Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Configuration Manager 2007 client operations fail after you install a May 2017 security update for Windows Server 2008 or 2008 R2


View products that this article applies to.

Symptoms

Client-related operations fail in an installation of Microsoft System Center Configuration Manager 2007 that has the server locator point (SLP) role after you install one of the following May 2017 security updates for Windows Server 2008 or Windows Server 2008 R2:

4018556 Security update for the Windows COM Elevation of Privilege Vulnerability in Windows Server 2008: May 9, 2017

4019263 May 9, 2017—KB4019263 (Security-only update)

4019264 May 9, 2017—KB4019264 (Monthly Rollup)

Note This problem does not affect System Center Configuration Manager 2012 or the current branch version of the program.

This problem can affect the following operations:

  • New client registrations
  • Client assignments to new sites
  • Client reinstallations

Also, you receive a "Could Not Initialize" error message if you browse to the following location:

http://localhost/sms_slp/SLP.dll?site&SC=<sitecode>

Note In this message, <sitecode> represents your actual site code.

This error message resembles the following screen shot.

4035047 - error msg

↑ Back to the top


Cause

The worker process typically runs under the LOCAL SERVICE account. However, after you apply one of the updates that are mentioned in the "Symptoms" section, the LOCAL SERVICE account is removed. This causes the worker process to be moved to the System account, and the SLP becomes inaccessible.

↑ Back to the top


Workaround

The worker process typically runs under the LOCAL SERVICE account. However, after you apply one of the updates that are mentioned in the "Symptoms" section, the LOCAL SERVICE account is removed. This causes the worker process to be moved to the System account, and the SLP becomes inaccessible.

  1. Open the Properties window of the SLPExec.exe file. by default, this file is located in the following folder: 
    c:\SMS\SMS_SLP
     
    Note If you don't know where the SLPExec.exe file is located, go to IIS, browse to the default website, and then look under SMS_SLP and content view. Click View Permissions to see the full path.
  2. In the Group or user names area, add LOCAL SERVICE.
  3. Grant the Read & execute permission for LOCAL SERVICE, as shown in the following screen shot.

    4035052 - add perms

After you grant the permission, try again to access the URL that generated the error. If the XML information is displayed, the problem is temporarily resolved.

4035047 - XML  

↑ Back to the top


More Information

If you do not have Active Directory schema extended, SLP is required for the client to be able to check for a site version and get the site code information. If SLP is broken, the client cannot be registered.

For many environments, this problem does not occur if you extend the schema.

For more information about whether SLP is required, see the following TechNet topic:

Determine If You Need a Server Locator Point for Configuration Manager Clients

↑ Back to the top


Keywords: kb, kbprb, kbsurveynew

↑ Back to the top

Article Info
Article ID : 4035047
Revision : 15
Created on : 7/10/2017
Published on : 7/10/2017
Exists online : False
Views : 352