SCCM 2012 R2 CU5 - Duplicate GUID on clients

    Question

  • SCCM 2012 R2 CU5 - Duplicate GUID on clients

    Environment: SCCM 2012 R2 CU5, OS: Windows 2008 R2, Clients: Windows 7 SP1

    I'm having some serious issues with duplicate GUIDs. After a new OSD of Windows 7 the Configuration Manager client has a unique identifier, as confirmed in C:\Windows\SMSCFG.INI on the client; after another reboot the client's GUID changes to a common GUID. We have around 30 clients with this common GUID now; of course these cannot be managed correctly.

    I have used the various scripts to change the GUIDs so they are unique, but they reset back shortly after. It seems the GUID is stored somewhere on the clients or in the SQL CM_DB. I've tried uninstalling the client and removing the SMSCFG.ini completely, but whatever I do they always seem to end up on the same GUID.

    Any help is appreciated!


    • Edited by Hutchnet Wednesday, May 13, 2015 8:16 AM
    Wednesday, May 13, 2015 8:15 AM

Answers

  • Hi

    After a lot of troubleshooting I logged a call with Microsoft. The conclusion was that for some reason the reference image was the culprit, even though we checked and it did not have a config agent installed; after recreation of the reference image new clients have unique GUIDs. The fix for already affected clients is a complete rebuild! But this was just our case; if your issue is not image related you should be able to do the following:

    Stop the CCMEXEC service

    Rename c:\windows\SMSCFG.INI

    Delete the SCCM certs; at a command prompt run: certutil -delstore SMS SMS

    Start the service

    If all new 2012 builds have the issue you should consider recreating your base image/build.

    Cheers

    • Marked as answer by Hutchnet Tuesday, August 25, 2015 1:15 PM
    Tuesday, June 16, 2015 9:33 AM

All replies

  • Did you clean up the certificates? If this is not done correctly, all pcs will share the same smsid.

    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    Wednesday, May 13, 2015 9:40 AM
    Moderator
  • I have tried so many different scripts, are you referring to below command?

    certutil -delstore SMS SMS

    I have been trying to use the info from here but it's for SMS, https://technet.microsoft.com/en-us/library/cc917513.aspx

    Wednesday, May 13, 2015 9:45 AM
  • I don't understand why a new OSD would receive an already used duplicate GUID. We don't install the config client on the build, just simply use the capture boot disk to deal with sysprep and imaging to .wim
    Wednesday, May 13, 2015 9:47 AM
  • Check your existing captured image to see if the certificates are already within the image.

    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    Wednesday, May 13, 2015 10:17 AM
    Moderator
  • I normally manually delete the two certificates.

    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    Wednesday, May 13, 2015 10:18 AM
    Moderator
  • Where exactly do you delete the certs from, when I run:

    certutil -delstore SMS SMS

    No results are found, so looks like no certs on the system.

    Wednesday, May 13, 2015 10:24 AM
  • I checked that on the reference image, unless they are within the captured WIM
    Wednesday, May 13, 2015 10:25 AM
  • You can run a PowerShell command to remove the certs

    Remove-Item -Path HKLM:\Software\Microsoft\SystemCertificates\SMS\Certificates\* -Force 


    Cheers Paul |

    Wednesday, May 13, 2015 10:27 AM
  • Ok, so now I am trying the below:

    del c:\windows\SMSCFG.ini
    net stop "SMS Agent Host"
    cscript.exe newguid.vbs
    Remove-Item -Path HKLM:\Software\Microsoft\SystemCertificates\SMS\Certificates\* -Force
    certutil -delstore SMS SMS
    net start "SMS Agent Host"

    (Newguid.vbs creates a unique GUID in the SMSCFG.ini file; full script is below.)

    ' Newguid.vbs: replace %WinDir%\SMSCFG.ini with a file holding a freshly generated GUID
    On Error Resume Next
    Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject")
    Dim objShell: Set objShell = CreateObject("WScript.Shell")
    Dim TypeLib: Set TypeLib = CreateObject("Scriptlet.TypeLib")
    strWinDir = objShell.ExpandEnvironmentStrings("%WinDir%")
    strSMSCFGPath = strWinDir & "\SMSCFG.ini"
    ' Generate a new GUID and strip the surrounding braces
    strGUID = Left(Trim(TypeLib.guid),38)
    strGUID = Replace(strGUID,"{","")
    strGUID = Replace(strGUID,"}","")
    ' Remove any backup left by a previous run
    If objFSO.FileExists(strWinDir & "\SMSCFG.ini.old") Then
        result = objFSO.DeleteFile(strWinDir & "\SMSCFG.ini.old", True)
    End If
    ' Keep the current file as SMSCFG.ini.old
    If objFSO.FileExists(strSMSCFGPath) Then
        Set objFile = objFSO.GetFile(strSMSCFGPath)
        objFile.Name = "SMSCFG.ini.old"
        Set objFile = Nothing
    End If
    ' Write the new file (2 = ForWriting, True = create if missing)
    Set objSMSCFG = objFSO.OpenTextFile(strSMSCFGPath, 2, True)
    objSMSCFG.WriteLine "[Configuration - Client Properties]"
    objSMSCFG.WriteLine "SMS Unique Identifier=GUID:" & UCase(strGUID)
    objSMSCFG.Close
    Set objSMSCFG = Nothing
    Set objFSO = Nothing
    Set TypeLib = Nothing
    ' The exit code is the last error number (0 on success)
    WScript.Quit(Err.Number)

    Wednesday, May 13, 2015 10:32 AM
  • Literally 10 seconds after the SMSAgent service starts it reverts back to the duplicate guid....
    Wednesday, May 13, 2015 10:33 AM
  • How is your original WIM created? Are you using a build and capture or imaging technology? Is the WIM sysprepped?

    Cheers Paul |

    Wednesday, May 13, 2015 10:38 AM
  • A VM is created manually and tweaked accordingly then we run the SCCM capture media which syspreps and creates the WIM. We always use this method, have only had issues with our latest capture.
    • Edited by Hutchnet Wednesday, May 13, 2015 10:41 AM
    Wednesday, May 13, 2015 10:41 AM
  • I'd regress the change and try again. You shouldn't have to do any of this in your circumstance.

    Cheers Paul |

    Wednesday, May 13, 2015 10:49 AM
  • What do you mean by regress the change?
    Wednesday, May 13, 2015 10:51 AM
  • Go back to your VM that was working and update that one again.

    Cheers Paul |

    Wednesday, May 13, 2015 10:53 AM
  • Ok so you think the VM is the issue, that's completely doable to regress. However, I have 30+ clients that do not have unique GUID's, I also need to remediate those.
    Wednesday, May 13, 2015 10:55 AM
  • Re-install the client on those devices.

    Cheers Paul |

    Wednesday, May 13, 2015 10:55 AM
  • I've tried removing and reinstalling, they still get the same GUID
    Wednesday, May 13, 2015 10:59 AM
  • All that is required to generate a new GUID is to delete the certs. Have you opened the certificates MMC snap-in for the local computer and checked the certs manually in the SMS store? Are there other client auth certs in the Personal store for the local computer?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, May 13, 2015 12:26 PM
  • Agreed Jason. 


    Hutchnet - Are these physical or VDI devices?

    Cheers Paul |



    Wednesday, May 13, 2015 12:44 PM
  • Physical laptops/computers.

    Removing the certs and restarting the services seems to have no effect on the GUIDs

    Wednesday, May 13, 2015 12:45 PM
  • I had some success with the below, the client was active in the DB and client installed status was 'yes' with a new GUID.

    del c:\windows\SMSCFG.ini
    net stop "SMS Agent Host"
    CCMSetup.exe /mp:SCCMSERVER /logon SMSSITECODE=XXX
    cscript.exe newguid.vbs
    Remove-Item -Path HKLM:\Software\Microsoft\SystemCertificates\SMS\Certificates\* -Force
    certutil -delstore SMS SMS
    CCMSetup.exe /mp:SCCMSERVER /logon SMSSITECODE=XXX
    net start "SMS Agent Host"

    However, I then attempted on another client, and now the new client also has the new GUID from the last successful one, and now that client is no longer in the DB as active and has a client status as 'no'.
    Wednesday, May 13, 2015 12:53 PM
  • First, as mentioned, it's not just the cert in the SMS store that you have to worry about. Thus, have you actually examined the Personal store?

    Next, the client appearing in the console or DB is jumping way ahead in the process and could be indicative of many other things. You need to be checking the GUID on the client itself as reported by the control panel applet or in WMI.

    Last, why are you using /logon? That stops the process if the client already exists meaning that running it the second time in the script above does nothing.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, May 13, 2015 1:13 PM
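
The checks asked for in the reply above (the GUID as the client itself reports it, and the certificates in both the SMS and Personal stores) can be collected in one read-only pass and compared across machines. This is an added example, not code from any participant in the thread; the function names and the \\server\share path are hypothetical, and it assumes the CCM_Client class in root\ccm exposes ClientId and that the SMS store is reachable as Cert:\LocalMachine\SMS.

```powershell
# Added example (not from the thread). Read-only; run elevated. PowerShell 2.0 compatible.

function Get-SmsCfgGuid {
    # Value of "SMS Unique Identifier" in SMSCFG.ini, or $null if the file/line is missing.
    param([string]$Path = (Join-Path $env:WinDir 'SMSCFG.ini'))
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $hit = Select-String -Path $Path -Pattern '^SMS Unique Identifier=(.+)$' |
        Select-Object -First 1
    if ($hit) { return $hit.Matches[0].Groups[1].Value.Trim() }
    return $null
}

function Get-StoreThumbprints {
    # Sorted, ';'-joined thumbprints of one LocalMachine store ('' if empty or missing).
    param([string]$Store)
    $certs = @(Get-ChildItem -Path "Cert:\LocalMachine\$Store" -ErrorAction SilentlyContinue)
    return (($certs | ForEach-Object { $_.Thumbprint } | Sort-Object) -join ';')
}

function Get-CcmClientIdentity {
    # GUID as stored in the file and as the running agent reports it in WMI,
    # plus the certificates a cloned image could have carried along.
    $wmi = Get-WmiObject -Namespace 'root\ccm' -Class CCM_Client -ErrorAction SilentlyContinue
    $wmiGuid = $null
    if ($wmi) { $wmiGuid = $wmi.ClientId }
    New-Object PSObject -Property @{
        ComputerName        = $env:COMPUTERNAME
        IniGuid             = Get-SmsCfgGuid
        WmiGuid             = $wmiGuid
        SmsStoreThumbprints = Get-StoreThumbprints 'SMS'
        PersonalThumbprints = Get-StoreThumbprints 'My'
    }
}

function Find-SharedIdentity {
    # Given snapshots from several machines, report every GUID or certificate set
    # that more than one computer presents.
    param([Parameter(Mandatory = $true)][object[]]$Snapshot)
    foreach ($field in 'IniGuid', 'WmiGuid', 'SmsStoreThumbprints', 'PersonalThumbprints') {
        $Snapshot | Where-Object { $_.$field } | Group-Object -Property $field |
            Where-Object { $_.Count -gt 1 } | ForEach-Object {
                New-Object PSObject -Property @{
                    Field     = $field
                    Value     = $_.Name
                    Computers = ($_.Group | ForEach-Object { $_.ComputerName }) -join ', '
                }
            }
    }
}

# On each client (placeholder share):
#   Get-CcmClientIdentity | Export-Csv "\\server\share\$env:COMPUTERNAME.csv" -NoTypeInformation
# On the admin workstation:
#   Find-SharedIdentity (Get-ChildItem \\server\share\*.csv | ForEach-Object { Import-Csv $_.FullName })
```

A row with Field = PersonalThumbprints or SmsStoreThumbprints means the machines share a certificate, not just a GUID, which points at the image rather than at the site database.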
  • First, as mentioned, it's not just the cert in the SMS store that you have to worry about. Thus, have you actually examined the Personal store?

    Next, the client appearing in the console or DB is jumping way ahead in the process and could be indicative of many other things. You need to be checking the GUID on the client itself as reported by the control panel applet or in WMI.

    Last, why are you using /logon? That stops the process if the client already exists meaning that running it the second time in the script above does nothing.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Yes I checked the personal store, no certs in there at all. Also cleared the SMS store using the commands above.

    The GUID on the client is the same as what's in the console, I checked the SMSCFG.ini file on the local machine.

    My bad, I actually cut and pasted the script in use incorrectly when editing out the server name etc.; below is what is in use. The /logon would not have mattered in that scenario:

    del c:\windows\SMSCFG.ini
    net stop "SMS Agent Host"
    CCMSetup.exe /uninstall
    cscript.exe newguid.vbs
    Remove-Item -Path HKLM:\Software\Microsoft\SystemCertificates\SMS\Certificates\* -Force
    certutil -delstore SMS SMS
    CCMSetup.exe /mp:SCCMSERVER /logon SMSSITECODE=XXX


    • Edited by Hutchnet Wednesday, May 13, 2015 1:42 PM
    Wednesday, May 13, 2015 1:41 PM
  • It's time to open a ticket with Microsoft Customer Support Services then as there's something else going on here causing this. There is a missing, hidden, or unknown variable here that is difficult or impossible to find via a forum thread. Combined with the fact that the SMS GUID generation algorithm is not publicly documented, there's almost no way for us to know where to go from here.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, May 13, 2015 1:53 PM
  • It's time to open a ticket with Microsoft Customer Support Services then as there's something else going on here causing this. There is a missing, hidden, or unknown variable here that is difficult or impossible to find via a forum thread. Combined with the fact that the SMS GUID generation algorithm is not publicly documented, there's almost no way for us to know where to go from here.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    I think you might be right, I've done some testing on a manually built Windows 7 box (No OSD via SCCM) and the following successfully creates new GUIDS as long as the client object is deleted from the console.

    net stop "SMS Agent Host"
    del c:\windows\SMSCFG.ini
    certutil -delstore SMS SMS
    net start "SMS Agent Host"

    However if the client object is not deleted from the database then it will pick the one that relates to that object from the database.

    When the same is done on one of our images (Built using OSD and same image) it reverts back to the common GUID.

    Wednesday, May 13, 2015 2:56 PM
  • The above makes me think that somewhere either on the client or in the database is an entry where the GUID is coming from.
    Wednesday, May 13, 2015 2:57 PM
  • So, if you delete the corresponding resource from ConfigMgr, then stop the agent, delete the certs, and restart the agent, does this generate a new GUID?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, May 13, 2015 2:58 PM
  • So, if you delete the corresponding resource from ConfigMgr, then stop the agent, delete the certs, and restart the agent, does this generate a new GUID?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Correct, this works fine on a client that has been built manually with a Windows 7 disk.

    However, it does not work on the image we are using for OSD, or any of the clients that have been built using that same image and task sequence.

    Wednesday, May 13, 2015 3:00 PM
  • To correct the above statement: if all clients with duplicate GUIDs are removed from the console, the script does work and creates a new GUID, and the object then appears in the console fine. However, if the script is run on another client built from the same image, it takes the same GUID and boots the first one out...
    Wednesday, May 13, 2015 3:39 PM
  • Is your reference system you create the image from ever joined to AD?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, May 13, 2015 3:42 PM
  • Is your reference system you create the image from ever joined to AD?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    No, it's a purpose-built Windows 7 build for creating a reference image.
    Wednesday, May 13, 2015 3:48 PM
  • This is one of many reasons I use MDT for build and capture.  No SCCM Client ever touches my reference WIM so never a worry.  Sorry to inject here.  :-)
    Wednesday, May 13, 2015 4:29 PM
  • This is one of many reasons I use MDT for build and capture.  No SCCM Client ever touches my reference WIM so never a worry.  Sorry to inject here.  :-)
    Thanks for the input, however the cause of this issue is still unknown, the method for capture is supported.
    Thursday, May 14, 2015 7:20 AM
  • I've never had this issue running a build and capture with ConfigMgr.

    Cheers Paul |

    Thursday, May 14, 2015 9:03 AM
  • I've never had this issue running a build and capture with ConfigMgr.

    Cheers Paul |


    Ditto, I've never had this issue using the capture media.
    Thursday, May 14, 2015 9:04 AM
  • Is anyone aware of a way of deleting duplicates from SQL? The below query highlights a number of duplicates:

    select * from v_GS_System inner join v_HS_System on v_HS_System.ResourceID = v_GS_System.ResourceID where v_GS_System.Name0 <> v_HS_System.Name0

    Thursday, May 14, 2015 9:06 AM
  • As mentioned, it's time to open a case with Microsoft CSS. Messing with SQL directly is unsupported and could cause all kinds of havoc because of the many triggers, relationships, etc. happening behind the scenes.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thursday, May 14, 2015 1:10 PM
  • As mentioned, it's time to open a case with Microsoft CSS. Messing with SQL directly is unsupported and could cause all kinds of havoc because of the many triggers, relationships, etc. happening behind the scenes.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    OK thanks, appreciate your effort.
    Thursday, May 14, 2015 1:28 PM
  • Hutchnet, did you already find a solution for this problem? I have the exact same issue with 4 of my Windows 2012 servers.
    Tuesday, June 16, 2015 9:26 AM
  • Hi

    After a lot of troubleshooting I logged a call with Microsoft. The conclusion was that for some reason the reference image was the culprit, even though we checked and it did not have a config agent installed; after recreation of the reference image new clients have unique GUIDs. The fix for already affected clients is a complete rebuild! But this was just our case; if your issue is not image related you should be able to do the following:

    Stop the CCMEXEC service

    Rename c:\windows\SMSCFG.INI

    Delete the SCCM certs; at a command prompt run: certutil -delstore SMS SMS

    Start the service

    If all new 2012 builds have the issue you should consider recreating your base image/build.

    Cheers

    • Marked as answer by Hutchnet Tuesday, August 25, 2015 1:15 PM
    Tuesday, June 16, 2015 9:33 AM
  • Hi Hutchnet,

    The problem servers were installed long before we had implemented SCCM in our organization. I don't know what image they used to install these servers, but I think that is the problem. We don't have any troubles with our other 350 servers.

    The trick to remove the .ini and certificates does not resolve the problem, so I will start to rebuild the servers.

    Thanks for your help,

    Marcel

    Tuesday, June 16, 2015 10:28 AM
  • Yes if they weren't sysprep'd properly that could be the problem, good luck!
    Tuesday, June 16, 2015 10:33 AM
  • This seems to be the same issue that I am having. I also talked with Jason about this in another thread. Did you by chance use VMware for the base image?  

    This is my scenario.

    Initial build was a standalone 2008r2 server with hyper-v. I used a windows 7 hyper-v as the base machine with all applications installed (did not install sccm). I used MDT to capture the image from the hyper-V machine and deployed the image from the 2008 r2 server using WDS. Those machines were then rolled into the domain and then the sccm client was pushed to them. They are working just fine.

    We then set up a small DHCP scope on the network and I moved the image files from the standalone machine to the main network on a 2012 server using MDT and WDS. I needed to make a change to the image and I used a VMware windows 7 VM to make the changes and then captured the image just like the 2008 r2 server using sysprep. That VMware image was the same except for just adding a license key or something else minor. I deployed the image to a few machines and it looked like all was good and that SCCM was working correctly, but it wasn't. The GUIDs were the same, deleting and recreating the .ini file seemed to gen a new guid but after a refresh the new .ini would revert back to a GUID that was in use. I also noticed that the SID when checking the properties in SCCM showed -500 for all machines that had the duplicate guid issue which is the local admin account.

    So if you used VMware to create the image, that may be the issue, but I am not sure why or where the issue is. Rebuilding the machines over again sucks, but it's something that may be the only fix. I have used VMware to create windows 7 images before and no issue until this network.


    Duplicate GUID Query#1

    select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client
    from SMS_R_System
    join SMS_GH_System_System on SMS_R_System.ResourceID = SMS_GH_System_System.ResourceID
    where SMS_R_System.Name <> SMS_GH_System_System.Name

    Duplicate GUID Query#2

    select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client
    from SMS_R_System
    join SMS_G_System_System on SMS_R_System.ResourceID = SMS_G_System_System.ResourceID
    where SMS_R_System.Name <> SMS_G_System_System.Name

    Duplicate GUID Query#3

    select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client
    from SMS_R_System
    where SMS_R_System.ResourceID in (
        select SMS_GH_System_System.ResourceID
        from SMS_G_System_System
        join SMS_GH_System_System on SMS_G_System_System.ResourceID = SMS_GH_System_System.ResourceID
        where SMS_G_System_System.Name <> SMS_GH_System_System.Name)


    I added the above query into SCCM and found two machines that show when query 3 is run. Does anyone know what the difference is between Q3 and Q1-Q2? I know that one machine that is shown from Q3 is a good working machine and the other is a machine that isn't working correctly. The CMUID/GUIDs are different.


    • Edited by Wright54 Friday, July 10, 2015 3:03 PM
    Friday, July 10, 2015 2:27 PM
  • the following successfully creates new GUIDS as long as the client object is deleted from the console.

    net stop "SMS Agent Host"
    del c:\windows\SMSCFG.ini
    certutil -delstore SMS SMS
    net start "SMS Agent Host"

    This works as long as the client object that is deleted is an ACTIVE object. That is, the machine client object name must show Client YES. 


    • Edited by tmac3931 Friday, September 4, 2015 8:17 PM
    Friday, September 4, 2015 8:14 PM
  • One of the reasons for this issue may be the same certificate in the computer certificate store (mmc -> Certificates\Computer account Personal\Certificates).
    Just remove it and re-generate the GUID:

    net stop "SMS Agent Host"
    del c:\windows\SMSCFG.ini
    certutil -delstore SMS SMS
    net start "SMS Agent Host"




    Wednesday, February 24, 2016 5:19 PM
  • "SMS Agent Host" is a localized (English) name : ))

    net stop CcmExec
    del c:\windows\SMSCFG.ini
    certutil -delstore SMS SMS
    net start CcmExec

    Tuesday, April 5, 2016 2:15 PM
  • Thank you for clarifying.  This process only works if you also delete the computer objects from the SCCM console. In addition, I believe the deletion should be done before restarting the SMS Agent Host.  Thanks again!
    Tuesday, August 9, 2016 3:42 PM
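
The reset sequence as refined over the posts above (service addressed by its name CcmExec, SMSCFG.ini renamed rather than deleted, certutil with an ASCII hyphen), followed by a check for the revert behaviour reported earlier in the thread. This is an added example, not code from any participant; the function names, the 120-second watch window and the status strings are assumptions, and the client's object is assumed to have been deleted from the console before it is run.

```powershell
# Added example (not from the thread). Run elevated on the affected client,
# after its object has been deleted from the ConfigMgr console.

function Read-SmsGuid {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $hit = Select-String -Path $Path -Pattern '^SMS Unique Identifier=(.+)$' |
        Select-Object -First 1
    if ($hit) { return $hit.Matches[0].Groups[1].Value.Trim() }
    return $null
}

function Reset-CcmClientGuid {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$WatchSeconds = 120,   # how long to watch for a revert (assumed value)
        [int]$PollSeconds  = 5
    )
    $ErrorActionPreference = 'Stop'
    $ini    = Join-Path $env:WinDir 'SMSCFG.ini'
    $before = Read-SmsGuid $ini
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Reset ConfigMgr client GUID')) { return }

    Stop-Service -Name CcmExec -Force            # service name, not the localized display name
    if (Test-Path -LiteralPath $ini) {
        # Rename instead of delete so the old identity can still be inspected.
        $stamp = Get-Date -Format 'yyyyMMddHHmmss'
        Move-Item -LiteralPath $ini -Destination "$ini.$stamp.old"
    }
    & certutil.exe -delstore SMS SMS | Out-Null  # same command as in the thread
    Start-Service -Name CcmExec

    # Sample for the whole window: the thread reports a fresh GUID being
    # replaced by the duplicate seconds after the agent starts.
    $seen  = @()
    $after = $null
    $deadline = (Get-Date).AddSeconds($WatchSeconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        $now = Read-SmsGuid $ini
        if ($now) {
            $after = $now
            if ($seen -notcontains $now) { $seen += $now }
        }
    }

    if (-not $after)             { $status = 'NoGuidWritten' }
    elseif ($after -eq $before)  { $status = 'RevertedToOldGuid' }
    elseif ($seen.Count -gt 1)   { $status = 'ChangedMoreThanOnce' }
    else                         { $status = 'Changed' }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Before       = $before
        After        = $after
        GuidsSeen    = $seen -join ', '
        Status       = $status
    }
}

# Dry run first:  Reset-CcmClientGuid -WhatIf
```

A Status of RevertedToOldGuid or ChangedMoreThanOnce matches the image-related case described in the marked answer, where the thread's conclusion was to rebuild from a recreated reference image.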
  • We ran into this same problem.  For some reason, our imaging process wasn't updating the computer's personal certificate.  The certificate showing was for the master image, not the new image.  This was further exacerbated because we had HTTPS communication with PKI turned on for Site.

    So, we turned off HTTPS and PKI for the Site, stopped the SMS Agent Host on the workstation and deleted the old SMSCFG.ini file, then restarted the SMS Agent Host service. The new SMSCFG.ini file had a new GUID, whereas this process had produced a duplicate GUID on previous attempts.  After a couple of hours, all was good with the workstation and SCCM.


    • Edited by Roni Ho Wednesday, June 14, 2017 4:46 PM
    Wednesday, June 14, 2017 4:45 PM
  • Hello Hutchnet,

    I have tried the same procedure; however, after restarting the SMS Agent Host, the client shows the duplicate entry again. Has anybody found a solution for this?


    Amit Singh |Project Consultant (System center)

    Wednesday, February 7, 2018 11:56 AM
  • How did you come to conclude the below?

    What do we need to check to conclude the below statement? That will help me in providing the root cause. Please let me know.

    " I logged a call with Microsoft, the conclusion was that for some reason the reference image was the culprit even though we checked and it did not have a config agent installed, after recreation of the reference image new clients have unique GUID's.  "



    Amit Singh |Project Consultant (System center)

    Wednesday, February 7, 2018 11:58 AM