Summary

Lists of the current known issues with implementing, configuring, using and extending Tachyon.

If you need further help, please refer to the Troubleshooting page for how to contact 1E Support and the technical support process.

On this page:

Tachyon

Please refer to Tachyon 5.0 - Troubleshooting for issues with other components of Tachyon.

Client installation issues on Windows

IssueDescriptionWorkaround

1E Client installer adds the Nomad registry settings even when Nomad module is NOT enabled during installation. If someone deletes those registry settings and enables Nomad module later, Nomad will not function correctly.

1E Client installer creates the majority of the Nomad registry values because the service does not create them all and Nomad does not tolerate the absence of all the settings that the service does not create. If these settings are deleted and the Nomad module is enabled later, then Nomad is unable to function correctly.

In such a scenario, 1E Client will need to be reinstalled with a new set of properties / transform that enables the Nomad module with the appropriate configuration.

When upgrading an existing 1E Client, none of the manually added configuration file properties in the *.conf file have been retained.

1E Client does not retain any configuration file property values that have been added as the upgrade process currently only checks the default values that exist in the old Tachyon.Agent.conf or new 1E.Client.conf.

This includes the Module.Inventory.ProcessUsage.Enabled=false values that was included in Tachyon Agent v4.0. After an upgrade this configuration file property will no longer appear and 1E Client uses the default (true).

The additional configuration file property values need to be added to the 1E.Client.conf file if they are required.

When upgrading an existing 1E Client that has been installed to a non-default installation directory, installation folder reverts to the default path.

If the previous Tachyon Agent was installed anywhere other than the default location "%ProgramFiles%\1E\Tachyon\Agent", then the Installation folder in the wizard will revert to the new default path "%ProgramFiles%\1E\Client".

The same applies to silent upgrades where the Tachyon Agent was installed to another path, the installation folder will revert to the default unless the required directory is specified using INSTALLDIR.

Please upgrade by specify the required Installation folder in the wizard or using the installer property: INSTALLDIR

Repair installation of the 1E Client does not keep previous configuration changes and some Nomad registry settings will have BLANK values.

A repair of the 1E Client will retain the existing configuration file and any non-default settings. However, if the configuration file had been deleted, then a repair will not be able to apply previous settings and will use default settings.

Also a repair will set any properties passed in the command line, but will leave some Nomad properties like KnownMobileDevices and LocalCachePath as blank.

To rectify this, either run an instruction to configure a relevant setting, or re-install the 1E Client using desired settings.

Use an 1E Client configuration instruction in Tachyon Explorer for centralized post-installation configuration. Please contact 1E if you require the Product Pack that has this instruction.

Potential blue screen of death (BSOD) with Windows 7 SP1 and Tachyon inventory capture.

If Tachyon inventory is enabled on Windows 7 SP1 (without updates) there is the potential for BSOD issues on systems using out of date Windows drivers. Microsoft investigated the issue and confirmed the usbccgp.sys driver has a potential issue where it can fail to complete a power IRP in a timely manner.

Microsoft recommends the following fix:

1. Update the usbccgp.sys driver as follows:

    • Update the usbccgp.sys driver by installing update KB3125574.

Prerequisites: To apply this update, you must first install:

    • Service Pack 1 for Windows 7 or Windows Server 2008 R2: KB976932
    • April 2015 servicing stack update for Windows 7 and Windows Server 2008 R2: KB3020369

2. Update tdx.sys to 6.1.7600.21050 to address TDI driver response issues as per: KB2028827

Tachyon features of the 1E Client cannot read private key for a Trusted Platform Module (TPM) protected certificate.

Tachyon client uses Windows certificate store, but is currently unable to access the private key of a client certificate that is protected using Windows Trusted Platform Module (TPM).

This issue was seen when a customer used Microsoft Intune for client certificate deployment and the Simple Certificate Enrollment Protocol (SCEP) certificate profile included 'Enroll to Trusted Platform Module (TPM) KSP'.

The 1E Client was unable to extract a handle to the private key in the Windows Certificate Store; 'NCryptExportKey failed with 0x8009000a'  (NTE_BAD_TYPE) was reported as an error in the 1E Client log.

Use a client certificate that is not protected using Windows Trusted Platform Module (TPM).

Examples of Microsoft cryptography providers that do not use TPM are:

  • Microsoft Enhanced (RSA and) AES Cryptographic Provider
  • Microsoft RSA/SChannel Cryptographic Provider
  • Microsoft Enhanced Cryptographic Provider
  • Microsoft Software Key Storage Provider (CNG)

Also, Microsoft Software Key Storage Provider is the only CNG provider supported by this version of Tachyon client.

Client installation issues on non-Windows

IssueDescriptionWorkaround

Microsoft InTune cannot be used to deploy the 1E Client package for macOS.

By design, Microsoft InTune can only be used to deploy macOS packages to the /Applications folder. However, the 1E Client must be installed to /Library/Application Support since that is a secure location, writable only by root. Also the associated launch property list file must be installed under /Library/LaunchDaemons.Use an alternative deployment method for the 1E Client macOS package.

The 1E Client on macOS may not be able to validate the switch certificate if there is a cacert.pem in the .sslcerts folder that does not contain the relevant list of CA public keys. The following is logged:
ERROR - Either the Switch certificate or the Tachyon client certificate is not trusted, use the 1E Client debug log setting to obtain certificate details.

If the 1E Client for macOS finds a valid cacert.pem in the hidden directory: /Library/Application Support/1E/Client/.sslcerts, then the Keychain Access is not checked.

This cacert.pem is then used to validate the trust chains for the client certificate the Tachyon client will submit and also the Switch certificate received. The Tachyon client will be unable to connect to the Switch if it does not contain the relevant list of CA public keys to do the validation.

Ensure the cacert.pem contains all the public keys for all the intermediate CAs, up to and including the Root CA required. Alternatively, remove the cacert.pem if the 1E Client for macOS is to use the certificates from the Keychain Access.

Connection issues

IssueDescriptionWorkaround

Microsoft InTune cannot be used to deploy the 1E Client package for macOS.

By design, Microsoft InTune can only be used to deploy macOS packages to the /Applications folder. However, the 1E Client must be installed to /Library/Application Support since that is a secure location, writable only by root. Also the associated launch property list file must be installed under /Library/LaunchDaemons.Use an alternative deployment method for the 1E Client macOS package.

The 1E Client on macOS may not be able to validate the switch certificate if there is a cacert.pem in the .sslcerts folder that does not contain the relevant list of CA public keys. The following is logged:
ERROR - Either the Switch certificate or the Tachyon client certificate is not trusted, use the 1E Client debug log setting to obtain certificate details.

If the 1E Client for macOS finds a valid cacert.pem in the hidden directory: /Library/Application Support/1E/Client/.sslcerts, then the Keychain Access is not checked.

This cacert.pem is then used to validate the trust chains for the client certificate the Tachyon client will submit and also the Switch certificate received. The Tachyon client will be unable to connect to the Switch if it does not contain the relevant list of CA public keys to do the validation.

Ensure the cacert.pem contains all the public keys for all the intermediate CAs, up to and including the Root CA required. Alternatively, remove the cacert.pem if the 1E Client for macOS is to use the certificates from the Keychain Access.

Inventory issues

IssueDescriptionWorkaround
No issues known.

Nomad

Please refer to Nomad 7.0 - Troubleshooting for issues with other components of Nomad, and Troubleshooting.

Client installation issues

IssuesDescription
1E Client installer adds Nomad registry settings even when Nomad module is NOT enabled while installation. If someone deletes those registry settings and enables Nomad module later, Nomad won't function right.

The installer is currently creating the majority of Nomad registry values because the service doesn’t create them all and Nomad doesn’t tolerate the absence of all the settings that the service doesn’t create. If someone deletes those settings and enables Nomad module later, Nomad won't function right.

We will be fixing this in a future release of 1E Client. Workaround: In such a scenario, we recommend reinstalling the 1E Client with a new set of properties / transform that enables the Nomad module.

On Windows XP, 1E.Client.log displays a warning "Unsupported OS version. Will not install Nomad." however the very next log lists that "Module 'Nomad' has been installed".Nomad is not support on Windows XP therefore when 1E Client is installed with Nomad module, the module is not enabled, and the Nomad Branch service is not installed.
Nomad may be downgraded by active Application deployments in CM, which may cause issues with behaviour of the 1E Client Nomad module.

If there is an active Application deployment in CM of an earlier version of Nomad, clients that have been upgraded with the 1E Client with the Nomad module enabled may be downgraded when the Application Enforcement cycle runs. In this scenario, if the 1E Nomad module is subsequently disabled in the 1E Client, the Nomad service will be removed. This is because once the Nomad module has been enabled, it is not aware nor does it check for older versions. If the Nomad module is subsequently disabled, the service is removed as the Nomad module believes it is not longer required.

To avoid this situation, always define Application Supersedence on the 1E Client Application such that it supersedes any Applications that install previous versions of Nomad (and the 1E Client when introducing new versions of the 1E Client).

To resolve this issue should it occur, first address the Application Supersedence to prevent it from recurring. Then run the following command from the 1E Client installation directory on the affected devices.

1E.Client.exe -reconfigure MODULE.NOMAD.ENABLED=false -restart & 1E.Client.exe -reconfigure MODULE.NOMAD.ENABLED=true -restart

This will disable the Nomad module and remove the Nomad service, then re-enable the Nomad module, which will in turn uninstall the earlier version of Nomad and install the Nomad module. The settings defined by the earlier Nomad install will be migrated - these may differ from the settings with which the Nomad module was initially configured with.

1E Nomad Branch and 1E Client Health services may be stopped if upgrading to Nomad 7.0 if previous version of Nomad installer is no longer in source folder or the Windows Installer cache.

The 1E Client installer stops the 1E Nomad Branch and 1E Client Health services if the Nomad module is enabled. The 1E Client installation completes successfully, after which the Nomad module attempts to uninstall the older version of Nomad. The uninstallation fails as Windows Installer cannot find the original source installer. The Nomad module is not enabled and the Nomad and Client Health services remains stopped.

In this scenario, to immediately restore Nomad functionality simply start the services. To fix completely you will need to remediate the installer source for the old version of Nomad on the affected client, then run the following command from the 1E Client installation directory to restart the 1EClient service.

1E.Client.exe -restart
Uninstalling 1E Client doesn't delete Nomad's P2P server certificate.When P2PEnabled value was set to 79 then NomadBranch server certificate does not get deleted after uninstallation.
Nomad crashes while downloading an application in original content having source path greater than 290 length.

When the source path of an application is longer than 290 chars and Nomad starts downloading application in original format (that is format 0) then Nomad crashes in between but successfully downloads the content and passes the hash check as well.

Workaround: Use Nomad SECure when a package has source path greater than 255 characters in length. Compressing and/or encrypting content results in a single file which the possibility of an overly long path.

WakeUp

Client installation issues

IssueDescriptionWorkaround
No issues known.

Shopping and WSA

Please refer to Shopping 5.6 - Troubleshooting for issues with other components of Shopping, and WSS 4.0 - Troubleshooting.

Client installation issues

IssueDescription
No issues known.