From my experience, I've seen this when the SCCM primary site server is on Server 2016 or Server 2019 and the new DP server is running 2019. If you, for example, install a new site server from an image that does not contain all the latest patches, you might run into this issue. To be fair, I've seen this on fully patched systems as well, but Microsoft's documentation states that a fully patched system should not see this. So there might be something else in play here.
Logs and error messages
On the SCCM server side of things you might see error messages like this in the status messages:
Distribution Manager failed to connect to the distribution point ["Display=\\CM05-DP.local\"]MSWNET:["SMS_SITE=PS1"]\\CM05-DP.local. Check your network and firewall settings.
And in distmgr.log on the primary site (Program Files\Configuration Manager\Logs) you will find error messages like this:
Failed to configure IIS virtual directories on the distribution point CM05-DP.LOCAL 9/30/2022 (0x0620)
Translated server name CM05-DP.local to local\CM05-DP.local. 9/30/2022
CWmi::Connect() failed to connect to \\CM05-DP.local\root\SCCMDP. Error = 0x800706BA
DPConnection::ConnectWMI() – Failed to connect to CM05-DP.LOCAL. 9/30/2022
Last year Microsoft introduced a Windows patch aimed at fixing a specific vulnerability related to DCOM and RPC. The vulnerability is described in CVE-2021-26414, and Microsoft's accompanying article is KB5004442.
One of the interesting parts of this patch is that it comes with a timeline of behavior changes. When first released, the hardening was disabled but could be enabled; one year later, in 2022, it became enabled by default with the option to disable it (this is where we are right now); and next year, in 2023, it will be enforced fully with no way to disable it.
| Update release | Behavior change |
|---|---|
| June 8, 2021 | Hardening changes disabled by default but with the ability to enable them using a registry key. |
| June 14, 2022 | Hardening changes enabled by default but with the ability to disable them using a registry key. |
| March 14, 2023 | Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment. |
Disabling RPC hardening with a registry setting
To disable the RPC hardening, we need to set a registry value on the distribution point that has the problem. Don't forget to reboot the machine once the value has been configured.
- Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
- Value Name: "RequireIntegrityActivationAuthenticationLevel"
- Type: dword
- Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to enabled.
Once the value is set and the machine has been rebooted, the installation of the distribution point role should continue and complete successfully. If it still fails, there is probably something else wrong.
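The check-and-set steps above, together with a query for the DCOM denial events that KB5004442 documents, as an added PowerShell example that is not from the original post. It assumes it is run in an elevated session on the affected DP; the function names are my own, and the event ID 10036 and provider name are taken from Microsoft's KB5004442, not from the post.

```powershell
# Added example, not from the original post: inspect and (explicitly) set the DCOM
# hardening override on a distribution point, then list DCOM activation denials.
# Run in an elevated PowerShell session on the DP (e.g. CM05-DP from the post).

$regPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # Returns 'Enabled' or 'Disabled'. A missing value means enabled
    # (the default since the June 14, 2022 update).
    $current = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $current -or $current.$valueName -ne 0) { 'Enabled' } else { 'Disabled' }
}

function Disable-DcomHardening {
    # Workaround only: this override stops working with the March 14, 2023 update,
    # so the underlying client-side (site server) patch level still has to be fixed.
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Warning "$valueName set to 0 on $env:COMPUTERNAME. Reboot before retrying the DP install."
}

function Get-DcomDeniedActivations {
    # Event ID 10036 (source Microsoft-Windows-DistributedCOM, System log) is written on
    # the DCOM server when an activation is refused by the hardened authentication
    # level policy, per KB5004442. Use it to confirm the hardening is what blocks distmgr.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

"Hardening state: $(Get-DcomHardeningState)"
Get-DcomDeniedActivations | Format-List

# Only apply the override when the denials above confirm the cause:
# Disable-DcomHardening
```

Uncomment the last line to apply the override; the state check afterwards should report Disabled, and the DP role install can be retried after the reboot.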
That's it for this time. Don't forget to follow me on Twitter @timmyitdotcom
Is there a “future-proof” solution that accommodates the “forced” hardening in 2023?