SCCM Crashes After Upgrading or Installing Shavlik Patch 2.2 on Servers with FIPS Enabled

Version 7



    This document will explain why SCCM crashes after installing or upgrading to Shavlik Patch 2.2 on servers with FIPS enabled . It will also provide workaround options.



    We upgraded to SHA-256 with the release of Shavlik Patch 2.2.  .Net Framework with FIPS enabled does not map the SHA-256 encryption which causes a SCCM crash.


    Reference Link


    Details of the Crash:


    Faulting application name: Microsoft.ConfigurationManagement.exe, version: 5.0.8239.1000, time stamp: 0x552ce699

    Faulting module name: KERNELBASE.dll, version: 6.3.9600.18202, time stamp: 0x569e72bb

    Exception code: 0xe0434352

    Fault offset: 0x00015b68

    Faulting process id: 0x2f4

    Faulting application start time: 0x01d190c9bf09eaae

    Faulting application path: E:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe

    Faulting module path: C:\Windows\SYSTEM32\KERNELBASE.dll

    Report Id: 0838e339-fcbd-11e5-8116-005056bc65f8

    Faulting package full name:

    Faulting package-relative application ID:


    Application: Microsoft.ConfigurationManagement.exe

    Framework Version: v4.0.30319

    Description: The process was terminated due to an unhandled exception.

    Exception Info: System.InvalidOperationException

    at System.Security.Cryptography.SHA256Managed..ctor()


    You can verify FIPS is enabled on the SCCM server here:





    You can choose between one of two workarounds:


    1. Revert to Shavlik Patch 2.1. You can do this by uninstalling Shavlik 2.2 and installing Shavlik 2.1.  This is a seamless downgrade.
    2. Manually enable FIPS compliant SHA-256 with .Net Framework on the SCCM server.

              a. This is a system wide change and may affect other applications with .Net Frame specific compliance settings.


    For option 2:


         1. Navigate to:  %windir%\Microsoft.NET\Framework64\v4.0.30319\config\ and/or %windir%\Microsoft.NET\Framework\v4.0.30319\config\

         2. Create a backup of the machine.config file(s).

         3. Edit the machine.config file(s): (make sure SCCM is not open)

              a. If you already have a <mscorlib> section, you will need to open a case with Support.  If you are already working with Support, please zip and attach the machine.config file(s) to the case.

              b. If <mscorlib> does not exist, paste the following at the end of the file(s) right before </configuration>






    <cryptoClass SHA256Cng="System.Security.Cryptography.SHA256Cng, System.Core, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>


    <nameEntry name="SHA-256" class="SHA256Cng"/>

    <nameEntry name="SHA256" class="SHA256Cng"/>

    <nameEntry name="System.Security.Cryptography.SHA256" class="SHA256Cng"/>

    <nameEntry name="" class="SHA256Cng"/>





         4. Save the machine.config file.

         5. Attempt to open and use SCCM when Shavlik Patch 2.2 is installed.

    Additional Information

    A future version of Shavlik Protect will correct this behavior at install.


    Affected Product(s)

    Shavlik Patch 2.2