Stuart James at myITforum.com

Require secure key exchange enabled by default

Most customers who enabled the "Require secure key exchange" setting in SMS 2003 suddenly got stuck when deploying new secondary sites and couldn't figure out why the secondary site was constantly in the pending state.

I expect a lot more people deploying Configuration Manager will hit this issue as the require secure key exchange setting is now enabled by default.

If you’re experiencing this issue, the inboxes\despoolr.box\receive folder on the parent site will begin to fill up with files from the secondary site, and the Despool.log file on the parent site will log entries similar to:

“Cannot find a public key for instruction C:\SMS\inboxes\despoolr.box\receive incoming from site S01, retry it later”
“Cannot find valid public key for key exchange instruction coming from site S01”

That’s assuming you’ve installed ConfigMgr to C:\SMS and the secondary site code is S01, of course.

You will also receive status messages for the SMS_DESPOOLER component on the receiving site.

The solution is to exchange the keys manually using the Preinst.exe tool. The following article discusses how to do this and mentions a few other scenarios where this is necessary:
https://www.microsoft.com/technet/prodtechnol/sms/smsv4/smsv4_help/45918ca7-891a-4551-99f6-b4daf41b58e5.mspx?mfr=true
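
To confirm that a pending secondary site is stuck on key exchange rather than something else, the two symptoms described above can be checked from PowerShell on the parent site server. This is an added example, not code from the original post or from Microsoft; the function names, the sample lines and the log location in the closing comment are assumptions, and only the two message texts and the receive folder path come from the post.

```powershell
# Added example. Counts the key-exchange failures quoted in the post, per sending site.
function Get-KeyExchangeFailure {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $LogLine
    )
    # Both messages from the post end with the sending site's three-character code.
    $patterns = @(
        'Cannot find a public key for instruction .+ incoming from site (?<site>\w{3}), retry it later',
        'Cannot find valid public key for key exchange instruction coming from site (?<site>\w{3})'
    )
    $hits = foreach ($line in $LogLine) {
        foreach ($p in $patterns) {
            if ($line -match $p) {
                [pscustomobject]@{ Site = $Matches['site'].ToUpper(); Line = $line }
                break   # one hit per log line is enough
            }
        }
    }
    $hits | Group-Object Site | ForEach-Object {
        [pscustomobject]@{ Site = $_.Name; Failures = $_.Count }
    }
}

# Reports how many files are queued in the despooler receive folder.
function Get-ReceiveBacklog {
    param([Parameter(Mandatory)] [string] $InstallDir)
    $receive = Join-Path $InstallDir 'inboxes\despoolr.box\receive'
    if (-not (Test-Path $receive)) { return $null }
    $files = @(Get-ChildItem -Path $receive -File)
    [pscustomobject]@{
        Path      = $receive
        FileCount = $files.Count
        Oldest    = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    }
}

# Constructed sample input: the two messages from the post plus one unrelated line.
$sample = @(
    'Cannot find a public key for instruction C:\SMS\inboxes\despoolr.box\receive incoming from site S01, retry it later',
    'Cannot find valid public key for key exchange instruction coming from site S01',
    'Unrelated despooler entry (constructed)'
)
Get-KeyExchangeFailure -LogLine $sample     # one row: Site S01, Failures 2

# On a real parent site (log path is an assumption, adjust to your install):
# Get-KeyExchangeFailure -LogLine (Get-Content 'C:\SMS\Logs\Despool.log')
# Get-ReceiveBacklog -InstallDir 'C:\SMS'
```

A failure count that keeps rising for one site code while the receive folder's file count grows matches the pattern described in the post. That points to a manual key exchange with Preinst.exe, which keeps the secure key exchange setting enabled.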
