SCCM client registration issue with the MP

Posted on by Amit Singh


In day-to-day operations we have seen cases where the SCCM client installs properly but does not register with the management point (MP). Let's get into the details of this well-known issue.

ClientIDManagerStartup.log

[RegTask] – Client is not registered. Sending registration request for GUID:XXXXX-XXXX-XXXX-XXXX-XXXXXXX) …        ClientIDManagerStartup        7/29/2019 3:42:56 AM        5412 (0x1524)

RegTask: Failed to send registration request message. Error: 0x87d00231        ClientIDManagerStartup        7/29/2019 3:43:01 AM        5412 (0x1524)

RegTask: Failed to send registration request. Error: 0x87d00231        ClientIDManagerStartup        7/29/2019 3:43:01 AM        5412 (0x1524)

CcmMessaging.log

Post to https://XXXXXXXXXX_Server/ccm_system_windowsauth/request failed with 0x87d00231.        CcmMessaging        7/28/2019 11:26:56 PM        5412 (0x1524)

Failed to open to WMI namespace ‘\\.\root\ccm’ (80041003)        CcmMessaging        7/29/2019 3:43:01 AM        5412 (0x1524)

[CCMHTTP] AsyncCallback(): —————————————————————–        CcmMessaging        7/29/2019 3:43:01 AM        5412 (0x1524)

[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered        CcmMessaging        7/29/2019 3:43:01 AM        5412 (0x1524)

[CCMHTTP]                : dwStatusInformationLength is 4        CcmMessaging        7/29/2019 3:43:01 AM        5412 (0x1524)

[CCMHTTP]                : *lpvStatusInformation is 0x80000000        CcmMessaging        7/29/2019 3:43:01 AM        5412 (0x1524)

[CCMHTTP]            : WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR is set        CcmMessaging        7/29/2019 3:43:01 AM        5412 (0x1524)

[CCMHTTP] AsyncCallback(): —————————————————————–        CcmMessaging        7/29/2019 3:43:01 AM        5412 (0x1524)

 

Reviewed the TLS configuration on a client machine.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

TLS 1.0, SSL 2.0 and SSL 3.0 are disabled:

"disabledbydefault"=dword:00000001

"enabled"=dword:00000000

 

>>No registry keys had been created for TLS 1.1 or TLS 1.2.

>>On the MP server, the TLS and SSL configuration allowed all TLS protocols.

>>Because all client communication protocols were disabled on the client machine, client-to-MP communication was failing.

 

Resolution

>>Changed the registry values below to allow TLS 1.0:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols – TLS 1.0

"disabledbydefault"=dword:00000000

"enabled"=dword:00000001

>>Restarted the SMS Agent Host service; the client then communicated successfully with the MP and downloaded all policies.

 

Note:

If you plan to disable TLS 1.0 and enable TLS 1.1 and 1.2 on Windows Server 2008 R2, install update 3140245.

Then create or modify the required protocol keys in the registry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

The registry values below also need to be set (refer to https://docs.microsoft.com/en-us/sccm/core/plan-design/security/enable-tls-1-2#update-windows-and-winhttp):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\

DefaultSecureProtocols = (DWORD): 0xAA0

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\

DefaultSecureProtocols = (DWORD): 0xAA0
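
To repeat the TLS review above on other clients, the following PowerShell is an added example, not code from the original post or from Microsoft. It assumes the per-protocol Client subkey under SCHANNEL\Protocols, which the post does not spell out, and uses the bit values Microsoft documents for DefaultSecureProtocols.

```powershell
# Added example: audit client-side SCHANNEL protocol keys and the WinHTTP mask.
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

foreach ($p in $protocols) {
    # Assumption: the "Client" subkey controls outbound (client-to-MP) connections.
    $key = Join-Path $schannel "$p\Client"
    $v   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A missing key or value means the OS default for that protocol applies.
    $enabled = 'not set (OS default applies)'
    $dbd     = 'not set (OS default applies)'
    if ($v -and $null -ne $v.Enabled)           { $enabled = $v.Enabled }
    if ($v -and $null -ne $v.DisabledByDefault) { $dbd     = $v.DisabledByDefault }
    New-Object PSObject -Property @{
        Protocol = $p; Enabled = $enabled; DisabledByDefault = $dbd
    } | Select-Object Protocol, Enabled, DisabledByDefault
}

# Bit flags of the WinHTTP DefaultSecureProtocols DWORD (per Microsoft's documentation).
$bits = @{ 0x008 = 'SSL 2.0'; 0x020 = 'SSL 3.0'; 0x080 = 'TLS 1.0'
           0x200 = 'TLS 1.1'; 0x800 = 'TLS 1.2' }
$winhttp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'

foreach ($key in $winhttp) {
    $v = Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
    if (-not $v) { "{0}: DefaultSecureProtocols not set" -f $key; continue }
    $mask  = [int]$v.DefaultSecureProtocols
    # Keep only the protocol names whose bit is present in the mask.
    $names = $bits.Keys | Sort-Object | Where-Object { $mask -band $_ } |
             ForEach-Object { $bits[$_] }
    "{0}: 0x{1:X3} = {2}" -f $key, $mask, ($names -join ', ')
}
```

The value 0xAA0 used above decodes to SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2, so it adds the newer protocols for WinHTTP without removing the older ones.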

 

About Amit Singh

Amit Singh is a technology Consultant & Microsoft Certified professional with demonstrable success in Project Consulting of Microsoft Private & Public cloud.
