SCCM Client duplicate GUIDs and VMware View Blast

Another super niche blog post. No one is ever going to find this….

So I had to dig into System Center Configuration Manager today, probably Microsoft’s most complex product. I’ve been using this massively scalable and capable scheduling system since SMS 1.2. But it’s still a bit scary to support…

Machines cloned by VDI service VMware View were coming up with the same unique ID.  The SMS client had been captured in the reference image that was cloned to create desktop pools. The usual process to reset the GUID (stop SCCM agents, remove SMSCFG.ini, remove SMS certs, remove machine with that GUID from SCCM console, restart SCCM agents) wasn’t working. The machines always started with the same GUID.

The clue was in the following log file: C:\Windows\CCM\Logs\ClientIDManagerStartup.log

The SCCM agent was checking the computer personal certificate store and finding the VMware View Blast service’s self-signed cert. It was deriving the GUID from this certificate (which was the same on all the cloned machines), resulting in the same GUID for every machine. It seems the SCCM agent will use the first computer personal cert / self-signed cert it finds in preference to an SMS cert.

Update 2015/12/30: The behaviour is configurable in SCCM site settings.  I switched to only using certs issued by our CA (our domain name in the subject name).

[Screenshot: CertSelection]

Once SCCM was configured to ignore the self-signed certs created by locally installed apps, and the record deleted from SCCM, the devices started creating unique GUIDs again.

  1. Uninstall SCCM client
    C:\Windows\ccmsetup\ccmsetup.exe /uninstall
  2. Clean up
    Remove-Item C:\Windows\SMSCFG.ini
    Remove-Item C:\Windows\ccmsetup -Recurse -Force -Confirm:$false
    Remove-Item C:\Windows\CCM -Recurse -Force -Confirm:$false
    Remove-Item C:\Windows\ccmcache -Recurse -Force -Confirm:$false
  3. Remove SMS certs
    Get-ChildItem -Path Cert:\LocalMachine\SMS | Remove-Item
  4. Remove record in SCCM
  5. Reinstall SCCM client

Note: In PowerShell before version 3 the cert store provider is read-only; there’s a registry hack method to remove certs instead, or better still use the SMS 2003 Toolkit utilities.
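As an added example (my own script, not part of the original post or of SCCM), the following PowerShell ties the diagnosis and the reset steps together: it lists self-signed certs in the computer personal store (the kind the agent was deriving the GUID from), shows the current client GUID from SMSCFG.ini, and with -Reset runs steps 1 to 3 above. The 'SMS Unique Identifier' key name in SMSCFG.ini is an assumption; PowerShell 3 or later and an elevated prompt are assumed too.

```powershell
# Added example, not from the original post. Assumes PowerShell 3+ (the Cert:
# provider is writable from v3) and an elevated prompt. Paths follow the steps above.
param([switch]$Reset)

# Self-signed certs in the computer personal store have Subject equal to Issuer.
# These are the certs the SCCM agent was preferring over its own SMS cert.
function Get-SelfSignedPersonalCert {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $_.Issuer } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Read the current client GUID. The 'SMS Unique Identifier' key name is an assumption.
function Get-SmsClientGuid {
    $ini = 'C:\Windows\SMSCFG.ini'
    if (-not (Test-Path $ini)) { return $null }
    $line = Select-String -Path $ini -Pattern '^SMS Unique Identifier=' | Select-Object -First 1
    if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { $null }
}

# Steps 1 to 3 from the post: uninstall, clean up files, remove SMS certs.
# Step 4 (delete the record in the SCCM console) and step 5 (reinstall) are done separately.
function Reset-SmsClientIdentity {
    $setup = 'C:\Windows\ccmsetup\ccmsetup.exe'
    if (Test-Path $setup) {
        Start-Process -FilePath $setup -ArgumentList '/uninstall' -Wait
    }
    foreach ($p in 'C:\Windows\SMSCFG.ini', 'C:\Windows\ccmsetup', 'C:\Windows\CCM', 'C:\Windows\ccmcache') {
        if (Test-Path $p) { Remove-Item -Path $p -Recurse -Force -Confirm:$false }
    }
    if (Test-Path Cert:\LocalMachine\SMS) {
        Get-ChildItem -Path Cert:\LocalMachine\SMS | Remove-Item
    }
}

Write-Host "Current SMS client GUID: $(Get-SmsClientGuid)"
$selfSigned = Get-SelfSignedPersonalCert
if ($selfSigned) {
    Write-Host 'Self-signed certs in LocalMachine\My (candidates for wrong GUID derivation):'
    $selfSigned | Format-Table -AutoSize
}
if ($Reset) { Reset-SmsClientIdentity }
```

Run it without -Reset on a suspect clone first: if every machine in the pool reports the same GUID and the same self-signed thumbprint in LocalMachine\My, the site-setting change above is what fixes the root cause, and the reset only clears the existing duplicate.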


Find more IT Infrastructure tips at www.alexmags.com
