
            "__DYNASTY": "SMS_BaseClass",
            "__RELPATH": "SMS_Package.PackageID=\"TP100009\"",
            "__PROPERTY_COUNT": 48,
            "__DERIVATION": [
                "SMS_PackageBaseclass",
                "SMS_BaseClass"
            ],
            "__SERVER": "CMTP1-CM1",
            "__NAMESPACE": "root\\sms\\site_TP1",
            "__PATH": "\\\\CMTP1-CM1\\root\\sms\\site_TP1:SMS_Package.PackageID=\"TP100009\""
        }
    ]
}

Edit the Package object

POST – https://<SERVERNAME>/AdminService/wmi/SMS_Package
Body – {"PackageID": "TP100009", "Name": "Test Package #1", "Manufacturer": "A Square Dozen"}

You can also return just the properties that you want, however in 1906 the $select operator doesn’t work – but it does on 1910 TP and previous builds.

GET – https://<SERVERNAME>/AdminService/wmi/SMS_Package?$filter=Name eq 'Test Package %231'&$select=PackageID,Name,Manufacturer

{
    "@odata.context": "https://cmtp1-cm1.asd.lab/AdminService/wmi/$metadata#SMS_Package",
    "value": [
        {
            "@odata.etag": "TP100009;",
            "Manufacturer": "A Square Dozen",
            "Name": "Test Package #1",
            "PackageID": "TP100009",
            "__GENUS": 2,
            "__CLASS": "SMS_Package",
            "__SUPERCLASS": "SMS_PackageBaseclass",
            "__DYNASTY": "SMS_BaseClass",
            "__RELPATH": "SMS_Package.PackageID=\"TP100009\"",
            "__PROPERTY_COUNT": 3,
            "__DERIVATION": [
                "SMS_PackageBaseclass",
                "SMS_BaseClass"
            ],
            "__SERVER": "CMTP1-CM1",
            "__NAMESPACE": "root\\sms\\site_TP1",
            "__PATH": "\\\\CMTP1-CM1\\root\\sms\\site_TP1:SMS_Package.PackageID=\"TP100009\""
        }
    ]
}
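
The create-then-edit flow above as one PowerShell function (an added example, not the author's code; `Set-AdminServicePackage` and the server name are hypothetical). It assumes, as this section describes, that a POST carrying an existing PackageID edits that package; whether the POST succeeds at all depends on the release, as noted at the start of this section.

```powershell
# Added example. Looks a package up by name, then creates it or edits it in place.
function Set-AdminServicePackage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Name,           # current package name
        [Parameter(Mandatory)][hashtable]$Properties   # e.g. @{ Manufacturer = 'ASD' }
    )
    $base = "https://$Server/AdminService/wmi/SMS_Package"

    # OData string literal: single-quoted, embedded quotes doubled. URL-encode the
    # whole expression so '#' becomes %23 instead of starting a URL fragment.
    $literal = "'" + $Name.Replace("'", "''") + "'"
    $filter  = [uri]::EscapeDataString("Name eq $literal")
    $lookup  = Invoke-RestMethod -Method Get -Uri "${base}?`$filter=$filter" -UseDefaultCredentials
    $found   = @($lookup.value)

    if ($found.Count -gt 1) {
        throw "More than one package is named '$Name'; refusing to guess which to edit."
    }

    $body = $Properties.Clone()
    if ($found.Count -eq 1) {
        # Edit: same POST as a create, with the PackageID of the existing object.
        $body['PackageID'] = $found[0].PackageID
    }
    elseif (-not $body.ContainsKey('Name')) {
        # Create: make sure the new object gets the requested name.
        $body['Name'] = $Name
    }
    $json = $body | ConvertTo-Json -Compress

    # -WhatIf shows the exact body without sending the write request.
    if ($PSCmdlet.ShouldProcess($base, "POST $json")) {
        Invoke-RestMethod -Method Post -Uri $base -Body $json `
            -ContentType 'application/json' -UseDefaultCredentials
    }
}

# Usage (placeholder server name), mirroring the two requests above:
#   Set-AdminServicePackage -Server 'cm01.example.test' -Name 'Test Package' `
#       -Properties @{ Manufacturer = 'ASD' } -WhatIf
#   Set-AdminServicePackage -Server 'cm01.example.test' -Name 'Test Package' `
#       -Properties @{ Name = 'Test Package #1'; Manufacturer = 'A Square Dozen' }
```

Each request made this way should also appear in AdminService.log on the provider, which the Files and Registry Keys section lists as the log of commands run against the AdminService.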

Console Connections

Navigate to \Administration\Overview\Security\Console Connections in the Admin Console to see a list of all Admin Consoles that are connected and their versions. Check the AdminService.log to see the query that gets executed.
https://<SERVERNAME>/AdminService/v1.0/ConsoleAdminsData

Look for the Console Heartbeat feature coming soon.

Application Approvals

Depending on whether you’ve enabled the AdminService to communicate through the CMG or not, the email approvals will include a URL to approve an application request. The URL can only be used once since the email GUID is removed from the database once the URL is clicked.

Check this box to allow the AdminService to use the Cloud Management Gateway
Application Approval Request Email

Internal URL
https://<SERVERNAME>/v1.0/UserApplicationRequest/AdminService.ApproveRequest(Guid=%27<GUID>%27)

CMG URL
https://<InternetFacingURL>/CCM_Proxy_ServerAuth/ImplicitAuth?AADTenantID=<TENANTGUID>&RoleID=<ROLEID>&EndpointName=AdminService&Path=v1.0/UserApplicationRequest/AdminService.ApproveRequest(Guid=%27<GUID>%27)

Read more about it here.

PowerShell Usage

You can use the above queries in PowerShell as well. I have several sample scripts on my GitHub Repo here. It’s just for demo purposes and isn’t complete but it should give you a good starting point. Feel free to reach out if you have questions.

Cloud Management Gateway (CMG)

Check my GitHub Repo for a sample script to query the AdminService from the internet through the CMG.

Read more about it here.

OData

I’m having trouble getting this to work in 1906 and 1910 TP at the moment. Since the AdminService uses OData, it can be integrated directly into PowerBI with no need to understand the database or SQL queries.

Summary

I plan to update this page as new AdminService features are released. Please check back for more info. Also, I’d love to hear what things you’ve tested out. Check out my ConfigMgrAdminService GitHub Repo for more sample files in the future.

10 Comments

  • Mike
    July 8, 2019 at 10:18 am

    Rocking! Your screenshot has a Typo 🙂
    AdminSevice instead of AdminService

  • Ryan Hathaway
    November 22, 2019 at 4:15 pm

    I was in your MMS Jazz Adminservice session. Just got around to starting to play with this, and I can see why you were so excited about it. I just tested your adminservice collection query sample with a sort added to the end, vs

    $SUGType = 'SUG | Workstation | '
    $SUGs = Get-CMCollection | Where-Object { $_.Name -like "$SUGType*"} | Select-Object -ExpandProperty Name
    $SUGs = $SUGs | Sort

    TotalMilliseconds : 12894.6838 vs TotalMilliseconds : 195.2171

  • Anthony Condegni
    March 10, 2020 at 9:44 am

    What authentication parameters are being used to successfully execute the REST API from Postman, as in your screenshots? I am not able to successfully GET data.

    If I access the REST API URL directly from a browser, it works fine.

    • Adam Gross
      March 10, 2020 at 10:29 am

      Unfortunately PostMan doesn’t seem to work any longer with the recent changes to auth in the AdminService. Try using Fiddler to test with. It seems to work well as a replacement.

      • Anthony Condegni
        March 10, 2020 at 11:05 am

        OK Thanks. And the correct authentication for the REST API is NTLM?

        • jsantosup
          April 7, 2020 at 6:16 am

          Did you find out which login method to perform?

          • Anthony Condegni
            April 7, 2020 at 6:52 am

            No, I was not able to get this to work, outside of a browser.

  • Jason Baxter
    April 3, 2020 at 7:31 am

    Glad I found this post. I was pulling my hair out trying to figure out why it wasn’t authenticating in Postman but working in the browser.

  • Pradeep
    July 8, 2020 at 8:53 am

    I would like to use it from a Java HTTP client,

    but I could not find any way to authenticate it for the Negotiate authentication mechanism, which needs to fall back to NTLM.

    Can someone guide me on how to proceed further?

  • Jiri Fabik
    November 4, 2020 at 6:33 am

    Hi, may I have a question?

    We are currently developing an integration from our product to SCCM and we just need to read some HW Inventory data over the internet.
    Our Windows service is authenticated using a token gained by the grant “Resource Owner Password Credentials”. I know, it’s not a recommended flow, but it works fine. Unfortunately, one of our customers is using federation services for their accounts and ROPC apparently doesn’t work for federations.
    Therefore, we’d rather like to use the Client Credentials flow to get a token, but this is a scenario without user context.

    So here are my two questions:
    1. Is there a way to access AdminService data without a user context?
    2. Is there a way to get an access token with user context from a Windows service for an account that is under ADFS synchronization?

    Thank you for your answers.
