Certificate doesn’t have private key or caller doesn’t have access to private key

I recently started seeing an issue on machines that had been upgraded to Windows 10 where Software Center wasn’t loading for users and the device was showing as inactive in the console. I started looking at the logs and noticed that there appeared to be issues with our certificates.

In the CcmMessaging log we would see these errors every few minutes:

Certificate [Thumbprint 487C247BD95D16B60A3A358256FED24395E8765B] issued to ‘Machine’ doesn’t have private key or caller doesn’t have access to private key.

and

Post to https://ManagementPoint/ccm_system/request failed with 0x87d00231.

In the Config Mgr applet we could see under client certificate it showed none instead of PKI.

We looked to see if there was an issue with the certificate, but it was not expired and it looked as though it had the private key.

We could fix this issue manually by deleting the certificate, requesting a new one and then restarting the SMS service, but we wanted to find the root cause.

After much searching I eventually stumbled across this forum post, which led us to the solution:

https://www.experts-exchange.com/questions/28099635/SCCM-2012-USMT-Computer-Personal-certificates.html

By changing our USMT script to exclude certificates, we were able to stop these clients from carrying over the certificates without the private keys and having issues.
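
A certificate can look as though it has a private key while the key itself is missing, which is the state described above. The following PowerShell script is an added example, not part of the original post: it lists certificates in the local machine's Personal store whose private key cannot actually be opened. The function name Test-CertPrivateKey is hypothetical, and the script assumes Windows PowerShell 5.1 in an elevated prompt; only RSA keys are checked.

```powershell
# Added example: report machine certificates whose private key cannot be opened.
# Assumes Windows PowerShell 5.1 (.NET Framework 4.6 or later), elevated prompt.

function Test-CertPrivateKey {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $result = [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        NotAfter      = $Certificate.NotAfter
        # HasPrivateKey only says the certificate references a key,
        # not that the key exists on this machine.
        HasPrivateKey = $Certificate.HasPrivateKey
        KeyUsable     = $false
        Detail        = ''
    }

    if (-not $Certificate.HasPrivateKey) {
        $result.Detail = 'Certificate has no associated private key'
        return $result
    }

    $key = $null
    try {
        # Opening the key forces Windows to locate the key and check access to it.
        $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
        $key = $ext::GetRSAPrivateKey($Certificate)
        if ($null -eq $key) {
            $result.Detail = 'Not an RSA key; not checked by this script'
        } else {
            $result.KeyUsable = $true
        }
    } catch {
        # Typical causes: the key is missing, or the caller cannot read it.
        $result.Detail = $_.Exception.GetBaseException().Message
    } finally {
        if ($null -ne $key) { $key.Dispose() }
    }
    return $result
}

Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-CertPrivateKey -Certificate $_ } |
    Where-Object { -not $_.KeyUsable } |
    Format-List Thumbprint, Subject, NotAfter, HasPrivateKey, Detail
```

Run as an administrator, this catches a missing key; the ConfigMgr client itself runs as SYSTEM, so a permissions-only problem may need the same check run in that context.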
