

jb00

Client not recognizing PKI cert after Re-Imaging


SCCM CB 1706 - Win7 to Win10 migration using USMT, LTI (non-upgrade) - When re-imaging a machine using the same computer name, the client does not recognize the PKI cert.

The machine pulls the previous PKI cert that was issued and ClientIDManagerStartup.log has the following errors:

1) Failed to acquire certificate private key.

2) Certificate [Thumbprint...] issued to 'machine name' doesn't have private key or caller doesn't have access to private key.

3) Unable to find PKI certificate matching SCCM certificate selection criteria. 0x87d00283.

I have found that if I request a new PKI certificate or change the machine's name in the imaging process, then the client registers.

Is there a way to automate the recovery of the private key so that the client can use the existing PKI cert? Or I guess the correct question is how do I resolve this through automation during the imaging process?

Thanks

Jeff


It sounds like the same issue I had found a few months ago. My USMT config was set to migrate="yes" for computer certs and keys. I didn't want to turn that off in case there was anything else that did need to be backed up. I don't know much about certificates so I decided to run a PowerShell script right after the USMT Restore process:

# Cleanup after a USMT Restore
# Midnight today; any cert issued before this is treated as a restored, pre-image cert
[DateTime]$Date = (Get-Date -Format 'yyyy-MM-dd')
# Find any outdated Client Authentication certificates issued to this machine
$CompName = ($env:ComputerName).ToUpper()
$Certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject.ToUpper() -like "*$CompName*" -And
                   $_.EnhancedKeyUsageList -like "*Client Authentication*" -And
                   $_.FriendlyName -eq "" } |
    Sort-Object NotBefore -Descending
ForEach ($Cert in $Certs) {
    If ($Cert.NotBefore -lt $Date) {
        # Remove the old certificate; the client will request a new one
        Remove-Item -Path Cert:\LocalMachine\My\$($Cert.PSChildName) -Force
    }
}

It searches for client certificates with a subject matching the computer's name and with an older initial date.

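The errors in the first post point at the private key rather than the issue date: USMT can restore the certificate blob without a usable key container. The script below is an added example, not the poster's script, and keys the cleanup on whether the private key can actually be opened; it assumes the template's subject contains the computer name and that machine autoenrollment is configured so certutil -pulse can request a replacement.

```powershell
# Added example: after a USMT restore, remove restored Client Authentication
# certificates whose private key did not come across, then trigger autoenrollment.
$ErrorActionPreference = 'Stop'
$CompName = $env:COMPUTERNAME.ToUpper()

function Test-UsablePrivateKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        # Actually open the key: a cert restored without its key container
        # reports HasPrivateKey but fails (or returns null) here.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        return ($null -ne $key)
    } catch {
        return $false
    }
}

# Client Authentication certs issued to this machine name (assumption: subject contains the hostname)
$Candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.Subject.ToUpper() -like "*$CompName*" -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.FriendlyName -eq 'Client Authentication' })
}

foreach ($Cert in $Candidates) {
    if (Test-UsablePrivateKey -Cert $Cert) {
        Write-Output "Keeping  $($Cert.Thumbprint) (private key usable)"
    } else {
        Write-Output "Removing $($Cert.Thumbprint) (no usable private key)"
        Remove-Item -Path "Cert:\LocalMachine\My\$($Cert.Thumbprint)" -Force
    }
}

# Ask the autoenrollment client to request a replacement now instead of waiting
# for the next scheduled pass (assumption: machine autoenrollment is enabled by GPO).
certutil.exe -pulse | Out-Null
```

Run it as SYSTEM in the task sequence right after the USMT restore step, before the ConfigMgr client setup step, so the client's first certificate selection only sees certs whose keys it can use.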
