IBCM Deploy clients without final certificate

Hi all,

I'm just wondering if I could deploy the SCCM Agent 2012 (package/manually) with the parameter "UsePKICert" without having the PKI infra in place. Is it possible to use it that way, or do I need to re-install the agents afterwards? Are there other ways possible, or is the PKI a must-have before the agent deploy process can start?

Many thanks in advance!

BR

Michael

August 31st, 2015 3:29pm

To use the PKI option you need a cert installed, otherwise it will simply fall back to HTTP.
August 31st, 2015 3:35pm
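
The condition in the reply above (a certificate must be installed, otherwise the client uses HTTP) can be checked on a machine before rollout. This PowerShell sketch is an added example, not part of the original thread and not Microsoft's code; it assumes the certificate is expected in the computer's Personal store and approximates "usable" as: Client Authentication EKU present, private key present, and within its validity period.

```powershell
# Added example: report which certificates in LocalMachine\My look usable as a
# ConfigMgr client certificate. The criteria are an approximation (assumption),
# not the client's actual certificate selection logic.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # OID for the Client Authentication EKU
$now = Get-Date
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs from the certificate's EKU extension, if it has one
    $ekuExt = $cert.Extensions | Where-Object { $_ -is $ekuType }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Record every reason the certificate fails the assumed criteria
    $reasons = @()
    if (-not $cert.HasPrivateKey)          { $reasons += 'no private key' }
    if ($now -lt $cert.NotBefore)          { $reasons += 'not yet valid' }
    if ($now -gt $cert.NotAfter)           { $reasons += 'expired' }
    if ($ekus -notcontains $clientAuthOid) { $reasons += 'no Client Authentication EKU' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

if (-not ($candidates | Where-Object { $_.Usable })) {
    Write-Warning 'No usable client certificate found; a client installed with /UsePKICert would use HTTP.'
}
$candidates | Format-Table -AutoSize
```

Run it from an elevated prompt on the client; an empty table together with the warning means the Personal store holds no certificates at all.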

What's the scenario here where you'd want to do this?
August 31st, 2015 4:12pm

Ok, if it will simply fall back to HTTP, that is not a problem. I will explain again.

The PKI infra might not be ready before client rollout, and therefore the question is whether I could install the SCCM agent with this "UsePKICert" parameter (within the intranet) without having a client certificate installed on the clients. When I later configure the MP, DP and SUP in the DMZ, can these clients then connect via HTTPS, or will it fail so that I have to reinstall the SCCM agents?

September 1st, 2015 2:58am

When the certificates are in place and the site roles are configured to use HTTPS, the client should switch automatically to HTTPS.
September 1st, 2015 3:30am

So it means if I use for instance this command line below, the agent works afterwards when PKI infra is ready to use, right? It should get the MP list from AD if it is either HTTP or HTTPS, correct?

Ccmsetup.exe /usepkicert smsmp=FQDN of Intranet MP ccmhostname=FQDN of Internet MP smssitecode=Site code

September 1st, 2015 5:37am

There is no use in providing those PKI and Internet-client related parameters, as the client can't use them. As long as the clients are on the intranet during the switch to HTTPS they will get the new information through a policy (new since R2). The only thing that would require a client reinstall is an Internet-only client.
September 1st, 2015 6:15am

Oh ok, good to know. Then I will simply skip those PKI parameters. Many thanks for your help!
  • Marked as answer by MK182 21 hours 14 minutes ago
September 1st, 2015 6:36am

May I ask which policy of the R2 version you are referring to? Many thanks in advance!
September 1st, 2015 7:27am

https://technet.microsoft.com/en-us/library/gg712701.aspx#BKMK_PlanforInternetClients: "For System Center 2012 R2 Configuration Manager and later: If you configure an Internet capable management point, clients that connect to the management point will become Internet-capable when they next refresh their list of available management points."
September 1st, 2015 7:36am

Many thanks for the link Torsten! 
September 1st, 2015 8:15am

This topic is archived. No further replies will be accepted.
