SCCM 2012 R2 SP1 - Machines being imaged given same GUID as previous imaged machine

Environment:

Server 2012 R2

SCCM 2012 R2 SP1.

I had a requirement a long time ago to use a wildcard certificate for SSL for SCCM clients.  After realizing that the thumbprint was being used to identify the machine, we stopped using HTTPS and reverted the entire environment back to HTTP traffic.

I image a machine (embedded, Enterprise, doesn't matter) and it shows up in the SCCM console.  I image two machines at the same time, and the first machine shows up, but once the second machine finishes and attempts to register, the SCCM Server gives it the GUID from the previous imaged machine, resulting in only one of the two machines showing up.

I can solve this on its own by making the first machine re-register easily enough, but once this hits production this solution will not be very good as it's time intensive.  And if I do re-register the first machine, once I attempt a re-image, the issue comes back.

The reference image was built by SCCM.  I've made sure that the client is disabled and all the certificates and smscfg.ini are gone before capturing.  But still this issue comes back.

Any ideas?

May 28th, 2015 4:58pm

Hi,

I have seen many cases with the same issue as yours, even when they delete all the certificates and the SMSCFG.ini file. I recommend you deploy clients the normal way.

You could have a look at Peter Hewson's comment in the following blog.

Prepare ConfigMgr client for Sysprep or Master Image

Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Best Regards,

Joyce

May 29th, 2015 12:27am

Yup.  We are deploying them the normal way, considering normal is running CCMSetup.exe and letting AD handle all of the other settings.

Installing isn't the problem.  It's registration.  During provisioning, ClientIDManager doesn't do anything, it can't.  It's only after provisioning and after installation that I'm having the problem.

So I created a ticket.  I have a lot of it answered already, just gotta figure out where the machine gets its information to populate the ClientState.dat file.
June 8th, 2015 11:50am

Got with support.  They created a SQL query to delete the stored identity in the DB.

What happened was I was forced to use a wildcard workstation authentication certificate and HTTPS for SCCM Clients.  Since the site's in HTTPS mode, the client will look in the computer store for a valid certificate, take its thumbprint, and send it over to the site server for authentication.  The site server takes the thumbprint, along with the client's HardwareID, and associates the two.

Since I had only one certificate for a bunch of machines, all the Hardware IDs got associated to the one thumbprint, tricking the site server into thinking that they were all the same box.  Even reimaging didn't fix this, or forcing a re-registration.  The client would communicate to the site server, and the site server would restore the identity.

The SQL query I was given is as follows.  I do not recommend using it without support, as modifying the DB puts you into unsupported territory.

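DECLARE @Name VARCHAR(25)
SET @Name = 'MACHINE_NAME'
-- Delete the dependent rows first: these subqueries look the machine up in SYSTEM_DISC, so its row must still exist at this point.
DELETE FROM ClientKeyData WHERE SMSID IN (SELECT SMS_Unique_Identifier0 FROM SYSTEM_DISC WHERE Name0 = @Name)
DELETE FROM MachineIdGroupXRef WHERE MachineID IN (SELECT ItemKey FROM SYSTEM_DISC WHERE Name0 = @Name)
DELETE FROM ImportedMachineIdentity WHERE ItemKey IN (SELECT ItemKey FROM SYSTEM_DISC WHERE Name0 = @Name)
-- This table is keyed by name, so it does not depend on the order.
DELETE FROM System_AUX_Info WHERE Netbios_Name0 = @Name
-- Delete the discovery record last, once nothing else needs to look it up.
DELETE FROM SYSTEM_DISC WHERE Name0 = @Name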

  • Marked as answer by ThomH 13 hours 40 minutes ago
June 9th, 2015 2:08pm
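
The root cause described in the answer above (one certificate thumbprint presented by many machines) can be checked for before a site is switched to HTTPS. The following is an added example, not code from the thread or from Microsoft support; the function names are hypothetical and the sample inventory is constructed.

```powershell
# Added example; function names are hypothetical, sample records are constructed.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ClientAuthCertificate {
    # Run on a client: certificates in the computer store usable for client authentication.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid } |
        ForEach-Object {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                # A wildcard name means the certificate was not issued per machine.
                Wildcard   = ($_.Subject -match 'CN=\*\.') -or
                             [bool]($_.DnsNameList.Unicode -match '^\*\.')
            }
        }
}

function Find-SharedThumbprint {
    # Input: records collected from many clients.
    # Output: one object per thumbprint that appears on more than one computer.
    param([Parameter(Mandatory = $true)][object[]]$Record)
    $Record | Group-Object -Property Thumbprint | ForEach-Object {
        $computers = @($_.Group.Computer | Sort-Object -Unique)
        if ($computers.Count -gt 1) {
            [pscustomobject]@{
                Thumbprint = $_.Name
                Subject    = $_.Group[0].Subject
                Computers  = $computers
            }
        }
    }
}

# Constructed sample inventory (placeholder thumbprints, not real values).
$inventory = @(
    [pscustomobject]@{ Computer = 'PC-01'; Thumbprint = 'AAAA1111'; Subject = 'CN=*.example.test' }
    [pscustomobject]@{ Computer = 'PC-02'; Thumbprint = 'AAAA1111'; Subject = 'CN=*.example.test' }
    [pscustomobject]@{ Computer = 'PC-03'; Thumbprint = 'BBBB2222'; Subject = 'CN=PC-03.example.test' }
)

# Reports AAAA1111 as shared by PC-01 and PC-02; PC-03 has its own certificate.
Find-SharedThumbprint -Record $inventory | Format-List
```

Any thumbprint this reports would be associated with several Hardware IDs at registration, which is the condition the answer describes.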
