RBAC and New Boot Media

This is a pretty simple one, but I love it when the solution to a problem I'm having with ConfigMgr Current Branch turns out to be the same one that worked for people on ConfigMgr 2007 (this seems to be a recurring trend with me).

I was creating new boot media using the New-CMBootableMedia cmdlet, and getting this error message:

New-CMBootableMedia : Create media exited with an error: -2147217407 (0x80041001)

If I tried to use the console I got this error:

Media creation failed with error code -2147217407.
Refer to CreateTsMedia.log file to find more details.

Checking CreateTsMedia.log (this file is created on the system where you’re creating the media from, at something like C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\AdminUILog\CreateTsMedia.log) I see this block of red text:

Staging certificate
Error invoking WMI method SMS_Site.SubmitRegistrationRecord (0x80041001)
StageCertificate::Register() failed. 0x80041001
Error executing state StageCertificate
Error executing first single pass
Failed to create media (0x80041001)
CreateTsMedia failed with error 0x80041001, details=''

CMTrace helpfully decodes 0x80041001 as Generic failure (WBEM_E_FAILED, the catch-all WMI error), so things aren't looking good. After some Googling I came across someone with what sounded like the same error, except they were hitting it on ConfigMgr 2007, not 2012/Current Branch. But they did have a solution:

My problem has been solved. The SMS Admins group did not have "Import computer entry" and "Manage OSD and ISV Proxy Certificates" rights.

Well, crap: the 2007 and 2012 permission models are completely different. But I am running this as an account that doesn't have the Full Administrator role, so let's see what the RBAC equivalent is. My security role already had the "Import Computers" permission under the Site class, but right below it, also under Site, "Manage Certificates for Operating System Deployment" was set to No. That lines up with the log: the step that failed was StageCertificate, calling SMS_Site.SubmitRegistrationRecord, which is exactly a certificate operation on the Site object. Switch that one permission to Yes, give it another try, and the boot media is created successfully. No need to hand the account Full Administrator for this. (If the role in question is a built-in one, you can't edit it directly; copy it to a custom role first and grant the permission there.)

Certificates would appear to be "scopeless" here. Normally a site-level object that has no security scope of its own falls under the Default scope, but my account has no roles assigned to the Default scope, so it would appear that having the permission in the role is sufficient regardless of which security scope the role is assigned with.
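Since the PowerShell error only gives you the generic HRESULT, the useful information is in CreateTsMedia.log. Here is an added example (my own script, not from the original post) that runs New-CMBootableMedia and, on failure, parses the log for the failing state and WMI method and maps the StageCertificate case to the RBAC permission found above. The site code, boot image ID, DP and MP names, and output path are placeholders you would replace; the log path is the one quoted in the post; the only state-to-permission mapping is the one this post actually verified.

```powershell
# Added example, not code from the original post. Assumes the ConfigMgr console (and
# therefore the ConfigurationManager module) is installed on this workstation, and that
# $SiteCode, $BootImageId, $DPName and $MPName are placeholders for real objects in your site.
$SiteCode    = 'PS1'                      # placeholder
$BootImageId = 'PS100005'                 # placeholder
$DPName      = 'dp01.example.local'       # placeholder
$MPName      = 'mp01.example.local'       # placeholder
$MediaPath   = 'C:\Media\boot.iso'        # placeholder
# Path from the post; CreateTsMedia.log is written on the machine creating the media.
$LogPath     = 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\AdminUILog\CreateTsMedia.log'

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Failing CreateTsMedia state -> RBAC permission that fixed it. Only the row the post
# verified is included; extend it as you confirm other cases.
$StateToPermission = @{
    'StageCertificate' = 'Site: Manage Certificates for Operating System Deployment'
}

function Get-CreateTsMediaFailure {
    param([Parameter(Mandatory)][string[]]$LogLines)

    # Lines read from disk carry CMTrace markup (<![LOG[...]LOG]!><time=...>);
    # strip it so the parser also works on plain text pasted from the console.
    $text = $LogLines -replace '^<!\[LOG\[', '' -replace '\]LOG\]!>.*$', ''

    $failure = [ordered]@{ State = $null; WmiMethod = $null; HResult = $null; LikelyPermission = $null }
    foreach ($line in $text) {
        if ($line -match 'Error executing state (\S+)') {
            $failure.State = $Matches[1]
        }
        if ($line -match 'Error invoking WMI method (\S+) \((0x[0-9A-Fa-f]{8})\)') {
            $failure.WmiMethod = $Matches[1]
            $failure.HResult   = $Matches[2]
        }
    }
    if ($failure.State) {
        $failure.LikelyPermission = $StateToPermission[$failure.State]
    }
    [pscustomobject]$failure
}

# Constructed sample: the block of red text quoted in the post, as the log body reads.
$sample = @(
    'Staging certificate',
    'Error invoking WMI method SMS_Site.SubmitRegistrationRecord (0x80041001)',
    'StageCertificate::Register() failed. 0x80041001',
    'Error executing state StageCertificate',
    'Error executing first single pass',
    'Failed to create media (0x80041001)',
    "CreateTsMedia failed with error 0x80041001, details=''"
)
Get-CreateTsMediaFailure -LogLines $sample

# The real run: create the media and, if it fails, read the actual log.
try {
    New-CMBootableMedia -MediaType CdDvd -Path $MediaPath `
        -BootImage (Get-CMBootImage -Id $BootImageId) `
        -DistributionPoint (Get-CMDistributionPoint -SiteSystemServerName $DPName) `
        -ManagementPoint (Get-CMManagementPoint -SiteSystemServerName $MPName) `
        -ErrorAction Stop
}
catch {
    Write-Warning $_.Exception.Message
    if (Test-Path $LogPath) {
        Get-CreateTsMediaFailure -LogLines (Get-Content $LogPath)
    }
}
```

On the constructed sample the parser returns StageCertificate, SMS_Site.SubmitRegistrationRecord and 0x80041001 with the Site permission named above. The New-CMBootableMedia parameter set is the cmdlet's documented one for CD/DVD media; check Get-Help New-CMBootableMedia on your console version before relying on it, since the cmdlet library changes between releases.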
