Windows Registry Disclaimer:
Quest does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft Article ID 256986 “Description of the Microsoft Windows registry” at Microsoft Support.
The Agent registry will need to be refreshed to a clean state:
1) Open the registry editor (regedit) on the Agent machine
2) Stop the Agent service in services.msc
3) Export the registry configuration
3a) Take note of the AgentID key and make a copy of the AgentID GUID
4) Delete the Agent key under AppRecovery
5) Start the Agent service and refresh regedit
6) Stop the Agent service
7) Modify the AgentID key with the AgentID that was collected earlier.
8) Start the Agent service and protect it to the Core
Verify that the "Network security: Restrict NTLM: Incoming NTLM Traffic" is not set to "Deny." By default it is set to "Allow all," but some security requirements and group policies may set it to "Deny." If it is set to Deny the Agent and the Core cannot communicate to establish the relationship with the certificates. After the Agent is paired to Core, the setting can be placed back to Deny. After flipping it between Allow and Deny, be sure to open a cmd prompt as Administrator and execute a gpupdate /force.