PH25

Update - I've decided that rather than move just the SCCM DB, I'll build a new site with a fresh DB and do a side-by-side migration. Although, If anyone does know the answer to the error above, I'd still be interested to know.

Hi, Has anyone come across this before? I am moving our SCCM database from SQL 2012 on a 2012r2 server to SQL 2019 on a 2019 server, by recovering from a backup. All seems to have gone fine, until the final step of running config manager setup again to choose the site maintenance option, to 'modify SQL server configuration', in order to point SCCM to the new server that is now hosting the database. ERROR: SQL Server error: [42000][137][Microsoft][SQL Server Native Client 11.0][SQL Server]Must declare the scalar variable "@String". : dbo.spCreateAndBackupSQLCert Create_BackupSQLCert : Failed to execute spCreateAndBackupSQLCert CSiteControlSetup::SetupCertificateForSSB : Failed to create/backup SQL SSB certificate. ERROR: Failed to set up SQL Server certificate for service broker on "SERVER NAME" . I have enabled broker, set trustworthy on and honor broker priority on, on the new instance before running setup.exe again. From some reading online, I believe it could be something to do with setting up SCCM initially with one account, but then changing it to another domain account running the service(s) and now somehow not being able to unlock the master key for the database certs. Sorry if this is making no sense, I am no SQL expert. Being right at the final stage of moving the database, I'm really stuck with this issue now, so any advice/pointers would be greatly welcomed, even if it's just to point me in the direction of which account I need to try to figure out was initially running things - I'm not clear whether that means the account running the config mgr console, the database instance, or the running the sql or sccm services. Thanks Paul

No. Nothing. I thought that the reports would be visible by default since the upgrade. If they don't appear until you start enabling bitlocker management, then maybe that's my answer for why I can't see them.

Ah thanks for this. I'll take a look. I didn't get a notification for this for some reason (they are turned on), so sorry for the slow reply. I don't see the BitLocker category under 'Reports' at all. I know that we do not use PKI certificates, so having had a quick glance at your posts, I guess this could cause a problem down the line with using the integrated BitLocker features, but shouldn't the reports at least be visible since I upgraded to 2107?

I'm looking to use the built in BitLocker reports. https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/view-reports I am running config mgr 2107, so believe they should be there, but I don't see them. Does anyone know how I make them appear? I've only just enabled the Bitlocker Management feature. Is this a factor? We do not use config mgr to administer BitLocker but I'm hoping that I can still access the reports. It doesn't look like I have any new reports available since upgrading to 2107. Thanks!

Since upgrading to Endpoint Configuration Manager 2107, our Win 8.1 laptops have not been communicating with Config manager. It looks like they upgraded to the new client, then stopped communicating. We do not use PKI certificates and since the upgrade, I believe I've made the correct changes to use enhanced http. The problem laptops show Client Certificate: None, rather than Self-Signed. Some reading has led me to believe that this is something to do with a new feature of 2107 that states "When you update the site and clients to version 2107, the client stores its certificate from the site in a hardware-bound key storage provider (KSP). This KSP is typically the trusted platform module (TPM) at least version 2.0". Examples of errors in client logs are - Failed to get certificate. Error: 0x80004005 Failed to set ACL to key, 0x80090029 The primary key is not found from provider Microsoft Platform Crypto Provider Does anyone have any idea how to fix this, so that clients speak to config manager again? Some forum posts suggest using a reg key HKLM\Software\Microsoft\CCM\DWORD:UseSoftwareKSP=1, but I don't want to apply that without properly understanding the implications.

I am testing what happens when users enter their bitlocker PIN wrong too many times, but cannot find a way to access the password to unlock the TPM. I believe all that is visible is a hash of it. Does anyone have any info on this? At the moment, all i can do is leave the computer logged in with recovery key and left active until the TPM reset period passes.

I have SCCM deploying Windows 8.1 via a task sequence using x64 boot image but it only works when i set BIOS to legacy. This is an issue as we have some newer PCs which use TPM 2.0 and require UEFI. When i change bios to UEFI, i cannot PXE boot. I get the message 'Start PXE over ipv4' then it moves onto 'Start PXE over ipv6', but never actually PXE boots and just loops. Can anyone help?

Hi Anyweb, I tried using your steps, but i can't distribute the empty package to the DP, as it is greyed out, presumably because it is an empty package. Is there a way around this? I only want to run two lines of powershell, is the package method the best way and how can i make it work? Task sequence fails with 0x80070002 error, because it can't find the package.

Is it possible for me to use a task sequence to pre provision and setup bitlocker on an existing drive? I don't want to have to reinstall OS on existing machines in order to get this working. So, we have OS already installed and i want to use a task sequence to perhaps shrink volume and create a new bitlocker volume, then enable bitlocker.

Hi Garth, I'm not sure at what point i had posted the original query but it was either the firewall or the fact that we only ever had one Active Directory Site in Sites and Services. Recently, our Network administrator created new sites and hadn't added our subnets into Sites and services, so i think this was causing an issue trying to contact the DP. Thanks for your help.

I'm hoping this should be a fairly easy one for someone to help with. When my task sequence finishes and OS is installed, i see the folder C:\Users\ADMINI~1 What is this folder used for? I set the administrator account to active and set a password in my task sequence and it works fine, so is this folder just something used by SCCM? I saw this article https://social.technet.microsoft.com/Forums/en-US/d4a29c47-0d1f-4069-8160-e0b8c10f296f/cusersadmini1?forum=configmanagerosd but, my logs are definitely in the location C:\Windows\CCM\Logs, so i don't think it's that the logs are trying to be copied somewhere else. It is confusing, because our task sequence is very basic, we really aren't doing very much customisation at all in it. We have a captured WIM and apply licence key and administrator password and not very much else.

This is now Solved.

Solved. We only ever had one Active Directory Site in Sites and Services. Recently, our Network administrator created new sites and hadn't added our subnets into Sites and services, so i think this was causing an issue trying to contact the DP.

My task sequence fails with - "this task sequence cannot run because the program files for 00100002 cannot be located on a distribution point" (00100002 is config manager client). Does anyone have any idea why? I notice that my client package says 0 programs and has DEPLOY greyed out, so cant be deployed. Has anyone seen this before? the 'version' field is also blank