This tutorial demonstrates multiple ways to check client certificate in SCCM for Windows devices. These methods help ConfigMgr administrators to find if the clients are using the self-signed certificates or PKI certificates.
Recently I implemented PKI certificates for SCCM for an organization and switched the communication to HTTPS only, securing the communication between the clients and Configuration Manager. Prior to this, I had to first determine how many clients were ready for HTTPS communication.

Once you switch the Configuration Manager roles from HTTP to HTTPS, the certificate assigned to the managed clients changes from self-signed to PKI. At the end of this project, I was asked if there is an easy way to see if all the clients had picked up the PKI certificates. There are two ways to find out that: manually and via the SCCM console. Let me demonstrate both methods.
Method 1: Check Client Certificate in SCCM Console
By default, the Configuration Manager console does not show the type of the certificate assigned to the clients. To see this information, all you need to do is right-click on a column detail name and select the Client Certificate.

Once you’ve enabled the Client Certificate column, you see the certificate that is assigned to each client. In the below example, the client certificate for the devices shows as self-signed.

After the PKI certificates have been deployed and communication has been switched to HTTPS on the Primary Site, clients will automatically begin to communicate using HTTPS if a certificate is present on the client. In the below screenshot, we see the client certificate for every device shows as PKI.

If you find any clients that still show self-signed certificates, try restarting the Configuration Manager Agent Service (SMS Agent Host).
Also note that ConfigMgr version 2107 is also a known issue where devices in SCCM Console showed self-signed while it was showing PKI on the client side. However, this issue is resolved in the latest version of the ConfigMgr current branch.
Method 2: Manually check the SCCM Client Certificate
To determine if the client is using a PKI cert or a self-signed certificate for communication, you can open the Configuration Manager Control Panel on Windows and check the client certificate.
Here’s how to manually check the client certificate details from SCCM client properties. Right-click the Start button and select Run. Type ‘control smscfgrc‘ and press OK to launch the ConfigMgr Control Panel applet. In the General tab, look for the Client certificate property to determine if the client is using a self-signed certificate or PKI.

Still Need Help?
If you need further assistance on the above article or want to discuss other technical issues, check out some of these options.