KB: Configuration Manager 2007 client operations fail after you install a May 2017 security update for Windows Server 2008 R2

We have released a new KB article Configuration Manager 2007 client operations fail after you install a May 2017 security update for Windows Server 2008 R2 which contains a solution to the following issue:

Client-related operations fail in an installation of Microsoft System Center Configuration Manager 2007 that has the server locator point (SLP) role after you install one of the following May 2017 security updates for Windows Server 2008:

4018556 Security update for the Windows COM Elevation of Privilege Vulnerability in Windows Server 2008: May 9, 2017

4019263 May 9, 2017—KB4019263 (Security-only update)

4019264 May 9, 2017—KB4019264 (Monthly Rollup)

Note This problem does not affect System Center Configuration Manager 2012 or the current branch version of the program.

This problem can affect the following operations:

  • New client registrations
  • Client assignments to new sites
  • Client reinstallations

Also, you receive a “Could Not Initialize” error message if you browse to the following location:

http://localhost/sms_slp/SLP.dll?site&SC=<sitecode>

Note In this message, <sitecode> represents your actual site code. This error message resembles the following screen shot:

Cause

The worker process typically runs under the LOCAL SERVICE account. However, after you apply one of the updates that are mentioned in the “Symptoms” section, the LOCAL SERVICE account is removed. This causes the worker process to be moved to the System account, and the SLP becomes inaccessible.


Workaround

The worker process typically runs under the LOCAL SERVICE account. However, after you apply one of the updates that are mentioned in the “Symptoms” section, the LOCAL SERVICE account is removed. This causes the worker process to be moved to the System account, and the SLP becomes inaccessible.

  1. Open the Properties window of the SLPExec.exe file. by default, this file is located in the following folder:
    c:\SMS\SMS_SLP
    Note If you don’t know where the SLPExec.exe file is located, go to IIS, browse to the default website, and then look under SMS_SLP and content view. Click View Permissions to see the full path.
  2. In the Group or user names area, add LOCAL SERVICE.
  3. Grant the Read & execute permission for LOCAL SERVICE

After you grant the permission, try again to access the URL that generated the error. If the XML information is displayed, the problem is temporarily resolved.

For the official KB article see https://support.microsoft.com/help/4035047.