IT Consultant Everyday Notes

Just some problems/solutions storage

Tag Archives: SCCM

SCCM: Third-party Updates download failed with: “Error: Failed to download content ID XXXXXXX. Error: The thread is not in background processing mode”

I rebuilt my SCCM 1811 TP Lab and decided to offload the WSUS content folder from my SCCM server. I put it on a file server where I have my SCCM Source folders. Microsoft Updates worked just fine, but when I tried to download an Adobe Update (using the new SCCM Third-party Update support) I got “Error: Failed to download content ID <ID of my update>. Error: The thread is not in background processing mode”.


I checked the Advanced settings of my WSUS App Pool and found the content share was registered incorrectly (“\\” was missing) and the content subfolders were not accessible.


So I fixed this issue first (added “\\” before the server name) and immediately could see the subfolders.


Unfortunately that was not enough to resolve the issue. Luckily I found an article on the Shavlik forum discussing a similar issue.

So, for my Adobe update package I switched the download settings from “Download Software Updates from Internet”


to “Download software updates from a location on my network”


This is weird – my old SCUP was working perfectly fine without that, but it looks like the SCCM feature works differently now. Anyway, as soon as I did that my Adobe update was downloaded successfully.


SCCM: Co-management setup with SCCM Client installation

I decided to set up a test lab for co-management. Here is what I have:

Azure AD tenant. In addition to the primary *.onmicrosoft.com domain I have multiple custom domains registered.

SCCM 1806 on-prem

I started by deploying CMG as demonstrated in Justin’s video: https://www.youtube.com/watch?v=kTOPhVHyZtE

The only difference – I did not use an internal domain name for CMG, just left it as myname.cloudapp.net. That allowed me to avoid the CNAME requirement.

After that I configured co-management as per https://www.youtube.com/watch?v=rTapalSHv6U

but unfortunately the SCCM client was not installed on my test machine joined to Azure AD.

I am using enhanced HTTP on the SCCM side; my internal MP operates in HTTP mode and there is no certificate installed on the Client. I tried to be as close as possible to a real BYOD scenario.

After some troubleshooting I posted the question to the TechNet forums: https://social.technet.microsoft.com/Forums/en-US/4a7bb933-0f6e-4588-a5a1-c3b71f38d090/sccm-1806-client-installation-from-cmgdp?forum=ConfigMgrMDM

Based on the forum discussion I replaced the Intune MSI-based SCCM Client deployment with a W32 App, which Microsoft currently has in preview. Just as Martin recommended: https://www.imab.dk/deploy-the-sccm-client-using-microsoft-intune-and-the-cloud-management-gateway-no-pki-certificates/

Nick provided great help with token troubleshooting. I found his article here: https://nhogarth.net/2018/10/26/sccm-1806-cmg-hybrid-azure-ad-failed-to-get-ccm-access-token/

And do not forget to approve the Client in the SCCM console (at least in my case it was a workgroup machine and auto-approval was not enabled on SCCM).

It took ~15 min after approval before the Client got policy from the SCCM MP.

In the end everything is working, but it took some time for research and troubleshooting…

SCCM: CMG Connector Analyzer fails

I installed Cloud Management Gateway in my SCCM environment and ran the CMG Connector Analyzer. It failed on the last test with:

Failed to get ConfigMgr token with Azure AD token. Status code is ‘403’ and status description is ‘CMGConnector_Un-authorizedrequest’.
A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘Un-authorizedrequest’.

It turned out the account I used for the test has MFA and it looks like the Analyzer cannot handle that. So I signed in with a regular non-MFA account and this time the Connector passed successfully.

SCCM: Windows 10 1803 lost Office 365 shortcuts in Start menu

A while ago I prepared a StartLayout.xml file to customize the Start Screen for one of my Customers.

He called me today saying everything worked fine for Windows 10 1703 and 1709, but as soon as he created an image for Windows 10 1803, the Office 365 application shortcuts disappeared (except OneNote).

Sure enough, Microsoft decided it is a good idea to change shortcut names for all apps except OneNote.

So whatever was “Word 2016.lnk” is “Word.lnk” now! Great idea.

So I needed to create another StartLayout.xml file for the 1803 image now, leaving OneNote with “2016”.

version for pre-Windows 10 1803:

<LayoutModificationTemplate
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Genaral">
          <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar" />
          <start:SecondaryTile AppUserModelID="Microsoft.WindowsAlarms_8wekyb3d8bbwe!App" TileID="LocalTime" DisplayName="" Size="4x2" Column="2" Row="0" Arguments="TIMEAPP_CITY_TILE_TYPE" Square150x150LogoUri="ms-appx:///Assets/WorldClockMedTile.png" Wide310x150LogoUri="ms-appx:///Assets/WorldClockWideTile.png" ShowNameOnSquare150x150Logo="true" ShowNameOnWide310x150Logo="true" BackgroundColor="#00000000" ForegroundText="light" />
        </start:Group>
        <start:Group Name="Office">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Skype for Business 2016.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk" />
        </start:Group>
        <start:Group Name="Revera Tools">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Cisco\Cisco AnyConnect Secure Mobility Client\Cisco AnyConnect Secure Mobility Client.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
        </start:Group>
        <start:Group Name="Browsers">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk"/>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"/>
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>

version for Windows 10 1803

<LayoutModificationTemplate
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Genaral">
          <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar" />
          <start:SecondaryTile AppUserModelID="Microsoft.WindowsAlarms_8wekyb3d8bbwe!App" TileID="LocalTime" DisplayName="" Size="4x2" Column="2" Row="0" Arguments="TIMEAPP_CITY_TILE_TYPE" Square150x150LogoUri="ms-appx:///Assets/WorldClockMedTile.png" Wide310x150LogoUri="ms-appx:///Assets/WorldClockWideTile.png" ShowNameOnSquare150x150Logo="true" ShowNameOnWide310x150Logo="true" BackgroundColor="#00000000" ForegroundText="light" />
        </start:Group>
        <start:Group Name="Office">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Word.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Outlook.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Skype for Business.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Excel.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk" />
        </start:Group>
        <start:Group Name="Revera Tools">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Cisco\Cisco AnyConnect Secure Mobility Client\Cisco AnyConnect Secure Mobility Client.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
        </start:Group>
        <start:Group Name="Browsers">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk"/>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"/>
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
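
A renamed shortcut makes its tile vanish silently, so it helps to test a layout file against a reference image before deploying it. The script below is an added example, not part of the original post: the function name `Test-StartLayoutLinks` is hypothetical and the embedded layout is a constructed sample cut down from the files above.

```powershell
# Added example: list every shortcut a Start layout references and report
# whether it exists on the machine where the check runs.
function Test-StartLayoutLinks {
    param(
        [Parameter(Mandatory)] [xml] $Layout   # layout XML (a string is converted)
    )
    # DesktopApplicationLinkPath is an unqualified attribute, so this XPath matches
    # start:DesktopApplicationTile and taskbar:DesktopApp without a namespace manager.
    foreach ($node in $Layout.SelectNodes('//*[@DesktopApplicationLinkPath]')) {
        $raw = $node.GetAttribute('DesktopApplicationLinkPath')
        # %ALLUSERSPROFILE% and %APPDATA% expand for the account running the check,
        # so per-user paths should be tested as a representative user.
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        [pscustomobject]@{
            Element  = $node.LocalName
            Shortcut = [System.IO.Path]::GetFileName($raw)
            Exists   = Test-Path -LiteralPath $expanded
            FullPath = $expanded
        }
    }
}

# Constructed sample: one pre-1803 name, one 1803 name, and OneNote (unchanged).
$sample = @'
<LayoutModificationTemplate
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    Version="1">
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Office">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Word.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
'@

$report = Test-StartLayoutLinks -Layout $sample
$report | Format-Table Element, Shortcut, Exists -AutoSize

# Flag the tiles that would be dropped on this build.
$missing = @($report | Where-Object { -not $_.Exists })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} shortcut(s) referenced by the layout do not exist: {1}" -f
        $missing.Count, ($missing.Shortcut -join ', '))
}

# Against a real file (path is an assumption):
# Test-StartLayoutLinks -Layout (Get-Content -LiteralPath .\StartLayout.xml -Raw)
```

A layout file that still contains typographic quotes fails the `[xml]` conversion outright, which is a useful check of its own.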

SCCM: Packages 00002 and 00003 are not distributed

SCCM 1702, fresh installation. DP is on a standalone server.

Error: When a DP is installed SCCM tries to distribute the SCCM Client content (package <SITE CODE>00002 and Client Upgrade package <SITE CODE>00003) to the DP automatically. It can fail in some cases.

Resolution:

Go to Monitoring-Distribution Status – Content Status

Select “Configuration Manager Client package”.

Click View Status and go to Error tab.

Right-Click the error and select “Redistribute”

Repeat for “Configuration Manager Client Upgrade Package”

SCCM: Backup SCCM using native SQL Backup

Native SQL backup has many advantages, compression for example. Kent Agerlund has a nice tutorial on how to automate the backup, including saving a zipped cd.latest folder, which is necessary for SCCM CB recovery if you made at least one in-console upgrade of your SCCM. The article is here. Unfortunately his PowerShell script does not clean up old cd.latest archives and that can be a problem taking into consideration their size. In one of the comments under the original post a modification was suggested, so the Copy cd.latest PowerShell script would look like:

powershell.exe -command "Get-ChildItem -Path 'U:\SQLBackup\*' -Include '*.zip' | Where-Object {$_.CreationTime -lt (Get-Date).AddDays(-7)} | Remove-Item; Add-Type -Assembly 'System.IO.Compression.FileSystem' -PassThru | Select -First 1 | ForEach-Object { [IO.Compression.ZIPFile]::CreateFromDirectory('e:\program files\microsoft configuration manager\cd.latest', 'U:\sqlBackup\cdlatest' + (Get-Date -format 'yyyyMMddHHmm') + '.zip') }"

(Of course, change the paths to your SCCM installation folder and your backup folders.)

With that script implemented only the last 7 cd.latest archives will be saved.

SCCM: In-console Update stuck in “Checking prerequisites”

I am installing quite a lot of SCCM environments these days and several times bumped into an issue where an in-console update from one version of SCCM to the next one got stuck on some step.

For “Downloading” Microsoft recommends restarting SMS_Executive, but for “Checking prerequisites” it was more difficult – the community recommended playing with SQL databases or starting the update from cd.latest.

None of those methods is supported by Microsoft though. (See more here: http://gerryhampsoncm.blogspot.ca/2016/04/configuration-manager-cb-upgrades-what.html)

With SCCM build 1706 Microsoft finally introduced the CMUpdateReset tool, which allows you to rectify a failed state of an in-console upgrade by deleting the failing package. Here is a link to the KB describing the process: https://docs.microsoft.com/en-us/sccm/core/servers/manage/update-reset-tool

SCCM: Side-by-side migration issue with client reassignment

I was busy with an SCCM migration recently. A Customer wanted a gradual side-by-side migration from an old SCCM 2012 R2 to a shiny SCCM CB.

The issue I faced was related to Client re-assignment from the old to the new SCCM site.

As recommended I tried Jason Sandys’ script to reinstall the old client and configure the new one for the new site.

The Client was successfully installed, but kept connecting to the old site.

I tried to re-register the site assignment in WMI as described at https://prajwaldesai.com/change-site-code-of-configuration-manager-client/ and restart the CCMEXEC service.

In the ClientLocation log I saw the new site was assigned and the MP found, but after that the site was immediately re-assigned to the old one and the Client tried to connect back to the old site.

I tried to completely uninstall the client, use push, etc., without success.

Finally I noticed:

LSRefreshSiteCode: Group Policy Updated the assigned site code <old site code>, which is different than the existing assigned site code <new site code >. Will attempt re-assignment.

I checked the GPOs and found a disabled GPO containing the SCCM ADMX template with a site assignment.

As a matter of fact, once applied, a GPO tattoos its settings in the registry and they remain there even if the GPO is not active anymore.

So I opened the GPO template (located in ConfigMgr installation folder\Tools\ConfigMgrADMTemplates) and found the registry key in question is “hklm\SOFTWARE\Microsoft\SMS\Mobile Client”. Originally I planned to change only the site code value there, but found Henrik’s article where he recommended removing all values from the key altogether.

Probably both approaches can work, so I created a simple cmd script and pushed it from SCCM:

REG delete "hklm\SOFTWARE\Microsoft\SMS\Mobile Client" /v GPRequestedSiteAssignmentCode /f
REG delete "hklm\SOFTWARE\Microsoft\SMS\Mobile Client" /v GPSiteAssignmentRetryDuration(Hour) /f
REG delete "hklm\SOFTWARE\Microsoft\SMS\Mobile Client" /v GPSiteAssignmentRetryInterval(Min) /f
cscript set-site-code.vbs

The first three commands clean the settings hardcoded by the GPO; the fourth one forces the SCCM site code using a VBS script from here.

After the script finished I restarted ccmexec and found the client registered in the new site successfully.

SCCM: Installation on hardened server

One of my Customers asked me to migrate an existing SCCM 2012 R2 to SCCM CB. They preferred side-by-side migration.

Everything looked good until I figured out the server they gave me for the new SCCM was hardened. I guess the security team did it for good, but as a result I had some fun with a trivial SCCM installation.

1. They used a third-party tool to remove TLS 1.0-1.1 and old SSL, leaving only TLS 1.2 available. 3DES was killed too.

As a result, when I ran prereqchk.exe /Local before SCCM installation I received errors about SQL indexing, collation page (which I knew I set correctly), sysadmin membership etc… SQL looked good, but in the prereqchk log I saw: “Failed to connect to the SQL Server, connection type: SMS Master”

and in the event log I observed: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

I removed fresh Machine keys from Programdata\microsoft\crypto\RSA – did not help.

I set “Use FIPS compliant algorithms for encryption”; after that the error in the event log changed, saying the TLS 1.0 protocol is being used (never knew it is FIPS compliant), but it is not configured.

So, at this point I ran IISCrypto and learnt the protocols are disabled.

As soon as I enabled the old obsolete TLS 1.0, prereqchk.exe passed smoothly and I started SCCM installation.

Microsoft says only SSL 3.0 should be disabled and clearly requires both TLS 1.1 and 1.2 enabled. But in my case I still needed TLS 1.0 enabled too. So it looks like a work in progress to me.

There is another article from Microsoft. It talks about TLS 1.2 configuration for SCCM CB 1610+. But it looks like it is about post-installation TLS 1.2 support and I had an issue during installation. In addition, I tried my best to understand what I should configure on Windows Server 2016 with .Net 4.7 and SQL 2016 SP1, and as far as I understood I should do nothing, it is supposed to just work. I would prefer Microsoft present the information in some kind of matrix for different .Net versions, OS versions and SQL…

2. Everything was fine until installer tried to setup a Management Point.

This time an error in ConfigMgrsetup.log said:

Unable to find an existing certificate in the store.  Creating a new self-signed certificate…    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to release a handle to a cryptographic key (0x80070057)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to release a handle to a CSP or key container (0x80070057)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to create the certificate (0x8009000f)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
ERROR: Failed to find or create SQL Server certificate.    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)

This time I spent more time troubleshooting and finally opened a case with Microsoft. The tech found the local Administrators group was kicked out from the permissions for Programdata\microsoft\crypto\RSA and Setup could not create a private key there. We granted Full Control to the local Administrators group, re-installed the MP and this time it was set up.

3. Set up, but not running properly – both standard tests (https://technet.microsoft.com/en-us/library/bb932118.aspx?f=255&MSPPError=-2147217396) from a web browser gave me Internal Server Error (HTTP Error 500.19).

Fortunately I found Heinrich’s article (http://heinrichandsccm.blogspot.ca/2013/05/http-error-50019-internal-server-error.html). I re-installed WSUS and the MP started to work. After that I ran wsusutil for postinstall configuration and it finished successfully.

And after all the changes above I succeeded in installing SCM 4.0 before it failed with a generic 1603 error.
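
Both causes found above, the protocols disabled in SCHANNEL (item 1) and the local Administrators group missing from the ACL on ProgramData\Microsoft\Crypto\RSA (item 2), can be checked before prereqchk.exe is run. The script below is an added example, not from the original post or from Microsoft: the function names are hypothetical, and it assumes the hardening tool wrote the standard SCHANNEL `Protocols` registry values.

```powershell
# Added example: pre-installation audit of a hardened server.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Reports what the registry says for each protocol and role.
    # A missing key or value means the operating system default applies.
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key   = Join-Path $SchannelBase "$proto\$role"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $state = if ($null -eq $props -or
                         ($null -eq $props.Enabled -and $null -eq $props.DisabledByDefault)) {
                         'OS default (not set)'
                     } elseif ($props.Enabled -eq 0) {
                         'Disabled'
                     } elseif ($props.DisabledByDefault -eq 1) {
                         'Disabled by default'
                     } else {
                         'Enabled'
                     }
            [pscustomobject]@{ Protocol = $proto; Role = $role; State = $state }
        }
    }
}

function Test-AdministratorsFullControl {
    # True when an Allow ACE grants FullControl to BUILTIN\Administrators.
    # The group is matched by its well-known SID so the check is locale independent.
    # Deny ACEs are not evaluated here.
    param(
        [string] $Path = (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA')
    )
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
                 $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq 'S-1-5-32-544' -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $full) -eq $full) {
            return $true
        }
    }
    return $false
}

Get-SchannelProtocolState | Format-Table -AutoSize

$rsaPath = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA'
if (-not (Test-AdministratorsFullControl -Path $rsaPath)) {
    Write-Warning "BUILTIN\Administrators has no FullControl Allow ACE on $rsaPath"
}
```

Run it from an elevated prompt; reading the ACL on the key store can fail for a non-administrator.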

SCCM: SCUP 2011 on Windows Server 2016

Found a nice post (http://www.slr-corp.fr/2017/02/tips-tricks-installing-system-center-updates-publisher-scup-2011-windows-server-2016/) describing how to install SCUP 2011 on Server 2016. Normally installation fails due to the WSUS version check, but if you change the WSUS version to 6.3.9600.1777 in the registry (HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup VersionString) for the time of SCUP installation you can apparently finish SCUP installation. Of course without any support from MS.

Or, as mentioned in the post comments, just run the SCUP .msi with the /qb switch.

Meanwhile people continue to vote for this feature for SCCM CB here: https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/8803711-3rd-party-patching-scup-integration-with-sccm-co