Configuration Manager – Does not have permission to update the prereq or state flag of the package

When attempting an upgrade of System Center Configuration Manager v1511 to 1606 I ran into issues relating to the permissions of the Security Scope in Configuration Manager under the account I was doing the upgrade under.

I also had issues enabling Automatic Client upgrade which was grayed out– after some research I found that it was due to the original Full Administrator account which was used by a contractor to do the SCCM environment installation had been deleted from Active Directory and had explicit ownership of All Scopes and Collections which was fixed by taking ownership of the Scope and Collections below.

ConfigMgr Error Object:instance of SMS_ExtendedStatus{ Description = “User \”DOMAIN\\User\” does not have permission to update the prereq or state flag of the package. “;               ErrorCode = 1112017920;      File = “e:\\nts_sccm_release\\sms\\siteserver\\sdk_provider\\smsprov\\sspupdatepackages.cpp”;           Line = 435;              ObjectInfo = “2”;     Operation = “ExecMethod”;        ParameterInfo = “SMS_CM_UpdatePackages.PackageGuid=\”0D256560-ED2C-45B5-8D75-4D38AB3F758C\””;           ProviderName = “WinMgmt”;          StatusCode = 2147749889;};

ConfigMgr Error Object

In order to resolve this issue – I needed to make Changes to the Configuration Manager (SCCM) SQL database. I don’t take responsibility for any damage this may cause and of course highly recommend doing this in Test first, and of course making sure a SQL backup has been done before hand.

1. Open SQL Management Studio with an account that has sysadmin permissions on your SCCM database – and connect to it.

2. Expand Databases, and locate your SCCM database. Right click your database and select New Query

3. Type in or Copy the following Query and Execute it:

select *from RBAC_ADMINS
4. You should now get all the specified Administrators for SCCM role based Full Administrator group; this includes LogonName, DisplayName and their CreatedBy and Created Date

5. Now we need to set the correct permissions on the Security Scope – find the account you want to make Full Administrator (best practice would indicate – this should be an Active Directory group, which your account is then a member of to avoid future problems) and note down the AdminID of your account

6. Clear the Query box and type in:

Update v_securedScopePermissions Set categoryid=‘sms00all’ where adminid=<ADMINID>

7. Replace <ADMINID> with the number of your account, Admin ID without the <>.

8. When you are ready to make the change, click Execute

9. You have now successfully gained Full Administrator permissions over all Scopes and Permissions. Close the SCCM console and relaunch and you should now be able to do the upgrade or enable Automatic client upgrade.

2 replies
  1. Muzz
    Muzz says:

    Wow!, this is the best solution to this I have managed to find – but you are the only one to have done it this way!! Good work! Thanks for posting, worked well for me.

    • Luke
      Luke says:

      Not a problem! This was the fix supplied to me through a Microsoft Premier Support call. So glad it’s worked for you! Was a bit of a pain to resolve and I couldn’t find any information on the internet, not really being a SQL guy myself I wouldn’t have thought about this as a fix – so I felt I should share it.


Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply