Determine Whether to Block Clients in Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

If a client computer or client mobile device is no longer trusted, you can block the client in the System Center 2012 Configuration Manager console. Blocked clients are rejected by the Configuration Manager infrastructure so that they cannot communicate with site systems to download policy, upload inventory data, or send state or status messages.

In Configuration Manager SP1, Mac clients, Linux and UNIX clients, and mobile devices that are enrolled by Microsoft Intune support block and unblock.

You must block and unblock a client from its assigned site rather than from a secondary site or a central administration site.

Important

Although blocking in Configuration Manager can help to secure the Configuration Manager site, do not rely on this feature to protect the site from untrusted computers or mobile devices if you allow clients to communicate with site systems by using HTTP, because a blocked client could rejoin the site with a new self-signed certificate and hardware ID. Instead, use the blocking feature to block lost or compromised boot media that you use to deploy operating systems, and when site systems accept HTTPS client connections.

Clients that access the site by using the ISV Proxy certificate cannot be blocked. For more information about the ISV Proxy certificate, see the Microsoft System Center 2012 Configuration Manager Software Development Kit (SDK).

If your site systems accept HTTPS client connections and your public key infrastructure (PKI) supports a certificate revocation list (CRL), always consider certificate revocation to be the primary line of defense against potentially compromised certificates. Blocking clients in Configuration Manager offers a second line of defense to protect your hierarchy.

Use the following sections to help differentiate between blocking clients and using a certificate revocation list, and the implications of blocking AMT-based computers:

  • Comparing Blocking Clients and Revoking Client Certificates

  • Blocking AMT-Based Computers

Comparing Blocking Clients and Revoking Client Certificates

Use the following table to help differentiate between blocking a client and using certificate revocation in a PKI-supported environment.

Blocking Client

Using Certificate Revocation

The option is available for HTTP and HTTPS client connections, but has limited security when clients connect to site systems by using HTTP.

The option is available for HTTPS Windows client connections if the public key infrastructure supports a certificate revocation list (CRL).

In Configuration Manager SP1, Mac clients always perform CRL checking and this functionality cannot be disabled.

Although mobile device clients do not use certificate revocation lists to check the certificates for site systems, their certificates can be revoked and checked by Configuration Manager.

Configuration Manager administrative users have the authority to block a client, and the action is taken in the Configuration Manager console.

Public key infrastructure administrators have the authority to revoke a certificate, and the action is taken outside the Configuration Manager console.

Client communication is rejected from the Configuration Manager hierarchy only.

Note

The same client could register with a different Configuration Manager hierarchy.

Client communication can be rejected from any computer or mobile device that requires this client certificate.

The client is immediately blocked from the Configuration Manager site.

There is likely to be a delay between revoking a certificate and site systems downloading the modified certificate revocation list (CRL).

For many PKI deployments, this delay can be a day or longer. For example, in Active Directory Certificate Services, the default expiration period is one week for a full CRL, and one day for a delta CRL.

Helps to protect site systems from potentially compromised computers and mobile devices.

Helps to protect site systems and clients from potentially compromised computers and mobile devices.

Note

You can further protect site systems that run IIS from unknown clients by configuring a certificate trust list (CTL) in IIS.

Blocking AMT-Based Computers

After you block an Intel AMT-based computer that is provisioned by System Center 2012 Configuration Manager, you will no longer be able to manage it out of band. When an AMT-based computer is blocked, the following actions automatically occur to help protect the network from the security risks of elevation of privileges and information disclosure:

  • The site server revokes all certificates issued to the AMT-based computer with the revocation reason of Cease of Operation. The AMT-based computer might have multiple certificates if it is configured for 802.1X authenticated wired or wireless networks that support client certificates.

  • The site server deletes the AMT account in Active Directory Domain Services.

The AMT provisioning information is not removed from the computer, but the computer can no longer be managed out of band because its certificate is revoked and its account is deleted. If you later unblock the client, you must take the following actions before you can manage the computer out of band:

  1. Manually remove provisioning information from the computer’s BIOS extensions. You will not be able to perform this configuration remotely.

  2. Reprovision the computer with Configuration Manager.

If you think you might unblock the client later and you can verify a connection to the AMT-based computer before you block the client, you can remove the AMT provisioning information with Configuration Manager and then block the client. This sequence of actions saves you from having to manually configure the BIOS extensions after you unblock the client. However, this option relies on a successful connection to the untrusted computer to complete the removal of provisioning information. This is particularly risky when the AMT-based computer is a laptop and might be disconnected from the network or on a wireless connection.

Note

To verify that the AMT-based computer successfully removed provisioning information, confirm that the AMT status has changed from Provisioned to Not Provisioned. However, if the provisioning information was not removed before the client was blocked, the AMT status remains at Provisioned but you will be unable to manage the computer out of band until you reconfigure the BIOS extensions and reprovision the computer for AMT. For more information about the AMT status, see About the AMT Status and Out of Band Management in Configuration Manager.