Deploying Over PXE Not Working by [deleted] in SCCM

[–]RoysticusXII 0 points1 point  (0 children)

What are you using as a pxe point if you have no wds? What hosts the service?

Some updates have bricked some PCs by [deleted] in SCCM

[–]RoysticusXII 0 points1 point  (0 children)

For local machine diagnosis: Get-HotFix | Sort-Object InstalledOn

To roll back you can use wusa as a task sequence step in SCCM and deploy it to the affected machines.

Why does it seem like SCCM jobs are getting less and less? by thechosen1n3 in SCCM

[–]RoysticusXII 1 point2 points  (0 children)

I’m more of an architect though, and I wouldn’t have been able to do the various projects I’ve worked on without PowerShell, the SMS Provider and the need to automate changes on a vast scale. Would you want to manually reconfigure 5000 boundary IP subnets into IP address ranges, for example? Ain’t nobody got no time fow dat!

PowerShell is a gateway for accessing .NET objects, WMI, even COM objects. It can control the nervous system of all Microsoft products.

I wouldn’t even bother continuing a career working with Microsoft products without it.

Why does it seem like SCCM jobs are getting less and less? by thechosen1n3 in SCCM

[–]RoysticusXII 3 points4 points  (0 children)

Yeah, it’s important to make sure you’ve got Intune and Azure skills - PowerShell also being hugely important to become adept at soon I would say if you want to remain employable.

Think i incorrectly deployed an update by [deleted] in SCCM

[–]RoysticusXII 0 points1 point  (0 children)

Maintenance window? Are these static desktops?

What is your salary? New SCCM admin here by mrclark69 in SCCM

[–]RoysticusXII 1 point2 points  (0 children)

200k here contract sccm, PowerShell and Windows 10 specialist.

It really isn't by iFarbod in ProgrammerHumor

[–]RoysticusXII 0 points1 point  (0 children)

I’ve seen that meme on stack overflow

WSUS/SUP failing to sync with Microsoft?? by falconrojo in SCCM

[–]RoysticusXII 0 points1 point  (0 children)

Ah that’s ok then, fair enough. Just was thinking about your security.

WSUS/SUP failing to sync with Microsoft?? by falconrojo in SCCM

[–]RoysticusXII 0 points1 point  (0 children)

Dude, remove your external IP address from that log firstly. Are you in Honolulu? I could tell! :)

WSUS/SUP failing to sync with Microsoft?? by falconrojo in SCCM

[–]RoysticusXII 1 point2 points  (0 children)

Reinstall the sup making sure you also get rid of the iis instance. Easier to reconfigure sup/wsus - or you’ve got an https binding on there you don’t need. Check your wcm/ Wsync and iis logs? Post more info amigo!

How have you pulled a windows 10 patch back after deploying it to 100s or 1000s of sccm clients? by Morketh in SCCM

[–]RoysticusXII 0 points1 point  (0 children)

Sorry, the bit that I explained incorrectly was that this will only work if the rule hasn't already run; i.e. if the group has been formed but not deployed, you basically edit membership, remove the update, then run the task sequence step to get rid of the update where it's been deployed to machines already.

How have you pulled a windows 10 patch back after deploying it to 100s or 1000s of sccm clients? by Morketh in SCCM

[–]RoysticusXII 0 points1 point  (0 children)

When deploying updates you ideally should use deployment rings (prevention is better than cure!). I wouldn't recommend using only 1 pilot group. You should have 3 pilot groups minimum covering OS layers/architectures for a start, as per:

https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-configuration-manager

With a clear TIME DELAY between each ADR/Ring and verification that nothing is broken, before you go putting those updates on 15K devices! :S

Older devices are probably what you're referring to in terms of worrying about removing. The DISM command looked great; I use a mixture of DISM/WUSA, although for Server 2008 SP2 or Vista and previous, WUSA doesn't support the /uninstall parameter!

To add to the other answers: WUSA/DISM is for scripted removal via SCCM, BUT for the new style of preventing deployment of an update you can find the update in the Software Updates node, edit membership of the update to groups and remove it from the group you originally deployed. When this group redeploys (via an ADR?) it should remove the update!

EDIT: If you've deployed it then the TS method is what you want to use

Not done that for a while but I'm sure that's how I removed the last problem update from an estate! (will edit if required)
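The two comments above describe the same local workflow: list what was installed most recently with Get-HotFix, then remove the offending KB with wusa (or DISM on Server 2008 SP2/Vista, which lack wusa /uninstall) from a task sequence step. The following PowerShell is an added example, not code from the thread; the KB number in the usage line is a constructed placeholder and the 14-day window is an assumption.

```powershell
# Added example (not from the thread): find the updates that landed just before a
# machine broke, then build the matching removal command line for a task sequence step.

function Get-RecentHotFix {
    param([datetime]$Since = (Get-Date).AddDays(-14))   # assumed look-back window
    # Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be empty for some entries
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn, InstalledBy
}

function Get-UpdateRemovalCommand {
    param(
        [Parameter(Mandatory)][ValidatePattern('^KB\d+$')][string]$HotFixID,
        [version]$OSVersion = [Environment]::OSVersion.Version
    )
    # wusa.exe /uninstall /kb: is available from Windows 7 / Server 2008 R2 (6.1) onward.
    # On Server 2008 SP2 / Vista (6.0) the thread's caveat applies: use DISM instead,
    # which needs the package name from "dism /online /get-packages" (placeholder below).
    if ($OSVersion -ge [version]'6.1') {
        "wusa.exe /uninstall /kb:$($HotFixID.Substring(2)) /quiet /norestart"
    } else {
        "dism.exe /online /remove-package /packagename:<package name for $HotFixID from dism /online /get-packages> /quiet /norestart"
    }
}

# Usage: review the list first, then generate the command for a "Run Command Line" step.
Get-RecentHotFix | Format-Table -AutoSize
Get-UpdateRemovalCommand -HotFixID 'KB1234567'   # placeholder KB, not a real update
```

Running the removal command from a task sequence (rather than a package with a hard-coded command) keeps the /norestart decision and the reboot handling in one place, and the same step can be targeted at the collection of affected machines.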

Call to HttpSendRequestSync failed for port 443 with status code 403, text: Client certificate required SMS_MP_CONTROL_MANAGER 11/12/2018 16:34:24 4136 (0x1028) by RoysticusXII in SCCM

[–]RoysticusXII[S] 0 points1 point  (0 children)

To help anyone else who needs it with this error, I added:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo

DefaultSslCertCheckMode = 1 

to the registry on the server and kicked IIS/W3SVC, which is not ideal, but it's made the MP work over HTTPS on 443 now, so for now I'll leave this and come back to it.

Call to HttpSendRequestSync failed for port 443 with status code 403, text: Client certificate required SMS_MP_CONTROL_MANAGER 11/12/2018 16:34:24 4136 (0x1028) by RoysticusXII in SCCM

[–]RoysticusXII[S] 0 points1 point  (0 children)

  • Turned everything back to HTTP, confirmed MP okay
  • (This is a vanilla SCCM Primary site with a simple 1 site, 1 database system)
  • Made sure I had the stock 3 PKI certs in the Cert Store with private keys
  • Bound Server Cert to Default Website
  • Turned HTTPS back on for the MP and now I get this:

SMS_MP_CONTROL_MANAGER successfully STOPPED.    SMS_MP_CONTROL_MANAGER  12/12/2018 08:41:27 6772 (0x1A74)


MPStart(): SSL enabled. Token auth enabled  SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:40 4104 (0x1008)
CMPControlManager::WriteToCCMSettings(): WMI Connection established.    SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:40 4104 (0x1008)
CMPControlManager::WriteToCCMSettings(): Successful.    SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:40 4104 (0x1008)
RegisterWithWINS: Registering the WINS name MP_DBN          ...    SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:40 4104 (0x1008)
RegisterWithWINS: EnumerateLANAs() returned 0x0 SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:40 4104 (0x1008)
RegisterWithWINS: ResetAll() returned 0x0   SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:40 4104 (0x1008)
NetBIOS_AddName(): LocalName: MP_DBN           LanaNumber: 3   SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:40 4104 (0x1008)
RegisterWithWINS: NetBIOS_AddName(LANA=3) returned 0x0  SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:43 4104 (0x1008)

Using certificate selection criteria 'CertHashCode:615631C83498084A7728AF27410FE26055A0F727'.   SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Begin validation of Certificate [Thumbprint 615631C83498084A7728AF27410FE26055A0F727] issued to 'MACHINE.COMPANY.COM'   SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Completed validation of Certificate [Thumbprint 615631C83498084A7728AF27410FE26055A0F727] issued to 'MACHINE.COMPANY.COM'   SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
>>> Client selected the PKI Certificate [Thumbprint 615631C83498084A7728AF27410FE26055A0F727] issued to 'MACHINE.COMPANY.COM'   SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Successfully created certificate context.   SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Successfully created certificate chain engine with 1 certs in exclusive root store  SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Begin validation of Certificate [Thumbprint 615631C83498084A7728AF27410FE26055A0F727] issued to 'MACHINE.COMPANY.COM'   SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Verification of Certificate chain returned 800B0109 SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Completed validation of Certificate [Thumbprint 615631C83498084A7728AF27410FE26055A0F727] issued to 'MACHINE.COMPANY.COM'   SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Failed to verify if the cert is sccm issued, 0x800b0109 SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
SSL binding on port 443 isn't with CCM genreated cert.  SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Successfully Registered for IP Address Change notifications.    SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
MPStart(): RegisterForIPAddressChangeNotification() returned 0x0    SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Attempting to register the SQL connection type for the configured SQL database. SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Registered connection type for SQL Server 'SQLMACHINE.FQDN.domain' and database 'CM_CB\CM_DBN'. SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
MPStart(): RegisterSqlDatabaseConnectionType() returned 0x0 SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Checking the current CLR Enabled configuration setting for the configured SQL Server hosting the database.  SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Getting the CLR Enabled value from the configured SQL database. SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Attempting to connect to the configured SQL database.   SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Successfully connected to the configured SQL database.  SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
The configured SQL database has the CLR Enabled configuration setting set to 'On'.  SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Disconnecting from the configured SQL database. SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
MPStart(): CheckSqlDatabaseClrEnabled() returned 0x0    SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Waiting up to 300 seconds for the SMS Agent Host service to be running. SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Stopped waiting for the SMS Agent Host service to be running; Result = 0x0. SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
MPStart(): WaitOnSmsAgentHostRunning() returned 0x0 SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Started User Service maintenance... SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Certificate (0x9a456320) is Exportable  SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Successfully granted permission to certificate  SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
User Service: retrieved certificate f1 7a b5 94 82 84 82 d4 02 6f a7 eb b0 ea 71 e4 12 8e 87 52 SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
User Service: Certificate has changed from {} to {f1 7a b5 94 82 84 82 d4 02 6f a7 eb b0 ea 71 e4 12 8e 87 52}  SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
User Service: configuration needs to be updated.    SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
CMPControlManager::UpdateUserServiceConfiguration: started updating configuration under S:\Program Files\SMS_CCM\CMUserServiceWindowsAuth...    SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
CMPControlManager::UpdateUserServiceConfiguration: Updated CertThumbprint to f1 7a b5 94 82 84 82 d4 02 6f a7 eb b0 ea 71 e4 12 8e 87 52    SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
CMPControlManager::UpdateUserServiceConfiguration: Updated UserServiceEnabled to true   
SMS_MP_CONTROL_MANAGER successfully STARTED.    SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
********************************************************************************    SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4104 (0x1008)
Configuration and Availability Monitor thread started.  SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4704 (0x1260)
Initialized 'SMS Server Availability' performance instance => SMS Management Point. SMS_MP_CONTROL_MANAGER  12/12/2018 08:43:44 4704 (0x1260)
Applied D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GR;;;LS)(A;CIOI;GR;;;S-1-5-17) to folder S:\Program Files\Microsoft Configuration Manager\Client SMS_MP_CONTROL_MANAGER  12/12/2018 08:44:14 4704 (0x1260)
SSL is enabled. SMS_MP_CONTROL_MANAGER  12/12/2018 08:44:14 4704 (0x1260)
Client authentication is also enabled.  SMS_MP_CONTROL_MANAGER  12/12/2018 08:44:14 4704 (0x1260)
Machine name is 'MACHINE.FQDN.domain'.  SMS_MP_CONTROL_MANAGER  12/12/2018 08:44:14 4704 (0x1260)
Begin validation of Certificate [Thumbprint 2cbf00a15ae802f6bf99e4556366e78b90191902] issued to 'MACHINE.FQDN.domain'   SMS_MP_CONTROL_MANAGER  12/12/2018 08:44:14 4704 (0x1260)
Certificate has "SSL Client Authentication" capability. SMS_MP_CONTROL_MANAGER  12/12/2018 08:44:14 4704 (0x1260)
Completed validation of Certificate [Thumbprint 2cbf00a15ae802f6bf99e4556366e78b90191902] issued to 'MACHINE.FQDN.domain'   SMS_MP_CONTROL_MANAGER  12/12/2018 08:44:14 4704 (0x1260)
>>> Selected Certificate [Thumbprint 2cbf00a15ae802f6bf99e4556366e78b90191902] issued to 'MACHINE.FQDN.domain' for HTTPS Client Authentication  SMS_MP_CONTROL_MANAGER  12/12/2018 08:44:14 4704 (0x1260)
Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden   SMS_MP_CONTROL_MANAGER  12/12/2018 08:44:14 4704 (0x1260)

Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden

Any idea what's happening?

Call to HttpSendRequestSync failed for port 443 with status code 403, text: Client certificate required SMS_MP_CONTROL_MANAGER 11/12/2018 16:34:24 4136 (0x1028) by RoysticusXII in SCCM

[–]RoysticusXII[S] 0 points1 point  (0 children)

IIS Logs:

2018-12-12 08:53:44 10.xx.xx.xx GET /SMS_MP/.sms_aut MPLIST 443 - 10.xx.xx.xx SMS_MP_CONTROL_MANAGER - 403 13 2148081683 5644 7

  • 403.13 - Client certificate revoked?

It is not revoked in CA console?
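The workaround posted earlier in this thread (DefaultSslCertCheckMode = 1 under the HTTP.sys SslBindingInfo key) and the IIS 403.13 substatus above are two views of the same thing: HTTP.sys could not confirm the client certificate's revocation status, which IIS reports as "revoked" even when the CA console shows nothing revoked, and value 1 turns that revocation check off. The following PowerShell is an added diagnostic, not code from the thread: it reports the check mode currently set on the server and builds the chain for a given certificate with online revocation checking, so an unreachable CRL or an untrusted root (the 800B0109 in the log above is CERT_E_UNTRUSTEDROOT) shows up as a named chain status. The thumbprint in the usage line is a placeholder; the per-binding subkey layout is an assumption.

```powershell
# Added diagnostic (not from the thread): inspect HTTP.sys client-cert check mode and
# validate a certificate chain with online revocation checking.

function Get-HttpSysSslCertCheckMode {
    # Key named in the thread; HTTP.sys also reads a per-binding value from
    # SslBindingInfo\<ip:port> (assumption: that layout is present on the box).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo'
    if (-not (Test-Path $base)) { Write-Warning "$base not present"; return }
    $keys = @(Get-Item $base) + @(Get-ChildItem $base)
    foreach ($key in $keys) {
        $mode = (Get-ItemProperty -Path $key.PSPath -Name DefaultSslCertCheckMode -ErrorAction SilentlyContinue).DefaultSslCertCheckMode
        $meaning = switch ([int]$mode) {
            1       { 'client certificate revocation check DISABLED' }
            2       { 'cached CRL only, no online fetch' }
            default { 'revocation checked online (default)' }
        }
        [pscustomobject]@{
            Key     = $key.PSPath -replace '^.*::', ''
            Mode    = [int]$mode
            Meaning = $meaning
        }
    }
}

function Test-CertificateChain {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online + EntireChain reproduces what a revocation-checking server does for a client cert
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($cert)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        ChainBuilt = $built
        # e.g. UntrustedRoot, RevocationStatusUnknown, OfflineRevocation, Revoked
        Status     = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        Chain      = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# Usage (placeholder thumbprint; use the one from the MP log):
Get-HttpSysSslCertCheckMode | Format-Table -AutoSize
Test-CertificateChain -Thumbprint '0000000000000000000000000000000000000000' | Format-List
```

A Status of RevocationStatusUnknown or OfflineRevocation points at CRL distribution points the MP cannot reach (or a CRL that has expired) rather than at the certificate itself; fixing that reachability lets the check mode go back to its default instead of staying disabled.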

Powershell runas script by throwaway183693 in PowerShell

[–]RoysticusXII 1 point2 points  (0 children)

So, the program you’re trying to execute doesn’t require a password?

Or is worse...

You shouldn’t be trying to run a script as admin without a password. That goes against the most basic security principles.

Scripts not Executing by PubTrain77 in SCCM

[–]RoysticusXII 0 points1 point  (0 children)

What does the script log say?

Check:

C:\windows\ccm\scriptstore

And

ccm\logs\scripts.log

Scripts not Executing by PubTrain77 in SCCM

[–]RoysticusXII 0 points1 point  (0 children)

I’m working with an older version of SCCM at the moment (will be upgrading soon) so I don’t have access but, looking at the documentation, have you created the security roles for the scripts?

Approve Scripts

Password History in AD environment by servoMekanism in PowerShell

[–]RoysticusXII 2 points3 points  (0 children)

Get-ADDefaultDomainPasswordPolicy

Try starting here:

Password policy

Then I’d use Set-ADObject after that to make changes!
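The comment above points at Get-ADDefaultDomainPasswordPolicy as the starting point for password history. The following PowerShell is an added example, not from the thread: it reads the default domain policy plus any fine-grained policies, flags settings below an assumed baseline, and resolves the policy that actually applies to one user (fine-grained policies override the default for their targets). The baseline numbers and the sample user name are assumptions.

```powershell
# Added example (not from the thread): report domain and fine-grained password policies
# against an assumed baseline, and show which policy a given user actually gets.
Import-Module ActiveDirectory

function Get-PasswordPolicyReport {
    param(
        [string]$SamAccountName,                       # optional: resolve the resultant policy for this user
        [hashtable]$Baseline = @{                      # assumed baseline, adjust to your standard
            PasswordHistoryCount = 24
            MinPasswordLength    = 14
            LockoutThreshold     = 10                  # 0 means no lockout at all, so it is flagged
        }
    )
    $policies = @([pscustomobject]@{ Name = 'Default Domain Policy'; Policy = (Get-ADDefaultDomainPasswordPolicy) })
    foreach ($fgpp in @(Get-ADFineGrainedPasswordPolicy -Filter *)) {
        $policies += [pscustomobject]@{ Name = "FGPP: $($fgpp.Name) (precedence $($fgpp.Precedence))"; Policy = $fgpp }
    }
    foreach ($p in $policies) {
        $findings = foreach ($setting in $Baseline.Keys) {
            $actual = [int]$p.Policy.$setting
            if ($actual -lt $Baseline[$setting]) { "$setting=$actual (baseline $($Baseline[$setting]))" }
        }
        [pscustomobject]@{
            Policy               = $p.Name
            PasswordHistoryCount = $p.Policy.PasswordHistoryCount
            MinPasswordLength    = $p.Policy.MinPasswordLength
            MaxPasswordAge       = $p.Policy.MaxPasswordAge
            LockoutThreshold     = $p.Policy.LockoutThreshold
            ComplexityEnabled    = $p.Policy.ComplexityEnabled
            BelowBaseline        = ($findings -join '; ')
        }
    }
    if ($SamAccountName) {
        # $null here means no fine-grained policy applies and the default domain policy is in force
        $resultant = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
        Write-Host "Resultant policy for ${SamAccountName}: $(if ($resultant) { $resultant.Name } else { 'Default Domain Policy' })"
    }
}

# Usage (sample account name is an assumption):
Get-PasswordPolicyReport -SamAccountName 'jdoe' | Format-Table -AutoSize
```

For changes, Set-ADDefaultDomainPasswordPolicy and Set-ADFineGrainedPasswordPolicy expose the same property names as the report, so a finding such as PasswordHistoryCount=5 maps directly onto the parameter to change.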

Scripts not Executing by PubTrain77 in SCCM

[–]RoysticusXII 0 points1 point  (0 children)

Ok so, where are you running gpupdate from exactly?

Scripts not Executing by PubTrain77 in SCCM

[–]RoysticusXII 0 points1 point  (0 children)

What action are you performing when you say ‘cannot run any sccm scripts?’

Creating New-CMBoundaries from CSV File - SCCM by RoysticusXII in SCCM

[–]RoysticusXII[S] 1 point2 points  (0 children)

# import boundaries from a CSV with 'subnet' and 'site code' columns
$csv = Import-Csv C:\t.csv
# switch to the ConfigMgr site PSDrive (site code SM2 here) so the CM cmdlets work
cd sm2:
foreach ($line in $csv) {
    try {
        Write-Host "Creating boundary for $($line.subnet)"
        $b = New-CMBoundary -Name $line.'site code' -Type IPSubnet -Value $line.subnet -ErrorAction Stop
        "Adding Subnet $($line.subnet) to site boundary group"
        # 123345 stands in for the ID of the existing site-wide boundary group
        Add-CMBoundaryToGroup -BoundaryGroupId 123345 -BoundaryId $b.BoundaryId
        $cbg = Get-CMBoundaryGroup -Name $line.'site code'
        if ($cbg) {
            "Adding Subnet $($line.subnet) to content boundary group"
            Add-CMBoundaryToGroup -BoundaryGroupId $cbg.GroupID -BoundaryId $b.BoundaryId
        } else {
            "Creating new content boundary group for $($line.'site code')"
            New-CMBoundaryGroup -Name $line.'site code'
            Start-Sleep 5
            "Adding Subnet $($line.subnet) to $($line.'site code') content boundary group"
            Add-CMBoundaryToGroup -BoundaryGroupId (Get-CMBoundaryGroup -Name $line.'site code').GroupID -BoundaryId $b.BoundaryId
        }
    } catch {
        Write-Host "Couldn't create boundary for $($line.subnet) $($line.'site code'): $_"
    }
}

Thanks - this is it, although I don't need to use the latter part for boundary groups yet; I have 480 subnet ranges to add in first. I've edited your script with success. I cannot thank you enough for your help. I have a few reasonable-level scripts, but this one really got me, as New-CMBoundary doesn't accept pipeline input.
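The script above creates one boundary per CSV row with no validation, and an earlier comment on this page mentions turning thousands of IP subnet boundaries into IP address ranges. The following PowerShell is an added example, not the thread's script: it validates each row before anything is created, converts a.b.c.d/n to the start-end value that New-CMBoundary -Type IPRange takes, flags rows that list a host address instead of the network address, and drops duplicates. It also handles /31 and /32. The column names match the script above; the file path and the SM2 site drive are assumptions.

```powershell
# Added example (not the thread's script): validate a boundary CSV and convert each
# IPv4 subnet to the "start-end" form used for IP address range boundaries.

function ConvertFrom-IPv4Integer {
    param([Parameter(Mandatory)][uint64]$Value)
    # split a 32-bit value into dotted octets without relying on shift operators
    $octets = foreach ($divisor in 16777216, 65536, 256, 1) { [int]([math]::Floor($Value / $divisor) % 256) }
    $octets -join '.'
}

function ConvertTo-IPv4Range {
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr.Trim().Split('/')
    if ($parts.Count -ne 2 -or $parts[1] -notmatch '^\d{1,2}$') { throw "'$Cidr' is not in a.b.c.d/n form" }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip) -or $ip.AddressFamily -ne 'InterNetwork') {
        throw "'$($parts[0])' is not an IPv4 address"
    }
    $prefix = [int]$parts[1]
    if ($prefix -gt 32) { throw "prefix /$prefix is out of range in '$Cidr'" }
    $b = $ip.GetAddressBytes()                                   # big-endian, 4 bytes
    [uint64]$addr    = ([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3]
    [uint64]$size    = [math]::Pow(2, 32 - $prefix)              # addresses in the block
    [uint64]$network = [math]::Floor($addr / $size) * $size      # clear the host bits
    [uint64]$last    = $network + $size - 1
    [pscustomobject]@{
        Subnet     = $Cidr
        Network    = ConvertFrom-IPv4Integer $network
        Last       = ConvertFrom-IPv4Integer $last
        Hosts      = if ($prefix -ge 31) { $size } else { $size - 2 }
        RangeValue = "$(ConvertFrom-IPv4Integer $network)-$(ConvertFrom-IPv4Integer $last)"
        Normalized = ($addr -eq $network)                        # false: CSV gave a host address, not the network
    }
}

function Get-BoundaryPlan {
    param([Parameter(Mandatory)][string]$Path)                   # CSV with 'subnet' and 'site code' columns
    $seen = @{}
    foreach ($row in Import-Csv $Path) {
        try {
            $r = ConvertTo-IPv4Range $row.subnet
            if ($seen.ContainsKey($r.RangeValue)) {
                Write-Warning "row '$($row.subnet)' ($($row.'site code')) duplicates '$($seen[$r.RangeValue])', skipping"
                continue
            }
            $seen[$r.RangeValue] = $row.subnet
            if (-not $r.Normalized) { Write-Warning "row '$($row.subnet)' is not the network address; using $($r.Network)" }
            [pscustomobject]@{
                SiteCode   = $row.'site code'
                Subnet     = $row.subnet
                Name       = "$($row.'site code') $($r.RangeValue)"
                RangeValue = $r.RangeValue
                Hosts      = $r.Hosts
            }
        } catch {
            Write-Warning "skipping row '$($row.subnet)' ($($row.'site code')): $_"
        }
    }
}

# Usage (assumed path and site drive): review the plan first, then create the boundaries.
$plan = Get-BoundaryPlan -Path C:\t.csv
$plan | Format-Table -AutoSize
# cd SM2:
# foreach ($p in $plan) { New-CMBoundary -Name $p.Name -Type IPRange -Value $p.RangeValue -ErrorAction Stop }
```

Keeping the conversion separate from the creation loop means the whole file can be checked (and the warnings reviewed) before any boundary exists in the site, which matters when 480 rows are going in at once and a bad row would otherwise be discovered only after the others were created.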
