January 4 2013

SCCM 2012 signature verification failure and Schannel errors



----------------------------------------------------------------------------
I use a maximum of one Google Ad per post to help offset some of my blog hosting costs.

----------------------------------------------------------------------------

I came across an interesting problem when working with a client on a SCCM 2012 implementation:

Problem

Clients in the secondary site boundary failed to request application installation in software center, and the locationservices.log shows errors about failure to verify signatures eg:

LocationServices::CCMVerifyServiceSignature: Signature verification of data failed after refreshing web service certificate.
LocationServices::VerifyDataSignature: Overall signature verification failed – 0x80004005; checking if status message should be sent.

Meanwhile, in the system event log on the secondary site servers we can find a lot of error events with ID 36888 and 36884, eg:

Event ID: 36884

Source: Schannel

Description: The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is <Name of the SQL cluster instance>. The SSL connection request has failed. The attached data contains the server certificate.

 

Environment

  • SCCM 2012 RTM is running (no service packs or hotfixes)
  • The primary site database server is on an SQL cluster instance
  • Secondary sites are using SQL express as the database and was installed by push installation from primary site
  • As per http://support.microsoft.com/kb/2688247 the SQL server 2008 R2 SP1 CU4 was applied on the secondary site servers with SQL Express, but it did not resolve the problem

 

Further info

  • We found the SQL server native client version on primary site is SQL server 2008 (without R2), however on the secondary site server is SQL server 2008 R2.
  • There is a Microsoft known issue when the SQL native client version is 2008 R2 and the primary site database is on a cluster, the access will fail.
  • By default during SCCM installation on the primary site server it installs the SQL native client, it’s SQL 2008 (without R2), however on secondary site servers it installed SQL server 2008 Express, and SQL Express would install the SQL server 2008 R2 native client.

 

Solution

  • Uninstall SQL server 2008 R2 native client on secondary site server
  • Restart secondary site server
  • Install SQL server 2008 native client on secondary site server
  • Restart all SCCM services on secondary site servers

 

As mentioned above, this is a known issue with SCCM 2012 and expected to be fixed by Microsoft with the release of Service Pack 1 for SCCM 2012.

 



----------------------------------------------------------------------------
I use a maximum of one Google Ad per post to help offset some of my blog hosting costs.

----------------------------------------------------------------------------

December 21 2012

SCCM 2012 client goes into Provisioning Mode

Problem Summary

SCCM 2012 client goes into provisioning mode after running the ‘Configuration Manager Health Evaluation’ scheduled task and it is deemed necessary to try and reinstall the client.
 
Problem Details

In SCCM 2012, after running the ‘Configuration Manager Health Evaluation’ scheduled task and trying to reinstall the client, the SCCM client enters provisioning mode – this means that the SCCM client stops functioning and the Configuration Manager Control Panel applet actions tab only shows the ‘Machine Policy Retrieval & Evaluation Cycle’ and the ‘User Policy Retrieval & Evaluation Cycle’ actions and nothing else. In addition, the registry values on the client shows:

HKLMSOFTWAREMicrosoftCCMCcmExecProvisioningMode = True
HKLMSOFTWAREMicrosoftCCMCcmExecSystemTaskExclude = SchedulerStartup;SchedulerShutdown;SchedulerLogon;SchedulerLogoff;ClientRegistrationStartup

On a healthy machine that has finished a task sequence, these registry values should be:

HKLMSOFTWAREMicrosoftCCMCcmExecProvisioningMode = False
HKLMSOFTWAREMicrosoftCCMCcmExecSystemTaskExclude = (no value, should be blank)

Even after fixing the registry value to look like a healthy machine, once the ‘Configuration Manager Health Evaluation’ scheduled task runs again, the client will once again be broken and the
registry values set back to provisioning mode.

Also, checking the Mobileclient.tcf file in the ccmsetup directory of a fully built machine shows SMSPROVISIONINGMODE=1 in the client install section – on a healthy client this should be
SMSPROVISIONINGMODE=0
 
Cause

The SMSPROVISIONINGMODE value in Mobileclient.tcf is incorrectly set to the value of 1 after the task sequence instead of 0.
According to Microsoft Premier Support, this is scheduled to be fixed in Service Pack 1 of SCCM 2012 that is due for release in early 2013.
 
Solution

Create a VB script to run at the end of the task sequence to remove the SMSPROVISIONINGMODE value from Mobileclient.tcf:

==================

Const ForReading = 1
Const ForWriting = 2

Set objFSO = CreateObject(“Scripting.FileSystemObject”)
Set objFile = objFSO.OpenTextFile(“C:windowsccmsetupMobileClient.TCF”, ForReading)

strText = objFile.ReadAll
objFile.Close
strNewText = Replace(strText, “SMSPROVISIONINGMODE=1 “, “”)

Set objFile = objFSO.OpenTextFile(“C:windowsccmsetupMobileClient.TCF”, ForWriting)
objFile.WriteLine strNewText
objFile.Close
 
Related information

 

December 18 2012

KB2506143 (WMF 3.0) breaks SCCM 2012

I’m currently working with a client that has installed Microsoft Update KB2506143 (Windows Management Framework 3.0) that was released by Microsoft on 12/12/2012 on their SCCM 2012 clients. Microsoft have confirmed that this KB has a known issue that breaks WMI and subsequently SCCM 2012 clients and management points.

I would suggest removing the update from SCCM until a fix is found.  See http://blog.danovich.com.au/2012/12/18/decline-exclude-an-update-in-sccm-2012/

Update 21.12.2012 – KB released http://support.microsoft.com/kb/2796086

December 18 2012

Decline / exclude an update in SCCM 2012

Recently I needed to decline an update in SCCM 2012 so it wouldn’t install or get approved again via an Automated Deployment Rule.

Remove / Decline Update

  1. Go to All Software Updates
  2. Find the Update you want to decline
  3. Highlight and right-click, then select Edit Membership
  4. Uptick all of the Software Update Groups and click OK

Stop automatic approval via Automated Deployment Rule

  1. Set the Custom Severity for the update you want to exclude to Low
  2. In the ADR(s),  add the Custom Severity field and set it to None. This will exclude any update(s) that are set to Low.

 

 

 

September 17 2012

VMWare ESX support for Windows Server 2012

I found it quite hard to find this information so I figured I would share it. I was looking for an official line from VMWare on the versions of ESX that would Windows Server 2012 as a guest operating system.

Directly quoted from http://blogs.vmware.com/guestosguide/2012/09/windows-server-2012.html :

The release of vSphere 5.1 introduces support for Windows Server 2012 on ESXi 5.1, with the following support considerations:

  • Installation instruction can be found here http://partnerweb.vmware.com/GOSIG/Windows_Server_2012.html
  • Snapshots, checkpoints and VMotion actions for virtual machines with Windows 8 or Windows Server 2012 are incompatible between hosts running ESXi 5.0 Update 1 or ESXi 5.0 P03 with host running later versions of ESXi ( ESXi 5.0 Update 2, ESXi 5.1, etc.). Please refer to KB-2033723 for more information.
  • The Guest OS Customization feature in vCenter does not support Windows 8 or Windows Server 2012 in vSphere 5.1.
  • vSphere client will use EFI BIOS for VMs configured for Windows 8 or Windows Server 2012 with hardware version 9, however, EFI BIOS is not compatible with the Fault Tolerance feature. Therefore to use Fault Tolerance feature, it is recommended to use Legacy BIOS instead of EFI BIOS.

For more information about software support, please check the VMware Compatibility Guide

Also from http://kb.vmware.com/selfservice/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=2006859&sliceId=2&docTypeID=DT_KB_1_1  I have extracted this one liner:

Windows 8 / Windows Server 2012 will not be supported on ESXi/ESX 4.0 or 4.1.

And finally, from http://partnerweb.vmware.com/comp_guide2/pdf/VMware_GOS_Compatibility_Guide.pdf (page 103) I read that supported releases are ESXi 5.1 or ESXi 5.0 U1.

More information:

Category: Windows | LEAVE A COMMENT