Devices in SCCM Console staying self-signed while its showing PKI on the client side

Patrick Baldonado 6

Hi all, We initially setup our SCCM environemnt using HTTP but now decided to flip to PKI to support CMG. We only have 1 MP which is on the Primary site as well. I have switched over MP, DP and SUP to use HTTPS, also binded MP 443 port to the IIS cert I have generated. I have also switched site Communication tab to use PKI. Finally, I have pushed client auth cert through GPO and can see clients are getting certs on Personal Store. I can even see the clients switching over to PKI under SCCM client General Tab. Also verified client registered using PKI in ClientIDManagerStartup.log. My problem is when I go check Devices in SCCM Console, under client certificate, they still show as self-signed rather than PKI. Thoughts please...

AllenLiu-MSFT 40,081 Reputation points Microsoft Vendor

2021-10-06T07:40:42.79+00:00

It seems there is no update for a couple of days. May we know the current status of the problem? If you think Jason's reply is useful, you may accept it as answer.
Pushpraj 0 Reputation points

2023-04-01T17:37:28.63+00:00

I am having the same issue.
on client side it is showing that it is using PKI but when I go to check in sccm console it is showing as self signed.
Can anyone give me the exact cause and solution of this???
Jason Sandys 31,151 Reputation points Microsoft Employee

2023-04-03T13:52:18.3766667+00:00

As has been called out, this is (still) a bug in ConfigMgr. If you are impacted, please use the in console feedback system to submit a frown.
Jeff Gilbert 5 Reputation points

2023-06-03T18:13:04.52+00:00

Wasted most of a day trying to figure out why the console wasn't updating. So we can't trust the console client cert column or the HTTPS reports. After years you'd think this would have been addressed. I suppose now we need to use an unsecure FSP to tell us if HTTPS is working or not to make our sites more secure. :|

12 answers

Jason Sandys 31,151 Reputation points Microsoft Employee

2021-09-30T20:58:43.633+00:00

If you are running 2107, then this is a known console issue. To our knowledge, there is no impact of negative effects because of this. It is noted in the official docs as well: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/certificates-overview#hardware-bound-key-storage-provider. We have a work item open and intend to fix this is a future version or build.
Please sign in to rate this answer.

2 people found this answer helpful.
durrie 406 Reputation points

2021-11-03T15:23:24.733+00:00

Hi Jason, thanks for the info, the link explains very succinctly how / why the issue occurs in 2107.

Is there anywhere we can track the progress for a new version / hotfix to this known issue?

I have very recently started the migration my site to HTTPS. Currently my site's "Communication Security" settings sit in the hybrid HTTPS or HTTP option so we can gauge when we might be ready to go full blown HTTPS only!

As such I want my team to easily see in the console view if any clients are still using self-signed certs so we can focus on addressing them and prep for HTTPS only cutover.

Jon Oram 1 Reputation point

2022-03-04T20:56:06.96+00:00

Jason,
With repect to the planned fix, this does not address the false reporting. From a compliance standpoint, these systems all appear in the console to NOT be compliant for a PKI requirement. That is, in organizations where PKI communication is required. While there may be a fix available in the future (not addresses in 2111) it would be great to have a work-around to address the false reporting. Can you please recommend a method that can be applied on the client to trigger this change?

Last comment stated 2203, with no promises. It would be nice to have a procedure that can be used to fix these systems before then. In organizations that use this value to audit the build configuration, this is not benign at all. And in the absence of a fix we should be able to count on a definitive date which we can communicate to our audit teams.

Jason Sandys 31,151 Reputation points Microsoft Employee

2022-03-04T22:11:00.64+00:00

PKI communication is required

There's no such thing as PKI communication. There is HTTPS communication but this no longer requires having a PKI-issued client auth certificate in ConfigMgr (this is a change introduced a while back that we've not documented but that I've begun mulling over on how we actually document it). Even if it did though, that's the point of having a fallback status point so that you would know which clients cannot successfully communicate with the site.

There is no fix at this time nor a viable workaround within the product. It would be quite straight-forward to create a PowerShell script though to see whether or not a client has a valid PKI-issued client auth certificate and this could be run using a baseline.

Jon Oram 1 Reputation point

2022-03-07T12:49:27.227+00:00

Jason,
OK, PKI-secured communication... Thanks for the info.

Alex Ignatenko 1 Reputation point

2022-03-18T22:04:32.237+00:00

@Jason Sandys - do you mean Bitlocker management is working with self-signed certs too? I was under impression you have to have PKI-issued cert to get this feature working.
In addition, the console information was useful during HTTP/HTTPS migration - to get clear understanding how many clients start using PKI-issued certificate before switching site to HTTPS only. Certainly, Powershell script quiring local cert store can be created, but that does not provide a prove that SCCM client use it (we can only assume it at best).

Jason Sandys 31,151 Reputation points Microsoft Employee

2022-03-21T16:55:43.263+00:00

As of 2107, we replaced the recovery service with a core MP based path to communicate BitLocker recovery key info so nothing additional is required to secure this traffic.

As for the core issue of not being able to differentiate, please submit a frown in the console making sure to include the scenario and business-based impact for not having this.

As for the script, I wouldn't check for the existence of the cert, I would check the cert being used which I believe is referenced in WMI somewhere or at least called out in clientidmanagerstartup.log and then validate that the chosen cert is issued from your expected PKI. This is non-trivial, but not super-difficult.

Alex Ignatenko 1 Reputation point

2022-03-28T21:28:49.337+00:00

Great, thank you @Jason Sandys . So it looks like the only scenario where PKI is still needed is CMG without user replication to AAD or device is not AD joined or hybrid joined to AAD. Is that a correct assumption?

Jason Sandys 31,151 Reputation points Microsoft Employee

2022-04-15T03:25:17.523+00:00

No, not correct. Config<gr issued tokens can also be used for client management across a CMG. User synchronization to AAD is unrelated to use or non use of a PKI.
Sign in to comment
Michael-CM 51 Reputation points

2022-11-09T18:39:02.107+00:00

@Jason Sandys Actual issue still exists on 2207, would be nice if you can fix it soon as it is very irritating.
Thanks!
Please sign in to rate this answer.

2 people found this answer helpful.
Chad Dissanayake 0 Reputation points

2023-09-01T02:34:00.3233333+00:00

SCCM Version 2203 also got the same issue

Jason Sandys 31,151 Reputation points Microsoft Employee

2023-09-05T18:04:36.1166667+00:00

This has been addressed in TP2305 and I believe should be included in 2309.
Sign in to comment
Jason Sandys 31,151 Reputation points Microsoft Employee

2021-11-03T18:47:29.077+00:00

Is there anywhere we can track the progress for a new version / hotfix to this known issue?

No, we don't make this info available publicly. From memory, this is fixed/addressed in 2111.
Please sign in to rate this answer.
PAUL WOODALL 6 Reputation points

2021-11-04T22:44:01.56+00:00

Hi Jason, we just had the very same issue after switching fully to PKI in our environment. We were tracking a small number of systems that had not switched from self-signed and now we don't have any way to know which systems they were. Is there a built in report or something else to assist us with finding the systems that do not use PKI yet? Do you know when the 2111 release will happen?

DeRRoOoN 1 Reputation point

2022-01-20T21:19:14.96+00:00

we have upgraded to 2111 but MECM console staying self-signed while its showing PKI on clients
any work around to fix this issue?

Jason Sandys 31,151 Reputation points Microsoft Employee

2022-01-21T14:37:20.53+00:00

The fix did not actually make it into 2111. Note that this is a mostly benign issue though and does not actually impact functionality.

DeRRoOoN 1 Reputation point

2022-01-21T18:30:44.84+00:00

Thanks for the update Jason. we just want to validate if client has PKI or self-signed cert. it will get resolved in upcoming release? did MS aware of this issue?

Jason Sandys 31,151 Reputation points Microsoft Employee

2022-01-21T18:51:52.473+00:00

Yes, we are aware and have an item in the backlog for this. I think it's scheduled to be fixed in 2203 (no commitments though).

Jonathan Abramson 1 Reputation point

2022-02-17T22:41:38.84+00:00

So, 2011 still has this issue. Is there any update on a fix for it yet?

Patrick Baldonado 6 Reputation points

2022-03-08T04:30:35.23+00:00

Thanks for clearing this up @Jason Sandys , please update us through this channel when Microsoft have successfully released a version or a hotfix that fixes for this popular issue.

Alex Ignatenko 1 Reputation point

2022-03-18T18:08:30.94+00:00

the issue is still there in 2203 preview.

Pedinotti, Paul 1 Reputation point

2022-08-22T19:55:49.967+00:00

I have been running 2203 for a while now and just realized that all of my CDES (SCEP) clients say self-signed in the SCCM console but in the control panel configuration manager the say PKI locally on the client
Sign in to comment
Jason Sandys 31,151 Reputation points Microsoft Employee

2022-03-18T19:33:53.81+00:00

Yes, apologies. The work item for this issue had mistakenly been set to resolved when it in fact had been moved to our backlog where it still sits. I know this is at best annoying, but is it blocking anything for you? Either way, please use the file a frown function in the console to send your feedback making sure to include how this is impacting you and your business so that we can properly prioritize the work.
Please sign in to rate this answer.
Jonathan Abramson 21 Reputation points

2022-03-18T19:57:19.303+00:00

I've opened a ticket with Microsoft about this. It affects us because part of our QA process of adding new devices is to check that devices show PKI in the console. It is more than just moderately confusing and seems odd that it has been now 3 major releases since it was broken to fix it.

Jonathan Abramson 21 Reputation points

2022-03-18T22:03:46.687+00:00

Also, I'm not sure if it is related but we also noticed since 2011 we have had many AAD co-managed devices in SCCM reporting no client. Yet it has a last online time, reports a client version as well. We are testing a WMI script to clean as we've found it fixes this issue.

PAUL WOODALL 6 Reputation points

2022-03-18T22:23:54.083+00:00

Hi Jason,

Just sent my frown, it does impact our business and there is no query that can get around this issue. The collection query does exactly the same thing, everything comes back as self signed. There is no way to report on this.

Alex Ignatenko 1 Reputation point

2022-03-18T22:31:24.047+00:00

+2 frown sent.

Jason Sandys 31,151 Reputation points Microsoft Employee

2022-03-21T16:59:54.837+00:00

I'm not saying it does or doesn't impact your business. My point is that the more justification and true impact information we can collect from customers, the more likely it is we can allocate resources to address the issue. Simply saying that you're impacted carries weight, but the more info you can give and the more that impacts your business, the more we can justify prioritizing the necessary work but we don't know any of that until you provide the info.,
Sign in to comment
Jason Sandys 31,151 Reputation points Microsoft Employee

2022-11-09T18:41:47.597+00:00

Yes, I know this is still an issue. I have no control over whether this issue is addressed, however, because of the way we now store certs, addressing the issue is non-trivial.

Why is this irritating and what challenge or problem is it causing you (besides not knowing), i.e., what's the impact on your org?
Please sign in to rate this answer.
Jonathan Abramson 21 Reputation points

2022-11-09T18:57:25.093+00:00

I find it irritating because it seems so simple but having incorrect information in the console shouldn't be acceptable. Yes, I can go to the device and check it. But I have thousands of devices and it would be nice to know PKI is functioning properly from the console view.

Michael-CM 51 Reputation points

2022-11-09T19:01:49.617+00:00

Plus 1 from my side

Chad Dissanayake 0 Reputation points

2023-09-01T02:39:03.89+00:00

Hi Jason
Is there a way get sccm client PKI certificate status via PowerShell or Command prompt, so that we can run a script in each client machines remotely and find the PKI status then outcome for all the clients write into a central logfile.

So, please share any commands or scripts you know about this

Thanks

Chad

Jason Sandys 31,151 Reputation points Microsoft Employee

2023-09-05T18:00:08.1533333+00:00

Note that this has been addressed in TP2305 and I believe should be included in 2309.
Sign in to comment