Configuration Manager 2007 client operations fail after you install a May 2017 security update for Windows Server 2008 or 2008 R2

Applies to: Microsoft System Center Configuration Manager 2007

Symptoms


Client-related operations fail in an installation of Microsoft System Center Configuration Manager 2007 that has the server locator point (SLP) role after you install one of the following May 2017 security updates for Windows Server 2008 or Windows Server 2008 R2:

4018556 Security update for the Windows COM Elevation of Privilege Vulnerability in Windows Server 2008: May 9, 2017

4019263 May 9, 2017—KB4019263 (Security-only update)

4019264 May 9, 2017—KB4019264 (Monthly Rollup)

Note This problem does not affect System Center Configuration Manager 2012 or the current branch version of the program.

This problem can affect the following operations:

  • New client registrations
  • Client assignments to new sites
  • Client reinstallations

Also, you receive a "Could Not Initialize" error message if you browse to the following location:

http://localhost/sms_slp/SLP.dll?site&SC=<sitecode>

Note In this message, <sitecode> represents your actual site code.

This error message resembles the following screen shot.

[Screenshot: error message]

Cause


The worker process typically runs under the LOCAL SERVICE account. However, after you apply one of the updates that are mentioned in the "Symptoms" section, the LOCAL SERVICE account is removed. This causes the worker process to be moved to the System account, and the SLP becomes inaccessible.

Workaround



  1. Open the Properties window of the SLPExec.exe file. By default, this file is located in the following folder:
    c:\SMS\SMS_SLP
     
    Note If you don't know where the SLPExec.exe file is located, go to IIS, browse to the default website, and then look under SMS_SLP and content view. Click View Permissions to see the full path.
  2. In the Group or user names area, add LOCAL SERVICE.
  3. Grant the Read & execute permission for LOCAL SERVICE, as shown in the following screen shot.

    [Screenshot: add permissions]

After you grant the permission, try again to access the URL that generated the error. If the XML information is displayed, the problem is temporarily resolved.

[Screenshot: XML]
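
The permission change and the follow-up check can also be scripted. The following PowerShell is an added example, not part of the original article or any Microsoft tooling; it assumes the default SLPExec.exe path from step 1 (override it with `-SlpExecPath`) and that you pass your own site code.

```powershell
# Added example (not Microsoft's script). Run elevated on the SLP server.
param(
    [Parameter(Mandatory = $true)][string]$SiteCode,
    # Default location from step 1; pass the real path if yours differs.
    [string]$SlpExecPath = 'C:\SMS\SMS_SLP\SLPExec.exe'
)
$ErrorActionPreference = 'Stop'

# S-1-5-19 is the well-known SID for NT AUTHORITY\LOCAL SERVICE.
$localService = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-19')
$rx    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$allow = [System.Security.AccessControl.AccessControlType]::Allow

if (-not (Test-Path -Path $SlpExecPath)) {
    throw "SLPExec.exe not found at '$SlpExecPath'."
}

# Steps 2 and 3: add the ACE only if LOCAL SERVICE lacks Read & execute.
$acl = Get-Acl -Path $SlpExecPath
$sidType = [System.Security.Principal.SecurityIdentifier]
$hasRx = $false
foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($ace.IdentityReference.Value -eq $localService.Value -and
        $ace.AccessControlType -eq $allow -and
        ($ace.FileSystemRights -band $rx) -eq $rx) {
        $hasRx = $true
    }
}
if ($hasRx) {
    Write-Output 'LOCAL SERVICE already has Read & execute; ACL unchanged.'
} else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($localService, $rx, $allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $SlpExecPath -AclObject $acl
    Write-Output 'Granted Read & execute to LOCAL SERVICE.'
}

# Re-test the URL from the Symptoms section.
$url = "http://localhost/sms_slp/SLP.dll?site&SC=$SiteCode"
try {
    $body = (New-Object System.Net.WebClient).DownloadString($url)
    if ($body -match 'Could Not Initialize') {
        Write-Warning "SLP still returns 'Could Not Initialize'."
    } else {
        Write-Output 'SLP responded:'; Write-Output $body
    }
} catch {
    Write-Warning "Request to $url failed: $($_.Exception.Message)"
}
```

The script grants only Read & execute on the single file, matching step 3, and does not evaluate Deny entries that could still block access.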
 

More Information


If the Active Directory schema is not extended, the SLP is required for the client to check the site version and get the site code information. If the SLP is broken, the client cannot be registered.

For many environments, this problem does not occur if you extend the schema.

For more information about whether SLP is required, see the following TechNet topic:

Determine If You Need a Server Locator Point for Configuration Manager Clients