Some of my Hot Picks for MMS Sessions

There are a ton of great sessions at MMS. Here’s a pic of many of the keywords you’ll find in the session titles:

[Image: MMS_Wordcloud, a word cloud of the session title keywords]

There are a lot of great speakers, and I’ll be sad because I won’t be able to attend all of the sessions (only so many slots in a 3-day conference :(, and I’m co-presenting 3 or 4 of them). Check out more about MMS in my previous post.

Here are a few on my ‘must see’ list:

ConfigMgr State and Status Messages – Under the Hood – Anything from Michael Wiles or Steve Rachui is on my hot list – Steve is a support engineer at Microsoft. Michael used to be my Dedicated Support Engineer at Microsoft, until I managed to talk him into joining my team! State and status messages are a challenge, and any opportunity to understand them better, as well as ‘taming the beast’, is a good thing in my book.

Deep Dive into Content Flow – This is another session from Michael and Steve, and understanding content flow should be near the top of our list of issues to learn to troubleshoot better. Pull DPs, standard DPs, DP on and off a site server – content flow is key to keeping us employed.

OS Deployment at Level 500 – The training wheels are long gone. Johan is going to dive into the guts of OSD, and you’re going to learn about things that, until now, were in the same category as Leprechauns and Unicorns.

PowerShell, PowerShell, PowerShell – Aleksandar Nikolic has three sessions diving into PowerShell Remoting, Workflows, and more. You have skills in PowerShell? Attend these sessions to learn something new.

Windows Deployment – Now and Into the Future – Michael Niehaus will be presenting this session. With Windows 10 around the corner, there are plenty of new “features” and enhancements we all need to be aware of, in order to deploy this newest OS.

Birds of a Feather Sessions – MMS has tons of them. 1) topic-focused BoF sessions each morning – bring your questions, share your knowledge, network. 2) BoF in every session – we plan for 60 minutes presentation, and additional 45 minutes at the end of each session for BoF, additional Q&A, and anything else you’d like to discuss about the presented topic.

And what’s most important to realize is that this is only a very small sampling of the content – we have so many great sessions, great speakers (and great friends), I would literally need to paste the entire session catalog to tell you about all the great content.

Oh, and I forgot to mention – NETWORKING. I have met so many people through the SMS/ConfigMgr community, and a very significant number of those people have built great friendships, as well as advanced their career as a result of networking that has occurred at previous user group and MMS events. Meet people, share ideas, build friendships (and future employment opportunities).

Stay tuned – the session schedule will be posted very soon over at http://mms.mnscug.org.

Greg


Watch out for that Service! CNG Key Isolation

Probably just about anyone who may be reading this blog has also reviewed Microsoft’s Prerequisites for Windows Client Deployment in Configuration Manager, and many of you may have learned the hard way about dependencies like BITS, Task Scheduler, and maybe even Remote Differential Compression (RDC). I have a new one for you that we learned about over the weekend: the CNG Key Isolation service (short name KeyIso).

The CNG Key Isolation service is hosted in the Local Security Authority (LSA) process as part of system cryptography support. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria.

The symptom: the ConfigMgr client installed successfully (both client push and manual client installation), but the client did not successfully register with its assigned site. Upon inspection, we noticed the following errors:

CertificateMaintenance.log

Creating Signing Certificate… CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)
Failed to create certificate 80090020 CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)
CCMDoCertificateMaintenance() failed (0x80090020). CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)
Raising pending event:
instance of CCM_ServiceHost_CertificateOperationsFailure
{
    DateTime = "20140329065655.902000+000";
    HRESULT = "0x80090020";
    ProcessID = 6036;
    ThreadID = 5944;
};
CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)
CCMDoCertificateMaintenance() raised CCM_ServiceHost_CertificateOperationsFailure status event. CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)

ClientIDManagerStartup.log

Client is set to use HTTPS when available. The current state is 224. ClientIDManagerStartup 3/29/2014 3:34:45 AM 5836 (0x16CC)
CCMCreateAuthHeadersEx failed (0x80004005). ClientIDManagerStartup 3/29/2014 3:34:46 AM 5836 (0x16CC)
PopulateRegistrationHint failed (0x80004005), expected upon first start of non-upgrade client. ClientIDManagerStartup 3/29/2014 3:34:46 AM 5836 (0x16CC)
[RegTask] – Executing registration task synchronously. ClientIDManagerStartup 3/29/2014 3:34:50 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)
Read SMBIOS (encoded): 4800510050003100580051003100 ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)
Evaluated SMBIOS (encoded): 4800510050003100580051003100 ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)
No SMBIOS Changed ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)
SMBIOS unchanged ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)
SID unchanged ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)
HWID unchanged ClientIDManagerStartup 3/29/2014 3:34:53 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:34:55 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:34:57 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:01 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:05 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:11 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:17 AM 788 (0x0314)
RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:25 AM 788 (0x0314)

We also noticed that each time we cycled the “SMS Agent Host” (ccmexec) service, we received an error in the System event log: “The CNG Key Isolation service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.”

You guessed it, that was it. On a group of servers, someone had configured this service to log on as a domain account instead of as the Local System account. When a client is configured to use HTTP (instead of HTTPS, formerly known as ‘native mode’), it generates a self-signed certificate during the client install (or at least shortly thereafter), and that process depends on the CNG Key Isolation service. KeyIso is hosted inside the LSA process (lsass.exe), which always runs as Local System, so the Service Control Manager refuses to start it under any other account; that is exactly the “account specified for this service is different…” message in the event log. With KeyIso unable to start, the CNG key storage provider cannot create the client’s private key, CertificateMaintenance reports 0x80090020 (NTE_FAIL), and ClientIDManagerStartup surfaces it as the generic 0x80004005 (E_FAIL) while retrying registration. The service needs to stay configured as Local System and must not be ‘Disabled’ (‘Manual’ service start is fine).

The solution: don’t modify that service’s configuration! Leave the default (Manual start, run as Local System). If you MUST, it appears that you can change it back to your custom configuration after the ConfigMgr client is healthy, but in the long run that will just cause you more problems when you need to reinstall or repair the client.
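As an added example (this is my script, not something from the original post or from the ConfigMgr product), here is the PowerShell I would run on an affected machine to audit the KeyIso configuration, put it back to the default, exercise the same persisted-key path the client certificate creation depends on, and pull the two diagnostic signatures described above out of the logs. Assumptions: it runs elevated on the client, the client logs are in the default C:\Windows\CCM\Logs, and the probe key name, the 2048-bit key length and the function names are my own choices.

```powershell
# Added example, not from the original post. Assumes an elevated session on the
# affected ConfigMgr client and the default C:\Windows\CCM\Logs log location.
#Requires -RunAsAdministrator

function Get-KeyIsoState {
    # Service Control Manager view of the CNG Key Isolation service (short name KeyIso).
    $svc = Get-CimInstance Win32_Service -Filter "Name='KeyIso'"
    if (-not $svc) { throw "KeyIso service not found on this host" }
    [pscustomobject]@{
        StartMode = $svc.StartMode   # default: Manual
        StartName = $svc.StartName   # default: LocalSystem
        State     = $svc.State
        # Any logon account other than Local System, or a Disabled start mode, breaks
        # key creation because KeyIso lives inside lsass.exe.
        Healthy   = ($svc.StartName -eq 'LocalSystem' -and $svc.StartMode -ne 'Disabled')
    }
}

function Repair-KeyIso {
    # Restore the default (Local System, Manual start). sc.exe is used because
    # Set-Service on Windows PowerShell 5.1 cannot change the logon account.
    & sc.exe config KeyIso obj= LocalSystem start= demand | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config KeyIso failed with exit code $LASTEXITCODE" }
}

function Test-CngKeyIsolation {
    # Create and delete a persisted machine key in the Microsoft Software KSP.
    # Persisted keys are serviced by KeyIso inside LSASS, so this exercises the same
    # dependency as the client's self-signed certificate creation without touching
    # the client itself. Key name and length are arbitrary probe values.
    param([int]$Bits = 2048)
    $name = 'KeyIsoProbe-' + [guid]::NewGuid().ToString('N')
    $cp = New-Object System.Security.Cryptography.CngKeyCreationParameters
    $cp.Provider = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
    $cp.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey
    $cp.Parameters.Add((New-Object System.Security.Cryptography.CngProperty(
        'Length', [BitConverter]::GetBytes($Bits),
        [System.Security.Cryptography.CngPropertyOptions]::None)))
    try {
        $key = [System.Security.Cryptography.CngKey]::Create(
            [System.Security.Cryptography.CngAlgorithm]::Rsa, $name, $cp)
        $key.Delete()
        return $true
    } catch {
        # With KeyIso unable to start this is where NTE_FAIL (0x80090020) shows up.
        Write-Warning ("Persisted CNG key creation failed: {0}" -f $_.Exception.Message)
        return $false
    }
}

function Find-CertMaintenanceFailures {
    # Extract the 'Failed to create certificate 80090020' lines from the client log.
    # The pattern matches both the CMTrace-rendered form and the raw <![LOG[...]LOG]!> form.
    param([string]$LogPath = "$env:SystemRoot\CCM\Logs\CertificateMaintenance.log")
    if (-not (Test-Path $LogPath)) { return @() }
    Select-String -Path $LogPath -Pattern 'Failed to create certificate\s+80090020' |
        ForEach-Object { $_.Line }
}

function Find-KeyIsoStartFailures {
    # Service Control Manager event 7000 is "The <service> service failed to start".
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000 } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*CNG Key Isolation*' } |
        Select-Object TimeCreated, Message
}

# Usage: report, repair if needed, then probe and show the log evidence.
$state = Get-KeyIsoState
$state | Format-List
if (-not $state.Healthy) {
    Repair-KeyIso
    $state = Get-KeyIsoState
}
"KeyIso healthy: $($state.Healthy); persisted CNG key probe: $(Test-CngKeyIsolation)"
Find-CertMaintenanceFailures | Select-Object -Last 5
Find-KeyIsoStartFailures | Select-Object -First 5
# After a repair, restart the client so it retries certificate creation and registration:
# Restart-Service CcmExec
```

The probe is the useful part: a green service configuration is not proof that key isolation works, but a successful persisted-key create/delete is, and a failure there reproduces the 0x80090020 the client logs without reinstalling anything. Run it before the client repair so you know whether the fix took, and keep the 7000 event query in your triage notes, since that message names the real cause while the ConfigMgr logs only show the symptom.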

Greg