IT Consultant Everyday Notes

Just some problems/solutions storage

Tag Archives: SCCM

SCCM: Installation on hardened server

One of my Customers asked me to migrate an existing SCCM 2012 R2 to SCCM CB. They preferred side-by-side migration.

Everything looked good until I figured out that the server they gave me for the new SCCM was hardened. I guess the security team did it for a good reason, but as a result I had some fun with an otherwise trivial SCCM installation.

1. They used a third-party tool to remove TLS 1.0-1.1 and old SSL, leaving only TLS 1.2 available. 3DES was killed too.

As a result, when I ran prereqchk.exe /Local before the SCCM installation I received errors about SQL indexing, the collation page (which I knew I had set correctly), sysadmin membership, etc… SQL looked good, but in the prereqchk log I saw:

“Failed to connect to the SQL Server, connection type: SMS Master”

and in the event log I observed: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

I removed the freshly created machine keys from Programdata\microsoft\crypto\RSA; that did not help.

I enabled the “Use FIPS compliant algorithms for encryption” policy; after that the error in the event log changed to say that the TLS 1.0 protocol is being used (I never knew it was FIPS compliant) but is not configured.

So, at this point I ran IISCrypto and learned that the protocols were disabled.

As soon as I enabled the old, obsolete TLS 1.0, prereqchk.exe passed smoothly and I started the SCCM installation.

Microsoft says only SSL 3.0 should be disabled and clearly requires both TLS 1.1 and 1.2 to be enabled. But in my case I still needed TLS 1.0 enabled too. So it looks like a work in progress to me.

There is another article from Microsoft. It talks about TLS 1.2 configuration for SCCM CB 1610+. But it looks like it covers post-installation TLS 1.2 support, whereas I had an issue during installation. In addition, I tried my best to understand what I should configure on Windows Server 2016 with .NET 4.7 and SQL 2016 SP1, and as far as I understood I should do nothing; it is supposed to just work. I would prefer that Microsoft present the information as some kind of matrix for the different .NET versions, OS versions and SQL versions…
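The registry switches behind the symptoms above can be read before running prereqchk.exe. The following is an added example, not code from the original post: a read-only pre-flight that lists the Schannel protocol state per protocol and side, the .NET strong-crypto and FIPS switches, and recent Schannel 36871 events (the “fatal error occurred while creating a TLS client credential” entry quoted above); the function names are mine.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# SCCM/SQL server before prereqchk.exe; it only reads the registry and event log.
function Get-SchannelProtocolState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$proto\$side"
            $enabled = $null; $byDefault = $null
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                $enabled   = $p.Enabled            # 0 = protocol switched off
                $byDefault = $p.DisabledByDefault  # 1 = off unless the application asks for it
            }
            $state = 'OS default'                  # no key present: the OS default applies
            if ($null -ne $enabled -or $null -ne $byDefault) { $state = 'Enabled' }
            if ($byDefault -eq 1) { $state = 'DisabledByDefault' }
            if ($enabled -eq 0)   { $state = 'Disabled' }
            [pscustomobject]@{ Protocol = $proto; Side = $side; State = $state }
        }
    }
}
function Get-TlsRelatedSwitches {
    # SchUseStrongCrypto = 1 makes .NET 4.x clients (the SQL connection included) offer TLS 1.2
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $v = if (Test-Path $k) { (Get-ItemProperty -Path $k).SchUseStrongCrypto } else { $null }
        [pscustomobject]@{ Setting = 'SchUseStrongCrypto'; Key = $k; Value = $v }
    }
    # The "Use FIPS compliant algorithms" policy mentioned above lands here (Enabled = 1)
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fips = (Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{ Setting = 'FipsAlgorithmPolicy'; Key = $fipsKey; Value = $fips }
}
function Get-SchannelCredentialErrors([int]$Last = 5) {
    # Event 36871 is the "fatal error occurred while creating a TLS client credential" entry
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871 } `
        -MaxEvents $Last -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}
Get-SchannelProtocolState    | Format-Table -AutoSize
Get-TlsRelatedSwitches       | Format-Table -AutoSize
Get-SchannelCredentialErrors | Format-List
```

A protocol showing Disabled on the Client side is what stops the installer's own SQL connection, even when the SQL Server side looks fine.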

2. Everything was fine until the installer tried to set up a Management Point.

This time an error in ConfigMgrsetup.log said:

Unable to find an existing certificate in the store.  Creating a new self-signed certificate…    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to release a handle to a cryptographic key (0x80070057)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to release a handle to a CSP or key container (0x80070057)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to create the certificate (0x8009000f)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
ERROR: Failed to find or create SQL Server certificate.    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)

This time I spent more time troubleshooting and finally opened a case with Microsoft. The tech found that the local Administrators group had been removed from the permissions on Programdata\microsoft\crypto\RSA, so Setup could not create a private key there. We granted Full Control to the local Administrators group, re-installed the MP, and this time it was set up.
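The permission problem found by the support case can be checked (and put back) without waiting for Setup to fail. This is an added example, not code from the original post; it assumes the default key store layout under %ProgramData%\Microsoft\Crypto\RSA and its MachineKeys subfolder, and the function name is mine.

```powershell
# Added example, not from the original post: does BUILTIN\Administrators still hold
# Full Control on the RSA machine key store that Setup writes the SQL certificate's
# private key into? With -Repair the missing Full Control ACE is added back.
function Test-MachineKeyStoreAcl {
    param([switch]$Repair)
    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $admins    = $adminsSid.Translate([System.Security.Principal.NTAccount]).Value  # BUILTIN\Administrators
    $full      = [System.Security.AccessControl.FileSystemRights]::FullControl
    $rsa       = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA'
    foreach ($dir in @($rsa, (Join-Path $rsa 'MachineKeys'))) {
        if (-not (Test-Path $dir)) { continue }
        $acl = Get-Acl -Path $dir
        $ace = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $admins -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
        $ok = [bool]$ace
        if (-not $ok -and $Repair) {
            # Full Control for Administrators, inherited by the key files below
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
                $adminsSid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
            $acl.AddAccessRule($rule)
            Set-Acl -Path $dir -AclObject $acl
            $ok = $true
        }
        [pscustomobject]@{ Path = $dir; AdministratorsFullControl = $ok }
    }
}
Test-MachineKeyStoreAcl | Format-Table -AutoSize   # add -Repair to grant Full Control back
```

Note that the check deliberately ignores Everyone's special permissions on MachineKeys; only the Administrators ACE matters for the "Failed to release a handle to a cryptographic key" symptom above.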

3. Set up, but not running properly: both standard tests (https://technet.microsoft.com/en-us/library/bb932118.aspx?f=255&MSPPError=-2147217396) from a web browser gave me Internal Server Error (HTTP Error 500.19).

Fortunately I found Heinrich’s article (http://heinrichandsccm.blogspot.ca/2013/05/http-error-50019-internal-server-error.html). I re-installed WSUS and the MP started to work. After that I ran wsusutil for the postinstall configuration and it finished successfully.

And after all the changes above I succeeded in installing SCM 4.0; before that it had failed with a generic 1603 error.


SCCM: SCUP 2011 on Windows Server 2016

I found a nice post (http://www.slr-corp.fr/2017/02/tips-tricks-installing-system-center-updates-publisher-scup-2011-windows-server-2016/) describing how to install SCUP 2011 on Server 2016. Normally the installation fails due to the WSUS version check, but if you change the WSUS version to 6.3.9600.1777 in the registry (the VersionString value under HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup) for the duration of the SCUP installation you can apparently finish it. Of course, without any support from MS.

Or, as mentioned in the post comments, just run the SCUP .msi with the /qb switch.

Meanwhile people continue to vote for this feature for SCCM CB here: https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/8803711-3rd-party-patching-scup-integration-with-sccm-co

SCCM: Task Sequence Import fails (System.NullReferenceException)

I am currently leading a Windows 10 migration project. We prepared Task Sequences in the Dev environment and the SCCM admin tried to export/import them from Dev to Prod. The export was successful, but the import miserably failed with

System.NullReferenceException

Object Reference not set to an instance of an object.

As usual, a very nice and descriptive SCCM error.

Fortunately Mike Terrill bumped into it before and wrote about it: https://miketerrill.net/2016/07/31/import-task-sequence-failure-cm-1606/

Note: when we tried to open the zip file containing the TS archive using the built-in Windows zip tool, it failed. We used 7-Zip, which opens/saves the archive successfully.

SCCM: SUP is not working due to WSUS crash

Interesting case: a WSUS built for the SCCM SUP crashed regularly. It started at once a month, then happened more and more often, and finally the WSUS application pool could not stay up for an hour. The recommended solution was to recycle the WSUS application pool, but that was not really a solution since it requires permanent monitoring.

It turned out to be a known issue for SCCM 2012 (it looks like SCCM CB is affected too), and Microsoft recommends enlarging the App Pool private memory limit to 4 GB (or in some cases to 8!). It sounds a bit crazy to me, but at least WSUS is up and running now.

More technical details are in the following article: https://blogs.technet.microsoft.com/configurationmgr/2015/03/23/configmgr-2012-support-tip-wsus-sync-fails-with-http-503-errors/
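The private memory limit is a recycling setting on the IIS application pool, stored in KB (0 means no limit). The following is an added example, not code from the original post or the article: it reads the current limit on the WsusPool pool and raises it to the value chosen; the pool name WsusPool is the WSUS default and the function name is mine.

```powershell
# Added example, not from the original post. Run elevated on the WSUS/SUP server.
Import-Module WebAdministration
function Set-WsusPoolPrivateMemoryGB {
    param(
        [ValidateRange(1, 64)][int]$GB = 4,   # 4 GB as recommended; 8 GB for the "some cases" above
        [string]$PoolName = 'WsusPool'
    )
    $pool = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $pool)) { throw "Application pool '$PoolName' not found" }
    $prop     = 'recycling.periodicRestart.privateMemory'   # limit in KB; 0 = unlimited
    $before   = (Get-ItemProperty -Path $pool -Name $prop).Value
    $targetKB = $GB * 1024 * 1024
    if ($before -ne $targetKB) {
        Set-ItemProperty -Path $pool -Name $prop -Value $targetKB
    }
    $after = (Get-ItemProperty -Path $pool -Name $prop).Value
    [pscustomobject]@{ Pool = $PoolName; BeforeKB = $before; AfterKB = $after; LimitGB = $GB }
}
Set-WsusPoolPrivateMemoryGB -GB 4
```

Running the function with a pool name that does not exist throws instead of silently creating nothing, which is the failure mode worth catching on a server where WSUS was re-installed under a different pool.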

SCCM: Clean encrypted drive before TS start

One of my Customers happens to have McAfee-encrypted drives on the laptops and desktops he plans to migrate to Windows 10. Unfortunately the McAfee version was not cooperative with SCCM, and he was OK with cleaning the drives.

To achieve that I added a file called diskpart.txt on my file server (where my Network Access Account has access).

The file contains two lines:

Select disk 0
Clean

After that I customized the boot image by adding a pre-start command and pointing the boot image to the shared folder containing my configuration file:

(screenshot: boot image properties, pre-start command pointing at the shared folder with diskpart.txt)

The script is invoked after you press ‘Next’ on the OSD logon dialog, but before you select any Task Sequence.

Did the trick for me.

SCCM: How to convert Package to Application using Package Conversion Manager (PCM) on SCCM CB

PCM does not support an SCCM Console newer than SCCM 2012 SP1. Jason Sandys published an article for SCCM R2. I used the same approach for SCCM CB (1607) and it seems to be working fine.


Step-by-step from Jason is here: http://blog.configmgrftw.com/package-conversion-manager-and-configmgr-r2-sp1-or-sp2/

SCCM: WSUS re-installation

I recently found a badly broken 2012 R2 WSUS in one of my Clients' environments. After some troubleshooting I decided to re-install WSUS to save time.

Here are several points to remember during re-installation.

1. Not everything will be uninstalled with WSUS:

– Windows Internal Database (should be unchecked in the Feature List during uninstallation, or uninstalled using these directions: https://technet.microsoft.com/en-us/library/dd939818(v=ws.10).aspx)

– The content of C:\Windows\WID should be cleared before the new install (otherwise you may get the error message “Synchronization in progress. Please cancel synchronization and rerun postinstall again.” after the new WSUS is installed)

– You may also decide to clean the \WSUS folder created for the old WSUS

2. If you use PowerShell for the WSUS installation and wsusutil is not able to configure the WSUSContent folder for you, you may get an error saying the content folder cannot be accessed. In this case you may decide to add the content folder location to the XML configuration script; the process is described here: https://gyorgybalassy.wordpress.com/2013/08/10/installing-wsus-on-windows-server-2012/

Unfortunately, in my case postinstall failed regardless, giving me a weird “System.InvalidOperationException — Client found response content type of ‘text/html; charset=utf-8’, but expected ‘text/xml’”. I tried to clear the MMC cache for WSUS and to uninstall WID and WSUS; nothing helped.

Finally I uninstalled WSUS, WID and IIS, cleaned the above-mentioned directories, rebooted the server and installed WSUS back (with HTTP Activation enabled under WCF for .NET 4.5, and the server patched with the latest WSUS updates). This time it started successfully.

SCCM: Windows 10 changes Default Application set for Adobe .pdf files

I am helping to create/deploy a Windows 10 image in one of my Customers' environments. There is a requirement to have Adobe Reader DC in the Gold Windows 10 image.

I am preparing the Gold Image with MDT 2013 Update 2 and deploying it with SCCM (build 1606).

One of the issues we faced is the file association for Adobe Reader .pdf files: even though the Adobe Reader setup was customized with the Customization Kit and Adobe Reader was set as the default application for PDF files, after imaging we observed Microsoft Edge setting itself as the default app for PDFs.

I googled the issue and found I am not alone… Unfortunately the most common advice is to start Reader and configure it as the default app in the GUI (for example, here is Adobe's guide: https://helpx.adobe.com/acrobat/kb/not-default-pdf-owner-windows10.html). That works fine, I guess, for a non-enterprise environment, but it is not suitable for my case. In addition, it sets the association for the current user only (http://www.winhelponline.com/blog/edge-hijack-pdf-htm-associations/).

The assoc command described here (https://support.microsoft.com/en-us/kb/184082) does not seem to work in Windows 10. I mean, even though assoc .pdf shows the correct association, Edge is still the default app.

I finally found a way to manipulate the association with the DISM command (https://technet.microsoft.com/en-us/library/hh824855.aspx).

So, here is the solution I am using:

1. On a reference machine with Adobe Reader installed (but not set as the default app for PDF), export the default application configuration to an .XML file using the dism command: “DISM.exe /Online /Export-DefaultAppAssociations >your.xml”

2. Open the XML file in Notepad and delete the unnecessary lines before the XML header.

3. Browse the XML to find the association for .pdf.

4. Here is the trick. You need the ApplicationID of Adobe Reader to be able to replace the ApplicationID of Edge you have in the XML. I right-clicked a PDF document and selected Open With. I saw that the preferred app is Edge, but Reader is right after it. So in the XML file I copied the first ID from the “OverwriteIfProgIdIs” parameter to the ProgId parameter. Hopefully the explanation is clear. Anyway, my line for the .pdf association looks like:

<Association Identifier=".pdf" ProgId="AppX86746z2101ayy2ygv3g96e4eqdf8r99j" ApplicationName="Adobe Reader" ApplyOnUpgrade="true" OverwriteIfProgIdIs="AppXk660crfh0gw7gd9swc1nws708mn7qjr1" />

After that I import the XML file back into Windows using:

Dism.exe /Online /Import-DefaultAppAssociations:your.xml

Please note that even this won’t change the association for the current user. But all new users will get it set properly.
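Steps 2 to 4 can be done by script so the same edit is reproducible on the next reference build. This is an added example, not code from the original post: it drops everything before the XML header in the raw export, rewrites the .pdf Association to the ProgId given, and saves a clean file for the import in step 5. The function name is mine, the sample export below is constructed, and its Edge ProgId is a placeholder; the Reader ProgId passed in is the one from the line above.

```powershell
# Added example, not from the original post.
function Set-PdfDefaultAssociation {
    param(
        [Parameter(Mandatory)][string]$RawPath,      # file produced by the DISM export
        [Parameter(Mandatory)][string]$OutPath,      # clean XML for /Import-DefaultAppAssociations
        [Parameter(Mandatory)][string]$ProgId,       # ProgId to set for .pdf
        [string]$ApplicationName = 'Adobe Reader'
    )
    $lines = @(Get-Content -Path $RawPath)
    $start = 0                                        # skip banner lines before the XML header
    while ($start -lt $lines.Count -and $lines[$start] -notlike '<?xml*') { $start++ }
    if ($start -ge $lines.Count) { throw "No XML header found in $RawPath" }
    [xml]$doc = ($lines[$start..($lines.Count - 1)] -join "`r`n")
    $pdf = @($doc.DefaultAssociations.Association) | Where-Object { $_.Identifier -eq '.pdf' }
    if (-not $pdf) { throw "No .pdf association found in $RawPath" }
    # SetAttribute works whether or not the attribute already exists on the element
    $pdf.SetAttribute('ProgId', $ProgId)
    $pdf.SetAttribute('ApplicationName', $ApplicationName)
    $pdf.SetAttribute('ApplyOnUpgrade', 'true')     # keep the mapping across feature upgrades
    $doc.Save($OutPath)
    return $pdf.OuterXml
}

# Constructed sample standing in for a real export (banner text + XML).
# PLACEHOLDER-EDGE-PROGID is not a real ProgId; your export shows the actual one.
$raw = Join-Path $env:TEMP 'assoc-raw.xml'
@'
Deployment Image Servicing and Management tool
Version: (placeholder)

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".pdf" ProgId="PLACEHOLDER-EDGE-PROGID" ApplicationName="Microsoft Edge" />
</DefaultAssociations>
'@ | Set-Content -Path $raw

$out = Join-Path $env:TEMP 'your.xml'
Set-PdfDefaultAssociation -RawPath $raw -OutPath $out -ProgId 'AppX86746z2101ayy2ygv3g96e4eqdf8r99j'
# Then: Dism.exe /Online /Import-DefaultAppAssociations:$out
```

Any other Association elements in the export are written back unchanged, so the file stays a complete default-association set rather than a single .pdf override.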

So I created an additional application in MDT to import the pre-created XML, inserted the Application Deployment step into my TS and re-generated the image. As soon as the image is deployed, all domain users should have Adobe Reader as the default app for PDFs.

Note: I guess I could use offline servicing to inject the XML into the image during image creation, and that would also fix the association for “Administrator”, but I think the online approach is easier and cleaner.


You can also try a per-user GPO as described here: https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/pdfviewer.html

SCCM: OSD to a KNOWN computer using media – There are no task sequences available for this computer.


At one of my Customer sites I migrated SCCM 2012 to SCCM CB and tried to deploy an OSD TS to a collection containing test machines. I added a test machine manually using its MAC address and added it to the collection where the TS was deployed.

As soon as I booted the machine using the generated SCCM boot media I got a message:

“There are no task sequences available for this computer.”

The SMSTS.log file showed the machine as “KNOWN”, but the TS was not available for it. ^%&^%%

Resolution: I removed the machine from the SCCM database and re-added it manually. I think the migrated record contained a GUID from the old SCCM and that was probably the issue. Not 100% sure, but it works now.

SCCM: SCCM needs update to use servicing feature for Windows 10 1607

Microsoft published a note: Update your ConfigMgr 1606 SUP servers to deploy the Windows 10 Anniversary Update.

It looks like the SCCM servicing feature won’t work with the KB and manual steps when you use it to upgrade to W10 1607 (Anniversary Edition and following builds).


Workaround: use OSD.