Tag Archives: Microsoft

While packaging a few Intel drivers (video driver, USB 3.0, chipset, management engine components, etc.) for our HP laptops, I noticed that each of the driver downloads contained a file named “mup.xml”. This file contains, among other things, information about valid command line switches for the setup.exe installer.

A snippet of the mup.xml file for our video driver is below. Some valid command line switches (which I haven’t fully tested) that appear within the file are:

/v = extract drivers (providing a double-quote encapsulated path is optional)
/s = unattended (silent install)
/? = help
/overwrite = force (install over previous installation)
/report = change the log file location from the default (C:\Intel) by providing double-quote encapsulated path

It seems that using a dash/hyphen in place of the forward slash is also acceptable. Ex.: /silent or -silent are both valid.

The mup.xml file also contains information on non-zero exit codes that may be returned by the installer. So far, I’ve encountered exit code 14, REBOOT_REQUIRED, a few times.

  <executable>
    <executablename>setup.exe</executablename>
  </executable>
  <behaviors>
    <behavior name="freshinstall">
      <vendoroption>
        <optionvalue switch="/" requiresvalue="false">s</optionvalue>
      </vendoroption>
    </behavior>
    <!--Driver Only Package, Installer Doesn't need to support
    <behavior name="driveronly">
      <vendoroption>
         <optionvalue switch="/" requiresvalue="false"></optionvalue>
      </vendoroption>
    </behavior>
      <behavior name="applicationonly">
      <vendoroption>
         <optionvalue switch="/" requiresvalue="false"></optionvalue>
      </vendoroption>
    </behavior>
    -->
    <behavior name="extractdrivers">
      <vendoroption>
        <container>
          <containervalue switch="/" requiresvalue="false" valuedelimiter=" " enclose="&quot;">v</containervalue>
          <optionvalue switch="" requiresvalue="true" valuedelimiter="=" enclose="\&quot;">ExtractDrivers</optionvalue>
        </container>
      </vendoroption>
    </behavior>
    <behavior name="attended" />
    <behavior name="help">
      <vendoroption>
        <optionvalue switch="/" requiresvalue="false">?</optionvalue>
      </vendoroption>
    </behavior>
    <behavior name="unattended">
      <vendoroption>
        <optionvalue switch="/" requiresvalue="false">s</optionvalue>
      </vendoroption>
      <!-- The DUP will Restart the system
      <vendoroption>
        <optionvalue switch="/" requiresvalue="false">b</optionvalue>
      </vendoroption>
      -->
    </behavior>
  </behaviors>
  <parameters>
    <parametermapping name="force">
      <vendoroption>
        <optionvalue switch="/" requiresvalue="false">overwrite</optionvalue>
      </vendoroption>
    </parametermapping>
    <parametermapping name="logfile">
      <vendoroption>
        <optionvalue switch="/" requiresvalue="true" valuedelimiter=" " enclose="&quot;">report</optionvalue>
      </vendoroption>
    </parametermapping>
  </parameters>
  <returncodes>
    <returncodemapping name="REBOOTING_SYSTEM">
      <vendorreturncode>15</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="PASSWORD_REQUIRED">
      <vendorreturncode>2</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="NO_DOWNGRADE">
      <!--Always able to DownGrade, Installer Doesn't need to support-->
      <vendorreturncode>9999</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="REBOOT_UPDATE_PENDING">
      <!--Installer only Reboots Once, Installer Doesn't need to support-->
      <vendorreturncode>9999</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="DEP_SOFT_ERROR">
      <vendorreturncode>7</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="DEP_HARD_ERROR">
      <vendorreturncode>5</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="SUCCESS">
      <vendorreturncode>0</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="ERROR">
      <vendorreturncode>10</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="REBOOT_REQUIRED">
      <vendorreturncode>14</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="ERROR_INSTALL_PLATFORM_UNSUPPORTED">
      <vendorreturncode>3</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="UNKNOWN_OPTION">
      <vendorreturncode>1</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="ERROR">
      <vendorreturncode>9</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="ERROR">
      <vendorreturncode>6</vendorreturncode>
    </returncodemapping>
    <returncodemapping name="ERROR">
      <vendorreturncode>4</vendorreturncode>
    </returncodemapping>
  </returncodes>

So far, I’ve had good luck with the command: setup.exe /s /overwrite.

I have been working on some unattended installation scripts for applications to be deployed through an SCCM OSD task sequence that builds our Windows 10 workstations. Happily, many of the lessons learned with Windows 7 are directly applicable to Windows 10. However, Windows 10 has made a significant change to the way applications are able to set themselves as the default application for handling certain file types.

Recently, I’ve been working on migrating our Adobe Acrobat XI package from Windows 7 to Windows 10. Among the first things we noticed was that in Windows 10, Microsoft Edge remained the default handler for the .PDF file extension, even though we had configured Acrobat to be the default handler through the Adobe Customization Wizard. This discovery led to much investigation about the changes in Windows 10 that are purportedly intended to protect a user’s choice of applications. I’m not altogether sold on this as a way of protecting user choice, as it seems more like it’s trying to force users into using the application of Microsoft’s choice rather than the one the user has installed.

A good technical explanation of the changes to the registry employed by Windows 8 and later to protect certain file extensions can be found in this post: http://appsensebigot.blogspot.co.uk/2015/10/deploying-per-user-file-type.html. To quickly summarize, since Windows 7, Microsoft has added a new registry subkey, named “UserChoice”, to certain file extensions under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts, and the contents of the UserChoice subkey dictate the default application for opening the file type. The contents of the UserChoice subkey are protected from modification by a Deny permission applied to the current user’s account. Unfortunately, the workaround for Windows 8/Server 2012 R2 described in the post does not seem to work in Windows 10.

Let’s use Regedit to look at the registry entries for the .PDF file extension at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf. Out of the box, Windows 10 will set the contents of the UserChoice subkey to have the Progid value point to Microsoft Edge, referenced by its Windows application ID. The Hash value will contain a data that seems to be generated from the current user’s username, the computer name and the application, meaning that it will be unique for each user/computer/application combination. Thus, it would be difficult, and foolish, to try to calculate that value ourselves. You’ll also notice that you cannot change the data of the Progid or Hash values through Regedit. If you right-click the .pdf key and choose Permissions, you’ll see that the current user has special permissions assigned. Clicking on the Advanced button will show you that the current user is prevented from setting values under the UserChoice key by way of a Deny permission entry.

All of this makes things look pretty bleak.

But Microsoft has not forgotten about us system administrators. They have provided a way forward!

The best description I’ve found of Microsoft’s horrible, short-sighted method for system administrators to get around the UserChoice keys and set default application file associations can be found at this TechNet blog post: http://blogs.technet.com/b/mrmlcgn/archive/2013/02/26/windows-8-associate-a-file-type-or-protocol-with-a-specific-app-using-a-gpo-e-g-default-mail-client-for-mailto-protocol.aspx. There are many reasons why this method is unusable, but a very obvious one is that it isn’t graceful for deploying different combinations of default applications to different users. It’s completely unwieldy for configuring a multi-user XenApp server where users may have different default applications for the same file extension. It’s also clunky when it comes time to deploy a new version of an application that has been previously configured, as we would need to know which other extensions have been configured for that computer in the past before we change the handler to new application. Read the comments if you are curious about how your fellow sysadmins feel about this method.

A better method would avoid these problems and enable us to configure default applications per-user. So let’s engineer something.

The first thing we need to do is somehow deal with that UserChoice key. While we are not able to change the values under the key, the permissions allow us to delete the UserChoice key itself, with a catch. The catch is that we can’t use a simple REG DELETE command to delete the UserChoice key as it returns an “ERROR: Access is denied.” response. Trying REG DELETE against the parent subkey, .pdf, will delete everything except for the UserChoice key. Watching this process with Sysinternals Process Monitor shows that reg.exe tries to open the UserChoice key while requesting “All access”, which it won’t receive. But we can use REG IMPORT to import a .REG file that deletes the key. So far, it appears that deleting the key one time prevents it from returning at subsequent logons, so long as you have a local Windows profile to log on to. If you are using a mandatory profile, I expect that the key will be created at each logon and you’ll need to delete it at each logon.

I have found that when the UserChoice key is absent, the settings under the file type key are honored.

Once we’ve dealt with that UserChoice key, setting the remaining registry values under the extension key that configure the default application is straight-forward and familiar.

An example of the registry method for Adobe Acrobat Pro DC

By way of example, below is a .REG file that I am using to configure Adobe Acrobat Pro DC (also known as Acrobat 2015) as the default application for .PDF files. This file will delete the entire .pdf subkey to get rid of the UserChoice key and any other values that would set Microsoft Edge to be the default handler and then configure the values under the OpenWithList and OpenWithProgids keys to make Acrobat Pro DC the default handler.

Windows Registry Editor Version 5.00

;Delete the .pdf key under FileExts to clear the Microsoft Edge application association (which is the default handler for .pdf) and the UserChoice subkey.
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf]

;Configure the .pdf key under FileExts to set Acrobat as the default handler.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList]
"a"="Acrobat.exe"
"MRUList"="a"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids]
"Acrobat.Document.2015"=hex(0):

One way of deploying these settings would be to drop this .REG file onto the computer or a share on your network, then create a GPP Registry item, set to “Apply once and do not reapply”, that creates a value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce to launch the command C:\Windows\System32\reg.exe IMPORT <path-to-REG-file>. At the user’s next logon, the RunOnce key will cause reg.exe to import the .REG file that deletes the UserChoice key and configures the default application. A nice advantage to using using the GPP Registry item is that it can be item-level targeted to a situation, for example, to an AD security group of users or to users logged onto computers with a certain application installed.

In my experience, the end result is that the user sees the correct Adobe Acrobat icon for .PDF files and double-clicking a .PDF file launches it in Adobe Acrobat without any prompting to set Acrobat as the default application for opening PDFs.

Over the Thanksgiving weekend, I upgraded one of my computers from Windows 7 to Windows 10 using Windows Update. It had been nagging me to upgrade for awhile and I finally gave in and did it. The upgrade appeared to go smoothly, but when I logged on to Windows 10 for the first time, I realized that I didn’t have any of my settings or files. I checked the Application event log and sure enough, I was logged in with a TEMP profile.

I Googled this a bit, thinking that perhaps it has happened to a few other people who could point me to a quick resolution, but it didn’t seem to be a common problem. Also, the proposed fixes (like running sfc /scannow didn’t strike me as being very promising.

So I open the Local Users and Groups manager (lusrmgr.msc) and checked the group membership of my account. I found that it was a member of the Administrators group and a HomeUsers group, but not a member of the Users group. I checked a Windows 10 computer that I had built from the 10240 build ISO as a clean install and didn’t find a HomeUsers group at all. Back on the problem computer, I added my broken account to the Users group, restarted, and logged in. This time, Windows took my account through the typical first-run setup stuff and then loaded the correct profile, with all of my settings and files from Windows 7 intact.

So, if you run into the problem where an account on a recently upgraded Windows 10 computer is missing settings and files, check the group membership. If the account is not a member of the Users group, you will not be able to log in properly. Add the account to that group, logout and then log back in. Your problem should be fixed

Today I learned that Microsoft Edge on Windows 10 does work with an Enterprise Mode Site List after all. I had been trying in vain for weeks (off and on) to get it to redirect into Internet Explorer those sites that I had configured to do so through the Enterprise Mode Site List XML file. As far as I could tell, I was correctly using the Group Policy setting “Allows you to configure the Enterprise Site list”, providing a valid UNC path to the sites.xml file on our DFS. No matter how I configured the contents of the file, Edge simply would not perform the redirection. The redirection would work flawlessly if I configured the Group Policy setting “Sends all intranet traffic over to Internet Explorer”, but I didn’t want to open all of our intranet sites in IE, and there were plenty of Internet sites that I wanted to open in IE.

Internet Explorer 11 on Windows 7 had been successfully retrieving the sites.xml file via a UNC path, rather than an URL, for months. Furthermore, Internet Explorer 11 on Windows 10 was able to retrieve the file via UNC path. Running short of new things to try, on a whim, I copied the sites.xml file to a web server and provided the path in the Group Policy setting as an HTTP address, and lo and behold, Edge happily loaded the file and redirected users to Internet Explorer.

To be sure I wasn’t making up the ability to use a UNC path, I checked the TechNet article Use Enterprise Mode to improve compatibility, which is part of the Microsoft Edge – Deployment Guide for IT Pros. It clearly states that the SiteList value at HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode accepts a UNC path, and this is what was being created by my Group Policy setting. However, the Group Policy setting’s field, into which you enter the path, asks for a URL. So, perhaps the TechNet document is wrong. Maybe the editor simply copied and pasted from the IE11 article Turn on Enterprise Mode and use a site list, and did not validate those instructions for Microsoft Edge.

Anyway, I hope that this post helps other systems administrators who may find themselves in the same situation, but I also wish that Microsoft would address this inconsistency between Edge and IE. A UNC path on our DFS (which is something within my control) is far easier for me to administer than a file on a web server (which is outside of my control).

A resource for troubleshooting System Center Configuration Manager (Current Branch) and System Center 2012 Configuration Manager Task Sequence failures through analysis of errors reported in the smsts.log file.

When an SCCM task sequence fails, errors are written to the smsts.log file. Sometimes the error is descriptive and it’s possible to quickly identify the cause of the failure. But often the error is logged as “Unspecified error (Error: 80004005; Source: Windows)”, which requires further investigation. In this post, I’ve assembled a few errors that I’ve personally encountered, along with my analysis of the cause. It’s my hope that this post can help other ConfigMgr administrators find resolutions to their problems.


Error reported in smstslog:

Invoking App Management SDK to evaluate app polices	InstallApplication
Process completed with exit code 2147500037	TSManager
!--------------------------------------------------------------------------------------------!
Failed to run the action: VP Windows 10 Default File Association. 
Unspecified error (Error: 80004005; Source: Windows)

Failed for reason:

There is a logical error or typo in the detection method. Note that in this error, the non-zero exit code line immediately follows the “… evaluate app policies” line. It suggests that the error is not with the application itself but with the data about the application.

The application may install successfully, but the detection rule cannot be evaluated successfully because it is illogical or invalid.

For example, if a registry key/value is used as the rule, the rule might be misconfigured to look for a key at “HKLM\SOFTWARE\VedderPrice\Windows 10 Default File Associations” in the HKLM hive, instead of “SOFTWARE\VedderPrice\Windows 10 Default File Associations” in the HKLM hive. (Note the extra HKLM at the beginning of the path.)

Resolution:

Edit the Detection Method for the application to correct an invalid rule.


Error reported in smsts.log:

Retrieving Application Policy Mapping:
m_mapAppPolicies.find(sAppName) != m_mapAppPolicies.end(), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installapplication\dautils.cpp,478)
App policy for 'Microsoft User Experience Virtualization (UE-V) 2.1 SP1 Generator' not received. Make sure the application is marked for dynamic app install
Policy download failed, hr=0x80004005
daUtil.DownloadPolicies(), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installapplication\dainstaller.cpp,296)
Successfully cleared App model names from TS env.
daInstaller.Execute(), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installapplication\main.cpp,260)
Process completed with exit code 2147500037
!--------------------------------------------------------------------------------------------!
Failed to run the action: Install Secondary Applications.
Unspecified error (Error: 80004005; Source: Windows)

Failed for reason:

The application in SCCM was not marked for dynamic app install, but is being installed as part of a dynamic variable list during the task sequence (the “Install applications according to dynamic variable list” option is selected in the Install Application step).

Resolution:

Edit the application’s properties and check the box labeled “Allow this application to be installed from the Installation Application task sequence action without being deployed”.


Error reported in smsts.log:

Installation job completed with exit code 0x00000000
Execution status received: 4 (Application failed to install )
Installation failed.

Failed for reason:

The application installer (in our case, the wrapper.vbs) did not error out, but the detection method could not confirm that the application installed successfully.

This is most commonly caused by a mismatch between detection method and what is actually happening during the installation. Typically, the application is installed successfully (hence the exit code 0) but the detection method is incorrectly configured (for example, there is a typo in the file path or registry key used as the detection rule).

Resolution:

Correct the detection method.


Error reported in smsts.log (on 2012 RTM/SP1 clients):

Installation job completed with exit code 0x00000000
Execution status received: 24 (Application download failed )
Installation failed.

Also (on 2012 R2 CU1 clients):

Installation job completed with exit code 0x00000000
Execution status received: 24 (Application download failed )
App install failed.

Failed for reason:

If the computer is not joined to the domain, an application may fail to download unless the Deployment Type has, under the Content tab, the Deployment option for “Select the deployment option to use when a client is within a slow or unreliable network boundary, or when the client uses a fallback source location for content.” is set to “Download content from distribution point and run locally”. If the computer is not joined to the domain, it will fail to download content if the Deployment option for slow or unreliable network boundary is set to “Do not download content”. Confirm that the OU structure exists for the computer being imaged, that the Network Service Account has rights to create computers in the destination OU, and that the computer is being added to the appropriate destination OU.

The cache may be full. Check the CAS.log and look for the entries:

----- CacheManager: Even if all currently inactive cached content was removed there would not be enough space available for the request.
Not enough space in Cache

“If a new package that must be downloaded would cause the folder to exceed the maximum size, and if the folder cannot be purged to make sufficient space available, the package download fails, and the program or application will not run.”
– https://technet.microsoft.com/en-us/library/gg699356.aspx

The Software Updates step will download hotfixes to the cache, even if those files exceeds the size limit of the cache. However, if a step later in the task sequence attempts to download content to the cache, which is now full or even over-full, the download will fail with “Not enough space in Cache”.

The cache may not have sufficient space for the application. Check the CAS.log and look for the entries:

Cache Size is too small for requested content
CreateContentRequest failed

In the CAS.log, you should see the URL of the failing application in the lines immediately above the errors. If you have access to the Right-Click Tools in the SCCM Admin Console, choosing the “Change Client Cache Size” option will display the current cache size and allow you to change it.

If cache size is the issue, consider rebuilding the WIM via a Build and Capture task sequence, but increasing the cache size via the SMSCACHESIZE parameter in the “Setup Windows and ConfigMgr” step to set the cache size. It more recent versions of the SCCM client, the SMSCACHESIZE parameter can be used in the “Setup Windows and ConfigMgr” step in an OSD task sequence to redefine the cache size.

I have also attempted to resolve this error via an Update Content on the Deployment Type, even though the application in question has not been modified since it was working successfully a few days prior. The Update Content action increments the version/revision, which may be what resolves the problem.

I would also confirm that the Boundaries look OK.

In one case, the application’s file files appeared to be successfully downloaded, and the DataTransferService.log file showed that the DTS job completed successfully a few minutes before the error appeared in smsts.log. My best guess was that the content was downloaded successfully but the task sequence engine wasn’t informed of this, although later experimentation with using a Package instead of an Application confirmed that Trend Micro OfficeScan was preventing the downloaded files from being hashed by the task sequencer. It is my hypothesis that Trend Micro OfficeScan may also have been responsible for the failure to complete the Application download, although this isn’t proven out in the logs. We revised our exclusion rules to prevent Trend from scanning the folders SCCM uses to download content.

It may be caused by the network not being ready when the TS resumes after a restart. Using a VBScript to pause TS execution for a minute or two after each restart is a proven workaround. Also, see this hotfix from December, 2014, for System Center 2012 R2 Configuration Manager: Applications may not be downloaded in System Center 2012 R2 Configuration Manager

To apply this hotfix, you must have Cumulative Update 3 for System Center 2012 R2 Configuration Manager installed.

This hotfix has been incorporated into SCCM 2012 R2 CU4 (and presumably later service packs): Description of Cumulative Update 4 for System Center 2012 R2 Configuration Manager

Resolution:

The resolution will vary based upon the actual cause, but I would recommend looking at the SMSTSAssignmentsDownloadInterval and SMSTSAssignmentsDownloadRetry task sequence variables available in System Center 2012 Configuration Manager SP1 and later. See: Task Sequence Built-in Variables in Configuration Manager

If you are still encountering this problem, I would suggest temporarily disabling your anti-virus, or creating exclusions to prevent scanning of the task sequence content download locations, and retesting.


Error reported in smsts.log:

unknown host (gethostbyname failed)
hr, HRESULT=80072ee7 (e:\nts_sccm_release\sms\framework\osdmessaging\libsmsmessaging.cpp,8738)
sending with winhttp failed; 80072ee7
Will retry in 6 second(s)
Retrying...

Failed for reason:

The NIC driver is not available to the OS, or no network can be found by the OS.

The OS may not have picked up the NIC driver during the Apply Driver Package step.

If the TS can be caught during the error, hitting F8 and then running ipconfig should return no active network adapters, confirming that there is no network.

If ipconfig does return a network, pinging the Distribution Point results in a host not found message.

Resolution:

Confirm that the proper network adapter driver is injected into the full Operating System before the task sequence reboots into the full OS.


Error reported in smsts.log:

Waiting for job status notification...
Retrying: 1 attempt
Waiting for job status notification...
Retrying: 2 attempt
Waiting for job status notification...
Retrying: 3 attempt
nRetryVal != 0, HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installapplication\installapplication.cpp,1164)
Exhausted retry attempts. Giving up.
WaitforJobCompletion(spAppMgmtSDK, m_guidPolicyEvalJobID, ulPolicyEvalTimeout, nPolicyEvalRetryAttempts), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installapplication\installapplication.cpp,986)
Step 2 out of 2 complete
Install application action failed: '<the application name goes here>'. Error Code 0x80004005
<skipping over some entries here>
Install Static Applications failed, hr=0x80004005
Process completed with exit code 2147500037

Failed for reason:

Unknown.

Resolution:

Unfortunately, I don’t have a resolution for this particular failure.


Error reported in smsts.log:

Installation job completed with exit code 0x00000000
Execution status received: 3 (Application is available for installation )
Installation failed.
Install application action failed: 'Hotfix for Microsoft Windows (KB2617858)'. Error Code 0x80004005
Sending error status message
Set authenticator in transport
Install application action cannot continue. ContinueOnErrorFlag is set to false.
Process completed with exit code 2147500037
!--------------------------------------------------------------------------------------------!
Failed to run the action: Hotfix for MS Windows (KB2617858) (Windows7). Unspecified error (Error: 80004005; Source: Windows)

Failed for reason:

Unknown. A few moments before the execution status 3, there is a line “NotifyProgress received: 4 (Application failed to install )”, indicating that the detection method did not find the application had installed.

We use a VBScript wrapper to provide a consistent method of packaging all of our applications. It appears that the application is failing when it is run from C:\Windows\ccmcache\, but the error response does not appear to be coming from the wrapper.vbs but a more generic error code from wscript (eg, some sort of invalid syntax).

In one case, the problem was resolved by deleting the content for this deployment type from a remote distribution point and redistributing it from the primary SCCM server.

Resolution:

I can only hypothesize that the exit code is coming from wscript.exe due to a logical error in the VBScript.


Error reported in smsts.log:

Installation job completed with exit code 0x00000000
Execution status received: 0 (No application state information is available )
Installation failed.
Install Dynamic application action failed to install application: 'PowerPivot for Excel'. Error Code 0x80004005
Sending error status message
Set authenticator in transport
Install Dynamic application action cannot continue. ContinueOnErrorFlag is set to false.
Process completed with exit code 2147500037
!--------------------------------------------------------------------------------------------!
Failed to run the action: Install Secondary Applications. Unspecified error (Error: 80004005; Source: Windows)

Failed for reason:

Unknown. In our task sequence, the Install Secondary Applications step installs any number of applications using Dynamic Variables, and this “Execution status received: 0 (No application state information is available )” error has only been seen when evaluating already installed applications in this way. The error has appeared for multiple different applications over time, and in each case, the application encountering the error is already installed on the machines, suggesting that the applications themselves are not at issue. The detection method should be detecting that the applications already exist, but it appears that the client cannot even determine the detection method.

Entries earlier in the smsts.log will contain entries similar to:

NotifyProgress received: 0 (No application state information is available )
CAppMgmtSDK::GetEvaluationState ScopeId_2247E2EC-D4AB-4C75-931D-572C34C9E802/RequiredApplication_1a5ff570-4bf6-4fa8-b9cf-d679aaa9e9da.4 = Unknown

Resolution:

None. This error appears to be caused by the task sequencer’s inability to determine or apply the detection rule for an application.


Error reported in smsts.log:

Installation job completed with exit code 0x80730017
Execution status received: 0 (No application state information is available )
Installation failed.
Step 2 out of 2 complete
Install application action failed: 'VP LocaleSelector HTA'. Error Code 0x80004005
Sending error status message
Set authenticator in transport
Install application action cannot continue. ContinueOnErrorFlag is set to false.
Process completed with exit code 2147500037
!--------------------------------------------------------------------------------------------!
Failed to run the action: VP LocaleSelector HTA. Unspecified error (Error: 80004005; Source: Windows)

Failed for reason:

Unknown. It appears to be due to the task sequencer being unable to determine the detection rule for the application, as the application was already installed on the computer.

Entries earlier in the smsts.log appear normal and contain entries similar to:

NotifyProgress received: 1 (Application is installed successfully )	InstallApplication	1/2/2013 2:10:11 AM	2100 (0x0834)
CAppMgmtSDK::GetEvaluationState ScopeId_2247E2EC-D4AB-4C75-931D-572C34C9E802/RequiredApplication_6db08c1f-74b8-4649-94a1-2ba389ad0b91.3 = Enforced

And then seconds later:

NotifyProgress received: 0 (No application state information is available )	InstallApplication	1/2/2013 2:10:27 AM	2100 (0x0834)
CAppMgmtSDK::GetEvaluationState ScopeId_2247E2EC-D4AB-4C75-931D-572C34C9E802/RequiredApplication_6db08c1f-74b8-4649-94a1-2ba389ad0b91.3 = Unknown

Resolution:

None. This error appears to be caused by the task sequencer’s inability to determine or apply the detection rule for an application.


Error reported in smsts.log:

Policy Evaluation failed, hr=0x87d00440
Install application action failed: 'Workshare Professional 7 (2012.09.17)'. Error Code 0x87d00440
Install application action cannot continue. ContinueOnErrorFlag is set to false.
Install Static Applications failed, hr=0x87d00440
Process completed with exit code 2278556736
!--------------------------------------------------------------------------------------------!
Failed to run the action: Workshare Professional 7 (2012.9.17). Expected policy documents are incomplete or missing. (Error: 87D00440; Source: CCM)

Failed for reason:

Unknown. Entries earlier in smsts.log indicate that the application was detected as already existing:

NotifyProgress received: 1 (Application is installed successfully )

Resolution:

None.


Error reported in smsts.log:

NotifyProgress received: 16 (Application failed to evaluate )
...
NotifyProgress received: 0 (No application state information is available )
...
Policy Evaluation failed, hr=0x80004005
Install application action failed: 'VP Wallpaper and User Account Image (Windows 7)'. Error Code 0x80004005
Install application action cannot continue. ContinueOnErrorFlag is set to false.
Install Static Applications failed, hr=0x80004005
!--------------------------------------------------------------------------------------------!
Failed to run the action: VP Theme and User Account Image. Unspecified error (Error: 80004005; Source: Windows)

Failed for reason:

Unknown. This seems to be a policy evaluation problem.

Resolution:

None.


Error reported in smsts.log (SP1 client):

CAppMgmtSDK::GetEvaluationState ScopeId_2247E2EC-D4AB-4C75-931D-572C34C9E802/RequiredApplication_ce05eb75-c269-4f90-9546-72eab1d69c21.13 = Unknown
NotifyError received
NotifyError processed
Received job completion notification from DCM Agent
GetAppMgmtSDKInterface successful
Policy Evaluation failed, hr=0x87d00267
Setting TSEnv variable 'SMSTSAppPolicyEvaluationJobID__ScopeId_2247E2EC-D4AB-4C75-931D-572C34C9E802/Application_ce05eb75-c269-4f90-9546-72eab1d69c21'=''
...
Install application action failed: 'VP Wallpaper and User Account Image (Windows 7)'. Error Code 0x87d00267
...
Install Static Applications failed, hr=0x87d00267
Process completed with exit code 2278556263
!--------------------------------------------------------------------------------------------!
Failed to run the action: VP Theme and User Account Image. Download failed (Error: 87D00267; Source: CCM)

Failed for reason:

Unknown. This seems to happen when a network connectivity problem causes a content download problem. This error has typically occurred on the first Install Application step in the task sequence immediately after a computer restart.

This is also occurring on install dynamic variable applications, in which event the smsts.log reads similar to:

Install Dynamic application action failed to install application: 'Canon Scanner DR2580C and Capture Perfect 3.0'. Error Code 0x87d00267

This thread implicates the network switch (turning on PortFast resolves the problem), but it also seems to be caused by certain SSD drives: https://social.technet.microsoft.com/Forums/en-US/221bcfe8-4c1e-4766-be5b-fbf54fe0e66c/specific-model-suddenly-fails-on-any-application-install-packages-work-fine?forum=configmanagerosd

Resolution:

An effective workaround is to add a Run Command Line step that executes a VBScript from a package that simply calls Wscript.Sleep to create two-minute pauses after each Restart Computer step that occurs before an Install Application step to allow the network time to come up after a reboot. I experimented with shortening the pause to 1 minute and heard reports that the computers were failing again, so I increased the pause back to 2 minutes and the problem disappeared completely.

With SCCM 2012 R2, new task sequence variables are introduced that may overcome this problem by allowing the task sequence to retry to download files or policy instead of quickly giving up and failing the step.

See: https://social.technet.microsoft.com/Forums/en-US/54458340-e50d-4144-af0d-33c768861e97/osd-ts-fails-during-package-download-sendwinhttprequest-failed-80072ee2?forum=configmanagerosd

See: Task Sequence Built-in Variables in Configuration Manager


Error reported in smsts.log (SP1 client):

pNext != NULL, HRESULT=80004005 (e:\nts_sccm_release\sms\framework\osdmessaging\libsmsmessaging.cpp,1972)
reply has no message header marker
DoRequest (sReply, true), HRESULT=80004005 (e:\nts_sccm_release\sms\framework\osdmessaging\libsmsmessaging.cpp,5868)
Failed to get client identity (80004005)
ClientIdentity.RequestClientIdentity (), HRESULT=80004005 (e:\nts_sccm_release\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,1072)
failed to request for client
Exiting TSMediaWizardControl::GetPolicy.

Failed for reason:

Uncertain. The Task Sequence fails immediately after entering the Task Sequence Wizard password, before the available Task Sequences are displayed. The Task Sequence Wizard reports:

Failed to Run Task Sequence
An error occurred while retrieving policy for this computer  (0x80004005). For more information, contact your system administrator or helpdesk operator.

I’ve read that in the majority of cases, it is due to an incorrectly set BIOS clock. In my experience, this has always been the case.

Resolution:

Enter the BIOS and set the system clock to the correct date and time.


Error reported in smsts.log (SP1 client):

==============================[ OSDDiskPart.exe ]==============================
Command line: "osddiskpart.exe"
Succeeded loading resource DLL 'X:\sms\bin\x64\1033\TSRES.DLL'
FALSE, HRESULT=80070490 (e:\nts_sccm_release\sms\framework\tscore\diskutils.cpp,1372)
Invalid disk number specified: 0
CDisk::GetDiskSize(oDisk.getIndex(), cbDiskSize), HRESULT=80070490 (e:\nts_sccm_release\sms\client\osdeployment\osddiskpart\main.cpp,717)
LoadDiskConfiguration(oDisk), HRESULT=80070490 (e:\nts_sccm_release\sms\client\osdeployment\osddiskpart\main.cpp,1229)
Invalid configuration specified.  Please ensure that the task sequence is properly configured.
OSDDiskPart.exe failed: 0x80070490
Process completed with exit code 2147943568
!--------------------------------------------------------------------------------------------!
Failed to run the action: Format and Partition Disk. Element not found. (Error: 80070490; Source: Windows)

You will also find a number of these lines throughout smsts.log:

Volume D:\ is not a fixed hard drive
Volume X:\ is not a fixed hard drive

This error will appear immediately after starting the OSD task sequence.

Failed for reason:

Missing hard drive.

Resolution:

Add a hard drive to the computer.


Error reported in smsts.log:

No Env variable with specified basename APP and suffix '01' is found. No applications installed.
CheckForBaseVarsInTSEnv(), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installapplication\dainstaller.cpp,233)
daInstaller.Execute(), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installapplication\main.cpp,260)
Process completed with exit code 2147500037
!--------------------------------------------------------------------------------------------!
Failed to run the action: Install Applications. Unspecified error (Error: 80004005; Source: Windows)

Failed for reason:

The Install Application step is failing to install applications from a dynamic variable list because the list does not contain any variables, even though it’s silly that the step would fail for this reason.

Resolution:

The workaround/resolution is to create a condition on the Install Application step that allows it to run only if the first application task sequence variable is set. For example, in our environment, the basename (or prefix) is “APP” and the suffix (the numbers) begin with “01”, so the task sequence variable “APP01” will exist if at least one application is in the dynamic variable list. Our Install Application step, then, contains a condition to only run if the task sequence variable “APP01” exists.


Error reported in smsts.log:

CAppMgmtSDK::GetEvaluationState ScopeId_2247E2EC-D4AB-4C75-931D-572C34C9E802/RequiredApplication_2070c4eb-02e4-4b40-9917-6952b8322448.3 = AvailableForEnforcement

<em><exactly 6 hours pass></em>

Waiting for job status notification...
AppMgmtSDK handler is invalid. Trying to reconnect...
Failed to Reconnect to existing job, hr=0x87d00215
Reconnect Job request failed, hr=0x87d00215
Step 2 out of 2 complete
Install application action failed: 'Citrix Receiver Enterprise 3.4'. Error Code 0x87d00215
Sending error status message
Set authenticator in transport
Install application action cannot continue. ContinueOnErrorFlag is set to false.
Install Static Applications failed, hr=0x87d00215
Process completed with exit code 2278556181
!--------------------------------------------------------------------------------------------!
Failed to run the action: Citrix Receiver Enterprise 3.4 (Windows 7). Item not found (Error: 87D00215; Source: CCM)

Failed for reason:

The application being installed kills the task sequence engine, leading to a 6 hour pause in the task sequence before it eventually times out after six hours and exits. More precisely, in our case, the Citrix Receiver Enterprise 3.4 installer first uninstalls Receiver 3.2, and during the uninstall process the task sequence engine process is killed.

The Install Application step fails after 6 hours exactly.

The application being installed does, in fact, successfully install according to 1) the Application event logged by our wrapper VBScript, 2) the application appears in Programs and Features, and 3) the application’s own About dialog box, which contains the correct version. In the case of Citrix Receiver Enterprise 3.4, it installs successfully in approximately 3 minutes.

The “Item not found” part of the error is misleading, as it seems to suggest that the content was not available, but it is.

Resolution:

We were not able to resolve this problem, but worked around the problem by pushing out Citrix Receiver Enterprise 3.4 as a required deployment outside of the task sequence.


Error reported in smsts.log:

'IsSrkAuthCompatible' failed (2150105106)
Tpm does not have compatible SRK
uStatus == 0, HRESULT=80280007 (e:\nts_sccm_release\sms\framework\tscore\tpm.cpp,548)
'IsEndorsementKeyPairPresent' failed (2150105095)
Tpm does not have EK pair
Initial TPM state: 4
(dwTpmState & Tpm::State_Enabled) != 0, HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,434)
TPM cannot be enabled without physical presence
InitializeTpm(), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1284)
ConfigureKeyProtection( keyMode, pwdMode, pszStartupKeyVolume ), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1489)
pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait ), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\main.cpp,382)
Process completed with exit code 2147500037
!--------------------------------------------------------------------------------------------!
Failed to run the action: Enable BitLocker (Laptops Only). Unspecified error (Error: 80004005; Source: Windows)

Failed for reason:

The BIOS is not correctly configured for BitLocker.

Resolution:

BitLocker is tricky to get right, but the first step is to enable the TPM in the BIOS.


Error reported in smsts.log:

Installation of updates started
Waiting for installation job to complete
Notification received, that updates installation has failed
Received job completion notification from Updates Deployment Agent 
One or more updates failed to install, hr=0x87d00656
Process completed with exit code 2278557270
!--------------------------------------------------------------------------------------------!
Failed to run the action: Install Software Updates. Updates handler was unable to continue due to some generic internal error (Error: 87D00656; Source: CCM)

Failed for reason:

Unknown. A small percentage of computers will fail to run Software Updates each month in the days after they are made available to them and they run our maintenance task sequence. Given enough attempts, the computers will eventually succeed in installing Software Updates.

Resolution:

None. If we put enough Install Software Updates steps (with a condition to Continue on Error) and reboots in between, most of the computers will successfully install the updates.


Error reported in smsts.log:

(Actually, no error is reported, but the task sequence fails to resume after a non-TS aware reboot immediately following a TS-aware reboot during the Install Software Updates step. The following typo-filled lines are written to smsts.log immediately after the second reboot.)

Failed to set log directory. Some execution history may be lost. The system cannot find the file specified. (Error: 80070002; Source: Windows)
Executing task sequence
Task Sequence environment not found.
Attempting to get active request.
Failed to create instance if Software Execution Request Managerr. 0x80070005
Waiting for ccmexec process to start.
Failed to create instance if Software Execution Request Managerr. 0x80070005
Waiting for ccmexec process to start.
GetActiveRequest failed with error code 0x87d01012
GetActiveRequest failed. 0x87D01012.
ReleaseActiveRequest failed. 0x87d01012.

Failed for reason:

One or more updates is causing a second reboot during the task sequence. The task sequence engine is not anticipating this reboot, and so does not set aside the data required to resume the task sequence after the reboot.

This is a known issue with the way Software Updates are installed during a task sequence. See the KB article:

Task sequence fails in Configuration Manager if software updates require multiple restarts

Resolution:

“You can avoid this issue in System Center 2012 Configuration Manager Service Pack 2 and System Center 2012 R2 Configuration Manager Service Pack 1 by using the new Retry option in the Install Updates task sequence step.”
https://support.microsoft.com/en-us/kb/2894518


Error reported in smsts.log:

VerifyContentHash: Hash algorithm is 32780
Cannot open source file c:\_smstasksequence\packages\rtm00307\citrix receiver and plug-ins\de\wince\cesh3\icasetup.sh3.cab, Win32 Error = 32
Failed to hash file, Win32 error = 32
Hash could not be matched for the downloded content. Original ContentHash = 3A97E3916B3E2C0C6C5447637754A5DC3A674B9BC3D9F2CC703F320F4B62050B, Downloaded ContentHash = 
Failed to resolve the source for SMS PKGID=RTM00307, hr=0x80091007
The user tries to release a source directory C:\_SMSTaskSequence\Packages\RTM00307 that is either already released or we have not connected to it
Install Software failed, hr=0x80091007
Process completed with exit code 2148077575
!--------------------------------------------------------------------------------------------!
Failed to run the action: Citrix XenApp 6.5 (Package). 
The hash value is not correct. (Error: 80091007; Source: Windows)

Failed for reason:

We use Trend Micro OfficeScan as our antivirus solution. The OfficeScan real-time scanning was holding the file open, preventing the task sequencer from hashing the file to determine that it had been successfully downloaded. This caused the Package to fail and therefore the task sequence to fail. Uninstalling OfficeScan resolved the problem.

Error 32 translates to ERROR_SHARING_VIOLATION – The process cannot access the file because it is being used by another process.

This thread implicates Trend OfficeScan specifically in file-not-hashing problems: https://social.technet.microsoft.com/Forums/en-US/1fa16900-4f41-4b4c-9d40-a27ae266d5c8/media-creation-fails-with-the-hash-value-is-not-correct-and-cannot-open-source-file?forum=configmanagerosd

Error 0x80091007 in smsts.log could also be due to a problem calculating the original content hash, due to problems with the source files, so check for hidden files and that annoying thumbs.db (also, reportedly, with binary replication of the package).

To search for the error code, one needs to convert the integer to a hex value (33 = 0x00000020). See: Win32 Error Codes

Resolution:

Temporarily disable anti-virus or any other software that would be scanning files as they are downloaded to the computer, to avoid conflicts with the task sequence engine verifying the integrity of the downloaded files.

This Windows Event Viewer query looks through the Network Profile/Operational log for network connection events (EventID=10000) where the “Category” equals “2”, which equates to “Domain Authenticated”. The neat part about this XML query is that it looks into the event details for additional criteria, which isn’t available through the filter GUI.

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[(EventID=10000)]] and *[EventData[Data[@Name='Category'] and (Data='2')]]</Select>
  </Query>
</QueryList>

I use it as the custom query trigger for a scheduled task that initiates a few actions each time the computer is powered on/woken up while on the domain network, or has its network connection reestablished. A similar query without the Category=2 criteria would be triggered twice each time the computer is powered on: once when the network connection is established but on the public firewall profile (or something like that), and a second time when the connection changes to use the domain firewall profile (again, I’m not exactly clear).

For a good explanation of how to construct custom queries with examples, see the TechNet blog post at Advanced XML filtering in the Windows Event Viewer.

Update 8/12/2015: I’ve determined that the problem is due to my attempts at creating a custom Windows.UI.Logon.pri file to display a logon screen background image. Neither the utility nor the PowerShell script referenced below create a Windows.UI.Logon.pri file that is acceptable to Windows. In the meantime, I’ve decided to just eliminate the “Hero” wallpaper in favor of a solid color.

I’ve encountered a problem with Windows 10 Enterprise with Cumulative Update for Windows 10: August 5, 2015 (KB3081424) applied, where the secure logon screen is completely black instead of displaying the Ctrl+Alt+Delete message, clock, background wallpaper, etc.

Prior to KB3081424, I experienced a different problem at the Ctrl+Alt+Delete screen, where the lock screen wallpaper configured via Group Policy was not applied and the background was instead a solid blue color.

In both cases, the behavior was/is only evident when the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD is set to 0 (enforcing the Ctrl+Alt+Del screen). Deleting the DisableCAD value avoids the problem, however, it also removes the benefit of the secure logon screen.

When the computer is locked (for example, by hitting Ctrl+Alt+Del and selecting the Lock option) and the screen goes black, the following event is written to the Application event log:

Log Name:      Application
Source:        Application Error
Date:          8/7/2015 5:06:41 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      mycomputer.mydomain.com
Description:
Faulting application name: LogonUI.exe, version: 10.0.10240.16384, time stamp: 0x559f398c
Faulting module name: Windows.UI.Xaml.dll, version: 10.0.10240.16412, time stamp: 0x55b9a054
Exception code: 0xc000027b
Fault offset: 0x0000000000494ab9
Faulting process id: 0x1fdc
Faulting application start time: 0x01d0d15d56f2c0bf
Faulting application path: C:\WINDOWS\system32\LogonUI.exe
Faulting module path: C:\Windows\System32\Windows.UI.Xaml.dll
Report Id: 351d24a4-a031-4135-b595-334baef2ba99
Faulting package full name: 
Faulting package-relative application ID: 

Watching the LogonUI.exe process with Sysinternals Procmon shows that the process crashes when the computer is locked, causing the screen to go black. Hitting the Ctrl+Alt+Del key combination at the black screen launches a new LogonUI.exe process, the wallpaper image loads, and I’m taken to the logon page where I can enter my username and password and log on.

The problem exists on physical hardware as well as in a VMware Workstation 11 virtual machine, so I’m confident that it is not a driver-related issue. The only other particular thing about my setup is that I’m generating my own Windows.UI.Logon.pri wallpaper file using the utility discussed at: http://www.askvg.com/how-to-change-or-disable-login-screen-background-image-in-windows-10/ (although revisiting this page now indicates that .pri file generated by the utility may be responsible for lock screen problems).

I’ll test with the default wallpaper image, and with my desired wallpaper image repacked using the PowerShell script at: http://pastebin.com/aMBrHRwd .

Even if the Windows.UI.Logon.pri is the cause of the LogonUI.exe crashes, a bad file seems like something that the LogonUI process should tolerate.

I posted the problem to Microsoft’s Windows Feedback on 8/10/2015. A Google search turned up a few other people who have had problems at the lock screen, and there are a number of reports of similar problems going back a few versions of Windows.

This is just a quick post on creating a operating system-based collection query rule for Windows 10 in SCCM 2012. In preparation for the release of Windows 10, I have been working on an OSD task sequence that applies the Windows 10 Enterprise Insider Preview and creating collections in SCCM. There are a number of different ways to construct an operating system-based collection, but one method works more quickly than an alternative.

As you know, the System Center Configuration Manager client reports back details of the workstation or server environment to the SCCM management point, including information about the operating system. This information can be used to populate device collections through WQL queries of information in the SCCM database. But similar, if not equivalent, information is collected through different processes by the client, resulting in the SCCM primary site server potentially having incomplete details of a device. This is particularly evident when looking for details about a workstation computer shortly after it has completed an OSD task sequence.

After a Hardware Inventory cycle is run, SCCM will have access to the Operating System.Caption value, which will be, for the Windows 10 Insider Preview, “Microsoft Windows 10 Enterprise Insider Preview”. This query can be made more general by using the LIKE operator and then wrapping the search term in percent symbols: %Windows 10 Enterprise%.

But, if you want to be able to add computers to a collection before a Hardware Inventory cycle is run, you can use System Resource.Operating System Name and Version, which will be, for the Windows 10 Insider Preview, “Microsoft Windows NT Workstation 10.0”. This can be made more general by using LIKE operator and wrapping the search term in percent symbols: %Windows NT Workstation 10%.

The Query Statement that I am using to populate my collection of Windows 10 workstations is:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Microsoft Windows NT Workstation 10%"

This SMS_R_System.OperatingSystemNameandVersion query is useful because it is able to locate computers in SCCM within a few minutes after they have been reimaged, before the client has run a Hardware Inventory cycle. My hunch is that the operating system name and version are being sent to the management point as part of a Heartbeat Discovery that happens soon after the computer finishes the OSD task sequence. I’ll check the logs to confirm this.

This article is intended for systems administrators who use Group Policy/Group Policy Preferences to manage computers in a domain environment.

Among the many challenges faced by Windows desktop engineers, configuring Internet Explorer in a corporate environment to provide a good balance of security and convenience stands out as particularly difficult to get right. I cannot think of any other piece of software that has required more of my time and effort to tailor to our needs than IE. Nor can I think of another application that generates as many non-error-related calls to our help desk. My project this week has been to develop a process for allowing approved ActiveX controls (ie., vetted controls used by business-purpose sites) to be silently installed and enabled by end users without granting sites more rights than needed.

While working on this project, I found that there is a good deal of interplay among multiple Group Policy settings that, once configured, permit standard users to download, install, and enable ActiveX controls so that web sites “just work”. This blog post should help you configure those settings in three steps.

Step 1: Download

The first order of business is to allow a standard user to download the ActiveX control files from sites in the Internet Zone. This can be done by configuring the “Download signed ActiveX controls” and the “Download unsigned ActiveX controls” Group Policy settings in Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone. My understanding is that signed code from trusted publishers is always downloaded silently if the “Download signed ActiveX controls” setting is Enabled and the drop down menu item is set to Enable or Prompt. (It’s not clear to me why signed add-ons from trusted publishers wouldn’t be separately configurable here.) I have set “Download signed ActiveX controls” to Enable, and “Download unsigned ActiveX controls” to Prompt, although the more secure setting would be to Disable downloading unsigned controls.

Step 2: Install

The next order of business is to allow a standard user to install ActiveX controls for specific sites. This can be done by configuring the “Approved Installation Sites for ActiveX controls” setting in Computer Configuration/Policies/Administrative Templates/Windows Components/ActiveX Installer Service.

For each web site, enter the full domain name of the site where the ActiveX control is hosted (wildcards are not allowed) and provide a series of values governing the installation of trusted and signed, signed, and unsigned files, along with exceptions to HTTPS certificate errors. The default series of values is “2,1,0,0”, and I’ll expand on this later in the post. You may need to relax these settings for individual sites depending on whether the control is signed or if the site has HTTPS errors. Enter a detailed comment explaining the rationale for configuring the item (who configured it, when and why), so that you or another administrator can periodically revisit the list and evaluate whether the entries are still necessary and whether the settings are still correct.

A decent amount of thought needs to be given to the significance of the values, which are described more fully at Implementing and Administering the ActiveX Installer Service. The first three numbers in the default setting of “2,1,0,0” will (1) allow an ActiveX control that is signed by a certificate in the Machine or Enterprise Trusted Publishers store to be installed silently, (2) prompt the user before installing an ActiveX control that is signed by a certificate that is not in the Trusted Publisher Store, (3) and not install an unsigned ActiveX control.

For example, if we wish to allow the “Microsoft Update Catalog” ActiveX control to be silently installed when a user visits http://catalog.update.microsoft.com/v7/site/Install.aspx, we can add the domain name “http://catalog.update.microsoft.com” to the list and give it the values “2,1,0,0”. Because this ActiveX control is signed by a certificate in the Machine or Enterprise Trusted Publishers store, the first value “2” allows the silent installation.

If the user encounters an ActiveX control that can be downloaded but is not permitted to be installed silently, the user will receive a Security Warning pop-up window from the ActiveX Installer Service similar to the screen capture below.

Prompting the user for permission to install

Prompting the user for permission to install

In this case, the user encountered a signed ActiveX control that was not signed by a certificate in the Machine or Enterprise Trusted Publishers store. If we want to suppress this prompt so that the control will be installed silently, we would need to change the second number in the series to “2”, as so: “2,2,0,0”.

Step 3: Enable

As conscientious system engineers concerned about removing distractions for our users, we may wish to suppress the “This webpage wants to run the following add-on: ‘<add-on name>’ from ‘<company name>’.” warning/alert that appears in Internet Explorer when a user visits a site that loads an ActiveX control that has been downloaded and installed, but for which the ActiveX control is not yet enabled for the user.

This webpage wants to run the following add-on

This webpage wants to run the following add-on

To silently enable a specific ActiveX control for a specific domain for the current user, we can use Group Policy Preferences to create a registry value under HKCU with the Class ID (CLSID) of the add-on and the domain name where it is allowed to run. Be sure to enter a detailed comment explaining the rationale for configuring the item. The Class ID can be found via the Manage Add-ons dialog box (which means that the add-on will at least need to be downloaded).

For example, if we intend to allow the “Microsoft Update Catalog” ActiveX Control to be silently enabled to run on microsoft.com or any subdomain of microsoft.com, we may create the following registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5AE58FCF-6F6A-49B2-B064-02492C66E3F4}\iexplore\AllowedDomains\microsoft.com]

If we intend to allow the ActiveX Control to run on any site, we would create a key named “*” (an asterisk) in place of the domain name, for example:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5AE58FCF-6F6A-49B2-B064-02492C66E3F4}\iexplore\AllowedDomains\*]

That’s all there is to it. When a user encounters a site that requires an approved ActiveX control, the control will be downloaded, installed, and enabled in the background.

How can I enable an add-on and prevent users from disabling it?

The Group Policy setting “Add-on List”, available in both the User Configuration and Computer Configuration, accepts a CLSID and a numerical value indicating how the add-on should be handled. A 0 (zero) indicates that the add-on should be disabled and users should be prevented from enabling it. A 1 (one) indicates that the add-on should be enabled and users should be prevented from disabling it. A 2 (two) indicates that the add-on should be enabled and users should be permitted to enable and disable the add-on through the Manage Add-ons dialog box.

However, in my experience, configuring an add-on with a value of 2 does not automatically enable the add-on for users, and they will see the yellow bar asking them if they want to enable or disable it when they open IE. I can’t quite see the use case for the value of 2.

The (User) setting is found at User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. The registry keys for add-ons configured via the “Add-on List” setting in the User Configuration, named by CLSID, can be found as subkeys under:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]

How do I get more information about an add-on?

The details of each downloaded or installed add-on can be viewed using the Manage Add-ons dialog box in IE. Locate the add-on in the list and click the More Information link to view the Class ID as well as other information. For example, the details of the Microsoft Update Catalog control referenced throughout this post look like this:

Name: Microsoft Update Catalog
Publisher: Microsoft Corporation
Type: ActiveX Control
Architecture: 64-bit
Version: 7.4.7057.249
File date: ‎Thursday, ‎June ‎20, ‎2013, ‏‎10:56 AM
Date last accessed: ‎Today, ‎April ‎16, ‎2015, ‏‎3 minutes ago
Class ID: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4}
Use count: 8
Block count: 30
File: MicrosoftUpdateCatalogWebControl.dll
Folder: C:\Windows\System32

How do I get information about the ActiveX control file itself?

The binary file itself will be referenced in the HTML of the page that requires or installs the control. My preferred method of finding the binary is to use the DOM Explorer in IE’s F12 Developer Tools to view the rendered HTML of the page where the control is installed, and the search for the string “codebase”.

If we look at the HTML of the page at http://catalog.update.microsoft.com/v7/site/Install.aspx, we can find an OBJECT tag that contains the CODEBASE attribute which contains a relative path to a .cab file that is the control. As of this writing, the path is “ClientControl/en/x86/MuCatalogWebControl.cab?1429300094107#version=9.0.1268.0”. To find the absolute path to the .cab file, so that we can download it and inspect it, we need to join the URL of the page up to the last folder with the contents of the CODEBASE attribute, like so:

http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1429300094107#version=9.0.1268.0

Entering that URL in a browser will allow you to download the file and look at it. In the case of a digitally signed file, viewing the Properties of the file will reveal a Digital Signatures tab with more details about the signer and the certificate. An ActiveX control can be a .cab, a .dll, or a .ocx file.

So why don’t I need to enable the Adobe Flash ActiveX control in this way?

According to the MSDN blog post Controlling ActiveX in Internet Explorer, certain controls are exempt from requiring user approval to be enabled, including Adobe Flash. You can find the Class IDs for these pre-approved controls at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved]

As an alternative to the GPP HKCU registry method of approving ActiveX controls described above, an administrator could create a Class ID subkey under the PreApproved registry key to pre-approve the ActiveX control for all users of the computer on all web sites. Setting such a subkey still permits the user to Disable and Enable the add-on through the Manage Add-ons dialog box.

For example, if we intend to approve the “Microsoft Update Catalog” ActiveX control to run on any site, we would create the following HKLM key, for example, during operating system deployment:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5AE58FCF-6F6A-49B2-B064-02492C66E3F4}]

Using Trusted Sites

It is also possible to use the Trusted Sites zone as the mechanism for controlling installation policy for ActiveX controls. This can be done by configuring the “Establish ActiveX installation policy for sites in Trusted zones” setting in Computer Configuration/Policies/Administrative Templates/Windows Components/ActiveX Installer Service. The same options for trusted/signed, signed, and unsigned controls as well as exceptions for HTTPS errors exist in this setting, but they apply to any site in the Trusted Sites zone. Consider this carefully – once this setting is enabled and configured, any site in the Trusted Sites zone will be allowed to silently install ActiveX controls, even those sites that you may not wish to do so, and exceptions for signed/unsigned controls and HTTPS errors will be applied to all sites. This setting therefore offers far less granularity than configuring each site individually using the “Approved Installation Sites for ActiveX controls” setting described above.

You may need to disable unwanted ActiveX controls installed from these sites via GP by Class ID.

Sites can be added to the Trusted Sites zone via the “Site to Zone Assignment List” setting in User Configuration/Policies/Windows Components/Internet Explorer/Internet Control Panel/Security Page.

Microsoft’s recommendations

The Deployment Guy’s Enterprise Management of ActiveX Controls using ActiveX Installer Service blog post on TechNet describes some recommendations, including to install ActiveX controls only from reputable organizations, deploy commonly used ActiveX controls through your organization’s software deployment system rather than allowing controls to be installed automatically via the ActiveX Installer Service, and using only HTTPS hosted controls. These are excellent suggestions, but it’s not likely that your organization can follow all of these recommendations all of the time.

Troubleshooting

If ActiveX Filtering is enabled, IE prevents ActiveX controls from running on all web sites, except for those sites that have been added to the per-site exception list by the user. In IE11, if ActiveX filtering is enabled, a blue circle with a slash through it will appear on the right-hand side of the address bar.

See the MSDN blog post ActiveX Filtering for Consumers for an explanation of ActiveX Filtering.

If ActiveX Filtering is enabled via Group Policy, per-site exceptions can be created by a standard user by clicking on the blue circle with a slash through it in the address bar. Sites that have been added to the per-site exception list will be saved as registry values to the key at:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\ActiveXFilterExceptions]

If Enhanced Protected Mode is enabled, add-ons must be compatible with Enhanced Protected Mode in order to run without user intervention.

Internet Explorer's Enhanced Protected Mode

Internet Explorer’s Enhanced Protected Mode

As with ActiveX Filtering, it is possible to populate a per-site exception list for Enhanced Protected Mode. Sites that have been added to the exception list by clicking the “Run control” button in the alert box will be saved as registry values to the key at:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabProcConfig]

The Data for the values is a bit confusing, but the blog post How Internet Explorer Enhanced Protected Mode (EPM) is enabled under different configurations begins to explain the settings.

I recommend reading the MSDN blog post Understanding Enhanced Protected Mode, which is a pretty technical explanation of the subject, noting the differences in its implementation between Windows 7 and Windows 8.

ActiveX control blocking

Internet Explorer 8 through 11 includes a feature called out-of-date ActiveX control blocking, which is another candidate for configuration through Group Policy. If left unconfigured, scary looking security warnings may be displayed to users stating that certain controls are out of date.

I needed to insert a short delay between two processes, so I whipped up a little VBScript that accepts an argument in seconds and then sleeps for that amount of time. If no argument is passed, it sleeps for 3 seconds. It writes to the Application event log before it sleeps and after it wakes.

Usage: sleep.vbs 5

It could be better, sure, but I’m humble about it. It doesn’t validate that the argument is an integer, for example. But it does the trick when used correctly.

sleep.vbs

Option Explicit

'Accepts input in seconds and converts the input to microtime, then sleeps for that long

Dim WshShell
Dim strEventInfo
Dim intSeconds, intMicrotime

Set WshShell = CreateObject("WScript.Shell")

If WScript.Arguments.Count > 0 Then
	intSeconds = WScript.Arguments.Item(0)
Else
	intSeconds = 3
End If

intMicrotime = intSeconds * 1000

LogEvent "The sleep.vbs script is sleeping for " & intSeconds & " seconds."

'Sleep briefly to allow processes to finish
WScript.Sleep intMicrotime 

LogEvent "The sleep.vbs script is done sleeping."

'******************************************************
'* Subroutine: LogEvent(strEventInfo)
'*   Creates a Windows Event Log information entry with the specified text
'******************************************************
Sub LogEvent(strEventInfo)
	WshShell.LogEvent 4, strEventInfo
End Sub