[SCCM 2012] Task Sequence Hangs on Install Package During OSD (part 2)

So, in my previous post on the issue, I described a complicated series of hotfixes and WMI rebuild scripts which fix this serious issue. After a whole lot of trial and error, I recently found an easier workaround.

The Problem

Task sequences hang indefinitely on the ‘Install Package’ task sequence action.

The Solution

  1. In the ‘Apply Network Settings’ action, join a workgroup instead of a domain.
  2. Add a ‘Join Domain’ action later in the task sequence, but before any ‘Install Software Updates’ actions.

I have no idea why this works :(. However, it really does seem to work for me at least. Yay!

 

 

[Fixed] SCCM 2012 – User Notifications Not Working

So, you know how end-users are supposed to get pop-ups saying essentially, ‘IT needs to make changes to your computer’, and then allowing the user to schedule a reboot? Those weren’t working on our site.

The problem was the client setting named “Agent extensions manage the deployment of applications and software updates”. This must be set to false, unless you have some seriously crazy client scripting \ 3rd party application which requires it.


I can’t find the site where changing this to false was suggested. If that was your blog or forum post, leave a comment and I’ll cite accordingly.

[fixed] WMI Corruption During OSD Captures Causes SCCM Install Package TS Actions to Hang

UPDATE! I found an easier workaround. See my other post on the issue.


I’ve had this long running problem with SCCM 2012 that was threatening to make me go bald. I would run a Build and Capture to get a blank Windows 7 image with all Windows updates. This would work great and produce a viable WIM. However, when I tried to use that WIM for another build and capture, no packages would install. The TS action would just hang, and the logs would show that the package install was waiting for a status update.

It turns out that this behavior is caused by three issues: WMI corruption caused by the B&C process, issues with SCCM client behavior which are resolved in CU2, and known issues with WMI after any Windows 7 SP1 install (slipstreamed or not).

The Fix

Three Parts

  1. Hotfixes during Build and Capture
  2. WMI Repair Script after every install
  3. SCCM CU2 installed as part of OSD.

Hotfixes

Add the following Windows 7 Post-SP1 WMI hotfixes to your OSD process. I know this is a pain.

  • KB2617858 – Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7
  • KB2639505 – Loaded user profiles cannot be unloaded after you run WMI queries for the Win32_StartupCommand class in Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
  • KB2547244 – The WMI service and the WMI providers stop responding when you use WMI performance classes to monitor performance on a computer that is running Windows 7 or Windows Server 2008 R2
  • KB2639077 – Handle leak in Svchost.exe when a WMI query is triggered by using the Win32_PowerSettingCapabilities class in Windows 7 or in Windows Server 2008 R2
  • KB982293 – The Svchost.exe process that has the WMI service crashes in Windows Server 2008 R2 or in Windows 7
  • KB2465990 – “0x80041002 (WBEM_E_NOT_FOUND)” error occurs when you try to open a WMI namespace on a computer that is running Windows 7 or Windows Server 2008 R2
  • KB2492536 – Msinfo32.exe takes a long time to display or export system information on a computer that has many MSI-X-supported devices and that is running Windows 7 or Windows Server 2008 R2
  • KB2692929 – “0x80041001” error when the Win32_Environment WMI class is queried by multiple requestors in Windows 7 or in Windows Server 2008 R2
  • KB2705357 – The WMI process stops sending events to WMI clients from a Windows 7-based or Windows Server 2008 R2-based server

Here’s my install script. It will install all .msu hotfixes in the folder.

@ECHO Installing all hotfixes in the folder %~dp0.
@ECHO Do not close this window. It will close when finished.
REM Quote the full path so that a source folder containing spaces does not break wusa.exe.
for /f "usebackq delims=|" %%f in (`dir /b "%~dp0*.msu"`) do wusa.exe "%~dp0%%f" /quiet /norestart

exit 0

WMI Repair Script

The following script repairs a known issue with WMI directly after a Windows 7 SP1 install. The details are documented in the following KB by Microsoft: KB2545227 – Event ID 10 is logged in the Application log after you install Service Pack 1 for Windows 7 or Windows Server 2008 R2.

The script language is VBScript. Save it as repair-wmi-win7p1.vbs, put it in a package, and call it with a task sequence ‘Run Command Line’ action directly after the ‘Setup Windows and ConfigMgr’ step.

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\subscription")

Set obj1 = objWMIService.ExecQuery("select * from __eventfilter where name='BVTFilter' and query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA ""Win32_Processor"" AND TargetInstance.LoadPercentage > 99'")
For Each obj1elem in obj1
	set obj2set = obj1elem.Associators_("__FilterToConsumerBinding")
	set obj3set = obj1elem.References_("__FilterToConsumerBinding")
	For each obj2 in obj2set
		WScript.echo "Deleting the object"
		WScript.echo obj2.GetObjectText_
		obj2.Delete_
	Next

	For Each obj3 in obj3set
		WScript.echo "Deleting the object"
		WScript.echo obj3.GetObjectText_
		obj3.Delete_
	Next

	WScript.echo "Deleting the object"
	WScript.echo obj1elem.GetObjectText_
	obj1elem.Delete_
Next
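
The check below is an added example, not part of the original post or of KB2545227: it confirms that the repair script above removed the BVTFilter event filter and any bindings that still reference it. The function name Test-BvtFilterRemoved is hypothetical.

```powershell
# Added example: verify the BVTFilter cleanup performed by the VBScript above.
# Get-WmiObject is used so this runs on the PowerShell 2.0 shipped with Windows 7.
function Test-BvtFilterRemoved {
    param([string]$Namespace = 'root\subscription')

    # The event filter the repair script targets.
    $filters = @(Get-WmiObject -Namespace $Namespace -Class __EventFilter `
        -Filter "Name='BVTFilter'" -ErrorAction Stop)

    # Bindings store the filter as a reference path, e.g. __EventFilter.Name="BVTFilter".
    $bindings = @(Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding `
        -ErrorAction Stop | Where-Object { $_.Filter -match 'Name="BVTFilter"' })

    # Write-Host keeps the diagnostics out of the function's return value.
    foreach ($f in $filters)  { Write-Host ("Leftover filter:  {0}" -f $f.__RELPATH) }
    foreach ($b in $bindings) { Write-Host ("Leftover binding: {0} -> {1}" -f $b.Filter, $b.Consumer) }

    return ($filters.Count -eq 0 -and $bindings.Count -eq 0)
}

# Exit non-zero so a 'Run Command Line' step fails visibly if the cleanup did not take.
if (Test-BvtFilterRemoved) { exit 0 } else { exit 1 }
```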

SCCM CU2 OSD Install

On your ‘Setup Windows and ConfigMgr’ TS action on all task sequences, add the following parameter. You will need to change ADM00002 to match the package ID of the SCCM client install package. Also, it’s important to make sure that the package contains the CU2 hotfix. To make sure, navigate to the package’s source folder. You can add the hotfix manually, then redistribute the package to the distribution points. It’s also important to use the correct architecture.

PATCH="C:\_SMSTaskSequence\OSD\ADM00002\x64\configmgr2012ac-rtm-kb2780664-x64.msp"

That’s it! Packages install properly for me again during OSD. It took exactly how long you’d expect to figure all this out… 😦

[fixed] Windows 7 Offline Files – Horrible Random Corruption and Long Login Time Issues

A couple of times this year we had laptop users call in complaining that they can’t access any of their files. One person in particular was about to give a talk in India, and couldn’t pull up the presentation.

The behavior? Offline files would just quit working while the laptop was in offline mode. Connecting via the VPN would make everything happy, but this only worked when there was an internet connection. Another problem we’ve been having is that offline files users might require 15+ minutes to log in while connected to the LAN.

The solution? Hotfixes. These three hotfixes are now a part of our standard OSD build process. Install all three (as of Jan 13, 2013) listed on this site: List of Windows 7 Post-SP1 Hotfixes Related to Offline Files. Once installed, make sure to reset the CSC cache by creating a DWORD at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache named “FormatDatabase” = 0, then rebooting.

Here are the separate links:

  • KB2523887 – You may encounter file corruption issues when you use the Offline Files feature to synchronize data in Windows 7.
  • KB2561708 – Offline files synchronization may not finish on a computer that is running Windows 7 or Windows Server 2008 R2
  • KB2525332 – You encounter a long logon time after you enable the “Do not automatically make redirected folders available offline” Group Policy setting in Windows 7 or in Windows Server 2008 R2

I hope this makes your day much, much better.

WebDAV Registry Fixes for Windows 7

I’ve been working with WebDAV for the first time, and came across gotchas and misinformation. Here we go!

Issue 1 – Max File Size

The Windows 7 WebDAV client defaults to only allowing transfers of files less than 50 MB.  Here’s the code needed in a .reg file to set the limit to 4 GB (the unfortunate maximum).

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
"FileSizeLimitInBytes"=dword:ffffffff

Issue 2 – Authentication Problems

A lot of people are suggesting that you enable Basic Authentication to get around authentication failures using this registry key:

HKLM\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\BasicAuthLevel

This will probably make things work, but it’s usually a bad idea because enabling Basic Authentication will cause usernames and passwords to be sent in clear text. The real problem is that your server either doesn’t support SSL (TLS), or it’s implemented incorrectly. If your WebDAV server’s web server certificate is self-signed, make sure that it passes validation checks (CDP and AIA locations, etc). Also, make sure that you’re trying to connect to the FQDN of the server and not the NetBIOS name.
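
To find machines where that workaround has already been applied, the following added example (not from the original post) audits the two WebClient values discussed in Issues 1 and 2. The function name Get-WebClientAudit is hypothetical, and the BasicAuthLevel meanings in the comments come from Microsoft's documentation rather than from this page.

```powershell
# Added example: audit the WebClient (WebDAV) registry settings discussed above.
# BasicAuthLevel meanings per Microsoft's documentation (not stated on this page):
#   0 = Basic disabled, 1 = Basic over SSL only (default), 2+ = Basic over SSL and plain HTTP
function Get-WebClientAudit {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
    )
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # A missing value means the client default (1) applies.
    $auth = 1
    if ($null -ne $p.BasicAuthLevel) { $auth = [int]$p.BasicAuthLevel }

    # DWORDs above 0x7FFFFFFF can surface as negative Int32; normalise to unsigned.
    $limit = $null
    $limitMB = $null
    if ($null -ne $p.FileSizeLimitInBytes) {
        $limit = [int64]$p.FileSizeLimitInBytes -band 4294967295
        $limitMB = [math]::Round($limit / 1MB, 1)
    }

    $finding = 'OK: Basic authentication is not allowed over plain HTTP'
    if ($auth -ge 2) {
        $finding = 'RISK: Basic authentication allowed over plain HTTP (credentials sent in clear text)'
    }

    # New-Object keeps this compatible with PowerShell 2.0 on Windows 7.
    New-Object PSObject -Property @{
        BasicAuthLevel       = $auth
        FileSizeLimitInBytes = $limit
        FileSizeLimitMB      = $limitMB
        Finding              = $finding
    }
}

Get-WebClientAudit | Format-List
```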

That’s it! Good luck out there.

Working With RRAS for NAT and VPN

I’ve recently done some work with RRAS for the first time, and had a lot of trouble getting things together.

Issue 1 – NAT\VPN is Unreliable

I installed a VPN with RRAS, and couldn’t for the life of me figure out why it would randomly disconnect all the time. It turns out that my problem was that I had 2 default gateways specified. When using RRAS as a NAT Gateway + VPN, the Internal\Private interface should _not_ have a default gateway. This cleared things up like magic.

Issue 2 – RRAS on VMWare Is Not Working

This took a while to figure out. It turns out that RRAS is currently incompatible with VMXNet3 ethernet adapters. Switching to E1000’s (eww…I know) was like throwing the magic switch (like Issue 1!). Please post on the VMware forum here asking them to get things fixed. If you figure out how to work around the issue, please leave a comment below.

Issue 3 – What Protocol Should I Use?

There are 4 available protocols. Here is a quick summary based on my limited knowledge and research.

  • PPTP – Insecure (cryptographically broken). Do not use.
  • L2TP\IPSec – Requires client certificate. XP+.
  • SSTP – Great when inside restricted firewalls; works over 443 only. Requires a web server cert on the server. Compatible with Vista+.
  • IKEv2 – Enables ‘VPN Reconnect’, which means that you can switch from LAN to WiFi and back without dropping the VPN, etc. Win7+.

Issue 4 – Can the Windows VPN Client Auto-Map Drives?

You can use the Connection Manager Administration Kit (CMAK) to create bundled ‘profiles’ that will do things like:

  • Configure a default primary and fall-back protocol. For example: “try IKEv2 then SSTP”.
  • Configure whether the client should use the default gateway on the WAN interface for all traffic.
  • Run a script on successful connect or disconnect.

The last one there is the key — you can run a vbscript to map necessary drives and printers on a connection, based off of any LDAP info like the connecting user’s group membership. CMAK is available as a ‘feature’ to be installed from Server Manager on Windows 2008+. Bug me and I’ll throw up a blog post about using it!

SCCM Primary Site Install User Permissions \ Kerberos 4 Error

Just a quick fix.

I was trying to connect a primary site to our college’s new CAS server today and kept getting the error, “The setup login user does not have sufficient permission to configure replication with specified central administration site”. In the Event Log, I found “Kerberos EventID 4”. After some googling, it turned out to be the fact that there was a computer in my local domain with the same name as the CAS server in the remote domain. Once I renamed the server in my domain, things connected properly.

This is a case where the SCCM installer should really have a better idea of the problem, assuming that’s possible.