Windows 10 Build 1803 unable to request Enterprise CA computer certificates

  • Hi,

    I've also just created a case for this: 118050918152001

    Since the new build (1803) was installed on previous Windows 10 1709 machines, we are unable to request Certificates from our Enterprise Certificate Authority.
    A user on the same system is able to do so, however as the local computer, we cannot request new certificates. The MMC.exe shows no templates available, all are access denied.

    I've cross-checked on completely separate, freshly installed (from ISO) machines: installing a Server 2016 domain controller, promoting it to a new forest and domain, installing and creating a CA and joining a Windows 10 build 1709 machine to it. This 1709 machine was correctly able to request a new Machine certificate, no problems.
    Then upgrading the 1709 machine to 1803, I am no longer able to request a new computer certificate. Problem is as described above.
    Also tested to install a fresh copy of windows 10 build 1803 and joining it to the new domain, same issues.

    There are a number of things we have tried, however, no apparent errors in the application or system logs on the client or the CA. No errors/warnings on the CA. Also, no communication between the client and the CA server when the mmc snap-in is determining which templates are available (which is to be expected, because the information is stored in the CertificateTemplateCache key in the registry on the client itself).

    My guess is that there is a bug in the determination on ACLs on the templates and the SID/security identifier of the local system/ad computer account...

    Haven't found anyone posting the same issues, but I think the problem will be widespread and duly noticed as I was able to confirm the issues in a clean testing environment...

    Anyone with any insights?

    -Bart

    Wednesday, May 9, 2018 1:14 PM

All replies

  • We have the exact same issue. We have an older CA, so it's interesting that even a Server 2016 CA did not make any difference.

    -ji

    Wednesday, May 9, 2018 1:32 PM
  • We are in the same boat. The problem just arose and we haven't had time to investigate it. We saw some freaking errors in the event log related to DCOM and Windows.SecurityCenter.WscBrokerManager - but I'm not sure whether it is related or not.


    Wednesday, May 9, 2018 2:09 PM
  • We've looked into the DCOM errors as well. Resolved them but to no avail..


    Just to clarify, the mmc shows no templates available, when you tick the box for "Show all templates", you see that "You cannot request a certificate at this time because no certificate types are available" and all templates have the error: "You do not have permission to request this type of certificate".

    Already looked into by two engineers from Microsoft, tried various security settings, even giving everyone full control on the CA and the templates, but it still doesn't work as it did previously... (and should).

    • Edited by BartvdO Thursday, May 10, 2018 9:08 PM extra info
    Wednesday, May 9, 2018 2:20 PM
  • Thanks for the heads-up! Another observation is that user certificates can successfully be requested, the culprit is computer certificates.

    Hope to see some development in this case, as it is a bit of a pain for us not being able to get the computer certificates...

    Friday, May 11, 2018 6:55 AM
  • Yes, we saw that as well, to me that indicates that the underlying code for requesting certificates and communication to the CA is ok, just that it has something to do with the computer-credentials or the way they are used in determining the ACLs on the templates...

    It has gone very quiet since yesterday from MS support. So.... I'm guessing they reproduced the problem (very easy in my view) and are hard at work on a fix atm, very curious!

    Friday, May 11, 2018 11:30 PM
  • We have the same issue. Getting a certificate from GPO works fine. But using certreq.exe fails with 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE), and MMC shows no templates. Our CA is Windows Server 2016.
    • Edited by mdahling Saturday, May 12, 2018 10:24 AM
    Saturday, May 12, 2018 10:23 AM
  • Same issue. As a temporary workaround we were able to export the certs from the 1709 build and import them into 1803.

    It's a pain but better this than nothing.

    Monday, May 14, 2018 3:41 PM
  • I've also started implementing a workaround, as MS Support is really letting me down at the moment. They aren't responding to my inquiries on the lab-testing or the current state of the case. All they did was ask if I installed all updates on the systems.... and no answers!

    So, I've made a copy of the Computer/Machine template and modified it in such a way that we are able to supply the subject name in the request. Made one machine able to request these certificates and of course added admin approval. Now I can create a computer certificate by requesting one from the new Template and filling in the custom CN and subject alt name (don't forget the alt name, else it won't work!), also don't forget to tick the "Make private key exportable" option!
    Export the cert+key and import it on the pc that needs the computer cert. Voila... works for now...

    This is actually a relatively quick and easy fix, although I will admit, not so pretty. If you want to use this workaround too, please be aware of the security implications and be vigilant on the security settings and admin approval of this new template..

    Hope this helps!


    • Edited by BartvdO Tuesday, May 15, 2018 11:00 AM typo
    Tuesday, May 15, 2018 10:59 AM
  • We're having the same issue. Since 1803 we can't access the template at all, even with full permissions for both the requesting user and the machine. 
    Wednesday, May 16, 2018 8:25 AM
  • Have you tried using GPO to enroll computer certificates? That works for us with 1803. Only certreq.exe and mmc fail.
    Wednesday, May 16, 2018 10:16 AM
  • Basically - Windows 10 1803 is broken regarding this issue. Like a thousand issues before. I see that there are some workarounds available. It's depressing how many bugs are included in every feature update. I'm very disappointed. Starting from Windows 10 our IT dept. is overloaded finding bugs, fixing bugs, finding workarounds and so on. MS is claiming that Windows 10 is the best OS ever.. from my point of view it's the worst ever.
    Sorry, this post won't help anybody, I just had to write it...


    Thursday, May 17, 2018 7:58 AM
  • Thanks M$! Great service! It seems you don't have any test departments at all.
    Thursday, May 17, 2018 8:50 AM
  • The only way to get the Computer certificate is to use another computer with non-1803 Windows 10 (better Windows Server), export and import on the destination computer.

    You have to change the Computer Template:

    • Edited by Anahaym Friday, May 18, 2018 11:59 AM
    Friday, May 18, 2018 9:47 AM
  • We use GPO to enroll the WiFi certificates and this is broken as well.

    However, for some strange reason, if I log in with a user, then restart the PC, it gets the certificate. If I just restart without having logged in first, nothing happens.

    I haven't been able to figure out why it is so, since it is a Computer Policy and the User part in it is disabled.

    But the fact remains, when a User profile is created it will work the next time policies are run (restart or gpupdate /force). Without a login you can restart the PC 10 times and it still won't work.

    Hope this helps someone with more knowledge than I have.

    Tuesday, May 22, 2018 7:48 AM
  • Case Update:

    Microsoft contacted me yesterday, explaining it is indeed a bug and other customers are also affected.
    They also identified a workaround: Enabling Credential Guard on the Windows 10 1803 box...
    Now that may sound like something you might already want and use, but the implications are not for the ill-prepared... It has quite some hardware and software prerequisites to be able to activate it... And this has to be done on every system that experiences this problem.

    I've tested on one system with Credential Guard and can confirm it indeed resolves the issue for that one system.. however I do believe that my workaround with the custom computer cert template in my previous reply is an easier one from the admin point of view...
    I've also replied that to the support tech on this case, hopefully other customers can also benefit from this workaround...

    All we can now do is hope that they find the problem and quickly release a fix for it.. I've asked to be able to beta-test the fix... Let's see what comes up....

    Tuesday, May 22, 2018 10:51 AM
  • Great news, hope they get around to release the fix soon :)
    Wednesday, May 23, 2018 7:03 AM
  • Case Update:


    All we can now do is hope that they find the problem and quickly release a fix for it.. I've asked to be able to beta-test the fix... Let's see what comes up....

    Well, MS support closed the ticket. They cannot do anything more at this time. They say it is a known issue, they won't even go so far as calling it a bug any longer.

    To quote: "Currently the issue is understood and a request to the windows servicing division has been sent.
    This is a complex issue and this may take some time to process
    "

    So, no KB, no hotfix, nothing... The only two solutions I know of, or rather, workarounds, are the custom template or enabling Credential Guard...

    Hopefully they won't introduce this nice 'feature' in Windows Server 2016 soon... That would certainly stir things up....

    I'll keep a look out on the progress as far as I can.. Don't expect anything from MS support at this point...

    Thursday, May 24, 2018 8:11 AM
  • The workaround from MS works for us. During imaging of computers, we enable Virtualization Technology (VTx) in BIOS, and activate Credential Guard in the registry by setting:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "LsaCfgFlags"=dword:00000002

    Now we can request certificates with certreq.exe or with MMC, so imaging over Wi-Fi with 802.1X works!!!

    Friday, May 25, 2018 9:00 AM
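An added example (not from this thread) that applies the LsaCfgFlags workaround posted above and, after the reboot, verifies that Credential Guard actually came up by reading the Win32_DeviceGuard WMI class rather than trusting the registry value alone. It assumes an elevated PowerShell session and that the OS caption contains "Enterprise" or "Education" on editions that ship Credential Guard.

```powershell
# Added example: set the LsaCfgFlags workaround and verify Credential Guard state.
# Run elevated. Reboot after setting the value, then run again to confirm.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports VBS services configured vs. actually running.
    # Service id 1 in SecurityServicesRunning means Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $flags = (Get-ItemProperty -Path $lsaKey -Name LsaCfgFlags `
                 -ErrorAction SilentlyContinue).LsaCfgFlags
    [pscustomobject]@{
        # 0 = VBS off, 1 = enabled but not running, 2 = running
        VbsStatus           = $dg.VirtualizationBasedSecurityStatus
        CredGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        LsaCfgFlags         = $flags
    }
}

function Enable-CredentialGuardWorkaround {
    # LsaCfgFlags = 2 enables Credential Guard without the UEFI lock (as posted
    # above), so it can be reverted once the real fix is installed.
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    if ($caption -notmatch 'Enterprise|Education') {
        # Assumption: only these editions ship Credential Guard (see the Pro reports above).
        Write-Warning "Credential Guard is not available on '$caption'; use the custom-template workaround instead."
        return $false
    }
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value 2 -Type DWord
    Write-Host 'LsaCfgFlags set to 2. Reboot, then expect CredGuardRunning = True.'
    return $true
}

$state = Get-CredentialGuardState
$state | Format-List
if (-not $state.CredGuardRunning) { Enable-CredentialGuardWorkaround | Out-Null }
```

If CredGuardRunning stays False after the reboot, check that VTx/VT-d and Secure Boot are enabled in firmware before assuming the enrollment failure is unrelated.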
  • Unfortunately, this workaround only works with Win10 Enterprise, but Win 10 Pro does not have Credential Guard!
    Are there any other suggestions?
    Tuesday, May 29, 2018 6:56 AM
  • Indeed that is not available... The only workaround I can think of is the custom CA template. It's a bit more work to set it up and it's (a lot) harder to automate... But it works for all editions of Windows 10...
    Tuesday, May 29, 2018 9:45 AM
  • Hi! i tried this same fix, but the resulting certificates seem to be issued by the supplied CN... same as a self-signed certificate...

    Any clue as to what I might be doing wrong?

    Tuesday, May 29, 2018 1:32 PM
  • Seeing the same issue. Build and capture with SCCM and image. Newly imaged machine will not get config manager cert or wifi cert both through auto-enroll.

    It looked like the fix was to delete HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache and run "certutil -pulse", but that is not working in a task sequence when run as SYSTEM. If I Enter-PSSession to that machine and run it, it will pick up certs.

    Just adding my observations.

    Wednesday, May 30, 2018 3:46 PM
  • I'd like to echo this request, as this is now an issue for our company and all future 1803 rollouts...
    Wednesday, June 6, 2018 8:30 PM
  • We are in the middle of the 1803 rollout and noticed the same thing as well… *sigh*

    Implemented a quick and dirty fix to run certutil -pulse as a startup script.

    Restarted a few classrooms and can confirm that the clients got their certificates during reboot, and started working.



    • Edited by Node M Wednesday, June 27, 2018 8:38 AM typo
    Thursday, June 7, 2018 8:11 AM
  • I used certutil -pulse and it solved my problem.

    So here is my step list

    Generate a request with the following command:

    • certreq -new [RequestInfFile] [RequestFile]

    Send the request to the certificate authority:

    • certreq -config [CAName] -submit [RequestFile] [CertificateFile]

    Get the root certificate from AD:

    • certutil -pulse

    Import the certificate:

    • certreq -machine -accept [CertificateFile]

    • Edited by CNESST_PhilNic Monday, June 11, 2018 3:34 PM Added Step List
    Monday, June 11, 2018 3:06 PM
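The step list above leaves the request INF unspecified; the following added example (not the poster's script) fills it in and runs the four steps in order, stopping at the first failure so a rejected request is never followed by an "accept" of nothing. The CA config string, the template name "Machine" (the built-in Computer template's internal name) and the SAN layout are assumptions to adapt to your environment.

```powershell
# Added example: manual computer-certificate enrollment with certreq/certutil.
# Run elevated on the client that needs the certificate.

$caConfig = 'CA01.corp.example\Corp-Issuing-CA'   # placeholder: take the real value from `certutil -dump`
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$workDir  = Join-Path $env:ProgramData 'CertEnroll'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath  = Join-Path $workDir 'machine.inf'
$reqPath  = Join-Path $workDir 'machine.req'
$cerPath  = Join-Path $workDir 'machine.cer'
Remove-Item $reqPath, $cerPath -ErrorAction SilentlyContinue

# Request INF. MachineKeySet=TRUE stores the key in the computer's key store;
# Exportable=FALSE keeps the private key from leaving this machine (unlike the
# copy-template workaround, nothing here needs to be exported).
@"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = Machine

[Extensions]
2.5.29.17 = "{text}dns=$fqdn"
"@ | Set-Content -Path $infPath -Encoding ASCII

function Invoke-Step([string]$Description, [string[]]$Arguments) {
    # Runs one certreq/certutil command and throws on a non-zero exit code.
    Write-Host "== $Description"
    $tool = $Arguments[0]
    $rest = $Arguments[1..($Arguments.Length - 1)]
    & $tool @rest
    if ($LASTEXITCODE -ne 0) { throw "$Description failed with exit code $LASTEXITCODE" }
}

Invoke-Step 'Create request'        @('certreq.exe', '-new', $infPath, $reqPath)
Invoke-Step 'Submit to CA'          @('certreq.exe', '-config', $caConfig, '-submit', $reqPath, $cerPath)
Invoke-Step 'Refresh AD/root cache' @('certutil.exe', '-pulse')
Invoke-Step 'Install certificate'   @('certreq.exe', '-machine', '-accept', $cerPath)

# Verify: the issued certificate is in the computer's Personal store with its private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```

If the template requires CA manager approval, `-submit` returns a pending request id instead of a certificate; retrieve it later with `certreq -retrieve` once approved.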
  • I used certutil -pulse and it solved my problem as well.

    Just did a script that runs the command + a restart when I start installing programs in the reinstall sequence.

    Works like a charm, ty. :)

    Monday, June 18, 2018 1:15 PM
  • The only way to get the Computer certificate is to use another computer with non-1803 Windows 10 (better Windows Server), export and import on the destination computer.

    You have to change the Computer Template:

    I was able to solve this as well for my environment. It is a tiny one, however, so not a lot of work, just 8 servers and 5 clients. I first made a copy of the Computer Template on the CA and set the Subject Name tab to be provided during the request and marked the key to be exportable. I then re-issued the template to my CA and restarted the CA Service.

    Then I submitted a new request from a pre 1803 server and selected the custom template. Filled in the details for the certificate subject and enrolled. The certificate can then be exported, including the private key and then be imported on the target machine. 

    This seems to work, the only issue I am left with is that the requests to the CA are not recognizable as such in the Issued Certificate view. That is a nuisance. 

    Will this bug need to be fixed in the CA Service or client OS? Can it be fixed at all???

    Regards, Solino


    Tuesday, June 19, 2018 1:35 PM
  • Hey InspectorDK,

     Curious as to where in the task sequence you have implemented this step. Prior to, or after "Setup Windows and Configuration Manager"?

    I was under the impression that group policies were not applied during task sequence processing, therefore the client would not be aware of enrollment policies. So not understanding how pulse would take effect under that circumstance, as those policies as well appear to be a requirement of using the pulse switch with certutil.

    Thanks,
     BT

    Tuesday, June 19, 2018 4:07 PM
  • We are in the middle of the 1803 rollout and noticed the same thing as well… *sigh*

    Implemented a quick and dirty fix to run certutil -pulse as a startup script.

    Restarted a few classrooms and can confirm that the clients got their certificates during reboot, and started working.


    Would you mind detailing how you are accomplishing this? I am in the same boat trying to image labs of computers at a time. Need to somehow get certutil -pulse to run on machines after final reboot of task sequence. Thanks for any help.
    Tuesday, June 19, 2018 4:21 PM
  • SirKoon- Look into the SMSTSPostAction variable as one way to run commands post task sequence (a Google search on "SMSTSPostAction gpupdate" should return you some useful information). You can assign that variable cmd commands and when the task sequence has released, it will run them. This is a way you can run gpupdate post imaging and it may help with this scenario also.

    This may be working for us. 4 out of 4 computers I just imaged with the fix below could connect to wireless on the login screen (prior to this those 4 out of 4 computers could never connect at the login screen). Testing more now, but appears to be a workaround.

    1) Delete this key somewhere in the task sequence (don't know for sure if this is needed, but I have added this for now based on someone's suggestion above): HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache

    2) Add a "Set Task Sequence Variable" task where Task Sequence Variable = SMSTSPostAction and Value = cmd /c gpupdate /force && certutil -pulse && shutdown /r /f /t 5

    After the task sequence finishes, you will be at the login screen for a little bit while GPUpdate runs then certutil -pulse will go fast then restart in 5 seconds.  I think the restart time could be 0.  I just currently have it set for 5 seconds.  Setting SMSTSPostAction could be set anywhere in the task sequence.  I am setting it as the last task.


    • Edited by MelanieQu Saturday, July 21, 2018 2:16 PM Removing last Restart Computer task caused SMSTSPostAction not to run for me so removed text that said I was doing that.
    Thursday, June 21, 2018 4:05 PM
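As an added example (not from this thread), a computer startup script that complements the SMSTSPostAction approach above: it only runs certutil -pulse when the machine has no valid certificate from the expected template, re-checks afterwards, and records each outcome in the Application event log so imaging runs can be audited. The template name "Machine" and the event source name are assumptions.

```powershell
# Added example: conditional certutil -pulse as a computer startup script.
# Runs as SYSTEM via GPO (Computer Configuration > Scripts > Startup).

$TemplateName = 'Machine'                 # placeholder: your computer template's name
$TemplateOid  = '1.3.6.1.4.1.311.21.7'    # szOID_CERTIFICATE_TEMPLATE (v2+ templates)
$LegacyOid    = '1.3.6.1.4.1.311.20.2'    # szOID_ENROLL_CERTTYPE_EXTENSION (v1 templates such as "Machine")
$EventSource  = 'CertPulseStartup'        # assumption: any unused source name works

function Get-TemplateNameFromCert(
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # v1 templates store the bare name; v2 store "Template=Name(OID), Major Version ...".
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $LegacyOid -or $ext.Oid.Value -eq $TemplateOid) {
            $text = $ext.Format($false)
            if ($text -match 'Template=([^\(]+)') { return $Matches[1].Trim() }
            return $text.Trim()
        }
    }
    return $null
}

function Test-HasValidTemplateCert([string]$Name) {
    # "Valid" here: has a private key and is not within 7 days of expiry,
    # so a stale cert from an old image does not suppress re-enrollment.
    $cutoff = (Get-Date).AddDays(7)
    $hits = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $cutoff -and
        (Get-TemplateNameFromCert $_) -eq $Name
    }
    return [bool]$hits
}

function Write-StartupLog([string]$Message, [int]$EventId = 1000) {
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EventId $EventId `
                   -EntryType Information -Message $Message
}

if (Test-HasValidTemplateCert $TemplateName) {
    Write-StartupLog "Certificate from template '$TemplateName' already present; nothing to do."
    return
}

Write-StartupLog "No certificate from template '$TemplateName'; running certutil -pulse."
& certutil.exe -pulse | Out-Null
# Autoenrollment is triggered asynchronously; give it a moment before re-checking.
Start-Sleep -Seconds 30
if (Test-HasValidTemplateCert $TemplateName) {
    Write-StartupLog "Certificate obtained after certutil -pulse." 1001
} else {
    Write-StartupLog "Still no certificate after certutil -pulse; check template permissions and update state." 1002
}
```

Filtering the Application log on the source name gives a per-machine record of which imaged clients needed the pulse and which were still missing the certificate afterwards.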
  • SirKoon- Look into the SMSTSPostAction variable as one way to run commands post task sequence (a Google search on "SMSTSPostAction gpupdate" should return you some useful information). You can assign that variable cmd commands and when the task sequence has released, it will run them. This is a way you can run gpupdate post imaging and it may help with this scenario also.

    This may be working for us. 4 out of 4 computers I just imaged with the fix below could connect to wireless on the login screen (prior to this those 4 out of 4 computers could never connect at the login screen). Testing more now, but appears to be a workaround.

    1) Delete this key somewhere in the task sequence (don't know for sure if this is needed, but I have added this for now based on someone's suggestion above): HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache

    2) Add a "Set Task Sequence Variable" task where Task Sequence Variable = SMSTSPostAction and Value = cmd /c gpupdate /force && certutil -pulse && shutdown /r /f /t 5

    After the task sequence finishes, you will be at the login screen for a little bit while GPUpdate runs then certutil -pulse will go fast then restart in 5 seconds.  I think the restart time could be 0.  I just currently have it set for 5 seconds.  Setting SMSTSPostAction could be set anywhere in the task sequence.  I am setting it as the last task and removing the normal Restart Computer last task.

    Thank you very much for chiming in, that seems to be working after my first test! I was already initiating a reboot with the SMSTSPostaction to get gpupdate to run; wasn't aware you could run multiple commands. FWIW, I did not need to delete the reg key.

    Cheers!

    Thursday, June 21, 2018 9:57 PM
  • MelanieQu,

    Since I only had ONE computer that had updated to 1803 (bypassing my WSUS and all other GPOs, go figure), I tried just the command cmd /c gpupdate /force && certutil -pulse && shutdown on admin CMD and it worked a charm.

    THANKS! 


    • Edited by HammSilv Wednesday, June 27, 2018 7:31 PM
    Wednesday, June 27, 2018 7:30 PM
  • Melanie,
     This worked great, thanks for the detailed fix. I too avoided the registry change and all is well.
    Thursday, June 28, 2018 5:15 PM
  • Hi, but this mean it only works on Windows 10 Enterprise?

    What is with Windows 10 Pro?

    Thanks

    Friday, June 29, 2018 10:49 AM
  • UPDATED: If you have this issue, please make a support case to Microsoft, so that they know how many customers are affected with this issue. Thanks.

    I had the same issue with 1803; for me the LSA registry change didn't help.

    The only thing that helped was enabling the Hyper-V Hypervisor and restarting. After that I can see those machine certificate templates.


    Regards,

    Zeng Yinghua (Sandy)


    Thursday, July 12, 2018 2:57 PM
  • Perfect!  It works pretty well!
    Many thanks Sandy.

    Monday, July 16, 2018 6:33 PM
  • Hi Sandy,

    You are right! It's especially needed for older Windows 10 versions.

    Official documentation tells us to enable Virtualization Based Security (VBS) for Credential Guard, which relies on Hyper-V Hypervisor.

    Additional information:

    Since Windows Version 1607 this is not necessary anymore.

    Add the virtualization-based security features

    Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.

    https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#enable-windows-defender-credential-guard-by-using-the-registry

    best,
    Oliver

    Thursday, July 19, 2018 6:54 AM
  • SMSTSPostAction variable set to do a gpupdate, certutil and restart continues to be a workaround for us for thousands of computers being imaged.  One note though is that above I said that I removed the Restart Computer task that is normally the last task in an OSD task sequence since a restart was happening with the PostAction.  However, if I removed that last restart task, the PostAction would never run in my scenario.  I ended up keeping the last Restart Computer task and then another restart happens as part of the PostAction. I don't know if the PostAction not getting called without the last Restart Computer task is something specific to my task sequence, but I thought I would mention to make sure the PostAction commands are actually happening if you try this as a fix and it doesn't work.

    Saturday, July 21, 2018 2:06 PM
  • We have had a similar issue with WiFi which we utilize a machine certificate to grant access to WiFi.  On a 1803 build, this process does not seem to work the same way as it did in 1709.  We have also seen the same issue in 1709 which can be resolved by GPUpdate /force and a reboot.  On 1803, that does not seem to resolve it during the build process.  If a user logs on right after the build on the wired network, then a certificate is deployed.  With 1803 (option presented in this thread to use CertUtil -pulse) seems to have resolved the issue for us.

    It does need the GPUpdate /force as part of the sequence but that is always happening within the build process.  The addition of the CertUtil -pulse has added the success to the build process.

    Thanks to all who have contributed here.

    Cheers.

    Tuesday, July 24, 2018 7:27 PM
  • Sadly, this issue isn't just Win10 1803. I am trying to build out an 1803 based 2016 core server for a project and I require a certificate. I have created a new template and it requires the Subject name to be supplied by the requester (since it will be the external DNS name instead of the internal name the certificate is for). When I try to run the following command:

    Get-Certificate -Template VPNServers -SubjectName "CN=someprocess1.somedomain.com" -DnsName someprocess1.somedomain.com,someprocess.somedomain.com -CertStoreLocation Cert:\LocalMachine\My

    I get the following error:

    Get-Certificate : CertEnroll::CX509Enrollment::Enroll: You do not have permission to request this type of certificate.: The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422 CERTSRV_E_TEMPLATE_DENIED)

    I can't enable Hyper-V because this is a VM running on Hyper-V. I attempted to delete the registry key, gpupdate /force && certutil -pulse && shutdown /r /t 5 and even tried enabling Credential Guard per the article linked above. None of these are working for me. I am probably going to either dupe the template and make the private key exportable and use that workaround to get the certificate on my server or fall back from 1803 for now.

    Mind you, all of this is being done from command line/PowerShell or using Windows Admin Center (Honolulu) in the case of the registry keys. WAC for Certificates is not helpful because it is greyed out to request (though it would have probably failed anyway). 

    I hope MS gets a patch for this issue out soon. 

    Charles

    Thursday, August 2, 2018 1:40 PM
  • After you enable nested virtualization you can install Hyper-V feature in VM. ;)

    Through the lilac smoke...

    Friday, August 3, 2018 10:49 AM
  • We have this same issue as well. Unfortunately the workaround does not work for us. We are attempting to get this to work on a newly deployed Windows 10 Pro x64 build 1803 image. Does this workaround not work on the Professional version of Windows? Does anyone have any other workarounds to suggest for Windows 10 Pro? Thanks in advance.

    • Edited by 64bitfury Monday, August 13, 2018 6:26 PM
    Friday, August 10, 2018 6:22 PM
  • Well, Microsoft contacted me a few weeks ago and said that they were working on a fix.. without an ETA on when it would be available. The support rep also told me that more and more customers are running into this issue, though we weren't the first one to raise their awareness about it...

    Last week I was contacted again. I was on a holiday at the time, but they said there is a private fix available for testing. I just got back from my holiday and said I am eager to test it!

    Let's see how this goes, I'll update asap...


    • Edited by BartvdO Tuesday, August 14, 2018 11:56 AM
    Tuesday, August 14, 2018 11:55 AM
  • Do you already know if the update worked?

    Developer Paulo Pedro

    Thursday, August 16, 2018 11:37 AM
  • This is how I got it working on Lenovo, HP and DELL laptops:

    1) Start the computer, boot to BIOS and enable Intel VTx technology (all options)

    2) Install Win 10 1803

    3) Install this registry fix:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "LsaCfgFlagsDefault"=dword:00000000
    "LsaCfgFlags"=dword:00000002

    4) Add the certificate through MMC, but be aware that you cannot yet connect your PC to your secure network

    5) Restart the computer and enter the BIOS

    6) Disable Intel VTx technology  (all options)

    7) Restart the computer

    8) Login and connect to your secure network

    Regards

    Søren

    Thursday, August 16, 2018 12:55 PM
  • Well, Microsoft contacted me a few weeks ago and said that they were working on a fix.. without an ETA on when it would be available. The support rep also told me that more and more customers are running into this issue, though we weren't the first one to raise their awareness about it...

    Last week I was contacted again. I was on a holiday at the time, but they said there is a private fix available for testing. I just got back from my holiday and said I am eager to test it!

    Let's see how this goes, I'll update asap...


    Please let us know. I'm eager to get this working.
    Thursday, August 16, 2018 2:52 PM
  • I installed this update KB4343909 and it looks like the issue is fixed.
    Thursday, August 16, 2018 7:21 PM
  • I installed this update KB4343909 and it looks like the issue is fixed.

    It did not work for me
    Wednesday, August 22, 2018 11:03 AM
  • For me it's also not working...

    we are using Windows 10 1803 Pro!

    Wednesday, August 22, 2018 3:07 PM
  • Unfortunately, the microsoft support engineer didn't respond to my email at all. After a week of waiting I tried to contact him, and found he was on a holiday. His technical lead seems to have left MS (access denied on mailbox), his manager was also on leave and the backup manager replied that he would look into it.

    After a day or two they promptly replied: "I am following up on behalf of J.... as he is out of office. The workaround for your issue is to enable Credential Guard.

    I am not aware of Hotfix mentioned by J..... Maybe he was talking about the workaround that I mentioned earlier. J.... will follow up with you if he has found the hotfix. Meanwhile, I am also doing research on it and will let you know the hotfix released for the same."

    So, not much progress at all I'm afraid....
    Monday, August 27, 2018 2:18 PM

  • Microsoft has released a patch to solve the problem. I will test it in the next hours and reply again.

    https://support.microsoft.com/en-us/help/4346783/windows-10-update-kb4346783


    Edit: Now it's working!
    • Edited by AbitGambit Friday, August 31, 2018 6:38 AM
    Tuesday, August 28, 2018 9:29 AM
  • Requests and renewal of certificates are already in order. I did not try any other fixes on this package.
    God protect windows 10 :-)
    Friday, August 31, 2018 6:11 AM
  • I have installed kb4346783 and created a new image for deployment.

    Still not working for me.. I have Windows 10 EDU and PRO

    During installation of Windows 10 with SCCM the computer is added to an AD group for wireless connection.

    This Wireless connection is using a certificate. This certificate is now not deployed.

    It works on 1709 and all previous versions of Windows 10.

    Friday, August 31, 2018 10:39 AM
  • I installed Update KB4346783 in the deployment process with wusa.exe for testing.

    Certificates are correctly deployed

    Friday, August 31, 2018 11:51 AM
  • Update works for me. 
    Friday, August 31, 2018 4:01 PM
  • For me it also seems to be working. At least on Enterprise edition.


    Sunday, September 2, 2018 9:46 AM
  • Yes, Microsoft informed me on friday night that there is a new update that solves the problem, finally:

    https://support.microsoft.com/en-us/help/4346783/windows-10-update-kb4346783

    Addresses an issue that causes computer certificate enrollment or renewal to fail with an "Access denied" error after installing the April 2018 update. This issue occurs when the registry process has a lower process ID (PID) than all other processes except SYSTEM.
    Wednesday, September 5, 2018 8:09 AM
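An added triage script (not from this thread) for the condition the KB text describes: it reports whether the box is build 17134 (1803), whether KB4346783 or a later cumulative update is present, and whether the "Registry" process currently holds a lower PID than everything except System and Idle. Assumptions: the kernel's registry process is listed by Get-Process as "Registry", and the UBR value 254 is taken as the revision KB4346783 ships (check the KB article for your channel).

```powershell
# Added example: is this 1803 machine still exposed to the enrollment bug?

$FixedUbr = 254   # assumption: UBR of the build KB4346783 installs; confirm against the KB page

function Get-EnrollmentFixState {
    $cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build  = [int]$cv.CurrentBuildNumber
    $ubr    = [int]$cv.UBR
    $hotfix = Get-HotFix -Id 'KB4346783' -ErrorAction SilentlyContinue

    # The trigger described in the KB text: the registry process has a lower PID
    # than every other process except SYSTEM.
    $registry  = Get-Process -Name 'Registry' -ErrorAction SilentlyContinue
    $lowerPids = @()
    if ($registry) {
        $lowerPids = @(Get-Process | Where-Object {
            $_.Id -lt $registry.Id -and $_.Name -notin @('Idle', 'System')
        })
    }

    [pscustomobject]@{
        Build               = "$build.$ubr"
        Is1803              = ($build -eq 17134)
        KB4346783Listed     = [bool]$hotfix
        # Later cumulative updates supersede the KB, so also accept a higher UBR.
        FixLevelReached     = ($build -ne 17134) -or ($ubr -ge $FixedUbr)
        RegistryPid         = if ($registry) { $registry.Id } else { $null }
        RegistryIsLowestPid = [bool]($registry -and $lowerPids.Count -eq 0)
    }
}

$state = Get-EnrollmentFixState
$state | Format-List
if ($state.Is1803 -and -not $state.FixLevelReached) {
    Write-Warning 'Build 17134 below the fixed revision: computer certificate enrollment may fail; install the cumulative update or keep a workaround in place.'
}
```

RegistryIsLowestPid being True on an unpatched 1803 box matches the KB's description of when the failure occurs; on a patched box it is expected to be harmless.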
  • Hi,

    I'm struggling with this problem and about to deploy 2500 computers using SCCM and Windows 10 Enterprise 1803.

    I'm using a GPO to create the certificates to enroll computers. This has been working without any problem with Windows 7 and 10 prior to 1803 so there's nothing that doesn't work on this side of the configuration.

    I've tried adding a task to install this patch as soon as possible in my TS but it still doesn't give any result.

    I've tried the SMSTSPostAction variable with the command line cmd /c gpupdate /force && certutil -pulse && shutdown /r /f /t 5 but it also doesn't change anything.

    Can anyone confirm that he has solved this problem using the patch or the SMSTSPostAction variable ?

    At the moment, all I can see is that if you don't open a session on the computer, you'll never see these certificates on the computer. As long as I haven't opened a session, there's no certificate on the computer. Opening a session allows the certificates to be available in the Personal computer store and the computer is seen with a functional SCCM client by the server.

    Thanks for your help  


    • Edited by Tof006 Wednesday, September 12, 2018 6:47 AM
    Wednesday, September 12, 2018 6:44 AM
  • I've the same problem. I install the latest Cumulative Update and no certificate until a session is open on the computer. The client cannot contact the SCCM server until a user is logged on the computer. It's a really annoying problem.
    Thursday, September 13, 2018 5:49 PM

  • Microsoft has released a patch to solve the problem. I will test it in the next hours and reply again.

    https://support.microsoft.com/en-us/help/4346783/windows-10-update-kb4346783


    Edit: Now it's working!
    thanks. it works for me
    Friday, September 14, 2018 10:34 AM
  • I've the same problem. I install the latest Cumulative Update and no certificate until a session is open on the computer. The client cannot contact the SCCM server until a user is logged on the computer. It's a really annoying problem.

    Hi,
    I have tried the followings:

    1) Install the KB4346783 during my TS on a Windows 10 1803 Enterprise: doesn't work. You need to open a session to obtain certificates from the Enterprise CA.

    2) Add September's cumulative update to the WIM: doesn't change anything except preventing me from installing the KB... 

    This morning, I finally found a solution:

    Found this site : https://www.reddit.com/r/SCCM/comments/9687cb/are_you_deploying_windows_10_1803_do_your/
    and the comment from mikeh361 :
    "Nope, I tried that and tried adding a scheduled task that would run 10 minutes after computer start (at the end of a task sequence) that would run certutil -pulse and then force a gpupdate and neither worked. The only thing that worked was putting it in a group policy as a computer startup script."

    So here's what I've done:

    1) Add the SMSTSPostAction that does a shutdown.exe /r /f /t 300
    See here for explanations (https://marconuijens.com/2017/01/20/automatically-rebootrestart-sccm-task-sequence-as-last-step-using-smstspostaction/)

    2) Enabled Credential Guard (still don't know if it's necessary but I don't see any reason not to activate this feature) using this script : http://www.scconfigmgr.com/2016/06/15/enable-credential-guard-in-windows-10-during-osd-with-configmgr/

    3) Created a GPO with that computer startup script (saved as a .cmd file; comments and line breaks added, the trailing ^ continues the one command line):
    rem Schedule IDs: 022 = Machine Policy Evaluation, 021 = Machine Policy Retrieval, 001 = Hardware Inventory
    certutil -pulse && gpupdate /force && ^
    WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000022}" /NOINTERACTIVE && ^
    WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000021}" /NOINTERACTIVE && ^
    WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000001}" /NOINTERACTIVE
    For trigger explanations see here: https://msdn.microsoft.com/en-us/library/jj902739.aspx

    And I can finally say that EVERYTHING is working as expected

    Hope this will help others.

    EDIT: not EVERYTHING works. I still don't manage to get the hardware inventory working... 
    It needs 2 reboots to get the hardware inventory on the SCCM server. I need to understand why and try to improve this.

    I'm going to put the 2 triggers in the SMSTSPostAction section and check if it works.

    • Edited by Tof006 Sunday, September 16, 2018 3:05 PM
    Sunday, September 16, 2018 9:31 AM
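    As an added example, not code from the thread: a PowerShell version of the startup-script step above that covers the same ground as the earlier SMSTSPostAction attempt (gpupdate, certutil -pulse) but verifies the enrollment actually landed in LocalMachine\My before it triggers the ConfigMgr client. The template display name 'Workstation Authentication' and the log path are hypothetical and need adjusting; the ConfigMgr schedule IDs are the ones used in the cmd script above. Deploy it as a GPO computer startup script, since that is the mechanism mikeh361 reports working before first logon.

```powershell
# Added example, not from the thread: GPO computer startup script that pulses autoenrollment,
# waits until the machine certificate is really in LocalMachine\My, refreshes computer policy,
# and only then triggers the ConfigMgr client schedules.
# Assumptions (hypothetical, adjust to your environment):
#   $TemplateName - display name of the machine template the GPO auto-enrolls
#   $LogPath      - where progress is written for troubleshooting the task sequence
param(
    [string]$TemplateName   = 'Workstation Authentication',
    [string]$LogPath        = 'C:\Windows\Temp\StartupEnroll.log',
    [int]   $TimeoutSeconds = 300
)

$ErrorActionPreference = 'Continue'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

# Returns the formatted text of the Certificate Template extension (v1 template-name
# extension 1.3.6.1.4.1.311.20.2 or v2 template-information extension 1.3.6.1.4.1.311.21.7),
# or $null when the certificate carries neither (i.e. it was not issued from a template).
function Get-CertTemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($oid in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') {
        $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false) }
    }
    return $null
}

# True when LocalMachine\My holds an unexpired certificate with a private key issued from
# the template. The v2 extension text only contains the display name when the template is
# known locally, so a substring match is used rather than an exact comparison.
function Test-MachineCertPresent {
    $now = Get-Date
    $match = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and
        ((Get-CertTemplateText -Certificate $_) -like "*$TemplateName*")
    }
    return [bool]$match
}

# 1. Pulse autoenrollment and poll the store until the certificate shows up or we time out.
Write-Log 'Pulsing autoenrollment'
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    & certutil.exe -pulse | Out-Null
    if (Test-MachineCertPresent) { break }
    if ((Get-Date) -gt $deadline) {
        Write-Log "No '$TemplateName' certificate in LocalMachine\My after $TimeoutSeconds s; not triggering ConfigMgr"
        exit 1
    }
    Start-Sleep -Seconds 15
} while ($true)
Write-Log 'Machine certificate present'

# 2. Refresh computer policy so settings that depend on the certificate are applied.
& gpupdate.exe /target:computer /force | Out-Null

# 3. Trigger the ConfigMgr client schedules through CIM (the same SMS_Client.TriggerSchedule
#    method the WMIC calls above use): 021 = Machine Policy Retrieval, 022 = Machine Policy
#    Evaluation, 001 = Hardware Inventory. Skip cleanly if the client is not installed yet.
if (-not (Get-Service -Name CcmExec -ErrorAction SilentlyContinue)) {
    Write-Log 'ConfigMgr client service (CcmExec) not present; nothing to trigger'
    exit 0
}
foreach ($id in '{00000000-0000-0000-0000-000000000021}',
                '{00000000-0000-0000-0000-000000000022}',
                '{00000000-0000-0000-0000-000000000001}') {
    try {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
                         -Arguments @{ sScheduleID = $id } | Out-Null
        Write-Log "Triggered schedule $id"
    } catch {
        Write-Log "Failed to trigger schedule $id : $($_.Exception.Message)"
    }
}
exit 0
```

    The script exits non-zero, and leaves a line in the log, when no certificate appears within the timeout, so a failed enrollment is visible in the deployment rather than masked by a client that tries to register without one. Machine Policy Retrieval is triggered before Machine Policy Evaluation because evaluation acts on whatever policy the retrieval brought down.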
  • In 1809 everything works again, without any tweaks :-)

    Upgrading my images today!

    Friday, October 5, 2018 7:50 AM
  • The problem of the computer certificates not being applied after deploying the OS is not the only problem you will run into. 
    As some of you might know, the client certificate pull request is a task under "Microsoft\Windows\CertificateServicesClient" called "SystemTask". It runs as SYSTEM, has a trigger on startup, and its status after the task sequence finishes is "Queued". 
    After further investigation and much more time spent than necessary, we recognized something: every task which runs under SYSTEM and has a trigger on startup will be queued until a single user logs on. After the logon, every task runs fine at startup, no matter how many times you reboot the device. 

    Microsoft released an update on 26 September, but this did not fix this issue. Under 1809, it seems to be working again. There is another post in the Answers forum here. They are discussing the same issue with the tasks but not specifically the problem with the client certificates (perhaps because they do not use them). 

    This is a really annoying problem for us. We really depend on these certificates, and the pull request with certutil seems not to be working about 40-50% of the time, no matter what we try. 

    Manually stopping and restarting the tasks in the SMSTSPostAction doesn't help because the tasks get queued as well. 

    Monday, October 15, 2018 8:17 AM
  • I see exactly the same issue... all tasks (even a simple task without conditions) are queued by Task Scheduler and not executed before first logon. Restarting the Task Scheduler service does not help. And therefore, AutoEnrollment is also affected. I'm not sure, but I can imagine that the behavior of the Task Scheduler is somehow intended if the setup is currently in the OOBE phase.

    Has someone tried deployment without SCCM (e.g. using a media-installer + autounattend.xml for domain-join)?

    (I'm using OS Build 17134.345 Enterprise Edition -> Latest CU for 1803)

    I haven't seen this issue with Windows 10 1709.

    Tuesday, October 16, 2018 8:58 PM
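    As an added example, not code from the thread: a PowerShell snapshot of what the two posts above describe, meant to be run elevated on an affected 1803 client before any interactive logon (for example under psexec -s or from a remote session). It lists the SYSTEM tasks with a boot trigger that Task Scheduler is holding in the Queued state, the last result of the CertificateServicesClient\SystemTask task, and what is actually in LocalMachine\My. It only observes; as the post above notes, stopping and restarting the tasks does not dequeue them. The cmdlets are the stock ScheduledTasks and CIM ones, nothing ConfigMgr-specific.

```powershell
# Added example, not from the thread: collect the evidence the two posts above describe
# (queued SYSTEM startup tasks, autoenrollment task status, machine certificate store).

# SYSTEM can show up in a task principal by name or by SID, depending on how the task was registered.
$systemIds = @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18')

# Tasks that run as SYSTEM, have a boot trigger, and are still sitting in the Queued state.
function Get-QueuedSystemBootTask {
    Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -in $systemIds -and
        $_.State -eq 'Queued' -and
        @($_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger' }).Count -gt 0
    } | Select-Object TaskPath, TaskName, State
}

# The autoenrollment task the post names; 0x00041303 in LastTaskResult means it has never run.
function Get-AutoenrollTaskStatus {
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' -TaskName 'SystemTask'
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        State          = $task.State
        RunAs          = $task.Principal.UserId
        LastRunTime    = $info.LastRunTime
        LastTaskResult = '0x{0:X8}' -f $info.LastTaskResult
        NextRunTime    = $info.NextRunTime
    }
}

# Everything currently in the machine personal store; an auto-enrolled machine cert has a private key.
function Get-MachineCertSummary {
    Get-ChildItem Cert:\LocalMachine\My |
        Select-Object Thumbprint, Subject, Issuer, NotAfter, HasPrivateKey
}

# Build and hypervisor state, to record alongside the task states when comparing working and
# failing machines (Credential Guard, which an earlier post enables, runs on the hypervisor).
function Get-PlatformSummary {
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    [pscustomobject]@{
        Version           = $os.Version
        Build             = $os.BuildNumber
        HypervisorPresent = $cs.HypervisorPresent
        PartOfDomain      = $cs.PartOfDomain
    }
}

'--- Platform ---'
Get-PlatformSummary | Format-List

'--- SYSTEM tasks with a boot trigger still Queued ---'
$queued = @(Get-QueuedSystemBootTask)
"Count: $($queued.Count)"
$queued | Format-Table -AutoSize

'--- CertificateServicesClient\SystemTask ---'
Get-AutoenrollTaskStatus | Format-List

'--- LocalMachine\My ---'
Get-MachineCertSummary | Format-Table -AutoSize
```

    Run it once before and once after the first interactive logon; on a client showing the behaviour described above, the queued-task count drops to zero and the SystemTask LastRunTime becomes populated only in the second run.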
  • From my support case with MS I have information that patch KB4462933 will fix the certificate issue among other issues and will be released Wednesday, October 24th, 2 PM PST. First it was scheduled for the 18th but was delayed.
    Tuesday, October 23, 2018 7:54 AM
  • Sandy's solution to enable the Hyper-V Hypervisor worked for me on several computers.

    I then uninstalled that Windows feature and was back to being unable to request certs. Reinstalled it and all is good.

    When we image with earlier versions of Win10 we don't have this issue. We can request certs (and Hyper-V is not enabled).

    Thursday, November 1, 2018 9:59 PM