Windows 11 Client Not Auto-Enrolling Certificates

Anthony Vand 121 Reputation points
2024-10-29T00:19:18.3233333+00:00

Hello Everyone

I'm having a strange issue after upgrading one of my client computers to Windows 11 using SCCM Task Sequence (TS).

Windows 11 has been installed, but from the very beginning I noticed the SMS service is set to disabled.

I later realized that's because the client certificate has been deleted and is not present on the client device.

I tried GP update, but the client was not pulling the certificate from the CA server.

I even tried to set the GPO manually on the client machine to enable the auto enrollment both for the user and the computer.

But I still didn't receive any PKI certificate from the CA server.

I tried to change the compatibility of the template on the CA server, which did not help.

I appreciate any help on this matter since I'm kinda out of options at the moment.

Cheers


Accepted answer
  1. XinGuo-MSFT 19,231 Reputation points
    2024-10-29T07:12:27.6433333+00:00

    Hi,

    If the SCCM clients are configured to use HTTPS, we want to check the Certificate Manager for the local machine (Run > certlm.msc).

    SMS service is set to disabled.

    The ccmexec.log file on the client computer records the activities of the SMS Agent Host service. This log is located in C:\Windows\CCM\Logs.

    Look for any errors or warnings that might indicate why the service was disabled.


1 additional answer

  1. XinGuo-MSFT 19,231 Reputation points
    2024-10-29T02:06:54.2566667+00:00

    Hi,

    It sounds like you've been through quite a bit of troubleshooting already! Here are a few additional steps you can try to resolve the certificate auto-enrollment issue on your Windows 11 client:

    1. Refresh Group Policy:
      • Run gpupdate /force on the client machine to ensure that the latest Group Policy settings are applied. Additionally, you can use certutil -pulse to trigger certificate auto-enrollment manually.
    2. Review Event Logs:
      • Check the Event Viewer on the client machine for any errors or warnings related to certificate enrollment.
      • Run gpresult /H GPReport.html to confirm which GPOs and settings were actually applied.
      • Is your Group Policy Object (GPO) linked to the specific Organizational Unit (OU) or the domain?

    https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

    If these steps don't resolve the issue, it might be helpful to provide more details about any specific error messages or logs you are seeing. This can help narrow down the potential causes and solutions.

    Let me know if you need further assistance!
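
The following read-only PowerShell script is an added example for this thread (not code posted by the author or by Microsoft). It gathers the evidence the answers above ask for in one pass: the SMS Agent Host service state, any machine certificate with the Client Authentication EKU, the effective auto-enrollment policy, and recent client-side auto-enrollment events. It assumes an elevated session on the affected Windows 11 client; the registry path, OIDs and event provider name are the standard Windows ones.

```powershell
# Added diagnostic example, not from the original thread. Run elevated on the client.
# Assumes the SCCM client needs a machine cert with the Client Authentication EKU
# and that auto-enrollment is delivered through the standard AutoEnrollment policy key.

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'                                   # Client Authentication
$TemplateOids  = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')    # Template info / name

# 1. SMS Agent Host (CcmExec): the question reports it set to Disabled
$svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
if ($svc) { 'CcmExec: Status={0} StartType={1}' -f $svc.Status, $svc.StartType }
else      { Write-Warning 'CcmExec service not found on this machine.' }

# 2. Machine certificates in LocalMachine\My that carry the Client Authentication EKU
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku }
if (-not $certs) {
    Write-Warning 'No machine certificate with the Client Authentication EKU - matches the reported symptom.'
} else {
    $certs | ForEach-Object {
        # Pull the issuing template from the certificate template extension, if present
        $tpl = $_.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } |
               ForEach-Object { $_.Format($false) }
        [pscustomobject]@{ Subject = $_.Subject; Expires = $_.NotAfter; Template = ($tpl -join '; ') }
    } | Format-Table -AutoSize
}

# 3. Effective auto-enrollment policy. AEPolicy 7 = enroll, renew and update templates;
#    0x8000 = explicitly disabled; a missing key means the GPO never reached this machine.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue
if ($ae) { 'AEPolicy = 0x{0:X}' -f $ae.AEPolicy }
else     { Write-Warning 'No AutoEnrollment policy key found - check GPO linking and gpresult output.' }

# 4. Errors (Level 2) and warnings (Level 3) from the auto-enrollment client in the last 7 days
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    Level        = 2, 3
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it before and after `gpupdate /force` and `certutil -pulse` to see whether the policy key appears and whether a new certificate lands in the store; any event listed in step 4 usually names the template or CA that rejected the request.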

