Is your CSA configured and working properly?
Running brokerconfig (as admin) on the end device and running test should tell you more about where it is failing.
Also, I assume you are not running 2016, as this is no longer necessary with 2016.
Everything seems to be running correctly. It only seems to not work when brokerconfig is run in the provisioning template. I have a task based on the batch file and that works when I push to a device after imaging or if I run it manually. I was thinking that it has something to do with the fact that the device is logged in with a local admin account but not a domain account during imaging, but I tried running it (brokerconfig) in different user contexts during the image process and it still does not work.
I assume /r works. I use -r, however I run this as a custom security scan.
I check to see if the .crt, .csr, .key files exist. If any are missing I call it with the -r.
This seems to work for us, I am getting ready to move it into a provisioning step as well so I can try to let you know if there seems to be a difference.
Another test you might do in the meantime (assuming your CSA is working well) is to run your bat file. Copy off the 3 files, and then run it yourself or however you get it to work. Then compare those 3 files to the original to see if there is any difference.
One more thing to be aware of. Running brokerconfig -r assumes the agent can communicate with the core.
If it can't reach the core, then this will fail also.
Another way to do this rather than doing it as part of your provisioning is to add it to your agent config.
This also assumes the agent will have connection to the core during install though.
Using LDMS 9.6, how do you add this to your agent config? We had the CSA specified in our agent config under 'Client Connectivity Settings', but you still had to manually run the broker config.
We had been told previously that all you had to do was set up the client connectivity settings and it would be good, but recently we discovered that it wasn't working and had been told we would have to manually run broker config until LDMS 2016 is in place.
Bunch of ways to do it. Here's the basics (the variations tend to come in how the detail gets executed usually).
One of them is through the use of MERGEINI - which essentially adds "stuff you want" to agent configurations. Documented here - MERGEINI - What is it and how to use it - with examples to help you along.
You can edit existing agent deployment .INI files (but those changes would get overwritten the next time someone would save an agent, thus the recommendation for Mergeini).
Essentially, you can configure the brokerconfig as an additional file to be downloaded (/included as a file in the self-contained agent) and include it being run / calling a script you wrote that runs it in a specific context.
Overall, the much "nicer" way is via LD 2016 (where each agent just "flat out" creates its own cert & you then decide whether to approve it or not & don't actually need an AD-user permission at any point).
Does that help answer your question?
Interesting, I have never used the MERGEINI stuff. I'll have to take a look.