
When deploying an image of 1809 slipstreamed with any updates from January 2019 onward, I'm having an issue where the permissions are broken on the RSA\MachineKeys located here:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

The symptoms are that the SCCM client cannot connect/report to the MP and I cannot RDP into the machine.

Any updates prior to January 2019, or using the vanilla 1809 image, does not have this issue. I use either OSBuilder or SCCM Offline Servicing to service the image.

Fixing the permissions on the existing keys, then restarting the SMS Agent service fixes it. It's not feasible as a fix though as this affects all new builds with these images.

So the following is true in this situation:

  1. Existing TS using Vanilla 1803 Image - All working fine
  2. Existing TS using updated 1803 Image - All working fine
  3. Existing TS using Vanilla 1809 Image - All working fine
  4. Existing TS using updated 1809 Image - Certificates broken

During the TS the certificates do not exist and checking the permissions on the folder they appear to be correct.

Does anyone have any insight they can share on this?

I'm suspecting something has changed either in the January updates for 1809 or .NET possibly.

mhouston100
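
A read-only audit that can be run elevated on an affected build and on a working one to compare the key-file ACLs (an added example, not part of the original post). It assumes a key is worth flagging when its ACL cannot be read or when SYSTEM or Administrators has no allow entry granting read; the post does not say what the broken permissions looked like, and the CSV output path is a placeholder.

```powershell
# Added example: audit ACLs on the machine RSA key files. Read-only; run elevated.
$KeyDir  = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'   # path from the post
$CsvPath = Join-Path $env:TEMP 'MachineKeys-acl.csv'           # placeholder output path
$SidType = [System.Security.Principal.SecurityIdentifier]
$Read    = [System.Security.AccessControl.FileSystemRights]::Read

# Well-known SIDs instead of account names, so the check is locale independent.
$Principals = @{ SYSTEM = 'S-1-5-18'; Administrators = 'S-1-5-32-544' }

function Test-AllowRead {
    # True when the ACL holds an Allow entry for $Sid that includes Read.
    param($Acl, [string]$Sid)
    foreach ($rule in $Acl.GetAccessRules($true, $true, $SidType)) {
        if ($rule.IdentityReference.Value -eq $Sid -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $Read) -eq $Read) {
            return $true
        }
    }
    return $false
}

$report = foreach ($file in Get-ChildItem -LiteralPath $KeyDir -File -Force) {
    try {
        $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
        [pscustomobject]@{
            Name       = $file.Name
            Owner      = $acl.Owner
            SystemRead = Test-AllowRead $acl $Principals.SYSTEM
            AdminsRead = Test-AllowRead $acl $Principals.Administrators
            Sddl       = $acl.Sddl
            Error      = $null
        }
    } catch {
        # An unreadable ACL is itself a finding, so record it instead of skipping.
        [pscustomobject]@{
            Name = $file.Name; Owner = $null; SystemRead = $false
            AdminsRead = $false; Sddl = $null; Error = $_.Exception.Message
        }
    }
}

# Suspect entries (False sorts before True) appear at the top of the table.
$report | Sort-Object SystemRead, AdminsRead |
    Format-Table Name, Owner, SystemRead, AdminsRead, Error -AutoSize
$report | Export-Csv -Path $CsvPath -NoTypeInformation
```

Key file names differ between machines, so compare the Owner and Sddl columns of the two CSV files rather than matching rows by name.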

1 Answer


This seemed to be related to the offline servicing of the images. Running the offline update process from a clean machine (No domain, no applications, fresh build) seemed to resolve the issues.

I suspect it was due to the wrong version of DISM being used, even though the correct ADK was installed.

We have not had this problem since 1809.

mhouston100