Certificate Verification

[rrasco]

I am troubleshooting an issue with some client machines with the client agent are appearing in the device list as 'No' under the client column.

 

Checking the ClientIDManagerSetup.log I see this:

[RegTask] - Server rejected registration request: 3 ClientIDManagerStartup 12/5/2012 1:04:01 PM 9500 (0x251C)

 

Researching this, possible causes are incorrectly configured boundaries or certificate issues. I tried scouring the logs on SCCM to find a specific error why the registration is being rejected, but I couldn't find anything related.

 

I believe my boundaries are configured correctly, I have two in a boundary group, an AD boundary along with an IP range for my client machines.

 

The next step in my process is to verify the certificates on the client machines. Looking at the cert manager on the client machines, I don't see an SMS folder or any certs related to SCCM. I do see this key with two entries in the registry though. My question is, how can I verify the certificates are correct and not expired for SCCM?

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates

[rrasco]

I found the certificates. I may be showing my greenness with certs (never could get my head wrapped around them) but I had to load the computer account certs in MMC. Running certmgr.msc only gives you user certs.

 

My certs for SMS are indeed expired. Deleting them now and then I need to figure out how to repair the client.

[rrasco]

I re-ran the client installation. Looks like it added new certs, but those are still expired. Original ones I deleted had a expiration of 10/26/12. The ones that were just issued expire on 11/11/12. Why would it issue an old cert?

[rrasco]

The certs on the SCCM server also have the 10/26/12 expiration date. Is that normal?

[rrasco]

Never mind about the certificate. They are not expired, expiration is 2112 not 2012. Oops. Client still won't register though.

 

Anyone know what log I can look at on SCCM to help pinpoint the issue?

[Rocket Man]

Have your systems in SCCM console got your site code?? They should have this regardless whether or not they have the client installed.....if not then this is indication that your boundaries are not setup correctly!!

 

Is it only some clients that are getting stuck in provisioning mode?

 

You can run these 2 reg enteries on a couple of machines via the command prompt and then restart them to see if it fixes your problem

 

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\CcmExec /v ProvisioningMode /t REG_SZ /d false /f

 

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\CcmExec /v SystemTaskExcludes /t REG_SZ /d "" /f

 

Rocket Man

[rrasco]

Have your systems in SCCM console got your site code?? They should have this regardless whether or not they have the client installed.....if not then this is indication that your boundaries are not setup correctly!!

 

Is it only some clients that are getting stuck in provisioning mode?

 

You can run these 2 reg enteries on a couple of machines via the command prompt and then restart them to see if it fixes your problem

 

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\CcmExec /v ProvisioningMode /t REG_SZ /d false /f

 

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\CcmExec /v SystemTaskExcludes /t REG_SZ /d "" /f

 

Rocket Man

 

Devices do have a site code in the console. Does this mean my boundaries are setup correct?

 

I am only testing this on a few machines. I had one machine push out correctly, including EndPoint; automatically. I have two other machines I cannot get to auto-install the client. It is worth noting, I had to push-install the client on these machines. It did not install the client on discovery.

 

I will work on those suggestions. Takes me forever to reboot my machine so I'll get to that shortly.