Workgroup client, mixed mode, registration problem (I think)
Hi, I'm sorry if this has been answered before, but I've been looking at this for a couple of days now and have looked at as many threads as I could, but nothing seems to shed light on what's happening. I could just be misunderstanding what I'm reading.

So we have a single server running SCCM 2007 SP2 on Windows 2008 R2 Standard in mixed mode. Switching to native mode is currently not possible due to various factors. Most clients up to now have been domain joined, and all has been working OK. I am now looking to manage various servers that are either in a workgroup or joined to another domain to which there is no trust, and it is not possible to set one. According to the documentation this should not be too hard to do, and the computers joined to the other domain can be considered as workgroup computers. I have set a Network Access Account, I have set up WINS and I have manually installed the client using these options:

ccmsetup.exe /mp:essccm02v SMSMP=ESSCCM02V SMSSITECODE=SVR SMSSLP=ESSCCM02V CCMENABLELOGGING=True

When I view the Configuration Manager applet on the client, it seems to have the correct info, knows the site code and has an FQDN for the management point. However, only the 'Machine Policy Retrieval & Evaluation Cycle' and 'User Policy Retrieval & Evaluation Cycle' actions are available, but I imagine this is because it has not registered with the server and pulled down any other policies. Each time the agent starts this is the output from the ClientIDManagerStartup.log:

RegTask - Executing registration task synchronously. ClientIDManagerStartup 07/04/2011 16:59:44 868 (0x0364)
Read SMBIOS (encoded): 56004D00770061007200650 (truncated) ClientIDManagerStartup 07/04/2011 16:59:44 868 (0x0364)
Evaluated SMBIOS (encoded): 56004D0077006(truncated) ClientIDManagerStartup 07/04/2011 16:59:44 868 (0x0364)
No SMBIOS Changed ClientIDManagerStartup 07/04/2011 16:59:44 868 (0x0364)
SMBIOS unchanged ClientIDManagerStartup 07/04/2011 16:59:44 868 (0x0364)
SID unchanged ClientIDManagerStartup 07/04/2011 16:59:44 868 (0x0364)
HWID unchanged ClientIDManagerStartup 07/04/2011 16:59:44 868 (0x0364)
RegTask: Initial backoff interval: 1 minutes ClientIDManagerStartup 07/04/2011 16:59:45 868 (0x0364)
RegTask: Reset backoff interval: 257 minutes ClientIDManagerStartup 07/04/2011 16:59:45 868 (0x0364)
Registry entry 'Internet MP Hostname' is either missing or empty. ClientIDManagerStartup 07/04/2011 16:59:46 868 (0x0364)
GetSystemEnclosureChassisInfo: IsFixed=FALSE, IsLaptop=FALSE ClientIDManagerStartup 07/04/2011 16:59:46 868 (0x0364)
Computed HardwareID=2:F432B49663B14E57E61999D78FA32D7378DF3225 Win32_SystemEnclosure.SerialNumber=<empty> Win32_SystemEnclosure.SMBIOSAssetTag=<empty> Win32_BaseBoard.SerialNumber=None Win32_BIOS.SerialNumber=VMware-50 2b 4d 0b b3 3a 67 93-5d 94 b1 e2 89 e1 73 d1 Win32_NetworkAdapterConfiguration.MACAddress=00:50:56:AB:3A:B5 ClientIDManagerStartup 07/04/2011 16:59:46 868 (0x0364)
Registration Signature: FA6BC52FF83DB241689(truncated) 868 (0x0364)
RegTask: Client registration is pending. ClientIDManagerStartup 07/04/2011 16:59:46 868 (0x0364)
RegTask: Client is pending registration. Sending confirmation request... ClientIDManagerStartup 07/04/2011 16:59:46 868 (0x0364)

The client will then sit there repeating the 'Client is pending registration. Sending confirmation request ....'.

Each time it does this there seems to be a matching entry in the MP_RegistrationManager.log. This section again shows the entries from the service starting on the client, and I have verbose logging enabled.

MP Reg: Message ReplyTo : direct:dummy:dummy MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Message Timeout : 0 MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Message Body : <ClientRegistrationRequest><Data RequestType="Registration" TimeStamp="2011-04-07T15:59:46Z" SMSID=""><AgentInformation AgentType="0" AgentVersion="4.00.6487.2000"/><Certificates><Signing Encoding="HexBinary">308201D43082014(truncated)</Signing><Encryption Encoding="HexBinary">308201D53082014(truncated)</Encryption></Certificates><DiscoveryProperties><Property Name="Netbios Name" Value="BOPSXP"/><Property Name="FQ Name" Value="bopsxp"/><Property Name="Locale ID" Value="2057"/><Property Name="InternetFlag" Value="0"/><Property Name="HardwareID1" Value="2:F432B49663B14E57E61999D78FA32D7378DF3225"/></DiscoveryProperties></Data><Signature><SignatureValue>FA6BC52FF83DB241689CBCA7E(truncated)</SignatureValue></Signature></ClientRegistrationRequest> MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Parsing done. MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Successfully created certificate context. MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Successfully created context from the raw signing certificate. MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Successfully created certificate context. MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Successfully created context from the raw encryption certificate. MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Registration Signature: FA6BC52FF83DB241689(truncated) MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: DDR file written to F:\Microsoft Configuration Manager (x86)\inboxes\auth\ddm.box\regreq\5H5ICE5V.RDR MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Mp Reg: Reply message <ClientRegistrationResponse ResponseType="Registration" TimeStamp="2011-04-07T15:59:46Z" Status="1" SMSID="GUID:7D5BF5D0-CA9D-491D-A718-61F5E012C8D3"/> MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Processing completed. Completion state = 0 MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Message ReplyTo : direct:dummy:dummy MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Message Timeout : 0 MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Message Body : <ClientRegistrationRequest><Data RequestType="Confirmation" TimeStamp="2011-04-07T15:59:46Z" SMSID="GUID:7D5BF5D0-CA9D-491D-A718-61F5E012C8D3"><AgentInformation AgentType="0" AgentVersion="4.00.6487.2000"/></Data><Signature><SignatureValue>15AE957C6(truncated)</SignatureValue></Signature></ClientRegistrationRequest> MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Parsing done. MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
spIMPDB2->GetClientPublicKeyEx( (LPCWSTR)sSMSID, &pPublicKey, &ulPublicKeyLen, &enumKeyType, &enumAgentType, &enumStatus ), HRESULT=80040238 (e:\nts_sms_fre\sms\mp\registration\regtask.cpp,1321) MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Message ReplyTo : direct:dummy:dummy MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Message Timeout : 0 MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Message Body : <ClientRegistrationRequest><Data RequestType="Registration" TimeStamp="2011-04-07T15:59:46Z" SMSID=""><AgentInformation AgentType="0" AgentVersion="4.00.6487.2000"/><Certificates><Signing Encoding="HexBinary">308201D430820141(truncated)</Signing><Encryption Encoding="HexBinary">308201D53(truncated)</Encryption></Certificates><DiscoveryProperties><Property Name="Netbios Name" Value="BOPSXP"/><Property Name="FQ Name" Value="bopsxp"/><Property Name="Locale ID" Value="2057"/><Property Name="InternetFlag" Value="0"/><Property Name="HardwareID1" Value="2:F432B49663B14E57E61999D78FA32D7378DF3225"/></DiscoveryProperties></Data><Signature><SignatureValue>FA6BC52FF83D(truncated)</SignatureValue></Signature></ClientRegistrationRequest> MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Parsing done. MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Successfully created certificate context. MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Successfully created context from the raw signing certificate. MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Successfully created certificate context. MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Successfully created context from the raw encryption certificate. MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Registration Signature: FA6BC52FF83DB2416(truncated) MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: DDR file written to F:\Microsoft Configuration Manager (x86)\inboxes\auth\ddm.box\regreq\5H5ICE5V.RDR MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Mp Reg: Reply message <ClientRegistrationResponse ResponseType="Registration" TimeStamp="2011-04-07T15:59:46Z" Status="1" SMSID="GUID:7D5BF5D0-CA9D-491D-A718-61F5E012C8D3"/> MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Processing completed. Completion state = 0 MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Message ReplyTo : direct:dummy:dummy MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Message Timeout : 0 MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Message Body : <ClientRegistrationRequest><Data RequestType="Confirmation" TimeStamp="2011-04-07T15:59:46Z" SMSID="GUID:7D5BF5D0-CA9D-491D-A718-61F5E012C8D3"><AgentInformation AgentType="0" AgentVersion="4.00.6487.2000"/></Data><Signature><SignatureValue>15AE957C67B6FA77289(truncated)</SignatureValue></Signature></ClientRegistrationRequest> MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Parsing done. MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
spIMPDB2->GetClientPublicKeyEx( (LPCWSTR)sSMSID, &pPublicKey, &ulPublicKeyLen, &enumKeyType, &enumAgentType, &enumStatus ), HRESULT=80040238 (e:\nts_sms_fre\sms\mp\registration\regtask.cpp,1321) MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Failed to get client(GUID:7D5BF5D0-CA9D-491D-A718-61F5E012C8D3) public key: 0x80040238 MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Mp Reg: Reply message <ClientRegistrationResponse ResponseType="Confirmation" TimeStamp="2011-04-07T15:59:46Z" Status="1"/> MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Processing completed. Completion state = 0 MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
Mp Reg: Reply message <ClientRegistrationResponse ResponseType="Confirmation" TimeStamp="2011-04-07T15:59:46Z" Status="1"/> MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)
MP Reg: Processing completed. Completion state = 0 MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)

The client never shows up under the 'All Systems' collection for manual approval, and it seems that the server is having problems getting the public key for the client from the client. Both client and server are running Windows Firewall, but I have tried with both disabled and this has made no change to what's happening in the logs. I have checked that the system account has permissions on the 19c.... file under C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. I have tried deleting the certificate with ccmdelcert.exe. I have added the root CA for the domain the SCCM server is in to the trusted certificate authorities on the client, though as this is not native mode I didn't think I had to do too much with certificates. As I've been banging my head against this for a couple of days now I've currently run out of ideas as to how to approach this further, other than calling MS. If anyone has come across this before or has some suggestions I would be grateful.

Regards,
Jay Quige.
April 7th, 2011 1:19pm
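The two logs in the post show the same loop from both ends: the client keeps sending a Confirmation, and on every pass the MP answers the Registration with Status="1" and an SMSID, then fails the Confirmation with 0x80040238 because it cannot find a public key stored for that SMSID. The script below is an added example (not from the thread, and not Microsoft's code) that parses ConfigMgr-style logs and flags that pattern. It understands the on-disk record format (<![LOG[...]LOG]!><time=... date=... component=... thread=...>) and the flat one-entry-per-line form pasted above. The embedded sample text is constructed from the entries quoted in the post; the 'Client is registered' success string is an assumption about what a healthy ClientIDManagerStartup.log contains.

```python
"""Spot the ConfigMgr 2007 client-registration loop from the two logs in the thread.
Added example, not code from the thread or from Microsoft. Handles two log shapes:
  on-disk:  <![LOG[message]LOG]!><time="..." date="..." component="..." ... thread="NNN" ...>
  flat:     <message> <Component> dd/mm/yyyy hh:mm:ss <thread> (0xhex)   (as pasted in the post)
"""
import re
from collections import Counter, defaultdict

RAW_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" component="(?P<comp>[^"]*)"'
    r'[^>]*?thread="(?P<thread>\d+)"', re.S)
FLAT_RE = re.compile(
    r'^(?P<msg>.*?)\s+(?P<comp>\S+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+'
    r'(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<thread>\d+)\s+\(0x[0-9A-Fa-f]+\)$')


def parse_log(text):
    """Return [(component, message), ...] in file order; lines without a full trailer are skipped."""
    if '<![LOG[' in text:
        return [(m['comp'], m['msg'].strip()) for m in RAW_RE.finditer(text)]
    entries = []
    for line in text.splitlines():
        m = FLAT_RE.match(line.strip())
        if m:  # e.g. the wrapped 'Registration Signature' line has no component/date and is dropped
            entries.append((m['comp'], m['msg'].strip()))
    return entries


# --- client side: ClientIDManagerStartup.log ---
PENDING = 'Client is pending registration'
REGISTERED = 'Client is registered'  # assumed success text of a healthy log; verify against your version


def analyse_client_log(entries):
    """Count confirmation retries and report whether the client ever left the pending state."""
    msgs = [msg for comp, msg in entries if comp == 'ClientIDManagerStartup']
    pending = sum(PENDING in msg for msg in msgs)
    registered = any(REGISTERED in msg for msg in msgs)
    return {'pending_attempts': pending, 'registered': registered,
            'stuck': pending > 0 and not registered}


# --- MP side: MP_RegistrationManager.log ---
REG_REPLY_RE = re.compile(
    r'<ClientRegistrationResponse ResponseType="Registration"[^>]*Status="(?P<status>\d+)"'
    r'[^>]*SMSID="(?P<smsid>GUID:[0-9A-Fa-f-]+)"')
PUBKEY_FAIL_RE = re.compile(
    r'Failed to get client\((?P<smsid>GUID:[0-9A-Fa-f-]+)\) public key: (?P<hr>0x[0-9A-Fa-f]+)')
DDR_RE = re.compile(r'DDR file written to (?P<path>.+\.RDR)', re.IGNORECASE)


def analyse_mp_log(entries):
    """Correlate Registration replies with failed Confirmations per SMSID."""
    issued = Counter()             # SMSID -> Registration replies carrying that SMSID
    failed = defaultdict(Counter)  # SMSID -> HRESULT -> failed public-key lookups on Confirmation
    regreq_dirs = set()            # where the MP drops .RDR files for Discovery Data Manager
    for comp, msg in entries:
        if comp != 'MP_RegistrationManager':
            continue
        if (m := REG_REPLY_RE.search(msg)):
            issued[m['smsid']] += 1
        elif (m := PUBKEY_FAIL_RE.search(msg)):
            failed[m['smsid']][m['hr']] += 1
        elif (m := DDR_RE.search(msg)):
            regreq_dirs.add(m['path'].rsplit('\\', 1)[0])
    # An SMSID the MP handed out and then could not find a key for is the loop signature.
    looping = sorted(s for s in issued if failed.get(s))
    return {'issued': dict(issued), 'failed': {s: dict(c) for s, c in failed.items()},
            'looping_smsids': looping, 'regreq_dirs': sorted(regreq_dirs)}


# Constructed sample in the on-disk format, mirroring the client entries quoted in the post.
CLIENT_LOG = ''.join(
    f'<![LOG[{m}]LOG]!><time="16:59:4{i}.000+000" date="04-07-2011" '
    f'component="ClientIDManagerStartup" context="" type="1" thread="868" file="">\n'
    for i, m in enumerate([
        'RegTask: Reset backoff interval: 257 minutes',
        'RegTask: Client registration is pending.',
        'RegTask: Client is pending registration. Sending confirmation request...',
        'RegTask: Client is pending registration. Sending confirmation request...']))

# Flat-form MP entries trimmed from the post, repeated for two passes through the loop.
_STAMP = ' MP_RegistrationManager 07/04/2011 16:59:45 1092 (0x0444)'
MP_LOG = '\n'.join(m + _STAMP for m in [
    'MP Reg: DDR file written to F:\\Microsoft Configuration Manager (x86)\\inboxes\\auth\\ddm.box\\regreq\\5H5ICE5V.RDR',
    'Mp Reg: Reply message <ClientRegistrationResponse ResponseType="Registration" TimeStamp="2011-04-07T15:59:46Z" Status="1" SMSID="GUID:7D5BF5D0-CA9D-491D-A718-61F5E012C8D3"/>',
    'MP Reg: Failed to get client(GUID:7D5BF5D0-CA9D-491D-A718-61F5E012C8D3) public key: 0x80040238',
    'Mp Reg: Reply message <ClientRegistrationResponse ResponseType="Confirmation" TimeStamp="2011-04-07T15:59:46Z" Status="1"/>',
] * 2)

if __name__ == '__main__':
    client, mp = analyse_client_log(parse_log(CLIENT_LOG)), analyse_mp_log(parse_log(MP_LOG))
    print('client:', client)
    for smsid in mp['looping_smsids']:
        print(f"{smsid}: issued {mp['issued'][smsid]}x, then Confirmation failed {mp['failed'][smsid]};"
              f" check {mp['regreq_dirs']} for an unprocessed backlog")
```

Run it as-is to see the constructed loop detected, or feed parse_log() the real files (CCM\Logs\ClientIDManagerStartup.log on the client, SMS_CCM\Logs\MP_RegistrationManager.log on the MP). The regreq directory it extracts is the same auth\ddm.box\regreq folder that, later in this thread, turned out to be full of unprocessed files.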

When you run ccmdelcert.exe, does it actually delete the certs from the SMS store; i.e., have you manually checked the local computer's SMS certificate store using the Certificates MMC snap-in?

Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
April 7th, 2011 4:19pm

It certainly said it did when I ran the command, but I didn't check in the MMC. I'll redo that and check it tomorrow when I get in. Thanks.
April 7th, 2011 8:06pm

Same issue on all non-domain client machines? Check this blog, which explains how the registration works step by step: http://blogs.technet.com/b/configurationmgr/archive/2010/01/20/how-it-works-automatic-client-approval-in-configuration-manager-2007.aspx Follow the troubleshooting section. Regards!

Gaston Gardonio - http://blogs.technet.com/plataformas/archive/tags/System+Center/default.aspx
April 8th, 2011 4:16am

@Jason - I've redone the ccmdelcert.exe process on the client I'm currently trying to get working. Checked in the MMC and yes, they were removed from there. Restarted the service and it repopulated the SMS key in the Certificates MMC with 2 self-signed certificates (SMS Signing Certificate and SMS Encryption Certificate) which say they are untrusted, but this is no different from our domain-joined working clients. Still the same problem.
April 8th, 2011 5:08am

Hi Gaston,

I have tried this on 3 different clients so far: 1 x joined to a different domain which has no trust relationship with the SCCM server domain and sits on a DMZ network, 1 x standalone workgroup server in a DMZ, and now finally an XP workgroup client on the same network as the server (in order to remove any potential issues from the Checkpoint firewall that sits between the networks).

I have looked at that article before, but I didn't understand how a workgroup client was meant to be able to do step 3. It has no knowledge of Active Directory to ask for a Kerberos ticket. And as I understood it, I wasn't expecting the workgroup clients to be given automatic approval anyway, but they would require manual approval. The article says in step 6: "Whether the client is trusted or not, the MP executes the spUpdateClientRegistration stored procedure to update the database. If the client has authenticated properly, both the @ApprovalMethod and @IsIntegratedAuth parameters will be set to 1. If not, they are both set to 0." As the client never shows up in the 'All Systems' collection it would seem that it does not get to run this stored procedure and add the machine as unapproved requiring manual approval. I will have a look at the SQL Profiler mentioned and see if I can see whether it is running this stored procedure as mentioned in the troubleshooting section.

The first paragraphs from this link (linked from your link) http://technet.microsoft.com/en-us/library/bb694193.aspx seem to be our situation, or rather what our situation should be. We do have the option in bold set and we do automatically approve members of trusted domains.

"Configuration Manager 2007 mixed mode does not authenticate clients before they are allowed to join the site. Any computer with the System Center Configuration Manager 2007 client installed and assigned to a site, and that has a self-signed certificate can communicate with a management point, display in the System Center Configuration Manager 2007 console, receive policy from the site, and send information to the site. In mixed mode, if the check box This site contains only ConfigMgr 2007 clients is not selected, then policies containing sensitive data can be sent to any client. However if the check box is selected, only clients that are approved can receive policies containing sensitive data. A Configuration Manager 2007 client cannot be approved until it has successfully installed and assigned to a site. Approval can be manual, automatic for computers in trusted domains, or automatic for all computers and is configured as a site property on the site mode tab for mixed mode sites. The most secure approval method is to automatically approve clients that are members of trusted domains. In this mode, clients that are not members of a trusted domain, including workgroup clients, must be manually approved."
April 8th, 2011 5:40am

SQL Profiler shows this kind of thing:

exec MP_IsClientRegistered NULL,0xC8566A1DD3200C (truncated string),'SVR','BOPSXP','GUID:79C15AC7-BC0E-47E4-8C3C-5EF64BB872AE',NULL,NULL,NULL,'2:F432B49663B14E57E61999D78FA32D7378DF3225','1','0','1'
exec sp_reset_connection
exec sp_GetPublicKeyForSMSID 'GUID:79C15AC7-BC0E-47E4-8C3C-5EF64BB872AE','0'

and it doesn't seem to get to run spUpdateClientRegistration.
April 8th, 2011 6:01am

OK, we've got to the bottom of this. Basically a colleague noticed that there were a load of .ddr files that had built up in the auth\ddm.box and \regreq folders. What seems to have happened is that on the 3rd April the SMS Writer service stopped a whole load of SMS Services 'as part of the preparation for the SMS Site Backup'. The SMS Site Backup completed successfully but then 'did not find command file "afterbackup.bat"'. Anyway, it appears that a whole load of components, including the SMS Discovery Data Manager, didn't get restarted at that point - strangely this must have been running for months without issue. I didn't notice this as nothing was flagged by the Site Status area in the Admin console, status was listed as OK, and all Windows services were running. So, long story short, rebooted the server and it came up and started everything, processed the backed-up .ddr files and all is now working, and I have been able to approve my workgroup computers. Should have turned it on and off again sooner! Thanks to Jason and Gaston for their thoughts.
April 8th, 2011 12:15pm
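The lesson of the fix above is that the inbox folders told the truth while Site Status said OK. As an added example (not from the thread), here is a Python check that walks the site server's inboxes tree and flags any folder holding a large or stale pile of files, which is exactly the symptom the colleague spotted by eye. Point it at the real root (F:\Microsoft Configuration Manager (x86)\inboxes in this thread) or run it with no argument to exercise a constructed demo tree that reproduces a five-day-old regreq backlog. The thresholds and the demo folder contents are assumptions, not values taken from the post.

```python
r"""Find a processing backlog in the ConfigMgr site-server inboxes.
Added example, not from the thread. The registration .RDR files in the thread piled up under
<install dir>\inboxes\auth\ddm.box\regreq while Site Status still reported OK, so this checks
the file system directly instead of trusting component status. Thresholds are assumptions.
"""
import os
import sys
import tempfile
import time


def inbox_backlog(inboxes_root, max_files=50, max_age_hours=1.0, now=None):
    """Return sorted [(inbox_dir, file_count, oldest_file_age_hours)] for every directory under
    inboxes_root that holds more than max_files files or any file older than max_age_hours."""
    now = time.time() if now is None else now
    flagged = []
    for dirpath, _subdirs, filenames in os.walk(inboxes_root):
        if not filenames:
            continue
        mtimes = [os.stat(os.path.join(dirpath, f)).st_mtime for f in filenames]
        oldest_h = (now - min(mtimes)) / 3600
        if len(filenames) > max_files or oldest_h > max_age_hours:
            # normalise to '/' so results compare the same on Windows and elsewhere
            rel = os.path.relpath(dirpath, inboxes_root).replace(os.sep, '/')
            flagged.append((rel, len(filenames), round(oldest_h, 1)))
    return sorted(flagged)


def build_demo_inboxes():
    """Constructed sample tree (not from the thread): a stale regreq backlog beside a healthy inbox."""
    root = tempfile.mkdtemp(prefix='inboxes_')
    stale = os.path.join(root, 'auth', 'ddm.box', 'regreq')
    fresh = os.path.join(root, 'despoolr.box', 'receive')
    os.makedirs(stale)
    os.makedirs(fresh)
    five_days_ago = time.time() - 5 * 24 * 3600  # backup stopped DDM on the 3rd, noticed on the 8th
    for i in range(120):
        path = os.path.join(stale, f'REQ{i:05d}.RDR')
        open(path, 'w').close()
        os.utime(path, (five_days_ago, five_days_ago))
    for i in range(2):
        open(os.path.join(fresh, f'{i}.tmp'), 'w').close()  # fresh files: should not be flagged
    return root


if __name__ == '__main__':
    # Real use on the site server: python inbox_backlog.py "F:\Microsoft Configuration Manager (x86)\inboxes"
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_inboxes()
    for rel, count, age_h in inbox_backlog(root):
        print(f'{rel}: {count} files, oldest {age_h} h old')
```

A one-hour age threshold is deliberately tight: a busy site can legitimately queue a few files for minutes, but a file that has sat in an inbox for hours means the component that owns that folder is not consuming it, whatever the console says. Schedule the check and alert on any flagged directory rather than waiting for clients to loop on registration.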

Great! The afterbackup error message is normal if you did not create the afterbackup.bat file.

Gaston Gardonio - http://blogs.technet.com/plataformas/archive/tags/System+Center/default.aspx
April 8th, 2011 6:34pm

