Category Archives: FDCC

PKI certificate autoenrollment fails on Windows 7

Today is a blogging double-feature!  If your network has any type of security hardening (e.g. FDCC, DISA STIG, etc.) you may end up in a situation where your Windows 7 and 2008 R2 machines are not autoenrolling for PKI certificates from your internal enterprise CA.  We found that the following two settings must be enabled in policy:

1. NETWORK SERVICE must be given the “Access this computer from network” user right.  This allows the machine to enroll certificates.
2. The “Task Scheduler” service on the target machine must not be disabled.  The Certificate Services Client uses this service to autoenroll PKI certs.

SCOM 2007 R2 Agent Reporting Issues with DISA/FDCC

We are in the middle of developing a new XP SP3 image for SCCM deployment to newly added workstations.  One of the applications we install with the deployment sequence is the SCOM 2007 R2 Agent.  Recently, I discovered that our test machines with the new image were not reporting to the Operations Manager Server.  Inspecting the log, I noticed a number of 21405 errors:

The process stated at <time> failed to create System.Discovery.Data, no errors detected in the output. The process exited with 1 Command executed: “C:WINDOWSsystem32cscript.exe” /nologo “DiscoverWindowsComputerProperties.js”…

Well, it turns out that the DISA Desktop Application STIG (pages 4 and 5) requires systems to have the default actions for JS and VBS files altered.

To fix this issue, both filetypes must be reassociated to run using either cscript or wscript.  There are a number of resouces on the Interweb to do this type of task.  In our case, I created a WSF script and put it into an SCCM software package to deploy to the affected computers.  I will post the script files if there is interest in them.

Special thanks to Graham’s blog post in aiding our troubleshooting of the issue.