Debug layer integrity messages

When you’ve shut down the packaging machine and run the Shutdown for Finalize icon on the desktop, you can receive one of the messages explained in this article.

When you run Shutdown for Finalize, it calls uniservice.exe to get the current layer integrity state. Shut down for Finalize is checking to see if any required processes are still pending. If a required process does not shut down, it gives you a message about the pending issue. App Layering writes this information into the following log files:

C:\Program Files\Unidesk\Uniservice\Log\LayerIntegrity.txt C:\Program Files\Unidesk\Uniservice\Log\UniBilcLogs_X.txt

You can’t know exactly which UniBilcLogs file it’s using, so look for the one with the latest timestamp. Search for “Integrity”.

You might think you can bypass the layer integrity check by shutting down the machine and finalizing it. But if you try, the App Layering appliance stops the task and returns you to the packaging machine. The Shutdown for Finalize script has to complete the layer finalization process.

Layer Integrity warnings

The following layer integrity messages tell you what queued operations must be completed before a layer is ready to finalize:

  • “A RunOnce script is outstanding - please check and reboot the packaging machine.”
  • “A post-installation reboot is pending - please check and reboot the packaging machine.”
  • “A Microsoft ngen operation is in progress in the background.”
  • “An MSI install operation is in progress - please check the packaging machine.”
  • “A reboot is pending to update drivers on the boot disk - please check and reboot the packaging machine.”
  • “A Microsoft ngen operation is needed.”
  • “Software Center Client is configured to run, but the SMSCFG.INI is still present.”

You cannot bypass layer integrity messages by shutting down the machine. The App Layering software stops and returns you to the packaging machine until all processes have completed.

If a Microsoft NGen operation is in progress, you can try to expedite it, as described in the next section.

“A RunOnce script is outstanding”

When you create a layer or add a version to it, you can specify a script to run the first time a user logs in after their desktop starts (or restarts). For example, you can use a Run Once script to complete the setup for an application. A Run Once script is a .cmd or .bat file installed on a layer.

After a Run Once script runs on an image, Windows normally deletes the associated Registry keys when it reboots. This message tells you that Windows did not delete a key for a Run Once script from one of these locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

To fix this issue:

  • If the script file no longer exists, delete the Registry key.
  • If the script referenced in the message exists, manually run the script, and then delete the Registry key.

“A post-installation reboot is pending”

This message originates with any of the following registry keys:

  • HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
  • HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETLOGON\Start
  • HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME
  • HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\COMPUTERNAME\COMPUTERNAME
  1. If you see one of these entries, start by rebooting. Reboot multiple times if necessary, until you are sure that the message isn’t a real reboot request by some software.

  2. If the problem is with Net Logon, restart the Unidesk Service for Message Management.

  3. Check for the existence of one of the first three Registry keys from the previous list:

    • HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
  4. Manually modify any of these keys to suit your needs. If you don’t need the keys, you can delete them.

  5. Look for changes in the NetLogon key, to see whether:

    • The value is different from what it was at startup.
    • The computer name is different than the active computer name.

    If there is a discrepancy, fix the setting.

  6. Determine whether a domain-join operation is still waiting for a reboot.

    • HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETLOGON\Start
    • HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME
    • HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\COMPUTERNAME\COMPUTERNAME

    You cannot modify these three Registry keys, but some software can modify the NETLOGON\Start key on every reboot.

After cleaning out the first three keys listed in step #1 you still get the prompt on reboot, you can choose to ignore layer integrity checks. This is a last resort, however, and is not normally recommended. For details about how to ignore layer integrity checks, see the “Last resort” section at the end of this article.

“A Microsoft ngen operation is in progress in the background”

This message is telling you that a foreground or background NGEN operation is still in progress. An NGEN operation is where .Net assemblies are compiled into native images. The message means that the process is still in progress. You can watch the progress.

Warning:

Do not reboot, because it can cause the process to start over.

To watch the progress in the foreground, run ngen update /force. Or, wait it out and run ngen queue status periodically to see how the process is progressing. Keep in mind that running ngen queue status slows the background process, because the background process pauses every time you check its status in the foreground.

It’s important to let the NGEN processes finish. Be patient. If you terminate the process or reboot in the middle, you can end up with partially written .Net assemblies.

If a background process, such as MSCORSVW.EXE (the NET runtime Optimization Service) is not finished within a day, check for stale background processes. A reboot might help.

Once the following services have finished running, you can continue:

  • ngen.exe
  • ngentask.exe
  • mscorsvw.exe

“An MSI install operation is in progress”

This message is saying that a system mutex (mutual exclusion object) named Global\_MSIExecute exists. The MSI installer uses Global\_MSIExecute to ensure that only one installer runs at a time. If you are certain that no MSI installations are happening, there might be a lock on a resource. Go back into the layer and figure out which process is locked.

“A reboot is pending to update drivers on the boot disk”

This message is telling you that a service or driver that is set to start at system boot time was modified or installed, and App Layering wants to make sure the modified driver can boot successfully.

Normally you need to reboot once, and the driver works fine. We have on some occasions seen software (like Microsoft Defender or McAfee) attempt to modify its driver file on every boot, triggering this integrity check every time. No reboots clear it. You may need to use the option of bypassing the layer integrity check, as explained in the section below, “Last resort”.

“a Microsoft NGen operation is needed”

This message is telling you that an application was installed on the packaging machine and that it scheduled items to be updated at a priority level of 3.

At this priority level, the operation only runs when the CPU is idle, and it is waiting until there is no more activity.

To ensure that the application runs in the most optimal way on the published image, App Layering blocks the finalization process, because the NGEN process needs to run on the packaging machine, instead of on every machine where the app is deployed.

With an NGEN eqi 3 (priority level 3), you can either:

  • Run the unfinished operations in both of the following directories:

    • c:\windows\microsoft.net\framework\vYY.MM.Build
    • c:\windows\microsoft.net\framework64\v4.0.30319
  • Wait. The NGEN operation typically runs on its own after 15 minutes of idle time.

The values being examined include:

  • HKLM\SOFTWARE\Microsoft.NETFramework\v2.0.50727\NGenService\Roots\WorkPending
  • HKLM\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v2.0.50727\NGenService\Roots\WorkPending

A value of 1 means that there are work items queued up to be processed.

“Software Center Client is configured to run, but the SMSCFG.INI is still present….”

This message is telling you that this machine has ccmexec.exe configured as a service and that it is not configured as disabled.

Since we know that any layers created on a packaging machine need to be sealed properly to deploy correctly in a VDI environment, we are checking to make sure the SMSCFG.ini is not present. There’s a command file for you to run at the very end of the layer. We have provided the commands to run in a batch command file that you can use to seal the layer. Log into a command window as administrator to run this script:

c:\windows\setup\scripts\SEALSCCMCLIENT.cmd

Expediting a Microsoft NGen operation

The NGEN executable is the Microsoft Native Image Generator. It is part of the .NET system. Ngen recompiles .NET byte code into native images and constructs the registry entries. Windows decides when to run NGEN based on what is being installed and what Windows detects in the configuration. When NGEN is running, always let it complete. An interrupted NGEN operation can leave you with non-functioning .NET assemblies, or other problems in the .NET system.

You have the choice of waiting for the NGEN process to complete in the background, or forcing it to the foreground. You can also check the status of the NGEN operation, as described in the following steps. However, every time you check the queue status, you are creating foreground activity, which might cause the background processing to temporarily pause.

Forcing the NGEN process to the foreground allows you to view progress. You can finalize the layer when the process is complete.

  1. Force an NGEN operation to the foreground. Normally, NGEN is a background operation and pauses if there is foreground activity. Bringing the task into the foreground can help the task to complete as quickly as possible. To do this:
    1. Open a command prompt as Administrator.
    2. Go to the Microsoft .NET Framework directory for the version currently in use:

      cd C:\Windows\Microsoft.NET\FrameworkNN\vX.X.XXXXX

    3. Enter the NGEN command to execute the queued items:
    4. NGEN update /force
    5. This brings the NGEN task to the foreground in the command prompt, and lists the assemblies being compiled.

      Note:

      If you see several “compilation failed messages,” look in the Task Manager to see if an instance of MSCORSVW.EXE is running. If it is, allow it to complete, or rerun NGEN update /force. Do not reboot to stop the task. The task must complete.

  2. Check the status of an NGEN operation
    1. Open a command prompt as Administrator.
    2. Check status by running this command: NGEN queue status
    3. When you receive the following status, the NGEN is complete, and you can finalize the layer. The .NET Runtime Optimization Service is stopped,

If you have a layer that simply won’t ever get to finalize, for whatever reason (like it always thinks it still has a reboot pending, or you don’t care about corrupted .NET assemblies and don’t want to wait for ngen to finish), you can tell that single layer to ignore its layer integrity checks and allow you to shut down to finalize, using a registry key.

Warning:

Only use this key as a last resort! App Layering blocks you from finalizing in these circumstances. Allowing you to finalize can irreparably harm the layer and the image you publish with it. Always try to solve the problem within Windows first!

To ignore layer integrity message (not recommended):

  1. Run regedit.exe and create this key

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Uniservice: “BypassLayerCheck”=DWORD 1

    The value doesn’t matter.All that matters is that the value exists. This blocks all layer integrity checks and allows a layer to be finalized regardless of the harm it could cause to the layer and to the layered images.