Tuesday, November 1, 2016

SCCM Client Installation Failures

The following is a list of SCCM client installation failures and their resolutions:

One or more certificates are missing on the local machine (there should be 2 certificates).

CertificateMaintenance.log shows the following entries:
Crypt acquire context failed with 0x8009000f

Wrong permissions on the machine key file whose name starts with 19c5.., located under the following path:

The correct permissions for the file are:
System: full control
Local Administrators: read and execute
Restarting the SMS Agent Host service after setting the permissions should create the certificate, and CertificateMaintenance.log should show no errors.

The client does not communicate with the management point and does not function.
ClientIDManagerStartup.log shows the following entries:
ComputeHardwareID failed (0x80041017)
RegTask: Failed to create registration request body. error: 0x80041017

This error is most likely caused by WMI errors or damage.

Register WMI components with the following commands:

cd /d %windir%\system32\wbem
FOR /f %s in ('dir /b /s *.dll') do regsvr32 /s %s
Net stop /y winmgmt
FOR /f %s in ('dir /b *.mof *.mfl') do mofcomp %s
Net start winmgmt
Reboot the machine.

Rebuilding the WMI repository is a destructive operation that can lead to data loss, applications breaking, and a whole host of slow-to-appear, difficult-to-diagnose problems.

The SCCM client installs successfully with any installation method, but the client does not register in the SCCM console.
In addition, the SMS Agent service is not running and crashes seconds after an attempt to start it.

SMS certificates are not created and there are only a few logs in the client folder (%systemroot%\ccm\logs).

In my case there were no errors in any of the logs created, but a specific line in ClientIDManagerStartup.log got my attention:

Client is set to use HTTPS when available. The current state is 224

Further investigation revealed that the CNG Key Isolation service was set to manual start (as it should be) but wasn't running.

CNG Key Isolation service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria.
Without this service, SMS certificates cannot be created.
Make sure the service is running and start the SMS Agent service.
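
The three log signatures above can be checked in one pass, together with the state of the two services involved. This is an added example, not part of the original post: the function names are hypothetical, the service names KeyIso (CNG Key Isolation) and CcmExec (SMS Agent Host) are assumed to be the standard ones, and the sample logs are constructed from the entries quoted in the post.

```powershell
# Signatures quoted in the post, mapped to the log they appear in and the fix described there.
$Signatures = @(
    @{ Log = 'CertificateMaintenance.log'; Text = '0x8009000f'
       Action = 'Fix machine key file permissions, then restart SMS Agent Host' }
    @{ Log = 'ClientIDManagerStartup.log'; Text = '0x80041017'
       Action = 'Re-register WMI components, then reboot' }
    @{ Log = 'ClientIDManagerStartup.log'; Text = 'Client is set to use HTTPS when available'
       Action = 'Not an error by itself: verify CNG Key Isolation is running' }
)

function Get-SccmClientFinding {
    param([string]$LogDirectory = (Join-Path $env:SystemRoot 'ccm\logs'))
    foreach ($sig in $Signatures) {
        $path = Join-Path $LogDirectory $sig.Log
        if (-not (Test-Path -LiteralPath $path)) { continue }   # in the third case only a few logs exist
        # Report the most recent occurrence only.
        $hit = Select-String -LiteralPath $path -SimpleMatch -Pattern $sig.Text | Select-Object -Last 1
        if ($hit) {
            [pscustomobject]@{ Log = $sig.Log; LineNumber = $hit.LineNumber; Action = $sig.Action }
        }
    }
}

function Test-SccmCryptoService {
    # Assumed service names: KeyIso = CNG Key Isolation, CcmExec = SMS Agent Host.
    foreach ($name in 'KeyIso', 'CcmExec') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { $svc.Status } else { 'NotInstalled' }
            Running = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }
}

# Constructed sample logs (entries copied from the post) so the triage can be tried offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'ccm-triage-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'CertificateMaintenance.log') -Value 'Crypt acquire context failed with 0x8009000f'
Set-Content -Path (Join-Path $demo 'ClientIDManagerStartup.log') -Value @(
    'RegTask: Failed to create registration request body. error: 0x80041017'
    'Client is set to use HTTPS when available. The current state is 224')

Get-SccmClientFinding -LogDirectory $demo | Format-Table -AutoSize
Test-SccmCryptoService | Format-Table -AutoSize
```

Calling Get-SccmClientFinding without -LogDirectory reads the real client logs under %systemroot%\ccm\logs. The script only reports and changes nothing on the machine apart from writing the demo folder under the temp directory.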
