A manually requested System Center Mobile Device Manager 2008 GCM certificate cannot be saved to the computer store

This article has been archived. It is offered "as is" and will no longer be updated.
In some situations, an administrator of System Center Mobile Device Manager 2008 (SCMDM) must manually request a Gateway Configuration Management (GCM) certificate from the Certificate Authority's (CA) web enrollment page. If the server hosting the web enrollment page has been updated with the hotfix described in Knowledge Base article KB922706, the option "Store certificate in the local computer certificate store" will not appear.
The hotfix changes the web enrollment page to support clients running Windows Vista, Windows Server 2008, Windows 7 and later. The underlying ActiveX control invoked by the "Store certificate in the local computer certificate store" checkbox no longer runs when the fix is applied, even if the client requesting the certificate is running an OS prior to Windows Vista.

1) One workaround is to install only the web enrollment tool on a server hosting IIS and point it to the issuing CA currently used by SCMDM. Do not install the hotfix for 922706 on this server. The "Store certificate in the local computer certificate store" checkbox should be available.

Note: If the web enrollment tool has been installed on a server hosting IIS that does not have the hotfix, but points to an issuing CA other than the one previously used by SCMDM, the certificate for the issuing CA must also be installed on any server receiving a certificate from the web enrollment tool.

2) An alternate workaround, if option 1 is not available:

  1. Open an MMC on one of the CAs and add the Certificate Templates snap-in.
  2. Double-click the SCMDMGCM template and go to the Request Handling tab of the property dialog.
  3. Check the Allow private key to be exported checkbox. Click Apply. Click OK.
  4. Follow the "Create and Install certificates from the SCMDMGCM Template" section of the Manual Certificate Procedures chapter of the SCMDM Deployment Guide.
  5. Open an MMC on the DM server and add the Certificates snap-in for "My User Account". Add the Certificates snap-in for "Computer Account".
  6. Under "Certificates - Current User", expand the Personal store, highlight Certificates.
  7. Right-click the certificate issued using the GCM certificate template and choose Export. Select the option to export the private key and accept the default format. Save the certificate to the desktop.
  8. Under "Certificates (Local Computer)", expand the Personal store, highlight Certificates.
  9. Right-click Certificates, click All Tasks, then select Import...
  10. Browse to the file you just saved on the desktop.
  11. Verify that the Place all certificates in the following store option is selected and that the Personal store of the local computer is selected.
  12. Finish the "import certificate" wizard and verify that the GCM certificate (and private key) have been successfully imported.

Note: You will have to complete the Provide Network Service Permissions to the Certificate section of the Manual Certificate Procedures chapter after completing this workaround.
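
Steps 5 through 12 of workaround 2 can also be done from Windows PowerShell without saving a file that contains the private key to the desktop. The script below is an added example, not part of the original article or the SCMDM Deployment Guide; it assumes Windows PowerShell on the .NET Framework, an elevated prompt running as the user who requested the certificate, and a certificate thumbprint supplied by the operator.

```powershell
# Added example (not from the article): performs steps 5-12 in memory.
# Run elevated, as the user who requested the certificate.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # operator-supplied thumbprint of the GCM certificate
)
$ErrorActionPreference = 'Stop'
$ns    = 'System.Security.Cryptography.X509Certificates'
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Steps 5-6: locate the certificate in "Certificates - Current User" > Personal.
$userStore = New-Object "$ns.X509Store" -ArgumentList 'My', 'CurrentUser'
$userStore.Open('ReadOnly')
try     { $cert = $userStore.Certificates | Where-Object { $_.Thumbprint -eq $clean } }
finally { $userStore.Close() }
if (-not $cert)               { throw "No certificate $clean in CurrentUser\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key." }

# Step 7: export as PFX into memory, protected by a random one-time password.
# Export throws if the template did not allow private key export (step 3).
$rng  = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$seed = New-Object byte[] 32
$rng.GetBytes($seed)
$pfxPassword = [Convert]::ToBase64String($seed)
$pfx = $cert.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)

# Steps 8-11: import into "Certificates (Local Computer)" > Personal.
# MachineKeySet stores the key in the machine key container; the Exportable
# flag is deliberately omitted, so the machine copy of the key is not exportable.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$machineCert  = New-Object "$ns.X509Certificate2" -ArgumentList $pfx, $pfxPassword, $flags
$machineStore = New-Object "$ns.X509Store" -ArgumentList 'My', 'LocalMachine'
$machineStore.Open('ReadWrite')
try {
    $machineStore.Add($machineCert)
    # Step 12: re-read the store and confirm certificate and private key are present.
    $check = $machineStore.Certificates | Where-Object { $_.Thumbprint -eq $clean }
}
finally {
    $machineStore.Close()
    [Array]::Clear($pfx, 0, $pfx.Length)   # wipe the in-memory PFX bytes
    $pfxPassword = $null
}
if (-not $check -or -not $check.HasPrivateKey) {
    throw "Import to LocalMachine\My failed or the private key is missing."
}
$check | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

The script leaves the copy in the current user's store and the template's export setting unchanged, and the Provide Network Service Permissions to the Certificate section still has to be completed afterwards.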

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2142221 - Last Review: 12/12/2015 08:53:36 - Revision: 1.0

Microsoft System Center Mobile Device Manager 2008
