Workstation PKI Authentication certificate not required on clients for IBCM?

Steve 406 Reputation points
2023-02-10T17:31:15.9566667+00:00

For Windows 10 workstations on an Internet-only connection, I'm not finding any PKI issued workstation client authentication certificates, yet the client is still able to install updates, run task sequences and apps from Software Center. The online documentation is not really clear on this.

Should it be possible that Internet-only clients with only SMS self-signed SMS Encryption and SMS Signing certificates (under Certificates (Local Computer)>SMS>Certificates) and showing as "Self-signed" under Client Certificate in the ConfigMgr control panel are able to connect to the IBCM server that requires https and if so, are they using the SMS self-signed certs or something else such as token-based authentication?

If the PKI issued SSL certificate (Enhanced Key Usage: Server & Client Authentication) securing the IBCM server https IIS Default Web Site, IIS WSUS Administration site, and the distribution point has been replaced recently since the cert is expiring soon, is there any concern that existing Internet-only clients won't be able to communicate with the IBCM server after the previous cert's expiration date?

Also, after an Internet-only client disappears out of the MECM console under Devices, likely because of aged data maintenance tasks, can the client be re-installed or activated with only an Internet connection and how is this done so the client can find the IBCM management point?

I've tried running machine policy refresh and also tried deleting and re-adding the IBCM MP FQDN in the ConfigMgr control panel, but ClientLocation.log keeps showing the MP is empty.

Microsoft Security | Intune | Configuration Manager | Other

1 answer

  1. AllenLiu-MSFT 49,316 Reputation points Microsoft External Staff
    2023-02-13T07:38:45.8633333+00:00

    Hi, @Steve

    Thank you for posting in Microsoft Q&A forum.

    For IBCM management, the documentation is described below:

    Because of the higher security requirements of managing client computers on a public network, IBCM requires the use of PKI certificates. This configuration makes sure that connections are authenticated by an independent authority. When IBCM clients and site servers send data, it's encrypted and secure.

    It's recommended to use PKI certificates for security reasons. Have you configured the MP in HTTP mode for client connections?



    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
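A client-side check that covers both questions raised in the thread, the presence of a PKI-issued client authentication certificate versus the self-signed SMS certificates, and the expiry of the server certificate the IBCM management point actually presents. This is example code written for this page, not code from Microsoft, the documentation, or either participant; it assumes it is run elevated on the Windows 10 client and that `$IbcmMp` is replaced with the real IBCM MP FQDN (the value below is a placeholder).

```powershell
# Added example (not from the thread): inventory the certificates an IBCM client can present
# and inspect the server certificate the Internet-facing MP currently serves.
# Assumptions: run elevated on the client; $IbcmMp is a placeholder FQDN, replace it.
$IbcmMp = 'ibcm-mp.example.com'          # placeholder, not a real MP
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'     # Enhanced Key Usage: Client Authentication

function Get-CandidateClientCerts {
    # Personal store ('My') holds PKI-issued certs; 'SMS' holds the ConfigMgr self-signed ones.
    foreach ($store in 'My', 'SMS') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
            $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                ClientAuthEku = ($ekus -contains $ClientAuthOid)
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
            }
        }
    }
}

function Get-RemoteServerCert {
    param([string]$HostName, [int]$Port = 443)
    # Open a TLS session to the MP and return the leaf certificate it presents.
    # The validation callback accepts any certificate so an expired or untrusted
    # one is still returned for inspection rather than failing the handshake.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

# IBCM expects a PKI-issued client-auth cert with a private key in the Personal store;
# the SMS store only ever contains self-signed certificates.
$certs = Get-CandidateClientCerts
$certs | Format-Table Store, SelfSigned, ClientAuthEku, HasPrivateKey, DaysLeft, Subject -AutoSize
$pki = $certs | Where-Object { $_.Store -eq 'My' -and $_.ClientAuthEku -and -not $_.SelfSigned -and $_.HasPrivateKey }
if (-not $pki) { Write-Warning 'No PKI-issued client authentication certificate found in the Personal store.' }

# Confirm which server certificate the MP is serving now and when it expires.
$srv = Get-RemoteServerCert -HostName $IbcmMp
'{0} presents "{1}", expires {2:u}' -f $IbcmMp, $srv.Subject, $srv.NotAfter
```

If the Personal store shows no non-self-signed certificate with the Client Authentication EKU and a private key, the client has nothing to offer an HTTPS-only MP beyond the self-signed SMS certificates, and the last line shows whether the MP is already serving the replacement server certificate.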

