I recently worked on hardening an ConfigMgr Environment, using the CIS Windows Server 2016 Hardening Benchmarks. We’re a CIS member so I have access to the GPO template, so after reading through the benchmark document, I removed the few settings I knew I didn’t want.
After applying this policy to my site systems, clients were no longer showing activity in the console, and they’d lost their green check mark. I traced the path of a hardware inventory from one client, and it was able to successfully send the inventory to the management point, but it still wasn’t updating in the console. I cranked up logging on the management point, and looked in mpfdm.log. The log was full of errors like this:
**ERROR: Cannot connect to the inbox source, sleep 30 seconds and try again.
Occasionally I also had this error:
CFileDispMgr::GetStagingLocation(\) failed with 0X80070057
I found someone from 2011 with a similar problem as me, except they had hardened ConfigMgr 2007, not 2012/CB. Nevertheless, this gave me enough of an idea to find my problem.
Management points use the registry of the site server to determine where the inboxes are located, so the ConfigMgr installer adds SOFTWARE\Microsoft\SMS to Machine in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths.
CIS Benchmark 220.127.116.11 overwrites this setting, and removes SOFTWARE\Microsoft\SMS from the list of allowed paths. The management is unable to read the location of the inbox, and is unable to copy files from its outbox to the site server’s inbox.
The group policy that sets this is “Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths.” I added SOFTWARE\Microsoft\SMS to this setting in my hardening policy and refreshed policy on the site server, and immediately I saw two weeks of inventory and policy requests move from the management points to the site server, where they were properly processed.