question

NathanielThomas-4109 avatar image
0 Votes"
NathanielThomas-4109 asked AllenLiu-MSFT commented

RegTask: Failed to refresh site code. Error: 0x8000ffff

Hi All,

We have configured new IBCM in our environment and installed clients in few machines to check the communication. Client install without fine but we get "RegTask: Failed to refresh site code. Error: 0x8000ffff" in Clientidmanagerstatup.log. Below are the logs for reference

locationservices.log
Processing pending site assignment. LocationServices 3/31/2021 4:55:12 PM 4188 (0x105C)
Assigning to site '' LocationServices 3/31/2021 4:55:12 PM 4188 (0x105C)
LSIsSiteCompatible : Verifying Site Compatibility for <> LocationServices 3/31/2021 4:55:12 PM 4188 (0x105C)
Using INF MP Publicfqdn.com as lookup MP. LocationServices 3/31/2021 4:55:12 PM 4188 (0x105C)
Attempting to retrieve site information from lookup MP(s) LocationServices 3/31/2021 4:55:12 PM 4188 (0x105C)
LSIsSiteCompatible : Domain joined client is on Internet. Unable to check compatibiliy of Site <> LocationServices 3/31/2021 4:55:12 PM 4188 (0x105C)
Won't send a client assignment fallback status point message because the last assignment error matches this one. LocationServices 3/31/2021 4:55:12 PM 4188 (0x105C)
A Fallback Status Point has not been specified. Message with STATEID='500' will not be sent. LocationServices 3/31/2021 4:58:50 PM 12752 (0x31D0)
Processing pending site assignment. LocationServices 3/31/2021 4:58:50 PM 12752 (0x31D0)
Assigning to site '' LocationServices 3/31/2021 4:58:50 PM 12752 (0x31D0)
LSIsSiteCompatible : Verifying Site Compatibility for <> LocationServices 3/31/2021 4:58:50 PM 12752 (0x31D0)
Using INF MP Publicfqdn.com.com as lookup MP. LocationServices 3/31/2021 4:58:50 PM 12752 (0x31D0)
Attempting to retrieve site information from lookup MP(s) LocationServices 3/31/2021 4:58:50 PM 12752 (0x31D0)
LSIsSiteCompatible : Domain joined client is on Internet. Unable to check compatibiliy of Site <> LocationServices 3/31/2021 4:58:50 PM 12752 (0x31D0)
A Fallback Status Point has not been specified. Message with STATEID='608' will not be sent. LocationServices 3/31/2021 4:58:50 PM 12752 (0x31D0)
Current AD site of machine is LocationServices 3/31/2021 4:59:43 PM 6312 (0x18A8)
Won't send client assignment fallback status point message because last assignment message was sent too recently. LocationServices 3/31/2021 5:03:50 PM 12752 (0x31D0)
Processing pending site assignment. LocationServices 3/31/2021 5:03:50 PM 12752 (0x31D0)
Assigning to site '' LocationServices 3/31/2021 5:03:50 PM 12752 (0x31D0)
LSIsSiteCompatible : Verifying Site Compatibility for <> LocationServices 3/31/2021 5:03:50 PM 12752 (0x31D0)
Using INF MP Publicfqdn.com as lookup MP. LocationServices 3/31/2021 5:03:50 PM 12752 (0x31D0)
Attempting to retrieve site information from lookup MP(s) LocationServices 3/31/2021 5:03:50 PM 12752 (0x31D0)
LSIsSiteCompatible : Domain joined client is on Internet. Unable to check compatibiliy of Site <> LocationServices 3/31/2021 5:03:50 PM 12752 (0x31D0)
Won't send a client assignment fallback status point message because the last assignment error matches this one. LocationServices 3/31/2021 5:03:50 PM 12752 (0x31D0)

Clientidmanagerstatup.log
[----- SHUTDOWN -----] ClientIDManagerStartup 3/31/2021 4:56:24 PM 1780 (0x06F4)
[----- STARTUP -----] ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Machine: ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
OS Version: 10.0.17763.0 ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
SCCM Client Version: 5.00.8913.1012 ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
'RDV' Identity store does not support backup. ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
CCM Identity is in sync with Identity stores ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Retrieved Certificate options successfully ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Begin validation of Certificate [Thumbprint F] issued to 'machine' ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Completed validation of Certificate [Thumbprint ] issued to 'machine' ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
PopulateRegistrationHint: Using the CertificateID to set the hint. Cert thumbprint '', SMSID '' ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
HTTPS is enforced for Client. The current state is 1. ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Updated registration hint. ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
PopulateRegistrationHint: Registration hint successfully populated. ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Deleted Certificate ID from registry successfully ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Begin searching client certificates based on Certificate Issuers ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Certificate Issuer 1 [CN=rca; DC=; DC=; DC=com] ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Certificate Issuer 2 [CN=CA; DC=; DC=; DC=com] ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Skipping Certificate [Thumbprint ] issued to 'machine' as root is 'CN=CA, DC=, DC=, DC=' ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Completed searching client certificates based on Certificate Issuers ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Unable to find any Certificate based on Certificate Issuers ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Raising pending event:
instance of CCM_ServiceHost_CertRetrieval_Status
{
DateTime = "20210331112841.549000+000";
HRESULT = "0x87d00215";
ProcessID = 22432;
ThreadID = 3796;
};
ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
PKI Client Certificate matching SCCM certificate selection criteria is not available. ClientIDManagerStartup 3/31/2021 4:58:41 PM 3796 (0x0ED4)
Registered AAD join event listener. ClientIDManagerStartup 3/31/2021 4:58:49 PM 12752 (0x31D0)
Registered for AAD on-boarding notifications. ClientIDManagerStartup 3/31/2021 4:58:49 PM 12752 (0x31D0)
Initializing registration renewal for potential PKI issued certificate changes. ClientIDManagerStartup 3/31/2021 4:58:49 PM 12752 (0x31D0)
Succesfully intialized registration renewal. ClientIDManagerStartup 3/31/2021 4:58:49 PM 12752 (0x31D0)
[RegTask] - Executing registration task synchronously. ClientIDManagerStartup 3/31/2021 4:58:49 PM 12752 (0x31D0)
RegTask: Failed to refresh site code. Error: 0x8000ffff ClientIDManagerStartup 3/31/2021 4:58:50 PM 12752 (0x31D0)
Sleeping for 297 seconds before refreshing location services. ClientIDManagerStartup 3/31/2021 4:58:52 PM 12752 (0x31D0)
RegTask: Failed to refresh site code. Error: 0x8000ffff ClientIDManagerStartup 3/31/2021 5:03:50 PM 12752 (0x31D0)
Sleeping for 296 seconds before refreshing location services. ClientIDManagerStartup 3/31/2021 5:03:53 PM 12752 (0x31D0)

Thanks,
Nathan.

mem-cm-general
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AllenLiu-MSFT avatar image
1 Vote"
AllenLiu-MSFT answered AllenLiu-MSFT commented

Hi, @NathanielThomas-4109
Thank you for posting in Microsoft Q&A forum.

Unable to find any Certificate based on Certificate Issuers
PKI Client Certificate matching SCCM certificate selection criteria is not available.

Base on the messages in Clientidmanagerstatup.log, we may firstly to check have we deployed the unique client auth certs to our managed systems?


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

HI Allen,

Thanks for the response. Indeed the machines are looking for incorrect certificate issuers. We have recently updated our CA server and generated new client and root certificates and imported it in client machines. Still the machines are looking out for old CA. Found the issue to be the problem with registry "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\security\certificate issuers\". this still had the old CA server names and not the new one. When i updated it in client machine with new one the machines started registering.

Question is how to update this value in all client machines?

Thanks,
Nathan.

0 Votes 0 ·

Hi Nathan,
Maybe we can update the value in all clients by group policy.

0 Votes 0 ·
RahulJindal-2267 avatar image
0 Votes"
RahulJindal-2267 answered NathanielThomas-4109 commented

How are you installing the client?

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I am installating the client manually in the user machines with the below command

ccmsetup.exe /usePKICert /NOCRLCheck CCMALWAYSINF=1 SMSSITECODE=01 CCMHOSTNAME=Public fqdn ccmhttpsstate=1

0 Votes 0 ·