Client assignment failed from http to pki with error code failed to verify message could not retrieve certificate from MPCERT

Starting in version Microsoft Endpoint Configuration Manager current branch 1910, we can use the optional feature called BitLocker management to manage BitLocker Drive Encryption (BDE) for on-premises Windows clients. It provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker Administration and Monitoring (MBAM).

Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.

Prerequisites to plan BitLocker management:

· In version 1910, to create a BitLocker management policy, you need the Full Administrator role in Configuration Manager.

· To integrate the BitLocker recovery service in Configuration Manager requires an HTTPS-enabled management point. On the properties of the management point, the Client connections setting must be HTTPS.

Since my SCCM Lab is running on the HTTP environment, it doesn't support for BitLocker management hence i decided to convert my lab from HTTP to https (PKI).

There are many guides out there on how to convert HTTP SCCM infra to https (PKI).

It involves the creation of few certificates which include IIS, DP and client certificate.

I have created the required certificates for SCCM and imported into the certificate store on the SCCM server then make the changes to site properties for PKI and change the site system roles like MP, DP and SUP with https.

After making changes to the site hierarchy and site system roles, MP, DP and SUP roles will be reinstalled. This can be monitored from the respective components setup log (mpsetup.log,sitecomp.log etc)

I have validated the site components and site hierarchy is running fine.

Now its time to move clients from HTTP to https (PKI).

I have picked one client that was running on the self-signed certificate and now has got a client authentication certificate through GPO as part of our cert enrollment process.

When I log in to the client that was working fine on HTTP (self-signed), it keeps failing with the below error message (locationservices.log).

image

CCMVerifyMsgSignature failed.

Failed to verify received message 0x80090006

Failed to verify message. Could not retrieve certificate from MPCERT.

MPCERT requests are throttled for 00:05:00

Failed to send management point list Location Request Message to SG-CM001.azure.eskonr.com

The log says, could not retrieve the certificate from the MPCERT—>Based on this, I looked at the MP logs to verify if the MP is functioning correctly or not, then looked at site monitoring if there are any alerts for site components.

I could not find anything wrong with the site and everything seems to be normal and functional.

I thought may be restarting the SMS agent service on the client could help but that doesn't make any difference and It failed with the same error message again.

I have uninstalled the client and installed again with the following syntax

CCMSetup.exe /MP:sg-cm001.azure.eskonr.com /USEPKICERT /NOCRLCHECK /FORCEINSTALL SMSSITECODE=PS1 CCMHTTPSPORT=443 RESETKEYINFORMATION=TRUE

Client installation succeeded, however, the registration with MP/site (ClientIDManagerStartup.log) and locationservices.log repeat with the same errors as above.

Solution:

I was going through the console and looked at active directory forests node and saw that, publishing status showing failed

image

Publishing of site information in Active Directory Domain Services is logged into hman.log on your site server.

image

As you can see the log, site Could not connect to the RootDSE container in Active Directory. HRESULT=0x8007052E using the account that was configured.

image

The error code 0x8007052E translates to ‘the user name or password incorrect.’

The following is the place to configure the active directory forest account.

image

I realized that, there was change in the password for that account earlier (before the https changes to the site) hence the site publishing failed.

Why is this changing the password of the account that was configured to publish the site info into AD domain services causing all this problems?

Long story short, If you look into the DNS server for the service location records, you can see that, site still using port 80 where as the actual configuration, it uses port 443.

image

Go to back to the site and re-enter the correct password of the account and monitor the log (hman.log) to see if the site info is published or not.

image

Site information is now published to AD domain services and port number also updated correctly to 443 in the DNS for service location records.

image

Now go back to the client , run machine policy cycle and monitor the logs locationservices.log and ClientIDManagerStartup.log

You will see things get progress and the client register with MP successfully.

image

You now see the client is now using PKI cert.

I can now start testing the BitLocker management with current branch 1910.

Changing the password of an account has caused all the damage today.

Leave a Reply