The Site Mode tab defines whether the Configuration Manager 2007 site will operate in native mode or mixed mode, and the site mode related settings. Site modes are used to specify how clients will communicate with the site. To select the mode that the site will operate in, select either Native or Mixed from the Site mode selection drop down list.

This tab is not visible when viewing the properties of a secondary site. Secondary sites inherit the settings contained on the site mode tab from their parent site.

To ensure clients do not become unmanaged as a result of changing the site mode from mixed to native, see Administrator Checklist: Migrating a Site to Native Mode.

After selecting the site mode, the options displayed depend on whether you have selected native mode or mixed mode.

If you change the site mode from mixed mode to native mode and you have a network load balancing (NLB) management point that is specified with an IP address, you must reconfigure the NLB management point to use a fully qualified domain name (FQDN) instead. Until you reconfigure the NLB management point with an FQDN, clients will be unable to contact their default management point and will be unmanaged. For more information, see How to Configure the Intranet FQDN of an NLB Management Point.

Native Mode Settings Properties

If you select native mode site operation, the following native mode properties are displayed.

Site server signing certificate

Specifies the site server signing certificate, which is a requirement to configure the site to use native mode operation. This certificate must already be deployed to the site server externally to Configuration Manager 2007. You cannot configure native mode without specifying this certificate.
The site server signing certificate must be configured directly on each primary site database. You cannot configure the site mode for a child primary site from a parent primary site because the certificate cannot be validated correctly in this scenario.
For more information about the PKI certificate requirements, see Certificate Requirements for Native ModeFor more information about deploying the PKI certificates required for native mode, see Deploying the PKI Certificates Required for Native Mode

Specifies the site server signing certificate for the site. If the certificate has been selected, this will display either the friendly name of the certificate if the certificate has a friendly name, or <No friendly name> if the selected certificate does not have a friendly name. If the certificate is not yet specified, click Browse to select it, or you can type in the thumbprint in the Thumbprint text box.This certificate is used by the site server to sign client policies. To accept policies signed by this certificate, clients must also have a copy of the site server signing certificate. For more information, see Decide How to Deploy the Site Server Signing Certificate to Clients (Native Mode)

Browses to the certificate store on the site server so that you can select the site server signing certificate from the list of certificates displayed. Specifying the wrong certificate could result in the site being unmanaged, so the certificate you select will be validated for the following:
  • The certificate is within its validity period and has not expired.

  • The certificate has the correct certificate subject name, which includes the site code of the site.

  • The certificate purpose includes document signing.


If you cannot browse to the site server's certificate store (for example, you do not have appropriate permissions), but you have the certificate's thumbprint, you can enter it here. The thumbprint must be entered as a sequential string of hexadecimal characters. To eliminate typing errors, copy and paste the string from the certificate itself.
You can copy the thumbprint using the Microsoft Certificates MMC snap-in. On the computer where it is stored, navigate to the Local Computer, Personal store, and expand Certificates. Double-click the certificate, and then click the Details tab. Scroll through the files and click Thumbprint. Copy the string of hexadecimal numbers that is displayed in the text box.
When you enter the thumbprint, Configuration Manager 2007 will attempt to match it with a valid certificate on the site server's certificate store. If this is successful and the certificate is validated successfully, the friendly name will be displayed against the Certificate option.
Operating system deployment settings

Specifies settings related to operating system deployment when the site is operating in native mode. These settings are inherited by secondary sites, but not child primary sites.
Specify Root CA Certificates

Opens the Specify Root CA Certificates dialog box, which allows you to import exported root certification authority certificates for clients that are assigned to the site. These might be required for operating system deployment clients to complete installation.For information about preparing the root certification authority certificates, see How to Prepare the Root Certification Authority Certificates for Operating System Deployment Clients.
Client settings published to Active Directory

Specifies the native mode site settings that are published to Active Directory Domain Services for client computers, and are automatically used with client push installations.Client computers that can access these settings in Active Directory Domain Services are configured with these values periodically, including when site assignment succeeds, on startup and every 25 hours.If client computers do not use the default settings, specify these options with CCMSetup installation properties if any of the following scenarios apply:
  • The Active Directory schema is not extended for Configuration Manager 2007.

  • The Active Directory schema is extended for Configuration Manager 2007 but you have clients that cannot access these settings because they are workgroup clients or are from another Active Directory forest.

  • You want to specify different client settings for installation only.

For more information about the command line properties, see About Configuration Manager Client Installation Properties.
Enable CRL checking on clients

Specifies whether Configuration Manager client computers use a certificate revocation list (CRL) before using the PKI certificates required for native mode.The default for this setting is to enable CRL checking when the site is installed in native mode. When the site is installed in mixed mode and then migrated to native mode, the default for this setting is to disable CRL checking for clients.For more information, see Determine Whether You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode).
Allow HTTP communication for roaming and site assignment

Specifies whether native mode client computers can use HTTP if they roam to a mixed mode site so that they can communicate with the resident management point for content location, and download content from that site's distribution points. Additionally, HTTP is required for communication with a server locator point, which is required for site assignment if the Active Directory schema is not extended for Configuration Manager 2007, and also if native mode client computers use a network load balancing management point on the intranet and cannot locate this from Active Directory Domain Services.The default for this option is not to allow HTTP communication for roaming and site assignment.For more information about this option, see Decide If You Need to Configure HTTP Communication for Roaming and Site Assignment (Native Mode)
Certificate store

Specifies the location of the client certificate to use in native mode. The default location is the Personal store in the Computer certificate store. If the client certificate has been deployed to an alternate location in the Computer store, specify it here.
Certificate selection criteria

Specifies the selection criteria to use if more than one valid certificate is found in the specified certificate store. The default setting is to check only the certificate purpose. To specify the certificate selection criteria, select one of the following options, and then specify any associated value:
  • Check only certificate purpose: This option does not use the subject name or the subject alternative name when selecting certificates. Instead, certificates are selected only on the intended purpose of the certificate, which must include client authentication. This is the default certificate selection criteria.

  • Subject contains string: The string match on the subject name in the certificate is a case-insensitive match. This selection criteria is appropriate if you are using the fully qualified domain name of a computer, and you want the certificate selection to be based on the domain suffix, for example However, you can use this selection method to identify any string of sequential characters that differentiate the certificate from others in the client certificate store

  • Subject or alt includes attributes: The attribute identification is a case-sensitive match on the subject name, or subject alternative name field in the certificate. This selection criteria is appropriate if you are using X.500 distinguished names or equivalent object identifiers, in accordance with RFC 3280, and you want the certificate selection to be based on the attribute values. Specify only the attributes and their values that you require to uniquely identify or validate the certificate and differentiate the certificate from others in the client certificate store. The order in which the attributes are entered has no significance. For a list of attribute values that are supported for certificate selection criteria, refer to the table in Determine If You Need to Specify Client Certificate Settings (Native Mode). The following examples define certificate selection criteria by using object identifier attributes and by using distinguished names attributes:

    • Example 1: =Maryland, =US, Contoso, =Sales

    • Example 2:   ST=Maryland, C=US, O= Contoso, OU=Workstations

If multiple certificates match criteria

Specifies the action to take if Configuration Manager finds more than one valid certificate based on the settings specified:
  • Select any certificate that matches: Of the certificates found that matched the selection, one will be chosen at random. If the client is running Configuration Manager 2007 SP1 or later, the certificate with the longest validity period is selected. If a connection is not successfully made with this certificate, the other certificates found will not be tried and the client will send an error message to its assigned fallback status point.

  • Fail selection and send error message: None of the certificates will be used to attempt a connection. Instead, the client will not attempt communication with its management point, and instead it will send an error message to its assigned fallback status point. This is the default configuration.


Saves the changes and exits the dialog box.

Exits the dialog box without saving any changes.

Saves the changes and remains in the dialog box.

Opens the Site Properties: Site Mode Tab help documentation.

Mixed Mode Settings Properties

If you select mixed mode site operation, the following mixed mode properties are displayed.

Approval Settings

Specifies the client approval settings to use when authorizing computers to be fully managed in a mixed mode site. Approve clients in a mixed mode site to verify client identity. Ensure that you select a client approval method that fits your risk profile. For more information about securing clients, see Best Practices for Securing Clients, and for more information about approval, see About Client Approval in Configuration Manager.
Changing the site approval method will not automatically reset the approval status of clients already assigned to the site. The new setting will take effect for newly assigned clients only.
Manually approve each computer

Manually approving every computer in the site introduces the least risk, but the largest administrative overhead. Clients must be manually approved from within the Configuration Manager console. Reference the procedure "To approve clients manually" in How to Approve Configuration Manager Clients.
Automatically approve computers in trusted domains (recommended)

Automatically approving computers in trusted domains automatically authorizes client computers joined to domains trusted by the site server's domain.
If your Configuration Manager 2007 hierarchy spans multiple domains, the management point must be configured with an intranet FQDN to approve clients that are in a different domain to the site server's domain. For more information, see How to Configure the Intranet FQDN of Site Systems and Determine If You Will Use FQDN Server Names.
When using this setting, you should ensure that you have other security controls in place to prevent untrustworthy computers from joining a trusted domain.
Automatically approve all computers (not recommended)

Automatically approving all computers will authorize any computer that requests assignment with the site. This setting is never recommended because it allows any computer to receive potentially sensitive data without verifying trustworthiness.
This site contains only ConfigMgr 2007 clients.

Regardless of the client approval method selected, this setting enables stronger client communication security settings available for Configuration Manager clients that are incompatible with SMS 2003 client communication settings. Before enabling this setting, ensure that you have no SMS 2003 clients in the site.
Client Settings

Specifies client data encryption settings for client information sent to management points.
Encrypt data before sending to management point.

Select this setting to encrypt inventory data and state messages sent from clients to their management point. The encryption method uses the client’s self-signed certificate that does not require a PKI, and it uses the 3DES algorithm rather than the more secure encryption method in native mode that uses a PKI certificate with SSL encryption. For more information about the differences in securing client data in mixed mode and native mode, see the table “Comparison of Mixed Mode and Native Mode” in the topic Benefits of Using Native Mode.

Saves the changes and exits the dialog box.

Exits the dialog box without saving any changes.

Saves the changes and remains in the dialog box.

Opens the Site Properties: Site Mode Tab help documentation.

See Also