Local Certificate Created on Agent Managed Device

So the other day I was presented with a question from my customer that I found interesting and did not have an immediate answer for.  The question was, "why does Operations Manager 2007 create a certificate in the local store on an agent managed device?"  I was curious myself since all agent managed devices were in the same Forest/Domain as the Management Group, and therefore Kerberos authentication is used.  Hmm, let me research that further.

Well I come to find out that the reason is the following as explained by the product group, "The certificates are generated for the Run As Execution feature.  When the agent is installed, the certificate is automatically generated and sent to the RMS, where it is used to provide an additional layer of encryption over RunAs related secrets.  This ensures the RunAs secrets can be securly transported from the RMS to the MS, and finally to the Agent."

 So there you have it.