One of the most common issues you ever come across is that client computers stay in Unknown tab in Deployment status in SCCM console. There are several reasons for this:
- The client computer is turned off
- The client computer is considered inactive by SCCM, though it is running actually as you observed
- The client computer has an issue with updates scanning
The last probability is most seen. Recently I ran into such an issue caused by problematic updates scanning.
ScanAgent.log shows the following messages.
03-21-2022 16:43:40.123 ScanAgent 2928 (0xb70) ScanJob({383C1CD8-0555-44E4-A96A-551EA38718F6}): CScanJob::OnScanComplete -Scan Failed with Error=0x80240437 03-21-2022 16:43:40.139 ScanAgent 2928 (0xb70) ScanJob({383C1CD8-0555-44E4-A96A-551EA38718F6}): CScanJobManager::OnScanComplete- failed at CScanJob::OnScanComplete with error=0x80240437
0x80240437 means –
Error Code: 0x80240437 (2149844023) Error Name: WU_E_PT_SECURITY_VERIFICATION_FAILURE Error Source: Windows Update Agent Error Message: There was a problem authorizing with the service.
This error code points out that the client has a communication security issue with the software update point. Looks like the client was rejected by the software update point server.
LocationServices.log reveals the wsus server it was trying to connecting to.
03-21-2022 16:43:35.295 LocationServices 2928 (0xb70) Calling back with the following WSUS locations 03-21-2022 16:43:35.295 LocationServices 2928 (0xb70) WSUS Path='https://contososup.test.lab:8531', Server='contososup.test.lab', Version='4241', LocalityEx='BOUNDARYGROUP', SUPFallbackIn='0'
As you can see, the client was connecting to contososup.test.lab at port 8531. Testing the communication between the client and the software update point with TNC contososup.test.lab -Port 8531. All was good.
Then I captured two network trace files while triggering a Software Update Scan cycle from Configuration Manager client UI. The two network traces show the following interesting behaviour.
Client –
Server –
The client and server could establish TCP 3 handshake but failed with TLS 1.2 connection. At that moment, I suspected the server might not support TLS 1.2. However, SoftwareDistribution.log from the software update point server proved me wrong. The logs says TLS 1.2 is indeed enabled.
03-22-2022 03:07:45.477 CommonDataAccess.SetSecureChannelProtocols 6 (0x6) SCHANNEL Protocol 'TLS 1.2' enabled
Remoting into the software update point server, I verified TLS 1.2 with IIS Crypto, a good free tool to check TLS settings.
What else to check? I launched WSUS console on the software update point server and caught sight of the following!
WSUS server was actually using port 8530 instead of 8531. Why the client was trying to connect at 8531? I went back to the client computer and check its wsus settings in the registry, which has the same information found in LocationServices.log.
WUServer: | https://contososup.test.lab:8531 |
WUStatusServer: | https://contososup.test.lab:8531 |
As you know, SCCM sets local group policy to define WSUS settings. Is there something wrong about software update point role? With that thought, I went back to SCCM console and examined the software update point role settings. Voila, there is the answer: Require SSL communication to the WSUS server option is checked.
SOLUTION
- Go to SCCM console
- Navigate to the Software Update Point
- Right click on it and then on Properties
- Select General tab
- Uncheck Require SSL communication to the WSUS server