SCCM clients fail to load machine policies - [Assignment Request] Assignments request for Machine <MachineName> completed with status 0x80004005

Thiago B Andrade 51 Reputation points
2024-03-21T16:56:39+00:00

Hi,

Out of nowhere, all SCCM clients stopped processing Machine Policies. The following are entries from PolicyAgent.log:

Raising event:
instance of CCM_PolicyAgent_PolicyAuthorizationFailure
    ClientID = "GUID:50F63C6B-BFBB-4D2D-B6DD-A379406E86DA";
    DateTime = "20240321164351.133000+000";
    PolicyNamespace = "\\\\.\\ROOT\\ccm\\policy\\machine\\requestedconfig";
    PolicySource = "SMS:SDE";
    ProcessID = 1020;
    ThreadID = 4960;

[Assignment Request] Assignments request for Machine <MachineName> completed with status 0x80004005

CB 2303. Communications between clients and MPs are HTTP only and are OK (Status 200). All Boundary Groups are configured correctly with Site Systems. I tried to reinstall the client, but it does not work.

Any help would be much appreciated.

Thiago

Microsoft Configuration Manager

4 answers

  1. Simon Ren-MSFT 30,031 Reputation points Microsoft Vendor
    2024-03-22T07:34:59.6266667+00:00

    Hi,

    Thank you for posting in Microsoft Q&A forum.

    ==>Out of nowhere, all SCCM clients stopped processing Machine Policies

    1. For this scenario, the issue may be on the server side. Please first make sure the site server and the MP are working well.

    2. Please also make sure that there is no firewall or antivirus stopping the communication between the client and the MP and site server. Use the following URLs to verify that a client can access the management point and the management point certificate information:

    http(s)://<ServerName>/sms_mp/.sms_aut?mplist

    http(s)://<ServerName>/sms_mp/.sms_aut?mpcert

    Where <ServerName> is the NetBIOS/FQDN for the management point computer.

    3. Check the CcmMessaging.log on the client to see if there is any error.

    Thanks for your time. Have a nice day!

    Best regards,

    Simon



  2. Thiago B Andrade 51 Reputation points
    2024-03-22T17:21:49.49+00:00

    Hi Simon.

    The communication is fine between clients and the MPs, as I said. There are no errors in CcmMessaging.log; I can see perfectly that the client delivers messages to the MP:

    OutgoingMessage(Queue='mp_statusreceiver', ID={9DE4F1DD-E222-46B4-885C-CF537A78D99C}): Delivered successfully to host 'MPMachineName'. CcmMessaging 22/03/2024 14:12:34 17116 (0x42DC)

    As I mentioned before, the error 0x80004005 is related to AccessDenied: [Assignment Request] Assignments request for Machine <MachineName> completed with status 0x80004005

    If I try to open the namespace mentioned earlier, \\.\ROOT\ccm\policy\machine\requestedconfig, I get AccessDenied...

    The clients can access the URLs normally:

    http(s)://<ServerName>/sms_mp/.sms_aut?mplist

    http(s)://<ServerName>/sms_mp/.sms_aut?mpcert

    Regards,

    Thiago


  3. Simon Ren-MSFT 30,031 Reputation points Microsoft Vendor
    2024-03-25T09:30:10.6666667+00:00

    Hi,

    Thanks for your reply. Did you install any Windows updates on the server recently?

    We can run the command 'wbemtest' to open Windows Management Instrumentation (WMI) Tester on the client, check whether there is any WMI issue, and check whether it can connect to your site server. The path is \\<FQDN of site server>\root\cimv2. For more information, please refer to KB5004442.

    Thanks for your time. Have a nice day!

    Best regards,

    Simon



  4. Sherry Kissinger 3,801 Reputation points
    2024-03-25T13:22:58.1666667+00:00

    This is just wild speculation, but since your mplist/mpcert is fine, and you've so far concluded it's local access to a WMI namespace, AND it is affecting all machines, my first instinct is to suspect something all your machines 'have', like your antivirus, or anti-malware, or something like 'Crowdstrike' for example.

    Have you tried disabling those on a box to see? Or in some cases with anti-malware things like Crowdstrike, it's often not "good enough" to try to disable it; you have to completely uninstall it and reboot post-uninstall to see if that is the problem (depending upon your company's implementation of Crowdstrike, of course).

    Those are just examples...if you have 'some other software' that is supposed to 'protect your devices from evil', you may want to disable those, or build a machine which does not HAVE those installed, to narrow down which one of the 10 things you have as standards which is interfering. Or, of course... talk to whatever team is in charge of those anti-virus/anti-malware settings, and see if they lately implemented a policy for "protect WMI", which would of course mean... make CM not work in your case.

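A way to narrow down where the denial described in this thread occurs, as an added example that is not code from any poster here: it walks the namespace chain from the PolicyAgent.log entry and reports, per level, whether the caller can enumerate it and which WMI rights it holds, so an affected client can be compared with a test machine built without the endpoint-protection agent. The function name `Test-WmiNamespaceAccess` is hypothetical, and the log path assumes the default client install location.

```powershell
# Added diagnostic sketch. Run in an elevated PowerShell session on an affected client,
# then on a reference machine, and compare the two tables.

# Namespace chain taken from the PolicyNamespace value in the PolicyAgent.log entry.
$namespaces = @(
    'root\ccm',
    'root\ccm\policy',
    'root\ccm\policy\machine',
    'root\ccm\policy\machine\requestedconfig'
)

function Test-WmiNamespaceAccess {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Namespace)

    $result = [ordered]@{ Namespace = $Namespace; CanEnumerate = $false; AccessMask = $null; Error = $null }
    try {
        # Listing class definitions fails if the caller cannot connect to the namespace.
        $null = Get-CimClass -Namespace $Namespace -ErrorAction Stop | Select-Object -First 1
        $result.CanEnumerate = $true

        # __SystemSecurity.GetCallerAccessRights returns the rights WMI grants this caller.
        $r = Invoke-CimMethod -Namespace $Namespace -ClassName '__SystemSecurity' `
                              -MethodName 'GetCallerAccessRights' -ErrorAction Stop
        $result.AccessMask = '0x{0:X}' -f $r.rights
    }
    catch {
        # Keep the provider's own message (for example an access-denied error) for comparison.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# The first level that fails shows how high in the tree the restriction sits.
$namespaces | ForEach-Object { Test-WmiNamespaceAccess -Namespace $_ } | Format-Table -AutoSize -Wrap

# Assumed default client log location; shows the most recent failed assignment requests.
$log = Join-Path $env:windir 'CCM\Logs\PolicyAgent.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'completed with status 0x80004005' |
        Select-Object -Last 5 | ForEach-Object { $_.Line }
}
```

The client agent itself runs as Local System, so a result from an interactive administrator session is an approximation; a difference between the affected and reference machines at the same namespace level is the signal to take to the team that owns the endpoint-protection policy.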