Pull Server reports Invalid Registration Key

I’ve been struggling with this for days. I’ll attach all my configuration scripts below, but the basic gist seems to be that the pull client gets an “unauthorized” response back from the server (401), and in the DSC PULL SERVER’s log I get the error “An invalid registration key was provided during registration.”

I googled that error and came up with absolutely nothing, very disheartening.

One thing I can tell you is that the contents of my registrationkeys.txt and my client’s dsc config are IDENTICAL. So I’m hoping the error is not actually related to that.

Pull Server config (used the widely available sample) - Server 2012 R2

$guid = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# =================================== Section Pull Server =================================== #
configuration xDscWebServiceRegistration
{
    param
    (
        [string[]]$NodeName = 'localhost',

        [string] $certificateThumbPrint,

        [Parameter(HelpMessage='This should be a string with enough entropy (randomness) to protect the registration of clients to the pull server.  We will use new GUID by default.')]
        [string] $RegistrationKey   # A guid that clients use to initiate conversation with pull server
    )

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration

    Node $NodeName
    {
        # Windows feature that provides the DSC pull service
        WindowsFeature DSCServiceFeature
        {
            Ensure = "Present"
            Name   = "DSC-Service"
        }

        # IIS endpoint for the pull server
        xDscWebService PSDSCPullServer
        {
            Ensure                  = "Present"
            EndpointName            = "PSDSCPullServer"
            Port                    = 8080
            PhysicalPath            = "$env:SystemDrive\inetpub\PSDSCPullServer"
            CertificateThumbPrint   = $certificateThumbPrint
            ModulePath              = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath       = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State                   = "Started"
            DependsOn               = "[WindowsFeature]DSCServiceFeature"
            RegistrationKeyPath     = "$env:PROGRAMFILES\WindowsPowerShell\DscService"
            AcceptSelfSignedCertificates = $true
            Enable32BitAppOnWin64   = $false
            UseSecurityBestPractices= $false
        }

        # File in RegistrationKeyPath that holds the shared registration key
        File RegistrationKeyFile
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
            Contents        = $RegistrationKey
        }
    }
}

# Sample use (please change values of parameters according to your scenario):
# $thumbprint = (New-SelfSignedCertificate -Subject "TestPullServer").Thumbprint
# $registrationkey = [guid]::NewGuid()
# Sample_xDscWebServiceRegistration -RegistrationKey $registrationkey -certificateThumbPrint $thumbprint

# =================================== Section Pull Server =================================== #

#uncomment line below to 
xDscWebServiceRegistration -certificateThumbPrint $cert -RegistrationKey $guid

client config - Also from sample - Windows 10 1709
There’s a mof on the server (localhost

$regkey = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"

# Attribute required for a meta-configuration (Settings / ConfigurationRepositoryWeb blocks)
[DSCLocalConfigurationManager()]
Configuration LCM_Pull {

    Node localhost {
        Settings {
            ConfigurationMode = 'ApplyAndAutoCorrect'
            RefreshMode = 'Pull'
        }

        ConfigurationRepositoryWeb PullServer {
            ServerURL = 'https://myserver.contoso.blah:8080/PsDscPullserver.svc'
            CertificateID = $thumbprint
            AllowUnsecureConnection = $false
            RegistrationKey = $regkey
            ConfigurationNames = @('Win10Client')
        }

        ResourceRepositoryWeb PullServerModules {
            ServerURL = 'https://myserver.contoso.blah:8080/PsDscPullserver.svc'
            AllowUnsecureConnection = $false
            #RegistrationKey = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
        }
    }
}

# Compile the meta-configuration (writes .\LCM_Pull\localhost.meta.mof), then apply it
LCM_Pull
Set-DscLocalConfigurationManager -path .\LCM_Pull -Verbose

I know it’s a no-no, but have you tried an HTTP pull server setup first? I ran across this about a year ago and I think it had something to do with the certs. I had to add the domain root cert in the DSC node’s cert repository before it would work properly.
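
The question states that RegistrationKeys.txt and the client's RegistrationKey are identical. As an added example (not code from this thread), the PowerShell below compares the two as raw text and reports length, whether each value parses as a GUID, and any characters outside printable ASCII, which a visual comparison does not show. The function names and both sample keys are constructed for illustration; the file path in the comment is the one from the posted server configuration.

```powershell
# Added example. Function names and the two sample keys are constructed for illustration.
function Get-KeyTextReport {
    param([AllowEmptyString()][string] $Text, [string] $Source)
    $parsed = [guid]::Empty
    # Anything outside printable ASCII: spaces, tabs, zero-width or direction marks.
    $odd = @($Text.ToCharArray() |
        Where-Object { [int]$_ -lt 0x21 -or [int]$_ -gt 0x7E } |
        ForEach-Object { 'U+{0:X4}' -f [int]$_ })
    [pscustomobject]@{
        Source     = $Source
        Length     = $Text.Length
        IsGuid     = [guid]::TryParse($Text, [ref]$parsed)   # informational: the posted keys are GUIDs
        OddChars   = $odd -join ','
        Normalized = $Text.Trim().ToLowerInvariant()
    }
}

function Compare-RegistrationKey {
    param([string] $ClientKey, [string[]] $ServerKeys)
    $client = Get-KeyTextReport -Text $ClientKey -Source 'client RegistrationKey'
    $n = 0
    $server = @(foreach ($line in $ServerKeys) {
        $n++
        Get-KeyTextReport -Text $line -Source "RegistrationKeys.txt line $n"
    })
    [pscustomobject]@{
        # Character-for-character equality with at least one line of the file
        ExactMatch      = $ServerKeys -ccontains $ClientKey
        # Equality after trimming whitespace and ignoring case; if this is True
        # while ExactMatch is False, the difference is whitespace or letter case
        NormalizedMatch = $server.Normalized -contains $client.Normalized
        Details         = @($client) + $server
    }
}

# Constructed sample: the client key carries a trailing U+200E (left-to-right mark).
$serverKeys = @('11111111-2222-3333-4444-555555555555')
$clientKey  = '11111111-2222-3333-4444-555555555555' + [char]0x200E
# On the pull server, read the real file instead (path from the configuration above):
# $serverKeys = Get-Content "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"

$result = Compare-RegistrationKey -ClientKey $clientKey -ServerKeys $serverKeys
"ExactMatch=$($result.ExactMatch) NormalizedMatch=$($result.NormalizedMatch)"
$result.Details | Format-Table Source, Length, IsGuid, OddChars -AutoSize
```

Pass the client value exactly as it appears in the script that builds the meta-configuration, not a retyped copy, so that any stray character survives into the comparison.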