About Native Mode Certificates and Operating System Deployment
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
When you use Configuration Manager 2007 to deploy operating systems in native mode, you will need to include a public key infrastructure (PKI) certificate if task sequences used as part of the operating system deployment process communicate with the native mode site's management point. Without this certificate, authentication to the management point will fail, and operating system deployments will not succeed.
Additionally, for this certificate to be trusted by the management point, the site must also be configured with a root certification authority for the certificate. For more information about configuring the site with the root certification authority, see How to Specify the Root Certification Authority Certificates for Operating System Deployment Clients.
The certificate that you use with operating system deployments requires client authentication capability, and it does not get installed on the client as part of the operating system deployment. Its use is only temporary for the task sequences to complete. For the client to be managed in the native mode site after the operating system deployment, you must independently provision the client with its native mode client certificate. For more information about how to provision the client with its native mode client certificate, see Deploying the Client Computer Certificates to Clients and the Management Point.
For more information about all the certificates used with Configuration Manager 2007 native mode, see Certificate Requirements for Native Mode.
Specify the operating system deployment certificate as part of your boot media, if you are using media initiated operating system deployments, and configure the PXE service point to use this certificate if you are using PXE initiated operating system deployments. Specify the certificate by importing a Public Key Certificate Standard (PKCS #12) file, and providing the password that was chosen when the file was created. PKCS #12 files have a .PFX extension.
If you need guidance on how to prepare the PKCS #12 certificate file, see How to Export Certificates For Use With Operating System Deployment.
Protecting the Operating System Deployment Certificate from Unauthorized Use
To help protect unauthorized access to the Configuration Manager site using this certificate, assign a password with media initiated operating system deployments. You can also configure an expiration date that will be assigned to the media, and when this date expires, the media will no longer be valid.
If the PKI deployment is using a certificate revocation list (CRL), the certificate can also be revoked by a certification authority administrator, and this can be another method of protection if the certificate is known to be compromised. Certificate revocation checking is enabled by default on the management point.
When the site is in either native mode or mixed mode, you can also block client certificates that have been imported for operating system deployment, if you suspect the certificates have been compromised. For more information, see Determine If You Need to Block Configuration Manager Clients and How to Block Configuration Manager Clients.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.