Monday, January 7, 2013

Conficker GPO Policy Causing Management Point Installation Failed

Recently I encountered an error during an SCCM 2012 deployment. Everything looked good at the start of the installation, but the management point failed to install at the end of the installation.


The SMS_MP_CONTROL_MANAGER was reporting that:

“MP Control Manager detected MPsetup has failed to create the CCM_Incoming Virtual Directory.

Possible cause: The IIS IWAM account has expired, been disabled, or has invalid or too restrictive logon hours. You may verify this information by running the net user command line for the IWAM account. (i.e.: "net user IWAMMachineName)

Solution: Use the output to verify that the account is enabled, and logon is possible during the time of installation. Note: You can use "net user" to modify the account properties.
Possible cause: The IIS IUSR account has expired, been disabled, or has invalid or too restrictive logon hours. You may verify this information by running the net user command line for the IUSR account. (i.e.: "net user IWAMMachineName)

Solution: Use the output to verify that the account is enabled, and logon is possible during the time of installation. Note: You can use "net user" to modify the account properties.
Possible cause: The designated Web Site is disabled in IIS.

Solution: Verify that the designated Web Site is enabled, and functioning properly”.

Therefore, I followed the suggested solution and had the Web IIS checked. I also had the Web IIS removed and then reinstalled, but the MP installation still failed.

I searched around the internet and some say that this issue happened with SCCM 2007 and might be caused by the Conficker Policy. I did a quick check on the SCCM server and I found that the Conficker Policy GPO was applied. The Conficker Policy removed the Full Control permission of the SYSTEM account and the Administrators account for the SVCHOST registry key and the %windir%\Tasks folder.

I asked the AD administrator to block the Conficker Policy GPO and then I manually changed the settings back to the default permissions. I restarted the SCCM server to kick-start the installation instead of waiting for the 60-minute interval. The MP is now installed and running.
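
The permission check described above can be scripted. The following is an added example, not part of the original post or of any Microsoft tooling; it assumes the "SVCHOST registry key" is the one named in KB962007 (`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost`), and the function name `Test-FullControl` is hypothetical. Run it from an elevated PowerShell prompt on the site server.

```powershell
# Report whether SYSTEM and Administrators hold effective Full Control on the
# two locations the Conficker GPO restricts (read-only check, changes nothing).
$targets = @(
    # Assumption: registry path taken from KB962007, not from the post itself
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'; Kind = 'Registry' },
    @{ Path = (Join-Path $env:windir 'Tasks'); Kind = 'File' }
)
# Well-known SIDs, so the check also works on non-English Windows builds
$principals = @{
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
}

function Test-FullControl {
    param([string]$Path, [string]$Kind, [string]$Sid)
    if ($Kind -eq 'Registry') {
        $prop = 'RegistryRights'
        $full = [System.Security.AccessControl.RegistryRights]::FullControl
    } else {
        $prop = 'FileSystemRights'
        $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Explicit and inherited ACEs for this SID; inherit-only ACEs apply to
    # children only, so they do not grant anything on the object itself.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $Sid -and
                       -not ($_.PropagationFlags -band $inheritOnly) }
    $allow = $rules | Where-Object { $_.AccessControlType -eq 'Allow' -and
                                     (($_.$prop -band $full) -eq $full) }
    $deny  = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }
    # Full Control counts only if it is allowed and no Deny ACE targets the SID
    [bool]$allow -and -not $deny
}

foreach ($t in $targets) {
    if (-not (Test-Path -Path $t.Path)) {
        Write-Warning "Not found: $($t.Path)"
        continue
    }
    foreach ($sid in $principals.Keys) {
        [pscustomobject]@{
            Path        = $t.Path
            Principal   = $principals[$sid]
            FullControl = Test-FullControl -Path $t.Path -Kind $t.Kind -Sid $sid
        }
    }
}
```

Any row showing `FullControl = False` points to the restricted permissions; running `gpresult /r` on the same server shows which GPOs are currently applied.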

References:
http://social.technet.microsoft.com/Forums/en-IE/configmgrsetup/thread/4f5aed8c-fb89-4558-9557-2f7fbf5b07e4
http://support.microsoft.com/kb/962007
