Offline Servicing is broken 0x800f082f



Offline Servicing Problem.
I was at a new customer's site this week performing an assessment of their environment. Their biggest problem was patching and everything that comes with it. These were things such as broken ADRs, dozens of empty SUGs, failed packages, etc. The environment was actually behind several years of patching and it was unknown to the customer until my arrival. Even the latest image at the customer's site, which was less than 2 months old, was out of date several years on patches. It was determined at the customer's request that we address the patch compliance situation by re-imaging all the machines, as I pointed out to them that nearly 25% of the environment has been re-imaged in the last 3 months. Instead of building a fresh new image I turned to offline servicing to update the Win 7 image as a quick solution while I focus on other projects. In this environment Offline Service Error 0x800f082f was a problem when I tried to provide an updated WIM.
 

It is important that you approve/download all CBS patches for the image you intend to update. If they are not approved, nothing new will be found when you attempt to schedule updates via offline servicing. This was the problem at the customer's site, where the broken ADR was not downloading the required products. Once the patches were approved, we were able to see that over 100 patches could be added to the WIM, as shown in the screenshot below.



The process of offline servicing basically takes your selected WIM and creates a backup copy. Next, the selected patches are downloaded to a key location and then applied to the WIM with DISM. Once this completes successfully, we would expect to see a larger WIM and a backup copy of our original WIM.

On the site server we can see the folder “ConfigMgr_OfflineImageServicing” being created, with the image (MOC00BE8) and individual GUIDs. At this point, at the beginning of the process, everything looks fine.


We can track this process from start to finish in the “OfflineServicingMgr.Log” located on the primary server.

We are only starting to see failures when trying to inject patches. 

 OfflineServicingMgr.LOG

“InstallUpdate returned code 0x800f082f
Failed to install update with ID 17242935 on the image. ErrorCode = 2095”

 


 

For these errors I recommend applying the steps below to the existing WIM or to a copy of the WIM.

  1. Manually mount the image via DISM.
  2. Load the registry software key (from the image) onto your local system.
  3. Find the registry key HKLM\MyKey\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionsPending and set the “Exclusive” REG_DWORD value to “0”.
  4. Unload the registry.
  5. Commit changes to the WIM.
  6. Reimport the WIM and perform offline servicing again.

Below you will see that I ran an elevated command prompt and successfully mounted the image.

  DISM /Mount-Wim /WimFile:C:\Users\H93-extra\Desktop\20170424V4.2_MRO_Win7_ENT_SP1_x64.wim /Index:1 /MountDir:C:\Users\H93-extra\Desktop\Mount


 

Next we need to load the registry key from the mounted WIM onto our local system.

               

  Reg Load HKLM\Mykey C:\Users\H93-Extra\Desktop\Mount\Windows\System32\Config\Software

When we launch Regedit on our local system we see “MyKey” located in our HKLM on our local system. 

From here we need to expand to HKLM\MyKey\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionsPending and verify what value is set on “Exclusive”.




We see the value is currently set to “3” when it should be set to “0”. When changing it, we discover we have the permission issues shown below.

 

We need to take ownership of the key, assign full control, and make it inheritable to all child objects. That would be too much for me to edit out of the screenshot so just pretend it is below.

We are now able to set the value to “0”.


 

We can unload the registry and verify it is unloaded.

 

  Reg unload HKLM\Mykey


 

Once we have verified it is unloaded, we can go ahead and unmount the WIM.

  DISM /UnMount-Wim /MountDir:C:\Users\H93-extra\Desktop\Mount /Commit
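
The manual steps above, combined into one elevated PowerShell run (an added example, not the author's script). It uses the same dism.exe and reg.exe commands as the walkthrough, only writes when “Exclusive” is non-zero, and always unloads the hive, discarding the mount if nothing was changed or a step failed. The parameter names are assumptions, and it does not automate the ownership change: if the write is denied it stops and leaves the image untouched.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# -WimFile and -MountDir are supplied by you; MyKey is the temporary hive name from the walkthrough.
param(
    [Parameter(Mandatory)] [string] $WimFile,
    [Parameter(Mandatory)] [string] $MountDir,
    [int] $Index = 1
)
$ErrorActionPreference = 'Stop'
$hive = 'HKLM\MyKey'
$key  = "$hive\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionsPending"
$commit     = $false   # only commit if the value was actually changed
$hiveLoaded = $false

# Step 1: mount the image.
$mountArgs = '/Mount-Wim', "/WimFile:$WimFile", "/Index:$Index", "/MountDir:$MountDir"
dism.exe $mountArgs
if ($LASTEXITCODE -ne 0) { throw "Mount failed with exit code $LASTEXITCODE" }

try {
    # Step 2: load the image's SOFTWARE hive under HKLM\MyKey.
    reg.exe load $hive (Join-Path $MountDir 'Windows\System32\config\SOFTWARE') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg load failed' }
    $hiveLoaded = $true

    # Step 3: read Exclusive. reg query prints the DWORD in hex after "REG_DWORD".
    $hit = reg.exe query $key /v Exclusive |
        Select-String 'Exclusive\s+REG_DWORD\s+0x([0-9a-fA-F]+)'
    if (-not $hit) { throw "Exclusive value not found under $key" }
    $current = [Convert]::ToInt32($hit.Matches[0].Groups[1].Value, 16)
    Write-Host "Exclusive is currently $current"

    if ($current -ne 0) {
        reg.exe add $key /v Exclusive /t REG_DWORD /d 0 /f | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw 'Write denied: take ownership of SessionsPending as described in the walkthrough, then retry.'
        }
        $commit = $true
    }
}
finally {
    # Steps 4 and 5: always unload the hive; commit only when the fix was applied.
    if ($hiveLoaded) { reg.exe unload $hive | Out-Null }
    $mode = if ($commit) { '/Commit' } else { '/Discard' }
    dism.exe /Unmount-Wim "/MountDir:$MountDir" $mode
}
```

reg.exe is used instead of the PowerShell registry provider so that no open handle to the loaded hive blocks the unload.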

 


Whenever I manually modify the WIM I tend to compare the size of it. We can see below the slight change in size from our changes.

 

The new image is now renamed and imported into SCCM and we begin offline servicing. There are no errors to be seen in the “OfflineServicingMgr.Log”.

 


 

This actually successfully finishes and we can see the new size of the WIM has grown by 1.2 GB. 


 

On the WIM we can see that there are over 100 security patches added to the WIM.

 

Now there are no more x64 updates available, as the image is completely patched and ready for testing. We are now able to image new systems that are fully patched.


 

SCCM Revoked Clients Registration


I ran into an issue where a few sites would call my SCCM team indicating they were having client problems. They would say the clients do not have all action items and it has been over 2 hours since the system finished the OSD Process. I had a few initial thoughts but they all were wrong. First we verified that VMware tools on the MP was fine, boundaries were correct, and that the client was not stuck in provisioning mode. The next course of action was to connect to a machine, investigate the bad client and start checking log files.

The SCCM client looked as below, with the certificate set to None instead of Self-signed. This indicates the client has not yet registered with the MP.


The next step was to investigate the ClientIDManagerStartup.log, which showed the error “Server Rejected registration Request: 3”. This gave me the idea of clearing out the certs and trying to reinstall the client again.


However, this produced another GUID with the same error, which pointed me to check the log files on the MP.


This was quickly becoming a high exposure problem, as our environment images anywhere between 25 – 175 machines a day. After a quick Google search we were able to find a blog post where the solution was a few simple SQL lines.

The line below will identify systems that have revoked clients:

Select * from ClientKeyData where isrevoked=1


The line below will clear out the problematic requests by resetting the revoked flag on every row the query above returns. Once these are cleared, the systems should be able to register successfully.

Update ClientKeyData set isrevoked=0 where isrevoked=1


Thanks to Emmanuel Rached's blog post below, this was quickly resolved. The log files were screencaps from his blog post and everything else was from my environment. Please check out his blog as there is tons of other great stuff. https://www.emmanuelrached.com/2014/09/08/sccm-revoked-clients-registration/
