SCCM Client Registration Failing
The symptoms:
- Only 2 Actions displayed in the Configuration Manager Control Panel applet (Machine Policy Retrieval & Evaluation Cycle and User Policy Retrieval & Evaluation Cycle)
- PolicyAgent.log on the client:

Simple fixes that were tried but didn’t resolve the issue:
- Restart the client
- Uninstall the CCM client, restart, and reinstall
- Delete the computer object from the Console
Deeper troubleshooting is needed.
Review the ClientIDManagerStartup.log on the client for the registration request:

Server rejected registration request: 3
These 6 lines repeat every 5 minutes. Take note of the unique GUID your client is using; we need it later.
Find the Management Point the client is communicating with by checking LocationServices.log on the client:

On the Management Point that is being used, open MP_RegistrationManager.log and use your Client’s GUID to find the registration attempt:

Client ‘’ is unknown or has an invalid key registered in the database.
CCMValidateAuthHeaders failed (0x87d0025e) to validate headers for client ‘’.
MP Reg: Failed to verify RegistrationHint, 0x87d0025e.
It is worth noting that the Registration Request is submitted by a client with a GUID starting with “8B40DE1D”; however, the next line reports an error with a different client ID (92fcda09). It isn’t obvious, but even though the client has not registered with SCCM yet (with its new ‘8B40DE1D’ GUID), SCCM has detected that this request is coming from a device it has seen previously (which it knows as GUID 92fcda09). I haven’t been able to work out what tables (if any) provide this linking, and a search of common views like v_R_System for ‘92fcda09’ returned no results.
Moving on: the line “Client ‘’ is unknown or has an invalid key registered in the database.” is actually referring to a certificate. The following SQL retrieves the certificate information SCCM is referring to in the above log:
select *
from ClientKeyData
where SMSID like '92fcda09-%'
(‘92fcda09-%’ is taken from my specific log. You’ll need to update this with your own unique GUID)
Reviewing the one line that is returned, you’ll notice the IsRevoked property is set to “1”, i.e. the Site Server does not trust this specific client certificate.
You can verify that this line in the database is related to your specific client by comparing the Thumbprint and ValidUntil from the database with the certificate on the client itself:


The following SQL will update the database so that the certificate is trusted:
update ClientKeyData
set IsRevoked=0
where SMSID='<Full SMSID>'
The client retries registration approximately every 5 minutes. Wait for the next retry and the client will register successfully.
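A guarded variant of the UPDATE above, as an added example that is not part of the original post: it clears IsRevoked only when the row's Thumbprint matches the one read from the client's certificate, and rolls back unless exactly one row changed. Both values are placeholders, and it assumes Thumbprint is stored in a form that compares as text.

```sql
-- Added example, not from the original post. Replace both placeholders.
DECLARE @SMSID      nvarchar(255) = N'<Full SMSID>';             -- from the SELECT above
DECLARE @Thumbprint nvarchar(255) = N'<Thumbprint from client>'; -- read from the client's certificate
                                                                 -- (assumed comparable as text)

BEGIN TRANSACTION;

-- Show the row as it is before the change, for the change record.
SELECT SMSID, Thumbprint, ValidUntil, IsRevoked
FROM ClientKeyData
WHERE SMSID = @SMSID;

-- Un-revoke only the row that was verified against the client's certificate.
UPDATE ClientKeyData
SET IsRevoked = 0
WHERE SMSID = @SMSID
  AND Thumbprint = @Thumbprint
  AND IsRevoked = 1;

-- Exactly one row must have changed; otherwise undo everything.
IF @@ROWCOUNT = 1
    COMMIT TRANSACTION;
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('No single revoked row matched SMSID and Thumbprint; nothing changed.', 16, 1);
END
```

If the script raises the error, re-check the Thumbprint comparison from the earlier step before changing anything by hand.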