IT Consultant Everyday Notes

Just some problems/solutions storage

Monthly Archives: April 2020

SCCM: Edge Chromium installation failed with 1(1x)

With SCCM (MEMCM) 1910 we can create an Edge deployment directly from the SCCM console, the same way as for Office 365 (the older .MSI deployment still works too).

Sounds like a nice idea. I created a deployment (here is a nice outline: https://stevenbart.com/en/2020/01/09/deployer-microsoft-edge-chromium-au-travers-de-configuration-manager/) and a new Application named “Edge Deployment” appeared under the Applications node in SCCM.

I refreshed the machine policy on a client and manually started the “Edge Deployment” installation from Software Center. It failed miserably.

After digging through the fresh logs I found the following in AppEnforce.log:

Unmatched exit code (1) is considered an execution failure

Long story short: Microsoft uses a PowerShell script to run the .msi installation. Even though the script is signed, the default PowerShell execution policy on Windows clients (Restricted) does not run script files at all, signed or not. So you need either to relax the machine policy to at least “RemoteSigned” (locally staged content runs, scripts marked as downloaded from the Internet must be signed), or to add an -ExecutionPolicy Bypass clause to the installation command in your deployment type(s). The Bypass flag only affects that one powershell.exe process, so it leaves the machine-wide policy untouched; keep in mind that the execution policy is a safety feature against accidental script execution, not a security boundary, so neither option is a real hardening decision. The deployment type command looks like this:

[image: deployment type installation command with -ExecutionPolicy Bypass added]

After that, update the machine policy on your test client and start the installation again. At least that fixed the issue for me.
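The following PowerShell is an added example (not from the original post and not part of the SCCM-generated Edge deployment). Run on the client, it shows which execution-policy scope is actually in effect, whether the installer script really carries a valid Authenticode signature and whether it is marked as downloaded from the Internet (the two things RemoteSigned cares about), and then the two fixes described above. The script path is an assumption; substitute the installer script from your deployment content.

```powershell
# Added example: diagnose why a signed install script is blocked and show the two fixes.
$scriptPath = 'C:\Temp\EdgeContent\Install-Edge.ps1'   # assumption: path to the signed installer script

# Every scope, top to bottom; the effective policy is the first one that is not Undefined.
# A GPO (MachinePolicy/UserPolicy) wins over anything set with Set-ExecutionPolicy.
Get-ExecutionPolicy -List | Format-Table -AutoSize
'Effective policy: ' + (Get-ExecutionPolicy)

function Test-ScriptAllowed {
    # Returns $true when a script file would run under $Policy. Restricted blocks every
    # script, RemoteSigned only demands a signature for content marked as Internet-sourced,
    # AllSigned demands a valid signature from a trusted publisher for everything.
    param(
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)][string]$SignatureStatus,   # value of Get-AuthenticodeSignature .Status
        [bool]$MarkedFromInternet
    )
    switch ($Policy) {
        'Restricted'   { $false }
        'AllSigned'    { $SignatureStatus -eq 'Valid' }
        'RemoteSigned' { (-not $MarkedFromInternet) -or ($SignatureStatus -eq 'Valid') }
        'Unrestricted' { $true }
        'Bypass'       { $true }
        default        { $false }   # Undefined at every scope behaves like Restricted on clients
    }
}

if (Test-Path $scriptPath) {
    $sig = Get-AuthenticodeSignature -FilePath $scriptPath
    # The Zone.Identifier alternate data stream is the "downloaded from the Internet" mark.
    $zone = Get-Item -Path $scriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    '{0}: signature {1}, signer {2}, Internet mark {3}' -f (Split-Path $scriptPath -Leaf),
        $sig.Status, $sig.SignerCertificate.Subject, [bool]$zone

    foreach ($policy in 'Restricted', 'RemoteSigned', 'Bypass') {
        '{0,-13} would run it: {1}' -f $policy,
            (Test-ScriptAllowed -Policy $policy -SignatureStatus $sig.Status -MarkedFromInternet ([bool]$zone))
    }
}

# Fix 1 (per deployment type): the flag is per process and does not change the machine policy.
# Keep whatever parameters the generated deployment type already passes after -File.
$installCmd = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File "Install-Edge.ps1"'
'Deployment type command: ' + $installCmd

# Fix 2 (machine-wide): prefer the GPO "Turn on Script Execution" set to
# "Allow local scripts and remote signed scripts"; the cmdlet equivalent for the
# LocalMachine scope is below (needs an elevated prompt, and is overridden by GPO).
# Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy RemoteSigned -Force
```

Whichever fix you pick, the signature check in the output is worth keeping: if the script ever shows up as NotSigned or HashMismatch, the problem is no longer the execution policy but the content itself.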

SCCM: MP is not reachable via CMG (PKI scenario)

One of my customers asked me to help with a CMG deployment. The idea is to get Internet-based machines managed and patched.

They do not have a Hybrid Azure AD joined environment yet, so I need to use good old PKI.

I decided to build it in my lab first. To make it even more interesting, my CA runs on my pfSense router, and the certificates it issues carry no CRL distribution point.

I issued the required certificates for my SCCM server, the CMG and the clients, and flipped my primary site to PKI. In all the certificate settings I checked the “No CRL verification” box (since I do not have a CRL).

Internally everything worked fine, but when I moved a client to the “Internet” subnet I found it could connect only for a short time. After that the connection to the MP via the CMG was lost, the client went grey and I saw:

[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=CMGConnector_Clientcertificaterequired

in LocationServices.log on the client.

It turned out to be a known issue (KB4503442), or rather by-design behaviour for the scenario where Azure AD tokens are not in use: the MP requires a client certificate, so the CMG connection point needs a client authentication certificate of its own to talk to it.

So I issued a client authentication certificate with the FQDN of my MP as the Subject Name and in the SAN, installed it for the CMG connection point, and restarted the connector (SMS_CLOUD_PROXYCONNECTOR) on my SCCM server.

Still no go.

I checked SMS_Cloud_ProxyConnector.log and found:

Chain build failed cert: 77…………………………………………1

Chain 0 status: RevocationStatusUnknown

So even though I had unchecked the revocation-list check in the CMG properties, the connector still runs a revocation check when it selects its client certificate; without a reachable CRL the chain ends in RevocationStatusUnknown and the certificate is rejected. The troubleshooting guide (https://support.microsoft.com/en-ae/help/4520150/troubleshooting-co-management-bootstrap-with-modern-provisioning) says the best way is to publish the CRL properly (sure, I know that) and does not say how to disable the check.

But if we look in the registry under HKLM\SOFTWARE\Microsoft\SMS\SMS_CLOUD_PROXYCONNECTOR we find a value ClientCertSelectionNoCRLCheck, set to 0 by default.

I switched it to 1 and restarted the connector.

After that the Internet client successfully connected to the MP. Keep in mind what the switch does: the connector will now select and present its client certificate without ever learning whether it has been revoked.
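As an added example (not from the original post, and not Microsoft's tooling), the following PowerShell, run on the server hosting the CMG connection point, reproduces the chain build the connector performs when it selects its client certificate, so you can confirm that RevocationStatusUnknown (and a missing CRL distribution point) is really the cause before touching the registry, and then applies the lab-only workaround. $MpFqdn, the certificate store location and the REG_DWORD type of the value are assumptions.

```powershell
# Added example: reproduce the connector's chain build, then apply the lab workaround.
$MpFqdn = 'mp01.lab.example'   # assumption: FQDN of your management point (cert Subject/SAN)

# The client-auth certificate carrying the MP name, from the machine store of the
# server that runs the CMG connection point (assumption: Cert:\LocalMachine\My).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.Subject -like "CN=$MpFqdn*" -or $_.DnsNameList.Unicode -contains $MpFqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No client certificate for $MpFqdn in Cert:\LocalMachine\My" }
'Using certificate {0} (thumbprint {1})' -f $cert.Subject, $cert.Thumbprint

# Without a CRL Distribution Point (OID 2.5.29.31) an online revocation check can only
# end in RevocationStatusUnknown, which is exactly what the connector logged.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { 'CDP: ' + $cdp.Format($false) } else { 'No CRL Distribution Point in the certificate' }

function Test-ClientCertChain {
    # Builds the chain for $Certificate with the given revocation mode and reports the
    # chain status flags, the same information the connector writes as "Chain 0 status".
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online'
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    # Require the Client Authentication EKU, as a client-certificate selection would.
    [void]$chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'))
    $built = $chain.Build($Certificate)
    [pscustomobject]@{
        RevocationMode = $RevocationMode
        ChainBuilt     = $built
        Status         = if ($chain.ChainStatus) { ($chain.ChainStatus.Status | Sort-Object -Unique) -join ', ' }
                         else { 'NoError' }
    }
}

# Connector default (check on): expect ChainBuilt=False, Status=RevocationStatusUnknown.
# Check off: the chain builds, which is what ClientCertSelectionNoCRLCheck=1 buys you.
Test-ClientCertChain -Certificate $cert -RevocationMode Online
Test-ClientCertChain -Certificate $cert -RevocationMode NoCheck

# Lab-only workaround from the post. The connector will now pick this certificate without
# ever learning whether it was revoked, so do not carry the setting into production.
$regPath = 'HKLM:\SOFTWARE\Microsoft\SMS\SMS_CLOUD_PROXYCONNECTOR'
'Current value: ' + (Get-ItemProperty -Path $regPath -Name ClientCertSelectionNoCRLCheck).ClientCertSelectionNoCRLCheck
Set-ItemProperty -Path $regPath -Name ClientCertSelectionNoCRLCheck -Value 1 -Type DWord   # assumption: REG_DWORD

# The connector is a thread of SMS_EXECUTIVE: restart the SMS_CLOUD_PROXYCONNECTOR component from
# Configuration Manager Service Manager, or (heavier, restarts every site component) run:
# Restart-Service -Name SMS_EXECUTIVE
# Then follow SMS_Cloud_ProxyConnector.log for the next "Chain build" entry.
```

If the Online run already shows the chain building cleanly, the connector's failure is not the CRL and flipping the registry value will not help; look at the certificate's EKU and at whether the MP name really is in the Subject or SAN instead.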

Note: I completely agree with the vendor: the proper approach is to have your PKI configured correctly with the CRL published and publicly reachable; but in my case it is a lab, so the workaround is acceptable.