CVAD-While Installing the Citrix components (Delivery Controller, Storefront,License )/, it prompts for reboot. Error “You must restart the machine before continuing ” “

– On the DDC VM, run the below steps to identify the pending reboot registry.

-1. Open an elevated PowerSell session.

2. Install-Module PendingReboot ( Internet access required on DDC machine )

3 . Set-ExecutionPolicy -ExecutionPolicy “Unrestricted”)

4. Import-Module PendingReboot

5. Test-PendingReboot -detailed

6 – Delete the registry key mentioned in the Powershell output.

7- Now the DDC, can be upgraded without restart prompt.

Related:

  • No Related Posts

Random machines will remain Off after a Restart Schedule is completed

MaxShutdownDelayMin is defaulted to a value of 10 minutes.

Inspecting Event Viewer and CDF traces captured from the DDC, you will notice the powered off machine has exceeded the shutdown timeout period:

Worker(SID) failed to reboot/shutdown within allowed time

Related:

Debugging Layer Integrity Problems in Citrix App Layering 4.x and later

In V4, when you’re ready to shutdown and finalize a layer, you run the Shutdown for Finalize icon on the desktop (As Administrator). It makes a call to uniservice.exe to get the current Layer Integrity state. Uniservice is tracking all the same things it always has for Layer Integrity: NGEN or MSCORLIB is still running, a reboot is pending, a domain operation is still pending, or a RunOnce script is still waiting.

Shutdown for Finalize is checking to see if anything is still pending that should happen in the layer rather than happen in the image later. If something is, it does not shut down, and instead puts up a statement about the pending issue. Fix the issue (for instance, reboot) and try again. It also writes this information into two log files:

C:Program FilesUnideskUniserviceLogLayerIntegrity.txt

C:Program FilesUnideskUniserviceLogUniBilcLogs_X.txt

You can’t know exactly which UniBilcLogs file it’s using, so look for the one with the latest timestamp. That will be for the current boot. Search for “Integrity”.

You might think you could bypass the Layer Integrity check by just shutting down the machine normally and finalizing that. But if you try, you will find the ELM will stop the task and return you to the Packaging Machine, because it knows that the Layer Integrity Checks either failed or never ran. You must successfully run that Shutdown for Finalize script to finalize a layer.

The registry key, noted at the end of this article, to bypass or ignore integrity problems still works, and you should be just as reluctant to use it as ever. But it’s still a valid way to give up and bypass it.

There are 7 Layer Integrity warnings you can see:

“a RunOnce script is outstanding – please check and reboot the Packaging Machine”

“a post-installation reboot is pending – please check and reboot the Packaging Machine”

“a Microsoft NGen operation is in progress in the background {0}”

“an MSI install operation is in progress – please check the Packaging Machine”

“a reboot is pending to update drivers on the boot disk – please check and reboot the Packaging Machine”

“a Microsoft NGen operation is needed”

“Software Center Client is configured to run, but the SMSCFG.INI is still present. See https://social.technet.microsoft.com/wiki/contents/articles/23923.implementing-sccm-in-a-xendesktop-vdi-environment.aspx”

“A RunOnce script is outstanding” is telling you that there is a key in either of these two locations:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce

HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoftWindowsCurrentVersionRunOnce

Windows normally deletes those keys on reboot, but we have seen circumstances (especially with our own script, envsetup.cmd) where that doesn’t happen. You can manually run the referenced script and delete the key, or just delete the key if the script file no longer exists.

“A post-installation reboot is pending” is looking at six different registry keys. Your first course of action should be to reboot, more than once(in some cases it has taken 3+ reboots), just to make sure that it isn’t a real reboot being requested by some software. It may also be helpful, if the problem is NetLogon, to restart the Unidesk Service for Message Management.

First we check for the existence of any of these three:

HKLMSystemCurrentControlSetControlSession ManagerPendingFileRenameOperations

HKLMSOFTWAREMicrosoftWindowsCurrentVersionComponent Based ServicingRebootPending

HKLMSOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateAuto UpdateRebootRequired

You can manually modify any of these to suit your needs, including just deleting them.

Then we look for changes in the NetLogon key (if the current value is now different from what it was at bootup), and to see if the computer name doesn’t match the active computer name. This is how we determine that a domain-join operation is still waiting for a reboot.

HKLMSYSTEMCURRENTCONTROLSETSERVICESNETLOGONStart

HKLMSYSTEMCURRENTCONTROLSETCONTROLCOMPUTERNAMEACTIVECOMPUTERNAME

HKLMSYSTEMCURRENTCONTROLSETCONTROLCOMPUTERNAMECOMPUTERNAME

Generally you cannot modify these. I’ve seen some software modify the NETLOGONStart key on every reboot, so maybe that’s happening. If, after cleaning out the top three, you still get the prompt on reboot, you will need to use the flag to ignore layer integrity checks.

“A Microsoft NGen operation is in progress in the background” is telling you that a foreground or background NGEN operation (where .Net assemblies are compiled into native images) is still in progress. Generally this is simply true: the ngen rebuild is still running. To watch it in the foreground, run “ngen update /force”. Or you can wait it out, and run “ngen queue status” periodically to see how it’s doing, but that will slow it down because the background process pauses every time you check its status in the foreground. Don’t reboot or you might cause it to have to start over.

It’s important to let NGEN finish. If you kill the process or reboot in the middle, you might wind up with partially written .Net assemblies that crash programs when they show up in an image. You should be patient. However, sometimes we have seen background MSCORSVW.EXE processes, clearly doing nothing, that just don’t finish even after hours. A reboot might help those.

We are looking for the following services in the running process: ngen.exe, ngentask.exe, mscorsvw.exe.

“An MSI install operation is in progress” is very specific: it is saying that a system mutex (mutual exclusion object) named precisely Global_MSIExecute exists. The MSI installer uses that to ensure that only one installer can run at a time. I don’t know of anything you can do about this manually, if you are certain that no MSI installations are happening.

(Note, there was in App Layering 4.2 a bug with upgrading an existing Windows 10 layer from 1611 to 1703 where this flag could be set and not cleared.)

“A reboot is pending to update drivers on the boot disk” is telling you that a service or driver that is set to start at system boot time (the START= value in the registry is 0) was modified or installed, and App Layering wants to make sure the modified driver can boot successfully. Normally you just need to reboot once, and the driver will work fine. We have on some occasions seen software (like Microsoft Defender) attempt to modify its driver file on every single boot, triggering this integrity check every time, so no number of reboots is sufficient to clear it.

“a Microsoft NGen operation is needed” is telling you that an application was installed on the packaging machine and that it scheduled items to be updated at a priority level of 3. That means that the ngen will run when idle and that it is simply waiting until there is no more activity. We are blocking because the ngen needs to create the binaries now instead of on every machine that the application will be deployed to in order to ensure that the application will run in the most optimal way. You should run an ngen eqi 3 in both the c:windowsmicrosoft.netframeworkv4.0.30319 directory and the c:windowsmicrosoft.netframework64v4.0.30319 dirctory to have the ngen complete the operations that are needed. You can also wait, as the ngen will typically pick up and run on its own after 15 minutes of idle time.

The values that is being examined are HKLMSOFTWAREMicrosoft.NETFrameworkv2.0.50727NGenServiceRootsWorkPending and HKLMSOFTWAREWOW6432NodeMicrosoft.NETFrameworkv2.0.50727NGenServiceRootsWorkPending. A value of 1 means that there are work items queued up to be processed.

“Software Center Client is configured to run, but the SMSCFG.INI is still present….” is telling you that we have seen that this machine has ccmexec.exe configured as a service and that it is not configured as disabled. Since we know that any layers created on a packaging machine need to be sealed properly in order to deploy correctly in a VDI environment, we are checking to make sure the SMSCFG.ini is not present. See the web page indicated to get an understanding of why the software center client needs to be sealed. We have provided the commands to run in a batch command file that you can use to seal the layer (run c:windowssetupscriptsSEALSCCMCLIENT.cmd for an administrator command window).

If you have a layer that simply won’t ever get to finalize, for whatever reason (like it always thinks it still has a reboot pending, or you don’t care about corrupted .NET assemblies and don’t want to wait for NGEN to finish), you can tell that single layer to ignore its layer integrity checks and allow you tin shutdown to finalize, using a registry key.

Run regedit.exe and create this key

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesUniservice:]

“BypassLayerCheck”=DWORD 1

The value doesn’t matter, all that matters is that the value exists. This will block all layer integrity checks and allow a layer to be finalized regardless as to how bad we think it might be.

Please do not use this key except as a last resort. We block you from finalizing in these 4 circumstances specifically because we believe allowing you to finalize will irreparably harm the layer and/or the image you publish with it. Always try to solve the problem within Windows first.

Related:

Citrix Cloud Connector servers are in reboot loop after new update was pushed


There are some locations on operating system where it stores flag for pending reboot:

Look for presence of ‘PendingFileRenameOperations‘ inside following key:

HKLM:SYSTEMCurrentControlSetControlSession Manager

Look for presence of key ‘RebootPending‘ as below:

HKLM:SoftwareMicrosoftWindowsCurrentVersionComponent Based ServicingRebootPending

Look for presence of key ‘RebootRequired‘ as below:

HKLM:SOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateAuto UpdateRebootRequired

Most of these flags will be cleared with first reboot of operating system.

But in some special cases, ‘PendingFileRenameOperations‘ would continue to remain inside HKLM:SYSTEMCurrentControlSetControlSession Manager even after reboot.

The value ‘PendingFileRenameOperations‘ stores the names of files that the operating system will rename when it restarts. The key consists of pairs of file names. The operating system renames the file in the first item of the pair to match the second item of the pair.

In such cases, we should check for the value data of ‘PendingFileRenameOperations‘ from registry to identify the files that are pending for rename. Once we know the application responsible for those files (mostly a 3rd party application), follow below steps:

  1. Disable ‘Citrix Cloud Services Agent WatchDog’ to stop the reboot loop temporarily.
  2. Disable the identified applications service(s) OR uninstall the application completely.
  3. Delete ‘PendingFileRenameOperations’ from HKLM:SYSTEMCurrentControlSetControlSession Manager
  4. Reboot the service manually and confirm ‘PendingFileRenameOperations’ doesn’t appear any more inside HKLM:SYSTEMCurrentControlSetControlSession Manager
  5. Enable ‘Citrix Cloud Services Agent WatchDog’ to automatic and start the service.

The pending connector update will begin in few minutes and run a health check from console after the upgrade to ensure it is healthy.

Related:

Machines enter BSOD on upgrade from 14.2.3357.1000 to 14.2 RU2 (14.2.5323.1000)

I need a solution

Hi

We recently upgraded our Sepm managers to 14.2 ru2 (no issues) and have started upgrading our clients now.

it has come to our notice that few of our clients end in BSOD post reboot and this is a show stopper .We have submitted the memory dump to Symantec support and the response we got is that it was because of AC definitions (which were btw latest defs in the clients which failed) and that the issue is occurring in some “win10” machines during reboot due to the sysplant.driver.

this information doesn’t really help .we need to upgrade our clients at the earliest and disabling adc is not an option as we need it .Further fresh installation causes no issues in the same machines which landed in bsod during upgrade .however this cannot be followed for all our clients.

Any suggestions / solutions ?

Ps: we do have machines which upgraded successfully( running with the same Os/build config as the ones which resulted in Bsod …so this rules out that it may be related to config or build of Os)

0

1580829392

Related:

Debugging Layer Integrity Problems in Citrix App Layering 4.x

In V4, when you’re ready to shutdown and finalize a layer, you run the Shutdown for Finalize icon on the desktop (As Administrator). It makes a call to uniservice.exe to get the current Layer Integrity state. Uniservice is tracking all the same things it always has for Layer Integrity: NGEN or MSCORLIB is still running, a reboot is pending, a domain operation is still pending, or a RunOnce script is still waiting.

Shutdown for Finalize is checking to see if anything is still pending that should happen in the layer rather than happen in the image later. If something is, it does not shut down, and instead puts up a statement about the pending issue. Fix the issue (for instance, reboot) and try again. It also writes this information into two log files:

C:Program FilesUnideskUniserviceLogLayerIntegrity.txt

C:Program FilesUnideskUniserviceLogUniBilcLogs_X.txt

You can’t know exactly which UniBilcLogs file it’s using, so look for the one with the latest timestamp. That will be for the current boot. Search for “Integrity”.

You might think you could bypass the Layer Integrity check by just shutting down the machine normally and finalizing that. But if you try, you will find the ELM will stop the task and return you to the Packaging Machine, because it knows that the Layer Integrity Checks either failed or never ran. You must successfully run that Shutdown for Finalize script to finalize a layer.

The registry key, noted at the end of this article, to bypass or ignore integrity problems still works, and you should be just as reluctant to use it as ever. But it’s still a valid way to give up and bypass it.

There are 7 Layer Integrity warnings you can see:

“a RunOnce script is outstanding – please check and reboot the Packaging Machine”

“a post-installation reboot is pending – please check and reboot the Packaging Machine”

“a Microsoft NGen operation is in progress in the background {0}”

“an MSI install operation is in progress – please check the Packaging Machine”

“a reboot is pending to update drivers on the boot disk – please check and reboot the Packaging Machine”

“a Microsoft NGen operation is needed”

“Software Center Client is configured to run, but the SMSCFG.INI is still present. See https://social.technet.microsoft.com/wiki/contents/articles/23923.implementing-sccm-in-a-xendesktop-vdi-environment.aspx”

“A RunOnce script is outstanding” is telling you that there is a key in either of these two locations:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce

HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoftWindowsCurrentVersionRunOnce

Windows normally deletes those keys on reboot, but we have seen circumstances (especially with our own script, envsetup.cmd) where that doesn’t happen. You can manually run the referenced script and delete the key, or just delete the key if the script file no longer exists.

“A post-installation reboot is pending” is looking at six different registry keys. Your first course of action should be to reboot, more than once(in some cases it has taken 3+ reboots), just to make sure that it isn’t a real reboot being requested by some software. It may also be helpful, if the problem is NetLogon, to restart the Unidesk Service for Message Management.

First we check for the existence of any of these three:

HKLMSystemCurrentControlSetControlSession ManagerPendingFileRenameOperations

HKLMSOFTWAREMicrosoftWindowsCurrentVersionComponent Based ServicingRebootPending

HKLMSOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateAuto UpdateRebootRequired

You can manually modify any of these to suit your needs, including just deleting them.

Then we look for changes in the NetLogon key (if the current value is now different from what it was at bootup), and to see if the computer name doesn’t match the active computer name. This is how we determine that a domain-join operation is still waiting for a reboot.

HKLMSYSTEMCURRENTCONTROLSETSERVICESNETLOGONStart

HKLMSYSTEMCURRENTCONTROLSETCONTROLCOMPUTERNAMEACTIVECOMPUTERNAME

HKLMSYSTEMCURRENTCONTROLSETCONTROLCOMPUTERNAMECOMPUTERNAME

Generally you cannot modify these. I’ve seen some software modify the NETLOGONStart key on every reboot, so maybe that’s happening. If, after cleaning out the top three, you still get the prompt on reboot, you will need to use the flag to ignore layer integrity checks.

“A Microsoft NGen operation is in progress in the background” is telling you that a foreground or background NGEN operation (where .Net assemblies are compiled into native images) is still in progress. Generally this is simply true: the ngen rebuild is still running. To watch it in the foreground, run “ngen update /force”. Or you can wait it out, and run “ngen queue status” periodically to see how it’s doing, but that will slow it down because the background process pauses every time you check its status in the foreground. Don’t reboot or you might cause it to have to start over.

It’s important to let NGEN finish. If you kill the process or reboot in the middle, you might wind up with partially written .Net assemblies that crash programs when they show up in an image. You should be patient. However, sometimes we have seen background MSCORSVW.EXE processes, clearly doing nothing, that just don’t finish even after hours. A reboot might help those.

We are looking for the following services in the running process: ngen.exe, ngentask.exe, mscorsvw.exe.

“An MSI install operation is in progress” is very specific: it is saying that a system mutex (mutual exclusion object) named precisely Global_MSIExecute exists. The MSI installer uses that to ensure that only one installer can run at a time. I don’t know of anything you can do about this manually, if you are certain that no MSI installations are happening.

(Note, there was in App Layering 4.2 a bug with upgrading an existing Windows 10 layer from 1611 to 1703 where this flag could be set and not cleared.)

“A reboot is pending to update drivers on the boot disk” is telling you that a service or driver that is set to start at system boot time (the START= value in the registry is 0) was modified or installed, and App Layering wants to make sure the modified driver can boot successfully. Normally you just need to reboot once, and the driver will work fine. We have on some occasions seen software (like Microsoft Defender) attempt to modify its driver file on every single boot, triggering this integrity check every time, so no number of reboots is sufficient to clear it.

“a Microsoft NGen operation is needed” is telling you that an application was installed on the packaging machine and that it scheduled items to be updated at a priority level of 3. That means that the ngen will run when idle and that it is simply waiting until there is no more activity. We are blocking because the ngen needs to create the binaries now instead of on every machine that the application will be deployed to in order to ensure that the application will run in the most optimal way. You should run an ngen eqi 3 in both the c:windowsmicrosoft.netframeworkv4.0.30319 directory and the c:windowsmicrosoft.netframework64v4.0.30319 dirctory to have the ngen complete the operations that are needed. You can also wait, as the ngen will typically pick up and run on its own after 15 minutes of idle time.

The values that is being examined are HKLMSOFTWAREMicrosoft.NETFrameworkv2.0.50727NGenServiceRootsWorkPending and HKLMSOFTWAREWOW6432NodeMicrosoft.NETFrameworkv2.0.50727NGenServiceRootsWorkPending. A value of 1 means that there are work items queued up to be processed.

“Software Center Client is configured to run, but the SMSCFG.INI is still present….” is telling you that we have seen that this machine has ccmexec.exe configured as a service and that it is not configured as disabled. Since we know that any layers created on a packaging machine need to be sealed properly in order to deploy correctly in a VDI environment, we are checking to make sure the SMSCFG.ini is not present. See the web page indicated to get an understanding of why the software center client needs to be sealed. We have provided the commands to run in a batch command file that you can use to seal the layer (run c:windowssetupscriptsSEALSCCMCLIENT.cmd for an administrator command window).

If you have a layer that simply won’t ever get to finalize, for whatever reason (like it always thinks it still has a reboot pending, or you don’t care about corrupted .NET assemblies and don’t want to wait for NGEN to finish), you can tell that single layer to ignore its layer integrity checks and allow you tin shutdown to finalize, using a registry key.

Run regedit.exe and create this key

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesUniservice:]

“BypassLayerCheck”=DWORD 1

The value doesn’t matter, all that matters is that the value exists. This will block all layer integrity checks and allow a layer to be finalized regardless as to how bad we think it might be.

Please do not use this key except as a last resort. We block you from finalizing in these 4 circumstances specifically because we believe allowing you to finalize will irreparably harm the layer and/or the image you publish with it. Always try to solve the problem within Windows first.

Related:

SEP 14/15 runs in Safe Mode?

I need a solution

Hi all.  I lack the ability to confirm this for myself anytime soon due to lack of a machine with SEP 14/15 that I can reboot , but does SEP fully run in safe mode?  I ask because of that recent security bulletin about whatever the ransomware name was where it reboots the computer and runs itself in safe mode so AV is bypassed.  I have to think SEP is robust enough to run at all times but as I said, I can’t test 🙁

Thank you.  

0

1576674569

Related:

  • No Related Posts

14.2.4814.1101.105 clients rebooting unexpectedly

I do not need a solution (just sharing information)

I’ve got a whole bunch of Windows Server 2012 systems, running SEP 14.2.4814.1101.105, “basic protection for servers” package.

Some of them have rebooted unexpectedly, due to SEP:

The process C:Program Files (x86)SymantecSymantec Endpoint Protection14.2.4814.1101.105BinccSvcHst.exe (SERVERNAME) has initiated the restart of computer SERVERNAME on behalf of user NT AUTHORITYSYSTEM for the following reason: Legacy API shutdown
 Reason Code: 0x80070000
 Shutdown Type: restart
 Comment: 

For most of the problem clients, this has only happened once that I’m aware of, either when the SEPM server was rebooted, or the SEP Master Service was restarted, e.g. for an upgrade to SEPM.  Some of those were several weeks back, and one was this morning. 

For one problem client, this happens every single time the master service restarts or the SEPM server is rebooted – I can replicate at will by simply restarting the master service on the SEPM server or rebooting the SEPM server, then waiting a couple minutes for the SEP client to trigger a reboot on the problem client.

My current plan is to do a full uninstall, reboot, run cleanwipe, reboot, and install the latest client package on the one really bad problem client, and seeing how things go.

For the other clients, scheduling downtime for many of them is difficult, so I’m wondering if this is a known bug, if there are workarounds, or what.

Thanks.

0

Related:

Linux PVS Target fail to automatically or manually reset its machine account.

Follow symptoms are observed:

1. Linux PVS Targets are unable to manually or automatically reset its machine account.

2. Machine account password reset from PVS Server Console successfully resets the machine account password and the Target is able to join the domain after the reboot.

3. While running “net ads testjoin” following error is observed:

[root@MachineName ~]# net ads testjoin

kerberos_kinit_password MachineName$@Domain.com failed: Preauthentication failed

kerberos_kinit_password MachineName$@Domain.com failed: Preauthentication failed

Join to domain is not valid: Logon failure

4. Manual reset of the password by running the script “sh ad_change_pw.sh –override-timeout”, completes without any errors but the machine fails to join the domain after the reboot.

Related:

BSOD: DRIVER_POWER_STATE_FAILURE

I need a solution

seems that Symantec encryption 10.4.2 mp3 is causing bsod. actually I think its been happening in windows 10 for about a year. introduced with 1803/1809 carried over into 1903. so it may have started with earlier version not just mp3. pgpwded.sys seems to be the culprit. anyone else experiencing?

Windows failed to resume from hibernate with error status 0xC0000001.

Microsoft-Windows-Kernel-Boot

Keywords (8796093022208)

FailureStatus: 3221225473

FailureMsg: A fatal error occurred processing the restoration data

The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000009f (0x0000000000000003, 0xffff800efe7ea060, 0xfffffe01efc8f7b0, 0xffff800f0ccee6e0). A dump was saved in: C:WINDOWSMEMORY.DMP. Report Id: 2830e9ce-7a77-4bad-85b4-1983571d377a.

The previous system shutdown at 1:43:24 AM on ‎10/‎18/‎2019 was unexpected. <- Interesting, that is probably the time I hibernated before shutting down to go to sleep…and this error showed up in the log after the boot failure 8 hours later marked 9:41:21AM…

10/18/2019 9:41:08 AM The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. <- That is when the fault happened.

Session “ReadyBoot” stopped due to the following error: 0xC0000188 <- Does ReadyBoot have anything to do with Fast Start? I am going to try to disable Fast Start and see if that makes any difference…

0

Related: