Wednesday, September 24, 2014

SCCM Client breaks after Site Signing Certificate Renewal

The ConfigMgr sites where I work run in Native Mode, which means certificates are required. Recently the site signing certificate for one of my sites was expiring, so it had to be renewed. The renewal went smoothly for the Document Signing. However, after the new site signing certificate was issued and assigned to the site, all clients stopped receiving policies.

We got this error in the clients' PolicyAgent.log:

Everything looked fine: all certificates were issued and all clients trusted the new certificate, but the ConfigMgr agent still would not work. Uninstalling and re-installing the client solved the problem, but I can't possibly do that for over 10000 clients.

Technically speaking, renewing or replacing the site signing certificate issued from the same Certificate Authority should not cause this issue. Usually the new certificate is downloaded automatically by the clients when the certificate is renewed, but in my case this unfortunately did not happen.
I had to remove the old site signing certificate from the ConfigMgr client agents. It is stored in the registry, so this can be done with a simple Group Policy Preferences fix.

For me, I used the VBScript below in combination with psexec to do the same:

' Clears the cached site signing certificate hash on the local ConfigMgr client.
' Run elevated with cscript; pushed to many machines with psexec.
const HKEY_LOCAL_MACHINE = &H80000002

' "." means the local machine; psexec runs the script on each target itself
strComputer = "."

' WMI standard registry provider, used to write the value
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

' Key path for x86 clients; on x64 clients use SOFTWARE\Wow6432Node\Microsoft\CCM\Security
strKeyPath = "SOFTWARE\Microsoft\CCM\Security"
strValueName = "AllowedRootCAHashCode"
' Writing an empty string removes the old certificate hash (REG_SZ value data)
strValue = ""

objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

Basically, what you need to do is remove the client copy of the site server signing certificate if you change the root certification: locate the value named AllowedRootCAHashCode (type REG_SZ) and delete the associated value data, which appears as a string of hexadecimal numbers.
For x86-systems: HKLM\SOFTWARE\Microsoft\CCM\Security
For x64-systems: HKLM\SOFTWARE\Wow6432Node\Microsoft\CCM\Security

After this is done, restart the SMS Agent service and keep monitoring PolicyAgent.log for the cleanup of machine policy; after that everything should work.
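The same fix as a PowerShell script, added here as an example and not part of the original post: it handles both the x86 and x64 key paths, records the old hash before clearing it so the change can be audited or reverted, restarts the agent, and shows the tail of PolicyAgent.log. The service name CcmExec (display name "SMS Agent Host") and the log folder %windir%\CCM\Logs are assumptions about the client installation.

```powershell
# Added example (not from the original post). Clears the cached site signing
# certificate hash on a ConfigMgr client, keeps a record of the old value,
# restarts the agent and shows recent PolicyAgent.log entries.
# Assumed: service name CcmExec ("SMS Agent Host"), logs under %windir%\CCM\Logs.

$keyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\CCM\Security',              # x86 clients
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\CCM\Security'   # x64 clients
)
$valueName = 'AllowedRootCAHashCode'
$backup    = Join-Path $env:TEMP 'AllowedRootCAHashCode.bak.txt'

foreach ($path in $keyPaths) {
    if (-not (Test-Path $path)) { continue }          # only touch the key that exists
    $old = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ([string]::IsNullOrEmpty($old)) {
        Write-Host "$path\$valueName is already empty, nothing to do"
        continue
    }
    # Save the old hash (timestamped) so the change can be audited or reverted
    "$(Get-Date -Format o) $path $valueName=$old" | Add-Content -Path $backup
    Set-ItemProperty -Path $path -Name $valueName -Value '' -Type String
    Write-Host "Cleared $valueName under $path (old value saved to $backup)"
}

# Restart the agent so it re-reads its security settings and fetches the new certificate
Restart-Service -Name CcmExec -Force

# Wait briefly, then show the latest PolicyAgent.log lines to confirm the machine
# policy cleanup and the subsequent policy download are taking place
Start-Sleep -Seconds 30
$log = Join-Path $env:windir 'CCM\Logs\PolicyAgent.log'
if (Test-Path $log) {
    Get-Content -Path $log -Tail 20
} else {
    Write-Warning "PolicyAgent.log not found at $log"
}
```

Run it elevated on each client (for example through psexec, as in the post); the backup file lets you confirm which hash was removed on which machine.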
