A new hotfix KB14480034 has been released for SCCM 2203 to address the issue where registration fails for PKI clients after updating to Configuration Manager version 2203.
After KB13953025 hotfix, KB14480034 is the second hotfix released for SCCM version 2203 and is available for everyone. Customers using the early update ring version for SCCM 2203 must first install the KB13953025 first before installing this new hotfix.
The SCCM 2203 hotfix KB14480034 is available for installation in the Updates and Servicing node of the Configuration Manager console. If you don’t see this KB 14480034 update, click Check for Updates to get the latest updates available for Configuration Manager.
Summary of KB14480034
After updating to Configuration Manager current branch, version 2203, the registration process fails for clients using public key infrastructure (PKI) for client authentication if they are unable to authenticate against the domain. This affects the following scenarios:
- Newly installed workgroup clients using PKI.
- Clients that are joining an AD or Azure AD domain for the first time, generating a new device identity.
- Existing clients that are trying to renew their client authentication certificate.
When this issue happens, the following error is logged in the DDM.log file on the site server for each affected client.
ClientIdentity is not a hex string
The registration record is not valid. Bad RDR
The .RDR file(s) will be moved to ..\auth\ddm.box\regreq\bad_ddrs on the site server.
To resolve the above issues, you must install KB14480034 update on your ConfigMgr 2203 production server.
Install Hotfix KB14480034
Perform the following steps to install the KB14480034 hotfix for SCCM 2203:
- Launch the Configuration Manager console.
- Navigate to Administration > Overview > Updates and Servicing.
- Right-click Configuration Manager 2203 Hotfix KB14480034 and select Install Update Pack.
The Configuration Manager 2203 hotfix KB14480034 includes only site server updates. There are no console updates or client updates included with this hotfix. Click Next to continue.
You may also run a prerequisite check before installing the hotfix KB14480034 to eliminate potential errors or warnings. Typically, hotfixes shouldn’t cause any major issues.
On the License Terms page, review and click I accept these license terms and privacy statement for the update pack. Click Next.
Review the settings on Summary page and on Completion window, click Close. The hotfix installation begins now.
You can monitor the hotfix installation progress by reviewing the cmupdate.log on the site server. Alternatively, even Monitoring workspace provides the progress of hotfix installation.
The total installation time for hotfix KB14480034 was only 10 minutes and there were no errors encountered during the installation of this update.
The hotfix update KB14480034 does not require a computer restart or a site reset after installation. Although you may restart the server if you’d like to.
As mentioned earlier, there is no console upgrade after you install the hotfix KB14480034. The console version will remain 5.2203.1063.1500.
Similarly, there will be no client agent upgrade required and the client agents will remain at version 5.00.9078.1006. For more information, read about the updated SCCM build numbers, console version numbers.
Updating the Secondary Site with Hotfix KB14480034
After you install SCCM 2203 hotfix KB14480034 update on a primary site, pre-existing secondary sites must be manually updated. Read more about secondary site installation in SCCM.
To update a secondary site in the Configuration Manager console, select Administration > Site Configuration> Sites > Recover Secondary Site, and then select the secondary site.
Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
- If the value 1 is returned, the site is up-to-date, with all the hotfixes applied on its parent primary site.
- If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.