Issue & Autoenroll Client Authentication Certificate for SCCM Clients

A client certificate is required on any computer which need SSL communication with Configuration Manager HTTPS Management Point or SSL Software Update Point.

A client certificate is aslo required on any computer which will be managed via the Cloud Management Gateway ( CMG ) and devices are not Azure AD / Hybrid AD join. It is also required on the server that will host the Cloud Management Gateway connection point.

Let’s understand how we can issue a client authentication certificate using Microsoft Active Directory Certificate Services (Public Key Infrastructure / PKI) and configure auto enrollment via Group Policy.

Table of Contents

  • Issue Client Authentication Certificate
  • Configure Client Authentication Certificate Auto Enrollment
  • Export Trusted Root Certificate

Related Posts:

Configure Management Point for HTTPS

Configure Software Update Point for SSL

Issue Client Authentication Certificate from Microsoft PKI

RDP to Certificate Authority Server

On the Certificate Authority console, right click Certificate Template and click Manage.

Right click Workstation Authentication and click Duplicate Template.

Under Compatibility tab, make sure to use to Windows Server 2003 under Certificate Authority option.

In the General tab, enter SCCM Client Certificate under Template display name. Set the validity period as per your requirement.

Click on Security tab, select the Domain Computers group and add the permission of Read and Autoenroll , do not clear Enroll. Then click on Ok

Refresh the console and check if new template is there

In the Certificate Authority console, right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.

In the Enable Certificate Templates dialog box, choose the new template that you just created, ConfigMgr Client Certificate, and then choose OK.

Configure Client Authentication Certificate Auto Enrollment

The fastest way to deploy the client certificate to all your machines is through an autoenrollment GPO. Follow the below process to configure auto enrollment group policy.

Launch Group Policy Management on your Domain (Start / Administrative Tools / Group Policy Management)

Right-click the desired OU and select Create a GPO in this domain, and Link it here…

Name your GPO SCCM Client Cert – Auto Enroll, then click OK.

A blank GPO will now created. Right-click and Edit your newly created GPO.

Navigate to: Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies

Right-click on Certificate Services Client – Auto-Enrollment and then click Properties

Change the Configuration Model: to Enabled

Select the Renew expired certificates, update pending certificates, and remove revoked certificates checkbox

Click Apply and OK

The group policy is now configured for auto enrollment. When Group Policy is re-applied, any machine on the domain communicating with the Domain Controller will request and recevie a client authentication certificate automatically.

On the client machine, certificate will be placed in the Local Computer Personal Certificate Store

To expedite the testing, you can reboot a workstations and run gpudate /force command to forcefully update the Group Policy.

Below is the result from GPRESULT command. You can see that GPO has been applied and SCCM Client Cert- Auto enroll is winning GPO.

Export Trusted Root Certificate

The trusted root certificate need to be provided to SCCM server when configuring for SSL. It’s also required for Cloud Management Gateway during setup.

Follow the below steps to export the trusted root certificate from the workstation which enrolled the client authentication certificate through GPO.

Go to Run and type certlm.msc and press enter to open local computer certificate store.

Right click on the client authenication certificate and select Open

In the Certificate page, select highest certification path and click on View certificate.

The Certificate Information page will open in a new window

Click on the Details tab and then click on Copy to file…

On the Welcome to the Certificate Export Wizard page, click on Next

On the Certificate Export Wizard page, ensure that DER conded binary X.509 (.CER) format is selected.

Click on Next

Provide the name for the file and click on Next

On the Completing the Certificate Export Wizard page, click on Finish.

Related Posts:

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top