When we were in the process of migrating our SCCM 2007 hierarchy to the newly installed SCCM 2012, we encountered around 150 revoked clients that were being denied registration. While the vast majority of the agents functioned properly, these particular agents remained unable to register with SCCM 2012.
We checked all the settings for SCCM 2012: boundaries, Management Point, and PKI among others. All our configuration was correct. Moreover, the issue was not restricted to a specific location, since the problematic clients were distributed over numerous secondary sites which contained perfectly functioning clients as well. All the workstations come from a single master image without the SCCM agent installed, which puzzled us even more. We examined the ClientIDManager.log on a malfunctioning agent and we saw these errors:
The server was rejecting the registration request. No further details were present, so we checked the server logs. We found the following behavior being logged in MP_RegistrationManager.log on the primary site’s management point:
That was odd since these clients were new and we had never revoked any certificates. We generated a new GUID for the agent by deleting %windir%\smscfg.ini and restarting the SMS Agent Host service. The same behavior remained and the server still rejected the registration for the new GUID with the same error.
Due to one of the log entries above, we suspected that the self-generated certificates had somehow expired but they were still valid:
Nevertheless, we again deleted smscfg.ini and we used SMS Toolkit to run CCMDelCert.exe on a problematic workstation. We restarted the SMS Agent Host service but the issue remained. We tried again, but this time we deleted the agent and reinstalled it after the cleanup; the issue persisted.
Following that, we selected a secondary site that contained problematic agents and we performed the following:
- Deleted %windir%\smscfg.ini on all the clients in the site
- Ran CCMDelCert.exe on all the clients
- Ran CCMclean.exe /all on all the clients as well
- Uninstalled all the SCCM agents
- Fully deleted the secondary site and its database and cleaned up any references on the primary site
We reinstalled the secondary site and pushed all agents. The same issue remained and problematic clients appeared again. Even though all the troubleshooting steps generated new GUIDs, the server was still rejecting them with the same error message. The root of our revoked clients problem had to be coming from the primary site and its database.
We went back to the primary site and we connected to the SQL instance for the SCCM database and ran the following:
Select * from ClientKeyData where SMSID in ('GUID:E0D8AAC8-414C-4076-B733-873CC6FE46AF')
This GUID belonged to one of the problematic clients. The query returned no results, however, indicating that the GUID did not exist in the database at all. We checked the database for any revoked clients by running:
Select * from ClientKeyData where isrevoked=1
The query returned results indicating that some clients had been revoked by the server. That was odd since, as I mentioned earlier, we never blocked or revoked any client or certificate. We backed up the SCCM database and ran:
Update ClientKeyData set isrevoked=0 where isrevoked=1
The query updated a number of records that matched the number of clients we were having problems with. After a few minutes, the clients started trying to re-register and they were finally able to do so:
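As an added example (not from the original post), the same audit and reset can be run as one T-SQL script that wraps the update in a transaction and commits only if the number of rows matched equals the number of clients you know are failing; otherwise it rolls back so you can review the audit output first. It uses only the table and columns named above (ClientKeyData, SMSID, isrevoked); the value of @Expected is an assumed placeholder you fill in from your own count of broken clients.

```sql
-- Added example, not the original post's query. Audit and reset revoked
-- client records in the SCCM site database inside a transaction.
-- Assumes a full database backup has already been taken.
DECLARE @Expected INT = 150;   -- assumed: number of clients known to be failing
DECLARE @Affected INT;

-- Step 1: audit. Which client registrations has the server marked revoked?
SELECT SMSID, isrevoked
FROM   ClientKeyData
WHERE  isrevoked = 1
ORDER  BY SMSID;

-- Step 2: reset, but only commit if the row count is the one expected.
BEGIN TRANSACTION;

UPDATE ClientKeyData
SET    isrevoked = 0
WHERE  isrevoked = 1;

SET @Affected = @@ROWCOUNT;

IF @Affected = @Expected
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Reset ' + CAST(@Affected AS varchar(10)) + ' revoked client records.';
END
ELSE
BEGIN
    -- Count mismatch: something other than the known-bad clients is flagged.
    ROLLBACK TRANSACTION;
    PRINT 'Expected ' + CAST(@Expected AS varchar(10)) + ' rows but matched '
        + CAST(@Affected AS varchar(10)) + '; rolled back. Review the audit output.';
END
```

After a successful commit, the affected clients should attempt to re-register within a few minutes, as described above.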
Caution: directly modifying the SCCM database is not recommended nor supported by Microsoft and should be extensively tested. Only perform update queries after taking a full backup and when advised to do so by Microsoft support personnel.