4 Replies Latest reply on Jun 28, 2017 11:15 AM by rgc

    ePO SHA1 to SHA2 migration


      To migrate to a SHA2 cert, the documentation states you should regenerate the cert but not activate the new cert until as many clients as possible have checked in. In my environment, inevitably, some clients will not get the new cert. The documentation states you need to reinstall the agent to fix this problem at that point. I have an idea on how to possibly reinstall the agent automatically through group policy. The part of the equation I need is some type of checker to verify the cert and/or last communication. My idea is to create a PowerShell script or batch file which will simply run at shutdown through group policy. If the client agent isn't communicating, then the script will reinstall the agent. Has anyone else contemplated the steps they plan on taking to combat the orphaned clients once you've activated the SHA2 cert?

        • 1. Re: ePO SHA1 to SHA2 migration
          Moe Hassan

          jrp78, you can create a query to find inactive agents on ePO after you activate the new cert. This is something you can have as part of regular ePO administration. You can either create a "filter" in the system tree view OR create a query to locate agents that have not communicated with ePO in the last X days. Once you get the list, you can simply deploy the agent again. No PowerShell/group policy required. I mean you can use them, but locating inactive agents and then deploying agents is easier. With PowerShell/group policy, you can deploy, but they won't tell you whether the agent is active or not.

          • 2. Re: ePO SHA1 to SHA2 migration

            Ahh, yes. That's a good point. I do not leverage this function often normally, but it should work for this case. I normally deploy all my agents at imaging in the task sequence. Sometimes I use Altiris after the fact if necessary. I think I can sleep a little better now. Thanks Moe.

            • 3. Re: ePO SHA1 to SHA2 migration

              One more thing I noticed and was trying to get confirmation on: the regenerated certificate. I am waiting for as many agents as possible to check in before activating the new cert, as the documentation states. However, looking at the screenshot, I cannot find a way to confirm the new cert I regenerated is in fact SHA2. My fear is I've done nothing more here than regenerate a new SHA1 cert. Is what I'm seeing here normal when you are migrating from SHA1 to SHA2?

              [Screenshot attached: 2017-06-27 11_35_48-ePolicy Orchestrator 5.9.0.png]

              • 4. Re: ePO SHA1 to SHA2 migration

                Actually, it is not an error, just an indication to be clear that 100% of machines have communicated with ePO before you click on activation!


                As per your screenshot, you have 59% of machines already reported to ePO; once it is 100%, you can go for activation.

                If you have more queries, go through the attached document with the step-by-step procedure of the ePO 5.9 upgrade, which covers what steps to follow after this activation...