Anurag Shukla | Support Engineer | Manageability - Microsoft Corporation

Hello everyone, I wrote a blog post some time back that explained how to move the System Center Configuration Manager 2007 (ConfigMgr 2007) site database from a SQL 2005 to SQL 2008 (link), and here’s how to do the same with System Center 2012 Configuration Manager (ConfigMgr 2012).

This information is ‘AS IS’ and is provided for guidance to move the ConfigMgr Site Database to a new SQL Server. Note that this may not be the only way to successfully migrate the DB but it’s a method I’ve used successfully in the past. Please use this as a guide for getting the understanding of what all steps are involved in moving the Site database. Please use it at your own risk.

Since the inception of ConfigMgr 2012, a lot has changed from the SQL standpoint as we are now heavily relying on the SQL Broker Service and change tracking. Because of this, our approach also needs to change when we are planning to move the Site database to a new system.

LAB SETUP

Site Server: CM12PRI.CM12.LOCAL

SQL Server: CM12PRI.CM12.LOCAL

SMS Provider: CM12PRI.CM12.LOCAL

Also note that CM12PRI has a named instance where I am hosting my Site database.

Backing up the SQL database and preparing the new SQL server

We will use some SQL queries to identify the SQL server versions, configurations, service packs and configurations.

-- CHECK SQL SERVER VERSIONS

Select @@version

-- Microsoft SQL Server 2008 R2 (SP1) - 10.50.2806.0 (X64)   Feb 14 2012 18:18:40   Copyright (c) Microsoft Corporation  Standard Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)

This shows the SQL Server version, edition and version we are running. In my case, our existing server is running on version 10.50.2806.0. This version number will vary based on the edition you are using and on which SQL Cumulative Update your server is running. The following query can also show you the same details about the SQL Server.

--- Verify the Product version, Product Level, Editions

SELECTSERVERPROPERTY('productversion'), SERVERPROPERTY ('productlevel'), SERVERPROPERTY ('edition')

The last query we will use identifies some core features that are required for ConfigMgr 2012 (e.g. whether SQL Broker is enabled or if the database is marked as trustworthy, etc.).

select name, collation_name, user_access_desc, is_read_only, state_desc, is_trustworthy_on, is_broker_enabled,is_honor_broker_priority_on fromsys.databases

Here we can see various properties of our Site database server. It has SQL Broker enabled, plus the database is marked as trustworthy and is honoring the SQL Broker priority.

Step 1:

Before we move our ConfigMgr 2012 database to a different site system, we should create a current backup of the database.  Before you start the SQL backup, ensure that you run PREINST /STOPSITE to stop the Site Components. Here is what you will see, when you’ll run that command:

Step 2:

Now we will use the SQL Management studio to back up the database. Using the context menu on the Database, click Backup and you’ll see a page like the one below. Choose Full as the Backup type. You can place it on a network share, however in my case I will go-ahead and keep it local under c:\bkp\cm_pr1bkp.

Now it’s time to prepare our new SQL Server. In my lab this is named WINDOWS-S2TH386 CM12.LOCAL.

The new SQL Server should be running the same or higher version of the previous SQL Server. It’s possible to have a SQL Server that was running the Cumulative Update 4 (source database) and now you’re moving the database to a server that is running Cumulative Update 6, however if you are moving to the same version of the SQL server, please try to keep them alike to avoid any unwanted results.  

STEP 3:

Before you restore the ConfigMgr database on the new SQL Server computer, please verify Server Collation setting by doing the following:

a. Open Microsoft SQL Server Management Studio.

b. Choose Connect.

c. Right-click on your Server Name and choose properties.

d. Check for the following:

e. The server collation settings should match those on our old SQL Server.

Make sure that the CLR integration is enabled.  To check that run the following stored procedure:

sp_configure 'clr enabled'

Look for the RUN_VALUE - if that is marked as 1 then it means CLR is enabled. Once you have verified these settings, let’s move on to the next step.

Restoring the database on the new SQL Server

In my lab, the new SQL Server is named WINDOWS-S2TH386 CM12.LOCAL

1. Click on Restore Database under the database node in SQL Management Studio as shown below:

2. On the restore database page, choose the option “From device”:

3. Provide the backup file that was created in the previous step. I had already copied the backup file to the WINDOWS-S2TH386 CM12.LOCAL server at c:\bkp\cm_pr1bkp. I will pick the cm_pr1bkp file and then restore the database on the new server as shown below.

4. Verify the new SQL Server configuration on the new server. I used the same query which was used in the first step above:

Here you can see that my database didn’t retain the is_trustworthy_on and is_broker_enabled settings. Use the following queries to enable them:

--- Enable the SQL Broker on the Site database

USE master;
GO
ALTER DATABASE CM_PR1 SET ENABLE_BROKER
GO

--- SET the Site Database as trustworthy

USE master;
GO
ALTER DATABASE CM_PR1 SET TRUSTWORTHY ON
GO

--- SET the Database to honor the HONOR_BROKER_PRIORITY

USE master;
GO
ALTER DATABASE CM_PR1 SET HONOR_BROKER_PRIORITY ON;
GO

Now, run the following query to check the settings again

select name, collation_name, user_access_desc, is_read_only, state_desc, is_trustworthy_on, is_broker_enabled,is_honor_broker_priority_on fromsys.databases where name = 'CM_PR1'

Now we can see that my database is ready for site maintenance.

5. Run Site maintenance.

Run the ConfigMgr setup from the start menu:

Then click Next on the “Before you Begin” page. Click Perform site maintenance or reset this Site on the Setup Wizard page as shown below:

Select Modify SQL Server configuration on the Configuration Manager Setup Wizard Site Maintenance page:

That will show you the old information about the SQL server. We will change that to our new SQL Server.

Now just let the ConfigMgr setup complete. After setup finishes, reboot the ConfigMgr site server and the SQL Server.  After the reboot, check the site settings in the ConfigMgr console and verify that it shows the new SQL Server listed. You might see a prompt stating that the site is in a Read Only mode; this can be ignored for now as we are running the re-synch.

Anurag Shukla | Support Engineer | Manageability - Microsoft Corporation

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Just a quick tip to let you know that we just published a new KB article on MBAM and ConfigMgr that explains an issue where the MBAM installer fails during the prerequisite check with the following error:

System Center CM Objects Already Installed

You can find the article here:

KB2831166 - Installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 fails with "System Center CM Objects Already Installed" (http://support.microsoft.com/kb/2831166)

J.C. Hornbeck| Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Just wanted to let you know about a new KB article we published today. This one is a Configuration Manager article that documents an issue where the ConfigMgr CMEnroll tool fails on a Mac client computer if the user has the special characters  "&" and "<" in their domain password.

You can find the complete article here:

KB2839072 - System Center 2012 Configuration Manager Mac client enrollment fails if passwords contain special characters (http://support.microsoft.com/kb/2839072)

J.C. Hornbeck| Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

As you may be aware, after our recent announcement regarding the Microsoft Anti-Malware Platform Update, the two stand-alone releases (KB2831312 and KB2831316) were temporarily removed from Microsoft Update on April 10. This was because of a detection logic issue that was discovered with the Windows Defender platform update made available to Windows 8 clients (see http://support.microsoft.com/kb/2781197). The Windows Defender update was being erroneously offered to clients that had the new FEP or SCEP platform updates applied, leading to installation failures of KB2781197 that were misleading as the update does not actually apply when FEP or SCEP have been updated to the latest platform.

This has been addressed and these updates will be restored on Wednesday April 17 (today).

The KB articles for these updates are as follows:

Stand-alone / Unmanaged Clients:

KB2831312 - An anti-malware platform update for stand-alone Forefront Endpoint Protection 2010 clients is available from Microsoft Update (http://support.microsoft.com/kb/2831312)

KB2831316 - An anti-malware platform update for stand-alone System Center 2012 Endpoint Protection Service Pack 1 clients is available from Microsoft Update (http://support.microsoft.com/kb/2831312)

ManagedClients (by Configuration Manager 2007 for FEP, or by System Center 2012 Configuration Manager for SCEP):

KB2827684 - An anti-malware platform update for Forefront Endpoint Protection 2010 clients is available from Microsoft Support (http://support.microsoft.com/kb/2827684)

KB2828233  - An anti-malware platform update for System Center 2012 Endpoint Protection Service Pack 1 clients is available from Microsoft Support (http://support.microsoft.com/kb/2828233)

As noted in the KB articles, these updates may require reboots during installation.

Note that managed customers (using Configuration Manager 2007 or System Center 2012 Configuration Manager) may also see failures when installing update KB2781197 on Windows 8 clients that have the FEP or SCEP platform update applied. These failures can be ignored and should cease now that the update KB2781197 detection logic has been revised.

J.C. Hornbeck| Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

We published a new hotfix today for Configuration Manager 2012 Service Pack 1 to correct the following issue:

Consider the following scenario:

• You configure a Microsoft System Center 2012 Configuration Manager Service Pack 1 (SP1) primary site and a System Center 2012 Configuration Manager SP1 secondary site.
• You create a package on the primary site.
• You distribute the package to the distribution point of the secondary site.
• You validate the package on the distribution point of the secondary site after the content status reads Success.
• You verify that the content status reads Success after the validation is completed.
• You right-click the package and then select Update distribution point.

You can find the complete article as well as download information for the hotfix here:

KB2828900 - FIX: The content status of a package is stuck in "In progress - Waiting for Content" status in System Center 2012 Configuration Manager SP1 (http://support.microsoft.com/kb/2828900)

J.C. Hornbeck| Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Buz Brodin| Senior Support Escalation Engineer

Hi everyone, Buz Brodin here. I recently had an interesting AMT provisioning case with System Center 2012 Configuration Manager where we hit multiple issues so I captured some of the various symptoms and error details and did some write ups that I wanted to share with you today. 

Problem 1: Initial attempt at provisioning fails

Symptoms

When attempting to provision machines in System Center 2012 Configuration Manager, the following error occurs in the Amtopmgr.log and provisioning is not successful:

ERROR: [EnrollmentWrapper]: Enrollment service reports error: CertificateAuthorityError. Detail message: Submitting cert request and issuing cert failed         SMS_AMT_OPERATION_MANAGER       
Fail to call SubmitRequest in IssueCertificateFromES     SMS_AMT_OPERATION_MANAGER       
ERROR: Fail to issue certificate  SMS_AMT_OPERATION_MANAGER
Error: Can't finish provision on AMT device SMS_AMT_OPERATION_MANAGER

The following application event error coincides with the provisioning attempt on the issuing Certificate Authority:

Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Event ID:      53
Task Category: None
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      Site.Server.Domain.Com
Description:
Active Directory Certificate Services denied request 49938 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422).  The request was for Domain\Computer$iME.  Additional information: Denied by Policy Module
Event Xml:
< Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
    < EventID Qualifiers="33370">53</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    < Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    < TimeCreated SystemTime="2012-10-12T20:43:46.000000000Z" />
   < EventRecordID>18258</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>computer.domain.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  < EventData Name="MSG_DN_CERT_DENIED_WITH_INFO">
    <Data Name="RequestId">49938</Data>
    <Data Name="Reason">The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422)</Data>
    <Data Name="SubjectName">domain\computername$iME</Data>
    <Data Name="AdditionalInformation">Denied by Policy Module</Data>
  </EventData>
< /Event>

The EnrollmentService.log on the Out of Band Management ConfigMgr Server Role will show the following:

[22, PID:14736][03/14/2013 13:17:45] :CALayer: Sending CA failure status - ENROLLSRVMSG_CA_FAILURE
[22, PID:14736][03/14/2013 13:17:45] :CALayer: SubmitRequest CA: computer.domain.com\Contoso Issuing CA1 Errormessage: Denied by Policy Module ErrorCode: 2
[22, PID:14736][03/14/2013 13:17:45] :Only one CA is specified in profile. Failed to enroll with the specified CA: computer.domain.com\Contoso Issuing CA1
[22, PID:14736][03/14/2013 13:17:45] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
[22, PID:14736][03/14/2013 13:17:45] :EnrollAMTDevice: Error: Submitting cert request and issuing cert failed
[22, PID:14736][03/14/2013 13:17:45] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: Submitting cert request and issuing cert failed
   at Microsoft.ConfigurationManagement.Enrollment.CALayer.SubmitRequest(EnrollmentRequestState enrollRequest)
   at Microsoft.ConfigurationManagement.Enrollment.EnrollmentRequestController.Execute()
   at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollAmtDevice(String certRequest, String template, String hashIdentity, String deviceName, String& provisioning, String& hashProvisioning)
   at Microsoft.ConfigurationManagement.Enrollment.AmtEnrollmentService.EnrollAMTDevice(String certRequest, String templateId, String hashIdentity, String deviceName)

Cause

This issue occurs because the Security Group for the newly created AMT computernameIMEIME objects does not have the correct permissions on the ConfigMgr AMT Web Server Certificate template.

Resolution

To resolve this you need to configure permissions for the Web Server certificate template.

Create an empty security group to contain the AMT computer accounts that System Center 2012 Configuration Manager creates during AMT provisioning.

1. On the CA computer, click Start, type certtmpl.msc, and then press ENTER.

2. In the contents pane, right-click the Web Server template, and then click Properties.

3.Click the Security tab, and then click Add.

4. In Enter the object names to select, type the name of the security group that contains the AMT computer accounts

This security group should contain, at least temporarily when requesting custom certificates, the computer accounts of the AMT enabled machines that ConfigMgr will try to provision.

5. In Permissions, click Enroll under Allow, and then click OK.

More Information

Deployment of the PKI Certificates for Configuration Manager: http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_AMT2008_cm2012

Problem 2: Second attempt at provisioning the same machine fails with different error now

Symptoms

When you try to provision a computer in ConfigMgr 2012 you find provisioning fails and the following errors occur:

The request subject name is invalid or too long

In the Amtopmgr.log you see the following:

ERROR: [EnrollmentWrapper]: Enrollment service reports error: CertificateAuthorityError. Detail message: Submitting cert request and issuing cert failed SMS_AMT_OPERATION_MANAGER Fail to call SubmitRequest in IssueCertificateFromES SMS_AMT_OPERATION_MANAGER ERROR: Fail to issue certificate SMS_AMT_OPERATION_MANAGER
Error: Can't finish provision on AMT device computer.domain.com with configuration code (0)! SMS_AMT_OPERATION_MANAGER

EnrollmentService.log contains entries similar to this:

[8, PID:5604][03/14/2013 15:14:56] :CALayer: Sending CA failure status - ENROLLSRVMSG_CA_FAILURE
[8, PID:5604][03/14/2013 15:14:56] :CALayer: SubmitRequest CA: computer.domain.com\Contoso Issuing CA1 Errormessage: Error Constructing or Publishing Certificate ErrorCode: 2
[8, PID:5604][03/14/2013 15:14:56] :Only one CA is specified in profile. Failed to enroll with the specified CA: computer.domain.com\Contoso Issuing CA1
[8, PID:5604][03/14/2013 15:14:56] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
[8, PID:5604][03/14/2013 15:14:56] :EnrollAMTDevice: Error: Submitting cert request and issuing cert failed
[8, PID:5604][03/14/2013 15:14:56] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: Submitting cert request and issuing cert failed
at Microsoft.ConfigurationManagement.Enrollment.CALayer.SubmitRequest(EnrollmentRequestState enrollRequest)
at Microsoft.ConfigurationManagement.Enrollment.EnrollmentRequestController.Execute()
at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollAmtDevice(String certRequest, String template, String hashIdentity, String deviceName, String& provisioning, String& hashProvisioning)
at Microsoft.ConfigurationManagement.Enrollment.AmtEnrollmentService.EnrollAMTDevice(String certRequest, String templateId, String hashIdentity, String deviceName)

Cause

This issue can occur if the properties of the ConfigMgr AMT Web Server Certificate template are not set correctly.

Resolution

On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console.

In the properties of the ConfigMgr AMT Web Server Certificate click the Subject Name tab, click Build from this Active Directory information, select Common name for the Subject name format, and then clear User principal name (UPN) for the alternative subject name.

More Information

For more information see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority: http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_AMT2008_cm2012

Problem 3: Third attempt fails, this time with a different error; AMT AD accounts already exists. SMS_AMT_PROXY_COMPONENT

Symptoms

Provisioning attempt fails with the following error in SMS_AMT_Proxy_Compoenent log:

AMT AD accounts already exists. SMS_AMT_PROXY_COMPONENT
*** EN_EnrollmentAdminResetPin @DeviceName = *ComputerNameiME', @EncSessionKey =

[42000][50000][Microsoft][SQL Server Native Client 11.0][SQL Server]Failed to set enrollment pin. Cannot find matching record. : EN_EnrollmentAdminResetPin SMS_AMT_PROXY_COMPONENT
Error: Failed to reset enrollment record pin! SMS_AMT_PROXY_COMPONENT
Error: Failed to create enrollment record. SMS_AMT_PROXY_COMPONENT

Cause

This issue can occur if you try to reprovision a machine after a failed provision attempt and the IME$ account in the AD OU for the AMT Enabled Device still exists from the previous provisioning attempt.

Resolution

Delete the matching *ComputerNameiME account from the OU that you defined in the Out Of Band Service Point Properties and try to provision again.

More Information

Before you start provisioning, you are instructed to create an OU that will contain AMT-based computers, then define this OU in the Out Of Band Service Point Properties. During provisioning AMT accounts for each provisioned computer will be created in this OU by ConfigMgr 2012.

How to Provision and Configure AMT-Based Computers in Configuration Manager: http://technet.microsoft.com/en-us/library/gg712319.aspx

Problem 4: Fourth attempt at provisioning appears to succeed however now we get an error when opening the OOB Console and trying to connect to this provisioned machine

Symptoms

When you attempt to open the OOB Console to connect to a provisioned machine in ConfigMgr 2012 you receive the following error:

Error connecting with OOB Console = oobconsole.exe application error
The exception unknown software exception (oxe0434352) occurred in the application at location 0x7602b9bc

Cause

This was caused by a corrupt Adminconsole.ui.dat file in the user profile.

Resolution

Delete the Adminconsoleui.dat file contained in the APPData\Microsoft directory of the current logged in users profile and relaunch the console.

Problem 5: Machines are now all provisioned, we can launch the OOB Console, power controls and Serial Over LAN work fine, but we are not able to connect to the same machines internal web server via port 16993 in Internet Explorer. We get a login prompt or a page cannot be displayed message.

Symptoms

After you successfully provision a machine in ConfigMgr 2012 you find that you are not able to connect to the same machines internal web server via port 16993. However, in Internet Explorer you can connect from the same machine using the OOB Console in ConfigMgr.

Cause

A registry setting HAS to be in place on the machine you are initiating the connection FROM for the connection to work inside of Internet Explorer. This is the same as it was for ConfigMgr 2007 Service Pack 1.

Resolution

On the machine you are initiating the connection FROM, create the following registry keys:

For 32-bit computers

1. Click Start, click Run, type regedit and then click OK.

2. In the left pane, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl

3. On the Edit menu, point to New and then click Key.

4. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209 and then press ENTER.

5. On the Edit menu, point to New and then click DWORD Value.

6. Type iexplore.exe and then press ENTER.

7. On the Edit menu click Modify.

8. Type 1 in the Value data box and then click OK.

9. Exit Registry Editor.

For 64-bit computers

1. Click Start, click Run, type regedit and then click OK.

2. In the left pane, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl

3. On the Edit menu, point to New and then click Key.

4. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209 and then press ENTER.

5. On the Edit menu, point to New and then click DWORD Value.

6. Type iexplore.exe and then press ENTER.

7. On the Edit menu click Modify.

8. Type 1 in the Value data box and then click OK.

9. Exit Registry Editor.

Now you can connect with IE as well to http://clientname.domain.com:16993

More Information

For more information on troubleshooting OOBConsole connectivity please see the following:

Troubleshooting OOBConsole connectivity after an Intel vPro enabled device has been successfully provisioned in ConfigMgr 2007: http://blogs.technet.com/b/oob/archive/2011/02/17/troubleshooting-oobconsole-connectivity-after-an-intel-vpro-enabled-device-has-been-successfully-provisioned-in-configmgr-2007.aspx

Buz Brodin| Senior Support Escalation Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

We published a new hotfix today for Configuration Manager 2007 Service Pack 2 to correct the following issue:

Consider the following scenario:

• You create a package in Microsoft System Center Configuration Manager 2007 Service Pack 2 (SP2).
• You assign multiple access accounts for the package.
• You update the package multiple times by adding additional access accounts.

You can find the complete article as well as download information for the hotfix here:

KB2830195 - FIX: The content status of a package is stuck in "In progress - Waiting for Content" status in System Center 2012 Configuration Manager SP1 (http://support.microsoft.com/kb/2830195)

J.C. Hornbeck| Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

We published a new hotfix today for ConfigMgr 2012 SP1 to correct the following issue:

Consider the following scenario:

• You enable the Upgrade client automatically when new client updates are available option on a Microsoft System Center 2012 Configuration Manager Service Pack 1 (SP1) site.
• You assign a Microsoft System Center Configuration Manager 2007 client to the site.

You can find the complete article as well as download information for the hotfix here:

KB2832622 - FIX: Automatic client updates are unsuccessful for Configuration Manager 2007 clients in System Center 2012 Configuration Manager Service Pack 1 (http://support.microsoft.com/kb/2832622)

J.C. Hornbeck| Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Looking to integrate your virtual application management with App-V 5.0 and System Center 2012 Configuration Manager Service Pack 1 (SP1)? If so then Microsoft’s own Thamim Karim has you covered.

You can read Thamim’s post on his blog here: http://blogs.technet.com/b/virtualvibes/archive/2013/04/22/sccm-2012-sp1-and-app-v-5-0-documentation.aspx

J.C. Hornbeck| Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Consider the following scenario:

• You have Cumulative Update 1 for System Center 2012 Configuration Manager (ConfigMgr) Service Pack 1 (SP1) installed.
• You install a stand-alone primary site server or a hierarchy in the ConfigMgr environment.
• You create a Windows Intune subscription, and then you install the Windows Intune connector.
• The Windows Intune Service throws some exceptions between data transmissions when the first upload to Windows Intune starts.

In this scenario, the DMP Uploader component continuously tries to send the queued messages (every 1 second), and the attempt to upload to Windows Intune is unsuccessful.

For more information and to download a hotfix that corrects this issue please see the following:

KB2832598 - DMP Uploader enters a bad loop in System Center 2012 Configuration Manager Service Pack 1 (http://support.microsoft.com/kb/2832598)

J.C. Hornbeck| Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

We published a new hotfix today for ConfigMgr 2007 SP2 to correct the following issue:

You have a Management Point installed on a site server in Microsoft System Center Configuration Manager 2007 Service Pack 2. In some cases, such as scenarios that involve low disk space, the Management Point may experience high CPU usage or high memory consumption. This may result in an overall decrease in performance.

You can find the complete article as well as download information for the hotfix here:

KB2823071 - FIX: A Management Point experiences high CPU usage or high memory consumption in System Center Configuration Manager 2007 Service Pack 2 (http://support.microsoft.com/kb/2823071)

J.C. Hornbeck| Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Just wanted to let you know about a new Knowledge Base article for ConfigMgr 2007 that we published today. This one talks about a fairly rare issue that you may run into if you modify the properties of a maintenance window right after creating a new software update deployment. The update still gets deployed, it just may happen a little later than you might expect.

You can get all of the details here:

KB2850370 - Modifying a Configuration Manager 2007 service window may cause an unexpected delay in a software update deployment (http://support.microsoft.com/kb/2850370)

J.C. Hornbeck| Knowledge Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/