none
"AD / SYSVOL version mismatch" causing Certificate Autoenrollment from working in Win8.1?

    Question

  • I am working in our first 8.1 image and I noticed right away that I'm not getting my Personal certs from our CA. Our Win7 clients are fine. Running gpresult on the 8.1 VM states that there are "special alerts" on the GPOs due to a version mismatch. This issue is addressed here: https://support.microsoft.com/en-us/kb/2866345 The article reads as though this means these GPOs were filtered out, but this is not clear in the gpresult reports. Has anyone else had this issue? Did the update rollup fix the issue? Any gotchas? Thanks!
    • Moved by Joyce L Monday, June 01, 2015 6:14 AM move
    Saturday, May 30, 2015 5:50 PM

Answers

  • Alright, so I discovered that Windows Update wasn't working either, due to being stuck in OOBE mode. When I strip down the BUILD TS entirely, I get my certs and Windows Updates no problem, so I think there is an issue with one of the many apps in our BUILD TS that Win8.1 is more intolerant of than Win7. Yay trial & error! Thanks for the help Martin.
    • Marked as answer by JackalAR Wednesday, June 03, 2015 7:06 PM
    Tuesday, June 02, 2015 8:25 PM

All replies

  • > the GPOs due to a version mismatch. This issue is addressed here:
     
    Safely ignore it. This is an "internal" logic error in the GP RSoP engine.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, June 01, 2015 9:19 AM
  • Thanks for the info, but regardless, these policies don't seem to be applying. Apparently our CA is 2008 R2, and our AD schema level <=2003. Is this a symptom of regression in Windows 8.1 in function ProcessGPO where I should try the gpsvc debug logging workaround? ...or maybe we just need to make a copy of the GPOs and edit them on a Win8.1 box?

    ETA: certutil /pulse pulls the certs down no problem. We also don't seem to have any issues with our OOB Surface Pros either 8.0 upgraded to 8.1 or the 8.1 OOB models, just on our SCCM BUILD TS VM client. Obviously we don't yet have an image to push out, but I hope to soon.

    • Edited by JackalAR Monday, June 01, 2015 2:46 PM
    Monday, June 01, 2015 2:03 PM
  • > Thanks for the info, but regardless, these policies don't seem to be
     
    Hm, ok then it might be an issue... On a machine with that error, can
    you open up GPMC and check the GPO version numbers? Chances are that
    sysvol isn't properly replicating - to find out, simply check NTFRS/DFSR
    Eventlogs on all DCs.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, June 01, 2015 3:32 PM
  • Alright, so I discovered that Windows Update wasn't working either, due to being stuck in OOBE mode. When I strip down the BUILD TS entirely, I get my certs and Windows Updates no problem, so I think there is an issue with one of the many apps in our BUILD TS that Win8.1 is more intolerant of than Win7. Yay trial & error! Thanks for the help Martin.
    • Marked as answer by JackalAR Wednesday, June 03, 2015 7:06 PM
    Tuesday, June 02, 2015 8:25 PM