Topic last updated—March 2008

For a Configuration Manager 2007 site to function successfully in native mode, you must have all the required certificates installed before migrating the site to native mode.

To help you determine if Configuration Manager 2007 client computers have a valid certificate for successful native mode communication before you migrate the site into native mode, run a utility called the Configuration Manager Native Mode Readiness Tool. This utility is installed with Configuration Manager 2007 clients, in the folder %windir%\system32\CCM and should be run with local administrator privileges. To run the utility, run Sccmnativemodereadiness.exe from the CCM folder.

Without any command line arguments, this utility selects the first computer certificate in the default local store on the computer. To see alternative options that you can specify, from a command prompt type: Sccmnativemodereadiness.exe /?

The available options and examples are listed in the following table.

Sccmnativemodereadiness Option Description

/criteria:<criteria>

Specifies the certificate selection criteria if the client has more than one certificate that can be used for native mode communication (a valid certificate that includes client authentication capability).

For more information about whether you need to specify this option, see Determine If You Need to Specify Client Certificate Settings (Native Mode).

The criteria options are as follows:

  • SubjectStr:<subjectstring>. This is a case-insensitive substring match of <subjectstring> against the certificate’s subject name.

  • Subject:<subjectstr>. This is a case-sensitive match of <subjectstr> against the certificate’s subject name or subject alternative name (SAN).

  • SubjectAttr:<OID>=<OIDstr>. This matches any valid object identifier (OID) to <OIDstr>. The object identifier can be a distinguished name attribute or an OID number.

Examples:

  • Sccmnativemodereadiness.exe /criteria:"SubjectStr:contoso.com"

  • Sccmnativemodereadiness.exe /criteria:"Subject:computer1.contoso.com"

  • Sccmnativemodereadiness.exe /criteria:"SubjectAttr:2.5.4.11=Workstations"

  • Sccmnativemodereadiness.exe /criteria:"SubjectAttr:OU=Workstations"

For the complete list of attributes that can be used for the SubjectAttr option, see the table in Determine If You Need to Specify Client Certificate Settings (Native Mode).

/store:<name>

Specifies an alternate certificate store name if the client certificate to be used for native mode communication is not located in the default certificate store of Personal in the Computer store.

Example: Sccmnativemodereadiness.exe /store:"ConfigMgr"

/selectfirstcert

Specifies that the client should select any valid and matching certificate for native mode communication if multiple valid certificates are found in the certificate store. However, if the client is running Configuration Manager 2007 SP1, the certificate with the longest validity period will be selected. This setting might be required if you are using Network Access Protection with IPsec enforcement.

Example: Sccmnativemodereadiness.exe /selectfirstcert
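
The following PowerShell script is an added example, not part of the Readiness Tool or of the original documentation. It lists the certificates in a computer store that are inside their validity dates and carry the Client Authentication enhanced key usage, so you can see whether more than one candidate exists and /criteria or /selectfirstcert would be needed. The parameter names, the date-and-EKU-only check (no chain or revocation validation) and the handling of certificates without an EKU extension are assumptions of this example; the tool's own validation may differ.

```powershell
# Added example: preview candidate client certificates before running
# Sccmnativemodereadiness.exe. Run from an elevated PowerShell prompt.
param(
    [string]$StoreName  = 'My',  # 'My' is the Personal store; compare /store:<name>
    [string]$SubjectStr = ''     # optional; compare /criteria:"SubjectStr:<subjectstring>"
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

function Test-ClientAuthEku($cert) {
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $clientAuthOid) { return $true }
            }
            return $false
        }
    }
    # Assumption: a certificate with no EKU extension is not counted as a candidate.
    return $false
}

# Keep certificates that are currently within their validity dates, carry the
# Client Authentication EKU, and contain the substring (case-insensitive) in
# the subject name. An empty substring matches every certificate.
$candidates = @(Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" | Where-Object {
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    (Test-ClientAuthEku $_) -and
    $_.Subject.IndexOf($SubjectStr, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
} | Sort-Object NotAfter -Descending)   # longest remaining validity first

$candidates | Format-Table Subject, NotAfter, HasPrivateKey, Thumbprint -AutoSize

if ($candidates.Count -eq 0) {
    Write-Warning "No candidate certificate found in LocalMachine\$StoreName."
} elseif ($candidates.Count -gt 1) {
    Write-Warning ("{0} candidate certificates found; consider /criteria or /selectfirstcert." -f $candidates.Count)
} else {
    Write-Output "Exactly one candidate certificate found."
}
```
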

Although you can run this utility individually for a specific computer before you migrate the site into native mode, ensure that all client computers are ready for native mode by running the utility as a mandatory advertisement to all client computers assigned to the site.

Note
This utility requires the Configuration Manager 2007 client to be installed.

You can then view the results of the utility with the following reports:

  • Clients incapable of native mode

  • Summary information of clients capable of native mode

You should resolve any client certificate issues before migrating the site to native mode. Clients that do not have a valid certificate when the site is migrated to native mode will be unmanaged.

Important
The Configuration Manager Native Mode Readiness Tool validates the client computer certificate only, and does not validate the certificates required by site systems, or by devices. Configuration Manager will verify the site server certificate when the site is installed for native mode, or migrated from mixed mode. However, server certificates for the web sites and for mobile client devices must be checked manually.

To determine whether Configuration Manager 2007 client computers are ready for native mode, follow these procedures to run the Configuration Manager Native Mode Readiness Tool, and then view the resulting reports.

To determine whether client computers are ready for native mode:

  1. In the administrator console, navigate to the Software Distribution node, and create a software distribution package with no source files.

  2. Click the software distribution package you have just created, then right-click Programs and select New.

  3. In the New Program Wizard, specify the command to run the Configuration Manager Native Mode Readiness Tool (for example, %windir%\system32\CCM\Sccmnativemodereadiness.exe).

  4. On the Environment page of the wizard, select the Run mode of Run with administrative rights, and complete the wizard.

  5. Right-click the Advertisements node, select New, and then select Advertisement.

  6. In the New Advertisement Wizard, select the package and the program you have just created, and then select a collection that contains all the client computers assigned to the site.

  7. In the Schedule page of the New Advertisement Wizard, create a mandatory advertisement so that the command runs automatically, and complete the wizard.

  8. When the advertisement has successfully run on clients, in the administrator console, navigate to System Center Configuration Manager / Site Database / Computer Management / Reporting / Reports.

  9. In the Reports node, click the Category column to sort the reports so that you can more easily find the reports with the category Site - Client Information.

  10. Right-click one of the following reports, and then select Run:

    • Clients incapable of native mode

    • Summary information of clients capable of native mode

  11. In the Report Information page, supply any additional information required, and then click Display to view the report. Note any computers that do not have a valid certificate, and the identifying reason.

  12. Close the report.

  13. Resolve the client certificate issues reported, and rerun the advertisement and reports until no client certificate failures are reported.
