Fix: SCCM Client PKI Registration Issue
In this post, I will show you how to fix the SCCM client PKI registration issue. If you notice that registration fails for clients that use public key infrastructure (PKI) certificates for client authentication, there is a solution.
The problem first appeared after upgrading to SCCM 2203, when admins started to notice PKI client registration failing on multiple workgroup computers. Microsoft resolved the SCCM client PKI registration issue with hotfix KB14480034.
The registration process fails for clients using public key infrastructure (PKI) for client authentication if they are unable to authenticate against the domain.
The issue was most noticeable on newly installed workgroup clients using PKI. Because a workgroup client cannot authenticate against the domain, these clients were not approved automatically in ConfigMgr even though their PKI certificates were valid.
If the workgroup clients fail to register in Configuration Manager console, you can identify the issue by reviewing the log files.
Identify Client PKI Registration Issue
So, how do you identify whether you have the SCCM client PKI registration issue in your setup? The answer is the SCCM log files and a few distinctive symptoms.
Check the DDM.log file on the site server (not on the client) for each affected SCCM client to confirm whether the client PKI issue is what is blocking its registration.
When the registration fails for SCCM PKI clients, you can identify this issue as it affects the following scenarios:
- Clients that are joining an AD or Azure AD domain for the first time, generating a new device identity.
- Existing clients that are trying to renew their client authentication certificate.
- The registration process fails for newly installed workgroup clients using PKI.
If your clients are affected by the PKI registration issue, you will notice the following errors in the DDM.log file on the site server:
ClientIdentity is not a hex string
The registration record is not valid. Bad RDR
In addition to the above errors, the .RDR file(s) for the failed registrations are moved to \Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\BAD_DDRS on the SCCM site server.
With the SCCM client PKI registration issue, you may therefore see an increase in the number of bad DDR files in that inbox folder. Note that SCCM deletes files from \Auth\ddm.box\BAD_DDRS automatically after 25 hours by default, so the folder only ever reflects recent failures.
Fix SCCM Client PKI Registration Issue
Now that you know how to identify the client PKI registration issue, you can address it by installing the hotfix KB14480034.
This hotfix is applicable to all customers running Configuration Manager version 2203. It updates baseobj.dll, located in C:\Program Files\Microsoft Configuration Manager\bin\X64, to version 5.00.9078.1014.
Install the hotfix on the ConfigMgr primary site first; it must then also be installed on the SCCM secondary sites.
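The following PowerShell script ties together the identification steps above (DDM.log signatures and the BAD_DDRS inbox) with a check of the hotfix level. It is an added example, not code from the original post or from Microsoft. It assumes the default installation root (override with -SiteRoot), the same path on any secondary site servers you pass in, and WinRM access to those servers; run it in an elevated session on the primary site server.

```powershell
<#
Added example, not code from the original post or from Microsoft.
Triage a ConfigMgr 2203 site server for the PKI client registration issue:
  1. scan DDM.log for the two error signatures the post lists,
  2. count the .RDR/.DDR files parked in inboxes\auth\ddm.box\BAD_DDRS,
  3. confirm baseobj.dll is at the KB14480034 level (5.00.9078.1014) on the
     primary site server and, optionally, on secondary site servers.
Assumptions: default install root (override with -SiteRoot), same path on
secondary site servers, WinRM access to them. Run elevated on the primary.
#>
param(
    [string]$SiteRoot = 'C:\Program Files\Microsoft Configuration Manager',
    [string[]]$SecondarySiteServers = @(),   # assumed: supplied by the admin, e.g. 'SEC01','SEC02'
    [int]$LookbackHours = 25                 # matches the BAD_DDRS retention mentioned in the post
)

$ddmLog       = Join-Path $SiteRoot 'Logs\DDM.log'
$badDdrs      = Join-Path $SiteRoot 'inboxes\auth\ddm.box\BAD_DDRS'
$baseobj      = Join-Path $SiteRoot 'bin\X64\baseobj.dll'
$fixedVersion = [version]'5.00.9078.1014'   # version installed by KB14480034

# --- 1. DDM.log signatures --------------------------------------------------
$signatures = @(
    'ClientIdentity is not a hex string',
    'The registration record is not valid. Bad RDR'
)
$pattern = ($signatures | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits = @()
if (Test-Path $ddmLog) {
    $hits = @(Select-String -Path $ddmLog -Pattern $pattern)
} else {
    Write-Warning "DDM.log not found at $ddmLog (is this the site server?)"
}
Write-Host 'DDM.log signature counts:'
foreach ($sig in $signatures) {
    $n = @($hits | Where-Object { $_.Line -like "*$sig*" }).Count
    Write-Host ('  {0,6}  {1}' -f $n, $sig)
}
if ($hits.Count -gt 0) {
    Write-Host 'Most recent matching line:'
    Write-Host ('  ' + $hits[-1].Line.Trim())
}

# --- 2. BAD_DDRS inbox ------------------------------------------------------
$cutoff   = (Get-Date).AddHours(-$LookbackHours)
$badFiles = @()
if (Test-Path $badDdrs) {
    $badFiles = @(Get-ChildItem -Path $badDdrs -File | Where-Object { $_.LastWriteTime -ge $cutoff })
}
Write-Host ('BAD_DDRS files newer than {0:yyyy-MM-dd HH:mm}: {1}' -f $cutoff, $badFiles.Count)
$badFiles | Group-Object Extension | ForEach-Object {
    Write-Host ('  {0,6}  {1}' -f $_.Count, $_.Name)
}

# --- 3. Hotfix level on the primary and on secondaries ----------------------
function Get-BaseobjVersion {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $vi = (Get-Item $Path).VersionInfo
    # Build from the numeric parts: FileVersion strings can carry trailing text.
    # Returned as a string so it survives remoting deserialization.
    ([version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)).ToString()
}

$results = @()
$results += [pscustomobject]@{ Server = $env:COMPUTERNAME; Version = Get-BaseobjVersion $baseobj }
foreach ($server in $SecondarySiteServers) {
    $v = Invoke-Command -ComputerName $server -ScriptBlock ${function:Get-BaseobjVersion} -ArgumentList $baseobj
    $results += [pscustomobject]@{ Server = $server; Version = $v }
}
Write-Host "baseobj.dll version (need >= $fixedVersion):"
foreach ($r in $results) {
    if (-not $r.Version) { $status = 'MISSING' }
    elseif ([version]$r.Version -ge $fixedVersion) { $status = 'OK' }
    else { $status = 'INSTALL KB14480034' }
    Write-Host ('  {0,-20} {1,-16} {2}' -f $r.Server, $r.Version, $status)
}
```

A site that shows non-zero signature counts, a growing BAD_DDRS folder, and a baseobj.dll below 5.00.9078.1014 on any site server is the pattern this post describes; once every server reports OK and the counts stop rising, the hotfix is in effect.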
Conclusion
The PKI registration issue for clients was first seen in version 2203, and the fix is carried forward into later Configuration Manager releases, so only sites still on 2203 need the hotfix. This post will be updated in case new client PKI registration issues occur in Configuration Manager.
Hi! We have this issue with Enhanced HTTP enabled. We have to approve the clients manually at the moment. Hotfix KB14480034 is installed. Unfortunately I don't see any errors in ddm.log. Any ideas?
With the setting “Automatically approve all computers” it will work.
ClientIdManagerStartup.log
[RegTask] – Client is domain-joined and already registered. But the client is not approved yet. Retry in case it was not approved because of AD issue. ClientIDManagerStartup 30.06.2022 16:07:58 17052 (0x429C)