SCCM Client certificate
Recently we upgraded our SCCM server and it seems that the clients need the new certificate for it to deploy packages. Although I was able to run a repair on the client to get a new certificate in SCCM, a lot of PCs are not getting them. There are too many clients to do them manually. I can run the CCMSETUP.EXE SMSSITECODE=*** RESETKEYINFORMATION=TRUE and it seems to fix the issue. I was planning on using Scriptlogic to run the batch file with the command mentioned; however, I was wondering if there is any way to identify which PCs have the bad certificate so I can use Scriptlogic to target just those PCs. Thanks.
November 16th, 2010 7:06am

"it seems that the clients need the new certificate for it to deploy packages." That's not the default behavior. Applying a SP usually does not change anything with those certs.
November 16th, 2010 7:29am

The upgrade became such a nightmare we put a call in with Microsoft. That's where I was told they needed the updated certificate....
November 16th, 2010 7:55am

How are you sure a new certificate is necessary? Did you check the certificates on the machine to verify they are missing/wrong/expired? As Torsten mentioned, upgrading clients will not affect the certificate stores. It might be that the client has an issue and never renewed its client. By reinstalling the client you might have fixed an underlying problem.
http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
November 16th, 2010 7:56am

All I can think of is that Steve didn't do a normal upgrade. That they did a side-by-side without parenting/childing; in that case, yes, RESETKEYINFORMATION=TRUE would be necessary on the clients for them to pick up the new cert from the new hierarchy. Regardless of the underlying cause of the problem, to me the answer is simple. You need to upgrade those clients from SP1 to SP2 anyway. So you will be running ccmsetup.exe anyway. So... big deal... add RESETKEYINFORMATION=TRUE to your SP2 installation routine and reinstall on all your clients. It can't hurt, and according to you, Steve, fixes the issue. So no big deal.
Standardize. Simplify. Automate.
November 16th, 2010 8:05am

Matthew - that is what the tech at Microsoft said. Once we updated it to retrieve the new certificate, then the package deployed to the PC without issue. Sherry - we tried doing the upgrade ourselves here and ran into problems, thus we had help with Microsoft. They walked us through it step by step. The RESETKEYINFORMATION=TRUE fixed the issue. I wish I could identify which ones didn't update.
November 16th, 2010 12:43pm

What do we have to work with? If a known 'bad' client, one that needs to get a new cert... what can it do from a Configmgr point of view? Does it still get policies from the MP? Does it still send up hinv, sinv, heartbeat? Does it run DCM baselines? If the client can do "something", especially DCM and Hinv... I could see potentially modifying Matt's routine: http://www.sccm-tools.com/tools/vbscript/vbscript-certificates.html to use a DCM-based vbscript instead of an advertisement-based vbscript. Note I said potentially... I can see it as possibly working when I think of it in my head. But reality may not match my dreams. :-)
Standardize. Simplify. Automate.
November 16th, 2010 1:25pm

I have used the Resetkeyinformation before. Here is how and why I used it: http://sms-hints-tricks.blogspot.com/2009/01/configmgr-advanced-client-encountered.html
http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
November 16th, 2010 2:07pm

This topic is archived. No further replies will be accepted.
