This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 55.00000000000001%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZC%3C/text%3E%3C/svg%3E)
So let me set the scenario best I can. We have 1 site with 2 servers the main server running 2006 with the latest hotfix rollup applied. The other is an IBCM external management point server. What we have noticed is the following behavior
Any help/guidance etc would be amazing. This is a new environment we have been standing up over the last month so it is very possible we might have missed something etc
Without deeper investigation here, not much can be said but my initial thought is similar to @Garth Jones 's comment and would result in duplicate GUIDs and other negative ramifications. Basically, are you sure these systems were built with a properly sysprepped image? Alternatively, do the devices all share a single common PKI-issued client authentication certificate?
only a handful of the hundreds of systems we have were built using any sort of image. But I did think that first as well and checked but did not find anything the same
What about the certs?
So for the external cert we aren't using PKI (because our parent company doesn't have a internal CA) we are using a SAN Godaddy cert. It is currently only used when users are not on VPN so going through the external MP we have setup. For internal they just use http
To be clear, a cert issued from GoDaddy or any other public CA is a PKI issued cert.
Also, to validate, are you using this same client authentication cert on all managed clients? If so, that's your issue. Clients each require their own, unique, PKI-issued client authentication certificate as this establishes the client's identity to ConfigMgr.
Fair point on the public cert I should have worded it better.
yes the SAN cert 3 entries. 1 Main Site server FQDN 2 The external MP internal FQDN 3 The external address
You think having a cert like this can cause these sorts of issues? Our parent company says they have other business units using it this way. I get it needs a cert to auth against but i can't imagine it causing the list of issues I am seeing above.
I'm not referring to the server authentication certs here at all. I'm referring to the client authentication certs on the managed clients.
Based on what our parent company gave us they are the same. They had us take the server auth cert and push it out to the personal store on our computers so our machines show using PKI with that cert.
Then that's your issue. As noted, each managed client requires its own unique, PKI-issued, client auth cert. This is documented in the official docs at https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/network/pki-certificate-requirements#BKMK_PKIcertificates_for_clients.
What exactly do you mean by #3?
Are the computer cloned?
Have you checked for Duplicate GUIDs?
Take #2 where it shows back up after the discovery and then #3 where i try to install the agent again (even though it already exist on the machine if I look) and it disappears from the configuration manager console.
I thought about duplicate GUIDs at first and checked but it lead no where. Also most of our machines were built by hand and not an imaging process so it was a very big long shot to begin with.
Also another note I left out we moved to this SCCM environment from a much older one.
I have a different question; around "computers disappear"--then reappear after you re-discover them with Active Directory System Discovery.
I'm wondering what Discovery Agents you have enabled? Just/only AD system Disc? What about heartbeat?
"in general", I tell people that daily heartbeat is fine; if you don't have that at daily, or not enabled at all, what was the technical reason to disable heartbeat? I believe "out of the box" heartbeat is enabled for simple, weekly; but we don't know what you might have done.
We are using heartbeat/user/system discovery. All set to 1 week.
Hi,
Thanks for posting in Microsoft MECM Q&A forum.
When using PKI, by default the SCCM agent generates a Client GUID based on a certificate in the personal Computer store. As Jason mentioned, please make sure that they don't use the same Client authentication certificate. In your scenario, every machine should has its own certificate from GoDaddy.
Best regards,
Simon
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
So for each laptop I would need its own Godaddy cert but what would it contain? How would it auth against the server with it? Sorry I am not an SCCM expert I am just following the guidance of our parent company.