Monthly Archives: June 2011

SCCM Query and Report Aliases

When crafting queries and reports in SCCM (or SMS), it is helpful to know that the WMI class and SQL Server naming conventions are slightly different. This page is most helpful in this respect (of course, it’s hidden deep in the bowels of TechNet):

http://technet.microsoft.com/en-us/library/cc180445.aspx

SCCM OOB Management and Intel AMT MEBx (vPro) custom certificate hashes

If you run the Delete Provisioning Data from Management Controller Memory command on a workstation in SCCM, not only does this unprovision the machine for OOB management, but any custom certificate hashes that you entered in MEBx will be deleted as well.  If you want to provision this machine again, you will need to go back in and re-add the hash.

Issuing certificates directly to smart cards with Windows Certificate Manager

We’ve been working on a plan to deploy smart cards on our standalone network. For initial certificate issuance, we planned on using the certmgr.msc MMC snap-in. This is done by right-clicking the Personal folder and selecting the All Tasks | Advanced Operations | Enroll On Behalf Of… option.

Everything seemed to be working, but the certificate was only issuing into the local store, and not onto the smart card. After some trial and error, we found that our issue was an incorrect CSP for the certificate template. By default, the Smartcard Logon template allows for the use of any CSP (with the Base Crypto Provider as the default).

Prior to issuance, the certificate template must be customized to issue directly to the smart card. First, make sure that the “Allow private key to be exported” option is NOT selected (otherwise, the next setting won’t be available, which was our problem). Then, ensure the CSP is set so that the Microsoft Base Smart Card Crypto Provider (or whatever CSP your smart card uses) is the only one allowed. Once the template is published this way, logon certificates will issue directly to the card!
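
The two template settings described above can be checked from the template object in Active Directory before publishing. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed and uses a hypothetical template name, `SmartcardLogonCustom`, for the customized copy of the Smartcard Logon template.

```powershell
# Added example (not from the original post).
# Assumptions: RSAT ActiveDirectory module is available; 'SmartcardLogonCustom'
# is a hypothetical cn (short name, not display name) of the customized template.
Import-Module ActiveDirectory

function Test-SmartCardTemplate {
    param(
        [Parameter(Mandatory)] [string] $TemplateName,
        [string] $ExpectedCsp = 'Microsoft Base Smart Card Crypto Provider'
    )
    # Bit in msPKI-Private-Key-Flag that corresponds to
    # "Allow private key to be exported" in the template UI.
    $CT_FLAG_EXPORTABLE_KEY = 0x10

    # Certificate templates are stored in the forest's Configuration partition.
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $template = Get-ADObject -SearchBase $searchBase -LDAPFilter "(cn=$TemplateName)" `
        -Properties 'pKIDefaultCSPs', 'msPKI-Private-Key-Flag'
    if (-not $template) { throw "Template '$TemplateName' not found." }

    # pKIDefaultCSPs entries look like '1,<provider name>'; strip the priority prefix.
    $csps = @(foreach ($entry in $template.pKIDefaultCSPs) {
        if ($entry) { ($entry -split ',', 2)[-1].Trim() }
    })

    $exportable = [bool]($template.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY)
    $cspLocked  = ($csps.Count -eq 1) -and ($csps[0] -eq $ExpectedCsp)

    [pscustomobject]@{
        Template          = $TemplateName
        KeyExportable     = $exportable      # should be False
        AllowedCsps       = $csps            # should list only the smart card CSP
        OnlySmartCardCsp  = $cspLocked
        ReadyForCardIssue = (-not $exportable) -and $cspLocked
    }
}

Test-SmartCardTemplate -TemplateName 'SmartcardLogonCustom'
```

If your cards use a vendor CSP instead of the Microsoft one, pass its name with `-ExpectedCsp`.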