You are browsing the archive for CM12 R2 SP1.

Enterprise Mobility : In the land of NDES – Where one eye is King and you need to watch your CRL Delta files

7:26 pm in 1702, certificates, CM12 R2 SP1, ConfigMgr 2012 R2 SP1, ConfigMgr CB, Configmgr Current Branch, CRL, EMS, Enterprise Mobility Suite, error 500, intune, Intune Standalone, ndes, NDES Connector, Windows Intune, Windws Intune by Kenny Buntinx [MVP]

I was doing a EMS POC and deployment of certificates on mobile devices was a requirement. So I needed to setup an NDES server with a separate Subordinate CA for MDM , NDES Server and SCCM Certificate Registration Point (CRP). Big deal I thought as I did it a already multiple times. At my customer we worked close with the server team and setup the infrastructure which was working fine at first sight.

After a reboot of the NDES server I was struggling to get the Network Device Enrollment Service (NDES) up and running again as it would throw me an error 500.

Image result for error 500 ndes

The event log of the NDES Server told me the following:

The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.

When the service starts, it searches for two certificates that are used by the service :

1. The service searches in the machine MY store AND

2. The certificate must have the following extensions AND

For the Key Exchange certificate:

– ExtendedKeyUsage: “Certificate Request Agent”

– KeyUsage: Encryption (0x20)

For the enrollment agent certificate:

– ExtendedKeyUsage: “Certificate Request Agent”

– KeyUsage: Signature (0x80) 

3. The certificate must not be archived AND

4. The computer must have the private key for the certificate AND

5. The certificate must be issued by the same CA that the service is configured for AND

6. The certificate must have a valid chain AND

7. If there is more than one certificate for either of the certificates that meets the previous criteria, the service will select the most recent one (the latest that was issued)

Troubleshooting certificate issues will require you to enable the CryptoAPI 2.0 Event Logging :

The CryptoAPI 2.0 Diagnostics is a feature available from Windows Server 2008 that supports the trouble shooting of issues concerned with:

– Certificate Chain Validation

– Certificate Store Operations

– Signature Verification

Enable CAPI2 logging by opening the Event Viewer and navigating to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2 directory and expand it.  You should see a view named Operational.Next, right-click on the Operational view and click the Enable Log menu item.

Searching the right information under the capi2 operational log :

image

I was quite sure, that I was able to download the CRL (Certificate Revocation List) and I double checked that by browsing to the URL ‘.crl”>http://pki.xxx.be/CertEnroll/<NameOfYourSubCA>.crl’ and I was able to download the file. When digging deeper in the eventID’s , I found at EventID 42 , the following URL ‘.crl”>http://pki.xxx.be/CertEnroll/<NameOfYourSubCA+>.crl’ was shown. This means it was looking for the  availability of the Delta CRL, which was visible on the web site of my CRL:

image

When I finally tried to download this CRL Delta file, it failed. I remembered myself, that IIS is treating the + sign very differently in URL’s.

I needed to set the setting “Allow double escaping” in the web.config file as shown below :

clip_image002

After enabling this, NDES was able to retrieve the Delta CRL file and start the service gracefully.

So if your NDES Server is throwing “The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.”, do not only check your certificates on the Server, check also your CRLs and Delta CRLs!

Hope it Helps,

Kenny Buntinx

MVP Enterprise Mobility

images7T7SFLEG

When deploying Windows Server 2012R2 using an Configmgr OSD Task Sequence, additional disks will be offline when the Task Sequence completes

12:25 pm in 2012R2, CM12, CM12 R2, CM12 R2 SP1, CM12 SP1, CM12 SP2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 R2 SP1, ConfigMgr 2012 SP1, OSD by Kenny Buntinx [MVP]

 

When using a Configuration Manager OSD Task Sequence to deploy Windows Server 2012 or Windows Server 2012 R2 to a server (VM) that contains disks that are not local (such as SAN Disk), when the Task Sequence completes, the additional disks may not come online and may show as offline. Specifically in the Disk Management, the additional disks will show offline with the message:

Disk is offline due to a policy set by an administrator

If you look at my VM, you will see I have 2 separate disks that I will need in a later phase to install the backup software to the D:\ partition, residing on the other vmdk.

clip_image002

To resolve the issue, for the WinPE phase, the steps from KB971436 need to be added to the Task Sequence. For deployments from Operating System Images, a registry key value will need to be updated with the correct SAN policy value as shown below:

Just after the step where you apply the image, create a “RunCommand line called :”load system hive” and execute :” reg load HKUtemp "%OSPART%\WindowsSystem32ConfigSystem"”

clip_image004

Just after the step where you apply the “RunCommand line called :”load system hive”, create a “RunCommand line called :”Change Default SAN policy” and execute :”reg add HKUtempControlSet001HKLMSystemCurrentControlSetServicespartmgrParameters /v SanPolicy /t REG_DWORD /d 1 /f”

clip_image006

Just after the step where you apply the “RunCommand line called :”Change Default SAN policy”, create a “RunCommand line called :”Unload system hive” and execute :”reg unload HKUTEMP”

clip_image008

Next phase is to make sure that no drives will remain offline and all drives will still have the right driveletters assigned . Run a command line with : diskpart /s diskpart.txt

clip_image010

The contents of the diskpart.txt can be determined by yourself . Here is an example

clip_image012

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

Configmgr 2012 : Broken Applications in your task sequences after an upgrade (error 615)

1:08 pm in 615, Application Model, applications, CM12, CM12 R2, CM12 R2 SP1, CM12 SP1, CM12 SP2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 R2 SP1, ConfigMgr 2012 SP1, ConfigMgr SP2, coretech, err, error 615, OSD, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SCCM 2012 SP1, troubleshooting, xmasblogroll by Kenny Buntinx [MVP]

 

Scenario: Upgrading a Configmgr 2012 RTM/SP1/R2 environment to a new R2 SP1 environment will end up into broken applications in your Task sequences with error 615 in the status messages.

Issue: After the upgrade was successfully performed , suddenly all applications within my OSD task sequence start failing with the following error code :

The task sequence failed to install application Intel Management Engine 6.0.40.1215(ScopeId_67A221E3-64F0-47D4-AA5A-BB3729EC221F/Application_2071f753-7604-42a5-b6be-b1b45c3c1f0a) for action (Install HW Driver Applications for HP8540P) in the group () with exit code 615. The operating system reported error 615: The password provided is too short to meet the policy of your user account. Please choose a longer password.

clip_image002

To be honest with my blog readers, this particular message can be caused by multiple reasons. I will list all possible solutions / workarounds that I have come across to solve this issue.

Cause 1 – Applications have no ContentID associated:

I blogged about this beginning of 2013 at http://scug.be/sccm/2013/01/08/configmgr-2012-sp1-broken-applications-after-upgrading-from-rtm/

After some checks, I saw that it concerned only applications and I discovered that had no ContentID associated to each Deployment Type. In other words, all the applications created and that are embedded in a TS with no direct deployments attached to the Application. It appears that the upgrade process broke all applications.

You can confirm this with the Application Catalog downloads as well. You will see “+++ Did not detect app deployment type”… in the AppDiscovery.log file. Additionally, the Software Center will show the error message “Failed”. Clicking on the details will result in “The software change returned error code 0x87D00607(-2016410105).”

We found as workaround, you have simply to add a comment to each DT and it will update the content ID. Nevertheless, the change means that a redistribution of your application on all your DP’s.

Following the steps as further discussed in this blog post at http://scug.be/sccm/2013/01/27/configmgr-2012-sp1-powershell-script-to-repair-broken-applications-after-upgrading-them-from-rtm/, the application will successfully install afterwards.

Cause 2 – Corrupt task sequence:

In some cases the policy that is related to the task sequence gets corrupt. This can be easily solved by creating a brand new task sequence and copying the steps from the older one side-by-side. Delete the old task sequence & create a new deployment for the just newly created task sequence.

Cause 3 – SMSMP parameter set incorrect:

I had also had problems after upgrading to SCCM R2 SP1. I was not able to install any applications as part of a task sequence as they all failed with error 615 or error 0x80004005. Installing applications outside of a Task sequence did work normally. The status message reported was exactly the same as described above "615 Password too short".

After investigating the client side log files it turned out, that the SCCM client was trying to download the application package using https first and after a few retry’s would switch to http only.

Because my DP is configured to accept http and https as like default behavior. I fixed the Problem by changing the value of the SMSMP parameter in the Task sequence step "Setup Windows and Configuration Manager" from

SMSMP=myserver.mydomain.local

to this:

SMSMP=http://myserver.mydomain.local

After this change, application installation worked as expected again.

clip_image004

Cause 4 – FIPS has been enabled :

Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. An example is Schannel, which is the system component that provides SSL and TLS to applications. When FIPS mode is enabled, Schannel disallows SSL 2.0 and 3.0, protocols that fall short of the FIPS standards. Applications such as web browsers that use Schannel then cannot connect to HTTPS web sites that don’t use at least TLS 1.0. (Note that the same results can be achieved without FIPS mode by configuring Schannel according to KB 245030 and this blog post.)

Enabling FIPS mode also causes the .NET Framework to disallow the use of non-validated algorithms.

Microsoft advises not to use FIPS anymore as shown in the screenshot below : http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx

clip_image006

In our case this solved the issue with the error 615. Probably it was a combination of things , but this is certainly something to disable and try.

Cause 5 – Use the latest CU2 on CM12 R2 SP1 :

Always make sure to use the latest CU’s as they include important fixes . You can download CU2 over here : https://support.microsoft.com/en-us/kb/3100144#/en-us/kb/3100144

The two most important fixes that may help to avoid error 615 in CU2 for R2 SP1 are :

– Applications will not install when you use them with a dynamic variable list in a task sequence if no SMB package share was defined for the content. This affects only installations that use a dynamic variable list. Other installation methods are unaffected.

No Http location found
Failed to download content for SMS package PRI00080, hr=0x80004005
Install Dynamic software action failed to resolve content for packageID: ‘PRI00080′, programID: ‘TestApp’. Error Code 0x80004005

– In a Configuration Manager environment in which multiple certificates are deployed to client computers, the client may select the wrong certificate for use in management point communication. This occurs when one certificate is based on a version 2 template and one is based on version 3. The client will select the certificate that has the longest validity period. This may be the version 3 certificate, and this certificate may not be currently supported by Configuration Manager. Errors that resemble the following are recorded in the ClientIDManagerStartup.log file.

[RegTask] – Executing registration task synchronously.
RegTask: Failed to create registration request body. Error: 0x80090014

 

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Mobility

HCIDKIDT ever since CM12 R2 SP1 : Software update groups additional data available in the console

6:09 pm in 2012R2, CM12 R2, CM12 R2 SP1, CM12 SP2, SCCM 2012 R2, SCCM 2012 R2 SP1, Software updates by Kenny Buntinx [MVP]

 

Hello Folks ,

I didn’t realize that one of my personal wishes has been granted in CM12R2 sp1. I always wanted a quick overview at my software group on how much updates it contained , how many expired and to how many collection I deployed it too …and now it is reality . Good work PG !

Non R2 SP1 :

image

With R2 SP1 :

image

 

Hope it Helps ,

Kenny Buntinx

Announcing the availability of System Center 2012 R2 Configuration Manager SP1 and System Center 2012 Configuration Manager SP2

4:11 pm in CM12, CM12 R2, CM12 R2 SP1, CM12 SP1, CM12 SP2, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1 by Kenny Buntinx [MVP]

 

Following the announcements made at the Microsoft Ignite conference last week, I am happy to let you know that System Center 2012 R2 Configuration Manager SP1 and System Center 2012 Configuration Manager SP2 are now generally available and can be downloaded on the Microsoft Evaluation Center. These service packs deliver full compatibility with existing features for Windows 10 deployment, upgrade, and management.

Also included in these service packs are new hybrid features for customers using System Center Configuration Manager integrated with Microsoft Intune to manage devices. Some of the hybrid features that you can expect to see are conditional access policy, mobile application management, and support for Apple Device Enrollment Program (DEP). You can view the full list of hybrid features included in these service packs here.

As a side note : To be absolutely sure that there will be no bear on the road during deployment for SP2 , please install CU5 http://blogs.technet.com/b/configmgrteam/archive/2015/05/06/now-available-cumulative-update-5-for-system-center-2012-r2-configuration-manager.aspx first before upgrading to SP2 as there is one issue fixed in CU5 that could affect R2 SP1 installation:

– if you have over 10,000 deployments for legacy software distribution packages the R2 SP1 upgrade could stall. Installing CU5 beforehand will prevent this. This does not make CU5 an official pre-req though, as the given scenario should be rare but it doesn’t hurt to install CU5 first on the site servers , before upgrading to CM12 R2 SP1 or CM12 SP2 , without upgrading you’re clients.

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management