ConfigMgr 2012 Application Installation Failures

Patch My Pc | install & update thousands of apps

I’ve seen this as an issue now a few times now in my lab and production environments as well as on the forums. In brief, this specific issue is an access denied (hresult of 0x80070005) when downloading the application content and is clearly denoted in either smsts.log (if the application install is during a task sequence) or CAS.log.

This only happens on client systems in untrusted domains (note that workgroups are essentially untrusted domains); for task sequences, this is of course the case during a build and capture.

So what’s the fix? A simple hotfix as described in KB2522623 and titled “InitializeSecurityContext function might not fall back to NTLM authentication in Windows 7 or in Windows Server 2008 R2 when Kerberos fails and has the STATUS_NO_LOGON_SERVERS status”.

For a build and capture task sequence, simply put the hotfix msu into a “classic” package and use a Software Install task followed by a reboot task before you try to deploy any applications.

Software Install Task for Hotfix

This isn’t a cure all for any woes you may be having deploying applications in ConfigMgr 2012, but it does fix this specific access denied issue when downloading application content on Windows 7 SP1 client systems in an untrusted domain.

On a different, but similar note, for build and capture task sequences, you should also be specifying the SMSMP public property in the Setup Windows and ConfigMgr task so that the the MP can be found. During a build and capture, the client is in a workgroup and thus has no way to locate the MP which is needed for Application installs as well as Software Updates during the task sequence.

Specify SMSMP in the Task Sequence

10 thoughts on “ConfigMgr 2012 Application Installation Failures

  1. According to the name of the Hotifix file it seems to be for x86 machines, does it also work for x64 machines?

    1. When you go to the hotfix download request page, make sure you select the link that says “Show hotfixes for all platforms and languages”. By default, the page only shows hotfixes that match the OS and architecture of the system you are browsing on. Pressing this link will reveal all of the available OSes and architectures for the hotfix.

  2. I will test this recomendations….

    But if it is real reason then I can`t understand why first 3 packages/Applications are sucessfully installed.

    1. Hi Arnis
      Did you get this fixed?
      We have the exact same problem with the first apps installing correctly and then the successors fails..

      1. Sorry Thomas,

        Not sure what you are referring to. This post about is about an issue with Windows 7 itself and contains information on how to apply the update to Windows 7 during OSD in ConfigMgr. Is this what you are referring to or something else?

        J

  3. This worked brilliantly. I was unsuccessful at installing the Hotfix during the Task Sequence, but applying the Hotfix with Dism did the job. I can’t believe how hard it was to find that this was the problem I had.

    Why doesn’t everyone (who wants to Build and Capture with Applications on a Windows 7 WIM) have the same problem? If enough people have this same problem, why isn’t it spelled out in all the best practices to apply this hotfix. I have the feeling my environment has specific properties that make this Hotfix necessary.

    Does anyone know WHY I need this hotfix?

    1. Ultimately, this is a bug in Windows 7 and really has nothing to do with ConfigMgr itself; ConfigMgr is just affected by it in these somewhat fringe scenarios. The KB does a pretty good of explaining what’s going on or really, in this case, what’s not going on. The clients try to use Kerberos (to authenticate and use the network access account while acquiring content) but can’t because the systems aren’t part of the domain and then Win 7 fails to fall back to NTLM so the content download fails completely.

  4. Hi,
    I am getting same error with 2012 R2 servers which are at workgroup. I have a patch KB2522623 / KB 2533623 for 2008 and 2008 R2 only. Is there any hotfix released from Microsoft for 2012 R2 servers which are getting this errors

    1. You are most likely having a different issue then. I’d suggest posting on Reddit or the TechNet forums (including complete details and the complete and relevant smsts.log snippet).

Leave a Reply

Your email address will not be published. Required fields are marked *

9  +  1  =  

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.