SOLVED SCCM CMG distribution failing out of the blue with error: 0x800704c8

[TheAzzy]

Hi fine community,

I'm struggeling for the past hours trying to find out why my CMG isn't receiving new packages.

Environment:
SCCM 2309 latest hotfix installed
Server 2019 across the board.

Analyzer no errors:

Secret key still valid
CMG Certificate got updated today just in case
Root cert still there
PkgXferMgr.log:


BranchCache service isn't running on the MP.

My search-fu on the internet came back pretty much empty.

Anyone else had this issue before or someone know how to fix this? Same packages distribute perfectly to other DP's.

 

[pingpongitore]

Removing that version of CrowdStrike worked for us almost instantly as well. Will need to discuss this with our security team to see what options we have to possibly go back to the prior version. Thanks

 

[miller_jam1982]

Removing that version of CrowdStrike worked for us almost instantly as well. Will need to discuss this with our security team to see what options we have to possibly go back to the prior version. Thanks

We have raised it with Crowdstrike, i'll let you know of any outcome.

 

[pingpongitore]

We have raised it with Crowdstrike, i'll let you know of any outcome.

Our security team is also going to raise a ticket with them. We also tried installing 7.13 and had the same issue. 7.11 worked for us as well.

 

[miller_jam1982]

Update: We have also seen this affect a couple of our task sequences when installing on a client.

 

[rbw1991]

Also had some endpoints failing to install packages, looks to be when using a task sequence it is removing exe files from C:\_SMSTaskSequence, remove Crowdstrike sensor and the task sequence installs fine now.

 

[Patrick.L]

I too am running in to the same issue and we have crowdstrike. Currently position 4 for their chat support. I will update once I get a ticket created.

 

[Patrick.L]

I can confirm that downgrading our sensor version fixes this issue and an issue with it hanging on a prereq check for the update. Our current sensor version now (that works) is 7.11.
Here is our CrowdStrike Ticket# . The easer we can show them its not isolated incidents, hopefully the faster they can resolve the issue.
Case: 01448376
Priority Level: P3 - Default

 

[bjackson]

Confirming the issue here as well. None of my updates deployments are working. Either scheduled or manual.
CrowdStrike Case # 01448460

We are requesting moving to P2 priority

 

[miller_jam1982]

Crowdstrike have acknowledged to our security team that they are receiving more calls about this and advised us to roll back the agent which we had done already.

 

[AS_B]

I have just deactivated the crowdstrike, now the pretest is running - I will try the installation on Friday...

actually seems to be a problem since version 7.12.18207.0...

OK, I'll report, but I think that's the solution

greetings andy

 

[AS_B]

we also created a ticket on crowdstrike

 

[TheAzzy]

We fixed the problem by adding the Microsoft usual AV exclusions.

So adding these folders for exclusion fixed it:

SCCMContentLib
SMSPKGD$
SMSSIG$
Microsoft Configuration Manager\Inboxes
Microsoft Configuration Manager\Logs


You can see that even on DP's you'd get a failed copy from SCCMContentLib to SMSPKGD$ .

That made me suspecious that it wasn't SCCM but something blocking the copy/write..

 

[AS_B]

We fixed the problem by adding the Microsoft usual AV exclusions.

So adding these folders for exclusion fixed it:

SCCMContentLib
SMSPKGD$
SMSSIG$
Microsoft Configuration Manager\Inboxes
Microsoft Configuration Manager\Logs


You can see that even on DP's you'd get a failed copy from SCCMContentLib to SMSPKGD$ .

That made me suspecious that it wasn't SCCM but something blocking the copy/write..

I'm surprised, since our CS team here doesn't need any exceptions, it does things differently )))))

You can see everyone cooking with the same water

 

[TheAzzy]

I'm surprised, since our CS team here doesn't need any exceptions, it does things differently )))))

You can see everyone cooking with the same water

We didn't need it in the past either until CS made changes with their sensor...

CS came back with adding the exceptions after us already doing that..

Files that got blocked were safe files in virus total..

Our CS security platform owner was very surprised and very annoyed that the console didn't report these issues. As he knows me and don't ask for crazy things, he followed my lead on testing monitoring mode etc to then notice it was CS.. If it would have been someone else, they would have been ignored because the console doesn't show any blocks being done.

Imagine the headache now.. The product you manage can now block things without notice and you'll just need to figure it out...

CS has been rock solid for years for us but this is pretty bad..

 

[TheAzzy]

Feel free to add SMS_DP$ folder as an exclusion too... CS looks inside the temp files and blocks the exe's for no reason...