SCCM Agent has only two actions after installation:
ISSUE
ConfigMgr Agent has only two actions in Actions tab after installation
- Machine Policy Retrieval & Evaluation Cycle
- User Policy Retrieval & Evaluation Cycle
CCM Notification Agent component is also in Disabled state.
LOGS
CertificateMaintenance.log:
CertificateMaintenance 800 (0x320) Failed to verify signature of message received from MP using name 'contosomp01.lab.com'
CertificateMaintenance 800 (0x320) Failed to verify signature of message received from MP using name 'contosomp02.lab.com'
ClientIDManagerStartup.log:
ClientIDManagerStartup 800 (0x320) RegTask: Failed to refresh site code. Error: 0x8000ffff
LocationServices.log:
LocationServices 800 (0x320) Signature verification using hash algorithm 32772 failed with 0x80090006.
LocationServices 800 (0x320) CCMVerifyMsgSignature failed.
LocationServices 800 (0x320) Failed to verify received message 0x80090006
LocationServices 800 (0x320) CCMVerify failed with 0x80090006
LocationServices 800 (0x320) Failed to verify message. Could not retrieve certificate from MPCERT.
LocationServices 800 (0x320) MPCERT requests are throttled for 00:00:00
There was no CcmNotificationAgent.log.
PolicyAgent.log shows nothing helpful but the following:
PolicyAgent_RequestAssignments 2284 (0x8ec) PolicyEvaluatorSystemTask::Execute, szEvent = PreShutdown
PolicyAgent_RequestAssignments 2284 (0x8ec) Processing PreShutdown event
ANALYSIS
I had a hunch that it had something to do with the management point certificates the client computer received, because LocationServices.log implied that the messages coming from the management points could not be verified. It was obvious that the client computer failed to decrypt the messages from the management points.
To get management points information in WMI on the client computer, I ran the following PowerShell queries.
# This query returned complete information about the management points
Get-WmiObject -Namespace "ROOT\ccm\LocationServices" -Class SMS_MPInformation
# This query returned empty
Get-WmiObject -Namespace "ROOT\ccm\LocationServices" -Class SMS_MPInformationEx
# This query returned complete information about the management points
Get-WmiObject -Namespace "ROOT\ccm\LocationServices" -Class SMS_MPList
# This query returned empty
Get-WmiObject -Namespace "ROOT\ccm\LocationServices" -Class SMS_MPListEx
As you can see, the client computer failed to fill the WMI class instances of SMS_MPInformationEx and SMS_MPListEx. This behaviour corresponded to the error messages in LocationServices.log.
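The checks from this section can be combined into one client-side triage function. This is an added example, not code from the original post; the function name Get-CcmMpTrustTriage is hypothetical, and it assumes the default client log location under %windir%\CCM\Logs.

```powershell
# Added example, not from the original post. The function name is hypothetical.
function Get-CcmMpTrustTriage {
    [CmdletBinding()]
    param(
        # Assumption: default ConfigMgr client log location.
        [string]$LogPath = (Join-Path $env:windir 'CCM\Logs\LocationServices.log')
    )

    $namespace = 'ROOT\ccm\LocationServices'
    $count = @{}
    foreach ($class in 'SMS_MPInformation', 'SMS_MPInformationEx', 'SMS_MPList', 'SMS_MPListEx') {
        try {
            # @() forces an array, so an empty result gives Count = 0
            $count[$class] = @(Get-WmiObject -Namespace $namespace -Class $class -ErrorAction Stop).Count
        } catch {
            $count[$class] = $null   # namespace or class could not be queried
        }
    }

    # 0x80090006 is NTE_BAD_SIGNATURE; hash algorithm 32772 (0x8004) is CALG_SHA1.
    $sigFailures = 0
    $mpCertFailures = 0
    if (Test-Path -LiteralPath $LogPath) {
        $sigFailures = @(Select-String -LiteralPath $LogPath `
            -Pattern 'hash algorithm \d+ failed with 0x80090006').Count
        $mpCertFailures = @(Select-String -LiteralPath $LogPath -SimpleMatch `
            -Pattern 'Could not retrieve certificate from MPCERT').Count
    }

    # Pattern seen in this post: base classes populated, *Ex classes empty,
    # and signature verification failures in LocationServices.log.
    $baseFilled = ($count['SMS_MPInformation'] -gt 0) -and ($count['SMS_MPList'] -gt 0)
    $exEmpty    = ($count['SMS_MPInformationEx'] -eq 0) -and ($count['SMS_MPListEx'] -eq 0)

    [pscustomobject]@{
        MPInformation      = $count['SMS_MPInformation']
        MPInformationEx    = $count['SMS_MPInformationEx']
        MPList             = $count['SMS_MPList']
        MPListEx           = $count['SMS_MPListEx']
        SignatureFailures  = $sigFailures
        MpCertFailures     = $mpCertFailures
        MatchesPostSymptom = ($baseFilled -and $exEmpty -and ($sigFailures -gt 0))
    }
}

Get-CcmMpTrustTriage | Format-List
```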
The AD publishing status in \Administration\Overview\Hierarchy Configuration\Active Directory Forests also showed Success. However, while verifying the System Container in AD, I was told that there was much obsolete information about some management points and sites that had been deleted, as the customer put it. That caught my attention, because that obsolete information should have been deleted and disappeared, since the old management points and sites no longer existed in the environment.
I suggested that they delete all the entries in the System Container and restart the SMS_EXECUTIVE service of the primary site. But the publishing failed due to insufficient permissions. It was found that the publishing account used in SCCM for AD publishing had only the “This object only” permission, which was not enough. I changed it to “This object and all descendant objects”. Bingo, the issue was gone and the client computer ended up showing online in the SCCM console.
SOLUTION
- Delete all the entries in the System Container
- Make sure that the publishing account used in SCCM for AD publishing has the “This object and all descendant objects” permission on the System Container
- Restart the SMS_EXECUTIVE service of the primary site