ConfigMgr 2007: OSD Task Sequence Fails with the error "An error occurred while retrieving policy for this computer (0x80004005)"

ConfigMgr 2007: OSD Task Sequence Fails with the error "An error occurred while retrieving policy for this computer (0x80004005)"

  • Comments 2
  • Likes

Here's another ConfigMgr 2007 OSD tip from Frank Rojas out in Charlotte, North Carolina.  If you have a Task Sequence that fails almost immediately after it boots into WinPE with an 0x80004005 error then you'll want to check this one out:

========

Issue: When attempting to deploy a Task Sequence via SCCM 2007 OSD, the Task Sequence fails almost immediately after it boots into WinPE with the following error message:

An error occurred while retrieving policy for this computer  (0x80004005). For more information, please contact your system administrator or helpdesk operator.

Examining the SMSTS.log shows the following error message:

No cert available for policy decoding
Failed to download policy (Policy_ID> (Code 0x80004005).

Cause: This error message can be caused by missing, expired, or blocked Certificates for either the Boot Media or the PXE Service Point.

Resolution: To determine if the Certificate is missing, expired, or blocked follow the steps below:

  1. In the Configuration Manager Admin Console, expand Site Database --> Site Management --> <Site_Code> --> Site Settings --> Certificates.
  2. Click on either Boot Media or PXE, depending on the method that the PC is being booted when trying to run the OSD Task Sequence.
  3. On the right hand pane, locate the Certificate being used and see if it is blocked, expired, or missing.

To resolve the issue for missing or expired certificates on Boot Media, a new certificate needs to be created:

  1. Recreate the Boot Media by going in the Configuration Manager Admin Console to Site Database --> Computer Management --> Operating System Deployment.
  2. Right clicking on Task Sequences and choosing Create Task Sequence Media.
  3. Step through the Task Sequence Media Wizard to create the appropriate media.
  4. In the Security screen, locate the Create self-signed media certificate option.
  5. Make sure that the Set start date is set to either today or some date in the past.
  6. Make sure that the Set expiration date is set to some date in the future.
  7. Finish stepping through the Task Sequence Media Wizard to finish creating the ISO or USB Flash Drive.
  8. Go to Site Database --> Site Management --> <Site_Code> --> Site Settings --> Certificates --> Boot Media and verify that there is now a valid non-expired non-blocked Certificate.
  9. If using CDs/DVDs, once the ISO is created, create a CD/DVD from the ISO and dispose any previous OSD CDs or DVDs.
  10. If using a USB Flash Drive, make sure to recreate all USB Flash Drives be redoing steps 1-8 above.

To resolve the issue for missing or expired certificates on a PXE Service Point, a new Certificate needs to be created:

  1. Go to Site Database --> Site Management --> <Site_Code> --> Site Settings --> Site Systems and choose the server where the PXE Service Point is located.
  2. In the right pane, right click on the ConfigMgr PXE service point and choose Properties.
  3. Click on the Database tab and locate the Create self-signed PXE certificate option.
  4. Under Create self-signed PXE certificate, set the Set expiration date option to some time in the future.
  5. Click OK.
  6. Go to Site Database --> Site Management --> <Site_Code> --> Site Settings --> Certificates --> PXE and verify that there is now a valid non-expired non-blocked Certificate.
  7. Update the Boot Images by going to Site Database --> Computer Management --> Operating System Deployment --> Boot Images.
  8. Expand both the Boot image (x64) and Boot image (x86) nodes (and any custom Boot Images if present).
  9. For each Boot Image, right click on Distribution Points and choose Update Distribution Points.
  10. Step through the Manage Distribution Points wizard until it has completed rebuilding the Boot Images.
  11. Restart the Windows Deployment Services (WDS) Server service.

To resolve the issue if the certificate is blocked, follow these steps:

  1. Go to Site Database --> Site Management --> <Site_Code> --> Site Settings --> Certificates.
  2. Choose either Boot Media (if the deployment is being done via a boot media) or PXE (if the deployment is being done via PXE). You will be able to see all of the certificates associated with either the Boot Media or the PXE point.
  3. Check to see if the applicable certificate is set to "Blocked" under the Status column. If the certificate is blocked, unblock it. To unblock a certificate, right click on it and choose "Unblock".

If you are not certain which certificate is the applicable one, you may have to unblock the certificates one at a time, retry the deployment again, and then see if the error goes away. Once you have determined the applicable certificate, you may want to go back and re-block the certificates that were not applicable and were unblocked during the testing.

========

Thanks Frank!

J.C. Hornbeck | Manageability Knowledge Engineer

Comments
  • Good article but it would be helpful if you could let people know how to import a certificate as well.

    For instance if we previously had a self signed but want to move to one that is signed by our orginaizations CA.

    Also how do we completly delete the old certificates from the PXE Certificates area (or boot).  If there are some in there that we no longer want.

  • It would be handy to know how to remove the old expired certs as well.  I have so many of them listed it is easy to get confused

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment