locked
2012 SP1 Client Upgrade from 2007 via SUP failing unless registry key HTTPSSTATE changed RRS feed

  • Question

  • Hi,

    We are moving from 2007 to 2012 Sp1 via SUP method.  The new 2012 SP1 environment is fully secured via PKI.  A manual client install works fine with everything being discovered automatically and certificates being created and used.  If we push via SUP the client upgrade fails, the management points are discovered but are then shown in ccmsetup.log as being imcompatible...

    The MP name retrieved is 'xxx' with version '7804' and capabilities '<Capabilities SchemaVersion="1.0"><Property Name="SSL" Version="1"/><Property Name="SSLState" Value="63"/></Capabilities>'	ccmsetup	13/05/2013 14:14:45	4556 (0x11CC)
    MP 'xxx' is not compatible	ccmsetup	13/05/2013 14:14:45	4556 (0x11CC)
    The MP name retrieved is 'xxx' with version '7804' and capabilities '<Capabilities SchemaVersion="1.0"><Property Name="SSL" Version="1"/><Property Name="SSLState" Value="63"/></Capabilities>'	ccmsetup	13/05/2013 14:14:45	4556 (0x11CC)
    MP 'xxx' is not compatible	ccmsetup	13/05/2013 14:14:45	4556 (0x11CC)
    Retrieved 0 MP records from AD for site 'AP1'	ccmsetup	13/05/2013 14:14:45	4556 (0x11CC)

    I have found that if I change the key (64-bit OS):

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CCM\HttpsState

    from 0 to 1 the installation will work correctly.

    Is there a neater way to enforce ccmsetup.exe to use this via the adm?  I've tried ccmsetup.exe CCMHTTPSSTATE=1 but this does not work, I also tried CCMHTTPSSTATE=480 as this number appears in the logs when it does work but this also fails. 

    Thanks



    • Edited by Alan Dooley Tuesday, May 14, 2013 8:04 AM typo
    Monday, May 13, 2013 3:19 PM

All replies

  • I've done a comparison of a successful setup after changing the registry key.  When the key is left to zero ccmsetup selects a certificate from the SMS store on the client rather than the correct certificate from the personal store. 

    Fail : CCMCERTID:    SMS;73CE4B792B05F6D11E18D958F24F14CFA98EADEF

    Success : CCMCERTID:    MY;DE5C22207A628249FEA1FD2826D2F26E90004AB3

    It seems when it is failing it isn't even searching for the certificate within personal, it is just selecting the SMS certificate.  Have tried using "CCMCERTSTORE=Personal" to try and force it to look there but with no luck... 

    Tuesday, May 14, 2013 8:35 AM
  • We seem to be having the same issue also.

    Wednesday, June 19, 2013 9:01 PM
  • Hi Alan, please check out http://social.technet.microsoft.com/Forums/en-US/67d85763-f787-4a8f-99c4-0ffa1a392829/client-install-via-wsus-fails

    Saturday, June 22, 2013 12:08 AM