Thanks for the prompt response!  🙂

@cdinet one more question, if I may.

When I go into Certificate Manager, it looks like someone has already chosen to regenerate a new certificate and it's just waiting for someone to click Activate Certificate.  My question is should the certificate still show 1024 prior to activation (see my attached screenshot)?

I don't recall regenerating a new certificate so it's possible that the regenerated certificate is very old.

We have close to 100% saturation at the moment, but wondering if the displayed certificate needs to be 2048.  Wondering if I should regenerate a new one and wait a few weeks or if there's any way to verify within the cabundle.cer whether the certificate is 1024 or 2018.  Thoughts?

Go through this kb - make sure you have the backup folder it mentions and check your status with that.  You can cancel and restart it if things don't look right.

https://kcm.trellix.com/corporate/index?page=content&id=KB91288

Also, a way to verify the certificate you're prepopulating is SHA-2 is to do the following on any existing client that's already been pre-staged:

1.  Open up "C:\ProgramData\McAfee\Agent\cabundle.cer" from any client with notepad.  As @cdinet mentioned, look for 4 entries to indicate the client has both the (future) new and the (current) old certificates.

2.  As the KB states, you can also export sitelist.xml from the ePO server and look for 4 certificate entries (as opposed to 2), and confirm they're the same certificates you see in "C:\ProgramData\McAfee\Agent\cabundle.cer" on any client.  To export sitelist, from ePO, go to Software | Master Repository | Actions | Export Sitelist

3.  To confirm the new certificates are SHA-2, while still viewing "C:\ProgramData\McAfee\Agent\cabundle.cer"  in notepad, copy the bottom two certificates from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into two new notepad files, and save the files (e.g. Test.cer and Test2.cer).  Then. double click the files and confirm they are SHA-2 (sha265RSA).