
How to Enable or Disable Certificate Revocation Checking (CRL) on Clients

Follow these procedures to enable or disable certificate revocation checking on Configuration Manager 2007 client computers in a native mode site.

Note

Mobile device clients do not use certificate revocation lists.

The default setting for a native mode site is for client computers to check their certificate revocation list (CRL), but this option can be disabled. To verify this setting for individual clients, see How to Identify Client Configuration Details for Native Mode and Internet-Based Client Management and the Https State Flags value. You cannot configure CRL checking of native mode site systems in Configuration Manager 2007; this setting is on by default and inherited with IIS configuration.

Important

The publishing and maintenance of the CRL is an integral part of the public key infrastructure (PKI), and external to Configuration Manager 2007. Do not enable this option until you have confirmed that a CRL is supported in your PKI environment.

There are two supported procedures you can use for this configuration. Choose the procedure that is suitable for your environment. The two procedures are as follows:

  • Configure the option as a site property. Client computers that can access site properties published to Active Directory Domain Services will be automatically configured with this option on a periodic basis (including at site assignment time, every time the client starts, and every 25 hours). Clients installed using the client push installation method will be configured with the option at installation time only.

    For installed clients to be configured with the setting using Active Directory Domain Services, the following conditions must all apply:

    • Active Directory Domain Services must be extended with the Configuration Manager 2007 schema extensions

    • The site must be publishing to Active Directory Domain Services

    • Clients must be on the intranet

    • Clients must be from the same Active Directory forest as the site server's forest.

  • Specify the setting using CCMSetup.exe command line options. You can use CCMSetup options when the client is first installed, or supply them in a script that runs after installation and reinstalls the client with the new configuration. If the client is already installed, you can use the software distribution feature to send the CCMSetup commands to the client, or use a Configuration Manager 2007 task sequence to achieve this.

    Note

    If the settings supplied with CCMSetup conflict with those published to Active Directory Domain Services, and clients can access the settings in the Active Directory Domain Services, the settings from Active Directory Domain Services will take precedence and the settings specified with CCMSetup will not be used.

You can also specify the setting using your in-house client management tools, which might include incorporating the settings in a standard build image and deploying custom scripts to edit the registry.

To configure certificate revocation checking (CRL) on clients in a native mode site by configuring the setting as a site property

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management.

  2. Right-click <site code> - <site code>, and then click Properties.

  3. On the Site Mode tab in the site properties dialog box, select or cancel Enable CRL checking on clients.

  4. Click OK.

To configure certificate revocation checking (CRL) on clients in a native mode site by specifying the setting using CCMSetup.exe command line options

  • To enable CRL checking: Use CCMSetup.exe with the command line property /native:CRL (for native mode communication and CRL checking), or /native:CRLANDFALLBACK (for native mode communication and CRL checking and HTTP communication for roaming and site assignment).

  • To disable CRL checking: Use CCMSetup.exe with the command line property /native: (for native mode communication without CRL checking), or /native:FALLBACK (for native mode communication and HTTP communication for roaming and site assignment without CRL checking).

    For more information about CCMSetup installation properties, see About Configuration Manager Client Installation Properties.

See Also

Tasks

How to Install Configuration Manager Clients Using Client Push
How to Identify Client Configuration Details for Native Mode and Internet-Based Client Management

Concepts

Determine If You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode)