After digging in to this further, I found out that this was actually a remote registry path issue. In my log files, I missed the warning message saying "Cannot connect to remote registry on 'SERVERFQDN' (frequent cause is remote registry service is not running)".
After our server was upgraded, a new set of GPOs were applied that configured the Machine value under HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths. This GPO removed the entry for "SOFTWARE\Microsoft\SMS"; manually reading it allowed the boot media creation process to complete successfully. Jesse Schauer Windows Server Administrator II Endpoint Manangement Services University of Idaho ITS From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Schauer, Jesse (jes...@uidaho.edu) Sent: Thursday, March 31, 2016 9:26 AM To: 'ms...@lists.myitforum.com' <ms...@lists.myitforum.com> Subject: [mssms] Boot Media Creation Fails: The user who creates media has to be local administrator on remote DP We recently upgraded our ConfiMgr site from 2012 to Current Branch. The site appears to be healthy but I am running into issues creating bootable media since the upgrade. I am attempting to create the media via a remote console using an account that has "Full Administrator" rights in ConfigMgr but does not have admin rights on the site server/DP. Previously, this worked without issue but now media creation fails. I am getting the following error messages in CreateTsMedia.log: Failed to open to WMI namespace '\\SERVERFQDN\root\default' (80041003) Unable to open WMI namespace '\\SERVERFQDN\root\default' (0x80041003) Failed to connect to namespace 'root\default' needed to read remote registry values. The user who creates media has to be local administrator on remote DP on 'DERVERFQDN' which contains media content. Is this a change from 2012 or am I running into a WMI permissions issue? Our full upgrade process was as follows: * 2012 R2 SP1 CU2 -> 1511 * 1511 -> 1602 * OS Upgrade from 2008 R2 to 2012 R2 The OS upgrade appears to have reset the WMI permissions so we manually recreated the permissions for the SMS Admins group to the root\SMS namespace. On a site still running 2012 R2 SP1 CU2 I do not see any rights granted to SMS Admins on the root\DEFAULT namespace. Jesse Schauer Windows Server Administrator II Endpoint Manangement Services University of Idaho ITS
