SCCM Client Certificate Removal

While troubleshooting some inactive SCCM clients I found that they had bad SMS Certs.

Symptoms of this were found in the locationServices.log

Failed to verify Certificate with error 0x80070057 was the error that pointed me to take a look at the SMS Cert.

Upon review I found that the certs were from a previous install of SCCM in my lab. These need to be deleted so the new install of SCCM can issue certs to the clients and establish a trust relationship.

My long term plan is to build a runbook to fix broken SCCM agents and this is a good place to start

Here is the quick script I put together


$Computers Get-content C:list.csv

foreach ($computer in $Computers) {

$session New-PSSession -ComputerName $computer

Invoke-Command -Session $session -ScriptBlock{Remove-Item -Path ‘HKLM:SOFTWAREMicrosoftSystemCertificatesSMSCertificates*’ -force; restart-service ccmexec }


Inside the scriptblock is the meat of the script, I delete the Certificates via the registry and then restart the SCCM agent service, the client will connect to the site server and request new certificates to be issued.

If this is the only problem on the machine it’s status should become active in SCCM.

This script is provided as is and should not be used in a production environment against all computers in your domain. 

Leave a Reply

Your email address will not be published. Required fields are marked *