Issue & Auto enroll Client Authentication Certificate for SCCM Clients

A client certificate is required on any computer which need SSL communication with Configuration Manager HTTPS Management Point or SSL Software Update Point.

A client certificate is aslo required on any computer which will be managed via the Cloud Management Gateway ( CMG ) and devices are not Azure AD / Hybrid AD join. It is also required on the server that will host the Cloud Management Gateway connection point.

Let’s understand how we can issue a client authentication certificate using Microsoft Active Directory Certificate Services (Public Key Infrastructure / PKI) and configure auto enrollment via Group Policy.


Issue Client Authentication Certificate from Microsoft PKI

RDP to Certificate Authority Server

On the Certificate Authority console, right click Certificate Template and click Manage.

Certificate template

Right click Workstation Authentication and click Duplicate Template.

Certificate template | Client Authentication Certificate

Under Compatibility tab, make sure to use to Windows Server 2003 under Certificate Authority option.

Certificate template

In the General tab, enter SCCM Client Certificate under Template display name. Set the validity period as per your requirement.

Certificate template

Click on Security tab, select the Domain Computers group and add the permission of Read and Autoenroll , do not clear Enroll. Then click on Ok

Certificate template

Refresh the console and check if new template is there

In the Certificate Authority console, right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.

Certificate template - New template to issue

In the Enable Certificate Templates dialog box, choose the new template that you just created, ConfigMgr Client Certificate, and then choose OK.

Enable Certificate template

Configure Client Authentication Certificate Auto Enrollment

The fastest way to deploy the client certificate to all your machines is through an autoenrollment GPO. Follow the below process to configure auto enrollment group policy.

Launch Group Policy Management on your Domain (Start / Administrative Tools / Group Policy Management)

Right-click the desired OU and select Create a GPO in this domain, and Link it here…

GPO Certificate auto enrollment

Name your GPO SCCM Client Cert – Auto Enroll, then click OK.

GPO Certificate auto enrollment

A blank GPO will now created. Right-click and Edit your newly created GPO.

GPO Certificate auto enrollment

Navigate to: Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies

Right-click on Certificate Services Client – Auto-Enrollment and then click Properties

GPO Certificate auto enrollment

Change the Configuration Model: to Enabled

Select the Renew expired certificates, update pending certificates, and remove revoked certificates checkbox

Click Apply and OK

GPO Certificate auto enrollment

The group policy is now configured for auto enrollment. When Group Policy is re-applied, any machine on the domain communicating with the Domain Controller will request and recevie a client authentication certificate automatically.

On the client machine, certificate will be placed in the Local Computer Personal Certificate Store

To expedite the testing, you can reboot a workstations and run gpudate /force command to forcefully update the Group Policy.

Below is the result from GPRESULT command. You can see that GPO has been applied and SCCM Client Cert- Auto enroll is winning GPO.

GPO Certificate auto enrollment

Export Trusted Root Certificate

The trusted root certificate need to be provided to SCCM server when configuring for SSL. It’s also required for Cloud Management Gateway during setup.

Follow the below steps to export the trusted root certificate from the workstation which enrolled the client authentication certificate through GPO.

Go to Run and type certlm.msc and press enter to open local computer certificate store.

Right click on the client authenication certificate and select Open

Export Trusted Root Certificate

In the Certificate page, select highest certification path and click on View certificate.

Export Trusted Root Certificate

The Certificate Information page will open in a new window

Export Trusted Root Certificate

Click on the Details tab and then click on Copy to file…

Export Trusted Root Certificate

On the Welcome to the Certificate Export Wizard page, click on Next

On the Certificate Export Wizard page, ensure that DER conded binary X.509 (.CER) format is selected.

Click on Next

Export Trusted Root Certificate

Provide the name for the file and click on Next

Export Trusted Root Certificate

On the Completing the Certificate Export Wizard page, click on Finish.

Export Trusted Root Certificate

Related Posts:

Subscribe to Techuisitive Newsletter

Be the first to know about our new blog posts. Get our newsletters directly in your inbox and stay up to date about Modern Desktop Management technologies & news.

Scroll to Top