SCCM Crashes After Upgrading or Installing Shavlik Patch 2.2 on Servers with FIPS Enabled

Version 7

    Purpose

    This document explains why SCCM crashes after installing or upgrading to Shavlik Patch 2.2 on servers with FIPS enabled, and provides workaround options.

     

    Overview

    Shavlik Patch 2.2 moved to SHA-256. By default the .NET Framework maps the SHA-256 algorithm names to SHA256Managed, which is not a FIPS-validated implementation. With FIPS enabled, its constructor throws an InvalidOperationException, and that unhandled exception crashes the SCCM console.

     

    Reference Link

     

    Details of the Crash:

    Faulting application name: Microsoft.ConfigurationManagement.exe, version: 5.0.8239.1000, time stamp: 0x552ce699
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.18202, time stamp: 0x569e72bb
    Exception code: 0xe0434352
    Fault offset: 0x00015b68
    Faulting process id: 0x2f4
    Faulting application start time: 0x01d190c9bf09eaae
    Faulting application path: E:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe
    Faulting module path: C:\Windows\SYSTEM32\KERNELBASE.dll
    Report Id: 0838e339-fcbd-11e5-8116-005056bc65f8
    Faulting package full name:
    Faulting package-relative application ID:

    Application: Microsoft.ConfigurationManagement.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException
    at System.Security.Cryptography.SHA256Managed..ctor()


    You can verify that FIPS is enabled on the SCCM server by checking the Local Security Policy setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", which is backed by the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled (1 = enabled):

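The following script is an added example (it is not part of the original article and not Shavlik's code). It reads the FIPS policy from the registry and then reproduces the behaviour behind the crash: asking the .NET Framework for "SHA256" by algorithm name, which fails under FIPS when no mapping is configured, versus constructing the FIPS-validated SHA256Cng class directly. The sample input is constructed for the demonstration.

```powershell
# Added example, not from the original article: check the FIPS policy and
# see which SHA-256 implementation the .NET Framework resolves under it.
# Windows PowerShell runs on the same .NET Framework as the SCCM console, so a
# 64-bit session reads Framework64\...\config\machine.config and a 32-bit
# session (SysWOW64\WindowsPowerShell) reads Framework\...\config\machine.config.

$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
if ($fips -and $fips.Enabled -eq 1) {
    Write-Host 'FIPS policy: enabled'
} else {
    Write-Host 'FIPS policy: disabled'
}

# 1. Algorithm-name lookup, the path that crashes the console: without the
#    machine.config mapping, "SHA256" resolves to SHA256Managed, whose
#    constructor throws InvalidOperationException when FIPS is enabled.
try {
    $byName = [System.Security.Cryptography.SHA256]::Create()
    Write-Host "SHA256.Create() -> $($byName.GetType().FullName)"
} catch {
    Write-Host "SHA256.Create() failed: $($_.Exception.GetBaseException().Message)"
}

# 2. The CNG wrapper is FIPS-validated and works regardless of the policy;
#    it is the class the workaround maps the SHA-256 names to.
$cng = New-Object System.Security.Cryptography.SHA256Cng
$sample = [System.Text.Encoding]::UTF8.GetBytes('constructed sample input')  # constructed test data
$digest = ($cng.ComputeHash($sample) | ForEach-Object { $_.ToString('x2') }) -join ''
Write-Host "SHA256Cng digest of the sample: $digest"
```

Run it once from a 64-bit and once from a 32-bit PowerShell console to exercise both machine.config files. On an affected server with FIPS enabled, step 1 prints the failure and step 2 still prints a digest; after the machine.config workaround has been applied, a fresh session prints System.Security.Cryptography.SHA256Cng for SHA256.Create(), because the name mapping is read once when the process starts.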

    Workaround

    You can choose between one of two workarounds:

    1. Revert to Shavlik Patch 2.1. You can do this by uninstalling Shavlik Patch 2.2 and installing Shavlik Patch 2.1. This is a seamless downgrade.
    2. Manually enable a FIPS-compliant SHA-256 implementation in the .NET Framework on the SCCM server.

              a. This is a system-wide change and may affect other applications that depend on .NET Framework-specific compliance settings.

     

    For option 2:

         1. Navigate to %windir%\Microsoft.NET\Framework64\v4.0.30319\config\ (used by 64-bit processes) and/or %windir%\Microsoft.NET\Framework\v4.0.30319\config\ (used by 32-bit processes).
         2. Create a backup of the machine.config file(s).
         3. Edit the machine.config file(s) (make sure the SCCM console is closed):
              a. If the file already has a <mscorlib> section, you will need to open a case with Support. If you are already working with Support, please zip and attach the machine.config file(s) to the case.
              b. If <mscorlib> does not exist, paste the following at the end of the file(s), right before </configuration>:

     

    <mscorlib>
      <cryptographySettings>
        <cryptoNameMapping>
          <cryptoClasses>
            <cryptoClass SHA256Cng="System.Security.Cryptography.SHA256Cng, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
          </cryptoClasses>
          <nameEntry name="SHA-256" class="SHA256Cng"/>
          <nameEntry name="SHA256" class="SHA256Cng"/>
          <nameEntry name="System.Security.Cryptography.SHA256" class="SHA256Cng"/>
          <nameEntry name="http://www.w3.org/2001/04/xmlenc#sha256" class="SHA256Cng"/>
        </cryptoNameMapping>
      </cryptographySettings>
    </mscorlib>

     

         4. Save the machine.config file(s).
         5. Open and use the SCCM console with Shavlik Patch 2.2 installed.
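The script below is an added example that carries out steps 1 through 4 for both machine.config locations; it is not the article's or Shavlik's own tooling. It assumes an elevated 64-bit PowerShell session and that the SCCM console is closed. It takes a timestamped backup before touching anything, refuses to modify a file that already contains an <mscorlib> section (the case step 3a reserves for Support), and otherwise appends the mapping as the last child of <configuration>, which is the same place as pasting it right before </configuration>.

```powershell
# Added example (not from the article): apply the SHA-256 -> SHA256Cng name
# mapping to machine.config with a backup, skipping files that already carry
# an <mscorlib> section. Run elevated, with the SCCM console closed.

# The exact block the article tells you to paste.
$mapping = @'
<mscorlib>
  <cryptographySettings>
    <cryptoNameMapping>
      <cryptoClasses>
        <cryptoClass SHA256Cng="System.Security.Cryptography.SHA256Cng, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
      </cryptoClasses>
      <nameEntry name="SHA-256" class="SHA256Cng"/>
      <nameEntry name="SHA256" class="SHA256Cng"/>
      <nameEntry name="System.Security.Cryptography.SHA256" class="SHA256Cng"/>
      <nameEntry name="http://www.w3.org/2001/04/xmlenc#sha256" class="SHA256Cng"/>
    </cryptoNameMapping>
  </cryptographySettings>
</mscorlib>
'@

# Step 1: both framework directories; skip any that do not exist on this host.
$configs = @(
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\config\machine.config",
    "$env:windir\Microsoft.NET\Framework\v4.0.30319\config\machine.config"
) | Where-Object { Test-Path $_ }

foreach ($path in $configs) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true      # keep the file's existing layout on save
    $xml.Load($path)

    # Step 3a: an existing <mscorlib> section must be handled with Support, not overwritten.
    if ($xml.DocumentElement.SelectSingleNode('mscorlib')) {
        Write-Warning "$path already has an <mscorlib> section; not modifying it."
        continue
    }

    # Step 2: timestamped backup next to the original.
    $backup = "$path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $path -Destination $backup
    Write-Host "Backed up $path to $backup"

    # Step 3b: append the mapping as the last child of <configuration>.
    $fragment = $xml.CreateDocumentFragment()
    $fragment.InnerXml = $mapping
    [void]$xml.DocumentElement.AppendChild($fragment)
    [void]$xml.DocumentElement.AppendChild($xml.CreateWhitespace("`r`n"))

    # Step 4: save in place.
    $xml.Save($path)
    Write-Host "Added SHA-256 -> SHA256Cng mapping to $path"
}
```

After it runs, confirm the change from a new PowerShell session (the mapping is read at process start) with `[System.Security.Cryptography.SHA256]::Create().GetType().FullName`, which should now report System.Security.Cryptography.SHA256Cng; then proceed to step 5. To undo, restore the .bak file the script printed.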


    Additional Information


    A future version of Shavlik Protect will correct this behavior at install.

     

    Affected Product(s)


    Shavlik Patch 2.2