How to Check and Verify ConfigMgr SCCM Mixed Mode Certificate Details Endpoint Manager

We need proper certificates to authenticate and encrypt the data flow between ConfigMgr clients and the Management Point (even in mixed mode).

Sometimes, we need to play with certificates to resolve client authentication and registration issues. The following steps would be useful to fix that kind of issue.


This post covers the following topics:

  • SMS certificate Store Details (MMC)
  • Export certificates
  • Import Certificates
  • Certificates stored folder location in Windows Explorer or in the file system
  • Find the location and name of the private key file associated with the certificates

SMS certificate Store Details (MMC)

Launch MMC (mmc.exe) and click on File -> Add/Remove Snap-in


Select Certificates from Available Snap-ins and click on Add button


Select “Computer Account” and click NEXT


Select Local Computer and click on FINISH


Click OK on the “Add or Remove Snap-ins” window


Here are the TWO certificates, “SMS Signing Certificate” and “SMS Encryption Certificate,” used for Authentication and Encryption.


Export certificates

Right-click the certificate and select All Tasks -> Export… This opens the Certificate Export Wizard.


Select “Yes, export the private key” and click “Next.”


On the “Export File Format” page, select “Personal Information Exchange – PKCS #12 (.PFX)” and click NEXT (you can also select the INCLUDE and EXPORT checkboxes on that page).


Type in the password on the Password window and click NEXT


On the “File to Export” page, enter the file name under which you wish to store the exported certificate. Please do not give it an extension. Click NEXT


Click on FINISH


Import Certificates

Right-click on “Certificates (Local Computer)” -> “SMS” -> “Certificates” -> All Tasks -> Import


On the “Welcome to the Certificate Import Wizard” page, click “NEXT.”


Browse through and provide the path of the certificate export file you are importing, and click “NEXT.”


Enter the password that you used in the export process, check “Mark this key as exportable. This will allow you to back up or transport your keys at a later time”, and click “NEXT.”


“Place all certificates in the following store” should already be selected, and the Certificate store value should already say “SMS.” Click “NEXT”


Click FINISH


Certificates stored folder location in Windows Explorer or in the file system

Windows 2008 R2 servers – “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys”

Windows 7 workstations – “C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys”

Note – Both SMS certificates are stored in the 19cf* Machine Key files.

Find the location and name of the private key file associated with the certificates

The FindPrivateKey.exe tool can be used to find those details.

Syntax and examples of FindPrivateKey.exe are in the following MSDN link.

Download FindPrivateKey.exe HERE
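
The same check can be scripted. The PowerShell below is an added example, not part of the original post and not Microsoft's FindPrivateKey tool: it lists the certificates in the local computer “SMS” store, resolves each private key file, and shows which accounts have access to that file. The function name `Get-SmsCertificateKeyFile` is hypothetical, and the second key folder (`Crypto\Keys`, used by CNG providers) is an assumption added beside the MachineKeys path given above. Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example: inventory the local computer "SMS" certificate store and
# locate the private key file behind each certificate.
function Get-SmsCertificateKeyFile {
    param([string]$StorePath = 'Cert:\LocalMachine\SMS')

    # Folders searched for the key file. The first is the path given in the
    # article; the second is where CNG providers keep machine keys (assumption).
    $keyDirs = @(
        "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
        "$env:ProgramData\Microsoft\Crypto\Keys"
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $keyName = $null
        if ($cert.HasPrivateKey) {
            try {
                # Returns an RSACng or RSACryptoServiceProvider object depending on the provider
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
                } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $keyName = $rsa.Key.UniqueName
                }
            } catch {
                Write-Warning "Cannot open private key for $($cert.Thumbprint): $($_.Exception.Message)"
            }
        }

        # Map the unique container name to a file on disk, if one exists
        $keyFile = $null
        if ($keyName) {
            $keyFile = $keyDirs | ForEach-Object { Join-Path $_ $keyName } |
                Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        }

        [pscustomobject]@{
            FriendlyName  = $cert.FriendlyName
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KeyFile       = $keyFile
            # Accounts with an ACL entry on the key file; review for unexpected principals
            KeyFileAccess = if ($keyFile) { (Get-Acl -LiteralPath $keyFile).Access.IdentityReference -join '; ' } else { $null }
        }
    }
}

Get-SmsCertificateKeyFile | Format-List
```

A certificate that reports `HasPrivateKey` as true but an empty `KeyFile` points to a missing or inaccessible key file, which is worth checking before re-importing a certificate.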


Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

1 thought on “How to Check and Verify ConfigMgr SCCM Mixed Mode Certificate Details Endpoint Manager”

  1. Thx for your thread. There is no information on the internet concerning SCCM self-signed certificates implementation.

    But the most important question is… How to check the cert is used, data is encrypted. Which log file to check?

    If you have information regarding this…

    Thx in advance.

    Luc
