Certificates can be distributed to managed clients using a communication profile.
Removing a certificate from the communication profile does not automatically remove it from the client.
Even if the certificate is deleted manually from the certificate store, SMA restores it during service restart.
Environment: 8.7
Cause: by design
The certificate can be removed manually using SMATool.exe:
* Copy the certificate thumbprint
* Remove the certificate from the communication profile
* Copy [C:\Program Files\Notification Server\Bin\Tools\SMATool.exe] from the SMP server to the client
* Find the certificate path in the secure store
    SMATool.exe /storage enum > enum.txt
  The path is found by searching enum.txt for the certificate thumbprint:
------
AgentCore\CertificateBackup\2\XXXXX5b279505XXXXX3bed518e6bb5c2110XXXXX
Failed to execute command: 0x00000005 [Access is denied].
------
* Use the path you found to delete the certificate from secure storage
    SMATool.exe /storage delete AgentCore\CertificateBackup\2\XXXXX5b279505XXXXX3bed518e6bb5c2110XXXXX
* Delete the certificate from the certificate store (certmgr)
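
The client-side steps above can be scripted as follows. This is an added example, not vendor code: it uses only the `/storage enum` and `/storage delete` commands shown above, and the parameter names, the dry-run switch and the final re-check are choices made for this example. It assumes an elevated prompt, SMATool.exe already copied to the client, the certificate already removed from the communication profile, and enum output that prints each storage path on its own line as in the sample.

```powershell
# Added example (not vendor code): remove a profile-distributed certificate from a client.
param(
    [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{40}$')][string]$Thumbprint,
    [string]$SmaTool = '.\SMATool.exe',  # assumption: tool copied next to this script
    [switch]$Apply                        # without -Apply nothing is deleted, only reported
)

# Returns secure-storage paths that contain the thumbprint.
# Assumption: one storage path per line; status lines such as
# "Failed to execute command: ..." do not contain the thumbprint and are skipped.
function Get-StoragePath {
    & $SmaTool /storage enum 2>&1 |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ -match '\\' -and $_ -like "*$Thumbprint*" } |
        Select-Object -Unique
}

# Returns every copy of the certificate in the Windows certificate stores
# (current user and local machine), matched by thumbprint.
function Get-StoreCopy {
    Get-ChildItem Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Thumbprint -eq $Thumbprint
        }
}

# Secure storage first: a copy left there is what the agent restores from.
$paths = @(Get-StoragePath)
if ($paths.Count -eq 0) { Write-Warning "No secure storage entry found for $Thumbprint" }
foreach ($p in $paths) {
    if ($Apply) { & $SmaTool /storage delete $p } else { Write-Host "Would delete storage entry: $p" }
}

# Then the certificate store copies.
foreach ($c in @(Get-StoreCopy)) {
    if ($Apply) { Remove-Item -LiteralPath $c.PSPath } else { Write-Host "Would remove: $($c.PSPath)" }
}

# Re-check both locations so a leftover copy is reported instead of silently restored later.
if ($Apply) {
    $left = @(Get-StoragePath).Count + @(Get-StoreCopy).Count
    if ($left -gt 0) { Write-Warning "$left copies of $Thumbprint are still present" }
    else { Write-Host "Certificate $Thumbprint removed from secure storage and certificate stores" }
}
```

Run it once without `-Apply` to review what would be removed, then again with `-Apply`.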