
SCCM 2012 OSD invalid task sequence step condition breaks deployment

posted Feb 19, 2015, 5:34 AM by Adrian P   [ updated Feb 20, 2015, 12:14 PM ]

March 20, 2014 / adrian posted in Infrastructure

I've recently encountered an interesting issue with SCCM 2012 OS deployment. Some hardware models would complete successfully while others didn't. SCCM deployment status would be reported as successful for all instances, but this wasn't accurate. Some machines would be missing critical apps.

The task sequence would execute as expected until about halfway through, when it would simply end. A big chunk of the TS was skipped; no errors or anything, just a friendly CTRL+ALT+DEL prompt.

The weird part of all this was that the smsts.log file seemed to stop logging after a particular step, but the TS continued executing several other steps beyond that point.

First thing’s first:

What’s wrong with the engine? Why isn't it logging? I paused the TS right before the "failure" and opened the log file in notepad.exe (nightmare); CMTrace was not available on the machine yet. When I scrolled to the bottom, I saw the “TS engine returned 0x0” message.


I thought the engine stopped logging… why isn't CMTrace showing me this line? 

smsts.log is written in CMTrace's XML-like log format; CMTrace parses that awful markup to make it readable. Something’s wrong with the XML in this log file and it’s breaking CMTrace. Time to open it in an XML editor and see if I can spot any issues with the markup (good luck proof-reading 10MB of XML…).

The closest thing I had to a proper XML viewer was IE9 and its View Source dialog. I renamed smsts.log to smsts.log.xml and opened it up. Scroll scroll scroll and suddenly:

… everything past a certain point was being interpreted as a string.

If you look closely near the WMI query where the colour suddenly changes, there is an unescaped and open double quotation mark:

Query=SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE "%ThinkPad%%X240%]LOG]!><time="14:57:54.052+240"

This WMI query string comes from the task sequence editor, where it is used in a condition on one of the steps. When the TS engine writes it to the log it does not escape the stray character, so the record is no longer well-formed from that point on. CMTrace cannot display the rest of the log file because it is still waiting for that opened quotation to be closed.

It should look more like:

Query=SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE "%ThinkPad%%X240%"]LOG]!><time="14:57:54.052+240"

Ahhh.. so if CMTrace breaks because of this, could it be that the TS engine is in the same boat? Chances are the engine doesn't know what to do with that orphaned quotation and incorrectly determines the rest of the XML is part of the WMI query.

I added the missing end quotation mark in my WMI queries and all was well again with the task sequence.

Note: This only seems to be an issue if the parent group of the step containing the faulty condition is actually executed. If the group is disabled or skipped due to its own condition, the TS will continue to function.

Note: Notepad++, Firefox, Komodo and similar editors won’t help you spot this in SMSTS.log. They parse the “broken” XML without complaint, so you will see no irregularities; syntax highlighting won’t help much here.

This problem is only evident if you rename the SMSTS.log file to .xml and open it in IE9’s View Source dialog. 

If you export the TS itself to XML and try to view it in an XML editor, you will still not spot the issue. The exported TS is properly formatted and the orphaned quotation mark is correctly interpreted as a value for that particular element.

If you suspect the XML code might be the issue, you can also run the TS export through an XML validator.
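The same rule can be applied mechanically, as an added check (example code, not from the original post): a WQL string literal has to close, so a condition query with an odd number of double quotes is the culprit. The functions below scan either the smsts.log records shown above or an exported task sequence XML. They assume the record layout `<![LOG[...]LOG]!><time=...>` and, for the export, a `<variable name="Query">` element inside an `SMS_TaskSequence_WMIConditionExpression` as in a standard ConfigMgr 2012 export; the two sample inputs are constructed here, not captured from a real deployment. PowerShell 3.0 or later.

```powershell
function Test-WqlQuoteBalance {
    param([Parameter(Mandatory)][string]$Query)
    # A WQL string literal has to be closed, so an odd number of double quotes
    # means one of them is orphaned.
    $quotes = [regex]::Matches($Query, '"').Count
    return (($quotes % 2) -eq 0)
}

function Find-UnbalancedQueriesInSmstsLog {
    param([Parameter(Mandatory)][string]$LogText)
    # Each record is <![LOG[message]LOG]!><time=...>; the engine writes the
    # query verbatim after "Query=", so grab everything up to the record end.
    foreach ($m in [regex]::Matches($LogText, 'Query=(?<q>.*?)\]LOG\]!>')) {
        $q = $m.Groups['q'].Value
        if (-not (Test-WqlQuoteBalance -Query $q)) {
            [pscustomobject]@{ Source = 'smsts.log'; Query = $q }
        }
    }
}

function Find-UnbalancedQueriesInTsExport {
    param([Parameter(Mandatory)][string]$XmlText)
    # The export is well-formed XML: the stray quote is just a character inside
    # an element value, so an XML validator passes it and only counting the
    # quotes inside each query value finds the fault.
    [xml]$doc = $XmlText
    $xpath = '//expression[@type="SMS_TaskSequence_WMIConditionExpression"]/variable[@name="Query"]'
    foreach ($node in $doc.SelectNodes($xpath)) {
        if (-not (Test-WqlQuoteBalance -Query $node.InnerText)) {
            [pscustomobject]@{ Source = 'TS export'; Query = $node.InnerText }
        }
    }
}

# Constructed sample inputs (not real captures), modelled on the log line above:
# the first record carries the orphaned quote, the second is correct.
$sampleLog = @'
<![LOG[Query=SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE "%ThinkPad%%X240%]LOG]!><time="14:57:54.052+240" date="03-20-2014" component="TSManager" type="1">
<![LOG[Query=SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE "%ThinkPad%%T440%"]LOG]!><time="14:57:55.052+240" date="03-20-2014" component="TSManager" type="1">
'@

# Constructed export fragment with the same faulty condition on one step.
$sampleExport = @'
<sequence>
  <step name="Install X240 drivers">
    <condition>
      <expression type="SMS_TaskSequence_WMIConditionExpression">
        <variable name="Namespace">root\cimv2</variable>
        <variable name="Query">SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE "%ThinkPad%%X240%</variable>
      </expression>
    </condition>
  </step>
</sequence>
'@

Find-UnbalancedQueriesInSmstsLog -LogText $sampleLog
Find-UnbalancedQueriesInTsExport -XmlText $sampleExport

# Against real files:
# Find-UnbalancedQueriesInSmstsLog -LogText (Get-Content .\smsts.log -Raw)
# Find-UnbalancedQueriesInTsExport -XmlText (Get-Content .\MyTaskSequence.xml -Raw)
```

Run the export check before deploying a task sequence; it catches the problem without having to pause a deployment and rename log files.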

SCCM 2012 SP1 task sequence hangs indefinitely during Install Package step

posted Feb 19, 2015, 5:30 AM by Adrian P   [ updated Feb 20, 2015, 7:17 AM ]

October 29, 2013 / adrian posted in Infrastructure, Operating System Deployment, Planet CDOT

If you’re experiencing an issue with your SCCM 2012 SP1 task sequence hanging randomly at an Install Package/Updates step, run the following VBScript as a step in the deployment task sequence after the Setup Windows and ConfigMgr step (followed by a Restart):

' Delete any queued client maintenance task requests that were captured with
' the image; a stale request is what stalls the next Install Package step.
strComputer = "."
Set objSWbemServices = GetObject("winmgmts:\\" & strComputer & "\root\ccm")
Set colSWbemObjectSet = objSWbemServices.InstancesOf("SMS_MaintenanceTaskRequests")
For Each objSWbemObject In colSWbemObjectSet
    strInstance = "SMS_MaintenanceTaskRequests.TaskID='" & objSWbemObject.TaskID & "'"
    objSWbemServices.Delete strInstance
Next

Note: applying this in the build and capture TS does not get rid of the issue

This issue occurs when deploying a newly captured (usually less than 12 hours old) Windows 7 SP1 image using SCCM 2012 SP1.

Waiting 12h+ before deploying the image also seems to be a workaround.

Users have reported that the issue persists with 2012 SP1 CU1 as well, and Microsoft is looking into a fix.

SCCM 2012 Could not connect or execute SQL query setup error

posted Feb 19, 2015, 5:29 AM by Adrian P   [ updated Feb 20, 2015, 7:07 AM ]

July 10, 2012 / adrian posted in Infrastructure, Operating System Deployment, Planet CDOT

I’ve managed to deploy the latest version of SCCM 2012 in the lab, but not without a few issues. Most notably the generic, not-very-helpful "could not connect or execute SQL query" error.

The first thing you do in this case is check the setup logs. Connections to INSTANCE\master were successful but setup still reported failure. I was able to telnet on port 1433, as per remote SQL instance requirements, and that was successful as well.

..but still:

If you’ve seen this before and Google’d it, no doubt you've come across the TechNet article on the SQL Server prerequisites. This didn’t help me, as I was able to check all those items off and still run into the issue.

The lab SQL server has multiple instances and multiple IPs. Each instance is configured to listen on port 1433 for a specific IP, so naturally I turned off Listen All. The dynamic ports feature was also disabled by clearing the settings in SQL Server Configuration Manager MMC.

So.. I can telnet to 1433 using the SQL server’s FQDN, I can connect to it using Management Studio and the permissions are all correct.. what’s the problem? This same error popped up for both Standalone Primary Site installations and Central Administration Site (CAS) installations.

Well it turns out that the IPAll setting in SQL Server Config Manager MMC (SQL Server Network Config -> Protocols for INSTANCE -> TCP/IP Properties) must be set to 1433 even if Listen All is set to No:

Presumably the Setup Wizard uses this value to figure out which port the instance is listening on, in order to open a second connection and initialize the database. I had this field cleared because Listen All was disabled.

Setting the value to 1433 (the port used by ConfigMgr 2012 for remote SQL server instance installations) fixed the issue and I was able to install SCCM 2012.

Note: setting the IPAll value while Listen All (in the Protocol tab) is disabled does not force SQL server to listen on (IPAll LISTEN).
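The combination that tripped setup above (Listen All = No with an empty IPAll TcpPort) can be checked straight from the registry before running the ConfigMgr installer. This is an added example, not code from the original post: it reads the TCP/IP protocol settings that SQL Server Configuration Manager stores under SuperSocketNetLib\Tcp (the value names ListenOnAllIPs, Enabled, TcpPort, TcpDynamicPorts and IpAddress are the ones SQL Server uses). The instance registry name is an assumption the caller supplies, e.g. MSSQL11.INSTANCE for a SQL Server 2012 named instance, and the server name in the usage line is a placeholder.

```powershell
function Get-SqlTcpConfig {
    param(
        [Parameter(Mandatory)][string]$InstanceRegName,   # e.g. 'MSSQL11.INSTANCE' (assumed)
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $path = "SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceRegName\MSSQLServer\SuperSocketNetLib\Tcp"
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $tcp  = $hklm.OpenSubKey($path)
    if (-not $tcp) { throw "No TCP/IP protocol key at HKLM\$path on $ComputerName" }
    $ipAll = $tcp.OpenSubKey('IPAll')
    if (-not $ipAll) { throw "No IPAll subkey under HKLM\$path" }

    $config = [ordered]@{
        ListenAll        = ([int]$tcp.GetValue('ListenOnAllIPs') -eq 1)
        TcpEnabled       = ([int]$tcp.GetValue('Enabled') -eq 1)
        IPAllStaticPort  = [string]$ipAll.GetValue('TcpPort')
        IPAllDynamicPort = [string]$ipAll.GetValue('TcpDynamicPorts')
        PerIpListeners   = @()
    }
    # IP1..IPn hold the per-address settings that apply when Listen All is No.
    foreach ($name in ($tcp.GetSubKeyNames() | Where-Object { $_ -ne 'IPAll' })) {
        $ip = $tcp.OpenSubKey($name)
        if (([int]$ip.GetValue('Enabled') -eq 1) -and ([int]$ip.GetValue('Active') -eq 1)) {
            $config.PerIpListeners += ('{0}:{1}' -f $ip.GetValue('IpAddress'), $ip.GetValue('TcpPort'))
        }
    }
    [pscustomobject]$config
}

function Test-ConfigMgrSqlTcp {
    param([Parameter(Mandatory)]$Config, [int]$ExpectedPort = 1433)
    # Returns the findings ConfigMgr setup would trip over; an empty result
    # means the port layout matches what the setup wizard reads.
    $findings = @()
    if (-not $Config.TcpEnabled) { $findings += 'TCP/IP protocol is disabled' }
    if (-not $Config.ListenAll -and -not $Config.IPAllStaticPort) {
        $findings += 'Listen All is No and IPAll TcpPort is empty; setup still reads IPAll, set it to the listening port'
    }
    if ($Config.IPAllStaticPort -and $Config.IPAllStaticPort -ne "$ExpectedPort") {
        $findings += "IPAll TcpPort is $($Config.IPAllStaticPort), expected $ExpectedPort"
    }
    if ($Config.IPAllDynamicPort) {
        $findings += "IPAll TcpDynamicPorts is '$($Config.IPAllDynamicPort)'; a static port is required"
    }
    foreach ($listener in $Config.PerIpListeners) {
        if ($listener -notmatch ":$ExpectedPort$") { $findings += "Per-IP listener $listener is not on port $ExpectedPort" }
    }
    return $findings
}

# Usage (placeholder server and instance names):
# $cfg = Get-SqlTcpConfig -InstanceRegName 'MSSQL11.INSTANCE' -ComputerName 'sql01'
# $cfg
# Test-ConfigMgrSqlTcp -Config $cfg -ExpectedPort 1433
```

Reading a remote server needs the Remote Registry service and local admin rights there; run it on the SQL host itself otherwise. The check only reports what the registry says, so pair it with the telnet test from above to confirm the instance is actually listening.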

Force Google Chrome Incognito mode

posted Feb 19, 2015, 5:27 AM by Adrian P   [ updated Feb 19, 2015, 9:27 AM ]

February 10, 2012 / adrian posted in Development, Planet CDOT, Security

Much like its competitors, Chrome allows an Incognito mode which will discard any browser data after the session ends. This is great, however there is no way (that I could find) to tell Chrome to always start in this mode. Yes, you can change the shortcut on your desktop and add the -incognito switch, but this is not always invoked. If Chrome is your default browser, Start > Run with a URL will not launch it in Incognito mode. If any application starts the browser without using the shortcut (through protocol or file associations), the browser will start in normal mode.

There is no .conf or .ini or .json file you can edit to tell Chrome to always start in Incognito mode, which seems like a strange omission from the Chrome dev team. By altering a few default settings, FF and IE can be told to remove all traces of browser data upon exiting. The only thing in Chrome that comes close is under Privacy > Cookies. You can remove all cookies and “other site data” when exiting the browser, but this is not the equivalent of Ctrl + Shift + Del.

What we can do is modify some registry settings and tell Windows to start a batch file instead of the chrome.exe main application. When Chrome is made the default browser, among other things, it modifies a few registry keys to tell Windows where to go when associating a protocol with an application (in our case: HTTP and HTTPS).

So let’s tell it to use chrome.cmd instead of chrome.exe:

Windows Registry Editor Version 5.00

; each line below is the (Default) value of one of Chrome's shell\open\command keys;
; the key paths themselves are not shown here
@="\"C:\\Tools\\start_chrome_incognito.cmd\" -- \"%1\""
@="\"C:\\Tools\\start_chrome_incognito.cmd\" -- \"%1\""
@="\"C:\\Tools\\start_chrome_incognito.cmd\" -- \"%1\""
@="\"C:\\Tools\\start_chrome_incognito.cmd\" %1"

Save this as chrome_file_association_fix.reg and run it. Environment variables don't work in this value: @="..." in a .reg file writes a plain REG_SZ, which the shell uses literally, and only a REG_EXPAND_SZ value gets %VAR% expansion when the command is launched. That is why the expandable path lives in the batch file instead.

You cannot add the switches directly to the registry key. This would be more convenient since it wouldn’t require a separate batch file to maintain, but this breaks the host process that attempts to start the application.

Create a start_chrome_incognito.cmd in your C:\Tools folder and put this into it:

@echo off
start /D"%LocalAppData%\Google\Chrome\Application" chrome.exe -incognito --purge-memory-button --memory-model=low %*
:: for XP use the following
:: start /D"%AppData%\Google\Chrome\Application" chrome.exe -incognito --purge-memory-button --memory-model=low %*

Add whatever options you want before %* and you should be good to go. If you are still on Windows XP, upgrade. If you can’t upgrade, make sure you use the appropriate path to chrome.exe in your batch file. One caveat: this batch file now runs for every URL or HTML file the system opens, so keep it in a directory that only administrators can write to; a user-writable C:\Tools turns it into a persistence spot for anything that can drop a file there.

Now when you start Chrome using something like Start > Run > you will be browsing in Incognito mode.

Hacky but it works.

Google, please add an option to do this natively, thanks.

SCCM Task Sequence editor "Too many steps" error

posted Feb 19, 2015, 5:23 AM by Adrian P   [ updated Feb 20, 2015, 11:46 AM ]

September 12, 2011 / adrian posted in Operating System Deployment, Planet CDOT

Earlier today I was playing around with ConfigMgr 2007 and editing a fairly large task sequence (a couple of hundred steps). When I attempted to save, I got the following error:

I googled around and saw suggestions to adjust the WMI provider’s memory allocation, restart the WMI service and even re-integrate MDT with SCCM.

I restarted the WMI services but the error did not go away. SMSAdminUI.log recorded the following messages:

instance of SMS_ExtendedStatus
Description = "Invalid sequence input parameters - task sequence not found.";
ErrorCode = 1078462229;
File = "c:\qfe\nts_sms_fre\sms\siteserver\sdk_provider\smsprov\ssptspackage.cpp";
Line = 2711;
Operation = "ExecMethod";
ParameterInfo = "SMS_TaskSequencePackage";
ProviderName = "WinMgmt";
StatusCode = 2147749889;

“task sequence not found”??

I duplicated the task sequence from the console and was able to make changes, add steps and save the newly created TS. Exporting the troublesome TS also revealed that the task sequence was under the 4MB limit (only about 200kb).

After editing the duplicate task, I shut down all instances of MMC, restarted the WMI/SMS Agent Host services and was able to edit the task sequence once more.

SCCM upstream SUP and downstream SUP fail SSL/TLS negotiation

posted Feb 19, 2015, 5:20 AM by Adrian P   [ updated Feb 20, 2015, 11:44 AM ]

May 4, 2011 / adrian posted in Infrastructure

I have two SCCM SUP systems, one is the top and the other is downstream. The SCCM infrastructure is operating in Native Mode and all WSUS synchronizations and configurations happen over HTTPS.

The internal SUP (SKN01) is the site server and has a site system in the DMZ (DMZ01) which it uses as a SUP for external IBCM clients. I had a look at the system status a couple of days ago only to see the SMS_WSUS_CONFIGURATION_MANAGER component had gone critical with this message all over the place:

WSUS Configuration Manager failed to configure upstream server settings on WSUS Server "Internal".
Possible cause: WSUS Server version 3.0 SP1 and above is not installed or cannot be contacted.
Solution: Verify that the WSUS Server version 3.0 SP1 or greater is installed. Verify that the IIS ports configured in SMS are same as those configured on the WSUS IIS website.

I looked at WCM.log to see exactly which server it was failing to configure. To reproduce the error I started and stopped the SMS_WSUS_CONFIGURATION_MANAGER component using the ConfigMgr Service Manager tool.

WCM.log showed the initial connection to the primary SKN01 SUP as successful with a fairly odd .NET exception following:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --->
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.~~
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)~~
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)~~
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)~~ at

Basically, this meant that whatever WSUS server the primary was attempting to connect to (it wasn’t exactly specific…) was failing to negotiate SSL and aborting. FYI, I used ProcMon to figure out which WSUS server it was connecting to during the failure. It turned out to be DMZ01.

This was odd because WSUS synchronization and configuration had worked for a while and seemingly overnight the certificate became invalid? Not likely. I checked the machine certificates and their trust chain and it all seemed in order on both servers.

I remembered that recently I was troubleshooting an issue with the Management Point and I had removed the Intranet FQDN from the site system in the DMZ (the IBCM SUP server, DMZ01).

It turns out all I had to do was enter the Intranet FQDN in the DMZ site system’s properties (DMZ01) and all was well. If you’re still experiencing issues after entering the FQDN, remove the SUP from the DMZ site and re-add it.

Who knew that removing this FQDN would cause the WSUS configuration to fail. I guess the internal SUP uses the supplied internal FQDN by the DMZ site system to validate the web server certificate supplied by WSUS?

So yeah.. make sure you configure both the Intranet and Internet FQDNs in the DMZ site system’s properties. Make sure they match the web server certificate’s SAN (Subject Alternative Name).
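An added check (example code, not part of the original post) for exactly that: pull the certificate a site system actually presents on its HTTPS port and compare its CN and SAN DNS names with the intranet and internet FQDNs configured on the site system. The host names in the usage lines are placeholders. Matching is exact, so a wildcard SAN would need its own rule, and the validation callback deliberately accepts any certificate because the point is to read it, not to trust it.

```powershell
function Get-CertificateDnsNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # OID 2.5.29.17 is Subject Alternative Name; Format($true) renders one "DNS Name=host" per line.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    $names | Select-Object -Unique
}

function Get-ServerCertificateNames {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: we only want to inspect the certificate here.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Get-CertificateDnsNames -Certificate $cert
    } finally {
        $client.Close()
    }
}

function Test-SiteSystemCertificateNames {
    param([string[]]$CertificateNames, [Parameter(Mandatory)][string[]]$RequiredFqdns)
    # Returns the configured FQDNs the certificate does not cover; empty means all good.
    $RequiredFqdns | Where-Object { $CertificateNames -notcontains $_ }
}

# Usage (placeholder names): the intranet FQDN the internal SUP uses and the
# internet FQDN IBCM clients use both have to be on the DMZ site system's certificate.
# $names = Get-ServerCertificateNames -HostName 'dmz01.corp.example.com' -Port 443
# Test-SiteSystemCertificateNames -CertificateNames $names -RequiredFqdns 'dmz01.corp.example.com','dmz01.example.com'
```

Run it from the site server so the connection takes the same path WCM does; a name missing from the output is the one to add to the certificate request (or to the site system properties, if it is the other way round).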

SCCM Task Sequence editor fails to find the MDT Toolkit package

posted Feb 19, 2015, 5:14 AM by Adrian P   [ updated Feb 20, 2015, 11:48 AM ]

April 19, 2011 / adrian posted in Infrastructure, Operating System Deployment

I’ve recently encountered an issue with an MDT integrated System Center Configuration Manager 2007 SP2 R3 installation. In a non-MDT task sequence, if you disable the parent group of the Use Toolkit Package step, the SCCM task sequence editor reports an error in locating the package:

You can re-select the package from your list and the (X) goes away until you click Apply or re-open the TS editor.

Workaround: If you disable the Use Toolkit Package step itself, the package is found and there is no error reported by the editor:

This is not exactly a blocker and there is a quick and dirty workaround but may prove tedious on more complex task sequences.

I’ve experienced this issue on two separate System Center Configuration Manager 2007 SP2 R3 installations, both MDT 2010 Update1 integrated:
  • Windows Server 2008 x86
  • Windows Server 2008 R2 x64

Batch rename files with PowerShell and Regular Expressions

posted Feb 19, 2015, 5:12 AM by Adrian P   [ updated Feb 19, 2015, 8:39 AM ]

April 18, 2011 / adrian posted in Development, Infrastructure, Planet CDOT

There have been a few times in the past where I've had to rename a large number of files for various reasons (ie: remove a common piece of text from the name) and I’ve always resorted to PowerShell.

Piping dir into a where and matching the files I wanted to rename was effective but tedious. Cue the mass_rename.ps1 script:

# mass_rename.ps1 <ext> <dir> <what> <with> [-whatif]
# <what> is a regular expression matched against the file name; <with> is the replacement.
$ext    = $args[0];
$dir    = $args[1];
$what   = $args[2];
$with   = $args[3];
$whatif = $args[4];
$count  = 0;

if ($args.length -lt 4) {
    write-host "Invalid parameters" -fore red;
    write-host " .\mass_rename.ps1 <ext> <dir> <what> <with> [-whatif]";
    write-host " Example (don't do any replacing, -whatif):";
    write-host " .\mass_rename.ps1 .docx c:\Documents 'version 1\.1' 'version 1.2' -whatif";
    exit 1;
}

# Only files with the requested extension whose name matches the pattern.
ls -recurse -path $dir | ? {
    ($_.extension -ieq $ext) -and ($_.name -imatch $what)
} | % {
    if ($whatif -eq "-whatif") {
        write-host ("whatif: '" + $_.fullname + "' -> '" + ($_.name -ireplace $what, $with) + "'");
    } else {
        $from = $_.fullname;
        $to = ($_.name -ireplace $what, $with);
        # Rename in place; -force overwrites an existing file of the new name.
        mv -literalpath $from -destination ($_.directoryname + "\" + $to) -force;
        write-host "Renamed '$from' -> '$to'" -fore yellow;
    }
    $count++;
}

write-host "Done. Processed $count files." -fore green

The script accepts 4 parameters with an optional -whatif as the 5th. Fairly self-explanatory, with one mention: the $what parameter is a regular expression. Keep this in mind when, for example, you are trying to match a period (.): you have to escape it, as in the example usage ('version 1\.1').

The -whatif parameter only outputs the before and after file names without modifying the files themselves. Run with it first anyway: the real pass uses mv -force, so if two files in the same directory map to the same new name, the second silently overwrites the first.

That’s it, set the execution policy (RemoteSigned is enough for a local script; there is no need for Unrestricted) and enjoy.

Exchange SMTP Send Connector on a port other than 25

posted Feb 19, 2015, 5:10 AM by Adrian P   [ updated Feb 19, 2015, 8:48 AM ]

February 18, 2011 / adrian posted in Infrastructure

I’ve setup an Exchange 2007 SP1 server recently to sync with a few remote Exim POP/IMAP accounts, in order to provide push email to my new Windows Phone 7. After battling with certificate issues, I managed to sync the phone to the Exchange server with all of the accounts I wanted. Email was being pushed, all was well. The only issue was.. sending email using the ActiveSync accounts on WP7.

By default Exchange 2007 does not relay messages to remote domains. You have to create an SMTP Send Connector for all domains (*, or specific domains if you wish) on the Hub Transport Role server. This is all well and good... but my ISP blocks all outgoing connections to port 25. If you’re using the GUI to create this connector you won't have the option to modify this port number.

Say my connector name was “All Email”; I would type this in the Exchange Management Shell:

Set-SendConnector -Identity "All Email" -Port 2525

And that’s that. Exchange can talk to my Exim server and relay messages to the outside world. Since the connector now hands mail to a host across the internet on a non-standard port, set -RequireTLS $true on it as well (Set-SendConnector accepts it alongside -Port) so the relay hop isn't sent in the clear.

To see the current port assigned to the “All Email” connector type in the Exchange Management Shell:

(Get-SendConnector -id "All Email").Port

Restoring /usr/bin with rpm and yum

posted Feb 19, 2015, 5:09 AM by Adrian P   [ updated Feb 20, 2015, 7:02 AM ]

January 6, 2011 / adrian posted in Planet CDOT

I was recently writing a Makefile for cramfs, specifically the distclean and install sections. The installation would copy the program binaries to /usr/bin while the cleanup would remove them… simple enough right?

I wrote a for loop to go through $(PROGS) and remove them from $(INSTLOC):

INSTLOC = /usr/bin
PROGS = mkcramfs cramfsck

all: $(PROGS)

# bug kept as written: make expands $p itself (to nothing), the shell never sees it
distclean clean:
	for p in $(PROGS); do \
		rm -rf $p $(INSTLOC)/$p; \
	done


The problem was that I ran this as root (tsk tsk), and since make expands $-references itself (a shell variable in a recipe must be written $$p, not $p), the rm command translated to this:

rm -rf /usr/bin/

Great! So now I had no binaries in /usr/bin, which includes: yum, bash, crontab, python, perl… (800+ on a minimal install).

Since I only deleted the binaries, the programs were still listed as installed in the RPM database. The first thing I had to do was re-install yum and its dependency python (which also lives in /usr/bin):

[root@demon ~]# mount /dev/sr0 /media/cdrom
[root@demon ~]# cd /media/cdrom/Packages
[root@demon ~]# rpm -Uvh --force python-2.6.5-3.el6.i686.rpm
[root@demon ~]# rpm -Uvh --force yum-3.2.27-14.el6.noarch.rpm

The next step was to figure out which packages had binaries in /usr/bin so I can reinstall them:

[root@demon ~]# rpm -qf $(rpm -qla | grep ^/usr/bin) | sort -u

… and finally send those to yum to do a reinstall and get the binaries back:

[root@demon ~]# yum reinstall $(rpm -qf $(rpm -qla | grep ^/usr/bin) | sort -u)
[root@demon ~]# ls -la /usr/bin|wc -l
[root@demon ~]#

… crisis averted! Snapshot time.

One last note: If you manually installed third-party RPMs (not listed in the repositories under /etc/yum.repos.d/), they will not be re-installed. You can re-install these one by one using the rpm -Uvh command above. Keep in mind that if these RPMs have not undergone proper QA they may overwrite your current configuration files.

You can run these RPMs through rpmlint to see if they produce any warnings or errors that may cause a problem when re-installing:

[root@demon ~]# rpmlint -iv iplog-2.2.1-1_RH7.i386.rpm
iplog.i386: W: conffile-without-noreplace-flag /etc/iplog.conf
A configuration file is stored in your package without the noreplace flag. A
way to resolve this is to put the following in your SPEC file:
%config(noreplace) /etc/your_config_file_here
[root@demon ~]#
