Breaking and Entering into an Offline SCCM Server

Recently, we ran into an issue during a Windows 7 to Windows 10 migration in which a user’s migration data was saved and uploaded to SCCM but never properly applied to the new workstation. The user didn’t notice the missing items before the .MIG file was purged from the SCCM server.

Because the .MIG files are encrypted, recovering that data is not as easy as pulling the file out of an old backup of the SCCM server with the State Migration Point role installed. You need to somehow either get the encryption key out of the database (which might be possible but we couldn’t figure it out), or restore the entire SCCM Primary Site server so that you can use the admin console to properly retrieve the decryption key.

So a disconnected copy of the server was restored, but once we logged in, the local admin account did not have permissions to launch the admin console. To add to that, because it was a disconnected restored backup, it had no domain connectivity, so we could not log in with a user who does have permissions.

So, we have to break in. This is totally unsupported, but if you find yourself in a similar situation we hope it helps!

    1. Log in with the local admin account.
    2. Use SQL Server Configuration Manager to switch the SQL Server and SQL Server Agent services to log on with the local admin account.
    3. Start cmd as admin and run (step 2 starts SQL Server in single-user mode, restricted to sqlcmd, which is what lets the local admin create a login and add it to sysadmin):
       1. net stop mssqlserver
       2. net start mssqlserver /m"SQLCMD"
       3. sqlcmd
       4. create login [SERVER\ADMIN] from windows
       5. ALTER SERVER ROLE [sysadmin] ADD MEMBER [SERVER\ADMIN]
       6. GO
       7. exit
       8. net stop mssqlserver
       9. net start mssqlserver
    4. Using Microsoft SQL Server Management Studio, run:
       1. select * from dbo.RBAC_Admins
       2. Note this info for later. It should contain the super admin account that you want to change; its AdminID is the value you will need.
    5. Open the System Center Configuration Manager console. You should get an error saying you don't have rights. That's fine for now.
    6. Open SMSProv.log. It should have logged your attempt to open the console with your local admin account, and it should also list that account's SID. Take note of it.
    7. Back in Microsoft SQL Server Management Studio, run:

       Update dbo.RBAC_Admins
       Set AdminSID=<<SIDFromSMSProv.log>>, LogonName='SERVER\ADMIN'
       Where AdminID=<<AdminIDFromOldSuperUserAccount>>

    Hopefully at this point, you can access the SCCM console.
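The RBAC_Admins update above, written as a script that keeps a copy of the row it overwrites and rolls back unless exactly one row changed. This is an added example, not code from the original post; the site database name CM_P01, the SID literal and the AdminID value are placeholders you replace with the values from your own SMSProv.log and the earlier SELECT.

```sql
-- Added example, not from the original post. Assumes the site database is
-- CM_P01 (placeholder), the local admin is SERVER\ADMIN, and the SID and
-- AdminID are the values read from SMSProv.log and the earlier SELECT.
-- AdminSID is a binary column, so the SID is supplied as a 0x... literal,
-- not as an S-1-5-... string.
USE CM_P01;   -- placeholder: your site database name
GO

DECLARE @NewSid   VARBINARY(85) = 0x010500000000000515000000AAAAAAAABBBBBBBBCCCCCCCCE8030000; -- constructed placeholder
DECLARE @NewLogon NVARCHAR(256) = N'SERVER\ADMIN';
DECLARE @AdminID  INT           = 16777217;  -- placeholder: AdminID of the old super-user row

-- Keep a copy of the row we are about to overwrite so the change can be reversed.
-- SELECT INTO fails if the backup table already exists, which is a useful guard
-- against running this twice by accident.
SELECT * INTO dbo.RBAC_Admins_Backup
  FROM dbo.RBAC_Admins
 WHERE AdminID = @AdminID;

BEGIN TRANSACTION;

UPDATE dbo.RBAC_Admins
   SET AdminSID  = @NewSid,
       LogonName = @NewLogon
 WHERE AdminID   = @AdminID;

-- Exactly one row must change; anything else means the AdminID was wrong.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected to update exactly one RBAC_Admins row; rolled back.', 16, 1);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    -- Show the rewritten row so it can be compared with the backup copy.
    SELECT AdminID, AdminSID, LogonName
      FROM dbo.RBAC_Admins
     WHERE AdminID = @AdminID;
END
GO
```

If the console still refuses access afterwards, the backup table holds the original AdminSID and LogonName, so the row can be restored with a single UPDATE from dbo.RBAC_Admins_Backup.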
