MSMQ Setup complains 'The public cryptographic key of this computer cannot be stored'

A customer was having problems when re-installing MSMQ. A pop-up would appear complaining:

Message Queuing Client Setup Failure
Unable to store the public cryptographic key of this computer.
This computer cannot send or receive encrypted messages.
      Error Code: 0xC00E0025 
      Error Description: Access is denied.

Thanks to Lisa Guthrie for the solution below.

First we need to introduce an acronym to save on typing: the DULA. This stands for "domain user/local admin", which describes most people in places where the employer doesn't have strict policies tying down the desktop. The person has a normal domain account (no admin privileges in the domain) that has been added to the local Administrators group on the computer, either directly (for their own machine) or through membership of a domain group (for the machines they are responsible for).

The problem comes when changes need to be made to the MSMQ configuration object for the computer in Active Directory. By default, only domain administrators and the original account used to install MSMQ (if it's not a domain administrator) have full control of the MSMQ configuration object. So if you install MSMQ using one DULA account and then try to renew cryptographic keys, uninstall MSMQ, etc., using another DULA account, you will get "access denied."

You can work around this by granting the second DULA account appropriate permissions on the MSMQ configuration object (and the computer object, if necessary).
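One way to check who holds full control on the MSMQ configuration object, and optionally to grant it to the second DULA account, is sketched below. This is an added example, not code from the original post: the computer name and account are placeholders, the object is assumed to be at its default location (a child of the computer object named "msmq"), and full control is assumed as the "appropriate" permission because that is the default the post describes.

```powershell
# Added example. Requires the RSAT ActiveDirectory module and rights to read
# (and, when $Grant is $true, modify) the ACL of the object.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ComputerName = 'WORKSTATION01'          # placeholder computer name
$Account      = 'EXAMPLE\second.dula'    # placeholder second DULA account
$Grant        = $false                   # audit only; set to $true to add the ACE

# Assumption: the MSMQ configuration object is at its default location,
# a child of the computer object named "msmq".
$computer = Get-ADComputer -Identity $ComputerName
$msmqDn   = "CN=msmq,$($computer.DistinguishedName)"

try {
    Get-ADObject -Identity $msmqDn -ErrorAction Stop | Out-Null
} catch {
    # Nothing to fix: the object was never created or has already been removed.
    Write-Warning "No MSMQ configuration object found at $msmqDn"
    return
}

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl = Get-Acl -Path "AD:\$msmqDn"

# List the identities that currently hold full control on the object.
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

if ($Grant) {
    # Resolve the account to a SID, then add an explicit Allow ACE for it.
    $sid  = ([System.Security.Principal.NTAccount]$Account).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $fullControl,
                [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$msmqDn" -AclObject $acl
}
```

Run it once with `$Grant = $false` to confirm that the installing account and domain administrators are the only full-control holders before adding an ACE for a named account.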

Also, DULA accounts cannot reinstall MSMQ. You will need to either:

  • reinstall as a domain administrator
    or
  • manually remove the existing MSMQ configuration object from Active Directory before reinstalling.