Windows 7 Fix Autoenrollment Machine Certificate
Problem
This all needs doing with an Admin/System account, running elevated.
SCCM Client won't install, hmmm, c:\Windows\ccmsetup\ccmsetup.log says
<![LOG[Certificate issued to 'xxxxx.xxx.xxx.xxx' has expired.]LOG]!>
should say
<![LOG[The certificate issued to 'xxxxx.xxx.xxx.xxx' has 'Client Authentication' capability.]LOG]!>
Looks like a certificate problem!
c:\>certutil -store My
If this shows the certificate is expired, then you have a problem.
i.e. 'NotAfter:' should be a date in the future (you will probably see other certificates marked !Archived that have expired already; this is OK.)
Try forcing an Autoenrollment event. This should return "CertUtil: -pulse command completed successfully." on a working system.
c:\>certutil -pulse
CertUtil: -pulse command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
If this fails, check that the Task Scheduler service is at least running; this should show a state of RUNNING
c:\>sc query Schedule
See if it is working correctly with schtasks - if you see N/A in the Status column it is broken, it SHOULD say 'Ready'. Below is an excerpt:
c:\>schtasks
Folder: \Microsoft\Windows\CertificateServicesClient
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SystemTask                               N/A                    N/A
UserTask                                 N/A                    N/A
Yep, it is broken!
You will also notice you can't run the task nor delete it, i.e. both of these will fail:
schtasks /run /TN "\Microsoft\Windows\CertificateServicesClient\SystemTask"
schtasks /delete /TN "\Microsoft\Windows\CertificateServicesClient\SystemTask"
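The three checks above (certificate, Schedule service, task status) gathered into one PowerShell script. This is added here and is not part of the original post; it assumes an elevated PowerShell 2.0 or later prompt on Windows 7 and uses the task and service names shown above, and it only pulses when the prerequisites look healthy.

```powershell
# Assumed: Windows 7, PowerShell 2.0 or later, run elevated.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU that ccmsetup looks for
$tasks = '\Microsoft\Windows\CertificateServicesClient\SystemTask',
         '\Microsoft\Windows\CertificateServicesClient\UserTask'

# True if the certificate carries the Client Authentication EKU.
function Test-ClientAuthEku($cert) {
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq $clientAuthOid) { return $true } }
        }
    }
    return $false
}

# Returns a list of problem descriptions; an empty list means autoenrollment should be able to pulse.
function Get-AutoenrollmentProblems {
    $problems = @()

    # 1. Same store as 'certutil -store My': want an unexpired cert with Client Authentication
    $now = Get-Date
    $good = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -gt $now -and (Test-ClientAuthEku $_) }
    if (-not $good) { $problems += 'no unexpired Client Authentication certificate in LocalMachine\My' }

    # 2. Same as 'sc query Schedule'
    $svc = Get-Service -Name Schedule
    if ($svc.Status -ne 'Running') { $problems += "Schedule service is $($svc.Status), expected Running" }

    # 3. Same as 'schtasks': a broken task is missing or shows N/A instead of Ready in the Status column
    foreach ($tn in $tasks) {
        $row = schtasks /query /fo csv /nh /tn $tn 2>$null | ConvertFrom-Csv -Header TaskName, NextRunTime, Status
        if (-not $row -or $row.Status -eq 'N/A') { $problems += "task $tn is missing or has status N/A" }
    }
    return $problems
}

$problems = @(Get-AutoenrollmentProblems)
if ($problems.Count -eq 0) {
    certutil -pulse          # should report "-pulse command completed successfully"
} else {
    Write-Warning 'Autoenrollment prerequisites are broken; apply the Fix section first:'
    $problems | ForEach-Object { Write-Warning "  $_" }
}
```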
Fix
In Windows 7 you cannot just copy and paste the task files; you must import them (they contain SIDs).
Source machine
First you need to gather all the scheduled tasks from a good machine. (This script was created by joseph.garfield and has a few small alterations to it.) http://community.spiceworks.com/scripts/show/1474-export-and-import-all-scheduled-tasks-in-windows-server-2008-windows-7
@echo off
cls
setlocal EnableDelayedExpansion
if %1. == export. call :export
if %1. == import. call :import
exit /b 0

:export
md tasks 2>nul
schtasks /query /fo csv | findstr /V /c:"TaskName" > tnlist.txt
for /F "delims=," %%T in (tnlist.txt) do (
    set tn=%%T
    set fn=!tn:\=#!
    echo Exporting !tn! !fn!
    schtasks /query /xml /TN !tn! > tasks\!fn!.xml
)
exit /b 0

:import
for %%f in (tasks\*.xml) do (
    call :importfile "%%f"
)
exit /b 0

:importfile
set filename=%1
rem replace the # symbol and strip tasks\ and .xml to derive the task name
set taskname=%filename:#=\%
set taskname=%taskname:tasks\=%
set taskname=%taskname:.xml=%
echo Importing %taskname% from %filename%
schtasks /create /tn %taskname% /xml %filename%
echo.
echo.
So, assuming it's saved somewhere on the source machine as tasks.bat:
cd %temp%
tasks.bat export
Copy tasks.bat + tnlist.txt + \Tasks (folder created) to the broken machine (in its temp folder ideally), keeping the same structure, i.e. %temp%\tasks.bat %temp%\tnlist.txt and %temp%\Tasks\
On broken machine
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache" /f
rmdir /s /q "c:\Windows\System32\Tasks\Microsoft\Windows"
cd %temp%
tasks.bat import
You should see the tasks import OK and c:\Windows\System32\Tasks\Microsoft\Windows and its sub-folders get re-created, e.g.
 Directory of c:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient

07/08/2013  16:10    <DIR>          .
07/08/2013  16:10    <DIR>          ..
07/08/2013  16:10             4,468 SystemTask
07/08/2013  16:10             4,088 UserTask
07/08/2013  16:10             3,220 UserTask-Roam
               3 File(s)         11,776 bytes
               2 Dir(s)  270,992,662,528 bytes free
Running the task should then work:
C:\>schtasks /run /TN "\Microsoft\Windows\CertificateServicesClient\SystemTask"
SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\CertificateServicesClient\SystemTask".
Pulse should then work:
C:\>certutil -pulse
CertUtil: -pulse command completed successfully.
You should then get a new, valid certificate:
C:\>certutil -store My
My
================ Certificate 0 ================
Serial Number: 62f43f870000000033cf
Issuer: CN=xxxxxxxxxxx CA, DC=uol, DC=le, DC=ac, DC=uk
 NotBefore: 16/04/2013 15:39
 NotAfter: 16/04/2014 15:39
Subject: EMPTY (DNS Name=xxxxxxxxxxx.xxxx.xxxx.xxx)
Non-root Certificate
<SNIP>
References
The original script http://community.spiceworks.com/scripts/show/1474-export-and-import-all-scheduled-tasks-in-windows-server-2008-windows-7
The same/similar problem on Vista http://social.technet.microsoft.com/Forums/windowsserver/en-US/5100f13d-f9e6-46fb-a394-76b7f9702c80/workstation-retrieving-certificates-from-ad-central-store
http://crosbysite.blogspot.co.uk/2011/08/certificate-autoenrollment-not-working.html
- This last one suggested deleting the SUBKEYS under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule; it may be a better way to fix the scheduled tasks without needing the export/import.