Old clients won't switch from Self-Signed Certs to PKI.

Greetings.

I am wondering if anyone can give me advice on a problem I am having with some of my SCCM clients.

When I originally deployed SCCM I used self-signed certs on clients.

We needed to add Mac and Linux support, and Mac clients won't work without PKI, so I followed this http://technet.microsoft.com/en-us/library/gg682023.aspx to configure a Certificate Authority.

It all seemed to work well: I can now join Mac clients with auto-enroll, all machines are requesting client certificates, and I had a couple of machines with a new push on the Windows side installed with PKI.

So right now I have about 250 Windows clients; only 22 of them use PKI and the rest keep using self-signed certs.

I foolishly switched the main site settings, MP settings and DP settings to use HTTPS only.

As a result I lost all self-signed clients and have a full mpcontrol log saying that it's rejecting clients because their certificate cannot be validated.

I logged in to a couple of those machines, and in MMC I can see that it did enroll the machine with a valid client cert, but the Configuration Manager client itself still says that it's using the self-signed one.

Am I missing a step that I need to do to make sure that all those clients switch to PKI?

August 2nd, 2013 1:42pm

I believe you will need to redeploy the client to those systems to switch them to PKI. Is PKI properly being deployed for new clients?
August 2nd, 2013 3:12pm

It is. But how can I redeploy them?

I was under the impression auto push won't reinstall them. If I do a deployment, it seems to reuse the existing configuration and still use self-signed on old machines.

How can I verify that it does push clients to machines that already have it correctly and that they start using the new config and not reuse the old one?

I even tried removing the client from a couple of machines to see if it gets pushed again to them with the proper config, and those machines don't seem to get the client, but they used to get it fine before. I keep getting new machines being added to the domain and they get the client pushed to them, but anything that had the client with self-signed doesn't seem to be happy.
August 2nd, 2013 5:48pm

What certs are under mmc\certificates\personal\certificates?

I had a similar problem. We had to remove all the certs from the Personal folder, then re-run the GPO for auto-enrolment.
August 2nd, 2013 6:29pm

This is what's weird: it shows only one certificate with the Client Authentication purpose, and that's the correct PKI-issued certificate.

There is obviously the root CA cert there as well.

Nothing else.


August 2nd, 2013 10:04pm

What about removing the client from one of the machines, then removing the device completely from SCCM and rediscovering it? Just to see if any new machines will be PKI, or continue to self-sign.
August 6th, 2013 3:02pm

Did you ever get this resolved? I am seeing the same issue where I am at. The weird thing is, when I re-install the client it downloads the installation over https: and then shortly after the install it can find the MP list. About half of the 20 clients I am testing have had no problem switching on their own, and the other half are stuck trying to use http. I have tried re-installing the client; some have worked but most have not.
September 25th, 2013 5:58pm

My end solution for this was deploying a one-time script to all stuck machines that uninstalled the SCCM client from them completely, and then pushing it again later on.

It seems that attempting to reinstall over the top had no effect.

  • Marked as answer by fs2307 Tuesday, September 30, 2014 11:06 PM
September 30th, 2014 11:06pm

One could use the SCCM Client Action Tool from http://sccmcat.codeplex.com/

as per: http://www.scconfigmgr.com/2012/11/12/force-a-client-re-registration-in-configmgr-2012/

SMS certificates do not show in the MMC snap-in, as they are in:

SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\SMS\Certificates

OR

SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates


August 23rd, 2015 3:13pm
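The accepted answer (uninstall the client completely, then install it again) and the last reply (the self-signed SMS certificates live in the SystemCertificates\SMS registry store, not in the Personal store you see in MMC) fit together into one remediation script. The following is an added PowerShell example, not code from the thread or from any Microsoft tool; it checks that a PKI client-authentication certificate is actually present, uninstalls the client, clears the SMS store so the old self-signed certificates cannot be picked back up, and reinstalls with `/UsePKICert`. The site code, MP FQDN and client source share are placeholders you must replace; `/uninstall`, `/UsePKICert`, `/mp`, `SMSSITECODE` and `RESETKEYINFORMATION` are standard ccmsetup.exe parameters.

```powershell
<#
  Added example (not part of the original thread). Run elevated on a stuck client.
  Placeholders (assumptions): $SiteCode, $MpFqdn, $CcmSetupSource.
#>
param(
    [string]$SiteCode       = 'P01',                                  # placeholder site code
    [string]$MpFqdn         = 'mp01.corp.example',                    # placeholder MP FQDN
    [string]$CcmSetupSource = '\\sccm01.corp.example\SMS_P01\Client'  # placeholder client source
)

$ErrorActionPreference = 'Stop'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-SmsStoreCertificates {
    # The SMS store is backed by the registry keys quoted in the thread; the
    # certificate provider exposes the same store as Cert:\LocalMachine\SMS.
    Get-ChildItem -Path 'Cert:\LocalMachine\SMS' -ErrorAction SilentlyContinue
}

function Test-PkiClientCertificate {
    # A usable PKI client cert: machine Personal store, not self-signed,
    # Client Authentication EKU, private key present, currently valid.
    $now = Get-Date
    $certs = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object {
        $_.Issuer -ne $_.Subject -and
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
    }
    return [bool]$certs
}

function Wait-CcmSetup {
    # ccmsetup.exe re-launches itself and the first process exits early; poll
    # until no ccmsetup process is left before moving on.
    while (Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 15 }
}

# 1. Record what the client currently holds and confirm PKI is actually available.
Write-Host 'SMS store before:'
Get-SmsStoreCertificates | Select-Object Subject, Issuer, Thumbprint | Format-Table -AutoSize

if (-not (Test-PkiClientCertificate)) {
    throw 'No valid PKI client-authentication certificate in LocalMachine\My; fix auto-enrolment first.'
}

# 2. Uninstall completely (reinstalling over the top did nothing for the poster).
$localSetup = Join-Path $env:windir 'ccmsetup\ccmsetup.exe'
if (Test-Path $localSetup) {
    Start-Process -FilePath $localSetup -ArgumentList '/uninstall' -Wait
    Wait-CcmSetup
}

# 3. Clear the self-signed SMS certificates from the registry-backed store the
#    last reply points at (both the native and the Wow6432Node paths).
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\SMS\Certificates') {
    if (Test-Path $root) {
        Get-ChildItem -Path $root | Remove-Item -Recurse -Force
    }
}

# 4. Reinstall, requesting a PKI certificate and discarding the stale client identity.
$setupArgs = @(
    '/UsePKICert',
    "/mp:$MpFqdn",
    "SMSSITECODE=$SiteCode",
    'RESETKEYINFORMATION=TRUE'
)
Start-Process -FilePath (Join-Path $CcmSetupSource 'ccmsetup.exe') -ArgumentList $setupArgs
Wait-CcmSetup

# 5. Verify: compare the SMS store with the 'before' listing and read the tail of
#    ClientIDManagerStartup.log, which records the certificate the client selected.
Write-Host 'SMS store after:'
Get-SmsStoreCertificates | Select-Object Subject, Issuer, Thumbprint | Format-Table -AutoSize
Get-Content -Path (Join-Path $env:windir 'CCM\Logs\ClientIDManagerStartup.log') -Tail 20
```

The precheck matters because the poster's MP was already HTTPS-only: once the client is uninstalled, a machine with no valid client-auth certificate cannot talk to the site at all, so the script refuses to proceed unless the Personal store holds one. Clearing the SMS store before the reinstall is what distinguishes this from the "reinstall over the top" that the thread reports as having no effect.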
