what are SCCM client Certificates(where are they stored)

When you install SMS or SCCM client,clients need to authenticate their management point prior to establishing communications to prevent attackers from inserting rogue management points and redirecting clients to them to get it .

sometimes,client will fail to identify its management point which is tracked in locationservices.log file which requires attention could be issues like boundaries etc.

there are cases,where client might require to assign from its current hierarchy to different hierarchy but the certificates might be exist with old hierarchy and you mush reset it before it communicates with New.

To remove the trusted root key

  • On the client computer, run CCMSetup RESETKEYINFORMATION = TRUE.

some info about What is the trusted root key?

The trusted root key provides a mechanism for clients to verify the authenticity of the management point and its certificate if they cannot query Active Directory Domain Services. Every primary site server generates a trusted root key, even if the site is running in native mode and even if Active Directory Domain Services publishing is enabled. If the primary site is joined to a parent site, the child site eliminates its own trusted root key and instead trusts the trusted root key of the parent site.

Clients require the trusted root key only if they cannot query the Global Catalog for Configuration Manager 2007 information, either because they are in a workgroup or remote forest, or because the Active Directory Domain Services schema is not extended for Configuration Manager 2007. The trusted root key is stored in WMI in the root\ccm\locationservices namespace.

here is the procedure to identify the SMS client certificates.

image

image

image

image

image

image

More information about Trusted Root Key : http://technet.microsoft.com/en-us/library/bb680495.aspx

How to manage trusted root key in config mgr :http://technet.microsoft.com/en-us/library/bb632759.aspx

How to Pre-provision the Trusted Root Key on Clients : http://technet.microsoft.com/en-us/library/bb680504.aspx

Configuration Manager Cryptographic Controls http://technet.microsoft.com/en-us/library/bb693798.aspx

2 Responses to "what are SCCM client Certificates(where are they stored)"

  1. Hi Anoop,

    Are you aware how we can renew Boot Media Certificates?

    For example, If one of my Boot Media Certificates is going to expire tomorrow how can I renew it? In the certificate properties there is no mention of exactly which boot media the certificate relates to so how can we identify which boot media the certificate belongs to and then renew it?

    Reply

Leave a Reply