I'm curious to understand what happens when an AMT client certificate expires. How does Configuration Manager know to generate and send down a new client certificate before it expires? Does it keep track of this information somewhere? What happens if ConfigMgr is unable to contact the client ahead of time and the certificate expires? Will ConfigMgr still be able to connect using digest auth to push down a new cert?
SCCM is set by default to renew the certificate when the certificate has 42 days remaining before expiration. This is a configurable option. You can find this setting under Site Database -> Site Management -> <Site ID> Site Server -> Site Settings -> Site Maintenance -> Tasks and look for Evaluate Provisioned AMT Computers Certificate (window below).
Select Properties on this setting and you will be able to configure it to work within your environment. 42 days is probably sufficient to ensure systems get new certs, as most systems would not be off longer than that amount of time. However, if they are off for more time than this setting, the impact would be that the management certificate would no longer allow the device to be managed, BUT SCCM could still re-provision a new cert even though the current cert had expired.
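The check described in the answer above, written out as an added example (not code from the original thread or from Configuration Manager): each issued AMT certificate is compared against the renewal window, and the result separates "still fine", "inside the window, the maintenance task should renew it" and "already expired, certificate-based management fails and the device has to be re-provisioned". The sample certificate list is constructed for the example; the `RenewalWindowDays` default of 42 mirrors the task's default and should be set to whatever the task is configured to in your site.

```powershell
# Added example: evaluate issued AMT certificates against the site's renewal window.
# Not part of the original post. $RenewalWindowDays defaults to the task's default of 42;
# the $IssuedCerts list below is constructed sample data, not real CA output.
param(
    [int]$RenewalWindowDays = 42,
    [datetime]$Now = (Get-Date)
)

function Get-AmtCertificateState {
    # Classify one certificate by how many whole days remain before NotAfter.
    #   OK                           - outside the window, nothing happens yet
    #   RenewalDue                   - inside the window, the maintenance task renews it
    #   Expired-ReprovisionRequired  - management cert no longer usable; SCCM must re-provision
    param(
        [Parameter(Mandatory)][datetime]$NotAfter,
        [Parameter(Mandatory)][int]$WindowDays,
        [datetime]$AsOf = (Get-Date)
    )
    $daysLeft = [math]::Floor(($NotAfter - $AsOf).TotalDays)
    if ($daysLeft -lt 0)              { $state = 'Expired-ReprovisionRequired' }
    elseif ($daysLeft -le $WindowDays) { $state = 'RenewalDue' }
    else                               { $state = 'OK' }
    [pscustomobject]@{
        DaysLeft      = $daysLeft
        State         = $state
        # Date on which the task would first consider this cert for renewal
        RenewalOpens  = $NotAfter.AddDays(-$WindowDays)
    }
}

# Constructed sample input (hypothetical hostnames; expiry relative to $Now so it runs any day).
$IssuedCerts = @(
    [pscustomobject]@{ CommonName = 'ws001.example.local'; NotAfter = $Now.AddDays(200) },
    [pscustomobject]@{ CommonName = 'ws002.example.local'; NotAfter = $Now.AddDays(30)  },
    [pscustomobject]@{ CommonName = 'ws003.example.local'; NotAfter = $Now.AddDays(-5)  }
)

$IssuedCerts | ForEach-Object {
    $s = Get-AmtCertificateState -NotAfter $_.NotAfter -WindowDays $RenewalWindowDays -AsOf $Now
    [pscustomobject]@{
        CommonName   = $_.CommonName
        NotAfter     = $_.NotAfter.ToString('yyyy-MM-dd')
        RenewalOpens = $s.RenewalOpens.ToString('yyyy-MM-dd')
        DaysLeft     = $s.DaysLeft
        State        = $s.State
    }
} | Format-Table -AutoSize
```

To run this against real data rather than the constructed list, export the issued certificates from the enterprise CA's database (for example with `certutil -view -restrict "CertificateTemplate=<your AMT template>" -out "RequestID,CommonName,NotAfter" csv` on the CA, piped through `ConvertFrom-Csv`) and feed the CommonName/NotAfter pairs into the same loop. Anything that lands in `Expired-ReprovisionRequired` is a machine that was unreachable for the whole window, which is exactly the case the answer above says ends in re-provisioning rather than renewal.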
I believe the option is set in the template used to issue the AMT cert. It's called Renewal Period, as shown below. Also some info from MS, copied below the image.
Windows XP Professional or Windows Server 2003 clients, when combined with a Windows Server 2003, Enterprise Edition certification authority, will perform automatic renewal of certificates as specified on a per-template basis. Renewal intervals are dictated by the certificate template, which is set to six weeks (before expiration) by default. When certificate renewal is performed, the old (previous) certificate enrollment is always archived automatically on the client machine, and the user directory object is updated.
Important certificate renewal criteria include the following:
An administrator may force all users to re-enroll for a given template by updating the major version number of the template. When Active Directory is queried during logon for required certificate templates, the version number is examined. If the version number has incremented, the certificate template is considered to be updated and the user must re-enroll for that template.
To manually force the template version to be updated (thereby forcing re-enrollment)
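The template settings the quoted text refers to (renewal period, major and minor version) are stored on the template object in Active Directory, and the quoted renewal behaviour only works when an enterprise CA that publishes that template exists. The following added example (not code from the thread, the MS article, or Configuration Manager) reads those values straight from AD and lists which enterprise CAs issue the template; if no enterprise CA is found the standalone-CA situation described later in this thread is the likely cause. Assumptions: it runs as a domain user on a domain-joined host, the template's CN is passed as `$TemplateName` (the default is a hypothetical name), and `pKIOverlapPeriod`/`pKIExpirationPeriod` are decoded as 8-byte little-endian negative 100-ns tick counts, the FILETIME-style encoding those attributes use.

```powershell
# Added example: inspect an AD certificate template's renewal period and version,
# and check which enterprise CAs publish it. Not part of the original post.
# $TemplateName below is a hypothetical placeholder; use your AMT template's CN.
param([string]$TemplateName = 'ConfigMgrAMTClientCertificate')

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod / pKIOverlapPeriod: 8 bytes, little-endian Int64,
    # negative count of 100-ns ticks (assumption: FILETIME-style duration).
    # 86,400 s/day * 10,000,000 ticks/s = 864,000,000,000 ticks per day.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $ticks = [BitConverter]::ToInt64($Bytes, 0)
    return [math]::Abs($ticks) / 864000000000
}

function Get-ConfigurationNamingContext {
    $rootDse = [ADSI]'LDAP://RootDSE'
    return [string]$rootDse.configurationNamingContext.Value
}

function Get-TemplateRenewalInfo {
    # Read validity, renewal window and the version numbers the quoted text
    # says drive automatic re-enrollment (bump 'revision' = major version).
    param([Parameter(Mandatory)][string]$Name)
    $configNC = Get-ConfigurationNamingContext
    $path = "LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tpl = [ADSI]$path
    [pscustomobject]@{
        Template     = $Name
        ValidityDays = ConvertFrom-PkiPeriod $tpl.pKIExpirationPeriod.Value
        RenewalDays  = ConvertFrom-PkiPeriod $tpl.pKIOverlapPeriod.Value
        MajorVersion = [int]$tpl.revision.Value
        MinorVersion = [int]$tpl.'msPKI-Minor-Revision'.Value
    }
}

function Get-EnterpriseCAsIssuing {
    # Enterprise CAs register under Enrollment Services; a standalone CA does not,
    # so an empty result means no CA can auto-renew certs from this template.
    param([Parameter(Mandatory)][string]$Name)
    $configNC  = Get-ConfigurationNamingContext
    $container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    foreach ($ca in $container.Children) {
        $published = @($ca.certificateTemplates | ForEach-Object { [string]$_ })
        if ($published -contains $Name) {
            [pscustomobject]@{
                CA        = [string]$ca.cn.Value
                DnsName   = [string]$ca.dNSHostName.Value
                Template  = $Name
            }
        }
    }
}

$info = Get-TemplateRenewalInfo -Name $TemplateName
$info | Format-List

$issuers = @(Get-EnterpriseCAsIssuing -Name $TemplateName)
if ($issuers.Count -eq 0) {
    Write-Warning "No enterprise CA publishes template '$TemplateName'; automatic renewal/re-enrollment cannot occur (a standalone CA does not register here)."
} else {
    $issuers | Format-Table -AutoSize
}
```

`RenewalDays` is the Renewal Period from the template's properties page (six weeks, 42 days, by default per the quoted text), and `MajorVersion` is the number you raise to force every holder to re-enroll. Compare `RenewalDays` with the Configuration Manager task's own window from the earlier answer: the two are separate settings, and the template value is what an enterprise CA honours for auto-renewal.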
Thank you for your response. I found where my problem is.
My problem is I have created a standalone certificate authority. With that it's not possible to re-enroll the certificate. I must create an enterprise root certificate to renew my AMT computers' certificates.
Big thanks again!!