top of page
Forum Posts
MECM Techie
Jun 17, 2023
In MECM
When we are trying to create the CMG for VMSS in CloudMgr.log can see the below error.
ERROR: Resource Manager - Failed to finish deployment. Check [Monitor/Activity log] on Azure Portal for more information SMS_CLOUD_SERVICES_MANAGER 12/17/2022 2:41:11 AM 11316 (0x2C34)
Resource Manager - Getting deployment operation details for deployment CreateKeyVault cga3b4e4-af43-40ab-869c-e1d25f7cb862 in resource group ABC SMS_CLOUD_SERVICES_MANAGER 2/17/2022 2:41:11 AM 11316 (0x2C34)
Resource Manager - Got deployment operation details for deployment CreateKeyVaultcga3b4e4-af43-40ab-869c-e1d25f7cb862 in resource group ABC SMS_CLOUD_SERVICES_MANAGER 2/17/2022 2:41:11 AM 11316 (0x2C34)
ERROR: Resource Manager - Deployment operation details: {"value":[{"id":"/subscriptions/cga3b4e4-af43-40ab-869c-e1d25f7cb862 /resourceGroups/ABC/providers/Microsoft.Resources/deployments/CreateKeyVaultcga3b4e4-af43-40ab-869c-e1d25f7cb862 /operations/3A147DB86B09D513","operationId":"3A147DB86B09D513","properties":{"provisioningOperation":"Create","provisioningState":"Failed","timestamp":"2022-12-17T06:40:58.1327537Z","duration":"PT1.2442684S","trackingId":"16bc2fee-f88f-5d3c-7e96-345e3e942345","statusCode":"Conflict","statusMessage":{"error":{"code":"VaultAlreadyExists","message":"The vault name 'MECMTechie' is already in use. Vault names are globally unique so it is possible that the name is already taken. If you are sure that the vault name was not taken then it is possible that a vault with the same name was recently deleted but not purged after being placed in a recoverable state. If the vault is in a recoverable state then the vault will need to be purged before reusing the name. For more information about VaultAlreadyExists, soft delete and purging a vault follow this link https://go.microsoft.com/fwlink/?linkid=2147740."}},"targetResource":{"id":"/subscriptions/cga3b4e4-af43-40ab-869c-e1d25f7cb862/resourceGroups/ABC/providers/Microsoft.KeyVault/vaults/MECMTechie","resourceType":"Microsoft.KeyVault/vaults","resourceName":"MECMTechie"}}}]} SMS_CLOUD_SERVICES_MANAGER 12/17/2022 2:41:11 AM 11316 (0x2C34)
We are prompting the above error because there is another already Key Vault created and creating conflict.
Login to Azure Portal
Search with Key Vaults
Click on Managed Deleted Vaults
Select the subscription and delete the key.
Run the Synchronize configuration in SCCM.
0
0
2
MECM Techie
May 19, 2021
In MECM
If SMSExec process crashing and open event viewer and look for Event ID -1000. Faulting application name:- SMSexec.exe, version : 5.0.9040.1000 exception code - 0xc00000474 Faulting application path: C:\Configuration manager\bin\x64\smsexec.exe Faulting module path: C:\windows\system32\ntdll.dll To fix the above issue- Install IIS from server manager or Run the below command from Powershell. Install-WindowsFeature -name Web-Server -IncludeManagementTools If ADR runs SMSExec services crashes SMS_RULE_ENGINE Downloading content with ID 1420039 in the package, srctype = 1, proxy is enabled. SMS_RULE_ENGINE Bypass proxy server for local addresses during download is enabled. To fix above issue below sql queries 1) select SiteNumber, SiteCode from SC_SiteDefinition where SiteCode = 'site code of top-level site' --> Returns site number 2) select SysResUseID from SC_SysResUse_Property where name = 'UseProxyForADR' and SiteNumber = <sitenumber from query 1> --> Returns SysResUseId. 3) insert into SC_SysResUse_Property (SysResUseId, SiteNumber, Name, Value3) VALUES(<SysResUseId from query 2>,<SiteNumber from query1>,'BypassProxyForLocal',0) --> Disable the proxy. 4) Restart the SMSexec. services.
0
0
351
MECM Techie
May 19, 2021
In MECM
Below errors may be seen at a primary site server with the remote SQL when trying to run site reset and move DB to new server. These could be possibly seen during other standard setup or recovery ConfimgrSetup.log 04-13-2021 18:39:07.193 Configuration Manager Setup 5876 (0x16f4) *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.~~ 04-13-2021 18:39:07.193 Configuration Manager Setup 5476 (0x18f4) *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection 04-13-2021 18:39:07.193 Configuration Manager Setup 5476 (0x18f4) *** Failed to connect to the SQL Server, connection type: SMS ACCESS. 04-13-2021 18:39:07.193 Configuration Manager Setup 5476 (0x18f4) Failed to get sql connection 04-13-2021 18:39:07.193 Configuration Manager Setup 5476 (0x18f4) Failed to get site exchange certificate 87d20002 04-13-2021 18:39:07.193 Configuration Manager Setup 5476 (0x18f4) Failed to decrypt data using format 0. 04-13-2021 18:39:07.193 Configuration Manager Setup 5476 (0x18f4) ERROR: Failed to decrypt SQL Server machine serialized pfx certificate (LastError=0) 04-13-2021 18:39:07.193 Configuration Manager Setup 5476 (0x18f4) ERROR: Failed to create SQL Always On certificate. To fix the above issue import all DB certificate to trusted root certificate of primary site server -Run site reset again. Exporting the SQL certificate from SQL server Launch SQL Server configuration manager. Expand the SQL Server configuration manager node and from here open the properties for the SQL instance we are targeting. On the protocols for the Server name dialog, select the certificate tab to reveal the certificates which SQL is utilizing and able to see certificates. Need to manually import and export into MECM server . .On the Welcome page of the wizard which appears, click Next .On the Export Private Key page, select to export the Private Key, click Next .On the Export File Format page, then click Next .Select Personal Information Exchange, .Select Include All Certificates in the chain .Select Export all Extended properties .On the Password page, set a simple password to protect this file – for example “SQL Cert” .On the File to Export Page, provide a path and name – for example “c:SQLcert.pfx” .On the completion page click Finish. Import the SQL Certificate to our SCCM Server Back on the SCCM Server, we now will open the Computers Certificates store and import this certificate into the trusted roots. •Launch MMC and add the Certificates Snap In, select the focus as Local Computer •Navigate to the Trusted Root Certificate Authorities, Certificates store •Right click, and select All Tasks, Import… •The Import page of the wizard will appear with its normal welcome, click Next •On the file to import page, click Browse •Set the File type to PFX •Navigate to the server location you saved the export a moment ago – for example \SQLCert.pfx •Click Ok to select the certificate •On the password page, enter the password you used for the export, and click Next •On the Certificate Store, the currently selected store will be offered, which should be “Trusted Root Certificate Authorities” •Click Next to complete and finish out the wizard
0
0
831
MECM Techie
May 15, 2021
In MECM
On the primary site server if we are trying to install SQL on the primary site server and prompt out below error in ConfigmgrSetup.log 05-13-2021 10:09:42.118 Configuration Manager Setup 11432 (0x2d0c) ~FQDN for server test1 is test1.mecmtechie.com 05-13-2021 10:09:42.134 Configuration Manager Setup 11432 (0x2d0c) Cannot write CertBootStrap\SMS_SQL_SERVER\ registry key on server test1. The operating system reported error 4. 05-13-2021 10:09:42.134 Configuration Manager Setup 11432 (0x2d0c) SetCertRegistryRemote failed with error 0x80004005 05-13-2021 10:09:42.134 Configuration Manager Setup 11432 (0x2d0c) ERROR: Failed to write certificate configuration to registry on server test1 05-13-2021 10:09:42.134 Configuration Manager Setup 11432 (0x2d0c) ERROR: Failed to create SQL Server [test1.mecmtechie.com] certificate remotely. 05-13-2021 10:09:42.134 Configuration Manager Setup 11432 (0x2d0c) ERROR: Failed to create SQL Always On certificate. 05-13-2021 10:09:42.134 Configuration Manager Setup 11432 (0x2d0c) ~~===================== Failed Configuration Manager Server Setup - Modify Site Settings ==== To resolve above issue follow below steps: Local Administrator rights on the SQL Server Sysadmin role in SQL Security Key does not exist in the registry path Hkey_Local_machine\Software\Microsoft\SMS.
0
0
133
MECM Techie
May 12, 2021
In MECM
In this post we will see unable to run SSRS reports from other domain users and gives an error The Default Value expression for the report parameter ‘UserTokenSIDs’ contains an error: The user name or password is incorrect. (rsRuntimeErrorInExpression)" Below are details steps to fix the issue. Role Based Administration in MECM Current Branch, MECM will switch a flag in the registry. The registry key is HKLM\Software\Microsoft\SMS\SRSRP, value name is "EnableRbacReporting" set value to 0, No user from trusted domains can run the reports. We have to set the value back to 0 and restart the report server for it to work again. But after sometime, SCCM set the value back to 1 and we are lost again. We can change the value in WMI on the server where SSRS is installed. a. Open "WBEMTEST" with admin rights b. Click on Connect and type root\sms\site_code c. Select the Query section and paste below query and click on Apply Query:- Select * from sms_sci_sysresuse where itemname like '%reporting%' D. Check the populated window and cross verify it's the reporting point and double click on Query E. In populated window and Select "Props" F. Select "View Embedded" G. Window populated with the number of properties and find the property name with "EnableRbac Reporting" H. Change the value from 1 to 0 and Value 2 from 1 to 0 Final verify the value in registry.
0
0
901
MECM Techie
May 03, 2021
In MECM
SQL Installation failed with the error code 0x84B10001. Solution:- Add the account we were using to install SQL Server was part of the local "Administrators" group.
0
0
36
MECM Techie
Apr 17, 2021
In MECM
As part of installation process, it ask for prerequisite downloads folder and for it ,I can either choose Download Required files (it will download from internet ) or Use previously downloaded files (download the files on any machine that has internet access and copy the files to your SCCM server). I choose download required files from internet as my server is has internet access. In log Configmgrsetup.log INFO: Downloading http://go.microsoft.com/fwlink/?LinkID=2057042 as Client_SVE.cab Configuration Manager Setup 17-04-2021 19:40:56 5392 (0x1510) INFO: checking if there's an explicit proxy server. Configuration Manager Setup 17-04-2021 19:40:56 5392 (0x1510) INFO: WinHttpQueryHeaders() in Download() returned OK (200) Configuration Manager Setup 17-04-2021 19:40:59 5392 (0x1510) ERROR: WinHttpQueryHeaders -2 failed 80072f76 Configuration Manager Setup 17-04-2021 19:40:59 5392 (0x1510) ERROR: Download() failed with 0x80072F76 Configuration Manager Setup 17-04-2021 19:40:59 5392 (0x1510) In order to fix this ,we have to do some custom changes to Internet explorer settings to enable download file. Open IE settings --> Security Tab --> Internet --> Goto Custom level --> Downloads --> file download --> select enable
0
0
159
MECM Techie
Apr 15, 2021
In MECM
When running SCCM reports that depend on Role Based Access Control (RBAC), SQL Server Reporting Services (SSRS) will attempt to communicate with Active Directory via Kerberos authentication. It fail to run the reports with below error. As configured setting has effect of limiting the encryption types allowed for Kerberos authentication from the reporting point server to only AES128, AES256, and Future encryption types. The service account used by the SQL Reporting Services service was not properly configured to support these algorithms. Instead, SSRS was attempting to authenticate using the RC4 encryption type, which is no longer allowed on the server, resulting in the KDC error. 1. Steps to enable AES encryption
Open Active Directory Users and Computers Browse to the user account used by SQL Reporting Services on the affected server Right-click the user account and select Properties Click on the Account tab Under Account options , check the box next to one or both of the following: This account supports Kerberos AES 128 bit encryption This account supports Kerberos AES 256 bit encryption f. Click OK 2. Steps to configure the policy setting Network security a. On the affected server, open an elevated command prompt b. Type SECPOL and hit Enter c. In the Local Security Policy management console, expand Local Policies and click on Security Options d. Scroll down in the left-hand pane until you find the setting Network security: Configure encryption types allowed for Kerberos e. Right-click this setting and select Properties f. In the Local Security Settings tab, check the box next to RC4_HMAC_MD5 , AES128_HMAC_SHA1 , AES256_HMAC_SHA1 , and Future encryption types g. Click OK Try to reset the Service account/Domain account password to apply new algorithm policies
0
0
223
MECM Techie
Apr 09, 2021
In MECM
03-09-2021 09:47:25.497 WUAHandler 12204 (0x2fac) OnSearchComplete - Failed to end search job. Error = 0x800b0109. 03-09-2021 09:47:25.497 WUAHandler 12204 (0x2fac) Scan failed with error = 0x800b0109. when we decode the error state it as:- A certificate chain processed but terminated in a root certificate which is not trusted by the trust provider. Solution:- We need to import the Intermediate certificate into Trusted Root Certification Authorities (Certlm.msc ---> Trusted Root Certification Authorities --> Certificate) Run the action from the configuration manager applet & check the WUA handler.log and scan will be completed successfully.
0
0
548
MECM Techie
Apr 09, 2021
In MECM
For any windows updates issue we need to check the windowsupdate.log can give us more information and can easily isolate the issue. Here is some log entries for reference. 03-09-2021 09:47:25.497 WUAHandler 12204 (0x2fac) OnSearchComplete - Failed to end search job. Error = 0x80244010. 03-09-2021 09:47:25.497 WUAHandler 12204 (0x2fac) Scan failed with error = 0x80244010. windows update.log :- 03-11-2021 10:23:45.278 WebServices 9088 (0x2380) WS error: The body of the received message contained a fault. 03-11-2021 10:23:45.278 WebServices 9088 (0x2380) WS error: Fault occurred 03-11-2021 10:23:45.278 WebServices 9088 (0x2380) WS Error code: Client 03-11-2021 10:23:45.278 WebServices 9088 (0x2380) WS error: <detail><ErrorCode>InvalidParameters</ErrorCode><Message>parameters.OtherCachedUpdateIDs</Message><ID>9f8065b4-e326-59b2-88f9-218e88fbcfef</ID><Method>http://www.microsoft.com/.../ClientWebService/SyncUpdates"</Method></detail>" 03-11-2021 10:23:45.278 ProtocolTalker 9088 (0x2380) *FAILED* [80244007] SyncUpdates_WithRecovery failed 03-11-2021 10:23:45.279 IdleTimer 9088 (0x2380) WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 172) stopped; does use network; is at background priority 03-11-2021 10:23:45.279 ProtocolTalker 9088 (0x2380) SyncUpdates round trips: 1 03-11-2021 10:23:45.279 ProtocolTalker 9088 (0x2380) *FAILED* [80244007] Sync of Updates 03-11-2021 10:23:45.279 ProtocolTalker 9088 (0x2380) *FAILED* [80244007] SyncServerUpdatesInternal failed 03-11-2021 10:23:45.281 Agent 9088 (0x2380) *FAILED* [80244007] Synchronize Resolution:- As we have look at windowupdate.log can see it's failing with othercacheUpdateIDs we need to increase the count in below path. %programfiles%\UpdateServices\WebServices\ClientWebService look For CacheUPdateId update value from 44000 to 88000 Restart IIS Services and run the scan will run successfully.
0
0
978
MECM Techie
Apr 09, 2021
In MECM
client ID manager startup.log can see below error 03-26-2021 18:53:41.885 ClientIDManagerStartup 7036 (0x1b7c) [RegTask] - Client is not registered. Sending registration request for 63e89b2f-1ebd-4f79-ab9d-d31d1c85529b7 ... 03-26-2021 18:53:45.682 ClientIDManagerStartup 7036 (0x1b7c) [RegTask] - Server rejected registration request: 3 At the same time if we look at MP_registration manager.log 03-26-2021 18:54:3.532 MP_RegistrationManager 27315(0x5AC4) Rejecting the registration request because Agent Type is CD and registration hint is supplied. SCCM setup to use HTTPS/PKI. If we open the Control Panel Applet (Configuration Manager) I can see Client certificate: None Here is the solution when we searched for the device in SCCM --> Devices and went to properties, it was showing its old unique Identifier but in Configuration Manager applet will show another unique identifier. Delete the device from SCCM, then re-discover it from the AD system discovery agent. Then clients will get registered and will show a unique Identifier on both the SCCM server and a client machine.
0
0
2k
MECM Techie
Apr 09, 2021
In MECM
After running the below query in dmpdownloader.log we can see .CAB files are extracting. Run the below query in DB. EXEC spAddPackageToDownload 'XXXXXXXX' - replace XXXX with Package guid from Console
0
0
29
MECM Techie
Apr 09, 2021
In MECM
After adding the below registry you can successfully import the updates. Add below registry path - reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1
0
0
58
MECM Techie
Admin
More actions
bottom of page