CRM 2011/2013 – Common Plugin Errors and Isolation Mode

I got this plugin error whilst trying to deploy my custom workflow

Error registering plugins and/or workflows. The resource string “ErrorSerializingRegFile” for the “RegisterPlugin” task cannot be found

I have had this error many times, so I thought I would go through the common plugin errors


Common plugin errors

Below is a list of the common plugin errors which can frustrate you for a while


Forgetting to sign the plugin

This is a common thing to forget.  If you plugin won’t register you need to sign the plugin, you can see steps how to do this on my blog post

CRM 2013 – Step by Step Update Plugin Tutorial using the CRM 2013 Development Toolkit

Solution – sign the plugin


Haven’t checked out the crmregister file

This error occurs if the crmregister file is set to read only

Solution – make the crmregister file read only or check it out of source control


Isolation Mode = “Sandbox”

You can also get errors if you haven’t set the isolation mode to the correct value.  Often this can be resolved by setting the isolation mode to none

CRM 2011 – plugins and isolation mode

Solution – change isolation mode = “none”


Error message “Assembly must be registered in isolation” when registering Plugins in Microsoft Dynamics CRM 2011

Solution – Give the user Deployment Administrator role


Type Name incorrect

I added in my custom Workflow into my CRM Developer project.  It wrote a line to the RegisterFile.crmregister but



The CRM Developer toolkit didn’t put in the name space in front of the type.

Solution – Change the typename to include the namespace


Developer Toolkit

The CRM Developer toolkit is great and I love it, most of the time.  Sometimes I can get very frustrated with it, which you can read about here

What would be really good is if there was a way to regenerate the RegisterFile.crmregister from the plugins deployed in the CRM organisation.

I initially thought my problems were due to the CRM Developer toolkit getting itself into a pickle, but it turned out to be something more straight forward


Cannot register or unregister plugins!

The code I wrote was replacing a plugin with custom workflow.  The reasonfor this is by default plugins must run within 2 minutes or they time out.  The plugin was doing a lot of looping/recusive code, updating lots of related entities. This was causing an SQL timeout error.

To get round this I  created my custom workflow, the next step was to unregister the plugin but when I tried I got an error.

Not have enough privilege to complete Create operation for an SDK entity


Isolation mode

Earlier in the week the project had decided to change the plugins from





When you change this isolated setting to none this change the security privileges you need to deploy plugins.

Like most CRM problems the first place I search (and usually find answers) is the Hosk CRM blog


The short answer is plugins with Isolation mode set to Sandbox can be registered by a user with the role of System Administrator.

Plugins with Isolation mode = “none” have to be a deployment administrator

Why X 5

Good CRM Developers are always asking why, 5 times according to wiki


Plugin Security Restrictions

There is a Microsoft a document/web page called

Register and Deploy Plug-Ins

No one ever reads this because it’s very long and detailed and you don’t need to understand all of it to create and register plugins (unless you have a problem of course).

Reading pages such as this one does help to increase your knowledge and understanding of how CRM works, which is why I am looking at it today.  I know there is a problem because I can’t undeploy my plugin or deploy my custom workflow but



Below is the section called Security Restrictions


Security Restrictions

There is a security restriction that enables only privileged users to register plug-ins. For plug-ins that are not registered in isolation, the system user account under which the plug-in is being registered must exist in the Deployment Administrators group of Deployment Manager. Only the System Administrator user account or any user account included in the Deployment Administrators group can run Deployment Manager.

For non-isolated plug-ins, failure to include the registering user account in the Deployment Administrators group results in an exception being thrown during plug-in registration. The exception description states “Not have enough privilege to complete Create operation for an SDK entity.”

The system user account under which the plug-in is being registered must have the following organization-wide security privileges:

  • prvCreatePluginAssembly
  • prvCreatePluginType
  • prvCreateSdkMessageProcessingStep
  • prvCreateSdkMessageProcessingStepImage
  • prvCreateSdkMessageProcessingStepSecureConfig

Deployment Administrator


Deployment Administrator is a special role which can only be given out by a deployment administrator.  When you install CRM the account used to install CRM will be given the only deployment administrator role.  This user can open up the Deployment Manager application which is found on the CRM server.  Here the you can add more Deployment Administrators

If you want to learn more about Deployment Administrator role read the blog below

CRM 2011/2013 – Understanding and adding the deployment administrator role


Why am I talking about deployment administrators

In the security section above, there is this important paragraph.

For non-isolated plug-ins, failure to include the registering user account in the Deployment Administrators group results in an exception being thrown during plug-in registration. The exception description states “Not have enough privilege to complete Create operation for an SDK entity.”

Users are often set up as deployment administrators at the start of the project.  The reason this annoying popped up for me was because we had changed the isolation setting from Sandbox to none.

Before when I was publishing plugins with Isolation mode = “sandbox”, this paragraph was relevant.

For plug-ins registered in the sandbox (isolation mode), the system user account under which the plug-in is being registered must have the System Administrator role. Membership in the Deployment Administrators group is not required.

I added the deployment administrator role to my user and I was back publishing and unpublishing plugin.

CRM 2011/2013 – Understanding and adding the deployment administrator role


The Deployment Administrator role is a vital role in CRM and a mighty powerful role it is too because the user with the deployment administrator role can run the deployment manager console application.

It’s in the Deployment manager you can

  • enable/disable organisations
  • remove organisation
  • add new organisations
  • See how many licences you are using (blog link)
  • Add more Deployment Administrators


The Deployment Administrator is an important role and this role is initially given to the account you used to install CRM.  It’s important this user either creates another Deployment Administrator or that user is available to CRM Developers.

The reason this role is important to CRM Developers is because if you need to be a Deployment Administrator if you want to deploy plugins which have an isolation level = “none”.  This is because the Deployment Administrator role has complete access to the various Active Directory groups and databases (and the Deployment Manager).


The best practice is to have 2 or 3 trusted users who are Deployment Administrators and I would recommend you have an account which is not linked to anyone’s personal active directory users but a CRM Admin user.  This way, if a user goes on holiday it won’t halt CRM development.


How to add a Deployment Administrator

Go to the CRM Server with a user who is a Deployment Administrator

Open the Deployment Manager

Deployment manager

Right click on Deployment Administrator and click – New Deployment Administrator

Deployment manager 1


Add the details of the new Deployment Administrator


Other ways to Add Deployment Admin

You can add a deployment admin user CRM Powershell

What if we don’t know who the Deployment Administrator is?

Oh dear you are in trouble!  but if your deployment Administrator has left or is on holiday you can do it (WARNING UNSUPPORTED CHANGE) using the blog article and SQL script


Why else do I need to know about Deployment Admins

It will often crop up if CRM Developers cannot register or unregister Plugins/custom workflows.  If the plugin/custom workflow is deployed with Isolation Mode = “none” then the user must have the Deployment Administrator role.

CRM 2011 – Assembly must be registered in isolation

What if you are using CRM Online

If you are using CRM online you don’t have to worry about deployment administrators because all plugins are registered with isolation mode = “sandbox” and the user just has to be CRM Administrator.

CRM online doesn’t give you access to the CRM server, so it’s impossible to run the Deployment Manager.


Futher reading

This blog post by the CRM in the Field goes into quite a bit of detail