Friday, June 22, 2018

SCCM 'Client certificate' value set to 'None': the cause can be a rights problem

Today a client asked me why his SCCM client was not working and showed "Client certificate" as None instead of Self-signed.

When it is a certificate problem, the first thing to do is check the client logs, mainly the "CertificateMaintenance.log" file.

As you can see, there are not many logs on this computer.

Now open CertificateMaintenance.log.

We can see a lot of errors:

Creating Signing Certificate...
Failed to create certificate 8009000f
CCMDoCertificateMaintenance() failed (0x8009000f).
Raising pending event:
instance of CCM_ServiceHost_CertificateOperationsFailure
{
    DateTime = "20180622091556.352000+000";
    HRESULT = "0x8009000f";
    ProcessID = 7796;
    ThreadID = 2276;
};
CCMDoCertificateMaintenance() raised CCM_ServiceHost_CertificateOperationsFailure status event.



I know that there are a lot of articles about this problem. I will not reinvent the wheel, and an internet search quickly found me the same problem: https://teknikewl.wordpress.com/2013/08/05/client-fails-to-create-certificate/ or http://www.itreliable.com/wp/sccm-client-certificate-none-issue/
I had already resolved this problem before, but this time I am writing an explanation for everyone.

As the screenshots show, there is a difference between the normal MachineKeys permissions below

and the permissions on the computer with certificate problems. Everyone and Administrators apply to "This folder only", but user MYUSER has "This folder, subfolders and files".


We can see on the file C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\19c5cf9... that there is a difference too: ONLY user MYUSER has rights.

The problem is that you SHOULD have rights for SYSTEM, as below, to permit the local system to read the certificate file.
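
The same check without clicking through each file's Security tab, as an added example that is not part of the original post: a read-only PowerShell audit that lists the files in MachineKeys whose ACL has no Allow entry giving SYSTEM read access. It assumes the default folder path shown above and an elevated prompt; the function and variable names are illustrative.

```powershell
# Added example (not from the original post): read-only audit of MachineKeys ACLs.
# Assumes the default key store path; run from an elevated PowerShell prompt.
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# SYSTEM is matched by its well-known SID so the check works on any OS language.
$systemSid = 'S-1-5-18'
$readMask  = [System.Security.AccessControl.FileSystemRights]::Read

function Test-SystemCanRead {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    # Explicit and inherited entries, with trustees returned as SIDs.
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $systemSid -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $readMask) -eq $readMask) {
            return $true
        }
    }
    return $false
}

$files  = Get-ChildItem -LiteralPath $keyDir -Force | Where-Object { -not $_.PSIsContainer }
$report = foreach ($file in $files) {
    try {
        $acl = Get-Acl -Path $file.FullName -ErrorAction Stop
        $ok  = Test-SystemCanRead -Acl $acl
        $who = ($acl.Access | ForEach-Object { $_.IdentityReference.Value } |
                Select-Object -Unique) -join ', '
    } catch {
        # A key file locked down to a single user can refuse even an ACL read.
        $ok  = $false
        $who = "ACL unreadable: $($_.Exception.Message)"
    }
    if (-not $ok) {
        New-Object PSObject -Property @{
            File = $file.Name; LastWrite = $file.LastWriteTime; Trustees = $who
        }
    }
}

# Files listed here are the ones to compare against a healthy client.
$report | Sort-Object LastWrite | Format-Table File, LastWrite, Trustees -AutoSize
```

The script only tests Allow entries for SYSTEM and changes nothing; a file reported as "ACL unreadable" is one where even the administrator running the script has no rights.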