Enrolling Client Authentication Certificate during Task Sequence

Question

Monday, June 23, 2014 8:05 PM

When using PKI certificates, Microsoft recommends using the Auto-enrollment method to enroll the client authentication certificate yet they also state Group Policy is disabled while the Task Sequence is running so obviously the system will not enroll the cert the first time the computer reboots after joining the domain or any other restart steps since that occurs during the TS while GP processing is disabled. That also means the cert will still not be enrolled when the client is installed during the "Setup Windows and ConfigMgr" step therefore the client doesn't really become fully operational until the Task Sequence actually completes and Group Policy processing is enabled which will occur within 90 minutes (GP refresh) after the TS completes. Can someone confirm this is true that auto cert enrollment will not occur until after the TS completes?

All replies (4)

Monday, June 23, 2014 10:16 PM ✅ Answered

This is correct. It will continue to use the cert associated with the PXE enabled DP or boot media used to initiate the process in new computer and replace scenarios until the TS finishes or the cert assigned to the target system in refresh scenarios.

Jason | http://blog.configmgrftw.com
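A way to see the state the question and answer describe on a given machine (added here as an example; it is not from the thread or from Microsoft). It lists any certificate in LocalMachine\My that carries the Client Authentication EKU with a private key, and uses the Microsoft.SMS.TSEnvironment COM object to tell whether the script is running inside a task sequence, where Group Policy processing (and therefore auto-enrollment) is disabled. The EKU OID and the use of `_SMSTSPackageName` are standard; the function name and output wording are my own.

```powershell
# Added diagnostic (not part of the original thread): report whether this machine already holds
# a certificate usable for ConfigMgr client authentication, and whether a task sequence is running.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication enhanced key usage

function Get-ClientAuthCertificate {
    # Only certificates with a private key, still valid, and carrying the Client Authentication EKU
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
        }
}

function Test-InsideTaskSequence {
    # The TS environment COM object can only be created while the task sequence engine is running
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        return $tsenv.Value('_SMSTSPackageName')
    } catch {
        return $null
    }
}

$certs = Get-ClientAuthCertificate
if ($certs) {
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    Write-Warning 'No valid client authentication certificate with a private key in LocalMachine\My.'
}

$tsName = Test-InsideTaskSequence
if ($tsName) {
    Write-Output "Running inside task sequence '$tsName': Group Policy processing is disabled, so auto-enrollment will not run until the TS completes."
} else {
    Write-Output 'Not inside a task sequence: Group Policy and certificate auto-enrollment run on the normal refresh cycle.'
}
```

Run it from an elevated prompt; during OSD it can be placed in a Run PowerShell Script step to log (via smsts.log or a file) whether a certificate was present at that point. After the task sequence has finished, `certutil -pulse` triggers the auto-enrollment task without waiting for the next Group Policy refresh; the thread does not establish that this has any effect while the TS is still running, so treat it as a post-OSD check only.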


Monday, February 6, 2017 4:19 AM

Sorry to dig this one back up... So aside from waiting for the TS to finish, letting GP run for autoenrollment, and then rebooting system or cycling SMS Host service, are there any options to get the cert down earlier?


Monday, February 6, 2017 3:51 PM

The ConfigMgr client agent has nothing to do with getting the cert, so cycling or not cycling makes no difference. I've never had an issue with this though. Are you seeing problems?

Jason | http://blog.configmgrftw.com | @jasonsandys


Thursday, April 2, 2020 3:33 PM

I am now. After the client joins the domain and the step 'Setup ConfigMgr', it boots to full OS. But the client doesn't initialise (due to lack of PKI cert) and does not appear in the SCCM console. And whilst in full OS doing the other steps, the AD sync kicks in and syncs the computer object and it appears in the console. But when the OSD completes, and the client initialises (after enrolling certs), it creates a new object in the console, so now I have 2 objects: 1 from AD sync and 1 from when the client connects back to the MP. I was hoping the minute it gets to full OS, it should be able to contact the MP and create an object in the SCCM console, and then the AD sync can overwrite the same object with attributes (but not vice versa).

If AD sync kicks in between installing the client and the end of the OSD, I get 2 device objects in SCCM. And if it doesn't, the AD sync overwrites the one created when the client initialises.