SCCM Cert Confusion

Question

I set up PKI Certs on my SCCM environment earlier this year. Short of some errors in the CCMMessaging.log that I was told are nothing to worry about, things went fine. I was able to follow the online guides and everything looked the way it was supposed to look. My Configuration Manager Properties show Client certificate as "PKI". Everything points to me using PKI. I have not checked in a while, but I noticed today that in the SCCM console, the Client Certificate column shows "Self-signed." Herein lies the confusion. Why was something that used to show PKI now showing "Self-signed" when I am showing PKI on my client properties?

Things to consider:

1. I added a CMG yesterday and troubleshooting issues with that at the moment.
2. My site was updated to 2107 about 2 weeks ago.
3. I added Proxy settings this morning.

Can anyone offer any insight on why the discrepancy and/or how to remediate?

Answer 1

This is normal and (unfortunately) expected as of 2107. We made a change to harden certificate handling on the clients in 2107 and this unfortunately had this side-effect. We are looking to address this is a future release. For now, you can spot check clients manually or use Support Center which (from memory) will also tell which kind of cert the client is using.

Answer 2

Hi @Dillon, Matt ，

Why was something that used to show PKI now showing "Self-signed" when I am showing PKI on my client properties?

According to our description, we could check ClientLocation.log to see records tasks that are related to client site assignment, which records the reason for using the PKI.

---

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

That error message is unrelated to the best of knowledge. That's looks to be the result of the user not having an AAD identity but without more context , I don't know that for sure.