Upon reviewing CcmMessaging.log (C:\Windows\CCM\logs) on a client machine, the following error messages were noted:
Failed to decode message.
Hook authenticate. Error 0x87d00309
InvokeDecodingHooks failed (0x87d00309).
HandleRemoteSyncSend failed (0x87d00309).
CForwarder_Sync::Send failed (0x87d00309).
CForwarder_Base::Send failed (0x87d00309).
After combing through server logs, discovered an issue with Active Directory Publishing.
In Endpoint Configuration Manager console:
Administration - Hierarchy Configuration - Active Directory Forests
Publishing Status was blank
Right Clicked domain for domain properties
When domain properties displayed, clicked Publishing tab
Site was not checked under "Select the site that will be published"
Checked the checkbox by the site name
Clicked OK
Publishing status updated to display "Insufficient Access Rights"
MECM AD Forest publishing requires that the Management Points' computer accounts have full access to the System Management OU in AD.
Launched Active Directory Users and Computers
Clicked View and selected Advanced
Expanded domain
Expanded System
Right clicked System Management
Clicked Properties
Clicked Security tab
Noted only one MP listed with full access, but permissions were "This Object Only"
Changed permissions to "This object and all descendant objects" (as per https://docs.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/publish-site-data)
Added computer account for second MP, granted full access and set permissions to "This object and all descendant objects"
Clicked OK
Closed AD Users and Computers
Refreshed screen in MECM console for Administration - Overview - Hierarchy Configuration - Active Directory Forests
After a few minutes, publishing displayed "Succeeded"
After 30 minutes, devices began to show online in Assets and Compliance - Devices
After an hour, deployments began to show progress.
Tested imaging a workstation and it completed successfully.
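
The permission check done by hand in AD Users and Computers above can also be run as a read-only audit. This is an added example, not part of the original notes; the computer names MP01 and MP02 are placeholders, and it assumes the RSAT ActiveDirectory module is installed and that the management points are granted access directly rather than through a group.

```powershell
# Added example: read-only audit of the System Management ACL.
# Reports whether each management point computer account has Full Control
# applied to "This object and all descendant objects".
param(
    [string[]]$ManagementPoints = @('MP01', 'MP02')  # placeholder names (assumption)
)

Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$domainDn  = (Get-ADDomain).DistinguishedName
$container = "CN=System Management,CN=System,$domainDn"

# Ask for identities as SIDs so matching does not depend on name formatting.
$acl   = Get-Acl -Path "AD:\$container"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allScope    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

foreach ($name in $ManagementPoints) {
    $sid = (Get-ADComputer -Identity $name).SID.Value

    # Allow ACEs granted directly to this computer account.
    # Access granted through a group will not show up here.
    $aces = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and $_.AccessControlType -eq 'Allow'
    })

    # "This Object Only" appears as InheritanceType None; the required scope is All.
    $good = @($aces | Where-Object {
        (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl) -and
        ($_.InheritanceType -eq $allScope)
    })

    $status = if ($aces.Count -eq 0) {
        'No ACE for this account'
    } elseif ($good.Count -eq 0) {
        'ACE present, but not Full Control on this object and all descendant objects'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Computer = $name
        Scopes   = ($aces.InheritanceType | Sort-Object -Unique) -join ', '
        Status   = $status
    }
}
```

In the situation described above, the first management point would report a scope of None and the second would report no ACE at all.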