ConfigMgr Console Cannot Connect To The Site

Background:

I was recently working with a customer that kept getting running into an issue after installing the ConfigMgr 2012 R2 console where it would fail to connect to the site with the following error.

Error

This is obviously pretty generic error there could be many things. In my case, we where seeing some error in the SMSAdminUI.log as well as shown below.

Error1

[1, PID:4764][09/03/2014 15:01:12] :The performance counter '# images' was not found

[5, PID:4764][09/03/2014 15:01:18] :The performance counter '# result objects in memory' was not found

[5, PID:4764][09/03/2014 15:01:18] :The performance counter '# exceptions' was not found

Possible Fixes:

I’ve seen a few other post mention running a performance counter reset using LODCTR /R would fix this issue: http://thewindowsadmin.com/?p=56 & http://social.technet.microsoft.com/Forums/en-US/a224764a-8a41-40c5-baa8-3c6e8c40fd80/configuration-manager-cannot-connect-to-the-configuration-manager-site?forum=configmanagergeneral

In my case, we tried this and it did not resolve this issue. It was actually happening on multiple machines so I figured it wasn’t a performance counter issue.

After some troubleshooting we took a look at the Antivirus logs (MacAfee) in our case.

In the AccessProtection.txt log, we saw the following entries.

9/3/2014    4:07:36 PM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ConfigMgr 2012 Console\Performance    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

9/3/2014    4:07:36 PM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ConfigMgr 2012 Console    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

9/3/2014    4:07:39 PM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ConfigMgr 2012 Console - WMI Query Engine\Performance    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

9/3/2014    4:07:39 PM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ConfigMgr 2012 Console - WMI Query Engine    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

9/3/2014    4:07:43 PM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ConfigMgr 2012 Console - WMI Query Engine\Performance    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

9/3/2014    4:07:43 PM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ConfigMgr 2012 Console - WMI Query Engine    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

The customer had a rule enabled to prevent programs from registering as a service. Apparently, during the installation of the console a .NET 4 component is used to register some services.

We added these machines into a staging group that didn’t block anything and the console installed and could connect just fine.