LanSweeper Scanner Stuck IP Scanning

The LanSweeper scanner does not finish scanning devices in the IP Scanning queue: IP addresses are shown as processing but never complete.


Exclude Problematic IP or Device

Try to determine the device with the IP address where the scanner is getting stuck. If unneeded, try excluding the device type or the specific IP address:

From the Scanning Tab, select Scanning Targets, then click Add Exclusion 


LanSweeper provides 4 Exclusion Types:

Asset Type, IP Address or Range, Windows Computer, and Workgroup or Domain.


Disable Unneeded Scanning Services

Configuration Tab
Click Server Options


Lower Log Data Retention

On the same page, lower the retention of any or all logs - especially Eventlog Entries



Perform LanSweeper Database Maintenance 

On the LanSweeper Scanning Server
Launch Windows Services
Stop the LanSweeper Server Service


Stop IIS Service


Run the LanSweeper Database Maintenance Tool
C:\Program Files (x86)\Lansweeper\Tools\DatabaseMaintenance.exe



Click Truncate Logs
Status will show "In Progress". Status will show "Healthy" when completed.

Click Shrink
Status will show "In Progress". Status will show "Healthy" when completed.

Click Rebuild Index
Status will show "In Progress". Status will show "Healthy" when completed.

Close the LanSweeper Database Maintenance Tool

Restart IIS Express Service



Restart LanSweeper Server Service



Deploying Windows Metro Apps With Microsoft Endpoint Configuration Manager (MECM) Without the Microsoft Store Installed

To deploy Windows Metro apps in Config Manager, first download the desired app.

Open a browser and navigate to the Microsoft Store: https://www.microsoft.com/en-us/store/apps/windows

Search for and locate the desired app.

Copy the URL from the address bar without the trailing #activetab=pivot:overviewtab fragment.

ex: https://www.microsoft.com/en-us/p/windows-camera/9wzdncrfjbbg

Convert the link to the actual Microsoft Store item using the website https://store.rg-adguard.net.

Change the option RP to Retail, then click the check mark.

From the results, locate the latest version with the extension appxbundle.

To download the app package, copy and paste the link and open it in a new browser tab (clicking for some reason usually doesn't work).

Create a package in MECM console and distribute it with the app

Copy the application to a network share.

Overview - Software Library - Applications - Packages
Click the Create Package icon
provide the package a name
check the box "This package contains source files" and browse to the network share where the app was saved
NEXT
click the radio button Do Not Create a Program
NEXT
NEXT
CLOSE

Right Click the newly created package
Click Distribute Content
proceed to deploy to all distribution servers

Create a Task Sequence to Install the App

Overview - Software Library - Operating Systems 
Expand Task Sequences
Click Apps
Click the Create Task Sequence icon
Name the task sequence

add Run Command Line

name: enable Client License Service

Command Line:  cmd /c sc config ClipSVC start= auto

on the options tab check "continue on error" 


add Run Command Line

name: Start Client License Service

Command Line:  net start ClipSVC

on the options tab check "continue on error" 


add Run Command Line

name: Enable Appx Deployment Service

Command Line:  cmd /c sc config AppxSVC start= auto

on the options tab check "continue on error" 


add Run Command Line

name: Start Appx Deployment Service

Command Line:  net start AppxSVC

on the options tab check "continue on error" 


add Run Command Line

name: Copy App

Command Line: Xcopy ".\" "C:\Temp" /D /E /C /R /H /I /K /Y /Q

check the Package box

browse to the package created in the previous step


add Run Command Line

name: Install App

Command Line: cmd /c DISM.exe /Online /Add-ProvisionedAppxPackage /PackagePath:"C:\Temp\<package name downloaded in step one>" /SkipLicense


add Run Command Line

name: Clean Up

Command Line: cmd /c del /q "c:\temp\<package name downloaded in step one>"

Click OK

Deploy the Task Sequence

Right click the newly created task sequence and deploy it to the appropriate device collection

Change the Internet FQDN for a Configuration Manager (SCCM) (MECM) Distribution Point/Management Point Internet-Based Client Management (IBCM)

To Change the Internet FQDN for a Configuration Manager (SCCM) (MECM) Distribution Point/Management Point Internet-Based Client Management (IBCM) 


  • Open Configuration Manager Console
  • Navigate to Administration
  • Site Configuration
  • Servers and Site System Roles
  • Click the name of the site system to update
  • in the lower pane, right click Site System
  • click Properties
  • On the General tab, modify the entry "Internet FQDN"
  • Click OK

Using REG QUERY to Find Uninstallers on Remote Machines

One of the most tedious tasks a System Administrator or Information Security Analyst faces is locating the proper uninstaller to remove an unauthorized or vulnerable application software package from a remote client machine.

The command-line tool REG QUERY is your friend.

Open a command prompt with administrator level access and enter the following command:

REG QUERY \\RemoteMachineName\HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s

This command returns all uninstaller information listed 

REG QUERY \\RemoteMachineName\HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall /s

This command returns all uninstaller information listed under the WOW6432Node section

Review the information from these two commands, and locate the uninstaller required.
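Reviewing the /s output by eye gets slow on machines with hundreds of entries. The following Python sketch is an added example, not part of the original post: it parses saved REG QUERY output and lists each entry's DisplayName with its uninstall command. The sample output and product names are constructed, and the helper names are hypothetical.

```python
import re

# Value lines in `reg query` output: indent, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

def parse_reg_query(text):
    """Return {subkey_path: {value_name: data}} from `reg query ... /s` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line = registry key path
            current = keys.setdefault(line.strip(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m["name"]] = m["data"].strip()
    return keys

def find_uninstallers(text, name_filter=""):
    """List entries that have an uninstall command, optionally filtered by DisplayName."""
    hits = []
    for path, values in parse_reg_query(text).items():
        # Prefer the silent command when the vendor registered one.
        cmd = values.get("QuietUninstallString") or values.get("UninstallString")
        name = values.get("DisplayName", "")
        if cmd and name_filter.lower() in name.lower():
            hits.append({"key": path.rsplit("\\", 1)[-1], "name": name,
                         "version": values.get("DisplayVersion", ""), "command": cmd})
    return hits

# Constructed sample output (not from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}
    DisplayName    REG_SZ    Example Viewer
    DisplayVersion    REG_SZ    4.1.0
    UninstallString    REG_SZ    MsiExec.exe /X{11111111-2222-3333-4444-555555555555}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ExampleAgent
    DisplayName    REG_SZ    Example Agent
    UninstallString    REG_SZ    "C:\Program Files\Example Agent\uninstall.exe"
    QuietUninstallString    REG_SZ    "C:\Program Files\Example Agent\uninstall.exe" /S

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\KB0000000
    ParentKeyName    REG_SZ    OperatingSystem
"""

if __name__ == "__main__":
    for hit in find_uninstallers(SAMPLE):
        print(hit["name"], hit["version"], "->", hit["command"])
```

Redirect each REG QUERY command to a text file and pass the file contents to find_uninstallers; run it once for the native key and once for the WOW6432Node key.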


SCCM MECM Configuration Manager Client not downloading content from distribution point Error: CTM encountered error processing reply from DTS. Code 0x80096004

Configuration Manager Client not downloading content from distribution point. Verified a distribution point was properly assigned to the applicable boundary group and that the distribution point had the content in question.

Reviewing the CCMCACHE folder on the client machines, found folders created for the content in question but no actual content. Began reviewing log files in C:\Windows\CCM\Logs 


In CAS.LOG: Error CTM encountered error processing reply from DTS. Code 0x80096004

Error Code: 0x80096004 (2148098052)

Error Name: TRUST_E_CERT_SIGNATURE

Error Source: Windows

Error Message: The signature of the certificate cannot be verified.

The client was registered using the self-signed certificate issued to 'SMS'. The client is configured to use HTTPS when available.

In the CAS.log, both http and https locations are being returned for content locations.

When the issue occurs, the following events occur leading to the 0x80096004 error:

CTM job {A18CC6C5-2A7B-4D84-B4C2-3EB1EC1F22EF} switched to location 'xxx/SMS_DP_SMSPKG$/ACC00A5E'


CTM job {B64D5D76-3846-4415-84F4-503722AF09C8} switched to location 'http://xxx/SMS_DP_SMSPKG$/ACC00A70'


CTM job {A0E7A3F6-76C6-449A-BB13-2C5D5439FE03} switched to location 'http://xxx/SMS_DP_SMSPKG$/Content_81f1d394-c68c-4d8e-8fdd-33756a934992.1'


CTM encountered error processing reply from DTS. Code 0x80096004


CTM job {620B0A00-D1D8-4115-A7D1-962E268AFCCF} entered phase CCM_DOWNLOADSTATUS_PREPARING_DOWNLOAD


CTM encountered error processing reply from DTS. Code 0x80096004


CTM job {A0E7A3F6-76C6-449A-BB13-2C5D5439FE03} entered phase CCM_DOWNLOADSTATUS_PREPARING_DOWNLOAD


CTM job {A18CC6C5-2A7B-4D84-B4C2-3EB1EC1F22EF} entered phase CCM_DOWNLOADSTATUS_PREPARING_DOWNLOAD


CTM encountered error processing reply from DTS. Code 0x80096004


CTM job {B64D5D76-3846-4415-84F4-503722AF09C8} entered phase CCM_DOWNLOADSTATUS_PREPARING_DOWNLOAD


CTM encountered error processing reply from DTS. Code 0x80096004




In the DataTransferService.log:


Completed validation of Certificate [Thumbprint F49997EE2BB8A7ABC5A7B9FE929B08B969DD7981] issued to 'xxx'

Failed to verify if the cert is sccm issued. Error 0x80096004 

Completed validation of Certificate [Thumbprint F49997EE2BB8A7ABC5A7B9FE929B08B969DD7981] issued to 'xxx' 

Begin validation of Certificate [Thumbprint F49997EE2BB8A7ABC5A7B9FE929B08B969DD7981] issued to 'xxx' 

DTS job: '{F3496177-0337-4DDA-9672-473BEFB7BEFD}' AddTransportSecurityOptionsToBITSJob failed: (0x80096004) 

Completed validation of Certificate [Thumbprint F49997EE2BB8A7ABC5A7B9FE929B08B969DD7981] issued to 'xxx' 

Failed to verify if the cert is sccm issued. Error 0x80096004 

DTS job: '{FCAA0817-C92F-46E4-AD39-C1E23B25BCAA}' AddTransportSecurityOptionsToBITSJob failed: (0x80096004) 


 Resolution: 

  1. Connected to the Primary Site Server's Configuration Manager Admin Console and reviewed the properties for the applicable Distribution Point.

    On the Communications Tab, found the self-signed certificate's expiration date had passed.

    Updated the self-signed certificate's expiration date.

  2. On the distribution server, opened CertLM.MSC from an administrator command prompt and reviewed the certificates.


    Found SMS Issuing certificate was not in the Personal Store nor the Trusted Root. Exported SMS Issuing Certificate from the site server and imported into Personal Store and the Trusted Root on the problematic Distribution Server.

  3. Reviewed IIS Manager on the Distribution Server:
    Default Website
    SMS_DP_PKG$
    Authentication

    Found Windows Authentication missing

    Opened Server Manager
    In Server Manager, click the Manage menu, and then click Add Roles and Features.
    In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
    On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select Windows Authentication. Click Next.
    On the Select features page, click Next.
    On the Confirm installation selections page, click Install.
    On the Results page, click Close.

    Restarted Distribution Server

  4. Reviewed DataTransferService.log and found successfully completed downloads
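To check many clients for the same failure, the DataTransferService.log messages quoted above can be matched mechanically. The following Python sketch is an added example, not part of the original post: it ties each "Failed to verify" error to the certificate thumbprint being validated and collects the DTS jobs that failed. It assumes the lines are in chronological order; the sample lines, thumbprints, host names and job ID are constructed.

```python
import re
from collections import Counter, defaultdict

CERT_RE = re.compile(r"(Begin|Completed) validation of Certificate "
                     r"\[Thumbprint ([0-9A-Fa-f]{40})\] issued to '([^']*)'")
VERIFY_FAIL_RE = re.compile(
    r"Failed to verify if the cert is sccm issued\. Error (0x[0-9A-Fa-f]{8})")
JOB_FAIL_RE = re.compile(r"DTS job: '(\{[0-9A-Fa-f-]{36}\})' "
                         r"AddTransportSecurityOptionsToBITSJob failed: \((0x[0-9A-Fa-f]{8})\)")

def triage_dts_log(lines):
    """Attribute verification failures to the most recently named certificate.

    Assumption: lines are oldest first. Uses search(), so the full CCM log
    line wrapper around each message does not matter.
    """
    cert_errors = defaultdict(Counter)    # thumbprint -> {error code: count}
    subjects, failed_jobs = {}, []
    current = None                        # thumbprint named by the last validation line
    for line in lines:
        if m := CERT_RE.search(line):
            current = m.group(2).upper()
            subjects[current] = m.group(3)
        elif m := VERIFY_FAIL_RE.search(line):
            cert_errors[current or "unknown"][m.group(1).lower()] += 1
        elif m := JOB_FAIL_RE.search(line):
            failed_jobs.append((m.group(1), m.group(2).lower()))
    return {"cert_errors": {t: dict(c) for t, c in cert_errors.items()},
            "subjects": subjects, "failed_jobs": failed_jobs}

# Constructed sample: one certificate that fails verification, one that passes.
SAMPLE = """\
Begin validation of Certificate [Thumbprint 0123456789ABCDEF0123456789ABCDEF01234567] issued to 'dp01.example.test'
Failed to verify if the cert is sccm issued. Error 0x80096004
Completed validation of Certificate [Thumbprint 0123456789ABCDEF0123456789ABCDEF01234567] issued to 'dp01.example.test'
DTS job: '{00000000-0000-0000-0000-000000000001}' AddTransportSecurityOptionsToBITSJob failed: (0x80096004)
Begin validation of Certificate [Thumbprint FEDCBA9876543210FEDCBA9876543210FEDCBA98] issued to 'dp02.example.test'
Completed validation of Certificate [Thumbprint FEDCBA9876543210FEDCBA9876543210FEDCBA98] issued to 'dp02.example.test'
""".splitlines()

if __name__ == "__main__":
    result = triage_dts_log(SAMPLE)
    for thumb, errors in result["cert_errors"].items():
        print(thumb, result["subjects"][thumb], errors)
```

A thumbprint that shows up in cert_errors on many clients points at the distribution point's certificate chain rather than at any one client.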

SCCM MECM Configuration Manager: Troubleshooting Windows Update Deployments (WSUS) - Clients Not Showing Progress and Clients With Unknown Status

When reviewing Windows Update deployments in Configuration Manager under Monitoring - Deployments, the administrator discovers numerous clients showing unknown status, and the compliant status is not incrementing.

Troubleshooting

Start by utilizing the built in tools in the Configuration Manager Reporting:

  1. Navigate to Monitoring - Reporting - Reports
  2. Expand "Software Updates - E Troubleshooting"
  3. Run the report "Troubleshooting 1 - Scan Errors"
  4. Run the report "Troubleshooting 2 - Deployment Errors"
  5. Run the report "Troubleshooting 3 - Computers Failing With Specific Scan Error"
  6. Run the report "Troubleshooting 3 - Computers Failing With Specific Deployment Error"
  7. Review the reports

Possible Errors Found:

Error Code -2145107934 Hex Error Code 80244022 "Same as HTTP Status 503 - the service is temporarily overloaded"

and 

Error Code -2145107940 Hex Error Code 8024401C "Same as HTTP status 408 - the server timed out waiting for the request"

These errors indicate a possible issue with the WSUS IIS Application Pool.
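The same error appears as a signed decimal in the reports (-2145107934), as an unsigned decimal in the earlier certificate section (2148098052) and as hex in the client logs. The following Python sketch is an added example, not part of the original post: it normalises all three notations to one hex form so report rows can be grouped and matched against log entries. The report rows and computer names are constructed, and the helper names are hypothetical.

```python
import re
from collections import defaultdict

# Meanings exactly as given on this page.
MEANINGS = {
    "0x80244022": "Same as HTTP Status 503 - the service is temporarily overloaded",
    "0x8024401C": "Same as HTTP status 408 - the server timed out waiting for the request",
    "0x80096004": "TRUST_E_CERT_SIGNATURE - The signature of the certificate cannot be verified.",
}

def to_hresult(value, bare_hex=False):
    """Return the code as canonical 0xXXXXXXXX text.

    Accepts signed or unsigned decimal and 0x-prefixed hex. Bare digits such as
    "80244022" are ambiguous, so they are read as hex only when bare_hex=True.
    """
    text = str(value).strip()
    if text.lower().startswith("0x") or bare_hex:
        number = int(text, 16)
    elif re.fullmatch(r"-?\d+", text):
        number = int(text)
    else:
        raise ValueError(f"unrecognised error code: {value!r}")
    if not -0x80000000 <= number <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit code: {value!r}")
    return f"0x{number & 0xFFFFFFFF:08X}"   # two's complement for negative input

def split_hresult(code):
    """Split into (failure bit, facility, facility-specific code)."""
    n = int(to_hresult(code), 16)
    return n >> 31, (n >> 16) & 0x7FF, n & 0xFFFF

def group_by_code(rows):
    """rows: (computer, raw code) pairs -> {canonical code: [computers]}."""
    groups = defaultdict(list)
    for computer, raw in rows:
        groups[to_hresult(raw)].append(computer)
    return dict(groups)

# Constructed report rows mixing the notations (computer names are made up).
ROWS = [("PC-001", "-2145107934"), ("PC-002", "0x80244022"),
        ("PC-003", "-2145107940"), ("PC-004", "2148098052")]

if __name__ == "__main__":
    for code, computers in group_by_code(ROWS).items():
        print(code, MEANINGS.get(code, "not listed on this page"), computers)
```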

Resolution:

Review the WSUS IIS Application Pool in IIS Manager.
If it is stopped, this may indicate the service is crashing due to lack of adequate resources and may need to be optimized.

  1. Restart the WSUSPOOL in IIS Manager
  2. Optimize the Service:
  3. IIS Manager > Application Pools > WsusPool > Advanced Settings 
  4. Make the following changes to the settings for the WSUSPool:
Queue Length: 2000 (default 1000)
Idle Time-out (minutes): 0 (default 20)
Ping Enabled: False (default True)
Private Memory Limit (KB): 0 (unlimited) (default 1,843,200 KB)
Regular Time Interval (minutes): 0 (to prevent a recycle) (default 1740)

image source: https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/windows-server-update-services-best-practices#disable-recycling-and-configure-memory-limits




SCCM MECM Configuration Manager Clients Not Checking in With Management Point, Server Certificate Retrieved in TLS is Not an Exact Match of the Current MP Encryption Certificate 0x80004005

Issue: 

After migrating to a new management point, many clients were not checking into the management point. When reviewing the Devices under Assets and Compliance, many clients were showing offline even though they were actually online and responded to ping from the server.

Reviewing the logs on the client machines, the CCM Notification log CCMNotificationAgent.log showed:

Server Certificate Retrieved in TLS is Not an Exact Match of the Current MP Encryption Certificate 0x80004005

Reviewing logs on the management point server, the BGB Server Log bgbserver.log  showed:

Expecting More Data From Client

and

Can't Finish Connecting With Client, Which Might Have Already Disconnect System.IO.IOException: Authentication Failed Because the Remote Party Has Closed the Transport System

Reviewing the Configuration Manager Console

Administration - Hierarchy Configuration - Active Directory Forests

Publishing Status showed Authentication Failure

Reviewed properties of Domain Forest and Use Computer Account of Site Server was checked

Resolution:

In Active Directory Users and Computers Click View and check Advanced
Expand System OU
Grant the Site Server's Computer Account Full Permissions on the System Management container


This article was helpful in resolving the issue: http://eskonr.com/2019/12/client-assignment-failed-from-http-to-https-with-error-code-failed-to-verify-message-could-not-retrieve-certificate-from-mpcert/