On a normal management point it is pretty straightforward to test whether the management point is working by browsing to these addresses:
http://<mp_server_name>/sms_mp/.sms_aut?mplist
http://<mp_server_name>/sms_mp/.sms_aut?mpcert
But if you try to do that on an HTTPS-enabled management point as a normal user, you will get an access denied error. This is because the CM client uses a computer certificate to communicate with the management point, but when you are browsing with your favorite browser as a normal user you don’t have access to this certificate.
But using PowerShell as an admin and running the command Invoke-WebRequest we can specify a certificate to use.
Running the following PowerShell cmd will list all certificates in the computer “personal store”:
Get-ChildItem -Path "cert:\LocalMachine\My"
The certificate you need to find should be a certificate used for Client Auth and issued from the template you specified when setting up your CM in HTTPS mode. Once you have the correct cert you can run the following commands:
$cert = Get-ChildItem -Path "cert:\LocalMachine\My\<ThumbprintOfCert>"
Invoke-WebRequest -Uri "https://<mp_server_name>/sms_mp/.sms_aut?mplist" -Certificate $cert
One thing I noticed is that if you try to run these commands from a client that allows TLS 1.0 or TLS 1.1 against an MP that is running on Windows Server 2019, it will fail. This is because WS 2019 only accepts TLS 1.2 traffic. To force PowerShell and Invoke-WebRequest to use TLS 1.2, the following line must be specified before you run the above commands:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
This is only valid for the current PowerShell session and must be specified every time you start a new session.
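The steps above combined into one function, as an added example (it is not the author's Test-CMMPUrl.ps1 script): it narrows the computer personal store to currently valid certificates that have a private key and the Client Authentication EKU, forces TLS 1.2, and requests both test URLs. The function name Test-MpClientCert and its parameters are hypothetical, and it assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example; Test-MpClientCert and its parameters are hypothetical names.
# Assumes an elevated Windows PowerShell 5.1 session on a ConfigMgr client.
function Test-MpClientCert {
    param(
        [Parameter(Mandatory)] [string] $MpServer,   # management point FQDN
        [string] $Thumbprint                          # optional: pin one certificate
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'              # Client Authentication EKU

    # Applies to the current session only, as noted in the post.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Usable candidates: private key present, inside validity period, client-auth EKU.
    $now = Get-Date
    $candidates = @(Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    })
    if ($Thumbprint) {
        $candidates = @($candidates | Where-Object { $_.Thumbprint -eq $Thumbprint })
    }
    if ($candidates.Count -ne 1) {
        # Several matches are common (for example on co-managed devices): show them
        # and let the operator pick the one issued from the ConfigMgr client template.
        $candidates | Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize | Out-Host
        throw "Found $($candidates.Count) usable client-auth certificates; pass -Thumbprint."
    }
    $cert = $candidates[0]

    foreach ($query in 'mplist', 'mpcert') {
        $uri = "https://$MpServer/sms_mp/.sms_aut?$query"
        try {
            $r = Invoke-WebRequest -Uri $uri -Certificate $cert -UseBasicParsing
            [pscustomobject]@{ Uri = $uri; Status = [int]$r.StatusCode; Ok = $true; Error = $null }
        } catch {
            # HTTP errors carry a response; TLS or name-resolution failures do not.
            $resp = $_.Exception.Response
            $status = if ($resp) { [int]$resp.StatusCode } else { $null }
            [pscustomobject]@{ Uri = $uri; Status = $status; Ok = $false; Error = $_.Exception.Message }
        }
    }
}

# Usage (placeholder server name, as in the post):
# Test-MpClientCert -MpServer '<mp_server_name>'
```

A null Status with an error message points at the TLS handshake or name resolution rather than the management point itself.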
I have also created a script that can be found here:
https://github.com/matbe/PowerShell/blob/master/ConfigMgr/Test-CMMPUrl.ps1
The script only outputs True or False in the default setting. If you want more detailed information, specify the -Detail switch and it will output something like this:

It is based on a script created by Jeff Hicks (https://www.petri.com/testing-uris-urls-powershell) so shout out to him.
If you have any feedback let me know on https://twitter.com/matbg
-Matt
If I run this in Posh 7 it fails and if I run it in VScode with Posh 5 or 7 it returns a 404 but if I run it with the Windows native Posh 5 it runs a 202 (True).
Hey Joe, I have only tested with Windows Native Posh so do not know about Posh 7 or why it does not work in VS Code, if you figure it out please let me know and I will update the post.
Wow. That was a life saver. Trying to find out whether I had a MP issue after migrating 2500 clients. Using the Invoke-WebRequest/cert command let me verify what I needed to know. Thanks.
Thanks! Happy it helped someone!
Thanks for the script, it'll come in handy. I had to modify it slightly as the URI was having HTTPS or HTTP appended twice (see below)
$thumbprint = Get-ChildItem -Path "cert:\LocalMachine\My\"
Test-CMMPURL -FQDN "cm01.corp.viamonstra.com" -https -detail -Thumbprint $thumbprint -verbose
ResponseUri : httpshttps://cm01.corp.viamonstra.com/sms_mp/.sms_aut?mpcert
ContentLength : 0
ContentType :
LastModified : 01/01/0001 00:00:00
Status : 404
ResponseUri : httpshttps://cm01.corp.viamonstra.com/sms_mp/.sms_aut?mplist
ContentLength : 0
ContentType :
LastModified : 01/01/0001 00:00:00
Status : 404
I removed lines 85 to 90 to fix this. I also found $thumbprint = Get-ChildItem -Path "cert:\LocalMachine\My\" didn't work for me because my device was co-managed and had other certificates in…
Thanks for reporting, the URL issue was already fixed but somehow I managed to upload an old version without noticing.
The Get-ChildItem -Path "cert:\LocalMachine\My\" command was just an example, the correct thumbprint for your specific environment must be submitted as input to the script.