Windows 7 Fix Autoenrollment Machine Certificate

=Problem=

This all needs doing with an Admin/System account, running elevated.

SCCM Client won't install, hmmm, c:\Windows\ccmsetup\ccmsetup.log says:

<![LOG[Certificate issued to 'xxxxx.xxx.xxx.xxx' has expired.]LOG]!>

should say

<![LOG[The certificate issued to 'xxxxx.xxx.xxx.xxx' has 'Client Authentication' capability.]LOG]!>

Looks like a certificate problem!

c:\>certutil -store My

If this shows the certificate is expired, then you have a problem.

i.e. 'NotAfter:' should be a date in the future (you will probably also see other certificates marked !Archived that have expired already; this is ok).

Try forcing an Autoenrollment event. This should return "CertUtil: -pulse command completed successfully." on a working system.

c:\>certutil -pulse

CertUtil: -pulse command FAILED: 0x80070002 (WIN32: 2) CertUtil: The system cannot find the file specified.

If this fails, check that the Task Scheduler service is at least running; this should show the status as RUNNING:

c:\>sc query Schedule

See if it is working correctly with schtasks. If you see N/A in the Status column it is broken; it SHOULD say 'Ready'. Below is an excerpt:

c:\>schtasks

 Folder: \Microsoft\Windows\CertificateServicesClient
 TaskName                                 Next Run Time          Status
 ======================================== ====================== ===============
 SystemTask                               N/A                    N/A
 UserTask                                 N/A                    N/A

Yep, it is broken!

You will also notice you can't run the task nor delete it, i.e. both of these will fail:

 schtasks /run /TN "\Microsoft\Windows\CertificateServicesClient\SystemTask"
 schtasks /delete /TN "\Microsoft\Windows\CertificateServicesClient\SystemTask"
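The three checks above (machine certificate, Schedule service, the CertificateServicesClient tasks) can be run in one go from an elevated PowerShell prompt. This is an added, read-only example, not part of the original page; it assumes PowerShell 2.0 or later on Windows 7, and the task names are the ones shown above.

```powershell
# Added example (not from the original page): read-only version of the manual checks above.
# Assumes PowerShell 2.0+ on Windows 7, run elevated. 1.3.6.1.5.5.7.3.2 is the
# Client Authentication EKU that ccmsetup.log is looking for.
$now = Get-Date
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

# 1. Machine Personal store: list certificates carrying the Client Authentication EKU
$clientAuth = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # EKU extension
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}
foreach ($c in $clientAuth) {
    $state = if ($c.NotAfter -gt $now) { 'VALID' } else { 'EXPIRED' }
    '{0,-8} NotAfter={1:dd/MM/yyyy HH:mm} Subject={2} Serial={3}' -f $state, $c.NotAfter, $c.Subject, $c.SerialNumber
}
if (-not ($clientAuth | Where-Object { $_.NotAfter -gt $now })) {
    Write-Warning 'No unexpired Client Authentication certificate in LocalMachine\My (matches the ccmsetup.log symptom)'
}

# 2. Task Scheduler service must be running for autoenrollment to fire at all
$sched = Get-Service Schedule
"Schedule service: $($sched.Status)"

# 3. The autoenrollment tasks: schtasks reports Status N/A when the task image is broken
foreach ($t in 'SystemTask', 'UserTask') {
    $tn = "\Microsoft\Windows\CertificateServicesClient\$t"
    $rows = @(schtasks /query /fo csv /tn $tn 2>$null | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { Write-Warning "$tn : schtasks could not query the task"; continue }
    $status = $rows[0].Status
    if ($status -eq 'N/A') { Write-Warning "$tn : Status N/A (task is broken)" }
    else { "$tn : $status" }
}
```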

=Fix=

In Windows 7 you cannot just copy and paste the task files; you must import them (they contain SIDs).

Source machine
First you need to gather all the scheduled tasks from a good machine. The script below was created by joseph.garfield and has a few small alterations: http://community.spiceworks.com/scripts/show/1474-export-and-import-all-scheduled-tasks-in-windows-server-2008-windows-7

 @echo off
 cls
 setlocal EnableDelayedExpansion
 
 rem usage: tasks.bat export   or   tasks.bat import
 if %1. == export. call :export
 if %1. == import. call :import
 exit /b 0
 
 :export
 rem one line per task name in tnlist.txt; one XML definition per task in tasks\
 md tasks 2>nul
 schtasks /query /fo csv | findstr /V /c:"TaskName" > tnlist.txt
 for /F "delims=," %%T in (tnlist.txt) do (
   set tn=%%T
   rem backslashes are not allowed in file names, so use # in their place
   set fn=!tn:\=#!
   echo Exporting !tn! !fn!
   schtasks /query /xml /TN !tn! > tasks\!fn!.xml
 )
 exit /b 0
 
 :import
 for %%f in (tasks\*.xml) do (
   call :importfile "%%f"
 )
 exit /b 0
 
 :importfile
 set filename=%1
 rem replace the # symbol and strip tasks\ and .xml to derive the task name
 set taskname=%filename:#=\%
 set taskname=%taskname:tasks\=%
 set taskname=%taskname:.xml=%
 echo Importing %taskname% from %filename%
 schtasks /create /tn %taskname% /xml %filename%
 echo.
 echo.

So, assuming it's saved somewhere on the source machine as tasks.bat:

 cd %temp%
 tasks.bat export

Copy tasks.bat, tnlist.txt and the Tasks folder (created by the export) to the broken machine (ideally into its temp folder), keeping the same structure, i.e. %temp%\tasks.bat, %temp%\tnlist.txt and %temp%\Tasks\

On broken machine

 reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache" /f
 rmdir /s /q "c:\Windows\System32\Tasks\Microsoft\Windows"
 cd %temp%
 tasks.bat import

You should see the tasks import ok and c:\Windows\System32\Tasks\Microsoft\Windows and sub folders get re-created. e.g.

  Directory of c:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
 
 07/08/2013  16:10    <DIR>          .
 07/08/2013  16:10    <DIR>          ..
 07/08/2013  16:10             4,468 SystemTask
 07/08/2013  16:10             4,088 UserTask
 07/08/2013  16:10             3,220 UserTask-Roam
                3 File(s)         11,776 bytes
                2 Dir(s)  270,992,662,528 bytes free

Running the task should then work:

 C:\>schtasks /run /TN "\Microsoft\Windows\CertificateServicesClient\SystemTask"
 SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\CertificateServicesClient\SystemTask".

Pulse should then work:

 C:\>certutil -pulse
 CertUtil: -pulse command completed successfully.

You should then get a new valid certificate:

 C:\>certutil -store My
 My
 ================ Certificate 0 ================
 Serial Number: 62f43f870000000033cf
 Issuer: CN=xxxxxxxxxxx CA, DC=uol, DC=le, DC=ac, DC=uk
  NotBefore: 16/04/2013 15:39
  NotAfter: 16/04/2014 15:39
 Subject: EMPTY (DNS Name=xxxxxxxxxxx.xxxx.xxxx.xxx)
 Non-root Certificate

=References=

The original script http://community.spiceworks.com/scripts/show/1474-export-and-import-all-scheduled-tasks-in-windows-server-2008-windows-7

The same/similar problem on Vista http://social.technet.microsoft.com/Forums/windowsserver/en-US/5100f13d-f9e6-46fb-a394-76b7f9702c80/workstation-retrieving-certificates-from-ad-central-store

http://crosbysite.blogspot.co.uk/2011/08/certificate-autoenrollment-not-working.html

http://answers.microsoft.com/en-us/windows/forum/windows_vista-performance/task-image-is-corrupt-or-has-been-tampered-with/91c0aef2-fa32-4795-8eb2-5c109cabe550?page=2

 * This last one suggests deleting the SUBKEYS under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Schedule; it may be a better way to fix the scheduled tasks without needing the export/import.

=Comments=