Friday, December 30, 2016

The certificate’s CN name does not match the passed value

An error has occurred during report processing. (rsProcessingAborted).
Cannot create a connection to data source ‘AutoGen_{5C6358F2-4BB6-4a1b-A16E-8D96795D8602}’. A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 – the certificate’s CN name does not match the passed value.)

When you test the data source connectivity, you will receive the same error.

The error indicates that the installed certificate does not match the current SQL Server name. If we open the data source in SQL Server Reporting Services, we can see the actual SQL Server name in the connection string. If we modify the server name in the connection string, the connection will succeed. However, the modified SQL Server name will revert as soon as we save and close the page.

To fix the "certificate’s CN name does not match the passed value" error, we have to change the SQL Server name on the actual reporting server where the reporting services role is installed.
Go to \Administration\Overview\Site Configuration\Servers and Site System Roles in the SCCM console, then identify the server where the reporting services are installed. Then open the properties of the Reporting services point.
On the General tab, go to the site database server name, enter the current SQL Server name, then click Verify under the database name. If the database server name is correct, we should get a successfully verified message.

Now, run the report. It should connect and run the reports without any errors.
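
To see which name the installed certificates actually carry before changing the setting, the check below compares the subject CN of each certificate in the local machine store with the server name used in the connection string. It is an added example, not part of the original post; the function name Test-SqlCertName and the server name 'SQL01.lab.local' are placeholders made up for illustration.

```powershell
# Added example, not from the original post. Run it on the SQL Server host.
function Test-SqlCertName {
    [CmdletBinding()]
    param(
        # Server name exactly as written in the data source connection string
        [Parameter(Mandatory)][string]$ServerName,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    # Only certificates that have a private key can be used by a server for TLS
    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cn = $_.GetNameInfo($simpleName, $false)   # subject common name

        # First DNS label of each name, to spot short-name vs FQDN mismatches
        $cnHost   = ($cn -split '\.')[0]
        $nameHost = ($ServerName -split '\.')[0]

        $hint = if ($cn -eq $ServerName) {
            'CN matches the passed name'
        } elseif ($cnHost -eq $nameHost) {
            'same host, but short name and FQDN differ'
        } else {
            'different host name'
        }

        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            SubjectCN  = $cn
            NotAfter   = $_.NotAfter
            CnMatches  = ($cn -eq $ServerName)   # -eq ignores case for strings
            Hint       = $hint
        }
    }
}

# 'SQL01.lab.local' is a constructed placeholder, not a name from the post
Test-SqlCertName -ServerName 'SQL01.lab.local' | Format-Table -AutoSize
```

A row with CnMatches = False and the short name/FQDN hint is the usual sign that the name entered for the site database server is written differently from the name on the certificate.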

Friday, December 2, 2016

SCCM Current Branch site recovery using database backup

This article provides the steps involved in recovering a standalone System Center Configuration Manager Current Branch 1610 primary site.
This guide is for System Center Configuration Manager Current Branch 1610 only. Most of the steps will be the same for other versions, but please test them carefully in your test environment.

Before we start talking about SCCM site recovery using database backup, we need to prepare our current SCCM server and the new SCCM Server.

Prepare Current SCCM site server:
- Make sure that we have the latest backup and that it is valid (preferably within the retention period)
- Copy the whole backup folder to a different server or a network share
- Get Installed SQL server version and edition
- Copy the SCCM source content to some other server (if stored locally)
- Shutdown the server (Do not rename)

Prepare new SCCM Site server:
- Install OS and patch it fully
- Join to the domain using exactly same name as previous SCCM site server
- Install SCCM site server prerequisites (Roles and Features) - Refer to this article for complete list of prerequisites: 
- Install ADK
- Install SQL server same version and edition as the production SCCM site server Database Server
- Copy the whole backup folder on to the local server

Site Recovery:
Launch splash.hta from <Backuplocation>\CD.Latest folder;

On the Microsoft System Center Configuration Manager window, click Install;
 Note: Make sure you launch the setup using the CD.Latest folder from the backup, and that the version number on the Microsoft System Center Configuration Manager window matches the current SCCM environment. Otherwise, we will receive the "The site being recovered using a different build number than the build version of the ConfigMgr backup" error.

Click Next on Before you begin page;

On Getting Started page, under Available Setup Options select Recover a site then click next;

On Site Server and Database Recovery Options page;
Select Recover this site server using an existing backup then browse to the backup location.

For site database recovery options select Recover the site database using the backup set at the following location and browse to the path to the backup folder;


On Site Recovery Information, by default Recover Primary site will be selected. Click next;

Enter the product key or choose evaluation then click next;

Agree to all the product licenses terms and conditions then click next;

On Prerequisites downloads page, if prerequisites already downloaded then browse to the location or provide a path to download the files then click next;
This will start downloading or validating the files

On Site and Installation Settings page;
Site code will be auto populated along with the site name.
If we want to change the default installation directory then browse to the location and choose the option to install the SCCM console or not, then click next;

On the Database Information page, enter the SQL Server name. The database name is not required as it auto populates from the backup DB. Leave the service broker port at 4022 then click next;

On the second database information page, choose the path to the SQL Server data file. By default, the SQL Server data file will be stored under C:\Program Files;

Click next on Diagnostic and usage data;

On the summary page, review all the settings carefully. If all looks good, then click next;

Now the install will start and it will take some time. In my LAB it took just over an hour to recover the full site.
If the recovery media is a different version than the backup database site version, the Evaluating setup environment step will fail with the "The site being recovered using a different build number than the build version of the ConfigMgr backup" error.

If everything is good the setup will continue. 
Once we see Core setup has completed on the install page, click next;  

On the Finished page, we will see list of Post-recovery actions.
Perform the post recovery actions after launching the console.

When we open the console, we can see all the objects. However, if the content source is stored on the local SCCM server, then we need to create the same share and copy all the content to the new server. If the content is stored on a different server, then applications will work without performing any additional steps.

That's it. We have successfully performed SCCM site recovery using an existing database backup.
Click here for complete SCCM 1511 Current Branch setup step by step guide.
Click here for complete SCCM 1511 Current Branch step by step guide, step by step migration guide, step by step monitoring and health check guide and step by step SCCM Current Branch servicing guide.

Sunday, November 27, 2016

The site being recovered using a different build number than the build version of the ConfigMgr backup

As part of Disaster recovery (DR) testing, I tried to recover my Current Branch 1610 site using the 1606 ISO and received the following error when running the Evaluating setup environment step:

The site being recovered using a different build number than the build version of the ConfigMgr backup. The recovery build number must match with the previous installed build version. Click the view log button for more information.

As the message indicates, the site was upgraded to the 1610 build a few days ago. However, as of today, we cannot build a 1610 site with an ISO or any other media as part of the site recovery using a previous SCCM database backup. So how can we recover an SCCM Current Branch 1610 site with the correct build version? Well, if we check the site server DB backup folder, there is a folder called CD.Latest.

The CD.Latest folder within the backup folder holds the installer files for the 1610 build for recovery. To verify the build media version in the CD.Latest folder, launch splash.hta; the first screen will display the version number 1610 under Microsoft System Center Configuration Manager.

So launch splash.hta file from <yourbackuplocation>\CD.Latest then follow the prompts for site recovery. The recovery should continue without build version error.

Monday, November 21, 2016

Step by Step SCCM 1610 Upgrade Guide

A few days ago Microsoft released Update 1610 for System Center current branch.
This is the 3rd servicing update since the current branch was released. This guide explains how to upgrade the current branch from 1606, or any earlier version of current branch, to 1610.

Pre-upgrade Check:
SCCM Current branch 1610 upgrade is same as any other previous upgrade.
Follow the upgrade check list before performing an upgrade to prevent running into any potential issue.

1. Must use service connection point site system role at the top-level site of your hierarchy
2. Update 1610 can only be installed at the top-level site of your hierarchy, Child primary sites will be updated automatically. Secondary sites need to be updated manually from primary parent site
3. Upgrade the console manually when prompted soon after the hierarchy upgrade
4. To install 1610 the hierarchy must run one of the versions of System Center 1511, 1602, or 1606.
5. Review the site hierarchy health and remediate any issues
6. Disable database replicas for management points at primary sites in a multi-site environment
7. If SQL AlwaysOn availability is configured, then Set SQL Server AlwaysOn availability groups to manual failover
8. If NLB is installed, then Reconfigure software update points that use NLBs
9. Backup site database

Download the update:
1. Click on "Check for Updates" from \Administration\Overview\Cloud Services\Updates and Servicing

2. If update is not available, then get EnableFastUpdateRing1610.ps1 PowerShell script from here 
3. Run the script from an elevated PowerShell window (ex: EnableFastUpdateRing1610.ps1 SCCB)
   Note: Just use the server name without FQDN.
   You will get "The command(s) completed successfully."


4. Click on "Check for Updates" from \Administration\Overview\Cloud Services\Updates and Servicing in SCCM console
5. After 10-15 min, the console will show Configuration Manager 1606 update and should be in downloading state
6. The SMS_DMP_DOWNLOADER component logs the following entries in dmpdownloader.log (<Install_DIR>\Microsoft Configuration Manager\Logs\)
   I. Found a new available update
   II. Downloading large file with BITs
Wait until the console changes the status of the update from downloading to Available.

Installing the update:
If we check the console version before the upgrade, the version numbers will be as below;
          System Center Configuration Manager Version 1606
          Console Version: 5.0.8412.1003
          Site Version: 5.00.8412.1000

Like any other previous updates, first run the Run Prerequisite check. Once the prerequisite check is passed then run Install Update Pack.

The installer will start the Configuration Manager updates wizard. Click Next on the General tab;

Select required features to be installed then click Next (I chose the default settings);

Select required client update options then click Next;

Accept the license terms then click Next;

Review the selection options then click Next;

Close the completion window.

It will take 20-30 min (based on the server performance) to complete the update.
During the upgrade process, you can click on the view status button to see a detailed progress of the installation.

Once the update is installed, the Configuration Manager 1610 update status will change from Available to Installed.

Console Upgrade:
After upgrading the site server to SCCM Current Branch 1610, if we re-launch or check the console version, we will get a popup message saying "A new version of the console is available (5.00.8458.1500)".

Click OK to upgrade the console and follow the on screen prompts to complete the upgrade process.

Once the update is installed the version number of SCCM will be;
         System Center Configuration Manager Version 1606
         Console Version: 5.00.8458.1500
         Site Version: 5.00.8458.1000


Friday, October 14, 2016

Invalid MP Cert Info No signature Failed to query MP locator

Invalid MP Cert Info; No signature, Check MPs Boundary group...
GetMpLocations failed;0x80004005
Failed to query  for MP location
 
QueryMPLocator: no valid MP locations are received
Failed to query MP locator
I received this error when performing bare metal builds using a boot disk in a newly built System Center Current Branch infra.
I have already created boundary groups and assigned them as required.

The reason for this error seems to be that the certificate for the MP in the boot image is different from what has been discovered. When I created the boot image, I selected Dynamic media under the "select how media finds a management point" option. The Dynamic media option caused the error because at this stage we did not publish the SCCM CB to the AD and the existing SCCM 2012 is published. So it is querying the existing SCCM 2012 to get the MP location details, which don’t match the certificate on the boot image.

I have created a new media and selected Site-based media.


This time the build worked without any error.

Sunday, October 9, 2016

Windows 7 and Windows 8.1 servicing changes

Microsoft has moved the traditional Windows updates release to a rollup model for supported Windows operating systems.
Below is a quick summary of the Windows 7 and Windows 8.1 servicing changes.

Which Operating Systems are included in new servicing?
Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2

When will the new rollup model start?
October 2016

How it impacts SCCM ADR? or Current patching?
If the current ADR has Update Classification: Security updates enabled, then the ADR will end up downloading Security only updates and security and quality rollup as well. This will consume the drive space and as well as network bandwidth.

What happens if we deploy Security only update and security and quality rollup?
If we deploy both (deploy Security only update and security and quality rollup), there is no way to control which one will install first. If Security only update installs first, then the system will run security and quality rollup as well. However, if security and quality rollup runs first, then it will not run the security only update as already all the current and previous updates are installed by installing security and quality rollup.

How to use ADR to deploy security and quality rollup and remove security only updates?
When Security updates classification is used in creating ADR, the ADR will add security only and security and quality rollup in the deployment package. To exclude Security only update from the list, add a Title property filter then enter -Security only. This will remove all the updates listed as Security Only.

What happens to the individual patches after October? 
There will not be any individual patches from October 2016.

How are office updates deployed in the servicing model?
Office patches are not part of the new servicing model. All the updates to the Office products will be deployed like before. These servicing changes are ONLY for Windows OS products, not for any other Microsoft product.

How can we block an update from security and quality rollup if there is an issue?
No, we cannot block a single update from a security rollup. That is why, before rolling out any updates to the production devices, test as much as you can. The other option is deploying Security only updates and excluding the unwanted update from the list.

Read the complete article More on Windows 7 and Windows 8.1 servicing changes

Sunday, September 4, 2016

Software updates ADR only for x64 updates or for x86 updates

This article will help in creating Automatic Deployment Rule to deploy ONLY Windows 10 x64 updates. 
Normally we can use the built-in property filters to filter out non-English, severity-based and superseded updates. We can also use the Required option to add an update to the ADR only if it is required by more than x devices.
When we use filter property for Language - English, Product - Windows 10 or Windows 10 LTSB Severity - Critical OR Important, Superseded - No, I will get below number of updates;

I want to keep the updates only for the x64 platform and remove those for x86. We don’t have any built-in filter to achieve this. So to get updates for only the x64 platform, simply select the Title property filter then add x64. This will filter out all the updates which don’t have x64 in the title of the update.

The new update list will look as below;

To get only the x86 updates, select the Title property filter then add -x64. This will remove all the updates which have x64 in the update title and will keep the updates which don’t have x64.

The new update list will provide only x86 updates as below;

Friday, September 2, 2016

List all the data sources used in SCCM SSRS reporting

If we ever need to find out which data source is used by a particular report, run the query below in SQL Server Management Studio.
The query lists all the reports and the data source assigned to each of them.
****************************************************************
-- Catalog.Type = 2 restricts the result to reports
SELECT Catalog.Name, Cat1.Name AS DataSource
FROM Catalog
JOIN DataSource ON Catalog.ItemID = DataSource.ItemID
JOIN Catalog Cat1 ON DataSource.Link = Cat1.ItemID
WHERE Catalog.Type = 2
****************************************************************

Sunday, August 28, 2016

RecoverCrypto: File is encrypted, but no key was provided

Windows 10 1607 feature update will fail when deployed with SCCM Current Branch 1606.
The following error will be displayed in C:\$Windows.~BT\Sources\Panther\setupact.log
RecoverCrypto: File is encrypted, but no key was provided.
MOUPG  CDlpActionRecoverCrypto::DoCrypto(1713): Result = 0xC1800118
 
WUAHandler.log will show;
Upgrade installation result indicates that commit cannot be done. 
Installation job encountered some failures. Error = 0x80240022. Commit Result = 0x00000001.

We will receive above error even after installing KB3159706 with post installation steps.
I think the post installation steps are incomplete and not documented very well.

After installing KB3159706, the SUP needs to be uninstalled and re-installed.
This will fix the "File is encrypted, but no key was provided" error.

If remediating an existing environment, the best thing will be;
- Uninstall WSUS
- Delete SUP database
- Remove WSUS folder
- Uninstall SUP
- Reboot the server
- Delete the Update services folder from C:\Program Files
- Install WSUS
- Install KB3095113 (If not installed previously)
- Install KB3159706 (If not installed previously)
- Reboot the server
- Install SUP
If installing on a new environment;
- Install WSUS
- Install KB3095113
- Install KB3159706
- Reboot the server
- Install SUP

Once the SUP is successfully installed, create a new servicing plan and deploy the feature update.
This time the update will install without File is encrypted, but no key was provided.

Tuesday, August 16, 2016

Failed to copy Program Files\Microsoft Configuration Manager\bin\x64\smspxeperf.dll

You may receive below error msg when upgrading System Center Current Branch 1602 to 1606. (in fact in any SCCM version upgrade)

distmgr.log on the Primary site;
Failed to copy f:\Program Files\Microsoft Configuration Manager\bin\x64\smspxeperf.dll to \\SCCB-DP-W2012.LAB\SMS_DP$\sms\bin\smspxeperf.dll. GLE = 32
or
The distribution point ["Display=\\SCCB-DP-W2012.LAB \"]MSWNET:["SMS_SITE=SCB"]\\SCCB-DP-W2012.LAB \ is not installed or upgraded yet.
or
DP thread with ID 6096 failed to process DP action

Event Log on problem DP;
On the DP, Application event log will show "An error occurred while trying to load the module from \SMS_DP$\sms\bin\smspxe.dll for provider SMSPXE. If the provider is marked as critical, the Windows Deployment Services server will be shut down".
Error Information: 0x7F

This will break all the content distribution to the problem distribution point in SCCM.

Fix:
First check and compare the smspxeperf.dll on the primary site server with file on the problem DP.
If the versions don’t match, then rename the existing version on the DP.
If you get an access denied error, stop the WDS service, then rename smspxeperf.dll. Now copy the new file from the primary server or CAS to the problem DP under \SMS_DP$\sms\bin\
You can wait for an hour for the site server to re-run the DP upgrade or simply restart the SMS_SITE_COMPONENT_MANAGER service on the primary site server. This will start the upgrade process straight away. Review distmgr.log to see the progress of the upgrade.
Once the DP is upgraded try to distribute a simple package and that should get distributed without any issues.

Also review the \SMS_DP$\sms\bin\vcredist.log on the DP for any errors, as in many instances Visual Runtime install also caused the problem.
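
The version comparison from the first step of the fix can be scripted as below, so that both the file version and the file content (SHA-256) are compared before anything is renamed or copied. This is an added example, not part of the original post; the function name Compare-DpBinary is made up, and the default paths are the two paths quoted in the distmgr.log line above.

```powershell
# Added example, not from the original post.
function Compare-DpBinary {
    [CmdletBinding()]
    param(
        # Defaults are the two paths quoted in the distmgr.log line above
        [string]$SitePath = 'f:\Program Files\Microsoft Configuration Manager\bin\x64\smspxeperf.dll',
        [string]$DpPath   = '\\SCCB-DP-W2012.LAB\SMS_DP$\sms\bin\smspxeperf.dll'
    )

    $files = foreach ($path in $SitePath, $DpPath) {
        $row = [pscustomobject]@{ Path = $path; FileVersion = $null; SHA256 = $null; Note = '' }
        if (-not (Test-Path -LiteralPath $path)) {
            $row.Note = 'file not found'
        } else {
            $row.FileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            try {
                $row.SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch {
                # GLE = 32 in distmgr.log is ERROR_SHARING_VIOLATION: the file is
                # held open by another process, so hashing it can fail the same way.
                $row.Note = "could not hash: $($_.Exception.Message)"
            }
        }
        $row
    }

    $site, $dp = $files
    [pscustomobject]@{
        Files       = $files
        SameVersion = ($null -ne $site.FileVersion) -and ($site.FileVersion -eq $dp.FileVersion)
        SameContent = ($null -ne $site.SHA256) -and ($site.SHA256 -eq $dp.SHA256)
    }
}

$r = Compare-DpBinary
$r.Files | Format-List
"Same version: $($r.SameVersion)   Same content: $($r.SameContent)"
```

Run it again after copying the new file: SameContent should be True before the SMS_SITE_COMPONENT_MANAGER service is restarted.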

Friday, August 5, 2016

SCCM SQL Server vlogs

If we ever want to view the SQL logs to troubleshoot an SCCM related issue, we can get the information from the SQL vLogs view.

To get the top 1000 records from vLogs;
SELECT TOP 1000 * FROM vLogs
NOTE: make sure you use TOP, otherwise SQL will return all the log entries and will cause performance issues.

To search vLogs for entries with a log time between two dates;
SELECT * FROM vLogs
WHERE LogTime > '2016-07-25 12:00:00' AND LogTime < '2016-07-26 12:00:00'
ORDER BY LogTime DESC

Wednesday, August 3, 2016

SCCM 1606 Step by Step Upgrade Guide

A week or so ago Microsoft released Update 1606 for System Center current branch.
The 1606 release notes can be found on Microsoft Enterprise Mobility and Security Blog

If the SCCM 1606 update is not showing up in the console (most likely you are not in the first release ring) and you don’t want to wait, then get EnableUpdateRing.ps1 from Here

Launch PowerShell as administrator then run EnableUpdateRing.ps1 <Siteservername>
Note: Just use server name without FQDN.
You will get The command(s) completed successfully.

Now go to \Administration\Overview\Cloud Services\Updates and Servicing node in SCCM console, then run Check for updates.

After 10-15 min, the console will show Configuration Manager 1606 and it should be in downloading state;

The SMS_DMP_DOWNLOADER component will start downloading a large file and we can see download of a large file in dmpdownloader.log (<Install_DIR>\Microsoft Configuration Manager\Logs\);

Before upgrading the SCCM to 1606, the versions will be (1602);
          System Center Configuration Manager Version 1602
          Console Version: 5.0.8355.1306
          Site Version: 5.00.8355.1000

Once the download is completed, the console will show the state of Configuration Manager 1606 is Available

Now like any other previous updates, first run the Run Prerequisite check. Once the prerequisite check is passed then run Install Update Pack.
It will start the Configuration Manager updates wizard. Click next on the General tab

Select required features to be installed then click next;

Select required client update options then click next;

Accept the license terms then click next;

Review the selection options then click next;

Close the completion window. It will take 20-30 min (based on the server performance) to complete the update.

If we re-launch or check the console version, we will get a popup message saying A new version of the console is available (5.00.8412.100).
Click OK to upgrade the console.

Once the update is installed the version number of SCCM will be;
         System Center Configuration Manager Version 1606
         Console Version: 5.0.8412.1003
         Site Version: 5.0.8412.100

That’s It.
We have completed upgrading System Center Current Branch 1602 to System Center Current Branch 1606.
