SCCM Client certificate


  • Recently we upgraded our SCCM server and it seems that the clients need the new certificate for it to deploy packages. Although I was able to run a repair on the client to get a new certificate in SCCM, a lot of PCs are not getting them. There are too many clients to do them manually. I can run the CCMSETUP.EXE SMSSITECODE=*** RESETKEYINFORMATION=TRUE and it seems to fix the issue. I was planning on using Scriptlogic to run the batch file with the command mentioned, however, I was wondering if there is any way to identify which PCs have the bad certificate so I can use Scriptlogic to target just those PCs... Thanks.
    Tuesday, November 16, 2010 12:03 PM


All replies

  • it seems that the clients need the new certificate for it to deploy packages.
    That's not the default behavior. Applying a SP usually does not change anything with those certs.
    Tuesday, November 16, 2010 12:25 PM
  • The upgrade became such a nightmare we put a call in with Microsoft.  That's where I was told they needed the updated certificate....
    Tuesday, November 16, 2010 12:52 PM
  • How are you sure a new certificate is necessary? Did you check the certificates on the machine to verify they are missing/wrong/expired.

    As Torsten mentioned, upgrading clients will not affect the certificate stores. It might be that the client has an issue and never renewed its client. By reinstalling the client you might have fixed an underlying problem.
    Tuesday, November 16, 2010 12:53 PM
  • All I can think of is that Steve didn't do a normal upgrade. That they did a side-by-side without parenting/childing; in that case, yes, RESETKEYINFORMATION=TRUE would be necessary on the clients for them to pick up the new cert from the new hierarchy.

    Regardless of the underlying cause of the problem, to me the answer is simple. You need to upgrade those clients from SP1 to SP2 anyway. So you will be running ccmsetup.exe anyway. So... big deal... add RESETKEYINFORMATION=TRUE to your SP2 installation routine and reinstall on all your clients. It can't hurt, and according to you, Steve, fixes the issue. So no big deal.

    Standardize. Simplify. Automate.
    Tuesday, November 16, 2010 1:02 PM
  • Matthew - that is what the tech at Microsoft said. Once we updated it to retrieve the new certificate, then the package deployed to the PC without issue.

    Sherry - we tried doing the upgrade ourselves here and ran into problems, thus we had help with Microsoft. They walked us through it step by step. The RESETKEYINFORMATION=TRUE fixed the issue. I wish I could identify which ones didn't update.

    Tuesday, November 16, 2010 5:42 PM
  • What do we have to work with? If a known 'bad' client, one that needs to get a new cert... what can it do from a Configmgr point of view?

    Does it still get policies from the MP?
    Does it still send up hinv, sinv, heartbeat?
    Does it run DCM baselines?

    If the client can do "something", especially DCM and Hinv... I could see potentially modifying Matt's routine: to use a DCM-based vbscript instead of an advertisement-based vbscript.

    Note I said potentially... I can see it as possibly working when I think of it in my head.  But reality may not match my dreams.  :-)

    Standardize. Simplify. Automate.
    • Marked as answer by Eric Zhang CHN Thursday, November 25, 2010 5:56 AM
    Tuesday, November 16, 2010 6:23 PM
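The question at the top of the thread asks how to find the clients that still carry the old key so only those get the ccmsetup command, and the reply above proposes a DCM-style script check for the same purpose. The script below is an added example written for this page, not code from the thread or from Microsoft. It checks, on a client, the three things you can read without the site's help: the site code the client believes it is assigned to (via the SMS_Client WMI class), whether the client's self-signed certificates in the LocalMachine\SMS store exist and are unexpired, and, optionally, whether the client's trusted root key matches the new hierarchy's key. The expected site code 'NEW', the expected root key, the TrustedRootKey WMI class in root\ccm\locationservices, and the ccmsetup.exe path under %windir%\ccmsetup are all assumptions you must confirm for your own site; the expected root key would be the SMSPublicRootKey value from the new site's mobileclient.tcf.

```powershell
# Added example, not from the original thread.
# Assumptions (placeholders, not from the page): new site code 'NEW',
# expected trusted root key copied from the new site's mobileclient.tcf,
# ccmsetup.exe in %windir%\ccmsetup. Run elevated on the client.
param(
    [string]$ExpectedSiteCode = 'NEW',   # placeholder: replace with your new site code
    [string]$ExpectedRootKey  = '',      # optional: SMSPublicRootKey from new mobileclient.tcf
    [switch]$Remediate                   # re-run ccmsetup with RESETKEYINFORMATION=TRUE
)

function Test-CcmClientKeyState {
    param([string]$SiteCode, [string]$RootKey)

    $problems = @()

    # 1. Which site does the client think it is assigned to?
    try {
        $assigned = (Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' `
                                      -Name 'GetAssignedSite').sSiteCode
    } catch {
        $problems += 'SMS_Client WMI class unavailable (client broken or not installed)'
        $assigned = $null
    }
    if ($assigned -and $assigned -ne $SiteCode) {
        $problems += "Assigned to site '$assigned', expected '$SiteCode'"
    }

    # 2. Does the client still hold a usable self-signed signing/encryption cert?
    $smsCerts = @(Get-ChildItem -Path 'Cert:\LocalMachine\SMS' -ErrorAction SilentlyContinue)
    if ($smsCerts.Count -eq 0) {
        $problems += 'No certificates in the LocalMachine\SMS store'
    } elseif (-not ($smsCerts | Where-Object { $_.NotAfter -gt (Get-Date) })) {
        $problems += 'All certificates in the LocalMachine\SMS store are expired'
    }

    # 3. Optional: compare the trusted root key with the new hierarchy's key.
    #    (Class name is an assumption; verify it on one known-good client first.)
    if ($RootKey) {
        $trk = Get-WmiObject -Namespace 'root\ccm\locationservices' -Class 'TrustedRootKey' `
                             -ErrorAction SilentlyContinue
        if (-not $trk -or $trk.TrustedRootKey -ne $RootKey) {
            $problems += 'Trusted root key does not match the expected site key'
        }
    }

    return $problems
}

$issues = Test-CcmClientKeyState -SiteCode $ExpectedSiteCode -RootKey $ExpectedRootKey

if ($issues.Count -eq 0) {
    # Single-word result so a DCM script setting can compare against it.
    Write-Output 'Compliant'
} else {
    Write-Output 'NonCompliant'
    $issues | ForEach-Object { Write-Warning $_ }

    if ($Remediate) {
        $ccmsetup = Join-Path $env:windir 'ccmsetup\ccmsetup.exe'
        if (Test-Path $ccmsetup) {
            # Same command the original poster runs, with the site code parameterised.
            Start-Process -FilePath $ccmsetup `
                -ArgumentList "SMSSITECODE=$ExpectedSiteCode", 'RESETKEYINFORMATION=TRUE' -Wait
        } else {
            Write-Warning "ccmsetup.exe not found at $ccmsetup"
        }
    }
}
```

Used as a DCM check, run it without -Remediate and report on the 'Compliant'/'NonCompliant' string; the non-compliant list is then the targeting list for Scriptlogic, which can push the same script with -Remediate. Note that a client whose key is wrong may not be receiving policy at all, so a DCM baseline cannot reach it; for those machines the push from outside ConfigMgr is the only path, which is why the script also works when launched directly.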
  • I have used the Resetkeyinformation before.  Here is how and why I used it.

    • Marked as answer by Yog Li Friday, November 26, 2010 11:02 AM
    Tuesday, November 16, 2010 7:05 PM