(imported comment written by Don65)
Thanks Martin, that was helpful and pointed me in the right direction.
The problem appears to be with the besclient service security descriptor. Below is the process I used to identify where I believe the problem is originating.
- I checked the following registry setting on a number of known properly working BES clients. All of the clients had the same hex value.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BESClient\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00
- The reference build for the OSD capture was created on a VM. I reverted the VM to the snapshot that was taken just prior to the OSD capture and checked the registry value mentioned above. The reference build had the same hex value.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BESClient\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00
- I reverted the reference build to the snapshot that was taken immediately after the sysprep / OSD capture completed. This is the hex value I found. It’s also the hex value that I’m seeing on all of the workstations built via an OSD bare metal build.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BESClient\Security]
"Security"=hex:01,00,14,80,a4,00,00,00,b0,00,00,00,14,00,00,00,1c,00,00,00,02,\
00,08,00,00,00,00,00,02,00,88,00,04,00,00,00,00,00,24,00,ff,01,0f,00,01,05,\
00,00,00,00,00,05,15,00,00,00,53,c3,93,22,93,4c,6b,e6,53,cb,c3,9e,00,02,00,\
00,00,00,24,00,8d,01,02,00,01,05,00,00,00,00,00,05,15,00,00,00,53,c3,93,22,\
93,4c,6b,e6,53,cb,c3,9e,01,02,00,00,00,00,24,00,ff,01,0f,00,01,05,00,00,00,\
00,00,05,15,00,00,00,53,c3,93,22,93,4c,6b,e6,53,cb,c3,9e,28,46,00,00,00,00,\
14,00,ff,01,0f,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,\
05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
- To summarize, it appears the sysprep / capture process altered the hex value, which in turn is causing the issue we’re seeing. If I export the registry hex value from a known good BES client, next import the known good registry value onto an OSD bare metal built workstation, then reboot the workstation, the issue is then resolved. I’m thinking I can probably import the known good registry hex value into the registry after the OSD bare metal build process completes via a software distribution task. This will be a near-term workaround unless someone sees an issue with this. I also have a case open with IBM support. Hoping to get a quick answer on this so I can move forward with the deployment.
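
Added example (not part of Don65's post and not IBM tooling): a Python decoder that reads the post-capture REG_BINARY value quoted above as a self-relative Windows security descriptor, so the owner, group and DACL entries can be compared between a working client and an OSD-built one. The function names are illustrative; the byte string is copied from the post.

```python
import re
import struct
# REG_BINARY data copied from the post above (value seen after sysprep / OSD capture).
POST_CAPTURE = r"""
01,00,14,80,a4,00,00,00,b0,00,00,00,14,00,00,00,1c,00,00,00,02,\
00,08,00,00,00,00,00,02,00,88,00,04,00,00,00,00,00,24,00,ff,01,0f,00,01,05,\
00,00,00,00,00,05,15,00,00,00,53,c3,93,22,93,4c,6b,e6,53,cb,c3,9e,00,02,00,\
00,00,00,24,00,8d,01,02,00,01,05,00,00,00,00,00,05,15,00,00,00,53,c3,93,22,\
93,4c,6b,e6,53,cb,c3,9e,01,02,00,00,00,00,24,00,ff,01,0f,00,01,05,00,00,00,\
00,00,05,15,00,00,00,53,c3,93,22,93,4c,6b,e6,53,cb,c3,9e,28,46,00,00,00,00,\
14,00,ff,01,0f,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,\
05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
"""

def reg_hex_to_bytes(text):
    # Drop commas, backslash continuations and whitespace from .reg "hex:" data.
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", text))

def parse_sid(buf, off):
    if off == 0:  # an offset of 0 in the header means "not present"
        return None
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_acl(buf, off):
    if off == 0:
        return None
    _rev, _sbz, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        # Allow (0), deny (1) and audit (2) ACEs share one layout: header, mask, SID.
        sid = parse_sid(buf, pos + 8) if ace_type in (0, 1, 2) else None
        aces.append((ace_type, mask, sid))
        pos += ace_size
    return aces

def parse_sd(buf):
    _rev, _sbz, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & 0x8000:  # SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    return {"owner": parse_sid(buf, owner), "group": parse_sid(buf, group),
            "sacl": parse_acl(buf, sacl), "dacl": parse_acl(buf, dacl)}

if __name__ == "__main__":
    sd = parse_sd(reg_hex_to_bytes(POST_CAPTURE))
    print(sd["owner"], sd["group"], *sd["dacl"], sep="\n")
```

In the decoded DACL, mask 0x000F01FF is SERVICE_ALL_ACCESS, and the well-known RIDs 512 and 513 at the end of a domain SID are Domain Admins and Domain Users. The shorter values quoted earlier in the post are 20 bytes as shown, which is only the descriptor header, so the full exported value is needed before they can be decoded the same way.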