
1E 9.x (on-premises)

Known issues

Lists of the current known issues with implementing, configuring, using, and extending 1E.

If you cannot find an issue and its workaround on this page, please try searching the 1E Support Portal https://support.1e.com/ for issues that have hotfixes.

If you need further help, please refer to the Troubleshooting page for how to contact 1E Support and the technical support process.

Installation
Installing 1E Client on Windows

Issue

Description

Workaround

1E Client installed on Windows 11 device reports Operating System value as "Windows 10 21H2"

1E Client installed on Windows 11 device reports Operating System value as "Windows 10 21H2".

None

1E Client UI runs even when 1E module is not enabled (e.g. Content Distribution only install)

Installing the 1E Client without enabling the 1E Module (only Content Distribution or Shopping module is enabled) enables and displays the survey notifications in 1E Client notification icon.

To suppress this, set Module.Interaction.Enabled=false in the 1E Client configuration file, or use the corresponding MSI property (i.e. MODULE.INTERACTION.ENABLED=false).

TemporaryDirectory config does not work properly with non-ASCII characters in the path and the following is seen in 1E.Client.logs:

ERROR - Temporary directory: Cannot create file in overriding path 'c:\t€mp\acme€'; using default location

The error is seen if the TEMPORARYDIRECTORY MSI property for the 1E Client contains a non-ASCII value such as "c:\t€mp\acme€" and the directory exists.

The same applies if this is added directly to 1E.Client.conf.

Please provide a path that only uses ASCII values.

Manual uninstall of 1E Client using Programs and Features displays the dialog "The setup must update files or services that cannot be updated while the system is running. If you choose to continue, a reboot will be required to complete the setup."

Running the 1E Client MSI manually with Remove option displays the following: "The setup was unable to automatically close all requested applications. Please ensure that the applications holding the files in use are closed before continuing with the installation."

These messages appear as the services that are about to be removed are running, but the 1E Client handles the shutdown so this message can be ignored.

Silent uninstall does not present this issue.

None

1E Client installer adds the Content Distribution registry settings even when the Content Distribution module is NOT enabled during installation. If someone deletes those registry settings and enables the module later, it will not function correctly.

1E Client installer creates the majority of the Content Distribution registry values because the service does not create them all and Content Distribution does not tolerate the absence of all the settings that the service does not create. If these settings are deleted and the module is enabled later, then it is unable to function correctly.

In such a scenario, 1E Client will need to be reinstalled with a new set of properties / transform that enables the module with the appropriate configuration.

When upgrading an existing 1E Client, none of the manually added configuration file properties in the *.conf file have been retained.

1E Client does not retain any configuration file property values that have been added as the upgrade process currently only checks the default values that exist in the old Tachyon.Agent.conf or new 1E.Client.conf.

This includes the Module.Inventory.ProcessUsage.Enabled=false values that were included in Tachyon Agent v4.0. After an upgrade, this configuration file property will no longer appear and 1E Client uses the default (true).

The additional configuration file property values need to be added to the 1E.Client.conf file if they are required.

Please refer to 1E client settings for the list of available configuration options.
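One way to find the properties that need re-adding after an upgrade is to compare a copy of the configuration file taken before the upgrade with the new 1E.Client.conf. The script below is an added example, not 1E code; the sample file contents are constructed, and treating blank lines and lines starting with '#' as non-settings is an assumption about the file format.

```powershell
# Added example, not 1E code. Compares a pre-upgrade configuration backup with
# the post-upgrade 1E.Client.conf and lists properties the upgrade did not keep.

function ConvertFrom-ClientConf {
    param([string[]]$Lines)
    $settings = [ordered]@{}                 # case-insensitive, keeps file order
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # Assumption: blank lines and lines starting with '#' hold no setting.
        if ($text -eq '' -or $text.StartsWith('#')) { continue }
        $name, $value = $text -split '=', 2
        if ($null -eq $value) { continue }   # not a Name=Value line
        $settings[$name.Trim()] = $value.Trim()
    }
    $settings
}

function Compare-ClientConf {
    param($Before, $After)
    foreach ($name in $Before.Keys) {
        if (-not $After.Contains($name)) {
            [pscustomobject]@{ Property = $name; Before = $Before[$name]
                               After = '(absent)'; Status = 'Dropped' }
        } elseif ($After[$name] -ne $Before[$name]) {
            [pscustomobject]@{ Property = $name; Before = $Before[$name]
                               After = $After[$name]; Status = 'Changed' }
        }
    }
}

# Constructed sample: configuration saved before the upgrade.
$beforeLines = @'
# constructed pre-upgrade Tachyon.Agent.conf
Module.Interaction.Enabled=false
Module.Inventory.ProcessUsage.Enabled=false
TemporaryDirectory=c:\temp\acme
'@ -split "`r?`n"

# Constructed sample: 1E.Client.conf after the upgrade.
$afterLines = @'
# constructed post-upgrade 1E.Client.conf
Module.Interaction.Enabled=false
'@ -split "`r?`n"

# With real files, replace the samples with Get-Content on your own backup
# copy and on the installed 1E.Client.conf (paths depend on your installation).
$before = ConvertFrom-ClientConf $beforeLines
$after  = ConvertFrom-ClientConf $afterLines

Compare-ClientConf -Before $before -After $after | Format-Table -AutoSize
```

With the constructed samples, the report lists Module.Inventory.ProcessUsage.Enabled and TemporaryDirectory as Dropped; those are the values to add back to 1E.Client.conf if they are still required.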

When upgrading an existing 1E Client that has been installed to a non-default installation directory, the installation folder reverts to the default path.

If the previous 1E Agent was installed anywhere other than the default location "%ProgramFiles%\1E\Tachyon\Agent", then the Installation folder in the wizard will revert to the new default path "%ProgramFiles%\1E\Client".

The same applies to silent upgrades where the 1E Agent was installed to another path: the installation folder will revert to the default unless the required directory is specified using INSTALLDIR.

Please upgrade by specifying the required Installation folder in the wizard or using the installer property: INSTALLDIR

Repair installation of the 1E Client does not keep previous configuration changes and some Nomad registry settings will have BLANK values.

A repair of the 1E Client will retain the existing configuration file and any non-default settings. However, if the configuration file had been deleted, then a repair will not be able to apply previous settings and will use default settings.

Also, a repair will set any properties passed in the command line, but will leave some Content Distribution properties like KnownMobileDevices and LocalCachePath as blank.

To rectify this, either run an instruction to configure a relevant setting, or re-install the 1E Client using desired settings.

Use a 1E Client configuration instruction in Endpoint Troubleshooting for centralized post-installation configuration. Please contact 1E if you require the Product Pack that has this instruction.

Potential blue screen of death (BSOD) with Windows 7 SP1 and Tachyon inventory capture.

If 1E inventory is enabled on Windows 7 SP1 (without updates) there is the potential for BSOD issues on systems using out-of-date Windows drivers.

Microsoft investigated the issue and confirmed the usbccgp.sys driver has a potential issue where it can fail to complete a power IRP in a timely manner.

Microsoft recommends the following fix:

1. Update the usbccgp.sys driver as follows:

    • Update the usbccgp.sys driver by installing update KB3125574.

Prerequisites: To apply this update, you must first install:

    • Service Pack 1 for Windows 7 or Windows Server 2008 R2: KB976932

    • April 2015 servicing stack update for Windows 7 and Windows Server 2008 R2: KB3020369

2. Update tdx.sys to 6.1.7600.21050 to address TDI driver response issues as per: KB2028827

1E features of the 1E Client cannot read the private key for a Trusted Platform Module (TPM) protected certificate.

1E platform client uses Windows certificate store but is currently unable to access the private key of a client certificate that is protected using Windows Trusted Platform Module (TPM).

This issue was seen when a customer used Microsoft Intune for client certificate deployment and the Simple Certificate Enrollment Protocol (SCEP) certificate profile included 'Enroll to Trusted Platform Module (TPM) KSP'.

The 1E Client was unable to extract a handle to the private key in the Windows Certificate Store; 'NCryptExportKey failed with 0x8009000a' (NTE_BAD_TYPE) was reported as an error in the 1E Client log.

Use a client certificate that is not protected using Windows Trusted Platform Module (TPM).

Examples of Microsoft cryptography providers that do not use TPM are:

  • Microsoft Enhanced (RSA and) AES Cryptographic Provider

  • Microsoft RSA/SChannel Cryptographic Provider

  • Microsoft Enhanced Cryptographic Provider

  • Microsoft Software Key Storage Provider (CNG).

Also, Microsoft Software Key Storage Provider is the only CNG provider supported by this version of the client.
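To see which provider holds the private key of each candidate client certificate, the provider name can be read from the certificate store. The script below is an added example, not 1E code; it assumes the client certificate is in the local machine Personal store (Cert:\LocalMachine\My), that it has an RSA key, and that the script runs elevated.

```powershell
# Added example, not 1E code. Lists client-authentication certificates in
# Cert:\LocalMachine\My (assumed location) and flags keys held by the TPM.

$TpmKsp     = 'Microsoft Platform Crypto Provider'   # Windows TPM-backed key storage provider
$ClientAuth = '1.3.6.1.5.5.7.3.2'                    # Client Authentication EKU OID

function Test-ClientAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $true }   # no EKU extension: valid for any purpose
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuth })
}

function Get-KeyProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    } catch {
        return "unreadable: $($_.Exception.Message)"
    }
    if ($null -eq $key) { return 'no RSA private key' }
    try {
        if ($key -is [System.Security.Cryptography.RSACng]) {
            return $key.Key.Provider.Provider            # CNG key storage provider name
        }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $key.CspKeyContainerInfo.ProviderName # legacy CryptoAPI provider name
        }
        return $key.GetType().FullName
    } finally {
        $key.Dispose()
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-ClientAuthCertificate $_) } |
    ForEach-Object {
        $provider = Get-KeyProviderName $_
        [pscustomobject]@{
            Subject      = $_.Subject
            Thumbprint   = $_.Thumbprint
            NotAfter     = $_.NotAfter
            KeyProvider  = $provider
            TpmProtected = ($provider -eq $TpmKsp)
        }
    } | Format-Table -AutoSize
```

A row with TpmProtected set to True is a certificate this client version cannot use; compare the KeyProvider value of the other rows with the provider list above.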

Installing 1E Client on non-Windows

Issue

Description

Workaround

Microsoft Intune cannot be used to deploy the 1E Client package for macOS.

By design, Microsoft Intune can only be used to deploy macOS packages to the /Applications folder. However, the 1E Client must be installed to /Library/Application Support since that is a secure location, writable only by root. Also, the associated launch property list file must be installed under /Library/LaunchDaemons.

Use an alternative deployment method for the 1E Client macOS package.

The 1E Client on macOS may not be able to validate the switch certificate if there is a cacert.pem in the .sslcerts folder that does not contain the relevant list of CA public keys. The following is logged:

ERROR - Either the Switch certificate or the client certificate is not trusted, use the 1E Client debug log setting to obtain certificate details.

If the 1E Client for macOS finds a valid cacert.pem in the hidden directory: /Library/Application Support/1E/Client/.sslcerts, then the Keychain Access is not checked.

This cacert.pem is then used to validate the trust chains for the client certificate the client will submit and also the Switch certificate received. The client will be unable to connect to the Switch if it does not contain the relevant list of CA public keys to do the validation.

Ensure the cacert.pem contains all the public keys for all the intermediate CAs, up to and including the Root CA required. Alternatively, remove the cacert.pem if the 1E Client for macOS is to use the certificates from the Keychain Access.

Installing TIMS on Windows

Issue

Description

Workaround

When upgrading an existing TIMS that has been installed to a non-default installation directory, the installation folder reverts to the default path.

If the previous TIMS was installed anywhere other than the default location "%ProgramFiles%\1E\Tachyon\TIMS", then the Installation folder in the wizard will revert to the default path.

The same applies to silent upgrades where TIMS was installed to another path: the installation folder will revert to the default unless the required directory is specified using TARGETDIR.

Please upgrade by specifying the required Installation folder in the wizard or using the installer property: TARGETDIR

e.g. msiexec /i TIMS-x64.msi /qn TARGETDIR="c:\TIMS"

Installing 1E Toolkit

Issue

Description

Workaround

Interactive upgrade of 1E Toolkit does not detect previous settings.

1E Toolkit installer does not detect the previous 1E Server settings or the installation folder if it was installed to an alternate directory. This will default back to 'C:\Program Files (x86)\1E\Tachyon\Toolkit'.

These will need to be specified again during the upgrade.

Installing 1E Server

Issue

Description

Workaround

The 1E Coordinator may indicate that it is not correctly signed, and licensing will state that the license is invalid.

The 1E Coordinator service will not start and the Tachyon.Coordinator log will indicate something similar to the following, despite being correctly signed (verify with Get-AuthenticodeSignature):

..

ERROR LicensingCallback - License.dll callback: Error: certificate signature failure (depth=1)

ERROR LicensingCallback - License.dll callback: SignerCert check failed(3)

...

The version of OpenSSL in the License.dll (1.0.2) contains a bug that causes incompatibility on Intel 10th generation and onwards processor microcode.

Set the following system variable and reboot the machine:

OPENSSL_ia32cap=:~0x20000000

1E Platform installed on Windows Server 2022 fails to upload product packs having attached resources successfully.

When product packs are uploaded, either through the 1E product pack deployment tool or the Settings > Instructions > Instruction sets option, product packs with attached resources fail to upload through the Background Channel.

Windows Server 2022 has TLS v1.3 over TCP enabled by default, which causes SSL renegotiation failure.

Please follow the steps below:

  • Launch IIS Manager

  • Navigate to 1E website

  • Click on Bindings

  • Edit Tachyon Server binding

  • Check "Disable TLS 1.3 over TCP" settings (this is enabled/unchecked by default)

  • Execute an iisreset command.

After an upgrade from either v5.1 or v5.2, the user or group may now be assigned to what appears to be duplicate Roles allocated to multiple Management Groups including the All Devices.

Previously, in v5.1 and v5.2, the old schema allowed one permission to be linked to any Management Groups through a many-to-many link table. In the new schema, permissions are no longer linked to Management Groups. Instead, all the permissions of a Role are now associated to one Management Group. It is no longer possible to have a Role containing some permissions to All Devices and specific Instruction Set permissions to other Management Groups.

In this instance after an upgrade, the User or Group will now have the previously assigned Role associated to All Devices and also to each Management Group (where it had an Instruction Sets permission granted to a Management Group).

Please review the Role permissions where it may previously have contained a mixture of permissions (Localized Permissions and Global Permissions) for All Devices and also included any Instruction Set permissions associated with different Management Groups.

After an upgrade from v5.2 the TachyonInstall.log displays "Windows Installer requires a system restart" and there may be a prompt to restart the server.

In some instances, it may not be possible to stop a service during an upgrade so there may be instances where you are prompted to restart the server in order to complete the installation.

Restart the Server.

The default installation account is not set as a System Principal account and can be modified or accidentally deleted.

During the Post-installation checks process in Tachyon.Setup, the Product Pack Deployment Tool (PPDT) can be launched by clicking the Deploy link. When launched via Tachyon.Setup, the installation account used to run it is temporarily granted the required permissions to upload Product Packs.

The first installation account is usually set as a System Principal account which cannot be changed, but whilst the PPDT is running, the installation account is modified so it is not a System Principal. This means that during this period the account could be modified by another 1E administrator.

Ensure the PPDT is always closed after the product packs have been successfully deployed in order to ensure the default installation account is locked down again and set as a System Principal account to avoid any accidental modifications to it.

After an upgrade the Post-installation check for "1E Tachyon Switch Host service is running" fails and the Switch log displays: ERROR - Denied by security level | Level: 5, Action: 'AllowTestCerts', Event: 'DeniedBySecurityLevel',

If, prior to upgrade, the Switch was configured to use any of the options requiring a lower Security Level (e.g. -allowtestcerts or anything that requires SecurityLevel=4), then on upgrade the Setup overwrites this back to the default SecurityLevel=5 and the post-installation check for the Switch fails as the Switch service is unable to start.

The Switch SecurityLevel needs to be manually set back to "4" and the Switch Host service started.

Tachyon Setup.exe does not auto-select the Switch IP address during DMZ configuration.

The Tachyon Setup.exe does not auto-select the Switch IP address when DMZ Configuration is upgraded from v5.1 to v5.2 or v8.0, due to unavailable connectivity to Database server.

Ensure the Switch IP address is selected during DMZ configuration upgrade.

Content Distribution events are not deployed and policy document created under /ProgramData/1E/Tachyon/PolicyDocuments has no reference to Content Distribution.

The following error can be seen in the ContentDistributionInstall.log:

Failed to get management group id for all devices: Tachyon.SDK.Consumer.Exceptions.TachyonSdkException`1[Tachyon.SDK.Consumer.Models.Common.ManagementGroup]: Cannot retrieve licensing information.

Failed to handle Event subscriptions and assignments for Content Distribution consumer. Please check logs for more details.

1E Server Setup runs a post installation action to automatically deploy all event subscriptions, but this requires the Coordinator service to be running.

Where 1E Server is installed on a server that is offline, the Coordinator service is unable to contact the license server to activate the license, so the Coordinator service stops.

Enable 1E Server to connect to the internet and restart the Coordinator service in order to allow it to activate your license. Log into the 1E portal with a user that has Consumer Administrator permissions and click Deploy on the Settings > Consumers page.

If during upgrade from previous 1E Server to latest, the installation directory is changed to a non-default INSTALLDIR (i.e. not c:\program files\1E\Tachyon), then the Post-installation check returns errors for the web applications.

1E Server Setup utility copies all the files correctly to the new installation directory during upgrade, but the MSI installer is unable to handle the creation of the sites to the new directories under IIS Manager.

When the 1E web site is clicked within IIS Manager, the following error may be displayed: "The system cannot find the file specified".

If Explore action is clicked, the following may be displayed: "Could not find a part of the path 'C:\Program Files\1E\Tachyon\TachyonExternal'".

This issue can be resolved by editing the Basic settings for the 1E website and pointing the Physical path to the new installation directory.

e.g. if the new INSTALLDIR is "E:\1E\Tachyon", then set this as the Physical path.

Once the 1E Server Setup utility has been run to upgrade existing versions of 1E components, an attempt to uninstall an older version of Business Intelligence v2.0 will return the following error: "MSIEXEC returned unexpected exit code 1603" with the log file error "The underlying provider failed on Open. Login failed for user ''."

Business Intelligence (BI) is dependent on the SLA configuration. During an upgrade of the previous version of SLA v3.3, the custom actions are changed and are no longer available or no longer work for an older version of BI, therefore causing the uninstall to fail.

This would not be an issue if the BI component is selected together with SLA when using Setup to upgrade 1E.

Follow the process in Upgrading 1E Platform.

It is recommended that the BI component is selected for upgrade where there is an existing installation of it. Otherwise, please uninstall BI v2.0 prior to upgrading 1E. BI can still be upgraded to the latest version afterwards, manually via the MSI installer, to function correctly with the latest SLA. If you are affected by this, please contact 1E Support for additional help.

After installing Master and Response stack, the Coordinator keeps logging: ERROR PostInstructionToCores - Posting Question with ID 11 to Core API 1 failed 'NotFound' and instructions cannot be uploaded.

When using the Setup utility to install a 1E Master Stack, the installer incorrectly adds a (local) CoreApiConfiguration which is not required and causes the error logging in the Coordinator and an additional BackgroundChannelApiConfiguration value for the 1E Master Stack server that prevents upload of instructions. Both of these will need to be removed.

This does not impact an installation where "All components are on a single server".

If you are affected by this, please contact 1E Support.

"Unable to fetch list of connectors" is displayed when attempting to connect to the 1E web pages.

Sometimes after install via the 1E Server Setup the Admin application under the Tachyon website will have anonymous authentication set to true. This breaks communication between the API and SLA. The Tachyon.AdminApi.log will display an error including the message:

An anonymous identity cannot perform an impersonation (Mike Yarwood Show June 1971)

To fix this, ensure that, for the Admin application, Windows authentication is set to Enabled and anonymous authentication is set to Disabled.

1E Server Setup utility validation fails or Installation cannot start with Error "No such host is known".

When the 1E Server Setup utility is used, the HTTP Host Header in the Website Configuration Screen is populated with the server's Host Name. If the Host Name is greater than 15 characters, the 1E Installer only picks up the first 15 characters and truncates the rest.

The 1E Server Setup utility will issue a warning during the pre-requisite check if the Hostname is longer than 12 characters.

None

Customised email headers for the Authentication emails are no longer retained after an upgrade of 1E Server.

Previously 2 separate email headers could be customized. However, after an upgrade of 1E Server, the customised headers for the Authentication emails are no longer retained. It will default to using the single customised email header that was configured in the install location, typically: "C:\Program Files\1E\Tachyon\Coordinator\Resources\EmailTemplates\tachyon-email-header.jpg"

None

1E services stop if host time and 1E license server times are out by 6 minutes or more and the following warning is displayed in the Coordinator logs: WARN LicensingCallback - License.dll callback: No Activation signature.

If the 1E server time is allowed to drift, the Coordinator service will be unable to activate the license and the service is terminated.

Coordinator logs: DEBUG LicensingCallback - License.dll callback: ERROR: DateTime out of Sync

Use NTP servers or Windows Time service to ensure the server is always synchronized.

If 1E Server is installed where TachyonMaster and TachyonResponses databases are hosted on different SQL Servers or separate SQL named instances the following error may be seen in logs: ERROR Tachyon.Server.Api.Consumer.Attributes.ConsumerAttribute - Platform error

System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'ACME\ACME-TCN01$'

The Consumer will log "Login failed for user" if the TachyonMaster and TachyonResponses databases are installed on different SQL instances.

This is happening due to a bug in N1E.MSI.Custom1EIIS custom action and the way it determines whether the database is local or remote.

On a single server installation, the TachyonMaster and TachyonResponses databases should be installed on a single SQL instance.

Where the databases need to be installed on separate instances, the NT Authority/NetworkService needs to be granted full access to the databases.

When clicking the Edit button on the Security tab of the 1E Licensing folder property, a Windows Security dialog may be displayed: "The permissions on Licensing are incorrectly ordered, which may cause some entries to be ineffective."

On some environments on which the 1E Server is installed, the licensing folder permissions are incorrectly ordered.

View Properties of folder "C:\ProgramData\1e\Licensing". Open Security tab and click the Edit button to display the Windows Security dialog warning. Click OK to confirm. To resolve the issue, click Reorder on the subsequent Windows Security dialog which will be displayed:

The permissions on Licensing are incorrectly ordered, which may cause some entries to be ineffective.

- To order the permissions correctly, click Reorder.

- To leave the permissions unchanged (the view will be read-only), click Cancel.

1E Consumer is unable to communicate with Coordinator as certificates cannot be applied on a non-English Server during installation.

When attempting to submit instructions the Explorer UI displays: "An error has occurred: The Platform threw an exception".

1E Server installer fails to assign the correct certificate during installation on a non-English Server as the Certificate field names have been translated and do not match.

Tachyon.ConsumerAPI.log may display errors related to:

Tachyon.Server.Common.ServiceErrors.Exceptions.PlatformException: Exception of type 'Tachyon.Server.Common.ServiceErrors.Exceptions.PlatformException' was thrown. at Tachyon.Server.OperationalSafeGuards.OperationalSafeGuardsManager.GetFlatLicense()

This version of 1E requires the server to be US-English.

If you are affected by this, please contact 1E Support.

Any other products installed on 1E Server that use http://localhost:8080 may return HTTP Error 503-Service is unavailable.

Previously 1E Server used port 8080 as its default value for communications between Consumer and Workflow service. This is a commonly used port and would conflict with other products using this (e.g. 1E SLA website pre-v4.0).

The 1E Server can be installed using an alternative value for WORKFLOWWEBPORT on the msiexec command line. For example:

msiexec /i TachyonServer.msi WORKFLOWWEBPORT=8081

Note: If custom workflow ports are used, they will not be removed on uninstall.

Install 1E Server on a dedicated domain-joined (member) server.

It's recommended that the 1E Server is installed using 1E Server Setup (Tachyon.Setup.exe) which selects port 8081 by default.

If you need to co-host the 1E Server with another web application, for example in a lab, use a different port with the installer property WORKFLOWWEBPORT.

Check if the duplicate 8080 port exists after install using:

netsh http show urlacl

Manually delete the default 8080 port binding after install using:

netsh http delete urlacl url=http://+:8080/

Other web applications stop working after installation of 1E Server.

1E Server installation will reconfigure existing HTTP and HTTPS bindings.

Install 1E Server on a dedicated domain-joined (member) server.

See Windows Server requirements.

Installing 1E Server on a Domain Controller may fail with Error 27506 executing SQL script AddRoleMembers.sql

Installing 1E Server on a DC is not supported.

The failure occurs in the AddRoleMember.sql. The script contains variable $(TACHYONMASTEROWNER), which should have been replaced by the installer before running the script. However, the installer sets it to DOMAIN\None when run on a DC.

If the installation completes, several post-install configurations of credentials are still required.

Install 1E Server on a dedicated domain-joined (member) server.

See Windows Server requirements.

Database exception is seen related to database being offline whilst 1E Server is being installed.

Occasionally 1E Server installation fails with the following database error:

An error has occurred while modifying the database: A database script has failed with the error, Could not find database ID 11, name "11". The database may be offline. Wait a few minutes and then try again,*(code -2146232060). See the log for more details.

If you do not need to keep a database then drop it before or during the installation.

If you want to keep a database, then ensure it has no active connections.

Follow the process in Upgrading 1E Platform, which includes a SQL command to report active connections.

Database exception related to 'TachyonMaster' is already open while installing the 1E Server.

If the TachyonMaster database has active connections and 1E Server installation was attempted, the following exception may be displayed:

An error occurred while modifying the database: A database script has failed with error "Database 'TachyonMaster' is already open and can only have one user at a time." (code -2146232060). See the log for more details.

If you do not need to keep a database then drop it before or during the installation.

If you want to keep a database, then ensure it has no active connections.

Follow the process in Upgrading 1E Platform, which includes a SQL command to report active connections.

1E Server upgrade fails consistently with the message "An error occurred while modifying the database: Unable to proceed with the upgrade as the database is an inconsistent state".

If performing a 1E upgrade where the TachyonMaster or TachyonResponses database is on a remote SQL instance then installation will fail if there are any open sessions to a database.

To prevent this happening, ensure there are no active connections to the databases before starting an upgrade.

Follow the process in Upgrading 1E Platform, which includes a SQL command to report active connections.

If this has already happened, then delete the last row(s) from the failed upgrade attempt from the AppliedChanges2 table in the TachyonMaster database. Then ensure there are no active connections.

After 1E Server is upgraded the Responses page shows instructions that have failed.

Instructions in progress during an upgrade of 1E Server may fail and some may progress successfully depending on their state prior to the upgrade.

Follow the process in Upgrading 1E Platform.

Please ensure there are no in-flight instructions running prior to performing the 1E Server upgrade.

After a server upgrade or re-installation in which the 1E Master database was dropped and recreated, any existing clients ignore the first instruction.

If the 1E Master database is dropped, the system does not have a record of the last instruction sent and will start from scratch. 1E clients recover from this situation and start the new sequence, however the first instruction will always be lost and no responses will be received.

Re-submit the first instruction.

After upgrading a 1E Server using a different LOGPATH property to the original installation, the new Switch log file does not exist where expected, but remains in the original location.

LOGPATH can be specified as an msiexec command-line property in order to specify a non-default location for 1E Server logfiles. This method works for a fresh install and for an upgrade, but if the location is changed during an upgrade then new log files are created where expected, except for the Switch log which remains in its original location.

This occurs because the Switch log path is defined in the Switch configuration table in the 1E Master database, which is deliberately not modified during an upgrade. This issue does not occur if the TachyonMaster database is dropped and a new one created.

1E Server Setup does not provide the ability to configure a non-standard LOGPATH.

If you have changed the log path during an upgrade, then you need to edit the SwitchConfiguration table in the TachyonMaster database to change the log path for the relevant Switch(es), then restart the relevant Switch Host service.

Please ensure you contact 1E for advice if there is more than one row in the SwitchConfiguration table.

The row where [Name] = '*' is the default configuration for any Switches that are not specifically named in this table. Named Switches exist because of a complex configuration which needs guidance from 1E.

Error 401 Unauthorized is displayed when attempting to connect to the Endpoint Troubleshooting for the first time after a new installation of a 1E Server.

Alternatively, the 1E portal displays an "An error occurred!" page in the Edge browser.

This may be due to a number of reasons.

  1. If the website prompts you to provide an account and password, then you may be using invalid credentials or an account in a domain that is not trusted by the Tachyon Server.

  2. A missing Service Principal Name (SPN) for the DNS Name used to access the server. See 401 Not Authorized.

  3. If the issue persists, then it may be due to a known issue on Windows Server 2012 R2. Also applies to Windows 10. More information here: https://social.technet.microsoft.com/Forums/systemcenter/en-US/22120c03-e6c6-473b-bc73-ab2dfc65f7d6/knowledge-article-error-401-unauthorized.

Do not do the following unless you are experiencing the issue, and have tried other remedies.

  1. On the 1E Server, start Registry Editor (Regedit).

  2. Locate the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa

    1. Right-click Lsa, select New, and DWORD (32-bit) Value.

    2. Rename the new value Name to DisableLoopbackCheck, and press ENTER.

    3. Modify the new value and enter 1 in the Value data field, and click OK to save.

  3. Locate the following registry key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters

    1. Right-click Parameters, select New, and DWORD (32-bit) Value.

    2. Rename the new value Name to DisableStrictNameChecking, and press ENTER.

    3. Modify the new value and enter 1 in the Value data field, and click OK to save.

  4. Quit Registry Editor.

  5. For Edge, please run the following command:

    CheckNetIsolation LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe

  6. Restart your computer.
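The steps above as a script, so the current state can be recorded before the change and the change can be reverted later. This is an added example, not 1E tooling: the function names and the -Revert switch are hypothetical, and only the two registry values and the CheckNetIsolation command come from the steps above.

```powershell
#Requires -RunAsAdministrator
# Added example (not 1E tooling). Function names and -Revert are hypothetical.
# DisableLoopbackCheck=1 switches off the Windows loopback check for the whole
# machine, so record the "before" state and revert once the workaround is not needed.

$Targets = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'DisableLoopbackCheck' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'DisableStrictNameChecking' }
)

function Get-LoopbackWorkaroundState {
    # Report each value as it is now; $null means the value is absent.
    foreach ($t in $Targets) {
        $item = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key   = $t.Path
            Name  = $t.Name
            Value = if ($item) { $item.($t.Name) } else { $null }
        }
    }
}

function Set-LoopbackWorkaround {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([switch]$Revert)

    foreach ($t in $Targets) {
        $target = '{0}\{1}' -f $t.Path, $t.Name
        if ($Revert) {
            if ($PSCmdlet.ShouldProcess($target, 'Remove value')) {
                Remove-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
            }
        }
        elseif ($PSCmdlet.ShouldProcess($target, 'Set DWORD to 1')) {
            # -Force overwrites an existing value of the same name.
            New-ItemProperty -Path $t.Path -Name $t.Name -PropertyType DWord -Value 1 -Force |
                Out-Null
        }
    }

    # Step 5: loopback exemption for Edge (-a adds it, -d deletes it).
    $edge = 'Microsoft.MicrosoftEdge_8wekyb3d8bbwe'
    $flag = if ($Revert) { '-d' } else { '-a' }
    if ($PSCmdlet.ShouldProcess($edge, "CheckNetIsolation LoopbackExempt $flag")) {
        & CheckNetIsolation.exe LoopbackExempt $flag "-n=$edge" | Out-Null
    }

    Write-Warning 'Restart the computer for the change to take effect.'
}

# Record the current state first; apply with Set-LoopbackWorkaround,
# undo with Set-LoopbackWorkaround -Revert.
Get-LoopbackWorkaroundState | Format-Table -AutoSize
```

Both functions prompt for confirmation because of ConfirmImpact = 'High'; add -WhatIf to see what would change without changing it.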

Email and two-factor authentication

Issue

Description

Workaround

Users do not receive email communications related to Actions that have been initiated or emails related to Two-Factor-Authentication.

User A - Logged in to Configuration Manager Console

User B - Logged in to Endpoint Troubleshooting

When User A initiated an action through CM Console right click extension, the action was getting initiated as User B and the required authentication code was being sent to User B instead of User A.

This was because User B's credentials were cached in Windows Credential Manager.

Clear the cached credentials from Control Panel → Credential Manager.

Users do not receive emails about approvals or response expiry.

Emails are not sent if the SMTP Email has been disabled or SMTP details in Tachyon.Coordinator.exe.config are incorrect or missing.

Correct the SMTP configuration. See Changing the SMTP Host configuration.

Any instruction that requires approval can still be done using the Endpoint Troubleshooting Pending Approval Notifications page.

Users do not receive emails about two-factor authentication codes.

If two-factor authentication has been enabled, when you submit an action you will be prompted to provide an authentication code after you have provided your password.

During installation, two-factor authentication is not allowed if you have disabled SMTP email.

Emails are not sent if SMTP Email has been disabled or SMTP details in Tachyon.Coordinator.exe.config are incorrect or missing.

Enabling or disabling Two-factor Authentication

Changing the SMTP Host configuration

Configuring 1E
1E client connections

Issue

Description

Workaround

1E.Client fails to connect to the Switch with the following error: ERROR - Failed to connect to tachyon.acme.local: invalid padding (138)

During the establishment of an HTTPS connection between the client and the Switch, the client receives and verifies the Switch certificate. This is received from the Switch as an X.509 certificate chain, from which the 1E Client will extract the Switch's public key and verify the certificate chain. On a successful SSL handshake where the CRL is checked, it will report both the serial number of each certificate as it walks the chain and the Authority Key Id (AKID) of the CA that issued that certificate. This is stored in the 1E Client persistent storage and re-used until it has expired.

If the 1E Client connects to another Switch where the certificate chain is different (e.g. CA certs have been re-issued), the 1E Client may log the following warning, since the Authority Key Id (AKID) saved in the persistent storage from the previous CA no longer matches:

WARN - X509: error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed

WARN - X509: error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib

WARN - X509: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Delete the cached certificate entries in the 1E Client persistent storage (default location is C:\ProgramData\1E\Client\Persist) and restart the 1E Client.

Non-Windows clients may disconnect due to the keep-alive period being too high.

Clients on non-Windows platforms may disconnect if the keep-alive period is too high.

Non-Windows clients need to have a maximum keep-alive time of 4 minutes (240s).

The keep-alive time needs to be updated in the 1E.Client.conf file: ConnectionKeepaliveTimeInSecondsMin should be set to 120 (default) and ConnectionKeepaliveTimeInSecondsMax should be set to 240 (default is 600).

These settings can be set during installation or changed post-install.

A client does not start and the 1E Client log shows: ERROR - Certificate Verification failed : CRL path validation error. This occurs even when CRLChecks=soft.

The client will not connect if it is unable to create a trust chain, despite having the correct root CA certificates. This is due to the local computer certificate store containing "CrossCA" certificates.

Please ensure the client certificate store does not contain any "CrossCA" certificates in the local Trusted Root or Intermediate CA stores.

The client is unable to start on the Root CA.

A client attempting to run on a Root CA server will log the following error:

WinTrustVerify returns 0x800b010a (CERT_E_CHAINING) “A certificate chain could not be built to a trusted root authority”

A Root CA sits at the top of the public key infrastructure (PKI); there are no higher authorities, so it effectively self-signs its certificates, which 1E is specifically prevented from using.

It is not good security practice to have a Root CA online, so do not install the client.

You could configure your 1E system to not use client certificates.

Resetting Hyper-V Agents can cause the Switch to become unresponsive and log erroneously.

Powering off or resetting a guest Hyper-V virtual machine without shutting it down can cause the Switch to refuse connections from the client when it restarts, and the Switch starts spurious logging.

To rectify this issue, restart both the Switch and the 1E Client service.

The client fails to start and the 1E Client log shows errors relating to Certificate Revocation List (CRL).

See 1E client settings.

An error is logged if CRLChecks=hard and the client is unable to locate a valid HTTP-based CRL Distribution Point for a certificate.

An error is logged if CRLChecks=soft and the client is able to get a CRL from the CRL DP, but the CRL indicates revocation of the device certificate or a certificate in its trust path.

The client requires a valid SSL certificate presented by each server it connects to. This includes any Switch, Background Channel or other HTTPS server from which the client downloads content. The client does not connect to a server if it knows a certificate is invalid.

CRLs are obtained by contacting the CRL Distribution Point(s) whose URL is embedded within the certificates. At present, the client supports only HTTP-based CRL Distribution Points. It ignores any non-HTTP CRL DPs that may be included in a certificate, such as file or LDAP, and does not support OCSP.

If the machine is not able to contact an HTTP-based CRL Distribution Point, please ensure CRLChecks=soft within the 1E.Client.conf file. This will prevent the client from failing in the event of being unable to locate a CRL Distribution Point.
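One way to check, before choosing between CRLChecks=hard and CRLChecks=soft, whether every certificate in a chain offers an HTTP-based CRL Distribution Point. This is an added example, not 1E tooling: Get-CrlDistributionPoint is a hypothetical helper, it relies on the Windows text rendering of the extension (lines of the form URL=...), and it assumes that only http:// URLs count as HTTP-based.

```powershell
# Added example (not 1E tooling). Get-CrlDistributionPoint is a hypothetical name.
# Lists the CRL Distribution Point URLs of every certificate in a chain and flags
# certificates that carry no http:// CRL DP.
function Get-CrlDistributionPoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Build the chain from the local stores without contacting any revocation endpoint.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Certificate)

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate

        # A self-signed root is its own issuer and normally carries no CRL DP.
        $isRoot = $cert.Subject -eq $cert.Issuer

        # 2.5.29.31 is the cRLDistributionPoints extension.
        $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $urls = @()
        if ($cdp) {
            # Format($true) renders the extension as multi-line text on Windows;
            # each distribution point appears as "URL=<uri>".
            $urls = @([regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
                      ForEach-Object { $_.Groups[1].Value } |
                      Select-Object -Unique)
        }

        # Assumption: only plain http:// URLs are treated as HTTP-based.
        $http  = @($urls | Where-Object { $_ -match '^http://' })
        $other = @($urls | Where-Object { $_ -notmatch '^http://' })

        [pscustomobject]@{
            Subject      = $cert.Subject
            SerialNumber = $cert.SerialNumber
            IsRoot       = $isRoot
            HttpCrlDp    = $http
            OtherCrlDp   = $other          # ldap://, file:// and similar are ignored by the client
            UsableCrlDp  = $isRoot -or ($http.Count -gt 0)
        }
    }
}

# Usage: inspect every certificate in the local computer's Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-CrlDistributionPoint -Certificate $_ } |
    Format-Table Subject, IsRoot, UsableCrlDp, HttpCrlDp -AutoSize
```

A non-root certificate with UsableCrlDp = False is one for which the client cannot obtain a CRL, which is the case the CRLChecks=hard error above describes.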

Enabling, disabling, adding or removing network adapters on the 1E Server computer will cause issues with Switches issuing instructions, or with features like "Export All Results" becoming unusable.

The 1E Server Core web applications have access restricted by the IIS feature IP Address and Domain Restrictions. All connections are denied, except for local connections. Changing adapter configuration after installation can cause the entries in the IIS feature to become incorrect and cause issues with 1E Server.

If for example the IPv6 address assigned is different from the one which was installed by 1E, then Tachyon.Workflow.log is likely to contain errors:

"Posting Housekeeping to Core API 1 failed 'Forbidden'"

"Delete with ID 22 to Core API 1 failed 'Forbidden'"

Or Tachyon.ConsumerAPI.log may have "Data export fail" errors when attempting to "Export All Results".

Please update the entries in the IP Address and Domain Restrictions feature of the CoreInternal and the Core website to include all local IPv4 and IPv6 addresses.

Please refer to IP Address and Domain Restrictions.

Settings application

Issue

Description

Workaround

Settings > Instruction Set uploader displays:

"Failed to upload: This Product Pack structure is not supported by this version. If you want to upload an Integrated Product Pack then you must use the Product Pack Deployment Tool".

It is currently not possible to use the Tachyon Portal > Settings > Instructions > Instruction sets page to upload Integrated Product Packs, and the user will be shown a "Failed to upload" error message. Only Classic Product Packs can be uploaded via the Settings application.

Please use the 1E product pack deployment tool.

After an upgrade, attempting to re-upload the latest product packs displays the following error: "Something went wrong while processing request. Error: An error occurred while uploading the entries in the database".

This happens after an upgrade of 1E Server when attempting to re-upload an existing instruction using a product pack where the instruction is within a zip.

The failure is caused by loading an associated InstructionDefinitionBlob object related to the InstructionDefinition while uploading a product pack zip. Uploading a single InstructionDefinition works fine.

Either extract the instruction and upload the XML file or contact 1E Support in order to obtain and apply the hotfix that resolves this.

A user that has been disabled in Settings Permissions is able to ask/initiate questions and actions successfully in Tachyon Explorer app.

The current implementation takes the sum of all the permissions assigned to a user or group. Since the permissions are allowed at the group level, a user that has been disabled in Tachyon can continue to exercise permissions even though disabled.

When a user is disabled, also remove the user account from all security groups that are being used for permissioning instruction sets.

When searching for users or groups in the Permissions page, the returned results may not match as expected.

When searching for a user account, the search uses CN or SAM account name. Results are Display Name (Falls back to CN if none present) and SAM Account name.

Therefore, in some cases it is possible for the result returned to not contain the search string (i.e. the user can search for "ABC" and get the result "XYZ" which, while valid, is confusing).

None

Members displayed for an Active Directory group may not be up to date on the Permissions page soon after a change has been made to the AD object.

In the Permissions page of Endpoint Troubleshooting the Members button will display membership of a group, but it may not be up to date if the AD object has been recently changed.

The same applies to the capabilities of 1E users in groups configured through role-based access to 1E features.

Allow time to elapse so permissions cache expires (10 minutes).

Server configuration

Issue

Description

Workaround

In the 1E connector setup, if the user provides an account password starting with a semicolon character ";" then the 1E connector test and synchronization action will fail.

Semicolon ";" is used as a separator in the connection string for the DB (stored encrypted), and if the semicolon is at the beginning of the password then the password length is considered to be 0, resulting in failure of the 1E connector test and synchronization action.

The user will need to create an account password that does not start with a semicolon ";" character.

Tachyon.CoreAPI.log reports the following:

ERROR Tachyon.Server.Services.Core.Services. HttpSendProvider - POST to https://<tachyon DNS Name FQDN>/Experience/Offload/Events returned status Unauthorized

When 1E is installed with multiple Response Stacks where there are remote Switches configured, these remote servers are not automatically granted permission to offload Experience events back to the Master Stack so an unauthorized error is seen.

The remote server machine account needs to be granted permissions by adding it to Experience configuration in "C:\Program Files\1E\Tachyon\Experience\Web.config":

<add key="AllowedUsers" value="NT AUTHORITY\Network Service;<domain>\<machine>$" />

Removing Code Signing Certificates does not immediately stop the instructions loading / Unsigned vs Any Signature.

The 1E Consumer API trusts any certificate in the Local Computer Trusted Publishers store as a trusted instruction definition publisher. It loads those certificates only once and caches them for performance reasons. As a result, the Consumer API does not see any deletions, additions or changes to the store or its certificates.

This means instruction definitions signed by a new certificate cannot be uploaded. Similarly, for a deleted certificate, the user will still be able to upload an instruction definition signed by the deleted certificate.

The server administrator needs to reset IIS to make certificate changes take effect.

Using 1E
Endpoint Troubleshooting application

Issue

Description

Workaround

An approver of a child management group receives approval notification email, but the email link takes user to "No notification" page.

If the action was submitted by a user who has permissions to All devices or a parent level management group e.g. "UK Servers" (to the approver's associated child management group "UK Desktops") and the instruction was targeted to the approver's accessible management group "UK Desktops", then the approver will not have access to approve it.

This is due to the workflow looking at the user's permission and not the scope of the target devices which could potentially include devices that another user is not allowed to view or approve.

Please review the approver's accessible management group in order to make the necessary approvals.

When creating a Daily Instruction Schedule on the Instructions→Tasks page in Endpoint Troubleshooting a validation error message is displayed on the Instruction scheduler popup under the Repeat Every field suggesting the field is mandatory.

While trying to create a Daily Instruction Schedule in the Instruction scheduler popup on clicking Save you are prompted to enter a value in the Repeat Every Hour field. If the field is left blank the text Must be a number is displayed. If you try to enter a number but set it to 0 the validation error Must be between 1 and 23 is displayed.

The field is not actually mandatory but the validation will not allow the schedule to be created unless a value has been set.

If you see the Must be a number validation error, type any number into the field to clear this message, then delete the value in the field.

If you see the Must be between 1 and 23 validation error delete the value in the field, which clears the validation error.

You will then be able to click Save to save the schedule without the additional hours.

When the Firefox browser is used to access the 1E portal, a potential security risk message is displayed by the Firefox browser.

This is because the Firefox browser validates the associated certificate against its own certificate store and, upon finding it missing there, raises this as a security risk.

The Firefox browser requires the Root CA Certificate to be imported into the Firefox certificate store when used to access the 1E portal.

Please follow the steps mentioned below to fix the above issue:

  1. Launch Firefox browser

  2. Navigate to browser's options menu

  3. Select Privacy & Security and go to Certificates section

  4. Click on View Certificates -> Authorities tab

  5. Identify the certificate used when 1E was installed

  6. Click on Import option

  7. Relaunch the Firefox browser and access the 1E portal

Endpoint Troubleshooting UI in Firefox browsers may briefly display blank areas with no text.

When using Firefox browser, the Endpoint Troubleshooting page may not get rendered properly and displays some content as blank areas. This has been seen most often with Firefox version 61.

This can be resolved by refreshing the Firefox browser using F5 function key or clicking anywhere else within the Endpoint Troubleshooting UI page.

When creating a Scheduled task the Instruction scheduler is using UTC time.

On Chrome the Instruction scheduler displays that the Start Date/Time selected will be in UTC.

However, on other browsers (e.g. Firefox and Microsoft Edge) the UTC text is missing and it may appear that the Date/Time selected is the current local time even though it uses UTC.

None.

Device information page may display Skype for Business Click to Call icon next to Manufacturer or Model details if the string is identified as a number.

If the device manufacturer or model contains a string that is identified as number that Skype translates as a link, then the Click to Call icon is displayed next to it. This could be seen when clicking on the information icon next to any Tachyon client devices in the Explorer > Devices > Table or Response pages.

None.

On Edge browsers an instruction that requires parameter inputs and displays a tip text always displays this even though the user inputs appropriate free text.

When using the Edge browser and attempting to submit an instruction which requires parameter inputs and displays tip text, this text remains and is not overwritten.

The light grey tip text is only displayed in the Endpoint Troubleshooting page of the Edge browser and does not get submitted as part of the instruction so it can be ignored.

None.

"Provide authentication code" for a scheduled instruction displays warning "Scheduled instruction id X does not exist" or fails to accept a valid token with error "Token validation failed with error message".

Scheduled instruction workflow is not displaying the appropriate warnings when multiple users have updated a scheduled instruction or when there are multiple updates on one that is pending approval or waiting for the authentication code to be applied.

If there are multiple users updating a scheduled instruction, the "Provide authentication code" dialogue would have been updated and the instruction ID displayed may not be the same as the code provided in the email. Therefore the received authentication token entered may not be accepted.

Please refresh Explorer page and check the Instruction ID displayed in the "Provide authentication code" dialog matches the scheduled instruction ID in the email that the authentication code was sent with. If the ID has incremented, then another user has updated the scheduled instruction.

Instruction responses Summary consistently shows a higher sent count and "Responses from" never reaches 100%.

TachyonMaster Switch table may contain multiple entries if the IP address of the server running the Switch Host service has changed and this will cause the sent count to go up for any instruction submitted.

If using DHCP, please provide a static DHCP assignment to any 1E Servers.

GetProcesses method does not return full list of processes on Android M6 (Marshmallow) or upwards.

Due to the security lock down on Android since version M6 (Marshmallow), the GetProcesses method returns an incomplete process list, since Android applications are now sandboxed to enhance security through application isolation. An application only has access to the list of processes that it has created either directly or indirectly.

None.

On new installations of 1E, first visit to Endpoint Troubleshooting may show Access Denied page.

After a clean install of 1E Server, when a user logs in to Endpoint Troubleshooting for the first time, Endpoint Troubleshooting lands on an error page complaining about lack of permissions.

This can also be seen if the user presses Ctrl+F5 to refresh the Endpoint Troubleshooting page. When the same keys are pressed a second time, the Explorer does not land on the error page.

Refresh the web page or press Ctrl+F5 again.

When using instructions with the FileSystem module and the specified filename uses non-ASCII characters, the response may return an error "Cannot open 'C:\tmp\?file.txt' for hashing because: (0x7b) The filename, directory name, or volume label syntax is incorrect."

If the specified filename uses non-ASCII characters, the FileSystem module may not be able to find the file, and therefore it will not be able to retrieve further information about it and will report its size as -1 and that the hash is "invalid hash".

None.

When using Filter Results and searching responses that relate to certificates, no results are found.

This can happen when an extra space exists in the search string or in responses.

Examples

Searching for subject for 'CN= machine.contoso.com' does not return any matches, whereas searching for 'CN=machine.contoso.com' will return matches.

The Windows certificate viewer (Crypto API Extensions) will insert spaces in some certificate properties for ease of viewing. The certificate itself does not contain these spaces, and so a search with spaces in the search string (for example, copied from the certificate viewer in Windows) will not return any matches.

If you run a command-line from cmd.exe with parameters (e.g. "psexec -i -s"), cmd.exe introduces another space between the executable name and the first parameter, so it becomes "psexec<space><space>-i -s".

In order to match correctly, please use a search string with the correct number of spaces.

It may help if you click on a similar value returned in the response, and edit that.

Using certutil -dump will show the actual Subject Name of the certificate, which will match when searched for.

When a client is running on a laptop connected to a WiFi network and the connection is lost (or it's turned off via the Wireless Network Connection), then the responses are lost.

If a client on a laptop has been processing instructions and the WiFi connection is lost, it does not recognise the connection is no longer available and continues to send responses. No responses will be received by the 1E Server.

Re-submit the instructions.

The Endpoint Troubleshooting Responses page displays a blank page with no results.

This can occur if the SQL instance and the TachyonResponses database are unreachable.

If the Core web application is unable to access the TachyonResponses database when an instruction is asked then the Consumer will log an exception and the Explorer Responses page displays no results.

This is more likely to occur if the 1E Server is configured either with a remote database or multiple databases.

Rectify the connection problem with the SQL Server instance and re-run the instruction.

If the client is restarted whilst it's attempting to download a resource (such as a script) while executing an instruction it logs ERROR - [Seq=<id>] Error processing instruction (InstructionId=<id>).

If the client is restarted whilst it's attempting to download a resource script, it logs ERROR - [Seq=<id>] Error processing instruction (InstructionId=<id>)

On restart the client will not re-process the instruction so the error is not sent up to the server.

Re-submit the instruction.

The Sent Count for an instruction, and the statistics derived from it, imply that an instruction has been sent to more clients than the number deployed or targeted.

If the client service is terminated abruptly while processing an instruction, the client will re-request the instruction when it next starts up. This causes the Switch to re-send the same instruction to the client, which in turn will cause the statistics to show an increased Sent Count.

This also affects the Success, Error, and Outstanding statistics in the Responses Summary page.

None.

Large responses to instructions may not be received from the client if the instruction is cancelled, even though you have selected to "Keep Results".

If the client is in the middle of an upload at the point that the instruction is cancelled, the Switch will cancel the upload if the size of the response exceeds 4K.

None.

An Action cannot be approved or is in a failed state.

When the Coordinator service goes into a faulted state (e.g. as the result of an internal error), any live instructions remain in the "created" state and cannot be approved.

Faults may be caused when a 1E Server has been upgraded while an instruction was still in the in-progress state. The workflow will be unable to process the instruction after the upgrade and the error will be recorded in the Explorer portal Admin Log page.

The action needs to be re-submitted.

Instructions

Issue

Description

Workaround

Instructions using Device.GetDisks method on Windows 8, Windows 7, Vista or Server 2012R2 will return Error "Unsupported"

Device.GetDisk method uses WMI namespace query that is not supported in the earlier operating systems so the 1E Client will return an Error.

1E Client logs display the following:

ERROR - Method error at L1.C1-L1.C17

ERROR - Unsupported

None

Running an instruction with OperatingSystem.ControlStop and specifying 'IncludeDependents' as false to stop a service that has dependents returns Success - no content even though 1E Client may log:

ERROR - Could not perform ControlService because [ (1051/0X41b) A stop control has been sent to a service that other running services are dependent on. ]

When an instruction exercising the agent method OperatingSystem.ControlService with parameter IncludeDependents = false (default) is sent to targeted endpoints to stop/start a specified service, and the action fails due to dependent services, the instruction returns status "Success-no-content" instead of Error.

None

Running an instruction with a FileSystem.FindFileBySizeAndHash or FileSystem.FindFileByName method e.g. "Which devices have a file named %filename% on a fixed disk?" may not return complete list on macOS Big Sur 11.0 and logs show error similar to:

"ERROR - Could not open directory '/private/var/db/appinstalld' because: (1) Operation not permitted"

Apple have clamped down on free access to the filesystem(s) in recent versions of macOS, and granting the "full disk access" from System Preferences --> Security & Privacy --> Privacy seems to be limited to applications, not individual executables such as the 1E.Client daemon, and the 1E Client installation cannot set up the permissions.

Currently the only way around this would be to give the 1E.Client daemon Full Disk Access (FDA). This can only be done by adding bin/bash to FDA, as we use bash to launch the Client Daemon. On launch, the Client Daemon inherits the FDA permission from bash. Some directories still remain locked as they fall under macOS's System Integrity Protection (SIP).

This is not recommended as adding bash to FDA can lead to serious security issues.

None

1E Client becomes unresponsive to any instructions after performing an Extensibility update even though the Client continues to appear online.

The 1E Client logs will display that all modules have been unloaded, but it continues to send Keep alive messages.

Or if PXE module is enabled, the following is seen in the Agent logs:

Faulting module path: C:\Program Files\1E\Client\Extensibility\1E.Client.Module.PXEEverywhere.dll

Once the Extensibility update instruction “Check for 1E Client updates and apply them” has been run and the Client has downloaded all the modules, it attempts to unload the existing ones in order to apply the updates. However, if the Inventory module is currently processing, it causes the Client to become unresponsive even though it continues to send keep alive messages to the Switch.

This applies to all 1E Clients (including the non-Windows platforms).

Once the update has been run, the 1E Client process will need to be killed and the service restarted. Please avoid using any instructions which use the Agent.CheckForUpdates method.

Responses Chart view only displays as text.

Some instructions (e.g. What BIOS firmware is installed?) are authored so the responses are displayed as Chart view, but on Firefox this view may not be displayed correctly.

Use an alternative web browser.

Instructions that have aggregation on floating point or DateTime values fail to return results.

When the instruction is run in TIMS, the raw values are shown correctly, but when uploaded to Tachyon the aggregation fails to sum the values, returning an empty row set.

Aggregation on DateTime values where the input data looks like this also fails to return results: 01/17/2018 16:32:47.648

None.

Explorer response displays error 'Could not deserialize JSON into DataTable'.

If an instruction includes the Scripting.Run method running a PowerShell script, and the script fails or generates error output that is sent to standard out, this will be considered part of the output of the script, and cannot be converted into the format (JSON schema) expected for the response.

Please ensure the PowerShell script is written to either output data according to the JSON schema specified in the instruction definition, or exit with an exitcode, and not a mixture.
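A script body shaped for the advice above: on success the JSON document is the only thing written to standard output, and on failure nothing is written and only an exit code is returned. This is an added example, not taken from a 1E product pack; the queried services, the column names Name and Status, and the array-of-rows JSON shape are assumptions standing in for whatever schema the instruction definition declares.

```powershell
# Added example (not from a 1E product pack). Column names and services are placeholders.
$ErrorActionPreference = 'Stop'               # non-terminating errors become exceptions
$ProgressPreference    = 'SilentlyContinue'   # keep progress text out of the output
$WarningPreference     = 'SilentlyContinue'   # keep warning text out of the output

try {
    # Collect everything first; nothing is emitted until all the data is in hand.
    $rows = Get-Service -Name 'W32Time', 'Spooler' |
        Select-Object @{ Name = 'Name';   Expression = { $_.Name } },
                      @{ Name = 'Status'; Expression = { $_.Status.ToString() } }
}
catch {
    # Failure path: no partial rows and no error text on standard output, exit code only.
    exit 1
}

# Success path: one JSON array of rows, emitted once. @() keeps a single row as an array.
ConvertTo-Json -InputObject @($rows) -Compress
exit 0
```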

1E Client installed on macOS - Big Sur "(1) Operation not permitted" errors from FindFileByName

Apple have clamped down on free access to the filesystem(s) in recent versions of macOS, and granting the "full disk access" from System Preferences --> Security & Privacy --> Privacy seems to be limited to applications, not individual executables such as the 1E.Client daemon, and the 1E Client installation cannot set up the permissions.

None.

Endpoint Automation application

Issue

Description

Workaround

Any pending changes in the Endpoint Automation and/or Experience Analytics applications are deployed during the upgrade process from 1E platform v5.1 to v5.2 or v8.0. This is also true if there is an already deployed unlicensed rule/precondition/check or fix.

1E Server Setup runs a post installation action to automatically deploy all policies and event subscriptions.

Ensure any pending deployment changes under review are either deployed before the upgrade process is initiated, or that the respective rule/policy/Survey is marked as disabled to prevent deployment during the upgrade process.

Endpoint Automation Overview pages show incorrect devices when a Policy with no Rules has been assigned to a Management Group.

On the Endpoint Automation Overview page, the Online, Online last 7 days and Last seen per Criticality Level charts all show incorrect counts when a Policy is assigned to a Management Group, but no Rules have been assigned yet.

This will display correct values once Rules are assigned and devices have responded to the events.

None

Opening an instruction or fragment that has been exported using the Consumer API displays the following message when viewed in TIMS:

"This instruction definition was signed by CN=Tachyon Explorer Instructions but the content has been tampered with."

An instruction exported through Postman can produce a file that differs from the original in whitespace and file size; TIMS does not accept it because it is considered to have been tampered with.

Use alternative API tools (e.g. Fiddler).

"Ensure Nomad can communicate through the Windows Firewall" remediation is being executed even when firewall is disabled from the GPO.

"Ensure Nomad can communicate through the Windows Firewall" remediation is being carried out when there is a firewall policy that has been disabled through group policy. This means that when firewall policy has been disabled explicitly, instead of ignoring the fix, the firewall is set to enabled and the firewall exceptions are set for Nomad.

None

On a ConfigMgr Distribution Point, the Rule to "Check the Nomad has a virtual directory on ConfigMgr distribution points to perform LSZ generation" always passes even though a failure reason may be returned in the Data field.

The check fragment should verify that the LSZFILES website setup by Nomad on a DP has certain characteristics, but even when errors are found the check status is "Passed".

The logic in the PowerShell parts of the fragments uses a $errorOccurred variable to set the exit code, but this variable is initialized to $false and then never changed even when an error is detected.

e.g. the Data field returns: "Windows authentication not enabled. Require SSL flag is not disabled. Directory browsing not correctly set."

None
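
The fail-open pattern described in this issue, with the missing assignment restored, as an added PowerShell sketch (not the 1E fragment's own code). The function name, setting names, expected values and sample input are assumptions constructed for illustration; only the three failure messages come from this page.

```powershell
# Added illustration; not code from the 1E fragment.
# Setting names and expected values below are assumptions.
function Test-LszSiteSettings {
    param([Parameter(Mandatory)][hashtable]$Observed)

    $expected = [ordered]@{
        WindowsAuthEnabled = @{ Value = $true;  Message = 'Windows authentication not enabled.' }
        RequireSsl         = @{ Value = $false; Message = 'Require SSL flag is not disabled.' }
        DirectoryBrowsing  = @{ Value = $true;  Message = 'Directory browsing not correctly set.' }
    }

    $errorOccurred = $false   # starts as $false, as in the logic described above
    $reasons = @()

    foreach ($name in $expected.Keys) {
        # A setting that is missing from the input counts as a failure (fail closed).
        $missing = -not $Observed.ContainsKey($name)
        if ($missing -or $Observed[$name] -ne $expected[$name].Value) {
            $reasons += $expected[$name].Message
            $errorOccurred = $true   # the assignment the described logic never makes
        }
    }

    [pscustomobject]@{
        Passed   = -not $errorOccurred
        Data     = ($reasons -join ' ')
        ExitCode = [int]$errorOccurred   # 0 = passed, 1 = failed
    }
}

# Constructed sample that reproduces the Data text quoted in this issue.
$sample = @{ WindowsAuthEnabled = $false; RequireSsl = $true; DirectoryBrowsing = $false }
$result = Test-LszSiteSettings -Observed $sample
$result | Format-List

# In a check script, the final statement would be: exit $result.ExitCode
```

Without the assignment inside the loop, the same input would return the three failure reasons in Data while still reporting Passed, which is the behaviour this issue describes.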

1E Client logs several unsuccessful remediation attempts within a 24-hour period.

There is no longer a cap on the number of times a remediation step can occur on a machine within 24 hours. This differs from 1E Client Health, where after 3 failures to remediate an issue, further remediation would not occur until 24 hours have passed.

None

Experience Analytics application
Inventory Insights

Issue

Description

Workaround

No issues currently known.

1E Catalog

Issues

Notes

Workaround

Any Title of a Vendor with two different colloquial versions should not be allowed when the other fields are the same.

There may be instances where a product has different colloquial versions for the same version, such as Microsoft Excel 15.0 with a 2013 colloquial version and Microsoft Excel 15.0 with a 2015 colloquial version.

None

Timeout is displayed during updates and the Catalog UI is not available during that time.

The Catalog Web UI is unavailable when it's downloading data from the 1E Cloud Catalog.

If you try again after some time the Catalog Web UI should work.

The installer creates the database when you cancel the process in the setup wizard.

If you decide to abort the installation after providing the name of the Catalog database, the installer creates the database despite the cancellation.

None

Pressing Cancel when prompted for your credentials on the Web UI Admin page displays an error.

If you click Cancel on the Web UI Admin page when prompted for your credentials, an HTTP 401.1 – Unauthorized error is displayed.

None

Unable to create new versions with more than 4-part numbers in the Catalog Web UI.

If you attempt to curate a version with more than 4 parts (for example, 1.2.0.1.2) in the Catalog Web UI, it displays the error – The version is not in the correct format.

None

The Catalog Web UI does not report if the Catalog service is unavailable.

During a downtime, if you try to navigate through Catalog Web UI, it becomes unresponsive but does not display a message that the service is unavailable.

None

The Catalog Web UI displays an incorrect message if you leave the page and return to it.

During a resynchronization event, if you navigate to a different page and immediately return to the Admin page, it displays a Resync completed Successfully message, even though it has not. The resynchronization event keeps running in the background until it successfully completes.

None

Best Match API times out when indexes are being compiled.

If the Best Match API is called while the indexes are being compiled, it times out. However, the second call will succeed.

The second call will succeed.

Unable to cancel the installer while it is migrating to a new version.

During a migration to a newer version of the Catalog, pressing Cancel does not stop or roll back the installation – it continues uninterrupted.

None

The number of records pulled during a 1E Cloud Catalog synchronization event is not known at the start of it.

When the Catalog synchronization event starts, you're not able to discover the total number of records that will be inserted into the database. The logs register the number of records it inserts successfully but you would not know the total records to be inserted beforehand.

None

Clicking Back to list in Catalog Web UI navigates to the Home page instead of the previous page.

If you filter on a vendor and go to any next page to set license rules for that vendor, and then click Back to list, it takes you back to the Home page and does not retain the filter applied in the previous step.

None

The unattended install does not check Catalog prerequisites.

The installation will fail if requirements are not met.

None

Indexing fails if the rebuild index and incremental index events are run simultaneously.

If a rebuild index and incremental index conflict, indexing will not complete successfully.

It will complete successfully the next time the incremental index event runs.

Error when user modifies an edition from Catalog Web UI.

If you attempt to modify the edition of a product then "An error has occurred while processing your request" message is displayed.

None

Log files and other folders are not deleted from the Program Data folder after uninstalling the Catalog.

If the Catalog is uninstalled, its logs folder structure is not deleted from the Program Data folder.

None

On the Catalog Web UI new bundles screen, selecting multiple dropboxes gives the wrong filtered record.

On the Catalog Web UI new bundles screen, selecting multiple dropboxes returns an incorrect filtered record.

None

File Version filter on Catalog Web UI does not work.

The File Version filter on the product file screen is not working.

None

A prompt to reboot the server is displayed when you upgrade or uninstall the product.

There may be instances where you are prompted to restart the server in order to complete the installation.

Restart the server.

Installer unable to connect to the database when you run a repair on the Catalog from Programs and Features.

In a TLS environment, if you opt to repair the Catalog from Programs and Features by choosing the Repair option, you will be prompted with this error: Error 27502: Could not connect to Microsoft SQL Server ... SSL Security error. (18)

Uninstall and reinstall the Catalog.

The Lucene index folder is not deleted when the Catalog is uninstalled.

When the Catalog is uninstalled, the Index directory is not deleted from the program data folder.

None

An incorrect surrogate key mapping is formed if a product is deleted from the client side and an upgrade is performed.

When the Catalog is upgraded, deleted site-defined entries are not persisted.

None

The installer should have a check for ASP.NET, as the Catalog does not fail when "ASP.NET" is not installed.

The prerequisite check of the installer does not check for ASP.NET.

None

Re-Sync: a timeout error is observed while getting site-defined entries on one client machine while a Re-Sync with another client machine is in progress.

Re-Sync is successful on one of the clients, and an error is observed on the second client while it is getting the site-defined entries.

The following is observed in the logs:

The timeout period elapsed prior to completion of the operation or the server is not responding.

None

An error message is observed in the logs while indexes are recreated after sync in an edge-case installation scenario.

Install the Catalog through the unified Tachyon installer and, after a successful installation, uninstall the Catalog. If the user then installs the Catalog stand-alone and starts the sync, its IIS services should shift into a different pool, due to which the indexes will break.

None

Catalog 2.0 error '500 Internal server Error)Index is getting failed' in the 'Catalog.UpdateService.log' when the 1E Catalog service account uses a domain user account. (Highly Intermittent).

When the 1E Catalog service account is using a domain user account rather than the Network Service account, indexing fails after the sync is completed.

This issue does not cause functional issues and can be safely ignored.

Catalog 2.0: if an upgrade fails, the 1E Catalog installer will roll back the installation and remove any customizations in the 'web.config' and 'CatalogUpdateService.exe.config' files.

If an upgrade fails, the 1E Catalog installer will roll back the installation and remove any customizations in the 'web.config' and 'CatalogUpdateService.exe.config' files.

This is resolved by backing up the configuration files prior to upgrading, as covered in the 'installation and upgrades' section of the documentation.

1E Toolkit

Issue

Description

Workaround

1E Toolkit extensions are not visible on the CM Console for both Devices and Device Collections.

In the past, any installed extension was allowed to be displayed. Microsoft has changed the way that console extensions are allowed to be displayed within the ConfigMgr Console. If, in Administration -> Site Configuration -> Sites -> Hierarchy Settings (from the ribbon), under the General tab, "Only allow console extensions that are approved for the hierarchy" is selected, it will prevent the 1E right-click actions and the Instruction Runner from becoming available.

Ensure that "Only allow console extensions that are approved for the hierarchy" is not selected in the Hierarchy Settings Properties.

Please contact 1E Support for additional help where the 1E right-click extensions only appear for the Devices and not Device collections.

Configuration Manager console shows duplicate right-click options for 1E.

1E shows multiple times in a collection property when the collection belongs to nested folders in the Configuration Manager console.

Restart the Configuration Manager console.