Windows 7 Fix Autoenrollment Machine Certificate

From richud.com


Problem

This all needs doing with an Admin/System account, running elevated.

The SCCM client won't install, hmmm. c:\Windows\ccmsetup\ccmsetup.log says

<![LOG[Certificate issued to 'xxxxx.xxx.xxx.xxx' has expired.]LOG]!>

whereas on a working machine it should say

<![LOG[The certificate issued to 'xxxxx.xxx.xxx.xxx' has 'Client Authentication' capability.]LOG]!>

Looks like a certificate problem!

c:\>certutil -store My

If this shows that the certificate has expired, then you have a problem.

i.e. 'NotAfter:' on the machine certificate should be a date in the future. (You will probably also see other certificates marked !Archived that have expired already; that is OK.)

Try forcing an Autoenrollment event. This should return "CertUtil: -pulse command completed successfully." on a working system.

c:\>certutil -pulse

CertUtil: -pulse command FAILED: 0x80070002 (WIN32: 2) 
CertUtil: The system cannot find the file specified.

If this fails, first check that the Task Scheduler service is at least running; the STATE line should show RUNNING

c:\>sc query Schedule

Then see if it is working correctly with schtasks. If you see N/A in the Status column it is broken; it SHOULD say 'Ready'. Below is an excerpt

c:\>schtasks

Folder: \Microsoft\Windows\CertificateServicesClient
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SystemTask                               N/A                    N/A
UserTask                                 N/A                    N/A


Yep, it is broken!

You will also notice that you can neither run the task nor delete it, i.e. both of these fail: schtasks /run /TN "\Microsoft\Windows\CertificateServicesClient\SystemTask" and schtasks /delete /TN "\Microsoft\Windows\CertificateServicesClient\SystemTask"
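The checks above, rolled into one read-only PowerShell script. This is an added example, not from this page or from the script author the page credits; it assumes an elevated PowerShell 2.0 or later session on Windows 7, schtasks.exe and certutil.exe on the PATH, and the task paths shown above. The script name and the Client Authentication EKU check (the capability ccmsetup.log reports) are mine.

```powershell
# Test-AutoEnrollHealth.ps1 (added example, not from richud.com)
# Assumes: elevated PowerShell 2.0+ on Windows 7, schtasks.exe and certutil.exe on PATH.
# Runs the page's checks read-only and prints a list of findings; it changes nothing.

$taskPaths = @(
    '\Microsoft\Windows\CertificateServicesClient\SystemTask',
    '\Microsoft\Windows\CertificateServicesClient\UserTask'
)
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the capability ccmsetup.log looks for
$findings = @()

# True if the certificate carries the Client Authentication EKU.
function Test-ClientAuthEku {
    param($cert)
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $clientAuthOid) { return $true }
            }
        }
    }
    return $false
}

# 1. Machine store: same check as 'certutil -store My', but with a real date comparison.
#    Archived certificates are skipped, as the page says their expiry is expected.
$now = Get-Date
$validClientAuth = 0
foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My)) {
    if ($cert.Archived) { continue }
    $hasEku = Test-ClientAuthEku $cert
    '{0}  NotAfter={1:yyyy-MM-dd}  ClientAuth={2}' -f $cert.Thumbprint, $cert.NotAfter, $hasEku
    if ($cert.NotAfter -lt $now) {
        $findings += "Expired certificate: $($cert.Subject) ($($cert.Thumbprint))"
    } elseif ($hasEku) {
        $validClientAuth++
    }
}
if ($validClientAuth -eq 0) {
    $findings += 'No unexpired Client Authentication certificate in LocalMachine\My'
}

# 2. Task Scheduler service: equivalent of 'sc query Schedule'.
$svc = Get-Service -Name Schedule
"Schedule service: $($svc.Status)"
if ($svc.Status -ne 'Running') { $findings += 'Task Scheduler service is not running' }

# 3. Autoenrollment tasks: equivalent of reading the Status column of 'schtasks'.
#    /nh drops the header row, so the three CSV columns are named by hand.
foreach ($path in $taskPaths) {
    $csv = & schtasks.exe /query /fo csv /nh /tn $path 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $csv) {
        $findings += "Task missing: $path"
        continue
    }
    $row = $csv | ConvertFrom-Csv -Header TaskName, NextRunTime, Status
    "$path  Status=$($row.Status)"
    if ($row.Status -eq 'N/A') { $findings += "Task registration broken (Status N/A): $path" }
}

# 4. Force an autoenrollment pulse, exactly as the page does.
$pulse = & certutil.exe -pulse 2>&1
$pulse
if ($LASTEXITCODE -ne 0) { $findings += 'certutil -pulse failed (see output above)' }

# Summary: exit code 1 when anything needs fixing, so the script can be run remotely in bulk.
if ($findings.Count -eq 0) {
    'All autoenrollment checks passed.'
} else {
    'Findings:'
    $findings | ForEach-Object { " - $_" }
    exit 1
}
```

Run it from an elevated prompt with `powershell -ExecutionPolicy Bypass -File Test-AutoEnrollHealth.ps1`. A broken machine of the kind described above should report the expired certificate, Status N/A for both tasks and the failed pulse together, which separates this failure from a plain CA or network problem (certificate expired, but tasks Ready and pulse succeeding).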

Fix

In Windows 7 you cannot just copy and paste the task files; you must import them. (They carry SIDs.)

Source machine

First you need to export all the scheduled tasks from a good machine. (This script was written by joseph.garfield and has a few small alterations here.) http://community.spiceworks.com/scripts/show/1474-export-and-import-all-scheduled-tasks-in-windows-server-2008-windows-7

@echo off
cls
setlocal EnableDelayedExpansion

rem Usage:  tasks.bat export   (run on a working machine)
rem         tasks.bat import   (run on the broken machine, from the folder holding tasks\)
if "%~1"=="export" (call :export & exit /b 0)
if "%~1"=="import" (call :import & exit /b 0)
echo Usage: %~nx0 export ^| import
exit /b 1


:export
rem One XML file per task goes into .\tasks
md tasks 2>nul

rem List every task as CSV and drop the repeated "TaskName" header rows.
rem The first column of each remaining row is the quoted task path.
schtasks /query /fo csv | findstr /V /c:"TaskName" > tnlist.txt

for /F "delims=," %%T in (tnlist.txt) do (
  set tn=%%T
  rem Backslashes cannot appear in a file name, so encode them as # and strip the CSV quotes.
  rem Import reverses the # encoding.
  set fn=!tn:\=#!
  set fn=!fn:"=!

  echo  Exporting !tn! !fn!
  schtasks /query /xml /TN !tn! > "tasks\!fn!.xml"
)
exit /b 0


:import
if not exist tasks\*.xml (
  echo No tasks\*.xml found - run "tasks.bat export" on a good machine first
  exit /b 1
)
for %%f in (tasks\*.xml) do (
  call :importfile "%%f"
)
exit /b 0


:importfile
set filename=%1

rem Turn the file name back into the task path: # becomes \, then drop the
rem leading tasks\ folder and the .xml extension. %1 keeps its quotes, which
rem is what schtasks /tn wants for a path containing backslashes.
set taskname=%filename:#=\%
set taskname=%taskname:tasks\=%
set taskname=%taskname:.xml=%

echo  Importing %taskname% from %filename%
schtasks /create /tn %taskname% /xml %filename%
echo.
exit /b 0

So, assuming it's saved somewhere on the source machine as tasks.bat:

cd %temp%
tasks.bat export

Copy tasks.bat, tnlist.txt and the Tasks folder it created to the broken machine (ideally into its temp folder), keeping the same structure, i.e. %temp%\tasks.bat, %temp%\tnlist.txt and %temp%\Tasks\

On broken machine

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache" /f
rmdir /s /q "c:\Windows\System32\Tasks\Microsoft\Windows"
cd %temp%
tasks.bat import
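The four commands above as an added PowerShell script (mine, not the page's or the original script author's), wrapped with a backup of the registry key and the task folder beforehand and the page's success checks afterwards, so the change can be rolled back if the import does not take. It assumes an elevated PowerShell 2.0 or later session on Windows 7, that tasks.bat and its Tasks\ folder are already in %temp% as described above, and the key and folder paths from this page; the script and backup folder names are invented.

```powershell
# Repair-AutoEnrollTasks.ps1 (added example, not from richud.com)
# Assumes: elevated PowerShell 2.0+ on Windows 7, and that tasks.bat plus its
# Tasks\ export folder have already been copied into $env:TEMP as the page describes.
# Same steps as the page's "On broken machine" block, with a backup first and
# the page's success checks afterwards.
$ErrorActionPreference = 'Stop'

$regPath    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache'  # provider form
$regKey     = 'HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache'   # reg.exe form
$tasksDir   = Join-Path $env:windir 'System32\Tasks\Microsoft\Windows'
$systemTask = '\Microsoft\Windows\CertificateServicesClient\SystemTask'
$stage      = $env:TEMP
$backup     = Join-Path $stage ('autoenroll-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# 0. Refuse to delete anything unless the replacement tasks are actually staged.
$exportDir = Join-Path $stage 'Tasks'
if (-not (Test-Path (Join-Path $stage 'tasks.bat')) -or
    -not (Get-ChildItem $exportDir -Filter *.xml -ErrorAction SilentlyContinue)) {
    throw "tasks.bat and Tasks\*.xml must be in $stage before running this"
}

# 1. Back up both things the page's procedure deletes.
New-Item -ItemType Directory -Path $backup | Out-Null
if (Test-Path $regPath) {
    & reg.exe export $regKey (Join-Path $backup 'AEDirectoryCache.reg') /y | Out-Null
}
if (Test-Path $tasksDir) {
    Copy-Item -Path $tasksDir -Destination (Join-Path $backup 'Tasks') -Recurse
}
"Backup written to $backup"

# 2. The page's two delete steps (reg delete ... /f and rmdir /s /q).
if (Test-Path $regPath)  { Remove-Item -Path $regPath  -Recurse -Force }
if (Test-Path $tasksDir) { Remove-Item -Path $tasksDir -Recurse -Force }

# 3. Re-import the exported tasks with the page's script, from its own folder.
Push-Location $stage
try { & cmd.exe /c tasks.bat import } finally { Pop-Location }

# 4. The page's success checks, each failing loudly instead of being eyeballed.
& schtasks.exe /run /tn $systemTask
if ($LASTEXITCODE -ne 0) { throw "Could not run $systemTask; restore from $backup" }

& certutil.exe -pulse
if ($LASTEXITCODE -ne 0) { throw "certutil -pulse still fails; restore from $backup" }

# Give autoenrollment a moment, then confirm an unexpired machine certificate exists.
Start-Sleep -Seconds 15
$valid = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { -not $_.Archived -and $_.NotAfter -gt (Get-Date) }
if (-not $valid) { throw 'No unexpired certificate in LocalMachine\My yet; check certutil -store My later' }
$valid | ForEach-Object { '{0}  NotAfter={1:yyyy-MM-dd}  {2}' -f $_.Thumbprint, $_.NotAfter, $_.Subject }
```

Note that rmdir on System32\Tasks\Microsoft\Windows removes every Microsoft scheduled task on the machine, not just the two certificate ones; the import only brings back what was exported from the source machine, which is why the backup folder is kept and the script refuses to run without a staged export. Enrollment against the CA can take longer than the fifteen seconds allowed here, so a failure of the last check is a reason to re-run certutil -store My later rather than to roll back immediately.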

You should see the tasks import OK, and c:\Windows\System32\Tasks\Microsoft\Windows and its sub-folders get re-created, e.g.

 Directory of c:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient

07/08/2013  16:10    <DIR>          .
07/08/2013  16:10    <DIR>          ..
07/08/2013  16:10             4,468 SystemTask
07/08/2013  16:10             4,088 UserTask
07/08/2013  16:10             3,220 UserTask-Roam
               3 File(s)         11,776 bytes
               2 Dir(s)  270,992,662,528 bytes free

Running the task should then work:

C:\>schtasks /run /TN "\Microsoft\Windows\CertificateServicesClient\SystemTask"
SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\CertificateServicesClient\SystemTask".

Pulse should then work:

C:\>certutil -pulse
CertUtil: -pulse command completed successfully.

You should then get a new valid certificate:

C:\>certutil -store My
My
================ Certificate 0 ================
Serial Number: 62f43f870000000033cf
Issuer: CN=xxxxxxxxxxx CA, DC=uol, DC=le, DC=ac, DC=uk
 NotBefore: 16/04/2013 15:39
 NotAfter: 16/04/2014 15:39
Subject: EMPTY (DNS Name=xxxxxxxxxxx.xxxx.xxxx.xxx)
Non-root Certificate
<SNIP>

References

The original script http://community.spiceworks.com/scripts/show/1474-export-and-import-all-scheduled-tasks-in-windows-server-2008-windows-7

The same/similar problem on Vista http://social.technet.microsoft.com/Forums/windowsserver/en-US/5100f13d-f9e6-46fb-a394-76b7f9702c80/workstation-retrieving-certificates-from-ad-central-store

http://crosbysite.blogspot.co.uk/2011/08/certificate-autoenrollment-not-working.html

http://answers.microsoft.com/en-us/windows/forum/windows_vista-performance/task-image-is-corrupt-or-has-been-tampered-with/91c0aef2-fa32-4795-8eb2-5c109cabe550?page=2

  • This last one suggests deleting the SUBKEYS under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule; that may be a better way to fix the scheduled tasks without needing the export/import.
