Client installing but not registering
Hi all,
Any new (or existing) machine that is imaged is not registering with SCCM. I can see the machine in the SCCM console but Client is listed as No. The site code is listed and Assigned = yes. Site is running in Native mode. From the client machine I cannot see any software advertisements.
ClientIDManagerStartup.log has this:
RegTask: Failed to refresh MP. Error: 0x80004005 ClientIDManagerStartup 29/03/2012 12:09:03 PM 3624 (0x0E28)
CcmExec.log:
Error registering hosted class '{E67DBF56-96CA-4e11-83A5-5DEC8BD02EA8}'. Code 0x80040154 CCMEXEC 19/03/2012 9:10:52 AM 3728 (0x0E90)
LocationServices.log:
Failed to reset certificate request times. (0x80041002) LocationServices 31/10/2011 4:15:11 PM 3616 (0x0E20)
Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f0c LocationServices 9/06/2011 6:55:05 PM 1812 (0x0714)
Failed to update Signing Certificate over HTTP with error 0x80072f0c. LocationServices 9/06/2011 6:55:05 PM 1812 (0x0714)
I'm not sure where to go from here; any help would be greatly appreciated.
Regards, Locust12
April 2nd, 2012 1:00am

0x2f0c = ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED. Is this a general problem or are only some clients affected? Are the required certificates in place?
Torsten Meringer | http://www.mssccmfaq.de
April 2nd, 2012 4:35am

This seems to be a problem for the majority of machines - it is affecting all new machines. Client Auth certificates are given out via GP. SCCM certs were renewed about 3 months ago.
April 2nd, 2012 7:23pm

Could you please let me know the below information?
1. Is it only happening on imaged machines or other machines too?
2. Which OS is it - XP/Windows7?
3. Did you check MPcontrol.log on the management point server? Do you see any error?
4. Do you see any error within execmgr.log (just to get an idea if something is wrong with WMI)?
Regards, AT\
April 3rd, 2012 2:48am

All machines are imaged.
Windows 7
These four lines are repeated in the MPcontrol.log:
CryptVerifyCertificateSignatureEx returned error 0x80090006. SMS_MP_CONTROL_MANAGER 1/04/2012 12:09:21 PM 4032 (0x0FC0)
Certificate has "SSL Client Authentication" capability. SMS_MP_CONTROL_MANAGER 1/04/2012 12:09:21 PM 4032 (0x0FC0)
CryptVerifyCertificateSignatureEx returned error 0x80090006. SMS_MP_CONTROL_MANAGER 1/04/2012 12:09:21 PM 4032 (0x0FC0)
Certificate doesn't have "SSL Client Authentication" capabilities. SMS_MP_CONTROL_MANAGER 1/04/2012 12:09:21 PM 4032 (0x0FC0)
4. Execmgr.log
Failed to instantiate UI Server {C2F23AE4-82D8-456F-A4AF-A2655D8CA726} with error 80004005 execmgr 16/03/2012 11:50:19 AM 5012 (0x1394)
Failed to instantiate UI Server 2 {E8425D59-451B-4978-A2AB-641470EB7C02} with error 80004005 execmgr 16/03/2012 11:50:19 AM 5012 (0x1394)
Failed to instantiate Updates UI Server {2D023958-73D0-4542-8AD6-9A507364F70E} with error 80004005 execmgr 16/03/2012 11:50:19 AM 5012 (0x1394)
Failed to instantiate VApp UI Server {00AAB372-0D6D-4976-B5F5-9BC7605E30BB} with error 0x80004005 execmgr 16/03/2012 11:50:19 AM 5012 (0x1394)
Regards, Locust12
April 3rd, 2012 3:14am

Locust, can you verify that the client certificate is actually getting down to the workstation? Certificates MMC console, Local Machine, Personal Store. Are there multiple certificates in the machine store? You might be selecting the wrong one. Try exporting the certificate which you believe is the problem one and import it into your user personal store. Then try to HTTPS to the MP. It should challenge you for the cert. What happens when you select that cert? Do the IIS logs give you any clue?
April 3rd, 2012 5:58am
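
As an added example (not part of the original thread and not code from any poster), the machine-store check suggested in the post above can be scripted in PowerShell. It assumes an elevated prompt on the affected client; the output property names are chosen for this example.

```powershell
# Added example (not from the thread). Lists every certificate in
# Local Machine\Personal and reports whether it is usable for client authentication.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # OID of the Client Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs. A certificate with no EKU extension is valid for all purposes.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $hasClientAuth = (-not $ekuExt) -or ($ekus -contains $clientAuthOid)

    # Build the chain in machine context. The default policy checks revocation
    # online, so an unreachable CRL shows up in ChainErrors.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chainOk = $chain.Build($cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        InDate        = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = $hasClientAuth
        ChainOk       = $chainOk
        ChainErrors   = $chainErrors
    }
} | Select-Object Thumbprint, Subject, Issuer, NotAfter, InDate, HasPrivateKey,
                  ClientAuthEku, ChainOk, ChainErrors | Format-List
```

With more than one certificate in the store, compare the entries side by side: a usable client certificate shows InDate, HasPrivateKey, ClientAuthEku and ChainOk all True.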

Yes, the client cert is making it to the workstation. Yes, there are multiple certs (two) in the machine store. When I put the suspect cert into the current user\personal store I get a 403 Forbidden when trying to access https://FQDN.SMS_MP (I get this even before moving certs over). IIS logs look ok, a lot of 200's.
I deleted both certs and rebooted on my machine (which was receiving advertisements) and on another which wasn't:
The Client Auth cert is re-applied via GPO to the computer\personal store.
I can still view/run advertisements from my machine.
Still cannot see any advertisements from the other machine.
Regards, Locust12
April 4th, 2012 2:15am

Anyone?
April 10th, 2012 9:43pm

Sorry for the delayed response. "Certificate doesn't have "SSL Client Authentication" capabilities" indicates that it's having some certificate issue. Could you please go through the link and let me know if it still does not help you? http://technet.microsoft.com/en-us/library/bb680733.aspx
I will try to help you until it gets resolved :)
Regards, AT\
April 11th, 2012 11:43pm

Microsoft has released a KB article on the same kind of issue so you can try this one- http://support.microsoft.com/kb/2022502
April 11th, 2012 11:45pm

Hi Atul, thank you for your response. I am familiar with that article; I used it along with http://technet.microsoft.com/en-us/library/cc872789.aspx to provision the new certs. If it helps, I did notice in Control Panel > Configuration Manager (32-bit) that all components were installed but none enabled; also the site code was not set. If I click Repair it does enable and disable some components and set the correct site code. After the repair the Run Advertised Programs is still empty but the window now shows the name of my company. I have also confirmed the Client Auth cert is installed on the MP.
Regards, Locust12
April 12th, 2012 3:17am

I did not see KB977377 installed on either client or server. Regards, Locust12
April 12th, 2012 3:22am

Ok great, it means the client is now reporting fine and registering with the MP (correct me if I am wrong). Now, could you also check whether you have added the respective IP subnet (based on your client machine's IP address) to the SCCM site boundaries? Please let me know if any help is required.
April 20th, 2012 4:44am

The site is listed as an Active Directory site - not by IP subnet. Regards, Locust12
April 22nd, 2012 9:27pm

Ewww, yuck. Using anything but IP Address Range boundaries will lead to issues in many environments.
Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
April 23rd, 2012 12:06am

haha ok I have just changed the boundary to IP subnet.
April 23rd, 2012 12:37am

No, not IP Subnet. Those are part of the "Ewww, yuck". You should use IP Address Range boundaries -- there are major differences.
Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
April 23rd, 2012 1:55am

Ahh sorry, I have now changed this to IP Address range. Regards, Locust12
April 23rd, 2012 2:02am

Hi Locust, any update on the resolution? Has your issue been fixed after configuring the right IP address range within the SCCM site boundaries? I think now it should be fixed :)
April 23rd, 2012 4:39am

I have just tested with a freshly deployed machine and the problem still exists. I notice the same behaviour as earlier - "Control Panel > Configuration Manager (32-bit) that all components were installed but none enabled also the site code was not set. If I click Repair it does enable and disable some components and set the correct site code. After the repair the Run Advertised Programs is still empty but the window now shows the name of my company." The client is showing as "no" in the SCCM console. Are there any specific logs etc. that will help with this?
Regards, Locust12
April 23rd, 2012 7:27pm

How was the image created? Was it properly sysprepped? Does it have the ConfigMgr agent in it? Was the agent properly prepared for imaging (http://technet.microsoft.com/en-us/library/bb694095.aspx)? Is the client stuck in provisioning mode (http://blogs.technet.com/b/configurationmgr/archive/2010/09/13/solution-after-a-configmgr-2007-osd-task-sequence-completes-the-client-may-not-automatically-pull-down-policy.aspx)?
Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
April 23rd, 2012 10:30pm

Hi Jason,
The image was created using Capture Media which I created from the SCCM console. The machine was removed from the domain, and not activated. No other steps were taken in sysprepping (I thought the Capture Media did the Generalise step). I don't think the agent was installed prior to capturing this image. It is deployed as part of the TS. I will prepare another machine and go through the provisioning steps in the link you sent, then test again.
The client has all the symptoms listed in the last link except the reg keys are not in provisioning mode, i.e.:
Provisioning mode=false
SystemTaskExcludes= (empty)
I will update again when I have tested with a new image. If there is anything else please let me know.
Regards, Locust12
April 26th, 2012 1:03am

Sorry for the delay in getting to test this, other network issues came about which demanded my attention. It seems that the client agent was not properly prepared for imaging. After following the steps in the link you provided and recreating the master image all worked fine. I am now able to see all advertisements again. Thanks again for your assistance.
Regards, Locust12
May 3rd, 2012 3:07am
