SCCM Client Certificate Removal

While troubleshooting some inactive SCCM clients I found that they had bad SMS Certs.

Symptoms of this were found in LocationServices.log.

"Failed to verify Certificate with error 0x80070057" was the error that pointed me to take a look at the SMS cert.

Upon review I found that the certs were from a previous install of SCCM in my lab. These need to be deleted so the new install of SCCM can issue certs to the clients and establish a trust relationship.

My long-term plan is to build a runbook to fix broken SCCM agents, and this is a good place to start.

Here is the quick script I put together:

 

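# One computer name per line
$Computers = Get-Content C:\list.csv

foreach ($computer in $Computers) {

    $session = New-PSSession -ComputerName $computer

    # Delete the stale SMS certificates, then restart the SCCM agent so it requests new ones
    Invoke-Command -Session $session -ScriptBlock { Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates\*' -Force; Restart-Service ccmexec }

    # Close the remote session once the work is done
    Remove-PSSession $session
}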

Inside the scriptblock is the meat of the script. I delete the certificates via the registry and then restart the SCCM agent service. The client will then connect to the site server and request new certificates to be issued.

If this is the only problem on the machine, its status should become active in SCCM.

This script is provided as is and should not be used in a production environment against all computers in your domain. 
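A more cautious variant of the same fix, as an added example that is not the author's script: it acts only when the log shows the error quoted above, exports the certificate key before deleting it, and honours -WhatIf. The function name, the log path (the default client install location) and the backup folder are assumptions.

```powershell
function Repair-SmsClientCertificate {
    # Hypothetical helper name; run elevated on the client or pass it to Invoke-Command.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed default client log location; adjust if the agent is installed elsewhere.
        [string]$LogPath = "$env:windir\CCM\Logs\LocationServices.log",
        # Assumed backup folder for the exported registry key.
        [string]$BackupDir = "$env:ProgramData\SmsCertBackup"
    )

    $certKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates'
    $pattern = 'Failed to verify Certificate with error 0x80070057'

    # Only touch machines that actually show the symptom described in the post.
    if (-not (Test-Path $LogPath)) {
        Write-Warning "Log not found: $LogPath"
        return $false
    }
    $hits = @(Select-String -Path $LogPath -Pattern $pattern -SimpleMatch)
    if ($hits.Count -eq 0) {
        Write-Verbose 'No certificate verification errors logged; nothing to do.'
        return $false
    }

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove SMS certificates and restart CcmExec')) {
        return $false
    }

    # Export the key first so the old certificates can be examined or restored later.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ('SMS-Certs-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; certificates left untouched.' }

    # Same deletion and service restart as the original script.
    Remove-Item -Path "$certKey\*" -Recurse -Force
    Restart-Service -Name CcmExec
    return $true
}
```

Calling `Repair-SmsClientCertificate -WhatIf` reports whether the machine would be changed without deleting anything.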

