Expiring AMT client certificates

idata · ‎03-06-2009

Hello,

I'm curious to understand what happens when an AMT client certificate expires. How does Configuration Manager know to generate and send down a new client certificate before it expires? Does it keep track of this information somewhere? What happens if ConfigMgr is unable to contact the client ahead of time, and the certificate expires .... Will ConfigMgr still be able to connect using digest auth to push down a new cert?

Thanks,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

William_Y_Intel · ‎03-06-2009

Trevor,

SCCM is set by default to renew the certificate when the certificate has 42 days pending before expiration. This is a configurable option. You can find this setting under Site Database -> Site Management -> Site Server -> Site Settings -> Site Maintenance -> Tasks and look for Evaluate Provisioned AMT Computers Certificate (Window below)

Select Properties on this setting and you will be able to configure this setting to work within your environment. 42 days is probably sufficient to ensure systems get new certs as most systems would not be off longer than that amount of time. However if they are off for more time than this setting, the impact would be that the management certificate would not allow to manage the device, BUT SCCM could still re-provision a new cert even though the current cert had expired.

idata · ‎03-06-2009

Thanks for that thorough explanation Bill

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

idata · ‎10-04-2009

Thanks for your answer .

And how to renew amt client certificate with Intel SCS ???

idata · ‎10-15-2009

anybody have an idea ???? really ??

Alireza_M_Intel · ‎10-15-2009

I believe the option is set as an option in the template used to issue AMT cert. It's called Renewal Period as shown below. Also some info MS copied below the image.

Renewal Intervals

Windows XP Professional or Windows Server 2003 clients, when combined with a Windows Server 2003, Enterprise Edition certification authority, will perform automatic renewal of certificates as specified on a per-template basis. Renewal intervals are dictated by the certificate template, which is set to six weeks (before expiration) by default. When certificate renewal is performed, the old (previous) certificate enrollment is always archived automatically on the client machine, and the user directory object is updated.

Important certificate renewal criteria include the following:

Automatic certificate renewal will only occur when 80 percent of the certificate lifetime has passed, or when the renewal interval period specified on the template has been reachedwhichever timeframe is smaller.
If the renewal period is greater than 20 percent of the certificate lifetime, autoenrollment will not automatically attempt certificate renewal until the 80 percent threshold has been reached.

Forcing Re-Enrollment

An administrator may force all users to re-enroll for a given template by updating the major version number of the template. When Active Directory is queried during logon for required certificate templates, the version number is examined. If the version number has incremented, the certificate template is considered to be updated and the user must re-enroll for that template.

To manually force the template version to be updated (thereby forcing re-enrollment)

Right-click the template and select Reenroll All Certificate Holders

idata · ‎10-20-2009

Thank you for your response. I founded where is my problem.

My problem is i have created an standolone certificate authority. With that it's not possible to reenroll certificat. I must create an root enterprise certificate for renew my AMT computers certificate.

Big thanks again !!