Microsoft Purview: Endpoint DLP Part 1
Meet Frank P. He is a project manager in the development department of a medium-sized automotive company.
Sailor,
this is part 5 of my series about Windows 10 provisioning packages:
Ahoy Pirate!
Recently I had an issue where every client went from active to inactive.
In Site Status, SMS_MP_CONTROL_MANAGER reported the management point as “critical” with two significant errors:
“MP could not write out CCM setting to WMI.
Possible cause: MP didn’t get installed properly.
Solution: Ensure MP setup succeeded; if not, reinstall MP”
and
“SMS Executive detected that this component stopped unexpectedly.
Possible cause: The component is experiencing a severe problem that caused it to stop unexpectedly.
Solution: Refer to your ConfigMgr Documentation or the Microsoft Knowledge Base for further troubleshooting information.”
The next step for me was to look into mpcontrol.log, where I found these errors:
“CMPControlManager::WriteToCCMSettings(): pWmi->GetObject() failed – 0x80041002”
“MPStart(): WriteToCCMSettings() failed – 0x80041002”
“SMS_MP_CONTROL_MANAGER failed to start with 0x80041002”
“CMPControlManager::ReadConfigurationSettings(): m_pWmi->GetObject() failed – 0x80041010”
To me it looked like a WMI issue. So the first thing I tried was connecting to a client with the Windows Management Instrumentation Tester (wbemtest), and that worked. Next I tried a clean client installation using the “Uninstall existing Configuration Manager client before the client is installed” option. The client installation aborted almost instantly with the following messages:
“GetDPLocations failed with error 0x8000ffff”
“Failed to get DP locations as the expected version from MP ‘[SERVERNAME]’. Error 0x8000ffff”
So I tried to find out whether the client is able to connect to the management point at all. For this you can use a web browser and enter the following address:
HTTP://[Hostname or FQDN]/SMS_MP/.SMS_AUT?MPCERT
Instead of the expected certificate response, I got an Internal Server Error.
So everything pointed to a faulty or misconfigured management point, and I decided to reinstall that role. I opened Administration\Overview\Site Configuration\Servers and Site System Roles, selected the affected management point and clicked Remove Role. In MPSetup.log you can follow the uninstallation.
After a while I reinstalled the management point.
The management point was reachable again via Internet Explorer, and my client reported Client Activity as Active. Problem solved!
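For anyone who wants to script the two checks from this post (the MPCERT request and the WMI side on the management point) instead of clicking through a browser, here is an added example of mine; it is not code from the original post. The function name Test-CMManagementPoint and the $MPHost parameter are my own, and the assumption that the MP keeps its CCM settings under the local root\ccm namespace is mine as well.

```powershell
# Added example: probe a ConfigMgr management point the way the post did by hand.
# Run it from a client to test reachability, or on the MP itself to include the
# local WMI namespace check. Function/parameter names are assumptions.
function Test-CMManagementPoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$MPHost,   # hostname or FQDN of the management point
        [switch]$UseHttps                        # set when the MP only accepts HTTPS
    )

    $scheme = if ($UseHttps) { 'https' } else { 'http' }
    # The MPCERT request from the post: a healthy MP answers 200 with certificate data.
    $url = "$scheme://$MPHost/SMS_MP/.SMS_AUT?MPCERT"

    $httpStatus = $null
    $httpError  = $null
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        $httpStatus = [int]$resp.StatusCode
    } catch {
        # A 500 "Internal Server Error" here is exactly the symptom described above.
        if ($_.Exception.Response) { $httpStatus = [int]$_.Exception.Response.StatusCode }
        $httpError = $_.Exception.Message
    }

    # WMI side (only meaningful when run on the MP itself): mpcontrol.log complained that
    # the MP could not write CCM settings to WMI (0x80041002 = WBEM_E_NOT_FOUND,
    # 0x80041010 = WBEM_E_INVALID_CLASS, values from wbemcli.h). Assumption: those
    # settings live under root\ccm, so check that the namespace is present locally.
    $ccmNamespace = $null
    try {
        $ccmNamespace = Get-CimInstance -Namespace 'root' -ClassName '__NAMESPACE' -ErrorAction Stop |
            Where-Object { $_.Name -eq 'ccm' }
    } catch {
        $ccmNamespace = $null
    }

    [pscustomobject]@{
        Url                 = $url
        HttpStatus          = $httpStatus
        HttpOk              = ($httpStatus -eq 200)
        HttpError           = $httpError
        CcmNamespacePresent = [bool]$ccmNamespace
        Healthy             = ($httpStatus -eq 200 -and [bool]$ccmNamespace)
    }
}

# Usage (replace with your own MP name):
# Test-CMManagementPoint -MPHost 'mp01.contoso.local'
```

A result with HttpOk false and a 500 status reproduces what I saw in the browser; CcmNamespacePresent false on the MP itself points to the WMI side being broken, which is what the mpcontrol.log entries above suggest. Both together were my cue to remove and reinstall the role.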
Good luck
*Captain
Sailors,
I’ve set up a new SCOM environment at a customer’s site. Once the installation and the base configuration were finished, I let the server run and collect alerts for several days. On the next workshop day we had a lot of warnings like these, and the customer asked me why:
I have to admit, I was a little confused in the beginning too, because I always try to configure my environments the least-privilege way. But then I realised that the customer’s admin had started to configure Run As Accounts his own way, and it became clearer…
If you create a Run As Account of type “Windows” and set the distribution of this account to “less secure”, the account gets distributed to every system, and SCOM tries to authenticate with every “less secure” Run As Account on every system.
You shouldn’t use “less secure” distribution at all. Use “more secure” distribution and specify exactly the servers to which the account should be provided.
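To find the accounts the customer’s admin had set to “less secure” and to switch them to “more secure” with an explicit server list, here is an added example of mine using the OperationsManager PowerShell module; it is not code from the original post. The cmdlets Get-SCOMRunAsAccount, Get-SCOMRunAsDistribution, Set-SCOMRunAsDistribution and Get-SCOMAgent are the module’s own; the property names Security and SecureDistribution on the distribution object and the -MoreSecure / -SecureDistribution parameters are as I recall them from the module documentation and should be checked against Get-Help on your version. The two function names are my own.

```powershell
# Added example: audit and fix Run As Account distribution in SCOM.
# Run on a management server with the OperationsManager module available.
Import-Module OperationsManager

function Get-LessSecureRunAsAccount {
    # Lists every Run As Account whose distribution is "Less secure", i.e. whose
    # credentials SCOM will hand to every agent and use against every system.
    Get-SCOMRunAsAccount | ForEach-Object {
        $dist = Get-SCOMRunAsDistribution -RunAsAccount $_
        if ($dist.Security -eq 'LessSecure') {          # property name: assumption
            [pscustomobject]@{
                Name        = $_.Name
                AccountType = $_.AccountType
                Security    = $dist.Security
            }
        }
    }
}

function Set-RunAsAccountMoreSecure {
    # Switches one account to "More secure" and restricts distribution to the
    # named agents only; nothing else will ever receive the credential.
    param(
        [Parameter(Mandatory)][string]$AccountName,    # name as shown in the console
        [Parameter(Mandatory)][string[]]$AgentFqdn     # agents that really need it
    )
    $account = Get-SCOMRunAsAccount -Name $AccountName
    if (-not $account) { throw "Run As Account '$AccountName' not found." }

    $agents = foreach ($fqdn in $AgentFqdn) {
        $a = Get-SCOMAgent -DNSHostName $fqdn
        if (-not $a) { throw "Agent '$fqdn' not found." }
        $a
    }

    # Parameter names -MoreSecure / -SecureDistribution: assumption, verify with Get-Help.
    Set-SCOMRunAsDistribution -RunAsAccount $account -MoreSecure -SecureDistribution $agents
    Get-SCOMRunAsDistribution -RunAsAccount $account    # return the new state for review
}

# Usage (names are placeholders):
# Get-LessSecureRunAsAccount | Format-Table
# Set-RunAsAccountMoreSecure -AccountName 'SQL Monitoring' -AgentFqdn 'sql01.contoso.local','sql02.contoso.local'
```

Running the audit first gives you the list the customer should have asked about before the warnings showed up; every account on it is one whose password SCOM is offering to servers that never needed it.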
Aaaaaaaaarrrrr
*Captain
Ahoy Sailor,
a few weeks ago I had a case at a customer’s site where the following events showed up in the ConfigMgr Site Status.
Configuration Manager cannot create the object “cn=SMS-MP-[SiteCode]-[FQDN]” in Active Directory ([DOMAIN]).
Possible cause: The site server’s machine account may not have full control rights for the “System Management” container in Active Directory
Solution: Give the site server’s machine account full control rights to the “System Management” container, and all child objects in Active Directory.
Possible cause: Another Active Directory object named “cn=SMS-MP-[SiteCode]-[FQDN]” already exists somewhere outside of the “System Management” container
Solution: Locate the other object with the same name, and delete the object from its current location. Then allow the site to create a new object.
Possible cause: The Active Directory schema has not been extended with the correct ConfigMgr Active Directory classes and attributes.
Solution: Turn off Active Directory publishing for each site in the forest, until the schema can be extended. The schema can be extended with the tool “extadsch.exe” from the installation media.
Configuration Manager cannot create the object “SMS-Site-[SiteCode]” in Active Directory ([Domain]).
Possible cause: The site server’s machine account may not have full control rights for the “System Management” container in Active Directory
Solution: Give the site server’s machine account full control rights to the “System Management” container, and all child objects in Active Directory.
Possible cause: Another Active Directory object named “SMS-Site-[SiteCode]” already exists somewhere outside of the “System Management” container
Solution: Locate the other object with the same name, and delete the object from its current location. Then allow the site to create a new object.
Possible cause: The Active Directory schema has not been extended with the correct ConfigMgr Active Directory classes and attributes.
Solution: Turn off Active Directory publishing for each site in the forest, until the schema can be extended. The schema can be extended with the tool “extadsch.exe” from the installation media.
To me the cause seemed obvious, so I decided to do the schema extension.
According to TechNet, ExtAdSch.exe is a good way to do this, so I executed extadsch.exe on a domain controller. Unfortunately this did not work the first time…
<09-19-2014 17:21:29> Modifying Active Directory Schema – with SMS extensions.
<09-19-2014 17:21:29> DS Root:CN=Schema,CN=Configuration,DC=sys,DC=net
<09-19-2014 17:21:30> Defined attribute cn=MS-SMS-Site-Code.
<09-19-2014 17:21:30> Defined attribute cn=mS-SMS-Assignment-Site-Code.
<09-19-2014 17:21:30> Defined attribute cn=MS-SMS-Site-Boundaries.
<09-19-2014 17:21:31> Defined attribute cn=MS-SMS-Roaming-Boundaries.
<09-19-2014 17:21:31> Defined attribute cn=MS-SMS-Default-MP.
<09-19-2014 17:21:31> Defined attribute cn=mS-SMS-Device-Management-Point.
<09-19-2014 17:21:31> Defined attribute cn=MS-SMS-MP-Name.
<09-19-2014 17:21:31> Defined attribute cn=MS-SMS-MP-Address.
<09-19-2014 17:21:32> Defined attribute cn=mS-SMS-Health-State.
<09-19-2014 17:21:32> Defined attribute cn=mS-SMS-Source-Forest.
<09-19-2014 17:21:32> Defined attribute cn=MS-SMS-Ranged-IP-Low.
<09-19-2014 17:21:32> Defined attribute cn=MS-SMS-Ranged-IP-High.
<09-19-2014 17:21:32> Defined attribute cn=mS-SMS-Version.
<09-19-2014 17:21:33> Defined attribute cn=mS-SMS-Capabilities.
<09-19-2014 17:21:33> Failed to create class cn=MS-SMS-Management-Point. Error code = 8202.
<09-19-2014 17:21:33> Failed to create class cn=MS-SMS-Server-Locator-Point. Error code = 8202.
<09-19-2014 17:21:33> Failed to create class cn=MS-SMS-Site. Error code = 8202.
<09-19-2014 17:21:33> Failed to create class cn=MS-SMS-Roaming-Boundary-Range. Error code = 8202.
<09-19-2014 17:21:33> Failed to extend the Active Directory schema, please find details in “C:\ExtADSch.log”.
<09-19-2014 17:25:47> Modifying Active Directory Schema – with SMS extensions.
<09-19-2014 17:25:47> DS Root:CN=Schema,CN=Configuration,DC=sys,DC=net
<09-19-2014 17:25:47> Attribute cn=MS-SMS-Site-Code already exists.
<09-19-2014 17:25:47> Attribute cn=mS-SMS-Assignment-Site-Code already exists.
<09-19-2014 17:25:48> Attribute cn=MS-SMS-Site-Boundaries already exists.
<09-19-2014 17:25:48> Attribute cn=MS-SMS-Roaming-Boundaries already exists.
<09-19-2014 17:25:48> Attribute cn=MS-SMS-Default-MP already exists.
<09-19-2014 17:25:48> Attribute cn=mS-SMS-Device-Management-Point already exists.
<09-19-2014 17:25:48> Attribute cn=MS-SMS-MP-Name already exists.
<09-19-2014 17:25:49> Attribute cn=MS-SMS-MP-Address already exists.
<09-19-2014 17:25:49> Attribute cn=mS-SMS-Health-State already exists.
<09-19-2014 17:25:49> Attribute cn=mS-SMS-Source-Forest already exists.
<09-19-2014 17:25:49> Attribute cn=MS-SMS-Ranged-IP-Low already exists.
<09-19-2014 17:25:49> Attribute cn=MS-SMS-Ranged-IP-High already exists.
<09-19-2014 17:25:49> Attribute cn=mS-SMS-Version already exists.
<09-19-2014 17:25:50> Attribute cn=mS-SMS-Capabilities already exists.
<09-19-2014 17:25:50> Failed to create class cn=MS-SMS-Management-Point. Error code = 8202.
<09-19-2014 17:25:50> Failed to create class cn=MS-SMS-Server-Locator-Point. Error code = 8202.
<09-19-2014 17:25:50> Failed to create class cn=MS-SMS-Site. Error code = 8202.
<09-19-2014 17:25:50> Failed to create class cn=MS-SMS-Roaming-Boundary-Range. Error code = 8202.
<09-19-2014 17:25:50> Failed to extend the Active Directory schema, please find details in “C:\ExtADSch.log”.
It turned out that I hadn’t run it on the schema master. So I had to find out which domain controller holds the schema master role, and for that I used the following command…
netdom /query fsmo
Running extadsch.exe on the schema master worked, and everything was fine…
<09-19-2014 17:46:19> Modifying Active Directory Schema – with SMS extensions.
<09-19-2014 17:46:19> DS Root:CN=Schema,CN=Configuration,DC=sys,DC=net
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Site-Code already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Assignment-Site-Code already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Site-Boundaries already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Roaming-Boundaries already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Default-MP already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Device-Management-Point already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-MP-Name already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-MP-Address already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Health-State already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Source-Forest already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Ranged-IP-Low already exists.
<09-19-2014 17:46:19> Attribute cn=MS-SMS-Ranged-IP-High already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Version already exists.
<09-19-2014 17:46:19> Attribute cn=mS-SMS-Capabilities already exists.
<09-19-2014 17:46:20> Defined class cn=MS-SMS-Management-Point.
<09-19-2014 17:46:21> Defined class cn=MS-SMS-Server-Locator-Point.
<09-19-2014 17:46:21> Defined class cn=MS-SMS-Site.
<09-19-2014 17:46:21> Defined class cn=MS-SMS-Roaming-Boundary-Range.
<09-19-2014 17:46:21> Successfully extended the Active Directory schema.
<09-19-2014 17:46:21> Please refer to the ConfigMgr documentation for instructions on the manual
<09-19-2014 17:46:21> configuration of access rights in active directory which may still
<09-19-2014 17:46:21> need to be performed. (Although the AD schema has now be extended,
<09-19-2014 17:46:21> AD must be configured to allow each ConfigMgr Site security rights to
<09-19-2014 17:46:21> publish in each of their domains.)
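The tail of that log is a reminder that extending the schema is only half of the job: the site server’s machine account still needs full control on the “System Management” container, which is the first “Possible cause” in the Site Status message above. Here is an added example of mine, not code from the original post, that checks all three things from this case with the ActiveDirectory module: which DC holds the schema master (the one extadsch.exe must be run against), whether the four classes from the log now exist in the schema, and whether the site server’s machine account has full control on the container. The three function names and the $SiteServer parameter are my own.

```powershell
# Added example: verify the prerequisites for ConfigMgr AD publishing.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-SchemaMasterDC {
    # extadsch.exe has to run against the schema master; this is the PowerShell
    # equivalent of "netdom query fsmo" for just that role.
    (Get-ADForest).SchemaMaster
}

function Test-CMSchemaExtension {
    # The four classes extadsch.exe creates, taken from the log above.
    $classes = 'MS-SMS-Management-Point', 'MS-SMS-Server-Locator-Point',
               'MS-SMS-Site', 'MS-SMS-Roaming-Boundary-Range'
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($c in $classes) {
        $obj = Get-ADObject -SearchBase $schemaNC `
                            -LDAPFilter "(&(objectClass=classSchema)(cn=$c))" `
                            -ErrorAction SilentlyContinue
        [pscustomobject]@{ Class = $c; Present = [bool]$obj }
    }
}

function Test-SystemManagementAcl {
    # Checks that the site server's computer account has Full Control on the
    # "System Management" container and all child objects (InheritanceType All).
    param([Parameter(Mandatory)][string]$SiteServer)   # computer name without the trailing $

    $domainDN  = (Get-ADDomain).DistinguishedName
    $container = "CN=System Management,CN=System,$domainDN"
    $acl = Get-Acl -Path "AD:\$container"                # AD: drive comes with the module

    $sam     = "$SiteServer$"
    $entries = $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$sam" }
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $fullControl = $entries | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -and
        $_.InheritanceType -eq 'All'
    }

    [pscustomobject]@{
        Container      = $container
        Account        = $sam
        HasFullControl = [bool]$fullControl
        Entries        = $entries    # everything granted to the account, for review
    }
}

# Usage (site server name is a placeholder):
# Get-SchemaMasterDC
# Test-CMSchemaExtension | Format-Table
# Test-SystemManagementAcl -SiteServer 'CM01'
```

If Test-CMSchemaExtension reports a class as missing after the run, you most likely hit the same thing I did and ran extadsch.exe against a DC that is not the schema master; if HasFullControl is false, the “cannot create the object” events will keep coming back no matter how often the schema is extended.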
*Captain