You have Cloud-Enabled Management (CEM) agents that are unable to register with the Notification Server (NS), or you are attempting to generate a CEM agent installation package and get an error:

Failed to generate package. Access is denied

In this case, when attempting to test correcting the first issue by installing a new CEM agent to ensure the correct certificates were included and installed the following errors are seen in the logs;

Warning 1: CEM certificates response format is invalid

Warning 2: Failed to receive CEM certificates from https://<SMPserverFQDN>:443/altiris/NS/Agent/GetClientCertificate.aspx in CEM mode, error: The data is invalid (0x8007000D)

Warning 3: Configure Server Mode: CEM mode was not initialized successfully, will retry

Warning 4: Failed to register agent. Registration status 'Not registered'. Next retry in 60 min.

Errors (many) : CTAgent::GetAgentStatus(): CAtrsException exception, error: m_taskStatusCollector->GetTaskStatus failed, OS error: Invalid pointer (0x80004003), at line 1585

NOTE: The agent showed as connected to the Notification Server in Sym Agent's Property's Settings tab, but it did not show as registered to a Task Server in Task Status tab.

The error seen in the Notification Server logs when attempting to generate a CEM agent package was:

Failed to generate agent package

Access is denied
   [Altiris.NS.Exceptions.AeXException @ Altiris.NS.StandardItems]
   at Altiris.NS.StandardItems.AgentManagement.CEMPackageRegistrator.BuildSitePackage(PackageMode mode, String siteIdentifier, IEnumerable`1 gateways, IEnumerable`1 resourceTargets, IEnumerable`1 organizationalGroups, String additionalInstallParams, DateTime requestedPackageExpiry, AgentPackageParameters packageParams, DateTime& packageExpiry, String& installXML)
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.GenerateCEMPackage(AgentPackageParameters packageParams)
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.OnGeneratePackage(Object sender, EventArgs e)

Exception logged from:
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.ReportPackageGenrationException(Exception)
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.OnGeneratePackage(Object, EventArgs)
   at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.RaisePostBackEvent(String)
   at System.Web.UI.Page.ProcessRequestMain(Boolean, Boolean)
   at System.Web.UI.Page.ProcessRequest(Boolean, Boolean)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(System.Web.HttpContext)
   at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(System.Web.HttpContext)
   at Altiris.NS.UI.AltirisPage.ProcessRequest(System.Web.HttpContext)
   at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(System.Web.HttpApplication+IExecutionStep)
   at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
   at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
   at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)

User [<Domainname>\APPID], Auth [<Domainname>\APPID], AppDomain [/LM/W3SVC/1/ROOT/Altiris/NS-3-131904958833856860]

HTTP [POST]: http://localhost/Altiris/NS/Admin/ClientManagement/IbcmAgentInstallationPackage.aspx
 ip: [127.0.0.1]; languages: [en-US]; content-length: [20053];
 response: [200 OK]; x-smp-nsversion: [8.1.4528.0];

The Windows Event Viewer / Security Logs on the Notification Server showed the following:

Account Name: <AppID Name>
Account Domain: <Domain Name>
Logon ID: <Login ID>

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: {<KEYVALUE>}
Key Type: Machine key.

Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016

ITMS 8.x

The Application Identity (Altiris Service Account) did not have needed permissions on the folder ProgramData\Microsoft\Crypto\RSA\MachineKeys

Follow below steps:

1. Browse to the following location: C:\ProgramData\Microsoft\Crypto\RSA\
2. Right click on 'MachineKeys' directory and select Properties.
3. Select Security.
4. Click Edit.
5. Select Add.
6. Give the Application Identity Account name.
7. Assign, at minimum, the following:
   • Modify
   • Read & Execute
   • List folder contents
   •  Read
   • Write
8. Click on Check Names and click OK.
9. Click Apply and select Continue and click OK.

NOTE: After hitting apply, you may see "Access Denied" errors on as many as 5 subdirectories. This is normal in many situations so click Accept.