Introduction
This article describes an update for the Asset Intelligence (AI) authentication certificate in Microsoft System Center System Center 2012 Configuration Manager Service Pack 2, System Center 2012 R2 Configuration Manager Service Pack 1, and the current branch of Microsoft Endpoint Configuration Manager versions 2006 and earlier. Before you install this update, check out the "Installation instructions" section.Note Microsoft Endpoint Configuration Manager current branch version 2010 and later versions are pre-provisioned with this version of the Asset Intelligence (AI) authentication certificate, so you do not have to apply this update to those versions.
Symptoms
In Configuration Manager, the issuing certificate that System Center Online uses to validate the Asset Intelligence public authentication (bootstrap) certificate (expiration date January 7, 2021) was updated November 11, 2020. The previous issuing certificate will remain valid for a short period to allow for a smooth transition. When the old issuing certificate is removed, System Center Online will no longer recognize the pre-provisioned public authentication certificate that is used by the Asset Intelligence synchronization point site system role to enroll with the service.
-
Scenario 1: You try to install a new Asset Intelligence synchronization point, and it is making its first connection attempt to the System Center Online service.
-
Scenario 2: Your existing Asset Intelligence synchronization point tries to use the public authentication certificate to renew the specific per-installation certificate.
In either of these scenarios, System Center Online rejects the public authentication certificate, and you receive the following error message in the Asset Intelligence pane of the Configuration Manager Console:
Expired credentials/certificate/token. Need to re-provision online account.
Additionally, the following error message is logged in the Aiupdatesvc.log file:
Asset Intelligence Catalog Sync Service Warning: 0 :Log_Date:WebException trying to enroll: Status = ProtocolError Asset Intelligence Catalog Sync Service Error: 0 :Log_Date:Exception attempting sync - The request failed with HTTP status 403: Forbidden.
Resolution
To resolve this issue, upgrade to Configuration Manager current branch 2010 (or a later version) or apply this update. The AI authentication certificate that is in this update is valid until October 26, 2021. You should update the System Center Online public authentication certificate for Asset Intelligence on the top site in your hierarchy to allow for installation of a new Asset Intelligence synchronization point or to ensure continued connectivity between the Asset Intelligence synchronization point and the System Center Online service for your existing installations.
Update information
A supported update package is available from the Microsoft Download Center.
Download the update package now.
Installation instructions
This update should be installed on the top site in the hierarchy. Install the certificate file that is in this hotfix to manually renew the Asset Intelligence certificate. To do this, follow these steps:
-
Download the hotfix package, ConfigMgrAICert-KB4575785.exe.
-
Double-click the hotfix package to open the Microsoft Self-Extractor dialog box, select Yes to accept the License Agreement, select a location for the extracted files, and then select OK to continue and decompress the files.
-
Run the ConfigMgrAICert-KB4575785.exe file to extract the CMCSBootstrapCert.pfx certificate file to a location that can be accessed by the site server.
-
In the Configuration Manager console, find the computer name of the Asset Intelligence synchronization point server in the following location.
-
For all System Center 2012 Configuration Manager products:
-
Administration\Overview\Site Configuration\Servers and Site System Roles
-
For all Microsoft Endpoint Configuration Manager current branch versions:
Administration\Overview\Site Configuration\Servers and Site System Roles
-
-
Right-click the Asset Intelligence synchronization point, and then select Properties.
-
Select the General tab, specify the path of the certificate file, and then select OK.
Note You do not have to reset the System Center Online Point server role or restart the AI_UPDATE_SERVICE_POINT service after you re-enable the Asset Intelligence synchronization point by using the new certificate. You only have to perform the synchronization again.
Restart information
You do not have to restart the computer after you apply this hotfix.
Replacement information
This update replaces the following six updates:
-
4514931July 2019 Update for Asset Intelligence authentication certificate in System Center Configuration Manager
-
4054234 Update for Asset Intelligence authentication certificate in System Center Configuration Manager (KB 4054234)
-
3207852 Update for authentication certificate in System Center Configuration Manager Asset Intelligence is available
-
3060648 An update for the authentication certificate in System Center Configuration Manager Asset Intelligence is available
-
2733615 An update for the authentication certificate in System Center Configuration Manager Asset Intelligence is available
-
2783924 An update for the authentication certificate in System Center Configuration Manager Asset Intelligence is available
|
File name |
File version |
File size |
Date |
Time |
Platform |
|---|---|---|---|---|---|
|
CMCSBootstrapCert.pfx |
Not Applicable |
2668 |
29-Oct-2020 |
09:31 |
Not Applicable |
|
license_ENU.rtf |
Not Applicable |
43725 |
29-Jun-2015 |
15:19 |
Not Applicable |
