DSC WebDownloadManagerGetActionFailed event id 4252
WebDownloadManagerGetActionFailed event id 4252
C:\ Update-DscConfiguration -CimSession ms2 -Wait -Verbose
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = PerformRequiredConfigurationChecks,'className' = MSFT_DSCLocalConfigurationM
anager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer MS2 with user sid S-1-5-21-3841426147-920288206-1542301449-500.
VERBOSE: [MS2]: [] Executing Get-Action with configuration 's checksum: 666345C3DEE430EF11DBE636BB2BDD373457A9783F8B73AD64FA7316742EC8E9.
VERBOSE: [MS2]: [] Executing Get-Action with configuration 's checksum failed. Please check the availability of pull server.
Failed to get the action from server https://pull.contoso.com:8080/PSDSCPullServer.svc/Action(ConfigurationId='03e16925-7517-4e20-a4f7-186691a1ddec')/GetAction.
+ CategoryInfo : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : WebDownloadManagerGetActionFailed,Microsoft.PowerShell.DesiredStateConfiguration.Commands.GetDscActionCommand
+ PSComputerName : ms2
This issue is related to the new xDSCWebService property UseSecurityBestPractices. If you set that to true it is is going to stamp some registry settings to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols which seem to cause this issue. To prevent the issue in the future, either set UseSecurityBestPractices to $false or if setting to $true also use:
DisableSecurityBestPractices = 'SecureTLSProtocols'
To fix your pull server go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols and delete all the keys with TLS (I haven’t narrowed it down yet to which one causes the problem). On a clean copy of the pull VM the only populated key under protocols is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client. After doing that restart your pull server and it should work with SSL again.