Posts posted by Martinez

  1. Hello,

    We are on SCCM CB 1910 since end of January [WS 2016], single primary site and 20+ DPs.

    Last week, we moved to PKI based certificates; all required cert templates are in place, plus the GPO. Two new certs were also requested on every site system with the IIS role, the MP was reconfigured to HTTPS, IIS bindings were set on every site system plus additional IIS config on the SUP, and certs were imported to the DPs. On the Primary site I haven't switched to HTTPS only yet, due to issues with PXE (resolved now). I have checked all the configuration as per the guides here on wn and the recordings of Justin from PatchMyPC on YT; all matches.

    The problem we have is that out of 3600 computers, approx. 85 % switched to PKI and the rest are on self-signed; as one of the consequences, they do not install software updates.

    I have tried deleting it and requesting new certs [Workstation Authentication], checking if these systems have access to the CRL [they do], if they can open the https://MP.FQDN site (they can), IIS reset on the MP, CCM agent reinstallation with the mp:https:// command, but nothing changes.

    ClientIDManagerStartup:
    [RegTask] - Client is not registered. Sending registration request for GUID:
    RegTask: Failed to send registration request message. Error: 0x87d00231
    RegTask: Failed to send registration request. Error: 0x87d00231
    [RegTask] - Sleeping for 480 seconds ...

    CCMMessaging.log
    Successfully queued event on HTTP/HTTPS failure for server 'MP.FQDN'.
    Post to https://MP.FQDN/ccm_system/request failed with 0x87d00231.
    Failed to open to WMI namespace '\\.\root\ccm' (80041003)
    Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f78
    [CCMHTTP] ERROR: URL=https://MP.FQDN/ccm_system_windowsauth/request, Port=443, Options=480, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE
    [CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText=
    Raising event:
    instance of CCM_CcmHttp_Status
    {
    ClientID = "GUID:xxxxx";
    DateTime = "20200602111635.355000+000";
    HostName = "MP.FQDN";
    HRESULT = "0x80072f78";
    ProcessID = 4904;
    StatusCode = 0;
    ThreadID = 7160;
    };
    CcmMessaging 6/2/2020 4:16:35 AM 7160 (0x1BF8)

    LocationServices.log
    Failed to send management point list Location Request Message to MP.FQDN
    4 assigned MP errors in the last 10 minutes, threshold is 5.
    Current AD site of machine is AD-SITE LocationServices
    Current AD site of machine is AD-SITE LocationServices
    Assigned MP error threshold reached, moving to next MP.


    CCMSetup.log
    Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f78
    [CCMHTTP] ERROR: URL=https://MP.FQDN/ccm_system/request, Port=443, Options=480, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE
    [CCMHTTP] ERROR INFO: StatusCode=200 StatusText=
    Raising event:
    instance of CCM_CcmHttp_Status
    {
    ClientID = "GUID:xxxxx";
    DateTime = "20200602103445.016000+000";
    HostName = "MP.FQDN";
    HRESULT = "0x80072f78";
    ProcessID = 2972;
    StatusCode = 200;
    ThreadID = 8076;
    };

    Failed to submit event to the Status Agent. Attempting to create pending event.
    Raising pending event:
    instance of CCM_CcmHttp_Status
    {
    ClientID = "GUID:e2ea64fd-5790-4d63-99ba-24c870cf2387";
    DateTime = "20200602103445.016000+000";
    HostName = "MP.FQDN";
    HRESULT = "0x80072f78";
    ProcessID = 2972;
    StatusCode = 200;
    ThreadID = 8076;
    };

    Successfully submitted pending event to WMI.
    Failed (0x80072f78) to send location request to 'MP.FQDN'. StatusCode 200, StatusText ''
    Failed to send location message to 'https://MP.FQDN'. Status text ''
    GetDPLocations failed with error 0x80072f78
    Failed to get DP locations as the expected version from MP 'https://MP.FQDN'. Error 0x80072f78
    Failed to find DP locations from MP 'https://MP.FQDN' with error 0x80072f78, status code 200. Check next MP.
    Only one MP https://MP.FQDN is specified. Use it.
    Have already tried all MPs. Couldn't find DP locations.


    The computers on self-signed are Windows 10 (1809), WS2008R2, 2012 R2, 2016 and 2019, across different sites. At the same time, other computers with the same systems and locations are on PKI.

    I am running out of ideas about what else I can try/configure to sort this out.

    Any help is appreciated. Thank you.
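    A client-side triage script for the symptoms described in this post (added example, not code from the thread or from the product): it checks for a Workstation Authentication certificate with a private key, performs a TLS handshake to the MP and validates the server chain with online CRL checking, confirms the MP certificate's SAN covers the FQDN, and pulls the 0x87d00231 / 0x80072f78 lines from the three logs quoted above. `MP.FQDN` is a placeholder and the default `%windir%\CCM\Logs` folder is assumed.

```powershell
# Added example (not from the thread). Run elevated on an affected client.
# Assumptions: 'MP.FQDN' is a placeholder for the HTTPS management point;
# the client logs live in the default %windir%\CCM\Logs folder.
param(
    [string]$MpFqdn = 'MP.FQDN',
    [string]$LogDir = "$env:windir\CCM\Logs"
)

# 1. Client certificate: the CM client needs a cert in LocalMachine\My with a
#    private key and the Client Authentication EKU (Workstation Authentication template).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$clientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $clientAuthOid)
}
if ($clientCerts) { $clientCerts | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize }
else { Write-Warning 'No valid Client Authentication certificate with a private key in LocalMachine\My' }

# 2. TLS to the MP: handshake, then build the server chain with online revocation
#    checking, which exercises the same CRL path the CM client has to reach.
$tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($MpFqdn, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($MpFqdn)
    $mpCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "MP certificate: $($mpCert.Subject) issued by $($mpCert.Issuer), expires $($mpCert.NotAfter)"
    if ($mpCert.DnsNameList.Unicode -notcontains $MpFqdn) {
        Write-Warning "MP certificate SAN does not include $MpFqdn"
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if ($chain.Build($mpCert)) { 'MP certificate chain and CRL check passed' }
    else {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) - $($_.StatusInformation.Trim())" }
    }
} catch {
    Write-Warning "TLS handshake to ${MpFqdn}:443 failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Dispose() }
}

# 3. Pull the failure lines shown in this thread from the client logs.
$patterns = '0x87d00231', '0x80072f78', 'ERROR_WINHTTP_INVALID_SERVER_RESPONSE', 'Client is not registered'
$logs = 'ClientIDManagerStartup.log', 'CcmMessaging.log', 'LocationServices.log' |
    ForEach-Object { Join-Path $LogDir $_ } | Where-Object { Test-Path $_ }
if ($logs) { Select-String -Path $logs -Pattern $patterns -SimpleMatch | Select-Object -Last 15 Filename, Line }
else { Write-Warning "No CM client logs found under $LogDir" }
```

    A chain status other than NoError on step 2, or a failed handshake, points at the server certificate, the CRL path or the trust chain rather than at the client's own certificate.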

  2. Hi,

    I just wanted to share my experience: a company with almost 4000 devices and twenty-some site systems. I was using this guide to get a better picture of the steps needed, as well as Justin's videos, also mentioned here at the top.

    - For the pre-requisites part on certificate templates, review if you already have a Workstation Certificate issued to all computers; most likely yes. And most likely there is also a GPO in place that enables cert Auto-Enrollment.

    - It may take some time for all the computers to switch to PKI; take into account all inactive computer objects.

    - You may experience issues with OSD [PXE-E16/18/53]. I had all certs imported, everything was in place; apparently it just takes time for the changes to be applied and OSD to start working again [unless there was something on the network on our side at that time]. That OSD issue I tested on three different physical sites with the same result. In the end, I restarted the MP server one more time, and a site system server restart also helped, but not straightaway; it took about 1 hr after reboot to allow OSD in a particular site. Errors in the PXE and SMSDP logs started disappearing after a few hrs.

    - I also had errors and warnings in the \Monitoring\Overview\System Status\Component Status node, especially MP_Control_Manager. Again, give it some time.

    - Some endpoint devices, while switching from the self-signed to the PKI based cert, had Software Center with missing applications; only package deployments were there, but again only for a short while, before the policy was picked up and applied.

    In the end, a really helpful additional article, if I can share it please:

    https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/gg712284(v=technet.10)?redirectedfrom=MSDN#planning-a-transition-strategy-for-pki-certificates-and-internet-based-client-management

    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/preparing-for-https-only/ba-p/884761

    Following that gives you the option to see if clients are HTTPS capable.

    EDIT: for the certificates imported to IIS and the DPs/MP, add for yourself or the whole team a reminder in Outlook to renew them in 3 years' time [or whatever validity period you have set], so you don't end up with unnecessary issues etc. :)


    Best regards,

    Marcin

  3. Hi Niall,

    Very good series, this one, the one on PKI and CMG, all of them really helpful.

    I have a question if I may.

    On 7/21/2018 at 11:45 PM, anyweb said:

    You'll notice that for the SCCM IIS Certificate, more information is required to enroll, Click on the message to enter this info.

    For Alternative Name, choose the DNS option and then click on Add to add the hostname and fully qualified domain name of your SCCM server (CM01).

    When you import that IIS Certificate, do you need to do this only on the SCCM Primary Site Server, or on any site system that holds the IIS role, and then request that cert on each of these with the DNS name of each site system?

    I cannot find this answer anywhere?

  4. Hi Niall

    Thank you. This is what I already have in the TS, with some custom information like the new default BitLocker PIN after completion etc :)

    The side effect of hiding the Software Center notification, so that the TS initiates the program without the standard message as above, is that at the same time the monthly updates can be running.

    I clicked Upgrade Now, but the updates were already running [or had just started], so the upgrade did not start straightaway, letting the updates complete. Once the updates were completed, the Upgrade resumed and the TS initiated, but the script had skipped the condition for reboot, as this was checked before the updates completed.

    2018-03-06 12:28:34 Upgrade_Forced found in HKCU, checking for DO_NOT_UPGRADE.txt file...
    2018-03-06 12:28:34 C:\ProgramData\DO_NOT_UPGRADE.txt doesn't exist. Upgrade is allowed
    2018-03-06 12:28:34 creating Upgrade_Forced.txt file
    2018-03-06 12:28:34 Checking is model supported...
    2018-03-06 12:28:34 Model detected=20FAS4RU0K
    2018-03-06 12:28:34 Computer model is supported
    2018-03-06 12:28:34 Checking for on battery...
    2018-03-06 12:28:34 computer does have a battery...
    2018-03-06 12:28:34 computer IS connected to Power...
    2018-03-06 12:28:34 computer IS connected to Power...
    2018-03-06 12:28:34 Checking for free disc space...
    2018-03-06 12:28:34 computer has more than 25GB disc space...181.87
    2018-03-06 12:28:34 Checking for VPN...
    2018-03-06 12:28:35 VPN not found...
    2018-03-06 12:28:35 Checking for pending reboot...
    2018-03-06 12:28:35 computer did NOT need a reboot...
    2018-03-06 12:28:35 exiting wrapper script with exit code 0
    2018-03-06 12:28:35  The registry value does  not exist.
    2018-03-06 12:28:35  The 5 registry value exists, deleting it !.
    2018-03-06 12:28:35 exiting wrapper script with exit code 0, task sequence should begin after this...

    And the upgrade started at approximately 2 PM.

  5. Hi again :)

    I have one small issue: when I deploy the script [all configured as per the instructions], first I get the standard Software Center popup instead of the hta. The screen below shows the timing to be the next available deployment occurrence; for testing purposes I have 9:20 AM daily. Only once I click OK on the popup below is the hta window brought up, with all the user information and the deferrals count. Am I missing something maybe?
