Skip to main content

1E 23.11 (SaaS)

Known issues

Lists of the current known issues with implementing, configuring, using, and extending 1E.

If you cannot find an issue and its workaround on this page, please try searching the 1E Support Portal https://support.1e.com/ for issues that have hotfixes.

If you need further help, please refer to the Troubleshooting page for how to contact 1E Support and the technical support process.

Installation
Installing 1E Client on Windows

Issue

Description

Workaround

1E Client installed on Windows 11 device reports Operating System value as "Windows 10 21H2"

1E Client installed on Windows 11 device reports Operating System value as "Windows 10 21H2".

None

1E Client UI runs even when 1E module is not enabled (e.g. Content Distributiononly install)

Installing the 1E Client without enabling the 1E Module (only Content Distribution or Shopping module is enabled) enables and displays the survey notifications in 1E Client notification icon.

In order to suppress this, the Module.Interaction.Enabled=false can be set in the config file on the 1E Client or use the corresponding MSI property (i.e. MODULE.INTERACTION.ENABLED=false).

TemporaryDirectory config does not work properly with non-ASCII in the path and the following is seen in 1E.Client.logs:

ERROR - Temporary directory: Cannot create file in 
overriding path 'c:\t€mp\acme€'; using default location

The error is seen if the TEMPORARYDIRECTORY MSI property for the 1E Client contains a non-ASCII value such as "c:\t€mp\acme€" and the directory exists.

The same applies if this is added directly to 1E.Client.conf.

Please provide a path that only uses ASCII values.

Manually uninstall of 1E Client using Programs and Features displays dialog "The setup must update files or services that cannot be updated while the system is running. If you choose to continue, a reboot will be required to complete the setup."

Running the 1E Client MSI manually with Remove option displays the following: "The setup was unable to automatically close all requested applications. Please ensure that the applications holding the files in use are closed before continuing with the installation."

These messages appear as the services that are about to be removed are running, but the 1E Client handles the shutdown so this message can be ignored.

Silent uninstall does not present this issue.

None

1E Client installer adds the Content Distribution registry settings even when the Content Distribution module is NOT enabled during installation. If someone deletes those registry settings and enables the module later, it will not function correctly.

1E Client installer creates the majority of the Content Distribution registry values because the service does not create them all and Content Distribution does not tolerate the absence of all the settings that the service does not create. If these settings are deleted and the module is enabled later, then it is unable to function correctly.

In such a scenario, 1E Client will need to be reinstalled with a new set of properties / transform that enables the module with the appropriate configuration.

When upgrading an existing 1E Client, none of the manually added configuration file properties in the *.conf file have been retained.

1E Client does not retain any configuration file property values that have been added as the upgrade process currently only checks the default values that exist in the old Tachyon.Agent.conf or new 1E.Client.conf.

This includes the Module.Inventory.ProcessUsage.Enabled=false values that were included in Tachyon Agent v4.0. After an upgrade, this configuration file property will no longer appear and 1E Client uses the default (true).

The additional configuration file property values need to be added to the 1E.Client.conf file if they are required.

Please refer to 1E client settings for list of the available configuration options.1E client settings

When upgrading an existing 1E Client that has been installed to a non-default installation directory, the installation folder reverts to the default path.

If the previous1E Agent was installed anywhere other than the default location "%ProgramFiles%\1E\Tachyon\Agent", then the Installation folder in the wizard will revert to the new default path "%ProgramFiles%\1E\Client".

The same applies to silent upgrades where the 1E Agent was installed to another path, the installation folder will revert to the default unless the required directory is specified using INSTALLDIR.

Please upgrade by specifying the required Installation folder in the wizard or using the installer property: INSTALLDIR

Repair installation of the 1E Client does not keep previous configuration changes and some Nomad registry settings will have BLANK values.

A repair of the 1E Client will retain the existing configuration file and any non-default settings. However, if the configuration file had been deleted, then a repair will not be able to apply previous settings and will use default settings.

Also, a repair will set any properties passed in the command line, but will leave some Content Distribution properties like KnownMobileDevices and LocalCachePath as blank.

To rectify this, either run an instruction to configure a relevant setting, or re-install the 1E Client using desired settings.

Use a 1E Client configuration instruction in Endpoint Troubleshooting for centralized post-installation configuration. Please contact 1E if you require the Product Pack that has this instruction.

Potential blue screen of death (BSOD) with Windows 7 SP1 and Tachyon inventory capture.

If 1E inventory is enabled on Windows 7 SP1 (without updates) there is the potential for BSOD issues on systems using out-of-date Windows drivers.

Microsoft investigated the issue and confirmed the usbccgp.sys driver has a potential issue where it can fail to complete a power IRP in a timely manner.

Microsoft recommends the following fix:

1. Update the usbccgp.sys driver as follows:

    • Update the usbccgp.sys driver by installing update KB3125574.

Prerequisites: To apply this update, you must first install:

    • Service Pack 1 for Windows 7 or Windows Server 2008 R2: KB976932

    • April 2015 servicing stack update for Windows 7 and Windows Server 2008 R2: KB3020369

2. Update tdx.sys to 6.1.7600.21050 to address TDI driver response issues as per: KB2028827

1E features of the 1E Client cannot read the private key for a Trusted Platform Module (TPM) protected certificate.

1E platform client uses Windows certificate store but is currently unable to access the private key of a client certificate that is protected using Windows Trusted Platform Module (TPM).

This issue was seen when a customer used Microsoft Intune for client certificate deployment and the Simple Certificate Enrollment Protocol (SCEP) certificate profile included 'Enroll to Trusted Platform Module (TPM) KSP'.

The 1E Client was unable to extract a handle to the private key in the Windows Certificate Store; 'NCryptExportKey failed with 0x8009000a' (NTE_BAD_TYPE) was reported as an error in the 1E Client log.

Use a client certificate that is not protected using Windows Trusted Platform Module (TPM).

Examples of Microsoft cryptography providers that do not use TPM are:

  • Microsoft Enhanced (RSA and) AES Cryptographic Provider

  • Microsoft RSA/SChannel Cryptographic Provider

  • Microsoft Enhanced Cryptographic Provider

  • Microsoft Software Key Storage Provider (CNG).

Also, Microsoft Software Key Storage Provider is the only CNG provider supported by this version of the client.

Installing 1E Client on non-Windows

Issue

Description

Workaround

Microsoft InTune cannot be used to deploy the 1E Client package for macOS.

By design, Microsoft InTune can only be used to deploy macOS packages to the /Applications folder. However, the 1E Client must be installed to /Library/Application Support since that is a secure location, writable only by root. Also, the associated launch property list file must be installed under /Library/LaunchDaemons.

Use an alternative deployment method for the 1E Client macOS package.

The 1E Client on macOS may not be able to validate the switch certificate if there is a cacert.pem in the .sslcerts folder that does not contain the relevant list of CA public keys. The following is logged:

ERROR - Either the Switch certificate or the client certificate is not trusted, use the 1E Client debug log setting to obtain certificate details.

If the 1E Client for macOS finds a valid cacert.pem in the hidden directory: /Library/Application Support/1E/Client/.sslcerts, then the Keychain Access is not checked.

This cacert.pem is then used to validate the trust chains for the client certificate the client will submit and also the Switch certificate received. The client will be unable to connect to the Switch if it does not contain the relevant list of CA public keys to do the validation.

Ensure the cacert.pem contains all the public keys for all the intermediate CAs, up to and including the Root CA required. Alternatively, remove the cacert.pem if the 1E Client for macOS is to use the certificates from the Keychain Access.

Installing TIMS on Windows

Issue

Description

Workaround

When upgrading an existing TIMS that has been installed to a non-default installation directory, the installation folder reverts to the default path.

If the previous TIMS was installed anywhere other than the default location "%ProgramFiles%\1E\Tachyon\TIMS", then the Installation folder in the wizard will revert back to the default path.

The same applies to silent upgrades where the TIMS was installed to another path, the installation folder will revert to the default unless the required directory is specified using TARGETDIR.

Please upgrade by specifying the required Installation folder in the wizard or using the installer property: TARGETDIR

e.g. msiexec /i TIMS-x64.msi /qn TARGETDIR="c:\TIMS"

Installing 1E Toolkit

Issue

Description

Workaround

Interactive upgrade of 1E Toolkit does not detect previous settings.

1E Toolkit installer does not detect the previous 1E Server settings or the installation folder if it was installed to an alternate directory. This will default back to 'C:\Program Files (x86)\1E\Tachyon\Toolkit'.

These will need to be specified again during the upgrade.

Email and two-factor authentication

Issue

Description

Workaround

Users do not receive email communications related to Actions that have been initiated or emails related to Two-Factor-Authentication.

User A - Logged in to Configuration Manager Console

User B - Logged in to Endpoint Troubleshooting

When User A initiated an action through CM Console right click extension, the action was getting initiated as User B and the required authentication code was being sent to User B instead of User A.

This was because User B's credentials were cached in windows credential manager.

Clear the cached credentials from Control Panel → Credential Manager.

Users do not receive emails about approvals or response expiry.

Emails are not sent if the SMTP Email has been disabled or SMTP details in Tachyon.Coordinator.exe.config are incorrect or missing.

Correct the SMTP configuration. See Changing the SMTP Host configuration.Changing the SMTP Host configuration

Any instruction that requires approval can still be done using the Endpoint Troubleshooting Pending Approval Notifications page.

Users do not receive emails about two-factor authentication codes.

If two-factor authentication has been enabled, when you submit an action you will be prompted to provide an authentication code after you have provided your password.

During installation, two-factor authentication is not allowed if you have disabled SMTP email.

Emails are not sent if SMTP Email has been disabled or SMTP details in Tachyon.Coordinator.exe.config are incorrect or missing.

Enabling or disabling Two-factor AuthenticationEnabling or disabling Two-factor Authentication

Changing the SMTP Host configurationChanging the SMTP Host configuration

Configuring 1E
1E client connections

Issue

Description

Workaround

1E.Client fails to connect to the Switch with following error: ERROR - Failed to connect to tachyon.acme.local: invalid padding (138)

During the establishment of an https connection between the client and the Switch, the client receives and verifies the Switch certificate. This is received from the Switch as an X.509 certificate chain, from which the 1E Client will extract the Switch's public key and verify the certificate chain. On a successful SSL handshake where the CRL is checked, it will report both the serial number of each certificate as it walks the chain and the Authority Key Id (AKID) of the CA that issued that certificate. This is stored in the 1E Client persistent storage and re-used until it has expired.

If the 1E Client connects to another Switch where the certificate chain is different (e.g. CA certs have been re-issued), the 1E Client may log the following warning since there is a mismatch of the Authority Key Id (AKID) saved in the persistent storage from previous CA:

WARN - X509: error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed

WARN - X509: error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib

WARN - X509: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Delete the cached certificate entries in the 1E Client persistent storage (default location is C:\ProgramData\1E\Client\Persist) and restart the 1E Client.

Non-Windows clients may disconnect due to the keep-alive period being too high.

Clients on Non-Windows may disconnect if the keep-alive period is too high.

Non-Windows clients need to have a maximum keep-alive time of 4 minutes (240s).

The keep-alive time needs to be updated in the 1E.Client.conf file: ConnectionKeepaliveTimeInSecondsMin should be set to 120 (default) and ConnectionKeepaliveTimeInSecondsMax should be set to 240 (default is 600).

These settings can be set during installation or changed post-install.

A client does not start and the 1E Client log shows: ERROR - Certificate Verification failed : CRL path validation error. This occurs even when CRLChecks=soft.

The client will not connect if it is unable to create a trust chain, despite having the correct root CA certificates. This is due to the local computer certificate store containing "CrossCA" certificates.

Please ensure the client certificate store does not contain any "CrossCA" certificates in the local Trusted Root or Intermediate CA stores.

The client is unable to start on the Root CA.

A client attempting to run on a Root CA server will log the following error:

WinTrustVerify returns 0x800b010a (CERT_E_CHAINING) “A certificate chain could not be built to a trusted root authority”

A Root CA sits at the top of the public key infrastructure (PKI), there are no higher authorities, and so it effectively self-signs its certificates, which 1E is specifically prevented from using.

It is not good security practice to have a Root CA online therefore do not install the client.

You could configure your 1E system to not use client certificates.

Resetting Hyper-V Agents can cause the Switch to become unresponsive and log erroneously.

Powering off or resetting a guest Hyper-V virtual machine without shutting it down, can cause the Switch to refuse connections from the client when it restarts, and the Switch starts spurious logging.

To rectify this issue restart both the Switch and the 1E Client service.

The client fails to start and the 1E Client log shows errors relating to Certificate Revocation List (CRL).

See 1E client settings.1E client settings

An error is logged if CRLChecks=hard and the client is unable to locate a valid HTTP-based CRL Distribution Point for a certificate.

An error is logged if CRLChecks=soft and the client is able to get a CRL from the CRL DP, but the CRL indicates revocation of the device certificate or a certificate in its trust path.

The client requires a valid SSL certificate presented by each server it connects to. This includes any Switch, Background Channel or other HTTPS server from which the client downloads content. The client does not connect to a server if it knows a certificate is invalid.

CRLs are obtained by contacting the CRL Distribution Point(s) whose URL is embedded within the certificates. At present, the client supports only HTTP-based CRL Distribution Points. It ignores any non-HTTP CRL DPs that may be included in a certificate, such as file or LDAP, and does not support OCSP.

If the machine is not be able to contact a HTTP-based CRL Distribution Point, please ensure CRLChecks=soft within the 1E.Client.conf file. This will prevent the client from failing in the event of being unable to locate a CRL Distribution Point

Enabling, disabling, adding or removing network adapters on the 1E Server computer will cause issues with Switches issuing instructions or unable to use features like "Export All Results".

The 1E Server Core web applications have access restricted by the IIS feature IP Address and Domain Restrictions. All connections are denied, except for local connections. Changing adapter configuration after installation can cause the entries in the IIS feature to become incorrect and cause issues with 1E Server.

If for example the IPv6 address assigned is different from the one which was installed by 1E, then Tachyon.Workflow.log is likely to contain errors:

"Posting Housekeeping to Core API 1 failed 'Forbidden'"

"Delete with ID 22 to Core API 1 failed 'Forbidden'"

Or Tachyon.ConsumerAPI.log may have "Data export fail" errors when attempting to "Export All Results".

Please update entries in the IP Address and Domain Restriction feature of the CoreInternal and the Core website to include all local IP v6 and v6 addresses.

Please refer to IP Address and Domain Restrictions.IP Address and Domain Restrictions

Settings application

Issue

Description

Workaround

Settings > Instruction Set uploader displays:

"Failed to upload: This Product Pack structure is not supported by this version. If you want to upload an Integrated Product Pack then you must use the Product Pack Deployment Tool".

It is currently not possible to use the Tachyon Portal > Settings > Instructions > Instruction sets page to upload Integrated Product Packs and user will be displayed a "Failed to upload" error message. Only Classic Products Packs can be upliaded via the Settings application.

Please use the 1E product pack deployment tool.

After an upgrade, attempting to re-upload the latest product packs displays the following error: "Something went wrong while processing request. Error: An error occurred while uploading the entries in the database".

This happens after an upgrade of 1E Server and attempting to re-uploading an existing instruction using a product pack where the instruction is within a zip.

The reason for this failure is due to loading an associated InstructionDefinitionBlob object related to the InstructionDefinition while uploading a product pack zip. It is fine with single InstructionDefinition upload.

Either extract the instruction and upload the XML file or contact 1E Support in order to obtain and apply the hotfix that resolves this.

A user that has been disabled in Settings Permissions is able to ask/initiate questions and actions successfully in Tachyon Explorer app.

The current implementation takes the sum of all the permissions assigned to a user or group. Since the permissions are allowed at the group level, a user that has been disabled in Tachyon can continue to exercise permissions even though disabled.

When a user is disabled, also remove the user account from all security groups that are being used for permissioning instruction sets.

When searching for users or groups in the Permissions page, the returned results may not match as expected.

When searching for a user account, the search uses CN or SAM account name. Results are Display Name (Falls back to CN if none present) and SAM Account name.

Therefore, in some cases it is possible for the result returned to not contain the search string (ie the user can search for "ABC" and get the result "XYZ" which, while valid, is confusing)

None

Members displayed for an Active Directory group may not be up to date on the Permissions page soon after a change has been made to the AD object.

In the Permissions page of Endpoint Troubleshooting the Members button will display membership of a group, but it may not be up to date if the AD object has been recently changed.

The same applies to the capabilities of 1E users in groups configured through role-based access to 1E features.

Allow time to elapse so permissions cache expires (10 minutes).

Server configuration

Issue

Description

Workaround

In the 1E connector setup, if user provides the account password starting with a semicolon character ";" then the 1E connector test and synchronization action will fail.

Semicolon ";" is used as a separator in the connection string for the DB (stored encrypted) and if the semicolon is in the beginning of the password then the length will be considered as 0 resulting in failure of 1E connector test and synchronization action.

User will need to create account password not starting with semicolon ";" character.

Tachyon.CoreAPI.log reports the following:

ERROR Tachyon.Server.Services.Core.Services. HttpSendProvider - POST to https://<tachyon DNS Name FQDN>/Experience/Offload/Events returned status Unauthorized

When 1E is installed with multiple Response Stacks where there are remote Switches configured, these remote servers are not automatically granted permission to offload Experience events back to the Master Stack so an unauthorized error is seen.

The remote server machine account needs to be granted permissions by adding it to Experience configuration in "C:\Program Files\1E\Tachyon\Experience\Web.config":

<add key="AllowedUsers" value="NT AUTHORITY\Network Service;<domain>\<machine>$" />

Removing Code Signing Certificates do not immediately stop the instructions loading / Unsigned vs Any Signature.

1E Consumer API trusts any certificate in Local Computer Trusted Publishers store to be a trusted instruction definition publisher. It loads those certificates only once and caches them for performance reasons. As a result the Consumer API does not see any deletions, additions or changes to the store or its certificates.

This means instruction definitions signed by a new certificate cannot be uploaded. Similar situation is true for deleted certificate where user will still be able to upload an instruction definition signed by the deleted certificate.

Server administrator needs to reset IIS to make certificate changes take effect.

Using 1E
Endpoint Troubleshooting application

Issue

Description

Workaround

An approver of a child management group receives approval notification email, but the email link takes user to "No notification" page.

If the action was submitted by a user who has permissions to All devices or a parent level management group e.g. "UK Servers" (to the approver's associated child management group "UK Desktops") and the instruction was targeted to the approver's accessible management group "UK Desktops", then the approver will not have access to approve it.

This is due to the workflow looking at the user's permission and not the scope of the target devices which could potentially include devices that another user is not allowed to view or approve.

Please review the approver's accessible management group in order to make the necessary approvals

When creating a Daily Instruction Schedule on the Instructions→Tasks page in Endpoint Troubleshooting a validation error message is displayed on the Instruction scheduler popup under the Repeat Every field suggesting the field is mandatory.

While trying to create a Daily Instruction Schedule in the Instruction scheduler popup on clicking Save you are prompted to enter a value in the Repeat Every Hour field. If the field is left blank the text Must be a number is displayed. If you try to enter a number but set it to 0 the validation error Must be between 1 and 23 is displayed.

The field is not actually mandatory but the validation will not allow the schedule to be created unless a value has been set.

If you see the Must be a number validation error, type any number into the field to clear this message, then delete the value in the field.

If you see the Must be between 1 and 23 validation error delete the value in the field, which clears the validation error.

You will then be able to click Save to save the schedule without the additional hours.

When Firefox browser is used to access the 1E portal, potential security risk message is displayed by Firefox browser.

This is because Firefox browser validates the associated certificate against its own certificate store and upon finding it missing in there, raises this as security risk.

Firefox browser requires Root CA Certificate to be imported into Firefox certificate store when used to access 1E portal.

Please follow the steps mentioned below to fix the above issue:

  1. Launch Firefox browser

  2. Navigate to browser's options menu

  3. Select Privacy & Security and go to Certificates section

  4. Click on View Certificates ->Authorities tab

  5. Identify the certificate used when 1E was installed

  6. Click on Import option

  7. Relaunch the Firefox browser and access the 1E portal

Endpoint Troubleshooting UI in Firefox browsers may briefly display blank areas with no text.

When using Firefox browser, the Endpoint Troubleshooting page may not get rendered properly and displays some content as blank areas. This has been seen most often with Firefox version 61.

This can be resolved by refreshing the Firefox browser using F5 function key or clicking anywhere else within the Endpoint Troubleshooting UI page.

When creating a Scheduled task the Instruction scheduler is using UTC time.

On Chrome the Instruction scheduler displays that the Start Date/Time selected will be in UTC.

However, on other browsers (e.g. Firefox and Microsoft Edge) the UTC text is missing and it may appear that the Date/Time selected is the current local time even though it uses UTC.

None.

Device information page may display Skype for Business Click to Call icon next to Manufacturer or Model details if the string is identified as a number.

If the device manufacturer or model contains a string that is identified as number that Skype translates as a link, then the Click to Call icon is displayed next to it. This could be seen when clicking on the information icon next to any Tachyon client devices in the Explorer > Devices > Table or Response pages.

None.

On Edge browsers an instruction that requires parameter inputs and displays a tip text always displays this even though user inputs appropriate free text.

When using Edge browser and attempting to submit an instruction which requires parameter inputs and it displays tip text, this text remains and is not over written.

The light grey tip text is only displayed in the Endpoint Troubleshooting page of the Edge browser and does not get submitted as part of the instruction so it can be ignored.

None.

"Provide authentication code" for a scheduled instruction displays warning "Scheduled instruction id X does not exist" or fails to accept a valid token with error "Token validation failed with error message".

Scheduled instruction workflow is not displaying the appropriate warnings when multiple users have updated a scheduled instruction or when there are multiple updates on one that is pending approval or waiting for the authentication code to be applied.

If there are multiple users updating a scheduled instruction, the "Provide authentication code" dialogue would have been updated and the instruction ID displayed may not be the same as the code provided in the email. Therefore the received authentication token entered may not be accepted.

Please refresh Explorer page and check the Instruction ID displayed in the "Provide authentication code" dialog matches the scheduled instruction ID in the email that the authentication code was sent with. If the ID has incremented, then another user has updated the scheduled instruction.

Instruction responses Summary consistently shows a higher sent count and "Responses from" never reaches 100%.

TachyonMaster Switch table may contain multiple entries if the IP address of the server running the Switch Host service has changed and this will cause the sent count to go up for any instruction submitted.

If using DHCP, please provide a static DHCP assignment to any 1E Servers.

GetProcesses method does not return full list of processes on Android M6 (Marshmallow) or upwards.

Due to security lock down on Android since version M6 (Marshmallow), the GetProcesses method returns an incomplete process list since an Android applications are now sandboxed to enhanced security by application isolation. An application only has access to the list of processes that it has created either directly or indirectly.

None.

On new installations of 1E, first visit to Endpoint Troubleshooting may show Access Denied page.

Post clean install of 1E server, when user logs in for the first time to Endpoint Troubleshooting, the Endpoint Troubleshooting lands on error page complaining about lack of permissions.

This can also be seen if the user presses Ctrl+F5 key to refresh the Endpoint Troubleshooting page. When same keys are pressed second time, the Explorer does not land on error page

Refresh the web page or press Ctrl+F5 again.

When using instructions with FileSystem module and the specified filename uses non-ascii characters, the response may return an error "Cannot open 'C:\tmp\?file.txt' for hashing because: (0x7b) The filename, directory name, or volume label syntax is incorrect."

If the specified filename uses non-ascii characters, the FileSystem module may not be able to find the file and therefore it will not be able to retrieve further information about it and report it's size as -1 and that the hash is "invalid hash".

None.

When using Filter Results and searching responses that relate to certificates, no results are found.

This can happen when an extra space exists in the search string or in responses.

Examples

Searching for subject for 'CN= machine.contoso.com' does not return any matches, whereas searching for 'CN=machine.contoso.com' will return matches.

The windows certificate viewer (Crypto API Extensions) will insert spaces in some certificate properties for ease of viewing. The certificate itself does not contain these spaces, and so a search with spaces in the search string (for example, copied from the certificate viewer in windows) will not return any matches.

If you run a command-line from cmd.exe with parameters (e.g. "psexec -i -s"), cmd.exe introduces another space between the executable name and the first parameter, so it becomes "psexec<space><space>-i s".

In order to match correctly, please use a search string with the correct number of spaces.

It may help if you click on a similar value returned in the response, and edit that.

Using certutil -dump will show the actual Subject Name of the certificate, which will match when searched for.

When a client is running on a laptop connected to a WiFi network and the connection is lost (or it's turned off via the Wireless Network Connection), then the responses are lost.

If a client on a laptop has been processing instructions and the WiFi connection is lost, it does not recognise the connection is no longer available and continues to send responses. No responses will be received by the 1E Server.

Re-submit the instructions.

The Endpoint Troubleshooting Responses page displays a blank page with no results.

This can occur if the SQL instance and the TachyonResponses database are unreachable.

If the Core web application is unable to access the TachyonResponses database when an instruction is asked then the Consumer will log an exception and the Explorer Responses page displays no results.

This is more likely to occur if the 1E Server is configured either with a remote database or multiple databases.

Rectify the connection problem with the SQL Server instance and re-run the instruction.

If the client is restarted whilst it's attempting to download a resource (such as a script) while executing an instruction it logs ERROR - [Seq=<id>] Error processing instruction (InstructionId=<id>).

If the client is restarted whilst it's attempting to download a resource script, it logs ERROR - [Seq=<id>] Error processing instruction (InstructionId=<id>)

On restart the client will not re-process the instruction so the error is not sent up to the server.

Re-submit the instruction.

The Sent Count for an instruction, and the statistics derived from it, imply that an instruction has been sent to more clients than the number deployed or targeted.

If the client service is terminated abruptly while processing an instruction, the client will re-request the instruction when it next starts up. This causes the Switch to re-send the the same instruction to the client, which in turn will cause the statistics to show an increased Sent Count.

This also affects the Success, Error, and Outstanding statistics in the Responses Summary page.

None.

Large responses to instructions may not be received from the client if the instruction is cancelled, even though you have selected to "Keep Results".

If the client is in the middle of an upload at the point that the instruction is cancelled, the Switch will cancel the upload if the size of the response exceeds 4K.

None.

An Action can not be approved or in a failed state.

When the Coordinator service goes into faulted state (e.g. as the result of an internal error), any live instructions remain in the "created" state and cannot be approved.

Faults may be caused when a 1E Server has been upgraded when the instruction was still in-progress state during the upgrade process. The workflow will be unable to process the instruction after the upgrade and the error will be recorded in the Explorer portal Admin Log page.

The action needs to be re-submitted.

Instructions

Issue

Description

Workaround

Instructions using Device.GetDisks method on Windows 8, Windows 7, Vista or Server 2012R2 will return Error "Unsupported"

Device.GetDisk method uses WMI namespace query that is not supported in the earlier operating systems so the 1E Client will return an Error.

1E Client logs display the following:

ERROR - Method error at L1.C1-L1.C17

ERROR - Unsupported

None

Running instruction with OperatingSystem.ControlStop and specifying 'IncludeDependents' as false to stop a service that has dependents return Success - no content even though 1E Client may log:

ERROR - Could not perform ControlService because [ (1051/0X41b) A stop control has been sent to a service that other running services are dependent on. ]

When an instruction exercising agent method OperatingSystem.ControlService with parameter IncludeDependents = false (default) is sent to targeted endpoints; to stop/start specified service and the service fails the action due to dependent services , the instruction returns status Success-no-content" instead of Error.

None

Running an instruction with a FileSystem.FindFileBySizeAndHash or FileSystem.FindFileByName method e.g. "Which devices have a file named %filename% on a fixed disk?" may not return complete list on macOS Big Sur 11.0 and logs show error similar to:

"ERROR - Could not open directory '/private/var/db/appinstalld' because: (1) Operation not permitted"

Apple have clamped down on free access to the filesystem(s) in recent versions of macOS, and granting the "full disk access" from System Preferences --> Security & Privacy --> Privacy seems to be limited to applications, not individual executables such as the 1E.Client daemon and the 1E Client installation cannot set up the permissions.

Currently the only solution around this would be to add bin/bash give the 1E.Client daemon Full Disk Access (FDA). This can only be done by adding bin/bash FDA as we use bash to launch the Client Daemon. On launch, Client Daemon inherits the FDA permission from bash. Some directories still remain locked as they fall under macOS's System Integrity Protection (SIP).

This is not recommended as adding bash to FDA can lead to serious security issues.

None

1E Client becomes unresponsive to any instructions after performing an Extensibility update even though the Client continues to appear on online.

The 1E Client logs will display that all modules have been unloaded, but it continues to send Keep alive messages.

Or if PXE module is enabled, the following is seen in the Agent logs:

Faulting module path: C:\Program Files\1E\Client\Extensibility\1E.Client.Module.PXEEverywhere.dll

Once the Extensibility update instruction “Check for 1E Client updates and apply them” has been run and the Client has downloaded all the modules, it attempts to unload the existing ones in order to apply the updates. However, if the Inventory module is currently processing, it causes the Client to become unresponsive even though it continues to send keep alive messages to the Switch.

This applies to all 1E Client (including the non-windows platforms).

Once the update has been run, the 1E Client process will need to be killed and the service restarted. Please avoid using any instructions which use the Agent.CheckForUpdates method.

Responses Chart view only displays as text.

Some instructions (e.g. What BIOS firmware is installed?) are authored so the responses are displayed as Chart view, but on Firefox this view may not be displayed correctly.

Use alternative web browser.

Instructions that have aggregation on floating point or DateTime values fail to return results.

When the instruction is run in TIMS, the raw values are shown correctly, but when uploaded to Tachyon the aggregation fails to sum the values, returning an empty row set.

Aggregation on DateTime values where the input data looks like this also fail to return results: 01/17/2018 16:32:47.648

None.

Explorer response displays error 'Could not deserialize JSON into DataTable'.

If an instruction includes the Scripting.Run method running a PowerShell script, and the script fails or generates error output that is sent to standard out, this will be considered part of the output of the script, and cannot be converted into the format (JSON schema) expected for the response.

Please ensure the PowerShell script is written to either output data according to the JSON schema specified in the instruction definition, or exit with an exitcode, and not a mixture.

1E Client installed on macOS - Big Sur "(1) Operation not permitted" errors from FindFileByName

Apple have clamped down on free access to the filesystem(s) in recent versions of macOS, and granting the "full disk access" from System Preferences --> Security & Privacy --> Privacy seems to be limited to applications, not individual executables such as the 1E.Client daemon and the 1E Client installation cannot set up the permissions.

None.

Endpoint Automation application

Issue

Description

Workaround

Any pending changes in Endpoint Automation and/or Experience Analytics applications that are deployed during upgrade process from 1E platform v5.1 to v5.2 or v8.0. This is also true if there is an already deployed unlicensed rule/recondition/check or fix.

1E Server Setup runs a post installation action to automatically deploy all policies and event subscriptions.

Ensure any pending deployment changes under review are either deployed prior to upgrade process is initiated or respective rule/policy/Survey should be marked as disabled to prevent deployment during upgrade process

Endpoint Automation Overview pages show incorrect devices when Policy with no Rules have been assigned to a Management Group.

On the Endpoint Automation Overview page, the Online, Online last 7 days and Last seen per Criticality Level charts all show incorrect counts when a Policy is assigned to a Management Group, but no Rules have been assigned yet.

This will display correct values once Rules are assigned and devices have responded to the events.

None

Opening an instruction or fragment that has been exported using the Consumer API displays the following message when viewed in TIMS:

"This instruction definition was signed by CN=Tachyon Explorer Instructions but the content has been tampered with.

An instruction exported through Postman can generate file with whitespace differences and file size between the original file which is not accepted by TIMS as it's considered to be tampered.

Use alternative API tools (e.g Fiddler).

"Ensure Nomad can communicate through the Windows Firewall" remediation is being executed even when firewall is disabled from the GPO.

"Ensure Nomad can communicate through the Windows Firewall" remediation is being carried out when there is a firewall policy that has been disabled through group policy. This means that when firewall policy has been disabled explicitly, instead of ignoring the fix, the firewall is set to enabled and the firewall exceptions are set for Nomad.

None

On a ConfigMgr Distribution Point, the Rule to "Check the Nomad has a virtual directory on ConfigMgr distribution points to perform LSZ generation" always passes even though a failure reason may be returned in the Data field.

The check fragment should verify that the LSZFILES website setup by Nomad on a DP has certain characteristics, but even when errors are found the check status is "Passed".

The logic in the PowerShell parts of the fragments uses a $errorOccurred variable to set the exit code, but this variable is initialized to $false and then never changed even when an error is detected.

e.g Data field returns: "Windows authentication not enabled. Require SSL flag is not disabled. Directory browsing not correctly set."

None

1E Client logs several unsuccessful remediation attempts within a 24hr period.

There is currently no longer a cap on the number of time a remediation step can occur on a machine within 24hrs. This differs from 1E Client Health where after 3 failures to remediate an issue, further remediation would not occur until 24hrs have passed.

None

Experience Analytics application
Inventory Insights

Issue

Description

Workaround

No issues currently known.

1E Catalog

Issues

Notes

Workaround

Any Title of a Vendor with two different colloquial versions should not be allowed when other fields are same.

There may be instances where a product has different colloquial versions for the same version such as Microsoft Excel 15.0 with a 2013 colloquial version and Microsoft Excel 15.0 with a 2015 colloquial version.

None

Timeout is displayed during updates and the Catalog UI is not available during that time.

The Catalog Web UI is unavailable when it's downloading data from the 1E Cloud Catalog.

If you try again after some time the Catalog Web UI should work.

The installer creates the database when you cancel the process in the setup wizard.

If you decide to abort the installation after providing the name of the Catalog database, the installer creates the database despite the cancellation.

None

Pressing Cancel when prompted for your credentials on the Web UI Admin page displays an error.

If you click Cancel on the Web UI Admin page when prompted for your credentials, an HTTP error 401.1 – Unauthorized error is displayed.

None

Unable to create new versions with more than 4-part numbers in the Catalog Web UI.

If you attempt to curate a version with more than 4-parts (for example, 1.2.0.1.2) in the Catalog Web UI, it displays the error – The version is not in the correct format.

None

The Catalog Web UI does not report if the Catalog service is unavailable.

During a downtime, if you try to navigate through Catalog Web UI, it becomes unresponsive but does not display a message that the service is unavailable.

None

The Catalog Web UI displays an incorrect message if you leave the page and return to it.

During a resynchronization event, if you navigate to a different page and immediately return to the Admin page, it displays a Resync completed Successfully message, even though it has not. The resynchronization event keeps running in the background until it successfully completes.

None

Best Match API times out when indexes are being compiled.

If the Best Match API is called while the indexes are being compiled, it times-out. However, the second call will succeed.

The second call will succeed.

Unable to cancel the installer while it is migrating to a new version.

During a migration to a newer version of the Catalog, pressing Cancel does not stop or roll back the installation – it continues uninterrupted.

None

The number of records pulled during a 1E Cloud Catalog synchronization event is not known at the start of it.

When the Catalog synchronization event starts, you're not able to discover the total number of records that will be inserted into the database. The logs register the number of records it inserts successfully but you would not know the total records to be inserted beforehand.

None

Clicking Back to list in Catalog Web UI navigates to the Home page instead of the previous page.

If you filter on a vendor and go to any next page to set license rules for that vendor, and then click Back to list, it takes you back to the Home page and does not retain the filter applied in the previous step.

None

The unattended install does not check Catalog prerequisites.

The installation will fail if requirements are not met.

None

Indexing fails when if the rebuild index and incremental index events are run simultaneously.

If a rebuild index and incremental index conflict, indexing will not complete successfully.

It will complete successfully the next time the incremental index event runs.

Error when user modifies an edition from Catalog Web UI.

If you attempt to modify the edition of a product then "An error has occurred while processing your request" message is displayed.

None

Log files and other folders not deleted from program data folder after uninstalling catalog.

If the Catalog is uninstalled, its logs folder structure is not deleted from the Program Data folder.

None

On the Catalog Web UI new bundles screen selection of multiple dropboxes gives wrong filtered record.

On Catalog Web UI new bundles screen, selection of multiple dropboxes returns an incorrect filtered record.

None

File Version filter on Catalog Web UI does not work.

File Version on product file screen filter is not working.

None

A prompt to reboot the server is displayed when you upgrade or uninstall the product.

There may be instances where you are prompted to restart the server in order to complete the installation.

Restart the server.

Installer unable to connect to the database when you run a repair on the Catalog from Programs and Features.

In a TLS environment, if you opt to repair the Catalog from Programs and Features by choosing the Repair option, you will be prompted with this error: Error 27502: Could not connect to Microsoft SQL Server ... SSL Security error. (18)

Uninstall and reinstall the Catalog

Lucene index folder is not deleted on uninstalling catalog.

On uninstalling the catalog, Index directory from program data is not getting deleted.

None

Wrong Surrogate key mapping is formed in case product is deleted from client side and upgrade is performed

On upgrading the catalog deleted site define entries are not getting persists

None

Installer should have a check for ASP.NET as Catalog is not failing when "ASP.NET" is not installed

The Prerequisite check of installer does not check for ASP.NET

None

Re-Sync: Timeout error is observed while getting site defined on one client machine while Re-Sync with another client machine is in progress

Re-Sync is successful on one of the client and error is observed on second client while it's getting the site defined entries.

Following is observed in the logs:-

The timeout period elapsed prior to completion of the operation or the server is not responding.

None

Error message is observed in logs while indexes are recreated after sync in edge case installation scenario

Install catalog through unified tachyon installer, after successful installation, uninstall the catalog. If user Installs the catalog stand-alone start the sync then its IIS services should shift into different pool due to which indexes will break.

None

Catalog 2.0 error '500 Internal server Error)Index is getting failed' in the 'Catalog.UpdateService.log' when the 1E Catalog service account uses domain user account. (Highly Intermittent).

When the 1E Catalog service account is using a domain user account rather than Network Service account, the index is getting failed after sync is completed.

This issue does not cause functional issues and can be safely ignored.

Catalog 2.0 if an upgrade fails, the 1E Catalog installer will roll back the installation and remove any customizations in the 'web.config' and 'CatalogUpdateService.exe.config' files.

If an upgrade fails, the 1E Catalog installer will roll back the installation and remove any customizations in the 'web.config' and 'CatalogUpdateService.exe.config' files.

This is resolved by backing up the configuration files prior of upgrading as covered in the 'installation and upgrades' section of the documentation.

1E Toolkit

Issue

Description

Workaround

1E Toolkit extensions are not visible on the CM Console for both Devices and Device Collections

In the past, any installed extension was allowed to be displayed. Microsoft has changed the way that the Console Extensions are allowed to be displayed within the ConfigMgr Console and if in the Administration -> Site Configuration -> Sites -> Hierarchy Settings from the ribbon. and under the General tab:

"Only allow console extensions that are approved for the hierarchy" is selected it will prevent the 1E right-click actions and the Instruction Runner from becoming available.

Ensure the "Only allow console extensions that are approved for the hierarchy" is not selected in the Hierarchy Settings Properties.

Please contact 1E Support for additional help where the 1E right-click extensions only appear for the Devices and not Device collections.

Configuration Manager console shows duplicate right-click options for 1E.

1E shows multiple times in a collection property when the collection belongs to nested folders in the Configuration Manager console.

Restart the Configuration Manager console.