Thursday, September 06, 2018

Windows 10 Feature Update Fails with Error = 0x80240022. Commit Result = 0x00000001 (or 0x80070522: A required privilege is not held by the client)

Using Bryan Dam's excellent Software Update Installation Failures by Update report, I discovered almost a thousand systems failing to apply the 1709 Feature update that I'd deployed via ConfigMgr. 

The error was seemingly random since over 3000 systems had successfully updated. All were 1607 (though I think this symptom could apply to other versions).

The error was either:

0x80070522: A required privilege is not held by the client
or
0x80240022. Commit Result = 0x00000001

The feature update would not install. Moreover, it failed almost instantly in Software Center. UpdateDeployment.log and WUAHandler.log both reported 0x80240022.

Cue lots of log-trawling and internet searching (and even an opened case with Microsoft) all without success - shame on you Microsoft! I then noticed that using 'Check online for updates from Microsoft Update' was also immediately failing; usually with error 0x80070006. This led me to this site: https://superuser.com/questions/1195688/windows-update-error-0x80070006

Comparing the sc query wuauserv results for broken and working systems showed a difference in the TYPE:

Broken


 Working


I set the process Type to be shared using: sc config wuauserv type= share


Then restart the computer (or you could use sc sidtype wuauserv none if you're doing all this via a remote command prompt using PSEXEC!)

The Feature update then installed successfully from Software Center with no errors.
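
A check for the condition described above, as an added example (not part of the original post): it reads the configured service type of wuauserv and reports whether it is the shared-process type that sc config wuauserv type= share sets. The function name and output fields are made up for illustration; the broken value itself is not shown on this page, so anything other than shared is simply flagged.

```powershell
# Added example, not from the original post.
# Service type flags as stored in the service's "Type" registry value.
$SERVICE_WIN32_OWN_PROCESS   = 0x10   # sc query: 10  WIN32_OWN_PROCESS
$SERVICE_WIN32_SHARE_PROCESS = 0x20   # sc query: 20  WIN32_SHARE_PROCESS

function Get-WuauservServiceType {
    param([string]$ServiceName = 'wuauserv')

    # The configured type lives under the service's registry key;
    # this is the value that "sc config <name> type= share" rewrites.
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $type = (Get-ItemProperty -Path $key -Name Type -ErrorAction Stop).Type

    if ($type -band $SERVICE_WIN32_SHARE_PROCESS)   { $kind = 'Shared' }
    elseif ($type -band $SERVICE_WIN32_OWN_PROCESS) { $kind = 'Own' }
    else                                            { $kind = 'Other' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Service      = $ServiceName
        TypeValue    = ('0x{0:X}' -f $type)
        Kind         = $kind
        # Assumption: "shared" is the expected state, as on the working systems.
        Compliant    = ($kind -eq 'Shared')
    }
}

# Local check; the output can be collected per client, for example by
# running this script through ConfigMgr and reviewing the results.
Get-WuauservServiceType
```

The script only reads the registry, so it can run on every client before deciding where the sc config change is needed.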

Friday, April 13, 2018

Error Deploying CDP: ERROR: Communication exception occured. Http Status Code: BadRequest, Error Message: The private key for the remote desktop certificate cannot be accessed.

My environment: Single primary site, recently upgraded to 1802. I want to deploy a CDP.
I first created two self-signed certs, one with PFX and one CER (for the Azure Management portal) as per the documentation.
Then I started the Create Cloud Distribution Point wizard. Walking through it and entering my Subscription ID and Management certificate, and then the additional details (Region, Site and Certificate file), everything was fine. However, when provisioning started, cloudmgr.log logged an error and the CDP failed to provision:
ERROR: Communication exception occured. Http Status Code: BadRequest, Error Message: The private key for the remote desktop certificate cannot be accessed. This may happen for CNG certificates that are not supported for Remote Desktop., Exception Message: The remote server returned an unexpected response: (400) Bad Request.. SMS_CLOUD_SERVICES_MANAGER  13/04/2018 09:28:56 10808 (0x2A38)
More errors would be created such as: 
ERROR: Communication exception occured. Http Status Code: NotFound, Error Message: No deployments were found., Exception Message: There was no endpoint listening at https://management.core.windows.net/[mystuff]/services/hostedservices/[mystuff]/deploymentslots/Production that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.. SMS_CLOUD_SERVICES_MANAGER  13/04/2018 09:28:56 10808 (0x2A38)
but the indicative error is the first one specifically: "...The private key for the remote desktop certificate cannot be accessed..."
Everything looked fine with my pfx certificate - it was exported, passworded and PSS could see nothing wrong either, so this was annoying!
Reason: The cloud service server certificate (in the second screen of the wizard) private key isn't exported (or readable perhaps).
Solution: Use OpenSSL to export the private key, create a new pfx from it, and import that new pfx.
  • Download openssl
  • Export the PFX to a file from your mmc e.g. mypfx.pfx 
  • Extract the Key:    openssl pkcs12 -in mypfx.pfx -nocerts -out key.key   <--this is the key obviously..
  • Extract the certificate:    openssl pkcs12 -in mypfx.pfx -clcerts -nokeys -out mycert.crt  <---cert without key
  • Combine back to pfx and export:     openssl pkcs12 -export -out newpfx.pfx -inkey key.key -in mycert.crt 
  • Take newpfx.pfx and use that in your wizard

Cloudmgr.log reports all is well and completes, deploying your CDP.
It's not just me who has had this, see here http://blog.configmatt.com/2017/06/sccm-cloud-management-gateway.html but that page doesn't give the openssl stuff. My PSS engineer said they don't get a whole lot of CDP requests for things, so this may be something they'll update documentation with.
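
A pre-flight check for the two conditions named above (the private key missing from the PFX, or the key sitting in a CNG provider as the error message suggests), as an added example that is not part of the original post. The function name Test-PfxPrivateKey and its output fields are made up for illustration, and the script assumes Windows PowerShell 5.1 on .NET Framework.

```powershell
# Added example, not from the original post. Run in Windows PowerShell 5.1,
# where the legacy PrivateKey property can open only CryptoAPI (CSP) keys.
function Test-PfxPrivateKey {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][securestring]$Password
    )

    $fullPath = (Resolve-Path -Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $fullPath, $Password

    $report = [ordered]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        KeyApi        = 'None'
        Provider      = $null
    }

    if ($cert.HasPrivateKey) {
        try {
            # On .NET Framework this getter throws for keys held in a CNG provider.
            $key = $cert.PrivateKey
            if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
                $report.KeyApi   = 'CSP'
                $report.Provider = $key.CspKeyContainerInfo.ProviderName
            } else {
                $report.KeyApi = 'Unknown'
            }
        } catch {
            $report.KeyApi = 'CNG or unreadable'
        }
    }

    $cert.Reset()   # release the handle opened by loading the PFX
    [pscustomobject]$report
}

# Usage (file name from the steps above):
# Test-PfxPrivateKey -Path .\newpfx.pfx -Password (Read-Host -Prompt 'PFX password' -AsSecureString)
```

Run it against both mypfx.pfx and newpfx.pfx to compare them before starting the wizard. Once the new PFX is confirmed, delete key.key and mycert.crt, since key.key holds the exported private key.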

Thursday, November 02, 2017

[SQL] Windows Update Scan State

SELECT 

a.LastErrorCode as "Error",
b.Name0,
b.Last_Logon_Timestamp0,
c.Caption0,
d.WUServer0


  FROM v_UpdateScanStatus a
  inner join v_R_System b on a.ResourceID = b.ResourceID
  inner join v_GS_OPERATING_SYSTEM c on a.ResourceID = c.ResourceID
  inner join v_GS_WSUSSettings_WSUSServer0 d on a.ResourceID = d.ResourceID
  where a.LastErrorCode!= '0'
  order by Error ASC
  

Thursday, June 01, 2017

WSUS Server Report

COMPLIANT
SELECT a.ResourceID
      ,b.Name0 as "Name"
      ,a.TimeStamp as "Time Stamp"
      ,a.WUServer0 as "WSUS Server"
 ,b.Full_Domain_Name0 as Domain
 ,b.Distinguished_Name0 as FQDN
 ,b.Operating_System_Name_and0 as OS
 ,b.Build01 as "OS Build"
  FROM v_GS_WSUSSettings_WSUSServer0 a
  join v_R_System b on a.ResourceID=b.ResourceID
  WHERE a.WUServer0 = 'http://WSUSSERVER:8530'

NON-COMPLIANT
SELECT a.ResourceID
      ,b.Name0 as "Name"
      ,a.TimeStamp as "Time Stamp"
      ,a.WUServer0 as "WSUS Server"
 ,b.Full_Domain_Name0 as Domain
 ,b.Distinguished_Name0 as FQDN
 ,b.Operating_System_Name_and0 as OS
 ,b.Build01 as "OS Build"
  FROM v_GS_WSUSSettings_WSUSServer0 a
  join v_R_System b on a.ResourceID=b.ResourceID
  WHERE (a.WUServer0 <> 'http://WSUSSERVER:8530' or a.WUServer0 IS NULL)

****
IMPORT.MOF:
// RegKeyToMOF by Mark Cochrane (tribute to Skissinger & Steverac)
// this section tells the inventory agent what to report to the server
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("WSUSServer", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("WSUSServer"),SMS_Class_ID("WSUSSettings|WSUSServer|1.0")]
Class WSUSServer: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String WUServer;
};

CONFIGURATION.MOF
// RegKeyToMOF by Mark Cochrane (tribute to Skissinger & Steverac)
// this section tells the inventory agent what to collect
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("WSUSServer", NOFAIL)
[DYNPROPS]
Class WSUSServer
{
[key] string KeyName;
String WUServer;
String WUStatusServer;
Uint32 AcceptTrustedPublisherCerts;
};

[DYNPROPS]
Instance of WSUSServer
{
keyname="RegKeyToMOF[MarkCochrane]";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate|WUServer"),Dynamic,Provider("RegPropProv")] WUServer;
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate|WUStatusServer"),Dynamic,Provider("RegPropProv")] WUStatusServer;
};

Tuesday, January 10, 2017

SQL - Add Remove Programs joined to Logged on User

select 
hs.ResourceID,hs.ARPDisplayName0,hs.ProductVersion0,
b.User_Domain0, b.User_Name0,b.Name0
from v_HS_INSTALLED_SOFTWARE hs 
join v_R_System b on hs.ResourceID=b.ResourceID
where ProductName0 like '%app name%'

Wednesday, November 16, 2016

Remove Citrix ICA Webclient (7.x)

When installed via browser (minimal)

@echo off
cls
echo Running Removal of Citrix ICA WEB Client (Minimal) 7.0.17534
echo Stopping Services
REM TASKKILL /F /IM pn.exe
REM TASKKILL /F /IM wfcrun32.exe
REM TASKKILL /F /IM wfica32.exe
TASKKILL /F /IM iexplore.exe

:: Process
If %PROCESSOR_ARCHITECTURE% == x86 goto OS32bit_i
If %PROCESSOR_ARCHITECTURE% == AMD64 goto OS64bit_i

:OS32bit_i
"C:\Program Files\Citrix\icacab\wfica32.exe" /unregserver
RD /s /q "C:\Program Files\Citrix"
REG DELETE "HKLM\SOFTWARE\Citrix" /f 
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Small Citrix ICA Web Client" /f
goto end

:OS64bit_i
"C:\Program Files\Citrix\icacab\wfica32.exe" /unregserver
RD /s /q "C:\Program Files\Citrix"
REG DELETE "HKLM\SOFTWARE\Wow6432Node\Citrix" /f
REG DELETE "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Small Citrix ICA Web Client" /f
goto end

:end
PAUSE

+++++++

When installed via ica32t.exe (setup)

@echo off
cls
echo Running Removal of Citrix ICA WEB Client 7.0.17534
echo Stopping Services
REM TASKKILL /F /IM pn.exe
REM TASKKILL /F /IM wfcrun32.exe
REM TASKKILL /F /IM wfica32.exe
TASKKILL /F /IM iexplore.exe

:: Process
If %PROCESSOR_ARCHITECTURE% == x86 goto OS32bit_i
If %PROCESSOR_ARCHITECTURE% == AMD64 goto OS64bit_i

:OS32bit_i
"C:\Program Files\Citrix\icaweb32\wfica32.exe" /unregserver
RD /s /q "C:\Program Files\Citrix"
del c:\windows\System32\ctxsetup.exe
RD /s /q "C:\Program Files\Citrix"
RD /s /q "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix ICA Client"
REG DELETE "HKLM\SOFTWARE\Citrix" /f 
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Citrix ICA Web Client" /f
goto end

:OS64bit_i
"C:\Program Files (x86)\Citrix\icaweb32\wfica32.exe" /unregserver
RD /s /q "C:\Program Files (x86)\Citrix"
del c:\windows\SysWOW64\ctxsetup.exe
REG DELETE "HKLM\SOFTWARE\Wow6432Node\Citrix" /f
REG DELETE "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Citrix ICA Web Client" /f
goto end

:end
PAUSE

Monday, October 31, 2016

File Version Detection Login

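$FilePath = "7-Zip"
$FileName = "7zFM.exe"
$DesiredVer = 16       # minimum major version, compared as a number
$FileVerLength = 2     # leading characters of FileVersion to compare

$FullPath = Join-Path (Join-Path $env:ProgramFiles $FilePath) $FileName

# Only read the version when the file exists: anything written to stderr
# makes ConfigMgr treat the detection script as failed.
If (Test-Path $FullPath) {
    $AppVer = (Get-Item -Path $FullPath).VersionInfo
    $AppVer = $AppVer.FileVersion.Substring(0, $FileVerLength)
    # Compare numerically; as strings, "9." would sort above "16".
    if ([int]($AppVer.TrimEnd('.')) -ge $DesiredVer) { Write-Host "Success" }
}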


Reason:
    Performing detection of app deployment type Install_7Zip_16.04.0.0(ScopeId_BEBD3B8D-19A8-422B-BBE9-9ECCE2A830DC/DeploymentType_33465a95-df3e-4cd6-be8c-84afb5629c79, revision 5) for user. AppDiscovery 02/11/2016 10:57:46 15744 (0x3D80)
    In-line script returned error output: Get-Item : Cannot find path 'C:\Program Files\7-Zip\7zFM.exe' because it does not exist.
At C:\WINDOWS\CCM\SystemTemp\91159495-3fce-405a-8392-edadd4f20e36.ps1:6 char:12
+ $AppVer = (Get-Item -Path $env:ProgramFiles\$FilePath\$FileName).Vers ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Program Files\7-Zip\7zFM.exe:String) [Get-Item], ItemNotFoundExcepti 
   on
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand

You cannot call a method on a null-valued expression.
At C:\WINDOWS\CCM\SystemTemp\91159495-3fce-405a-8392-edadd4f20e36.ps1:7 char:1
+ $AppVer = $AppVer.FileVersion.substring(0,$FileVerLength)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

AppDiscovery 02/11/2016 10:57:47 15744 (0x3D80)
A script execution error has occurred. The script has no output in stdout and an error message in stderr. AppDiscovery 02/11/2016 10:57:47 15744 (0x3D80)
Script Execution returned error message: Get-Item : Cannot find path 'C:\Program Files\7-Zip\7zFM.exe' because it does not exist.
At C:\WINDOWS\CCM\SystemTemp\91159495-3fce-405a-8392-edadd4f20e36.ps1:6 char:12
+ $AppVer = (Get-Item -Path $env:ProgramFiles\$FilePath\$FileName).Vers ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Program Files\7-Zip\7zFM.exe:String) [Get-Item], ItemNotFoundExcepti 
   on
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand

You cannot call a method on a null-valued expression.
At C:\WINDOWS\CCM\SystemTemp\91159495-3fce-405a-8392-edadd4f20e36.ps1:7 char:1
+ $AppVer = $AppVer.FileVersion.substring(0,$FileVerLength)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

, ExitCode: 4294967295 AppDiscovery 02/11/2016 10:57:47 15744 (0x3D80)
  Script Execution Returned :4294967295, Error Message: Get-Item : Cannot find path 'C:\Program Files\7-Zip\7zFM.exe' because it does not exist.
At C:\WINDOWS\CCM\SystemTemp\91159495-3fce-405a-8392-edadd4f20e36.ps1:6 char:12
+ $AppVer = (Get-Item -Path $env:ProgramFiles\$FilePath\$FileName).Vers ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Program Files\7-Zip\7zFM.exe:String) [Get-Item], ItemNotFoundExcepti 
   on
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand

You cannot call a method on a null-valued expression.
At C:\WINDOWS\CCM\SystemTemp\91159495-3fce-405a-8392-edadd4f20e36.ps1:7 char:1
+ $AppVer = $AppVer.FileVersion.substring(0,$FileVerLength)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

. [AppDT Id: ScopeId_BEBD3B8D-19A8-422B-BBE9-9ECCE2A830DC/DeploymentType_33465a95-df3e-4cd6-be8c-84afb5629c79, Revision: 5] AppDiscovery 02/11/2016 10:57:47 15744 (0x3D80)
CScriptHandler::DiscoverApp failed (0xffffffff). AppDiscovery 02/11/2016 10:57:47 15744 (0x3D80)
Deployment type detection failed with error 0xffffffff. AppDiscovery 02/11/2016 10:57:47 15744 (0x3D80)

Failed to perform detection of app deployment type Install_7Zip_16.04.0.0(Install_7Zip_16.04.0.0, revision 5) for user. Error 0xffffffff AppDiscovery 02/11/2016 10:57:47 15744 (0x3D80)