SCCM 2012 R2 IBCM - Certificates

Hi all,
I am trying to get internet based client management working but struggling with a few things.
Here's what I have achieved so far:
Single AD, Single Forest (2008 R2)
1 x Primary Server (primary.contoso.com)
2 x Distribution Points (newark.contoso.com & boston.contoso.com)
1 x IBCM Server (ibcm.contoso.com)
1 x Enterprise Certificate Server
Domain name created with external DNS provider (sccmagent.contoso.com)
Firewall NAT Rule forwards port 443 from sccmagent.contoso.com to ibcm.contoso.com
Firewall Access Rule allows port 443 inbound from any WAN to LAN ibcm.contoso.com
==========
There are no domain controllers within the DMZ and, due to various internal issues, the DMZ will not be used for this solution. Therefore the IBCM server has been installed directly onto the LAN and will be secured with a SonicWall firewall (Microsoft's third best-practice option).
Certificates have been created and deployed. Client agents already have the certificates installed and display PKI. The Network settings tab on the agent has been updated to include the external FQDN of the IBCM server (sccmagent.contoso.com).
Primary sites components all look to be in good health, management point and distribution point roles for IBCM look good.
My problem is that when I take my test laptop home and connect to the internet, I do not believe it's communicating with the IBCM server. I've checked that port 443 is open, which it is. When I visit
https://sccmagent.contoso.com//sms_mp/.sms_aut?mplist
I get the following error page:
"The site's security certificate is not trusted! You attempted to reach sccmagent.contoso.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system."
Every guide I have read tells me that I have done everything correctly, so what am I missing? The certificates I created were all set to ibcm.contoso.com, as the guides suggest, and not sccmagent.contoso.com.
Thanks!!!!!

Sorry, I'm afraid the above solution didn't work.
The certificate was changed to the internet FQDN but I am still unable to manage or deploy anything to the client. However, now when I browse to the URL mentioned above the certificate error is gone, but I do get a 403 Forbidden message. I think this is OK though?
Here are a few things I have noticed:
Primary server
Site server > Monitoring > System Status > Component Status > SMS_MP_CONTROL_MANAGER (ibcm.contoso.com):
mp control manager detected dmp proxy is not responding to http requests
This was working about two hours ago and no changes have been made since (I wasn't even at work, lol).
Internet client machine
ClientLocation.log:
domain joined client is in internet
current internet management point is the only internet management point
LocationServices.log:
4 internet mp errors in the last 10 minutes
CcmMessaging.log:
post to https://sccmagent.contoso.com/ccm_system/request, port=443..........ERROR_WINHTTP_SECURE_FAILURE
I have tried turning off CRL checking on the site server as someone suggested in another forum, but it made no difference. They also said to edit some registry keys so the client thinks it was installed with the /NoCRLCheck switch... again, no difference.
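The two browser complaints in this thread ("issued by an entity that is not trusted" before the certificate was reissued, then no certificate error once it carried the internet FQDN) are the two checks every TLS client performs on a server certificate: is the issuer trusted, and does the name the client connected to appear in the certificate. The following is an added example, not code from the thread or from Microsoft; it models both checks on constructed certificate dicts shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, and goes beyond the thread's case by also handling wildcard names the way RFC 6125 specifies. The hostnames, CA name and the `TRUSTED_ON_DOMAIN_LAPTOP` set are assumptions taken from or modelled on the thread.

```python
"""Model of the two checks a TLS client makes before it will talk to
https://sccmagent.contoso.com: is the certificate's issuer trusted, and does
the name the client connected to appear in the certificate. Added example,
not code from the thread; the certificate dicts are constructed and follow
the shape that ssl.SSLSocket.getpeercert() returns."""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, RFC 6125 style.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the complete left-most label and never spans a dot, so
    *.contoso.com covers ibcm.contoso.com but not a.b.contoso.com and not
    contoso.com itself, and a bare *.com is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def candidate_names(cert: dict) -> list:
    """Names a client compares against: every SAN dNSName, and only when the
    certificate carries no dNSName at all, the subject CN (the legacy
    fallback; current browsers ignore the CN entirely)."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def issuer_cn(cert: dict) -> str:
    """Common name of the issuing CA, or '' if the certificate has none."""
    return next((value for rdn in cert.get("issuer", ()) for key, value in rdn
                 if key == "commonName"), "")


def diagnose(cert: dict, requested_host: str, trusted_issuer_cns: set) -> str:
    """Return 'ok', or the reason a client would refuse the certificate.
    Trust is simplified to 'issuer CN is in the machine's trusted set'; real
    validation also verifies chain signatures, validity period and the CRL."""
    issuer = issuer_cn(cert)
    if issuer not in trusted_issuer_cns:
        return f"untrusted issuer: {issuer!r} is not in the client's trusted CAs"
    names = candidate_names(cert)
    if not any(dns_name_matches(name, requested_host) for name in names):
        return f"name mismatch: {requested_host} is not covered by {names}"
    return "ok"


# Constructed certificates. The first is what the original poster described:
# issued by the internal enterprise CA to the server's internal FQDN only.
# The second carries the external FQDN as an additional SAN entry.
INTERNAL_ONLY_CERT = {
    "subject": ((("commonName", "ibcm.contoso.com"),),),
    "issuer": ((("commonName", "Contoso Enterprise CA"),),),
    "subjectAltName": (("DNS", "ibcm.contoso.com"),),
}
DUAL_NAME_CERT = {
    "subject": ((("commonName", "ibcm.contoso.com"),),),
    "issuer": ((("commonName", "Contoso Enterprise CA"),),),
    "subjectAltName": (("DNS", "ibcm.contoso.com"), ("DNS", "sccmagent.contoso.com")),
}
# Assumed: a domain-joined laptop that received the enterprise root via GPO.
TRUSTED_ON_DOMAIN_LAPTOP = {"Contoso Enterprise CA"}

if __name__ == "__main__":
    for label, cert in (("internal-only", INTERNAL_ONLY_CERT), ("dual-name", DUAL_NAME_CERT)):
        print(label, "->", diagnose(cert, "sccmagent.contoso.com", TRUSTED_ON_DOMAIN_LAPTOP))
    # A machine that never received the enterprise root fails the first check instead.
    print("internal-only, root not installed ->",
          diagnose(INTERNAL_ONLY_CERT, "sccmagent.contoso.com", set()))
```

Reissuing the certificate with the internet FQDN, as done later in the thread, is the move from `INTERNAL_ONLY_CERT` to a certificate whose SAN covers `sccmagent.contoso.com`; keeping the internal name as a second SAN entry lets the same certificate serve both the LAN and the internet side of the NAT. Note that passing the issuer check on the laptop says nothing about whether the CRL for that issuer is reachable from the internet, which the client's own validation also requires.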

Similar Messages

  • SCCM 2012 DB migration - certificate chain error

    Hi all
    I am having an issue with migrating an SCCM 2012 database to a new SQL instance that doesn't seem to be uncommon; however, I have had no luck in resolving the issue with what other people have suggested on forums. I have an SCCM 2012 installation which currently has the site database located on a co-located SQL 2012 instance. I am trying to migrate this database to a different SQL 2012 server with multiple named instances.
    I have followed the instructions as per the following article:
    http://blogs.technet.com/b/configurationmgr/archive/2013/04/02/how-to-move-the-configmgr-2012-site-database-to-a-new-sql-server.aspx
    I have backed up and restored the database to the new instance as per the guide however when running the Configuration Manager Setup Wizard I am getting the following errors:
    *** Failed to connect to the SQL Server, connection type: SMS ACCESS. Configuration Manager Setup 22/04/2015 11:51:10 AM 4428 (0x114C)
    INFO: SQL Connection failed. Connection: SMS ACCESS, Type: Secure Configuration Manager Setup 22/04/2015 11:51:10 AM 4428 (0x114C)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup 22/04/2015 11:51:13 AM 4428 (0x114C)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection Configuration Manager Setup 22/04/2015 11:51:13 AM 4428 (0x114C)
    *** Failed to connect to the SQL Server, connection type: SMS ACCESS. Configuration Manager Setup 22/04/2015 11:51:13 AM 4428 (0x114C)
    The errors will continue to pop up every 3 seconds for a few minutes before timing out and the wizard errors out.
    I have tried as others suggested and performed the following with no luck:
    - added the SCCM 2012 service account (account that I'm running the Config Manager wizard as) and computer account to the local administrators group on the SQL server
    - given the SCCM 2012 service account (account that I'm running the Config Manager wizard as) sysadmin privileges to the SQL instance
    - from our internal CA I've issued a certificate for the SQL server and installed it on both the SQL and SCCM server
    - tried exporting the SCCM server cert from the SMS_SITE_COMPONENT_MANAGER\Trusted People store and installed it into the Local Computer\Personal certificate store on the SQL server. Even tried installing it into the MSSQL$INST02\Personal store (INST02 being the name of the SQL instance)
    Articles that I've already referenced to try and fix this however without any luck:
    https://social.technet.microsoft.com/Forums/en-US/b5e1fc09-1f09-4de2-93c3-c0261fdda238/the-certificate-chain-was-issued-by-an-authority-that-is-not-trusted-when-migrating-to-sql-2012?forum=configmanagerdeployment#a294676b-d51a-4049-82cf-adde14f9711a
    https://social.technet.microsoft.com/Forums/en-US/1726fa9d-a97b-41cb-8531-5a5f7191132e/cant-migrate-sccm-database-to-sql-server-2008-r2-cluster-connection-failed-sms-access?forum=configmanagergeneral
    Does anyone have any suggestions? The ideal solution for me would be to remove the need to use certificates for the connection to the SQL backend, if that is at all possible.
    Cheers
    Brady

    At this point I recommend that you contact Microsoft Support (CSS) and ask them how to solve this problem.
    IMO you shouldn't need the two certs from your internal CA, but you will need the two certs from your site server.
    Garth Jones | My blogs: Enhansoft and
    Old Blog site | Twitter:
    @GarthMJ

  • Does SCCM 2012 support IBCM for Linux and UNIX operating systems?

    folks,
    Does SCCM 2012 support Linux and UNIX operating systems for IBCM? As far as I know it doesn't, from what I have learnt through Bing.

    I thought it's not supported for Linux and Unix, see also:
    http://blogs.msdn.com/b/teju_shyamsundar/archive/2014/05/23/installing-the-system-center-2012-r2-configuration-manager-client-on-linux-part-2.aspx
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Updates Publisher 2011 + SCCM 2012 - no signing certificate every time (Bug?)

    Hello everybody,
    I got a strange problem with the System Center Updates Publisher 2011 which I want to use with SCCM 2012 (SP1).
    Some weeks ago I was able to enable publishing on the update server (SCUP + SCCM + WSUS are on the same machine), to create a self-signed certificate and to establish the connection to the WSUS server.
    Some weeks later SCUP seems to have "forgotten" the certificate and the option "Enable publishing to an update server" is disabled.
    If I try to reactivate this option then I cannot create a new self-signed certificate anymore.
    I always get the "... test connection succeeded. However, no signing certificate was detected ..." dialog.
    I also cannot choose the existing certificate (.pfx) file ("No certificate information available").
    Is this a bug?
    Can I uninstall SCUP completely and create a new certificate again?

    Did you open SCUP as administrator? But Yes, you can reinstall SCUP and create another cert or use the existing cert.
    Kent Agerlund | My blogs: blog.coretech.dk/kea and
    SCUG.dk/ | Twitter:
    @Agerlund | Linkedin: Kent Agerlund |
    Mastering ConfigMgr 2012 The Fundamentals

  • [SCCM 2012 R2] - IBCM - Authenticate computers on TMG from another forest

    Hi All,
    There is no article on TechNet that describes client certificate requirements for computers in another forest.
    Scenario:
    We have Domain A [aaa.bbb.ccc] and Domain B [111.222.333], and those domains are in different forests. There is a "Forest" trust between the forests.
    TMG and the IBCM site server are in Domain A, and computers from Domain A authenticate successfully from the Internet to TMG using SSL client authentication. The problem is computers from Domain B, which cannot authenticate to TMG.
    We used old documentation
    https://technet.microsoft.com/en-us/library/cc707697.aspx#AppendixA for SCCM 2007 and ISA without success. I created a certificate for computers in Domain B with a custom SAN:upn=<hostname>$@<domain.tld>, and TMG still cannot authenticate computers from Domain B.
    Please help.
    Thank you in advance.
    Regards,

    There's no difference -- ConfigMgr does *not* care about forests, domain, or trusts for client authentication and neither does certificate based authentication.
    The certs in use, both the client auth and server auth certs, must of course be trusted by the site systems and the clients and in this case the TMG server -- that's simply how certs work though and has nothing to do with ConfigMgr. Additionally, the CRLs for the certs in use must be accessible to the clients and servers via an accessible CRL DP, but that is also simply how certs work.
    For what you've described above, does TMG trust the certs issued to the clients? In other words, does it trust the CA that issued those certs and can it access a CRL for that CA?
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • SCCM 2012 Secondary site certificat on DC

    Hi,
    I have some SCCM distribution points on Windows 2003 DCs, but in CertMgr.log I found some certificate registration trouble:
    "ERROR: could not add certificate (HRESULT=0x80070005)  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:18.333-120><thread=3856 (0xF10)>
    Error: Failed to write certificate from server (SRV-AG34-WSUS.ort.ad)(SRV-AG34-WSUS.ort.ad\TrustedPeople).  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:18.338-120><thread=3856 (0xF10)>
    Cancelling network connection to \\SRV-AG34-WSUS.ort.ad\ADMIN$.  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:18.344-120><thread=3856 (0xF10)>
    Failed to process notification file E:\SCCM\inboxes\certmgr.box\3_SRV-AG34-WSUS.ort.ad.CMN (0x87d20805).   $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:18.407-120><thread=3856 (0xF10)>
    ~Found notification file E:\SCCM\inboxes\certmgr.box\3_SRV-AG35-WSUS.ort.ad.CMN  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:18.411-120><thread=3856 (0xF10)>
    The machine account will be used for ["Display=\\SRV-AG35-WSUS.ort.ad\"]MSWNET:["SMS_SITE=AIX"]\\SRV-AG35-WSUS.ort.ad\.~  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:18.422-120><thread=3856 (0xF10)>
    Successfully made a network connection to \\SRV-AG35-WSUS.ort.ad\ADMIN$.~  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:18.608-120><thread=3856 (0xF10)>
    ERROR: could not add certificate (HRESULT=0x80070005)  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:21.685-120><thread=3856 (0xF10)>
    Error: Failed to write certificate from server (SRV-AG35-WSUS.ort.ad)(SRV-AG35-WSUS.ort.ad\TrustedPeople).  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:21.687-120><thread=3856 (0xF10)>
    Cancelling network connection to \\SRV-AG35-WSUS.ort.ad\ADMIN$.  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:21.689-120><thread=3856 (0xF10)>
    Failed to process notification file E:\SCCM\inboxes\certmgr.box\3_SRV-AG35-WSUS.ort.ad.CMN (0x87d20805).   $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:21.770-120><thread=3856 (0xF10)>
    ~Found notification file E:\SCCM\inboxes\certmgr.box\3_SRV-AG46-WSUS.ort.ad.CMN  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:21.774-120><thread=3856 (0xF10)>
    The machine account will be used for ["Display=\\SRV-AG46-WSUS.ort.ad\"]MSWNET:["SMS_SITE=AIX"]\\SRV-AG46-WSUS.ort.ad\.~  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:21.783-120><thread=3856 (0xF10)>
    Successfully made a network connection to \\SRV-AG46-WSUS.ort.ad\ADMIN$.~  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:22.026-120><thread=3856 (0xF10)>
    ERROR: could not add certificate (HRESULT=0x80070005)  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:42.876-120><thread=3856 (0xF10)>
    Error: Failed to write certificate from server (SRV-AG46-WSUS.ort.ad)(SRV-AG46-WSUS.ort.ad\TrustedPeople).  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:42.880-120><thread=3856 (0xF10)>
    Cancelling network connection to \\SRV-AG46-WSUS.ort.ad\ADMIN$.  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:42.884-120><thread=3856 (0xF10)>
    Failed to process notification file E:\SCCM\inboxes\certmgr.box\3_SRV-AG46-WSUS.ort.ad.CMN (0x87d20805).   $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:42.887-120><thread=3856 (0xF10)>
    ~Found notification file E:\SCCM\inboxes\certmgr.box\3_SRV-AG54-WSUS.ort.ad.CMN  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:42.891-120><thread=3856 (0xF10)>
    The machine account will be used for ["Display=\\SRV-AG54-WSUS.ort.ad\"]MSWNET:["SMS_SITE=AIX"]\\SRV-AG54-WSUS.ort.ad\.~  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:42.899-120><thread=3856 (0xF10)>
    Successfully made a network connection to \\SRV-AG54-WSUS.ort.ad\ADMIN$.~  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:42.930-120><thread=3856 (0xF10)>
    ERROR: could not add certificate (HRESULT=0x80070005)  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:45.024-120><thread=3856 (0xF10)>
    Error: Failed to write certificate from server (SRV-AG54-WSUS.ort.ad)(SRV-AG54-WSUS.ort.ad\TrustedPeople).  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:45.029-120><thread=3856 (0xF10)>
    Cancelling network connection to \\SRV-AG54-WSUS.ort.ad\ADMIN$.  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:45.033-120><thread=3856 (0xF10)>
    Failed to process notification file E:\SCCM\inboxes\certmgr.box\3_SRV-AG54-WSUS.ort.ad.CMN (0x87d20805).   $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:45.036-120><thread=3856 (0xF10)>
    ~Found notification file E:\SCCM\inboxes\certmgr.box\3_SRV-AG64-WSUS.ort.ad.CMN  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:45.040-120><thread=3856 (0xF10)>
    The machine account will be used for ["Display=\\SRV-AG64-WSUS.ort.ad\"]MSWNET:["SMS_SITE=AIX"]\\SRV-AG64-WSUS.ort.ad\.~  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:45.048-120><thread=3856 (0xF10)>
    Successfully made a network connection to \\SRV-AG64-WSUS.ort.ad\ADMIN$.~  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:45.191-120><thread=3856 (0xF10)>
    ERROR: could not add certificate (HRESULT=0x80070005)  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:47.805-120><thread=3856 (0xF10)>
    Error: Failed to write certificate from server (SRV-AG64-WSUS.ort.ad)(SRV-AG64-WSUS.ort.ad\TrustedPeople).  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:47.810-120><thread=3856 (0xF10)>
    Cancelling network connection to \\SRV-AG64-WSUS.ort.ad\ADMIN$.  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:47.814-120><thread=3856 (0xF10)>
    Failed to process notification file E:\SCCM\inboxes\certmgr.box\3_SRV-AG64-WSUS.ort.ad.CMN (0x87d20805).   $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:47.818-120><thread=3856 (0xF10)>
    servers will be polled in 644 seconds...  $$<SMS_CERTIFICATE_MANAGER><10-24-2012 11:18:47.821-120><thread=3856 (0xF10)>"
    (All servers in this part of the log are DCs.)
    Any suggestions to help me?
    Thx

    I am seeing this same symptom right now at a client, though just Server 2003 member server, not a DC.  I know this is an old thread but did you ever get a resolution on this?

  • SCCM 2012 R2 IBCM

    Looking to set up Internet-Based Client Management for a client and just want to make sure I have everything I need. They are running CM 2012 R2 and have a site system server in the DMZ with MP, DP, SUP, FBS, and AC to handle the internet clients. For the firewall between intranet and DMZ I am going to recommend opening ports 80, 445, 443, 1433, and 145. For the firewall between DMZ and internet, 80 and 443. Which of these have to be incoming, outgoing, and bi-directional? Any other configurations you think I should need would be helpful too. Thanks.

    For ConfigMgr you look good, but you might also want to add a CRLDP and not install the FPS on the same box as the other server (security)
    Kent Agerlund | My blogs: blog.coretech.dk/kea and
    SCUG.dk/ | Twitter:
    @Agerlund | Linkedin: Kent Agerlund |
    Mastering ConfigMgr 2012 The Fundamentals

  • [SCCM 2012 R2] IBCM - Test and Troubleshoot

    Hi All,
    We have one Internet-based site system placed on the intranet network and deployed only for Internet-only clients. It will be protected via a reverse proxy for Internet clients.
    For present testing and future troubleshooting it would be great if there were a way to fool an SCCM client that is on the intranet network into thinking it is on the Internet.
    I tried to create a deny firewall rule to all IP addresses except the Internet-based site system and adding the Internet MP FQDN to the HOSTS file, with NO LUCK.
    Please help.
    Thank you in advance.
    Regards,

    The Network Location determination relies on the IP address or the boundary you set for the site. Blocking the communication is of no avail.
    Juke Chou
    TechNet Community Support

  • WildCard Certificate for IBCM - SCCM 2012

    Hi,
    I have a Primary Site at the data center. There are 2 MPs installed there.
    One MP I would like to publish using ISA/TMG for Internet-Based Client Management. Can I use a wildcard certificate on the ISA Server for this? The MP would have a local cert in IIS.
    Does SCCM 2012 support wildcard certificates?

    My assumption was that you had purchased a wildcard cert and thus were purchasing your certs as you made no mention of an internal PKI.
    What happens at your ISA box is between the client OS and ISA and really has nothing to do with ConfigMgr. So, although I haven't tried it, it should work. If you have an internal PKI though, why aren't you just issuing a non-wildcard cert to the ISA?
    Jason | http://blog.configmgrftw.com

  • IBCM Migrating existing SCCM 2012 Clients

    Hi, we have in our current environment 120,000 endpoints configured on a CAS with 3 Primary sites. All the clients are currently set up for SCCM 2012.
    We started a new project to introduce IBCM in the environment, and here is the question on the clients: what is needed to set up the existing clients for IBCM, so basically when connected on the "Intranet" they will use the infrastructure on the Intranet, and when connected to the "Internet" they would use the infrastructure we installed in the DMZ with public DNS entries etc.
    What I'd like to understand is what is needed on the existing clients to configure them to be IBCM aware.
    I've done some testing in my Dev environment and managed to configure client using https and PKI Certs.
    Few questions on this
    New Client Installation parameters
    Currently we have installed all our clients using the following command line: "/Service SMSSITECODE=AUTO". I've left out the other parameters, but basically the current clients are not IBCM aware.
    New install command I'm using: /Service /UsePKICert SMSSITECODE=<SiteCode> CCMHOSTNAME=<FQDN MP>. With this command line the client gets installed on the Intranet and I can see it does recognize the certificate; however, when I switch over to the internet, checking the control panel applet it's still saying "Client Certificate: Self-signed" ==> Would this not switch to PKI? To be clear, for my Intranet I don't use https but just http, and I would like to keep it that way.
    Client Migration
    I've tried using the script I found on TechNet and that does set the Internet MP, but checking the properties of the client it still shows "Client Certificate: Self-signed", even when connected on the Internet.
    Does it require re-installing the client so it will be IBCM aware? We're planning to upgrade our clients to the R2 release in August; would it be sufficient if I then update the ClientPush parameters to include the IBCM-specific parameters, and I guess that would work also?
    Thx.

    Hi Jason, thanks for the reply, and here are some answers to your earlier questions.
    Background is R2, but clients are not yet upgraded (SCCM 2012 SP1), they will be upgraded aug-sept time frame, using the built-in upgrade process, obviously after doing our testing :-)
    You said:
    "No, you should not have to do anything for the clients to be Intranet and Internet capable as long as they have properly trusted and valid client auth certs. Note that this includes being able to reach the CRL on an accessible CDP."  
    ==> How is the client then going to find its Internet Management Point? I know the client gets the MP list every 25 hours; I assume that would include the Internet MPs. Is that the way the client will find the Internet MP?
    Checking the logs on 1 client I can see in "ClientLocation.log":
        Client is internet
        Current internet Management point is <empty>
    If I check the control panel applet - "Network", the Internet MP is empty for that particular client.
    I will have the full infrastructure available in the DMZ; currently doing my testing in the DEV environment, where I have to be creative in faking Intranet/Internet using 2 separate networks.
    Follow-up question.
    If I understand you correctly, I don't have to change anything in the installation params that I'm currently using. This assumes clients have valid certificates and can access the CRL.
    Thanks again for your help, appreciated.

  • Using a custom certificate store for SCCM 2012 clients and primary site server

    I have read what seems to be all the PKI-related documentation out there for SCCM 2012. I have a PKI infrastructure up and running, issuing certificates with an offline root through group policy autoenrollment. The problem that I'm faced with is we are migrating from SCCM 2007 that was in native mode, and we chose not to use the CA that we used for the old SCCM environment. When the clients attempt to communicate with the M.P. it runs through all of the different certificates and adds a tremendous amount of overhead to the M.P. We will have tens of thousands of clients by migration end. Could someone please point me to a document that goes over how to leverage a custom certificate store that I could then tell the new 2012 environment to use? I know that it's in there, I've seen it in the console. The setup is one primary site server with SQL on box and the PKI I just mentioned, as well as the old 2007 environment that is still live.
    I read that you can try and use the SAN as a method of identifying the new certs but I haven't found a good document covering exactly how that works. Any info you could provide I would be very grateful for. Thanks.

    Jason, thank you for your reply. I'm getting the impression that you have never been in the situation where you had to deal with 2 different PKI environments. Let me state that I understand what you're saying about trust. We have to configure the trusted root CA via GPO. That simply isn't enough, and I have a valid example to back up this claim. When the new clients got the advertisement and began the ccmsetup process I used the /pki switch among others. What the client ended up doing was selecting a certificate that had the longest validity period, which was issued by our old CA. It checked the authentication chain, found it to be valid and selected it for communication. At that point the installation failed, period, no caveats as you say. The reason the install failed is because the new PKI infrastructure is integrated into the new environment, and the old is not. So when you said "that are trusted and they can use *any* cert that is trusted because at the end of the day, there is no difference between two valid certs that have the same purpose as long as they are trusted." that is not correct. Both certs are trusted, and use the same certificate template, but only one certificate would allow the install to complete successfully.
    Once I started using the CCMCERTISSUERS switch the client install went swimmingly. The only reason I'm still debating this point is because someone might read this thread, see your comments and assume "well I've got my new PKI configured as a trusted root CA, I should be all set" and their deployment will fail, just as my pilot did.
    About Intune, I'm looking forward to doing a POC in the lab I built with my Note 3. I'm hoping it goes well as I really want to have our MDM migrated into ConfigMgr... I think the biggest obstacle outside of selling it to management will be the actual device migration from the current MDM solution. From what I understand of the enrollment process, manual install and config is the only path forward.
    Thanks Jason for your post and discussion.

  • SQL Connection Failed for SCCM 2012 R2 (Unable to load user-specified certificate)

    We've recently completed an upgrade from SCCM 2012 SP1 to 2012 R2 and have been running in the new environment for about a week. As of this morning, the consoles failed to connect to the CAS's and one of the Primary Sites' databases. The issue was resolved easily enough by addressing a certificate issue in SQL, but I'm left wondering if there's a correlation with the SP1-to-R2 upgrade that would cause the cert to fail. Anyone have experience with this?
    2014-01-21 22:10:11.81 Server      The server could not load the certificate it needs to initiate an SSL connection. It returned the following error: 0x8009030d. Check certificates to make sure they are valid.
    2014-01-21 22:10:11.81 Server      Error: 26014, Severity: 16, State: 1.
    2014-01-21 22:10:11.81 Server      Unable to load user-specified certificate [Cert Hash(sha1) "haaaaassssshhhh"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See
    "Configuring Certificate for Use by SSL" in Books Online.
    2014-01-21 22:10:11.81 Server      Error: 17182, Severity: 16, State: 1.
    2014-01-21 22:10:11.81 Server      TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
    2014-01-21 22:10:11.81 Server      Error: 17182, Severity: 16, State: 1.
    2014-01-21 22:10:11.81 Server      TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
    2014-01-21 22:10:11.81 Server      Error: 17826, Severity: 18, State: 3.
    2014-01-21 22:10:11.81 Server      Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
    2014-01-21 22:10:11.81 Server      Error: 17120, Severity: 16, State: 1.
    2014-01-21 22:10:11.81 Server      SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

    We got the same certificate-related error events after a fresh install of SCCM 2012 R2 on a new server. It happened during the first reboot after SCCM was installed. In the Certificates MMC, I right-clicked on the certificate used by SQL and chose Manage Private Keys. Giving the service account that runs the MSSQLSERVER service read rights to the private key allowed SQL to start. However, after a day or so we rebooted the server again, and SQL wouldn't start. Something had removed the service account's read permission. Since the SCCM configuration wasn't that far along, we uninstalled SCCM. After giving the service account read rights again and rebooting several times over a few days, SQL started every time. We then installed SCCM 2012 R2 again, and checked the certificate's permissions before rebooting. The service account still had read permissions when the install completed, but as soon as the server was rebooted, it lost the permissions again.
    The Certificates MMC was then used to request a second computer certificate, and then SQL was configured to use that new certificate via SQL Server Configuration Manager. After several days and a number of reboots the SQL services have started normally every time, so the second certificate seems to have fixed the issue. I have kept the original certificate for fear that removing it will cause whatever part of SCCM 2012 R2 that modifies the original certificate to start removing permissions from the new certificate as well.

  • 2012 SCCM SP1 Distribution Point Certificate store error on Server 2003 R2

    Has anyone had this issue on Server 2003 R2 where you are getting the error listed below? All content is being distributed OK, but monitoring is showing errors with all my Distribution Points and I want these errors to go away so I don't have to sift through all the darn errors.
    Thanks for your help. Daniel.
    Report status message 0x40000952 to MP
    Failed to create certificate store from encoded certificate.. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance.
    The parameter is incorrect. (Error: 80070057; Source: Windows)
    Status message has been successfully sent to MP from remote DP

    I have found the error message in the smsdpmon.log on a Windows Server 2003 SP2 system acting as a Distribution Point (only).  The error shows up when / during a scheduled content validation on that server and is repeated after each package is "validated".
    From the smsdpmon.log:
    - Start to evaluate package share for package 'XXX0004F' version 5 ...
    - Package XXX0004F is verified successfully
    - Report state message 0x40000950 to MP
    - Failed to create certificate store from encoded certificate.. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance. The parameter is incorrect. (Error: 80070057; Source: Windows)
    - Report Body: <ReportBody><StateMessage MessageTime="20140315150802.000000+000" SerialNumber="5"><Topic ID="XXX0004F" Type="901" IDType="0"/><State ID="2384" Criticality="0"/><UserParameters Flags="0" Count="2"><Param>XXX0004F</Param><Param>["Display=\\DPSERVNAME.domain.com\"]MSWNET:["SMS_SITE=XXX"]\\DPSERVNAME.domain.com\</Param></UserParameters></StateMessage></ReportBody>
    - Report status message 0x40000950 to MP
    - Failed to create certificate store from encoded certificate.. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance. The parameter is incorrect. (Error: 80070057; Source: Windows)
    - Status message has been successfully sent to MP from remote DP
    - Report status message 0x80000954 to MP
    - Failed to create certificate store from encoded certificate.. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance. The parameter is incorrect. (Error: 80070057; Source: Windows)
    - Status message has been successfully sent to MP from remote DP
    I tried to pretty up the above - not sure that I was successful.
    The site server is a Windows Server 2012 R2 Standard running SCCM 2012 R2.

  • IBCM SCCM 2012 R2: do we have to open port 8531 in the external firewall?

    Hi All
    For IBCM with SCCM 2012 R2, do we have to open port 8531 in the external firewall for our site system in the DMZ with the MP, SUP and DP roles?

    I agree, for IBCM you need SSL.
    But as far as I know your Update Point isn't forced to run on SSL (8531) unless you tick your Update Point with "Require SSL" within your Update Point configuration - which of course is the ideal configuration.
    And if that's the case it's running on 8530.
    That's true, but for IBCM, as Peter pointed out, HTTPS is required. Thus, if you don't configure your WSUS instance to run using SSL, I doubt that it will work, simply because the client agent will be "smart" enough to see that you don't have an SSL-capable WSUS instance and thus won't configure the WUA to use the non-SSL WSUS instance. I can't say I've tested this though, so it's possible that it works, but I doubt it.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Import certificate in to Firefox certificate store using SCCM 2012 R2

    Hello,
    I'm trying to figure out how to import a certificate in to the Firefox certificate store using SCCM 2012 R2 to push out to 8,000 computers. The only answer I have found was to import the certificate manually on my computer and copy the "cert8.db" file out of my "appdata\Roaming\Mozilla\Firefox\Profiles\******.default\" folder and use this file to copy to all profiles on each computer. I have not tried this since I believe this is not a standard practice. Is there a Firefox certificate scripting tool that I can use to accomplish this or a recommended way?
    Thanks,
    Matt

    Hi,
    It is listed here: http://technet.microsoft.com/en-us/library/gg712298.aspx
    There are a number of limitations to supporting workgroup computers:
    Workgroup clients cannot locate management points from Active Directory Domain Services, and instead must use DNS, WINS, or another management point.
    Global roaming is not supported, because clients cannot query Active Directory Domain Services for site information.
    Active Directory discovery methods cannot discover computers in workgroups.
    You cannot deploy software to users of workgroup computers.
    You cannot use the client push installation method to install the client on workgroup computers.
    Workgroup clients cannot use Kerberos for authentication and so might require manual approval.
    A workgroup client cannot be configured as a distribution point. System Center 2012 Configuration Manager requires that distribution point computers be members of a domain.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec
