Any Tanjay family device (Polycom CX700, LG-Nortel 8450) currently running a Communicator Phone Edition (CPE) release (1.x or 3.5.x) cannot update directly to the Lync Phone Edition (LPE) CU6 (4.0.7577.4100) release due to a change in the way the newest firmware package was created.
For clarification the Cumulative Update for June 2012 release is commonly referred to as Cumulative Update 6 (CU6) and the previous March 2012 release was Cumulative Update 5 (CU5). Although official Microsoft documentation for Lync will not use the numeric identifiers for the various releases, throughout unofficial articles and technical forum discussions the CU nomenclature is widely used.
This can cause problems as newly purchased Tanjay devices will still ship with the older OCS firmware version because the CX700 is the only Lync Phone Edition devices supported with Office Communications Server. As there is no supported downgrade process to go from a newer Lync 4.x version down to an older OCS 3.5.x version then shipping these devices pre-installed with Lync firmware would prevent deployments still utilizing OCS from using the phones. (For an unsupported rollback procedure see Chris Lehr’s blog article.)
Workaround
Instead the device will need to first be updated to any previous Lync version (4.0.7576.0 through 4.0.7577.4066) and once that is complete then it can then be upgraded to the .4100 (CU6) release successfully.
But when Microsoft releases a new cumulative update the previous version is replaced on their download site, so only the latest version is ever available for download.
Until Microsoft provides a link to download a previous version of the firmware the February 2012 (CU5) update file for the Tanjay devices can be downloaded directly from here: ucupdates_tanjay_cu5.cab
In the event that the latest update has already been approved on the Lync Server then an earlier version needs to be restored.
- Using the Lync Server Control Panel navigate to the Clients > Device Update section and highlight the line for the desired device (e.g. CX700). In the following example the .4100 version has already been approved.
- Select Restore from the Action menu to activate the previously used .4066 version.
Root Cause
To understand the cause of this issue the individual firmware packages can be opened to identify what has changed between previous Cumulative Updates and the most recent June 2010 release (CU6).
- Browse to the DeviceUpdateStore folder on the Front End pool file share and open any of the Tanjay family devices. The example below shows all installed firmware versions for the Polycom CX700 for English packages on Hardware Revision A devices. The available versions shown below are the RTM release (.0) the CU5 package (.4066) and the CU6 package (.4100).
\\lync\share\1-WebServices-1\DeviceUpdateStore\UCPhone\Polycom\CX700\A\ENU
- Open the 4.0.7577.4066 folder and browse down to the expanded firmware files as shown below.
- Open the CPE.bat file to view the Security Catalog information in Windows Explorer which will display details about the certificate used to sign the digital package. Then click the View Signature button on the General tab to view additional details about the digital signature.
- On the Digital Signature Details window click the View Certificate button on the General tab to show the actual digital certificate information.
- On the package Certificate window switch to the Certification Path tab, then highlight the Microsoft Root Authority object in the path and then click the View Certificate button. This will open the certificate details for the root certificate authority used to sign the certificate on this firmware package.
- On the root Certificate window switch to the Details tab, taking note that the Signature Algorithm used to sign the root certificate authority certificate is MD5 (Message-Digest Algorithm). Also note the name “Microsoft Root Authority”.
- Now return to the original folder containing the different packages and then browse down to the CPE.cat file stored in the latest 4.0.7577.4100 (CU6) package.
- Perform the exact same steps as before to locate and identify the Signature Algorithm on the root certificate authority certificate sued for the .4100 package. Notice that this package is now signed using SHA1 (Secure Hash Algorithm), and not MD5. Also note that the root CA is different
When comparing the root certificates side-by-side the unique names (Microsoft Root Authority versus Microsoft Root Certificate Authority) indicate that these packages were singed by completely different CAs using different signature algorithms and different key lengths. (Note that the validity periods on both CAs are still nowhere near the expiration dates.)
The root cause is that the newer root certificate authority certificate used to the sign the certificate issued to the firmware package has changed in the 4.0.7577.4100 (CU6) release. All Lync Phone Edition packages prior to CU6 have always used an MD5 algorithm. MD5 is an older cryptographic hash function that has long been known to be unsuitable for use in digital signatures and most current applications have migrated to at least SHA1, if not beyond to SHA2.
On the surface this should not present too much of a problem as this is not a widespread issue since all Lync Phone Edition client versions (4.x) are compatible with both MD5 or SHA1 algorithms. But the earlier Communicator Phone Edition client versions (1.x and 3.5.x) are not compatible with the newer SHA1 format.
Since all newer Aries models phones have only ever shipped with the Lync 4.x versions, then the only devices impacted by this incompatibility are the Tanjay family devices. Thus when a device running any version prior to 4.x downloads the 4.0.7577.4100 package it will not be able to validate the issuing certificate authority’s certificate and will fail to install the update in the inactive partition.
This is why the update must now be a two-step process in that any Cumulative Release prior to CU6 must be installed on the Tanjay first. And once it has a working 4.x version then the latest 4.0.7577.4100 release can be approved and successfully installed on it. It is also safe to assume that future updates (e.g. CU7) will continue to use the newer root certificate authority so this two-step process will most likely still be required.
[…] Lync Phone Edition CU6 Upgrade Issues : Jeff Schertz’s Blog Posted on August 25, 2012 by johnacook http://blog.schertz.name/2012/08/lync-phone-edition-cu6-upgrade-issues/ […]
Another excellent deep dive, that we’d never ever hear from MS. Since Lync RTM, I constantly feel that MS abandoned the Tanjay family, even though its still the flagship model. I hope MS wont discontinue the Tanjay in Wave15.
that explains it. I thought I was going nuts.
Thanks.
All this and a link to the CU5 update thanks again.
An exccelent post Jeff Thanks! keep up the good work.
[…] full explaination of this odd behaviour is explained here by Jeff Schertz but the brief version is that Microsoft have changed the Root CA that signs the […]
Great post – thanks for linking my article 😉
Great post –
Any idea why your Lync control panel, device update has a colum for Revision and mine doesn't?
Thanks…
I rearranged the columns for that screen shot, so check to see if yours is just hidden off the window by scrolling over.
[…] the old CU5. Whole thread is here direct link is here. Problem in details is described by Jeff here. Thank you […]
I have a situation with CX700 older version, 1.0.452 beta vesion. We only have Lync2010. How can I upgrade the firmware so that it connects to Lync2010. I heard someone was lucky to get the firmware from Ploycom and upgraded the phone first to like 1.0.522…
Can you help us where to go from here?
Thanks
Joe
Joseph, take a look at this article: http://howdouc.blogspot.com/2011/11/mission-updat…
[…] Attention, la musique d’attente n’est pas stipulée dans la mise à jour pour les CX700 et LG 8540. Je vous rappelle aussi que pour mettre à jour ces téléphones, il faut vous assurer que votre téléphones est bien dans la dernière version de CU, sinon, je vous invite à consulter l’article de Jeff SCHERTZ : http://blog.schertz.name/2012/08/lync-phone-edition-cu6-upgrade-issues/ […]
[…] Jeff Schertz, a Lync Server MVP and blogger at http://Blog.Schertz.Name, has posted an explanation and workaround for the CU5-to-CU7 upgrade issue: Lync Phone Edition CU6 Upgrade Issues – Jeff Schertz’s Blog […]
Thank you sir. I just used this to upgrade to the 4/18/2013 update (CU7?) 4.0.7577.4387 (2.1) on the CX700. I went directly from the CAB (CU5) you provided to the newest from MS, and it worked like a charm. I just wish I would have found your article 5 hours ago!
Yes, excellent post. I'm pasting my phone's error log below (hoping it will help others find this via search engines).
======================================================================================
0:02:37.667.326 : Raw data 83 (wchar), 06/26/2013|07:39:50 UPRO: preValidateCB() hContext = 42bc0, download time=127926
0:02:37.667.566 : Raw data 52 (wchar), 06/26/2013|07:39:50 DownloadAuditThread() exiting
–:–:–.—.— : ====================== Data loss counter: 0 bytes lost ======================
–:–:–.—.— : ====================== Data loss counter: 0 bytes lost ======================
. . .
–:–:–.—.— : ====================== Data loss counter: 0 bytes lost ======================
0:02:42.654.981 : Raw data 85 (wchar), 06/26/2013|07:39:55 UPRO: notifyValidateCompleteCB() hContext = 42bc0, dwError = 2
0:02:42.690.355 : Raw data 123 (wchar), 06/26/2013|07:39:55 UPRO: postImageUpdateCB() hContext = 42bc0, pInfo = 00185E20, pInfo->dwStatusCode = 200, dwError = 2
0:02:42.690.457 : Raw data 74 (wchar), 06/26/2013|07:39:55 UPRO: postImageUpdateCB() error downloading index 1
0:02:42.722.503 : Raw data 55 (wchar), 06/26/2013|07:39:55 UPRO: cleanup() hContext = 42bc0
0:02:42.724.671 : Raw data 55 (wchar), 06/26/2013|07:39:55 UPRO: Deleting DSK1TEMPCPE.nbt
–:–:–.—.— : ====================== Data loss counter: 0 bytes lost ======================
. . .
0:02:46.825.229 : Raw data 55 (wchar), 06/26/2013|07:39:59 UPRO: Deleting DSK1TEMPCPE.cat
0:02:46.841.927 : Raw data 86 (wchar), 06/26/2013|07:39:59 UPRO: scheduleNextUpdate() hContext = 42bc0 interval = 86400000
Jeff, great post as always!! I have a CX700 ver 3.5.6907.187 and can't get it to upgrade. I assume it's because of what you mention here:
On the surface this should not present too much of a problem as this is not a widespread issue since all Lync Phone Edition client versions (4.x) are compatible with both MD5 or SHA1 algorithms. But the earlier Communicator Phone Edition client versions (1.x and 3.5.x) are not compatible with the newer SHA1 format.
Do you have access to earlier 4.x version that is MD5?
Thanks,
Jeff
Yes, this article has a link to the CU5 firmware.
Thanks! I missed the part above where you show the root authoritybeing md5. Everything I saw in the cpe.cat file I downloaded showed to be sha1 for the .4066 update; this led me to believe I needed a version prior to that to get the md5 version. I just need to slow down and read!!
Hi All
Lync Phone Edition CU5 seems to be available on MS site :
for french version : http://www.microsoft.com/fr-fr/download/details.a…
for English version : http://www.microsoft.com/en-us/download/details.a…
note that just fr-fr change with en-us. More languages could be retrieved by changing this part of URL.
hope this helps
hi,
great post, it's possible to link CU7?
Hi, where I found the old cumulative updates for Aastra 6715ip and 6721ip. In the microsoft site allways redirect to the last.
Thanks
Microsoft does not host old versions as the cumulative updates contain all previous fixes. If for some reason you need a specific older version you'll have to search around online or ask in a technical forum where someone who happened to keep the older versions may be willing to share. I don't have access to older releases as they are generally not recommended for use once a new version is available.
HI, I have one Aastra 6725ip With Lync Phone 2010 Beta. I loaded the CU7 in Lync Server, the phone not update after some restarts and long time inactivity. I see the Get from the phone in IIS log of front end server, but the phone never update. In phone I see Last Update Status 0x2/200.
I need update to CU6 first?
I don't know. I haven't updated an Aries phone with beta software in quite some time so it is possible that this is the same problem. I would test updating to RTM or an early update (e.g. CU1 or CU2) to see if that resolves the issue.
Thank you very much for clearing this up for us. Would you mind linking a CU5 update for the CX500/CX600/CX3000 series as well?
There is no need for the older updates for the Aries devices as they are not impacted by this issue. Only the Tanjay device is.
Jeff, is there a method of updating a CX700 to CU5 rollup manually? i.e. without deploying on the Lync Server? If possible, it would solve a few issues. Presently, we are in transition from a Lync 2010 environment to Lync 2013 backend. I've asked about getting CU5 installed, but MS rep states they will only deploy CU7 on Lync. We have about 5 CX700 running 3.5 code. The rest are CU7, so no issues there.
Thank you in advance
Richard
Jeff,
is there a way to update CX700 Tanjay devices manually, i.e. not through Lync 2013 server but rather directly?
No, only the device update service on the server can be used. There is no manual process.
Jeff, thanks as always for helping make life easier for people like me!
I've followed your instructions. the CX700 is on firmware 1.0.522.34, so installed the linked CAB file and verified it was there in CSCP (we're on Lync 2013). Rebooted the phone and it tried to update again, but we still got the same Update Status code.
I've looked all over the IIS logs on our FE Server, but don't see anything hitting. The sign in error that the phone displays does acknowledge that it's firmware needs to be updated.
I'm not sure where else to look or what else to try.
Thanks!
-Eric
Does the IIS log indicate that the device attempted to, or was able to download the actual package?
[…] OCS 3.5.x.x directly to the latest update. For more information, check Jeff Schertz’s blog Lync Phone Edition CU6 Upgrade Issues. To download this version you need to […]
I have a problema with CX-700 polycom Phone on Lync-2013, the update pack 4.0.75577.4066 is correctly installed and approved, but the plycom pone doesn’t update, it shows an error 0x2/0, I could send a PDF with the screens
what could be wrong?
Douglas, as covered at the end of my troubleshooting article that error means ‘FILE_NOT_FOUND’ so there may be a problem with how the file is stored in the Lync Web Service distribution point. I’ve not seen this error before so I can’t say as to what the problem might be. You could try re-importing the package, or approving a newer/older package as well.
[…] OCS 3.5.x.x directly to the latest update. For more information, check Jeff Schertz's blog Lync Phone Edition CU6 Upgrade Issues. To download this version you need to […]
Hi Jeff,
Many thanks for the postings on OCS/Lync. They have been very useful.
I have found some IP8540 phones from an office clear out and got them working successfully on OCS2007R2 (which included the firmware upgrade from 1.5 to 3.x)
I have now got a Lync 2013 environment built and now trying to get them working on Lync 2013.
They are current in a installing/downloading certificate loop and wondered if they need got get past this stage before getting the CU5 then CU6/7 firmware installed?
Which logs would be useful to check to work out what is going on?
Regards
Giles
This article covers what to look at for updating issues: http://blog.schertz.name/2012/03/troubleshooting-lync-phone-edition-issues/
Jeff,
Any chance you have a list of the minimal firmware versions that connect to different Lync and Skype for Business editions for the Polycom CX700
For Example:
CX700 version 1.0.522.101 connects up to Lync 2010 CU1
CX700 version 4.0.7577.4047 connects up to Skype for Business RTM
CX700 version 4.0.7577.4463 connects up to Skype for Business via Office 365
Why do I ask this question I have a Polycom CX700 that is running 1.0.522.101 and I get a message that I am unable to sign into the phone due to the old firmware installed when signing in against my Skype For Business. I have approved the Lync 2010 CU5 update but since I can’t sign into the phone it appears it will not download the new firmware.
Any ideas other then building a temp AD and Lync 2007/2010 environment?
Unfortunately, using a swing server is the only option to get over these humps between version mismatches.
A bit late to the conversation, but I have two phones that out of the box booted up with 1.0.522.101. It turns out there is a second partition and these two phones had a 3.5 version on that second partition. The procedure for switching partitions is to reset and calibrate the phone (using a paper clip in the small hole on the back) five times in a row. If you can get to the 3.5 version you stand a better chance of updating from Skype for Business rather than building out a Lync 20xx environment.
For the life of me I couldn’t get a CX700 to update, even after setting the approved version to CU5. What I found was the phone was at version 3.5.6907.35 and the client version policy was blocking clients earlier than 3.5.6907.233. Once I lowered that from 233 to 1 I went from getting the 0x2 error to getting 0x0/200.
Now to see if it will get that 4066 update…
Does anyone have the CU5 for the CX3000 model? I need it to be able to update my device.
Even here it isn’t available
https://onedrive.live.com/?authkey=%21AAU0GY0RjE9ILqc&id=FF04F2F514D1EFC%2136103&cid=0FF04F2F514D1EFC
Thanks!
Nikolas
Nikolas, the Aries family of CX phones including the CX3000 do not have the limitation in this article. You should upgrade to the latest available CU on that device.
Hi Jeff,
I have a Polycom CX700 running version 1.0.522.101. I have tried to introduce it to our Lync 2013 on prem environment to enable itself to upgrade. I have tried applying the CU5 update as per your blog but it is still not updating. I have applied all nessesary DHCP, DNS settings.
It also seems to be in the incorrect time zone but i am unable to sign into the device as the firmware (i can only assume will not allow sign in)
Any help would be awesome
Thanks
James
[…] OCS 3.5.x.x directly to the latest update. For more information, check Jeff Schertz’s blog Lync Phone Edition CU6 Upgrade Issues. To download this version you need to […]