Monthly Archives: April 2011

Error 0x80092026 during Windows Updates

This error came up when we were trying to send out an update package to our Windows XP machines.  Microsoft has a couple of pages that describe what you can troubleshoot to fix this issue:

http://support.microsoft.com/kb/555374
http://support.microsoft.com/?kbid=822798

None of the suggestions worked for us.  Since our environment is locked down via draconian Group Policy Objects, I thought that would be a logical place to continue troubleshooting.  After slumming around a bit, I discovered that under Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies/Certificate Path Validation Settings/Trusted Publishers, the setting “Trusted Publishers can be managed by:” was set to “All administrators only”.  This has to be set to “All administrators and users” for Windows Update (SCCM, SMS) to work properly.

Don’t say I never helped you out…

PKI certificate autoenrollment fails on Windows 7

Today is a blogging double-feature!  If your network has any type of security hardening (e.g. FDCC, DISA STIG, etc.) you may end up in a situation where your Windows 7 and 2008 R2 machines are not autoenrolling for PKI certificates from your internal enterprise CA.  We found that the following two settings must be enabled in policy:

1. NETWORK SERVICE must be given the “Access this computer from network” user right.  This allows the machine to enroll certificates.
2. The “Task Scheduler” service on the target machine must not be disabled.  The Certificate Services Client uses this service to autoenroll PKI certs.
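
A quick way to check both prerequisites on an affected machine, as an added example that is not from the original post. It assumes an elevated Windows PowerShell prompt; the scratch file name is made up for the example, `S-1-5-20` is the well-known SID of NETWORK SERVICE, and `Schedule` is the service name of Task Scheduler. It looks only for an explicit NETWORK SERVICE entry and lists the other holders of the right so group-based grants can be judged by eye.

```powershell
# Added example: check the two autoenrollment prerequisites on the local machine.
# Run elevated; secedit needs administrator rights to export security settings.

$networkServiceSid = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE

# 1. Export the user-rights assignments and read SeNetworkLogonRight,
#    the internal name of "Access this computer from the network".
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # scratch file (name chosen for this example)
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

$line = Get-Content $cfg |
    Where-Object { $_ -match '^\s*SeNetworkLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries look like "*S-1-5-32-544,*S-1-5-11"; strip the leading '*' from each SID.
$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ })
}
$hasRight = $holders -contains $networkServiceSid

# 2. Task Scheduler must not be disabled. Get-WmiObject is used because it is
#    available in the Windows PowerShell 2.0 that ships with Windows 7 / 2008 R2.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='Schedule'"
$schedulerOk = ($null -ne $svc) -and ($svc.StartMode -ne 'Disabled')

# Summary object: both *Ok/*Explicit fields should be True on a working machine,
# unless the right is granted to NETWORK SERVICE through a group listed in Holders.
New-Object PSObject -Property @{
    NetworkServiceExplicit = $hasRight
    NetworkLogonHolders    = ($holders -join ', ')
    TaskSchedulerStartMode = $(if ($svc) { $svc.StartMode } else { 'not found' })
    TaskSchedulerOk        = $schedulerOk
} | Format-List
```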

WinPE SCCM boot image or OSD task sequence failure due to bad NIC driver

Have you experienced a problem loading network drivers into your Windows PE boot image on SCCM, or does your SCCM OSD task fail partway during OS install?  Well, read on!

If you get an error like “Failed to inject a Config Mgr driver into the mounted WIM” or an 0x80070040 “Access Denied” during OSD installation, the cause is that WinPE needs monolithic NIC drivers.  You can verify this by pressing F8 to pull up a command prompt in WinPE (if enabled) and running ipconfig or a ping check.  You won’t be able to contact any other machines and/or you’ll have been assigned a link-local address.  For possible fixes, see: http://blogs.technet.com/b/configurationmgr/archive/2010/02/09/nic-devices-that-require-a-special-driver-for-winpe-may-cause-a-configmgr-task-sequence-to-fail-if-a-vista-or-newer-os-is-being-deployed-via-an-operating-system-install-package.aspx

Note that if you load a multi-tiered driver at ANY TIME during the OS install before the machine does its first reboot, that driver will take over and cause the connection to fail.  To work around this, create two driver packages: one without the NIC driver, which is applied during the WinPE phase, and another with the NIC driver only, which is applied after the reboot.