I recently took over responsibility for server patching after a server admin left. We use SCCM 2012 to patch servers. I ran into a few servers that showed the SCCM client certificate as "None", but the fix was not the same for all of them. The screenshot below shows the issue.
Server A had this issue after I updated the SCCM client. Another server, Server B, had had this issue for a very long time. While the issue existed, the client was not able to communicate with the SCCM server, and software updates could not be deployed to it.
The fix for Server A was:
- Uninstalled the client manually (from an elevated command prompt on the server, ran c:\windows\ccmsetup\ccmsetup.exe /uninstall).
- When the ccmsetup.exe process had terminated in Task Manager, I mapped a drive (J: in my case) to the SCCM server's client shared folder \\SCCMSERVER\sms_p01\client
- Re-installed the client with this string: J:\ccmsetup.exe SMSSITECODE=P01 FSP=sccmserver.domain.com SMSSLP=sccmserver.domain.com /noservice
- After it finished installing, it took about 10-15 minutes before the client started to show signs of life. When it did, the two options under the Actions tab were Machine and User Policy Retrieval. I got impatient and ran them. Shortly after, the client appeared to have finally connected.
But this method did not fix the Server B issue. I also tried the steps below, following an article I found online, but still no luck!
- Stop the Windows Management Instrumentation (WMI) service.
- Open Windows Task Manager and end the CcmExec.exe process.
- Use sc delete to remove any SCCM services (ccmexec, smstsmgr, cmrcservice, and ccmsetup if they exist):
  - C:\Windows\system32>sc delete ccmexec
  - C:\Windows\system32>sc delete smstsmgr
  - C:\Windows\system32>sc delete cmrcservice
- Delete C:\windows\ccm, C:\windows\ccmsetup, C:\windows\ccmcache, C:\Windows\SMSCFG.ini
- Go into regedit and remove:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS
- Then restart WMI and reinstall the client.

Unfortunately, this did not fix the issue; the client certificate was still None.
I found the error messages below in C:\Windows\CCM\Logs\CertificateMaintenance.log:
<![LOG[Crypt acquire context failed with 0x8009000f.]LOG]!><time="14:01:09.236+360" date="06-16-2017" component="CertificateMaintenance" context="" type="3" thread="9464" file="ccmgencert.cpp:867">
<![LOG[Failed to create certificate 8009000f]LOG]!><time="14:01:09.236+360" date="06-16-2017" component="CertificateMaintenance" context="" type="3" thread="9464" file="ccmgencert.cpp:991">
<![LOG[CCMDoCertificateMaintenance() failed (0x8009000f).]LOG]!><time="14:01:09.236+360" date="06-16-2017" component="CertificateMaintenance" context="" type="3" thread="9464" file="ccmgencert.cpp:2717">
Searching for the keywords "Crypt acquire context failed with 0x8009000f", I found the article that fixed the issue at https://teknikewl.wordpress.com/2013/08/05/client-fails-to-create-certificate/
The fix steps are:
- Go to the C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys folder and locate the file whose name starts with 19c5cf.
- Change the security settings on the 19c5cf key file to give SYSTEM full access and the Administrators group Read and Read & Execute permissions.
- Restart the SMS Agent Host service.
After that, the client created a self-signed certificate!
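
A scripted form of the permission check and fix above, as an added example (not from the original post or the linked article). It assumes the key file is matched by the 19c5cf prefix, identifies SYSTEM and Administrators by their well-known SIDs, and assumes CcmExec is the service name of SMS Agent Host. Run it from an elevated PowerShell prompt; it only reports unless -Repair is given.

```powershell
# Added example: audit, and with -Repair fix, the ACL on the SCCM client key file.
param(
    [string]$KeyPrefix = '19c5cf',   # file-name prefix given in the post
    [switch]$Repair                  # default is report-only
)

# C:\Users\All Users resolves to %ProgramData% on Server 2008 and later.
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# Well-known SIDs avoid dependence on localized account names.
$wanted = @(
    @{ Name = 'SYSTEM';         Sid = 'S-1-5-18';     Rights = 'FullControl' },
    @{ Name = 'Administrators'; Sid = 'S-1-5-32-544'; Rights = 'ReadAndExecute' }
)

$fixedAny = $false
foreach ($file in Get-ChildItem -Path $keyDir -Filter "$KeyPrefix*" -Force) {
    try { $acl = Get-Acl -Path $file.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL on $($file.Name): $_"; continue }

    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $dirty = $false
    foreach ($w in $wanted) {
        $rights = [System.Security.AccessControl.FileSystemRights]$w.Rights
        $need   = [int]$rights
        $have   = 0
        # Sum the Allow entries for this SID; Deny entries are not evaluated here.
        foreach ($r in $rules) {
            if ($r.IdentityReference.Value -eq $w.Sid -and $r.AccessControlType -eq 'Allow') {
                $have = $have -bor [int]$r.FileSystemRights
            }
        }
        if (($have -band $need) -eq $need) {
            Write-Output "$($file.Name): $($w.Name) has $($w.Rights)"
            continue
        }
        Write-Warning "$($file.Name): $($w.Name) is missing $($w.Rights)"
        if ($Repair) {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($w.Sid)
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, $rights, 'Allow'
            $acl.AddAccessRule($rule)
            $dirty = $true
        }
    }
    if ($dirty) { Set-Acl -Path $file.FullName -AclObject $acl; $fixedAny = $true }
}

# Restart the SMS Agent Host service only if a permission was actually changed.
if ($fixedAny) { Restart-Service -Name CcmExec }
```

The script adds only the two entries named in the fix steps and leaves any other access rules on the key file untouched.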