MID-less Agents Registration Failure and Duplicate Agent ID Remediation<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Symptoms For a MID-less connected agent, the agent shows ACC-4004 error, which means that there are multiple agents using the same agent ID. For a MID-less connected agent, the agent shows ACC-4104 error, which means that there is already another agent registered using the same agent ID. For a MID-less connected agent, the agent has a registration failure. This is vague, but this re-registration process is applicable to general registration failures. Agent Registration Process When the agent starts up for the first time, it generates an agent ID based on the hostname, MAC address, and serial number of the host device. This agent ID is saved to the agent_now_id file on the host device. This agent ID is supposed to be unique per agent.The agent registers with the Instance using the generated agent ID and registration key in the acc.yml.After the Instance validates the agent registration, the Instance sends back to the agent a certificate file that is required for the agent to establish a persistent connection with the ITOM Cloud Services pod.The agent saves this certificate to the file system and connects to the pod, completing the registration process. Notes: Agent IDs are intended to be unique per agent. When the agent registers with the Instance, the Instance will block the registration if an agent is already registered with that agent ID. The certificate that the agent receives from the Instance after successfully registering states the agent ID. Issues During Registration When performing a mass deployment of ACC, customers often accidentally include the agent_now_id file or the certificate file in the golden image. When clones are made from this golden image, every clone uses the same agent ID since the agent_now_id file was copied.If the agent_now_id file is copied over, but the certificate file is not copied over, then registration will fail for the agent and an ACC-4104 error will be logged, which states that an agent is already registered with the agent ID. When registration fails, manual intervention is required to re-register the agent. See the "Remediation" section below.If the agent_now_id file is copied over AND the certificate file is copied over, then ACC-4004 errors will be logged for the error. The ACC-4004 error includes the agent ID that is being shared amongst multiple devices. Each ACC-4004 error for a given agent ID will state the hostname of a device that is using this agent ID, so users can figure out which devices are using the same agent ID. When multiple devices are using the same agent ID, manual intervention is required to force the agents to regenerate their agent IDs and re-register with the Instance. See the "Remediation" section below. Remediation To remediate any issues related to registration failures and/or problems related to duplicate agent ID, please follow these instructions. On the Instance, delete the sn_agent_agent_registration record based on the agent's agent ID. This is required to have the agent re-register.Stop the agentPut the registration key into the acc.yml. The registration key will have been cleared out after the previous registration (whether successful or unsuccessful), and the key is needed to perform registration again.Delete the certificate file. This is required to get the agent to re-register, since registration is done only if the certificate does not exist.Delete the agent_now_id file. This is required to get the agent to regenerate a new agent ID, since agent ID regeneration is only done if the agent_now_id file does not already exist.Start the agent. The agent will go through the registration process with the regenerated agent ID. File Paths Windows: acc.yml: C:\ProgramData\ServiceNow\agent-client-collector\config\acc.ymlcertificate file: C:\ProgramData\ServiceNow\agent-client-collector\config\cert\cnc\cnc_chain.crtagent_now_id file: C:\ProgramData\ServiceNow\agent-client-collector\cache\agent_now_id Script This KB provides a PowerShell script to perform the remediation on affected Windows devices. Note that the script does not delete the sn_agent_agent_registration record on the Instance (step 1 in the process listed above), so that will need to be done by an ACC admin, before the script is run. The script can be mass deployed by a tool like SCCM. The script validates the ServiceNow Agent Client Collector's agent ID against the certificate and re-registers the agent if necessary. The script checks if the agent ID matches the one in the certificate, and if not (or if no certificate exists), performs re-registration. The script will exit early with success in these conditions, where re-registration is NOT required: The agent service does not exist. This means ACC is not installed on the device.The agent regenerated agent ID matches the agent ID in the certificate file. This means that the agent is already registered with the correct agent ID, so re-registration is not required. The script will re-register the agent under these conditions: The certificate file does not exist. The absence of the certificate file means that the agent was not previously successfully registered, so registration is required.The newly generated agent ID does not match the agent ID in the certificate file. This means that the agent was registered, but with the "incorrect" agent ID. In this situation, it is likely that the agent ID is being shared across multiple devices, and re-registering the agent with the newly generated agent ID is required. Backup files are created during the process: - agent_now_id.backup: Backup of the original agent ID file - cnc_chain.crt.backup: Backup of the certificate file (if deleted during re-registration) These backup files can be manually deleted after successful registration is confirmed. The script returns JSON-formatted output like so: { "OriginalAgentIdFileExists": true, "Timestamp": "2025-12-05 15:40:48", "OriginalAgentId": "4eca5201061a0bb1", "ErrorMessage": null, "CertAgentId": "4eca5201061a0bb1", "Success": true, "ServiceExists": true, "AgentIdsMatch": false, "RegistrationKey": "{your_registration_key}", "CertFileExists": true, "Hostname": "W22-RITM0268626", "NewAgentId": "9fbb55f93d8945c1", "RegistrationPerformed": true } This provides key information in the registration status of the agent, like the original agent ID, the agent ID in the original certificate, and the regenerated agent ID. The script has a single parameter, which is the registration key. The script can be invoked like so: .\AgentClientCollectorRegistration.ps1 -RegistrationKey "your-registration-key-here" The script must be run as administrator.