|
Closed
|
Case #
|
10053
|
|
Affiliated Job:
|
New Trier Township District 2031
|
|
|
Opened:
|
Friday, April 29, 2011
|
|
Closed:
|
Friday, April 29, 2011
|
|
Total Hit Count:
|
13628
|
|
Last Hit:
|
Thursday, April 18, 2024 2:09:06 PM
|
|
Unique Hit Count:
|
4517
|
|
Last Unique Hit:
|
Thursday, April 18, 2024 2:09:06 PM
|
|
Case Type(s):
|
Development, Server
|
|
|
Case Notes(s):
|
All cases are posted for review purposes only. Any implementations should be performed at your own risk.
|
|
|
|
Problem:
|
|
Recently our district is migrating away from Script Logics/Desktop Authority and over to Microsoft's System Center Configuration Manager (SCCM) - while trying to push out the SCCM client to machines with the Desktop Authority installed, many of these machines would fail because of multiple SSL certificates in the machine's personal store. Depending on the SSL certificate used (Domain assigned or Expert Assist assigned) the client push would randomly fail.
|
|
|
Resolution:
|
We decided since the A.D. assigned certificates would be re-populated, we would run a group policy script (that would only run once) to clear out the currently assigned certificates, after a follow up reboot, the A.D. assigned certificate would be re-assigned back to the workstation. Because we are running SCCM in native mode, these machine SSL certificates are required for communication with SCCM.
Create a group policy to run the computer startup script below and assign the policy to the OU with the machines you need to clear out the SSL certs - NOTE, careful not to run this on your servers/DCs/CA servers.
| - | Download the CertMgr.Exe (not to be confused with CertMgr.msc) - part of the Windows SDK bundle (i.e. C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin) | | - | Position this exe in the policy i.e. \\domain.net\sysvol\domain.net\Policies\{GUID}\Machine\Scripts\Startup\CertEXE | | - | Create the below CertRemove.bat and assign it to run via Startup Script policy | | | --Start Code-- | | | @ECHO OFF | | | IF EXIST C:\Windows\System32\CertEXE\CertMgr.Exe GOTO END | | |
| | | :INSTALL | | | ECHO Fixing computers by removing the ExpertAssist Certificates... | | | C: | | | CD\Windows\System32 | | | MKDIR CertEXE | | | CD CertExe | | | COPY "\\domain.net\sysvol\domain.net\Policies\{GUID}\Machine\Scripts\Startup\CertEXE\CertMgr.Exe" "C:\Windows\System32\CertEXE\CertMgr.Exe" | | | CertMgr.Exe -del -all -c -r localMachine -s my | | | gpupdate | | |
| | | GOTO COMPLETE | | |
| | | :END | | | ECHO File Already Exists... | | |
| | | :COMPLETE | | | ECHO Setup Complete... | | | ^--End Code--^ | | - | Assign the group policy the following WMI filter designating it to run only on XP Pro machines | | | o Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" |
The result will require two reboots on behalf of the XP Pro machine, 1st to clear the SSL certificates from the Personal Machine Store and the 2nd to re-issue the domain certificate - if this needs to be run on additional operating systems - update this WMI filter to correspond to the operating system required and verify the batch works accordingly. Adjustments to the path may be needed.
|
|
|
|
|
|
|
|
