SCCM 2012 R2 Clients are not retrieving policy

  • Question

  • Hi - I know this question has been asked many times before - but I have tried almost everything and am no closer to solving the problem.

    Background: Recently a SCCM 2012 SP1 single stand-alone site was upgraded to SCCM 2012 R2. The site is a single stand-alone primary site with a single DP, single MP, using mixed mode (HTTP). The R2 upgrade ran without any problem and all SCCM components are showing as healthy.

    A few test SCCM 2012 SP1 clients were upgraded to the R2 client using client-push.

    However, the upgraded clients are not retrieving policy from the Management Point. In the Actions tab of the SCCM client, only Machine Policy Retrieval and User Policy Retrieval are available. But kicking off those actions does not result in any of the advertised applications or Task Sequences becoming available. In fact, Custom Client Settings are not being set either (e.g. Organisation Name in Software Center).

    I have checked and rechecked the following:

    • The upgrade of the client completed successfully (checked ccmsetup.log) and the version number went from 5.00.7804.1000 (SP1) to 5.00.7958.1000 (R2).
    • The MP health in the SCCM console is showing healthy.
    • The MP access URLs load correctly when run from SCCM client computers
      • “http://<ServerName>/sms_mp/.sms_aut?mplist” is ok
      • “http://<ServerName>/sms_mp/.sms_aut?mpcert” is ok
    • The SCCM clients are assigned to the site correctly – verified via the SCCM client and ClientLocation.Log
    • ClientIDManager.Log is not showing any errors
    • CCMExec.log and ExecMgr.log don't show any advertisements being executed (Execmgr.log is almost empty and only has "Software distribution site settings policy does not yet exist on the client. If the client is not yet registered this is expected behaviour")
    • The SCCM clients are Approved and NOT Blocked in SCCM
    • I have attempted to upgrade the SCCM client and also completely removed and reinstalled it - and both have the same result (no client policy downloaded)
    • I have also deleted the above clients completely from SCCM, run discovery again and pushed the client to the machines again ... with the same result (SCCM client installs, assigns to correct site and then no policy downloaded)
    • SCCM 2012 Boundaries are configured correctly and assigned to Boundary Groups correctly
    • The SCCM clients do not have the firewall enabled
    • Changed boundary from AD Site to Subnet to IP Address Range: Same issue exists
    • Uninstalled MP role and reinstalled it: same Issue exists
    • Tried to connect to the SCCM client using the 3rd party SCCM Client Center tool but cannot connect
    • ??? Not sure what else to try ???


    Thursday, March 20, 2014 3:19 AM

All replies

  • It has been suggested that the Management Point role should be removed and reinstalled - however I don't know what the ramifications of this are - especially since this environment only has a single Management Point....
    Thursday, March 20, 2014 3:44 AM
  • Are you using IP address range boundaries or IP subnet boundaries?

    If the answer is subnet, change to IP address range. http://blog.configmgrftw.com/ip-subnet-boundaries-are-evil/

    Thursday, March 20, 2014 4:37 AM
  • I have tried both AD site and IP subnet boundaries.

    However this doesn't explain why even SCCM client settings are not being applied?

    The logs show the client is being assigned to the correct Site and MP.

    I have done quite a few SCCM 2012 R2 and SP1-to-R2 upgrades and this is the first time that I have come across this issue....

    Thursday, March 20, 2014 4:50 AM
  • Have you tried doing a hard policy reset with the Client Center tool from Roger Zander (download:  http://sourceforge.net/projects/smsclictr/)? 

    I've had a few clients in the past that have acted similarly, and they were fixed by triggering these schedules.  The hard policy reset triggers schedules 40 and 21.

    A full list of client schedules can be found in the SendScheduleMessages.xml located in the R2 toolkit.

    Thursday, March 20, 2014 12:34 PM
  • Try restarting the CCMExec service on the client machine.

    From a command prompt with admin rights:

    net stop ccmexec

    net start ccmexec

    Once done, check policydownloader or policyevaluator.log


    Thanks, Prabha G

    Thursday, March 20, 2014 1:02 PM
  • Like I said, change to IP Address range boundaries and test again.
    Thursday, March 20, 2014 2:59 PM
  • Is there a chance the site code was changed?

    When you have removed the client from both the device and the repository, try shutting down and restarting the device then reinstall or rediscover the device.

    The last thing to try, possibly, is uninstalling the client, removing it from the domain, re-adding it to the domain, rediscovering and seeing if the PC shows up.

    Thursday, March 20, 2014 8:25 PM
  • Thanks everyone for the suggestions - I have tried most of them with no success

    #1) Changed the boundary to an IP Address Range = No change in client behaviour

    #2) Restarting CCMExec - this happens when the SCCM client is reinstalled = No change in client behaviour

    #3) Uninstalled the MP and reinstalled it = No change in client behaviour

    #4) SCCM Client Center (great tool which I used in SCCM 2007 - didn't realise it was updated for SCCM 2012). However I can't connect to any SCCM client using this - not sure why, since the clients are on the same subnet as the SCCM Primary Site server and there are no firewalls/AV enabled on the SCCM server or the clients!

    Just weird that the clients can't talk to the SCCM Primary Site server!

    Thursday, March 20, 2014 8:39 PM
  • I should add - it seems ALL clients are experiencing this issue. Not just clients upgraded to R2.

    I have done the client delete > rediscovery > reinstall multiple times with the same result.

    Don't understand how the client installs successfully but then refuses to talk to the MP!

    Thursday, March 20, 2014 9:31 PM

  • Please upload the ClientIDManagerStartup.log, LocationServices.log and CCMMessaging.log.

    -Umair

    Friday, March 21, 2014 3:47 AM
  • Based on your observation, it looks like all clients are having the same issue. Can you please check the client settings that are applying to all these machines? Not sure if you have any custom client settings that might be conflicting after the upgrade; try applying the Default Client Settings to this machine collection, which should help. This is just a thought from your inputs, but again, sharing one of the client logs like LocationServices, ClientIDManagerStartup, etc. should help if no client settings policy conflict is occurring.

    Thanks SRee

    Friday, March 21, 2014 4:15 AM
  • Hello everyone - sorry for the slow response (weekend).

    I have done a complete fresh SCCM 2012 R2 client install on a VM and have uploaded the requested logs to a public Google Drive store: http://bit.ly/1nV9hIb

    Logs uploaded:

    CcmExec.log

    CcmMessaging.log

    ClientIDManagerStartup.log

    ClientLocation.log

    execmgr.log

    LocationServices.log

    PolicyAgent.log

    Any assistance would be greatly appreciated!


    Monday, March 24, 2014 10:12 PM
  • Did this get resolved?  I am seeing a similar issue at my location.

    Wednesday, May 21, 2014 6:34 PM
  • I have the same issue with SCCM MP and clients... tried many ways, did not help
    Monday, June 2, 2014 10:25 AM
  • What's the exact problem? How did you determine that something does not work as expected? Any errors in the site status?

    Torsten Meringer | http://www.mssccmfaq.de

    Monday, June 2, 2014 11:41 AM
  • What's the exact problem? How did you determine that something does not work as expected? Any errors in the site status?

    Torsten Meringer | http://www.mssccmfaq.de

    Hello Torsten,

    This problem with the Management Point was caused by an unexpected shutdown of the SCCM site server, as I thought. I removed the MP role from the site server and installed it on a site system, and the MP had been working for a time; later I saw the same problem as the first MP had. I removed the MP role from the site system. I removed IIS from the site server, rebooted, installed IIS, rebooted, installed the MP role, rebooted, tried to install the client via push installation and saw the same situation. Client Certificate - None (instead of Self-signed); in the ClientIDManagerStartup.log I see:

    <![LOG[[RegTask] - Client is not registered. Sending registration request for GUID:AD0418AC-4C2E-4E16-8901-0BFD90247570 ...]LOG]!><time="17:11:04.808-240" date="06-02-2014" component="ClientIDManagerStartup" context="" type="1" thread="2688" file="regtask.cpp:1609">
    <![LOG[RegTask: Failed to send registration request message. Error: 0x87d00309]LOG]!><time="17:11:04.912-240" date="06-02-2014" component="ClientIDManagerStartup" context="" type="3" thread="2688" file="regtask.cpp:1297">
    <![LOG[RegTask: Failed to send registration request. Error: 0x87d00309]LOG]!><time="17:11:04.912-240" date="06-02-2014" component="ClientIDManagerStartup" context="" type="3" thread="2688" file="regtask.cpp:1483">
    <![LOG[[RegTask] - Sleeping for 120 seconds ...]L

    I checked port 80 using telnet  - OK, checked Provisioning Mode - false (OK). Check mpcontrol - status code 200, text: OK. In the "component status" all green - OK. Client has found MP and site code (LocationServices - OK).

    ALL OK, but doesn't work! 

    Monday, June 2, 2014 2:08 PM
  • What does MP_Registration.log on the MP tell?

    Torsten Meringer | http://www.mssccmfaq.de

    Monday, June 2, 2014 3:09 PM
  • What does MP_Registration.log on the MP tell?

    Torsten Meringer | http://www.mssccmfaq.de

    Hello,

    there are a lot of similar messages like (copied last messages, around current time):

    Processing Registration request from Client 'GUID:364CC6DF-CB77-4A92-9A07-9F3150502062'

    Begin validation of Certificate [Thumbprint BEBDEB198AEDB0F3C9B686EB37CB05092D824561] issued to 'SMS'

    Completed validation of Certificate [Thumbprint BEBDEB198AEDB0F3C9B686EB37CB05092D824531] issued to 'SMS'

    MP Reg: Processing completed. Completion state = 0

    before these I see some errors:

    Registration hint is expired.

    CCMValidateAuthHeaders failed (0x87d0029b) to validate headers for client 'GUID:26E60C52-A5C0-41DF-8C22-73D8B52065C6'.

    MP Reg: Processing completed. Completion state = 0

    Is it useful?

    Tuesday, June 3, 2014 5:14 AM
  • Hello, I did a fresh install of a client and research.

    Agent is installed, it has found MP and site, Certificate - None,

    ClientIDManagerStartup.log:

    Failed to send registration request message. Error: 0x87d00309

    I checked client ID in the MP_RegistrationManager.log:

    Processing Registration request from Client 'GUID:8FB56521-A4CB-4968-9E37-D8BA35838767'

    Begin validation of Certificate [Thumbprint A466797C487D34320D1EC257EB61C9D69CFDEA2F] issued to 'SMS'

    Completed validation of Certificate [Thumbprint A466797C487D34320D1EC257EB61C9D69CFDEA2F] issued to 'SMS'

    MP Reg: DDR written to [C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\regreq\KEQU5XHK.RDR] for Client [GUID:8FB56521-A4CB-4968-9E37-D8BA35838767] with Certificate Thumbprint [A466797C487D34320D1EC257EB61C9D69CFDEA2F]

    MP Reg: Processing completed. Completion state = 0

    What should I check next?



    • Edited by Andev Tuesday, June 3, 2014 10:43 AM
    Tuesday, June 3, 2014 9:45 AM
  • Hi all - sorry for the late response.

    We managed to resolve the issue after logging a job with Microsoft Support.

    The issue was that the SCCM 2012 R2 upgrade corrupted 2 tables in the SCCM Database - leading to corrupt SCCM client policies.

    I am pasting the resolution email from Microsoft below:

    (NOTE: These may not be the exact symptoms you are experiencing, so do not implement this fix assuming it will fix your problem!)

    ISSUE: 

    - All clients are unable to download policies from the server

    CAUSE:

    - Bad policies in the Database

    RESOLUTION: 

    -Issue with PADbID - Run below query against SCCM DB to verify corrupt entries:

    SELECT * FROM ResPolicyMap WHERE machineid = 0 and PADBID IN (SELECT PADBID FROM PolicyAssignment WHERE BodyHash IS NULL)

    Confirmed Bad policies entries in the SCCM database

    Run below query to delete the bad policy after which we resolved the issue:

    DELETE FROM ResPolicyMap WHERE machineid = 0 and PADBID IN (SELECT PADBID FROM PolicyAssignment WHERE BodyHash IS NULL)

    Tuesday, June 3, 2014 11:51 PM
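
A more cautious way to run the two queries from the post above, written as one T-SQL batch. This is an added example, not part of the original post or of the Microsoft email. It assumes it is run in the site database after a full backup, and the backup table name is hypothetical.

```sql
-- Added example; table and column names are the ones used in the post above.
-- Assumptions: run in the site database by a DBA, after a full database backup;
-- dbo.ResPolicyMap_Backup_Hypothetical is a made-up name and must not exist yet.
SET XACT_ABORT ON;  -- a run-time error rolls the whole transaction back

-- 1. Count the rows matched by the diagnostic query from the post.
DECLARE @expected int;
SELECT @expected = COUNT(*)
FROM   ResPolicyMap
WHERE  machineid = 0
  AND  PADBID IN (SELECT PADBID FROM PolicyAssignment WHERE BodyHash IS NULL);

IF @expected = 0
BEGIN
    PRINT 'No matching rows; the symptoms have a different cause. Nothing changed.';
    RETURN;
END;

BEGIN TRANSACTION;

-- 2. Copy exactly those rows aside so they can be inspected or re-inserted.
SELECT *
INTO   dbo.ResPolicyMap_Backup_Hypothetical
FROM   ResPolicyMap
WHERE  machineid = 0
  AND  PADBID IN (SELECT PADBID FROM PolicyAssignment WHERE BodyHash IS NULL);

-- 3. Delete them, using the same predicate as the DELETE in the post.
DELETE FROM ResPolicyMap
WHERE  machineid = 0
  AND  PADBID IN (SELECT PADBID FROM PolicyAssignment WHERE BodyHash IS NULL);

DECLARE @deleted int = @@ROWCOUNT;

-- 4. Commit only if the delete touched the number of rows counted in step 1.
IF @deleted = @expected
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Deleted ' + CAST(@deleted AS varchar(12)) + ' row(s); copy kept in backup table.';
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;  -- also undoes the SELECT ... INTO above
    PRINT 'Row count changed between steps; rolled back, nothing deleted.';
END;
```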
  • Hello,

    I am sorry, this is not my topic, I have the same problem with policies, but I have a fresh install of SCCM 2012 R2.

    Wednesday, June 4, 2014 5:10 AM
  • The first query did not return results in my case.
    Wednesday, June 4, 2014 6:25 AM
  • Hello Sir

    thank you very much for this solution!

    worked very well for my setup!

    Sunday, April 19, 2015 6:38 PM
  • This worked perfectly.

    Thanks


    Ragavendren

    Tuesday, April 21, 2015 6:40 PM
  • Deleting the corrupted policy also worked for me.
    Friday, June 19, 2015 8:03 PM
  • Thanks for this. We had this issue along with our Operating System Deployments not starting with error 0x80004005 and "cannot get the 'Signature' node" reported in the smsts.log from Windows PE. Deleting the corrupted policy fixed both issues.
    Friday, June 26, 2015 9:06 AM
  • Thanks for sharing this solution GeekierThanYou!

    That solved my issue!

    Tuesday, November 17, 2015 9:34 PM
  • Please check that no proxy settings are configured on the SCCM client machine; if there are, please remove the proxy. After that, the client agent communicates with the SCCM server successfully.
    • Proposed as answer by Trinhity Wednesday, July 29, 2020 12:03 AM
    Thursday, February 18, 2016 6:03 AM
  • I had a similar issue but was worried about deleting the policy from SQL because I didn't know what the actual policy was. What I eventually did (or rather tried first) was delete all the deployments for Client Settings and Antimalware policies and then redeploy them. Seemed to do the trick!
    Thursday, April 14, 2016 3:38 PM