In some cases you may see client check-in issues for shared/kiosk machines as well as in some cases standard clients that have a Group Policy setting enforced to "Turn off Automatic Root Certificates Update". This was found to be enforced for a subset of machines in a customer environment which disallowed client communication after a server certificate update which came down from a new root CA. The clients that were able to automatically update their root CA did not have the above setting enforced and continued to communicate, but those in a secure group did not. The following error will be seen in the client communication logs for SEE:

"SubmitReport failed with error - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

To workaround this issue, the following GPO/Local policy setting can be adjusted:

To turn on Automatic Root Certificates Update via Local Group Policy Editor:

1. Click Start, and then click Run.
2. Type gpedit.msc, and then click OK.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Under computer configuration, Double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
5. Double-click Turn off Automatic Root Certificates Update, click Disabled, and then click OK.
6. Close the Local Group Policy Editor.

Locate the GPO/Local Policy for "Turn off Automatic Root Certificates Update" and select "Disabled".