yukis1 Posted May 30, 2012

Hi guys,

I have been working on a new installation of SCCM 2012 in a DMZ environment which includes many servers that are not in the domain, part of a different Forest and etc…

Most of the installation is doing great except some of the servers have very strict security policies. On those servers I have a problem when installing the client. When I install the client I can see it finds the site code (manually registered ‘hosts’ and ‘lmhosts’ files), but once the client is installed I have the following errors:

1. When looking on the client in control panel I see it has no certificate and the connection type is unknown

2. CertificateMaintenance.log on the client throws several errors:

    Failed to create certificate 80090020 CertificateMaintenance 30/05/2012 11:29:55 36952 (0x9058)
    CCMDoCertificateMaintenance() failed (0x80090020). CertificateMaintenance 30/05/2012 11:29:55 36952 (0x9058)
    Raising pending event: instance of CCM_ServiceHost_CertificateOperationsFailure { DateTime = "20120530082955.356000+000"; HRESULT = "0x80090020"; ProcessID = 36532; ThreadID = 36952; }; CertificateMaintenance 30/05/2012 11:29:55 36952 (0x9058)
    CCMDoCertificateMaintenance() raised CCM_ServiceHost_CertificateOperationsFailure status event. CertificateMaintenance 30/05/2012 11:29:55 36952 (0x9058)

3. ClientIDManagerStartup.log on the client also shows many errors:

    [----- STARTUP -----] ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)
    Machine: Server ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)
    OS Version: 6.1 Service Pack 1 ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)
    SCCM Client Version: 5.00.7711.0000 ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)
    Client is set to use HTTPS when available. The current state is 224. ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)
    'RDV' Identity store does not support backup. ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)
    CCM Identity is in sync with Identity stores ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)
    [RegTask] - Executing registration task synchronously. ClientIDManagerStartup 30/05/2012 12:51:09 2556 (0x09FC)
    RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 30/05/2012 12:51:10 2556 (0x09FC)
    Read SMBIOS (encoded): 56004D0077006100720065002D00340032002000320061002000390065002000610066002000660032002000620033002000610037002000630063002D0064003100200038006200200064003000200065003100200039003000200038003800200037006600200062003500 ClientIDManagerStartup 30/05/2012 12:51:10 2556 (0x09FC)
    Evaluated SMBIOS (encoded): 56004D0077006100720065002D00340032002000320061002000390065002000610066002000660032002000620033002000610037002000630063002D0064003100200038006200200064003000200065003100200039003000200038003800200037006600200062003500 ClientIDManagerStartup 30/05/2012 12:51:10 2556 (0x09FC)
    No SMBIOS Changed ClientIDManagerStartup 30/05/2012 12:51:10 2556 (0x09FC)
    SMBIOS unchanged ClientIDManagerStartup 30/05/2012 12:51:10 2556 (0x09FC)
    SID unchanged ClientIDManagerStartup 30/05/2012 12:51:10 2556 (0x09FC)
    HWID unchanged ClientIDManagerStartup 30/05/2012 12:51:14 2556 (0x09FC)
    RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 30/05/2012 12:51:16 2556 (0x09FC)
    RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 30/05/2012 12:51:18 2556 (0x09FC)
    RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 30/05/2012 12:51:22 2556 (0x09FC)
    RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 30/05/2012 12:51:26 2556 (0x09FC)
    RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 30/05/2012 12:51:32 2556 (0x09FC)

yukis1 Posted May 30, 2012

Problem solved!!!

The problem was that the 'CNG Key Isolation' Service was disabled. Setting the service to Manual solved the issue.

I believe that the service is only used during the installation process - to create the Self-Signed certificate, and can be disabled after the installation. I've now disabled it, and will continue monitoring the server and report back with results.

rrasco Posted February 14, 2013

Which system did you have to enable the service for? Client or server? Mine is enabled on both and I am receiving this error from a new client I am trying to get into SCCM.

rrasco Posted February 14, 2013

Follow up: I was able to get mine working. There were a few more things I tried to get it going.

Referencing this post I enabled the Protected Storage Service. That did not resolve the issue.

Moved on to find this post where I located the MachineKeys directory on Windows 7 (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys) and removed the key that started with 19c5cf and the cert was able to be created. Repaired CCM on the client and it was reporting in no time.

I believe it was an old cert on that machine from before I had SCCM configured correctly, thus it had to be cleared to function correctly.

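A read-only check for the two causes reported in this thread (the disabled 'CNG Key Isolation' service and a leftover key file in MachineKeys), as an added example that is not from any of the posters. The function name and the client log path are assumptions; run it in an elevated Windows PowerShell session on the affected client.

```powershell
# Added example: read-only triage, nothing is changed or deleted.
# Assumptions: Get-CcmCertTriage is a hypothetical helper name, and $LogPath
# is the default ConfigMgr 2012 client log location (adjust if yours differs).
function Get-CcmCertTriage {
    param(
        [string]$LogPath = "$env:windir\CCM\Logs\CertificateMaintenance.log",
        [string]$KeyDir  = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
    )

    # 1. 'CNG Key Isolation' has the service name KeyIso.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='KeyIso'"
    if (-not $svc) {
        Write-Output "KeyIso service not found"
    } else {
        Write-Output ("KeyIso: StartMode={0} State={1}" -f $svc.StartMode, $svc.State)
        if ($svc.StartMode -eq 'Disabled') {
            Write-Output "  -> Disabled: the condition the first fix in the thread addressed (set to Manual)"
        }
    }

    # 2. Lines carrying the HRESULT quoted in the thread (0x80090020 is NTE_FAIL).
    if (Test-Path $LogPath) {
        $hits = @(Select-String -Path $LogPath -SimpleMatch -Pattern '80090020')
        Write-Output ("{0}: {1} line(s) mention 80090020" -f (Split-Path $LogPath -Leaf), $hits.Count)
        $hits | Select-Object -Last 3 | ForEach-Object { "  " + $_.Line }
    } else {
        Write-Output "Log not found: $LogPath"
    }

    # 3. Machine key files, oldest first, so a key that predates the current
    #    client install stands out before anyone decides to remove it.
    if (Test-Path $KeyDir) {
        Get-ChildItem -Path $KeyDir -Force |
            Where-Object { -not $_.PSIsContainer } |
            Sort-Object LastWriteTime |
            Select-Object Name, LastWriteTime, Length
    } else {
        Write-Output "Key directory not found: $KeyDir"
    }
}

Get-CcmCertTriage
```
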
Oneone Posted February 18, 2013

Checked this out? http://blogs.technet.com/b/gladiatormsft/archive/2013/01/26/you-may-need-to-re-download-configuration-manager-2012-and-endpoint-protection-2012-sp1-binaries.aspx