DISM Error:5 error when building boot ISO with WADK 8 and MDT 2012 sp1

All replies

• 

  

  2

  Sign in to vote

  The issue here was McAfee VirusScan 8.8 Access protection. While there was no log of it preventing any activity, when disabling the 'access control', it added the packages successfully. I will have to dig through the access control modules to exactly what is getting blocked

  • Marked as answer by Zain Richards Thursday, September 20, 2012 3:43 PM

  Thursday, September 20, 2012 3:43 PM
• 

  

  0

  Sign in to vote

  Hi,

  I have the exact same issue on my MDT server (2008 R2, ADK, VirusScan 8.8, MDT 2012 U1) and my conclusion is the same as yours.

  For now, I have disabled Access protection but I can't find exactly what is causing the issue on the Access Protection module. Nothing appears on the logs.

  Please share any information that you may have about this.
  

  
  

  • Edited by JFD7 Monday, September 24, 2012 8:20 AM

  Monday, September 24, 2012 8:17 AM
• 

  

  0

  Sign in to vote

  As a test, I disabled all Access control modules and enabled logging for them and tried to create images. This still failed with with Access control is enabled. It therefore seems that McAfee has default access protection on something in ADK. I say ADK as the issue only appears ADK and not waik. I have logged an SR with McAfee and hopefully they'll get it sorted

  Tuesday, September 25, 2012 10:10 AM
• 

  

  0

  Sign in to vote

  Ok thanks for the update. Please let me know what McAfee said about this.

  Wednesday, September 26, 2012 8:13 AM
• 

  

  0

  Sign in to vote

  Any news ?

  Thursday, October 4, 2012 9:34 AM
• 

  

  0

  Sign in to vote

  Not yet. The SR has been escalated to McAfee tier 2 support and I await their response

  Thursday, October 4, 2012 9:39 AM
• 

  

  0

  Sign in to vote

  Hi,

  Have you found a solution with McAfee ?
  

  Wednesday, October 17, 2012 9:02 AM
• 

  

  0

  Sign in to vote

  The issue has been escalated to McAfee Tier 3 support. Will post if we find a resolution. In the meantime, disable access protection when creating the ISO

  Wednesday, October 24, 2012 8:59 AM
• 

  

  0

  Sign in to vote

  Same problem here.  Hope you find out what's the underlying cause.

  Monday, November 5, 2012 9:50 PM
• 

  

  0

  Sign in to vote

  We experience the same problem here when we try to add updates to an OS image in SCCM 2012 RTM. With McAfee Acceess Protection enabled the adding of updates fails. As soon as AP is disabled the updates are added successfully.

  I hope there is a permanent solution to this problem because I don't like to disable AP manually whenever we want to patch an image. And disabling it permanently is no option for the IT  Security Officer.

  Thursday, November 8, 2012 8:54 AM
• 

  

  0

  Sign in to vote

  The issue has been escalated to McAfee Tier 3 support. Will post if we find a resolution. In the meantime, disable access protection when creating the ISO

   Still no solution found with McAfee support ?

  Monday, December 3, 2012 8:26 AM
• 

  

  0

  Sign in to vote

  The issue has been submitted to the developer team so it will only be resolved using during the next VSE patch or hotfix.

  Monday, December 3, 2012 8:29 AM
• 

  

  0

  Sign in to vote

  FYI, McAfee investigated this issue at the code level and found the behavior of DISM.exe is not within their control.

  i.e. Access Protection is not actively causing DISM to fail - McAfee is taking no action on anything DISM is doing, but DISM is taking some code path to fail seemingly just because McAfee's code is present. Thus McAfee will be releasing a KB article advising folks to use the workaround if they want a McAfee resolution, or to engage Microsoft to find out why DISM is behaving the way it is.

  Monday, December 10, 2012 5:46 PM
• 

  

  0

  Sign in to vote

  Check this blog:

  http://donnystyle.wordpress.com/2013/01/13/mcafee-causes-boot-image-action-problems-configuration-manager-2012-sp1-sysctr/

  • Proposed as answer by -_Muffy_- Friday, January 18, 2013 12:07 AM
  • Unproposed as answer by -_Muffy_- Friday, January 18, 2013 12:07 AM

  Wednesday, January 16, 2013 11:48 PM
• 

  

  0

  Sign in to vote

  The solution we used was to identify the WAIK and MDT exes and make exceptions in McAfee. The hit is on the YUNSIP32 virus heuristic as a usp10.dll is being written on the drive in a location other than C:\Windows\System32.  Once the exception is set MDT2012 runs without error. I discovered the heristic using Beyond Compare to sync the DeploymentShares. Once BC.exe found the error I ran a manual copy (explorer.exe)without issue but once a third party tool copies the file McAfee pulls its triggers.

  Friday, January 18, 2013 12:18 AM
• 

  

  0

  Sign in to vote

  FYI, McAfee investigated this issue at the code level and found the behavior of DISM.exe is not within their control.

  i.e. Access Protection is not actively causing DISM to fail - McAfee is taking no action on anything DISM is doing, but DISM is taking some code path to fail seemingly just because McAfee's code is present. Thus McAfee will be releasing a KB article advising folks to use the workaround if they want a McAfee resolution, or to engage Microsoft to find out why DISM is behaving the way it is.

  McAFee KB Posted:  https://kc.mcafee.com/corporate/index?page=content&id=KB76867&actp=search&viewlocale=en_US&searchid=1366808442071

  Johnnnie

  Wednesday, April 24, 2013 3:30 PM
• 

  

  0

  Sign in to vote

  Does this solution works ?  There is no way we can just disable On access / HIPS on our Servers.  We could create exceptions if needed.

  Can you just give all details on exceptions you created to have a MDT 2012 working as supposed on a server with VSE and HIPS.

  Thank you,

  Monday, June 3, 2013 1:46 PM
• 

  

  0

  Sign in to vote

  McAfee has updated the KB.

  https://kc.mcafee.com/corporate/index?page=content&id=KB76867&cat=CORP_PRODUCTS&%20actp=LIST

  After working with Microsoft, it is apparent that Microsoft is unable to address the two known issues in the registry API, due to the complexity and ramifications to the operating system.
  
  As such, Microsoft worked with McAfee to help identify an alternate workaround that McAfee has plans to implement.
  
  McAfee has reviewed Microsoft's proposal and plans to adopt it in a future release. However, this is not a small code change and has complexity and ramifications for VSE. This article will be updated when a release is available that includes this code change.

  ---

  Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually answer your question). This can be beneficial to other community members reading the thread.

  
  

  This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or MVPs.

  Twitter: @alexverboon | Blog: Anything About IT

  • Proposed as answer by Scoobysnax Thursday, January 16, 2014 7:52 AM

  Monday, July 22, 2013 6:31 PM
• 

  

  0

  Sign in to vote

  https://kc.mcafee.com/corporate/index?page=content&id=KB76867&actp=LIST

  ---

  There are 10 kinds of people in the world. Those who understand binary and those who dont.

  Thursday, January 16, 2014 7:41 AM
• 

  

  0

  Sign in to vote

  Has anyone found a solution or at least heard an update?  I cannot get it to work even with the work-around of disabling Access Protection.

  Monday, July 28, 2014 4:58 PM
• 

  

  0

  Sign in to vote

  FYI, the issue has been fixed in VSE 8.8 Patch 5 :

  https://kc.mcafee.com/corporate/index?page=content&id=KB76867

  Tuesday, February 2, 2016 2:24 PM