The Management Service automatically distributes a credential to each Security Client the first time the client checks in to the Management Service. After this credential is distributed, the Security Client is permitted to receive policies from the Policy Distribution Service and provide reporting data to the Policy Distribution Service.
Cryptographic best practices dictate that the credential, or key management key (KMK), be renewed at regular intervals to prevent certain cryptographic attacks from being practical. This can take place on a relatively long cycle, typically about once every year, and should not be done too frequently because the renewal requires some effort and network bandwidth.
To renew the KMK:
1. Open the Communications Console on the Management Service ().
2. Allow the Communications Console to run a complete check. Running the Communications Console causes the Management Service to lose user and log data; however, policy data is not deleted.
3. Have all end users authenticate to the Management Service (either via VPN or while inside the appropriate firewall) by right-clicking the Security Client taskbar icon, then clicking.
The Management Service passes the new KMK credentials down. In some cases, the user must authenticate to the domain (username and password).
Until the endpoints renew their KMKs, they cannot communicate with the Policy Distribution Service.