ConfigManager unable to perform OSD that starts from Software Center, on machine with TPM, using HTTPS

MD5Hash 151 Reputation points
2022-03-23T20:04:56.397+00:00

We are using ConfigManager 2111. Ever since updating to this version, we have not been able to do any OSD deployments that are started via Required or Available collections, from Software Center. OSDs performed via PXE boot or other methods outside of Windows environment continue to work fine - but this is not appropriate to image hundreds of computers in our computer labs.

It seems like in testing, the issue stems from the fact that a) all of our computers use TPM, and b) we are using HTTPS. Computers without TPM chips (of which we have only one, for testing) work fine.

Basically here's what happens:

  1. Start the OSD task sequence from Software Center.
  2. The computer reboots to Windows PE and begins the task sequence, downloads the WIM, applies the WIM, etc.
  3. The computer reboots to the new install of Windows and runs the Setup Config Manager Client task - no obvious failures, but then:
  4. The computer reboots to Windows again, and the computer is just how it was when we captured the WIM to use.

At this point, the SCCM client is not installed, so none of the other Tasks in the Task Sequence have been done - no other software in the Application Install tasks, not joined domain, etc etc.

Looking at the smsts.log file in c:\windows\temp near the bottom, the following errors are present in lines 58 and 60. The installation of the client fails soon afterward.

This issue has been present for months with no hotfix from Microsoft in sight. We would rather not revert our site to an earlier version of ConfigManager.

Can we get a fix for this problem, or ideas on how it can be fixed? Thank you.

==============================[ OSDSetupHook.exe ]==============================
Logging successfully initialized to C:\_SMSTaskSequence\Logs
Running module version 5.0.9049.1001 from location 'C:\WINDOWS\system32\OSDSETUPHOOK.EXE'
Clients is not joined to a domain.
Executing task sequence
Loading the Task Sequencing Environment from "C:\_SMSTaskSequence\TSEnv.dat".
Creating key 'Software\Microsoft\SMS\47006C006F00620061006C005C007B00350031004100300031003600420036002D0046003000440045002D0034003700350032002D0042003900370043002D003500340045003600460033003800360041003900310032007D00'
Environment scope successfully created: Global\{51A016B6-F0DE-4752-B97C-54E6F386A912}
Creating key 'Software\Microsoft\SMS\47006C006F00620061006C005C007B00420041003300410033003900300030002D0043004100360044002D0034006100630031002D0038004300320038002D003500300037003300410046004300320032004200300033007D00'
Environment scope successfully created: Global\{BA3A3900-CA6D-4ac1-8C28-5073AFC22B03}
Reading logging settings from Task Sequence environment to set Task Sequence logging.
Setting LogEnabled to 1
Setting LogMaxSize to 5242880
Setting LogMaxHistory to 3
Setting LogLevel to 0
Setting LogDebug to 1
Saving existing desktop wallpaper settings.
Setting desktop wallpaper.
Configuring local administrator account
Enabling local administrator account
Re-assign all drive letters...
bIsMBR, HRESULT=00000000 (..\diskutils.cpp,2048)
This program is not running on MBR disk. No need to re-assign drive letters.
Installing SMS client
Setting variable to indicate client installation attempted
Clearing existing client configuration.
Cleaning existing client certificates from SMS certificate store
Restoring SMS client identity.
::DecompressBuffer(65536)
Decompression (zlib) succeeded: original size 2345, uncompressed size 7732.
hTempCertStore != NULL, HRESULT=80092002 (..\installclient.cpp,212)
Could not import certificate to temporary store (0x80092002)
Failed to restore client certificates. Code 0x80092002.
RestoreCertificateStore( hSmsCertStore, sEncodedSMSCert, sClientGuid ), HRESULT=80092002 (..\installclient.cpp,341)
Failed to restore SMS client identity. Code 0x80092002.
RestoreClientIdentity(), HRESULT=80092002 (..\installclient.cpp,964)
   Setting URL = https://Mendez.privatedomain.com, Ports = 80,443, CRL = false
   Setting Server Certificates.
   Setting Authenticator.
::DecompressBuffer(65536)
Decompression (zlib) succeeded: original size 2345, uncompressed size 7732.
   Setting Client Certificate.
Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. . 
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. . 
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
CreateTemporaryCertificateContextFromPfx(pbPfxBlob, pbPfxBlobSize, psPfxPasswd, &m_hClientCertStore, &pCertContext, szOID), HRESULT=80092002 (..\libsmsmessaging.cpp,9010)
mtHttpTransport.SetClientCertificateContext( clientCertBuffer.getBuffer(), clientCertBuffer.size(), sClientId, g_szSMSSigningCertOID), HRESULT=80092002 (..\utils.cpp,7864)
PrepareTransport() failed. 0x80092002.
PrepareTransport(mtHttpTransport), HRESULT=80092002 (..\utils.cpp,7948)
Non fatal error 0x80092002 in sending task sequence execution status message to Management Point
   Setting URL = https://Mendez.privatedomain.com, Ports = 80,443, CRL = false
   Setting Server Certificates.
   Setting Authenticator.
::DecompressBuffer(65536)
Decompression (zlib) succeeded: original size 2345, uncompressed size 7732.
   Setting Client Certificate.
Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. . 
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. . 
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
CreateTemporaryCertificateContextFromPfx(pbPfxBlob, pbPfxBlobSize, psPfxPasswd, &m_hClientCertStore, &pCertContext, szOID), HRESULT=80092002 (..\libsmsmessaging.cpp,9010)
mtHttpTransport.SetClientCertificateContext( clientCertBuffer.getBuffer(), clientCertBuffer.size(), sClientId, g_szSMSSigningCertOID), HRESULT=80092002 (..\utils.cpp,7864)
PrepareTransport() failed. 0x80092002.
PrepareTransport(mtHttpTransport), HRESULT=80092002 (..\utils.cpp,7948)
Non fatal error 0x80092002 in sending task sequence execution status message to Management Point
InstallSMSClient(loadDir, dwResult), HRESULT=80092002 (..\basesetuphook.cpp,1543)
Failed to install SMS Client (0x80092002)
Restoring original desktop wallpaper.
Uninstalling Setup Hook
Removing setup hook from registry.
Successfully removed C:\WINDOWS\system32\OSDGINA.DLL
Could not delete the file C:\WINDOWS\system32\OSDSETUPHOOK.EXE. Error code 5
Marking the file C:\WINDOWS\system32\OSDSETUPHOOK.EXE for deletion on Reboot
Successfully removed C:\WINDOWS\system32\OSDSETUPHOOK.EXE
Successfully removed C:\WINDOWS\system32\_SMSOSDSetup
::RegOpenKeyExW (HKEY_LOCAL_MACHINE, sKey.c_str(), 0, KEY_READ, &hSubKey), HRESULT=80070002 (..\utils.cpp,1105)
RegOpenKeyExW is unsuccessful for Software\Microsoft\SMS\Task Sequence
GetTsRegValue() is unsuccessful. 0x80070002.
End program: 
Finalizing logging from process 5496
Successfully finalized logs to SMS client log directory from C:\WINDOWS\TEMP
Cleaning up task sequencing logging configuration.
Cleaning up task sequence folder
Deleting volume ID file C:\_SMSTSVolumeID.7159644d-f741-45d5-ab29-0ad8aa4771ca ...
this->run( bReboot ), HRESULT=80092002 (..\vistasetuphook.cpp,223)
pHook->execute(), HRESULT=80092002 (..\osdsetuphook.cpp,399)
Failed to execute task sequence (0x80092002)
  1. Simon Ren-MSFT 30,116 Reputation points Microsoft Vendor
    2022-03-28T02:47:27.463+00:00

    Hi @MD5Hash ,

    Thanks very much for your feedback. We're glad that the question is solved now. It's appreciated that you could click "Accept Answer" to the helpful reply, this will help other users to search for useful information more quickly. Here's a short summary for the problem.

    Problem/Symptom:
    Computers with TPM fail to install the client agent and run post tasks with the error 80092002 in ConfigManager version 2111 with HTTPS mode, while computers without TPM work fine.

    Solution/Workaround:
    Do an "Update Distribution Points" to upgrade the ConfigManager client from version 2103 (build number 5.00.9049) to version 2111 (build number 5.00.9068).

    Thanks again for your time! Have a nice day!

    Best regards,
    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

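As an added illustration (not part of the thread, and not a ConfigManager tool), a small Python triage script run over lines modelled on the smsts.log excerpt in the question: it pulls out each instrumented failure with its HRESULT and source location, names 0x80092002 (CRYPT_E_BAD_ENCODE, the certificate encode/decode error in the log), and flags that OSDSetupHook ran from the 5.0.9049 build rather than the 2111 client build (5.00.9068) named in this answer. The sample log text and the build threshold are constructed from what this page states.

```python
import re

# Constructed excerpt modelled on the smsts.log lines quoted in the question.
SAMPLE_LOG = r"""Running module version 5.0.9049.1001 from location 'C:\WINDOWS\system32\OSDSETUPHOOK.EXE'
Installing SMS client
hTempCertStore != NULL, HRESULT=80092002 (..\installclient.cpp,212)
Could not import certificate to temporary store (0x80092002)
Failed to restore client certificates. Code 0x80092002.
RestoreClientIdentity(), HRESULT=80092002 (..\installclient.cpp,964)
GetTsRegValue() is unsuccessful. 0x80070002.
Failed to execute task sequence (0x80092002)
"""

# Well-known HRESULT names for the codes seen in this log.
HRESULT_NAMES = {
    0x80092002: "CRYPT_E_BAD_ENCODE (encode/decode error on the client certificate blob)",
    0x80070002: "ERROR_FILE_NOT_FOUND",
}
# Client build that the accepted answer says fixes the issue (2111 ships 5.00.9068).
MIN_GOOD_BUILD = (5, 0, 9068)

# smsts.log instruments failed calls as "<call>, HRESULT=<hex> (<source>,<line>)".
HRESULT_RE = re.compile(r"^(?P<call>.+?), HRESULT=(?P<hr>[0-9A-Fa-f]{8}) \((?P<src>[^,]+),(?P<line>\d+)\)")
VERSION_RE = re.compile(r"Running module version (\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_failures(log_text):
    """Return (call, hresult, source_file, line) for every instrumented failure, in log order."""
    failures = []
    for line in log_text.splitlines():
        m = HRESULT_RE.match(line)
        if m:
            failures.append((m["call"], int(m["hr"], 16), m["src"], int(m["line"])))
    return failures


def module_version(log_text):
    """Version of the module that wrote the log (OSDSetupHook here), or None if absent."""
    m = VERSION_RE.search(log_text)
    return tuple(int(x) for x in m.groups()) if m else None


def triage(log_text):
    """Summarise the first failing call, its HRESULT name, and whether the hook came from an old client build."""
    failures = parse_failures(log_text)
    ver = module_version(log_text)
    first = failures[0] if failures else None
    return {
        "first_failure": first,
        "root_hresult": HRESULT_NAMES.get(first[1], "unknown") if first else None,
        "module_version": ver,
        "old_client_package": ver is not None and ver[:3] < MIN_GOOD_BUILD,
    }
```

The first instrumented failure (the temporary certificate store import in installclient.cpp) is the one to chase; every later 0x80092002 in the log is the same error propagating up the call chain.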

  2. Simon Ren-MSFT 30,116 Reputation points Microsoft Vendor
    2022-03-24T10:53:24.677+00:00

    Hi,

    Thanks for posting in Microsoft MECM Q&A forum.

    I found a similar thread for your reference. You can try the workaround.

    Add the following command as a Run Command Line task before the Pre-provision BitLocker task to fix the issue:
    reg.exe add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 2 /f

    Similar thread for your reference:
    Windows ADK for Windows 11 breaks Bitlocker in WinPE with some models (MECM/SCCM)
    TPM Group Policy settings

    Hope it helps. Thanks for your time.

    Best regards,
    Simon




  3. MD5Hash 151 Reputation points
    2022-03-24T21:07:53.947+00:00

    Hi Simon - thanks for the reply. I looked in my original smsts.log from yesterday and we were never having errors in provisioning BitLocker, but since you requested it, I followed your instructions exactly:

    ================================[ smsswd.exe ]================================
    Running module version 5.0.9049.1035 from location 'X:\sms\bin\x64\smsswd.exe'
    PackageID = ''
    BaseVar = '', ContinueOnError=''
    ProgramName is being logged ('OSDDoNotLogCommand' is not set to 'True')
    ProgramName = 'reg.exe add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 2 /f'
    SwdAction = '0001'
    Will run Command Line under SYSTEM account
    Command line for extension .exe is "%1" %*
    Set command line: Run command line
    Working dir 'not set'
    Executing command line: Run command line with options (0, 4)
    Process completed with exit code 0
    The operation completed successfully.
    
    Command line is being logged ('OSDDoNotLogCommand' is not set to 'True')
    Command line reg.exe add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 2 /f returned 0
    Process completed with exit code 0
    

    As you can see, it exited successfully.

    However, the task sequence fails in the exact same way during the OSDSetupHook.exe stage. Snippets from that part of the log are identical:

    Could not import certificate to temporary store (0x80092002)
    Failed to restore client certificates. Code 0x80092002.
    Failed to restore SMS client identity. Code 0x80092002.
    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
    An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
    Failed to install SMS Client (0x80092002)
    Failed to execute task sequence (0x80092002)

    Any thoughts on what to do next?


  4. Simon Ren-MSFT 30,116 Reputation points Microsoft Vendor
    2022-03-25T08:39:55.377+00:00

    Hi,

    Thanks for your reply.

    Maybe it is caused by a functionality change in Configuration Manager 2107 to harden the self-signed client certificates and anchor them in the hardware-based TPM certificate store (if available), fronted by the KSP. Editing the registry value changes this. Please try the method in the similar threads:

    SCCM 2107 Certificate issues since upgrade.
    Certificate issue since 2107
    Please note: The links are not from Microsoft, just for your reference. Thanks for your time.

    Best regards,
    Simon




  5. MD5Hash 151 Reputation points
    2022-03-25T14:28:21.803+00:00

    Hi @Simon Ren-MSFT - yes, we saw that post on Reddit months ago. We used that one first, but it made no difference either. Exact same error. I just disabled it in this screenshot after applying your new reg add, which I named "workaround: tpm ownership fix".


    It would be nice to hear from ConfigManager development whether they are experiencing this same failure to do OSDs from within Windows when using TPM + HTTPS. I am shocked that this problem made it through testing. Everything worked perfectly before 2107; yes, 2111 continued to have the issue.

    Looking at my screenshot, are those registry changes located in the right order in the task sequence? Please let me know if the developers believe we must have BOTH these registry hacks in place in order to be able to successfully OSD.

    And is there an expected long-term fix for this or is it going to be unofficial registry hacks for ConfigManager from now on?
