SCCM Client Certificate None Issue

I started to take over responsibility for server patching after a server admin left recently. We use SCCM 2012 to patch servers. I came across a few servers that had the SCCM client certificate "None" issue, but the fix was not the same for all of them. The screenshot below shows the issue.

Server A had this issue after I updated the SCCM client. Another server, Server B, had had this issue for a very long time. While the issue existed, the client was not able to communicate with the SCCM server and software updates could not be deployed to it.

The fix for Server A was:

  1. Uninstalled the client manually (from an elevated command prompt on the server, ran c:\windows\ccmsetup\ccmsetup.exe /uninstall).
  2. When the ccmsetup.exe process had terminated in Task Manager, I mapped a drive (J: in my case) to the SCCM server's client share \\SCCMSERVER\sms_p01\client
  3. Re-installed the client with this command: J:\ccmsetup.exe SMSSITECODE=P01 FSP=sccmserver.domain.com SMSSLP=sccmserver.domain.com /noservice
  4. After it finished installing, it took about 10-15 minutes before the client started to show signs of life. When it did, the two options under the Actions tab were Machine Policy Retrieval and User Policy Retrieval. I got impatient and ran them. Shortly after, the client appears to have finally connected.

But this method did not fix Server B. I also tried the steps below, from an article I found online, but still no luck!

  1. Stop the Windows Management Instrumentation (WMI) service.
  2. Open Windows Task Manager and end the CcmExec.exe process.
  3. Use sc delete to remove any SCCM services (ccmexec, smstsmgr, cmrcservice, and ccmsetup if it exists):
      • C:\Windows\system32>sc delete ccmexec
      • C:\Windows\system32>sc delete smstsmgr
      • C:\Windows\system32>sc delete cmrcservice
  4. Delete C:\windows\ccm, C:\windows\ccmsetup, C:\windows\ccmcache and C:\Windows\SMSCFG.ini.
  5. In regedit, remove:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS
  6. Restart WMI and reinstall the client.

Unfortunately, this did not fix the issue; the client certificate was still None.

I found the error messages below in C:\Windows\CCM\Logs\CertificateMaintenance.log:
<![LOG[Crypt acquire context failed with 0x8009000f.]LOG]!><time="14:01:09.236+360" date="06-16-2017" component="CertificateMaintenance" context="" type="3" thread="9464" file="ccmgencert.cpp:867">
<![LOG[Failed to create certificate 8009000f]LOG]!><time="14:01:09.236+360" date="06-16-2017" component="CertificateMaintenance" context="" type="3" thread="9464" file="ccmgencert.cpp:991">
<![LOG[CCMDoCertificateMaintenance() failed (0x8009000f).]LOG]!><time="14:01:09.236+360" date="06-16-2017" component="CertificateMaintenance" context="" type="3" thread="9464" file="ccmgencert.cpp:2717">

Searching for the keywords "Crypt acquire context failed with 0x8009000f", I found the article that fixed the issue at https://teknikewl.wordpress.com/2013/08/05/client-fails-to-create-certificate/

The fix steps are:

  1. Go to the C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys folder and locate the file whose name starts with 19c5cf.
  2. Change the security settings on that 19c5cf key file to give SYSTEM Full Control and the Administrators group Read and Read & Execute permissions (grant nothing beyond that).
  3. Restart the SMS Agent Host service.

After that, the client created a self-signed certificate!
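To check for this error and review the key file's current permissions before changing anything, here is an added PowerShell script (not from the original post or the linked article). It assumes the default client log path, that C:\ProgramData is the same folder as C:\Users\All Users, and the CcmExec service name for SMS Agent Host; run it from an elevated session, and add -Fix only after reviewing the reported ACL.

```powershell
# Added example (not from the original post): report the 0x8009000f failure and the
# ACL on the 19c5cf* machine key file; with -Fix, apply the permissions from the fix.
[CmdletBinding()]
param(
    [switch]$Fix   # without -Fix the script only reports and changes nothing
)

$log  = 'C:\Windows\CCM\Logs\CertificateMaintenance.log'
# C:\Users\All Users is a junction to C:\ProgramData (assumption: default layout)
$keys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# 1. Look for the Crypt acquire context failure in the client log.
if (Test-Path $log) {
    $hits = Select-String -Path $log -Pattern 'Crypt acquire context failed with 0x8009000f' -SimpleMatch
    if ($hits) { Write-Host "Found $(@($hits).Count) 0x8009000f failure(s) in $log" }
    else       { Write-Host "No 0x8009000f failure in $log; this fix probably does not apply" }
} else {
    Write-Warning "Log not found: $log"
}

# 2. Locate the 19c5cf* key container file and show who currently has access to it.
$keyFile = Get-ChildItem -Path $keys -Filter '19c5cf*' -File -Force | Select-Object -First 1
if (-not $keyFile) { throw "No file starting with 19c5cf found in $keys" }
Write-Host "Key file: $($keyFile.FullName)"
$acl = Get-Acl -Path $keyFile.FullName
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 3. Optionally apply exactly the permissions from the fix: SYSTEM Full Control,
#    Administrators Read and Read & Execute. No other principal is granted anything.
if ($Fix) {
    $system = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', 'Allow')
    $admins = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'ReadAndExecute', 'Allow')   # ReadAndExecute includes Read
    $acl.SetAccessRule($system)
    $acl.SetAccessRule($admins)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    Restart-Service -Name CcmExec   # SMS Agent Host
    Write-Host 'Permissions applied and SMS Agent Host restarted; re-check CertificateMaintenance.log'
}
```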