Configuration Manager Client fails to install after KB2828233 Hotfix is Installed

Posted: May 24, 2013 in Configuration Manager, System Center Configuration Manager 2012
Tags:

After the “Update for System Center Endpoint Protection 2012 Client – KB2831316”  was released back in April and the SCEP 2012 version was updated from 4.1.522.0 to 4.2.223.0 every client we deployed always had to install the KB2831316 after it was deployed to get the updated version.

So today I decided to install “KB2828233 – An anti-malware platform update for stand-alone System Center 2012 Endpoint Protection Service Pack 1 clients is available from Microsoft Update” that fixes this problem since it will update the client files on the site server to the newest version;

1

when a client is deployed now it will have version 4.2.223.0 of SCEP 2012 installed directly.

After the update was installed on my site server and the distribution point was updated, I decided to re-deploy a computer to verify that it worked. So this was when the “fun” began, when the Task Sequence reach the “Setup Windows and ConfigMgr” step, the Task Sequence fails and the sccm client will not install. I tried 2 more times with the exact same result. So what is happening?

I logon to the machine to take a look at the ccmsetup.log (located here; C:\Windows\ccmsetup\Logs) and there I see what the problem is;

File ‘C:\Windows\ccmsetup\SCEPInstall.exe’ with hash ‘495B488FFCEE7C2D682AC6ABFC62D7F9CCB15E22911BA2B76C41307343E617CC’ from manifest doesn’t match with the file hash ‘EEBF8FBE6920D51B2728DE6303457F25DE302C1E3A5742ED175D281CAEC276BD’ ccmsetup 5/24/2013 2:37:53 PM 6940 (0x1B1C)

I did a quick search online and found the following post on the Technet Forums; SCEPinstall.exe fails hash check after KB2828233 Hotfix

So I checked my ccmsetup.xml (found inside the ccmsetup.cab file in the Client folder) file to see if this was it;

<Item FileName="SCEPInstall.exe" FileHash="495B488FFCEE7C2D682AC6ABFC62D7F9CCB15E22911BA2B76C41307343E617CC" KeepAfterExit="true">
<Applicability Platform="ALL" OS="ALL"/>  
<Discovery Type="File" Identifier="%windir%\ccmsetup\SCEPInstall.exe" VerifyHash="true">
<Property Name="Version" Operator="&gt;=">4.1.522.0</Property>
</Discovery>
<Installation Order="17" InstallationType="NONE"/>
</Item>

The file in my Client folder is the following and check the dates;

2

So I decide to try the fix from the forum post and uninstalls the KB2828233 hotfix and then I rename the ccmsetup.cab file in the Client folder to ccmsetup.bak and install the KB2828233 hotfix again, after the installation a new ccmsetup.cab is created. (Note the date on this file in the screenshot below)

3

I check the ccmsetup.xml again inside this newly created ccmsetup.cab file and this is now what I see;

<Item FileName="SCEPInstall.exe" FileHash="EEBF8FBE6920D51B2728DE6303457F25DE302C1E3A5742ED175D281CAEC276BD" KeepAfterExit="true">
<Applicability Platform="ALL" OS="ALL"/>
<Discovery Type="File" Identifier="%windir%\ccmsetup\SCEPInstall.exe" VerifyHash="true">
<Property Name="Version" Operator="&gt;=">4.2.223.0</Property>
</Discovery>
<Installation Order="17" InstallationType="NONE"/>
</Item>

As you see the FileHash and Version is now updated to the correct values.

So I update the Client Package so it sends the new bits to the distribution point and starts a new OSD, and now everything completes successfully and the SCEP 2012 version installed is version 4.2.223.0.

The reason that this happened in the first place is described in the article and this is why the dates on the ccmsetup.cab files are important;

We installed SCCM 2012 SP1 PRIOR to the refreshed source code that contained the updated version of microsoftpolicyplatformsetup.msi, so we had already installed “KB2801987 – Installation error 0x800b0101: System Center 2012 Configuration Manager Service Pack 1 client” on the site server to fix this problem; this hotfix update the date on the ccmsetup.cab file to 11.01.2013, so then when I installed KB2828233, the ccmsetup.cab was not updated since it had a newer date than the one in the hotfix. You see this after I re-install the hotfix after renaming ccmsetup.cab to .bak and the ccmsetup.cab is installed from the hotfix, the date now is 20.12.2012 and contains the correct Hash for SCEPInstall.exe.

Spent a lot of time with this issue before I figured it out so hopefully this will assist someone else getting this issue too and a big thank you to William Bracken who posted the solution on the Technet Forums.

Advertisements
Comments
  1. Rob says:

    Hi Odd-Magne Kristoffersen,

    1st, very useful post! – leads me to have a couple of questions:

    #1. Where is the hotfix for the SCEP SP1 platform update supposed to be installed? – you mention in the post that you installed it on the management server, but this isn’t mentioned on the KB itself (how would you find this out if, like me, your new to this tech??).

    — Assuming the HF is applied to the Management Server: Does SCCM automatically push the SCEP agent update or is there further steps necessary? (packages, deployment rules etc)

    #2. I notice the SCEP platform update is available via win updates (but is the stand alone version) – so in theory could be deployed via WSUS and SCCM using a one off ADR – what would be the correct filter settings to grab this update?

    #3. RE The problem you faced – was this due to an early download of the SCCM 2012 .iso? – I understand there was a re-release of the .iso in late Jan 2013 that fixed some issues: http://www.windows-noob.com/forums/index.php?/topic/7342-you-may-need-to-re-download-configuration-manager-2012-and-endpoint-protection-2012-sp1-binaries/ — if not, potentially the same issue could affect everyone?

    — There are 2 versions of the SCCM managed platform updates – one for SP! and one for SP1 + CU1. If we apply this HF would we need to reapply if upgrading the environment to SP1 CU1?

    … what a mess this MS stuff is!! 🙂

    any help to clarify would be much appreciated, it seems the more you dig into this with MS the more confusing it all seems!

    Thanks
    Rob

    • Hi Rob,

      #1 – Install the HF on your Primary Site, and it will update the Client folder with the newest bits. Assuming you are using the default ‘Configuration Manager Client Package’ there is nothing more you need to do for your new clients to get the latest bits. (You might need to go to Software Library -> Packages and right click Your Configuration Manager Client Package and click Update Distribution Points.)

      #2 – To exsisting Clients you can deploy this update using WSUS/SCCM with an ADR as you describe. I assume you already have an ADR for Endpoint Protection Definition Updates, do not include this update in this ADR since the result could be that your clients starts rebooting in work hours. Your ADR for Endpoint Protection Definition Updates should have a criteria with Update Classification “Definition Updates” so only definition updates deployd with this rule.

      I’ve included ‘Forefront Endpoint Protection 2010’ as a Product criteria in my Patch Tuesday ADR and this update was picked up by that ADR and deployed to existing Clients.You will also need a criteria with Update Classification “Critical Updates” for this update to be picked up by the ADR.

      #3 – I used the early bits and I’m not sure if this is fixed in the re-release. You can check this by looking at the date of the ccmsetup.cab in your client folder.

      #4 – If you apply this patch before you apply CU1 you will need to re-apply it after you’ve installed CU1 by using the CU1 version of this HF. (This is what I had to do, since I applied CU1 after I wrote this post.)

  2. weho says:

    Thank you for this!

  3. weho says:

    Question: When you said: “So I decide to try the fix from the forum post and uninstalls the KB2828233 hotfix and then I rename the ccmsetup.cab file in the Client folder to ccmsetup.bak and install the KB2828233 hotfix again, after the installation a new ccmsetup.cab is created” – What exactly did you do? Did you uninstall the hotfix and simply rename the ccmsetup.cab?

    2nd Question: You said, “So I update the Client Package so it sends the new bits to the distribution point” – How did you exactly do that? Where is that?

    Thanks for this post!

    • Hi weho,

      Question 1: You are correct, I uninstalled the hotfix, renamed the ccmsetup.cab and installed the hotfix again.

      Question 2: Go to Software Library -> Packages and right click Your Configuration Manager Client Package and click Update Distribution Points.

  4. Glad it was helpful to others! Thanks for taking the time to create a more detailed blog post about it. 🙂

  5. […] installation will fail. Or worse, if the requirements are invalid this will also cause issues. An invalid hash for SCEPInstall.exe was the culprit of an update released by Microsoft or the publically acknowledged […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s