Jump to content


Martinez

Established Members
  • Content Count

    12
  • Joined

  • Last visited

Community Reputation

0 Neutral

About Martinez

  • Rank
    Member
  1. Alright, so I ended up with creating a temporary secondary MP with HTTP traffic so that computers receive policies and switch to PKI. Seems to do the trick. I am still not sure, why many computers could have switched from self-signed to PKI and some did not [different OS version and edition, different locations].
  2. Hello Peter, No proxy involved, but thank you for suggesting this. There is one more thing though thay I have spotted, there are old objects in AD System Management from previous SCCM infras (2007 & 2012), the MP publishing records were never cleand in the decomm process. I need to clean this up and try again. Also, planning to install HFRU to MECM 1910.
  3. Yes, I have, the pasted error above is from the re-installation attempt. One one I have uninstalled completed, and now it doesn't want to install at all. Yes, the client receive the auto-enrollment cert via group policy. Also tried to delete it and refresh policies, cert appears, but on agent reinstallation attempt it fails.
  4. Hello, We are on SCCM CB 1910 since end of January [WS 2016], single primary site and 20+ DPs. Last week, we have moved to PKI based certificates, all required cert templates are in place, GPO; Two new certs were also requested on every site system with IIS role, reconfiguration of MP to HTTPS, IIS bindings on every site system plus additional IIS config on SUP, certs imported to DPs. On Primary site I haven't switched to HTTPS only, yet, due to issues with PXE (resolved now). I have check all the configuration as per the guides ohere on wn and recordings of Justin from PatchMyPC on yt, all matches. The problem we have is that out of 3600 computers, approx 85 % switched to PKI, rest is on self-signed, as one of the consequences, they do not install software updates. I have tried deleting it and requesting new certs [Workstation authentication], checking if these systems have access to CRL list [they do), it they can open https://MP.FQDN site (they can), IIS reset on MP, CCM agent reinstallation with mp:https:// command, but nothing changes. ClientIDManagerStartup:[RegTask] - Client is not registered. Sending registration request for GUID:RegTask: Failed to send registration request message. Error: 0x87d00231 RegTask: Failed to send registration request. Error: 0x87d00231[RegTask] - Sleeping for 480 seconds ...CCMMessaging.logSuccessfully queued event on HTTP/HTTPS failure for server 'MP.FQDN'.Post to https://MP.FQDN/ccm_system/request failed with 0x87d00231. Failed to open to WMI namespace '\\.\root\ccm' (80041003) Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f78 [CCMHTTP] ERROR: URL=https://MP.FQDN/ccm_system_windowsauth/request, Port=443, Options=480, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE [CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText= Raising event:instance of CCM_CcmHttp_Status{ClientID = "GUID:xxxxx";DateTime = "20200602111635.355000+000";HostName = "MP.FQDN";HRESULT = "0x80072f78";ProcessID = 4904;StatusCode = 0;ThreadID = 7160;};CcmMessaging 6/2/2020 4:16:35 AM 7160 (0x1BF8)LocationServices.logFailed to send management point list Location Request Message to MP.FQDN4 assigned MP errors in the last 10 minutes, threshold is 5.Current AD site of machine is AD-SITE LocationServicesCurrent AD site of machine is AD-SITE LocationServicesAssigned MP error threshold reached, moving to next MP. CCMSetup.logFailed in WinHttpReceiveResponse API, ErrorCode = 0x2f78[CCMHTTP] ERROR: URL=https://MP.FQDN/ccm_system/request, Port=443, Options=480, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE[CCMHTTP] ERROR INFO: StatusCode=200 StatusText=Raising event:instance of CCM_CcmHttp_Status{ClientID = "GUID:xxxxx";DateTime = "20200602103445.016000+000";HostName = "MP.FQDN";HRESULT = "0x80072f78";ProcessID = 2972;StatusCode = 200;ThreadID = 8076;};Failed to submit event to the Status Agent. Attempting to create pending event. Raising pending event:instance of CCM_CcmHttp_Status{ClientID = "GUID:e2ea64fd-5790-4d63-99ba-24c870cf2387";DateTime = "20200602103445.016000+000";HostName = "MP.FQDN";HRESULT = "0x80072f78";ProcessID = 2972;StatusCode = 200;ThreadID = 8076;};Successfully submitted pending event to WMI. Failed (0x80072f78) to send location request to 'MP.FQDN'. StatusCode 200, StatusText ''Failed to send location message to 'https://MP.FQDN'. Status text '' GetDPLocations failed with error 0x80072f78 Failed to get DP locations as the expected version from MP 'https://MP.FQDN'. Error 0x80072f78Failed to find DP locations from MP 'https://MP.FQDN' with error 0x80072f78, status code 200. Check next MP. Only one MP https://MP.FQDN is specified. Use it.Have already tried all MPs. Couldn't find DP locations. The computers on self-signes are Windows 10 (1809), WS2008R2, 2012 R2, 2016 and 2019, across different sites. At the same time, other computers with the same systems and locations are on PKI. I am running out of ideas what else I can try/configure to sort this out. Any help is appreciated. Thank you.
  5. Now I am planning a CMG, I will share experience after the work is completed.
  6. Hi, I just wanted to share my experience, a company with almost 4000 devices, twenty few site systems. I was using this guid to get better picture on the steps needed as well as Justin's videos, also mentioned here on top. - For the pre-requisites part on certificate templates, review if you already have Workstation Certificate issues to all computers, most likely yes. And most likely there is also a GPO in place that enables cert Auto-Enrollment. - It may take some time for all the computers to switch to PKI, take into account all inactive computer objects. - You may experience issues with OSD [PXE-E16/18/53]. I had all certs imported, everything was inplace, just apparently it takes time for the changes to be applied and OSD start working again [unless there was something on network on ou side at that time]. That OSD issue I tested on three different physical sites with the same result. In the end, I have restarted MP server one more time, and site system server restart also helped, but not straightaway, took it like 1hr after reboot to allow OSD in particular site. Erros in PXE and SMSDP logs started disappearing after few hrs. - I also had errors and warning in \Monitoring\Overview\System Status\Component Status node. Especially MP_Control_Manager. Again, give it some time. - Some endpoint devices while switching from self-signed to PKI based cert had Software Center with missing applications, only package deployments were there, but again, for a short while before the policy was picked up and applied. In the end, a really helpful additional article, if I can share it please: https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/gg712284(v=technet.10)?redirectedfrom=MSDN#planning-a-transition-strategy-for-pki-certificates-and-internet-based-client-management https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/preparing-for-https-only/ba-p/884761 Following that gives you option to see if clients are HTTPS capable. EDIT: for the certificates imported to IIS and DPs/MP, add for yourself or to whole team a reminder in Outlook to renew them in 3 years time [or whatever validity period you have put], so you don't end up with unnecessary issues etc. Best regards, Marcin
  7. Ohh, I saw this page but apparently wasn't obvious for me at first, but now after redaing again it makes sense. Thank you Niall
  8. Hi Niall, Very good series, this one, the one on PKI and CMG, all of them really helpful. I have a question if I may. When you import that IIS Certificate, you need to do this only on SCCM Primary Site Server or any site system that holds IIS role and then request that cert on each of these with DNS name of each site system? I cannot find this answer anywhere 😐
  9. Hi Niall Thank you. Tthis is what I already have in the TS, with some custom information like new default BitLocker PIN after completion etc The side effect of hiding the Software Center notification to have TS initiate the program without the standard message as above is that at the same time the monthly updates can be running. I have clicked Upgrade Now, but the updates were already running [or just started] so the upgrade did not start straightaway, letting updates to complete. Once updates were completed, the Upgrade has resumed and TS initiated, but the script has skipped the condition for reboot, as this was checked before the updates completed. 2018-03-06 12:28:34 Upgrade_Forced found in HKCU, checking for DO_NOT_UPGRADE.txt file... 2018-03-06 12:28:34 C:\ProgramData\DO_NOT_UPGRADE.txt doesn't exist. Upgrade is allowed 2018-03-06 12:28:34 creating Upgrade_Forced.txt file 2018-03-06 12:28:34 Checking is model supported... 2018-03-06 12:28:34 Model detected=20FAS4RU0K 2018-03-06 12:28:34 Computer model is supported 2018-03-06 12:28:34 Checking for on battery... 2018-03-06 12:28:34 computer does have a battery... 2018-03-06 12:28:34 computer IS connected to Power... 2018-03-06 12:28:34 computer IS connected to Power... 2018-03-06 12:28:34 Checking for free disc space... 2018-03-06 12:28:34 computer has more than 25GB disc space...181.87 2018-03-06 12:28:34 Checking for VPN... 2018-03-06 12:28:35 VPN not found... 2018-03-06 12:28:35 Checking for pending reboot... 2018-03-06 12:28:35 computer did NOT need a reboot... 2018-03-06 12:28:35 exiting wrapper script with exit code 0 2018-03-06 12:28:35 The registry value does not exist. 2018-03-06 12:28:35 The 5 registry value exists, deleting it !. 2018-03-06 12:28:35 exiting wrapper script with exit code 0, task sequence should begin after this... And the upgrade has started at 2PM approximately.
  10. Hi again I have one small issue, when I deploy the script [all configured as per instructions], first I get standard Software Center popup, instead of the hta. The below screen shows the timing to be next available deployment occurrence, for testing purposes I have 9:20 AM daily. Once I click OK on the below, only then the hta windows is brought with all the user information and deferrals count. Am I missing something maybe?
  11. Hello Niall, this is a wonderful post, something I really needed Just reviewed the wrapper script, supported model line 221, and mapped the PC models into more readable naming, see attached. Best regards, Marcin Win32ComputerSystem-ID-To-ModelNameMapping.xlsx
×
×
  • Create New...