SCCM MECM Configuration Manager Clients Not Checking in With Management Point, Server Certificate Retrieved in TLS is Not an Exact Match of the Current MP Encryption Certificate 0x80004005

Issue: 

After migrating to a new management point, many clients were not checking in with the management point. When reviewing the Devices node under Assets and Compliance, many clients were shown as offline even though they were actually online and responded to ping from the server.

Reviewing the logs on the client machines, the CCM Notification log CCMNotificationAgent.log showed:

Server Certificate Retrieved in TLS is Not an Exact Match of the Current MP Encryption Certificate 0x80004005

Reviewing logs on the management point server, the BGB Server Log bgbserver.log showed:

Expecting More Data From Client

and

Can't Finish Connecting With Client, Which Might Have Already Disconnect System.IO.IOException: Authentication Failed Because the Remote Party Has Closed the Transport System

Reviewing the Configuration Manager Console:

Administration - Hierarchy Configuration - Active Directory Forests

The Publishing Status showed Authentication Failure.

In the properties of the domain forest, Use Computer Account of Site Server was checked, so it is the site server's computer account that must be able to publish to Active Directory.

Resolution:

In Active Directory Users and Computers, click View and check Advanced Features.
Expand the System OU (it is only visible once Advanced Features is enabled).
Grant the Site Server's Computer Account Full Control on the System Management container.
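The permission check and grant described in the steps above, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed, that it runs as a domain administrator, and that CM01 is a placeholder for the site server's computer account name; the ACE is applied to the container and all descendant objects, which is what site publishing requires.

```powershell
# Added example, not from the original post: verify that the site server's computer
# account has Full Control on CN=System Management, and add the ACE if it is missing.
# Assumption: 'CM01' is a placeholder for the site server's computer account name.
Import-Module ActiveDirectory

$SiteServer = 'CM01'
$Domain     = Get-ADDomain
$Container  = "CN=System Management,CN=System,$($Domain.DistinguishedName)"
$AclPath    = "AD:\$Container"            # AD: drive is provided by the AD module

# Resolve the computer account; its SamAccountName carries the trailing '$'.
$Computer = Get-ADComputer -Identity $SiteServer
$Account  = "$($Domain.NetBIOSName)\$($Computer.SamAccountName)"
$Sid      = [System.Security.Principal.SecurityIdentifier]$Computer.SID
$FullCtl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Read the current ACL on the System Management container.
$Acl = Get-Acl -Path $AclPath

# An ACE only satisfies the check if it is Allow, grants every GenericAll bit,
# and is inherited by descendant objects (the MP's own objects live underneath).
$Existing = $Acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $FullCtl) -eq $FullCtl) -and
    $_.InheritanceType -eq 'All'
}

if ($Existing) {
    Write-Output "Full Control for $Account on System Management is already present."
} else {
    Write-Output "No Full Control ACE for $Account found on $Container; adding one."
    $Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        $FullCtl,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $Acl.AddAccessRule($Ace)
    Set-Acl -Path $AclPath -AclObject $Acl
    Write-Output "ACE added. Re-check Publishing Status under Active Directory Forests."
}
```

Run it again after the change: the first branch should now report the ACE as present, and the Publishing Status in the console should clear from Authentication Failure once the site server republishes.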


This article was helpful in resolving the issue: http://eskonr.com/2019/12/client-assignment-failed-from-http-to-https-with-error-code-failed-to-verify-message-could-not-retrieve-certificate-from-mpcert/