SCCM I AM


Introduction to Microsoft SCCM 2012

SCCM (System Center Configuration Manager) is Microsoft's software product for managing endpoints (desktops, laptops, tablets, mobile phones, etc.) and is widely used by companies from mid-size to large enterprises.

Introduction to Microsoft Intune

Intune is Microsoft's MDM (Mobile Device Management) product and is part of EMS (Enterprise Mobility Suite). Intune can be used standalone or integrated with SCCM to manage mobile devices.

Introduction to Windows Powershell

Windows PowerShell is Microsoft's scripting environment that comes with the Microsoft operating system. It is a widely used scripting language for many kinds of automation on machines running Windows.

Introduction to Microsoft SQL Server

SQL Server is Microsoft's database product and is widely used as a database server on Windows servers. An SCCM specialist must know SQL Server, from querying the database to administration.

Introduction to Windows 10

Windows 10 is Microsoft's latest client operating system and is more advanced than previous versions such as 8.1, 8 and 7. Microsoft introduced lots of features in Windows 10.

Sunday, February 15, 2015

Document Signing Certificate in SCCM PKI Infrastructure

In SCCM 2007/2012 native mode (which uses a PKI infrastructure), the Document Signing Certificate plays a major role and is a required certificate.

The site server signing certificate signs the policies that clients download from their management point so that clients know the policies originate from their assigned site. This certificate is not required on secondary site servers. Clients must have a copy of this certificate before they can accept policies signed with it.

Screenshot of Document Signing Certificate(highlighted) at Server Side:




Screenshot of Document Signing Certificate configuration at Server side:
Screenshot of Document Signing Certificate public key (highlighted) at client side:
The public key of the Document Signing Certificate is stored in the client's registry, at HKLM\SOFTWARE\MICROSOFT\CCM\SECURITY



We can deploy the Document Signing Certificate to clients in three different ways:

1) Automatically from Active Directory
2) Manually during client installation
3) From the management point

If there is a problem in the configuration or deployment of the Document Signing Certificate, you may get the error below on the server side. Check the SMS_POLICY_PROVIDER component, which reports that it has failed to sign policy because of a problem with the Document Signing Certificate.


On the client side, you may see the error lines below in 'LocationService.log' (%windir%\system32\ccm\logs):

'Rejected the new site signing certificate'
'Failed to update Site Signing Certificate over AD with error 0x800b0109'
'Failed to update signing certificate over http with error code 0x800b0109'

If you see issues like those above, check the Document Signing Certificate on the server side and make sure that the client gets a copy of the certificate, either from AD (the client's first try) or from the management point (second try). Until you rectify the issue, you can't see all the required tabs in the SCCM client applet in Control Panel on the client computer.

If everything is OK, you can see the message below on the server side, and all tabs appear on the client side.



For details of Document Signing Certificate configuration and deployment, please refer to the TechNet articles below on the Microsoft site.

For SCCM 2007 PKI infra in Windows Server 2008 : https://technet.microsoft.com/en-in/library/cc872789.aspx
For SCCM 2012 PKI infra in Windows Server 2008/2012: https://technet.microsoft.com/en-us/library/gg682023.aspx

Note: All the screenshots above were taken from a lab setup created at my home.

Saturday, February 7, 2015

Sending with winhttp failed; 80072ee7

I came across the error message below during an SCCM 2007 R3 client push from the server. When I checked the CCMSETUP.log file, I found this error message:

"Sending with winhttp failed; 80072ee7"

I converted the hexadecimal error code 80072ee7 into decimal and found that the decimal error code is 12007 (if you look closely at the error lines shown in the picture above, you can see 'Error at WinHttp SendRequest: 12007'), which is "ERROR_INTERNET_NAME_NOT_RESOLVED".

ERROR_INTERNET_NAME_NOT_RESOLVED means there is a problem with DNS name resolution.

I checked the IP address settings on my client. BOOM !!! I found it... Due to a DNS misconfiguration, the primary DNS server address was 127.0.0.1. I changed the primary DNS server address to the actual one. After that change, the client started downloading the client package from the server and the installation completed successfully.
That's it!
Suggestion: You may find different answers for this error. Don't just apply anything. Try to decode the error and analyse the issue properly so that you can apply the correct setting to solve the issue.

The SMS State System message file processing processed one or more files that contained errors or invalid data

You may encounter the error message below in SCCM 2007.

Error: "The SMS State System message file processing processed one or more files that contained errors or invalid data.." in SMS_STATE_SYSTEM

Reason: This means the client computer's key is not present in the server database. The client record may have aged out or been deleted manually. Since there is no valid key in the database, the server does not accept the client's data.

Solution: i) Generate a new GUID for the client, or ii) reinstall the client

Wednesday, February 4, 2015

Unable to connect to WMI on remote machine..error = 0x800706ba

Sometimes you may find the error message below in the CCM.log file (on the SCCM server side) during a client push initiated from the server (automatically or manually by an admin):

Error: Unable to connect to WMI on remote machine "MachineName", error = 0x800706ba



Reason: Let's decipher the meaning behind this error. If I convert the error code 0x800706ba to decimal, I get 1722. If I go deeper by checking "net helpmsg 1722", I get the following response: "THE RPC SERVER IS UNAVAILABLE".
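The hex-to-decimal conversions done by hand in these posts (80072ee7 to 12007, 0x800706ba to 1722) are the same operation: splitting an HRESULT into its facility and code. The PowerShell below is an added example, not part of the original posts; ConvertFrom-HResult is a hypothetical helper name and the sample lines are constructed from the error text quoted on this page.

```powershell
# Constructed sample lines, built from the error text quoted in these posts.
$sampleLines = @(
    'Failed to update signing certificate over http with error code 0x800b0109',
    'Sending with winhttp failed; 80072ee7',
    'Unable to connect to WMI on remote machine "MachineName", error = 0x800706ba'
)

# Facility values from winerror.h; only the two that occur in the samples.
$facilityNames = @{ 7 = 'FACILITY_WIN32'; 11 = 'FACILITY_CERT' }

function ConvertFrom-HResult {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Hex)

    # Base-16 ToInt32 returns the two's-complement value, so failures are negative.
    $hr       = [Convert]::ToInt32(($Hex -replace '^0x', ''), 16)
    $facility = ($hr -shr 16) -band 0x7FF    # bits 16-26
    $code     = $hr -band 0xFFFF             # bits 0-15

    # For FACILITY_WIN32 the low word is a plain Win32 error (the number
    # "net helpmsg" takes); for other facilities the whole HRESULT is the
    # identifier, e.g. 0x800b0109 is CERT_E_UNTRUSTEDROOT in winerror.h.
    $lookup = if ($facility -eq 7) { $code } else { $hr }

    [pscustomobject]@{
        HResult  = '0x{0:X8}' -f $hr
        Failure  = $hr -lt 0                 # severity bit set
        Facility = if ($facilityNames.ContainsKey($facility)) { $facilityNames[$facility] } else { $facility }
        Code     = $code
        # Text comes from the local message table; codes it does not
        # know come back as "Unknown error".
        Message  = (New-Object System.ComponentModel.Win32Exception $lookup).Message
    }
}

# Eight hex digits starting with 8, with or without the 0x prefix.
# This can also match a GUID fragment, so review the hits.
$pattern = '\b(?:0x)?8[0-9a-fA-F]{7}\b'
foreach ($line in $sampleLines) {
    foreach ($m in [regex]::Matches($line, $pattern)) {
        ConvertFrom-HResult -Hex $m.Value
    }
}
```

To decode a real client log, replace $sampleLines with the output of Get-Content on the log file, for example LocationService.log under %windir%\system32\ccm\logs.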

Solution(s):

1. Try to access the ADMIN$ share of the target system using the same account that is used for client push from the server side. If that works, go to the next step; otherwise check whether the client push account has local admin access on the target system.

2. Check DNS name resolution. First ping the target computer. If you get a reply with an IP address, then type "Ping -a <IP Address of target computer>". If it resolves to the name you expected, move to the next step; otherwise check DNS access.

3. Now check the Windows OS firewall settings. If you find the firewall is turned on, please turn it off from Control Panel.