iisreset /stop
net stop cryptsvc

# Take ownership temporarily (needed on some machines)
takeown /F "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /R /D Y

# Reset permissions to defaults (this repairs the broken inheritance)
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /reset /T /C /Q

# Explicitly re-add the required accounts with correct rights
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /grant "NETWORK SERVICE:(OI)(CI)(F)" /T
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /grant "IIS_IUSRS:(OI)(CI)(R,W,M)" /T
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /grant "SYSTEM:(OI)(CI)F" /T
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /grant "Administrators:(OI)(CI)F" /T

The new Machine will have two sets of Keys in “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys”

e.g.

f686aace6942fb7f7b6d801628cd8692_<old-machine-SID>

c475b7f03624e23d08b0e79e4f0c11fc_<old-machine-SID>

f686aace6942fb7f7b6d801628cd8692_<new-machine-SID>

c475b7f03624e23d08b0e79e4f0c11fc_<new-machine-SID>

Backup files in “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys”

Keep a copy of the <new-machine-SID>

Delete the *__<new-machine-SID> files

Rename the files *_<old-machine-SID> -> *_<new-machine-SID>

net start cryptsvc iisreset

Also