Remove From My Forums

Push client installation - Authenticode errors

Question
0

Sign in to vote

Hello friends , my name is Oren.

I'm an SCCM integrator , and I'd like to share a bit of an annoyance I've encountered with one of my installations on my clients' environment.

I've successfully installed an SCCM 2012 R2 Primary site , everything's configured by the book ,
everything's working just great... only I've reached a small "fork in the road" with my deployment.

I'm deploying to a Windows 7 environment , and on a small percentage of my clients ,
I'm receiving authenticode errors on the ccmsetup.cab.

The error is the following:
Couldn't verify 'C:\Windows\ccmsetup\ccmsetup.cab' authenticode signature. Return code 0x800b010e   ccmsetup   3/25/2014 11:15:04 AM   6116 (0x17E4)
A Fallback Status Point has not been specified. Message with STATEID='316' will not be sent.   ccmsetup   3/25/2014 11:15:04 AM   6116 (0x17E4)
Failed to extract manifest cab file with error 0x80004005. Try next location.   ccmsetup   3/25/2014 11:15:04 AM   6116 (0x17E4)
Enumerated all 1 local DP locations but none of them is good. Fallback to MP.   ccmsetup   3/25/2014 11:15:04 AM   6116 (0x17E4)
GET 'HTTP://<SCCMSERVER>/CCM_Client/ccmsetup.cab'   ccmsetup   3/25/2014 11:15:04 AM   6116 (0x17E4)
Couldn't verify 'C:\Windows\ccmsetup\ccmsetup.cab' authenticode signature. Return code 0x800b010e   ccmsetup   3/25/2014 11:15:05 AM   6116 (0x17E4)
CcmSetup failed with error code 0x80004005   ccmsetup   3/25/2014 11:15:05 AM   4816 (0x12D0)

If I install the client manually on the workstations , everything's fine,
and out of every 150 clients I deploy , the errors occur only on a small percentage.

I'm aware of the issues detailed in the following post:
http://social.technet.microsoft.com/Forums/en-US/1fed93a5-f355-4229-85a9-f542ddf8c138/sccm-client-push-installation?forum=configmanagerdeployment

However , seeing as this issue refers to the SP1 release,
call me crazy , but I'd expect Microsoft to address the matter at hand accordingly towards the R2 release , seeing as the product team is quite aware of the matter at hand as it was addressed by rebuilding the download media.

Has anyone of you kind folks witnessed this scenario with the R2 release?

Would appreciate any and every bit of help I could get from you guys!

Thanks in advance,
Oren

Tuesday, March 25, 2014 9:35 AM

Answers

0

Sign in to vote
OK, everything is guess work on my part then. On a client having the issue, I would examine the ccmsetup.cab downloaded as well as its signing/authenticode cert and compare that to a system where it is working. It's possible that the systems having issues are having issues of their own causing them to fail the check. In any (and every) client management rollout I've ever been part of, there are always a number of systems that have unique issues that cause weird one-off failures that have nothing to do with the management tool.
Jason | http://blog.configmgrftw.com
- Proposed as answer by Joyce L Wednesday, March 26, 2014 1:52 AM
- Marked as answer by Robert Marshall - MVPMVP Monday, August 25, 2014 1:55 PM
Tuesday, March 25, 2014 7:06 PM
0

Sign in to vote
Have you sifted through the Clients GPO settings?

I call these odd issues, when we know something to work well, "Environmental issues", and I most often see them because of discreet actions taken by Group Policy guru's who fundamentally change how the OS functions and skew the environment away from the norm, resulting in 'issues'.

HTH
Robert Marshall | This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs
- Marked as answer by Robert Marshall - MVPMVP Monday, August 25, 2014 1:55 PM
Monday, June 30, 2014 6:57 AM

All replies

0

Sign in to vote

The issue described at the bottom of that thread is addressed and does not occur with the re-released SP1 media and R2.

Was you site upgraded from SP1 or RTM?

Jason | http://blog.configmgrftw.com

Tuesday, March 25, 2014 1:01 PM
0

Sign in to vote

Hi Jason,
the site was installed via R2 media from scratch upon release

Tuesday, March 25, 2014 1:13 PM
0

Sign in to vote

Do you have any previous installs of ConfigMgr in the environment?
Jason | http://blog.configmgrftw.com

Tuesday, March 25, 2014 3:16 PM
0

Sign in to vote

I do,
I have a working 2012 SP1 Primary site for the servers(no overlapping boundaries),
the site I'm having issues is targeting regular Windows 7 clients.

I can clearly see by the log that ccmsetup.exe is directed towards the relevant site...

Anything you can recommend I can try?

Tuesday, March 25, 2014 3:37 PM
0

Sign in to vote

Which DP is it downloading the client files from on those that are failing?
Jason | http://blog.configmgrftw.com

Tuesday, March 25, 2014 4:17 PM
0

Sign in to vote

The R2 site's DP,only one DP per each Primary site

Tuesday, March 25, 2014 6:35 PM
0

Sign in to vote
OK, everything is guess work on my part then. On a client having the issue, I would examine the ccmsetup.cab downloaded as well as its signing/authenticode cert and compare that to a system where it is working. It's possible that the systems having issues are having issues of their own causing them to fail the check. In any (and every) client management rollout I've ever been part of, there are always a number of systems that have unique issues that cause weird one-off failures that have nothing to do with the management tool.
Jason | http://blog.configmgrftw.com
- Proposed as answer by Joyce L Wednesday, March 26, 2014 1:52 AM
- Marked as answer by Robert Marshall - MVPMVP Monday, August 25, 2014 1:55 PM
Tuesday, March 25, 2014 7:06 PM
0

Sign in to vote

Pardon me if my responses have been a bit cold til now ,
I'm really just at my wit's end here! :D
I appreciate each and every response , hopefully due to all of this someone who encounters the same situation will have a shorter "feud" with the Configuration Manager scenario...

This is the first time I've encountered such a situation with client deployment,
so far every one of my installations + deployments have been pretty much smooth sailing , and
if there were any difficulties , my clients ended up re-imaging the workstations due to other necessities and such.

I have in fact compared the Cab files between a successful client and a failing client,
the cabs are the same , and all signatures seem completely the same.

I'm quite aware that no two deployments are the same for every environment,
and I know the "Push client " functionality is valid seeing as I have a very high success rate.

If there is anything else you can think of to help me , I'd really appreciate it!

Thank you in advance!

Wednesday, March 26, 2014 8:01 AM
0

Sign in to vote

If the files are the same then the breakdown must be in those systems verifying the signature. Did you explicitly check the Authenticode signature on the files on the systems having issues ensuring that the OS is seeing them as valid?

Is there something else unique about these systems like their time being incorrect, Win7 non-SP1, or something else like that that would/could affect the signature verification? Are these all older systems from a previous "image" that itself may have issues?
Jason | http://blog.configmgrftw.com

Wednesday, March 26, 2014 1:18 PM
0

Sign in to vote
Have you sifted through the Clients GPO settings?

I call these odd issues, when we know something to work well, "Environmental issues", and I most often see them because of discreet actions taken by Group Policy guru's who fundamentally change how the OS functions and skew the environment away from the norm, resulting in 'issues'.

HTH
Robert Marshall | This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs
- Marked as answer by Robert Marshall - MVPMVP Monday, August 25, 2014 1:55 PM
Monday, June 30, 2014 6:57 AM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Push client installation - Authenticode errors

Question

Answers

All replies