SMS_HIERARCHY_MANAGER Warning


Hi,

 

Unfortunately the SMS_HIERARCHY_MANAGER component on my site shows a warning. When I view the logs it gives me an error:


Messages from hman.log:

Failed 'C', 874, 0x8009310b

Failed to read certificate context from file 'readme.txt', 0x8009310b

Failed to process TPM certs cab, 0x8009310b

 

Although it says the possible cause may be a SQL problem, I am not sure, since nothing was changed on the database.

 

Does anyone have an idea how such behaviour is caused?

(Configuration Manager 2111)

 

Thank you

Did you review all the items listed within the error as possible causes?

@Garth Jones 

 

Thank you for your reply, I have checked all the suggestions according to the site database and have found no issues so far.

@mjgatt Did you manage to get to the bottom of this?

About the hman.log error "Failed to read certificate context from file 'readme.txt', 0x8009310b"
-> If you look inside the CAB file mentioned in the log (inboxes\hman.box\CFD\TrustedTpm.CAB) there actually is a readme.txt file included in the archive ("AMD\IntermediateCA\readme.txt"). I'm guessing that is not supposed to be there which is causing the error in hman.log.

I don't think the hman.log errors are related to SQL problems since I'm currently working with a ConfigMgr site (version 2111), have the same error in hman.log but the site is working fine without any SQL errors.

@henrip This happened immediately after the 2111 upgrade for me.

@MarkA-G 

Did you manage to find a solution to this issue?

Should I hold off from upgrading to 2111?

@tOADeater I've only updated my test environment, haven't noticed any impact yet. Our servers are VMs, so it might be related to outdated virtual TPM devices, if any, or we might find the impact later in task sequences related to TPM actions. I'll be doing some testing this week, but if it hasn't surfaced as an issue since its release in December then any impact is likely obscure. Also, if it's related specifically to AMD certificates, then we don't have many AMD devices in our SOE.

@MarkA-G 

Are you using BitLocker in your test environment?

And as it's an issue with a certificate within a CAB, does that mean the other certificates within the CAB will also not be loaded?

Yeah, for our endpoints, I don't think the servers have it. Yes, my impression is that none of the certificates in the cab are loaded/imported/processed. I've lodged a ticket with Microsoft, it's likely the CAB just needs to be regenerated without the readme, or the processing script modified to accommodate non cert files in the cab.

The TrustedTPM.cab can be installed manually (link below), but I'm not sure whether ConfigMgr does anything different in its processing of the cab file; it still keeps trying to process the CAB file as long as it's still in the ConfigMgr inbox, even after manual installation.

https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-i...
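To confirm the diagnosis above (a non-certificate file such as readme.txt inside TrustedTpm.CAB) and to do the manual import MarkA-G mentions, the following PowerShell script, which is an added example and not code from the thread or from Microsoft, expands the CAB that hman.box is trying to process, attempts to parse every member as an X.509 certificate, and lists the members that fail. Assumptions are labelled in the comments: the site install directory is read from the HKLM:\SOFTWARE\Microsoft\SMS\Identification registry key, the CAB keeps the <Vendor>\RootCA and <Vendor>\IntermediateCA layout seen in the log, and the local machine stores are named TrustedTpm_RootCA and TrustedTpm_IntermediateCA. Any script or text file shipped in the CAB will show up in the failure list, which is what you would expect hman.log to complain about. 0x8009310B is CRYPT_E_ASN1_BADTAG, the error CryptoAPI returns when asked to decode something that is not DER-encoded ASN.1.

```powershell
# Added example (not from the original thread): inspect the TrustedTpm.CAB in the
# hman inbox, report members that are not parseable X.509 certificates, and
# optionally import the valid ones into the machine TrustedTpm_* stores.
# Run elevated on the site server. PowerShell 5.1 or later.
param(
    [string]$CabPath,          # defaults to <site install dir>\inboxes\hman.box\CFD\TrustedTpm.CAB
    [switch]$Import,           # also import valid certs with certutil (needs admin)
    [switch]$KeepExtracted     # leave the expanded files in %TEMP% for inspection
)

if (-not $CabPath) {
    # Assumption: standard site server; setup records the install path here.
    $ident = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification' -ErrorAction Stop
    $CabPath = Join-Path $ident.'Installation Directory' 'inboxes\hman.box\CFD\TrustedTpm.CAB'
}
if (-not (Test-Path -LiteralPath $CabPath)) { throw "CAB not found: $CabPath" }

# Expand into a fresh temp folder using the built-in expand.exe (-F:* = all members).
$work = Join-Path $env:TEMP ("TrustedTpm_" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
& expand.exe -F:* $CabPath $work | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }

$valid   = New-Object System.Collections.Generic.List[object]
$invalid = New-Object System.Collections.Generic.List[object]

foreach ($f in Get-ChildItem -LiteralPath $work -Recurse -File) {
    $rel = $f.FullName.Substring($work.Length + 1)
    try {
        # Same parse hman must do: treat the file as a DER/PEM X.509 certificate.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $f.FullName
        $valid.Add([pscustomobject]@{
            File       = $rel
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        })
    } catch {
        # readme.txt (or any script in the cab) lands here: not ASN.1, so not a cert.
        $invalid.Add([pscustomobject]@{ File = $rel; Error = $_.Exception.Message })
    }
}

Write-Host ("{0} member(s) parsed as certificates, {1} did not:" -f $valid.Count, $invalid.Count)
$invalid | Format-Table -AutoSize

if ($Import) {
    foreach ($v in $valid) {
        # Assumption: store names match the folder names used in the cab layout.
        $store = switch -Regex ($v.File) {
            '\\RootCA\\'         { 'TrustedTpm_RootCA'; break }
            '\\IntermediateCA\\' { 'TrustedTpm_IntermediateCA'; break }
            default              { $null }
        }
        if (-not $store) { Write-Warning "Skipping $($v.File): not under RootCA or IntermediateCA"; continue }
        certutil.exe -addstore -f $store (Join-Path $work $v.File) | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "certutil failed ($LASTEXITCODE) for $($v.File)" }
    }
    Write-Host "Imported $($valid.Count) certificate(s) into LocalMachine TrustedTpm_* stores."
}

if (-not $KeepExtracted) { Remove-Item -LiteralPath $work -Recurse -Force }
else { Write-Host "Extracted files left in $work" }

# Return the parse results so the caller can filter or export them.
[pscustomobject]@{ Valid = $valid; Invalid = $invalid }
```

Run it once without switches to see which members fail to parse; if the only entries are readme.txt and similar non-certificate files, the hman.log errors are explained by the CAB contents rather than by the site database. As MarkA-G notes, importing manually does not stop hman from retrying the CAB while it remains in the inbox, so the import is a workaround for the stores, not for the log noise.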

Response from Microsoft Ticket

Here is our SCCM product team's explanation for this issue:
Looks like the cab file was updated with this "readme.txt" and somehow the code doesn't filter it out. Since 2111, we added hardware Windows AIK attestation into the client registration. This cab file is downloaded from Microsoft. It contains up-to-date OEMs' TPM cert chains so that we can verify if the device's AIK certificate. The purpose of that obviously is that we can have a higher level of client identification, and also later we can use it to integrate with Intune etc. But for now, no actual features are built on top of it yet, so customers can safely ignore it.

We have confirmation from the guy creating the code that we can ignore those messages, and once you upgrade the version to 2203, the error message will be gone.