6 Replies Latest reply: Oct 20, 2009 3:36 AM by Sniper04

Expiring AMT client certificates

Trevor.Sullivan Community Member

Hello,

I'm curious to understand what happens when an AMT client certificate expires. How does Configuration Manager know to generate and send down a new client certificate before it expires? Does it keep track of this information somewhere? What happens if ConfigMgr is unable to contact the client ahead of time, and the certificate expires... Will ConfigMgr still be able to connect using digest auth to push down a new cert?

Thanks,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

  • 1. Re: Expiring AMT client certificates
    wryork Community Member

    Trevor,

    SCCM is set by default to renew the certificate when the certificate has 42 days pending before expiration. This is a configurable option. You can find this setting under Site Database -> Site Management -> <Site ID> Site Server -> Site Settings -> Site Maintenance -> Tasks and look for Evaluate Provisioned AMT Computers Certificate (window below).

    (screenshot: Cert Renew 1.jpg)

    Select Properties on this setting and you will be able to configure this setting to work within your environment. 42 days is probably sufficient to ensure systems get new certs, as most systems would not be off longer than that amount of time. However, if they are off for more time than this setting, the impact would be that the management certificate would not allow you to manage the device, BUT SCCM could still re-provision a new cert even though the current cert had expired.

    (screenshot: Cert Renew 2.jpg)

  • 2. Re: Expiring AMT client certificates
    Trevor.Sullivan Community Member

    Thanks for that thorough explanation, Bill.

    Trevor Sullivan

    Systems Engineer

    OfficeMax Corporation

  • 3. Re: Expiring AMT client certificates
    Sniper04 Community Member

    Thanks for your answer.

    And how do you renew the AMT client certificate with Intel SCS?

  • 4. Re: Expiring AMT client certificates
    Sniper04 Community Member

    Anybody have an idea? Really?

  • 5. Re: Expiring AMT client certificates
    amikaill Community Member

    I believe the option is set as an option in the template used to issue the AMT cert. It's called Renewal Period, as shown below. Also, some info from MS is copied below the image.

    (screenshot: template.bmp)

    Renewal Intervals

    Windows XP Professional or Windows Server 2003 clients, when combined with a Windows Server 2003, Enterprise Edition certification authority, will perform automatic renewal of certificates as specified on a per-template basis. Renewal intervals are dictated by the certificate template, which is set to six weeks (before expiration) by default. When certificate renewal is performed, the old (previous) certificate enrollment is always archived automatically on the client machine, and the user directory object is updated.

    Important certificate renewal criteria include the following:

    • Automatic certificate renewal will only occur when 80 percent of the certificate lifetime has passed, or when the renewal interval period specified on the template has been reached, whichever timeframe is smaller.

    • If the renewal period is greater than 20 percent of the certificate lifetime, autoenrollment will not automatically attempt certificate renewal until the 80 percent threshold has been reached.

    Forcing Re-Enrollment

    An administrator may force all users to re-enroll for a given template by updating the major version number of the template. When Active Directory is queried during logon for required certificate templates, the version number is examined. If the version number has incremented, the certificate template is considered to be updated and the user must re-enroll for that template.

    To manually force the template version to be updated (thereby forcing re-enrollment):

    • Right-click the template and select Reenroll All Certificate Holders
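A worked example of the renewal rule quoted in the post above (the template's Renewal Period versus the 80%-elapsed threshold), added here and not taken from the thread, from Microsoft or from Intel SCS: given a certificate's validity dates and the template's Renewal Period, it computes when autoenrollment will actually start renewing and classifies constructed sample certificates against the 42-day setting mentioned earlier in the thread. Certificate names and dates are constructed; only the Python standard library is used.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Cert:
    """Minimal view of an issued certificate (dates constructed for this example)."""
    name: str
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def effective_renewal_window(cert: Cert, template_renewal: timedelta) -> timedelta:
    """Window before expiry in which autoenrollment will renew: the template's
    Renewal Period, capped at 20% of the lifetime (the 80%-elapsed threshold),
    whichever is smaller."""
    return min(template_renewal, cert.lifetime * 0.2)


def renewal_start(cert: Cert, template_renewal: timedelta) -> datetime:
    """Earliest moment autoenrollment will attempt renewal."""
    return cert.not_after - effective_renewal_window(cert, template_renewal)


def classify(cert: Cert, template_renewal: timedelta, now: datetime) -> str:
    """'ok' (not yet renewable), 'renew' (inside the window) or 'expired'."""
    if now >= cert.not_after:
        return "expired"
    if now >= renewal_start(cert, template_renewal):
        return "renew"
    return "ok"


def renewal_report(certs, template_renewal: timedelta, now: datetime) -> dict:
    """Status of every certificate at 'now', keyed by name."""
    return {c.name: classify(c, template_renewal, now) for c in certs}


# Constructed sample data: a one-year AMT cert and a 90-day one, both issued
# from a template whose Renewal Period is the 42 days mentioned in the thread.
TEMPLATE_RENEWAL = timedelta(days=42)
YEAR_CERT = Cert("amt-1y", datetime(2008, 12, 31), datetime(2009, 12, 31))
SHORT_CERT = Cert("amt-90d", datetime(2009, 10, 1), datetime(2009, 12, 30))

if __name__ == "__main__":
    for c in (YEAR_CERT, SHORT_CERT):
        # 42-day window for the 1-year cert, but only 18 days for the 90-day one
        print(c.name, "renewal starts", renewal_start(c, TEMPLATE_RENEWAL).date())
```

The 90-day certificate shows the caveat in the quoted text: a 42-day Renewal Period exceeds 20% of its lifetime, so renewal only begins 18 days before expiry, and a machine offline longer than that will come back with an expired certificate.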
  • 6. Re: Expiring AMT client certificates
    Sniper04 Community Member

    Thank you for your response. I found where my problem is.

    My problem is I have created a standalone certificate authority. With that it's not possible to re-enroll the certificate. I must create a root enterprise certificate to renew my AMT computers' certificates.

    Big thanks again!
