Configuration Manager Current Branch 2006 向けロールアップ リリース (KB4578605)

皆さん、こんにちは。

今回は、Microsoft Endpoint Configuration Manager (MECM, SCCM, Configuration Manager) Current Branch 2006 向けの更新プログラム (ロールアップ) について紹介したいと思います。

今回の更新プログラムは、ロールアップであるため、複数の不具合を修正したものとなります。

<更新プログラム (ロールアップ) の詳細>

KB4578605 (https://support.microsoft.com/help/4578605)

• During client policy download, the execmgr.log repeats the following log entry multiple times every minute.

  Device is not MDM enrolled yet. All workloads are managed by SCCM

  This results in potentially valuable troubleshooting information being overwritten.

• Client computers that are performing a PXE boot to install a new operating system are unable to find the boot WIM file. This occurs when the WIM file is stored in a content library split across multiple drives. Errors resembling the following are recorded in the SMSPXE.log file.

  CContentDefinition::GetFileProperties failed; 0x80070003
  CContentDefinition::TotalFileSizes failed; 0x80070003

   

• Computers are unexpectedly removed from orchestration groups. This occurs if the site has the option Use this boundary group for site assignment enabled, but the target computers are not in that boundary group.
• Clients are unable to communicate over a custom port for a management point when other communications changes are made to the site. For example, enabling HTTPS communication for a site causes previously defined custom HTTP ports to stop working.
• State messages from clients may not be properly recorded if the client computer restarts within 10 seconds of state message generation. This results in inconsistent or unexpected state message values, affecting the accuracy of task sequence and software deployment reporting.
• Clients incorrectly attempt to use PKI certificates for communication, even if the option Use PKI client certificate (client authentication capability) when available is disabled on the Communication Security tab of Site Properties.
• Intranet clients will not fall back to another management point (MP) if the preferred MP is also a cloud management gateway.
• After updating to Configuration Manager current branch, version 2006, client installation using the PROVISIONTS property fails if the “Allow access to cloud distribution point” device setting is set to “No”.  The client is unable to download content, and an error resembling the following is recorded in the tsagent.log file.

   ‘{Task Sequence Deployment ID}’ finished with exit code 2147746050

   

• Installation of a passive site server fails if orphaned .JOB files are present in the \inboxes\schedule.box folder. A message resembling the following is repeated in the FailOverMgr.log file.

  site server job [Passive Site Server Installation][<old server>] is not targeted for this server <active server>

   

• Adding a passive site into a Configuration Manager infrastructure with at least 1 secondary site and client language packs installed will trigger a re-installation of all secondary sites.
• The Configuration Manager client installed on a Windows Embedded device stays in servicing mode if the maximum run time of a deployment is greater than the duration of the maintenance window.
• Improvements are made to the download process in the case of a timeout when the Download delta content when available client setting is enabled.
• The content download step of a task sequence may fail to download files to clients. This occurs if the BranchCache Windows feature is enabled, and the environment is using enhanced HTTP for communication with distribution points. The clients will retry the download step, but overall completion is delayed. Errors resembling the following are recorded in the smsts.log on the client.

  Downloaded file from http://{Distribution_Point}:443/CCMTOKENAUTH_SMS_DP_SMSPKG$/{Package_ID}/sccm?/{Filename.ext}
  Downloading file /CCMTOKENAUTH_SMS_DP_SMSPKG$/PR100090/sccm?/{Filename.ext} range 0-570085
  WinHttpReadData() failed.
  ReadDataAndWriteToFile() failed. 80072efd
  ReadDataAndWriteToFile() failed for C:\_SMSTaskSequence\Packages\PR100090\{Filename.ext}. 0%
  DownloadFileWithRanges() failed. 80072efd.
  DownloadFile() failed for http://{Distribution_Point}:443/CCMTOKENAUTH_SMS_DP_SMSPKG$/{Package_ID}/sccm?/{Filename.ext}, C:\_SMSTaskSequence\Packages\PR100090\{Filename.ext}. 80072efd.

   

• Improvements are made to the synchronization and processing of policy assignments and policy data between the Microsoft Endpoint admin center and the Configuration Manager console. This prevents issues such as creating a policy in the admin center that is not visible in the on-premises console.
• The Configuration Manager console may generate an exception resembling the following when attempting to complete the Co-management Configuration Wizard.

  ConfigMgr Error Object: instance of SMS_ExtendedStatus { Description = “User DOMAIN\\Username is not able to get the lock at this time. Error: 0x40480732”; ErrorCode = 1078462258;

  This occurs after removing previously created settings.

• Configuration Manager clients deployed to Mac computers receive duplicate GUIDs. This occurs if the same user name is provided as a parameter to the CMEnroll tool during client installation.
• Clients may receive the incorrect policy, including scripts or settings, when multiple orchestration groups are present. Consider the following scenario:
  Client 1 is a member of orchestration group 1.
  Client 2 is a member of orchestration group 2.
  Client 1 may receive policy from orchestration group 2, causing it to run the pre- and post-scripts intended for group 2 when installing an update intended for group 1.
  Note: Any affected orchestration groups must be deleted and recreated after installing this update to correct the policy issue.
• The setting Allow access to cloud distribution points is not configured when clients are deployed using the Autopilot service and the PROVISIONTS parameter.  This causes Install Application and Install Software Updates task sequence steps to fail.
• Client connections to a cloud management gateway may fail when multiple clients perform full software update scans in a short amount of time. Errors resembling the following are recorded in the SMS_Cloud_ProxyConnector.log file.

  ERROR: Invalid operation when send the proxy message to internal server.Exception: System.InvalidOperationException: There were not enough free threads in the ThreadPool to complete the operation.~~

   

• After installing the Windows update KB 4579311, Configuration Manager clients are unable to download Office 365 updates. Errors resembling the following are recorded in the PatchDownloader.log located in the temp directory on the client.

  Download http://officecdn.microsoft.com/pr/{update_GUID}/office/data/16.0.13231.20368/i640.cab.cat to C:\Users\{username}\AppData\Local\Temp\2\CABC1A4.tmp returns 0
  Authentication of file C:\Users\{username}\AppData\Local\Temp\2\CABC1A4.tmp failed, error 0x800b0004
  ERROR: DownloadContentFiles() failed with hr=0x80073633

   

• Windows 10 feature updates may fail to install on client computers using fast physical hardware. Errors resembling the following are recorded in the UpdatesHandler.log.

  Contents already available for the update (update_guid).
  Bundle update (bundle_guid) internal state transition: RUNNING to WAIT_CONTENTS
  Bundle update (bundle_guid) internal state transition: WAIT_CONTENTS to EXECUTE_READY
  StateCore – bundle update (bundle_guid) state changed from (WAIT_CONTENTS) to (EXECUTE_READY) as child update state changed
  Update (bundle_guid) state (6) in-consistent for job after initiating execute.
  CDeploymentJob – ExecuteUpdates failed. Error = 0x87d00654
  Failing the job ({job_guid}) as updates agent internal error.

   

• Clients may randomly fail to install an update, or series of updates, due to a timing condition when they are deployed to a software update group. Errors resembling the following are recorded in the UpdatesHandler.log.

  Failed to initiate install of WSUS updates, error = 0x87d0024a
  Failed to start WSUSUpdate, error = 0x87d0024a
  CDeploymentJob — Failed to start procesing of the update (update_guid). Error = 0x87d0024a

  Messages resembling the following are recored in the WUAHandler.log at the same time as the UpdateHandler errors.

  Async installation of updates started.
  CCM_E_JOB_ALREADY_CONNECTED, HRESULT=87d0024a
  Cannot start another installation while one is already in progress.

下記の修正プログラムも今回のロールアップには含まれています。

KB4576791

KB4580678

KB4584759

<Office 365 (Microsoft 365 Apps) の更新プログラムのダウンロードが失敗する問題について>

上記のロールアップの修正項目にも記載されていますが、2020 年 10 月にリリースされた Windows の累積更新プログラムを適用したコンピューターにおいて、Configuration Manager コンソールを用いて、Microsoft 365 Apps (Office 365 ProPlus) の更新プログラムをダウンロードするとエラーが発生します。本ロールアップでは、下記の問題にも対処しています。

After installing the Windows update KB 4579311, Configuration Manager clients are unable to download Office 365 updates. Errors resembling the following are recorded in the PatchDownloader.log located in the temp directory on the client.

Download http://officecdn.microsoft.com/pr/{update_GUID}/office/data/16.0.13231.20368/i640.cab.cat to C:\Users\{username}\AppData\Local\Temp\2\CABC1A4.tmp returns 0
Authentication of file C:\Users\{username}\AppData\Local\Temp\2\CABC1A4.tmp failed, error 0x800b0004
ERROR: DownloadContentFiles() failed with hr=0x80073633

具体的には、下記のスクリーン ショットのようにエラーが発生します。

[エラー メッセージ]

エラー: コンテンツ ID 17994266 をダウンロードできませんでした。エラー: 証明書の署名が無効です

[ログ (PatchDownloader.log)]

Downloading content for ContentID = 18027359, FileName = office\data\16.0.13328.20356\i320.cab.cat.
FileHash value is NULL. Hash verification for this file will not be performed.
Proxy is enabled for download, using registry settings or defaults.
Connecting – Adding file range by calling HttpAddRequestHeaders, range string = “Range: bytes=0-”
Download http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/office/data/16.0.13328.20356/i320.cab.cat in progress: 28 percent complete
Download http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/office/data/16.0.13328.20356/i320.cab.cat in progress: 56 percent complete
Download http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/office/data/16.0.13328.20356/i320.cab.cat in progress: 84 percent complete
Download http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/office/data/16.0.13328.20356/i320.cab.cat in progress: 100 percent complete
Download http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/office/data/16.0.13328.20356/i320.cab.cat to C:\Windows\TEMP\CAB21DC.tmp returns 0
Using machine settings for CRL checking.
Cert revocation check is disabled so cert revocation list will not be checked.
To enable cert revocation check use: UpdDwnldCfg.exe /checkrevocation
Verifying file trust C:\Windows\TEMP\CAB21DC.tmp
Authentication of file C:\Windows\TEMP\CAB21DC.tmp failed, error 0x800b0004
ERROR: DownloadUpdateContent() failed with hr=0x80073633

自動展開規則では、下記のようなエラーになっています。

エラー コード : 0X87D20417

Microsoft Endpoint Configuration Manager サポート チームの記事も公開されています。

Microsoft Endpoint Configuration Manager において、 Microsoft 365 Apps 更新プログラムのダウンロードが「証明書の署名が無効です」エラーとなる事象について

<更新プログラム (ロールアップ) のインストール>

対象環境の Configuration Manager コンソールには、下記のように KB4578605 が表示されています。特段理由がない場合は早期にアップデートすることをお勧めいたします。