If a client computer or client mobile device is no longer trusted, the Configuration Manager administrator can block the client in the Configuration Manager 2007 console. Blocked clients are rejected by the Configuration Manager 2007 infrastructure so that they cannot communicate with site systems to download policy, upload inventory data, or send state or status messages.

You must block and unblock a client from its assigned site. These actions cannot be performed from sites higher in the hierarchy.

Although blocking in Configuration Manager 2007 can help to secure the Configuration Manager 2007 site, do not rely on this feature to protect the site from untrusted computers or mobile devices if the site is in mixed mode, because a blocked client could re-join the site with a new self-signed certificate and hardware ID.This feature is designed to be used to block lost or compromised boot media when deploying clients with the operating system deployment feature, and with native mode clients.Clients accessing the site using the ISV Proxy certificate cannot be blocked. For more information about the ISV Proxy certificate, see the System Center Configuration Manager 2007 Software Development Kit (SDK).If the site is in native mode and your public key infrastructure supports a certificate revocation list (CRL), always consider certificate revocation to be the primary line of defense against potentially compromised certificates. Blocking clients in Configuration Manager 2007 offers a second line of defense to protect your hierarchy.

To help differentiate between certificate revocation in a PKI-supported environment, and blocking a client in Configuration Manager 2007, refer to the following table.

Block Client Certificate Revocation

Option is available in both mixed mode and native mode sites, but has limited security when the site is in mixed mode.

Option is available for native mode sites only, if the public key infrastructure supports a certificate revocation list (CRL).

Mobile device clients do not use certificate revocation lists, although their certificates can be revoked and checked by Configuration Manager 2007.

Configuration Manager 2007 administrator has the authority to block a client, and the action is taken in the Configuration Manager console.

Public key infrastructure administrator has the authority to revoke a certificate, and the action is taken outside the Configuration Manager console.

Client communication is rejected from the Configuration Manager 2007 hierarchy only.

The same client could register with a different Configuration Manager 2007 hierarchy.

Client communication can be rejected from any computer or mobile device that requires this client certificate.

Client is immediately blocked from the Configuration Manager 2007 site.

There is likely to be a delay between revoking a certificate and site systems downloading the modified certificate revocation list (CRL).

For many PKI deployments, this delay can be a day or longer. For example, in Microsoft Windows 2003 Certificate Services, the default expiration period is one week for a full CRL, and one day for a delta CRL.

Helps to protect site systems from potentially compromised computers and mobile devices.

Helps to protect both site systems and clients from potentially compromised computers and mobile devices.

For more information about enabling certificate revocation checking on client computers, see Determine Whether You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode).

You can further protect the native mode site from unknown clients by using a certificate trust list (CTL). For more information, see Determine If You Need to Configure a Certificate Trust List (CTL) with IIS (Native Mode).

See Also